Understanding roles

This page describes IAM roles and lists the predefined roles that you can grant to your principals.

A role contains a set of permissions that allows you to perform specific actions on Google Cloud resources. To make permissions available to principals, including users, groups, and service accounts, you grant roles to the principals.

Prerequisite for this guide

Understand the basic concepts of IAM

Role types

There are three types of roles in IAM:

Basic roles, which include the Owner, Editor, and Viewer roles that existed prior to the introduction of IAM.
Predefined roles, which provide granular access for a specific service and are managed by Google Cloud.
Custom roles, which provide granular access according to a user-specified list of permissions.

To determine if a permission is included in a basic, predefined, or custom role, you can use one of the following methods:

Run the gcloud iam roles describe command to list the permissions in the role.
Call the roles.get() REST API method to list the permissions in the role.
For basic and predefined roles only: Search the permissions reference to see if the permission is granted by the role.
For predefined roles only: Search the predefined role descriptions on this page to see which permissions the role includes.

The sections below describe each role type and provide examples of how to use them.

Basic roles

There are several basic roles that existed prior to the introduction of IAM: Owner, Editor, and Viewer. These roles are concentric; that is, the Owner role includes the permissions in the Editor role, and the Editor role includes the permissions in the Viewer role. They were originally known as "primitive roles."

The following table summarizes the permissions that the basic roles include across all Google Cloud services:

Basic role definitions

Name	Title	Permissions
`roles/viewer`	Viewer	Permissions for read-only actions that do not affect state, such as viewing (but not modifying) existing resources or data.
`roles/editor`	Editor	All viewer permissions, plus permissions for actions that modify state, such as changing existing resources. Note: The Editor role contains permissions to create and delete resources for most Google Cloud services. However, it does not contain permissions to perform all actions for all services. For more information about how to check whether a role has the permissions that you need, see Role types on this page.
`roles/owner`	Owner	All Editor permissions and permissions for the following actions: Manage roles and permissions for a project and all resources within the project. Set up billing for a project. Note: Granting the Owner role at a resource level, such as a Pub/Sub topic, doesn't grant the Owner role on the parent project. Granting the Owner role at the organization level doesn't allow you to update the organization's metadata. However, it allows you to modify all projects and other resources under that organization. To grant the Owner role on a project to a user outside of your organization, you must use the Google Cloud console, not the gcloud CLI. If your project is not part of an organization, you must use the Google Cloud console to grant the Owner role.

You can grant basic roles with the Google Cloud console, the API, and the gcloud CLI. To grant basic roles on a project, folder, or organization, see Manage access to projects, folders, and organizations. To grant basic roles on other resources, see Manage access to other resources.

Predefined roles

In addition to the basic roles, IAM provides additional predefined roles that give granular access to specific Google Cloud resources and prevent unwanted access to other resources. These roles are created and maintained by Google. Google automatically updates their permissions as necessary, such as when Google Cloud adds new features or services.

The following tables list these roles, their description, and the lowest-level resource type where the roles can be set. A particular role can be granted to this resource type, or in most cases any type above it in the Google Cloud resource hierarchy.

You can grant multiple roles to the same user, at any level of the resource hierarchy. For example, the same user can have the Compute Network Admin and Logs Viewer roles on a project, and also have the Pub/Sub Publisher role on a Pub/Sub topic within that project. To list the permissions contained in a role, see Getting the role metadata.

For help choosing the most appropriate predefined roles, see Choose predefined roles.

Access Approval roles

Role	Permissions
Access Approval Approver ^Beta (`roles/accessapproval.approver`) Ability to view or act on access approval requests and view configuration	accessapproval.requests.* accessapproval.serviceAccounts.get accessapproval.settings.get resourcemanager.projects.get resourcemanager.projects.list
Access Approval Config Editor ^Beta (`roles/accessapproval.configEditor`) Ability to update the Access Approval configuration	accessapproval.serviceAccounts.get accessapproval.settings.* resourcemanager.projects.get resourcemanager.projects.list
Access Approval Invalidator ^Beta (`roles/accessapproval.invalidator`) Ability to invalidate existing approved approval requests	accessapproval.requests.invalidate accessapproval.serviceAccounts.get accessapproval.settings.get resourcemanager.projects.get resourcemanager.projects.list
Access Approval Viewer ^Beta (`roles/accessapproval.viewer`) Ability to view access approval requests and configuration	accessapproval.requests.get accessapproval.requests.list accessapproval.serviceAccounts.get accessapproval.settings.get resourcemanager.projects.get resourcemanager.projects.list

Access Context Manager roles

Role	Permissions
Cloud Access Binding Admin (`roles/accesscontextmanager.gcpAccessAdmin`) Create, edit, and change Cloud access bindings.	accesscontextmanager.gcpUserAccessBindings.*
Cloud Access Binding Reader (`roles/accesscontextmanager.gcpAccessReader`) Read access to Cloud access bindings.	accesscontextmanager.gcpUserAccessBindings.get accesscontextmanager.gcpUserAccessBindings.list
Access Context Manager Admin (`roles/accesscontextmanager.policyAdmin`) Full access to policies, access levels, and access zones	accesscontextmanager.accessLevels.* accesscontextmanager.accessPolicies.* accesscontextmanager.accessZones.* accesscontextmanager.policies.* accesscontextmanager.servicePerimeters.* cloudasset.assets.searchAllResources resourcemanager.organizations.get resourcemanager.projects.get resourcemanager.projects.list
Access Context Manager Editor (`roles/accesscontextmanager.policyEditor`) Edit access to policies. Create, edit, and change access levels and access zones.	accesscontextmanager.accessLevels.* accesscontextmanager.accessPolicies.create accesscontextmanager.accessPolicies.delete accesscontextmanager.accessPolicies.get accesscontextmanager.accessPolicies.getIamPolicy accesscontextmanager.accessPolicies.list accesscontextmanager.accessPolicies.update accesscontextmanager.accessZones.* accesscontextmanager.policies.create accesscontextmanager.policies.delete accesscontextmanager.policies.get accesscontextmanager.policies.getIamPolicy accesscontextmanager.policies.list accesscontextmanager.policies.update accesscontextmanager.servicePerimeters.* cloudasset.assets.searchAllResources resourcemanager.organizations.get resourcemanager.projects.get resourcemanager.projects.list
Access Context Manager Reader (`roles/accesscontextmanager.policyReader`) Read access to policies, access levels, and access zones.	accesscontextmanager.accessLevels.get accesscontextmanager.accessLevels.list accesscontextmanager.accessPolicies.get accesscontextmanager.accessPolicies.getIamPolicy accesscontextmanager.accessPolicies.list accesscontextmanager.accessZones.get accesscontextmanager.accessZones.list accesscontextmanager.policies.get accesscontextmanager.policies.getIamPolicy accesscontextmanager.policies.list accesscontextmanager.servicePerimeters.get accesscontextmanager.servicePerimeters.list resourcemanager.organizations.get resourcemanager.projects.get resourcemanager.projects.list
VPC Service Controls Troubleshooter Viewer (`roles/accesscontextmanager.vpcScTroubleshooterViewer`)	accesscontextmanager.accessLevels.get accesscontextmanager.accessLevels.list accesscontextmanager.policies.get accesscontextmanager.policies.getIamPolicy accesscontextmanager.policies.list accesscontextmanager.servicePerimeters.get accesscontextmanager.servicePerimeters.list logging.exclusions.get logging.exclusions.list logging.logEntries.list logging.logMetrics.get logging.logMetrics.list logging.logServiceIndexes.list logging.logServices.list logging.logs.list logging.sinks.get logging.sinks.list logging.usage.get resourcemanager.organizations.get resourcemanager.projects.get resourcemanager.projects.list

Actions roles

Role	Permissions
Actions Admin (`roles/actions.Admin`) Access to edit and deploy an action	actions.* firebase.projects.get firebase.projects.update resourcemanager.projects.get resourcemanager.projects.list serviceusage.services.use
Actions Viewer (`roles/actions.Viewer`) Access to view an action	actions.agent.get actions.agentVersions.get actions.agentVersions.list firebase.projects.get resourcemanager.projects.get resourcemanager.projects.list serviceusage.services.use

AI Notebooks roles

Role	Permissions
Notebooks Admin (`roles/notebooks.admin`) Full access to Notebooks, all resources. Lowest-level resources where you can grant this role: Instance	compute.acceleratorTypes.* compute.addresses.get compute.addresses.list compute.autoscalers.get compute.autoscalers.list compute.backendBuckets.get compute.backendBuckets.list compute.backendServices.get compute.backendServices.getIamPolicy compute.backendServices.list compute.commitments.get compute.commitments.list compute.diskTypes.* compute.disks.get compute.disks.getIamPolicy compute.disks.list compute.disks.listEffectiveTags compute.disks.listTagBindings compute.externalVpnGateways.get compute.externalVpnGateways.list compute.firewallPolicies.get compute.firewallPolicies.getIamPolicy compute.firewallPolicies.list compute.firewalls.get compute.firewalls.list compute.forwardingRules.get compute.forwardingRules.list compute.globalAddresses.get compute.globalAddresses.list compute.globalForwardingRules.get compute.globalForwardingRules.list compute.globalForwardingRules.pscGet compute.globalNetworkEndpointGroups.get compute.globalNetworkEndpointGroups.list compute.globalOperations.get compute.globalOperations.getIamPolicy compute.globalOperations.list compute.globalPublicDelegatedPrefixes.get compute.globalPublicDelegatedPrefixes.list compute.healthChecks.get compute.healthChecks.list compute.httpHealthChecks.get compute.httpHealthChecks.list compute.httpsHealthChecks.get compute.httpsHealthChecks.list compute.images.get compute.images.getFromFamily compute.images.getIamPolicy compute.images.list compute.images.listEffectiveTags compute.images.listTagBindings compute.instanceGroupManagers.get compute.instanceGroupManagers.list compute.instanceGroups.get compute.instanceGroups.list compute.instanceTemplates.get compute.instanceTemplates.getIamPolicy compute.instanceTemplates.list compute.instances.get compute.instances.getEffectiveFirewalls compute.instances.getGuestAttributes compute.instances.getIamPolicy compute.instances.getScreenshot compute.instances.getSerialPortOutput compute.instances.getShieldedInstanceIdentity compute.instances.getShieldedVmIdentity compute.instances.list compute.instances.listEffectiveTags compute.instances.listReferrers compute.instances.listTagBindings compute.interconnectAttachments.get compute.interconnectAttachments.list compute.interconnectLocations.* compute.interconnects.get compute.interconnects.list compute.licenseCodes.get compute.licenseCodes.getIamPolicy compute.licenseCodes.list compute.licenses.get compute.licenses.getIamPolicy compute.licenses.list compute.machineImages.get compute.machineImages.getIamPolicy compute.machineImages.list compute.machineTypes.* compute.maintenancePolicies.get compute.maintenancePolicies.getIamPolicy compute.maintenancePolicies.list compute.networkEndpointGroups.get compute.networkEndpointGroups.getIamPolicy compute.networkEndpointGroups.list compute.networks.get compute.networks.getEffectiveFirewalls compute.networks.getRegionEffectiveFirewalls compute.networks.list compute.networks.listPeeringRoutes compute.nodeGroups.get compute.nodeGroups.getIamPolicy compute.nodeGroups.list compute.nodeTemplates.get compute.nodeTemplates.getIamPolicy compute.nodeTemplates.list compute.nodeTypes.* compute.organizations.listAssociations compute.packetMirrorings.get compute.packetMirrorings.list compute.projects.get compute.publicAdvertisedPrefixes.get compute.publicAdvertisedPrefixes.list compute.publicDelegatedPrefixes.get compute.publicDelegatedPrefixes.list compute.regionBackendServices.get compute.regionBackendServices.getIamPolicy compute.regionBackendServices.list compute.regionFirewallPolicies.get compute.regionFirewallPolicies.getIamPolicy compute.regionFirewallPolicies.list compute.regionHealthCheckServices.get compute.regionHealthCheckServices.list compute.regionHealthChecks.get compute.regionHealthChecks.list compute.regionNetworkEndpointGroups.get compute.regionNetworkEndpointGroups.list compute.regionNotificationEndpoints.get compute.regionNotificationEndpoints.list compute.regionOperations.get compute.regionOperations.getIamPolicy compute.regionOperations.list compute.regionSslCertificates.get compute.regionSslCertificates.list compute.regionTargetHttpProxies.get compute.regionTargetHttpProxies.list compute.regionTargetHttpsProxies.get compute.regionTargetHttpsProxies.list compute.regionUrlMaps.get compute.regionUrlMaps.list compute.regionUrlMaps.validate compute.regions.* compute.reservations.get compute.reservations.list compute.resourcePolicies.get compute.resourcePolicies.list compute.routers.get compute.routers.list compute.routes.get compute.routes.list compute.securityPolicies.get compute.securityPolicies.getIamPolicy compute.securityPolicies.list compute.serviceAttachments.get compute.serviceAttachments.list compute.snapshots.get compute.snapshots.getIamPolicy compute.snapshots.list compute.snapshots.listEffectiveTags compute.snapshots.listTagBindings compute.sslCertificates.get compute.sslCertificates.list compute.sslPolicies.get compute.sslPolicies.list compute.sslPolicies.listAvailableFeatures compute.subnetworks.get compute.subnetworks.getIamPolicy compute.subnetworks.list compute.targetGrpcProxies.get compute.targetGrpcProxies.list compute.targetHttpProxies.get compute.targetHttpProxies.list compute.targetHttpsProxies.get compute.targetHttpsProxies.list compute.targetInstances.get compute.targetInstances.list compute.targetPools.get compute.targetPools.list compute.targetSslProxies.get compute.targetSslProxies.list compute.targetTcpProxies.get compute.targetTcpProxies.list compute.targetVpnGateways.get compute.targetVpnGateways.list compute.urlMaps.get compute.urlMaps.list compute.urlMaps.validate compute.vpnGateways.get compute.vpnGateways.list compute.vpnTunnels.get compute.vpnTunnels.list compute.zoneOperations.get compute.zoneOperations.getIamPolicy compute.zoneOperations.list compute.zones.* notebooks.* resourcemanager.projects.get resourcemanager.projects.list serviceusage.quotas.get serviceusage.services.get serviceusage.services.list
Notebooks Legacy Admin (`roles/notebooks.legacyAdmin`) Full access to Notebooks all resources through compute API.	compute.* notebooks.* resourcemanager.projects.get resourcemanager.projects.list serviceusage.quotas.get serviceusage.services.get serviceusage.services.list
Notebooks Legacy Viewer (`roles/notebooks.legacyViewer`) Read-only access to Notebooks all resources through compute API.	compute.acceleratorTypes.* compute.addresses.get compute.addresses.list compute.autoscalers.get compute.autoscalers.list compute.backendBuckets.get compute.backendBuckets.list compute.backendServices.get compute.backendServices.getIamPolicy compute.backendServices.list compute.commitments.get compute.commitments.list compute.diskTypes.* compute.disks.get compute.disks.getIamPolicy compute.disks.list compute.disks.listEffectiveTags compute.disks.listTagBindings compute.externalVpnGateways.get compute.externalVpnGateways.list compute.firewallPolicies.get compute.firewallPolicies.getIamPolicy compute.firewallPolicies.list compute.firewalls.get compute.firewalls.list compute.forwardingRules.get compute.forwardingRules.list compute.globalAddresses.get compute.globalAddresses.list compute.globalForwardingRules.get compute.globalForwardingRules.list compute.globalForwardingRules.pscGet compute.globalNetworkEndpointGroups.get compute.globalNetworkEndpointGroups.list compute.globalOperations.get compute.globalOperations.getIamPolicy compute.globalOperations.list compute.globalPublicDelegatedPrefixes.get compute.globalPublicDelegatedPrefixes.list compute.healthChecks.get compute.healthChecks.list compute.httpHealthChecks.get compute.httpHealthChecks.list compute.httpsHealthChecks.get compute.httpsHealthChecks.list compute.images.get compute.images.getFromFamily compute.images.getIamPolicy compute.images.list compute.images.listEffectiveTags compute.images.listTagBindings compute.instanceGroupManagers.get compute.instanceGroupManagers.list compute.instanceGroups.get compute.instanceGroups.list compute.instanceTemplates.get compute.instanceTemplates.getIamPolicy compute.instanceTemplates.list compute.instances.get compute.instances.getEffectiveFirewalls compute.instances.getGuestAttributes compute.instances.getIamPolicy compute.instances.getScreenshot compute.instances.getSerialPortOutput compute.instances.getShieldedInstanceIdentity compute.instances.getShieldedVmIdentity compute.instances.list compute.instances.listEffectiveTags compute.instances.listReferrers compute.instances.listTagBindings compute.interconnectAttachments.get compute.interconnectAttachments.list compute.interconnectLocations.* compute.interconnects.get compute.interconnects.list compute.licenseCodes.get compute.licenseCodes.getIamPolicy compute.licenseCodes.list compute.licenses.get compute.licenses.getIamPolicy compute.licenses.list compute.machineImages.get compute.machineImages.getIamPolicy compute.machineImages.list compute.machineTypes.* compute.maintenancePolicies.get compute.maintenancePolicies.getIamPolicy compute.maintenancePolicies.list compute.networkEndpointGroups.get compute.networkEndpointGroups.getIamPolicy compute.networkEndpointGroups.list compute.networks.get compute.networks.getEffectiveFirewalls compute.networks.getRegionEffectiveFirewalls compute.networks.list compute.networks.listPeeringRoutes compute.nodeGroups.get compute.nodeGroups.getIamPolicy compute.nodeGroups.list compute.nodeTemplates.get compute.nodeTemplates.getIamPolicy compute.nodeTemplates.list compute.nodeTypes.* compute.organizations.listAssociations compute.packetMirrorings.get compute.packetMirrorings.list compute.projects.get compute.publicAdvertisedPrefixes.get compute.publicAdvertisedPrefixes.list compute.publicDelegatedPrefixes.get compute.publicDelegatedPrefixes.list compute.regionBackendServices.get compute.regionBackendServices.getIamPolicy compute.regionBackendServices.list compute.regionFirewallPolicies.get compute.regionFirewallPolicies.getIamPolicy compute.regionFirewallPolicies.list compute.regionHealthCheckServices.get compute.regionHealthCheckServices.list compute.regionHealthChecks.get compute.regionHealthChecks.list compute.regionNetworkEndpointGroups.get compute.regionNetworkEndpointGroups.list compute.regionNotificationEndpoints.get compute.regionNotificationEndpoints.list compute.regionOperations.get compute.regionOperations.getIamPolicy compute.regionOperations.list compute.regionSslCertificates.get compute.regionSslCertificates.list compute.regionTargetHttpProxies.get compute.regionTargetHttpProxies.list compute.regionTargetHttpsProxies.get compute.regionTargetHttpsProxies.list compute.regionUrlMaps.get compute.regionUrlMaps.list compute.regionUrlMaps.validate compute.regions.* compute.reservations.get compute.reservations.list compute.resourcePolicies.get compute.resourcePolicies.list compute.routers.get compute.routers.list compute.routes.get compute.routes.list compute.securityPolicies.get compute.securityPolicies.getIamPolicy compute.securityPolicies.list compute.serviceAttachments.get compute.serviceAttachments.list compute.snapshots.get compute.snapshots.getIamPolicy compute.snapshots.list compute.snapshots.listEffectiveTags compute.snapshots.listTagBindings compute.sslCertificates.get compute.sslCertificates.list compute.sslPolicies.get compute.sslPolicies.list compute.sslPolicies.listAvailableFeatures compute.subnetworks.get compute.subnetworks.getIamPolicy compute.subnetworks.list compute.targetGrpcProxies.get compute.targetGrpcProxies.list compute.targetHttpProxies.get compute.targetHttpProxies.list compute.targetHttpsProxies.get compute.targetHttpsProxies.list compute.targetInstances.get compute.targetInstances.list compute.targetPools.get compute.targetPools.list compute.targetSslProxies.get compute.targetSslProxies.list compute.targetTcpProxies.get compute.targetTcpProxies.list compute.targetVpnGateways.get compute.targetVpnGateways.list compute.urlMaps.get compute.urlMaps.list compute.urlMaps.validate compute.vpnGateways.get compute.vpnGateways.list compute.vpnTunnels.get compute.vpnTunnels.list compute.zoneOperations.get compute.zoneOperations.getIamPolicy compute.zoneOperations.list compute.zones.* notebooks.environments.get notebooks.environments.getIamPolicy notebooks.environments.list notebooks.executions.get notebooks.executions.getIamPolicy notebooks.executions.list notebooks.instances.checkUpgradability notebooks.instances.get notebooks.instances.getHealth notebooks.instances.getIamPolicy notebooks.instances.list notebooks.locations.* notebooks.operations.get notebooks.operations.list notebooks.runtimes.get notebooks.runtimes.getIamPolicy notebooks.runtimes.list notebooks.schedules.get notebooks.schedules.getIamPolicy notebooks.schedules.list resourcemanager.projects.get resourcemanager.projects.list serviceusage.quotas.get serviceusage.services.get serviceusage.services.list
Notebooks Runner (`roles/notebooks.runner`) Restricted access for running scheduled Notebooks.	compute.acceleratorTypes.* compute.addresses.get compute.addresses.list compute.autoscalers.get compute.autoscalers.list compute.backendBuckets.get compute.backendBuckets.list compute.backendServices.get compute.backendServices.getIamPolicy compute.backendServices.list compute.commitments.get compute.commitments.list compute.diskTypes.* compute.disks.get compute.disks.getIamPolicy compute.disks.list compute.disks.listEffectiveTags compute.disks.listTagBindings compute.externalVpnGateways.get compute.externalVpnGateways.list compute.firewallPolicies.get compute.firewallPolicies.getIamPolicy compute.firewallPolicies.list compute.firewalls.get compute.firewalls.list compute.forwardingRules.get compute.forwardingRules.list compute.globalAddresses.get compute.globalAddresses.list compute.globalForwardingRules.get compute.globalForwardingRules.list compute.globalForwardingRules.pscGet compute.globalNetworkEndpointGroups.get compute.globalNetworkEndpointGroups.list compute.globalOperations.get compute.globalOperations.getIamPolicy compute.globalOperations.list compute.globalPublicDelegatedPrefixes.get compute.globalPublicDelegatedPrefixes.list compute.healthChecks.get compute.healthChecks.list compute.httpHealthChecks.get compute.httpHealthChecks.list compute.httpsHealthChecks.get compute.httpsHealthChecks.list compute.images.get compute.images.getFromFamily compute.images.getIamPolicy compute.images.list compute.images.listEffectiveTags compute.images.listTagBindings compute.instanceGroupManagers.get compute.instanceGroupManagers.list compute.instanceGroups.get compute.instanceGroups.list compute.instanceTemplates.get compute.instanceTemplates.getIamPolicy compute.instanceTemplates.list compute.instances.get compute.instances.getEffectiveFirewalls compute.instances.getGuestAttributes compute.instances.getIamPolicy compute.instances.getScreenshot compute.instances.getSerialPortOutput compute.instances.getShieldedInstanceIdentity compute.instances.getShieldedVmIdentity compute.instances.list compute.instances.listEffectiveTags compute.instances.listReferrers compute.instances.listTagBindings compute.interconnectAttachments.get compute.interconnectAttachments.list compute.interconnectLocations.* compute.interconnects.get compute.interconnects.list compute.licenseCodes.get compute.licenseCodes.getIamPolicy compute.licenseCodes.list compute.licenses.get compute.licenses.getIamPolicy compute.licenses.list compute.machineImages.get compute.machineImages.getIamPolicy compute.machineImages.list compute.machineTypes.* compute.maintenancePolicies.get compute.maintenancePolicies.getIamPolicy compute.maintenancePolicies.list compute.networkEndpointGroups.get compute.networkEndpointGroups.getIamPolicy compute.networkEndpointGroups.list compute.networks.get compute.networks.getEffectiveFirewalls compute.networks.getRegionEffectiveFirewalls compute.networks.list compute.networks.listPeeringRoutes compute.nodeGroups.get compute.nodeGroups.getIamPolicy compute.nodeGroups.list compute.nodeTemplates.get compute.nodeTemplates.getIamPolicy compute.nodeTemplates.list compute.nodeTypes.* compute.organizations.listAssociations compute.packetMirrorings.get compute.packetMirrorings.list compute.projects.get compute.publicAdvertisedPrefixes.get compute.publicAdvertisedPrefixes.list compute.publicDelegatedPrefixes.get compute.publicDelegatedPrefixes.list compute.regionBackendServices.get compute.regionBackendServices.getIamPolicy compute.regionBackendServices.list compute.regionFirewallPolicies.get compute.regionFirewallPolicies.getIamPolicy compute.regionFirewallPolicies.list compute.regionHealthCheckServices.get compute.regionHealthCheckServices.list compute.regionHealthChecks.get compute.regionHealthChecks.list compute.regionNetworkEndpointGroups.get compute.regionNetworkEndpointGroups.list compute.regionNotificationEndpoints.get compute.regionNotificationEndpoints.list compute.regionOperations.get compute.regionOperations.getIamPolicy compute.regionOperations.list compute.regionSslCertificates.get compute.regionSslCertificates.list compute.regionTargetHttpProxies.get compute.regionTargetHttpProxies.list compute.regionTargetHttpsProxies.get compute.regionTargetHttpsProxies.list compute.regionUrlMaps.get compute.regionUrlMaps.list compute.regionUrlMaps.validate compute.regions.* compute.reservations.get compute.reservations.list compute.resourcePolicies.get compute.resourcePolicies.list compute.routers.get compute.routers.list compute.routes.get compute.routes.list compute.securityPolicies.get compute.securityPolicies.getIamPolicy compute.securityPolicies.list compute.serviceAttachments.get compute.serviceAttachments.list compute.snapshots.get compute.snapshots.getIamPolicy compute.snapshots.list compute.snapshots.listEffectiveTags compute.snapshots.listTagBindings compute.sslCertificates.get compute.sslCertificates.list compute.sslPolicies.get compute.sslPolicies.list compute.sslPolicies.listAvailableFeatures compute.subnetworks.get compute.subnetworks.getIamPolicy compute.subnetworks.list compute.targetGrpcProxies.get compute.targetGrpcProxies.list compute.targetHttpProxies.get compute.targetHttpProxies.list compute.targetHttpsProxies.get compute.targetHttpsProxies.list compute.targetInstances.get compute.targetInstances.list compute.targetPools.get compute.targetPools.list compute.targetSslProxies.get compute.targetSslProxies.list compute.targetTcpProxies.get compute.targetTcpProxies.list compute.targetVpnGateways.get compute.targetVpnGateways.list compute.urlMaps.get compute.urlMaps.list compute.urlMaps.validate compute.vpnGateways.get compute.vpnGateways.list compute.vpnTunnels.get compute.vpnTunnels.list compute.zoneOperations.get compute.zoneOperations.getIamPolicy compute.zoneOperations.list compute.zones.* notebooks.environments.get notebooks.environments.getIamPolicy notebooks.environments.list notebooks.executions.create notebooks.executions.get notebooks.executions.getIamPolicy notebooks.executions.list notebooks.instances.checkUpgradability notebooks.instances.create notebooks.instances.get notebooks.instances.getHealth notebooks.instances.getIamPolicy notebooks.instances.list notebooks.locations.* notebooks.operations.get notebooks.operations.list notebooks.runtimes.create notebooks.runtimes.get notebooks.runtimes.getIamPolicy notebooks.runtimes.list notebooks.schedules.create notebooks.schedules.get notebooks.schedules.getIamPolicy notebooks.schedules.list resourcemanager.projects.get resourcemanager.projects.list serviceusage.quotas.get serviceusage.services.get serviceusage.services.list
Notebooks Viewer (`roles/notebooks.viewer`) Read-only access to Notebooks, all resources. Lowest-level resources where you can grant this role: Instance	compute.acceleratorTypes.* compute.addresses.get compute.addresses.list compute.autoscalers.get compute.autoscalers.list compute.backendBuckets.get compute.backendBuckets.list compute.backendServices.get compute.backendServices.getIamPolicy compute.backendServices.list compute.commitments.get compute.commitments.list compute.diskTypes.* compute.disks.get compute.disks.getIamPolicy compute.disks.list compute.disks.listEffectiveTags compute.disks.listTagBindings compute.externalVpnGateways.get compute.externalVpnGateways.list compute.firewallPolicies.get compute.firewallPolicies.getIamPolicy compute.firewallPolicies.list compute.firewalls.get compute.firewalls.list compute.forwardingRules.get compute.forwardingRules.list compute.globalAddresses.get compute.globalAddresses.list compute.globalForwardingRules.get compute.globalForwardingRules.list compute.globalForwardingRules.pscGet compute.globalNetworkEndpointGroups.get compute.globalNetworkEndpointGroups.list compute.globalOperations.get compute.globalOperations.getIamPolicy compute.globalOperations.list compute.globalPublicDelegatedPrefixes.get compute.globalPublicDelegatedPrefixes.list compute.healthChecks.get compute.healthChecks.list compute.httpHealthChecks.get compute.httpHealthChecks.list compute.httpsHealthChecks.get compute.httpsHealthChecks.list compute.images.get compute.images.getFromFamily compute.images.getIamPolicy compute.images.list compute.images.listEffectiveTags compute.images.listTagBindings compute.instanceGroupManagers.get compute.instanceGroupManagers.list compute.instanceGroups.get compute.instanceGroups.list compute.instanceTemplates.get compute.instanceTemplates.getIamPolicy compute.instanceTemplates.list compute.instances.get compute.instances.getEffectiveFirewalls compute.instances.getGuestAttributes compute.instances.getIamPolicy compute.instances.getScreenshot compute.instances.getSerialPortOutput compute.instances.getShieldedInstanceIdentity compute.instances.getShieldedVmIdentity compute.instances.list compute.instances.listEffectiveTags compute.instances.listReferrers compute.instances.listTagBindings compute.interconnectAttachments.get compute.interconnectAttachments.list compute.interconnectLocations.* compute.interconnects.get compute.interconnects.list compute.licenseCodes.get compute.licenseCodes.getIamPolicy compute.licenseCodes.list compute.licenses.get compute.licenses.getIamPolicy compute.licenses.list compute.machineImages.get compute.machineImages.getIamPolicy compute.machineImages.list compute.machineTypes.* compute.maintenancePolicies.get compute.maintenancePolicies.getIamPolicy compute.maintenancePolicies.list compute.networkEndpointGroups.get compute.networkEndpointGroups.getIamPolicy compute.networkEndpointGroups.list compute.networks.get compute.networks.getEffectiveFirewalls compute.networks.getRegionEffectiveFirewalls compute.networks.list compute.networks.listPeeringRoutes compute.nodeGroups.get compute.nodeGroups.getIamPolicy compute.nodeGroups.list compute.nodeTemplates.get compute.nodeTemplates.getIamPolicy compute.nodeTemplates.list compute.nodeTypes.* compute.organizations.listAssociations compute.packetMirrorings.get compute.packetMirrorings.list compute.projects.get compute.publicAdvertisedPrefixes.get compute.publicAdvertisedPrefixes.list compute.publicDelegatedPrefixes.get compute.publicDelegatedPrefixes.list compute.regionBackendServices.get compute.regionBackendServices.getIamPolicy compute.regionBackendServices.list compute.regionFirewallPolicies.get compute.regionFirewallPolicies.getIamPolicy compute.regionFirewallPolicies.list compute.regionHealthCheckServices.get compute.regionHealthCheckServices.list compute.regionHealthChecks.get compute.regionHealthChecks.list compute.regionNetworkEndpointGroups.get compute.regionNetworkEndpointGroups.list compute.regionNotificationEndpoints.get compute.regionNotificationEndpoints.list compute.regionOperations.get compute.regionOperations.getIamPolicy compute.regionOperations.list compute.regionSslCertificates.get compute.regionSslCertificates.list compute.regionTargetHttpProxies.get compute.regionTargetHttpProxies.list compute.regionTargetHttpsProxies.get compute.regionTargetHttpsProxies.list compute.regionUrlMaps.get compute.regionUrlMaps.list compute.regionUrlMaps.validate compute.regions.* compute.reservations.get compute.reservations.list compute.resourcePolicies.get compute.resourcePolicies.list compute.routers.get compute.routers.list compute.routes.get compute.routes.list compute.securityPolicies.get compute.securityPolicies.getIamPolicy compute.securityPolicies.list compute.serviceAttachments.get compute.serviceAttachments.list compute.snapshots.get compute.snapshots.getIamPolicy compute.snapshots.list compute.snapshots.listEffectiveTags compute.snapshots.listTagBindings compute.sslCertificates.get compute.sslCertificates.list compute.sslPolicies.get compute.sslPolicies.list compute.sslPolicies.listAvailableFeatures compute.subnetworks.get compute.subnetworks.getIamPolicy compute.subnetworks.list compute.targetGrpcProxies.get compute.targetGrpcProxies.list compute.targetHttpProxies.get compute.targetHttpProxies.list compute.targetHttpsProxies.get compute.targetHttpsProxies.list compute.targetInstances.get compute.targetInstances.list compute.targetPools.get compute.targetPools.list compute.targetSslProxies.get compute.targetSslProxies.list compute.targetTcpProxies.get compute.targetTcpProxies.list compute.targetVpnGateways.get compute.targetVpnGateways.list compute.urlMaps.get compute.urlMaps.list compute.urlMaps.validate compute.vpnGateways.get compute.vpnGateways.list compute.vpnTunnels.get compute.vpnTunnels.list compute.zoneOperations.get compute.zoneOperations.getIamPolicy compute.zoneOperations.list compute.zones.* notebooks.environments.get notebooks.environments.getIamPolicy notebooks.environments.list notebooks.executions.get notebooks.executions.getIamPolicy notebooks.executions.list notebooks.instances.checkUpgradability notebooks.instances.get notebooks.instances.getHealth notebooks.instances.getIamPolicy notebooks.instances.list notebooks.locations.* notebooks.operations.get notebooks.operations.list notebooks.runtimes.get notebooks.runtimes.getIamPolicy notebooks.runtimes.list notebooks.schedules.get notebooks.schedules.getIamPolicy notebooks.schedules.list resourcemanager.projects.get resourcemanager.projects.list serviceusage.quotas.get serviceusage.services.get serviceusage.services.list

AI Platform roles

Role	Permissions
AI Platform Admin (`roles/ml.admin`) Provides full access to AI Platform resources, and its jobs, operations, models, and versions. Lowest-level resources where you can grant this role: Project	ml.* resourcemanager.projects.get
AI Platform Developer (`roles/ml.developer`) Provides ability to use AI Platform resources for creating models, versions, jobs for training and prediction, and sending online prediction requests. Lowest-level resources where you can grant this role: Project	ml.jobs.create ml.jobs.get ml.jobs.getIamPolicy ml.jobs.list ml.locations.* ml.models.create ml.models.get ml.models.getIamPolicy ml.models.list ml.models.predict ml.operations.get ml.operations.list ml.projects.getConfig ml.studies.* ml.trials.* ml.versions.get ml.versions.list ml.versions.predict resourcemanager.projects.get
AI Platform Job Owner (`roles/ml.jobOwner`) Provides full access to all permissions for a particular job resource. This role is automatically granted to the user who creates the job. Lowest-level resources where you can grant this role: Job	ml.jobs.*
AI Platform Model Owner (`roles/ml.modelOwner`) Provides full access to the model and its versions. This role is automatically granted to the user who creates the model. Lowest-level resources where you can grant this role: Model	ml.models.* ml.versions.*
AI Platform Model User (`roles/ml.modelUser`) Provides permissions to read the model and its versions, and use them for prediction. Lowest-level resources where you can grant this role: Model	ml.models.get ml.models.predict ml.versions.get ml.versions.list ml.versions.predict
AI Platform Operation Owner (`roles/ml.operationOwner`) Provides full access to all permissions for a particular operation resource. Lowest-level resources where you can grant this role: Operation	ml.operations.*
AI Platform Viewer (`roles/ml.viewer`) Provides read-only access to AI Platform resources. Lowest-level resources where you can grant this role: Project	ml.jobs.get ml.jobs.list ml.locations.* ml.models.get ml.models.list ml.operations.get ml.operations.list ml.projects.getConfig ml.studies.get ml.studies.getIamPolicy ml.studies.list ml.trials.get ml.trials.list ml.versions.get ml.versions.list resourcemanager.projects.get

Analytics Hub roles

Role	Permissions
Analytics Hub Admin (`roles/analyticshub.admin`) Administer Data Exchanges and Listings	analyticshub.dataExchanges.* analyticshub.listings.create analyticshub.listings.delete analyticshub.listings.get analyticshub.listings.getIamPolicy analyticshub.listings.list analyticshub.listings.setIamPolicy analyticshub.listings.update resourcemanager.projects.get resourcemanager.projects.list
Analytics Hub Listing Admin (`roles/analyticshub.listingAdmin`) Grants full control over the Listing, including updating, deleting and setting ACLs	analyticshub.dataExchanges.get analyticshub.dataExchanges.getIamPolicy analyticshub.dataExchanges.list analyticshub.listings.delete analyticshub.listings.get analyticshub.listings.getIamPolicy analyticshub.listings.list analyticshub.listings.setIamPolicy analyticshub.listings.update resourcemanager.projects.get resourcemanager.projects.list
Analytics Hub Publisher (`roles/analyticshub.publisher`) Can publish to Data Exchanges thus creating Listings	analyticshub.dataExchanges.get analyticshub.dataExchanges.getIamPolicy analyticshub.dataExchanges.list analyticshub.listings.create analyticshub.listings.get analyticshub.listings.getIamPolicy analyticshub.listings.list resourcemanager.projects.get resourcemanager.projects.list
Analytics Hub Subscriber (`roles/analyticshub.subscriber`) Can browse Data Exchanges and subscribe to Listings	analyticshub.dataExchanges.get analyticshub.dataExchanges.getIamPolicy analyticshub.dataExchanges.list analyticshub.listings.get analyticshub.listings.getIamPolicy analyticshub.listings.list analyticshub.listings.subscribe resourcemanager.projects.get resourcemanager.projects.list
Analytics Hub Viewer (`roles/analyticshub.viewer`) Can browse Data Exchanges and Listings	analyticshub.dataExchanges.get analyticshub.dataExchanges.getIamPolicy analyticshub.dataExchanges.list analyticshub.listings.get analyticshub.listings.getIamPolicy analyticshub.listings.list resourcemanager.projects.get resourcemanager.projects.list

Android Management roles

Role	Permissions
Android Management User (`roles/androidmanagement.user`) Full access to manage devices.	androidmanagement.enterprises.manage serviceusage.quotas.get serviceusage.services.get serviceusage.services.list

Anthos Multi-cloud roles

Role	Permissions
Anthos Multi-cloud Admin (`roles/gkemulticloud.admin`) Admin access to Anthos Multi-cloud resources.	gkemulticloud.* resourcemanager.projects.get resourcemanager.projects.list
Anthos Multi-cloud Telemetry Writer (`roles/gkemulticloud.telemetryWriter`) Grant access to write cluster telemetry data such as logs, metrics, and resource metadata.	logging.logEntries.create monitoring.metricDescriptors.create monitoring.metricDescriptors.get monitoring.metricDescriptors.list monitoring.monitoredResourceDescriptors.* monitoring.timeSeries.create opsconfigmonitoring.resourceMetadata.write
Anthos Multi-cloud Viewer (`roles/gkemulticloud.viewer`) Viewer access to Anthos Multi-cloud resources.	gkemulticloud.awsClusters.generateAccessToken gkemulticloud.awsClusters.get gkemulticloud.awsClusters.list gkemulticloud.awsNodePools.get gkemulticloud.awsNodePools.list gkemulticloud.awsServerConfigs.get gkemulticloud.azureClients.get gkemulticloud.azureClients.list gkemulticloud.azureClusters.generateAccessToken gkemulticloud.azureClusters.get gkemulticloud.azureClusters.list gkemulticloud.azureNodePools.get gkemulticloud.azureNodePools.list gkemulticloud.azureServerConfigs.get gkemulticloud.operations.get gkemulticloud.operations.list gkemulticloud.operations.wait resourcemanager.projects.get resourcemanager.projects.list

API Gateway roles

Role Permissions

Role	Permissions
ApiGateway Admin (`roles/apigateway.admin`) Full access to ApiGateway and related resources.	apigateway.* monitoring.metricDescriptors.list monitoring.monitoredResourceDescriptors.get monitoring.timeSeries.list resourcemanager.projects.get resourcemanager.projects.list servicemanagement.services.get serviceusage.services.list
ApiGateway Viewer (`roles/apigateway.viewer`) Read-only access to ApiGateway and related resources.	apigateway.apiconfigs.get apigateway.apiconfigs.getIamPolicy apigateway.apiconfigs.list apigateway.apis.get apigateway.apis.getIamPolicy apigateway.apis.list apigateway.gateways.get apigateway.gateways.getIamPolicy apigateway.gateways.list apigateway.locations.* apigateway.operations.get apigateway.operations.list monitoring.metricDescriptors.list monitoring.monitoredResourceDescriptors.get monitoring.timeSeries.list resourcemanager.projects.get resourcemanager.projects.list servicemanagement.services.get serviceusage.services.list

ApiGateway Admin
(roles/apigateway.admin)

Full access to ApiGateway and related resources.

apigateway.*
monitoring.metricDescriptors.list
monitoring.monitoredResourceDescriptors.get
monitoring.timeSeries.list
resourcemanager.projects.get
resourcemanager.projects.list
servicemanagement.services.get
serviceusage.services.list

ApiGateway Viewer
(roles/apigateway.viewer)

Read-only access to ApiGateway and related resources.

apigateway.apiconfigs.get
apigateway.apiconfigs.getIamPolicy
apigateway.apiconfigs.list
apigateway.apis.get
apigateway.apis.getIamPolicy
apigateway.apis.list
apigateway.gateways.get
apigateway.gateways.getIamPolicy
apigateway.gateways.list
apigateway.locations.*
apigateway.operations.get
apigateway.operations.list
monitoring.metricDescriptors.list
monitoring.monitoredResourceDescriptors.get
monitoring.timeSeries.list
resourcemanager.projects.get
resourcemanager.projects.list
servicemanagement.services.get
serviceusage.services.list

Apigee roles

Role	Permissions
Apigee Organization Admin (`roles/apigee.admin`) Full access to all apigee resource features	apigee.* monitoring.timeSeries.list resourcemanager.projects.get resourcemanager.projects.getIamPolicy resourcemanager.projects.list
Apigee Analytics Agent (`roles/apigee.analyticsAgent`) Curated set of permissions for Apigee Universal Data Collection Agent to manage analytics for an Apigee Organization	apigee.datalocation.get apigee.environments.getDataLocation apigee.runtimeconfigs.get
Apigee Analytics Editor (`roles/apigee.analyticsEditor`) Analytics editor for an Apigee Organization	apigee.datacollectors.* apigee.datastores.* apigee.envgroupattachments.get apigee.envgroupattachments.list apigee.envgroups.get apigee.envgroups.list apigee.environments.get apigee.environments.getStats apigee.environments.list apigee.exports.* apigee.hostqueries.* apigee.hoststats.get apigee.organizations.get apigee.organizations.list apigee.queries.* apigee.reports.* resourcemanager.projects.get resourcemanager.projects.list
Apigee Analytics Viewer (`roles/apigee.analyticsViewer`) Analytics viewer for an Apigee Organization	apigee.datacollectors.get apigee.datacollectors.list apigee.datastores.get apigee.datastores.list apigee.envgroupattachments.get apigee.envgroupattachments.list apigee.envgroups.get apigee.envgroups.list apigee.environments.get apigee.environments.getStats apigee.environments.list apigee.exports.get apigee.exports.list apigee.hostqueries.get apigee.hostqueries.list apigee.hoststats.get apigee.organizations.get apigee.organizations.list apigee.queries.get apigee.queries.list apigee.reports.get apigee.reports.list resourcemanager.projects.get resourcemanager.projects.list
Apigee API Admin (`roles/apigee.apiAdminV2`) Full read/write access to all apigee API resources	apigee.apiproductattributes.* apigee.apiproducts.* apigee.envgroupattachments.get apigee.envgroupattachments.list apigee.envgroups.get apigee.envgroups.list apigee.environments.get apigee.environments.getStats apigee.environments.list apigee.keyvaluemapentries.* apigee.keyvaluemaps.* apigee.organizations.get apigee.organizations.list apigee.proxies.* apigee.proxyrevisions.* apigee.sharedflowrevisions.* apigee.sharedflows.* resourcemanager.projects.get resourcemanager.projects.list
Apigee API Reader (`roles/apigee.apiReaderV2`) Reader of apigee resources	apigee.apiproductattributes.get apigee.apiproductattributes.list apigee.apiproducts.get apigee.apiproducts.list apigee.envgroupattachments.get apigee.envgroupattachments.list apigee.envgroups.get apigee.envgroups.list apigee.environments.get apigee.environments.getStats apigee.environments.list apigee.keyvaluemapentries.get apigee.keyvaluemapentries.list apigee.keyvaluemaps.list apigee.organizations.get apigee.organizations.list apigee.proxies.get apigee.proxies.list apigee.proxyrevisions.deploy apigee.proxyrevisions.get apigee.proxyrevisions.list apigee.proxyrevisions.undeploy apigee.sharedflowrevisions.deploy apigee.sharedflowrevisions.get apigee.sharedflowrevisions.list apigee.sharedflowrevisions.undeploy apigee.sharedflows.get apigee.sharedflows.list resourcemanager.projects.get resourcemanager.projects.list
Apigee Developer Admin (`roles/apigee.developerAdmin`) Developer admin of apigee resources	apigee.apiproductattributes.get apigee.apiproductattributes.list apigee.apiproducts.get apigee.apiproducts.list apigee.appkeys.* apigee.apps.* apigee.datacollectors.* apigee.developerappattributes.* apigee.developerapps.* apigee.developerattributes.* apigee.developerbalances.* apigee.developermonetizationconfigs.* apigee.developers.* apigee.developersubscriptions.* apigee.environments.get apigee.environments.getStats apigee.hoststats.get apigee.organizations.get apigee.organizations.list apigee.rateplans.get apigee.rateplans.list resourcemanager.projects.get resourcemanager.projects.getIamPolicy resourcemanager.projects.list
Apigee Environment Admin (`roles/apigee.environmentAdmin`) Full read/write access to apigee environment resources, including deployments.	apigee.archivedeployments.* apigee.datacollectors.get apigee.datacollectors.list apigee.deployments.* apigee.envgroupattachments.get apigee.envgroupattachments.list apigee.envgroups.get apigee.envgroups.list apigee.environments.get apigee.environments.getIamPolicy apigee.environments.getStats apigee.environments.list apigee.environments.setIamPolicy apigee.environments.update apigee.flowhooks.* apigee.ingressconfigs.get apigee.keystorealiases.* apigee.keystores.* apigee.keyvaluemaps.* apigee.maskconfigs.* apigee.organizations.get apigee.organizations.list apigee.proxies.get apigee.proxies.list apigee.proxyrevisions.deploy apigee.proxyrevisions.get apigee.proxyrevisions.list apigee.proxyrevisions.undeploy apigee.references.* apigee.resourcefiles.* apigee.sharedflowrevisions.deploy apigee.sharedflowrevisions.get apigee.sharedflowrevisions.list apigee.sharedflowrevisions.undeploy apigee.sharedflows.get apigee.sharedflows.list apigee.targetservers.* apigee.tracesessions.* resourcemanager.projects.get resourcemanager.projects.getIamPolicy resourcemanager.projects.list
Apigee Monetization Admin (`roles/apigee.monetizationAdmin`) All permissions related to monetization	apigee.apiproducts.get apigee.apiproducts.list apigee.developerbalances.* apigee.developermonetizationconfigs.* apigee.developersubscriptions.* apigee.organizations.get apigee.organizations.list apigee.rateplans.* resourcemanager.projects.get resourcemanager.projects.list
Apigee Portal Admin (`roles/apigee.portalAdmin`) Portal admin for an Apigee Organization	apigee.organizations.get apigee.organizations.list apigee.portals.* resourcemanager.projects.get resourcemanager.projects.list
Apigee Read-only Admin (`roles/apigee.readOnlyAdmin`) Viewer of all apigee resources	apigee.apiproductattributes.get apigee.apiproductattributes.list apigee.apiproducts.get apigee.apiproducts.list apigee.appkeys.get apigee.apps.* apigee.archivedeployments.download apigee.archivedeployments.get apigee.archivedeployments.list apigee.caches.list apigee.canaryevaluations.get apigee.datacollectors.get apigee.datacollectors.list apigee.datalocation.get apigee.datastores.get apigee.datastores.list apigee.deployments.get apigee.deployments.list apigee.developerappattributes.get apigee.developerappattributes.list apigee.developerapps.get apigee.developerapps.list apigee.developerattributes.get apigee.developerattributes.list apigee.developerbalances.get apigee.developermonetizationconfigs.get apigee.developers.get apigee.developers.list apigee.developersubscriptions.get apigee.developersubscriptions.list apigee.envgroupattachments.get apigee.envgroupattachments.list apigee.envgroups.get apigee.envgroups.list apigee.environments.get apigee.environments.getDataLocation apigee.environments.getIamPolicy apigee.environments.getStats apigee.environments.list apigee.exports.get apigee.exports.list apigee.flowhooks.getSharedFlow apigee.flowhooks.list apigee.hostqueries.get apigee.hostqueries.list apigee.hostsecurityreports.get apigee.hostsecurityreports.list apigee.hoststats.get apigee.ingressconfigs.get apigee.instanceattachments.get apigee.instanceattachments.list apigee.instances.get apigee.instances.list apigee.keystorealiases.get apigee.keystorealiases.list apigee.keystores.get apigee.keystores.list apigee.keyvaluemapentries.get apigee.keyvaluemapentries.list apigee.keyvaluemaps.list apigee.maskconfigs.get apigee.operations.* apigee.organizations.get apigee.organizations.list apigee.portals.get apigee.portals.list apigee.proxies.get apigee.proxies.list apigee.proxyrevisions.get apigee.proxyrevisions.list apigee.queries.get apigee.queries.list apigee.rateplans.get apigee.rateplans.list apigee.references.get apigee.references.list apigee.reports.get apigee.reports.list apigee.resourcefiles.get apigee.resourcefiles.list apigee.runtimeconfigs.get apigee.securityProfileEnvironments.computeScore apigee.securityProfiles.* apigee.securityStats.* apigee.securityreports.get apigee.securityreports.list apigee.sharedflowrevisions.get apigee.sharedflowrevisions.list apigee.sharedflows.get apigee.sharedflows.list apigee.targetservers.get apigee.targetservers.list apigee.tracesessions.get apigee.tracesessions.list monitoring.timeSeries.list resourcemanager.projects.get resourcemanager.projects.getIamPolicy resourcemanager.projects.list
Apigee Runtime Agent (`roles/apigee.runtimeAgent`) Curated set of permissions for a runtime agent to access Apigee Organization resources	apigee.canaryevaluations.* apigee.ingressconfigs.get apigee.instances.reportStatus apigee.operations.* apigee.organizations.get apigee.runtimeconfigs.get
Apigee Security Admin (`roles/apigee.securityAdmin`) Security admin for an Apigee Organization	apigee.envgroupattachments.get apigee.envgroupattachments.list apigee.envgroups.get apigee.envgroups.list apigee.environments.get apigee.environments.list apigee.hostsecurityreports.* apigee.organizations.get apigee.organizations.list apigee.securityProfileEnvironments.* apigee.securityProfiles.* apigee.securityStats.* apigee.securityreports.* resourcemanager.projects.get resourcemanager.projects.list
Apigee Security Viewer (`roles/apigee.securityViewer`) Security viewer for an Apigee Organization	apigee.envgroupattachments.get apigee.envgroupattachments.list apigee.envgroups.get apigee.envgroups.list apigee.environments.get apigee.environments.list apigee.hostsecurityreports.get apigee.hostsecurityreports.list apigee.organizations.get apigee.organizations.list apigee.securityProfileEnvironments.computeScore apigee.securityProfiles.* apigee.securityStats.* apigee.securityreports.get apigee.securityreports.list resourcemanager.projects.get resourcemanager.projects.list
Apigee Synchronizer Manager (`roles/apigee.synchronizerManager`) Curated set of permissions for a Synchronizer to manage environments in an Apigee Organization	apigee.environments.get apigee.environments.manageRuntime apigee.ingressconfigs.get
Apigee Connect Admin (`roles/apigeeconnect.Admin`) Admin of Apigee Connect	apigeeconnect.connections.list
Apigee Connect Agent (`roles/apigeeconnect.Agent`) Ability to set up Apigee Connect agent between external clusters and Google.	apigeeconnect.endpoints.connect

Apigee Registry roles

Role	Permissions
Cloud Apigee Registry Admin ^Beta (`roles/apigeeregistry.admin`) Full access to Cloud Apigee Registry Registry and Runtime resources.	apigeeregistry.* resourcemanager.projects.get resourcemanager.projects.list
Cloud Apigee Registry Editor ^Beta (`roles/apigeeregistry.editor`) Edit access to Cloud Apigee Registry Registry resources.	apigeeregistry.apis.create apigeeregistry.apis.delete apigeeregistry.apis.get apigeeregistry.apis.getIamPolicy apigeeregistry.apis.list apigeeregistry.apis.update apigeeregistry.artifacts.create apigeeregistry.artifacts.delete apigeeregistry.artifacts.get apigeeregistry.artifacts.getIamPolicy apigeeregistry.artifacts.list apigeeregistry.artifacts.update apigeeregistry.deployments.* apigeeregistry.specs.create apigeeregistry.specs.delete apigeeregistry.specs.get apigeeregistry.specs.getIamPolicy apigeeregistry.specs.list apigeeregistry.specs.update apigeeregistry.versions.create apigeeregistry.versions.delete apigeeregistry.versions.get apigeeregistry.versions.getIamPolicy apigeeregistry.versions.list apigeeregistry.versions.update resourcemanager.projects.get resourcemanager.projects.list
Cloud Apigee Registry Viewer ^Beta (`roles/apigeeregistry.viewer`) Read-only access to Cloud Apigee Registry Registry resources.	apigeeregistry.apis.get apigeeregistry.apis.list apigeeregistry.artifacts.get apigeeregistry.artifacts.list apigeeregistry.deployments.get apigeeregistry.deployments.list apigeeregistry.specs.get apigeeregistry.specs.list apigeeregistry.versions.get apigeeregistry.versions.list resourcemanager.projects.get resourcemanager.projects.list
Cloud Apigee Registry Worker ^Beta (`roles/apigeeregistry.worker`) The role used by Apigee Registry application workers to read and update Apigee Registry Artifacts.	apigeeregistry.apis.get apigeeregistry.apis.list apigeeregistry.apis.update apigeeregistry.artifacts.create apigeeregistry.artifacts.delete apigeeregistry.artifacts.get apigeeregistry.artifacts.list apigeeregistry.artifacts.update apigeeregistry.deployments.get apigeeregistry.deployments.list apigeeregistry.deployments.update apigeeregistry.specs.get apigeeregistry.specs.list apigeeregistry.specs.update apigeeregistry.versions.get apigeeregistry.versions.list apigeeregistry.versions.update resourcemanager.projects.get resourcemanager.projects.list

App Engine roles

Role	Permissions
App Engine Admin (`roles/appengine.appAdmin`) Read/Write/Modify access to all application configuration and settings. To deploy new versions, a principal must have the Service Account User (`roles/iam.serviceAccountUser`) role on the App Engine default service account, and the Cloud Build Editor (`roles/cloudbuild.builds.editor`) and Cloud Storage Object Admin (`roles/storage.objectAdmin`) roles on the project. Lowest-level resources where you can grant this role: Project	appengine.applications.get appengine.applications.update appengine.instances.* appengine.memcache.addKey appengine.memcache.flush appengine.memcache.get appengine.memcache.update appengine.operations.* appengine.runtimes.actAsAdmin appengine.services.* appengine.versions.create appengine.versions.delete appengine.versions.get appengine.versions.list appengine.versions.update resourcemanager.projects.get resourcemanager.projects.list
App Engine Creator (`roles/appengine.appCreator`) Ability to create the App Engine resource for the project. Lowest-level resources where you can grant this role: Project	appengine.applications.create resourcemanager.projects.get resourcemanager.projects.list
App Engine Viewer (`roles/appengine.appViewer`) Read-only access to all application configuration and settings. Lowest-level resources where you can grant this role: Project	appengine.applications.get appengine.instances.get appengine.instances.list appengine.operations.* appengine.services.get appengine.services.list appengine.versions.get appengine.versions.list resourcemanager.projects.get resourcemanager.projects.list
App Engine Code Viewer (`roles/appengine.codeViewer`) Read-only access to all application configuration, settings, and deployed source code. Lowest-level resources where you can grant this role: Project	appengine.applications.get appengine.instances.get appengine.instances.list appengine.operations.* appengine.services.get appengine.services.list appengine.versions.get appengine.versions.getFileContents appengine.versions.list resourcemanager.projects.get resourcemanager.projects.list
App Engine Deployer (`roles/appengine.deployer`) Read-only access to all application configuration and settings. To deploy new versions, you must also have the Service Account User (`roles/iam.serviceAccountUser`) role on the App Engine default service account, and the Cloud Build Editor (`roles/cloudbuild.builds.editor`) and Cloud Storage Object Admin (`roles/storage.objectAdmin`) roles on the project. Cannot modify existing versions other than deleting versions that are not receiving traffic. Lowest-level resources where you can grant this role: Project	appengine.applications.get appengine.instances.get appengine.instances.list appengine.operations.* appengine.services.get appengine.services.list appengine.versions.create appengine.versions.delete appengine.versions.get appengine.versions.list resourcemanager.projects.get resourcemanager.projects.list
App Engine Memcache Data Admin (`roles/appengine.memcacheDataAdmin`) Can get, set, delete, and flush App Engine Memcache items.	appengine.applications.get appengine.memcache.addKey appengine.memcache.flush appengine.memcache.get appengine.memcache.update resourcemanager.projects.get resourcemanager.projects.list
App Engine Service Admin (`roles/appengine.serviceAdmin`) Read-only access to all application configuration and settings. Write access to module-level and version-level settings. Cannot deploy a new version. Lowest-level resources where you can grant this role: Project	appengine.applications.get appengine.instances.* appengine.operations.* appengine.services.* appengine.versions.delete appengine.versions.get appengine.versions.list appengine.versions.update resourcemanager.projects.get resourcemanager.projects.list

Artifact Registry roles

Role	Permissions
Artifact Registry Administrator (`roles/artifactregistry.admin`) Administrator access to create and manage repositories.	artifactregistry.*
Artifact Registry Reader (`roles/artifactregistry.reader`) Access to read repository items.	artifactregistry.dockerimages.* artifactregistry.files.* artifactregistry.locations.* artifactregistry.mavenartifacts.* artifactregistry.npmpackages.* artifactregistry.packages.get artifactregistry.packages.list artifactregistry.pythonpackages.* artifactregistry.repositories.downloadArtifacts artifactregistry.repositories.get artifactregistry.repositories.list artifactregistry.repositories.listEffectiveTags artifactregistry.repositories.listTagBindings artifactregistry.tags.get artifactregistry.tags.list artifactregistry.versions.get artifactregistry.versions.list
Artifact Registry Repository Administrator (`roles/artifactregistry.repoAdmin`) Access to manage artifacts in repositories.	artifactregistry.aptartifacts.create artifactregistry.dockerimages.* artifactregistry.files.* artifactregistry.locations.* artifactregistry.mavenartifacts.* artifactregistry.npmpackages.* artifactregistry.packages.* artifactregistry.pythonpackages.* artifactregistry.repositories.deleteArtifacts artifactregistry.repositories.downloadArtifacts artifactregistry.repositories.get artifactregistry.repositories.list artifactregistry.repositories.listEffectiveTags artifactregistry.repositories.listTagBindings artifactregistry.repositories.uploadArtifacts artifactregistry.tags.* artifactregistry.versions.* artifactregistry.yumartifacts.create
Artifact Registry Writer (`roles/artifactregistry.writer`) Access to read and write repository items.	artifactregistry.aptartifacts.create artifactregistry.dockerimages.* artifactregistry.files.* artifactregistry.locations.* artifactregistry.mavenartifacts.* artifactregistry.npmpackages.* artifactregistry.packages.get artifactregistry.packages.list artifactregistry.pythonpackages.* artifactregistry.repositories.downloadArtifacts artifactregistry.repositories.get artifactregistry.repositories.list artifactregistry.repositories.listEffectiveTags artifactregistry.repositories.listTagBindings artifactregistry.repositories.uploadArtifacts artifactregistry.tags.create artifactregistry.tags.get artifactregistry.tags.list artifactregistry.tags.update artifactregistry.versions.get artifactregistry.versions.list artifactregistry.yumartifacts.create

Assured Workloads roles

Role	Permissions
Assured Workloads Administrator (`roles/assuredworkloads.admin`) Grants full access to Assured Workloads resources, CRM resources - project/folder and Organization Policy administration	assuredworkloads.* logging.cmekSettings.update orgpolicy.policy.* resourcemanager.folders.create resourcemanager.folders.get resourcemanager.folders.list resourcemanager.organizations.get resourcemanager.projects.create resourcemanager.projects.get resourcemanager.projects.list
Assured Workloads Editor (`roles/assuredworkloads.editor`) Grants read, write access to Assured Workloads resources, CRM resources - project/folder and Organization Policy administration	assuredworkloads.* orgpolicy.policy.* resourcemanager.folders.create resourcemanager.folders.get resourcemanager.folders.list resourcemanager.organizations.get resourcemanager.projects.create resourcemanager.projects.get resourcemanager.projects.list
Assured Workloads Reader (`roles/assuredworkloads.reader`) Grants read access to all Assured Workloads resources and CRM resources - project/folder	assuredworkloads.operations.* assuredworkloads.violations.get assuredworkloads.violations.list assuredworkloads.workload.get assuredworkloads.workload.list resourcemanager.folders.get resourcemanager.folders.list resourcemanager.organizations.get resourcemanager.projects.get resourcemanager.projects.list

AutoML roles

Role	Permissions
AutoML Admin ^Beta (`roles/automl.admin`) Full access to all AutoML resources Lowest-level resources where you can grant this role: Dataset Model	automl.* resourcemanager.projects.get resourcemanager.projects.list serviceusage.services.list
AutoML Editor ^Beta (`roles/automl.editor`) Editor of all AutoML resources Lowest-level resources where you can grant this role: Dataset Model	automl.annotationSpecs.* automl.annotations.* automl.columnSpecs.* automl.datasets.create automl.datasets.delete automl.datasets.export automl.datasets.get automl.datasets.import automl.datasets.list automl.datasets.update automl.examples.* automl.files.* automl.humanAnnotationTasks.* automl.locations.get automl.locations.list automl.modelEvaluations.* automl.models.create automl.models.delete automl.models.deploy automl.models.export automl.models.get automl.models.list automl.models.predict automl.models.undeploy automl.operations.* automl.tableSpecs.* resourcemanager.projects.get resourcemanager.projects.list serviceusage.services.list
AutoML Predictor ^Beta (`roles/automl.predictor`) Predict using models Lowest-level resources where you can grant this role: Model	automl.models.predict resourcemanager.projects.get resourcemanager.projects.list
AutoML Viewer ^Beta (`roles/automl.viewer`) Viewer of all AutoML resources Lowest-level resources where you can grant this role: Dataset Model	automl.annotationSpecs.get automl.annotationSpecs.list automl.annotations.list automl.columnSpecs.get automl.columnSpecs.list automl.datasets.get automl.datasets.list automl.examples.get automl.examples.list automl.files.list automl.humanAnnotationTasks.get automl.humanAnnotationTasks.list automl.locations.get automl.locations.list automl.modelEvaluations.get automl.modelEvaluations.list automl.models.get automl.models.list automl.operations.get automl.operations.list automl.tableSpecs.get automl.tableSpecs.list resourcemanager.projects.get resourcemanager.projects.list serviceusage.services.list

Backup and DR roles

Role	Permissions
Backup and DR Admin (`roles/backupdr.admin`) Full control of Backup and DR resources including ACL configuration via the management console.	backupdr.* resourcemanager.projects.get resourcemanager.projects.list
Backup and DR User (`roles/backupdr.user`) Provides access to management console. Granular Backup and DR permissions depend on ACL configuration provided by Backup and DR admin within the management console.	backupdr.managementServers.backupAccess backupdr.managementServers.get backupdr.managementServers.getIamPolicy backupdr.managementServers.list backupdr.operations.get backupdr.operations.list resourcemanager.projects.get resourcemanager.projects.list
Backup and DR Viewer (`roles/backupdr.viewer`) Read-only access to Backup and DR resources.	backupdr.locations.* backupdr.managementServers.get backupdr.managementServers.getIamPolicy backupdr.managementServers.list backupdr.operations.get backupdr.operations.list resourcemanager.projects.get resourcemanager.projects.list

Backup for GKE roles

Role	Permissions
Backup for GKE Admin ^Beta (`roles/gkebackup.admin`) Full access to all Backup for GKE resources.	gkebackup.* resourcemanager.projects.get resourcemanager.projects.list
Backup for GKE Backup Admin ^Beta (`roles/gkebackup.backupAdmin`) Allows administrators to manage all BackupPlan and Backup resources.	gkebackup.backupPlans.* gkebackup.backups.* gkebackup.locations.* gkebackup.operations.get gkebackup.operations.list gkebackup.volumeBackups.* resourcemanager.projects.get resourcemanager.projects.list
Backup for GKE Delegated Backup Admin ^Beta (`roles/gkebackup.delegatedBackupAdmin`) Allows administrators to manage Backup resources for specific BackupPlans	gkebackup.backupPlans.get gkebackup.backups.* gkebackup.volumeBackups.*
Backup for GKE Delegated Restore Admin ^Beta (`roles/gkebackup.delegatedRestoreAdmin`) Allows administrators to manage Restore resources for specific RestorePlans	gkebackup.restorePlans.get gkebackup.restores.* gkebackup.volumeRestores.*
Backup for GKE Restore Admin ^Beta (`roles/gkebackup.restoreAdmin`) Allows administrators to manage all RestorePlan and Restore resources.	gkebackup.backupPlans.get gkebackup.backupPlans.list gkebackup.backups.get gkebackup.backups.list gkebackup.locations.* gkebackup.operations.get gkebackup.operations.list gkebackup.restorePlans.* gkebackup.restores.* gkebackup.volumeBackups.* gkebackup.volumeRestores.* resourcemanager.projects.get resourcemanager.projects.list
Backup for GKE Viewer ^Beta (`roles/gkebackup.viewer`) Read-only access to all Backup for GKE resources.	gkebackup.backupPlans.get gkebackup.backupPlans.getIamPolicy gkebackup.backupPlans.list gkebackup.backups.get gkebackup.backups.list gkebackup.locations.* gkebackup.operations.get gkebackup.operations.list gkebackup.restorePlans.get gkebackup.restorePlans.getIamPolicy gkebackup.restorePlans.list gkebackup.restores.get gkebackup.restores.list gkebackup.volumeBackups.* gkebackup.volumeRestores.* resourcemanager.projects.get resourcemanager.projects.list

BeyondCorp roles

Role	Permissions
Cloud BeyondCorp Admin ^Beta (`roles/beyondcorp.admin`) Full access to all Cloud BeyondCorp resources.	beyondcorp.appConnections.* beyondcorp.appConnectors.* beyondcorp.appGateways.* beyondcorp.clientConnectorServices.create beyondcorp.clientConnectorServices.delete beyondcorp.clientConnectorServices.get beyondcorp.clientConnectorServices.getIamPolicy beyondcorp.clientConnectorServices.list beyondcorp.clientConnectorServices.setIamPolicy beyondcorp.clientConnectorServices.update beyondcorp.clientGateways.* beyondcorp.locations.* beyondcorp.operations.* resourcemanager.projects.get resourcemanager.projects.list
Cloud BeyondCorp Client Connector Admin ^Beta (`roles/beyondcorp.clientConnectorAdmin`) Full access to all BeyondCorp Client Connector resources.	beyondcorp.clientConnectorServices.create beyondcorp.clientConnectorServices.delete beyondcorp.clientConnectorServices.get beyondcorp.clientConnectorServices.getIamPolicy beyondcorp.clientConnectorServices.list beyondcorp.clientConnectorServices.setIamPolicy beyondcorp.clientConnectorServices.update beyondcorp.clientGateways.* resourcemanager.projects.get resourcemanager.projects.list
Cloud BeyondCorp Client Connector Service User ^Beta (`roles/beyondcorp.clientConnectorServiceUser`) Access Client Connector Service	beyondcorp.clientConnectorServices.access
Cloud BeyondCorp Client Connector Viewer ^Beta (`roles/beyondcorp.clientConnectorViewer`) Read-only access to all BeyondCorp Client Connector resources.	beyondcorp.clientConnectorServices.get beyondcorp.clientConnectorServices.getIamPolicy beyondcorp.clientConnectorServices.list beyondcorp.clientGateways.get beyondcorp.clientGateways.getIamPolicy beyondcorp.clientGateways.list resourcemanager.projects.get resourcemanager.projects.list
Cloud BeyondCorp Viewer ^Beta (`roles/beyondcorp.viewer`) Read-only access to all Cloud BeyondCorp resources.	beyondcorp.appConnections.get beyondcorp.appConnections.getIamPolicy beyondcorp.appConnections.list beyondcorp.appConnectors.get beyondcorp.appConnectors.getIamPolicy beyondcorp.appConnectors.list beyondcorp.appGateways.get beyondcorp.appGateways.getIamPolicy beyondcorp.appGateways.list beyondcorp.clientConnectorServices.get beyondcorp.clientConnectorServices.getIamPolicy beyondcorp.clientConnectorServices.list beyondcorp.clientGateways.get beyondcorp.clientGateways.getIamPolicy beyondcorp.clientGateways.list beyondcorp.locations.* beyondcorp.operations.get beyondcorp.operations.list resourcemanager.projects.get resourcemanager.projects.list

BigQuery roles

Role	Permissions
BigQuery Admin (`roles/bigquery.admin`) Provides permissions to manage all resources within the project. Can manage all data within the project, and can cancel jobs from other users running within the project. Lowest-level resources where you can grant this role: Datasets Row access policies Tables Views	bigquery.bireservations.* bigquery.capacityCommitments.* bigquery.config.* bigquery.connections.* bigquery.dataPolicies.create bigquery.dataPolicies.delete bigquery.dataPolicies.get bigquery.dataPolicies.getIamPolicy bigquery.dataPolicies.list bigquery.dataPolicies.setIamPolicy bigquery.dataPolicies.update bigquery.datasets.* bigquery.jobs.* bigquery.models.* bigquery.readsessions.* bigquery.reservationAssignments.* bigquery.reservations.* bigquery.routines.* bigquery.rowAccessPolicies.create bigquery.rowAccessPolicies.delete bigquery.rowAccessPolicies.getIamPolicy bigquery.rowAccessPolicies.list bigquery.rowAccessPolicies.overrideTimeTravelRestrictions bigquery.rowAccessPolicies.setIamPolicy bigquery.rowAccessPolicies.update bigquery.savedqueries.* bigquery.tables.* bigquery.transfers.* bigquerymigration.translation.translate resourcemanager.projects.get resourcemanager.projects.list
BigQuery Connection Admin (`roles/bigquery.connectionAdmin`)	bigquery.connections.*
BigQuery Connection User (`roles/bigquery.connectionUser`)	bigquery.connections.get bigquery.connections.getIamPolicy bigquery.connections.list bigquery.connections.use
BigQuery Data Editor (`roles/bigquery.dataEditor`) When applied to a table or view, this role provides permissions to: Read and update data and metadata for the table or view. Delete the table or view. This role cannot be applied to individual models or routines. When applied to a dataset, this role provides permissions to: Read the dataset's metadata and list tables in the dataset. Create, update, get, and delete the dataset's tables. When applied at the project or organization level, this role can also create new datasets. Lowest-level resources where you can grant this role: Table View	bigquery.config.get bigquery.datasets.create bigquery.datasets.get bigquery.datasets.getIamPolicy bigquery.datasets.updateTag bigquery.models.* bigquery.routines.* bigquery.tables.create bigquery.tables.createIndex bigquery.tables.createSnapshot bigquery.tables.delete bigquery.tables.deleteIndex bigquery.tables.export bigquery.tables.get bigquery.tables.getData bigquery.tables.getIamPolicy bigquery.tables.list bigquery.tables.restoreSnapshot bigquery.tables.update bigquery.tables.updateData bigquery.tables.updateTag resourcemanager.projects.get resourcemanager.projects.list
BigQuery Data Owner (`roles/bigquery.dataOwner`) When applied to a table or view, this role provides permissions to: Read and update data and metadata for the table or view. Share the table or view. Delete the table or view. This role cannot be applied to individual models or routines. When applied to a dataset, this role provides permissions to: Read, update, and delete the dataset. Create, update, get, and delete the dataset's tables. When applied at the project or organization level, this role can also create new datasets. Lowest-level resources where you can grant this role: Table View	bigquery.config.get bigquery.dataPolicies.create bigquery.dataPolicies.delete bigquery.dataPolicies.get bigquery.dataPolicies.getIamPolicy bigquery.dataPolicies.list bigquery.dataPolicies.setIamPolicy bigquery.dataPolicies.update bigquery.datasets.* bigquery.models.* bigquery.routines.* bigquery.rowAccessPolicies.create bigquery.rowAccessPolicies.delete bigquery.rowAccessPolicies.getIamPolicy bigquery.rowAccessPolicies.list bigquery.rowAccessPolicies.setIamPolicy bigquery.rowAccessPolicies.update bigquery.tables.* resourcemanager.projects.get resourcemanager.projects.list
BigQuery Data Viewer (`roles/bigquery.dataViewer`) When applied to a table or view, this role provides permissions to: Read data and metadata from the table or view. This role cannot be applied to individual models or routines. When applied to a dataset, this role provides permissions to: Read the dataset's metadata and list tables in the dataset. Read data and metadata from the dataset's tables. When applied at the project or organization level, this role can also enumerate all datasets in the project. Additional roles, however, are necessary to allow the running of jobs. Lowest-level resources where you can grant this role: Table View	bigquery.datasets.get bigquery.datasets.getIamPolicy bigquery.models.export bigquery.models.getData bigquery.models.getMetadata bigquery.models.list bigquery.routines.get bigquery.routines.list bigquery.tables.createSnapshot bigquery.tables.export bigquery.tables.get bigquery.tables.getData bigquery.tables.getIamPolicy bigquery.tables.list resourcemanager.projects.get resourcemanager.projects.list
BigQuery Filtered Data Viewer (`roles/bigquery.filteredDataViewer`) Access to view filtered table data defined by a row access policy	bigquery.rowAccessPolicies.getFilteredData
BigQuery Job User (`roles/bigquery.jobUser`) Provides permissions to run jobs, including queries, within the project. Lowest-level resources where you can grant this role: Project	bigquery.config.get bigquery.jobs.create resourcemanager.projects.get resourcemanager.projects.list
BigQuery Metadata Viewer (`roles/bigquery.metadataViewer`) When applied to a table or view, this role provides permissions to: Read metadata from the table or view. This role cannot be applied to individual models or routines. When applied to a dataset, this role provides permissions to: List tables and views in the dataset. Read metadata from the dataset's tables and views. When applied at the project or organization level, this role provides permissions to: List all datasets and read metadata for all datasets in the project. List all tables and views and read metadata for all tables and views in the project. Additional roles are necessary to allow the running of jobs. Lowest-level resources where you can grant this role: Table View	bigquery.datasets.get bigquery.datasets.getIamPolicy bigquery.models.getMetadata bigquery.models.list bigquery.routines.get bigquery.routines.list bigquery.tables.get bigquery.tables.getIamPolicy bigquery.tables.list resourcemanager.projects.get resourcemanager.projects.list
BigQuery Read Session User (`roles/bigquery.readSessionUser`) Access to create and use read sessions	bigquery.readsessions.* resourcemanager.projects.get resourcemanager.projects.list
BigQuery Resource Admin (`roles/bigquery.resourceAdmin`) Administer all BigQuery resources.	bigquery.bireservations.* bigquery.capacityCommitments.* bigquery.jobs.get bigquery.jobs.list bigquery.jobs.listAll bigquery.jobs.listExecutionMetadata bigquery.reservationAssignments.* bigquery.reservations.* recommender.bigqueryCapacityCommitmentsInsights.* recommender.bigqueryCapacityCommitmentsRecommendations.* resourcemanager.projects.get resourcemanager.projects.list
BigQuery Resource Editor (`roles/bigquery.resourceEditor`) Manage all BigQuery resources, but cannot make purchasing decisions.	bigquery.bireservations.get bigquery.capacityCommitments.get bigquery.capacityCommitments.list bigquery.jobs.get bigquery.jobs.list bigquery.jobs.listAll bigquery.jobs.listExecutionMetadata bigquery.reservationAssignments.* bigquery.reservations.* resourcemanager.projects.get resourcemanager.projects.list
BigQuery Resource Viewer (`roles/bigquery.resourceViewer`) View all BigQuery resources but cannot make changes or purchasing decisions.	bigquery.bireservations.get bigquery.capacityCommitments.get bigquery.capacityCommitments.list bigquery.jobs.get bigquery.jobs.list bigquery.jobs.listAll bigquery.jobs.listExecutionMetadata bigquery.reservationAssignments.list bigquery.reservationAssignments.search bigquery.reservations.get bigquery.reservations.list resourcemanager.projects.get resourcemanager.projects.list
BigQuery User (`roles/bigquery.user`) When applied to a dataset, this role provides the ability to read the dataset's metadata and list tables in the dataset. When applied to a project, this role also provides the ability to run jobs, including queries, within the project. A principal with this role can enumerate their own jobs, cancel their own jobs, and enumerate datasets within a project. Additionally, allows the creation of new datasets within the project; the creator is granted the BigQuery Data Owner role (`roles/bigquery.dataOwner`) on these new datasets. Lowest-level resources where you can grant this role: Dataset	bigquery.bireservations.get bigquery.capacityCommitments.get bigquery.capacityCommitments.list bigquery.config.get bigquery.datasets.create bigquery.datasets.get bigquery.datasets.getIamPolicy bigquery.jobs.create bigquery.jobs.list bigquery.models.list bigquery.readsessions.* bigquery.reservationAssignments.list bigquery.reservationAssignments.search bigquery.reservations.get bigquery.reservations.list bigquery.routines.list bigquery.savedqueries.get bigquery.savedqueries.list bigquery.tables.list bigquery.transfers.get bigquerymigration.translation.translate resourcemanager.projects.get resourcemanager.projects.list
Masked Reader ^Beta (`roles/bigquerydatapolicy.maskedReader`) Masked read access to sub-resources tagged by the policy tag associated with a data policy, for example, BigQuery columns	bigquery.dataPolicies.maskedGet

Billing roles

Role	Permissions
Billing Account Administrator (`roles/billing.admin`) Provides access to see and manage all aspects of billing accounts. Lowest-level resources where you can grant this role: Billing Account	billing.accounts.close billing.accounts.get billing.accounts.getCarbonInformation billing.accounts.getIamPolicy billing.accounts.getPaymentInfo billing.accounts.getPricing billing.accounts.getSpendingInformation billing.accounts.getUsageExportSpec billing.accounts.list billing.accounts.move billing.accounts.redeemPromotion billing.accounts.removeFromOrganization billing.accounts.reopen billing.accounts.setIamPolicy billing.accounts.update billing.accounts.updatePaymentInfo billing.accounts.updateUsageExportSpec billing.budgets.* billing.credits.list billing.resourceAssociations.* billing.subscriptions.* cloudnotifications.activities.list cloudsupport.properties.get cloudsupport.techCases.* commerceoffercatalog.* consumerprocurement.accounts.* consumerprocurement.consents.* consumerprocurement.orderAttributions.* consumerprocurement.orders.* dataprocessing.datasources.get dataprocessing.datasources.list dataprocessing.groupcontrols.get dataprocessing.groupcontrols.list logging.logEntries.list logging.logServiceIndexes.list logging.logServices.list logging.logs.list logging.privateLogEntries.list recommender.commitmentUtilizationInsights.* recommender.costInsights.* recommender.spendBasedCommitmentInsights.* recommender.spendBasedCommitmentRecommendations.* recommender.usageCommitmentRecommendations.* resourcemanager.projects.createBillingAssignment resourcemanager.projects.deleteBillingAssignment resourcemanager.projects.get resourcemanager.projects.list
Billing Account Costs Manager (`roles/billing.costsManager`) Manage budgets for a billing account, and view, analyze, and export cost information of a billing account. Lowest-level resources where you can grant this role: Billing Account	billing.accounts.get billing.accounts.getIamPolicy billing.accounts.getSpendingInformation billing.accounts.getUsageExportSpec billing.accounts.list billing.accounts.updateUsageExportSpec billing.budgets.* billing.resourceAssociations.list recommender.costInsights.*
Billing Account Creator (`roles/billing.creator`) Provides access to create billing accounts. Lowest-level resources where you can grant this role: Organization	billing.accounts.create resourcemanager.organizations.get
Project Billing Manager (`roles/billing.projectManager`) When granted in conjunction with the Billing Account User role, provides access to assign a project's billing account or disable its billing. Lowest-level resources where you can grant this role: Project	resourcemanager.projects.createBillingAssignment resourcemanager.projects.deleteBillingAssignment
Billing Account User (`roles/billing.user`) When granted in conjunction with the Project Owner role or Project Billing Manager role, provides access to associate projects with billing accounts. Lowest-level resources where you can grant this role: Billing Account	billing.accounts.get billing.accounts.getIamPolicy billing.accounts.list billing.accounts.redeemPromotion billing.credits.list billing.resourceAssociations.create
Billing Account Viewer (`roles/billing.viewer`) View billing account cost and pricing information, transactions, and billing and commitment recommendations. Lowest-level resources where you can grant this role: Billing Account	billing.accounts.get billing.accounts.getCarbonInformation billing.accounts.getIamPolicy billing.accounts.getPaymentInfo billing.accounts.getPricing billing.accounts.getSpendingInformation billing.accounts.getUsageExportSpec billing.accounts.list billing.budgets.get billing.budgets.list billing.credits.list billing.resourceAssociations.list billing.subscriptions.get billing.subscriptions.list commerceoffercatalog.* consumerprocurement.accounts.get consumerprocurement.accounts.list consumerprocurement.consents.check consumerprocurement.consents.list consumerprocurement.orderAttributions.get consumerprocurement.orderAttributions.list consumerprocurement.orders.get consumerprocurement.orders.list dataprocessing.datasources.get dataprocessing.datasources.list dataprocessing.groupcontrols.get dataprocessing.groupcontrols.list recommender.commitmentUtilizationInsights.get recommender.commitmentUtilizationInsights.list recommender.costInsights.get recommender.costInsights.list recommender.spendBasedCommitmentInsights.get recommender.spendBasedCommitmentInsights.list recommender.spendBasedCommitmentRecommendations.get recommender.spendBasedCommitmentRecommendations.list recommender.usageCommitmentRecommendations.get recommender.usageCommitmentRecommendations.list

Binary Authorization roles

Role	Permissions
Binary Authorization Attestor Admin (`roles/binaryauthorization.attestorsAdmin`) Administrator of Binary Authorization Attestors	binaryauthorization.attestors.* resourcemanager.projects.get resourcemanager.projects.list
Binary Authorization Attestor Editor (`roles/binaryauthorization.attestorsEditor`) Editor of Binary Authorization Attestors	binaryauthorization.attestors.create binaryauthorization.attestors.delete binaryauthorization.attestors.get binaryauthorization.attestors.list binaryauthorization.attestors.update binaryauthorization.attestors.verifyImageAttested resourcemanager.projects.get resourcemanager.projects.list
Binary Authorization Attestor Image Verifier (`roles/binaryauthorization.attestorsVerifier`) Caller of Binary Authorization Attestors VerifyImageAttested	binaryauthorization.attestors.get binaryauthorization.attestors.list binaryauthorization.attestors.verifyImageAttested resourcemanager.projects.get resourcemanager.projects.list
Binary Authorization Attestor Viewer (`roles/binaryauthorization.attestorsViewer`) Viewer of Binary Authorization Attestors	binaryauthorization.attestors.get binaryauthorization.attestors.list resourcemanager.projects.get resourcemanager.projects.list
Binary Authorization Policy Administrator (`roles/binaryauthorization.policyAdmin`) Administrator of Binary Authorization Policy	binaryauthorization.continuousValidationConfig.* binaryauthorization.platformPolicies.* binaryauthorization.policy.* resourcemanager.projects.get resourcemanager.projects.list
Binary Authorization Policy Editor (`roles/binaryauthorization.policyEditor`) Editor of Binary Authorization Policy	binaryauthorization.continuousValidationConfig.get binaryauthorization.continuousValidationConfig.update binaryauthorization.platformPolicies.* binaryauthorization.policy.evaluatePolicy binaryauthorization.policy.get binaryauthorization.policy.update resourcemanager.projects.get resourcemanager.projects.list
Binary Authorization Policy Evaluator ^Beta (`roles/binaryauthorization.policyEvaluator`) Evaluator of Binary Authorization Policy	binaryauthorization.platformPolicies.evaluatePolicy binaryauthorization.platformPolicies.get binaryauthorization.platformPolicies.list binaryauthorization.policy.evaluatePolicy binaryauthorization.policy.get resourcemanager.projects.get resourcemanager.projects.list
Binary Authorization Policy Viewer (`roles/binaryauthorization.policyViewer`) Viewer of Binary Authorization Policy	binaryauthorization.continuousValidationConfig.get binaryauthorization.platformPolicies.get binaryauthorization.platformPolicies.list binaryauthorization.policy.get resourcemanager.projects.get resourcemanager.projects.list

CA Service roles

Role	Permissions
CA Service Admin (`roles/privateca.admin`) Full access to all CA Service resources.	privateca.* resourcemanager.projects.get resourcemanager.projects.list storage.buckets.create
CA Service Auditor (`roles/privateca.auditor`) Read-only access to all CA Service resources.	privateca.caPools.get privateca.caPools.getIamPolicy privateca.caPools.list privateca.certificateAuthorities.get privateca.certificateAuthorities.getIamPolicy privateca.certificateAuthorities.list privateca.certificateRevocationLists.get privateca.certificateRevocationLists.getIamPolicy privateca.certificateRevocationLists.list privateca.certificateTemplates.get privateca.certificateTemplates.getIamPolicy privateca.certificateTemplates.list privateca.certificates.get privateca.certificates.getIamPolicy privateca.certificates.list privateca.locations.* privateca.operations.get privateca.operations.list privateca.reusableConfigs.get privateca.reusableConfigs.getIamPolicy privateca.reusableConfigs.list resourcemanager.projects.get resourcemanager.projects.list
CA Service Operation Manager (`roles/privateca.caManager`) Create and manage CAs, revoke certificates, create certificates templates, and read-only access for CA Service resources.	privateca.caPools.create privateca.caPools.delete privateca.caPools.get privateca.caPools.getIamPolicy privateca.caPools.list privateca.caPools.update privateca.certificateAuthorities.create privateca.certificateAuthorities.delete privateca.certificateAuthorities.get privateca.certificateAuthorities.getIamPolicy privateca.certificateAuthorities.list privateca.certificateAuthorities.update privateca.certificateRevocationLists.get privateca.certificateRevocationLists.getIamPolicy privateca.certificateRevocationLists.list privateca.certificateRevocationLists.update privateca.certificateTemplates.create privateca.certificateTemplates.delete privateca.certificateTemplates.get privateca.certificateTemplates.getIamPolicy privateca.certificateTemplates.list privateca.certificateTemplates.update privateca.certificates.get privateca.certificates.getIamPolicy privateca.certificates.list privateca.certificates.update privateca.locations.* privateca.operations.get privateca.operations.list privateca.reusableConfigs.create privateca.reusableConfigs.delete privateca.reusableConfigs.get privateca.reusableConfigs.getIamPolicy privateca.reusableConfigs.list privateca.reusableConfigs.update resourcemanager.projects.get resourcemanager.projects.list storage.buckets.create
CA Service Certificate Manager (`roles/privateca.certificateManager`) Create certificates and read-only access for CA Service resources.	privateca.caPools.get privateca.caPools.getIamPolicy privateca.caPools.list privateca.certificateAuthorities.get privateca.certificateAuthorities.getIamPolicy privateca.certificateAuthorities.list privateca.certificateRevocationLists.get privateca.certificateRevocationLists.getIamPolicy privateca.certificateRevocationLists.list privateca.certificateTemplates.get privateca.certificateTemplates.getIamPolicy privateca.certificateTemplates.list privateca.certificates.create privateca.certificates.get privateca.certificates.getIamPolicy privateca.certificates.list privateca.locations.* privateca.operations.get privateca.operations.list privateca.reusableConfigs.get privateca.reusableConfigs.getIamPolicy privateca.reusableConfigs.list resourcemanager.projects.get resourcemanager.projects.list
CA Service Certificate Requester (`roles/privateca.certificateRequester`) Request certificates from CA Service.	privateca.certificates.create
CA Service Certificate Template User (`roles/privateca.templateUser`) Read, list and use certificate templates.	privateca.certificateTemplates.get privateca.certificateTemplates.list privateca.certificateTemplates.use
CA Service Workload Certificate Requester (`roles/privateca.workloadCertificateRequester`) Request certificates from CA Service with caller's identity.	privateca.certificates.createForSelf

Certificate Manager roles

Role	Permissions
Certificate Manager Editor (`roles/certificatemanager.editor`) Edit access to Certificate Manager all resources.	certificatemanager.certmapentries.create certificatemanager.certmapentries.get certificatemanager.certmapentries.getIamPolicy certificatemanager.certmapentries.list certificatemanager.certmapentries.update certificatemanager.certmaps.create certificatemanager.certmaps.get certificatemanager.certmaps.getIamPolicy certificatemanager.certmaps.list certificatemanager.certmaps.update certificatemanager.certmaps.use certificatemanager.certs.create certificatemanager.certs.get certificatemanager.certs.getIamPolicy certificatemanager.certs.list certificatemanager.certs.update certificatemanager.certs.use certificatemanager.dnsauthorizations.create certificatemanager.dnsauthorizations.get certificatemanager.dnsauthorizations.getIamPolicy certificatemanager.dnsauthorizations.list certificatemanager.dnsauthorizations.update certificatemanager.dnsauthorizations.use certificatemanager.locations.* certificatemanager.operations.get certificatemanager.operations.list resourcemanager.projects.get resourcemanager.projects.list
Certificate Manager Owner (`roles/certificatemanager.owner`) Full access to Certificate Manager all resources.	certificatemanager.* resourcemanager.projects.get resourcemanager.projects.list
Certificate Manager Viewer (`roles/certificatemanager.viewer`) Read-only access to Certificate Manager all resources.	certificatemanager.certmapentries.get certificatemanager.certmapentries.getIamPolicy certificatemanager.certmapentries.list certificatemanager.certmaps.get certificatemanager.certmaps.getIamPolicy certificatemanager.certmaps.list certificatemanager.certs.get certificatemanager.certs.getIamPolicy certificatemanager.certs.list certificatemanager.dnsauthorizations.get certificatemanager.dnsauthorizations.getIamPolicy certificatemanager.dnsauthorizations.list certificatemanager.locations.* certificatemanager.operations.get certificatemanager.operations.list resourcemanager.projects.get resourcemanager.projects.list

Cloud AlloyDB roles

Role	Permissions
Cloud AlloyDB Admin ^Beta (`roles/alloydb.admin`) Full access to Cloud AlloyDB all resources.	alloydb.* resourcemanager.projects.get resourcemanager.projects.list
Cloud AlloyDB Client ^Beta (`roles/alloydb.client`) Connectivity access to Cloud AlloyDB instances.	alloydb.clusters.generateClientCertificate alloydb.clusters.get alloydb.instances.connect alloydb.instances.get resourcemanager.projects.get resourcemanager.projects.list
Cloud AlloyDB Viewer ^Beta (`roles/alloydb.viewer`) Read-only access to Cloud AlloyDB all resources.	alloydb.backups.get alloydb.backups.list alloydb.clusters.get alloydb.clusters.list alloydb.instances.get alloydb.instances.list alloydb.locations.* alloydb.operations.get alloydb.operations.list alloydb.supportedDatabaseFlags.* resourcemanager.projects.get resourcemanager.projects.list

Cloud Asset roles

Role	Permissions
Cloud Asset Owner (`roles/cloudasset.owner`) Full access to cloud assets metadata	cloudasset.* recommender.cloudAssetInsights.* recommender.locations.*
Cloud Asset Viewer (`roles/cloudasset.viewer`) Read only access to cloud assets metadata	cloudasset.assets.* recommender.cloudAssetInsights.get recommender.cloudAssetInsights.list recommender.locations.*

Cloud Bigtable roles

Role	Permissions
Bigtable Administrator (`roles/bigtable.admin`) Administers all Bigtable instances within a project, including the data stored within tables. Can create new instances. Intended for project administrators. Lowest-level resources where you can grant this role: Table	bigtable.* monitoring.metricDescriptors.get monitoring.metricDescriptors.list monitoring.timeSeries.list resourcemanager.projects.get
Bigtable Reader (`roles/bigtable.reader`) Provides read-only access to the data stored within Bigtable tables. Intended for data scientists, dashboard generators, and other data-analysis scenarios. Lowest-level resources where you can grant this role: Table	bigtable.appProfiles.get bigtable.appProfiles.list bigtable.backups.get bigtable.backups.list bigtable.clusters.get bigtable.clusters.list bigtable.instances.get bigtable.instances.list bigtable.keyvisualizer.* bigtable.locations.list bigtable.tables.checkConsistency bigtable.tables.generateConsistencyToken bigtable.tables.get bigtable.tables.list bigtable.tables.readRows bigtable.tables.sampleRowKeys monitoring.metricDescriptors.get monitoring.metricDescriptors.list monitoring.timeSeries.list resourcemanager.projects.get
Bigtable User (`roles/bigtable.user`) Provides read-write access to the data stored within Bigtable tables. Intended for application developers or service accounts. Lowest-level resources where you can grant this role: Table	bigtable.appProfiles.get bigtable.appProfiles.list bigtable.backups.get bigtable.backups.list bigtable.clusters.get bigtable.clusters.list bigtable.instances.get bigtable.instances.list bigtable.keyvisualizer.* bigtable.locations.list bigtable.tables.checkConsistency bigtable.tables.generateConsistencyToken bigtable.tables.get bigtable.tables.list bigtable.tables.mutateRows bigtable.tables.readRows bigtable.tables.sampleRowKeys monitoring.metricDescriptors.get monitoring.metricDescriptors.list monitoring.timeSeries.list resourcemanager.projects.get
Bigtable Viewer (`roles/bigtable.viewer`) Provides no data access. Intended as a minimal set of permissions to access the Google Cloud console for Bigtable. Lowest-level resources where you can grant this role: Table	bigtable.appProfiles.get bigtable.appProfiles.list bigtable.backups.get bigtable.backups.list bigtable.clusters.get bigtable.clusters.list bigtable.instances.get bigtable.instances.list bigtable.instances.listEffectiveTags bigtable.instances.listTagBindings bigtable.locations.list bigtable.tables.checkConsistency bigtable.tables.generateConsistencyToken bigtable.tables.get bigtable.tables.list monitoring.metricDescriptors.get monitoring.metricDescriptors.list monitoring.timeSeries.list resourcemanager.projects.get

Cloud Build roles

Role	Permissions
Cloud Build Approver (`roles/cloudbuild.builds.approver`) Can approve or reject pending builds.	cloudbuild.builds.approve cloudbuild.builds.get cloudbuild.builds.list remotebuildexecution.blobs.get resourcemanager.projects.get resourcemanager.projects.list
Cloud Build Service Account (`roles/cloudbuild.builds.builder`) Provides access to perform builds.	artifactregistry.aptartifacts.create artifactregistry.dockerimages.* artifactregistry.files.* artifactregistry.locations.* artifactregistry.mavenartifacts.* artifactregistry.npmpackages.* artifactregistry.packages.get artifactregistry.packages.list artifactregistry.pythonpackages.* artifactregistry.repositories.downloadArtifacts artifactregistry.repositories.get artifactregistry.repositories.list artifactregistry.repositories.listEffectiveTags artifactregistry.repositories.listTagBindings artifactregistry.repositories.uploadArtifacts artifactregistry.tags.create artifactregistry.tags.get artifactregistry.tags.list artifactregistry.tags.update artifactregistry.versions.get artifactregistry.versions.list artifactregistry.yumartifacts.create cloudbuild.builds.create cloudbuild.builds.get cloudbuild.builds.list cloudbuild.builds.update cloudbuild.workerpools.use containeranalysis.occurrences.create containeranalysis.occurrences.delete containeranalysis.occurrences.get containeranalysis.occurrences.list containeranalysis.occurrences.update logging.logEntries.create logging.logEntries.list logging.privateLogEntries.list logging.views.access pubsub.topics.create pubsub.topics.publish remotebuildexecution.blobs.get resourcemanager.projects.get resourcemanager.projects.list source.repos.get source.repos.list storage.buckets.create storage.buckets.get storage.buckets.list storage.objects.create storage.objects.delete storage.objects.get storage.objects.list storage.objects.update
Cloud Build Editor (`roles/cloudbuild.builds.editor`) Provides access to create and cancel builds. Lowest-level resources where you can grant this role: Project	cloudbuild.builds.create cloudbuild.builds.get cloudbuild.builds.list cloudbuild.builds.update remotebuildexecution.blobs.get resourcemanager.projects.get resourcemanager.projects.list
Cloud Build Viewer (`roles/cloudbuild.builds.viewer`) Provides access to view builds. Lowest-level resources where you can grant this role: Project	cloudbuild.builds.get cloudbuild.builds.list remotebuildexecution.blobs.get resourcemanager.projects.get resourcemanager.projects.list
Cloud Build Integrations Editor (`roles/cloudbuild.integrationsEditor`) Can update Integrations	cloudbuild.integrations.get cloudbuild.integrations.list cloudbuild.integrations.update resourcemanager.projects.get resourcemanager.projects.list
Cloud Build Integrations Owner (`roles/cloudbuild.integrationsOwner`) Can create/delete Integrations	cloudbuild.integrations.* compute.firewalls.create compute.firewalls.get compute.firewalls.list compute.networks.get compute.networks.updatePolicy compute.regions.get compute.subnetworks.get compute.subnetworks.list resourcemanager.projects.get resourcemanager.projects.list
Cloud Build Integrations Viewer (`roles/cloudbuild.integrationsViewer`) Can view Integrations	cloudbuild.integrations.get cloudbuild.integrations.list resourcemanager.projects.get resourcemanager.projects.list
Cloud Build WorkerPool Editor (`roles/cloudbuild.workerPoolEditor`) Can update and view WorkerPools	cloudbuild.workerpools.get cloudbuild.workerpools.list cloudbuild.workerpools.update resourcemanager.projects.get resourcemanager.projects.list
Cloud Build WorkerPool Owner (`roles/cloudbuild.workerPoolOwner`) Can create, delete, update, and view WorkerPools	cloudbuild.workerpools.create cloudbuild.workerpools.delete cloudbuild.workerpools.get cloudbuild.workerpools.list cloudbuild.workerpools.update resourcemanager.projects.get resourcemanager.projects.list
Cloud Build WorkerPool User (`roles/cloudbuild.workerPoolUser`) Can run builds in the WorkerPool	cloudbuild.workerpools.use
Cloud Build WorkerPool Viewer (`roles/cloudbuild.workerPoolViewer`) Can view WorkerPools	cloudbuild.workerpools.get cloudbuild.workerpools.list resourcemanager.projects.get resourcemanager.projects.list

Cloud Composer roles

Role	Permissions
Cloud Composer v2 API Service Agent Extension (`roles/composer.ServiceAgentV2Ext`) Cloud Composer v2 API Service Agent Extension is a supplementary role required to manage Composer v2 environments.	iam.serviceAccounts.getIamPolicy iam.serviceAccounts.setIamPolicy
Composer Administrator (`roles/composer.admin`) Provides full control of Cloud Composer resources. Lowest-level resources where you can grant this role: Project	composer.* serviceusage.quotas.get serviceusage.services.get serviceusage.services.list
Environment and Storage Object Administrator (`roles/composer.environmentAndStorageObjectAdmin`) Provides full control of Cloud Composer resources and of the objects in all project buckets. Lowest-level resources where you can grant this role: Project	composer.* orgpolicy.policy.get resourcemanager.projects.get resourcemanager.projects.list serviceusage.quotas.get serviceusage.services.get serviceusage.services.list storage.multipartUploads.* storage.objects.*
Environment User and Storage Object Viewer (`roles/composer.environmentAndStorageObjectViewer`) Provides the permissions necessary to list and get Cloud Composer environments and operations. Provides read-only access to objects in all project buckets. Lowest-level resources where you can grant this role: Project	composer.dags.* composer.environments.get composer.environments.list composer.imageversions.list composer.operations.get composer.operations.list resourcemanager.projects.get resourcemanager.projects.list serviceusage.quotas.get serviceusage.services.get serviceusage.services.list storage.objects.get storage.objects.list
Composer Shared VPC Agent (`roles/composer.sharedVpcAgent`) Role that should be assigned to Composer Agent service account in Shared VPC host project	compute.networks.access compute.networks.addPeering compute.networks.get compute.networks.list compute.networks.listPeeringRoutes compute.networks.removePeering compute.networks.updatePeering compute.networks.use compute.networks.useExternalIp compute.projects.get compute.regions.* compute.subnetworks.get compute.subnetworks.list compute.subnetworks.use compute.subnetworks.useExternalIp compute.zones.*
Composer User (`roles/composer.user`) Provides the permissions necessary to list and get Cloud Composer environments and operations. Lowest-level resources where you can grant this role: Project	composer.dags.* composer.environments.get composer.environments.list composer.imageversions.list composer.operations.get composer.operations.list serviceusage.quotas.get serviceusage.services.get serviceusage.services.list
Composer Worker (`roles/composer.worker`) Provides the permissions necessary to run a Cloud Composer environment VM. Intended for service accounts. Lowest-level resources where you can grant this role: Project	artifactregistry.* cloudbuild.builds.create cloudbuild.builds.get cloudbuild.builds.list cloudbuild.builds.update cloudbuild.workerpools.use composer.environments.get container.* containeranalysis.occurrences.create containeranalysis.occurrences.delete containeranalysis.occurrences.get containeranalysis.occurrences.list containeranalysis.occurrences.update logging.logEntries.create logging.logEntries.list logging.privateLogEntries.list logging.views.access monitoring.metricDescriptors.create monitoring.metricDescriptors.get monitoring.metricDescriptors.list monitoring.monitoredResourceDescriptors.* monitoring.timeSeries.* orgpolicy.policy.get pubsub.schemas.attach pubsub.schemas.create pubsub.schemas.delete pubsub.schemas.get pubsub.schemas.list pubsub.schemas.validate pubsub.snapshots.create pubsub.snapshots.delete pubsub.snapshots.get pubsub.snapshots.list pubsub.snapshots.seek pubsub.snapshots.update pubsub.subscriptions.consume pubsub.subscriptions.create pubsub.subscriptions.delete pubsub.subscriptions.get pubsub.subscriptions.list pubsub.subscriptions.update pubsub.topics.attachSubscription pubsub.topics.create pubsub.topics.delete pubsub.topics.detachSubscription pubsub.topics.get pubsub.topics.list pubsub.topics.publish pubsub.topics.update pubsub.topics.updateTag remotebuildexecution.blobs.get resourcemanager.projects.get resourcemanager.projects.list serviceusage.quotas.get serviceusage.services.get serviceusage.services.list source.repos.get source.repos.list storage.buckets.create storage.buckets.get storage.buckets.list storage.multipartUploads.* storage.objects.*

Cloud Connectors roles

Role	Permissions
Connector Admin (`roles/connectors.admin`) Full access to all resources of Connectors Service.	connectors.* resourcemanager.projects.get resourcemanager.projects.list
Connector Invoker (`roles/connectors.invoker`) Full Access to invoke all operations on Connections.	connectors.actions.* connectors.connections.executeSqlQuery connectors.entities.* connectors.entityTypes.list
Connectors Viewer (`roles/connectors.viewer`) Read-only access to Connectors all resources.	connectors.connections.get connectors.connections.getConnectionSchemaMetadata connectors.connections.getIamPolicy connectors.connections.getRuntimeActionSchema connectors.connections.getRuntimeEntitySchema connectors.connections.list connectors.connectors.* connectors.locations.* connectors.operations.get connectors.operations.list connectors.providers.* connectors.runtimeconfig.get connectors.versions.* resourcemanager.projects.get resourcemanager.projects.list

Cloud Data Fusion roles

Role Permissions

Role	Permissions
Cloud Data Fusion Admin ^Beta (`roles/datafusion.admin`) Full access to Cloud Data Fusion Instances, Namespaces and related resources. Lowest-level resources where you can grant this role: Project	datafusion.* resourcemanager.projects.get resourcemanager.projects.list
Cloud Data Fusion Runner ^Beta (`roles/datafusion.runner`) Access to Cloud Data Fusion runtime resources.	datafusion.instances.runtime
Cloud Data Fusion Viewer ^Beta (`roles/datafusion.viewer`) Read-only access to Cloud Data Fusion Instances, Namespaces and related resources. Lowest-level resources where you can grant this role: Project	datafusion.instances.get datafusion.instances.getIamPolicy datafusion.instances.list datafusion.instances.runtime datafusion.locations.* datafusion.operations.get datafusion.operations.list resourcemanager.projects.get resourcemanager.projects.list

Cloud Data Fusion Admin ^Beta
(roles/datafusion.admin)

Full access to Cloud Data Fusion Instances, Namespaces and related resources.

