IAM basic and predefined roles reference

This page lists all basic and predefined roles for Identity and Access Management (IAM). To learn more about IAM roles, see Roles and permissions.

Basic roles

Basic roles are highly permissive roles that existed prior to the introduction of IAM. You can use basic roles to grant principals broad access to Google Cloud resources.

When you grant a basic role to a principal, the principal gets all of the permissions in the basic role. They also get any permissions that services provide to principals with basic roles—for example, permissions gained through Cloud Storage convenience values and BigQuery special group membership.

The following table summarizes the permissions that the basic roles give users across all Google Cloud services:

Basic roles Permissions
Viewer (roles/viewer)

Permissions for read-only actions that don't affect state, such as viewing (but not modifying) existing resources or data.

For a list of permissions in the Viewer role, see the role details in the Google Cloud console.

Editor (roles/editor)

All viewer permissions, plus permissions for actions that modify state, such as changing existing resources.

The permissions in the Editor role let you create and delete resources for most Google Cloud services. However, the Editor role doesn't contain permissions to perform all actions for all services. For more information about how to check whether a role has the permissions that you need, see Role types.

For a list of permissions in the Editor role, see the role details in the Google Cloud console.

Owner (roles/owner)

All Editor permissions, plus permissions for actions like the following:

  • Completing sensitive tasks, like creating App Engine applications
  • Managing roles and permissions for a project and all resources within the project
  • Setting up billing for a project

For a list of permissions in the Owner role, see the role details in the Google Cloud console.

Predefined roles

Predefined roles give granular access to specific Google Cloud resources. These roles are created and maintained by Google. Google automatically updates their permissions as necessary, such as when Google Cloud adds new features or services.

The following table lists all IAM predefined roles, organized by service.

For more information about predefined roles, see Roles and permissions. For help choosing the most appropriate predefined roles, see Choose predefined roles.

Permissions

(roles/accessapproval.approver)

Ability to view or act on access approval requests and view configuration

accessapproval.requests.*

accessapproval.serviceAccounts.get

accessapproval.settings.get

resourcemanager.projects.get

resourcemanager.projects.list

(roles/accessapproval.configEditor)

Ability to update the Access Approval configuration

accessapproval.serviceAccounts.get

accessapproval.settings.*

resourcemanager.projects.get

resourcemanager.projects.list

(roles/accessapproval.invalidator)

Ability to invalidate existing approved approval requests

accessapproval.requests.invalidate

accessapproval.serviceAccounts.get

accessapproval.settings.get

resourcemanager.projects.get

resourcemanager.projects.list

(roles/accessapproval.viewer)

Ability to view access approval requests and configuration

accessapproval.requests.get

accessapproval.requests.list

accessapproval.serviceAccounts.get

accessapproval.settings.get

resourcemanager.projects.get

resourcemanager.projects.list

Permissions

(roles/accesscontextmanager.gcpAccessAdmin)

Create, edit, and change Cloud access bindings.

accesscontextmanager.gcpUserAccessBindings.*

(roles/accesscontextmanager.gcpAccessReader)

Read access to Cloud access bindings.

accesscontextmanager.gcpUserAccessBindings.get

accesscontextmanager.gcpUserAccessBindings.list

(roles/accesscontextmanager.policyAdmin)

Full access to policies, access levels, access zones and authorized orgs descs.

accesscontextmanager.accessLevels.*

accesscontextmanager.authorizedOrgsDescs.*

accesscontextmanager.policies.*

accesscontextmanager.servicePerimeters.*

cloudasset.assets.searchAllResources

resourcemanager.organizations.get

resourcemanager.projects.get

resourcemanager.projects.list

(roles/accesscontextmanager.policyEditor)

Edit access to policies. Create, edit, and change access levels, access zones and authorized orgs descs.

accesscontextmanager.accessLevels.*

accesscontextmanager.authorizedOrgsDescs.*

accesscontextmanager.policies.create

accesscontextmanager.policies.delete

accesscontextmanager.policies.get

accesscontextmanager.policies.getIamPolicy

accesscontextmanager.policies.list

accesscontextmanager.policies.update

accesscontextmanager.servicePerimeters.*

cloudasset.assets.searchAllResources

resourcemanager.organizations.get

resourcemanager.projects.get

resourcemanager.projects.list

(roles/accesscontextmanager.policyReader)

Read access to policies, access levels, access zones and authorized orgs descs.

accesscontextmanager.accessLevels.get

accesscontextmanager.accessLevels.list

accesscontextmanager.authorizedOrgsDescs.get

accesscontextmanager.authorizedOrgsDescs.list

accesscontextmanager.policies.get

accesscontextmanager.policies.getIamPolicy

accesscontextmanager.policies.list

accesscontextmanager.servicePerimeters.get

accesscontextmanager.servicePerimeters.list

resourcemanager.organizations.get

resourcemanager.projects.get

resourcemanager.projects.list

(roles/accesscontextmanager.vpcScTroubleshooterViewer)

accesscontextmanager.accessLevels.get

accesscontextmanager.accessLevels.list

accesscontextmanager.authorizedOrgsDescs.get

accesscontextmanager.authorizedOrgsDescs.list

accesscontextmanager.policies.get

accesscontextmanager.policies.getIamPolicy

accesscontextmanager.policies.list

accesscontextmanager.servicePerimeters.get

accesscontextmanager.servicePerimeters.list

logging.exclusions.get

logging.exclusions.list

logging.logEntries.list

logging.logMetrics.get

logging.logMetrics.list

logging.logServiceIndexes.list

logging.logServices.list

logging.logs.list

logging.sinks.get

logging.sinks.list

logging.usage.get

resourcemanager.organizations.get

resourcemanager.projects.get

resourcemanager.projects.list

Permissions

(roles/actions.Admin)

Access to edit and deploy an action

actions.*

firebase.projects.get

firebase.projects.update

resourcemanager.projects.get

resourcemanager.projects.list

serviceusage.services.use

(roles/actions.Viewer)

Access to view an action

actions.agent.get

actions.agentVersions.get

actions.agentVersions.list

firebase.projects.get

resourcemanager.projects.get

resourcemanager.projects.list

serviceusage.services.use

Permissions

(roles/notebooks.admin)

Full access to all Notebooks resources.

Lowest-level resources where you can grant this role:

  • Instance

compute.acceleratorTypes.*

compute.addresses.get

compute.addresses.list

compute.autoscalers.get

compute.autoscalers.list

compute.backendBuckets.get

compute.backendBuckets.getIamPolicy

compute.backendBuckets.list

compute.backendBuckets.listEffectiveTags

compute.backendBuckets.listTagBindings

compute.backendServices.get

compute.backendServices.getIamPolicy

compute.backendServices.list

compute.backendServices.listEffectiveTags

compute.backendServices.listTagBindings

compute.commitments.get

compute.commitments.list

compute.diskTypes.*

compute.disks.get

compute.disks.getIamPolicy

compute.disks.list

compute.disks.listEffectiveTags

compute.disks.listTagBindings

compute.externalVpnGateways.get

compute.externalVpnGateways.list

compute.firewallPolicies.get

compute.firewallPolicies.getIamPolicy

compute.firewallPolicies.list

compute.firewallPolicies.listEffectiveTags

compute.firewallPolicies.listTagBindings

compute.firewalls.get

compute.firewalls.list

compute.firewalls.listEffectiveTags

compute.firewalls.listTagBindings

compute.forwardingRules.get

compute.forwardingRules.list

compute.forwardingRules.listEffectiveTags

compute.forwardingRules.listTagBindings

compute.futureReservations.get

compute.futureReservations.getIamPolicy

compute.futureReservations.list

compute.globalAddresses.get

compute.globalAddresses.list

compute.globalForwardingRules.get

compute.globalForwardingRules.list

compute.globalForwardingRules.listEffectiveTags

compute.globalForwardingRules.listTagBindings

compute.globalForwardingRules.pscGet

compute.globalNetworkEndpointGroups.get

compute.globalNetworkEndpointGroups.list

compute.globalNetworkEndpointGroups.listEffectiveTags

compute.globalNetworkEndpointGroups.listTagBindings

compute.globalOperations.get

compute.globalOperations.getIamPolicy

compute.globalOperations.list

compute.globalPublicDelegatedPrefixes.get

compute.globalPublicDelegatedPrefixes.list

compute.healthChecks.get

compute.healthChecks.list

compute.healthChecks.listEffectiveTags

compute.healthChecks.listTagBindings

compute.httpHealthChecks.get

compute.httpHealthChecks.list

compute.httpHealthChecks.listEffectiveTags

compute.httpHealthChecks.listTagBindings

compute.httpsHealthChecks.get

compute.httpsHealthChecks.list

compute.httpsHealthChecks.listEffectiveTags

compute.httpsHealthChecks.listTagBindings

compute.images.get

compute.images.getFromFamily

compute.images.getIamPolicy

compute.images.list

compute.images.listEffectiveTags

compute.images.listTagBindings

compute.instanceGroupManagers.get

compute.instanceGroupManagers.list

compute.instanceGroupManagers.listEffectiveTags

compute.instanceGroupManagers.listTagBindings

compute.instanceGroups.get

compute.instanceGroups.list

compute.instanceSettings.get

compute.instanceTemplates.get

compute.instanceTemplates.getIamPolicy

compute.instanceTemplates.list

compute.instances.get

compute.instances.getEffectiveFirewalls

compute.instances.getGuestAttributes

compute.instances.getIamPolicy

compute.instances.getScreenshot

compute.instances.getSerialPortOutput

compute.instances.getShieldedInstanceIdentity

compute.instances.getShieldedVmIdentity

compute.instances.list

compute.instances.listEffectiveTags

compute.instances.listReferrers

compute.instances.listTagBindings

compute.instantSnapshots.get

compute.instantSnapshots.getIamPolicy

compute.instantSnapshots.list

compute.interconnectAttachments.get

compute.interconnectAttachments.list

compute.interconnectLocations.*

compute.interconnectRemoteLocations.*

compute.interconnects.get

compute.interconnects.list

compute.licenseCodes.get

compute.licenseCodes.getIamPolicy

compute.licenseCodes.list

compute.licenses.get

compute.licenses.getIamPolicy

compute.licenses.list

compute.machineImages.get

compute.machineImages.getIamPolicy

compute.machineImages.list

compute.machineTypes.*

compute.maintenancePolicies.get

compute.maintenancePolicies.getIamPolicy

compute.maintenancePolicies.list

compute.networkAttachments.get

compute.networkAttachments.getIamPolicy

compute.networkAttachments.list

compute.networkEdgeSecurityServices.get

compute.networkEdgeSecurityServices.list

compute.networkEndpointGroups.get

compute.networkEndpointGroups.getIamPolicy

compute.networkEndpointGroups.list

compute.networkEndpointGroups.listEffectiveTags

compute.networkEndpointGroups.listTagBindings

compute.networks.get

compute.networks.getEffectiveFirewalls

compute.networks.getRegionEffectiveFirewalls

compute.networks.list

compute.networks.listEffectiveTags

compute.networks.listPeeringRoutes

compute.networks.listTagBindings

compute.nodeGroups.get

compute.nodeGroups.getIamPolicy

compute.nodeGroups.list

compute.nodeTemplates.get

compute.nodeTemplates.getIamPolicy

compute.nodeTemplates.list

compute.nodeTypes.*

compute.organizations.listAssociations

compute.packetMirrorings.get

compute.packetMirrorings.list

compute.projects.get

compute.publicAdvertisedPrefixes.get

compute.publicAdvertisedPrefixes.list

compute.publicDelegatedPrefixes.get

compute.publicDelegatedPrefixes.list

compute.regionBackendServices.get

compute.regionBackendServices.getIamPolicy

compute.regionBackendServices.list

compute.regionBackendServices.listEffectiveTags

compute.regionBackendServices.listTagBindings

compute.regionFirewallPolicies.get

compute.regionFirewallPolicies.getIamPolicy

compute.regionFirewallPolicies.list

compute.regionFirewallPolicies.listEffectiveTags

compute.regionFirewallPolicies.listTagBindings

compute.regionHealthCheckServices.get

compute.regionHealthCheckServices.list

compute.regionHealthChecks.get

compute.regionHealthChecks.list

compute.regionHealthChecks.listEffectiveTags

compute.regionHealthChecks.listTagBindings

compute.regionNetworkEndpointGroups.get

compute.regionNetworkEndpointGroups.list

compute.regionNetworkEndpointGroups.listEffectiveTags

compute.regionNetworkEndpointGroups.listTagBindings

compute.regionNotificationEndpoints.get

compute.regionNotificationEndpoints.list

compute.regionOperations.get

compute.regionOperations.getIamPolicy

compute.regionOperations.list

compute.regionSecurityPolicies.get

compute.regionSecurityPolicies.list

compute.regionSecurityPolicies.listEffectiveTags

compute.regionSecurityPolicies.listTagBindings

compute.regionSslCertificates.get

compute.regionSslCertificates.list

compute.regionSslCertificates.listEffectiveTags

compute.regionSslCertificates.listTagBindings

compute.regionSslPolicies.get

compute.regionSslPolicies.list

compute.regionSslPolicies.listAvailableFeatures

compute.regionTargetHttpProxies.get

compute.regionTargetHttpProxies.list

compute.regionTargetHttpProxies.listEffectiveTags

compute.regionTargetHttpProxies.listTagBindings

compute.regionTargetHttpsProxies.get

compute.regionTargetHttpsProxies.list

compute.regionTargetHttpsProxies.listEffectiveTags

compute.regionTargetHttpsProxies.listTagBindings

compute.regionTargetTcpProxies.get

compute.regionTargetTcpProxies.list

compute.regionUrlMaps.get

compute.regionUrlMaps.list

compute.regionUrlMaps.listEffectiveTags

compute.regionUrlMaps.listTagBindings

compute.regionUrlMaps.validate

compute.regions.*

compute.reservations.get

compute.reservations.list

compute.resourcePolicies.get

compute.resourcePolicies.getIamPolicy

compute.resourcePolicies.list

compute.routers.get

compute.routers.list

compute.routes.get

compute.routes.list

compute.routes.listEffectiveTags

compute.routes.listTagBindings

compute.securityPolicies.get

compute.securityPolicies.getIamPolicy

compute.securityPolicies.list

compute.securityPolicies.listEffectiveTags

compute.securityPolicies.listTagBindings

compute.serviceAttachments.get

compute.serviceAttachments.getIamPolicy

compute.serviceAttachments.list

compute.snapshotSettings.get

compute.snapshots.get

compute.snapshots.getIamPolicy

compute.snapshots.list

compute.snapshots.listEffectiveTags

compute.snapshots.listTagBindings

compute.sslCertificates.get

compute.sslCertificates.list

compute.sslCertificates.listEffectiveTags

compute.sslCertificates.listTagBindings

compute.sslPolicies.get

compute.sslPolicies.list

compute.sslPolicies.listAvailableFeatures

compute.sslPolicies.listEffectiveTags

compute.sslPolicies.listTagBindings

compute.storagePools.get

compute.storagePools.getIamPolicy

compute.storagePools.list

compute.subnetworks.get

compute.subnetworks.getIamPolicy

compute.subnetworks.list

compute.subnetworks.listEffectiveTags

compute.subnetworks.listTagBindings

compute.targetGrpcProxies.get

compute.targetGrpcProxies.list

compute.targetHttpProxies.get

compute.targetHttpProxies.list

compute.targetHttpProxies.listEffectiveTags

compute.targetHttpProxies.listTagBindings

compute.targetHttpsProxies.get

compute.targetHttpsProxies.list

compute.targetHttpsProxies.listEffectiveTags

compute.targetHttpsProxies.listTagBindings

compute.targetInstances.get

compute.targetInstances.list

compute.targetInstances.listEffectiveTags

compute.targetInstances.listTagBindings

compute.targetPools.get

compute.targetPools.list

compute.targetPools.listEffectiveTags

compute.targetPools.listTagBindings

compute.targetSslProxies.get

compute.targetSslProxies.list

compute.targetSslProxies.listEffectiveTags

compute.targetSslProxies.listTagBindings

compute.targetTcpProxies.get

compute.targetTcpProxies.list

compute.targetTcpProxies.listEffectiveTags

compute.targetTcpProxies.listTagBindings

compute.targetVpnGateways.get

compute.targetVpnGateways.list

compute.urlMaps.get

compute.urlMaps.list

compute.urlMaps.listEffectiveTags

compute.urlMaps.listTagBindings

compute.urlMaps.validate

compute.vpnGateways.get

compute.vpnGateways.list

compute.vpnTunnels.get

compute.vpnTunnels.list

compute.zoneOperations.get

compute.zoneOperations.getIamPolicy

compute.zoneOperations.list

compute.zones.*

notebooks.*

resourcemanager.projects.get

resourcemanager.projects.list

serviceusage.quotas.get

serviceusage.services.get

serviceusage.services.list

(roles/notebooks.legacyAdmin)

Full access to all Notebooks resources through the Compute API.

compute.*

notebooks.*

resourcemanager.projects.get

resourcemanager.projects.list

serviceusage.quotas.get

serviceusage.services.get

serviceusage.services.list

(roles/notebooks.legacyViewer)

Read-only access to all Notebooks resources through the Compute API.

compute.acceleratorTypes.*

compute.addresses.get

compute.addresses.list

compute.autoscalers.get

compute.autoscalers.list

compute.backendBuckets.get

compute.backendBuckets.getIamPolicy

compute.backendBuckets.list

compute.backendBuckets.listEffectiveTags

compute.backendBuckets.listTagBindings

compute.backendServices.get

compute.backendServices.getIamPolicy

compute.backendServices.list

compute.backendServices.listEffectiveTags

compute.backendServices.listTagBindings

compute.commitments.get

compute.commitments.list

compute.diskTypes.*

compute.disks.get

compute.disks.getIamPolicy

compute.disks.list

compute.disks.listEffectiveTags

compute.disks.listTagBindings

compute.externalVpnGateways.get

compute.externalVpnGateways.list

compute.firewallPolicies.get

compute.firewallPolicies.getIamPolicy

compute.firewallPolicies.list

compute.firewallPolicies.listEffectiveTags

compute.firewallPolicies.listTagBindings

compute.firewalls.get

compute.firewalls.list

compute.firewalls.listEffectiveTags

compute.firewalls.listTagBindings

compute.forwardingRules.get

compute.forwardingRules.list

compute.forwardingRules.listEffectiveTags

compute.forwardingRules.listTagBindings

compute.futureReservations.get

compute.futureReservations.getIamPolicy

compute.futureReservations.list

compute.globalAddresses.get

compute.globalAddresses.list

compute.globalForwardingRules.get

compute.globalForwardingRules.list

compute.globalForwardingRules.listEffectiveTags

compute.globalForwardingRules.listTagBindings

compute.globalForwardingRules.pscGet

compute.globalNetworkEndpointGroups.get

compute.globalNetworkEndpointGroups.list

compute.globalNetworkEndpointGroups.listEffectiveTags

compute.globalNetworkEndpointGroups.listTagBindings

compute.globalOperations.get

compute.globalOperations.getIamPolicy

compute.globalOperations.list

compute.globalPublicDelegatedPrefixes.get

compute.globalPublicDelegatedPrefixes.list

compute.healthChecks.get

compute.healthChecks.list

compute.healthChecks.listEffectiveTags

compute.healthChecks.listTagBindings

compute.httpHealthChecks.get

compute.httpHealthChecks.list

compute.httpHealthChecks.listEffectiveTags

compute.httpHealthChecks.listTagBindings

compute.httpsHealthChecks.get

compute.httpsHealthChecks.list

compute.httpsHealthChecks.listEffectiveTags

compute.httpsHealthChecks.listTagBindings

compute.images.get

compute.images.getFromFamily

compute.images.getIamPolicy

compute.images.list

compute.images.listEffectiveTags

compute.images.listTagBindings

compute.instanceGroupManagers.get

compute.instanceGroupManagers.list

compute.instanceGroupManagers.listEffectiveTags

compute.instanceGroupManagers.listTagBindings

compute.instanceGroups.get

compute.instanceGroups.list

compute.instanceSettings.get

compute.instanceTemplates.get

compute.instanceTemplates.getIamPolicy

compute.instanceTemplates.list

compute.instances.get

compute.instances.getEffectiveFirewalls

compute.instances.getGuestAttributes

compute.instances.getIamPolicy

compute.instances.getScreenshot

compute.instances.getSerialPortOutput

compute.instances.getShieldedInstanceIdentity

compute.instances.getShieldedVmIdentity

compute.instances.list

compute.instances.listEffectiveTags

compute.instances.listReferrers

compute.instances.listTagBindings

compute.instantSnapshots.get

compute.instantSnapshots.getIamPolicy

compute.instantSnapshots.list

compute.interconnectAttachments.get

compute.interconnectAttachments.list

compute.interconnectLocations.*

compute.interconnectRemoteLocations.*

compute.interconnects.get

compute.interconnects.list

compute.licenseCodes.get

compute.licenseCodes.getIamPolicy

compute.licenseCodes.list

compute.licenses.get

compute.licenses.getIamPolicy

compute.licenses.list

compute.machineImages.get

compute.machineImages.getIamPolicy

compute.machineImages.list

compute.machineTypes.*

compute.maintenancePolicies.get

compute.maintenancePolicies.getIamPolicy

compute.maintenancePolicies.list

compute.networkAttachments.get

compute.networkAttachments.getIamPolicy

compute.networkAttachments.list

compute.networkEdgeSecurityServices.get

compute.networkEdgeSecurityServices.list

compute.networkEndpointGroups.get

compute.networkEndpointGroups.getIamPolicy

compute.networkEndpointGroups.list

compute.networkEndpointGroups.listEffectiveTags

compute.networkEndpointGroups.listTagBindings

compute.networks.get

compute.networks.getEffectiveFirewalls

compute.networks.getRegionEffectiveFirewalls

compute.networks.list

compute.networks.listEffectiveTags

compute.networks.listPeeringRoutes

compute.networks.listTagBindings

compute.nodeGroups.get

compute.nodeGroups.getIamPolicy

compute.nodeGroups.list

compute.nodeTemplates.get

compute.nodeTemplates.getIamPolicy

compute.nodeTemplates.list

compute.nodeTypes.*

compute.organizations.listAssociations

compute.packetMirrorings.get

compute.packetMirrorings.list

compute.projects.get

compute.publicAdvertisedPrefixes.get

compute.publicAdvertisedPrefixes.list

compute.publicDelegatedPrefixes.get

compute.publicDelegatedPrefixes.list

compute.regionBackendServices.get

compute.regionBackendServices.getIamPolicy

compute.regionBackendServices.list

compute.regionBackendServices.listEffectiveTags

compute.regionBackendServices.listTagBindings

compute.regionFirewallPolicies.get

compute.regionFirewallPolicies.getIamPolicy

compute.regionFirewallPolicies.list

compute.regionFirewallPolicies.listEffectiveTags

compute.regionFirewallPolicies.listTagBindings

compute.regionHealthCheckServices.get

compute.regionHealthCheckServices.list

compute.regionHealthChecks.get

compute.regionHealthChecks.list

compute.regionHealthChecks.listEffectiveTags

compute.regionHealthChecks.listTagBindings

compute.regionNetworkEndpointGroups.get

compute.regionNetworkEndpointGroups.list

compute.regionNetworkEndpointGroups.listEffectiveTags

compute.regionNetworkEndpointGroups.listTagBindings

compute.regionNotificationEndpoints.get

compute.regionNotificationEndpoints.list

compute.regionOperations.get

compute.regionOperations.getIamPolicy

compute.regionOperations.list

compute.regionSecurityPolicies.get

compute.regionSecurityPolicies.list

compute.regionSecurityPolicies.listEffectiveTags

compute.regionSecurityPolicies.listTagBindings

compute.regionSslCertificates.get

compute.regionSslCertificates.list

compute.regionSslCertificates.listEffectiveTags

compute.regionSslCertificates.listTagBindings

compute.regionSslPolicies.get

compute.regionSslPolicies.list

compute.regionSslPolicies.listAvailableFeatures

compute.regionTargetHttpProxies.get

compute.regionTargetHttpProxies.list

compute.regionTargetHttpProxies.listEffectiveTags

compute.regionTargetHttpProxies.listTagBindings

compute.regionTargetHttpsProxies.get

compute.regionTargetHttpsProxies.list

compute.regionTargetHttpsProxies.listEffectiveTags

compute.regionTargetHttpsProxies.listTagBindings

compute.regionTargetTcpProxies.get

compute.regionTargetTcpProxies.list

compute.regionUrlMaps.get

compute.regionUrlMaps.list

compute.regionUrlMaps.listEffectiveTags

compute.regionUrlMaps.listTagBindings

compute.regionUrlMaps.validate

compute.regions.*

compute.reservations.get

compute.reservations.list

compute.resourcePolicies.get

compute.resourcePolicies.getIamPolicy

compute.resourcePolicies.list

compute.routers.get

compute.routers.list

compute.routes.get

compute.routes.list

compute.routes.listEffectiveTags

compute.routes.listTagBindings

compute.securityPolicies.get

compute.securityPolicies.getIamPolicy

compute.securityPolicies.list

compute.securityPolicies.listEffectiveTags

compute.securityPolicies.listTagBindings

compute.serviceAttachments.get

compute.serviceAttachments.getIamPolicy

compute.serviceAttachments.list

compute.snapshotSettings.get

compute.snapshots.get

compute.snapshots.getIamPolicy

compute.snapshots.list

compute.snapshots.listEffectiveTags

compute.snapshots.listTagBindings

compute.sslCertificates.get

compute.sslCertificates.list

compute.sslCertificates.listEffectiveTags

compute.sslCertificates.listTagBindings

compute.sslPolicies.get

compute.sslPolicies.list

compute.sslPolicies.listAvailableFeatures

compute.sslPolicies.listEffectiveTags

compute.sslPolicies.listTagBindings

compute.storagePools.get

compute.storagePools.getIamPolicy

compute.storagePools.list

compute.subnetworks.get

compute.subnetworks.getIamPolicy

compute.subnetworks.list

compute.subnetworks.listEffectiveTags

compute.subnetworks.listTagBindings

compute.targetGrpcProxies.get

compute.targetGrpcProxies.list

compute.targetHttpProxies.get

compute.targetHttpProxies.list

compute.targetHttpProxies.listEffectiveTags

compute.targetHttpProxies.listTagBindings

compute.targetHttpsProxies.get

compute.targetHttpsProxies.list

compute.targetHttpsProxies.listEffectiveTags

compute.targetHttpsProxies.listTagBindings

compute.targetInstances.get

compute.targetInstances.list

compute.targetInstances.listEffectiveTags

compute.targetInstances.listTagBindings

compute.targetPools.get

compute.targetPools.list

compute.targetPools.listEffectiveTags

compute.targetPools.listTagBindings

compute.targetSslProxies.get

compute.targetSslProxies.list

compute.targetSslProxies.listEffectiveTags

compute.targetSslProxies.listTagBindings

compute.targetTcpProxies.get

compute.targetTcpProxies.list

compute.targetTcpProxies.listEffectiveTags

compute.targetTcpProxies.listTagBindings

compute.targetVpnGateways.get

compute.targetVpnGateways.list

compute.urlMaps.get

compute.urlMaps.list

compute.urlMaps.listEffectiveTags

compute.urlMaps.listTagBindings

compute.urlMaps.validate

compute.vpnGateways.get

compute.vpnGateways.list

compute.vpnTunnels.get

compute.vpnTunnels.list

compute.zoneOperations.get

compute.zoneOperations.getIamPolicy

compute.zoneOperations.list

compute.zones.*

notebooks.environments.get

notebooks.environments.getIamPolicy

notebooks.environments.list

notebooks.executions.get

notebooks.executions.getIamPolicy

notebooks.executions.list

notebooks.instances.checkUpgradability

notebooks.instances.get

notebooks.instances.getHealth

notebooks.instances.getIamPolicy

notebooks.instances.list

notebooks.locations.*

notebooks.operations.get

notebooks.operations.list

notebooks.runtimes.get

notebooks.runtimes.getIamPolicy

notebooks.runtimes.list

notebooks.schedules.get

notebooks.schedules.getIamPolicy

notebooks.schedules.list

resourcemanager.projects.get

resourcemanager.projects.list

serviceusage.quotas.get

serviceusage.services.get

serviceusage.services.list

(roles/notebooks.runner)

Restricted access for running scheduled Notebooks.

compute.acceleratorTypes.*

compute.addresses.get

compute.addresses.list

compute.autoscalers.get

compute.autoscalers.list

compute.backendBuckets.get

compute.backendBuckets.getIamPolicy

compute.backendBuckets.list

compute.backendBuckets.listEffectiveTags

compute.backendBuckets.listTagBindings

compute.backendServices.get

compute.backendServices.getIamPolicy

compute.backendServices.list

compute.backendServices.listEffectiveTags

compute.backendServices.listTagBindings

compute.commitments.get

compute.commitments.list

compute.diskTypes.*

compute.disks.get

compute.disks.getIamPolicy

compute.disks.list

compute.disks.listEffectiveTags

compute.disks.listTagBindings

compute.externalVpnGateways.get

compute.externalVpnGateways.list

compute.firewallPolicies.get

compute.firewallPolicies.getIamPolicy

compute.firewallPolicies.list

compute.firewallPolicies.listEffectiveTags

compute.firewallPolicies.listTagBindings

compute.firewalls.get

compute.firewalls.list

compute.firewalls.listEffectiveTags

compute.firewalls.listTagBindings

compute.forwardingRules.get

compute.forwardingRules.list

compute.forwardingRules.listEffectiveTags

compute.forwardingRules.listTagBindings

compute.futureReservations.get

compute.futureReservations.getIamPolicy

compute.futureReservations.list

compute.globalAddresses.get

compute.globalAddresses.list

compute.globalForwardingRules.get

compute.globalForwardingRules.list

compute.globalForwardingRules.listEffectiveTags

compute.globalForwardingRules.listTagBindings

compute.globalForwardingRules.pscGet

compute.globalNetworkEndpointGroups.get

compute.globalNetworkEndpointGroups.list

compute.globalNetworkEndpointGroups.listEffectiveTags

compute.globalNetworkEndpointGroups.listTagBindings

compute.globalOperations.get

compute.globalOperations.getIamPolicy

compute.globalOperations.list

compute.globalPublicDelegatedPrefixes.get

compute.globalPublicDelegatedPrefixes.list

compute.healthChecks.get

compute.healthChecks.list

compute.healthChecks.listEffectiveTags

compute.healthChecks.listTagBindings

compute.httpHealthChecks.get

compute.httpHealthChecks.list

compute.httpHealthChecks.listEffectiveTags

compute.httpHealthChecks.listTagBindings

compute.httpsHealthChecks.get

compute.httpsHealthChecks.list

compute.httpsHealthChecks.listEffectiveTags

compute.httpsHealthChecks.listTagBindings

compute.images.get

compute.images.getFromFamily

compute.images.getIamPolicy

compute.images.list

compute.images.listEffectiveTags

compute.images.listTagBindings

compute.instanceGroupManagers.get

compute.instanceGroupManagers.list

compute.instanceGroupManagers.listEffectiveTags

compute.instanceGroupManagers.listTagBindings

compute.instanceGroups.get

compute.instanceGroups.list

compute.instanceSettings.get

compute.instanceTemplates.get

compute.instanceTemplates.getIamPolicy

compute.instanceTemplates.list

compute.instances.get

compute.instances.getEffectiveFirewalls

compute.instances.getGuestAttributes

compute.instances.getIamPolicy

compute.instances.getScreenshot

compute.instances.getSerialPortOutput

compute.instances.getShieldedInstanceIdentity

compute.instances.getShieldedVmIdentity

compute.instances.list

compute.instances.listEffectiveTags

compute.instances.listReferrers

compute.instances.listTagBindings

compute.instantSnapshots.get

compute.instantSnapshots.getIamPolicy

compute.instantSnapshots.list

compute.interconnectAttachments.get

compute.interconnectAttachments.list

compute.interconnectLocations.*

compute.interconnectRemoteLocations.*

compute.interconnects.get

compute.interconnects.list

compute.licenseCodes.get

compute.licenseCodes.getIamPolicy

compute.licenseCodes.list

compute.licenses.get

compute.licenses.getIamPolicy

compute.licenses.list

compute.machineImages.get

compute.machineImages.getIamPolicy

compute.machineImages.list

compute.machineTypes.*

compute.maintenancePolicies.get

compute.maintenancePolicies.getIamPolicy

compute.maintenancePolicies.list

compute.networkAttachments.get

compute.networkAttachments.getIamPolicy

compute.networkAttachments.list

compute.networkEdgeSecurityServices.get

compute.networkEdgeSecurityServices.list

compute.networkEndpointGroups.get

compute.networkEndpointGroups.getIamPolicy

compute.networkEndpointGroups.list

compute.networkEndpointGroups.listEffectiveTags

compute.networkEndpointGroups.listTagBindings

compute.networks.get

compute.networks.getEffectiveFirewalls

compute.networks.getRegionEffectiveFirewalls

compute.networks.list

compute.networks.listEffectiveTags

compute.networks.listPeeringRoutes

compute.networks.listTagBindings

compute.nodeGroups.get

compute.nodeGroups.getIamPolicy

compute.nodeGroups.list

compute.nodeTemplates.get

compute.nodeTemplates.getIamPolicy

compute.nodeTemplates.list

compute.nodeTypes.*

compute.organizations.listAssociations

compute.packetMirrorings.get

compute.packetMirrorings.list

compute.projects.get

compute.publicAdvertisedPrefixes.get

compute.publicAdvertisedPrefixes.list

compute.publicDelegatedPrefixes.get

compute.publicDelegatedPrefixes.list

compute.regionBackendServices.get

compute.regionBackendServices.getIamPolicy

compute.regionBackendServices.list

compute.regionBackendServices.listEffectiveTags

compute.regionBackendServices.listTagBindings

compute.regionFirewallPolicies.get

compute.regionFirewallPolicies.getIamPolicy

compute.regionFirewallPolicies.list

compute.regionFirewallPolicies.listEffectiveTags

compute.regionFirewallPolicies.listTagBindings

compute.regionHealthCheckServices.get

compute.regionHealthCheckServices.list

compute.regionHealthChecks.get

compute.regionHealthChecks.list

compute.regionHealthChecks.listEffectiveTags

compute.regionHealthChecks.listTagBindings

compute.regionNetworkEndpointGroups.get

compute.regionNetworkEndpointGroups.list

compute.regionNetworkEndpointGroups.listEffectiveTags

compute.regionNetworkEndpointGroups.listTagBindings

compute.regionNotificationEndpoints.get

compute.regionNotificationEndpoints.list

compute.regionOperations.get

compute.regionOperations.getIamPolicy

compute.regionOperations.list

compute.regionSecurityPolicies.get

compute.regionSecurityPolicies.list

compute.regionSecurityPolicies.listEffectiveTags

compute.regionSecurityPolicies.listTagBindings

compute.regionSslCertificates.get

compute.regionSslCertificates.list

compute.regionSslCertificates.listEffectiveTags

compute.regionSslCertificates.listTagBindings

compute.regionSslPolicies.get

compute.regionSslPolicies.list

compute.regionSslPolicies.listAvailableFeatures

compute.regionTargetHttpProxies.get

compute.regionTargetHttpProxies.list

compute.regionTargetHttpProxies.listEffectiveTags

compute.regionTargetHttpProxies.listTagBindings

compute.regionTargetHttpsProxies.get

compute.regionTargetHttpsProxies.list

compute.regionTargetHttpsProxies.listEffectiveTags

compute.regionTargetHttpsProxies.listTagBindings

compute.regionTargetTcpProxies.get

compute.regionTargetTcpProxies.list

compute.regionUrlMaps.get

compute.regionUrlMaps.list

compute.regionUrlMaps.listEffectiveTags

compute.regionUrlMaps.listTagBindings

compute.regionUrlMaps.validate

compute.regions.*

compute.reservations.get

compute.reservations.list

compute.resourcePolicies.get

compute.resourcePolicies.getIamPolicy

compute.resourcePolicies.list

compute.routers.get

compute.routers.list

compute.routes.get

compute.routes.list

compute.routes.listEffectiveTags

compute.routes.listTagBindings

compute.securityPolicies.get

compute.securityPolicies.getIamPolicy

compute.securityPolicies.list

compute.securityPolicies.listEffectiveTags

compute.securityPolicies.listTagBindings

compute.serviceAttachments.get

compute.serviceAttachments.getIamPolicy

compute.serviceAttachments.list

compute.snapshotSettings.get

compute.snapshots.get

compute.snapshots.getIamPolicy

compute.snapshots.list

compute.snapshots.listEffectiveTags

compute.snapshots.listTagBindings

compute.sslCertificates.get

compute.sslCertificates.list

compute.sslCertificates.listEffectiveTags

compute.sslCertificates.listTagBindings

compute.sslPolicies.get

compute.sslPolicies.list

compute.sslPolicies.listAvailableFeatures

compute.sslPolicies.listEffectiveTags

compute.sslPolicies.listTagBindings

compute.storagePools.get

compute.storagePools.getIamPolicy

compute.storagePools.list

compute.subnetworks.get

compute.subnetworks.getIamPolicy

compute.subnetworks.list

compute.subnetworks.listEffectiveTags

compute.subnetworks.listTagBindings

compute.targetGrpcProxies.get

compute.targetGrpcProxies.list

compute.targetHttpProxies.get

compute.targetHttpProxies.list

compute.targetHttpProxies.listEffectiveTags

compute.targetHttpProxies.listTagBindings

compute.targetHttpsProxies.get

compute.targetHttpsProxies.list

compute.targetHttpsProxies.listEffectiveTags

compute.targetHttpsProxies.listTagBindings

compute.targetInstances.get

compute.targetInstances.list

compute.targetInstances.listEffectiveTags

compute.targetInstances.listTagBindings

compute.targetPools.get

compute.targetPools.list

compute.targetPools.listEffectiveTags

compute.targetPools.listTagBindings

compute.targetSslProxies.get

compute.targetSslProxies.list

compute.targetSslProxies.listEffectiveTags

compute.targetSslProxies.listTagBindings

compute.targetTcpProxies.get

compute.targetTcpProxies.list

compute.targetTcpProxies.listEffectiveTags

compute.targetTcpProxies.listTagBindings

compute.targetVpnGateways.get

compute.targetVpnGateways.list

compute.urlMaps.get

compute.urlMaps.list

compute.urlMaps.listEffectiveTags

compute.urlMaps.listTagBindings

compute.urlMaps.validate

compute.vpnGateways.get

compute.vpnGateways.list

compute.vpnTunnels.get

compute.vpnTunnels.list

compute.zoneOperations.get

compute.zoneOperations.getIamPolicy

compute.zoneOperations.list

compute.zones.*

notebooks.environments.get

notebooks.environments.getIamPolicy

notebooks.environments.list

notebooks.executions.create

notebooks.executions.get

notebooks.executions.getIamPolicy

notebooks.executions.list

notebooks.instances.checkUpgradability

notebooks.instances.create

notebooks.instances.get

notebooks.instances.getHealth

notebooks.instances.getIamPolicy

notebooks.instances.list

notebooks.locations.*

notebooks.operations.get

notebooks.operations.list

notebooks.runtimes.create

notebooks.runtimes.get

notebooks.runtimes.getIamPolicy

notebooks.runtimes.list

notebooks.schedules.create

notebooks.schedules.get

notebooks.schedules.getIamPolicy

notebooks.schedules.list

resourcemanager.projects.get

resourcemanager.projects.list

serviceusage.quotas.get

serviceusage.services.get

serviceusage.services.list

(roles/notebooks.viewer)

Read-only access to Notebooks, all resources.

Lowest-level resources where you can grant this role:

  • Instance

compute.acceleratorTypes.*

compute.addresses.get

compute.addresses.list

compute.autoscalers.get

compute.autoscalers.list

compute.backendBuckets.get

compute.backendBuckets.getIamPolicy

compute.backendBuckets.list

compute.backendBuckets.listEffectiveTags

compute.backendBuckets.listTagBindings

compute.backendServices.get

compute.backendServices.getIamPolicy

compute.backendServices.list

compute.backendServices.listEffectiveTags

compute.backendServices.listTagBindings

compute.commitments.get

compute.commitments.list

compute.diskTypes.*

compute.disks.get

compute.disks.getIamPolicy

compute.disks.list

compute.disks.listEffectiveTags

compute.disks.listTagBindings

compute.externalVpnGateways.get

compute.externalVpnGateways.list

compute.firewallPolicies.get

compute.firewallPolicies.getIamPolicy

compute.firewallPolicies.list

compute.firewallPolicies.listEffectiveTags

compute.firewallPolicies.listTagBindings

compute.firewalls.get

compute.firewalls.list

compute.firewalls.listEffectiveTags

compute.firewalls.listTagBindings

compute.forwardingRules.get

compute.forwardingRules.list

compute.forwardingRules.listEffectiveTags

compute.forwardingRules.listTagBindings

compute.futureReservations.get

compute.futureReservations.getIamPolicy

compute.futureReservations.list

compute.globalAddresses.get

compute.globalAddresses.list

compute.globalForwardingRules.get

compute.globalForwardingRules.list

compute.globalForwardingRules.listEffectiveTags

compute.globalForwardingRules.listTagBindings

compute.globalForwardingRules.pscGet

compute.globalNetworkEndpointGroups.get

compute.globalNetworkEndpointGroups.list

compute.globalNetworkEndpointGroups.listEffectiveTags

compute.globalNetworkEndpointGroups.listTagBindings

compute.globalOperations.get

compute.globalOperations.getIamPolicy

compute.globalOperations.list

compute.globalPublicDelegatedPrefixes.get

compute.globalPublicDelegatedPrefixes.list

compute.healthChecks.get

compute.healthChecks.list

compute.healthChecks.listEffectiveTags

compute.healthChecks.listTagBindings

compute.httpHealthChecks.get

compute.httpHealthChecks.list

compute.httpHealthChecks.listEffectiveTags

compute.httpHealthChecks.listTagBindings

compute.httpsHealthChecks.get

compute.httpsHealthChecks.list

compute.httpsHealthChecks.listEffectiveTags

compute.httpsHealthChecks.listTagBindings

compute.images.get

compute.images.getFromFamily

compute.images.getIamPolicy

compute.images.list

compute.images.listEffectiveTags

compute.images.listTagBindings

compute.instanceGroupManagers.get

compute.instanceGroupManagers.list

compute.instanceGroupManagers.listEffectiveTags

compute.instanceGroupManagers.listTagBindings

compute.instanceGroups.get

compute.instanceGroups.list

compute.instanceSettings.get

compute.instanceTemplates.get

compute.instanceTemplates.getIamPolicy

compute.instanceTemplates.list

compute.instances.get

compute.instances.getEffectiveFirewalls

compute.instances.getGuestAttributes

compute.instances.getIamPolicy

compute.instances.getScreenshot

compute.instances.getSerialPortOutput

compute.instances.getShieldedInstanceIdentity

compute.instances.getShieldedVmIdentity

compute.instances.list

compute.instances.listEffectiveTags

compute.instances.listReferrers

compute.instances.listTagBindings

compute.instantSnapshots.get

compute.instantSnapshots.getIamPolicy

compute.instantSnapshots.list

compute.interconnectAttachments.get

compute.interconnectAttachments.list

compute.interconnectLocations.*

compute.interconnectRemoteLocations.*

compute.interconnects.get

compute.interconnects.list

compute.licenseCodes.get

compute.licenseCodes.getIamPolicy

compute.licenseCodes.list

compute.licenses.get

compute.licenses.getIamPolicy

compute.licenses.list

compute.machineImages.get

compute.machineImages.getIamPolicy

compute.machineImages.list

compute.machineTypes.*

compute.maintenancePolicies.get

compute.maintenancePolicies.getIamPolicy

compute.maintenancePolicies.list

compute.networkAttachments.get

compute.networkAttachments.getIamPolicy

compute.networkAttachments.list

compute.networkEdgeSecurityServices.get

compute.networkEdgeSecurityServices.list

compute.networkEndpointGroups.get

compute.networkEndpointGroups.getIamPolicy

compute.networkEndpointGroups.list

compute.networkEndpointGroups.listEffectiveTags

compute.networkEndpointGroups.listTagBindings

compute.networks.get

compute.networks.getEffectiveFirewalls

compute.networks.getRegionEffectiveFirewalls

compute.networks.list

compute.networks.listEffectiveTags

compute.networks.listPeeringRoutes

compute.networks.listTagBindings

compute.nodeGroups.get

compute.nodeGroups.getIamPolicy

compute.nodeGroups.list

compute.nodeTemplates.get

compute.nodeTemplates.getIamPolicy

compute.nodeTemplates.list

compute.nodeTypes.*

compute.organizations.listAssociations

compute.packetMirrorings.get

compute.packetMirrorings.list

compute.projects.get

compute.publicAdvertisedPrefixes.get

compute.publicAdvertisedPrefixes.list

compute.publicDelegatedPrefixes.get

compute.publicDelegatedPrefixes.list

compute.regionBackendServices.get

compute.regionBackendServices.getIamPolicy

compute.regionBackendServices.list

compute.regionBackendServices.listEffectiveTags

compute.regionBackendServices.listTagBindings

compute.regionFirewallPolicies.get

compute.regionFirewallPolicies.getIamPolicy

compute.regionFirewallPolicies.list

compute.regionFirewallPolicies.listEffectiveTags

compute.regionFirewallPolicies.listTagBindings

compute.regionHealthCheckServices.get

compute.regionHealthCheckServices.list

compute.regionHealthChecks.get

compute.regionHealthChecks.list

compute.regionHealthChecks.listEffectiveTags

compute.regionHealthChecks.listTagBindings

compute.regionNetworkEndpointGroups.get

compute.regionNetworkEndpointGroups.list

compute.regionNetworkEndpointGroups.listEffectiveTags

compute.regionNetworkEndpointGroups.listTagBindings

compute.regionNotificationEndpoints.get

compute.regionNotificationEndpoints.list

compute.regionOperations.get

compute.regionOperations.getIamPolicy

compute.regionOperations.list

compute.regionSecurityPolicies.get

compute.regionSecurityPolicies.list

compute.regionSecurityPolicies.listEffectiveTags

compute.regionSecurityPolicies.listTagBindings

compute.regionSslCertificates.get

compute.regionSslCertificates.list

compute.regionSslCertificates.listEffectiveTags

compute.regionSslCertificates.listTagBindings

compute.regionSslPolicies.get

compute.regionSslPolicies.list

compute.regionSslPolicies.listAvailableFeatures

compute.regionTargetHttpProxies.get

compute.regionTargetHttpProxies.list

compute.regionTargetHttpProxies.listEffectiveTags

compute.regionTargetHttpProxies.listTagBindings

compute.regionTargetHttpsProxies.get

compute.regionTargetHttpsProxies.list

compute.regionTargetHttpsProxies.listEffectiveTags

compute.regionTargetHttpsProxies.listTagBindings

compute.regionTargetTcpProxies.get

compute.regionTargetTcpProxies.list

compute.regionUrlMaps.get

compute.regionUrlMaps.list

compute.regionUrlMaps.listEffectiveTags

compute.regionUrlMaps.listTagBindings

compute.regionUrlMaps.validate

compute.regions.*

compute.reservations.get

compute.reservations.list

compute.resourcePolicies.get

compute.resourcePolicies.getIamPolicy

compute.resourcePolicies.list

compute.routers.get

compute.routers.list

compute.routes.get

compute.routes.list

compute.routes.listEffectiveTags

compute.routes.listTagBindings

compute.securityPolicies.get

compute.securityPolicies.getIamPolicy

compute.securityPolicies.list

compute.securityPolicies.listEffectiveTags

compute.securityPolicies.listTagBindings

compute.serviceAttachments.get

compute.serviceAttachments.getIamPolicy

compute.serviceAttachments.list

compute.snapshotSettings.get

compute.snapshots.get

compute.snapshots.getIamPolicy

compute.snapshots.list

compute.snapshots.listEffectiveTags

compute.snapshots.listTagBindings

compute.sslCertificates.get

compute.sslCertificates.list

compute.sslCertificates.listEffectiveTags

compute.sslCertificates.listTagBindings

compute.sslPolicies.get

compute.sslPolicies.list

compute.sslPolicies.listAvailableFeatures

compute.sslPolicies.listEffectiveTags

compute.sslPolicies.listTagBindings

compute.storagePools.get

compute.storagePools.getIamPolicy

compute.storagePools.list

compute.subnetworks.get

compute.subnetworks.getIamPolicy

compute.subnetworks.list

compute.subnetworks.listEffectiveTags

compute.subnetworks.listTagBindings

compute.targetGrpcProxies.get

compute.targetGrpcProxies.list

compute.targetHttpProxies.get

compute.targetHttpProxies.list

compute.targetHttpProxies.listEffectiveTags

compute.targetHttpProxies.listTagBindings

compute.targetHttpsProxies.get

compute.targetHttpsProxies.list

compute.targetHttpsProxies.listEffectiveTags

compute.targetHttpsProxies.listTagBindings

compute.targetInstances.get

compute.targetInstances.list

compute.targetInstances.listEffectiveTags

compute.targetInstances.listTagBindings

compute.targetPools.get

compute.targetPools.list

compute.targetPools.listEffectiveTags

compute.targetPools.listTagBindings

compute.targetSslProxies.get

compute.targetSslProxies.list

compute.targetSslProxies.listEffectiveTags

compute.targetSslProxies.listTagBindings

compute.targetTcpProxies.get

compute.targetTcpProxies.list

compute.targetTcpProxies.listEffectiveTags

compute.targetTcpProxies.listTagBindings

compute.targetVpnGateways.get

compute.targetVpnGateways.list

compute.urlMaps.get

compute.urlMaps.list

compute.urlMaps.listEffectiveTags

compute.urlMaps.listTagBindings

compute.urlMaps.validate

compute.vpnGateways.get

compute.vpnGateways.list

compute.vpnTunnels.get

compute.vpnTunnels.list

compute.zoneOperations.get

compute.zoneOperations.getIamPolicy

compute.zoneOperations.list

compute.zones.*

notebooks.environments.get

notebooks.environments.getIamPolicy

notebooks.environments.list

notebooks.executions.get

notebooks.executions.getIamPolicy

notebooks.executions.list

notebooks.instances.checkUpgradability

notebooks.instances.get

notebooks.instances.getHealth

notebooks.instances.getIamPolicy

notebooks.instances.list

notebooks.locations.*

notebooks.operations.get

notebooks.operations.list

notebooks.runtimes.get

notebooks.runtimes.getIamPolicy

notebooks.runtimes.list

notebooks.schedules.get

notebooks.schedules.getIamPolicy

notebooks.schedules.list

resourcemanager.projects.get

resourcemanager.projects.list

serviceusage.quotas.get

serviceusage.services.get

serviceusage.services.list

Permissions

(roles/ml.admin)

Provides full access to AI Platform resources, and its jobs, operations, models, and versions.

Lowest-level resources where you can grant this role:

  • Project

ml.*

resourcemanager.projects.get

(roles/ml.developer)

Provides ability to use AI Platform resources for creating models, versions, jobs for training and prediction, and sending online prediction requests.

Lowest-level resources where you can grant this role:

  • Project

ml.jobs.create

ml.jobs.get

ml.jobs.getIamPolicy

ml.jobs.list

ml.locations.*

ml.models.create

ml.models.get

ml.models.getIamPolicy

ml.models.list

ml.models.predict

ml.operations.get

ml.operations.list

ml.projects.getConfig

ml.studies.*

ml.trials.*

ml.versions.get

ml.versions.list

ml.versions.predict

resourcemanager.projects.get

(roles/ml.jobOwner)

Provides full access to all permissions for a particular job resource. This role is automatically granted to the user who creates the job.

Lowest-level resources where you can grant this role:

  • Job

ml.jobs.*

(roles/ml.modelOwner)

Provides full access to the model and its versions. This role is automatically granted to the user who creates the model.

Lowest-level resources where you can grant this role:

  • Model

ml.models.*

ml.versions.*

(roles/ml.modelUser)

Provides permissions to read the model and its versions, and use them for prediction.

Lowest-level resources where you can grant this role:

  • Model

ml.models.get

ml.models.predict

ml.versions.get

ml.versions.list

ml.versions.predict

(roles/ml.operationOwner)

Provides full access to all permissions for a particular operation resource.

Lowest-level resources where you can grant this role:

  • Operation

ml.operations.*

(roles/ml.viewer)

Provides read-only access to AI Platform resources.

Lowest-level resources where you can grant this role:

  • Project

ml.jobs.get

ml.jobs.list

ml.locations.*

ml.models.get

ml.models.list

ml.operations.get

ml.operations.list

ml.projects.getConfig

ml.studies.get

ml.studies.getIamPolicy

ml.studies.list

ml.trials.get

ml.trials.list

ml.versions.get

ml.versions.list

resourcemanager.projects.get

Permissions

(roles/analyticshub.admin)

Administer Data Exchanges and Listings.

analyticshub.dataExchanges.create

analyticshub.dataExchanges.delete

analyticshub.dataExchanges.get

analyticshub.dataExchanges.getIamPolicy

analyticshub.dataExchanges.list

analyticshub.dataExchanges.setIamPolicy

analyticshub.dataExchanges.update

analyticshub.dataExchanges.viewSubscriptions

analyticshub.listings.create

analyticshub.listings.delete

analyticshub.listings.get

analyticshub.listings.getIamPolicy

analyticshub.listings.list

analyticshub.listings.setIamPolicy

analyticshub.listings.update

analyticshub.listings.viewSubscriptions

analyticshub.subscriptions.*

resourcemanager.projects.get

resourcemanager.projects.list

(roles/analyticshub.listingAdmin)

Grants full control over the Listing, including updating, deleting, and setting ACLs.

analyticshub.dataExchanges.get

analyticshub.dataExchanges.getIamPolicy

analyticshub.dataExchanges.list

analyticshub.listings.delete

analyticshub.listings.get

analyticshub.listings.getIamPolicy

analyticshub.listings.list

analyticshub.listings.setIamPolicy

analyticshub.listings.update

analyticshub.listings.viewSubscriptions

resourcemanager.projects.get

resourcemanager.projects.list

(roles/analyticshub.publisher)

Can publish to Data Exchanges, thus creating Listings.

analyticshub.dataExchanges.get

analyticshub.dataExchanges.getIamPolicy

analyticshub.dataExchanges.list

analyticshub.listings.create

analyticshub.listings.get

analyticshub.listings.getIamPolicy

analyticshub.listings.list

resourcemanager.projects.get

resourcemanager.projects.list

(roles/analyticshub.subscriber)

Can browse Data Exchanges and subscribe to Listings.

analyticshub.dataExchanges.get

analyticshub.dataExchanges.getIamPolicy

analyticshub.dataExchanges.list

analyticshub.dataExchanges.subscribe

analyticshub.listings.get

analyticshub.listings.getIamPolicy

analyticshub.listings.list

analyticshub.listings.subscribe

resourcemanager.projects.get

resourcemanager.projects.list

(roles/analyticshub.subscriptionOwner)

Grants full control over the Subscription, including updating and deleting.

analyticshub.dataExchanges.get

analyticshub.dataExchanges.getIamPolicy

analyticshub.dataExchanges.list

analyticshub.listings.get

analyticshub.listings.getIamPolicy

analyticshub.listings.list

analyticshub.subscriptions.*

resourcemanager.projects.get

resourcemanager.projects.list

(roles/analyticshub.viewer)

Can browse Data Exchanges and Listings.

analyticshub.dataExchanges.get

analyticshub.dataExchanges.getIamPolicy

analyticshub.dataExchanges.list

analyticshub.listings.get

analyticshub.listings.getIamPolicy

analyticshub.listings.list

resourcemanager.projects.get

resourcemanager.projects.list

Permissions

(roles/androidmanagement.user)

Full access to manage devices.

androidmanagement.enterprises.manage

serviceusage.quotas.get

serviceusage.services.get

serviceusage.services.list

Permissions

(roles/gkemulticloud.admin)

Admin access to Anthos Multi-cloud resources.

gkemulticloud.*

resourcemanager.projects.get

resourcemanager.projects.list

(roles/gkemulticloud.telemetryWriter)

Grant access to write cluster telemetry data such as logs, metrics, and resource metadata.

logging.logEntries.create

logging.logEntries.route

monitoring.metricDescriptors.create

monitoring.metricDescriptors.get

monitoring.metricDescriptors.list

monitoring.monitoredResourceDescriptors.*

monitoring.timeSeries.create

opsconfigmonitoring.resourceMetadata.write

(roles/gkemulticloud.viewer)

Viewer access to Anthos Multi-cloud resources.

gkemulticloud.attachedClusters.generateInstallManifest

gkemulticloud.attachedClusters.get

gkemulticloud.attachedClusters.list

gkemulticloud.attachedServerConfigs.get

gkemulticloud.awsClusters.generateAccessToken

gkemulticloud.awsClusters.get

gkemulticloud.awsClusters.list

gkemulticloud.awsNodePools.get

gkemulticloud.awsNodePools.list

gkemulticloud.awsServerConfigs.get

gkemulticloud.azureClients.get

gkemulticloud.azureClients.list

gkemulticloud.azureClusters.generateAccessToken

gkemulticloud.azureClusters.get

gkemulticloud.azureClusters.list

gkemulticloud.azureNodePools.get

gkemulticloud.azureNodePools.list

gkemulticloud.azureServerConfigs.get

gkemulticloud.operations.get

gkemulticloud.operations.list

gkemulticloud.operations.wait

resourcemanager.projects.get

resourcemanager.projects.list

Permissions

(roles/apigateway.admin)

Full access to ApiGateway and related resources.

apigateway.*

monitoring.metricDescriptors.list

monitoring.monitoredResourceDescriptors.get

monitoring.timeSeries.list

resourcemanager.projects.get

resourcemanager.projects.list

servicemanagement.services.get

serviceusage.services.get

serviceusage.services.list

(roles/apigateway.viewer)

Read-only access to ApiGateway and related resources.

apigateway.apiconfigs.get

apigateway.apiconfigs.getIamPolicy

apigateway.apiconfigs.list

apigateway.apis.get

apigateway.apis.getIamPolicy

apigateway.apis.list

apigateway.gateways.get

apigateway.gateways.getIamPolicy

apigateway.gateways.list

apigateway.locations.*

apigateway.operations.get

apigateway.operations.list

monitoring.metricDescriptors.list

monitoring.monitoredResourceDescriptors.get

monitoring.timeSeries.list

resourcemanager.projects.get

resourcemanager.projects.list

servicemanagement.services.get

serviceusage.services.get

serviceusage.services.list

Permissions

(roles/apigee.admin)

Full access to all Apigee resource features.

apigee.*

monitoring.timeSeries.list

resourcemanager.projects.get

resourcemanager.projects.getIamPolicy

resourcemanager.projects.list

(roles/apigee.analyticsAgent)

Curated set of permissions for the Apigee Universal Data Collection Agent to manage analytics for an Apigee Organization.

apigee.datalocation.get

apigee.environments.getDataLocation

apigee.runtimeconfigs.get

(roles/apigee.analyticsEditor)

Analytics editor for an Apigee Organization.

apigee.datacollectors.*

apigee.datastores.*

apigee.entitlements.get

apigee.envgroupattachments.get

apigee.envgroupattachments.list

apigee.envgroups.get

apigee.envgroups.list

apigee.environments.get

apigee.environments.getStats

apigee.environments.list

apigee.exports.*

apigee.hostqueries.*

apigee.hoststats.get

apigee.organizations.get

apigee.organizations.list

apigee.projectorganizations.get

apigee.queries.*

apigee.reports.*

resourcemanager.projects.get

resourcemanager.projects.list

(roles/apigee.analyticsViewer)

Analytics viewer for an Apigee Organization.

apigee.datacollectors.get

apigee.datacollectors.list

apigee.datastores.get

apigee.datastores.list

apigee.entitlements.get

apigee.envgroupattachments.get

apigee.envgroupattachments.list

apigee.envgroups.get

apigee.envgroups.list

apigee.environments.get

apigee.environments.getStats

apigee.environments.list

apigee.exports.get

apigee.exports.list

apigee.hostqueries.get

apigee.hostqueries.list

apigee.hoststats.get

apigee.organizations.get

apigee.organizations.list

apigee.projectorganizations.get

apigee.queries.get

apigee.queries.list

apigee.reports.get

apigee.reports.list

resourcemanager.projects.get

resourcemanager.projects.list

(roles/apigee.apiAdminV2)

Full read/write access to all Apigee API resources.

apigee.apiproductattributes.*

apigee.apiproducts.*

apigee.entitlements.get

apigee.envgroupattachments.get

apigee.envgroupattachments.list

apigee.envgroups.get

apigee.envgroups.list

apigee.environments.get

apigee.environments.getStats

apigee.environments.list

apigee.keyvaluemapentries.*

apigee.keyvaluemaps.*

apigee.organizations.get

apigee.organizations.list

apigee.projectorganizations.get

apigee.proxies.*

apigee.proxyrevisions.*

apigee.sharedflowrevisions.*

apigee.sharedflows.*

resourcemanager.projects.get

resourcemanager.projects.list

(roles/apigee.apiReaderV2)

Reader of Apigee resources.

apigee.apiproductattributes.get

apigee.apiproductattributes.list

apigee.apiproducts.get

apigee.apiproducts.list

apigee.entitlements.get

apigee.envgroupattachments.get

apigee.envgroupattachments.list

apigee.envgroups.get

apigee.envgroups.list

apigee.environments.get

apigee.environments.getStats

apigee.environments.list

apigee.keyvaluemapentries.get

apigee.keyvaluemapentries.list

apigee.keyvaluemaps.list

apigee.organizations.get

apigee.organizations.list

apigee.projectorganizations.get

apigee.proxies.get

apigee.proxies.list

apigee.proxyrevisions.deploy

apigee.proxyrevisions.get

apigee.proxyrevisions.list

apigee.proxyrevisions.undeploy

apigee.sharedflowrevisions.deploy

apigee.sharedflowrevisions.get

apigee.sharedflowrevisions.list

apigee.sharedflowrevisions.undeploy

apigee.sharedflows.get

apigee.sharedflows.list

resourcemanager.projects.get

resourcemanager.projects.list

(roles/apigee.developerAdmin)

Developer admin of Apigee resources.

apigee.apiproductattributes.get

apigee.apiproductattributes.list

apigee.apiproducts.get

apigee.apiproducts.list

apigee.appgroupapps.*

apigee.appgroups.*

apigee.appkeys.*

apigee.apps.*

apigee.datacollectors.*

apigee.developerappattributes.*

apigee.developerapps.*

apigee.developerattributes.*

apigee.developerbalances.*

apigee.developermonetizationconfigs.*

apigee.developers.*

apigee.developersubscriptions.*

apigee.entitlements.get

apigee.environments.get

apigee.environments.getStats

apigee.environments.list

apigee.hoststats.get

apigee.organizations.get

apigee.organizations.list

apigee.projectorganizations.get

apigee.rateplans.get

apigee.rateplans.list

resourcemanager.projects.get

resourcemanager.projects.getIamPolicy

resourcemanager.projects.list

(roles/apigee.environmentAdmin)

Full read/write access to Apigee environment resources, including deployments.

apigee.addonsconfig.*

apigee.archivedeployments.*

apigee.datacollectors.get

apigee.datacollectors.list

apigee.deployments.*

apigee.entitlements.get

apigee.envgroupattachments.get

apigee.envgroupattachments.list

apigee.envgroups.get

apigee.envgroups.list

apigee.environments.get

apigee.environments.getIamPolicy

apigee.environments.getStats

apigee.environments.list

apigee.environments.setIamPolicy

apigee.environments.update

apigee.flowhooks.*

apigee.ingressconfigs.get

apigee.keystorealiases.*

apigee.keystores.*

apigee.keyvaluemapentries.*

apigee.keyvaluemaps.*

apigee.maskconfigs.*

apigee.organizations.get

apigee.organizations.list

apigee.projectorganizations.get

apigee.proxies.get

apigee.proxies.list

apigee.proxyrevisions.deploy

apigee.proxyrevisions.get

apigee.proxyrevisions.list

apigee.proxyrevisions.undeploy

apigee.references.*

apigee.resourcefiles.*

apigee.sharedflowrevisions.deploy

apigee.sharedflowrevisions.get

apigee.sharedflowrevisions.list

apigee.sharedflowrevisions.undeploy

apigee.sharedflows.get

apigee.sharedflows.list

apigee.targetservers.*

apigee.traceconfig.*

apigee.traceconfigoverrides.*

apigee.tracesessions.*

resourcemanager.projects.get

resourcemanager.projects.getIamPolicy

resourcemanager.projects.list

(roles/apigee.monetizationAdmin)

All permissions related to monetization.

apigee.apiproducts.get

apigee.apiproducts.list

apigee.developerbalances.*

apigee.developermonetizationconfigs.*

apigee.developersubscriptions.*

apigee.entitlements.get

apigee.organizations.get

apigee.organizations.list

apigee.projectorganizations.get

apigee.rateplans.*

resourcemanager.projects.get

resourcemanager.projects.list

(roles/apigee.portalAdmin)

Portal admin for an Apigee Organization.

apigee.entitlements.get

apigee.organizations.get

apigee.organizations.list

apigee.portals.*

apigee.projectorganizations.get

resourcemanager.projects.get

resourcemanager.projects.list

(roles/apigee.readOnlyAdmin)

Viewer of all Apigee resources.

apigee.addonsconfig.get

apigee.apiproductattributes.get

apigee.apiproductattributes.list

apigee.apiproducts.get

apigee.apiproducts.list

apigee.appgroupapps.get

apigee.appgroupapps.list

apigee.appgroups.get

apigee.appgroups.list

apigee.appkeys.get

apigee.apps.*

apigee.archivedeployments.download

apigee.archivedeployments.get

apigee.archivedeployments.list

apigee.caches.list

apigee.canaryevaluations.get

apigee.datacollectors.get

apigee.datacollectors.list

apigee.datalocation.get

apigee.datastores.get

apigee.datastores.list

apigee.deployments.get

apigee.deployments.list

apigee.developerappattributes.get

apigee.developerappattributes.list

apigee.developerapps.get

apigee.developerapps.list

apigee.developerattributes.get

apigee.developerattributes.list

apigee.developerbalances.get

apigee.developermonetizationconfigs.get

apigee.developers.get

apigee.developers.list

apigee.developersubscriptions.get

apigee.developersubscriptions.list

apigee.endpointattachments.get

apigee.endpointattachments.list

apigee.entitlements.get

apigee.envgroupattachments.get

apigee.envgroupattachments.list

apigee.envgroups.get

apigee.envgroups.list

apigee.environments.get

apigee.environments.getDataLocation

apigee.environments.getIamPolicy

apigee.environments.getStats

apigee.environments.list

apigee.exports.get

apigee.exports.list

apigee.flowhooks.getSharedFlow

apigee.flowhooks.list

apigee.hostqueries.get

apigee.hostqueries.list

apigee.hostsecurityreports.get

apigee.hostsecurityreports.list

apigee.hoststats.get

apigee.ingressconfigs.get

apigee.instanceattachments.get

apigee.instanceattachments.list

apigee.instances.get

apigee.instances.list

apigee.keystorealiases.get

apigee.keystorealiases.list

apigee.keystores.get

apigee.keystores.list

apigee.keyvaluemapentries.get

apigee.keyvaluemapentries.list

apigee.keyvaluemaps.list

apigee.maskconfigs.get

apigee.nataddresses.get

apigee.nataddresses.list

apigee.operations.*

apigee.organizations.get

apigee.organizations.list

apigee.portals.get

apigee.portals.list

apigee.projectorganizations.get

apigee.proxies.get

apigee.proxies.list

apigee.proxyrevisions.get

apigee.proxyrevisions.list

apigee.queries.get

apigee.queries.list

apigee.rateplans.get

apigee.rateplans.list

apigee.references.get

apigee.references.list

apigee.reports.get

apigee.reports.list

apigee.resourcefiles.get

apigee.resourcefiles.list

apigee.runtimeconfigs.get

apigee.securityActions.get

apigee.securityActions.list

apigee.securityActionsConfig.get

apigee.securityFeedback.get

apigee.securityFeedback.list

apigee.securityIncidents.get

apigee.securityIncidents.list

apigee.securityProfileEnvironments.computeScore

apigee.securityProfiles.get

apigee.securityProfiles.list

apigee.securitySettings.get

apigee.securityStats.*

apigee.securityreports.get

apigee.securityreports.list

apigee.setupcontexts.get

apigee.sharedflowrevisions.get

apigee.sharedflowrevisions.list

apigee.sharedflows.get

apigee.sharedflows.list

apigee.targetservers.get

apigee.targetservers.list

apigee.traceconfig.get

apigee.traceconfigoverrides.get

apigee.traceconfigoverrides.list

apigee.tracesessions.get

apigee.tracesessions.list

monitoring.timeSeries.list

resourcemanager.projects.get

resourcemanager.projects.getIamPolicy

resourcemanager.projects.list

(roles/apigee.runtimeAgent)

Curated set of permissions for a runtime agent to access Apigee Organization resources

apigee.canaryevaluations.*

apigee.entitlements.get

apigee.ingressconfigs.get

apigee.instances.reportStatus

apigee.operations.*

apigee.organizations.get

apigee.projectorganizations.get

apigee.runtimeconfigs.get

(roles/apigee.securityAdmin)

Security admin for an Apigee Organization

apigee.addonsconfig.get

apigee.entitlements.get

apigee.envgroupattachments.get

apigee.envgroupattachments.list

apigee.envgroups.get

apigee.envgroups.list

apigee.environments.get

apigee.environments.list

apigee.hostsecurityreports.*

apigee.organizations.get

apigee.organizations.list

apigee.projectorganizations.get

apigee.securityActions.*

apigee.securityActionsConfig.*

apigee.securityFeedback.*

apigee.securityIncidents.*

apigee.securityProfileEnvironments.*

apigee.securityProfiles.*

apigee.securitySettings.*

apigee.securityStats.*

apigee.securityreports.*

resourcemanager.projects.get

resourcemanager.projects.list

(roles/apigee.securityViewer)

Security viewer for an Apigee Organization

apigee.addonsconfig.get

apigee.entitlements.get

apigee.envgroupattachments.get

apigee.envgroupattachments.list

apigee.envgroups.get

apigee.envgroups.list

apigee.environments.get

apigee.environments.list

apigee.hostsecurityreports.get

apigee.hostsecurityreports.list

apigee.organizations.get

apigee.organizations.list

apigee.projectorganizations.get

apigee.securityActions.get

apigee.securityActions.list

apigee.securityActionsConfig.get

apigee.securityFeedback.get

apigee.securityFeedback.list

apigee.securityIncidents.get

apigee.securityIncidents.list

apigee.securityProfileEnvironments.computeScore

apigee.securityProfiles.get

apigee.securityProfiles.list

apigee.securitySettings.get

apigee.securityStats.*

apigee.securityreports.get

apigee.securityreports.list

resourcemanager.projects.get

resourcemanager.projects.list

(roles/apigee.synchronizerManager)

Curated set of permissions for a Synchronizer to manage environments in an Apigee Organization

apigee.environments.get

apigee.environments.manageRuntime

apigee.ingressconfigs.get

(roles/apigeeconnect.Admin)

Admin of Apigee Connect

apigeeconnect.connections.list

(roles/apigeeconnect.Agent)

Ability to set up Apigee Connect agent between external clusters and Google.

apigeeconnect.endpoints.connect

Permissions

(roles/apigeeregistry.admin)

Full access to Cloud Apigee Registry Registry and Runtime resources.

apigeeregistry.*

resourcemanager.projects.get

resourcemanager.projects.list

(roles/apigeeregistry.editor)

Edit access to Cloud Apigee Registry Registry resources.

apigeeregistry.apis.create

apigeeregistry.apis.delete

apigeeregistry.apis.get

apigeeregistry.apis.getIamPolicy

apigeeregistry.apis.list

apigeeregistry.apis.update

apigeeregistry.artifacts.create

apigeeregistry.artifacts.delete

apigeeregistry.artifacts.get

apigeeregistry.artifacts.getIamPolicy

apigeeregistry.artifacts.list

apigeeregistry.artifacts.update

apigeeregistry.deployments.*

apigeeregistry.specs.create

apigeeregistry.specs.delete

apigeeregistry.specs.get

apigeeregistry.specs.getIamPolicy

apigeeregistry.specs.list

apigeeregistry.specs.update

apigeeregistry.versions.create

apigeeregistry.versions.delete

apigeeregistry.versions.get

apigeeregistry.versions.getIamPolicy

apigeeregistry.versions.list

apigeeregistry.versions.update

resourcemanager.projects.get

resourcemanager.projects.list

(roles/apigeeregistry.viewer)

Read-only access to Cloud Apigee Registry Registry resources.

apigeeregistry.apis.get

apigeeregistry.apis.list

apigeeregistry.artifacts.get

apigeeregistry.artifacts.list

apigeeregistry.deployments.get

apigeeregistry.deployments.list

apigeeregistry.specs.get

apigeeregistry.specs.list

apigeeregistry.versions.get

apigeeregistry.versions.list

resourcemanager.projects.get

resourcemanager.projects.list

(roles/apigeeregistry.worker)

The role used by Apigee Registry application workers to read and update Apigee Registry Artifacts.

apigeeregistry.apis.get

apigeeregistry.apis.list

apigeeregistry.apis.update

apigeeregistry.artifacts.create

apigeeregistry.artifacts.delete

apigeeregistry.artifacts.get

apigeeregistry.artifacts.list

apigeeregistry.artifacts.update

apigeeregistry.deployments.get

apigeeregistry.deployments.list

apigeeregistry.deployments.update

apigeeregistry.specs.get

apigeeregistry.specs.list

apigeeregistry.specs.update

apigeeregistry.versions.get

apigeeregistry.versions.list

apigeeregistry.versions.update

resourcemanager.projects.get

resourcemanager.projects.list

Permissions

(roles/appengine.appAdmin)

Read/Write/Modify access to all application configuration and settings.

To deploy new versions, a principal must have the Service Account User (roles/iam.serviceAccountUser) role on the assigned App Engine service account, and the Cloud Build Editor (roles/cloudbuild.builds.editor) and Cloud Storage Object Admin (roles/storage.objectAdmin) roles on the project.

Lowest-level resources where you can grant this role:

  • Project

appengine.applications.get

appengine.applications.listRuntimes

appengine.applications.update

appengine.instances.*

appengine.memcache.addKey

appengine.memcache.flush

appengine.memcache.get

appengine.memcache.update

appengine.operations.*

appengine.runtimes.actAsAdmin

appengine.services.*

appengine.versions.create

appengine.versions.delete

appengine.versions.get

appengine.versions.list

appengine.versions.update

resourcemanager.projects.get

resourcemanager.projects.list

(roles/appengine.appCreator)

Ability to create the App Engine resource for the project.

Lowest-level resources where you can grant this role:

  • Project

appengine.applications.create

resourcemanager.projects.get

resourcemanager.projects.list

(roles/appengine.appViewer)

Read-only access to all application configuration and settings.

Lowest-level resources where you can grant this role:

  • Project

appengine.applications.get

appengine.applications.listRuntimes

appengine.instances.get

appengine.instances.list

appengine.operations.*

appengine.services.get

appengine.services.list

appengine.versions.get

appengine.versions.list

resourcemanager.projects.get

resourcemanager.projects.list

(roles/appengine.codeViewer)

Read-only access to all application configuration, settings, and deployed source code.

Lowest-level resources where you can grant this role:

  • Project

appengine.applications.get

appengine.applications.listRuntimes

appengine.instances.get

appengine.instances.list

appengine.operations.*

appengine.services.get

appengine.services.list

appengine.versions.get

appengine.versions.getFileContents

appengine.versions.list

resourcemanager.projects.get

resourcemanager.projects.list

(roles/appengine.debugger)

Ability to read or manage v2 instances.

appengine.applications.get

appengine.applications.listRuntimes

appengine.instances.*

appengine.operations.*

appengine.services.get

appengine.services.list

appengine.versions.get

appengine.versions.list

resourcemanager.projects.get

resourcemanager.projects.list

(roles/appengine.deployer)

Read-only access to all application configuration and settings.

To deploy new versions, you must also have the Service Account User (roles/iam.serviceAccountUser) role on the assigned App Engine service account, and the Cloud Build Editor (roles/cloudbuild.builds.editor) and Cloud Storage Object Admin (roles/storage.objectAdmin) roles on the project.

Cannot modify existing versions other than deleting versions that are not receiving traffic.

Lowest-level resources where you can grant this role:

  • Project

appengine.applications.get

appengine.applications.listRuntimes

appengine.instances.get

appengine.instances.list

appengine.operations.*

appengine.services.get

appengine.services.list

appengine.versions.create

appengine.versions.delete

appengine.versions.get

appengine.versions.list

artifactregistry.repositories.deleteArtifacts

artifactregistry.repositories.downloadArtifacts

artifactregistry.repositories.uploadArtifacts

resourcemanager.projects.get

resourcemanager.projects.list

(roles/appengine.memcacheDataAdmin)

Can get, set, delete, and flush App Engine Memcache items.

appengine.applications.get

appengine.memcache.addKey

appengine.memcache.flush

appengine.memcache.get

appengine.memcache.update

resourcemanager.projects.get

resourcemanager.projects.list

(roles/appengine.serviceAdmin)

Read-only access to all application configuration and settings.

Write access to module-level and version-level settings. Cannot deploy a new version.

Lowest-level resources where you can grant this role:

  • Project

appengine.applications.get

appengine.applications.listRuntimes

appengine.instances.delete

appengine.instances.get

appengine.instances.list

appengine.operations.*

appengine.services.*

appengine.versions.delete

appengine.versions.get

appengine.versions.list

appengine.versions.update

resourcemanager.projects.get

resourcemanager.projects.list

Permissions

(roles/artifactregistry.admin)

Administrator access to create and manage repositories.

artifactregistry.aptartifacts.create

artifactregistry.dockerimages.*

artifactregistry.files.*

artifactregistry.kfpartifacts.create

artifactregistry.locations.*

artifactregistry.mavenartifacts.*

artifactregistry.npmpackages.*

artifactregistry.packages.*

artifactregistry.projectsettings.*

artifactregistry.pythonpackages.*

artifactregistry.repositories.create

artifactregistry.repositories.createTagBinding

artifactregistry.repositories.delete

artifactregistry.repositories.deleteArtifacts

artifactregistry.repositories.deleteTagBinding

artifactregistry.repositories.downloadArtifacts

artifactregistry.repositories.get

artifactregistry.repositories.getIamPolicy

artifactregistry.repositories.list

artifactregistry.repositories.listEffectiveTags

artifactregistry.repositories.listTagBindings

artifactregistry.repositories.readViaVirtualRepository

artifactregistry.repositories.setIamPolicy

artifactregistry.repositories.update

artifactregistry.repositories.uploadArtifacts

artifactregistry.tags.*

artifactregistry.versions.*

artifactregistry.yumartifacts.create

(roles/artifactregistry.createOnPushRepoAdmin)

Access to manage artifacts in repositories, as well as create new repositories on push

artifactregistry.aptartifacts.create

artifactregistry.dockerimages.*

artifactregistry.files.*

artifactregistry.kfpartifacts.create

artifactregistry.locations.*

artifactregistry.mavenartifacts.*

artifactregistry.npmpackages.*

artifactregistry.packages.*

artifactregistry.projectsettings.get

artifactregistry.pythonpackages.*

artifactregistry.repositories.createOnPush

artifactregistry.repositories.deleteArtifacts

artifactregistry.repositories.downloadArtifacts

artifactregistry.repositories.get

artifactregistry.repositories.list

artifactregistry.repositories.listEffectiveTags

artifactregistry.repositories.listTagBindings

artifactregistry.repositories.readViaVirtualRepository

artifactregistry.repositories.uploadArtifacts

artifactregistry.tags.*

artifactregistry.versions.*

artifactregistry.yumartifacts.create

(roles/artifactregistry.createOnPushWriter)

Access to read and write repository items, as well as create new repositories on push

artifactregistry.aptartifacts.create

artifactregistry.dockerimages.*

artifactregistry.files.*

artifactregistry.kfpartifacts.create

artifactregistry.locations.*

artifactregistry.mavenartifacts.*

artifactregistry.npmpackages.*

artifactregistry.packages.get

artifactregistry.packages.list

artifactregistry.projectsettings.get

artifactregistry.pythonpackages.*

artifactregistry.repositories.createOnPush

artifactregistry.repositories.downloadArtifacts

artifactregistry.repositories.get

artifactregistry.repositories.list

artifactregistry.repositories.listEffectiveTags

artifactregistry.repositories.listTagBindings

artifactregistry.repositories.readViaVirtualRepository

artifactregistry.repositories.uploadArtifacts

artifactregistry.tags.create

artifactregistry.tags.get

artifactregistry.tags.list

artifactregistry.tags.update

artifactregistry.versions.get

artifactregistry.versions.list

artifactregistry.yumartifacts.create

(roles/artifactregistry.reader)

Access to read repository items.

artifactregistry.dockerimages.*

artifactregistry.files.*

artifactregistry.locations.*

artifactregistry.mavenartifacts.*

artifactregistry.npmpackages.*

artifactregistry.packages.get

artifactregistry.packages.list

artifactregistry.projectsettings.get

artifactregistry.pythonpackages.*

artifactregistry.repositories.downloadArtifacts

artifactregistry.repositories.get

artifactregistry.repositories.list

artifactregistry.repositories.listEffectiveTags

artifactregistry.repositories.listTagBindings

artifactregistry.repositories.readViaVirtualRepository

artifactregistry.tags.get

artifactregistry.tags.list

artifactregistry.versions.get

artifactregistry.versions.list

(roles/artifactregistry.repoAdmin)

Access to manage artifacts in repositories.

artifactregistry.aptartifacts.create

artifactregistry.dockerimages.*

artifactregistry.files.*

artifactregistry.kfpartifacts.create

artifactregistry.locations.*

artifactregistry.mavenartifacts.*

artifactregistry.npmpackages.*

artifactregistry.packages.*

artifactregistry.projectsettings.get

artifactregistry.pythonpackages.*

artifactregistry.repositories.deleteArtifacts

artifactregistry.repositories.downloadArtifacts

artifactregistry.repositories.get

artifactregistry.repositories.list

artifactregistry.repositories.listEffectiveTags

artifactregistry.repositories.listTagBindings

artifactregistry.repositories.readViaVirtualRepository

artifactregistry.repositories.uploadArtifacts

artifactregistry.tags.*

artifactregistry.versions.*

artifactregistry.yumartifacts.create

(roles/artifactregistry.writer)

Access to read and write repository items.

artifactregistry.aptartifacts.create

artifactregistry.dockerimages.*

artifactregistry.files.*

artifactregistry.kfpartifacts.create

artifactregistry.locations.*

artifactregistry.mavenartifacts.*

artifactregistry.npmpackages.*

artifactregistry.packages.get

artifactregistry.packages.list

artifactregistry.projectsettings.get

artifactregistry.pythonpackages.*

artifactregistry.repositories.downloadArtifacts

artifactregistry.repositories.get

artifactregistry.repositories.list

artifactregistry.repositories.listEffectiveTags

artifactregistry.repositories.listTagBindings

artifactregistry.repositories.readViaVirtualRepository

artifactregistry.repositories.uploadArtifacts

artifactregistry.tags.create

artifactregistry.tags.get

artifactregistry.tags.list

artifactregistry.tags.update

artifactregistry.versions.get

artifactregistry.versions.list

artifactregistry.yumartifacts.create

Permissions

(roles/assuredworkloads.admin)

Grants full access to Assured Workloads resources, CRM resources - project/folder and Organization Policy administration

assuredworkloads.*

bigquery.config.update

logging.settings.update

orgpolicy.policy.*

resourcemanager.folders.create

resourcemanager.folders.get

resourcemanager.folders.list

resourcemanager.organizations.get

resourcemanager.projects.create

resourcemanager.projects.get

resourcemanager.projects.list

(roles/assuredworkloads.editor)

Grants read, write access to Assured Workloads resources, CRM resources - project/folder and Organization Policy administration

assuredworkloads.*

bigquery.config.update

logging.settings.update

orgpolicy.policy.*

resourcemanager.folders.create

resourcemanager.folders.get

resourcemanager.folders.list

resourcemanager.organizations.get

resourcemanager.projects.create

resourcemanager.projects.get

resourcemanager.projects.list

(roles/assuredworkloads.reader)

Grants read access to all Assured Workloads resources and CRM resources - project/folder

assuredworkloads.operations.*

assuredworkloads.violations.get

assuredworkloads.violations.list

assuredworkloads.workload.get

assuredworkloads.workload.list

orgpolicy.policy.get

resourcemanager.folders.get

resourcemanager.folders.list

resourcemanager.organizations.get

resourcemanager.projects.get

resourcemanager.projects.list

Permissions

(roles/automl.admin)

Full access to all AutoML resources

Lowest-level resources where you can grant this role:

  • Dataset
  • Model

automl.*

resourcemanager.projects.get

resourcemanager.projects.list

serviceusage.services.get

serviceusage.services.list

(roles/automl.editor)

Editor of all AutoML resources

Lowest-level resources where you can grant this role:

  • Dataset
  • Model

automl.annotationSpecs.*

automl.annotations.*

automl.columnSpecs.*

automl.datasets.create

automl.datasets.delete

automl.datasets.export

automl.datasets.get

automl.datasets.import

automl.datasets.list

automl.datasets.update

automl.examples.*

automl.files.*

automl.humanAnnotationTasks.*

automl.locations.get

automl.locations.list

automl.modelEvaluations.*

automl.models.create

automl.models.delete

automl.models.deploy

automl.models.export

automl.models.get

automl.models.list

automl.models.predict

automl.models.undeploy

automl.operations.*

automl.tableSpecs.*

resourcemanager.projects.get

resourcemanager.projects.list

serviceusage.services.get

serviceusage.services.list

(roles/automl.predictor)

Predict using models

Lowest-level resources where you can grant this role:

  • Model

automl.models.predict

resourcemanager.projects.get

resourcemanager.projects.list

(roles/automl.viewer)

Viewer of all AutoML resources

Lowest-level resources where you can grant this role:

  • Dataset
  • Model

automl.annotationSpecs.get

automl.annotationSpecs.list

automl.annotations.list

automl.columnSpecs.get

automl.columnSpecs.list

automl.datasets.get

automl.datasets.list

automl.examples.get

automl.examples.list

automl.files.list

automl.humanAnnotationTasks.get

automl.humanAnnotationTasks.list

automl.locations.get

automl.locations.list

automl.modelEvaluations.get

automl.modelEvaluations.list

automl.models.get

automl.models.list

automl.operations.get

automl.operations.list

automl.tableSpecs.get

automl.tableSpecs.list

resourcemanager.projects.get

resourcemanager.projects.list

serviceusage.services.get

serviceusage.services.list

Permissions

(roles/backupdr.admin)

Provides full access to all Backup and DR resources.

backupdr.*

resourcemanager.projects.get

resourcemanager.projects.list

(roles/backupdr.backupUser)

Allows the user to apply existing backup plans. This role cannot create backup plans or restore from a backup.

backupdr.locations.*

backupdr.managementServers.access

backupdr.managementServers.assignBackupPlans

backupdr.managementServers.get

backupdr.managementServers.list

backupdr.managementServers.manageApplications

backupdr.managementServers.manageBackups

backupdr.managementServers.manageHosts

backupdr.managementServers.viewBackupPlans

backupdr.managementServers.viewReports

backupdr.managementServers.viewStorage

backupdr.managementServers.viewSystem

backupdr.operations.get

backupdr.operations.list

resourcemanager.projects.get

resourcemanager.projects.list

(roles/backupdr.cloudStorageOperator)

Allows a Backup and DR service account to store and manage data (backups or metadata) in Cloud Storage.

storage.buckets.create

storage.buckets.get

storage.objects.create

storage.objects.delete

storage.objects.get

storage.objects.list

(roles/backupdr.computeEngineOperator)

Allows a Backup and DR service account to discover, back up, and restore Compute Engine VM instances.

compute.addresses.list

compute.addresses.use

compute.diskTypes.*

compute.disks.create

compute.disks.createSnapshot

compute.disks.delete

compute.disks.get

compute.disks.setLabels

compute.disks.use

compute.firewalls.list

compute.globalOperations.get

compute.images.create

compute.images.delete

compute.images.get

compute.images.useReadOnly

compute.instances.attachDisk

compute.instances.create

compute.instances.delete

compute.instances.detachDisk

compute.instances.get

compute.instances.list

compute.instances.listEffectiveTags

compute.instances.setLabels

compute.instances.setMetadata

compute.instances.setServiceAccount

compute.instances.setTags

compute.instances.start

compute.instances.stop

compute.machineTypes.*

compute.networks.list

compute.nodeGroups.get

compute.nodeGroups.list

compute.nodeTemplates.get

compute.projects.get

compute.regionOperations.get

compute.regions.*

compute.snapshots.create

compute.snapshots.delete

compute.snapshots.get

compute.snapshots.setLabels

compute.snapshots.useReadOnly

compute.subnetworks.list

compute.subnetworks.use

compute.subnetworks.useExternalIp

compute.zoneOperations.get

compute.zones.list

iam.serviceAccounts.actAs

iam.serviceAccounts.get

iam.serviceAccounts.list

resourcemanager.projects.get

resourcemanager.projects.list

(roles/backupdr.mountUser)

Allows the user to mount from a backup. This role cannot create a backup plan or restore from a backup.

backupdr.locations.*

backupdr.managementServers.access

backupdr.managementServers.get

backupdr.managementServers.list

backupdr.managementServers.manageApplications

backupdr.managementServers.manageClones

backupdr.managementServers.manageHosts

backupdr.managementServers.manageLiveClones

backupdr.managementServers.manageMirroring

backupdr.managementServers.manageMounts

backupdr.managementServers.manageWorkflows

backupdr.managementServers.refreshWorkflows

backupdr.managementServers.runWorkflows

backupdr.managementServers.viewBackupPlans

backupdr.managementServers.viewReports

backupdr.managementServers.viewStorage

backupdr.managementServers.viewSystem

backupdr.managementServers.viewWorkflows

backupdr.operations.get

backupdr.operations.list

resourcemanager.projects.get

resourcemanager.projects.list

(roles/backupdr.restoreUser)

Allows the user to restore or mount from a backup. This role cannot create a backup plan.

backupdr.locations.*

backupdr.managementServers.access

backupdr.managementServers.get

backupdr.managementServers.list

backupdr.managementServers.manageApplications

backupdr.managementServers.manageClones

backupdr.managementServers.manageHosts

backupdr.managementServers.manageLiveClones

backupdr.managementServers.manageMigrations

backupdr.managementServers.manageMirroring

backupdr.managementServers.manageMounts

backupdr.managementServers.manageRestores

backupdr.managementServers.manageWorkflows

backupdr.managementServers.refreshWorkflows

backupdr.managementServers.runWorkflows

backupdr.managementServers.testFailOvers

backupdr.managementServers.viewBackupPlans

backupdr.managementServers.viewReports

backupdr.managementServers.viewStorage

backupdr.managementServers.viewSystem

backupdr.managementServers.viewWorkflows

backupdr.operations.get

backupdr.operations.list

resourcemanager.projects.get

resourcemanager.projects.list

(roles/backupdr.user)

Provides access to management console. Granular Backup and DR permissions depend on ACL configuration provided by Backup and DR admin within the management console.

backupdr.managementServers.access

backupdr.managementServers.backupAccess

backupdr.managementServers.get

backupdr.managementServers.getDynamicProtection

backupdr.managementServers.getIamPolicy

backupdr.managementServers.list

backupdr.managementServers.listDynamicProtection

backupdr.managementServers.viewBackupPlans

backupdr.managementServers.viewBackupServers

backupdr.managementServers.viewReports

backupdr.managementServers.viewStorage

backupdr.managementServers.viewSystem

backupdr.managementServers.viewWorkflows

backupdr.operations.get

backupdr.operations.list

resourcemanager.projects.get

resourcemanager.projects.list

(roles/backupdr.userv2)

Provides full access to Backup and DR resources except deploying and managing backup infrastructure, expiring backups, changing data sensitivity and configuring on-premises billing.

backupdr.locations.*

backupdr.managementServers.access

backupdr.managementServers.assignBackupPlans

backupdr.managementServers.backupAccess

backupdr.managementServers.get

backupdr.managementServers.getDynamicProtection

backupdr.managementServers.getIamPolicy

backupdr.managementServers.list

backupdr.managementServers.listDynamicProtection

backupdr.managementServers.manageApplications

backupdr.managementServers.manageBackupPlans

backupdr.managementServers.manageBackups

backupdr.managementServers.manageClones

backupdr.managementServers.manageHosts

backupdr.managementServers.manageJobs

backupdr.managementServers.manageLiveClones

backupdr.managementServers.manageMigrations

backupdr.managementServers.manageMirroring

backupdr.managementServers.manageMounts

backupdr.managementServers.manageRestores

backupdr.managementServers.manageWorkflows

backupdr.managementServers.refreshWorkflows

backupdr.managementServers.runWorkflows

backupdr.managementServers.testFailOvers

backupdr.managementServers.viewBackupPlans

backupdr.managementServers.viewBackupServers

backupdr.managementServers.viewReports

backupdr.managementServers.viewStorage

backupdr.managementServers.viewSystem

backupdr.managementServers.viewWorkflows

backupdr.operations.get

backupdr.operations.list

resourcemanager.projects.get

resourcemanager.projects.list

(roles/backupdr.viewer)

Provides read-only access to all Backup and DR resources.

backupdr.locations.*

backupdr.managementServers.access

backupdr.managementServers.backupAccess

backupdr.managementServers.get

backupdr.managementServers.getDynamicProtection

backupdr.managementServers.getIamPolicy

backupdr.managementServers.list

backupdr.managementServers.listDynamicProtection

backupdr.managementServers.viewBackupPlans

backupdr.managementServers.viewBackupServers

backupdr.managementServers.viewReports

backupdr.managementServers.viewStorage

backupdr.managementServers.viewSystem

backupdr.managementServers.viewWorkflows

backupdr.operations.get

backupdr.operations.list

resourcemanager.projects.get

resourcemanager.projects.list

Permissions

(roles/gkebackup.admin)

Full access to all Backup for GKE resources.

gkebackup.*

resourcemanager.projects.get

resourcemanager.projects.list

(roles/gkebackup.backupAdmin)

Allows administrators to manage all BackupPlan and Backup resources.

gkebackup.backupPlans.*

gkebackup.backups.*

gkebackup.locations.*

gkebackup.operations.get

gkebackup.operations.list

gkebackup.volumeBackups.*

resourcemanager.projects.get

resourcemanager.projects.list

(roles/gkebackup.delegatedBackupAdmin)

Allows administrators to manage Backup resources for specific BackupPlans

gkebackup.backupPlans.get

gkebackup.backups.*

gkebackup.volumeBackups.*

(roles/gkebackup.delegatedRestoreAdmin)

Allows administrators to manage Restore resources for specific RestorePlans

gkebackup.restorePlans.get

gkebackup.restores.*

gkebackup.volumeRestores.*

(roles/gkebackup.restoreAdmin)

Allows administrators to manage all RestorePlan and Restore resources.

gkebackup.backupPlans.get

gkebackup.backupPlans.list

gkebackup.backups.get

gkebackup.backups.getBackupIndex

gkebackup.backups.list

gkebackup.locations.*

gkebackup.operations.get

gkebackup.operations.list

gkebackup.restorePlans.*

gkebackup.restores.*

gkebackup.volumeBackups.*

gkebackup.volumeRestores.*

resourcemanager.projects.get

resourcemanager.projects.list

(roles/gkebackup.viewer)

Read-only access to all Backup for GKE resources.

gkebackup.backupPlans.get

gkebackup.backupPlans.getIamPolicy

gkebackup.backupPlans.list

gkebackup.backups.get

gkebackup.backups.getBackupIndex

gkebackup.backups.list

gkebackup.locations.*

gkebackup.operations.get

gkebackup.operations.list

gkebackup.restorePlans.get

gkebackup.restorePlans.getIamPolicy

gkebackup.restorePlans.list

gkebackup.restores.get

gkebackup.restores.list

gkebackup.volumeBackups.*

gkebackup.volumeRestores.*

resourcemanager.projects.get

resourcemanager.projects.list

Permissions

(roles/baremetalsolution.admin)

Administrator of Bare Metal Solution resources

baremetalsolution.instancequotas.list

baremetalsolution.instances.*

baremetalsolution.luns.*

baremetalsolution.maintenanceevents.*

baremetalsolution.networkquotas.list

baremetalsolution.networks.*

baremetalsolution.nfsshares.*

baremetalsolution.operations.get

baremetalsolution.osimages.list

baremetalsolution.procurements.get

baremetalsolution.procurements.list

baremetalsolution.skus.list

baremetalsolution.snapshotschedulepolicies.*

baremetalsolution.sshKeys.*

baremetalsolution.storageaggregatepools.list

baremetalsolution.volumequotas.list

baremetalsolution.volumes.*

baremetalsolution.volumesnapshots.*

resourcemanager.projects.get

resourcemanager.projects.list

(roles/baremetalsolution.editor)

Editor of Bare Metal Solution resources

baremetalsolution.instancequotas.list

baremetalsolution.instances.*

baremetalsolution.luns.*

baremetalsolution.maintenanceevents.*

baremetalsolution.networkquotas.list

baremetalsolution.networks.*

baremetalsolution.nfsshares.*

baremetalsolution.operations.get

baremetalsolution.osimages.list

baremetalsolution.procurements.get

baremetalsolution.procurements.list

baremetalsolution.skus.list

baremetalsolution.snapshotschedulepolicies.*

baremetalsolution.sshKeys.*

baremetalsolution.storageaggregatepools.list

baremetalsolution.volumequotas.list

baremetalsolution.volumes.*

baremetalsolution.volumesnapshots.*

resourcemanager.projects.get

resourcemanager.projects.list

(roles/baremetalsolution.instancesadmin)

Admin of Bare Metal Solution Instance resources

baremetalsolution.instances.*

baremetalsolution.operations.get

baremetalsolution.osimages.list

resourcemanager.projects.get

resourcemanager.projects.list

(roles/baremetalsolution.instancesviewer)

Viewer of Bare Metal Solution Instance resources

baremetalsolution.instancequotas.list

baremetalsolution.instances.get

baremetalsolution.instances.list

baremetalsolution.operations.get

resourcemanager.projects.get

resourcemanager.projects.list

(roles/baremetalsolution.lunsadmin)

Administrator of Bare Metal Solution Lun resources

baremetalsolution.luns.get

baremetalsolution.luns.list

baremetalsolution.operations.get

(roles/baremetalsolution.lunsviewer)

Viewer of Bare Metal Solution Lun resources

baremetalsolution.luns.get

baremetalsolution.luns.list

baremetalsolution.operations.get

(roles/baremetalsolution.maintenanceeventsadmin)

Administrator of Bare Metal Solution maintenance events resources

baremetalsolution.maintenanceevents.*

(roles/baremetalsolution.maintenanceeventseditor)

Editor of Bare Metal Solution maintenance events resources

baremetalsolution.maintenanceevents.*

(roles/baremetalsolution.maintenanceeventsviewer)

Viewer of Bare Metal Solution maintenance events resources

baremetalsolution.maintenanceevents.get

baremetalsolution.maintenanceevents.list

(roles/baremetalsolution.networksadmin)

Admin of Bare Metal Solution networks resources

baremetalsolution.networkquotas.list

baremetalsolution.networks.*

baremetalsolution.operations.get

(roles/baremetalsolution.nfssharesadmin)

Administrator of Bare Metal Solution NFS Share resources

baremetalsolution.nfsshares.*

baremetalsolution.operations.get

(roles/baremetalsolution.nfsshareseditor)

Editor of Bare Metal Solution NFS Share resources

baremetalsolution.nfsshares.*

baremetalsolution.operations.get

(roles/baremetalsolution.nfssharesviewer)

Viewer of Bare Metal Solution NFS Share resources

baremetalsolution.nfsshares.get

baremetalsolution.nfsshares.list

baremetalsolution.operations.get

(roles/baremetalsolution.osimagesviewer)

Viewer of Bare Metal Solution OS images resources

baremetalsolution.osimages.list

(roles/baremetalsolution.procurementsadmin)

Administrator of Bare Metal Solution Procurements

baremetalsolution.procurements.*

baremetalsolution.skus.list

(roles/baremetalsolution.procurementseditor)

Editor of Bare Metal Solution Procurements

baremetalsolution.procurements.*

baremetalsolution.skus.list

(roles/baremetalsolution.procurementsviewer)

Viewer of Bare Metal Solution Procurements

baremetalsolution.procurements.get

baremetalsolution.procurements.list

baremetalsolution.skus.list

(roles/baremetalsolution.storageadmin)

Administrator of Bare Metal Solution storage resources

baremetalsolution.luns.*

baremetalsolution.nfsshares.*

baremetalsolution.operations.get

baremetalsolution.snapshotschedulepolicies.*

baremetalsolution.storageaggregatepools.list

baremetalsolution.volumequotas.list

baremetalsolution.volumes.*

baremetalsolution.volumesnapshots.*

resourcemanager.projects.get

resourcemanager.projects.list

(roles/baremetalsolution.viewer)

Viewer of Bare Metal Solution resources

baremetalsolution.instancequotas.list

baremetalsolution.instances.get

baremetalsolution.instances.list

baremetalsolution.luns.get

baremetalsolution.luns.list

baremetalsolution.maintenanceevents.get

baremetalsolution.maintenanceevents.list

baremetalsolution.networkquotas.list

baremetalsolution.networks.get

baremetalsolution.networks.list

baremetalsolution.nfsshares.get

baremetalsolution.nfsshares.list

baremetalsolution.operations.get

baremetalsolution.osimages.list

baremetalsolution.procurements.get

baremetalsolution.procurements.list

baremetalsolution.skus.list

baremetalsolution.snapshotschedulepolicies.get

baremetalsolution.snapshotschedulepolicies.list

baremetalsolution.sshKeys.list

baremetalsolution.storageaggregatepools.list

baremetalsolution.volumequotas.list

baremetalsolution.volumes.get

baremetalsolution.volumes.list

baremetalsolution.volumesnapshots.get

baremetalsolution.volumesnapshots.list

resourcemanager.projects.get

resourcemanager.projects.list

(roles/baremetalsolution.volumesadmin)

Administrator of Bare Metal Solution volume resources

baremetalsolution.operations.get

baremetalsolution.volumes.*

(roles/baremetalsolution.volumeseditor)

Editor of Bare Metal Solution volumes resources

baremetalsolution.operations.get

baremetalsolution.volumequotas.list

baremetalsolution.volumes.create

baremetalsolution.volumes.delete

baremetalsolution.volumes.get

baremetalsolution.volumes.list

baremetalsolution.volumes.rename

baremetalsolution.volumes.resize

baremetalsolution.volumes.update

(roles/baremetalsolution.volumesnapshotsadmin)

Administrator of Bare Metal Solution snapshots resources

baremetalsolution.operations.get

baremetalsolution.volumesnapshots.*

(roles/baremetalsolution.volumesnapshotseditor)

Editor of Bare Metal Solution snapshots resources

baremetalsolution.operations.get

baremetalsolution.volumesnapshots.create

baremetalsolution.volumesnapshots.delete

baremetalsolution.volumesnapshots.get

baremetalsolution.volumesnapshots.list

(roles/baremetalsolution.volumesnapshotsviewer)

Viewer of Bare Metal Solution snapshots resources

baremetalsolution.operations.get

baremetalsolution.volumesnapshots.get

baremetalsolution.volumesnapshots.list

(roles/baremetalsolution.volumessviewer)

Viewer of Bare Metal Solution volumes resources

baremetalsolution.operations.get

baremetalsolution.volumes.get

baremetalsolution.volumes.list

Permissions

(roles/beyondcorp.admin)

Full access to all Cloud BeyondCorp resources.

beyondcorp.appConnections.*

beyondcorp.appConnectors.*

beyondcorp.appGateways.*

beyondcorp.clientConnectorServices.create

beyondcorp.clientConnectorServices.delete

beyondcorp.clientConnectorServices.get

beyondcorp.clientConnectorServices.getIamPolicy

beyondcorp.clientConnectorServices.list

beyondcorp.clientConnectorServices.setIamPolicy

beyondcorp.clientConnectorServices.update

beyondcorp.clientGateways.*

beyondcorp.locations.*

beyondcorp.operations.*

beyondcorp.subscriptions.*

resourcemanager.projects.get

resourcemanager.projects.list

(roles/beyondcorp.clientConnectorAdmin)

Full access to all BeyondCorp Client Connector resources.

beyondcorp.clientConnectorServices.create

beyondcorp.clientConnectorServices.delete

beyondcorp.clientConnectorServices.get

beyondcorp.clientConnectorServices.getIamPolicy

beyondcorp.clientConnectorServices.list

beyondcorp.clientConnectorServices.setIamPolicy

beyondcorp.clientConnectorServices.update

beyondcorp.clientGateways.*

resourcemanager.projects.get

resourcemanager.projects.list

(roles/beyondcorp.clientConnectorServiceUser)

Access Client Connector Service

beyondcorp.clientConnectorServices.access

(roles/beyondcorp.clientConnectorViewer)

Read-only access to all BeyondCorp Client Connector resources.

beyondcorp.clientConnectorServices.get

beyondcorp.clientConnectorServices.getIamPolicy

beyondcorp.clientConnectorServices.list

beyondcorp.clientGateways.get

beyondcorp.clientGateways.getIamPolicy

beyondcorp.clientGateways.list

resourcemanager.projects.get

resourcemanager.projects.list

(roles/beyondcorp.partnerServiceDelegateAdmin)

Delegates access to all BeyondCorp partner service resources to a BeyondCorp Enterprise partner.

beyondcorp.operations.*

beyondcorp.partnerTenants.*

beyondcorp.proxyConfigs.*

resourcemanager.organizations.get

(roles/beyondcorp.partnerServiceDelegateViewer)

Delegates read-only access to all BeyondCorp partner service resources to a BeyondCorp Enterprise partner.

beyondcorp.partnerTenants.get

beyondcorp.partnerTenants.list

beyondcorp.proxyConfigs.get

beyondcorp.proxyConfigs.list

resourcemanager.organizations.get

(roles/beyondcorp.subscriptionAdmin)

Full access to all BeyondCorp Subscription resources.

beyondcorp.subscriptions.*

resourcemanager.organizations.get

(roles/beyondcorp.subscriptionViewer)

Read-only access to all BeyondCorp Subscription resources.

beyondcorp.subscriptions.get

beyondcorp.subscriptions.list

resourcemanager.organizations.get

(roles/beyondcorp.viewer)

Read-only access to all Cloud BeyondCorp resources.

beyondcorp.appConnections.get

beyondcorp.appConnections.getIamPolicy

beyondcorp.appConnections.list

beyondcorp.appConnectors.get

beyondcorp.appConnectors.getIamPolicy

beyondcorp.appConnectors.list

beyondcorp.appGateways.get

beyondcorp.appGateways.getIamPolicy

beyondcorp.appGateways.list

beyondcorp.clientConnectorServices.get

beyondcorp.clientConnectorServices.getIamPolicy

beyondcorp.clientConnectorServices.list

beyondcorp.clientGateways.get

beyondcorp.clientGateways.getIamPolicy

beyondcorp.clientGateways.list

beyondcorp.locations.*

beyondcorp.operations.get

beyondcorp.operations.list

beyondcorp.subscriptions.get

beyondcorp.subscriptions.list

resourcemanager.organizations.get

resourcemanager.projects.get

resourcemanager.projects.list

Permissions

(roles/bigquery.admin)

Provides permissions to manage all resources within the project. Can manage all data within the project, and can cancel jobs from other users running within the project.

Lowest-level resources where you can grant this role:

  • Datasets
  • Row access policies
  • Tables
  • Views

bigquery.bireservations.*

bigquery.capacityCommitments.*

bigquery.config.*

bigquery.connections.*

bigquery.dataPolicies.create

bigquery.dataPolicies.delete

bigquery.dataPolicies.get

bigquery.dataPolicies.getIamPolicy

bigquery.dataPolicies.list

bigquery.dataPolicies.setIamPolicy

bigquery.dataPolicies.update

bigquery.datasets.*

bigquery.jobs.*

bigquery.models.*

bigquery.readsessions.*

bigquery.reservationAssignments.*

bigquery.reservations.*

bigquery.routines.*

bigquery.rowAccessPolicies.create

bigquery.rowAccessPolicies.delete

bigquery.rowAccessPolicies.getIamPolicy

bigquery.rowAccessPolicies.list

bigquery.rowAccessPolicies.overrideTimeTravelRestrictions

bigquery.rowAccessPolicies.setIamPolicy

bigquery.rowAccessPolicies.update

bigquery.savedqueries.*

bigquery.tables.*

bigquery.transfers.*

bigquerymigration.translation.translate

dataform.*

resourcemanager.projects.get

resourcemanager.projects.list

(roles/bigquery.connectionAdmin)

bigquery.connections.*

(roles/bigquery.connectionUser)

bigquery.connections.get

bigquery.connections.getIamPolicy

bigquery.connections.list

bigquery.connections.use

(roles/bigquery.dataEditor)

When applied to a table or view, this role provides permissions to:

  • Read and update data and metadata for the table or view.
  • Delete the table or view.

This role cannot be applied to individual models or routines.

When applied to a dataset, this role provides permissions to:

  • Read the dataset's metadata and list tables in the dataset.
  • Create, update, get, and delete the dataset's tables.

When applied at the project or organization level, this role can also create new datasets.

Lowest-level resources where you can grant this role:

  • Table
  • View

bigquery.config.get

bigquery.datasets.create

bigquery.datasets.get

bigquery.datasets.getIamPolicy

bigquery.datasets.updateTag

bigquery.models.*

bigquery.routines.*

bigquery.tables.create

bigquery.tables.createIndex

bigquery.tables.createSnapshot

bigquery.tables.delete

bigquery.tables.deleteIndex

bigquery.tables.export

bigquery.tables.get

bigquery.tables.getData

bigquery.tables.getIamPolicy

bigquery.tables.list

bigquery.tables.replicateData

bigquery.tables.restoreSnapshot

bigquery.tables.update

bigquery.tables.updateData

bigquery.tables.updateTag

resourcemanager.projects.get

resourcemanager.projects.list

(roles/bigquery.dataOwner)

When applied to a table or view, this role provides permissions to:

  • Read and update data and metadata for the table or view.
  • Share the table or view.
  • Delete the table or view.

This role cannot be applied to individual models or routines.

When applied to a dataset, this role provides permissions to:

  • Read, update, and delete the dataset.
  • Create, update, get, and delete the dataset's tables.

When applied at the project or organization level, this role can also create new datasets.

Lowest-level resources where you can grant this role:

  • Table
  • View

bigquery.config.get

bigquery.dataPolicies.create

bigquery.dataPolicies.delete

bigquery.dataPolicies.get

bigquery.dataPolicies.getIamPolicy

bigquery.dataPolicies.list

bigquery.dataPolicies.setIamPolicy

bigquery.dataPolicies.update

bigquery.datasets.*

bigquery.models.*

bigquery.routines.*

bigquery.rowAccessPolicies.create

bigquery.rowAccessPolicies.delete

bigquery.rowAccessPolicies.getIamPolicy

bigquery.rowAccessPolicies.list

bigquery.rowAccessPolicies.setIamPolicy

bigquery.rowAccessPolicies.update

bigquery.tables.*

resourcemanager.projects.get

resourcemanager.projects.list

(roles/bigquery.dataViewer)

When applied to a table or view, this role provides permissions to:

  • Read data and metadata from the table or view.

This role cannot be applied to individual models or routines.

When applied to a dataset, this role provides permissions to list all of the resources in the dataset (such as tables, views, snapshots, models, and routines) and to read their data and metadata with applicable APIs and in queries.

When applied at the project or organization level, this role can also enumerate all datasets in the project. Additional roles, however, are necessary to allow the running of jobs.

Lowest-level resources where you can grant this role:

  • Table
  • View

bigquery.datasets.get

bigquery.datasets.getIamPolicy

bigquery.models.export

bigquery.models.getData

bigquery.models.getMetadata

bigquery.models.list

bigquery.routines.get

bigquery.routines.list

bigquery.tables.createSnapshot

bigquery.tables.export

bigquery.tables.get

bigquery.tables.getData

bigquery.tables.getIamPolicy

bigquery.tables.list

bigquery.tables.replicateData

resourcemanager.projects.get

resourcemanager.projects.list

(roles/bigquery.filteredDataViewer)

Access to view filtered table data defined by a row access policy

bigquery.rowAccessPolicies.getFilteredData

(roles/bigquery.jobUser)

Provides permissions to run jobs, including queries, within the project.

Lowest-level resources where you can grant this role:

  • Project

bigquery.config.get

bigquery.jobs.create

dataform.locations.*

dataform.repositories.create

dataform.repositories.list

resourcemanager.projects.get

resourcemanager.projects.list

(roles/bigquery.metadataViewer)

When applied to a table or view, this role provides permissions to:

  • Read metadata from the table or view.

This role cannot be applied to individual models or routines.

When applied to a dataset, this role provides permissions to:

  • List tables and views in the dataset.
  • Read metadata from the dataset's tables and views.

When applied at the project or organization level, this role provides permissions to:

  • List all datasets and read metadata for all datasets in the project.
  • List all tables and views and read metadata for all tables and views in the project.

Additional roles are necessary to allow the running of jobs.

Lowest-level resources where you can grant this role:

  • Table
  • View

bigquery.datasets.get

bigquery.datasets.getIamPolicy

bigquery.models.getMetadata

bigquery.models.list

bigquery.routines.get

bigquery.routines.list

bigquery.tables.get

bigquery.tables.getIamPolicy

bigquery.tables.list

resourcemanager.projects.get

resourcemanager.projects.list

(roles/bigquery.readSessionUser)

Provides the ability to create and use read sessions.

Lowest-level resources where you can grant this role:

  • Project

bigquery.readsessions.*

resourcemanager.projects.get

resourcemanager.projects.list

(roles/bigquery.resourceAdmin)

Administers BigQuery workloads, including slot assignments, commitments, and reservations.

bigquery.bireservations.*

bigquery.capacityCommitments.*

bigquery.jobs.get

bigquery.jobs.list

bigquery.jobs.listAll

bigquery.jobs.listExecutionMetadata

bigquery.reservationAssignments.*

bigquery.reservations.*

recommender.bigqueryCapacityCommitmentsInsights.*

recommender.bigqueryCapacityCommitmentsRecommendations.*

resourcemanager.projects.get

resourcemanager.projects.list

(roles/bigquery.resourceEditor)

Manages BigQuery workloads, but is unable to create or modify slot commitments.

bigquery.bireservations.get

bigquery.capacityCommitments.get

bigquery.capacityCommitments.list

bigquery.jobs.get

bigquery.jobs.list

bigquery.jobs.listAll

bigquery.jobs.listExecutionMetadata

bigquery.reservationAssignments.*

bigquery.reservations.*

resourcemanager.projects.get

resourcemanager.projects.list

(roles/bigquery.resourceViewer)

Can view BigQuery workloads, but cannot create or modify slot reservations or commitments.

bigquery.bireservations.get

bigquery.capacityCommitments.get

bigquery.capacityCommitments.list

bigquery.jobs.get

bigquery.jobs.list

bigquery.jobs.listAll

bigquery.jobs.listExecutionMetadata

bigquery.reservationAssignments.list

bigquery.reservationAssignments.search

bigquery.reservations.get

bigquery.reservations.list

resourcemanager.projects.get

resourcemanager.projects.list

(roles/bigquery.studioAdmin)

Combination role of BigQuery Admin, Dataform Admin, and Notebook Runtime Admin.

aiplatform.notebookRuntimeTemplates.apply

aiplatform.notebookRuntimeTemplates.create

aiplatform.notebookRuntimeTemplates.delete

aiplatform.notebookRuntimeTemplates.get

aiplatform.notebookRuntimeTemplates.getIamPolicy

aiplatform.notebookRuntimeTemplates.list

aiplatform.notebookRuntimeTemplates.setIamPolicy

aiplatform.notebookRuntimes.*

aiplatform.operations.list

bigquery.bireservations.*

bigquery.capacityCommitments.*

bigquery.config.*

bigquery.connections.*

bigquery.dataPolicies.create

bigquery.dataPolicies.delete

bigquery.dataPolicies.get

bigquery.dataPolicies.getIamPolicy

bigquery.dataPolicies.list

bigquery.dataPolicies.setIamPolicy

bigquery.dataPolicies.update

bigquery.datasets.*

bigquery.jobs.*

bigquery.models.*

bigquery.readsessions.*

bigquery.reservationAssignments.*

bigquery.reservations.*

bigquery.routines.*

bigquery.rowAccessPolicies.create

bigquery.rowAccessPolicies.delete

bigquery.rowAccessPolicies.getIamPolicy

bigquery.rowAccessPolicies.list

bigquery.rowAccessPolicies.overrideTimeTravelRestrictions

bigquery.rowAccessPolicies.setIamPolicy

bigquery.rowAccessPolicies.update

bigquery.savedqueries.*

bigquery.tables.*

bigquery.transfers.*

bigquerymigration.translation.translate

compute.reservations.get

compute.reservations.list

dataform.*

resourcemanager.projects.get

resourcemanager.projects.list

(roles/bigquery.studioUser)

Combination role of BigQuery Job User, BigQuery Read Session User, Dataform Code Creator, and Notebook Runtime User.

aiplatform.notebookRuntimeTemplates.apply

aiplatform.notebookRuntimeTemplates.get

aiplatform.notebookRuntimeTemplates.getIamPolicy

aiplatform.notebookRuntimeTemplates.list

aiplatform.notebookRuntimes.assign

aiplatform.notebookRuntimes.get

aiplatform.notebookRuntimes.list

aiplatform.operations.list

bigquery.config.get

bigquery.jobs.create

bigquery.readsessions.*

dataform.locations.*

dataform.repositories.create

dataform.repositories.list

resourcemanager.projects.get

resourcemanager.projects.list

(roles/bigquery.user)

When applied to a dataset, this role provides the ability to read the dataset's metadata and list tables in the dataset.

When applied to a project, this role also provides the ability to run jobs, including queries, within the project. A principal with this role can enumerate their own jobs, cancel their own jobs, and enumerate datasets within a project. Additionally, this role allows the creation of new datasets within the project; the creator is granted the BigQuery Data Owner role (roles/bigquery.dataOwner) on these new datasets.

Lowest-level resources where you can grant this role:

  • Dataset

bigquery.bireservations.get

bigquery.capacityCommitments.get

bigquery.capacityCommitments.list

bigquery.config.get

bigquery.datasets.create

bigquery.datasets.get

bigquery.datasets.getIamPolicy

bigquery.jobs.create

bigquery.jobs.list

bigquery.models.list

bigquery.readsessions.*

bigquery.reservationAssignments.list

bigquery.reservationAssignments.search

bigquery.reservations.get

bigquery.reservations.list

bigquery.routines.list

bigquery.savedqueries.get

bigquery.savedqueries.list

bigquery.tables.list

bigquery.transfers.get

bigquerymigration.translation.translate

dataform.locations.*

dataform.repositories.create

dataform.repositories.list

resourcemanager.projects.get

resourcemanager.projects.list

(roles/bigquerydatapolicy.maskedReader)

Masked read access to sub-resources tagged by the policy tag associated with a data policy, for example, BigQuery columns

bigquery.dataPolicies.maskedGet

Permissions

(roles/billing.admin)

Provides access to see and manage all aspects of billing accounts.

Lowest-level resources where you can grant this role:

  • Billing Account

billing.accounts.close

billing.accounts.get

billing.accounts.getCarbonInformation

billing.accounts.getIamPolicy

billing.accounts.getPaymentInfo

billing.accounts.getPricing

billing.accounts.getSpendingInformation

billing.accounts.getUsageExportSpec

billing.accounts.list

billing.accounts.move

billing.accounts.redeemPromotion

billing.accounts.removeFromOrganization

billing.accounts.reopen

billing.accounts.setIamPolicy

billing.accounts.update

billing.accounts.updatePaymentInfo

billing.accounts.updateUsageExportSpec

billing.billingAccountPrice.get

billing.billingAccountPrices.list

billing.billingAccountServices.*

billing.billingAccountSkuGroupSkus.*

billing.billingAccountSkuGroups.*

billing.billingAccountSkus.*

billing.budgets.*

billing.credits.list

billing.finOpsBenchmarkInformation.get

billing.finOpsHealthInformation.get

billing.resourceAssociations.*

billing.subscriptions.*

cloudasset.assets.searchAllResources

cloudnotifications.activities.list

cloudsupport.properties.get

cloudsupport.techCases.*

commerceoffercatalog.*

compute.commitments.*

consumerprocurement.accounts.*

consumerprocurement.consents.check

consumerprocurement.consents.grant

consumerprocurement.consents.list

consumerprocurement.consents.revoke

consumerprocurement.events.*

consumerprocurement.orderAttributions.*

consumerprocurement.orders.*

dataprocessing.datasources.get

dataprocessing.datasources.list

dataprocessing.groupcontrols.get

dataprocessing.groupcontrols.list

logging.logEntries.list

logging.logServiceIndexes.list

logging.logServices.list

logging.logs.list

logging.privateLogEntries.list

recommender.cloudsqlIdleInstanceRecommendations.get

recommender.cloudsqlIdleInstanceRecommendations.list

recommender.cloudsqlOverprovisionedInstanceRecommendations.get

recommender.cloudsqlOverprovisionedInstanceRecommendations.list

recommender.commitmentUtilizationInsights.*

recommender.computeAddressIdleResourceRecommendations.get

recommender.computeAddressIdleResourceRecommendations.list

recommender.computeDiskIdleResourceRecommendations.get

recommender.computeDiskIdleResourceRecommendations.list

recommender.computeImageIdleResourceRecommendations.get

recommender.computeImageIdleResourceRecommendations.list

recommender.computeInstanceGroupManagerMachineTypeRecommendations.get

recommender.computeInstanceGroupManagerMachineTypeRecommendations.list

recommender.computeInstanceIdleResourceRecommendations.get

recommender.computeInstanceIdleResourceRecommendations.list

recommender.computeInstanceMachineTypeRecommendations.get

recommender.computeInstanceMachineTypeRecommendations.list

recommender.costInsights.*

recommender.costRecommendations.*

recommender.resourcemanagerProjectUtilizationRecommendations.get

recommender.resourcemanagerProjectUtilizationRecommendations.list

recommender.spendBasedCommitmentInsights.*

recommender.spendBasedCommitmentRecommendations.*

recommender.spendBasedCommitmentRecommenderConfig.*

recommender.usageCommitmentRecommendations.*

resourcemanager.projects.createBillingAssignment

resourcemanager.projects.deleteBillingAssignment

resourcemanager.projects.get

resourcemanager.projects.list

(roles/billing.costsManager)

Manage budgets for a billing account, and view, analyze, and export cost information of a billing account.

Lowest-level resources where you can grant this role:

  • Billing Account

billing.accounts.get

billing.accounts.getIamPolicy

billing.accounts.getSpendingInformation

billing.accounts.getUsageExportSpec

billing.accounts.list

billing.accounts.updateUsageExportSpec

billing.budgets.*

billing.resourceAssociations.list

recommender.costInsights.*

(roles/billing.creator)

Provides access to create billing accounts.

Lowest-level resources where you can grant this role:

  • Organization

billing.accounts.create

resourcemanager.organizations.get

(roles/billing.projectManager)

When granted in conjunction with the Billing Account User role, provides access to assign a project's billing account or disable its billing.

Lowest-level resources where you can grant this role:

  • Project

resourcemanager.projects.createBillingAssignment

resourcemanager.projects.deleteBillingAssignment

(roles/billing.user)

When granted in conjunction with the Project Owner role or Project Billing Manager role, provides access to associate projects with billing accounts.

Lowest-level resources where you can grant this role:

  • Billing Account

billing.accounts.get

billing.accounts.getIamPolicy

billing.accounts.list

billing.accounts.redeemPromotion

billing.credits.list

billing.resourceAssociations.create

(roles/billing.viewer)

View billing account cost and pricing information, transactions, and billing and commitment recommendations.

