This page lists all basic and predefined roles for Identity and Access Management (IAM). To learn more about IAM roles, see Roles and permissions.
Basic roles
Basic roles are highly permissive roles that existed prior to the introduction of IAM. You can use basic roles to grant principals broad access to Google Cloud resources.
When you grant a basic role to a principal, the principal gets all of the permissions in the basic role. They also get any permissions that services provide to principals with basic roles—for example, permissions gained through Cloud Storage convenience values and BigQuery special group membership.
The following table summarizes the permissions that the basic roles give users across all Google Cloud services:
Basic roles | Permissions |
---|---|
Viewer(roles/viewer ) |
Permissions for read-only actions that don't affect state, such as viewing (but not modifying) existing resources or data. For a list of permissions in the Viewer role, see the role details in the Google Cloud console: |
Editor(roles/editor ) |
All viewer permissions, plus permissions for actions that modify state, such as changing existing resources. The permissions in the Editor role let you create and delete resources for most Google Cloud services. However, the Editor role doesn't contain permissions to perform all actions for all services. For more information about how to check whether a role has the permissions that you need, see Role types. For a list of permissions in the Editor role, see the role details in the Google Cloud console: |
Owner(roles/owner ) |
All Editor permissions, plus permissions for actions like the following:
For a list of permissions in the Owner role, see the role details in the Google Cloud console: |
Predefined roles
Predefined roles give granular access to specific Google Cloud resources. These roles are created and maintained by Google. Google automatically updates their permissions as necessary, such as when Google Cloud adds new features or services.
The following table lists all IAM predefined roles, organized by service.
For more information about predefined roles, see Roles and permissions. For help choosing the most appropriate predefined roles, see Choose predefined roles.
Access Approval roles |
Permissions |
Access Approval Approver( Ability to view or act on access approval requests and view configuration |
accessapproval.requests.*
accessapproval. accessapproval.settings.get resourcemanager.projects.get resourcemanager.projects.list |
Access Approval Config Editor( Ability to update the Access Approval configuration |
accessapproval. accessapproval.settings.*
resourcemanager.projects.get resourcemanager.projects.list |
Access Approval Invalidator( Ability to invalidate existing approved approval requests |
accessapproval. accessapproval. accessapproval.settings.get resourcemanager.projects.get resourcemanager.projects.list |
Access Approval Viewer( Ability to view access approval requests and configuration |
accessapproval.requests.get accessapproval.requests.list accessapproval. accessapproval.settings.get resourcemanager.projects.get resourcemanager.projects.list |
Access Context Manager roles |
Permissions |
Cloud Access Binding Admin( Create, edit, and change Cloud access bindings. |
accesscontextmanager.
|
Cloud Access Binding Reader( Read access to Cloud access bindings. |
accesscontextmanager. accesscontextmanager. |
Access Context Manager Admin( Full access to policies, access levels, access zones and authorized orgs descs. |
accesscontextmanager.
accesscontextmanager.
accesscontextmanager.
accesscontextmanager.
accesscontextmanager.
accesscontextmanager.
cloudasset. resourcemanager. resourcemanager.projects.get resourcemanager.projects.list |
Access Context Manager Editor( Edit access to policies. Create, edit, and change access levels, access zones and authorized orgs descs. |
accesscontextmanager.
accesscontextmanager. accesscontextmanager. accesscontextmanager. accesscontextmanager. accesscontextmanager. accesscontextmanager.
accesscontextmanager.
accesscontextmanager.
accesscontextmanager. accesscontextmanager. accesscontextmanager. accesscontextmanager. accesscontextmanager. accesscontextmanager.
accesscontextmanager.
cloudasset. resourcemanager. resourcemanager.projects.get resourcemanager.projects.list |
Access Context Manager Reader( Read access to policies, access levels, access zones and authorized orgs descs. |
accesscontextmanager. accesscontextmanager. accesscontextmanager. accesscontextmanager. accesscontextmanager. accesscontextmanager. accesscontextmanager. accesscontextmanager. accesscontextmanager. accesscontextmanager. accesscontextmanager. accesscontextmanager. accesscontextmanager. accesscontextmanager. resourcemanager. resourcemanager.projects.get resourcemanager.projects.list |
VPC Service Controls Troubleshooter Viewer(
|
accesscontextmanager. accesscontextmanager. accesscontextmanager. accesscontextmanager. accesscontextmanager. accesscontextmanager. accesscontextmanager. accesscontextmanager. accesscontextmanager. logging.exclusions.get logging.exclusions.list logging.logEntries.list logging.logMetrics.get logging.logMetrics.list logging.logServiceIndexes.list logging.logServices.list logging.logs.list logging.sinks.get logging.sinks.list logging.usage.get resourcemanager. resourcemanager.projects.get resourcemanager.projects.list |
Actions roles |
Permissions |
Actions Admin( Access to edit and deploy an action |
actions.*
firebase.projects.get firebase.projects.update resourcemanager.projects.get resourcemanager.projects.list serviceusage.services.use |
Actions Viewer( Access to view an action |
actions.agent.get actions.agentVersions.get actions.agentVersions.list firebase.projects.get resourcemanager.projects.get resourcemanager.projects.list serviceusage.services.use |
AI Notebooks roles |
Permissions |
Notebooks Admin( Full access to Notebooks, all resources. Lowest-level resources where you can grant this role:
|
compute.acceleratorTypes.*
compute.addresses.get compute.addresses.list compute.autoscalers.get compute.autoscalers.list compute.backendBuckets.get compute. compute.backendBuckets.list compute. compute. compute.backendServices.get compute. compute.backendServices.list compute. compute. compute.commitments.get compute.commitments.list compute.diskTypes.*
compute.disks.get compute.disks.getIamPolicy compute.disks.list compute. compute.disks.listTagBindings compute. compute. compute.firewallPolicies.get compute. compute.firewallPolicies.list compute. compute. compute.firewalls.get compute.firewalls.list compute. compute. compute.forwardingRules.get compute.forwardingRules.list compute. compute. compute.futureReservations.get compute. compute. compute.globalAddresses.get compute.globalAddresses.list compute. compute. compute. compute. compute. compute. compute. compute. compute. compute.globalOperations.get compute. compute.globalOperations.list compute. compute. compute.healthChecks.get compute.healthChecks.list compute. compute. compute.httpHealthChecks.get compute.httpHealthChecks.list compute. compute. compute.httpsHealthChecks.get compute.httpsHealthChecks.list compute. compute. compute.images.get compute.images.getFromFamily compute.images.getIamPolicy compute.images.list compute. compute.images.listTagBindings compute. compute. compute.instanceGroups.get compute.instanceGroups.list compute.instanceSettings.get compute.instanceTemplates.get compute. compute.instanceTemplates.list compute.instances.get compute. compute. compute.instances.getIamPolicy compute. compute. compute. compute. compute.instances.list compute. compute. compute. compute.instantSnapshots.get compute. compute.instantSnapshots.list compute. compute.