Lowest-level resources where you can grant this role:

Project

datafusion.*
resourcemanager.projects.get
resourcemanager.projects.list

Cloud Data Fusion Runner ^Beta
(roles/datafusion.runner)

Access to Cloud Data Fusion runtime resources.

datafusion.instances.runtime

Cloud Data Fusion Viewer ^Beta
(roles/datafusion.viewer)

Read-only access to Cloud Data Fusion Instances, Namespaces and related resources.

Lowest-level resources where you can grant this role:

Project

datafusion.instances.get
datafusion.instances.getIamPolicy
datafusion.instances.list
datafusion.instances.runtime
datafusion.locations.*
datafusion.operations.get
datafusion.operations.list
resourcemanager.projects.get
resourcemanager.projects.list

Cloud Data Labeling roles

Role	Permissions
Data Labeling Service Admin ^Beta (`roles/datalabeling.admin`) Full access to all Data Labeling resources	datalabeling.* resourcemanager.projects.get resourcemanager.projects.list
Data Labeling Service Editor ^Beta (`roles/datalabeling.editor`) Editor of all Data Labeling resources	datalabeling.* resourcemanager.projects.get resourcemanager.projects.list
Data Labeling Service Viewer ^Beta (`roles/datalabeling.viewer`) Viewer of all Data Labeling resources	datalabeling.annotateddatasets.get datalabeling.annotateddatasets.list datalabeling.annotationspecsets.get datalabeling.annotationspecsets.list datalabeling.dataitems.* datalabeling.datasets.get datalabeling.datasets.list datalabeling.examples.* datalabeling.instructions.get datalabeling.instructions.list datalabeling.operations.get datalabeling.operations.list resourcemanager.projects.get resourcemanager.projects.list

Cloud Dataplex roles

Role	Permissions
Dataplex Administrator (`roles/dataplex.admin`) Full access to all Dataplex resources.	cloudasset.assets.analyzeIamPolicy cloudasset.assets.searchAllIamPolicies cloudasset.assets.searchAllResources dataplex.assetActions.list dataplex.assets.create dataplex.assets.delete dataplex.assets.get dataplex.assets.getIamPolicy dataplex.assets.list dataplex.assets.setIamPolicy dataplex.assets.update dataplex.content.* dataplex.entities.* dataplex.environments.* dataplex.lakeActions.list dataplex.lakes.* dataplex.locations.* dataplex.operations.* dataplex.partitions.* dataplex.tasks.* dataplex.zoneActions.list dataplex.zones.* resourcemanager.projects.get resourcemanager.projects.list
Dataplex Data Owner (`roles/dataplex.dataOwner`) Owner access to data. To be granted to Dataplex resources Lake, Zone or Asset only.	dataplex.assets.ownData dataplex.assets.readData dataplex.assets.writeData
Dataplex Data Reader (`roles/dataplex.dataReader`) Read only access to data. To be granted to Dataplex resources Lake, Zone or Asset only.	dataplex.assets.readData
Dataplex Data Writer (`roles/dataplex.dataWriter`) Write access to data. To be granted to Dataplex resources Lake, Zone or Asset only.	dataplex.assets.writeData
Dataplex Developer (`roles/dataplex.developer`) Allows running data analytics workloads in a lake.	dataplex.content.* dataplex.environments.execute dataplex.environments.get dataplex.environments.list dataplex.tasks.cancel dataplex.tasks.create dataplex.tasks.delete dataplex.tasks.get dataplex.tasks.list dataplex.tasks.update
Dataplex Editor (`roles/dataplex.editor`) Write access to Dataplex resources.	cloudasset.assets.analyzeIamPolicy dataplex.assetActions.list dataplex.assets.create dataplex.assets.delete dataplex.assets.get dataplex.assets.getIamPolicy dataplex.assets.list dataplex.assets.update dataplex.content.delete dataplex.content.get dataplex.content.getIamPolicy dataplex.content.list dataplex.environments.create dataplex.environments.delete dataplex.environments.get dataplex.environments.getIamPolicy dataplex.environments.list dataplex.environments.update dataplex.lakeActions.list dataplex.lakes.create dataplex.lakes.delete dataplex.lakes.get dataplex.lakes.getIamPolicy dataplex.lakes.list dataplex.lakes.update dataplex.operations.* dataplex.tasks.cancel dataplex.tasks.create dataplex.tasks.delete dataplex.tasks.get dataplex.tasks.getIamPolicy dataplex.tasks.list dataplex.tasks.update dataplex.zoneActions.list dataplex.zones.create dataplex.zones.delete dataplex.zones.get dataplex.zones.getIamPolicy dataplex.zones.list dataplex.zones.update
Dataplex Metadata Reader (`roles/dataplex.metadataReader`) Read only access to metadata.	dataplex.assets.get dataplex.assets.list dataplex.entities.get dataplex.entities.list dataplex.partitions.get dataplex.partitions.list dataplex.zones.get dataplex.zones.list
Dataplex Metadata Writer (`roles/dataplex.metadataWriter`) Read and write access to metadata.	dataplex.assets.get dataplex.assets.list dataplex.entities.* dataplex.partitions.* dataplex.zones.get dataplex.zones.list
Dataplex Storage Data Owner (`roles/dataplex.storageDataOwner`) Owner access to data. Should not be used directly. This role is granted by Dataplex to managed resources like Cloud Storage buckets, BigQuery datasets etc.	bigquery.datasets.get bigquery.models.create bigquery.models.delete bigquery.models.export bigquery.models.getData bigquery.models.getMetadata bigquery.models.list bigquery.models.updateData bigquery.models.updateMetadata bigquery.routines.create bigquery.routines.delete bigquery.routines.get bigquery.routines.list bigquery.routines.update bigquery.tables.create bigquery.tables.createSnapshot bigquery.tables.delete bigquery.tables.deleteSnapshot bigquery.tables.export bigquery.tables.get bigquery.tables.getData bigquery.tables.list bigquery.tables.restoreSnapshot bigquery.tables.update bigquery.tables.updateData storage.buckets.get storage.objects.create storage.objects.delete storage.objects.get storage.objects.list storage.objects.update
Dataplex Storage Data Reader (`roles/dataplex.storageDataReader`) Read only access to data. Should not be used directly. This role is granted by Dataplex to managed resources like Cloud Storage buckets, BigQuery datasets etc.	bigquery.datasets.get bigquery.models.export bigquery.models.getData bigquery.models.getMetadata bigquery.models.list bigquery.routines.get bigquery.routines.list bigquery.tables.export bigquery.tables.get bigquery.tables.getData bigquery.tables.list storage.buckets.get storage.objects.get storage.objects.list
Dataplex Storage Data Writer (`roles/dataplex.storageDataWriter`) Write access to data. Should not be used directly. This role is granted by Dataplex to managed resources like Cloud Storage buckets, BigQuery datasets etc.	bigquery.tables.updateData storage.objects.create storage.objects.delete storage.objects.update
Dataplex Viewer (`roles/dataplex.viewer`) Read access to Dataplex resources.	cloudasset.assets.analyzeIamPolicy dataplex.assetActions.list dataplex.assets.get dataplex.assets.getIamPolicy dataplex.assets.list dataplex.content.get dataplex.content.getIamPolicy dataplex.content.list dataplex.environments.get dataplex.environments.getIamPolicy dataplex.environments.list dataplex.lakeActions.list dataplex.lakes.get dataplex.lakes.getIamPolicy dataplex.lakes.list dataplex.operations.get dataplex.operations.list dataplex.tasks.get dataplex.tasks.getIamPolicy dataplex.tasks.list dataplex.zoneActions.list dataplex.zones.get dataplex.zones.getIamPolicy dataplex.zones.list

Cloud Debugger roles

Role Permissions

Role	Permissions
Cloud Debugger Agent ^Beta (`roles/clouddebugger.agent`) Provides permissions to register the debug target, read active breakpoints, and report breakpoint results. Lowest-level resources where you can grant this role: Service Account	clouddebugger.breakpoints.list clouddebugger.breakpoints.listActive clouddebugger.breakpoints.update clouddebugger.debuggees.create
Cloud Debugger User ^Beta (`roles/clouddebugger.user`) Provides permissions to create, view, list, and delete breakpoints (snapshots & logpoints) as well as list debug targets (debuggees). Lowest-level resources where you can grant this role: Project	clouddebugger.breakpoints.create clouddebugger.breakpoints.delete clouddebugger.breakpoints.get clouddebugger.breakpoints.list clouddebugger.debuggees.list

Cloud Debugger Agent ^Beta
(roles/clouddebugger.agent)

Provides permissions to register the debug target, read active breakpoints, and report breakpoint results.

Lowest-level resources where you can grant this role:

Service Account

clouddebugger.breakpoints.list
clouddebugger.breakpoints.listActive
clouddebugger.breakpoints.update
clouddebugger.debuggees.create

Cloud Debugger User ^Beta
(roles/clouddebugger.user)

Provides permissions to create, view, list, and delete breakpoints (snapshots & logpoints) as well as list debug targets (debuggees).

Lowest-level resources where you can grant this role:

Project

clouddebugger.breakpoints.create
clouddebugger.breakpoints.delete
clouddebugger.breakpoints.get
clouddebugger.breakpoints.list
clouddebugger.debuggees.list

Cloud Deploy roles

Role	Permissions
Cloud Deploy Admin ^Beta (`roles/clouddeploy.admin`) Full control of Cloud Deploy resources.	clouddeploy.* resourcemanager.projects.get resourcemanager.projects.list
Cloud Deploy Approver ^Beta (`roles/clouddeploy.approver`) Permission to approve or reject rollouts.	clouddeploy.jobRuns.* clouddeploy.locations.* clouddeploy.operations.* clouddeploy.rollouts.approve clouddeploy.rollouts.get clouddeploy.rollouts.list resourcemanager.projects.get resourcemanager.projects.list
Cloud Deploy Developer ^Beta (`roles/clouddeploy.developer`) Permission to manage deployment configuration without permission to access operational resources, such as targets.	clouddeploy.deliveryPipelines.create clouddeploy.deliveryPipelines.get clouddeploy.deliveryPipelines.getIamPolicy clouddeploy.deliveryPipelines.list clouddeploy.deliveryPipelines.update clouddeploy.jobRuns.* clouddeploy.locations.* clouddeploy.operations.* clouddeploy.releases.* clouddeploy.rollouts.get clouddeploy.rollouts.list resourcemanager.projects.get resourcemanager.projects.list
Cloud Deploy Runner ^Beta (`roles/clouddeploy.jobRunner`) Permission to execute Cloud Deploy work without permission to deliver to a target.	logging.logEntries.create storage.objects.create storage.objects.get storage.objects.list
Cloud Deploy Operator ^Beta (`roles/clouddeploy.operator`) Permission to manage deployment configuration.	clouddeploy.deliveryPipelines.create clouddeploy.deliveryPipelines.get clouddeploy.deliveryPipelines.getIamPolicy clouddeploy.deliveryPipelines.list clouddeploy.deliveryPipelines.update clouddeploy.jobRuns.* clouddeploy.locations.* clouddeploy.operations.* clouddeploy.releases.* clouddeploy.rollouts.create clouddeploy.rollouts.get clouddeploy.rollouts.list clouddeploy.rollouts.retryJob clouddeploy.targets.create clouddeploy.targets.get clouddeploy.targets.getIamPolicy clouddeploy.targets.list clouddeploy.targets.update resourcemanager.projects.get resourcemanager.projects.list
Cloud Deploy Releaser ^Beta (`roles/clouddeploy.releaser`) Permission to create Cloud Deploy releases and rollouts.	clouddeploy.deliveryPipelines.get clouddeploy.jobRuns.* clouddeploy.locations.* clouddeploy.operations.* clouddeploy.releases.create clouddeploy.releases.get clouddeploy.releases.list clouddeploy.rollouts.create clouddeploy.rollouts.get clouddeploy.rollouts.list clouddeploy.targets.get resourcemanager.projects.get resourcemanager.projects.list
Cloud Deploy Viewer ^Beta (`roles/clouddeploy.viewer`) Can view Cloud Deploy resources.	clouddeploy.config.get clouddeploy.deliveryPipelines.get clouddeploy.deliveryPipelines.getIamPolicy clouddeploy.deliveryPipelines.list clouddeploy.jobRuns.* clouddeploy.locations.* clouddeploy.operations.get clouddeploy.operations.list clouddeploy.releases.get clouddeploy.releases.list clouddeploy.rollouts.get clouddeploy.rollouts.list clouddeploy.targets.get clouddeploy.targets.getIamPolicy clouddeploy.targets.list resourcemanager.projects.get resourcemanager.projects.list

Cloud DLP roles

Role	Permissions
DLP Administrator (`roles/dlp.admin`) Administer DLP including jobs and templates.	dlp.* serviceusage.services.use
DLP Analyze Risk Templates Editor (`roles/dlp.analyzeRiskTemplatesEditor`) Edit DLP analyze risk templates.	dlp.analyzeRiskTemplates.*
DLP Analyze Risk Templates Reader (`roles/dlp.analyzeRiskTemplatesReader`) Read DLP analyze risk templates.	dlp.analyzeRiskTemplates.get dlp.analyzeRiskTemplates.list
DLP Column Data Profiles Reader (`roles/dlp.columnDataProfilesReader`) Read DLP column profiles.	dlp.columnDataProfiles.*
DLP Data Profiles Reader (`roles/dlp.dataProfilesReader`) Read DLP profiles.	dlp.columnDataProfiles.* dlp.projectDataProfiles.* dlp.tableDataProfiles.*
DLP De-identify Templates Editor (`roles/dlp.deidentifyTemplatesEditor`) Edit DLP de-identify templates.	dlp.deidentifyTemplates.*
DLP De-identify Templates Reader (`roles/dlp.deidentifyTemplatesReader`) Read DLP de-identify templates.	dlp.deidentifyTemplates.get dlp.deidentifyTemplates.list
DLP Cost Estimation (`roles/dlp.estimatesAdmin`) Manage DLP Cost Estimates.	dlp.estimates.*
DLP Inspect Findings Reader (`roles/dlp.inspectFindingsReader`) Read DLP stored findings.	dlp.inspectFindings.list
DLP Inspect Templates Editor (`roles/dlp.inspectTemplatesEditor`) Edit DLP inspect templates.	dlp.inspectTemplates.*
DLP Inspect Templates Reader (`roles/dlp.inspectTemplatesReader`) Read DLP inspect templates.	dlp.inspectTemplates.get dlp.inspectTemplates.list
DLP Job Triggers Editor (`roles/dlp.jobTriggersEditor`) Edit job triggers configurations.	dlp.jobTriggers.*
DLP Job Triggers Reader (`roles/dlp.jobTriggersReader`) Read job triggers.	dlp.jobTriggers.get dlp.jobTriggers.list
DLP Jobs Editor (`roles/dlp.jobsEditor`) Edit and create jobs	dlp.jobs.* dlp.kms.encrypt
DLP Jobs Reader (`roles/dlp.jobsReader`) Read jobs	dlp.jobs.get dlp.jobs.list
DLP Organization Data Profiles Driver (`roles/dlp.orgdriver`) Permissions needed by the DLP service account to generate data profiles within an organization or folder.	bigquery.bireservations.get bigquery.capacityCommitments.get bigquery.capacityCommitments.list bigquery.config.get bigquery.connections.updateTag bigquery.datasets.create bigquery.datasets.get bigquery.datasets.getIamPolicy bigquery.datasets.updateTag bigquery.jobs.create bigquery.jobs.get bigquery.jobs.list bigquery.jobs.listAll bigquery.jobs.listExecutionMetadata bigquery.models.* bigquery.readsessions.* bigquery.reservationAssignments.list bigquery.reservationAssignments.search bigquery.reservations.get bigquery.reservations.list bigquery.routines.* bigquery.savedqueries.get bigquery.savedqueries.list bigquery.tables.create bigquery.tables.createIndex bigquery.tables.createSnapshot bigquery.tables.delete bigquery.tables.deleteIndex bigquery.tables.export bigquery.tables.get bigquery.tables.getData bigquery.tables.getIamPolicy bigquery.tables.list bigquery.tables.restoreSnapshot bigquery.tables.update bigquery.tables.updateData bigquery.tables.updateTag bigquery.transfers.get bigquerymigration.translation.translate cloudasset.assets.* datacatalog.categories.fineGrainedGet datacatalog.entries.updateTag datacatalog.tagTemplates.create datacatalog.tagTemplates.get datacatalog.tagTemplates.getTag datacatalog.tagTemplates.use dlp.* pubsub.topics.updateTag recommender.cloudAssetInsights.get recommender.cloudAssetInsights.list recommender.locations.* resourcemanager.projects.get resourcemanager.projects.list serviceusage.services.use
DLP Project Data Profiles Reader (`roles/dlp.projectDataProfilesReader`) Read DLP project profiles.	dlp.projectDataProfiles.*
DLP Project Data Profiles Driver (`roles/dlp.projectdriver`) Permissions needed by the DLP service account to generate data profiles within a project.	bigquery.bireservations.get bigquery.capacityCommitments.get bigquery.capacityCommitments.list bigquery.config.get bigquery.connections.updateTag bigquery.datasets.create bigquery.datasets.get bigquery.datasets.getIamPolicy bigquery.datasets.updateTag bigquery.jobs.create bigquery.jobs.get bigquery.jobs.list bigquery.jobs.listAll bigquery.jobs.listExecutionMetadata bigquery.models.* bigquery.readsessions.* bigquery.reservationAssignments.list bigquery.reservationAssignments.search bigquery.reservations.get bigquery.reservations.list bigquery.routines.* bigquery.savedqueries.get bigquery.savedqueries.list bigquery.tables.create bigquery.tables.createIndex bigquery.tables.createSnapshot bigquery.tables.delete bigquery.tables.deleteIndex bigquery.tables.export bigquery.tables.get bigquery.tables.getData bigquery.tables.getIamPolicy bigquery.tables.list bigquery.tables.restoreSnapshot bigquery.tables.update bigquery.tables.updateData bigquery.tables.updateTag bigquery.transfers.get bigquerymigration.translation.translate cloudasset.assets.* datacatalog.categories.fineGrainedGet datacatalog.entries.updateTag datacatalog.tagTemplates.create datacatalog.tagTemplates.get datacatalog.tagTemplates.getTag datacatalog.tagTemplates.use dlp.* pubsub.topics.updateTag recommender.cloudAssetInsights.get recommender.cloudAssetInsights.list recommender.locations.* resourcemanager.projects.get resourcemanager.projects.list serviceusage.services.use
DLP Reader (`roles/dlp.reader`) Read DLP entities, such as jobs and templates.	dlp.analyzeRiskTemplates.get dlp.analyzeRiskTemplates.list dlp.deidentifyTemplates.get dlp.deidentifyTemplates.list dlp.inspectFindings.list dlp.inspectTemplates.get dlp.inspectTemplates.list dlp.jobTriggers.get dlp.jobTriggers.list dlp.jobs.get dlp.jobs.list dlp.locations.* dlp.storedInfoTypes.get dlp.storedInfoTypes.list
DLP Stored InfoTypes Editor (`roles/dlp.storedInfoTypesEditor`) Edit DLP stored info types.	dlp.storedInfoTypes.*
DLP Stored InfoTypes Reader (`roles/dlp.storedInfoTypesReader`) Read DLP stored info types.	dlp.storedInfoTypes.get dlp.storedInfoTypes.list
DLP Table Data Profiles Reader (`roles/dlp.tableDataProfilesReader`) Read DLP table profiles.	dlp.tableDataProfiles.*
DLP User (`roles/dlp.user`) Inspect, Redact, and De-identify Content	dlp.kms.encrypt dlp.locations.* serviceusage.services.use

Cloud Domains roles

Role	Permissions
Cloud Domains Admin (`roles/domains.admin`) Full access to Cloud Domains Registrations and related resources.	domains.* resourcemanager.projects.get resourcemanager.projects.list
Cloud Domains Viewer (`roles/domains.viewer`) Read-only access to Cloud Domains Registrations and related resources.	domains.locations.* domains.operations.get domains.operations.list domains.registrations.get domains.registrations.getIamPolicy domains.registrations.list domains.registrations.listEffectiveTags domains.registrations.listTagBindings resourcemanager.projects.get resourcemanager.projects.list

Cloud Filestore roles

Role	Permissions
Cloud Filestore Editor ^Beta (`roles/file.editor`) Read-write access to Filestore instances and related resources.	file.*
Cloud Filestore Viewer ^Beta (`roles/file.viewer`) Read-only access to Filestore instances and related resources.	file.backups.get file.backups.list file.backups.listEffectiveTags file.backups.listTagBindings file.instances.get file.instances.list file.instances.listEffectiveTags file.instances.listTagBindings file.locations.* file.operations.get file.operations.list file.snapshots.listEffectiveTags file.snapshots.listTagBindings

Cloud Functions roles

Role	Permissions
Cloud Functions Admin (`roles/cloudfunctions.admin`) Full access to functions, operations and locations.	cloudbuild.builds.get cloudbuild.builds.list cloudfunctions.* eventarc.* recommender.locations.* recommender.runServiceIdentityInsights.* recommender.runServiceIdentityRecommendations.* remotebuildexecution.blobs.get resourcemanager.projects.get resourcemanager.projects.list run.* serviceusage.quotas.get serviceusage.services.get serviceusage.services.list
Cloud Functions Developer (`roles/cloudfunctions.developer`) Read and write access to all functions-related resources.	cloudbuild.builds.get cloudbuild.builds.list cloudfunctions.functions.call cloudfunctions.functions.create cloudfunctions.functions.delete cloudfunctions.functions.get cloudfunctions.functions.invoke cloudfunctions.functions.list cloudfunctions.functions.sourceCodeGet cloudfunctions.functions.sourceCodeSet cloudfunctions.functions.update cloudfunctions.locations.* cloudfunctions.operations.* cloudfunctions.runtimes.list eventarc.channelConnections.create eventarc.channelConnections.delete eventarc.channelConnections.get eventarc.channelConnections.getIamPolicy eventarc.channelConnections.list eventarc.channelConnections.publish eventarc.channels.attach eventarc.channels.create eventarc.channels.delete eventarc.channels.get eventarc.channels.getIamPolicy eventarc.channels.list eventarc.channels.publish eventarc.channels.undelete eventarc.channels.update eventarc.googleChannelConfigs.* eventarc.locations.* eventarc.operations.* eventarc.triggers.create eventarc.triggers.delete eventarc.triggers.get eventarc.triggers.getIamPolicy eventarc.triggers.list eventarc.triggers.undelete eventarc.triggers.update recommender.locations.* recommender.runServiceIdentityInsights.* recommender.runServiceIdentityRecommendations.* remotebuildexecution.blobs.get resourcemanager.projects.get resourcemanager.projects.list run.configurations.* run.executions.* run.jobs.create run.jobs.delete run.jobs.get run.jobs.getIamPolicy run.jobs.list run.jobs.run run.jobs.update run.locations.list run.operations.* run.revisions.* run.routes.* run.services.create run.services.delete run.services.get run.services.getIamPolicy run.services.list run.services.listEffectiveTags run.services.listTagBindings run.services.update run.tasks.* serviceusage.quotas.get serviceusage.services.get serviceusage.services.list
Cloud Functions Invoker (`roles/cloudfunctions.invoker`) Ability to invoke HTTP functions with restricted access.	cloudfunctions.functions.invoke
Cloud Functions Viewer (`roles/cloudfunctions.viewer`) Read-only access to functions and locations.	cloudbuild.builds.get cloudbuild.builds.list cloudfunctions.functions.get cloudfunctions.functions.list cloudfunctions.locations.* cloudfunctions.operations.* cloudfunctions.runtimes.list eventarc.channelConnections.get eventarc.channelConnections.getIamPolicy eventarc.channelConnections.list eventarc.channels.get eventarc.channels.getIamPolicy eventarc.channels.list eventarc.googleChannelConfigs.get eventarc.locations.* eventarc.operations.get eventarc.operations.list eventarc.providers.* eventarc.triggers.get eventarc.triggers.getIamPolicy eventarc.triggers.list recommender.locations.* recommender.runServiceIdentityInsights.get recommender.runServiceIdentityInsights.list recommender.runServiceIdentityRecommendations.get recommender.runServiceIdentityRecommendations.list remotebuildexecution.blobs.get resourcemanager.projects.get resourcemanager.projects.list run.configurations.* run.executions.get run.executions.list run.jobs.get run.jobs.getIamPolicy run.jobs.list run.locations.list run.operations.get run.operations.list run.revisions.get run.revisions.list run.routes.get run.routes.list run.services.get run.services.getIamPolicy run.services.list run.services.listEffectiveTags run.services.listTagBindings run.tasks.* serviceusage.quotas.get serviceusage.services.get serviceusage.services.list

Cloud Game Services roles

Role Permissions

Role	Permissions
Game Services API Admin (`roles/gameservices.admin`) Full access to Game Services API and related resources.	gameservices.* resourcemanager.projects.get resourcemanager.projects.list
Game Services API Viewer (`roles/gameservices.viewer`) Read-only access to Game Services API and related resources.	gameservices.gameServerClusters.get gameservices.gameServerClusters.list gameservices.gameServerConfigs.get gameservices.gameServerConfigs.list gameservices.gameServerDeployments.get gameservices.gameServerDeployments.list gameservices.locations.* gameservices.operations.get gameservices.operations.list gameservices.realms.get gameservices.realms.list resourcemanager.projects.get resourcemanager.projects.list

Game Services API Admin
(roles/gameservices.admin)

Full access to Game Services API and related resources.

gameservices.*
resourcemanager.projects.get
resourcemanager.projects.list

Game Services API Viewer
(roles/gameservices.viewer)

Read-only access to Game Services API and related resources.

gameservices.gameServerClusters.get
gameservices.gameServerClusters.list
gameservices.gameServerConfigs.get
gameservices.gameServerConfigs.list
gameservices.gameServerDeployments.get
gameservices.gameServerDeployments.list
gameservices.locations.*
gameservices.operations.get
gameservices.operations.list
gameservices.realms.get
gameservices.realms.list
resourcemanager.projects.get
resourcemanager.projects.list

Cloud Healthcare roles

Role	Permissions
Healthcare Annotation Editor (`roles/healthcare.annotationEditor`) Create, delete, update, read and list annotations.	healthcare.annotationStores.get healthcare.annotationStores.list healthcare.annotations.* healthcare.datasets.get healthcare.datasets.list healthcare.locations.* healthcare.operations.get resourcemanager.projects.get resourcemanager.projects.list
Healthcare Annotation Reader (`roles/healthcare.annotationReader`) Read and list annotations in an Annotation store.	healthcare.annotationStores.get healthcare.annotationStores.list healthcare.annotations.get healthcare.annotations.list healthcare.datasets.get healthcare.datasets.list healthcare.locations.* healthcare.operations.get resourcemanager.projects.get resourcemanager.projects.list
Healthcare Annotation Administrator (`roles/healthcare.annotationStoreAdmin`) Administer Annotation stores.	healthcare.annotationStores.* healthcare.datasets.get healthcare.datasets.list healthcare.locations.* healthcare.operations.get resourcemanager.projects.get resourcemanager.projects.list
Healthcare Annotation Store Viewer (`roles/healthcare.annotationStoreViewer`) List Annotation Stores in a dataset.	healthcare.annotationStores.get healthcare.annotationStores.list healthcare.datasets.get healthcare.datasets.list healthcare.locations.* healthcare.operations.get resourcemanager.projects.get resourcemanager.projects.list
Healthcare Attribute Definition Editor (`roles/healthcare.attributeDefinitionEditor`) Edit AttributeDefinition objects.	healthcare.attributeDefinitions.* healthcare.consentStores.checkDataAccess healthcare.consentStores.evaluateUserConsents healthcare.consentStores.get healthcare.consentStores.list healthcare.consentStores.queryAccessibleData healthcare.datasets.get healthcare.datasets.list healthcare.locations.* healthcare.operations.get resourcemanager.projects.get resourcemanager.projects.list
Healthcare Attribute Definition Reader (`roles/healthcare.attributeDefinitionReader`) Read AttributeDefinition objects in a consent store.	healthcare.attributeDefinitions.get healthcare.attributeDefinitions.list healthcare.consentStores.checkDataAccess healthcare.consentStores.evaluateUserConsents healthcare.consentStores.get healthcare.consentStores.list healthcare.consentStores.queryAccessibleData healthcare.datasets.get healthcare.datasets.list healthcare.locations.* healthcare.operations.get resourcemanager.projects.get resourcemanager.projects.list
Healthcare Consent Artifact Administrator (`roles/healthcare.consentArtifactAdmin`) Administer ConsentArtifact objects.	healthcare.consentArtifacts.* healthcare.consentStores.checkDataAccess healthcare.consentStores.evaluateUserConsents healthcare.consentStores.get healthcare.consentStores.list healthcare.consentStores.queryAccessibleData healthcare.datasets.get healthcare.datasets.list healthcare.locations.* healthcare.operations.get resourcemanager.projects.get resourcemanager.projects.list
Healthcare Consent Artifact Editor (`roles/healthcare.consentArtifactEditor`) Edit ConsentArtifact objects.	healthcare.consentArtifacts.create healthcare.consentArtifacts.get healthcare.consentArtifacts.list healthcare.consentStores.checkDataAccess healthcare.consentStores.evaluateUserConsents healthcare.consentStores.get healthcare.consentStores.list healthcare.consentStores.queryAccessibleData healthcare.datasets.get healthcare.datasets.list healthcare.locations.* healthcare.operations.get resourcemanager.projects.get resourcemanager.projects.list
Healthcare Consent Artifact Reader (`roles/healthcare.consentArtifactReader`) Read ConsentArtifact objects in a consent store.	healthcare.consentArtifacts.get healthcare.consentArtifacts.list healthcare.consentStores.checkDataAccess healthcare.consentStores.evaluateUserConsents healthcare.consentStores.get healthcare.consentStores.list healthcare.consentStores.queryAccessibleData healthcare.datasets.get healthcare.datasets.list healthcare.locations.* healthcare.operations.get resourcemanager.projects.get resourcemanager.projects.list
Healthcare Consent Editor (`roles/healthcare.consentEditor`) Edit Consent objects.	healthcare.consentStores.checkDataAccess healthcare.consentStores.evaluateUserConsents healthcare.consentStores.get healthcare.consentStores.list healthcare.consentStores.queryAccessibleData healthcare.consents.* healthcare.datasets.get healthcare.datasets.list healthcare.locations.* healthcare.operations.get resourcemanager.projects.get resourcemanager.projects.list
Healthcare Consent Reader (`roles/healthcare.consentReader`) Read Consent objects in a consent store.	healthcare.consentStores.checkDataAccess healthcare.consentStores.evaluateUserConsents healthcare.consentStores.get healthcare.consentStores.list healthcare.consentStores.queryAccessibleData healthcare.consents.get healthcare.consents.list healthcare.datasets.get healthcare.datasets.list healthcare.locations.* healthcare.operations.get resourcemanager.projects.get resourcemanager.projects.list
Healthcare Consent Store Administrator (`roles/healthcare.consentStoreAdmin`) Administer Consent stores.	healthcare.consentStores.* healthcare.datasets.get healthcare.datasets.list healthcare.locations.* healthcare.operations.get resourcemanager.projects.get resourcemanager.projects.list
Healthcare Consent Store Viewer (`roles/healthcare.consentStoreViewer`) List Consent Stores in a dataset.	healthcare.consentStores.checkDataAccess healthcare.consentStores.evaluateUserConsents healthcare.consentStores.get healthcare.consentStores.list healthcare.consentStores.queryAccessibleData healthcare.datasets.get healthcare.datasets.list healthcare.locations.* healthcare.operations.get resourcemanager.projects.get resourcemanager.projects.list
Healthcare Dataset Administrator (`roles/healthcare.datasetAdmin`) Administer Healthcare Datasets.	healthcare.datasets.* healthcare.locations.* healthcare.operations.* resourcemanager.projects.get resourcemanager.projects.list
Healthcare Dataset Viewer (`roles/healthcare.datasetViewer`) List the Healthcare Datasets in a project.	healthcare.datasets.get healthcare.datasets.list healthcare.locations.* healthcare.operations.get resourcemanager.projects.get resourcemanager.projects.list
Healthcare DICOM Editor (`roles/healthcare.dicomEditor`) Edit DICOM images individually and in bulk.	healthcare.datasets.get healthcare.datasets.list healthcare.dicomStores.dicomWebDelete healthcare.dicomStores.dicomWebRead healthcare.dicomStores.dicomWebWrite healthcare.dicomStores.export healthcare.dicomStores.get healthcare.dicomStores.import healthcare.dicomStores.list healthcare.locations.* healthcare.operations.cancel healthcare.operations.get resourcemanager.projects.get resourcemanager.projects.list
Healthcare DICOM Store Administrator (`roles/healthcare.dicomStoreAdmin`) Administer DICOM stores.	healthcare.datasets.get healthcare.datasets.list healthcare.dicomStores.create healthcare.dicomStores.deidentify healthcare.dicomStores.delete healthcare.dicomStores.dicomWebDelete healthcare.dicomStores.get healthcare.dicomStores.getIamPolicy healthcare.dicomStores.list healthcare.dicomStores.setIamPolicy healthcare.dicomStores.update healthcare.locations.* healthcare.operations.cancel healthcare.operations.get resourcemanager.projects.get resourcemanager.projects.list
Healthcare DICOM Store Viewer (`roles/healthcare.dicomStoreViewer`) List DICOM Stores in a dataset.	healthcare.datasets.get healthcare.datasets.list healthcare.dicomStores.get healthcare.dicomStores.list healthcare.locations.* healthcare.operations.get resourcemanager.projects.get resourcemanager.projects.list
Healthcare DICOM Viewer (`roles/healthcare.dicomViewer`) Retrieve DICOM images from a DICOM store.	healthcare.datasets.get healthcare.datasets.list healthcare.dicomStores.dicomWebRead healthcare.dicomStores.export healthcare.dicomStores.get healthcare.dicomStores.list healthcare.locations.* healthcare.operations.get resourcemanager.projects.get resourcemanager.projects.list
Healthcare FHIR Resource Editor (`roles/healthcare.fhirResourceEditor`) Create, delete, update, read and search FHIR resources.	healthcare.datasets.get healthcare.datasets.list healthcare.fhirResources.create healthcare.fhirResources.delete healthcare.fhirResources.get healthcare.fhirResources.patch healthcare.fhirResources.translateConceptMap healthcare.fhirResources.update healthcare.fhirStores.executeBundle healthcare.fhirStores.get healthcare.fhirStores.list healthcare.fhirStores.searchResources healthcare.locations.* healthcare.operations.cancel healthcare.operations.get resourcemanager.projects.get resourcemanager.projects.list
Healthcare FHIR Resource Reader (`roles/healthcare.fhirResourceReader`) Read and search FHIR resources.	healthcare.datasets.get healthcare.datasets.list healthcare.fhirResources.get healthcare.fhirResources.translateConceptMap healthcare.fhirStores.executeBundle healthcare.fhirStores.get healthcare.fhirStores.list healthcare.fhirStores.searchResources healthcare.locations.* healthcare.operations.get resourcemanager.projects.get resourcemanager.projects.list
Healthcare FHIR Store Administrator (`roles/healthcare.fhirStoreAdmin`) Administer FHIR resource stores.	healthcare.datasets.get healthcare.datasets.list healthcare.fhirResources.purge healthcare.fhirStores.configureSearch healthcare.fhirStores.create healthcare.fhirStores.deidentify healthcare.fhirStores.delete healthcare.fhirStores.export healthcare.fhirStores.get healthcare.fhirStores.getIamPolicy healthcare.fhirStores.import healthcare.fhirStores.list healthcare.fhirStores.setIamPolicy healthcare.fhirStores.update healthcare.locations.* healthcare.operations.cancel healthcare.operations.get resourcemanager.projects.get resourcemanager.projects.list
Healthcare FHIR Store Viewer (`roles/healthcare.fhirStoreViewer`) List FHIR Stores in a dataset.	healthcare.datasets.get healthcare.datasets.list healthcare.fhirStores.get healthcare.fhirStores.list healthcare.locations.* healthcare.operations.get resourcemanager.projects.get resourcemanager.projects.list
Healthcare HL7v2 Message Consumer (`roles/healthcare.hl7V2Consumer`) List and read HL7v2 messages, update message labels, and publish new messages.	healthcare.datasets.get healthcare.datasets.list healthcare.hl7V2Messages.create healthcare.hl7V2Messages.get healthcare.hl7V2Messages.list healthcare.hl7V2Messages.update healthcare.hl7V2Stores.get healthcare.hl7V2Stores.list healthcare.locations.* healthcare.operations.get resourcemanager.projects.get resourcemanager.projects.list
Healthcare HL7v2 Message Editor (`roles/healthcare.hl7V2Editor`) Read, write, and delete access to HL7v2 messages.	healthcare.datasets.get healthcare.datasets.list healthcare.hl7V2Messages.* healthcare.hl7V2Stores.get healthcare.hl7V2Stores.list healthcare.locations.* healthcare.operations.cancel healthcare.operations.get resourcemanager.projects.get resourcemanager.projects.list
Healthcare HL7v2 Message Ingest (`roles/healthcare.hl7V2Ingest`) Ingest HL7v2 messages received from a source network.	healthcare.datasets.get healthcare.datasets.list healthcare.hl7V2Messages.ingest healthcare.hl7V2Stores.get healthcare.hl7V2Stores.list healthcare.locations.* healthcare.operations.get resourcemanager.projects.get resourcemanager.projects.list
Healthcare HL7v2 Store Administrator (`roles/healthcare.hl7V2StoreAdmin`) Administer HL7v2 Stores.	healthcare.datasets.get healthcare.datasets.list healthcare.hl7V2Stores.* healthcare.locations.* healthcare.operations.cancel healthcare.operations.get resourcemanager.projects.get resourcemanager.projects.list
Healthcare HL7v2 Store Viewer (`roles/healthcare.hl7V2StoreViewer`) View HL7v2 Stores in a dataset.	healthcare.datasets.get healthcare.datasets.list healthcare.hl7V2Stores.get healthcare.hl7V2Stores.list healthcare.locations.* healthcare.operations.get resourcemanager.projects.get resourcemanager.projects.list
Healthcare NLP Service Viewer ^Beta (`roles/healthcare.nlpServiceViewer`) Extract and analyze medical entities from a given text.	healthcare.locations.* healthcare.nlpservice.analyzeEntities resourcemanager.projects.get resourcemanager.projects.list
Healthcare User Data Mapping Editor (`roles/healthcare.userDataMappingEditor`) Edit UserDataMapping objects.	healthcare.consentStores.checkDataAccess healthcare.consentStores.evaluateUserConsents healthcare.consentStores.get healthcare.consentStores.list healthcare.consentStores.queryAccessibleData healthcare.datasets.get healthcare.datasets.list healthcare.locations.* healthcare.operations.get healthcare.userDataMappings.* resourcemanager.projects.get resourcemanager.projects.list
Healthcare User Data Mapping Reader (`roles/healthcare.userDataMappingReader`) Read UserDataMapping objects in a consent store.	healthcare.consentStores.checkDataAccess healthcare.consentStores.evaluateUserConsents healthcare.consentStores.get healthcare.consentStores.list healthcare.consentStores.queryAccessibleData healthcare.datasets.get healthcare.datasets.list healthcare.locations.* healthcare.operations.get healthcare.userDataMappings.get healthcare.userDataMappings.list resourcemanager.projects.get resourcemanager.projects.list

Cloud IAP roles

Role	Permissions
IAP Policy Admin (`roles/iap.admin`) Provides full access to Identity-Aware Proxy resources. Lowest-level resources where you can grant this role: Project	iap.tunnel.* iap.tunnelDestGroups.getIamPolicy iap.tunnelDestGroups.setIamPolicy iap.tunnelInstances.getIamPolicy iap.tunnelInstances.setIamPolicy iap.tunnelLocations.* iap.tunnelZones.* iap.web.getIamPolicy iap.web.setIamPolicy iap.webServiceVersions.getIamPolicy iap.webServiceVersions.setIamPolicy iap.webServices.getIamPolicy iap.webServices.setIamPolicy iap.webTypes.getIamPolicy iap.webTypes.setIamPolicy
IAP-secured Web App User (`roles/iap.httpsResourceAccessor`) Provides permission to access HTTPS resources which use Identity-Aware Proxy.	iap.webServiceVersions.accessViaIAP
IAP Settings Admin (`roles/iap.settingsAdmin`) Administrator of IAP Settings.	iap.projects.* iap.web.getSettings iap.web.updateSettings iap.webServiceVersions.getSettings iap.webServiceVersions.updateSettings iap.webServices.getSettings iap.webServices.updateSettings iap.webTypes.getSettings iap.webTypes.updateSettings
IAP-secured Tunnel Destination Group Editor (`roles/iap.tunnelDestGroupEditor`) Edit Tunnel Destination Group resources which use Identity-Aware Proxy	iap.tunnelDestGroups.create iap.tunnelDestGroups.delete iap.tunnelDestGroups.get iap.tunnelDestGroups.list iap.tunnelDestGroups.update
IAP-secured Tunnel Destination Group Viewer (`roles/iap.tunnelDestGroupViewer`) View Tunnel Destination Group resources which use Identity-Aware Proxy	iap.tunnelDestGroups.get iap.tunnelDestGroups.list
IAP-secured Tunnel User (`roles/iap.tunnelResourceAccessor`) Access Tunnel resources which use Identity-Aware Proxy	iap.tunnelDestGroups.accessViaIAP iap.tunnelInstances.accessViaIAP

Cloud IDS roles

Role	Permissions
Cloud IDS Admin ^Beta (`roles/ids.admin`) Full access to Cloud IDS all resources.	ids.* resourcemanager.projects.get resourcemanager.projects.list
Cloud IDS Viewer ^Beta (`roles/ids.viewer`) Read-only access to Cloud IDS all resources.	ids.endpoints.get ids.endpoints.getIamPolicy ids.endpoints.list ids.locations.* ids.operations.get ids.operations.list resourcemanager.projects.get resourcemanager.projects.list

Cloud IoT roles

Role	Permissions
Cloud IoT Admin (`roles/cloudiot.admin`) Full control of all Cloud IoT resources and permissions. Lowest-level resources where you can grant this role: Device	cloudiot.* cloudiottoken.*
Cloud IoT Device Controller (`roles/cloudiot.deviceController`) Access to update the device configuration, but not to create or delete devices. Lowest-level resources where you can grant this role: Device	cloudiot.devices.get cloudiot.devices.list cloudiot.devices.sendCommand cloudiot.devices.updateConfig cloudiot.registries.get cloudiot.registries.list cloudiottoken.tokensettings.get
Cloud IoT Editor (`roles/cloudiot.editor`) Read-write access to all Cloud IoT resources. Lowest-level resources where you can grant this role: Device	cloudiot.devices.* cloudiot.registries.create cloudiot.registries.delete cloudiot.registries.get cloudiot.registries.list cloudiot.registries.update cloudiottoken.*
Cloud IoT Provisioner (`roles/cloudiot.provisioner`) Access to create and delete devices from registries, but not to modify the registries, and enable devices to publish to topics associated with IoT registry. Lowest-level resources where you can grant this role: Device	cloudiot.devices.* cloudiot.registries.get cloudiot.registries.list cloudiottoken.tokensettings.get
Cloud IoT Viewer (`roles/cloudiot.viewer`) Read-only access to all Cloud IoT resources. Lowest-level resources where you can grant this role: Device	cloudiot.devices.get cloudiot.devices.list cloudiot.registries.get cloudiot.registries.list cloudiottoken.tokensettings.get

Cloud KMS roles

Role	Permissions
Cloud KMS Admin (`roles/cloudkms.admin`) Provides full access to Cloud KMS resources, except encrypt and decrypt operations. Lowest-level resources where you can grant this role: CryptoKey	cloudkms.cryptoKeyVersions.create cloudkms.cryptoKeyVersions.destroy cloudkms.cryptoKeyVersions.get cloudkms.cryptoKeyVersions.list cloudkms.cryptoKeyVersions.restore cloudkms.cryptoKeyVersions.update cloudkms.cryptoKeyVersions.useToDecryptViaDelegation cloudkms.cryptoKeyVersions.useToEncryptViaDelegation cloudkms.cryptoKeys.* cloudkms.ekmConnections.* cloudkms.importJobs.* cloudkms.keyRings.* cloudkms.locations.get cloudkms.locations.list resourcemanager.projects.get
Cloud KMS CryptoKey Decrypter (`roles/cloudkms.cryptoKeyDecrypter`) Provides ability to use Cloud KMS resources for decrypt operations only. Lowest-level resources where you can grant this role: CryptoKey	cloudkms.cryptoKeyVersions.useToDecrypt cloudkms.locations.get cloudkms.locations.list resourcemanager.projects.get
Cloud KMS CryptoKey Decrypter Via Delegation (`roles/cloudkms.cryptoKeyDecrypterViaDelegation`) Enables Decrypt operations via other GCP services	cloudkms.cryptoKeyVersions.useToDecryptViaDelegation cloudkms.locations.get cloudkms.locations.list resourcemanager.projects.get resourcemanager.projects.list
Cloud KMS CryptoKey Encrypter (`roles/cloudkms.cryptoKeyEncrypter`) Provides ability to use Cloud KMS resources for encrypt operations only. Lowest-level resources where you can grant this role: CryptoKey	cloudkms.cryptoKeyVersions.useToEncrypt cloudkms.locations.get cloudkms.locations.list resourcemanager.projects.get
Cloud KMS CryptoKey Encrypter/Decrypter (`roles/cloudkms.cryptoKeyEncrypterDecrypter`) Provides ability to use Cloud KMS resources for encrypt and decrypt operations only. Lowest-level resources where you can grant this role: CryptoKey	cloudkms.cryptoKeyVersions.useToDecrypt cloudkms.cryptoKeyVersions.useToEncrypt cloudkms.locations.get cloudkms.locations.list resourcemanager.projects.get
Cloud KMS CryptoKey Encrypter/Decrypter Via Delegation (`roles/cloudkms.cryptoKeyEncrypterDecrypterViaDelegation`) Enables Encrypt and Decrypt operations via other GCP services	cloudkms.cryptoKeyVersions.useToDecryptViaDelegation cloudkms.cryptoKeyVersions.useToEncryptViaDelegation cloudkms.locations.get cloudkms.locations.list resourcemanager.projects.get resourcemanager.projects.list
Cloud KMS CryptoKey Encrypter Via Delegation (`roles/cloudkms.cryptoKeyEncrypterViaDelegation`) Enables Encrypt operations via other GCP services	cloudkms.cryptoKeyVersions.useToEncryptViaDelegation cloudkms.locations.get cloudkms.locations.list resourcemanager.projects.get resourcemanager.projects.list
Cloud KMS Crypto Operator (`roles/cloudkms.cryptoOperator`) Enables all Crypto Operations.	cloudkms.cryptoKeyVersions.useToDecrypt cloudkms.cryptoKeyVersions.useToEncrypt cloudkms.cryptoKeyVersions.useToSign cloudkms.cryptoKeyVersions.useToVerify cloudkms.cryptoKeyVersions.viewPublicKey cloudkms.locations.* resourcemanager.projects.get
Cloud KMS Expert Raw PKCS#1 Key Manager (`roles/cloudkms.expertRawPKCS1`) Enables raw PKCS#1 keys management.	cloudkms.cryptoKeyVersions.manageRawPKCS1Keys cloudkms.locations.get cloudkms.locations.list resourcemanager.projects.get resourcemanager.projects.list
Cloud KMS Importer (`roles/cloudkms.importer`) Enables ImportCryptoKeyVersion, CreateImportJob, ListImportJobs, and GetImportJob operations	cloudkms.importJobs.create cloudkms.importJobs.get cloudkms.importJobs.list cloudkms.importJobs.useToImport cloudkms.locations.get cloudkms.locations.list resourcemanager.projects.get
Cloud KMS CryptoKey Public Key Viewer (`roles/cloudkms.publicKeyViewer`) Enables GetPublicKey operations	cloudkms.cryptoKeyVersions.viewPublicKey cloudkms.locations.get cloudkms.locations.list resourcemanager.projects.get
Cloud KMS CryptoKey Signer (`roles/cloudkms.signer`) Enables Sign operations	cloudkms.cryptoKeyVersions.useToSign cloudkms.locations.get cloudkms.locations.list resourcemanager.projects.get
Cloud KMS CryptoKey Signer/Verifier (`roles/cloudkms.signerVerifier`) Enables Sign, Verify, and GetPublicKey operations	cloudkms.cryptoKeyVersions.useToSign cloudkms.cryptoKeyVersions.useToVerify cloudkms.cryptoKeyVersions.viewPublicKey cloudkms.locations.get cloudkms.locations.list resourcemanager.projects.get
Cloud KMS CryptoKey Verifier (`roles/cloudkms.verifier`) Enables Verify and GetPublicKey operations	cloudkms.cryptoKeyVersions.useToVerify cloudkms.cryptoKeyVersions.viewPublicKey cloudkms.locations.get cloudkms.locations.list resourcemanager.projects.get
Cloud KMS Viewer (`roles/cloudkms.viewer`) Enables Get and List operations.	cloudkms.cryptoKeyVersions.get cloudkms.cryptoKeyVersions.list cloudkms.cryptoKeys.get cloudkms.cryptoKeys.list cloudkms.ekmConnections.get cloudkms.ekmConnections.list cloudkms.importJobs.get cloudkms.importJobs.list cloudkms.keyRings.get cloudkms.keyRings.list cloudkms.locations.get cloudkms.locations.list resourcemanager.projects.get

Cloud Life Sciences roles

Role	Permissions
Cloud Life Sciences Admin ^Beta (`roles/lifesciences.admin`) Full control of Cloud Life Sciences resources.	lifesciences.*
Cloud Life Sciences Editor ^Beta (`roles/lifesciences.editor`) Access to read and edit Cloud Life Sciences resources.	lifesciences.*
Cloud Life Sciences Viewer ^Beta (`roles/lifesciences.viewer`) Access to read Cloud Life Sciences resources.	lifesciences.operations.get lifesciences.operations.list resourcemanager.projects.get resourcemanager.projects.list
Cloud Life Sciences Workflows Runner ^Beta (`roles/lifesciences.workflowsRunner`) Full access to operate on Cloud Life Sciences workflows.	lifesciences.*

Cloud Managed Identities roles

Role	Permissions
Google Cloud Managed Identities Admin (`roles/managedidentities.admin`) Full access to Google Cloud Managed Identities Domains and related resources. Intended to be granted on a project-level.	managedidentities.* resourcemanager.projects.get resourcemanager.projects.list
Google Cloud Managed Identities Backup Admin (`roles/managedidentities.backupAdmin`) Full access to Google Cloud Managed Identities Backup and related resources. Intended to be granted on a project-level	managedidentities.backups.* managedidentities.domains.get managedidentities.locations.* managedidentities.operations.* resourcemanager.projects.get resourcemanager.projects.list
Google Cloud Managed Identities Backup Viewer (`roles/managedidentities.backupViewer`) Read-only access to Google Cloud Managed Identities Backup and related resources.	managedidentities.backups.get managedidentities.backups.getIamPolicy managedidentities.backups.list managedidentities.domains.get managedidentities.locations.* managedidentities.operations.get managedidentities.operations.list resourcemanager.projects.get resourcemanager.projects.list
Google Cloud Managed Identities Domain Admin (`roles/managedidentities.domainAdmin`) Read-Update-Delete to Google Cloud Managed Identities Domains and related resources. Intended to be granted on a resource (domain) level.	managedidentities.backups.* managedidentities.domains.attachTrust managedidentities.domains.createTagBinding managedidentities.domains.delete managedidentities.domains.deleteTagBinding managedidentities.domains.detachTrust managedidentities.domains.extendSchema managedidentities.domains.get managedidentities.domains.getIamPolicy managedidentities.domains.listEffectiveTags managedidentities.domains.listTagBindings managedidentities.domains.reconfigureTrust managedidentities.domains.resetpassword managedidentities.domains.restore managedidentities.domains.update managedidentities.domains.updateLDAPSSettings managedidentities.domains.validateTrust managedidentities.locations.* managedidentities.operations.get managedidentities.operations.list managedidentities.sqlintegrations.* resourcemanager.projects.get resourcemanager.projects.list
Google Cloud Managed Identities Peering Admin (`roles/managedidentities.peeringAdmin`) Full access to Google Cloud Managed Identities Domains and related resources. Intended to be granted on a project-level	managedidentities.locations.* managedidentities.operations.* managedidentities.peerings.* resourcemanager.projects.get resourcemanager.projects.list
Google Cloud Managed Identities Peering Viewer (`roles/managedidentities.peeringViewer`) Read-only access to Google Cloud Managed Identities Peering and related resources.	managedidentities.locations.* managedidentities.operations.get managedidentities.operations.list managedidentities.peerings.get managedidentities.peerings.getIamPolicy managedidentities.peerings.list resourcemanager.projects.get resourcemanager.projects.list
Google Cloud Managed Identities Viewer (`roles/managedidentities.viewer`) Read-only access to Google Cloud Managed Identities Domains and related resources.	managedidentities.backups.get managedidentities.backups.getIamPolicy managedidentities.backups.list managedidentities.domains.get managedidentities.domains.getIamPolicy managedidentities.domains.list managedidentities.domains.listEffectiveTags managedidentities.domains.listTagBindings managedidentities.locations.* managedidentities.operations.get managedidentities.operations.list managedidentities.peerings.get managedidentities.peerings.getIamPolicy managedidentities.peerings.list managedidentities.sqlintegrations.* resourcemanager.projects.get resourcemanager.projects.list

Cloud Marketplace roles

Role	Permissions
Commerce Offer Catalog Offers Viewer ^Beta (`roles/commerceoffercatalog.offersViewer`) Allows viewing offers	commerceoffercatalog.*
Commerce Price Management Private Offers Admin ^Beta (`roles/commercepricemanagement.privateOffersAdmin`) Allows managing private offers	commerceprice.* resourcemanager.projects.get resourcemanager.projects.list serviceusage.services.get serviceusage.services.list
Commerce Price Management Viewer ^Beta (`roles/commercepricemanagement.viewer`) Allows viewing offers, free trials, skus	commerceprice.privateoffers.get commerceprice.privateoffers.list resourcemanager.projects.get resourcemanager.projects.list serviceusage.services.get serviceusage.services.list
Consumer Procurement Entitlement Manager ^Beta (`roles/consumerprocurement.entitlementManager`) Allows managing entitlements and enabling, disabling, and inspecting service states for a consumer project.	consumerprocurement.entitlements.* consumerprocurement.freeTrials.* resourcemanager.projects.get resourcemanager.projects.list serviceusage.operations.get serviceusage.services.disable serviceusage.services.enable serviceusage.services.get serviceusage.services.list
Consumer Procurement Entitlement Viewer ^Beta (`roles/consumerprocurement.entitlementViewer`) Allows inspecting entitlements and service states for a consumer project.	consumerprocurement.entitlements.* consumerprocurement.freeTrials.get consumerprocurement.freeTrials.list resourcemanager.projects.get resourcemanager.projects.list serviceusage.services.get serviceusage.services.list
Consumer Procurement Order Administrator ^Beta (`roles/consumerprocurement.orderAdmin`) Allows managing purchases.	commerceoffercatalog.* consumerprocurement.accounts.* consumerprocurement.consents.* consumerprocurement.orderAttributions.* consumerprocurement.orders.*
Consumer Procurement Order Viewer ^Beta (`roles/consumerprocurement.orderViewer`) Allows inspecting purchases.	commerceoffercatalog.* consumerprocurement.accounts.get consumerprocurement.accounts.list consumerprocurement.consents.check consumerprocurement.consents.list consumerprocurement.orderAttributions.get consumerprocurement.orderAttributions.list consumerprocurement.orders.get consumerprocurement.orders.list

Cloud Migration roles

Role	Permissions
Velostrata Manager ^Beta (`roles/cloudmigration.inframanager`) Ability to create and manage Compute VMs to run Velostrata Infrastructure	cloudmigration.velostrataendpoints.connect compute.addresses.* compute.diskTypes.* compute.disks.create compute.disks.createSnapshot compute.disks.delete compute.disks.get compute.disks.list compute.disks.setLabels compute.disks.update compute.disks.use compute.disks.useReadOnly compute.globalOperations.get compute.images.get compute.images.list compute.images.useReadOnly compute.instances.attachDisk compute.instances.create compute.instances.delete compute.instances.detachDisk compute.instances.get compute.instances.getSerialPortOutput compute.instances.list compute.instances.reset compute.instances.setDiskAutoDelete compute.instances.setLabels compute.instances.setMachineType compute.instances.setMetadata compute.instances.setMinCpuPlatform compute.instances.setScheduling compute.instances.setServiceAccount compute.instances.setTags compute.instances.start compute.instances.startWithEncryptionKey compute.instances.stop compute.instances.update compute.instances.updateNetworkInterface compute.instances.updateShieldedInstanceConfig compute.instances.use compute.licenseCodes.get compute.licenseCodes.list compute.licenseCodes.update compute.licenseCodes.use compute.licenses.get compute.licenses.list compute.machineTypes.* compute.networks.get compute.networks.list compute.networks.use compute.networks.useExternalIp compute.nodeGroups.get compute.nodeGroups.list compute.nodeTemplates.list compute.projects.get compute.regionOperations.get compute.regions.* compute.snapshots.create compute.snapshots.delete compute.snapshots.get compute.snapshots.setLabels compute.snapshots.useReadOnly compute.subnetworks.get compute.subnetworks.list compute.subnetworks.use compute.subnetworks.useExternalIp compute.zoneOperations.get compute.zones.* gkehub.endpoints.connect iam.serviceAccounts.get iam.serviceAccounts.list resourcemanager.projects.get storage.buckets.create storage.buckets.delete storage.buckets.get storage.buckets.list storage.buckets.update
Velostrata Storage Access ^Beta (`roles/cloudmigration.storageaccess`) Ability to access migration storage	storage.objects.create storage.objects.delete storage.objects.get storage.objects.list storage.objects.update
Velostrata Manager Connection Agent ^Beta (`roles/cloudmigration.velostrataconnect`) Ability to set up connection between Velostrata Manager and Google	cloudmigration.velostrataendpoints.connect gkehub.endpoints.connect
VM Migration Administrator ^Beta (`roles/vmmigration.admin`) Ability to view and edit all VM Migration objects	vmmigration.*
VM Migration Viewer ^Beta (`roles/vmmigration.viewer`) Ability to view all VM Migration objects	vmmigration.cloneJobs.get vmmigration.cloneJobs.list vmmigration.cutoverJobs.get vmmigration.cutoverJobs.list vmmigration.datacenterConnectors.get vmmigration.datacenterConnectors.list vmmigration.deployments.get vmmigration.deployments.list vmmigration.groups.get vmmigration.groups.list vmmigration.locations.* vmmigration.migratingVms.get vmmigration.migratingVms.list vmmigration.operations.get vmmigration.operations.list vmmigration.sources.get vmmigration.sources.list vmmigration.targets.get vmmigration.targets.list vmmigration.utilizationReports.get vmmigration.utilizationReports.list

Cloud Private Catalog roles

Role	Permissions
Catalog Consumer ^Beta (`roles/cloudprivatecatalog.consumer`) Can browse catalogs in the target resource context.	cloudprivatecatalog.targets.get resourcemanager.projects.get resourcemanager.projects.list
Catalog Admin ^Beta (`roles/cloudprivatecatalogproducer.admin`) Can manage catalog and view its associations.	cloudprivatecatalog.targets.get cloudprivatecatalogproducer.associations.* cloudprivatecatalogproducer.catalogAssociations.* cloudprivatecatalogproducer.catalogs.* cloudprivatecatalogproducer.producerCatalogs.* cloudprivatecatalogproducer.products.* cloudprivatecatalogproducer.targets.* resourcemanager.folders.get resourcemanager.folders.list resourcemanager.organizations.get resourcemanager.projects.get resourcemanager.projects.list
Catalog Manager ^Beta (`roles/cloudprivatecatalogproducer.manager`) Can manage associations between a catalog and a target resource.	cloudprivatecatalog.targets.get cloudprivatecatalogproducer.associations.* cloudprivatecatalogproducer.catalogAssociations.* cloudprivatecatalogproducer.catalogs.get cloudprivatecatalogproducer.catalogs.list cloudprivatecatalogproducer.producerCatalogs.get cloudprivatecatalogproducer.producerCatalogs.list cloudprivatecatalogproducer.targets.* resourcemanager.folders.get resourcemanager.folders.list resourcemanager.organizations.get resourcemanager.projects.get resourcemanager.projects.list
Catalog Org Admin ^Beta (`roles/cloudprivatecatalogproducer.orgAdmin`) Can manage catalog org settings.	cloudprivatecatalog.targets.get cloudprivatecatalogproducer.* resourcemanager.folders.get resourcemanager.folders.list resourcemanager.organizations.get resourcemanager.projects.get resourcemanager.projects.list

Cloud Profiler roles

Role	Permissions
Cloud Profiler Agent (`roles/cloudprofiler.agent`) Cloud Profiler agents are allowed to register and provide the profiling data.	cloudprofiler.profiles.create cloudprofiler.profiles.update
Cloud Profiler User (`roles/cloudprofiler.user`) Cloud Profiler users are allowed to query and view the profiling data.	cloudprofiler.profiles.list resourcemanager.projects.get resourcemanager.projects.list serviceusage.quotas.get serviceusage.services.get serviceusage.services.list

Cloud Run roles

Role	Permissions
Cloud Run Admin (`roles/run.admin`) Full control over all Cloud Run resources. Lowest-level resources where you can grant this role: Cloud Run service	recommender.locations.* recommender.runServiceIdentityInsights.* recommender.runServiceIdentityRecommendations.* resourcemanager.projects.get resourcemanager.projects.list run.*
Cloud Run Developer (`roles/run.developer`) Read and write access to all Cloud Run resources.	recommender.locations.* recommender.runServiceIdentityInsights.* recommender.runServiceIdentityRecommendations.* resourcemanager.projects.get resourcemanager.projects.list run.configurations.* run.executions.* run.jobs.create run.jobs.delete run.jobs.get run.jobs.getIamPolicy run.jobs.list run.jobs.run run.jobs.update run.locations.list run.operations.* run.revisions.* run.routes.* run.services.create run.services.delete run.services.get run.services.getIamPolicy run.services.list run.services.listEffectiveTags run.services.listTagBindings run.services.update run.tasks.*
Cloud Run Invoker (`roles/run.invoker`) Can invoke a Cloud Run service. Lowest-level resources where you can grant this role: Cloud Run service	run.jobs.run run.routes.invoke
Cloud Run Viewer (`roles/run.viewer`) Can view the state of all Cloud Run resources, including IAM policies. Lowest-level resources where you can grant this role: Cloud Run service	recommender.locations.* recommender.runServiceIdentityInsights.get recommender.runServiceIdentityInsights.list recommender.runServiceIdentityRecommendations.get recommender.runServiceIdentityRecommendations.list resourcemanager.projects.get resourcemanager.projects.list run.configurations.* run.executions.get run.executions.list run.jobs.get run.jobs.getIamPolicy run.jobs.list run.locations.list run.operations.get run.operations.list run.revisions.get run.revisions.list run.routes.get run.routes.list run.services.get run.services.getIamPolicy run.services.list run.services.listEffectiveTags run.services.listTagBindings run.tasks.*

Cloud Scheduler roles

Role	Permissions
Cloud Scheduler Admin (`roles/cloudscheduler.admin`) Full access to jobs and executions. Note that a Cloud Scheduler Admin (or any custom role with the permission cloudscheduler.jobs.create) can create jobs that publish to any Pub/Sub topics within the project.	appengine.applications.get cloudscheduler.* resourcemanager.projects.get resourcemanager.projects.list serviceusage.services.get serviceusage.services.list
Cloud Scheduler Job Runner (`roles/cloudscheduler.jobRunner`) Access to run jobs.	appengine.applications.get cloudscheduler.jobs.fullView cloudscheduler.jobs.run resourcemanager.projects.get resourcemanager.projects.list serviceusage.services.get serviceusage.services.list
Cloud Scheduler Viewer (`roles/cloudscheduler.viewer`) Get and list access to jobs, executions, and locations.	appengine.applications.get cloudscheduler.jobs.fullView cloudscheduler.jobs.get cloudscheduler.jobs.list cloudscheduler.locations.* resourcemanager.projects.get resourcemanager.projects.list serviceusage.services.get serviceusage.services.list

Cloud Security Scanner roles

Role Permissions

Web Security Scanner Editor
(roles/cloudsecurityscanner.editor)

Full access to all Web Security Scanner resources

Lowest-level resources where you can grant this role:

Project

appengine.applications.get
cloudsecurityscanner.*
compute.addresses.list
resourcemanager.projects.get
resourcemanager.projects.list
serviceusage.quotas.get
serviceusage.services.get
serviceusage.services.list

Web Security Scanner Runner
(roles/cloudsecurityscanner.runner)

Read access to Scan and ScanRun, plus the ability to start scans

Lowest-level resources where you can grant this role:

Project

cloudsecurityscanner.crawledurls.list
cloudsecurityscanner.scanruns.get
cloudsecurityscanner.scanruns.list
cloudsecurityscanner.scanruns.stop
cloudsecurityscanner.scans.get
cloudsecurityscanner.scans.list
cloudsecurityscanner.scans.run

Web Security Scanner Viewer
(roles/cloudsecurityscanner.viewer)

Read access to all Web Security Scanner resources

Lowest-level resources where you can grant this role:

Project

cloudsecurityscanner.crawledurls.list
cloudsecurityscanner.results.*
cloudsecurityscanner.scanruns.get
cloudsecurityscanner.scanruns.getSummary
cloudsecurityscanner.scanruns.list
cloudsecurityscanner.scans.get
cloudsecurityscanner.scans.list
serviceusage.quotas.get
serviceusage.services.get
serviceusage.services.list

Cloud Services roles

Role Permissions

Service Broker Admin
(roles/servicebroker.admin)

Full access to ServiceBroker resources.

servicebroker.*

Service Broker Operator
(roles/servicebroker.operator)

Operational access to the ServiceBroker resources.

servicebroker.bindingoperations.*
servicebroker.bindings.create
servicebroker.bindings.delete
servicebroker.bindings.get
servicebroker.bindings.list
servicebroker.catalogs.create
servicebroker.catalogs.delete
servicebroker.catalogs.get
servicebroker.catalogs.list
servicebroker.instanceoperations.*
servicebroker.instances.create
servicebroker.instances.delete
servicebroker.instances.get
servicebroker.instances.list
servicebroker.instances.update

Cloud Spanner roles

Role	Permissions
Cloud Spanner Admin (`roles/spanner.admin`) Has complete access to all Cloud Spanner resources in a Google Cloud project. A principal with this role can: Grant and revoke permissions to other principals for all Cloud Spanner resources in the project. Allocate and delete chargeable Cloud Spanner resources. Issue get/list/modify operations on Cloud Spanner resources. Read from and write to all Cloud Spanner databases in the project. Fetch project metadata. Lowest-level resources where you can grant this role: Project	monitoring.timeSeries.list resourcemanager.projects.get resourcemanager.projects.list spanner.*
Cloud Spanner Backup Admin (`roles/spanner.backupAdmin`) A principal with this role can: Create, view, update, and delete backups. View and manage a backup's allow policy. This role cannot restore a database from a backup. Lowest-level resources where you can grant this role: Instance	monitoring.timeSeries.list resourcemanager.projects.get resourcemanager.projects.list spanner.backupOperations.* spanner.backups.copy spanner.backups.create spanner.backups.delete spanner.backups.get spanner.backups.getIamPolicy spanner.backups.list spanner.backups.setIamPolicy spanner.backups.update spanner.databases.createBackup spanner.databases.get spanner.databases.list spanner.instances.get spanner.instances.list
Cloud Spanner Backup Writer (`roles/spanner.backupWriter`) This role is intended to be used by scripts that automate backup creation. A principal with this role can create backups, but cannot update or delete them. Lowest-level resources where you can grant this role: Instance	spanner.backupOperations.get spanner.backupOperations.list spanner.backups.copy spanner.backups.create spanner.backups.get spanner.backups.list spanner.databases.createBackup spanner.databases.get spanner.databases.list spanner.instances.get
Cloud Spanner Database Admin (`roles/spanner.databaseAdmin`) A principal with this role can: Get/list all Cloud Spanner instances in the project. Create/list/drop databases in an instance. Grant/revoke access to databases in the project. Read from and write to all Cloud Spanner databases in the project. Lowest-level resources where you can grant this role: Instance	monitoring.timeSeries.list resourcemanager.projects.get resourcemanager.projects.list spanner.databaseOperations.* spanner.databaseRoles.* spanner.databases.beginOrRollbackReadWriteTransaction spanner.databases.beginPartitionedDmlTransaction spanner.databases.beginReadOnlyTransaction spanner.databases.create spanner.databases.drop spanner.databases.get spanner.databases.getDdl spanner.databases.getIamPolicy spanner.databases.list spanner.databases.partitionQuery spanner.databases.partitionRead spanner.databases.read spanner.databases.select spanner.databases.setIamPolicy spanner.databases.update spanner.databases.updateDdl spanner.databases.useRoleBasedAccess spanner.databases.write spanner.instances.get spanner.instances.getIamPolicy spanner.instances.list spanner.sessions.*
Cloud Spanner Database Reader (`roles/spanner.databaseReader`) A principal with this role can: Read from the Cloud Spanner database. Execute SQL queries on the database. View schema for the database. Lowest-level resources where you can grant this role: Database	spanner.databases.beginReadOnlyTransaction spanner.databases.getDdl spanner.databases.partitionQuery spanner.databases.partitionRead spanner.databases.read spanner.databases.select spanner.instances.get spanner.sessions.*
Cloud Spanner Database Role User (`roles/spanner.databaseRoleUser`) In conjunction with the IAM role Cloud Spanner Fine-grained Access User, grants permissions to individual Spanner database roles. Add a condition for each desired Spanner database role that includes the resource type of `spanner.googleapis.com/DatabaseRole` and the resource name ending with `/YOUR_SPANNER_DATABASE_ROLE`.	spanner.databaseRoles.use
Cloud Spanner Database User (`roles/spanner.databaseUser`) A principal with this role can: Read from and write to the Cloud Spanner database. Execute SQL queries on the database, including DML and Partitioned DML. View and update schema for the database. Lowest-level resources where you can grant this role: Database	spanner.databaseOperations.* spanner.databases.beginOrRollbackReadWriteTransaction spanner.databases.beginPartitionedDmlTransaction spanner.databases.beginReadOnlyTransaction spanner.databases.getDdl spanner.databases.partitionQuery spanner.databases.partitionRead spanner.databases.read spanner.databases.select spanner.databases.updateDdl spanner.databases.write spanner.instances.get spanner.sessions.*
Cloud Spanner Fine-grained Access User (`roles/spanner.fineGrainedAccessUser`) Grants permissions to use Spanner's fine-grained access control framework. To grant access to specific database roles, also add the Cloud Spanner Database Role User IAM role and its necessary conditions.	spanner.databaseRoles.list spanner.databases.useRoleBasedAccess
Cloud Spanner Restore Admin (`roles/spanner.restoreAdmin`) A principal with this role can restore databases from backups. If you need to restore a backup to a different instance, apply this role at the project level or to both instances. This role cannot create backups. Lowest-level resources where you can grant this role: Instance	monitoring.timeSeries.list resourcemanager.projects.get resourcemanager.projects.list spanner.backups.get spanner.backups.list spanner.backups.restoreDatabase spanner.databaseOperations.cancel spanner.databaseOperations.get spanner.databaseOperations.list spanner.databases.create spanner.databases.get spanner.databases.list spanner.instances.get spanner.instances.list
Cloud Spanner Viewer (`roles/spanner.viewer`) A principal with this role can: View all Cloud Spanner instances (but cannot modify instances). View all Cloud Spanner databases (but cannot modify or read from databases). For example, you can combine this role with the `roles/spanner.databaseUser` role to grant a user with access to a specific database, but only view access to other instances and databases. This role is recommended at the Google Cloud project level for users interacting with Cloud Spanner resources in the Google Cloud console. Lowest-level resources where you can grant this role: Project	monitoring.timeSeries.list resourcemanager.projects.get resourcemanager.projects.list spanner.databases.list spanner.instanceConfigs.* spanner.instances.get spanner.instances.list

Cloud SQL roles

Role	Permissions
Cloud SQL Admin (`roles/cloudsql.admin`) Provides full control of Cloud SQL resources. Lowest-level resources where you can grant this role: Project	cloudsql.* recommender.cloudsqlIdleInstanceRecommendations.* recommender.cloudsqlInstanceActivityInsights.* recommender.cloudsqlInstanceCpuUsageInsights.* recommender.cloudsqlInstanceDiskUsageTrendInsights.* recommender.cloudsqlInstanceMemoryUsageInsights.* recommender.cloudsqlInstanceOutOfDiskRecommendations.* recommender.cloudsqlInstancePerformanceInsights.* recommender.cloudsqlInstancePerformanceRecommendations.* recommender.cloudsqlInstanceSecurityInsights.* recommender.cloudsqlInstanceSecurityRecommendations.* recommender.cloudsqlOverprovisionedInstanceRecommendations.* resourcemanager.projects.get resourcemanager.projects.list serviceusage.quotas.get serviceusage.services.get serviceusage.services.list
Cloud SQL Client (`roles/cloudsql.client`) Provides connectivity access to Cloud SQL instances. Lowest-level resources where you can grant this role: Project	cloudsql.instances.connect cloudsql.instances.get
Cloud SQL Editor (`roles/cloudsql.editor`) Provides full control of existing Cloud SQL instances excluding modifying users, SSL certificates or deleting resources. Lowest-level resources where you can grant this role: Project	cloudsql.backupRuns.create cloudsql.backupRuns.get cloudsql.backupRuns.list cloudsql.databases.create cloudsql.databases.get cloudsql.databases.list cloudsql.databases.update cloudsql.instances.addServerCa cloudsql.instances.connect cloudsql.instances.export cloudsql.instances.failover cloudsql.instances.get cloudsql.instances.list cloudsql.instances.listEffectiveTags cloudsql.instances.listServerCas cloudsql.instances.listTagBindings cloudsql.instances.restart cloudsql.instances.rotateServerCa cloudsql.instances.truncateLog cloudsql.instances.update cloudsql.sslCerts.get cloudsql.sslCerts.list cloudsql.users.get cloudsql.users.list recommender.cloudsqlIdleInstanceRecommendations.* recommender.cloudsqlInstanceActivityInsights.* recommender.cloudsqlInstanceCpuUsageInsights.* recommender.cloudsqlInstanceDiskUsageTrendInsights.* recommender.cloudsqlInstanceMemoryUsageInsights.* recommender.cloudsqlInstanceOutOfDiskRecommendations.* recommender.cloudsqlInstancePerformanceInsights.* recommender.cloudsqlInstancePerformanceRecommendations.* recommender.cloudsqlInstanceSecurityInsights.* recommender.cloudsqlInstanceSecurityRecommendations.* recommender.cloudsqlOverprovisionedInstanceRecommendations.* resourcemanager.projects.get resourcemanager.projects.list serviceusage.quotas.get serviceusage.services.get serviceusage.services.list
Cloud SQL Instance User (`roles/cloudsql.instanceUser`) Role allowing access to a Cloud SQL instance	cloudsql.instances.get cloudsql.instances.login
Cloud SQL Viewer (`roles/cloudsql.viewer`) Provides read-only access to Cloud SQL resources. Lowest-level resources where you can grant this role: Project	cloudsql.backupRuns.get cloudsql.backupRuns.list cloudsql.databases.get cloudsql.databases.list cloudsql.instances.export cloudsql.instances.get cloudsql.instances.list cloudsql.instances.listEffectiveTags cloudsql.instances.listServerCas cloudsql.instances.listTagBindings cloudsql.sslCerts.get cloudsql.sslCerts.list cloudsql.users.get cloudsql.users.list recommender.cloudsqlIdleInstanceRecommendations.get recommender.cloudsqlIdleInstanceRecommendations.list recommender.cloudsqlInstanceActivityInsights.get recommender.cloudsqlInstanceActivityInsights.list recommender.cloudsqlInstanceCpuUsageInsights.get recommender.cloudsqlInstanceCpuUsageInsights.list recommender.cloudsqlInstanceDiskUsageTrendInsights.get recommender.cloudsqlInstanceDiskUsageTrendInsights.list recommender.cloudsqlInstanceMemoryUsageInsights.get recommender.cloudsqlInstanceMemoryUsageInsights.list recommender.cloudsqlInstanceOutOfDiskRecommendations.get recommender.cloudsqlInstanceOutOfDiskRecommendations.list recommender.cloudsqlInstanceSecurityInsights.get recommender.cloudsqlInstanceSecurityInsights.list recommender.cloudsqlInstanceSecurityRecommendations.get recommender.cloudsqlInstanceSecurityRecommendations.list recommender.cloudsqlOverprovisionedInstanceRecommendations.get recommender.cloudsqlOverprovisionedInstanceRecommendations.list resourcemanager.projects.get resourcemanager.projects.list serviceusage.quotas.get serviceusage.services.get serviceusage.services.list

Cloud Storage roles

Role	Permissions
Storage Admin (`roles/storage.admin`) Grants full control of objects and buckets. When applied to an individual bucket, control applies only to the specified bucket and objects within the bucket. Lowest-level resources where you can grant this role: Bucket	firebase.projects.get orgpolicy.policy.get resourcemanager.projects.get resourcemanager.projects.list storage.buckets.* storage.multipartUploads.* storage.objects.*
Storage HMAC Key Admin (`roles/storage.hmacKeyAdmin`) Full control of Cloud Storage HMAC keys.	firebase.projects.get orgpolicy.policy.get resourcemanager.projects.get resourcemanager.projects.list storage.hmacKeys.*
Storage Object Admin (`roles/storage.objectAdmin`) Grants full control of objects, including listing, creating, viewing, and deleting objects. Lowest-level resources where you can grant this role: Bucket	orgpolicy.policy.get resourcemanager.projects.get resourcemanager.projects.list storage.multipartUploads.* storage.objects.*
Storage Object Creator (`roles/storage.objectCreator`) Allows users to create objects. Does not give permission to view, delete, or overwrite objects. Lowest-level resources where you can grant this role: Bucket	orgpolicy.policy.get resourcemanager.projects.get resourcemanager.projects.list storage.multipartUploads.abort storage.multipartUploads.create storage.multipartUploads.listParts storage.objects.create
Storage Object Viewer (`roles/storage.objectViewer`) Grants access to view objects and their metadata, excluding ACLs. Can also list the objects in a bucket. Lowest-level resources where you can grant this role: Bucket	resourcemanager.projects.get resourcemanager.projects.list storage.objects.get storage.objects.list
Storage Transfer Admin (`roles/storagetransfer.admin`) Create, update and manage transfer jobs and operations.	resourcemanager.projects.get resourcemanager.projects.list storagetransfer.*
Storage Transfer Agent (`roles/storagetransfer.transferAgent`) Perform transfers from an agent.	monitoring.timeSeries.create pubsub.subscriptions.consume pubsub.subscriptions.create pubsub.subscriptions.delete pubsub.subscriptions.get pubsub.topics.attachSubscription pubsub.topics.create pubsub.topics.get pubsub.topics.list pubsub.topics.publish storagetransfer.agentpools.report storagetransfer.operations.assign storagetransfer.operations.get storagetransfer.operations.report
Storage Transfer User (`roles/storagetransfer.user`) Create and update storage transfer jobs and operations.	resourcemanager.projects.get resourcemanager.projects.list storagetransfer.agentpools.create storagetransfer.agentpools.get storagetransfer.agentpools.list storagetransfer.agentpools.report storagetransfer.agentpools.update storagetransfer.jobs.create storagetransfer.jobs.get storagetransfer.jobs.list storagetransfer.jobs.run storagetransfer.jobs.update storagetransfer.operations.* storagetransfer.projects.getServiceAccount
Storage Transfer Viewer (`roles/storagetransfer.viewer`) Read access to storage transfer jobs and operations.	resourcemanager.projects.get resourcemanager.projects.list storagetransfer.agentpools.get storagetransfer.agentpools.list storagetransfer.jobs.get storagetransfer.jobs.list storagetransfer.operations.get storagetransfer.operations.list storagetransfer.projects.getServiceAccount

Cloud Storage Legacy roles

Role	Permissions
Storage Legacy Bucket Owner (`roles/storage.legacyBucketOwner`) Grants permission to create, overwrite, and delete objects; list objects in a bucket and read object metadata, excluding allow policies, when listing; and read and edit bucket metadata, including allow policies. Use of this role is also reflected in the bucket's ACLs. For more information, see IAM relation to ACLs. Lowest-level resources where you can grant this role: Bucket	storage.buckets.createTagBinding storage.buckets.deleteTagBinding storage.buckets.get storage.buckets.getIamPolicy storage.buckets.listEffectiveTags storage.buckets.listTagBindings storage.buckets.setIamPolicy storage.buckets.update storage.multipartUploads.* storage.objects.create storage.objects.delete storage.objects.list
Storage Legacy Bucket Reader (`roles/storage.legacyBucketReader`) Grants permission to list a bucket's contents and read bucket metadata, excluding allow policies. Also grants permission to read object metadata, excluding allow policies, when listing objects. Use of this role is also reflected in the bucket's ACLs. For more information, see IAM relation to ACLs. Lowest-level resources where you can grant this role: Bucket	storage.buckets.get storage.multipartUploads.list storage.objects.list
Storage Legacy Bucket Writer (`roles/storage.legacyBucketWriter`) Grants permission to create, overwrite, and delete objects; list objects in a bucket and read object metadata, excluding allow policies, when listing; and read bucket metadata, excluding allow policies. Use of this role is also reflected in the bucket's ACLs. For more information, see IAM relation to ACLs. Lowest-level resources where you can grant this role: Bucket	storage.buckets.get storage.multipartUploads.* storage.objects.create storage.objects.delete storage.objects.list
Storage Legacy Object Owner (`roles/storage.legacyObjectOwner`) Grants permission to view and edit objects and their metadata, including ACLs. Lowest-level resources where you can grant this role: Bucket	storage.objects.get storage.objects.getIamPolicy storage.objects.setIamPolicy storage.objects.update
Storage Legacy Object Reader (`roles/storage.legacyObjectReader`) Grants permission to view objects and their metadata, excluding ACLs. Lowest-level resources where you can grant this role: Bucket	storage.objects.get

Cloud Talent Solution roles

Role	Permissions
Admin (`roles/cloudjobdiscovery.admin`) Access to Cloud Talent Solution Self-Service Tools.	cloudjobdiscovery.tools.access iam.serviceAccounts.list resourcemanager.projects.get resourcemanager.projects.list
Job Editor (`roles/cloudjobdiscovery.jobsEditor`) Write access to all job data in Cloud Talent Solution.	cloudjobdiscovery.companies.* cloudjobdiscovery.events.create cloudjobdiscovery.jobs.* cloudjobdiscovery.tenants.* resourcemanager.projects.get resourcemanager.projects.list
Job Viewer (`roles/cloudjobdiscovery.jobsViewer`) Read access to all job data in Cloud Talent Solution.	cloudjobdiscovery.companies.get cloudjobdiscovery.companies.list cloudjobdiscovery.jobs.get cloudjobdiscovery.jobs.search cloudjobdiscovery.tenants.get resourcemanager.projects.get resourcemanager.projects.list
Profile Editor (`roles/cloudjobdiscovery.profilesEditor`) Write access to all profile data in Cloud Talent Solution.	cloudjobdiscovery.events.create cloudjobdiscovery.profiles.* cloudjobdiscovery.tenants.* resourcemanager.projects.get resourcemanager.projects.list
Profile Viewer (`roles/cloudjobdiscovery.profilesViewer`) Read access to all profile data in Cloud Talent Solution.	cloudjobdiscovery.profiles.get cloudjobdiscovery.profiles.search cloudjobdiscovery.tenants.get resourcemanager.projects.get resourcemanager.projects.list

Cloud Tasks roles

Role	Permissions
Cloud Tasks Admin ^Beta (`roles/cloudtasks.admin`) Full access to queues and tasks.	cloudtasks.* monitoring.timeSeries.list resourcemanager.projects.get resourcemanager.projects.list
Cloud Tasks Enqueuer ^Beta (`roles/cloudtasks.enqueuer`) Access to create tasks.	cloudtasks.tasks.create cloudtasks.tasks.fullView resourcemanager.projects.get resourcemanager.projects.list
Cloud Tasks Queue Admin ^Beta (`roles/cloudtasks.queueAdmin`) Admin access to queues.	cloudtasks.locations.* cloudtasks.queues.* resourcemanager.projects.get resourcemanager.projects.list
Cloud Tasks Task Deleter ^Beta (`roles/cloudtasks.taskDeleter`) Access to delete tasks.	cloudtasks.tasks.delete resourcemanager.projects.get resourcemanager.projects.list
Cloud Tasks Task Runner ^Beta (`roles/cloudtasks.taskRunner`) Access to run tasks.	cloudtasks.tasks.fullView cloudtasks.tasks.run resourcemanager.projects.get resourcemanager.projects.list
Cloud Tasks Viewer ^Beta (`roles/cloudtasks.viewer`) Get and list access to tasks, queues, and locations.	cloudtasks.locations.* cloudtasks.queues.get cloudtasks.queues.list cloudtasks.tasks.fullView cloudtasks.tasks.get cloudtasks.tasks.list monitoring.timeSeries.list resourcemanager.projects.get resourcemanager.projects.list

Cloud TPU roles

Role	Permissions
TPU Admin (`roles/tpu.admin`) Full access to TPU nodes and related resources.	resourcemanager.projects.get resourcemanager.projects.list tpu.*
TPU Viewer (`roles/tpu.viewer`) Read-only access to TPU nodes and related resources.	resourcemanager.projects.get resourcemanager.projects.list tpu.acceleratortypes.* tpu.locations.* tpu.nodes.get tpu.nodes.list tpu.operations.* tpu.tensorflowversions.*
TPU Shared VPC Agent (`roles/tpu.xpnAgent`) Can use shared VPC network (XPN) for the TPU VMs.	compute.addresses.use compute.firewalls.create compute.firewalls.delete compute.firewalls.get compute.firewalls.update compute.globalOperations.get compute.networks.get compute.networks.list compute.networks.updatePolicy compute.networks.use compute.networks.useExternalIp compute.routes.list compute.subnetworks.get compute.subnetworks.list compute.subnetworks.use compute.subnetworks.useExternalIp compute.zoneOperations.get

Cloud Trace roles

Role Permissions

Cloud Trace Admin
(roles/cloudtrace.admin)

Provides full access to the Trace console and read-write access to traces.