Lowest-level resources where you can grant this role:

  • Billing Account

billing.accounts.get

billing.accounts.getCarbonInformation

billing.accounts.getIamPolicy

billing.accounts.getPaymentInfo

billing.accounts.getPricing

billing.accounts.getSpendingInformation

billing.accounts.getUsageExportSpec

billing.accounts.list

billing.billingAccountPrice.get

billing.billingAccountPrices.list

billing.billingAccountServices.*

billing.billingAccountSkuGroupSkus.*

billing.billingAccountSkuGroups.*

billing.billingAccountSkus.*

billing.budgets.get

billing.budgets.list

billing.credits.list

billing.finOpsBenchmarkInformation.get

billing.finOpsHealthInformation.get

billing.resourceAssociations.list

billing.subscriptions.get

billing.subscriptions.list

commerceoffercatalog.*

consumerprocurement.accounts.get

consumerprocurement.accounts.list

consumerprocurement.consents.check

consumerprocurement.consents.list

consumerprocurement.orderAttributions.get

consumerprocurement.orderAttributions.list

consumerprocurement.orders.get

consumerprocurement.orders.list

dataprocessing.datasources.get

dataprocessing.datasources.list

dataprocessing.groupcontrols.get

dataprocessing.groupcontrols.list

recommender.commitmentUtilizationInsights.get

recommender.commitmentUtilizationInsights.list

recommender.costInsights.get

recommender.costInsights.list

recommender.costRecommendations.*

recommender.spendBasedCommitmentInsights.get

recommender.spendBasedCommitmentInsights.list

recommender.spendBasedCommitmentRecommendations.get

recommender.spendBasedCommitmentRecommendations.list

recommender.spendBasedCommitmentRecommenderConfig.get

recommender.usageCommitmentRecommendations.get

recommender.usageCommitmentRecommendations.list

Permissions

(roles/binaryauthorization.attestorsAdmin)

Administrator of Binary Authorization Attestors

binaryauthorization.attestors.*

resourcemanager.projects.get

resourcemanager.projects.list

(roles/binaryauthorization.attestorsEditor)

Editor of Binary Authorization Attestors

binaryauthorization.attestors.create

binaryauthorization.attestors.delete

binaryauthorization.attestors.get

binaryauthorization.attestors.list

binaryauthorization.attestors.update

binaryauthorization.attestors.verifyImageAttested

resourcemanager.projects.get

resourcemanager.projects.list

(roles/binaryauthorization.attestorsVerifier)

Caller of Binary Authorization Attestors VerifyImageAttested

binaryauthorization.attestors.get

binaryauthorization.attestors.list

binaryauthorization.attestors.verifyImageAttested

resourcemanager.projects.get

resourcemanager.projects.list

(roles/binaryauthorization.attestorsViewer)

Viewer of Binary Authorization Attestors

binaryauthorization.attestors.get

binaryauthorization.attestors.list

resourcemanager.projects.get

resourcemanager.projects.list

(roles/binaryauthorization.policyAdmin)

Administrator of Binary Authorization Policy

binaryauthorization.continuousValidationConfig.*

binaryauthorization.platformPolicies.*

binaryauthorization.policy.*

resourcemanager.projects.get

resourcemanager.projects.list

(roles/binaryauthorization.policyEditor)

Editor of Binary Authorization Policy

binaryauthorization.continuousValidationConfig.get

binaryauthorization.continuousValidationConfig.update

binaryauthorization.platformPolicies.*

binaryauthorization.policy.evaluatePolicy

binaryauthorization.policy.get

binaryauthorization.policy.update

resourcemanager.projects.get

resourcemanager.projects.list

(roles/binaryauthorization.policyEvaluator)

Evaluator of Binary Authorization Policy

binaryauthorization.platformPolicies.evaluatePolicy

binaryauthorization.platformPolicies.get

binaryauthorization.platformPolicies.list

binaryauthorization.policy.evaluatePolicy

binaryauthorization.policy.get

resourcemanager.projects.get

resourcemanager.projects.list

(roles/binaryauthorization.policyViewer)

Viewer of Binary Authorization Policy

binaryauthorization.continuousValidationConfig.get

binaryauthorization.platformPolicies.get

binaryauthorization.platformPolicies.list

binaryauthorization.policy.get

resourcemanager.projects.get

resourcemanager.projects.list

Permissions

(roles/privateca.admin)

Full access to all CA Service resources.

privateca.*

resourcemanager.projects.get

resourcemanager.projects.list

storage.buckets.create

(roles/privateca.auditor)

Read-only access to all CA Service resources.

privateca.caPools.get

privateca.caPools.getIamPolicy

privateca.caPools.list

privateca.certificateAuthorities.get

privateca.certificateAuthorities.getIamPolicy

privateca.certificateAuthorities.list

privateca.certificateRevocationLists.get

privateca.certificateRevocationLists.getIamPolicy

privateca.certificateRevocationLists.list

privateca.certificateTemplates.get

privateca.certificateTemplates.getIamPolicy

privateca.certificateTemplates.list

privateca.certificates.get

privateca.certificates.getIamPolicy

privateca.certificates.list

privateca.locations.*

privateca.operations.get

privateca.operations.list

privateca.reusableConfigs.get

privateca.reusableConfigs.getIamPolicy

privateca.reusableConfigs.list

resourcemanager.projects.get

resourcemanager.projects.list

(roles/privateca.caManager)

Create and manage CAs, revoke certificates, create certificate templates, and read-only access for CA Service resources.

privateca.caPools.create

privateca.caPools.delete

privateca.caPools.get

privateca.caPools.getIamPolicy

privateca.caPools.list

privateca.caPools.update

privateca.certificateAuthorities.create

privateca.certificateAuthorities.delete

privateca.certificateAuthorities.get

privateca.certificateAuthorities.getIamPolicy

privateca.certificateAuthorities.list

privateca.certificateAuthorities.update

privateca.certificateRevocationLists.get

privateca.certificateRevocationLists.getIamPolicy

privateca.certificateRevocationLists.list

privateca.certificateRevocationLists.update

privateca.certificateTemplates.create

privateca.certificateTemplates.delete

privateca.certificateTemplates.get

privateca.certificateTemplates.getIamPolicy

privateca.certificateTemplates.list

privateca.certificateTemplates.update

privateca.certificates.get

privateca.certificates.getIamPolicy

privateca.certificates.list

privateca.certificates.update

privateca.locations.*

privateca.operations.get

privateca.operations.list

privateca.reusableConfigs.create

privateca.reusableConfigs.delete

privateca.reusableConfigs.get

privateca.reusableConfigs.getIamPolicy

privateca.reusableConfigs.list

privateca.reusableConfigs.update

resourcemanager.projects.get

resourcemanager.projects.list

storage.buckets.create

(roles/privateca.certificateManager)

Create certificates and read-only access for CA Service resources.

privateca.caPools.get

privateca.caPools.getIamPolicy

privateca.caPools.list

privateca.certificateAuthorities.get

privateca.certificateAuthorities.getIamPolicy

privateca.certificateAuthorities.list

privateca.certificateRevocationLists.get

privateca.certificateRevocationLists.getIamPolicy

privateca.certificateRevocationLists.list

privateca.certificateTemplates.get

privateca.certificateTemplates.getIamPolicy

privateca.certificateTemplates.list

privateca.certificates.create

privateca.certificates.get

privateca.certificates.getIamPolicy

privateca.certificates.list

privateca.locations.*

privateca.operations.get

privateca.operations.list

privateca.reusableConfigs.get

privateca.reusableConfigs.getIamPolicy

privateca.reusableConfigs.list

resourcemanager.projects.get

resourcemanager.projects.list

(roles/privateca.certificateRequester)

Request certificates from CA Service.

privateca.certificates.create

(roles/privateca.poolReader)

Read CA Pools in CA Service.

privateca.caPools.get

(roles/privateca.templateUser)

Read, list and use certificate templates.

privateca.certificateTemplates.get

privateca.certificateTemplates.list

privateca.certificateTemplates.use

(roles/privateca.workloadCertificateRequester)

Request certificates from CA Service with caller's identity.

privateca.certificates.createForSelf

Permissions

(roles/certificatemanager.editor)

Edit access to all Certificate Manager resources.

certificatemanager.certissuanceconfigs.create

certificatemanager.certissuanceconfigs.get

certificatemanager.certissuanceconfigs.list

certificatemanager.certissuanceconfigs.update

certificatemanager.certissuanceconfigs.use

certificatemanager.certmapentries.create

certificatemanager.certmapentries.get

certificatemanager.certmapentries.getIamPolicy

certificatemanager.certmapentries.list

certificatemanager.certmapentries.update

certificatemanager.certmaps.create

certificatemanager.certmaps.get

certificatemanager.certmaps.getIamPolicy

certificatemanager.certmaps.list

certificatemanager.certmaps.update

certificatemanager.certmaps.use

certificatemanager.certs.create

certificatemanager.certs.get

certificatemanager.certs.getIamPolicy

certificatemanager.certs.list

certificatemanager.certs.update

certificatemanager.certs.use

certificatemanager.dnsauthorizations.create

certificatemanager.dnsauthorizations.get

certificatemanager.dnsauthorizations.getIamPolicy

certificatemanager.dnsauthorizations.list

certificatemanager.dnsauthorizations.update

certificatemanager.dnsauthorizations.use

certificatemanager.locations.*

certificatemanager.operations.get

certificatemanager.operations.list

certificatemanager.trustconfigs.create

certificatemanager.trustconfigs.get

certificatemanager.trustconfigs.list

certificatemanager.trustconfigs.update

certificatemanager.trustconfigs.use

resourcemanager.projects.get

resourcemanager.projects.list

(roles/certificatemanager.owner)

Full access to all Certificate Manager resources.

certificatemanager.*

resourcemanager.projects.get

resourcemanager.projects.list

(roles/certificatemanager.viewer)

Read-only access to all Certificate Manager resources.

certificatemanager.certissuanceconfigs.get

certificatemanager.certissuanceconfigs.list

certificatemanager.certmapentries.get

certificatemanager.certmapentries.getIamPolicy

certificatemanager.certmapentries.list

certificatemanager.certmaps.get

certificatemanager.certmaps.getIamPolicy

certificatemanager.certmaps.list

certificatemanager.certs.get

certificatemanager.certs.getIamPolicy

certificatemanager.certs.list

certificatemanager.dnsauthorizations.get

certificatemanager.dnsauthorizations.getIamPolicy

certificatemanager.dnsauthorizations.list

certificatemanager.locations.*

certificatemanager.operations.get

certificatemanager.operations.list

certificatemanager.trustconfigs.get

certificatemanager.trustconfigs.list

resourcemanager.projects.get

resourcemanager.projects.list

Permissions

(roles/chat.owner)

Can view and modify bot configurations

chat.*

(roles/chat.reader)

Can view bot configurations

chat.bots.get

Permissions

(roles/chronicle.admin)

Full access to the Chronicle API services, including global settings.

chronicle.ais.*

chronicle.analyticValues.list

chronicle.analytics.list

chronicle.bigQueryAccess.provide

chronicle.cases.countPriorities

chronicle.collectors.*

chronicle.conversations.*

chronicle.curatedRuleSetCategories.*

chronicle.curatedRuleSetDeployments.*

chronicle.curatedRuleSets.*

chronicle.curatedRules.*

chronicle.dashboards.*

chronicle.dataAccessLabels.*

chronicle.dataAccessScopes.*

chronicle.dataExports.*

chronicle.dataTaps.*

chronicle.entities.*

chronicle.entityRiskScores.queryEntityRiskScores

chronicle.errorNotificationConfigs.*

chronicle.events.*

chronicle.extensionValidationReports.*

chronicle.feedServiceAccounts.fetch

chronicle.feedSourceTypeSchemas.list

chronicle.feeds.*

chronicle.findingsGraphs.*

chronicle.findingsRefinementDeployments.*

chronicle.findingsRefinements.*

chronicle.forwarders.*

chronicle.globalDataAccessScopes.permit

chronicle.instances.generateSoarAuthJwt

chronicle.instances.get

chronicle.instances.report

chronicle.iocMatches.*

chronicle.iocState.*

chronicle.iocs.*

chronicle.legacies.*

chronicle.logTypeSchemas.list

chronicle.logTypes.list

chronicle.logs.*

chronicle.messages.*

chronicle.multitenantDirectories.get

chronicle.operations.*

chronicle.parserExtensions.*

chronicle.parsers.*

chronicle.parsingErrors.list

chronicle.preferenceSets.*

chronicle.referenceLists.*

chronicle.retrohunts.*

chronicle.riskConfigs.*

chronicle.ruleDeployments.*

chronicle.ruleExecutionErrors.list

chronicle.rules.*

chronicle.searchQueries.*

chronicle.validationErrors.list

chronicle.validationReports.get

chronicle.watchlists.*

resourcemanager.projects.get

resourcemanager.projects.list

(roles/chronicle.editor)

Modify access to Chronicle API resources.

chronicle.ais.*

chronicle.analyticValues.list

chronicle.analytics.list

chronicle.cases.countPriorities

chronicle.collectors.get

chronicle.collectors.list

chronicle.conversations.*

chronicle.curatedRuleSetCategories.*

chronicle.curatedRuleSetDeployments.*

chronicle.curatedRuleSets.*

chronicle.curatedRules.*

chronicle.dashboards.*

chronicle.dataAccessScopes.list

chronicle.dataExports.*

chronicle.dataTaps.*

chronicle.entities.*

chronicle.entityRiskScores.queryEntityRiskScores

chronicle.errorNotificationConfigs.get

chronicle.errorNotificationConfigs.list

chronicle.events.*

chronicle.findingsGraphs.*

chronicle.findingsRefinementDeployments.*

chronicle.findingsRefinements.*

chronicle.forwarders.generate

chronicle.forwarders.get

chronicle.forwarders.list

chronicle.globalDataAccessScopes.permit

chronicle.instances.generateSoarAuthJwt

chronicle.instances.get

chronicle.instances.report

chronicle.legacies.legacyBatchGetCases

chronicle.legacies.legacyCalculateAlertStats

chronicle.legacies.legacyFetchAlertsView

chronicle.legacies.legacyFetchUdmSearchCsv

chronicle.legacies.legacyFetchUdmSearchView

chronicle.legacies.legacyFindAssetEvents

chronicle.legacies.legacyFindRawLogs

chronicle.legacies.legacyFindUdmEvents

chronicle.legacies.legacyGetAlert

chronicle.legacies.legacyGetCuratedRulesTrends

chronicle.legacies.legacyGetDetection

chronicle.legacies.legacyGetFinding

chronicle.legacies.legacyGetRuleCounts

chronicle.legacies.legacyGetRulesTrends

chronicle.legacies.legacyRunTestRule

chronicle.legacies.legacySearchAlerts

chronicle.legacies.legacySearchArtifactEvents

chronicle.legacies.legacySearchArtifactIoCDetails

chronicle.legacies.legacySearchAssetEvents

chronicle.legacies.legacySearchCuratedDetections

chronicle.legacies.legacySearchCustomerStats

chronicle.legacies.legacySearchDetections

chronicle.legacies.legacySearchDomainsRecentlyRegistered

chronicle.legacies.legacySearchDomainsTimingStats

chronicle.legacies.legacySearchEnterpriseWideAlerts

chronicle.legacies.legacySearchEnterpriseWideIoCs

chronicle.legacies.legacySearchFindings

chronicle.legacies.legacySearchIngestionStats

chronicle.legacies.legacySearchIoCInsights

chronicle.legacies.legacySearchRawLogs

chronicle.legacies.legacySearchRuleDetectionCountBuckets

chronicle.legacies.legacySearchRuleDetectionEvents

chronicle.legacies.legacySearchRuleResults

chronicle.legacies.legacySearchRulesAlerts

chronicle.legacies.legacySearchUserEvents

chronicle.legacies.legacyStreamDetectionAlerts

chronicle.legacies.legacyTestRuleStreaming

chronicle.legacies.legacyUpdateAlert

chronicle.legacies.legacyUpdateFinding

chronicle.logTypeSchemas.list

chronicle.logs.*

chronicle.messages.*

chronicle.multitenantDirectories.get

chronicle.operations.*

chronicle.preferenceSets.*

chronicle.referenceLists.*

chronicle.retrohunts.*

chronicle.riskConfigs.*

chronicle.ruleDeployments.*

chronicle.ruleExecutionErrors.list

chronicle.rules.create

chronicle.rules.get

chronicle.rules.list

chronicle.rules.listRevisions

chronicle.rules.update

chronicle.rules.verifyRuleText

chronicle.searchQueries.*

chronicle.watchlists.*

resourcemanager.projects.get

resourcemanager.projects.list

(roles/chronicle.limitedViewer)

Grants read-only access to Chronicle API resources, excluding Rules and Retrohunts.

chronicle.analyticValues.list

chronicle.analytics.list

chronicle.cases.countPriorities

chronicle.conversations.get

chronicle.conversations.list

chronicle.dashboards.get

chronicle.dashboards.list

chronicle.dashboards.schedule

chronicle.entities.find

chronicle.entities.findRelatedEntities

chronicle.entities.get

chronicle.entities.queryEntityRiskScoreModifications

chronicle.entities.searchEntities

chronicle.entities.summarize

chronicle.entities.summarizeFromQuery

chronicle.entityRiskScores.queryEntityRiskScores

chronicle.errorNotificationConfigs.get

chronicle.errorNotificationConfigs.list

chronicle.events.batchGet

chronicle.events.findUdmFieldValues

chronicle.events.get

chronicle.events.queryProductSourceStats

chronicle.events.searchRawLogs

chronicle.events.udmSearch

chronicle.events.validateQuery

chronicle.findingsGraphs.*

chronicle.findingsRefinementDeployments.get

chronicle.findingsRefinementDeployments.list

chronicle.findingsRefinements.computeActivity

chronicle.findingsRefinements.computeAllActivities

chronicle.findingsRefinements.get

chronicle.findingsRefinements.list

chronicle.findingsRefinements.test

chronicle.globalDataAccessScopes.permit

chronicle.instances.get

chronicle.legacies.legacyBatchGetCases

chronicle.legacies.legacyCalculateAlertStats

chronicle.legacies.legacyFetchAlertsView

chronicle.legacies.legacyFetchUdmSearchCsv

chronicle.legacies.legacyFetchUdmSearchView

chronicle.legacies.legacyFindAssetEvents

chronicle.legacies.legacyFindRawLogs

chronicle.legacies.legacyFindUdmEvents

chronicle.legacies.legacyGetAlert

chronicle.legacies.legacyGetFinding

chronicle.legacies.legacySearchAlerts

chronicle.legacies.legacySearchArtifactEvents

chronicle.legacies.legacySearchArtifactIoCDetails

chronicle.legacies.legacySearchAssetEvents

chronicle.legacies.legacySearchDomainsRecentlyRegistered

chronicle.legacies.legacySearchDomainsTimingStats

chronicle.legacies.legacySearchEnterpriseWideAlerts

chronicle.legacies.legacySearchEnterpriseWideIoCs

chronicle.legacies.legacySearchFindings

chronicle.legacies.legacySearchIoCInsights

chronicle.legacies.legacySearchRawLogs

chronicle.legacies.legacySearchUserEvents

chronicle.logTypeSchemas.list

chronicle.logs.export

chronicle.logs.get

chronicle.logs.list

chronicle.messages.get

chronicle.messages.list

chronicle.multitenantDirectories.get

chronicle.operations.get

chronicle.operations.list

chronicle.operations.streamSearch

chronicle.operations.wait

chronicle.preferenceSets.*

chronicle.searchQueries.*

resourcemanager.projects.get

resourcemanager.projects.list

(roles/chronicle.restrictedDataAccess)

Grants access to data controlled by Data Access Scopes. Intended to be refined by IAM Conditions.

chronicle.dataAccessScopes.permit

(roles/chronicle.restrictedDataAccessViewer)

Grants read-only access to Chronicle API resources without global data access scope.

chronicle.ais.*

chronicle.dataAccessScopes.list

chronicle.entities.find

chronicle.entities.findRelatedEntities

chronicle.entities.get

chronicle.entities.list

chronicle.entities.searchEntities

chronicle.entities.summarize

chronicle.entities.summarizeFromQuery

chronicle.events.batchGet

chronicle.events.findUdmFieldValues

chronicle.events.get

chronicle.events.queryProductSourceStats

chronicle.events.searchRawLogs

chronicle.events.udmSearch

chronicle.events.validateQuery

chronicle.findingsGraphs.*

chronicle.instances.generateSoarAuthJwt

chronicle.instances.get

chronicle.instances.report

chronicle.legacies.legacyBatchGetCases

chronicle.legacies.legacyCalculateAlertStats

chronicle.legacies.legacyFetchAlertsView

chronicle.legacies.legacyFetchUdmSearchCsv

chronicle.legacies.legacyFetchUdmSearchView

chronicle.legacies.legacyFindAssetEvents

chronicle.legacies.legacyFindRawLogs

chronicle.legacies.legacyFindUdmEvents

chronicle.legacies.legacyGetAlert

chronicle.legacies.legacyGetFinding

chronicle.legacies.legacyGetRuleCounts

chronicle.legacies.legacyGetRulesTrends

chronicle.legacies.legacyRunTestRule

chronicle.legacies.legacySearchArtifactEvents

chronicle.legacies.legacySearchArtifactIoCDetails

chronicle.legacies.legacySearchAssetEvents

chronicle.legacies.legacySearchDomainsRecentlyRegistered

chronicle.legacies.legacySearchDomainsTimingStats

chronicle.legacies.legacySearchFindings

chronicle.legacies.legacySearchIoCInsights

chronicle.legacies.legacySearchRawLogs

chronicle.legacies.legacySearchRuleDetectionCountBuckets

chronicle.legacies.legacySearchRuleDetectionEvents

chronicle.legacies.legacySearchRuleResults

chronicle.legacies.legacySearchRulesAlerts

chronicle.legacies.legacySearchUserEvents

chronicle.logs.get

chronicle.logs.list

chronicle.operations.get

chronicle.operations.list

chronicle.operations.streamSearch

chronicle.operations.wait

chronicle.retrohunts.get

chronicle.retrohunts.list

chronicle.riskConfigs.get

chronicle.ruleDeployments.get

chronicle.ruleDeployments.list

chronicle.ruleExecutionErrors.list

chronicle.rules.get

chronicle.rules.list

chronicle.rules.listRevisions

chronicle.rules.verifyRuleText

chronicle.watchlists.get

chronicle.watchlists.list

resourcemanager.projects.get

resourcemanager.projects.list

(roles/chronicle.soarAdmin)

Grants admin access to Chronicle SOAR.

chronicle.instances.soarAdmin

resourcemanager.projects.get

resourcemanager.projects.list

(roles/chronicle.soarThreatManager)

Grants threat manager access to Chronicle SOAR.

chronicle.instances.soarThreatManager

resourcemanager.projects.get

resourcemanager.projects.list

(roles/chronicle.soarVulnerabilityManager)

Grants vulnerability manager access to Chronicle SOAR.

chronicle.instances.soarVulnerabilityManager

resourcemanager.projects.get

resourcemanager.projects.list

(roles/chronicle.viewer)

Read-only access to the Chronicle API resources.

chronicle.ais.*

chronicle.analyticValues.list

chronicle.analytics.list

chronicle.cases.countPriorities

chronicle.collectors.get

chronicle.collectors.list

chronicle.conversations.get

chronicle.conversations.list

chronicle.curatedRuleSetCategories.*

chronicle.curatedRuleSetDeployments.get

chronicle.curatedRuleSetDeployments.list

chronicle.curatedRuleSets.*

chronicle.curatedRules.*

chronicle.dashboards.get

chronicle.dashboards.list

chronicle.dashboards.schedule

chronicle.dataAccessScopes.list

chronicle.dataExports.fetchLogTypesAvailableForExport

chronicle.dataExports.get

chronicle.dataTaps.get

chronicle.dataTaps.list

chronicle.entities.find

chronicle.entities.findRelatedEntities

chronicle.entities.get

chronicle.entities.list

chronicle.entities.queryEntityRiskScoreModifications

chronicle.entities.searchEntities

chronicle.entities.summarize

chronicle.entities.summarizeFromQuery

chronicle.entityRiskScores.queryEntityRiskScores

chronicle.errorNotificationConfigs.get

chronicle.errorNotificationConfigs.list

chronicle.events.batchGet

chronicle.events.findUdmFieldValues

chronicle.events.get

chronicle.events.queryProductSourceStats

chronicle.events.searchRawLogs

chronicle.events.udmSearch

chronicle.events.validateQuery

chronicle.findingsGraphs.*

chronicle.findingsRefinementDeployments.get

chronicle.findingsRefinementDeployments.list

chronicle.findingsRefinements.computeActivity

chronicle.findingsRefinements.computeAllActivities

chronicle.findingsRefinements.get

chronicle.findingsRefinements.list

chronicle.findingsRefinements.test

chronicle.forwarders.generate

chronicle.forwarders.get

chronicle.forwarders.list

chronicle.globalDataAccessScopes.permit

chronicle.instances.generateSoarAuthJwt

chronicle.instances.get

chronicle.instances.report

chronicle.legacies.legacyBatchGetCases

chronicle.legacies.legacyCalculateAlertStats

chronicle.legacies.legacyFetchAlertsView

chronicle.legacies.legacyFetchUdmSearchCsv

chronicle.legacies.legacyFetchUdmSearchView

chronicle.legacies.legacyFindAssetEvents

chronicle.legacies.legacyFindRawLogs

chronicle.legacies.legacyFindUdmEvents

chronicle.legacies.legacyGetAlert

chronicle.legacies.legacyGetCuratedRulesTrends

chronicle.legacies.legacyGetDetection

chronicle.legacies.legacyGetFinding

chronicle.legacies.legacyGetRuleCounts

chronicle.legacies.legacyGetRulesTrends

chronicle.legacies.legacyRunTestRule

chronicle.legacies.legacySearchAlerts

chronicle.legacies.legacySearchArtifactEvents

chronicle.legacies.legacySearchArtifactIoCDetails

chronicle.legacies.legacySearchAssetEvents

chronicle.legacies.legacySearchCuratedDetections

chronicle.legacies.legacySearchCustomerStats

chronicle.legacies.legacySearchDetections

chronicle.legacies.legacySearchDomainsRecentlyRegistered

chronicle.legacies.legacySearchDomainsTimingStats

chronicle.legacies.legacySearchEnterpriseWideAlerts

chronicle.legacies.legacySearchEnterpriseWideIoCs

chronicle.legacies.legacySearchFindings

chronicle.legacies.legacySearchIngestionStats

chronicle.legacies.legacySearchIoCInsights

chronicle.legacies.legacySearchRawLogs

chronicle.legacies.legacySearchRuleDetectionCountBuckets

chronicle.legacies.legacySearchRuleDetectionEvents

chronicle.legacies.legacySearchRuleResults

chronicle.legacies.legacySearchRulesAlerts

chronicle.legacies.legacySearchUserEvents

chronicle.legacies.legacyStreamDetectionAlerts

chronicle.legacies.legacyTestRuleStreaming

chronicle.logTypeSchemas.list

chronicle.logs.export

chronicle.logs.get

chronicle.logs.list

chronicle.messages.get

chronicle.messages.list

chronicle.multitenantDirectories.get

chronicle.operations.get

chronicle.operations.list

chronicle.operations.streamSearch

chronicle.operations.wait

chronicle.preferenceSets.*

chronicle.referenceLists.get

chronicle.referenceLists.list

chronicle.referenceLists.verifyReferenceList

chronicle.retrohunts.get

chronicle.retrohunts.list

chronicle.riskConfigs.get

chronicle.ruleDeployments.get

chronicle.ruleDeployments.list

chronicle.ruleExecutionErrors.list

chronicle.rules.get

chronicle.rules.list

chronicle.rules.listRevisions

chronicle.rules.verifyRuleText

chronicle.searchQueries.*

chronicle.watchlists.get

chronicle.watchlists.list

resourcemanager.projects.get

resourcemanager.projects.list

Permissions

(roles/alloydb.admin)

Full access to all Cloud AlloyDB resources.

alloydb.*

resourcemanager.projects.get

resourcemanager.projects.list

(roles/alloydb.client)

Connectivity access to Cloud AlloyDB instances.

alloydb.clusters.generateClientCertificate

alloydb.clusters.get

alloydb.instances.connect

alloydb.instances.get

resourcemanager.projects.get

resourcemanager.projects.list

(roles/alloydb.databaseUser)

Role allowing access to log in as a database user.

alloydb.clusters.get

alloydb.instances.get

alloydb.users.login

resourcemanager.projects.get

resourcemanager.projects.list

(roles/alloydb.viewer)

Read-only access to all Cloud AlloyDB resources.

alloydb.backups.get

alloydb.backups.list

alloydb.backups.listEffectiveTags

alloydb.backups.listTagBindings

alloydb.clusters.get

alloydb.clusters.list

alloydb.clusters.listEffectiveTags

alloydb.clusters.listTagBindings

alloydb.databases.list

alloydb.instances.get

alloydb.instances.list

alloydb.locations.*

alloydb.operations.get

alloydb.operations.list

alloydb.supportedDatabaseFlags.*

alloydb.users.get

alloydb.users.list

resourcemanager.projects.get

resourcemanager.projects.list

Permissions

(roles/cloudasset.owner)

Full access to cloud assets metadata

cloudasset.*

recommender.cloudAssetInsights.*

recommender.locations.*

(roles/cloudasset.viewer)

Read-only access to cloud assets metadata

cloudasset.assets.*

recommender.cloudAssetInsights.get

recommender.cloudAssetInsights.list

recommender.locations.*

Permissions

(roles/bigtable.admin)

Administers all Bigtable instances within a project, including the data stored within tables. Can create new instances. Intended for project administrators.

Lowest-level resources where you can grant this role:

  • Table

bigtable.*

monitoring.metricDescriptors.get

monitoring.metricDescriptors.list

monitoring.timeSeries.*

resourcemanager.projects.get

(roles/bigtable.reader)

Provides read-only access to the data stored within Bigtable tables. Intended for data scientists, dashboard generators, and other data-analysis scenarios.

Lowest-level resources where you can grant this role:

  • Table

bigtable.appProfiles.get

bigtable.appProfiles.list

bigtable.backups.get

bigtable.backups.list

bigtable.clusters.get

bigtable.clusters.list

bigtable.hotTablets.list

bigtable.instances.get

bigtable.instances.list

bigtable.instances.ping

bigtable.keyvisualizer.*

bigtable.locations.list

bigtable.tables.checkConsistency

bigtable.tables.generateConsistencyToken

bigtable.tables.get

bigtable.tables.list

bigtable.tables.readRows

bigtable.tables.sampleRowKeys

monitoring.metricDescriptors.get

monitoring.metricDescriptors.list

monitoring.timeSeries.*

resourcemanager.projects.get

(roles/bigtable.user)

Provides read-write access to the data stored within Bigtable tables. Intended for application developers or service accounts.

Lowest-level resources where you can grant this role:

  • Table

bigtable.appProfiles.get

bigtable.appProfiles.list

bigtable.backups.get

bigtable.backups.list

bigtable.clusters.get

bigtable.clusters.list

bigtable.hotTablets.list

bigtable.instances.get

bigtable.instances.list

bigtable.instances.ping

bigtable.keyvisualizer.*

bigtable.locations.list

bigtable.tables.checkConsistency

bigtable.tables.generateConsistencyToken

bigtable.tables.get

bigtable.tables.list

bigtable.tables.mutateRows

bigtable.tables.readRows

bigtable.tables.sampleRowKeys

monitoring.metricDescriptors.get

monitoring.metricDescriptors.list

monitoring.timeSeries.*

resourcemanager.projects.get

(roles/bigtable.viewer)

Provides no data access. Intended as a minimal set of permissions to access the Google Cloud console for Bigtable.

Lowest-level resources where you can grant this role:

  • Table

bigtable.appProfiles.get

bigtable.appProfiles.list

bigtable.backups.get

bigtable.backups.list

bigtable.clusters.get

bigtable.clusters.list

bigtable.hotTablets.list

bigtable.instances.get

bigtable.instances.list

bigtable.instances.listEffectiveTags

bigtable.instances.listTagBindings

bigtable.locations.list

bigtable.tables.checkConsistency

bigtable.tables.generateConsistencyToken

bigtable.tables.get

bigtable.tables.list

monitoring.metricDescriptors.get

monitoring.metricDescriptors.list

monitoring.timeSeries.list

resourcemanager.projects.get

Permissions

(roles/cloudbuild.builds.approver)

Can approve or reject pending builds.

cloudbuild.builds.approve

cloudbuild.builds.get

cloudbuild.builds.list

cloudbuild.operations.*

remotebuildexecution.blobs.get

resourcemanager.projects.get

resourcemanager.projects.list

(roles/cloudbuild.builds.builder)

Provides access to perform builds.

artifactregistry.aptartifacts.create

artifactregistry.dockerimages.*

artifactregistry.files.*

artifactregistry.kfpartifacts.create

artifactregistry.locations.*

artifactregistry.mavenartifacts.*

artifactregistry.npmpackages.*

artifactregistry.packages.get

artifactregistry.packages.list

artifactregistry.projectsettings.get

artifactregistry.pythonpackages.*

artifactregistry.repositories.createOnPush

artifactregistry.repositories.deleteArtifacts

artifactregistry.repositories.downloadArtifacts

artifactregistry.repositories.get

artifactregistry.repositories.list

artifactregistry.repositories.listEffectiveTags

artifactregistry.repositories.listTagBindings

artifactregistry.repositories.readViaVirtualRepository

artifactregistry.repositories.uploadArtifacts

artifactregistry.tags.create

artifactregistry.tags.get

artifactregistry.tags.list

artifactregistry.tags.update

artifactregistry.versions.get

artifactregistry.versions.list

artifactregistry.yumartifacts.create

cloudbuild.builds.create

cloudbuild.builds.get

cloudbuild.builds.list

cloudbuild.builds.update

cloudbuild.operations.*

cloudbuild.workerpools.use

containeranalysis.occurrences.create

containeranalysis.occurrences.delete

containeranalysis.occurrences.get

containeranalysis.occurrences.list

containeranalysis.occurrences.update

logging.logEntries.create

logging.logEntries.list

logging.views.access

pubsub.topics.create

pubsub.topics.publish

remotebuildexecution.blobs.get

resourcemanager.projects.get

resourcemanager.projects.list

source.repos.get

source.repos.list

storage.buckets.create

storage.buckets.get

storage.buckets.list

storage.objects.create

storage.objects.delete

storage.objects.get

storage.objects.list

storage.objects.update

(roles/cloudbuild.builds.editor)

Provides access to create and cancel builds.

Lowest-level resources where you can grant this role:

  • Project

cloudbuild.builds.create

cloudbuild.builds.get

cloudbuild.builds.list

cloudbuild.builds.update

cloudbuild.operations.*

remotebuildexecution.blobs.get

resourcemanager.projects.get

resourcemanager.projects.list

(roles/cloudbuild.builds.viewer)

Provides access to view builds.

Lowest-level resources where you can grant this role:

  • Project

cloudbuild.builds.get

cloudbuild.builds.list

cloudbuild.operations.*

remotebuildexecution.blobs.get

resourcemanager.projects.get

resourcemanager.projects.list

(roles/cloudbuild.connectionAdmin)

Can manage connections and repositories.

cloudbuild.connections.*

cloudbuild.operations.*

cloudbuild.repositories.create

cloudbuild.repositories.delete

cloudbuild.repositories.fetchGitRefs

cloudbuild.repositories.get

cloudbuild.repositories.list

resourcemanager.projects.get

resourcemanager.projects.list

(roles/cloudbuild.connectionViewer)

Can view and list connections and repositories.

cloudbuild.connections.fetchLinkableRepositories

cloudbuild.connections.get

cloudbuild.connections.getIamPolicy

cloudbuild.connections.list

cloudbuild.repositories.fetchGitRefs

cloudbuild.repositories.get

cloudbuild.repositories.list

resourcemanager.projects.get

resourcemanager.projects.list

(roles/cloudbuild.integrationsEditor)

Can update Integrations

cloudbuild.integrations.get

cloudbuild.integrations.list

cloudbuild.integrations.update

resourcemanager.projects.get

resourcemanager.projects.list

(roles/cloudbuild.integrationsOwner)

Can create/delete Integrations

cloudbuild.integrations.*

compute.firewalls.create

compute.firewalls.get

compute.firewalls.list

compute.networks.get

compute.networks.updatePolicy

compute.regions.get

compute.subnetworks.get

compute.subnetworks.list

resourcemanager.projects.get

resourcemanager.projects.list

(roles/cloudbuild.integrationsViewer)

Can view Integrations

cloudbuild.integrations.get

cloudbuild.integrations.list

resourcemanager.projects.get

resourcemanager.projects.list

(roles/cloudbuild.readTokenAccessor)

Can view the connection and access its read-only token.

cloudbuild.connections.get

cloudbuild.repositories.accessReadToken

cloudbuild.repositories.get

(roles/cloudbuild.tokenAccessor)

Can view the connection and access its read/write and read-only tokens.

cloudbuild.connections.get

cloudbuild.repositories.accessReadToken

cloudbuild.repositories.accessReadWriteToken

cloudbuild.repositories.get

cloudbuild.repositories.list

(roles/cloudbuild.workerPoolEditor)

Can update and view WorkerPools

cloudbuild.workerpools.get

cloudbuild.workerpools.list

cloudbuild.workerpools.update

resourcemanager.projects.get

resourcemanager.projects.list

(roles/cloudbuild.workerPoolOwner)

Can create, delete, update, and view WorkerPools

cloudbuild.workerpools.create

cloudbuild.workerpools.delete

cloudbuild.workerpools.get

cloudbuild.workerpools.list

cloudbuild.workerpools.update

resourcemanager.projects.get

resourcemanager.projects.list

(roles/cloudbuild.workerPoolUser)

Can run builds in the WorkerPool

cloudbuild.workerpools.use

(roles/cloudbuild.workerPoolViewer)

Can view WorkerPools

cloudbuild.workerpools.get

cloudbuild.workerpools.list

resourcemanager.projects.get

resourcemanager.projects.list

Permissions

(roles/composer.ServiceAgentV2Ext)

Cloud Composer v2 API Service Agent Extension is a supplementary role required to manage Composer v2 environments.

iam.serviceAccounts.getIamPolicy

iam.serviceAccounts.setIamPolicy

(roles/composer.admin)

Provides full control of Cloud Composer resources.

Lowest-level resources where you can grant this role:

  • Project

composer.*

serviceusage.quotas.get

serviceusage.services.get

serviceusage.services.list

(roles/composer.environmentAndStorageObjectAdmin)

Provides full control of Cloud Composer resources and of the objects in all project buckets.

Lowest-level resources where you can grant this role:

  • Project

composer.*

orgpolicy.policy.get

resourcemanager.projects.get

resourcemanager.projects.list

serviceusage.quotas.get

serviceusage.services.get

serviceusage.services.list

storage.managedFolders.create

storage.managedFolders.delete

storage.managedFolders.get

storage.managedFolders.list

storage.multipartUploads.*

storage.objects.*

(roles/composer.environmentAndStorageObjectUser)

Read and use access to Cloud Composer resources and read access to Cloud Storage objects.

composer.dags.*

composer.environments.get

composer.environments.list

composer.imageversions.list

composer.operations.get

composer.operations.list

composer.userworkloadsconfigmaps.get

composer.userworkloadsconfigmaps.list

composer.userworkloadssecrets.get

composer.userworkloadssecrets.list

resourcemanager.projects.get

resourcemanager.projects.list

serviceusage.quotas.get

serviceusage.services.get

serviceusage.services.list

storage.managedFolders.get

storage.managedFolders.list

storage.objects.get

storage.objects.list

(roles/composer.environmentAndStorageObjectViewer)

Provides the permissions necessary to list and get Cloud Composer environments and operations. Provides read-only access to objects in all project buckets.

Lowest-level resources where you can grant this role:

  • Project

composer.dags.*

composer.environments.get

composer.environments.list

composer.imageversions.list

composer.operations.get

composer.operations.list

composer.userworkloadsconfigmaps.get

composer.userworkloadsconfigmaps.list

composer.userworkloadssecrets.get

composer.userworkloadssecrets.list

resourcemanager.projects.get

resourcemanager.projects.list

serviceusage.quotas.get

serviceusage.services.get

serviceusage.services.list

storage.managedFolders.get

storage.managedFolders.list

storage.objects.get

storage.objects.list

(roles/composer.sharedVpcAgent)

Role that should be assigned to the Composer Agent service account in the Shared VPC host project.

compute.networkAttachments.create

compute.networkAttachments.delete

compute.networkAttachments.get

compute.networkAttachments.update

compute.networks.access

compute.networks.addPeering

compute.networks.get

compute.networks.list

compute.networks.listPeeringRoutes

compute.networks.removePeering

compute.networks.updatePeering

compute.networks.use

compute.networks.useExternalIp

compute.projects.get

compute.regions.*

compute.subnetworks.get

compute.subnetworks.list

compute.subnetworks.use

compute.subnetworks.useExternalIp

compute.zones.*

dns.managedZones.get

dns.managedZones.list

dns.networks.targetWithPeeringZone

(roles/composer.user)

Provides the permissions necessary to list and get Cloud Composer environments and operations.

Lowest-level resources where you can grant this role:

  • Project

composer.dags.*

composer.environments.get

composer.environments.list

composer.imageversions.list

composer.operations.get

composer.operations.list

composer.userworkloadsconfigmaps.get

composer.userworkloadsconfigmaps.list

composer.userworkloadssecrets.get

composer.userworkloadssecrets.list

serviceusage.quotas.get

serviceusage.services.get

serviceusage.services.list

(roles/composer.worker)

Provides the permissions necessary to run a Cloud Composer environment VM. Intended for service accounts.

Lowest-level resources where you can grant this role:

  • Project

artifactregistry.*

cloudbuild.builds.create

cloudbuild.builds.get

cloudbuild.builds.list

cloudbuild.builds.update

cloudbuild.operations.*

cloudbuild.workerpools.use

composer.environments.get

container.*

containeranalysis.occurrences.create

containeranalysis.occurrences.delete

containeranalysis.occurrences.get

containeranalysis.occurrences.list

containeranalysis.occurrences.update

datalineage.events.create

datalineage.processes.create

datalineage.processes.get

datalineage.processes.update

datalineage.runs.create

datalineage.runs.get

datalineage.runs.update

logging.logEntries.create

logging.logEntries.list

logging.logEntries.route

logging.views.access

monitoring.metricDescriptors.create

monitoring.metricDescriptors.get

monitoring.metricDescriptors.list

monitoring.monitoredResourceDescriptors.*

monitoring.timeSeries.*

orgpolicy.policy.get

pubsub.schemas.attach

pubsub.schemas.commit

pubsub.schemas.create

pubsub.schemas.delete

pubsub.schemas.get

pubsub.schemas.list

pubsub.schemas.listRevisions

pubsub.schemas.rollback

pubsub.schemas.validate

pubsub.snapshots.create

pubsub.snapshots.delete

pubsub.snapshots.get

pubsub.snapshots.list

pubsub.snapshots.seek

pubsub.snapshots.update

pubsub.subscriptions.consume

pubsub.subscriptions.create

pubsub.subscriptions.delete

pubsub.subscriptions.get

pubsub.subscriptions.list

pubsub.subscriptions.update

pubsub.topics.attachSubscription

pubsub.topics.create

pubsub.topics.delete

pubsub.topics.detachSubscription

pubsub.topics.get

pubsub.topics.list

pubsub.topics.publish

pubsub.topics.update

pubsub.topics.updateTag

recommender.containerDiagnosisInsights.*

recommender.containerDiagnosisRecommendations.*

recommender.locations.*

recommender.networkAnalyzerGkeConnectivityInsights.*

recommender.networkAnalyzerGkeIpAddressInsights.*

remotebuildexecution.blobs.get

resourcemanager.projects.get

resourcemanager.projects.list

serviceusage.quotas.get

serviceusage.services.get

serviceusage.services.list

source.repos.get

source.repos.list

storage.buckets.create

storage.buckets.get

storage.buckets.list

storage.managedFolders.create

storage.managedFolders.delete

storage.managedFolders.get

storage.managedFolders.list

storage.multipartUploads.*

storage.objects.*

Permissions

(roles/connectors.admin)

Full access to all resources of Connectors Service.

connectors.actions.*

connectors.connections.create

connectors.connections.delete

connectors.connections.executeSqlQuery

connectors.connections.get

connectors.connections.getConnectionSchemaMetadata

connectors.connections.getIamPolicy

connectors.connections.getRuntimeActionSchema

connectors.connections.getRuntimeEntitySchema

connectors.connections.list

connectors.connections.setIamPolicy

connectors.connections.update

connectors.connectors.*

connectors.customConnectorVersions.*

connectors.customConnectors.*

connectors.endpointAttachments.*

connectors.entities.*

connectors.entityTypes.list

connectors.eventSubscriptions.*

connectors.eventtypes.*

connectors.locations.*

connectors.managedZones.*

connectors.operations.*

connectors.providers.*

connectors.regionalSettings.*

connectors.runtimeconfig.get

connectors.schemaMetadata.refresh

connectors.settings.*

connectors.versions.*

resourcemanager.projects.get

resourcemanager.projects.list

secretmanager.secrets.getIamPolicy

(roles/connectors.customConnectorAdmin)

Custom Connector is a global resource which creates a custom connector within the given target project. This role grants Admin access to Custom Connector resources.

connectors.customConnectorVersions.*

connectors.customConnectors.*

connectors.locations.*

(roles/connectors.customConnectorViewer)

Custom Connector is a global resource which creates a custom connector within the given target project. This role grants Read-only access to Custom Connector & Custom Connector Version resources.

connectors.customConnectorVersions.get

connectors.customConnectorVersions.getIamPolicy

connectors.customConnectorVersions.list

connectors.customConnectors.get

connectors.customConnectors.getIamPolicy

connectors.customConnectors.list

connectors.locations.*

(roles/connectors.endpointAttachmentAdmin)

Endpoint Attachment is a regional resource which creates a PSC connection endpoint for the given PSC Service Attachment. This role grants Admin access to Connectors Endpoint Attachment resources.

connectors.endpointAttachments.*

connectors.locations.*

(roles/connectors.endpointAttachmentViewer)

Endpoint Attachment is a regional resource which creates a PSC connection endpoint for the given PSC Service Attachment. This role grants Read-only access to Connectors Endpoint Attachment resources.

connectors.endpointAttachments.get

connectors.endpointAttachments.getIamPolicy

connectors.endpointAttachments.list

connectors.locations.*

(roles/connectors.eventSubscriptionAdmin)

Event Subscription is a regional resource which creates subscriptions on events for a given connection within the given target project. This role grants Admin access to Connectors Subscription resources.

connectors.eventSubscriptions.*

(roles/connectors.eventSubscriptionViewer)

Event Subscription is a regional resource which creates subscriptions on events for a given connection within the given target project. This role grants Read-only access to Event Subscription resources.

connectors.eventSubscriptions.get

connectors.eventSubscriptions.list

(roles/connectors.invoker)

Full Access to invoke all operations on Connections.

connectors.actions.*

connectors.connections.executeSqlQuery

connectors.entities.*

connectors.entityTypes.list

(roles/connectors.listener)

Full Access to listen to events by connections.

connectors.connections.listenEvent

(roles/connectors.managedZoneAdmin)

Managed Zone is a global resource which creates a Cloud DNS Peering Zone with the given target project. This role grants Admin access to Connectors Managed Zone resources.

connectors.locations.*

connectors.managedZones.*

(roles/connectors.managedZoneViewer)

Managed Zone is a global resource which creates a Cloud DNS Peering Zone with the given target project. This role grants Read-only access to Connectors Managed Zone resources.

connectors.locations.*

connectors.managedZones.get

connectors.managedZones.getIamPolicy

connectors.managedZones.list

(roles/connectors.viewer)

Read-only access to all Connectors resources.

connectors.connections.get

connectors.connections.getConnectionSchemaMetadata

connectors.connections.getIamPolicy

connectors.connections.getRuntimeActionSchema

connectors.connections.getRuntimeEntitySchema

connectors.connections.list

connectors.connectors.*

connectors.customConnectorVersions.get

connectors.customConnectorVersions.getIamPolicy

connectors.customConnectorVersions.list

connectors.customConnectors.get

connectors.customConnectors.getIamPolicy

connectors.customConnectors.list

connectors.endpointAttachments.get

connectors.endpointAttachments.getIamPolicy

connectors.endpointAttachments.list

connectors.eventSubscriptions.get

connectors.eventSubscriptions.list

connectors.eventtypes.*

connectors.locations.*

connectors.managedZones.get

connectors.managedZones.getIamPolicy

connectors.managedZones.list

connectors.operations.get

connectors.operations.list

connectors.providers.*

connectors.regionalSettings.get

connectors.runtimeconfig.get

connectors.settings.get

connectors.versions.*

resourcemanager.projects.get

resourcemanager.projects.list

Permissions

(roles/datafusion.accessor)

Read-only access to Cloud Data Fusion Instances. Use it at the instance level along with the namespace grants to provide access to the specific namespace.

datafusion.instances.get

datafusion.instances.getIamPolicy

datafusion.instances.list

resourcemanager.projects.get

resourcemanager.projects.list

(roles/datafusion.admin)

Full access to Cloud Data Fusion Instances, Namespaces and related resources.

Lowest-level resources where you can grant this role:

  • Project

datafusion.*

resourcemanager.projects.get

resourcemanager.projects.list

(roles/datafusion.developer)

Access Cloud Data Fusion Instances, develop and run pipelines.

datafusion.artifacts.get

datafusion.artifacts.list

datafusion.instances.get

datafusion.instances.getIamPolicy

datafusion.instances.list

datafusion.locations.*

datafusion.operations.get

datafusion.operations.list

datafusion.pipelineConnections.get

datafusion.pipelineConnections.list

datafusion.pipelineConnections.use

datafusion.pipelines.*

datafusion.profiles.get

datafusion.profiles.list

datafusion.secureKeys.*

resourcemanager.projects.get

resourcemanager.projects.list

(roles/datafusion.operator)

Access Cloud Data Fusion Instances, operate namespaces and related resources.

datafusion.artifacts.*

datafusion.instances.get

datafusion.instances.getIamPolicy

datafusion.instances.list

datafusion.locations.*

datafusion.operations.get

datafusion.operations.list

datafusion.pipelineConnections.get

datafusion.pipelineConnections.list

datafusion.pipelineConnections.use

datafusion.pipelines.create

datafusion.pipelines.delete

datafusion.pipelines.execute

datafusion.pipelines.get

datafusion.pipelines.list

datafusion.pipelines.update

datafusion.profiles.*

datafusion.secureKeys.*

resourcemanager.projects.get

resourcemanager.projects.list

(roles/datafusion.runner)

Access to Cloud Data Fusion runtime resources.

datafusion.instances.runtime

(roles/datafusion.viewer)

Read-only access to Cloud Data Fusion Instances, Namespaces and related resources.

Lowest-level resources where you can grant this role:

  • Project

datafusion.artifacts.get

datafusion.artifacts.list

datafusion.instances.get

datafusion.instances.getIamPolicy

datafusion.instances.list

datafusion.locations.*

datafusion.operations.get

datafusion.operations.list

datafusion.pipelineConnections.get

datafusion.pipelineConnections.list

datafusion.pipelines.get

datafusion.pipelines.list

datafusion.profiles.get

datafusion.profiles.list

datafusion.secureKeys.list

resourcemanager.projects.get

resourcemanager.projects.list

Permissions

(roles/datalabeling.admin)

Full access to all Data Labeling resources

datalabeling.*

resourcemanager.projects.get

resourcemanager.projects.list

(roles/datalabeling.editor)

Editor of all Data Labeling resources

datalabeling.*

resourcemanager.projects.get

resourcemanager.projects.list

(roles/datalabeling.viewer)

Viewer of all Data Labeling resources

datalabeling.annotateddatasets.get

datalabeling.annotateddatasets.list

datalabeling.annotationspecsets.get

datalabeling.annotationspecsets.list

datalabeling.dataitems.*

datalabeling.datasets.get

datalabeling.datasets.list

datalabeling.examples.*

datalabeling.instructions.get

datalabeling.instructions.list

datalabeling.operations.get

datalabeling.operations.list

resourcemanager.projects.get

resourcemanager.projects.list

Permissions

(roles/dataplex.admin)

Full access to all Dataplex resources.

cloudasset.assets.analyzeIamPolicy

cloudasset.assets.searchAllIamPolicies

cloudasset.assets.searchAllResources

dataplex.assetActions.list

dataplex.assets.create

dataplex.assets.delete

dataplex.assets.get

dataplex.assets.getIamPolicy

dataplex.assets.list

dataplex.assets.setIamPolicy

dataplex.assets.update

dataplex.content.*

dataplex.dataAttributeBindings.*

dataplex.dataAttributes.*

dataplex.dataTaxonomies.*

dataplex.datascans.*

dataplex.entities.*

dataplex.environments.*

dataplex.lakeActions.list

dataplex.lakes.*

dataplex.locations.*

dataplex.operations.*

dataplex.partitions.*

dataplex.tasks.*

dataplex.zoneActions.list

dataplex.zones.*

resourcemanager.projects.get

resourcemanager.projects.list

(roles/dataplex.aspectTypeOwner)

Grants access to creating and managing Aspect Types. Does not give the right to create/modify Entries.

dataplex.aspectTypes.*

resourcemanager.projects.get

resourcemanager.projects.list

(roles/dataplex.aspectTypeUser)

Grants access to use Aspect Types to create/modify Entries with the corresponding aspects.

dataplex.aspectTypes.get

dataplex.aspectTypes.list

dataplex.aspectTypes.use

resourcemanager.projects.get

resourcemanager.projects.list

(roles/dataplex.bindingAdmin)

Full access on DataAttribute Binding resources.

dataplex.dataAttributeBindings.*

(roles/dataplex.catalogAdmin)

Has full access to Catalog resources: Entry Groups, Entry Types, Aspect Types and Entries.

dataplex.aspectTypes.*

dataplex.entries.*

dataplex.entryGroups.*

dataplex.entryTypes.*

resourcemanager.projects.get

resourcemanager.projects.list

(roles/dataplex.catalogEditor)

Has write access to Catalog resources: Entry Groups, Entry Types, Aspect Types and Entries. Cannot set IAM policies on resources.

dataplex.aspectTypes.create

dataplex.aspectTypes.delete

dataplex.aspectTypes.get

dataplex.aspectTypes.getIamPolicy

dataplex.aspectTypes.list

dataplex.aspectTypes.update

dataplex.aspectTypes.use

dataplex.entries.*

dataplex.entryGroups.create

dataplex.entryGroups.delete

dataplex.entryGroups.get

dataplex.entryGroups.getIamPolicy

dataplex.entryGroups.list

dataplex.entryGroups.update

dataplex.entryGroups.useContactsAspect

dataplex.entryGroups.useGenericAspect

dataplex.entryGroups.useGenericEntry

dataplex.entryGroups.useOverviewAspect

dataplex.entryGroups.useSchemaAspect

dataplex.entryTypes.create

dataplex.entryTypes.delete

dataplex.entryTypes.get

dataplex.entryTypes.getIamPolicy

dataplex.entryTypes.list

dataplex.entryTypes.update

dataplex.entryTypes.use

resourcemanager.projects.get

resourcemanager.projects.list

(roles/dataplex.catalogViewer)

Has read access to Catalog resources: Entry Groups, Entry Types, Aspect Types and Entries. Can view IAM policies on Catalog resources.

dataplex.aspectTypes.get

dataplex.aspectTypes.getIamPolicy

dataplex.aspectTypes.list

dataplex.entries.get

dataplex.entries.list

dataplex.entryGroups.get

dataplex.entryGroups.getIamPolicy

dataplex.entryGroups.list

dataplex.entryTypes.get

dataplex.entryTypes.getIamPolicy

dataplex.entryTypes.list

resourcemanager.projects.get

resourcemanager.projects.list

(roles/dataplex.dataOwner)

Owner access to data. To be granted to Dataplex resources Lake, Zone or Asset only.

dataplex.assets.ownData

dataplex.assets.readData

dataplex.assets.writeData

(roles/dataplex.dataReader)

Read only access to data. To be granted to Dataplex resources Lake, Zone or Asset only.

dataplex.assets.readData

(roles/dataplex.dataScanAdmin)

Full access to DataScan resources.

dataplex.datascans.*

dataplex.operations.get

dataplex.operations.list

(roles/dataplex.dataScanCreator)

Access to create new DataScan resources.

dataplex.datascans.create

dataplex.datascans.get

dataplex.datascans.list

dataplex.operations.get

(roles/dataplex.dataScanDataViewer)

Read access to DataScan resources and additional contents.

dataplex.datascans.get

dataplex.datascans.getData

dataplex.datascans.getIamPolicy

dataplex.datascans.list

(roles/dataplex.dataScanEditor)

Write access to DataScan resources.

dataplex.datascans.create

dataplex.datascans.delete

dataplex.datascans.get

dataplex.datascans.getData

dataplex.datascans.getIamPolicy

dataplex.datascans.list

dataplex.datascans.run

dataplex.datascans.update

dataplex.operations.get

dataplex.operations.list

(roles/dataplex.dataScanViewer)

Read access to DataScan resources.

dataplex.datascans.get

dataplex.datascans.getIamPolicy

dataplex.datascans.list

(roles/dataplex.dataWriter)

Write access to data. To be granted to Dataplex resources Lake, Zone or Asset only.

dataplex.assets.writeData

(roles/dataplex.developer)

Allows running data analytics workloads in a lake.

dataplex.content.*

dataplex.environments.execute

dataplex.environments.get

dataplex.environments.list

dataplex.tasks.cancel

dataplex.tasks.create

dataplex.tasks.delete

dataplex.tasks.get

dataplex.tasks.list

dataplex.tasks.run

dataplex.tasks.update

(roles/dataplex.editor)

Write access to Dataplex resources.

cloudasset.assets.analyzeIamPolicy

dataplex.assetActions.list

dataplex.assets.create

dataplex.assets.delete

dataplex.assets.get

dataplex.assets.getIamPolicy

dataplex.assets.list

dataplex.assets.update

dataplex.content.delete

dataplex.content.get

dataplex.content.getIamPolicy

dataplex.content.list

dataplex.dataAttributeBindings.create

dataplex.dataAttributeBindings.delete

dataplex.dataAttributeBindings.get

dataplex.dataAttributeBindings.getIamPolicy

dataplex.dataAttributeBindings.list

dataplex.dataAttributeBindings.update

dataplex.dataAttributes.bind

dataplex.dataAttributes.create

dataplex.dataAttributes.delete

dataplex.dataAttributes.get

dataplex.dataAttributes.getIamPolicy

dataplex.dataAttributes.list

dataplex.dataAttributes.update

dataplex.dataTaxonomies.configureDataAccess

dataplex.dataTaxonomies.configureResourceAccess

dataplex.dataTaxonomies.create

dataplex.dataTaxonomies.delete

dataplex.dataTaxonomies.get

dataplex.dataTaxonomies.getIamPolicy

dataplex.dataTaxonomies.list

dataplex.dataTaxonomies.update

dataplex.datascans.create

dataplex.datascans.delete

dataplex.datascans.get

dataplex.datascans.getIamPolicy

dataplex.datascans.list

dataplex.datascans.run

dataplex.datascans.update

dataplex.environments.create

dataplex.environments.delete

dataplex.environments.get

dataplex.environments.getIamPolicy

dataplex.environments.list

dataplex.environments.update

dataplex.lakeActions.list

dataplex.lakes.create

dataplex.lakes.delete

dataplex.lakes.get

dataplex.lakes.getIamPolicy

dataplex.lakes.list

dataplex.lakes.update

dataplex.operations.*

dataplex.tasks.cancel

dataplex.tasks.create

dataplex.tasks.delete

dataplex.tasks.get

dataplex.tasks.getIamPolicy

dataplex.tasks.list

dataplex.tasks.run

dataplex.tasks.update

dataplex.zoneActions.list

dataplex.zones.create

dataplex.zones.delete

dataplex.zones.get

dataplex.zones.getIamPolicy

dataplex.zones.list

dataplex.zones.update

(roles/dataplex.entryGroupOwner)

Owns Entry Groups and Entries inside of them.

dataplex.aspectTypes.get

dataplex.aspectTypes.list

dataplex.aspectTypes.use

dataplex.entries.*

dataplex.entryGroups.*

dataplex.entryTypes.get

dataplex.entryTypes.list

dataplex.entryTypes.use

resourcemanager.projects.get

resourcemanager.projects.list

(roles/dataplex.entryOwner)

Owns Metadata Entries.

dataplex.aspectTypes.get

dataplex.aspectTypes.list

dataplex.aspectTypes.use

dataplex.entries.*

dataplex.entryGroups.get

dataplex.entryGroups.useContactsAspect

dataplex.entryGroups.useGenericAspect

dataplex.entryGroups.useGenericEntry

dataplex.entryGroups.useOverviewAspect

dataplex.entryGroups.useSchemaAspect

dataplex.entryTypes.get

dataplex.entryTypes.list

dataplex.entryTypes.use

resourcemanager.projects.get

resourcemanager.projects.list

(roles/dataplex.entryTypeOwner)

Grants access to creating and managing Entry Types. Does not give the right to create/modify Entries.

dataplex.entryTypes.*

resourcemanager.projects.get

resourcemanager.projects.list

(roles/dataplex.entryTypeUser)

Grants access to use Entry Types to create/modify Entries of those types.

dataplex.entryTypes.get

dataplex.entryTypes.list

dataplex.entryTypes.use

resourcemanager.projects.get

resourcemanager.projects.list

(roles/dataplex.metadataReader)

Read only access to metadata.

dataplex.assets.get

dataplex.assets.list

dataplex.entities.get

dataplex.entities.list

dataplex.partitions.get

dataplex.partitions.list

dataplex.zones.get

dataplex.zones.list

resourcemanager.projects.get

resourcemanager.projects.list

(roles/dataplex.metadataWriter)

Write and Read access to metadata.

dataplex.assets.get

dataplex.assets.list

dataplex.entities.*

dataplex.partitions.*

dataplex.zones.get

dataplex.zones.list

resourcemanager.projects.get

resourcemanager.projects.list

(roles/dataplex.securityAdmin)

Permissions to configure ResourceAccess and DataAccess Specs on Data Attributes.

dataplex.dataTaxonomies.configureDataAccess

dataplex.dataTaxonomies.configureResourceAccess

(roles/dataplex.storageDataOwner)

Owner access to data. Should not be used directly. This role is granted by Dataplex to managed resources like Cloud Storage buckets, BigQuery datasets etc.

bigquery.datasets.get

bigquery.models.create

bigquery.models.delete

bigquery.models.export

bigquery.models.getData

bigquery.models.getMetadata

bigquery.models.list

bigquery.models.updateData

bigquery.models.updateMetadata

bigquery.routines.create

bigquery.routines.delete

bigquery.routines.get

bigquery.routines.list

bigquery.routines.update

bigquery.tables.create

bigquery.tables.createSnapshot

bigquery.tables.delete

bigquery.tables.deleteSnapshot

bigquery.tables.export

bigquery.tables.get

bigquery.tables.getData

bigquery.tables.list

bigquery.tables.restoreSnapshot

bigquery.tables.update

bigquery.tables.updateData

storage.buckets.get

storage.objects.create

storage.objects.delete

storage.objects.get

storage.objects.list

storage.objects.update

(roles/dataplex.storageDataReader)

Read only access to data. Should not be used directly. This role is granted by Dataplex to managed resources like Cloud Storage buckets, BigQuery datasets etc.

bigquery.datasets.get

bigquery.models.export

bigquery.models.getData

bigquery.models.getMetadata

bigquery.models.list

bigquery.routines.get

bigquery.routines.list

bigquery.tables.export

bigquery.tables.get

bigquery.tables.getData

bigquery.tables.list

storage.buckets.get

storage.objects.get

storage.objects.list

(roles/dataplex.storageDataWriter)

Write access to data. Should not be used directly. This role is granted by Dataplex to managed resources like Cloud Storage buckets, BigQuery datasets etc.

bigquery.tables.updateData

storage.objects.create

storage.objects.delete

storage.objects.update

(roles/dataplex.taxonomyAdmin)

Full access to DataTaxonomy, DataAttribute resources.

dataplex.dataAttributes.*

dataplex.dataTaxonomies.create

dataplex.dataTaxonomies.delete

dataplex.dataTaxonomies.get

dataplex.dataTaxonomies.getIamPolicy

dataplex.dataTaxonomies.list

dataplex.dataTaxonomies.setIamPolicy

dataplex.dataTaxonomies.update

(roles/dataplex.taxonomyViewer)

Read access on DataTaxonomy, DataAttribute resources.

dataplex.dataAttributes.get

dataplex.dataAttributes.getIamPolicy

dataplex.dataAttributes.list

dataplex.dataTaxonomies.get

dataplex.dataTaxonomies.getIamPolicy

dataplex.dataTaxonomies.list

(roles/dataplex.viewer)

Read access to Dataplex resources.

cloudasset.assets.analyzeIamPolicy

dataplex.assetActions.list

dataplex.assets.get

dataplex.assets.getIamPolicy

dataplex.assets.list

dataplex.content.get

dataplex.content.getIamPolicy

dataplex.content.list

dataplex.dataAttributeBindings.get

dataplex.dataAttributeBindings.getIamPolicy

dataplex.dataAttributeBindings.list

dataplex.dataAttributes.get

dataplex.dataAttributes.getIamPolicy

dataplex.dataAttributes.list

dataplex.dataTaxonomies.get

dataplex.dataTaxonomies.getIamPolicy

dataplex.dataTaxonomies.list

dataplex.datascans.get

dataplex.datascans.getIamPolicy

dataplex.datascans.list

dataplex.environments.get

dataplex.environments.getIamPolicy

dataplex.environments.list

dataplex.lakeActions.list

dataplex.lakes.get

dataplex.lakes.getIamPolicy

dataplex.lakes.list

dataplex.operations.get

dataplex.operations.list

dataplex.tasks.get

dataplex.tasks.getIamPolicy

dataplex.tasks.list

dataplex.zoneActions.list

dataplex.zones.get

dataplex.zones.getIamPolicy

dataplex.zones.list

Permissions

(roles/clouddebugger.agent)

Provides permissions to register the debug target, read active breakpoints, and report breakpoint results.

Lowest-level resources where you can grant this role:

  • Service Account

clouddebugger.breakpoints.list

clouddebugger.breakpoints.listActive

clouddebugger.breakpoints.update

clouddebugger.debuggees.create

(roles/clouddebugger.user)

Provides permissions to create, view, list, and delete breakpoints (snapshots & logpoints) as well as list debug targets (debuggees).

Lowest-level resources where you can grant this role:

  • Project

clouddebugger.breakpoints.create

clouddebugger.breakpoints.delete

clouddebugger.breakpoints.get

clouddebugger.breakpoints.list

clouddebugger.debuggees.list

Permissions

(roles/clouddeploy.admin)

Full control of Cloud Deploy resources.

clouddeploy.*

resourcemanager.projects.get

resourcemanager.projects.list

(roles/clouddeploy.approver)

Permission to approve or reject rollouts.

clouddeploy.config.get

clouddeploy.jobRuns.get

clouddeploy.jobRuns.list

clouddeploy.locations.*

clouddeploy.operations.*

clouddeploy.rollouts.approve

clouddeploy.rollouts.get

clouddeploy.rollouts.list

resourcemanager.projects.get

resourcemanager.projects.list

(roles/clouddeploy.customTargetTypeAdmin)

Permission to manage CustomTargetType resources

clouddeploy.config.get

clouddeploy.customTargetTypes.*

resourcemanager.projects.get

resourcemanager.projects.list

(roles/clouddeploy.developer)

Permission to manage deployment configuration without permission to access operational resources, such as targets.

clouddeploy.automationRuns.get

clouddeploy.automationRuns.list

clouddeploy.automations.get

clouddeploy.automations.list

clouddeploy.config.get

clouddeploy.deliveryPipelines.create

clouddeploy.deliveryPipelines.delete

clouddeploy.deliveryPipelines.get

clouddeploy.deliveryPipelines.getIamPolicy

clouddeploy.deliveryPipelines.list

clouddeploy.deliveryPipelines.update

clouddeploy.jobRuns.get

clouddeploy.jobRuns.list

clouddeploy.locations.*

clouddeploy.operations.*

clouddeploy.releases.*

clouddeploy.rollouts.get

clouddeploy.rollouts.list

resourcemanager.projects.get

resourcemanager.projects.list

(roles/clouddeploy.jobRunner)

Permission to execute Cloud Deploy work without permission to deliver to a target.

clouddeploy.config.get

logging.logEntries.create

storage.objects.create

storage.objects.get

storage.objects.list

(roles/clouddeploy.operator)

Permission to manage deployment configuration.

clouddeploy.automationRuns.*

clouddeploy.automations.*

clouddeploy.config.get

clouddeploy.customTargetTypes.get

clouddeploy.customTargetTypes.getIamPolicy

clouddeploy.customTargetTypes.list

clouddeploy.deliveryPipelines.create

clouddeploy.deliveryPipelines.delete

clouddeploy.deliveryPipelines.get

clouddeploy.deliveryPipelines.getIamPolicy

clouddeploy.deliveryPipelines.list

clouddeploy.deliveryPipelines.update

clouddeploy.jobRuns.*

clouddeploy.locations.*

clouddeploy.operations.*

clouddeploy.releases.*

clouddeploy.rollouts.advance

clouddeploy.rollouts.cancel

clouddeploy.rollouts.create

clouddeploy.rollouts.get

clouddeploy.rollouts.ignoreJob

clouddeploy.rollouts.list

clouddeploy.rollouts.retryJob

clouddeploy.rollouts.rollback

clouddeploy.targets.create

clouddeploy.targets.delete

clouddeploy.targets.get

clouddeploy.targets.getIamPolicy

clouddeploy.targets.list

clouddeploy.targets.update

resourcemanager.projects.get

resourcemanager.projects.list

(roles/clouddeploy.releaser)

Permission to create Cloud Deploy releases and rollouts.

clouddeploy.config.get

clouddeploy.customTargetTypes.get

clouddeploy.deliveryPipelines.get

clouddeploy.jobRuns.get

clouddeploy.jobRuns.list

clouddeploy.locations.*

clouddeploy.operations.*

clouddeploy.releases.create

clouddeploy.releases.get

clouddeploy.releases.list

clouddeploy.rollouts.advance

clouddeploy.rollouts.cancel

clouddeploy.rollouts.create

clouddeploy.rollouts.get

clouddeploy.rollouts.list

clouddeploy.rollouts.rollback

clouddeploy.targets.get

resourcemanager.projects.get

resourcemanager.projects.list

(roles/clouddeploy.viewer)

Can view Cloud Deploy resources.

clouddeploy.automationRuns.get

clouddeploy.automationRuns.list

clouddeploy.automations.get

clouddeploy.automations.list

clouddeploy.config.get

clouddeploy.customTargetTypes.get

clouddeploy.customTargetTypes.getIamPolicy

clouddeploy.customTargetTypes.list

clouddeploy.deliveryPipelines.get

clouddeploy.deliveryPipelines.getIamPolicy

clouddeploy.deliveryPipelines.list

clouddeploy.jobRuns.get

clouddeploy.jobRuns.list

clouddeploy.locations.*

clouddeploy.operations.get

clouddeploy.operations.list

clouddeploy.releases.get

clouddeploy.releases.list

clouddeploy.rollouts.get

clouddeploy.rollouts.list

clouddeploy.targets.get

clouddeploy.targets.getIamPolicy

clouddeploy.targets.list

resourcemanager.projects.get

resourcemanager.projects.list

Permissions

(roles/dlp.admin)

Administer DLP including jobs and templates.

dlp.analyzeRiskTemplates.*

dlp.charts.get

dlp.columnDataProfiles.*

dlp.connections.*

dlp.deidentifyTemplates.*

dlp.estimates.*

dlp.inspectFindings.list

dlp.inspectTemplates.*

dlp.jobTriggers.*

dlp.jobs.*

dlp.kms.encrypt

dlp.locations.*

dlp.projectDataProfiles.*

dlp.storedInfoTypes.*

dlp.subscriptions.*

dlp.tableDataProfiles.get

dlp.tableDataProfiles.list

resourcemanager.projects.get

resourcemanager.projects.list

serviceusage.services.use

(roles/dlp.analyzeRiskTemplatesEditor)

Edit DLP analyze risk templates.

dlp.analyzeRiskTemplates.*

(roles/dlp.analyzeRiskTemplatesReader)

Read DLP analyze risk templates.

dlp.analyzeRiskTemplates.get

dlp.analyzeRiskTemplates.list

(roles/dlp.columnDataProfilesReader)

Read DLP column profiles.

dlp.columnDataProfiles.*

(roles/dlp.connectionsAdmin)

Manage DLP Connections.

dlp.connections.*

resourcemanager.projects.get

resourcemanager.projects.list

(roles/dlp.connectionsReader)

View DLP Connections.

dlp.connections.get

dlp.connections.list

dlp.connections.search

(roles/dlp.dataProfilesAdmin)

Manage DLP profiles.

dlp.charts.get

dlp.columnDataProfiles.*

dlp.projectDataProfiles.*

dlp.tableDataProfiles.*

(roles/dlp.dataProfilesReader)

Read DLP profiles.

dlp.charts.get

dlp.columnDataProfiles.*

dlp.projectDataProfiles.*

dlp.tableDataProfiles.get

dlp.tableDataProfiles.list

(roles/dlp.deidentifyTemplatesEditor)

Edit DLP de-identify templates.

dlp.deidentifyTemplates.*

(roles/dlp.deidentifyTemplatesReader)

Read DLP de-identify templates.

dlp.deidentifyTemplates.get

dlp.deidentifyTemplates.list

(roles/dlp.estimatesAdmin)

Manage DLP Cost Estimates.

dlp.estimates.*

(roles/dlp.inspectFindingsReader)

Read DLP stored findings.

dlp.inspectFindings.list

(roles/dlp.inspectTemplatesEditor)

Edit DLP inspect templates.

dlp.inspectTemplates.*

(roles/dlp.inspectTemplatesReader)

Read DLP inspect templates.

dlp.inspectTemplates.get

dlp.inspectTemplates.list

(roles/dlp.jobTriggersEditor)

Edit job triggers configurations.

dlp.jobTriggers.*

(roles/dlp.jobTriggersReader)

Read job triggers.

dlp.jobTriggers.get

dlp.jobTriggers.list

(roles/dlp.jobsEditor)

Edit and create jobs

dlp.jobs.*

dlp.kms.encrypt

(roles/dlp.jobsReader)

Read jobs

dlp.jobs.get

dlp.jobs.list

(roles/dlp.orgdriver)

Permissions needed by the DLP service account to generate data profiles within an organization or folder.

Lowest-level resources where you can grant this role:

  • Folder

bigquery.bireservations.get

bigquery.capacityCommitments.get

bigquery.capacityCommitments.list

bigquery.config.get

bigquery.connections.updateTag

bigquery.datasets.create

bigquery.datasets.get

bigquery.datasets.getIamPolicy

bigquery.datasets.updateTag

bigquery.jobs.create

bigquery.jobs.get

bigquery.jobs.list

bigquery.jobs.listAll

bigquery.jobs.listExecutionMetadata

bigquery.models.*

bigquery.readsessions.*

bigquery.reservationAssignments.list

bigquery.reservationAssignments.search

bigquery.reservations.get

bigquery.reservations.list

bigquery.routines.*

bigquery.savedqueries.get

bigquery.savedqueries.list

bigquery.tables.create

bigquery.tables.createIndex

bigquery.tables.createSnapshot

bigquery.tables.delete

bigquery.tables.deleteIndex

bigquery.tables.export

bigquery.tables.get

bigquery.tables.getData

bigquery.tables.getIamPolicy

bigquery.tables.list

bigquery.tables.replicateData

bigquery.tables.restoreSnapshot

bigquery.tables.update

bigquery.tables.updateData

bigquery.tables.updateTag

bigquery.transfers.get

bigquerymigration.translation.translate

cloudasset.assets.*

cloudsql.instances.connect

cloudsql.instances.get

cloudsql.instances.login

datacatalog.categories.fineGrainedGet

datacatalog.entries.updateTag

datacatalog.entryGroups.updateTag

datacatalog.tagTemplates.create

datacatalog.tagTemplates.get

datacatalog.tagTemplates.getTag

datacatalog.tagTemplates.use

dataform.locations.*

dataform.repositories.create

dataform.repositories.list

dlp.analyzeRiskTemplates.*

dlp.charts.get

dlp.columnDataProfiles.*

dlp.connections.*

dlp.deidentifyTemplates.*

dlp.estimates.*

dlp.inspectFindings.list

dlp.inspectTemplates.*

dlp.jobTriggers.*

dlp.jobs.*

dlp.kms.encrypt

dlp.locations.*

dlp.projectDataProfiles.*

dlp.storedInfoTypes.*

dlp.subscriptions.*

dlp.tableDataProfiles.get

dlp.tableDataProfiles.list

pubsub.topics.updateTag

recommender.cloudAssetInsights.get

recommender.cloudAssetInsights.list

recommender.locations.*

resourcemanager.projects.get

resourcemanager.projects.list

serviceusage.services.use

(roles/dlp.projectDataProfilesReader)

Read DLP project profiles.

dlp.projectDataProfiles.*

(roles/dlp.projectdriver)

Permissions needed by the DLP service account to generate data profiles within a project.

bigquery.bireservations.get

bigquery.capacityCommitments.get

bigquery.capacityCommitments.list

bigquery.config.get

bigquery.connections.updateTag

bigquery.datasets.create

bigquery.datasets.get

bigquery.datasets.getIamPolicy

bigquery.datasets.updateTag

bigquery.jobs.create

bigquery.jobs.get

bigquery.jobs.list

bigquery.jobs.listAll

bigquery.jobs.listExecutionMetadata

bigquery.models.*

bigquery.readsessions.*

bigquery.reservationAssignments.list

bigquery.reservationAssignments.search

bigquery.reservations.get

bigquery.reservations.list

bigquery.routines.*

bigquery.savedqueries.get

bigquery.savedqueries.list

bigquery.tables.create

bigquery.tables.createIndex

bigquery.tables.createSnapshot

bigquery.tables.delete

bigquery.tables.deleteIndex

bigquery.tables.export

bigquery.tables.get

bigquery.tables.getData

bigquery.tables.getIamPolicy

bigquery.tables.list

bigquery.tables.replicateData

bigquery.tables.restoreSnapshot

bigquery.tables.update

bigquery.tables.updateData

bigquery.tables.updateTag

bigquery.transfers.get

bigquerymigration.translation.translate

cloudasset.assets.*

cloudsql.instances.connect

cloudsql.instances.get

cloudsql.instances.login

datacatalog.categories.fineGrainedGet

datacatalog.entries.updateTag

datacatalog.entryGroups.updateTag

datacatalog.tagTemplates.create

datacatalog.tagTemplates.get

datacatalog.tagTemplates.getTag

datacatalog.tagTemplates.use

dataform.locations.*

dataform.repositories.create

dataform.repositories.list

dlp.analyzeRiskTemplates.*

dlp.charts.get

dlp.columnDataProfiles.*

dlp.connections.*

dlp.deidentifyTemplates.*

dlp.estimates.*

dlp.inspectFindings.list

dlp.inspectTemplates.*

dlp.jobTriggers.*

dlp.jobs.*

dlp.kms.encrypt

dlp.locations.*

dlp.projectDataProfiles.*

dlp.storedInfoTypes.*

dlp.subscriptions.*

dlp.tableDataProfiles.get

dlp.tableDataProfiles.list

pubsub.topics.updateTag

recommender.cloudAssetInsights.get

recommender.cloudAssetInsights.list

recommender.locations.*

resourcemanager.projects.get

resourcemanager.projects.list

serviceusage.services.use

(roles/dlp.reader)

Read DLP entities, such as jobs and templates.

dlp.analyzeRiskTemplates.get

dlp.analyzeRiskTemplates.list

dlp.deidentifyTemplates.get

dlp.deidentifyTemplates.list

dlp.inspectFindings.list

dlp.inspectTemplates.get

dlp.inspectTemplates.list

dlp.jobTriggers.get

dlp.jobTriggers.list

dlp.jobs.get

dlp.jobs.list

dlp.locations.*

dlp.storedInfoTypes.get

dlp.storedInfoTypes.list

(roles/dlp.storedInfoTypesEditor)

Edit DLP stored info types.

dlp.storedInfoTypes.*

(roles/dlp.storedInfoTypesReader)

Read DLP stored info types.

dlp.storedInfoTypes.get

dlp.storedInfoTypes.list

(roles/dlp.subscriptionsAdmin)

Manage DLP subscriptions.

dlp.subscriptions.*

resourcemanager.projects.get

resourcemanager.projects.list

(roles/dlp.subscriptionsReader)

View DLP subscriptions.

dlp.subscriptions.get

dlp.subscriptions.list

(roles/dlp.tableDataProfilesAdmin)

Manage DLP table profiles.

dlp.tableDataProfiles.*

(roles/dlp.tableDataProfilesReader)

Read DLP table profiles.

dlp.tableDataProfiles.get

dlp.tableDataProfiles.list

(roles/dlp.user)

Inspect, Redact, and De-identify Content

dlp.kms.encrypt

dlp.locations.*

serviceusage.services.use

Permissions

(roles/domains.admin)

Full access to Cloud Domains Registrations and related resources.

domains.*

resourcemanager.projects.get

resourcemanager.projects.list

(roles/domains.viewer)

Read-only access to Cloud Domains Registrations and related resources.

domains.locations.*

domains.operations.get

domains.operations.list

domains.registrations.get

domains.registrations.getIamPolicy

domains.registrations.list

domains.registrations.listEffectiveTags

domains.registrations.listTagBindings

resourcemanager.projects.get

resourcemanager.projects.list

Permissions

(roles/file.editor)

Read-write access to Filestore instances and related resources.

file.*

(roles/file.viewer)

Read-only access to Filestore instances and related resources.

file.backups.get

file.backups.list

file.backups.listEffectiveTags

file.backups.listTagBindings

file.instances.get

file.instances.list

file.instances.listEffectiveTags

file.instances.listTagBindings

file.locations.*

file.operations.get

file.operations.list

file.snapshots.listEffectiveTags

file.snapshots.listTagBindings

Permissions

(roles/financialservices.admin)

Full access to all Financial Services API resources.

financialservices.*

resourcemanager.projects.get

resourcemanager.projects.list

(roles/financialservices.viewer)

View access to all Financial Services API resources.

financialservices.locations.*

financialservices.operations.get

financialservices.operations.list

financialservices.v1backtests.exportMetadata

financialservices.v1backtests.get

financialservices.v1backtests.list

financialservices.v1datasets.get

financialservices.v1datasets.list

financialservices.v1engineconfigs.exportMetadata

financialservices.v1engineconfigs.get

financialservices.v1engineconfigs.list

financialservices.v1engineversions.*

financialservices.v1instances.exportRegisteredParties

financialservices.v1instances.get

financialservices.v1instances.list

financialservices.v1models.exportMetadata

financialservices.v1models.get

financialservices.v1models.list

financialservices.v1predictions.exportMetadata

financialservices.v1predictions.get

financialservices.v1predictions.list

resourcemanager.projects.get

resourcemanager.projects.list

Permissions

(roles/cloudfunctions.admin)

Full access to functions, operations and locations.

cloudbuild.builds.get

cloudbuild.builds.list

cloudbuild.operations.*

cloudfunctions.*

eventarc.*

recommender.cloudFunctionsPerformanceInsights.*

recommender.cloudFunctionsPerformanceRecommendations.*

recommender.locations.*

recommender.runServiceCostInsights.*

recommender.runServiceCostRecommendations.*

recommender.runServiceIdentityInsights.*

recommender.runServiceIdentityRecommendations.*

recommender.runServicePerformanceInsights.*

recommender.runServicePerformanceRecommendations.*

recommender.runServiceSecurityInsights.*

recommender.runServiceSecurityRecommendations.*

remotebuildexecution.blobs.get

resourcemanager.projects.get

resourcemanager.projects.list

run.*

serviceusage.quotas.get

serviceusage.services.get

serviceusage.services.list

(roles/cloudfunctions.developer)

Read and write access to all functions-related resources.

cloudbuild.builds.get

cloudbuild.builds.list

cloudbuild.operations.*

cloudfunctions.functions.call

cloudfunctions.functions.create

cloudfunctions.functions.delete

cloudfunctions.functions.get

cloudfunctions.functions.invoke

cloudfunctions.functions.list

cloudfunctions.functions.sourceCodeGet

cloudfunctions.functions.sourceCodeSet

cloudfunctions.functions.update

cloudfunctions.locations.list

cloudfunctions.operations.*

eventarc.channelConnections.create

eventarc.channelConnections.delete

eventarc.channelConnections.get

eventarc.channelConnections.getIamPolicy

eventarc.channelConnections.list

eventarc.channelConnections.publish

eventarc.channels.attach

eventarc.channels.create

eventarc.channels.delete

eventarc.channels.get

eventarc.channels.getIamPolicy

eventarc.channels.list

eventarc.channels.publish

eventarc.channels.undelete

eventarc.channels.update

eventarc.googleChannelConfigs.*

eventarc.locations.*

eventarc.operations.*

eventarc.providers.*

eventarc.triggers.create

eventarc.triggers.delete

eventarc.triggers.get

eventarc.triggers.getIamPolicy

eventarc.triggers.list

eventarc.triggers.undelete

eventarc.triggers.update

recommender.cloudFunctionsPerformanceInsights.*

recommender.cloudFunctionsPerformanceRecommendations.*

recommender.locations.*

recommender.runServiceCostInsights.*

recommender.runServiceCostRecommendations.*

recommender.runServiceIdentityInsights.*

recommender.runServiceIdentityRecommendations.*

recommender.runServicePerformanceInsights.*

recommender.runServicePerformanceRecommendations.*

recommender.runServiceSecurityInsights.*

recommender.runServiceSecurityRecommendations.*

remotebuildexecution.blobs.get

resourcemanager.projects.get

resourcemanager.projects.list

run.configurations.*

run.executions.*

run.jobs.create

run.jobs.delete

run.jobs.get

run.jobs.getIamPolicy

run.jobs.list

run.jobs.listEffectiveTags

run.jobs.listTagBindings

run.jobs.run

run.jobs.runWithOverrides

run.jobs.update

run.locations.list

run.operations.*

run.revisions.*

run.routes.*

run.services.create

run.services.delete

run.services.get

run.services.getIamPolicy

run.services.list

run.services.listEffectiveTags

run.services.listTagBindings

run.services.update

run.tasks.*

serviceusage.quotas.get

serviceusage.services.get

serviceusage.services.list

(roles/cloudfunctions.invoker)

Ability to invoke 1st gen HTTP functions with restricted access. 2nd gen functions need the Cloud Run Invoker role instead.

cloudfunctions.functions.invoke

(roles/cloudfunctions.viewer)

Read-only access to functions and locations.

cloudbuild.builds.get

cloudbuild.builds.list

cloudbuild.operations.*

cloudfunctions.functions.get

cloudfunctions.functions.getIamPolicy

cloudfunctions.functions.list

cloudfunctions.locations.list

cloudfunctions.operations.*

eventarc.channelConnections.get

eventarc.channelConnections.getIamPolicy

eventarc.channelConnections.list

eventarc.channels.get

eventarc.channels.getIamPolicy

eventarc.channels.list

eventarc.googleChannelConfigs.get

eventarc.locations.*

eventarc.operations.get

eventarc.operations.list

eventarc.providers.*

eventarc.triggers.get

eventarc.triggers.getIamPolicy

eventarc.triggers.list

recommender.cloudFunctionsPerformanceInsights.get

recommender.cloudFunctionsPerformanceInsights.list

recommender.cloudFunctionsPerformanceRecommendations.get

recommender.cloudFunctionsPerformanceRecommendations.list

recommender.locations.*

recommender.runServiceCostInsights.get

recommender.runServiceCostInsights.list

recommender.runServiceCostRecommendations.get

recommender.runServiceCostRecommendations.list

recommender.runServiceIdentityInsights.get

recommender.runServiceIdentityInsights.list

recommender.runServiceIdentityRecommendations.get

recommender.runServiceIdentityRecommendations.list

recommender.runServicePerformanceInsights.get

recommender.runServicePerformanceInsights.list

recommender.runServicePerformanceRecommendations.get

recommender.runServicePerformanceRecommendations.list

recommender.runServiceSecurityInsights.get

recommender.runServiceSecurityInsights.list

recommender.runServiceSecurityRecommendations.get

recommender.runServiceSecurityRecommendations.list

remotebuildexecution.blobs.get

resourcemanager.projects.get

resourcemanager.projects.list

run.configurations.*

run.executions.get

run.executions.list

run.jobs.get

run.jobs.getIamPolicy

run.jobs.list

run.jobs.listEffectiveTags

run.jobs.listTagBindings

run.locations.list

run.operations.get

run.operations.list

run.revisions.get

run.revisions.list

run.routes.get

run.routes.list

run.services.get

run.services.getIamPolicy

run.services.list

run.services.listEffectiveTags

run.services.listTagBindings

run.tasks.*

serviceusage.quotas.get

serviceusage.services.get

serviceusage.services.list

Permissions

(roles/healthcare.annotationEditor)

Create, delete, update, read and list annotations.

healthcare.annotationStores.get

healthcare.annotationStores.list

healthcare.annotations.*

healthcare.datasets.get

healthcare.datasets.list

healthcare.locations.*

healthcare.operations.get

resourcemanager.projects.get

resourcemanager.projects.list

(roles/healthcare.annotationReader)

Read and list annotations in an Annotation store.

healthcare.annotationStores.get

healthcare.annotationStores.list

healthcare.annotations.get

healthcare.annotations.list

healthcare.datasets.get

healthcare.datasets.list

healthcare.locations.*

healthcare.operations.get

resourcemanager.projects.get

resourcemanager.projects.list

(roles/healthcare.annotationStoreAdmin)

Administer Annotation stores.

healthcare.annotationStores.*

healthcare.datasets.get

healthcare.datasets.list

healthcare.locations.*

healthcare.operations.get

resourcemanager.projects.get

resourcemanager.projects.list

(roles/healthcare.annotationStoreViewer)

List Annotation Stores in a dataset.

healthcare.annotationStores.get

healthcare.annotationStores.list

healthcare.datasets.get

healthcare.datasets.list

healthcare.locations.*

healthcare.operations.get

resourcemanager.projects.get

resourcemanager.projects.list

(roles/healthcare.attributeDefinitionEditor)

Edit AttributeDefinition objects.

healthcare.attributeDefinitions.*

healthcare.consentStores.checkDataAccess

healthcare.consentStores.evaluateUserConsents

healthcare.consentStores.get

healthcare.consentStores.list

healthcare.consentStores.queryAccessibleData

healthcare.datasets.get

healthcare.datasets.list

healthcare.locations.*

healthcare.operations.get

resourcemanager.projects.get

resourcemanager.projects.list

(roles/healthcare.attributeDefinitionReader)

Read AttributeDefinition objects in a consent store.

healthcare.attributeDefinitions.get

healthcare.attributeDefinitions.list

healthcare.consentStores.checkDataAccess

healthcare.consentStores.evaluateUserConsents

healthcare.consentStores.get

healthcare.consentStores.list

healthcare.consentStores.queryAccessibleData

healthcare.datasets.get

healthcare.datasets.list

healthcare.locations.*

healthcare.operations.get

resourcemanager.projects.get

resourcemanager.projects.list

(roles/healthcare.consentArtifactAdmin)

Administer ConsentArtifact objects.

healthcare.consentArtifacts.*

healthcare.consentStores.checkDataAccess

healthcare.consentStores.evaluateUserConsents

healthcare.consentStores.get

healthcare.consentStores.list

healthcare.consentStores.queryAccessibleData

healthcare.datasets.get

healthcare.datasets.list

healthcare.locations.*

healthcare.operations.get

resourcemanager.projects.get

resourcemanager.projects.list

(roles/healthcare.consentArtifactEditor)

Edit ConsentArtifact objects.

healthcare.consentArtifacts.create

healthcare.consentArtifacts.get

healthcare.consentArtifacts.list

healthcare.consentStores.checkDataAccess

healthcare.consentStores.evaluateUserConsents

healthcare.consentStores.get

healthcare.consentStores.list

healthcare.consentStores.queryAccessibleData

healthcare.datasets.get

healthcare.datasets.list

healthcare.locations.*

healthcare.operations.get

resourcemanager.projects.get

resourcemanager.projects.list

(roles/healthcare.consentArtifactReader)

Read ConsentArtifact objects in a consent store.

healthcare.consentArtifacts.get

healthcare.consentArtifacts.list

healthcare.consentStores.checkDataAccess

healthcare.consentStores.evaluateUserConsents

healthcare.consentStores.get

healthcare.consentStores.list

healthcare.consentStores.queryAccessibleData

healthcare.datasets.get

healthcare.datasets.list

healthcare.locations.*

healthcare.operations.get

resourcemanager.projects.get

resourcemanager.projects.list

(roles/healthcare.consentEditor)

Edit Consent objects.

healthcare.consentStores.checkDataAccess

healthcare.consentStores.evaluateUserConsents

healthcare.consentStores.get

healthcare.consentStores.list

healthcare.consentStores.queryAccessibleData

healthcare.consents.*

healthcare.datasets.get

healthcare.datasets.list

healthcare.locations.*

healthcare.operations.get

resourcemanager.projects.get

resourcemanager.projects.list

(roles/healthcare.consentReader)

Read Consent objects in a consent store.

healthcare.consentStores.checkDataAccess

healthcare.consentStores.evaluateUserConsents

healthcare.consentStores.get

healthcare.consentStores.list

healthcare.consentStores.queryAccessibleData

healthcare.consents.get

healthcare.consents.list

healthcare.datasets.get

healthcare.datasets.list

healthcare.locations.*

healthcare.operations.get

resourcemanager.projects.get

resourcemanager.projects.list

(roles/healthcare.consentStoreAdmin)

Administer Consent stores.

healthcare.consentStores.*

healthcare.datasets.get

healthcare.datasets.list

healthcare.locations.*

healthcare.operations.get

resourcemanager.projects.get

resourcemanager.projects.list

(roles/healthcare.consentStoreViewer)

List Consent Stores in a dataset.

healthcare.consentStores.checkDataAccess

healthcare.consentStores.evaluateUserConsents

healthcare.consentStores.get

healthcare.consentStores.list

healthcare.consentStores.queryAccessibleData

healthcare.datasets.get

healthcare.datasets.list

healthcare.locations.*

healthcare.operations.get

resourcemanager.projects.get

resourcemanager.projects.list

(roles/healthcare.datasetAdmin)

Administer Healthcare Datasets.

healthcare.datasets.*

healthcare.locations.*

healthcare.operations.*

resourcemanager.projects.get

resourcemanager.projects.list

(roles/healthcare.datasetViewer)

List the Healthcare Datasets in a project.

healthcare.datasets.get

healthcare.datasets.list

healthcare.locations.*

healthcare.operations.get

resourcemanager.projects.get

resourcemanager.projects.list

(roles/healthcare.dicomEditor)

Edit DICOM images individually and in bulk.

healthcare.datasets.get

healthcare.datasets.list

healthcare.dicomStores.dicomWebDelete

healthcare.dicomStores.dicomWebRead

healthcare.dicomStores.dicomWebWrite

healthcare.dicomStores.export

healthcare.dicomStores.get

healthcare.dicomStores.import

healthcare.dicomStores.list

healthcare.locations.*

healthcare.operations.cancel

healthcare.operations.get

resourcemanager.projects.get

resourcemanager.projects.list

(roles/healthcare.dicomStoreAdmin)

Administer DICOM stores.

healthcare.datasets.get

healthcare.datasets.list

healthcare.dicomStores.create

healthcare.dicomStores.deidentify

healthcare.dicomStores.delete

healthcare.dicomStores.dicomWebDelete

healthcare.dicomStores.get

healthcare.dicomStores.getIamPolicy

healthcare.dicomStores.list

healthcare.dicomStores.setIamPolicy

healthcare.dicomStores.update

healthcare.locations.*

healthcare.operations.cancel

healthcare.operations.get

resourcemanager.projects.get

resourcemanager.projects.list

(roles/healthcare.dicomStoreViewer)

List DICOM Stores in a dataset.

healthcare.datasets.get

healthcare.datasets.list

healthcare.dicomStores.get

healthcare.dicomStores.list

healthcare.locations.*

healthcare.operations.get

resourcemanager.projects.get

resourcemanager.projects.list

(roles/healthcare.dicomViewer)

Retrieve DICOM images from a DICOM store.

healthcare.datasets.get

healthcare.datasets.list

healthcare.dicomStores.dicomWebRead

healthcare.dicomStores.export

healthcare.dicomStores.get

healthcare.dicomStores.list

healthcare.locations.*

healthcare.operations.get

resourcemanager.projects.get

resourcemanager.projects.list

(roles/healthcare.fhirResourceEditor)

Create, delete, update, read and search FHIR resources.

healthcare.datasets.get

healthcare.datasets.list

healthcare.fhirResources.create

healthcare.fhirResources.delete

healthcare.fhirResources.get

healthcare.fhirResources.patch

healthcare.fhirResources.translateConceptMap

healthcare.fhirResources.update

healthcare.fhirStores.executeBundle

healthcare.fhirStores.get

healthcare.fhirStores.list

healthcare.fhirStores.searchResources

healthcare.locations.*

healthcare.operations.cancel

healthcare.operations.get

resourcemanager.projects.get

resourcemanager.projects.list

(roles/healthcare.fhirResourceReader)

Read and search FHIR resources.

healthcare.datasets.get

healthcare.datasets.list

healthcare.fhirResources.get

healthcare.fhirResources.translateConceptMap

healthcare.fhirStores.executeBundle

healthcare.fhirStores.get

healthcare.fhirStores.list

healthcare.fhirStores.searchResources

healthcare.locations.*

healthcare.operations.get

resourcemanager.projects.get

resourcemanager.projects.list

(roles/healthcare.fhirStoreAdmin)

Administer FHIR resource stores.

healthcare.datasets.get

healthcare.datasets.list

healthcare.fhirResources.purge

healthcare.fhirStores.applyConsents

healthcare.fhirStores.configureSearch

healthcare.fhirStores.create

healthcare.fhirStores.deidentify

healthcare.fhirStores.delete

healthcare.fhirStores.explainDataAccess

healthcare.fhirStores.export

healthcare.fhirStores.get

healthcare.fhirStores.getIamPolicy

healthcare.fhirStores.import

healthcare.fhirStores.list

healthcare.fhirStores.rollback

healthcare.fhirStores.setIamPolicy

healthcare.fhirStores.update

healthcare.locations.*

healthcare.operations.cancel

healthcare.operations.get

resourcemanager.projects.get

resourcemanager.projects.list

(roles/healthcare.fhirStoreViewer)

List FHIR Stores in a dataset.

healthcare.datasets.get

healthcare.datasets.list

healthcare.fhirStores.get

healthcare.fhirStores.list

healthcare.locations.*

healthcare.operations.get

resourcemanager.projects.get

resourcemanager.projects.list

(roles/healthcare.hl7V2Consumer)

List and read HL7v2 messages, update message labels, and publish new messages.

healthcare.datasets.get

healthcare.datasets.list

healthcare.hl7V2Messages.create

healthcare.hl7V2Messages.get

healthcare.hl7V2Messages.list

healthcare.hl7V2Messages.update

healthcare.hl7V2Stores.get

healthcare.hl7V2Stores.list

healthcare.locations.*

healthcare.operations.get

resourcemanager.projects.get

resourcemanager.projects.list

(roles/healthcare.hl7V2Editor)

Read, write, and delete access to HL7v2 messages.

healthcare.datasets.get

healthcare.datasets.list

healthcare.hl7V2Messages.*

healthcare.hl7V2Stores.get

healthcare.hl7V2Stores.list

healthcare.locations.*

healthcare.operations.cancel

healthcare.operations.get

resourcemanager.projects.get

resourcemanager.projects.list

(roles/healthcare.hl7V2Ingest)

Ingest HL7v2 messages received from a source network.

healthcare.datasets.get

healthcare.datasets.list

healthcare.hl7V2Messages.ingest

healthcare.hl7V2Stores.get

healthcare.hl7V2Stores.list

healthcare.locations.*

healthcare.operations.get

resourcemanager.projects.get

resourcemanager.projects.list

(roles/healthcare.hl7V2StoreAdmin)

Administer HL7v2 Stores.

healthcare.datasets.get

healthcare.datasets.list

healthcare.hl7V2Stores.*

healthcare.locations.*

healthcare.operations.cancel

healthcare.operations.get

resourcemanager.projects.get

resourcemanager.projects.list

(roles/healthcare.hl7V2StoreViewer)

View HL7v2 Stores in a dataset.

healthcare.datasets.get

healthcare.datasets.list

healthcare.hl7V2Stores.get

healthcare.hl7V2Stores.list

healthcare.locations.*

healthcare.operations.get

resourcemanager.projects.get

resourcemanager.projects.list

(roles/healthcare.nlpServiceViewer)

Extract and analyze medical entities from a given text.

healthcare.locations.*

healthcare.nlpservice.analyzeEntities

resourcemanager.projects.get

resourcemanager.projects.list

(roles/healthcare.userDataMappingEditor)

Edit UserDataMapping objects.

healthcare.consentStores.checkDataAccess

healthcare.consentStores.evaluateUserConsents

healthcare.consentStores.get

healthcare.consentStores.list

healthcare.consentStores.queryAccessibleData

healthcare.datasets.get

healthcare.datasets.list

healthcare.locations.*

healthcare.operations.get

healthcare.userDataMappings.*

resourcemanager.projects.get

resourcemanager.projects.list

(roles/healthcare.userDataMappingReader)

Read UserDataMapping objects in a consent store.

healthcare.consentStores.checkDataAccess

healthcare.consentStores.evaluateUserConsents

healthcare.consentStores.get

healthcare.consentStores.list

healthcare.consentStores.queryAccessibleData

healthcare.datasets.get

healthcare.datasets.list

healthcare.locations.*

healthcare.operations.get

healthcare.userDataMappings.get

healthcare.userDataMappings.list

resourcemanager.projects.get

resourcemanager.projects.list

Permissions

(roles/iap.admin)

Provides full access to Identity-Aware Proxy resources.

iap.tunnel.*

iap.tunnelDestGroups.getIamPolicy

iap.tunnelDestGroups.setIamPolicy

iap.tunnelInstances.getIamPolicy

iap.tunnelInstances.setIamPolicy

iap.tunnelLocations.*

iap.tunnelZones.*

iap.web.getIamPolicy

iap.web.setIamPolicy

iap.webServiceVersions.getIamPolicy

iap.webServiceVersions.setIamPolicy

iap.webServices.getIamPolicy

iap.webServices.setIamPolicy

iap.webTypes.getIamPolicy

iap.webTypes.setIamPolicy

(roles/iap.httpsResourceAccessor)

Provides permission to access HTTPS resources which use Identity-Aware Proxy.

iap.webServiceVersions.accessViaIAP

(roles/iap.remediatorUser)

Remediate IAP resource

iap.tunnelDestGroups.remediate

iap.tunnelinstances.remediate

iap.webServiceVersions.remediate

(roles/iap.settingsAdmin)

Administrator of IAP Settings.

iap.projects.*

iap.web.getSettings

iap.web.updateSettings

iap.webServiceVersions.getSettings

iap.webServiceVersions.updateSettings

iap.webServices.getSettings

iap.webServices.updateSettings

iap.webTypes.getSettings

iap.webTypes.updateSettings

(roles/iap.tunnelDestGroupEditor)

Edit Tunnel Destination Group resources which use Identity-Aware Proxy

iap.tunnelDestGroups.create

iap.tunnelDestGroups.delete

iap.tunnelDestGroups.get

iap.tunnelDestGroups.list

iap.tunnelDestGroups.update

(roles/iap.tunnelDestGroupViewer)

View Tunnel Destination Group resources which use Identity-Aware Proxy

iap.tunnelDestGroups.get

iap.tunnelDestGroups.list

(roles/iap.tunnelResourceAccessor)

Access Tunnel resources which use Identity-Aware Proxy

iap.tunnelDestGroups.accessViaIAP

iap.tunnelInstances.accessViaIAP

Permissions

(roles/ids.admin)

Full access to all Cloud IDS resources.

ids.*

resourcemanager.projects.get

resourcemanager.projects.list

(roles/ids.viewer)

Read-only access to all Cloud IDS resources.

ids.endpoints.get

ids.endpoints.getIamPolicy

ids.endpoints.list

ids.locations.*

ids.operations.get

ids.operations.list

resourcemanager.projects.get

resourcemanager.projects.list

Permissions

(roles/cloudiot.admin)

Full control of all Cloud IoT resources and permissions.

cloudiot.*

cloudiottoken.*

(roles/cloudiot.deviceController)

Access to update the device configuration, but not to create or delete devices.

cloudiot.devices.get

cloudiot.devices.list

cloudiot.devices.sendCommand

cloudiot.devices.updateConfig

cloudiot.registries.get

cloudiot.registries.list

cloudiottoken.tokensettings.get

(roles/cloudiot.editor)

Read-write access to all Cloud IoT resources.

cloudiot.devices.*

cloudiot.registries.create

cloudiot.registries.delete

cloudiot.registries.get

cloudiot.registries.list

cloudiot.registries.update

cloudiottoken.*

(roles/cloudiot.provisioner)

Access to create and delete devices from registries, but not to modify the registries, and enable devices to publish to topics associated with IoT registry.

cloudiot.devices.*

cloudiot.registries.get

cloudiot.registries.list

cloudiottoken.tokensettings.get

(roles/cloudiot.viewer)

Read-only access to all Cloud IoT resources.

cloudiot.devices.get

cloudiot.devices.list

cloudiot.registries.get

cloudiot.registries.list

cloudiottoken.tokensettings.get

Permissions

(roles/cloudkms.admin)

Provides access to Cloud KMS resources, except for access to restricted resource types and cryptographic operations.

Lowest-level resources where you can grant this role:

  • CryptoKey

cloudkms.cryptoKeyVersions.create

cloudkms.cryptoKeyVersions.destroy

cloudkms.cryptoKeyVersions.get

cloudkms.cryptoKeyVersions.list

cloudkms.cryptoKeyVersions.restore

cloudkms.cryptoKeyVersions.update

cloudkms.cryptoKeyVersions.useToDecryptViaDelegation

cloudkms.cryptoKeyVersions.useToEncryptViaDelegation

cloudkms.cryptoKeys.*

cloudkms.ekmConfigs.*

cloudkms.ekmConnections.*

cloudkms.importJobs.*

cloudkms.keyRings.*

cloudkms.locations.get

cloudkms.locations.list

cloudkms.locations.optOutKeyDeletionMsa

resourcemanager.projects.get

(roles/cloudkms.cryptoKeyDecrypter)

Provides ability to use Cloud KMS resources for decrypt operations only.

Lowest-level resources where you can grant this role:

  • CryptoKey

cloudkms.cryptoKeyVersions.useToDecrypt

cloudkms.locations.get

cloudkms.locations.list

resourcemanager.projects.get

(roles/cloudkms.cryptoKeyDecrypterViaDelegation)

Enables Decrypt operations via other Google Cloud services

cloudkms.cryptoKeyVersions.useToDecryptViaDelegation

cloudkms.locations.get

cloudkms.locations.list

resourcemanager.projects.get

resourcemanager.projects.list

(roles/cloudkms.cryptoKeyEncrypter)

Provides ability to use Cloud KMS resources for encrypt operations only.

Lowest-level resources where you can grant this role:

  • CryptoKey

cloudkms.cryptoKeyVersions.useToEncrypt

cloudkms.locations.get

cloudkms.locations.list

resourcemanager.projects.get

(roles/cloudkms.cryptoKeyEncrypterDecrypter)

Provides ability to use Cloud KMS resources for encrypt and decrypt operations only.

Lowest-level resources where you can grant this role:

  • CryptoKey

cloudkms.cryptoKeyVersions.useToDecrypt

cloudkms.cryptoKeyVersions.useToEncrypt

cloudkms.locations.get

cloudkms.locations.list

resourcemanager.projects.get

(roles/cloudkms.cryptoKeyEncrypterDecrypterViaDelegation)

Enables Encrypt and Decrypt operations via other Google Cloud services

cloudkms.cryptoKeyVersions.useToDecryptViaDelegation

cloudkms.cryptoKeyVersions.useToEncryptViaDelegation

cloudkms.locations.get

cloudkms.locations.list

resourcemanager.projects.get

resourcemanager.projects.list

(roles/cloudkms.cryptoKeyEncrypterViaDelegation)

Enables Encrypt operations via other Google Cloud services

cloudkms.cryptoKeyVersions.useToEncryptViaDelegation

cloudkms.locations.get

cloudkms.locations.list

resourcemanager.projects.get

resourcemanager.projects.list

(roles/cloudkms.cryptoOperator)

Enables all Crypto Operations.

cloudkms.cryptoKeyVersions.useToDecrypt

cloudkms.cryptoKeyVersions.useToEncrypt

cloudkms.cryptoKeyVersions.useToSign

cloudkms.cryptoKeyVersions.useToVerify

cloudkms.cryptoKeyVersions.viewPublicKey

cloudkms.locations.generateRandomBytes

cloudkms.locations.get

cloudkms.locations.list

resourcemanager.projects.get

(roles/cloudkms.ekmConnectionsAdmin)

Enables management of EkmConnections.

cloudkms.ekmConfigs.get

cloudkms.ekmConfigs.update

cloudkms.ekmConnections.create

cloudkms.ekmConnections.get

cloudkms.ekmConnections.list

cloudkms.ekmConnections.update

cloudkms.ekmConnections.verifyConnectivity

resourcemanager.projects.get

resourcemanager.projects.list

(roles/cloudkms.expertRawAesCbc)

Enables raw AES-CBC keys management.

cloudkms.cryptoKeyVersions.manageRawAesCbcKeys

cloudkms.locations.get

cloudkms.locations.list

resourcemanager.projects.get

resourcemanager.projects.list

(roles/cloudkms.expertRawAesCtr)

Enables raw AES-CTR keys management.

cloudkms.cryptoKeyVersions.manageRawAesCtrKeys

cloudkms.locations.get

cloudkms.locations.list

resourcemanager.projects.get

resourcemanager.projects.list

(roles/cloudkms.expertRawPKCS1)

Enables raw PKCS#1 keys management.

cloudkms.cryptoKeyVersions.manageRawPKCS1Keys

cloudkms.locations.get

cloudkms.locations.list

resourcemanager.projects.get

resourcemanager.projects.list

(roles/cloudkms.importer)

Enables ImportCryptoKeyVersion, CreateImportJob, ListImportJobs, and GetImportJob operations

cloudkms.importJobs.create

cloudkms.importJobs.get

cloudkms.importJobs.list

cloudkms.importJobs.useToImport

cloudkms.locations.get

cloudkms.locations.list

resourcemanager.projects.get

(roles/cloudkms.protectedResourcesViewer)

Enables viewing protected resources.

cloudkms.protectedResources.search

(roles/cloudkms.publicKeyViewer)

Enables GetPublicKey operations

cloudkms.cryptoKeyVersions.viewPublicKey

cloudkms.locations.get

cloudkms.locations.list

resourcemanager.projects.get

(roles/cloudkms.signer)

Enables Sign operations

cloudkms.cryptoKeyVersions.useToSign

cloudkms.locations.get

cloudkms.locations.list

resourcemanager.projects.get

(roles/cloudkms.signerVerifier)

Enables Sign, Verify, and GetPublicKey operations

cloudkms.cryptoKeyVersions.useToSign

cloudkms.cryptoKeyVersions.useToVerify

cloudkms.cryptoKeyVersions.viewPublicKey

cloudkms.locations.get

cloudkms.locations.list

resourcemanager.projects.get

(roles/cloudkms.verifier)

Enables Verify and GetPublicKey operations

cloudkms.cryptoKeyVersions.useToVerify

cloudkms.cryptoKeyVersions.viewPublicKey

cloudkms.locations.get

cloudkms.locations.list

resourcemanager.projects.get

(roles/cloudkms.viewer)

Enables Get and List operations.

cloudkms.cryptoKeyVersions.get

cloudkms.cryptoKeyVersions.list

cloudkms.cryptoKeys.get

cloudkms.cryptoKeys.list

cloudkms.ekmConfigs.get

cloudkms.ekmConnections.get

cloudkms.ekmConnections.list

cloudkms.importJobs.get

cloudkms.importJobs.list

cloudkms.keyRings.get

cloudkms.keyRings.list

cloudkms.locations.get

cloudkms.locations.list

resourcemanager.projects.get

Permissions

(roles/lifesciences.admin)

Full control of Cloud Life Sciences resources.

lifesciences.*

(roles/lifesciences.editor)

Access to read and edit Cloud Life Sciences resources.

lifesciences.*

(roles/lifesciences.viewer)

Access to read Cloud Life Sciences resources.

lifesciences.operations.get

lifesciences.operations.list

resourcemanager.projects.get

resourcemanager.projects.list

(roles/lifesciences.workflowsRunner)

Full access to operate on Cloud Life Sciences workflows.

lifesciences.*

Permissions

(roles/managedidentities.admin)

Full access to Google Cloud Managed Identities Domains and related resources. Intended to be granted at the project level.

managedidentities.*

resourcemanager.projects.get

resourcemanager.projects.list

(roles/managedidentities.backupAdmin)

Full access to Google Cloud Managed Identities Backup and related resources. Intended to be granted at the project level.

managedidentities.backups.*

managedidentities.domains.get

managedidentities.locations.*

managedidentities.operations.*

resourcemanager.projects.get

resourcemanager.projects.list

(roles/managedidentities.backupViewer)

Read-only access to Google Cloud Managed Identities Backup and related resources.

managedidentities.backups.get

managedidentities.backups.getIamPolicy

managedidentities.backups.list

managedidentities.domains.get

managedidentities.locations.*

managedidentities.operations.get

managedidentities.operations.list

resourcemanager.projects.get

resourcemanager.projects.list

(roles/managedidentities.domainAdmin)

Read, update, and delete access to Google Cloud Managed Identities Domains and related resources. Intended to be granted at the resource (domain) level.

managedidentities.backups.*

managedidentities.domains.attachTrust

managedidentities.domains.checkMigrationPermission

managedidentities.domains.createTagBinding

managedidentities.domains.delete

managedidentities.domains.deleteTagBinding

managedidentities.domains.detachTrust

managedidentities.domains.disableMigration

managedidentities.domains.domainJoinMachine

managedidentities.domains.enableMigration

managedidentities.domains.extendSchema

managedidentities.domains.get

managedidentities.domains.getIamPolicy

managedidentities.domains.listEffectiveTags

managedidentities.domains.listTagBindings

managedidentities.domains.reconfigureTrust

managedidentities.domains.resetpassword

managedidentities.domains.restore

managedidentities.domains.update

managedidentities.domains.updateLDAPSSettings

managedidentities.domains.validateTrust

managedidentities.locations.*

managedidentities.operations.get

managedidentities.operations.list

managedidentities.sqlintegrations.*

resourcemanager.projects.get

resourcemanager.projects.list

(roles/managedidentities.domainJoin)

Access to domain-join VMs with Cloud AD.

managedidentities.domains.domainJoinMachine

managedidentities.domains.get

(roles/managedidentities.peeringAdmin)

Full access to Google Cloud Managed Identities Domains and related resources. Intended to be granted at the project level.

managedidentities.locations.*

managedidentities.operations.*

managedidentities.peerings.*

resourcemanager.projects.get

resourcemanager.projects.list

(roles/managedidentities.peeringViewer)

Read-only access to Google Cloud Managed Identities Peering and related resources.

managedidentities.locations.*

managedidentities.operations.get

managedidentities.operations.list

managedidentities.peerings.get

managedidentities.peerings.getIamPolicy

managedidentities.peerings.list

resourcemanager.projects.get

resourcemanager.projects.list

(roles/managedidentities.viewer)

Read-only access to Google Cloud Managed Identities Domains and related resources.

managedidentities.backups.get

managedidentities.backups.getIamPolicy

managedidentities.backups.list

managedidentities.domains.get

managedidentities.domains.getIamPolicy

managedidentities.domains.list

managedidentities.domains.listEffectiveTags

managedidentities.domains.listTagBindings

managedidentities.locations.*

managedidentities.operations.get

managedidentities.operations.list

managedidentities.peerings.get

managedidentities.peerings.getIamPolicy

managedidentities.peerings.list

managedidentities.sqlintegrations.*

resourcemanager.projects.get

resourcemanager.projects.list

Permissions

(roles/commercebusinessenablement.admin)

Admin of Various Provider Configuration resources

commercebusinessenablement.leadgenConfig.*

commercebusinessenablement.partnerAccounts.*

commercebusinessenablement.partnerInfo.get

commercebusinessenablement.resellerConfig.*

commercebusinessenablement.resellerRestrictions.*

resourcemanager.organizations.get

resourcemanager.projects.get

resourcemanager.projects.list

(roles/commercebusinessenablement.paymentConfigAdmin)

Administration of Payment Configuration resource

commercebusinessenablement.partnerInfo.get

commercebusinessenablement.paymentConfig.*

resourcemanager.projects.get

resourcemanager.projects.list

(roles/commercebusinessenablement.paymentConfigViewer)

Viewer of Payment Configuration resource

commercebusinessenablement.partnerInfo.get

commercebusinessenablement.paymentConfig.get

resourcemanager.projects.get

resourcemanager.projects.list

(roles/commercebusinessenablement.rebatesAdmin)

Provides admin access to rebates

commercebusinessenablement.operations.*

commercebusinessenablement.partnerInfo.get

commercebusinessenablement.refunds.*

(roles/commercebusinessenablement.rebatesViewer)

Provides read-only access to rebates

commercebusinessenablement.operations.get

commercebusinessenablement.operations.list

commercebusinessenablement.partnerInfo.get

commercebusinessenablement.refunds.get

commercebusinessenablement.refunds.list

(roles/commercebusinessenablement.resellerDiscountAdmin)

Provides admin access to reseller discount offers

commercebusinessenablement.partnerAccounts.*

commercebusinessenablement.partnerInfo.get

commercebusinessenablement.resellerConfig.get

commercebusinessenablement.resellerDiscountConfig.get

commercebusinessenablement.resellerDiscountOffers.*

commercebusinessenablement.resellerPrivateOfferPlans.*

resourcemanager.organizations.get

resourcemanager.projects.get

resourcemanager.projects.list

(roles/commercebusinessenablement.resellerDiscountViewer)

Provides read-only access to reseller discount offers

commercebusinessenablement.partnerAccounts.*

commercebusinessenablement.partnerInfo.get

commercebusinessenablement.resellerConfig.get

commercebusinessenablement.resellerDiscountConfig.get

commercebusinessenablement.resellerDiscountOffers.list

commercebusinessenablement.resellerPrivateOfferPlans.get

commercebusinessenablement.resellerPrivateOfferPlans.list

resourcemanager.organizations.get

resourcemanager.projects.get

resourcemanager.projects.list

(roles/commercebusinessenablement.viewer)

Viewer of Various Provider Configuration resources

commercebusinessenablement.leadgenConfig.get

commercebusinessenablement.partnerAccounts.*

commercebusinessenablement.partnerInfo.get

commercebusinessenablement.resellerConfig.get

commercebusinessenablement.resellerRestrictions.list

resourcemanager.organizations.get

resourcemanager.projects.get

resourcemanager.projects.list

(roles/commerceoffercatalog.offersViewer)

Allows viewing offers

commerceoffercatalog.*

(roles/commerceorggovernance.admin)

Full access to Organization Governance APIs

commerceorggovernance.*

resourcemanager.projects.get

resourcemanager.projects.list

(roles/commerceorggovernance.viewer)

Full access to Organization Governance read-only APIs.

commerceorggovernance.collections.get

commerceorggovernance.collections.list

commerceorggovernance.consumerSharingPolicies.get

commerceorggovernance.organizationSettings.get

commerceorggovernance.populateCollectionJobs.list

commerceorggovernance.services.list

resourcemanager.projects.get

resourcemanager.projects.list

(roles/commercepricemanagement.eventsViewer)

Allows viewing key events for an offer

commerceprice.events.*

resourcemanager.projects.get

resourcemanager.projects.list

(roles/commercepricemanagement.privateOffersAdmin)

Allows managing private offers

commerceagreementpublishing.*

commerceprice.*

resourcemanager.projects.get

resourcemanager.projects.list

serviceusage.services.get

serviceusage.services.list

(roles/commercepricemanagement.viewer)

Allows viewing offers, free trials, and SKUs.

commerceagreementpublishing.agreements.get

commerceagreementpublishing.agreements.list

commerceagreementpublishing.documents.get

commerceagreementpublishing.documents.list

commerceprice.privateoffers.get

commerceprice.privateoffers.list

resourcemanager.projects.get

resourcemanager.projects.list

serviceusage.services.get

serviceusage.services.list

(roles/commerceproducer.admin)

Grants full access to all resources in Cloud Commerce Producer API.

commercebusinessenablement.partnerInfo.get

resourcemanager.projects.get

resourcemanager.projects.list

(roles/commerceproducer.viewer)

Grants read access to all resources in Cloud Commerce Producer API.

commercebusinessenablement.partnerInfo.get

resourcemanager.projects.get

resourcemanager.projects.list

(roles/consumerprocurement.entitlementManager)

Allows managing entitlements and enabling, disabling, and inspecting service states for a consumer project.

consumerprocurement.consents.check

consumerprocurement.consents.grant

consumerprocurement.consents.list

consumerprocurement.consents.revoke

consumerprocurement.entitlements.*

consumerprocurement.freeTrials.*

orgpolicy.policy.get

resourcemanager.projects.get

resourcemanager.projects.list

serviceusage.operations.get

serviceusage.services.disable

serviceusage.services.enable

serviceusage.services.get

serviceusage.services.list

(roles/consumerprocurement.entitlementViewer)

Allows inspecting entitlements and service states for a consumer project.

consumerprocurement.consents.check

consumerprocurement.consents.list

consumerprocurement.entitlements.*

consumerprocurement.freeTrials.get

consumerprocurement.freeTrials.list

orgpolicy.policy.get

resourcemanager.projects.get

resourcemanager.projects.list

serviceusage.services.get

serviceusage.services.list

(roles/consumerprocurement.eventsViewer)

Allows viewing key events for an offer

consumerprocurement.events.*

(roles/consumerprocurement.orderAdmin)

Allows managing purchases.

billing.accounts.get

billing.accounts.getIamPolicy

billing.accounts.list

billing.accounts.redeemPromotion

billing.credits.list

billing.resourceAssociations.create

commerceoffercatalog.*

consumerprocurement.accounts.*

consumerprocurement.consents.check

consumerprocurement.consents.grant

consumerprocurement.consents.list

consumerprocurement.consents.revoke

consumerprocurement.events.*

consumerprocurement.orderAttributions.*

consumerprocurement.orders.*

(roles/consumerprocurement.orderViewer)

Allows inspecting purchases.

billing.accounts.get

billing.accounts.getIamPolicy

billing.accounts.list

billing.credits.list

commerceoffercatalog.*

consumerprocurement.accounts.get

consumerprocurement.accounts.list

consumerprocurement.consents.check

consumerprocurement.consents.list

consumerprocurement.orderAttributions.get

consumerprocurement.orderAttributions.list

consumerprocurement.orders.get

consumerprocurement.orders.list

(roles/consumerprocurement.procurementAdmin)

Allows managing purchases and consents at both the billing account and project level.

billing.accounts.get

billing.accounts.getIamPolicy

billing.accounts.list

billing.accounts.redeemPromotion

billing.credits.list

billing.resourceAssociations.create

commerceoffercatalog.*

consumerprocurement.*

orgpolicy.policy.get

resourcemanager.projects.get

resourcemanager.projects.list

serviceusage.operations.get

serviceusage.services.disable

serviceusage.services.enable

serviceusage.services.get

serviceusage.services.list

(roles/consumerprocurement.procurementViewer)

Allows inspecting purchases, consents, entitlements, and service states for a consumer project.

billing.accounts.get

billing.accounts.getIamPolicy

billing.accounts.list

billing.credits.list

commerceoffercatalog.*

consumerprocurement.accounts.get

consumerprocurement.accounts.list

consumerprocurement.consents.check

consumerprocurement.consents.list

consumerprocurement.entitlements.*

consumerprocurement.freeTrials.get

consumerprocurement.freeTrials.list

consumerprocurement.orderAttributions.get

consumerprocurement.orderAttributions.list

consumerprocurement.orders.get

consumerprocurement.orders.list

orgpolicy.policy.get

resourcemanager.projects.get

resourcemanager.projects.list

serviceusage.services.get

serviceusage.services.list

Permissions

(roles/cloudmigration.inframanager)

Ability to create and manage Compute VMs to run Velostrata Infrastructure

cloudmigration.velostrataendpoints.connect

compute.addresses.*

compute.diskTypes.*

compute.disks.create

compute.disks.createSnapshot

compute.disks.delete

compute.disks.get

compute.disks.list

compute.disks.setLabels

compute.disks.update

compute.disks.use

compute.disks.useReadOnly

compute.globalOperations.get

compute.images.get

compute.images.list

compute.images.useReadOnly

compute.instances.attachDisk

compute.instances.create

compute.instances.delete

compute.instances.detachDisk

compute.instances.get

compute.instances.getSerialPortOutput

compute.instances.list

compute.instances.reset

compute.instances.setDiskAutoDelete

compute.instances.setLabels

compute.instances.setMachineType

compute.instances.setMetadata

compute.instances.setMinCpuPlatform

compute.instances.setScheduling

compute.instances.setServiceAccount

compute.instances.setTags

compute.instances.start

compute.instances.startWithEncryptionKey

compute.instances.stop

compute.instances.update

compute.instances.updateNetworkInterface

compute.instances.updateShieldedInstanceConfig

compute.instances.use

compute.licenseCodes.get

compute.licenseCodes.list

compute.licenseCodes.update

compute.licenseCodes.use

compute.licenses.get

compute.licenses.list

compute.machineTypes.*

compute.networks.get

compute.networks.list

compute.networks.use

compute.networks.useExternalIp

compute.nodeGroups.get

compute.nodeGroups.list

compute.nodeTemplates.list

compute.projects.get

compute.regionOperations.get

compute.regions.*

compute.snapshots.create

compute.snapshots.delete

compute.snapshots.get

compute.snapshots.setLabels

compute.snapshots.useReadOnly

compute.subnetworks.get

compute.subnetworks.list

compute.subnetworks.use

compute.subnetworks.useExternalIp

compute.zoneOperations.get

compute.zones.*

gkehub.endpoints.connect

iam.serviceAccounts.get

iam.serviceAccounts.list

resourcemanager.projects.get

storage.buckets.create

storage.buckets.delete

storage.buckets.get

storage.buckets.list

storage.buckets.update

(roles/cloudmigration.storageaccess)

Ability to access migration storage

storage.objects.create

storage.objects.delete

storage.objects.get

storage.objects.list

storage.objects.update

(roles/cloudmigration.velostrataconnect)

Ability to set up connection between Velostrata Manager and Google

cloudmigration.velostrataendpoints.connect

gkehub.endpoints.connect

(roles/vmmigration.admin)

Ability to view and edit all VM Migration objects

resourcemanager.projects.get

resourcemanager.projects.list

vmmigration.*

(roles/vmmigration.viewer)

Ability to view all VM Migration objects

resourcemanager.projects.get

resourcemanager.projects.list

vmmigration.cloneJobs.get

vmmigration.cloneJobs.list

vmmigration.cutoverJobs.get

vmmigration.cutoverJobs.list

vmmigration.datacenterConnectors.get

vmmigration.datacenterConnectors.list

vmmigration.deployments.get

vmmigration.deployments.list

vmmigration.groups.get

vmmigration.groups.list

vmmigration.locations.*

vmmigration.migratingVms.get

vmmigration.migratingVms.list

vmmigration.operations.get

vmmigration.operations.list

vmmigration.replicationCycles.*

vmmigration.sources.get

vmmigration.sources.list

vmmigration.targets.get

vmmigration.targets.list

vmmigration.utilizationReports.get

vmmigration.utilizationReports.list

Permissions

(roles/cloudprivatecatalog.consumer)

Can browse catalogs in the target resource context.

cloudprivatecatalog.targets.get

resourcemanager.projects.get

resourcemanager.projects.list

(roles/cloudprivatecatalogproducer.admin)

Can manage catalog and view its associations.

cloudprivatecatalog.targets.get

cloudprivatecatalogproducer.associations.*

cloudprivatecatalogproducer.catalogAssociations.*

cloudprivatecatalogproducer.catalogs.*

cloudprivatecatalogproducer.producerCatalogs.*

cloudprivatecatalogproducer.products.*

cloudprivatecatalogproducer.targets.*

resourcemanager.folders.get

resourcemanager.folders.list

resourcemanager.organizations.get

resourcemanager.projects.get

resourcemanager.projects.list

(roles/cloudprivatecatalogproducer.manager)

Can manage associations between a catalog and a target resource.

cloudprivatecatalog.targets.get

cloudprivatecatalogproducer.associations.*

cloudprivatecatalogproducer.catalogAssociations.*

cloudprivatecatalogproducer.catalogs.get

cloudprivatecatalogproducer.catalogs.list

cloudprivatecatalogproducer.producerCatalogs.get

cloudprivatecatalogproducer.producerCatalogs.list

cloudprivatecatalogproducer.targets.*

resourcemanager.folders.get

resourcemanager.folders.list

resourcemanager.organizations.get

resourcemanager.projects.get

resourcemanager.projects.list

(roles/cloudprivatecatalogproducer.orgAdmin)

Can manage catalog org settings.

cloudprivatecatalog.targets.get

cloudprivatecatalogproducer.*

commerceorggovernance.organizationSettings.*

resourcemanager.folders.get

resourcemanager.folders.list

resourcemanager.organizations.get

resourcemanager.projects.get

resourcemanager.projects.list

Permissions

(roles/cloudprofiler.agent)

Cloud Profiler agents are allowed to register and provide the profiling data.

cloudprofiler.profiles.create

cloudprofiler.profiles.update

(roles/cloudprofiler.user)

Cloud Profiler users are allowed to query and view the profiling data.

cloudprofiler.profiles.list

resourcemanager.projects.get

resourcemanager.projects.list

serviceusage.quotas.get

serviceusage.services.get

serviceusage.services.list

Permissions

(roles/run.admin)

Full control over all Cloud Run resources.

Lowest-level resources where you can grant this role:

  • Cloud Run service
  • Cloud Run job

recommender.locations.*

recommender.runServiceCostInsights.*

recommender.runServiceCostRecommendations.*

recommender.runServiceIdentityInsights.*

recommender.runServiceIdentityRecommendations.*

recommender.runServicePerformanceInsights.*

recommender.runServicePerformanceRecommendations.*

recommender.runServiceSecurityInsights.*

recommender.runServiceSecurityRecommendations.*

resourcemanager.projects.get

resourcemanager.projects.list

run.*

(roles/run.developer)

Read and write access to all Cloud Run resources.

Lowest-level resources where you can grant this role:

  • Cloud Run service
  • Cloud Run job

recommender.locations.*

recommender.runServiceCostInsights.*

recommender.runServiceCostRecommendations.*

recommender.runServiceIdentityInsights.*

recommender.runServiceIdentityRecommendations.*

recommender.runServicePerformanceInsights.*

recommender.runServicePerformanceRecommendations.*

recommender.runServiceSecurityInsights.*

recommender.runServiceSecurityRecommendations.*

resourcemanager.projects.get

resourcemanager.projects.list

run.configurations.*

run.executions.*

run.jobs.create

run.jobs.delete

run.jobs.get

run.jobs.getIamPolicy

run.jobs.list

run.jobs.listEffectiveTags

run.jobs.listTagBindings

run.jobs.run

run.jobs.runWithOverrides

run.jobs.update

run.locations.list

run.operations.*

run.revisions.*

run.routes.*

run.services.create

run.services.delete

run.services.get

run.services.getIamPolicy

run.services.list

run.services.listEffectiveTags

run.services.listTagBindings

run.services.update

run.tasks.*

(roles/run.invoker)

Can invoke a Cloud Run service.

Lowest-level resources where you can grant this role:

  • Cloud Run service
  • Cloud Run job

run.executions.cancel

run.jobs.run

run.routes.invoke

(roles/run.viewer)

Can view the state of all Cloud Run resources, including IAM policies.

Lowest-level resources where you can grant this role:

  • Cloud Run service
  • Cloud Run job

recommender.locations.*

recommender.runServiceCostInsights.get

recommender.runServiceCostInsights.list

recommender.runServiceCostRecommendations.get

recommender.runServiceCostRecommendations.list

recommender.runServiceIdentityInsights.get

recommender.runServiceIdentityInsights.list

recommender.runServiceIdentityRecommendations.get

recommender.runServiceIdentityRecommendations.list

recommender.runServicePerformanceInsights.get

recommender.runServicePerformanceInsights.list

recommender.runServicePerformanceRecommendations.get

recommender.runServicePerformanceRecommendations.list

recommender.runServiceSecurityInsights.get

recommender.runServiceSecurityInsights.list

recommender.runServiceSecurityRecommendations.get

recommender.runServiceSecurityRecommendations.list

resourcemanager.projects.get

resourcemanager.projects.list

run.configurations.*

run.executions.get

run.executions.list

run.jobs.get

run.jobs.getIamPolicy

run.jobs.list

run.jobs.listEffectiveTags

run.jobs.listTagBindings

run.locations.list

run.operations.get

run.operations.list

run.revisions.get

run.revisions.list

run.routes.get

run.routes.list

run.services.get

run.services.getIamPolicy

run.services.list

run.services.listEffectiveTags

run.services.listTagBindings

run.tasks.*

Permissions

(roles/cloudscheduler.admin)

Full access to jobs and executions.

Note that a Cloud Scheduler Admin (or any custom role with the permission cloudscheduler.jobs.create) can create jobs that publish to any Pub/Sub topic within the project.

appengine.applications.get

cloudscheduler.*

resourcemanager.projects.get

resourcemanager.projects.list

serviceusage.services.get

serviceusage.services.list

(roles/cloudscheduler.jobRunner)

Access to run jobs.

appengine.applications.get

cloudscheduler.jobs.fullView

cloudscheduler.jobs.run

resourcemanager.projects.get

resourcemanager.projects.list

serviceusage.services.get

serviceusage.services.list

(roles/cloudscheduler.viewer)

Get and list access to jobs, executions, and locations.

appengine.applications.get

cloudscheduler.jobs.fullView

cloudscheduler.jobs.get

cloudscheduler.jobs.list

cloudscheduler.locations.*

resourcemanager.projects.get

resourcemanager.projects.list

serviceusage.services.get

serviceusage.services.list

Permissions

(roles/cloudsecurityscanner.editor)

Full access to all Web Security Scanner resources

Lowest-level resources where you can grant this role:

  • Project

appengine.applications.get

cloudsecurityscanner.*

compute.addresses.list

resourcemanager.projects.get

resourcemanager.projects.list

serviceusage.quotas.get

serviceusage.services.get

serviceusage.services.list

(roles/cloudsecurityscanner.runner)

Read access to Scan and ScanRun, plus the ability to start scans

Lowest-level resources where you can grant this role:

  • Project

cloudsecurityscanner.crawledurls.list

cloudsecurityscanner.scanruns.get

cloudsecurityscanner.scanruns.list

cloudsecurityscanner.scanruns.stop

cloudsecurityscanner.scans.get

cloudsecurityscanner.scans.list

cloudsecurityscanner.scans.run

(roles/cloudsecurityscanner.viewer)

Read access to all Web Security Scanner resources

Lowest-level resources where you can grant this role:

  • Project

cloudsecurityscanner.crawledurls.list

cloudsecurityscanner.results.*

cloudsecurityscanner.scanruns.get

cloudsecurityscanner.scanruns.getSummary

cloudsecurityscanner.scanruns.list

cloudsecurityscanner.scans.get

cloudsecurityscanner.scans.list

serviceusage.quotas.get

serviceusage.services.get

serviceusage.services.list

Permissions

(roles/servicebroker.admin)

Full access to ServiceBroker resources.

servicebroker.*

(roles/servicebroker.operator)

Operational access to the ServiceBroker resources.

servicebroker.bindingoperations.*

servicebroker.bindings.create

servicebroker.bindings.delete

servicebroker.bindings.get

servicebroker.bindings.list

servicebroker.catalogs.create

servicebroker.catalogs.delete

servicebroker.catalogs.get

servicebroker.catalogs.list

servicebroker.instanceoperations.*

servicebroker.instances.create

servicebroker.instances.delete

servicebroker.instances.get

servicebroker.instances.list

servicebroker.instances.update

Permissions

(roles/spanner.admin)

Has complete access to all Spanner resources in a Google Cloud project. A principal with this role can:

  • Grant and revoke permissions to other principals for all Spanner resources in the project.
  • Allocate and delete chargeable Spanner resources.
  • Issue get/list/modify operations on Cloud Spanner resources.
  • Read from and write to all Cloud Spanner databases in the project.
  • Fetch project metadata.

Lowest-level resources where you can grant this role:

  • Project

monitoring.timeSeries.list

resourcemanager.projects.get

resourcemanager.projects.list

spanner.*

(roles/spanner.backupAdmin)

A principal with this role can:

  • Create, view, update, and delete backups.
  • View and manage a backup's allow policy.

This role cannot restore a database from a backup.

Lowest-level resources where you can grant this role:

  • Instance

monitoring.timeSeries.list

resourcemanager.projects.get

resourcemanager.projects.list

spanner.backupOperations.*

spanner.backups.copy

spanner.backups.create

spanner.backups.delete

spanner.backups.get

spanner.backups.getIamPolicy

spanner.backups.list

spanner.backups.setIamPolicy

spanner.backups.update

spanner.databases.createBackup

spanner.databases.get

spanner.databases.list

spanner.instances.createTagBinding

spanner.instances.deleteTagBinding

spanner.instances.get

spanner.instances.list

spanner.instances.listEffectiveTags

spanner.instances.listTagBindings

(roles/spanner.backupWriter)

This role is intended to be used by scripts that automate backup creation. A principal with this role can create backups, but cannot update or delete them.

Lowest-level resources where you can grant this role:

  • Instance

spanner.backupOperations.get

spanner.backupOperations.list

spanner.backups.copy

spanner.backups.create

spanner.backups.get

spanner.backups.list

spanner.databases.createBackup

spanner.databases.get

spanner.databases.list

spanner.instances.get

(roles/spanner.databaseAdmin)

A principal with this role can:

  • Get/list all Spanner instances in the project.
  • Create/list/drop databases in an instance.
  • Grant/revoke access to databases in the project.
  • Read from and write to all Cloud Spanner databases in the project.

Lowest-level resources where you can grant this role:

  • Instance

monitoring.timeSeries.list

resourcemanager.projects.get

resourcemanager.projects.list

spanner.databaseOperations.*

spanner.databaseRoles.*

spanner.databases.beginOrRollbackReadWriteTransaction

spanner.databases.beginPartitionedDmlTransaction

spanner.databases.beginReadOnlyTransaction

spanner.databases.create

spanner.databases.drop

spanner.databases.get

spanner.databases.getDdl

spanner.databases.getIamPolicy

spanner.databases.list

spanner.databases.partitionQuery

spanner.databases.partitionRead

spanner.databases.read

spanner.databases.select

spanner.databases.setIamPolicy

spanner.databases.update

spanner.databases.updateDdl

spanner.databases.updateTag

spanner.databases.useDataBoost

spanner.databases.useRoleBasedAccess

spanner.databases.write

spanner.instances.createTagBinding

spanner.instances.deleteTagBinding

spanner.instances.get

spanner.instances.getIamPolicy

spanner.instances.list

spanner.instances.listEffectiveTags

spanner.instances.listTagBindings

spanner.sessions.*

(roles/spanner.databaseReader)

A principal with this role can:

  • Read from the Spanner database.
  • Execute SQL queries on the database.
  • View schema for the database.