compute.
compute.
compute.interconnects.get compute.interconnects.list compute.licenseCodes.get compute. compute.licenseCodes.list compute.licenses.get compute.licenses.getIamPolicy compute.licenses.list compute.machineImages.get compute. compute.machineImages.list compute.machineTypes.*
compute. compute. compute. compute.networkAttachments.get compute. compute. compute. compute. compute. compute. compute. compute. compute. compute.networks.get compute. compute. compute.networks.list compute. compute. compute. compute.nodeGroups.get compute. compute.nodeGroups.list compute.nodeTemplates.get compute. compute.nodeTemplates.list compute.nodeTypes.*
compute. compute.packetMirrorings.get compute.packetMirrorings.list compute.projects.get compute. compute. compute. compute. compute. compute. compute. compute. compute. compute. compute. compute. compute. compute. compute. compute. compute.regionHealthChecks.get compute. compute. compute. compute. compute. compute. compute. compute. compute. compute.regionOperations.get compute. compute.regionOperations.list compute. compute. compute. compute. compute. compute. compute. compute. compute.regionSslPolicies.get compute.regionSslPolicies.list compute. compute. compute. compute. compute. compute. compute. compute. compute. compute. compute. compute.regionUrlMaps.get compute.regionUrlMaps.list compute. compute. compute.regionUrlMaps.validate compute.regions.*
compute.reservations.get compute.reservations.list compute.resourcePolicies.get compute. compute.resourcePolicies.list compute.routers.get compute.routers.list compute.routes.get compute.routes.list compute. compute.routes.listTagBindings compute.securityPolicies.get compute. compute.securityPolicies.list compute. compute. compute.serviceAttachments.get compute. compute. compute.snapshotSettings.get compute.snapshots.get compute.snapshots.getIamPolicy compute.snapshots.list compute. compute. compute.sslCertificates.get compute.sslCertificates.list compute. compute. compute.sslPolicies.get compute.sslPolicies.list compute. compute. compute. compute.subnetworks.get compute. compute.subnetworks.list compute. compute. compute.targetGrpcProxies.get compute.targetGrpcProxies.list compute.targetHttpProxies.get compute.targetHttpProxies.list compute. compute. compute.targetHttpsProxies.get compute. compute. compute. compute.targetInstances.get compute.targetInstances.list compute. compute. compute.targetPools.get compute.targetPools.list compute. compute. compute.targetSslProxies.get compute.targetSslProxies.list compute. compute. compute.targetTcpProxies.get compute.targetTcpProxies.list compute. compute. compute.targetVpnGateways.get compute.targetVpnGateways.list compute.urlMaps.get compute.urlMaps.list compute. compute. compute.urlMaps.validate compute.vpnGateways.get compute.vpnGateways.list compute.vpnTunnels.get compute.vpnTunnels.list compute.zoneOperations.get compute. compute.zoneOperations.list compute.zones.*
notebooks.*
resourcemanager.projects.get resourcemanager.projects.list serviceusage.quotas.get serviceusage.services.get serviceusage.services.list |
Notebooks Legacy Admin( Full access to Notebooks all resources through compute API. |
compute.*
notebooks.*
resourcemanager.projects.get resourcemanager.projects.list serviceusage.quotas.get serviceusage.services.get serviceusage.services.list |
Notebooks Legacy Viewer( Read-only access to Notebooks all resources through compute API. |
compute.acceleratorTypes.*
compute.addresses.get compute.addresses.list compute.autoscalers.get compute.autoscalers.list compute.backendBuckets.get compute. compute.backendBuckets.list compute. compute. compute.backendServices.get compute. compute.backendServices.list compute. compute. compute.commitments.get compute.commitments.list compute.diskTypes.*
compute.disks.get compute.disks.getIamPolicy compute.disks.list compute. compute.disks.listTagBindings compute. compute. compute.firewallPolicies.get compute. compute.firewallPolicies.list compute. compute. compute.firewalls.get compute.firewalls.list compute. compute. compute.forwardingRules.get compute.forwardingRules.list compute. compute. compute.futureReservations.get compute. compute. compute.globalAddresses.get compute.globalAddresses.list compute. compute. compute. compute. compute. compute. compute. compute. compute. compute.globalOperations.get compute. compute.globalOperations.list compute. compute. compute.healthChecks.get compute.healthChecks.list compute. compute. compute.httpHealthChecks.get compute.httpHealthChecks.list compute. compute. compute.httpsHealthChecks.get compute.httpsHealthChecks.list compute. compute. compute.images.get compute.images.getFromFamily compute.images.getIamPolicy compute.images.list compute. compute.images.listTagBindings compute. compute. compute.instanceGroups.get compute.instanceGroups.list compute.instanceSettings.get compute.instanceTemplates.get compute. compute.instanceTemplates.list compute.instances.get compute. compute. compute.instances.getIamPolicy compute. compute. compute. compute. compute.instances.list compute. compute. compute. compute.instantSnapshots.get compute. compute.instantSnapshots.list compute. compute.
compute.
compute.