Lowest-level resources where you can grant this role:

Project

cloudtrace.*
resourcemanager.projects.get
resourcemanager.projects.list

Cloud Trace Agent
(roles/cloudtrace.agent)

For service accounts. Provides ability to write traces by sending the data to Stackdriver Trace.

Lowest-level resources where you can grant this role:

Project

cloudtrace.traces.patch

Cloud Trace User
(roles/cloudtrace.user)

Provides full access to the Trace console and read access to traces.

Lowest-level resources where you can grant this role:

Project

cloudtrace.insights.*
cloudtrace.stats.get
cloudtrace.tasks.*
cloudtrace.traces.get
cloudtrace.traces.list
resourcemanager.projects.get
resourcemanager.projects.list

Cloud Translation roles

Role	Permissions
Cloud Translation API Admin (`roles/cloudtranslate.admin`) Full access to all Cloud Translation resources	automl.models.get automl.models.predict cloudtranslate.* resourcemanager.projects.get resourcemanager.projects.list
Cloud Translation API Editor (`roles/cloudtranslate.editor`) Editor of all Cloud Translation resources	automl.models.get automl.models.predict cloudtranslate.* resourcemanager.projects.get resourcemanager.projects.list
Cloud Translation API User (`roles/cloudtranslate.user`) User of Cloud Translation and AutoML models	automl.models.get automl.models.predict cloudtranslate.generalModels.* cloudtranslate.glossaries.batchDocPredict cloudtranslate.glossaries.batchPredict cloudtranslate.glossaries.docPredict cloudtranslate.glossaries.get cloudtranslate.glossaries.list cloudtranslate.glossaries.predict cloudtranslate.glossaryentries.get cloudtranslate.glossaryentries.list cloudtranslate.languageDetectionModels.predict cloudtranslate.locations.* cloudtranslate.operations.get cloudtranslate.operations.list cloudtranslate.operations.wait resourcemanager.projects.get resourcemanager.projects.list
Cloud Translation API Viewer (`roles/cloudtranslate.viewer`) Viewer of all Translation resources	automl.models.get cloudtranslate.generalModels.get cloudtranslate.glossaries.get cloudtranslate.glossaries.list cloudtranslate.glossaryentries.get cloudtranslate.glossaryentries.list cloudtranslate.locations.* cloudtranslate.operations.get cloudtranslate.operations.list cloudtranslate.operations.wait resourcemanager.projects.get resourcemanager.projects.list

Compute Engine roles

Role	Permissions
Compute Admin (`roles/compute.admin`) Full control of all Compute Engine resources. If the user will be managing virtual machine instances that are configured to run as a service account, you must also grant the `roles/iam.serviceAccountUser` role. Lowest-level resources where you can grant this role: Disk Image Instance Instance template Node group Node template Snapshot ^Beta	compute.* resourcemanager.projects.get resourcemanager.projects.list serviceusage.quotas.get serviceusage.services.get serviceusage.services.list
Compute Image User (`roles/compute.imageUser`) Permission to list and read images without having other permissions on the image. Granting this role at the project level gives users the ability to list all images in the project and create resources, such as instances and persistent disks, based on images in the project. Lowest-level resources where you can grant this role: Image^Beta	compute.images.get compute.images.getFromFamily compute.images.list compute.images.useReadOnly resourcemanager.projects.get resourcemanager.projects.list serviceusage.quotas.get serviceusage.services.get serviceusage.services.list
Compute Instance Admin (beta) (`roles/compute.instanceAdmin`) Permissions to create, modify, and delete virtual machine instances. This includes permissions to create, modify, and delete disks, and also to configure Shielded VM settings. If the user will be managing virtual machine instances that are configured to run as a service account, you must also grant the `roles/iam.serviceAccountUser` role. For example, if your company has someone who manages groups of virtual machine instances but does not manage network or security settings and does not manage instances that run as service accounts, you can grant this role on the organization, folder, or project that contains the instances, or you can grant it on individual instances. Lowest-level resources where you can grant this role: Disk Image Instance Instance template Snapshot ^Beta	compute.acceleratorTypes.* compute.addresses.createInternal compute.addresses.deleteInternal compute.addresses.get compute.addresses.list compute.addresses.use compute.addresses.useInternal compute.autoscalers.* compute.diskTypes.* compute.disks.create compute.disks.createSnapshot compute.disks.delete compute.disks.get compute.disks.list compute.disks.resize compute.disks.setLabels compute.disks.update compute.disks.use compute.disks.useReadOnly compute.globalAddresses.get compute.globalAddresses.list compute.globalAddresses.use compute.globalNetworkEndpointGroups.* compute.globalOperations.get compute.globalOperations.list compute.images.get compute.images.getFromFamily compute.images.list compute.images.useReadOnly compute.instanceGroupManagers.* compute.instanceGroups.* compute.instanceTemplates.* compute.instances.* compute.licenses.get compute.licenses.list compute.machineImages.* compute.machineTypes.* compute.networkEndpointGroups.* compute.networks.get compute.networks.list compute.networks.use compute.networks.useExternalIp compute.projects.get compute.regionNetworkEndpointGroups.* compute.regionOperations.get compute.regionOperations.list compute.regions.* compute.reservations.get compute.reservations.list compute.subnetworks.get compute.subnetworks.list compute.subnetworks.use compute.subnetworks.useExternalIp compute.targetPools.get compute.targetPools.list compute.zoneOperations.get compute.zoneOperations.list compute.zones.* resourcemanager.projects.get resourcemanager.projects.list serviceusage.quotas.get serviceusage.services.get serviceusage.services.list
Compute Instance Admin (v1) (`roles/compute.instanceAdmin.v1`) Full control of Compute Engine instances, instance groups, disks, snapshots, and images. Read access to all Compute Engine networking resources. If you grant a user this role only at an instance level, then that user cannot create new instances.	compute.acceleratorTypes.* compute.addresses.createInternal compute.addresses.deleteInternal compute.addresses.get compute.addresses.list compute.addresses.use compute.addresses.useInternal compute.autoscalers.* compute.backendBuckets.get compute.backendBuckets.list compute.backendServices.get compute.backendServices.list compute.diskTypes.* compute.disks.* compute.externalVpnGateways.get compute.externalVpnGateways.list compute.firewalls.get compute.firewalls.list compute.forwardingRules.get compute.forwardingRules.list compute.globalAddresses.get compute.globalAddresses.list compute.globalAddresses.use compute.globalForwardingRules.get compute.globalForwardingRules.list compute.globalForwardingRules.pscGet compute.globalNetworkEndpointGroups.* compute.globalOperations.get compute.globalOperations.list compute.healthChecks.get compute.healthChecks.list compute.httpHealthChecks.get compute.httpHealthChecks.list compute.httpsHealthChecks.get compute.httpsHealthChecks.list compute.images.* compute.instanceGroupManagers.* compute.instanceGroups.* compute.instanceTemplates.* compute.instances.* compute.interconnectAttachments.get compute.interconnectAttachments.list compute.interconnectLocations.* compute.interconnects.get compute.interconnects.list compute.licenseCodes.* compute.licenses.* compute.machineImages.* compute.machineTypes.* compute.networkEndpointGroups.* compute.networks.get compute.networks.list compute.networks.use compute.networks.useExternalIp compute.projects.get compute.projects.setCommonInstanceMetadata compute.regionBackendServices.get compute.regionBackendServices.list compute.regionHealthCheckServices.get compute.regionHealthCheckServices.list compute.regionHealthChecks.get compute.regionHealthChecks.list compute.regionNetworkEndpointGroups.* compute.regionNotificationEndpoints.get compute.regionNotificationEndpoints.list compute.regionOperations.get compute.regionOperations.list compute.regionSslCertificates.get compute.regionSslCertificates.list compute.regionTargetHttpProxies.get compute.regionTargetHttpProxies.list compute.regionTargetHttpsProxies.get compute.regionTargetHttpsProxies.list compute.regionUrlMaps.get compute.regionUrlMaps.list compute.regions.* compute.reservations.get compute.reservations.list compute.resourcePolicies.* compute.routers.get compute.routers.list compute.routes.get compute.routes.list compute.serviceAttachments.get compute.serviceAttachments.list compute.snapshots.* compute.sslCertificates.get compute.sslCertificates.list compute.sslPolicies.get compute.sslPolicies.list compute.sslPolicies.listAvailableFeatures compute.subnetworks.get compute.subnetworks.list compute.subnetworks.use compute.subnetworks.useExternalIp compute.targetGrpcProxies.get compute.targetGrpcProxies.list compute.targetHttpProxies.get compute.targetHttpProxies.list compute.targetHttpsProxies.get compute.targetHttpsProxies.list compute.targetInstances.get compute.targetInstances.list compute.targetPools.get compute.targetPools.list compute.targetSslProxies.get compute.targetSslProxies.list compute.targetTcpProxies.get compute.targetTcpProxies.list compute.targetVpnGateways.get compute.targetVpnGateways.list compute.urlMaps.get compute.urlMaps.list compute.vpnGateways.get compute.vpnGateways.list compute.vpnTunnels.get compute.vpnTunnels.list compute.zoneOperations.get compute.zoneOperations.list compute.zones.* resourcemanager.projects.get resourcemanager.projects.list serviceusage.quotas.get serviceusage.services.get serviceusage.services.list
Compute Load Balancer Admin ^Beta (`roles/compute.loadBalancerAdmin`) Permissions to create, modify, and delete load balancers and associate resources. For example, if your company has a load balancing team that manages load balancers, SSL certificates for load balancers, SSL policies, and other load balancing resources, and a separate networking team that manages the rest of the networking resources, then grant this role to the load balancing team's group. Lowest-level resources where you can grant this role: Instance^Beta	certificatemanager.certmaps.get certificatemanager.certmaps.list certificatemanager.certmaps.use compute.addresses.* compute.backendBuckets.* compute.backendServices.* compute.disks.listEffectiveTags compute.disks.listTagBindings compute.forwardingRules.* compute.globalAddresses.* compute.globalForwardingRules.* compute.globalNetworkEndpointGroups.* compute.healthChecks.* compute.httpHealthChecks.* compute.httpsHealthChecks.* compute.images.listEffectiveTags compute.images.listTagBindings compute.instanceGroups.* compute.instances.get compute.instances.list compute.instances.listEffectiveTags compute.instances.listTagBindings compute.instances.use compute.instances.useReadOnly compute.networkEndpointGroups.* compute.networks.get compute.networks.list compute.networks.use compute.projects.get compute.regionBackendServices.* compute.regionHealthCheckServices.* compute.regionHealthChecks.* compute.regionNetworkEndpointGroups.* compute.regionNotificationEndpoints.* compute.regionSslCertificates.* compute.regionTargetHttpProxies.* compute.regionTargetHttpsProxies.* compute.regionUrlMaps.* compute.securityPolicies.get compute.securityPolicies.list compute.securityPolicies.use compute.snapshots.listEffectiveTags compute.snapshots.listTagBindings compute.sslCertificates.* compute.sslPolicies.* compute.subnetworks.get compute.subnetworks.list compute.subnetworks.use compute.targetGrpcProxies.* compute.targetHttpProxies.* compute.targetHttpsProxies.* compute.targetInstances.* compute.targetPools.* compute.targetSslProxies.* compute.targetTcpProxies.* compute.urlMaps.* networksecurity.clientTlsPolicies.get networksecurity.clientTlsPolicies.list networksecurity.clientTlsPolicies.use networksecurity.serverTlsPolicies.get networksecurity.serverTlsPolicies.list networksecurity.serverTlsPolicies.use resourcemanager.projects.get resourcemanager.projects.list serviceusage.quotas.get serviceusage.services.get serviceusage.services.list
Compute Load Balancer Services User ^Beta (`roles/compute.loadBalancerServiceUser`) Permissions to use services from a load balancer in other projects.	compute.backendServices.get compute.backendServices.list compute.backendServices.use compute.projects.get compute.regionBackendServices.get compute.regionBackendServices.list compute.regionBackendServices.use resourcemanager.projects.get resourcemanager.projects.list serviceusage.quotas.get serviceusage.services.get serviceusage.services.list
Compute Network Admin (`roles/compute.networkAdmin`) Permissions to create, modify, and delete networking resources, except for firewall rules and SSL certificates. The network admin role allows read-only access to firewall rules, SSL certificates, and instances (to view their ephemeral IP addresses). The network admin role does not allow a user to create, start, stop, or delete instances. For example, if your company has a security team that manages firewalls and SSL certificates and a networking team that manages the rest of the networking resources, then grant this role to the networking team's group. Or, if you have a combined team that manages both security and networking, then grant this role as well as the `roles/compute.securityAdmin` role to the combined team's group. Lowest-level resources where you can grant this role: Instance^Beta	compute.acceleratorTypes.* compute.addresses.* compute.autoscalers.get compute.autoscalers.list compute.backendBuckets.* compute.backendServices.* compute.disks.listEffectiveTags compute.disks.listTagBindings compute.externalVpnGateways.* compute.firewallPolicies.get compute.firewallPolicies.list compute.firewallPolicies.use compute.firewalls.get compute.firewalls.list compute.forwardingRules.* compute.globalAddresses.* compute.globalForwardingRules.* compute.globalNetworkEndpointGroups.get compute.globalNetworkEndpointGroups.list compute.globalNetworkEndpointGroups.use compute.globalOperations.get compute.globalOperations.list compute.globalPublicDelegatedPrefixes.delete compute.globalPublicDelegatedPrefixes.get compute.globalPublicDelegatedPrefixes.list compute.globalPublicDelegatedPrefixes.update compute.globalPublicDelegatedPrefixes.updatePolicy compute.healthChecks.* compute.httpHealthChecks.* compute.httpsHealthChecks.* compute.images.listEffectiveTags compute.images.listTagBindings compute.instanceGroupManagers.get compute.instanceGroupManagers.list compute.instanceGroupManagers.update compute.instanceGroupManagers.use compute.instanceGroups.get compute.instanceGroups.list compute.instanceGroups.update compute.instanceGroups.use compute.instances.get compute.instances.getGuestAttributes compute.instances.getScreenshot compute.instances.getSerialPortOutput compute.instances.list compute.instances.listEffectiveTags compute.instances.listReferrers compute.instances.listTagBindings compute.instances.updateSecurity compute.instances.use compute.instances.useReadOnly compute.interconnectAttachments.* compute.interconnectLocations.* compute.interconnects.* compute.machineTypes.* compute.networkEndpointGroups.get compute.networkEndpointGroups.list compute.networkEndpointGroups.use compute.networks.* compute.packetMirrorings.get compute.packetMirrorings.list compute.projects.get compute.publicDelegatedPrefixes.delete compute.publicDelegatedPrefixes.get compute.publicDelegatedPrefixes.list compute.publicDelegatedPrefixes.update compute.publicDelegatedPrefixes.updatePolicy compute.regionBackendServices.* compute.regionFirewallPolicies.get compute.regionFirewallPolicies.list compute.regionFirewallPolicies.use compute.regionHealthCheckServices.* compute.regionHealthChecks.* compute.regionNetworkEndpointGroups.get compute.regionNetworkEndpointGroups.list compute.regionNetworkEndpointGroups.use compute.regionNotificationEndpoints.* compute.regionOperations.get compute.regionOperations.list compute.regionSslCertificates.get compute.regionSslCertificates.list compute.regionTargetHttpProxies.* compute.regionTargetHttpsProxies.* compute.regionUrlMaps.* compute.regions.* compute.routers.* compute.routes.* compute.securityPolicies.get compute.securityPolicies.list compute.securityPolicies.use compute.serviceAttachments.* compute.snapshots.listEffectiveTags compute.snapshots.listTagBindings compute.sslCertificates.get compute.sslCertificates.list compute.sslPolicies.* compute.subnetworks.* compute.targetGrpcProxies.* compute.targetHttpProxies.* compute.targetHttpsProxies.* compute.targetInstances.* compute.targetPools.* compute.targetSslProxies.* compute.targetTcpProxies.* compute.targetVpnGateways.* compute.urlMaps.* compute.vpnGateways.* compute.vpnTunnels.* compute.zoneOperations.get compute.zoneOperations.list compute.zones.* networkconnectivity.locations.* networkconnectivity.operations.* networksecurity.* networkservices.* resourcemanager.projects.get resourcemanager.projects.list servicedirectory.namespaces.create servicedirectory.namespaces.delete servicedirectory.services.create servicedirectory.services.delete servicenetworking.operations.get servicenetworking.services.addPeering servicenetworking.services.createPeeredDnsDomain servicenetworking.services.deletePeeredDnsDomain servicenetworking.services.get servicenetworking.services.listPeeredDnsDomains serviceusage.quotas.get serviceusage.services.get serviceusage.services.list trafficdirector.*
Compute Network User (`roles/compute.networkUser`) Provides access to a shared VPC network Once granted, service owners can use VPC networks and subnets that belong to the host project. For example, a network user can create a VM instance that belongs to a host project network but they cannot delete or create new networks in the host project. Lowest-level resources where you can grant this role: Project	compute.addresses.createInternal compute.addresses.deleteInternal compute.addresses.get compute.addresses.list compute.addresses.useInternal compute.externalVpnGateways.get compute.externalVpnGateways.list compute.externalVpnGateways.use compute.firewalls.get compute.firewalls.list compute.interconnectAttachments.get compute.interconnectAttachments.list compute.interconnectLocations.* compute.interconnects.get compute.interconnects.list compute.interconnects.use compute.networks.access compute.networks.get compute.networks.getEffectiveFirewalls compute.networks.getRegionEffectiveFirewalls compute.networks.list compute.networks.listPeeringRoutes compute.networks.use compute.networks.useExternalIp compute.projects.get compute.regions.* compute.routers.get compute.routers.list compute.routes.get compute.routes.list compute.serviceAttachments.get compute.serviceAttachments.list compute.subnetworks.get compute.subnetworks.list compute.subnetworks.use compute.subnetworks.useExternalIp compute.targetVpnGateways.get compute.targetVpnGateways.list compute.vpnGateways.get compute.vpnGateways.list compute.vpnGateways.use compute.vpnTunnels.get compute.vpnTunnels.list compute.zones.* networkconnectivity.locations.* networkconnectivity.operations.get networkconnectivity.operations.list networksecurity.authorizationPolicies.get networksecurity.authorizationPolicies.list networksecurity.authorizationPolicies.use networksecurity.clientTlsPolicies.get networksecurity.clientTlsPolicies.list networksecurity.clientTlsPolicies.use networksecurity.locations.* networksecurity.operations.get networksecurity.operations.list networksecurity.serverTlsPolicies.get networksecurity.serverTlsPolicies.list networksecurity.serverTlsPolicies.use networkservices.endpointConfigSelectors.get networkservices.endpointConfigSelectors.list networkservices.endpointConfigSelectors.use networkservices.endpointPolicies.get networkservices.endpointPolicies.list networkservices.endpointPolicies.use networkservices.gateways.get networkservices.gateways.list networkservices.gateways.use networkservices.grpcRoutes.get networkservices.grpcRoutes.list networkservices.grpcRoutes.use networkservices.httpFilters.get networkservices.httpFilters.list networkservices.httpFilters.use networkservices.httpRoutes.get networkservices.httpRoutes.list networkservices.httpRoutes.use networkservices.httpfilters.get networkservices.httpfilters.list networkservices.httpfilters.use networkservices.locations.* networkservices.meshes.get networkservices.meshes.list networkservices.meshes.use networkservices.operations.get networkservices.operations.list networkservices.serviceBindings.get networkservices.serviceBindings.list networkservices.tcpRoutes.get networkservices.tcpRoutes.list networkservices.tcpRoutes.use networkservices.tlsRoutes.get networkservices.tlsRoutes.list networkservices.tlsRoutes.use resourcemanager.projects.get resourcemanager.projects.list servicenetworking.services.get serviceusage.quotas.get serviceusage.services.get serviceusage.services.list
Compute Network Viewer (`roles/compute.networkViewer`) Read-only access to all networking resources For example, if you have software that inspects your network configuration, you could grant this role to that software's service account. Lowest-level resources where you can grant this role: Instance^Beta	compute.acceleratorTypes.* compute.addresses.get compute.addresses.list compute.autoscalers.get compute.autoscalers.list compute.backendBuckets.get compute.backendBuckets.list compute.backendServices.get compute.backendServices.list compute.disks.listEffectiveTags compute.disks.listTagBindings compute.externalVpnGateways.get compute.externalVpnGateways.list compute.firewalls.get compute.firewalls.list compute.forwardingRules.get compute.forwardingRules.list compute.globalAddresses.get compute.globalAddresses.list compute.globalForwardingRules.get compute.globalForwardingRules.list compute.globalForwardingRules.pscGet compute.healthChecks.get compute.healthChecks.list compute.httpHealthChecks.get compute.httpHealthChecks.list compute.httpsHealthChecks.get compute.httpsHealthChecks.list compute.images.listEffectiveTags compute.images.listTagBindings compute.instanceGroupManagers.get compute.instanceGroupManagers.list compute.instanceGroups.get compute.instanceGroups.list compute.instances.get compute.instances.getGuestAttributes compute.instances.getScreenshot compute.instances.getSerialPortOutput compute.instances.list compute.instances.listEffectiveTags compute.instances.listReferrers compute.instances.listTagBindings compute.interconnectAttachments.get compute.interconnectAttachments.list compute.interconnectLocations.* compute.interconnects.get compute.interconnects.list compute.machineTypes.* compute.networks.get compute.networks.getEffectiveFirewalls compute.networks.getRegionEffectiveFirewalls compute.networks.list compute.networks.listPeeringRoutes compute.packetMirrorings.get compute.packetMirrorings.list compute.projects.get compute.regionBackendServices.get compute.regionBackendServices.list compute.regionHealthCheckServices.get compute.regionHealthCheckServices.list compute.regionHealthChecks.get compute.regionHealthChecks.list compute.regionNotificationEndpoints.get compute.regionNotificationEndpoints.list compute.regionSslCertificates.get compute.regionSslCertificates.list compute.regionTargetHttpProxies.get compute.regionTargetHttpProxies.list compute.regionTargetHttpsProxies.get compute.regionTargetHttpsProxies.list compute.regionUrlMaps.get compute.regionUrlMaps.list compute.regions.* compute.routers.get compute.routers.list compute.routes.get compute.routes.list compute.serviceAttachments.get compute.serviceAttachments.list compute.snapshots.listEffectiveTags compute.snapshots.listTagBindings compute.sslCertificates.get compute.sslCertificates.list compute.sslPolicies.get compute.sslPolicies.list compute.sslPolicies.listAvailableFeatures compute.subnetworks.get compute.subnetworks.list compute.targetGrpcProxies.get compute.targetGrpcProxies.list compute.targetHttpProxies.get compute.targetHttpProxies.list compute.targetHttpsProxies.get compute.targetHttpsProxies.list compute.targetInstances.get compute.targetInstances.list compute.targetPools.get compute.targetPools.list compute.targetSslProxies.get compute.targetSslProxies.list compute.targetTcpProxies.get compute.targetTcpProxies.list compute.targetVpnGateways.get compute.targetVpnGateways.list compute.urlMaps.get compute.urlMaps.list compute.vpnGateways.get compute.vpnGateways.list compute.vpnTunnels.get compute.vpnTunnels.list compute.zones.* networkconnectivity.locations.* networkconnectivity.operations.get networkconnectivity.operations.list networksecurity.authorizationPolicies.get networksecurity.authorizationPolicies.list networksecurity.clientTlsPolicies.get networksecurity.clientTlsPolicies.list networksecurity.locations.* networksecurity.operations.get networksecurity.operations.list networksecurity.serverTlsPolicies.get networksecurity.serverTlsPolicies.list networkservices.endpointConfigSelectors.get networkservices.endpointConfigSelectors.list networkservices.endpointPolicies.get networkservices.endpointPolicies.list networkservices.gateways.get networkservices.gateways.list networkservices.grpcRoutes.get networkservices.grpcRoutes.list networkservices.httpFilters.get networkservices.httpFilters.list networkservices.httpRoutes.get networkservices.httpRoutes.list networkservices.httpfilters.get networkservices.httpfilters.list networkservices.locations.* networkservices.meshes.get networkservices.meshes.list networkservices.operations.get networkservices.operations.list networkservices.serviceBindings.get networkservices.serviceBindings.list networkservices.tcpRoutes.get networkservices.tcpRoutes.list networkservices.tlsRoutes.get networkservices.tlsRoutes.list resourcemanager.projects.get resourcemanager.projects.list servicenetworking.services.get serviceusage.quotas.get serviceusage.services.get serviceusage.services.list trafficdirector.*
Compute Organization Firewall Policy Admin (`roles/compute.orgFirewallPolicyAdmin`) Full control of Compute Engine Organization Firewall Policies.	compute.firewallPolicies.cloneRules compute.firewallPolicies.create compute.firewallPolicies.delete compute.firewallPolicies.get compute.firewallPolicies.getIamPolicy compute.firewallPolicies.list compute.firewallPolicies.move compute.firewallPolicies.setIamPolicy compute.firewallPolicies.update compute.firewallPolicies.use compute.globalOperations.get compute.globalOperations.getIamPolicy compute.globalOperations.list compute.globalOperations.setIamPolicy compute.projects.get compute.regionFirewallPolicies.* compute.regionOperations.get compute.regionOperations.getIamPolicy compute.regionOperations.list compute.regionOperations.setIamPolicy resourcemanager.projects.get resourcemanager.projects.list serviceusage.quotas.get serviceusage.services.get serviceusage.services.list
Compute Organization Firewall Policy User (`roles/compute.orgFirewallPolicyUser`) View or use Compute Engine Firewall Policies to associate with the organization or folders.	compute.firewallPolicies.get compute.firewallPolicies.list compute.firewallPolicies.use compute.globalOperations.get compute.globalOperations.getIamPolicy compute.globalOperations.list compute.projects.get compute.regionFirewallPolicies.get compute.regionFirewallPolicies.list compute.regionFirewallPolicies.use compute.regionOperations.get compute.regionOperations.getIamPolicy compute.regionOperations.list resourcemanager.projects.get resourcemanager.projects.list serviceusage.quotas.get serviceusage.services.get serviceusage.services.list
Compute Organization Security Policy Admin (`roles/compute.orgSecurityPolicyAdmin`) Full control of Compute Engine Organization Security Policies.	compute.firewallPolicies.* compute.globalOperations.get compute.globalOperations.getIamPolicy compute.globalOperations.list compute.globalOperations.setIamPolicy compute.projects.get compute.securityPolicies.* resourcemanager.projects.get resourcemanager.projects.list serviceusage.quotas.get serviceusage.services.get serviceusage.services.list
Compute Organization Security Policy User (`roles/compute.orgSecurityPolicyUser`) View or use Compute Engine Security Policies to associate with the organization or folders.	compute.firewallPolicies.addAssociation compute.firewallPolicies.get compute.firewallPolicies.list compute.firewallPolicies.removeAssociation compute.firewallPolicies.use compute.globalOperations.get compute.globalOperations.getIamPolicy compute.globalOperations.list compute.globalOperations.setIamPolicy compute.projects.get compute.securityPolicies.addAssociation compute.securityPolicies.get compute.securityPolicies.list compute.securityPolicies.removeAssociation compute.securityPolicies.use resourcemanager.projects.get resourcemanager.projects.list serviceusage.quotas.get serviceusage.services.get serviceusage.services.list
Compute Organization Resource Admin (`roles/compute.orgSecurityResourceAdmin`) Full control of Compute Engine Firewall Policy associations to the organization or folders.	compute.globalOperations.get compute.globalOperations.getIamPolicy compute.globalOperations.list compute.globalOperations.setIamPolicy compute.organizations.listAssociations compute.organizations.setFirewallPolicy compute.organizations.setSecurityPolicy compute.projects.get resourcemanager.projects.get resourcemanager.projects.list serviceusage.quotas.get serviceusage.services.get serviceusage.services.list
Compute OS Admin Login (`roles/compute.osAdminLogin`) Access to log in to a Compute Engine instance as an administrator user. Lowest-level resources where you can grant this role: Instance^Beta	compute.disks.listEffectiveTags compute.disks.listTagBindings compute.images.listEffectiveTags compute.images.listTagBindings compute.instances.get compute.instances.list compute.instances.listEffectiveTags compute.instances.listTagBindings compute.instances.osAdminLogin compute.instances.osLogin compute.projects.get compute.snapshots.listEffectiveTags compute.snapshots.listTagBindings resourcemanager.projects.get resourcemanager.projects.list serviceusage.quotas.get serviceusage.services.get serviceusage.services.list
Compute OS Login (`roles/compute.osLogin`) Access to log in to a Compute Engine instance as a standard user. Lowest-level resources where you can grant this role: Instance^Beta	compute.disks.listEffectiveTags compute.disks.listTagBindings compute.images.listEffectiveTags compute.images.listTagBindings compute.instances.get compute.instances.list compute.instances.listEffectiveTags compute.instances.listTagBindings compute.instances.osLogin compute.projects.get compute.snapshots.listEffectiveTags compute.snapshots.listTagBindings resourcemanager.projects.get resourcemanager.projects.list serviceusage.quotas.get serviceusage.services.get serviceusage.services.list
Compute OS Login External User (`roles/compute.osLoginExternalUser`) Available only at the organization level. Access for an external user to set OS Login information associated with this organization. This role does not grant access to instances. External users must be granted one of the required OS Login roles in order to allow access to instances using SSH. Lowest-level resources where you can grant this role: Organization	compute.oslogin.updateExternalUser
Compute packet mirroring admin (`roles/compute.packetMirroringAdmin`) Specify resources to be mirrored.	compute.instances.updateSecurity compute.networks.mirror compute.projects.get compute.subnetworks.mirror resourcemanager.projects.get resourcemanager.projects.list serviceusage.quotas.get serviceusage.services.get serviceusage.services.list
Compute packet mirroring user (`roles/compute.packetMirroringUser`) Use Compute Engine packet mirrorings.	compute.packetMirrorings.* compute.projects.get resourcemanager.projects.get resourcemanager.projects.list serviceusage.quotas.get serviceusage.services.get serviceusage.services.list
Compute Public IP Admin (`roles/compute.publicIpAdmin`) Full control of public IP address management for Compute Engine.	compute.addresses.* compute.globalAddresses.* compute.globalPublicDelegatedPrefixes.* compute.publicAdvertisedPrefixes.* compute.publicDelegatedPrefixes.* resourcemanager.projects.get resourcemanager.projects.list
Compute Security Admin (`roles/compute.securityAdmin`) Permissions to create, modify, and delete firewall rules and SSL certificates, and also to configure Shielded VM settings. For example, if your company has a security team that manages firewalls and SSL certificates and a networking team that manages the rest of the networking resources, then grant this role to the security team's group. Lowest-level resources where you can grant this role: Instance^Beta	compute.backendBuckets.list compute.backendServices.list compute.firewallPolicies.* compute.firewalls.* compute.globalOperations.get compute.globalOperations.list compute.instances.getEffectiveFirewalls compute.instances.list compute.instances.setShieldedInstanceIntegrityPolicy compute.instances.setShieldedVmIntegrityPolicy compute.instances.updateSecurity compute.instances.updateShieldedInstanceConfig compute.instances.updateShieldedVmConfig compute.networks.get compute.networks.getEffectiveFirewalls compute.networks.getRegionEffectiveFirewalls compute.networks.list compute.networks.updatePolicy compute.packetMirrorings.* compute.projects.get compute.regionBackendServices.list compute.regionFirewallPolicies.* compute.regionOperations.get compute.regionOperations.list compute.regionSslCertificates.* compute.regions.* compute.routes.get compute.routes.list compute.securityPolicies.* compute.sslCertificates.* compute.sslPolicies.* compute.subnetworks.get compute.subnetworks.list compute.targetInstances.list compute.targetPools.list compute.zoneOperations.get compute.zoneOperations.list compute.zones.* resourcemanager.projects.get resourcemanager.projects.list serviceusage.quotas.get serviceusage.services.get serviceusage.services.list
Compute Sole Tenant Viewer ^Beta (`roles/compute.soleTenantViewer`) Permissions to view sole tenancy node groups	compute.nodeGroups.get compute.nodeGroups.getIamPolicy compute.nodeGroups.list compute.nodeTemplates.get compute.nodeTemplates.getIamPolicy compute.nodeTemplates.list compute.nodeTypes.*
Compute Storage Admin (`roles/compute.storageAdmin`) Permissions to create, modify, and delete disks, images, and snapshots. For example, if your company has someone who manages project images and you don't want them to have the editor role on the project, then grant this role to their account on the project. Lowest-level resources where you can grant this role: Disk Image Snapshot ^Beta	compute.diskTypes.* compute.disks.* compute.globalOperations.get compute.globalOperations.list compute.images.* compute.licenseCodes.* compute.licenses.* compute.projects.get compute.regionOperations.get compute.regionOperations.list compute.regions.* compute.resourcePolicies.* compute.snapshots.* compute.zoneOperations.get compute.zoneOperations.list compute.zones.* resourcemanager.projects.get resourcemanager.projects.list serviceusage.quotas.get serviceusage.services.get serviceusage.services.list
Compute Viewer (`roles/compute.viewer`) Read-only access to get and list Compute Engine resources, without being able to read the data stored on them. For example, an account with this role could inventory all of the disks in a project, but it could not read any of the data on those disks. Lowest-level resources where you can grant this role: Disk Image Instance Instance template Node group Node template Snapshot ^Beta	compute.acceleratorTypes.* compute.addresses.get compute.addresses.list compute.autoscalers.get compute.autoscalers.list compute.backendBuckets.get compute.backendBuckets.list compute.backendServices.get compute.backendServices.getIamPolicy compute.backendServices.list compute.commitments.get compute.commitments.list compute.diskTypes.* compute.disks.get compute.disks.getIamPolicy compute.disks.list compute.disks.listEffectiveTags compute.disks.listTagBindings compute.externalVpnGateways.get compute.externalVpnGateways.list compute.firewallPolicies.get compute.firewallPolicies.getIamPolicy compute.firewallPolicies.list compute.firewalls.get compute.firewalls.list compute.forwardingRules.get compute.forwardingRules.list compute.globalAddresses.get compute.globalAddresses.list compute.globalForwardingRules.get compute.globalForwardingRules.list compute.globalForwardingRules.pscGet compute.globalNetworkEndpointGroups.get compute.globalNetworkEndpointGroups.list compute.globalOperations.get compute.globalOperations.getIamPolicy compute.globalOperations.list compute.globalPublicDelegatedPrefixes.get compute.globalPublicDelegatedPrefixes.list compute.healthChecks.get compute.healthChecks.list compute.httpHealthChecks.get compute.httpHealthChecks.list compute.httpsHealthChecks.get compute.httpsHealthChecks.list compute.images.get compute.images.getFromFamily compute.images.getIamPolicy compute.images.list compute.images.listEffectiveTags compute.images.listTagBindings compute.instanceGroupManagers.get compute.instanceGroupManagers.list compute.instanceGroups.get compute.instanceGroups.list compute.instanceTemplates.get compute.instanceTemplates.getIamPolicy compute.instanceTemplates.list compute.instances.get compute.instances.getEffectiveFirewalls compute.instances.getGuestAttributes compute.instances.getIamPolicy compute.instances.getScreenshot compute.instances.getSerialPortOutput compute.instances.getShieldedInstanceIdentity compute.instances.getShieldedVmIdentity compute.instances.list compute.instances.listEffectiveTags compute.instances.listReferrers compute.instances.listTagBindings compute.interconnectAttachments.get compute.interconnectAttachments.list compute.interconnectLocations.* compute.interconnects.get compute.interconnects.list compute.licenseCodes.get compute.licenseCodes.getIamPolicy compute.licenseCodes.list compute.licenses.get compute.licenses.getIamPolicy compute.licenses.list compute.machineImages.get compute.machineImages.getIamPolicy compute.machineImages.list compute.machineTypes.* compute.maintenancePolicies.get compute.maintenancePolicies.getIamPolicy compute.maintenancePolicies.list compute.networkEndpointGroups.get compute.networkEndpointGroups.getIamPolicy compute.networkEndpointGroups.list compute.networks.get compute.networks.getEffectiveFirewalls compute.networks.getRegionEffectiveFirewalls compute.networks.list compute.networks.listPeeringRoutes compute.nodeGroups.get compute.nodeGroups.getIamPolicy compute.nodeGroups.list compute.nodeTemplates.get compute.nodeTemplates.getIamPolicy compute.nodeTemplates.list compute.nodeTypes.* compute.organizations.listAssociations compute.packetMirrorings.get compute.packetMirrorings.list compute.projects.get compute.publicAdvertisedPrefixes.get compute.publicAdvertisedPrefixes.list compute.publicDelegatedPrefixes.get compute.publicDelegatedPrefixes.list compute.regionBackendServices.get compute.regionBackendServices.getIamPolicy compute.regionBackendServices.list compute.regionFirewallPolicies.get compute.regionFirewallPolicies.getIamPolicy compute.regionFirewallPolicies.list compute.regionHealthCheckServices.get compute.regionHealthCheckServices.list compute.regionHealthChecks.get compute.regionHealthChecks.list compute.regionNetworkEndpointGroups.get compute.regionNetworkEndpointGroups.list compute.regionNotificationEndpoints.get compute.regionNotificationEndpoints.list compute.regionOperations.get compute.regionOperations.getIamPolicy compute.regionOperations.list compute.regionSslCertificates.get compute.regionSslCertificates.list compute.regionTargetHttpProxies.get compute.regionTargetHttpProxies.list compute.regionTargetHttpsProxies.get compute.regionTargetHttpsProxies.list compute.regionUrlMaps.get compute.regionUrlMaps.list compute.regionUrlMaps.validate compute.regions.* compute.reservations.get compute.reservations.list compute.resourcePolicies.get compute.resourcePolicies.list compute.routers.get compute.routers.list compute.routes.get compute.routes.list compute.securityPolicies.get compute.securityPolicies.getIamPolicy compute.securityPolicies.list compute.serviceAttachments.get compute.serviceAttachments.list compute.snapshots.get compute.snapshots.getIamPolicy compute.snapshots.list compute.snapshots.listEffectiveTags compute.snapshots.listTagBindings compute.sslCertificates.get compute.sslCertificates.list compute.sslPolicies.get compute.sslPolicies.list compute.sslPolicies.listAvailableFeatures compute.subnetworks.get compute.subnetworks.getIamPolicy compute.subnetworks.list compute.targetGrpcProxies.get compute.targetGrpcProxies.list compute.targetHttpProxies.get compute.targetHttpProxies.list compute.targetHttpsProxies.get compute.targetHttpsProxies.list compute.targetInstances.get compute.targetInstances.list compute.targetPools.get compute.targetPools.list compute.targetSslProxies.get compute.targetSslProxies.list compute.targetTcpProxies.get compute.targetTcpProxies.list compute.targetVpnGateways.get compute.targetVpnGateways.list compute.urlMaps.get compute.urlMaps.list compute.urlMaps.validate compute.vpnGateways.get compute.vpnGateways.list compute.vpnTunnels.get compute.vpnTunnels.list compute.zoneOperations.get compute.zoneOperations.getIamPolicy compute.zoneOperations.list compute.zones.* resourcemanager.projects.get resourcemanager.projects.list serviceusage.quotas.get serviceusage.services.get serviceusage.services.list
Compute Shared VPC Admin (`roles/compute.xpnAdmin`) Permissions to administer shared VPC host projects, specifically enabling the host projects and associating shared VPC service projects to the host project's network. At the organization level, this role can only be granted by an organization admin. Google Cloud recommends that the Shared VPC Admin be the owner of the shared VPC host project. The Shared VPC Admin is responsible for granting the Compute Network User role (`roles/compute.networkUser`) to service owners, and the shared VPC host project owner controls the project itself. Managing the project is easier if a single principal (individual or group) can fulfill both roles. Lowest-level resources where you can grant this role: Folder	compute.globalOperations.get compute.globalOperations.list compute.organizations.administerXpn compute.organizations.disableXpnHost compute.organizations.disableXpnResource compute.organizations.enableXpnHost compute.organizations.enableXpnResource compute.projects.get compute.subnetworks.getIamPolicy compute.subnetworks.setIamPolicy resourcemanager.organizations.get resourcemanager.projects.get resourcemanager.projects.getIamPolicy resourcemanager.projects.list
GuestPolicy Admin ^Beta (`roles/osconfig.guestPolicyAdmin`) Full admin access to GuestPolicies	osconfig.guestPolicies.* resourcemanager.projects.get resourcemanager.projects.list
GuestPolicy Editor ^Beta (`roles/osconfig.guestPolicyEditor`) Editor of GuestPolicy resources	osconfig.guestPolicies.get osconfig.guestPolicies.list osconfig.guestPolicies.update resourcemanager.projects.get resourcemanager.projects.list
GuestPolicy Viewer ^Beta (`roles/osconfig.guestPolicyViewer`) Viewer of GuestPolicy resources	osconfig.guestPolicies.get osconfig.guestPolicies.list resourcemanager.projects.get resourcemanager.projects.list
InstanceOSPoliciesCompliance Viewer ^Beta (`roles/osconfig.instanceOSPoliciesComplianceViewer`) Viewer of OS Policies Compliance of VM instances	osconfig.instanceOSPoliciesCompliances.* resourcemanager.projects.get resourcemanager.projects.list
OS Inventory Viewer (`roles/osconfig.inventoryViewer`) Viewer of OS Inventories	osconfig.inventories.* resourcemanager.projects.get resourcemanager.projects.list
OSPolicyAssignment Admin (`roles/osconfig.osPolicyAssignmentAdmin`) Full admin access to OS Policy Assignments	osconfig.osPolicyAssignments.* resourcemanager.projects.get resourcemanager.projects.list
OSPolicyAssignment Editor (`roles/osconfig.osPolicyAssignmentEditor`) Editor of OS Policy Assignments	osconfig.osPolicyAssignments.get osconfig.osPolicyAssignments.list osconfig.osPolicyAssignments.update resourcemanager.projects.get resourcemanager.projects.list
OSPolicyAssignmentReport Viewer (`roles/osconfig.osPolicyAssignmentReportViewer`) Viewer of OS policy assignment reports for VM instances	osconfig.osPolicyAssignmentReports.* resourcemanager.projects.get resourcemanager.projects.list
OSPolicyAssignment Viewer (`roles/osconfig.osPolicyAssignmentViewer`) Viewer of OS Policy Assignments	osconfig.osPolicyAssignments.get osconfig.osPolicyAssignments.list resourcemanager.projects.get resourcemanager.projects.list
PatchDeployment Admin (`roles/osconfig.patchDeploymentAdmin`) Full admin access to PatchDeployments	osconfig.patchDeployments.* resourcemanager.projects.get resourcemanager.projects.list
PatchDeployment Viewer (`roles/osconfig.patchDeploymentViewer`) Viewer of PatchDeployment resources	osconfig.patchDeployments.get osconfig.patchDeployments.list resourcemanager.projects.get resourcemanager.projects.list
Patch Job Executor (`roles/osconfig.patchJobExecutor`) Access to execute Patch Jobs.	osconfig.patchJobs.* resourcemanager.projects.get resourcemanager.projects.list
Patch Job Viewer (`roles/osconfig.patchJobViewer`) Get and list Patch Jobs.	osconfig.patchJobs.get osconfig.patchJobs.list resourcemanager.projects.get resourcemanager.projects.list
OS VulnerabilityReport Viewer (`roles/osconfig.vulnerabilityReportViewer`) Viewer of OS VulnerabilityReports	osconfig.vulnerabilityReports.* resourcemanager.projects.get resourcemanager.projects.list

Container Analysis roles

Role	Permissions
Container Analysis Admin (`roles/containeranalysis.admin`) Access to all Container Analysis resources.	containeranalysis.notes.attachOccurrence containeranalysis.notes.create containeranalysis.notes.delete containeranalysis.notes.get containeranalysis.notes.getIamPolicy containeranalysis.notes.list containeranalysis.notes.setIamPolicy containeranalysis.notes.update containeranalysis.occurrences.* resourcemanager.projects.get resourcemanager.projects.list
Container Analysis Notes Attacher (`roles/containeranalysis.notes.attacher`) Can attach Container Analysis Occurrences to Notes.	containeranalysis.notes.attachOccurrence containeranalysis.notes.get
Container Analysis Notes Editor (`roles/containeranalysis.notes.editor`) Can edit Container Analysis Notes.	containeranalysis.notes.attachOccurrence containeranalysis.notes.create containeranalysis.notes.delete containeranalysis.notes.get containeranalysis.notes.list containeranalysis.notes.update resourcemanager.projects.get resourcemanager.projects.list
Container Analysis Occurrences for Notes Viewer (`roles/containeranalysis.notes.occurrences.viewer`) Can view all Container Analysis Occurrences attached to a Note.	containeranalysis.notes.get containeranalysis.notes.listOccurrences
Container Analysis Notes Viewer (`roles/containeranalysis.notes.viewer`) Can view Container Analysis Notes.	containeranalysis.notes.get containeranalysis.notes.list resourcemanager.projects.get resourcemanager.projects.list
Container Analysis Occurrences Editor (`roles/containeranalysis.occurrences.editor`) Can edit Container Analysis Occurrences.	containeranalysis.occurrences.create containeranalysis.occurrences.delete containeranalysis.occurrences.get containeranalysis.occurrences.list containeranalysis.occurrences.update resourcemanager.projects.get resourcemanager.projects.list
Container Analysis Occurrences Viewer (`roles/containeranalysis.occurrences.viewer`) Can view Container Analysis Occurrences.	containeranalysis.occurrences.get containeranalysis.occurrences.list resourcemanager.projects.get resourcemanager.projects.list

Data Catalog roles

Role	Permissions
Data Catalog Admin (`roles/datacatalog.admin`) Full access to all DataCatalog resources	bigquery.connections.get bigquery.connections.updateTag bigquery.datasets.get bigquery.datasets.updateTag bigquery.models.getMetadata bigquery.models.updateTag bigquery.routines.get bigquery.routines.updateTag bigquery.tables.get bigquery.tables.updateTag datacatalog.categories.getIamPolicy datacatalog.categories.setIamPolicy datacatalog.entries.* datacatalog.entryGroups.* datacatalog.tagTemplates.* datacatalog.taxonomies.* pubsub.topics.get pubsub.topics.updateTag resourcemanager.projects.get resourcemanager.projects.list
Policy Tag Admin (`roles/datacatalog.categoryAdmin`) Manage taxonomies	datacatalog.categories.getIamPolicy datacatalog.categories.setIamPolicy datacatalog.taxonomies.* resourcemanager.projects.get resourcemanager.projects.list
Fine-Grained Reader (`roles/datacatalog.categoryFineGrainedReader`) Read access to sub-resources tagged by a policy tag, for example, BigQuery columns	datacatalog.categories.fineGrainedGet
DataCatalog Data Steward ^Beta (`roles/datacatalog.dataSteward`) Can update overview and data steward fields	datacatalog.entries.get datacatalog.entries.list datacatalog.entries.updateContacts datacatalog.entries.updateOverview datacatalog.entryGroups.get resourcemanager.projects.get resourcemanager.projects.list
DataCatalog EntryGroup Creator (`roles/datacatalog.entryGroupCreator`) Can create new entryGroups	datacatalog.entryGroups.create datacatalog.entryGroups.get datacatalog.entryGroups.list resourcemanager.projects.get resourcemanager.projects.list
DataCatalog entryGroup Owner (`roles/datacatalog.entryGroupOwner`) Full access to entryGroups	datacatalog.entries.* datacatalog.entryGroups.* resourcemanager.projects.get resourcemanager.projects.list
DataCatalog entry Owner (`roles/datacatalog.entryOwner`) Full access to entries	datacatalog.entries.* datacatalog.entryGroups.get resourcemanager.projects.get resourcemanager.projects.list
DataCatalog Entry Viewer (`roles/datacatalog.entryViewer`) Read access to entries	datacatalog.entries.get datacatalog.entries.list datacatalog.entryGroups.get resourcemanager.projects.get resourcemanager.projects.list
Data Catalog Tag Editor (`roles/datacatalog.tagEditor`) Provides access to modify tags on Google Cloud assets for BigQuery and Pub/Sub	bigquery.connections.updateTag bigquery.datasets.updateTag bigquery.models.updateTag bigquery.routines.updateTag bigquery.tables.updateTag datacatalog.entries.updateTag pubsub.topics.updateTag
Data Catalog TagTemplate Creator (`roles/datacatalog.tagTemplateCreator`) Access to create new tag templates	datacatalog.tagTemplates.create datacatalog.tagTemplates.get
Data Catalog TagTemplate Owner (`roles/datacatalog.tagTemplateOwner`) Full access to tag templates	datacatalog.tagTemplates.* resourcemanager.projects.get resourcemanager.projects.list
Data Catalog TagTemplate User (`roles/datacatalog.tagTemplateUser`) Access to use templates to tag resources	datacatalog.tagTemplates.get datacatalog.tagTemplates.getTag datacatalog.tagTemplates.use resourcemanager.projects.get resourcemanager.projects.list
Data Catalog TagTemplate Viewer (`roles/datacatalog.tagTemplateViewer`) Read access to templates and tags created using the templates	datacatalog.tagTemplates.get datacatalog.tagTemplates.getTag resourcemanager.projects.get resourcemanager.projects.list
Data Catalog Viewer (`roles/datacatalog.viewer`) Provides metadata read access to catalogued Google Cloud assets for BigQuery and Pub/Sub	bigquery.connections.get bigquery.datasets.get bigquery.models.getMetadata bigquery.routines.get bigquery.tables.get datacatalog.entries.get datacatalog.entries.list datacatalog.entryGroups.get datacatalog.entryGroups.list datacatalog.tagTemplates.get datacatalog.tagTemplates.getTag datacatalog.taxonomies.get datacatalog.taxonomies.list pubsub.topics.get resourcemanager.projects.get resourcemanager.projects.list

Data Connectors roles

Role	Permissions
Connector Admin ^Beta (`roles/dataconnectors.connectorAdmin`) Full access to Data Connectors.	dataconnectors.* resourcemanager.projects.get resourcemanager.projects.list
Connector User ^Beta (`roles/dataconnectors.connectorUser`) Access to use Data Connectors.	dataconnectors.connectors.get dataconnectors.connectors.getIamPolicy dataconnectors.connectors.list dataconnectors.connectors.use

Data Migration roles

Role	Permissions
Database Migration Admin (`roles/datamigration.admin`) Full access to all resources of Database Migration.	datamigration.* resourcemanager.projects.get resourcemanager.projects.list

Data Pipelines roles

Role	Permissions
Data pipelines Admin (`roles/datapipelines.admin`) Administrator of Data pipelines resources	datapipelines.* resourcemanager.projects.get resourcemanager.projects.list
Data pipelines Invoker (`roles/datapipelines.invoker`) Invoker of Data pipelines jobs	datapipelines.pipelines.run resourcemanager.projects.get resourcemanager.projects.list
Data pipelines Viewer (`roles/datapipelines.viewer`) Viewer of Data pipelines resources	datapipelines.jobs.list datapipelines.pipelines.get datapipelines.pipelines.list resourcemanager.projects.get resourcemanager.projects.list

Dataflow roles

Role	Permissions
Dataflow Admin (`roles/dataflow.admin`) Minimal role for creating and managing dataflow jobs.	cloudbuild.builds.create cloudbuild.builds.get cloudbuild.builds.list cloudbuild.builds.update compute.machineTypes.get compute.projects.get compute.regions.list compute.zones.list dataflow.jobs.* dataflow.messages.list dataflow.metrics.get dataflow.snapshots.* recommender.dataflowDiagnosticsInsights.* remotebuildexecution.blobs.get resourcemanager.projects.get resourcemanager.projects.list storage.buckets.get storage.objects.create storage.objects.get storage.objects.list
Dataflow Developer (`roles/dataflow.developer`) Provides the permissions necessary to execute and manipulate Dataflow jobs. Lowest-level resources where you can grant this role: Project	cloudbuild.builds.create cloudbuild.builds.get cloudbuild.builds.list cloudbuild.builds.update compute.projects.get compute.regions.list compute.zones.list dataflow.jobs.* dataflow.messages.list dataflow.metrics.get dataflow.snapshots.* recommender.dataflowDiagnosticsInsights.* remotebuildexecution.blobs.get resourcemanager.projects.get resourcemanager.projects.list
Dataflow Viewer (`roles/dataflow.viewer`) Provides read-only access to all Dataflow-related resources. Lowest-level resources where you can grant this role: Project	dataflow.jobs.get dataflow.jobs.list dataflow.messages.list dataflow.metrics.get dataflow.snapshots.get dataflow.snapshots.list recommender.dataflowDiagnosticsInsights.get recommender.dataflowDiagnosticsInsights.list resourcemanager.projects.get resourcemanager.projects.list
Dataflow Worker (`roles/dataflow.worker`) Provides the permissions necessary for a Compute Engine service account to execute work units for a Dataflow pipeline. Lowest-level resources where you can grant this role: Project	autoscaling.sites.readRecommendations autoscaling.sites.writeMetrics autoscaling.sites.writeState compute.instanceGroupManagers.update compute.instances.delete compute.instances.setDiskAutoDelete dataflow.jobs.get dataflow.shuffle.* dataflow.streamingWorkItems.* dataflow.workItems.* logging.logEntries.create monitoring.timeSeries.create storage.buckets.get storage.objects.create storage.objects.get

Dataform roles

Role	Permissions
Dataform Admin ^Beta (`roles/dataform.admin`) Full access to all Dataform resources.	dataform.* resourcemanager.projects.get resourcemanager.projects.list
Dataform Editor ^Beta (`roles/dataform.editor`) Edit access to Workspaces and Read-only access to Repositories.	dataform.compilationResults.* dataform.locations.* dataform.repositories.fetchRemoteBranches dataform.repositories.get dataform.repositories.list dataform.workflowInvocations.* dataform.workspaces.* resourcemanager.projects.get resourcemanager.projects.list
Dataform Viewer ^Beta (`roles/dataform.viewer`) Read-only access to all Dataform resources.	dataform.compilationResults.get dataform.compilationResults.list dataform.compilationResults.query dataform.locations.* dataform.repositories.fetchRemoteBranches dataform.repositories.get dataform.repositories.list dataform.workflowInvocations.get dataform.workflowInvocations.list dataform.workflowInvocations.query dataform.workspaces.fetchFileDiff dataform.workspaces.fetchFileGitStatuses dataform.workspaces.fetchGitAheadBehind dataform.workspaces.get dataform.workspaces.list dataform.workspaces.queryDirectoryContents dataform.workspaces.readFile resourcemanager.projects.get resourcemanager.projects.list

Dataprep roles

Role	Permissions
Dataprep User ^Beta (`roles/dataprep.projects.user`) Use of Dataprep.	dataprep.projects.use resourcemanager.projects.get serviceusage.quotas.get serviceusage.services.get serviceusage.services.list

Dataproc roles

Role	Permissions
Dataproc Administrator (`roles/dataproc.admin`) Full control of Dataproc resources.	compute.machineTypes.* compute.networks.get compute.networks.list compute.projects.get compute.regions.* compute.zones.* dataproc.autoscalingPolicies.* dataproc.batches.* dataproc.clusters.* dataproc.jobs.* dataproc.operations.* dataproc.workflowTemplates.* resourcemanager.projects.get resourcemanager.projects.list
Dataproc Editor (`roles/dataproc.editor`) Provides the permissions necessary for viewing the resources required to manage Dataproc, including machine types, networks, projects, and zones. Lowest-level resources where you can grant this role: Project	compute.machineTypes.* compute.networks.get compute.networks.list compute.projects.get compute.regions.* compute.zones.* dataproc.autoscalingPolicies.create dataproc.autoscalingPolicies.delete dataproc.autoscalingPolicies.get dataproc.autoscalingPolicies.list dataproc.autoscalingPolicies.update dataproc.autoscalingPolicies.use dataproc.batches.* dataproc.clusters.create dataproc.clusters.delete dataproc.clusters.get dataproc.clusters.list dataproc.clusters.start dataproc.clusters.stop dataproc.clusters.update dataproc.clusters.use dataproc.jobs.cancel dataproc.jobs.create dataproc.jobs.delete dataproc.jobs.get dataproc.jobs.list dataproc.jobs.update dataproc.operations.cancel dataproc.operations.delete dataproc.operations.get dataproc.operations.list dataproc.workflowTemplates.create dataproc.workflowTemplates.delete dataproc.workflowTemplates.get dataproc.workflowTemplates.instantiate dataproc.workflowTemplates.instantiateInline dataproc.workflowTemplates.list dataproc.workflowTemplates.update resourcemanager.projects.get resourcemanager.projects.list
Dataproc Hub Agent (`roles/dataproc.hubAgent`) Allows management of Dataproc resources. Intended for service accounts running Dataproc Hub instances.	compute.instances.get compute.instances.setMetadata compute.instances.setTags compute.zoneOperations.get compute.zones.list dataproc.autoscalingPolicies.get dataproc.autoscalingPolicies.list dataproc.autoscalingPolicies.use dataproc.clusters.create dataproc.clusters.delete dataproc.clusters.get dataproc.clusters.list dataproc.clusters.update dataproc.operations.cancel dataproc.operations.delete dataproc.operations.get dataproc.operations.list iam.serviceAccounts.actAs iam.serviceAccounts.get iam.serviceAccounts.list logging.buckets.get logging.buckets.list logging.exclusions.get logging.exclusions.list logging.links.get logging.links.list logging.locations.* logging.logEntries.create logging.logEntries.list logging.logMetrics.get logging.logMetrics.list logging.logServiceIndexes.list logging.logServices.list logging.logs.list logging.operations.get logging.operations.list logging.queries.create logging.queries.delete logging.queries.get logging.queries.list logging.queries.listShared logging.queries.update logging.sinks.get logging.sinks.list logging.usage.get logging.views.get logging.views.list resourcemanager.projects.get resourcemanager.projects.list storage.buckets.get storage.objects.get storage.objects.list
Dataproc Viewer (`roles/dataproc.viewer`) Provides read-only access to Dataproc resources. Lowest-level resources where you can grant this role: Project	compute.machineTypes.get compute.regions.* compute.zones.* dataproc.autoscalingPolicies.get dataproc.autoscalingPolicies.list dataproc.batches.get dataproc.batches.list dataproc.clusters.get dataproc.clusters.list dataproc.jobs.get dataproc.jobs.list dataproc.operations.get dataproc.operations.list dataproc.workflowTemplates.get dataproc.workflowTemplates.list resourcemanager.projects.get resourcemanager.projects.list
Dataproc Worker (`roles/dataproc.worker`) Provides worker access to Dataproc resources. Intended for service accounts.	dataproc.agents.* dataproc.tasks.* logging.logEntries.create monitoring.metricDescriptors.create monitoring.metricDescriptors.get monitoring.metricDescriptors.list monitoring.monitoredResourceDescriptors.* monitoring.timeSeries.create storage.buckets.get storage.multipartUploads.* storage.objects.*

Dataproc Metastore roles

Role	Permissions
Dataproc Metastore Admin (`roles/metastore.admin`) Full access to all Dataproc Metastore resources.	metastore.backups.* metastore.federations.* metastore.imports.* metastore.locations.* metastore.operations.* metastore.services.create metastore.services.delete metastore.services.export metastore.services.get metastore.services.getIamPolicy metastore.services.list metastore.services.restore metastore.services.setIamPolicy metastore.services.update resourcemanager.projects.get resourcemanager.projects.list
Dataproc Metastore Editor (`roles/metastore.editor`) Read and write access to all Dataproc Metastore resources.	metastore.backups.* metastore.federations.create metastore.federations.delete metastore.federations.get metastore.federations.list metastore.federations.update metastore.imports.* metastore.locations.* metastore.operations.* metastore.services.create metastore.services.delete metastore.services.export metastore.services.get metastore.services.getIamPolicy metastore.services.list metastore.services.restore metastore.services.update resourcemanager.projects.get resourcemanager.projects.list
Metastore Federation Accessor (`roles/metastore.federationAccessor`) Access to the Metastore Federation resource.	metastore.federations.use
Dataproc Metastore Metadata Editor ^Beta (`roles/metastore.metadataEditor`) Access to read and modify the metadata of databases and tables under those databases.	metastore.databases.create metastore.databases.delete metastore.databases.get metastore.databases.getIamPolicy metastore.databases.list metastore.databases.update metastore.services.get metastore.services.use metastore.tables.create metastore.tables.delete metastore.tables.get metastore.tables.getIamPolicy metastore.tables.list metastore.tables.update
Dataproc Metastore Metadata Operator (`roles/metastore.metadataOperator`) Read-only access to Dataproc Metastore resources with additional metadata operations permission.	metastore.backups.* metastore.imports.* metastore.locations.* metastore.operations.get metastore.operations.list metastore.services.export metastore.services.get metastore.services.getIamPolicy metastore.services.list metastore.services.restore resourcemanager.projects.get resourcemanager.projects.list
Dataproc Metastore Data Owner ^Beta (`roles/metastore.metadataOwner`) Full access to the metadata of databases and tables under those databases.	metastore.databases.* metastore.services.get metastore.services.getIamPolicy metastore.services.list metastore.services.use metastore.tables.*
Dataproc Metastore Metadata User ^Beta (`roles/metastore.metadataUser`) Access to the Dataproc Metastore gRPC endpoint	metastore.databases.get metastore.databases.list metastore.services.get metastore.services.use
Dataproc Metastore Metadata Viewer ^Beta (`roles/metastore.metadataViewer`) Access to read the metadata of databases and tables under those databases	metastore.databases.get metastore.databases.getIamPolicy metastore.databases.list metastore.services.get metastore.services.use metastore.tables.get metastore.tables.getIamPolicy metastore.tables.list
Dataproc Metastore Viewer (`roles/metastore.user`) Read-only access to all Dataproc Metastore resources.	metastore.backups.get metastore.backups.list metastore.federations.get metastore.federations.getIamPolicy metastore.federations.list metastore.imports.get metastore.imports.list metastore.locations.* metastore.operations.get metastore.operations.list metastore.services.export metastore.services.get metastore.services.getIamPolicy metastore.services.list resourcemanager.projects.get resourcemanager.projects.list

Datastore roles

Role	Permissions
Cloud Datastore Import Export Admin (`roles/datastore.importExportAdmin`) Provides full access to manage imports and exports. Lowest-level resources where you can grant this role: Project	appengine.applications.get datastore.databases.export datastore.databases.getMetadata datastore.databases.import datastore.operations.cancel datastore.operations.get datastore.operations.list resourcemanager.projects.get resourcemanager.projects.list
Cloud Datastore Index Admin (`roles/datastore.indexAdmin`) Provides full access to manage index definitions. Lowest-level resources where you can grant this role: Project	appengine.applications.get datastore.databases.getMetadata datastore.indexes.* resourcemanager.projects.get resourcemanager.projects.list
Cloud Datastore Key Visualizer Viewer (`roles/datastore.keyVisualizerViewer`) Full access to Key Visualizer scans.	datastore.databases.getMetadata datastore.keyVisualizerScans.* resourcemanager.projects.get resourcemanager.projects.list
Cloud Datastore Owner (`roles/datastore.owner`) Provides full access to Datastore resources. Lowest-level resources where you can grant this role: Project	appengine.applications.get datastore.* resourcemanager.projects.get resourcemanager.projects.list
Cloud Datastore User (`roles/datastore.user`) Provides read/write access to data in a Datastore database. Lowest-level resources where you can grant this role: Project	appengine.applications.get datastore.databases.get datastore.databases.getMetadata datastore.entities.* datastore.indexes.list datastore.namespaces.* datastore.statistics.* resourcemanager.projects.get resourcemanager.projects.list
Cloud Datastore Viewer (`roles/datastore.viewer`) Provides read access to Datastore resources. Lowest-level resources where you can grant this role: Project	appengine.applications.get datastore.databases.get datastore.databases.getMetadata datastore.databases.list datastore.entities.get datastore.entities.list datastore.indexes.get datastore.indexes.list datastore.namespaces.* datastore.statistics.* resourcemanager.projects.get resourcemanager.projects.list

DataStream roles

Role Permissions

Datastream Admin ^Beta
(roles/datastream.admin)

Full access to all Datastream resources.

datastream.*
resourcemanager.projects.get
resourcemanager.projects.list

Datastream Viewer ^Beta
(roles/datastream.viewer)

Read-only access to all Datastream resources.

datastream.connectionProfiles.destinationTypes
datastream.connectionProfiles.discover
datastream.connectionProfiles.get
datastream.connectionProfiles.getIamPolicy
datastream.connectionProfiles.list
datastream.connectionProfiles.listEffectiveTags
datastream.connectionProfiles.listStaticServiceIps
datastream.connectionProfiles.listTagBindings
datastream.connectionProfiles.sourceTypes
datastream.locations.*
datastream.objects.get
datastream.objects.list
datastream.operations.get
datastream.operations.list
datastream.privateConnections.get
datastream.privateConnections.getIamPolicy
datastream.privateConnections.list
datastream.privateConnections.listEffectiveTags
datastream.privateConnections.listTagBindings
datastream.routes.get
datastream.routes.getIamPolicy
datastream.routes.list
datastream.streams.fetchErrors
datastream.streams.get
datastream.streams.getIamPolicy
datastream.streams.list
datastream.streams.listEffectiveTags
datastream.streams.listTagBindings
resourcemanager.projects.get
resourcemanager.projects.list

Deployment Manager roles

Role	Permissions
Deployment Manager Editor (`roles/deploymentmanager.editor`) Provides the permissions necessary to create and manage deployments. Lowest-level resources where you can grant this role: Project	deploymentmanager.compositeTypes.* deploymentmanager.deployments.cancelPreview deploymentmanager.deployments.create deploymentmanager.deployments.delete deploymentmanager.deployments.get deploymentmanager.deployments.list deploymentmanager.deployments.stop deploymentmanager.deployments.update deploymentmanager.manifests.* deploymentmanager.operations.* deploymentmanager.resources.* deploymentmanager.typeProviders.* deploymentmanager.types.* resourcemanager.projects.get resourcemanager.projects.list serviceusage.quotas.get serviceusage.services.get serviceusage.services.list
Deployment Manager Type Editor (`roles/deploymentmanager.typeEditor`) Provides read and write access to all Type Registry resources. Lowest-level resources where you can grant this role: Project	deploymentmanager.compositeTypes.* deploymentmanager.operations.get deploymentmanager.typeProviders.* deploymentmanager.types.* resourcemanager.projects.get resourcemanager.projects.list serviceusage.quotas.get serviceusage.services.get
Deployment Manager Type Viewer (`roles/deploymentmanager.typeViewer`) Provides read-only access to all Type Registry resources. Lowest-level resources where you can grant this role: Project	deploymentmanager.compositeTypes.get deploymentmanager.compositeTypes.list deploymentmanager.typeProviders.get deploymentmanager.typeProviders.getType deploymentmanager.typeProviders.list deploymentmanager.typeProviders.listTypes deploymentmanager.types.get deploymentmanager.types.list resourcemanager.projects.get resourcemanager.projects.list serviceusage.quotas.get serviceusage.services.get
Deployment Manager Viewer (`roles/deploymentmanager.viewer`) Provides read-only access to all Deployment Manager-related resources. Lowest-level resources where you can grant this role: Project	deploymentmanager.compositeTypes.get deploymentmanager.compositeTypes.list deploymentmanager.deployments.get deploymentmanager.deployments.list deploymentmanager.manifests.* deploymentmanager.operations.* deploymentmanager.resources.* deploymentmanager.typeProviders.get deploymentmanager.typeProviders.getType deploymentmanager.typeProviders.list deploymentmanager.typeProviders.listTypes deploymentmanager.types.get deploymentmanager.types.list resourcemanager.projects.get resourcemanager.projects.list serviceusage.quotas.get serviceusage.services.get serviceusage.services.list

Dialogflow roles

Role	Permissions
AAM Admin (`roles/dialogflow.aamAdmin`) An admin has access to all resources and can perform all administrative actions in an AAM project.	dialogflow.agents.export dialogflow.agents.get dialogflow.agents.list dialogflow.agents.search dialogflow.agents.searchResources dialogflow.answerrecords.get dialogflow.answerrecords.list dialogflow.callMatchers.list dialogflow.changelogs.* dialogflow.contexts.get dialogflow.contexts.list dialogflow.conversationDatasets.get dialogflow.conversationDatasets.list dialogflow.conversationModels.get dialogflow.conversationModels.list dialogflow.conversationProfiles.get dialogflow.conversationProfiles.list dialogflow.conversations.get dialogflow.conversations.list dialogflow.documents.get dialogflow.documents.list dialogflow.entityTypes.get dialogflow.entityTypes.list dialogflow.environments.get dialogflow.environments.list dialogflow.flows.get dialogflow.flows.list dialogflow.fulfillments.get dialogflow.integrations.get dialogflow.integrations.list dialogflow.intents.get dialogflow.intents.list dialogflow.knowledgeBases.get dialogflow.knowledgeBases.list dialogflow.messages.list dialogflow.modelEvaluations.* dialogflow.operations.get dialogflow.pages.get dialogflow.pages.list dialogflow.participants.get dialogflow.participants.list dialogflow.phoneNumberOrders.get dialogflow.phoneNumberOrders.list dialogflow.phoneNumbers.list dialogflow.securitySettings.get dialogflow.securitySettings.list dialogflow.sessionEntityTypes.get dialogflow.sessionEntityTypes.list dialogflow.smartMessagingEntries.get dialogflow.smartMessagingEntries.list dialogflow.transitionRouteGroups.get dialogflow.transitionRouteGroups.list dialogflow.versions.get dialogflow.versions.list dialogflow.webhooks.get dialogflow.webhooks.list resourcemanager.projects.get resourcemanager.projects.list
AAM Conversational Architect (`roles/dialogflow.aamConversationalArchitect`) A Conversational Architect can label conversational data, approve taxonomy changes and design virtual agents for a customer's use cases.	dialogflow.agents.export dialogflow.agents.get dialogflow.agents.list dialogflow.agents.search dialogflow.agents.searchResources dialogflow.answerrecords.get dialogflow.answerrecords.list dialogflow.callMatchers.list dialogflow.changelogs.* dialogflow.contexts.get dialogflow.contexts.list dialogflow.conversationDatasets.get dialogflow.conversationDatasets.list dialogflow.conversationModels.get dialogflow.conversationModels.list dialogflow.conversationProfiles.get dialogflow.conversationProfiles.list dialogflow.conversations.get dialogflow.conversations.list dialogflow.documents.get dialogflow.documents.list dialogflow.entityTypes.get dialogflow.entityTypes.list dialogflow.environments.get dialogflow.environments.list dialogflow.flows.get dialogflow.flows.list dialogflow.fulfillments.get dialogflow.integrations.get dialogflow.integrations.list dialogflow.intents.get dialogflow.intents.list dialogflow.knowledgeBases.get dialogflow.knowledgeBases.list dialogflow.messages.list dialogflow.modelEvaluations.* dialogflow.operations.get dialogflow.pages.get dialogflow.pages.list dialogflow.participants.get dialogflow.participants.list dialogflow.phoneNumberOrders.get dialogflow.phoneNumberOrders.list dialogflow.phoneNumbers.list dialogflow.securitySettings.get dialogflow.securitySettings.list dialogflow.sessionEntityTypes.get dialogflow.sessionEntityTypes.list dialogflow.smartMessagingEntries.get dialogflow.smartMessagingEntries.list dialogflow.transitionRouteGroups.get dialogflow.transitionRouteGroups.list dialogflow.versions.get dialogflow.versions.list dialogflow.webhooks.get dialogflow.webhooks.list resourcemanager.projects.get resourcemanager.projects.list
AAM Dialog Designer (`roles/dialogflow.aamDialogDesigner`) A Dialog Designer can label conversational data and propose taxonomy changes for virtual agent modeling.	dialogflow.agents.export dialogflow.agents.get dialogflow.agents.list dialogflow.agents.search dialogflow.agents.searchResources dialogflow.answerrecords.get dialogflow.answerrecords.list dialogflow.callMatchers.list dialogflow.changelogs.* dialogflow.contexts.get dialogflow.contexts.list dialogflow.conversationDatasets.get dialogflow.conversationDatasets.list dialogflow.conversationModels.get dialogflow.conversationModels.list dialogflow.conversationProfiles.get dialogflow.conversationProfiles.list dialogflow.conversations.get dialogflow.conversations.list dialogflow.documents.get dialogflow.documents.list dialogflow.entityTypes.get dialogflow.entityTypes.list dialogflow.environments.get dialogflow.environments.list dialogflow.flows.get dialogflow.flows.list dialogflow.fulfillments.get dialogflow.integrations.get dialogflow.integrations.list dialogflow.intents.get dialogflow.intents.list dialogflow.knowledgeBases.get dialogflow.knowledgeBases.list dialogflow.messages.list dialogflow.modelEvaluations.* dialogflow.operations.get dialogflow.pages.get dialogflow.pages.list dialogflow.participants.get dialogflow.participants.list dialogflow.phoneNumberOrders.get dialogflow.phoneNumberOrders.list dialogflow.phoneNumbers.list dialogflow.securitySettings.get dialogflow.securitySettings.list dialogflow.sessionEntityTypes.get dialogflow.sessionEntityTypes.list dialogflow.smartMessagingEntries.get dialogflow.smartMessagingEntries.list dialogflow.transitionRouteGroups.get dialogflow.transitionRouteGroups.list dialogflow.versions.get dialogflow.versions.list dialogflow.webhooks.get dialogflow.webhooks.list resourcemanager.projects.get resourcemanager.projects.list
AAM Lead Dialog Designer (`roles/dialogflow.aamLeadDialogDesigner`) A Dialog Designer Lead can label conversational data and approve taxonomy changes for virtual agent modeling.	dialogflow.agents.export dialogflow.agents.get dialogflow.agents.list dialogflow.agents.search dialogflow.agents.searchResources dialogflow.answerrecords.get dialogflow.answerrecords.list dialogflow.callMatchers.list dialogflow.changelogs.* dialogflow.contexts.get dialogflow.contexts.list dialogflow.conversationDatasets.get dialogflow.conversationDatasets.list dialogflow.conversationModels.get dialogflow.conversationModels.list dialogflow.conversationProfiles.get dialogflow.conversationProfiles.list dialogflow.conversations.get dialogflow.conversations.list dialogflow.documents.get dialogflow.documents.list dialogflow.entityTypes.get dialogflow.entityTypes.list dialogflow.environments.get dialogflow.environments.list dialogflow.flows.get dialogflow.flows.list dialogflow.fulfillments.get dialogflow.integrations.get dialogflow.integrations.list dialogflow.intents.get dialogflow.intents.list dialogflow.knowledgeBases.get dialogflow.knowledgeBases.list dialogflow.messages.list dialogflow.modelEvaluations.* dialogflow.operations.get dialogflow.pages.get dialogflow.pages.list dialogflow.participants.get dialogflow.participants.list dialogflow.phoneNumberOrders.get dialogflow.phoneNumberOrders.list dialogflow.phoneNumbers.list dialogflow.securitySettings.get dialogflow.securitySettings.list dialogflow.sessionEntityTypes.get dialogflow.sessionEntityTypes.list dialogflow.smartMessagingEntries.get dialogflow.smartMessagingEntries.list dialogflow.transitionRouteGroups.get dialogflow.transitionRouteGroups.list dialogflow.versions.get dialogflow.versions.list dialogflow.webhooks.get dialogflow.webhooks.list resourcemanager.projects.get resourcemanager.projects.list
AAM Viewer (`roles/dialogflow.aamViewer`) A user can view the taxonomy and data reports in an AAM project.	dialogflow.agents.export dialogflow.agents.get dialogflow.agents.list dialogflow.agents.search dialogflow.agents.searchResources dialogflow.answerrecords.get dialogflow.answerrecords.list dialogflow.callMatchers.list dialogflow.changelogs.* dialogflow.contexts.get dialogflow.contexts.list dialogflow.conversationDatasets.get dialogflow.conversationDatasets.list dialogflow.conversationModels.get dialogflow.conversationModels.list dialogflow.conversationProfiles.get dialogflow.conversationProfiles.list dialogflow.conversations.get dialogflow.conversations.list dialogflow.documents.get dialogflow.documents.list dialogflow.entityTypes.get dialogflow.entityTypes.list dialogflow.environments.get dialogflow.environments.list dialogflow.flows.get dialogflow.flows.list dialogflow.fulfillments.get dialogflow.integrations.get dialogflow.integrations.list dialogflow.intents.get dialogflow.intents.list dialogflow.knowledgeBases.get dialogflow.knowledgeBases.list dialogflow.messages.list dialogflow.modelEvaluations.* dialogflow.operations.get dialogflow.pages.get dialogflow.pages.list dialogflow.participants.get dialogflow.participants.list dialogflow.phoneNumberOrders.get dialogflow.phoneNumberOrders.list dialogflow.phoneNumbers.list dialogflow.securitySettings.get dialogflow.securitySettings.list dialogflow.sessionEntityTypes.get dialogflow.sessionEntityTypes.list dialogflow.smartMessagingEntries.get dialogflow.smartMessagingEntries.list dialogflow.transitionRouteGroups.get dialogflow.transitionRouteGroups.list dialogflow.versions.get dialogflow.versions.list dialogflow.webhooks.get dialogflow.webhooks.list resourcemanager.projects.get resourcemanager.projects.list
Dialogflow API Admin (`roles/dialogflow.admin`) Grant to Dialogflow API admins that need full access to Dialogflow-specific resources. Also see Dialogflow access control. Lowest-level resources where you can grant this role: Project	dialogflow.* resourcemanager.projects.get
Dialogflow API Client (`roles/dialogflow.client`) Grant to Dialogflow API clients that perform Dialogflow-specific edits and detect intent calls using the API. Also see Dialogflow access control. Lowest-level resources where you can grant this role: Project	dialogflow.contexts.* dialogflow.conversations.* dialogflow.messages.list dialogflow.participants.* dialogflow.sessionEntityTypes.* dialogflow.sessions.*
Dialogflow Console Agent Editor (`roles/dialogflow.consoleAgentEditor`) Grant to Dialogflow Console editors that edit existing agents. Also see Dialogflow access control. Lowest-level resources where you can grant this role: Project	actions.agentVersions.create dialogflow.* resourcemanager.projects.get
Dialogflow Console Simulator User (`roles/dialogflow.consoleSimulatorUser`) Can perform query of dialogflow suggestions in the simulator in web console.	dialogflow.conversationModels.get dialogflow.conversationModels.list dialogflow.conversationProfiles.get dialogflow.conversationProfiles.list dialogflow.conversations.* dialogflow.documents.get dialogflow.documents.list dialogflow.knowledgeBases.get dialogflow.knowledgeBases.list dialogflow.participants.* dialogflow.sessions.detectIntent resourcemanager.projects.get resourcemanager.projects.list
Dialogflow Console Smart Messaging Allowlist Editor (`roles/dialogflow.consoleSmartMessagingAllowlistEditor`) Can edit allowlist for smart messaging associated with conversation model in the agent assist console	dialogflow.conversationDatasets.get dialogflow.conversationDatasets.list dialogflow.conversationModels.get dialogflow.conversationModels.list dialogflow.conversationProfiles.list dialogflow.documents.get dialogflow.documents.list dialogflow.operations.get dialogflow.smartMessagingEntries.* resourcemanager.projects.get resourcemanager.projects.list
Dialogflow Conversation Manager (`roles/dialogflow.conversationManager`) Can manage all the resources related to Dialogflow Conversations.	dialogflow.conversationProfiles.* dialogflow.conversations.* dialogflow.participants.*
Dialogflow Entity Type Admin (`roles/dialogflow.entityTypeAdmin`) Can read & write entity types.	dialogflow.entityTypes.*
Dialogflow Environment editor (`roles/dialogflow.environmentEditor`) Can read & update environment and its sub-resources.	dialogflow.environments.get dialogflow.environments.getHistory dialogflow.environments.list dialogflow.environments.lookupHistory dialogflow.environments.update
Dialogflow Flow editor (`roles/dialogflow.flowEditor`) Can read & update flow and its sub-resources.	dialogflow.flows.get dialogflow.flows.list dialogflow.flows.train dialogflow.flows.update dialogflow.flows.validate dialogflow.pages.* dialogflow.transitionRouteGroups.* dialogflow.versions.*
Dialogflow Integration Manager (`roles/dialogflow.integrationManager`) Can add, remove, enable and disable Dialogflow integrations.	dialogflow.integrations.*
Dialogflow Intent Admin (`roles/dialogflow.intentAdmin`) Can read & write intents.	dialogflow.intents.*
Dialogflow API Reader (`roles/dialogflow.reader`) Grant to Dialogflow API clients that perform Dialogflow-specific read-only calls using the API. Also see Dialogflow access control. Lowest-level resources where you can grant this role: Project	dialogflow.agents.export dialogflow.agents.get dialogflow.agents.list dialogflow.agents.search dialogflow.agents.searchResources dialogflow.answerrecords.get dialogflow.answerrecords.list dialogflow.callMatchers.list dialogflow.changelogs.* dialogflow.contexts.get dialogflow.contexts.list dialogflow.conversationDatasets.get dialogflow.conversationDatasets.list dialogflow.conversationModels.get dialogflow.conversationModels.list dialogflow.conversationProfiles.get dialogflow.conversationProfiles.list dialogflow.conversations.get dialogflow.conversations.list dialogflow.documents.get dialogflow.documents.list dialogflow.entityTypes.get dialogflow.entityTypes.list dialogflow.environments.get dialogflow.environments.list dialogflow.flows.get dialogflow.flows.list dialogflow.fulfillments.get dialogflow.integrations.get dialogflow.integrations.list dialogflow.intents.get dialogflow.intents.list dialogflow.knowledgeBases.get dialogflow.knowledgeBases.list dialogflow.messages.list dialogflow.modelEvaluations.* dialogflow.operations.get dialogflow.pages.get dialogflow.pages.list dialogflow.participants.get dialogflow.participants.list dialogflow.phoneNumberOrders.get dialogflow.phoneNumberOrders.list dialogflow.phoneNumbers.list dialogflow.securitySettings.get dialogflow.securitySettings.list dialogflow.sessionEntityTypes.get dialogflow.sessionEntityTypes.list dialogflow.smartMessagingEntries.get dialogflow.smartMessagingEntries.list dialogflow.transitionRouteGroups.get dialogflow.transitionRouteGroups.list dialogflow.versions.get dialogflow.versions.list dialogflow.webhooks.get dialogflow.webhooks.list resourcemanager.projects.get
Dialogflow Test Case Admin (`roles/dialogflow.testCaseAdmin`) Can read & write test cases.
Dialogflow Webhook Admin (`roles/dialogflow.webhookAdmin`) Can read & write webhooks.	dialogflow.webhooks.*

DNS roles

Role Permissions

DNS Administrator
(roles/dns.admin)

Provides read-write access to all Cloud DNS resources.

Lowest-level resources where you can grant this role:

Project

compute.networks.get
compute.networks.list
dns.changes.*
dns.dnsKeys.*
dns.managedZoneOperations.*
dns.managedZones.create
dns.managedZones.delete
dns.managedZones.get
dns.managedZones.getIamPolicy
dns.managedZones.list
dns.managedZones.update
dns.networks.*
dns.policies.create
dns.policies.delete
dns.policies.get
dns.policies.getIamPolicy
dns.policies.list
dns.policies.update
dns.projects.get
dns.resourceRecordSets.*
dns.responsePolicies.*
dns.responsePolicyRules.*
resourcemanager.projects.get
resourcemanager.projects.list

DNS Peer
(roles/dns.peer)

Access to target networks with DNS peering zones

dns.networks.targetWithPeeringZone

DNS Reader
(roles/dns.reader)

Provides read-only access to all Cloud DNS resources.

Lowest-level resources where you can grant this role:

Project

compute.networks.get
dns.changes.get
dns.changes.list
dns.dnsKeys.*
dns.managedZoneOperations.*
dns.managedZones.get
dns.managedZones.list
dns.policies.get
dns.policies.list
dns.projects.get
dns.resourceRecordSets.get
dns.resourceRecordSets.list
dns.responsePolicies.get
dns.responsePolicies.list
dns.responsePolicyRules.get
dns.responsePolicyRules.list
resourcemanager.projects.get
resourcemanager.projects.list

Document AI roles

Role	Permissions
Document AI Administrator ^Beta (`roles/documentai.admin`) Grants full access to all resources in Document AI	documentai.* resourcemanager.projects.get resourcemanager.projects.list
Document AI API User ^Beta (`roles/documentai.apiUser`) Grants access to process documents in Document AI	documentai.humanReviewConfigs.review documentai.operations.getLegacy documentai.processorVersions.processBatch documentai.processorVersions.processOnline documentai.processors.processBatch documentai.processors.processOnline
Document AI Editor ^Beta (`roles/documentai.editor`) Grants access to use all resources in Document AI	documentai.* resourcemanager.projects.get resourcemanager.projects.list
Document AI Viewer ^Beta (`roles/documentai.viewer`) Grants access to view all resources and process documents in Document AI	documentai.dataLabelingJobs.list documentai.datasetSchemas.get documentai.datasets.get documentai.datasets.getDocuments documentai.datasets.listDocuments documentai.evaluations.get documentai.evaluations.list documentai.humanReviewConfigs.get documentai.humanReviewConfigs.review documentai.labelerPools.get documentai.labelerPools.list documentai.locations.* documentai.operations.getLegacy documentai.processorTypes.* documentai.processorVersions.get documentai.processorVersions.list documentai.processorVersions.processBatch documentai.processorVersions.processOnline documentai.processors.fetchHumanReviewDetails documentai.processors.get documentai.processors.list documentai.processors.processBatch documentai.processors.processOnline resourcemanager.projects.get resourcemanager.projects.list

Earth Engine roles

Role	Permissions
Earth Engine Resource Admin ^Beta (`roles/earthengine.admin`) Full access to all Earth Engine resource features	earthengine.* resourcemanager.projects.get resourcemanager.projects.list
Earth Engine Apps Publisher ^Beta (`roles/earthengine.appsPublisher`) Publisher of Earth Engine Apps	iam.serviceAccounts.create iam.serviceAccounts.disable iam.serviceAccounts.enable iam.serviceAccounts.get iam.serviceAccounts.getIamPolicy iam.serviceAccounts.setIamPolicy resourcemanager.projects.get serviceusage.services.get
Earth Engine Resource Viewer ^Beta (`roles/earthengine.viewer`) Viewer of all Earth Engine resources	earthengine.assets.get earthengine.assets.getIamPolicy earthengine.assets.list earthengine.computations.create earthengine.filmstripthumbnails.get earthengine.maps.get earthengine.operations.get earthengine.operations.list earthengine.tables.get earthengine.thumbnails.get earthengine.videothumbnails.get resourcemanager.projects.get resourcemanager.projects.list
Earth Engine Resource Writer ^Beta (`roles/earthengine.writer`) Writer of all Earth Engine resources	earthengine.assets.create earthengine.assets.delete earthengine.assets.get earthengine.assets.getIamPolicy earthengine.assets.list earthengine.assets.update earthengine.computations.create earthengine.exports.create earthengine.filmstripthumbnails.* earthengine.imports.create earthengine.maps.* earthengine.operations.* earthengine.tables.* earthengine.thumbnails.* earthengine.videothumbnails.* resourcemanager.projects.get resourcemanager.projects.list

Edge Container roles

Role	Permissions
Edge Container Admin (`roles/edgecontainer.admin`) Full access to Edge Container all resources.	edgecontainer.* resourcemanager.projects.get resourcemanager.projects.list
Edge Container Machine User (`roles/edgecontainer.machineUser`) Access to use Edge Container Machine resources.	edgecontainer.machines.get edgecontainer.machines.getIamPolicy edgecontainer.machines.list edgecontainer.machines.use resourcemanager.projects.get resourcemanager.projects.list
Edge Container Viewer (`roles/edgecontainer.viewer`) Read-only access to Edge Container all resources.	edgecontainer.clusters.generateAccessToken edgecontainer.clusters.get edgecontainer.clusters.getIamPolicy edgecontainer.clusters.list edgecontainer.locations.* edgecontainer.machines.get edgecontainer.machines.getIamPolicy edgecontainer.machines.list edgecontainer.nodePools.get edgecontainer.nodePools.getIamPolicy edgecontainer.nodePools.list edgecontainer.operations.get edgecontainer.operations.list edgecontainer.vpnConnections.get edgecontainer.vpnConnections.getIamPolicy edgecontainer.vpnConnections.list resourcemanager.projects.get resourcemanager.projects.list

Endpoints roles

Role Permissions

Endpoints Portal Admin ^Beta
(roles/endpoints.portalAdmin)

Provides all permissions needed to add, view, and delete custom domains on the Endpoints > Developer Portal page in the Google Cloud console. On a portal created for an API, provides the permission to change settings on the Site Wide tab on the Settings page.