Lowest-level resources where you can grant this role:

  • Database

spanner.databases.beginReadOnlyTransaction

spanner.databases.getDdl

spanner.databases.partitionQuery

spanner.databases.partitionRead

spanner.databases.read

spanner.databases.select

spanner.instances.get

spanner.sessions.*

(roles/spanner.databaseRoleUser)

In conjunction with the IAM role Cloud Spanner Fine-grained Access User, grants permissions to individual Spanner database roles. Add a condition for each desired Spanner database role that includes the resource type of `spanner.googleapis.com/DatabaseRole` and the resource name ending with `/YOUR_SPANNER_DATABASE_ROLE`.

spanner.databaseRoles.use

(roles/spanner.databaseUser)

A principal with this role can:

  • Read from and write to the Spanner database.
  • Execute SQL queries on the database, including DML and Partitioned DML.
  • View and update schema for the database.

Lowest-level resources where you can grant this role:

  • Database

spanner.databaseOperations.*

spanner.databases.beginOrRollbackReadWriteTransaction

spanner.databases.beginPartitionedDmlTransaction

spanner.databases.beginReadOnlyTransaction

spanner.databases.getDdl

spanner.databases.partitionQuery

spanner.databases.partitionRead

spanner.databases.read

spanner.databases.select

spanner.databases.updateDdl

spanner.databases.updateTag

spanner.databases.write

spanner.instances.get

spanner.sessions.*

(roles/spanner.fineGrainedAccessUser)

Grants permissions to use Spanner's fine-grained access control framework. To grant access to specific database roles, also add the `roles/spanner.databaseRoleUser` IAM role and its necessary conditions.

spanner.databaseRoles.list

spanner.databases.useRoleBasedAccess

(roles/spanner.restoreAdmin)

A principal with this role can restore databases from backups.

If you need to restore a backup to a different instance, apply this role at the project level or to both instances. This role cannot create backups.

Lowest-level resources where you can grant this role:

  • Instance

monitoring.timeSeries.list

resourcemanager.projects.get

resourcemanager.projects.list

spanner.backups.get

spanner.backups.list

spanner.backups.restoreDatabase

spanner.databaseOperations.cancel

spanner.databaseOperations.get

spanner.databaseOperations.list

spanner.databases.create

spanner.databases.get

spanner.databases.list

spanner.instances.createTagBinding

spanner.instances.deleteTagBinding

spanner.instances.get

spanner.instances.list

spanner.instances.listEffectiveTags

spanner.instances.listTagBindings

(roles/spanner.viewer)

A principal with this role can:

  • View all Spanner instances (but cannot modify instances).
  • View all Spanner databases (but cannot modify or read from databases).

For example, you can combine this role with the roles/spanner.databaseUser role to grant a user access to a specific database, but only view access to other instances and databases.

This role is recommended at the Google Cloud project level for users interacting with Cloud Spanner resources in the Google Cloud console.

Lowest-level resources where you can grant this role:

  • Project

monitoring.timeSeries.list

resourcemanager.projects.get

resourcemanager.projects.list

spanner.databases.list

spanner.instanceConfigs.get

spanner.instanceConfigs.list

spanner.instances.get

spanner.instances.list

spanner.instances.listEffectiveTags

spanner.instances.listTagBindings

Permissions

(roles/cloudsql.admin)

Provides full control of Cloud SQL resources.

Lowest-level resources where you can grant this role:

  • Project

cloudaicompanion.entitlements.get

cloudsql.*

recommender.cloudsqlIdleInstanceRecommendations.*

recommender.cloudsqlInstanceActivityInsights.*

recommender.cloudsqlInstanceCpuUsageInsights.*

recommender.cloudsqlInstanceDiskUsageTrendInsights.*

recommender.cloudsqlInstanceMemoryUsageInsights.*

recommender.cloudsqlInstanceOomProbabilityInsights.*

recommender.cloudsqlInstanceOutOfDiskRecommendations.*

recommender.cloudsqlInstancePerformanceInsights.*

recommender.cloudsqlInstancePerformanceRecommendations.*

recommender.cloudsqlInstanceReliabilityInsights.*

recommender.cloudsqlInstanceReliabilityRecommendations.*

recommender.cloudsqlInstanceSecurityInsights.*

recommender.cloudsqlInstanceSecurityRecommendations.*

recommender.cloudsqlInstanceUnderprovisionedCpuUsageInsights.*

recommender.cloudsqlInstanceUnderprovisionedMemoryUsageInsights.*

recommender.cloudsqlOverprovisionedInstanceRecommendations.*

recommender.cloudsqlUnderProvisionedInstanceRecommendations.*

resourcemanager.projects.get

resourcemanager.projects.list

serviceusage.quotas.get

serviceusage.services.get

serviceusage.services.list

(roles/cloudsql.client)

Provides connectivity access to Cloud SQL instances.

Lowest-level resources where you can grant this role:

  • Project

cloudsql.instances.connect

cloudsql.instances.get

(roles/cloudsql.editor)

Provides full control of existing Cloud SQL instances excluding modifying users, SSL certificates or deleting resources.

Lowest-level resources where you can grant this role:

  • Project

cloudaicompanion.entitlements.get

cloudsql.backupRuns.create

cloudsql.backupRuns.get

cloudsql.backupRuns.list

cloudsql.databases.create

cloudsql.databases.get

cloudsql.databases.list

cloudsql.databases.update

cloudsql.instances.addServerCa

cloudsql.instances.connect

cloudsql.instances.export

cloudsql.instances.failover

cloudsql.instances.get

cloudsql.instances.getDiskShrinkConfig

cloudsql.instances.list

cloudsql.instances.listEffectiveTags

cloudsql.instances.listServerCas

cloudsql.instances.listTagBindings

cloudsql.instances.migrate

cloudsql.instances.performDiskShrink

cloudsql.instances.reencrypt

cloudsql.instances.resetReplicaSize

cloudsql.instances.restart

cloudsql.instances.rotateServerCa

cloudsql.instances.truncateLog

cloudsql.instances.update

cloudsql.schemas.view

cloudsql.sslCerts.get

cloudsql.sslCerts.list

cloudsql.users.get

cloudsql.users.list

recommender.cloudsqlIdleInstanceRecommendations.*

recommender.cloudsqlInstanceActivityInsights.*

recommender.cloudsqlInstanceCpuUsageInsights.*

recommender.cloudsqlInstanceDiskUsageTrendInsights.*

recommender.cloudsqlInstanceMemoryUsageInsights.*

recommender.cloudsqlInstanceOomProbabilityInsights.*

recommender.cloudsqlInstanceOutOfDiskRecommendations.*

recommender.cloudsqlInstancePerformanceInsights.*

recommender.cloudsqlInstancePerformanceRecommendations.*

recommender.cloudsqlInstanceReliabilityInsights.*

recommender.cloudsqlInstanceReliabilityRecommendations.*

recommender.cloudsqlInstanceUnderprovisionedCpuUsageInsights.*

recommender.cloudsqlInstanceUnderprovisionedMemoryUsageInsights.*

recommender.cloudsqlOverprovisionedInstanceRecommendations.*

recommender.cloudsqlUnderProvisionedInstanceRecommendations.*

resourcemanager.projects.get

resourcemanager.projects.list

serviceusage.quotas.get

serviceusage.services.get

serviceusage.services.list

(roles/cloudsql.instanceUser)

Role allowing access to a Cloud SQL instance

cloudsql.instances.get

cloudsql.instances.login

(roles/cloudsql.schemaViewer)

Role allowing access to the Cloud SQL instance schema on Dataplex

cloudsql.schemas.view

(roles/cloudsql.viewer)

Provides read-only access to Cloud SQL resources.

Lowest-level resources where you can grant this role:

  • Project

cloudaicompanion.entitlements.get

cloudsql.backupRuns.get

cloudsql.backupRuns.list

cloudsql.databases.get

cloudsql.databases.list

cloudsql.instances.export

cloudsql.instances.get

cloudsql.instances.getDiskShrinkConfig

cloudsql.instances.list

cloudsql.instances.listEffectiveTags

cloudsql.instances.listServerCas

cloudsql.instances.listTagBindings

cloudsql.sslCerts.get

cloudsql.sslCerts.list

cloudsql.users.get

cloudsql.users.list

recommender.cloudsqlIdleInstanceRecommendations.get

recommender.cloudsqlIdleInstanceRecommendations.list

recommender.cloudsqlInstanceActivityInsights.get

recommender.cloudsqlInstanceActivityInsights.list

recommender.cloudsqlInstanceCpuUsageInsights.get

recommender.cloudsqlInstanceCpuUsageInsights.list

recommender.cloudsqlInstanceDiskUsageTrendInsights.get

recommender.cloudsqlInstanceDiskUsageTrendInsights.list

recommender.cloudsqlInstanceMemoryUsageInsights.get

recommender.cloudsqlInstanceMemoryUsageInsights.list

recommender.cloudsqlInstanceOomProbabilityInsights.get

recommender.cloudsqlInstanceOomProbabilityInsights.list

recommender.cloudsqlInstanceOutOfDiskRecommendations.get

recommender.cloudsqlInstanceOutOfDiskRecommendations.list

recommender.cloudsqlInstancePerformanceInsights.get

recommender.cloudsqlInstancePerformanceInsights.list

recommender.cloudsqlInstancePerformanceRecommendations.get

recommender.cloudsqlInstancePerformanceRecommendations.list

recommender.cloudsqlInstanceReliabilityInsights.get

recommender.cloudsqlInstanceReliabilityInsights.list

recommender.cloudsqlInstanceReliabilityRecommendations.get

recommender.cloudsqlInstanceReliabilityRecommendations.list

recommender.cloudsqlInstanceUnderprovisionedCpuUsageInsights.get

recommender.cloudsqlInstanceUnderprovisionedCpuUsageInsights.list

recommender.cloudsqlInstanceUnderprovisionedMemoryUsageInsights.get

recommender.cloudsqlInstanceUnderprovisionedMemoryUsageInsights.list

recommender.cloudsqlOverprovisionedInstanceRecommendations.get

recommender.cloudsqlOverprovisionedInstanceRecommendations.list

recommender.cloudsqlUnderProvisionedInstanceRecommendations.get

recommender.cloudsqlUnderProvisionedInstanceRecommendations.list

resourcemanager.projects.get

resourcemanager.projects.list

serviceusage.quotas.get

serviceusage.services.get

serviceusage.services.list

Permissions

(roles/storage.admin)

Grants full control of objects and buckets.

When applied to an individual bucket, control applies only to the specified bucket and objects within the bucket.

Lowest-level resources where you can grant this role:

  • Bucket

firebase.projects.get

orgpolicy.policy.get

recommender.iamPolicyInsights.*

recommender.iamPolicyRecommendations.*

resourcemanager.projects.get

resourcemanager.projects.list

storage.anywhereCaches.*

storage.bucketOperations.*

storage.buckets.*

storage.managedFolders.*

storage.multipartUploads.*

storage.objects.*

(roles/storage.folderAdmin)

Grants full control over folders and objects, including listing, creating, viewing, and deleting objects.

orgpolicy.policy.get

resourcemanager.projects.get

resourcemanager.projects.list

storage.managedFolders.*

storage.multipartUploads.*

storage.objects.*

(roles/storage.hmacKeyAdmin)

Full control of Cloud Storage HMAC keys.

firebase.projects.get

orgpolicy.policy.get

resourcemanager.projects.get

resourcemanager.projects.list

storage.hmacKeys.*

(roles/storage.insightsCollectorService)

Read-only access to Cloud Storage Inventory metadata for Storage Insights.

resourcemanager.projects.get

resourcemanager.projects.list

storage.buckets.get

storage.buckets.getObjectInsights

(roles/storage.objectAdmin)

Grants full control of objects, including listing, creating, viewing, and deleting objects.

Lowest-level resources where you can grant this role:

  • Bucket

orgpolicy.policy.get

resourcemanager.projects.get

resourcemanager.projects.list

storage.managedFolders.create

storage.managedFolders.delete

storage.managedFolders.get

storage.managedFolders.list

storage.multipartUploads.*

storage.objects.*

(roles/storage.objectCreator)

Allows users to create objects. Does not give permission to view, delete, or overwrite objects.

Lowest-level resources where you can grant this role:

  • Bucket

orgpolicy.policy.get

resourcemanager.projects.get

resourcemanager.projects.list

storage.managedFolders.create

storage.multipartUploads.abort

storage.multipartUploads.create

storage.multipartUploads.listParts

storage.objects.create

(roles/storage.objectUser)

Access to create, read, update and delete objects and multipart uploads in GCS.

orgpolicy.policy.get

resourcemanager.projects.get

resourcemanager.projects.list

storage.managedFolders.create

storage.managedFolders.delete

storage.managedFolders.get

storage.managedFolders.list

storage.multipartUploads.*

storage.objects.create

storage.objects.delete

storage.objects.get

storage.objects.list

storage.objects.restore

storage.objects.update

(roles/storage.objectViewer)

Grants access to view objects and their metadata, excluding ACLs. Can also list the objects in a bucket.

Lowest-level resources where you can grant this role:

  • Bucket

resourcemanager.projects.get

resourcemanager.projects.list

storage.managedFolders.get

storage.managedFolders.list

storage.objects.get

storage.objects.list

(roles/storagetransfer.admin)

Create, update and manage transfer jobs and operations.

resourcemanager.projects.get

resourcemanager.projects.list

storagetransfer.*

(roles/storagetransfer.transferAgent)

Perform transfers from an agent.

monitoring.timeSeries.create

pubsub.subscriptions.consume

pubsub.subscriptions.create

pubsub.subscriptions.delete

pubsub.subscriptions.get

pubsub.topics.attachSubscription

pubsub.topics.create

pubsub.topics.get

pubsub.topics.list

pubsub.topics.publish

storagetransfer.agentpools.report

storagetransfer.operations.assign

storagetransfer.operations.get

storagetransfer.operations.report

(roles/storagetransfer.user)

Create and update storage transfer jobs and operations.

resourcemanager.projects.get

resourcemanager.projects.list

storagetransfer.agentpools.create

storagetransfer.agentpools.get

storagetransfer.agentpools.list

storagetransfer.agentpools.report

storagetransfer.agentpools.update

storagetransfer.jobs.create

storagetransfer.jobs.get

storagetransfer.jobs.list

storagetransfer.jobs.run

storagetransfer.jobs.update

storagetransfer.operations.*

storagetransfer.projects.getServiceAccount

(roles/storagetransfer.viewer)

Read access to storage transfer jobs and operations.

resourcemanager.projects.get

resourcemanager.projects.list

storagetransfer.agentpools.get

storagetransfer.agentpools.list

storagetransfer.jobs.get

storagetransfer.jobs.list

storagetransfer.operations.get

storagetransfer.operations.list

storagetransfer.projects.getServiceAccount

Permissions

(roles/storage.legacyBucketOwner)

Grants permission to create, overwrite, and delete objects; list objects in a bucket and read object metadata, excluding allow policies, when listing; and read and edit bucket metadata, including allow policies.

Use of this role is also reflected in the bucket's ACLs. For more information, see IAM relation to ACLs.

Lowest-level resources where you can grant this role:

  • Bucket

storage.bucketOperations.*

storage.buckets.createTagBinding

storage.buckets.deleteTagBinding

storage.buckets.enableObjectRetention

storage.buckets.get

storage.buckets.getIamPolicy

storage.buckets.listEffectiveTags

storage.buckets.listTagBindings

storage.buckets.restore

storage.buckets.setIamPolicy

storage.buckets.update

storage.managedFolders.*

storage.multipartUploads.*

storage.objects.create

storage.objects.delete

storage.objects.list

storage.objects.restore

storage.objects.setRetention

(roles/storage.legacyBucketReader)

Grants permission to list a bucket's contents and read bucket metadata, excluding allow policies. Also grants permission to read object metadata, excluding allow policies, when listing objects.

Use of this role is also reflected in the bucket's ACLs. For more information, see IAM relation to ACLs.

Lowest-level resources where you can grant this role:

  • Bucket

storage.buckets.get

storage.managedFolders.get

storage.managedFolders.list

storage.multipartUploads.list

storage.objects.list

(roles/storage.legacyBucketWriter)

Grants permission to create, overwrite, and delete objects; list objects in a bucket and read object metadata, excluding allow policies, when listing; and read bucket metadata, excluding allow policies.

Use of this role is also reflected in the bucket's ACLs. For more information, see IAM relation to ACLs.

Lowest-level resources where you can grant this role:

  • Bucket

storage.buckets.get

storage.managedFolders.create

storage.managedFolders.delete

storage.managedFolders.get

storage.managedFolders.list

storage.multipartUploads.*

storage.objects.create

storage.objects.delete

storage.objects.list

storage.objects.restore

storage.objects.setRetention

(roles/storage.legacyObjectOwner)

Grants permission to view and edit objects and their metadata, including ACLs.

Lowest-level resources where you can grant this role:

  • Bucket

storage.objects.get

storage.objects.getIamPolicy

storage.objects.overrideUnlockedRetention

storage.objects.setIamPolicy

storage.objects.setRetention

storage.objects.update

(roles/storage.legacyObjectReader)

Grants permission to view objects and their metadata, excluding ACLs.

Lowest-level resources where you can grant this role:

  • Bucket

storage.objects.get

Permissions

(roles/cloudjobdiscovery.admin)

Access to Cloud Talent Solution Self-Service Tools.

cloudjobdiscovery.tools.access

iam.serviceAccounts.list

resourcemanager.projects.get

resourcemanager.projects.list

(roles/cloudjobdiscovery.jobsEditor)

Write access to all job data in Cloud Talent Solution.

cloudjobdiscovery.companies.*

cloudjobdiscovery.events.create

cloudjobdiscovery.jobs.*

cloudjobdiscovery.tenants.*

resourcemanager.projects.get

resourcemanager.projects.list

(roles/cloudjobdiscovery.jobsViewer)

Read access to all job data in Cloud Talent Solution.

cloudjobdiscovery.companies.get

cloudjobdiscovery.companies.list

cloudjobdiscovery.jobs.get

cloudjobdiscovery.jobs.search

cloudjobdiscovery.tenants.get

resourcemanager.projects.get

resourcemanager.projects.list

(roles/cloudjobdiscovery.profilesEditor)

Write access to all profile data in Cloud Talent Solution.

cloudjobdiscovery.events.create

cloudjobdiscovery.profiles.*

cloudjobdiscovery.tenants.*

resourcemanager.projects.get

resourcemanager.projects.list

(roles/cloudjobdiscovery.profilesViewer)

Read access to all profile data in Cloud Talent Solution.

cloudjobdiscovery.profiles.get

cloudjobdiscovery.profiles.search

cloudjobdiscovery.tenants.get

resourcemanager.projects.get

resourcemanager.projects.list

Permissions

(roles/cloudtasks.admin)

Full access to queues and tasks.

cloudtasks.*

monitoring.timeSeries.list

resourcemanager.projects.get

resourcemanager.projects.list

(roles/cloudtasks.enqueuer)

Access to create tasks.

cloudtasks.tasks.create

cloudtasks.tasks.fullView

resourcemanager.projects.get

resourcemanager.projects.list

(roles/cloudtasks.queueAdmin)

Admin access to queues.

cloudtasks.locations.*

cloudtasks.queues.*

resourcemanager.projects.get

resourcemanager.projects.list

(roles/cloudtasks.taskDeleter)

Access to delete tasks.

cloudtasks.tasks.delete

resourcemanager.projects.get

resourcemanager.projects.list

(roles/cloudtasks.taskRunner)

Access to run tasks.

cloudtasks.tasks.fullView

cloudtasks.tasks.run

resourcemanager.projects.get

resourcemanager.projects.list

(roles/cloudtasks.viewer)

Get and list access to tasks, queues, and locations.

cloudtasks.cmekConfig.get

cloudtasks.locations.*

cloudtasks.queues.get

cloudtasks.queues.list

cloudtasks.tasks.fullView

cloudtasks.tasks.get

cloudtasks.tasks.list

monitoring.timeSeries.list

resourcemanager.projects.get

resourcemanager.projects.list

Permissions

(roles/tpu.admin)

Full access to TPU nodes and related resources.

resourcemanager.projects.get

resourcemanager.projects.list

tpu.*

(roles/tpu.viewer)

Read-only access to TPU nodes and related resources.

resourcemanager.projects.get

resourcemanager.projects.list

tpu.acceleratortypes.*

tpu.locations.*

tpu.nodes.get

tpu.nodes.list

tpu.operations.*

tpu.runtimeversions.*

tpu.tensorflowversions.*

(roles/tpu.xpnAgent)

Can use shared VPC network (XPN) for the TPU VMs.

compute.addresses.createInternal

compute.addresses.deleteInternal

compute.addresses.get

compute.addresses.list

compute.addresses.use

compute.addresses.useInternal

compute.firewalls.create

compute.firewalls.delete

compute.firewalls.get

compute.firewalls.update

compute.globalOperations.get

compute.networks.get

compute.networks.list

compute.networks.updatePolicy

compute.networks.use

compute.networks.useExternalIp

compute.routes.list

compute.subnetworks.get

compute.subnetworks.list

compute.subnetworks.use

compute.subnetworks.useExternalIp

compute.zoneOperations.get

Permissions

(roles/cloudtrace.admin)

Provides full access to the Trace console and read-write access to traces.

Lowest-level resources where you can grant this role:

  • Project

cloudtrace.*

resourcemanager.projects.get

resourcemanager.projects.list

(roles/cloudtrace.agent)

For service accounts. Provides ability to write traces by sending the data to Stackdriver Trace.

Lowest-level resources where you can grant this role:

  • Project

cloudtrace.traces.patch

(roles/cloudtrace.user)

Provides full access to the Trace console and read access to traces.

Lowest-level resources where you can grant this role:

  • Project

cloudtrace.insights.*

cloudtrace.stats.get

cloudtrace.tasks.*

cloudtrace.traces.get

cloudtrace.traces.list

resourcemanager.projects.get

resourcemanager.projects.list

Permissions

(roles/cloudtranslate.admin)

Full access to all Cloud Translation resources

automl.models.get

automl.models.predict

cloudtranslate.*

resourcemanager.projects.get

resourcemanager.projects.list

(roles/cloudtranslate.editor)

Editor of all Cloud Translation resources

automl.models.get

automl.models.predict

cloudtranslate.*

resourcemanager.projects.get

resourcemanager.projects.list

(roles/cloudtranslate.user)

User of Cloud Translation and AutoML models

automl.models.get

automl.models.predict

cloudtranslate.adaptiveMtDatasets.get

cloudtranslate.adaptiveMtDatasets.list

cloudtranslate.adaptiveMtDatasets.predict

cloudtranslate.adaptiveMtFiles.get

cloudtranslate.adaptiveMtFiles.list

cloudtranslate.adaptiveMtSentences.list

cloudtranslate.customModels.get

cloudtranslate.customModels.list

cloudtranslate.customModels.predict

cloudtranslate.datasets.get

cloudtranslate.datasets.list

cloudtranslate.generalModels.*

cloudtranslate.glossaries.batchDocPredict

cloudtranslate.glossaries.batchPredict

cloudtranslate.glossaries.docPredict

cloudtranslate.glossaries.get

cloudtranslate.glossaries.list

cloudtranslate.glossaries.predict

cloudtranslate.glossaryentries.get

cloudtranslate.glossaryentries.list

cloudtranslate.languageDetectionModels.predict

cloudtranslate.locations.*

cloudtranslate.operations.get

cloudtranslate.operations.list

cloudtranslate.operations.wait

resourcemanager.projects.get

resourcemanager.projects.list

(roles/cloudtranslate.viewer)

Viewer of all Translation resources

automl.models.get

cloudtranslate.adaptiveMtDatasets.get

cloudtranslate.adaptiveMtDatasets.list

cloudtranslate.adaptiveMtFiles.get

cloudtranslate.adaptiveMtFiles.list

cloudtranslate.adaptiveMtSentences.list

cloudtranslate.customModels.get

cloudtranslate.customModels.list

cloudtranslate.datasets.get

cloudtranslate.datasets.list

cloudtranslate.generalModels.get

cloudtranslate.glossaries.get

cloudtranslate.glossaries.list

cloudtranslate.glossaryentries.get

cloudtranslate.glossaryentries.list

cloudtranslate.locations.*

cloudtranslate.operations.get

cloudtranslate.operations.list

cloudtranslate.operations.wait

resourcemanager.projects.get

resourcemanager.projects.list

Permissions

(roles/workstations.admin)

Grants CRUD access to all Workstation resources.

compute.acceleratorTypes.*

compute.machineTypes.*

compute.networks.get

compute.networks.list

compute.subnetworks.get

compute.subnetworks.list

compute.zones.*

iam.serviceAccounts.get

iam.serviceAccounts.list

resourcemanager.projects.get

resourcemanager.projects.list

workstations.operations.get

workstations.workstationClusters.*

workstations.workstationConfigs.*

workstations.workstations.create

workstations.workstations.delete

workstations.workstations.get

workstations.workstations.getIamPolicy

workstations.workstations.list

workstations.workstations.setIamPolicy

workstations.workstations.start

workstations.workstations.stop

workstations.workstations.update

(roles/workstations.networkAdmin)

Grants ability to connect a Workstation Cluster to a shared VPC network.

compute.addresses.create

compute.addresses.createInternal

compute.addresses.delete

compute.addresses.deleteInternal

compute.addresses.get

compute.addresses.use

compute.forwardingRules.create

compute.forwardingRules.delete

compute.forwardingRules.get

compute.forwardingRules.pscCreate

compute.forwardingRules.pscDelete

compute.globalOperations.get

compute.networks.get

compute.networks.updatePolicy

compute.networks.use

compute.networks.useExternalIp

compute.regionOperations.get

compute.subnetworks.get

compute.subnetworks.use

compute.subnetworks.useExternalIp

compute.zoneOperations.get

servicedirectory.namespaces.create

servicedirectory.namespaces.delete

servicedirectory.services.create

servicedirectory.services.delete

(roles/workstations.operationViewer)

Grants ability to view Cloud Workstations API operations.

workstations.operations.get

(roles/workstations.user)

Grants runtime access to Workstation resources.

workstations.operations.get

workstations.workstations.delete

workstations.workstations.get

workstations.workstations.start

workstations.workstations.stop

workstations.workstations.update

workstations.workstations.use

(roles/workstations.workstationCreator)

Grants ability to create Workstation resources.

resourcemanager.projects.get

resourcemanager.projects.list

workstations.operations.get

workstations.workstationClusters.get

workstations.workstationClusters.list

workstations.workstationConfigs.get

workstations.workstations.create

Permissions

(roles/compute.admin)

Full control of all Compute Engine resources.

If the user will be managing virtual machine instances that are configured to run as a service account, you must also grant the roles/iam.serviceAccountUser role.

Lowest-level resources where you can grant this role:

  • Disk
  • Image
  • Instance
  • Instance template
  • Node group
  • Node template
  • Snapshot Beta

compute.*

resourcemanager.projects.get

resourcemanager.projects.list

serviceusage.quotas.get

serviceusage.services.get

serviceusage.services.list

(roles/compute.futureReservationAdmin)

compute.acceleratorTypes.list

compute.futureReservations.cancel

compute.futureReservations.create

compute.futureReservations.delete

compute.futureReservations.get

compute.futureReservations.list

compute.futureReservations.update

compute.instanceTemplates.list

compute.machineTypes.list

compute.regions.list

compute.reservations.create

compute.zones.list

(roles/compute.futureReservationUser)

compute.acceleratorTypes.list

compute.futureReservations.create

compute.futureReservations.delete

compute.futureReservations.get

compute.futureReservations.list

compute.futureReservations.update

compute.instanceTemplates.list

compute.machineTypes.list

compute.regions.list

compute.reservations.create

compute.zones.list

(roles/compute.futureReservationViewer)

compute.acceleratorTypes.list

compute.futureReservations.get

compute.futureReservations.list

compute.instanceTemplates.list

compute.machineTypes.list

compute.regions.list

compute.zones.list

(roles/compute.imageUser)

Permission to list and read images without having other permissions on the image. Granting this role at the project level gives users the ability to list all images in the project and create resources, such as instances and persistent disks, based on images in the project.

Lowest-level resources where you can grant this role:

  • Image Beta

compute.images.get

compute.images.getFromFamily

compute.images.list

compute.images.useReadOnly

resourcemanager.projects.get

resourcemanager.projects.list

serviceusage.quotas.get

serviceusage.services.get

serviceusage.services.list

(roles/compute.instanceAdmin)

Permissions to create, modify, and delete virtual machine instances. This includes permissions to create, modify, and delete disks, and also to configure Shielded VM settings.

If the user will be managing virtual machine instances that are configured to run as a service account, you must also grant the roles/iam.serviceAccountUser role.

For example, if your company has someone who manages groups of virtual machine instances but does not manage network or security settings and does not manage instances that run as service accounts, you can grant this role on the organization, folder, or project that contains the instances, or you can grant it on individual instances.

Lowest-level resources where you can grant this role:

  • Disk
  • Image
  • Instance
  • Instance template
  • Snapshot Beta

compute.acceleratorTypes.*

compute.addresses.createInternal

compute.addresses.deleteInternal

compute.addresses.get

compute.addresses.list

compute.addresses.use

compute.addresses.useInternal

compute.autoscalers.*

compute.diskTypes.*

compute.disks.create

compute.disks.createSnapshot

compute.disks.delete

compute.disks.get

compute.disks.list

compute.disks.resize

compute.disks.setLabels

compute.disks.startAsyncReplication

compute.disks.stopAsyncReplication

compute.disks.stopGroupAsyncReplication

compute.disks.update

compute.disks.use

compute.disks.useReadOnly

compute.globalAddresses.get

compute.globalAddresses.list

compute.globalAddresses.use

compute.globalNetworkEndpointGroups.*

compute.globalOperations.get

compute.globalOperations.list

compute.images.get

compute.images.getFromFamily

compute.images.list

compute.images.useReadOnly

compute.instanceGroupManagers.*

compute.instanceGroups.*

compute.instanceSettings.get

compute.instanceTemplates.*

compute.instances.*

compute.licenses.get

compute.licenses.list

compute.machineImages.*

compute.machineTypes.*

compute.networkEndpointGroups.*

compute.networks.get

compute.networks.list

compute.networks.listEffectiveTags

compute.networks.listTagBindings

compute.networks.use

compute.networks.useExternalIp

compute.projects.get

compute.regionNetworkEndpointGroups.*

compute.regionOperations.get

compute.regionOperations.list

compute.regions.*

compute.reservations.get

compute.reservations.list

compute.resourcePolicies.useReadOnly

compute.storagePools.get

compute.storagePools.list

compute.storagePools.use

compute.subnetworks.get

compute.subnetworks.list

compute.subnetworks.listEffectiveTags

compute.subnetworks.listTagBindings

compute.subnetworks.use

compute.subnetworks.useExternalIp

compute.targetPools.get

compute.targetPools.list

compute.targetPools.listEffectiveTags

compute.targetPools.listTagBindings

compute.zoneOperations.get

compute.zoneOperations.list

compute.zones.*

resourcemanager.projects.get

resourcemanager.projects.list

serviceusage.quotas.get

serviceusage.services.get

serviceusage.services.list

(roles/compute.instanceAdmin.v1)

Full control of Compute Engine instances, instance groups, disks, snapshots, and images. Read access to all Compute Engine networking resources.

If you grant a user this role only at an instance level, then that user cannot create new instances.

compute.acceleratorTypes.*

compute.addresses.createInternal

compute.addresses.deleteInternal

compute.addresses.get

compute.addresses.list

compute.addresses.use

compute.addresses.useInternal

compute.autoscalers.*

compute.backendBuckets.get

compute.backendBuckets.list

compute.backendBuckets.listEffectiveTags

compute.backendBuckets.listTagBindings

compute.backendServices.get

compute.backendServices.list

compute.backendServices.listEffectiveTags

compute.backendServices.listTagBindings

compute.diskTypes.*

compute.disks.*

compute.externalVpnGateways.get

compute.externalVpnGateways.list

compute.firewalls.get

compute.firewalls.list

compute.firewalls.listEffectiveTags

compute.firewalls.listTagBindings

compute.forwardingRules.get

compute.forwardingRules.list

compute.forwardingRules.listEffectiveTags

compute.forwardingRules.listTagBindings

compute.globalAddresses.get

compute.globalAddresses.list

compute.globalAddresses.use

compute.globalForwardingRules.get

compute.globalForwardingRules.list

compute.globalForwardingRules.listEffectiveTags

compute.globalForwardingRules.listTagBindings

compute.globalForwardingRules.pscGet

compute.globalNetworkEndpointGroups.*

compute.globalOperations.get

compute.globalOperations.list

compute.healthChecks.get

compute.healthChecks.list

compute.healthChecks.listEffectiveTags

compute.healthChecks.listTagBindings

compute.httpHealthChecks.get

compute.httpHealthChecks.list

compute.httpHealthChecks.listEffectiveTags

compute.httpHealthChecks.listTagBindings

compute.httpsHealthChecks.get

compute.httpsHealthChecks.list

compute.httpsHealthChecks.listEffectiveTags

compute.httpsHealthChecks.listTagBindings

compute.images.*

compute.instanceGroupManagers.*

compute.instanceGroups.*

compute.instanceSettings.*

compute.instanceTemplates.*

compute.instances.*

compute.instantSnapshots.*

compute.interconnectAttachments.get

compute.interconnectAttachments.list

compute.interconnectLocations.*

compute.interconnectRemoteLocations.*

compute.interconnects.get

compute.interconnects.list

compute.licenseCodes.*

compute.licenses.*

compute.machineImages.*

compute.machineTypes.*

compute.networkAttachments.get

compute.networkAttachments.list

compute.networkEndpointGroups.*

compute.networks.get

compute.networks.list

compute.networks.listEffectiveTags

compute.networks.listTagBindings

compute.networks.use

compute.networks.useExternalIp

compute.projects.get

compute.projects.setCommonInstanceMetadata

compute.regionBackendServices.get

compute.regionBackendServices.list

compute.regionBackendServices.listEffectiveTags

compute.regionBackendServices.listTagBindings

compute.regionHealthCheckServices.get

compute.regionHealthCheckServices.list

compute.regionHealthChecks.get

compute.regionHealthChecks.list

compute.regionHealthChecks.listEffectiveTags

compute.regionHealthChecks.listTagBindings

compute.regionNetworkEndpointGroups.*

compute.regionNotificationEndpoints.get

compute.regionNotificationEndpoints.list

compute.regionOperations.get

compute.regionOperations.list

compute.regionSslCertificates.get

compute.regionSslCertificates.list

compute.regionSslCertificates.listEffectiveTags

compute.regionSslCertificates.listTagBindings

compute.regionSslPolicies.get

compute.regionSslPolicies.list

compute.regionSslPolicies.listAvailableFeatures

compute.regionTargetHttpProxies.get

compute.regionTargetHttpProxies.list

compute.regionTargetHttpProxies.listEffectiveTags

compute.regionTargetHttpProxies.listTagBindings

compute.regionTargetHttpsProxies.get

compute.regionTargetHttpsProxies.list

compute.regionTargetHttpsProxies.listEffectiveTags

compute.regionTargetHttpsProxies.listTagBindings

compute.regionTargetTcpProxies.get

compute.regionTargetTcpProxies.list

compute.regionUrlMaps.get

compute.regionUrlMaps.list

compute.regionUrlMaps.listEffectiveTags

compute.regionUrlMaps.listTagBindings

compute.regions.*

compute.reservations.get

compute.reservations.list

compute.resourcePolicies.*

compute.routers.get

compute.routers.list

compute.routes.get

compute.routes.list

compute.routes.listEffectiveTags

compute.routes.listTagBindings

compute.serviceAttachments.get

compute.serviceAttachments.list

compute.snapshots.*

compute.sslCertificates.get

compute.sslCertificates.list

compute.sslCertificates.listEffectiveTags

compute.sslCertificates.listTagBindings

compute.sslPolicies.get

compute.sslPolicies.list

compute.sslPolicies.listAvailableFeatures

compute.sslPolicies.listEffectiveTags

compute.sslPolicies.listTagBindings

compute.storagePools.get

compute.storagePools.list

compute.storagePools.use

compute.subnetworks.get

compute.subnetworks.list

compute.subnetworks.listEffectiveTags

compute.subnetworks.listTagBindings

compute.subnetworks.use

compute.subnetworks.useExternalIp

compute.targetGrpcProxies.get

compute.targetGrpcProxies.list

compute.targetHttpProxies.get

compute.targetHttpProxies.list

compute.targetHttpProxies.listEffectiveTags

compute.targetHttpProxies.listTagBindings

compute.targetHttpsProxies.get

compute.targetHttpsProxies.list

compute.targetHttpsProxies.listEffectiveTags

compute.targetHttpsProxies.listTagBindings

compute.targetInstances.get

compute.targetInstances.list

compute.targetInstances.listEffectiveTags

compute.targetInstances.listTagBindings

compute.targetPools.get

compute.targetPools.list

compute.targetPools.listEffectiveTags

compute.targetPools.listTagBindings

compute.targetSslProxies.get

compute.targetSslProxies.list

compute.targetSslProxies.listEffectiveTags

compute.targetSslProxies.listTagBindings

compute.targetTcpProxies.get

compute.targetTcpProxies.list

compute.targetTcpProxies.listEffectiveTags

compute.targetTcpProxies.listTagBindings

compute.targetVpnGateways.get

compute.targetVpnGateways.list

compute.urlMaps.get

compute.urlMaps.list

compute.urlMaps.listEffectiveTags

compute.urlMaps.listTagBindings

compute.vpnGateways.get

compute.vpnGateways.list

compute.vpnTunnels.get

compute.vpnTunnels.list

compute.zoneOperations.get

compute.zoneOperations.list

compute.zones.*

resourcemanager.projects.get

resourcemanager.projects.list

serviceusage.quotas.get

serviceusage.services.get

serviceusage.services.list

(roles/compute.loadBalancerAdmin)

Permissions to create, modify, and delete load balancers and associate resources.

For example, if your company has a load balancing team that manages load balancers, SSL certificates for load balancers, SSL policies, and other load balancing resources, and a separate networking team that manages the rest of the networking resources, then grant this role to the load balancing team's group.

Lowest-level resources where you can grant this role:

  • Instance (Beta)

certificatemanager.certmaps.get

certificatemanager.certmaps.list

certificatemanager.certmaps.use

compute.addresses.*

compute.backendBuckets.*

compute.backendServices.*

compute.disks.listEffectiveTags

compute.disks.listTagBindings

compute.forwardingRules.*

compute.globalAddresses.*

compute.globalForwardingRules.*

compute.globalNetworkEndpointGroups.*

compute.globalOperations.get

compute.globalOperations.list

compute.healthChecks.*

compute.httpHealthChecks.*

compute.httpsHealthChecks.*

compute.images.listEffectiveTags

compute.images.listTagBindings

compute.instanceGroups.*

compute.instances.get

compute.instances.list

compute.instances.listEffectiveTags

compute.instances.listTagBindings

compute.instances.use

compute.instances.useReadOnly

compute.networkEndpointGroups.*

compute.networks.get

compute.networks.list

compute.networks.listEffectiveTags

compute.networks.listTagBindings

compute.networks.use

compute.projects.get

compute.regionBackendServices.*

compute.regionHealthCheckServices.*

compute.regionHealthChecks.*

compute.regionNetworkEndpointGroups.*

compute.regionNotificationEndpoints.*

compute.regionOperations.get

compute.regionOperations.list

compute.regionSecurityPolicies.get

compute.regionSecurityPolicies.list

compute.regionSecurityPolicies.listEffectiveTags

compute.regionSecurityPolicies.listTagBindings

compute.regionSecurityPolicies.use

compute.regionSslCertificates.*

compute.regionSslPolicies.*

compute.regionTargetHttpProxies.*

compute.regionTargetHttpsProxies.*

compute.regionTargetTcpProxies.*

compute.regionUrlMaps.*

compute.securityPolicies.get

compute.securityPolicies.list

compute.securityPolicies.listEffectiveTags

compute.securityPolicies.listTagBindings

compute.securityPolicies.use

compute.snapshots.listEffectiveTags

compute.snapshots.listTagBindings

compute.sslCertificates.*

compute.sslPolicies.*

compute.subnetworks.get

compute.subnetworks.list

compute.subnetworks.listEffectiveTags

compute.subnetworks.listTagBindings

compute.subnetworks.use

compute.targetGrpcProxies.*

compute.targetHttpProxies.*

compute.targetHttpsProxies.*

compute.targetInstances.*

compute.targetPools.*

compute.targetSslProxies.*

compute.targetTcpProxies.*

compute.urlMaps.*

compute.zoneOperations.get

compute.zoneOperations.list

networksecurity.clientTlsPolicies.get

networksecurity.clientTlsPolicies.list

networksecurity.clientTlsPolicies.use

networksecurity.serverTlsPolicies.get

networksecurity.serverTlsPolicies.list

networksecurity.serverTlsPolicies.use

resourcemanager.projects.get

resourcemanager.projects.list

serviceusage.quotas.get

serviceusage.services.get

serviceusage.services.list

(roles/compute.loadBalancerServiceUser)

Permissions to use services from a load balancer in other projects.

compute.backendServices.get

compute.backendServices.list

compute.backendServices.listEffectiveTags

compute.backendServices.listTagBindings

compute.backendServices.use

compute.projects.get

compute.regionBackendServices.get

compute.regionBackendServices.list

compute.regionBackendServices.listEffectiveTags

compute.regionBackendServices.listTagBindings

compute.regionBackendServices.use

resourcemanager.projects.get

resourcemanager.projects.list

serviceusage.quotas.get

serviceusage.services.get

serviceusage.services.list

(roles/compute.networkAdmin)

Permissions to create, modify, and delete networking resources, except for firewall rules and SSL certificates. The network admin role allows read-only access to firewall rules, SSL certificates, and instances (to view their ephemeral IP addresses). The network admin role does not allow a user to create, start, stop, or delete instances.

For example, if your company has a security team that manages firewalls and SSL certificates and a networking team that manages the rest of the networking resources, then grant this role to the networking team's group. Or, if you have a combined team that manages both security and networking, then grant this role as well as the roles/compute.securityAdmin role to the combined team's group.

Lowest-level resources where you can grant this role:

  • Instance (Beta)

compute.acceleratorTypes.*

compute.addresses.*

compute.autoscalers.get

compute.autoscalers.list

compute.backendBuckets.*

compute.backendServices.*

compute.disks.listEffectiveTags

compute.disks.listTagBindings

compute.externalVpnGateways.*

compute.firewallPolicies.get

compute.firewallPolicies.list

compute.firewallPolicies.listEffectiveTags

compute.firewallPolicies.listTagBindings

compute.firewallPolicies.use

compute.firewalls.get

compute.firewalls.list

compute.firewalls.listEffectiveTags

compute.firewalls.listTagBindings

compute.forwardingRules.*

compute.globalAddresses.*

compute.globalForwardingRules.*

compute.globalNetworkEndpointGroups.get

compute.globalNetworkEndpointGroups.list

compute.globalNetworkEndpointGroups.listEffectiveTags

compute.globalNetworkEndpointGroups.listTagBindings

compute.globalNetworkEndpointGroups.use

compute.globalOperations.get

compute.globalOperations.list

compute.globalPublicDelegatedPrefixes.delete

compute.globalPublicDelegatedPrefixes.get

compute.globalPublicDelegatedPrefixes.list

compute.globalPublicDelegatedPrefixes.update

compute.globalPublicDelegatedPrefixes.updatePolicy

compute.healthChecks.*

compute.httpHealthChecks.*

compute.httpsHealthChecks.*

compute.images.listEffectiveTags

compute.images.listTagBindings

compute.instanceGroupManagers.get

compute.instanceGroupManagers.list

compute.instanceGroupManagers.listEffectiveTags

compute.instanceGroupManagers.listTagBindings

compute.instanceGroupManagers.update

compute.instanceGroupManagers.use

compute.instanceGroups.get

compute.instanceGroups.list

compute.instanceGroups.update

compute.instanceGroups.use

compute.instanceSettings.get

compute.instances.get

compute.instances.getGuestAttributes

compute.instances.getScreenshot

compute.instances.getSerialPortOutput

compute.instances.list

compute.instances.listEffectiveTags

compute.instances.listReferrers

compute.instances.listTagBindings

compute.instances.updateSecurity

compute.instances.use

compute.instances.useReadOnly

compute.interconnectAttachments.*

compute.interconnectLocations.*

compute.interconnectRemoteLocations.*

compute.interconnects.*

compute.machineTypes.*

compute.networkAttachments.*

compute.networkEndpointGroups.get

compute.networkEndpointGroups.list

compute.networkEndpointGroups.listEffectiveTags

compute.networkEndpointGroups.listTagBindings

compute.networkEndpointGroups.use

compute.networks.*

compute.packetMirrorings.get

compute.packetMirrorings.list

compute.projects.get

compute.publicDelegatedPrefixes.delete

compute.publicDelegatedPrefixes.get

compute.publicDelegatedPrefixes.list

compute.publicDelegatedPrefixes.update

compute.publicDelegatedPrefixes.updatePolicy

compute.regionBackendServices.*

compute.regionFirewallPolicies.get

compute.regionFirewallPolicies.list

compute.regionFirewallPolicies.listEffectiveTags

compute.regionFirewallPolicies.listTagBindings

compute.regionFirewallPolicies.use

compute.regionHealthCheckServices.*

compute.regionHealthChecks.*

compute.regionNetworkEndpointGroups.get

compute.regionNetworkEndpointGroups.list

compute.regionNetworkEndpointGroups.listEffectiveTags

compute.regionNetworkEndpointGroups.listTagBindings

compute.regionNetworkEndpointGroups.use

compute.regionNotificationEndpoints.*

compute.regionOperations.get

compute.regionOperations.list

compute.regionSecurityPolicies.get

compute.regionSecurityPolicies.list

compute.regionSecurityPolicies.listEffectiveTags

compute.regionSecurityPolicies.listTagBindings

compute.regionSecurityPolicies.use

compute.regionSslCertificates.get

compute.regionSslCertificates.list

compute.regionSslCertificates.listEffectiveTags

compute.regionSslCertificates.listTagBindings

compute.regionSslPolicies.*

compute.regionTargetHttpProxies.*

compute.regionTargetHttpsProxies.*

compute.regionTargetTcpProxies.*

compute.regionUrlMaps.*

compute.regions.*

compute.routers.*

compute.routes.*

compute.securityPolicies.get

compute.securityPolicies.list

compute.securityPolicies.listEffectiveTags

compute.securityPolicies.listTagBindings

compute.securityPolicies.use

compute.serviceAttachments.*

compute.snapshots.listEffectiveTags

compute.snapshots.listTagBindings

compute.sslCertificates.get

compute.sslCertificates.list

compute.sslCertificates.listEffectiveTags

compute.sslCertificates.listTagBindings

compute.sslPolicies.*

compute.subnetworks.*

compute.targetGrpcProxies.*

compute.targetHttpProxies.*

compute.targetHttpsProxies.*

compute.targetInstances.*

compute.targetPools.*

compute.targetSslProxies.*

compute.targetTcpProxies.*

compute.targetVpnGateways.*

compute.urlMaps.*

compute.vpnGateways.*

compute.vpnTunnels.*

compute.zoneOperations.get

compute.zoneOperations.list

compute.zones.*

networkconnectivity.internalRanges.*

networkconnectivity.locations.*

networkconnectivity.operations.*

networkconnectivity.policyBasedRoutes.*

networkconnectivity.regionalEndpoints.*

networkconnectivity.serviceClasses.*

networkconnectivity.serviceConnectionMaps.*

networkconnectivity.serviceConnectionPolicies.*

networksecurity.*

networkservices.*

resourcemanager.projects.get

resourcemanager.projects.list

servicedirectory.namespaces.create

servicedirectory.namespaces.delete

servicedirectory.services.create

servicedirectory.services.delete

servicenetworking.operations.get

servicenetworking.services.addPeering

servicenetworking.services.createPeeredDnsDomain

servicenetworking.services.deleteConnection

servicenetworking.services.deletePeeredDnsDomain

servicenetworking.services.disableVpcServiceControls

servicenetworking.services.enableVpcServiceControls

servicenetworking.services.get

servicenetworking.services.listPeeredDnsDomains

serviceusage.quotas.get

serviceusage.services.get

serviceusage.services.list

trafficdirector.*

(roles/compute.networkUser)

Provides access to a shared VPC network.

Once this role is granted, service owners can use VPC networks and subnets that belong to the host project. For example, a network user can create a VM instance that belongs to a host project network, but they cannot delete networks or create new networks in the host project.

Lowest-level resources where you can grant this role:

  • Project

compute.addresses.createInternal

compute.addresses.deleteInternal

compute.addresses.get

compute.addresses.list

compute.addresses.useInternal

compute.externalVpnGateways.get

compute.externalVpnGateways.list

compute.externalVpnGateways.use

compute.firewalls.get

compute.firewalls.list

compute.firewalls.listEffectiveTags

compute.firewalls.listTagBindings

compute.instanceSettings.get

compute.interconnectAttachments.get

compute.interconnectAttachments.list

compute.interconnectLocations.*

compute.interconnectRemoteLocations.*

compute.interconnects.get

compute.interconnects.list

compute.interconnects.use

compute.networkAttachments.get

compute.networkAttachments.list

compute.networks.access

compute.networks.get

compute.networks.getEffectiveFirewalls

compute.networks.getRegionEffectiveFirewalls

compute.networks.list

compute.networks.listEffectiveTags

compute.networks.listPeeringRoutes

compute.networks.listTagBindings

compute.networks.use

compute.networks.useExternalIp

compute.projects.get

compute.regions.*

compute.routers.get

compute.routers.list

compute.routes.get

compute.routes.list

compute.routes.listEffectiveTags

compute.routes.listTagBindings

compute.serviceAttachments.get

compute.serviceAttachments.list

compute.subnetworks.get

compute.subnetworks.list

compute.subnetworks.listEffectiveTags

compute.subnetworks.listTagBindings

compute.subnetworks.use

compute.subnetworks.useExternalIp

compute.targetVpnGateways.get

compute.targetVpnGateways.list

compute.vpnGateways.get

compute.vpnGateways.list

compute.vpnGateways.use

compute.vpnTunnels.get

compute.vpnTunnels.list

compute.zones.*

networkconnectivity.internalRanges.get

networkconnectivity.internalRanges.list

networkconnectivity.locations.*

networkconnectivity.operations.get

networkconnectivity.operations.list

networkconnectivity.policyBasedRoutes.get

networkconnectivity.policyBasedRoutes.list

networksecurity.addressGroups.get

networksecurity.addressGroups.list

networksecurity.addressGroups.use

networksecurity.authorizationPolicies.get

networksecurity.authorizationPolicies.list

networksecurity.authorizationPolicies.use

networksecurity.clientTlsPolicies.get

networksecurity.clientTlsPolicies.list

networksecurity.clientTlsPolicies.use

networksecurity.firewallEndpointAssociations.get

networksecurity.firewallEndpointAssociations.list

networksecurity.firewallEndpoints.get

networksecurity.firewallEndpoints.list

networksecurity.firewallEndpoints.use

networksecurity.gatewaySecurityPolicies.get

networksecurity.gatewaySecurityPolicies.list

networksecurity.gatewaySecurityPolicies.use

networksecurity.gatewaySecurityPolicyRules.get

networksecurity.gatewaySecurityPolicyRules.list

networksecurity.gatewaySecurityPolicyRules.use

networksecurity.locations.*

networksecurity.operations.get

networksecurity.operations.list

networksecurity.securityProfileGroups.get

networksecurity.securityProfileGroups.list

networksecurity.securityProfileGroups.use

networksecurity.securityProfiles.get

networksecurity.securityProfiles.list

networksecurity.securityProfiles.use

networksecurity.serverTlsPolicies.get

networksecurity.serverTlsPolicies.list

networksecurity.serverTlsPolicies.use

networksecurity.tlsInspectionPolicies.get

networksecurity.tlsInspectionPolicies.list

networksecurity.tlsInspectionPolicies.use

networksecurity.urlLists.get

networksecurity.urlLists.list

networksecurity.urlLists.use

networkservices.endpointConfigSelectors.get

networkservices.endpointConfigSelectors.list

networkservices.endpointConfigSelectors.use

networkservices.endpointPolicies.get

networkservices.endpointPolicies.list

networkservices.endpointPolicies.use

networkservices.gateways.get

networkservices.gateways.list

networkservices.gateways.use

networkservices.grpcRoutes.get

networkservices.grpcRoutes.list

networkservices.grpcRoutes.use

networkservices.httpFilters.get

networkservices.httpFilters.list

networkservices.httpFilters.use

networkservices.httpRoutes.get

networkservices.httpRoutes.list

networkservices.httpRoutes.use

networkservices.httpfilters.get

networkservices.httpfilters.list

networkservices.httpfilters.use

networkservices.lbRouteExtensions.get

networkservices.lbRouteExtensions.list

networkservices.lbTrafficExtensions.get

networkservices.lbTrafficExtensions.list

networkservices.locations.*

networkservices.meshes.get

networkservices.meshes.list

networkservices.meshes.use

networkservices.operations.get

networkservices.operations.list

networkservices.serviceBindings.get

networkservices.serviceBindings.list

networkservices.serviceLbPolicies.get

networkservices.serviceLbPolicies.list

networkservices.tcpRoutes.get

networkservices.tcpRoutes.list

networkservices.tcpRoutes.use

networkservices.tlsRoutes.get

networkservices.tlsRoutes.list

networkservices.tlsRoutes.use

resourcemanager.projects.get

resourcemanager.projects.list

servicenetworking.services.get

serviceusage.quotas.get

serviceusage.services.get

serviceusage.services.list

(roles/compute.networkViewer)

Read-only access to all networking resources.

For example, if you have software that inspects your network configuration, you could grant this role to that software's service account.

Lowest-level resources where you can grant this role:

  • Instance (Beta)

compute.acceleratorTypes.*

compute.addresses.get

compute.addresses.list

compute.autoscalers.get

compute.autoscalers.list

compute.backendBuckets.get

compute.backendBuckets.list

compute.backendBuckets.listEffectiveTags

compute.backendBuckets.listTagBindings

compute.backendServices.get

compute.backendServices.list

compute.backendServices.listEffectiveTags

compute.backendServices.listTagBindings

compute.disks.listEffectiveTags

compute.disks.listTagBindings

compute.externalVpnGateways.get

compute.externalVpnGateways.list

compute.firewalls.get

compute.firewalls.list

compute.firewalls.listEffectiveTags

compute.firewalls.listTagBindings

compute.forwardingRules.get

compute.forwardingRules.list

compute.forwardingRules.listEffectiveTags

compute.forwardingRules.listTagBindings

compute.globalAddresses.get

compute.globalAddresses.list

compute.globalForwardingRules.get

compute.globalForwardingRules.list

compute.globalForwardingRules.listEffectiveTags

compute.globalForwardingRules.listTagBindings

compute.globalForwardingRules.pscGet

compute.healthChecks.get

compute.healthChecks.list

compute.healthChecks.listEffectiveTags

compute.healthChecks.listTagBindings

compute.httpHealthChecks.get

compute.httpHealthChecks.list

compute.httpHealthChecks.listEffectiveTags

compute.httpHealthChecks.listTagBindings

compute.httpsHealthChecks.get

compute.httpsHealthChecks.list

compute.httpsHealthChecks.listEffectiveTags

compute.httpsHealthChecks.listTagBindings

compute.images.listEffectiveTags

compute.images.listTagBindings

compute.instanceGroupManagers.get

compute.instanceGroupManagers.list

compute.instanceGroupManagers.listEffectiveTags

compute.instanceGroupManagers.listTagBindings

compute.instanceGroups.get

compute.instanceGroups.list

compute.instanceSettings.get

compute.instances.get

compute.instances.getGuestAttributes

compute.instances.getScreenshot

compute.instances.getSerialPortOutput

compute.instances.list

compute.instances.listEffectiveTags

compute.instances.listReferrers

compute.instances.listTagBindings

compute.interconnectAttachments.get

compute.interconnectAttachments.list

compute.interconnectLocations.*

compute.interconnectRemoteLocations.*

compute.interconnects.get

compute.interconnects.list

compute.machineTypes.*

compute.networkAttachments.get

compute.networkAttachments.list

compute.networks.get

compute.networks.getEffectiveFirewalls

compute.networks.getRegionEffectiveFirewalls

compute.networks.list

compute.networks.listEffectiveTags

compute.networks.listPeeringRoutes

compute.networks.listTagBindings

compute.packetMirrorings.get

compute.packetMirrorings.list

compute.projects.get

compute.regionBackendServices.get

compute.regionBackendServices.list

compute.regionBackendServices.listEffectiveTags

compute.regionBackendServices.listTagBindings

compute.regionHealthCheckServices.get

compute.regionHealthCheckServices.list

compute.regionHealthChecks.get

compute.regionHealthChecks.list

compute.regionHealthChecks.listEffectiveTags

compute.regionHealthChecks.listTagBindings

compute.regionNotificationEndpoints.get

compute.regionNotificationEndpoints.list

compute.regionSslCertificates.get

compute.regionSslCertificates.list

compute.regionSslCertificates.listEffectiveTags

compute.regionSslCertificates.listTagBindings

compute.regionSslPolicies.get

compute.regionSslPolicies.list

compute.regionSslPolicies.listAvailableFeatures

compute.regionTargetHttpProxies.get

compute.regionTargetHttpProxies.list

compute.regionTargetHttpProxies.listEffectiveTags

compute.regionTargetHttpProxies.listTagBindings

compute.regionTargetHttpsProxies.get

compute.regionTargetHttpsProxies.list

compute.regionTargetHttpsProxies.listEffectiveTags

compute.regionTargetHttpsProxies.listTagBindings

compute.regionTargetTcpProxies.get

compute.regionTargetTcpProxies.list

compute.regionUrlMaps.get

compute.regionUrlMaps.list

compute.regionUrlMaps.listEffectiveTags

compute.regionUrlMaps.listTagBindings

compute.regions.*

compute.routers.get

compute.routers.list

compute.routes.get

compute.routes.list

compute.routes.listEffectiveTags

compute.routes.listTagBindings

compute.serviceAttachments.get

compute.serviceAttachments.list

compute.snapshots.listEffectiveTags

compute.snapshots.listTagBindings

compute.sslCertificates.get

compute.sslCertificates.list

compute.sslCertificates.listEffectiveTags

compute.sslCertificates.listTagBindings

compute.sslPolicies.get

compute.sslPolicies.list

compute.sslPolicies.listAvailableFeatures

compute.sslPolicies.listEffectiveTags

compute.sslPolicies.listTagBindings

compute.subnetworks.get

compute.subnetworks.list

compute.subnetworks.listEffectiveTags

compute.subnetworks.listTagBindings

compute.targetGrpcProxies.get

compute.targetGrpcProxies.list

compute.targetHttpProxies.get

compute.targetHttpProxies.list

compute.targetHttpProxies.listEffectiveTags

compute.targetHttpProxies.listTagBindings

compute.targetHttpsProxies.get

compute.targetHttpsProxies.list

compute.targetHttpsProxies.listEffectiveTags

compute.targetHttpsProxies.listTagBindings

compute.targetInstances.get

compute.targetInstances.list

compute.targetInstances.listEffectiveTags

compute.targetInstances.listTagBindings

compute.targetPools.get

compute.targetPools.list

compute.targetPools.listEffectiveTags

compute.targetPools.listTagBindings

compute.targetSslProxies.get

compute.targetSslProxies.list

compute.targetSslProxies.listEffectiveTags

compute.targetSslProxies.listTagBindings

compute.targetTcpProxies.get

compute.targetTcpProxies.list

compute.targetTcpProxies.listEffectiveTags

compute.targetTcpProxies.listTagBindings

compute.targetVpnGateways.get

compute.targetVpnGateways.list

compute.urlMaps.get

compute.urlMaps.list

compute.urlMaps.listEffectiveTags

compute.urlMaps.listTagBindings

compute.vpnGateways.get

compute.vpnGateways.list

compute.vpnTunnels.get

compute.vpnTunnels.list

compute.zones.*

networkconnectivity.internalRanges.get

networkconnectivity.internalRanges.list

networkconnectivity.locations.*

networkconnectivity.operations.get

networkconnectivity.operations.list

networkconnectivity.policyBasedRoutes.get

networkconnectivity.policyBasedRoutes.list

networksecurity.addressGroups.get

networksecurity.addressGroups.list

networksecurity.authorizationPolicies.get

networksecurity.authorizationPolicies.list

networksecurity.clientTlsPolicies.get

networksecurity.clientTlsPolicies.list

networksecurity.firewallEndpointAssociations.get

networksecurity.firewallEndpointAssociations.list

networksecurity.firewallEndpoints.get

networksecurity.firewallEndpoints.list

networksecurity.gatewaySecurityPolicies.get

networksecurity.gatewaySecurityPolicies.list

networksecurity.gatewaySecurityPolicyRules.get

networksecurity.gatewaySecurityPolicyRules.list

networksecurity.locations.*

networksecurity.operations.get

networksecurity.operations.list

networksecurity.securityProfileGroups.get

networksecurity.securityProfileGroups.list

networksecurity.securityProfiles.get

networksecurity.securityProfiles.list

networksecurity.serverTlsPolicies.get

networksecurity.serverTlsPolicies.list

networksecurity.tlsInspectionPolicies.get

networksecurity.tlsInspectionPolicies.list

networksecurity.urlLists.get

networksecurity.urlLists.list

networkservices.endpointConfigSelectors.get

networkservices.endpointConfigSelectors.list

networkservices.endpointPolicies.get

networkservices.endpointPolicies.list

networkservices.gateways.get

networkservices.gateways.list

networkservices.grpcRoutes.get

networkservices.grpcRoutes.list

networkservices.httpFilters.get

networkservices.httpFilters.list

networkservices.httpRoutes.get

networkservices.httpRoutes.list

networkservices.httpfilters.get

networkservices.httpfilters.list

networkservices.lbRouteExtensions.get

networkservices.lbRouteExtensions.list

networkservices.lbTrafficExtensions.get

networkservices.lbTrafficExtensions.list

networkservices.locations.*

networkservices.meshes.get

networkservices.meshes.list

networkservices.operations.get

networkservices.operations.list

networkservices.serviceBindings.get

networkservices.serviceBindings.list

networkservices.serviceLbPolicies.get

networkservices.serviceLbPolicies.list

networkservices.tcpRoutes.get

networkservices.tcpRoutes.list

networkservices.tlsRoutes.get

networkservices.tlsRoutes.list

resourcemanager.projects.get

resourcemanager.projects.list

servicenetworking.services.get

serviceusage.quotas.get

serviceusage.services.get

serviceusage.services.list

trafficdirector.*

(roles/compute.orgFirewallPolicyAdmin)

Full control of Compute Engine Organization Firewall Policies.

compute.firewallPolicies.cloneRules

compute.firewallPolicies.create

compute.firewallPolicies.createTagBinding

compute.firewallPolicies.delete

compute.firewallPolicies.deleteTagBinding

compute.firewallPolicies.get

compute.firewallPolicies.getIamPolicy

compute.firewallPolicies.list

compute.firewallPolicies.listEffectiveTags

compute.firewallPolicies.listTagBindings

compute.firewallPolicies.move

compute.firewallPolicies.setIamPolicy

compute.firewallPolicies.update

compute.firewallPolicies.use

compute.globalOperations.get

compute.globalOperations.getIamPolicy

compute.globalOperations.list

compute.globalOperations.setIamPolicy

compute.projects.get

compute.regionFirewallPolicies.*

compute.regionOperations.get

compute.regionOperations.getIamPolicy

compute.regionOperations.list

compute.regionOperations.setIamPolicy

resourcemanager.projects.get

resourcemanager.projects.list

serviceusage.quotas.get

serviceusage.services.get

serviceusage.services.list

(roles/compute.orgFirewallPolicyUser)

View or use Compute Engine Firewall Policies to associate with the organization or folders.

compute.firewallPolicies.get

compute.firewallPolicies.list

compute.firewallPolicies.listEffectiveTags

compute.firewallPolicies.listTagBindings

compute.firewallPolicies.use

compute.globalOperations.get

compute.globalOperations.getIamPolicy

compute.globalOperations.list

compute.projects.get

compute.regionFirewallPolicies.get

compute.regionFirewallPolicies.list

compute.regionFirewallPolicies.listEffectiveTags

compute.regionFirewallPolicies.listTagBindings

compute.regionFirewallPolicies.use

compute.regionOperations.get

compute.regionOperations.getIamPolicy

compute.regionOperations.list

resourcemanager.projects.get

resourcemanager.projects.list

serviceusage.quotas.get

serviceusage.services.get

serviceusage.services.list

(roles/compute.orgSecurityPolicyAdmin)

Full control of Compute Engine Organization Security Policies.

compute.firewallPolicies.*

compute.globalOperations.get

compute.globalOperations.getIamPolicy

compute.globalOperations.list

compute.globalOperations.setIamPolicy

compute.projects.get

compute.securityPolicies.addAssociation

compute.securityPolicies.copyRules

compute.securityPolicies.create

compute.securityPolicies.createTagBinding

compute.securityPolicies.delete

compute.securityPolicies.deleteTagBinding

compute.securityPolicies.get

compute.securityPolicies.getIamPolicy

compute.securityPolicies.list

compute.securityPolicies.listEffectiveTags

compute.securityPolicies.listTagBindings

compute.securityPolicies.move

compute.securityPolicies.removeAssociation

compute.securityPolicies.setIamPolicy

compute.securityPolicies.update

compute.securityPolicies.use

resourcemanager.projects.get

resourcemanager.projects.list

serviceusage.quotas.get

serviceusage.services.get

serviceusage.services.list

(roles/compute.orgSecurityPolicyUser)

View or use Compute Engine Security Policies to associate with the organization or folders.

compute.firewallPolicies.addAssociation

compute.firewallPolicies.get

compute.firewallPolicies.list

compute.firewallPolicies.listEffectiveTags

compute.firewallPolicies.listTagBindings

compute.firewallPolicies.removeAssociation

compute.firewallPolicies.use

compute.globalOperations.get

compute.globalOperations.getIamPolicy

compute.globalOperations.list

compute.globalOperations.setIamPolicy

compute.projects.get

compute.securityPolicies.addAssociation

compute.securityPolicies.get

compute.securityPolicies.list

compute.securityPolicies.listEffectiveTags

compute.securityPolicies.listTagBindings

compute.securityPolicies.removeAssociation

compute.securityPolicies.use

resourcemanager.projects.get

resourcemanager.projects.list

serviceusage.quotas.get

serviceusage.services.get

serviceusage.services.list

(roles/compute.orgSecurityResourceAdmin)

Full control of Compute Engine Firewall Policy associations to the organization or folders.

compute.globalOperations.get

compute.globalOperations.getIamPolicy

compute.globalOperations.list

compute.globalOperations.setIamPolicy

compute.organizations.listAssociations

compute.organizations.setFirewallPolicy

compute.organizations.setSecurityPolicy

compute.projects.get

resourcemanager.projects.get

resourcemanager.projects.list

serviceusage.quotas.get

serviceusage.services.get

serviceusage.services.list

(roles/compute.osAdminLogin)

Access to log in to a Compute Engine instance as an administrator user.

Lowest-level resources where you can grant this role:

  • Instance Beta

compute.disks.listEffectiveTags

compute.disks.listTagBindings

compute.images.listEffectiveTags

compute.images.listTagBindings

compute.instanceSettings.get

compute.instances.get

compute.instances.list

compute.instances.listEffectiveTags

compute.instances.listTagBindings

compute.instances.osAdminLogin

compute.instances.osLogin

compute.projects.get

compute.snapshots.listEffectiveTags

compute.snapshots.listTagBindings

resourcemanager.projects.get

resourcemanager.projects.list

serviceusage.quotas.get

serviceusage.services.get

serviceusage.services.list

(roles/compute.osLogin)

Access to log in to a Compute Engine instance as a standard user.

Lowest-level resources where you can grant this role:

  • Instance Beta

compute.disks.listEffectiveTags

compute.disks.listTagBindings

compute.images.listEffectiveTags

compute.images.listTagBindings

compute.instanceSettings.get

compute.instances.get

compute.instances.list

compute.instances.listEffectiveTags

compute.instances.listTagBindings

compute.instances.osLogin

compute.projects.get

compute.snapshots.listEffectiveTags

compute.snapshots.listTagBindings

resourcemanager.projects.get

resourcemanager.projects.list

serviceusage.quotas.get

serviceusage.services.get

serviceusage.services.list

(roles/compute.osLoginExternalUser)

Available only at the organization level.

Access for an external user to set OS Login information associated with this organization. This role does not grant access to instances. External users must be granted one of the required OS Login roles in order to allow access to instances using SSH.

Lowest-level resources where you can grant this role:

  • Organization

compute.oslogin.updateExternalUser

(roles/compute.packetMirroringAdmin)

Specify resources to be mirrored.

compute.instances.updateSecurity

compute.networks.mirror

compute.projects.get

compute.subnetworks.mirror

resourcemanager.projects.get

resourcemanager.projects.list

serviceusage.quotas.get

serviceusage.services.get

serviceusage.services.list

(roles/compute.packetMirroringUser)

Use Compute Engine packet mirrorings.

compute.packetMirrorings.*

compute.projects.get

resourcemanager.projects.get

resourcemanager.projects.list

serviceusage.quotas.get

serviceusage.services.get

serviceusage.services.list

(roles/compute.publicIpAdmin)

Full control of public IP address management for Compute Engine.

compute.addresses.*

compute.globalAddresses.*

compute.globalPublicDelegatedPrefixes.*

compute.publicAdvertisedPrefixes.*

compute.publicDelegatedPrefixes.*

resourcemanager.projects.get

resourcemanager.projects.list

(roles/compute.securityAdmin)

Permissions to create, modify, and delete firewall rules and SSL certificates, and also to configure Shielded VM settings.

For example, if your company has a security team that manages firewalls and SSL certificates and a networking team that manages the rest of the networking resources, then grant this role to the security team's group.

Lowest-level resources where you can grant this role:

  • Instance Beta

compute.backendBuckets.list

compute.backendServices.list

compute.firewallPolicies.*

compute.firewalls.*

compute.globalOperations.get

compute.globalOperations.list

compute.instanceSettings.get

compute.instances.getEffectiveFirewalls

compute.instances.list

compute.instances.setShieldedInstanceIntegrityPolicy

compute.instances.setShieldedVmIntegrityPolicy

compute.instances.updateSecurity

compute.instances.updateShieldedInstanceConfig

compute.instances.updateShieldedVmConfig

compute.networks.get

compute.networks.getEffectiveFirewalls

compute.networks.getRegionEffectiveFirewalls

compute.networks.list

compute.networks.listEffectiveTags

compute.networks.listTagBindings

compute.networks.updatePolicy

compute.packetMirrorings.*

compute.projects.get

compute.regionBackendServices.list

compute.regionFirewallPolicies.*

compute.regionOperations.get

compute.regionOperations.list

compute.regionSecurityPolicies.*

compute.regionSslCertificates.*

compute.regionSslPolicies.*

compute.regions.*

compute.routers.get

compute.routers.list

compute.routes.get

compute.routes.list

compute.routes.listEffectiveTags

compute.routes.listTagBindings

compute.securityPolicies.*

compute.sslCertificates.*

compute.sslPolicies.*

compute.subnetworks.get

compute.subnetworks.list

compute.subnetworks.listEffectiveTags

compute.subnetworks.listTagBindings

compute.targetInstances.list

compute.targetPools.list

compute.zoneOperations.get

compute.zoneOperations.list

compute.zones.*

resourcemanager.projects.get

resourcemanager.projects.list

serviceusage.quotas.get

serviceusage.services.get

serviceusage.services.list

(roles/compute.soleTenantViewer)

Permissions to view sole tenancy node groups

compute.nodeGroups.get

compute.nodeGroups.getIamPolicy

compute.nodeGroups.list

compute.nodeTemplates.get

compute.nodeTemplates.getIamPolicy

compute.nodeTemplates.list

compute.nodeTypes.*

(roles/compute.storageAdmin)

Permissions to create, modify, and delete disks, images, and snapshots.

For example, if your company has someone who manages project images and you don't want them to have the editor role on the project, then grant this role to their account on the project.

Lowest-level resources where you can grant this role:

  • Disk
  • Image
  • Snapshot Beta

compute.diskTypes.*

compute.disks.*

compute.globalOperations.get

compute.globalOperations.list

compute.images.*

compute.instanceSettings.get

compute.instantSnapshots.*

compute.licenseCodes.*

compute.licenses.*

compute.projects.get

compute.regionOperations.get

compute.regionOperations.list

compute.regions.*

compute.resourcePolicies.*

compute.snapshots.*

compute.storagePools.*

compute.zoneOperations.get

compute.zoneOperations.list

compute.zones.*

resourcemanager.projects.get

resourcemanager.projects.list

serviceusage.quotas.get

serviceusage.services.get

serviceusage.services.list

(roles/compute.viewer)

Read-only access to get and list Compute Engine resources, without being able to read the data stored on them.

For example, an account with this role could inventory all of the disks in a project, but it could not read any of the data on those disks.

Lowest-level resources where you can grant this role:

  • Disk
  • Image
  • Instance
  • Instance template
  • Node group
  • Node template
  • Snapshot Beta

compute.acceleratorTypes.*

compute.addresses.get

compute.addresses.list

compute.autoscalers.get

compute.autoscalers.list

compute.backendBuckets.get

compute.backendBuckets.getIamPolicy

compute.backendBuckets.list

compute.backendBuckets.listEffectiveTags

compute.backendBuckets.listTagBindings

compute.backendServices.get

compute.backendServices.getIamPolicy

compute.backendServices.list

compute.backendServices.listEffectiveTags

compute.backendServices.listTagBindings

compute.commitments.get

compute.commitments.list

compute.diskTypes.*

compute.disks.get

compute.disks.getIamPolicy

compute.disks.list

compute.disks.listEffectiveTags

compute.disks.listTagBindings

compute.externalVpnGateways.get

compute.externalVpnGateways.list

compute.firewallPolicies.get

compute.firewallPolicies.getIamPolicy

compute.firewallPolicies.list

compute.firewallPolicies.listEffectiveTags

compute.firewallPolicies.listTagBindings

compute.firewalls.get

compute.firewalls.list

compute.firewalls.listEffectiveTags

compute.firewalls.listTagBindings

compute.forwardingRules.get

compute.forwardingRules.list

compute.forwardingRules.listEffectiveTags

compute.forwardingRules.listTagBindings

compute.futureReservations.get

compute.futureReservations.getIamPolicy

compute.futureReservations.list

compute.globalAddresses.get

compute.globalAddresses.list

compute.globalForwardingRules.get

compute.globalForwardingRules.list

compute.globalForwardingRules.listEffectiveTags

compute.globalForwardingRules.listTagBindings

compute.globalForwardingRules.pscGet

compute.globalNetworkEndpointGroups.get

compute.globalNetworkEndpointGroups.list

compute.globalNetworkEndpointGroups.listEffectiveTags

compute.globalNetworkEndpointGroups.listTagBindings

compute.globalOperations.get

compute.globalOperations.getIamPolicy

compute.globalOperations.list

compute.globalPublicDelegatedPrefixes.get

compute.globalPublicDelegatedPrefixes.list

compute.healthChecks.get

compute.healthChecks.list

compute.healthChecks.listEffectiveTags

compute.healthChecks.listTagBindings

compute.httpHealthChecks.get

compute.httpHealthChecks.list

compute.httpHealthChecks.listEffectiveTags

compute.httpHealthChecks.listTagBindings

compute.httpsHealthChecks.get

compute.httpsHealthChecks.list

compute.httpsHealthChecks.listEffectiveTags

compute.httpsHealthChecks.listTagBindings

compute.images.get

compute.images.getFromFamily

compute.images.getIamPolicy

compute.images.list

compute.images.listEffectiveTags

compute.images.listTagBindings

compute.instanceGroupManagers.get

compute.instanceGroupManagers.list

compute.instanceGroupManagers.listEffectiveTags

compute.instanceGroupManagers.listTagBindings

compute.instanceGroups.get

compute.instanceGroups.list

compute.instanceSettings.get

compute.instanceTemplates.get

compute.instanceTemplates.getIamPolicy

compute.instanceTemplates.list

compute.instances.get

compute.instances.getEffectiveFirewalls

compute.instances.getGuestAttributes

compute.instances.getIamPolicy

compute.instances.getScreenshot

compute.instances.getSerialPortOutput

compute.instances.getShieldedInstanceIdentity

compute.instances.getShieldedVmIdentity

compute.instances.list

compute.instances.listEffectiveTags

compute.instances.listReferrers

compute.instances.listTagBindings

compute.instantSnapshots.get

compute.instantSnapshots.getIamPolicy

compute.instantSnapshots.list

compute.interconnectAttachments.get

compute.interconnectAttachments.list

compute.interconnectLocations.*

compute.interconnectRemoteLocations.*

compute.interconnects.get

compute.interconnects.list

compute.licenseCodes.get

compute.licenseCodes.getIamPolicy

compute.licenseCodes.list

compute.licenses.get

compute.licenses.getIamPolicy

compute.licenses.list

compute.machineImages.get

compute.machineImages.getIamPolicy

compute.machineImages.list

compute.machineTypes.*

compute.maintenancePolicies.get

compute.maintenancePolicies.getIamPolicy

compute.maintenancePolicies.list

compute.networkAttachments.get

compute.networkAttachments.getIamPolicy

compute.networkAttachments.list

compute.networkEdgeSecurityServices.get

compute.networkEdgeSecurityServices.list

compute.networkEndpointGroups.get

compute.networkEndpointGroups.getIamPolicy

compute.networkEndpointGroups.list

compute.networkEndpointGroups.listEffectiveTags

compute.networkEndpointGroups.listTagBindings

compute.networks.get

compute.networks.getEffectiveFirewalls

compute.networks.getRegionEffectiveFirewalls

compute.networks.list

compute.networks.listEffectiveTags

compute.networks.listPeeringRoutes

compute.networks.listTagBindings

compute.nodeGroups.get

compute.nodeGroups.getIamPolicy

compute.nodeGroups.list

compute.nodeTemplates.get

compute.nodeTemplates.getIamPolicy

compute.nodeTemplates.list

compute.nodeTypes.*

compute.organizations.listAssociations

compute.packetMirrorings.get

compute.packetMirrorings.list

compute.projects.get

compute.publicAdvertisedPrefixes.get

compute.publicAdvertisedPrefixes.list

compute.publicDelegatedPrefixes.get

compute.publicDelegatedPrefixes.list

compute.regionBackendServices.get

compute.regionBackendServices.getIamPolicy

compute.regionBackendServices.list

compute.regionBackendServices.listEffectiveTags

compute.regionBackendServices.listTagBindings

compute.regionFirewallPolicies.get

compute.regionFirewallPolicies.getIamPolicy

compute.regionFirewallPolicies.list

compute.regionFirewallPolicies.listEffectiveTags

compute.regionFirewallPolicies.listTagBindings

compute.regionHealthCheckServices.get

compute.regionHealthCheckServices.list

compute.regionHealthChecks.get

compute.regionHealthChecks.list

compute.regionHealthChecks.listEffectiveTags

compute.regionHealthChecks.listTagBindings

compute.regionNetworkEndpointGroups.get

compute.regionNetworkEndpointGroups.list

compute.regionNetworkEndpointGroups.listEffectiveTags

compute.regionNetworkEndpointGroups.listTagBindings

compute.regionNotificationEndpoints.get

compute.regionNotificationEndpoints.list

compute.regionOperations.get

compute.regionOperations.getIamPolicy

compute.regionOperations.list

compute.regionSecurityPolicies.get

compute.regionSecurityPolicies.list

compute.regionSecurityPolicies.listEffectiveTags

compute.regionSecurityPolicies.listTagBindings

compute.regionSslCertificates.get

compute.regionSslCertificates.list

compute.regionSslCertificates.listEffectiveTags

compute.regionSslCertificates.listTagBindings

compute.regionSslPolicies.get

compute.regionSslPolicies.list

compute.regionSslPolicies.listAvailableFeatures

compute.regionTargetHttpProxies.get

compute.regionTargetHttpProxies.list

compute.regionTargetHttpProxies.listEffectiveTags

compute.regionTargetHttpProxies.listTagBindings

compute.regionTargetHttpsProxies.get

compute.regionTargetHttpsProxies.list

compute.regionTargetHttpsProxies.listEffectiveTags

compute.regionTargetHttpsProxies.listTagBindings

compute.regionTargetTcpProxies.get

compute.regionTargetTcpProxies.list

compute.regionUrlMaps.get

compute.regionUrlMaps.list

compute.regionUrlMaps.listEffectiveTags

compute.regionUrlMaps.listTagBindings

compute.regionUrlMaps.validate

compute.regions.*

compute.reservations.get

compute.reservations.list

compute.resourcePolicies.get

compute.resourcePolicies.getIamPolicy

compute.resourcePolicies.list

compute.routers.get

compute.routers.list

compute.routes.get

compute.routes.list

compute.routes.listEffectiveTags

compute.routes.listTagBindings

compute.securityPolicies.get

compute.securityPolicies.getIamPolicy

compute.securityPolicies.list

compute.securityPolicies.listEffectiveTags

compute.securityPolicies.listTagBindings

compute.serviceAttachments.get

compute.serviceAttachments.getIamPolicy

compute.serviceAttachments.list

compute.snapshotSettings.get

compute.snapshots.get

compute.snapshots.getIamPolicy

compute.snapshots.list

compute.snapshots.listEffectiveTags

compute.snapshots.listTagBindings

compute.sslCertificates.get

compute.sslCertificates.list

compute.sslCertificates.listEffectiveTags

compute.sslCertificates.listTagBindings

compute.sslPolicies.get

compute.sslPolicies.list

compute.sslPolicies.listAvailableFeatures

compute.sslPolicies.listEffectiveTags

compute.sslPolicies.listTagBindings

compute.storagePools.get

compute.storagePools.getIamPolicy

compute.storagePools.list

compute.subnetworks.get

compute.subnetworks.getIamPolicy

compute.subnetworks.list

compute.subnetworks.listEffectiveTags

compute.subnetworks.listTagBindings

compute.targetGrpcProxies.get

compute.targetGrpcProxies.list

compute.targetHttpProxies.get

compute.targetHttpProxies.list

compute.targetHttpProxies.listEffectiveTags

compute.targetHttpProxies.listTagBindings

compute.targetHttpsProxies.get

compute.targetHttpsProxies.list

compute.targetHttpsProxies.listEffectiveTags

compute.targetHttpsProxies.listTagBindings

compute.targetInstances.get

compute.targetInstances.list

compute.targetInstances.listEffectiveTags

compute.targetInstances.listTagBindings

compute.targetPools.get

compute.targetPools.list

compute.targetPools.listEffectiveTags

compute.targetPools.listTagBindings

compute.targetSslProxies.get

compute.targetSslProxies.list

compute.targetSslProxies.listEffectiveTags

compute.targetSslProxies.listTagBindings

compute.targetTcpProxies.get

compute.targetTcpProxies.list

compute.targetTcpProxies.listEffectiveTags

compute.targetTcpProxies.listTagBindings

compute.targetVpnGateways.get

compute.targetVpnGateways.list

compute.urlMaps.get

compute.urlMaps.list

compute.urlMaps.listEffectiveTags

compute.urlMaps.listTagBindings

compute.urlMaps.validate

compute.vpnGateways.get

compute.vpnGateways.list

compute.vpnTunnels.get

compute.vpnTunnels.list

compute.zoneOperations.get

compute.zoneOperations.getIamPolicy

compute.zoneOperations.list

compute.zones.*

resourcemanager.projects.get

resourcemanager.projects.list

serviceusage.quotas.get

serviceusage.services.get

serviceusage.services.list

(roles/compute.xpnAdmin)

Permissions to administer shared VPC host projects, specifically enabling the host projects and associating shared VPC service projects to the host project's network.

At the organization level, this role can only be granted by an organization admin.

Google Cloud recommends that the Shared VPC Admin be the owner of the shared VPC host project. The Shared VPC Admin is responsible for granting the Compute Network User role (roles/compute.networkUser) to service owners, and the shared VPC host project owner controls the project itself. Managing the project is easier if a single principal (individual or group) can fulfill both roles.

Lowest-level resources where you can grant this role:

  • Folder

compute.globalOperations.get

compute.globalOperations.list

compute.organizations.administerXpn

compute.organizations.disableXpnHost

compute.organizations.disableXpnResource

compute.organizations.enableXpnHost

compute.organizations.enableXpnResource

compute.projects.get

compute.subnetworks.getIamPolicy

compute.subnetworks.setIamPolicy

resourcemanager.organizations.get

resourcemanager.projects.get

resourcemanager.projects.getIamPolicy

resourcemanager.projects.list

(roles/osconfig.guestPolicyAdmin)

Full admin access to GuestPolicies

osconfig.guestPolicies.*

resourcemanager.projects.get

resourcemanager.projects.list

(roles/osconfig.guestPolicyEditor)

Editor of GuestPolicy resources

osconfig.guestPolicies.get

osconfig.guestPolicies.list

osconfig.guestPolicies.update

resourcemanager.projects.get

resourcemanager.projects.list

(roles/osconfig.guestPolicyViewer)

Viewer of GuestPolicy resources

osconfig.guestPolicies.get

osconfig.guestPolicies.list

resourcemanager.projects.get

resourcemanager.projects.list

(roles/osconfig.instanceOSPoliciesComplianceViewer)

Viewer of OS Policies Compliance of VM instances

osconfig.instanceOSPoliciesCompliances.*

resourcemanager.projects.get

resourcemanager.projects.list

(roles/osconfig.inventoryViewer)

Viewer of OS Inventories

osconfig.inventories.*

resourcemanager.projects.get

resourcemanager.projects.list

(roles/osconfig.osPolicyAssignmentAdmin)

Full admin access to OS Policy Assignments

osconfig.osPolicyAssignments.*

resourcemanager.projects.get

resourcemanager.projects.list

(roles/osconfig.osPolicyAssignmentEditor)

Editor of OS Policy Assignments

osconfig.osPolicyAssignments.get

osconfig.osPolicyAssignments.list

osconfig.osPolicyAssignments.searchPolicies

osconfig.osPolicyAssignments.update

resourcemanager.projects.get

resourcemanager.projects.list

(roles/osconfig.osPolicyAssignmentReportViewer)

Viewer of OS policy assignment reports for VM instances

osconfig.osPolicyAssignmentReports.*

resourcemanager.projects.get

resourcemanager.projects.list

(roles/osconfig.osPolicyAssignmentViewer)

Viewer of OS Policy Assignments

osconfig.osPolicyAssignments.get

osconfig.osPolicyAssignments.list

osconfig.osPolicyAssignments.searchPolicies

resourcemanager.projects.get

resourcemanager.projects.list

(roles/osconfig.patchDeploymentAdmin)

Full admin access to PatchDeployments

osconfig.patchDeployments.*

resourcemanager.projects.get

resourcemanager.projects.list

(roles/osconfig.patchDeploymentViewer)

Viewer of PatchDeployment resources

osconfig.patchDeployments.get

osconfig.patchDeployments.list

resourcemanager.projects.get

resourcemanager.projects.list

(roles/osconfig.patchJobExecutor)

Access to execute Patch Jobs.

osconfig.patchJobs.*

resourcemanager.projects.get

resourcemanager.projects.list

(roles/osconfig.patchJobViewer)

Get and list Patch Jobs.

osconfig.patchJobs.get

osconfig.patchJobs.list

resourcemanager.projects.get

resourcemanager.projects.list

(roles/osconfig.upgradeReportViewer)

Provides read-only access to VM Manager Upgrade Reports

osconfig.upgradeReports.*

resourcemanager.projects.get

resourcemanager.projects.list

(roles/osconfig.vulnerabilityReportViewer)

Viewer of OS VulnerabilityReports

osconfig.vulnerabilityReports.*

resourcemanager.projects.get

resourcemanager.projects.list

Permissions

(roles/containeranalysis.admin)

Access to all Container Analysis resources.

containeranalysis.notes.attachOccurrence

containeranalysis.notes.create

containeranalysis.notes.delete

containeranalysis.notes.get

containeranalysis.notes.getIamPolicy

containeranalysis.notes.list

containeranalysis.notes.setIamPolicy

containeranalysis.notes.update

containeranalysis.occurrences.*

resourcemanager.projects.get

resourcemanager.projects.list

(roles/containeranalysis.notes.attacher)

Can attach Container Analysis Occurrences to Notes.

containeranalysis.notes.attachOccurrence

containeranalysis.notes.get

(roles/containeranalysis.notes.editor)

Can edit Container Analysis Notes.

containeranalysis.notes.attachOccurrence

containeranalysis.notes.create

containeranalysis.notes.delete

containeranalysis.notes.get

containeranalysis.notes.list

containeranalysis.notes.update

resourcemanager.projects.get

resourcemanager.projects.list

(roles/containeranalysis.notes.occurrences.viewer)

Can view all Container Analysis Occurrences attached to a Note.

containeranalysis.notes.get

containeranalysis.notes.listOccurrences

(roles/containeranalysis.notes.viewer)

Can view Container Analysis Notes.

containeranalysis.notes.get

containeranalysis.notes.list

resourcemanager.projects.get

resourcemanager.projects.list

(roles/containeranalysis.occurrences.editor)

Can edit Container Analysis Occurrences.

containeranalysis.occurrences.create

containeranalysis.occurrences.delete

containeranalysis.occurrences.get

containeranalysis.occurrences.list

containeranalysis.occurrences.update

resourcemanager.projects.get

resourcemanager.projects.list

(roles/containeranalysis.occurrences.viewer)

Can view Container Analysis Occurrences.

containeranalysis.occurrences.get

containeranalysis.occurrences.list

resourcemanager.projects.get

resourcemanager.projects.list

Permissions

(roles/datacatalog.admin)

Full access to all DataCatalog resources

bigquery.connections.get

bigquery.connections.updateTag

bigquery.datasets.get

bigquery.datasets.updateTag

bigquery.models.getMetadata

bigquery.models.updateTag

bigquery.routines.get

bigquery.routines.updateTag

bigquery.tables.get

bigquery.tables.updateTag

datacatalog.catalogs.searchAll

datacatalog.categories.getIamPolicy

datacatalog.categories.setIamPolicy

datacatalog.entries.*

datacatalog.entryGroups.*

datacatalog.operations.list

datacatalog.relationships.*

datacatalog.tagTemplates.*

datacatalog.taxonomies.*

pubsub.topics.get

pubsub.topics.updateTag

resourcemanager.projects.get

resourcemanager.projects.list

(roles/datacatalog.categoryAdmin)

Manage taxonomies

datacatalog.categories.getIamPolicy

datacatalog.categories.setIamPolicy

datacatalog.taxonomies.*

resourcemanager.projects.get

resourcemanager.projects.list

(roles/datacatalog.categoryFineGrainedReader)

Read access to sub-resources tagged by a policy tag, for example, BigQuery columns

datacatalog.categories.fineGrainedGet

(roles/datacatalog.dataSteward)

Can update overview and data steward fields

datacatalog.entries.get

datacatalog.entries.list

datacatalog.entries.updateContacts

datacatalog.entries.updateOverview

datacatalog.entryGroups.get

datacatalog.relationships.list

resourcemanager.projects.get

resourcemanager.projects.list

(roles/datacatalog.entryGroupCreator)

Can create new entryGroups

datacatalog.entryGroups.create

datacatalog.entryGroups.get

datacatalog.entryGroups.list

resourcemanager.projects.get

resourcemanager.projects.list

(roles/datacatalog.entryGroupOwner)

Full access to entryGroups

datacatalog.entries.*

datacatalog.entryGroups.*

resourcemanager.projects.get

resourcemanager.projects.list

(roles/datacatalog.entryOwner)

Full access to entries

datacatalog.entries.*

datacatalog.entryGroups.get

resourcemanager.projects.get

resourcemanager.projects.list

(roles/datacatalog.entryViewer)

Read access to entries

datacatalog.entries.get

datacatalog.entries.list

datacatalog.entryGroups.get

datacatalog.relationships.list

resourcemanager.projects.get

resourcemanager.projects.list

(roles/datacatalog.glossaryOwner)

Full access to glossaries

datacatalog.entries.*

datacatalog.relationships.*

(roles/datacatalog.glossaryUser)

Can view glossaries and associate terms to entries

datacatalog.entries.get

datacatalog.entries.list

datacatalog.relationships.*

(roles/datacatalog.searchAdmin)

Can search all metadata for a project/org in DataCatalog

datacatalog.catalogs.searchAll

resourcemanager.organizations.get

resourcemanager.projects.get

resourcemanager.projects.list

(roles/datacatalog.tagEditor)

Access to modify metadata tags for entries, as well as BigQuery and Pub/Sub data assets

bigquery.connections.updateTag

bigquery.datasets.updateTag

bigquery.models.updateTag

bigquery.routines.updateTag

bigquery.tables.updateTag

datacatalog.entries.updateTag

datacatalog.entryGroups.updateTag

pubsub.topics.updateTag

(roles/datacatalog.tagTemplateCreator)

Access to create new tag templates

datacatalog.tagTemplates.create

datacatalog.tagTemplates.get

(roles/datacatalog.tagTemplateOwner)

Full access to tag templates

datacatalog.tagTemplates.*

resourcemanager.projects.get

resourcemanager.projects.list

(roles/datacatalog.tagTemplateUser)

Access to apply a tag template to an entry (to modify tags, see Data Catalog Tag Editor)

datacatalog.tagTemplates.get

datacatalog.tagTemplates.getTag

datacatalog.tagTemplates.use

resourcemanager.projects.get

resourcemanager.projects.list

(roles/datacatalog.tagTemplateViewer)

Read access to templates and tags created using the templates

datacatalog.tagTemplates.get

datacatalog.tagTemplates.getTag

resourcemanager.projects.get

resourcemanager.projects.list

(roles/datacatalog.viewer)

Provides metadata read access to catalogued Google Cloud assets for BigQuery and Pub/Sub

bigquery.connections.get

bigquery.datasets.get

bigquery.models.getMetadata

bigquery.routines.get

bigquery.tables.get

datacatalog.entries.get

datacatalog.entries.list

datacatalog.entryGroups.get

datacatalog.entryGroups.list

datacatalog.operations.list

datacatalog.relationships.list

datacatalog.tagTemplates.get

datacatalog.tagTemplates.getTag

datacatalog.taxonomies.get

datacatalog.taxonomies.list

pubsub.topics.get

resourcemanager.projects.get

resourcemanager.projects.list

Permissions

(roles/dataconnectors.connectorAdmin)

Full access to Data Connectors.

dataconnectors.*

resourcemanager.projects.get

resourcemanager.projects.list

(roles/dataconnectors.connectorUser)

Access to use Data Connectors.

dataconnectors.connectors.get

dataconnectors.connectors.getIamPolicy

dataconnectors.connectors.list

dataconnectors.connectors.use

Permissions

(roles/datamigration.admin)

Full access to all resources of Database Migration.

cloudaicompanion.entitlements.get

datamigration.*

resourcemanager.projects.get

resourcemanager.projects.list

Permissions

(roles/datapipelines.admin)

Administrator of Data pipelines resources

datapipelines.*

resourcemanager.projects.get

resourcemanager.projects.list

(roles/datapipelines.invoker)

Invoker of Data pipelines jobs

datapipelines.pipelines.run

resourcemanager.projects.get

resourcemanager.projects.list

(roles/datapipelines.viewer)

Viewer of Data pipelines resources

datapipelines.jobs.list

datapipelines.pipelines.get

datapipelines.pipelines.list

resourcemanager.projects.get

resourcemanager.projects.list

Permissions

(roles/datastudio.admin)

Data Studio Admin

datastudio.*

resourcemanager.projects.get

resourcemanager.projects.list

(roles/datastudio.contentManager)

Content Manager of a Data Studio resource

datastudio.datasources.get

datastudio.datasources.getIamPolicy

datastudio.datasources.move

datastudio.datasources.restoreTrash

datastudio.datasources.search

datastudio.datasources.settingsShare

datastudio.datasources.share

datastudio.datasources.trash

datastudio.datasources.update

datastudio.reports.get

datastudio.reports.getIamPolicy

datastudio.reports.move

datastudio.reports.restoreTrash

datastudio.reports.search

datastudio.reports.settingsShare

datastudio.reports.share

datastudio.reports.trash

datastudio.reports.update

datastudio.workspaces.createUnder

datastudio.workspaces.get

datastudio.workspaces.getIamPolicy

datastudio.workspaces.moveIn

datastudio.workspaces.search

resourcemanager.projects.get

resourcemanager.projects.getIamPolicy

(roles/datastudio.contributor)

Contributor of a Data Studio resource

datastudio.datasources.get

datastudio.datasources.getIamPolicy

datastudio.datasources.restoreTrash

datastudio.datasources.search

datastudio.datasources.settingsShare

datastudio.datasources.share

datastudio.datasources.update

datastudio.reports.get

datastudio.reports.getIamPolicy

datastudio.reports.restoreTrash

datastudio.reports.search

datastudio.reports.settingsShare

datastudio.reports.share

datastudio.reports.update

datastudio.workspaces.createUnder

datastudio.workspaces.get

datastudio.workspaces.getIamPolicy

datastudio.workspaces.moveIn

datastudio.workspaces.search

resourcemanager.projects.get

resourcemanager.projects.getIamPolicy

(roles/datastudio.editor)

Editor of a Data Studio resource

datastudio.datasources.get

datastudio.datasources.getIamPolicy

datastudio.datasources.search

datastudio.datasources.update

datastudio.reports.get

datastudio.reports.getIamPolicy

datastudio.reports.search

datastudio.reports.update

resourcemanager.projects.get

resourcemanager.projects.getIamPolicy

(roles/datastudio.manager)

Manager of a Data Studio resource

datastudio.*

resourcemanager.projects.get

resourcemanager.projects.getIamPolicy

(roles/datastudio.viewer)

Viewer of a Data Studio resource

datastudio.datasources.get

datastudio.datasources.search

datastudio.reports.get

datastudio.reports.search

resourcemanager.projects.get

(roles/lookerstudio.proManager)

Looker Studio Pro Manager

lookerstudio.pro.manage

resourcemanager.projects.get

resourcemanager.projects.list

resourcemanager.projects.updateLiens

Permissions

(roles/dataflow.admin)

Minimal role for creating and managing Dataflow jobs.

cloudbuild.builds.create

cloudbuild.builds.get

cloudbuild.builds.list

cloudbuild.builds.update

cloudbuild.operations.*

compute.machineTypes.get

compute.projects.get

compute.regions.list

compute.zones.list

dataflow.jobs.*

dataflow.messages.list

dataflow.metrics.get

dataflow.snapshots.*

recommender.dataflowDiagnosticsInsights.*

remotebuildexecution.blobs.get

resourcemanager.projects.get

resourcemanager.projects.list

storage.buckets.get

storage.objects.create

storage.objects.get

storage.objects.list

(roles/dataflow.developer)

Provides the permissions necessary to execute and manipulate Dataflow jobs.

Lowest-level resources where you can grant this role:

  • Project

cloudbuild.builds.create

cloudbuild.builds.get

cloudbuild.builds.list

cloudbuild.builds.update

cloudbuild.operations.*

compute.projects.get

compute.regions.list

compute.zones.list

dataflow.jobs.*

dataflow.messages.list

dataflow.metrics.get

dataflow.snapshots.*

recommender.dataflowDiagnosticsInsights.*

remotebuildexecution.blobs.get

resourcemanager.projects.get

resourcemanager.projects.list

(roles/dataflow.viewer)

Provides read-only access to all Dataflow-related resources.

Lowest-level resources where you can grant this role:

  • Project

dataflow.jobs.get

dataflow.jobs.list

dataflow.messages.list

dataflow.metrics.get

dataflow.snapshots.get

dataflow.snapshots.list

recommender.dataflowDiagnosticsInsights.get

recommender.dataflowDiagnosticsInsights.list

resourcemanager.projects.get

resourcemanager.projects.list

(roles/dataflow.worker)

Provides the permissions necessary for a Compute Engine service account to execute work units for a Dataflow pipeline.

Lowest-level resources where you can grant this role:

  • Project

autoscaling.sites.readRecommendations

autoscaling.sites.writeMetrics

autoscaling.sites.writeState

compute.instanceGroupManagers.update

compute.instances.delete

compute.instances.setDiskAutoDelete

dataflow.jobs.get

dataflow.shuffle.*

dataflow.streamingWorkItems.*

dataflow.workItems.*

logging.logEntries.create

logging.logEntries.route

monitoring.timeSeries.create

storage.buckets.get

storage.objects.create

storage.objects.get

Permissions

(roles/dataform.admin)

Full access to all Dataform resources.

dataform.*

resourcemanager.projects.get

resourcemanager.projects.list

(roles/dataform.codeCreator)

Access only to private and shared code resources. The permissions in the Code Creator role let you create and list code in Dataform, and access only the code that you created and code that was explicitly shared with you.

dataform.locations.*

dataform.repositories.create

dataform.repositories.list

resourcemanager.projects.get

resourcemanager.projects.list

(roles/dataform.codeEditor)

Edit access to code resources.

dataform.locations.*

dataform.repositories.commit

dataform.repositories.computeAccessTokenStatus

dataform.repositories.create

dataform.repositories.fetchHistory

dataform.repositories.fetchRemoteBranches

dataform.repositories.get

dataform.repositories.getIamPolicy

dataform.repositories.list

dataform.repositories.queryDirectoryContents

dataform.repositories.readFile

dataform.workspaces.commit

dataform.workspaces.create

dataform.workspaces.delete

dataform.workspaces.fetchFileDiff

dataform.workspaces.fetchFileGitStatuses

dataform.workspaces.fetchGitAheadBehind

dataform.workspaces.get

dataform.workspaces.getIamPolicy

dataform.workspaces.installNpmPackages

dataform.workspaces.list

dataform.workspaces.makeDirectory

dataform.workspaces.moveDirectory

dataform.workspaces.moveFile

dataform.workspaces.pull

dataform.workspaces.push

dataform.workspaces.queryDirectoryContents

dataform.workspaces.readFile

dataform.workspaces.removeDirectory

dataform.workspaces.removeFile

dataform.workspaces.reset

dataform.workspaces.searchFiles

dataform.workspaces.writeFile

resourcemanager.projects.get

resourcemanager.projects.list

(roles/dataform.codeOwner)

Full access to code resources.

dataform.locations.*

dataform.repositories.*

dataform.workspaces.*

resourcemanager.projects.get

resourcemanager.projects.list

(roles/dataform.codeViewer)

Read-only access to all code resources.

dataform.locations.*

dataform.repositories.computeAccessTokenStatus

dataform.repositories.fetchHistory

dataform.repositories.fetchRemoteBranches

dataform.repositories.get

dataform.repositories.getIamPolicy

dataform.repositories.list

dataform.repositories.queryDirectoryContents

dataform.repositories.readFile

dataform.workspaces.fetchFileDiff

dataform.workspaces.fetchFileGitStatuses

dataform.workspaces.fetchGitAheadBehind

dataform.workspaces.get

dataform.workspaces.getIamPolicy

dataform.workspaces.list

dataform.workspaces.queryDirectoryContents

dataform.workspaces.readFile

dataform.workspaces.searchFiles

resourcemanager.projects.get

resourcemanager.projects.list

(roles/dataform.editor)

Edit access to Workspaces and Read-only access to Repositories.

dataform.compilationResults.*

dataform.locations.*

dataform.releaseConfigs.get

dataform.releaseConfigs.list

dataform.repositories.computeAccessTokenStatus

dataform.repositories.fetchHistory

dataform.repositories.fetchRemoteBranches

dataform.repositories.get

dataform.repositories.getIamPolicy

dataform.repositories.list

dataform.repositories.queryDirectoryContents

dataform.repositories.readFile

dataform.workflowConfigs.get

dataform.workflowConfigs.list

dataform.workflowInvocations.*

dataform.workspaces.commit

dataform.workspaces.create

dataform.workspaces.delete

dataform.workspaces.fetchFileDiff

dataform.workspaces.fetchFileGitStatuses

dataform.workspaces.fetchGitAheadBehind

dataform.workspaces.get

dataform.workspaces.getIamPolicy

dataform.workspaces.installNpmPackages

dataform.workspaces.list

dataform.workspaces.makeDirectory

dataform.workspaces.moveDirectory

dataform.workspaces.moveFile

dataform.workspaces.pull

dataform.workspaces.push

dataform.workspaces.queryDirectoryContents

dataform.workspaces.readFile

dataform.workspaces.removeDirectory

dataform.workspaces.removeFile

dataform.workspaces.reset

dataform.workspaces.searchFiles

dataform.workspaces.writeFile

resourcemanager.projects.get

resourcemanager.projects.list

(roles/dataform.viewer)

Read-only access to all Dataform resources.

dataform.compilationResults.get

dataform.compilationResults.list

dataform.compilationResults.query

dataform.locations.*

dataform.releaseConfigs.get

dataform.releaseConfigs.list

dataform.repositories.computeAccessTokenStatus

dataform.repositories.fetchHistory

dataform.repositories.fetchRemoteBranches

dataform.repositories.get

dataform.repositories.getIamPolicy

dataform.repositories.list

dataform.repositories.queryDirectoryContents

dataform.repositories.readFile

dataform.workflowConfigs.get

dataform.workflowConfigs.list

dataform.workflowInvocations.get

dataform.workflowInvocations.list

dataform.workflowInvocations.query

dataform.workspaces.fetchFileDiff

dataform.workspaces.fetchFileGitStatuses

dataform.workspaces.fetchGitAheadBehind

dataform.workspaces.get

dataform.workspaces.getIamPolicy

dataform.workspaces.list

dataform.workspaces.queryDirectoryContents

dataform.workspaces.readFile

dataform.workspaces.searchFiles

resourcemanager.projects.get

resourcemanager.projects.list

Permissions

(roles/dataprep.projects.user)

Use of Dataprep.

dataprep.projects.use

resourcemanager.projects.get

serviceusage.quotas.get

serviceusage.services.get

serviceusage.services.list

Permissions

(roles/dataproc.admin)

Full control of Dataproc resources.

compute.machineTypes.*

compute.networks.get

compute.networks.list

compute.projects.get

compute.regions.*

compute.zones.*

dataproc.autoscalingPolicies.*

dataproc.batches.*

dataproc.clusters.*

dataproc.jobs.*

dataproc.nodeGroups.*

dataproc.operations.*

dataproc.sessionTemplates.*

dataproc.sessions.*

dataproc.workflowTemplates.*

resourcemanager.projects.get

resourcemanager.projects.list

(roles/dataproc.editor)

Provides the permissions necessary for viewing the resources required to manage Dataproc, including machine types, networks, projects, and zones.

Lowest-level resources where you can grant this role:

  • Cluster

compute.machineTypes.*

compute.networks.get

compute.networks.list

compute.projects.get

compute.regions.*

compute.zones.*

dataproc.autoscalingPolicies.create

dataproc.autoscalingPolicies.delete

dataproc.autoscalingPolicies.get

dataproc.autoscalingPolicies.list

dataproc.autoscalingPolicies.update

dataproc.autoscalingPolicies.use

dataproc.batches.*

dataproc.clusters.create

dataproc.clusters.delete

dataproc.clusters.get

dataproc.clusters.list

dataproc.clusters.start

dataproc.clusters.stop

dataproc.clusters.update

dataproc.clusters.use

dataproc.jobs.cancel

dataproc.jobs.create

dataproc.jobs.delete

dataproc.jobs.get

dataproc.jobs.list

dataproc.jobs.update

dataproc.nodeGroups.*

dataproc.operations.cancel

dataproc.operations.delete

dataproc.operations.get

dataproc.operations.list

dataproc.sessionTemplates.*

dataproc.sessions.*

dataproc.workflowTemplates.create

dataproc.workflowTemplates.delete

dataproc.workflowTemplates.get

dataproc.workflowTemplates.instantiate

dataproc.workflowTemplates.instantiateInline

dataproc.workflowTemplates.list

dataproc.workflowTemplates.update

resourcemanager.projects.get

resourcemanager.projects.list

(roles/dataproc.hubAgent)

Allows management of Dataproc resources. Intended for service accounts running Dataproc Hub instances.

compute.instances.get

compute.instances.setMetadata

compute.instances.setTags

compute.zoneOperations.get

compute.zones.list

dataproc.autoscalingPolicies.get

dataproc.autoscalingPolicies.list

dataproc.autoscalingPolicies.use

dataproc.clusters.create

dataproc.clusters.delete

dataproc.clusters.get

dataproc.clusters.list

dataproc.clusters.update

dataproc.operations.cancel

dataproc.operations.delete

dataproc.operations.get

dataproc.operations.list

iam.serviceAccounts.actAs

iam.serviceAccounts.get

iam.serviceAccounts.list

logging.buckets.get

logging.buckets.list

logging.exclusions.get

logging.exclusions.list

logging.links.get

logging.links.list

logging.locations.*

logging.logEntries.create

logging.logEntries.list

logging.logEntries.route

logging.logMetrics.get

logging.logMetrics.list

logging.logServiceIndexes.list

logging.logServices.list

logging.logs.list

logging.operations.get

logging.operations.list

logging.queries.create

logging.queries.delete

logging.queries.get

logging.queries.list

logging.queries.listShared

logging.queries.update

logging.sinks.get

logging.sinks.list

logging.usage.get

logging.views.get

logging.views.list

resourcemanager.projects.get

resourcemanager.projects.list

storage.buckets.get

storage.objects.get

storage.objects.list

(roles/dataproc.viewer)

Provides read-only access to Dataproc resources.

Lowest-level resources where you can grant this role:

  • Cluster

compute.machineTypes.get

compute.regions.*

compute.zones.*

dataproc.autoscalingPolicies.get

dataproc.autoscalingPolicies.list

dataproc.batches.get

dataproc.batches.list

dataproc.clusters.get

dataproc.clusters.list

dataproc.jobs.get

dataproc.jobs.list

dataproc.nodeGroups.get

dataproc.operations.get

dataproc.operations.list

dataproc.sessionTemplates.get

dataproc.sessionTemplates.list

dataproc.sessions.get

dataproc.sessions.list

dataproc.workflowTemplates.get

dataproc.workflowTemplates.list

resourcemanager.projects.get

resourcemanager.projects.list

(roles/dataproc.worker)

Provides worker access to Dataproc resources. Intended for service accounts.

dataproc.agents.*

dataproc.tasks.*

logging.logEntries.create

logging.logEntries.route

monitoring.metricDescriptors.create

monitoring.metricDescriptors.get

monitoring.metricDescriptors.list

monitoring.monitoredResourceDescriptors.*

monitoring.timeSeries.create

storage.buckets.get

storage.managedFolders.create

storage.managedFolders.delete

storage.managedFolders.get

storage.managedFolders.list

storage.multipartUploads.*

storage.objects.*

Permissions

(roles/metastore.admin)

Full access to all Dataproc Metastore resources.

metastore.backups.*

metastore.federations.*

metastore.imports.*

metastore.locations.*

metastore.operations.*

metastore.services.create

metastore.services.delete

metastore.services.export

metastore.services.get

metastore.services.getIamPolicy

metastore.services.list

metastore.services.restore

metastore.services.setIamPolicy

metastore.services.update

resourcemanager.projects.get

resourcemanager.projects.list

(roles/metastore.editor)

Read and write access to all Dataproc Metastore resources.

metastore.backups.create

metastore.backups.delete

metastore.backups.get

metastore.backups.list

metastore.backups.use

metastore.federations.create

metastore.federations.delete

metastore.federations.get

metastore.federations.list

metastore.federations.update

metastore.imports.*

metastore.locations.*

metastore.operations.*

metastore.services.create

metastore.services.delete

metastore.services.export

metastore.services.get

metastore.services.getIamPolicy

metastore.services.list

metastore.services.restore

metastore.services.update

resourcemanager.projects.get

resourcemanager.projects.list

(roles/metastore.federationAccessor)

Access to the Metastore Federation resource.

metastore.federations.use

(roles/metastore.metadataEditor)

Access to read and modify the metadata of databases and tables under those databases.

metastore.databases.create

metastore.databases.delete

metastore.databases.get

metastore.databases.getIamPolicy

metastore.databases.list

metastore.databases.update

metastore.services.get

metastore.services.use

metastore.tables.create

metastore.tables.delete

metastore.tables.get

metastore.tables.getIamPolicy

metastore.tables.list

metastore.tables.update

(roles/metastore.metadataMutateAdmin)

Access to mutate metadata from a Dataproc Metastore service's underlying metadata store.

metastore.services.mutateMetadata

(roles/metastore.metadataOperator)

Read-only access to Dataproc Metastore resources with additional metadata operations permission.

metastore.backups.create

metastore.backups.delete

metastore.backups.get

metastore.backups.list

metastore.backups.use

metastore.imports.*

metastore.locations.*

metastore.operations.get

metastore.operations.list

metastore.services.export

metastore.services.get

metastore.services.getIamPolicy

metastore.services.list

metastore.services.restore

resourcemanager.projects.get

resourcemanager.projects.list

(roles/metastore.metadataOwner)

Full access to the metadata of databases and tables under those databases.

metastore.databases.*

metastore.services.get

metastore.services.getIamPolicy

metastore.services.list

metastore.services.use

metastore.tables.*

(roles/metastore.metadataQueryAdmin)

Access to query metadata from a Dataproc Metastore service's underlying metadata store.

metastore.services.queryMetadata

(roles/metastore.metadataUser)

Access to the Dataproc Metastore gRPC endpoint

metastore.databases.get

metastore.databases.list

metastore.services.get

metastore.services.use

(roles/metastore.metadataViewer)

Access to read the metadata of databases and tables under those databases

metastore.databases.get

metastore.databases.getIamPolicy

metastore.databases.list

metastore.services.get

metastore.services.use

metastore.tables.get

metastore.tables.getIamPolicy

metastore.tables.list

(roles/metastore.user)

Read-only access to all Dataproc Metastore resources.

metastore.backups.get

metastore.backups.list

metastore.federations.get

metastore.federations.getIamPolicy

metastore.federations.list

metastore.imports.get

metastore.imports.list

metastore.locations.*

metastore.operations.get

metastore.operations.list

metastore.services.export

metastore.services.get

metastore.services.getIamPolicy

metastore.services.list

resourcemanager.projects.get

resourcemanager.projects.list

Permissions

(roles/datastore.backupSchedulesAdmin)

Manage backup schedules in Cloud Datastore.

datastore.backupSchedules.*

datastore.databases.getMetadata

datastore.databases.list

(roles/datastore.backupSchedulesViewer)

Read access to backup schedules in Cloud Datastore.

datastore.backupSchedules.get

datastore.backupSchedules.list

(roles/datastore.backupsAdmin)

Read/write access to metadata about backups in Cloud Datastore, but restore is not allowed.

datastore.backups.delete

datastore.backups.get

datastore.backups.list

(roles/datastore.backupsViewer)

Read access to metadata about backups in Cloud Datastore.

datastore.backups.get

datastore.backups.list

(roles/datastore.importExportAdmin)

Provides full access to manage imports and exports.

Lowest-level resources where you can grant this role:

  • Project

appengine.applications.get

datastore.databases.export

datastore.databases.getMetadata

datastore.databases.import

datastore.operations.cancel

datastore.operations.get

datastore.operations.list

resourcemanager.projects.get

resourcemanager.projects.list

(roles/datastore.indexAdmin)

Provides full access to manage index definitions.

Lowest-level resources where you can grant this role:

  • Project

appengine.applications.get

datastore.databases.getMetadata

datastore.indexes.*

resourcemanager.projects.get

resourcemanager.projects.list

(roles/datastore.keyVisualizerViewer)

Full access to Key Visualizer scans.

datastore.databases.getMetadata

datastore.keyVisualizerScans.*

resourcemanager.projects.get

resourcemanager.projects.list

(roles/datastore.owner)

Provides full access to Datastore resources.

Lowest-level resources where you can grant this role:

  • Project

appengine.applications.get

datastore.*

resourcemanager.projects.get

resourcemanager.projects.list

(roles/datastore.restoreAdmin)

Restore into Cloud Datastore Databases from Cloud Datastore Backups.

datastore.backups.get

datastore.backups.list

datastore.backups.restoreDatabase

datastore.databases.create

datastore.databases.getMetadata

datastore.databases.list

datastore.operations.get

datastore.operations.list

(roles/datastore.user)

Provides read/write access to data in a Datastore database.

Lowest-level resources where you can grant this role:

  • Project

appengine.applications.get

datastore.databases.get

datastore.databases.getMetadata

datastore.databases.list

datastore.entities.*

datastore.indexes.list

datastore.namespaces.*

datastore.statistics.*

resourcemanager.projects.get

resourcemanager.projects.list

(roles/datastore.viewer)

Provides read access to Datastore resources.

Lowest-level resources where you can grant this role:

  • Project

appengine.applications.get

datastore.databases.get

datastore.databases.getMetadata

datastore.databases.list

datastore.entities.get

datastore.entities.list

datastore.indexes.get

datastore.indexes.list

datastore.namespaces.*

datastore.statistics.*

resourcemanager.projects.get

resourcemanager.projects.list

Permissions

(roles/datastream.admin)

Full access to all Datastream resources.

datastream.*

resourcemanager.projects.get

resourcemanager.projects.list

(roles/datastream.viewer)

Read-only access to all Datastream resources.

datastream.connectionProfiles.destinationTypes

datastream.connectionProfiles.discover

datastream.connectionProfiles.get

datastream.connectionProfiles.getIamPolicy

datastream.connectionProfiles.list

datastream.connectionProfiles.listEffectiveTags

datastream.connectionProfiles.listStaticServiceIps

datastream.connectionProfiles.listTagBindings

datastream.connectionProfiles.sourceTypes

datastream.locations.*

datastream.objects.get

datastream.objects.list

datastream.operations.get

datastream.operations.list

datastream.privateConnections.get

datastream.privateConnections.getIamPolicy

datastream.privateConnections.list

datastream.privateConnections.listEffectiveTags

datastream.privateConnections.listTagBindings

datastream.routes.get

datastream.routes.getIamPolicy

datastream.routes.list

datastream.streams.fetchErrors

datastream.streams.get

datastream.streams.getIamPolicy

datastream.streams.list

datastream.streams.listEffectiveTags

datastream.streams.listTagBindings

resourcemanager.projects.get

resourcemanager.projects.list

Permissions

(roles/deploymentmanager.editor)

Provides the permissions necessary to create and manage deployments.

Lowest-level resources where you can grant this role:

  • Project

deploymentmanager.compositeTypes.*

deploymentmanager.deployments.cancelPreview

deploymentmanager.deployments.create

deploymentmanager.deployments.delete

deploymentmanager.deployments.get

deploymentmanager.deployments.list

deploymentmanager.deployments.stop

deploymentmanager.deployments.update

deploymentmanager.manifests.*

deploymentmanager.operations.*

deploymentmanager.resources.*

deploymentmanager.typeProviders.*

deploymentmanager.types.*

resourcemanager.projects.get

resourcemanager.projects.list

serviceusage.quotas.get

serviceusage.services.get

serviceusage.services.list

(roles/deploymentmanager.typeEditor)

Provides read and write access to all Type Registry resources.

Lowest-level resources where you can grant this role:

  • Project

deploymentmanager.compositeTypes.*

deploymentmanager.operations.get

deploymentmanager.typeProviders.*

deploymentmanager.types.*

resourcemanager.projects.get

resourcemanager.projects.list

serviceusage.quotas.get

serviceusage.services.get

(roles/deploymentmanager.typeViewer)

Provides read-only access to all Type Registry resources.

Lowest-level resources where you can grant this role:

  • Project

deploymentmanager.compositeTypes.get

deploymentmanager.compositeTypes.list

deploymentmanager.typeProviders.get

deploymentmanager.typeProviders.getType

deploymentmanager.typeProviders.list

deploymentmanager.typeProviders.listTypes

deploymentmanager.types.get

deploymentmanager.types.list

resourcemanager.projects.get

resourcemanager.projects.list

serviceusage.quotas.get

serviceusage.services.get

(roles/deploymentmanager.viewer)

Provides read-only access to all Deployment Manager-related resources.

Lowest-level resources where you can grant this role:

  • Project

deploymentmanager.compositeTypes.get

deploymentmanager.compositeTypes.list

deploymentmanager.deployments.get

deploymentmanager.deployments.list

deploymentmanager.manifests.*

deploymentmanager.operations.*

deploymentmanager.resources.*

deploymentmanager.typeProviders.get

deploymentmanager.typeProviders.getType

deploymentmanager.typeProviders.list

deploymentmanager.typeProviders.listTypes

deploymentmanager.types.get

deploymentmanager.types.list

resourcemanager.projects.get

resourcemanager.projects.list

serviceusage.quotas.get

serviceusage.services.get

serviceusage.services.list

Permissions

(roles/dialogflow.aamAdmin)

An admin has access to all resources and can perform all administrative actions in an AAM project.

dialogflow.agents.export

dialogflow.agents.get

dialogflow.agents.list

dialogflow.agents.search

dialogflow.agents.searchResources

dialogflow.answerrecords.get

dialogflow.answerrecords.list

dialogflow.callMatchers.list

dialogflow.changelogs.*

dialogflow.contexts.get

dialogflow.contexts.list

dialogflow.conversationDatasets.get

dialogflow.conversationDatasets.list

dialogflow.conversationModels.get

dialogflow.conversationModels.list

dialogflow.conversationProfiles.get

dialogflow.conversationProfiles.list

dialogflow.conversations.get

dialogflow.conversations.list

dialogflow.deployments.*

dialogflow.documents.get

dialogflow.documents.list

dialogflow.encryptionspec.get

dialogflow.entityTypes.get

dialogflow.entityTypes.list

dialogflow.environments.get

dialogflow.environments.list

dialogflow.examples.get

dialogflow.examples.list

dialogflow.experiments.get

dialogflow.experiments.list

dialogflow.flows.get

dialogflow.flows.list

dialogflow.fulfillments.get

dialogflow.generators.get

dialogflow.generators.list

dialogflow.integrations.get

dialogflow.integrations.list

dialogflow.intents.get

dialogflow.intents.list

dialogflow.knowledgeBases.get

dialogflow.knowledgeBases.list

dialogflow.messages.list

dialogflow.modelEvaluations.*

dialogflow.operations.get

dialogflow.pages.get

dialogflow.pages.list

dialogflow.participants.get

dialogflow.participants.list

dialogflow.phoneNumberOrders.get

dialogflow.phoneNumberOrders.list

dialogflow.phoneNumbers.list

dialogflow.playbooks.get

dialogflow.playbooks.list

dialogflow.securitySettings.get

dialogflow.securitySettings.list

dialogflow.sessionEntityTypes.get

dialogflow.sessionEntityTypes.list

dialogflow.smartMessagingEntries.get

dialogflow.smartMessagingEntries.list

dialogflow.testcases.get

dialogflow.testcases.list

dialogflow.tools.get

dialogflow.tools.list

dialogflow.transitionRouteGroups.get

dialogflow.transitionRouteGroups.list

dialogflow.versions.get

dialogflow.versions.list

dialogflow.webhooks.get

dialogflow.webhooks.list

resourcemanager.projects.get

resourcemanager.projects.list

(roles/dialogflow.aamConversationalArchitect)

A Conversational Architect can label conversational data, approve taxonomy changes and design virtual agents for a customer's use cases.

dialogflow.agents.export

dialogflow.agents.get

dialogflow.agents.list

dialogflow.agents.search

dialogflow.agents.searchResources

dialogflow.answerrecords.get

dialogflow.answerrecords.list

dialogflow.callMatchers.list

dialogflow.changelogs.*

dialogflow.contexts.get

dialogflow.contexts.list

dialogflow.conversationDatasets.get

dialogflow.conversationDatasets.list

dialogflow.conversationModels.get

dialogflow.conversationModels.list

dialogflow.conversationProfiles.get

dialogflow.conversationProfiles.list

dialogflow.conversations.get

dialogflow.conversations.list

dialogflow.deployments.*

dialogflow.documents.get

dialogflow.documents.list

dialogflow.encryptionspec.get

dialogflow.entityTypes.get

dialogflow.entityTypes.list

dialogflow.environments.get

dialogflow.environments.list

dialogflow.examples.get

dialogflow.examples.list

dialogflow.experiments.get

dialogflow.experiments.list

dialogflow.flows.get

dialogflow.flows.list

dialogflow.fulfillments.get

dialogflow.generators.get

dialogflow.generators.list

dialogflow.integrations.get

dialogflow.integrations.list

dialogflow.intents.get

dialogflow.intents.list

dialogflow.knowledgeBases.get

dialogflow.knowledgeBases.list

dialogflow.messages.list

dialogflow.modelEvaluations.*

dialogflow.operations.get

dialogflow.pages.get

dialogflow.pages.list

dialogflow.participants.get

dialogflow.participants.list

dialogflow.phoneNumberOrders.get

dialogflow.phoneNumberOrders.list

dialogflow.phoneNumbers.list

dialogflow.playbooks.get

dialogflow.playbooks.list

dialogflow.securitySettings.get

dialogflow.securitySettings.list

dialogflow.sessionEntityTypes.get

dialogflow.sessionEntityTypes.list

dialogflow.smartMessagingEntries.get

dialogflow.smartMessagingEntries.list

dialogflow.testcases.get

dialogflow.testcases.list

dialogflow.tools.get

dialogflow.tools.list

dialogflow.transitionRouteGroups.get

dialogflow.transitionRouteGroups.list

dialogflow.versions.get

dialogflow.versions.list

dialogflow.webhooks.get

dialogflow.webhooks.list

resourcemanager.projects.get

resourcemanager.projects.list

(roles/dialogflow.aamDialogDesigner)

A Dialog Designer can label conversational data and propose taxonomy changes for virtual agent modeling.

dialogflow.agents.export

dialogflow.agents.get

dialogflow.agents.list

dialogflow.agents.search

dialogflow.agents.searchResources

dialogflow.answerrecords.get

dialogflow.answerrecords.list

dialogflow.callMatchers.list

dialogflow.changelogs.*

dialogflow.contexts.get

dialogflow.contexts.list

dialogflow.conversationDatasets.get

dialogflow.conversationDatasets.list

dialogflow.conversationModels.get

dialogflow.conversationModels.list

dialogflow.conversationProfiles.get

dialogflow.conversationProfiles.list

dialogflow.conversations.get

dialogflow.conversations.list

dialogflow.deployments.*

dialogflow.documents.get

dialogflow.documents.list

dialogflow.encryptionspec.get

dialogflow.entityTypes.get

dialogflow.entityTypes.list

dialogflow.environments.get

dialogflow.environments.list

dialogflow.examples.get

dialogflow.examples.list

dialogflow.experiments.get

dialogflow.experiments.list

dialogflow.flows.get

dialogflow.flows.list

dialogflow.fulfillments.get

dialogflow.generators.get

dialogflow.generators.list

dialogflow.integrations.get

dialogflow.integrations.list

dialogflow.intents.get

dialogflow.intents.list

dialogflow.knowledgeBases.get

dialogflow.knowledgeBases.list

dialogflow.messages.list

dialogflow.modelEvaluations.*

dialogflow.operations.get

dialogflow.pages.get

dialogflow.pages.list

dialogflow.participants.get

dialogflow.participants.list

dialogflow.phoneNumberOrders.get

dialogflow.phoneNumberOrders.list

dialogflow.phoneNumbers.list

dialogflow.playbooks.get

dialogflow.playbooks.list

dialogflow.securitySettings.get

dialogflow.securitySettings.list

dialogflow.sessionEntityTypes.get

dialogflow.sessionEntityTypes.list

dialogflow.smartMessagingEntries.get

dialogflow.smartMessagingEntries.list

dialogflow.testcases.get

dialogflow.testcases.list

dialogflow.tools.get

dialogflow.tools.list

dialogflow.transitionRouteGroups.get

dialogflow.transitionRouteGroups.list

dialogflow.versions.get

dialogflow.versions.list

dialogflow.webhooks.get

dialogflow.webhooks.list

resourcemanager.projects.get

resourcemanager.projects.list

(roles/dialogflow.aamLeadDialogDesigner)

A Dialog Designer Lead can label conversational data and approve taxonomy changes for virtual agent modeling.

dialogflow.agents.export

dialogflow.agents.get

dialogflow.agents.list

dialogflow.agents.search

dialogflow.agents.searchResources

dialogflow.answerrecords.get

dialogflow.answerrecords.list

dialogflow.callMatchers.list

dialogflow.changelogs.*

dialogflow.contexts.get

dialogflow.contexts.list

dialogflow.conversationDatasets.get

dialogflow.conversationDatasets.list

dialogflow.conversationModels.get

dialogflow.conversationModels.list

dialogflow.conversationProfiles.get

dialogflow.conversationProfiles.list

dialogflow.conversations.get

dialogflow.conversations.list

dialogflow.deployments.*

dialogflow.documents.get

dialogflow.documents.list

dialogflow.encryptionspec.get

dialogflow.entityTypes.get

dialogflow.entityTypes.list

dialogflow.environments.get

dialogflow.environments.list

dialogflow.examples.get

dialogflow.examples.list

dialogflow.experiments.get

dialogflow.experiments.list

dialogflow.flows.get

dialogflow.flows.list

dialogflow.fulfillments.get

dialogflow.generators.get

dialogflow.generators.list

dialogflow.integrations.get

dialogflow.integrations.list

dialogflow.intents.get

dialogflow.intents.list

dialogflow.knowledgeBases.get

dialogflow.knowledgeBases.list

dialogflow.messages.list

dialogflow.modelEvaluations.*

dialogflow.operations.get

dialogflow.pages.get

dialogflow.pages.list

dialogflow.participants.get

dialogflow.participants.list

dialogflow.phoneNumberOrders.get

dialogflow.phoneNumberOrders.list

dialogflow.phoneNumbers.list

dialogflow.playbooks.get

dialogflow.playbooks.list

dialogflow.securitySettings.get

dialogflow.securitySettings.list

dialogflow.sessionEntityTypes.get

dialogflow.sessionEntityTypes.list

dialogflow.smartMessagingEntries.get

dialogflow.smartMessagingEntries.list

dialogflow.testcases.get

dialogflow.testcases.list

dialogflow.tools.get

dialogflow.tools.list

dialogflow.transitionRouteGroups.get

dialogflow.transitionRouteGroups.list

dialogflow.versions.get

dialogflow.versions.list

dialogflow.webhooks.get

dialogflow.webhooks.list

resourcemanager.projects.get

resourcemanager.projects.list

(roles/dialogflow.aamViewer)

A user can view the taxonomy and data reports in an AAM project.

dialogflow.agents.export

dialogflow.agents.get

dialogflow.agents.list

dialogflow.agents.search

dialogflow.agents.searchResources

dialogflow.answerrecords.get

dialogflow.answerrecords.list

dialogflow.callMatchers.list

dialogflow.changelogs.*

dialogflow.contexts.get

dialogflow.contexts.list

dialogflow.conversationDatasets.get

dialogflow.conversationDatasets.list

dialogflow.conversationModels.get

dialogflow.conversationModels.list

dialogflow.conversationProfiles.get

dialogflow.conversationProfiles.list

dialogflow.conversations.get

dialogflow.conversations.list

dialogflow.deployments.*

dialogflow.documents.get

dialogflow.documents.list

dialogflow.encryptionspec.get

dialogflow.entityTypes.get

dialogflow.entityTypes.list

dialogflow.environments.get

dialogflow.environments.list

dialogflow.examples.get

dialogflow.examples.list

dialogflow.experiments.get

dialogflow.experiments.list

dialogflow.flows.get

dialogflow.flows.list

dialogflow.fulfillments.get

dialogflow.generators.get

dialogflow.generators.list

dialogflow.integrations.get

dialogflow.integrations.list

dialogflow.intents.get

dialogflow.intents.list

dialogflow.knowledgeBases.get

dialogflow.knowledgeBases.list

dialogflow.messages.list

dialogflow.modelEvaluations.*

dialogflow.operations.get

dialogflow.pages.get

dialogflow.pages.list

dialogflow.participants.get

dialogflow.participants.list

dialogflow.phoneNumberOrders.get

dialogflow.phoneNumberOrders.list

dialogflow.phoneNumbers.list

dialogflow.playbooks.get

dialogflow.playbooks.list

dialogflow.securitySettings.get

dialogflow.securitySettings.list

dialogflow.sessionEntityTypes.get

dialogflow.sessionEntityTypes.list

dialogflow.smartMessagingEntries.get

dialogflow.smartMessagingEntries.list

dialogflow.testcases.get

dialogflow.testcases.list

dialogflow.tools.get

dialogflow.tools.list

dialogflow.transitionRouteGroups.get

dialogflow.transitionRouteGroups.list

dialogflow.versions.get

dialogflow.versions.list

dialogflow.webhooks.get

dialogflow.webhooks.list

resourcemanager.projects.get

resourcemanager.projects.list

(roles/dialogflow.admin)

Grant to Dialogflow API admins that need full access to Dialogflow-specific resources. Also see Dialogflow access control.