compute.interconnects.get compute.interconnects.list compute.licenseCodes.get compute. compute.licenseCodes.list compute.licenses.get compute.licenses.getIamPolicy compute.licenses.list compute.machineImages.get compute. compute.machineImages.list compute.machineTypes.*
compute. compute. compute. compute.networkAttachments.get compute. compute. compute. compute. compute. compute. compute. compute. compute. compute.networks.get compute. compute. compute.networks.list compute. compute. compute. compute.nodeGroups.get compute. compute.nodeGroups.list compute.nodeTemplates.get compute. compute.nodeTemplates.list compute.nodeTypes.*
compute. compute.packetMirrorings.get compute.packetMirrorings.list compute.projects.get compute. compute. compute. compute. compute. compute. compute. compute. compute. compute. compute. compute. compute. compute. compute. compute. compute.regionHealthChecks.get compute. compute. compute. compute. compute. compute. compute. compute. compute. compute.regionOperations.get compute. compute.regionOperations.list compute. compute. compute. compute. compute. compute. compute. compute. compute.regionSslPolicies.get compute.regionSslPolicies.list compute. compute. compute. compute. compute. compute. compute. compute. compute. compute. compute. compute.regionUrlMaps.get compute.regionUrlMaps.list compute. compute. compute.regionUrlMaps.validate compute.regions.*
compute.reservations.get compute.reservations.list compute.resourcePolicies.get compute. compute.resourcePolicies.list compute.routers.get compute.routers.list compute.routes.get compute.routes.list compute. compute.routes.listTagBindings compute.securityPolicies.get compute. compute.securityPolicies.list compute. compute. compute.serviceAttachments.get compute. compute. compute.snapshotSettings.get compute.snapshots.get compute.snapshots.getIamPolicy compute.snapshots.list compute. compute. compute.sslCertificates.get compute.sslCertificates.list compute. compute. compute.sslPolicies.get compute.sslPolicies.list compute. compute. compute. compute.subnetworks.get compute. compute.subnetworks.list compute. compute. compute.targetGrpcProxies.get compute.targetGrpcProxies.list compute.targetHttpProxies.get compute.targetHttpProxies.list compute. compute. compute.targetHttpsProxies.get compute. compute. compute. compute.targetInstances.get compute.targetInstances.list compute. compute. compute.targetPools.get compute.targetPools.list compute. compute. compute.targetSslProxies.get compute.targetSslProxies.list compute. compute. compute.targetTcpProxies.get compute.targetTcpProxies.list compute. compute. compute.targetVpnGateways.get compute.targetVpnGateways.list compute.urlMaps.get compute.urlMaps.list compute. compute. compute.urlMaps.validate compute.vpnGateways.get compute.vpnGateways.list compute.vpnTunnels.get compute.vpnTunnels.list compute.zoneOperations.get compute. compute.zoneOperations.list compute.zones.*
notebooks.environments.get notebooks. notebooks.environments.list notebooks.executions.get notebooks. notebooks.executions.list notebooks. notebooks.instances.get notebooks.instances.getHealth notebooks. notebooks.instances.list notebooks.locations.*
notebooks.operations.get notebooks.operations.list notebooks.runtimes.get notebooks. notebooks.runtimes.list notebooks.schedules.get notebooks. notebooks.schedules.list resourcemanager.projects.get resourcemanager.projects.list serviceusage.quotas.get serviceusage.services.get serviceusage.services.list |
Notebooks Runner( Restricted access for running scheduled Notebooks. |
compute.acceleratorTypes.*
compute.addresses.get compute.addresses.list compute.autoscalers.get compute.autoscalers.list compute.backendBuckets.get compute. compute.backendBuckets.list compute. compute. compute.backendServices.get compute. compute.backendServices.list compute. compute. compute.commitments.get compute.commitments.list compute.diskTypes.*
compute.disks.get compute.disks.getIamPolicy compute.disks.list compute. compute.disks.listTagBindings compute. compute. compute.firewallPolicies.get compute. compute.firewallPolicies.list compute. compute. compute.firewalls.get compute.firewalls.list compute. compute. compute.forwardingRules.get compute.forwardingRules.list compute. compute. compute.futureReservations.get compute. compute. compute.globalAddresses.get compute.globalAddresses.list compute. compute. compute. compute. compute. compute. compute. compute. compute. compute.globalOperations.get compute. compute.globalOperations.list compute. compute. compute.healthChecks.get compute.healthChecks.list compute. compute. compute.httpHealthChecks.get compute.httpHealthChecks.list compute. compute. compute.httpsHealthChecks.get compute.httpsHealthChecks.list compute. compute. compute.images.get compute.images.getFromFamily compute.images.getIamPolicy compute.images.list compute. compute.images.listTagBindings compute. compute. compute.instanceGroups.get compute.instanceGroups.list compute.instanceSettings.get compute.instanceTemplates.get compute. compute.instanceTemplates.list compute.instances.get compute. compute. compute.instances.getIamPolicy compute. compute. compute. compute. compute.instances.list compute. compute. compute. compute.instantSnapshots.get compute. compute.instantSnapshots.list compute. compute.
compute.
compute.