Lowest-level resources where you can grant this role:

Project

endpoints.*
resourcemanager.projects.get
resourcemanager.projects.list
servicemanagement.services.get

Error Reporting roles

Role	Permissions
Error Reporting Admin ^Beta (`roles/errorreporting.admin`) Provides full access to Error Reporting data. Lowest-level resources where you can grant this role: Project	cloudnotifications.activities.list errorreporting.* logging.notificationRules.* resourcemanager.projects.get resourcemanager.projects.list stackdriver.projects.get
Error Reporting User ^Beta (`roles/errorreporting.user`) Provides the permissions to read and write Error Reporting data, except for sending new error events. Lowest-level resources where you can grant this role: Project	cloudnotifications.activities.list errorreporting.applications.list errorreporting.errorEvents.delete errorreporting.errorEvents.list errorreporting.groupMetadata.* errorreporting.groups.list logging.notificationRules.* resourcemanager.projects.get resourcemanager.projects.list stackdriver.projects.get
Error Reporting Viewer ^Beta (`roles/errorreporting.viewer`) Provides read-only access to Error Reporting data. Lowest-level resources where you can grant this role: Project	cloudnotifications.activities.list errorreporting.applications.list errorreporting.errorEvents.list errorreporting.groupMetadata.get errorreporting.groups.list logging.notificationRules.get logging.notificationRules.list resourcemanager.projects.get resourcemanager.projects.list stackdriver.projects.get
Error Reporting Writer ^Beta (`roles/errorreporting.writer`) Provides the permissions to send error events to Error Reporting. Lowest-level resources where you can grant this role: Service Account	errorreporting.errorEvents.create

Eventarc roles

Role	Permissions
Eventarc Admin (`roles/eventarc.admin`) Full control over all Eventarc resources.	eventarc.* resourcemanager.projects.get resourcemanager.projects.list
Eventarc Connection Publisher ^Beta (`roles/eventarc.connectionPublisher`) Can publish events to Eventarc Channel Connections.	eventarc.channelConnections.get eventarc.channelConnections.list eventarc.channelConnections.publish resourcemanager.projects.get resourcemanager.projects.list
Eventarc Developer (`roles/eventarc.developer`) Access to read and write Eventarc resources.	eventarc.channelConnections.create eventarc.channelConnections.delete eventarc.channelConnections.get eventarc.channelConnections.getIamPolicy eventarc.channelConnections.list eventarc.channelConnections.publish eventarc.channels.attach eventarc.channels.create eventarc.channels.delete eventarc.channels.get eventarc.channels.getIamPolicy eventarc.channels.list eventarc.channels.publish eventarc.channels.undelete eventarc.channels.update eventarc.googleChannelConfigs.* eventarc.locations.* eventarc.operations.* eventarc.triggers.create eventarc.triggers.delete eventarc.triggers.get eventarc.triggers.getIamPolicy eventarc.triggers.list eventarc.triggers.undelete eventarc.triggers.update resourcemanager.projects.get resourcemanager.projects.list
Eventarc Event Receiver (`roles/eventarc.eventReceiver`) Can receive events from all event providers.	eventarc.events.*
Eventarc Publisher ^Beta (`roles/eventarc.publisher`) Can publish events to Eventarc channels.	eventarc.channels.get eventarc.channels.list eventarc.channels.publish resourcemanager.projects.get resourcemanager.projects.list
Eventarc Viewer (`roles/eventarc.viewer`) Can view the state of all Eventarc resources, including IAM policies.	eventarc.channelConnections.get eventarc.channelConnections.getIamPolicy eventarc.channelConnections.list eventarc.channels.get eventarc.channels.getIamPolicy eventarc.channels.list eventarc.googleChannelConfigs.get eventarc.locations.* eventarc.operations.get eventarc.operations.list eventarc.providers.* eventarc.triggers.get eventarc.triggers.getIamPolicy eventarc.triggers.list resourcemanager.projects.get resourcemanager.projects.list

Firebase roles

Role	Permissions
Firebase Admin (`roles/firebase.admin`) Full access to Firebase products.	apikeys.keys.get apikeys.keys.list apikeys.keys.lookup appengine.applications.get automl.* clientauthconfig.brands.get clientauthconfig.brands.list clientauthconfig.brands.update clientauthconfig.clients.create clientauthconfig.clients.delete clientauthconfig.clients.get clientauthconfig.clients.list clientauthconfig.clients.update cloudbuild.builds.get cloudbuild.builds.list cloudconfig.* cloudfunctions.* cloudmessaging.messages.create cloudnotifications.activities.list cloudtestservice.* cloudtoolresults.* datastore.* errorreporting.groups.list eventarc.* fcmdata.deliverydata.list firebase.* firebaseabt.* firebaseanalytics.* firebaseappcheck.* firebaseappdistro.* firebaseauth.* firebasecrash.* firebasecrashlytics.* firebasedatabase.* firebasedynamiclinks.* firebaseextensions.* firebasehosting.* firebaseinappmessaging.* firebasemessagingcampaigns.* firebaseml.* firebasenotifications.* firebaseperformance.* firebaserules.* firebasestorage.* logging.logEntries.list monitoring.timeSeries.list orgpolicy.policy.get recommender.locations.* recommender.runServiceIdentityInsights.* recommender.runServiceIdentityRecommendations.* remotebuildexecution.blobs.get resourcemanager.projects.get resourcemanager.projects.getIamPolicy resourcemanager.projects.list run.* runtimeconfig.configs.create runtimeconfig.configs.delete runtimeconfig.configs.get runtimeconfig.configs.list runtimeconfig.configs.update runtimeconfig.operations.* runtimeconfig.variables.create runtimeconfig.variables.delete runtimeconfig.variables.get runtimeconfig.variables.list runtimeconfig.variables.update runtimeconfig.variables.watch runtimeconfig.waiters.create runtimeconfig.waiters.delete runtimeconfig.waiters.get runtimeconfig.waiters.list runtimeconfig.waiters.update serviceusage.operations.get serviceusage.operations.list serviceusage.quotas.get serviceusage.services.get serviceusage.services.list storage.buckets.* storage.multipartUploads.* storage.objects.*
Firebase Analytics Admin (`roles/firebase.analyticsAdmin`) Full access to Google Analytics for Firebase.	cloudnotifications.activities.list firebase.billingPlans.get firebase.clients.get firebase.clients.list firebase.links.list firebase.playLinks.get firebase.playLinks.list firebase.projects.get firebaseanalytics.* firebaseextensions.configs.list resourcemanager.projects.get resourcemanager.projects.getIamPolicy resourcemanager.projects.list
Firebase Analytics Viewer (`roles/firebase.analyticsViewer`) Read access to Google Analytics for Firebase.	cloudnotifications.activities.list firebase.billingPlans.get firebase.clients.get firebase.clients.list firebase.links.list firebase.playLinks.get firebase.playLinks.list firebase.projects.get firebaseanalytics.resources.googleAnalyticsReadAndAnalyze firebaseextensions.configs.list resourcemanager.projects.get resourcemanager.projects.getIamPolicy resourcemanager.projects.list
Firebase Develop Admin (`roles/firebase.developAdmin`) Full access to Firebase Develop products and Analytics.	apikeys.keys.get apikeys.keys.list apikeys.keys.lookup appengine.applications.get automl.* clientauthconfig.brands.get clientauthconfig.brands.list clientauthconfig.brands.update clientauthconfig.clients.get clientauthconfig.clients.list cloudbuild.builds.get cloudbuild.builds.list cloudfunctions.* cloudnotifications.activities.list datastore.* errorreporting.groups.list eventarc.* firebase.billingPlans.get firebase.clients.get firebase.clients.list firebase.links.list firebase.playLinks.get firebase.playLinks.list firebase.projects.get firebaseanalytics.* firebaseappcheck.* firebaseauth.* firebasedatabase.* firebaseextensions.configs.list firebasehosting.* firebaseml.* firebaserules.* firebasestorage.* logging.logEntries.list monitoring.timeSeries.list orgpolicy.policy.get recommender.locations.* recommender.runServiceIdentityInsights.* recommender.runServiceIdentityRecommendations.* remotebuildexecution.blobs.get resourcemanager.projects.get resourcemanager.projects.getIamPolicy resourcemanager.projects.list run.* runtimeconfig.configs.create runtimeconfig.configs.delete runtimeconfig.configs.get runtimeconfig.configs.list runtimeconfig.configs.update runtimeconfig.operations.* runtimeconfig.variables.create runtimeconfig.variables.delete runtimeconfig.variables.get runtimeconfig.variables.list runtimeconfig.variables.update runtimeconfig.variables.watch runtimeconfig.waiters.create runtimeconfig.waiters.delete runtimeconfig.waiters.get runtimeconfig.waiters.list runtimeconfig.waiters.update serviceusage.operations.get serviceusage.operations.list serviceusage.quotas.get serviceusage.services.get serviceusage.services.list storage.buckets.* storage.multipartUploads.* storage.objects.*
Firebase Develop Viewer (`roles/firebase.developViewer`) Read access to Firebase Develop products and Analytics.	automl.annotationSpecs.get automl.annotationSpecs.list automl.annotations.list automl.columnSpecs.get automl.columnSpecs.list automl.datasets.get automl.datasets.list automl.examples.get automl.examples.list automl.files.list automl.humanAnnotationTasks.get automl.humanAnnotationTasks.list automl.locations.get automl.locations.list automl.modelEvaluations.get automl.modelEvaluations.list automl.models.get automl.models.list automl.operations.get automl.operations.list automl.tableSpecs.get automl.tableSpecs.list clientauthconfig.brands.get clientauthconfig.brands.list cloudbuild.builds.get cloudbuild.builds.list cloudfunctions.functions.get cloudfunctions.functions.list cloudfunctions.locations.* cloudfunctions.operations.* cloudfunctions.runtimes.list cloudnotifications.activities.list datastore.databases.get datastore.databases.getMetadata datastore.databases.list datastore.entities.get datastore.entities.list datastore.indexes.get datastore.indexes.list datastore.namespaces.* datastore.statistics.* errorreporting.groups.list eventarc.channelConnections.get eventarc.channelConnections.getIamPolicy eventarc.channelConnections.list eventarc.channels.get eventarc.channels.getIamPolicy eventarc.channels.list eventarc.googleChannelConfigs.get eventarc.locations.* eventarc.operations.get eventarc.operations.list eventarc.providers.* eventarc.triggers.get eventarc.triggers.getIamPolicy eventarc.triggers.list firebase.billingPlans.get firebase.clients.get firebase.clients.list firebase.links.list firebase.playLinks.get firebase.playLinks.list firebase.projects.get firebaseanalytics.resources.googleAnalyticsReadAndAnalyze firebaseappcheck.appAttestConfig.get firebaseappcheck.debugTokens.get firebaseappcheck.deviceCheckConfig.get firebaseappcheck.playIntegrityConfig.get firebaseappcheck.recaptchaEnterpriseConfig.get firebaseappcheck.recaptchaV3Config.get firebaseappcheck.safetyNetConfig.get firebaseappcheck.services.get firebaseauth.configs.get firebaseauth.users.get firebasedatabase.instances.get firebasedatabase.instances.list firebaseextensions.configs.list firebasehosting.sites.get firebasehosting.sites.list firebaseml.compressionjobs.get firebaseml.compressionjobs.list firebaseml.models.get firebaseml.models.list firebaseml.modelversions.get firebaseml.modelversions.list firebaserules.releases.get firebaserules.releases.list firebaserules.rulesets.get firebaserules.rulesets.list firebasestorage.buckets.get firebasestorage.buckets.list logging.logEntries.list monitoring.timeSeries.list recommender.locations.* recommender.runServiceIdentityInsights.get recommender.runServiceIdentityInsights.list recommender.runServiceIdentityRecommendations.get recommender.runServiceIdentityRecommendations.list remotebuildexecution.blobs.get resourcemanager.projects.get resourcemanager.projects.getIamPolicy resourcemanager.projects.list run.configurations.* run.executions.get run.executions.list run.jobs.get run.jobs.getIamPolicy run.jobs.list run.locations.list run.operations.get run.operations.list run.revisions.get run.revisions.list run.routes.get run.routes.list run.services.get run.services.getIamPolicy run.services.list run.services.listEffectiveTags run.services.listTagBindings run.tasks.* serviceusage.operations.get serviceusage.operations.list serviceusage.quotas.get serviceusage.services.get serviceusage.services.list storage.buckets.get storage.buckets.getIamPolicy storage.buckets.list storage.objects.get storage.objects.getIamPolicy storage.objects.list
Firebase Grow Admin (`roles/firebase.growthAdmin`) Full access to Firebase Grow products and Analytics.	clientauthconfig.clients.get clientauthconfig.clients.list cloudconfig.* cloudmessaging.messages.create cloudnotifications.activities.list fcmdata.deliverydata.list firebase.billingPlans.get firebase.clients.get firebase.clients.list firebase.links.list firebase.playLinks.get firebase.playLinks.list firebase.projects.get firebaseabt.* firebaseanalytics.* firebasedynamiclinks.* firebaseextensions.configs.list firebaseinappmessaging.* firebasemessagingcampaigns.* firebasenotifications.* monitoring.timeSeries.list resourcemanager.projects.get resourcemanager.projects.getIamPolicy resourcemanager.projects.list serviceusage.operations.get serviceusage.operations.list serviceusage.quotas.get serviceusage.services.get serviceusage.services.list
Firebase Grow Viewer (`roles/firebase.growthViewer`) Read access to Firebase Grow products and Analytics.	cloudconfig.configs.get cloudnotifications.activities.list fcmdata.deliverydata.list firebase.billingPlans.get firebase.clients.get firebase.clients.list firebase.links.list firebase.playLinks.get firebase.playLinks.list firebase.projects.get firebaseabt.experimentresults.get firebaseabt.experiments.get firebaseabt.experiments.list firebaseabt.projectmetadata.get firebaseanalytics.resources.googleAnalyticsReadAndAnalyze firebasedynamiclinks.destinations.list firebasedynamiclinks.domains.get firebasedynamiclinks.domains.list firebasedynamiclinks.links.get firebasedynamiclinks.links.list firebasedynamiclinks.stats.get firebaseextensions.configs.list firebaseinappmessaging.campaigns.get firebaseinappmessaging.campaigns.list firebasemessagingcampaigns.campaigns.get firebasemessagingcampaigns.campaigns.list firebasenotifications.messages.get firebasenotifications.messages.list monitoring.timeSeries.list resourcemanager.projects.get resourcemanager.projects.getIamPolicy resourcemanager.projects.list serviceusage.operations.get serviceusage.operations.list serviceusage.quotas.get serviceusage.services.get serviceusage.services.list
Firebase Quality Admin (`roles/firebase.qualityAdmin`) Full access to Firebase Quality products and Analytics.	cloudnotifications.activities.list firebase.billingPlans.get firebase.clients.get firebase.clients.list firebase.links.list firebase.playLinks.get firebase.playLinks.list firebase.projects.get firebaseanalytics.* firebaseappdistro.* firebasecrash.* firebasecrashlytics.* firebaseextensions.configs.list firebaseperformance.* monitoring.timeSeries.list resourcemanager.projects.get resourcemanager.projects.getIamPolicy resourcemanager.projects.list serviceusage.operations.get serviceusage.operations.list serviceusage.quotas.get serviceusage.services.get serviceusage.services.list
Firebase Quality Viewer (`roles/firebase.qualityViewer`) Read access to Firebase Quality products and Analytics.	cloudnotifications.activities.list firebase.billingPlans.get firebase.clients.get firebase.clients.list firebase.links.list firebase.playLinks.get firebase.playLinks.list firebase.projects.get firebaseanalytics.resources.googleAnalyticsReadAndAnalyze firebaseappdistro.groups.list firebaseappdistro.releases.list firebaseappdistro.testers.list firebasecrash.reports.get firebasecrashlytics.config.get firebasecrashlytics.data.get firebasecrashlytics.issues.get firebasecrashlytics.issues.list firebasecrashlytics.sessions.get firebaseextensions.configs.list firebaseperformance.data.get monitoring.timeSeries.list resourcemanager.projects.get resourcemanager.projects.getIamPolicy resourcemanager.projects.list serviceusage.operations.get serviceusage.operations.list serviceusage.quotas.get serviceusage.services.get serviceusage.services.list
Firebase Viewer (`roles/firebase.viewer`) Read-only access to Firebase products.	automl.annotationSpecs.get automl.annotationSpecs.list automl.annotations.list automl.columnSpecs.get automl.columnSpecs.list automl.datasets.get automl.datasets.list automl.examples.get automl.examples.list automl.files.list automl.humanAnnotationTasks.get automl.humanAnnotationTasks.list automl.locations.get automl.locations.list automl.modelEvaluations.get automl.modelEvaluations.list automl.models.get automl.models.list automl.operations.get automl.operations.list automl.tableSpecs.get automl.tableSpecs.list clientauthconfig.brands.get clientauthconfig.brands.list cloudbuild.builds.get cloudbuild.builds.list cloudconfig.configs.get cloudfunctions.functions.get cloudfunctions.functions.list cloudfunctions.locations.* cloudfunctions.operations.* cloudfunctions.runtimes.list cloudnotifications.activities.list cloudtestservice.environmentcatalog.get cloudtestservice.matrices.get cloudtoolresults.executions.get cloudtoolresults.executions.list cloudtoolresults.histories.get cloudtoolresults.histories.list cloudtoolresults.settings.get cloudtoolresults.steps.get cloudtoolresults.steps.list datastore.databases.get datastore.databases.getMetadata datastore.databases.list datastore.entities.get datastore.entities.list datastore.indexes.get datastore.indexes.list datastore.namespaces.* datastore.statistics.* errorreporting.groups.list eventarc.channelConnections.get eventarc.channelConnections.getIamPolicy eventarc.channelConnections.list eventarc.channels.get eventarc.channels.getIamPolicy eventarc.channels.list eventarc.googleChannelConfigs.get eventarc.locations.* eventarc.operations.get eventarc.operations.list eventarc.providers.* eventarc.triggers.get eventarc.triggers.getIamPolicy eventarc.triggers.list fcmdata.deliverydata.list firebase.billingPlans.get firebase.clients.get firebase.clients.list firebase.links.list firebase.playLinks.get firebase.playLinks.list firebase.projects.get firebaseabt.experimentresults.get firebaseabt.experiments.get firebaseabt.experiments.list firebaseabt.projectmetadata.get firebaseanalytics.resources.googleAnalyticsReadAndAnalyze firebaseappcheck.appAttestConfig.get firebaseappcheck.debugTokens.get firebaseappcheck.deviceCheckConfig.get firebaseappcheck.playIntegrityConfig.get firebaseappcheck.recaptchaEnterpriseConfig.get firebaseappcheck.recaptchaV3Config.get firebaseappcheck.safetyNetConfig.get firebaseappcheck.services.get firebaseappdistro.groups.list firebaseappdistro.releases.list firebaseappdistro.testers.list firebaseauth.configs.get firebaseauth.users.get firebasecrash.reports.get firebasecrashlytics.config.get firebasecrashlytics.data.get firebasecrashlytics.issues.get firebasecrashlytics.issues.list firebasecrashlytics.sessions.get firebasedatabase.instances.get firebasedatabase.instances.list firebasedynamiclinks.destinations.list firebasedynamiclinks.domains.get firebasedynamiclinks.domains.list firebasedynamiclinks.links.get firebasedynamiclinks.links.list firebasedynamiclinks.stats.get firebaseextensions.configs.list firebasehosting.sites.get firebasehosting.sites.list firebaseinappmessaging.campaigns.get firebaseinappmessaging.campaigns.list firebasemessagingcampaigns.campaigns.get firebasemessagingcampaigns.campaigns.list firebaseml.compressionjobs.get firebaseml.compressionjobs.list firebaseml.models.get firebaseml.models.list firebaseml.modelversions.get firebaseml.modelversions.list firebasenotifications.messages.get firebasenotifications.messages.list firebaseperformance.data.get firebaserules.releases.get firebaserules.releases.list firebaserules.rulesets.get firebaserules.rulesets.list firebasestorage.buckets.get firebasestorage.buckets.list logging.logEntries.list monitoring.timeSeries.list recommender.locations.* recommender.runServiceIdentityInsights.get recommender.runServiceIdentityInsights.list recommender.runServiceIdentityRecommendations.get recommender.runServiceIdentityRecommendations.list remotebuildexecution.blobs.get resourcemanager.projects.get resourcemanager.projects.getIamPolicy resourcemanager.projects.list run.configurations.* run.executions.get run.executions.list run.jobs.get run.jobs.getIamPolicy run.jobs.list run.locations.list run.operations.get run.operations.list run.revisions.get run.revisions.list run.routes.get run.routes.list run.services.get run.services.getIamPolicy run.services.list run.services.listEffectiveTags run.services.listTagBindings run.tasks.* serviceusage.operations.get serviceusage.operations.list serviceusage.quotas.get serviceusage.services.get serviceusage.services.list storage.buckets.get storage.buckets.getIamPolicy storage.buckets.list storage.objects.get storage.objects.getIamPolicy storage.objects.list

Firebase Products roles

Role	Permissions
Firebase Remote Config Admin (`roles/cloudconfig.admin`) Full access to Firebase Remote Config resources.	cloudconfig.* firebase.clients.get firebase.clients.list firebase.projects.get resourcemanager.projects.get resourcemanager.projects.list
Firebase Remote Config Viewer (`roles/cloudconfig.viewer`) Read access to Firebase Remote Config resources.	cloudconfig.configs.get firebase.clients.get firebase.clients.list firebase.projects.get resourcemanager.projects.get resourcemanager.projects.list
Firebase Test Lab Admin (`roles/cloudtestservice.testAdmin`) Full access to all Test Lab features	cloudtestservice.* cloudtoolresults.* firebase.billingPlans.get firebase.clients.get firebase.clients.list firebase.projects.get resourcemanager.projects.get resourcemanager.projects.list storage.buckets.create storage.buckets.get storage.buckets.update storage.objects.create storage.objects.delete storage.objects.get storage.objects.list
Firebase Test Lab Viewer (`roles/cloudtestservice.testViewer`) Read access to Test Lab features	cloudtestservice.environmentcatalog.get cloudtestservice.matrices.get cloudtoolresults.executions.get cloudtoolresults.executions.list cloudtoolresults.histories.get cloudtoolresults.histories.list cloudtoolresults.settings.get cloudtoolresults.steps.get cloudtoolresults.steps.list firebase.clients.get firebase.clients.list firebase.projects.get resourcemanager.projects.get resourcemanager.projects.list storage.objects.get storage.objects.list
Firebase A/B Testing Admin ^Beta (`roles/firebaseabt.admin`) Full read/write access to Firebase A/B Testing resources.	firebase.clients.get firebase.clients.list firebase.projects.get firebaseabt.* resourcemanager.projects.get resourcemanager.projects.list
Firebase A/B Testing Viewer ^Beta (`roles/firebaseabt.viewer`) Read-only access to Firebase A/B Testing resources.	firebase.clients.get firebase.clients.list firebase.projects.get firebaseabt.experimentresults.get firebaseabt.experiments.get firebaseabt.experiments.list firebaseabt.projectmetadata.get resourcemanager.projects.get resourcemanager.projects.list
Firebase App Check Admin (`roles/firebaseappcheck.admin`) Full management of Firebase App Check.	firebaseappcheck.*
Firebase App Check Viewer (`roles/firebaseappcheck.viewer`) Read-only access for Firebase App Check.	firebaseappcheck.appAttestConfig.get firebaseappcheck.debugTokens.get firebaseappcheck.deviceCheckConfig.get firebaseappcheck.playIntegrityConfig.get firebaseappcheck.recaptchaEnterpriseConfig.get firebaseappcheck.recaptchaV3Config.get firebaseappcheck.safetyNetConfig.get firebaseappcheck.services.get
Firebase App Distribution Admin (`roles/firebaseappdistro.admin`) Full read/write access to Firebase App Distribution resources.	firebase.clients.get firebase.clients.list firebase.projects.get firebaseappdistro.* resourcemanager.projects.get resourcemanager.projects.list
Firebase App Distribution Viewer (`roles/firebaseappdistro.viewer`) Read-only access to Firebase App Distribution resources.	firebase.clients.get firebase.clients.list firebase.projects.get firebaseappdistro.groups.list firebaseappdistro.releases.list firebaseappdistro.testers.list resourcemanager.projects.get resourcemanager.projects.list
Firebase Authentication Admin (`roles/firebaseauth.admin`) Full read/write access to Firebase Authentication resources.	firebase.clients.get firebase.clients.list firebase.projects.get firebaseauth.* resourcemanager.projects.get resourcemanager.projects.list
Firebase Authentication Viewer (`roles/firebaseauth.viewer`) Read-only access to Firebase Authentication resources.	firebase.clients.get firebase.clients.list firebase.projects.get firebaseauth.configs.get firebaseauth.users.get resourcemanager.projects.get resourcemanager.projects.list
Firebase Crashlytics Admin (`roles/firebasecrashlytics.admin`) Full read/write access to Firebase Crashlytics resources.	firebase.clients.get firebase.clients.list firebase.projects.get firebasecrashlytics.* resourcemanager.projects.get resourcemanager.projects.list
Firebase Crashlytics Viewer (`roles/firebasecrashlytics.viewer`) Read-only access to Firebase Crashlytics resources.	firebase.clients.get firebase.clients.list firebase.projects.get firebasecrashlytics.config.get firebasecrashlytics.data.get firebasecrashlytics.issues.get firebasecrashlytics.issues.list firebasecrashlytics.sessions.get resourcemanager.projects.get resourcemanager.projects.list
Firebase Realtime Database Admin (`roles/firebasedatabase.admin`) Full read/write access to Firebase Realtime Database resources.	firebase.clients.get firebase.clients.list firebase.projects.get firebasedatabase.* resourcemanager.projects.get resourcemanager.projects.list
Firebase Realtime Database Viewer (`roles/firebasedatabase.viewer`) Read-only access to Firebase Realtime Database resources.	firebase.clients.get firebase.clients.list firebase.projects.get firebasedatabase.instances.get firebasedatabase.instances.list resourcemanager.projects.get resourcemanager.projects.list
Firebase Dynamic Links Admin (`roles/firebasedynamiclinks.admin`) Full read/write access to Firebase Dynamic Links resources.	firebase.clients.get firebase.clients.list firebase.projects.get firebasedynamiclinks.* resourcemanager.projects.get resourcemanager.projects.list
Firebase Dynamic Links Viewer (`roles/firebasedynamiclinks.viewer`) Read-only access to Firebase Dynamic Links resources.	firebase.clients.get firebase.clients.list firebase.projects.get firebasedynamiclinks.destinations.list firebasedynamiclinks.domains.get firebasedynamiclinks.domains.list firebasedynamiclinks.links.get firebasedynamiclinks.links.list firebasedynamiclinks.stats.get resourcemanager.projects.get resourcemanager.projects.list
Firebase Hosting Admin (`roles/firebasehosting.admin`) Full read/write access to Firebase Hosting resources.	firebase.clients.get firebase.clients.list firebase.projects.get firebasehosting.* resourcemanager.projects.get resourcemanager.projects.list
Firebase Hosting Viewer (`roles/firebasehosting.viewer`) Read-only access to Firebase Hosting resources.	firebase.clients.get firebase.clients.list firebase.projects.get firebasehosting.sites.get firebasehosting.sites.list resourcemanager.projects.get resourcemanager.projects.list
Firebase In-App Messaging Admin ^Beta (`roles/firebaseinappmessaging.admin`) Full read/write access to Firebase In-App Messaging resources.	firebase.clients.get firebase.clients.list firebase.projects.get firebaseinappmessaging.* resourcemanager.projects.get resourcemanager.projects.list
Firebase In-App Messaging Viewer ^Beta (`roles/firebaseinappmessaging.viewer`) Read-only access to Firebase In-App Messaging resources.	firebase.clients.get firebase.clients.list firebase.projects.get firebaseinappmessaging.campaigns.get firebaseinappmessaging.campaigns.list resourcemanager.projects.get resourcemanager.projects.list
Firebase Messaging Campaigns Admin ^Beta (`roles/firebasemessagingcampaigns.admin`) Full management of Firebase Messaging Campaigns.	firebasemessagingcampaigns.*
Firebase Messaging Campaigns Viewer ^Beta (`roles/firebasemessagingcampaigns.viewer`) Read-only access for Firebase Messaging Campaigns.	firebasemessagingcampaigns.campaigns.get firebasemessagingcampaigns.campaigns.list
Firebase ML Kit Admin ^Beta (`roles/firebaseml.admin`) Full read/write access to Firebase ML Kit resources.	firebase.clients.get firebase.clients.list firebase.projects.get firebaseml.* resourcemanager.projects.get resourcemanager.projects.list
Firebase ML Kit Viewer ^Beta (`roles/firebaseml.viewer`) Read-only access to Firebase ML Kit resources.	firebase.clients.get firebase.clients.list firebase.projects.get firebaseml.compressionjobs.get firebaseml.compressionjobs.list firebaseml.models.get firebaseml.models.list firebaseml.modelversions.get firebaseml.modelversions.list resourcemanager.projects.get resourcemanager.projects.list
Firebase Cloud Messaging Admin (`roles/firebasenotifications.admin`) Full read/write access to Firebase Cloud Messaging resources.	fcmdata.deliverydata.list firebase.clients.get firebase.clients.list firebase.projects.get firebasenotifications.* resourcemanager.projects.get resourcemanager.projects.list
Firebase Cloud Messaging Viewer (`roles/firebasenotifications.viewer`) Read-only access to Firebase Cloud Messaging resources.	fcmdata.deliverydata.list firebase.clients.get firebase.clients.list firebase.projects.get firebasenotifications.messages.get firebasenotifications.messages.list resourcemanager.projects.get resourcemanager.projects.list
Firebase Performance Reporting Admin (`roles/firebaseperformance.admin`) Full access to firebaseperformance resources.	firebase.clients.get firebase.clients.list firebase.projects.get firebaseperformance.* resourcemanager.projects.get resourcemanager.projects.list
Firebase Performance Reporting Viewer (`roles/firebaseperformance.viewer`) Read-only access to firebaseperformance resources.	firebase.clients.get firebase.clients.list firebase.projects.get firebaseperformance.data.get resourcemanager.projects.get resourcemanager.projects.list
Firebase Rules Admin (`roles/firebaserules.admin`) Full management of Firebase Rules.	firebaserules.* resourcemanager.projects.get resourcemanager.projects.list
Firebase Rules Viewer (`roles/firebaserules.viewer`) Read-only access on all resources with the ability to test Rulesets.	firebaserules.releases.get firebaserules.releases.list firebaserules.rulesets.get firebaserules.rulesets.list resourcemanager.projects.get resourcemanager.projects.list
Cloud Storage for Firebase Admin ^Beta (`roles/firebasestorage.admin`) Full management of Cloud Storage for Firebase.	firebase.clients.get firebase.clients.list firebase.projects.get firebasestorage.* resourcemanager.projects.get resourcemanager.projects.list
Cloud Storage for Firebase Viewer ^Beta (`roles/firebasestorage.viewer`) Read-only access for Cloud Storage for Firebase.	firebasestorage.buckets.get firebasestorage.buckets.list resourcemanager.projects.get resourcemanager.projects.list

Fleet Engine roles

Role	Permissions
Fleet Engine Consumer SDK User (`roles/fleetengine.consumerSdkUser`) Limited read access to Fleet Engine resources	fleetengine.trips.get fleetengine.vehicles.get fleetengine.vehicles.search fleetengine.vehicles.searchFuzzed
Fleet Engine Delivery Consumer User (`roles/fleetengine.deliveryConsumer`) Limited read access to Fleet Engine Delivery resources	fleetengine.tasks.searchWithTrackingId
Fleet Engine Delivery Fleet Reader User (`roles/fleetengine.deliveryFleetReader`) Grants read access to all Fleet Engine Delivery resources	fleetengine.deliveryvehicles.get fleetengine.deliveryvehicles.list fleetengine.tasks.get fleetengine.tasks.list fleetengine.tasks.searchWithTrackingId
Fleet Engine Delivery Super User (`roles/fleetengine.deliverySuperUser`) Full access to Fleet Engine DeliveryVehicles and Tasks resources.	fleetengine.deliveryvehicles.* fleetengine.tasks.* resourcemanager.projects.get resourcemanager.projects.list
Fleet Engine Delivery Trusted Driver User (`roles/fleetengine.deliveryTrustedDriver`) Read and write access to Fleet Engine Delivery resources	fleetengine.deliveryvehicles.create fleetengine.deliveryvehicles.get fleetengine.deliveryvehicles.update fleetengine.deliveryvehicles.updateLocation fleetengine.deliveryvehicles.updateVehicleStops fleetengine.tasks.create fleetengine.tasks.update
Fleet Engine Delivery Untrusted Driver User (`roles/fleetengine.deliveryUntrustedDriver`) Limited write access to Fleet Engine Delivery Vehicle resources	fleetengine.deliveryvehicles.get fleetengine.deliveryvehicles.updateLocation
Fleet Engine Driver SDK User (`roles/fleetengine.driverSdkUser`) Read and limited update access to Fleet Engine resources	fleetengine.trips.get fleetengine.trips.search fleetengine.trips.update fleetengine.vehicles.get fleetengine.vehicles.updateLocation
Fleet Engine Service Super User (`roles/fleetengine.serviceSuperUser`) Full access to all Fleet Engine resources.	fleetengine.* resourcemanager.projects.get resourcemanager.projects.list

Genomics roles

Role	Permissions
Genomics Admin (`roles/genomics.admin`) Full access to genomics datasets and operations.	genomics.*
Genomics Editor (`roles/genomics.editor`) Access to read and edit genomics datasets and operations.	genomics.datasets.create genomics.datasets.delete genomics.datasets.get genomics.datasets.list genomics.datasets.update genomics.operations.*
Genomics Pipelines Runner (`roles/genomics.pipelinesRunner`) Full access to operate on genomics pipelines.	genomics.operations.*
Genomics Viewer (`roles/genomics.viewer`) Access to view genomics datasets and operations.	genomics.datasets.get genomics.datasets.list genomics.operations.get genomics.operations.list

GKE Hub roles

Role	Permissions
GKE Hub Admin (`roles/gkehub.admin`) Full access to GKE Hub resources.	gkehub.features.* gkehub.fleet.* gkehub.locations.* gkehub.memberships.* gkehub.operations.* resourcemanager.projects.get resourcemanager.projects.list
GKE Connect Agent (`roles/gkehub.connect`) Ability to set up GKE Connect between external clusters and Google.	gkehub.endpoints.connect
GKE Hub Editor (`roles/gkehub.editor`) Edit access to GKE Hub resources.	gkehub.features.create gkehub.features.delete gkehub.features.get gkehub.features.getIamPolicy gkehub.features.list gkehub.features.update gkehub.fleet.* gkehub.locations.* gkehub.memberships.create gkehub.memberships.delete gkehub.memberships.generateConnectManifest gkehub.memberships.get gkehub.memberships.getIamPolicy gkehub.memberships.list gkehub.memberships.update gkehub.operations.* resourcemanager.projects.get resourcemanager.projects.list
Connect Gateway Admin (`roles/gkehub.gatewayAdmin`) Full access to Connect Gateway.	gkehub.gateway.* serviceusage.services.get
Connect Gateway Editor (`roles/gkehub.gatewayEditor`) Edit access to Connect Gateway.	gkehub.gateway.delete gkehub.gateway.get gkehub.gateway.patch gkehub.gateway.post gkehub.gateway.put serviceusage.services.get
Connect Gateway Reader (`roles/gkehub.gatewayReader`) Read-only access to Connect Gateway.	gkehub.gateway.get serviceusage.services.get
GKE Hub Viewer (`roles/gkehub.viewer`) Read-only access to GKE Hubs and related resources.	gkehub.features.get gkehub.features.getIamPolicy gkehub.features.list gkehub.fleet.get gkehub.locations.* gkehub.memberships.generateConnectManifest gkehub.memberships.get gkehub.memberships.getIamPolicy gkehub.memberships.list gkehub.operations.get gkehub.operations.list resourcemanager.projects.get resourcemanager.projects.list

GKE on-prem roles

Role Permissions

GKE on-prem Admin
(roles/gkeonprem.admin)

Full access to GKE on-prem all resources.

gkeonprem.*
resourcemanager.projects.get
resourcemanager.projects.list

GKE on-prem Viewer
(roles/gkeonprem.viewer)

Read-only access to GKE on-prem all resources.

gkeonprem.bareMetalClusters.get
gkeonprem.bareMetalClusters.getIamPolicy
gkeonprem.bareMetalClusters.list
gkeonprem.bareMetalNodePools.get
gkeonprem.bareMetalNodePools.getIamPolicy
gkeonprem.bareMetalNodePools.list
gkeonprem.locations.*
gkeonprem.operations.get
gkeonprem.operations.list
gkeonprem.vmwareClusters.get
gkeonprem.vmwareClusters.getIamPolicy
gkeonprem.vmwareClusters.list
gkeonprem.vmwareNodePools.get
gkeonprem.vmwareNodePools.getIamPolicy
gkeonprem.vmwareNodePools.list
resourcemanager.projects.get
resourcemanager.projects.list

Google Workspace Add-ons roles

Role	Permissions
Google Workspace Add-ons Developer (`roles/gsuiteaddons.developer`) Full access to Google Workspace Add-ons resources	gsuiteaddons.* resourcemanager.projects.get resourcemanager.projects.list
Google Workspace Add-ons Reader (`roles/gsuiteaddons.reader`) Read-only access to Google Workspace Add-ons resources	gsuiteaddons.authorizations.get gsuiteaddons.deployments.get gsuiteaddons.deployments.list resourcemanager.projects.get resourcemanager.projects.list
Google Workspace Add-ons Tester (`roles/gsuiteaddons.tester`) Testing execution access to Google Workspace Add-ons resources	gsuiteaddons.deployments.execute gsuiteaddons.deployments.install gsuiteaddons.deployments.installStatus gsuiteaddons.deployments.uninstall resourcemanager.projects.get resourcemanager.projects.list

Hangouts Chat roles

Role	Permissions
Chat Bots Owner (`roles/chat.owner`) Can view and modify bot configurations	chat.*
Chat Bots Viewer (`roles/chat.reader`) Can view bot configurations	chat.bots.get

IAM roles

Role	Permissions
Deny Admin ^Beta (`roles/iam.denyAdmin`) Deny admin role, with permissions to read and modify deny policies Lowest-level resources where you can grant this role: Organization	iam.denypolicies.*
Deny Reviewer ^Beta (`roles/iam.denyReviewer`) Deny Reviewer role, with permissions to read deny policies Lowest-level resources where you can grant this role: Organization	iam.denypolicies.get iam.denypolicies.list
Security Admin (`roles/iam.securityAdmin`) Security admin role, with permissions to get and set any IAM policy.	accessapproval.requests.list accesscontextmanager.accessLevels.list accesscontextmanager.accessPolicies.getIamPolicy accesscontextmanager.accessPolicies.list accesscontextmanager.accessPolicies.setIamPolicy accesscontextmanager.accessZones.list accesscontextmanager.gcpUserAccessBindings.list accesscontextmanager.policies.getIamPolicy accesscontextmanager.policies.list accesscontextmanager.policies.setIamPolicy accesscontextmanager.servicePerimeters.list actions.agentVersions.list advisorynotifications.notifications.list aiplatform.annotationSpecs.list aiplatform.annotations.list aiplatform.artifacts.list aiplatform.batchPredictionJobs.list aiplatform.contexts.list aiplatform.customJobs.list aiplatform.dataItems.list aiplatform.dataLabelingJobs.list aiplatform.datasets.list aiplatform.deploymentResourcePools.list aiplatform.edgeDeploymentJobs.list aiplatform.edgeDevices.list aiplatform.endpoints.list aiplatform.entityTypes.getIamPolicy aiplatform.entityTypes.list aiplatform.entityTypes.setIamPolicy aiplatform.executions.list aiplatform.features.list aiplatform.featurestores.getIamPolicy aiplatform.featurestores.list aiplatform.featurestores.setIamPolicy aiplatform.humanInTheLoops.list aiplatform.hyperparameterTuningJobs.list aiplatform.indexEndpoints.list aiplatform.indexes.list aiplatform.locations.list aiplatform.metadataSchemas.list aiplatform.metadataStores.list aiplatform.modelDeploymentMonitoringJobs.list aiplatform.modelEvaluationSlices.list aiplatform.modelEvaluations.list aiplatform.models.list aiplatform.nasJobs.list aiplatform.operations.list aiplatform.pipelineJobs.list aiplatform.specialistPools.list aiplatform.studies.list aiplatform.tensorboardExperiments.list aiplatform.tensorboardRuns.list aiplatform.tensorboardTimeSeries.list aiplatform.tensorboards.list aiplatform.trainingPipelines.list aiplatform.trials.list alloydb.backups.list alloydb.clusters.list alloydb.instances.list alloydb.locations.list alloydb.operations.list alloydb.supportedDatabaseFlags.list analyticshub.dataExchanges.getIamPolicy analyticshub.dataExchanges.list analyticshub.dataExchanges.setIamPolicy analyticshub.listings.getIamPolicy analyticshub.listings.list analyticshub.listings.setIamPolicy apigateway.apiconfigs.getIamPolicy apigateway.apiconfigs.list apigateway.apiconfigs.setIamPolicy apigateway.apis.getIamPolicy apigateway.apis.list apigateway.apis.setIamPolicy apigateway.gateways.getIamPolicy apigateway.gateways.list apigateway.gateways.setIamPolicy apigateway.locations.list apigateway.operations.list apigee.apiproductattributes.list apigee.apiproducts.list apigee.apps.list apigee.archivedeployments.list apigee.caches.list apigee.datacollectors.list apigee.datastores.list apigee.deployments.list apigee.developerappattributes.list apigee.developerapps.list apigee.developerattributes.list apigee.developers.list apigee.developersubscriptions.list apigee.envgroupattachments.list apigee.envgroups.list apigee.environments.getIamPolicy apigee.environments.list apigee.environments.setIamPolicy apigee.exports.list apigee.flowhooks.list apigee.hostqueries.list apigee.hostsecurityreports.list apigee.instanceattachments.list apigee.instances.list apigee.keystorealiases.list apigee.keystores.list apigee.keyvaluemapentries.list apigee.keyvaluemaps.list apigee.operations.list apigee.organizations.list apigee.portals.list apigee.proxies.list apigee.proxyrevisions.list apigee.queries.list apigee.rateplans.list apigee.references.list apigee.reports.list apigee.resourcefiles.list apigee.securityProfiles.list apigee.securityreports.list apigee.sharedflowrevisions.list apigee.sharedflows.list apigee.targetservers.list apigee.tracesessions.list apigeeconnect.connections.list apigeeregistry.apis.getIamPolicy apigeeregistry.apis.list apigeeregistry.apis.setIamPolicy apigeeregistry.artifacts.getIamPolicy apigeeregistry.artifacts.list apigeeregistry.artifacts.setIamPolicy apigeeregistry.deployments.list apigeeregistry.locations.list apigeeregistry.operations.list apigeeregistry.specs.getIamPolicy apigeeregistry.specs.list apigeeregistry.specs.setIamPolicy apigeeregistry.versions.getIamPolicy apigeeregistry.versions.list apigeeregistry.versions.setIamPolicy apikeys.keys.list appengine.instances.list appengine.memcache.list appengine.operations.list appengine.services.list appengine.versions.list artifactregistry.dockerimages.list artifactregistry.files.list artifactregistry.locations.list artifactregistry.mavenartifacts.list artifactregistry.npmpackages.list artifactregistry.packages.list artifactregistry.pythonpackages.list artifactregistry.repositories.getIamPolicy artifactregistry.repositories.list artifactregistry.repositories.setIamPolicy artifactregistry.tags.list artifactregistry.versions.list assuredworkloads.operations.list assuredworkloads.violations.list assuredworkloads.workload.list automl.annotationSpecs.list automl.annotations.list automl.columnSpecs.list automl.datasets.getIamPolicy automl.datasets.list automl.datasets.setIamPolicy automl.examples.list automl.files.list automl.humanAnnotationTasks.list automl.locations.getIamPolicy automl.locations.list automl.locations.setIamPolicy automl.modelEvaluations.list automl.models.getIamPolicy automl.models.list automl.models.setIamPolicy automl.operations.list automl.tableSpecs.list automlrecommendations.apiKeys.list automlrecommendations.catalogItems.list automlrecommendations.catalogs.list automlrecommendations.events.list automlrecommendations.placements.list automlrecommendations.recommendations.list autoscaling.sites.getIamPolicy autoscaling.sites.setIamPolicy backupdr.locations.list backupdr.managementServers.getIamPolicy backupdr.managementServers.list backupdr.managementServers.setIamPolicy backupdr.operations.list baremetalsolution.instancequotas.list baremetalsolution.instances.list baremetalsolution.luns.list baremetalsolution.networkquotas.list baremetalsolution.networks.list baremetalsolution.nfsshares.list baremetalsolution.snapshotschedulepolicies.list baremetalsolution.volumequotas.list baremetalsolution.volumes.list baremetalsolution.volumesnapshots.list batch.jobs.list batch.locations.list batch.operations.list batch.tasks.list beyondcorp.appConnections.getIamPolicy beyondcorp.appConnections.list beyondcorp.appConnections.setIamPolicy beyondcorp.appConnectors.getIamPolicy beyondcorp.appConnectors.list beyondcorp.appConnectors.setIamPolicy beyondcorp.appGateways.getIamPolicy beyondcorp.appGateways.list beyondcorp.appGateways.setIamPolicy beyondcorp.clientConnectorServices.getIamPolicy beyondcorp.clientConnectorServices.list beyondcorp.clientConnectorServices.setIamPolicy beyondcorp.clientGateways.getIamPolicy beyondcorp.clientGateways.list beyondcorp.clientGateways.setIamPolicy beyondcorp.locations.list beyondcorp.operations.list bigquery.capacityCommitments.list bigquery.connections.getIamPolicy bigquery.connections.list bigquery.connections.setIamPolicy bigquery.dataPolicies.getIamPolicy bigquery.dataPolicies.list bigquery.dataPolicies.setIamPolicy bigquery.datasets.getIamPolicy bigquery.datasets.setIamPolicy bigquery.jobs.list bigquery.models.list bigquery.reservationAssignments.list bigquery.reservations.list bigquery.routines.list bigquery.rowAccessPolicies.getIamPolicy bigquery.rowAccessPolicies.list bigquery.rowAccessPolicies.setIamPolicy bigquery.savedqueries.list bigquery.tables.getIamPolicy bigquery.tables.list bigquery.tables.setIamPolicy bigquerymigration.locations.list bigquerymigration.subtasks.list bigquerymigration.workflows.list bigtable.appProfiles.list bigtable.backups.getIamPolicy bigtable.backups.list bigtable.backups.setIamPolicy bigtable.clusters.list bigtable.instances.getIamPolicy bigtable.instances.list bigtable.instances.setIamPolicy bigtable.keyvisualizer.list bigtable.locations.list bigtable.tables.getIamPolicy bigtable.tables.list bigtable.tables.setIamPolicy billing.accounts.getIamPolicy billing.accounts.list billing.accounts.setIamPolicy billing.budgets.list billing.credits.list billing.resourceAssociations.list billing.subscriptions.list binaryauthorization.attestors.getIamPolicy binaryauthorization.attestors.list binaryauthorization.attestors.setIamPolicy binaryauthorization.continuousValidationConfig.getIamPolicy binaryauthorization.continuousValidationConfig.setIamPolicy binaryauthorization.platformPolicies.list binaryauthorization.policy.getIamPolicy binaryauthorization.policy.setIamPolicy carestudio.patients.list certificatemanager.certmapentries.getIamPolicy certificatemanager.certmapentries.list certificatemanager.certmapentries.setIamPolicy certificatemanager.certmaps.getIamPolicy certificatemanager.certmaps.list certificatemanager.certmaps.setIamPolicy certificatemanager.certs.getIamPolicy certificatemanager.certs.list certificatemanager.certs.setIamPolicy certificatemanager.dnsauthorizations.getIamPolicy certificatemanager.dnsauthorizations.list certificatemanager.dnsauthorizations.setIamPolicy certificatemanager.locations.list certificatemanager.operations.list clientauthconfig.brands.list clientauthconfig.clients.list cloudasset.assets.searchAllResources cloudasset.feeds.list cloudasset.savedqueries.list cloudbuild.builds.list cloudbuild.integrations.list cloudbuild.workerpools.list clouddebugger.breakpoints.list clouddebugger.debuggees.list clouddeploy.deliveryPipelines.getIamPolicy clouddeploy.deliveryPipelines.list clouddeploy.deliveryPipelines.setIamPolicy clouddeploy.jobRuns.list clouddeploy.locations.list clouddeploy.operations.list clouddeploy.releases.list clouddeploy.rollouts.list clouddeploy.targets.getIamPolicy clouddeploy.targets.list clouddeploy.targets.setIamPolicy cloudfunctions.functions.getIamPolicy cloudfunctions.functions.list cloudfunctions.functions.setIamPolicy cloudfunctions.locations.list cloudfunctions.operations.list cloudfunctions.runtimes.list cloudiot.devices.list cloudiot.registries.getIamPolicy cloudiot.registries.list cloudiot.registries.setIamPolicy cloudjobdiscovery.companies.list cloudkms.cryptoKeyVersions.list cloudkms.cryptoKeys.getIamPolicy cloudkms.cryptoKeys.list cloudkms.cryptoKeys.setIamPolicy cloudkms.ekmConnections.getIamPolicy cloudkms.ekmConnections.list cloudkms.ekmConnections.setIamPolicy cloudkms.importJobs.getIamPolicy cloudkms.importJobs.list cloudkms.importJobs.setIamPolicy cloudkms.keyRings.getIamPolicy cloudkms.keyRings.list cloudkms.keyRings.setIamPolicy cloudkms.locations.list cloudnotifications.activities.list cloudonefs.isiloncloud.com/clusters.list cloudonefs.isiloncloud.com/fileshares.list cloudprivatecatalogproducer.associations.list cloudprivatecatalogproducer.catalogAssociations.list cloudprivatecatalogproducer.catalogs.getIamPolicy cloudprivatecatalogproducer.catalogs.list cloudprivatecatalogproducer.catalogs.setIamPolicy cloudprivatecatalogproducer.producerCatalogs.getIamPolicy cloudprivatecatalogproducer.producerCatalogs.list cloudprivatecatalogproducer.producerCatalogs.setIamPolicy cloudprivatecatalogproducer.products.getIamPolicy cloudprivatecatalogproducer.products.list cloudprivatecatalogproducer.products.setIamPolicy cloudprofiler.profiles.list cloudscheduler.jobs.list cloudscheduler.locations.list cloudsecurityscanner.crawledurls.list cloudsecurityscanner.results.list cloudsecurityscanner.scanruns.list cloudsecurityscanner.scans.list cloudsql.backupRuns.list cloudsql.databases.list cloudsql.instances.list cloudsql.sslCerts.list cloudsql.users.list cloudsupport.accounts.getIamPolicy cloudsupport.accounts.list cloudsupport.accounts.setIamPolicy cloudsupport.techCases.list cloudtasks.locations.list cloudtasks.queues.getIamPolicy cloudtasks.queues.list cloudtasks.queues.setIamPolicy cloudtasks.tasks.list cloudtoolresults.executions.list cloudtoolresults.histories.list cloudtoolresults.steps.list cloudtrace.insights.list cloudtrace.tasks.list cloudtrace.traces.list cloudtranslate.glossaries.list cloudtranslate.glossaryentries.list cloudtranslate.locations.list cloudtranslate.operations.list cloudvolumesgcp-api.netapp.com/activeDirectories.list cloudvolumesgcp-api.netapp.com/ipRanges.list cloudvolumesgcp-api.netapp.com/jobs.list cloudvolumesgcp-api.netapp.com/regions.list cloudvolumesgcp-api.netapp.com/serviceLevels.list cloudvolumesgcp-api.netapp.com/snapshots.list cloudvolumesgcp-api.netapp.com/volumes.list commerceprice.privateoffers.list composer.dags.list composer.environments.list composer.imageversions.list composer.operations.list compute.acceleratorTypes.list compute.addresses.list compute.autoscalers.list compute.backendBuckets.list compute.backendServices.getIamPolicy compute.backendServices.list compute.backendServices.setIamPolicy compute.commitments.list compute.diskTypes.list compute.disks.getIamPolicy compute.disks.list compute.disks.setIamPolicy compute.externalVpnGateways.list compute.firewallPolicies.getIamPolicy compute.firewallPolicies.list compute.firewallPolicies.setIamPolicy compute.firewalls.list compute.forwardingRules.list compute.globalAddresses.list compute.globalForwardingRules.list compute.globalNetworkEndpointGroups.list compute.globalOperations.getIamPolicy compute.globalOperations.list compute.globalOperations.setIamPolicy compute.globalPublicDelegatedPrefixes.list compute.healthChecks.list compute.httpHealthChecks.list compute.httpsHealthChecks.list compute.images.getIamPolicy compute.images.list compute.images.setIamPolicy compute.instanceGroupManagers.list compute.instanceGroups.list compute.instanceTemplates.getIamPolicy compute.instanceTemplates.list compute.instanceTemplates.setIamPolicy compute.instances.getIamPolicy compute.instances.list compute.instances.setIamPolicy compute.interconnectAttachments.list compute.interconnectLocations.list compute.interconnects.list compute.licenseCodes.getIamPolicy compute.licenseCodes.list compute.licenseCodes.setIamPolicy compute.licenses.getIamPolicy compute.licenses.list compute.licenses.setIamPolicy compute.machineImages.getIamPolicy compute.machineImages.list compute.machineImages.setIamPolicy compute.machineTypes.list compute.maintenancePolicies.getIamPolicy compute.maintenancePolicies.list compute.maintenancePolicies.setIamPolicy compute.networkEndpointGroups.getIamPolicy compute.networkEndpointGroups.list compute.networkEndpointGroups.setIamPolicy compute.networks.list compute.nodeGroups.getIamPolicy compute.nodeGroups.list compute.nodeGroups.setIamPolicy compute.nodeTemplates.getIamPolicy compute.nodeTemplates.list compute.nodeTemplates.setIamPolicy compute.nodeTypes.list compute.packetMirrorings.list compute.publicAdvertisedPrefixes.list compute.publicDelegatedPrefixes.list compute.regionBackendServices.getIamPolicy compute.regionBackendServices.list compute.regionBackendServices.setIamPolicy compute.regionFirewallPolicies.getIamPolicy compute.regionFirewallPolicies.list compute.regionFirewallPolicies.setIamPolicy compute.regionHealthCheckServices.list compute.regionHealthChecks.list compute.regionNetworkEndpointGroups.list compute.regionNotificationEndpoints.list compute.regionOperations.getIamPolicy compute.regionOperations.list compute.regionOperations.setIamPolicy compute.regionSslCertificates.list compute.regionTargetHttpProxies.list compute.regionTargetHttpsProxies.list compute.regionUrlMaps.list compute.regions.list compute.reservations.list compute.resourcePolicies.list compute.routers.list compute.routes.list compute.securityPolicies.getIamPolicy compute.securityPolicies.list compute.securityPolicies.setIamPolicy compute.serviceAttachments.list compute.snapshots.getIamPolicy compute.snapshots.list compute.snapshots.setIamPolicy compute.sslCertificates.list compute.sslPolicies.list compute.subnetworks.getIamPolicy compute.subnetworks.list compute.subnetworks.setIamPolicy compute.targetGrpcProxies.list compute.targetHttpProxies.list compute.targetHttpsProxies.list compute.targetInstances.list compute.targetPools.list compute.targetSslProxies.list compute.targetTcpProxies.list compute.targetVpnGateways.list compute.urlMaps.list compute.vpnGateways.list compute.vpnTunnels.list compute.zoneOperations.getIamPolicy compute.zoneOperations.list compute.zoneOperations.setIamPolicy compute.zones.list connectors.actions.list connectors.connections.getIamPolicy connectors.connections.list connectors.connections.setIamPolicy connectors.connectors.list connectors.entities.list connectors.entityTypes.list connectors.locations.list connectors.operations.list connectors.providers.list connectors.versions.list consumerprocurement.accounts.list consumerprocurement.consents.list consumerprocurement.entitlements.list consumerprocurement.freeTrials.list consumerprocurement.orderAttributions.list consumerprocurement.orders.list contactcenteraiplatform.contactCenters.list contactcenteraiplatform.locations.list contactcenteraiplatform.operations.list contactcenterinsights.analyses.list contactcenterinsights.conversations.list contactcenterinsights.issueModels.list contactcenterinsights.issues.list contactcenterinsights.operations.list contactcenterinsights.phraseMatchers.list container.apiServices.list container.auditSinks.list container.backendConfigs.list container.bindings.list container.certificateSigningRequests.list container.clusterRoleBindings.list container.clusterRoles.list container.clusters.list container.componentStatuses.list container.configMaps.list container.controllerRevisions.list container.cronJobs.list container.csiDrivers.list container.csiNodeInfos.list container.csiNodes.list container.customResourceDefinitions.list container.daemonSets.list container.deployments.list container.endpointSlices.list container.endpoints.list container.events.list container.frontendConfigs.list container.horizontalPodAutoscalers.list container.ingresses.list container.initializerConfigurations.list container.jobs.list container.leases.list container.limitRanges.list container.localSubjectAccessReviews.list container.managedCertificates.list container.mutatingWebhookConfigurations.list container.namespaces.list container.networkPolicies.list container.nodes.list container.operations.list container.persistentVolumeClaims.list container.persistentVolumes.list container.petSets.list container.podDisruptionBudgets.list container.podPresets.list container.podSecurityPolicies.list container.podTemplates.list container.pods.list container.priorityClasses.list container.replicaSets.list container.replicationControllers.list container.resourceQuotas.list container.roleBindings.list container.roles.list container.runtimeClasses.list container.scheduledJobs.list container.selfSubjectAccessReviews.list container.serviceAccounts.list container.services.list container.statefulSets.list container.storageClasses.list container.storageStates.list container.storageVersionMigrations.list container.subjectAccessReviews.list container.thirdPartyObjects.list container.thirdPartyResources.list container.updateInfos.list container.validatingWebhookConfigurations.list container.volumeAttachments.list container.volumeSnapshotClasses.list container.volumeSnapshotContents.list container.volumeSnapshots.list containeranalysis.notes.getIamPolicy containeranalysis.notes.list containeranalysis.notes.setIamPolicy containeranalysis.occurrences.getIamPolicy containeranalysis.occurrences.list containeranalysis.occurrences.setIamPolicy containersecurity.clusterSummaries.list containersecurity.locations.list containersecurity.workloadConfigAudits.list contentwarehouse.documentSchemas.list contentwarehouse.documents.getIamPolicy contentwarehouse.documents.setIamPolicy contentwarehouse.ruleSets.list contentwarehouse.synonymSets.list datacatalog.categories.getIamPolicy datacatalog.categories.setIamPolicy datacatalog.entries.getIamPolicy datacatalog.entries.list datacatalog.entries.setIamPolicy datacatalog.entryGroups.getIamPolicy datacatalog.entryGroups.list datacatalog.entryGroups.setIamPolicy datacatalog.tagTemplates.getIamPolicy datacatalog.tagTemplates.setIamPolicy datacatalog.taxonomies.getIamPolicy datacatalog.taxonomies.list datacatalog.taxonomies.setIamPolicy dataconnectors.connectors.getIamPolicy dataconnectors.connectors.list dataconnectors.connectors.setIamPolicy dataconnectors.locations.list dataconnectors.operations.list dataflow.jobs.list dataflow.messages.list dataflow.snapshots.list dataform.compilationResults.list dataform.locations.list dataform.repositories.list dataform.workflowInvocations.list dataform.workspaces.list datafusion.instances.getIamPolicy datafusion.instances.list datafusion.instances.setIamPolicy datafusion.locations.list datafusion.operations.list datalabeling.annotateddatasets.list datalabeling.annotationspecsets.list datalabeling.dataitems.list datalabeling.datasets.list datalabeling.examples.list datalabeling.instructions.list datalabeling.operations.list datamigration.connectionprofiles.getIamPolicy datamigration.connectionprofiles.list datamigration.connectionprofiles.setIamPolicy datamigration.locations.list datamigration.migrationjobs.getIamPolicy datamigration.migrationjobs.list datamigration.migrationjobs.setIamPolicy datamigration.operations.list datapipelines.jobs.list datapipelines.pipelines.list dataplex.assetActions.list dataplex.assets.getIamPolicy dataplex.assets.list dataplex.assets.setIamPolicy dataplex.content.getIamPolicy dataplex.content.list dataplex.content.setIamPolicy dataplex.entities.list dataplex.environments.getIamPolicy dataplex.environments.list dataplex.environments.setIamPolicy dataplex.lakeActions.list dataplex.lakes.getIamPolicy dataplex.lakes.list dataplex.lakes.setIamPolicy dataplex.locations.list dataplex.operations.list dataplex.partitions.list dataplex.tasks.getIamPolicy dataplex.tasks.list dataplex.tasks.setIamPolicy dataplex.zoneActions.list dataplex.zones.getIamPolicy dataplex.zones.list dataplex.zones.setIamPolicy dataproc.agents.list dataproc.autoscalingPolicies.getIamPolicy dataproc.autoscalingPolicies.list dataproc.autoscalingPolicies.setIamPolicy dataproc.batches.list dataproc.clusters.getIamPolicy dataproc.clusters.list dataproc.clusters.setIamPolicy dataproc.jobs.getIamPolicy dataproc.jobs.list dataproc.jobs.setIamPolicy dataproc.operations.getIamPolicy dataproc.operations.list dataproc.operations.setIamPolicy dataproc.workflowTemplates.getIamPolicy dataproc.workflowTemplates.list dataproc.workflowTemplates.setIamPolicy dataprocessing.datasources.list dataprocessing.featurecontrols.list dataprocessing.groupcontrols.list datastore.databases.list datastore.entities.list datastore.indexes.list datastore.keyVisualizerScans.list datastore.locations.list datastore.namespaces.list datastore.operations.list datastore.statistics.list datastream.connectionProfiles.getIamPolicy datastream.connectionProfiles.list datastream.connectionProfiles.setIamPolicy datastream.locations.list datastream.objects.list datastream.operations.list datastream.privateConnections.getIamPolicy datastream.privateConnections.list datastream.privateConnections.setIamPolicy datastream.routes.getIamPolicy datastream.routes.list datastream.routes.setIamPolicy datastream.streams.getIamPolicy datastream.streams.list datastream.streams.setIamPolicy deploymentmanager.compositeTypes.list deploymentmanager.deployments.getIamPolicy deploymentmanager.deployments.list deploymentmanager.deployments.setIamPolicy deploymentmanager.manifests.list deploymentmanager.operations.list deploymentmanager.resources.list deploymentmanager.typeProviders.list deploymentmanager.types.list dialogflow.agents.list dialogflow.answerrecords.list dialogflow.callMatchers.list dialogflow.changelogs.list dialogflow.contexts.list dialogflow.conversationDatasets.list dialogflow.conversationModels.list dialogflow.conversationProfiles.list dialogflow.conversations.list dialogflow.documents.list dialogflow.entityTypes.list dialogflow.environments.list dialogflow.flows.list dialogflow.integrations.list dialogflow.intents.list dialogflow.knowledgeBases.list dialogflow.messages.list dialogflow.modelEvaluations.list dialogflow.pages.list dialogflow.participants.list dialogflow.phoneNumberOrders.list dialogflow.phoneNumbers.list dialogflow.securitySettings.list dialogflow.sessionEntityTypes.list dialogflow.smartMessagingEntries.list dialogflow.transitionRouteGroups.list dialogflow.versions.list dialogflow.webhooks.list dlp.analyzeRiskTemplates.list dlp.columnDataProfiles.list dlp.deidentifyTemplates.list dlp.estimates.list dlp.inspectFindings.list dlp.inspectTemplates.list dlp.jobTriggers.list dlp.jobs.list dlp.locations.list dlp.projectDataProfiles.list dlp.storedInfoTypes.list dlp.tableDataProfiles.list dns.changes.list dns.dnsKeys.list dns.managedZoneOperations.list dns.managedZones.getIamPolicy dns.managedZones.list dns.managedZones.setIamPolicy dns.policies.getIamPolicy dns.policies.list dns.policies.setIamPolicy dns.resourceRecordSets.list dns.responsePolicies.list dns.responsePolicyRules.list documentai.dataLabelingJobs.list documentai.evaluations.list documentai.labelerPools.list documentai.locations.list documentai.processorTypes.list documentai.processorVersions.list documentai.processors.list domains.locations.list domains.operations.list domains.registrations.getIamPolicy domains.registrations.list domains.registrations.setIamPolicy earlyaccesscenter.campaigns.list earlyaccesscenter.customerAllowlists.list earthengine.assets.getIamPolicy earthengine.assets.list earthengine.assets.setIamPolicy earthengine.operations.list edgecontainer.clusters.getIamPolicy edgecontainer.clusters.list edgecontainer.clusters.setIamPolicy edgecontainer.locations.list edgecontainer.machines.getIamPolicy edgecontainer.machines.list edgecontainer.machines.setIamPolicy edgecontainer.nodePools.getIamPolicy edgecontainer.nodePools.list edgecontainer.nodePools.setIamPolicy edgecontainer.operations.list edgecontainer.vpnConnections.getIamPolicy edgecontainer.vpnConnections.list edgecontainer.vpnConnections.setIamPolicy errorreporting.applications.list errorreporting.errorEvents.list errorreporting.groups.list essentialcontacts.contacts.list eventarc.channelConnections.getIamPolicy eventarc.channelConnections.list eventarc.channelConnections.setIamPolicy eventarc.channels.getIamPolicy eventarc.channels.list eventarc.channels.setIamPolicy eventarc.locations.list eventarc.operations.list eventarc.providers.list eventarc.triggers.getIamPolicy eventarc.triggers.list eventarc.triggers.setIamPolicy fcmdata.deliverydata.list file.backups.list file.instances.list file.locations.list file.operations.list firebase.clients.list firebase.links.list firebase.playLinks.list firebaseabt.experiments.list firebaseappdistro.groups.list firebaseappdistro.releases.list firebaseappdistro.testers.list firebasecrashlytics.issues.list firebasedatabase.instances.list firebasedynamiclinks.destinations.list firebasedynamiclinks.domains.list firebasedynamiclinks.links.list firebaseextensions.configs.list firebasehosting.sites.list firebaseinappmessaging.campaigns.list firebasemessagingcampaigns.campaigns.list firebaseml.compressionjobs.list firebaseml.models.list firebaseml.modelversions.list firebasenotifications.messages.list firebaserules.releases.list firebaserules.rulesets.list firebasestorage.buckets.list fleetengine.deliveryvehicles.list fleetengine.tasks.list fleetengine.vehicles.list gameservices.gameServerClusters.list gameservices.gameServerConfigs.list gameservices.gameServerDeployments.list gameservices.locations.list gameservices.operations.list gameservices.realms.list gcp.redisenterprise.com/databases.list gcp.redisenterprise.com/subscriptions.list genomics.datasets.getIamPolicy genomics.datasets.list genomics.datasets.setIamPolicy genomics.operations.list gkebackup.backupPlans.getIamPolicy gkebackup.backupPlans.list gkebackup.backupPlans.setIamPolicy gkebackup.backups.list gkebackup.locations.list gkebackup.operations.list gkebackup.restorePlans.getIamPolicy gkebackup.restorePlans.list gkebackup.restorePlans.setIamPolicy gkebackup.restores.list gkebackup.volumeBackups.list gkebackup.volumeRestores.list gkehub.features.getIamPolicy gkehub.features.list gkehub.features.setIamPolicy gkehub.gateway.getIamPolicy gkehub.gateway.setIamPolicy gkehub.locations.list gkehub.memberships.getIamPolicy gkehub.memberships.list gkehub.memberships.setIamPolicy gkehub.operations.list gkemulticloud.awsClusters.list gkemulticloud.awsNodePools.list gkemulticloud.azureClients.list gkemulticloud.azureClusters.list gkemulticloud.azureNodePools.list gkemulticloud.operations.list gkeonprem.bareMetalClusters.getIamPolicy gkeonprem.bareMetalClusters.list gkeonprem.bareMetalClusters.setIamPolicy gkeonprem.bareMetalNodePools.getIamPolicy gkeonprem.bareMetalNodePools.list gkeonprem.bareMetalNodePools.setIamPolicy gkeonprem.locations.list gkeonprem.operations.list gkeonprem.vmwareClusters.getIamPolicy gkeonprem.vmwareClusters.list gkeonprem.vmwareClusters.setIamPolicy gkeonprem.vmwareNodePools.getIamPolicy gkeonprem.vmwareNodePools.list gkeonprem.vmwareNodePools.setIamPolicy gsuiteaddons.deployments.list healthcare.annotationStores.getIamPolicy healthcare.annotationStores.list healthcare.annotationStores.setIamPolicy healthcare.annotations.list healthcare.attributeDefinitions.list healthcare.consentArtifacts.list healthcare.consentStores.getIamPolicy healthcare.consentStores.list healthcare.consentStores.setIamPolicy healthcare.consents.list healthcare.datasets.getIamPolicy healthcare.datasets.list healthcare.datasets.setIamPolicy healthcare.dicomStores.getIamPolicy healthcare.dicomStores.list healthcare.dicomStores.setIamPolicy healthcare.fhirStores.getIamPolicy healthcare.fhirStores.list healthcare.fhirStores.setIamPolicy healthcare.hl7V2Messages.list healthcare.hl7V2Stores.getIamPolicy healthcare.hl7V2Stores.list healthcare.hl7V2Stores.setIamPolicy healthcare.locations.list healthcare.operations.list healthcare.userDataMappings.list iam.denypolicies.list iam.googleapis.com/workforcePoolProviders.list iam.googleapis.com/workforcePools.getIamPolicy iam.googleapis.com/workforcePools.list iam.googleapis.com/workforcePools.setIamPolicy iam.googleapis.com/workloadIdentityPoolProviders.list iam.googleapis.com/workloadIdentityPools.list iam.roles.get iam.roles.list iam.serviceAccountKeys.list iam.serviceAccounts.get iam.serviceAccounts.getIamPolicy iam.serviceAccounts.list iam.serviceAccounts.setIamPolicy iap.tunnel.* iap.tunnelDestGroups.getIamPolicy iap.tunnelDestGroups.list iap.tunnelDestGroups.setIamPolicy iap.tunnelInstances.getIamPolicy iap.tunnelInstances.setIamPolicy iap.tunnelLocations.* iap.tunnelZones.* iap.web.getIamPolicy iap.web.setIamPolicy iap.webServiceVersions.getIamPolicy iap.webServiceVersions.setIamPolicy iap.webServices.getIamPolicy iap.webServices.setIamPolicy iap.webTypes.getIamPolicy iap.webTypes.setIamPolicy ids.endpoints.getIamPolicy ids.endpoints.list ids.endpoints.setIamPolicy ids.locations.list ids.operations.list integrations.apigeeAuthConfigs.list integrations.apigeeCertificates.list integrations.apigeeExecutions.list integrations.apigeeIntegrationVers.list integrations.apigeeIntegrations.list integrations.apigeeSfdcChannels.list integrations.apigeeSfdcInstances.list integrations.apigeeSuspensions.list integrations.authConfigs.list integrations.certificates.list integrations.executions.list integrations.integrationVersions.list integrations.integrations.list integrations.securityAuthConfigs.list integrations.securityExecutions.list integrations.securityIntegTempVers.list integrations.securityIntegrationVers.list integrations.securityIntegrations.list integrations.sfdcChannels.list integrations.sfdcInstances.list integrations.suspensions.list issuerswitch.complaintTransactions.list issuerswitch.financialTransactions.list issuerswitch.mandateTransactions.list issuerswitch.metadataTransactions.list issuerswitch.operations.list issuerswitch.ruleMetadata.list issuerswitch.ruleMetadataValues.list issuerswitch.rules.list krmapihosting.krmApiHosts.getIamPolicy krmapihosting.krmApiHosts.list krmapihosting.krmApiHosts.setIamPolicy krmapihosting.locations.list krmapihosting.operations.list lifesciences.operations.list livestream.channels.list livestream.events.list livestream.inputs.list livestream.locations.list livestream.operations.list logging.buckets.list logging.exclusions.list logging.links.list logging.locations.list logging.logEntries.list logging.logMetrics.list logging.logServiceIndexes.list logging.logServices.list logging.logs.list logging.notificationRules.list logging.operations.list logging.privateLogEntries.list logging.queries.list logging.sinks.list logging.views.list managedidentities.backups.getIamPolicy managedidentities.backups.list managedidentities.backups.setIamPolicy managedidentities.domains.getIamPolicy managedidentities.domains.list managedidentities.domains.setIamPolicy managedidentities.locations.list managedidentities.operations.list managedidentities.peerings.getIamPolicy managedidentities.peerings.list managedidentities.peerings.setIamPolicy managedidentities.sqlintegrations.list mapsadmin.clientMaps.list mapsadmin.clientStyleSheetSnapshots.list mapsadmin.clientStyles.list mapsadmin.styleSnapshots.list memcache.instances.list memcache.locations.list memcache.operations.list metastore.backups.list metastore.databases.getIamPolicy metastore.databases.list metastore.databases.setIamPolicy metastore.federations.getIamPolicy metastore.federations.list metastore.federations.setIamPolicy metastore.imports.list metastore.locations.list metastore.operations.list metastore.services.getIamPolicy metastore.services.list metastore.services.setIamPolicy metastore.tables.getIamPolicy metastore.tables.list metastore.tables.setIamPolicy migrationcenter.assets.list migrationcenter.groups.list migrationcenter.importJobs.list migrationcenter.locations.list migrationcenter.operations.list migrationcenter.sources.list ml.jobs.getIamPolicy ml.jobs.list ml.jobs.setIamPolicy ml.locations.list ml.models.getIamPolicy ml.models.list ml.models.setIamPolicy ml.operations.list ml.studies.getIamPolicy ml.studies.list ml.studies.setIamPolicy ml.trials.list ml.versions.list monitoring.alertPolicies.list monitoring.dashboards.list monitoring.groups.list monitoring.metricDescriptors.list monitoring.monitoredResourceDescriptors.list monitoring.notificationChannelDescriptors.list monitoring.notificationChannels.list monitoring.publicWidgets.list monitoring.services.list monitoring.slos.list monitoring.timeSeries.list monitoring.uptimeCheckConfigs.list networkconnectivity.hubs.getIamPolicy networkconnectivity.hubs.list networkconnectivity.hubs.setIamPolicy networkconnectivity.locations.list networkconnectivity.operations.list networkconnectivity.spokes.getIamPolicy networkconnectivity.spokes.list networkconnectivity.spokes.setIamPolicy networkmanagement.connectivitytests.getIamPolicy networkmanagement.connectivitytests.list networkmanagement.connectivitytests.setIamPolicy networkmanagement.locations.list networkmanagement.operations.list networksecurity.authorizationPolicies.getIamPolicy networksecurity.authorizationPolicies.list networksecurity.authorizationPolicies.setIamPolicy networksecurity.clientTlsPolicies.getIamPolicy networksecurity.clientTlsPolicies.list networksecurity.clientTlsPolicies.setIamPolicy networksecurity.locations.list networksecurity.operations.list networksecurity.serverTlsPolicies.getIamPolicy networksecurity.serverTlsPolicies.list networksecurity.serverTlsPolicies.setIamPolicy networkservices.endpointConfigSelectors.getIamPolicy networkservices.endpointConfigSelectors.list networkservices.endpointConfigSelectors.setIamPolicy networkservices.endpointPolicies.getIamPolicy networkservices.endpointPolicies.list networkservices.endpointPolicies.setIamPolicy networkservices.gateways.list networkservices.grpcRoutes.getIamPolicy networkservices.grpcRoutes.list networkservices.grpcRoutes.setIamPolicy networkservices.httpFilters.getIamPolicy networkservices.httpFilters.list networkservices.httpFilters.setIamPolicy networkservices.httpRoutes.getIamPolicy networkservices.httpRoutes.list networkservices.httpRoutes.setIamPolicy networkservices.httpfilters.getIamPolicy networkservices.httpfilters.list networkservices.httpfilters.setIamPolicy networkservices.locations.list networkservices.meshes.getIamPolicy networkservices.meshes.list networkservices.meshes.setIamPolicy networkservices.operations.list networkservices.serviceBindings.list networkservices.tcpRoutes.getIamPolicy networkservices.tcpRoutes.list networkservices.tcpRoutes.setIamPolicy networkservices.tlsRoutes.list notebooks.environments.getIamPolicy notebooks.environments.list notebooks.environments.setIamPolicy notebooks.executions.getIamPolicy notebooks.executions.list notebooks.executions.setIamPolicy notebooks.instances.getIamPolicy notebooks.instances.list notebooks.instances.setIamPolicy notebooks.locations.list notebooks.operations.list notebooks.runtimes.getIamPolicy notebooks.runtimes.list notebooks.runtimes.setIamPolicy notebooks.schedules.getIamPolicy notebooks.schedules.list notebooks.schedules.setIamPolicy ondemandscanning.operations.list opsconfigmonitoring.resourceMetadata.list orgpolicy.constraints.list orgpolicy.policies.list osconfig.guestPolicies.list osconfig.instanceOSPoliciesCompliances.list osconfig.inventories.list osconfig.osPolicyAssignmentReports.list osconfig.osPolicyAssignments.list osconfig.patchDeployments.list osconfig.patchJobs.list osconfig.vulnerabilityReports.list paymentsresellersubscription.products.list paymentsresellersubscription.promotions.list policysimulator.* privateca.caPools.getIamPolicy privateca.caPools.list privateca.caPools.setIamPolicy privateca.certificateAuthorities.getIamPolicy privateca.certificateAuthorities.list privateca.certificateAuthorities.setIamPolicy privateca.certificateRevocationLists.getIamPolicy privateca.certificateRevocationLists.list privateca.certificateRevocationLists.setIamPolicy privateca.certificateTemplates.getIamPolicy privateca.certificateTemplates.list privateca.certificateTemplates.setIamPolicy privateca.certificates.getIamPolicy privateca.certificates.list privateca.certificates.setIamPolicy privateca.locations.list privateca.operations.list privateca.reusableConfigs.getIamPolicy privateca.reusableConfigs.list privateca.reusableConfigs.setIamPolicy proximitybeacon.attachments.list proximitybeacon.beacons.getIamPolicy proximitybeacon.beacons.list proximitybeacon.beacons.setIamPolicy proximitybeacon.namespaces.getIamPolicy proximitybeacon.namespaces.list proximitybeacon.namespaces.setIamPolicy pubsub.schemas.getIamPolicy pubsub.schemas.list pubsub.schemas.setIamPolicy pubsub.snapshots.getIamPolicy pubsub.snapshots.list pubsub.snapshots.setIamPolicy pubsub.subscriptions.getIamPolicy pubsub.subscriptions.list pubsub.subscriptions.setIamPolicy pubsub.topics.getIamPolicy pubsub.topics.list pubsub.topics.setIamPolicy pubsublite.operations.list pubsublite.reservations.list pubsublite.subscriptions.list pubsublite.topics.list recaptchaenterprise.keys.list recaptchaenterprise.relatedaccountgroupmemberships.list recaptchaenterprise.relatedaccountgroups.list recommender.bigqueryCapacityCommitmentsInsights.list recommender.bigqueryCapacityCommitmentsRecommendations.list recommender.cloudAssetInsights.list recommender.cloudsqlIdleInstanceRecommendations.list recommender.cloudsqlInstanceActivityInsights.list recommender.cloudsqlInstanceCpuUsageInsights.list recommender.cloudsqlInstanceDiskUsageTrendInsights.list recommender.cloudsqlInstanceMemoryUsageInsights.list recommender.cloudsqlInstanceOutOfDiskRecommendations.list recommender.cloudsqlInstancePerformanceInsights.list recommender.cloudsqlInstancePerformanceRecommendations.list recommender.cloudsqlInstanceSecurityInsights.list recommender.cloudsqlInstanceSecurityRecommendations.list recommender.cloudsqlOverprovisionedInstanceRecommendations.list recommender.commitmentUtilizationInsights.list recommender.computeAddressIdleResourceInsights.list recommender.computeAddressIdleResourceRecommendations.list recommender.computeDiskIdleResourceInsights.list recommender.computeDiskIdleResourceRecommendations.list recommender.computeFirewallInsights.list recommender.computeImageIdleResourceInsights.list recommender.computeImageIdleResourceRecommendations.list recommender.computeInstanceCpuUsageInsights.list recommender.computeInstanceCpuUsagePredictionInsights.list recommender.computeInstanceCpuUsageTrendInsights.list recommender.computeInstanceGroupManagerCpuUsageInsights.list recommender.computeInstanceGroupManagerCpuUsagePredictionInsights.list recommender.computeInstanceGroupManagerCpuUsageTrendInsights.list recommender.computeInstanceGroupManagerMachineTypeRecommendations.list recommender.computeInstanceGroupManagerMemoryUsageInsights.list recommender.computeInstanceGroupManagerMemoryUsagePredictionInsights.list recommender.computeInstanceIdleResourceRecommendations.list recommender.computeInstanceMachineTypeRecommendations.list recommender.computeInstanceMemoryUsageInsights.list recommender.computeInstanceMemoryUsagePredictionInsights.list recommender.computeInstanceNetworkThroughputInsights.list recommender.containerDiagnosisInsights.list recommender.containerDiagnosisRecommendations.list recommender.costInsights.list recommender.dataflowDiagnosticsInsights.list recommender.errorReportingInsights.list recommender.errorReportingRecommendations.list recommender.gmpProjectManagementInsights.list recommender.gmpProjectManagementRecommendations.list recommender.gmpProjectProductSuggestionsInsights.list recommender.gmpProjectProductSuggestionsRecommendations.list recommender.gmpProjectQuotaInsights.list recommender.gmpProjectQuotaRecommendations.list recommender.iamPolicyInsights.list recommender.iamPolicyLateralMovementInsights.list recommender.iamPolicyRecommendations.list recommender.iamServiceAccountInsights.list recommender.locations.list recommender.loggingProductSuggestionContainerInsights.list recommender.loggingProductSuggestionContainerRecommendations.list recommender.monitoringProductSuggestionComputeInsights.list recommender.monitoringProductSuggestionComputeRecommendations.list recommender.networkAnalyzerCloudSqlInsights.list recommender.networkAnalyzerDynamicRouteInsights.list recommender.networkAnalyzerGkeConnectivityInsights.list recommender.networkAnalyzerGkeIpAddressInsights.list recommender.networkAnalyzerIpAddressInsights.list recommender.networkAnalyzerLoadBalancerInsights.list recommender.networkAnalyzerVpcConnectivityInsights.list recommender.resourcemanagerProjectUtilizationInsights.list recommender.resourcemanagerProjectUtilizationRecommendations.list recommender.runServiceIdentityInsights.list recommender.runServiceIdentityRecommendations.list recommender.spendBasedCommitmentInsights.list recommender.spendBasedCommitmentRecommendations.list recommender.usageCommitmentRecommendations.list redis.instances.list redis.locations.list redis.operations.list remotebuildexecution.instances.list remotebuildexecution.workerpools.list resourcemanager.folders.getIamPolicy resourcemanager.folders.list resourcemanager.folders.setIamPolicy resourcemanager.hierarchyNodes.listTagBindings resourcemanager.organizations.getIamPolicy resourcemanager.organizations.setIamPolicy resourcemanager.projects.getIamPolicy resourcemanager.projects.list resourcemanager.projects.setIamPolicy resourcemanager.tagHolds.list resourcemanager.tagKeys.getIamPolicy resourcemanager.tagKeys.list resourcemanager.tagKeys.setIamPolicy resourcemanager.tagValues.getIamPolicy resourcemanager.tagValues.list resourcemanager.tagValues.setIamPolicy resourcesettings.settings.list retail.catalogs.list retail.controls.list retail.models.list retail.operations.list retail.products.list retail.servingConfigs.list riskmanager.operations.list riskmanager.policies.list riskmanager.reports.list rma.collectors.list rma.locations.list rma.operations.list run.configurations.list run.executions.list run.jobs.getIamPolicy run.jobs.list run.jobs.setIamPolicy run.locations.list run.operations.list run.revisions.list run.routes.list run.services.getIamPolicy run.services.list run.services.setIamPolicy run.tasks.list runtimeconfig.configs.getIamPolicy runtimeconfig.configs.list runtimeconfig.configs.setIamPolicy runtimeconfig.operations.list runtimeconfig.variables.getIamPolicy runtimeconfig.variables.list runtimeconfig.variables.setIamPolicy runtimeconfig.waiters.getIamPolicy runtimeconfig.waiters.list runtimeconfig.waiters.setIamPolicy secretmanager.locations.list secretmanager.secrets.getIamPolicy secretmanager.secrets.list secretmanager.secrets.setIamPolicy secretmanager.versions.list securedlandingzone.overwatches.list securitycenter.assets.list securitycenter.bigQueryExports.list securitycenter.findings.list securitycenter.muteconfigs.list securitycenter.notificationconfig.list securitycenter.sources.getIamPolicy securitycenter.sources.list securitycenter.sources.setIamPolicy servicebroker.bindingoperations.list servicebroker.bindings.getIamPolicy servicebroker.bindings.list servicebroker.bindings.setIamPolicy servicebroker.catalogs.getIamPolicy servicebroker.catalogs.list servicebroker.catalogs.setIamPolicy servicebroker.instanceoperations.list servicebroker.instances.getIamPolicy servicebroker.instances.list servicebroker.instances.setIamPolicy serviceconsumermanagement.tenancyu.list servicedirectory.endpoints.getIamPolicy servicedirectory.endpoints.list servicedirectory.endpoints.setIamPolicy servicedirectory.locations.list servicedirectory.namespaces.getIamPolicy servicedirectory.namespaces.list servicedirectory.namespaces.setIamPolicy servicedirectory.services.getIamPolicy servicedirectory.services.list servicedirectory.services.setIamPolicy servicemanagement.services.getIamPolicy servicemanagement.services.list servicemanagement.services.setIamPolicy servicenetworking.operations.list servicesecurityinsights.clusterSecurityInfo.list servicesecurityinsights.securityInfo.list servicesecurityinsights.workloadPolicies.list serviceusage.operations.list serviceusage.services.list source.repos.getIamPolicy source.repos.list source.repos.setIamPolicy spanner.backupOperations.list spanner.backups.getIamPolicy spanner.backups.list spanner.backups.setIamPolicy spanner.databaseOperations.list spanner.databaseRoles.list spanner.databases.getIamPolicy spanner.databases.list spanner.databases.setIamPolicy spanner.instanceConfigs.list spanner.instanceOperations.list spanner.instances.getIamPolicy spanner.instances.list spanner.instances.setIamPolicy spanner.sessions.list speech.customClasses.list speech.operations.list speech.phraseSets.list speech.recognizers.list storage.buckets.getIamPolicy storage.buckets.list storage.buckets.setIamPolicy storage.hmacKeys.list storage.multipartUploads.list storage.objects.getIamPolicy storage.objects.list storage.objects.setIamPolicy storagetransfer.agentpools.list storagetransfer.jobs.list storagetransfer.operations.list stream.locations.list stream.operations.list stream.streamContents.list stream.streamInstances.list timeseriesinsights.datasets.list timeseriesinsights.locations.list tpu.acceleratortypes.list tpu.locations.list tpu.nodes.list tpu.operations.list tpu.tensorflowversions.list transcoder.jobTemplates.list transcoder.jobs.list transferappliance.appliances.list transferappliance.locations.list transferappliance.operations.list transferappliance.orders.list translationhub.portals.list videostitcher.cdnKeys.list videostitcher.liveAdTagDetails.list videostitcher.slates.list videostitcher.vodAdTagDetails.list videostitcher.vodStitchDetails.list visualinspection.annotationSets.list visualinspection.annotationSpecs.list visualinspection.annotations.list visualinspection.datasets.list visualinspection.images.list visualinspection.locations.list visualinspection.modelEvaluations.list visualinspection.models.list visualinspection.modules.list visualinspection.operations.list visualinspection.solutionArtifacts.list visualinspection.solutions.list vmmigration.cloneJobs.list vmmigration.cutoverJobs.list vmmigration.datacenterConnectors.list vmmigration.deployments.list vmmigration.groups.list vmmigration.locations.list vmmigration.migratingVms.list vmmigration.operations.list vmmigration.sources.list vmmigration.targets.list vmmigration.utilizationReports.list vpcaccess.connectors.list vpcaccess.locations.list vpcaccess.operations.list workflows.executions.list workflows.locations.list workflows.operations.list workflows.workflows.list workloadmanager.evaluations.list workloadmanager.executions.list workloadmanager.locations.list workloadmanager.operations.list workloadmanager.results.list workloadmanager.rules.list
Security Reviewer (`roles/iam.securityReviewer`) Provides permissions to list all resources and allow policies on them.	accessapproval.requests.list accesscontextmanager.accessLevels.list accesscontextmanager.accessPolicies.getIamPolicy accesscontextmanager.accessPolicies.list accesscontextmanager.accessZones.list accesscontextmanager.gcpUserAccessBindings.list accesscontextmanager.policies.getIamPolicy accesscontextmanager.policies.list accesscontextmanager.servicePerimeters.list actions.agentVersions.list advisorynotifications.notifications.list aiplatform.annotationSpecs.list aiplatform.annotations.list aiplatform.artifacts.list aiplatform.batchPredictionJobs.list aiplatform.contexts.list aiplatform.customJobs.list aiplatform.dataItems.list aiplatform.dataLabelingJobs.list aiplatform.datasets.list aiplatform.deploymentResourcePools.list aiplatform.edgeDeploymentJobs.list aiplatform.edgeDevices.list aiplatform.endpoints.list aiplatform.entityTypes.getIamPolicy aiplatform.entityTypes.list aiplatform.executions.list aiplatform.features.list aiplatform.featurestores.getIamPolicy aiplatform.featurestores.list aiplatform.humanInTheLoops.list aiplatform.hyperparameterTuningJobs.list aiplatform.indexEndpoints.list aiplatform.indexes.list aiplatform.locations.list aiplatform.metadataSchemas.list aiplatform.metadataStores.list aiplatform.modelDeploymentMonitoringJobs.list aiplatform.modelEvaluationSlices.list aiplatform.modelEvaluations.list aiplatform.models.list aiplatform.nasJobs.list aiplatform.operations.list aiplatform.pipelineJobs.list aiplatform.specialistPools.list aiplatform.studies.list aiplatform.tensorboardExperiments.list aiplatform.tensorboardRuns.list aiplatform.tensorboardTimeSeries.list aiplatform.tensorboards.list aiplatform.trainingPipelines.list aiplatform.trials.list alloydb.backups.list alloydb.clusters.list alloydb.instances.list alloydb.locations.list alloydb.operations.list alloydb.supportedDatabaseFlags.list analyticshub.dataExchanges.getIamPolicy analyticshub.dataExchanges.list analyticshub.listings.getIamPolicy analyticshub.listings.list apigateway.apiconfigs.getIamPolicy apigateway.apiconfigs.list apigateway.apis.getIamPolicy apigateway.apis.list apigateway.gateways.getIamPolicy apigateway.gateways.list apigateway.locations.list apigateway.operations.list apigee.apiproductattributes.list apigee.apiproducts.list apigee.apps.list apigee.archivedeployments.list apigee.caches.list apigee.datacollectors.list apigee.datastores.list apigee.deployments.list apigee.developerappattributes.list apigee.developerapps.list apigee.developerattributes.list apigee.developers.list apigee.developersubscriptions.list apigee.envgroupattachments.list apigee.envgroups.list apigee.environments.getIamPolicy apigee.environments.list apigee.exports.list apigee.flowhooks.list apigee.hostqueries.list apigee.hostsecurityreports.list apigee.instanceattachments.list apigee.instances.list apigee.keystorealiases.list apigee.keystores.list apigee.keyvaluemapentries.list apigee.keyvaluemaps.list apigee.operations.list apigee.organizations.list apigee.portals.list apigee.proxies.list apigee.proxyrevisions.list apigee.queries.list apigee.rateplans.list apigee.references.list apigee.reports.list apigee.resourcefiles.list apigee.securityProfiles.list apigee.securityreports.list apigee.sharedflowrevisions.list apigee.sharedflows.list apigee.targetservers.list apigee.tracesessions.list apigeeconnect.connections.list apigeeregistry.apis.getIamPolicy apigeeregistry.apis.list apigeeregistry.artifacts.getIamPolicy apigeeregistry.artifacts.list apigeeregistry.deployments.list apigeeregistry.locations.list apigeeregistry.operations.list apigeeregistry.specs.getIamPolicy apigeeregistry.specs.list apigeeregistry.versions.getIamPolicy apigeeregistry.versions.list apikeys.keys.list appengine.instances.list appengine.memcache.list appengine.operations.list appengine.services.list appengine.versions.list artifactregistry.dockerimages.list artifactregistry.files.list artifactregistry.locations.list artifactregistry.mavenartifacts.list artifactregistry.npmpackages.list artifactregistry.packages.list artifactregistry.pythonpackages.list artifactregistry.repositories.getIamPolicy artifactregistry.repositories.list artifactregistry.tags.list artifactregistry.versions.list assuredworkloads.operations.list assuredworkloads.violations.list assuredworkloads.workload.list automl.annotationSpecs.list automl.annotations.list automl.columnSpecs.list automl.datasets.getIamPolicy automl.datasets.list automl.examples.list automl.files.list automl.humanAnnotationTasks.list automl.locations.getIamPolicy automl.locations.list automl.modelEvaluations.list automl.models.getIamPolicy automl.models.list automl.operations.list automl.tableSpecs.list automlrecommendations.apiKeys.list automlrecommendations.catalogItems.list automlrecommendations.catalogs.list automlrecommendations.events.list automlrecommendations.placements.list automlrecommendations.recommendations.list autoscaling.sites.getIamPolicy backupdr.locations.list backupdr.managementServers.getIamPolicy backupdr.managementServers.list backupdr.operations.list baremetalsolution.instancequotas.list baremetalsolution.instances.list baremetalsolution.luns.list baremetalsolution.networkquotas.list baremetalsolution.networks.list baremetalsolution.nfsshares.list baremetalsolution.snapshotschedulepolicies.list baremetalsolution.volumequotas.list baremetalsolution.volumes.list baremetalsolution.volumesnapshots.list batch.jobs.list batch.locations.list batch.operations.list batch.tasks.list beyondcorp.appConnections.getIamPolicy beyondcorp.appConnections.list beyondcorp.appConnectors.getIamPolicy beyondcorp.appConnectors.list beyondcorp.appGateways.getIamPolicy beyondcorp.appGateways.list beyondcorp.clientConnectorServices.getIamPolicy beyondcorp.clientConnectorServices.list beyondcorp.clientGateways.getIamPolicy beyondcorp.clientGateways.list beyondcorp.locations.list beyondcorp.operations.list bigquery.capacityCommitments.list bigquery.connections.getIamPolicy bigquery.connections.list bigquery.dataPolicies.getIamPolicy bigquery.dataPolicies.list bigquery.datasets.getIamPolicy bigquery.jobs.list bigquery.models.list bigquery.reservationAssignments.list bigquery.reservations.list bigquery.routines.list bigquery.rowAccessPolicies.getIamPolicy bigquery.rowAccessPolicies.list bigquery.savedqueries.list bigquery.tables.getIamPolicy bigquery.tables.list bigquerymigration.locations.list bigquerymigration.subtasks.list bigquerymigration.workflows.list bigtable.appProfiles.list bigtable.backups.getIamPolicy bigtable.backups.list bigtable.clusters.list bigtable.instances.getIamPolicy bigtable.instances.list bigtable.keyvisualizer.list bigtable.locations.list bigtable.tables.getIamPolicy bigtable.tables.list billing.accounts.getIamPolicy billing.accounts.list billing.budgets.list billing.credits.list billing.resourceAssociations.list billing.subscriptions.list binaryauthorization.attestors.getIamPolicy binaryauthorization.attestors.list binaryauthorization.continuousValidationConfig.getIamPolicy binaryauthorization.platformPolicies.list binaryauthorization.policy.getIamPolicy carestudio.patients.list certificatemanager.certmapentries.getIamPolicy certificatemanager.certmapentries.list certificatemanager.certmaps.getIamPolicy certificatemanager.certmaps.list certificatemanager.certs.getIamPolicy certificatemanager.certs.list certificatemanager.dnsauthorizations.getIamPolicy certificatemanager.dnsauthorizations.list certificatemanager.locations.list certificatemanager.operations.list clientauthconfig.brands.list clientauthconfig.clients.list cloudasset.feeds.list cloudasset.savedqueries.list cloudbuild.builds.list cloudbuild.integrations.list cloudbuild.workerpools.list clouddebugger.breakpoints.list clouddebugger.debuggees.list clouddeploy.deliveryPipelines.getIamPolicy clouddeploy.deliveryPipelines.list clouddeploy.jobRuns.list clouddeploy.locations.list clouddeploy.operations.list clouddeploy.releases.list clouddeploy.rollouts.list clouddeploy.targets.getIamPolicy clouddeploy.targets.list cloudfunctions.functions.getIamPolicy cloudfunctions.functions.list cloudfunctions.locations.list cloudfunctions.operations.list cloudfunctions.runtimes.list cloudiot.devices.list cloudiot.registries.getIamPolicy cloudiot.registries.list cloudjobdiscovery.companies.list cloudkms.cryptoKeyVersions.list cloudkms.cryptoKeys.getIamPolicy cloudkms.cryptoKeys.list cloudkms.ekmConnections.getIamPolicy cloudkms.ekmConnections.list cloudkms.importJobs.getIamPolicy cloudkms.importJobs.list cloudkms.keyRings.getIamPolicy cloudkms.keyRings.list cloudkms.locations.list cloudnotifications.activities.list cloudonefs.isiloncloud.com/clusters.list cloudonefs.isiloncloud.com/fileshares.list cloudprivatecatalogproducer.associations.list cloudprivatecatalogproducer.catalogAssociations.list cloudprivatecatalogproducer.catalogs.getIamPolicy cloudprivatecatalogproducer.catalogs.list cloudprivatecatalogproducer.producerCatalogs.getIamPolicy cloudprivatecatalogproducer.producerCatalogs.list cloudprivatecatalogproducer.products.getIamPolicy cloudprivatecatalogproducer.products.list cloudprofiler.profiles.list cloudscheduler.jobs.list cloudscheduler.locations.list cloudsecurityscanner.crawledurls.list cloudsecurityscanner.results.list cloudsecurityscanner.scanruns.list cloudsecurityscanner.scans.list cloudsql.backupRuns.list cloudsql.databases.list cloudsql.instances.list cloudsql.sslCerts.list cloudsql.users.list cloudsupport.accounts.getIamPolicy cloudsupport.accounts.list cloudsupport.techCases.list cloudtasks.locations.list cloudtasks.queues.getIamPolicy cloudtasks.queues.list cloudtasks.tasks.list cloudtoolresults.executions.list cloudtoolresults.histories.list cloudtoolresults.steps.list cloudtrace.insights.list cloudtrace.tasks.list cloudtrace.traces.list cloudtranslate.glossaries.list cloudtranslate.glossaryentries.list cloudtranslate.locations.list cloudtranslate.operations.list cloudvolumesgcp-api.netapp.com/activeDirectories.list cloudvolumesgcp-api.netapp.com/ipRanges.list cloudvolumesgcp-api.netapp.com/jobs.list cloudvolumesgcp-api.netapp.com/regions.list cloudvolumesgcp-api.netapp.com/serviceLevels.list cloudvolumesgcp-api.netapp.com/snapshots.list cloudvolumesgcp-api.netapp.com/volumes.list commerceprice.privateoffers.list composer.dags.list composer.environments.list composer.imageversions.list composer.operations.list compute.acceleratorTypes.list compute.addresses.list compute.autoscalers.list compute.backendBuckets.list compute.backendServices.getIamPolicy compute.backendServices.list compute.commitments.list compute.diskTypes.list compute.disks.getIamPolicy compute.disks.list compute.externalVpnGateways.list compute.firewallPolicies.getIamPolicy compute.firewallPolicies.list compute.firewalls.list compute.forwardingRules.list compute.globalAddresses.list compute.globalForwardingRules.list compute.globalNetworkEndpointGroups.list compute.globalOperations.getIamPolicy compute.globalOperations.list compute.globalPublicDelegatedPrefixes.list compute.healthChecks.list compute.httpHealthChecks.list compute.httpsHealthChecks.list compute.images.getIamPolicy compute.images.list compute.instanceGroupManagers.list compute.instanceGroups.list compute.instanceTemplates.getIamPolicy compute.instanceTemplates.list compute.instances.getIamPolicy compute.instances.list compute.interconnectAttachments.list compute.interconnectLocations.list compute.interconnects.list compute.licenseCodes.getIamPolicy compute.licenseCodes.list compute.licenses.getIamPolicy compute.licenses.list compute.machineImages.getIamPolicy compute.machineImages.list compute.machineTypes.list compute.maintenancePolicies.getIamPolicy compute.maintenancePolicies.list compute.networkEndpointGroups.getIamPolicy compute.networkEndpointGroups.list compute.networks.list compute.nodeGroups.getIamPolicy compute.nodeGroups.list compute.nodeTemplates.getIamPolicy compute.nodeTemplates.list compute.nodeTypes.list compute.packetMirrorings.list compute.publicAdvertisedPrefixes.list compute.publicDelegatedPrefixes.list compute.regionBackendServices.getIamPolicy compute.regionBackendServices.list compute.regionFirewallPolicies.getIamPolicy compute.regionFirewallPolicies.list compute.regionHealthCheckServices.list compute.regionHealthChecks.list compute.regionNetworkEndpointGroups.list compute.regionNotificationEndpoints.list compute.regionOperations.getIamPolicy compute.regionOperations.list compute.regionSslCertificates.list compute.regionTargetHttpProxies.list compute.regionTargetHttpsProxies.list compute.regionUrlMaps.list compute.regions.list compute.reservations.list compute.resourcePolicies.list compute.routers.list compute.routes.list compute.securityPolicies.getIamPolicy compute.securityPolicies.list compute.serviceAttachments.list compute.snapshots.getIamPolicy compute.snapshots.list compute.sslCertificates.list compute.sslPolicies.list compute.subnetworks.getIamPolicy compute.subnetworks.list compute.targetGrpcProxies.list compute.targetHttpProxies.list compute.targetHttpsProxies.list compute.targetInstances.list compute.targetPools.list compute.targetSslProxies.list compute.targetTcpProxies.list compute.targetVpnGateways.list compute.urlMaps.list compute.vpnGateways.list compute.vpnTunnels.list compute.zoneOperations.getIamPolicy compute.zoneOperations.list compute.zones.list connectors.actions.list connectors.connections.getIamPolicy connectors.connections.list connectors.connectors.list connectors.entities.list connectors.entityTypes.list connectors.locations.list connectors.operations.list connectors.providers.list connectors.versions.list consumerprocurement.accounts.list consumerprocurement.consents.list consumerprocurement.entitlements.list consumerprocurement.freeTrials.list consumerprocurement.orderAttributions.list consumerprocurement.orders.list contactcenteraiplatform.contactCenters.list contactcenteraiplatform.locations.list contactcenteraiplatform.operations.list contactcenterinsights.analyses.list contactcenterinsights.conversations.list contactcenterinsights.issueModels.list contactcenterinsights.issues.list contactcenterinsights.operations.list contactcenterinsights.phraseMatchers.list container.apiServices.list container.auditSinks.list container.backendConfigs.list container.bindings.list container.certificateSigningRequests.list container.clusterRoleBindings.list container.clusterRoles.list container.clusters.list container.componentStatuses.list container.configMaps.list container.controllerRevisions.list container.cronJobs.list container.csiDrivers.list container.csiNodeInfos.list container.csiNodes.list container.customResourceDefinitions.list container.daemonSets.list container.deployments.list container.endpointSlices.list container.endpoints.list container.events.list container.frontendConfigs.list container.horizontalPodAutoscalers.list container.ingresses.list container.initializerConfigurations.list container.jobs.list container.leases.list container.limitRanges.list container.localSubjectAccessReviews.list container.managedCertificates.list container.mutatingWebhookConfigurations.list container.namespaces.list container.networkPolicies.list container.nodes.list container.operations.list container.persistentVolumeClaims.list container.persistentVolumes.list container.petSets.list container.podDisruptionBudgets.list container.podPresets.list container.podSecurityPolicies.list container.podTemplates.list container.pods.list container.priorityClasses.list container.replicaSets.list container.replicationControllers.list container.resourceQuotas.list container.roleBindings.list container.roles.list container.runtimeClasses.list container.scheduledJobs.list container.selfSubjectAccessReviews.list container.serviceAccounts.list container.services.list container.statefulSets.list container.storageClasses.list container.storageStates.list container.storageVersionMigrations.list container.subjectAccessReviews.list container.thirdPartyObjects.list container.thirdPartyResources.list container.updateInfos.list container.validatingWebhookConfigurations.list container.volumeAttachments.list container.volumeSnapshotClasses.list container.volumeSnapshotContents.list container.volumeSnapshots.list containeranalysis.notes.getIamPolicy containeranalysis.notes.list containeranalysis.occurrences.getIamPolicy containeranalysis.occurrences.list containersecurity.clusterSummaries.list containersecurity.locations.list containersecurity.workloadConfigAudits.list contentwarehouse.documentSchemas.list contentwarehouse.documents.getIamPolicy contentwarehouse.ruleSets.list contentwarehouse.synonymSets.list datacatalog.categories.getIamPolicy datacatalog.entries.getIamPolicy datacatalog.entries.list datacatalog.entryGroups.getIamPolicy datacatalog.entryGroups.list datacatalog.tagTemplates.getIamPolicy datacatalog.taxonomies.getIamPolicy datacatalog.taxonomies.list dataconnectors.connectors.getIamPolicy dataconnectors.connectors.list dataconnectors.locations.list dataconnectors.operations.list dataflow.jobs.list dataflow.messages.list dataflow.snapshots.list dataform.compilationResults.list dataform.locations.list dataform.repositories.list dataform.workflowInvocations.list dataform.workspaces.list datafusion.instances.getIamPolicy datafusion.instances.list datafusion.locations.list datafusion.operations.list datalabeling.annotateddatasets.list datalabeling.annotationspecsets.list datalabeling.dataitems.list datalabeling.datasets.list datalabeling.examples.list datalabeling.instructions.list datalabeling.operations.list datamigration.connectionprofiles.getIamPolicy datamigration.connectionprofiles.list datamigration.locations.list datamigration.migrationjobs.getIamPolicy datamigration.migrationjobs.list datamigration.operations.list datapipelines.jobs.list datapipelines.pipelines.list dataplex.assetActions.list dataplex.assets.getIamPolicy dataplex.assets.list dataplex.content.getIamPolicy dataplex.content.list dataplex.entities.list dataplex.environments.getIamPolicy dataplex.environments.list dataplex.lakeActions.list dataplex.lakes.getIamPolicy dataplex.lakes.list dataplex.locations.list dataplex.operations.list dataplex.partitions.list dataplex.tasks.getIamPolicy dataplex.tasks.list dataplex.zoneActions.list dataplex.zones.getIamPolicy dataplex.zones.list dataproc.agents.list dataproc.autoscalingPolicies.getIamPolicy dataproc.autoscalingPolicies.list dataproc.batches.list dataproc.clusters.getIamPolicy dataproc.clusters.list dataproc.jobs.getIamPolicy dataproc.jobs.list dataproc.operations.getIamPolicy dataproc.operations.list dataproc.workflowTemplates.getIamPolicy dataproc.workflowTemplates.list dataprocessing.datasources.list dataprocessing.featurecontrols.list dataprocessing.groupcontrols.list datastore.databases.list datastore.entities.list datastore.indexes.list datastore.keyVisualizerScans.list datastore.locations.list datastore.namespaces.list datastore.operations.list datastore.statistics.list datastream.connectionProfiles.getIamPolicy datastream.connectionProfiles.list datastream.locations.list datastream.objects.list datastream.operations.list datastream.privateConnections.getIamPolicy datastream.privateConnections.list datastream.routes.getIamPolicy datastream.routes.list datastream.streams.getIamPolicy datastream.streams.list deploymentmanager.compositeTypes.list deploymentmanager.deployments.getIamPolicy deploymentmanager.deployments.list deploymentmanager.manifests.list deploymentmanager.operations.list deploymentmanager.resources.list deploymentmanager.typeProviders.list deploymentmanager.types.list dialogflow.agents.list dialogflow.answerrecords.list dialogflow.callMatchers.list dialogflow.changelogs.list dialogflow.contexts.list dialogflow.conversationDatasets.list dialogflow.conversationModels.list dialogflow.conversationProfiles.list dialogflow.conversations.list dialogflow.documents.list dialogflow.entityTypes.list dialogflow.environments.list dialogflow.flows.list dialogflow.integrations.list dialogflow.intents.list dialogflow.knowledgeBases.list dialogflow.messages.list dialogflow.modelEvaluations.list dialogflow.pages.list dialogflow.participants.list dialogflow.phoneNumberOrders.list dialogflow.phoneNumbers.list dialogflow.securitySettings.list dialogflow.sessionEntityTypes.list dialogflow.smartMessagingEntries.list dialogflow.transitionRouteGroups.list dialogflow.versions.list dialogflow.webhooks.list dlp.analyzeRiskTemplates.list dlp.columnDataProfiles.list dlp.deidentifyTemplates.list dlp.estimates.list dlp.inspectFindings.list dlp.inspectTemplates.list dlp.jobTriggers.list dlp.jobs.list dlp.locations.list dlp.projectDataProfiles.list dlp.storedInfoTypes.list dlp.tableDataProfiles.list dns.changes.list dns.dnsKeys.list dns.managedZoneOperations.list dns.managedZones.getIamPolicy dns.managedZones.list dns.policies.getIamPolicy dns.policies.list dns.resourceRecordSets.list dns.responsePolicies.list dns.responsePolicyRules.list documentai.dataLabelingJobs.list documentai.evaluations.list documentai.labelerPools.list documentai.locations.list documentai.processorTypes.list documentai.processorVersions.list documentai.processors.list domains.locations.list domains.operations.list domains.registrations.getIamPolicy domains.registrations.list earlyaccesscenter.campaigns.list earlyaccesscenter.customerAllowlists.list earthengine.assets.getIamPolicy earthengine.assets.list earthengine.operations.list edgecontainer.clusters.getIamPolicy edgecontainer.clusters.list edgecontainer.locations.list edgecontainer.machines.getIamPolicy edgecontainer.machines.list edgecontainer.nodePools.getIamPolicy edgecontainer.nodePools.list edgecontainer.operations.list edgecontainer.vpnConnections.getIamPolicy edgecontainer.vpnConnections.list errorreporting.applications.list errorreporting.errorEvents.list errorreporting.groups.list essentialcontacts.contacts.list eventarc.channelConnections.getIamPolicy eventarc.channelConnections.list eventarc.channels.getIamPolicy eventarc.channels.list eventarc.locations.list eventarc.operations.list eventarc.providers.list eventarc.triggers.getIamPolicy eventarc.triggers.list fcmdata.deliverydata.list file.backups.list file.instances.list file.locations.list file.operations.list firebase.clients.list firebase.links.list firebase.playLinks.list firebaseabt.experiments.list firebaseappdistro.groups.list firebaseappdistro.releases.list firebaseappdistro.testers.list firebasecrashlytics.issues.list firebasedatabase.instances.list firebasedynamiclinks.destinations.list firebasedynamiclinks.domains.list firebasedynamiclinks.links.list firebaseextensions.configs.list firebasehosting.sites.list firebaseinappmessaging.campaigns.list firebasemessagingcampaigns.campaigns.list firebaseml.compressionjobs.list firebaseml.models.list firebaseml.modelversions.list firebasenotifications.messages.list firebaserules.releases.list firebaserules.rulesets.list firebasestorage.buckets.list fleetengine.deliveryvehicles.list fleetengine.tasks.list fleetengine.vehicles.list gameservices.gameServerClusters.list gameservices.gameServerConfigs.list gameservices.gameServerDeployments.list gameservices.locations.list gameservices.operations.list gameservices.realms.list gcp.redisenterprise.com/databases.list gcp.redisenterprise.com/subscriptions.list genomics.datasets.getIamPolicy genomics.datasets.list genomics.operations.list gkebackup.backupPlans.getIamPolicy gkebackup.backupPlans.list gkebackup.backups.list gkebackup.locations.list gkebackup.operations.list gkebackup.restorePlans.getIamPolicy gkebackup.restorePlans.list gkebackup.restores.list gkebackup.volumeBackups.list gkebackup.volumeRestores.list gkehub.features.getIamPolicy gkehub.features.list gkehub.gateway.getIamPolicy gkehub.locations.list gkehub.memberships.getIamPolicy gkehub.memberships.list gkehub.operations.list gkemulticloud.awsClusters.list gkemulticloud.awsNodePools.list gkemulticloud.azureClients.list gkemulticloud.azureClusters.list gkemulticloud.azureNodePools.list gkemulticloud.operations.list gkeonprem.bareMetalClusters.getIamPolicy gkeonprem.bareMetalClusters.list gkeonprem.bareMetalNodePools.getIamPolicy gkeonprem.bareMetalNodePools.list gkeonprem.locations.list gkeonprem.operations.list gkeonprem.vmwareClusters.getIamPolicy gkeonprem.vmwareClusters.list gkeonprem.vmwareNodePools.getIamPolicy gkeonprem.vmwareNodePools.list gsuiteaddons.deployments.list healthcare.annotationStores.getIamPolicy healthcare.annotationStores.list healthcare.annotations.list healthcare.attributeDefinitions.list healthcare.consentArtifacts.list healthcare.consentStores.getIamPolicy healthcare.consentStores.list healthcare.consents.list healthcare.datasets.getIamPolicy healthcare.datasets.list healthcare.dicomStores.getIamPolicy healthcare.dicomStores.list healthcare.fhirStores.getIamPolicy healthcare.fhirStores.list healthcare.hl7V2Messages.list healthcare.hl7V2Stores.getIamPolicy healthcare.hl7V2Stores.list healthcare.locations.list healthcare.operations.list healthcare.userDataMappings.list iam.denypolicies.list iam.googleapis.com/workforcePoolProviders.list iam.googleapis.com/workforcePools.getIamPolicy iam.googleapis.com/workforcePools.list iam.googleapis.com/workloadIdentityPoolProviders.list iam.googleapis.com/workloadIdentityPools.list iam.roles.get iam.roles.list iam.serviceAccountKeys.list iam.serviceAccounts.get iam.serviceAccounts.getIamPolicy iam.serviceAccounts.list iap.tunnel.getIamPolicy iap.tunnelDestGroups.getIamPolicy iap.tunnelDestGroups.list iap.tunnelInstances.getIamPolicy iap.tunnelLocations.getIamPolicy iap.tunnelZones.getIamPolicy iap.web.getIamPolicy iap.webServiceVersions.getIamPolicy iap.webServices.getIamPolicy iap.webTypes.getIamPolicy ids.endpoints.getIamPolicy ids.endpoints.list ids.locations.list ids.operations.list integrations.apigeeAuthConfigs.list integrations.apigeeCertificates.list integrations.apigeeExecutions.list integrations.apigeeIntegrationVers.list integrations.apigeeIntegrations.list integrations.apigeeSfdcChannels.list integrations.apigeeSfdcInstances.list integrations.apigeeSuspensions.list integrations.authConfigs.list integrations.certificates.list integrations.executions.list integrations.integrationVersions.list integrations.integrations.list integrations.securityAuthConfigs.list integrations.securityExecutions.list integrations.securityIntegTempVers.list integrations.securityIntegrationVers.list integrations.securityIntegrations.list integrations.sfdcChannels.list integrations.sfdcInstances.list integrations.suspensions.list issuerswitch.complaintTransactions.list issuerswitch.financialTransactions.list issuerswitch.mandateTransactions.list issuerswitch.metadataTransactions.list issuerswitch.operations.list issuerswitch.ruleMetadata.list issuerswitch.ruleMetadataValues.list issuerswitch.rules.list krmapihosting.krmApiHosts.getIamPolicy krmapihosting.krmApiHosts.list krmapihosting.locations.list krmapihosting.operations.list lifesciences.operations.list livestream.channels.list livestream.events.list livestream.inputs.list livestream.locations.list livestream.operations.list logging.buckets.list logging.exclusions.list logging.links.list logging.locations.list logging.logEntries.list logging.logMetrics.list logging.logServiceIndexes.list logging.logServices.list logging.logs.list logging.notificationRules.list logging.operations.list logging.privateLogEntries.list logging.queries.list logging.sinks.list logging.views.list managedidentities.backups.getIamPolicy managedidentities.backups.list managedidentities.domains.getIamPolicy managedidentities.domains.list managedidentities.locations.list managedidentities.operations.list managedidentities.peerings.getIamPolicy managedidentities.peerings.list managedidentities.sqlintegrations.list mapsadmin.clientMaps.list mapsadmin.clientStyleSheetSnapshots.list mapsadmin.clientStyles.list mapsadmin.styleSnapshots.list memcache.instances.list memcache.locations.list memcache.operations.list metastore.backups.list metastore.databases.getIamPolicy metastore.databases.list metastore.federations.getIamPolicy metastore.federations.list metastore.imports.list metastore.locations.list metastore.operations.list metastore.services.getIamPolicy metastore.services.list metastore.tables.getIamPolicy metastore.tables.list migrationcenter.assets.list migrationcenter.groups.list migrationcenter.importJobs.list migrationcenter.locations.list migrationcenter.operations.list migrationcenter.sources.list ml.jobs.getIamPolicy ml.jobs.list ml.locations.list ml.models.getIamPolicy ml.models.list ml.operations.list ml.studies.getIamPolicy ml.studies.list ml.trials.list ml.versions.list monitoring.alertPolicies.list monitoring.dashboards.list monitoring.groups.list monitoring.metricDescriptors.list monitoring.monitoredResourceDescriptors.list monitoring.notificationChannelDescriptors.list monitoring.notificationChannels.list monitoring.publicWidgets.list monitoring.services.list monitoring.slos.list monitoring.timeSeries.list monitoring.uptimeCheckConfigs.list networkconnectivity.hubs.getIamPolicy networkconnectivity.hubs.list networkconnectivity.locations.list networkconnectivity.operations.list networkconnectivity.spokes.getIamPolicy networkconnectivity.spokes.list networkmanagement.connectivitytests.getIamPolicy networkmanagement.connectivitytests.list networkmanagement.locations.list networkmanagement.operations.list networksecurity.authorizationPolicies.getIamPolicy networksecurity.authorizationPolicies.list networksecurity.clientTlsPolicies.getIamPolicy networksecurity.clientTlsPolicies.list networksecurity.locations.list networksecurity.operations.list networksecurity.serverTlsPolicies.getIamPolicy networksecurity.serverTlsPolicies.list networkservices.endpointConfigSelectors.getIamPolicy networkservices.endpointConfigSelectors.list networkservices.endpointPolicies.getIamPolicy networkservices.endpointPolicies.list networkservices.gateways.list networkservices.grpcRoutes.getIamPolicy networkservices.grpcRoutes.list networkservices.httpFilters.getIamPolicy networkservices.httpFilters.list networkservices.httpRoutes.getIamPolicy networkservices.httpRoutes.list networkservices.httpfilters.getIamPolicy networkservices.httpfilters.list networkservices.locations.list networkservices.meshes.getIamPolicy networkservices.meshes.list networkservices.operations.list networkservices.serviceBindings.list networkservices.tcpRoutes.getIamPolicy networkservices.tcpRoutes.list networkservices.tlsRoutes.list notebooks.environments.getIamPolicy notebooks.environments.list notebooks.executions.getIamPolicy notebooks.executions.list notebooks.instances.getIamPolicy notebooks.instances.list notebooks.locations.list notebooks.operations.list notebooks.runtimes.getIamPolicy notebooks.runtimes.list notebooks.schedules.getIamPolicy notebooks.schedules.list ondemandscanning.operations.list opsconfigmonitoring.resourceMetadata.list orgpolicy.constraints.list orgpolicy.policies.list osconfig.guestPolicies.list osconfig.instanceOSPoliciesCompliances.list osconfig.inventories.list osconfig.osPolicyAssignmentReports.list osconfig.osPolicyAssignments.list osconfig.patchDeployments.list osconfig.patchJobs.list osconfig.vulnerabilityReports.list paymentsresellersubscription.products.list paymentsresellersubscription.promotions.list policysimulator.replayResults.list policysimulator.replays.list privateca.caPools.getIamPolicy privateca.caPools.list privateca.certificateAuthorities.getIamPolicy privateca.certificateAuthorities.list privateca.certificateRevocationLists.getIamPolicy privateca.certificateRevocationLists.list privateca.certificateTemplates.getIamPolicy privateca.certificateTemplates.list privateca.certificates.getIamPolicy privateca.certificates.list privateca.locations.list privateca.operations.list privateca.reusableConfigs.getIamPolicy privateca.reusableConfigs.list proximitybeacon.attachments.list proximitybeacon.beacons.getIamPolicy proximitybeacon.beacons.list proximitybeacon.namespaces.getIamPolicy proximitybeacon.namespaces.list pubsub.schemas.getIamPolicy pubsub.schemas.list pubsub.snapshots.getIamPolicy pubsub.snapshots.list pubsub.subscriptions.getIamPolicy pubsub.subscriptions.list pubsub.topics.getIamPolicy pubsub.topics.list pubsublite.operations.list pubsublite.reservations.list pubsublite.subscriptions.list pubsublite.topics.list recaptchaenterprise.keys.list recaptchaenterprise.relatedaccountgroupmemberships.list recaptchaenterprise.relatedaccountgroups.list recommender.bigqueryCapacityCommitmentsInsights.list recommender.bigqueryCapacityCommitmentsRecommendations.list recommender.cloudAssetInsights.list recommender.cloudsqlIdleInstanceRecommendations.list recommender.cloudsqlInstanceActivityInsights.list recommender.cloudsqlInstanceCpuUsageInsights.list recommender.cloudsqlInstanceDiskUsageTrendInsights.list recommender.cloudsqlInstanceMemoryUsageInsights.list recommender.cloudsqlInstanceOutOfDiskRecommendations.list recommender.cloudsqlInstancePerformanceInsights.list recommender.cloudsqlInstancePerformanceRecommendations.list recommender.cloudsqlInstanceSecurityInsights.list recommender.cloudsqlInstanceSecurityRecommendations.list recommender.cloudsqlOverprovisionedInstanceRecommendations.list recommender.commitmentUtilizationInsights.list recommender.computeAddressIdleResourceInsights.list recommender.computeAddressIdleResourceRecommendations.list recommender.computeDiskIdleResourceInsights.list recommender.computeDiskIdleResourceRecommendations.list recommender.computeFirewallInsights.list recommender.computeImageIdleResourceInsights.list recommender.computeImageIdleResourceRecommendations.list recommender.computeInstanceCpuUsageInsights.list recommender.computeInstanceCpuUsagePredictionInsights.list recommender.computeInstanceCpuUsageTrendInsights.list recommender.computeInstanceGroupManagerCpuUsageInsights.list recommender.computeInstanceGroupManagerCpuUsagePredictionInsights.list recommender.computeInstanceGroupManagerCpuUsageTrendInsights.list recommender.computeInstanceGroupManagerMachineTypeRecommendations.list recommender.computeInstanceGroupManagerMemoryUsageInsights.list recommender.computeInstanceGroupManagerMemoryUsagePredictionInsights.list recommender.computeInstanceIdleResourceRecommendations.list recommender.computeInstanceMachineTypeRecommendations.list recommender.computeInstanceMemoryUsageInsights.list recommender.computeInstanceMemoryUsagePredictionInsights.list recommender.computeInstanceNetworkThroughputInsights.list recommender.containerDiagnosisInsights.list recommender.containerDiagnosisRecommendations.list recommender.costInsights.list recommender.dataflowDiagnosticsInsights.list recommender.errorReportingInsights.list recommender.errorReportingRecommendations.list recommender.gmpProjectManagementInsights.list recommender.gmpProjectManagementRecommendations.list recommender.gmpProjectProductSuggestionsInsights.list recommender.gmpProjectProductSuggestionsRecommendations.list recommender.gmpProjectQuotaInsights.list recommender.gmpProjectQuotaRecommendations.list recommender.iamPolicyInsights.list recommender.iamPolicyLateralMovementInsights.list recommender.iamPolicyRecommendations.list recommender.iamServiceAccountInsights.list recommender.locations.list recommender.loggingProductSuggestionContainerInsights.list recommender.loggingProductSuggestionContainerRecommendations.list recommender.monitoringProductSuggestionComputeInsights.list recommender.monitoringProductSuggestionComputeRecommendations.list recommender.networkAnalyzerCloudSqlInsights.list recommender.networkAnalyzerDynamicRouteInsights.list recommender.networkAnalyzerGkeConnectivityInsights.list recommender.networkAnalyzerGkeIpAddressInsights.list recommender.networkAnalyzerIpAddressInsights.list recommender.networkAnalyzerLoadBalancerInsights.list recommender.networkAnalyzerVpcConnectivityInsights.list recommender.resourcemanagerProjectUtilizationInsights.list recommender.resourcemanagerProjectUtilizationRecommendations.list recommender.runServiceIdentityInsights.list recommender.runServiceIdentityRecommendations.list recommender.spendBasedCommitmentInsights.list recommender.spendBasedCommitmentRecommendations.list recommender.usageCommitmentRecommendations.list redis.instances.list redis.locations.list redis.operations.list remotebuildexecution.instances.list remotebuildexecution.workerpools.list resourcemanager.folders.getIamPolicy resourcemanager.folders.list resourcemanager.hierarchyNodes.listTagBindings resourcemanager.organizations.getIamPolicy resourcemanager.projects.getIamPolicy resourcemanager.projects.list resourcemanager.tagHolds.list resourcemanager.tagKeys.getIamPolicy resourcemanager.tagKeys.list resourcemanager.tagValues.getIamPolicy resourcemanager.tagValues.list resourcesettings.settings.list retail.catalogs.list retail.controls.list retail.models.list retail.operations.list retail.products.list retail.servingConfigs.list riskmanager.operations.list riskmanager.policies.list riskmanager.reports.list rma.collectors.list rma.locations.list rma.operations.list run.configurations.list run.executions.list run.jobs.getIamPolicy run.jobs.list run.locations.list run.operations.list run.revisions.list run.routes.list run.services.getIamPolicy run.services.list run.tasks.list runtimeconfig.configs.getIamPolicy runtimeconfig.configs.list runtimeconfig.operations.list runtimeconfig.variables.getIamPolicy runtimeconfig.variables.list runtimeconfig.waiters.getIamPolicy runtimeconfig.waiters.list secretmanager.locations.list secretmanager.secrets.getIamPolicy secretmanager.secrets.list secretmanager.versions.list securedlandingzone.overwatches.list securitycenter.assets.list securitycenter.bigQueryExports.list securitycenter.findings.list securitycenter.muteconfigs.list securitycenter.notificationconfig.list securitycenter.sources.getIamPolicy securitycenter.sources.list servicebroker.bindingoperations.list servicebroker.bindings.getIamPolicy servicebroker.bindings.list servicebroker.catalogs.getIamPolicy servicebroker.catalogs.list servicebroker.instanceoperations.list servicebroker.instances.getIamPolicy servicebroker.instances.list serviceconsumermanagement.tenancyu.list servicedirectory.endpoints.getIamPolicy servicedirectory.endpoints.list servicedirectory.locations.list servicedirectory.namespaces.getIamPolicy servicedirectory.namespaces.list servicedirectory.services.getIamPolicy servicedirectory.services.list servicemanagement.services.getIamPolicy servicemanagement.services.list servicenetworking.operations.list servicesecurityinsights.clusterSecurityInfo.list servicesecurityinsights.securityInfo.list servicesecurityinsights.workloadPolicies.list serviceusage.operations.list serviceusage.services.list source.repos.getIamPolicy source.repos.list spanner.backupOperations.list spanner.backups.getIamPolicy spanner.backups.list spanner.databaseOperations.list spanner.databaseRoles.list spanner.databases.getIamPolicy spanner.databases.list spanner.instanceConfigs.list spanner.instanceOperations.list spanner.instances.getIamPolicy spanner.instances.list spanner.sessions.list speech.customClasses.list speech.operations.list speech.phraseSets.list speech.recognizers.list storage.buckets.getIamPolicy storage.buckets.list storage.hmacKeys.list storage.multipartUploads.list storage.objects.getIamPolicy storage.objects.list storagetransfer.agentpools.list storagetransfer.jobs.list storagetransfer.operations.list stream.locations.list stream.operations.list stream.streamContents.list stream.streamInstances.list timeseriesinsights.datasets.list timeseriesinsights.locations.list tpu.acceleratortypes.list tpu.locations.list tpu.nodes.list tpu.operations.list tpu.tensorflowversions.list transcoder.jobTemplates.list transcoder.jobs.list transferappliance.appliances.list transferappliance.locations.list transferappliance.operations.list transferappliance.orders.list translationhub.portals.list videostitcher.cdnKeys.list videostitcher.liveAdTagDetails.list videostitcher.slates.list videostitcher.vodAdTagDetails.list videostitcher.vodStitchDetails.list visualinspection.annotationSets.list visualinspection.annotationSpecs.list visualinspection.annotations.list visualinspection.datasets.list visualinspection.images.list visualinspection.locations.list visualinspection.modelEvaluations.list visualinspection.models.list visualinspection.modules.list visualinspection.operations.list visualinspection.solutionArtifacts.list visualinspection.solutions.list vmmigration.cloneJobs.list vmmigration.cutoverJobs.list vmmigration.datacenterConnectors.list vmmigration.deployments.list vmmigration.groups.list vmmigration.locations.list vmmigration.migratingVms.list vmmigration.operations.list vmmigration.sources.list vmmigration.targets.list vmmigration.utilizationReports.list vpcaccess.connectors.list vpcaccess.locations.list vpcaccess.operations.list workflows.executions.list workflows.locations.list workflows.operations.list workflows.workflows.list workloadmanager.evaluations.list workloadmanager.executions.list workloadmanager.locations.list workloadmanager.operations.list workloadmanager.results.list workloadmanager.rules.list