Lowest-level resources where you can grant this role:

  • Project

dialogflow.*

resourcemanager.projects.get

(roles/dialogflow.agentAssistClient)

Can create and handle live conversations using Agent Assist features.

dialogflow.answerrecords.*

dialogflow.conversationModels.get

dialogflow.conversationModels.list

dialogflow.conversationProfiles.get

dialogflow.conversationProfiles.list

dialogflow.conversations.*

dialogflow.documents.get

dialogflow.documents.list

dialogflow.generators.get

dialogflow.knowledgeBases.get

dialogflow.knowledgeBases.list

dialogflow.messages.list

dialogflow.participants.*

dialogflow.sessions.detectIntent

(roles/dialogflow.client)

Grant to Dialogflow API clients that perform Dialogflow-specific edits and detect intent calls using the API. Also see Dialogflow access control.

Lowest-level resources where you can grant this role:

  • Project

dialogflow.contexts.*

dialogflow.conversations.*

dialogflow.environments.runContinuousTest

dialogflow.messages.list

dialogflow.participants.*

dialogflow.sessionEntityTypes.*

dialogflow.sessions.*

(roles/dialogflow.consoleAgentEditor)

Grant to Dialogflow Console editors that edit existing agents. Also see Dialogflow access control.

Lowest-level resources where you can grant this role:

  • Project

actions.agentVersions.create

dialogflow.*

resourcemanager.projects.get

(roles/dialogflow.consoleSimulatorUser)

Can query Dialogflow suggestions in the simulator in the web console.

dialogflow.conversationModels.get

dialogflow.conversationModels.list

dialogflow.conversationProfiles.get

dialogflow.conversationProfiles.list

dialogflow.conversations.*

dialogflow.documents.get

dialogflow.documents.list

dialogflow.knowledgeBases.get

dialogflow.knowledgeBases.list

dialogflow.participants.*

dialogflow.sessions.detectIntent

resourcemanager.projects.get

resourcemanager.projects.list

(roles/dialogflow.consoleSmartMessagingAllowlistEditor)

Can edit the allowlist for smart messaging associated with a conversation model in the Agent Assist console.

dialogflow.conversationDatasets.get

dialogflow.conversationDatasets.list

dialogflow.conversationModels.get

dialogflow.conversationModels.list

dialogflow.conversationProfiles.list

dialogflow.documents.get

dialogflow.documents.list

dialogflow.operations.get

dialogflow.smartMessagingEntries.*

resourcemanager.projects.get

resourcemanager.projects.list

(roles/dialogflow.conversationManager)

Can manage all the resources related to Dialogflow Conversations.

dialogflow.conversationProfiles.*

dialogflow.conversations.*

dialogflow.participants.*

(roles/dialogflow.entityTypeAdmin)

Can read & write entity types.

dialogflow.entityTypes.*

(roles/dialogflow.environmentEditor)

Can read & update an environment and its sub-resources.

dialogflow.deployments.*

dialogflow.environments.get

dialogflow.environments.getHistory

dialogflow.environments.list

dialogflow.environments.lookupHistory

dialogflow.environments.runContinuousTest

dialogflow.environments.update

dialogflow.experiments.*

(roles/dialogflow.flowEditor)

Can read & update a flow and its sub-resources.

dialogflow.flows.get

dialogflow.flows.list

dialogflow.flows.train

dialogflow.flows.update

dialogflow.flows.validate

dialogflow.pages.*

dialogflow.transitionRouteGroups.*

dialogflow.versions.*

(roles/dialogflow.integrationManager)

Can add, remove, enable and disable Dialogflow integrations.

dialogflow.integrations.*

(roles/dialogflow.intentAdmin)

Can read & write intents.

dialogflow.intents.*

(roles/dialogflow.reader)

Grant to Dialogflow API clients that perform Dialogflow-specific read-only calls using the API. Also see Dialogflow access control.

Lowest-level resources where you can grant this role:

  • Project

dialogflow.agents.export

dialogflow.agents.get

dialogflow.agents.list

dialogflow.agents.search

dialogflow.agents.searchResources

dialogflow.answerrecords.get

dialogflow.answerrecords.list

dialogflow.callMatchers.list

dialogflow.changelogs.*

dialogflow.contexts.get

dialogflow.contexts.list

dialogflow.conversationDatasets.get

dialogflow.conversationDatasets.list

dialogflow.conversationModels.get

dialogflow.conversationModels.list

dialogflow.conversationProfiles.get

dialogflow.conversationProfiles.list

dialogflow.conversations.get

dialogflow.conversations.list

dialogflow.deployments.*

dialogflow.documents.get

dialogflow.documents.list

dialogflow.encryptionspec.get

dialogflow.entityTypes.get

dialogflow.entityTypes.list

dialogflow.environments.get

dialogflow.environments.list

dialogflow.examples.get

dialogflow.examples.list

dialogflow.experiments.get

dialogflow.experiments.list

dialogflow.flows.get

dialogflow.flows.list

dialogflow.fulfillments.get

dialogflow.generators.get

dialogflow.generators.list

dialogflow.integrations.get

dialogflow.integrations.list

dialogflow.intents.get

dialogflow.intents.list

dialogflow.knowledgeBases.get

dialogflow.knowledgeBases.list

dialogflow.messages.list

dialogflow.modelEvaluations.*

dialogflow.operations.get

dialogflow.pages.get

dialogflow.pages.list

dialogflow.participants.get

dialogflow.participants.list

dialogflow.phoneNumberOrders.get

dialogflow.phoneNumberOrders.list

dialogflow.phoneNumbers.list

dialogflow.playbooks.get

dialogflow.playbooks.list

dialogflow.securitySettings.get

dialogflow.securitySettings.list

dialogflow.sessionEntityTypes.get

dialogflow.sessionEntityTypes.list

dialogflow.smartMessagingEntries.get

dialogflow.smartMessagingEntries.list

dialogflow.testcases.get

dialogflow.testcases.list

dialogflow.tools.get

dialogflow.tools.list

dialogflow.transitionRouteGroups.get

dialogflow.transitionRouteGroups.list

dialogflow.versions.get

dialogflow.versions.list

dialogflow.webhooks.get

dialogflow.webhooks.list

resourcemanager.projects.get

(roles/dialogflow.testCaseAdmin)

Can read & write test cases.

dialogflow.testcases.*

(roles/dialogflow.webhookAdmin)

Can read & write webhooks.

dialogflow.webhooks.*

Permissions

(roles/dns.admin)

Provides read-write access to all Cloud DNS resources.

Lowest-level resources where you can grant this role:

  • Managed zone

compute.networks.get

compute.networks.list

dns.changes.*

dns.dnsKeys.*

dns.gkeClusters.*

dns.managedZoneOperations.*

dns.managedZones.create

dns.managedZones.delete

dns.managedZones.get

dns.managedZones.getIamPolicy

dns.managedZones.list

dns.managedZones.update

dns.networks.*

dns.policies.create

dns.policies.delete

dns.policies.get

dns.policies.getIamPolicy

dns.policies.list

dns.policies.update

dns.projects.get

dns.resourceRecordSets.*

dns.responsePolicies.*

dns.responsePolicyRules.*

resourcemanager.projects.get

resourcemanager.projects.list

(roles/dns.peer)

Access to target networks with DNS peering zones

dns.networks.targetWithPeeringZone

(roles/dns.reader)

Provides read-only access to all Cloud DNS resources.

Lowest-level resources where you can grant this role:

  • Managed zone

compute.networks.get

dns.changes.get

dns.changes.list

dns.dnsKeys.*

dns.managedZoneOperations.*

dns.managedZones.get

dns.managedZones.list

dns.policies.get

dns.policies.list

dns.projects.get

dns.resourceRecordSets.get

dns.resourceRecordSets.list

dns.responsePolicies.get

dns.responsePolicies.list

dns.responsePolicyRules.get

dns.responsePolicyRules.list

resourcemanager.projects.get

resourcemanager.projects.list

Permissions

(roles/documentai.admin)

Grants full access to all resources in Document AI

documentai.*

resourcemanager.projects.get

resourcemanager.projects.list

(roles/documentai.apiUser)

Grants access to process documents in Document AI

documentai.humanReviewConfigs.review

documentai.operations.getLegacy

documentai.processorVersions.processBatch

documentai.processorVersions.processOnline

documentai.processors.processBatch

documentai.processors.processOnline

(roles/documentai.editor)

Grants access to use all resources in Document AI

documentai.*

resourcemanager.projects.get

resourcemanager.projects.list

(roles/documentai.viewer)

Grants access to view all resources and process documents in Document AI

documentai.dataLabelingJobs.list

documentai.datasetSchemas.get

documentai.datasets.get

documentai.datasets.getDocuments

documentai.datasets.listDocuments

documentai.evaluationDocuments.get

documentai.evaluations.get

documentai.evaluations.list

documentai.humanReviewConfigs.get

documentai.humanReviewConfigs.review

documentai.labelerPools.get

documentai.labelerPools.list

documentai.locations.*

documentai.operations.getLegacy

documentai.processedDocumentsSets.*

documentai.processorTypes.*

documentai.processorVersions.get

documentai.processorVersions.list

documentai.processorVersions.processBatch

documentai.processorVersions.processOnline

documentai.processors.fetchHumanReviewDetails

documentai.processors.get

documentai.processors.list

documentai.processors.processBatch

documentai.processors.processOnline

resourcemanager.projects.get

resourcemanager.projects.list

Permissions

(roles/earthengine.admin)

Full access to all Earth Engine resource features

earthengine.*

resourcemanager.projects.get

resourcemanager.projects.list

(roles/earthengine.appsPublisher)

Publisher of Earth Engine Apps

iam.serviceAccounts.create

iam.serviceAccounts.disable

iam.serviceAccounts.enable

iam.serviceAccounts.get

iam.serviceAccounts.getIamPolicy

iam.serviceAccounts.setIamPolicy

resourcemanager.projects.get

serviceusage.services.get

(roles/earthengine.viewer)

Viewer of all Earth Engine resources

earthengine.assets.get

earthengine.assets.getIamPolicy

earthengine.assets.list

earthengine.computations.create

earthengine.config.get

earthengine.filmstripthumbnails.get

earthengine.maps.get

earthengine.operations.get

earthengine.operations.list

earthengine.tables.get

earthengine.thumbnails.get

earthengine.videothumbnails.get

resourcemanager.projects.get

resourcemanager.projects.list

(roles/earthengine.writer)

Writer of all Earth Engine resources

earthengine.assets.create

earthengine.assets.delete

earthengine.assets.get

earthengine.assets.getIamPolicy

earthengine.assets.list

earthengine.assets.update

earthengine.computations.create

earthengine.config.*

earthengine.exports.create

earthengine.featureviews.create

earthengine.filmstripthumbnails.*

earthengine.imports.create

earthengine.maps.*

earthengine.operations.*

earthengine.tables.*

earthengine.thumbnails.*

earthengine.videothumbnails.*

resourcemanager.projects.get

resourcemanager.projects.list

Permissions

(roles/edgecontainer.admin)

Full access to all Edge Container resources.

edgecontainer.*

resourcemanager.projects.get

resourcemanager.projects.list

(roles/edgecontainer.machineUser)

Access to use Edge Container Machine resources.

edgecontainer.machines.get

edgecontainer.machines.getIamPolicy

edgecontainer.machines.list

edgecontainer.machines.use

resourcemanager.projects.get

resourcemanager.projects.list

(roles/edgecontainer.offlineCredentialUser)

Access to get Edge Container cluster offline credentials

edgecontainer.clusters.generateOfflineCredential

resourcemanager.projects.get

resourcemanager.projects.list

(roles/edgecontainer.viewer)

Read-only access to all Edge Container resources.

edgecontainer.clusters.generateAccessToken

edgecontainer.clusters.get

edgecontainer.clusters.getIamPolicy

edgecontainer.clusters.list

edgecontainer.locations.*

edgecontainer.machines.get

edgecontainer.machines.getIamPolicy

edgecontainer.machines.list

edgecontainer.nodePools.get

edgecontainer.nodePools.getIamPolicy

edgecontainer.nodePools.list

edgecontainer.operations.get

edgecontainer.operations.list

edgecontainer.serverconfig.get

edgecontainer.vpnConnections.get

edgecontainer.vpnConnections.getIamPolicy

edgecontainer.vpnConnections.list

resourcemanager.projects.get

resourcemanager.projects.list

Permissions

(roles/edgenetwork.admin)

Full access to all Edge Network resources.

edgenetwork.*

resourcemanager.projects.get

resourcemanager.projects.list

(roles/edgenetwork.viewer)

Read-only access to all Edge Network resources.

edgenetwork.interconnectAttachments.get

edgenetwork.interconnectAttachments.getIamPolicy

edgenetwork.interconnectAttachments.list

edgenetwork.interconnects.get

edgenetwork.interconnects.getDiagnostics

edgenetwork.interconnects.getIamPolicy

edgenetwork.interconnects.list

edgenetwork.locations.*

edgenetwork.networks.get

edgenetwork.networks.getIamPolicy

edgenetwork.networks.getStatus

edgenetwork.networks.list

edgenetwork.operations.get

edgenetwork.operations.list

edgenetwork.routers.get

edgenetwork.routers.getIamPolicy

edgenetwork.routers.getRouterStatus

edgenetwork.routers.list

edgenetwork.routes.get

edgenetwork.routes.list

edgenetwork.subnetworks.get

edgenetwork.subnetworks.getIamPolicy

edgenetwork.subnetworks.getStatus

edgenetwork.subnetworks.list

edgenetwork.zones.get

edgenetwork.zones.list

resourcemanager.projects.get

resourcemanager.projects.list

Permissions

(roles/enterpriseknowledgegraph.admin)

Administrator of Enterprise Knowledge Graph resources

enterpriseknowledgegraph.*

resourcemanager.projects.get

resourcemanager.projects.list

(roles/enterpriseknowledgegraph.editor)

Editor of Enterprise Knowledge Graph resources

enterpriseknowledgegraph.*

resourcemanager.projects.get

resourcemanager.projects.list

(roles/enterpriseknowledgegraph.viewer)

Viewer of Enterprise Knowledge Graph resources

enterpriseknowledgegraph.cloudKnowledgeGraphEntities.*

enterpriseknowledgegraph.entityReconciliationJobs.get

enterpriseknowledgegraph.entityReconciliationJobs.list

enterpriseknowledgegraph.publicKnowledgeGraphEntities.*

resourcemanager.projects.get

resourcemanager.projects.list

Permissions

(roles/errorreporting.admin)

Provides full access to Error Reporting data.

Lowest-level resources where you can grant this role:

  • Project

cloudnotifications.activities.list

errorreporting.*

logging.notificationRules.*

resourcemanager.projects.get

resourcemanager.projects.list

stackdriver.projects.get

(roles/errorreporting.user)

Provides the permissions to read and write Error Reporting data, except for sending new error events.

Lowest-level resources where you can grant this role:

  • Project

cloudnotifications.activities.list

errorreporting.applications.list

errorreporting.errorEvents.delete

errorreporting.errorEvents.list

errorreporting.groupMetadata.*

errorreporting.groups.list

logging.notificationRules.*

resourcemanager.projects.get

resourcemanager.projects.list

stackdriver.projects.get

(roles/errorreporting.viewer)

Provides read-only access to Error Reporting data.

Lowest-level resources where you can grant this role:

  • Project

cloudnotifications.activities.list

errorreporting.applications.list

errorreporting.errorEvents.list

errorreporting.groupMetadata.get

errorreporting.groups.list

logging.notificationRules.get

logging.notificationRules.list

resourcemanager.projects.get

resourcemanager.projects.list

stackdriver.projects.get

(roles/errorreporting.writer)

Provides the permissions to send error events to Error Reporting.

Lowest-level resources where you can grant this role:

  • Service Account

errorreporting.errorEvents.create

Permissions

(roles/eventarc.admin)

Full control over all Eventarc resources.

Lowest-level resources where you can grant this role:

  • Project

eventarc.*

resourcemanager.projects.get

resourcemanager.projects.list

(roles/eventarc.connectionPublisher)

Can publish events to Eventarc channel connections.

Lowest-level resources where you can grant this role:

  • Project

eventarc.channelConnections.get

eventarc.channelConnections.list

eventarc.channelConnections.publish

resourcemanager.projects.get

resourcemanager.projects.list

(roles/eventarc.developer)

Access to read and write Eventarc resources.

Lowest-level resources where you can grant this role:

  • Project

eventarc.channelConnections.create

eventarc.channelConnections.delete

eventarc.channelConnections.get

eventarc.channelConnections.getIamPolicy

eventarc.channelConnections.list

eventarc.channelConnections.publish

eventarc.channels.attach

eventarc.channels.create

eventarc.channels.delete

eventarc.channels.get

eventarc.channels.getIamPolicy

eventarc.channels.list

eventarc.channels.publish

eventarc.channels.undelete

eventarc.channels.update

eventarc.googleChannelConfigs.*

eventarc.locations.*

eventarc.operations.*

eventarc.providers.*

eventarc.triggers.create

eventarc.triggers.delete

eventarc.triggers.get

eventarc.triggers.getIamPolicy

eventarc.triggers.list

eventarc.triggers.undelete

eventarc.triggers.update

resourcemanager.projects.get

resourcemanager.projects.list

(roles/eventarc.eventReceiver)

Can receive events from all event providers.

Lowest-level resources where you can grant this role:

  • Project

eventarc.events.*

(roles/eventarc.publisher)

Can publish events to Eventarc channels.

Lowest-level resources where you can grant this role:

  • Project

eventarc.channels.get

eventarc.channels.list

eventarc.channels.publish

resourcemanager.projects.get

resourcemanager.projects.list

(roles/eventarc.viewer)

Can view the state of all Eventarc resources, including IAM policies.

Lowest-level resources where you can grant this role:

  • Project

eventarc.channelConnections.get

eventarc.channelConnections.getIamPolicy

eventarc.channelConnections.list

eventarc.channels.get

eventarc.channels.getIamPolicy

eventarc.channels.list

eventarc.googleChannelConfigs.get

eventarc.locations.*

eventarc.operations.get

eventarc.operations.list

eventarc.providers.*

eventarc.triggers.get

eventarc.triggers.getIamPolicy

eventarc.triggers.list

resourcemanager.projects.get

resourcemanager.projects.list

Permissions

(roles/firebase.admin)

Full access to Firebase products.

apikeys.keys.get

apikeys.keys.getKeyString

apikeys.keys.list

apikeys.keys.lookup

appengine.applications.get

automl.*

clientauthconfig.brands.get

clientauthconfig.brands.list

clientauthconfig.brands.update

clientauthconfig.clients.create

clientauthconfig.clients.delete

clientauthconfig.clients.get

clientauthconfig.clients.list

clientauthconfig.clients.update

cloudbuild.builds.get

cloudbuild.builds.list

cloudbuild.operations.*

cloudconfig.*

cloudfunctions.*

cloudmessaging.messages.create

cloudnotifications.activities.list

cloudtestservice.environmentcatalog.get

cloudtestservice.matrices.*

cloudtoolresults.*

datastore.*

errorreporting.groups.list

eventarc.*

fcmdata.deliverydata.list

firebase.*

firebaseabt.*

firebaseanalytics.*

firebaseappcheck.*

firebaseappdistro.*

firebaseauth.*

firebasecrash.*

firebasecrashlytics.*

firebasedatabase.*

firebasedynamiclinks.*

firebaseextensions.*

firebaseextensionspublisher.*

firebasehosting.*

firebaseinappmessaging.*

firebasemessagingcampaigns.*

firebaseml.*

firebasenotifications.*

firebaseperformance.*

firebaserules.*

firebasestorage.*

logging.logEntries.list

monitoring.timeSeries.list

oauthconfig.verification.get

orgpolicy.policy.get

recommender.cloudFunctionsPerformanceInsights.*

recommender.cloudFunctionsPerformanceRecommendations.*

recommender.iamPolicyInsights.*

recommender.iamPolicyRecommendations.*

recommender.locations.*

recommender.runServiceCostInsights.*

recommender.runServiceCostRecommendations.*

recommender.runServiceIdentityInsights.*

recommender.runServiceIdentityRecommendations.*

recommender.runServicePerformanceInsights.*

recommender.runServicePerformanceRecommendations.*

recommender.runServiceSecurityInsights.*

recommender.runServiceSecurityRecommendations.*

remotebuildexecution.blobs.get

resourcemanager.projects.get

resourcemanager.projects.getIamPolicy

resourcemanager.projects.list

run.*

runtimeconfig.configs.create

runtimeconfig.configs.delete

runtimeconfig.configs.get

runtimeconfig.configs.list

runtimeconfig.configs.update

runtimeconfig.operations.*

runtimeconfig.variables.create

runtimeconfig.variables.delete

runtimeconfig.variables.get

runtimeconfig.variables.list

runtimeconfig.variables.update

runtimeconfig.variables.watch

runtimeconfig.waiters.create

runtimeconfig.waiters.delete

runtimeconfig.waiters.get

runtimeconfig.waiters.list

runtimeconfig.waiters.update

serviceusage.operations.get

serviceusage.operations.list

serviceusage.quotas.get

serviceusage.services.get

serviceusage.services.list

storage.anywhereCaches.*

storage.bucketOperations.*

storage.buckets.*

storage.managedFolders.*

storage.multipartUploads.*

storage.objects.*

(roles/firebase.analyticsAdmin)

Full access to Google Analytics for Firebase.

cloudnotifications.activities.list

firebase.billingPlans.get

firebase.clients.get

firebase.clients.list

firebase.links.list

firebase.playLinks.get

firebase.playLinks.list

firebase.projects.get

firebaseanalytics.*

firebaseextensions.configs.list

resourcemanager.projects.get

resourcemanager.projects.getIamPolicy

resourcemanager.projects.list

(roles/firebase.analyticsViewer)

Read access to Google Analytics for Firebase.

cloudnotifications.activities.list

firebase.billingPlans.get

firebase.clients.get

firebase.clients.list

firebase.links.list

firebase.playLinks.get

firebase.playLinks.list

firebase.projects.get

firebaseanalytics.resources.googleAnalyticsReadAndAnalyze

firebaseextensions.configs.list

resourcemanager.projects.get

resourcemanager.projects.getIamPolicy

resourcemanager.projects.list

(roles/firebase.developAdmin)

Full access to Firebase Develop products and Analytics.

apikeys.keys.get

apikeys.keys.getKeyString

apikeys.keys.list

apikeys.keys.lookup

appengine.applications.get

automl.*

clientauthconfig.brands.get

clientauthconfig.brands.list

clientauthconfig.brands.update

clientauthconfig.clients.get

clientauthconfig.clients.list

cloudbuild.builds.get

cloudbuild.builds.list

cloudbuild.operations.*

cloudfunctions.*

cloudnotifications.activities.list

datastore.*

errorreporting.groups.list

eventarc.*

firebase.billingPlans.get

firebase.clients.get

firebase.clients.list

firebase.links.list

firebase.playLinks.get

firebase.playLinks.list

firebase.projects.get

firebaseanalytics.*

firebaseappcheck.*

firebaseauth.*

firebasedatabase.*

firebaseextensions.configs.list

firebasehosting.*

firebaseml.*

firebaserules.*

firebasestorage.*

logging.logEntries.list

monitoring.timeSeries.list

oauthconfig.verification.get

orgpolicy.policy.get

recommender.cloudFunctionsPerformanceInsights.*

recommender.cloudFunctionsPerformanceRecommendations.*

recommender.iamPolicyInsights.*

recommender.iamPolicyRecommendations.*

recommender.locations.*

recommender.runServiceCostInsights.*

recommender.runServiceCostRecommendations.*

recommender.runServiceIdentityInsights.*

recommender.runServiceIdentityRecommendations.*

recommender.runServicePerformanceInsights.*

recommender.runServicePerformanceRecommendations.*

recommender.runServiceSecurityInsights.*

recommender.runServiceSecurityRecommendations.*

remotebuildexecution.blobs.get

resourcemanager.projects.get

resourcemanager.projects.getIamPolicy

resourcemanager.projects.list

run.*

runtimeconfig.configs.create

runtimeconfig.configs.delete

runtimeconfig.configs.get

runtimeconfig.configs.list

runtimeconfig.configs.update

runtimeconfig.operations.*

runtimeconfig.variables.create

runtimeconfig.variables.delete

runtimeconfig.variables.get

runtimeconfig.variables.list

runtimeconfig.variables.update

runtimeconfig.variables.watch

runtimeconfig.waiters.create

runtimeconfig.waiters.delete

runtimeconfig.waiters.get

runtimeconfig.waiters.list

runtimeconfig.waiters.update

serviceusage.operations.get

serviceusage.operations.list

serviceusage.quotas.get

serviceusage.services.get

serviceusage.services.list

storage.anywhereCaches.*

storage.bucketOperations.*

storage.buckets.*

storage.managedFolders.*

storage.multipartUploads.*

storage.objects.*

(roles/firebase.developViewer)

Read access to Firebase Develop products and Analytics.

automl.annotationSpecs.get

automl.annotationSpecs.list

automl.annotations.list

automl.columnSpecs.get

automl.columnSpecs.list

automl.datasets.get

automl.datasets.list

automl.examples.get

automl.examples.list

automl.files.list

automl.humanAnnotationTasks.get

automl.humanAnnotationTasks.list

automl.locations.get

automl.locations.list

automl.modelEvaluations.get

automl.modelEvaluations.list

automl.models.get

automl.models.list

automl.operations.get

automl.operations.list

automl.tableSpecs.get

automl.tableSpecs.list

clientauthconfig.brands.get

clientauthconfig.brands.list

cloudbuild.builds.get

cloudbuild.builds.list

cloudbuild.operations.*

cloudfunctions.functions.get

cloudfunctions.functions.getIamPolicy

cloudfunctions.functions.list

cloudfunctions.locations.list

cloudfunctions.operations.*

cloudnotifications.activities.list

datastore.databases.get

datastore.databases.getMetadata

datastore.databases.list

datastore.entities.get

datastore.entities.list

datastore.indexes.get

datastore.indexes.list

datastore.namespaces.*

datastore.statistics.*

errorreporting.groups.list

eventarc.channelConnections.get

eventarc.channelConnections.getIamPolicy

eventarc.channelConnections.list

eventarc.channels.get

eventarc.channels.getIamPolicy

eventarc.channels.list

eventarc.googleChannelConfigs.get

eventarc.locations.*

eventarc.operations.get

eventarc.operations.list

eventarc.providers.*

eventarc.triggers.get

eventarc.triggers.getIamPolicy

eventarc.triggers.list

firebase.billingPlans.get

firebase.clients.get

firebase.clients.list

firebase.links.list

firebase.playLinks.get

firebase.playLinks.list

firebase.projects.get

firebaseanalytics.resources.googleAnalyticsReadAndAnalyze

firebaseappcheck.appAttestConfig.get

firebaseappcheck.debugTokens.get

firebaseappcheck.deviceCheckConfig.get

firebaseappcheck.playIntegrityConfig.get

firebaseappcheck.recaptchaEnterpriseConfig.get

firebaseappcheck.recaptchaV3Config.get

firebaseappcheck.resourcePolicies.get

firebaseappcheck.safetyNetConfig.get

firebaseappcheck.services.get

firebaseauth.configs.get

firebaseauth.users.get

firebasedatabase.instances.get

firebasedatabase.instances.list

firebaseextensions.configs.list

firebasehosting.sites.get

firebasehosting.sites.list

firebaseml.models.get

firebaseml.models.list

firebaseml.modelversions.get

firebaseml.modelversions.list

firebaserules.releases.get

firebaserules.releases.list

firebaserules.rulesets.get

firebaserules.rulesets.list

firebasestorage.buckets.get

firebasestorage.buckets.list

firebasestorage.defaultBucket.get

logging.logEntries.list

monitoring.timeSeries.list

oauthconfig.verification.get

recommender.cloudFunctionsPerformanceInsights.get

recommender.cloudFunctionsPerformanceInsights.list

recommender.cloudFunctionsPerformanceRecommendations.get

recommender.cloudFunctionsPerformanceRecommendations.list

recommender.locations.*

recommender.runServiceCostInsights.get

recommender.runServiceCostInsights.list

recommender.runServiceCostRecommendations.get

recommender.runServiceCostRecommendations.list

recommender.runServiceIdentityInsights.get

recommender.runServiceIdentityInsights.list

recommender.runServiceIdentityRecommendations.get

recommender.runServiceIdentityRecommendations.list

recommender.runServicePerformanceInsights.get

recommender.runServicePerformanceInsights.list

recommender.runServicePerformanceRecommendations.get

recommender.runServicePerformanceRecommendations.list

recommender.runServiceSecurityInsights.get

recommender.runServiceSecurityInsights.list

recommender.runServiceSecurityRecommendations.get

recommender.runServiceSecurityRecommendations.list

remotebuildexecution.blobs.get

resourcemanager.projects.get

resourcemanager.projects.getIamPolicy

resourcemanager.projects.list

run.configurations.*

run.executions.get

run.executions.list

run.jobs.get

run.jobs.getIamPolicy

run.jobs.list

run.jobs.listEffectiveTags

run.jobs.listTagBindings

run.locations.list

run.operations.get

run.operations.list

run.revisions.get

run.revisions.list

run.routes.get

run.routes.list

run.services.get

run.services.getIamPolicy

run.services.list

run.services.listEffectiveTags

run.services.listTagBindings

run.tasks.*

serviceusage.operations.get

serviceusage.operations.list

serviceusage.quotas.get

serviceusage.services.get

serviceusage.services.list

storage.buckets.get

storage.buckets.getIamPolicy

storage.buckets.list

storage.objects.get

storage.objects.getIamPolicy

storage.objects.list

(roles/firebase.growthAdmin)

Full access to Firebase Grow products and Analytics.

clientauthconfig.clients.get

clientauthconfig.clients.list

cloudconfig.*

cloudmessaging.messages.create

cloudnotifications.activities.list

fcmdata.deliverydata.list

firebase.billingPlans.get

firebase.clients.get

firebase.clients.list

firebase.links.list

firebase.playLinks.get

firebase.playLinks.list

firebase.projects.get

firebaseabt.*

firebaseanalytics.*

firebasedynamiclinks.*

firebaseextensions.configs.list

firebaseinappmessaging.*

firebasemessagingcampaigns.*

firebasenotifications.*

monitoring.timeSeries.list

resourcemanager.projects.get

resourcemanager.projects.getIamPolicy

resourcemanager.projects.list

serviceusage.operations.get

serviceusage.operations.list

serviceusage.quotas.get

serviceusage.services.get

serviceusage.services.list

(roles/firebase.growthViewer)

Read access to Firebase Grow products and Analytics.

cloudconfig.configs.get

cloudnotifications.activities.list

fcmdata.deliverydata.list

firebase.billingPlans.get

firebase.clients.get

firebase.clients.list

firebase.links.list

firebase.playLinks.get

firebase.playLinks.list

firebase.projects.get

firebaseabt.experimentresults.get

firebaseabt.experiments.get

firebaseabt.experiments.list

firebaseabt.projectmetadata.get

firebaseanalytics.resources.googleAnalyticsReadAndAnalyze

firebasedynamiclinks.destinations.list

firebasedynamiclinks.domains.get

firebasedynamiclinks.domains.list

firebasedynamiclinks.links.get

firebasedynamiclinks.links.list

firebasedynamiclinks.stats.get

firebaseextensions.configs.list

firebaseinappmessaging.campaigns.get

firebaseinappmessaging.campaigns.list

firebasemessagingcampaigns.campaigns.get

firebasemessagingcampaigns.campaigns.list

firebasenotifications.messages.get

firebasenotifications.messages.list

monitoring.timeSeries.list

resourcemanager.projects.get

resourcemanager.projects.getIamPolicy

resourcemanager.projects.list

serviceusage.operations.get

serviceusage.operations.list

serviceusage.quotas.get

serviceusage.services.get

serviceusage.services.list

(roles/firebase.qualityAdmin)

Full access to Firebase Quality products and Analytics.

cloudnotifications.activities.list

firebase.billingPlans.get

firebase.clients.get

firebase.clients.list

firebase.links.list

firebase.playLinks.get

firebase.playLinks.list

firebase.projects.get

firebaseanalytics.*

firebaseappdistro.*

firebasecrash.*

firebasecrashlytics.*

firebaseextensions.configs.list

firebaseperformance.*

monitoring.timeSeries.list

resourcemanager.projects.get

resourcemanager.projects.getIamPolicy

resourcemanager.projects.list

serviceusage.operations.get

serviceusage.operations.list

serviceusage.quotas.get

serviceusage.services.get

serviceusage.services.list

(roles/firebase.qualityViewer)

Read access to Firebase Quality products and Analytics.

cloudnotifications.activities.list

firebase.billingPlans.get

firebase.clients.get

firebase.clients.list

firebase.links.list

firebase.playLinks.get

firebase.playLinks.list

firebase.projects.get

firebaseanalytics.resources.googleAnalyticsReadAndAnalyze

firebaseappdistro.groups.list

firebaseappdistro.releases.list

firebaseappdistro.testers.list

firebasecrash.reports.get

firebasecrashlytics.config.get

firebasecrashlytics.data.get

firebasecrashlytics.issues.get

firebasecrashlytics.issues.list

firebasecrashlytics.sessions.get

firebaseextensions.configs.list

firebaseperformance.data.get

monitoring.timeSeries.list

resourcemanager.projects.get

resourcemanager.projects.getIamPolicy

resourcemanager.projects.list

serviceusage.operations.get

serviceusage.operations.list

serviceusage.quotas.get

serviceusage.services.get

serviceusage.services.list

(roles/firebase.sdkAdminServiceAgent)

Read and write access to Firebase products available in the Admin SDK

appengine.applications.get

cloudconfig.*

cloudmessaging.messages.create

datastore.databases.get

datastore.databases.getMetadata

datastore.databases.list

datastore.entities.*

datastore.indexes.get

datastore.indexes.list

datastore.namespaces.*

datastore.statistics.*

firebase.clients.*

firebase.projects.get

firebase.projects.update

firebaseappcheck.*

firebaseauth.configs.create

firebaseauth.configs.get

firebaseauth.configs.getSecret

firebaseauth.configs.update

firebaseauth.users.*

firebasedatabase.*

firebasehosting.*

firebaseml.*

firebasenotifications.*

firebaserules.releases.get

firebaserules.releases.list

firebaserules.releases.update

firebaserules.rulesets.create

firebaserules.rulesets.delete

firebaserules.rulesets.get

firebaserules.rulesets.list

identitytoolkit.*

orgpolicy.policy.get

resourcemanager.projects.get

resourcemanager.projects.list

resourcemanager.projects.update

storage.buckets.create

storage.buckets.delete

storage.buckets.get

storage.buckets.list

storage.buckets.update

storage.managedFolders.create

storage.managedFolders.delete

storage.managedFolders.get

storage.managedFolders.list

storage.multipartUploads.*

storage.objects.*

(roles/firebase.sdkProvisioningServiceAgent)

Access to provision apps with the Admin SDK.

apikeys.keys.list

clientauthconfig.clients.list

cloudmessaging.messages.create

firebase.clients.create

servicemanagement.services.bind

serviceusage.services.enable

serviceusage.services.get

(roles/firebase.viewer)

Read-only access to Firebase products.

automl.annotationSpecs.get

automl.annotationSpecs.list

automl.annotations.list

automl.columnSpecs.get

automl.columnSpecs.list

automl.datasets.get

automl.datasets.list

automl.examples.get

automl.examples.list

automl.files.list

automl.humanAnnotationTasks.get

automl.humanAnnotationTasks.list

automl.locations.get

automl.locations.list

automl.modelEvaluations.get

automl.modelEvaluations.list

automl.models.get

automl.models.list

automl.operations.get

automl.operations.list

automl.tableSpecs.get

automl.tableSpecs.list

clientauthconfig.brands.get

clientauthconfig.brands.list

cloudbuild.builds.get

cloudbuild.builds.list

cloudbuild.operations.*

cloudconfig.configs.get

cloudfunctions.functions.get

cloudfunctions.functions.getIamPolicy

cloudfunctions.functions.list

cloudfunctions.locations.list

cloudfunctions.operations.*

cloudnotifications.activities.list

cloudtestservice.environmentcatalog.get

cloudtestservice.matrices.get

cloudtoolresults.executions.get

cloudtoolresults.executions.list

cloudtoolresults.histories.get

cloudtoolresults.histories.list

cloudtoolresults.settings.get

cloudtoolresults.steps.get

cloudtoolresults.steps.list

datastore.databases.get

datastore.databases.getMetadata

datastore.databases.list

datastore.entities.get

datastore.entities.list

datastore.indexes.get

datastore.indexes.list

datastore.namespaces.*

datastore.statistics.*

errorreporting.groups.list

eventarc.channelConnections.get

eventarc.channelConnections.getIamPolicy

eventarc.channelConnections.list

eventarc.channels.get

eventarc.channels.getIamPolicy

eventarc.channels.list

eventarc.googleChannelConfigs.get

eventarc.locations.*

eventarc.operations.get

eventarc.operations.list

eventarc.providers.*

eventarc.triggers.get

eventarc.triggers.getIamPolicy

eventarc.triggers.list

fcmdata.deliverydata.list

firebase.billingPlans.get

firebase.clients.get

firebase.clients.list

firebase.links.list

firebase.playLinks.get

firebase.playLinks.list

firebase.projects.get

firebaseabt.experimentresults.get

firebaseabt.experiments.get

firebaseabt.experiments.list

firebaseabt.projectmetadata.get

firebaseanalytics.resources.googleAnalyticsReadAndAnalyze

firebaseappcheck.appAttestConfig.get

firebaseappcheck.debugTokens.get

firebaseappcheck.deviceCheckConfig.get

firebaseappcheck.playIntegrityConfig.get

firebaseappcheck.recaptchaEnterpriseConfig.get

firebaseappcheck.recaptchaV3Config.get

firebaseappcheck.resourcePolicies.get

firebaseappcheck.safetyNetConfig.get

firebaseappcheck.services.get

firebaseappdistro.groups.list

firebaseappdistro.releases.list

firebaseappdistro.testers.list

firebaseauth.configs.get

firebaseauth.users.get

firebasecrash.reports.get

firebasecrashlytics.config.get

firebasecrashlytics.data.get

firebasecrashlytics.issues.get

firebasecrashlytics.issues.list

firebasecrashlytics.sessions.get

firebasedatabase.instances.get

firebasedatabase.instances.list

firebasedynamiclinks.destinations.list

firebasedynamiclinks.domains.get

firebasedynamiclinks.domains.list

firebasedynamiclinks.links.get

firebasedynamiclinks.links.list

firebasedynamiclinks.stats.get

firebaseextensions.configs.list

firebaseextensionspublisher.extensions.get

firebaseextensionspublisher.extensions.list

firebasehosting.sites.get

firebasehosting.sites.list

firebaseinappmessaging.campaigns.get

firebaseinappmessaging.campaigns.list

firebasemessagingcampaigns.campaigns.get

firebasemessagingcampaigns.campaigns.list

firebaseml.models.get

firebaseml.models.list

firebaseml.modelversions.get

firebaseml.modelversions.list

firebasenotifications.messages.get

firebasenotifications.messages.list

firebaseperformance.data.get

firebaserules.releases.get

firebaserules.releases.list

firebaserules.rulesets.get

firebaserules.rulesets.list

firebasestorage.buckets.get

firebasestorage.buckets.list

firebasestorage.defaultBucket.get

logging.logEntries.list

monitoring.timeSeries.list

oauthconfig.verification.get

recommender.cloudFunctionsPerformanceInsights.get

recommender.cloudFunctionsPerformanceInsights.list

recommender.cloudFunctionsPerformanceRecommendations.get

recommender.cloudFunctionsPerformanceRecommendations.list

recommender.locations.*

recommender.runServiceCostInsights.get

recommender.runServiceCostInsights.list

recommender.runServiceCostRecommendations.get

recommender.runServiceCostRecommendations.list

recommender.runServiceIdentityInsights.get

recommender.runServiceIdentityInsights.list

recommender.runServiceIdentityRecommendations.get

recommender.runServiceIdentityRecommendations.list

recommender.runServicePerformanceInsights.get

recommender.runServicePerformanceInsights.list

recommender.runServicePerformanceRecommendations.get

recommender.runServicePerformanceRecommendations.list

recommender.runServiceSecurityInsights.get

recommender.runServiceSecurityInsights.list

recommender.runServiceSecurityRecommendations.get

recommender.runServiceSecurityRecommendations.list

remotebuildexecution.blobs.get

resourcemanager.projects.get

resourcemanager.projects.getIamPolicy

resourcemanager.projects.list

run.configurations.*

run.executions.get

run.executions.list

run.jobs.get

run.jobs.getIamPolicy

run.jobs.list

run.jobs.listEffectiveTags

run.jobs.listTagBindings

run.locations.list

run.operations.get

run.operations.list

run.revisions.get

run.revisions.list

run.routes.get

run.routes.list

run.services.get

run.services.getIamPolicy

run.services.list

run.services.listEffectiveTags

run.services.listTagBindings

run.tasks.*

serviceusage.operations.get

serviceusage.operations.list

serviceusage.quotas.get

serviceusage.services.get

serviceusage.services.list

storage.buckets.get

storage.buckets.getIamPolicy

storage.buckets.list

storage.objects.get

storage.objects.getIamPolicy

storage.objects.list

(roles/firebaseappcheck.serviceAgent)

Grants Firebase App Check Service Account access to consumer app attestation resources, such as reCAPTCHA Enterprise and Play Integrity API.

recaptchaenterprise.assessments.*

serviceusage.services.use

(roles/firebasemods.serviceAgent)

Grants Firebase Extensions API Service Account access to manage resources.

appengine.applications.get

artifactregistry.packages.delete

cloudfunctions.functions.getIamPolicy

cloudfunctions.functions.setIamPolicy

cloudtasks.locations.*

cloudtasks.queues.*

cloudtasks.tasks.create

cloudtasks.tasks.fullView

deploymentmanager.compositeTypes.*

deploymentmanager.deployments.cancelPreview

deploymentmanager.deployments.create

deploymentmanager.deployments.delete

deploymentmanager.deployments.get

deploymentmanager.deployments.list

deploymentmanager.deployments.stop

deploymentmanager.deployments.update

deploymentmanager.manifests.*

deploymentmanager.operations.*

deploymentmanager.resources.*

deploymentmanager.typeProviders.*

deploymentmanager.types.*

eventarc.channels.create

eventarc.channels.delete

eventarc.channels.get

eventarc.channels.setIamPolicy

iam.serviceAccounts.actAs

iam.serviceAccounts.create

iam.serviceAccounts.get

iam.serviceAccounts.list

resourcemanager.projects.get

resourcemanager.projects.list

resourcemanager.projects.updateLiens

run.services.getIamPolicy

run.services.setIamPolicy

serviceusage.quotas.get

serviceusage.services.enable

serviceusage.services.get

serviceusage.services.list

Permissions

(roles/cloudconfig.admin)

Full access to Firebase Remote Config resources.

cloudconfig.*

firebase.clients.get

firebase.clients.list

firebase.projects.get

resourcemanager.projects.get

resourcemanager.projects.list

(roles/cloudconfig.viewer)

Read access to Firebase Remote Config resources.

cloudconfig.configs.get

firebase.clients.get

firebase.clients.list

firebase.projects.get

resourcemanager.projects.get

resourcemanager.projects.list

(roles/cloudtestservice.directAccessAdmin)

Administrator owning access to Direct Access

cloudtestservice.devicesession.*

cloudtestservice.environmentcatalog.get

resourcemanager.projects.get

resourcemanager.projects.list

(roles/cloudtestservice.directAccessViewer)

Viewer, able to see what direct access sessions exist

cloudtestservice.devicesession.get

cloudtestservice.devicesession.list

resourcemanager.projects.get

resourcemanager.projects.list

(roles/cloudtestservice.testAdmin)

Full access to all Test Lab features

cloudtestservice.environmentcatalog.get

cloudtestservice.matrices.*

cloudtoolresults.*

firebase.billingPlans.get

firebase.clients.get

firebase.clients.list

firebase.projects.get

resourcemanager.projects.get

resourcemanager.projects.list

storage.buckets.create

storage.buckets.get

storage.buckets.update

storage.objects.create

storage.objects.delete

storage.objects.get

storage.objects.list

(roles/cloudtestservice.testViewer)

Read access to Test Lab features

cloudtestservice.environmentcatalog.get

cloudtestservice.matrices.get

cloudtoolresults.executions.get

cloudtoolresults.executions.list

cloudtoolresults.histories.get

cloudtoolresults.histories.list

cloudtoolresults.settings.get

cloudtoolresults.steps.get

cloudtoolresults.steps.list

firebase.clients.get

firebase.clients.list

firebase.projects.get

resourcemanager.projects.get

resourcemanager.projects.list

storage.objects.get

storage.objects.list

(roles/firebaseabt.admin)

Full read/write access to Firebase A/B Testing resources.

firebase.clients.get

firebase.clients.list

firebase.projects.get

firebaseabt.*

resourcemanager.projects.get

resourcemanager.projects.list

(roles/firebaseabt.viewer)

Read-only access to Firebase A/B Testing resources.

firebase.clients.get

firebase.clients.list

firebase.projects.get

firebaseabt.experimentresults.get

firebaseabt.experiments.get

firebaseabt.experiments.list

firebaseabt.projectmetadata.get

resourcemanager.projects.get

resourcemanager.projects.list

(roles/firebaseappcheck.admin)

Full management of Firebase App Check.

firebaseappcheck.*

(roles/firebaseappcheck.tokenVerifier)

Access to token verification capabilities for Firebase App Check.

firebaseappcheck.appCheckTokens.verify

(roles/firebaseappcheck.viewer)

Read-only access for Firebase App Check.

firebaseappcheck.appAttestConfig.get

firebaseappcheck.debugTokens.get

firebaseappcheck.deviceCheckConfig.get

firebaseappcheck.playIntegrityConfig.get

firebaseappcheck.recaptchaEnterpriseConfig.get

firebaseappcheck.recaptchaV3Config.get

firebaseappcheck.resourcePolicies.get

firebaseappcheck.safetyNetConfig.get

firebaseappcheck.services.get

(roles/firebaseappdistro.admin)

Full read/write access to Firebase App Distribution resources.

firebase.clients.get

firebase.clients.list

firebase.projects.get

firebaseappdistro.*

resourcemanager.projects.get

resourcemanager.projects.list

(roles/firebaseappdistro.viewer)

Read-only access to Firebase App Distribution resources.

firebase.clients.get

firebase.clients.list

firebase.projects.get

firebaseappdistro.groups.list

firebaseappdistro.releases.list

firebaseappdistro.testers.list

resourcemanager.projects.get

resourcemanager.projects.list

(roles/firebaseauth.admin)

Full read/write access to Firebase Authentication resources.

firebase.clients.get

firebase.clients.list

firebase.projects.get

firebaseauth.*

resourcemanager.projects.get

resourcemanager.projects.list

(roles/firebaseauth.viewer)

Read-only access to Firebase Authentication resources.

firebase.clients.get

firebase.clients.list

firebase.projects.get

firebaseauth.configs.get

firebaseauth.users.get

resourcemanager.projects.get

resourcemanager.projects.list

(roles/firebasecrashlytics.admin)

Full read/write access to Firebase Crashlytics resources.

firebase.clients.get

firebase.clients.list

firebase.projects.get

firebasecrashlytics.*

resourcemanager.projects.get

resourcemanager.projects.list

(roles/firebasecrashlytics.viewer)

Read-only access to Firebase Crashlytics resources.

firebase.clients.get

firebase.clients.list

firebase.projects.get

firebasecrashlytics.config.get

firebasecrashlytics.data.get

firebasecrashlytics.issues.get

firebasecrashlytics.issues.list

firebasecrashlytics.sessions.get

resourcemanager.projects.get

resourcemanager.projects.list

(roles/firebasedatabase.admin)

Full read/write access to Firebase Realtime Database resources.

firebase.clients.get

firebase.clients.list

firebase.projects.get

firebasedatabase.*

resourcemanager.projects.get

resourcemanager.projects.list

(roles/firebasedatabase.viewer)

Read-only access to Firebase Realtime Database resources.

firebase.clients.get

firebase.clients.list

firebase.projects.get

firebasedatabase.instances.get

firebasedatabase.instances.list

resourcemanager.projects.get

resourcemanager.projects.list

(roles/firebasedynamiclinks.admin)

Full read/write access to Firebase Dynamic Links resources.

firebase.clients.get

firebase.clients.list

firebase.projects.get

firebasedynamiclinks.*

resourcemanager.projects.get

resourcemanager.projects.list

(roles/firebasedynamiclinks.viewer)

Read-only access to Firebase Dynamic Links resources.

firebase.clients.get

firebase.clients.list

firebase.projects.get

firebasedynamiclinks.destinations.list

firebasedynamiclinks.domains.get

firebasedynamiclinks.domains.list

firebasedynamiclinks.links.get

firebasedynamiclinks.links.list

firebasedynamiclinks.stats.get

resourcemanager.projects.get

resourcemanager.projects.list

(roles/firebaseextensions.developer)

View, create, and delete Firebase Extensions Instances and Extensions Versions, and update Extensions Instances

firebase.clients.get

firebase.clients.list

firebase.projects.get

resourcemanager.projects.get

resourcemanager.projects.list

(roles/firebaseextensions.viewer)

Viewer of Firebase Extensions Instances

firebase.clients.get

firebase.clients.list

firebase.projects.get

resourcemanager.projects.get

resourcemanager.projects.list

(roles/firebaseextensionspublisher.extensionsAdmin)

Fully manage Firebase Extensions

firebase.clients.get

firebase.clients.list

firebase.projects.get

firebaseextensionspublisher.*

resourcemanager.projects.get

resourcemanager.projects.list

(roles/firebaseextensionspublisher.extensionsViewer)

View Firebase Extensions

firebase.clients.get

firebase.clients.list

firebase.projects.get

firebaseextensionspublisher.extensions.get

firebaseextensionspublisher.extensions.list

resourcemanager.projects.get

resourcemanager.projects.list

(roles/firebasehosting.admin)

Full read/write access to Firebase Hosting resources.

firebase.clients.get

firebase.clients.list

firebase.projects.get

firebasehosting.*

resourcemanager.projects.get

resourcemanager.projects.list

(roles/firebasehosting.viewer)

Read-only access to Firebase Hosting resources.

firebase.clients.get

firebase.clients.list

firebase.projects.get

firebasehosting.sites.get

firebasehosting.sites.list

resourcemanager.projects.get

resourcemanager.projects.list

(roles/firebaseinappmessaging.admin)

Full read/write access to Firebase In-App Messaging resources.

firebase.clients.get

firebase.clients.list

firebase.projects.get

firebaseinappmessaging.*

resourcemanager.projects.get

resourcemanager.projects.list

(roles/firebaseinappmessaging.viewer)

Read-only access to Firebase In-App Messaging resources.

firebase.clients.get

firebase.clients.list

firebase.projects.get

firebaseinappmessaging.campaigns.get

firebaseinappmessaging.campaigns.list

resourcemanager.projects.get

resourcemanager.projects.list

(roles/firebasemessagingcampaigns.admin)

Full management of Firebase Messaging Campaigns.

firebasemessagingcampaigns.*

(roles/firebasemessagingcampaigns.viewer)

Read-only access for Firebase Messaging Campaigns.

firebasemessagingcampaigns.campaigns.get

firebasemessagingcampaigns.campaigns.list

(roles/firebaseml.admin)

Full read/write access to Firebase ML Kit resources.

firebase.clients.get

firebase.clients.list

firebase.projects.get

firebaseml.*

resourcemanager.projects.get

resourcemanager.projects.list

(roles/firebaseml.viewer)

Read-only access to Firebase ML Kit resources.

firebase.clients.get

firebase.clients.list

firebase.projects.get

firebaseml.models.get

firebaseml.models.list

firebaseml.modelversions.get

firebaseml.modelversions.list

resourcemanager.projects.get

resourcemanager.projects.list

(roles/firebasenotifications.admin)

Full read/write access to Firebase Cloud Messaging resources.

fcmdata.deliverydata.list

firebase.clients.get

firebase.clients.list

firebase.projects.get

firebasenotifications.*

resourcemanager.projects.get

resourcemanager.projects.list

(roles/firebasenotifications.viewer)

Read-only access to Firebase Cloud Messaging resources.

fcmdata.deliverydata.list

firebase.clients.get

firebase.clients.list

firebase.projects.get

firebasenotifications.messages.get

firebasenotifications.messages.list

resourcemanager.projects.get

resourcemanager.projects.list

(roles/firebaseperformance.admin)

Full access to firebaseperformance resources.

firebase.clients.get

firebase.clients.list

firebase.projects.get

firebaseperformance.*

resourcemanager.projects.get

resourcemanager.projects.list

(roles/firebaseperformance.viewer)

Read-only access to firebaseperformance resources.

firebase.clients.get

firebase.clients.list

firebase.projects.get

firebaseperformance.data.get

resourcemanager.projects.get

resourcemanager.projects.list

(roles/firebaserules.admin)

Full management of Firebase Rules.

firebaserules.*

resourcemanager.projects.get

resourcemanager.projects.list

(roles/firebaserules.system)

Read/write/list access for Datastore entities and Cloud Storage objects, as well as get/list/publish access for PubSub topics.

datastore.databases.get

datastore.entities.*

pubsub.topics.get

pubsub.topics.list

pubsub.topics.publish

resourcemanager.projects.get

resourcemanager.projects.list

storage.objects.create

storage.objects.delete

storage.objects.get

storage.objects.list

storage.objects.update

(roles/firebaserules.viewer)

Read-only access on all resources with the ability to test Rulesets.

firebaserules.releases.get

firebaserules.releases.list

firebaserules.rulesets.get

firebaserules.rulesets.list

resourcemanager.projects.get

resourcemanager.projects.list

(roles/firebasestorage.admin)

Full management of Cloud Storage for Firebase.

firebase.clients.get

firebase.clients.list

firebase.projects.get

firebasestorage.*

resourcemanager.projects.get

resourcemanager.projects.list

(roles/firebasestorage.viewer)

Read-only access for Cloud Storage for Firebase.

firebasestorage.buckets.get

firebasestorage.buckets.list

firebasestorage.defaultBucket.get

resourcemanager.projects.get

resourcemanager.projects.list

Permissions

(roles/fleetengine.consumerSdkUser)

Limited read access to Fleet Engine resources

fleetengine.trips.get

fleetengine.vehicles.get

fleetengine.vehicles.search

fleetengine.vehicles.searchFuzzed

(roles/fleetengine.deliveryAdmin)

Full access to Fleet Engine Delivery resources.

fleetengine.deliveryvehicles.*

fleetengine.tasks.*

fleetengine.tasktrackinginfo.*

resourcemanager.projects.get

resourcemanager.projects.list

serviceusage.services.use

(roles/fleetengine.deliveryConsumer)

Limited read access to Fleet Engine Delivery resources

fleetengine.tasks.searchWithTrackingId

fleetengine.tasktrackinginfo.get

(roles/fleetengine.deliveryFleetReader)

Grants read access to all Fleet Engine Delivery resources

fleetengine.deliveryvehicles.get

fleetengine.deliveryvehicles.list

fleetengine.tasks.get

fleetengine.tasks.list

fleetengine.tasks.searchWithTrackingId

fleetengine.tasktrackinginfo.get

(roles/fleetengine.deliverySuperUser)

Full access to Fleet Engine DeliveryVehicles and Tasks resources.

fleetengine.deliveryvehicles.create

fleetengine.deliveryvehicles.get

fleetengine.deliveryvehicles.list

fleetengine.deliveryvehicles.update

fleetengine.deliveryvehicles.updateLocation

fleetengine.deliveryvehicles.updateVehicleStops

fleetengine.tasks.create

fleetengine.tasks.get

fleetengine.tasks.list

fleetengine.tasks.searchWithTrackingId

fleetengine.tasks.update

fleetengine.tasktrackinginfo.get

resourcemanager.projects.get

resourcemanager.projects.list

(roles/fleetengine.deliveryTrustedDriver)

Read and write access to Fleet Engine Delivery resources

fleetengine.deliveryvehicles.create

fleetengine.deliveryvehicles.get

fleetengine.deliveryvehicles.update

fleetengine.deliveryvehicles.updateLocation

fleetengine.deliveryvehicles.updateVehicleStops

fleetengine.tasks.create

fleetengine.tasks.update

(roles/fleetengine.deliveryUntrustedDriver)

Limited write access to Fleet Engine Delivery Vehicle resources

fleetengine.deliveryvehicles.get

fleetengine.deliveryvehicles.updateLocation

(roles/fleetengine.driverSdkUser)

Read and limited update access to Fleet Engine resources

fleetengine.trips.get

fleetengine.trips.search

fleetengine.trips.update

fleetengine.vehicles.get

fleetengine.vehicles.updateLocation

(roles/fleetengine.ondemandAdmin)

Full access to Vehicle and Trip resources.

fleetengine.trips.*

fleetengine.vehicles.*

resourcemanager.projects.get

resourcemanager.projects.list

serviceusage.services.use

(roles/fleetengine.serviceSuperUser)

Full access to all Fleet Engine resources.

fleetengine.trips.create

fleetengine.trips.get

fleetengine.trips.search

fleetengine.trips.update

fleetengine.trips.updateState

fleetengine.vehicles.create

fleetengine.vehicles.get

fleetengine.vehicles.list

fleetengine.vehicles.search

fleetengine.vehicles.searchFuzzed

fleetengine.vehicles.update

fleetengine.vehicles.updateLocation

resourcemanager.projects.get

resourcemanager.projects.list

Permissions

(roles/genomics.admin)

Full access to genomics datasets and operations.

genomics.*

(roles/genomics.editor)

Access to read and edit genomics datasets and operations.

genomics.datasets.create

genomics.datasets.delete

genomics.datasets.get

genomics.datasets.list

genomics.datasets.update

genomics.operations.*

(roles/genomics.pipelinesRunner)

Full access to operate on genomics pipelines.

genomics.operations.*

(roles/genomics.viewer)

Access to view genomics datasets and operations.

genomics.datasets.get

genomics.datasets.list

genomics.operations.get

genomics.operations.list

Permissions

(roles/gkehub.admin)

Full access to Fleet resources.

gkehub.features.*

gkehub.fleet.*

gkehub.locations.*

gkehub.membershipbindings.*

gkehub.memberships.*

gkehub.namespaces.*

gkehub.operations.*

gkehub.rbacrolebindings.*

gkehub.scopes.*

resourcemanager.projects.get

resourcemanager.projects.list

(roles/gkehub.connect)

Ability to set up GKE Connect between external clusters and Google.

gkehub.endpoints.connect

(roles/gkehub.editor)

Edit access to Fleet resources.

gkehub.features.create

gkehub.features.delete

gkehub.features.get

gkehub.features.getIamPolicy

gkehub.features.list

gkehub.features.update

gkehub.fleet.*

gkehub.locations.*

gkehub.membershipbindings.*

gkehub.memberships.create

gkehub.memberships.delete

gkehub.memberships.generateConnectManifest

gkehub.memberships.get

gkehub.memberships.getIamPolicy

gkehub.memberships.list

gkehub.memberships.update

gkehub.namespaces.*

gkehub.operations.*

gkehub.rbacrolebindings.*

gkehub.scopes.create

gkehub.scopes.delete

gkehub.scopes.get

gkehub.scopes.getIamPolicy

gkehub.scopes.list

gkehub.scopes.listBoundMemberships

gkehub.scopes.update

resourcemanager.projects.get

resourcemanager.projects.list

(roles/gkehub.gatewayAdmin)

Full access to Connect Gateway.

gkehub.gateway.*

gkehub.memberships.get

serviceusage.services.get

(roles/gkehub.gatewayEditor)

Edit access to Connect Gateway.

gkehub.gateway.delete

gkehub.gateway.get

gkehub.gateway.patch

gkehub.gateway.post

gkehub.gateway.put

gkehub.memberships.get

serviceusage.services.get

(roles/gkehub.gatewayReader)

Read-only access to Connect Gateway.

gkehub.gateway.get

gkehub.memberships.get

serviceusage.services.get

(roles/gkehub.viewer)

Read-only access to Fleets and related resources.

gkehub.features.get

gkehub.features.getIamPolicy

gkehub.features.list

gkehub.fleet.get

gkehub.fleet.getFreeTrial

gkehub.locations.*

gkehub.membershipbindings.get

gkehub.membershipbindings.list

gkehub.memberships.generateConnectManifest

gkehub.memberships.get

gkehub.memberships.getIamPolicy

gkehub.memberships.list

gkehub.namespaces.get

gkehub.namespaces.list

gkehub.operations.get

gkehub.operations.list

gkehub.rbacrolebindings.get

gkehub.rbacrolebindings.list

gkehub.scopes.get

gkehub.scopes.list

gkehub.scopes.listBoundMemberships

resourcemanager.projects.get

resourcemanager.projects.list

Permissions

(roles/gkeonprem.admin)

Full access to all GKE on-prem resources.

gkeonprem.*

resourcemanager.projects.get

resourcemanager.projects.list

(roles/gkeonprem.viewer)

Read-only access to all GKE on-prem resources.

gkeonprem.bareMetalAdminClusters.connect

gkeonprem.bareMetalAdminClusters.get

gkeonprem.bareMetalAdminClusters.getIamPolicy

gkeonprem.bareMetalAdminClusters.list

gkeonprem.bareMetalAdminClusters.queryVersionConfig

gkeonprem.bareMetalClusters.get

gkeonprem.bareMetalClusters.getIamPolicy

gkeonprem.bareMetalClusters.list

gkeonprem.bareMetalClusters.queryVersionConfig

gkeonprem.bareMetalNodePools.get

gkeonprem.bareMetalNodePools.getIamPolicy

gkeonprem.bareMetalNodePools.list

gkeonprem.locations.*

gkeonprem.operations.get

gkeonprem.operations.list

gkeonprem.vmwareAdminClusters.connect

gkeonprem.vmwareAdminClusters.get

gkeonprem.vmwareAdminClusters.getIamPolicy

gkeonprem.vmwareAdminClusters.list

gkeonprem.vmwareClusters.get

gkeonprem.vmwareClusters.getIamPolicy

gkeonprem.vmwareClusters.list

gkeonprem.vmwareClusters.queryVersionConfig

gkeonprem.vmwareNodePools.get

gkeonprem.vmwareNodePools.getIamPolicy

gkeonprem.vmwareNodePools.list

resourcemanager.projects.get

resourcemanager.projects.list

Permissions

(roles/gsuiteaddons.developer)

Full access to Google Workspace Add-ons resources.

gsuiteaddons.*

resourcemanager.projects.get

resourcemanager.projects.list

(roles/gsuiteaddons.reader)

Read-only access to Google Workspace Add-ons resources.

gsuiteaddons.authorizations.get

gsuiteaddons.deployments.get

gsuiteaddons.deployments.list

resourcemanager.projects.get

resourcemanager.projects.list

(roles/gsuiteaddons.tester)

Testing execution access to Google Workspace Add-ons resources.

gsuiteaddons.deployments.execute

gsuiteaddons.deployments.install

gsuiteaddons.deployments.installStatus

gsuiteaddons.deployments.uninstall

resourcemanager.projects.get

resourcemanager.projects.list

Permissions

(roles/iam.denyAdmin)

Deny Admin role, with permissions to read and modify deny policies.

Lowest-level resources where you can grant this role:

  • Organization

iam.denypolicies.*

(roles/iam.denyReviewer)

Deny Reviewer role, with permissions to read deny policies.

Lowest-level resources where you can grant this role:

  • Organization

iam.denypolicies.get

iam.denypolicies.list

(roles/iam.securityAdmin)

Security admin role, with permissions to get and set any IAM policy.

accessapproval.requests.list

accesscontextmanager.accessLevels.list

accesscontextmanager.authorizedOrgsDescs.list

accesscontextmanager.gcpUserAccessBindings.list

accesscontextmanager.policies.getIamPolicy

accesscontextmanager.policies.list

accesscontextmanager.policies.setIamPolicy

accesscontextmanager.servicePerimeters.list

actions.agentVersions.list

advisorynotifications.notifications.*

aiplatform.annotationSpecs.list

aiplatform.annotations.list

aiplatform.artifacts.list

aiplatform.batchPredictionJobs.list

aiplatform.contexts.list

aiplatform.customJobs.list

aiplatform.dataItems.list

aiplatform.dataLabelingJobs.list

aiplatform.datasetVersions.list

aiplatform.datasets.list

aiplatform.deploymentResourcePools.list

aiplatform.edgeDeploymentJobs.list

aiplatform.edgeDevices.list

aiplatform.endpoints.getIamPolicy

aiplatform.endpoints.list

aiplatform.endpoints.setIamPolicy

aiplatform.entityTypes.getIamPolicy

aiplatform.entityTypes.list

aiplatform.entityTypes.setIamPolicy

aiplatform.executions.list

aiplatform.featureGroups.list

aiplatform.featureOnlineStores.list

aiplatform.featureViewSyncs.list

aiplatform.featureViews.list

aiplatform.features.list

aiplatform.featurestores.getIamPolicy

aiplatform.featurestores.list

aiplatform.featurestores.setIamPolicy

aiplatform.humanInTheLoops.list

aiplatform.hyperparameterTuningJobs.list

aiplatform.indexEndpoints.list

aiplatform.indexes.list

aiplatform.locations.list

aiplatform.metadataSchemas.list

aiplatform.metadataStores.list

aiplatform.modelDeploymentMonitoringJobs.list

aiplatform.modelEvaluationSlices.list

aiplatform.modelEvaluations.list

aiplatform.models.list

aiplatform.nasJobs.list

aiplatform.nasTrialDetails.list

aiplatform.notebookRuntimeTemplates.getIamPolicy

aiplatform.notebookRuntimeTemplates.list

aiplatform.notebookRuntimeTemplates.setIamPolicy

aiplatform.notebookRuntimes.list

aiplatform.operations.list

aiplatform.persistentResources.list

aiplatform.pipelineJobs.list

aiplatform.schedules.list

aiplatform.specialistPools.list

aiplatform.studies.list

aiplatform.tensorboardExperiments.list

aiplatform.tensorboardRuns.list

aiplatform.tensorboardTimeSeries.list

aiplatform.tensorboards.list

aiplatform.trainingPipelines.list

aiplatform.trials.list

alloydb.backups.list

alloydb.clusters.list

alloydb.databases.list

alloydb.instances.list

alloydb.locations.list

alloydb.operations.list

alloydb.supportedDatabaseFlags.list

alloydb.users.list

analyticshub.dataExchanges.getIamPolicy

analyticshub.dataExchanges.list

analyticshub.dataExchanges.setIamPolicy

analyticshub.listings.getIamPolicy

analyticshub.listings.list

analyticshub.listings.setIamPolicy

analyticshub.subscriptions.list

apigateway.apiconfigs.getIamPolicy

apigateway.apiconfigs.list

apigateway.apiconfigs.setIamPolicy

apigateway.apis.getIamPolicy

apigateway.apis.list

apigateway.apis.setIamPolicy

apigateway.gateways.getIamPolicy

apigateway.gateways.list

apigateway.gateways.setIamPolicy

apigateway.locations.list

apigateway.operations.list

apigee.apiproductattributes.list

apigee.apiproducts.list

apigee.appgroupapps.list

apigee.appgroups.list

apigee.apps.list

apigee.archivedeployments.list

apigee.caches.list

apigee.datacollectors.list

apigee.datastores.list

apigee.deployments.list

apigee.developerappattributes.list

apigee.developerapps.list

apigee.developerattributes.list

apigee.developers.list

apigee.developersubscriptions.list

apigee.endpointattachments.list

apigee.envgroupattachments.list

apigee.envgroups.list

apigee.environments.getIamPolicy

apigee.environments.list

apigee.environments.setIamPolicy

apigee.exports.list

apigee.flowhooks.list

apigee.hostqueries.list

apigee.hostsecurityreports.list

apigee.instanceattachments.list

apigee.instances.list

apigee.keystorealiases.list

apigee.keystores.list

apigee.keyvaluemapentries.list

apigee.keyvaluemaps.list

apigee.nataddresses.list

apigee.operations.list

apigee.organizations.list

apigee.portals.list

apigee.proxies.list

apigee.proxyrevisions.list

apigee.queries.list

apigee.rateplans.list

apigee.references.list

apigee.reports.list

apigee.resourcefiles.list

apigee.securityActions.list

apigee.securityFeedback.list

apigee.securityIncidents.list

apigee.securityProfiles.list

apigee.securityreports.list

apigee.sharedflowrevisions.list

apigee.sharedflows.list

apigee.targetservers.list

apigee.traceconfigoverrides.list

apigee.tracesessions.list

apigeeconnect.connections.list

apigeeregistry.apis.getIamPolicy

apigeeregistry.apis.list

apigeeregistry.apis.setIamPolicy

apigeeregistry.artifacts.getIamPolicy

apigeeregistry.artifacts.list

apigeeregistry.artifacts.setIamPolicy

apigeeregistry.deployments.list

apigeeregistry.locations.list

apigeeregistry.operations.list

apigeeregistry.specs.getIamPolicy

apigeeregistry.specs.list

apigeeregistry.specs.setIamPolicy

apigeeregistry.versions.getIamPolicy

apigeeregistry.versions.list

apigeeregistry.versions.setIamPolicy

apikeys.keys.list

appengine.instances.list

appengine.memcache.list

appengine.operations.list

appengine.services.list

appengine.versions.list

apphub.applications.getIamPolicy

apphub.applications.list

apphub.applications.setIamPolicy

apphub.discoveredServices.list

apphub.discoveredWorkloads.list

apphub.locations.list

apphub.operations.list

apphub.serviceProjectAttachments.list

apphub.services.list

apphub.workloads.list

applianceactivation.rttCommands.list

artifactregistry.dockerimages.list

artifactregistry.files.list

artifactregistry.locations.list

artifactregistry.mavenartifacts.list

artifactregistry.npmpackages.list

artifactregistry.packages.list

artifactregistry.pythonpackages.list

artifactregistry.repositories.getIamPolicy

artifactregistry.repositories.list

artifactregistry.repositories.setIamPolicy

artifactregistry.tags.list

artifactregistry.versions.list

assuredoss.locations.list

assuredoss.metadata.list

assuredoss.operations.list

assuredworkloads.operations.list

assuredworkloads.violations.list

assuredworkloads.workload.list

auditmanager.locations.list

auditmanager.operations.list

automl.annotationSpecs.list

automl.annotations.list

automl.columnSpecs.list

automl.datasets.getIamPolicy

automl.datasets.list

automl.datasets.setIamPolicy

automl.examples.list

automl.files.list

automl.humanAnnotationTasks.list

automl.locations.getIamPolicy

automl.locations.list

automl.locations.setIamPolicy

automl.modelEvaluations.list

automl.models.getIamPolicy

automl.models.list

automl.models.setIamPolicy

automl.operations.list

automl.tableSpecs.list

automlrecommendations.apiKeys.list

automlrecommendations.catalogItems.list

automlrecommendations.catalogs.list

automlrecommendations.eventStores.list

automlrecommendations.events.list

automlrecommendations.placements.list

automlrecommendations.recommendations.list

autoscaling.sites.getIamPolicy

autoscaling.sites.setIamPolicy

backupdr.locations.list

backupdr.managementServers.getIamPolicy

backupdr.managementServers.list

backupdr.managementServers.setIamPolicy

backupdr.operations.list

baremetalsolution.instancequotas.list

baremetalsolution.instances.list

baremetalsolution.luns.list

baremetalsolution.maintenanceevents.list

baremetalsolution.networkquotas.list

baremetalsolution.networks.list

baremetalsolution.nfsshares.list

baremetalsolution.osimages.list

baremetalsolution.procurements.list

baremetalsolution.skus.list

baremetalsolution.snapshotschedulepolicies.list

baremetalsolution.sshKeys.list

baremetalsolution.storageaggregatepools.list

baremetalsolution.volumequotas.list

baremetalsolution.volumes.list

baremetalsolution.volumesnapshots.list

batch.jobs.list

batch.locations.list

batch.operations.list

batch.tasks.list

beyondcorp.appConnections.getIamPolicy

beyondcorp.appConnections.list

beyondcorp.appConnections.setIamPolicy

beyondcorp.appConnectors.getIamPolicy

beyondcorp.appConnectors.list

beyondcorp.appConnectors.setIamPolicy

beyondcorp.appGateways.getIamPolicy

beyondcorp.appGateways.list

beyondcorp.appGateways.setIamPolicy

beyondcorp.clientConnectorServices.getIamPolicy

beyondcorp.clientConnectorServices.list

beyondcorp.clientConnectorServices.setIamPolicy

beyondcorp.clientGateways.getIamPolicy

beyondcorp.clientGateways.list

beyondcorp.clientGateways.setIamPolicy

beyondcorp.locations.list

beyondcorp.operations.list

beyondcorp.partnerTenants.list

beyondcorp.proxyConfigs.list

beyondcorp.subscriptions.list

biglake.catalogs.list

biglake.databases.list

biglake.locks.list

biglake.tables.list

bigquery.capacityCommitments.list

bigquery.connections.getIamPolicy

bigquery.connections.list

bigquery.connections.setIamPolicy

bigquery.dataPolicies.getIamPolicy

bigquery.dataPolicies.list

bigquery.dataPolicies.setIamPolicy

bigquery.datasets.getIamPolicy

bigquery.datasets.setIamPolicy

bigquery.jobs.list

bigquery.models.list

bigquery.reservationAssignments.list

bigquery.reservations.list

bigquery.routines.list

bigquery.rowAccessPolicies.getIamPolicy

bigquery.rowAccessPolicies.list

bigquery.rowAccessPolicies.setIamPolicy

bigquery.savedqueries.list

bigquery.tables.getIamPolicy

bigquery.tables.list

bigquery.tables.setIamPolicy

bigquerymigration.locations.list

bigquerymigration.subtasks.list

bigquerymigration.workflows.list

bigtable.appProfiles.list

bigtable.backups.getIamPolicy

bigtable.backups.list

bigtable.backups.setIamPolicy

bigtable.clusters.list

bigtable.hotTablets.list

bigtable.instances.getIamPolicy

bigtable.instances.list

bigtable.instances.setIamPolicy

bigtable.keyvisualizer.list

bigtable.locations.list

bigtable.tables.getIamPolicy

bigtable.tables.list

bigtable.tables.setIamPolicy

billing.accounts.getIamPolicy

billing.accounts.list

billing.accounts.setIamPolicy

billing.billingAccountPrices.list

billing.billingAccountServices.list

billing.billingAccountSkuGroupSkus.list

billing.billingAccountSkuGroups.list

billing.billingAccountSkus.list

billing.budgets.list

billing.credits.list

billing.resourceAssociations.list

billing.subscriptions.list

binaryauthorization.attestors.getIamPolicy

binaryauthorization.attestors.list

binaryauthorization.attestors.setIamPolicy

binaryauthorization.continuousValidationConfig.getIamPolicy

binaryauthorization.continuousValidationConfig.setIamPolicy

binaryauthorization.platformPolicies.list

binaryauthorization.policy.getIamPolicy

binaryauthorization.policy.setIamPolicy

blockchainnodeengine.blockchainNodes.list

blockchainnodeengine.locations.list

blockchainnodeengine.operations.list

capacityplanner.forecasts.list

capacityplanner.usageHistories.list

carestudio.patients.list

certificatemanager.certissuanceconfigs.list

certificatemanager.certmapentries.getIamPolicy

certificatemanager.certmapentries.list

certificatemanager.certmapentries.setIamPolicy

certificatemanager.certmaps.getIamPolicy

certificatemanager.certmaps.list

certificatemanager.certmaps.setIamPolicy

certificatemanager.certs.getIamPolicy

certificatemanager.certs.list

certificatemanager.certs.setIamPolicy

certificatemanager.dnsauthorizations.getIamPolicy

certificatemanager.dnsauthorizations.list

certificatemanager.dnsauthorizations.setIamPolicy

certificatemanager.locations.list

certificatemanager.operations.list

certificatemanager.trustconfigs.list

chronicle.analyticValues.list

chronicle.analytics.list

chronicle.collectors.list

chronicle.conversations.list

chronicle.curatedRuleSetCategories.list

chronicle.curatedRuleSetDeployments.list

chronicle.curatedRuleSets.list

chronicle.curatedRules.list

chronicle.dashboards.list

chronicle.dataAccessLabels.list

chronicle.dataAccessScopes.list

chronicle.dataTaps.list

chronicle.entities.list

chronicle.errorNotificationConfigs.list

chronicle.extensionValidationReports.list

chronicle.feedSourceTypeSchemas.list

chronicle.feeds.list

chronicle.findingsRefinementDeployments.list

chronicle.findingsRefinements.list

chronicle.forwarders.list

chronicle.iocMatches.list

chronicle.logTypeSchemas.list

chronicle.logTypes.list

chronicle.logs.list

chronicle.messages.list

chronicle.operations.list

chronicle.parserExtensions.list

chronicle.parsers.list

chronicle.parsingErrors.list

chronicle.referenceLists.list

chronicle.retrohunts.list

chronicle.ruleDeployments.list

chronicle.ruleExecutionErrors.list

chronicle.rules.list

chronicle.searchQueries.list

chronicle.validationErrors.list

chronicle.watchlists.list

clientauthconfig.brands.list

clientauthconfig.clients.list

cloud.locations.list

cloudasset.assets.searchAllResources

cloudasset.feeds.list

cloudasset.savedqueries.list

cloudbuild.builds.list

cloudbuild.connections.getIamPolicy

cloudbuild.connections.list

cloudbuild.connections.setIamPolicy

cloudbuild.integrations.list

cloudbuild.operations.list

cloudbuild.repositories.list

cloudbuild.workerpools.list

cloudcontrolspartner.accessapprovalrequests.list

cloudcontrolspartner.customers.list

cloudcontrolspartner.violations.list

cloudcontrolspartner.workloads.list

clouddebugger.breakpoints.list

clouddebugger.debuggees.list

clouddeploy.automationRuns.list

clouddeploy.automations.list

clouddeploy.customTargetTypes.getIamPolicy

clouddeploy.customTargetTypes.list

clouddeploy.customTargetTypes.setIamPolicy

clouddeploy.deliveryPipelines.getIamPolicy

clouddeploy.deliveryPipelines.list

clouddeploy.deliveryPipelines.setIamPolicy

clouddeploy.jobRuns.list

clouddeploy.locations.list

clouddeploy.operations.list

clouddeploy.releases.list

clouddeploy.rollouts.list

clouddeploy.targets.getIamPolicy

clouddeploy.targets.list

clouddeploy.targets.setIamPolicy

cloudfunctions.functions.getIamPolicy

cloudfunctions.functions.list

cloudfunctions.functions.setIamPolicy

cloudfunctions.locations.list

cloudfunctions.operations.list

cloudiot.devices.list

cloudiot.registries.getIamPolicy

cloudiot.registries.list

cloudiot.registries.setIamPolicy

cloudjobdiscovery.companies.list

cloudkms.cryptoKeyVersions.list

cloudkms.cryptoKeys.getIamPolicy

cloudkms.cryptoKeys.list

cloudkms.cryptoKeys.setIamPolicy

cloudkms.ekmConfigs.getIamPolicy

cloudkms.ekmConfigs.setIamPolicy

cloudkms.ekmConnections.getIamPolicy

cloudkms.ekmConnections.list

cloudkms.ekmConnections.setIamPolicy

cloudkms.importJobs.getIamPolicy

cloudkms.importJobs.list

cloudkms.importJobs.setIamPolicy

cloudkms.keyRings.getIamPolicy

cloudkms.keyRings.list

cloudkms.keyRings.setIamPolicy

cloudkms.locations.list

cloudnotifications.activities.list

cloudonefs.isiloncloud.com/clusters.list

cloudonefs.isiloncloud.com/fileshares.list

cloudprivatecatalogproducer.associations.list

cloudprivatecatalogproducer.catalogAssociations.list

cloudprivatecatalogproducer.catalogs.getIamPolicy

cloudprivatecatalogproducer.catalogs.list

cloudprivatecatalogproducer.catalogs.setIamPolicy

cloudprivatecatalogproducer.producerCatalogs.getIamPolicy

cloudprivatecatalogproducer.producerCatalogs.list

cloudprivatecatalogproducer.producerCatalogs.setIamPolicy

cloudprivatecatalogproducer.products.getIamPolicy

cloudprivatecatalogproducer.products.list

cloudprivatecatalogproducer.products.setIamPolicy

cloudprofiler.profiles.list

cloudscheduler.jobs.list

cloudscheduler.locations.list

cloudsecurityscanner.crawledurls.list

cloudsecurityscanner.results.list

cloudsecurityscanner.scanruns.list

cloudsecurityscanner.scans.list

cloudsql.backupRuns.list

cloudsql.databases.list

cloudsql.instances.list

cloudsql.sslCerts.list

cloudsql.users.list

cloudsupport.accounts.getIamPolicy

cloudsupport.accounts.list

cloudsupport.accounts.setIamPolicy

cloudsupport.techCases.list

cloudtasks.locations.list

cloudtasks.queues.getIamPolicy

cloudtasks.queues.list

cloudtasks.queues.setIamPolicy

cloudtasks.tasks.list

cloudtestservice.devicesession.list

cloudtoolresults.executions.list

cloudtoolresults.histories.list

cloudtoolresults.steps.list

cloudtrace.insights.list

cloudtrace.tasks.list

cloudtrace.traces.list

cloudtranslate.adaptiveMtDatasets.list

cloudtranslate.adaptiveMtFiles.list

cloudtranslate.adaptiveMtSentences.list

cloudtranslate.customModels.list

cloudtranslate.datasets.list

cloudtranslate.glossaries.list

cloudtranslate.glossaryentries.list

cloudtranslate.locations.list

cloudtranslate.operations.list

cloudvolumesgcp-api.netapp.com/activeDirectories.list

cloudvolumesgcp-api.netapp.com/ipRanges.list

cloudvolumesgcp-api.netapp.com/jobs.list

cloudvolumesgcp-api.netapp.com/regions.list

cloudvolumesgcp-api.netapp.com/serviceLevels.list

cloudvolumesgcp-api.netapp.com/snapshots.list

cloudvolumesgcp-api.netapp.com/volumereplication.list

cloudvolumesgcp-api.netapp.com/volumes.list

commerceagreementpublishing.agreements.list

commerceagreementpublishing.documents.list

commercebusinessenablement.operations.list

commercebusinessenablement.partnerAccounts.list

commercebusinessenablement.refunds.list

commercebusinessenablement.resellerDiscountOffers.list

commercebusinessenablement.resellerPrivateOfferPlans.list

commercebusinessenablement.resellerRestrictions.list

commerceoffercatalog.agreements.list

commerceoffercatalog.documents.list

commerceorggovernance.collections.list

commerceorggovernance.populateCollectionJobs.list

commerceorggovernance.services.list

commerceprice.events.list

commerceprice.privateoffers.list

composer.dags.list

composer.environments.list

composer.imageversions.list

composer.operations.list

composer.userworkloadsconfigmaps.list

composer.userworkloadssecrets.list

compute.acceleratorTypes.list

compute.addresses.list

compute.autoscalers.list

compute.backendBuckets.getIamPolicy

compute.backendBuckets.list

compute.backendBuckets.setIamPolicy

compute.backendServices.getIamPolicy

compute.backendServices.list

compute.backendServices.setIamPolicy

compute.commitments.list

compute.diskTypes.list

compute.disks.getIamPolicy

compute.disks.list

compute.disks.setIamPolicy

compute.externalVpnGateways.list

compute.firewallPolicies.getIamPolicy

compute.firewallPolicies.list

compute.firewallPolicies.setIamPolicy

compute.firewalls.list

compute.forwardingRules.list

compute.futureReservations.getIamPolicy

compute.futureReservations.list

compute.futureReservations.setIamPolicy

compute.globalAddresses.list

compute.globalForwardingRules.list

compute.globalNetworkEndpointGroups.list

compute.globalOperations.getIamPolicy

compute.globalOperations.list

compute.globalOperations.setIamPolicy

compute.globalPublicDelegatedPrefixes.list

compute.healthChecks.list

compute.httpHealthChecks.list

compute.httpsHealthChecks.list

compute.images.getIamPolicy

compute.images.list

compute.images.setIamPolicy

compute.instanceGroupManagers.list

compute.instanceGroups.list

compute.instanceTemplates.getIamPolicy

compute.instanceTemplates.list

compute.instanceTemplates.setIamPolicy

compute.instances.getIamPolicy

compute.instances.list

compute.instances.setIamPolicy

compute.instantSnapshots.getIamPolicy

compute.instantSnapshots.list

compute.instantSnapshots.setIamPolicy

compute.interconnectAttachments.list

compute.interconnectLocations.list

compute.interconnectRemoteLocations.list

compute.interconnects.list

compute.licenseCodes.getIamPolicy

compute.licenseCodes.list

compute.licenseCodes.setIamPolicy

compute.licenses.getIamPolicy

compute.licenses.list

compute.licenses.setIamPolicy

compute.machineImages.getIamPolicy

compute.machineImages.list

compute.machineImages.setIamPolicy

compute.machineTypes.list

compute.maintenancePolicies.getIamPolicy

compute.maintenancePolicies.list

compute.maintenancePolicies.setIamPolicy

compute.networkAttachments.getIamPolicy

compute.networkAttachments.list

compute.networkAttachments.setIamPolicy

compute.networkEdgeSecurityServices.list

compute.networkEndpointGroups.getIamPolicy

compute.networkEndpointGroups.list

compute.networkEndpointGroups.setIamPolicy

compute.networks.list

compute.nodeGroups.getIamPolicy

compute.nodeGroups.list

compute.nodeGroups.setIamPolicy

compute.nodeTemplates.getIamPolicy

compute.nodeTemplates.list

compute.nodeTemplates.setIamPolicy

compute.nodeTypes.list

compute.packetMirrorings.list

compute.publicAdvertisedPrefixes.list

compute.publicDelegatedPrefixes.list

compute.regionBackendServices.getIamPolicy

compute.regionBackendServices.list

compute.regionBackendServices.setIamPolicy

compute.regionFirewallPolicies.getIamPolicy

compute.regionFirewallPolicies.list

compute.regionFirewallPolicies.setIamPolicy

compute.regionHealthCheckServices.list

compute.regionHealthChecks.list

compute.regionNetworkEndpointGroups.list

compute.regionNotificationEndpoints.list

compute.regionOperations.getIamPolicy

compute.regionOperations.list

compute.regionOperations.setIamPolicy

compute.regionSecurityPolicies.list

compute.regionSslCertificates.list

compute.regionSslPolicies.list

compute.regionTargetHttpProxies.list

compute.regionTargetHttpsProxies.list

compute.regionTargetTcpProxies.list

compute.regionUrlMaps.list

compute.regions.list

compute.reservations.list

compute.resourcePolicies.getIamPolicy

compute.resourcePolicies.list

compute.resourcePolicies.setIamPolicy

compute.routers.list

compute.routes.list

compute.securityPolicies.getIamPolicy

compute.securityPolicies.list

compute.securityPolicies.setIamPolicy

compute.serviceAttachments.getIamPolicy

compute.serviceAttachments.list

compute.serviceAttachments.setIamPolicy

compute.snapshots.getIamPolicy

compute.snapshots.list

compute.snapshots.setIamPolicy

compute.sslCertificates.list

compute.sslPolicies.list

compute.storagePools.getIamPolicy

compute.storagePools.list

compute.storagePools.setIamPolicy

compute.subnetworks.getIamPolicy

compute.subnetworks.list

compute.subnetworks.setIamPolicy

compute.targetGrpcProxies.list

compute.targetHttpProxies.list

compute.targetHttpsProxies.list

compute.targetInstances.list

compute.targetPools.list

compute.targetSslProxies.list

compute.targetTcpProxies.list

compute.targetVpnGateways.list

compute.urlMaps.list

compute.vpnGateways.list

compute.vpnTunnels.list

compute.zoneOperations.getIamPolicy

compute.zoneOperations.list

compute.zoneOperations.setIamPolicy

compute.zones.list

confidentialcomputing.locations.list

config.deployments.getIamPolicy

config.deployments.list

config.deployments.setIamPolicy

config.locations.list

config.operations.list

config.previews.list

config.resources.list

config.revisions.list

config.terraformversions.list

connectors.actions.list

connectors.connections.getIamPolicy

connectors.connections.list

connectors.connections.setIamPolicy

connectors.connectors.list

connectors.customConnectorVersions.getIamPolicy

connectors.customConnectorVersions.list

connectors.customConnectorVersions.setIamPolicy

connectors.customConnectors.getIamPolicy

connectors.customConnectors.list

connectors.customConnectors.setIamPolicy

connectors.endpointAttachments.getIamPolicy

connectors.endpointAttachments.list

connectors.endpointAttachments.setIamPolicy

connectors.entities.list

connectors.entityTypes.list

connectors.eventSubscriptions.list

connectors.eventtypes.list

connectors.locations.list

connectors.managedZones.getIamPolicy

connectors.managedZones.list

connectors.managedZones.setIamPolicy

connectors.operations.list

connectors.providers.list

connectors.versions.list

consumerprocurement.accounts.list

consumerprocurement.consents.list

consumerprocurement.entitlements.list

consumerprocurement.events.list

consumerprocurement.freeTrials.list

consumerprocurement.orderAttributions.list

consumerprocurement.orders.list

contactcenteraiplatform.contactCenters.list

contactcenteraiplatform.locations.list

contactcenteraiplatform.operations.list

contactcenterinsights.analyses.list

contactcenterinsights.conversations.list

contactcenterinsights.faqEntries.list

contactcenterinsights.faqModels.list

contactcenterinsights.issueModels.list

contactcenterinsights.issues.list

contactcenterinsights.operations.list

contactcenterinsights.phraseMatchers.list

contactcenterinsights.views.list

container.apiServices.list

container.auditSinks.list

container.backendConfigs.list

container.bindings.list

container.certificateSigningRequests.list

container.clusterRoleBindings.list

container.clusterRoles.list

container.clusters.list

container.componentStatuses.list

container.configMaps.list

container.controllerRevisions.list

container.cronJobs.list

container.csiDrivers.list

container.csiNodeInfos.list

container.csiNodes.list

container.customResourceDefinitions.list

container.daemonSets.list

container.deployments.list

container.endpointSlices.list

container.endpoints.list

container.events.list

container.frontendConfigs.list

container.horizontalPodAutoscalers.list

container.ingresses.list

container.initializerConfigurations.list

container.jobs.list

container.leases.list

container.limitRanges.list

container.localSubjectAccessReviews.list

container.managedCertificates.list

container.mutatingWebhookConfigurations.list

container.namespaces.list

container.networkPolicies.list

container.nodes.list

container.operations.list

container.persistentVolumeClaims.list

container.persistentVolumes.list

container.petSets.list

container.podDisruptionBudgets.list

container.podPresets.list

container.podSecurityPolicies.list

container.podTemplates.list

container.pods.list

container.priorityClasses.list

container.replicaSets.list

container.replicationControllers.list

container.resourceQuotas.list

container.roleBindings.list

container.roles.list

container.runtimeClasses.list

container.scheduledJobs.list

container.selfSubjectAccessReviews.list

container.serviceAccounts.list

container.services.list

container.statefulSets.list

container.storageClasses.list

container.storageStates.list

container.storageVersionMigrations.list

container.subjectAccessReviews.list

container.thirdPartyObjects.list

container.thirdPartyResources.list

container.updateInfos.list

container.validatingWebhookConfigurations.list

container.volumeAttachments.list

container.volumeSnapshotClasses.list

container.volumeSnapshotContents.list

container.volumeSnapshots.list

containeranalysis.notes.getIamPolicy

containeranalysis.notes.list

containeranalysis.notes.setIamPolicy

containeranalysis.occurrences.getIamPolicy

containeranalysis.occurrences.list

containeranalysis.occurrences.setIamPolicy

containersecurity.clusterSummaries.list

containersecurity.findings.list

containersecurity.locations.list

containersecurity.workloadConfigAudits.list

contentwarehouse.corpora.list

contentwarehouse.documentSchemas.list

contentwarehouse.documents.getIamPolicy

contentwarehouse.documents.list

contentwarehouse.documents.setIamPolicy

contentwarehouse.ruleSets.list

contentwarehouse.synonymSets.list

databaseinsights.locations.list

datacatalog.categories.getIamPolicy

datacatalog.categories.setIamPolicy

datacatalog.entries.getIamPolicy

datacatalog.entries.list

datacatalog.entries.setIamPolicy

datacatalog.entryGroups.getIamPolicy

datacatalog.entryGroups.list

datacatalog.entryGroups.setIamPolicy

datacatalog.operations.list

datacatalog.relationships.list

datacatalog.tagTemplates.getIamPolicy

datacatalog.tagTemplates.setIamPolicy

datacatalog.taxonomies.getIamPolicy

datacatalog.taxonomies.list

datacatalog.taxonomies.setIamPolicy

dataconnectors.connectors.getIamPolicy

dataconnectors.connectors.list

dataconnectors.connectors.setIamPolicy

dataconnectors.locations.list

dataconnectors.operations.list

dataflow.jobs.list

dataflow.messages.list

dataflow.snapshots.list

dataform.compilationResults.list

dataform.locations.list

dataform.releaseConfigs.list

dataform.repositories.getIamPolicy

dataform.repositories.list

dataform.repositories.setIamPolicy

dataform.workflowConfigs.list

dataform.workflowInvocations.list

dataform.workspaces.getIamPolicy

dataform.workspaces.list

dataform.workspaces.setIamPolicy

datafusion.artifacts.list

datafusion.instances.getIamPolicy

datafusion.instances.list

datafusion.instances.setIamPolicy

datafusion.locations.list

datafusion.operations.list

datafusion.pipelineConnections.list

datafusion.pipelines.list

datafusion.profiles.list

datafusion.secureKeys.list

datalabeling.annotateddatasets.list

datalabeling.annotationspecsets.list

datalabeling.dataitems.list

datalabeling.datasets.list

datalabeling.examples.list

datalabeling.instructions.list

datalabeling.operations.list

datalineage.events.list

datalineage.processes.list

datalineage.runs.list

datamigration.connectionprofiles.getIamPolicy

datamigration.connectionprofiles.list

datamigration.connectionprofiles.setIamPolicy

datamigration.conversionworkspaces.getIamPolicy

datamigration.conversionworkspaces.list

datamigration.conversionworkspaces.setIamPolicy

datamigration.locations.list

datamigration.mappingrules.getIamPolicy

datamigration.mappingrules.setIamPolicy

datamigration.migrationjobs.getIamPolicy

datamigration.migrationjobs.list

datamigration.migrationjobs.setIamPolicy

datamigration.operations.list

datamigration.privateconnections.getIamPolicy

datamigration.privateconnections.list

datamigration.privateconnections.setIamPolicy

datapipelines.jobs.list

datapipelines.pipelines.list

dataplex.aspectTypes.getIamPolicy

dataplex.aspectTypes.list

dataplex.aspectTypes.setIamPolicy

dataplex.assetActions.list

dataplex.assets.getIamPolicy

dataplex.assets.list

dataplex.assets.setIamPolicy

dataplex.content.getIamPolicy

dataplex.content.list

dataplex.content.setIamPolicy

dataplex.dataAttributeBindings.getIamPolicy

dataplex.dataAttributeBindings.list

dataplex.dataAttributeBindings.setIamPolicy

dataplex.dataAttributes.getIamPolicy

dataplex.dataAttributes.list

dataplex.dataAttributes.setIamPolicy

dataplex.dataTaxonomies.getIamPolicy

dataplex.dataTaxonomies.list

dataplex.dataTaxonomies.setIamPolicy

dataplex.datascans.getIamPolicy

dataplex.datascans.list

dataplex.datascans.setIamPolicy

dataplex.entities.list

dataplex.entries.list

dataplex.entryGroups.getIamPolicy

dataplex.entryGroups.list

dataplex.entryGroups.setIamPolicy

dataplex.entryTypes.getIamPolicy

dataplex.entryTypes.list

dataplex.entryTypes.setIamPolicy

dataplex.environments.getIamPolicy

dataplex.environments.list

dataplex.environments.setIamPolicy

dataplex.lakeActions.list

dataplex.lakes.getIamPolicy

dataplex.lakes.list

dataplex.lakes.setIamPolicy

dataplex.locations.list

dataplex.operations.list

dataplex.partitions.list

dataplex.tasks.getIamPolicy

dataplex.tasks.list

dataplex.tasks.setIamPolicy

dataplex.zoneActions.list

dataplex.zones.getIamPolicy

dataplex.zones.list

dataplex.zones.setIamPolicy

dataproc.agents.list

dataproc.autoscalingPolicies.getIamPolicy

dataproc.autoscalingPolicies.list

dataproc.autoscalingPolicies.setIamPolicy

dataproc.batches.list

dataproc.clusters.getIamPolicy

dataproc.clusters.list

dataproc.clusters.setIamPolicy

dataproc.jobs.getIamPolicy

dataproc.jobs.list

dataproc.jobs.setIamPolicy

dataproc.operations.getIamPolicy

dataproc.operations.list

dataproc.operations.setIamPolicy

dataproc.sessionTemplates.list

dataproc.sessions.list

dataproc.workflowTemplates.getIamPolicy

dataproc.workflowTemplates.list

dataproc.workflowTemplates.setIamPolicy

dataprocessing.datasources.list

dataprocessing.featurecontrols.list

dataprocessing.groupcontrols.list

datastore.backupSchedules.list

datastore.backups.list

datastore.databases.list

datastore.entities.list

datastore.indexes.list

datastore.keyVisualizerScans.list

datastore.locations.list

datastore.namespaces.list

datastore.operations.list

datastore.statistics.list

datastream.connectionProfiles.getIamPolicy

datastream.connectionProfiles.list

datastream.connectionProfiles.setIamPolicy

datastream.locations.list

datastream.objects.list

datastream.operations.list

datastream.privateConnections.getIamPolicy

datastream.privateConnections.list

datastream.privateConnections.setIamPolicy

datastream.routes.getIamPolicy

datastream.routes.list

datastream.routes.setIamPolicy

datastream.streams.getIamPolicy

datastream.streams.list

datastream.streams.setIamPolicy

datastudio.datasources.getIamPolicy

datastudio.datasources.setIamPolicy

datastudio.reports.getIamPolicy

datastudio.reports.setIamPolicy

datastudio.workspaces.getIamPolicy

datastudio.workspaces.setIamPolicy

deploymentmanager.compositeTypes.list

deploymentmanager.deployments.getIamPolicy

deploymentmanager.deployments.list

deploymentmanager.deployments.setIamPolicy

deploymentmanager.manifests.list

deploymentmanager.operations.list

deploymentmanager.resources.list

deploymentmanager.typeProviders.list

deploymentmanager.types.list

dialogflow.agents.list

dialogflow.answerrecords.list

dialogflow.callMatchers.list

dialogflow.changelogs.list

dialogflow.contexts.list

dialogflow.conversationDatasets.list

dialogflow.conversationModels.list

dialogflow.conversationProfiles.list

dialogflow.conversations.list

dialogflow.deployments.list

dialogflow.documents.list

dialogflow.entityTypes.list

dialogflow.environments.list

dialogflow.examples.list

dialogflow.experiments.list

dialogflow.flows.list

dialogflow.generators.list

dialogflow.integrations.list

dialogflow.intents.list

dialogflow.knowledgeBases.list

dialogflow.messages.list

dialogflow.modelEvaluations.list

dialogflow.pages.list

dialogflow.participants.list

dialogflow.phoneNumberOrders.list

dialogflow.phoneNumbers.list

dialogflow.playbooks.list

dialogflow.securitySettings.list

dialogflow.sessionEntityTypes.list

dialogflow.smartMessagingEntries.list

dialogflow.testcases.list

dialogflow.tools.list

dialogflow.transitionRouteGroups.list

dialogflow.versions.list

dialogflow.webhooks.list

discoveryengine.branches.list

discoveryengine.cmekConfigs.list

discoveryengine.collections.list

discoveryengine.controls.list

discoveryengine.conversations.list

discoveryengine.dataStores.list

discoveryengine.documents.list

discoveryengine.engines.list

discoveryengine.models.list

discoveryengine.operations.list

discoveryengine.schemas.list

discoveryengine.servingConfigs.list

discoveryengine.targetSites.list

dlp.analyzeRiskTemplates.list

dlp.columnDataProfiles.list

dlp.connections.list

dlp.deidentifyTemplates.list

dlp.estimates.list

dlp.inspectFindings.list

dlp.inspectTemplates.list

dlp.jobTriggers.list

dlp.jobs.list

dlp.locations.list

dlp.projectDataProfiles.list

dlp.storedInfoTypes.list

dlp.subscriptions.list

dlp.tableDataProfiles.list

dns.changes.list

dns.dnsKeys.list

dns.managedZoneOperations.list

dns.managedZones.getIamPolicy

dns.managedZones.list

dns.managedZones.setIamPolicy

dns.policies.getIamPolicy

dns.policies.list

dns.policies.setIamPolicy

dns.resourceRecordSets.list

dns.responsePolicies.list

dns.responsePolicyRules.list

documentai.dataLabelingJobs.list

documentai.evaluations.list

documentai.labelerPools.list

documentai.locations.list

documentai.processorTypes.list

documentai.processorVersions.list

documentai.processors.list

domains.locations.list

domains.operations.list

domains.registrations.getIamPolicy

domains.registrations.list

domains.registrations.setIamPolicy

earthengine.assets.getIamPolicy

earthengine.assets.list

earthengine.assets.setIamPolicy

earthengine.operations.list

edgecontainer.clusters.getIamPolicy

edgecontainer.clusters.list

edgecontainer.clusters.setIamPolicy

edgecontainer.locations.list

edgecontainer.machines.getIamPolicy

edgecontainer.machines.list

edgecontainer.machines.setIamPolicy

edgecontainer.nodePools.getIamPolicy

edgecontainer.nodePools.list

edgecontainer.nodePools.setIamPolicy

edgecontainer.operations.list

edgecontainer.vpnConnections.getIamPolicy

edgecontainer.vpnConnections.list

edgecontainer.vpnConnections.setIamPolicy

edgenetwork.interconnectAttachments.getIamPolicy

edgenetwork.interconnectAttachments.list

edgenetwork.interconnectAttachments.setIamPolicy

edgenetwork.interconnects.getIamPolicy

edgenetwork.interconnects.list

edgenetwork.interconnects.setIamPolicy

edgenetwork.locations.list

edgenetwork.networks.getIamPolicy

edgenetwork.networks.list

edgenetwork.networks.setIamPolicy

edgenetwork.operations.list

edgenetwork.routers.getIamPolicy

edgenetwork.routers.list

edgenetwork.routers.setIamPolicy

edgenetwork.routes.list

edgenetwork.subnetworks.getIamPolicy

edgenetwork.subnetworks.list

edgenetwork.subnetworks.setIamPolicy

edgenetwork.zones.list

enterpriseknowledgegraph.entityReconciliationJobs.list

enterprisepurchasing.gcveCuds.list

enterprisepurchasing.gcveNodePricingInfo.list

enterprisepurchasing.locations.list

enterprisepurchasing.operations.list

errorreporting.applications.list

errorreporting.errorEvents.list

errorreporting.groups.list

essentialcontacts.contacts.list

eventarc.channelConnections.getIamPolicy

eventarc.channelConnections.list

eventarc.channelConnections.setIamPolicy

eventarc.channels.getIamPolicy

eventarc.channels.list

eventarc.channels.setIamPolicy

eventarc.locations.list

eventarc.operations.list

eventarc.providers.list

eventarc.triggers.getIamPolicy

eventarc.triggers.list

eventarc.triggers.setIamPolicy

fcmdata.deliverydata.list

file.backups.list

file.instances.list

file.locations.list

file.operations.list

financialservices.locations.list

financialservices.operations.list

financialservices.v1backtests.list

financialservices.v1datasets.list

financialservices.v1engineconfigs.list

financialservices.v1engineversions.list

financialservices.v1instances.list

financialservices.v1models.list

financialservices.v1predictions.list

firebase.clients.list

firebase.links.list

firebase.playLinks.list

firebaseabt.experiments.list

firebaseappdistro.groups.list

firebaseappdistro.releases.list

firebaseappdistro.testers.list

firebasecrashlytics.issues.list

firebasedatabase.instances.list

firebasedynamiclinks.destinations.list

firebasedynamiclinks.domains.list

firebasedynamiclinks.links.list

firebaseextensions.configs.list

firebaseextensionspublisher.extensions.list

firebasehosting.sites.list

firebaseinappmessaging.campaigns.list

firebasemessagingcampaigns.campaigns.list

firebaseml.models.list

firebaseml.modelversions.list

firebasenotifications.messages.list

firebaserules.releases.list

firebaserules.rulesets.list

firebasestorage.buckets.list

fleetengine.deliveryvehicles.list

fleetengine.tasks.list

fleetengine.vehicles.list

gcp.redisenterprise.com/databases.list

gcp.redisenterprise.com/subscriptions.list

gdchardwaremanagement.changeLogEntries.list

gdchardwaremanagement.comments.list

gdchardwaremanagement.hardware.list

gdchardwaremanagement.hardwareGroups.list

gdchardwaremanagement.locations.list

gdchardwaremanagement.operations.list

gdchardwaremanagement.orders.list

gdchardwaremanagement.sites.list

gdchardwaremanagement.skus.list

genomics.datasets.getIamPolicy

genomics.datasets.list

genomics.datasets.setIamPolicy

genomics.operations.list

gkebackup.backupPlans.getIamPolicy

gkebackup.backupPlans.list

gkebackup.backupPlans.setIamPolicy

gkebackup.backups.list

gkebackup.locations.list

gkebackup.operations.list

gkebackup.restorePlans.getIamPolicy

gkebackup.restorePlans.list

gkebackup.restorePlans.setIamPolicy

gkebackup.restores.list

gkebackup.volumeBackups.list

gkebackup.volumeRestores.list

gkehub.features.getIamPolicy

gkehub.features.list

gkehub.features.setIamPolicy

gkehub.gateway.getIamPolicy

gkehub.gateway.setIamPolicy

gkehub.locations.list

gkehub.membershipbindings.list

gkehub.memberships.getIamPolicy

gkehub.memberships.list

gkehub.memberships.setIamPolicy

gkehub.namespaces.list

gkehub.operations.list

gkehub.rbacrolebindings.list

gkehub.scopes.getIamPolicy

gkehub.scopes.list

gkehub.scopes.setIamPolicy

gkemulticloud.attachedClusters.list

gkemulticloud.awsClusters.list

gkemulticloud.awsNodePools.list

gkemulticloud.azureClients.list

gkemulticloud.azureClusters.list

gkemulticloud.azureNodePools.list

gkemulticloud.operations.list

gkeonprem.bareMetalAdminClusters.getIamPolicy

gkeonprem.bareMetalAdminClusters.list

gkeonprem.bareMetalAdminClusters.setIamPolicy

gkeonprem.bareMetalClusters.getIamPolicy

gkeonprem.bareMetalClusters.list

gkeonprem.bareMetalClusters.setIamPolicy

gkeonprem.bareMetalNodePools.getIamPolicy

gkeonprem.bareMetalNodePools.list

gkeonprem.bareMetalNodePools.setIamPolicy

gkeonprem.locations.list

gkeonprem.operations.list

gkeonprem.vmwareAdminClusters.getIamPolicy

gkeonprem.vmwareAdminClusters.list

gkeonprem.vmwareAdminClusters.setIamPolicy

gkeonprem.vmwareClusters.getIamPolicy

gkeonprem.vmwareClusters.list

gkeonprem.vmwareClusters.setIamPolicy

gkeonprem.vmwareNodePools.getIamPolicy

gkeonprem.vmwareNodePools.list

gkeonprem.vmwareNodePools.setIamPolicy

gsuiteaddons.deployments.list

healthcare.annotationStores.getIamPolicy

healthcare.annotationStores.list

healthcare.annotationStores.setIamPolicy

healthcare.annotations.list

healthcare.attributeDefinitions.list

healthcare.consentArtifacts.list

healthcare.consentStores.getIamPolicy

healthcare.consentStores.list

healthcare.consentStores.setIamPolicy

healthcare.consents.list

healthcare.datasets.getIamPolicy

healthcare.datasets.list

healthcare.datasets.setIamPolicy

healthcare.dicomStores.getIamPolicy

healthcare.dicomStores.list

healthcare.dicomStores.setIamPolicy

healthcare.fhirStores.getIamPolicy

healthcare.fhirStores.list

healthcare.fhirStores.setIamPolicy

healthcare.hl7V2Messages.list

healthcare.hl7V2Stores.getIamPolicy

healthcare.hl7V2Stores.list

healthcare.hl7V2Stores.setIamPolicy

healthcare.locations.list

healthcare.operations.list

healthcare.userDataMappings.list

iam.denypolicies.list

iam.googleapis.com/workforcePoolProviderKeys.list

iam.googleapis.com/workforcePoolProviders.list

iam.googleapis.com/workforcePools.getIamPolicy

iam.googleapis.com/workforcePools.list

iam.googleapis.com/workforcePools.setIamPolicy

iam.googleapis.com/workloadIdentityPoolProviderKeys.list

iam.googleapis.com/workloadIdentityPoolProviders.list

iam.googleapis.com/workloadIdentityPools.list

iam.roles.get

iam.roles.list

iam.serviceAccountKeys.list

iam.serviceAccounts.get

iam.serviceAccounts.getIamPolicy

iam.serviceAccounts.list

iam.serviceAccounts.setIamPolicy

iap.tunnel.*

iap.tunnelDestGroups.getIamPolicy

iap.tunnelDestGroups.list

iap.tunnelDestGroups.setIamPolicy

iap.tunnelInstances.getIamPolicy

iap.tunnelInstances.setIamPolicy

iap.tunnelLocations.*

iap.tunnelZones.*

iap.web.getIamPolicy

iap.web.setIamPolicy

iap.webServiceVersions.getIamPolicy

iap.webServiceVersions.setIamPolicy

iap.webServices.getIamPolicy

iap.webServices.setIamPolicy

iap.webTypes.getIamPolicy

iap.webTypes.setIamPolicy

identitytoolkit.tenants.getIamPolicy

identitytoolkit.tenants.list

identitytoolkit.tenants.setIamPolicy

ids.endpoints.getIamPolicy

ids.endpoints.list

ids.endpoints.setIamPolicy

ids.locations.list

ids.operations.list

integrations.apigeeAuthConfigs.list

integrations.apigeeCertificates.list

integrations.apigeeExecutions.list

integrations.apigeeIntegrationVers.list

integrations.apigeeIntegrations.list

integrations.apigeeSfdcChannels.list

integrations.apigeeSfdcInstances.list

integrations.apigeeSuspensions.list

integrations.authConfigs.list

integrations.certificates.list

integrations.executions.list

integrations.integrationVersions.list

integrations.integrations.list

integrations.securityAuthConfigs.list

integrations.securityExecutions.list

integrations.securityIntegTempVers.list

integrations.securityIntegrationVers.list

integrations.securityIntegrations.list

integrations.sfdcChannels.list

integrations.sfdcInstances.list

integrations.suspensions.list

issuerswitch.accountManagerTransactions.list

issuerswitch.complaintTransactions.list

issuerswitch.financialTransactions.list

issuerswitch.mandateTransactions.list

issuerswitch.metadataTransactions.list

issuerswitch.operations.list

issuerswitch.ruleMetadata.list

issuerswitch.ruleMetadataValues.list

issuerswitch.rules.list

krmapihosting.krmApiHosts.getIamPolicy

krmapihosting.krmApiHosts.list

krmapihosting.krmApiHosts.setIamPolicy

krmapihosting.locations.list

krmapihosting.operations.list

lifesciences.operations.list

livestream.assets.list

livestream.channels.list

livestream.events.list

livestream.inputs.list

livestream.locations.list

livestream.operations.list

logging.buckets.list

logging.exclusions.list

logging.links.list

logging.locations.list

logging.logEntries.list

logging.logMetrics.list

logging.logServiceIndexes.list

logging.logServices.list

logging.logs.list

logging.notificationRules.list

logging.operations.list

logging.privateLogEntries.list

logging.queries.list

logging.sinks.list

logging.views.list

looker.backups.list

looker.instances.list

looker.locations.list

looker.operations.list

managedidentities.backups.getIamPolicy

managedidentities.backups.list

managedidentities.backups.setIamPolicy

managedidentities.domains.getIamPolicy

managedidentities.domains.list

managedidentities.domains.setIamPolicy

managedidentities.locations.list

managedidentities.operations.list

managedidentities.peerings.getIamPolicy

managedidentities.peerings.list

managedidentities.peerings.setIamPolicy

managedidentities.sqlintegrations.list

mapsadmin.clientMaps.list

mapsadmin.clientStyleSheetSnapshots.list

mapsadmin.clientStyles.list

mapsadmin.styleSnapshots.list

mapsanalytics.metricMetadata.list

mapsplatformdatasets.datasets.list

marketplacesolutions.locations.list

marketplacesolutions.operations.list

marketplacesolutions.powerImages.list

marketplacesolutions.powerInstances.list

marketplacesolutions.powerNetworks.list

marketplacesolutions.powerSshKeys.list

marketplacesolutions.powerVolumes.list

memcache.instances.list

memcache.locations.list

memcache.operations.list

metastore.backups.getIamPolicy

metastore.backups.list

metastore.backups.setIamPolicy

metastore.databases.getIamPolicy

metastore.databases.list

metastore.databases.setIamPolicy

metastore.federations.getIamPolicy

metastore.federations.list

metastore.federations.setIamPolicy

metastore.imports.list

metastore.locations.list

metastore.operations.list

metastore.services.getIamPolicy

metastore.services.list

metastore.services.setIamPolicy

metastore.tables.getIamPolicy

metastore.tables.list

metastore.tables.setIamPolicy

migrationcenter.assets.list

migrationcenter.discoveryClients.list

migrationcenter.errorFrames.list

migrationcenter.groups.list

migrationcenter.importDataFiles.list

migrationcenter.importJobs.list

migrationcenter.locations.list

migrationcenter.operations.list

migrationcenter.preferenceSets.list

migrationcenter.reportConfigs.list

migrationcenter.reports.list

migrationcenter.sources.list

ml.jobs.getIamPolicy

ml.jobs.list

ml.jobs.setIamPolicy

ml.locations.list

ml.models.getIamPolicy

ml.models.list

ml.models.setIamPolicy

ml.operations.list

ml.studies.getIamPolicy

ml.studies.list

ml.studies.setIamPolicy

ml.trials.list

ml.versions.list

monitoring.alertPolicies.list

monitoring.dashboards.list

monitoring.groups.list

monitoring.metricDescriptors.list

monitoring.monitoredResourceDescriptors.list

monitoring.notificationChannelDescriptors.list

monitoring.notificationChannels.list

monitoring.publicWidgets.list

monitoring.services.list

monitoring.slos.list

monitoring.snoozes.list

monitoring.timeSeries.list

monitoring.uptimeCheckConfigs.list

netapp.activeDirectories.list

netapp.backupPolicies.list

netapp.backupVaults.list

netapp.backups.list

netapp.kmsConfigs.list

netapp.replications.list

netapp.snapshots.list

netapp.storagePools.list

netapp.volumes.list

networkconnectivity.groups.getIamPolicy

networkconnectivity.groups.list

networkconnectivity.groups.setIamPolicy

networkconnectivity.hubRouteTables.getIamPolicy

networkconnectivity.hubRouteTables.list

networkconnectivity.hubRouteTables.setIamPolicy

networkconnectivity.hubRoutes.getIamPolicy

networkconnectivity.hubRoutes.list

networkconnectivity.hubRoutes.setIamPolicy

networkconnectivity.hubs.getIamPolicy

networkconnectivity.hubs.list

networkconnectivity.hubs.setIamPolicy

networkconnectivity.internalRanges.getIamPolicy

networkconnectivity.internalRanges.list

networkconnectivity.internalRanges.setIamPolicy

networkconnectivity.locations.list

networkconnectivity.operations.list

networkconnectivity.policyBasedRoutes.getIamPolicy

networkconnectivity.policyBasedRoutes.list

networkconnectivity.policyBasedRoutes.setIamPolicy

networkconnectivity.regionalEndpoints.list

networkconnectivity.serviceClasses.list

networkconnectivity.serviceConnectionMaps.list

networkconnectivity.serviceConnectionPolicies.list

networkconnectivity.spokes.getIamPolicy

networkconnectivity.spokes.list

networkconnectivity.spokes.setIamPolicy

networkmanagement.connectivitytests.getIamPolicy

networkmanagement.connectivitytests.list

networkmanagement.connectivitytests.setIamPolicy

networkmanagement.locations.list

networkmanagement.operations.list

networksecurity.addressGroups.getIamPolicy

networksecurity.addressGroups.list

networksecurity.addressGroups.setIamPolicy

networksecurity.authorizationPolicies.getIamPolicy

networksecurity.authorizationPolicies.list

networksecurity.authorizationPolicies.setIamPolicy

networksecurity.clientTlsPolicies.getIamPolicy

networksecurity.clientTlsPolicies.list

networksecurity.clientTlsPolicies.setIamPolicy

networksecurity.firewallEndpointAssociations.list

networksecurity.firewallEndpoints.list

networksecurity.gatewaySecurityPolicies.list

networksecurity.gatewaySecurityPolicyRules.list

networksecurity.locations.list

networksecurity.operations.list

networksecurity.securityProfileGroups.list

networksecurity.securityProfiles.list

networksecurity.serverTlsPolicies.getIamPolicy

networksecurity.serverTlsPolicies.list

networksecurity.serverTlsPolicies.setIamPolicy

networksecurity.tlsInspectionPolicies.list

networksecurity.urlLists.list

networkservices.endpointConfigSelectors.getIamPolicy

networkservices.endpointConfigSelectors.list

networkservices.endpointConfigSelectors.setIamPolicy

networkservices.endpointPolicies.getIamPolicy

networkservices.endpointPolicies.list

networkservices.endpointPolicies.setIamPolicy

networkservices.gateways.list

networkservices.grpcRoutes.getIamPolicy

networkservices.grpcRoutes.list

networkservices.grpcRoutes.setIamPolicy

networkservices.httpFilters.getIamPolicy

networkservices.httpFilters.list

networkservices.httpFilters.setIamPolicy

networkservices.httpRoutes.getIamPolicy

networkservices.httpRoutes.list

networkservices.httpRoutes.setIamPolicy

networkservices.httpfilters.getIamPolicy

networkservices.httpfilters.list

networkservices.httpfilters.setIamPolicy

networkservices.lbRouteExtensions.list

networkservices.lbTrafficExtensions.list

networkservices.locations.list

networkservices.meshes.getIamPolicy

networkservices.meshes.list

networkservices.meshes.setIamPolicy

networkservices.operations.list

networkservices.serviceBindings.list

networkservices.serviceLbPolicies.list

networkservices.tcpRoutes.getIamPolicy

networkservices.tcpRoutes.list

networkservices.tcpRoutes.setIamPolicy

networkservices.tlsRoutes.list

notebooks.environments.getIamPolicy

notebooks.environments.list

notebooks.environments.setIamPolicy

notebooks.executions.getIamPolicy

notebooks.executions.list

notebooks.executions.setIamPolicy

notebooks.instances.getIamPolicy

notebooks.instances.list

notebooks.instances.setIamPolicy

notebooks.locations.list

notebooks.operations.list

notebooks.runtimes.getIamPolicy

notebooks.runtimes.list

notebooks.runtimes.setIamPolicy

notebooks.schedules.getIamPolicy

notebooks.schedules.list

notebooks.schedules.setIamPolicy

ondemandscanning.operations.list

opsconfigmonitoring.resourceMetadata.list

orgpolicy.constraints.list

orgpolicy.customConstraints.list

orgpolicy.policies.list

osconfig.guestPolicies.list

osconfig.instanceOSPoliciesCompliances.list

osconfig.inventories.list

osconfig.osPolicyAssignmentReports.list

osconfig.osPolicyAssignments.list

osconfig.patchDeployments.list

osconfig.patchJobs.list

osconfig.upgradeReports.list

osconfig.vulnerabilityReports.list

paymentsresellersubscription.products.list

paymentsresellersubscription.promotions.list

policyremediatormanager.locations.list

policyremediatormanager.operations.list

policysimulator.orgPolicyViolations.list

policysimulator.orgPolicyViolationsPreviews.list

policysimulator.replayResults.list

policysimulator.replays.*

privateca.caPools.getIamPolicy

privateca.caPools.list

privateca.caPools.setIamPolicy

privateca.certificateAuthorities.getIamPolicy

privateca.certificateAuthorities.list

privateca.certificateAuthorities.setIamPolicy

privateca.certificateRevocationLists.getIamPolicy

privateca.certificateRevocationLists.list

privateca.certificateRevocationLists.setIamPolicy

privateca.certificateTemplates.getIamPolicy

privateca.certificateTemplates.list

privateca.certificateTemplates.setIamPolicy

privateca.certificates.getIamPolicy

privateca.certificates.list

privateca.certificates.setIamPolicy

privateca.locations.list

privateca.operations.list

privateca.reusableConfigs.getIamPolicy

privateca.reusableConfigs.list

privateca.reusableConfigs.setIamPolicy

privilegedaccessmanager.entitlements.list

privilegedaccessmanager.entitlements.setIamPolicy

privilegedaccessmanager.grants.list

privilegedaccessmanager.locations.list

privilegedaccessmanager.operations.list

proximitybeacon.attachments.list

proximitybeacon.beacons.getIamPolicy

proximitybeacon.beacons.list

proximitybeacon.beacons.setIamPolicy

proximitybeacon.namespaces.getIamPolicy

proximitybeacon.namespaces.list

proximitybeacon.namespaces.setIamPolicy

pubsub.schemas.getIamPolicy

pubsub.schemas.list

pubsub.schemas.setIamPolicy

pubsub.snapshots.getIamPolicy

pubsub.snapshots.list

pubsub.snapshots.setIamPolicy

pubsub.subscriptions.getIamPolicy

pubsub.subscriptions.list

pubsub.subscriptions.setIamPolicy

pubsub.topics.getIamPolicy

pubsub.topics.list

pubsub.topics.setIamPolicy

pubsublite.operations.list

pubsublite.reservations.list

pubsublite.subscriptions.list

pubsublite.topics.list

recaptchaenterprise.keys.list

recaptchaenterprise.relatedaccountgroupmemberships.list

recaptchaenterprise.relatedaccountgroups.list

recommender.bigqueryCapacityCommitmentsInsights.list

recommender.bigqueryCapacityCommitmentsRecommendations.list

recommender.bigqueryMaterializedViewInsights.list

recommender.bigqueryMaterializedViewRecommendations.list

recommender.bigqueryPartitionClusterRecommendations.list

recommender.bigqueryTableStatsInsights.list

recommender.cloudAssetInsights.list

recommender.cloudCostGeneralInsights.list

recommender.cloudCostGeneralRecommendations.list

recommender.cloudDeprecationGeneralInsights.list

recommender.cloudDeprecationGeneralRecommendations.list

recommender.cloudFunctionsPerformanceInsights.list

recommender.cloudFunctionsPerformanceRecommendations.list

recommender.cloudManageabilityGeneralInsights.list

recommender.cloudManageabilityGeneralRecommendations.list

recommender.cloudPerformanceGeneralInsights.list

recommender.cloudPerformanceGeneralRecommendations.list

recommender.cloudRecentChangeInsights.list

recommender.cloudRecentChangeRecommendations.list

recommender.cloudReliabilityGeneralInsights.list

recommender.cloudReliabilityGeneralRecommendations.list

recommender.cloudSecurityGeneralInsights.list

recommender.cloudSecurityGeneralRecommendations.list

recommender.cloudsqlIdleInstanceRecommendations.list

recommender.cloudsqlInstanceActivityInsights.list

recommender.cloudsqlInstanceCpuUsageInsights.list

recommender.cloudsqlInstanceDiskUsageTrendInsights.list

recommender.cloudsqlInstanceMemoryUsageInsights.list

recommender.cloudsqlInstanceOomProbabilityInsights.list

recommender.cloudsqlInstanceOutOfDiskRecommendations.list

recommender.cloudsqlInstancePerformanceInsights.list

recommender.cloudsqlInstancePerformanceRecommendations.list

recommender.cloudsqlInstanceReliabilityInsights.list

recommender.cloudsqlInstanceReliabilityRecommendations.list

recommender.cloudsqlInstanceSecurityInsights.list

recommender.cloudsqlInstanceSecurityRecommendations.list

recommender.cloudsqlInstanceUnderprovisionedCpuUsageInsights.list

recommender.cloudsqlInstanceUnderprovisionedMemoryUsageInsights.list

recommender.cloudsqlOverprovisionedInstanceRecommendations.list

recommender.cloudsqlUnderProvisionedInstanceRecommendations.list

recommender.commitmentUtilizationInsights.list

recommender.computeAddressIdleResourceInsights.list

recommender.computeAddressIdleResourceRecommendations.list

recommender.computeDiskIdleResourceInsights.list

recommender.computeDiskIdleResourceRecommendations.list

recommender.computeFirewallInsights.list

recommender.computeImageIdleResourceInsights.list

recommender.computeImageIdleResourceRecommendations.list

recommender.computeInstanceCpuUsageInsights.list

recommender.computeInstanceCpuUsagePredictionInsights.list

recommender.computeInstanceCpuUsageTrendInsights.list

recommender.computeInstanceGroupManagerCpuUsageInsights.list

recommender.computeInstanceGroupManagerCpuUsagePredictionInsights.list

recommender.computeInstanceGroupManagerCpuUsageTrendInsights.list

recommender.computeInstanceGroupManagerMachineTypeRecommendations.list

recommender.computeInstanceGroupManagerMemoryUsageInsights.list

recommender.computeInstanceGroupManagerMemoryUsagePredictionInsights.list

recommender.computeInstanceIdleResourceRecommendations.list

recommender.computeInstanceMachineTypeRecommendations.list

recommender.computeInstanceMemoryUsageInsights.list

recommender.computeInstanceMemoryUsagePredictionInsights.list

recommender.computeInstanceNetworkThroughputInsights.list

recommender.containerDiagnosisInsights.list

recommender.containerDiagnosisRecommendations.list

recommender.costInsights.list

recommender.dataflowDiagnosticsInsights.list

recommender.errorReportingInsights.list

recommender.errorReportingRecommendations.list

recommender.gmpGuidedExperienceInsights.list

recommender.gmpGuidedExperienceRecommendations.list

recommender.gmpProjectManagementInsights.list

recommender.gmpProjectManagementRecommendations.list

recommender.gmpProjectProductSuggestionsInsights.list

recommender.gmpProjectProductSuggestionsRecommendations.list

recommender.gmpProjectQuotaInsights.list

recommender.gmpProjectQuotaRecommendations.list

recommender.iamPolicyChangeRiskInsights.list

recommender.iamPolicyChangeRiskRecommendations.list

recommender.iamPolicyInsights.list

recommender.iamPolicyLateralMovementInsights.list

recommender.iamPolicyRecommendations.list

recommender.iamServiceAccountChangeRiskInsights.list

recommender.iamServiceAccountChangeRiskRecommendations.list

recommender.iamServiceAccountInsights.list

recommender.locations.list

recommender.loggingProductSuggestionContainerInsights.list

recommender.loggingProductSuggestionContainerRecommendations.list

recommender.monitoringProductSuggestionComputeInsights.list

recommender.monitoringProductSuggestionComputeRecommendations.list

recommender.networkAnalyzerCloudSqlInsights.list

recommender.networkAnalyzerDynamicRouteInsights.list

recommender.networkAnalyzerGkeConnectivityInsights.list

recommender.networkAnalyzerGkeIpAddressInsights.list

recommender.networkAnalyzerGkeServiceAccountInsights.list

recommender.networkAnalyzerIpAddressInsights.list

recommender.networkAnalyzerLoadBalancerInsights.list

recommender.networkAnalyzerVpcConnectivityInsights.list

recommender.resourcemanagerProjectChangeRiskInsights.list

recommender.resourcemanagerProjectChangeRiskRecommendations.list

recommender.resourcemanagerProjectUtilizationInsights.list

recommender.resourcemanagerProjectUtilizationRecommendations.list

recommender.resourcemanagerServiceLimitInsights.list

recommender.resourcemanagerServiceLimitRecommendations.list

recommender.runServiceCostInsights.list

recommender.runServiceCostRecommendations.list

recommender.runServiceIdentityInsights.list

recommender.runServiceIdentityRecommendations.list

recommender.runServicePerformanceInsights.list

recommender.runServicePerformanceRecommendations.list

recommender.runServiceSecurityInsights.list

recommender.runServiceSecurityRecommendations.list

recommender.spendBasedCommitmentInsights.list

recommender.spendBasedCommitmentRecommendations.list

recommender.usageCommitmentRecommendations.list

redis.clusters.list

redis.instances.list

redis.locations.list

redis.operations.list

remotebuildexecution.instances.list

remotebuildexecution.workerpools.list

resourcemanager.folders.getIamPolicy

resourcemanager.folders.list

resourcemanager.folders.setIamPolicy

resourcemanager.hierarchyNodes.listTagBindings

resourcemanager.organizations.getIamPolicy

resourcemanager.organizations.setIamPolicy

resourcemanager.projects.getIamPolicy

resourcemanager.projects.list

resourcemanager.projects.setIamPolicy

resourcemanager.tagHolds.list

resourcemanager.tagKeys.getIamPolicy

resourcemanager.tagKeys.list

resourcemanager.tagKeys.setIamPolicy

resourcemanager.tagValues.getIamPolicy

resourcemanager.tagValues.list

resourcemanager.tagValues.setIamPolicy

resourcesettings.settings.list

retail.catalogs.list

retail.controls.list

retail.experiments.list

retail.models.list

retail.operations.list

retail.products.list

retail.servingConfigs.list

riskmanager.controlScoreBreakdowns.list

riskmanager.operations.list

riskmanager.policies.list

riskmanager.reports.list

rma.collectors.list

rma.locations.list

rma.operations.list

run.configurations.list

run.executions.list

run.jobs.getIamPolicy

run.jobs.list

run.jobs.setIamPolicy

run.locations.list

run.operations.list

run.revisions.list

run.routes.list

run.services.getIamPolicy

run.services.list

run.services.setIamPolicy

run.tasks.list

runapps.applications.list

runapps.deployments.list

runapps.locations.list

runapps.operations.list

runtimeconfig.configs.getIamPolicy

runtimeconfig.configs.list

runtimeconfig.configs.setIamPolicy

runtimeconfig.operations.list

runtimeconfig.variables.getIamPolicy

runtimeconfig.variables.list

runtimeconfig.variables.setIamPolicy

runtimeconfig.waiters.getIamPolicy

runtimeconfig.waiters.list

runtimeconfig.waiters.setIamPolicy

secretmanager.locations.list

secretmanager.secrets.getIamPolicy

secretmanager.secrets.list

secretmanager.secrets.setIamPolicy

secretmanager.versions.list

securedlandingzone.overwatches.list

securesourcemanager.instances.getIamPolicy

securesourcemanager.instances.list

securesourcemanager.instances.setIamPolicy

securesourcemanager.locations.list

securesourcemanager.operations.list

securesourcemanager.repositories.getIamPolicy

securesourcemanager.repositories.list

securesourcemanager.repositories.setIamPolicy

securesourcemanager.sshkeys.list

securitycenter.assets.list

securitycenter.attackpaths.list

securitycenter.bigQueryExports.list

securitycenter.compliancesnapshots.list

securitycenter.effectivesecurityhealthanalyticscustommodules.list

securitycenter.findings.list

securitycenter.muteconfigs.list

securitycenter.notificationconfig.list

securitycenter.resourcevalueconfigs.list

securitycenter.securityhealthanalyticscustommodules.list

securitycenter.sources.getIamPolicy

securitycenter.sources.list

securitycenter.sources.setIamPolicy

securitycenter.valuedresources.list

securitycentermanagement.effectiveEventThreatDetectionCustomModules.list

securitycentermanagement.effectiveSecurityHealthAnalyticsCustomModules.list

securitycentermanagement.eventThreatDetectionCustomModules.list

securitycentermanagement.locations.list

securitycentermanagement.securityHealthAnalyticsCustomModules.list

securityposture.locations.list

securityposture.operations.list

securityposture.postureDeployments.list

securityposture.postureTemplates.list

securityposture.postures.list

servicebroker.bindingoperations.list

servicebroker.bindings.getIamPolicy

servicebroker.bindings.list

servicebroker.bindings.setIamPolicy

servicebroker.catalogs.getIamPolicy

servicebroker.catalogs.list

servicebroker.catalogs.setIamPolicy

servicebroker.instanceoperations.list

servicebroker.instances.getIamPolicy

servicebroker.instances.list

servicebroker.instances.setIamPolicy

serviceconsumermanagement.tenancyu.list

servicedirectory.endpoints.getIamPolicy

servicedirectory.endpoints.list

servicedirectory.endpoints.setIamPolicy

servicedirectory.locations.list

servicedirectory.namespaces.getIamPolicy

servicedirectory.namespaces.list

servicedirectory.namespaces.setIamPolicy

servicedirectory.services.getIamPolicy

servicedirectory.services.list

servicedirectory.services.setIamPolicy

servicehealth.events.list

servicehealth.locations.list

servicehealth.organizationEvents.list

servicehealth.organizationImpacts.list

servicemanagement.services.getIamPolicy

servicemanagement.services.list

servicemanagement.services.setIamPolicy

servicenetworking.operations.list

servicesecurityinsights.clusterSecurityInfo.list

servicesecurityinsights.securityInfo.list

servicesecurityinsights.workloadPolicies.list

serviceusage.operations.list

serviceusage.services.list

source.repos.getIamPolicy

source.repos.list

source.repos.setIamPolicy

spanner.backupOperations.list

spanner.backups.getIamPolicy

spanner.backups.list

spanner.backups.setIamPolicy

spanner.databaseOperations.list

spanner.databaseRoles.list

spanner.databases.getIamPolicy

spanner.databases.list

spanner.databases.setIamPolicy

spanner.instanceConfigOperations.list

spanner.instanceConfigs.list

spanner.instanceOperations.list

spanner.instances.getIamPolicy

spanner.instances.list

spanner.instances.setIamPolicy

spanner.sessions.list

speakerid.phrases.list

speakerid.speakers.list

speech.customClasses.list

speech.locations.list

speech.operations.list

speech.phraseSets.list

speech.recognizers.list

stackdriver.resourceMetadata.list

storage.anywhereCaches.list

storage.bucketOperations.list

storage.buckets.getIamPolicy

storage.buckets.list

storage.buckets.setIamPolicy

storage.hmacKeys.list

storage.managedFolders.getIamPolicy

storage.managedFolders.list

storage.managedFolders.setIamPolicy

storage.multipartUploads.list

storage.objects.getIamPolicy

storage.objects.list

storage.objects.setIamPolicy

storageinsights.datasetConfigs.list

storageinsights.locations.list

storageinsights.operations.list

storageinsights.reportConfigs.list

storageinsights.reportDetails.list

storagetransfer.agentpools.list

storagetransfer.jobs.list

storagetransfer.operations.list

stream.locations.list

stream.operations.list

stream.streamContents.list

stream.streamInstances.list

telcoautomation.blueprints.list

telcoautomation.deployments.list

telcoautomation.edgeSlms.list

telcoautomation.hydratedDeployments.list

telcoautomation.locations.list

telcoautomation.operations.list

telcoautomation.orchestrationClusters.list

telcoautomation.publicBlueprints.list

timeseriesinsights.datasets.list

timeseriesinsights.locations.list

tpu.acceleratortypes.list

tpu.locations.list

tpu.nodes.list

tpu.operations.list

tpu.runtimeversions.list

tpu.tensorflowversions.list

transcoder.jobTemplates.list

transcoder.jobs.list

transferappliance.appliances.list

transferappliance.locations.list

transferappliance.operations.list

transferappliance.orders.list

transferappliance.savedAddresses.list

translationhub.portals.list

videostitcher.cdnKeys.list

videostitcher.liveAdTagDetails.list

videostitcher.liveConfigs.list

videostitcher.slates.list

videostitcher.vodAdTagDetails.list

videostitcher.vodStitchDetails.list

visionai.analyses.getIamPolicy

visionai.analyses.list

visionai.analyses.setIamPolicy

visionai.annotations.list

visionai.applications.list

visionai.assets.list

visionai.clusters.getIamPolicy

visionai.clusters.list

visionai.clusters.setIamPolicy

visionai.corpora.list

visionai.dataSchemas.list

visionai.drafts.list

visionai.events.getIamPolicy

visionai.events.list

visionai.events.setIamPolicy

visionai.indexEndpoints.list

visionai.indexes.list

visionai.instances.list

visionai.locations.list

visionai.operations.list

visionai.operators.getIamPolicy

visionai.operators.list

visionai.operators.setIamPolicy

visionai.processors.list

visionai.searchConfigs.list

visionai.series.getIamPolicy

visionai.series.list

visionai.series.setIamPolicy

visionai.streams.getIamPolicy

visionai.streams.list

visionai.streams.setIamPolicy

visionai.uistreams.list

visualinspection.annotationSets.list

visualinspection.annotationSpecs.list

visualinspection.annotations.list

visualinspection.datasets.list

visualinspection.images.list

visualinspection.locations.list

visualinspection.modelEvaluations.list

visualinspection.models.list

visualinspection.modules.list

visualinspection.operations.list

visualinspection.solutionArtifacts.list

visualinspection.solutions.list

vmmigration.cloneJobs.list

vmmigration.cutoverJobs.list

vmmigration.datacenterConnectors.list

vmmigration.deployments.list

vmmigration.groups.list

vmmigration.locations.list

vmmigration.migratingVms.list

vmmigration.operations.list

vmmigration.replicationCycles.list

vmmigration.sources.list

vmmigration.targets.list

vmmigration.utilizationReports.list

vmwareengine.clusters.getIamPolicy

vmwareengine.clusters.list

vmwareengine.clusters.setIamPolicy

vmwareengine.externalAccessRules.list

vmwareengine.externalAddresses.list

vmwareengine.hcxActivationKeys.getIamPolicy

vmwareengine.hcxActivationKeys.list

vmwareengine.hcxActivationKeys.setIamPolicy

vmwareengine.locations.list

vmwareengine.loggingServers.list

vmwareengine.managementDnsZoneBindings.list

vmwareengine.networkPeerings.list

vmwareengine.networkPolicies.list

vmwareengine.nodeTypes.list

vmwareengine.nodes.list

vmwareengine.operations.list

vmwareengine.privateClouds.getIamPolicy

vmwareengine.privateClouds.list

vmwareengine.privateClouds.setIamPolicy

vmwareengine.privateConnections.list

vmwareengine.subnets.list

vmwareengine.vmwareEngineNetworks.list

vpcaccess.connectors.list

vpcaccess.locations.list

vpcaccess.operations.list

workflows.callbacks.list

workflows.executions.list

workflows.locations.list

workflows.operations.list

workflows.stepEntries.list

workflows.workflows.list

workloadcertificate.locations.list

workloadcertificate.operations.list

workloadcertificate.workloadRegistrations.list

workloadmanager.actuations.list

workloadmanager.deployments.list

workloadmanager.evaluations.list

workloadmanager.executions.list

workloadmanager.locations.list

workloadmanager.operations.list

workloadmanager.results.list

workloadmanager.rules.list

workstations.workstationClusters.list

workstations.workstationConfigs.getIamPolicy

workstations.workstationConfigs.list

workstations.workstationConfigs.setIamPolicy

workstations.workstations.getIamPolicy

workstations.workstations.list

workstations.workstations.setIamPolicy

(roles/iam.securityReviewer)