compute.interconnects.get compute.interconnects.list compute.licenseCodes.get compute. compute.licenseCodes.list compute.licenses.get compute.licenses.getIamPolicy compute.licenses.list compute.machineImages.get compute. compute.machineImages.list compute.machineTypes.*
compute. compute. compute. compute.networkAttachments.get compute. compute. compute. compute. compute. compute. compute. compute. compute. compute.networks.get compute. compute. compute.networks.list compute. compute. compute. compute.nodeGroups.get compute. compute.nodeGroups.list compute.nodeTemplates.get compute. compute.nodeTemplates.list compute.nodeTypes.*
compute. compute.packetMirrorings.get compute.packetMirrorings.list compute.projects.get compute. compute. compute. compute. compute. compute. compute. compute. compute. compute. compute. compute. compute. compute. compute. compute. compute.regionHealthChecks.get compute. compute. compute. compute. compute. compute. compute. compute. compute. compute.regionOperations.get compute. compute.regionOperations.list compute. compute. compute. compute. compute. compute. compute. compute. compute.regionSslPolicies.get compute.regionSslPolicies.list compute. compute. compute. compute. compute. compute. compute. compute. compute. compute. compute. compute.regionUrlMaps.get compute.regionUrlMaps.list compute. compute. compute.regionUrlMaps.validate compute.regions.*
compute.reservations.get compute.reservations.list compute.resourcePolicies.get compute. compute.resourcePolicies.list compute.routers.get compute.routers.list compute.routes.get compute.routes.list compute. compute.routes.listTagBindings compute.securityPolicies.get compute. compute.securityPolicies.list compute. compute. compute.serviceAttachments.get compute. compute. compute.snapshotSettings.get compute.snapshots.get compute.snapshots.getIamPolicy compute.snapshots.list compute. compute. compute.sslCertificates.get compute.sslCertificates.list compute. compute. compute.sslPolicies.get compute.sslPolicies.list compute. compute. compute. compute.subnetworks.get compute. compute.subnetworks.list compute. compute. compute.targetGrpcProxies.get compute.targetGrpcProxies.list compute.targetHttpProxies.get compute.targetHttpProxies.list compute. compute. compute.targetHttpsProxies.get compute. compute. compute. compute.targetInstances.get compute.targetInstances.list compute. compute. compute.targetPools.get compute.targetPools.list compute. compute. compute.targetSslProxies.get compute.targetSslProxies.list compute. compute. compute.targetTcpProxies.get compute.targetTcpProxies.list compute. compute. compute.targetVpnGateways.get compute.targetVpnGateways.list compute.urlMaps.get compute.urlMaps.list compute. compute. compute.urlMaps.validate compute.vpnGateways.get compute.vpnGateways.list compute.vpnTunnels.get compute.vpnTunnels.list compute.zoneOperations.get compute. compute.zoneOperations.list compute.zones.*
notebooks.environments.get notebooks. notebooks.environments.list notebooks.executions.create notebooks.executions.get notebooks. notebooks.executions.list notebooks. notebooks.instances.create notebooks.instances.get notebooks.instances.getHealth notebooks. notebooks.instances.list notebooks.locations.*
notebooks.operations.get notebooks.operations.list notebooks.runtimes.create notebooks.runtimes.get notebooks. notebooks.runtimes.list notebooks.schedules.create notebooks.schedules.get notebooks. notebooks.schedules.list resourcemanager.projects.get resourcemanager.projects.list serviceusage.quotas.get serviceusage.services.get serviceusage.services.list |
Notebooks Viewer( Read-only access to Notebooks, all resources. Lowest-level resources where you can grant this role:
|
compute.acceleratorTypes.*
compute.addresses.get compute.addresses.list compute.autoscalers.get compute.autoscalers.list compute.backendBuckets.get compute. compute.backendBuckets.list compute. compute. compute.backendServices.get compute. compute.backendServices.list compute. compute. compute.commitments.get compute.commitments.list compute.diskTypes.*
compute.disks.get compute.disks.getIamPolicy compute.disks.list compute. compute.disks.listTagBindings compute. compute. compute.firewallPolicies.get compute. compute.firewallPolicies.list compute. compute. compute.firewalls.get compute.firewalls.list compute. compute. compute.forwardingRules.get compute.forwardingRules.list compute. compute. compute.futureReservations.get compute. compute. compute.globalAddresses.get compute.globalAddresses.list compute. compute. compute. compute. compute. compute. compute. compute. compute. compute.globalOperations.get compute. compute.globalOperations.list compute. compute. compute.healthChecks.get compute.healthChecks.list compute. compute. compute.httpHealthChecks.get compute.httpHealthChecks.list compute. compute. compute.httpsHealthChecks.get compute.httpsHealthChecks.list compute. compute. compute.images.get compute.images.getFromFamily compute.images.getIamPolicy compute.images.list compute. compute.images.listTagBindings compute. compute. compute.instanceGroups.get compute.instanceGroups.list compute.instanceSettings.get compute.instanceTemplates.get compute. compute.instanceTemplates.list compute.instances.get compute. compute. compute.instances.getIamPolicy compute. compute. compute. compute. compute.instances.list compute. compute. compute. compute.instantSnapshots.get compute. compute.instantSnapshots.list compute. compute.
compute.
compute.