KRM API Hosting roles

Role	Permissions
Config Controller Admin (`roles/krmapihosting.admin`) Full access to all Config Controller resources.	krmapihosting.* resourcemanager.projects.get resourcemanager.projects.list
Config Controller Viewer (`roles/krmapihosting.viewer`) Read-only access to all Config Controller resources.	krmapihosting.krmApiHosts.get krmapihosting.krmApiHosts.getIamPolicy krmapihosting.krmApiHosts.list krmapihosting.locations.* krmapihosting.operations.get krmapihosting.operations.list resourcemanager.projects.get resourcemanager.projects.list

Kubernetes Engine roles

Role	Permissions
Kubernetes Engine Admin (`roles/container.admin`) Provides access to full management of clusters and their Kubernetes API objects. To set a service account on nodes, you must also have the Service Account User role (`roles/iam.serviceAccountUser`) on the user-managed service account that your nodes will use. Lowest-level resources where you can grant this role: Project	container.* resourcemanager.projects.get resourcemanager.projects.list
Kubernetes Engine Cluster Admin (`roles/container.clusterAdmin`) Provides access to management of clusters. To set a service account on nodes, you must also have the Service Account User role (`roles/iam.serviceAccountUser`) on the user-managed service account that your nodes will use. Lowest-level resources where you can grant this role: Project	container.clusters.create container.clusters.delete container.clusters.get container.clusters.list container.clusters.update container.operations.* resourcemanager.projects.get resourcemanager.projects.list
Kubernetes Engine Cluster Viewer (`roles/container.clusterViewer`) Provides access to get and list GKE clusters.	container.clusters.get container.clusters.list resourcemanager.projects.get resourcemanager.projects.list
Kubernetes Engine Developer (`roles/container.developer`) Provides access to Kubernetes API objects inside clusters. Lowest-level resources where you can grant this role: Project	container.apiServices.* container.auditSinks.* container.backendConfigs.* container.bindings.* container.certificateSigningRequests.create container.certificateSigningRequests.delete container.certificateSigningRequests.get container.certificateSigningRequests.list container.certificateSigningRequests.update container.certificateSigningRequests.updateStatus container.clusterRoleBindings.get container.clusterRoleBindings.list container.clusterRoles.get container.clusterRoles.list container.clusters.get container.clusters.list container.componentStatuses.* container.configMaps.* container.controllerRevisions.get container.controllerRevisions.list container.cronJobs.* container.csiDrivers.* container.csiNodeInfos.* container.csiNodes.* container.customResourceDefinitions.* container.daemonSets.* container.deployments.* container.endpointSlices.* container.endpoints.* container.events.* container.frontendConfigs.* container.horizontalPodAutoscalers.* container.ingresses.* container.initializerConfigurations.* container.jobs.* container.leases.* container.limitRanges.* container.localSubjectAccessReviews.* container.managedCertificates.* container.mutatingWebhookConfigurations.get container.mutatingWebhookConfigurations.list container.namespaces.* container.networkPolicies.* container.nodes.* container.persistentVolumeClaims.* container.persistentVolumes.* container.petSets.* container.podDisruptionBudgets.* container.podPresets.* container.podSecurityPolicies.get container.podSecurityPolicies.list container.podTemplates.* container.pods.* container.priorityClasses.* container.replicaSets.* container.replicationControllers.* container.resourceQuotas.* container.roleBindings.get container.roleBindings.list container.roles.get container.roles.list container.runtimeClasses.* container.scheduledJobs.* container.secrets.* container.selfSubjectAccessReviews.* container.selfSubjectRulesReviews.create container.serviceAccounts.* container.services.* container.statefulSets.* container.storageClasses.* container.storageStates.* container.storageVersionMigrations.* container.subjectAccessReviews.* container.thirdPartyObjects.* container.thirdPartyResources.* container.tokenReviews.create container.updateInfos.* container.validatingWebhookConfigurations.get container.validatingWebhookConfigurations.list container.volumeAttachments.* container.volumeSnapshotClasses.* container.volumeSnapshotContents.* container.volumeSnapshots.* resourcemanager.projects.get resourcemanager.projects.list
Kubernetes Engine Host Service Agent User (`roles/container.hostServiceAgentUser`) Allows the Kubernetes Engine service account in the host project to configure shared network resources for cluster management. Also gives access to inspect the firewall rules in the host project.	compute.firewalls.get container.hostServiceAgent.use dns.networks.bindDNSResponsePolicy dns.networks.bindPrivateDNSPolicy dns.networks.bindPrivateDNSZone dns.responsePolicies.* dns.responsePolicyRules.*
Kubernetes Engine Node Service Account (`roles/container.nodeServiceAccount`) Least privilege role to use as the service account for GKE Nodes.	autoscaling.sites.writeMetrics logging.logEntries.create monitoring.metricDescriptors.create monitoring.metricDescriptors.list monitoring.timeSeries.create resourcemanager.projects.get resourcemanager.projects.list storage.objects.get storage.objects.list
Kubernetes Engine Viewer (`roles/container.viewer`) Provides read-only access to resources within GKE clusters, such as nodes, pods, and GKE API objects. Lowest-level resources where you can grant this role: Project	container.apiServices.get container.apiServices.getStatus container.apiServices.list container.auditSinks.get container.auditSinks.list container.backendConfigs.get container.backendConfigs.list container.bindings.get container.bindings.list container.certificateSigningRequests.get container.certificateSigningRequests.getStatus container.certificateSigningRequests.list container.clusterRoleBindings.get container.clusterRoleBindings.list container.clusterRoles.get container.clusterRoles.list container.clusters.get container.clusters.list container.componentStatuses.* container.configMaps.get container.configMaps.list container.controllerRevisions.get container.controllerRevisions.list container.cronJobs.get container.cronJobs.getStatus container.cronJobs.list container.csiDrivers.get container.csiDrivers.list container.csiNodeInfos.get container.csiNodeInfos.list container.csiNodes.get container.csiNodes.list container.customResourceDefinitions.get container.customResourceDefinitions.getStatus container.customResourceDefinitions.list container.daemonSets.get container.daemonSets.getStatus container.daemonSets.list container.deployments.get container.deployments.getScale container.deployments.getStatus container.deployments.list container.endpointSlices.get container.endpointSlices.list container.endpoints.get container.endpoints.list container.events.get container.events.list container.frontendConfigs.get container.frontendConfigs.list container.horizontalPodAutoscalers.get container.horizontalPodAutoscalers.getStatus container.horizontalPodAutoscalers.list container.ingresses.get container.ingresses.getStatus container.ingresses.list container.initializerConfigurations.get container.initializerConfigurations.list container.jobs.get container.jobs.getStatus container.jobs.list container.leases.get container.leases.list container.limitRanges.get container.limitRanges.list container.managedCertificates.get container.managedCertificates.list container.mutatingWebhookConfigurations.get container.mutatingWebhookConfigurations.list container.namespaces.get container.namespaces.getStatus container.namespaces.list container.networkPolicies.get container.networkPolicies.list container.nodes.get container.nodes.getStatus container.nodes.list container.operations.* container.persistentVolumeClaims.get container.persistentVolumeClaims.getStatus container.persistentVolumeClaims.list container.persistentVolumes.get container.persistentVolumes.getStatus container.persistentVolumes.list container.petSets.get container.petSets.list container.podDisruptionBudgets.get container.podDisruptionBudgets.getStatus container.podDisruptionBudgets.list container.podPresets.get container.podPresets.list container.podSecurityPolicies.get container.podSecurityPolicies.list container.podTemplates.get container.podTemplates.list container.pods.get container.pods.getStatus container.pods.list container.priorityClasses.get container.priorityClasses.list container.replicaSets.get container.replicaSets.getScale container.replicaSets.getStatus container.replicaSets.list container.replicationControllers.get container.replicationControllers.getScale container.replicationControllers.getStatus container.replicationControllers.list container.resourceQuotas.get container.resourceQuotas.getStatus container.resourceQuotas.list container.roleBindings.get container.roleBindings.list container.roles.get container.roles.list container.runtimeClasses.get container.runtimeClasses.list container.scheduledJobs.get container.scheduledJobs.list container.serviceAccounts.get container.serviceAccounts.list container.services.get container.services.getStatus container.services.list container.statefulSets.get container.statefulSets.getScale container.statefulSets.getStatus container.statefulSets.list container.storageClasses.get container.storageClasses.list container.storageStates.get container.storageStates.getStatus container.storageStates.list container.storageVersionMigrations.get container.storageVersionMigrations.getStatus container.storageVersionMigrations.list container.thirdPartyObjects.get container.thirdPartyObjects.list container.thirdPartyResources.get container.thirdPartyResources.list container.tokenReviews.create container.updateInfos.get container.updateInfos.list container.validatingWebhookConfigurations.get container.validatingWebhookConfigurations.list container.volumeAttachments.get container.volumeAttachments.getStatus container.volumeAttachments.list container.volumeSnapshotClasses.get container.volumeSnapshotClasses.list container.volumeSnapshotContents.get container.volumeSnapshotContents.getStatus container.volumeSnapshotContents.list container.volumeSnapshots.get container.volumeSnapshots.list resourcemanager.projects.get resourcemanager.projects.list

Live Stream roles

Role	Permissions
Live Stream Editor ^Beta (`roles/livestream.editor`) Full access to Live Stream resources.	livestream.* resourcemanager.projects.get resourcemanager.projects.list
Live Stream Viewer ^Beta (`roles/livestream.viewer`) Read access to Live Stream resources.	livestream.channels.get livestream.channels.list livestream.events.get livestream.events.list livestream.inputs.get livestream.inputs.list livestream.locations.* livestream.operations.get livestream.operations.list resourcemanager.projects.get resourcemanager.projects.list

Logging roles

Role	Permissions
Logging Admin (`roles/logging.admin`) Provides all permissions necessary to use all features of Cloud Logging. Lowest-level resources where you can grant this role: Project	logging.buckets.copyLogEntries logging.buckets.create logging.buckets.delete logging.buckets.get logging.buckets.list logging.buckets.undelete logging.buckets.update logging.cmekSettings.* logging.exclusions.* logging.fields.access logging.links.* logging.locations.* logging.logEntries.* logging.logMetrics.* logging.logServiceIndexes.list logging.logServices.list logging.logs.* logging.notificationRules.* logging.operations.* logging.privateLogEntries.list logging.queries.* logging.sinks.* logging.usage.get logging.views.* resourcemanager.projects.get resourcemanager.projects.list
Logs Bucket Writer (`roles/logging.bucketWriter`) Ability to write logs to a log bucket. Lowest-level resources where you can grant this role: Project	logging.buckets.write
Logs Configuration Writer (`roles/logging.configWriter`) Provides permissions to read and write the configurations of logs-based metrics and sinks for exporting logs. Lowest-level resources where you can grant this role: Project	logging.buckets.create logging.buckets.delete logging.buckets.get logging.buckets.list logging.buckets.undelete logging.buckets.update logging.cmekSettings.* logging.exclusions.* logging.links.* logging.locations.* logging.logMetrics.* logging.logServiceIndexes.list logging.logServices.list logging.logs.list logging.notificationRules.* logging.operations.* logging.sinks.* logging.views.create logging.views.delete logging.views.get logging.views.list logging.views.update resourcemanager.projects.get resourcemanager.projects.list
Log Field Accessor (`roles/logging.fieldAccessor`) Ability to read restricted fields in a log bucket. Lowest-level resources where you can grant this role: Project	logging.fields.access
Log Link Accessor ^Beta (`roles/logging.linkViewer`) Ability to see links for a bucket.	logging.links.get logging.links.list
Logs Writer (`roles/logging.logWriter`) Provides the permissions to write log entries. Lowest-level resources where you can grant this role: Project	logging.logEntries.create
Private Logs Viewer (`roles/logging.privateLogViewer`) Provides permissions of the Logs Viewer role and in addition, provides read-only access to log entries in private logs. Lowest-level resources where you can grant this role: Project	logging.buckets.get logging.buckets.list logging.exclusions.get logging.exclusions.list logging.links.get logging.links.list logging.locations.* logging.logEntries.list logging.logMetrics.get logging.logMetrics.list logging.logServiceIndexes.list logging.logServices.list logging.logs.list logging.privateLogEntries.list logging.queries.create logging.queries.delete logging.queries.get logging.queries.list logging.queries.listShared logging.queries.update logging.sinks.get logging.sinks.list logging.usage.get logging.views.access logging.views.get logging.views.list resourcemanager.projects.get
Logs View Accessor (`roles/logging.viewAccessor`) Ability to read logs in a view. Lowest-level resources where you can grant this role: Project	logging.logEntries.download logging.views.access logging.views.listLogs logging.views.listResourceKeys logging.views.listResourceValues
Logs Viewer (`roles/logging.viewer`) Provides access to view logs. Lowest-level resources where you can grant this role: Project	logging.buckets.get logging.buckets.list logging.exclusions.get logging.exclusions.list logging.links.get logging.links.list logging.locations.* logging.logEntries.list logging.logMetrics.get logging.logMetrics.list logging.logServiceIndexes.list logging.logServices.list logging.logs.list logging.operations.get logging.operations.list logging.queries.create logging.queries.delete logging.queries.get logging.queries.list logging.queries.listShared logging.queries.update logging.sinks.get logging.sinks.list logging.usage.get logging.views.get logging.views.list resourcemanager.projects.get

Maps API Admin roles

Role	Permissions
Maps API Admin (`roles/mapsadmin.admin`) Read and Write all Maps Management and Maps Styles Resources.	mapsadmin.* resourcemanager.projects.get resourcemanager.projects.list
Maps API Viewer (`roles/mapsadmin.viewer`) Read all Maps Management and Maps Styles Resources.	mapsadmin.clientMaps.get mapsadmin.clientMaps.list mapsadmin.clientStyleSheetSnapshots.list mapsadmin.clientStyles.get mapsadmin.clientStyles.list mapsadmin.styleEditorConfigs.get mapsadmin.styleSnapshots.list resourcemanager.projects.get resourcemanager.projects.list

Memorystore Memcache roles

Role	Permissions
Cloud Memorystore Memcached Admin (`roles/memcache.admin`) Full access to Memcached instances and related resources.	compute.networks.list memcache.* resourcemanager.projects.get resourcemanager.projects.list
Cloud Memorystore Memcached Editor (`roles/memcache.editor`) Read-Write access to Memcached instances and related resources.	memcache.instances.applyParameters memcache.instances.get memcache.instances.list memcache.instances.update memcache.instances.updateParameters memcache.locations.* memcache.operations.* resourcemanager.projects.get resourcemanager.projects.list
Cloud Memorystore Memcached Viewer (`roles/memcache.viewer`) Read-only access to Memcached instances and related resources.	memcache.instances.get memcache.instances.list memcache.locations.* memcache.operations.get memcache.operations.list resourcemanager.projects.get resourcemanager.projects.list

Memorystore Redis roles

Role	Permissions
Cloud Memorystore Redis Admin (`roles/redis.admin`) Full control for all Memorystore for Redis resources.	compute.networks.list redis.* resourcemanager.projects.get resourcemanager.projects.list serviceusage.services.use
Cloud Memorystore Redis Editor (`roles/redis.editor`) Manage Memorystore for Redis instances. Can't create or delete instances.	compute.networks.list redis.instances.failover redis.instances.get redis.instances.list redis.instances.update redis.locations.* redis.operations.* resourcemanager.projects.get resourcemanager.projects.list serviceusage.services.use
Cloud Memorystore Redis Viewer (`roles/redis.viewer`) Read-only access to all Memorystore for Redis resources.	redis.instances.get redis.instances.list redis.locations.* redis.operations.get redis.operations.list resourcemanager.projects.get resourcemanager.projects.list serviceusage.services.use

Mesh Management roles

Role	Permissions
Mesh Config Admin ^Beta (`roles/meshconfig.admin`) Full access to all mesh configuration resources	meshconfig.*
Mesh Config Viewer ^Beta (`roles/meshconfig.viewer`) Read access to mesh configuration	meshconfig.projects.get

Migration Center roles

Role	Permissions
Migration Center Admin ^Beta (`roles/migrationcenter.admin`) Full access to Migration Center all resources.	migrationcenter.* resourcemanager.projects.get resourcemanager.projects.list rma.*
Migration Center Viewer ^Beta (`roles/migrationcenter.viewer`) Read-only access to Migration Center all resources.	migrationcenter.assets.get migrationcenter.assets.list migrationcenter.groups.get migrationcenter.groups.list migrationcenter.importJobs.get migrationcenter.importJobs.list migrationcenter.locations.* migrationcenter.operations.get migrationcenter.operations.list migrationcenter.sources.get migrationcenter.sources.list resourcemanager.projects.get resourcemanager.projects.list

Monitoring roles

Role	Permissions
Monitoring Admin (`roles/monitoring.admin`) Provides the same access as the Monitoring Editor role (`roles/monitoring.editor`). Lowest-level resources where you can grant this role: Project	cloudnotifications.activities.list monitoring.* opsconfigmonitoring.* resourcemanager.projects.get resourcemanager.projects.list serviceusage.services.enable stackdriver.*
Monitoring AlertPolicy Editor ^Beta (`roles/monitoring.alertPolicyEditor`) Read/write access to alerting policies.	monitoring.alertPolicies.*
Monitoring AlertPolicy Viewer ^Beta (`roles/monitoring.alertPolicyViewer`) Read-only access to alerting policies.	monitoring.alertPolicies.get monitoring.alertPolicies.list
Monitoring Dashboard Configuration Editor (`roles/monitoring.dashboardEditor`) Read/write access to dashboard configurations.	monitoring.dashboards.*
Monitoring Dashboard Configuration Viewer (`roles/monitoring.dashboardViewer`) Read-only access to dashboard configurations.	monitoring.dashboards.get monitoring.dashboards.list
Monitoring Editor (`roles/monitoring.editor`) Provides full access to information about all monitoring data and configurations. Lowest-level resources where you can grant this role: Project	cloudnotifications.activities.list monitoring.alertPolicies.* monitoring.dashboards.* monitoring.groups.* monitoring.metricDescriptors.* monitoring.monitoredResourceDescriptors.* monitoring.notificationChannelDescriptors.* monitoring.notificationChannels.create monitoring.notificationChannels.delete monitoring.notificationChannels.get monitoring.notificationChannels.list monitoring.notificationChannels.sendVerificationCode monitoring.notificationChannels.update monitoring.notificationChannels.verify monitoring.publicWidgets.* monitoring.services.* monitoring.slos.* monitoring.timeSeries.* monitoring.uptimeCheckConfigs.* opsconfigmonitoring.* resourcemanager.projects.get resourcemanager.projects.list serviceusage.services.enable stackdriver.*
Monitoring Metric Writer (`roles/monitoring.metricWriter`) Provides write-only access to metrics. This provides exactly the permissions needed by the Cloud Monitoring agent and other systems that send metrics. Lowest-level resources where you can grant this role: Project	monitoring.metricDescriptors.create monitoring.metricDescriptors.get monitoring.metricDescriptors.list monitoring.monitoredResourceDescriptors.* monitoring.timeSeries.create
Monitoring Metrics Scopes Admin ^Beta (`roles/monitoring.metricsScopesAdmin`) Access to add and remove monitored projects from metrics scopes.	monitoring.metricsScopes.link resourcemanager.projects.get resourcemanager.projects.list
Monitoring Metrics Scopes Viewer ^Beta (`roles/monitoring.metricsScopesViewer`) Read-only access to metrics scopes and their monitored projects.	resourcemanager.projects.get resourcemanager.projects.list
Monitoring NotificationChannel Editor ^Beta (`roles/monitoring.notificationChannelEditor`) Read/write access to notification channels.	monitoring.notificationChannelDescriptors.* monitoring.notificationChannels.create monitoring.notificationChannels.delete monitoring.notificationChannels.get monitoring.notificationChannels.list monitoring.notificationChannels.sendVerificationCode monitoring.notificationChannels.update monitoring.notificationChannels.verify
Monitoring NotificationChannel Viewer ^Beta (`roles/monitoring.notificationChannelViewer`) Read-only access to notification channels.	monitoring.notificationChannelDescriptors.* monitoring.notificationChannels.get monitoring.notificationChannels.list
Monitoring Services Editor (`roles/monitoring.servicesEditor`) Read/write access to services.	monitoring.services.* monitoring.slos.*
Monitoring Services Viewer (`roles/monitoring.servicesViewer`) Read-only access to services.	monitoring.services.get monitoring.services.list monitoring.slos.get monitoring.slos.list
Monitoring Uptime Check Configuration Editor ^Beta (`roles/monitoring.uptimeCheckConfigEditor`) Read/write access to uptime check configurations.	monitoring.uptimeCheckConfigs.*
Monitoring Uptime Check Configuration Viewer ^Beta (`roles/monitoring.uptimeCheckConfigViewer`) Read-only access to uptime check configurations.	monitoring.uptimeCheckConfigs.get monitoring.uptimeCheckConfigs.list
Monitoring Viewer (`roles/monitoring.viewer`) Provides read-only access to get and list information about all monitoring data and configurations. Lowest-level resources where you can grant this role: Project	cloudnotifications.activities.list monitoring.alertPolicies.get monitoring.alertPolicies.list monitoring.dashboards.get monitoring.dashboards.list monitoring.groups.get monitoring.groups.list monitoring.metricDescriptors.get monitoring.metricDescriptors.list monitoring.monitoredResourceDescriptors.* monitoring.notificationChannelDescriptors.* monitoring.notificationChannels.get monitoring.notificationChannels.list monitoring.publicWidgets.get monitoring.publicWidgets.list monitoring.services.get monitoring.services.list monitoring.slos.get monitoring.slos.list monitoring.timeSeries.list monitoring.uptimeCheckConfigs.get monitoring.uptimeCheckConfigs.list opsconfigmonitoring.resourceMetadata.list resourcemanager.projects.get resourcemanager.projects.list stackdriver.projects.get

Network Connectivity roles

Role Permissions

Hub & Spoke Admin
(roles/networkconnectivity.hubAdmin)

Enables full access to hub and spoke resources.

Lowest-level resources where you can grant this role:

Project

networkconnectivity.*
resourcemanager.projects.get
resourcemanager.projects.list

Hub & Spoke Viewer
(roles/networkconnectivity.hubViewer)

Enables read-only access to hub and spoke resources.

Lowest-level resources where you can grant this role:

Project

networkconnectivity.hubs.get
networkconnectivity.hubs.getIamPolicy
networkconnectivity.hubs.list
networkconnectivity.locations.*
networkconnectivity.spokes.get
networkconnectivity.spokes.getIamPolicy
networkconnectivity.spokes.list
resourcemanager.projects.get
resourcemanager.projects.list

Spoke Admin
(roles/networkconnectivity.spokeAdmin)

Enables full access to spoke resources and read-only access to hub resources.

Lowest-level resources where you can grant this role:

Project

networkconnectivity.hubs.get
networkconnectivity.hubs.getIamPolicy
networkconnectivity.hubs.list
networkconnectivity.locations.*
networkconnectivity.operations.get
networkconnectivity.operations.list
networkconnectivity.spokes.*
resourcemanager.projects.get
resourcemanager.projects.list

Network Management roles

Role Permissions

Network Management Admin
(roles/networkmanagement.admin)

Full access to Network Management resources.

Lowest-level resources where you can grant this role:

Project

networkmanagement.*
resourcemanager.organizations.get
resourcemanager.projects.get
resourcemanager.projects.list

Network Management Viewer
(roles/networkmanagement.viewer)

Read-only access to Network Management resources.

Lowest-level resources where you can grant this role:

Project

networkmanagement.config.get
networkmanagement.connectivitytests.get
networkmanagement.connectivitytests.getIamPolicy
networkmanagement.connectivitytests.list
networkmanagement.locations.*
networkmanagement.operations.*
resourcemanager.organizations.get
resourcemanager.projects.get
resourcemanager.projects.list

On-Demand Scanning roles

Role	Permissions
On-Demand Scanning Admin ^Beta (`roles/ondemandscanning.admin`) All permissions for On-Demand Scanning	ondemandscanning.*

Ops Config Monitoring roles

Role	Permissions
Ops Config Monitoring Resource Metadata Viewer ^Beta (`roles/opsconfigmonitoring.resourceMetadata.viewer`) Read-only access to resource metadata.	opsconfigmonitoring.resourceMetadata.list
Ops Config Monitoring Resource Metadata Writer ^Beta (`roles/opsconfigmonitoring.resourceMetadata.writer`) Write-only access to resource metadata. This provides exactly the permissions needed by the Ops Config Monitoring metadata agent and other systems that send metadata.	opsconfigmonitoring.resourceMetadata.write

Organization Policy roles

Role Permissions

Access Transparency Admin
(roles/axt.admin)

Enable Access Transparency for Organization

Lowest-level resources where you can grant this role:

Project

axt.*
resourcemanager.organizations.get
resourcemanager.projects.get
resourcemanager.projects.list

Organization Policy Administrator
(roles/orgpolicy.policyAdmin)

Provides access to define what restrictions an organization wants to place on the configuration of cloud resources by setting Organization Policies.

Lowest-level resources where you can grant this role:

Organization

orgpolicy.*

Organization Policy Viewer
(roles/orgpolicy.policyViewer)

Provides access to view Organization Policies on resources.

Lowest-level resources where you can grant this role:

Project

orgpolicy.constraints.list
orgpolicy.policies.list
orgpolicy.policy.get

Other roles

Role	Permissions
Advisory Notifications Viewer ^Beta (`roles/advisorynotifications.viewer`) Grants view access in Advisory Notifications	advisorynotifications.* resourcemanager.organizations.get
Autoscaling Metrics Writer ^Beta (`roles/autoscaling.metricsWriter`) Access to write metrics for autoscaling site	autoscaling.sites.writeMetrics
Autoscaling Recommendations Reader ^Beta (`roles/autoscaling.recommendationsReader`) Access to read recommendations from autoscaling site	autoscaling.sites.readRecommendations
Autoscaling Site Admin ^Beta (`roles/autoscaling.sitesAdmin`) Full access to all autoscaling site features	autoscaling.* resourcemanager.projects.get resourcemanager.projects.list
Autoscaling State Writer ^Beta (`roles/autoscaling.stateWriter`) Access to write state for autoscaling site	autoscaling.sites.writeState
Bare Metal Solution Admin (`roles/baremetalsolution.admin`) Administrator of Bare Metal Solution resources	baremetalsolution.* resourcemanager.projects.get resourcemanager.projects.list
Bare Metal Solution Editor (`roles/baremetalsolution.editor`) Editor of Bare Metal Solution resources	baremetalsolution.* resourcemanager.projects.get resourcemanager.projects.list
Bare Metal Solution Instances Admin (`roles/baremetalsolution.instancesadmin`) Admin of Bare Metal Solution Instance resources	baremetalsolution.instances.* resourcemanager.projects.get resourcemanager.projects.list
Bare Metal Solution Instances Viewer (`roles/baremetalsolution.instancesviewer`) Viewer of Bare Metal Solution Instance resources	baremetalsolution.instancequotas.list baremetalsolution.instances.get baremetalsolution.instances.list resourcemanager.projects.get resourcemanager.projects.list
Luns Admin (`roles/baremetalsolution.lunsadmin`) Administrator of Bare Metal Solution Lun resources	baremetalsolution.luns.get baremetalsolution.luns.list
Luns Viewer (`roles/baremetalsolution.lunsviewer`) Viewer of Bare Metal Solution Lun resources	baremetalsolution.luns.get baremetalsolution.luns.list
Networks Admin (`roles/baremetalsolution.networksadmin`) Admin of Bare Metal Solution networks resources	baremetalsolution.networkquotas.list baremetalsolution.networks.*
NFS Shares Admin (`roles/baremetalsolution.nfssharesadmin`) Administrator of Bare Metal Solution NFS Share resources	baremetalsolution.nfsshares.*
NFS Shares Editor (`roles/baremetalsolution.nfsshareseditor`) Editor of Bare Metal Solution NFS Share resources	baremetalsolution.nfsshares.*
NFS Shares Viewer (`roles/baremetalsolution.nfssharesviewer`) Viewer of Bare Metal Solution NFS Share resources	baremetalsolution.nfsshares.get baremetalsolution.nfsshares.list
Bare Metal Solution Storage Admin (`roles/baremetalsolution.storageadmin`) Administrator of Bare Metal Solution storage resources	baremetalsolution.luns.* baremetalsolution.nfsshares.* baremetalsolution.snapshotschedulepolicies.* baremetalsolution.volumequotas.list baremetalsolution.volumes.* baremetalsolution.volumesnapshots.* resourcemanager.projects.get resourcemanager.projects.list
Bare Metal Solution Viewer (`roles/baremetalsolution.viewer`) Viewer of Bare Metal Solution resources	baremetalsolution.instancequotas.list baremetalsolution.instances.get baremetalsolution.instances.list baremetalsolution.luns.get baremetalsolution.luns.list baremetalsolution.networkquotas.list baremetalsolution.networks.get baremetalsolution.networks.list baremetalsolution.nfsshares.get baremetalsolution.nfsshares.list baremetalsolution.snapshotschedulepolicies.get baremetalsolution.snapshotschedulepolicies.list baremetalsolution.volumequotas.list baremetalsolution.volumes.get baremetalsolution.volumes.list baremetalsolution.volumesnapshots.get baremetalsolution.volumesnapshots.list resourcemanager.projects.get resourcemanager.projects.list
Volume Admin (`roles/baremetalsolution.volumesadmin`) Administrator of Bare Metal Solution volume resources	baremetalsolution.volumes.*
Volumes Editor (`roles/baremetalsolution.volumeseditor`) Editor of Bare Metal Solution volumes resources	baremetalsolution.volumequotas.list baremetalsolution.volumes.*
Volumes Viewer (`roles/baremetalsolution.volumessviewer`) Viewer of Bare Metal Solution volumes resources	baremetalsolution.volumes.get baremetalsolution.volumes.list
Batch Agent Reporter ^Beta (`roles/batch.agentReporter`) Reporter of batch agent states.	batch.states.report
Batch Job Administrator ^Beta (`roles/batch.jobsAdmin`) Administrator of batch Jobs	batch.jobs.* batch.locations.* batch.operations.* batch.tasks.* resourcemanager.projects.get resourcemanager.projects.list
Batch Job Viewer ^Beta (`roles/batch.jobsViewer`) Viewer of Batch Jobs, Task Groups and Tasks	batch.jobs.get batch.jobs.list batch.locations.* batch.operations.* batch.tasks.* resourcemanager.projects.get resourcemanager.projects.list
MigrationWorkflow Editor (`roles/bigquerymigration.editor`) Editor of EDW migration workflows.	bigquerymigration.locations.* bigquerymigration.subtasks.get bigquerymigration.subtasks.list bigquerymigration.workflows.create bigquerymigration.workflows.delete bigquerymigration.workflows.get bigquerymigration.workflows.list bigquerymigration.workflows.update
Task Orchestrator (`roles/bigquerymigration.orchestrator`) Orchestrator of EDW migration tasks.	bigquerymigration.subtasks.create bigquerymigration.taskTypes.orchestrateTask bigquerymigration.workflows.orchestrateTask bigquerymigration.workflows.writeLogs storage.objects.list
Migration Translation User (`roles/bigquerymigration.translationUser`) User of EDW migration SQL translation service.	bigquerymigration.translation.translate
MigrationWorkflow Viewer (`roles/bigquerymigration.viewer`) Viewer of EDW migration MigrationWorkflow.	bigquerymigration.locations.* bigquerymigration.subtasks.get bigquerymigration.subtasks.list bigquerymigration.workflows.get bigquerymigration.workflows.list
Task Worker (`roles/bigquerymigration.worker`) Worker that executes EDW migration subtasks.	bigquerymigration.subtaskTypes.executeTask bigquerymigration.subtasks.executeTask bigquerymigration.workflows.writeLogs storage.objects.create storage.objects.get storage.objects.list
Carbon Footprint Viewer (`roles/billing.carbonViewer`)	billing.accounts.get billing.accounts.getCarbonInformation billing.accounts.list
Care Studio Patients Viewer (`roles/carestudio.viewer`) This role can view all properties of Patients.	carestudio.* resourcemanager.projects.get resourcemanager.projects.list
Chronicle Service Admin (`roles/chroniclesm.admin`) Admins can view and modify Chronicle service details.	chroniclesm.*
Chronicle Service Viewer (`roles/chroniclesm.viewer`) Viewers can see Chronicle service details but not change them.	chroniclesm.gcpAssociations.get chroniclesm.gcpSettings.get
Cloud Optimization AI Admin ^Beta (`roles/cloudoptimization.admin`) Administrator of Cloud Optimization AI resources	cloudoptimization.*
Cloud Optimization AI Editor ^Beta (`roles/cloudoptimization.editor`) Editor of Cloud Optimization AI resources	cloudoptimization.*
Cloud Optimization AI Viewer ^Beta (`roles/cloudoptimization.viewer`) Viewer of Cloud Optimization AI resources	cloudoptimization.operations.get
Contact Center AI Platform Admin (`roles/contactcenteraiplatform.admin`) Full access to Contact Center AI Platform resources.	contactcenteraiplatform.* resourcemanager.projects.get resourcemanager.projects.list
Contact Center AI Platform Viewer (`roles/contactcenteraiplatform.viewer`) Readonly access to Contact Center AI Platform resources.	contactcenteraiplatform.contactCenters.get contactcenteraiplatform.contactCenters.list contactcenteraiplatform.locations.* contactcenteraiplatform.operations.get contactcenteraiplatform.operations.list resourcemanager.projects.get resourcemanager.projects.list
Contact Center AI Insights editor ^Beta (`roles/contactcenterinsights.editor`) Grants read and write access to all Contact Center AI Insights resources.	contactcenterinsights.*
Contact Center AI Insights viewer ^Beta (`roles/contactcenterinsights.viewer`) Grants read access to all Contact Center AI Insights resources.	contactcenterinsights.analyses.get contactcenterinsights.analyses.list contactcenterinsights.conversations.get contactcenterinsights.conversations.list contactcenterinsights.issueModels.get contactcenterinsights.issueModels.list contactcenterinsights.issues.get contactcenterinsights.issues.list contactcenterinsights.operations.* contactcenterinsights.phraseMatchers.get contactcenterinsights.phraseMatchers.list contactcenterinsights.settings.get
GKE Security Posture Viewer ^Beta (`roles/containersecurity.viewer`) Readonly access to GKE Security Posture resources.	containersecurity.* resourcemanager.projects.get resourcemanager.projects.list
Content Warehouse Admin ^Beta (`roles/contentwarehouse.admin`) Grants full access to all the resources in Content Warehouse	contentwarehouse.* resourcemanager.projects.get resourcemanager.projects.list
Content Warehouse Document Admin ^Beta (`roles/contentwarehouse.documentAdmin`) Grants full access to the document resource in Content Warehouse	contentwarehouse.documentSchemas.get contentwarehouse.documents.* contentwarehouse.rawDocuments.* resourcemanager.projects.get resourcemanager.projects.list
Content Warehouse document creator ^Beta (`roles/contentwarehouse.documentCreator`) Grants access to create document in Content Warehouse	contentwarehouse.documentSchemas.get contentwarehouse.documentSchemas.list contentwarehouse.documents.create resourcemanager.projects.get resourcemanager.projects.list
Content Warehouse Document Editor ^Beta (`roles/contentwarehouse.documentEditor`) Grants access to update document resource in Content Warehouse	contentwarehouse.documentSchemas.get contentwarehouse.documents.get contentwarehouse.documents.getIamPolicy contentwarehouse.documents.update contentwarehouse.rawDocuments.* resourcemanager.projects.get resourcemanager.projects.list
Content Warehouse document schema viewer ^Beta (`roles/contentwarehouse.documentSchemaViewer`) Grants access to view the document schemas in Content Warehouse	contentwarehouse.documentSchemas.get contentwarehouse.documentSchemas.list resourcemanager.projects.get resourcemanager.projects.list
Content Warehouse Viewer ^Beta (`roles/contentwarehouse.documentViewer`) Grants access to view all the resources in Content Warehouse	contentwarehouse.documentSchemas.get contentwarehouse.documents.get contentwarehouse.documents.getIamPolicy contentwarehouse.rawDocuments.download resourcemanager.projects.get resourcemanager.projects.list
Data Processing Controls Resource Admin (`roles/dataprocessing.admin`) Data processing controls admin who can fully manage data processing controls settings and view all datasource data.	billing.accounts.get billing.accounts.list dataprocessing.*
Data Processing Controls Data Source Manager (`roles/dataprocessing.dataSourceManager`) Data processing controls data source manager who can get, list, and update the underlying data.	dataprocessing.datasources.list dataprocessing.datasources.update
Early Access Center Administrator (`roles/earlyaccesscenter.admin`) Grants full access to the Early Access Center, including access to all DATA_READ and DATA_WRITE permissions. Including the ability to enroll into Early Access Campaigns.	earlyaccesscenter.*
Early Access Center Viewer (`roles/earlyaccesscenter.viewer`) Grants view access to the Early Access Center, including access to all DATA_READ but no DATA_WRITE permissions.	earlyaccesscenter.campaigns.get earlyaccesscenter.campaigns.list earlyaccesscenter.customerAllowlists.*
Essential Contacts Admin (`roles/essentialcontacts.admin`) Full access to all essential contacts	essentialcontacts.*
Essential Contacts Viewer (`roles/essentialcontacts.viewer`) Viewer for all essential contacts	essentialcontacts.contacts.get essentialcontacts.contacts.list
Firebase Cloud Messaging API Admin ^Beta (`roles/firebasecloudmessaging.admin`) Full read/write access to Firebase Cloud Messaging API resources.	cloudmessaging.messages.create fcmdata.deliverydata.list resourcemanager.projects.get resourcemanager.projects.list
Firebase Crash Symbol Uploader (`roles/firebasecrash.symbolMappingsAdmin`) Full read/write access to symbol mapping file resources for Firebase Crash Reporting.	firebase.clients.get firebase.clients.list resourcemanager.projects.get
Identity Platform Admin ^Beta (`roles/identityplatform.admin`) Full access to Identity Platform resources.	firebaseauth.*
Identity Platform Viewer ^Beta (`roles/identityplatform.viewer`) Read access to Identity Platform resources.	firebaseauth.configs.get firebaseauth.users.get
Identity Toolkit Admin (`roles/identitytoolkit.admin`) Full access to Identity Toolkit resources.	firebaseauth.*
Identity Toolkit Viewer (`roles/identitytoolkit.viewer`) Read access to Identity Toolkit resources.	firebaseauth.configs.get firebaseauth.users.get
Apigee Integration Admin (`roles/integrations.apigeeIntegrationAdminRole`) A user that has full access to all Apigee integrations.	integrations.apigeeAuthConfigs.* integrations.apigeeCertificates.* integrations.apigeeExecutions.list integrations.apigeeIntegrationVers.* integrations.apigeeIntegrations.* integrations.apigeeSfdcChannels.* integrations.apigeeSfdcInstances.* integrations.apigeeSuspensions.* integrations.authConfigs.* integrations.certificates.* integrations.executions.list integrations.integrationVersions.create integrations.integrationVersions.delete integrations.integrationVersions.deploy integrations.integrationVersions.get integrations.integrationVersions.list integrations.integrationVersions.update integrations.integrations.* integrations.sfdcChannels.* integrations.sfdcInstances.* integrations.suspensions.* resourcemanager.projects.get resourcemanager.projects.list
Apigee Integration Deployer (`roles/integrations.apigeeIntegrationDeployerRole`) A developer that can deploy/undeploy Apigee integrations to the integration runtime.	integrations.apigeeIntegrationVers.deploy integrations.apigeeIntegrationVers.get integrations.apigeeIntegrationVers.list integrations.apigeeIntegrations.list integrations.integrationVersions.deploy integrations.integrationVersions.get integrations.integrationVersions.list integrations.integrations.deploy integrations.integrations.get integrations.integrations.list resourcemanager.projects.get resourcemanager.projects.list
Apigee Integration Editor (`roles/integrations.apigeeIntegrationEditorRole`) A developer that can list, create and update Apigee integrations.	integrations.apigeeAuthConfigs.create integrations.apigeeAuthConfigs.get integrations.apigeeAuthConfigs.list integrations.apigeeAuthConfigs.update integrations.apigeeCertificates.create integrations.apigeeCertificates.get integrations.apigeeCertificates.list integrations.apigeeCertificates.update integrations.apigeeExecutions.list integrations.apigeeIntegrationVers.* integrations.apigeeIntegrations.* integrations.apigeeSfdcChannels.create integrations.apigeeSfdcChannels.get integrations.apigeeSfdcChannels.list integrations.apigeeSfdcChannels.update integrations.apigeeSfdcInstances.create integrations.apigeeSfdcInstances.get integrations.apigeeSfdcInstances.list integrations.apigeeSfdcInstances.update integrations.authConfigs.create integrations.authConfigs.get integrations.authConfigs.list integrations.authConfigs.update integrations.certificates.get integrations.executions.list integrations.integrationVersions.create integrations.integrationVersions.delete integrations.integrationVersions.deploy integrations.integrationVersions.get integrations.integrationVersions.list integrations.integrationVersions.update integrations.integrations.create integrations.integrations.get integrations.integrations.invoke integrations.integrations.list integrations.integrations.update integrations.sfdcChannels.* integrations.sfdcInstances.* resourcemanager.projects.get resourcemanager.projects.list
Apigee Integration Invoker (`roles/integrations.apigeeIntegrationInvokerRole`) A role that can invoke Apigee integrations.	integrations.apigeeExecutions.list integrations.apigeeIntegrationVers.get integrations.apigeeIntegrationVers.list integrations.apigeeIntegrations.* integrations.executions.list integrations.integrationVersions.get integrations.integrationVersions.invoke integrations.integrationVersions.list integrations.integrations.get integrations.integrations.invoke integrations.integrations.list resourcemanager.projects.get resourcemanager.projects.list
Apigee Integration Viewer (`roles/integrations.apigeeIntegrationsViewer`) A developer that can list and view Apigee integrations.	integrations.apigeeAuthConfigs.list integrations.apigeeCertificates.list integrations.apigeeIntegrationVers.get integrations.apigeeIntegrationVers.list integrations.apigeeIntegrations.list integrations.apigeeSfdcChannels.list integrations.apigeeSfdcInstances.list integrations.authConfigs.get integrations.authConfigs.list integrations.certificates.get integrations.certificates.list integrations.executions.list integrations.integrationVersions.get integrations.integrationVersions.list integrations.integrations.get integrations.integrations.list integrations.sfdcChannels.list integrations.sfdcInstances.list resourcemanager.projects.get resourcemanager.projects.list
Apigee Integration Approver (`roles/integrations.apigeeSuspensionResolver`) A role that can approve / reject Apigee integrations that contain a suspension/wait task.	integrations.apigeeSuspensions.* integrations.suspensions.* resourcemanager.projects.get resourcemanager.projects.list
Certificate Viewer (`roles/integrations.certificateViewer`) A developer that can list and view Certificates.	integrations.certificates.get resourcemanager.projects.get resourcemanager.projects.list
Application Integration Admin (`roles/integrations.integrationAdmin`) A user that has full access (CRUD) to all integrations.	integrations.apigeeAuthConfigs.* integrations.apigeeCertificates.* integrations.apigeeExecutions.list integrations.apigeeIntegrationVers.* integrations.apigeeIntegrations.* integrations.apigeeSfdcChannels.* integrations.apigeeSfdcInstances.* integrations.apigeeSuspensions.* integrations.authConfigs.* integrations.certificates.* integrations.executions.list integrations.integrationVersions.create integrations.integrationVersions.delete integrations.integrationVersions.deploy integrations.integrationVersions.get integrations.integrationVersions.list integrations.integrationVersions.update integrations.integrations.* integrations.sfdcChannels.* integrations.sfdcInstances.* integrations.suspensions.* resourcemanager.projects.get resourcemanager.projects.list
Application Integration Deployer (`roles/integrations.integrationDeployer`) A developer that can deploy/undeploy integrations to the integration runtime.	integrations.apigeeIntegrationVers.deploy integrations.apigeeIntegrationVers.get integrations.apigeeIntegrationVers.list integrations.apigeeIntegrations.list integrations.integrationVersions.deploy integrations.integrationVersions.get integrations.integrationVersions.list integrations.integrations.deploy integrations.integrations.get integrations.integrations.list resourcemanager.projects.get resourcemanager.projects.list
Application Integration Editor (`roles/integrations.integrationEditor`) A developer that can list, create and update integrations.	integrations.apigeeAuthConfigs.create integrations.apigeeAuthConfigs.get integrations.apigeeAuthConfigs.list integrations.apigeeAuthConfigs.update integrations.apigeeCertificates.create integrations.apigeeCertificates.get integrations.apigeeCertificates.list integrations.apigeeCertificates.update integrations.apigeeExecutions.list integrations.apigeeIntegrationVers.* integrations.apigeeIntegrations.* integrations.apigeeSfdcChannels.create integrations.apigeeSfdcChannels.get integrations.apigeeSfdcChannels.list integrations.apigeeSfdcChannels.update integrations.apigeeSfdcInstances.create integrations.apigeeSfdcInstances.get integrations.apigeeSfdcInstances.list integrations.apigeeSfdcInstances.update integrations.authConfigs.create integrations.authConfigs.get integrations.authConfigs.list integrations.authConfigs.update integrations.certificates.get integrations.executions.list integrations.integrationVersions.create integrations.integrationVersions.delete integrations.integrationVersions.deploy integrations.integrationVersions.get integrations.integrationVersions.list integrations.integrationVersions.update integrations.integrations.create integrations.integrations.get integrations.integrations.invoke integrations.integrations.list integrations.integrations.update integrations.sfdcChannels.* integrations.sfdcInstances.* resourcemanager.projects.get resourcemanager.projects.list
Application Integration Invoker (`roles/integrations.integrationInvoker`) A role that can invoke integrations.	integrations.apigeeExecutions.list integrations.apigeeIntegrationVers.get integrations.apigeeIntegrationVers.list integrations.apigeeIntegrations.* integrations.executions.list integrations.integrationVersions.get integrations.integrationVersions.invoke integrations.integrationVersions.list integrations.integrations.get integrations.integrations.invoke integrations.integrations.list resourcemanager.projects.get resourcemanager.projects.list
Application Integration Viewer (`roles/integrations.integrationViewer`) A developer that can list and view integrations.	integrations.apigeeAuthConfigs.list integrations.apigeeCertificates.list integrations.apigeeIntegrationVers.get integrations.apigeeIntegrationVers.list integrations.apigeeIntegrations.list integrations.apigeeSfdcChannels.list integrations.apigeeSfdcInstances.list integrations.authConfigs.get integrations.authConfigs.list integrations.certificates.get integrations.certificates.list integrations.executions.list integrations.integrationVersions.get integrations.integrationVersions.list integrations.integrations.get integrations.integrations.list integrations.sfdcChannels.list integrations.sfdcInstances.list resourcemanager.projects.get resourcemanager.projects.list
Security Integration Admin ^Beta (`roles/integrations.securityIntegrationAdmin`) A user that has full access to all Security integrations.	integrations.securityAuthConfigs.* integrations.securityExecutions.* integrations.securityIntegTempVers.* integrations.securityIntegrationVers.* integrations.securityIntegrations.*
Application Integration SFDC Instance Admin (`roles/integrations.sfdcInstanceAdmin`) A user that has full access (CRUD) to all SFDC instances.	integrations.sfdcChannels.* integrations.sfdcInstances.* resourcemanager.projects.get resourcemanager.projects.list
Application Integration SFDC Instance Editor (`roles/integrations.sfdcInstanceEditor`) A developer that can list, create and update integrations.	integrations.sfdcChannels.create integrations.sfdcChannels.get integrations.sfdcChannels.list integrations.sfdcChannels.update integrations.sfdcInstances.create integrations.sfdcInstances.get integrations.sfdcInstances.list integrations.sfdcInstances.update resourcemanager.projects.get resourcemanager.projects.list
Application Integration SFDC Instance Viewer (`roles/integrations.sfdcInstanceViewer`) A developer that can list and view SFDC instances.	integrations.sfdcChannels.get integrations.sfdcChannels.list integrations.sfdcInstances.get integrations.sfdcInstances.list resourcemanager.projects.get resourcemanager.projects.list
Application Integration Approver (`roles/integrations.suspensionResolver`) A role that can resolve suspended integrations.	integrations.apigeeSuspensions.* integrations.suspensions.* resourcemanager.projects.get resourcemanager.projects.list
Issuerswitch Admin ^Beta (`roles/issuerswitch.admin`) Access to all issuer switch roles	issuerswitch.* resourcemanager.projects.get resourcemanager.projects.list
Issuerswitch Resolutions Admin ^Beta (`roles/issuerswitch.resolutionsAdmin`) Full access to issuer switch resolutions	issuerswitch.complaintTransactions.list issuerswitch.complaints.* issuerswitch.disputes.* issuerswitch.operations.get resourcemanager.projects.get resourcemanager.projects.list
Issuerswitch Rules Admin ^Beta (`roles/issuerswitch.rulesAdmin`) Full access to issuer switch rules	issuerswitch.ruleMetadata.list issuerswitch.ruleMetadataValues.* issuerswitch.rules.list resourcemanager.projects.get resourcemanager.projects.list
Issuerswitch Rules Viewer ^Beta (`roles/issuerswitch.rulesViewer`) This role can view rules and related metadata.	issuerswitch.ruleMetadata.list issuerswitch.ruleMetadataValues.list issuerswitch.rules.list resourcemanager.projects.get resourcemanager.projects.list
Issuerswitch Transactions Viewer ^Beta (`roles/issuerswitch.transactionsViewer`) This role can view all transactions	issuerswitch.complaintTransactions.list issuerswitch.financialTransactions.list issuerswitch.mandateTransactions.list issuerswitch.metadataTransactions.list issuerswitch.operations.get issuerswitch.operations.list resourcemanager.projects.get resourcemanager.projects.list
OAuth Config Editor ^Beta (`roles/oauthconfig.editor`) Read/write access to OAuth config resources	clientauthconfig.* oauthconfig.*
OAuth Config Viewer ^Beta (`roles/oauthconfig.viewer`) Read-only access to OAuth config resources	clientauthconfig.brands.get clientauthconfig.brands.list clientauthconfig.clients.get clientauthconfig.clients.list oauthconfig.clientpolicy.get oauthconfig.testusers.get oauthconfig.verification.get
Payments Reseller Admin ^Beta (`roles/paymentsresellersubscription.partnerAdmin`) Full access to all Payments Reseller resources, including subscriptions, products and promotions	paymentsresellersubscription.* resourcemanager.projects.get resourcemanager.projects.list
Payments Reseller Viewer ^Beta (`roles/paymentsresellersubscription.partnerViewer`) Read access to all Payments Reseller resources, including subscriptions, products and promotions	paymentsresellersubscription.products.list paymentsresellersubscription.promotions.list paymentsresellersubscription.subscriptions.get resourcemanager.projects.get resourcemanager.projects.list
Payments Reseller Products Viewer ^Beta (`roles/paymentsresellersubscription.productViewer`) Read access to Payments Reseller Product resource	paymentsresellersubscription.products.list resourcemanager.projects.get resourcemanager.projects.list
Payments Reseller Promotions Viewer ^Beta (`roles/paymentsresellersubscription.promotionViewer`) Read access to Payments Reseller Promotion resource	paymentsresellersubscription.promotions.list resourcemanager.projects.get resourcemanager.projects.list
Payments Reseller Subscriptions Editor ^Beta (`roles/paymentsresellersubscription.subscriptionEditor`) Write access to Payments Reseller Subscription resource	paymentsresellersubscription.subscriptions.* resourcemanager.projects.get resourcemanager.projects.list
Payments Reseller Subscriptions Viewer ^Beta (`roles/paymentsresellersubscription.subscriptionViewer`) Read access to Payments Reseller Subscription resource	paymentsresellersubscription.subscriptions.get resourcemanager.projects.get resourcemanager.projects.list
Activity Analysis Viewer ^Beta (`roles/policyanalyzer.activityAnalysisViewer`) Viewer user that can read all activity analysis.	policyanalyzer.*
Simulator Admin ^Beta (`roles/policysimulator.admin`) Admin user that can run and access replays.	policysimulator.*
Recommendations Exporter ^Beta (`roles/recommender.exporter`) Exporter of Recommendations	recommender.resources.export
Remote Build Execution Action Cache Writer ^Beta (`roles/remotebuildexecution.actionCacheWriter`) Remote Build Execution Action Cache Writer	remotebuildexecution.actions.set remotebuildexecution.blobs.create
Remote Build Execution Artifact Admin ^Beta (`roles/remotebuildexecution.artifactAdmin`) Remote Build Execution Artifact Admin	remotebuildexecution.actions.create remotebuildexecution.actions.delete remotebuildexecution.actions.get remotebuildexecution.blobs.* remotebuildexecution.logstreams.*
Remote Build Execution Artifact Creator ^Beta (`roles/remotebuildexecution.artifactCreator`) Remote Build Execution Artifact Creator	remotebuildexecution.actions.create remotebuildexecution.actions.get remotebuildexecution.blobs.* remotebuildexecution.logstreams.*
Remote Build Execution Artifact Viewer ^Beta (`roles/remotebuildexecution.artifactViewer`) Remote Build Execution Artifact Viewer	remotebuildexecution.actions.get remotebuildexecution.blobs.get remotebuildexecution.logstreams.get
Remote Build Execution Configuration Admin ^Beta (`roles/remotebuildexecution.configurationAdmin`) Remote Build Execution Configuration Admin	remotebuildexecution.instances.* remotebuildexecution.workerpools.*
Remote Build Execution Configuration Viewer ^Beta (`roles/remotebuildexecution.configurationViewer`) Remote Build Execution Configuration Viewer	remotebuildexecution.instances.get remotebuildexecution.instances.list remotebuildexecution.workerpools.get remotebuildexecution.workerpools.list
Remote Build Execution Logstream Writer ^Beta (`roles/remotebuildexecution.logstreamWriter`) Remote Build Execution Logstream Writer	remotebuildexecution.logstreams.create remotebuildexecution.logstreams.update
Remote Build Execution Reservation Admin ^Beta (`roles/remotebuildexecution.reservationAdmin`) Remote Build Execution Reservation Admin	remotebuildexecution.actions.create remotebuildexecution.actions.delete remotebuildexecution.actions.get
Remote Build Execution Worker ^Beta (`roles/remotebuildexecution.worker`) Remote Build Execution Worker	remotebuildexecution.actions.update remotebuildexecution.blobs.* remotebuildexecution.botsessions.* remotebuildexecution.logstreams.create remotebuildexecution.logstreams.update
Retail Admin (`roles/retail.admin`) Full access to Retail api resources.	automlrecommendations.apiKeys.create automlrecommendations.apiKeys.delete automlrecommendations.catalogItems.* automlrecommendations.catalogs.* automlrecommendations.eventStores.getStats automlrecommendations.events.* automlrecommendations.placements.* automlrecommendations.recommendations.* retail.*
Retail Editor (`roles/retail.editor`) Full access to Retail api resources except purge, rejoin, and setSponsorship.	automlrecommendations.apiKeys.create automlrecommendations.apiKeys.delete automlrecommendations.catalogItems.* automlrecommendations.catalogs.* automlrecommendations.eventStores.getStats automlrecommendations.events.create automlrecommendations.events.list automlrecommendations.placements.* automlrecommendations.recommendations.* retail.attributesConfigs.addCatalogAttribute retail.attributesConfigs.exportCatalogAttributes retail.attributesConfigs.get retail.attributesConfigs.importCatalogAttributes retail.attributesConfigs.replaceCatalogAttribute retail.attributesConfigs.update retail.catalogs.* retail.controls.* retail.models.* retail.operations.* retail.placements.* retail.products.create retail.products.delete retail.products.export retail.products.get retail.products.import retail.products.list retail.products.update retail.retailProjects.get retail.servingConfigs.* retail.userEvents.create retail.userEvents.import
Retail Viewer (`roles/retail.viewer`) Grants access to read all resources in Retail.	automlrecommendations.catalogItems.get automlrecommendations.catalogItems.list automlrecommendations.catalogs.getStats automlrecommendations.catalogs.list automlrecommendations.eventStores.getStats automlrecommendations.events.list automlrecommendations.placements.getStats automlrecommendations.placements.list automlrecommendations.recommendations.list retail.attributesConfigs.exportCatalogAttributes retail.attributesConfigs.get retail.catalogs.completeQuery retail.catalogs.list retail.controls.export retail.controls.get retail.controls.list retail.models.list retail.operations.* retail.placements.* retail.products.export retail.products.get retail.products.list retail.retailProjects.get retail.servingConfigs.get retail.servingConfigs.list retail.servingConfigs.predict retail.servingConfigs.search
Cloud RuntimeConfig Admin (`roles/runtimeconfig.admin`) Full access to RuntimeConfig resources.	runtimeconfig.*
SLZ BQDW Blueprint Organization Level Remediator ^Beta (`roles/securedlandingzone.bqdwOrgRemediator`) Access to modify (remediate) resources in SLZ BQDW Blueprint at Organization.	accesscontextmanager.servicePerimeters.get accesscontextmanager.servicePerimeters.list accesscontextmanager.servicePerimeters.update
SLZ BQDW Blueprint Project Level Remediator ^Beta (`roles/securedlandingzone.bqdwProjectRemediator`) Access to modify (remediate) resources in SLZ BQDW Blueprint at Project.	bigquery.datasets.get bigquery.datasets.getIamPolicy bigquery.datasets.setIamPolicy bigquery.datasets.update cloudkms.cryptoKeys.get cloudkms.cryptoKeys.getIamPolicy cloudkms.cryptoKeys.list cloudkms.cryptoKeys.setIamPolicy cloudkms.cryptoKeys.update cloudkms.keyRings.getIamPolicy cloudkms.keyRings.setIamPolicy pubsub.topics.get pubsub.topics.getIamPolicy pubsub.topics.list pubsub.topics.setIamPolicy pubsub.topics.update resourcemanager.projects.update serviceusage.services.use storage.buckets.get storage.buckets.getIamPolicy storage.buckets.list storage.buckets.setIamPolicy storage.buckets.update
Overwatch Activator ^Beta (`roles/securedlandingzone.overwatchActivator`) This role can activate or suspend Overwatches	resourcemanager.projects.get resourcemanager.projects.list securedlandingzone.overwatches.activate securedlandingzone.overwatches.suspend
Overwatch Admin ^Beta (`roles/securedlandingzone.overwatchAdmin`) Full access to Overwatches	resourcemanager.projects.get resourcemanager.projects.list securedlandingzone.*
Overwatch Viewer ^Beta (`roles/securedlandingzone.overwatchViewer`) This role can view all properties of Overwatches	resourcemanager.projects.get resourcemanager.projects.list securedlandingzone.operations.get securedlandingzone.overwatches.get securedlandingzone.overwatches.list
Security Insights Viewer ^Beta (`roles/servicesecurityinsights.securityInsightsViewer`) Read-only access to Security Insights resources	servicesecurityinsights.*
Cloud Speech Administrator (`roles/speech.admin`) Grants full access to all resources in Speech-to-text	speech.*
Cloud Speech Client (`roles/speech.client`) Grants access to the recognition APIs.	speech.adaptations.execute speech.customClasses.get speech.customClasses.list speech.operations.get speech.operations.list speech.operations.wait speech.phraseSets.get speech.phraseSets.list speech.recognizers.get speech.recognizers.list speech.recognizers.recognize
Cloud Speech Editor (`roles/speech.editor`) Grants access to edit resources in Speech-to-text	speech.adaptations.execute speech.customClasses.* speech.operations.* speech.phraseSets.* speech.recognizers.*
Subscribe with Google Developer ^Beta (`roles/subscribewithgoogledeveloper.developer`) Access DevTools for Subscribe with Google	resourcemanager.projects.get resourcemanager.projects.list subscribewithgoogledeveloper.tools.get
Timeseries Insights DataSet Editor ^Beta (`roles/timeseriesinsights.datasetsEditor`) Edit access to DataSets.	timeseriesinsights.*
Timeseries Insights DataSet Owner ^Beta (`roles/timeseriesinsights.datasetsOwner`) Full access to DataSets.	timeseriesinsights.*
Timeseries Insights DataSet Viewer ^Beta (`roles/timeseriesinsights.datasetsViewer`) Read-only access (List and Query) to DataSets.	timeseriesinsights.datasets.evaluate timeseriesinsights.datasets.list timeseriesinsights.datasets.query timeseriesinsights.locations.*
Traffic Director Client ^Beta (`roles/trafficdirector.client`) Fetch service configurations and report metrics.	trafficdirector.*
Translation Hub Admin ^Beta (`roles/translationhub.admin`) Admin of Translation Hub	automl.models.get automl.models.list automl.models.predict cloudtranslate.glossaries.create cloudtranslate.glossaries.delete cloudtranslate.glossaries.get cloudtranslate.glossaries.list cloudtranslate.glossaries.predict resourcemanager.projects.get resourcemanager.projects.list translationhub.*
Translation Hub Portal User ^Beta (`roles/translationhub.portalUser`) Portal user of Translation Hub	automl.models.get automl.models.list automl.models.predict cloudtranslate.glossaries.get cloudtranslate.glossaries.list cloudtranslate.glossaries.predict resourcemanager.projects.get resourcemanager.projects.list translationhub.portals.get translationhub.portals.list
Visual Inspection AI Solution Editor (`roles/visualinspection.editor`) Read and write access to all Visual Inspection AI resources except visualinspection.locations.reportUsageMetrics	visualinspection.annotationSets.* visualinspection.annotationSpecs.* visualinspection.annotations.* visualinspection.datasets.* visualinspection.images.* visualinspection.locations.get visualinspection.locations.list visualinspection.modelEvaluations.* visualinspection.models.* visualinspection.modules.* visualinspection.operations.* visualinspection.solutionArtifacts.* visualinspection.solutions.*
Visual Inspection AI Usage Metrics Reporter (`roles/visualinspection.usageMetricsReporter`) ReportUsageMetric access to Visual Inspection AI Service	visualinspection.locations.reportUsageMetrics
Visual Inspection AI Viewer (`roles/visualinspection.viewer`) Read access to Visual Inspection AI resources	visualinspection.annotationSets.get visualinspection.annotationSets.list visualinspection.annotationSpecs.get visualinspection.annotationSpecs.list visualinspection.annotations.get visualinspection.annotations.list visualinspection.datasets.export visualinspection.datasets.get visualinspection.datasets.list visualinspection.images.get visualinspection.images.list visualinspection.locations.get visualinspection.locations.list visualinspection.modelEvaluations.* visualinspection.models.get visualinspection.models.list visualinspection.modules.get visualinspection.modules.list visualinspection.operations.* visualinspection.solutionArtifacts.get visualinspection.solutionArtifacts.list visualinspection.solutionArtifacts.predict visualinspection.solutions.get visualinspection.solutions.list

Project roles

Role Permissions

Browser
(roles/browser)

Read access to browse the hierarchy for a project, including the folder, organization, and allow policy. This role doesn't include permission to view resources in the project.