Provides permissions to list all resources and allow policies on them.

accessapproval.requests.list

accesscontextmanager.accessLevels.list

accesscontextmanager.authorizedOrgsDescs.list

accesscontextmanager.gcpUserAccessBindings.list

accesscontextmanager.policies.getIamPolicy

accesscontextmanager.policies.list

accesscontextmanager.servicePerimeters.list

actions.agentVersions.list

advisorynotifications.notifications.*

aiplatform.annotationSpecs.list

aiplatform.annotations.list

aiplatform.artifacts.list

aiplatform.batchPredictionJobs.list

aiplatform.contexts.list

aiplatform.customJobs.list

aiplatform.dataItems.list

aiplatform.dataLabelingJobs.list

aiplatform.datasetVersions.list

aiplatform.datasets.list

aiplatform.deploymentResourcePools.list

aiplatform.edgeDeploymentJobs.list

aiplatform.edgeDevices.list

aiplatform.endpoints.getIamPolicy

aiplatform.endpoints.list

aiplatform.entityTypes.getIamPolicy

aiplatform.entityTypes.list

aiplatform.executions.list

aiplatform.featureGroups.list

aiplatform.featureOnlineStores.list

aiplatform.featureViewSyncs.list

aiplatform.featureViews.list

aiplatform.features.list

aiplatform.featurestores.getIamPolicy

aiplatform.featurestores.list

aiplatform.humanInTheLoops.list

aiplatform.hyperparameterTuningJobs.list

aiplatform.indexEndpoints.list

aiplatform.indexes.list

aiplatform.locations.list

aiplatform.metadataSchemas.list

aiplatform.metadataStores.list

aiplatform.modelDeploymentMonitoringJobs.list

aiplatform.modelEvaluationSlices.list

aiplatform.modelEvaluations.list

aiplatform.models.list

aiplatform.nasJobs.list

aiplatform.nasTrialDetails.list

aiplatform.notebookRuntimeTemplates.getIamPolicy

aiplatform.notebookRuntimeTemplates.list

aiplatform.notebookRuntimes.list

aiplatform.operations.list

aiplatform.persistentResources.list

aiplatform.pipelineJobs.list

aiplatform.schedules.list

aiplatform.specialistPools.list

aiplatform.studies.list

aiplatform.tensorboardExperiments.list

aiplatform.tensorboardRuns.list

aiplatform.tensorboardTimeSeries.list

aiplatform.tensorboards.list

aiplatform.trainingPipelines.list

aiplatform.trials.list

alloydb.backups.list

alloydb.clusters.list

alloydb.databases.list

alloydb.instances.list

alloydb.locations.list

alloydb.operations.list

alloydb.supportedDatabaseFlags.list

alloydb.users.list

analyticshub.dataExchanges.getIamPolicy

analyticshub.dataExchanges.list

analyticshub.listings.getIamPolicy

analyticshub.listings.list

analyticshub.subscriptions.list

apigateway.apiconfigs.getIamPolicy

apigateway.apiconfigs.list

apigateway.apis.getIamPolicy

apigateway.apis.list

apigateway.gateways.getIamPolicy

apigateway.gateways.list

apigateway.locations.list

apigateway.operations.list

apigee.apiproductattributes.list

apigee.apiproducts.list

apigee.appgroupapps.list

apigee.appgroups.list

apigee.apps.list

apigee.archivedeployments.list

apigee.caches.list

apigee.datacollectors.list

apigee.datastores.list

apigee.deployments.list

apigee.developerappattributes.list

apigee.developerapps.list

apigee.developerattributes.list

apigee.developers.list

apigee.developersubscriptions.list

apigee.endpointattachments.list

apigee.envgroupattachments.list

apigee.envgroups.list

apigee.environments.getIamPolicy

apigee.environments.list

apigee.exports.list

apigee.flowhooks.list

apigee.hostqueries.list

apigee.hostsecurityreports.list

apigee.instanceattachments.list

apigee.instances.list

apigee.keystorealiases.list

apigee.keystores.list

apigee.keyvaluemapentries.list

apigee.keyvaluemaps.list

apigee.nataddresses.list

apigee.operations.list

apigee.organizations.list

apigee.portals.list

apigee.proxies.list

apigee.proxyrevisions.list

apigee.queries.list

apigee.rateplans.list

apigee.references.list

apigee.reports.list

apigee.resourcefiles.list

apigee.securityActions.list

apigee.securityFeedback.list

apigee.securityIncidents.list

apigee.securityProfiles.list

apigee.securityreports.list

apigee.sharedflowrevisions.list

apigee.sharedflows.list

apigee.targetservers.list

apigee.traceconfigoverrides.list

apigee.tracesessions.list

apigeeconnect.connections.list

apigeeregistry.apis.getIamPolicy

apigeeregistry.apis.list

apigeeregistry.artifacts.getIamPolicy

apigeeregistry.artifacts.list

apigeeregistry.deployments.list

apigeeregistry.locations.list

apigeeregistry.operations.list

apigeeregistry.specs.getIamPolicy

apigeeregistry.specs.list

apigeeregistry.versions.getIamPolicy

apigeeregistry.versions.list

apikeys.keys.list

appengine.instances.list

appengine.memcache.list

appengine.operations.list

appengine.services.list

appengine.versions.list

apphub.applications.getIamPolicy

apphub.applications.list

apphub.discoveredServices.list

apphub.discoveredWorkloads.list

apphub.locations.list

apphub.operations.list

apphub.serviceProjectAttachments.list

apphub.services.list

apphub.workloads.list

applianceactivation.rttCommands.list

artifactregistry.dockerimages.list

artifactregistry.files.list

artifactregistry.locations.list

artifactregistry.mavenartifacts.list

artifactregistry.npmpackages.list

artifactregistry.packages.list

artifactregistry.pythonpackages.list

artifactregistry.repositories.getIamPolicy

artifactregistry.repositories.list

artifactregistry.tags.list

artifactregistry.versions.list

assuredoss.locations.list

assuredoss.metadata.list

assuredoss.operations.list

assuredworkloads.operations.list

assuredworkloads.violations.list

assuredworkloads.workload.list

auditmanager.locations.list

auditmanager.operations.list

automl.annotationSpecs.list

automl.annotations.list

automl.columnSpecs.list

automl.datasets.getIamPolicy

automl.datasets.list

automl.examples.list

automl.files.list

automl.humanAnnotationTasks.list

automl.locations.getIamPolicy

automl.locations.list

automl.modelEvaluations.list

automl.models.getIamPolicy

automl.models.list

automl.operations.list

automl.tableSpecs.list

automlrecommendations.apiKeys.list

automlrecommendations.catalogItems.list

automlrecommendations.catalogs.list

automlrecommendations.eventStores.list

automlrecommendations.events.list

automlrecommendations.placements.list

automlrecommendations.recommendations.list

autoscaling.sites.getIamPolicy

backupdr.locations.list

backupdr.managementServers.getIamPolicy

backupdr.managementServers.list

backupdr.operations.list

baremetalsolution.instancequotas.list

baremetalsolution.instances.list

baremetalsolution.luns.list

baremetalsolution.maintenanceevents.list

baremetalsolution.networkquotas.list

baremetalsolution.networks.list

baremetalsolution.nfsshares.list

baremetalsolution.osimages.list

baremetalsolution.procurements.list

baremetalsolution.skus.list

baremetalsolution.snapshotschedulepolicies.list

baremetalsolution.sshKeys.list

baremetalsolution.storageaggregatepools.list

baremetalsolution.volumequotas.list

baremetalsolution.volumes.list

baremetalsolution.volumesnapshots.list

batch.jobs.list

batch.locations.list

batch.operations.list

batch.tasks.list

beyondcorp.appConnections.getIamPolicy

beyondcorp.appConnections.list

beyondcorp.appConnectors.getIamPolicy

beyondcorp.appConnectors.list

beyondcorp.appGateways.getIamPolicy

beyondcorp.appGateways.list

beyondcorp.clientConnectorServices.getIamPolicy

beyondcorp.clientConnectorServices.list

beyondcorp.clientGateways.getIamPolicy

beyondcorp.clientGateways.list

beyondcorp.locations.list

beyondcorp.operations.list

beyondcorp.partnerTenants.list

beyondcorp.proxyConfigs.list

beyondcorp.subscriptions.list

biglake.catalogs.list

biglake.databases.list

biglake.locks.list

biglake.tables.list

bigquery.capacityCommitments.list

bigquery.connections.getIamPolicy

bigquery.connections.list

bigquery.dataPolicies.getIamPolicy

bigquery.dataPolicies.list

bigquery.datasets.getIamPolicy

bigquery.jobs.list

bigquery.models.list

bigquery.reservationAssignments.list

bigquery.reservations.list

bigquery.routines.list

bigquery.rowAccessPolicies.getIamPolicy

bigquery.rowAccessPolicies.list

bigquery.savedqueries.list

bigquery.tables.getIamPolicy

bigquery.tables.list

bigquerymigration.locations.list

bigquerymigration.subtasks.list

bigquerymigration.workflows.list

bigtable.appProfiles.list

bigtable.backups.getIamPolicy

bigtable.backups.list

bigtable.clusters.list

bigtable.hotTablets.list

bigtable.instances.getIamPolicy

bigtable.instances.list

bigtable.keyvisualizer.list

bigtable.locations.list

bigtable.tables.getIamPolicy

bigtable.tables.list

billing.accounts.getIamPolicy

billing.accounts.list

billing.billingAccountPrices.list

billing.billingAccountServices.list

billing.billingAccountSkuGroupSkus.list

billing.billingAccountSkuGroups.list

billing.billingAccountSkus.list

billing.budgets.list

billing.credits.list

billing.resourceAssociations.list

billing.subscriptions.list

binaryauthorization.attestors.getIamPolicy

binaryauthorization.attestors.list

binaryauthorization.continuousValidationConfig.getIamPolicy

binaryauthorization.platformPolicies.list

binaryauthorization.policy.getIamPolicy

blockchainnodeengine.blockchainNodes.list

blockchainnodeengine.locations.list

blockchainnodeengine.operations.list

capacityplanner.forecasts.list

capacityplanner.usageHistories.list

carestudio.patients.list

certificatemanager.certissuanceconfigs.list

certificatemanager.certmapentries.getIamPolicy

certificatemanager.certmapentries.list

certificatemanager.certmaps.getIamPolicy

certificatemanager.certmaps.list

certificatemanager.certs.getIamPolicy

certificatemanager.certs.list

certificatemanager.dnsauthorizations.getIamPolicy

certificatemanager.dnsauthorizations.list

certificatemanager.locations.list

certificatemanager.operations.list

certificatemanager.trustconfigs.list

chronicle.analyticValues.list

chronicle.analytics.list

chronicle.collectors.list

chronicle.conversations.list

chronicle.curatedRuleSetCategories.list

chronicle.curatedRuleSetDeployments.list

chronicle.curatedRuleSets.list

chronicle.curatedRules.list

chronicle.dashboards.list

chronicle.dataAccessLabels.list

chronicle.dataAccessScopes.list

chronicle.dataTaps.list

chronicle.entities.list

chronicle.errorNotificationConfigs.list

chronicle.extensionValidationReports.list

chronicle.feedSourceTypeSchemas.list

chronicle.feeds.list

chronicle.findingsRefinementDeployments.list

chronicle.findingsRefinements.list

chronicle.forwarders.list

chronicle.iocMatches.list

chronicle.logTypeSchemas.list

chronicle.logTypes.list

chronicle.logs.list

chronicle.messages.list

chronicle.operations.list

chronicle.parserExtensions.list

chronicle.parsers.list

chronicle.parsingErrors.list

chronicle.referenceLists.list

chronicle.retrohunts.list

chronicle.ruleDeployments.list

chronicle.ruleExecutionErrors.list

chronicle.rules.list

chronicle.searchQueries.list

chronicle.validationErrors.list

chronicle.watchlists.list

clientauthconfig.brands.list

clientauthconfig.clients.list

cloud.locations.list

cloudasset.feeds.list

cloudasset.savedqueries.list

cloudbuild.builds.list

cloudbuild.connections.getIamPolicy

cloudbuild.connections.list

cloudbuild.integrations.list

cloudbuild.operations.list

cloudbuild.repositories.list

cloudbuild.workerpools.list

cloudcontrolspartner.accessapprovalrequests.list

cloudcontrolspartner.customers.list

cloudcontrolspartner.violations.list

cloudcontrolspartner.workloads.list

clouddebugger.breakpoints.list

clouddebugger.debuggees.list

clouddeploy.automationRuns.list

clouddeploy.automations.list

clouddeploy.customTargetTypes.getIamPolicy

clouddeploy.customTargetTypes.list

clouddeploy.deliveryPipelines.getIamPolicy

clouddeploy.deliveryPipelines.list

clouddeploy.jobRuns.list

clouddeploy.locations.list

clouddeploy.operations.list

clouddeploy.releases.list

clouddeploy.rollouts.list

clouddeploy.targets.getIamPolicy

clouddeploy.targets.list

cloudfunctions.functions.getIamPolicy

cloudfunctions.functions.list

cloudfunctions.locations.list

cloudfunctions.operations.list

cloudiot.devices.list

cloudiot.registries.getIamPolicy

cloudiot.registries.list

cloudjobdiscovery.companies.list

cloudkms.cryptoKeyVersions.list

cloudkms.cryptoKeys.getIamPolicy

cloudkms.cryptoKeys.list

cloudkms.ekmConfigs.getIamPolicy

cloudkms.ekmConnections.getIamPolicy

cloudkms.ekmConnections.list

cloudkms.importJobs.getIamPolicy

cloudkms.importJobs.list

cloudkms.keyRings.getIamPolicy

cloudkms.keyRings.list

cloudkms.locations.list

cloudnotifications.activities.list

cloudonefs.isiloncloud.com/clusters.list

cloudonefs.isiloncloud.com/fileshares.list

cloudprivatecatalogproducer.associations.list

cloudprivatecatalogproducer.catalogAssociations.list

cloudprivatecatalogproducer.catalogs.getIamPolicy

cloudprivatecatalogproducer.catalogs.list

cloudprivatecatalogproducer.producerCatalogs.getIamPolicy

cloudprivatecatalogproducer.producerCatalogs.list

cloudprivatecatalogproducer.products.getIamPolicy

cloudprivatecatalogproducer.products.list

cloudprofiler.profiles.list

cloudscheduler.jobs.list

cloudscheduler.locations.list

cloudsecurityscanner.crawledurls.list

cloudsecurityscanner.results.list

cloudsecurityscanner.scanruns.list

cloudsecurityscanner.scans.list

cloudsql.backupRuns.list

cloudsql.databases.list

cloudsql.instances.list

cloudsql.sslCerts.list

cloudsql.users.list

cloudsupport.accounts.getIamPolicy

cloudsupport.accounts.list

cloudsupport.techCases.list

cloudtasks.locations.list

cloudtasks.queues.getIamPolicy

cloudtasks.queues.list

cloudtasks.tasks.list

cloudtestservice.devicesession.list

cloudtoolresults.executions.list

cloudtoolresults.histories.list

cloudtoolresults.steps.list

cloudtrace.insights.list

cloudtrace.tasks.list

cloudtrace.traces.list

cloudtranslate.adaptiveMtDatasets.list

cloudtranslate.adaptiveMtFiles.list

cloudtranslate.adaptiveMtSentences.list

cloudtranslate.customModels.list

cloudtranslate.datasets.list

cloudtranslate.glossaries.list

cloudtranslate.glossaryentries.list

cloudtranslate.locations.list

cloudtranslate.operations.list

cloudvolumesgcp-api.netapp.com/activeDirectories.list

cloudvolumesgcp-api.netapp.com/ipRanges.list

cloudvolumesgcp-api.netapp.com/jobs.list

cloudvolumesgcp-api.netapp.com/regions.list

cloudvolumesgcp-api.netapp.com/serviceLevels.list

cloudvolumesgcp-api.netapp.com/snapshots.list

cloudvolumesgcp-api.netapp.com/volumereplication.list

cloudvolumesgcp-api.netapp.com/volumes.list

commerceagreementpublishing.agreements.list

commerceagreementpublishing.documents.list

commercebusinessenablement.operations.list

commercebusinessenablement.partnerAccounts.list

commercebusinessenablement.refunds.list

commercebusinessenablement.resellerDiscountOffers.list

commercebusinessenablement.resellerPrivateOfferPlans.list

commercebusinessenablement.resellerRestrictions.list

commerceoffercatalog.agreements.list

commerceoffercatalog.documents.list

commerceorggovernance.collections.list

commerceorggovernance.populateCollectionJobs.list

commerceorggovernance.services.list

commerceprice.events.list

commerceprice.privateoffers.list

composer.dags.list

composer.environments.list

composer.imageversions.list

composer.operations.list

composer.userworkloadsconfigmaps.list

composer.userworkloadssecrets.list

compute.acceleratorTypes.list

compute.addresses.list

compute.autoscalers.list

compute.backendBuckets.getIamPolicy

compute.backendBuckets.list

compute.backendServices.getIamPolicy

compute.backendServices.list

compute.commitments.list

compute.diskTypes.list

compute.disks.getIamPolicy

compute.disks.list

compute.externalVpnGateways.list

compute.firewallPolicies.getIamPolicy

compute.firewallPolicies.list

compute.firewalls.list

compute.forwardingRules.list

compute.futureReservations.getIamPolicy

compute.futureReservations.list

compute.globalAddresses.list

compute.globalForwardingRules.list

compute.globalNetworkEndpointGroups.list

compute.globalOperations.getIamPolicy

compute.globalOperations.list

compute.globalPublicDelegatedPrefixes.list

compute.healthChecks.list

compute.httpHealthChecks.list

compute.httpsHealthChecks.list

compute.images.getIamPolicy

compute.images.list

compute.instanceGroupManagers.list

compute.instanceGroups.list

compute.instanceTemplates.getIamPolicy

compute.instanceTemplates.list

compute.instances.getIamPolicy

compute.instances.list

compute.instantSnapshots.getIamPolicy

compute.instantSnapshots.list

compute.interconnectAttachments.list

compute.interconnectLocations.list

compute.interconnectRemoteLocations.list

compute.interconnects.list

compute.licenseCodes.getIamPolicy

compute.licenseCodes.list

compute.licenses.getIamPolicy

compute.licenses.list

compute.machineImages.getIamPolicy

compute.machineImages.list

compute.machineTypes.list

compute.maintenancePolicies.getIamPolicy

compute.maintenancePolicies.list

compute.networkAttachments.getIamPolicy

compute.networkAttachments.list

compute.networkEdgeSecurityServices.list

compute.networkEndpointGroups.getIamPolicy

compute.networkEndpointGroups.list

compute.networks.list

compute.nodeGroups.getIamPolicy

compute.nodeGroups.list

compute.nodeTemplates.getIamPolicy

compute.nodeTemplates.list

compute.nodeTypes.list

compute.packetMirrorings.list

compute.publicAdvertisedPrefixes.list

compute.publicDelegatedPrefixes.list

compute.regionBackendServices.getIamPolicy

compute.regionBackendServices.list

compute.regionFirewallPolicies.getIamPolicy

compute.regionFirewallPolicies.list

compute.regionHealthCheckServices.list

compute.regionHealthChecks.list

compute.regionNetworkEndpointGroups.list

compute.regionNotificationEndpoints.list

compute.regionOperations.getIamPolicy

compute.regionOperations.list

compute.regionSecurityPolicies.list

compute.regionSslCertificates.list

compute.regionSslPolicies.list

compute.regionTargetHttpProxies.list

compute.regionTargetHttpsProxies.list

compute.regionTargetTcpProxies.list

compute.regionUrlMaps.list

compute.regions.list

compute.reservations.list

compute.resourcePolicies.getIamPolicy

compute.resourcePolicies.list

compute.routers.list

compute.routes.list

compute.securityPolicies.getIamPolicy

compute.securityPolicies.list

compute.serviceAttachments.getIamPolicy

compute.serviceAttachments.list

compute.snapshots.getIamPolicy

compute.snapshots.list

compute.sslCertificates.list

compute.sslPolicies.list

compute.storagePools.getIamPolicy

compute.storagePools.list

compute.subnetworks.getIamPolicy

compute.subnetworks.list

compute.targetGrpcProxies.list

compute.targetHttpProxies.list

compute.targetHttpsProxies.list

compute.targetInstances.list

compute.targetPools.list

compute.targetSslProxies.list

compute.targetTcpProxies.list

compute.targetVpnGateways.list

compute.urlMaps.list

compute.vpnGateways.list

compute.vpnTunnels.list

compute.zoneOperations.getIamPolicy

compute.zoneOperations.list

compute.zones.list

confidentialcomputing.locations.list

config.deployments.getIamPolicy

config.deployments.list

config.locations.list

config.operations.list

config.previews.list

config.resources.list

config.revisions.list

config.terraformversions.list

connectors.actions.list

connectors.connections.getIamPolicy

connectors.connections.list

connectors.connectors.list

connectors.customConnectorVersions.getIamPolicy

connectors.customConnectorVersions.list

connectors.customConnectors.getIamPolicy

connectors.customConnectors.list

connectors.endpointAttachments.getIamPolicy

connectors.endpointAttachments.list

connectors.entities.list

connectors.entityTypes.list

connectors.eventSubscriptions.list

connectors.eventtypes.list

connectors.locations.list

connectors.managedZones.getIamPolicy

connectors.managedZones.list

connectors.operations.list

connectors.providers.list

connectors.versions.list

consumerprocurement.accounts.list

consumerprocurement.consents.list

consumerprocurement.entitlements.list

consumerprocurement.events.list

consumerprocurement.freeTrials.list

consumerprocurement.orderAttributions.list

consumerprocurement.orders.list

contactcenteraiplatform.contactCenters.list

contactcenteraiplatform.locations.list

contactcenteraiplatform.operations.list

contactcenterinsights.analyses.list

contactcenterinsights.conversations.list

contactcenterinsights.faqEntries.list

contactcenterinsights.faqModels.list

contactcenterinsights.issueModels.list

contactcenterinsights.issues.list

contactcenterinsights.operations.list

contactcenterinsights.phraseMatchers.list

contactcenterinsights.views.list

container.apiServices.list

container.auditSinks.list

container.backendConfigs.list

container.bindings.list

container.certificateSigningRequests.list

container.clusterRoleBindings.list

container.clusterRoles.list

container.clusters.list

container.componentStatuses.list

container.configMaps.list

container.controllerRevisions.list

container.cronJobs.list

container.csiDrivers.list

container.csiNodeInfos.list

container.csiNodes.list

container.customResourceDefinitions.list

container.daemonSets.list

container.deployments.list

container.endpointSlices.list

container.endpoints.list

container.events.list

container.frontendConfigs.list

container.horizontalPodAutoscalers.list

container.ingresses.list

container.initializerConfigurations.list

container.jobs.list

container.leases.list

container.limitRanges.list

container.localSubjectAccessReviews.list

container.managedCertificates.list

container.mutatingWebhookConfigurations.list

container.namespaces.list

container.networkPolicies.list

container.nodes.list

container.operations.list

container.persistentVolumeClaims.list

container.persistentVolumes.list

container.petSets.list

container.podDisruptionBudgets.list

container.podPresets.list

container.podSecurityPolicies.list

container.podTemplates.list

container.pods.list

container.priorityClasses.list

container.replicaSets.list

container.replicationControllers.list

container.resourceQuotas.list

container.roleBindings.list

container.roles.list

container.runtimeClasses.list

container.scheduledJobs.list

container.selfSubjectAccessReviews.list

container.serviceAccounts.list

container.services.list

container.statefulSets.list

container.storageClasses.list

container.storageStates.list

container.storageVersionMigrations.list

container.subjectAccessReviews.list

container.thirdPartyObjects.list

container.thirdPartyResources.list

container.updateInfos.list

container.validatingWebhookConfigurations.list

container.volumeAttachments.list

container.volumeSnapshotClasses.list

container.volumeSnapshotContents.list

container.volumeSnapshots.list

containeranalysis.notes.getIamPolicy

containeranalysis.notes.list

containeranalysis.occurrences.getIamPolicy

containeranalysis.occurrences.list

containersecurity.clusterSummaries.list

containersecurity.findings.list

containersecurity.locations.list

containersecurity.workloadConfigAudits.list

contentwarehouse.corpora.list

contentwarehouse.documentSchemas.list

contentwarehouse.documents.getIamPolicy

contentwarehouse.documents.list

contentwarehouse.ruleSets.list

contentwarehouse.synonymSets.list

databaseinsights.locations.list

datacatalog.categories.getIamPolicy

datacatalog.entries.getIamPolicy

datacatalog.entries.list

datacatalog.entryGroups.getIamPolicy

datacatalog.entryGroups.list

datacatalog.operations.list

datacatalog.relationships.list

datacatalog.tagTemplates.getIamPolicy

datacatalog.taxonomies.getIamPolicy

datacatalog.taxonomies.list

dataconnectors.connectors.getIamPolicy

dataconnectors.connectors.list

dataconnectors.locations.list

dataconnectors.operations.list

dataflow.jobs.list

dataflow.messages.list

dataflow.snapshots.list

dataform.compilationResults.list

dataform.locations.list

dataform.releaseConfigs.list

dataform.repositories.getIamPolicy

dataform.repositories.list

dataform.workflowConfigs.list

dataform.workflowInvocations.list

dataform.workspaces.getIamPolicy

dataform.workspaces.list

datafusion.artifacts.list

datafusion.instances.getIamPolicy

datafusion.instances.list

datafusion.locations.list

datafusion.operations.list

datafusion.pipelineConnections.list

datafusion.pipelines.list

datafusion.profiles.list

datafusion.secureKeys.list

datalabeling.annotateddatasets.list

datalabeling.annotationspecsets.list

datalabeling.dataitems.list

datalabeling.datasets.list

datalabeling.examples.list

datalabeling.instructions.list

datalabeling.operations.list

datalineage.events.list

datalineage.processes.list

datalineage.runs.list

datamigration.connectionprofiles.getIamPolicy

datamigration.connectionprofiles.list

datamigration.conversionworkspaces.getIamPolicy

datamigration.conversionworkspaces.list

datamigration.locations.list

datamigration.mappingrules.getIamPolicy

datamigration.migrationjobs.getIamPolicy

datamigration.migrationjobs.list

datamigration.operations.list

datamigration.privateconnections.getIamPolicy

datamigration.privateconnections.list

datapipelines.jobs.list

datapipelines.pipelines.list

dataplex.aspectTypes.getIamPolicy

dataplex.aspectTypes.list

dataplex.assetActions.list

dataplex.assets.getIamPolicy

dataplex.assets.list

dataplex.content.getIamPolicy

dataplex.content.list

dataplex.dataAttributeBindings.getIamPolicy

dataplex.dataAttributeBindings.list

dataplex.dataAttributes.getIamPolicy

dataplex.dataAttributes.list

dataplex.dataTaxonomies.getIamPolicy

dataplex.dataTaxonomies.list

dataplex.datascans.getIamPolicy

dataplex.datascans.list

dataplex.entities.list

dataplex.entries.list

dataplex.entryGroups.getIamPolicy

dataplex.entryGroups.list

dataplex.entryTypes.getIamPolicy

dataplex.entryTypes.list

dataplex.environments.getIamPolicy

dataplex.environments.list

dataplex.lakeActions.list

dataplex.lakes.getIamPolicy

dataplex.lakes.list

dataplex.locations.list

dataplex.operations.list

dataplex.partitions.list

dataplex.tasks.getIamPolicy

dataplex.tasks.list

dataplex.zoneActions.list

dataplex.zones.getIamPolicy

dataplex.zones.list

dataproc.agents.list

dataproc.autoscalingPolicies.getIamPolicy

dataproc.autoscalingPolicies.list

dataproc.batches.list

dataproc.clusters.getIamPolicy

dataproc.clusters.list

dataproc.jobs.getIamPolicy

dataproc.jobs.list

dataproc.operations.getIamPolicy

dataproc.operations.list

dataproc.sessionTemplates.list

dataproc.sessions.list

dataproc.workflowTemplates.getIamPolicy

dataproc.workflowTemplates.list

dataprocessing.datasources.list

dataprocessing.featurecontrols.list

dataprocessing.groupcontrols.list

datastore.backupSchedules.list

datastore.backups.list

datastore.databases.list

datastore.entities.list

datastore.indexes.list

datastore.keyVisualizerScans.list

datastore.locations.list

datastore.namespaces.list

datastore.operations.list

datastore.statistics.list

datastream.connectionProfiles.getIamPolicy

datastream.connectionProfiles.list

datastream.locations.list

datastream.objects.list

datastream.operations.list

datastream.privateConnections.getIamPolicy

datastream.privateConnections.list

datastream.routes.getIamPolicy

datastream.routes.list

datastream.streams.getIamPolicy

datastream.streams.list

datastudio.datasources.getIamPolicy

datastudio.reports.getIamPolicy

datastudio.workspaces.getIamPolicy

deploymentmanager.compositeTypes.list

deploymentmanager.deployments.getIamPolicy

deploymentmanager.deployments.list

deploymentmanager.manifests.list

deploymentmanager.operations.list

deploymentmanager.resources.list

deploymentmanager.typeProviders.list

deploymentmanager.types.list

dialogflow.agents.list

dialogflow.answerrecords.list

dialogflow.callMatchers.list

dialogflow.changelogs.list

dialogflow.contexts.list

dialogflow.conversationDatasets.list

dialogflow.conversationModels.list

dialogflow.conversationProfiles.list

dialogflow.conversations.list

dialogflow.deployments.list

dialogflow.documents.list

dialogflow.entityTypes.list

dialogflow.environments.list

dialogflow.examples.list

dialogflow.experiments.list

dialogflow.flows.list

dialogflow.generators.list

dialogflow.integrations.list

dialogflow.intents.list

dialogflow.knowledgeBases.list

dialogflow.messages.list

dialogflow.modelEvaluations.list

dialogflow.pages.list

dialogflow.participants.list

dialogflow.phoneNumberOrders.list

dialogflow.phoneNumbers.list

dialogflow.playbooks.list

dialogflow.securitySettings.list

dialogflow.sessionEntityTypes.list

dialogflow.smartMessagingEntries.list

dialogflow.testcases.list

dialogflow.tools.list

dialogflow.transitionRouteGroups.list

dialogflow.versions.list

dialogflow.webhooks.list

discoveryengine.branches.list

discoveryengine.cmekConfigs.list

discoveryengine.collections.list

discoveryengine.controls.list

discoveryengine.conversations.list

discoveryengine.dataStores.list

discoveryengine.documents.list

discoveryengine.engines.list

discoveryengine.models.list

discoveryengine.operations.list

discoveryengine.schemas.list

discoveryengine.servingConfigs.list

discoveryengine.targetSites.list

dlp.analyzeRiskTemplates.list

dlp.columnDataProfiles.list

dlp.connections.list

dlp.deidentifyTemplates.list

dlp.estimates.list

dlp.inspectFindings.list

dlp.inspectTemplates.list

dlp.jobTriggers.list

dlp.jobs.list

dlp.locations.list

dlp.projectDataProfiles.list

dlp.storedInfoTypes.list

dlp.subscriptions.list

dlp.tableDataProfiles.list

dns.changes.list

dns.dnsKeys.list

dns.managedZoneOperations.list

dns.managedZones.getIamPolicy

dns.managedZones.list

dns.policies.getIamPolicy

dns.policies.list

dns.resourceRecordSets.list

dns.responsePolicies.list

dns.responsePolicyRules.list

documentai.dataLabelingJobs.list

documentai.evaluations.list

documentai.labelerPools.list

documentai.locations.list

documentai.processorTypes.list

documentai.processorVersions.list

documentai.processors.list

domains.locations.list

domains.operations.list

domains.registrations.getIamPolicy

domains.registrations.list

earthengine.assets.getIamPolicy

earthengine.assets.list

earthengine.operations.list

edgecontainer.clusters.getIamPolicy

edgecontainer.clusters.list

edgecontainer.locations.list

edgecontainer.machines.getIamPolicy

edgecontainer.machines.list

edgecontainer.nodePools.getIamPolicy

edgecontainer.nodePools.list

edgecontainer.operations.list

edgecontainer.vpnConnections.getIamPolicy

edgecontainer.vpnConnections.list

edgenetwork.interconnectAttachments.getIamPolicy

edgenetwork.interconnectAttachments.list

edgenetwork.interconnects.getIamPolicy

edgenetwork.interconnects.list

edgenetwork.locations.list

edgenetwork.networks.getIamPolicy

edgenetwork.networks.list

edgenetwork.operations.list

edgenetwork.routers.getIamPolicy

edgenetwork.routers.list

edgenetwork.routes.list

edgenetwork.subnetworks.getIamPolicy

edgenetwork.subnetworks.list

edgenetwork.zones.list

enterpriseknowledgegraph.entityReconciliationJobs.list

enterprisepurchasing.gcveCuds.list

enterprisepurchasing.gcveNodePricingInfo.list

enterprisepurchasing.locations.list

enterprisepurchasing.operations.list

errorreporting.applications.list

errorreporting.errorEvents.list

errorreporting.groups.list

essentialcontacts.contacts.list

eventarc.channelConnections.getIamPolicy

eventarc.channelConnections.list

eventarc.channels.getIamPolicy

eventarc.channels.list

eventarc.locations.list

eventarc.operations.list

eventarc.providers.list

eventarc.triggers.getIamPolicy

eventarc.triggers.list

fcmdata.deliverydata.list

file.backups.list

file.instances.list

file.locations.list

file.operations.list

financialservices.locations.list

financialservices.operations.list

financialservices.v1backtests.list

financialservices.v1datasets.list

financialservices.v1engineconfigs.list

financialservices.v1engineversions.list

financialservices.v1instances.list

financialservices.v1models.list

financialservices.v1predictions.list

firebase.clients.list

firebase.links.list

firebase.playLinks.list

firebaseabt.experiments.list

firebaseappdistro.groups.list

firebaseappdistro.releases.list

firebaseappdistro.testers.list

firebasecrashlytics.issues.list

firebasedatabase.instances.list

firebasedynamiclinks.destinations.list

firebasedynamiclinks.domains.list

firebasedynamiclinks.links.list

firebaseextensions.configs.list

firebaseextensionspublisher.extensions.list

firebasehosting.sites.list

firebaseinappmessaging.campaigns.list

firebasemessagingcampaigns.campaigns.list

firebaseml.models.list

firebaseml.modelversions.list

firebasenotifications.messages.list

firebaserules.releases.list

firebaserules.rulesets.list

firebasestorage.buckets.list

fleetengine.deliveryvehicles.list

fleetengine.tasks.list

fleetengine.vehicles.list

gcp.redisenterprise.com/databases.list

gcp.redisenterprise.com/subscriptions.list

gdchardwaremanagement.changeLogEntries.list

gdchardwaremanagement.comments.list

gdchardwaremanagement.hardware.list

gdchardwaremanagement.hardwareGroups.list

gdchardwaremanagement.locations.list

gdchardwaremanagement.operations.list

gdchardwaremanagement.orders.list

gdchardwaremanagement.sites.list

gdchardwaremanagement.skus.list

genomics.datasets.getIamPolicy

genomics.datasets.list

genomics.operations.list

gkebackup.backupPlans.getIamPolicy

gkebackup.backupPlans.list

gkebackup.backups.list

gkebackup.locations.list

gkebackup.operations.list

gkebackup.restorePlans.getIamPolicy

gkebackup.restorePlans.list

gkebackup.restores.list

gkebackup.volumeBackups.list

gkebackup.volumeRestores.list

gkehub.features.getIamPolicy

gkehub.features.list

gkehub.gateway.getIamPolicy

gkehub.locations.list

gkehub.membershipbindings.list

gkehub.memberships.getIamPolicy

gkehub.memberships.list

gkehub.namespaces.list

gkehub.operations.list

gkehub.rbacrolebindings.list

gkehub.scopes.getIamPolicy

gkehub.scopes.list

gkemulticloud.attachedClusters.list

gkemulticloud.awsClusters.list

gkemulticloud.awsNodePools.list

gkemulticloud.azureClients.list

gkemulticloud.azureClusters.list

gkemulticloud.azureNodePools.list

gkemulticloud.operations.list

gkeonprem.bareMetalAdminClusters.getIamPolicy

gkeonprem.bareMetalAdminClusters.list

gkeonprem.bareMetalClusters.getIamPolicy

gkeonprem.bareMetalClusters.list

gkeonprem.bareMetalNodePools.getIamPolicy

gkeonprem.bareMetalNodePools.list

gkeonprem.locations.list

gkeonprem.operations.list

gkeonprem.vmwareAdminClusters.getIamPolicy

gkeonprem.vmwareAdminClusters.list

gkeonprem.vmwareClusters.getIamPolicy

gkeonprem.vmwareClusters.list

gkeonprem.vmwareNodePools.getIamPolicy

gkeonprem.vmwareNodePools.list

gsuiteaddons.deployments.list

healthcare.annotationStores.getIamPolicy

healthcare.annotationStores.list

healthcare.annotations.list

healthcare.attributeDefinitions.list

healthcare.consentArtifacts.list

healthcare.consentStores.getIamPolicy

healthcare.consentStores.list

healthcare.consents.list

healthcare.datasets.getIamPolicy

healthcare.datasets.list

healthcare.dicomStores.getIamPolicy

healthcare.dicomStores.list

healthcare.fhirStores.getIamPolicy

healthcare.fhirStores.list

healthcare.hl7V2Messages.list

healthcare.hl7V2Stores.getIamPolicy

healthcare.hl7V2Stores.list

healthcare.locations.list

healthcare.operations.list

healthcare.userDataMappings.list

iam.denypolicies.list

iam.googleapis.com/workforcePoolProviderKeys.list

iam.googleapis.com/workforcePoolProviders.list

iam.googleapis.com/workforcePools.getIamPolicy

iam.googleapis.com/workforcePools.list

iam.googleapis.com/workloadIdentityPoolProviderKeys.list

iam.googleapis.com/workloadIdentityPoolProviders.list

iam.googleapis.com/workloadIdentityPools.list

iam.roles.get

iam.roles.list

iam.serviceAccountKeys.list

iam.serviceAccounts.get

iam.serviceAccounts.getIamPolicy

iam.serviceAccounts.list

iap.tunnel.getIamPolicy

iap.tunnelDestGroups.getIamPolicy

iap.tunnelDestGroups.list

iap.tunnelInstances.getIamPolicy

iap.tunnelLocations.getIamPolicy

iap.tunnelZones.getIamPolicy

iap.web.getIamPolicy

iap.webServiceVersions.getIamPolicy

iap.webServices.getIamPolicy

iap.webTypes.getIamPolicy

identitytoolkit.tenants.getIamPolicy

identitytoolkit.tenants.list

ids.endpoints.getIamPolicy

ids.endpoints.list

ids.locations.list

ids.operations.list

integrations.apigeeAuthConfigs.list

integrations.apigeeCertificates.list

integrations.apigeeExecutions.list

integrations.apigeeIntegrationVers.list

integrations.apigeeIntegrations.list

integrations.apigeeSfdcChannels.list

integrations.apigeeSfdcInstances.list

integrations.apigeeSuspensions.list

integrations.authConfigs.list

integrations.certificates.list

integrations.executions.list

integrations.integrationVersions.list

integrations.integrations.list

integrations.securityAuthConfigs.list

integrations.securityExecutions.list

integrations.securityIntegTempVers.list

integrations.securityIntegrationVers.list

integrations.securityIntegrations.list

integrations.sfdcChannels.list

integrations.sfdcInstances.list

integrations.suspensions.list

issuerswitch.accountManagerTransactions.list

issuerswitch.complaintTransactions.list

issuerswitch.financialTransactions.list

issuerswitch.mandateTransactions.list

issuerswitch.metadataTransactions.list

issuerswitch.operations.list

issuerswitch.ruleMetadata.list

issuerswitch.ruleMetadataValues.list

issuerswitch.rules.list

krmapihosting.krmApiHosts.getIamPolicy

krmapihosting.krmApiHosts.list

krmapihosting.locations.list

krmapihosting.operations.list

lifesciences.operations.list

livestream.assets.list

livestream.channels.list

livestream.events.list

livestream.inputs.list

livestream.locations.list

livestream.operations.list

logging.buckets.list

logging.exclusions.list

logging.links.list

logging.locations.list

logging.logEntries.list

logging.logMetrics.list

logging.logServiceIndexes.list

logging.logServices.list

logging.logs.list

logging.notificationRules.list

logging.operations.list

logging.privateLogEntries.list

logging.queries.list

logging.sinks.list

logging.views.list

looker.backups.list

looker.instances.list

looker.locations.list

looker.operations.list

managedidentities.backups.getIamPolicy

managedidentities.backups.list

managedidentities.domains.getIamPolicy

managedidentities.domains.list

managedidentities.locations.list

managedidentities.operations.list

managedidentities.peerings.getIamPolicy

managedidentities.peerings.list

managedidentities.sqlintegrations.list

mapsadmin.clientMaps.list

mapsadmin.clientStyleSheetSnapshots.list

mapsadmin.clientStyles.list

mapsadmin.styleSnapshots.list

mapsanalytics.metricMetadata.list

mapsplatformdatasets.datasets.list

marketplacesolutions.locations.list

marketplacesolutions.operations.list

marketplacesolutions.powerImages.list

marketplacesolutions.powerInstances.list

marketplacesolutions.powerNetworks.list

marketplacesolutions.powerSshKeys.list

marketplacesolutions.powerVolumes.list

memcache.instances.list

memcache.locations.list

memcache.operations.list

metastore.backups.getIamPolicy

metastore.backups.list

metastore.databases.getIamPolicy

metastore.databases.list

metastore.federations.getIamPolicy

metastore.federations.list

metastore.imports.list

metastore.locations.list

metastore.operations.list

metastore.services.getIamPolicy

metastore.services.list

metastore.tables.getIamPolicy

metastore.tables.list

migrationcenter.assets.list

migrationcenter.discoveryClients.list

migrationcenter.errorFrames.list

migrationcenter.groups.list

migrationcenter.importDataFiles.list

migrationcenter.importJobs.list

migrationcenter.locations.list

migrationcenter.operations.list

migrationcenter.preferenceSets.list

migrationcenter.reportConfigs.list

migrationcenter.reports.list

migrationcenter.sources.list

ml.jobs.getIamPolicy

ml.jobs.list

ml.locations.list

ml.models.getIamPolicy

ml.models.list

ml.operations.list

ml.studies.getIamPolicy

ml.studies.list

ml.trials.list

ml.versions.list

monitoring.alertPolicies.list

monitoring.dashboards.list

monitoring.groups.list

monitoring.metricDescriptors.list

monitoring.monitoredResourceDescriptors.list

monitoring.notificationChannelDescriptors.list

monitoring.notificationChannels.list

monitoring.publicWidgets.list

monitoring.services.list

monitoring.slos.list

monitoring.snoozes.list

monitoring.timeSeries.list

monitoring.uptimeCheckConfigs.list

netapp.activeDirectories.list

netapp.backupPolicies.list

netapp.backupVaults.list

netapp.backups.list

netapp.kmsConfigs.list

netapp.replications.list

netapp.snapshots.list

netapp.storagePools.list

netapp.volumes.list

networkconnectivity.groups.getIamPolicy

networkconnectivity.groups.list

networkconnectivity.hubRouteTables.getIamPolicy

networkconnectivity.hubRouteTables.list

networkconnectivity.hubRoutes.getIamPolicy

networkconnectivity.hubRoutes.list

networkconnectivity.hubs.getIamPolicy

networkconnectivity.hubs.list

networkconnectivity.internalRanges.getIamPolicy

networkconnectivity.internalRanges.list

networkconnectivity.locations.list

networkconnectivity.operations.list

networkconnectivity.policyBasedRoutes.getIamPolicy

networkconnectivity.policyBasedRoutes.list

networkconnectivity.regionalEndpoints.list

networkconnectivity.serviceClasses.list

networkconnectivity.serviceConnectionMaps.list

networkconnectivity.serviceConnectionPolicies.list

networkconnectivity.spokes.getIamPolicy

networkconnectivity.spokes.list

networkmanagement.connectivitytests.getIamPolicy

networkmanagement.connectivitytests.list

networkmanagement.locations.list

networkmanagement.operations.list

networksecurity.addressGroups.getIamPolicy

networksecurity.addressGroups.list

networksecurity.authorizationPolicies.getIamPolicy

networksecurity.authorizationPolicies.list

networksecurity.clientTlsPolicies.getIamPolicy

networksecurity.clientTlsPolicies.list

networksecurity.firewallEndpointAssociations.list

networksecurity.firewallEndpoints.list

networksecurity.gatewaySecurityPolicies.list

networksecurity.gatewaySecurityPolicyRules.list

networksecurity.locations.list

networksecurity.operations.list

networksecurity.securityProfileGroups.list

networksecurity.securityProfiles.list

networksecurity.serverTlsPolicies.getIamPolicy

networksecurity.serverTlsPolicies.list

networksecurity.tlsInspectionPolicies.list

networksecurity.urlLists.list

networkservices.endpointConfigSelectors.getIamPolicy

networkservices.endpointConfigSelectors.list

networkservices.endpointPolicies.getIamPolicy

networkservices.endpointPolicies.list

networkservices.gateways.list

networkservices.grpcRoutes.getIamPolicy

networkservices.grpcRoutes.list

networkservices.httpFilters.getIamPolicy

networkservices.httpFilters.list

networkservices.httpRoutes.getIamPolicy

networkservices.httpRoutes.list

networkservices.httpfilters.getIamPolicy

networkservices.httpfilters.list

networkservices.lbRouteExtensions.list

networkservices.lbTrafficExtensions.list

networkservices.locations.list

networkservices.meshes.getIamPolicy

networkservices.meshes.list

networkservices.operations.list

networkservices.serviceBindings.list

networkservices.serviceLbPolicies.list

networkservices.tcpRoutes.getIamPolicy

networkservices.tcpRoutes.list

networkservices.tlsRoutes.list

notebooks.environments.getIamPolicy

notebooks.environments.list

notebooks.executions.getIamPolicy

notebooks.executions.list

notebooks.instances.getIamPolicy

notebooks.instances.list

notebooks.locations.list

notebooks.operations.list

notebooks.runtimes.getIamPolicy

notebooks.runtimes.list

notebooks.schedules.getIamPolicy

notebooks.schedules.list

ondemandscanning.operations.list

opsconfigmonitoring.resourceMetadata.list

orgpolicy.constraints.list

orgpolicy.customConstraints.list

orgpolicy.policies.list

osconfig.guestPolicies.list

osconfig.instanceOSPoliciesCompliances.list

osconfig.inventories.list

osconfig.osPolicyAssignmentReports.list

osconfig.osPolicyAssignments.list

osconfig.patchDeployments.list

osconfig.patchJobs.list

osconfig.upgradeReports.list

osconfig.vulnerabilityReports.list

paymentsresellersubscription.products.list

paymentsresellersubscription.promotions.list

policyremediatormanager.locations.list

policyremediatormanager.operations.list

policysimulator.orgPolicyViolations.list

policysimulator.orgPolicyViolationsPreviews.list

policysimulator.replayResults.list

policysimulator.replays.list

privateca.caPools.getIamPolicy

privateca.caPools.list

privateca.certificateAuthorities.getIamPolicy

privateca.certificateAuthorities.list

privateca.certificateRevocationLists.getIamPolicy

privateca.certificateRevocationLists.list

privateca.certificateTemplates.getIamPolicy

privateca.certificateTemplates.list

privateca.certificates.getIamPolicy

privateca.certificates.list

privateca.locations.list

privateca.operations.list

privateca.reusableConfigs.getIamPolicy

privateca.reusableConfigs.list

privilegedaccessmanager.entitlements.list

privilegedaccessmanager.grants.list

privilegedaccessmanager.locations.list

privilegedaccessmanager.operations.list

proximitybeacon.attachments.list

proximitybeacon.beacons.getIamPolicy

proximitybeacon.beacons.list

proximitybeacon.namespaces.getIamPolicy

proximitybeacon.namespaces.list

pubsub.schemas.getIamPolicy

pubsub.schemas.list

pubsub.snapshots.getIamPolicy

pubsub.snapshots.list

pubsub.subscriptions.getIamPolicy

pubsub.subscriptions.list

pubsub.topics.getIamPolicy

pubsub.topics.list

pubsublite.operations.list

pubsublite.reservations.list

pubsublite.subscriptions.list

pubsublite.topics.list

recaptchaenterprise.keys.list

recaptchaenterprise.relatedaccountgroupmemberships.list

recaptchaenterprise.relatedaccountgroups.list

recommender.bigqueryCapacityCommitmentsInsights.list

recommender.bigqueryCapacityCommitmentsRecommendations.list

recommender.bigqueryMaterializedViewInsights.list

recommender.bigqueryMaterializedViewRecommendations.list

recommender.bigqueryPartitionClusterRecommendations.list

recommender.bigqueryTableStatsInsights.list

recommender.cloudAssetInsights.list

recommender.cloudCostGeneralInsights.list

recommender.cloudCostGeneralRecommendations.list

recommender.cloudDeprecationGeneralInsights.list

recommender.cloudDeprecationGeneralRecommendations.list

recommender.cloudFunctionsPerformanceInsights.list

recommender.cloudFunctionsPerformanceRecommendations.list

recommender.cloudManageabilityGeneralInsights.list

recommender.cloudManageabilityGeneralRecommendations.list

recommender.cloudPerformanceGeneralInsights.list

recommender.cloudPerformanceGeneralRecommendations.list

recommender.cloudRecentChangeInsights.list

recommender.cloudRecentChangeRecommendations.list

recommender.cloudReliabilityGeneralInsights.list

recommender.cloudReliabilityGeneralRecommendations.list

recommender.cloudSecurityGeneralInsights.list

recommender.cloudSecurityGeneralRecommendations.list

recommender.cloudsqlIdleInstanceRecommendations.list

recommender.cloudsqlInstanceActivityInsights.list

recommender.cloudsqlInstanceCpuUsageInsights.list

recommender.cloudsqlInstanceDiskUsageTrendInsights.list

recommender.cloudsqlInstanceMemoryUsageInsights.list

recommender.cloudsqlInstanceOomProbabilityInsights.list

recommender.cloudsqlInstanceOutOfDiskRecommendations.list

recommender.cloudsqlInstancePerformanceInsights.list

recommender.cloudsqlInstancePerformanceRecommendations.list

recommender.cloudsqlInstanceReliabilityInsights.list

recommender.cloudsqlInstanceReliabilityRecommendations.list

recommender.cloudsqlInstanceSecurityInsights.list

recommender.cloudsqlInstanceSecurityRecommendations.list

recommender.cloudsqlInstanceUnderprovisionedCpuUsageInsights.list

recommender.cloudsqlInstanceUnderprovisionedMemoryUsageInsights.list

recommender.cloudsqlOverprovisionedInstanceRecommendations.list

recommender.cloudsqlUnderProvisionedInstanceRecommendations.list

recommender.commitmentUtilizationInsights.list

recommender.computeAddressIdleResourceInsights.list

recommender.computeAddressIdleResourceRecommendations.list

recommender.computeDiskIdleResourceInsights.list

recommender.computeDiskIdleResourceRecommendations.list

recommender.computeFirewallInsights.list

recommender.computeImageIdleResourceInsights.list

recommender.computeImageIdleResourceRecommendations.list

recommender.computeInstanceCpuUsageInsights.list

recommender.computeInstanceCpuUsagePredictionInsights.list

recommender.computeInstanceCpuUsageTrendInsights.list

recommender.computeInstanceGroupManagerCpuUsageInsights.list

recommender.computeInstanceGroupManagerCpuUsagePredictionInsights.list

recommender.computeInstanceGroupManagerCpuUsageTrendInsights.list

recommender.computeInstanceGroupManagerMachineTypeRecommendations.list

recommender.computeInstanceGroupManagerMemoryUsageInsights.list

recommender.computeInstanceGroupManagerMemoryUsagePredictionInsights.list

recommender.computeInstanceIdleResourceRecommendations.list

recommender.computeInstanceMachineTypeRecommendations.list

recommender.computeInstanceMemoryUsageInsights.list

recommender.computeInstanceMemoryUsagePredictionInsights.list

recommender.computeInstanceNetworkThroughputInsights.list

recommender.containerDiagnosisInsights.list

recommender.containerDiagnosisRecommendations.list

recommender.costInsights.list

recommender.dataflowDiagnosticsInsights.list

recommender.errorReportingInsights.list

recommender.errorReportingRecommendations.list

recommender.gmpGuidedExperienceInsights.list

recommender.gmpGuidedExperienceRecommendations.list

recommender.gmpProjectManagementInsights.list

recommender.gmpProjectManagementRecommendations.list

recommender.gmpProjectProductSuggestionsInsights.list

recommender.gmpProjectProductSuggestionsRecommendations.list

recommender.gmpProjectQuotaInsights.list

recommender.gmpProjectQuotaRecommendations.list

recommender.iamPolicyChangeRiskInsights.list

recommender.iamPolicyChangeRiskRecommendations.list

recommender.iamPolicyInsights.list

recommender.iamPolicyLateralMovementInsights.list

recommender.iamPolicyRecommendations.list

recommender.iamServiceAccountChangeRiskInsights.list

recommender.iamServiceAccountChangeRiskRecommendations.list

recommender.iamServiceAccountInsights.list

recommender.locations.list

recommender.loggingProductSuggestionContainerInsights.list

recommender.loggingProductSuggestionContainerRecommendations.list

recommender.monitoringProductSuggestionComputeInsights.list

recommender.monitoringProductSuggestionComputeRecommendations.list

recommender.networkAnalyzerCloudSqlInsights.list

recommender.networkAnalyzerDynamicRouteInsights.list

recommender.networkAnalyzerGkeConnectivityInsights.list

recommender.networkAnalyzerGkeIpAddressInsights.list

recommender.networkAnalyzerGkeServiceAccountInsights.list

recommender.networkAnalyzerIpAddressInsights.list

recommender.networkAnalyzerLoadBalancerInsights.list

recommender.networkAnalyzerVpcConnectivityInsights.list

recommender.resourcemanagerProjectChangeRiskInsights.list

recommender.resourcemanagerProjectChangeRiskRecommendations.list

recommender.resourcemanagerProjectUtilizationInsights.list

recommender.resourcemanagerProjectUtilizationRecommendations.list

recommender.resourcemanagerServiceLimitInsights.list

recommender.resourcemanagerServiceLimitRecommendations.list

recommender.runServiceCostInsights.list

recommender.runServiceCostRecommendations.list

recommender.runServiceIdentityInsights.list

recommender.runServiceIdentityRecommendations.list

recommender.runServicePerformanceInsights.list

recommender.runServicePerformanceRecommendations.list

recommender.runServiceSecurityInsights.list

recommender.runServiceSecurityRecommendations.list

recommender.spendBasedCommitmentInsights.list

recommender.spendBasedCommitmentRecommendations.list

recommender.usageCommitmentRecommendations.list

redis.clusters.list

redis.instances.list

redis.locations.list

redis.operations.list

remotebuildexecution.instances.list

remotebuildexecution.workerpools.list

resourcemanager.folders.getIamPolicy

resourcemanager.folders.list

resourcemanager.hierarchyNodes.listTagBindings

resourcemanager.organizations.getIamPolicy

resourcemanager.projects.getIamPolicy

resourcemanager.projects.list

resourcemanager.tagHolds.list

resourcemanager.tagKeys.getIamPolicy

resourcemanager.tagKeys.list

resourcemanager.tagValues.getIamPolicy

resourcemanager.tagValues.list

resourcesettings.settings.list

retail.catalogs.list

retail.controls.list

retail.experiments.list

retail.models.list

retail.operations.list

retail.products.list

retail.servingConfigs.list

riskmanager.controlScoreBreakdowns.list

riskmanager.operations.list

riskmanager.policies.list

riskmanager.reports.list

rma.collectors.list

rma.locations.list

rma.operations.list

run.configurations.list

run.executions.list

run.jobs.getIamPolicy

run.jobs.list

run.locations.list

run.operations.list

run.revisions.list

run.routes.list

run.services.getIamPolicy

run.services.list

run.tasks.list

runapps.applications.list

runapps.deployments.list

runapps.locations.list

runapps.operations.list

runtimeconfig.configs.getIamPolicy

runtimeconfig.configs.list

runtimeconfig.operations.list

runtimeconfig.variables.getIamPolicy

runtimeconfig.variables.list

runtimeconfig.waiters.getIamPolicy

runtimeconfig.waiters.list

secretmanager.locations.list

secretmanager.secrets.getIamPolicy

secretmanager.secrets.list

secretmanager.versions.list

securedlandingzone.overwatches.list

securesourcemanager.instances.getIamPolicy

securesourcemanager.instances.list

securesourcemanager.locations.list

securesourcemanager.operations.list

securesourcemanager.repositories.getIamPolicy

securesourcemanager.repositories.list

securesourcemanager.sshkeys.list

securitycenter.assets.list

securitycenter.attackpaths.list

securitycenter.bigQueryExports.list

securitycenter.compliancesnapshots.list

securitycenter.effectivesecurityhealthanalyticscustommodules.list

securitycenter.findings.list

securitycenter.muteconfigs.list

securitycenter.notificationconfig.list

securitycenter.resourcevalueconfigs.list

securitycenter.securityhealthanalyticscustommodules.list

securitycenter.sources.getIamPolicy

securitycenter.sources.list

securitycenter.valuedresources.list

securitycentermanagement.effectiveEventThreatDetectionCustomModules.list

securitycentermanagement.effectiveSecurityHealthAnalyticsCustomModules.list

securitycentermanagement.eventThreatDetectionCustomModules.list

securitycentermanagement.locations.list

securitycentermanagement.securityHealthAnalyticsCustomModules.list

securityposture.locations.list

securityposture.operations.list

securityposture.postureDeployments.list

securityposture.postureTemplates.list

securityposture.postures.list

servicebroker.bindingoperations.list

servicebroker.bindings.getIamPolicy

servicebroker.bindings.list

servicebroker.catalogs.getIamPolicy

servicebroker.catalogs.list

servicebroker.instanceoperations.list

servicebroker.instances.getIamPolicy

servicebroker.instances.list

serviceconsumermanagement.tenancyu.list

servicedirectory.endpoints.getIamPolicy

servicedirectory.endpoints.list

servicedirectory.locations.list

servicedirectory.namespaces.getIamPolicy

servicedirectory.namespaces.list

servicedirectory.services.getIamPolicy

servicedirectory.services.list

servicehealth.events.list

servicehealth.locations.list

servicehealth.organizationEvents.list

servicehealth.organizationImpacts.list

servicemanagement.services.getIamPolicy

servicemanagement.services.list

servicenetworking.operations.list

servicesecurityinsights.clusterSecurityInfo.list

servicesecurityinsights.securityInfo.list

servicesecurityinsights.workloadPolicies.list

serviceusage.operations.list

serviceusage.services.list

source.repos.getIamPolicy

source.repos.list

spanner.backupOperations.list

spanner.backups.getIamPolicy

spanner.backups.list

spanner.databaseOperations.list

spanner.databaseRoles.list

spanner.databases.getIamPolicy

spanner.databases.list

spanner.instanceConfigOperations.list

spanner.instanceConfigs.list

spanner.instanceOperations.list

spanner.instances.getIamPolicy

spanner.instances.list

spanner.sessions.list

speakerid.phrases.list

speakerid.speakers.list

speech.customClasses.list

speech.locations.list

speech.operations.list

speech.phraseSets.list

speech.recognizers.list

stackdriver.resourceMetadata.list

storage.anywhereCaches.list

storage.bucketOperations.list

storage.buckets.getIamPolicy

storage.buckets.list

storage.hmacKeys.list

storage.managedFolders.getIamPolicy

storage.managedFolders.list

storage.multipartUploads.list

storage.objects.getIamPolicy

storage.objects.list

storageinsights.datasetConfigs.list

storageinsights.locations.list

storageinsights.operations.list

storageinsights.reportConfigs.list

storageinsights.reportDetails.list

storagetransfer.agentpools.list

storagetransfer.jobs.list

storagetransfer.operations.list

stream.locations.list

stream.operations.list

stream.streamContents.list

stream.streamInstances.list

telcoautomation.blueprints.list

telcoautomation.deployments.list

telcoautomation.edgeSlms.list

telcoautomation.hydratedDeployments.list

telcoautomation.locations.list

telcoautomation.operations.list

telcoautomation.orchestrationClusters.list

telcoautomation.publicBlueprints.list

timeseriesinsights.datasets.list

timeseriesinsights.locations.list

tpu.acceleratortypes.list

tpu.locations.list

tpu.nodes.list

tpu.operations.list

tpu.runtimeversions.list

tpu.tensorflowversions.list

transcoder.jobTemplates.list

transcoder.jobs.list

transferappliance.appliances.list

transferappliance.locations.list

transferappliance.operations.list

transferappliance.orders.list

transferappliance.savedAddresses.list

translationhub.portals.list

videostitcher.cdnKeys.list

videostitcher.liveAdTagDetails.list

videostitcher.liveConfigs.list

videostitcher.slates.list

videostitcher.vodAdTagDetails.list

videostitcher.vodStitchDetails.list

visionai.analyses.getIamPolicy

visionai.analyses.list

visionai.annotations.list

visionai.applications.list

visionai.assets.list

visionai.clusters.getIamPolicy

visionai.clusters.list

visionai.corpora.list

visionai.dataSchemas.list

visionai.drafts.list

visionai.events.getIamPolicy

visionai.events.list

visionai.indexEndpoints.list

visionai.indexes.list

visionai.instances.list

visionai.locations.list

visionai.operations.list

visionai.operators.getIamPolicy

visionai.operators.list

visionai.processors.list

visionai.searchConfigs.list

visionai.series.getIamPolicy

visionai.series.list

visionai.streams.getIamPolicy

visionai.streams.list

visionai.uistreams.list

visualinspection.annotationSets.list

visualinspection.annotationSpecs.list

visualinspection.annotations.list

visualinspection.datasets.list

visualinspection.images.list

visualinspection.locations.list

visualinspection.modelEvaluations.list

visualinspection.models.list

visualinspection.modules.list

visualinspection.operations.list

visualinspection.solutionArtifacts.list

visualinspection.solutions.list

vmmigration.cloneJobs.list

vmmigration.cutoverJobs.list

vmmigration.datacenterConnectors.list

vmmigration.deployments.list

vmmigration.groups.list

vmmigration.locations.list

vmmigration.migratingVms.list

vmmigration.operations.list

vmmigration.replicationCycles.list

vmmigration.sources.list

vmmigration.targets.list

vmmigration.utilizationReports.list

vmwareengine.clusters.getIamPolicy

vmwareengine.clusters.list

vmwareengine.externalAccessRules.list

vmwareengine.externalAddresses.list

vmwareengine.hcxActivationKeys.getIamPolicy

vmwareengine.hcxActivationKeys.list

vmwareengine.locations.list

vmwareengine.loggingServers.list

vmwareengine.managementDnsZoneBindings.list

vmwareengine.networkPeerings.list

vmwareengine.networkPolicies.list

vmwareengine.nodeTypes.list

vmwareengine.nodes.list

vmwareengine.operations.list

vmwareengine.privateClouds.getIamPolicy

vmwareengine.privateClouds.list

vmwareengine.privateConnections.list

vmwareengine.subnets.list

vmwareengine.vmwareEngineNetworks.list

vpcaccess.connectors.list

vpcaccess.locations.list

vpcaccess.operations.list

workflows.callbacks.list

workflows.executions.list

workflows.locations.list

workflows.operations.list

workflows.stepEntries.list

workflows.workflows.list

workloadcertificate.locations.list

workloadcertificate.operations.list

workloadcertificate.workloadRegistrations.list

workloadmanager.actuations.list

workloadmanager.deployments.list

workloadmanager.evaluations.list

workloadmanager.executions.list

workloadmanager.locations.list

workloadmanager.operations.list

workloadmanager.results.list

workloadmanager.rules.list

workstations.workstationClusters.list

workstations.workstationConfigs.getIamPolicy

workstations.workstationConfigs.list

workstations.workstations.getIamPolicy

workstations.workstations.list

Permissions

(roles/config.admin)

Full access to Cloud Infrastructure Manager resources.

config.*

resourcemanager.projects.get

resourcemanager.projects.list

(roles/config.agent)

Required permissions to make Cloud Infrastructure Manager work with the user-specified service account.

cloudbuild.connections.list

cloudbuild.repositories.accessReadToken

cloudbuild.repositories.list

cloudquotas.quotas.get

config.artifacts.import

config.deployments.deleteState

config.deployments.getLock

config.deployments.getState

config.deployments.updateState

config.previews.upload

config.revisions.getState

logging.logEntries.create

storage.buckets.create

storage.buckets.delete

storage.buckets.get

storage.buckets.list

storage.buckets.update

storage.objects.create

storage.objects.delete

storage.objects.get

storage.objects.list

storage.objects.update

(roles/config.viewer)

Read-only access to Cloud Infrastructure Manager resources.

config.deployments.get

config.deployments.getIamPolicy

config.deployments.list

config.locations.*

config.operations.get

config.operations.list

config.previews.get

config.previews.list

config.resources.*

config.revisions.get

config.revisions.list

config.terraformversions.*

resourcemanager.projects.get

resourcemanager.projects.list

Permissions

(roles/krmapihosting.admin)

Full access to all Config Controller resources.

krmapihosting.*

resourcemanager.projects.get

resourcemanager.projects.list

(roles/krmapihosting.viewer)

Read-only access to all Config Controller resources.

krmapihosting.krmApiHosts.get

krmapihosting.krmApiHosts.getIamPolicy

krmapihosting.krmApiHosts.list

krmapihosting.locations.*

krmapihosting.operations.get

krmapihosting.operations.list

resourcemanager.projects.get

resourcemanager.projects.list

Permissions

(roles/container.admin)

Provides access to full management of clusters and their Kubernetes API objects.

To set a service account on nodes, you must also have the Service Account User role (roles/iam.serviceAccountUser) on the user-managed service account that your nodes will use.

Lowest-level resources where you can grant this role:

  • Project

container.*

recommender.containerDiagnosisInsights.*

recommender.containerDiagnosisRecommendations.*

recommender.locations.*

recommender.networkAnalyzerGkeConnectivityInsights.*

recommender.networkAnalyzerGkeIpAddressInsights.*

resourcemanager.projects.get

resourcemanager.projects.list

(roles/container.clusterAdmin)

Provides access to management of clusters.

To set a service account on nodes, you must also have the Service Account User role (roles/iam.serviceAccountUser) on the user-managed service account that your nodes will use.

Lowest-level resources where you can grant this role:

  • Project

container.clusters.create

container.clusters.delete

container.clusters.get

container.clusters.list

container.clusters.update

container.operations.*

resourcemanager.projects.get

resourcemanager.projects.list

(roles/container.clusterViewer)

Provides access to get and list GKE clusters.

container.clusters.get

container.clusters.list

resourcemanager.projects.get

resourcemanager.projects.list

(roles/container.developer)

Provides access to Kubernetes API objects inside clusters.

Lowest-level resources where you can grant this role:

  • Project

container.apiServices.*

container.auditSinks.*

container.backendConfigs.*

container.bindings.*

container.certificateSigningRequests.create

container.certificateSigningRequests.delete

container.certificateSigningRequests.get

container.certificateSigningRequests.list

container.certificateSigningRequests.update

container.certificateSigningRequests.updateStatus

container.clusterRoleBindings.get

container.clusterRoleBindings.list

container.clusterRoles.get

container.clusterRoles.list

container.clusters.get

container.clusters.list

container.componentStatuses.*

container.configMaps.*

container.controllerRevisions.get

container.controllerRevisions.list

container.cronJobs.*

container.csiDrivers.*

container.csiNodeInfos.*

container.csiNodes.*

container.customResourceDefinitions.*

container.daemonSets.*

container.deployments.*

container.endpointSlices.*

container.endpoints.*

container.events.*

container.frontendConfigs.*

container.horizontalPodAutoscalers.*

container.ingresses.*

container.initializerConfigurations.*

container.jobs.*

container.leases.*

container.limitRanges.*

container.localSubjectAccessReviews.*

container.managedCertificates.*

container.mutatingWebhookConfigurations.get

container.mutatingWebhookConfigurations.list

container.namespaces.*

container.networkPolicies.*

container.nodes.*

container.persistentVolumeClaims.*

container.persistentVolumes.*

container.petSets.*

container.podDisruptionBudgets.*

container.podPresets.*

container.podSecurityPolicies.get

container.podSecurityPolicies.list

container.podTemplates.*

container.pods.*

container.priorityClasses.*

container.replicaSets.*

container.replicationControllers.*

container.resourceQuotas.*

container.roleBindings.get

container.roleBindings.list

container.roles.get

container.roles.list

container.runtimeClasses.*

container.scheduledJobs.*

container.secrets.*

container.selfSubjectAccessReviews.*

container.selfSubjectRulesReviews.create

container.serviceAccounts.*

container.services.*

container.statefulSets.*

container.storageClasses.*

container.storageStates.*

container.storageVersionMigrations.*

container.subjectAccessReviews.*

container.thirdPartyObjects.*

container.thirdPartyResources.*

container.tokenReviews.create

container.updateInfos.*

container.validatingWebhookConfigurations.get

container.validatingWebhookConfigurations.list

container.volumeAttachments.*

container.volumeSnapshotClasses.*

container.volumeSnapshotContents.*

container.volumeSnapshots.*

recommender.containerDiagnosisInsights.*

recommender.containerDiagnosisRecommendations.*

recommender.locations.*

recommender.networkAnalyzerGkeConnectivityInsights.*

recommender.networkAnalyzerGkeIpAddressInsights.*

resourcemanager.projects.get

resourcemanager.projects.list

(roles/container.hostServiceAgentUser)

Allows the Kubernetes Engine service account in the host project to configure shared network resources for cluster management. Also gives access to inspect the firewall rules in the host project.

compute.firewalls.get

container.hostServiceAgent.use

dns.networks.bindDNSResponsePolicy

dns.networks.bindPrivateDNSPolicy

dns.networks.bindPrivateDNSZone

dns.responsePolicies.*

dns.responsePolicyRules.*

(roles/container.viewer)

Provides read-only access to resources within GKE clusters, such as nodes, pods, and GKE API objects.

Lowest-level resources where you can grant this role:

  • Project

container.apiServices.get

container.apiServices.getStatus

container.apiServices.list

container.auditSinks.get

container.auditSinks.list

container.backendConfigs.get

container.backendConfigs.list

container.bindings.get

container.bindings.list

container.certificateSigningRequests.get

container.certificateSigningRequests.getStatus

container.certificateSigningRequests.list

container.clusterRoleBindings.get

container.clusterRoleBindings.list

container.clusterRoles.get

container.clusterRoles.list

container.clusters.get

container.clusters.list

container.componentStatuses.*

container.configMaps.get

container.configMaps.list

container.controllerRevisions.get

container.controllerRevisions.list

container.cronJobs.get

container.cronJobs.getStatus

container.cronJobs.list

container.csiDrivers.get

container.csiDrivers.list

container.csiNodeInfos.get

container.csiNodeInfos.list

container.csiNodes.get

container.csiNodes.list

container.customResourceDefinitions.get

container.customResourceDefinitions.getStatus

container.customResourceDefinitions.list

container.daemonSets.get

container.daemonSets.getStatus

container.daemonSets.list

container.deployments.get

container.deployments.getScale

container.deployments.getStatus

container.deployments.list

container.endpointSlices.get

container.endpointSlices.list

container.endpoints.get

container.endpoints.list

container.events.get

container.events.list

container.frontendConfigs.get

container.frontendConfigs.list

container.horizontalPodAutoscalers.get

container.horizontalPodAutoscalers.getStatus

container.horizontalPodAutoscalers.list

container.ingresses.get

container.ingresses.getStatus

container.ingresses.list

container.initializerConfigurations.get

container.initializerConfigurations.list

container.jobs.get

container.jobs.getStatus

container.jobs.list

container.leases.get

container.leases.list

container.limitRanges.get

container.limitRanges.list

container.managedCertificates.get

container.managedCertificates.list

container.mutatingWebhookConfigurations.get

container.mutatingWebhookConfigurations.list

container.namespaces.get

container.namespaces.getStatus

container.namespaces.list

container.networkPolicies.get

container.networkPolicies.list

container.nodes.get

container.nodes.getStatus

container.nodes.list

container.operations.*

container.persistentVolumeClaims.get

container.persistentVolumeClaims.getStatus

container.persistentVolumeClaims.list

container.persistentVolumes.get

container.persistentVolumes.getStatus

container.persistentVolumes.list

container.petSets.get

container.petSets.list

container.podDisruptionBudgets.get

container.podDisruptionBudgets.getStatus

container.podDisruptionBudgets.list

container.podPresets.get

container.podPresets.list

container.podSecurityPolicies.get

container.podSecurityPolicies.list

container.podTemplates.get

container.podTemplates.list

container.pods.get

container.pods.getStatus

container.pods.list

container.priorityClasses.get

container.priorityClasses.list

container.replicaSets.get

container.replicaSets.getScale

container.replicaSets.getStatus

container.replicaSets.list

container.replicationControllers.get

container.replicationControllers.getScale

container.replicationControllers.getStatus

container.replicationControllers.list

container.resourceQuotas.get

container.resourceQuotas.getStatus

container.resourceQuotas.list

container.roleBindings.get

container.roleBindings.list

container.roles.get

container.roles.list

container.runtimeClasses.get

container.runtimeClasses.list

container.scheduledJobs.get

container.scheduledJobs.list

container.serviceAccounts.get

container.serviceAccounts.list

container.services.get

container.services.getStatus

container.services.list

container.statefulSets.get

container.statefulSets.getScale

container.statefulSets.getStatus

container.statefulSets.list

container.storageClasses.get

container.storageClasses.list

container.storageStates.get

container.storageStates.getStatus

container.storageStates.list

container.storageVersionMigrations.get

container.storageVersionMigrations.getStatus

container.storageVersionMigrations.list

container.thirdPartyObjects.get

container.thirdPartyObjects.list

container.thirdPartyResources.get

container.thirdPartyResources.list

container.tokenReviews.create

container.updateInfos.get

container.updateInfos.list

container.validatingWebhookConfigurations.get

container.validatingWebhookConfigurations.list

container.volumeAttachments.get

container.volumeAttachments.getStatus

container.volumeAttachments.list

container.volumeSnapshotClasses.get

container.volumeSnapshotClasses.list

container.volumeSnapshotContents.get

container.volumeSnapshotContents.getStatus

container.volumeSnapshotContents.list

container.volumeSnapshots.get

container.volumeSnapshots.list

recommender.containerDiagnosisInsights.get

recommender.containerDiagnosisInsights.list

recommender.containerDiagnosisRecommendations.get

recommender.containerDiagnosisRecommendations.list

recommender.locations.*

recommender.networkAnalyzerGkeConnectivityInsights.get

recommender.networkAnalyzerGkeConnectivityInsights.list

recommender.networkAnalyzerGkeIpAddressInsights.get

recommender.networkAnalyzerGkeIpAddressInsights.list

resourcemanager.projects.get

resourcemanager.projects.list

Permissions

(roles/livestream.editor)

Full access to Live Stream resources.

livestream.*

resourcemanager.projects.get

resourcemanager.projects.list

(roles/livestream.viewer)

Read access to Live Stream resources.

livestream.assets.get

livestream.assets.list

livestream.channels.get

livestream.channels.list

livestream.events.get

livestream.events.list

livestream.inputs.get

livestream.inputs.list

livestream.locations.*

livestream.operations.get

livestream.operations.list

livestream.pools.get

resourcemanager.projects.get

resourcemanager.projects.list

Permissions

(roles/logging.admin)

Provides all permissions necessary to use all features of Cloud Logging.

Lowest-level resources where you can grant this role:

  • Project

logging.buckets.copyLogEntries

logging.buckets.create

logging.buckets.delete

logging.buckets.get

logging.buckets.list

logging.buckets.undelete

logging.buckets.update

logging.exclusions.*

logging.fields.access

logging.links.*

logging.locations.*

logging.logEntries.*

logging.logMetrics.*

logging.logServiceIndexes.list

logging.logServices.list

logging.logs.*

logging.notificationRules.*

logging.operations.*

logging.privateLogEntries.list

logging.queries.*

logging.settings.*

logging.sinks.*

logging.usage.get

logging.views.*

resourcemanager.projects.get

resourcemanager.projects.list

(roles/logging.bucketWriter)

Ability to write logs to a log bucket.

Lowest-level resources where you can grant this role:

  • Project

logging.buckets.write

(roles/logging.configWriter)

Provides permissions to read and write the configurations of logs-based metrics and sinks for exporting logs.

Lowest-level resources where you can grant this role:

  • Project

logging.buckets.create

logging.buckets.delete

logging.buckets.get

logging.buckets.list

logging.buckets.undelete

logging.buckets.update

logging.exclusions.*

logging.links.*

logging.locations.*

logging.logMetrics.*

logging.logServiceIndexes.list

logging.logServices.list

logging.logs.list

logging.notificationRules.*

logging.operations.*

logging.settings.*

logging.sinks.*

logging.views.create

logging.views.delete

logging.views.get

logging.views.list

logging.views.update

resourcemanager.projects.get

resourcemanager.projects.list

(roles/logging.fieldAccessor)

Ability to read restricted fields in a log bucket.

Lowest-level resources where you can grant this role:

  • Project

logging.fields.access

(roles/logging.linkViewer)

Ability to see links for a bucket.

logging.links.get

logging.links.list

(roles/logging.logWriter)

Provides the permissions to write log entries.

Lowest-level resources where you can grant this role:

  • Project

logging.logEntries.create

logging.logEntries.route

(roles/logging.privateLogViewer)

Provides the permissions of the Logs Viewer role and, in addition, read-only access to log entries in private logs.

Lowest-level resources where you can grant this role:

  • Project

logging.buckets.get

logging.buckets.list

logging.exclusions.get

logging.exclusions.list

logging.links.get

logging.links.list

logging.locations.*

logging.logEntries.list

logging.logMetrics.get

logging.logMetrics.list

logging.logServiceIndexes.list

logging.logServices.list

logging.logs.list

logging.privateLogEntries.list

logging.queries.create

logging.queries.delete

logging.queries.get

logging.queries.list

logging.queries.listShared

logging.queries.update

logging.sinks.get

logging.sinks.list

logging.usage.get

logging.views.access

logging.views.get

logging.views.list

resourcemanager.projects.get

(roles/logging.viewAccessor)

Ability to read logs in a view.

Lowest-level resources where you can grant this role:

  • Project

logging.logEntries.download

logging.views.access

logging.views.listLogs

logging.views.listResourceKeys

logging.views.listResourceValues

(roles/logging.viewer)

Provides access to view logs.

Lowest-level resources where you can grant this role:

  • Project

logging.buckets.get

logging.buckets.list

logging.exclusions.get

logging.exclusions.list

logging.links.get

logging.links.list

logging.locations.*

logging.logEntries.list

logging.logMetrics.get

logging.logMetrics.list

logging.logServiceIndexes.list

logging.logServices.list

logging.logs.list

logging.operations.get

logging.operations.list

logging.queries.create

logging.queries.delete

logging.queries.get

logging.queries.list

logging.queries.listShared

logging.queries.update

logging.sinks.get

logging.sinks.list

logging.usage.get

logging.views.get

logging.views.list

resourcemanager.projects.get

Permissions

(roles/looker.admin)

Full access to all Looker resources.

looker.*

resourcemanager.projects.get

resourcemanager.projects.list

(roles/looker.instanceUser)

Access to log in to a Looker instance.

looker.instances.get

looker.instances.login

resourcemanager.projects.get

resourcemanager.projects.list

(roles/looker.viewer)

Read-only access to all Looker resources.

looker.backups.get

looker.backups.list

looker.instances.get

looker.instances.list

looker.instances.login

looker.locations.*

looker.operations.get

looker.operations.list

resourcemanager.projects.get

resourcemanager.projects.list

Permissions

(roles/mapsadmin.admin)

Read and Write all Maps Management and Maps Styles Resources.

mapsadmin.*

resourcemanager.projects.get

resourcemanager.projects.list

(roles/mapsadmin.viewer)

Read all Maps Management and Maps Styles Resources.

mapsadmin.clientMaps.get

mapsadmin.clientMaps.list

mapsadmin.clientStyleSheetSnapshots.list

mapsadmin.clientStyles.get

mapsadmin.clientStyles.list

mapsadmin.styleEditorConfigs.get

mapsadmin.styleSnapshots.list

resourcemanager.projects.get

resourcemanager.projects.list

Permissions

(roles/memcache.admin)

Full access to Memcached instances and related resources.

compute.networks.list

memcache.*

resourcemanager.projects.get

resourcemanager.projects.list

(roles/memcache.editor)

Read-Write access to Memcached instances and related resources.

memcache.instances.applyParameters

memcache.instances.get

memcache.instances.list

memcache.instances.update

memcache.instances.updateParameters

memcache.locations.*

memcache.operations.*

resourcemanager.projects.get

resourcemanager.projects.list

(roles/memcache.viewer)

Read-only access to Memcached instances and related resources.

memcache.instances.get

memcache.instances.list

memcache.locations.*

memcache.operations.get

memcache.operations.list

resourcemanager.projects.get

resourcemanager.projects.list

Permissions

(roles/redis.admin)

Full control for all Memorystore for Redis resources.

compute.networks.list

networkconnectivity.serviceConnectionPolicies.list

redis.*

resourcemanager.projects.get

resourcemanager.projects.list

serviceusage.services.use

(roles/redis.dbConnectionUser)

Access to connect to the Redis Server database.

redis.clusters.connect

(roles/redis.editor)

Manage Memorystore for Redis instances. Can't create or delete instances.

compute.networks.list

redis.clusters.get

redis.clusters.list

redis.clusters.update

redis.instances.failover

redis.instances.get

redis.instances.list

redis.instances.update

redis.locations.*

redis.operations.*

resourcemanager.projects.get

resourcemanager.projects.list

serviceusage.services.use

(roles/redis.viewer)

Read-only access to all Memorystore for Redis resources.

redis.clusters.get

redis.clusters.list

redis.instances.get

redis.instances.list

redis.instances.listEffectiveTags

redis.instances.listTagBindings

redis.locations.*

redis.operations.get

redis.operations.list

resourcemanager.projects.get

resourcemanager.projects.list

serviceusage.services.use

Permissions

(roles/meshconfig.admin)

Full access to all mesh configuration resources.

meshconfig.projects.init

(roles/meshconfig.viewer)

Read access to mesh configuration.

Permissions

(roles/migrationcenter.admin)

Full access to all Migration Center resources.

migrationcenter.*

resourcemanager.projects.get

resourcemanager.projects.list

rma.*

serviceusage.quotas.get

(roles/migrationcenter.discoveryClient)

Migration Center Discover Client role

migrationcenter.assets.reportFrames

migrationcenter.discoveryClients.get

migrationcenter.discoveryClients.sendHeartbeat

(roles/migrationcenter.discoveryClientRegistrator)

Registrator of Migration Center Discover Clients

migrationcenter.discoveryClients.create

migrationcenter.discoveryClients.delete

migrationcenter.discoveryClients.update

migrationcenter.operations.get

migrationcenter.sources.create

migrationcenter.sources.delete

resourcemanager.projects.get

resourcemanager.projects.list

(roles/migrationcenter.viewer)

Read-only access to all Migration Center resources.

migrationcenter.assets.get

migrationcenter.assets.list

migrationcenter.discoveryClients.get

migrationcenter.discoveryClients.list

migrationcenter.errorFrames.*

migrationcenter.groups.get

migrationcenter.groups.list

migrationcenter.importDataFiles.get

migrationcenter.importDataFiles.list

migrationcenter.importJobs.get

migrationcenter.importJobs.list

migrationcenter.locations.*

migrationcenter.operations.get

migrationcenter.operations.list

migrationcenter.preferenceSets.get

migrationcenter.preferenceSets.list

migrationcenter.reportConfigs.get

migrationcenter.reportConfigs.list

migrationcenter.reports.get

migrationcenter.reports.list

migrationcenter.settings.get

migrationcenter.sources.get

migrationcenter.sources.list

resourcemanager.projects.get

resourcemanager.projects.list

rma.annotations.get

rma.collectors.get

rma.collectors.list

rma.locations.*

rma.operations.get

rma.operations.list

serviceusage.quotas.get

Permissions

(roles/monitoring.admin)

Provides the same access as the Monitoring Editor role (roles/monitoring.editor).

Lowest-level resources where you can grant this role:

  • Project

cloudnotifications.activities.list

monitoring.*

opsconfigmonitoring.*

resourcemanager.projects.get

resourcemanager.projects.list

serviceusage.services.enable

serviceusage.services.get

stackdriver.*

(roles/monitoring.alertPolicyEditor)

Read/write access to alerting policies.

monitoring.alertPolicies.*

(roles/monitoring.alertPolicyViewer)

Read-only access to alerting policies.

monitoring.alertPolicies.get

monitoring.alertPolicies.list

(roles/monitoring.cloudConsoleIncidentEditor)

Read/write access to incidents from Cloud Console.

(roles/monitoring.cloudConsoleIncidentViewer)

Read access to incidents from Cloud Console.

(roles/monitoring.dashboardEditor)

Read/write access to dashboard configurations.

monitoring.dashboards.*

(roles/monitoring.dashboardViewer)

Read-only access to dashboard configurations.

monitoring.dashboards.get

monitoring.dashboards.list

(roles/monitoring.editor)

Provides full access to information about all monitoring data and configurations.

Lowest-level resources where you can grant this role:

  • Project

cloudnotifications.activities.list

monitoring.alertPolicies.*

monitoring.dashboards.*

monitoring.groups.*

monitoring.metricDescriptors.*

monitoring.monitoredResourceDescriptors.*

monitoring.notificationChannelDescriptors.*

monitoring.notificationChannels.create

monitoring.notificationChannels.delete

monitoring.notificationChannels.get

monitoring.notificationChannels.list

monitoring.notificationChannels.sendVerificationCode

monitoring.notificationChannels.update

monitoring.notificationChannels.verify

monitoring.publicWidgets.*

monitoring.services.*

monitoring.slos.*

monitoring.snoozes.*

monitoring.timeSeries.*

monitoring.uptimeCheckConfigs.*

opsconfigmonitoring.*

resourcemanager.projects.get

resourcemanager.projects.list

serviceusage.services.enable

serviceusage.services.get

stackdriver.*

(roles/monitoring.metricWriter)

Provides write-only access to metrics. This provides exactly the permissions needed by the Cloud Monitoring agent and other systems that send metrics.

Lowest-level resources where you can grant this role:

  • Project

monitoring.metricDescriptors.create

monitoring.metricDescriptors.get

monitoring.metricDescriptors.list

monitoring.monitoredResourceDescriptors.*

monitoring.timeSeries.create

(roles/monitoring.metricsScopesAdmin)

Access to add and remove monitored projects from metrics scopes.

monitoring.metricsScopes.link

resourcemanager.projects.get

resourcemanager.projects.list

(roles/monitoring.metricsScopesViewer)

Read-only access to metrics scopes and their monitored projects.

resourcemanager.projects.get

resourcemanager.projects.list

(roles/monitoring.notificationChannelEditor)

Read/write access to notification channels.

monitoring.notificationChannelDescriptors.*

monitoring.notificationChannels.create

monitoring.notificationChannels.delete

monitoring.notificationChannels.get

monitoring.notificationChannels.list

monitoring.notificationChannels.sendVerificationCode

monitoring.notificationChannels.update

monitoring.notificationChannels.verify

(roles/monitoring.notificationChannelViewer)

Read-only access to notification channels.

monitoring.notificationChannelDescriptors.*

monitoring.notificationChannels.get

monitoring.notificationChannels.list

(roles/monitoring.servicesEditor)

Read/write access to services.

monitoring.services.*

monitoring.slos.*

(roles/monitoring.servicesViewer)

Read-only access to services.

monitoring.services.get

monitoring.services.list

monitoring.slos.get

monitoring.slos.list

(roles/monitoring.snoozeEditor)

monitoring.snoozes.*

(roles/monitoring.snoozeViewer)

monitoring.snoozes.get

monitoring.snoozes.list

(roles/monitoring.uptimeCheckConfigEditor)

Read/write access to uptime check configurations.

monitoring.uptimeCheckConfigs.*

(roles/monitoring.uptimeCheckConfigViewer)

Read-only access to uptime check configurations.

monitoring.uptimeCheckConfigs.get

monitoring.uptimeCheckConfigs.list

(roles/monitoring.viewer)

Provides read-only access to get and list information about all monitoring data and configurations.

Lowest-level resources where you can grant this role:

  • Project

cloudnotifications.activities.list

monitoring.alertPolicies.get

monitoring.alertPolicies.list

monitoring.dashboards.get

monitoring.dashboards.list

monitoring.groups.get

monitoring.groups.list

monitoring.metricDescriptors.get

monitoring.metricDescriptors.list

monitoring.monitoredResourceDescriptors.*

monitoring.notificationChannelDescriptors.*

monitoring.notificationChannels.get

monitoring.notificationChannels.list

monitoring.publicWidgets.get

monitoring.publicWidgets.list

monitoring.services.get

monitoring.services.list

monitoring.slos.get

monitoring.slos.list

monitoring.snoozes.get

monitoring.snoozes.list

monitoring.timeSeries.list

monitoring.uptimeCheckConfigs.get

monitoring.uptimeCheckConfigs.list

opsconfigmonitoring.resourceMetadata.list

resourcemanager.projects.get

resourcemanager.projects.list

stackdriver.projects.get

stackdriver.resourceMetadata.list

Permissions

(roles/networkconnectivity.consumerNetworkAdmin)

Service Automation Consumer Network Admin is responsible for setting up ServiceConnectionPolicies.

networkconnectivity.serviceConnectionPolicies.*

resourcemanager.projects.get

resourcemanager.projects.list

(roles/networkconnectivity.groupUser)

Enables use access on group resources

networkconnectivity.groups.use

(roles/networkconnectivity.hubAdmin)

Enables full access to hub and spoke resources.

Lowest-level resources where you can grant this role:

  • Project

networkconnectivity.groups.*

networkconnectivity.hubRouteTables.*

networkconnectivity.hubRoutes.*

networkconnectivity.hubs.*

networkconnectivity.locations.*

networkconnectivity.operations.*

networkconnectivity.spokes.*

resourcemanager.projects.get

resourcemanager.projects.list

(roles/networkconnectivity.hubViewer)

Enables read-only access to hub and spoke resources.

Lowest-level resources where you can grant this role:

  • Project

networkconnectivity.groups.get

networkconnectivity.groups.getIamPolicy

networkconnectivity.groups.list

networkconnectivity.hubRouteTables.get

networkconnectivity.hubRouteTables.getIamPolicy

networkconnectivity.hubRouteTables.list

networkconnectivity.hubRoutes.get

networkconnectivity.hubRoutes.getIamPolicy

networkconnectivity.hubRoutes.list

networkconnectivity.hubs.get

networkconnectivity.hubs.getIamPolicy

networkconnectivity.hubs.list

networkconnectivity.hubs.listSpokes

networkconnectivity.locations.*

networkconnectivity.spokes.get

networkconnectivity.spokes.getIamPolicy

networkconnectivity.spokes.list

resourcemanager.projects.get

resourcemanager.projects.list

(roles/networkconnectivity.regionalEndpointAdmin)

Full access to all Regional Endpoint resources.

networkconnectivity.regionalEndpoints.*

resourcemanager.projects.get

resourcemanager.projects.list

(roles/networkconnectivity.regionalEndpointViewer)

Read-only access to all Regional Endpoint resources.

networkconnectivity.regionalEndpoints.get

networkconnectivity.regionalEndpoints.list

resourcemanager.projects.get

resourcemanager.projects.list

(roles/networkconnectivity.serviceClassUser)

Service Class User uses a ServiceClass

networkconnectivity.serviceClasses.get

networkconnectivity.serviceClasses.list

networkconnectivity.serviceClasses.use

resourcemanager.projects.get

resourcemanager.projects.list

(roles/networkconnectivity.serviceProducerAdmin)

Service Automation Producer Admin uses information from a consumer request to manage ServiceClasses and ServiceConnectionMaps

networkconnectivity.operations.get

networkconnectivity.operations.list

networkconnectivity.serviceClasses.*

networkconnectivity.serviceConnectionMaps.*

resourcemanager.projects.get

resourcemanager.projects.list

(roles/networkconnectivity.spokeAdmin)

Enables full access to spoke resources and read-only access to hub resources.

Lowest-level resources where you can grant this role:

  • Project

networkconnectivity.hubRouteTables.get

networkconnectivity.hubRouteTables.getIamPolicy

networkconnectivity.hubRouteTables.list

networkconnectivity.hubRoutes.get

networkconnectivity.hubRoutes.getIamPolicy

networkconnectivity.hubRoutes.list

networkconnectivity.hubs.get

networkconnectivity.hubs.getIamPolicy

networkconnectivity.hubs.list

networkconnectivity.locations.*

networkconnectivity.operations.get

networkconnectivity.operations.list

networkconnectivity.spokes.*

resourcemanager.projects.get

resourcemanager.projects.list

Permissions

(roles/networkmanagement.admin)

Full access to Network Management resources.

Lowest-level resources where you can grant this role:

  • Project

networkmanagement.*

resourcemanager.organizations.get

resourcemanager.projects.get

resourcemanager.projects.list

(roles/networkmanagement.viewer)

Read-only access to Network Management resources.

Lowest-level resources where you can grant this role:

  • Project

networkmanagement.config.get

networkmanagement.connectivitytests.get

networkmanagement.connectivitytests.getIamPolicy

networkmanagement.connectivitytests.list

networkmanagement.locations.*

networkmanagement.operations.*

networkmanagement.topologygraphs.read

resourcemanager.organizations.get

resourcemanager.projects.get

resourcemanager.projects.list

Permissions

(roles/ondemandscanning.admin)

All permissions for On-Demand Scanning

ondemandscanning.*

Permissions

(roles/opsconfigmonitoring.resourceMetadata.viewer)

Read-only access to resource metadata.

opsconfigmonitoring.resourceMetadata.list

(roles/opsconfigmonitoring.resourceMetadata.writer)

Write-only access to resource metadata. This provides exactly the permissions needed by the Ops Config Monitoring metadata agent and other systems that send metadata.

opsconfigmonitoring.resourceMetadata.write

Permissions

(roles/axt.admin)

Enable Access Transparency for Organization

Lowest-level resources where you can grant this role:

  • Project

axt.*

resourcemanager.organizations.get

resourcemanager.projects.get

resourcemanager.projects.list

(roles/orgpolicy.policyAdmin)

Provides access to define what restrictions an organization wants to place on the configuration of cloud resources by setting Organization Policies.

Lowest-level resources where you can grant this role:

  • Organization

orgpolicy.*

policysimulator.orgPolicyViolations.list

policysimulator.orgPolicyViolationsPreviews.*

(roles/orgpolicy.policyViewer)

Provides access to view Organization Policies on resources.

Lowest-level resources where you can grant this role:

  • Project

orgpolicy.constraints.list

orgpolicy.customConstraints.get

orgpolicy.customConstraints.list

orgpolicy.policies.list

orgpolicy.policy.get

Permissions

(roles/advisorynotifications.admin)

Grants write access to settings in Advisory Notifications

advisorynotifications.*

resourcemanager.organizations.get

resourcemanager.projects.get

(roles/advisorynotifications.viewer)

Grants view access in Advisory Notifications

advisorynotifications.notifications.*

advisorynotifications.settings.get

resourcemanager.organizations.get

resourcemanager.projects.get

(roles/apphub.admin)

Full access to App Hub resources.

apphub.*

resourcemanager.projects.get

resourcemanager.projects.list

(roles/apphub.editor)

Edit access to App Hub resources.

apphub.applications.create

apphub.applications.delete

apphub.applications.get

apphub.applications.list

apphub.applications.update

apphub.discoveredServices.*

apphub.discoveredWorkloads.*

apphub.locations.*

apphub.operations.*

apphub.serviceProjectAttachments.lookup

apphub.services.*

apphub.workloads.*

resourcemanager.projects.get

resourcemanager.projects.list

(roles/apphub.viewer)

View access to App Hub resources.

apphub.applications.get

apphub.applications.list

apphub.discoveredServices.get

apphub.discoveredServices.list

apphub.discoveredWorkloads.get

apphub.discoveredWorkloads.list

apphub.locations.*

apphub.operations.get

apphub.operations.list

apphub.serviceProjectAttachments.lookup

apphub.services.get

apphub.services.list

apphub.workloads.get

apphub.workloads.list

resourcemanager.projects.get

resourcemanager.projects.list

(roles/applianceactivation.approver)

Grants access to approve commands to run on appliances

applianceactivation.rttCommands.approve

applianceactivation.rttCommands.get

resourcemanager.projects.get

resourcemanager.projects.list

(roles/applianceactivation.client)

Grants access to read commands for an appliance and send its result.

applianceactivation.rttCommands.get

applianceactivation.rttCommands.sendResult

(roles/applianceactivation.troubleshooter)

Grants access to send new commands to run on appliances and view the outputs

applianceactivation.rttCommands.create

applianceactivation.rttCommands.get

applianceactivation.rttCommands.list

resourcemanager.projects.get

resourcemanager.projects.list

(roles/assuredoss.admin)

Allows users admin access to Assured OSS for the organization (super user). Users can view and manage Assured OSS entitlement and configurations.

artifactregistry.dockerimages.*

artifactregistry.files.*

artifactregistry.locations.*

artifactregistry.mavenartifacts.*

artifactregistry.npmpackages.*

artifactregistry.packages.get

artifactregistry.packages.list

artifactregistry.projectsettings.get

artifactregistry.pythonpackages.*

artifactregistry.repositories.create

artifactregistry.repositories.downloadArtifacts

artifactregistry.repositories.get

artifactregistry.repositories.list

artifactregistry.repositories.listEffectiveTags

artifactregistry.repositories.listTagBindings

artifactregistry.repositories.readViaVirtualRepository

artifactregistry.tags.get

artifactregistry.tags.list

artifactregistry.versions.get

artifactregistry.versions.list

assuredoss.config.get

assuredoss.locations.*

assuredoss.metadata.*

assuredoss.operations.*

resourcemanager.organizations.get

resourcemanager.projects.get

resourcemanager.projects.list

(roles/assuredoss.projectAdmin)

Allows users admin access to Assured OSS for a specified project. Users can view and manage Assured OSS entitlement and configurations.

artifactregistry.dockerimages.*

artifactregistry.files.*

artifactregistry.locations.*

artifactregistry.mavenartifacts.*

artifactregistry.npmpackages.*

artifactregistry.packages.get

artifactregistry.packages.list

artifactregistry.projectsettings.get

artifactregistry.pythonpackages.*

artifactregistry.repositories.create

artifactregistry.repositories.downloadArtifacts

artifactregistry.repositories.get

artifactregistry.repositories.list

artifactregistry.repositories.listEffectiveTags

artifactregistry.repositories.listTagBindings

artifactregistry.repositories.readViaVirtualRepository

artifactregistry.tags.get

artifactregistry.tags.list

artifactregistry.versions.get

artifactregistry.versions.list

assuredoss.*

iam.serviceAccounts.create

iam.serviceAccounts.get

resourcemanager.organizations.get

resourcemanager.projects.get

resourcemanager.projects.list

serviceusage.services.enable

serviceusage.services.get

(roles/assuredoss.reader)

Allows users read access to Assured OSS for a specified project. Users can use Assured OSS and view Assured OSS configurations.

artifactregistry.dockerimages.*

artifactregistry.files.*

artifactregistry.locations.*

artifactregistry.mavenartifacts.*

artifactregistry.npmpackages.*

artifactregistry.packages.get

artifactregistry.packages.list

artifactregistry.projectsettings.get

artifactregistry.pythonpackages.*

artifactregistry.repositories.downloadArtifacts

artifactregistry.repositories.get

artifactregistry.repositories.list

artifactregistry.repositories.listEffectiveTags

artifactregistry.repositories.listTagBindings

artifactregistry.repositories.readViaVirtualRepository

artifactregistry.tags.get

artifactregistry.tags.list

artifactregistry.versions.get

artifactregistry.versions.list

assuredoss.config.get

assuredoss.locations.*

assuredoss.metadata.*

assuredoss.operations.get

assuredoss.operations.list

resourcemanager.organizations.get

resourcemanager.projects.get

resourcemanager.projects.list

(roles/assuredoss.user)

Allows service accounts access to Assured OSS for a specified project. The accounts will have permissions to use Assured OSS.

artifactregistry.dockerimages.*

artifactregistry.files.*

artifactregistry.locations.*

artifactregistry.mavenartifacts.*

artifactregistry.npmpackages.*

artifactregistry.packages.get

artifactregistry.packages.list

artifactregistry.projectsettings.get

artifactregistry.pythonpackages.*

artifactregistry.repositories.downloadArtifacts

artifactregistry.repositories.get

artifactregistry.repositories.list

artifactregistry.repositories.listEffectiveTags

artifactregistry.repositories.listTagBindings

artifactregistry.repositories.readViaVirtualRepository

artifactregistry.tags.get

artifactregistry.tags.list

artifactregistry.versions.get

artifactregistry.versions.list

assuredoss.locations.*

assuredoss.metadata.*

assuredoss.operations.get

assuredoss.operations.list

resourcemanager.organizations.get

resourcemanager.projects.get

resourcemanager.projects.list

(roles/auditmanager.admin)

Full access to Audit Manager resources.

auditmanager.*

resourcemanager.folders.get

resourcemanager.folders.list

resourcemanager.organizations.get

resourcemanager.projects.get

resourcemanager.projects.list

(roles/auditmanager.auditor)

Allows creating and viewing an audit report.

auditmanager.auditReports.generate

auditmanager.auditScopeReports.generate

auditmanager.locations.get

auditmanager.locations.list

auditmanager.operations.*

resourcemanager.folders.get

resourcemanager.folders.list

resourcemanager.organizations.get

resourcemanager.projects.get

resourcemanager.projects.list

(roles/autoscaling.metricsWriter)

Access to write metrics for autoscaling site

autoscaling.sites.writeMetrics

(roles/autoscaling.recommendationsReader)

Access to read recommendations from autoscaling site

autoscaling.sites.readRecommendations

(roles/autoscaling.sitesAdmin)

Full access to all autoscaling site features

autoscaling.*

resourcemanager.projects.get

resourcemanager.projects.list

(roles/autoscaling.stateWriter)

Access to write state for autoscaling site

autoscaling.sites.writeState

(roles/batch.agentReporter)

Reporter of batch agent states.

batch.states.report

(roles/batch.jobsEditor)

Editor of batch Jobs

batch.jobs.*

batch.locations.*

batch.operations.*

batch.tasks.*

resourcemanager.projects.get

resourcemanager.projects.list

(roles/batch.jobsViewer)

Viewer of Batch Jobs, Task Groups and Tasks

batch.jobs.get

batch.jobs.list

batch.locations.*

batch.operations.*

batch.tasks.*

resourcemanager.projects.get

resourcemanager.projects.list

(roles/biglake.admin)

Provides full access to all BigLake resources.

biglake.*

resourcemanager.projects.get

resourcemanager.projects.list

(roles/biglake.viewer)

Provides read-only access to all BigLake resources.

biglake.catalogs.get

biglake.catalogs.list

biglake.databases.get

biglake.databases.list

biglake.locks.list

biglake.tables.get

biglake.tables.list

resourcemanager.projects.get

resourcemanager.projects.list

(roles/bigquerymigration.editor)

Editor of EDW migration workflows.

bigquerymigration.locations.*

bigquerymigration.subtasks.get

bigquerymigration.subtasks.list

bigquerymigration.workflows.create

bigquerymigration.workflows.delete

bigquerymigration.workflows.get

bigquerymigration.workflows.list

bigquerymigration.workflows.update

(roles/bigquerymigration.orchestrator)

Orchestrator of EDW migration tasks.

bigquerymigration.subtasks.create

bigquerymigration.taskTypes.orchestrateTask

bigquerymigration.workflows.orchestrateTask

storage.objects.list

(roles/bigquerymigration.translationUser)

User of EDW migration interactive SQL translation service.

bigquerymigration.translation.translate

(roles/bigquerymigration.viewer)

Viewer of EDW migration MigrationWorkflow.

bigquerymigration.locations.*

bigquerymigration.subtasks.get

bigquerymigration.subtasks.list

bigquerymigration.workflows.get

bigquerymigration.workflows.list

(roles/bigquerymigration.worker)

Worker that executes EDW migration subtasks.

bigquerymigration.subtaskTypes.executeTask

bigquerymigration.subtasks.executeTask

storage.objects.create

storage.objects.get

storage.objects.list

(roles/billing.carbonViewer)

billing.accounts.get

billing.accounts.getCarbonInformation

billing.accounts.list

(roles/blockchainnodeengine.admin)

Full access to Blockchain Node Engine resources.

blockchainnodeengine.*

resourcemanager.projects.get

resourcemanager.projects.list

(roles/blockchainnodeengine.viewer)

Read-only access to Blockchain Node Engine resources.

blockchainnodeengine.blockchainNodes.get

blockchainnodeengine.blockchainNodes.list

blockchainnodeengine.locations.*

blockchainnodeengine.operations.get

blockchainnodeengine.operations.list

resourcemanager.projects.get

resourcemanager.projects.list

(roles/capacityplanner.viewer)

Read-only access to Capacity Planner usage resources

capacityplanner.*

cloudquotas.quotas.get

monitoring.timeSeries.list

resourcemanager.organizations.get

resourcemanager.projects.get

resourcemanager.projects.list

serviceusage.quotas.get

serviceusage.services.get

(roles/carestudio.viewer)

This role can view all properties of Patients.

carestudio.*

resourcemanager.projects.get

resourcemanager.projects.list

(roles/chroniclesm.admin)

Admins can view and modify Chronicle service details.

chroniclesm.*

(roles/chroniclesm.viewer)

Viewers can see Chronicle service details but not change them.

chroniclesm.gcpAssociations.get

chroniclesm.gcpSettings.get

(roles/cloud.locationReader)

Read and enumerate locations available for resource creation.

cloud.*

(roles/cloudaicompanion.user)

A user who can receive assistance from Cloud AI Companion

cloudaicompanion.*

resourcemanager.projects.get

resourcemanager.projects.list

(roles/cloudcontrolspartner.admin)

Full access to Cloud Controls Partner resources.

cloudcontrolspartner.accessapprovalrequests.list

cloudcontrolspartner.customers.list

cloudcontrolspartner.ekmconnections.get

cloudcontrolspartner.inspectabilityevents.get

cloudcontrolspartner.partnerpermissions.get

cloudcontrolspartner.partners.get

cloudcontrolspartner.platformcontrols.get

cloudcontrolspartner.violations.list

cloudcontrolspartner.workloads.list

(roles/cloudcontrolspartner.editor)

Editor access to Cloud Controls Partner resources.

cloudcontrolspartner.*

(roles/cloudcontrolspartner.inspectabilityReader)

Read-only access to Cloud Controls Partner inspectability resources.

cloudcontrolspartner.customers.*

cloudcontrolspartner.inspectabilityevents.get

cloudcontrolspartner.platformcontrols.get

(roles/cloudcontrolspartner.monitoringReader)

Read-only access to Cloud Controls Partner monitoring resources.

cloudcontrolspartner.customers.*

cloudcontrolspartner.violations.*

cloudcontrolspartner.workloads.*

(roles/cloudcontrolspartner.reader)

Read-only access to Cloud Controls Partner resources.

cloudcontrolspartner.*

(roles/cloudoptimization.admin)

Administrator of Cloud Optimization AI resources

cloudoptimization.*

(roles/cloudoptimization.editor)

Editor of Cloud Optimization AI resources

cloudoptimization.*

(roles/cloudoptimization.viewer)

Viewer of Cloud Optimization AI resources

cloudoptimization.operations.get

(roles/cloudquotas.admin)

Full access to Cloud Quotas resources.

cloudquotas.*

monitoring.timeSeries.list

resourcemanager.projects.get

resourcemanager.projects.list

(roles/cloudquotas.viewer)

Read-only access to Cloud Quotas resources.

cloudquotas.quotas.get

resourcemanager.projects.get

resourcemanager.projects.list

(roles/commerceagreementpublishing.admin)

Admin of Commerce Agreement Publishing service

commerceagreementpublishing.*

resourcemanager.projects.get

resourcemanager.projects.list

(roles/commerceagreementpublishing.viewer)

Viewer of Commerce Agreement Publishing service

commerceagreementpublishing.agreements.get

commerceagreementpublishing.agreements.list

commerceagreementpublishing.documents.get

commerceagreementpublishing.documents.list

resourcemanager.projects.get

resourcemanager.projects.list

(roles/confidentialcomputing.workloadUser)

Grants the ability to generate an attestation token and run a workload in a VM. Intended for service accounts that run on Confidential Space VMs.

confidentialcomputing.*

logging.logEntries.create

(roles/contactcenteraiplatform.admin)

Full access to Contact Center AI Platform resources.

contactcenteraiplatform.*

resourcemanager.projects.get

resourcemanager.projects.list

(roles/contactcenteraiplatform.viewer)

Read-only access to Contact Center AI Platform resources.

contactcenteraiplatform.contactCenters.get

contactcenteraiplatform.contactCenters.list

contactcenteraiplatform.locations.*

contactcenteraiplatform.operations.get

contactcenteraiplatform.operations.list

resourcemanager.projects.get

resourcemanager.projects.list

(roles/contactcenterinsights.editor)

Grants read and write access to all Contact Center AI Insights resources.

contactcenterinsights.*

(roles/contactcenterinsights.viewer)

Grants read access to all Contact Center AI Insights resources.

contactcenterinsights.analyses.get

contactcenterinsights.analyses.list

contactcenterinsights.conversations.get

contactcenterinsights.conversations.list

contactcenterinsights.faqEntries.get

contactcenterinsights.faqEntries.list

contactcenterinsights.faqModels.get

contactcenterinsights.faqModels.list

contactcenterinsights.issueModels.get

contactcenterinsights.issueModels.list

contactcenterinsights.issues.get

contactcenterinsights.issues.list

contactcenterinsights.operations.*

contactcenterinsights.phraseMatchers.get

contactcenterinsights.phraseMatchers.list

contactcenterinsights.settings.get

contactcenterinsights.views.get

contactcenterinsights.views.list

(roles/containersecurity.viewer)

Read-only access to GKE Security Posture resources.

container.clusters.list

containersecurity.*

resourcemanager.projects.get

resourcemanager.projects.list

(roles/contentwarehouse.admin)

Grants full access to all the resources in Content Warehouse

contentwarehouse.corpora.*

contentwarehouse.dataExportJobs.*

contentwarehouse.documentSchemas.*

contentwarehouse.documents.*

contentwarehouse.locations.*

contentwarehouse.operations.get

contentwarehouse.rawDocuments.*

contentwarehouse.ruleSets.*

contentwarehouse.synonymSets.*

resourcemanager.projects.get

resourcemanager.projects.list

(roles/contentwarehouse.documentAdmin)

Grants full access to the document resource in Content Warehouse

contentwarehouse.documentSchemas.get

contentwarehouse.documents.create

contentwarehouse.documents.delete

contentwarehouse.documents.get

contentwarehouse.documents.getIamPolicy

contentwarehouse.documents.setIamPolicy

contentwarehouse.documents.update

contentwarehouse.links.*

contentwarehouse.locations.getStatus

contentwarehouse.rawDocuments.*

resourcemanager.projects.get

resourcemanager.projects.list

(roles/contentwarehouse.documentCreator)

Grants access to create documents in Content Warehouse

contentwarehouse.documentSchemas.get

contentwarehouse.documentSchemas.list

contentwarehouse.documents.create

contentwarehouse.locations.getStatus

resourcemanager.projects.get

resourcemanager.projects.list

(roles/contentwarehouse.documentEditor)

Grants access to update document resource in Content Warehouse

contentwarehouse.documentSchemas.get

contentwarehouse.documents.get

contentwarehouse.documents.getIamPolicy

contentwarehouse.documents.update

contentwarehouse.links.*

contentwarehouse.locations.getStatus

contentwarehouse.rawDocuments.*

resourcemanager.projects.get

resourcemanager.projects.list

(roles/contentwarehouse.documentSchemaViewer)

Grants access to view the document schemas in Content Warehouse

contentwarehouse.documentSchemas.get

contentwarehouse.documentSchemas.list

contentwarehouse.locations.getStatus

resourcemanager.projects.get

resourcemanager.projects.list

(roles/contentwarehouse.documentViewer)

Grants access to view all the resources in Content Warehouse

contentwarehouse.documentSchemas.get

contentwarehouse.documents.get

contentwarehouse.documents.getIamPolicy

contentwarehouse.links.get

contentwarehouse.locations.getStatus

contentwarehouse.rawDocuments.download

resourcemanager.projects.get

resourcemanager.projects.list

(roles/databaseinsights.eventsViewer)

Viewer role for Events Service data

databaseinsights.aggregatedEvents.query

databaseinsights.clusterEvents.query

databaseinsights.instanceEvents.query

(roles/databaseinsights.monitoringViewer)

Viewer role for Database Insights monitoring data

databaseinsights.activeQueries.fetch

databaseinsights.activitySummary.fetch

databaseinsights.aggregatedStats.query

databaseinsights.locations.*

databaseinsights.timeSeries.query

databaseinsights.workloadRecommendations.fetch

resourcemanager.projects.get

resourcemanager.projects.list

(roles/databaseinsights.operationsAdmin)

Admin role for performing Database Insights operations

databaseinsights.activeQuery.terminate

(roles/databaseinsights.recommendationViewer)

Viewer role for Database Insights recommendation data

databaseinsights.locations.*

databaseinsights.recommendations.query

databaseinsights.resourceRecommendations.query

databaseinsights.workloadRecommendations.fetch

resourcemanager.projects.get

resourcemanager.projects.list

(roles/databaseinsights.viewer)

Viewer role for Database Insights data

databaseinsights.activeQueries.fetch

databaseinsights.activitySummary.fetch

databaseinsights.aggregatedStats.query

databaseinsights.locations.*

databaseinsights.recommendations.query

databaseinsights.resourceRecommendations.query

databaseinsights.timeSeries.query

databaseinsights.workloadRecommendations.fetch

resourcemanager.projects.get

resourcemanager.projects.list

(roles/datalineage.admin)

Grants full access to all resources in Data Lineage API

datalineage.*

resourcemanager.projects.get

resourcemanager.projects.list

(roles/datalineage.editor)

Grants edit access to all resources in Data Lineage API

datalineage.events.*

datalineage.locations.searchLinks

datalineage.operations.get

datalineage.processes.create

datalineage.processes.get

datalineage.processes.list

datalineage.processes.update

datalineage.runs.create

datalineage.runs.get

datalineage.runs.list

datalineage.runs.update

resourcemanager.projects.get

resourcemanager.projects.list

(roles/datalineage.producer)

Grants access to creating all resources in Data Lineage API

datalineage.events.create

datalineage.processes.create

datalineage.processes.get

datalineage.processes.update

datalineage.runs.create

datalineage.runs.get

datalineage.runs.update

resourcemanager.projects.get

resourcemanager.projects.list

(roles/datalineage.viewer)

Grants read access to all resources in Data Lineage API

datalineage.events.get

datalineage.events.list

datalineage.locations.searchLinks

datalineage.processes.get

datalineage.processes.list

datalineage.runs.get

datalineage.runs.list

resourcemanager.projects.get

resourcemanager.projects.list

(roles/dataprocessing.admin)

Data processing controls admin who can fully manage data processing controls settings and view all datasource data.

billing.accounts.get

billing.accounts.list

dataprocessing.*

(roles/dataprocessing.dataSourceManager)

Data processing controls data source manager who can get, list, and update the underlying data.

dataprocessing.datasources.list

dataprocessing.datasources.update

(roles/discoveryengine.admin)

Grants full access to all discoveryengine resources.

discoveryengine.*

(roles/discoveryengine.editor)

Grants read and write access to all discovery engine resources.

discoveryengine.analytics.*

discoveryengine.branches.*

discoveryengine.cmekConfigs.get

discoveryengine.cmekConfigs.list

discoveryengine.collections.get

discoveryengine.collections.list

discoveryengine.completionConfigs.get

discoveryengine.controls.get

discoveryengine.controls.list

discoveryengine.conversations.*

discoveryengine.dataStores.completeQuery

discoveryengine.dataStores.get

discoveryengine.dataStores.list

discoveryengine.documentProcessingConfigs.get

discoveryengine.documents.create

discoveryengine.documents.delete

discoveryengine.documents.get

discoveryengine.documents.import

discoveryengine.documents.list

discoveryengine.documents.update

discoveryengine.engines.get

discoveryengine.engines.list

discoveryengine.engines.pause

discoveryengine.engines.resume

discoveryengine.engines.tune

discoveryengine.models.*

discoveryengine.operations.*

discoveryengine.projects.get

discoveryengine.schemas.get

discoveryengine.schemas.list

discoveryengine.schemas.preview

discoveryengine.schemas.validate

discoveryengine.servingConfigs.get

discoveryengine.servingConfigs.list

discoveryengine.servingConfigs.recommend

discoveryengine.servingConfigs.search

discoveryengine.siteSearchEngines.get

discoveryengine.targetSites.get

discoveryengine.targetSites.list

discoveryengine.userEvents.create

discoveryengine.userEvents.fetchStats

discoveryengine.userEvents.import

discoveryengine.widgetConfigs.*

(roles/discoveryengine.viewer)

Grants read access to all discovery engine resources.

discoveryengine.analytics.*

discoveryengine.branches.*

discoveryengine.cmekConfigs.get

discoveryengine.cmekConfigs.list

discoveryengine.collections.get

discoveryengine.collections.list

discoveryengine.completionConfigs.get

discoveryengine.controls.get

discoveryengine.controls.list

discoveryengine.conversations.converse

discoveryengine.conversations.get

discoveryengine.conversations.list

discoveryengine.dataStores.completeQuery

discoveryengine.dataStores.get

discoveryengine.dataStores.list

discoveryengine.documentProcessingConfigs.get

discoveryengine.documents.get

discoveryengine.documents.list

discoveryengine.engines.get

discoveryengine.engines.list

discoveryengine.models.get

discoveryengine.models.list

discoveryengine.operations.*

discoveryengine.projects.get

discoveryengine.schemas.get

discoveryengine.schemas.list

discoveryengine.schemas.preview

discoveryengine.schemas.validate

discoveryengine.servingConfigs.get

discoveryengine.servingConfigs.list

discoveryengine.servingConfigs.recommend

discoveryengine.servingConfigs.search

discoveryengine.siteSearchEngines.get

discoveryengine.targetSites.get

discoveryengine.targetSites.list

discoveryengine.userEvents.fetchStats

discoveryengine.widgetConfigs.get

(roles/enterprisepurchasing.admin)

Full access to Enterprise Purchasing resources.

enterprisepurchasing.*

resourcemanager.projects.get

resourcemanager.projects.list

(roles/enterprisepurchasing.editor)

Edit access to Enterprise Purchasing resources.

enterprisepurchasing.gcveCuds.get

enterprisepurchasing.gcveCuds.list

enterprisepurchasing.gcveNodePricingInfo.list

enterprisepurchasing.locations.*

enterprisepurchasing.operations.get

enterprisepurchasing.operations.list

resourcemanager.projects.get

resourcemanager.projects.list

(roles/enterprisepurchasing.viewer)

Read-only access to Enterprise Purchasing resources.

enterprisepurchasing.gcveCuds.get

enterprisepurchasing.gcveCuds.list

enterprisepurchasing.gcveNodePricingInfo.list

enterprisepurchasing.locations.*

enterprisepurchasing.operations.get

enterprisepurchasing.operations.list

resourcemanager.projects.get

resourcemanager.projects.list

(roles/essentialcontacts.admin)

Full access to all essential contacts

essentialcontacts.*

(roles/essentialcontacts.viewer)

Viewer for all essential contacts

essentialcontacts.contacts.get

essentialcontacts.contacts.list

(roles/firebasecloudmessaging.admin)

Full read/write access to Firebase Cloud Messaging API resources.

cloudmessaging.messages.create

fcmdata.deliverydata.list

resourcemanager.projects.get

resourcemanager.projects.list

(roles/firebasecrash.symbolMappingsAdmin)

Full read/write access to symbol mapping file resources for Firebase Crash Reporting.

firebase.clients.get

firebase.clients.list

resourcemanager.projects.get

(roles/gdchardwaremanagement.admin)

Full access to GDC Hardware Management resources.

gdchardwaremanagement.*

resourcemanager.projects.get

resourcemanager.projects.list

(roles/gdchardwaremanagement.operator)

Create, read, and update access to GDC Hardware Management resources that support those operations. Also grants delete access to HardwareGroup resource.

gdchardwaremanagement.changeLogEntries.*

gdchardwaremanagement.comments.*

gdchardwaremanagement.hardware.*

gdchardwaremanagement.hardwareGroups.*

gdchardwaremanagement.locations.*

gdchardwaremanagement.operations.get

gdchardwaremanagement.operations.list

gdchardwaremanagement.orders.create

gdchardwaremanagement.orders.get

gdchardwaremanagement.orders.list

gdchardwaremanagement.orders.update

gdchardwaremanagement.sites.*

gdchardwaremanagement.skus.*

resourcemanager.projects.get

resourcemanager.projects.list

(roles/gdchardwaremanagement.reader)

Read-only access to GDC Hardware Management resources.

gdchardwaremanagement.changeLogEntries.*

gdchardwaremanagement.comments.get

gdchardwaremanagement.comments.list

gdchardwaremanagement.hardware.get

gdchardwaremanagement.hardware.list

gdchardwaremanagement.hardwareGroups.get

gdchardwaremanagement.hardwareGroups.list

gdchardwaremanagement.locations.*

gdchardwaremanagement.operations.get

gdchardwaremanagement.operations.list

gdchardwaremanagement.orders.get

gdchardwaremanagement.orders.list

gdchardwaremanagement.sites.get

gdchardwaremanagement.sites.list

gdchardwaremanagement.skus.*

resourcemanager.projects.get

resourcemanager.projects.list

(roles/identityplatform.admin)

Full access to Identity Platform resources.

firebaseauth.*

identitytoolkit.*

(roles/identityplatform.viewer)

Read access to Identity Platform resources.

firebaseauth.configs.get

firebaseauth.users.get

identitytoolkit.tenants.get

identitytoolkit.tenants.getIamPolicy

identitytoolkit.tenants.list

(roles/identitytoolkit.admin)

Full access to Identity Toolkit resources.

firebaseauth.*

identitytoolkit.*

(roles/identitytoolkit.viewer)

Read access to Identity Toolkit resources.

firebaseauth.configs.get

firebaseauth.users.get

identitytoolkit.tenants.get

identitytoolkit.tenants.getIamPolicy

identitytoolkit.tenants.list

(roles/integrations.apigeeIntegrationAdminRole)

A user that has full access to all Apigee integrations.