compute.interconnects.get compute.interconnects.list compute.licenseCodes.get compute. compute.licenseCodes.list compute.licenses.get compute.licenses.getIamPolicy compute.licenses.list compute.machineImages.get compute. compute.machineImages.list compute.machineTypes.*
compute. compute. compute. compute.networkAttachments.get compute. compute. compute. compute. compute. compute. compute. compute. compute. compute.networks.get compute. compute. compute.networks.list compute. compute. compute. compute.nodeGroups.get compute. compute.nodeGroups.list compute.nodeTemplates.get compute. compute.nodeTemplates.list compute.nodeTypes.*
compute. compute.packetMirrorings.get compute.packetMirrorings.list compute.projects.get compute. compute. compute. compute. compute. compute. compute. compute. compute. compute. compute. compute. compute. compute. compute. compute. compute.regionHealthChecks.get compute. compute. compute. compute. compute. compute. compute. compute. compute. compute.regionOperations.get compute. compute.regionOperations.list compute. compute. compute. compute. compute. compute. compute. compute. compute.regionSslPolicies.get compute.regionSslPolicies.list compute. compute. compute. compute. compute. compute. compute. compute. compute. compute. compute. compute.regionUrlMaps.get compute.regionUrlMaps.list compute. compute. compute.regionUrlMaps.validate compute.regions.*
compute.reservations.get compute.reservations.list compute.resourcePolicies.get compute. compute.resourcePolicies.list compute.routers.get compute.routers.list compute.routes.get compute.routes.list compute. compute.routes.listTagBindings compute.securityPolicies.get compute. compute.securityPolicies.list compute. compute. compute.serviceAttachments.get compute. compute. compute.snapshotSettings.get compute.snapshots.get compute.snapshots.getIamPolicy compute.snapshots.list compute. compute. compute.sslCertificates.get compute.sslCertificates.list compute. compute. compute.sslPolicies.get compute.sslPolicies.list compute. compute. compute. compute.subnetworks.get compute. compute.subnetworks.list compute. compute. compute.targetGrpcProxies.get compute.targetGrpcProxies.list compute.targetHttpProxies.get compute.targetHttpProxies.list compute. compute. compute.targetHttpsProxies.get compute. compute. compute. compute.targetInstances.get compute.targetInstances.list compute. compute. compute.targetPools.get compute.targetPools.list compute. compute. compute.targetSslProxies.get compute.targetSslProxies.list compute. compute. compute.targetTcpProxies.get compute.targetTcpProxies.list compute. compute. compute.targetVpnGateways.get compute.targetVpnGateways.list compute.urlMaps.get compute.urlMaps.list compute. compute. compute.urlMaps.validate compute.vpnGateways.get compute.vpnGateways.list compute.vpnTunnels.get compute.vpnTunnels.list compute.zoneOperations.get compute. compute.zoneOperations.list compute.zones.*
notebooks.environments.get notebooks. notebooks.environments.list notebooks.executions.get notebooks. notebooks.executions.list notebooks. notebooks.instances.get notebooks.instances.getHealth notebooks. notebooks.instances.list notebooks.locations.*
notebooks.operations.get notebooks.operations.list notebooks.runtimes.get notebooks. notebooks.runtimes.list notebooks.schedules.get notebooks. notebooks.schedules.list resourcemanager.projects.get resourcemanager.projects.list serviceusage.quotas.get serviceusage.services.get serviceusage.services.list |
AI Platform roles |
Permissions |
AI Platform Admin( Provides full access to AI Platform resources, and its jobs, operations, models, and versions. Lowest-level resources where you can grant this role:
|
ml.*
resourcemanager.projects.get |
AI Platform Developer( Provides ability to use AI Platform resources for creating models, versions, jobs for training and prediction, and sending online prediction requests. Lowest-level resources where you can grant this role:
|
ml.jobs.create ml.jobs.get ml.jobs.getIamPolicy ml.jobs.list ml.locations.*
ml.models.create ml.models.get ml.models.getIamPolicy ml.models.list ml.models.predict ml.operations.get ml.operations.list ml.projects.getConfig ml.studies.*
ml.trials.*
ml.versions.get ml.versions.list ml.versions.predict resourcemanager.projects.get |
AI Platform Job Owner( Provides full access to all permissions for a particular job resource. This role is automatically granted to the user who creates the job. Lowest-level resources where you can grant this role:
|
ml.jobs.*
|
AI Platform Model Owner( Provides full access to the model and its versions. This role is automatically granted to the user who creates the model. Lowest-level resources where you can grant this role:
|
ml.models.*
ml.versions.*
|
AI Platform Model User( Provides permissions to read the model and its versions, and use them for prediction. Lowest-level resources where you can grant this role:
|
ml.models.get ml.models.predict ml.versions.get ml.versions.list ml.versions.predict |
AI Platform Operation Owner( Provides full access to all permissions for a particular operation resource. Lowest-level resources where you can grant this role:
|
ml.operations.*
|
AI Platform Viewer( Provides read-only access to AI Platform resources. Lowest-level resources where you can grant this role:
|
ml.jobs.get ml.jobs.list ml.locations.*
ml.models.get ml.models.list ml.operations.get ml.operations.list ml.projects.getConfig ml.studies.get ml.studies.getIamPolicy ml.studies.list ml.trials.get ml.trials.list ml.versions.get ml.versions.list resourcemanager.projects.get |
Analytics Hub roles |
Permissions |
Analytics Hub Admin( Administer Data Exchanges and Listings |
analyticshub. analyticshub. analyticshub.dataExchanges.get analyticshub. analyticshub. analyticshub. analyticshub. analyticshub. analyticshub.listings.create analyticshub.listings.delete analyticshub.listings.get analyticshub. analyticshub.listings.list analyticshub. analyticshub.listings.update analyticshub. analyticshub.subscriptions.*
resourcemanager.projects.get resourcemanager.projects.list |
Analytics Hub Listing Admin( Grants full control over the Listing, including updating, deleting and setting ACLs |
analyticshub.dataExchanges.get analyticshub. analyticshub. analyticshub.listings.delete analyticshub.listings.get analyticshub. analyticshub.listings.list analyticshub. analyticshub.listings.update analyticshub. resourcemanager.projects.get resourcemanager.projects.list |
Analytics Hub Publisher( Can publish to Data Exchanges thus creating Listings |
analyticshub.dataExchanges.get analyticshub. analyticshub. analyticshub.listings.create analyticshub.listings.get analyticshub. analyticshub.listings.list resourcemanager.projects.get resourcemanager.projects.list |
Analytics Hub Subscriber( Can browse Data Exchanges and subscribe to Listings |
analyticshub.dataExchanges.get analyticshub. analyticshub. analyticshub. analyticshub.listings.get analyticshub. analyticshub.listings.list analyticshub. resourcemanager.projects.get resourcemanager.projects.list |
Analytics Hub Subscription Owner( Grants full control over the Subscription, including updating and deleting |
analyticshub.dataExchanges.get analyticshub. analyticshub. analyticshub.listings.get analyticshub. analyticshub.listings.list analyticshub.subscriptions.*
resourcemanager.projects.get resourcemanager.projects.list |
Analytics Hub Viewer( Can browse Data Exchanges and Listings |
analyticshub.dataExchanges.get analyticshub. analyticshub. analyticshub.listings.get analyticshub. analyticshub.listings.list resourcemanager.projects.get resourcemanager.projects.list |
Android Management roles |
Permissions |
Android Management User( Full access to manage devices. |
androidmanagement. serviceusage.quotas.get serviceusage.services.get serviceusage.services.list |
Anthos Multi-cloud roles |
Permissions |
Anthos Multi-cloud Admin( Admin access to Anthos Multi-cloud resources. |
gkemulticloud.*
resourcemanager.projects.get resourcemanager.projects.list |
Anthos Multi-cloud Telemetry Writer( Grant access to write cluster telemetry data such as logs, metrics, and resource metadata. |
logging.logEntries.create logging.logEntries.route monitoring. monitoring. monitoring.