Lowest-level resources where you can grant this role:

Project

resourcemanager.folders.get
resourcemanager.folders.list
resourcemanager.organizations.get
resourcemanager.projects.get
resourcemanager.projects.getIamPolicy
resourcemanager.projects.list

Proximity Beacon roles

Role	Permissions
Beacon Attachment Editor (`roles/proximitybeacon.attachmentEditor`) Can create and delete attachments; can list and get a project's beacons; can list a project's namespaces.	proximitybeacon.attachments.* proximitybeacon.beacons.get proximitybeacon.beacons.list proximitybeacon.namespaces.list resourcemanager.projects.get resourcemanager.projects.list
Beacon Attachment Publisher (`roles/proximitybeacon.attachmentPublisher`) Grants necessary permissions to use beacons to create attachments in namespaces not owned by this project.	proximitybeacon.beacons.attach proximitybeacon.beacons.get proximitybeacon.beacons.list resourcemanager.projects.get resourcemanager.projects.list
Beacon Attachment Viewer (`roles/proximitybeacon.attachmentViewer`) Can view all attachments under a namespace; no beacon or namespace permissions.	proximitybeacon.attachments.get proximitybeacon.attachments.list resourcemanager.projects.get resourcemanager.projects.list
Beacon Editor (`roles/proximitybeacon.beaconEditor`) Necessary access to register, modify, and view beacons; no attachment or namespace permissions.	proximitybeacon.beacons.create proximitybeacon.beacons.get proximitybeacon.beacons.list proximitybeacon.beacons.update resourcemanager.projects.get resourcemanager.projects.list

Pub/Sub roles

Role	Permissions
Pub/Sub Admin (`roles/pubsub.admin`) Provides full access to topics and subscriptions. Lowest-level resources where you can grant this role: Schema Snapshot Subscription Topic	pubsub.* resourcemanager.projects.get serviceusage.quotas.get serviceusage.services.get serviceusage.services.list
Pub/Sub Editor (`roles/pubsub.editor`) Provides access to modify topics and subscriptions, and access to publish and consume messages. Lowest-level resources where you can grant this role: Schema Snapshot Subscription Topic	pubsub.schemas.attach pubsub.schemas.create pubsub.schemas.delete pubsub.schemas.get pubsub.schemas.list pubsub.schemas.validate pubsub.snapshots.create pubsub.snapshots.delete pubsub.snapshots.get pubsub.snapshots.list pubsub.snapshots.seek pubsub.snapshots.update pubsub.subscriptions.consume pubsub.subscriptions.create pubsub.subscriptions.delete pubsub.subscriptions.get pubsub.subscriptions.list pubsub.subscriptions.update pubsub.topics.attachSubscription pubsub.topics.create pubsub.topics.delete pubsub.topics.detachSubscription pubsub.topics.get pubsub.topics.list pubsub.topics.publish pubsub.topics.update pubsub.topics.updateTag resourcemanager.projects.get serviceusage.quotas.get serviceusage.services.get serviceusage.services.list
Pub/Sub Publisher (`roles/pubsub.publisher`) Provides access to publish messages to a topic. Lowest-level resources where you can grant this role: Topic	pubsub.topics.publish
Pub/Sub Subscriber (`roles/pubsub.subscriber`) Provides access to consume messages from a subscription and to attach subscriptions to a topic. Lowest-level resources where you can grant this role: Snapshot Subscription Topic	pubsub.snapshots.seek pubsub.subscriptions.consume pubsub.topics.attachSubscription
Pub/Sub Viewer (`roles/pubsub.viewer`) Provides access to view topics and subscriptions. Lowest-level resources where you can grant this role: Schema Snapshot Subscription Topic	pubsub.schemas.get pubsub.schemas.list pubsub.schemas.validate pubsub.snapshots.get pubsub.snapshots.list pubsub.subscriptions.get pubsub.subscriptions.list pubsub.topics.get pubsub.topics.list resourcemanager.projects.get serviceusage.quotas.get serviceusage.services.get serviceusage.services.list

Pub/Sub Lite roles

Role	Permissions
Pub/Sub Lite Admin (`roles/pubsublite.admin`) Full access to topics, subscriptions and reservations.	pubsublite.*
Pub/Sub Lite Editor (`roles/pubsublite.editor`) Modify topics, subscriptions and reservations, publish and consume messages.	pubsublite.*
Pub/Sub Lite Publisher (`roles/pubsublite.publisher`) Publish messages to a topic.	pubsublite.topics.getPartitions pubsublite.topics.publish
Pub/Sub Lite Subscriber (`roles/pubsublite.subscriber`) Subscribe to and read messages from a topic.	pubsublite.operations.get pubsublite.subscriptions.getCursor pubsublite.subscriptions.seek pubsublite.subscriptions.setCursor pubsublite.subscriptions.subscribe pubsublite.topics.computeHeadCursor pubsublite.topics.computeMessageStats pubsublite.topics.computeTimeCursor pubsublite.topics.getPartitions pubsublite.topics.subscribe
Pub/Sub Lite Viewer (`roles/pubsublite.viewer`) View topics, subscriptions and reservations.	pubsublite.operations.* pubsublite.reservations.get pubsublite.reservations.list pubsublite.reservations.listTopics pubsublite.subscriptions.get pubsublite.subscriptions.getCursor pubsublite.subscriptions.list pubsublite.topics.get pubsublite.topics.getPartitions pubsublite.topics.list pubsublite.topics.listSubscriptions

Rapid Migration Assessment roles

Role	Permissions
Rapid Migration Assessment Admin ^Beta (`roles/rma.admin`) Full access to Rapid Migration Assessment all resources.	resourcemanager.projects.get resourcemanager.projects.list rma.*
Rapid Migration Assessment Runner ^Beta (`roles/rma.runner`) Update and Read access to Rapid Migration Assessment all resources.	resourcemanager.projects.get resourcemanager.projects.list rma.annotations.get rma.collectors.get rma.collectors.list rma.collectors.update rma.locations.* rma.operations.get rma.operations.list
Rapid Migration Assessment Viewer ^Beta (`roles/rma.viewer`) Read-only access to Rapid Migration Assessment all resources.	resourcemanager.projects.get resourcemanager.projects.list rma.annotations.get rma.collectors.get rma.collectors.list rma.locations.* rma.operations.get rma.operations.list

reCAPTCHA Enterprise roles

Role	Permissions
reCAPTCHA Enterprise Admin ^Beta (`roles/recaptchaenterprise.admin`) Access to view and modify reCAPTCHA Enterprise keys	monitoring.timeSeries.list recaptchaenterprise.keys.* recaptchaenterprise.metrics.get recaptchaenterprise.projectmetadata.* resourcemanager.projects.get resourcemanager.projects.list
reCAPTCHA Enterprise Agent ^Beta (`roles/recaptchaenterprise.agent`) Access to create and annotate reCAPTCHA Enterprise assessments	recaptchaenterprise.assessments.* recaptchaenterprise.relatedaccountgroupmemberships.list recaptchaenterprise.relatedaccountgroups.list resourcemanager.projects.get resourcemanager.projects.list
reCAPTCHA Enterprise Viewer ^Beta (`roles/recaptchaenterprise.viewer`) Access to view reCAPTCHA Enterprise keys and metrics	monitoring.timeSeries.list recaptchaenterprise.keys.get recaptchaenterprise.keys.list recaptchaenterprise.metrics.get recaptchaenterprise.projectmetadata.get resourcemanager.projects.get resourcemanager.projects.list

Recommendations AI roles

Role	Permissions
Recommendations AI Admin ^Beta (`roles/automlrecommendations.admin`) Full access to all Recommendations AI resources.	automlrecommendations.* resourcemanager.projects.get resourcemanager.projects.list retail.catalogs.list retail.catalogs.update retail.operations.* retail.placements.* retail.products.create retail.products.delete retail.products.export retail.products.get retail.products.import retail.products.list retail.products.update retail.retailProjects.get retail.userEvents.* serviceusage.services.get serviceusage.services.list
Recommendations AI Admin Viewer ^Beta (`roles/automlrecommendations.adminViewer`) Viewer of all Recommendations AI resources.	automlrecommendations.apiKeys.list automlrecommendations.catalogItems.get automlrecommendations.catalogItems.list automlrecommendations.catalogs.getStats automlrecommendations.catalogs.list automlrecommendations.eventStores.getStats automlrecommendations.events.list automlrecommendations.placements.getStats automlrecommendations.placements.list automlrecommendations.recommendations.list resourcemanager.projects.get resourcemanager.projects.list retail.catalogs.list retail.operations.* retail.placements.* retail.products.export retail.products.get retail.products.list retail.retailProjects.get serviceusage.services.get serviceusage.services.list
Recommendations AI Editor ^Beta (`roles/automlrecommendations.editor`) Editor of all Recommendations AI resources.	automlrecommendations.apiKeys.create automlrecommendations.apiKeys.list automlrecommendations.catalogItems.* automlrecommendations.catalogs.getStats automlrecommendations.catalogs.list automlrecommendations.eventStores.getStats automlrecommendations.events.create automlrecommendations.events.list automlrecommendations.placements.create automlrecommendations.placements.getStats automlrecommendations.placements.list automlrecommendations.recommendations.create automlrecommendations.recommendations.list automlrecommendations.recommendations.pause automlrecommendations.recommendations.resume automlrecommendations.recommendations.update resourcemanager.projects.get resourcemanager.projects.list retail.catalogs.list retail.catalogs.update retail.operations.* retail.placements.* retail.products.create retail.products.delete retail.products.export retail.products.get retail.products.import retail.products.list retail.products.update retail.retailProjects.get retail.userEvents.create retail.userEvents.import serviceusage.services.get serviceusage.services.list
Recommendations AI Viewer ^Beta (`roles/automlrecommendations.viewer`) Viewer of all Recommendations AI resources except `apiKeys`. To view all resources, including `apiKeys`, grant the Recommendations AI Admin Viewer role (`roles/automlrecommendations.adminViewer`).	automlrecommendations.catalogItems.get automlrecommendations.catalogItems.list automlrecommendations.catalogs.getStats automlrecommendations.catalogs.list automlrecommendations.eventStores.getStats automlrecommendations.events.list automlrecommendations.placements.getStats automlrecommendations.placements.list automlrecommendations.recommendations.list resourcemanager.projects.get resourcemanager.projects.list retail.catalogs.list retail.operations.* retail.placements.* retail.products.export retail.products.get retail.products.list retail.retailProjects.get serviceusage.services.get serviceusage.services.list

Recommender roles

Role	Permissions
BigQuery Slot Recommender Admin ^Beta (`roles/recommender.bigQueryCapacityCommitmentsAdmin`) Admin of BigQuery Capacity Commitments insights and recommendations.	recommender.bigqueryCapacityCommitmentsInsights.* recommender.bigqueryCapacityCommitmentsRecommendations.* recommender.locations.* resourcemanager.projects.get resourcemanager.projects.list
BigQuery Recommender Billing Account Admin ^Beta (`roles/recommender.bigQueryCapacityCommitmentsBillingAccountAdmin`) Billing Account Admin of BigQuery Capacity Commitments insights and recommendations.	billing.accounts.get billing.accounts.list recommender.bigqueryCapacityCommitmentsInsights.* recommender.bigqueryCapacityCommitmentsRecommendations.*
BigQuery Recommender Billing Account Viewer ^Beta (`roles/recommender.bigQueryCapacityCommitmentsBillingAccountViewer`) Billing Account Viewer of BigQuery Capacity Commitments insights and recommendations.	billing.accounts.get billing.accounts.list recommender.bigqueryCapacityCommitmentsInsights.get recommender.bigqueryCapacityCommitmentsInsights.list recommender.bigqueryCapacityCommitmentsRecommendations.get recommender.bigqueryCapacityCommitmentsRecommendations.list
BigQuery Recommender Project Admin ^Beta (`roles/recommender.bigQueryCapacityCommitmentsProjectAdmin`) Project Admin of BigQuery Capacity Commitments insights and recommendations.	recommender.bigqueryCapacityCommitmentsInsights.* recommender.bigqueryCapacityCommitmentsRecommendations.* recommender.locations.* resourcemanager.projects.get resourcemanager.projects.list
BigQuery Recommender Project Viewer ^Beta (`roles/recommender.bigQueryCapacityCommitmentsProjectViewer`) Project Viewer of BigQuery Capacity Commitments insights and recommendations.	recommender.bigqueryCapacityCommitmentsInsights.get recommender.bigqueryCapacityCommitmentsInsights.list recommender.bigqueryCapacityCommitmentsRecommendations.get recommender.bigqueryCapacityCommitmentsRecommendations.list recommender.locations.* resourcemanager.projects.get resourcemanager.projects.list
BigQuery Slot Recommender Viewer ^Beta (`roles/recommender.bigQueryCapacityCommitmentsViewer`) Viewer of BigQuery Capacity Commitments insights and recommendations.	recommender.bigqueryCapacityCommitmentsInsights.get recommender.bigqueryCapacityCommitmentsInsights.list recommender.bigqueryCapacityCommitmentsRecommendations.get recommender.bigqueryCapacityCommitmentsRecommendations.list recommender.locations.* resourcemanager.projects.get resourcemanager.projects.list
Billing Account Usage Commitment Recommender Admin ^Beta (`roles/recommender.billingAccountCudAdmin`) Admin of Billing Account Usage Commitment Recommender.	billing.accounts.get billing.accounts.list recommender.commitmentUtilizationInsights.* recommender.usageCommitmentRecommendations.*
Billing Account Usage Commitment Recommender Viewer ^Beta (`roles/recommender.billingAccountCudViewer`) Viewer of Billing Account Usage Commitment Recommender.	billing.accounts.get billing.accounts.list recommender.commitmentUtilizationInsights.get recommender.commitmentUtilizationInsights.list recommender.usageCommitmentRecommendations.get recommender.usageCommitmentRecommendations.list
Cloud Asset Insights Admin (`roles/recommender.cloudAssetInsightsAdmin`) Admin of all Cloud Asset insights.	recommender.cloudAssetInsights.* resourcemanager.projects.get resourcemanager.projects.list
Cloud Asset Insights Viewer (`roles/recommender.cloudAssetInsightsViewer`) Viewer of all Cloud Asset insights.	recommender.cloudAssetInsights.get recommender.cloudAssetInsights.list resourcemanager.projects.get resourcemanager.projects.list
Cloud SQL Recommender Admin ^Beta (`roles/recommender.cloudsqlAdmin`) Admin of Cloud SQL insights and recommendations.	recommender.cloudsqlIdleInstanceRecommendations.* recommender.cloudsqlInstanceActivityInsights.* recommender.cloudsqlInstanceCpuUsageInsights.* recommender.cloudsqlInstanceDiskUsageTrendInsights.* recommender.cloudsqlInstanceMemoryUsageInsights.* recommender.cloudsqlInstanceOutOfDiskRecommendations.* recommender.cloudsqlInstancePerformanceInsights.* recommender.cloudsqlInstancePerformanceRecommendations.* recommender.cloudsqlInstanceSecurityInsights.* recommender.cloudsqlInstanceSecurityRecommendations.* recommender.cloudsqlOverprovisionedInstanceRecommendations.* resourcemanager.projects.get resourcemanager.projects.list
Cloud SQL Recommender Viewer ^Beta (`roles/recommender.cloudsqlViewer`) Viewer of Cloud SQL insights and recommendations.	recommender.cloudsqlIdleInstanceRecommendations.get recommender.cloudsqlIdleInstanceRecommendations.list recommender.cloudsqlInstanceActivityInsights.get recommender.cloudsqlInstanceActivityInsights.list recommender.cloudsqlInstanceCpuUsageInsights.get recommender.cloudsqlInstanceCpuUsageInsights.list recommender.cloudsqlInstanceDiskUsageTrendInsights.get recommender.cloudsqlInstanceDiskUsageTrendInsights.list recommender.cloudsqlInstanceMemoryUsageInsights.get recommender.cloudsqlInstanceMemoryUsageInsights.list recommender.cloudsqlInstanceOutOfDiskRecommendations.get recommender.cloudsqlInstanceOutOfDiskRecommendations.list recommender.cloudsqlInstancePerformanceInsights.get recommender.cloudsqlInstancePerformanceInsights.list recommender.cloudsqlInstancePerformanceRecommendations.get recommender.cloudsqlInstancePerformanceRecommendations.list recommender.cloudsqlInstanceSecurityInsights.get recommender.cloudsqlInstanceSecurityInsights.list recommender.cloudsqlInstanceSecurityRecommendations.get recommender.cloudsqlInstanceSecurityRecommendations.list recommender.cloudsqlOverprovisionedInstanceRecommendations.get recommender.cloudsqlOverprovisionedInstanceRecommendations.list resourcemanager.projects.get resourcemanager.projects.list
Compute Recommender Admin (`roles/recommender.computeAdmin`) Admin of compute recommendations.	recommender.computeAddressIdleResourceInsights.* recommender.computeAddressIdleResourceRecommendations.* recommender.computeDiskIdleResourceInsights.* recommender.computeDiskIdleResourceRecommendations.* recommender.computeImageIdleResourceInsights.* recommender.computeImageIdleResourceRecommendations.* recommender.computeInstanceCpuUsageInsights.* recommender.computeInstanceCpuUsagePredictionInsights.* recommender.computeInstanceCpuUsageTrendInsights.* recommender.computeInstanceGroupManagerCpuUsageInsights.* recommender.computeInstanceGroupManagerCpuUsagePredictionInsights.* recommender.computeInstanceGroupManagerCpuUsageTrendInsights.* recommender.computeInstanceGroupManagerMachineTypeRecommendations.* recommender.computeInstanceGroupManagerMemoryUsageInsights.* recommender.computeInstanceGroupManagerMemoryUsagePredictionInsights.* recommender.computeInstanceIdleResourceRecommendations.* recommender.computeInstanceMachineTypeRecommendations.* recommender.computeInstanceMemoryUsageInsights.* recommender.computeInstanceMemoryUsagePredictionInsights.* recommender.computeInstanceNetworkThroughputInsights.* recommender.locations.* resourcemanager.projects.get resourcemanager.projects.list
Compute Recommender Viewer (`roles/recommender.computeViewer`) Viewer of compute recommendations.	recommender.computeAddressIdleResourceInsights.get recommender.computeAddressIdleResourceInsights.list recommender.computeAddressIdleResourceRecommendations.get recommender.computeAddressIdleResourceRecommendations.list recommender.computeDiskIdleResourceInsights.get recommender.computeDiskIdleResourceInsights.list recommender.computeDiskIdleResourceRecommendations.get recommender.computeDiskIdleResourceRecommendations.list recommender.computeImageIdleResourceInsights.get recommender.computeImageIdleResourceInsights.list recommender.computeImageIdleResourceRecommendations.get recommender.computeImageIdleResourceRecommendations.list recommender.computeInstanceCpuUsageInsights.get recommender.computeInstanceCpuUsageInsights.list recommender.computeInstanceCpuUsagePredictionInsights.get recommender.computeInstanceCpuUsagePredictionInsights.list recommender.computeInstanceCpuUsageTrendInsights.get recommender.computeInstanceCpuUsageTrendInsights.list recommender.computeInstanceGroupManagerCpuUsageInsights.get recommender.computeInstanceGroupManagerCpuUsageInsights.list recommender.computeInstanceGroupManagerCpuUsagePredictionInsights.get recommender.computeInstanceGroupManagerCpuUsagePredictionInsights.list recommender.computeInstanceGroupManagerCpuUsageTrendInsights.get recommender.computeInstanceGroupManagerCpuUsageTrendInsights.list recommender.computeInstanceGroupManagerMachineTypeRecommendations.get recommender.computeInstanceGroupManagerMachineTypeRecommendations.list recommender.computeInstanceGroupManagerMemoryUsageInsights.get recommender.computeInstanceGroupManagerMemoryUsageInsights.list recommender.computeInstanceGroupManagerMemoryUsagePredictionInsights.get recommender.computeInstanceGroupManagerMemoryUsagePredictionInsights.list recommender.computeInstanceIdleResourceRecommendations.get recommender.computeInstanceIdleResourceRecommendations.list recommender.computeInstanceMachineTypeRecommendations.get recommender.computeInstanceMachineTypeRecommendations.list recommender.computeInstanceMemoryUsageInsights.get recommender.computeInstanceMemoryUsageInsights.list recommender.computeInstanceMemoryUsagePredictionInsights.get recommender.computeInstanceMemoryUsagePredictionInsights.list recommender.computeInstanceNetworkThroughputInsights.get recommender.computeInstanceNetworkThroughputInsights.list recommender.locations.* resourcemanager.projects.get resourcemanager.projects.list
GKE Diagnosis Recommender Admin ^Beta (`roles/recommender.containerDiagnosisAdmin`) Admin of GKE Diagnosis Insights and Recommendations.	recommender.containerDiagnosisInsights.* recommender.containerDiagnosisRecommendations.* recommender.locations.* resourcemanager.projects.get resourcemanager.projects.list
GKE Diagnosis Recommender Viewer ^Beta (`roles/recommender.containerDiagnosisViewer`) Viewer of GKE Diagnosis Insights and Recommendations.	recommender.containerDiagnosisInsights.get recommender.containerDiagnosisInsights.list recommender.containerDiagnosisRecommendations.get recommender.containerDiagnosisRecommendations.list recommender.locations.* resourcemanager.projects.get resourcemanager.projects.list
Dataflow Diagnostics Admin (`roles/recommender.dataflowDiagnosticsAdmin`) Admin of Diagnostics recommendations.	recommender.dataflowDiagnosticsInsights.* recommender.locations.* resourcemanager.projects.get resourcemanager.projects.list
Dataflow Diagnostics Viewer (`roles/recommender.dataflowDiagnosticsViewer`) Viewer of Diagnostics recommendations.	recommender.dataflowDiagnosticsInsights.get recommender.dataflowDiagnosticsInsights.list recommender.locations.* resourcemanager.projects.get resourcemanager.projects.list
Error Reporting Recommender Admin (`roles/recommender.errorReportingAdmin`) Admin of Error Reporting Insights and Recommendations.	recommender.errorReportingInsights.* recommender.errorReportingRecommendations.* recommender.locations.* resourcemanager.projects.get resourcemanager.projects.list
Error Reporting Recommender Viewer (`roles/recommender.errorReportingViewer`) Viewer of Error Reporting Insights and Recommendations.	recommender.errorReportingInsights.get recommender.errorReportingInsights.list recommender.errorReportingRecommendations.get recommender.errorReportingRecommendations.list recommender.locations.* resourcemanager.projects.get resourcemanager.projects.list
Firewall Recommender Admin (`roles/recommender.firewallAdmin`) Admin of Firewall insights and recommendations.	monitoring.timeSeries.list recommender.computeFirewallInsights.* recommender.locations.* resourcemanager.projects.get resourcemanager.projects.list
Firewall Recommender Viewer (`roles/recommender.firewallViewer`) Viewer of Firewall insights and recommendations.	monitoring.timeSeries.list recommender.computeFirewallInsights.get recommender.computeFirewallInsights.list recommender.locations.* resourcemanager.projects.get resourcemanager.projects.list
Google Maps Platform Insights/Recommendations Admin (`roles/recommender.gmpAdmin`) Admin of all Google Maps Platform insights and recommendations.	recommender.gmpProjectManagementInsights.* recommender.gmpProjectManagementRecommendations.* recommender.gmpProjectProductSuggestionsInsights.* recommender.gmpProjectProductSuggestionsRecommendations.* recommender.gmpProjectQuotaInsights.* recommender.gmpProjectQuotaRecommendations.* resourcemanager.projects.get resourcemanager.projects.list
Google Maps Platform Insights/Recommendations Viewer (`roles/recommender.gmpViewer`) Viewer of all Google Maps Platform insights and recommendations.	recommender.gmpProjectManagementInsights.get recommender.gmpProjectManagementInsights.list recommender.gmpProjectManagementRecommendations.get recommender.gmpProjectManagementRecommendations.list recommender.gmpProjectProductSuggestionsInsights.get recommender.gmpProjectProductSuggestionsInsights.list recommender.gmpProjectProductSuggestionsRecommendations.get recommender.gmpProjectProductSuggestionsRecommendations.list recommender.gmpProjectQuotaInsights.get recommender.gmpProjectQuotaInsights.list recommender.gmpProjectQuotaRecommendations.get recommender.gmpProjectQuotaRecommendations.list resourcemanager.projects.get resourcemanager.projects.list
IAM Recommender Admin (`roles/recommender.iamAdmin`) Admin of IAM recommendations.	recommender.iamPolicyInsights.* recommender.iamPolicyLateralMovementInsights.* recommender.iamPolicyRecommendations.* recommender.iamServiceAccountInsights.* recommender.locations.* resourcemanager.projects.get resourcemanager.projects.list
IAM Recommender Viewer (`roles/recommender.iamViewer`) Viewer of IAM recommendations.	recommender.iamPolicyInsights.get recommender.iamPolicyInsights.list recommender.iamPolicyLateralMovementInsights.get recommender.iamPolicyLateralMovementInsights.list recommender.iamPolicyRecommendations.get recommender.iamPolicyRecommendations.list recommender.iamServiceAccountInsights.get recommender.iamServiceAccountInsights.list recommender.locations.* resourcemanager.projects.get resourcemanager.projects.list
Network Analyzer Recommender Admin ^Alpha (`roles/recommender.networkAnalyzerAdmin`) Admin of Network Analyzer Insights and Recommendations.	recommender.locations.* recommender.networkAnalyzerCloudSqlInsights.* recommender.networkAnalyzerDynamicRouteInsights.* recommender.networkAnalyzerGkeConnectivityInsights.* recommender.networkAnalyzerGkeIpAddressInsights.* recommender.networkAnalyzerIpAddressInsights.* recommender.networkAnalyzerLoadBalancerInsights.* resourcemanager.projects.get resourcemanager.projects.list
Network Analyzer Cloud SQL Recommender Admin ^Alpha (`roles/recommender.networkAnalyzerCloudSqlAdmin`) Admin of Network Analyzer Cloud SQL Insights and Recommendations.	recommender.locations.* recommender.networkAnalyzerCloudSqlInsights.* resourcemanager.projects.get resourcemanager.projects.list
Network Analyzer Cloud SQL Recommender Viewer ^Alpha (`roles/recommender.networkAnalyzerCloudSqlViewer`) Viewer of Network Analyzer Cloud SQL Insights and Recommendations.	recommender.locations.* recommender.networkAnalyzerCloudSqlInsights.get recommender.networkAnalyzerCloudSqlInsights.list resourcemanager.projects.get resourcemanager.projects.list
Network Analyzer Dynamic Route Recommender Admin ^Alpha (`roles/recommender.networkAnalyzerDynamicRouteAdmin`) Admin of Network Analyzer Dynamic Route Insights and Recommendations.	recommender.locations.* recommender.networkAnalyzerDynamicRouteInsights.* resourcemanager.projects.get resourcemanager.projects.list
Network Analyzer Dynamic Route Recommender Viewer ^Alpha (`roles/recommender.networkAnalyzerDynamicRouteViewer`) Viewer of Network Analyzer Dynamic Route Insights and Recommendations.	recommender.locations.* recommender.networkAnalyzerDynamicRouteInsights.get recommender.networkAnalyzerDynamicRouteInsights.list resourcemanager.projects.get resourcemanager.projects.list
Network Analyzer GKE Connectivity Recommender Admin ^Alpha (`roles/recommender.networkAnalyzerGkeConnectivityAdmin`) Admin of Network Analyzer GKE Connectivity Insights and Recommendations.	recommender.locations.* recommender.networkAnalyzerGkeConnectivityInsights.* resourcemanager.projects.get resourcemanager.projects.list
Network Analyzer GKE Connectivity Recommender Viewer ^Alpha (`roles/recommender.networkAnalyzerGkeConnectivityViewer`) Viewer of Network Analyzer GKE Connectivity Insights and Recommendations.	recommender.locations.* recommender.networkAnalyzerGkeConnectivityInsights.get recommender.networkAnalyzerGkeConnectivityInsights.list resourcemanager.projects.get resourcemanager.projects.list
Network Analyzer GKE IP Address Recommender Admin ^Alpha (`roles/recommender.networkAnalyzerGkeIpAddressAdmin`) Admin of Network Analyzer GKE IP Address Insights and Recommendations.	recommender.locations.* recommender.networkAnalyzerGkeIpAddressInsights.* resourcemanager.projects.get resourcemanager.projects.list
Network Analyzer GKE IP Address Recommender Viewer ^Alpha (`roles/recommender.networkAnalyzerGkeIpAddressViewer`) Viewer of Network Analyzer GKE IP Address Insights and Recommendations.	recommender.locations.* recommender.networkAnalyzerGkeIpAddressInsights.get recommender.networkAnalyzerGkeIpAddressInsights.list resourcemanager.projects.get resourcemanager.projects.list
Network Analyzer IP Address Recommender Admin ^Alpha (`roles/recommender.networkAnalyzerIpAddressAdmin`) Admin of Network Analyzer IP Address Insights and Recommendations.	recommender.locations.* recommender.networkAnalyzerIpAddressInsights.* resourcemanager.projects.get resourcemanager.projects.list
Network Analyzer IP Address Recommender Viewer ^Alpha (`roles/recommender.networkAnalyzerIpAddressViewer`) Viewer of Network Analyzer IP Address Insights and Recommendations.	recommender.locations.* recommender.networkAnalyzerIpAddressInsights.get recommender.networkAnalyzerIpAddressInsights.list resourcemanager.projects.get resourcemanager.projects.list
Network Analyzer Load Balancer Recommender Admin ^Beta (`roles/recommender.networkAnalyzerLoadBalancerAdmin`) Admin of Network Analyzer Load Balancer Insights and Recommendations.	recommender.locations.* recommender.networkAnalyzerLoadBalancerInsights.* resourcemanager.projects.get resourcemanager.projects.list
Network Analyzer Load Balancer Recommender Viewer ^Beta (`roles/recommender.networkAnalyzerLoadBalancerViewer`) Viewer of Network Analyzer Load Balancer Insights and Recommendations.	recommender.locations.* recommender.networkAnalyzerLoadBalancerInsights.get recommender.networkAnalyzerLoadBalancerInsights.list resourcemanager.projects.get resourcemanager.projects.list
Network Analyzer Recommender Viewer ^Beta (`roles/recommender.networkAnalyzerViewer`) Viewer of Network Analyzer Insights and Recommendations.	recommender.locations.* recommender.networkAnalyzerCloudSqlInsights.get recommender.networkAnalyzerCloudSqlInsights.list recommender.networkAnalyzerDynamicRouteInsights.get recommender.networkAnalyzerDynamicRouteInsights.list recommender.networkAnalyzerGkeConnectivityInsights.get recommender.networkAnalyzerGkeConnectivityInsights.list recommender.networkAnalyzerGkeIpAddressInsights.get recommender.networkAnalyzerGkeIpAddressInsights.list recommender.networkAnalyzerIpAddressInsights.get recommender.networkAnalyzerIpAddressInsights.list recommender.networkAnalyzerLoadBalancerInsights.get recommender.networkAnalyzerLoadBalancerInsights.list recommender.networkAnalyzerVpcConnectivityInsights.get recommender.networkAnalyzerVpcConnectivityInsights.list resourcemanager.projects.get resourcemanager.projects.list
Network Analyzer VPC Connectivity Recommender Admin ^Beta (`roles/recommender.networkAnalyzerVpcConnectivityAdmin`) Admin of Network Analyzer VPC Connectivity Insights and Recommendations.	recommender.locations.* recommender.networkAnalyzerVpcConnectivityInsights.* resourcemanager.projects.get resourcemanager.projects.list
Network Analyzer VPC Connectivity Recommender Viewer ^Beta (`roles/recommender.networkAnalyzerVpcConnectivityViewer`) Viewer of Network Analyzer VPC Connectivity Insights and Recommendations.	recommender.locations.* recommender.networkAnalyzerVpcConnectivityInsights.get recommender.networkAnalyzerVpcConnectivityInsights.list resourcemanager.projects.get resourcemanager.projects.list
Product Suggestion Recommenders Admin ^Beta (`roles/recommender.productSuggestionAdmin`) Admin of all Product Suggestion insights and recommendations.	recommender.locations.* recommender.loggingProductSuggestionContainerInsights.* recommender.loggingProductSuggestionContainerRecommendations.* recommender.monitoringProductSuggestionComputeInsights.* recommender.monitoringProductSuggestionComputeRecommendations.* resourcemanager.projects.get resourcemanager.projects.list
Product Suggestion Recommenders Viewer ^Beta (`roles/recommender.productSuggestionViewer`) Viewer of all Product Suggestion insights and recommendations.	recommender.locations.* recommender.loggingProductSuggestionContainerInsights.get recommender.loggingProductSuggestionContainerInsights.list recommender.loggingProductSuggestionContainerRecommendations.get recommender.loggingProductSuggestionContainerRecommendations.list recommender.monitoringProductSuggestionComputeInsights.get recommender.monitoringProductSuggestionComputeInsights.list recommender.monitoringProductSuggestionComputeRecommendations.get recommender.monitoringProductSuggestionComputeRecommendations.list resourcemanager.projects.get resourcemanager.projects.list
Project Usage Commitment Recommender Admin ^Beta (`roles/recommender.projectCudAdmin`) Admin of Project Usage Commitment Recommender.	recommender.commitmentUtilizationInsights.* recommender.locations.* recommender.usageCommitmentRecommendations.* resourcemanager.projects.get resourcemanager.projects.list
Project Usage Commitment Recommender Viewer ^Beta (`roles/recommender.projectCudViewer`) Viewer of Project Usage Commitment Recommender.	recommender.commitmentUtilizationInsights.get recommender.commitmentUtilizationInsights.list recommender.locations.* recommender.usageCommitmentRecommendations.get recommender.usageCommitmentRecommendations.list resourcemanager.projects.get resourcemanager.projects.list
Project Utilization Recommender Admin (`roles/recommender.projectUtilAdmin`) Admin of Project Utilization insights and recommendations.	recommender.resourcemanagerProjectUtilizationInsights.* recommender.resourcemanagerProjectUtilizationRecommendations.* resourcemanager.projects.get resourcemanager.projects.list
Project Utilization Recommender Viewer (`roles/recommender.projectUtilViewer`) Viewer of Project Utilization insights and recommendations.	recommender.resourcemanagerProjectUtilizationInsights.get recommender.resourcemanagerProjectUtilizationInsights.list recommender.resourcemanagerProjectUtilizationRecommendations.get recommender.resourcemanagerProjectUtilizationRecommendations.list resourcemanager.projects.get resourcemanager.projects.list
Spend Based Commitment Recommender Admin ^Beta (`roles/recommender.ucsAdmin`) Admin of Spend Based Commitment Recommender.	billing.accounts.get billing.accounts.list recommender.locations.* recommender.spendBasedCommitmentInsights.* recommender.spendBasedCommitmentRecommendations.*
Spend Based Commitment Recommender Viewer ^Beta (`roles/recommender.ucsViewer`) Viewer of Spend Based Commitment Recommender.	billing.accounts.get billing.accounts.list recommender.locations.* recommender.spendBasedCommitmentInsights.get recommender.spendBasedCommitmentInsights.list recommender.spendBasedCommitmentRecommendations.get recommender.spendBasedCommitmentRecommendations.list

Resource Manager roles

Role	Permissions
Folder Admin (`roles/resourcemanager.folderAdmin`) Provides all available permissions for working with folders. Lowest-level resources where you can grant this role: Folder	orgpolicy.constraints.list orgpolicy.policies.list orgpolicy.policy.get resourcemanager.folders.* resourcemanager.projects.get resourcemanager.projects.getIamPolicy resourcemanager.projects.list resourcemanager.projects.move resourcemanager.projects.setIamPolicy
Folder Creator (`roles/resourcemanager.folderCreator`) Provides permissions needed to browse the hierarchy and create folders. Lowest-level resources where you can grant this role: Folder	orgpolicy.constraints.list orgpolicy.policies.list orgpolicy.policy.get resourcemanager.folders.create resourcemanager.folders.get resourcemanager.folders.list resourcemanager.projects.get resourcemanager.projects.list
Folder Editor (`roles/resourcemanager.folderEditor`) Provides permission to modify folders as well as to view a folder's allow policy. Lowest-level resources where you can grant this role: Folder	orgpolicy.constraints.list orgpolicy.policies.list orgpolicy.policy.get resourcemanager.folders.delete resourcemanager.folders.get resourcemanager.folders.getIamPolicy resourcemanager.folders.list resourcemanager.folders.undelete resourcemanager.folders.update resourcemanager.projects.get resourcemanager.projects.list
Folder IAM Admin (`roles/resourcemanager.folderIamAdmin`) Provides permissions to administer allow policies on folders. Lowest-level resources where you can grant this role: Folder	resourcemanager.folders.get resourcemanager.folders.getIamPolicy resourcemanager.folders.setIamPolicy
Folder Mover (`roles/resourcemanager.folderMover`) Provides permission to move projects and folders into and out of a parent organization or folder. Lowest-level resources where you can grant this role: Folder	resourcemanager.folders.move resourcemanager.projects.move
Folder Viewer (`roles/resourcemanager.folderViewer`) Provides permission to get a folder and list the folders and projects below a resource. Lowest-level resources where you can grant this role: Folder	orgpolicy.constraints.list orgpolicy.policies.list orgpolicy.policy.get resourcemanager.folders.get resourcemanager.folders.list resourcemanager.projects.get resourcemanager.projects.list
Project Lien Modifier (`roles/resourcemanager.lienModifier`) Provides access to modify Liens on projects. Lowest-level resources where you can grant this role: Project	resourcemanager.projects.updateLiens
Organization Administrator (`roles/resourcemanager.organizationAdmin`) Access to manage IAM policies and view organization policies for organizations, folders, and projects. Lowest-level resources where you can grant this role: Project	orgpolicy.constraints.list orgpolicy.policies.list orgpolicy.policy.get resourcemanager.folders.get resourcemanager.folders.getIamPolicy resourcemanager.folders.list resourcemanager.folders.setIamPolicy resourcemanager.organizations.* resourcemanager.projects.get resourcemanager.projects.getIamPolicy resourcemanager.projects.list resourcemanager.projects.setIamPolicy
Organization Viewer (`roles/resourcemanager.organizationViewer`) Provides access to view an organization. Lowest-level resources where you can grant this role: Organization	resourcemanager.organizations.get
Project Creator (`roles/resourcemanager.projectCreator`) Provides access to create new projects. Once a user creates a project, they're automatically granted the owner role for that project. Lowest-level resources where you can grant this role: Folder	resourcemanager.organizations.get resourcemanager.projects.create
Project Deleter (`roles/resourcemanager.projectDeleter`) Provides access to delete Google Cloud projects. Lowest-level resources where you can grant this role: Folder	resourcemanager.projects.delete
Project IAM Admin (`roles/resourcemanager.projectIamAdmin`) Provides permissions to administer allow policies on projects. Lowest-level resources where you can grant this role: Project	resourcemanager.projects.get resourcemanager.projects.getIamPolicy resourcemanager.projects.setIamPolicy
Project Mover (`roles/resourcemanager.projectMover`) Provides access to update and move projects. Lowest-level resources where you can grant this role: Project	resourcemanager.projects.get resourcemanager.projects.move resourcemanager.projects.update
Tag Administrator (`roles/resourcemanager.tagAdmin`) Access to create, delete, update, and manage access to Tags	resourcemanager.tagHolds.* resourcemanager.tagKeys.* resourcemanager.tagValues.*
Tag Hold Administrator (`roles/resourcemanager.tagHoldAdmin`) Access to create, delete and list TagHolds under a TagValue	resourcemanager.tagHolds.*
Tag User (`roles/resourcemanager.tagUser`) Access to list Tags and manage their associations with resources	artifactregistry.repositories.createTagBinding artifactregistry.repositories.deleteTagBinding artifactregistry.repositories.listEffectiveTags artifactregistry.repositories.listTagBindings bigquery.datasets.createTagBinding bigquery.datasets.deleteTagBinding bigquery.datasets.listTagBindings bigtable.instances.createTagBinding bigtable.instances.deleteTagBinding bigtable.instances.listEffectiveTags bigtable.instances.listTagBindings cloudkms.keyRings.createTagBinding cloudkms.keyRings.deleteTagBinding cloudkms.keyRings.listEffectiveTags cloudkms.keyRings.listTagBindings cloudsql.instances.createTagBinding cloudsql.instances.deleteTagBinding cloudsql.instances.listEffectiveTags cloudsql.instances.listTagBindings compute.disks.createTagBinding compute.disks.deleteTagBinding compute.disks.listEffectiveTags compute.disks.listTagBindings compute.images.createTagBinding compute.images.deleteTagBinding compute.images.listEffectiveTags compute.images.listTagBindings compute.instances.createTagBinding compute.instances.deleteTagBinding compute.instances.listEffectiveTags compute.instances.listTagBindings compute.snapshots.createTagBinding compute.snapshots.deleteTagBinding compute.snapshots.listEffectiveTags compute.snapshots.listTagBindings container.clusters.createTagBinding container.clusters.deleteTagBinding container.clusters.listEffectiveTags container.clusters.listTagBindings datastream.connectionProfiles.createTagBinding datastream.connectionProfiles.deleteTagBinding datastream.connectionProfiles.listEffectiveTags datastream.connectionProfiles.listTagBindings datastream.privateConnections.createTagBinding datastream.privateConnections.deleteTagBinding datastream.privateConnections.listEffectiveTags datastream.privateConnections.listTagBindings datastream.streams.createTagBinding datastream.streams.deleteTagBinding datastream.streams.listEffectiveTags datastream.streams.listTagBindings domains.registrations.createTagBinding domains.registrations.deleteTagBinding domains.registrations.listEffectiveTags domains.registrations.listTagBindings file.backups.createTagBinding file.backups.deleteTagBinding file.backups.listEffectiveTags file.backups.listTagBindings file.instances.createTagBinding file.instances.deleteTagBinding file.instances.listEffectiveTags file.instances.listTagBindings file.snapshots.createTagBinding file.snapshots.deleteTagBinding file.snapshots.listEffectiveTags file.snapshots.listTagBindings managedidentities.domains.createTagBinding managedidentities.domains.deleteTagBinding managedidentities.domains.listEffectiveTags managedidentities.domains.listTagBindings resourcemanager.hierarchyNodes.* resourcemanager.projects.get resourcemanager.tagKeys.get resourcemanager.tagKeys.list resourcemanager.tagValueBindings.* resourcemanager.tagValues.get resourcemanager.tagValues.list run.services.createTagBinding run.services.deleteTagBinding run.services.listEffectiveTags run.services.listTagBindings storage.buckets.createTagBinding storage.buckets.deleteTagBinding storage.buckets.listEffectiveTags storage.buckets.listTagBindings
Tag Viewer (`roles/resourcemanager.tagViewer`) Access to list Tags and their associations with resources	artifactregistry.repositories.listEffectiveTags artifactregistry.repositories.listTagBindings bigquery.datasets.listTagBindings bigtable.instances.listEffectiveTags bigtable.instances.listTagBindings cloudkms.keyRings.listEffectiveTags cloudkms.keyRings.listTagBindings cloudsql.instances.listEffectiveTags cloudsql.instances.listTagBindings compute.disks.listEffectiveTags compute.disks.listTagBindings compute.images.listEffectiveTags compute.images.listTagBindings compute.instances.listEffectiveTags compute.instances.listTagBindings compute.snapshots.listEffectiveTags compute.snapshots.listTagBindings container.clusters.listEffectiveTags container.clusters.listTagBindings datastream.connectionProfiles.listEffectiveTags datastream.connectionProfiles.listTagBindings datastream.privateConnections.listEffectiveTags datastream.privateConnections.listTagBindings datastream.streams.listEffectiveTags datastream.streams.listTagBindings domains.registrations.listEffectiveTags domains.registrations.listTagBindings file.backups.listEffectiveTags file.backups.listTagBindings file.instances.listEffectiveTags file.instances.listTagBindings file.snapshots.listEffectiveTags file.snapshots.listTagBindings managedidentities.domains.listEffectiveTags managedidentities.domains.listTagBindings resourcemanager.hierarchyNodes.listEffectiveTags resourcemanager.hierarchyNodes.listTagBindings resourcemanager.tagHolds.list resourcemanager.tagKeys.get resourcemanager.tagKeys.list resourcemanager.tagValues.get resourcemanager.tagValues.list run.services.listEffectiveTags run.services.listTagBindings storage.buckets.listEffectiveTags storage.buckets.listTagBindings

Resource Settings roles

Role Permissions

Resource Settings Administrator
(roles/resourcesettings.admin)

Provides admin capabilities to set Resource Setting Values on resources.

Lowest-level resources where you can grant this role:

Organization

resourcesettings.*

Resource Settings Viewer
(roles/resourcesettings.viewer)

Provides capabilities to view Resource Settings and Resource Setting Values on resources.

resourcesettings.settings.get
resourcesettings.settings.list

Risk Manager roles

Role	Permissions
Risk Manager Admin ^Beta (`roles/riskmanager.admin`) Grants all Risk Manager permissions	resourcemanager.projects.get resourcemanager.projects.list riskmanager.*
Risk Manager Editor ^Beta (`roles/riskmanager.editor`) Access to edit Risk Manager resources	resourcemanager.projects.get resourcemanager.projects.list riskmanager.operations.* riskmanager.policies.* riskmanager.reports.create riskmanager.reports.delete riskmanager.reports.get riskmanager.reports.list riskmanager.serviceAccount.create riskmanager.settings.*
Risk Manager Report Reviewer ^Beta (`roles/riskmanager.reviewer`) Access to review Risk Manager reports	resourcemanager.projects.get resourcemanager.projects.list riskmanager.operations.get riskmanager.operations.list riskmanager.reports.get riskmanager.reports.list riskmanager.reports.review
Risk Manager Viewer ^Beta (`roles/riskmanager.viewer`) Access to view Risk Manager resources	resourcemanager.projects.get resourcemanager.projects.list riskmanager.operations.get riskmanager.operations.list riskmanager.policies.* riskmanager.reports.get riskmanager.reports.list riskmanager.settings.get

Roles roles

Role	Permissions
Organization Role Administrator (`roles/iam.organizationRoleAdmin`) Provides access to administer all custom roles in the organization and the projects below it. Lowest-level resources where you can grant this role: Organization	iam.roles.* resourcemanager.organizations.get resourcemanager.organizations.getIamPolicy resourcemanager.projects.get resourcemanager.projects.getIamPolicy resourcemanager.projects.list
Organization Role Viewer (`roles/iam.organizationRoleViewer`) Provides read access to all custom roles in the organization and the projects below it. Lowest-level resources where you can grant this role: Organization	iam.roles.get iam.roles.list resourcemanager.organizations.get resourcemanager.organizations.getIamPolicy resourcemanager.projects.get resourcemanager.projects.getIamPolicy resourcemanager.projects.list
Role Administrator (`roles/iam.roleAdmin`) Provides access to all custom roles in the project. Lowest-level resources where you can grant this role: Project	iam.roles.* resourcemanager.projects.get resourcemanager.projects.getIamPolicy
Role Viewer (`roles/iam.roleViewer`) Provides read access to all custom roles in the project. Lowest-level resources where you can grant this role: Project	iam.roles.get iam.roles.list resourcemanager.projects.get resourcemanager.projects.getIamPolicy

Secret Manager roles

Role	Permissions
Secret Manager Admin (`roles/secretmanager.admin`) Full access to administer Secret Manager resources. Lowest-level resources where you can grant this role: Secret	resourcemanager.projects.get resourcemanager.projects.list secretmanager.*
Secret Manager Secret Accessor (`roles/secretmanager.secretAccessor`) Allows accessing the payload of secrets. Lowest-level resources where you can grant this role: Secret	resourcemanager.projects.get resourcemanager.projects.list secretmanager.versions.access
Secret Manager Secret Version Adder (`roles/secretmanager.secretVersionAdder`) Allows adding versions to existing secrets. Lowest-level resources where you can grant this role: Secret	resourcemanager.projects.get resourcemanager.projects.list secretmanager.versions.add
Secret Manager Secret Version Manager (`roles/secretmanager.secretVersionManager`) Allows creating and managing versions of existing secrets. Lowest-level resources where you can grant this role: Secret	resourcemanager.projects.get resourcemanager.projects.list secretmanager.versions.add secretmanager.versions.destroy secretmanager.versions.disable secretmanager.versions.enable secretmanager.versions.get secretmanager.versions.list
Secret Manager Viewer (`roles/secretmanager.viewer`) Allows viewing metadata of all Secret Manager resources Lowest-level resources where you can grant this role: Secret	resourcemanager.projects.get resourcemanager.projects.list secretmanager.locations.* secretmanager.secrets.get secretmanager.secrets.getIamPolicy secretmanager.secrets.list secretmanager.versions.get secretmanager.versions.list

Security Center roles

Role	Permissions
Security Center Admin (`roles/securitycenter.admin`) Admin(super user) access to security center Lowest-level resources where you can grant this role: Project	appengine.applications.get cloudsecurityscanner.* compute.addresses.list resourcemanager.folders.get resourcemanager.folders.list resourcemanager.organizations.get resourcemanager.projects.get resourcemanager.projects.list securitycenter.* serviceusage.quotas.get serviceusage.services.get serviceusage.services.list
Security Center Admin Editor (`roles/securitycenter.adminEditor`) Admin Read-write access to security center Lowest-level resources where you can grant this role: Project	appengine.applications.get cloudsecurityscanner.* compute.addresses.list resourcemanager.folders.get resourcemanager.folders.list resourcemanager.organizations.get resourcemanager.projects.get resourcemanager.projects.list securitycenter.assets.* securitycenter.assetsecuritymarks.update securitycenter.bigQueryExports.* securitycenter.containerthreatdetectionsettings.calculate securitycenter.containerthreatdetectionsettings.get securitycenter.eventthreatdetectionsettings.calculate securitycenter.eventthreatdetectionsettings.get securitycenter.findingexternalsystems.update securitycenter.findings.* securitycenter.findingsecuritymarks.update securitycenter.muteconfigs.* securitycenter.notificationconfig.* securitycenter.organizationsettings.get securitycenter.rapidvulnerabilitydetectionsettings.calculate securitycenter.rapidvulnerabilitydetectionsettings.get securitycenter.securitycentersettings.get securitycenter.securityhealthanalyticssettings.calculate securitycenter.securityhealthanalyticssettings.get securitycenter.sources.get securitycenter.sources.list securitycenter.sources.update securitycenter.subscription.get securitycenter.userinterfacemetadata.get securitycenter.virtualmachinethreatdetectionsettings.calculate securitycenter.virtualmachinethreatdetectionsettings.get securitycenter.websecurityscannersettings.calculate securitycenter.websecurityscannersettings.get serviceusage.quotas.get serviceusage.services.get serviceusage.services.list
Security Center Admin Viewer (`roles/securitycenter.adminViewer`) Admin Read access to security center Lowest-level resources where you can grant this role: Project	cloudsecurityscanner.crawledurls.list cloudsecurityscanner.results.* cloudsecurityscanner.scanruns.get cloudsecurityscanner.scanruns.getSummary cloudsecurityscanner.scanruns.list cloudsecurityscanner.scans.get cloudsecurityscanner.scans.list resourcemanager.folders.get resourcemanager.folders.list resourcemanager.organizations.get resourcemanager.projects.get resourcemanager.projects.list securitycenter.assets.group securitycenter.assets.list securitycenter.assets.listAssetPropertyNames securitycenter.bigQueryExports.get securitycenter.bigQueryExports.list securitycenter.containerthreatdetectionsettings.calculate securitycenter.containerthreatdetectionsettings.get securitycenter.eventthreatdetectionsettings.calculate securitycenter.eventthreatdetectionsettings.get securitycenter.findings.group securitycenter.findings.list securitycenter.findings.listFindingPropertyNames securitycenter.muteconfigs.get securitycenter.muteconfigs.list securitycenter.notificationconfig.get securitycenter.notificationconfig.list securitycenter.organizationsettings.get securitycenter.rapidvulnerabilitydetectionsettings.calculate securitycenter.rapidvulnerabilitydetectionsettings.get securitycenter.securitycentersettings.get securitycenter.securityhealthanalyticssettings.calculate securitycenter.securityhealthanalyticssettings.get securitycenter.sources.get securitycenter.sources.list securitycenter.subscription.get securitycenter.userinterfacemetadata.get securitycenter.virtualmachinethreatdetectionsettings.calculate securitycenter.virtualmachinethreatdetectionsettings.get securitycenter.websecurityscannersettings.calculate securitycenter.websecurityscannersettings.get serviceusage.quotas.get serviceusage.services.get serviceusage.services.list
Security Center Asset Security Marks Writer (`roles/securitycenter.assetSecurityMarksWriter`) Write access to asset security marks Lowest-level resources where you can grant this role: Project	securitycenter.assetsecuritymarks.update securitycenter.userinterfacemetadata.get
Security Center Assets Discovery Runner (`roles/securitycenter.assetsDiscoveryRunner`) Run asset discovery access to assets Lowest-level resources where you can grant this role: Organization	securitycenter.assets.runDiscovery securitycenter.userinterfacemetadata.get
Security Center Assets Viewer (`roles/securitycenter.assetsViewer`) Read access to assets Lowest-level resources where you can grant this role: Project	resourcemanager.folders.get resourcemanager.organizations.get resourcemanager.projects.get securitycenter.assets.group securitycenter.assets.list securitycenter.assets.listAssetPropertyNames securitycenter.userinterfacemetadata.get
Security Center BigQuery Exports Editor (`roles/securitycenter.bigQueryExportsEditor`) Read-Write access to security center BigQuery Exports	resourcemanager.folders.get resourcemanager.folders.list resourcemanager.organizations.get resourcemanager.projects.get resourcemanager.projects.list securitycenter.bigQueryExports.*
Security Center BigQuery Exports Viewer (`roles/securitycenter.bigQueryExportsViewer`) Read access to security center BigQuery Exports	resourcemanager.folders.get resourcemanager.folders.list resourcemanager.organizations.get resourcemanager.projects.get resourcemanager.projects.list securitycenter.bigQueryExports.get securitycenter.bigQueryExports.list
Security Center External Systems Editor (`roles/securitycenter.externalSystemsEditor`) Write access to security center external systems	securitycenter.findingexternalsystems.update
Security Center Finding Security Marks Writer (`roles/securitycenter.findingSecurityMarksWriter`) Write access to finding security marks Lowest-level resources where you can grant this role: Project	securitycenter.findingsecuritymarks.update securitycenter.userinterfacemetadata.get
Security Center Findings Bulk Mute Editor (`roles/securitycenter.findingsBulkMuteEditor`) Ability to mute findings in bulk	securitycenter.findings.bulkMuteUpdate
Security Center Findings Editor (`roles/securitycenter.findingsEditor`) Read-write access to findings Lowest-level resources where you can grant this role: Project	resourcemanager.folders.get resourcemanager.organizations.get resourcemanager.projects.get securitycenter.findings.bulkMuteUpdate securitycenter.findings.group securitycenter.findings.list securitycenter.findings.listFindingPropertyNames securitycenter.findings.setMute securitycenter.findings.setState securitycenter.findings.update securitycenter.sources.get securitycenter.sources.list securitycenter.userinterfacemetadata.get
Security Center Findings Mute Setter (`roles/securitycenter.findingsMuteSetter`) Set mute access to findings	securitycenter.findings.setMute
Security Center Findings State Setter (`roles/securitycenter.findingsStateSetter`) Set state access to findings Lowest-level resources where you can grant this role: Project	securitycenter.findings.setState securitycenter.userinterfacemetadata.get
Security Center Findings Viewer (`roles/securitycenter.findingsViewer`) Read access to findings Lowest-level resources where you can grant this role: Project	resourcemanager.folders.get resourcemanager.organizations.get resourcemanager.projects.get securitycenter.findings.group securitycenter.findings.list securitycenter.findings.listFindingPropertyNames securitycenter.sources.get securitycenter.sources.list securitycenter.userinterfacemetadata.get
Security Center Findings Workflow State Setter ^Beta (`roles/securitycenter.findingsWorkflowStateSetter`) Set workflow state access to findings Lowest-level resources where you can grant this role: Project	securitycenter.findings.setWorkflowState securitycenter.userinterfacemetadata.get
Security Center Mute Configurations Editor (`roles/securitycenter.muteConfigsEditor`) Read-Write access to security center mute configurations	securitycenter.muteconfigs.*
Security Center Mute Configurations Viewer (`roles/securitycenter.muteConfigsViewer`) Read access to security center mute configurations	securitycenter.muteconfigs.get securitycenter.muteconfigs.list
Security Center Notification Configurations Editor (`roles/securitycenter.notificationConfigEditor`) Write access to notification configurations Lowest-level resources where you can grant this role: Organization	securitycenter.notificationconfig.* securitycenter.userinterfacemetadata.get
Security Center Notification Configurations Viewer (`roles/securitycenter.notificationConfigViewer`) Read access to notification configurations Lowest-level resources where you can grant this role: Organization	securitycenter.notificationconfig.get securitycenter.notificationconfig.list securitycenter.userinterfacemetadata.get
Security Center Settings Admin (`roles/securitycenter.settingsAdmin`) Admin(super user) access to security center settings Lowest-level resources where you can grant this role: Project	resourcemanager.folders.get resourcemanager.folders.list resourcemanager.organizations.get resourcemanager.projects.get resourcemanager.projects.list securitycenter.bigQueryExports.* securitycenter.containerthreatdetectionsettings.* securitycenter.eventthreatdetectionsettings.* securitycenter.muteconfigs.* securitycenter.notificationconfig.* securitycenter.organizationsettings.* securitycenter.rapidvulnerabilitydetectionsettings.* securitycenter.securitycentersettings.* securitycenter.securityhealthanalyticssettings.* securitycenter.subscription.get securitycenter.userinterfacemetadata.get securitycenter.virtualmachinethreatdetectionsettings.* securitycenter.websecurityscannersettings.*
Security Center Settings Editor (`roles/securitycenter.settingsEditor`) Read-Write access to security center settings Lowest-level resources where you can grant this role: Project	resourcemanager.folders.get resourcemanager.folders.list resourcemanager.organizations.get resourcemanager.projects.get resourcemanager.projects.list securitycenter.bigQueryExports.* securitycenter.containerthreatdetectionsettings.* securitycenter.eventthreatdetectionsettings.* securitycenter.muteconfigs.* securitycenter.notificationconfig.* securitycenter.organizationsettings.* securitycenter.rapidvulnerabilitydetectionsettings.* securitycenter.securitycentersettings.* securitycenter.securityhealthanalyticssettings.* securitycenter.subscription.get securitycenter.userinterfacemetadata.get securitycenter.virtualmachinethreatdetectionsettings.* securitycenter.websecurityscannersettings.*
Security Center Settings Viewer (`roles/securitycenter.settingsViewer`) Read access to security center settings Lowest-level resources where you can grant this role: Project	resourcemanager.folders.get resourcemanager.folders.list resourcemanager.organizations.get resourcemanager.projects.get resourcemanager.projects.list securitycenter.bigQueryExports.get securitycenter.bigQueryExports.list securitycenter.containerthreatdetectionsettings.calculate securitycenter.containerthreatdetectionsettings.get securitycenter.eventthreatdetectionsettings.calculate securitycenter.eventthreatdetectionsettings.get securitycenter.muteconfigs.get securitycenter.muteconfigs.list securitycenter.notificationconfig.get securitycenter.notificationconfig.list securitycenter.organizationsettings.get securitycenter.rapidvulnerabilitydetectionsettings.calculate securitycenter.rapidvulnerabilitydetectionsettings.get securitycenter.securitycentersettings.get securitycenter.securityhealthanalyticssettings.calculate securitycenter.securityhealthanalyticssettings.get securitycenter.subscription.get securitycenter.userinterfacemetadata.get securitycenter.virtualmachinethreatdetectionsettings.calculate securitycenter.virtualmachinethreatdetectionsettings.get securitycenter.websecurityscannersettings.calculate securitycenter.websecurityscannersettings.get
Security Center Sources Admin (`roles/securitycenter.sourcesAdmin`) Admin access to sources Lowest-level resources where you can grant this role: Organization	resourcemanager.organizations.get securitycenter.sources.* securitycenter.userinterfacemetadata.get
Security Center Sources Editor (`roles/securitycenter.sourcesEditor`) Read-write access to sources Lowest-level resources where you can grant this role: Organization	resourcemanager.organizations.get securitycenter.sources.get securitycenter.sources.list securitycenter.sources.update securitycenter.userinterfacemetadata.get
Security Center Sources Viewer (`roles/securitycenter.sourcesViewer`) Read access to sources Lowest-level resources where you can grant this role: Project	resourcemanager.organizations.get securitycenter.sources.get securitycenter.sources.list securitycenter.userinterfacemetadata.get

Serverless VPC Access roles

Role	Permissions
Serverless VPC Access Admin (`roles/vpcaccess.admin`) Full access to all Serverless VPC Access resources	resourcemanager.projects.get resourcemanager.projects.list vpcaccess.*
Serverless VPC Access User (`roles/vpcaccess.user`) User of Serverless VPC Access connectors	compute.networks.access resourcemanager.projects.get resourcemanager.projects.list vpcaccess.connectors.get vpcaccess.connectors.list vpcaccess.connectors.use vpcaccess.locations.list vpcaccess.operations.*
Serverless VPC Access Viewer (`roles/vpcaccess.viewer`) Viewer of all Serverless VPC Access resources	resourcemanager.projects.get resourcemanager.projects.list vpcaccess.connectors.get vpcaccess.connectors.list vpcaccess.locations.list vpcaccess.operations.*

Service Accounts roles

Role	Permissions
Service Account Admin (`roles/iam.serviceAccountAdmin`) Create and manage service accounts. Lowest-level resources where you can grant this role: Service Account	iam.serviceAccounts.create iam.serviceAccounts.delete iam.serviceAccounts.disable iam.serviceAccounts.enable iam.serviceAccounts.get iam.serviceAccounts.getIamPolicy iam.serviceAccounts.list iam.serviceAccounts.setIamPolicy iam.serviceAccounts.undelete iam.serviceAccounts.update resourcemanager.projects.get resourcemanager.projects.list
Create Service Accounts (`roles/iam.serviceAccountCreator`) Access to create service accounts.	iam.serviceAccounts.create iam.serviceAccounts.get iam.serviceAccounts.list resourcemanager.projects.get resourcemanager.projects.list
Delete Service Accounts (`roles/iam.serviceAccountDeleter`) Access to delete service accounts.	iam.serviceAccounts.delete iam.serviceAccounts.get iam.serviceAccounts.list resourcemanager.projects.get resourcemanager.projects.list
Service Account Key Admin (`roles/iam.serviceAccountKeyAdmin`) Create and manage (and rotate) service account keys. Lowest-level resources where you can grant this role: Service Account	iam.serviceAccountKeys.* iam.serviceAccounts.get iam.serviceAccounts.list resourcemanager.projects.get resourcemanager.projects.list
Service Account OpenID Connect Identity Token Creator (`roles/iam.serviceAccountOpenIdTokenCreator`) Create OpenID Connect (OIDC) identity tokens	iam.serviceAccounts.getOpenIdToken
Service Account Token Creator (`roles/iam.serviceAccountTokenCreator`) Impersonate service accounts (create OAuth2 access tokens, sign blobs or JWTs, etc). Lowest-level resources where you can grant this role: Service Account	iam.serviceAccounts.get iam.serviceAccounts.getAccessToken iam.serviceAccounts.getOpenIdToken iam.serviceAccounts.implicitDelegation iam.serviceAccounts.list iam.serviceAccounts.signBlob iam.serviceAccounts.signJwt resourcemanager.projects.get resourcemanager.projects.list
Service Account User (`roles/iam.serviceAccountUser`) Run operations as the service account. Lowest-level resources where you can grant this role: Service Account	iam.serviceAccounts.actAs iam.serviceAccounts.get iam.serviceAccounts.list resourcemanager.projects.get resourcemanager.projects.list
View Service Accounts (`roles/iam.serviceAccountViewer`) Read access to service accounts, metadata, and keys.	iam.serviceAccountKeys.get iam.serviceAccountKeys.list iam.serviceAccounts.get iam.serviceAccounts.getIamPolicy iam.serviceAccounts.list resourcemanager.projects.get resourcemanager.projects.list
Workload Identity User (`roles/iam.workloadIdentityUser`) Impersonate service accounts from GKE Workloads	iam.serviceAccounts.get iam.serviceAccounts.getAccessToken iam.serviceAccounts.getOpenIdToken iam.serviceAccounts.list