connectors.actions.*

connectors.connections.executeSqlQuery

connectors.entities.*

connectors.entityTypes.list

integrations.apigeeAuthConfigs.*

integrations.apigeeCertificates.*

integrations.apigeeExecutions.list

integrations.apigeeIntegrationVers.*

integrations.apigeeIntegrations.*

integrations.apigeeSfdcChannels.*

integrations.apigeeSfdcInstances.*

integrations.apigeeSuspensions.*

integrations.authConfigs.*

integrations.certificates.*

integrations.executions.*

integrations.integrationVersions.create

integrations.integrationVersions.delete

integrations.integrationVersions.deploy

integrations.integrationVersions.get

integrations.integrationVersions.list

integrations.integrationVersions.update

integrations.integrations.*

integrations.sfdcChannels.*

integrations.sfdcInstances.*

integrations.suspensions.*

resourcemanager.projects.get

resourcemanager.projects.list

(roles/integrations.apigeeIntegrationDeployerRole)

A developer that can deploy/undeploy Apigee integrations to the integration runtime.

integrations.apigeeIntegrationVers.deploy

integrations.apigeeIntegrationVers.get

integrations.apigeeIntegrationVers.list

integrations.apigeeIntegrations.list

integrations.integrationVersions.deploy

integrations.integrationVersions.get

integrations.integrationVersions.list

integrations.integrations.deploy

integrations.integrations.get

integrations.integrations.list

resourcemanager.projects.get

resourcemanager.projects.list

(roles/integrations.apigeeIntegrationEditorRole)

A developer that can list, create and update Apigee integrations.

connectors.actions.*

connectors.connections.executeSqlQuery

connectors.entities.*

connectors.entityTypes.list

integrations.apigeeAuthConfigs.create

integrations.apigeeAuthConfigs.get

integrations.apigeeAuthConfigs.list

integrations.apigeeAuthConfigs.update

integrations.apigeeCertificates.create

integrations.apigeeCertificates.get

integrations.apigeeCertificates.list

integrations.apigeeCertificates.update

integrations.apigeeExecutions.list

integrations.apigeeIntegrationVers.*

integrations.apigeeIntegrations.*

integrations.apigeeSfdcChannels.create

integrations.apigeeSfdcChannels.get

integrations.apigeeSfdcChannels.list

integrations.apigeeSfdcChannels.update

integrations.apigeeSfdcInstances.create

integrations.apigeeSfdcInstances.get

integrations.apigeeSfdcInstances.list

integrations.apigeeSfdcInstances.update

integrations.authConfigs.create

integrations.authConfigs.get

integrations.authConfigs.list

integrations.authConfigs.update

integrations.certificates.get

integrations.executions.*

integrations.integrationVersions.create

integrations.integrationVersions.delete

integrations.integrationVersions.deploy

integrations.integrationVersions.get

integrations.integrationVersions.list

integrations.integrationVersions.update

integrations.integrations.create

integrations.integrations.get

integrations.integrations.invoke

integrations.integrations.list

integrations.integrations.update

integrations.sfdcChannels.*

integrations.sfdcInstances.*

resourcemanager.projects.get

resourcemanager.projects.list

(roles/integrations.apigeeIntegrationInvokerRole)

A role that can invoke Apigee integrations.

connectors.actions.*

connectors.connections.executeSqlQuery

connectors.entities.*

connectors.entityTypes.list

integrations.apigeeExecutions.list

integrations.apigeeIntegrationVers.get

integrations.apigeeIntegrationVers.list

integrations.apigeeIntegrations.*

integrations.executions.*

integrations.integrationVersions.get

integrations.integrationVersions.invoke

integrations.integrationVersions.list

integrations.integrations.get

integrations.integrations.invoke

integrations.integrations.list

resourcemanager.projects.get

resourcemanager.projects.list

(roles/integrations.apigeeIntegrationsViewer)

A developer that can list and view Apigee integrations.

integrations.apigeeAuthConfigs.list

integrations.apigeeCertificates.list

integrations.apigeeIntegrationVers.get

integrations.apigeeIntegrationVers.list

integrations.apigeeIntegrations.list

integrations.apigeeSfdcChannels.list

integrations.apigeeSfdcInstances.list

integrations.authConfigs.get

integrations.authConfigs.list

integrations.certificates.get

integrations.certificates.list

integrations.executions.*

integrations.integrationVersions.get

integrations.integrationVersions.list

integrations.integrations.get

integrations.integrations.list

integrations.sfdcChannels.list

integrations.sfdcInstances.list

resourcemanager.projects.get

resourcemanager.projects.list

(roles/integrations.apigeeSuspensionResolver)

A role that can approve / reject Apigee integrations that contain a suspension/wait task.

integrations.apigeeSuspensions.*

integrations.suspensions.*

resourcemanager.projects.get

resourcemanager.projects.list

(roles/integrations.certificateViewer)

A developer that can list and view Certificates.

integrations.certificates.get

resourcemanager.projects.get

resourcemanager.projects.list

(roles/integrations.integrationAdmin)

A user that has full access (CRUD) to all integrations.

integrations.apigeeAuthConfigs.*

integrations.apigeeCertificates.*

integrations.apigeeExecutions.list

integrations.apigeeIntegrationVers.*

integrations.apigeeIntegrations.*

integrations.apigeeSfdcChannels.*

integrations.apigeeSfdcInstances.*

integrations.apigeeSuspensions.*

integrations.authConfigs.*

integrations.certificates.*

integrations.executions.*

integrations.integrationVersions.create

integrations.integrationVersions.delete

integrations.integrationVersions.deploy

integrations.integrationVersions.get

integrations.integrationVersions.list

integrations.integrationVersions.update

integrations.integrations.*

integrations.sfdcChannels.*

integrations.sfdcInstances.*

integrations.suspensions.*

resourcemanager.projects.get

resourcemanager.projects.list

(roles/integrations.integrationDeployer)

A developer that can deploy/undeploy integrations to the integration runtime.

integrations.apigeeIntegrationVers.deploy

integrations.apigeeIntegrationVers.get

integrations.apigeeIntegrationVers.list

integrations.apigeeIntegrations.list

integrations.integrationVersions.deploy

integrations.integrationVersions.get

integrations.integrationVersions.list

integrations.integrations.deploy

integrations.integrations.get

integrations.integrations.list

resourcemanager.projects.get

resourcemanager.projects.list

(roles/integrations.integrationEditor)

A developer that can list, create and update integrations.

integrations.apigeeAuthConfigs.create

integrations.apigeeAuthConfigs.get

integrations.apigeeAuthConfigs.list

integrations.apigeeAuthConfigs.update

integrations.apigeeCertificates.create

integrations.apigeeCertificates.get

integrations.apigeeCertificates.list

integrations.apigeeCertificates.update

integrations.apigeeExecutions.list

integrations.apigeeIntegrationVers.*

integrations.apigeeIntegrations.*

integrations.apigeeSfdcChannels.create

integrations.apigeeSfdcChannels.get

integrations.apigeeSfdcChannels.list

integrations.apigeeSfdcChannels.update

integrations.apigeeSfdcInstances.create

integrations.apigeeSfdcInstances.get

integrations.apigeeSfdcInstances.list

integrations.apigeeSfdcInstances.update

integrations.authConfigs.create

integrations.authConfigs.get

integrations.authConfigs.list

integrations.authConfigs.update

integrations.certificates.get

integrations.executions.*

integrations.integrationVersions.create

integrations.integrationVersions.delete

integrations.integrationVersions.deploy

integrations.integrationVersions.get

integrations.integrationVersions.list

integrations.integrationVersions.update

integrations.integrations.create

integrations.integrations.get

integrations.integrations.invoke

integrations.integrations.list

integrations.integrations.update

integrations.sfdcChannels.*

integrations.sfdcInstances.*

resourcemanager.projects.get

resourcemanager.projects.list

(roles/integrations.integrationInvoker)

A role that can invoke integrations.

integrations.apigeeExecutions.list

integrations.apigeeIntegrationVers.get

integrations.apigeeIntegrationVers.list

integrations.apigeeIntegrations.*

integrations.executions.*

integrations.integrationVersions.get

integrations.integrationVersions.invoke

integrations.integrationVersions.list

integrations.integrations.get

integrations.integrations.invoke

integrations.integrations.list

resourcemanager.projects.get

resourcemanager.projects.list

(roles/integrations.integrationViewer)

A developer that can list and view integrations.

integrations.apigeeAuthConfigs.list

integrations.apigeeCertificates.list

integrations.apigeeIntegrationVers.get

integrations.apigeeIntegrationVers.list

integrations.apigeeIntegrations.list

integrations.apigeeSfdcChannels.list

integrations.apigeeSfdcInstances.list

integrations.authConfigs.get

integrations.authConfigs.list

integrations.certificates.get

integrations.certificates.list

integrations.executions.*

integrations.integrationVersions.get

integrations.integrationVersions.list

integrations.integrations.get

integrations.integrations.list

integrations.sfdcChannels.list

integrations.sfdcInstances.list

resourcemanager.projects.get

resourcemanager.projects.list

(roles/integrations.securityIntegrationAdmin)

A user that has full access to all Security integrations.

integrations.securityAuthConfigs.*

integrations.securityExecutions.*

integrations.securityIntegTempVers.*

integrations.securityIntegrationVers.*

integrations.securityIntegrations.*

(roles/integrations.sfdcInstanceAdmin)

A user that has full access (CRUD) to all SFDC instances.

integrations.sfdcChannels.*

integrations.sfdcInstances.*

resourcemanager.projects.get

resourcemanager.projects.list

(roles/integrations.sfdcInstanceEditor)

A developer that can list, create and update integrations.

integrations.sfdcChannels.create

integrations.sfdcChannels.get

integrations.sfdcChannels.list

integrations.sfdcChannels.update

integrations.sfdcInstances.create

integrations.sfdcInstances.get

integrations.sfdcInstances.list

integrations.sfdcInstances.update

resourcemanager.projects.get

resourcemanager.projects.list

(roles/integrations.sfdcInstanceViewer)

A developer that can list and view SFDC instances.

integrations.sfdcChannels.get

integrations.sfdcChannels.list

integrations.sfdcInstances.get

integrations.sfdcInstances.list

resourcemanager.projects.get

resourcemanager.projects.list

(roles/integrations.suspensionResolver)

A role that can resolve suspended integrations.

integrations.apigeeSuspensions.*

integrations.suspensions.*

resourcemanager.projects.get

resourcemanager.projects.list

(roles/issuerswitch.accountManagerAdmin)

This role can perform all account manager related operations

issuerswitch.accountManagerTransactions.*

issuerswitch.managedAccounts.*

issuerswitch.operations.get

issuerswitch.operations.list

resourcemanager.projects.get

resourcemanager.projects.list

(roles/issuerswitch.accountManagerTransactionsAdmin)

This role can perform all account manager transactions related operations

issuerswitch.accountManagerTransactions.*

issuerswitch.operations.get

issuerswitch.operations.list

resourcemanager.projects.get

resourcemanager.projects.list

(roles/issuerswitch.accountManagerTransactionsViewer)

This role can view all account manager transactions

issuerswitch.accountManagerTransactions.list

issuerswitch.operations.get

issuerswitch.operations.list

resourcemanager.projects.get

resourcemanager.projects.list

(roles/issuerswitch.admin)

Access to all issuer switch roles

issuerswitch.*

resourcemanager.projects.get

resourcemanager.projects.list

(roles/issuerswitch.issuerParticipantsAdmin)

Full access to issuer switch participants

issuerswitch.issuerParticipants.*

resourcemanager.projects.get

resourcemanager.projects.list

(roles/issuerswitch.resolutionsAdmin)

Full access to issuer switch resolutions

issuerswitch.complaintTransactions.list

issuerswitch.complaints.*

issuerswitch.disputes.*

issuerswitch.operations.get

resourcemanager.projects.get

resourcemanager.projects.list

(roles/issuerswitch.rulesAdmin)

Full access to issuer switch rules

issuerswitch.ruleMetadata.list

issuerswitch.ruleMetadataValues.*

issuerswitch.rules.list

resourcemanager.projects.get

resourcemanager.projects.list

(roles/issuerswitch.rulesViewer)

This role can view rules and related metadata.

issuerswitch.ruleMetadata.list

issuerswitch.ruleMetadataValues.list

issuerswitch.rules.list

resourcemanager.projects.get

resourcemanager.projects.list

(roles/issuerswitch.transactionsViewer)

This role can view all transactions

issuerswitch.complaintTransactions.list

issuerswitch.financialTransactions.list

issuerswitch.mandateTransactions.list

issuerswitch.metadataTransactions.list

issuerswitch.operations.get

issuerswitch.operations.list

resourcemanager.projects.get

resourcemanager.projects.list

(roles/kubernetesmetadata.publisher)

Publisher of Kubernetes clusters metadata

kubernetesmetadata.*

(roles/mandiant.attackSurfaceManagementEditor)

Access to write Attack Surface Management

mandiant.genericAttackSurfaceManagements.create

mandiant.genericAttackSurfaceManagements.delete

mandiant.genericAttackSurfaceManagements.update

mandiant.genericPlatforms.create

mandiant.genericPlatforms.delete

mandiant.genericPlatforms.update

resourcemanager.projects.get

resourcemanager.projects.list

(roles/mandiant.attackSurfaceManagementViewer)

Access to read Attack Surface Management

mandiant.genericAttackSurfaceManagements.get

mandiant.genericPlatforms.get

resourcemanager.projects.get

resourcemanager.projects.list

(roles/mandiant.digitalThreatMonitoringEditor)

Access to write Digital Threat Monitoring

mandiant.genericDigitalThreatMonitorings.create

mandiant.genericDigitalThreatMonitorings.update

mandiant.genericPlatforms.create

mandiant.genericPlatforms.update

resourcemanager.projects.get

resourcemanager.projects.list

(roles/mandiant.digitalThreatMonitoringViewer)

Access to read Digital Threat Monitoring

mandiant.genericDigitalThreatMonitorings.get

mandiant.genericPlatforms.get

resourcemanager.projects.get

resourcemanager.projects.list

(roles/mandiant.expertiseOnDemandEditor)

Access to write Expertise On Demand

mandiant.genericExpertiseOnDemands.create

mandiant.genericExpertiseOnDemands.delete

mandiant.genericExpertiseOnDemands.update

mandiant.genericPlatforms.create

mandiant.genericPlatforms.delete

mandiant.genericPlatforms.update

resourcemanager.projects.get

resourcemanager.projects.list

(roles/mandiant.expertiseOnDemandViewer)

Access to read Expertise On Demand

mandiant.genericExpertiseOnDemands.get

mandiant.genericPlatforms.get

resourcemanager.projects.get

resourcemanager.projects.list

(roles/mandiant.threatIntelEditor)

Access to write Threat Intel

mandiant.genericPlatforms.create

mandiant.genericPlatforms.delete

mandiant.genericPlatforms.update

mandiant.genericThreatIntels.create

mandiant.genericThreatIntels.delete

mandiant.genericThreatIntels.update

resourcemanager.projects.get

resourcemanager.projects.list

(roles/mandiant.threatIntelViewer)

Access to read Threat Intel

mandiant.genericPlatforms.get

mandiant.genericThreatIntels.get

resourcemanager.projects.get

resourcemanager.projects.list

(roles/mandiant.validationEditor)

Access to write Validation

mandiant.genericPlatforms.create

mandiant.genericPlatforms.delete

mandiant.genericPlatforms.update

mandiant.genericValidations.create

mandiant.genericValidations.delete

mandiant.genericValidations.update

resourcemanager.projects.get

resourcemanager.projects.list

(roles/mandiant.validationViewer)

Access to read Validation

mandiant.genericPlatforms.get

mandiant.genericValidations.get

resourcemanager.projects.get

resourcemanager.projects.list

(roles/mapsanalytics.viewer)

Grants read-only access to all of the Maps Analytics resources.

mapsanalytics.*

resourcemanager.projects.get

resourcemanager.projects.list

serviceusage.services.list

(roles/mapsplatformdatasets.admin)

Grants read and write access to all the Maps Platform Datasets API resources

mapsadmin.clientStyles.*

mapsplatformdatasets.*

resourcemanager.projects.get

resourcemanager.projects.list

(roles/mapsplatformdatasets.viewer)

Grants read-only access to all the Maps Platform Datasets API resources

mapsadmin.clientStyles.get

mapsadmin.clientStyles.list

mapsplatformdatasets.datasets.export

mapsplatformdatasets.datasets.get

mapsplatformdatasets.datasets.list

resourcemanager.projects.get

resourcemanager.projects.list

(roles/marketplacesolutions.admin)

Full access to Marketplace Solutions resources.

marketplacesolutions.*

resourcemanager.projects.get

resourcemanager.projects.list

(roles/marketplacesolutions.editor)

Edit access to Marketplace Solutions resources.

marketplacesolutions.locations.*

marketplacesolutions.operations.get

marketplacesolutions.operations.list

marketplacesolutions.powerImages.*

marketplacesolutions.powerInstances.get

marketplacesolutions.powerInstances.list

marketplacesolutions.powerInstances.update

marketplacesolutions.powerNetworks.*

marketplacesolutions.powerSshKeys.*

marketplacesolutions.powerVolumes.*

resourcemanager.projects.get

resourcemanager.projects.list

(roles/marketplacesolutions.viewer)

Read-only access to Marketplace Solutions resources.

marketplacesolutions.locations.*

marketplacesolutions.operations.get

marketplacesolutions.operations.list

marketplacesolutions.powerImages.*

marketplacesolutions.powerInstances.get

marketplacesolutions.powerInstances.list

marketplacesolutions.powerNetworks.*

marketplacesolutions.powerSshKeys.*

marketplacesolutions.powerVolumes.*

resourcemanager.projects.get

resourcemanager.projects.list

(roles/nestconsole.homeDeveloperAdmin)

Admin access to Google Home Developer Console resources

nestconsole.*

resourcemanager.projects.get

resourcemanager.projects.list

(roles/nestconsole.homeDeveloperEditor)

Read-write access to Google Home Developer Console resources

nestconsole.smarthomePreviews.update

nestconsole.smarthomeProjects.get

nestconsole.smarthomeProjects.update

nestconsole.smarthomeVersions.*

resourcemanager.projects.get

resourcemanager.projects.list

(roles/nestconsole.homeDeveloperViewer)

Read-only access to Google Home Developer Console resources

nestconsole.smarthomeProjects.get

nestconsole.smarthomeVersions.get

resourcemanager.projects.get

resourcemanager.projects.list

(roles/netapp.admin)

Full access to Google Cloud NetApp Volumes resources.

netapp.*

resourcemanager.projects.get

resourcemanager.projects.list

(roles/netapp.viewer)

Read-only access to Google Cloud NetApp Volumes resources.

netapp.activeDirectories.get

netapp.activeDirectories.list

netapp.backupPolicies.get

netapp.backupPolicies.list

netapp.backupVaults.get

netapp.backupVaults.list

netapp.backups.get

netapp.backups.list

netapp.kmsConfigs.get

netapp.kmsConfigs.list

netapp.replications.get

netapp.replications.list

netapp.snapshots.get

netapp.snapshots.list

netapp.storagePools.get

netapp.storagePools.list

netapp.volumes.get

netapp.volumes.list

resourcemanager.projects.get

resourcemanager.projects.list

(roles/oauthconfig.editor)

Read/write access to OAuth config resources

clientauthconfig.*

oauthconfig.*

(roles/oauthconfig.viewer)

Read-only access to OAuth config resources

clientauthconfig.brands.get

clientauthconfig.brands.list

clientauthconfig.clients.get

clientauthconfig.clients.list

oauthconfig.clientpolicy.get

oauthconfig.testusers.get

oauthconfig.verification.get

(roles/paymentsresellersubscription.partnerAdmin)

Full access to all Payments Reseller resources, including subscriptions, products and promotions

paymentsresellersubscription.*

resourcemanager.projects.get

resourcemanager.projects.list

(roles/paymentsresellersubscription.partnerViewer)

Read access to all Payments Reseller resources, including subscriptions, products and promotions

paymentsresellersubscription.products.list

paymentsresellersubscription.promotions.list

paymentsresellersubscription.subscriptions.get

resourcemanager.projects.get

resourcemanager.projects.list

(roles/paymentsresellersubscription.productViewer)

Read access to Payments Reseller Product resource

paymentsresellersubscription.products.list

resourcemanager.projects.get

resourcemanager.projects.list

(roles/paymentsresellersubscription.promotionViewer)

Read access to Payments Reseller Promotion resource

paymentsresellersubscription.promotions.list

resourcemanager.projects.get

resourcemanager.projects.list

(roles/paymentsresellersubscription.subscriptionEditor)

Write access to Payments Reseller Subscription resource

paymentsresellersubscription.subscriptions.*

resourcemanager.projects.get

resourcemanager.projects.list

(roles/paymentsresellersubscription.subscriptionViewer)

Read access to Payments Reseller Subscription resource

paymentsresellersubscription.subscriptions.get

resourcemanager.projects.get

resourcemanager.projects.list

(roles/policyanalyzer.activityAnalysisViewer)

Viewer user that can read all activity analysis.

policyanalyzer.*

(roles/policyremediatormanager.policyRemediatorAdmin)

Grants the ability to enable and disable the usage of the policy remediator for the organization

policyremediatormanager.*

(roles/policyremediatormanager.policyRemediatorReader)

Grants the ability to read/view the state of the policy remediator for the organization

policyremediatormanager.locations.*

policyremediatormanager.operations.get

policyremediatormanager.operations.list

policyremediatormanager.remediatorServices.get

(roles/policysimulator.admin)

Admin user that can run and access replays.

policysimulator.replayResults.list

policysimulator.replays.*

(roles/policysimulator.orgPolicyAdmin)

OrgPolicy Admin that can run and access simulations.

cloudasset.assets.analyzeOrgPolicy

cloudasset.assets.exportResource

cloudasset.assets.listResource

cloudasset.assets.searchAllResources

orgpolicy.customConstraints.get

orgpolicy.customConstraints.list

orgpolicy.policies.list

orgpolicy.policy.get

policysimulator.orgPolicyViolations.list

policysimulator.orgPolicyViolationsPreviews.*

resourcemanager.organizations.get

(roles/publicca.externalAccountKeyCreator)

This role can create a new externalAccountKey resource.

publicca.externalAccountKeys.create

resourcemanager.projects.get

resourcemanager.projects.list

(roles/readerrevenuesubscriptionlinking.admin)

Full access to publication reader resources

readerrevenuesubscriptionlinking.*

resourcemanager.projects.get

resourcemanager.projects.list

(roles/readerrevenuesubscriptionlinking.entitlementsViewer)

This role can view all publication reader entitlements

readerrevenuesubscriptionlinking.readerEntitlements.get

(roles/readerrevenuesubscriptionlinking.viewer)

This role can view all publication reader resources

readerrevenuesubscriptionlinking.readerEntitlements.get

readerrevenuesubscriptionlinking.readers.get

resourcemanager.projects.get

resourcemanager.projects.list

(roles/recommender.exporter)

Exporter of Recommendations

recommender.resources.export

(roles/remotebuildexecution.actionCacheWriter)

Remote Build Execution Action Cache Writer

remotebuildexecution.actions.set

remotebuildexecution.blobs.create

(roles/remotebuildexecution.artifactAdmin)

Remote Build Execution Artifact Admin

remotebuildexecution.actions.create

remotebuildexecution.actions.delete

remotebuildexecution.actions.get

remotebuildexecution.blobs.*

remotebuildexecution.logstreams.*

(roles/remotebuildexecution.artifactCreator)

Remote Build Execution Artifact Creator

remotebuildexecution.actions.create

remotebuildexecution.actions.get

remotebuildexecution.blobs.*

remotebuildexecution.logstreams.*

(roles/remotebuildexecution.artifactViewer)

Remote Build Execution Artifact Viewer

remotebuildexecution.actions.get

remotebuildexecution.blobs.get

remotebuildexecution.logstreams.get

(roles/remotebuildexecution.configurationAdmin)

Remote Build Execution Configuration Admin

remotebuildexecution.instances.*

remotebuildexecution.workerpools.*

(roles/remotebuildexecution.configurationViewer)

Remote Build Execution Configuration Viewer

remotebuildexecution.instances.get

remotebuildexecution.instances.list

remotebuildexecution.workerpools.get

remotebuildexecution.workerpools.list

(roles/remotebuildexecution.logstreamWriter)

Remote Build Execution Logstream Writer

remotebuildexecution.logstreams.create

remotebuildexecution.logstreams.update

(roles/remotebuildexecution.reservationAdmin)

Remote Build Execution Reservation Admin

remotebuildexecution.actions.create

remotebuildexecution.actions.delete

remotebuildexecution.actions.get

(roles/remotebuildexecution.worker)

Remote Build Execution Worker

remotebuildexecution.actions.update

remotebuildexecution.blobs.*

remotebuildexecution.botsessions.*

remotebuildexecution.logstreams.create

remotebuildexecution.logstreams.update

(roles/retail.admin)

Full access to Retail API resources.

automlrecommendations.apiKeys.create

automlrecommendations.apiKeys.delete

automlrecommendations.catalogItems.*

automlrecommendations.catalogs.*

automlrecommendations.eventStores.getStats

automlrecommendations.events.create

automlrecommendations.events.list

automlrecommendations.events.purge

automlrecommendations.events.rejoin

automlrecommendations.placements.*

automlrecommendations.recommendations.*

retail.*

(roles/retail.editor)

Full access to Retail API resources except purge, rejoin, and setSponsorship.

automlrecommendations.apiKeys.create

automlrecommendations.apiKeys.delete

automlrecommendations.catalogItems.*

automlrecommendations.catalogs.*

automlrecommendations.eventStores.getStats

automlrecommendations.events.create

automlrecommendations.events.list

automlrecommendations.placements.*

automlrecommendations.recommendations.*

retail.attributesConfigs.addCatalogAttribute

retail.attributesConfigs.exportCatalogAttributes

retail.attributesConfigs.get

retail.attributesConfigs.importCatalogAttributes

retail.attributesConfigs.replaceCatalogAttribute

retail.attributesConfigs.update

retail.catalogs.*

retail.controls.*

retail.experiments.*

retail.models.*

retail.operations.*

retail.placements.*

retail.products.create

retail.products.delete

retail.products.export

retail.products.get

retail.products.import

retail.products.list

retail.products.update

retail.retailProjects.get

retail.servingConfigs.*

retail.userEvents.create

retail.userEvents.import

(roles/retail.viewer)

Grants access to read all resources in Retail.

automlrecommendations.catalogItems.get

automlrecommendations.catalogItems.list

automlrecommendations.catalogs.getStats

automlrecommendations.catalogs.list

automlrecommendations.eventStores.getStats

automlrecommendations.events.list

automlrecommendations.placements.getStats

automlrecommendations.placements.list

automlrecommendations.recommendations.list

retail.attributesConfigs.exportCatalogAttributes

retail.attributesConfigs.get

retail.catalogs.completeQuery

retail.catalogs.exportAnalyticsMetrics

retail.catalogs.list

retail.controls.export

retail.controls.get

retail.controls.list

retail.experiments.get

retail.experiments.list

retail.experiments.loadExperimentLookerDashboard

retail.experiments.queryTrafficMetrics

retail.models.get

retail.models.list

retail.operations.*

retail.placements.*

retail.products.export

retail.products.get

retail.products.list

retail.retailProjects.get

retail.servingConfigs.get

retail.servingConfigs.list

retail.servingConfigs.predict

retail.servingConfigs.search

(roles/riscconfigs.admin)

Read/write access to RISC config resources.

clientauthconfig.clients.list

riscconfigurationservice.*

(roles/riscconfigs.viewer)

Read-only access to RISC config resources.

clientauthconfig.clients.list

riscconfigurationservice.riscconfigs.get

(roles/runapps.developer)

Access to create and change Serverless Integrations and their configuration.

resourcemanager.projects.get

resourcemanager.projects.list

runapps.applications.*

runapps.deployments.get

runapps.deployments.list

runapps.locations.*

runapps.operations.*

(roles/runapps.operator)

Access to deploy Serverless Integrations.

resourcemanager.projects.get

resourcemanager.projects.list

runapps.applications.get

runapps.applications.getStatus

runapps.applications.list

runapps.deployments.*

runapps.locations.*

runapps.operations.*

(roles/runapps.viewer)

Read-only access to Serverless Integrations resources.

resourcemanager.projects.get

resourcemanager.projects.list

runapps.applications.get

runapps.applications.getStatus

runapps.applications.list

runapps.deployments.get

runapps.deployments.list

runapps.locations.*

runapps.operations.get

runapps.operations.list

(roles/runtimeconfig.admin)

Full access to RuntimeConfig resources.

runtimeconfig.*

(roles/securedlandingzone.bqdwOrgRemediator)

Access to modify (remediate) resources in SLZ BQDW Blueprint at Organization.

accesscontextmanager.servicePerimeters.get

accesscontextmanager.servicePerimeters.list

accesscontextmanager.servicePerimeters.update

(roles/securedlandingzone.bqdwProjectRemediator)

Access to modify (remediate) resources in SLZ BQDW Blueprint at Project.

bigquery.datasets.get

bigquery.datasets.getIamPolicy

bigquery.datasets.setIamPolicy

bigquery.datasets.update

cloudkms.cryptoKeys.get

cloudkms.cryptoKeys.getIamPolicy

cloudkms.cryptoKeys.list

cloudkms.cryptoKeys.setIamPolicy

cloudkms.cryptoKeys.update

cloudkms.keyRings.getIamPolicy

cloudkms.keyRings.setIamPolicy

pubsub.topics.get

pubsub.topics.getIamPolicy

pubsub.topics.list

pubsub.topics.setIamPolicy

pubsub.topics.update

resourcemanager.projects.update

serviceusage.services.use

storage.buckets.get

storage.buckets.getIamPolicy

storage.buckets.list

storage.buckets.setIamPolicy

storage.buckets.update

(roles/securedlandingzone.overwatchActivator)

This role can activate or suspend Overwatches

resourcemanager.projects.get

resourcemanager.projects.list

securedlandingzone.overwatches.activate

securedlandingzone.overwatches.suspend

(roles/securedlandingzone.overwatchAdmin)

Full access to Overwatches

resourcemanager.projects.get

resourcemanager.projects.list

securedlandingzone.*

(roles/securedlandingzone.overwatchViewer)

This role can view all properties of Overwatches

resourcemanager.projects.get

resourcemanager.projects.list

securedlandingzone.operations.get

securedlandingzone.overwatches.get

securedlandingzone.overwatches.list

(roles/securitycentermanagement.customModulesEditor)

Full access to manage Cloud Security Command Center custom modules.

resourcemanager.organizations.get

resourcemanager.projects.get

resourcemanager.projects.list

securitycentermanagement.*

(roles/securitycentermanagement.customModulesViewer)

Read-only access to Cloud Security Command Center custom modules.

resourcemanager.organizations.get

resourcemanager.projects.get

resourcemanager.projects.list

securitycentermanagement.effectiveEventThreatDetectionCustomModules.*

securitycentermanagement.effectiveSecurityHealthAnalyticsCustomModules.*

securitycentermanagement.eventThreatDetectionCustomModules.get

securitycentermanagement.eventThreatDetectionCustomModules.list

securitycentermanagement.eventThreatDetectionCustomModules.validate

securitycentermanagement.locations.*

securitycentermanagement.securityHealthAnalyticsCustomModules.get

securitycentermanagement.securityHealthAnalyticsCustomModules.list

securitycentermanagement.securityHealthAnalyticsCustomModules.simulate

securitycentermanagement.securityHealthAnalyticsCustomModules.test

(roles/securitycentermanagement.etdCustomModulesEditor)

Full access to manage Cloud Security Command Center ETD custom modules.

resourcemanager.organizations.get

resourcemanager.projects.get

resourcemanager.projects.list

securitycentermanagement.effectiveEventThreatDetectionCustomModules.*

securitycentermanagement.eventThreatDetectionCustomModules.*

securitycentermanagement.locations.*

(roles/securitycentermanagement.etdCustomModulesViewer)

Read-only access to Cloud Security Command Center ETD custom modules.

resourcemanager.organizations.get

resourcemanager.projects.get

resourcemanager.projects.list

securitycentermanagement.effectiveEventThreatDetectionCustomModules.*

securitycentermanagement.eventThreatDetectionCustomModules.get

securitycentermanagement.eventThreatDetectionCustomModules.list

securitycentermanagement.eventThreatDetectionCustomModules.validate

securitycentermanagement.locations.*

(roles/securitycentermanagement.shaCustomModulesEditor)

Full access to manage Cloud Security Command Center SHA custom modules.

resourcemanager.organizations.get

resourcemanager.projects.get

resourcemanager.projects.list

securitycentermanagement.effectiveSecurityHealthAnalyticsCustomModules.*

securitycentermanagement.locations.*

securitycentermanagement.securityHealthAnalyticsCustomModules.*

(roles/securitycentermanagement.shaCustomModulesViewer)

Read-only access to Cloud Security Command Center SHA custom modules.

resourcemanager.organizations.get

resourcemanager.projects.get

resourcemanager.projects.list

securitycentermanagement.effectiveSecurityHealthAnalyticsCustomModules.*

securitycentermanagement.locations.*

securitycentermanagement.securityHealthAnalyticsCustomModules.get

securitycentermanagement.securityHealthAnalyticsCustomModules.list

securitycentermanagement.securityHealthAnalyticsCustomModules.simulate

securitycentermanagement.securityHealthAnalyticsCustomModules.test

(roles/securityposture.admin)

Full access to Security Posture service APIs.

orgpolicy.*

resourcemanager.organizations.get

securitycenter.securityhealthanalyticssettings.*

securitycentermanagement.effectiveSecurityHealthAnalyticsCustomModules.*

securitycentermanagement.securityHealthAnalyticsCustomModules.create

securitycentermanagement.securityHealthAnalyticsCustomModules.delete

securitycentermanagement.securityHealthAnalyticsCustomModules.get

securitycentermanagement.securityHealthAnalyticsCustomModules.list

securitycentermanagement.securityHealthAnalyticsCustomModules.update

securityposture.*

(roles/securityposture.postureDeployer)

Mutate and read permissions to the Posture Deployment resource.

orgpolicy.*

resourcemanager.organizations.get

securitycenter.securityhealthanalyticssettings.*

securitycentermanagement.securityHealthAnalyticsCustomModules.create

securitycentermanagement.securityHealthAnalyticsCustomModules.delete

securitycentermanagement.securityHealthAnalyticsCustomModules.update

securityposture.operations.get

securityposture.postureDeployments.*

(roles/securityposture.postureDeploymentsViewer)

Read-only access to the Posture Deployment resource.

resourcemanager.organizations.get

securityposture.operations.get

securityposture.postureDeployments.get

securityposture.postureDeployments.list

(roles/securityposture.postureEditor)

Mutate and read permissions to the Posture resource.

securityposture.operations.get

securityposture.postures.*

(roles/securityposture.postureViewer)

Read-only access to the Posture resource.

resourcemanager.organizations.get

securityposture.operations.get

securityposture.postures.get

securityposture.postures.list

(roles/securityposture.reportCreator)

Create access for Reports, e.g. IaC Validation Report.

securityposture.operations.get

securityposture.reports.create

(roles/securityposture.viewer)

Read-only access to all the SecurityPosture Service resources.

resourcemanager.organizations.get

securityposture.operations.get

securityposture.postureDeployments.get

securityposture.postureDeployments.list

securityposture.postureTemplates.*

securityposture.postures.get

securityposture.postures.list

(roles/servicehealth.viewer)

Read-only access to Personalized Service Health resources.

resourcemanager.projects.get

resourcemanager.projects.list

servicehealth.*

(roles/servicesecurityinsights.securityInsightsViewer)

Read-only access to Security Insights resources

servicesecurityinsights.*

(roles/speakerid.admin)

Grants full access to all Speaker ID resources, including project settings.

speakerid.*

(roles/speakerid.editor)

Grants access to read and write all Speaker ID resources.

speakerid.phrases.*

speakerid.speakers.*

(roles/speakerid.verifier)

Grants read access to all Speaker ID resources, and allows verification.

speakerid.phrases.get

speakerid.phrases.list

speakerid.speakers.get

speakerid.speakers.list

speakerid.speakers.verify

(roles/speakerid.viewer)

Grants read access to all Speaker ID resources.

speakerid.phrases.get

speakerid.phrases.list

speakerid.speakers.get

speakerid.speakers.list

(roles/speech.admin)

Grants full access to all resources in Speech-to-text

speech.*

(roles/speech.client)

Grants access to the recognition APIs.

speech.adaptations.execute

speech.customClasses.get

speech.customClasses.list

speech.locations.*

speech.operations.get

speech.operations.list

speech.operations.wait

speech.phraseSets.get

speech.phraseSets.list

speech.recognizers.get

speech.recognizers.list

speech.recognizers.recognize

(roles/speech.editor)

Grants access to edit resources in Speech-to-text

speech.adaptations.execute

speech.customClasses.*

speech.locations.*

speech.operations.*

speech.phraseSets.*

speech.recognizers.*

(roles/storageinsights.admin)

Full access to Storage Insights resources.

resourcemanager.projects.get

resourcemanager.projects.list

storageinsights.*

(roles/storageinsights.analyst)

Data access to Storage Insights.

resourcemanager.projects.get

resourcemanager.projects.list

storageinsights.datasetConfigs.get

storageinsights.datasetConfigs.linkDataset

storageinsights.datasetConfigs.list

storageinsights.datasetConfigs.unlinkDataset

storageinsights.locations.*

storageinsights.operations.get

storageinsights.operations.list

storageinsights.reportConfigs.get

storageinsights.reportConfigs.list

storageinsights.reportDetails.*

(roles/storageinsights.viewer)

Read-only access to Storage Insights resources.

resourcemanager.projects.get

resourcemanager.projects.list

storageinsights.datasetConfigs.get

storageinsights.datasetConfigs.list

storageinsights.locations.*

storageinsights.operations.get

storageinsights.operations.list

storageinsights.reportConfigs.get

storageinsights.reportConfigs.list

storageinsights.reportDetails.*

(roles/subscribewithgoogledeveloper.developer)

Access DevTools for Subscribe with Google

resourcemanager.projects.get

resourcemanager.projects.list

subscribewithgoogledeveloper.tools.get

(roles/telcoautomation.admin)

Full access to Telco Automation resources.

logging.buckets.get

logging.buckets.list

logging.exclusions.get

logging.exclusions.list

logging.links.get

logging.links.list

logging.locations.*

logging.logEntries.list

logging.logMetrics.get

logging.logMetrics.list

logging.logServiceIndexes.list

logging.logServices.list

logging.logs.list

logging.operations.get

logging.operations.list

logging.queries.create

logging.queries.delete

logging.queries.get

logging.queries.list

logging.queries.listShared

logging.queries.update

logging.sinks.get

logging.sinks.list

logging.usage.get

logging.views.get

logging.views.list

monitoring.timeSeries.list

resourcemanager.projects.get

serviceusage.operations.*

serviceusage.quotas.*

serviceusage.services.*

source.repos.get

source.repos.list

telcoautomation.*

(roles/telcoautomation.blueprintDesigner)

Ability to manage blueprints

telcoautomation.blueprints.create

telcoautomation.blueprints.delete

telcoautomation.blueprints.get

telcoautomation.blueprints.list

telcoautomation.blueprints.propose

telcoautomation.blueprints.update

telcoautomation.deployments.computeStatus

telcoautomation.deployments.get

telcoautomation.deployments.list

telcoautomation.hydratedDeployments.get

telcoautomation.hydratedDeployments.list

telcoautomation.orchestrationClusters.get

telcoautomation.orchestrationClusters.list

telcoautomation.publicBlueprints.*

(roles/telcoautomation.deploymentAdmin)

Ability to manage deployments

telcoautomation.blueprints.get

telcoautomation.blueprints.list

telcoautomation.deployments.*

telcoautomation.hydratedDeployments.*

telcoautomation.orchestrationClusters.get

telcoautomation.orchestrationClusters.list

(roles/telcoautomation.opsAdminTier1)

Ability to get status of deployments

logging.buckets.get

logging.buckets.list

logging.exclusions.get

logging.exclusions.list

logging.links.get

logging.links.list

logging.locations.*

logging.logEntries.list

logging.logMetrics.get

logging.logMetrics.list

logging.logServiceIndexes.list

logging.logServices.list

logging.logs.list

logging.operations.get

logging.operations.list

logging.queries.create

logging.queries.delete

logging.queries.get

logging.queries.list

logging.queries.listShared

logging.queries.update

logging.sinks.get

logging.sinks.list

logging.usage.get

logging.views.get

logging.views.list

resourcemanager.projects.get

telcoautomation.blueprints.get

telcoautomation.blueprints.list

telcoautomation.deployments.computeStatus

telcoautomation.deployments.get

telcoautomation.deployments.list

telcoautomation.hydratedDeployments.get

telcoautomation.hydratedDeployments.list

telcoautomation.orchestrationClusters.get

telcoautomation.orchestrationClusters.list

(roles/telcoautomation.opsAdminTier4)

Ability to manage deployments and their status

logging.buckets.get

logging.buckets.list

logging.exclusions.get

logging.exclusions.list

logging.links.get

logging.links.list

logging.locations.*

logging.logEntries.list

logging.logMetrics.get

logging.logMetrics.list

logging.logServiceIndexes.list

logging.logServices.list

logging.logs.list

logging.operations.get

logging.operations.list

logging.queries.create

logging.queries.delete

logging.queries.get

logging.queries.list

logging.queries.listShared

logging.queries.update

logging.sinks.get

logging.sinks.list

logging.usage.get

logging.views.get

logging.views.list

resourcemanager.projects.get

telcoautomation.blueprints.get

telcoautomation.blueprints.list

telcoautomation.deployments.*

telcoautomation.hydratedDeployments.*

telcoautomation.orchestrationClusters.get

telcoautomation.orchestrationClusters.list

(roles/telcoautomation.serviceOrchestrator)

Ability to manage deployments

telcoautomation.blueprints.get

telcoautomation.blueprints.list

telcoautomation.deployments.*

telcoautomation.hydratedDeployments.*

telcoautomation.orchestrationClusters.get

telcoautomation.orchestrationClusters.list

(roles/timeseriesinsights.datasetsEditor)

Edit access to DataSets.

timeseriesinsights.*

(roles/timeseriesinsights.datasetsOwner)

Full access to DataSets.

timeseriesinsights.*

(roles/timeseriesinsights.datasetsViewer)

Read-only access (List and Query) to DataSets.

timeseriesinsights.datasets.evaluate

timeseriesinsights.datasets.list

timeseriesinsights.datasets.query

timeseriesinsights.locations.*

(roles/trafficdirector.client)

Fetch service configurations and report metrics.

trafficdirector.*

(roles/translationhub.admin)

Admin of Translation Hub

automl.models.get

automl.models.list

automl.models.predict

cloudtranslate.customModels.get

cloudtranslate.customModels.list

cloudtranslate.customModels.predict

cloudtranslate.glossaries.create

cloudtranslate.glossaries.delete

cloudtranslate.glossaries.get

cloudtranslate.glossaries.list

cloudtranslate.glossaries.predict

resourcemanager.projects.get

resourcemanager.projects.list

translationhub.*

(roles/translationhub.portalUser)

Portal user of Translation Hub

automl.models.get

automl.models.list

automl.models.predict

cloudtranslate.customModels.get

cloudtranslate.customModels.list

cloudtranslate.customModels.predict

cloudtranslate.glossaries.get

cloudtranslate.glossaries.list

cloudtranslate.glossaries.predict

resourcemanager.projects.get

resourcemanager.projects.list

translationhub.portals.get

translationhub.portals.list

(roles/visualinspection.editor)

Read and write access to all Visual Inspection AI resources except visualinspection.locations.reportUsageMetrics

visualinspection.annotationSets.*

visualinspection.annotationSpecs.*

visualinspection.annotations.*

visualinspection.datasets.*

visualinspection.images.*

visualinspection.locations.get

visualinspection.locations.list

visualinspection.modelEvaluations.*

visualinspection.models.*

visualinspection.modules.*

visualinspection.operations.*

visualinspection.solutionArtifacts.*

visualinspection.solutions.*

(roles/visualinspection.usageMetricsReporter)

ReportUsageMetric access to Visual Inspection AI Service

visualinspection.locations.reportUsageMetrics

(roles/visualinspection.viewer)

Read access to Visual Inspection AI resources

visualinspection.annotationSets.get

visualinspection.annotationSets.list

visualinspection.annotationSpecs.get

visualinspection.annotationSpecs.list

visualinspection.annotations.get

visualinspection.annotations.list

visualinspection.datasets.export

visualinspection.datasets.get

visualinspection.datasets.list

visualinspection.images.get

visualinspection.images.list

visualinspection.locations.get

visualinspection.locations.list

visualinspection.modelEvaluations.*

visualinspection.models.get

visualinspection.models.list

visualinspection.modules.get

visualinspection.modules.list

visualinspection.operations.*

visualinspection.solutionArtifacts.get

visualinspection.solutionArtifacts.list

visualinspection.solutionArtifacts.predict

visualinspection.solutions.get

visualinspection.solutions.list

Permissions

(roles/privilegedaccessmanager.admin)

Full access to Privileged Access Manager resources.

privilegedaccessmanager.entitlements.*

privilegedaccessmanager.grants.get

privilegedaccessmanager.grants.list

privilegedaccessmanager.grants.revoke

privilegedaccessmanager.locations.*

privilegedaccessmanager.operations.*

resourcemanager.projects.get

(roles/privilegedaccessmanager.approver)

Access to Approve/Deny Privileged Access Manager Grants.

privilegedaccessmanager.entitlements.get

privilegedaccessmanager.grants.approve

privilegedaccessmanager.grants.deny

privilegedaccessmanager.grants.get

privilegedaccessmanager.grants.list

(roles/privilegedaccessmanager.requester)

Access to request Privileged Access Manager Grants.

privilegedaccessmanager.grants.create

(roles/privilegedaccessmanager.viewer)

Read-only access to Privileged Access Manager resources.

privilegedaccessmanager.entitlements.get

privilegedaccessmanager.entitlements.list

privilegedaccessmanager.grants.get

privilegedaccessmanager.grants.list

privilegedaccessmanager.locations.*

privilegedaccessmanager.operations.get

privilegedaccessmanager.operations.list

resourcemanager.projects.get

Permissions

(roles/browser)

Read access to browse the hierarchy for a project, including the folder, organization, and allow policy. This role doesn't include permission to view resources in the project.

Lowest-level resources where you can grant this role:

  • Project

resourcemanager.folders.get

resourcemanager.folders.list

resourcemanager.organizations.get

resourcemanager.projects.get

resourcemanager.projects.getIamPolicy

resourcemanager.projects.list

Permissions

(roles/proximitybeacon.attachmentEditor)

Can create and delete attachments; can list and get a project's beacons; can list a project's namespaces.

proximitybeacon.attachments.*

proximitybeacon.beacons.get

proximitybeacon.beacons.list

proximitybeacon.namespaces.list

resourcemanager.projects.get

resourcemanager.projects.list

(roles/proximitybeacon.attachmentPublisher)

Grants necessary permissions to use beacons to create attachments in namespaces not owned by this project.

proximitybeacon.beacons.attach

proximitybeacon.beacons.get

proximitybeacon.beacons.list

resourcemanager.projects.get

resourcemanager.projects.list

(roles/proximitybeacon.attachmentViewer)

Can view all attachments under a namespace; no beacon or namespace permissions.

proximitybeacon.attachments.get

proximitybeacon.attachments.list

resourcemanager.projects.get

resourcemanager.projects.list

(roles/proximitybeacon.beaconEditor)

Necessary access to register, modify, and view beacons; no attachment or namespace permissions.

proximitybeacon.beacons.create

proximitybeacon.beacons.get

proximitybeacon.beacons.list

proximitybeacon.beacons.update

resourcemanager.projects.get

resourcemanager.projects.list

Permissions

(roles/pubsub.admin)

Provides full access to topics and subscriptions.

Lowest-level resources where you can grant this role:

  • Schema
  • Snapshot
  • Subscription
  • Topic

pubsub.*

resourcemanager.projects.get

serviceusage.quotas.get

serviceusage.services.get

serviceusage.services.list

(roles/pubsub.editor)

Provides access to modify topics and subscriptions, and access to publish and consume messages.

Lowest-level resources where you can grant this role:

  • Schema
  • Snapshot
  • Subscription
  • Topic

pubsub.schemas.attach

pubsub.schemas.commit

pubsub.schemas.create

pubsub.schemas.delete

pubsub.schemas.get

pubsub.schemas.list

pubsub.schemas.listRevisions

pubsub.schemas.rollback

pubsub.schemas.validate

pubsub.snapshots.create

pubsub.snapshots.delete

pubsub.snapshots.get

pubsub.snapshots.list

pubsub.snapshots.seek

pubsub.snapshots.update

pubsub.subscriptions.consume

pubsub.subscriptions.create

pubsub.subscriptions.delete

pubsub.subscriptions.get

pubsub.subscriptions.list

pubsub.subscriptions.update

pubsub.topics.attachSubscription

pubsub.topics.create

pubsub.topics.delete

pubsub.topics.detachSubscription

pubsub.topics.get

pubsub.topics.list

pubsub.topics.publish

pubsub.topics.update

pubsub.topics.updateTag

resourcemanager.projects.get

serviceusage.quotas.get

serviceusage.services.get

serviceusage.services.list

(roles/pubsub.publisher)

Provides access to publish messages to a topic.

Lowest-level resources where you can grant this role:

  • Topic

pubsub.topics.publish

(roles/pubsub.subscriber)

Provides access to consume messages from a subscription and to attach subscriptions to a topic.

Lowest-level resources where you can grant this role:

  • Snapshot
  • Subscription
  • Topic

pubsub.snapshots.seek

pubsub.subscriptions.consume

pubsub.topics.attachSubscription

(roles/pubsub.viewer)

Provides access to view topics and subscriptions.

Lowest-level resources where you can grant this role:

  • Schema
  • Snapshot
  • Subscription
  • Topic

pubsub.schemas.get

pubsub.schemas.list

pubsub.schemas.listRevisions

pubsub.schemas.validate

pubsub.snapshots.get

pubsub.snapshots.list

pubsub.subscriptions.get

pubsub.subscriptions.list

pubsub.topics.get

pubsub.topics.list

resourcemanager.projects.get

serviceusage.quotas.get

serviceusage.services.get

serviceusage.services.list

Permissions

(roles/pubsublite.admin)

Full access to topics, subscriptions and reservations.

pubsublite.*

(roles/pubsublite.editor)

Modify topics, subscriptions and reservations, publish and consume messages.

pubsublite.*

(roles/pubsublite.publisher)

Publish messages to a topic.

pubsublite.locations.openKafkaStream

pubsublite.topics.getPartitions

pubsublite.topics.publish

(roles/pubsublite.subscriber)

Subscribe to and read messages from a topic.

pubsublite.locations.openKafkaStream

pubsublite.operations.get

pubsublite.subscriptions.getCursor

pubsublite.subscriptions.seek

pubsublite.subscriptions.setCursor

pubsublite.subscriptions.subscribe

pubsublite.topics.computeHeadCursor

pubsublite.topics.computeMessageStats

pubsublite.topics.computeTimeCursor

pubsublite.topics.getPartitions

pubsublite.topics.subscribe

(roles/pubsublite.viewer)

View topics, subscriptions and reservations.

pubsublite.operations.*

pubsublite.reservations.get

pubsublite.reservations.list

pubsublite.reservations.listTopics

pubsublite.subscriptions.get

pubsublite.subscriptions.getCursor

pubsublite.subscriptions.list

pubsublite.topics.get

pubsublite.topics.getPartitions

pubsublite.topics.list

pubsublite.topics.listSubscriptions

Permissions

(roles/rma.admin)

Full access to all Rapid Migration Assessment resources.

resourcemanager.projects.get

resourcemanager.projects.list

rma.*

(roles/rma.runner)

Update and read access to all Rapid Migration Assessment resources.

resourcemanager.projects.get

resourcemanager.projects.list

rma.annotations.get

rma.collectors.get

rma.collectors.list

rma.collectors.update

rma.locations.*

rma.operations.get

rma.operations.list

(roles/rma.viewer)

Read-only access to all Rapid Migration Assessment resources.

resourcemanager.projects.get

resourcemanager.projects.list

rma.annotations.get

rma.collectors.get

rma.collectors.list

rma.locations.*

rma.operations.get

rma.operations.list

Permissions

(roles/recaptchaenterprise.admin)

Access to view and modify reCAPTCHA Enterprise keys

monitoring.timeSeries.list

recaptchaenterprise.keys.*

recaptchaenterprise.metrics.get

resourcemanager.projects.get

resourcemanager.projects.list

(roles/recaptchaenterprise.agent)

Access to create and annotate reCAPTCHA Enterprise assessments

recaptchaenterprise.assessments.*

recaptchaenterprise.relatedaccountgroupmemberships.list

recaptchaenterprise.relatedaccountgroups.list

resourcemanager.projects.get

resourcemanager.projects.list

(roles/recaptchaenterprise.viewer)

Access to view reCAPTCHA Enterprise keys and metrics

monitoring.timeSeries.list

recaptchaenterprise.keys.get

recaptchaenterprise.keys.list

recaptchaenterprise.metrics.get

resourcemanager.projects.get

resourcemanager.projects.list

Permissions

(roles/automlrecommendations.admin)

Full access to all Recommendations AI resources.

automlrecommendations.*

resourcemanager.projects.get

resourcemanager.projects.list

retail.catalogs.list

retail.catalogs.update

retail.operations.*

retail.placements.*

retail.products.create

retail.products.delete

retail.products.export

retail.products.get

retail.products.import

retail.products.list

retail.products.purge

retail.products.update

retail.retailProjects.get

retail.userEvents.*

serviceusage.services.get

serviceusage.services.list

(roles/automlrecommendations.adminViewer)

Viewer of all Recommendations AI resources.

automlrecommendations.apiKeys.list

automlrecommendations.catalogItems.get

automlrecommendations.catalogItems.list

automlrecommendations.catalogs.getStats

automlrecommendations.catalogs.list

automlrecommendations.eventStores.*

automlrecommendations.events.get

automlrecommendations.events.list

automlrecommendations.placements.getStats

automlrecommendations.placements.list

automlrecommendations.recommendations.list

resourcemanager.projects.get

resourcemanager.projects.list

retail.catalogs.list

retail.operations.*

retail.placements.*

retail.products.export

retail.products.get

retail.products.list

retail.retailProjects.get

serviceusage.services.get

serviceusage.services.list

(roles/automlrecommendations.editor)

Editor of all Recommendations AI resources.

automlrecommendations.apiKeys.create

automlrecommendations.apiKeys.list

automlrecommendations.catalogItems.*

automlrecommendations.catalogs.getStats

automlrecommendations.catalogs.list

automlrecommendations.eventStores.*

automlrecommendations.events.create

automlrecommendations.events.get

automlrecommendations.events.list

automlrecommendations.placements.create

automlrecommendations.placements.getStats

automlrecommendations.placements.list

automlrecommendations.recommendations.create

automlrecommendations.recommendations.list

automlrecommendations.recommendations.pause

automlrecommendations.recommendations.resume

automlrecommendations.recommendations.update

resourcemanager.projects.get

resourcemanager.projects.list

retail.catalogs.list

retail.catalogs.update

retail.operations.*

retail.placements.*

retail.products.create

retail.products.delete

retail.products.export

retail.products.get

retail.products.import

retail.products.list

retail.products.update

retail.retailProjects.get

retail.userEvents.create

retail.userEvents.import

serviceusage.services.get

serviceusage.services.list

(roles/automlrecommendations.viewer)

Viewer of all Recommendations resources except apiKeys. To view all resources, including apiKeys, grant the Recommendations AI Admin Viewer role (roles/automlrecommendations.adminViewer).

automlrecommendations.catalogItems.get

automlrecommendations.catalogItems.list

automlrecommendations.catalogs.getStats

automlrecommendations.catalogs.list

automlrecommendations.eventStores.*

automlrecommendations.events.get

automlrecommendations.events.list

automlrecommendations.placements.getStats

automlrecommendations.placements.list

automlrecommendations.recommendations.list

resourcemanager.projects.get

resourcemanager.projects.list

retail.catalogs.list

retail.operations.*

retail.placements.*

retail.products.export

retail.products.get

retail.products.list

retail.retailProjects.get

serviceusage.services.get

serviceusage.services.list

Permissions

(roles/recommender.bigQueryCapacityCommitmentsAdmin)

Admin of BigQuery Capacity Commitments insights and recommendations.

recommender.bigqueryCapacityCommitmentsInsights.*

recommender.bigqueryCapacityCommitmentsRecommendations.*

recommender.locations.*

resourcemanager.projects.get

resourcemanager.projects.list

(roles/recommender.bigQueryCapacityCommitmentsBillingAccountAdmin)

Billing Account Admin of BigQuery Capacity Commitments insights and recommendations.

billing.accounts.get

billing.accounts.list

recommender.bigqueryCapacityCommitmentsInsights.*

recommender.bigqueryCapacityCommitmentsRecommendations.*

(roles/recommender.bigQueryCapacityCommitmentsBillingAccountViewer)

Billing Account Viewer of BigQuery Capacity Commitments insights and recommendations.

billing.accounts.get

billing.accounts.list

recommender.bigqueryCapacityCommitmentsInsights.get

recommender.bigqueryCapacityCommitmentsInsights.list

recommender.bigqueryCapacityCommitmentsRecommendations.get

recommender.bigqueryCapacityCommitmentsRecommendations.list

(roles/recommender.bigQueryCapacityCommitmentsProjectAdmin)

Project Admin of BigQuery Capacity Commitments insights and recommendations.

recommender.bigqueryCapacityCommitmentsInsights.*

recommender.bigqueryCapacityCommitmentsRecommendations.*

recommender.locations.*

resourcemanager.projects.get

resourcemanager.projects.list

(roles/recommender.bigQueryCapacityCommitmentsProjectViewer)

Project Viewer of BigQuery Capacity Commitments insights and recommendations.

recommender.bigqueryCapacityCommitmentsInsights.get

recommender.bigqueryCapacityCommitmentsInsights.list

recommender.bigqueryCapacityCommitmentsRecommendations.get

recommender.bigqueryCapacityCommitmentsRecommendations.list

recommender.locations.*

resourcemanager.projects.get

resourcemanager.projects.list

(roles/recommender.bigQueryCapacityCommitmentsViewer)

Viewer of BigQuery Capacity Commitments insights and recommendations.

recommender.bigqueryCapacityCommitmentsInsights.get

recommender.bigqueryCapacityCommitmentsInsights.list

recommender.bigqueryCapacityCommitmentsRecommendations.get

recommender.bigqueryCapacityCommitmentsRecommendations.list

recommender.locations.*

resourcemanager.projects.get

resourcemanager.projects.list

(roles/recommender.bigqueryMaterializedViewAdmin)

Admin of BigQuery Materialized View Insights and Recommendations.

recommender.bigqueryMaterializedViewInsights.*

recommender.bigqueryMaterializedViewRecommendations.*

recommender.locations.*

resourcemanager.projects.get

resourcemanager.projects.list

(roles/recommender.bigqueryMaterializedViewViewer)

Viewer of BigQuery Materialized View Insights and Recommendations.

recommender.bigqueryMaterializedViewInsights.get

recommender.bigqueryMaterializedViewInsights.list

recommender.bigqueryMaterializedViewRecommendations.get

recommender.bigqueryMaterializedViewRecommendations.list

recommender.locations.*

resourcemanager.projects.get

resourcemanager.projects.list

(roles/recommender.bigqueryPartitionClusterAdmin)

Admin of BigQuery Partitioning Clustering recommendations.

recommender.bigqueryPartitionClusterRecommendations.*

recommender.bigqueryTableStatsInsights.*

resourcemanager.projects.get

resourcemanager.projects.list

(roles/recommender.bigqueryPartitionClusterViewer)

Viewer of BigQuery Partitioning Clustering recommendations.

recommender.bigqueryPartitionClusterRecommendations.get

recommender.bigqueryPartitionClusterRecommendations.list

recommender.bigqueryTableStatsInsights.get

recommender.bigqueryTableStatsInsights.list

resourcemanager.projects.get

resourcemanager.projects.list

(roles/recommender.billingAccountCudAdmin)

Admin of Billing Account Usage Commitment Recommender.

billing.accounts.get

billing.accounts.list

recommender.commitmentUtilizationInsights.*

recommender.usageCommitmentRecommendations.*

(roles/recommender.billingAccountCudViewer)

Viewer of Billing Account Usage Commitment Recommender.

billing.accounts.get

billing.accounts.list

recommender.commitmentUtilizationInsights.get

recommender.commitmentUtilizationInsights.list

recommender.usageCommitmentRecommendations.get

recommender.usageCommitmentRecommendations.list

(roles/recommender.cloudAssetInsightsAdmin)

Admin of all Cloud Asset insights.

recommender.cloudAssetInsights.*

resourcemanager.projects.get

resourcemanager.projects.list

(roles/recommender.cloudAssetInsightsViewer)

Viewer of all Cloud Asset insights.

recommender.cloudAssetInsights.get

recommender.cloudAssetInsights.list

resourcemanager.projects.get

resourcemanager.projects.list

(roles/recommender.cloudCostRecommendationAdmin)

Admin of Cloud Cost General Recommendations Insights and Recommendations.

recommender.cloudCostGeneralInsights.*

recommender.cloudCostGeneralRecommendations.*

recommender.locations.*

resourcemanager.projects.get

resourcemanager.projects.list

(roles/recommender.cloudCostRecommendationViewer)

Viewer of Cloud Cost General Recommendations Insights and Recommendations.

recommender.cloudCostGeneralInsights.get

recommender.cloudCostGeneralInsights.list

recommender.cloudCostGeneralRecommendations.get

recommender.cloudCostGeneralRecommendations.list

recommender.locations.*

resourcemanager.projects.get

resourcemanager.projects.list

(roles/recommender.cloudDeprecationRecommendationAdmin)

Admin of Cloud Deprecation General Recommender Insights and Recommendations.

recommender.cloudDeprecationGeneralInsights.*

recommender.cloudDeprecationGeneralRecommendations.*

recommender.locations.*

resourcemanager.projects.get

resourcemanager.projects.list

(roles/recommender.cloudDeprecationRecommendationViewer)

Viewer of Cloud Deprecation General Recommender Insights and Recommendations.

recommender.cloudDeprecationGeneralInsights.get

recommender.cloudDeprecationGeneralInsights.list

recommender.cloudDeprecationGeneralRecommendations.get

recommender.cloudDeprecationGeneralRecommendations.list

recommender.locations.*

resourcemanager.projects.get

resourcemanager.projects.list

(roles/recommender.cloudManageabilityRecommendationAdmin)

Admin of Cloud Manageability General Recommendations Insights and Recommendations.

recommender.cloudManageabilityGeneralInsights.*

recommender.cloudManageabilityGeneralRecommendations.*

recommender.locations.*

resourcemanager.projects.get

resourcemanager.projects.list

(roles/recommender.cloudManageabilityRecommendationViewer)

Viewer of Cloud Manageability General Recommendations Insights and Recommendations.

recommender.cloudManageabilityGeneralInsights.get

recommender.cloudManageabilityGeneralInsights.list

recommender.cloudManageabilityGeneralRecommendations.get

recommender.cloudManageabilityGeneralRecommendations.list

recommender.locations.*

resourcemanager.projects.get

resourcemanager.projects.list

(roles/recommender.cloudPerformanceRecommendationAdmin)

Admin of Cloud Performance General Recommendations Insights and Recommendations.

recommender.cloudPerformanceGeneralInsights.*

recommender.cloudPerformanceGeneralRecommendations.*

recommender.locations.*

resourcemanager.projects.get

resourcemanager.projects.list

(roles/recommender.cloudPerformanceRecommendationViewer)

Viewer of Cloud Performance General Recommendations Insights and Recommendations.

recommender.cloudPerformanceGeneralInsights.get

recommender.cloudPerformanceGeneralInsights.list

recommender.cloudPerformanceGeneralRecommendations.get

recommender.cloudPerformanceGeneralRecommendations.list

recommender.locations.*

resourcemanager.projects.get

resourcemanager.projects.list

(roles/recommender.cloudReliabilityRecommendationAdmin)

Admin of Cloud Reliability General Recommendations Insights and Recommendations.

recommender.cloudReliabilityGeneralInsights.*

recommender.cloudReliabilityGeneralRecommendations.*

recommender.locations.*

resourcemanager.projects.get

resourcemanager.projects.list

(roles/recommender.cloudReliabilityRecommendationViewer)

Viewer of Cloud Reliability General Recommendations Insights and Recommendations.

recommender.cloudReliabilityGeneralInsights.get

recommender.cloudReliabilityGeneralInsights.list

recommender.cloudReliabilityGeneralRecommendations.get

recommender.cloudReliabilityGeneralRecommendations.list

recommender.locations.*

resourcemanager.projects.get

resourcemanager.projects.list

(roles/recommender.cloudSecurityRecommendationAdmin)

Admin of Cloud Security General Recommendations Insights and Recommendations.

recommender.cloudSecurityGeneralInsights.*

recommender.cloudSecurityGeneralRecommendations.*

recommender.locations.*

resourcemanager.projects.get

resourcemanager.projects.list

(roles/recommender.cloudSecurityRecommendationViewer)

Viewer of Cloud Security General Recommendations Insights and Recommendations.

recommender.cloudSecurityGeneralInsights.get

recommender.cloudSecurityGeneralInsights.list

recommender.cloudSecurityGeneralRecommendations.get

recommender.cloudSecurityGeneralRecommendations.list

recommender.locations.*

resourcemanager.projects.get

resourcemanager.projects.list

(roles/recommender.cloudsqlAdmin)

Admin of Cloud SQL insights and recommendations.

recommender.cloudsqlIdleInstanceRecommendations.*

recommender.cloudsqlInstanceActivityInsights.*

recommender.cloudsqlInstanceCpuUsageInsights.*

recommender.cloudsqlInstanceDiskUsageTrendInsights.*

recommender.cloudsqlInstanceMemoryUsageInsights.*

recommender.cloudsqlInstanceOomProbabilityInsights.*

recommender.cloudsqlInstanceOutOfDiskRecommendations.*

recommender.cloudsqlInstancePerformanceInsights.*

recommender.cloudsqlInstancePerformanceRecommendations.*

recommender.cloudsqlInstanceReliabilityInsights.*

recommender.cloudsqlInstanceReliabilityRecommendations.*

recommender.cloudsqlInstanceSecurityInsights.*

recommender.cloudsqlInstanceSecurityRecommendations.*

recommender.cloudsqlInstanceUnderprovisionedCpuUsageInsights.*

recommender.cloudsqlInstanceUnderprovisionedMemoryUsageInsights.*

recommender.cloudsqlOverprovisionedInstanceRecommendations.*

recommender.cloudsqlUnderProvisionedInstanceRecommendations.*

resourcemanager.projects.get

resourcemanager.projects.list

(roles/recommender.cloudsqlViewer)

Viewer of Cloud SQL insights and recommendations.

recommender.cloudsqlIdleInstanceRecommendations.get

recommender.cloudsqlIdleInstanceRecommendations.list

recommender.cloudsqlInstanceActivityInsights.get

recommender.cloudsqlInstanceActivityInsights.list

recommender.cloudsqlInstanceCpuUsageInsights.get

recommender.cloudsqlInstanceCpuUsageInsights.list

recommender.cloudsqlInstanceDiskUsageTrendInsights.get

recommender.cloudsqlInstanceDiskUsageTrendInsights.list

recommender.cloudsqlInstanceMemoryUsageInsights.get

recommender.cloudsqlInstanceMemoryUsageInsights.list

recommender.cloudsqlInstanceOomProbabilityInsights.get

recommender.cloudsqlInstanceOomProbabilityInsights.list

recommender.cloudsqlInstanceOutOfDiskRecommendations.get

recommender.cloudsqlInstanceOutOfDiskRecommendations.list

recommender.cloudsqlInstancePerformanceInsights.get

recommender.cloudsqlInstancePerformanceInsights.list

recommender.cloudsqlInstancePerformanceRecommendations.get

recommender.cloudsqlInstancePerformanceRecommendations.list

recommender.cloudsqlInstanceReliabilityInsights.get

recommender.cloudsqlInstanceReliabilityInsights.list

recommender.cloudsqlInstanceReliabilityRecommendations.get

recommender.cloudsqlInstanceReliabilityRecommendations.list

recommender.cloudsqlInstanceSecurityInsights.get

recommender.cloudsqlInstanceSecurityInsights.list

recommender.cloudsqlInstanceSecurityRecommendations.get

recommender.cloudsqlInstanceSecurityRecommendations.list

recommender.cloudsqlInstanceUnderprovisionedCpuUsageInsights.get

recommender.cloudsqlInstanceUnderprovisionedCpuUsageInsights.list

recommender.cloudsqlInstanceUnderprovisionedMemoryUsageInsights.get

recommender.cloudsqlInstanceUnderprovisionedMemoryUsageInsights.list

recommender.cloudsqlOverprovisionedInstanceRecommendations.get

recommender.cloudsqlOverprovisionedInstanceRecommendations.list

recommender.cloudsqlUnderProvisionedInstanceRecommendations.get

recommender.cloudsqlUnderProvisionedInstanceRecommendations.list

resourcemanager.projects.get

resourcemanager.projects.list

(roles/recommender.computeAdmin)

Admin of compute recommendations.

recommender.computeAddressIdleResourceInsights.*

recommender.computeAddressIdleResourceRecommendations.*

recommender.computeDiskIdleResourceInsights.*

recommender.computeDiskIdleResourceRecommendations.*

recommender.computeImageIdleResourceInsights.*

recommender.computeImageIdleResourceRecommendations.*

recommender.computeInstanceCpuUsageInsights.*

recommender.computeInstanceCpuUsagePredictionInsights.*

recommender.computeInstanceCpuUsageTrendInsights.*

recommender.computeInstanceGroupManagerCpuUsageInsights.*

recommender.computeInstanceGroupManagerCpuUsagePredictionInsights.*

recommender.computeInstanceGroupManagerCpuUsageTrendInsights.*

recommender.computeInstanceGroupManagerMachineTypeRecommendations.*

recommender.computeInstanceGroupManagerMemoryUsageInsights.*

recommender.computeInstanceGroupManagerMemoryUsagePredictionInsights.*

recommender.computeInstanceIdleResourceRecommendations.*

recommender.computeInstanceIdleResourceRecommenderConfig.*

recommender.computeInstanceMachineTypeRecommendations.*

recommender.computeInstanceMemoryUsageInsights.*

recommender.computeInstanceMemoryUsagePredictionInsights.*

recommender.computeInstanceNetworkThroughputInsights.*

recommender.locations.*

resourcemanager.projects.get

resourcemanager.projects.list

(roles/recommender.computeViewer)

Viewer of compute recommendations.

recommender.computeAddressIdleResourceInsights.get

recommender.computeAddressIdleResourceInsights.list

recommender.computeAddressIdleResourceRecommendations.get

recommender.computeAddressIdleResourceRecommendations.list

recommender.computeDiskIdleResourceInsights.get

recommender.computeDiskIdleResourceInsights.list

recommender.computeDiskIdleResourceRecommendations.get

recommender.computeDiskIdleResourceRecommendations.list

recommender.computeImageIdleResourceInsights.get

recommender.computeImageIdleResourceInsights.list

recommender.computeImageIdleResourceRecommendations.get

recommender.computeImageIdleResourceRecommendations.list

recommender.computeInstanceCpuUsageInsights.get

recommender.computeInstanceCpuUsageInsights.list

recommender.computeInstanceCpuUsagePredictionInsights.get

recommender.computeInstanceCpuUsagePredictionInsights.list

recommender.computeInstanceCpuUsageTrendInsights.get

recommender.computeInstanceCpuUsageTrendInsights.list

recommender.computeInstanceGroupManagerCpuUsageInsights.get

recommender.computeInstanceGroupManagerCpuUsageInsights.list

recommender.computeInstanceGroupManagerCpuUsagePredictionInsights.get

recommender.computeInstanceGroupManagerCpuUsagePredictionInsights.list

recommender.computeInstanceGroupManagerCpuUsageTrendInsights.get

recommender.computeInstanceGroupManagerCpuUsageTrendInsights.list

recommender.computeInstanceGroupManagerMachineTypeRecommendations.get

recommender.computeInstanceGroupManagerMachineTypeRecommendations.list

recommender.computeInstanceGroupManagerMemoryUsageInsights.get

recommender.computeInstanceGroupManagerMemoryUsageInsights.list

recommender.computeInstanceGroupManagerMemoryUsagePredictionInsights.get

recommender.computeInstanceGroupManagerMemoryUsagePredictionInsights.list

recommender.computeInstanceIdleResourceRecommendations.get

recommender.computeInstanceIdleResourceRecommendations.list

recommender.computeInstanceMachineTypeRecommendations.get

recommender.computeInstanceMachineTypeRecommendations.list

recommender.computeInstanceMemoryUsageInsights.get

recommender.computeInstanceMemoryUsageInsights.list

recommender.computeInstanceMemoryUsagePredictionInsights.get

recommender.computeInstanceMemoryUsagePredictionInsights.list

recommender.computeInstanceNetworkThroughputInsights.get

recommender.computeInstanceNetworkThroughputInsights.list

recommender.locations.*

resourcemanager.projects.get

resourcemanager.projects.list

(roles/recommender.containerDiagnosisAdmin)

Admin of GKE Diagnosis Insights and Recommendations.

recommender.containerDiagnosisInsights.*

recommender.containerDiagnosisRecommendations.*

recommender.locations.*

resourcemanager.projects.get

resourcemanager.projects.list

(roles/recommender.containerDiagnosisViewer)

Viewer of GKE Diagnosis Insights and Recommendations.

recommender.containerDiagnosisInsights.get

recommender.containerDiagnosisInsights.list

recommender.containerDiagnosisRecommendations.get

recommender.containerDiagnosisRecommendations.list

recommender.locations.*

resourcemanager.projects.get

resourcemanager.projects.list

(roles/recommender.dataflowDiagnosticsAdmin)

Admin of Diagnostics recommendations.

recommender.dataflowDiagnosticsInsights.*

recommender.locations.*

resourcemanager.projects.get

resourcemanager.projects.list

(roles/recommender.dataflowDiagnosticsViewer)

Viewer of Diagnostics recommendations.

recommender.dataflowDiagnosticsInsights.get

recommender.dataflowDiagnosticsInsights.list

recommender.locations.*

resourcemanager.projects.get

resourcemanager.projects.list

(roles/recommender.errorReportingAdmin)

Admin of Error Reporting Insights and Recommendations.

recommender.errorReportingInsights.*

recommender.errorReportingRecommendations.*

recommender.locations.*

resourcemanager.projects.get

resourcemanager.projects.list

(roles/recommender.errorReportingViewer)

Viewer of Error Reporting Insights and Recommendations.

recommender.errorReportingInsights.get

recommender.errorReportingInsights.list

recommender.errorReportingRecommendations.get

recommender.errorReportingRecommendations.list

recommender.locations.*

resourcemanager.projects.get

resourcemanager.projects.list

(roles/recommender.firewallAdmin)

Admin of Firewall insights and recommendations.

monitoring.timeSeries.list

recommender.computeFirewallInsightTypeConfigs.*

recommender.computeFirewallInsights.*

recommender.locations.*

resourcemanager.projects.get

resourcemanager.projects.list

(roles/recommender.firewallViewer)

Viewer of Firewall insights and recommendations.

monitoring.timeSeries.list

recommender.computeFirewallInsightTypeConfigs.get

recommender.computeFirewallInsights.get

recommender.computeFirewallInsights.list

recommender.locations.*

resourcemanager.projects.get

resourcemanager.projects.list

(roles/recommender.gmpAdmin)

Admin of all Google Maps Platform insights and recommendations.

recommender.gmpGuidedExperienceInsights.*

recommender.gmpGuidedExperienceRecommendations.*

recommender.gmpProjectManagementInsights.*

recommender.gmpProjectManagementRecommendations.*

recommender.gmpProjectProductSuggestionsInsights.*

recommender.gmpProjectProductSuggestionsRecommendations.*

recommender.gmpProjectQuotaInsights.*

recommender.gmpProjectQuotaRecommendations.*

resourcemanager.projects.get

resourcemanager.projects.list

(roles/recommender.gmpViewer)

Viewer of all Google Maps Platform insights and recommendations.

recommender.gmpGuidedExperienceInsights.get

recommender.gmpGuidedExperienceInsights.list

recommender.gmpGuidedExperienceRecommendations.get

recommender.gmpGuidedExperienceRecommendations.list

recommender.gmpProjectManagementInsights.get

recommender.gmpProjectManagementInsights.list

recommender.gmpProjectManagementRecommendations.get

recommender.gmpProjectManagementRecommendations.list

recommender.gmpProjectProductSuggestionsInsights.get

recommender.gmpProjectProductSuggestionsInsights.list

recommender.gmpProjectProductSuggestionsRecommendations.get

recommender.gmpProjectProductSuggestionsRecommendations.list

recommender.gmpProjectQuotaInsights.get

recommender.gmpProjectQuotaInsights.list

recommender.gmpProjectQuotaRecommendations.get

recommender.gmpProjectQuotaRecommendations.list

resourcemanager.projects.get

resourcemanager.projects.list

(roles/recommender.iamAdmin)

Admin of IAM recommendations.

recommender.iamPolicyInsights.*

recommender.iamPolicyLateralMovementInsights.*

recommender.iamPolicyRecommendations.*

recommender.iamPolicyRecommenderConfig.*

recommender.iamServiceAccountInsights.*

recommender.locations.*

resourcemanager.projects.get

resourcemanager.projects.list

(roles/recommender.iamViewer)

Viewer of IAM recommendations.

recommender.iamPolicyInsights.get

recommender.iamPolicyInsights.list

recommender.iamPolicyLateralMovementInsights.get

recommender.iamPolicyLateralMovementInsights.list

recommender.iamPolicyRecommendations.get

recommender.iamPolicyRecommendations.list

recommender.iamPolicyRecommenderConfig.get

recommender.iamServiceAccountInsights.get

recommender.iamServiceAccountInsights.list

recommender.locations.*

resourcemanager.projects.get

resourcemanager.projects.list

(roles/recommender.iampolicychangeriskAdmin)

Admin of IAM Policy Change Risk Insights and Recommendations.

recommender.iamPolicyChangeRiskInsights.*

recommender.iamPolicyChangeRiskRecommendations.*

recommender.locations.*

resourcemanager.projects.get

resourcemanager.projects.list

(roles/recommender.iampolicychangeriskViewer)

Viewer of IAM Policy Change Risk Insights and Recommendations.

recommender.iamPolicyChangeRiskInsights.get

recommender.iamPolicyChangeRiskInsights.list

recommender.iamPolicyChangeRiskRecommendations.get

recommender.iamPolicyChangeRiskRecommendations.list

recommender.locations.*

resourcemanager.projects.get

resourcemanager.projects.list

(roles/recommender.networkAnalyzerAdmin)

Admin of Network Analyzer Insights and Recommendations.

recommender.locations.*

recommender.networkAnalyzerCloudSqlInsights.*

recommender.networkAnalyzerDynamicRouteInsights.*

recommender.networkAnalyzerGkeConnectivityInsights.*

recommender.networkAnalyzerGkeIpAddressInsights.*

recommender.networkAnalyzerGkeServiceAccountInsights.*

recommender.networkAnalyzerIpAddressInsights.*

recommender.networkAnalyzerLoadBalancerInsights.*

recommender.networkAnalyzerVpcConnectivityInsights.*

resourcemanager.projects.get

resourcemanager.projects.list

(roles/recommender.networkAnalyzerCloudSqlAdmin)

Admin of Network Analyzer Cloud SQL Insights and Recommendations.

recommender.locations.*

recommender.networkAnalyzerCloudSqlInsights.*

resourcemanager.projects.get

resourcemanager.projects.list

(roles/recommender.networkAnalyzerCloudSqlViewer)

Viewer of Network Analyzer Cloud SQL Insights and Recommendations.

recommender.locations.*

recommender.networkAnalyzerCloudSqlInsights.get

recommender.networkAnalyzerCloudSqlInsights.list

resourcemanager.projects.get

resourcemanager.projects.list

(roles/recommender.networkAnalyzerDynamicRouteAdmin)

Admin of Network Analyzer Dynamic Route Insights and Recommendations.

recommender.locations.*

recommender.networkAnalyzerDynamicRouteInsights.*

resourcemanager.projects.get

resourcemanager.projects.list

(roles/recommender.networkAnalyzerDynamicRouteViewer)

Viewer of Network Analyzer Dynamic Route Insights and Recommendations.

recommender.locations.*

recommender.networkAnalyzerDynamicRouteInsights.get

recommender.networkAnalyzerDynamicRouteInsights.list

resourcemanager.projects.get

resourcemanager.projects.list

(roles/recommender.networkAnalyzerGkeConnectivityAdmin)

Admin of Network Analyzer GKE Connectivity Insights and Recommendations.

recommender.locations.*

recommender.networkAnalyzerGkeConnectivityInsights.*

resourcemanager.projects.get

resourcemanager.projects.list

(roles/recommender.networkAnalyzerGkeConnectivityViewer)

Viewer of Network Analyzer GKE Connectivity Insights and Recommendations.

recommender.locations.*

recommender.networkAnalyzerGkeConnectivityInsights.get

recommender.networkAnalyzerGkeConnectivityInsights.list

resourcemanager.projects.get

resourcemanager.projects.list

(roles/recommender.networkAnalyzerGkeIpAddressAdmin)

Admin of Network Analyzer GKE IP Address Insights and Recommendations.

recommender.locations.*

recommender.networkAnalyzerGkeIpAddressInsights.*

resourcemanager.projects.get

resourcemanager.projects.list

(roles/recommender.networkAnalyzerGkeIpAddressViewer)

Viewer of Network Analyzer GKE IP Address Insights and Recommendations.

recommender.locations.*

recommender.networkAnalyzerGkeIpAddressInsights.get

recommender.networkAnalyzerGkeIpAddressInsights.list

resourcemanager.projects.get

resourcemanager.projects.list

(roles/recommender.networkAnalyzerGkeServiceAccountAdmin)

Admin of Network Analyzer GKE Service Account Insights and Recommendations.

recommender.locations.*

recommender.networkAnalyzerGkeServiceAccountInsights.*

resourcemanager.projects.get

resourcemanager.projects.list

(roles/recommender.networkAnalyzerGkeServiceAccountViewer)

Viewer of Network Analyzer GKE Service Account Insights and Recommendations.

recommender.locations.*

recommender.networkAnalyzerGkeServiceAccountInsights.get

recommender.networkAnalyzerGkeServiceAccountInsights.list

resourcemanager.projects.get

resourcemanager.projects.list

(roles/recommender.networkAnalyzerIpAddressAdmin)

Admin of Network Analyzer IP Address Insights and Recommendations.

recommender.locations.*

recommender.networkAnalyzerIpAddressInsights.*

resourcemanager.projects.get

resourcemanager.projects.list

(roles/recommender.networkAnalyzerIpAddressViewer)

Viewer of Network Analyzer IP Address Insights and Recommendations.

recommender.locations.*

recommender.networkAnalyzerIpAddressInsights.get

recommender.networkAnalyzerIpAddressInsights.list

resourcemanager.projects.get

resourcemanager.projects.list

(roles/recommender.networkAnalyzerLoadBalancerAdmin)

Admin of Network Analyzer Load Balancer Insights and Recommendations.

recommender.locations.*

recommender.networkAnalyzerLoadBalancerInsights.*

resourcemanager.projects.get

resourcemanager.projects.list

(roles/recommender.networkAnalyzerLoadBalancerViewer)

Viewer of Network Analyzer Load Balancer Insights and Recommendations.

recommender.locations.*

recommender.networkAnalyzerLoadBalancerInsights.get

recommender.networkAnalyzerLoadBalancerInsights.list

resourcemanager.projects.get

resourcemanager.projects.list

(roles/recommender.networkAnalyzerViewer)

Viewer of Network Analyzer Insights and Recommendations.

recommender.locations.*

recommender.networkAnalyzerCloudSqlInsights.get

recommender.networkAnalyzerCloudSqlInsights.list

recommender.networkAnalyzerDynamicRouteInsights.get

recommender.networkAnalyzerDynamicRouteInsights.list

recommender.networkAnalyzerGkeConnectivityInsights.get

recommender.networkAnalyzerGkeConnectivityInsights.list

recommender.networkAnalyzerGkeIpAddressInsights.get

recommender.networkAnalyzerGkeIpAddressInsights.list

recommender.networkAnalyzerGkeServiceAccountInsights.get

recommender.networkAnalyzerGkeServiceAccountInsights.list

recommender.networkAnalyzerIpAddressInsights.get

recommender.networkAnalyzerIpAddressInsights.list

recommender.networkAnalyzerLoadBalancerInsights.get

recommender.networkAnalyzerLoadBalancerInsights.list

recommender.networkAnalyzerVpcConnectivityInsights.get

recommender.networkAnalyzerVpcConnectivityInsights.list

resourcemanager.projects.get

resourcemanager.projects.list

(roles/recommender.networkAnalyzerVpcConnectivityAdmin)

Admin of Network Analyzer VPC Connectivity Insights and Recommendations.

recommender.locations.*

recommender.networkAnalyzerVpcConnectivityInsights.*

resourcemanager.projects.get

resourcemanager.projects.list

(roles/recommender.networkAnalyzerVpcConnectivityViewer)

Viewer of Network Analyzer VPC Connectivity Insights and Recommendations.

recommender.locations.*

recommender.networkAnalyzerVpcConnectivityInsights.get

recommender.networkAnalyzerVpcConnectivityInsights.list

resourcemanager.projects.get

resourcemanager.projects.list

(roles/recommender.productSuggestionAdmin)

Admin of all Product Suggestion insights and recommendations.

recommender.locations.*

recommender.loggingProductSuggestionContainerInsights.*

recommender.loggingProductSuggestionContainerRecommendations.*

recommender.monitoringProductSuggestionComputeInsights.*

recommender.monitoringProductSuggestionComputeRecommendations.*

resourcemanager.projects.get

resourcemanager.projects.list

(roles/recommender.productSuggestionViewer)

Viewer of all Product Suggestion insights and recommendations.

recommender.locations.*

recommender.loggingProductSuggestionContainerInsights.get

recommender.loggingProductSuggestionContainerInsights.list

recommender.loggingProductSuggestionContainerRecommendations.get

recommender.loggingProductSuggestionContainerRecommendations.list

recommender.monitoringProductSuggestionComputeInsights.get

recommender.monitoringProductSuggestionComputeInsights.list

recommender.monitoringProductSuggestionComputeRecommendations.get

recommender.monitoringProductSuggestionComputeRecommendations.list

resourcemanager.projects.get

resourcemanager.projects.list

(roles/recommender.projectCudAdmin)

Admin of Project Usage Commitment Recommender.

recommender.commitmentUtilizationInsights.*

recommender.locations.*

recommender.spendBasedCommitmentRecommenderConfig.get

recommender.usageCommitmentRecommendations.*

resourcemanager.projects.get

resourcemanager.projects.list

(roles/recommender.projectCudViewer)

Viewer of Project Usage Commitment Recommender.

recommender.commitmentUtilizationInsights.get

recommender.commitmentUtilizationInsights.list

recommender.locations.*

recommender.spendBasedCommitmentRecommenderConfig.get

recommender.usageCommitmentRecommendations.get

recommender.usageCommitmentRecommendations.list

resourcemanager.projects.get

resourcemanager.projects.list

(roles/recommender.projectUtilAdmin)

Admin of Project Utilization insights and recommendations.

recommender.resourcemanagerProjectUtilizationInsightTypeConfigs.*

recommender.resourcemanagerProjectUtilizationInsights.*

recommender.resourcemanagerProjectUtilizationRecommendations.*

recommender.resourcemanagerProjectUtilizationRecommenderConfigs.*

resourcemanager.projects.get

resourcemanager.projects.list

(roles/recommender.projectUtilViewer)

Viewer of Project Utilization insights and recommendations.

recommender.resourcemanagerProjectUtilizationInsightTypeConfigs.get

recommender.resourcemanagerProjectUtilizationInsights.get

recommender.resourcemanagerProjectUtilizationInsights.list

recommender.resourcemanagerProjectUtilizationRecommendations.get

recommender.resourcemanagerProjectUtilizationRecommendations.list

recommender.resourcemanagerProjectUtilizationRecommenderConfigs.get

resourcemanager.projects.get

resourcemanager.projects.list

(roles/recommender.recentChangeConfigAdmin)

Admin of RecentChange RecommenderConfigs.

recommender.cloudRecentChangeRecommenderConfig.*

recommender.locations.*

resourcemanager.projects.get

resourcemanager.projects.list

(roles/recommender.recentchangeriskAdmin)

Admin of Recent Change Risk Insights and Recommendations.

recommender.cloudRecentChangeInsights.*

recommender.cloudRecentChangeRecommendations.*

recommender.cloudRecentChangeRecommenderConfig.*

recommender.locations.*

resourcemanager.projects.get

resourcemanager.projects.list

(roles/recommender.recentchangeriskViewer)

Viewer of Recent Change Risk Insights and Recommendations.

recommender.cloudRecentChangeInsights.get

recommender.cloudRecentChangeInsights.list

recommender.cloudRecentChangeRecommendations.get

recommender.cloudRecentChangeRecommendations.list

recommender.locations.*

resourcemanager.projects.get

resourcemanager.projects.list

(roles/recommender.serviceLimitAdmin)

Admin of Service Limit insights and recommendations.

recommender.resourcemanagerServiceLimitInsights.*

recommender.resourcemanagerServiceLimitRecommendations.*

resourcemanager.projects.get

resourcemanager.projects.list

(roles/recommender.serviceLimitViewer)

Viewer of Service Limit insights and recommendations.

recommender.resourcemanagerServiceLimitInsights.get

recommender.resourcemanagerServiceLimitInsights.list

recommender.resourcemanagerServiceLimitRecommendations.get

recommender.resourcemanagerServiceLimitRecommendations.list

resourcemanager.projects.get

resourcemanager.projects.list

(roles/recommender.serviceaccntchangeriskAdmin)

Admin of Service Account Change Risk Insights and Recommendations.

recommender.iamServiceAccountChangeRiskInsights.*

recommender.iamServiceAccountChangeRiskRecommendations.*

recommender.locations.*

resourcemanager.projects.get

resourcemanager.projects.list

(roles/recommender.serviceaccntchangeriskViewer)

Viewer of Service Account Change Risk Insights and Recommendations.

recommender.iamServiceAccountChangeRiskInsights.get

recommender.iamServiceAccountChangeRiskInsights.list

recommender.iamServiceAccountChangeRiskRecommendations.get

recommender.iamServiceAccountChangeRiskRecommendations.list

recommender.locations.*

resourcemanager.projects.get

resourcemanager.projects.list

(roles/recommender.ucsAdmin)

Admin of Spend Based Commitment Recommender.

billing.accounts.get

billing.accounts.list

recommender.locations.*

recommender.spendBasedCommitmentInsights.*

recommender.spendBasedCommitmentRecommendations.*

recommender.spendBasedCommitmentRecommenderConfig.*

(roles/recommender.ucsViewer)

Viewer of Spend Based Commitment Recommender.

billing.accounts.get

billing.accounts.list

recommender.locations.*

recommender.spendBasedCommitmentInsights.get

recommender.spendBasedCommitmentInsights.list

recommender.spendBasedCommitmentRecommendations.get

recommender.spendBasedCommitmentRecommendations.list

recommender.spendBasedCommitmentRecommenderConfig.get

(roles/recommender.viewer)

Enables Get and List operations.

recommender.bigqueryCapacityCommitmentsInsights.get

recommender.bigqueryCapacityCommitmentsInsights.list

recommender.bigqueryCapacityCommitmentsRecommendations.get

recommender.bigqueryCapacityCommitmentsRecommendations.list

recommender.bigqueryMaterializedViewInsights.get

recommender.bigqueryMaterializedViewInsights.list

recommender.bigqueryMaterializedViewRecommendations.get

recommender.bigqueryMaterializedViewRecommendations.list

recommender.bigqueryPartitionClusterRecommendations.get

recommender.bigqueryPartitionClusterRecommendations.list

recommender.bigqueryTableStatsInsights.get

recommender.bigqueryTableStatsInsights.list

recommender.cloudAssetInsights.get

recommender.cloudAssetInsights.list

recommender.cloudCostGeneralInsights.get

recommender.cloudCostGeneralInsights.list

recommender.cloudCostGeneralRecommendations.get

recommender.cloudCostGeneralRecommendations.list

recommender.cloudDeprecationGeneralInsights.get

recommender.cloudDeprecationGeneralInsights.list

recommender.cloudDeprecationGeneralRecommendations.get

recommender.cloudDeprecationGeneralRecommendations.list

recommender.cloudFunctionsPerformanceInsights.get

recommender.cloudFunctionsPerformanceInsights.list

recommender.cloudFunctionsPerformanceRecommendations.get

recommender.cloudFunctionsPerformanceRecommendations.list

recommender.cloudManageabilityGeneralInsights.get

recommender.cloudManageabilityGeneralInsights.list

recommender.cloudManageabilityGeneralRecommendations.get

recommender.cloudManageabilityGeneralRecommendations.list

recommender.cloudPerformanceGeneralInsights.get

recommender.cloudPerformanceGeneralInsights.list

recommender.cloudPerformanceGeneralRecommendations.get

recommender.cloudPerformanceGeneralRecommendations.list

recommender.cloudRecentChangeInsights.get

recommender.cloudRecentChangeInsights.list

recommender.cloudRecentChangeRecommendations.get

recommender.cloudRecentChangeRecommendations.list

recommender.cloudRecentChangeRecommenderConfig.get

recommender.cloudReliabilityGeneralInsights.get

recommender.cloudReliabilityGeneralInsights.list

recommender.cloudReliabilityGeneralRecommendations.get

recommender.cloudReliabilityGeneralRecommendations.list

recommender.cloudSecurityGeneralInsights.get

recommender.cloudSecurityGeneralInsights.list

recommender.cloudSecurityGeneralRecommendations.get

recommender.cloudSecurityGeneralRecommendations.list

recommender.cloudsqlIdleInstanceRecommendations.get

recommender.cloudsqlIdleInstanceRecommendations.list

recommender.cloudsqlInstanceActivityInsights.get

recommender.cloudsqlInstanceActivityInsights.list

recommender.cloudsqlInstanceCpuUsageInsights.get

recommender.cloudsqlInstanceCpuUsageInsights.list

recommender.cloudsqlInstanceDiskUsageTrendInsights.get

recommender.cloudsqlInstanceDiskUsageTrendInsights.list

recommender.cloudsqlInstanceMemoryUsageInsights.get

recommender.cloudsqlInstanceMemoryUsageInsights.list

recommender.cloudsqlInstanceOomProbabilityInsights.get

recommender.cloudsqlInstanceOomProbabilityInsights.list

recommender.cloudsqlInstanceOutOfDiskRecommendations.get

recommender.cloudsqlInstanceOutOfDiskRecommendations.list

recommender.cloudsqlInstancePerformanceInsights.get

recommender.cloudsqlInstancePerformanceInsights.list

recommender.cloudsqlInstancePerformanceRecommendations.get

recommender.cloudsqlInstancePerformanceRecommendations.list

recommender.cloudsqlInstanceReliabilityInsights.get

recommender.cloudsqlInstanceReliabilityInsights.list

recommender.cloudsqlInstanceReliabilityRecommendations.get

recommender.cloudsqlInstanceReliabilityRecommendations.list

recommender.cloudsqlInstanceSecurityInsights.get

recommender.cloudsqlInstanceSecurityInsights.list

recommender.cloudsqlInstanceSecurityRecommendations.get

recommender.cloudsqlInstanceSecurityRecommendations.list

recommender.cloudsqlInstanceUnderprovisionedCpuUsageInsights.get

recommender.cloudsqlInstanceUnderprovisionedCpuUsageInsights.list

recommender.cloudsqlInstanceUnderprovisionedMemoryUsageInsights.get

recommender.cloudsqlInstanceUnderprovisionedMemoryUsageInsights.list

recommender.cloudsqlOverprovisionedInstanceRecommendations.get

recommender.cloudsqlOverprovisionedInstanceRecommendations.list

recommender.cloudsqlUnderProvisionedInstanceRecommendations.get

recommender.cloudsqlUnderProvisionedInstanceRecommendations.list

recommender.commitmentUtilizationInsights.get

recommender.commitmentUtilizationInsights.list

recommender.computeAddressIdleResourceInsights.get

recommender.computeAddressIdleResourceInsights.list

recommender.computeAddressIdleResourceRecommendations.get

recommender.computeAddressIdleResourceRecommendations.list

recommender.computeDiskIdleResourceInsights.get

recommender.computeDiskIdleResourceInsights.list

recommender.computeDiskIdleResourceRecommendations.get

recommender.computeDiskIdleResourceRecommendations.list

recommender.computeFirewallInsightTypeConfigs.get

recommender.computeFirewallInsights.get

recommender.computeFirewallInsights.list

recommender.computeImageIdleResourceInsights.get

recommender.computeImageIdleResourceInsights.list

recommender.computeImageIdleResourceRecommendations.get

recommender.computeImageIdleResourceRecommendations.list

recommender.computeInstanceCpuUsageInsights.get

recommender.computeInstanceCpuUsageInsights.list

recommender.computeInstanceCpuUsagePredictionInsights.get

recommender.computeInstanceCpuUsagePredictionInsights.list

recommender.computeInstanceCpuUsageTrendInsights.get

recommender.computeInstanceCpuUsageTrendInsights.list

recommender.computeInstanceGroupManagerCpuUsageInsights.get

recommender.computeInstanceGroupManagerCpuUsageInsights.list

recommender.computeInstanceGroupManagerCpuUsagePredictionInsights.get

recommender.computeInstanceGroupManagerCpuUsagePredictionInsights.list

recommender.computeInstanceGroupManagerCpuUsageTrendInsights.get

recommender.computeInstanceGroupManagerCpuUsageTrendInsights.list

recommender.computeInstanceGroupManagerMachineTypeRecommendations.get

recommender.computeInstanceGroupManagerMachineTypeRecommendations.list

recommender.computeInstanceGroupManagerMemoryUsageInsights.get

recommender.computeInstanceGroupManagerMemoryUsageInsights.list

recommender.computeInstanceGroupManagerMemoryUsagePredictionInsights.get

recommender.computeInstanceGroupManagerMemoryUsagePredictionInsights.list

recommender.computeInstanceIdleResourceRecommendations.get

recommender.computeInstanceIdleResourceRecommendations.list

recommender.computeInstanceIdleResourceRecommenderConfig.get

recommender.computeInstanceMachineTypeRecommendations.get

recommender.computeInstanceMachineTypeRecommendations.list

recommender.computeInstanceMemoryUsageInsights.get

recommender.computeInstanceMemoryUsageInsights.list

recommender.computeInstanceMemoryUsagePredictionInsights.get

recommender.computeInstanceMemoryUsagePredictionInsights.list

recommender.computeInstanceNetworkThroughputInsights.get

recommender.computeInstanceNetworkThroughputInsights.list

recommender.containerDiagnosisInsights.get

recommender.containerDiagnosisInsights.list

recommender.containerDiagnosisRecommendations.get

recommender.containerDiagnosisRecommendations.list

recommender.costInsights.get

recommender.costInsights.list

recommender.dataflowDiagnosticsInsights.get

recommender.dataflowDiagnosticsInsights.list

recommender.errorReportingInsights.get

recommender.errorReportingInsights.list

recommender.errorReportingRecommendations.get

recommender.errorReportingRecommendations.list

recommender.gmpGuidedExperienceInsights.get

recommender.gmpGuidedExperienceInsights.list

recommender.gmpGuidedExperienceRecommendations.get

recommender.gmpGuidedExperienceRecommendations.list

recommender.gmpProjectManagementInsights.get

recommender.gmpProjectManagementInsights.list

recommender.gmpProjectManagementRecommendations.get

recommender.gmpProjectManagementRecommendations.list

recommender.gmpProjectProductSuggestionsInsights.get

recommender.gmpProjectProductSuggestionsInsights.list

recommender.gmpProjectProductSuggestionsRecommendations.get

recommender.gmpProjectProductSuggestionsRecommendations.list

recommender.gmpProjectQuotaInsights.get

recommender.gmpProjectQuotaInsights.list

recommender.gmpProjectQuotaRecommendations.get

recommender.gmpProjectQuotaRecommendations.list

recommender.iamPolicyChangeRiskInsights.get

recommender.iamPolicyChangeRiskInsights.list

recommender.iamPolicyChangeRiskRecommendations.get

recommender.iamPolicyChangeRiskRecommendations.list

recommender.iamPolicyInsights.get

recommender.iamPolicyInsights.list

recommender.iamPolicyLateralMovementInsights.get

recommender.iamPolicyLateralMovementInsights.list

recommender.iamPolicyRecommendations.get

recommender.iamPolicyRecommendations.list

recommender.iamPolicyRecommenderConfig.get

recommender.iamServiceAccountChangeRiskInsights.get

recommender.iamServiceAccountChangeRiskInsights.list

recommender.iamServiceAccountChangeRiskRecommendations.get

recommender.iamServiceAccountChangeRiskRecommendations.list

recommender.iamServiceAccountInsights.get

recommender.iamServiceAccountInsights.list

recommender.locations.*

recommender.loggingProductSuggestionContainerInsights.get

recommender.loggingProductSuggestionContainerInsights.list

recommender.loggingProductSuggestionContainerRecommendations.get

recommender.loggingProductSuggestionContainerRecommendations.list

recommender.monitoringProductSuggestionComputeInsights.get

recommender.monitoringProductSuggestionComputeInsights.list

recommender.monitoringProductSuggestionComputeRecommendations.get

recommender.monitoringProductSuggestionComputeRecommendations.list

recommender.networkAnalyzerCloudSqlInsights.get

recommender.networkAnalyzerCloudSqlInsights.list

recommender.networkAnalyzerDynamicRouteInsights.get

recommender.networkAnalyzerDynamicRouteInsights.list

recommender.networkAnalyzerGkeConnectivityInsights.get

recommender.networkAnalyzerGkeConnectivityInsights.list

recommender.networkAnalyzerGkeIpAddressInsights.get

recommender.networkAnalyzerGkeIpAddressInsights.list

recommender.networkAnalyzerGkeServiceAccountInsights.get

recommender.networkAnalyzerGkeServiceAccountInsights.list

recommender.networkAnalyzerIpAddressInsights.get

recommender.networkAnalyzerIpAddressInsights.list

recommender.networkAnalyzerLoadBalancerInsights.get

recommender.networkAnalyzerLoadBalancerInsights.list

recommender.networkAnalyzerVpcConnectivityInsights.get

recommender.networkAnalyzerVpcConnectivityInsights.list

recommender.resourcemanagerProjectChangeRiskInsights.get

recommender.resourcemanagerProjectChangeRiskInsights.list

recommender.resourcemanagerProjectChangeRiskRecommendations.get

recommender.resourcemanagerProjectChangeRiskRecommendations.list

recommender.resourcemanagerProjectUtilizationInsightTypeConfigs.get

recommender.resourcemanagerProjectUtilizationInsights.get

recommender.resourcemanagerProjectUtilizationInsights.list

recommender.resourcemanagerProjectUtilizationRecommendations.get

recommender.resourcemanagerProjectUtilizationRecommendations.list

recommender.resourcemanagerProjectUtilizationRecommenderConfigs.get

recommender.resourcemanagerServiceLimitInsights.get

recommender.resourcemanagerServiceLimitInsights.list

recommender.resourcemanagerServiceLimitRecommendations.get

recommender.resourcemanagerServiceLimitRecommendations.list

recommender.runServiceCostInsights.get

recommender.runServiceCostInsights.list

recommender.runServiceCostRecommendations.get

recommender.runServiceCostRecommendations.list

recommender.runServiceIdentityInsights.get

recommender.runServiceIdentityInsights.list

recommender.runServiceIdentityRecommendations.get

recommender.runServiceIdentityRecommendations.list

recommender.runServicePerformanceInsights.get

recommender.runServicePerformanceInsights.list

recommender.runServicePerformanceRecommendations.get

recommender.runServicePerformanceRecommendations.list

recommender.runServiceSecurityInsights.get

recommender.runServiceSecurityInsights.list

recommender.runServiceSecurityRecommendations.get

recommender.runServiceSecurityRecommendations.list

recommender.spendBasedCommitmentInsights.get

recommender.spendBasedCommitmentInsights.list

recommender.spendBasedCommitmentRecommendations.get

recommender.spendBasedCommitmentRecommendations.list

recommender.spendBasedCommitmentRecommenderConfig.get

recommender.usageCommitmentRecommendations.get

recommender.usageCommitmentRecommendations.list

resourcemanager.projects.get

Permissions

(roles/resourcemanager.folderAdmin)

Provides all available permissions for working with folders.

Lowest-level resources where you can grant this role:

  • Folder

essentialcontacts.*

orgpolicy.constraints.list

orgpolicy.policies.list

orgpolicy.policy.get

resourcemanager.folders.*

resourcemanager.hierarchyNodes.*

resourcemanager.projects.get

resourcemanager.projects.getIamPolicy

resourcemanager.projects.list

resourcemanager.projects.move

resourcemanager.projects.setIamPolicy

(roles/resourcemanager.folderCreator)

Provides permissions needed to browse the hierarchy and create folders.

Lowest-level resources where you can grant this role:

  • Folder

essentialcontacts.contacts.get

essentialcontacts.contacts.list

orgpolicy.constraints.list

orgpolicy.policies.list

orgpolicy.policy.get

resourcemanager.folders.create

resourcemanager.folders.get

resourcemanager.folders.list

resourcemanager.projects.get

resourcemanager.projects.list

(roles/resourcemanager.folderEditor)

Provides permission to modify folders as well as to view a folder's allow policy.

Lowest-level resources where you can grant this role:

  • Folder

essentialcontacts.contacts.get

essentialcontacts.contacts.list

orgpolicy.constraints.list

orgpolicy.policies.list

orgpolicy.policy.get

resourcemanager.folders.delete

resourcemanager.folders.get

resourcemanager.folders.getIamPolicy

resourcemanager.folders.list

resourcemanager.folders.undelete

resourcemanager.folders.update

resourcemanager.projects.get

resourcemanager.projects.list

(roles/resourcemanager.folderIamAdmin)

Provides permissions to administer allow policies on folders.

Lowest-level resources where you can grant this role:

  • Folder

resourcemanager.folders.get

resourcemanager.folders.getIamPolicy

resourcemanager.folders.setIamPolicy

(roles/resourcemanager.folderMover)

Provides permission to move projects and folders into and out of a parent organization or folder.

Lowest-level resources where you can grant this role:

  • Folder

resourcemanager.folders.move

resourcemanager.projects.move

(roles/resourcemanager.folderViewer)

Provides permission to get a folder and list the folders and projects below a resource.

Lowest-level resources where you can grant this role:

  • Folder

essentialcontacts.contacts.get

essentialcontacts.contacts.list

orgpolicy.constraints.list

orgpolicy.policies.list

orgpolicy.policy.get

resourcemanager.folders.get

resourcemanager.folders.list

resourcemanager.projects.get

resourcemanager.projects.list

(roles/resourcemanager.lienModifier)

Provides access to modify Liens on projects.

Lowest-level resources where you can grant this role:

  • Project

resourcemanager.projects.updateLiens

(roles/resourcemanager.organizationAdmin)

Access to manage IAM policies and view organization policies for organizations, folders, and projects.

Lowest-level resources where you can grant this role:

  • Project

essentialcontacts.*

orgpolicy.constraints.list

orgpolicy.policies.list

orgpolicy.policy.get

resourcemanager.folders.get

resourcemanager.folders.getIamPolicy

resourcemanager.folders.list

resourcemanager.folders.setIamPolicy

resourcemanager.organizations.*

resourcemanager.projects.get

resourcemanager.projects.getIamPolicy

resourcemanager.projects.list

resourcemanager.projects.setIamPolicy

(roles/resourcemanager.organizationViewer)

Provides access to view an organization.

Lowest-level resources where you can grant this role:

  • Organization

resourcemanager.organizations.get

(roles/resourcemanager.projectCreator)

Provides access to create new projects. Once a user creates a project, they're automatically granted the owner role for that project.

Lowest-level resources where you can grant this role:

  • Folder

resourcemanager.organizations.get

resourcemanager.projects.create

(roles/resourcemanager.projectDeleter)

Provides access to delete Google Cloud projects.

Lowest-level resources where you can grant this role:

  • Folder

resourcemanager.projects.delete

(roles/resourcemanager.projectIamAdmin)

Provides permissions to administer allow policies on projects.

Lowest-level resources where you can grant this role:

  • Project

resourcemanager.projects.get

resourcemanager.projects.getIamPolicy

resourcemanager.projects.setIamPolicy

(roles/resourcemanager.projectMover)

Provides access to update and move projects.

Lowest-level resources where you can grant this role:

  • Project

resourcemanager.projects.get

resourcemanager.projects.move

resourcemanager.projects.update

(roles/resourcemanager.tagAdmin)

Access to create, delete, update, and manage access to Tags.

resourcemanager.tagHolds.*

resourcemanager.tagKeys.*

resourcemanager.tagValues.*

(roles/resourcemanager.tagHoldAdmin)

Access to create, delete, and list TagHolds under a TagValue.

resourcemanager.tagHolds.*

(roles/resourcemanager.tagUser)

Access to list Tags and manage their associations with resources.

alloydb.backups.createTagBinding

alloydb.backups.deleteTagBinding

alloydb.backups.listEffectiveTags

alloydb.backups.listTagBindings

alloydb.clusters.createTagBinding

alloydb.clusters.deleteTagBinding

alloydb.clusters.listEffectiveTags

alloydb.clusters.listTagBindings

artifactregistry.repositories.createTagBinding

artifactregistry.repositories.deleteTagBinding

artifactregistry.repositories.listEffectiveTags

artifactregistry.repositories.listTagBindings

bigquery.datasets.createTagBinding

bigquery.datasets.deleteTagBinding

bigquery.datasets.listEffectiveTags

bigquery.datasets.listTagBindings

bigquery.tables.createTagBinding

bigquery.tables.deleteTagBinding

bigtable.instances.createTagBinding

bigtable.instances.deleteTagBinding

bigtable.instances.listEffectiveTags

bigtable.instances.listTagBindings

cloudkms.keyRings.createTagBinding

cloudkms.keyRings.deleteTagBinding

cloudkms.keyRings.listEffectiveTags

cloudkms.keyRings.listTagBindings

cloudsql.instances.createTagBinding

cloudsql.instances.deleteTagBinding

cloudsql.instances.listEffectiveTags

cloudsql.instances.listTagBindings

compute.backendBuckets.createTagBinding

compute.backendBuckets.deleteTagBinding

compute.backendBuckets.listEffectiveTags

compute.backendBuckets.listTagBindings

compute.backendServices.createTagBinding

compute.backendServices.deleteTagBinding

compute.backendServices.listEffectiveTags

compute.backendServices.listTagBindings

compute.disks.createTagBinding

compute.disks.deleteTagBinding

compute.disks.listEffectiveTags

compute.disks.listTagBindings

compute.firewallPolicies.createTagBinding

compute.firewallPolicies.deleteTagBinding

compute.firewallPolicies.listEffectiveTags

compute.firewallPolicies.listTagBindings

compute.firewalls.createTagBinding

compute.firewalls.deleteTagBinding

compute.firewalls.listEffectiveTags

compute.firewalls.listTagBindings

compute.forwardingRules.createTagBinding

compute.forwardingRules.deleteTagBinding

compute.forwardingRules.listEffectiveTags

compute.forwardingRules.listTagBindings

compute.globalForwardingRules.createTagBinding

compute.globalForwardingRules.deleteTagBinding

compute.globalForwardingRules.listEffectiveTags

compute.globalForwardingRules.listTagBindings

compute.globalNetworkEndpointGroups.createTagBinding

compute.globalNetworkEndpointGroups.deleteTagBinding

compute.globalNetworkEndpointGroups.listEffectiveTags

compute.globalNetworkEndpointGroups.listTagBindings

compute.healthChecks.createTagBinding

compute.healthChecks.deleteTagBinding

compute.healthChecks.listEffectiveTags

compute.healthChecks.listTagBindings

compute.httpHealthChecks.createTagBinding

compute.httpHealthChecks.deleteTagBinding

compute.httpHealthChecks.listEffectiveTags

compute.httpHealthChecks.listTagBindings

compute.httpsHealthChecks.createTagBinding

compute.httpsHealthChecks.deleteTagBinding

compute.httpsHealthChecks.listEffectiveTags

compute.httpsHealthChecks.listTagBindings

compute.images.createTagBinding

compute.images.deleteTagBinding

compute.images.listEffectiveTags

compute.images.listTagBindings

compute.instanceGroupManagers.createTagBinding

compute.instanceGroupManagers.deleteTagBinding

compute.instanceGroupManagers.listEffectiveTags

compute.instanceGroupManagers.listTagBindings

compute.instances.createTagBinding

compute.instances.deleteTagBinding

compute.instances.listEffectiveTags

compute.instances.listTagBindings

compute.networkEndpointGroups.createTagBinding

compute.networkEndpointGroups.deleteTagBinding

compute.networkEndpointGroups.listEffectiveTags

compute.networkEndpointGroups.listTagBindings

compute.networks.createTagBinding

compute.networks.deleteTagBinding

compute.networks.listEffectiveTags

compute.networks.listTagBindings

compute.regionBackendServices.createTagBinding

compute.regionBackendServices.deleteTagBinding

compute.regionBackendServices.listEffectiveTags

compute.regionBackendServices.listTagBindings

compute.regionFirewallPolicies.createTagBinding

compute.regionFirewallPolicies.deleteTagBinding

compute.regionFirewallPolicies.listEffectiveTags

compute.regionFirewallPolicies.listTagBindings

compute.regionHealthChecks.createTagBinding

compute.regionHealthChecks.deleteTagBinding

compute.regionHealthChecks.listEffectiveTags

compute.regionHealthChecks.listTagBindings

compute.regionNetworkEndpointGroups.createTagBinding

compute.regionNetworkEndpointGroups.deleteTagBinding

compute.regionNetworkEndpointGroups.listEffectiveTags

compute.regionNetworkEndpointGroups.listTagBindings

compute.regionSecurityPolicies.createTagBinding

compute.regionSecurityPolicies.deleteTagBinding

compute.regionSecurityPolicies.listEffectiveTags

compute.regionSecurityPolicies.listTagBindings

compute.regionSslCertificates.createTagBinding

compute.regionSslCertificates.deleteTagBinding

compute.regionSslCertificates.listEffectiveTags

compute.regionSslCertificates.listTagBindings

compute.regionTargetHttpProxies.createTagBinding

compute.regionTargetHttpProxies.deleteTagBinding

compute.regionTargetHttpProxies.listEffectiveTags

compute.regionTargetHttpProxies.listTagBindings

compute.regionTargetHttpsProxies.createTagBinding

compute.regionTargetHttpsProxies.deleteTagBinding

compute.regionTargetHttpsProxies.listEffectiveTags

compute.regionTargetHttpsProxies.listTagBindings

compute.regionUrlMaps.createTagBinding

compute.regionUrlMaps.deleteTagBinding

compute.regionUrlMaps.listEffectiveTags

compute.regionUrlMaps.listTagBindings

compute.routes.createTagBinding

compute.routes.deleteTagBinding

compute.routes.listEffectiveTags

compute.routes.listTagBindings

compute.securityPolicies.createTagBinding

compute.securityPolicies.deleteTagBinding

compute.securityPolicies.listEffectiveTags

compute.securityPolicies.listTagBindings

compute.snapshots.createTagBinding

compute.snapshots.deleteTagBinding

compute.snapshots.listEffectiveTags

compute.snapshots.listTagBindings

compute.sslCertificates.createTagBinding

compute.sslCertificates.deleteTagBinding

compute.sslCertificates.listEffectiveTags

compute.sslCertificates.listTagBindings

compute.sslPolicies.createTagBinding

compute.sslPolicies.deleteTagBinding

compute.sslPolicies.listEffectiveTags

compute.sslPolicies.listTagBindings

compute.subnetworks.createTagBinding

compute.subnetworks.deleteTagBinding

compute.subnetworks.listEffectiveTags

compute.subnetworks.listTagBindings

compute.targetHttpProxies.createTagBinding

compute.targetHttpProxies.deleteTagBinding

compute.targetHttpProxies.listEffectiveTags

compute.targetHttpProxies.listTagBindings

compute.targetHttpsProxies.createTagBinding

compute.targetHttpsProxies.deleteTagBinding

compute.targetHttpsProxies.listEffectiveTags

compute.targetHttpsProxies.listTagBindings

compute.targetInstances.createTagBinding

compute.targetInstances.deleteTagBinding

compute.targetInstances.listEffectiveTags

compute.targetInstances.listTagBindings

compute.targetPools.createTagBinding

compute.targetPools.deleteTagBinding

compute.targetPools.listEffectiveTags

compute.targetPools.listTagBindings

compute.targetSslProxies.createTagBinding

compute.targetSslProxies.deleteTagBinding

compute.targetSslProxies.listEffectiveTags

compute.targetSslProxies.listTagBindings

compute.targetTcpProxies.createTagBinding

compute.targetTcpProxies.deleteTagBinding

compute.targetTcpProxies.listEffectiveTags

compute.targetTcpProxies.listTagBindings

compute.urlMaps.createTagBinding

compute.urlMaps.deleteTagBinding

compute.urlMaps.listEffectiveTags

compute.urlMaps.listTagBindings

container.clusters.createTagBinding

container.clusters.deleteTagBinding

container.clusters.listEffectiveTags

container.clusters.listTagBindings

datastore.databases.createTagBinding

datastore.databases.deleteTagBinding

datastore.databases.listEffectiveTags

datastore.databases.listTagBindings

datastream.connectionProfiles.createTagBinding

datastream.connectionProfiles.deleteTagBinding

datastream.connectionProfiles.listEffectiveTags

datastream.connectionProfiles.listTagBindings

datastream.privateConnections.createTagBinding

datastream.privateConnections.deleteTagBinding

datastream.privateConnections.listEffectiveTags

datastream.privateConnections.listTagBindings

datastream.streams.createTagBinding

datastream.streams.deleteTagBinding

datastream.streams.listEffectiveTags

datastream.streams.listTagBindings

domains.registrations.createTagBinding

domains.registrations.deleteTagBinding

domains.registrations.listEffectiveTags

domains.registrations.listTagBindings

file.backups.createTagBinding

file.backups.deleteTagBinding

file.backups.listEffectiveTags

file.backups.listTagBindings

file.instances.createTagBinding

file.instances.deleteTagBinding

file.instances.listEffectiveTags

file.instances.listTagBindings

file.snapshots.createTagBinding

file.snapshots.deleteTagBinding

file.snapshots.listEffectiveTags

file.snapshots.listTagBindings

managedidentities.domains.createTagBinding

managedidentities.domains.deleteTagBinding

managedidentities.domains.listEffectiveTags

managedidentities.domains.listTagBindings

redis.instances.createTagBinding

redis.instances.deleteTagBinding

redis.instances.listEffectiveTags

redis.instances.listTagBindings

resourcemanager.hierarchyNodes.*

resourcemanager.projects.get

resourcemanager.tagKeys.get

resourcemanager.tagKeys.list

resourcemanager.tagValueBindings.*

resourcemanager.tagValues.get

resourcemanager.tagValues.list

run.jobs.createTagBinding

run.jobs.deleteTagBinding

run.jobs.listEffectiveTags

run.jobs.listTagBindings

run.services.createTagBinding

run.services.deleteTagBinding

run.services.listEffectiveTags

run.services.listTagBindings

spanner.instances.createTagBinding

spanner.instances.deleteTagBinding

spanner.instances.listEffectiveTags

spanner.instances.listTagBindings

storage.buckets.createTagBinding

storage.buckets.deleteTagBinding

storage.buckets.listEffectiveTags

storage.buckets.listTagBindings

(roles/resourcemanager.tagViewer)

Access to list Tags and their associations with resources.

alloydb.backups.listEffectiveTags

alloydb.backups.listTagBindings

alloydb.clusters.listEffectiveTags

alloydb.clusters.listTagBindings

artifactregistry.repositories.listEffectiveTags

artifactregistry.repositories.listTagBindings

bigquery.datasets.listEffectiveTags

bigquery.datasets.listTagBindings

bigtable.instances.listEffectiveTags

bigtable.instances.listTagBindings

cloudkms.keyRings.listEffectiveTags

cloudkms.keyRings.listTagBindings

cloudsql.instances.listEffectiveTags

cloudsql.instances.listTagBindings

compute.backendBuckets.listEffectiveTags

compute.backendBuckets.listTagBindings

compute.backendServices.listEffectiveTags

compute.backendServices.listTagBindings

compute.disks.listEffectiveTags

compute.disks.listTagBindings

compute.firewallPolicies.listEffectiveTags

compute.firewallPolicies.listTagBindings

compute.firewalls.listEffectiveTags

compute.firewalls.listTagBindings

compute.forwardingRules.listEffectiveTags

compute.forwardingRules.listTagBindings

compute.globalForwardingRules.listEffectiveTags

compute.globalForwardingRules.listTagBindings

compute.globalNetworkEndpointGroups.listEffectiveTags

compute.globalNetworkEndpointGroups.listTagBindings

compute.healthChecks.listEffectiveTags

compute.healthChecks.listTagBindings

compute.httpHealthChecks.listEffectiveTags

compute.httpHealthChecks.listTagBindings

compute.httpsHealthChecks.listEffectiveTags

compute.httpsHealthChecks.listTagBindings

compute.images.listEffectiveTags

compute.images.listTagBindings

compute.instanceGroupManagers.listEffectiveTags

compute.instanceGroupManagers.listTagBindings

compute.instances.listEffectiveTags

compute.instances.listTagBindings

compute.networkEndpointGroups.listEffectiveTags

compute.networkEndpointGroups.listTagBindings

compute.networks.listEffectiveTags

compute.networks.listTagBindings

compute.regionBackendServices.listEffectiveTags

compute.regionBackendServices.listTagBindings

compute.regionFirewallPolicies.listEffectiveTags

compute.regionFirewallPolicies.listTagBindings

compute.regionHealthChecks.listEffectiveTags

compute.regionHealthChecks.listTagBindings

compute.regionNetworkEndpointGroups.listEffectiveTags

compute.regionNetworkEndpointGroups.listTagBindings

compute.regionSecurityPolicies.listEffectiveTags

compute.regionSecurityPolicies.listTagBindings

compute.regionSslCertificates.listEffectiveTags

compute.regionSslCertificates.listTagBindings

compute.regionTargetHttpProxies.listEffectiveTags

compute.regionTargetHttpProxies.listTagBindings

compute.regionTargetHttpsProxies.listEffectiveTags

compute.regionTargetHttpsProxies.listTagBindings

compute.regionUrlMaps.listEffectiveTags

compute.regionUrlMaps.listTagBindings

compute.routes.listEffectiveTags

compute.routes.listTagBindings

compute.securityPolicies.listEffectiveTags

compute.securityPolicies.listTagBindings

compute.snapshots.listEffectiveTags

compute.snapshots.listTagBindings

compute.sslCertificates.listEffectiveTags

compute.sslCertificates.listTagBindings

compute.sslPolicies.listEffectiveTags

compute.sslPolicies.listTagBindings

compute.subnetworks.listEffectiveTags

compute.subnetworks.listTagBindings

compute.targetHttpProxies.listEffectiveTags

compute.targetHttpProxies.listTagBindings

compute.targetHttpsProxies.listEffectiveTags

compute.targetHttpsProxies.listTagBindings

compute.targetInstances.listEffectiveTags

compute.targetInstances.listTagBindings

compute.targetPools.listEffectiveTags

compute.targetPools.listTagBindings

compute.targetSslProxies.listEffectiveTags

compute.targetSslProxies.listTagBindings

compute.targetTcpProxies.listEffectiveTags

compute.targetTcpProxies.listTagBindings

compute.urlMaps.listEffectiveTags

compute.urlMaps.listTagBindings

container.clusters.listEffectiveTags

container.clusters.listTagBindings

datastore.databases.listEffectiveTags

datastore.databases.listTagBindings

datastream.connectionProfiles.listEffectiveTags

datastream.connectionProfiles.listTagBindings

datastream.privateConnections.listEffectiveTags

datastream.privateConnections.listTagBindings

datastream.streams.listEffectiveTags

datastream.streams.listTagBindings

domains.registrations.listEffectiveTags

domains.registrations.listTagBindings

file.backups.listEffectiveTags

file.backups.listTagBindings

file.instances.listEffectiveTags

file.instances.listTagBindings

file.snapshots.listEffectiveTags

file.snapshots.listTagBindings

managedidentities.domains.listEffectiveTags

managedidentities.domains.listTagBindings

redis.instances.listEffectiveTags

redis.instances.listTagBindings

resourcemanager.hierarchyNodes.listEffectiveTags

resourcemanager.hierarchyNodes.listTagBindings

resourcemanager.tagHolds.list

resourcemanager.tagKeys.get

resourcemanager.tagKeys.list

resourcemanager.tagValues.get

resourcemanager.tagValues.list

run.jobs.listEffectiveTags

run.jobs.listTagBindings

run.services.listEffectiveTags

run.services.listTagBindings

spanner.instances.listEffectiveTags

spanner.instances.listTagBindings

storage.buckets.listEffectiveTags

storage.buckets.listTagBindings

Permissions

(roles/resourcesettings.admin)

Provides admin capabilities to set Resource Setting Values on resources.

Lowest-level resources where you can grant this role:

  • Organization

resourcesettings.*

(roles/resourcesettings.viewer)

Provides capabilities to view Resource Settings and Resource Setting Values on resources.

resourcesettings.settings.get

resourcesettings.settings.list

Permissions

(roles/riskmanager.admin)

Grants all Risk Manager permissions

resourcemanager.projects.get

resourcemanager.projects.list

riskmanager.*

(roles/riskmanager.editor)

Access to edit Risk Manager resources

resourcemanager.projects.get

resourcemanager.projects.list

riskmanager.controlScoreBreakdowns.*

riskmanager.operations.*

riskmanager.policies.*

riskmanager.reports.create

riskmanager.reports.delete

riskmanager.reports.get

riskmanager.reports.list

riskmanager.serviceAccount.create

riskmanager.settings.*

(roles/riskmanager.reviewer)

Access to review Risk Manager reports

resourcemanager.projects.get

resourcemanager.projects.list

riskmanager.controlScoreBreakdowns.*

riskmanager.operations.get

riskmanager.operations.list

riskmanager.reports.get

riskmanager.reports.list

riskmanager.reports.review

(roles/riskmanager.viewer)

Access to view Risk Manager resources

resourcemanager.projects.get

resourcemanager.projects.list

riskmanager.controlScoreBreakdowns.*

riskmanager.operations.get

riskmanager.operations.list

riskmanager.policies.*

riskmanager.reports.get

riskmanager.reports.list

riskmanager.settings.get

Permissions

(roles/iam.organizationRoleAdmin)

Provides access to administer all custom roles in the organization and the projects below it.

Lowest-level resources where you can grant this role:

  • Organization

iam.roles.*

resourcemanager.organizations.get

resourcemanager.organizations.getIamPolicy

resourcemanager.projects.get

resourcemanager.projects.getIamPolicy

resourcemanager.projects.list

(roles/iam.organizationRoleViewer)

Provides read access to all custom roles in the organization and the projects below it.

Lowest-level resources where you can grant this role:

  • Organization

iam.roles.get

iam.roles.list

resourcemanager.organizations.get

resourcemanager.organizations.getIamPolicy

resourcemanager.projects.get

resourcemanager.projects.getIamPolicy

resourcemanager.projects.list

(roles/iam.roleAdmin)

Provides access to all custom roles in the project.

Lowest-level resources where you can grant this role:

  • Project

iam.roles.*

resourcemanager.projects.get

resourcemanager.projects.getIamPolicy

(roles/iam.roleViewer)

Provides read access to all custom roles in the project.

Lowest-level resources where you can grant this role:

  • Project

iam.roles.get

iam.roles.list

resourcemanager.projects.get

resourcemanager.projects.getIamPolicy

Permissions

(roles/secretmanager.admin)

Full access to administer Secret Manager resources.

Lowest-level resources where you can grant this role:

  • Secret

resourcemanager.projects.get

resourcemanager.projects.list

secretmanager.*

(roles/secretmanager.secretAccessor)

Allows accessing the payload of secrets.

Lowest-level resources where you can grant this role:

  • Secret

resourcemanager.projects.get

resourcemanager.projects.list

secretmanager.versions.access

(roles/secretmanager.secretVersionAdder)

Allows adding versions to existing secrets.

Lowest-level resources where you can grant this role:

  • Secret

resourcemanager.projects.get

resourcemanager.projects.list

secretmanager.versions.add

(roles/secretmanager.secretVersionManager)

Allows creating and managing versions of existing secrets.