monitoring.
monitoring.timeSeries.create opsconfigmonitoring. |
Anthos Multi-cloud Viewer( Viewer access to Anthos Multi-cloud resources. |
gkemulticloud. gkemulticloud. gkemulticloud. gkemulticloud. gkemulticloud. gkemulticloud.awsClusters.get gkemulticloud.awsClusters.list gkemulticloud.awsNodePools.get gkemulticloud. gkemulticloud. gkemulticloud.azureClients.get gkemulticloud. gkemulticloud. gkemulticloud. gkemulticloud. gkemulticloud. gkemulticloud. gkemulticloud. gkemulticloud.operations.get gkemulticloud.operations.list gkemulticloud.operations.wait resourcemanager.projects.get resourcemanager.projects.list |
API Gateway roles |
Permissions |
ApiGateway Admin( Full access to ApiGateway and related resources. |
apigateway.*
monitoring. monitoring. monitoring.timeSeries.list resourcemanager.projects.get resourcemanager.projects.list servicemanagement.services.get serviceusage.services.list |
ApiGateway Viewer( Read-only access to ApiGateway and related resources. |
apigateway.apiconfigs.get apigateway. apigateway.apiconfigs.list apigateway.apis.get apigateway.apis.getIamPolicy apigateway.apis.list apigateway.gateways.get apigateway. apigateway.gateways.list apigateway.locations.*
apigateway.operations.get apigateway.operations.list monitoring. monitoring. monitoring.timeSeries.list resourcemanager.projects.get resourcemanager.projects.list servicemanagement.services.get serviceusage.services.list |
Apigee roles |
Permissions |
Apigee Organization Admin( Full access to all apigee resource features |
apigee.*
monitoring.timeSeries.list resourcemanager.projects.get resourcemanager. resourcemanager.projects.list |
Apigee Analytics Agent( Curated set of permissions for Apigee Universal Data Collection Agent to manage analytics for an Apigee Organization |
apigee.datalocation.get apigee. apigee.runtimeconfigs.get |
Apigee Analytics Editor( Analytics editor for an Apigee Organization |
apigee.datacollectors.*
apigee.datastores.*
apigee.entitlements.get apigee.envgroupattachments.get apigee. apigee.envgroups.get apigee.envgroups.list apigee.environments.get apigee.environments.getStats apigee.environments.list apigee.exports.*
apigee.hostqueries.*
apigee.hoststats.get apigee.organizations.get apigee.organizations.list apigee. apigee.queries.*
apigee.reports.*
resourcemanager.projects.get resourcemanager.projects.list |
Apigee Analytics Viewer( Analytics viewer for an Apigee Organization |
apigee.datacollectors.get apigee.datacollectors.list apigee.datastores.get apigee.datastores.list apigee.entitlements.get apigee.envgroupattachments.get apigee. apigee.envgroups.get apigee.envgroups.list apigee.environments.get apigee.environments.getStats apigee.environments.list apigee.exports.get apigee.exports.list apigee.hostqueries.get apigee.hostqueries.list apigee.hoststats.get apigee.organizations.get apigee.organizations.list apigee. apigee.queries.get apigee.queries.list apigee.reports.get apigee.reports.list resourcemanager.projects.get resourcemanager.projects.list |
Apigee API Admin( Full read/write access to all apigee API resources |
apigee.apiproductattributes.*
apigee.apiproducts.*
apigee.entitlements.get apigee.envgroupattachments.get apigee. apigee.envgroups.get apigee.envgroups.list apigee.environments.get apigee.environments.getStats apigee.environments.list apigee.keyvaluemapentries.*
apigee.keyvaluemaps.*
apigee.organizations.get apigee.organizations.list apigee. apigee.proxies.*
apigee.proxyrevisions.*
apigee.sharedflowrevisions.*
apigee.sharedflows.*
resourcemanager.projects.get resourcemanager.projects.list |
Apigee API Reader( Reader of apigee resources |
apigee. apigee. apigee.apiproducts.get apigee.apiproducts.list apigee.entitlements.get apigee.envgroupattachments.get apigee. apigee.envgroups.get apigee.envgroups.list apigee.environments.get apigee.environments.getStats apigee.environments.list apigee.keyvaluemapentries.get apigee.keyvaluemapentries.list apigee.keyvaluemaps.list apigee.organizations.get apigee.organizations.list apigee. apigee.proxies.get apigee.proxies.list apigee.proxyrevisions.deploy apigee.proxyrevisions.get apigee.proxyrevisions.list apigee.proxyrevisions.undeploy apigee. apigee.sharedflowrevisions.get apigee. apigee. apigee.sharedflows.get apigee.sharedflows.list resourcemanager.projects.get resourcemanager.projects.list |
Apigee Developer Admin( Developer admin of apigee resources |
apigee. apigee. apigee.apiproducts.get apigee.apiproducts.list apigee.appgroupapps.*
apigee.appgroups.*
apigee.appkeys.*
apigee.apps.*
apigee.datacollectors.*
apigee.
apigee.developerapps.*
apigee.developerattributes.*
apigee.developerbalances.*
apigee.
apigee.developers.*
apigee.