Service Agents roles

Role	Permissions
Vertex AI Custom Code Service Agent (`roles/aiplatform.customCodeServiceAgent`) Gives Vertex AI Custom Code the proper permissions.	aiplatform.annotationSpecs.* aiplatform.annotations.* aiplatform.artifacts.* aiplatform.batchPredictionJobs.* aiplatform.contexts.* aiplatform.customJobs.* aiplatform.dataItems.* aiplatform.dataLabelingJobs.* aiplatform.datasets.* aiplatform.deploymentResourcePools.* aiplatform.edgeDeploymentJobs.* aiplatform.edgeDeviceDebugInfo.get aiplatform.edgeDevices.* aiplatform.endpoints.* aiplatform.entityTypes.create aiplatform.entityTypes.delete aiplatform.entityTypes.deleteFeatureValues aiplatform.entityTypes.exportFeatureValues aiplatform.entityTypes.get aiplatform.entityTypes.importFeatureValues aiplatform.entityTypes.list aiplatform.entityTypes.readFeatureValues aiplatform.entityTypes.streamingReadFeatureValues aiplatform.entityTypes.update aiplatform.entityTypes.writeFeatureValues aiplatform.executions.* aiplatform.features.* aiplatform.featurestores.batchReadFeatureValues aiplatform.featurestores.create aiplatform.featurestores.delete aiplatform.featurestores.exportFeatures aiplatform.featurestores.get aiplatform.featurestores.importFeatures aiplatform.featurestores.list aiplatform.featurestores.readFeatures aiplatform.featurestores.update aiplatform.featurestores.writeFeatures aiplatform.humanInTheLoops.* aiplatform.hyperparameterTuningJobs.* aiplatform.indexEndpoints.* aiplatform.indexes.* aiplatform.locations.* aiplatform.metadataSchemas.* aiplatform.metadataStores.* aiplatform.modelDeploymentMonitoringJobs.* aiplatform.modelEvaluationSlices.* aiplatform.modelEvaluations.* aiplatform.models.* aiplatform.nasJobs.* aiplatform.operations.list aiplatform.pipelineJobs.* aiplatform.specialistPools.* aiplatform.studies.* aiplatform.tensorboardExperiments.* aiplatform.tensorboardRuns.* aiplatform.tensorboardTimeSeries.* aiplatform.tensorboards.create aiplatform.tensorboards.delete aiplatform.tensorboards.get aiplatform.tensorboards.list aiplatform.tensorboards.update aiplatform.trainingPipelines.* aiplatform.trials.* artifactregistry.repositories.downloadArtifacts artifactregistry.repositories.get artifactregistry.repositories.list artifactregistry.tags.get artifactregistry.versions.get bigquery.datasets.create bigquery.datasets.get bigquery.jobs.create bigquery.jobs.get bigquery.readsessions.create bigquery.readsessions.getData bigquery.tables.create bigquery.tables.export bigquery.tables.get bigquery.tables.getData bigquery.tables.update bigquery.tables.updateData iam.serviceAccounts.get iam.serviceAccounts.getAccessToken iam.serviceAccounts.getOpenIdToken iam.serviceAccounts.implicitDelegation iam.serviceAccounts.list iam.serviceAccounts.signBlob iam.serviceAccounts.signJwt logging.logEntries.create resourcemanager.projects.get resourcemanager.projects.list serviceusage.services.use storage.buckets.create storage.buckets.delete storage.buckets.get storage.buckets.list storage.objects.create storage.objects.delete storage.objects.get storage.objects.list storage.objects.update
Vertex AI Service Agent (`roles/aiplatform.serviceAgent`) Gives Vertex AI the permissions it needs to function.	aiplatform.annotationSpecs.* aiplatform.annotations.* aiplatform.artifacts.* aiplatform.batchPredictionJobs.* aiplatform.contexts.* aiplatform.customJobs.* aiplatform.dataItems.* aiplatform.dataLabelingJobs.* aiplatform.datasets.* aiplatform.deploymentResourcePools.* aiplatform.edgeDeploymentJobs.* aiplatform.edgeDeviceDebugInfo.get aiplatform.edgeDevices.* aiplatform.endpoints.* aiplatform.entityTypes.create aiplatform.entityTypes.delete aiplatform.entityTypes.deleteFeatureValues aiplatform.entityTypes.exportFeatureValues aiplatform.entityTypes.get aiplatform.entityTypes.importFeatureValues aiplatform.entityTypes.list aiplatform.entityTypes.readFeatureValues aiplatform.entityTypes.streamingReadFeatureValues aiplatform.entityTypes.update aiplatform.entityTypes.writeFeatureValues aiplatform.executions.* aiplatform.features.* aiplatform.featurestores.batchReadFeatureValues aiplatform.featurestores.create aiplatform.featurestores.delete aiplatform.featurestores.exportFeatures aiplatform.featurestores.get aiplatform.featurestores.importFeatures aiplatform.featurestores.list aiplatform.featurestores.readFeatures aiplatform.featurestores.update aiplatform.featurestores.writeFeatures aiplatform.humanInTheLoops.* aiplatform.hyperparameterTuningJobs.* aiplatform.indexEndpoints.* aiplatform.indexes.* aiplatform.locations.* aiplatform.metadataSchemas.* aiplatform.metadataStores.* aiplatform.modelDeploymentMonitoringJobs.* aiplatform.modelEvaluationSlices.* aiplatform.modelEvaluations.* aiplatform.models.* aiplatform.nasJobs.* aiplatform.operations.list aiplatform.pipelineJobs.* aiplatform.specialistPools.* aiplatform.studies.* aiplatform.tensorboardExperiments.* aiplatform.tensorboardRuns.* aiplatform.tensorboardTimeSeries.* aiplatform.tensorboards.create aiplatform.tensorboards.delete aiplatform.tensorboards.get aiplatform.tensorboards.list aiplatform.tensorboards.update aiplatform.trainingPipelines.* aiplatform.trials.* artifactregistry.repositories.create artifactregistry.repositories.downloadArtifacts artifactregistry.repositories.get artifactregistry.repositories.list artifactregistry.repositories.uploadArtifacts artifactregistry.tags.get artifactregistry.versions.get automl.datasets.export automl.datasets.get automl.datasets.list automl.modelEvaluations.list automl.models.get automl.models.list automl.operations.get automl.tableSpecs.get bigquery.datasets.create bigquery.datasets.get bigquery.jobs.create bigquery.jobs.get bigquery.models.create bigquery.models.export bigquery.models.getData bigquery.readsessions.create bigquery.readsessions.getData bigquery.tables.create bigquery.tables.export bigquery.tables.get bigquery.tables.getData bigquery.tables.update bigquery.tables.updateData bigtable.tables.get bigtable.tables.list bigtable.tables.readRows compute.machineTypes.get dataflow.jobs.* dataflow.messages.list dataflow.metrics.get dataflow.snapshots.* datalabeling.annotateddatasets.get datalabeling.datasets.export datalabeling.datasets.get datalabeling.datasets.list datalabeling.operations.get iam.serviceAccounts.actAs iam.serviceAccounts.getAccessToken logging.logEntries.create ml.models.list ml.operations.get ml.versions.get ml.versions.list resourcemanager.projects.get resourcemanager.projects.list serviceusage.services.use storage.buckets.create storage.buckets.delete storage.buckets.get storage.buckets.list storage.objects.create storage.objects.delete storage.objects.get storage.objects.list storage.objects.update
AlloyDB Service Agent (`roles/alloydb.serviceAgent`) Gives the AlloyDB service account permission to manage customer resources	alloydb.clusters.list
Anthos Service Agent (`roles/anthos.serviceAgent`) Gives the Anthos service agent access to Google Cloud resources.	gkehub.features.get gkehub.locations.* gkehub.memberships.get gkehub.memberships.list serviceusage.services.get serviceusage.services.list
Anthos Audit Service Agent (`roles/anthosaudit.serviceAgent`) Gives the Anthos Audit service agent access to Cloud Platform resources.	gkehub.features.get gkehub.locations.* gkehub.memberships.get gkehub.memberships.list
Anthos Config Management Service Agent (`roles/anthosconfigmanagement.serviceAgent`) Gives the Anthos Config Management service agent access to Google Cloud resources.	container.clusters.get gkehub.features.get gkehub.locations.* gkehub.memberships.get gkehub.memberships.list
Anthos Identity Service Agent (`roles/anthosidentityservice.serviceAgent`) Gives the Anthos Identity service agent access to Google Cloud resources.	gkehub.features.get gkehub.locations.* gkehub.memberships.get gkehub.memberships.list
Anthos Service Mesh Service Agent (`roles/anthosservicemesh.serviceAgent`) Gives the Anthos Service Mesh service agent access to Cloud Platform resources.	container.backendConfigs.* container.clusterRoleBindings.* container.clusterRoles.* container.clusters.get container.clusters.update container.configMaps.* container.customResourceDefinitions.create container.customResourceDefinitions.get container.customResourceDefinitions.list container.customResourceDefinitions.update container.daemonSets.create container.daemonSets.delete container.daemonSets.get container.daemonSets.getStatus container.daemonSets.list container.daemonSets.update container.deployments.get container.deployments.list container.events.get container.events.list container.jobs.create container.jobs.delete container.jobs.get container.jobs.list container.jobs.update container.mutatingWebhookConfigurations.create container.mutatingWebhookConfigurations.get container.mutatingWebhookConfigurations.list container.mutatingWebhookConfigurations.update container.namespaces.create container.namespaces.get container.namespaces.list container.operations.get container.pods.get container.pods.list container.secrets.* container.serviceAccounts.create container.serviceAccounts.delete container.serviceAccounts.get container.serviceAccounts.list container.serviceAccounts.update container.services.get container.services.list container.thirdPartyObjects.create container.thirdPartyObjects.get container.thirdPartyObjects.list container.thirdPartyObjects.update container.validatingWebhookConfigurations.create container.validatingWebhookConfigurations.get container.validatingWebhookConfigurations.list container.validatingWebhookConfigurations.update gkehub.features.get gkehub.gateway.delete gkehub.gateway.get gkehub.gateway.patch gkehub.gateway.post gkehub.gateway.put gkehub.locations.* gkehub.memberships.get gkehub.memberships.list logging.logEntries.create meshconfig.projects.init monitoring.metricDescriptors.create monitoring.metricDescriptors.get monitoring.metricDescriptors.list monitoring.monitoredResourceDescriptors.* monitoring.timeSeries.create serviceusage.services.get serviceusage.services.use
Anthos Support Service Agent (`roles/anthossupport.serviceAgent`) Gives the Anthos Support Service Agent access to Cloud Platform resource.	gkehub.features.get gkehub.features.getIamPolicy gkehub.features.list gkehub.fleet.get gkehub.gateway.get gkehub.locations.* gkehub.memberships.generateConnectManifest gkehub.memberships.get gkehub.memberships.getIamPolicy gkehub.memberships.list gkehub.operations.get gkehub.operations.list resourcemanager.projects.get resourcemanager.projects.list serviceusage.services.get
Cloud API Gateway Service Agent (`roles/apigateway.serviceAgent`) Gives Cloud API Gateway service account access to Service Management check and reports as well as impersonation on user-specified service accounts.	iam.serviceAccounts.getAccessToken iam.serviceAccounts.getOpenIdToken servicemanagement.services.check servicemanagement.services.quota servicemanagement.services.report
Cloud API Gateway Management Service Agent (`roles/apigateway_management.serviceAgent`) Gives Cloud API Gateway service account access to retrieve a Service configuration.	iam.serviceAccounts.get servicemanagement.services.create servicemanagement.services.delete servicemanagement.services.get servicemanagement.services.list servicemanagement.services.update serviceusage.services.get
Apigee Service Agent (`roles/apigee.serviceAgent`) Service agent that grants access to Apigee resources - API Products, Developers, Developer Apps, and App Keys.	apigee.apiproducts.get apigee.apiproducts.list apigee.appkeys.create apigee.appkeys.delete apigee.appkeys.manage apigee.apps.get apigee.canaryevaluations.* apigee.developerapps.* apigee.developers.create apigee.developers.delete apigee.developers.get apigee.environments.get apigee.environments.getDataLocation apigee.environments.manageRuntime apigee.ingressconfigs.get apigee.instances.reportStatus apigee.operations.* apigee.organizations.get apigee.proxyrevisions.get apigee.runtimeconfigs.get cloudtrace.traces.patch iam.serviceAccounts.getAccessToken iam.serviceAccounts.getOpenIdToken logging.buckets.create logging.buckets.get logging.buckets.list logging.views.create logging.views.get logging.views.list monitoring.metricDescriptors.create monitoring.metricDescriptors.get monitoring.metricDescriptors.list monitoring.monitoredResourceDescriptors.* monitoring.timeSeries.create
App Development Experience Service Agent (`roles/appdevelopmentexperience.serviceAgent`) Give the App Development Experience service agent access to Cloud Platform resources.	container.clusters.get container.clusters.update gkehub.features.get gkehub.locations.* gkehub.memberships.get gkehub.memberships.list
App Engine Standard Environment Service Agent (`roles/appengine.serviceAgent`) Give App Engine Standard Envirnoment service account access to managed resources. Includes access to service accounts.	datastore.databases.get datastore.entities.create datastore.entities.delete datastore.entities.get datastore.entities.list datastore.entities.update datastore.indexes.list datastore.namespaces.* datastore.statistics.* iam.serviceAccounts.getAccessToken iam.serviceAccounts.getOpenIdToken iam.serviceAccounts.signBlob
App Engine flexible environment Service Agent (`roles/appengineflex.serviceAgent`) Can edit and manage App Engine Flexible Environment apps. Includes access to service accounts.	billing.accounts.get cloudbuild.builds.create cloudbuild.builds.get compute.addresses.create compute.addresses.delete compute.addresses.get compute.addresses.list compute.addresses.use compute.autoscalers.create compute.autoscalers.delete compute.autoscalers.get compute.autoscalers.update compute.backendServices.create compute.backendServices.delete compute.backendServices.get compute.backendServices.list compute.backendServices.update compute.backendServices.use compute.disks.list compute.firewalls.* compute.forwardingRules.create compute.forwardingRules.delete compute.forwardingRules.get compute.globalAddresses.create compute.globalAddresses.delete compute.globalAddresses.get compute.globalAddresses.use compute.globalForwardingRules.create compute.globalForwardingRules.delete compute.globalForwardingRules.get compute.globalOperations.get compute.healthChecks.create compute.healthChecks.delete compute.healthChecks.get compute.healthChecks.update compute.healthChecks.useReadOnly compute.httpHealthChecks.create compute.httpHealthChecks.delete compute.httpHealthChecks.get compute.httpHealthChecks.use compute.httpHealthChecks.useReadOnly compute.httpsHealthChecks.create compute.httpsHealthChecks.delete compute.httpsHealthChecks.get compute.httpsHealthChecks.update compute.httpsHealthChecks.use compute.httpsHealthChecks.useReadOnly compute.images.get compute.images.useReadOnly compute.instanceGroupManagers.create compute.instanceGroupManagers.delete compute.instanceGroupManagers.get compute.instanceGroupManagers.update compute.instanceGroupManagers.use compute.instanceGroups.create compute.instanceGroups.delete compute.instanceGroups.get compute.instanceGroups.update compute.instanceTemplates.create compute.instanceTemplates.delete compute.instanceTemplates.get compute.instanceTemplates.useReadOnly compute.instances.attachDisk compute.instances.create compute.instances.delete compute.instances.detachDisk compute.instances.get compute.instances.getGuestAttributes compute.instances.getSerialPortOutput compute.instances.list compute.instances.reset compute.instances.setLabels compute.instances.setMetadata compute.instances.setTags compute.instances.start compute.instances.stop compute.instances.use compute.machineTypes.get compute.networks.create compute.networks.delete compute.networks.get compute.networks.updatePolicy compute.networks.use compute.networks.useExternalIp compute.projects.get compute.projects.setCommonInstanceMetadata compute.regionBackendServices.create compute.regionBackendServices.delete compute.regionBackendServices.get compute.regionBackendServices.list compute.regionBackendServices.update compute.regionBackendServices.use compute.regionOperations.get compute.regions.get compute.routes.get compute.routes.list compute.subnetworks.delete compute.subnetworks.get compute.targetHttpProxies.create compute.targetHttpProxies.delete compute.targetHttpProxies.get compute.targetHttpProxies.use compute.targetHttpsProxies.create compute.targetHttpsProxies.delete compute.targetHttpsProxies.get compute.targetHttpsProxies.setSslCertificates compute.targetHttpsProxies.use compute.urlMaps.create compute.urlMaps.delete compute.urlMaps.get compute.urlMaps.update compute.urlMaps.use compute.zoneOperations.get compute.zoneOperations.list compute.zones.* deploymentmanager.compositeTypes.get deploymentmanager.deployments.create deploymentmanager.deployments.delete deploymentmanager.deployments.get deploymentmanager.deployments.list deploymentmanager.deployments.update deploymentmanager.manifests.* deploymentmanager.operations.* deploymentmanager.typeProviders.create deploymentmanager.typeProviders.get iam.serviceAccounts.actAs iam.serviceAccounts.get iam.serviceAccounts.getAccessToken iam.serviceAccounts.signBlob iam.serviceAccounts.signJwt logging.logEntries.create logging.logMetrics.create logging.logMetrics.delete logging.logMetrics.get logging.logMetrics.update resourcemanager.organizations.get resourcemanager.projects.get resourcemanager.projects.getIamPolicy resourcemanager.projects.setIamPolicy storage.buckets.create storage.buckets.delete storage.buckets.get storage.buckets.getIamPolicy storage.buckets.setIamPolicy storage.buckets.update storage.objects.create storage.objects.delete storage.objects.get storage.objects.getIamPolicy storage.objects.list
Artifact Registry Service Agent (`roles/artifactregistry.serviceAgent`) Gives the Artifact Registry service account access to managed resources.	artifactregistry.repositories.downloadArtifacts artifactregistry.versions.delete pubsub.topics.publish
Assured Workloads Service Agent (`roles/assuredworkloads.serviceAgent`) Gives the Assured Workloads service account access to create KMS keyrings and keys, and to monitor Assured Workloads.	cloudkms.cryptoKeys.create cloudkms.keyRings.create serviceusage.services.enable serviceusage.services.use
AutoML Service Agent (`roles/automl.serviceAgent`) AutoML service agent can act as Cloud Storage admin and export BigQuery tables, which can be backed by Cloud Storage and Cloud Bigtable.	bigquery.datasets.create bigquery.datasets.get bigquery.jobs.create bigquery.tables.create bigquery.tables.export bigquery.tables.get bigquery.tables.getData bigquery.tables.update bigquery.tables.updateData bigtable.tables.get bigtable.tables.list bigtable.tables.readRows serviceusage.services.use storage.buckets.get storage.objects.create storage.objects.delete storage.objects.get storage.objects.list storage.objects.update
Recommendations AI Service Agent (`roles/automlrecommendations.serviceAgent`) Recommendations AI service uploads catalog feeds from Cloud Storage, reports results to the customer Cloud Storage bucket, writes logs to customer projects, and writes and reads Stackdriver metrics for customer projects.	bigquery.datasets.create bigquery.datasets.get bigquery.jobs.create bigquery.jobs.get bigquery.jobs.list bigquery.jobs.update bigquery.tables.create bigquery.tables.export bigquery.tables.get bigquery.tables.getData bigquery.tables.list bigquery.tables.update bigquery.tables.updateData cloudnotifications.activities.list dataflow.jobs.* dataflow.messages.list dataflow.metrics.get logging.logEntries.create monitoring.alertPolicies.get monitoring.alertPolicies.list monitoring.dashboards.get monitoring.dashboards.list monitoring.groups.get monitoring.groups.list monitoring.metricDescriptors.create monitoring.metricDescriptors.get monitoring.metricDescriptors.list monitoring.monitoredResourceDescriptors.* monitoring.notificationChannelDescriptors.* monitoring.notificationChannels.get monitoring.notificationChannels.list monitoring.publicWidgets.get monitoring.publicWidgets.list monitoring.services.get monitoring.services.list monitoring.slos.get monitoring.slos.list monitoring.timeSeries.* monitoring.uptimeCheckConfigs.get monitoring.uptimeCheckConfigs.list opsconfigmonitoring.resourceMetadata.list resourcemanager.projects.get resourcemanager.projects.list stackdriver.projects.get storage.buckets.create storage.buckets.get storage.objects.create storage.objects.delete storage.objects.get storage.objects.list storage.objects.update
Google Batch Service Agent (`roles/batch.serviceAgent`) Gives Google Batch account access to manage customer resources.	compute.acceleratorTypes.* compute.addresses.createInternal compute.addresses.deleteInternal compute.addresses.get compute.addresses.list compute.addresses.use compute.addresses.useInternal compute.autoscalers.* compute.diskTypes.* compute.disks.create compute.disks.createSnapshot compute.disks.delete compute.disks.get compute.disks.list compute.disks.resize compute.disks.setLabels compute.disks.update compute.disks.use compute.disks.useReadOnly compute.globalAddresses.get compute.globalAddresses.list compute.globalAddresses.use compute.globalNetworkEndpointGroups.* compute.globalOperations.get compute.globalOperations.list compute.images.get compute.images.getFromFamily compute.images.list compute.images.useReadOnly compute.instanceGroupManagers.* compute.instanceGroups.* compute.instanceTemplates.create compute.instanceTemplates.delete compute.instanceTemplates.get compute.instanceTemplates.getIamPolicy compute.instanceTemplates.list compute.instanceTemplates.useReadOnly compute.instances.addAccessConfig compute.instances.addMaintenancePolicies compute.instances.addResourcePolicies compute.instances.attachDisk compute.instances.create compute.instances.createTagBinding compute.instances.delete compute.instances.deleteAccessConfig compute.instances.deleteTagBinding compute.instances.detachDisk compute.instances.get compute.instances.getEffectiveFirewalls compute.instances.getGuestAttributes compute.instances.getIamPolicy compute.instances.getScreenshot compute.instances.getSerialPortOutput compute.instances.getShieldedInstanceIdentity compute.instances.getShieldedVmIdentity compute.instances.list compute.instances.listEffectiveTags compute.instances.listReferrers compute.instances.listTagBindings compute.instances.osAdminLogin compute.instances.osLogin compute.instances.removeMaintenancePolicies compute.instances.removeResourcePolicies compute.instances.reset compute.instances.resume compute.instances.sendDiagnosticInterrupt compute.instances.setDeletionProtection compute.instances.setDiskAutoDelete compute.instances.setLabels compute.instances.setMachineResources compute.instances.setMachineType compute.instances.setMetadata compute.instances.setMinCpuPlatform compute.instances.setScheduling compute.instances.setServiceAccount compute.instances.setShieldedInstanceIntegrityPolicy compute.instances.setShieldedVmIntegrityPolicy compute.instances.setTags compute.instances.start compute.instances.startWithEncryptionKey compute.instances.stop compute.instances.suspend compute.instances.update compute.instances.updateAccessConfig compute.instances.updateDisplayDevice compute.instances.updateNetworkInterface compute.instances.updateSecurity compute.instances.updateShieldedInstanceConfig compute.instances.updateShieldedVmConfig compute.instances.use compute.instances.useReadOnly compute.licenses.get compute.licenses.list compute.machineImages.create compute.machineImages.delete compute.machineImages.get compute.machineImages.getIamPolicy compute.machineImages.list compute.machineImages.useReadOnly compute.machineTypes.* compute.networkEndpointGroups.attachNetworkEndpoints compute.networkEndpointGroups.create compute.networkEndpointGroups.delete compute.networkEndpointGroups.detachNetworkEndpoints compute.networkEndpointGroups.get compute.networkEndpointGroups.getIamPolicy compute.networkEndpointGroups.list compute.networkEndpointGroups.use compute.networks.get compute.networks.list compute.networks.use compute.networks.useExternalIp compute.projects.get compute.regionNetworkEndpointGroups.* compute.regionOperations.get compute.regionOperations.list compute.regions.* compute.reservations.get compute.reservations.list compute.subnetworks.get compute.subnetworks.list compute.subnetworks.use compute.subnetworks.useExternalIp compute.targetPools.get compute.targetPools.list compute.zoneOperations.get compute.zoneOperations.list compute.zones.* iam.serviceAccounts.actAs pubsub.topics.publish resourcemanager.projects.get resourcemanager.projects.list serviceusage.quotas.get serviceusage.services.get serviceusage.services.list serviceusage.services.use
BigQuery Connection Service Agent (`roles/bigqueryconnection.serviceAgent`) Gives BigQuery Connection Service access to Cloud SQL instances in user projects.	cloudsql.instances.connect cloudsql.instances.get logging.logEntries.create monitoring.metricDescriptors.create monitoring.metricDescriptors.get monitoring.metricDescriptors.list monitoring.monitoredResourceDescriptors.* monitoring.timeSeries.create
BigQuery Data Transfer Service Agent (`roles/bigquerydatatransfer.serviceAgent`) Gives BigQuery Data Transfer Service access to start BigQuery jobs in consumer project.	bigquery.config.get bigquery.jobs.create iam.serviceAccounts.getAccessToken logging.logEntries.create resourcemanager.projects.get resourcemanager.projects.list
Binary Authorization Service Agent (`roles/binaryauthorization.serviceAgent`) Can read Notes and Occurrences from the Container Analysis Service to find and verify signatures.	binaryauthorization.attestors.get binaryauthorization.attestors.list binaryauthorization.attestors.verifyImageAttested cloudasset.assets.exportResource cloudasset.feeds.create cloudasset.feeds.delete cloudasset.feeds.get cloudasset.feeds.update containeranalysis.notes.get containeranalysis.notes.list containeranalysis.notes.listOccurrences containeranalysis.occurrences.get containeranalysis.occurrences.list resourcemanager.projects.get resourcemanager.projects.list
Cloud Asset Service Agent (`roles/cloudasset.serviceAgent`) Gives Cloud Asset service agent permissions to Cloud Storage and BigQuery for exporting Assets, and permission to publish to Cloud Pub/Sub topics for Asset Real Time Feed.	bigquery.datasets.get bigquery.jobs.create bigquery.jobs.get bigquery.tables.create bigquery.tables.delete bigquery.tables.get bigquery.tables.update bigquery.tables.updateData pubsub.topics.publish storage.buckets.create storage.buckets.get storage.buckets.getIamPolicy storage.objects.create storage.objects.delete storage.objects.get
Cloud Build Service Agent (`roles/cloudbuild.serviceAgent`) Gives Cloud Build service account access to managed resources.	artifactregistry.aptartifacts.create artifactregistry.dockerimages.* artifactregistry.files.* artifactregistry.locations.* artifactregistry.mavenartifacts.* artifactregistry.npmpackages.* artifactregistry.packages.get artifactregistry.packages.list artifactregistry.pythonpackages.* artifactregistry.repositories.downloadArtifacts artifactregistry.repositories.get artifactregistry.repositories.list artifactregistry.repositories.listEffectiveTags artifactregistry.repositories.listTagBindings artifactregistry.repositories.uploadArtifacts artifactregistry.tags.create artifactregistry.tags.get artifactregistry.tags.list artifactregistry.tags.update artifactregistry.versions.get artifactregistry.versions.list artifactregistry.yumartifacts.create binaryauthorization.attestors.create binaryauthorization.attestors.delete binaryauthorization.attestors.get binaryauthorization.attestors.list binaryauthorization.attestors.update binaryauthorization.attestors.verifyImageAttested cloudbuild.builds.create cloudbuild.builds.get cloudbuild.builds.list cloudbuild.builds.update cloudbuild.workerpools.use compute.firewalls.get compute.firewalls.list compute.networks.get compute.subnetworks.get containeranalysis.notes.attachOccurrence containeranalysis.notes.create containeranalysis.notes.delete containeranalysis.notes.get containeranalysis.notes.list containeranalysis.notes.update containeranalysis.occurrences.create containeranalysis.occurrences.delete containeranalysis.occurrences.get containeranalysis.occurrences.list containeranalysis.occurrences.update iam.serviceAccounts.get iam.serviceAccounts.getAccessToken logging.logEntries.create logging.logEntries.list logging.privateLogEntries.list logging.views.access pubsub.subscriptions.create pubsub.subscriptions.delete pubsub.subscriptions.get pubsub.subscriptions.update pubsub.topics.attachSubscription pubsub.topics.create pubsub.topics.publish remotebuildexecution.blobs.get resourcemanager.projects.get resourcemanager.projects.list serviceusage.services.use source.repos.get source.repos.list storage.buckets.create storage.buckets.get storage.buckets.list storage.objects.create storage.objects.delete storage.objects.get storage.objects.list storage.objects.update
Cloud Deploy Service Agent (`roles/clouddeploy.serviceAgent`) Gives Cloud Deploy Service Account access to managed resources.	cloudbuild.builds.create cloudbuild.builds.get cloudbuild.builds.list cloudbuild.workerpools.use iam.serviceAccounts.actAs logging.logEntries.create pubsub.topics.get pubsub.topics.publish servicemanagement.services.report serviceusage.services.use storage.buckets.create storage.buckets.get
Cloud Functions Service Agent (`roles/cloudfunctions.serviceAgent`) Gives Cloud Functions service account access to managed resources.	artifactregistry.* clientauthconfig.clients.list cloudbuild.builds.create cloudbuild.builds.get cloudbuild.builds.list cloudbuild.builds.update cloudbuild.workerpools.use cloudfunctions.functions.get cloudfunctions.functions.invoke cloudfunctions.functions.list cloudfunctions.operations.* compute.globalOperations.get compute.networks.access eventarc.channelConnections.create eventarc.channelConnections.delete eventarc.channelConnections.get eventarc.channelConnections.getIamPolicy eventarc.channelConnections.list eventarc.channelConnections.publish eventarc.channels.attach eventarc.channels.create eventarc.channels.delete eventarc.channels.get eventarc.channels.getIamPolicy eventarc.channels.list eventarc.channels.publish eventarc.channels.undelete eventarc.channels.update eventarc.googleChannelConfigs.* eventarc.locations.* eventarc.operations.* eventarc.triggers.create eventarc.triggers.delete eventarc.triggers.get eventarc.triggers.getIamPolicy eventarc.triggers.list eventarc.triggers.undelete eventarc.triggers.update firebasedatabase.instances.get firebasedatabase.instances.update iam.serviceAccounts.actAs iam.serviceAccounts.getAccessToken iam.serviceAccounts.getOpenIdToken iam.serviceAccounts.signBlob pubsub.subscriptions.* pubsub.topics.attachSubscription pubsub.topics.create pubsub.topics.get pubsub.topics.list recommender.locations.* recommender.runServiceIdentityInsights.* recommender.runServiceIdentityRecommendations.* remotebuildexecution.blobs.get resourcemanager.projects.get resourcemanager.projects.getIamPolicy resourcemanager.projects.list run.configurations.* run.executions.* run.jobs.create run.jobs.delete run.jobs.get run.jobs.getIamPolicy run.jobs.list run.jobs.run run.jobs.update run.locations.list run.operations.* run.revisions.* run.routes.* run.services.create run.services.delete run.services.get run.services.getIamPolicy run.services.list run.services.listEffectiveTags run.services.listTagBindings run.services.update run.tasks.* serviceusage.quotas.get serviceusage.services.disable serviceusage.services.enable serviceusage.services.use source.repos.get source.repos.list storage.buckets.create storage.buckets.delete storage.buckets.get storage.buckets.update storage.objects.create storage.objects.delete storage.objects.get storage.objects.list vpcaccess.connectors.get vpcaccess.connectors.use
Cloud IoT Core Service Agent (`roles/cloudiot.serviceAgent`) Grants the ability to manage Cloud IoT Core resources, including publishing data to Cloud Pub/Sub and writing device activity logs to Stackdriver. Warning: If this role is removed from the Cloud IoT service account, Cloud IoT Core will be unable to publish data or write device activity logs.	logging.logEntries.create pubsub.topics.publish
Cloud KMS Service Agent (`roles/cloudkms.serviceAgent`) Gives Cloud KMS service account access to managed resources.	cloudasset.assets.listCloudkmsCryptoKeys
Cloud Optimization Service Agent (`roles/cloudoptimization.serviceAgent`) Grants Cloud Optimization Service Account access to read and write data in the user project.	storage.buckets.get storage.objects.create storage.objects.delete storage.objects.get storage.objects.list storage.objects.update
Cloud Scheduler Service Agent (`roles/cloudscheduler.serviceAgent`) Grants Cloud Scheduler Service Account access to manage resources.	iam.serviceAccounts.getAccessToken iam.serviceAccounts.getOpenIdToken logging.logEntries.create pubsub.topics.publish
Cloud SQL Service Agent (`roles/cloudsql.serviceAgent`) Grants Cloud SQL access to services and APIs in the user project	cloudsql.instances.get
Cloud Tasks Service Agent (`roles/cloudtasks.serviceAgent`) Grants Cloud Tasks Service Account access to manage resources.	iam.serviceAccounts.getAccessToken iam.serviceAccounts.getOpenIdToken logging.logEntries.create
Cloud TPU V2 API Service Agent (`roles/cloudtpu.serviceAgent`) Give Cloud TPUs service account access to managed resources	compute.acceleratorTypes.* compute.addresses.* compute.autoscalers.* compute.backendBuckets.* compute.backendServices.* compute.diskTypes.* compute.disks.* compute.externalVpnGateways.* compute.firewallPolicies.get compute.firewallPolicies.list compute.firewallPolicies.use compute.firewalls.* compute.forwardingRules.* compute.globalAddresses.* compute.globalForwardingRules.* compute.globalNetworkEndpointGroups.* compute.globalOperations.get compute.globalOperations.list compute.globalPublicDelegatedPrefixes.delete compute.globalPublicDelegatedPrefixes.get compute.globalPublicDelegatedPrefixes.list compute.globalPublicDelegatedPrefixes.update compute.globalPublicDelegatedPrefixes.updatePolicy compute.healthChecks.* compute.httpHealthChecks.* compute.httpsHealthChecks.* compute.images.* compute.instanceGroupManagers.* compute.instanceGroups.* compute.instanceTemplates.* compute.instances.* compute.interconnectAttachments.* compute.interconnectLocations.* compute.interconnects.* compute.licenseCodes.* compute.licenses.* compute.machineImages.* compute.machineTypes.* compute.networkEndpointGroups.* compute.networks.* compute.packetMirrorings.get compute.packetMirrorings.list compute.projects.get compute.projects.setCommonInstanceMetadata compute.publicDelegatedPrefixes.delete compute.publicDelegatedPrefixes.get compute.publicDelegatedPrefixes.list compute.publicDelegatedPrefixes.update compute.publicDelegatedPrefixes.updatePolicy compute.regionBackendServices.* compute.regionFirewallPolicies.get compute.regionFirewallPolicies.list compute.regionFirewallPolicies.use compute.regionHealthCheckServices.* compute.regionHealthChecks.* compute.regionNetworkEndpointGroups.* compute.regionNotificationEndpoints.* compute.regionOperations.get compute.regionOperations.list compute.regionSslCertificates.get compute.regionSslCertificates.list compute.regionTargetHttpProxies.* compute.regionTargetHttpsProxies.* compute.regionUrlMaps.* compute.regions.* compute.reservations.get compute.reservations.list compute.resourcePolicies.* compute.routers.* compute.routes.* compute.securityPolicies.get compute.securityPolicies.list compute.securityPolicies.use compute.serviceAttachments.* compute.snapshots.* compute.sslCertificates.get compute.sslCertificates.list compute.sslPolicies.* compute.subnetworks.* compute.targetGrpcProxies.* compute.targetHttpProxies.* compute.targetHttpsProxies.* compute.targetInstances.* compute.targetPools.* compute.targetSslProxies.* compute.targetTcpProxies.* compute.targetVpnGateways.* compute.urlMaps.* compute.vpnGateways.* compute.vpnTunnels.* compute.zoneOperations.get compute.zoneOperations.list compute.zones.* iam.serviceAccounts.actAs iam.serviceAccounts.get iam.serviceAccounts.list logging.logEntries.create monitoring.metricDescriptors.create monitoring.metricDescriptors.get monitoring.metricDescriptors.list monitoring.monitoredResourceDescriptors.* monitoring.timeSeries.create networkconnectivity.locations.* networkconnectivity.operations.* networksecurity.* networkservices.* pubsub.* resourcemanager.projects.get resourcemanager.projects.list servicedirectory.namespaces.create servicedirectory.namespaces.delete servicedirectory.services.create servicedirectory.services.delete servicenetworking.operations.get servicenetworking.services.addPeering servicenetworking.services.createPeeredDnsDomain servicenetworking.services.deletePeeredDnsDomain servicenetworking.services.get servicenetworking.services.listPeeredDnsDomains serviceusage.quotas.get serviceusage.services.get serviceusage.services.list trafficdirector.*
Cloud Translation API Service Agent (`roles/cloudtranslate.serviceAgent`) Gives Cloud Translation Service Account access to consumer resources.	automl.datasets.export automl.datasets.get automl.datasets.list automl.models.get automl.models.list automl.operations.get storage.buckets.get storage.objects.create storage.objects.get storage.objects.list
Compliance Scanning Service Agent (`roles/compliancescanning.ServiceAgent`) Gives Compliance Scanning the access it needs to analyze containers and VMs for compliance and create occurrences using the Container Analysis API	artifactregistry.dockerimages.* artifactregistry.files.* artifactregistry.locations.* artifactregistry.mavenartifacts.* artifactregistry.npmpackages.* artifactregistry.packages.get artifactregistry.packages.list artifactregistry.pythonpackages.* artifactregistry.repositories.downloadArtifacts artifactregistry.repositories.get artifactregistry.repositories.list artifactregistry.repositories.listEffectiveTags artifactregistry.repositories.listTagBindings artifactregistry.tags.get artifactregistry.tags.list artifactregistry.versions.get artifactregistry.versions.list compute.images.get compute.images.list compute.images.useReadOnly compute.instances.get compute.instances.getGuestAttributes compute.instances.list compute.zones.* containeranalysis.notes.attachOccurrence containeranalysis.notes.create containeranalysis.notes.delete containeranalysis.notes.get containeranalysis.notes.list containeranalysis.notes.update containeranalysis.occurrences.create containeranalysis.occurrences.delete containeranalysis.occurrences.get containeranalysis.occurrences.list containeranalysis.occurrences.update resourcemanager.projects.get resourcemanager.projects.list storage.objects.get storage.objects.list
Cloud Composer API Service Agent (`roles/composer.serviceAgent`) Cloud Composer API service agent can manage environments.	appengine.applications.get appengine.applications.update appengine.instances.* appengine.memcache.addKey appengine.memcache.flush appengine.memcache.get appengine.memcache.update appengine.operations.* appengine.runtimes.actAsAdmin appengine.services.* appengine.versions.create appengine.versions.delete appengine.versions.get appengine.versions.list appengine.versions.update artifactregistry.repositories.create artifactregistry.repositories.delete artifactregistry.repositories.get artifactregistry.repositories.list artifactregistry.repositories.update cloudnotifications.activities.list cloudsql.* compute.acceleratorTypes.* compute.addresses.* compute.autoscalers.* compute.backendBuckets.* compute.backendServices.* compute.diskTypes.* compute.disks.* compute.externalVpnGateways.* compute.firewallPolicies.get compute.firewallPolicies.list compute.firewallPolicies.use compute.firewalls.get compute.firewalls.list compute.forwardingRules.* compute.globalAddresses.* compute.globalForwardingRules.* compute.globalNetworkEndpointGroups.* compute.globalOperations.get compute.globalOperations.list compute.globalPublicDelegatedPrefixes.delete compute.globalPublicDelegatedPrefixes.get compute.globalPublicDelegatedPrefixes.list compute.globalPublicDelegatedPrefixes.update compute.globalPublicDelegatedPrefixes.updatePolicy compute.healthChecks.* compute.httpHealthChecks.* compute.httpsHealthChecks.* compute.images.* compute.instanceGroupManagers.* compute.instanceGroups.* compute.instanceTemplates.* compute.instances.* compute.interconnectAttachments.* compute.interconnectLocations.* compute.interconnects.* compute.licenseCodes.* compute.licenses.* compute.machineImages.* compute.machineTypes.* compute.networkEndpointGroups.* compute.networks.* compute.packetMirrorings.get compute.packetMirrorings.list compute.projects.get compute.projects.setCommonInstanceMetadata compute.publicDelegatedPrefixes.delete compute.publicDelegatedPrefixes.get compute.publicDelegatedPrefixes.list compute.publicDelegatedPrefixes.update compute.publicDelegatedPrefixes.updatePolicy compute.regionBackendServices.* compute.regionFirewallPolicies.get compute.regionFirewallPolicies.list compute.regionFirewallPolicies.use compute.regionHealthCheckServices.* compute.regionHealthChecks.* compute.regionNetworkEndpointGroups.* compute.regionNotificationEndpoints.* compute.regionOperations.get compute.regionOperations.list compute.regionSslCertificates.get compute.regionSslCertificates.list compute.regionTargetHttpProxies.* compute.regionTargetHttpsProxies.* compute.regionUrlMaps.* compute.regions.* compute.reservations.get compute.reservations.list compute.resourcePolicies.* compute.routers.* compute.routes.* compute.securityPolicies.get compute.securityPolicies.list compute.securityPolicies.use compute.serviceAttachments.* compute.snapshots.* compute.sslCertificates.get compute.sslCertificates.list compute.sslPolicies.* compute.subnetworks.* compute.targetGrpcProxies.* compute.targetHttpProxies.* compute.targetHttpsProxies.* compute.targetInstances.* compute.targetPools.* compute.targetSslProxies.* compute.targetTcpProxies.* compute.targetVpnGateways.* compute.urlMaps.* compute.vpnGateways.* compute.vpnTunnels.* compute.zoneOperations.get compute.zoneOperations.list compute.zones.* container.* deploymentmanager.compositeTypes.* deploymentmanager.deployments.cancelPreview deploymentmanager.deployments.create deploymentmanager.deployments.delete deploymentmanager.deployments.get deploymentmanager.deployments.list deploymentmanager.deployments.stop deploymentmanager.deployments.update deploymentmanager.manifests.* deploymentmanager.operations.* deploymentmanager.resources.* deploymentmanager.typeProviders.* deploymentmanager.types.* firebase.projects.get iam.serviceAccounts.actAs iam.serviceAccounts.get iam.serviceAccounts.list logging.buckets.create logging.buckets.delete logging.buckets.get logging.buckets.list logging.buckets.undelete logging.buckets.update logging.cmekSettings.* logging.exclusions.* logging.links.* logging.locations.* logging.logEntries.create logging.logMetrics.* logging.logServiceIndexes.list logging.logServices.list logging.logs.list logging.notificationRules.* logging.operations.* logging.sinks.* logging.views.create logging.views.delete logging.views.get logging.views.list logging.views.update monitoring.alertPolicies.get monitoring.alertPolicies.list monitoring.dashboards.get monitoring.dashboards.list monitoring.groups.get monitoring.groups.list monitoring.metricDescriptors.create monitoring.metricDescriptors.get monitoring.metricDescriptors.list monitoring.monitoredResourceDescriptors.* monitoring.notificationChannelDescriptors.* monitoring.notificationChannels.get monitoring.notificationChannels.list monitoring.publicWidgets.get monitoring.publicWidgets.list monitoring.services.get monitoring.services.list monitoring.slos.get monitoring.slos.list monitoring.timeSeries.* monitoring.uptimeCheckConfigs.get monitoring.uptimeCheckConfigs.list networkconnectivity.locations.* networkconnectivity.operations.* networksecurity.* networkservices.* opsconfigmonitoring.resourceMetadata.list orgpolicy.policy.get pubsub.* recommender.cloudsqlIdleInstanceRecommendations.* recommender.cloudsqlInstanceActivityInsights.* recommender.cloudsqlInstanceCpuUsageInsights.* recommender.cloudsqlInstanceDiskUsageTrendInsights.* recommender.cloudsqlInstanceMemoryUsageInsights.* recommender.cloudsqlInstanceOutOfDiskRecommendations.* recommender.cloudsqlInstancePerformanceInsights.* recommender.cloudsqlInstancePerformanceRecommendations.* recommender.cloudsqlInstanceSecurityInsights.* recommender.cloudsqlInstanceSecurityRecommendations.* recommender.cloudsqlOverprovisionedInstanceRecommendations.* resourcemanager.projects.get resourcemanager.projects.getIamPolicy resourcemanager.projects.list servicedirectory.namespaces.create servicedirectory.namespaces.delete servicedirectory.services.create servicedirectory.services.delete servicenetworking.operations.get servicenetworking.services.addPeering servicenetworking.services.createPeeredDnsDomain servicenetworking.services.deletePeeredDnsDomain servicenetworking.services.get servicenetworking.services.listPeeredDnsDomains serviceusage.quotas.get serviceusage.services.get serviceusage.services.list stackdriver.projects.get storage.buckets.* storage.multipartUploads.* storage.objects.* trafficdirector.*
Compute Engine Service Agent (`roles/compute.serviceAgent`) Gives Compute Engine Service Account access to assert service account authority. Includes access to service accounts.	cloudnotifications.activities.list compute.addresses.use compute.addresses.useInternal compute.disks.create compute.disks.setLabels compute.disks.use compute.disks.useReadOnly compute.images.useReadOnly compute.instanceGroupManagers.get compute.instanceTemplates.useReadOnly compute.instances.create compute.instances.createTagBinding compute.instances.setDeletionProtection compute.instances.setLabels compute.instances.setMetadata compute.instances.setServiceAccount compute.instances.setTags compute.instances.updateDisplayDevice compute.machineImages.useReadOnly compute.networks.use compute.networks.useExternalIp compute.resourcePolicies.use compute.snapshots.useReadOnly compute.subnetworks.use compute.subnetworks.useExternalIp iam.serviceAccounts.getAccessToken iam.serviceAccounts.getOpenIdToken iam.serviceAccounts.signJwt logging.logEntries.create monitoring.alertPolicies.get monitoring.alertPolicies.list monitoring.dashboards.get monitoring.dashboards.list monitoring.groups.get monitoring.groups.list monitoring.metricDescriptors.get monitoring.metricDescriptors.list monitoring.monitoredResourceDescriptors.* monitoring.notificationChannelDescriptors.* monitoring.notificationChannels.get monitoring.notificationChannels.list monitoring.publicWidgets.get monitoring.publicWidgets.list monitoring.services.get monitoring.services.list monitoring.slos.get monitoring.slos.list monitoring.timeSeries.list monitoring.uptimeCheckConfigs.get monitoring.uptimeCheckConfigs.list opsconfigmonitoring.resourceMetadata.list resourcemanager.projects.get resourcemanager.projects.list stackdriver.projects.get storage.objects.create storage.objects.get storage.objects.list storage.objects.update
Contact Center AI Insights Service Agent (`roles/contactcenterinsights.serviceAgent`) Allows Contact Center AI to read and write APIs including BigQuery, Dialogflow, and Storage.	bigquery.datasets.create bigquery.datasets.get bigquery.jobs.create bigquery.jobs.get bigquery.tables.create bigquery.tables.get bigquery.tables.update bigquery.tables.updateData datalabeling.dataitems.* datalabeling.datasets.create datalabeling.datasets.delete datalabeling.datasets.export datalabeling.datasets.get datalabeling.datasets.import datalabeling.operations.get datalabeling.operations.list dialogflow.conversationDatasets.* dialogflow.conversationModels.* dialogflow.documents.* dialogflow.operations.get dialogflow.participants.suggest dialogflow.sessions.detectIntent pubsub.topics.get pubsub.topics.publish storage.objects.get storage.objects.list
Kubernetes Engine Node Service Agent (`roles/container.nodeServiceAgent`) Minimal set of permission required by a GKE node to support standard capabilities such as logging and monitoring export, and image pulls.	autoscaling.sites.writeMetrics logging.logEntries.create monitoring.metricDescriptors.create monitoring.metricDescriptors.list monitoring.timeSeries.create resourcemanager.projects.get resourcemanager.projects.list storage.objects.get storage.objects.list
Kubernetes Engine Service Agent (`roles/container.serviceAgent`) Gives Kubernetes Engine account access to manage cluster resources. Includes access to service accounts.	bigquery.datasets.create bigquery.datasets.get bigquery.tables.create bigquery.tables.get bigquery.tables.update bigquery.tables.updateData binaryauthorization.policy.evaluatePolicy certificatemanager.certmapentries.create certificatemanager.certmapentries.delete certificatemanager.certmapentries.get certificatemanager.certmapentries.getIamPolicy certificatemanager.certmapentries.list certificatemanager.certmapentries.update certificatemanager.certmaps.create certificatemanager.certmaps.delete certificatemanager.certmaps.get certificatemanager.certmaps.getIamPolicy certificatemanager.certmaps.list certificatemanager.certmaps.update certificatemanager.certmaps.use certificatemanager.certs.create certificatemanager.certs.delete certificatemanager.certs.get certificatemanager.certs.getIamPolicy certificatemanager.certs.list certificatemanager.certs.update certificatemanager.certs.use certificatemanager.dnsauthorizations.create certificatemanager.dnsauthorizations.delete certificatemanager.dnsauthorizations.get certificatemanager.dnsauthorizations.getIamPolicy certificatemanager.dnsauthorizations.list certificatemanager.dnsauthorizations.update certificatemanager.dnsauthorizations.use compute.acceleratorTypes.* compute.addresses.* compute.autoscalers.* compute.backendBuckets.* compute.backendServices.* compute.diskTypes.* compute.disks.* compute.externalVpnGateways.* compute.firewallPolicies.* compute.firewalls.* compute.forwardingRules.* compute.globalAddresses.* compute.globalForwardingRules.* compute.globalNetworkEndpointGroups.* compute.globalOperations.get compute.globalOperations.list compute.globalPublicDelegatedPrefixes.delete compute.globalPublicDelegatedPrefixes.get compute.globalPublicDelegatedPrefixes.list compute.globalPublicDelegatedPrefixes.update compute.globalPublicDelegatedPrefixes.updatePolicy compute.healthChecks.* compute.httpHealthChecks.* compute.httpsHealthChecks.* compute.images.* compute.instanceGroupManagers.* compute.instanceGroups.* compute.instanceTemplates.* compute.instances.* compute.interconnectAttachments.* compute.interconnectLocations.* compute.interconnects.* compute.licenseCodes.* compute.licenses.* compute.machineImages.* compute.machineTypes.* compute.networkEndpointGroups.* compute.networks.* compute.nodeGroups.get compute.packetMirrorings.* compute.projects.get compute.projects.setCommonInstanceMetadata compute.publicDelegatedPrefixes.delete compute.publicDelegatedPrefixes.get compute.publicDelegatedPrefixes.list compute.publicDelegatedPrefixes.update compute.publicDelegatedPrefixes.updatePolicy compute.regionBackendServices.* compute.regionFirewallPolicies.* compute.regionHealthCheckServices.* compute.regionHealthChecks.* compute.regionNetworkEndpointGroups.* compute.regionNotificationEndpoints.* compute.regionOperations.get compute.regionOperations.list compute.regionSslCertificates.* compute.regionTargetHttpProxies.* compute.regionTargetHttpsProxies.* compute.regionUrlMaps.* compute.regions.* compute.reservations.get compute.reservations.list compute.resourcePolicies.* compute.routers.* compute.routes.* compute.securityPolicies.* compute.serviceAttachments.* compute.snapshots.* compute.sslCertificates.* compute.sslPolicies.* compute.subnetworks.* compute.targetGrpcProxies.* compute.targetHttpProxies.* compute.targetHttpsProxies.* compute.targetInstances.* compute.targetPools.* compute.targetSslProxies.* compute.targetTcpProxies.* compute.targetVpnGateways.* compute.urlMaps.* compute.vpnGateways.* compute.vpnTunnels.* compute.zoneOperations.get compute.zoneOperations.list compute.zones.* container.* dns.changes.* dns.dnsKeys.* dns.managedZoneOperations.* dns.managedZones.create dns.managedZones.delete dns.managedZones.get dns.managedZones.getIamPolicy dns.managedZones.list dns.managedZones.update dns.networks.* dns.policies.create dns.policies.delete dns.policies.get dns.policies.getIamPolicy dns.policies.list dns.policies.update dns.projects.get dns.resourceRecordSets.* dns.responsePolicies.* dns.responsePolicyRules.* file.* iam.serviceAccounts.actAs iam.serviceAccounts.get logging.logEntries.create meshconfig.projects.get monitoring.metricDescriptors.create monitoring.metricDescriptors.get monitoring.metricDescriptors.list monitoring.timeSeries.* networkconnectivity.locations.* networkconnectivity.operations.* networksecurity.* networkservices.* pubsub.topics.create pubsub.topics.get pubsub.topics.publish resourcemanager.projects.get resourcemanager.projects.list servicedirectory.namespaces.create servicedirectory.namespaces.delete servicedirectory.services.create servicedirectory.services.delete servicenetworking.operations.get servicenetworking.services.addPeering servicenetworking.services.createPeeredDnsDomain servicenetworking.services.deletePeeredDnsDomain servicenetworking.services.get servicenetworking.services.listPeeredDnsDomains serviceusage.quotas.get serviceusage.services.get serviceusage.services.list serviceusage.services.use tpu.locations.* tpu.nodes.create tpu.nodes.delete tpu.nodes.get tpu.nodes.list tpu.operations.* trafficdirector.*
Container Analysis Service Agent (`roles/containeranalysis.ServiceAgent`) Gives Container Analysis API the access it needs to function	artifactregistry.dockerimages.* artifactregistry.files.* artifactregistry.locations.* artifactregistry.mavenartifacts.* artifactregistry.npmpackages.* artifactregistry.packages.get artifactregistry.packages.list artifactregistry.pythonpackages.* artifactregistry.repositories.downloadArtifacts artifactregistry.repositories.get artifactregistry.repositories.list artifactregistry.repositories.listEffectiveTags artifactregistry.repositories.listTagBindings artifactregistry.tags.get artifactregistry.tags.list artifactregistry.versions.get artifactregistry.versions.list containeranalysis.occurrences.create containeranalysis.occurrences.delete containeranalysis.occurrences.get containeranalysis.occurrences.list containeranalysis.occurrences.update pubsub.schemas.attach pubsub.schemas.create pubsub.schemas.delete pubsub.schemas.get pubsub.schemas.list pubsub.schemas.validate pubsub.snapshots.create pubsub.snapshots.delete pubsub.snapshots.get pubsub.snapshots.list pubsub.snapshots.seek pubsub.snapshots.update pubsub.subscriptions.consume pubsub.subscriptions.create pubsub.subscriptions.delete pubsub.subscriptions.get pubsub.subscriptions.list pubsub.subscriptions.update pubsub.topics.attachSubscription pubsub.topics.create pubsub.topics.delete pubsub.topics.detachSubscription pubsub.topics.get pubsub.topics.list pubsub.topics.publish pubsub.topics.update pubsub.topics.updateTag resourcemanager.projects.get resourcemanager.projects.list serviceusage.quotas.get serviceusage.services.get serviceusage.services.list storage.objects.get storage.objects.list
Container Registry Service Agent (`roles/containerregistry.ServiceAgent`) Access for Container Registry	pubsub.topics.publish storage.objects.get storage.objects.getIamPolicy storage.objects.list
Container Scanner Service Agent (`roles/containerscanning.ServiceAgent`) Gives Container Scanner the access it needs to analyze containers for vulnerabilities and create occurrences using the Container Analysis API	artifactregistry.dockerimages.* artifactregistry.files.* artifactregistry.locations.* artifactregistry.mavenartifacts.* artifactregistry.npmpackages.* artifactregistry.packages.get artifactregistry.packages.list artifactregistry.pythonpackages.* artifactregistry.repositories.downloadArtifacts artifactregistry.repositories.get artifactregistry.repositories.list artifactregistry.repositories.listEffectiveTags artifactregistry.repositories.listTagBindings artifactregistry.tags.get artifactregistry.tags.list artifactregistry.versions.get artifactregistry.versions.list containeranalysis.occurrences.create containeranalysis.occurrences.delete containeranalysis.occurrences.get containeranalysis.occurrences.list containeranalysis.occurrences.update resourcemanager.projects.get resourcemanager.projects.list storage.objects.get storage.objects.list
Container Threat Detection Service Agent (`roles/containerthreatdetection.serviceAgent`) Gives Container Threat Detection service account access to enable/disable Container Threat Detection and manage the Container Threat Detection Agent on Google Kubernetes Engine clusters.	container.apiServices.get container.apiServices.getStatus container.apiServices.list container.auditSinks.get container.auditSinks.list container.backendConfigs.get container.backendConfigs.list container.bindings.get container.bindings.list container.certificateSigningRequests.get container.certificateSigningRequests.getStatus container.certificateSigningRequests.list container.clusterRoleBindings.* container.clusterRoles.* container.clusters.get container.clusters.list container.componentStatuses.* container.configMaps.get container.configMaps.list container.controllerRevisions.get container.controllerRevisions.list container.cronJobs.get container.cronJobs.getStatus container.cronJobs.list container.csiDrivers.get container.csiDrivers.list container.csiNodeInfos.get container.csiNodeInfos.list container.csiNodes.get container.csiNodes.list container.customResourceDefinitions.create container.customResourceDefinitions.delete container.customResourceDefinitions.get container.customResourceDefinitions.getStatus container.customResourceDefinitions.list container.customResourceDefinitions.update container.daemonSets.* container.deployments.get container.deployments.getScale container.deployments.getStatus container.deployments.list container.endpointSlices.get container.endpointSlices.list container.endpoints.get container.endpoints.list container.events.get container.events.list container.frontendConfigs.get container.frontendConfigs.list container.horizontalPodAutoscalers.get container.horizontalPodAutoscalers.getStatus container.horizontalPodAutoscalers.list container.ingresses.get container.ingresses.getStatus container.ingresses.list container.initializerConfigurations.get container.initializerConfigurations.list container.jobs.get container.jobs.getStatus container.jobs.list container.leases.get container.leases.list container.limitRanges.get container.limitRanges.list container.managedCertificates.get container.managedCertificates.list container.mutatingWebhookConfigurations.get container.mutatingWebhookConfigurations.list container.namespaces.get container.namespaces.getStatus container.namespaces.list container.networkPolicies.get container.networkPolicies.list container.networkPolicies.update container.nodes.get container.nodes.getStatus container.nodes.list container.operations.* container.persistentVolumeClaims.get container.persistentVolumeClaims.getStatus container.persistentVolumeClaims.list container.persistentVolumes.get container.persistentVolumes.getStatus container.persistentVolumes.list container.petSets.get container.petSets.list container.podDisruptionBudgets.get container.podDisruptionBudgets.getStatus container.podDisruptionBudgets.list container.podPresets.get container.podPresets.list container.podSecurityPolicies.get container.podSecurityPolicies.list container.podTemplates.get container.podTemplates.list container.pods.attach container.pods.create container.pods.delete container.pods.exec container.pods.get container.pods.getLogs container.pods.getStatus container.pods.list container.pods.portForward container.pods.update container.priorityClasses.get container.priorityClasses.list container.replicaSets.get container.replicaSets.getScale container.replicaSets.getStatus container.replicaSets.list container.replicationControllers.get container.replicationControllers.getScale container.replicationControllers.getStatus container.replicationControllers.list container.resourceQuotas.get container.resourceQuotas.getStatus container.resourceQuotas.list container.roleBindings.* container.roles.* container.runtimeClasses.get container.runtimeClasses.list container.scheduledJobs.get container.scheduledJobs.list container.secrets.create container.secrets.delete container.secrets.list container.secrets.update container.serviceAccounts.create container.serviceAccounts.delete container.serviceAccounts.get container.serviceAccounts.list container.serviceAccounts.update container.services.get container.services.getStatus container.services.list container.statefulSets.get container.statefulSets.getScale container.statefulSets.getStatus container.statefulSets.list container.storageClasses.get container.storageClasses.list container.storageStates.get container.storageStates.getStatus container.storageStates.list container.storageVersionMigrations.get container.storageVersionMigrations.getStatus container.storageVersionMigrations.list container.thirdPartyObjects.get container.thirdPartyObjects.list container.thirdPartyResources.get container.thirdPartyResources.list container.tokenReviews.create container.updateInfos.get container.updateInfos.list container.validatingWebhookConfigurations.get container.validatingWebhookConfigurations.list container.volumeAttachments.get container.volumeAttachments.getStatus container.volumeAttachments.list container.volumeSnapshotClasses.get container.volumeSnapshotClasses.list container.volumeSnapshotContents.get container.volumeSnapshotContents.getStatus container.volumeSnapshotContents.list container.volumeSnapshots.get container.volumeSnapshots.list resourcemanager.projects.get resourcemanager.projects.list
Content Warehouse Service Agent (`roles/contentwarehouse.serviceAgent`) Gives the Content Warehouse service account to manage customer resources	cloudfunctions.functions.invoke pubsub.topics.publish pubsublite.topics.publish storage.objects.get storage.objects.list
Data Connectors Service Agent (`roles/dataconnectors.serviceAgent`) Gives Data Connectors service agent permission to access the virtual private cloud	compute.globalOperations.get compute.networks.access vpcaccess.connectors.get vpcaccess.connectors.use
Cloud Dataflow Service Agent (`roles/dataflow.serviceAgent`) Gives Cloud Dataflow service account access to managed resources. Includes access to service accounts.	bigquery.bireservations.* bigquery.capacityCommitments.* bigquery.config.* bigquery.connections.* bigquery.dataPolicies.create bigquery.dataPolicies.delete bigquery.dataPolicies.get bigquery.dataPolicies.getIamPolicy bigquery.dataPolicies.list bigquery.dataPolicies.setIamPolicy bigquery.dataPolicies.update bigquery.datasets.* bigquery.jobs.* bigquery.models.* bigquery.readsessions.* bigquery.reservationAssignments.* bigquery.reservations.* bigquery.routines.* bigquery.rowAccessPolicies.create bigquery.rowAccessPolicies.delete bigquery.rowAccessPolicies.getIamPolicy bigquery.rowAccessPolicies.list bigquery.rowAccessPolicies.overrideTimeTravelRestrictions bigquery.rowAccessPolicies.setIamPolicy bigquery.rowAccessPolicies.update bigquery.savedqueries.* bigquery.tables.* bigquery.transfers.* bigquerymigration.translation.translate clouddebugger.breakpoints.list clouddebugger.breakpoints.listActive clouddebugger.breakpoints.update clouddebugger.debuggees.create cloudnotifications.activities.list compute.acceleratorTypes.* compute.addresses.* compute.autoscalers.* compute.backendBuckets.* compute.backendServices.* compute.diskTypes.* compute.disks.* compute.externalVpnGateways.* compute.firewallPolicies.get compute.firewallPolicies.list compute.firewallPolicies.use compute.firewalls.get compute.firewalls.list compute.forwardingRules.* compute.globalAddresses.* compute.globalForwardingRules.* compute.globalNetworkEndpointGroups.* compute.globalOperations.get compute.globalOperations.list compute.globalPublicDelegatedPrefixes.delete compute.globalPublicDelegatedPrefixes.get compute.globalPublicDelegatedPrefixes.list compute.globalPublicDelegatedPrefixes.update compute.globalPublicDelegatedPrefixes.updatePolicy compute.healthChecks.* compute.httpHealthChecks.* compute.httpsHealthChecks.* compute.images.* compute.instanceGroupManagers.* compute.instanceGroups.* compute.instanceTemplates.* compute.instances.* compute.interconnectAttachments.* compute.interconnectLocations.* compute.interconnects.* compute.licenseCodes.* compute.licenses.* compute.machineImages.* compute.machineTypes.* compute.networkEndpointGroups.* compute.networks.* compute.packetMirrorings.get compute.packetMirrorings.list compute.projects.get compute.publicDelegatedPrefixes.delete compute.publicDelegatedPrefixes.get compute.publicDelegatedPrefixes.list compute.publicDelegatedPrefixes.update compute.publicDelegatedPrefixes.updatePolicy compute.regionBackendServices.* compute.regionFirewallPolicies.get compute.regionFirewallPolicies.list compute.regionFirewallPolicies.use compute.regionHealthCheckServices.* compute.regionHealthChecks.* compute.regionNetworkEndpointGroups.* compute.regionNotificationEndpoints.* compute.regionOperations.get compute.regionOperations.list compute.regionSslCertificates.get compute.regionSslCertificates.list compute.regionTargetHttpProxies.* compute.regionTargetHttpsProxies.* compute.regionUrlMaps.* compute.regions.* compute.reservations.get compute.reservations.list compute.resourcePolicies.* compute.routers.* compute.routes.* compute.securityPolicies.get compute.securityPolicies.list compute.securityPolicies.use compute.serviceAttachments.* compute.snapshots.* compute.sslCertificates.get compute.sslCertificates.list compute.sslPolicies.* compute.subnetworks.* compute.targetGrpcProxies.* compute.targetHttpProxies.* compute.targetHttpsProxies.* compute.targetInstances.* compute.targetPools.* compute.targetSslProxies.* compute.targetTcpProxies.* compute.targetVpnGateways.* compute.urlMaps.* compute.vpnGateways.* compute.vpnTunnels.* compute.zoneOperations.get compute.zoneOperations.list compute.zones.* dataflow.jobs.* dataflow.messages.list dataflow.metrics.get dataflow.snapshots.* firebase.projects.get iam.serviceAccounts.actAs iam.serviceAccounts.get iam.serviceAccounts.getAccessToken iam.serviceAccounts.implicitDelegation iam.serviceAccounts.list iam.serviceAccounts.signBlob iam.serviceAccounts.signJwt logging.buckets.create logging.buckets.delete logging.buckets.get logging.buckets.list logging.buckets.undelete logging.buckets.update logging.cmekSettings.* logging.exclusions.* logging.links.* logging.locations.* logging.logEntries.create logging.logMetrics.* logging.logServiceIndexes.list logging.logServices.list logging.logs.list logging.notificationRules.* logging.operations.* logging.sinks.* logging.views.create logging.views.delete logging.views.get logging.views.list logging.views.update monitoring.alertPolicies.get monitoring.alertPolicies.list monitoring.dashboards.get monitoring.dashboards.list monitoring.groups.get monitoring.groups.list monitoring.metricDescriptors.create monitoring.metricDescriptors.get monitoring.metricDescriptors.list monitoring.monitoredResourceDescriptors.* monitoring.notificationChannelDescriptors.* monitoring.notificationChannels.get monitoring.notificationChannels.list monitoring.publicWidgets.get monitoring.publicWidgets.list monitoring.services.get monitoring.services.list monitoring.slos.get monitoring.slos.list monitoring.timeSeries.* monitoring.uptimeCheckConfigs.get monitoring.uptimeCheckConfigs.list networkconnectivity.locations.* networkconnectivity.operations.* networksecurity.* networkservices.* opsconfigmonitoring.resourceMetadata.list orgpolicy.policy.get pubsub.* recommender.dataflowDiagnosticsInsights.* resourcemanager.projects.get resourcemanager.projects.list servicedirectory.namespaces.create servicedirectory.namespaces.delete servicedirectory.services.create servicedirectory.services.delete servicenetworking.operations.get servicenetworking.services.addPeering servicenetworking.services.createPeeredDnsDomain servicenetworking.services.deletePeeredDnsDomain servicenetworking.services.get servicenetworking.services.listPeeredDnsDomains serviceusage.quotas.get serviceusage.services.get serviceusage.services.list serviceusage.services.use stackdriver.projects.get storage.buckets.* storage.multipartUploads.* storage.objects.* trafficdirector.*
Dataform Service Agent (`roles/dataform.serviceAgent`) Gives permission for the Dataform API to access a secret from Secret Manager	resourcemanager.projects.get resourcemanager.projects.list
Cloud Data Fusion API Service Agent (`roles/datafusion.serviceAgent`) Gives Cloud Data Fusion service account access to Service Networking, Cloud Dataproc, Cloud Storage, BigQuery, Cloud Spanner, and Cloud Bigtable resources.	bigquery.config.get bigquery.dataPolicies.create bigquery.dataPolicies.delete bigquery.dataPolicies.get bigquery.dataPolicies.getIamPolicy bigquery.dataPolicies.list bigquery.dataPolicies.setIamPolicy bigquery.dataPolicies.update bigquery.datasets.* bigquery.jobs.create bigquery.models.* bigquery.routines.* bigquery.rowAccessPolicies.create bigquery.rowAccessPolicies.delete bigquery.rowAccessPolicies.getIamPolicy bigquery.rowAccessPolicies.list bigquery.rowAccessPolicies.setIamPolicy bigquery.rowAccessPolicies.update bigquery.tables.* bigtable.* compute.acceleratorTypes.* compute.addresses.get compute.addresses.list compute.autoscalers.get compute.autoscalers.list compute.backendBuckets.get compute.backendBuckets.list compute.backendServices.get compute.backendServices.list compute.disks.listEffectiveTags compute.disks.listTagBindings compute.externalVpnGateways.get compute.externalVpnGateways.list compute.firewalls.get compute.firewalls.list compute.forwardingRules.get compute.forwardingRules.list compute.globalAddresses.get compute.globalAddresses.list compute.globalForwardingRules.get compute.globalForwardingRules.list compute.globalForwardingRules.pscGet compute.globalOperations.get compute.healthChecks.get compute.healthChecks.list compute.httpHealthChecks.get compute.httpHealthChecks.list compute.httpsHealthChecks.get compute.httpsHealthChecks.list compute.images.listEffectiveTags compute.images.listTagBindings compute.instanceGroupManagers.get compute.instanceGroupManagers.list compute.instanceGroups.get compute.instanceGroups.list compute.instances.get compute.instances.getGuestAttributes compute.instances.getScreenshot compute.instances.getSerialPortOutput compute.instances.list compute.instances.listEffectiveTags compute.instances.listReferrers compute.instances.listTagBindings compute.interconnectAttachments.get compute.interconnectAttachments.list compute.interconnectLocations.* compute.interconnects.get compute.interconnects.list compute.machineTypes.* compute.networks.addPeering compute.networks.get compute.networks.getEffectiveFirewalls compute.networks.getRegionEffectiveFirewalls compute.networks.list compute.networks.listPeeringRoutes compute.networks.removePeering compute.networks.update compute.packetMirrorings.get compute.packetMirrorings.list compute.projects.get compute.regionBackendServices.get compute.regionBackendServices.list compute.regionHealthCheckServices.get compute.regionHealthCheckServices.list compute.regionHealthChecks.get compute.regionHealthChecks.list compute.regionNotificationEndpoints.get compute.regionNotificationEndpoints.list compute.regionSslCertificates.get compute.regionSslCertificates.list compute.regionTargetHttpProxies.get compute.regionTargetHttpProxies.list compute.regionTargetHttpsProxies.get compute.regionTargetHttpsProxies.list compute.regionUrlMaps.get compute.regionUrlMaps.list compute.regions.* compute.routers.get compute.routers.list compute.routes.get compute.routes.list compute.serviceAttachments.get compute.serviceAttachments.list compute.snapshots.listEffectiveTags compute.snapshots.listTagBindings compute.sslCertificates.get compute.sslCertificates.list compute.sslPolicies.get compute.sslPolicies.list compute.sslPolicies.listAvailableFeatures compute.subnetworks.get compute.subnetworks.list compute.targetGrpcProxies.get compute.targetGrpcProxies.list compute.targetHttpProxies.get compute.targetHttpProxies.list compute.targetHttpsProxies.get compute.targetHttpsProxies.list compute.targetInstances.get compute.targetInstances.list compute.targetPools.get compute.targetPools.list compute.targetSslProxies.get compute.targetSslProxies.list compute.targetTcpProxies.get compute.targetTcpProxies.list compute.targetVpnGateways.get compute.targetVpnGateways.list compute.urlMaps.get compute.urlMaps.list compute.vpnGateways.get compute.vpnGateways.list compute.vpnTunnels.get compute.vpnTunnels.list compute.zones.* dataproc.autoscalingPolicies.create dataproc.autoscalingPolicies.delete dataproc.autoscalingPolicies.get dataproc.autoscalingPolicies.list dataproc.autoscalingPolicies.update dataproc.autoscalingPolicies.use dataproc.batches.* dataproc.clusters.create dataproc.clusters.delete dataproc.clusters.get dataproc.clusters.list dataproc.clusters.start dataproc.clusters.stop dataproc.clusters.update dataproc.clusters.use dataproc.jobs.cancel dataproc.jobs.create dataproc.jobs.delete dataproc.jobs.get dataproc.jobs.list dataproc.jobs.update dataproc.operations.cancel dataproc.operations.delete dataproc.operations.get dataproc.operations.list dataproc.workflowTemplates.create dataproc.workflowTemplates.delete dataproc.workflowTemplates.get dataproc.workflowTemplates.instantiate dataproc.workflowTemplates.instantiateInline dataproc.workflowTemplates.list dataproc.workflowTemplates.update dns.managedZones.create dns.managedZones.delete dns.managedZones.get dns.managedZones.list dns.networks.bindPrivateDNSZone dns.networks.targetWithPeeringZone firebase.projects.get monitoring.metricDescriptors.create monitoring.metricDescriptors.get monitoring.metricDescriptors.list monitoring.monitoredResourceDescriptors.* monitoring.timeSeries.* networkconnectivity.locations.* networkconnectivity.operations.get networkconnectivity.operations.list networksecurity.authorizationPolicies.get networksecurity.authorizationPolicies.list networksecurity.clientTlsPolicies.get networksecurity.clientTlsPolicies.list networksecurity.locations.* networksecurity.operations.get networksecurity.operations.list networksecurity.serverTlsPolicies.get networksecurity.serverTlsPolicies.list networkservices.endpointConfigSelectors.get networkservices.endpointConfigSelectors.list networkservices.endpointPolicies.get networkservices.endpointPolicies.list networkservices.gateways.get networkservices.gateways.list networkservices.grpcRoutes.get networkservices.grpcRoutes.list networkservices.httpFilters.get networkservices.httpFilters.list networkservices.httpRoutes.get networkservices.httpRoutes.list networkservices.httpfilters.get networkservices.httpfilters.list networkservices.locations.* networkservices.meshes.get networkservices.meshes.list networkservices.operations.get networkservices.operations.list networkservices.serviceBindings.get networkservices.serviceBindings.list networkservices.tcpRoutes.get networkservices.tcpRoutes.list networkservices.tlsRoutes.get networkservices.tlsRoutes.list orgpolicy.policy.get resourcemanager.projects.get resourcemanager.projects.list servicenetworking.services.get serviceusage.quotas.get serviceusage.services.get serviceusage.services.list spanner.databaseOperations.* spanner.databases.beginOrRollbackReadWriteTransaction spanner.databases.beginPartitionedDmlTransaction spanner.databases.beginReadOnlyTransaction spanner.databases.getDdl spanner.databases.list spanner.databases.partitionQuery spanner.databases.partitionRead spanner.databases.read spanner.databases.select spanner.databases.updateDdl spanner.databases.write spanner.instanceConfigs.* spanner.instances.get spanner.instances.list spanner.sessions.* storage.buckets.* storage.multipartUploads.* storage.objects.* trafficdirector.*
Data Labeling Service Agent (`roles/datalabeling.serviceAgent`) Gives Data Labeling service account read/write access to Cloud Storage, read/write BigQuery, update CMLE model versions, editor access to Annotation service and AutoML service.	automl.annotationSpecs.* automl.annotations.* automl.columnSpecs.* automl.datasets.create automl.datasets.delete automl.datasets.export automl.datasets.get automl.datasets.import automl.datasets.list automl.datasets.update automl.examples.* automl.files.* automl.humanAnnotationTasks.* automl.locations.get automl.locations.list automl.modelEvaluations.* automl.models.create automl.models.delete automl.models.deploy automl.models.export automl.models.get automl.models.list automl.models.predict automl.models.undeploy automl.operations.* automl.tableSpecs.* bigquery.datasets.create bigquery.datasets.get bigquery.jobs.create bigquery.jobs.get bigquery.tables.create bigquery.tables.get bigquery.tables.getData ml.jobs.create ml.jobs.get ml.jobs.getIamPolicy ml.jobs.list ml.locations.* ml.models.* ml.operations.get ml.operations.list ml.projects.getConfig ml.studies.* ml.trials.* ml.versions.* resourcemanager.projects.get resourcemanager.projects.list serviceusage.services.list storage.objects.create storage.objects.delete storage.objects.get storage.objects.list storage.objects.update
Datapipelines Service Agent (`roles/datapipelines.serviceAgent`) Gives Datapipelines service permissions to create Dataflow & Cloud Scheduler jobs in the user project.	appengine.applications.get cloudbuild.builds.create cloudbuild.builds.get cloudbuild.builds.list cloudbuild.builds.update cloudscheduler.* compute.machineTypes.get compute.projects.get compute.regions.list compute.zones.list dataflow.jobs.* dataflow.messages.list dataflow.metrics.get dataflow.snapshots.* firebase.projects.get iam.serviceAccounts.actAs iam.serviceAccounts.get iam.serviceAccounts.list orgpolicy.policy.get recommender.dataflowDiagnosticsInsights.* remotebuildexecution.blobs.get resourcemanager.projects.get resourcemanager.projects.list serviceusage.services.get serviceusage.services.list storage.buckets.* storage.multipartUploads.* storage.objects.*
Cloud Dataplex Service Agent (`roles/dataplex.serviceAgent`) Gives the Dataplex service account access to project resources. This access will be used in data discovery, data management and data workload management.	bigquery.bireservations.* bigquery.capacityCommitments.* bigquery.config.* bigquery.connections.* bigquery.dataPolicies.create bigquery.dataPolicies.delete bigquery.dataPolicies.get bigquery.dataPolicies.getIamPolicy bigquery.dataPolicies.list bigquery.dataPolicies.setIamPolicy bigquery.dataPolicies.update bigquery.datasets.* bigquery.jobs.* bigquery.models.* bigquery.readsessions.* bigquery.reservationAssignments.* bigquery.reservations.* bigquery.routines.* bigquery.rowAccessPolicies.create bigquery.rowAccessPolicies.delete bigquery.rowAccessPolicies.getIamPolicy bigquery.rowAccessPolicies.list bigquery.rowAccessPolicies.overrideTimeTravelRestrictions bigquery.rowAccessPolicies.setIamPolicy bigquery.rowAccessPolicies.update bigquery.savedqueries.* bigquery.tables.* bigquery.transfers.* bigquerymigration.translation.translate dataplex.assets.getIamPolicy dataplex.environments.execute dataplex.environments.get dataplex.lakes.get dataplex.lakes.getIamPolicy dataplex.zones.getIamPolicy dataproc.autoscalingPolicies.create dataproc.batches.cancel dataproc.batches.create dataproc.batches.get dataproc.jobs.delete dataproc.jobs.get dataproc.operations.cancel dataproc.operations.get dataproc.operations.list dataproc.workflowTemplates.instantiateInline firebase.projects.get iam.serviceAccounts.actAs logging.logEntries.create metastore.services.get monitoring.metricDescriptors.create monitoring.metricDescriptors.get monitoring.metricDescriptors.list monitoring.monitoredResourceDescriptors.* monitoring.timeSeries.create orgpolicy.policy.get resourcemanager.projects.get resourcemanager.projects.list servicemanagement.services.report serviceusage.services.use storage.buckets.* storage.multipartUploads.* storage.objects.*
Dataprep Service Agent (`roles/dataprep.serviceAgent`) Dataprep service identity. Includes access to service accounts.	bigquery.bireservations.get bigquery.capacityCommitments.get bigquery.capacityCommitments.list bigquery.config.get bigquery.datasets.create bigquery.datasets.get bigquery.datasets.getIamPolicy bigquery.datasets.updateTag bigquery.jobs.create bigquery.jobs.list bigquery.models.* bigquery.readsessions.* bigquery.reservationAssignments.list bigquery.reservationAssignments.search bigquery.reservations.get bigquery.reservations.list bigquery.routines.* bigquery.savedqueries.get bigquery.savedqueries.list bigquery.tables.create bigquery.tables.createIndex bigquery.tables.createSnapshot bigquery.tables.delete bigquery.tables.deleteIndex bigquery.tables.export bigquery.tables.get bigquery.tables.getData bigquery.tables.getIamPolicy bigquery.tables.list bigquery.tables.restoreSnapshot bigquery.tables.update bigquery.tables.updateData bigquery.tables.updateTag bigquery.transfers.get bigquerymigration.translation.translate cloudbuild.builds.create cloudbuild.builds.get cloudbuild.builds.list cloudbuild.builds.update compute.acceleratorTypes.* compute.addresses.get compute.addresses.list compute.autoscalers.get compute.autoscalers.list compute.backendBuckets.get compute.backendBuckets.list compute.backendServices.get compute.backendServices.getIamPolicy compute.backendServices.list compute.commitments.get compute.commitments.list compute.diskTypes.* compute.disks.get compute.disks.getIamPolicy compute.disks.list compute.disks.listEffectiveTags compute.disks.listTagBindings compute.externalVpnGateways.get compute.externalVpnGateways.list compute.firewallPolicies.get compute.firewallPolicies.getIamPolicy compute.firewallPolicies.list compute.firewalls.get compute.firewalls.list compute.forwardingRules.get compute.forwardingRules.list compute.globalAddresses.get compute.globalAddresses.list compute.globalForwardingRules.get compute.globalForwardingRules.list compute.globalForwardingRules.pscGet compute.globalNetworkEndpointGroups.get compute.globalNetworkEndpointGroups.list compute.globalOperations.get compute.globalOperations.getIamPolicy compute.globalOperations.list compute.globalPublicDelegatedPrefixes.get compute.globalPublicDelegatedPrefixes.list compute.healthChecks.get compute.healthChecks.list compute.httpHealthChecks.get compute.httpHealthChecks.list compute.httpsHealthChecks.get compute.httpsHealthChecks.list compute.images.get compute.images.getFromFamily compute.images.getIamPolicy compute.images.list compute.images.listEffectiveTags compute.images.listTagBindings compute.instanceGroupManagers.get compute.instanceGroupManagers.list compute.instanceGroups.get compute.instanceGroups.list compute.instanceTemplates.get compute.instanceTemplates.getIamPolicy compute.instanceTemplates.list compute.instances.get compute.instances.getEffectiveFirewalls compute.instances.getGuestAttributes compute.instances.getIamPolicy compute.instances.getScreenshot compute.instances.getSerialPortOutput compute.instances.getShieldedInstanceIdentity compute.instances.getShieldedVmIdentity compute.instances.list compute.instances.listEffectiveTags compute.instances.listReferrers compute.instances.listTagBindings compute.interconnectAttachments.get compute.interconnectAttachments.list compute.interconnectLocations.* compute.interconnects.get compute.interconnects.list compute.licenseCodes.get compute.licenseCodes.getIamPolicy compute.licenseCodes.list compute.licenses.get compute.licenses.getIamPolicy compute.licenses.list compute.machineImages.get compute.machineImages.getIamPolicy compute.machineImages.list compute.machineTypes.* compute.maintenancePolicies.get compute.maintenancePolicies.getIamPolicy compute.maintenancePolicies.list compute.networkEndpointGroups.get compute.networkEndpointGroups.getIamPolicy compute.networkEndpointGroups.list compute.networks.get compute.networks.getEffectiveFirewalls compute.networks.getRegionEffectiveFirewalls compute.networks.list compute.networks.listPeeringRoutes compute.nodeGroups.get compute.nodeGroups.getIamPolicy compute.nodeGroups.list compute.nodeTemplates.get compute.nodeTemplates.getIamPolicy compute.nodeTemplates.list compute.nodeTypes.* compute.organizations.listAssociations compute.packetMirrorings.get compute.packetMirrorings.list compute.projects.get compute.publicAdvertisedPrefixes.get compute.publicAdvertisedPrefixes.list compute.publicDelegatedPrefixes.get compute.publicDelegatedPrefixes.list compute.regionBackendServices.get compute.regionBackendServices.getIamPolicy compute.regionBackendServices.list compute.regionFirewallPolicies.get compute.regionFirewallPolicies.getIamPolicy compute.regionFirewallPolicies.list compute.regionHealthCheckServices.get compute.regionHealthCheckServices.list compute.regionHealthChecks.get compute.regionHealthChecks.list compute.regionNetworkEndpointGroups.get compute.regionNetworkEndpointGroups.list compute.regionNotificationEndpoints.get compute.regionNotificationEndpoints.list compute.regionOperations.get compute.regionOperations.getIamPolicy compute.regionOperations.list compute.regionSslCertificates.get compute.regionSslCertificates.list compute.regionTargetHttpProxies.get compute.regionTargetHttpProxies.list compute.regionTargetHttpsProxies.get compute.regionTargetHttpsProxies.list compute.regionUrlMaps.get compute.regionUrlMaps.list compute.regionUrlMaps.validate compute.regions.* compute.reservations.get compute.reservations.list compute.resourcePolicies.get compute.resourcePolicies.list compute.routers.get compute.routers.list compute.routes.get compute.routes.list compute.securityPolicies.get compute.securityPolicies.getIamPolicy compute.securityPolicies.list compute.serviceAttachments.get compute.serviceAttachments.list compute.snapshots.get compute.snapshots.getIamPolicy compute.snapshots.list compute.snapshots.listEffectiveTags compute.snapshots.listTagBindings compute.sslCertificates.get compute.sslCertificates.list compute.sslPolicies.get compute.sslPolicies.list compute.sslPolicies.listAvailableFeatures compute.subnetworks.get compute.subnetworks.getIamPolicy compute.subnetworks.list compute.targetGrpcProxies.get compute.targetGrpcProxies.list compute.targetHttpProxies.get compute.targetHttpProxies.list compute.targetHttpsProxies.get compute.targetHttpsProxies.list compute.targetInstances.get compute.targetInstances.list compute.targetPools.get compute.targetPools.list compute.targetSslProxies.get compute.targetSslProxies.list compute.targetTcpProxies.get compute.targetTcpProxies.list compute.targetVpnGateways.get compute.targetVpnGateways.list compute.urlMaps.get compute.urlMaps.list compute.urlMaps.validate compute.vpnGateways.get compute.vpnGateways.list compute.vpnTunnels.get compute.vpnTunnels.list compute.zoneOperations.get compute.zoneOperations.getIamPolicy compute.zoneOperations.list compute.zones.* dataflow.jobs.* dataflow.messages.list dataflow.metrics.get dataflow.snapshots.* iam.serviceAccounts.actAs iam.serviceAccounts.get iam.serviceAccounts.list orgpolicy.policy.get recommender.dataflowDiagnosticsInsights.* remotebuildexecution.blobs.get resourcemanager.projects.get resourcemanager.projects.list serviceusage.quotas.get serviceusage.services.get serviceusage.services.list storage.buckets.get storage.buckets.list storage.multipartUploads.* storage.objects.*
Dataproc Service Agent (`roles/dataproc.serviceAgent`) Gives Dataproc Service Account access to service accounts, compute resources, storage resources, and kubernetes resources. Includes access to service accounts.	compute.acceleratorTypes.* compute.addresses.createInternal compute.addresses.deleteInternal compute.addresses.get compute.addresses.list compute.addresses.use compute.addresses.useInternal compute.autoscalers.* compute.diskTypes.* compute.disks.create compute.disks.createSnapshot compute.disks.delete compute.disks.get compute.disks.list compute.disks.resize compute.disks.setLabels compute.disks.update compute.disks.use compute.disks.useReadOnly compute.firewalls.get compute.firewalls.list compute.globalAddresses.get compute.globalAddresses.list compute.globalAddresses.use compute.globalNetworkEndpointGroups.* compute.globalOperations.get compute.globalOperations.list compute.images.get compute.images.getFromFamily compute.images.list compute.images.useReadOnly compute.instanceGroupManagers.* compute.instanceGroups.* compute.instanceTemplates.* compute.instances.* compute.licenses.get compute.licenses.list compute.machineImages.* compute.machineTypes.* compute.networkEndpointGroups.* compute.networks.get compute.networks.list compute.networks.use compute.networks.useExternalIp compute.nodeGroups.get compute.nodeTypes.get compute.projects.get compute.regionNetworkEndpointGroups.* compute.regionOperations.get compute.regionOperations.list compute.regions.* compute.reservations.get compute.reservations.list compute.subnetworks.get compute.subnetworks.list compute.subnetworks.use compute.subnetworks.useExternalIp compute.targetPools.get compute.targetPools.list compute.zoneOperations.get compute.zoneOperations.list compute.zones.* container.clusterRoleBindings.* container.clusterRoles.* container.clusters.get container.clusters.update container.customResourceDefinitions.create container.customResourceDefinitions.delete container.customResourceDefinitions.get container.customResourceDefinitions.list container.customResourceDefinitions.update container.namespaces.create container.namespaces.delete container.namespaces.get container.namespaces.list container.namespaces.update container.operations.get container.roleBindings.* container.roles.bind container.roles.escalate dataproc.autoscalingPolicies.create dataproc.autoscalingPolicies.delete dataproc.autoscalingPolicies.get dataproc.autoscalingPolicies.getIamPolicy dataproc.autoscalingPolicies.list dataproc.autoscalingPolicies.update dataproc.autoscalingPolicies.use dataproc.clusters.* dataproc.jobs.* firebase.projects.get iam.serviceAccounts.actAs metastore.services.get orgpolicy.policy.get resourcemanager.projects.get resourcemanager.projects.list serviceusage.quotas.get serviceusage.services.get serviceusage.services.list storage.buckets.* storage.multipartUploads.* storage.objects.*
Data Studio Service Agent (`roles/datastudio.serviceAgent`) Grants Data Studio Service Account access to manage resources.	bigquery.jobs.create
Dialogflow Service Agent (`roles/dialogflow.serviceAgent`) Gives Dialogflow Service Account access to resources on behalf of user project for intent detection in integrations (Facebook Messenger, Slack, Telephony, etc.).	cloudfunctions.functions.invoke dialogflow.agents.export dialogflow.agents.get dialogflow.agents.list dialogflow.agents.search dialogflow.agents.searchResources dialogflow.answerrecords.get dialogflow.answerrecords.list dialogflow.callMatchers.list dialogflow.changelogs.* dialogflow.contexts.* dialogflow.conversationDatasets.get dialogflow.conversationDatasets.list dialogflow.conversationModels.get dialogflow.conversationModels.list dialogflow.conversationProfiles.get dialogflow.conversationProfiles.list dialogflow.conversations.* dialogflow.documents.get dialogflow.documents.list dialogflow.entityTypes.get dialogflow.entityTypes.list dialogflow.environments.get dialogflow.environments.list dialogflow.flows.get dialogflow.flows.list dialogflow.fulfillments.get dialogflow.integrations.get dialogflow.integrations.list dialogflow.intents.get dialogflow.intents.list dialogflow.knowledgeBases.get dialogflow.knowledgeBases.list dialogflow.messages.list dialogflow.modelEvaluations.* dialogflow.operations.get dialogflow.pages.get dialogflow.pages.list dialogflow.participants.* dialogflow.phoneNumberOrders.get dialogflow.phoneNumberOrders.list dialogflow.phoneNumbers.list dialogflow.securitySettings.get dialogflow.securitySettings.list dialogflow.sessionEntityTypes.* dialogflow.sessions.* dialogflow.smartMessagingEntries.get dialogflow.smartMessagingEntries.list dialogflow.transitionRouteGroups.get dialogflow.transitionRouteGroups.list dialogflow.versions.get dialogflow.versions.list dialogflow.webhooks.get dialogflow.webhooks.list dlp.deidentifyTemplates.get dlp.deidentifyTemplates.list dlp.inspectTemplates.get dlp.inspectTemplates.list logging.logEntries.create pubsub.snapshots.seek pubsub.subscriptions.consume pubsub.topics.attachSubscription pubsub.topics.publish resourcemanager.projects.get resourcemanager.projects.list serviceusage.services.use speech.adaptations.execute speech.customClasses.get speech.customClasses.list speech.phraseSets.get speech.phraseSets.list speech.recognizers.get speech.recognizers.list storage.objects.create storage.objects.get storage.objects.list
DLP API Service Agent (`roles/dlp.serviceAgent`) Gives the Cloud DLP API service agent permissions for BigQuery, Cloud Storage, Datastore, Pub/Sub, and Cloud KMS.	appengine.applications.get bigquery.config.get bigquery.dataPolicies.create bigquery.dataPolicies.delete bigquery.dataPolicies.get bigquery.dataPolicies.getIamPolicy bigquery.dataPolicies.list bigquery.dataPolicies.setIamPolicy bigquery.dataPolicies.update bigquery.datasets.* bigquery.jobs.create bigquery.jobs.get bigquery.jobs.update bigquery.models.* bigquery.readsessions.* bigquery.routines.* bigquery.rowAccessPolicies.create bigquery.rowAccessPolicies.delete bigquery.rowAccessPolicies.getIamPolicy bigquery.rowAccessPolicies.list bigquery.rowAccessPolicies.setIamPolicy bigquery.rowAccessPolicies.update bigquery.tables.* cloudasset.assets.analyzeIamPolicy cloudasset.assets.exportResource cloudkms.cryptoKeyVersions.useToDecrypt cloudkms.locations.get cloudkms.locations.list datacatalog.categories.fineGrainedGet datacatalog.tagTemplates.* datastore.databases.get datastore.databases.getMetadata datastore.entities.* datastore.indexes.list datastore.namespaces.* datastore.statistics.* dlp.analyzeRiskTemplates.get dlp.analyzeRiskTemplates.list dlp.deidentifyTemplates.get dlp.deidentifyTemplates.list dlp.inspectTemplates.get dlp.inspectTemplates.list dlp.jobs.* dlp.kms.encrypt firebase.projects.get orgpolicy.policy.get pubsub.* resourcemanager.projects.get resourcemanager.projects.list serviceusage.quotas.get serviceusage.services.get serviceusage.services.list serviceusage.services.use storage.buckets.* storage.multipartUploads.* storage.objects.*
DocumentAI Core Service Agent (`roles/documentaicore.serviceAgent`) Gives DocumentAI Core Service Account access to consumer resources.	automl.models.predict documentai.humanReviewConfigs.review storage.buckets.get storage.objects.create storage.objects.delete storage.objects.get storage.objects.list storage.objects.update
Cloud Endpoints Service Agent (`roles/endpoints.serviceAgent`) Gives the Cloud Endpoints service account access to Endpoints services and the ability to act as a service controller.	servicemanagement.services.check servicemanagement.services.get servicemanagement.services.quota servicemanagement.services.report
Endpoints Portal Service Agent (`roles/endpointsportal.serviceAgent`) Can access information about Endpoints services for consumer portal management, and can read Source Repositories for consumer portal custom content.	servicemanagement.services.get servicemanagement.services.list source.repos.get
Enterprise Knowledge Graph Service Agent (`roles/enterpriseknowledgegraph.serviceAgent`) Gives Enterprise Knowledge Graph Service Account access to consumer resources.	bigquery.config.get bigquery.datasets.create bigquery.datasets.get bigquery.jobs.create bigquery.readsessions.create bigquery.readsessions.getData bigquery.tables.create bigquery.tables.get bigquery.tables.getData bigquery.tables.list bigquery.tables.update bigquery.tables.updateData resourcemanager.projects.get resourcemanager.projects.list storage.objects.get storage.objects.list
Eventarc Service Agent (`roles/eventarc.serviceAgent`) Gives Eventarc service account access to managed resources.	cloudfunctions.functions.get compute.instanceGroupManagers.get container.clusters.get container.deployments.create container.deployments.delete container.deployments.get container.deployments.list container.deployments.update container.namespaces.create container.namespaces.delete container.namespaces.get container.namespaces.list container.serviceAccounts.create container.serviceAccounts.delete container.serviceAccounts.get container.serviceAccounts.list container.services.get container.services.list eventarc.channels.publish iam.serviceAccounts.actAs iam.serviceAccounts.getAccessToken monitoring.timeSeries.create pubsub.subscriptions.consume pubsub.subscriptions.create pubsub.subscriptions.delete pubsub.subscriptions.get pubsub.subscriptions.list pubsub.subscriptions.update pubsub.topics.attachSubscription pubsub.topics.create pubsub.topics.delete pubsub.topics.get pubsub.topics.list pubsub.topics.publish pubsub.topics.update run.jobs.get run.services.get serviceusage.services.use storage.buckets.get storage.buckets.update workflows.workflows.get
Cloud Filestore Service Agent (`roles/file.serviceAgent`) Gives Cloud Filestore service account access to managed resources.	compute.globalOperations.get compute.networks.addPeering compute.networks.get compute.networks.removePeering compute.networks.update compute.networks.updatePeering compute.routes.list monitoring.metricDescriptors.create monitoring.metricDescriptors.get monitoring.metricDescriptors.list monitoring.monitoredResourceDescriptors.* monitoring.timeSeries.create resourcemanager.projects.get resourcemanager.projects.list
Firebase App Distribution Admin SDK Service Agent (`roles/firebase.appDistributionSdkServiceAgent`) Read and write access to Firebase App Distribution with the Admin SDK	firebaseappdistro.*
Firebase Service Management Service Agent (`roles/firebase.managementServiceAgent`) Access to create new service agents for Firebase projects; assign roles to service agents; provision GCP resources as required by Firebase services.	apikeys.keys.create apikeys.keys.get apikeys.keys.list apikeys.keys.update appengine.applications.* appengine.operations.get appengine.services.list clientauthconfig.brands.create clientauthconfig.brands.update clientauthconfig.clients.create clientauthconfig.clients.getWithSecret clientauthconfig.clients.list clientauthconfig.clients.update firebase.clients.create firebase.clients.delete firebase.clients.get firebase.clients.undelete firebase.projects.* firebaseauth.configs.create firebaseauth.configs.get firebaseauth.configs.update firebaserules.releases.create firebaserules.releases.delete firebaserules.releases.get firebaserules.rulesets.create iam.roles.get iam.serviceAccounts.create iam.serviceAccounts.get iam.serviceAccounts.list resourcemanager.organizations.get resourcemanager.projects.get resourcemanager.projects.getIamPolicy resourcemanager.projects.setIamPolicy resourcemanager.projects.update servicemanagement.services.bind serviceusage.services.enable serviceusage.services.get serviceusage.services.use storage.buckets.create storage.buckets.get storage.buckets.getIamPolicy storage.buckets.list storage.buckets.setIamPolicy
Firebase Admin SDK Administrator Service Agent (`roles/firebase.sdkAdminServiceAgent`) Read and write access to Firebase products available in the Admin SDK	appengine.applications.get cloudconfig.* cloudmessaging.messages.create datastore.databases.get datastore.databases.getMetadata datastore.databases.list datastore.entities.* datastore.indexes.get datastore.indexes.list datastore.namespaces.* datastore.statistics.* firebase.clients.* firebase.projects.get firebase.projects.update firebaseappcheck.* firebaseauth.configs.create firebaseauth.configs.get firebaseauth.configs.update firebaseauth.users.* firebasedatabase.* firebasehosting.* firebaseml.* firebasenotifications.* firebaserules.releases.get firebaserules.releases.list firebaserules.releases.update firebaserules.rulesets.create firebaserules.rulesets.delete firebaserules.rulesets.get firebaserules.rulesets.list orgpolicy.policy.get resourcemanager.projects.get resourcemanager.projects.list resourcemanager.projects.update storage.buckets.create storage.buckets.delete storage.buckets.get storage.buckets.list storage.buckets.update storage.multipartUploads.* storage.objects.*
Firebase SDK Provisioning Service Agent (`roles/firebase.sdkProvisioningServiceAgent`) Access to provision apps with the Admin SDK.	apikeys.keys.list clientauthconfig.clients.list cloudmessaging.messages.create firebase.clients.create servicemanagement.services.bind serviceusage.services.enable
Firebase App Check Service Agent (`roles/firebaseappcheck.serviceAgent`) Grants Firebase App Check Service Account access to consumer app attestation resources, such as reCAPTCHA Enterprise and Play Integrity API.	recaptchaenterprise.assessments.* serviceusage.services.use
Firebase Extensions API Service Agent (`roles/firebasemods.serviceAgent`) Grants Firebase Extensions API Service Account access to manage resources.	appengine.applications.get artifactregistry.packages.delete cloudfunctions.functions.getIamPolicy cloudfunctions.functions.setIamPolicy cloudtasks.locations.* cloudtasks.queues.* cloudtasks.tasks.create cloudtasks.tasks.fullView deploymentmanager.compositeTypes.* deploymentmanager.deployments.cancelPreview deploymentmanager.deployments.create deploymentmanager.deployments.delete deploymentmanager.deployments.get deploymentmanager.deployments.list deploymentmanager.deployments.stop deploymentmanager.deployments.update deploymentmanager.manifests.* deploymentmanager.operations.* deploymentmanager.resources.* deploymentmanager.typeProviders.* deploymentmanager.types.* eventarc.channels.create eventarc.channels.delete eventarc.channels.get eventarc.channels.setIamPolicy iam.serviceAccounts.actAs iam.serviceAccounts.create iam.serviceAccounts.get iam.serviceAccounts.list resourcemanager.projects.get resourcemanager.projects.list resourcemanager.projects.updateLiens run.services.getIamPolicy run.services.setIamPolicy serviceusage.quotas.get serviceusage.services.enable serviceusage.services.get serviceusage.services.list
Cloud Storage for Firebase Service Agent (`roles/firebasestorage.serviceAgent`) Access to Cloud Storage for Firebase through API and SDK.	storage.buckets.get storage.buckets.getIamPolicy storage.objects.create storage.objects.delete storage.objects.get storage.objects.getIamPolicy storage.objects.list storage.objects.update
Firestore Service Agent (`roles/firestore.serviceAgent`) Gives Firestore service account access to managed resources.	storage.buckets.get storage.objects.create storage.objects.delete storage.objects.get storage.objects.list
Cloud Firewall Insights Service Agent (`roles/firewallinsights.serviceAgent`) Gives Cloud Firewall Insights service agent permissions to retrieve Firewall, VM and route resources on user behalf.	compute.backendServices.list compute.firewalls.get compute.firewalls.list compute.forwardingRules.list compute.healthChecks.list compute.httpHealthChecks.list compute.httpsHealthChecks.list compute.instanceGroups.list compute.instances.get compute.instances.list compute.networks.getEffectiveFirewalls compute.networks.list compute.projects.get compute.routers.list compute.routes.get compute.routes.list compute.subnetworks.list compute.targetHttpProxies.list compute.targetHttpsProxies.list compute.targetPools.list compute.targetSslProxies.list compute.targetTcpProxies.list compute.targetVpnGateways.list compute.urlMaps.list compute.vpnGateways.list compute.vpnTunnels.list
FleetEngine Service Agent (`roles/fleetengine.serviceAgent`) Grants the FleetEngine Service Account access to manage resources.	bigquery.config.get bigquery.datasets.get bigquery.jobs.create bigquery.tables.getData resourcemanager.projects.get resourcemanager.projects.list
Game Services Service Agent (`roles/gameservices.serviceAgent`) Gives Game Services Service Account access to GCP resources.	container.apiServices.* container.auditSinks.* container.backendConfigs.* container.bindings.* container.certificateSigningRequests.create container.certificateSigningRequests.delete container.certificateSigningRequests.get container.certificateSigningRequests.list container.certificateSigningRequests.update container.certificateSigningRequests.updateStatus container.clusterRoleBindings.create container.clusterRoleBindings.get container.clusterRoleBindings.list container.clusterRoleBindings.update container.clusterRoles.bind container.clusterRoles.create container.clusterRoles.escalate container.clusterRoles.get container.clusterRoles.list container.clusterRoles.update container.clusters.create container.clusters.delete container.clusters.get container.clusters.list container.clusters.update container.componentStatuses.* container.configMaps.* container.controllerRevisions.get container.controllerRevisions.list container.cronJobs.* container.csiDrivers.* container.csiNodeInfos.* container.csiNodes.* container.customResourceDefinitions.* container.daemonSets.* container.deployments.* container.endpointSlices.* container.endpoints.* container.events.* container.frontendConfigs.* container.horizontalPodAutoscalers.* container.ingresses.* container.initializerConfigurations.* container.jobs.* container.leases.* container.limitRanges.* container.localSubjectAccessReviews.* container.managedCertificates.* container.mutatingWebhookConfigurations.* container.namespaces.* container.networkPolicies.* container.nodes.* container.operations.* container.persistentVolumeClaims.* container.persistentVolumes.* container.petSets.* container.podDisruptionBudgets.* container.podPresets.* container.podSecurityPolicies.get container.podSecurityPolicies.list container.podTemplates.* container.pods.* container.priorityClasses.* container.replicaSets.* container.replicationControllers.* container.resourceQuotas.* container.roleBindings.create container.roleBindings.get container.roleBindings.list container.roles.bind container.roles.create container.roles.escalate container.roles.get container.roles.list container.runtimeClasses.* container.scheduledJobs.* container.secrets.* container.selfSubjectAccessReviews.* container.selfSubjectRulesReviews.create container.serviceAccounts.* container.services.* container.statefulSets.* container.storageClasses.* container.storageStates.* container.storageVersionMigrations.* container.subjectAccessReviews.* container.thirdPartyObjects.* container.thirdPartyResources.* container.tokenReviews.create container.updateInfos.* container.validatingWebhookConfigurations.* container.volumeAttachments.* container.volumeSnapshotClasses.* container.volumeSnapshotContents.* container.volumeSnapshots.* gkehub.features.get gkehub.features.getIamPolicy gkehub.features.list gkehub.fleet.get gkehub.locations.* gkehub.memberships.generateConnectManifest gkehub.memberships.get gkehub.memberships.getIamPolicy gkehub.memberships.list gkehub.operations.get gkehub.operations.list iam.serviceAccounts.actAs resourcemanager.projects.get resourcemanager.projects.list
Genomics Service Agent (`roles/genomics.serviceAgent`) Gives Genomics Service Account access to compute resources. Includes access to service accounts.	compute.acceleratorTypes.* compute.addresses.createInternal compute.addresses.deleteInternal compute.addresses.get compute.addresses.list compute.addresses.use compute.addresses.useInternal compute.autoscalers.* compute.backendBuckets.get compute.backendBuckets.list compute.backendServices.get compute.backendServices.list compute.diskTypes.* compute.disks.* compute.externalVpnGateways.get compute.externalVpnGateways.list compute.firewalls.get compute.firewalls.list compute.forwardingRules.get compute.forwardingRules.list compute.globalAddresses.get compute.globalAddresses.list compute.globalAddresses.use compute.globalForwardingRules.get compute.globalForwardingRules.list compute.globalForwardingRules.pscGet compute.globalNetworkEndpointGroups.* compute.globalOperations.get compute.globalOperations.list compute.healthChecks.get compute.healthChecks.list compute.httpHealthChecks.get compute.httpHealthChecks.list compute.httpsHealthChecks.get compute.httpsHealthChecks.list compute.images.* compute.instanceGroupManagers.* compute.instanceGroups.* compute.instanceTemplates.* compute.instances.* compute.interconnectAttachments.get compute.interconnectAttachments.list compute.interconnectLocations.* compute.interconnects.get compute.interconnects.list compute.licenseCodes.* compute.licenses.* compute.machineImages.* compute.machineTypes.* compute.networkEndpointGroups.* compute.networks.get compute.networks.list compute.networks.use compute.networks.useExternalIp compute.projects.get compute.projects.setCommonInstanceMetadata compute.regionBackendServices.get compute.regionBackendServices.list compute.regionHealthCheckServices.get compute.regionHealthCheckServices.list compute.regionHealthChecks.get compute.regionHealthChecks.list compute.regionNetworkEndpointGroups.* compute.regionNotificationEndpoints.get compute.regionNotificationEndpoints.list compute.regionOperations.get compute.regionOperations.list compute.regionSslCertificates.get compute.regionSslCertificates.list compute.regionTargetHttpProxies.get compute.regionTargetHttpProxies.list compute.regionTargetHttpsProxies.get compute.regionTargetHttpsProxies.list compute.regionUrlMaps.get compute.regionUrlMaps.list compute.regions.* compute.reservations.get compute.reservations.list compute.resourcePolicies.* compute.routers.get compute.routers.list compute.routes.get compute.routes.list compute.serviceAttachments.get compute.serviceAttachments.list compute.snapshots.* compute.sslCertificates.get compute.sslCertificates.list compute.sslPolicies.get compute.sslPolicies.list compute.sslPolicies.listAvailableFeatures compute.subnetworks.get compute.subnetworks.list compute.subnetworks.use compute.subnetworks.useExternalIp compute.targetGrpcProxies.get compute.targetGrpcProxies.list compute.targetHttpProxies.get compute.targetHttpProxies.list compute.targetHttpsProxies.get compute.targetHttpsProxies.list compute.targetInstances.get compute.targetInstances.list compute.targetPools.get compute.targetPools.list compute.targetSslProxies.get compute.targetSslProxies.list compute.targetTcpProxies.get compute.targetTcpProxies.list compute.targetVpnGateways.get compute.targetVpnGateways.list compute.urlMaps.get compute.urlMaps.list compute.vpnGateways.get compute.vpnGateways.list compute.vpnTunnels.get compute.vpnTunnels.list compute.zoneOperations.get compute.zoneOperations.list compute.zones.* iam.serviceAccounts.actAs pubsub.topics.publish resourcemanager.projects.get resourcemanager.projects.list serviceusage.quotas.get serviceusage.services.get serviceusage.services.list serviceusage.services.use
Backup for GKE Service Agent (`roles/gkebackup.serviceAgent`) Grants the Backup for GKE Service Account access to managed resources.	compute.disks.create compute.disks.createSnapshot compute.disks.get compute.disks.list compute.disks.setLabels compute.disks.useReadOnly compute.globalOperations.get compute.regionOperations.get compute.snapshots.delete compute.snapshots.get compute.zoneOperations.get container.apiServices.* container.auditSinks.* container.backendConfigs.* container.bindings.* container.certificateSigningRequests.create container.certificateSigningRequests.delete container.certificateSigningRequests.get container.certificateSigningRequests.list container.certificateSigningRequests.update container.certificateSigningRequests.updateStatus container.clusterRoleBindings.get container.clusterRoleBindings.list container.clusterRoles.get container.clusterRoles.list container.clusters.get container.clusters.list container.componentStatuses.* container.configMaps.* container.controllerRevisions.get container.controllerRevisions.list container.cronJobs.* container.csiDrivers.* container.csiNodeInfos.* container.csiNodes.* container.customResourceDefinitions.* container.daemonSets.* container.deployments.* container.endpointSlices.* container.endpoints.* container.events.* container.frontendConfigs.* container.horizontalPodAutoscalers.* container.ingresses.* container.initializerConfigurations.* container.jobs.* container.leases.* container.limitRanges.* container.localSubjectAccessReviews.* container.managedCertificates.* container.mutatingWebhookConfigurations.get container.mutatingWebhookConfigurations.list container.namespaces.* container.networkPolicies.* container.nodes.* container.persistentVolumeClaims.* container.persistentVolumes.* container.petSets.* container.podDisruptionBudgets.* container.podPresets.* container.podSecurityPolicies.get container.podSecurityPolicies.list container.podTemplates.* container.pods.* container.priorityClasses.* container.replicaSets.* container.replicationControllers.* container.resourceQuotas.* container.roleBindings.get container.roleBindings.list container.roles.get container.roles.list container.runtimeClasses.* container.scheduledJobs.* container.secrets.* container.selfSubjectAccessReviews.* container.selfSubjectRulesReviews.create container.serviceAccounts.* container.services.* container.statefulSets.* container.storageClasses.* container.storageStates.* container.storageVersionMigrations.* container.subjectAccessReviews.* container.thirdPartyObjects.* container.thirdPartyResources.* container.tokenReviews.create container.updateInfos.* container.validatingWebhookConfigurations.get container.validatingWebhookConfigurations.list container.volumeAttachments.* container.volumeSnapshotClasses.* container.volumeSnapshotContents.* container.volumeSnapshots.* gkebackup.operations.get resourcemanager.projects.get resourcemanager.projects.list resourcemanager.projects.updateLiens
GKE Hub Service Agent (`roles/gkehub.serviceAgent`) Gives the GKE Hub service agent access to Cloud Platform resources.	container.clusterRoleBindings.* container.clusterRoles.* container.clusters.get container.clusters.update container.customResourceDefinitions.create container.customResourceDefinitions.delete container.customResourceDefinitions.get container.customResourceDefinitions.list container.customResourceDefinitions.update container.namespaces.get container.thirdPartyObjects.* gkehub.features.create gkehub.features.get gkehub.features.list gkehub.fleet.create gkehub.fleet.get gkehub.locations.* gkehub.memberships.create gkehub.memberships.generateConnectManifest gkehub.memberships.get gkehub.memberships.list gkehub.operations.get gkemulticloud.awsClusters.get gkemulticloud.azureClusters.get gkeonprem.bareMetalClusters.get gkeonprem.vmwareClusters.get serviceusage.services.get serviceusage.services.list
Anthos Multi-Cloud Service Agent (`roles/gkemulticloud.serviceAgent`) Grants the Anthos Multi-Cloud Service Account access to manage resources.	gkehub.features.* gkehub.fleet.* gkehub.locations.* gkehub.memberships.* gkehub.operations.* gkemulticloud.awsClusters.delete gkemulticloud.awsNodePools.delete gkemulticloud.azureClients.delete gkemulticloud.azureClusters.delete gkemulticloud.azureNodePools.delete resourcemanager.projects.get resourcemanager.projects.list
Healthcare Service Agent (`roles/healthcare.serviceAgent`) Gives the Healthcare Service Account access to networks,Kubernetes engine, and pubsub resources.	cloudnotifications.activities.list monitoring.alertPolicies.get monitoring.alertPolicies.list monitoring.dashboards.get monitoring.dashboards.list monitoring.groups.get monitoring.groups.list monitoring.metricDescriptors.create monitoring.metricDescriptors.get monitoring.metricDescriptors.list monitoring.monitoredResourceDescriptors.* monitoring.notificationChannelDescriptors.* monitoring.notificationChannels.get monitoring.notificationChannels.list monitoring.publicWidgets.get monitoring.publicWidgets.list monitoring.services.get monitoring.services.list monitoring.slos.get monitoring.slos.list monitoring.timeSeries.* monitoring.uptimeCheckConfigs.get monitoring.uptimeCheckConfigs.list opsconfigmonitoring.resourceMetadata.list pubsub.snapshots.seek pubsub.subscriptions.consume pubsub.topics.attachSubscription pubsub.topics.publish resourcemanager.projects.get resourcemanager.projects.list stackdriver.projects.get
Integrations Service Agent (`roles/integrations.serviceAgent`) Service agent that grants access to execute an integration.	cloudfunctions.functions.invoke cloudsql.instances.connect cloudsql.instances.get connectors.actions.* connectors.connections.executeSqlQuery connectors.entities.* connectors.entityTypes.list integrations.apigeeAuthConfigs.* integrations.apigeeCertificates.* integrations.apigeeExecutions.list integrations.apigeeIntegrationVers.* integrations.apigeeIntegrations.* integrations.apigeeSfdcChannels.* integrations.apigeeSfdcInstances.* integrations.apigeeSuspensions.* integrations.authConfigs.* integrations.certificates.* integrations.executions.list integrations.integrationVersions.create integrations.integrationVersions.delete integrations.integrationVersions.deploy integrations.integrationVersions.get integrations.integrationVersions.list integrations.integrationVersions.update integrations.integrations.* integrations.sfdcChannels.* integrations.sfdcInstances.* integrations.suspensions.* pubsub.schemas.attach pubsub.schemas.create pubsub.schemas.delete pubsub.schemas.get pubsub.schemas.list pubsub.schemas.validate pubsub.snapshots.create pubsub.snapshots.delete pubsub.snapshots.get pubsub.snapshots.list pubsub.snapshots.seek pubsub.snapshots.update pubsub.subscriptions.consume pubsub.subscriptions.create pubsub.subscriptions.delete pubsub.subscriptions.get pubsub.subscriptions.list pubsub.subscriptions.update pubsub.topics.attachSubscription pubsub.topics.create pubsub.topics.delete pubsub.topics.detachSubscription pubsub.topics.get pubsub.topics.list pubsub.topics.publish pubsub.topics.update pubsub.topics.updateTag resourcemanager.projects.get resourcemanager.projects.list run.jobs.run run.routes.invoke serviceusage.quotas.get serviceusage.services.get serviceusage.services.list
KubeRun Events Control Plane Service Agent (`roles/kuberun.eventsControlPlaneServiceAgent`) Service account role used to setup authentication for the control plane used by KubeRun Events.	cloudscheduler.jobs.create cloudscheduler.jobs.delete cloudscheduler.jobs.get logging.sinks.create logging.sinks.delete logging.sinks.get pubsub.subscriptions.create pubsub.subscriptions.delete pubsub.subscriptions.get pubsub.topics.attachSubscription pubsub.topics.create pubsub.topics.delete pubsub.topics.get pubsub.topics.getIamPolicy pubsub.topics.setIamPolicy resourcemanager.projects.get storage.buckets.get storage.buckets.update
KubeRun Events Data Plane Service Agent (`roles/kuberun.eventsDataPlaneServiceAgent`) Service account role used to setup authentication for the data plane used by KubeRun Events.	cloudtrace.traces.patch monitoring.timeSeries.create pubsub.subscriptions.consume pubsub.subscriptions.get pubsub.topics.get pubsub.topics.publish resourcemanager.projects.get
Cloud Life Sciences Service Agent (`roles/lifesciences.serviceAgent`) Gives Cloud Life Sciences Service Account access to compute resources. Includes access to service accounts.	compute.acceleratorTypes.* compute.addresses.createInternal compute.addresses.deleteInternal compute.addresses.get compute.addresses.list compute.addresses.use compute.addresses.useInternal compute.autoscalers.* compute.backendBuckets.get compute.backendBuckets.list compute.backendServices.get compute.backendServices.list compute.diskTypes.* compute.disks.* compute.externalVpnGateways.get compute.externalVpnGateways.list compute.firewalls.get compute.firewalls.list compute.forwardingRules.get compute.forwardingRules.list compute.globalAddresses.get compute.globalAddresses.list compute.globalAddresses.use compute.globalForwardingRules.get compute.globalForwardingRules.list compute.globalForwardingRules.pscGet compute.globalNetworkEndpointGroups.* compute.globalOperations.get compute.globalOperations.list compute.healthChecks.get compute.healthChecks.list compute.httpHealthChecks.get compute.httpHealthChecks.list compute.httpsHealthChecks.get compute.httpsHealthChecks.list compute.images.* compute.instanceGroupManagers.* compute.instanceGroups.* compute.instanceTemplates.* compute.instances.* compute.interconnectAttachments.get compute.interconnectAttachments.list compute.interconnectLocations.* compute.interconnects.get compute.interconnects.list compute.licenseCodes.* compute.licenses.* compute.machineImages.* compute.machineTypes.* compute.networkEndpointGroups.* compute.networks.get compute.networks.list compute.networks.use compute.networks.useExternalIp compute.projects.get compute.projects.setCommonInstanceMetadata compute.regionBackendServices.get compute.regionBackendServices.list compute.regionHealthCheckServices.get compute.regionHealthCheckServices.list compute.regionHealthChecks.get compute.regionHealthChecks.list compute.regionNetworkEndpointGroups.* compute.regionNotificationEndpoints.get compute.regionNotificationEndpoints.list compute.regionOperations.get compute.regionOperations.list compute.regionSslCertificates.get compute.regionSslCertificates.list compute.regionTargetHttpProxies.get compute.regionTargetHttpProxies.list compute.regionTargetHttpsProxies.get compute.regionTargetHttpsProxies.list compute.regionUrlMaps.get compute.regionUrlMaps.list compute.regions.* compute.reservations.get compute.reservations.list compute.resourcePolicies.* compute.routers.get compute.routers.list compute.routes.get compute.routes.list compute.serviceAttachments.get compute.serviceAttachments.list compute.snapshots.* compute.sslCertificates.get compute.sslCertificates.list compute.sslPolicies.get compute.sslPolicies.list compute.sslPolicies.listAvailableFeatures compute.subnetworks.get compute.subnetworks.list compute.subnetworks.use compute.subnetworks.useExternalIp compute.targetGrpcProxies.get compute.targetGrpcProxies.list compute.targetHttpProxies.get compute.targetHttpProxies.list compute.targetHttpsProxies.get compute.targetHttpsProxies.list compute.targetInstances.get compute.targetInstances.list compute.targetPools.get compute.targetPools.list compute.targetSslProxies.get compute.targetSslProxies.list compute.targetTcpProxies.get compute.targetTcpProxies.list compute.targetVpnGateways.get compute.targetVpnGateways.list compute.urlMaps.get compute.urlMaps.list compute.vpnGateways.get compute.vpnGateways.list compute.vpnTunnels.get compute.vpnTunnels.list compute.zoneOperations.get compute.zoneOperations.list compute.zones.* iam.serviceAccounts.actAs pubsub.topics.publish resourcemanager.projects.get resourcemanager.projects.list serviceusage.quotas.get serviceusage.services.get serviceusage.services.list serviceusage.services.use
Live Stream Service Agent (`roles/livestream.serviceAgent`) Uploads media files to customer Cloud Storage buckets.	storage.objects.create storage.objects.delete storage.objects.get storage.objects.list storage.objects.update
Cloud Logging Service Agent (`roles/logging.serviceAgent`) Grants a Cloud Logging Service Account the ability to create and link datasets.	bigquery.datasets.create bigquery.datasets.link
Cloud Managed Identities Service Agent (`roles/managedidentities.serviceAgent`) Gives Managed Identities service account access to managed resources.	compute.globalOperations.get compute.networks.addPeering compute.networks.get compute.networks.removePeering compute.networks.update compute.routes.list dns.changes.* dns.dnsKeys.* dns.managedZoneOperations.* dns.managedZones.create dns.managedZones.delete dns.managedZones.get dns.managedZones.list dns.managedZones.update dns.networks.bindPrivateDNSPolicy dns.networks.bindPrivateDNSZone dns.policies.create dns.policies.delete dns.policies.get dns.policies.list dns.policies.update dns.projects.get dns.resourceRecordSets.* dns.responsePolicies.* dns.responsePolicyRules.* monitoring.metricDescriptors.create monitoring.metricDescriptors.get monitoring.metricDescriptors.list monitoring.monitoredResourceDescriptors.* monitoring.timeSeries.create resourcemanager.projects.get resourcemanager.projects.list
Media Asset Service Agent (`roles/mediaasset.serviceAgent`) Downloads and uploads media files from and to customer Cloud Storage buckets.	pubsub.topics.get pubsub.topics.publish storage.objects.create storage.objects.delete storage.objects.get transcoder.jobs.create transcoder.jobs.delete transcoder.jobs.get
Cloud Memorystore Memcached Service Agent (`roles/memcache.serviceAgent`) Gives Cloud Memorystore Memcached service account access to managed resource	compute.globalOperations.get compute.networks.addPeering compute.networks.get compute.networks.removePeering compute.networks.update compute.routes.get compute.routes.list compute.subnetworks.get compute.subnetworks.list monitoring.metricDescriptors.create monitoring.metricDescriptors.get monitoring.metricDescriptors.list monitoring.monitoredResourceDescriptors.* monitoring.timeSeries.create resourcemanager.projects.get resourcemanager.projects.list
Mesh Config Service Agent (`roles/meshconfig.serviceAgent`) Apply mesh configuration	compute.backendServices.create compute.backendServices.delete compute.backendServices.get compute.backendServices.list compute.backendServices.setSecurityPolicy compute.backendServices.update compute.backendServices.use compute.firewalls.* compute.globalForwardingRules.create compute.globalForwardingRules.delete compute.globalForwardingRules.get compute.globalForwardingRules.list compute.globalForwardingRules.setLabels compute.globalForwardingRules.setTarget compute.globalOperations.get compute.globalOperations.list compute.healthChecks.* compute.networkEndpointGroups.get compute.networkEndpointGroups.list compute.networkEndpointGroups.use compute.networks.get compute.networks.updatePolicy compute.networks.use compute.subnetworks.use compute.targetHttpProxies.* compute.targetHttpsProxies.create compute.targetHttpsProxies.delete compute.targetHttpsProxies.get compute.targetHttpsProxies.list compute.targetHttpsProxies.setSslCertificates compute.targetHttpsProxies.setSslPolicy compute.targetHttpsProxies.setUrlMap compute.targetHttpsProxies.use compute.targetSslProxies.* compute.targetTcpProxies.* compute.urlMaps.* networksecurity.clientTlsPolicies.create networksecurity.clientTlsPolicies.delete networksecurity.clientTlsPolicies.get networksecurity.clientTlsPolicies.list networksecurity.clientTlsPolicies.update networksecurity.serverTlsPolicies.create networksecurity.serverTlsPolicies.delete networksecurity.serverTlsPolicies.get networksecurity.serverTlsPolicies.list networksecurity.serverTlsPolicies.update networkservices.endpointConfigSelectors.create networkservices.endpointConfigSelectors.delete networkservices.endpointConfigSelectors.get networkservices.endpointConfigSelectors.list networkservices.endpointConfigSelectors.update networkservices.httpFilters.create networkservices.httpFilters.delete networkservices.httpFilters.get networkservices.httpFilters.list networkservices.httpFilters.update networkservices.httpfilters.create networkservices.httpfilters.delete networkservices.httpfilters.get networkservices.httpfilters.list networkservices.httpfilters.update
Mesh Managed Control Plane Service Agent (`roles/meshcontrolplane.serviceAgent`) Anthos Service Mesh Managed Control Plane Agent	container.apiServices.* container.auditSinks.* container.backendConfigs.* container.bindings.* container.certificateSigningRequests.* container.clusterRoleBindings.* container.clusterRoles.* container.clusters.get container.clusters.getCredentials container.clusters.list container.clusters.update container.componentStatuses.* container.configMaps.* container.controllerRevisions.* container.cronJobs.* container.csiDrivers.* container.csiNodeInfos.* container.csiNodes.* container.customResourceDefinitions.* container.daemonSets.* container.deployments.* container.endpointSlices.* container.endpoints.* container.events.* container.frontendConfigs.* container.horizontalPodAutoscalers.* container.hostServiceAgent.use container.ingresses.* container.initializerConfigurations.* container.jobs.* container.leases.* container.limitRanges.* container.localSubjectAccessReviews.* container.managedCertificates.* container.mutatingWebhookConfigurations.* container.namespaces.* container.networkPolicies.* container.nodes.* container.operations.* container.persistentVolumeClaims.* container.persistentVolumes.* container.petSets.* container.podDisruptionBudgets.* container.podPresets.* container.podSecurityPolicies.* container.podTemplates.* container.pods.* container.priorityClasses.* container.replicaSets.* container.replicationControllers.* container.resourceQuotas.* container.roleBindings.* container.roles.* container.runtimeClasses.* container.scheduledJobs.* container.secrets.* container.selfSubjectAccessReviews.* container.selfSubjectRulesReviews.create container.serviceAccounts.* container.services.* container.statefulSets.* container.storageClasses.* container.storageStates.* container.storageVersionMigrations.* container.subjectAccessReviews.* container.thirdPartyObjects.* container.thirdPartyResources.* container.tokenReviews.create container.updateInfos.* container.validatingWebhookConfigurations.* container.volumeAttachments.* container.volumeSnapshotClasses.* container.volumeSnapshotContents.* container.volumeSnapshots.* gkehub.features.get gkehub.features.getIamPolicy gkehub.features.list gkehub.fleet.get gkehub.gateway.* gkehub.locations.* gkehub.memberships.generateConnectManifest gkehub.memberships.get gkehub.memberships.getIamPolicy gkehub.memberships.list gkehub.operations.get gkehub.operations.list logging.logEntries.create monitoring.metricDescriptors.create monitoring.metricDescriptors.get monitoring.metricDescriptors.list monitoring.monitoredResourceDescriptors.* monitoring.timeSeries.create resourcemanager.projects.get resourcemanager.projects.list serviceusage.services.get serviceusage.services.use
Mesh Data Plane Service Agent (`roles/meshdataplane.serviceAgent`) Run user-space Istio components	cloudtrace.traces.patch compute.forwardingRules.get compute.globalForwardingRules.get logging.logEntries.create meshconfig.projects.get monitoring.metricDescriptors.create monitoring.metricDescriptors.get monitoring.metricDescriptors.list monitoring.monitoredResourceDescriptors.* monitoring.timeSeries.create serviceusage.services.use
Dataproc Metastore Service Agent (`roles/metastore.serviceAgent`) Gives the Dataproc Metastore service account access to managed resources.	compute.addresses.createInternal compute.addresses.deleteInternal compute.addresses.get compute.addresses.use compute.forwardingRules.create compute.forwardingRules.delete compute.forwardingRules.get compute.forwardingRules.pscCreate compute.forwardingRules.pscDelete compute.globalAddresses.createInternal compute.globalAddresses.deleteInternal compute.globalAddresses.get compute.globalAddresses.list compute.globalOperations.get compute.globalOperations.list compute.networks.addPeering compute.networks.get compute.networks.removePeering compute.networks.updatePeering compute.networks.use compute.regionOperations.get compute.subnetworks.get compute.subnetworks.use metastore.databases.setIamPolicy metastore.services.get metastore.tables.setIamPolicy servicedirectory.namespaces.create servicedirectory.namespaces.delete servicedirectory.services.create servicedirectory.services.delete storage.buckets.create storage.buckets.delete storage.buckets.get storage.buckets.update storage.objects.create storage.objects.delete storage.objects.get storage.objects.list storage.objects.update
Migration Center Service Agent (`roles/migrationcenter.serviceAgent`) Gives Migration Center Service Account access to objects storedin object store and Cloud Migration products.	storage.objects.get vmmigration.migratingVms.create
AI Platform Service Agent (`roles/ml.serviceAgent`) AI Platform service agent can act as log writer, Cloud Storage admin, Artifact Registry Reader, BigQuery writer, and service account access token creator.	artifactregistry.dockerimages.* artifactregistry.files.* artifactregistry.locations.* artifactregistry.mavenartifacts.* artifactregistry.npmpackages.* artifactregistry.packages.get artifactregistry.packages.list artifactregistry.pythonpackages.* artifactregistry.repositories.downloadArtifacts artifactregistry.repositories.get artifactregistry.repositories.list artifactregistry.repositories.listEffectiveTags artifactregistry.repositories.listTagBindings artifactregistry.tags.get artifactregistry.tags.list artifactregistry.versions.get artifactregistry.versions.list bigquery.datasets.create bigquery.datasets.get bigquery.jobs.create bigquery.jobs.get bigquery.jobs.list bigquery.jobs.update bigquery.tables.create bigquery.tables.get bigquery.tables.getData bigquery.tables.list bigquery.tables.updateData firebase.projects.get iam.serviceAccounts.get iam.serviceAccounts.getAccessToken iam.serviceAccounts.getOpenIdToken iam.serviceAccounts.implicitDelegation iam.serviceAccounts.list iam.serviceAccounts.signBlob iam.serviceAccounts.signJwt logging.logEntries.create orgpolicy.policy.get resourcemanager.projects.get resourcemanager.projects.list storage.buckets.* storage.multipartUploads.* storage.objects.*
Monitoring Service Agent (`roles/monitoring.notificationServiceAgent`) Grants permissions to deliver notifications directly to resources within the target project, such as delivering to Pub/Sub topics within the project.	servicedirectory.networks.access servicedirectory.services.resolve serviceusage.services.use
Multi Cluster Ingress Service Agent (`roles/multiclusteringress.serviceAgent`) Gives the Multi Cluster Ingress service agent access to CloudPlatform resources.	certificatemanager.certmapentries.create certificatemanager.certmapentries.delete certificatemanager.certmapentries.get certificatemanager.certmapentries.getIamPolicy certificatemanager.certmapentries.list certificatemanager.certmapentries.update certificatemanager.certmaps.create certificatemanager.certmaps.delete certificatemanager.certmaps.get certificatemanager.certmaps.getIamPolicy certificatemanager.certmaps.list certificatemanager.certmaps.update certificatemanager.certmaps.use certificatemanager.certs.create certificatemanager.certs.delete certificatemanager.certs.get certificatemanager.certs.getIamPolicy certificatemanager.certs.list certificatemanager.certs.update certificatemanager.certs.use certificatemanager.dnsauthorizations.create certificatemanager.dnsauthorizations.delete certificatemanager.dnsauthorizations.get certificatemanager.dnsauthorizations.getIamPolicy certificatemanager.dnsauthorizations.list certificatemanager.dnsauthorizations.update certificatemanager.dnsauthorizations.use compute.addresses.create compute.addresses.createInternal compute.addresses.delete compute.addresses.deleteInternal compute.addresses.get compute.addresses.list compute.addresses.use compute.addresses.useInternal compute.backendServices.* compute.firewalls.* compute.forwardingRules.* compute.globalAddresses.create compute.globalAddresses.delete compute.globalAddresses.get compute.globalAddresses.list compute.globalAddresses.use compute.globalForwardingRules.* compute.healthChecks.* compute.networkEndpointGroups.get compute.networkEndpointGroups.use compute.networks.updatePolicy compute.networks.use compute.regionBackendServices.* compute.regionHealthChecks.* compute.regionSslCertificates.* compute.regionTargetHttpProxies.* compute.regionTargetHttpsProxies.* compute.regionUrlMaps.* compute.securityPolicies.use compute.sslCertificates.* compute.sslPolicies.use compute.subnetworks.list compute.subnetworks.use compute.targetHttpProxies.* compute.targetHttpsProxies.* compute.urlMaps.* container.backendConfigs.* container.clusters.get container.customResourceDefinitions.create container.customResourceDefinitions.delete container.customResourceDefinitions.get container.customResourceDefinitions.list container.customResourceDefinitions.update container.deployments.* container.events.create container.events.update container.frontendConfigs.* container.namespaces.list container.secrets.get container.secrets.list container.services.* container.thirdPartyObjects.* gkehub.features.get gkehub.locations.* gkehub.memberships.get gkehub.memberships.list serviceusage.services.get serviceusage.services.list
Multi-cluster metering Service Agent (`roles/multiclustermetering.serviceAgent`) Gives the Multi-cluster metering service agent access to CloudPlatform resources.	gkehub.features.get gkehub.locations.* gkehub.memberships.get gkehub.memberships.list
GCP Network Management Service Agent (`roles/networkmanagement.serviceAgent`) Grants the GCP Network Management API the authority to complete analysis based on network configurations from Compute Engine and Container Engine.	cloudsql.instances.get cloudsql.instances.list compute.addresses.get compute.addresses.list compute.backendServices.get compute.backendServices.list compute.externalVpnGateways.get compute.externalVpnGateways.list compute.firewalls.get compute.firewalls.list compute.forwardingRules.get compute.forwardingRules.list compute.globalAddresses.get compute.globalAddresses.list compute.globalForwardingRules.get compute.globalForwardingRules.list compute.globalNetworkEndpointGroups.get compute.globalNetworkEndpointGroups.list compute.healthChecks.get compute.healthChecks.list compute.httpHealthChecks.get compute.httpHealthChecks.list compute.httpsHealthChecks.get compute.httpsHealthChecks.list compute.instanceGroups.get compute.instanceGroups.list compute.instances.get compute.instances.list compute.networkEndpointGroups.get compute.networkEndpointGroups.list compute.networks.get compute.networks.getEffectiveFirewalls compute.networks.list compute.networks.listPeeringRoutes compute.packetMirrorings.get compute.packetMirrorings.list compute.regionBackendServices.get compute.regionBackendServices.list compute.regionHealthChecks.get compute.regionHealthChecks.list compute.regionNetworkEndpointGroups.get compute.regionNetworkEndpointGroups.list compute.regionTargetHttpProxies.get compute.regionTargetHttpProxies.list compute.regionTargetHttpsProxies.get compute.regionTargetHttpsProxies.list compute.regionUrlMaps.get compute.regionUrlMaps.list compute.routers.get compute.routers.list compute.routes.get compute.routes.list compute.subnetworks.get compute.subnetworks.list compute.targetGrpcProxies.get compute.targetGrpcProxies.list compute.targetHttpProxies.get compute.targetHttpProxies.list compute.targetHttpsProxies.get compute.targetHttpsProxies.list compute.targetInstances.get compute.targetInstances.list compute.targetPools.get compute.targetPools.list compute.targetSslProxies.get compute.targetSslProxies.list compute.targetTcpProxies.get compute.targetTcpProxies.list compute.targetVpnGateways.get compute.targetVpnGateways.list compute.urlMaps.get compute.urlMaps.list compute.vpnGateways.get compute.vpnGateways.list compute.vpnTunnels.get compute.vpnTunnels.list container.clusters.get container.clusters.list container.nodes.get container.nodes.list
AI Platform Notebooks Service Agent (`roles/notebooks.serviceAgent`) Provide access for notebooks service agent to manage notebook instances in user projects	aiplatform.customJobs.cancel aiplatform.customJobs.create aiplatform.customJobs.get aiplatform.customJobs.list compute.acceleratorTypes.* compute.addresses.createInternal compute.addresses.deleteInternal compute.addresses.get compute.addresses.list compute.addresses.use compute.addresses.useInternal compute.autoscalers.* compute.backendBuckets.get compute.backendBuckets.list compute.backendServices.get compute.backendServices.getIamPolicy compute.backendServices.list compute.commitments.get compute.commitments.list compute.diskTypes.* compute.disks.* compute.externalVpnGateways.get compute.externalVpnGateways.list compute.firewallPolicies.get compute.firewallPolicies.getIamPolicy compute.firewallPolicies.list compute.firewalls.get compute.firewalls.list compute.forwardingRules.get compute.forwardingRules.list compute.globalAddresses.get compute.globalAddresses.list compute.globalAddresses.use compute.globalForwardingRules.get compute.globalForwardingRules.list compute.globalForwardingRules.pscGet compute.globalNetworkEndpointGroups.* compute.globalOperations.get compute.globalOperations.getIamPolicy compute.globalOperations.list compute.globalPublicDelegatedPrefixes.get compute.globalPublicDelegatedPrefixes.list compute.healthChecks.get compute.healthChecks.list compute.httpHealthChecks.get compute.httpHealthChecks.list compute.httpsHealthChecks.get compute.httpsHealthChecks.list compute.images.* compute.instanceGroupManagers.* compute.instanceGroups.* compute.instanceTemplates.* compute.instances.* compute.interconnectAttachments.get compute.interconnectAttachments.list compute.interconnectLocations.* compute.interconnects.get compute.interconnects.list compute.licenseCodes.* compute.licenses.* compute.machineImages.* compute.machineTypes.* compute.maintenancePolicies.get compute.maintenancePolicies.getIamPolicy compute.maintenancePolicies.list compute.networkEndpointGroups.* compute.networks.get compute.networks.getEffectiveFirewalls compute.networks.getRegionEffectiveFirewalls compute.networks.list compute.networks.listPeeringRoutes compute.networks.use compute.networks.useExternalIp compute.nodeGroups.get compute.nodeGroups.getIamPolicy compute.nodeGroups.list compute.nodeTemplates.get compute.nodeTemplates.getIamPolicy compute.nodeTemplates.list compute.nodeTypes.* compute.organizations.listAssociations compute.packetMirrorings.get compute.packetMirrorings.list compute.projects.get compute.projects.setCommonInstanceMetadata compute.publicAdvertisedPrefixes.get compute.publicAdvertisedPrefixes.list compute.publicDelegatedPrefixes.get compute.publicDelegatedPrefixes.list compute.regionBackendServices.get compute.regionBackendServices.getIamPolicy compute.regionBackendServices.list compute.regionFirewallPolicies.get compute.regionFirewallPolicies.getIamPolicy compute.regionFirewallPolicies.list compute.regionHealthCheckServices.get compute.regionHealthCheckServices.list compute.regionHealthChecks.get compute.regionHealthChecks.list compute.regionNetworkEndpointGroups.* compute.regionNotificationEndpoints.get compute.regionNotificationEndpoints.list compute.regionOperations.get compute.regionOperations.getIamPolicy compute.regionOperations.list compute.regionSslCertificates.get compute.regionSslCertificates.list compute.regionTargetHttpProxies.get compute.regionTargetHttpProxies.list compute.regionTargetHttpsProxies.get compute.regionTargetHttpsProxies.list compute.regionUrlMaps.get compute.regionUrlMaps.list compute.regionUrlMaps.validate compute.regions.* compute.reservations.get compute.reservations.list compute.resourcePolicies.* compute.routers.get compute.routers.list compute.routes.get compute.routes.list compute.securityPolicies.get compute.securityPolicies.getIamPolicy compute.securityPolicies.list compute.serviceAttachments.get compute.serviceAttachments.list compute.snapshots.* compute.sslCertificates.get compute.sslCertificates.list compute.sslPolicies.get compute.sslPolicies.list compute.sslPolicies.listAvailableFeatures compute.subnetworks.get compute.subnetworks.getIamPolicy compute.subnetworks.list compute.subnetworks.use compute.subnetworks.useExternalIp compute.targetGrpcProxies.get compute.targetGrpcProxies.list compute.targetHttpProxies.get compute.targetHttpProxies.list compute.targetHttpsProxies.get compute.targetHttpsProxies.list compute.targetInstances.get compute.targetInstances.list compute.targetPools.get compute.targetPools.list compute.targetSslProxies.get compute.targetSslProxies.list compute.targetTcpProxies.get compute.targetTcpProxies.list compute.targetVpnGateways.get compute.targetVpnGateways.list compute.urlMaps.get compute.urlMaps.list compute.urlMaps.validate compute.vpnGateways.get compute.vpnGateways.list compute.vpnTunnels.get compute.vpnTunnels.list compute.zoneOperations.get compute.zoneOperations.getIamPolicy compute.zoneOperations.list compute.zones.* dataproc.clusters.get dataproc.clusters.use dataproc.jobs.cancel dataproc.jobs.create dataproc.jobs.delete dataproc.jobs.get dataproc.jobs.list dataproc.jobs.update iam.serviceAccounts.actAs iam.serviceAccounts.get iam.serviceAccounts.getAccessToken iam.serviceAccounts.list ml.jobs.create ml.jobs.get ml.jobs.list notebooks.* resourcemanager.projects.get resourcemanager.projects.list serviceusage.quotas.get serviceusage.services.get serviceusage.services.list
Cloud OS Config Service Agent (`roles/osconfig.serviceAgent`) Grants OS Config Service Account access to Google Compute Engine instances.	compute.instances.get compute.instances.getGuestAttributes compute.instances.list compute.instances.setMetadata compute.zones.* containeranalysis.notes.attachOccurrence containeranalysis.notes.create containeranalysis.notes.delete containeranalysis.notes.get containeranalysis.notes.list containeranalysis.notes.update containeranalysis.occurrences.create containeranalysis.occurrences.delete containeranalysis.occurrences.get containeranalysis.occurrences.list containeranalysis.occurrences.update iam.serviceAccounts.actAs resourcemanager.projects.get resourcemanager.projects.list
Cloud Pub/Sub Service Agent (`roles/pubsub.serviceAgent`) Grants Cloud Pub/Sub Service Account access to manage resources.	iam.serviceAccounts.get iam.serviceAccounts.getAccessToken iam.serviceAccounts.getOpenIdToken iam.serviceAccounts.implicitDelegation iam.serviceAccounts.list iam.serviceAccounts.signBlob iam.serviceAccounts.signJwt resourcemanager.projects.get resourcemanager.projects.list
RMA Service Agent (`roles/rapidmigrationassessment.serviceAgent`) Gives RMA service account access to MC resources.	autoscaling.sites.writeMetrics cloudasset.assets.exportResource cloudasset.feeds.create logging.logEntries.create migrationcenter.assets.list migrationcenter.assets.reportFrames migrationcenter.importJobs.get migrationcenter.importJobs.list migrationcenter.sources.create migrationcenter.sources.delete migrationcenter.sources.get migrationcenter.sources.update monitoring.metricDescriptors.create monitoring.metricDescriptors.list monitoring.timeSeries.create resourcemanager.projects.get
Cloud Memorystore Redis Service Agent (`roles/redis.serviceAgent`) Gives Cloud Memorystore Redis service account access to managed resource	compute.globalOperations.get compute.networks.addPeering compute.networks.get compute.networks.removePeering compute.networks.update compute.projects.get compute.routes.get compute.routes.list compute.subnetworks.get compute.subnetworks.list monitoring.metricDescriptors.create monitoring.metricDescriptors.get monitoring.metricDescriptors.list monitoring.monitoredResourceDescriptors.* monitoring.timeSeries.create resourcemanager.projects.get resourcemanager.projects.list
Remote Build Execution Service Agent (`roles/remotebuildexecution.serviceAgent`) Gives Remote Build Execution service account access to managed resources.	remotebuildexecution.actions.update remotebuildexecution.blobs.* remotebuildexecution.botsessions.* remotebuildexecution.logstreams.create remotebuildexecution.logstreams.update
Retail Service Agent (`roles/retail.serviceAgent`) Retail service uploads product feeds and user events from Cloud Storage and BigQuery, reports results to the customer Cloud Storage bucket, writes logs to customer projects, and writes and reads Google Cloud's operations suite metrics for customer projects.	bigquery.datasets.create bigquery.datasets.get bigquery.jobs.create bigquery.jobs.get bigquery.jobs.list bigquery.jobs.update bigquery.tables.create bigquery.tables.export bigquery.tables.get bigquery.tables.getData bigquery.tables.list bigquery.tables.update bigquery.tables.updateData cloudnotifications.activities.list dataflow.jobs.* dataflow.messages.list dataflow.metrics.get logging.logEntries.create monitoring.alertPolicies.get monitoring.alertPolicies.list monitoring.dashboards.get monitoring.dashboards.list monitoring.groups.get monitoring.groups.list monitoring.metricDescriptors.create monitoring.metricDescriptors.get monitoring.metricDescriptors.list monitoring.monitoredResourceDescriptors.* monitoring.notificationChannelDescriptors.* monitoring.notificationChannels.get monitoring.notificationChannels.list monitoring.publicWidgets.get monitoring.publicWidgets.list monitoring.services.get monitoring.services.list monitoring.slos.get monitoring.slos.list monitoring.timeSeries.* monitoring.uptimeCheckConfigs.get monitoring.uptimeCheckConfigs.list opsconfigmonitoring.resourceMetadata.list resourcemanager.projects.get resourcemanager.projects.list stackdriver.projects.get storage.buckets.create storage.buckets.get storage.objects.create storage.objects.delete storage.objects.get storage.objects.list storage.objects.update
Risk Manager Service Agent (`roles/riskmanager.serviceAgent`) Service agent that grants Risk Manager service access to fetch findings for generating Reports	cloudasset.assets.* recommender.cloudAssetInsights.get recommender.cloudAssetInsights.list recommender.locations.* resourcemanager.folders.get resourcemanager.folders.list resourcemanager.organizations.get resourcemanager.projects.get resourcemanager.projects.list securitycenter.assets.group securitycenter.assets.list securitycenter.assets.listAssetPropertyNames securitycenter.bigQueryExports.get securitycenter.bigQueryExports.list securitycenter.containerthreatdetectionsettings.calculate securitycenter.containerthreatdetectionsettings.get securitycenter.eventthreatdetectionsettings.calculate securitycenter.eventthreatdetectionsettings.get securitycenter.findings.group securitycenter.findings.list securitycenter.findings.listFindingPropertyNames securitycenter.muteconfigs.get securitycenter.muteconfigs.list securitycenter.notificationconfig.get securitycenter.notificationconfig.list securitycenter.organizationsettings.get securitycenter.rapidvulnerabilitydetectionsettings.calculate securitycenter.rapidvulnerabilitydetectionsettings.get securitycenter.securitycentersettings.get securitycenter.securityhealthanalyticssettings.calculate securitycenter.securityhealthanalyticssettings.get securitycenter.sources.get securitycenter.sources.list securitycenter.subscription.get securitycenter.userinterfacemetadata.get securitycenter.virtualmachinethreatdetectionsettings.calculate securitycenter.virtualmachinethreatdetectionsettings.get securitycenter.websecurityscannersettings.calculate securitycenter.websecurityscannersettings.get
Cloud Run Service Agent (`roles/run.serviceAgent`) Gives Cloud Run service account access to managed resources.	artifactregistry.dockerimages.* artifactregistry.files.* artifactregistry.locations.* artifactregistry.mavenartifacts.* artifactregistry.npmpackages.* artifactregistry.packages.get artifactregistry.packages.list artifactregistry.pythonpackages.* artifactregistry.repositories.downloadArtifacts artifactregistry.repositories.get artifactregistry.repositories.list artifactregistry.repositories.listEffectiveTags artifactregistry.repositories.listTagBindings artifactregistry.tags.get artifactregistry.tags.list artifactregistry.versions.get artifactregistry.versions.list binaryauthorization.platformPolicies.evaluatePolicy binaryauthorization.policy.evaluatePolicy clientauthconfig.clients.list cloudbuild.builds.create cloudbuild.builds.get compute.addresses.createInternal compute.addresses.deleteInternal compute.addresses.get compute.addresses.list compute.globalOperations.get compute.networks.access compute.networks.get compute.subnetworks.get compute.subnetworks.use iam.serviceAccounts.actAs iam.serviceAccounts.getAccessToken iam.serviceAccounts.getOpenIdToken iam.serviceAccounts.signBlob resourcemanager.projects.get resourcemanager.projects.getIamPolicy resourcemanager.projects.list run.routes.invoke serviceusage.services.use storage.objects.get storage.objects.list vpcaccess.connectors.get vpcaccess.connectors.use
Secured Landing Zone Service Agent (`roles/securedlandingzone.serviceAgent`) Grants Secured Landing Zone service account permissions to manage resources in the customer project	cloudasset.assets.exportOrgPolicy cloudasset.assets.exportResource cloudasset.feeds.create cloudasset.feeds.delete cloudasset.feeds.update logging.logEntries.list pubsub.subscriptions.consume pubsub.subscriptions.create pubsub.subscriptions.delete pubsub.topics.attachSubscription pubsub.topics.create pubsub.topics.delete pubsub.topics.detachSubscription pubsub.topics.getIamPolicy pubsub.topics.setIamPolicy resourcemanager.projects.get securitycenter.assetsecuritymarks.update securitycenter.findings.list securitycenter.findings.update securitycenter.sources.list securitycenter.sources.update serviceusage.services.use
Security Center Automation Service Agent (`roles/securitycenter.automationServiceAgent`) Security Center automation service agent can configure GCP resources to enable security scanning.	cloudasset.feeds.* resourcemanager.folders.get resourcemanager.folders.list resourcemanager.organizations.get resourcemanager.projects.get resourcemanager.projects.getIamPolicy resourcemanager.projects.list serviceusage.services.enable
Security Center Control Service Agent (`roles/securitycenter.controlServiceAgent`) Security Center Control service agent can monitor and configure GCP resources and import security findings.	apikeys.keys.get apikeys.keys.list apikeys.keys.lookup appengine.applications.get appengine.instances.get appengine.instances.list appengine.operations.* appengine.services.get appengine.services.list appengine.versions.get appengine.versions.list bigquery.datasets.get binaryauthorization.policy.get cloudasset.assets.* cloudasset.feeds.* cloudsecurityscanner.* cloudsql.instances.connect cloudsql.instances.get cloudsql.users.list compute.acceleratorTypes.* compute.addresses.get compute.addresses.list compute.autoscalers.get compute.autoscalers.list compute.backendBuckets.get compute.backendBuckets.list compute.backendServices.get compute.backendServices.getIamPolicy compute.backendServices.list compute.commitments.get compute.commitments.list compute.diskTypes.* compute.disks.get compute.disks.getIamPolicy compute.disks.list compute.disks.listEffectiveTags compute.disks.listTagBindings compute.externalVpnGateways.get compute.externalVpnGateways.list compute.firewallPolicies.get compute.firewallPolicies.getIamPolicy compute.firewallPolicies.list compute.firewalls.get compute.firewalls.list compute.forwardingRules.get compute.forwardingRules.list compute.globalAddresses.get compute.globalAddresses.list compute.globalForwardingRules.get compute.globalForwardingRules.list compute.globalForwardingRules.pscGet compute.globalNetworkEndpointGroups.get compute.globalNetworkEndpointGroups.list compute.globalOperations.get compute.globalOperations.getIamPolicy compute.globalOperations.list compute.globalPublicDelegatedPrefixes.get compute.globalPublicDelegatedPrefixes.list compute.healthChecks.get compute.healthChecks.list compute.httpHealthChecks.get compute.httpHealthChecks.list compute.httpsHealthChecks.get compute.httpsHealthChecks.list compute.images.get compute.images.getFromFamily compute.images.getIamPolicy compute.images.list compute.images.listEffectiveTags compute.images.listTagBindings compute.instanceGroupManagers.get compute.instanceGroupManagers.list compute.instanceGroups.get compute.instanceGroups.list compute.instanceTemplates.get compute.instanceTemplates.getIamPolicy compute.instanceTemplates.list compute.instances.get compute.instances.getEffectiveFirewalls compute.instances.getGuestAttributes compute.instances.getIamPolicy compute.instances.getScreenshot compute.instances.getSerialPortOutput compute.instances.getShieldedInstanceIdentity compute.instances.getShieldedVmIdentity compute.instances.list compute.instances.listEffectiveTags compute.instances.listReferrers compute.instances.listTagBindings compute.interconnectAttachments.get compute.interconnectAttachments.list compute.interconnectLocations.* compute.interconnects.get compute.interconnects.list compute.licenseCodes.get compute.licenseCodes.getIamPolicy compute.licenseCodes.list compute.licenses.get compute.licenses.getIamPolicy compute.licenses.list compute.machineImages.get compute.machineImages.getIamPolicy compute.machineImages.list compute.machineTypes.* compute.maintenancePolicies.get compute.maintenancePolicies.getIamPolicy compute.maintenancePolicies.list compute.networkEndpointGroups.get compute.networkEndpointGroups.getIamPolicy compute.networkEndpointGroups.list compute.networks.get compute.networks.getEffectiveFirewalls compute.networks.getRegionEffectiveFirewalls compute.networks.list compute.networks.listPeeringRoutes compute.nodeGroups.get compute.nodeGroups.getIamPolicy compute.nodeGroups.list compute.nodeTemplates.get compute.nodeTemplates.getIamPolicy compute.nodeTemplates.list compute.nodeTypes.* compute.organizations.listAssociations compute.packetMirrorings.get compute.packetMirrorings.list compute.projects.get compute.publicAdvertisedPrefixes.get compute.publicAdvertisedPrefixes.list compute.publicDelegatedPrefixes.get compute.publicDelegatedPrefixes.list compute.regionBackendServices.get compute.regionBackendServices.getIamPolicy compute.regionBackendServices.list compute.regionFirewallPolicies.get compute.regionFirewallPolicies.getIamPolicy compute.regionFirewallPolicies.list compute.regionHealthCheckServices.get compute.regionHealthCheckServices.list compute.regionHealthChecks.get compute.regionHealthChecks.list compute.regionNetworkEndpointGroups.get compute.regionNetworkEndpointGroups.list compute.regionNotificationEndpoints.get compute.regionNotificationEndpoints.list compute.regionOperations.get compute.regionOperations.getIamPolicy compute.regionOperations.list compute.regionSslCertificates.get compute.regionSslCertificates.list compute.regionTargetHttpProxies.get compute.regionTargetHttpProxies.list compute.regionTargetHttpsProxies.get compute.regionTargetHttpsProxies.list compute.regionUrlMaps.get compute.regionUrlMaps.list compute.regionUrlMaps.validate compute.regions.* compute.reservations.get compute.reservations.list compute.resourcePolicies.get compute.resourcePolicies.list compute.routers.get compute.routers.list compute.routes.get compute.routes.list compute.securityPolicies.get compute.securityPolicies.getIamPolicy compute.securityPolicies.list compute.serviceAttachments.get compute.serviceAttachments.list compute.snapshots.get compute.snapshots.getIamPolicy compute.snapshots.list compute.snapshots.listEffectiveTags compute.snapshots.listTagBindings compute.sslCertificates.get compute.sslCertificates.list compute.sslPolicies.get compute.sslPolicies.list compute.sslPolicies.listAvailableFeatures compute.subnetworks.get compute.subnetworks.getIamPolicy compute.subnetworks.list compute.targetGrpcProxies.get compute.targetGrpcProxies.list compute.targetHttpProxies.get compute.targetHttpProxies.list compute.targetHttpsProxies.get compute.targetHttpsProxies.list compute.targetInstances.get compute.targetInstances.list compute.targetPools.get compute.targetPools.list compute.targetSslProxies.get compute.targetSslProxies.list compute.targetTcpProxies.get compute.targetTcpProxies.list compute.targetVpnGateways.get compute.targetVpnGateways.list compute.urlMaps.get compute.urlMaps.list compute.urlMaps.validate compute.vpnGateways.get compute.vpnGateways.list compute.vpnTunnels.get compute.vpnTunnels.list compute.zoneOperations.get compute.zoneOperations.getIamPolicy compute.zoneOperations.list compute.zones.* container.apiServices.get container.apiServices.getStatus container.apiServices.list container.auditSinks.get container.auditSinks.list container.backendConfigs.get container.backendConfigs.list container.bindings.get container.bindings.list container.certificateSigningRequests.get container.certificateSigningRequests.getStatus container.certificateSigningRequests.list container.clusterRoleBindings.get container.clusterRoleBindings.list container.clusterRoles.get container.clusterRoles.list container.clusters.get container.clusters.list container.componentStatuses.* container.configMaps.get container.configMaps.list container.controllerRevisions.get container.controllerRevisions.list container.cronJobs.get container.cronJobs.getStatus container.cronJobs.list container.csiDrivers.get container.csiDrivers.list container.csiNodeInfos.get container.csiNodeInfos.list container.csiNodes.get container.csiNodes.list container.customResourceDefinitions.get container.customResourceDefinitions.getStatus container.customResourceDefinitions.list container.daemonSets.get container.daemonSets.getStatus container.daemonSets.list container.deployments.get container.deployments.getScale container.deployments.getStatus container.deployments.list container.endpointSlices.get container.endpointSlices.list container.endpoints.get container.endpoints.list container.events.get container.events.list container.frontendConfigs.get container.frontendConfigs.list container.horizontalPodAutoscalers.get container.horizontalPodAutoscalers.getStatus container.horizontalPodAutoscalers.list container.ingresses.get container.ingresses.getStatus container.ingresses.list container.initializerConfigurations.get container.initializerConfigurations.list container.jobs.get container.jobs.getStatus container.jobs.list container.leases.get container.leases.list container.limitRanges.get container.limitRanges.list container.managedCertificates.get container.managedCertificates.list container.mutatingWebhookConfigurations.get container.mutatingWebhookConfigurations.list container.namespaces.get container.namespaces.getStatus container.namespaces.list container.networkPolicies.get container.networkPolicies.list container.nodes.get container.nodes.getStatus container.nodes.list container.operations.* container.persistentVolumeClaims.get container.persistentVolumeClaims.getStatus container.persistentVolumeClaims.list container.persistentVolumes.get container.persistentVolumes.getStatus container.persistentVolumes.list container.petSets.get container.petSets.list container.podDisruptionBudgets.get container.podDisruptionBudgets.getStatus container.podDisruptionBudgets.list container.podPresets.get container.podPresets.list container.podSecurityPolicies.get container.podSecurityPolicies.list container.podTemplates.get container.podTemplates.list container.pods.get container.pods.getStatus container.pods.list container.priorityClasses.get container.priorityClasses.list container.replicaSets.get container.replicaSets.getScale container.replicaSets.getStatus container.replicaSets.list container.replicationControllers.get container.replicationControllers.getScale container.replicationControllers.getStatus container.replicationControllers.list container.resourceQuotas.get container.resourceQuotas.getStatus container.resourceQuotas.list container.roleBindings.get container.roleBindings.list container.roles.get container.roles.list container.runtimeClasses.get container.runtimeClasses.list container.scheduledJobs.get container.scheduledJobs.list container.serviceAccounts.get container.serviceAccounts.list container.services.get container.services.getStatus container.services.list container.statefulSets.get container.statefulSets.getScale container.statefulSets.getStatus container.statefulSets.list container.storageClasses.get container.storageClasses.list container.storageStates.get container.storageStates.getStatus container.storageStates.list container.storageVersionMigrations.get container.storageVersionMigrations.getStatus container.storageVersionMigrations.list container.thirdPartyObjects.get container.thirdPartyObjects.list container.thirdPartyResources.get container.thirdPartyResources.list container.tokenReviews.create container.updateInfos.get container.updateInfos.list container.validatingWebhookConfigurations.get container.validatingWebhookConfigurations.list container.volumeAttachments.get container.volumeAttachments.getStatus container.volumeAttachments.list container.volumeSnapshotClasses.get container.volumeSnapshotClasses.list container.volumeSnapshotContents.get container.volumeSnapshotContents.getStatus container.volumeSnapshotContents.list container.volumeSnapshots.get container.volumeSnapshots.list dlp.jobs.get dlp.jobs.list logging.buckets.get logging.buckets.list logging.exclusions.get logging.exclusions.list logging.links.get logging.links.list logging.locations.* logging.logEntries.list logging.logMetrics.get logging.logMetrics.list logging.logServiceIndexes.list logging.logServices.list logging.logs.list logging.operations.get logging.operations.list logging.queries.create logging.queries.delete logging.queries.get logging.queries.list logging.queries.listShared logging.queries.update logging.sinks.get logging.sinks.list logging.usage.get logging.views.get logging.views.list monitoring.alertPolicies.get monitoring.alertPolicies.list orgpolicy.policies.list orgpolicy.policy.get recommender.cloudAssetInsights.get recommender.cloudAssetInsights.list recommender.locations.* resourcemanager.folders.get resourcemanager.folders.list resourcemanager.organizations.get resourcemanager.projects.get resourcemanager.projects.getIamPolicy resourcemanager.projects.list securitycenter.assets.* securitycenter.assetsecuritymarks.update securitycenter.bigQueryExports.* securitycenter.containerthreatdetectionsettings.calculate securitycenter.containerthreatdetectionsettings.get securitycenter.eventthreatdetectionsettings.calculate securitycenter.eventthreatdetectionsettings.get securitycenter.findingexternalsystems.update securitycenter.findings.* securitycenter.findingsecuritymarks.update securitycenter.muteconfigs.* securitycenter.notificationconfig.* securitycenter.organizationsettings.get securitycenter.rapidvulnerabilitydetectionsettings.calculate securitycenter.rapidvulnerabilitydetectionsettings.get securitycenter.securitycentersettings.get securitycenter.securityhealthanalyticssettings.calculate securitycenter.securityhealthanalyticssettings.get securitycenter.sources.get securitycenter.sources.list securitycenter.sources.update securitycenter.subscription.get securitycenter.userinterfacemetadata.get securitycenter.virtualmachinethreatdetectionsettings.calculate securitycenter.virtualmachinethreatdetectionsettings.get securitycenter.websecurityscannersettings.calculate securitycenter.websecurityscannersettings.get serviceusage.quotas.get serviceusage.services.enable serviceusage.services.get serviceusage.services.list stackdriver.projects.get storage.buckets.get storage.buckets.getIamPolicy storage.buckets.list
Security Center Integration Executor Service Agent (`roles/securitycenter.integrationExecutorServiceAgent`) Gives Security Center access to execute Integrations.	integrations.securityExecutions.cancel integrations.securityExecutions.list integrations.securityIntegrations.invoke
Security Center Notification Service Agent (`roles/securitycenter.notificationServiceAgent`) Security Center service agent can publish notifications to Pub/Sub topics.	pubsub.topics.publish
Security Health Analytics Service Agent (`roles/securitycenter.securityHealthAnalyticsServiceAgent`) Security Health Analytics service agent can scan GCP resource metadata to find security vulnerabilities.	apikeys.keys.get apikeys.keys.list apikeys.keys.lookup appengine.applications.get bigquery.datasets.get binaryauthorization.policy.get cloudasset.assets.* cloudasset.feeds.* cloudsecurityscanner.* cloudsql.instances.connect cloudsql.instances.get cloudsql.users.list compute.acceleratorTypes.* compute.addresses.get compute.addresses.list compute.autoscalers.get compute.autoscalers.list compute.backendBuckets.get compute.backendBuckets.list compute.backendServices.get compute.backendServices.getIamPolicy compute.backendServices.list compute.commitments.get compute.commitments.list compute.diskTypes.* compute.disks.get compute.disks.getIamPolicy compute.disks.list compute.disks.listEffectiveTags compute.disks.listTagBindings compute.externalVpnGateways.get compute.externalVpnGateways.list compute.firewallPolicies.get compute.firewallPolicies.getIamPolicy compute.firewallPolicies.list compute.firewalls.get compute.firewalls.list compute.forwardingRules.get compute.forwardingRules.list compute.globalAddresses.get compute.globalAddresses.list compute.globalForwardingRules.get compute.globalForwardingRules.list compute.globalForwardingRules.pscGet compute.globalNetworkEndpointGroups.get compute.globalNetworkEndpointGroups.list compute.globalOperations.get compute.globalOperations.getIamPolicy compute.globalOperations.list compute.globalPublicDelegatedPrefixes.get compute.globalPublicDelegatedPrefixes.list compute.healthChecks.get compute.healthChecks.list compute.httpHealthChecks.get compute.httpHealthChecks.list compute.httpsHealthChecks.get compute.httpsHealthChecks.list compute.images.get compute.images.getFromFamily compute.images.getIamPolicy compute.images.list compute.images.listEffectiveTags compute.images.listTagBindings compute.instanceGroupManagers.get compute.instanceGroupManagers.list compute.instanceGroups.get compute.instanceGroups.list compute.instanceTemplates.get compute.instanceTemplates.getIamPolicy compute.instanceTemplates.list compute.instances.get compute.instances.getEffectiveFirewalls compute.instances.getGuestAttributes compute.instances.getIamPolicy compute.instances.getScreenshot compute.instances.getSerialPortOutput compute.instances.getShieldedInstanceIdentity compute.instances.getShieldedVmIdentity compute.instances.list compute.instances.listEffectiveTags compute.instances.listReferrers compute.instances.listTagBindings compute.interconnectAttachments.get compute.interconnectAttachments.list compute.interconnectLocations.* compute.interconnects.get compute.interconnects.list compute.licenseCodes.get compute.licenseCodes.getIamPolicy compute.licenseCodes.list compute.licenses.get compute.licenses.getIamPolicy compute.licenses.list compute.machineImages.get compute.machineImages.getIamPolicy compute.machineImages.list compute.machineTypes.* compute.maintenancePolicies.get compute.maintenancePolicies.getIamPolicy compute.maintenancePolicies.list compute.networkEndpointGroups.get compute.networkEndpointGroups.getIamPolicy compute.networkEndpointGroups.list compute.networks.get compute.networks.getEffectiveFirewalls compute.networks.getRegionEffectiveFirewalls compute.networks.list compute.networks.listPeeringRoutes compute.nodeGroups.get compute.nodeGroups.getIamPolicy compute.nodeGroups.list compute.nodeTemplates.get compute.nodeTemplates.getIamPolicy compute.nodeTemplates.list compute.nodeTypes.* compute.organizations.listAssociations compute.packetMirrorings.get compute.packetMirrorings.list compute.projects.get compute.publicAdvertisedPrefixes.get compute.publicAdvertisedPrefixes.list compute.publicDelegatedPrefixes.get compute.publicDelegatedPrefixes.list compute.regionBackendServices.get compute.regionBackendServices.getIamPolicy compute.regionBackendServices.list compute.regionFirewallPolicies.get compute.regionFirewallPolicies.getIamPolicy compute.regionFirewallPolicies.list compute.regionHealthCheckServices.get compute.regionHealthCheckServices.list compute.regionHealthChecks.get compute.regionHealthChecks.list compute.regionNetworkEndpointGroups.get compute.regionNetworkEndpointGroups.list compute.regionNotificationEndpoints.get compute.regionNotificationEndpoints.list compute.regionOperations.get compute.regionOperations.getIamPolicy compute.regionOperations.list compute.regionSslCertificates.get compute.regionSslCertificates.list compute.regionTargetHttpProxies.get compute.regionTargetHttpProxies.list compute.regionTargetHttpsProxies.get compute.regionTargetHttpsProxies.list compute.regionUrlMaps.get compute.regionUrlMaps.list compute.regionUrlMaps.validate compute.regions.* compute.reservations.get compute.reservations.list compute.resourcePolicies.get compute.resourcePolicies.list compute.routers.get compute.routers.list compute.routes.get compute.routes.list compute.securityPolicies.get compute.securityPolicies.getIamPolicy compute.securityPolicies.list compute.serviceAttachments.get compute.serviceAttachments.list compute.snapshots.get compute.snapshots.getIamPolicy compute.snapshots.list compute.snapshots.listEffectiveTags compute.snapshots.listTagBindings compute.sslCertificates.get compute.sslCertificates.list compute.sslPolicies.get compute.sslPolicies.list compute.sslPolicies.listAvailableFeatures compute.subnetworks.get compute.subnetworks.getIamPolicy compute.subnetworks.list compute.targetGrpcProxies.get compute.targetGrpcProxies.list compute.targetHttpProxies.get compute.targetHttpProxies.list compute.targetHttpsProxies.get compute.targetHttpsProxies.list compute.targetInstances.get compute.targetInstances.list compute.targetPools.get compute.targetPools.list compute.targetSslProxies.get compute.targetSslProxies.list compute.targetTcpProxies.get compute.targetTcpProxies.list compute.targetVpnGateways.get compute.targetVpnGateways.list compute.urlMaps.get compute.urlMaps.list compute.urlMaps.validate compute.vpnGateways.get compute.vpnGateways.list compute.vpnTunnels.get compute.vpnTunnels.list compute.zoneOperations.get compute.zoneOperations.getIamPolicy compute.zoneOperations.list compute.zones.* container.clusters.get container.clusters.list logging.buckets.get logging.buckets.list logging.exclusions.get logging.exclusions.list logging.links.get logging.links.list logging.locations.* logging.logEntries.list logging.logMetrics.get logging.logMetrics.list logging.logServiceIndexes.list logging.logServices.list logging.logs.list logging.operations.get logging.operations.list logging.queries.create logging.queries.delete logging.queries.get logging.queries.list logging.queries.listShared logging.queries.update logging.sinks.get logging.sinks.list logging.usage.get logging.views.get logging.views.list monitoring.alertPolicies.get monitoring.alertPolicies.list orgpolicy.policy.get recommender.cloudAssetInsights.get recommender.cloudAssetInsights.list recommender.locations.* resourcemanager.folders.get resourcemanager.folders.list resourcemanager.organizations.get resourcemanager.projects.get resourcemanager.projects.list securitycenter.assets.* securitycenter.assetsecuritymarks.update securitycenter.bigQueryExports.* securitycenter.containerthreatdetectionsettings.calculate securitycenter.containerthreatdetectionsettings.get securitycenter.eventthreatdetectionsettings.calculate securitycenter.eventthreatdetectionsettings.get securitycenter.findingexternalsystems.update securitycenter.findings.* securitycenter.findingsecuritymarks.update securitycenter.muteconfigs.* securitycenter.notificationconfig.* securitycenter.organizationsettings.get securitycenter.rapidvulnerabilitydetectionsettings.calculate securitycenter.rapidvulnerabilitydetectionsettings.get securitycenter.securitycentersettings.get securitycenter.securityhealthanalyticssettings.calculate securitycenter.securityhealthanalyticssettings.get securitycenter.sources.get securitycenter.sources.list securitycenter.sources.update securitycenter.subscription.get securitycenter.userinterfacemetadata.get securitycenter.virtualmachinethreatdetectionsettings.calculate securitycenter.virtualmachinethreatdetectionsettings.get securitycenter.websecurityscannersettings.calculate securitycenter.websecurityscannersettings.get serviceusage.quotas.get serviceusage.services.get serviceusage.services.list stackdriver.projects.get
Google Cloud Security Response Service Agent (`roles/securitycenter.securityResponseServiceAgent`) Gives Playbook Runner permissions to execute all Google authored Playbooks. This role will keep evolving as we add more playbooks	compute.instances.deleteAccessConfig compute.instances.get compute.instances.setMetadata iam.serviceAccounts.actAs pubsub.topics.publish securitycenter.findings.list storage.buckets.get storage.buckets.update
Security Center Service Agent (`roles/securitycenter.serviceAgent`) Security Center service agent can scan GCP resources and import security scans.	apikeys.keys.get apikeys.keys.list apikeys.keys.lookup appengine.applications.get appengine.instances.get appengine.instances.list appengine.operations.* appengine.services.get appengine.services.list appengine.versions.get appengine.versions.list bigquery.datasets.get binaryauthorization.policy.get cloudasset.assets.* cloudasset.feeds.* cloudsecurityscanner.* cloudsql.instances.connect cloudsql.instances.get cloudsql.users.list compute.acceleratorTypes.* compute.addresses.get compute.addresses.list compute.autoscalers.get compute.autoscalers.list compute.backendBuckets.get compute.backendBuckets.list compute.backendServices.get compute.backendServices.getIamPolicy compute.backendServices.list compute.commitments.get compute.commitments.list compute.diskTypes.* compute.disks.get compute.disks.getIamPolicy compute.disks.list compute.disks.listEffectiveTags compute.disks.listTagBindings compute.externalVpnGateways.get compute.externalVpnGateways.list compute.firewallPolicies.get compute.firewallPolicies.getIamPolicy compute.firewallPolicies.list compute.firewalls.get compute.firewalls.list compute.forwardingRules.get compute.forwardingRules.list compute.globalAddresses.get compute.globalAddresses.list compute.globalForwardingRules.get compute.globalForwardingRules.list compute.globalForwardingRules.pscGet compute.globalNetworkEndpointGroups.get compute.globalNetworkEndpointGroups.list compute.globalOperations.get compute.globalOperations.getIamPolicy compute.globalOperations.list compute.globalPublicDelegatedPrefixes.get compute.globalPublicDelegatedPrefixes.list compute.healthChecks.get compute.healthChecks.list compute.httpHealthChecks.get compute.httpHealthChecks.list compute.httpsHealthChecks.get compute.httpsHealthChecks.list compute.images.get compute.images.getFromFamily compute.images.getIamPolicy compute.images.list compute.images.listEffectiveTags compute.images.listTagBindings compute.instanceGroupManagers.get compute.instanceGroupManagers.list compute.instanceGroups.get compute.instanceGroups.list compute.instanceTemplates.get compute.instanceTemplates.getIamPolicy compute.instanceTemplates.list compute.instances.get compute.instances.getEffectiveFirewalls compute.instances.getGuestAttributes compute.instances.getIamPolicy compute.instances.getScreenshot compute.instances.getSerialPortOutput compute.instances.getShieldedInstanceIdentity compute.instances.getShieldedVmIdentity compute.instances.list compute.instances.listEffectiveTags compute.instances.listReferrers compute.instances.listTagBindings compute.interconnectAttachments.get compute.interconnectAttachments.list compute.interconnectLocations.* compute.interconnects.get compute.interconnects.list compute.licenseCodes.get compute.licenseCodes.getIamPolicy compute.licenseCodes.list compute.licenses.get compute.licenses.getIamPolicy compute.licenses.list compute.machineImages.get compute.machineImages.getIamPolicy compute.machineImages.list compute.machineTypes.* compute.maintenancePolicies.get compute.maintenancePolicies.getIamPolicy compute.maintenancePolicies.list compute.networkEndpointGroups.get compute.networkEndpointGroups.getIamPolicy compute.networkEndpointGroups.list compute.networks.get compute.networks.getEffectiveFirewalls compute.networks.getRegionEffectiveFirewalls compute.networks.list compute.networks.listPeeringRoutes compute.nodeGroups.get compute.nodeGroups.getIamPolicy compute.nodeGroups.list compute.nodeTemplates.get compute.nodeTemplates.getIamPolicy compute.nodeTemplates.list compute.nodeTypes.* compute.organizations.listAssociations compute.packetMirrorings.get compute.packetMirrorings.list compute.projects.get compute.publicAdvertisedPrefixes.get compute.publicAdvertisedPrefixes.list compute.publicDelegatedPrefixes.get compute.publicDelegatedPrefixes.list compute.regionBackendServices.get compute.regionBackendServices.getIamPolicy compute.regionBackendServices.list compute.regionFirewallPolicies.get compute.regionFirewallPolicies.getIamPolicy compute.regionFirewallPolicies.list compute.regionHealthCheckServices.get compute.regionHealthCheckServices.list compute.regionHealthChecks.get compute.regionHealthChecks.list compute.regionNetworkEndpointGroups.get compute.regionNetworkEndpointGroups.list compute.regionNotificationEndpoints.get compute.regionNotificationEndpoints.list compute.regionOperations.get compute.regionOperations.getIamPolicy compute.regionOperations.list compute.regionSslCertificates.get compute.regionSslCertificates.list compute.regionTargetHttpProxies.get compute.regionTargetHttpProxies.list compute.regionTargetHttpsProxies.get compute.regionTargetHttpsProxies.list compute.regionUrlMaps.get compute.regionUrlMaps.list compute.regionUrlMaps.validate compute.regions.* compute.reservations.get compute.reservations.list compute.resourcePolicies.get compute.resourcePolicies.list compute.routers.get compute.routers.list compute.routes.get compute.routes.list compute.securityPolicies.get compute.securityPolicies.getIamPolicy compute.securityPolicies.list compute.serviceAttachments.get compute.serviceAttachments.list compute.snapshots.get compute.snapshots.getIamPolicy compute.snapshots.list compute.snapshots.listEffectiveTags compute.snapshots.listTagBindings compute.sslCertificates.get compute.sslCertificates.list compute.sslPolicies.get compute.sslPolicies.list compute.sslPolicies.listAvailableFeatures compute.subnetworks.get compute.subnetworks.getIamPolicy compute.subnetworks.list compute.targetGrpcProxies.get compute.targetGrpcProxies.list compute.targetHttpProxies.get compute.targetHttpProxies.list compute.targetHttpsProxies.get compute.targetHttpsProxies.list compute.targetInstances.get compute.targetInstances.list compute.targetPools.get compute.targetPools.list compute.targetSslProxies.get compute.targetSslProxies.list compute.targetTcpProxies.get compute.targetTcpProxies.list compute.targetVpnGateways.get compute.targetVpnGateways.list compute.urlMaps.get compute.urlMaps.list compute.urlMaps.validate compute.vpnGateways.get compute.vpnGateways.list compute.vpnTunnels.get compute.vpnTunnels.list compute.zoneOperations.get compute.zoneOperations.getIamPolicy compute.zoneOperations.list compute.zones.* container.apiServices.get container.apiServices.getStatus container.apiServices.list container.auditSinks.get container.auditSinks.list container.backendConfigs.get container.backendConfigs.list container.bindings.get container.bindings.list container.certificateSigningRequests.get container.certificateSigningRequests.getStatus container.certificateSigningRequests.list container.clusterRoleBindings.get container.clusterRoleBindings.list container.clusterRoles.get container.clusterRoles.list container.clusters.get container.clusters.list container.componentStatuses.* container.configMaps.get container.configMaps.list container.controllerRevisions.get container.controllerRevisions.list container.cronJobs.get container.cronJobs.getStatus container.cronJobs.list container.csiDrivers.get container.csiDrivers.list container.csiNodeInfos.get container.csiNodeInfos.list container.csiNodes.get container.csiNodes.list container.customResourceDefinitions.get container.customResourceDefinitions.getStatus container.customResourceDefinitions.list container.daemonSets.get container.daemonSets.getStatus container.daemonSets.list container.deployments.get container.deployments.getScale container.deployments.getStatus container.deployments.list container.endpointSlices.get container.endpointSlices.list container.endpoints.get container.endpoints.list container.events.get container.events.list container.frontendConfigs.get container.frontendConfigs.list container.horizontalPodAutoscalers.get container.horizontalPodAutoscalers.getStatus container.horizontalPodAutoscalers.list container.ingresses.get container.ingresses.getStatus container.ingresses.list container.initializerConfigurations.get container.initializerConfigurations.list container.jobs.get container.jobs.getStatus container.jobs.list container.leases.get container.leases.list container.limitRanges.get container.limitRanges.list container.managedCertificates.get container.managedCertificates.list container.mutatingWebhookConfigurations.get container.mutatingWebhookConfigurations.list container.namespaces.get container.namespaces.getStatus container.namespaces.list container.networkPolicies.get container.networkPolicies.list container.nodes.get container.nodes.getStatus container.nodes.list container.operations.* container.persistentVolumeClaims.get container.persistentVolumeClaims.getStatus container.persistentVolumeClaims.list container.persistentVolumes.get container.persistentVolumes.getStatus container.persistentVolumes.list container.petSets.get container.petSets.list container.podDisruptionBudgets.get container.podDisruptionBudgets.getStatus container.podDisruptionBudgets.list container.podPresets.get container.podPresets.list container.podSecurityPolicies.get container.podSecurityPolicies.list container.podTemplates.get container.podTemplates.list container.pods.get container.pods.getStatus container.pods.list container.priorityClasses.get container.priorityClasses.list container.replicaSets.get container.replicaSets.getScale container.replicaSets.getStatus container.replicaSets.list container.replicationControllers.get container.replicationControllers.getScale container.replicationControllers.getStatus container.replicationControllers.list container.resourceQuotas.get container.resourceQuotas.getStatus container.resourceQuotas.list container.roleBindings.get container.roleBindings.list container.roles.get container.roles.list container.runtimeClasses.get container.runtimeClasses.list container.scheduledJobs.get container.scheduledJobs.list container.serviceAccounts.get container.serviceAccounts.list container.services.get container.services.getStatus container.services.list container.statefulSets.get container.statefulSets.getScale container.statefulSets.getStatus container.statefulSets.list container.storageClasses.get container.storageClasses.list container.storageStates.get container.storageStates.getStatus container.storageStates.list container.storageVersionMigrations.get container.storageVersionMigrations.getStatus container.storageVersionMigrations.list container.thirdPartyObjects.get container.thirdPartyObjects.list container.thirdPartyResources.get container.thirdPartyResources.list container.tokenReviews.create container.updateInfos.get container.updateInfos.list container.validatingWebhookConfigurations.get container.validatingWebhookConfigurations.list container.volumeAttachments.get container.volumeAttachments.getStatus container.volumeAttachments.list container.volumeSnapshotClasses.get container.volumeSnapshotClasses.list container.volumeSnapshotContents.get container.volumeSnapshotContents.getStatus container.volumeSnapshotContents.list container.volumeSnapshots.get container.volumeSnapshots.list dlp.jobs.get dlp.jobs.list logging.buckets.get logging.buckets.list logging.exclusions.get logging.exclusions.list logging.links.get logging.links.list logging.locations.* logging.logEntries.list logging.logMetrics.get logging.logMetrics.list logging.logServiceIndexes.list logging.logServices.list logging.logs.list logging.operations.get logging.operations.list logging.queries.create logging.queries.delete logging.queries.get logging.queries.list logging.queries.listShared logging.queries.update logging.sinks.get logging.sinks.list logging.usage.get logging.views.get logging.views.list monitoring.alertPolicies.get monitoring.alertPolicies.list orgpolicy.policies.list orgpolicy.policy.get recommender.cloudAssetInsights.get recommender.cloudAssetInsights.list recommender.locations.* resourcemanager.folders.get resourcemanager.folders.list resourcemanager.organizations.get resourcemanager.projects.get resourcemanager.projects.getIamPolicy resourcemanager.projects.list securitycenter.assets.* securitycenter.assetsecuritymarks.update securitycenter.bigQueryExports.* securitycenter.containerthreatdetectionsettings.calculate securitycenter.containerthreatdetectionsettings.get securitycenter.eventthreatdetectionsettings.calculate securitycenter.eventthreatdetectionsettings.get securitycenter.findingexternalsystems.update securitycenter.findings.* securitycenter.findingsecuritymarks.update securitycenter.muteconfigs.* securitycenter.notificationconfig.* securitycenter.organizationsettings.get securitycenter.rapidvulnerabilitydetectionsettings.calculate securitycenter.rapidvulnerabilitydetectionsettings.get securitycenter.securitycentersettings.get securitycenter.securityhealthanalyticssettings.calculate securitycenter.securityhealthanalyticssettings.get securitycenter.sources.get securitycenter.sources.list securitycenter.sources.update securitycenter.subscription.get securitycenter.userinterfacemetadata.get securitycenter.virtualmachinethreatdetectionsettings.calculate securitycenter.virtualmachinethreatdetectionsettings.get securitycenter.websecurityscannersettings.calculate securitycenter.websecurityscannersettings.get serviceusage.quotas.get serviceusage.services.get serviceusage.services.list stackdriver.projects.get storage.buckets.get storage.buckets.getIamPolicy storage.buckets.list
Service Directory Service Agent (`roles/servicedirectory.serviceAgent`) Give the Service Directory service agent access to Cloud Platform resources.	container.clusters.get gkehub.features.get gkehub.locations.* gkehub.memberships.get gkehub.memberships.list resourcemanager.projects.get resourcemanager.projects.list servicedirectory.endpoints.create servicedirectory.endpoints.delete servicedirectory.endpoints.get servicedirectory.endpoints.getIamPolicy servicedirectory.endpoints.list servicedirectory.endpoints.update servicedirectory.locations.* servicedirectory.namespaces.associatePrivateZone servicedirectory.namespaces.create servicedirectory.namespaces.delete servicedirectory.namespaces.get servicedirectory.namespaces.getIamPolicy servicedirectory.namespaces.list servicedirectory.namespaces.update servicedirectory.networks.attach servicedirectory.services.bind servicedirectory.services.create servicedirectory.services.delete servicedirectory.services.get servicedirectory.services.getIamPolicy servicedirectory.services.list servicedirectory.services.resolve servicedirectory.services.update
Service Networking Service Agent (`roles/servicenetworking.serviceAgent`) Gives permission to manage network configuration, such as establishing network peering, necessary for service producers	compute.globalAddresses.get compute.globalAddresses.list compute.globalOperations.get compute.networks.addPeering compute.networks.create compute.networks.delete compute.networks.get compute.networks.list compute.networks.listPeeringRoutes compute.networks.removePeering compute.networks.update compute.networks.updatePeering compute.networks.updatePolicy compute.projects.get compute.regionOperations.get compute.routers.get compute.routers.list compute.routes.list compute.subnetworks.create compute.subnetworks.delete compute.subnetworks.get compute.subnetworks.list dns.changes.* dns.dnsKeys.* dns.managedZoneOperations.* dns.managedZones.create dns.managedZones.delete dns.managedZones.get dns.managedZones.getIamPolicy dns.managedZones.list dns.managedZones.update dns.networks.* dns.policies.create dns.policies.delete dns.policies.get dns.policies.getIamPolicy dns.policies.list dns.policies.update dns.projects.get dns.resourceRecordSets.* dns.responsePolicies.* dns.responsePolicyRules.* resourcemanager.projects.get resourcemanager.projects.list
Cloud Source Repositories Service Agent (`roles/sourcerepo.serviceAgent`) Allow Cloud Source Repositories to integrate with other Cloud services.	iam.serviceAccounts.getAccessToken pubsub.topics.publish
Cloud Speech-to-Text Service Agent (`roles/speech.serviceAgent`) Gives Speech-to-Text service account access to Cloud Storage resources.	storage.objects.create storage.objects.get storage.objects.list storage.objects.update
Dataform Service Agent (`roles/sqlx.serviceAgent`) Gives permission for the Dataform API to access a secret from Secret Manager	resourcemanager.projects.get resourcemanager.projects.list
Storage Transfer Service Agent (`roles/storagetransfer.serviceAgent`) Grants Storage Transfer Service Agent permissions required to run transfers	pubsub.subscriptions.consume pubsub.subscriptions.create pubsub.subscriptions.delete pubsub.subscriptions.get pubsub.subscriptions.update pubsub.topics.attachSubscription pubsub.topics.create pubsub.topics.delete pubsub.topics.get pubsub.topics.publish pubsub.topics.update
Cloud TPU API Service Agent (`roles/tpu.serviceAgent`) Give Cloud TPUs service account access to managed resources	compute.globalOperations.get compute.networks.addPeering compute.networks.get compute.networks.removePeering compute.networks.update compute.routes.get compute.routes.list compute.subnetworks.get compute.subnetworks.list compute.zones.* monitoring.metricDescriptors.create monitoring.metricDescriptors.get monitoring.metricDescriptors.list monitoring.monitoredResourceDescriptors.* monitoring.timeSeries.create resourcemanager.projects.get resourcemanager.projects.list
Transcoder Service Agent (`roles/transcoder.serviceAgent`) Downloads and uploads media files from and to customer Cloud Storage buckets. Publishes status updates to customer Pub/Sub.	pubsub.topics.publish storage.objects.create storage.objects.delete storage.objects.get transcoder.jobs.delete
Visual Inspection AI Service Agent (`roles/visualinspection.serviceAgent`) Grants Visual Inspection AI Service Agent admin roles for accessing/exporting training data, pushing containers artifacts to GCR and ArtifactsRegistry, and Vertex AI for storing data and running training jobs.	aiplatform.* artifactregistry.* firebase.projects.get orgpolicy.policy.get resourcemanager.projects.get resourcemanager.projects.list storage.buckets.* storage.multipartUploads.* storage.objects.*
Serverless VPC Access Service Agent (`roles/vpcaccess.serviceAgent`) Can create and manage resources to support serverless application to connect to virtual private cloud.	billing.accounts.get compute.autoscalers.* compute.disks.create compute.firewalls.* compute.healthChecks.* compute.httpHealthChecks.create compute.httpHealthChecks.delete compute.httpHealthChecks.get compute.httpHealthChecks.list compute.httpHealthChecks.use compute.httpHealthChecks.useReadOnly compute.httpsHealthChecks.create compute.httpsHealthChecks.delete compute.httpsHealthChecks.get compute.httpsHealthChecks.update compute.httpsHealthChecks.use compute.httpsHealthChecks.useReadOnly compute.images.get compute.images.useReadOnly compute.instanceGroupManagers.create compute.instanceGroupManagers.delete compute.instanceGroupManagers.get compute.instanceGroupManagers.update compute.instanceGroupManagers.use compute.instanceGroups.create compute.instanceGroups.delete compute.instanceGroups.get compute.instanceGroups.update compute.instanceTemplates.create compute.instanceTemplates.delete compute.instanceTemplates.get compute.instanceTemplates.useReadOnly compute.instances.create compute.instances.delete compute.instances.get compute.instances.getGuestAttributes compute.instances.list compute.instances.reset compute.instances.setLabels compute.instances.setMetadata compute.instances.setTags compute.instances.start compute.instances.stop compute.instances.use compute.machineTypes.get compute.networks.get compute.networks.use compute.projects.get compute.projects.setCommonInstanceMetadata compute.regionOperations.get compute.regionOperations.list compute.regions.* compute.subnetworks.create compute.subnetworks.delete compute.subnetworks.get compute.subnetworks.list compute.subnetworks.use compute.zoneOperations.get compute.zoneOperations.list compute.zones.* deploymentmanager.compositeTypes.get deploymentmanager.deployments.create deploymentmanager.deployments.delete deploymentmanager.deployments.get deploymentmanager.deployments.list deploymentmanager.deployments.update deploymentmanager.manifests.* deploymentmanager.operations.* deploymentmanager.typeProviders.create deploymentmanager.typeProviders.get logging.logEntries.create logging.logMetrics.create logging.logMetrics.delete logging.logMetrics.get logging.logMetrics.update resourcemanager.projects.get
Cloud Web Security Scanner Service Agent (`roles/websecurityscanner.serviceAgent`) Gives the Cloud Web Security Scanner service account access to compute engine details and app engine details.	appengine.applications.get cloudasset.assets.listResource compute.addresses.list compute.backendServices.get compute.forwardingRules.get compute.globalForwardingRules.get compute.sslCertificates.list compute.targetHttpProxies.get compute.targetHttpsProxies.get compute.urlMaps.get
Cloud Workflows Service Agent (`roles/workflows.serviceAgent`) Gives Cloud Workflows service account access to managed resources.	iam.serviceAccounts.get iam.serviceAccounts.getAccessToken iam.serviceAccounts.getOpenIdToken
Workload Certificate Service Agent (`roles/workloadcertificate.serviceAgent`) Gives the Workload Certificate service agent access to Cloud Platform resources.	container.clusters.get container.clusters.update container.customResourceDefinitions.create container.customResourceDefinitions.get container.customResourceDefinitions.list gkehub.features.get gkehub.locations.* gkehub.memberships.get gkehub.memberships.list serviceconsumermanagement.tenancyu.addResource serviceconsumermanagement.tenancyu.create serviceconsumermanagement.tenancyu.delete serviceconsumermanagement.tenancyu.removeResource serviceusage.services.use
Workload Manager Service Agent (`roles/workloadmanager.serviceAgent`) Gives Workload Manager Service Agent access to CAI export functions and Cloud Monitoring.	cloudasset.assets.exportAccessPolicy cloudasset.assets.exportIamPolicy cloudasset.assets.exportOSInventories cloudasset.assets.exportOrgPolicy cloudasset.assets.exportResource cloudasset.assets.searchAllResources monitoring.metricDescriptors.get monitoring.metricDescriptors.list monitoring.monitoredResourceDescriptors.* monitoring.timeSeries.list