Lowest-level resources where you can grant this role:

  • Secret

resourcemanager.projects.get

resourcemanager.projects.list

secretmanager.versions.add

secretmanager.versions.destroy

secretmanager.versions.disable

secretmanager.versions.enable

secretmanager.versions.get

secretmanager.versions.list

(roles/secretmanager.viewer)

Allows viewing metadata of all Secret Manager resources

Lowest-level resources where you can grant this role:

  • Secret

resourcemanager.projects.get

resourcemanager.projects.list

secretmanager.locations.*

secretmanager.secrets.get

secretmanager.secrets.getIamPolicy

secretmanager.secrets.list

secretmanager.versions.get

secretmanager.versions.list

Permissions

(roles/securesourcemanager.admin)

Full access to all Secure Source Manager resources.

resourcemanager.projects.get

resourcemanager.projects.list

securesourcemanager.*

(roles/securesourcemanager.instanceAccessor)

An instance accessor can access an instance, but not necessarily create resources in the instance.

resourcemanager.projects.get

resourcemanager.projects.list

securesourcemanager.instances.access

securesourcemanager.sshkeys.create

securesourcemanager.sshkeys.delete

securesourcemanager.sshkeys.get

securesourcemanager.sshkeys.list

(roles/securesourcemanager.instanceManager)

Read-write access to all Secure Source Manager resources (full control except for the ability to modify permissions).

resourcemanager.projects.get

resourcemanager.projects.list

securesourcemanager.instances.access

securesourcemanager.instances.createRepository

securesourcemanager.instances.delete

securesourcemanager.instances.get

securesourcemanager.instances.list

securesourcemanager.locations.*

securesourcemanager.operations.*

securesourcemanager.sshkeys.*

(roles/securesourcemanager.instanceOwner)

Full control over Secure Source Manager instances, including listing, creating, and deleting them. Also enables instance user management.

resourcemanager.projects.get

resourcemanager.projects.list

securesourcemanager.instances.*

securesourcemanager.locations.*

securesourcemanager.operations.*

securesourcemanager.sshkeys.*

(roles/securesourcemanager.instanceRepositoryCreator)

An instance repository creator can connect to a Cloud Git instance via IAP (HTTPS) and create repositories in the instance.

resourcemanager.projects.get

resourcemanager.projects.list

securesourcemanager.instances.access

securesourcemanager.instances.createRepository

securesourcemanager.sshkeys.create

securesourcemanager.sshkeys.delete

securesourcemanager.sshkeys.get

securesourcemanager.sshkeys.list

(roles/securesourcemanager.repoAdmin)

A repoAdmin has the ability to CRUD a repository and its children as well as assign users to a repository. They can also set, get, or check IAM policies on the repository.

resourcemanager.projects.get

resourcemanager.projects.list

securesourcemanager.repositories.*

(roles/securesourcemanager.repoCreator)

A repoCreator has access to create a repository in a project; the creator then becomes the repoAdmin on that repository.

resourcemanager.projects.get

resourcemanager.projects.list

securesourcemanager.repositories.create

(roles/securesourcemanager.repoReader)

A repoReader has read access to a particular repository, including its child components. They cannot create repositories, and do not manage IAM policies on the repository.

resourcemanager.projects.get

resourcemanager.projects.list

securesourcemanager.repositories.fetch

securesourcemanager.repositories.get

securesourcemanager.repositories.list

securesourcemanager.repositories.readIssues

securesourcemanager.repositories.readPullRequests

(roles/securesourcemanager.repoWriter)

A repoWriter has read/write access to a particular repository, including its child components. They cannot create repositories, and do not manage IAM policies on the repository.

resourcemanager.projects.get

resourcemanager.projects.list

securesourcemanager.repositories.fetch

securesourcemanager.repositories.get

securesourcemanager.repositories.list

securesourcemanager.repositories.push

securesourcemanager.repositories.readIssues

securesourcemanager.repositories.readPullRequests

securesourcemanager.repositories.writeIssues

securesourcemanager.repositories.writePullRequests

(roles/securesourcemanager.sshKeyUser)

An sshKeyUser can create SSH keys for themselves and list/delete SSH keys they own.

resourcemanager.projects.get

resourcemanager.projects.list

securesourcemanager.sshkeys.create

securesourcemanager.sshkeys.delete

securesourcemanager.sshkeys.get

securesourcemanager.sshkeys.list

Permissions

(roles/securitycenter.admin)

Admin (super user) access to security center

Lowest-level resources where you can grant this role:

  • Project

appengine.applications.get

artifactregistry.dockerimages.*

artifactregistry.files.*

artifactregistry.locations.*

artifactregistry.mavenartifacts.*

artifactregistry.npmpackages.*

artifactregistry.packages.get

artifactregistry.packages.list

artifactregistry.projectsettings.get

artifactregistry.pythonpackages.*

artifactregistry.repositories.create

artifactregistry.repositories.downloadArtifacts

artifactregistry.repositories.get

artifactregistry.repositories.list

artifactregistry.repositories.listEffectiveTags

artifactregistry.repositories.listTagBindings

artifactregistry.repositories.readViaVirtualRepository

artifactregistry.tags.get

artifactregistry.tags.list

artifactregistry.versions.get

artifactregistry.versions.list

assuredoss.*

cloudasset.assets.exportIamPolicy

cloudasset.assets.exportOSInventories

cloudasset.assets.exportResource

cloudasset.assets.queryAccessPolicy

cloudasset.assets.queryIamPolicy

cloudasset.assets.queryOSInventories

cloudasset.assets.queryResource

cloudasset.assets.searchAllIamPolicies

cloudasset.assets.searchAllResources

cloudsecurityscanner.*

compute.addresses.list

iam.serviceAccounts.create

iam.serviceAccounts.get

resourcemanager.folders.get

resourcemanager.folders.list

resourcemanager.organizations.get

resourcemanager.projects.get

resourcemanager.projects.list

resourcemanager.tagValues.get

securitycenter.*

securitycentermanagement.*

serviceusage.quotas.get

serviceusage.services.enable

serviceusage.services.get

serviceusage.services.list

(roles/securitycenter.adminEditor)

Admin Read-write access to security center

Lowest-level resources where you can grant this role:

  • Project

appengine.applications.get

artifactregistry.dockerimages.*

artifactregistry.files.*

artifactregistry.locations.*

artifactregistry.mavenartifacts.*

artifactregistry.npmpackages.*

artifactregistry.packages.get

artifactregistry.packages.list

artifactregistry.projectsettings.get

artifactregistry.pythonpackages.*

artifactregistry.repositories.downloadArtifacts

artifactregistry.repositories.get

artifactregistry.repositories.list

artifactregistry.repositories.listEffectiveTags

artifactregistry.repositories.listTagBindings

artifactregistry.repositories.readViaVirtualRepository

artifactregistry.tags.get

artifactregistry.tags.list

artifactregistry.versions.get

artifactregistry.versions.list

assuredoss.config.get

assuredoss.locations.*

assuredoss.metadata.*

assuredoss.operations.get

assuredoss.operations.list

cloudasset.assets.exportIamPolicy

cloudasset.assets.exportOSInventories

cloudasset.assets.exportResource

cloudasset.assets.queryAccessPolicy

cloudasset.assets.queryIamPolicy

cloudasset.assets.queryOSInventories

cloudasset.assets.queryResource

cloudasset.assets.searchAllIamPolicies

cloudasset.assets.searchAllResources

cloudsecurityscanner.*

compute.addresses.list

resourcemanager.folders.get

resourcemanager.folders.list

resourcemanager.organizations.get

resourcemanager.projects.get

resourcemanager.projects.list

resourcemanager.tagValues.get

securitycenter.assets.*

securitycenter.assetsecuritymarks.update

securitycenter.attackpaths.list

securitycenter.bigQueryExports.*

securitycenter.compliancesnapshots.list

securitycenter.containerthreatdetectionsettings.calculate

securitycenter.containerthreatdetectionsettings.get

securitycenter.effectivesecurityhealthanalyticscustommodules.*

securitycenter.eventthreatdetectionsettings.calculate

securitycenter.eventthreatdetectionsettings.get

securitycenter.exposurepathexplan.get

securitycenter.findingexplanations.get

securitycenter.findingexternalsystems.update

securitycenter.findings.*

securitycenter.findingsecuritymarks.update

securitycenter.integratedvulnerabilityscannersettings.calculate

securitycenter.integratedvulnerabilityscannersettings.get

securitycenter.muteconfigs.*

securitycenter.notificationconfig.*

securitycenter.organizationsettings.get

securitycenter.rapidvulnerabilitydetectionsettings.calculate

securitycenter.rapidvulnerabilitydetectionsettings.get

securitycenter.resourcevalueconfigs.*

securitycenter.securitycentersettings.get

securitycenter.securityhealthanalyticscustommodules.get

securitycenter.securityhealthanalyticscustommodules.list

securitycenter.securityhealthanalyticscustommodules.simulate

securitycenter.securityhealthanalyticscustommodules.test

securitycenter.securityhealthanalyticssettings.calculate

securitycenter.securityhealthanalyticssettings.get

securitycenter.simulations.get

securitycenter.sources.get

securitycenter.sources.list

securitycenter.sources.update

securitycenter.subscription.get

securitycenter.userinterfacemetadata.get

securitycenter.valuedresources.list

securitycenter.virtualmachinethreatdetectionsettings.calculate

securitycenter.virtualmachinethreatdetectionsettings.get

securitycenter.websecurityscannersettings.calculate

securitycenter.websecurityscannersettings.get

securitycentermanagement.effectiveEventThreatDetectionCustomModules.*

securitycentermanagement.effectiveSecurityHealthAnalyticsCustomModules.*

securitycentermanagement.eventThreatDetectionCustomModules.get

securitycentermanagement.eventThreatDetectionCustomModules.list

securitycentermanagement.eventThreatDetectionCustomModules.validate

securitycentermanagement.locations.*

securitycentermanagement.securityHealthAnalyticsCustomModules.get

securitycentermanagement.securityHealthAnalyticsCustomModules.list

securitycentermanagement.securityHealthAnalyticsCustomModules.simulate

securitycentermanagement.securityHealthAnalyticsCustomModules.test

serviceusage.quotas.get

serviceusage.services.get

serviceusage.services.list

(roles/securitycenter.adminViewer)

Admin Read access to security center

Lowest-level resources where you can grant this role:

  • Project

artifactregistry.dockerimages.*

artifactregistry.files.*

artifactregistry.locations.*

artifactregistry.mavenartifacts.*

artifactregistry.npmpackages.*

artifactregistry.packages.get

artifactregistry.packages.list

artifactregistry.projectsettings.get

artifactregistry.pythonpackages.*

artifactregistry.repositories.downloadArtifacts

artifactregistry.repositories.get

artifactregistry.repositories.list

artifactregistry.repositories.listEffectiveTags

artifactregistry.repositories.listTagBindings

artifactregistry.repositories.readViaVirtualRepository

artifactregistry.tags.get

artifactregistry.tags.list

artifactregistry.versions.get

artifactregistry.versions.list

assuredoss.config.get

assuredoss.locations.*

assuredoss.metadata.*

assuredoss.operations.get

assuredoss.operations.list

cloudasset.assets.exportIamPolicy

cloudasset.assets.exportOSInventories

cloudasset.assets.exportResource

cloudasset.assets.queryAccessPolicy

cloudasset.assets.queryIamPolicy

cloudasset.assets.queryOSInventories

cloudasset.assets.queryResource

cloudasset.assets.searchAllIamPolicies

cloudasset.assets.searchAllResources

cloudsecurityscanner.crawledurls.list

cloudsecurityscanner.results.*

cloudsecurityscanner.scanruns.get

cloudsecurityscanner.scanruns.getSummary

cloudsecurityscanner.scanruns.list

cloudsecurityscanner.scans.get

cloudsecurityscanner.scans.list

resourcemanager.folders.get

resourcemanager.folders.list

resourcemanager.organizations.get

resourcemanager.projects.get

resourcemanager.projects.list

resourcemanager.tagValues.get

securitycenter.assets.group

securitycenter.assets.list

securitycenter.assets.listAssetPropertyNames

securitycenter.attackpaths.list

securitycenter.bigQueryExports.get

securitycenter.bigQueryExports.list

securitycenter.compliancesnapshots.list

securitycenter.containerthreatdetectionsettings.calculate

securitycenter.containerthreatdetectionsettings.get

securitycenter.effectivesecurityhealthanalyticscustommodules.*

securitycenter.eventthreatdetectionsettings.calculate

securitycenter.eventthreatdetectionsettings.get

securitycenter.exposurepathexplan.get

securitycenter.findingexplanations.get

securitycenter.findings.group

securitycenter.findings.list

securitycenter.findings.listFindingPropertyNames

securitycenter.integratedvulnerabilityscannersettings.calculate

securitycenter.integratedvulnerabilityscannersettings.get

securitycenter.muteconfigs.get

securitycenter.muteconfigs.list

securitycenter.notificationconfig.get

securitycenter.notificationconfig.list

securitycenter.organizationsettings.get

securitycenter.rapidvulnerabilitydetectionsettings.calculate

securitycenter.rapidvulnerabilitydetectionsettings.get

securitycenter.resourcevalueconfigs.get

securitycenter.resourcevalueconfigs.list

securitycenter.securitycentersettings.get

securitycenter.securityhealthanalyticscustommodules.get

securitycenter.securityhealthanalyticscustommodules.list

securitycenter.securityhealthanalyticscustommodules.simulate

securitycenter.securityhealthanalyticscustommodules.test

securitycenter.securityhealthanalyticssettings.calculate

securitycenter.securityhealthanalyticssettings.get

securitycenter.simulations.get

securitycenter.sources.get

securitycenter.sources.list

securitycenter.subscription.get

securitycenter.userinterfacemetadata.get

securitycenter.valuedresources.list

securitycenter.virtualmachinethreatdetectionsettings.calculate

securitycenter.virtualmachinethreatdetectionsettings.get

securitycenter.websecurityscannersettings.calculate

securitycenter.websecurityscannersettings.get

securitycentermanagement.effectiveEventThreatDetectionCustomModules.*

securitycentermanagement.effectiveSecurityHealthAnalyticsCustomModules.*

securitycentermanagement.eventThreatDetectionCustomModules.get

securitycentermanagement.eventThreatDetectionCustomModules.list

securitycentermanagement.eventThreatDetectionCustomModules.validate

securitycentermanagement.locations.*

securitycentermanagement.securityHealthAnalyticsCustomModules.get

securitycentermanagement.securityHealthAnalyticsCustomModules.list

securitycentermanagement.securityHealthAnalyticsCustomModules.simulate

securitycentermanagement.securityHealthAnalyticsCustomModules.test

serviceusage.quotas.get

serviceusage.services.get

serviceusage.services.list

(roles/securitycenter.assetSecurityMarksWriter)

Write access to asset security marks

Lowest-level resources where you can grant this role:

  • Project

securitycenter.assetsecuritymarks.update

securitycenter.userinterfacemetadata.get

(roles/securitycenter.assetsDiscoveryRunner)

Run asset discovery access to assets

Lowest-level resources where you can grant this role:

  • Organization

securitycenter.assets.runDiscovery

securitycenter.userinterfacemetadata.get

(roles/securitycenter.assetsViewer)

Read access to assets

Lowest-level resources where you can grant this role:

  • Project

cloudasset.assets.exportIamPolicy

cloudasset.assets.exportOSInventories

cloudasset.assets.exportResource

cloudasset.assets.queryAccessPolicy

cloudasset.assets.queryIamPolicy

cloudasset.assets.queryOSInventories

cloudasset.assets.queryResource

cloudasset.assets.searchAllIamPolicies

cloudasset.assets.searchAllResources

resourcemanager.folders.get

resourcemanager.organizations.get

resourcemanager.projects.get

securitycenter.assets.group

securitycenter.assets.list

securitycenter.assets.listAssetPropertyNames

securitycenter.userinterfacemetadata.get

(roles/securitycenter.attackPathsViewer)

Read access to security center attack paths

securitycenter.attackpaths.list

(roles/securitycenter.bigQueryExportsEditor)

Read-Write access to security center BigQuery Exports

resourcemanager.folders.get

resourcemanager.folders.list

resourcemanager.organizations.get

resourcemanager.projects.get

resourcemanager.projects.list

securitycenter.bigQueryExports.*

(roles/securitycenter.bigQueryExportsViewer)

Read access to security center BigQuery Exports

resourcemanager.folders.get

resourcemanager.folders.list

resourcemanager.organizations.get

resourcemanager.projects.get

resourcemanager.projects.list

securitycenter.bigQueryExports.get

securitycenter.bigQueryExports.list

(roles/securitycenter.complianceSnapshotsViewer)

Read access to security center compliance snapshots

securitycenter.compliancesnapshots.list

(roles/securitycenter.externalSystemsEditor)

Write access to security center external systems

securitycenter.findingexternalsystems.update

(roles/securitycenter.findingSecurityMarksWriter)

Write access to finding security marks

Lowest-level resources where you can grant this role:

  • Project

securitycenter.findingsecuritymarks.update

securitycenter.userinterfacemetadata.get

(roles/securitycenter.findingsBulkMuteEditor)

Ability to mute findings in bulk

securitycenter.findings.bulkMuteUpdate

(roles/securitycenter.findingsEditor)

Read-write access to findings

Lowest-level resources where you can grant this role:

  • Project

resourcemanager.folders.get

resourcemanager.organizations.get

resourcemanager.projects.get

securitycenter.compliancesnapshots.list

securitycenter.findingexplanations.get

securitycenter.findings.bulkMuteUpdate

securitycenter.findings.group

securitycenter.findings.list

securitycenter.findings.listFindingPropertyNames

securitycenter.findings.setMute

securitycenter.findings.setState

securitycenter.findings.update

securitycenter.sources.get

securitycenter.sources.list

securitycenter.userinterfacemetadata.get

(roles/securitycenter.findingsMuteSetter)

Set mute access to findings

securitycenter.findings.setMute

(roles/securitycenter.findingsStateSetter)

Set state access to findings

Lowest-level resources where you can grant this role:

  • Project

securitycenter.findings.setState

securitycenter.userinterfacemetadata.get

(roles/securitycenter.findingsViewer)

Read access to findings

Lowest-level resources where you can grant this role:

  • Project

resourcemanager.folders.get

resourcemanager.organizations.get

resourcemanager.projects.get

securitycenter.compliancesnapshots.list

securitycenter.findingexplanations.get

securitycenter.findings.group

securitycenter.findings.list

securitycenter.findings.listFindingPropertyNames

securitycenter.sources.get

securitycenter.sources.list

securitycenter.userinterfacemetadata.get

(roles/securitycenter.findingsWorkflowStateSetter)

Set workflow state access to findings

Lowest-level resources where you can grant this role:

  • Project

securitycenter.findings.setWorkflowState

securitycenter.userinterfacemetadata.get

(roles/securitycenter.muteConfigsEditor)

Read-Write access to security center mute configurations

securitycenter.muteconfigs.*

(roles/securitycenter.muteConfigsViewer)

Read access to security center mute configurations

securitycenter.muteconfigs.get

securitycenter.muteconfigs.list

(roles/securitycenter.notificationConfigEditor)

Write access to notification configurations

Lowest-level resources where you can grant this role:

  • Organization

securitycenter.notificationconfig.*

securitycenter.userinterfacemetadata.get

(roles/securitycenter.notificationConfigViewer)

Read access to notification configurations

Lowest-level resources where you can grant this role:

  • Organization

securitycenter.notificationconfig.get

securitycenter.notificationconfig.list

securitycenter.userinterfacemetadata.get

(roles/securitycenter.resourceValueConfigsEditor)

Read-Write access to security center resource value configurations

resourcemanager.tagValues.get

securitycenter.resourcevalueconfigs.*

(roles/securitycenter.resourceValueConfigsViewer)

Read access to security center resource value configurations

resourcemanager.tagValues.get

securitycenter.resourcevalueconfigs.get

securitycenter.resourcevalueconfigs.list

(roles/securitycenter.securityHealthAnalyticsCustomModulesTester)

Test access to Security Health Analytics Custom Modules

securitycenter.securityhealthanalyticscustommodules.simulate

securitycenter.securityhealthanalyticscustommodules.test

securitycentermanagement.securityHealthAnalyticsCustomModules.simulate

securitycentermanagement.securityHealthAnalyticsCustomModules.test

(roles/securitycenter.settingsAdmin)

Admin (super user) access to security center settings

Lowest-level resources where you can grant this role:

  • Project

resourcemanager.folders.get

resourcemanager.folders.list

resourcemanager.organizations.get

resourcemanager.projects.get

resourcemanager.projects.list

securitycenter.bigQueryExports.*

securitycenter.containerthreatdetectionsettings.*

securitycenter.effectivesecurityhealthanalyticscustommodules.*

securitycenter.eventthreatdetectionsettings.*

securitycenter.integratedvulnerabilityscannersettings.*

securitycenter.muteconfigs.*

securitycenter.notificationconfig.*

securitycenter.organizationsettings.*

securitycenter.rapidvulnerabilitydetectionsettings.*

securitycenter.securitycentersettings.*

securitycenter.securityhealthanalyticscustommodules.create

securitycenter.securityhealthanalyticscustommodules.delete

securitycenter.securityhealthanalyticscustommodules.get

securitycenter.securityhealthanalyticscustommodules.list

securitycenter.securityhealthanalyticscustommodules.update

securitycenter.securityhealthanalyticssettings.*

securitycenter.subscription.get

securitycenter.userinterfacemetadata.get

securitycenter.virtualmachinethreatdetectionsettings.*

securitycenter.websecurityscannersettings.*

securitycentermanagement.*

(roles/securitycenter.settingsEditor)

Read-Write access to security center settings

Lowest-level resources where you can grant this role:

  • Project

resourcemanager.folders.get

resourcemanager.folders.list

resourcemanager.organizations.get

resourcemanager.projects.get

resourcemanager.projects.list

securitycenter.bigQueryExports.*

securitycenter.containerthreatdetectionsettings.*

securitycenter.effectivesecurityhealthanalyticscustommodules.*

securitycenter.eventthreatdetectionsettings.*

securitycenter.integratedvulnerabilityscannersettings.*

securitycenter.muteconfigs.*

securitycenter.notificationconfig.*

securitycenter.organizationsettings.*

securitycenter.rapidvulnerabilitydetectionsettings.*

securitycenter.securitycentersettings.*

securitycenter.securityhealthanalyticscustommodules.create

securitycenter.securityhealthanalyticscustommodules.delete

securitycenter.securityhealthanalyticscustommodules.get

securitycenter.securityhealthanalyticscustommodules.list

securitycenter.securityhealthanalyticscustommodules.update

securitycenter.securityhealthanalyticssettings.*

securitycenter.subscription.get

securitycenter.userinterfacemetadata.get

securitycenter.virtualmachinethreatdetectionsettings.*

securitycenter.websecurityscannersettings.*

securitycentermanagement.*

(roles/securitycenter.settingsViewer)

Read access to security center settings

Lowest-level resources where you can grant this role:

  • Project

resourcemanager.folders.get

resourcemanager.folders.list

resourcemanager.organizations.get

resourcemanager.projects.get

resourcemanager.projects.list

securitycenter.bigQueryExports.get

securitycenter.bigQueryExports.list

securitycenter.containerthreatdetectionsettings.calculate

securitycenter.containerthreatdetectionsettings.get

securitycenter.effectivesecurityhealthanalyticscustommodules.*

securitycenter.eventthreatdetectionsettings.calculate

securitycenter.eventthreatdetectionsettings.get

securitycenter.integratedvulnerabilityscannersettings.calculate

securitycenter.integratedvulnerabilityscannersettings.get

securitycenter.muteconfigs.get

securitycenter.muteconfigs.list

securitycenter.notificationconfig.get

securitycenter.notificationconfig.list

securitycenter.organizationsettings.get

securitycenter.rapidvulnerabilitydetectionsettings.calculate

securitycenter.rapidvulnerabilitydetectionsettings.get

securitycenter.securitycentersettings.get

securitycenter.securityhealthanalyticscustommodules.get

securitycenter.securityhealthanalyticscustommodules.list

securitycenter.securityhealthanalyticssettings.calculate

securitycenter.securityhealthanalyticssettings.get

securitycenter.subscription.get

securitycenter.userinterfacemetadata.get

securitycenter.virtualmachinethreatdetectionsettings.calculate

securitycenter.virtualmachinethreatdetectionsettings.get

securitycenter.websecurityscannersettings.calculate

securitycenter.websecurityscannersettings.get

securitycentermanagement.effectiveEventThreatDetectionCustomModules.*

securitycentermanagement.effectiveSecurityHealthAnalyticsCustomModules.*

securitycentermanagement.eventThreatDetectionCustomModules.get

securitycentermanagement.eventThreatDetectionCustomModules.list

securitycentermanagement.eventThreatDetectionCustomModules.validate

securitycentermanagement.locations.*

securitycentermanagement.securityHealthAnalyticsCustomModules.get

securitycentermanagement.securityHealthAnalyticsCustomModules.list

securitycentermanagement.securityHealthAnalyticsCustomModules.simulate

securitycentermanagement.securityHealthAnalyticsCustomModules.test

(roles/securitycenter.simulationsViewer)

Read access to security center simulations

securitycenter.simulations.get

(roles/securitycenter.sourcesAdmin)

Admin access to sources

Lowest-level resources where you can grant this role:

  • Organization

resourcemanager.organizations.get

securitycenter.sources.*

securitycenter.userinterfacemetadata.get

(roles/securitycenter.sourcesEditor)

Read-write access to sources

Lowest-level resources where you can grant this role:

  • Organization

resourcemanager.organizations.get

securitycenter.sources.get

securitycenter.sources.list

securitycenter.sources.update

securitycenter.userinterfacemetadata.get

(roles/securitycenter.sourcesViewer)

Read access to sources

Lowest-level resources where you can grant this role:

  • Project

resourcemanager.organizations.get

securitycenter.sources.get

securitycenter.sources.list

securitycenter.userinterfacemetadata.get

(roles/securitycenter.valuedResourcesViewer)

Read access to security center valued resources

securitycenter.valuedresources.list

Permissions

(roles/vpcaccess.admin)

Full access to all Serverless VPC Access resources

resourcemanager.projects.get

resourcemanager.projects.list

vpcaccess.*

(roles/vpcaccess.user)

User of Serverless VPC Access connectors

compute.networks.access

resourcemanager.projects.get

resourcemanager.projects.list

vpcaccess.connectors.get

vpcaccess.connectors.list

vpcaccess.connectors.use

vpcaccess.locations.list

vpcaccess.operations.*

(roles/vpcaccess.viewer)

Viewer of all Serverless VPC Access resources

resourcemanager.projects.get

resourcemanager.projects.list

vpcaccess.connectors.get

vpcaccess.connectors.list

vpcaccess.locations.list

vpcaccess.operations.*

Permissions

(roles/iam.serviceAccountAdmin)

Create and manage service accounts.

Lowest-level resources where you can grant this role:

  • Service Account

iam.serviceAccounts.create

iam.serviceAccounts.delete

iam.serviceAccounts.disable

iam.serviceAccounts.enable

iam.serviceAccounts.get

iam.serviceAccounts.getIamPolicy

iam.serviceAccounts.list

iam.serviceAccounts.setIamPolicy

iam.serviceAccounts.undelete

iam.serviceAccounts.update

resourcemanager.projects.get

resourcemanager.projects.list

(roles/iam.serviceAccountCreator)

Access to create service accounts.

iam.serviceAccounts.create

iam.serviceAccounts.get

iam.serviceAccounts.list

resourcemanager.projects.get

resourcemanager.projects.list

(roles/iam.serviceAccountDeleter)

Access to delete service accounts.

iam.serviceAccounts.delete

iam.serviceAccounts.get

iam.serviceAccounts.list

resourcemanager.projects.get

resourcemanager.projects.list

(roles/iam.serviceAccountKeyAdmin)

Create and manage (and rotate) service account keys.

Lowest-level resources where you can grant this role:

  • Service Account

iam.serviceAccountKeys.*

iam.serviceAccounts.get

iam.serviceAccounts.list

resourcemanager.projects.get

resourcemanager.projects.list

(roles/iam.serviceAccountOpenIdTokenCreator)

Create OpenID Connect (OIDC) identity tokens

iam.serviceAccounts.getOpenIdToken

(roles/iam.serviceAccountTokenCreator)

Impersonate service accounts (create OAuth2 access tokens, sign blobs or JWTs, etc).

Lowest-level resources where you can grant this role:

  • Service Account

iam.serviceAccounts.get

iam.serviceAccounts.getAccessToken

iam.serviceAccounts.getOpenIdToken

iam.serviceAccounts.implicitDelegation

iam.serviceAccounts.list

iam.serviceAccounts.signBlob

iam.serviceAccounts.signJwt

resourcemanager.projects.get

resourcemanager.projects.list

(roles/iam.serviceAccountUser)

Run operations as the service account.

Lowest-level resources where you can grant this role:

  • Service Account

iam.serviceAccounts.actAs

iam.serviceAccounts.get

iam.serviceAccounts.list

resourcemanager.projects.get

resourcemanager.projects.list

(roles/iam.serviceAccountViewer)

Read access to service accounts, metadata, and keys.

iam.serviceAccountKeys.get

iam.serviceAccountKeys.list

iam.serviceAccounts.get

iam.serviceAccounts.getIamPolicy

iam.serviceAccounts.list

resourcemanager.projects.get

resourcemanager.projects.list

(roles/iam.workloadIdentityUser)

Impersonate service accounts from federated workloads.

iam.serviceAccounts.get

iam.serviceAccounts.getAccessToken

iam.serviceAccounts.getOpenIdToken

iam.serviceAccounts.list

Permissions

(roles/aiplatform.colabServiceAgent)

Gives Vertex AI Colab the proper permissions to function.

compute.addresses.get

compute.addresses.list

compute.addresses.use

compute.addresses.useInternal

compute.disks.create

compute.disks.createSnapshot

compute.disks.createTagBinding

compute.disks.delete

compute.disks.get

compute.disks.setLabels

compute.disks.use

compute.disks.useReadOnly

compute.globalOperations.get

compute.instances.attachDisk

compute.instances.create

compute.instances.createTagBinding

compute.instances.delete

compute.instances.detachDisk

compute.instances.get

compute.instances.setLabels

compute.instances.setMetadata

compute.instances.setServiceAccount

compute.instances.setTags

compute.instances.start

compute.instances.stop

compute.instances.useReadOnly

compute.networks.get

compute.networks.use

compute.networks.useExternalIp

compute.snapshots.create

compute.snapshots.delete

compute.snapshots.useReadOnly

compute.subnetworks.get

compute.subnetworks.list

compute.subnetworks.use

compute.subnetworks.useExternalIp

compute.zoneOperations.get

notebooks.instances.create

notebooks.instances.delete

notebooks.instances.get

(roles/aiplatform.customCodeServiceAgent)

Gives Vertex AI Custom Code the proper permissions.

aiplatform.annotationSpecs.*

aiplatform.annotations.*

aiplatform.artifacts.*

aiplatform.batchPredictionJobs.*

aiplatform.contexts.*

aiplatform.customJobs.*

aiplatform.dataItems.*

aiplatform.dataLabelingJobs.*

aiplatform.datasetVersions.*

aiplatform.datasets.*

aiplatform.deploymentResourcePools.*

aiplatform.edgeDeploymentJobs.*

aiplatform.edgeDeviceDebugInfo.get

aiplatform.edgeDevices.*

aiplatform.endpoints.create

aiplatform.endpoints.delete

aiplatform.endpoints.deploy

aiplatform.endpoints.explain

aiplatform.endpoints.get

aiplatform.endpoints.list

aiplatform.endpoints.predict

aiplatform.endpoints.undeploy

aiplatform.endpoints.update

aiplatform.entityTypes.create

aiplatform.entityTypes.delete

aiplatform.entityTypes.deleteFeatureValues

aiplatform.entityTypes.exportFeatureValues

aiplatform.entityTypes.get

aiplatform.entityTypes.importFeatureValues

aiplatform.entityTypes.list

aiplatform.entityTypes.readFeatureValues

aiplatform.entityTypes.streamingReadFeatureValues

aiplatform.entityTypes.update

aiplatform.entityTypes.writeFeatureValues

aiplatform.executions.*

aiplatform.featureGroups.*

aiplatform.featureOnlineStores.*

aiplatform.featureViewSyncs.*

aiplatform.featureViews.*

aiplatform.features.*

aiplatform.featurestores.batchReadFeatureValues

aiplatform.featurestores.create

aiplatform.featurestores.delete

aiplatform.featurestores.exportFeatures

aiplatform.featurestores.get

aiplatform.featurestores.importFeatures

aiplatform.featurestores.list

aiplatform.featurestores.readFeatures

aiplatform.featurestores.update

aiplatform.featurestores.writeFeatures

aiplatform.humanInTheLoops.*

aiplatform.hyperparameterTuningJobs.*

aiplatform.indexEndpoints.*

aiplatform.indexes.*

aiplatform.locations.*

aiplatform.metadataSchemas.*

aiplatform.metadataStores.*

aiplatform.modelDeploymentMonitoringJobs.*

aiplatform.modelEvaluationSlices.*

aiplatform.modelEvaluations.*

aiplatform.models.*

aiplatform.nasJobs.*

aiplatform.nasTrialDetails.*

aiplatform.notebookRuntimeTemplates.apply

aiplatform.notebookRuntimeTemplates.create

aiplatform.notebookRuntimeTemplates.delete

aiplatform.notebookRuntimeTemplates.get

aiplatform.notebookRuntimeTemplates.list

aiplatform.notebookRuntimeTemplates.update

aiplatform.notebookRuntimes.*

aiplatform.operations.list

aiplatform.persistentResources.get

aiplatform.persistentResources.list

aiplatform.pipelineJobs.*

aiplatform.schedules.*

aiplatform.specialistPools.*

aiplatform.studies.*

aiplatform.tensorboardExperiments.*

aiplatform.tensorboardRuns.*

aiplatform.tensorboardTimeSeries.*

aiplatform.tensorboards.create

aiplatform.tensorboards.delete

aiplatform.tensorboards.get

aiplatform.tensorboards.list

aiplatform.tensorboards.update

aiplatform.trainingPipelines.*

aiplatform.trials.*

artifactregistry.repositories.downloadArtifacts

artifactregistry.repositories.get

artifactregistry.repositories.list

artifactregistry.tags.get

artifactregistry.versions.get

bigquery.datasets.create

bigquery.datasets.get

bigquery.jobs.create

bigquery.jobs.get

bigquery.readsessions.create

bigquery.readsessions.getData

bigquery.tables.create

bigquery.tables.export

bigquery.tables.get

bigquery.tables.getData

bigquery.tables.update

bigquery.tables.updateData

iam.serviceAccounts.get

iam.serviceAccounts.getAccessToken

iam.serviceAccounts.getOpenIdToken

iam.serviceAccounts.implicitDelegation

iam.serviceAccounts.list

iam.serviceAccounts.signBlob

iam.serviceAccounts.signJwt

logging.logEntries.create

logging.logEntries.route

monitoring.metricDescriptors.create

monitoring.metricDescriptors.get

monitoring.metricDescriptors.list

monitoring.monitoredResourceDescriptors.*

monitoring.timeSeries.create

resourcemanager.projects.get

resourcemanager.projects.list

serviceusage.services.use

storage.buckets.create

storage.buckets.delete

storage.buckets.get

storage.buckets.list

storage.objects.create

storage.objects.delete

storage.objects.get

storage.objects.list

storage.objects.update

(roles/aiplatform.notebookServiceAgent)

Vertex AI Service Agent used to run Notebook managed resources in user project with restricted permissions.

logging.logEntries.create

logging.logEntries.route

monitoring.metricDescriptors.create

monitoring.metricDescriptors.get

monitoring.metricDescriptors.list

monitoring.monitoredResourceDescriptors.*

monitoring.timeSeries.create

(roles/aiplatform.ragServiceAgent)

Vertex AI Service Agent used by Vertex RAG to access user imported data and Vertex AI in the project

aiplatform.endpoints.predict

logging.logEntries.create

logging.logEntries.route

storage.buckets.get

storage.buckets.list

storage.objects.get

storage.objects.list

(roles/aiplatform.serviceAgent)

Gives Vertex AI the permissions it needs to function.

aiplatform.annotationSpecs.*

aiplatform.annotations.*

aiplatform.artifacts.*

aiplatform.batchPredictionJobs.*

aiplatform.contexts.*

aiplatform.customJobs.*

aiplatform.dataItems.*

aiplatform.dataLabelingJobs.*

aiplatform.datasetVersions.*

aiplatform.datasets.*

aiplatform.deploymentResourcePools.*

aiplatform.edgeDeploymentJobs.*

aiplatform.edgeDeviceDebugInfo.get

aiplatform.edgeDevices.*

aiplatform.endpoints.create

aiplatform.endpoints.delete

aiplatform.endpoints.deploy

aiplatform.endpoints.explain

aiplatform.endpoints.get

aiplatform.endpoints.list

aiplatform.endpoints.predict

aiplatform.endpoints.undeploy

aiplatform.endpoints.update

aiplatform.entityTypes.create

aiplatform.entityTypes.delete

aiplatform.entityTypes.deleteFeatureValues

aiplatform.entityTypes.exportFeatureValues

aiplatform.entityTypes.get

aiplatform.entityTypes.importFeatureValues

aiplatform.entityTypes.list

aiplatform.entityTypes.readFeatureValues

aiplatform.entityTypes.streamingReadFeatureValues

aiplatform.entityTypes.update

aiplatform.entityTypes.writeFeatureValues

aiplatform.executions.*

aiplatform.featureGroups.*

aiplatform.featureOnlineStores.*

aiplatform.featureViewSyncs.*

aiplatform.featureViews.*

aiplatform.features.*

aiplatform.featurestores.batchReadFeatureValues

aiplatform.featurestores.create

aiplatform.featurestores.delete

aiplatform.featurestores.exportFeatures

aiplatform.featurestores.get

aiplatform.featurestores.importFeatures

aiplatform.featurestores.list

aiplatform.featurestores.readFeatures

aiplatform.featurestores.update

aiplatform.featurestores.writeFeatures

aiplatform.humanInTheLoops.*

aiplatform.hyperparameterTuningJobs.*

aiplatform.indexEndpoints.*

aiplatform.indexes.*

aiplatform.locations.*

aiplatform.metadataSchemas.*

aiplatform.metadataStores.*

aiplatform.modelDeploymentMonitoringJobs.*

aiplatform.modelEvaluationSlices.*

aiplatform.modelEvaluations.*

aiplatform.models.*

aiplatform.nasJobs.*

aiplatform.nasTrialDetails.*

aiplatform.notebookRuntimeTemplates.apply

aiplatform.notebookRuntimeTemplates.create

aiplatform.notebookRuntimeTemplates.delete

aiplatform.notebookRuntimeTemplates.get

aiplatform.notebookRuntimeTemplates.list

aiplatform.notebookRuntimeTemplates.update

aiplatform.notebookRuntimes.*

aiplatform.operations.list

aiplatform.persistentResources.get

aiplatform.persistentResources.list

aiplatform.pipelineJobs.*

aiplatform.schedules.*

aiplatform.specialistPools.*

aiplatform.studies.*

aiplatform.tensorboardExperiments.*

aiplatform.tensorboardRuns.*

aiplatform.tensorboardTimeSeries.*

aiplatform.tensorboards.create

aiplatform.tensorboards.delete

aiplatform.tensorboards.get

aiplatform.tensorboards.list

aiplatform.tensorboards.update

aiplatform.trainingPipelines.*

aiplatform.trials.*

artifactregistry.repositories.create

artifactregistry.repositories.downloadArtifacts

artifactregistry.repositories.get

artifactregistry.repositories.list

artifactregistry.repositories.uploadArtifacts

artifactregistry.tags.get

artifactregistry.versions.get

automl.datasets.export

automl.datasets.get

automl.datasets.list

automl.modelEvaluations.list

automl.models.get

automl.models.list

automl.operations.get

automl.tableSpecs.get

bigquery.datasets.create

bigquery.datasets.get

bigquery.jobs.create

bigquery.jobs.get

bigquery.models.create

bigquery.models.export

bigquery.models.getData

bigquery.readsessions.create

bigquery.readsessions.getData

bigquery.tables.create

bigquery.tables.export

bigquery.tables.get

bigquery.tables.getData

bigquery.tables.update

bigquery.tables.updateData

bigtable.tables.get

bigtable.tables.list

bigtable.tables.readRows

compute.addresses.get

compute.addresses.list

compute.addresses.use

compute.addresses.useInternal

compute.disks.create

compute.disks.createSnapshot

compute.disks.createTagBinding

compute.disks.delete

compute.disks.get

compute.disks.setLabels

compute.disks.use

compute.disks.useReadOnly

compute.globalOperations.get

compute.instances.attachDisk

compute.instances.create

compute.instances.createTagBinding

compute.instances.delete

compute.instances.detachDisk

compute.instances.get

compute.instances.setLabels

compute.instances.setMetadata

compute.instances.setServiceAccount

compute.instances.setTags

compute.instances.start

compute.instances.stop

compute.instances.useReadOnly

compute.machineTypes.get

compute.networks.get

compute.networks.use

compute.networks.useExternalIp

compute.snapshots.create

compute.snapshots.delete

compute.snapshots.useReadOnly

compute.subnetworks.get

compute.subnetworks.list

compute.subnetworks.use

compute.subnetworks.useExternalIp

compute.zoneOperations.get

dataflow.jobs.*

dataflow.messages.list

dataflow.metrics.get

dataflow.snapshots.*

datalabeling.annotateddatasets.get

datalabeling.datasets.export

datalabeling.datasets.get

datalabeling.datasets.list

datalabeling.operations.get

iam.serviceAccounts.actAs

iam.serviceAccounts.getAccessToken

logging.logEntries.create

logging.logEntries.route

ml.models.list

ml.operations.get

ml.versions.get

ml.versions.list

monitoring.notificationChannels.get

notebooks.instances.create

notebooks.instances.delete

notebooks.instances.get

resourcemanager.projects.get

resourcemanager.projects.list

run.executions.delete

run.executions.get

run.jobs.create

run.jobs.delete

run.jobs.get

run.jobs.run

run.jobs.update

run.operations.delete

run.operations.get

run.routes.invoke

run.services.create

run.services.delete

run.services.get

serviceusage.services.use

storage.buckets.create

storage.buckets.delete

storage.buckets.get

storage.buckets.list

storage.objects.create

storage.objects.delete

storage.objects.get

storage.objects.list

storage.objects.update

(roles/aiplatform.tuningServiceAgent)

Vertex AI Service Agent used for tuning in user project.

aiplatform.artifacts.*

aiplatform.batchPredictionJobs.cancel

aiplatform.batchPredictionJobs.create

aiplatform.batchPredictionJobs.get

aiplatform.contexts.*

aiplatform.endpoints.create

aiplatform.endpoints.deploy

aiplatform.endpoints.get

aiplatform.metadataSchemas.*

aiplatform.metadataStores.*

aiplatform.models.get

aiplatform.models.upload

aiplatform.operations.list

aiplatform.tensorboardExperiments.*

aiplatform.tensorboardRuns.*

aiplatform.tensorboardTimeSeries.*

aiplatform.tensorboards.create

aiplatform.tensorboards.delete

aiplatform.tensorboards.get

aiplatform.tensorboards.list

aiplatform.tensorboards.update

resourcemanager.projects.get

storage.buckets.create

storage.buckets.get

storage.buckets.getIamPolicy

storage.buckets.list

storage.buckets.update

storage.objects.create

storage.objects.delete

storage.objects.get

storage.objects.getIamPolicy

storage.objects.list

storage.objects.update

(roles/alloydb.serviceAgent)

Gives the AlloyDB service account permission to manage customer resources

alloydb.clusters.list

(roles/anthos.serviceAgent)

Gives the Anthos service agent access to Google Cloud resources.

gkehub.features.get

gkehub.locations.*

gkehub.memberships.get

gkehub.memberships.list

serviceusage.services.get

serviceusage.services.list

(roles/anthosaudit.serviceAgent)

Gives the Anthos Audit service agent access to Cloud Platform resources.

gkehub.features.get

gkehub.locations.*

gkehub.memberships.get

gkehub.memberships.list

(roles/anthosconfigmanagement.serviceAgent)

Gives the Anthos Config Management service agent access to Google Cloud resources.

container.clusters.get

gkehub.features.get

gkehub.locations.*

gkehub.memberships.get

gkehub.memberships.list

(roles/anthosidentityservice.serviceAgent)

Gives the Anthos Identity service agent access to Google Cloud resources.

gkehub.features.get

gkehub.locations.*

gkehub.memberships.get

gkehub.memberships.list

(roles/anthospolicycontroller.serviceAgent)

Gives the Anthos Policy Controller service agent access to Cloud Platform resources.

gkehub.features.get

gkehub.locations.*

gkehub.memberships.get

gkehub.memberships.list

(roles/anthosservicemesh.serviceAgent)

Gives the Anthos Service Mesh service agent access to Cloud Platform resources.

compute.backendServices.create

compute.backendServices.delete

compute.backendServices.get

compute.backendServices.list

compute.backendServices.update

compute.backendServices.use

compute.firewalls.create

compute.firewalls.delete

compute.firewalls.get

compute.firewalls.update

compute.globalNetworkEndpointGroups.attachNetworkEndpoints

compute.globalNetworkEndpointGroups.create

compute.globalNetworkEndpointGroups.delete

compute.globalNetworkEndpointGroups.detachNetworkEndpoints

compute.globalNetworkEndpointGroups.get

compute.globalNetworkEndpointGroups.list

compute.globalNetworkEndpointGroups.use

compute.globalOperations.get

compute.healthChecks.create

compute.healthChecks.delete

compute.healthChecks.get

compute.healthChecks.list

compute.healthChecks.update

compute.healthChecks.use

compute.healthChecks.useReadOnly

compute.networkEndpointGroups.attachNetworkEndpoints

compute.networkEndpointGroups.create

compute.networkEndpointGroups.delete

compute.networkEndpointGroups.detachNetworkEndpoints

compute.networkEndpointGroups.get

compute.networkEndpointGroups.list

compute.networkEndpointGroups.use

compute.networks.updatePolicy

container.backendConfigs.*

container.clusterRoleBindings.*

container.clusterRoles.*

container.clusters.get

container.clusters.update

container.configMaps.*

container.customResourceDefinitions.create

container.customResourceDefinitions.get

container.customResourceDefinitions.list

container.customResourceDefinitions.update

container.daemonSets.create

container.daemonSets.delete

container.daemonSets.get

container.daemonSets.getStatus

container.daemonSets.list

container.daemonSets.update

container.deployments.get

container.deployments.list

container.events.get

container.events.list

container.jobs.create

container.jobs.delete

container.jobs.get

container.jobs.list

container.jobs.update

container.mutatingWebhookConfigurations.create

container.mutatingWebhookConfigurations.get

container.mutatingWebhookConfigurations.list

container.mutatingWebhookConfigurations.update

container.namespaces.create

container.namespaces.get

container.namespaces.list

container.operations.get

container.pods.get

container.pods.list

container.secrets.*

container.serviceAccounts.create

container.serviceAccounts.delete

container.serviceAccounts.get

container.serviceAccounts.list

container.serviceAccounts.update

container.services.get

container.services.list

container.thirdPartyObjects.create

container.thirdPartyObjects.get

container.thirdPartyObjects.list

container.thirdPartyObjects.update

container.validatingWebhookConfigurations.*

gkehub.features.get

gkehub.gateway.delete

gkehub.gateway.get

gkehub.gateway.patch

gkehub.gateway.post

gkehub.gateway.put

gkehub.locations.*

gkehub.memberships.get

gkehub.memberships.list

logging.logEntries.create

meshconfig.projects.init

monitoring.metricDescriptors.create

monitoring.metricDescriptors.get

monitoring.metricDescriptors.list

monitoring.monitoredResourceDescriptors.*

monitoring.timeSeries.create

networksecurity.authorizationPolicies.create

networksecurity.authorizationPolicies.delete

networksecurity.authorizationPolicies.get

networksecurity.authorizationPolicies.list

networksecurity.authorizationPolicies.update

networksecurity.authorizationPolicies.use

networksecurity.clientTlsPolicies.create

networksecurity.clientTlsPolicies.delete

networksecurity.clientTlsPolicies.get

networksecurity.clientTlsPolicies.list

networksecurity.clientTlsPolicies.update

networksecurity.clientTlsPolicies.use

networksecurity.operations.*

networksecurity.serverTlsPolicies.create

networksecurity.serverTlsPolicies.delete

networksecurity.serverTlsPolicies.get

networksecurity.serverTlsPolicies.list

networksecurity.serverTlsPolicies.update

networksecurity.serverTlsPolicies.use

networkservices.endpointPolicies.create

networkservices.endpointPolicies.delete

networkservices.endpointPolicies.get

networkservices.endpointPolicies.list

networkservices.endpointPolicies.update

networkservices.endpointPolicies.use

networkservices.gateways.*

networkservices.grpcRoutes.create

networkservices.grpcRoutes.delete

networkservices.grpcRoutes.get

networkservices.grpcRoutes.list

networkservices.grpcRoutes.update

networkservices.grpcRoutes.use

networkservices.httpFilters.create

networkservices.httpFilters.delete

networkservices.httpFilters.get

networkservices.httpFilters.list

networkservices.httpFilters.update

networkservices.httpFilters.use

networkservices.httpRoutes.create

networkservices.httpRoutes.delete

networkservices.httpRoutes.get

networkservices.httpRoutes.list

networkservices.httpRoutes.update

networkservices.httpRoutes.use

networkservices.meshes.create

networkservices.meshes.delete

networkservices.meshes.get

networkservices.meshes.list

networkservices.meshes.update

networkservices.meshes.use

networkservices.operations.*

networkservices.serviceLbPolicies.*

networkservices.tcpRoutes.create

networkservices.tcpRoutes.delete

networkservices.tcpRoutes.get

networkservices.tcpRoutes.list

networkservices.tcpRoutes.update

networkservices.tcpRoutes.use

networkservices.tlsRoutes.*

serviceusage.services.get

serviceusage.services.use

trafficdirector.*

workloadcertificate.locations.*

workloadcertificate.operations.get

workloadcertificate.workloadCertificateFeature.get

workloadcertificate.workloadRegistrations.create

workloadcertificate.workloadRegistrations.get

workloadcertificate.workloadRegistrations.list

(roles/anthossupport.serviceAgent)

Gives the Anthos Support Service Agent access to Cloud Platform resources.

gkehub.features.get

gkehub.features.getIamPolicy

gkehub.features.list

gkehub.fleet.get

gkehub.fleet.getFreeTrial

gkehub.gateway.get

gkehub.locations.*

gkehub.membershipbindings.get

gkehub.membershipbindings.list

gkehub.memberships.generateConnectManifest

gkehub.memberships.get

gkehub.memberships.getIamPolicy

gkehub.memberships.list

gkehub.namespaces.get

gkehub.namespaces.list

gkehub.operations.get

gkehub.operations.list

gkehub.rbacrolebindings.get

gkehub.rbacrolebindings.list

gkehub.scopes.get

gkehub.scopes.list

gkehub.scopes.listBoundMemberships

resourcemanager.projects.get

resourcemanager.projects.list

serviceusage.services.get

(roles/apigateway.serviceAgent)

Gives Cloud API Gateway service account access to Service Management check and reports as well as impersonation on user-specified service accounts.

iam.serviceAccounts.getAccessToken

iam.serviceAccounts.getOpenIdToken

servicemanagement.services.check

servicemanagement.services.quota

servicemanagement.services.report

(roles/apigateway_management.serviceAgent)

Gives Cloud API Gateway service account access to retrieve a Service configuration.

iam.serviceAccounts.get

servicemanagement.services.create

servicemanagement.services.delete

servicemanagement.services.get

servicemanagement.services.list

servicemanagement.services.update

serviceusage.services.get

(roles/apigee.serviceAgent)

Service agent that grants access to Apigee resources - API Products, Developers, Developer Apps, and App Keys.

apigee.apiproducts.get

apigee.apiproducts.list

apigee.appkeys.create

apigee.appkeys.delete

apigee.appkeys.manage

apigee.apps.get

apigee.canaryevaluations.*

apigee.developerapps.*

apigee.developers.create

apigee.developers.delete

apigee.developers.get

apigee.environments.get

apigee.environments.getDataLocation

apigee.environments.manageRuntime

apigee.ingressconfigs.get

apigee.instances.reportStatus

apigee.operations.*

apigee.organizations.get

apigee.proxyrevisions.get

apigee.runtimeconfigs.get

cloudtrace.traces.patch

iam.serviceAccounts.getAccessToken

iam.serviceAccounts.getOpenIdToken

logging.buckets.create

logging.buckets.get

logging.buckets.list

logging.views.create

logging.views.get

logging.views.list

monitoring.metricDescriptors.create

monitoring.metricDescriptors.get

monitoring.metricDescriptors.list

monitoring.monitoredResourceDescriptors.*

monitoring.timeSeries.create

(roles/appdevelopmentexperience.serviceAgent)

Give the App Development Experience service agent access to Cloud Platform resources.

container.clusters.get

container.clusters.update

gkehub.features.get

gkehub.locations.*

gkehub.memberships.get

gkehub.memberships.list

(roles/appengine.serviceAgent)

Give App Engine Standard Environment service account access to managed resources. Includes access to service accounts.

appengine.versions.delete

appengine.versions.get

appengine.versions.list

appengine.versions.update

artifactregistry.aptartifacts.create

artifactregistry.dockerimages.*

artifactregistry.files.*

artifactregistry.kfpartifacts.create

artifactregistry.locations.*

artifactregistry.mavenartifacts.*

artifactregistry.npmpackages.*

artifactregistry.packages.get

artifactregistry.packages.list

artifactregistry.projectsettings.get

artifactregistry.pythonpackages.*

artifactregistry.repositories.downloadArtifacts

artifactregistry.repositories.get

artifactregistry.repositories.list

artifactregistry.repositories.listEffectiveTags

artifactregistry.repositories.listTagBindings

artifactregistry.repositories.readViaVirtualRepository

artifactregistry.repositories.uploadArtifacts

artifactregistry.tags.create

artifactregistry.tags.get

artifactregistry.tags.list

artifactregistry.tags.update

artifactregistry.versions.get

artifactregistry.versions.list

artifactregistry.yumartifacts.create

datastore.databases.get

datastore.entities.create

datastore.entities.delete

datastore.entities.get

datastore.entities.list

datastore.entities.update

datastore.indexes.list

datastore.namespaces.*

datastore.statistics.*

iam.serviceAccounts.getAccessToken

iam.serviceAccounts.getOpenIdToken

iam.serviceAccounts.signBlob

serviceusage.services.enable

serviceusage.services.get

storage.buckets.create

storage.buckets.get

(roles/appengineflex.serviceAgent)

Can edit and manage App Engine Flexible Environment apps. Includes access to service accounts.

billing.accounts.get

cloudbuild.builds.create

cloudbuild.builds.get

compute.addresses.create

compute.addresses.delete

compute.addresses.get

compute.addresses.list

compute.addresses.use

compute.autoscalers.create

compute.autoscalers.delete

compute.autoscalers.get

compute.autoscalers.update

compute.backendServices.create

compute.backendServices.delete

compute.backendServices.get

compute.backendServices.list

compute.backendServices.update

compute.backendServices.use

compute.disks.create

compute.disks.list

compute.firewalls.create

compute.firewalls.delete

compute.firewalls.get

compute.firewalls.list

compute.firewalls.update

compute.forwardingRules.create

compute.forwardingRules.delete

compute.forwardingRules.get

compute.globalAddresses.create

compute.globalAddresses.delete

compute.globalAddresses.get

compute.globalAddresses.use

compute.globalForwardingRules.create

compute.globalForwardingRules.delete

compute.globalForwardingRules.get

compute.globalOperations.get

compute.healthChecks.create

compute.healthChecks.delete

compute.healthChecks.get

compute.healthChecks.update

compute.healthChecks.useReadOnly

compute.httpHealthChecks.create

compute.httpHealthChecks.delete

compute.httpHealthChecks.get

compute.httpHealthChecks.use

compute.httpHealthChecks.useReadOnly

compute.httpsHealthChecks.create

compute.httpsHealthChecks.delete

compute.httpsHealthChecks.get

compute.httpsHealthChecks.update

compute.httpsHealthChecks.use

compute.httpsHealthChecks.useReadOnly

compute.images.get

compute.images.useReadOnly

compute.instanceGroupManagers.create

compute.instanceGroupManagers.delete

compute.instanceGroupManagers.get

compute.instanceGroupManagers.update

compute.instanceGroupManagers.use

compute.instanceGroups.create

compute.instanceGroups.delete

compute.instanceGroups.get

compute.instanceGroups.update

compute.instanceGroups.use

compute.instanceTemplates.create

compute.instanceTemplates.delete

compute.instanceTemplates.get

compute.instanceTemplates.useReadOnly

compute.instances.attachDisk

compute.instances.create

compute.instances.delete

compute.instances.detachDisk

compute.instances.get

compute.instances.getGuestAttributes

compute.instances.getSerialPortOutput

compute.instances.list

compute.instances.reset

compute.instances.setLabels

compute.instances.setMetadata

compute.instances.setTags

compute.instances.start

compute.instances.stop

compute.instances.use

compute.machineTypes.get

compute.networks.create

compute.networks.delete

compute.networks.get

compute.networks.updatePolicy

compute.networks.use

compute.networks.useExternalIp

compute.projects.get

compute.projects.setCommonInstanceMetadata

compute.regionBackendServices.create

compute.regionBackendServices.delete

compute.regionBackendServices.get

compute.regionBackendServices.list

compute.regionBackendServices.update

compute.regionBackendServices.use

compute.regionOperations.get

compute.regions.get

compute.routes.create

compute.routes.delete

compute.routes.get

compute.routes.list

compute.subnetworks.delete

compute.subnetworks.get

compute.subnetworks.use

compute.subnetworks.useExternalIp

compute.targetHttpProxies.create

compute.targetHttpProxies.delete

compute.targetHttpProxies.get

compute.targetHttpProxies.use

compute.targetHttpsProxies.create

compute.targetHttpsProxies.delete

compute.targetHttpsProxies.get

compute.targetHttpsProxies.setSslCertificates

compute.targetHttpsProxies.use

compute.urlMaps.create

compute.urlMaps.delete

compute.urlMaps.get

compute.urlMaps.update

compute.urlMaps.use

compute.zoneOperations.get

compute.zoneOperations.list

compute.zones.*

deploymentmanager.compositeTypes.get

deploymentmanager.deployments.create

deploymentmanager.deployments.delete

deploymentmanager.deployments.get

deploymentmanager.deployments.list

deploymentmanager.deployments.update

deploymentmanager.manifests.*

deploymentmanager.operations.*

deploymentmanager.typeProviders.create

deploymentmanager.typeProviders.get

iam.serviceAccounts.actAs

iam.serviceAccounts.get

iam.serviceAccounts.getAccessToken

iam.serviceAccounts.signBlob

iam.serviceAccounts.signJwt

logging.logEntries.create

logging.logMetrics.create

logging.logMetrics.delete

logging.logMetrics.get

logging.logMetrics.update

resourcemanager.organizations.get

resourcemanager.projects.get

resourcemanager.projects.getIamPolicy

resourcemanager.projects.setIamPolicy

storage.buckets.create

storage.buckets.delete

storage.buckets.get

storage.buckets.getIamPolicy

storage.buckets.setIamPolicy

storage.buckets.update

storage.objects.create

storage.objects.delete

storage.objects.get

storage.objects.getIamPolicy

storage.objects.list

(roles/artifactregistry.serviceAgent)

Gives the Artifact Registry service account access to managed resources.

artifactregistry.repositories.downloadArtifacts

artifactregistry.repositories.get

artifactregistry.repositories.readViaVirtualRepository

artifactregistry.versions.delete

pubsub.topics.publish

(roles/assuredworkloads.monitoringServiceAgent)

Gives the Assured Workloads service account access to create a CAIS feed and monitor Assured Workloads.

cloudasset.assets.exportResource

cloudasset.assets.listResource

cloudasset.feeds.create

cloudasset.feeds.delete

cloudasset.feeds.get

(roles/assuredworkloads.serviceAgent)

Gives the Assured Workloads service account access to create KMS keyrings and keys, and to monitor Assured Workloads.

cloudkms.cryptoKeys.create

cloudkms.keyRings.create

serviceusage.services.enable

serviceusage.services.get

serviceusage.services.use

(roles/auditmanager.serviceAgent)

Grants the Audit Manager Service Agent access to various list/get RPCs of products to perform an audit.

cloudasset.assets.*

cloudsql.instances.list

compute.autoscalers.list

compute.backendServices.list

compute.disks.list

compute.firewalls.list

compute.forwardingRules.list

compute.globalForwardingRules.list

compute.instanceGroupManagers.list

compute.instanceGroups.list

compute.instances.list

compute.regionSslPolicies.list

compute.regionTargetHttpProxies.list

compute.regionUrlMaps.list

compute.routers.list

compute.securityPolicies.list

compute.sslCertificates.list

compute.sslPolicies.list

compute.subnetworks.list

compute.targetHttpProxies.list

compute.targetSslProxies.list

compute.urlMaps.list

compute.vpnGateways.list

compute.zones.list

container.clusters.list

logging.buckets.list

monitoring.timeSeries.list

orgpolicy.policy.get

recommender.cloudAssetInsights.get

recommender.cloudAssetInsights.list

recommender.locations.*

resourcemanager.folders.get

resourcemanager.folders.getIamPolicy

resourcemanager.folders.list

resourcemanager.organizations.get

resourcemanager.organizations.getIamPolicy

resourcemanager.projects.get

resourcemanager.projects.getIamPolicy

resourcemanager.projects.list

serviceusage.operations.get

serviceusage.operations.list

serviceusage.quotas.get

serviceusage.services.get

serviceusage.services.list

storage.buckets.get

storage.buckets.getIamPolicy

storage.buckets.list

(roles/automl.serviceAgent)

AutoML service agent can act as Cloud Storage admin and export BigQuery tables, which can be backed by Cloud Storage and Cloud Bigtable.

bigquery.datasets.create

bigquery.datasets.get

bigquery.jobs.create

bigquery.tables.create

bigquery.tables.export

bigquery.tables.get

bigquery.tables.getData

bigquery.tables.update

bigquery.tables.updateData

bigtable.tables.get

bigtable.tables.list

bigtable.tables.readRows

serviceusage.services.use

storage.buckets.get

storage.objects.create

storage.objects.delete

storage.objects.get

storage.objects.list

storage.objects.update

(roles/automlrecommendations.serviceAgent)

Recommendations AI service uploads catalog feeds from Cloud Storage, reports results to the customer Cloud Storage bucket, writes logs to customer projects, and writes and reads Stackdriver metrics for customer projects.

bigquery.datasets.create

bigquery.datasets.get

bigquery.jobs.create

bigquery.jobs.get

bigquery.jobs.list

bigquery.jobs.update

bigquery.tables.create

bigquery.tables.export

bigquery.tables.get

bigquery.tables.getData

bigquery.tables.list

bigquery.tables.update

bigquery.tables.updateData

cloudnotifications.activities.list

dataflow.jobs.*

dataflow.messages.list

dataflow.metrics.get

logging.logEntries.create

logging.logEntries.route

monitoring.alertPolicies.get

monitoring.alertPolicies.list

monitoring.dashboards.get

monitoring.dashboards.list

monitoring.groups.get

monitoring.groups.list

monitoring.metricDescriptors.create

monitoring.metricDescriptors.get

monitoring.metricDescriptors.list

monitoring.monitoredResourceDescriptors.*

monitoring.notificationChannelDescriptors.*

monitoring.notificationChannels.get

monitoring.notificationChannels.list

monitoring.publicWidgets.get

monitoring.publicWidgets.list

monitoring.services.get

monitoring.services.list

monitoring.slos.get

monitoring.slos.list

monitoring.snoozes.get

monitoring.snoozes.list

monitoring.timeSeries.*

monitoring.uptimeCheckConfigs.get

monitoring.uptimeCheckConfigs.list

opsconfigmonitoring.resourceMetadata.list

resourcemanager.projects.get

resourcemanager.projects.list

stackdriver.projects.get

stackdriver.resourceMetadata.list

storage.buckets.create

storage.buckets.get

storage.objects.create

storage.objects.delete

storage.objects.get

storage.objects.list

storage.objects.update

(roles/backupdr.serviceAgent)

Grants the Backup and DR Service access to protect Compute Engine instances.

compute.addresses.list

compute.addresses.use

compute.diskTypes.*

compute.disks.create

compute.disks.createSnapshot

compute.disks.delete

compute.disks.get

compute.disks.setLabels

compute.disks.use

compute.firewalls.list

compute.globalOperations.get

compute.images.create

compute.images.delete

compute.images.get

compute.images.useReadOnly

compute.instances.attachDisk

compute.instances.create

compute.instances.delete

compute.instances.detachDisk

compute.instances.get

compute.instances.list

compute.instances.setLabels

compute.instances.setMetadata

compute.instances.setServiceAccount

compute.instances.setTags

compute.instances.start

compute.instances.stop

compute.machineTypes.*

compute.networks.list

compute.nodeGroups.get

compute.nodeGroups.list

compute.nodeTemplates.get

compute.projects.get

compute.regionOperations.get

compute.regions.*

compute.snapshots.create

compute.snapshots.delete

compute.snapshots.get

compute.snapshots.setLabels

compute.snapshots.useReadOnly

compute.subnetworks.list

compute.subnetworks.use

compute.subnetworks.useExternalIp

compute.zoneOperations.get

compute.zones.list

iam.serviceAccounts.actAs

iam.serviceAccounts.get

iam.serviceAccounts.list

resourcemanager.projects.get

resourcemanager.projects.list

(roles/baremetalsolution.serviceAgent)

Gives permission to manage network resources such as interconnect pairing keys, required for Bare Metal Solution.

compute.interconnectAttachments.get

compute.interconnectAttachments.list

compute.interconnects.get

compute.interconnects.list

compute.networks.get

compute.networks.list

compute.projects.get

resourcemanager.projects.get

(roles/batch.serviceAgent)

Gives Google Batch account access to manage customer resources.

compute.acceleratorTypes.*

compute.addresses.createInternal

compute.addresses.deleteInternal

compute.addresses.get

compute.addresses.list

compute.addresses.use

compute.addresses.useInternal

compute.autoscalers.*

compute.backendBuckets.get

compute.backendBuckets.list

compute.backendBuckets.listEffectiveTags

compute.backendBuckets.listTagBindings

compute.backendServices.get

compute.backendServices.list

compute.backendServices.listEffectiveTags

compute.backendServices.listTagBindings

compute.diskTypes.*

compute.disks.addResourcePolicies

compute.disks.create

compute.disks.createSnapshot

compute.disks.createTagBinding

compute.disks.delete

compute.disks.deleteTagBinding

compute.disks.get

compute.disks.getIamPolicy

compute.disks.list

compute.disks.listEffectiveTags

compute.disks.listTagBindings

compute.disks.removeResourcePolicies

compute.disks.resize

compute.disks.setLabels

compute.disks.startAsyncReplication

compute.disks.stopAsyncReplication

compute.disks.stopGroupAsyncReplication

compute.disks.update

compute.disks.use

compute.disks.useReadOnly

compute.externalVpnGateways.get

compute.externalVpnGateways.list

compute.firewalls.get

compute.firewalls.list

compute.firewalls.listEffectiveTags

compute.firewalls.listTagBindings

compute.forwardingRules.get

compute.forwardingRules.list

compute.forwardingRules.listEffectiveTags

compute.forwardingRules.listTagBindings

compute.globalAddresses.get

compute.globalAddresses.list

compute.globalAddresses.use

compute.globalForwardingRules.get

compute.globalForwardingRules.list

compute.globalForwardingRules.listEffectiveTags

compute.globalForwardingRules.listTagBindings

compute.globalForwardingRules.pscGet

compute.globalNetworkEndpointGroups.*

compute.globalOperations.get

compute.globalOperations.list

compute.healthChecks.get

compute.healthChecks.list

compute.healthChecks.listEffectiveTags

compute.healthChecks.listTagBindings

compute.httpHealthChecks.get

compute.httpHealthChecks.list

compute.httpHealthChecks.listEffectiveTags

compute.httpHealthChecks.listTagBindings

compute.httpsHealthChecks.get

compute.httpsHealthChecks.list

compute.httpsHealthChecks.listEffectiveTags

compute.httpsHealthChecks.listTagBindings

compute.images.create

compute.images.createTagBinding

compute.images.delete

compute.images.deleteTagBinding

compute.images.deprecate

compute.images.get

compute.images.getFromFamily

compute.images.getIamPolicy

compute.images.list

compute.images.listEffectiveTags

compute.images.listTagBindings

compute.images.setLabels

compute.images.update

compute.images.useReadOnly

compute.instanceGroupManagers.*

compute.instanceGroups.*

compute.instanceSettings.*

compute.instanceTemplates.create

compute.instanceTemplates.delete

compute.instanceTemplates.get

compute.instanceTemplates.getIamPolicy

compute.instanceTemplates.list

compute.instanceTemplates.useReadOnly

compute.instances.addAccessConfig

compute.instances.addMaintenancePolicies

compute.instances.addResourcePolicies

compute.instances.attachDisk

compute.instances.create

compute.instances.createTagBinding

compute.instances.delete

compute.instances.deleteAccessConfig

compute.instances.deleteTagBinding

compute.instances.detachDisk

compute.instances.get

compute.instances.getEffectiveFirewalls

compute.instances.getGuestAttributes

compute.instances.getIamPolicy

compute.instances.getScreenshot

compute.instances.getSerialPortOutput

compute.instances.getShieldedInstanceIdentity

compute.instances.getShieldedVmIdentity

compute.instances.list

compute.instances.listEffectiveTags

compute.instances.listReferrers

compute.instances.listTagBindings

compute.instances.osAdminLogin

compute.instances.osLogin

compute.instances.pscInterfaceCreate

compute.instances.removeMaintenancePolicies

compute.instances.removeResourcePolicies

compute.instances.reset

compute.instances.resume

compute.instances.sendDiagnosticInterrupt

compute.instances.setDeletionProtection

compute.instances.setDiskAutoDelete

compute.instances.setLabels

compute.instances.setMachineResources

compute.instances.setMachineType

compute.instances.setMetadata

compute.instances.setMinCpuPlatform

compute.instances.setName

compute.instances.setScheduling

compute.instances.setSecurityPolicy

compute.instances.setServiceAccount

compute.instances.setShieldedInstanceIntegrityPolicy

compute.instances.setShieldedVmIntegrityPolicy

compute.instances.setTags

compute.instances.simulateMaintenanceEvent

compute.instances.start

compute.instances.startWithEncryptionKey

compute.instances.stop

compute.instances.suspend

compute.instances.update

compute.instances.updateAccessConfig

compute.instances.updateDisplayDevice

compute.instances.updateNetworkInterface

compute.instances.updateSecurity

compute.instances.updateShieldedInstanceConfig

compute.instances.updateShieldedVmConfig

compute.instances.use

compute.instances.useReadOnly

compute.instantSnapshots.create

compute.instantSnapshots.delete

compute.instantSnapshots.export

compute.instantSnapshots.get

compute.instantSnapshots.getIamPolicy

compute.instantSnapshots.list

compute.instantSnapshots.setLabels

compute.instantSnapshots.useReadOnly

compute.interconnectAttachments.get

compute.interconnectAttachments.list

compute.interconnectLocations.*

compute.interconnectRemoteLocations.*

compute.interconnects.get

compute.interconnects.list

compute.licenseCodes.get

compute.licenseCodes.getIamPolicy

compute.licenseCodes.list

compute.licenseCodes.update

compute.licenseCodes.use

compute.licenses.create

compute.licenses.delete

compute.licenses.get

compute.licenses.getIamPolicy

compute.licenses.list

compute.machineImages.create

compute.machineImages.delete

compute.machineImages.get

compute.machineImages.getIamPolicy

compute.machineImages.list

compute.machineImages.useReadOnly

compute.machineTypes.*

compute.networkAttachments.get

compute.networkAttachments.list

compute.networkEndpointGroups.attachNetworkEndpoints

compute.networkEndpointGroups.create

compute.networkEndpointGroups.createTagBinding

compute.networkEndpointGroups.delete

compute.networkEndpointGroups.deleteTagBinding

compute.networkEndpointGroups.detachNetworkEndpoints

compute.networkEndpointGroups.get

compute.networkEndpointGroups.getIamPolicy

compute.networkEndpointGroups.list

compute.networkEndpointGroups.listEffectiveTags

compute.networkEndpointGroups.listTagBindings

compute.networkEndpointGroups.use

compute.networks.get

compute.networks.list

compute.networks.listEffectiveTags

compute.networks.listTagBindings

compute.networks.use

compute.networks.useExternalIp

compute.projects.get

compute.projects.setCommonInstanceMetadata

compute.regionBackendServices.get

compute.regionBackendServices.list

compute.regionBackendServices.listEffectiveTags

compute.regionBackendServices.listTagBindings

compute.regionHealthCheckServices.get

compute.regionHealthCheckServices.list

compute.regionHealthChecks.get

compute.regionHealthChecks.list

compute.regionHealthChecks.listEffectiveTags

compute.regionHealthChecks.listTagBindings

compute.regionNetworkEndpointGroups.*

compute.regionNotificationEndpoints.get

compute.regionNotificationEndpoints.list

compute.regionOperations.get

compute.regionOperations.list

compute.regionSslCertificates.get

compute.regionSslCertificates.list

compute.regionSslCertificates.listEffectiveTags

compute.regionSslCertificates.listTagBindings

compute.regionSslPolicies.get

compute.regionSslPolicies.list

compute.regionSslPolicies.listAvailableFeatures

compute.regionTargetHttpProxies.get

compute.regionTargetHttpProxies.list

compute.regionTargetHttpProxies.listEffectiveTags

compute.regionTargetHttpProxies.listTagBindings

compute.regionTargetHttpsProxies.get

compute.regionTargetHttpsProxies.list

compute.regionTargetHttpsProxies.listEffectiveTags

compute.regionTargetHttpsProxies.listTagBindings

compute.regionTargetTcpProxies.get

compute.regionTargetTcpProxies.list

compute.regionUrlMaps.get

compute.regionUrlMaps.list

compute.regionUrlMaps.listEffectiveTags

compute.regionUrlMaps.listTagBindings

compute.regions.*

compute.reservations.get

compute.reservations.list

compute.resourcePolicies.create

compute.resourcePolicies.delete

compute.resourcePolicies.get

compute.resourcePolicies.getIamPolicy

compute.resourcePolicies.list

compute.resourcePolicies.update

compute.resourcePolicies.use

compute.resourcePolicies.useReadOnly

compute.routers.get

compute.routers.list

compute.routes.get

compute.routes.list

compute.routes.listEffectiveTags

compute.routes.listTagBindings

compute.serviceAttachments.get

compute.serviceAttachments.list

compute.snapshots.create

compute.snapshots.createTagBinding

compute.snapshots.delete

compute.snapshots.deleteTagBinding

compute.snapshots.get

compute.snapshots.getIamPolicy

compute.snapshots.list

compute.snapshots.listEffectiveTags

compute.snapshots.listTagBindings

compute.snapshots.setLabels

compute.snapshots.useReadOnly

compute.sslCertificates.get

compute.sslCertificates.list

compute.sslCertificates.listEffectiveTags

compute.sslCertificates.listTagBindings

compute.sslPolicies.get

compute.sslPolicies.list

compute.sslPolicies.listAvailableFeatures

compute.sslPolicies.listEffectiveTags

compute.sslPolicies.listTagBindings

compute.storagePools.get

compute.storagePools.list

compute.storagePools.use

compute.subnetworks.get

compute.subnetworks.list

compute.subnetworks.listEffectiveTags

compute.subnetworks.listTagBindings

compute.subnetworks.use

compute.subnetworks.useExternalIp

compute.targetGrpcProxies.get

compute.targetGrpcProxies.list

compute.targetHttpProxies.get

compute.targetHttpProxies.list

compute.targetHttpProxies.listEffectiveTags

compute.targetHttpProxies.listTagBindings

compute.targetHttpsProxies.get

compute.targetHttpsProxies.list

compute.targetHttpsProxies.listEffectiveTags

compute.targetHttpsProxies.listTagBindings

compute.targetInstances.get

compute.targetInstances.list

compute.targetInstances.listEffectiveTags

compute.targetInstances.listTagBindings

compute.targetPools.get

compute.targetPools.list

compute.targetPools.listEffectiveTags

compute.targetPools.listTagBindings

compute.targetSslProxies.get

compute.targetSslProxies.list

compute.targetSslProxies.listEffectiveTags

compute.targetSslProxies.listTagBindings

compute.targetTcpProxies.get

compute.targetTcpProxies.list

compute.targetTcpProxies.listEffectiveTags

compute.targetTcpProxies.listTagBindings

compute.targetVpnGateways.get

compute.targetVpnGateways.list

compute.urlMaps.get

compute.urlMaps.list

compute.urlMaps.listEffectiveTags

compute.urlMaps.listTagBindings

compute.vpnGateways.get

compute.vpnGateways.list

compute.vpnTunnels.get

compute.vpnTunnels.list

compute.zoneOperations.get

compute.zoneOperations.list

compute.zones.*

iam.serviceAccounts.actAs

pubsub.topics.publish

resourcemanager.projects.get

resourcemanager.projects.list

serviceusage.quotas.get

serviceusage.services.get

serviceusage.services.list

serviceusage.services.use

(roles/bigqueryconnection.serviceAgent)

Gives BigQuery Connection Service access to Cloud SQL instances in user projects.

cloudsql.instances.connect

cloudsql.instances.get

logging.logEntries.create

logging.logEntries.route

monitoring.metricDescriptors.create

monitoring.metricDescriptors.get

monitoring.metricDescriptors.list

monitoring.monitoredResourceDescriptors.*

monitoring.timeSeries.create

(roles/bigquerycontinuousquery.serviceAgent)

Gives BigQuery Continuous Query access to the service accounts in the user project.

iam.serviceAccounts.getAccessToken

(roles/bigquerydatatransfer.serviceAgent)

Gives BigQuery Data Transfer Service access to start BigQuery jobs in the consumer project.

bigquery.config.get

bigquery.jobs.create

compute.networkAttachments.get

compute.networkAttachments.update

compute.regionOperations.get

compute.subnetworks.use

dataform.locations.*

dataform.repositories.create

dataform.repositories.list

iam.serviceAccounts.getAccessToken

logging.logEntries.create

logging.logEntries.route

resourcemanager.projects.get

resourcemanager.projects.list

(roles/bigqueryomni.serviceAgent)

Gives BigQuery Omni access to tables in user projects.

bigquery.jobs.create

bigquery.tables.updateData

(roles/bigqueryspark.serviceAgent)

Gives BigQuery Spark access to the service accounts in the user project.

iam.serviceAccounts.getAccessToken

(roles/binaryauthorization.serviceAgent)

Can read Notes and Occurrences from the Container Analysis Service to find and verify signatures.

artifactregistry.dockerimages.get

artifactregistry.repositories.downloadArtifacts

binaryauthorization.attestors.get

binaryauthorization.attestors.list

binaryauthorization.attestors.verifyImageAttested

binaryauthorization.platformPolicies.evaluatePolicy

binaryauthorization.policy.evaluatePolicy

cloudasset.assets.exportResource

cloudasset.feeds.create

cloudasset.feeds.delete

cloudasset.feeds.get

cloudasset.feeds.update

containeranalysis.notes.get

containeranalysis.notes.list

containeranalysis.notes.listOccurrences

containeranalysis.occurrences.get

containeranalysis.occurrences.list

resourcemanager.projects.get

resourcemanager.projects.list

storage.objects.list

(roles/certificatemanager.serviceAgent)

Grants Certificate Manager access to services and APIs in the user project.

certificatemanager.locations.get

(roles/chronicle.serviceAgent)

Grants Chronicle scoped access to the customer project.

chronicle.instances.get

monitoring.alertPolicies.*

(roles/cloudasset.effectivePolicyServiceAgent)

Gives the effective policy service account access to search all resources and IAM policies.

cloudasset.assets.searchAllIamPolicies

cloudasset.assets.searchAllResources

(roles/cloudasset.serviceAgent)

Gives Cloud Asset service agent permissions to Cloud Storage and BigQuery for exporting Assets, and permission to publish to Cloud Pub/Sub topics for Asset Real Time Feed.

bigquery.datasets.get

bigquery.jobs.create

bigquery.jobs.get

bigquery.tables.create

bigquery.tables.delete

bigquery.tables.get

bigquery.tables.update

bigquery.tables.updateData

pubsub.topics.publish

storage.buckets.create

storage.buckets.get

storage.buckets.getIamPolicy

storage.objects.create

storage.objects.delete

storage.objects.get

(roles/cloudbuild.loggingServiceAgent)

Gives the Cloud Build logging-specific service account access to write logs.

logging.buckets.write

(roles/cloudbuild.serviceAgent)

Gives Cloud Build service account access to managed resources.

artifactregistry.aptartifacts.create

artifactregistry.dockerimages.*

artifactregistry.files.*

artifactregistry.kfpartifacts.create

artifactregistry.locations.*

artifactregistry.mavenartifacts.*

artifactregistry.npmpackages.*

artifactregistry.packages.get

artifactregistry.packages.list

artifactregistry.projectsettings.get

artifactregistry.pythonpackages.*

artifactregistry.repositories.createOnPush

artifactregistry.repositories.deleteArtifacts

artifactregistry.repositories.downloadArtifacts

artifactregistry.repositories.get

artifactregistry.repositories.list

artifactregistry.repositories.listEffectiveTags

artifactregistry.repositories.listTagBindings

artifactregistry.repositories.readViaVirtualRepository

artifactregistry.repositories.uploadArtifacts

artifactregistry.tags.create

artifactregistry.tags.get

artifactregistry.tags.list

artifactregistry.tags.update

artifactregistry.versions.get

artifactregistry.versions.list

artifactregistry.yumartifacts.create

binaryauthorization.attestors.create

binaryauthorization.attestors.delete

binaryauthorization.attestors.get

binaryauthorization.attestors.list

binaryauthorization.attestors.update

binaryauthorization.attestors.verifyImageAttested

cloudbuild.builds.create

cloudbuild.builds.get

cloudbuild.builds.list

cloudbuild.builds.update

cloudbuild.connections.get

cloudbuild.operations.*

cloudbuild.repositories.accessReadToken

cloudbuild.repositories.accessReadWriteToken

cloudbuild.repositories.get

cloudbuild.repositories.list

cloudbuild.workerpools.use

compute.firewalls.get

compute.firewalls.list

compute.networks.get

compute.subnetworks.get

containeranalysis.notes.attachOccurrence

containeranalysis.notes.create

containeranalysis.notes.delete

containeranalysis.notes.get

containeranalysis.notes.list

containeranalysis.notes.update

containeranalysis.occurrences.create

containeranalysis.occurrences.delete

containeranalysis.occurrences.get

containeranalysis.occurrences.list

containeranalysis.occurrences.update

iam.serviceAccounts.get

iam.serviceAccounts.getAccessToken

iam.serviceAccounts.getOpenIdToken

logging.buckets.create

logging.buckets.get

logging.buckets.list

logging.logEntries.create

logging.logEntries.list

logging.views.access

pubsub.subscriptions.create

pubsub.subscriptions.delete

pubsub.subscriptions.get

pubsub.subscriptions.update

pubsub.topics.attachSubscription

pubsub.topics.create

pubsub.topics.get

pubsub.topics.publish

remotebuildexecution.blobs.get

resourcemanager.projects.get

resourcemanager.projects.list

servicedirectory.endpoints.get

servicedirectory.endpoints.getIamPolicy

servicedirectory.endpoints.list

servicedirectory.locations.*

servicedirectory.namespaces.get

servicedirectory.namespaces.getIamPolicy

servicedirectory.namespaces.list

servicedirectory.networks.access

servicedirectory.services.get

servicedirectory.services.getIamPolicy

servicedirectory.services.list

servicedirectory.services.resolve

serviceusage.services.use

source.repos.get

source.repos.list

storage.buckets.create

storage.buckets.get

storage.buckets.list

storage.objects.create

storage.objects.delete

storage.objects.get

storage.objects.list

storage.objects.update

(roles/cloudconfig.serviceAgent)

Gives the Infrastructure Manager service agent access to managed resources.

cloudbuild.builds.create

cloudbuild.builds.get

cloudbuild.builds.list

cloudbuild.builds.update

cloudbuild.workerpools.use

iam.serviceAccounts.actAs

iam.serviceAccounts.getAccessToken

logging.logEntries.create

logging.logEntries.route

serviceusage.services.use

storage.buckets.create

storage.buckets.delete

storage.buckets.get

storage.buckets.list

storage.buckets.update

storage.objects.create

storage.objects.delete

storage.objects.get

storage.objects.list

storage.objects.update

(roles/cloudcontrolspartner.accessApprovalServiceAgent)

Gives the Partner Console service account access to read Access Approval Requests for workloads associated with a partner.

accessapproval.requests.get

accessapproval.requests.list

(roles/cloudcontrolspartner.ekmServiceAgent)

Gives Cloud Controls Partner service agent permission to list EKM connections, get EKM connection status, and provide EKM diagnostic information.

cloudkms.ekmConnections.get

cloudkms.ekmConnections.getIamPolicy

cloudkms.ekmConnections.list

cloudkms.ekmConnections.verifyConnectivity

(roles/cloudcontrolspartner.monitoringServiceAgent)

Gives Cloud Controls Partner monitoring service agent permission to view and list Assured Workload violations. The role is assigned to enable partner monitoring capability.

assuredworkloads.violations.get

assuredworkloads.violations.list

(roles/clouddeploy.serviceAgent)

Gives Cloud Deploy Service Account access to managed resources.

cloudbuild.builds.create

cloudbuild.builds.get

cloudbuild.builds.list

cloudbuild.builds.update

cloudbuild.workerpools.use

iam.serviceAccounts.actAs

iam.serviceAccounts.getAccessToken

logging.logEntries.create

pubsub.topics.get

pubsub.topics.publish

servicemanagement.services.report

serviceusage.services.use

storage.buckets.create

storage.buckets.get

storage.objects.get

(roles/clouddeploymentmanager.serviceAgent)

Allows the Deployment Manager service to actuate resources across DM projects and folders.

accesscontextmanager.accessLevels.create

accesscontextmanager.accessLevels.delete

accesscontextmanager.accessLevels.get

accesscontextmanager.accessLevels.update

accesscontextmanager.policies.list

accesscontextmanager.servicePerimeters.create

accesscontextmanager.servicePerimeters.delete

accesscontextmanager.servicePerimeters.get

accesscontextmanager.servicePerimeters.update

appengine.applications.get

appengine.operations.get

appengine.services.update

appengine.versions.create

appengine.versions.delete

appengine.versions.get

appengine.versions.list

artifactregistry.repositories.create

artifactregistry.repositories.delete

artifactregistry.repositories.get

artifactregistry.repositories.update

bigquery.connections.get

bigquery.datasets.create

bigquery.datasets.delete

bigquery.datasets.get

bigquery.datasets.getIamPolicy

bigquery.datasets.update

bigquery.jobs.create

bigquery.routines.create

bigquery.routines.get

bigquery.routines.update

bigquery.tables.create

bigquery.tables.delete

bigquery.tables.get

bigquery.tables.getData

bigquery.tables.setCategory

bigquery.tables.update

bigquery.tables.updateData

bigtable.instances.create

bigtable.instances.delete

bigtable.instances.get

bigtable.instances.update

bigtable.tables.create

bigtable.tables.delete

bigtable.tables.get

bigtable.tables.update

billing.resourceAssociations.create

billing.resourcebudgets.write

cloudbuild.builds.create

cloudbuild.builds.get

cloudfunctions.functions.call

cloudfunctions.functions.create

cloudfunctions.functions.delete

cloudfunctions.functions.get

cloudfunctions.functions.getIamPolicy

cloudfunctions.functions.list

cloudfunctions.functions.update

cloudfunctions.operations.get

cloudprivatecatalog.targets.get

cloudscheduler.jobs.create

cloudscheduler.jobs.delete

cloudscheduler.jobs.get

cloudscheduler.jobs.update

cloudsql.backupRuns.create

cloudsql.databases.*

cloudsql.instances.create

cloudsql.instances.delete

cloudsql.instances.get

cloudsql.instances.import

cloudsql.instances.restart

cloudsql.instances.update

cloudsql.sslCerts.create

cloudsql.sslCerts.delete

cloudsql.sslCerts.get

cloudsql.users.create

cloudsql.users.delete

cloudtasks.queues.create

cloudtasks.queues.delete

cloudtasks.queues.get

compute.addresses.*

compute.autoscalers.create

compute.autoscalers.delete

compute.autoscalers.get

compute.autoscalers.update

compute.backendBuckets.create

compute.backendBuckets.delete

compute.backendBuckets.get

compute.backendBuckets.update

compute.backendBuckets.use

compute.backendServices.create

compute.backendServices.delete

compute.backendServices.get

compute.backendServices.setSecurityPolicy

compute.backendServices.update

compute.backendServices.use

compute.disks.addResourcePolicies

compute.disks.create

compute.disks.delete

compute.disks.get

compute.disks.removeResourcePolicies

compute.disks.resize

compute.disks.setLabels

compute.disks.update

compute.disks.use

compute.disks.useReadOnly

compute.externalVpnGateways.create

compute.externalVpnGateways.delete

compute.externalVpnGateways.get

compute.externalVpnGateways.setLabels

compute.externalVpnGateways.use

compute.firewallPolicies.create

compute.firewallPolicies.delete

compute.firewallPolicies.get

compute.firewalls.create

compute.firewalls.delete

compute.firewalls.get

compute.firewalls.list

compute.firewalls.update

compute.forwardingRules.create

compute.forwardingRules.delete

compute.forwardingRules.get

compute.forwardingRules.pscCreate

compute.forwardingRules.pscSetLabels

compute.forwardingRules.setLabels

compute.forwardingRules.setTarget

compute.forwardingRules.update

compute.forwardingRules.use

compute.globalAddresses.create

compute.globalAddresses.createInternal

compute.globalAddresses.delete

compute.globalAddresses.deleteInternal

compute.globalAddresses.get

compute.globalAddresses.setLabels

compute.globalAddresses.use

compute.globalForwardingRules.create

compute.globalForwardingRules.delete

compute.globalForwardingRules.get

compute.globalForwardingRules.pscCreate

compute.globalForwardingRules.pscDelete

compute.globalForwardingRules.pscSetLabels

compute.globalForwardingRules.setLabels

compute.globalNetworkEndpointGroups.attachNetworkEndpoints

compute.globalNetworkEndpointGroups.create

compute.globalNetworkEndpointGroups.delete

compute.globalNetworkEndpointGroups.get

compute.globalNetworkEndpointGroups.use

compute.globalOperations.get

compute.healthChecks.create

compute.healthChecks.delete

compute.healthChecks.get

compute.healthChecks.update

compute.healthChecks.use

compute.healthChecks.useReadOnly

compute.httpHealthChecks.create

compute.httpHealthChecks.delete

compute.httpHealthChecks.get

compute.httpHealthChecks.update

compute.httpHealthChecks.use

compute.httpHealthChecks.useReadOnly

compute.httpsHealthChecks.create

compute.httpsHealthChecks.delete

compute.httpsHealthChecks.get

compute.httpsHealthChecks.update

compute.httpsHealthChecks.use

compute.httpsHealthChecks.useReadOnly

compute.images.create

compute.images.delete

compute.images.deprecate

compute.images.get

compute.images.setLabels

compute.images.useReadOnly

compute.instanceGroupManagers.create

compute.instanceGroupManagers.delete

compute.instanceGroupManagers.get

compute.instanceGroupManagers.update

compute.instanceGroupManagers.use

compute.instanceGroups.create

compute.instanceGroups.delete

compute.instanceGroups.get

compute.instanceGroups.update

compute.instanceGroups.use

compute.instanceTemplates.create

compute.instanceTemplates.delete

compute.instanceTemplates.get

compute.instanceTemplates.useReadOnly

compute.instances.addAccessConfig

compute.instances.create

compute.instances.delete

compute.instances.deleteAccessConfig

compute.instances.get

compute.instances.listTagBindings

compute.instances.resume

compute.instances.setDeletionProtection

compute.instances.setDiskAutoDelete

compute.instances.setLabels

compute.instances.setMetadata

compute.instances.setServiceAccount

compute.instances.setTags

compute.instances.start

compute.instances.stop

compute.instances.suspend

compute.instances.update

compute.instances.updateDisplayDevice

compute.instances.use

compute.interconnectAttachments.create

compute.interconnectAttachments.delete

compute.interconnectAttachments.get

compute.interconnectAttachments.setLabels

compute.interconnectAttachments.update

compute.interconnects.create

compute.interconnects.delete

compute.interconnects.get

compute.interconnects.setLabels

compute.interconnects.use

compute.machineImages.useReadOnly

compute.machineTypes.get

compute.networkEndpointGroups.attachNetworkEndpoints

compute.networkEndpointGroups.create

compute.networkEndpointGroups.delete

compute.networkEndpointGroups.get

compute.networkEndpointGroups.use

compute.networks.addPeering

compute.networks.create

compute.networks.delete

compute.networks.get

compute.networks.listPeeringRoutes

compute.networks.removePeering

compute.networks.switchToCustomMode

compute.networks.update

compute.networks.updatePolicy

compute.networks.use

compute.networks.useExternalIp

compute.organizations.disableXpnResource

compute.organizations.enableXpnHost

compute.organizations.enableXpnResource

compute.packetMirrorings.create

compute.packetMirrorings.delete

compute.packetMirrorings.get

compute.projects.get

compute.projects.setUsageExportBucket

compute.regionBackendServices.create

compute.regionBackendServices.delete

compute.regionBackendServices.get

compute.regionBackendServices.update

compute.regionBackendServices.use

compute.regionHealthChecks.create

compute.regionHealthChecks.delete

compute.regionHealthChecks.get

compute.regionHealthChecks.update

compute.regionHealthChecks.use

compute.regionHealthChecks.useReadOnly

compute.regionNetworkEndpointGroups.create

compute.regionNetworkEndpointGroups.delete

compute.regionNetworkEndpointGroups.get

compute.regionNetworkEndpointGroups.use

compute.regionOperations.get

compute.regionSslCertificates.create

compute.regionSslCertificates.delete

compute.regionSslCertificates.get

compute.regionTargetHttpProxies.create

compute.regionTargetHttpProxies.delete

compute.regionTargetHttpProxies.get

compute.regionTargetHttpProxies.use

compute.regionTargetHttpsProxies.create

compute.regionTargetHttpsProxies.delete

compute.regionTargetHttpsProxies.get

compute.regionTargetHttpsProxies.use

compute.regionUrlMaps.create

compute.regionUrlMaps.delete

compute.regionUrlMaps.get

compute.regionUrlMaps.use

compute.regions.get

compute.reservations.list

compute.resourcePolicies.create

compute.resourcePolicies.delete

compute.resourcePolicies.get

compute.resourcePolicies.use

compute.routers.create

compute.routers.delete

compute.routers.get

compute.routers.update

compute.routers.use

compute.routes.create

compute.routes.delete

compute.routes.get

compute.securityPolicies.create

compute.securityPolicies.delete

compute.securityPolicies.get

compute.securityPolicies.setLabels

compute.securityPolicies.update

compute.securityPolicies.use

compute.serviceAttachments.create

compute.serviceAttachments.get

compute.snapshots.useReadOnly

compute.sslCertificates.create

compute.sslCertificates.delete

compute.sslCertificates.get

compute.sslPolicies.create

compute.sslPolicies.delete

compute.sslPolicies.get

compute.sslPolicies.use

compute.subnetworks.create

compute.subnetworks.delete

compute.subnetworks.expandIpCidrRange

compute.subnetworks.get

compute.subnetworks.list

compute.subnetworks.mirror

compute.subnetworks.update

compute.subnetworks.use

compute.subnetworks.useExternalIp

compute.targetHttpProxies.create

compute.targetHttpProxies.delete

compute.targetHttpProxies.get

compute.targetHttpProxies.use

compute.targetHttpsProxies.create

compute.targetHttpsProxies.delete

compute.targetHttpsProxies.get

compute.targetHttpsProxies.setSslCertificates

compute.targetHttpsProxies.setSslPolicy

compute.targetHttpsProxies.use

compute.targetInstances.create

compute.targetInstances.delete

compute.targetInstances.get

compute.targetInstances.use

compute.targetPools.addHealthCheck

compute.targetPools.addInstance

compute.targetPools.create

compute.targetPools.delete

compute.targetPools.get

compute.targetPools.removeHealthCheck

compute.targetPools.removeInstance

compute.targetPools.use

compute.targetSslProxies.create

compute.targetSslProxies.delete

compute.targetSslProxies.get

compute.targetSslProxies.setSslCertificates

compute.targetSslProxies.use

compute.targetTcpProxies.create

compute.targetTcpProxies.delete

compute.targetTcpProxies.get

compute.targetTcpProxies.use

compute.targetVpnGateways.create

compute.targetVpnGateways.delete

compute.targetVpnGateways.get

compute.targetVpnGateways.setLabels

compute.targetVpnGateways.use

compute.urlMaps.create

compute.urlMaps.delete

compute.urlMaps.get

compute.urlMaps.update

compute.urlMaps.use

compute.vpnGateways.create

compute.vpnGateways.delete

compute.vpnGateways.get

compute.vpnGateways.setLabels

compute.vpnGateways.use

compute.vpnTunnels.create

compute.vpnTunnels.delete

compute.vpnTunnels.get

compute.vpnTunnels.setLabels

compute.zoneOperations.get

compute.zoneOperations.list

compute.zones.get

container.backendConfigs.create

container.backendConfigs.delete

container.backendConfigs.get

container.clusterRoleBindings.create

container.clusterRoleBindings.delete

container.clusterRoleBindings.get

container.clusterRoles.bind

container.clusterRoles.create

container.clusterRoles.delete

container.clusterRoles.escalate

container.clusterRoles.get

container.clusters.create

container.clusters.delete

container.clusters.get

container.clusters.getCredentials

container.clusters.update

container.configMaps.create

container.configMaps.delete

container.configMaps.get

container.configMaps.update

container.cronJobs.create

container.cronJobs.delete

container.cronJobs.get

container.cronJobs.update

container.daemonSets.create

container.daemonSets.delete

container.daemonSets.get

container.daemonSets.update

container.deployments.create

container.deployments.delete

container.deployments.get

container.deployments.update

container.frontendConfigs.create

container.frontendConfigs.delete

container.frontendConfigs.get

container.horizontalPodAutoscalers.create

container.horizontalPodAutoscalers.delete

container.horizontalPodAutoscalers.get

container.ingresses.create

container.ingresses.delete

container.ingresses.get

container.jobs.create

container.jobs.delete

container.jobs.get

container.managedCertificates.create

container.managedCertificates.delete

container.managedCertificates.get

container.mutatingWebhookConfigurations.delete

container.mutatingWebhookConfigurations.get

container.namespaces.create

container.namespaces.delete

container.namespaces.get

container.networkPolicies.create

container.networkPolicies.delete

container.networkPolicies.get

container.operations.get

container.podDisruptionBudgets.create

container.podDisruptionBudgets.delete

container.podDisruptionBudgets.get

container.podSecurityPolicies.delete

container.podSecurityPolicies.get

container.priorityClasses.create

container.priorityClasses.delete

container.priorityClasses.get

container.replicationControllers.create

container.replicationControllers.delete

container.replicationControllers.get

container.roleBindings.create

container.roleBindings.delete

container.roleBindings.get

container.roles.bind

container.roles.create

container.roles.delete

container.roles.escalate

container.roles.get

container.roles.update

container.secrets.create

container.secrets.delete

container.secrets.get

container.secrets.update

container.serviceAccounts.create

container.serviceAccounts.delete

container.serviceAccounts.get

container.serviceAccounts.update

container.services.create

container.services.delete

container.services.get

container.statefulSets.create

container.statefulSets.delete

container.statefulSets.get

container.statefulSets.update

container.storageClasses.create

container.storageClasses.delete

container.storageClasses.get

container.thirdPartyObjects.create

container.thirdPartyObjects.delete

container.thirdPartyObjects.get

container.thirdPartyObjects.update

container.validatingWebhookConfigurations.delete

container.validatingWebhookConfigurations.get

datacatalog.taxonomies.get

dataproc.autoscalingPolicies.create

dataproc.autoscalingPolicies.delete

dataproc.autoscalingPolicies.get

dataproc.autoscalingPolicies.use

dataproc.clusters.create

dataproc.clusters.delete

dataproc.clusters.get

dataproc.nodeGroups.create

dataproc.operations.get

dataproc.workflowTemplates.create

dataproc.workflowTemplates.delete

dataproc.workflowTemplates.get

deploymentmanager.compositeTypes.get

deploymentmanager.deployments.create

deploymentmanager.deployments.delete

deploymentmanager.deployments.get

deploymentmanager.deployments.update

deploymentmanager.operations.get

deploymentmanager.typeProviders.create

deploymentmanager.typeProviders.delete

deploymentmanager.typeProviders.get

deploymentmanager.typeProviders.update

dns.changes.*

dns.managedZones.create

dns.managedZones.delete

dns.managedZones.get

dns.managedZones.list

dns.managedZones.update

dns.networks.bindPrivateDNSZone

dns.networks.targetWithPeeringZone

dns.policies.delete

dns.policies.get

dns.resourceRecordSets.create

dns.resourceRecordSets.delete

dns.resourceRecordSets.list

dns.resourceRecordSets.update

file.instances.create

file.instances.delete

file.instances.get

file.instances.update

file.operations.get

firebase.projects.get

firebase.projects.update

firebaseanalytics.resources.googleAnalyticsEdit

iam.roles.create

iam.roles.delete

iam.roles.get

iam.roles.list

iam.roles.update

iam.serviceAccountKeys.delete

iam.serviceAccountKeys.get

iam.serviceAccounts.actAs

iam.serviceAccounts.create

iam.serviceAccounts.delete

iam.serviceAccounts.get

iam.serviceAccounts.list

iam.serviceAccounts.update

logging.buckets.update

logging.exclusions.create

logging.exclusions.delete

logging.exclusions.get

logging.exclusions.update

logging.logEntries.create

logging.logMetrics.create

logging.logMetrics.delete

logging.logMetrics.get

logging.logMetrics.update

logging.notificationRules.create

logging.sinks.create

logging.sinks.delete

logging.sinks.get

logging.sinks.update

monitoring.alertPolicies.*

monitoring.dashboards.create

monitoring.dashboards.delete

monitoring.dashboards.get

monitoring.dashboards.update

monitoring.groups.create

monitoring.groups.delete

monitoring.groups.get

monitoring.groups.update

monitoring.metricDescriptors.create

monitoring.metricDescriptors.delete

monitoring.metricDescriptors.get

monitoring.notificationChannels.create

monitoring.notificationChannels.delete

monitoring.notificationChannels.get

monitoring.notificationChannels.update

monitoring.uptimeCheckConfigs.create

monitoring.uptimeCheckConfigs.delete

monitoring.uptimeCheckConfigs.get

monitoring.uptimeCheckConfigs.update

networksecurity.serverTlsPolicies.use

pubsub.schemas.attach

pubsub.subscriptions.create

pubsub.subscriptions.delete

pubsub.subscriptions.get

pubsub.subscriptions.update

pubsub.topics.attachSubscription

pubsub.topics.create

pubsub.topics.delete

pubsub.topics.get

pubsub.topics.getIamPolicy

pubsub.topics.publish

pubsub.topics.update

redis.instances.create

redis.instances.delete

redis.instances.get

redis.instances.update

redis.instances.updateAuth

redis.operations.get

resourcemanager.folders.create

resourcemanager.folders.delete

resourcemanager.folders.get

resourcemanager.folders.getIamPolicy

resourcemanager.folders.list

resourcemanager.folders.update

resourcemanager.organizations.getIamPolicy

resourcemanager.projects.create

resourcemanager.projects.createBillingAssignment

resourcemanager.projects.delete

resourcemanager.projects.deleteBillingAssignment

resourcemanager.projects.get

resourcemanager.projects.getIamPolicy

resourcemanager.projects.list

resourcemanager.projects.move

resourcemanager.projects.update

resourcemanager.projects.updateLiens

resourcemanager.tagHolds.create

resourcemanager.tagHolds.delete

resourcemanager.tagValueBindings.*

resourcemanager.tagValues.get

runtimeconfig.configs.create

runtimeconfig.configs.delete

runtimeconfig.configs.get

runtimeconfig.configs.list

runtimeconfig.configs.update

runtimeconfig.variables.create

runtimeconfig.variables.delete

runtimeconfig.variables.get

runtimeconfig.variables.list

runtimeconfig.variables.update

runtimeconfig.waiters.create

runtimeconfig.waiters.delete

runtimeconfig.waiters.get

runtimeconfig.waiters.list

servicedirectory.namespaces.associatePrivateZone

servicedirectory.namespaces.create

servicedirectory.namespaces.delete

servicedirectory.services.create

servicemanagement.services.bind

servicenetworking.operations.get

servicenetworking.services.addPeering

servicenetworking.services.get

serviceusage.operations.get

serviceusage.services.disable

serviceusage.services.enable

serviceusage.services.get

serviceusage.services.use

source.repos.create

spanner.databaseOperations.get

spanner.databases.create

spanner.databases.drop

spanner.databases.get

spanner.databases.updateDdl

spanner.instanceOperations.get

spanner.instances.create

spanner.instances.delete

spanner.instances.get

spanner.instances.update

storage.buckets.create

storage.buckets.delete

storage.buckets.get

storage.buckets.getIamPolicy

storage.buckets.update

storage.hmacKeys.create

storage.objects.create

storage.objects.delete

storage.objects.get

storage.objects.getIamPolicy

storage.objects.list

vpcaccess.connectors.create

vpcaccess.connectors.delete

vpcaccess.operations.get

workflows.operations.get

workflows.workflows.create

workflows.workflows.delete

workflows.workflows.get

(roles/cloudfunctions.serviceAgent)

Gives Cloud Functions service account access to managed resources.

artifactregistry.aptartifacts.create

artifactregistry.dockerimages.*

artifactregistry.files.*

artifactregistry.kfpartifacts.create

artifactregistry.locations.*

artifactregistry.mavenartifacts.*

artifactregistry.npmpackages.*

artifactregistry.packages.*

artifactregistry.projectsettings.*

artifactregistry.pythonpackages.*

artifactregistry.repositories.create

artifactregistry.repositories.createTagBinding

artifactregistry.repositories.delete

artifactregistry.repositories.deleteArtifacts

artifactregistry.repositories.deleteTagBinding

artifactregistry.repositories.downloadArtifacts

artifactregistry.repositories.get

artifactregistry.repositories.getIamPolicy

artifactregistry.repositories.list

artifactregistry.repositories.listEffectiveTags

artifactregistry.repositories.listTagBindings

artifactregistry.repositories.readViaVirtualRepository

artifactregistry.repositories.setIamPolicy

artifactregistry.repositories.update

artifactregistry.repositories.uploadArtifacts

artifactregistry.tags.*

artifactregistry.versions.*

artifactregistry.yumartifacts.create

clientauthconfig.clients.list

cloudbuild.builds.create

cloudbuild.builds.get

cloudbuild.builds.list

cloudbuild.builds.update

cloudbuild.operations.*

cloudbuild.workerpools.use

cloudfunctions.functions.get

cloudfunctions.functions.invoke

cloudfunctions.functions.list

cloudfunctions.operations.*

compute.globalOperations.get

compute.networks.access

eventarc.channelConnections.create

eventarc.channelConnections.delete

eventarc.channelConnections.get

eventarc.channelConnections.getIamPolicy

eventarc.channelConnections.list

eventarc.channelConnections.publish

eventarc.channels.attach

eventarc.channels.create

eventarc.channels.delete

eventarc.channels.get

eventarc.channels.getIamPolicy

eventarc.channels.list

eventarc.channels.publish

eventarc.channels.undelete

eventarc.channels.update

eventarc.googleChannelConfigs.*

eventarc.locations.*

eventarc.operations.*

eventarc.providers.*

eventarc.triggers.create

eventarc.triggers.delete

eventarc.triggers.get

eventarc.triggers.getIamPolicy

eventarc.triggers.list

eventarc.triggers.undelete

eventarc.triggers.update

firebasedatabase.instances.get

firebasedatabase.instances.update

iam.serviceAccounts.actAs

iam.serviceAccounts.getAccessToken

iam.serviceAccounts.getOpenIdToken

iam.serviceAccounts.signBlob

pubsub.subscriptions.*

pubsub.topics.attachSubscription

pubsub.topics.create

pubsub.topics.get

pubsub.topics.list

recommender.locations.*

recommender.runServiceCostInsights.*

recommender.runServiceCostRecommendations.*

recommender.runServiceIdentityInsights.*

recommender.runServiceIdentityRecommendations.*

recommender.runServicePerformanceInsights.*

recommender.runServicePerformanceRecommendations.*

recommender.runServiceSecurityInsights.*

recommender.runServiceSecurityRecommendations.*

remotebuildexecution.blobs.get

resourcemanager.projects.get

resourcemanager.projects.getIamPolicy

resourcemanager.projects.list

run.configurations.*

run.executions.*

run.jobs.create

run.jobs.delete

run.jobs.get

run.jobs.getIamPolicy

run.jobs.list

run.jobs.listEffectiveTags

run.jobs.listTagBindings

run.jobs.run

run.jobs.runWithOverrides

run.jobs.update

run.locations.list

run.operations.*

run.revisions.*

run.routes.*

run.services.create

run.services.delete

run.services.get

run.services.getIamPolicy

run.services.list

run.services.listEffectiveTags

run.services.listTagBindings

run.services.update

run.tasks.*

serviceusage.quotas.get

serviceusage.services.disable

serviceusage.services.enable

serviceusage.services.get

serviceusage.services.use

source.repos.get

source.repos.list

storage.buckets.create

storage.buckets.delete

storage.buckets.get

storage.buckets.update

storage.objects.create

storage.objects.delete

storage.objects.get

storage.objects.list

vpcaccess.connectors.get

vpcaccess.connectors.use

(roles/cloudiot.serviceAgent)

Grants the ability to manage Cloud IoT Core resources, including publishing data to Cloud Pub/Sub and writing device activity logs to Stackdriver. Warning: If this role is removed from the Cloud IoT service account, Cloud IoT Core will be unable to publish data or write device activity logs.

logging.logEntries.create

logging.logEntries.route

pubsub.topics.publish

(roles/cloudkms.orgServiceAgent)

Gives Cloud KMS organization-level service account access to managed resources.

cloudasset.assets.searchAllResources

(roles/cloudkms.serviceAgent)

Gives Cloud KMS service account access to managed resources.

cloudasset.assets.listCloudkmsCryptoKeys

(roles/cloudkmskacls.serviceAgent)

Grants Cloud KMS KACLS Service Agent access to KMS resource permissions to perform DEK encryption/decryption.

cloudkms.cryptoKeyVersions.useToDecrypt

cloudkms.cryptoKeyVersions.useToEncrypt

cloudkms.cryptoKeys.get

(roles/cloudoptimization.serviceAgent)

Grants Cloud Optimization Service Account access to read and write data in the user project.

storage.buckets.get

storage.objects.create

storage.objects.delete

storage.objects.get

storage.objects.list

storage.objects.update

(roles/cloudscheduler.serviceAgent)

Grants Cloud Scheduler Service Account access to manage resources.

iam.serviceAccounts.getAccessToken

iam.serviceAccounts.getOpenIdToken

logging.logEntries.create

logging.logEntries.route

pubsub.topics.publish

(roles/cloudsql.serviceAgent)

Grants Cloud SQL access to services and APIs in the user project.

cloudsql.instances.get

(roles/cloudtasks.serviceAgent)

Grants Cloud Tasks Service Account access to manage resources.

iam.serviceAccounts.getAccessToken

iam.serviceAccounts.getOpenIdToken

logging.logEntries.create

(roles/cloudtpu.serviceAgent)

Gives Cloud TPUs service account access to managed resources.

compute.acceleratorTypes.*

compute.addresses.*

compute.autoscalers.*

compute.backendBuckets.*

compute.backendServices.*

compute.diskTypes.*

compute.disks.*

compute.externalVpnGateways.*

compute.firewallPolicies.get

compute.firewallPolicies.list

compute.firewallPolicies.listEffectiveTags

compute.firewallPolicies.listTagBindings

compute.firewallPolicies.use

compute.firewalls.create

compute.firewalls.delete

compute.firewalls.get

compute.firewalls.list

compute.firewalls.listEffectiveTags

compute.firewalls.listTagBindings

compute.firewalls.update

compute.forwardingRules.*

compute.globalAddresses.*

compute.globalForwardingRules.*

compute.globalNetworkEndpointGroups.*

compute.globalOperations.get

compute.globalOperations.list

compute.globalPublicDelegatedPrefixes.delete

compute.globalPublicDelegatedPrefixes.get

compute.globalPublicDelegatedPrefixes.list

compute.globalPublicDelegatedPrefixes.update

compute.globalPublicDelegatedPrefixes.updatePolicy

compute.healthChecks.*

compute.httpHealthChecks.*

compute.httpsHealthChecks.*

compute.images.*

compute.instanceGroupManagers.*

compute.instanceGroups.*

compute.instanceSettings.*

compute.instanceTemplates.*

compute.instances.*

compute.instantSnapshots.*

compute.interconnectAttachments.*

compute.interconnectLocations.*

compute.interconnectRemoteLocations.*

compute.interconnects.*

compute.licenseCodes.*

compute.licenses.*

compute.machineImages.*

compute.machineTypes.*

compute.networkAttachments.*

compute.networkEndpointGroups.*

compute.networks.*

compute.packetMirrorings.get

compute.packetMirrorings.list

compute.projects.get

compute.projects.setCommonInstanceMetadata

compute.publicDelegatedPrefixes.delete

compute.publicDelegatedPrefixes.get

compute.publicDelegatedPrefixes.list

compute.publicDelegatedPrefixes.update

compute.publicDelegatedPrefixes.updatePolicy

compute.regionBackendServices.*

compute.regionFirewallPolicies.get

compute.regionFirewallPolicies.list

compute.regionFirewallPolicies.listEffectiveTags

compute.regionFirewallPolicies.listTagBindings

compute.regionFirewallPolicies.use

compute.regionHealthCheckServices.*

compute.regionHealthChecks.*

compute.regionNetworkEndpointGroups.*

compute.regionNotificationEndpoints.*

compute.regionOperations.get

compute.regionOperations.list

compute.regionSecurityPolicies.get

compute.regionSecurityPolicies.list

compute.regionSecurityPolicies.listEffectiveTags

compute.regionSecurityPolicies.listTagBindings

compute.regionSecurityPolicies.use

compute.regionSslCertificates.get

compute.regionSslCertificates.list

compute.regionSslCertificates.listEffectiveTags

compute.regionSslCertificates.listTagBindings

compute.regionSslPolicies.*

compute.regionTargetHttpProxies.*

compute.regionTargetHttpsProxies.*

compute.regionTargetTcpProxies.*

compute.regionUrlMaps.*

compute.regions.*

compute.reservations.get

compute.reservations.list

compute.resourcePolicies.*

compute.routers.*

compute.routes.*

compute.securityPolicies.get

compute.securityPolicies.list

compute.securityPolicies.listEffectiveTags

compute.securityPolicies.listTagBindings

compute.securityPolicies.use

compute.serviceAttachments.*

compute.snapshots.*

compute.sslCertificates.get

compute.sslCertificates.list

compute.sslCertificates.listEffectiveTags

compute.sslCertificates.listTagBindings

compute.sslPolicies.*

compute.storagePools.get

compute.storagePools.list

compute.storagePools.use

compute.subnetworks.*

compute.targetGrpcProxies.*

compute.targetHttpProxies.*

compute.targetHttpsProxies.*

compute.targetInstances.*

compute.targetPools.*

compute.targetSslProxies.*

compute.targetTcpProxies.*

compute.targetVpnGateways.*

compute.urlMaps.*

compute.vpnGateways.*

compute.vpnTunnels.*

compute.zoneOperations.get

compute.zoneOperations.list

compute.zones.*

iam.serviceAccounts.actAs

iam.serviceAccounts.get

iam.serviceAccounts.list

logging.logEntries.create

logging.logEntries.route

monitoring.metricDescriptors.create

monitoring.metricDescriptors.get

monitoring.metricDescriptors.list

monitoring.monitoredResourceDescriptors.*

monitoring.timeSeries.create

networkconnectivity.internalRanges.*

networkconnectivity.locations.*

networkconnectivity.operations.*

networkconnectivity.policyBasedRoutes.*

networkconnectivity.regionalEndpoints.*

networkconnectivity.serviceClasses.*

networkconnectivity.serviceConnectionMaps.*

networkconnectivity.serviceConnectionPolicies.*

networksecurity.*

networkservices.*

pubsub.*

resourcemanager.projects.get

resourcemanager.projects.list

servicedirectory.namespaces.create

servicedirectory.namespaces.delete

servicedirectory.services.create

servicedirectory.services.delete

servicenetworking.operations.get

servicenetworking.services.addPeering

servicenetworking.services.createPeeredDnsDomain

servicenetworking.services.deleteConnection

servicenetworking.services.deletePeeredDnsDomain

servicenetworking.services.disableVpcServiceControls

servicenetworking.services.enableVpcServiceControls

servicenetworking.services.get

servicenetworking.services.listPeeredDnsDomains

serviceusage.quotas.get

serviceusage.services.get

serviceusage.services.list

trafficdirector.*

(roles/cloudtranslate.serviceAgent)

Gives Cloud Translation Service Account access to consumer resources.

automl.datasets.export

automl.datasets.get

automl.datasets.list

automl.models.get

automl.models.list

automl.operations.get

storage.buckets.get

storage.objects.create

storage.objects.get

storage.objects.list

(roles/composer.serviceAgent)

Cloud Composer API service agent can manage environments.

appengine.applications.get

appengine.applications.listRuntimes

appengine.applications.update

appengine.instances.*

appengine.memcache.addKey

appengine.memcache.flush

appengine.memcache.get

appengine.memcache.update

appengine.operations.*

appengine.runtimes.actAsAdmin

appengine.services.*

appengine.versions.create

appengine.versions.delete

appengine.versions.get

appengine.versions.list

appengine.versions.update

artifactregistry.repositories.create

artifactregistry.repositories.delete

artifactregistry.repositories.get

artifactregistry.repositories.list

artifactregistry.repositories.update

cloudaicompanion.entitlements.get

cloudnotifications.activities.list

cloudsql.*

composer.dags.get

composer.environments.get

compute.acceleratorTypes.*

compute.addresses.*

compute.autoscalers.*

compute.backendBuckets.*

compute.backendServices.*

compute.diskTypes.*

compute.disks.*

compute.externalVpnGateways.*

compute.firewallPolicies.get

compute.firewallPolicies.list

compute.firewallPolicies.listEffectiveTags

compute.firewallPolicies.listTagBindings

compute.firewallPolicies.use

compute.firewalls.get

compute.firewalls.list

compute.firewalls.listEffectiveTags

compute.firewalls.listTagBindings

compute.forwardingRules.*

compute.globalAddresses.*

compute.globalForwardingRules.*

compute.globalNetworkEndpointGroups.*

compute.globalOperations.get

compute.globalOperations.list

compute.globalPublicDelegatedPrefixes.delete

compute.globalPublicDelegatedPrefixes.get

compute.globalPublicDelegatedPrefixes.list

compute.globalPublicDelegatedPrefixes.update

compute.globalPublicDelegatedPrefixes.updatePolicy

compute.healthChecks.*

compute.httpHealthChecks.*

compute.httpsHealthChecks.*

compute.images.*

compute.instanceGroupManagers.*

compute.instanceGroups.*

compute.instanceSettings.*

compute.instanceTemplates.*

compute.instances.*

compute.instantSnapshots.*

compute.interconnectAttachments.*

compute.interconnectLocations.*

compute.interconnectRemoteLocations.*

compute.interconnects.*

compute.licenseCodes.*

compute.licenses.*

compute.machineImages.*

compute.machineTypes.*

compute.networkAttachments.*

compute.networkEndpointGroups.*

compute.networks.*

compute.packetMirrorings.get

compute.packetMirrorings.list

compute.projects.get

compute.projects.setCommonInstanceMetadata

compute.publicDelegatedPrefixes.delete

compute.publicDelegatedPrefixes.get

compute.publicDelegatedPrefixes.list

compute.publicDelegatedPrefixes.update

compute.publicDelegatedPrefixes.updatePolicy

compute.regionBackendServices.*

compute.regionFirewallPolicies.get

compute.regionFirewallPolicies.list

compute.regionFirewallPolicies.listEffectiveTags

compute.regionFirewallPolicies.listTagBindings

compute.regionFirewallPolicies.use

compute.regionHealthCheckServices.*

compute.regionHealthChecks.*

compute.regionNetworkEndpointGroups.*

compute.regionNotificationEndpoints.*

compute.regionOperations.get

compute.regionOperations.list

compute.regionSecurityPolicies.get

compute.regionSecurityPolicies.list

compute.regionSecurityPolicies.listEffectiveTags

compute.regionSecurityPolicies.listTagBindings

compute.regionSecurityPolicies.use

compute.regionSslCertificates.get

compute.regionSslCertificates.list

compute.regionSslCertificates.listEffectiveTags

compute.regionSslCertificates.listTagBindings

compute.regionSslPolicies.*

compute.regionTargetHttpProxies.*

compute.regionTargetHttpsProxies.*

compute.regionTargetTcpProxies.*

compute.regionUrlMaps.*

compute.regions.*

compute.reservations.get

compute.reservations.list

compute.resourcePolicies.*

compute.routers.*

compute.routes.*

compute.securityPolicies.get

compute.securityPolicies.list

compute.securityPolicies.listEffectiveTags

compute.securityPolicies.listTagBindings

compute.securityPolicies.use

compute.serviceAttachments.*

compute.snapshots.*

compute.sslCertificates.get

compute.sslCertificates.list

compute.sslCertificates.listEffectiveTags

compute.sslCertificates.listTagBindings

compute.sslPolicies.*

compute.storagePools.get

compute.storagePools.list

compute.storagePools.use

compute.subnetworks.*

compute.targetGrpcProxies.*

compute.targetHttpProxies.*

compute.targetHttpsProxies.*

compute.targetInstances.*

compute.targetPools.*

compute.targetSslProxies.*

compute.targetTcpProxies.*

compute.targetVpnGateways.*

compute.urlMaps.*

compute.vpnGateways.*

compute.vpnTunnels.*

compute.zoneOperations.get

compute.zoneOperations.list

compute.zones.*

container.*

deploymentmanager.compositeTypes.*

deploymentmanager.deployments.cancelPreview

deploymentmanager.deployments.create

deploymentmanager.deployments.delete

deploymentmanager.deployments.get

deploymentmanager.deployments.list

deploymentmanager.deployments.stop

deploymentmanager.deployments.update

deploymentmanager.manifests.*

deploymentmanager.operations.*

deploymentmanager.resources.*

deploymentmanager.typeProviders.*

deploymentmanager.types.*

dns.managedZones.get

dns.managedZones.list

dns.networks.targetWithPeeringZone

firebase.projects.get

iam.serviceAccounts.actAs

iam.serviceAccounts.get

iam.serviceAccounts.getAccessToken

iam.serviceAccounts.list

logging.buckets.create

logging.buckets.delete

logging.buckets.get

logging.buckets.list

logging.buckets.undelete

logging.buckets.update

logging.exclusions.*

logging.links.*

logging.locations.*

logging.logEntries.create

logging.logEntries.route

logging.logMetrics.*

logging.logServiceIndexes.list

logging.logServices.list

logging.logs.list

logging.notificationRules.*

logging.operations.*

logging.settings.*

logging.sinks.*

logging.views.create

logging.views.delete

logging.views.get

logging.views.list

logging.views.update

monitoring.alertPolicies.get

monitoring.alertPolicies.list

monitoring.dashboards.get

monitoring.dashboards.list

monitoring.groups.get

monitoring.groups.list

monitoring.metricDescriptors.create

monitoring.metricDescriptors.get

monitoring.metricDescriptors.list

monitoring.monitoredResourceDescriptors.*

monitoring.notificationChannelDescriptors.*

monitoring.notificationChannels.get

monitoring.notificationChannels.list

monitoring.publicWidgets.get

monitoring.publicWidgets.list

monitoring.services.get

monitoring.services.list

monitoring.slos.get

monitoring.slos.list

monitoring.snoozes.get

monitoring.snoozes.list

monitoring.timeSeries.*

monitoring.uptimeCheckConfigs.get

monitoring.uptimeCheckConfigs.list

networkconnectivity.internalRanges.*

networkconnectivity.locations.*

networkconnectivity.operations.*

networkconnectivity.policyBasedRoutes.*

networkconnectivity.regionalEndpoints.*

networkconnectivity.serviceClasses.*

networkconnectivity.serviceConnectionMaps.*

networkconnectivity.serviceConnectionPolicies.*

networksecurity.*

networkservices.*

opsconfigmonitoring.resourceMetadata.list

orgpolicy.policy.get

pubsub.*

recommender.cloudsqlIdleInstanceRecommendations.*

recommender.cloudsqlInstanceActivityInsights.*

recommender.cloudsqlInstanceCpuUsageInsights.*

recommender.cloudsqlInstanceDiskUsageTrendInsights.*

recommender.cloudsqlInstanceMemoryUsageInsights.*

recommender.cloudsqlInstanceOomProbabilityInsights.*

recommender.cloudsqlInstanceOutOfDiskRecommendations.*

recommender.cloudsqlInstancePerformanceInsights.*

recommender.cloudsqlInstancePerformanceRecommendations.*

recommender.cloudsqlInstanceReliabilityInsights.*

recommender.cloudsqlInstanceReliabilityRecommendations.*

recommender.cloudsqlInstanceSecurityInsights.*

recommender.cloudsqlInstanceSecurityRecommendations.*

recommender.cloudsqlInstanceUnderprovisionedCpuUsageInsights.*

recommender.cloudsqlInstanceUnderprovisionedMemoryUsageInsights.*

recommender.cloudsqlOverprovisionedInstanceRecommendations.*

recommender.cloudsqlUnderProvisionedInstanceRecommendations.*

recommender.containerDiagnosisInsights.*

recommender.containerDiagnosisRecommendations.*

recommender.iamPolicyInsights.*

recommender.iamPolicyRecommendations.*

recommender.locations.*

recommender.networkAnalyzerGkeConnectivityInsights.*

recommender.networkAnalyzerGkeIpAddressInsights.*

resourcemanager.projects.get

resourcemanager.projects.getIamPolicy

resourcemanager.projects.list

servicedirectory.namespaces.create

servicedirectory.namespaces.delete

servicedirectory.services.create

servicedirectory.services.delete

servicenetworking.operations.get

servicenetworking.services.addPeering

servicenetworking.services.createPeeredDnsDomain

servicenetworking.services.deleteConnection

servicenetworking.services.deletePeeredDnsDomain

servicenetworking.services.disableVpcServiceControls

servicenetworking.services.enableVpcServiceControls

servicenetworking.services.get

servicenetworking.services.listPeeredDnsDomains

serviceusage.quotas.get

serviceusage.services.get

serviceusage.services.list

stackdriver.projects.get

stackdriver.resourceMetadata.list

storage.anywhereCaches.*

storage.bucketOperations.*

storage.buckets.*

storage.managedFolders.*

storage.multipartUploads.*

storage.objects.*

trafficdirector.*

(roles/compute.instanceGroupManagerServiceAgent)

Role containing all permissions required by Managed Instance Groups to create and manage instances.

compute.addresses.*

compute.disks.addResourcePolicies

compute.disks.create

compute.disks.createSnapshot

compute.disks.createTagBinding

compute.disks.delete

compute.disks.deleteTagBinding

compute.disks.get

compute.disks.getIamPolicy

compute.disks.list

compute.disks.listEffectiveTags

compute.disks.listTagBindings

compute.disks.removeResourcePolicies

compute.disks.resize

compute.disks.setLabels

compute.disks.startAsyncReplication

compute.disks.stopAsyncReplication

compute.disks.stopGroupAsyncReplication

compute.disks.update

compute.disks.use

compute.disks.useReadOnly

compute.globalAddresses.get

compute.globalOperations.get

compute.healthChecks.get

compute.httpHealthChecks.get

compute.httpsHealthChecks.get

compute.images.useReadOnly

compute.instanceGroups.update

compute.instanceTemplates.useReadOnly

compute.instances.addAccessConfig

compute.instances.addMaintenancePolicies

compute.instances.addResourcePolicies

compute.instances.attachDisk

compute.instances.create

compute.instances.createTagBinding

compute.instances.delete

compute.instances.deleteAccessConfig

compute.instances.deleteTagBinding

compute.instances.detachDisk

compute.instances.get

compute.instances.getEffectiveFirewalls

compute.instances.getGuestAttributes

compute.instances.getIamPolicy

compute.instances.getScreenshot

compute.instances.getSerialPortOutput

compute.instances.getShieldedInstanceIdentity

compute.instances.getShieldedVmIdentity

compute.instances.list

compute.instances.listEffectiveTags

compute.instances.listReferrers

compute.instances.listTagBindings

compute.instances.osAdminLogin

compute.instances.osLogin

compute.instances.pscInterfaceCreate

compute.instances.removeMaintenancePolicies

compute.instances.removeResourcePolicies

compute.instances.reset

compute.instances.resume

compute.instances.sendDiagnosticInterrupt

compute.instances.setDeletionProtection

compute.instances.setDiskAutoDelete

compute.instances.setLabels

compute.instances.setMachineResources

compute.instances.setMachineType

compute.instances.setMetadata

compute.instances.setMinCpuPlatform

compute.instances.setName

compute.instances.setScheduling

compute.instances.setSecurityPolicy

compute.instances.setServiceAccount

compute.instances.setShieldedInstanceIntegrityPolicy

compute.instances.setShieldedVmIntegrityPolicy

compute.instances.setTags

compute.instances.simulateMaintenanceEvent

compute.instances.start

compute.instances.startWithEncryptionKey

compute.instances.stop

compute.instances.suspend

compute.instances.update

compute.instances.updateAccessConfig

compute.instances.updateDisplayDevice

compute.instances.updateNetworkInterface

compute.instances.updateSecurity

compute.instances.updateShieldedInstanceConfig

compute.instances.updateShieldedVmConfig

compute.instances.use

compute.instances.useReadOnly

compute.networks.use

compute.networks.useExternalIp

compute.regionOperations.get

compute.resourcePolicies.use

compute.snapshots.useReadOnly

compute.subnetworks.use

compute.subnetworks.useExternalIp

compute.targetPools.addInstance

compute.targetPools.removeInstance

compute.zoneOperations.get

iam.serviceAccounts.actAs

(roles/compute.serviceAgent)

Gives Compute Engine Service Account access to assert service account authority. Includes access to service accounts.

cloudnotifications.activities.list

compute.addresses.use

compute.addresses.useInternal

compute.disks.create

compute.disks.createTagBinding

compute.disks.setLabels

compute.disks.use

compute.disks.useReadOnly

compute.images.useReadOnly

compute.instanceGroupManagers.get

compute.instanceTemplates.useReadOnly

compute.instances.create

compute.instances.createTagBinding

compute.instances.setDeletionProtection

compute.instances.setLabels

compute.instances.setMetadata

compute.instances.setServiceAccount

compute.instances.setTags

compute.instances.updateDisplayDevice

compute.machineImages.useReadOnly

compute.networks.use

compute.networks.useExternalIp

compute.resourcePolicies.use

compute.snapshots.useReadOnly

compute.subnetworks.use

compute.subnetworks.useExternalIp

iam.serviceAccounts.actAs

iam.serviceAccounts.getAccessToken

iam.serviceAccounts.getOpenIdToken

iam.serviceAccounts.implicitDelegation

iam.serviceAccounts.signJwt

logging.logEntries.create

monitoring.alertPolicies.get

monitoring.alertPolicies.list

monitoring.dashboards.get

monitoring.dashboards.list

monitoring.groups.get

monitoring.groups.list

monitoring.metricDescriptors.get

monitoring.metricDescriptors.list

monitoring.monitoredResourceDescriptors.*

monitoring.notificationChannelDescriptors.*

monitoring.notificationChannels.get

monitoring.notificationChannels.list

monitoring.publicWidgets.get

monitoring.publicWidgets.list

monitoring.services.get

monitoring.services.list

monitoring.slos.get

monitoring.slos.list

monitoring.snoozes.get

monitoring.snoozes.list

monitoring.timeSeries.list

monitoring.uptimeCheckConfigs.get

monitoring.uptimeCheckConfigs.list

opsconfigmonitoring.resourceMetadata.list

resourcemanager.projects.get

resourcemanager.projects.list

stackdriver.projects.get

stackdriver.resourceMetadata.list

storage.objects.create

storage.objects.get

storage.objects.list

storage.objects.update

(roles/connectors.serviceAgent)

Grants the Connectors Platform service account access to manage customer resources

connectors.actions.list

connectors.connections.get

connectors.connections.getConnectionSchemaMetadata

connectors.connections.list

connectors.connectors.*

connectors.customConnectorVersions.get

connectors.customConnectorVersions.list

connectors.customConnectors.get

connectors.customConnectors.list

connectors.endpointAttachments.get

connectors.endpointAttachments.list

connectors.entityTypes.list

connectors.eventSubscriptions.get

connectors.eventSubscriptions.list

connectors.eventtypes.*

connectors.locations.*

connectors.managedZones.get

connectors.managedZones.list

connectors.providers.*

connectors.runtimeconfig.get

iam.serviceAccounts.getAccessToken

iam.serviceAccounts.getOpenIdToken

iam.serviceAccounts.implicitDelegation

monitoring.metricDescriptors.create

monitoring.metricDescriptors.get

monitoring.metricDescriptors.list

monitoring.monitoredResourceDescriptors.*

monitoring.timeSeries.create

(roles/contactcenterinsights.serviceAgent)

Allows Contact Center AI to read and write APIs including BigQuery, Dialogflow, and Storage.

bigquery.datasets.create

bigquery.datasets.get

bigquery.jobs.create

bigquery.jobs.get

bigquery.tables.create

bigquery.tables.get

bigquery.tables.update

bigquery.tables.updateData

datalabeling.dataitems.*

datalabeling.datasets.create

datalabeling.datasets.delete

datalabeling.datasets.export

datalabeling.datasets.get

datalabeling.datasets.import

datalabeling.operations.get

datalabeling.operations.list

dialogflow.conversationDatasets.*

dialogflow.conversationModels.*

dialogflow.conversationProfiles.get

dialogflow.documents.*

dialogflow.operations.get

dialogflow.participants.suggest

dialogflow.sessions.detectIntent

dlp.deidentifyTemplates.get

dlp.deidentifyTemplates.list

dlp.inspectTemplates.get

dlp.inspectTemplates.list

dlp.kms.encrypt

dlp.locations.*

pubsub.topics.get

pubsub.topics.publish

serviceusage.services.use

speech.customClasses.get

speech.operations.get

speech.phraseSets.get

speech.recognizers.create

speech.recognizers.get

speech.recognizers.recognize

speech.recognizers.update

storage.objects.create

storage.objects.get

storage.objects.list

storage.objects.update

(roles/container.nodeServiceAgent)