apigee.entitlements.get apigee.environments.get apigee.environments.getStats apigee.environments.list apigee.hoststats.get apigee.organizations.get apigee.organizations.list apigee. apigee.rateplans.get apigee.rateplans.list resourcemanager.projects.get resourcemanager. resourcemanager.projects.list |
Apigee Environment Admin( Full read/write access to apigee environment resources, including deployments. |
apigee.addonsconfig.*
apigee.archivedeployments.*
apigee.datacollectors.get apigee.datacollectors.list apigee.deployments.*
apigee.entitlements.get apigee.envgroupattachments.get apigee. apigee.envgroups.get apigee.envgroups.list apigee.environments.get apigee. apigee.environments.getStats apigee.environments.list apigee. apigee.environments.update apigee.flowhooks.*
apigee.ingressconfigs.get apigee.keystorealiases.*
apigee.keystores.*
apigee.keyvaluemapentries.*
apigee.keyvaluemaps.*
apigee.maskconfigs.*
apigee.organizations.get apigee.organizations.list apigee. apigee.proxies.get apigee.proxies.list apigee.proxyrevisions.deploy apigee.proxyrevisions.get apigee.proxyrevisions.list apigee.proxyrevisions.undeploy apigee.references.*
apigee.resourcefiles.*
apigee. apigee.sharedflowrevisions.get apigee. apigee. apigee.sharedflows.get apigee.sharedflows.list apigee.targetservers.*
apigee.traceconfig.*
apigee.traceconfigoverrides.*
apigee.tracesessions.*
resourcemanager.projects.get resourcemanager. resourcemanager.projects.list |
Apigee Monetization Admin( All permissions related to monetization |
apigee.apiproducts.get apigee.apiproducts.list apigee.developerbalances.*
apigee.
apigee.
apigee.entitlements.get apigee.organizations.get apigee.organizations.list apigee. apigee.rateplans.*
resourcemanager.projects.get resourcemanager.projects.list |
Apigee Portal Admin( Portal admin for an Apigee Organization |
apigee.entitlements.get apigee.organizations.get apigee.organizations.list apigee.portals.*
apigee. resourcemanager.projects.get resourcemanager.projects.list |
Apigee Read-only Admin( Viewer of all apigee resources |
apigee.addonsconfig.get apigee. apigee. apigee.apiproducts.get apigee.apiproducts.list apigee.appgroupapps.get apigee.appgroupapps.list apigee.appgroups.get apigee.appgroups.list apigee.appkeys.get apigee.apps.*
apigee. apigee.archivedeployments.get apigee.archivedeployments.list apigee.caches.list apigee.canaryevaluations.get apigee.datacollectors.get apigee.datacollectors.list apigee.datalocation.get apigee.datastores.get apigee.datastores.list apigee.deployments.get apigee.deployments.list apigee. apigee. apigee.developerapps.get apigee.developerapps.list apigee.developerattributes.get apigee. apigee.developerbalances.get apigee. apigee.developers.get apigee.developers.list apigee. apigee. apigee.endpointattachments.get apigee. apigee.entitlements.get apigee.envgroupattachments.get apigee. apigee.envgroups.get apigee.envgroups.list apigee.environments.get apigee. apigee. apigee.environments.getStats apigee.environments.list apigee.exports.get apigee.exports.list apigee.flowhooks.getSharedFlow apigee.flowhooks.list apigee.hostqueries.get apigee.hostqueries.list apigee.hostsecurityreports.get apigee. apigee.hoststats.get apigee.ingressconfigs.get apigee.instanceattachments.get apigee. apigee.instances.get apigee.instances.list apigee.keystorealiases.get apigee.keystorealiases.list apigee.keystores.get apigee.keystores.list apigee.keyvaluemapentries.get apigee.keyvaluemapentries.list apigee.keyvaluemaps.list apigee.maskconfigs.get apigee.nataddresses.get apigee.nataddresses.list apigee.operations.*
apigee.organizations.get apigee.organizations.list apigee.portals.get apigee.portals.list apigee. apigee.proxies.get apigee.proxies.list apigee.proxyrevisions.get apigee.proxyrevisions.list apigee.queries.get apigee.queries.list apigee.rateplans.get apigee.rateplans.list apigee.references.get apigee.references.list apigee.reports.get apigee.reports.list apigee.resourcefiles.get apigee.resourcefiles.list apigee.runtimeconfigs.get apigee.securityActions.get apigee.securityActions.list apigee. apigee.securityIncidents.get apigee.securityIncidents.list apigee. apigee.securityProfiles.get apigee.securityProfiles.list apigee.securityStats.*
apigee.securityreports.get apigee.securityreports.list apigee.setupcontexts.get apigee.sharedflowrevisions.get apigee. apigee.sharedflows.get apigee.sharedflows.list apigee.targetservers.get apigee.targetservers.list apigee.traceconfig.get apigee. apigee. apigee.tracesessions.get apigee.tracesessions.list monitoring.timeSeries.list resourcemanager.projects.get resourcemanager. resourcemanager.projects.list |
Apigee Runtime Agent( Curated set of permissions for a runtime agent to access Apigee Organization resources |
apigee.canaryevaluations.*
apigee.entitlements.get apigee.ingressconfigs.get apigee.instances.reportStatus apigee.operations.*
apigee.organizations.get apigee. apigee.runtimeconfigs.get |
Apigee Security Admin( Security admin for an Apigee Organization |
apigee.entitlements.get apigee.envgroupattachments.get apigee. apigee.envgroups.get apigee.envgroups.list apigee.environments.get apigee.environments.list apigee.hostsecurityreports.*
apigee.organizations.get apigee.organizations.list apigee. apigee.securityActions.*
apigee.securityActionsConfig.*
apigee.securityIncidents.*
apigee.