Service Consumer Management roles

Role	Permissions
Admin of Tenancy Units ^Beta (`roles/serviceconsumermanagement.tenancyUnitsAdmin`) Administrate tenancy units	serviceconsumermanagement.tenancyu.*
Viewer of Tenancy Units ^Beta (`roles/serviceconsumermanagement.tenancyUnitsViewer`) View tenancy units	serviceconsumermanagement.tenancyu.list

Service Directory roles

Role	Permissions
Service Directory Admin (`roles/servicedirectory.admin`) Full control of all Service Directory resources and permissions.	resourcemanager.projects.get resourcemanager.projects.list servicedirectory.endpoints.* servicedirectory.locations.* servicedirectory.namespaces.* servicedirectory.networks.attach servicedirectory.services.*
Service Directory Editor (`roles/servicedirectory.editor`) Edit Service Directory resources.	resourcemanager.projects.get resourcemanager.projects.list servicedirectory.endpoints.create servicedirectory.endpoints.delete servicedirectory.endpoints.get servicedirectory.endpoints.getIamPolicy servicedirectory.endpoints.list servicedirectory.endpoints.update servicedirectory.locations.* servicedirectory.namespaces.associatePrivateZone servicedirectory.namespaces.create servicedirectory.namespaces.delete servicedirectory.namespaces.get servicedirectory.namespaces.getIamPolicy servicedirectory.namespaces.list servicedirectory.namespaces.update servicedirectory.networks.attach servicedirectory.services.bind servicedirectory.services.create servicedirectory.services.delete servicedirectory.services.get servicedirectory.services.getIamPolicy servicedirectory.services.list servicedirectory.services.resolve servicedirectory.services.update
Service Directory Network Attacher (`roles/servicedirectory.networkAttacher`) Gives access to attach VPC Networks to Service Directory Endpoints	resourcemanager.projects.get resourcemanager.projects.list servicedirectory.networks.attach
Private Service Connect Authorized Service (`roles/servicedirectory.pscAuthorizedService`) Gives access to VPC Networks via Service Directory	resourcemanager.projects.get resourcemanager.projects.list servicedirectory.networks.access
Service Directory Viewer (`roles/servicedirectory.viewer`) View Service Directory resources.	resourcemanager.projects.get resourcemanager.projects.list servicedirectory.endpoints.get servicedirectory.endpoints.getIamPolicy servicedirectory.endpoints.list servicedirectory.locations.* servicedirectory.namespaces.get servicedirectory.namespaces.getIamPolicy servicedirectory.namespaces.list servicedirectory.services.get servicedirectory.services.getIamPolicy servicedirectory.services.list servicedirectory.services.resolve

Service Management roles

Role	Permissions
Cloud Run Service Agent (`roles/serverless.serviceAgent`) Gives Cloud Run service account access to managed resources.	artifactregistry.dockerimages.* artifactregistry.files.* artifactregistry.locations.* artifactregistry.mavenartifacts.* artifactregistry.npmpackages.* artifactregistry.packages.get artifactregistry.packages.list artifactregistry.pythonpackages.* artifactregistry.repositories.downloadArtifacts artifactregistry.repositories.get artifactregistry.repositories.list artifactregistry.repositories.listEffectiveTags artifactregistry.repositories.listTagBindings artifactregistry.tags.get artifactregistry.tags.list artifactregistry.versions.get artifactregistry.versions.list binaryauthorization.platformPolicies.evaluatePolicy binaryauthorization.policy.evaluatePolicy clientauthconfig.clients.list cloudbuild.builds.create cloudbuild.builds.get compute.addresses.createInternal compute.addresses.deleteInternal compute.addresses.get compute.addresses.list compute.globalOperations.get compute.networks.access compute.networks.get compute.subnetworks.get compute.subnetworks.use iam.serviceAccounts.actAs iam.serviceAccounts.getAccessToken iam.serviceAccounts.getOpenIdToken iam.serviceAccounts.signBlob pubsub.subscriptions.create pubsub.subscriptions.delete pubsub.subscriptions.get pubsub.subscriptions.list pubsub.topics.attachSubscription pubsub.topics.create pubsub.topics.delete pubsub.topics.get pubsub.topics.list pubsub.topics.publish resourcemanager.projects.get resourcemanager.projects.getIamPolicy resourcemanager.projects.list run.routes.invoke serviceusage.services.use storage.objects.get storage.objects.list vpcaccess.connectors.get vpcaccess.connectors.use
Service Management Administrator (`roles/servicemanagement.admin`) Full control of Google Service Management resources.	monitoring.timeSeries.list resourcemanager.folders.get resourcemanager.folders.list resourcemanager.organizations.get resourcemanager.projects.get resourcemanager.projects.list serviceconsumermanagement.* servicemanagement.* serviceusage.quotas.get serviceusage.services.get
Service Config Editor (`roles/servicemanagement.configEditor`) Access to update the service config and create rollouts.	servicemanagement.services.get servicemanagement.services.update
Quota Administrator ^Beta (`roles/servicemanagement.quotaAdmin`) Provides access to administer service quotas. Lowest-level resources where you can grant this role: Project	monitoring.timeSeries.list resourcemanager.organizations.get resourcemanager.projects.get resourcemanager.projects.list serviceusage.quotas.* serviceusage.services.disable serviceusage.services.enable serviceusage.services.get serviceusage.services.list
Quota Viewer ^Beta (`roles/servicemanagement.quotaViewer`) Provides access to view service quotas. Lowest-level resources where you can grant this role: Project	monitoring.timeSeries.list serviceusage.quotas.get serviceusage.services.get serviceusage.services.list
Service Reporter (`roles/servicemanagement.reporter`) Can report usage of a service during runtime.	servicemanagement.services.report
Service Consumer (`roles/servicemanagement.serviceConsumer`) Can enable the service.	servicemanagement.services.bind
Service Controller (`roles/servicemanagement.serviceController`) Can check preconditions and report usage of a service during runtime. Lowest-level resources where you can grant this role: Project	servicemanagement.services.check servicemanagement.services.get servicemanagement.services.quota servicemanagement.services.report

Service Networking roles

Role	Permissions
Service Networking Admin ^Beta (`roles/servicenetworking.networksAdmin`) Full control of service networking with projects.	servicenetworking.*

Service Usage roles

Role	Permissions
API Keys Admin (`roles/serviceusage.apiKeysAdmin`) Ability to create, delete, update, get and list API keys for a project.	apikeys.* serviceusage.apiKeys.* serviceusage.operations.get
API Keys Viewer (`roles/serviceusage.apiKeysViewer`) Ability to get and list API keys for a project.	apikeys.keys.get apikeys.keys.list apikeys.keys.lookup
Service Usage Admin (`roles/serviceusage.serviceUsageAdmin`) Ability to enable, disable, and inspect service states, inspect operations, and consume quota and billing for a consumer project.	monitoring.timeSeries.list serviceusage.operations.* serviceusage.quotas.* serviceusage.services.*
Service Usage Consumer (`roles/serviceusage.serviceUsageConsumer`) Ability to inspect service states and operations, and consume quota and billing for a consumer project.	monitoring.timeSeries.list serviceusage.operations.get serviceusage.operations.list serviceusage.quotas.get serviceusage.services.get serviceusage.services.list serviceusage.services.use
Service Usage Viewer (`roles/serviceusage.serviceUsageViewer`) Ability to inspect service states and operations for a consumer project.	monitoring.timeSeries.list serviceusage.operations.get serviceusage.operations.list serviceusage.quotas.get serviceusage.services.get serviceusage.services.list

Source roles

Role Permissions

Source Repository Administrator
(roles/source.admin)

Provides permissions to create, update, delete, list, clone, fetch, and browse repositories. Also provides permissions to read and change IAM policies.

Lowest-level resources where you can grant this role:

Repository

source.*

Source Repository Reader
(roles/source.reader)

Provides permissions to list, clone, fetch, and browse repositories.

Lowest-level resources where you can grant this role:

Repository

source.repos.get
source.repos.list

Source Repository Writer
(roles/source.writer)

Provides permissions to list, clone, fetch, browse, and update repositories.

Lowest-level resources where you can grant this role:

Repository

source.repos.get
source.repos.list
source.repos.update

Stackdriver roles

Role	Permissions
Stackdriver Accounts Editor (`roles/stackdriver.accounts.editor`) Read/write access to manage Stackdriver account structure.	resourcemanager.projects.get resourcemanager.projects.list serviceusage.services.enable stackdriver.projects.*
Stackdriver Accounts Viewer (`roles/stackdriver.accounts.viewer`) Read-only access to get and list information about Stackdriver account structure.	resourcemanager.projects.get resourcemanager.projects.list stackdriver.projects.get
Stackdriver Resource Metadata Writer ^Beta (`roles/stackdriver.resourceMetadata.writer`) Write-only access to resource metadata. This provides exactly the permissions needed by the Stackdriver metadata agent and other systems that send metadata.	stackdriver.resourceMetadata.write

Stream roles

Role	Permissions
Stream Admin (`roles/stream.admin`) Full access to Stream all resources.	resourcemanager.projects.get resourcemanager.projects.list stream.*
Stream Content Admin (`roles/stream.contentAdmin`) Full access to all StreamContent resources.	resourcemanager.projects.get resourcemanager.projects.list stream.streamContents.*
Stream Content Builder (`roles/stream.contentBuilder`) Read and build access to StreamContent resources.	resourcemanager.projects.get resourcemanager.projects.list stream.streamContents.build stream.streamContents.get stream.streamContents.list
Stream Instance Admin (`roles/stream.instanceAdmin`) Full access to all StreamInstance resources and Read access to all StreamContent resources.	resourcemanager.projects.get resourcemanager.projects.list stream.streamContents.get stream.streamContents.list stream.streamInstances.*
Stream Viewer (`roles/stream.viewer`) Read-only access to Stream all resources.	resourcemanager.projects.get resourcemanager.projects.list stream.locations.* stream.operations.get stream.operations.list stream.streamContents.get stream.streamContents.list stream.streamInstances.get stream.streamInstances.list

Support roles

Role	Permissions
Support Account Administrator (`roles/cloudsupport.admin`) Allows management of a support account without giving access to support cases. See the Cloud Support documentation for more information. Lowest-level resources where you can grant this role: Organization	cloudsupport.accounts.* cloudsupport.operations.get cloudsupport.properties.get resourcemanager.organizations.get
Tech Support Editor (`roles/cloudsupport.techSupportEditor`) Full read-write access to technical support cases (applicable for GCP Customer Care and Maps support). See the Cloud Support documentation for more information.	cloudsupport.properties.get cloudsupport.techCases.* resourcemanager.projects.get resourcemanager.projects.list
Tech Support Viewer (`roles/cloudsupport.techSupportViewer`) Read-only access to technical support cases (applicable for GCP Customer Care and Maps support). See the Cloud Support documentation for more information.	cloudsupport.properties.get cloudsupport.techCases.get cloudsupport.techCases.list resourcemanager.projects.get resourcemanager.projects.list
Support Account Viewer (`roles/cloudsupport.viewer`) Read-only access to details of a support account. This does not allow viewing cases. See the Cloud Support documentation for more information. Lowest-level resources where you can grant this role: Organization	cloudsupport.accounts.get cloudsupport.accounts.getUserRoles cloudsupport.accounts.list cloudsupport.properties.get

Third-party Partner roles

Role	Permissions
Dell EMC Cloud OneFS Admin ^Beta (`roles/dellemccloudonefs.admin`) This role is managed by Dell EMC, not Google.	cloudonefs.isiloncloud.com/* resourcemanager.projects.get resourcemanager.projects.list
Dell EMC Cloud OneFS User ^Beta (`roles/dellemccloudonefs.user`) This role is managed by Dell EMC, not Google.	cloudonefs.isiloncloud.com/clusters.create cloudonefs.isiloncloud.com/clusters.delete cloudonefs.isiloncloud.com/clusters.get cloudonefs.isiloncloud.com/clusters.list cloudonefs.isiloncloud.com/clusters.update cloudonefs.isiloncloud.com/fileshares.* resourcemanager.projects.get resourcemanager.projects.list
Dell EMC Cloud OneFS Viewer ^Beta (`roles/dellemccloudonefs.viewer`) This role is managed by Dell EMC, not Google.	cloudonefs.isiloncloud.com/clusters.get cloudonefs.isiloncloud.com/clusters.list cloudonefs.isiloncloud.com/fileshares.get cloudonefs.isiloncloud.com/fileshares.list resourcemanager.projects.get resourcemanager.projects.list
NetApp Cloud Volumes Admin ^Beta (`roles/netappcloudvolumes.admin`) This role is managed by NetApp, not Google.	cloudvolumesgcp-api.netapp.com/* resourcemanager.projects.get resourcemanager.projects.list
NetApp Cloud Volumes Viewer ^Beta (`roles/netappcloudvolumes.viewer`) This role is managed by NetApp, not Google.	cloudvolumesgcp-api.netapp.com/activeDirectories.get cloudvolumesgcp-api.netapp.com/activeDirectories.list cloudvolumesgcp-api.netapp.com/ipRanges.list cloudvolumesgcp-api.netapp.com/jobs.* cloudvolumesgcp-api.netapp.com/regions.list cloudvolumesgcp-api.netapp.com/serviceLevels.list cloudvolumesgcp-api.netapp.com/snapshots.get cloudvolumesgcp-api.netapp.com/snapshots.list cloudvolumesgcp-api.netapp.com/volumes.get cloudvolumesgcp-api.netapp.com/volumes.list resourcemanager.projects.get resourcemanager.projects.list
Redis Enterprise Cloud Admin ^Beta (`roles/redisenterprisecloud.admin`) This role is managed by Redis Labs, not Google.	gcp.redisenterprise.com/* resourcemanager.projects.get resourcemanager.projects.list
Redis Enterprise Cloud Viewer ^Beta (`roles/redisenterprisecloud.viewer`) This role is managed by Redis Labs, not Google.	gcp.redisenterprise.com/databases.get gcp.redisenterprise.com/databases.list gcp.redisenterprise.com/subscriptions.get gcp.redisenterprise.com/subscriptions.list resourcemanager.projects.get resourcemanager.projects.list

Transcoder roles

Role	Permissions
Transcoder Admin (`roles/transcoder.admin`) Full access to all transcoder resources.	resourcemanager.projects.get resourcemanager.projects.list transcoder.*
Transcoder Viewer (`roles/transcoder.viewer`) Viewer of all transcoder resources.	resourcemanager.projects.get resourcemanager.projects.list transcoder.jobTemplates.get transcoder.jobTemplates.list transcoder.jobs.get transcoder.jobs.list

Transfer Appliance roles

Role	Permissions
Transfer Appliance Admin ^Beta (`roles/transferappliance.admin`) Full access to Transfer Appliance all resources.	resourcemanager.projects.get resourcemanager.projects.list transferappliance.*
Transfer Appliance Viewer ^Beta (`roles/transferappliance.viewer`) Read-only access to Transfer Appliance all resources.	resourcemanager.projects.get resourcemanager.projects.list transferappliance.appliances.get transferappliance.appliances.list transferappliance.locations.* transferappliance.operations.get transferappliance.operations.list transferappliance.orders.get transferappliance.orders.list

Vertex AI roles

Role	Permissions
Vertex AI Administrator ^Beta (`roles/aiplatform.admin`) Grants full access to all resources in Vertex AI	aiplatform.* resourcemanager.projects.get resourcemanager.projects.list
Vertex AI Feature Store EntityType owner ^Beta (`roles/aiplatform.entityTypeOwner`) Provides full access to all permissions for a particular entity type resource. Lowest-level resources where you can grant this role: Entity type	aiplatform.entityTypes.delete aiplatform.entityTypes.deleteFeatureValues aiplatform.entityTypes.exportFeatureValues aiplatform.entityTypes.get aiplatform.entityTypes.getIamPolicy aiplatform.entityTypes.importFeatureValues aiplatform.entityTypes.readFeatureValues aiplatform.entityTypes.setIamPolicy aiplatform.entityTypes.streamingReadFeatureValues aiplatform.entityTypes.update aiplatform.entityTypes.writeFeatureValues aiplatform.features.* aiplatform.featurestores.batchReadFeatureValues resourcemanager.projects.get resourcemanager.projects.list
Vertex AI Feature Store Admin ^Beta (`roles/aiplatform.featurestoreAdmin`) Grants full access to all resources in Vertex AI Feature Store Lowest-level resources where you can grant this role: Entity type	aiplatform.entityTypes.* aiplatform.features.* aiplatform.featurestores.* aiplatform.operations.list resourcemanager.projects.get resourcemanager.projects.list
Vertex AI Feature Store Data Viewer ^Beta (`roles/aiplatform.featurestoreDataViewer`) This role provides permissions to read Feature data. Lowest-level resources where you can grant this role: Entity type	aiplatform.entityTypes.exportFeatureValues aiplatform.entityTypes.get aiplatform.entityTypes.readFeatureValues aiplatform.entityTypes.streamingReadFeatureValues aiplatform.features.get aiplatform.features.list aiplatform.featurestores.batchReadFeatureValues resourcemanager.projects.get resourcemanager.projects.list
Vertex AI Feature Store Data Writer ^Beta (`roles/aiplatform.featurestoreDataWriter`) This role provides permissions to read and write Feature data. Lowest-level resources where you can grant this role: Entity type	aiplatform.entityTypes.deleteFeatureValues aiplatform.entityTypes.exportFeatureValues aiplatform.entityTypes.get aiplatform.entityTypes.importFeatureValues aiplatform.entityTypes.readFeatureValues aiplatform.entityTypes.streamingReadFeatureValues aiplatform.entityTypes.writeFeatureValues aiplatform.features.get aiplatform.features.list aiplatform.featurestores.batchReadFeatureValues resourcemanager.projects.get resourcemanager.projects.list
Vertex AI Feature Store Instance Creator ^Beta (`roles/aiplatform.featurestoreInstanceCreator`) Administrator of Featurestore resources, but not the child resources under Featurestores. Lowest-level resources where you can grant this role: Featurestore	aiplatform.featurestores.create aiplatform.featurestores.delete aiplatform.featurestores.get aiplatform.featurestores.list aiplatform.featurestores.update
Vertex AI Feature Store Resource Viewer ^Beta (`roles/aiplatform.featurestoreResourceViewer`) Viewer of all resources in Vertex AI Feature Store but cannot make changes. Lowest-level resources where you can grant this role: Entity type	aiplatform.entityTypes.get aiplatform.entityTypes.list aiplatform.features.get aiplatform.features.list aiplatform.featurestores.get aiplatform.featurestores.list aiplatform.operations.list resourcemanager.projects.get resourcemanager.projects.list
Vertex AI Feature Store User ^Beta (`roles/aiplatform.featurestoreUser`) Deprecated. Use featurestoreAdmin instead.	aiplatform.entityTypes.* aiplatform.features.* aiplatform.featurestores.* aiplatform.operations.list resourcemanager.projects.get resourcemanager.projects.list
Vertex AI Migration Service User ^Beta (`roles/aiplatform.migrator`) Grants access to use migration service in Vertex AI	aiplatform.migratableResources.*
Vertex AI Tensorboard Web App User ^Beta (`roles/aiplatform.tensorboardWebAppUser`) Grants access to the Vertex AI Tensorboard web app. Using the web app will incur charges.	aiplatform.tensorboards.recordAccess
Vertex AI User ^Beta (`roles/aiplatform.user`) Grants access to use all resource in Vertex AI	aiplatform.annotationSpecs.* aiplatform.annotations.* aiplatform.artifacts.* aiplatform.batchPredictionJobs.* aiplatform.contexts.* aiplatform.customJobs.* aiplatform.dataItems.* aiplatform.dataLabelingJobs.* aiplatform.datasets.* aiplatform.deploymentResourcePools.* aiplatform.edgeDeploymentJobs.* aiplatform.edgeDeviceDebugInfo.get aiplatform.edgeDevices.* aiplatform.endpoints.* aiplatform.entityTypes.create aiplatform.entityTypes.delete aiplatform.entityTypes.deleteFeatureValues aiplatform.entityTypes.exportFeatureValues aiplatform.entityTypes.get aiplatform.entityTypes.importFeatureValues aiplatform.entityTypes.list aiplatform.entityTypes.readFeatureValues aiplatform.entityTypes.streamingReadFeatureValues aiplatform.entityTypes.update aiplatform.entityTypes.writeFeatureValues aiplatform.executions.* aiplatform.features.* aiplatform.featurestores.batchReadFeatureValues aiplatform.featurestores.create aiplatform.featurestores.delete aiplatform.featurestores.exportFeatures aiplatform.featurestores.get aiplatform.featurestores.importFeatures aiplatform.featurestores.list aiplatform.featurestores.readFeatures aiplatform.featurestores.update aiplatform.featurestores.writeFeatures aiplatform.humanInTheLoops.* aiplatform.hyperparameterTuningJobs.* aiplatform.indexEndpoints.* aiplatform.indexes.* aiplatform.locations.* aiplatform.metadataSchemas.* aiplatform.metadataStores.* aiplatform.modelDeploymentMonitoringJobs.* aiplatform.modelEvaluationSlices.* aiplatform.modelEvaluations.* aiplatform.models.* aiplatform.nasJobs.* aiplatform.operations.list aiplatform.pipelineJobs.* aiplatform.specialistPools.* aiplatform.studies.* aiplatform.tensorboardExperiments.* aiplatform.tensorboardRuns.* aiplatform.tensorboardTimeSeries.* aiplatform.tensorboards.create aiplatform.tensorboards.delete aiplatform.tensorboards.get aiplatform.tensorboards.list aiplatform.tensorboards.update aiplatform.trainingPipelines.* aiplatform.trials.* resourcemanager.projects.get resourcemanager.projects.list
Vertex AI Viewer ^Beta (`roles/aiplatform.viewer`) Grants access to view all resource in Vertex AI	aiplatform.annotationSpecs.get aiplatform.annotationSpecs.list aiplatform.annotations.get aiplatform.annotations.list aiplatform.artifacts.get aiplatform.artifacts.list aiplatform.batchPredictionJobs.get aiplatform.batchPredictionJobs.list aiplatform.contexts.get aiplatform.contexts.list aiplatform.contexts.queryContextLineageSubgraph aiplatform.customJobs.get aiplatform.customJobs.list aiplatform.dataItems.get aiplatform.dataItems.list aiplatform.dataLabelingJobs.get aiplatform.dataLabelingJobs.list aiplatform.datasets.get aiplatform.datasets.list aiplatform.deploymentResourcePools.get aiplatform.deploymentResourcePools.list aiplatform.deploymentResourcePools.queryDeployedModels aiplatform.edgeDeploymentJobs.get aiplatform.edgeDeploymentJobs.list aiplatform.edgeDeviceDebugInfo.get aiplatform.edgeDevices.get aiplatform.edgeDevices.list aiplatform.endpoints.get aiplatform.endpoints.list aiplatform.entityTypes.get aiplatform.entityTypes.list aiplatform.executions.get aiplatform.executions.list aiplatform.executions.queryExecutionInputsAndOutputs aiplatform.features.get aiplatform.features.list aiplatform.featurestores.get aiplatform.featurestores.list aiplatform.humanInTheLoops.get aiplatform.humanInTheLoops.list aiplatform.hyperparameterTuningJobs.get aiplatform.hyperparameterTuningJobs.list aiplatform.indexEndpoints.get aiplatform.indexEndpoints.list aiplatform.indexes.get aiplatform.indexes.list aiplatform.locations.* aiplatform.metadataSchemas.get aiplatform.metadataSchemas.list aiplatform.metadataStores.get aiplatform.metadataStores.list aiplatform.modelDeploymentMonitoringJobs.get aiplatform.modelDeploymentMonitoringJobs.list aiplatform.modelDeploymentMonitoringJobs.searchStatsAnomalies aiplatform.modelEvaluationSlices.* aiplatform.modelEvaluations.get aiplatform.modelEvaluations.list aiplatform.models.get aiplatform.models.list aiplatform.nasJobs.get aiplatform.nasJobs.list aiplatform.operations.list aiplatform.pipelineJobs.get aiplatform.pipelineJobs.list aiplatform.specialistPools.get aiplatform.specialistPools.list aiplatform.specialistPools.update aiplatform.studies.get aiplatform.studies.list aiplatform.tensorboardExperiments.get aiplatform.tensorboardExperiments.list aiplatform.tensorboardRuns.get aiplatform.tensorboardRuns.list aiplatform.tensorboardTimeSeries.batchRead aiplatform.tensorboardTimeSeries.get aiplatform.tensorboardTimeSeries.list aiplatform.tensorboardTimeSeries.read aiplatform.tensorboards.get aiplatform.tensorboards.list aiplatform.trainingPipelines.get aiplatform.trainingPipelines.list aiplatform.trials.get aiplatform.trials.list resourcemanager.projects.get resourcemanager.projects.list

Video Stitcher roles

Role	Permissions
Video Stitcher Admin ^Beta (`roles/videostitcher.admin`) Full access to all video stitcher resources.	resourcemanager.projects.get resourcemanager.projects.list videostitcher.*
Video Stitcher User ^Beta (`roles/videostitcher.user`) Full access to video stitcher sessions.	resourcemanager.projects.get resourcemanager.projects.list videostitcher.liveSessions.* videostitcher.vodSessions.*
Video Stitcher Viewer ^Beta (`roles/videostitcher.viewer`) Read-only access to video stitcher resources.	resourcemanager.projects.get resourcemanager.projects.list videostitcher.cdnKeys.get videostitcher.cdnKeys.list videostitcher.liveAdTagDetails.* videostitcher.liveSessions.get videostitcher.slates.get videostitcher.slates.list videostitcher.vodAdTagDetails.* videostitcher.vodSessions.get videostitcher.vodStitchDetails.*

VMwareEngine roles

Role	Permissions
VMware Engine Service Admin (`roles/vmwareengine.vmwareengineAdmin`) Admin has full access to VMware Engine Service	resourcemanager.projects.get resourcemanager.projects.list vmwareengine.*
VMware Engine Service Viewer (`roles/vmwareengine.vmwareengineViewer`) Viewer has read-only access to VMware Engine Service	resourcemanager.projects.get resourcemanager.projects.list vmwareengine.services.view

Workflows roles

Role	Permissions
Workflows Admin (`roles/workflows.admin`) Full access to workflows and related resources.	resourcemanager.projects.get resourcemanager.projects.list workflows.*
Workflows Editor (`roles/workflows.editor`) Read and write access to workflows and related resources.	resourcemanager.projects.get resourcemanager.projects.list workflows.*
Workflows Invoker (`roles/workflows.invoker`) Access to execute workflows and manage the executions.	resourcemanager.projects.get resourcemanager.projects.list workflows.callbacks.send workflows.executions.*
Workflows Viewer (`roles/workflows.viewer`) Read-only access to workflows and related resources.	resourcemanager.projects.get resourcemanager.projects.list workflows.executions.get workflows.executions.list workflows.locations.* workflows.operations.get workflows.operations.list workflows.workflows.get workflows.workflows.list

Workforce Pools roles

Role	Permissions
IAM Workforce Pool Admin ^Beta (`roles/iam.workforcePoolAdmin`) Full rights to create and manage all workforce pools in the org, along with the ability to delegate permissions to other admins.	iam.workforcePoolProviders.* iam.workforcePoolSubjects.* iam.workforcePools.*
IAM Workforce Pool Editor ^Beta (`roles/iam.workforcePoolEditor`) Rights to edit a particular instance of a workforce pool.	iam.googleapis.com/workforcePools.get iam.googleapis.com/workforcePools.list iam.googleapis.com/workforcePools.update iam.workforcePoolProviders.*
IAM Workforce Pool Viewer ^Beta (`roles/iam.workforcePoolViewer`) Rights to read workforce pool.	iam.googleapis.com/workforcePoolProviders.get iam.googleapis.com/workforcePoolProviders.list iam.googleapis.com/workforcePools.get iam.googleapis.com/workforcePools.list

Workload Identity Pools roles

Role	Permissions
IAM Workload Identity Pool Admin ^Beta (`roles/iam.workloadIdentityPoolAdmin`) Full rights to create and manage workload identity pools.	iam.workloadIdentityPoolProviders.* iam.workloadIdentityPools.* resourcemanager.projects.get resourcemanager.projects.list
IAM Workload Identity Pool Viewer ^Beta (`roles/iam.workloadIdentityPoolViewer`) Read access to workload identity pools.	iam.googleapis.com/workloadIdentityPoolProviders.get iam.googleapis.com/workloadIdentityPoolProviders.list iam.googleapis.com/workloadIdentityPools.get iam.googleapis.com/workloadIdentityPools.list resourcemanager.projects.get resourcemanager.projects.list

Workload Manager roles

Role	Permissions
Workload Manager Admin ^Beta (`roles/workloadmanager.admin`) Full access to Workload Manager all resources.	resourcemanager.projects.get resourcemanager.projects.list workloadmanager.*
Workload Manager Viewer ^Beta (`roles/workloadmanager.viewer`) Read-only access to Workload Manager all resources.	resourcemanager.projects.get resourcemanager.projects.list workloadmanager.evaluations.get workloadmanager.evaluations.list workloadmanager.executions.get workloadmanager.executions.list workloadmanager.results.list workloadmanager.rules.list
Workload Manager Worker ^Beta (`roles/workloadmanager.worker`) The role used by Workload Manager application runners to read and update workloads.	resourcemanager.projects.get resourcemanager.projects.list workloadmanager.evaluations.* workloadmanager.executions.* workloadmanager.results.list workloadmanager.rules.list

Custom roles

In addition to the predefined roles, IAM also provides the ability to create customized IAM roles. You can create a custom IAM role with one or more permissions and then grant that custom role to users who are part of your organization. See Understanding custom roles and Creating and managing custom roles for more information.

What's next

Learn how to grant IAM roles to principals.
Find out how to choose the most appropriate predefined roles.
Learn about custom roles.
Use the Policy Troubleshooter to understand why a user does or doesn't have access to a resource or have permission to call an API.