apigee.securityProfiles.*
apigee.securityStats.*
apigee.securityreports.*
resourcemanager.projects.get resourcemanager.projects.list |
Apigee Security Viewer( Security viewer for an Apigee Organization |
apigee.entitlements.get apigee.envgroupattachments.get apigee. apigee.envgroups.get apigee.envgroups.list apigee.environments.get apigee.environments.list apigee.hostsecurityreports.get apigee. apigee.organizations.get apigee.organizations.list apigee. apigee.securityActions.get apigee.securityActions.list apigee. apigee.securityIncidents.get apigee.securityIncidents.list apigee. apigee.securityProfiles.get apigee.securityProfiles.list apigee.securityStats.*
apigee.securityreports.get apigee.securityreports.list resourcemanager.projects.get resourcemanager.projects.list |
Apigee Synchronizer Manager( Curated set of permissions for a Synchronizer to manage environments in an Apigee Organization |
apigee.environments.get apigee. apigee.ingressconfigs.get |
Apigee Connect Admin( Admin of Apigee Connect |
apigeeconnect.connections.list |
Apigee Connect Agent( Ability to set up Apigee Connect agent between external clusters and Google. |
apigeeconnect. |
Apigee Registry roles |
Permissions |
Cloud Apigee Registry Admin Beta( Full access to Cloud Apigee Registry Registry and Runtime resources. |
apigeeregistry.*
resourcemanager.projects.get resourcemanager.projects.list |
Cloud Apigee Registry Editor Beta( Edit access to Cloud Apigee Registry Registry resources. |
apigeeregistry.apis.create apigeeregistry.apis.delete apigeeregistry.apis.get apigeeregistry. apigeeregistry.apis.list apigeeregistry.apis.update apigeeregistry. apigeeregistry. apigeeregistry.artifacts.get apigeeregistry. apigeeregistry.artifacts.list apigeeregistry. apigeeregistry.deployments.*
apigeeregistry.specs.create apigeeregistry.specs.delete apigeeregistry.specs.get apigeeregistry. apigeeregistry.specs.list apigeeregistry.specs.update apigeeregistry.versions.create apigeeregistry.versions.delete apigeeregistry.versions.get apigeeregistry. apigeeregistry.versions.list apigeeregistry.versions.update resourcemanager.projects.get resourcemanager.projects.list |
Cloud Apigee Registry Viewer Beta( Read-only access to Cloud Apigee Registry Registry resources. |
apigeeregistry.apis.get apigeeregistry.apis.list apigeeregistry.artifacts.get apigeeregistry.artifacts.list apigeeregistry.deployments.get apigeeregistry. apigeeregistry.specs.get apigeeregistry.specs.list apigeeregistry.versions.get apigeeregistry.versions.list resourcemanager.projects.get resourcemanager.projects.list |
Cloud Apigee Registry Worker Beta( The role used by Apigee Registry application workers to read and update Apigee Registry Artifacts. |
apigeeregistry.apis.get apigeeregistry.apis.list apigeeregistry.apis.update apigeeregistry. apigeeregistry. apigeeregistry.artifacts.get apigeeregistry.artifacts.list apigeeregistry. apigeeregistry.deployments.get apigeeregistry. apigeeregistry. apigeeregistry.specs.get apigeeregistry.specs.list apigeeregistry.specs.update apigeeregistry.versions.get apigeeregistry.versions.list apigeeregistry.versions.update resourcemanager.projects.get resourcemanager.projects.list |
App Engine roles |
Permissions |
App Engine Admin( Read/Write/Modify access to all application configuration and settings. To deploy new versions, a principal must have the
Service Account User
( Lowest-level resources where you can grant this role:
|
appengine.applications.get appengine.applications.update appengine.instances.*
appengine.memcache.addKey appengine.memcache.flush appengine.memcache.get appengine.memcache.update appengine.operations.*
appengine.runtimes.actAsAdmin appengine.services.*
appengine.versions.create appengine.versions.delete appengine.versions.get appengine.versions.list appengine.versions.update resourcemanager.projects.get resourcemanager.projects.list |
App Engine Creator( Ability to create the App Engine resource for the project. Lowest-level resources where you can grant this role:
|
appengine.applications.create resourcemanager.projects.get resourcemanager.projects.list |
App Engine Viewer( Read-only access to all application configuration and settings. Lowest-level resources where you can grant this role:
|
appengine.applications.get appengine.instances.get appengine.instances.list appengine.operations.*
appengine.services.get appengine.services.list appengine.versions.get appengine.versions.list resourcemanager.projects.get resourcemanager.projects.list |
App Engine Code Viewer( Read-only access to all application configuration, settings, and deployed source code. Lowest-level resources where you can grant this role:
|
appengine.applications.get appengine.instances.get appengine.instances.list appengine.operations.*
appengine.services.get appengine.services.list appengine.versions.get appengine. appengine.versions.list resourcemanager.projects.get resourcemanager.projects.list |
App Engine Managed VM Debug Access( Ability to read or manage v2 instances. |
appengine.applications.get appengine.instances.*
appengine.operations.*
appengine.services.get appengine.services.list appengine.versions.get appengine.versions.list resourcemanager.projects.get resourcemanager.projects.list |
App Engine Deployer( Read-only access to all application configuration and settings. To deploy new versions, you must also have the
Service Account User
( Cannot modify existing versions other than deleting versions that are not receiving traffic. Lowest-level resources where you can grant this role:
|
appengine.applications.get appengine.instances.get appengine.instances.list appengine.operations.*
appengine.services.get appengine.services.list appengine.versions.create appengine.versions.delete appengine.versions.get appengine.versions.list artifactregistry. artifactregistry. artifactregistry. resourcemanager.projects.get resourcemanager.projects.list |
App Engine Memcache Data Admin( Can get, set, delete, and flush App Engine Memcache items. |
appengine.applications.get appengine.memcache.addKey appengine.memcache.flush appengine.memcache.get appengine.memcache.update resourcemanager.projects.get resourcemanager.projects.list |
App Engine Service Admin( Read-only access to all application configuration and settings. Write access to module-level and version-level settings. Cannot deploy a new version. Lowest-level resources where you can grant this role:
|
appengine.applications.get appengine.instances.delete appengine.instances.get appengine.instances.list appengine.operations.*
appengine.services.*
appengine.versions.delete appengine.versions.get appengine.versions.list appengine.versions.update resourcemanager.projects.get resourcemanager.projects.list |
Artifact Registry roles |
Permissions |
Artifact Registry Administrator( Administrator access to create and manage repositories. |
artifactregistry.
artifactregistry.
artifactregistry.files.*
artifactregistry. artifactregistry.locations.*
artifactregistry.
artifactregistry.npmpackages.*
artifactregistry.packages.*
|