Minimal set of permissions required by a GKE node to support standard capabilities such as logging and monitoring export, and image pulls.

autoscaling.sites.writeMetrics

logging.logEntries.create

monitoring.metricDescriptors.create

monitoring.metricDescriptors.list

monitoring.timeSeries.*

resourcemanager.projects.get

resourcemanager.projects.list

serviceusage.services.use

storage.objects.get

storage.objects.list

(roles/container.serviceAgent)

Gives Kubernetes Engine account access to manage cluster resources. Includes access to service accounts.

bigquery.datasets.create

bigquery.datasets.get

bigquery.tables.create

bigquery.tables.get

bigquery.tables.update

bigquery.tables.updateData

binaryauthorization.policy.evaluatePolicy

certificatemanager.certmapentries.create

certificatemanager.certmapentries.delete

certificatemanager.certmapentries.get

certificatemanager.certmapentries.getIamPolicy

certificatemanager.certmapentries.list

certificatemanager.certmapentries.update

certificatemanager.certmaps.create

certificatemanager.certmaps.delete

certificatemanager.certmaps.get

certificatemanager.certmaps.getIamPolicy

certificatemanager.certmaps.list

certificatemanager.certmaps.update

certificatemanager.certmaps.use

certificatemanager.certs.create

certificatemanager.certs.delete

certificatemanager.certs.get

certificatemanager.certs.getIamPolicy

certificatemanager.certs.list

certificatemanager.certs.update

certificatemanager.certs.use

certificatemanager.dnsauthorizations.create

certificatemanager.dnsauthorizations.delete

certificatemanager.dnsauthorizations.get

certificatemanager.dnsauthorizations.getIamPolicy

certificatemanager.dnsauthorizations.list

certificatemanager.dnsauthorizations.update

certificatemanager.dnsauthorizations.use

compute.acceleratorTypes.*

compute.addresses.*

compute.autoscalers.*

compute.backendBuckets.*

compute.backendServices.*

compute.diskTypes.*

compute.disks.*

compute.externalVpnGateways.*

compute.firewallPolicies.*

compute.firewalls.*

compute.forwardingRules.*

compute.globalAddresses.*

compute.globalForwardingRules.*

compute.globalNetworkEndpointGroups.*

compute.globalOperations.get

compute.globalOperations.list

compute.globalPublicDelegatedPrefixes.delete

compute.globalPublicDelegatedPrefixes.get

compute.globalPublicDelegatedPrefixes.list

compute.globalPublicDelegatedPrefixes.update

compute.globalPublicDelegatedPrefixes.updatePolicy

compute.healthChecks.*

compute.httpHealthChecks.*

compute.httpsHealthChecks.*

compute.images.*

compute.instanceGroupManagers.*

compute.instanceGroups.*

compute.instanceSettings.*

compute.instanceTemplates.*

compute.instances.*

compute.instantSnapshots.*

compute.interconnectAttachments.*

compute.interconnectLocations.*

compute.interconnectRemoteLocations.*

compute.interconnects.*

compute.licenseCodes.*

compute.licenses.*

compute.machineImages.*

compute.machineTypes.*

compute.networkAttachments.*

compute.networkEndpointGroups.*

compute.networks.*

compute.nodeGroups.get

compute.packetMirrorings.*

compute.projects.get

compute.projects.setCommonInstanceMetadata

compute.publicDelegatedPrefixes.delete

compute.publicDelegatedPrefixes.get

compute.publicDelegatedPrefixes.list

compute.publicDelegatedPrefixes.update

compute.publicDelegatedPrefixes.updatePolicy

compute.regionBackendServices.*

compute.regionFirewallPolicies.*

compute.regionHealthCheckServices.*

compute.regionHealthChecks.*

compute.regionNetworkEndpointGroups.*

compute.regionNotificationEndpoints.*

compute.regionOperations.get

compute.regionOperations.list

compute.regionSecurityPolicies.*

compute.regionSslCertificates.*

compute.regionSslPolicies.*

compute.regionTargetHttpProxies.*

compute.regionTargetHttpsProxies.*

compute.regionTargetTcpProxies.*

compute.regionUrlMaps.*

compute.regions.*

compute.reservations.get

compute.reservations.list

compute.resourcePolicies.*

compute.routers.*

compute.routes.*

compute.securityPolicies.*

compute.serviceAttachments.*

compute.snapshots.*

compute.sslCertificates.*

compute.sslPolicies.*

compute.storagePools.*

compute.subnetworks.*

compute.targetGrpcProxies.*

compute.targetHttpProxies.*

compute.targetHttpsProxies.*

compute.targetInstances.*

compute.targetPools.*

compute.targetSslProxies.*

compute.targetTcpProxies.*

compute.targetVpnGateways.*

compute.urlMaps.*

compute.vpnGateways.*

compute.vpnTunnels.*

compute.zoneOperations.get

compute.zoneOperations.list

compute.zones.*

container.*

dns.changes.*

dns.dnsKeys.*

dns.gkeClusters.*

dns.managedZoneOperations.*

dns.managedZones.create

dns.managedZones.delete

dns.managedZones.get

dns.managedZones.getIamPolicy

dns.managedZones.list

dns.managedZones.update

dns.networks.*

dns.policies.create

dns.policies.delete

dns.policies.get

dns.policies.getIamPolicy

dns.policies.list

dns.policies.update

dns.projects.get

dns.resourceRecordSets.*

dns.responsePolicies.*

dns.responsePolicyRules.*

file.*

iam.serviceAccounts.actAs

iam.serviceAccounts.get

logging.logEntries.create

monitoring.metricDescriptors.create

monitoring.metricDescriptors.get

monitoring.metricDescriptors.list

monitoring.timeSeries.*

networkconnectivity.internalRanges.*

networkconnectivity.locations.*

networkconnectivity.operations.*

networkconnectivity.policyBasedRoutes.*

networkconnectivity.regionalEndpoints.*

networkconnectivity.serviceClasses.*

networkconnectivity.serviceConnectionMaps.*

networkconnectivity.serviceConnectionPolicies.*

networksecurity.*

networkservices.*

pubsub.topics.create

pubsub.topics.get

pubsub.topics.publish

recommender.containerDiagnosisInsights.*

recommender.containerDiagnosisRecommendations.*

recommender.locations.*

recommender.networkAnalyzerGkeConnectivityInsights.*

recommender.networkAnalyzerGkeIpAddressInsights.*

resourcemanager.projects.get

resourcemanager.projects.list

servicedirectory.namespaces.create

servicedirectory.namespaces.delete

servicedirectory.services.create

servicedirectory.services.delete

servicenetworking.operations.get

servicenetworking.services.addPeering

servicenetworking.services.createPeeredDnsDomain

servicenetworking.services.deleteConnection

servicenetworking.services.deletePeeredDnsDomain

servicenetworking.services.disableVpcServiceControls

servicenetworking.services.enableVpcServiceControls

servicenetworking.services.get

servicenetworking.services.listPeeredDnsDomains

serviceusage.quotas.get

serviceusage.services.get

serviceusage.services.list

serviceusage.services.use

tpu.locations.*

tpu.nodes.create

tpu.nodes.delete

tpu.nodes.get

tpu.nodes.list

tpu.operations.*

trafficdirector.*

(roles/containeranalysis.ServiceAgent)

Gives Container Analysis API the access it needs to function

artifactregistry.dockerimages.*

artifactregistry.files.*

artifactregistry.locations.*

artifactregistry.mavenartifacts.*

artifactregistry.npmpackages.*

artifactregistry.packages.get

artifactregistry.packages.list

artifactregistry.projectsettings.get

artifactregistry.pythonpackages.*

artifactregistry.repositories.downloadArtifacts

artifactregistry.repositories.get

artifactregistry.repositories.list

artifactregistry.repositories.listEffectiveTags

artifactregistry.repositories.listTagBindings

artifactregistry.repositories.readViaVirtualRepository

artifactregistry.tags.get

artifactregistry.tags.list

artifactregistry.versions.get

artifactregistry.versions.list

containeranalysis.notes.list

containeranalysis.occurrences.create

containeranalysis.occurrences.delete

containeranalysis.occurrences.get

containeranalysis.occurrences.list

containeranalysis.occurrences.update

pubsub.schemas.attach

pubsub.schemas.commit

pubsub.schemas.create

pubsub.schemas.delete

pubsub.schemas.get

pubsub.schemas.list

pubsub.schemas.listRevisions

pubsub.schemas.rollback

pubsub.schemas.validate

pubsub.snapshots.create

pubsub.snapshots.delete

pubsub.snapshots.get

pubsub.snapshots.list

pubsub.snapshots.seek

pubsub.snapshots.update

pubsub.subscriptions.consume

pubsub.subscriptions.create

pubsub.subscriptions.delete

pubsub.subscriptions.get

pubsub.subscriptions.list

pubsub.subscriptions.update

pubsub.topics.attachSubscription

pubsub.topics.create

pubsub.topics.delete

pubsub.topics.detachSubscription

pubsub.topics.get

pubsub.topics.list

pubsub.topics.publish

pubsub.topics.update

pubsub.topics.updateTag

resourcemanager.projects.get

resourcemanager.projects.list

serviceusage.quotas.get

serviceusage.services.get

serviceusage.services.list

storage.objects.get

storage.objects.list

(roles/containerregistry.ServiceAgent)

Access for Container Registry

pubsub.topics.publish

storage.objects.get

storage.objects.getIamPolicy

storage.objects.list

(roles/containerscanning.ServiceAgent)

Gives Container Scanner the access it needs to analyze containers for vulnerabilities and create occurrences using the Container Analysis API

artifactregistry.dockerimages.*

artifactregistry.files.*

artifactregistry.locations.*

artifactregistry.mavenartifacts.*

artifactregistry.npmpackages.*

artifactregistry.packages.get

artifactregistry.packages.list

artifactregistry.projectsettings.get

artifactregistry.pythonpackages.*

artifactregistry.repositories.downloadArtifacts

artifactregistry.repositories.get

artifactregistry.repositories.list

artifactregistry.repositories.listEffectiveTags

artifactregistry.repositories.listTagBindings

artifactregistry.repositories.readViaVirtualRepository

artifactregistry.tags.get

artifactregistry.tags.list

artifactregistry.versions.get

artifactregistry.versions.list

containeranalysis.notes.list

containeranalysis.occurrences.create

containeranalysis.occurrences.delete

containeranalysis.occurrences.get

containeranalysis.occurrences.list

containeranalysis.occurrences.update

resourcemanager.projects.get

resourcemanager.projects.list

storage.objects.get

storage.objects.list

(roles/containerthreatdetection.serviceAgent)

Gives Container Threat Detection service account access to enable/disable Container Threat Detection and manage the Container Threat Detection Agent on Google Kubernetes Engine clusters.

container.apiServices.get

container.apiServices.getStatus

container.apiServices.list

container.auditSinks.get

container.auditSinks.list

container.backendConfigs.get

container.backendConfigs.list

container.bindings.get

container.bindings.list

container.certificateSigningRequests.get

container.certificateSigningRequests.getStatus

container.certificateSigningRequests.list

container.clusterRoleBindings.*

container.clusterRoles.*

container.clusters.get

container.clusters.list

container.componentStatuses.*

container.configMaps.get

container.configMaps.list

container.controllerRevisions.get

container.controllerRevisions.list

container.cronJobs.get

container.cronJobs.getStatus

container.cronJobs.list

container.csiDrivers.get

container.csiDrivers.list

container.csiNodeInfos.get

container.csiNodeInfos.list

container.csiNodes.get

container.csiNodes.list

container.customResourceDefinitions.create

container.customResourceDefinitions.delete

container.customResourceDefinitions.get

container.customResourceDefinitions.getStatus

container.customResourceDefinitions.list

container.customResourceDefinitions.update

container.daemonSets.*

container.deployments.get

container.deployments.getScale

container.deployments.getStatus

container.deployments.list

container.endpointSlices.get

container.endpointSlices.list

container.endpoints.get

container.endpoints.list

container.events.get

container.events.list

container.frontendConfigs.get

container.frontendConfigs.list

container.horizontalPodAutoscalers.get

container.horizontalPodAutoscalers.getStatus

container.horizontalPodAutoscalers.list

container.ingresses.get

container.ingresses.getStatus

container.ingresses.list

container.initializerConfigurations.get

container.initializerConfigurations.list

container.jobs.get

container.jobs.getStatus

container.jobs.list

container.leases.get

container.leases.list

container.limitRanges.get

container.limitRanges.list

container.managedCertificates.get

container.managedCertificates.list

container.mutatingWebhookConfigurations.get

container.mutatingWebhookConfigurations.list

container.namespaces.get

container.namespaces.getStatus

container.namespaces.list

container.networkPolicies.get

container.networkPolicies.list

container.networkPolicies.update

container.nodes.get

container.nodes.getStatus

container.nodes.list

container.operations.*

container.persistentVolumeClaims.get

container.persistentVolumeClaims.getStatus

container.persistentVolumeClaims.list

container.persistentVolumes.get

container.persistentVolumes.getStatus

container.persistentVolumes.list

container.petSets.get

container.petSets.list

container.podDisruptionBudgets.get

container.podDisruptionBudgets.getStatus

container.podDisruptionBudgets.list

container.podPresets.get

container.podPresets.list

container.podSecurityPolicies.get

container.podSecurityPolicies.list

container.podTemplates.get

container.podTemplates.list

container.pods.attach

container.pods.create

container.pods.delete

container.pods.exec

container.pods.get

container.pods.getLogs

container.pods.getStatus

container.pods.list

container.pods.portForward

container.pods.update

container.priorityClasses.get

container.priorityClasses.list

container.replicaSets.get

container.replicaSets.getScale

container.replicaSets.getStatus

container.replicaSets.list

container.replicationControllers.get

container.replicationControllers.getScale

container.replicationControllers.getStatus

container.replicationControllers.list

container.resourceQuotas.get

container.resourceQuotas.getStatus

container.resourceQuotas.list

container.roleBindings.*

container.roles.*

container.runtimeClasses.get

container.runtimeClasses.list

container.scheduledJobs.get

container.scheduledJobs.list

container.secrets.create

container.secrets.delete

container.secrets.list

container.secrets.update

container.serviceAccounts.create

container.serviceAccounts.delete

container.serviceAccounts.get

container.serviceAccounts.list

container.serviceAccounts.update

container.services.get

container.services.getStatus

container.services.list

container.statefulSets.get

container.statefulSets.getScale

container.statefulSets.getStatus

container.statefulSets.list

container.storageClasses.get

container.storageClasses.list

container.storageStates.get

container.storageStates.getStatus

container.storageStates.list

container.storageVersionMigrations.get

container.storageVersionMigrations.getStatus

container.storageVersionMigrations.list

container.thirdPartyObjects.get

container.thirdPartyObjects.list

container.thirdPartyResources.get

container.thirdPartyResources.list

container.tokenReviews.create

container.updateInfos.get

container.updateInfos.list

container.validatingWebhookConfigurations.get

container.validatingWebhookConfigurations.list

container.volumeAttachments.get

container.volumeAttachments.getStatus

container.volumeAttachments.list

container.volumeSnapshotClasses.get

container.volumeSnapshotClasses.list

container.volumeSnapshotContents.get

container.volumeSnapshotContents.getStatus

container.volumeSnapshotContents.list

container.volumeSnapshots.get

container.volumeSnapshots.list

recommender.containerDiagnosisInsights.get

recommender.containerDiagnosisInsights.list

recommender.containerDiagnosisRecommendations.get

recommender.containerDiagnosisRecommendations.list

recommender.locations.*

recommender.networkAnalyzerGkeConnectivityInsights.get

recommender.networkAnalyzerGkeConnectivityInsights.list

recommender.networkAnalyzerGkeIpAddressInsights.get

recommender.networkAnalyzerGkeIpAddressInsights.list

resourcemanager.projects.get

resourcemanager.projects.list

(roles/contentwarehouse.serviceAgent)

Gives the Content Warehouse service account access to manage customer resources

cloudfunctions.functions.invoke

documentai.datasets.createDocuments

documentai.processors.get

documentai.processors.processBatch

pubsub.topics.publish

pubsublite.topics.publish

storage.buckets.get

storage.buckets.list

storage.objects.create

storage.objects.delete

storage.objects.get

storage.objects.list

storage.objects.update

(roles/dataconnectors.serviceAgent)

Gives Data Connectors service agent permission to access the virtual private cloud

compute.globalOperations.get

compute.networks.access

vpcaccess.connectors.get

vpcaccess.connectors.use

(roles/dataflow.serviceAgent)

Gives Cloud Dataflow service account access to managed resources. Includes access to service accounts.

bigquery.bireservations.*

bigquery.capacityCommitments.*

bigquery.config.*

bigquery.connections.*

bigquery.dataPolicies.create

bigquery.dataPolicies.delete

bigquery.dataPolicies.get

bigquery.dataPolicies.getIamPolicy

bigquery.dataPolicies.list

bigquery.dataPolicies.setIamPolicy

bigquery.dataPolicies.update

bigquery.datasets.*

bigquery.jobs.*

bigquery.models.*

bigquery.readsessions.*

bigquery.reservationAssignments.*

bigquery.reservations.*

bigquery.routines.*

bigquery.rowAccessPolicies.create

bigquery.rowAccessPolicies.delete

bigquery.rowAccessPolicies.getIamPolicy

bigquery.rowAccessPolicies.list

bigquery.rowAccessPolicies.overrideTimeTravelRestrictions

bigquery.rowAccessPolicies.setIamPolicy

bigquery.rowAccessPolicies.update

bigquery.savedqueries.*

bigquery.tables.*

bigquery.transfers.*

bigquerymigration.translation.translate

clouddebugger.breakpoints.list

clouddebugger.breakpoints.listActive

clouddebugger.breakpoints.update

clouddebugger.debuggees.create

cloudnotifications.activities.list

compute.acceleratorTypes.*

compute.addresses.*

compute.autoscalers.*

compute.backendBuckets.*

compute.backendServices.*

compute.diskTypes.*

compute.disks.*

compute.externalVpnGateways.*

compute.firewallPolicies.get

compute.firewallPolicies.list

compute.firewallPolicies.listEffectiveTags

compute.firewallPolicies.listTagBindings

compute.firewallPolicies.use

compute.firewalls.get

compute.firewalls.list

compute.firewalls.listEffectiveTags

compute.firewalls.listTagBindings

compute.forwardingRules.*

compute.globalAddresses.*

compute.globalForwardingRules.*

compute.globalNetworkEndpointGroups.*

compute.globalOperations.get

compute.globalOperations.list

compute.globalPublicDelegatedPrefixes.delete

compute.globalPublicDelegatedPrefixes.get

compute.globalPublicDelegatedPrefixes.list

compute.globalPublicDelegatedPrefixes.update

compute.globalPublicDelegatedPrefixes.updatePolicy

compute.healthChecks.*

compute.httpHealthChecks.*

compute.httpsHealthChecks.*

compute.images.*

compute.instanceGroupManagers.*

compute.instanceGroups.*

compute.instanceSettings.get

compute.instanceTemplates.*

compute.instances.*

compute.instantSnapshots.*

compute.interconnectAttachments.*

compute.interconnectLocations.*

compute.interconnectRemoteLocations.*

compute.interconnects.*

compute.licenseCodes.*

compute.licenses.*

compute.machineImages.*

compute.machineTypes.*

compute.networkAttachments.*

compute.networkEndpointGroups.*

compute.networks.*

compute.packetMirrorings.get

compute.packetMirrorings.list

compute.projects.get

compute.publicDelegatedPrefixes.delete

compute.publicDelegatedPrefixes.get

compute.publicDelegatedPrefixes.list

compute.publicDelegatedPrefixes.update

compute.publicDelegatedPrefixes.updatePolicy

compute.regionBackendServices.*

compute.regionFirewallPolicies.get

compute.regionFirewallPolicies.list

compute.regionFirewallPolicies.listEffectiveTags

compute.regionFirewallPolicies.listTagBindings

compute.regionFirewallPolicies.use

compute.regionHealthCheckServices.*

compute.regionHealthChecks.*

compute.regionNetworkEndpointGroups.*

compute.regionNotificationEndpoints.*

compute.regionOperations.get

compute.regionOperations.list

compute.regionSecurityPolicies.get

compute.regionSecurityPolicies.list

compute.regionSecurityPolicies.listEffectiveTags

compute.regionSecurityPolicies.listTagBindings

compute.regionSecurityPolicies.use

compute.regionSslCertificates.get

compute.regionSslCertificates.list

compute.regionSslCertificates.listEffectiveTags

compute.regionSslCertificates.listTagBindings

compute.regionSslPolicies.*

compute.regionTargetHttpProxies.*

compute.regionTargetHttpsProxies.*

compute.regionTargetTcpProxies.*

compute.regionUrlMaps.*

compute.regions.*

compute.reservations.get

compute.reservations.list

compute.resourcePolicies.*

compute.routers.*

compute.routes.*

compute.securityPolicies.get

compute.securityPolicies.list

compute.securityPolicies.listEffectiveTags

compute.securityPolicies.listTagBindings

compute.securityPolicies.use

compute.serviceAttachments.*

compute.snapshots.*

compute.sslCertificates.get

compute.sslCertificates.list

compute.sslCertificates.listEffectiveTags

compute.sslCertificates.listTagBindings

compute.sslPolicies.*

compute.storagePools.*

compute.subnetworks.*

compute.targetGrpcProxies.*

compute.targetHttpProxies.*

compute.targetHttpsProxies.*

compute.targetInstances.*

compute.targetPools.*

compute.targetSslProxies.*

compute.targetTcpProxies.*

compute.targetVpnGateways.*

compute.urlMaps.*

compute.vpnGateways.*

compute.vpnTunnels.*

compute.zoneOperations.get

compute.zoneOperations.list

compute.zones.*

dataflow.jobs.*

dataflow.messages.list

dataflow.metrics.get

dataflow.snapshots.*

dataform.*

firebase.projects.get

iam.serviceAccounts.actAs

iam.serviceAccounts.get

iam.serviceAccounts.getAccessToken

iam.serviceAccounts.implicitDelegation

iam.serviceAccounts.list

iam.serviceAccounts.signBlob

iam.serviceAccounts.signJwt

logging.buckets.create

logging.buckets.delete

logging.buckets.get

logging.buckets.list

logging.buckets.undelete

logging.buckets.update

logging.exclusions.*

logging.links.*

logging.locations.*

logging.logEntries.create

logging.logEntries.route

logging.logMetrics.*

logging.logServiceIndexes.list

logging.logServices.list

logging.logs.list

logging.notificationRules.*

logging.operations.*

logging.settings.*

logging.sinks.*

logging.views.create

logging.views.delete

logging.views.get

logging.views.list

logging.views.update

monitoring.alertPolicies.get

monitoring.alertPolicies.list

monitoring.dashboards.get

monitoring.dashboards.list

monitoring.groups.get

monitoring.groups.list

monitoring.metricDescriptors.create

monitoring.metricDescriptors.get

monitoring.metricDescriptors.list

monitoring.monitoredResourceDescriptors.*

monitoring.notificationChannelDescriptors.*

monitoring.notificationChannels.get

monitoring.notificationChannels.list

monitoring.publicWidgets.get

monitoring.publicWidgets.list

monitoring.services.get

monitoring.services.list

monitoring.slos.get

monitoring.slos.list

monitoring.snoozes.get

monitoring.snoozes.list

monitoring.timeSeries.*

monitoring.uptimeCheckConfigs.get

monitoring.uptimeCheckConfigs.list

networkconnectivity.internalRanges.*

networkconnectivity.locations.*

networkconnectivity.operations.*

networkconnectivity.policyBasedRoutes.*

networkconnectivity.regionalEndpoints.*

networkconnectivity.serviceClasses.*

networkconnectivity.serviceConnectionMaps.*

networkconnectivity.serviceConnectionPolicies.*

networksecurity.*

networkservices.*

opsconfigmonitoring.resourceMetadata.list

orgpolicy.policy.get

pubsub.*

recommender.dataflowDiagnosticsInsights.*

recommender.iamPolicyInsights.*

recommender.iamPolicyRecommendations.*

resourcemanager.projects.get

resourcemanager.projects.list

servicedirectory.namespaces.create

servicedirectory.namespaces.delete

servicedirectory.services.create

servicedirectory.services.delete

servicenetworking.operations.get

servicenetworking.services.addPeering

servicenetworking.services.createPeeredDnsDomain

servicenetworking.services.deleteConnection

servicenetworking.services.deletePeeredDnsDomain

servicenetworking.services.disableVpcServiceControls

servicenetworking.services.enableVpcServiceControls

servicenetworking.services.get

servicenetworking.services.listPeeredDnsDomains

serviceusage.quotas.get

serviceusage.services.get

serviceusage.services.list

serviceusage.services.use

stackdriver.projects.get

stackdriver.resourceMetadata.list

storage.anywhereCaches.*

storage.bucketOperations.*

storage.buckets.*

storage.managedFolders.*

storage.multipartUploads.*

storage.objects.*

trafficdirector.*

(roles/dataform.serviceAgent)

Gives permission for the Dataform API to access a secret from Secret Manager.

dataform.compilationResults.create

dataform.workflowInvocations.create

resourcemanager.projects.get

resourcemanager.projects.list

(roles/datafusion.serviceAgent)

Gives Cloud Data Fusion service account access to Service Networking, Cloud Dataproc, Cloud Storage, BigQuery, Cloud Spanner, and Cloud Bigtable resources.

bigquery.config.get

bigquery.dataPolicies.create

bigquery.dataPolicies.delete

bigquery.dataPolicies.get

bigquery.dataPolicies.getIamPolicy

bigquery.dataPolicies.list

bigquery.dataPolicies.setIamPolicy

bigquery.dataPolicies.update

bigquery.datasets.*

bigquery.jobs.create

bigquery.models.*

bigquery.routines.*

bigquery.rowAccessPolicies.create

bigquery.rowAccessPolicies.delete

bigquery.rowAccessPolicies.getIamPolicy

bigquery.rowAccessPolicies.list

bigquery.rowAccessPolicies.setIamPolicy

bigquery.rowAccessPolicies.update

bigquery.tables.*

bigtable.*

compute.acceleratorTypes.*

compute.addresses.get

compute.addresses.list

compute.autoscalers.get

compute.autoscalers.list

compute.backendBuckets.get

compute.backendBuckets.list

compute.backendBuckets.listEffectiveTags

compute.backendBuckets.listTagBindings

compute.backendServices.get

compute.backendServices.list

compute.backendServices.listEffectiveTags

compute.backendServices.listTagBindings

compute.disks.listEffectiveTags

compute.disks.listTagBindings

compute.externalVpnGateways.get

compute.externalVpnGateways.list

compute.firewalls.get

compute.firewalls.list

compute.firewalls.listEffectiveTags

compute.firewalls.listTagBindings

compute.forwardingRules.get

compute.forwardingRules.list

compute.forwardingRules.listEffectiveTags

compute.forwardingRules.listTagBindings

compute.globalAddresses.get

compute.globalAddresses.list

compute.globalForwardingRules.get

compute.globalForwardingRules.list

compute.globalForwardingRules.listEffectiveTags

compute.globalForwardingRules.listTagBindings

compute.globalForwardingRules.pscGet

compute.globalOperations.get

compute.healthChecks.get

compute.healthChecks.list

compute.healthChecks.listEffectiveTags

compute.healthChecks.listTagBindings

compute.httpHealthChecks.get

compute.httpHealthChecks.list

compute.httpHealthChecks.listEffectiveTags

compute.httpHealthChecks.listTagBindings

compute.httpsHealthChecks.get

compute.httpsHealthChecks.list

compute.httpsHealthChecks.listEffectiveTags

compute.httpsHealthChecks.listTagBindings

compute.images.listEffectiveTags

compute.images.listTagBindings

compute.instanceGroupManagers.get

compute.instanceGroupManagers.list

compute.instanceGroupManagers.listEffectiveTags

compute.instanceGroupManagers.listTagBindings

compute.instanceGroups.get

compute.instanceGroups.list

compute.instanceSettings.get

compute.instances.get

compute.instances.getGuestAttributes

compute.instances.getScreenshot

compute.instances.getSerialPortOutput

compute.instances.list

compute.instances.listEffectiveTags

compute.instances.listReferrers

compute.instances.listTagBindings

compute.interconnectAttachments.get

compute.interconnectAttachments.list

compute.interconnectLocations.*

compute.interconnectRemoteLocations.*

compute.interconnects.get

compute.interconnects.list

compute.machineTypes.*

compute.networkAttachments.get

compute.networkAttachments.list

compute.networkAttachments.update

compute.networks.addPeering

compute.networks.get

compute.networks.getEffectiveFirewalls

compute.networks.getRegionEffectiveFirewalls

compute.networks.list

compute.networks.listEffectiveTags

compute.networks.listPeeringRoutes

compute.networks.listTagBindings

compute.networks.removePeering

compute.networks.update

compute.packetMirrorings.get

compute.packetMirrorings.list

compute.projects.get

compute.regionBackendServices.get

compute.regionBackendServices.list

compute.regionBackendServices.listEffectiveTags

compute.regionBackendServices.listTagBindings

compute.regionHealthCheckServices.get

compute.regionHealthCheckServices.list

compute.regionHealthChecks.get

compute.regionHealthChecks.list

compute.regionHealthChecks.listEffectiveTags

compute.regionHealthChecks.listTagBindings

compute.regionNotificationEndpoints.get

compute.regionNotificationEndpoints.list

compute.regionSslCertificates.get

compute.regionSslCertificates.list

compute.regionSslCertificates.listEffectiveTags

compute.regionSslCertificates.listTagBindings

compute.regionSslPolicies.get

compute.regionSslPolicies.list

compute.regionSslPolicies.listAvailableFeatures

compute.regionTargetHttpProxies.get

compute.regionTargetHttpProxies.list

compute.regionTargetHttpProxies.listEffectiveTags

compute.regionTargetHttpProxies.listTagBindings

compute.regionTargetHttpsProxies.get

compute.regionTargetHttpsProxies.list

compute.regionTargetHttpsProxies.listEffectiveTags

compute.regionTargetHttpsProxies.listTagBindings

compute.regionTargetTcpProxies.get

compute.regionTargetTcpProxies.list

compute.regionUrlMaps.get

compute.regionUrlMaps.list

compute.regionUrlMaps.listEffectiveTags

compute.regionUrlMaps.listTagBindings

compute.regions.*

compute.routers.get

compute.routers.list

compute.routes.get

compute.routes.list

compute.routes.listEffectiveTags

compute.routes.listTagBindings

compute.serviceAttachments.get

compute.serviceAttachments.list

compute.snapshots.listEffectiveTags

compute.snapshots.listTagBindings

compute.sslCertificates.get

compute.sslCertificates.list

compute.sslCertificates.listEffectiveTags

compute.sslCertificates.listTagBindings

compute.sslPolicies.get

compute.sslPolicies.list

compute.sslPolicies.listAvailableFeatures

compute.sslPolicies.listEffectiveTags

compute.sslPolicies.listTagBindings

compute.subnetworks.get

compute.subnetworks.list

compute.subnetworks.listEffectiveTags

compute.subnetworks.listTagBindings

compute.targetGrpcProxies.get

compute.targetGrpcProxies.list

compute.targetHttpProxies.get

compute.targetHttpProxies.list

compute.targetHttpProxies.listEffectiveTags

compute.targetHttpProxies.listTagBindings

compute.targetHttpsProxies.get

compute.targetHttpsProxies.list

compute.targetHttpsProxies.listEffectiveTags

compute.targetHttpsProxies.listTagBindings

compute.targetInstances.get

compute.targetInstances.list

compute.targetInstances.listEffectiveTags

compute.targetInstances.listTagBindings

compute.targetPools.get

compute.targetPools.list

compute.targetPools.listEffectiveTags

compute.targetPools.listTagBindings

compute.targetSslProxies.get

compute.targetSslProxies.list

compute.targetSslProxies.listEffectiveTags

compute.targetSslProxies.listTagBindings

compute.targetTcpProxies.get

compute.targetTcpProxies.list

compute.targetTcpProxies.listEffectiveTags

compute.targetTcpProxies.listTagBindings

compute.targetVpnGateways.get

compute.targetVpnGateways.list

compute.urlMaps.get

compute.urlMaps.list

compute.urlMaps.listEffectiveTags

compute.urlMaps.listTagBindings

compute.vpnGateways.get

compute.vpnGateways.list

compute.vpnTunnels.get

compute.vpnTunnels.list

compute.zones.*

dataform.locations.*

dataform.repositories.create

dataform.repositories.list

dataproc.autoscalingPolicies.create

dataproc.autoscalingPolicies.delete

dataproc.autoscalingPolicies.get

dataproc.autoscalingPolicies.list

dataproc.autoscalingPolicies.update

dataproc.autoscalingPolicies.use

dataproc.batches.*

dataproc.clusters.create

dataproc.clusters.delete

dataproc.clusters.get

dataproc.clusters.list

dataproc.clusters.start

dataproc.clusters.stop

dataproc.clusters.update

dataproc.clusters.use

dataproc.jobs.cancel

dataproc.jobs.create

dataproc.jobs.delete

dataproc.jobs.get

dataproc.jobs.list

dataproc.jobs.update

dataproc.nodeGroups.*

dataproc.operations.cancel

dataproc.operations.delete

dataproc.operations.get

dataproc.operations.list

dataproc.sessionTemplates.*

dataproc.sessions.*

dataproc.workflowTemplates.create

dataproc.workflowTemplates.delete

dataproc.workflowTemplates.get

dataproc.workflowTemplates.instantiate

dataproc.workflowTemplates.instantiateInline

dataproc.workflowTemplates.list

dataproc.workflowTemplates.update

dns.managedZones.create

dns.managedZones.delete

dns.managedZones.get

dns.managedZones.list

dns.networks.bindPrivateDNSZone

dns.networks.targetWithPeeringZone

firebase.projects.get

monitoring.metricDescriptors.create

monitoring.metricDescriptors.get

monitoring.metricDescriptors.list

monitoring.monitoredResourceDescriptors.*

monitoring.timeSeries.*

networkconnectivity.internalRanges.get

networkconnectivity.internalRanges.list

networkconnectivity.locations.*

networkconnectivity.operations.get

networkconnectivity.operations.list

networkconnectivity.policyBasedRoutes.get

networkconnectivity.policyBasedRoutes.list

networksecurity.addressGroups.get

networksecurity.addressGroups.list

networksecurity.authorizationPolicies.get

networksecurity.authorizationPolicies.list

networksecurity.clientTlsPolicies.get

networksecurity.clientTlsPolicies.list

networksecurity.firewallEndpointAssociations.get

networksecurity.firewallEndpointAssociations.list

networksecurity.firewallEndpoints.get

networksecurity.firewallEndpoints.list

networksecurity.gatewaySecurityPolicies.get

networksecurity.gatewaySecurityPolicies.list

networksecurity.gatewaySecurityPolicyRules.get

networksecurity.gatewaySecurityPolicyRules.list

networksecurity.locations.*

networksecurity.operations.get

networksecurity.operations.list

networksecurity.securityProfileGroups.get

networksecurity.securityProfileGroups.list

networksecurity.securityProfiles.get

networksecurity.securityProfiles.list

networksecurity.serverTlsPolicies.get

networksecurity.serverTlsPolicies.list

networksecurity.tlsInspectionPolicies.get

networksecurity.tlsInspectionPolicies.list

networksecurity.urlLists.get

networksecurity.urlLists.list

networkservices.endpointConfigSelectors.get

networkservices.endpointConfigSelectors.list

networkservices.endpointPolicies.get

networkservices.endpointPolicies.list

networkservices.gateways.get

networkservices.gateways.list

networkservices.grpcRoutes.get

networkservices.grpcRoutes.list

networkservices.httpFilters.get

networkservices.httpFilters.list

networkservices.httpRoutes.get

networkservices.httpRoutes.list

networkservices.httpfilters.get

networkservices.httpfilters.list

networkservices.lbRouteExtensions.get

networkservices.lbRouteExtensions.list

networkservices.lbTrafficExtensions.get

networkservices.lbTrafficExtensions.list

networkservices.locations.*

networkservices.meshes.get

networkservices.meshes.list

networkservices.operations.get

networkservices.operations.list

networkservices.serviceBindings.get

networkservices.serviceBindings.list

networkservices.serviceLbPolicies.get

networkservices.serviceLbPolicies.list

networkservices.tcpRoutes.get

networkservices.tcpRoutes.list

networkservices.tlsRoutes.get

networkservices.tlsRoutes.list

orgpolicy.policy.get

recommender.iamPolicyInsights.*

recommender.iamPolicyRecommendations.*

resourcemanager.projects.get

resourcemanager.projects.list

servicenetworking.services.get

serviceusage.quotas.get

serviceusage.services.get

serviceusage.services.list

spanner.databaseOperations.*

spanner.databases.beginOrRollbackReadWriteTransaction

spanner.databases.beginPartitionedDmlTransaction

spanner.databases.beginReadOnlyTransaction

spanner.databases.getDdl

spanner.databases.list

spanner.databases.partitionQuery

spanner.databases.partitionRead

spanner.databases.read

spanner.databases.select

spanner.databases.updateDdl

spanner.databases.updateTag

spanner.databases.write

spanner.instanceConfigs.get

spanner.instanceConfigs.list

spanner.instances.get

spanner.instances.list

spanner.instances.listEffectiveTags

spanner.instances.listTagBindings

spanner.sessions.*

storage.anywhereCaches.*

storage.bucketOperations.*

storage.buckets.*

storage.managedFolders.*

storage.multipartUploads.*

storage.objects.*

trafficdirector.*

(roles/datalabeling.serviceAgent)

Gives the Data Labeling service account read/write access to Cloud Storage and BigQuery, permission to update CMLE model versions, and editor access to the Annotation service and the AutoML service.

automl.annotationSpecs.*

automl.annotations.*

automl.columnSpecs.*

automl.datasets.create

automl.datasets.delete

automl.datasets.export

automl.datasets.get

automl.datasets.import

automl.datasets.list

automl.datasets.update

automl.examples.*

automl.files.*

automl.humanAnnotationTasks.*

automl.locations.get

automl.locations.list

automl.modelEvaluations.*

automl.models.create

automl.models.delete

automl.models.deploy

automl.models.export

automl.models.get

automl.models.list

automl.models.predict

automl.models.undeploy

automl.operations.*

automl.tableSpecs.*

bigquery.datasets.create

bigquery.datasets.get

bigquery.jobs.create

bigquery.jobs.get

bigquery.tables.create

bigquery.tables.get

bigquery.tables.getData

ml.jobs.create

ml.jobs.get

ml.jobs.getIamPolicy

ml.jobs.list

ml.locations.*

ml.models.*

ml.operations.get

ml.operations.list

ml.projects.getConfig

ml.studies.*

ml.trials.*

ml.versions.*

resourcemanager.projects.get

resourcemanager.projects.list

serviceusage.services.get

serviceusage.services.list

storage.objects.create

storage.objects.delete

storage.objects.get

storage.objects.list

storage.objects.update

(roles/datamigration.serviceAgent)

Gives Cloud Database Migration service account access to Cloud SQL resources.

alloydb.clusters.create

alloydb.clusters.delete

alloydb.clusters.generateClientCertificate

alloydb.clusters.get

alloydb.clusters.list

alloydb.clusters.update

alloydb.instances.connect

alloydb.instances.create

alloydb.instances.delete

alloydb.instances.get

alloydb.instances.list

alloydb.instances.update

alloydb.operations.get

alloydb.operations.list

cloudsql.instances.connect

cloudsql.instances.create

cloudsql.instances.delete

cloudsql.instances.demoteMaster

cloudsql.instances.get

cloudsql.instances.import

cloudsql.instances.list

cloudsql.instances.migrate

cloudsql.instances.promoteReplica

cloudsql.instances.restart

cloudsql.instances.startReplica

cloudsql.instances.stopReplica

cloudsql.instances.update

compute.forwardingRules.use

compute.globalAddresses.create

compute.globalAddresses.createInternal

compute.globalAddresses.delete

compute.globalAddresses.deleteInternal

compute.globalAddresses.get

compute.globalOperations.get

compute.networks.addPeering

compute.networks.get

compute.networks.list

compute.networks.listPeeringRoutes

compute.networks.removePeering

compute.networks.use

compute.regionOperations.get

compute.regionOperations.list

compute.routers.list

compute.routes.get

compute.routes.list

compute.serviceAttachments.get

compute.serviceAttachments.list

compute.serviceAttachments.update

compute.subnetworks.get

compute.subnetworks.list

compute.subnetworks.use

storage.objects.get

storage.objects.list

(roles/datapipelines.serviceAgent)

Gives Datapipelines service permissions to create Dataflow & Cloud Scheduler jobs in the user project.

appengine.applications.get

bigquery.tables.get

bigtable.tables.get

cloudbuild.builds.create

cloudbuild.builds.get

cloudbuild.builds.list

cloudbuild.builds.update

cloudbuild.operations.*

cloudscheduler.*

compute.machineTypes.get

compute.projects.get

compute.regions.list

compute.zones.list

dataflow.jobs.*

dataflow.messages.list

dataflow.metrics.get

dataflow.snapshots.*

firebase.projects.get

iam.serviceAccounts.actAs

iam.serviceAccounts.get

iam.serviceAccounts.list

orgpolicy.policy.get

pubsub.schemas.get

pubsub.topics.get

recommender.dataflowDiagnosticsInsights.*

recommender.iamPolicyInsights.*

recommender.iamPolicyRecommendations.*

remotebuildexecution.blobs.get

resourcemanager.projects.get

resourcemanager.projects.list

serviceusage.services.get

serviceusage.services.list

storage.anywhereCaches.*

storage.bucketOperations.*

storage.buckets.*

storage.managedFolders.*

storage.multipartUploads.*

storage.objects.*

(roles/dataplex.serviceAgent)

Gives the Dataplex service account access to project resources. This access will be used in data discovery, data management and data workload management.

bigquery.bireservations.*

bigquery.capacityCommitments.*

bigquery.config.*

bigquery.connections.*

bigquery.dataPolicies.create

bigquery.dataPolicies.delete

bigquery.dataPolicies.get

bigquery.dataPolicies.getIamPolicy

bigquery.dataPolicies.list

bigquery.dataPolicies.setIamPolicy

bigquery.dataPolicies.update

bigquery.datasets.*

bigquery.jobs.*

bigquery.models.*

bigquery.readsessions.*

bigquery.reservationAssignments.*

bigquery.reservations.*

bigquery.routines.*

bigquery.rowAccessPolicies.create

bigquery.rowAccessPolicies.delete

bigquery.rowAccessPolicies.getIamPolicy

bigquery.rowAccessPolicies.list

bigquery.rowAccessPolicies.overrideTimeTravelRestrictions

bigquery.rowAccessPolicies.setIamPolicy

bigquery.rowAccessPolicies.update

bigquery.savedqueries.*

bigquery.tables.*

bigquery.transfers.*

bigquerymigration.translation.translate

datacatalog.catalogs.searchAll

datacatalog.categories.getIamPolicy

datacatalog.categories.setIamPolicy

datacatalog.entries.get

datacatalog.taxonomies.create

datacatalog.taxonomies.delete

datacatalog.taxonomies.get

datacatalog.taxonomies.list

datacatalog.taxonomies.update

dataform.*

dataplex.assets.getIamPolicy

dataplex.environments.execute

dataplex.environments.get

dataplex.environments.list

dataplex.lakes.get

dataplex.lakes.getIamPolicy

dataplex.zones.getIamPolicy

dataproc.batches.cancel

dataproc.batches.create

dataproc.batches.get

dataproc.operations.cancel

dataproc.operations.get

dataproc.operations.list

firebase.projects.get

iam.serviceAccounts.actAs

logging.logEntries.create

logging.logEntries.route

metastore.services.get

monitoring.metricDescriptors.create

monitoring.metricDescriptors.get

monitoring.metricDescriptors.list

monitoring.monitoredResourceDescriptors.*

monitoring.timeSeries.create

orgpolicy.policy.get

recommender.iamPolicyInsights.*

recommender.iamPolicyRecommendations.*

resourcemanager.projects.get

resourcemanager.projects.list

servicemanagement.services.report

serviceusage.services.use

storage.anywhereCaches.*

storage.bucketOperations.*

storage.buckets.*

storage.managedFolders.*

storage.multipartUploads.*

storage.objects.*

(roles/dataprep.serviceAgent)

Dataprep service identity. Includes access to service accounts.

bigquery.bireservations.get

bigquery.capacityCommitments.get

bigquery.capacityCommitments.list

bigquery.config.get

bigquery.datasets.create

bigquery.datasets.get

bigquery.datasets.getIamPolicy

bigquery.datasets.updateTag

bigquery.jobs.create

bigquery.jobs.list

bigquery.models.*

bigquery.readsessions.*

bigquery.reservationAssignments.list

bigquery.reservationAssignments.search

bigquery.reservations.get

bigquery.reservations.list

bigquery.routines.*

bigquery.savedqueries.get

bigquery.savedqueries.list

bigquery.tables.create

bigquery.tables.createIndex

bigquery.tables.createSnapshot

bigquery.tables.delete

bigquery.tables.deleteIndex

bigquery.tables.export

bigquery.tables.get

bigquery.tables.getData

bigquery.tables.getIamPolicy

bigquery.tables.list

bigquery.tables.replicateData

bigquery.tables.restoreSnapshot

bigquery.tables.update

bigquery.tables.updateData

bigquery.tables.updateTag

bigquery.transfers.get

bigquerymigration.translation.translate

cloudbuild.builds.create

cloudbuild.builds.get

cloudbuild.builds.list

cloudbuild.builds.update

cloudbuild.operations.*

compute.acceleratorTypes.*

compute.addresses.get

compute.addresses.list

compute.autoscalers.get

compute.autoscalers.list

compute.backendBuckets.get

compute.backendBuckets.getIamPolicy

compute.backendBuckets.list

compute.backendBuckets.listEffectiveTags

compute.backendBuckets.listTagBindings

compute.backendServices.get

compute.backendServices.getIamPolicy

compute.backendServices.list

compute.backendServices.listEffectiveTags

compute.backendServices.listTagBindings

compute.commitments.get

compute.commitments.list

compute.diskTypes.*

compute.disks.get

compute.disks.getIamPolicy

compute.disks.list

compute.disks.listEffectiveTags

compute.disks.listTagBindings

compute.externalVpnGateways.get

compute.externalVpnGateways.list

compute.firewallPolicies.get

compute.firewallPolicies.getIamPolicy

compute.firewallPolicies.list

compute.firewallPolicies.listEffectiveTags

compute.firewallPolicies.listTagBindings

compute.firewalls.get

compute.firewalls.list

compute.firewalls.listEffectiveTags

compute.firewalls.listTagBindings

compute.forwardingRules.get

compute.forwardingRules.list

compute.forwardingRules.listEffectiveTags

compute.forwardingRules.listTagBindings

compute.futureReservations.get

compute.futureReservations.getIamPolicy

compute.futureReservations.list

compute.globalAddresses.get

compute.globalAddresses.list

compute.globalForwardingRules.get

compute.globalForwardingRules.list

compute.globalForwardingRules.listEffectiveTags

compute.globalForwardingRules.listTagBindings

compute.globalForwardingRules.pscGet

compute.globalNetworkEndpointGroups.get

compute.globalNetworkEndpointGroups.list

compute.globalNetworkEndpointGroups.listEffectiveTags

compute.globalNetworkEndpointGroups.listTagBindings

compute.globalOperations.get

compute.globalOperations.getIamPolicy

compute.globalOperations.list

compute.globalPublicDelegatedPrefixes.get

compute.globalPublicDelegatedPrefixes.list

compute.healthChecks.get

compute.healthChecks.list

compute.healthChecks.listEffectiveTags

compute.healthChecks.listTagBindings

compute.httpHealthChecks.get

compute.httpHealthChecks.list

compute.httpHealthChecks.listEffectiveTags

compute.httpHealthChecks.listTagBindings

compute.httpsHealthChecks.get

compute.httpsHealthChecks.list

compute.httpsHealthChecks.listEffectiveTags

compute.httpsHealthChecks.listTagBindings

compute.images.get

compute.images.getFromFamily

compute.images.getIamPolicy

compute.images.list

compute.images.listEffectiveTags

compute.images.listTagBindings

compute.instanceGroupManagers.get

compute.instanceGroupManagers.list

compute.instanceGroupManagers.listEffectiveTags

compute.instanceGroupManagers.listTagBindings

compute.instanceGroups.get

compute.instanceGroups.list

compute.instanceSettings.get

compute.instanceTemplates.get

compute.instanceTemplates.getIamPolicy

compute.instanceTemplates.list

compute.instances.get

compute.instances.getEffectiveFirewalls

compute.instances.getGuestAttributes

compute.instances.getIamPolicy

compute.instances.getScreenshot

compute.instances.getSerialPortOutput

compute.instances.getShieldedInstanceIdentity

compute.instances.getShieldedVmIdentity

compute.instances.list

compute.instances.listEffectiveTags

compute.instances.listReferrers

compute.instances.listTagBindings

compute.instantSnapshots.get

compute.instantSnapshots.getIamPolicy

compute.instantSnapshots.list

compute.interconnectAttachments.get

compute.interconnectAttachments.list

compute.interconnectLocations.*

compute.interconnectRemoteLocations.*

compute.interconnects.get

compute.interconnects.list

compute.licenseCodes.get

compute.licenseCodes.getIamPolicy

compute.licenseCodes.list

compute.licenses.get

compute.licenses.getIamPolicy

compute.licenses.list

compute.machineImages.get

compute.machineImages.getIamPolicy

compute.machineImages.list

compute.machineTypes.*

compute.maintenancePolicies.get

compute.maintenancePolicies.getIamPolicy

compute.maintenancePolicies.list

compute.networkAttachments.get

compute.networkAttachments.getIamPolicy

compute.networkAttachments.list

compute.networkEdgeSecurityServices.get

compute.networkEdgeSecurityServices.list

compute.networkEndpointGroups.get

compute.networkEndpointGroups.getIamPolicy

compute.networkEndpointGroups.list

compute.networkEndpointGroups.listEffectiveTags

compute.networkEndpointGroups.listTagBindings

compute.networks.get

compute.networks.getEffectiveFirewalls

compute.networks.getRegionEffectiveFirewalls

compute.networks.list

compute.networks.listEffectiveTags

compute.networks.listPeeringRoutes

compute.networks.listTagBindings

compute.nodeGroups.get

compute.nodeGroups.getIamPolicy

compute.nodeGroups.list

compute.nodeTemplates.get

compute.nodeTemplates.getIamPolicy

compute.nodeTemplates.list

compute.nodeTypes.*

compute.organizations.listAssociations

compute.packetMirrorings.get

compute.packetMirrorings.list

compute.projects.get

compute.publicAdvertisedPrefixes.get

compute.publicAdvertisedPrefixes.list

compute.publicDelegatedPrefixes.get

compute.publicDelegatedPrefixes.list

compute.regionBackendServices.get

compute.regionBackendServices.getIamPolicy

compute.regionBackendServices.list

compute.regionBackendServices.listEffectiveTags

compute.regionBackendServices.listTagBindings

compute.regionFirewallPolicies.get

compute.regionFirewallPolicies.getIamPolicy

compute.regionFirewallPolicies.list

compute.regionFirewallPolicies.listEffectiveTags

compute.regionFirewallPolicies.listTagBindings

compute.regionHealthCheckServices.get

compute.regionHealthCheckServices.list

compute.regionHealthChecks.get

compute.regionHealthChecks.list

compute.regionHealthChecks.listEffectiveTags

compute.regionHealthChecks.listTagBindings

compute.regionNetworkEndpointGroups.get

compute.regionNetworkEndpointGroups.list

compute.regionNetworkEndpointGroups.listEffectiveTags

compute.regionNetworkEndpointGroups.listTagBindings

compute.regionNotificationEndpoints.get

compute.regionNotificationEndpoints.list

compute.regionOperations.get

compute.regionOperations.getIamPolicy

compute.regionOperations.list

compute.regionSecurityPolicies.get

compute.regionSecurityPolicies.list

compute.regionSecurityPolicies.listEffectiveTags

compute.regionSecurityPolicies.listTagBindings

compute.regionSslCertificates.get

compute.regionSslCertificates.list

compute.regionSslCertificates.listEffectiveTags

compute.regionSslCertificates.listTagBindings

compute.regionSslPolicies.get

compute.regionSslPolicies.list

compute.regionSslPolicies.listAvailableFeatures

compute.regionTargetHttpProxies.get

compute.regionTargetHttpProxies.list

compute.regionTargetHttpProxies.listEffectiveTags

compute.regionTargetHttpProxies.listTagBindings

compute.regionTargetHttpsProxies.get

compute.regionTargetHttpsProxies.list

compute.regionTargetHttpsProxies.listEffectiveTags

compute.regionTargetHttpsProxies.listTagBindings

compute.regionTargetTcpProxies.get

compute.regionTargetTcpProxies.list

compute.regionUrlMaps.get

compute.regionUrlMaps.list

compute.regionUrlMaps.listEffectiveTags

compute.regionUrlMaps.listTagBindings

compute.regionUrlMaps.validate

compute.regions.*

compute.reservations.get

compute.reservations.list

compute.resourcePolicies.get

compute.resourcePolicies.getIamPolicy

compute.resourcePolicies.list

compute.routers.get

compute.routers.list

compute.routes.get

compute.routes.list

compute.routes.listEffectiveTags

compute.routes.listTagBindings

compute.securityPolicies.get

compute.securityPolicies.getIamPolicy

compute.securityPolicies.list

compute.securityPolicies.listEffectiveTags

compute.securityPolicies.listTagBindings

compute.serviceAttachments.get

compute.serviceAttachments.getIamPolicy

compute.serviceAttachments.list

compute.snapshotSettings.get

compute.snapshots.get

compute.snapshots.getIamPolicy

compute.snapshots.list

compute.snapshots.listEffectiveTags

compute.snapshots.listTagBindings

compute.sslCertificates.get

compute.sslCertificates.list

compute.sslCertificates.listEffectiveTags

compute.sslCertificates.listTagBindings

compute.sslPolicies.get

compute.sslPolicies.list

compute.sslPolicies.listAvailableFeatures

compute.sslPolicies.listEffectiveTags

compute.sslPolicies.listTagBindings

compute.storagePools.get

compute.storagePools.getIamPolicy

compute.storagePools.list

compute.subnetworks.get

compute.subnetworks.getIamPolicy

compute.subnetworks.list

compute.subnetworks.listEffectiveTags

compute.subnetworks.listTagBindings

compute.targetGrpcProxies.get

compute.targetGrpcProxies.list

compute.targetHttpProxies.get

compute.targetHttpProxies.list

compute.targetHttpProxies.listEffectiveTags

compute.targetHttpProxies.listTagBindings

compute.targetHttpsProxies.get

compute.targetHttpsProxies.list

compute.targetHttpsProxies.listEffectiveTags

compute.targetHttpsProxies.listTagBindings

compute.targetInstances.get

compute.targetInstances.list

compute.targetInstances.listEffectiveTags

compute.targetInstances.listTagBindings

compute.targetPools.get

compute.targetPools.list

compute.targetPools.listEffectiveTags

compute.targetPools.listTagBindings

compute.targetSslProxies.get

compute.targetSslProxies.list

compute.targetSslProxies.listEffectiveTags

compute.targetSslProxies.listTagBindings

compute.targetTcpProxies.get

compute.targetTcpProxies.list

compute.targetTcpProxies.listEffectiveTags

compute.targetTcpProxies.listTagBindings

compute.targetVpnGateways.get

compute.targetVpnGateways.list

compute.urlMaps.get

compute.urlMaps.list

compute.urlMaps.listEffectiveTags

compute.urlMaps.listTagBindings

compute.urlMaps.validate

compute.vpnGateways.get

compute.vpnGateways.list

compute.vpnTunnels.get

compute.vpnTunnels.list

compute.zoneOperations.get

compute.zoneOperations.getIamPolicy

compute.zoneOperations.list

compute.zones.*

dataflow.jobs.*

dataflow.messages.list

dataflow.metrics.get

dataflow.snapshots.*

dataform.locations.*

dataform.repositories.create

dataform.repositories.list

iam.serviceAccounts.actAs

iam.serviceAccounts.get

iam.serviceAccounts.list

orgpolicy.policy.get

recommender.dataflowDiagnosticsInsights.*

remotebuildexecution.blobs.get

resourcemanager.projects.get

resourcemanager.projects.list

serviceusage.quotas.get

serviceusage.services.get

serviceusage.services.list

storage.buckets.get

storage.buckets.list

storage.managedFolders.create

storage.managedFolders.delete

storage.managedFolders.get

storage.managedFolders.list

storage.multipartUploads.*

storage.objects.*

(roles/dataproc.serviceAgent)

Gives Dataproc Service Account access to service accounts, compute resources, storage resources, and Kubernetes resources. Includes access to service accounts.

compute.acceleratorTypes.*

compute.addresses.createInternal

compute.addresses.deleteInternal

compute.addresses.get

compute.addresses.list

compute.addresses.use

compute.addresses.useInternal

compute.autoscalers.*

compute.diskTypes.*

compute.disks.create

compute.disks.createSnapshot

compute.disks.createTagBinding

compute.disks.delete

compute.disks.get

compute.disks.list

compute.disks.resize

compute.disks.setLabels

compute.disks.startAsyncReplication

compute.disks.stopAsyncReplication

compute.disks.stopGroupAsyncReplication

compute.disks.update

compute.disks.use

compute.disks.useReadOnly

compute.firewalls.get

compute.firewalls.list

compute.globalAddresses.get

compute.globalAddresses.list

compute.globalAddresses.use

compute.globalNetworkEndpointGroups.*

compute.globalOperations.get

compute.globalOperations.list

compute.images.get

compute.images.getFromFamily

compute.images.list

compute.images.useReadOnly

compute.instanceGroupManagers.*

compute.instanceGroups.*

compute.instanceSettings.get

compute.instanceTemplates.*

compute.instances.*

compute.licenses.get

compute.licenses.list

compute.machineImages.*

compute.machineTypes.*

compute.networkEndpointGroups.*

compute.networks.get

compute.networks.getEffectiveFirewalls

compute.networks.list

compute.networks.listEffectiveTags

compute.networks.listTagBindings

compute.networks.use

compute.networks.useExternalIp

compute.nodeGroups.get

compute.nodeTypes.get

compute.projects.get

compute.regionNetworkEndpointGroups.*

compute.regionOperations.get

compute.regionOperations.list

compute.regions.*

compute.reservations.get

compute.reservations.list

compute.resourcePolicies.useReadOnly

compute.storagePools.get

compute.storagePools.list

compute.storagePools.use

compute.subnetworks.get

compute.subnetworks.list

compute.subnetworks.listEffectiveTags

compute.subnetworks.listTagBindings

compute.subnetworks.use

compute.subnetworks.useExternalIp

compute.targetPools.get

compute.targetPools.list

compute.targetPools.listEffectiveTags

compute.targetPools.listTagBindings

compute.zoneOperations.get

compute.zoneOperations.list

compute.zones.*

container.clusterRoleBindings.*

container.clusterRoles.*

container.clusters.get

container.clusters.update

container.customResourceDefinitions.create

container.customResourceDefinitions.delete

container.customResourceDefinitions.get

container.customResourceDefinitions.list

container.customResourceDefinitions.update

container.namespaces.create

container.namespaces.delete

container.namespaces.get

container.namespaces.list

container.namespaces.update

container.operations.get

container.roleBindings.*

container.roles.bind

container.roles.escalate

dataproc.autoscalingPolicies.create

dataproc.autoscalingPolicies.delete

dataproc.autoscalingPolicies.get

dataproc.autoscalingPolicies.getIamPolicy

dataproc.autoscalingPolicies.list

dataproc.autoscalingPolicies.update

dataproc.autoscalingPolicies.use

dataproc.clusters.*

dataproc.jobs.*

dataproc.nodeGroups.*

dataproc.operations.cancel

dataproc.sessions.*

firebase.projects.get

iam.serviceAccounts.actAs

iam.serviceAccounts.getAccessToken

metastore.services.get

orgpolicy.policy.get

recommender.iamPolicyInsights.*

recommender.iamPolicyRecommendations.*

resourcemanager.projects.get

resourcemanager.projects.list

serviceusage.quotas.get

serviceusage.services.get

serviceusage.services.list

serviceusage.services.use

storage.anywhereCaches.*

storage.bucketOperations.*

storage.buckets.*

storage.managedFolders.*

storage.multipartUploads.*

storage.objects.*

(roles/datastream.serviceAgent)

Grants Cloud Datastream permissions to write data in the user project.

bigquery.datasets.create

bigquery.datasets.get

bigquery.jobs.create

bigquery.jobs.delete

bigquery.jobs.get

bigquery.jobs.list

bigquery.jobs.update

bigquery.tables.create

bigquery.tables.get

bigquery.tables.getData

bigquery.tables.list

bigquery.tables.update

bigquery.tables.updateData

compute.globalAddresses.create

compute.globalAddresses.createInternal

compute.globalAddresses.delete

compute.globalAddresses.deleteInternal

compute.globalAddresses.get

compute.globalOperations.get

compute.networks.addPeering

compute.networks.get

compute.networks.listPeeringRoutes

compute.networks.removePeering

compute.networks.use

compute.routes.get

compute.routes.list

compute.subnetworks.get

compute.subnetworks.list

pubsub.topics.publish

storage.buckets.get

storage.objects.create

storage.objects.get

storage.objects.list

(roles/datastudio.serviceAgent)

Grants Data Studio Service Account access to manage resources.

bigquery.jobs.create

(roles/dialogflow.serviceAgent)

Gives Dialogflow Service Account access to resources on behalf of the user project for Integrations (Facebook Messenger, Slack, Telephony, etc.), BigQuery, Discovery Engine, and Vertex.

aiplatform.endpoints.get

aiplatform.endpoints.predict

aiplatform.models.get

bigquery.jobs.create

bigquery.tables.get

bigquery.tables.getData

bigquery.tables.updateData

cloudfunctions.functions.invoke

dialogflow.agents.export

dialogflow.agents.get

dialogflow.agents.list

dialogflow.agents.search

dialogflow.agents.searchResources

dialogflow.answerrecords.get

dialogflow.answerrecords.list

dialogflow.callMatchers.list

dialogflow.changelogs.*

dialogflow.contexts.*

dialogflow.conversationDatasets.get

dialogflow.conversationDatasets.list

dialogflow.conversationModels.get

dialogflow.conversationModels.list

dialogflow.conversationProfiles.get

dialogflow.conversationProfiles.list

dialogflow.conversations.*

dialogflow.deployments.*

dialogflow.documents.get

dialogflow.documents.list

dialogflow.encryptionspec.get

dialogflow.entityTypes.get

dialogflow.entityTypes.list

dialogflow.environments.get

dialogflow.environments.list

dialogflow.environments.runContinuousTest

dialogflow.examples.get

dialogflow.examples.list

dialogflow.experiments.get

dialogflow.experiments.list

dialogflow.flows.get

dialogflow.flows.list

dialogflow.fulfillments.get

dialogflow.generators.get

dialogflow.generators.list

dialogflow.integrations.get

dialogflow.integrations.list

dialogflow.intents.get

dialogflow.intents.list

dialogflow.knowledgeBases.get

dialogflow.knowledgeBases.list

dialogflow.messages.list

dialogflow.modelEvaluations.*

dialogflow.operations.get

dialogflow.pages.get

dialogflow.pages.list

dialogflow.participants.*

dialogflow.phoneNumberOrders.get

dialogflow.phoneNumberOrders.list

dialogflow.phoneNumbers.list

dialogflow.playbooks.get

dialogflow.playbooks.list

dialogflow.securitySettings.get

dialogflow.securitySettings.list

dialogflow.sessionEntityTypes.*

dialogflow.sessions.*

dialogflow.smartMessagingEntries.get

dialogflow.smartMessagingEntries.list

dialogflow.testcases.get

dialogflow.testcases.list

dialogflow.tools.get

dialogflow.tools.list

dialogflow.transitionRouteGroups.get

dialogflow.transitionRouteGroups.list

dialogflow.versions.get

dialogflow.versions.list

dialogflow.webhooks.get

dialogflow.webhooks.list

discoveryengine.engines.delete

discoveryengine.engines.get

discoveryengine.servingConfigs.search

dlp.deidentifyTemplates.get

dlp.deidentifyTemplates.list

dlp.inspectTemplates.get

dlp.inspectTemplates.list

logging.logEntries.create

logging.logEntries.route

pubsub.snapshots.seek

pubsub.subscriptions.consume

pubsub.topics.attachSubscription

pubsub.topics.publish

resourcemanager.projects.get

resourcemanager.projects.list

run.jobs.run

run.routes.invoke

serviceusage.services.use

speakerid.phrases.*

speakerid.speakers.*

speech.adaptations.execute

speech.customClasses.get

speech.customClasses.list

speech.phraseSets.get

speech.phraseSets.list

speech.recognizers.get

speech.recognizers.list

storage.managedFolders.get

storage.managedFolders.list

storage.objects.create

storage.objects.get

storage.objects.list

(roles/discoveryengine.serviceAgent)

Discovery Engine service uploads documents and user events from Cloud Storage and BigQuery, reports results to the customer Cloud Storage bucket, writes logs to customer projects using Cloud Logging, and writes and reads metrics for the customer using Cloud Monitoring.

alloydb.instances.get

alloydb.operations.get

bigquery.datasets.create

bigquery.datasets.get

bigquery.jobs.create

bigquery.jobs.get

bigquery.jobs.list

bigquery.jobs.update

bigquery.tables.create

bigquery.tables.export

bigquery.tables.get

bigquery.tables.getData

bigquery.tables.list

bigquery.tables.update

bigquery.tables.updateData

bigtable.tables.readRows

bigtable.tables.sampleRowKeys

cloudsql.databases.get

cloudsql.instances.export

cloudsql.instances.get

datastore.databases.export

datastore.databases.get

datastore.databases.getMetadata

datastore.operations.get

discoveryengine.conversations.converse

discoveryengine.conversations.create

discoveryengine.dataStores.completeQuery

discoveryengine.servingConfigs.search

discoveryengine.userEvents.create

logging.logEntries.create

monitoring.metricDescriptors.create

monitoring.metricDescriptors.get

monitoring.metricDescriptors.list

monitoring.monitoredResourceDescriptors.*

monitoring.timeSeries.*

spanner.databases.beginReadOnlyTransaction

spanner.databases.partitionQuery

spanner.databases.select

spanner.sessions.create

storage.buckets.create

storage.buckets.get

storage.objects.create

storage.objects.delete

storage.objects.get

storage.objects.list

storage.objects.update

(roles/dlp.serviceAgent)

Gives the Cloud DLP API service agent permissions for BigQuery, Cloud Storage, Datastore, Pub/Sub, and Cloud KMS.

appengine.applications.get

bigquery.config.get

bigquery.dataPolicies.create

bigquery.dataPolicies.delete

bigquery.dataPolicies.get

bigquery.dataPolicies.getIamPolicy

bigquery.dataPolicies.list

bigquery.dataPolicies.setIamPolicy

bigquery.dataPolicies.update

bigquery.datasets.*

bigquery.jobs.create

bigquery.jobs.get

bigquery.jobs.update

bigquery.models.*

bigquery.readsessions.*

bigquery.routines.*

bigquery.rowAccessPolicies.create

bigquery.rowAccessPolicies.delete

bigquery.rowAccessPolicies.getIamPolicy

bigquery.rowAccessPolicies.list

bigquery.rowAccessPolicies.setIamPolicy

bigquery.rowAccessPolicies.update

bigquery.tables.*

cloudasset.assets.analyzeIamPolicy

cloudasset.assets.exportResource

cloudkms.cryptoKeyVersions.useToDecrypt

cloudkms.locations.get

cloudkms.locations.list

datacatalog.categories.fineGrainedGet

datacatalog.tagTemplates.*

dataform.locations.*

dataform.repositories.create

dataform.repositories.list

datastore.databases.get

datastore.databases.getMetadata

datastore.databases.list

datastore.entities.*

datastore.indexes.list

datastore.namespaces.*

datastore.statistics.*

dlp.analyzeRiskTemplates.get

dlp.analyzeRiskTemplates.list

dlp.deidentifyTemplates.get

dlp.deidentifyTemplates.list

dlp.inspectTemplates.get

dlp.inspectTemplates.list

dlp.jobs.*

dlp.kms.encrypt

firebase.projects.get

orgpolicy.policy.get

pubsub.*

recommender.iamPolicyInsights.*

recommender.iamPolicyRecommendations.*

resourcemanager.projects.get

resourcemanager.projects.list

serviceusage.quotas.get

serviceusage.services.get

serviceusage.services.list

serviceusage.services.use

storage.anywhereCaches.*

storage.bucketOperations.*

storage.buckets.*

storage.managedFolders.*

storage.multipartUploads.*

storage.objects.*

(roles/documentaicore.serviceAgent)

Gives DocumentAI Core Service Account access to consumer resources.

automl.models.predict

documentai.humanReviewConfigs.review

storage.buckets.get

storage.objects.create

storage.objects.delete

storage.objects.get

storage.objects.list

storage.objects.update

(roles/edgecontainer.clusterServiceAgent)

Grants the Edge Container Cluster Service Account access to manage resources.

gkehub.endpoints.connect

gkehub.features.create

gkehub.features.get

gkehub.features.list

gkehub.features.update

gkehub.fleet.create

gkehub.fleet.delete

gkehub.fleet.get

gkehub.locations.*

gkehub.memberships.create

gkehub.memberships.delete

gkehub.memberships.generateConnectManifest

gkehub.memberships.get

gkehub.memberships.list

gkehub.memberships.update

gkehub.operations.*

logging.logEntries.create

monitoring.dashboards.*

monitoring.metricDescriptors.create

monitoring.metricDescriptors.get

monitoring.metricDescriptors.list

monitoring.monitoredResourceDescriptors.*

monitoring.notificationChannelDescriptors.*

monitoring.notificationChannels.get

monitoring.notificationChannels.list

monitoring.publicWidgets.get

monitoring.publicWidgets.list

monitoring.services.get

monitoring.services.list

monitoring.slos.get

monitoring.slos.list

monitoring.snoozes.get

monitoring.snoozes.list

monitoring.timeSeries.*

monitoring.uptimeCheckConfigs.get

opsconfigmonitoring.resourceMetadata.write

resourcemanager.projects.get

resourcemanager.projects.list

serviceusage.operations.get

serviceusage.operations.list

serviceusage.quotas.get

serviceusage.services.get

serviceusage.services.list

stackdriver.resourceMetadata.write

storage.buckets.create

storage.buckets.get

storage.buckets.list

storage.buckets.update

storage.objects.create

storage.objects.delete

storage.objects.get

storage.objects.list

storage.objects.update

(roles/edgecontainer.serviceAgent)

Grants the Edge Container Service Account access to manage resources.

compute.externalVpnGateways.create

compute.externalVpnGateways.delete

compute.externalVpnGateways.get

compute.externalVpnGateways.use

compute.globalOperations.get

compute.networks.get

compute.networks.updatePolicy

compute.regionOperations.get

compute.routers.*

compute.vpnGateways.create

compute.vpnGateways.delete

compute.vpnGateways.get

compute.vpnGateways.use

compute.vpnTunnels.create

compute.vpnTunnels.delete

compute.vpnTunnels.get

gkehub.memberships.create

gkehub.memberships.delete

gkehub.memberships.generateConnectManifest

gkehub.memberships.get

gkehub.memberships.update

gkehub.operations.cancel

gkehub.operations.get

(roles/endpoints.serviceAgent)

Gives the Cloud Endpoints service account access to Endpoints services and the ability to act as a service controller.

servicemanagement.services.check

servicemanagement.services.get

servicemanagement.services.quota

servicemanagement.services.report

(roles/endpointsportal.serviceAgent)

Can access information about Endpoints services for consumer portal management, and can read Source Repositories for consumer portal custom content.

servicemanagement.services.get

servicemanagement.services.list

source.repos.get

(roles/enterpriseknowledgegraph.serviceAgent)

Gives Enterprise Knowledge Graph Service Account access to consumer resources.

bigquery.config.get

bigquery.datasets.create

bigquery.datasets.get

bigquery.jobs.create

bigquery.readsessions.create

bigquery.readsessions.getData

bigquery.tables.create

bigquery.tables.get

bigquery.tables.getData

bigquery.tables.list

bigquery.tables.update

bigquery.tables.updateData

dataform.locations.*

dataform.repositories.create

dataform.repositories.list

resourcemanager.projects.get

resourcemanager.projects.list

storage.objects.get

storage.objects.list

(roles/eventarc.serviceAgent)

Gives Eventarc service account access to managed resources.

cloudfunctions.functions.get

compute.instanceGroupManagers.get

compute.networkAttachments.get

compute.networkAttachments.update

compute.regionOperations.get

container.clusters.get

container.deployments.create

container.deployments.delete

container.deployments.get

container.deployments.list

container.deployments.update

container.namespaces.create

container.namespaces.delete

container.namespaces.get

container.namespaces.list

container.serviceAccounts.create

container.serviceAccounts.delete

container.serviceAccounts.get

container.serviceAccounts.list

container.services.get

container.services.list

dns.networks.targetWithPeeringZone

eventarc.channels.publish

iam.serviceAccounts.actAs

iam.serviceAccounts.getAccessToken

iam.serviceAccounts.getOpenIdToken

monitoring.timeSeries.create

pubsub.subscriptions.consume

pubsub.subscriptions.create

pubsub.subscriptions.delete

pubsub.subscriptions.get

pubsub.subscriptions.list

pubsub.subscriptions.update

pubsub.topics.attachSubscription

pubsub.topics.create

pubsub.topics.delete

pubsub.topics.get

pubsub.topics.list

pubsub.topics.publish

pubsub.topics.update

run.jobs.get

run.services.get

serviceusage.services.use

storage.buckets.get

storage.buckets.update

workflows.workflows.get

(roles/file.serviceAgent)

Gives Cloud Filestore service account access to managed resources.

compute.globalOperations.get

compute.networks.addPeering

compute.networks.get

compute.networks.removePeering

compute.networks.update

compute.networks.updatePeering

compute.routes.list

monitoring.metricDescriptors.create

monitoring.metricDescriptors.get

monitoring.metricDescriptors.list

monitoring.monitoredResourceDescriptors.*

monitoring.timeSeries.create

resourcemanager.projects.get

resourcemanager.projects.list

(roles/firebase.appDistributionSdkServiceAgent)

Read and write access to Firebase App Distribution with the Admin SDK

firebaseappdistro.*

(roles/firebase.managementServiceAgent)

Access to create new service agents for Firebase projects; assign roles to service agents; provision GCP resources as required by Firebase services.

apikeys.keys.create

apikeys.keys.get

apikeys.keys.list

apikeys.keys.update

appengine.applications.create

appengine.applications.get

appengine.applications.update

appengine.operations.get

appengine.services.list

bigquery.datasets.create

bigquery.datasets.get

bigquery.datasets.update

bigquery.transfers.*

clientauthconfig.brands.create

clientauthconfig.brands.update

clientauthconfig.clients.create

clientauthconfig.clients.getWithSecret

clientauthconfig.clients.list

clientauthconfig.clients.update

firebase.clients.create

firebase.clients.delete

firebase.clients.get

firebase.clients.undelete

firebase.projects.*

firebaseabt.experiments.delete

firebaseauth.configs.create

firebaseauth.configs.get

firebaseauth.configs.update

firebaserules.releases.create

firebaserules.releases.delete

firebaserules.releases.get

firebaserules.rulesets.create

firebasestorage.defaultBucket.get

iam.roles.get

iam.serviceAccounts.create

iam.serviceAccounts.get

iam.serviceAccounts.list

resourcemanager.organizations.get

resourcemanager.projects.get

resourcemanager.projects.getIamPolicy

resourcemanager.projects.setIamPolicy

resourcemanager.projects.update

servicemanagement.services.bind

serviceusage.services.enable

serviceusage.services.get

serviceusage.services.use

storage.buckets.create

storage.buckets.get

storage.buckets.getIamPolicy

storage.buckets.list

storage.buckets.setIamPolicy

(roles/firebasedatabase.serviceAgent)

Access to publish triggers

pubsub.topics.publish

serviceusage.services.use

(roles/firebaserules.firestoreServiceAgent)

Grants Firebase Security Rules access to Firestore for providing cross-service Rules.

datastore.entities.get

(roles/firebasestorage.serviceAgent)

Access to Cloud Storage for Firebase through API and SDK.

storage.buckets.get

storage.buckets.getIamPolicy

storage.objects.create

storage.objects.delete

storage.objects.get

storage.objects.getIamPolicy

storage.objects.list

storage.objects.update

(roles/firestore.serviceAgent)

Gives Firestore service account access to managed resources.

storage.buckets.get

storage.objects.create

storage.objects.delete

storage.objects.get

storage.objects.list

(roles/firewallinsights.serviceAgent)

Gives Cloud Firewall Insights service agent permissions to retrieve Firewall, VM and route resources on the user's behalf.

compute.backendServices.list

compute.firewalls.get

compute.firewalls.list

compute.forwardingRules.list

compute.healthChecks.list

compute.httpHealthChecks.list

compute.httpsHealthChecks.list

compute.instanceGroups.list

compute.instances.get

compute.instances.list

compute.networks.getEffectiveFirewalls

compute.networks.list

compute.projects.get

compute.regionTargetTcpProxies.list

compute.routers.list

compute.routes.get

compute.routes.list

compute.subnetworks.list

compute.targetHttpProxies.list

compute.targetHttpsProxies.list

compute.targetPools.list

compute.targetSslProxies.list

compute.targetTcpProxies.list

compute.targetVpnGateways.list

compute.urlMaps.list

compute.vpnGateways.list

compute.vpnTunnels.list

(roles/fleetengine.serviceAgent)

Grants the FleetEngine Service Account access to manage resources.

bigquery.config.get

bigquery.datasets.get

bigquery.jobs.create

bigquery.tables.getData

dataform.locations.*

dataform.repositories.create

dataform.repositories.list

resourcemanager.projects.get

resourcemanager.projects.list

(roles/gameservices.serviceAgent)

Gives Game Services Service Account access to GCP resources.

container.apiServices.*

container.auditSinks.*

container.backendConfigs.*

container.bindings.*

container.certificateSigningRequests.create

container.certificateSigningRequests.delete

container.certificateSigningRequests.get

container.certificateSigningRequests.list

container.certificateSigningRequests.update

container.certificateSigningRequests.updateStatus

container.clusterRoleBindings.create

container.clusterRoleBindings.get

container.clusterRoleBindings.list

container.clusterRoleBindings.update

container.clusterRoles.bind

container.clusterRoles.create

container.clusterRoles.escalate

container.clusterRoles.get

container.clusterRoles.list

container.clusterRoles.update

container.clusters.create

container.clusters.delete

container.clusters.get

container.clusters.list

container.clusters.update

container.componentStatuses.*

container.configMaps.*

container.controllerRevisions.get

container.controllerRevisions.list

container.cronJobs.*

container.csiDrivers.*

container.csiNodeInfos.*

container.csiNodes.*

container.customResourceDefinitions.*

container.daemonSets.*

container.deployments.*

container.endpointSlices.*

container.endpoints.*

container.events.*

container.frontendConfigs.*

container.horizontalPodAutoscalers.*

container.ingresses.*

container.initializerConfigurations.*

container.jobs.*

container.leases.*

container.limitRanges.*

container.localSubjectAccessReviews.*

container.managedCertificates.*

container.mutatingWebhookConfigurations.*

container.namespaces.*

container.networkPolicies.*

container.nodes.*

container.operations.*

container.persistentVolumeClaims.*

container.persistentVolumes.*

container.petSets.*

container.podDisruptionBudgets.*

container.podPresets.*

container.podSecurityPolicies.get

container.podSecurityPolicies.list

container.podTemplates.*

container.pods.*

container.priorityClasses.*

container.replicaSets.*

container.replicationControllers.*

container.resourceQuotas.*

container.roleBindings.create

container.roleBindings.get

container.roleBindings.list

container.roles.bind

container.roles.create

container.roles.escalate

container.roles.get

container.roles.list

container.runtimeClasses.*

container.scheduledJobs.*

container.secrets.*

container.selfSubjectAccessReviews.*

container.selfSubjectRulesReviews.create

container.serviceAccounts.*

container.services.*

container.statefulSets.*

container.storageClasses.*

container.storageStates.*

container.storageVersionMigrations.*

container.subjectAccessReviews.*

container.thirdPartyObjects.*

container.thirdPartyResources.*

container.tokenReviews.create

container.updateInfos.*

container.validatingWebhookConfigurations.*

container.volumeAttachments.*

container.volumeSnapshotClasses.*

container.volumeSnapshotContents.*

container.volumeSnapshots.*

gkehub.features.get

gkehub.features.getIamPolicy

gkehub.features.list

gkehub.fleet.get

gkehub.fleet.getFreeTrial

gkehub.locations.*

gkehub.membershipbindings.get

gkehub.membershipbindings.list

gkehub.memberships.generateConnectManifest

gkehub.memberships.get

gkehub.memberships.getIamPolicy

gkehub.memberships.list

gkehub.namespaces.get

gkehub.namespaces.list

gkehub.operations.get

gkehub.operations.list

gkehub.rbacrolebindings.get

gkehub.rbacrolebindings.list

gkehub.scopes.get

gkehub.scopes.list

gkehub.scopes.listBoundMemberships

iam.serviceAccounts.actAs

recommender.containerDiagnosisInsights.*

recommender.containerDiagnosisRecommendations.*

recommender.locations.*

recommender.networkAnalyzerGkeConnectivityInsights.*

recommender.networkAnalyzerGkeIpAddressInsights.*

resourcemanager.projects.get

resourcemanager.projects.list

(roles/genomics.serviceAgent)

Gives Genomics Service Account access to compute resources. Includes access to service accounts.

compute.acceleratorTypes.*

compute.addresses.createInternal

compute.addresses.deleteInternal

compute.addresses.get

compute.addresses.list

compute.addresses.use

compute.addresses.useInternal

compute.autoscalers.*

compute.backendBuckets.get

compute.backendBuckets.list

compute.backendBuckets.listEffectiveTags

compute.backendBuckets.listTagBindings

compute.backendServices.get

compute.backendServices.list

compute.backendServices.listEffectiveTags

compute.backendServices.listTagBindings

compute.diskTypes.*

compute.disks.*

compute.externalVpnGateways.get

compute.externalVpnGateways.list

compute.firewalls.get

compute.firewalls.list

compute.firewalls.listEffectiveTags

compute.firewalls.listTagBindings

compute.forwardingRules.get

compute.forwardingRules.list

compute.forwardingRules.listEffectiveTags

compute.forwardingRules.listTagBindings

compute.globalAddresses.get

compute.globalAddresses.list

compute.globalAddresses.use

compute.globalForwardingRules.get

compute.globalForwardingRules.list

compute.globalForwardingRules.listEffectiveTags

compute.globalForwardingRules.listTagBindings

compute.globalForwardingRules.pscGet

compute.globalNetworkEndpointGroups.*

compute.globalOperations.get

compute.globalOperations.list

compute.healthChecks.get

compute.healthChecks.list

compute.healthChecks.listEffectiveTags

compute.healthChecks.listTagBindings

compute.httpHealthChecks.get

compute.httpHealthChecks.list

compute.httpHealthChecks.listEffectiveTags

compute.httpHealthChecks.listTagBindings

compute.httpsHealthChecks.get

compute.httpsHealthChecks.list

compute.httpsHealthChecks.listEffectiveTags

compute.httpsHealthChecks.listTagBindings

compute.images.*

compute.instanceGroupManagers.*

compute.instanceGroups.*

compute.instanceSettings.*

compute.instanceTemplates.*

compute.instances.*

compute.instantSnapshots.*

compute.interconnectAttachments.get

compute.interconnectAttachments.list

compute.interconnectLocations.*

compute.interconnectRemoteLocations.*

compute.interconnects.get

compute.interconnects.list

compute.licenseCodes.*

compute.licenses.*

compute.machineImages.*

compute.machineTypes.*

compute.networkAttachments.get

compute.networkAttachments.list

compute.networkEndpointGroups.*

compute.networks.get

compute.networks.list

compute.networks.listEffectiveTags

compute.networks.listTagBindings

compute.networks.use

compute.networks.useExternalIp

compute.projects.get

compute.projects.setCommonInstanceMetadata

compute.regionBackendServices.get

compute.regionBackendServices.list

compute.regionBackendServices.listEffectiveTags

compute.regionBackendServices.listTagBindings

compute.regionHealthCheckServices.get

compute.regionHealthCheckServices.list

compute.regionHealthChecks.get

compute.regionHealthChecks.list

compute.regionHealthChecks.listEffectiveTags

compute.regionHealthChecks.listTagBindings

compute.regionNetworkEndpointGroups.*

compute.regionNotificationEndpoints.get

compute.regionNotificationEndpoints.list

compute.regionOperations.get

compute.regionOperations.list

compute.regionSslCertificates.get

compute.regionSslCertificates.list

compute.regionSslCertificates.listEffectiveTags

compute.regionSslCertificates.listTagBindings

compute.regionSslPolicies.get

compute.regionSslPolicies.list

compute.regionSslPolicies.listAvailableFeatures

compute.regionTargetHttpProxies.get

compute.regionTargetHttpProxies.list

compute.regionTargetHttpProxies.listEffectiveTags

compute.regionTargetHttpProxies.listTagBindings

compute.regionTargetHttpsProxies.get

compute.regionTargetHttpsProxies.list

compute.regionTargetHttpsProxies.listEffectiveTags

compute.regionTargetHttpsProxies.listTagBindings

compute.regionTargetTcpProxies.get

compute.regionTargetTcpProxies.list

compute.regionUrlMaps.get

compute.regionUrlMaps.list

compute.regionUrlMaps.listEffectiveTags

compute.regionUrlMaps.listTagBindings

compute.regions.*

compute.reservations.get

compute.reservations.list

compute.resourcePolicies.*

compute.routers.get

compute.routers.list

compute.routes.get

compute.routes.list

compute.routes.listEffectiveTags

compute.routes.listTagBindings

compute.serviceAttachments.get

compute.serviceAttachments.list

compute.snapshots.*

compute.sslCertificates.get

compute.sslCertificates.list

compute.sslCertificates.listEffectiveTags

compute.sslCertificates.listTagBindings

compute.sslPolicies.get

compute.sslPolicies.list

compute.sslPolicies.listAvailableFeatures

compute.sslPolicies.listEffectiveTags

compute.sslPolicies.listTagBindings

compute.storagePools.get

compute.storagePools.list

compute.storagePools.use

compute.subnetworks.get

compute.subnetworks.list

compute.subnetworks.listEffectiveTags

compute.subnetworks.listTagBindings

compute.subnetworks.use

compute.subnetworks.useExternalIp

compute.targetGrpcProxies.get

compute.targetGrpcProxies.list

compute.targetHttpProxies.get

compute.targetHttpProxies.list

compute.targetHttpProxies.listEffectiveTags

compute.targetHttpProxies.listTagBindings

compute.targetHttpsProxies.get

compute.targetHttpsProxies.list

compute.targetHttpsProxies.listEffectiveTags

compute.targetHttpsProxies.listTagBindings

compute.targetInstances.get

compute.targetInstances.list

compute.targetInstances.listEffectiveTags

compute.targetInstances.listTagBindings

compute.targetPools.get

compute.targetPools.list

compute.targetPools.listEffectiveTags

compute.targetPools.listTagBindings

compute.targetSslProxies.get

compute.targetSslProxies.list

compute.targetSslProxies.listEffectiveTags

compute.targetSslProxies.listTagBindings

compute.targetTcpProxies.get

compute.targetTcpProxies.list

compute.targetTcpProxies.listEffectiveTags

compute.targetTcpProxies.listTagBindings

compute.targetVpnGateways.get

compute.targetVpnGateways.list

compute.urlMaps.get

compute.urlMaps.list

compute.urlMaps.listEffectiveTags

compute.urlMaps.listTagBindings

compute.vpnGateways.get

compute.vpnGateways.list

compute.vpnTunnels.get

compute.vpnTunnels.list

compute.zoneOperations.get

compute.zoneOperations.list

compute.zones.*

iam.serviceAccounts.actAs

pubsub.topics.publish

resourcemanager.projects.get

resourcemanager.projects.list

serviceusage.quotas.get

serviceusage.services.get

serviceusage.services.list

serviceusage.services.use

(roles/gkebackup.serviceAgent)

Grants the Backup for GKE Service Account access to managed resources.

compute.disks.create

compute.disks.createSnapshot

compute.disks.get

compute.disks.list

compute.disks.setLabels

compute.disks.useReadOnly

compute.globalOperations.get

compute.regionOperations.get

compute.snapshots.delete

compute.snapshots.get

compute.zoneOperations.get

container.apiServices.*

container.auditSinks.*

container.backendConfigs.*

container.bindings.*

container.certificateSigningRequests.create

container.certificateSigningRequests.delete

container.certificateSigningRequests.get

container.certificateSigningRequests.list

container.certificateSigningRequests.update

container.certificateSigningRequests.updateStatus

container.clusterRoleBindings.get

container.clusterRoleBindings.list

container.clusterRoles.get

container.clusterRoles.list

container.clusters.get

container.clusters.list

container.clusters.update

container.componentStatuses.*

container.configMaps.*

container.controllerRevisions.get

container.controllerRevisions.list

container.cronJobs.*

container.csiDrivers.*

container.csiNodeInfos.*

container.csiNodes.*

container.customResourceDefinitions.*

container.daemonSets.*

container.deployments.*

container.endpointSlices.*

container.endpoints.*

container.events.*

container.frontendConfigs.*

container.horizontalPodAutoscalers.*

container.ingresses.*

container.initializerConfigurations.*

container.jobs.*

container.leases.*

container.limitRanges.*

container.localSubjectAccessReviews.*

container.managedCertificates.*

container.mutatingWebhookConfigurations.get

container.mutatingWebhookConfigurations.list

container.namespaces.*

container.networkPolicies.*

container.nodes.*

container.operations.*

container.persistentVolumeClaims.*

container.persistentVolumes.*

container.petSets.*

container.podDisruptionBudgets.*

container.podPresets.*

container.podSecurityPolicies.get

container.podSecurityPolicies.list

container.podTemplates.*

container.pods.*

container.priorityClasses.*

container.replicaSets.*

container.replicationControllers.*

container.resourceQuotas.*

container.roleBindings.get

container.roleBindings.list

container.roles.get

container.roles.list

container.runtimeClasses.*

container.scheduledJobs.*

container.secrets.*

container.selfSubjectAccessReviews.*

container.selfSubjectRulesReviews.create

container.serviceAccounts.*

container.services.*

container.statefulSets.*

container.storageClasses.*

container.storageStates.*

container.storageVersionMigrations.*

container.subjectAccessReviews.*

container.thirdPartyObjects.*

container.thirdPartyResources.*

container.tokenReviews.create

container.updateInfos.*

container.validatingWebhookConfigurations.get

container.validatingWebhookConfigurations.list

container.volumeAttachments.*

container.volumeSnapshotClasses.*

container.volumeSnapshotContents.*

container.volumeSnapshots.*

gkebackup.operations.get

recommender.containerDiagnosisInsights.*

recommender.containerDiagnosisRecommendations.*

recommender.locations.*

recommender.networkAnalyzerGkeConnectivityInsights.*

recommender.networkAnalyzerGkeIpAddressInsights.*

resourcemanager.projects.get

resourcemanager.projects.list

resourcemanager.projects.updateLiens

(roles/gkedataplanemanagement.warpRunServiceAgent)

Gives the Warp Run service agent access to Cloud Platform resources.

resourcemanager.projects.get

resourcemanager.projects.list

(roles/gkehub.crossProjectServiceAgent)

Gives the GKE Hub service agent permission to manage the project for cross-project fleet registration.

resourcemanager.projects.getIamPolicy

resourcemanager.projects.setIamPolicy

(roles/gkehub.serviceAgent)

Gives the GKE Hub service agent access to Cloud Platform resources.

container.clusterRoleBindings.*

container.clusterRoles.*

container.clusters.get

container.clusters.update

container.customResourceDefinitions.create

container.customResourceDefinitions.delete

container.customResourceDefinitions.get

container.customResourceDefinitions.list

container.customResourceDefinitions.update

container.namespaces.get

container.operations.get

container.thirdPartyObjects.*

gkehub.features.create

gkehub.features.get

gkehub.features.list

gkehub.fleet.create

gkehub.fleet.get

gkehub.locations.*

gkehub.memberships.create

gkehub.memberships.generateConnectManifest

gkehub.memberships.get

gkehub.memberships.list

gkehub.operations.get

gkemulticloud.awsClusters.get

gkemulticloud.azureClusters.get

gkeonprem.bareMetalClusters.get

gkeonprem.vmwareClusters.get

logging.buckets.create

logging.buckets.get

logging.buckets.list

logging.buckets.update

logging.exclusions.*

logging.sinks.*

logging.views.create

logging.views.get

logging.views.list

logging.views.update

monitoring.metricsScopes.link

resourcemanager.projects.get

resourcemanager.projects.list

serviceusage.services.get

serviceusage.services.list

(roles/gkemulticloud.containerServiceAgent)

Grants the Anthos Multi-Cloud Container Service Account access to manage resources.

binaryauthorization.platformPolicies.evaluatePolicy

binaryauthorization.platformPolicies.get

binaryauthorization.platformPolicies.list

binaryauthorization.policy.evaluatePolicy

binaryauthorization.policy.get

cloudnotifications.activities.list

kubernetesmetadata.*

logging.logEntries.create

logging.logEntries.route

monitoring.alertPolicies.get

monitoring.alertPolicies.list

monitoring.dashboards.get

monitoring.dashboards.list

monitoring.groups.get

monitoring.groups.list

monitoring.metricDescriptors.create

monitoring.metricDescriptors.get

monitoring.metricDescriptors.list

monitoring.monitoredResourceDescriptors.*

monitoring.notificationChannelDescriptors.*

monitoring.notificationChannels.get

monitoring.notificationChannels.list

monitoring.publicWidgets.get

monitoring.publicWidgets.list

monitoring.services.get

monitoring.services.list

monitoring.slos.get

monitoring.slos.list

monitoring.snoozes.get

monitoring.snoozes.list

monitoring.timeSeries.*

monitoring.uptimeCheckConfigs.get

monitoring.uptimeCheckConfigs.list

opsconfigmonitoring.*

resourcemanager.projects.get

resourcemanager.projects.list

serviceusage.services.use

stackdriver.projects.get

stackdriver.resourceMetadata.list

(roles/gkemulticloud.controlPlaneMachineServiceAgent)

Grants the Anthos Multi-Cloud Control Plane Machine Service Account access to manage resources.

artifactregistry.dockerimages.get

artifactregistry.repositories.downloadArtifacts

artifactregistry.repositories.get

serviceusage.services.use

(roles/gkemulticloud.nodePoolMachineServiceAgent)

Grants the Anthos Multi-Cloud Node Pool Machine Service Account access to manage resources.

artifactregistry.dockerimages.get

artifactregistry.repositories.downloadArtifacts

artifactregistry.repositories.get

serviceusage.services.use

(roles/gkemulticloud.serviceAgent)

Grants the Anthos Multi-Cloud Service Account access to manage resources.

gkehub.features.*

gkehub.fleet.*

gkehub.locations.*

gkehub.membershipbindings.*

gkehub.memberships.*

gkehub.namespaces.*

gkehub.operations.*

gkehub.rbacrolebindings.*

gkehub.scopes.create

gkehub.scopes.delete

gkehub.scopes.get

gkehub.scopes.getIamPolicy

gkehub.scopes.list

gkehub.scopes.listBoundMemberships

gkehub.scopes.update

gkemulticloud.awsClusters.delete

gkemulticloud.awsNodePools.delete

gkemulticloud.azureClients.delete

gkemulticloud.azureClusters.delete

gkemulticloud.azureNodePools.delete

resourcemanager.projects.get

resourcemanager.projects.list

(roles/gkeonprem.serviceAgent)

Gives the GKE On-Prem service agent access to Cloud Platform resources.

gkehub.memberships.delete

gkehub.memberships.get

gkehub.memberships.update

gkeonprem.bareMetalAdminClusters.connect

gkeonprem.bareMetalAdminClusters.enroll

gkeonprem.bareMetalAdminClusters.get

gkeonprem.bareMetalAdminClusters.unenroll

gkeonprem.bareMetalClusters.enroll

gkeonprem.bareMetalClusters.get

gkeonprem.bareMetalClusters.unenroll

gkeonprem.bareMetalNodePools.enroll

gkeonprem.bareMetalNodePools.get

gkeonprem.bareMetalNodePools.unenroll

gkeonprem.operations.get

gkeonprem.operations.list

gkeonprem.vmwareAdminClusters.connect

gkeonprem.vmwareAdminClusters.enroll

gkeonprem.vmwareAdminClusters.get

gkeonprem.vmwareAdminClusters.unenroll

gkeonprem.vmwareClusters.enroll

gkeonprem.vmwareClusters.get

gkeonprem.vmwareClusters.unenroll

gkeonprem.vmwareNodePools.enroll

gkeonprem.vmwareNodePools.get

gkeonprem.vmwareNodePools.unenroll

(roles/healthcare.serviceAgent)

Gives the Healthcare Service Account access to networks, Kubernetes engine, and pubsub resources.

cloudnotifications.activities.list

monitoring.alertPolicies.get

monitoring.alertPolicies.list

monitoring.dashboards.get

monitoring.dashboards.list

monitoring.groups.get

monitoring.groups.list

monitoring.metricDescriptors.create

monitoring.metricDescriptors.get

monitoring.metricDescriptors.list

monitoring.monitoredResourceDescriptors.*

monitoring.notificationChannelDescriptors.*

monitoring.notificationChannels.get

monitoring.notificationChannels.list

monitoring.publicWidgets.get

monitoring.publicWidgets.list

monitoring.services.get

monitoring.services.list

monitoring.slos.get

monitoring.slos.list

monitoring.snoozes.get

monitoring.snoozes.list

monitoring.timeSeries.*

monitoring.uptimeCheckConfigs.get

monitoring.uptimeCheckConfigs.list

opsconfigmonitoring.resourceMetadata.list

pubsub.snapshots.seek

pubsub.subscriptions.consume

pubsub.topics.attachSubscription

pubsub.topics.publish

resourcemanager.projects.get

resourcemanager.projects.list

stackdriver.projects.get

stackdriver.resourceMetadata.list

(roles/identitytoolkit.serviceAgent)

Gives Identity Platform service account access to customer project resources.

recaptchaenterprise.assessments.create

recaptchaenterprise.keys.create

recaptchaenterprise.keys.delete

recaptchaenterprise.keys.get

(roles/integrations.serviceAgent)

Service agent that grants access to execute an integration.

cloudfunctions.functions.invoke

cloudscheduler.jobs.create

cloudscheduler.jobs.delete

cloudscheduler.jobs.enable

cloudscheduler.jobs.fullView

cloudscheduler.jobs.get

cloudscheduler.jobs.pause

cloudscheduler.jobs.run

cloudscheduler.jobs.update

cloudscheduler.locations.*

connectors.actions.*

connectors.connections.executeSqlQuery

connectors.connections.get

connectors.entities.*

connectors.entityTypes.list

iam.serviceAccounts.getAccessToken

iam.serviceAccounts.getOpenIdToken

integrations.apigeeAuthConfigs.*

integrations.apigeeCertificates.*

integrations.apigeeExecutions.list

integrations.apigeeIntegrationVers.*

integrations.apigeeIntegrations.*

integrations.apigeeSfdcChannels.*

integrations.apigeeSfdcInstances.*

integrations.apigeeSuspensions.*

integrations.authConfigs.*

integrations.certificates.*

integrations.executions.list

integrations.integrationVersions.create

integrations.integrationVersions.delete

integrations.integrationVersions.deploy

integrations.integrationVersions.get

integrations.integrationVersions.list

integrations.integrationVersions.update

integrations.integrations.*

integrations.sfdcChannels.*

integrations.sfdcInstances.*

integrations.suspensions.*

pubsub.schemas.attach

pubsub.schemas.create

pubsub.schemas.delete

pubsub.schemas.get

pubsub.schemas.list

pubsub.schemas.validate

pubsub.snapshots.create

pubsub.snapshots.delete

pubsub.snapshots.get

pubsub.snapshots.list

pubsub.snapshots.seek

pubsub.snapshots.update

pubsub.subscriptions.consume

pubsub.subscriptions.create

pubsub.subscriptions.delete

pubsub.subscriptions.get

pubsub.subscriptions.list

pubsub.subscriptions.update

pubsub.topics.attachSubscription

pubsub.topics.create

pubsub.topics.delete

pubsub.topics.detachSubscription

pubsub.topics.get

pubsub.topics.list

pubsub.topics.publish

pubsub.topics.update

pubsub.topics.updateTag

resourcemanager.projects.get

resourcemanager.projects.list

run.jobs.run

run.routes.invoke

serviceusage.quotas.get

serviceusage.services.get

serviceusage.services.list

storage.buckets.create

storage.buckets.get

storage.buckets.list

storage.buckets.update

storage.objects.create

storage.objects.get

storage.objects.list

storage.objects.update

(roles/krmapihosting.anthosApiEndpointServiceAgent)

Grants permissions to resources managed by AnthosApiEndpoint.

compute.instanceGroupManagers.get

container.*

gkehub.features.*

gkehub.fleet.*

gkehub.gateway.*

gkehub.locations.*

gkehub.membershipbindings.*

gkehub.memberships.*

gkehub.namespaces.*

gkehub.operations.*

gkehub.rbacrolebindings.*

gkehub.scopes.create

gkehub.scopes.delete

gkehub.scopes.get

gkehub.scopes.getIamPolicy

gkehub.scopes.list

gkehub.scopes.listBoundMemberships

gkehub.scopes.update

iam.serviceAccounts.actAs

meshconfig.projects.init

recommender.containerDiagnosisInsights.*

recommender.containerDiagnosisRecommendations.*

recommender.locations.*

recommender.networkAnalyzerGkeConnectivityInsights.*

recommender.networkAnalyzerGkeIpAddressInsights.*

resourcemanager.projects.get

resourcemanager.projects.getIamPolicy

resourcemanager.projects.list

resourcemanager.projects.setIamPolicy

serviceusage.services.enable

serviceusage.services.get

serviceusage.services.list

serviceusage.services.use

(roles/krmapihosting.serviceAgent)

Gives the KRM API Hosting service account access to managed resources.

compute.instanceGroupManagers.get

compute.regions.get

container.*

iam.serviceAccounts.actAs

recommender.containerDiagnosisInsights.*

recommender.containerDiagnosisRecommendations.*

recommender.locations.*

recommender.networkAnalyzerGkeConnectivityInsights.*

recommender.networkAnalyzerGkeIpAddressInsights.*

resourcemanager.projects.get

resourcemanager.projects.list

serviceusage.services.use

(roles/kuberun.eventsControlPlaneServiceAgent)

Service account role used to set up authentication for the control plane used by KubeRun Events.

cloudscheduler.jobs.create

cloudscheduler.jobs.delete

cloudscheduler.jobs.get

logging.sinks.create

logging.sinks.delete

logging.sinks.get

pubsub.subscriptions.create

pubsub.subscriptions.delete

pubsub.subscriptions.get

pubsub.topics.attachSubscription

pubsub.topics.create

pubsub.topics.delete

pubsub.topics.get

pubsub.topics.getIamPolicy

pubsub.topics.setIamPolicy

resourcemanager.projects.get

storage.buckets.get

storage.buckets.update

(roles/kuberun.eventsDataPlaneServiceAgent)

Service account role used to set up authentication for the data plane used by KubeRun Events.

cloudtrace.traces.patch

monitoring.timeSeries.create

pubsub.subscriptions.consume

pubsub.subscriptions.get

pubsub.topics.get

pubsub.topics.publish

resourcemanager.projects.get

(roles/lifesciences.serviceAgent)

Gives Cloud Life Sciences Service Account access to compute resources. Includes access to service accounts.

compute.acceleratorTypes.*

compute.addresses.createInternal

compute.addresses.deleteInternal

compute.addresses.get

compute.addresses.list

compute.addresses.use

compute.addresses.useInternal

compute.autoscalers.*

compute.backendBuckets.get

compute.backendBuckets.list

compute.backendBuckets.listEffectiveTags

compute.backendBuckets.listTagBindings

compute.backendServices.get

compute.backendServices.list

compute.backendServices.listEffectiveTags

compute.backendServices.listTagBindings

compute.diskTypes.*

compute.disks.*

compute.externalVpnGateways.get

compute.externalVpnGateways.list

compute.firewalls.get

compute.firewalls.list

compute.firewalls.listEffectiveTags

compute.firewalls.listTagBindings

compute.forwardingRules.get

compute.forwardingRules.list

compute.forwardingRules.listEffectiveTags

compute.forwardingRules.listTagBindings

compute.globalAddresses.get

compute.globalAddresses.list

compute.globalAddresses.use

compute.globalForwardingRules.get

compute.globalForwardingRules.list

compute.globalForwardingRules.listEffectiveTags

compute.globalForwardingRules.listTagBindings

compute.globalForwardingRules.pscGet

compute.globalNetworkEndpointGroups.*

compute.globalOperations.get

compute.globalOperations.list

compute.healthChecks.get

compute.healthChecks.list

compute.healthChecks.listEffectiveTags

compute.healthChecks.listTagBindings

compute.httpHealthChecks.get

compute.httpHealthChecks.list

compute.httpHealthChecks.listEffectiveTags

compute.httpHealthChecks.listTagBindings

compute.httpsHealthChecks.get

compute.httpsHealthChecks.list

compute.httpsHealthChecks.listEffectiveTags

compute.httpsHealthChecks.listTagBindings

compute.images.*

compute.instanceGroupManagers.*

compute.instanceGroups.*

compute.instanceSettings.*

compute.instanceTemplates.*

compute.instances.*

compute.instantSnapshots.*

compute.interconnectAttachments.get

compute.interconnectAttachments.list

compute.interconnectLocations.*

compute.interconnectRemoteLocations.*

compute.interconnects.get

compute.interconnects.list

compute.licenseCodes.*

compute.licenses.*

compute.machineImages.*

compute.machineTypes.*

compute.networkAttachments.get

compute.networkAttachments.list

compute.networkEndpointGroups.*

compute.networks.get

compute.networks.list

compute.networks.listEffectiveTags

compute.networks.listTagBindings

compute.networks.use

compute.networks.useExternalIp

compute.projects.get

compute.projects.setCommonInstanceMetadata

compute.regionBackendServices.get

compute.regionBackendServices.list

compute.regionBackendServices.listEffectiveTags

compute.regionBackendServices.listTagBindings

compute.regionHealthCheckServices.get

compute.regionHealthCheckServices.list

compute.regionHealthChecks.get

compute.regionHealthChecks.list

compute.regionHealthChecks.listEffectiveTags

compute.regionHealthChecks.listTagBindings

compute.regionNetworkEndpointGroups.*

compute.regionNotificationEndpoints.get

compute.regionNotificationEndpoints.list

compute.regionOperations.get

compute.regionOperations.list

compute.regionSslCertificates.get

compute.regionSslCertificates.list

compute.regionSslCertificates.listEffectiveTags

compute.regionSslCertificates.listTagBindings

compute.regionSslPolicies.get

compute.regionSslPolicies.list

compute.regionSslPolicies.listAvailableFeatures

compute.regionTargetHttpProxies.get

compute.regionTargetHttpProxies.list

compute.regionTargetHttpProxies.listEffectiveTags

compute.regionTargetHttpProxies.listTagBindings

compute.regionTargetHttpsProxies.get

compute.regionTargetHttpsProxies.list

compute.regionTargetHttpsProxies.listEffectiveTags

compute.regionTargetHttpsProxies.listTagBindings

compute.regionTargetTcpProxies.get

compute.regionTargetTcpProxies.list

compute.regionUrlMaps.get

compute.regionUrlMaps.list

compute.regionUrlMaps.listEffectiveTags

compute.regionUrlMaps.listTagBindings

compute.regions.*

compute.reservations.get

compute.reservations.list

compute.resourcePolicies.*

compute.routers.get

compute.routers.list

compute.routes.get

compute.routes.list

compute.routes.listEffectiveTags

compute.routes.listTagBindings

compute.serviceAttachments.get

compute.serviceAttachments.list

compute.snapshots.*

compute.sslCertificates.get

compute.sslCertificates.list

compute.sslCertificates.listEffectiveTags

compute.sslCertificates.listTagBindings

compute.sslPolicies.get

compute.sslPolicies.list

compute.sslPolicies.listAvailableFeatures

compute.sslPolicies.listEffectiveTags

compute.sslPolicies.listTagBindings

compute.storagePools.get

compute.storagePools.list

compute.storagePools.use

compute.subnetworks.get

compute.subnetworks.list

compute.subnetworks.listEffectiveTags

compute.subnetworks.listTagBindings

compute.subnetworks.use

compute.subnetworks.useExternalIp

compute.targetGrpcProxies.get

compute.targetGrpcProxies.list

compute.targetHttpProxies.get

compute.targetHttpProxies.list

compute.targetHttpProxies.listEffectiveTags

compute.targetHttpProxies.listTagBindings

compute.targetHttpsProxies.get

compute.targetHttpsProxies.list

compute.targetHttpsProxies.listEffectiveTags

compute.targetHttpsProxies.listTagBindings

compute.targetInstances.get

compute.targetInstances.list

compute.targetInstances.listEffectiveTags

compute.targetInstances.listTagBindings

compute.targetPools.get

compute.targetPools.list

compute.targetPools.listEffectiveTags

compute.targetPools.listTagBindings

compute.targetSslProxies.get

compute.targetSslProxies.list

compute.targetSslProxies.listEffectiveTags

compute.targetSslProxies.listTagBindings

compute.targetTcpProxies.get

compute.targetTcpProxies.list

compute.targetTcpProxies.listEffectiveTags

compute.targetTcpProxies.listTagBindings

compute.targetVpnGateways.get

compute.targetVpnGateways.list

compute.urlMaps.get

compute.urlMaps.list

compute.urlMaps.listEffectiveTags

compute.urlMaps.listTagBindings

compute.vpnGateways.get

compute.vpnGateways.list

compute.vpnTunnels.get

compute.vpnTunnels.list

compute.zoneOperations.get

compute.zoneOperations.list

compute.zones.*

iam.serviceAccounts.actAs

pubsub.topics.publish

resourcemanager.projects.get

resourcemanager.projects.list

serviceusage.quotas.get

serviceusage.services.get

serviceusage.services.list

serviceusage.services.use

(roles/livestream.serviceAgent)

Uploads media files to customer Cloud Storage buckets.

storage.objects.create

storage.objects.delete

storage.objects.get

storage.objects.list

storage.objects.update

(roles/logging.serviceAgent)

Grants a Cloud Logging Service Account the ability to create and link datasets.

bigquery.datasets.create

bigquery.datasets.get

bigquery.datasets.link

(roles/looker.serviceAgent)

Gives the Looker service account permission to manage customer resources.

bigquery.config.get

bigquery.datasets.get

bigquery.jobs.create

bigquery.models.export

bigquery.models.getData

bigquery.models.getMetadata

bigquery.models.list

bigquery.tables.create

bigquery.tables.createSnapshot

bigquery.tables.export

bigquery.tables.get

bigquery.tables.getData

bigquery.tables.list

compute.globalAddresses.get

looker.backups.create

resourcemanager.projects.get

serviceusage.services.use

(roles/managedidentities.serviceAgent)

Gives Managed Identities service account access to managed resources.

compute.globalOperations.get

compute.networks.addPeering

compute.networks.get

compute.networks.removePeering

compute.networks.update

compute.routes.list

dns.changes.*

dns.dnsKeys.*

dns.managedZoneOperations.*

dns.managedZones.create

dns.managedZones.delete

dns.managedZones.get

dns.managedZones.list

dns.managedZones.update

dns.networks.bindPrivateDNSPolicy

dns.networks.bindPrivateDNSZone

dns.policies.create

dns.policies.delete

dns.policies.get

dns.policies.list

dns.policies.update

dns.projects.get

dns.resourceRecordSets.*

dns.responsePolicies.*

dns.responsePolicyRules.*

monitoring.metricDescriptors.create

monitoring.metricDescriptors.get

monitoring.metricDescriptors.list

monitoring.monitoredResourceDescriptors.*

monitoring.timeSeries.create

resourcemanager.projects.get

resourcemanager.projects.list

(roles/mediaasset.serviceAgent)

Downloads and uploads media files from and to customer Cloud Storage buckets.

pubsub.topics.get

pubsub.topics.publish

storage.objects.create

storage.objects.delete

storage.objects.get

transcoder.jobs.create

transcoder.jobs.delete

transcoder.jobs.get

(roles/memcache.serviceAgent)

Gives the Cloud Memorystore Memcached service account access to managed resources.

compute.globalOperations.get

compute.networks.addPeering

compute.networks.get

compute.networks.removePeering

compute.networks.update

compute.routes.get

compute.routes.list

compute.subnetworks.get

compute.subnetworks.list

monitoring.metricDescriptors.create

monitoring.metricDescriptors.get

monitoring.metricDescriptors.list

monitoring.monitoredResourceDescriptors.*

monitoring.timeSeries.create

resourcemanager.projects.get

resourcemanager.projects.list

(roles/meshconfig.serviceAgent)

Apply mesh configuration

compute.backendServices.create

compute.backendServices.delete

compute.backendServices.get

compute.backendServices.list

compute.backendServices.setSecurityPolicy

compute.backendServices.update

compute.backendServices.use

compute.firewalls.create

compute.firewalls.delete

compute.firewalls.get

compute.firewalls.list

compute.firewalls.update

compute.globalForwardingRules.create

compute.globalForwardingRules.delete

compute.globalForwardingRules.get

compute.globalForwardingRules.list

compute.globalForwardingRules.setLabels

compute.globalForwardingRules.setTarget

compute.globalOperations.get

compute.globalOperations.list

compute.healthChecks.create

compute.healthChecks.delete

compute.healthChecks.get

compute.healthChecks.list

compute.healthChecks.update

compute.healthChecks.use

compute.healthChecks.useReadOnly

compute.networkEndpointGroups.get

compute.networkEndpointGroups.list

compute.networkEndpointGroups.use

compute.networks.get

compute.networks.updatePolicy

compute.networks.use

compute.regionTargetTcpProxies.*

compute.subnetworks.use

compute.targetHttpProxies.create

compute.targetHttpProxies.delete

compute.targetHttpProxies.get

compute.targetHttpProxies.list

compute.targetHttpProxies.setUrlMap

compute.targetHttpProxies.use

compute.targetHttpsProxies.create

compute.targetHttpsProxies.delete

compute.targetHttpsProxies.get

compute.targetHttpsProxies.list

compute.targetHttpsProxies.setSslCertificates

compute.targetHttpsProxies.setSslPolicy

compute.targetHttpsProxies.setUrlMap

compute.targetHttpsProxies.use

compute.targetSslProxies.create

compute.targetSslProxies.delete

compute.targetSslProxies.get

compute.targetSslProxies.list

compute.targetSslProxies.setBackendService

compute.targetSslProxies.setProxyHeader

compute.targetSslProxies.setSslCertificates

compute.targetSslProxies.use

compute.targetTcpProxies.create

compute.targetTcpProxies.delete

compute.targetTcpProxies.get

compute.targetTcpProxies.list

compute.targetTcpProxies.update

compute.targetTcpProxies.use

compute.urlMaps.create

compute.urlMaps.delete

compute.urlMaps.get

compute.urlMaps.invalidateCache

compute.urlMaps.list

compute.urlMaps.update

compute.urlMaps.use

compute.urlMaps.validate

networksecurity.clientTlsPolicies.create

networksecurity.clientTlsPolicies.delete

networksecurity.clientTlsPolicies.get

networksecurity.clientTlsPolicies.list

networksecurity.clientTlsPolicies.update

networksecurity.serverTlsPolicies.create

networksecurity.serverTlsPolicies.delete

networksecurity.serverTlsPolicies.get

networksecurity.serverTlsPolicies.list

networksecurity.serverTlsPolicies.update

networkservices.endpointConfigSelectors.create

networkservices.endpointConfigSelectors.delete

networkservices.endpointConfigSelectors.get

networkservices.endpointConfigSelectors.list

networkservices.endpointConfigSelectors.update

networkservices.httpFilters.create

networkservices.httpFilters.delete

networkservices.httpFilters.get

networkservices.httpFilters.list

networkservices.httpFilters.update

networkservices.httpfilters.create

networkservices.httpfilters.delete

networkservices.httpfilters.get

networkservices.httpfilters.list

networkservices.httpfilters.update

(roles/meshcontrolplane.serviceAgent)

Anthos Service Mesh Managed Control Plane Agent

container.apiServices.*

container.auditSinks.*

container.backendConfigs.*

container.bindings.*

container.certificateSigningRequests.*

container.clusterRoleBindings.*

container.clusterRoles.*

container.clusters.get

container.clusters.getCredentials

container.clusters.list

container.clusters.update

container.componentStatuses.*

container.configMaps.*

container.controllerRevisions.*

container.cronJobs.*

container.csiDrivers.*

container.csiNodeInfos.*

container.csiNodes.*

container.customResourceDefinitions.*

container.daemonSets.*

container.deployments.*

container.endpointSlices.*

container.endpoints.*

container.events.*

container.frontendConfigs.*

container.horizontalPodAutoscalers.*

container.hostServiceAgent.use

container.ingresses.*

container.initializerConfigurations.*

container.jobs.*

container.leases.*

container.limitRanges.*

container.localSubjectAccessReviews.*

container.managedCertificates.*

container.mutatingWebhookConfigurations.*

container.namespaces.*

container.networkPolicies.*

container.nodes.*

container.operations.*

container.persistentVolumeClaims.*

container.persistentVolumes.*

container.petSets.*

container.podDisruptionBudgets.*

container.podPresets.*

container.podSecurityPolicies.*

container.podTemplates.*

container.pods.*

container.priorityClasses.*

container.replicaSets.*

container.replicationControllers.*

container.resourceQuotas.*

container.roleBindings.*

container.roles.*

container.runtimeClasses.*

container.scheduledJobs.*

container.secrets.*

container.selfSubjectAccessReviews.*

container.selfSubjectRulesReviews.create

container.serviceAccounts.*

container.services.*

container.statefulSets.*

container.storageClasses.*

container.storageStates.*

container.storageVersionMigrations.*

container.subjectAccessReviews.*

container.thirdPartyObjects.*

container.thirdPartyResources.*

container.tokenReviews.create

container.updateInfos.*

container.validatingWebhookConfigurations.*

container.volumeAttachments.*

container.volumeSnapshotClasses.*

container.volumeSnapshotContents.*

container.volumeSnapshots.*

gkehub.features.get

gkehub.features.getIamPolicy

gkehub.features.list

gkehub.fleet.get

gkehub.fleet.getFreeTrial

gkehub.gateway.*

gkehub.locations.*

gkehub.membershipbindings.get

gkehub.membershipbindings.list

gkehub.memberships.generateConnectManifest

gkehub.memberships.get

gkehub.memberships.getIamPolicy

gkehub.memberships.list

gkehub.namespaces.get

gkehub.namespaces.list

gkehub.operations.get

gkehub.operations.list

gkehub.rbacrolebindings.get

gkehub.rbacrolebindings.list

gkehub.scopes.get

gkehub.scopes.list

gkehub.scopes.listBoundMemberships

logging.logEntries.create

logging.logEntries.route

monitoring.metricDescriptors.create

monitoring.metricDescriptors.get

monitoring.metricDescriptors.list

monitoring.monitoredResourceDescriptors.*

monitoring.timeSeries.create

resourcemanager.projects.get

resourcemanager.projects.list

serviceusage.services.get

serviceusage.services.use

trafficdirector.*

(roles/meshdataplane.serviceAgent)

Run user-space Istio components

cloudtrace.traces.patch

compute.forwardingRules.get

compute.globalForwardingRules.get

logging.logEntries.create

logging.logEntries.route

monitoring.metricDescriptors.create

monitoring.metricDescriptors.get

monitoring.metricDescriptors.list

monitoring.monitoredResourceDescriptors.*

monitoring.timeSeries.create

serviceusage.services.use

(roles/metastore.serviceAgent)

Gives the Dataproc Metastore service account access to managed resources.

compute.addresses.createInternal

compute.addresses.deleteInternal

compute.addresses.get

compute.addresses.use

compute.forwardingRules.create

compute.forwardingRules.delete

compute.forwardingRules.get

compute.forwardingRules.pscCreate

compute.forwardingRules.pscDelete

compute.globalAddresses.createInternal

compute.globalAddresses.deleteInternal

compute.globalAddresses.get

compute.globalAddresses.list

compute.globalOperations.get

compute.globalOperations.list

compute.networks.addPeering

compute.networks.get

compute.networks.removePeering

compute.networks.updatePeering

compute.networks.use

compute.regionOperations.get

compute.subnetworks.get

compute.subnetworks.use

dns.changes.create

dns.changes.get

dns.managedZones.create

dns.managedZones.delete

dns.managedZones.get

dns.managedZones.list

dns.networks.bindPrivateDNSZone

dns.networks.targetWithPeeringZone

dns.resourceRecordSets.*

metastore.databases.get

metastore.databases.setIamPolicy

metastore.databases.update

metastore.services.get

metastore.tables.get

metastore.tables.setIamPolicy

metastore.tables.update

servicedirectory.namespaces.create

servicedirectory.namespaces.delete

servicedirectory.services.create

servicedirectory.services.delete

storage.buckets.create

storage.buckets.delete

storage.buckets.get

storage.buckets.update

storage.objects.create

storage.objects.delete

storage.objects.get

storage.objects.list

storage.objects.update

(roles/migrationcenter.serviceAgent)

Gives Migration Center Service Account access to objects stored in object store and Cloud Migration products.

storage.objects.get

vmmigration.migratingVms.create

(roles/ml.serviceAgent)

AI Platform service agent can act as log writer, Cloud Storage admin, Artifact Registry Reader, BigQuery writer, and service account access token creator.

artifactregistry.dockerimages.*

artifactregistry.files.*

artifactregistry.locations.*

artifactregistry.mavenartifacts.*

artifactregistry.npmpackages.*

artifactregistry.packages.get

artifactregistry.packages.list

artifactregistry.projectsettings.get

artifactregistry.pythonpackages.*

artifactregistry.repositories.downloadArtifacts

artifactregistry.repositories.get

artifactregistry.repositories.list

artifactregistry.repositories.listEffectiveTags

artifactregistry.repositories.listTagBindings

artifactregistry.repositories.readViaVirtualRepository

artifactregistry.tags.get

artifactregistry.tags.list

artifactregistry.versions.get

artifactregistry.versions.list

bigquery.datasets.create

bigquery.datasets.get

bigquery.jobs.create

bigquery.jobs.get

bigquery.jobs.list

bigquery.jobs.update

bigquery.tables.create

bigquery.tables.get

bigquery.tables.getData

bigquery.tables.list

bigquery.tables.updateData

firebase.projects.get

iam.serviceAccounts.get

iam.serviceAccounts.getAccessToken

iam.serviceAccounts.getOpenIdToken

iam.serviceAccounts.implicitDelegation

iam.serviceAccounts.list

iam.serviceAccounts.signBlob

iam.serviceAccounts.signJwt

logging.logEntries.create

logging.logEntries.route

orgpolicy.policy.get

recommender.iamPolicyInsights.*

recommender.iamPolicyRecommendations.*

resourcemanager.projects.get

resourcemanager.projects.list

storage.anywhereCaches.*

storage.bucketOperations.*

storage.buckets.*

storage.managedFolders.*

storage.multipartUploads.*

storage.objects.*

(roles/monitoring.notificationServiceAgent)

Grants permissions to deliver notifications directly to resources within the target project, such as delivering to Pub/Sub topics within the project.

cloudfunctions.functions.get

cloudtrace.traces.patch

monitoring.metricDescriptors.get

monitoring.metricDescriptors.list

monitoring.monitoredResourceDescriptors.*

monitoring.timeSeries.list

run.routes.invoke

servicedirectory.networks.access

servicedirectory.services.resolve

serviceusage.services.use

(roles/multiclusteringress.serviceAgent)

Gives the Multi Cluster Ingress service agent access to Cloud Platform resources.

certificatemanager.certmapentries.create

certificatemanager.certmapentries.delete

certificatemanager.certmapentries.get

certificatemanager.certmapentries.getIamPolicy

certificatemanager.certmapentries.list

certificatemanager.certmapentries.update

certificatemanager.certmaps.create

certificatemanager.certmaps.delete

certificatemanager.certmaps.get

certificatemanager.certmaps.getIamPolicy

certificatemanager.certmaps.list

certificatemanager.certmaps.update

certificatemanager.certmaps.use

certificatemanager.certs.create

certificatemanager.certs.delete

certificatemanager.certs.get

certificatemanager.certs.getIamPolicy

certificatemanager.certs.list

certificatemanager.certs.update

certificatemanager.certs.use

certificatemanager.dnsauthorizations.create

certificatemanager.dnsauthorizations.delete

certificatemanager.dnsauthorizations.get

certificatemanager.dnsauthorizations.getIamPolicy

certificatemanager.dnsauthorizations.list

certificatemanager.dnsauthorizations.update

certificatemanager.dnsauthorizations.use

compute.addresses.create

compute.addresses.createInternal

compute.addresses.delete

compute.addresses.deleteInternal

compute.addresses.get

compute.addresses.list

compute.addresses.use

compute.addresses.useInternal

compute.backendServices.*

compute.firewalls.*

compute.forwardingRules.*

compute.globalAddresses.create

compute.globalAddresses.delete

compute.globalAddresses.get

compute.globalAddresses.list

compute.globalAddresses.use

compute.globalForwardingRules.*

compute.healthChecks.*

compute.networkEndpointGroups.get

compute.networkEndpointGroups.list

compute.networkEndpointGroups.use

compute.networks.updatePolicy

compute.networks.use

compute.regionBackendServices.*

compute.regionHealthChecks.*

compute.regionSslCertificates.*

compute.regionTargetHttpProxies.*

compute.regionTargetHttpsProxies.*

compute.regionUrlMaps.*

compute.securityPolicies.use

compute.sslCertificates.*

compute.sslPolicies.use

compute.subnetworks.list

compute.subnetworks.use

compute.targetHttpProxies.*

compute.targetHttpsProxies.*

compute.urlMaps.*

container.backendConfigs.*

container.clusters.get

container.customResourceDefinitions.create

container.customResourceDefinitions.delete

container.customResourceDefinitions.get

container.customResourceDefinitions.list

container.customResourceDefinitions.update

container.deployments.*

container.events.create

container.events.update

container.frontendConfigs.*

container.namespaces.list

container.secrets.get

container.secrets.list

container.services.*

container.thirdPartyObjects.*

gkehub.features.get

gkehub.locations.*

gkehub.memberships.get

gkehub.memberships.list

serviceusage.services.get

serviceusage.services.list

serviceusage.services.use

(roles/multiclustermetering.serviceAgent)

Gives the Multi-cluster metering service agent access to Cloud Platform resources.

gkehub.features.get

gkehub.locations.*

gkehub.memberships.get

gkehub.memberships.list

(roles/multiclusterservicediscovery.serviceAgent)

Gives the Multi-Cluster Service Discovery service access to Cloud Platform resources.

compute.backendServices.*

compute.firewalls.*

compute.forwardingRules.*

compute.globalForwardingRules.*

compute.globalOperations.get

compute.healthChecks.*

compute.httpHealthChecks.*

compute.httpsHealthChecks.*

compute.networkEndpointGroups.use

compute.networks.get

compute.networks.list

compute.networks.updatePolicy

compute.networks.use

compute.regionTargetTcpProxies.*

compute.regions.*

compute.targetHttpProxies.*

compute.targetHttpsProxies.*

compute.targetTcpProxies.*

compute.urlMaps.*

container.clusters.get

container.clusters.list

container.thirdPartyObjects.update

dns.changes.*

dns.dnsKeys.*

dns.gkeClusters.*

dns.managedZoneOperations.*

dns.managedZones.create

dns.managedZones.delete

dns.managedZones.get

dns.managedZones.getIamPolicy

dns.managedZones.list

dns.managedZones.update

dns.networks.*

dns.policies.create

dns.policies.delete

dns.policies.get

dns.policies.getIamPolicy

dns.policies.list

dns.policies.update

dns.projects.get

dns.resourceRecordSets.*

dns.responsePolicies.*

dns.responsePolicyRules.*

gkehub.features.get

gkehub.locations.*

gkehub.memberships.get

gkehub.memberships.list

resourcemanager.projects.get

resourcemanager.projects.list

(roles/networkactions.serviceAgent)

Gives Network Actions service account access to read required resources.

artifactregistry.repositories.downloadArtifacts

(roles/networkconnectivity.serviceAgent)

Grants the Network Connectivity API authority to read some networking resources. It does not mutate these resources.

compute.addresses.create

compute.addresses.createInternal

compute.addresses.delete

compute.addresses.deleteInternal

compute.addresses.get

compute.addresses.use

compute.forwardingRules.create

compute.forwardingRules.delete

compute.forwardingRules.get

compute.forwardingRules.pscCreate

compute.forwardingRules.pscDelete

compute.forwardingRules.pscSetLabels

compute.forwardingRules.pscSetTarget

compute.forwardingRules.pscUpdate

compute.instances.get

compute.interconnectAttachments.get

compute.networks.get

compute.networks.use

compute.projects.get

compute.regionOperations.get

compute.routers.get

compute.subnetworks.get

compute.subnetworks.getIamPolicy

compute.subnetworks.list

compute.subnetworks.setIamPolicy

compute.subnetworks.use

compute.vpnTunnels.get

dns.managedZones.create

dns.networks.bindPrivateDNSZone

networkconnectivity.operations.get

servicedirectory.namespaces.associatePrivateZone

servicedirectory.namespaces.create

servicedirectory.namespaces.delete

servicedirectory.services.create

servicedirectory.services.delete

(roles/networkmanagement.serviceAgent)

Grants the GCP Network Management API the authority to complete analysis based on network configurations from Compute Engine and Container Engine.

cloudsql.instances.get

cloudsql.instances.list

compute.addresses.get

compute.addresses.list

compute.backendServices.get

compute.backendServices.list

compute.externalVpnGateways.get

compute.externalVpnGateways.list

compute.firewalls.get

compute.firewalls.list

compute.forwardingRules.get

compute.forwardingRules.list

compute.globalAddresses.get

compute.globalAddresses.list

compute.globalForwardingRules.get

compute.globalForwardingRules.list

compute.globalNetworkEndpointGroups.get

compute.globalNetworkEndpointGroups.list

compute.healthChecks.get

compute.healthChecks.list

compute.httpHealthChecks.get

compute.httpHealthChecks.list

compute.httpsHealthChecks.get

compute.httpsHealthChecks.list

compute.instanceGroups.get

compute.instanceGroups.list

compute.instances.get

compute.instances.list

compute.networkEndpointGroups.get

compute.networkEndpointGroups.list

compute.networks.get

compute.networks.getEffectiveFirewalls

compute.networks.list

compute.networks.listPeeringRoutes

compute.packetMirrorings.get

compute.packetMirrorings.list

compute.regionBackendServices.get

compute.regionBackendServices.list

compute.regionHealthChecks.get

compute.regionHealthChecks.list

compute.regionNetworkEndpointGroups.get

compute.regionNetworkEndpointGroups.list

compute.regionTargetHttpProxies.get

compute.regionTargetHttpProxies.list

compute.regionTargetHttpsProxies.get

compute.regionTargetHttpsProxies.list

compute.regionTargetTcpProxies.get

compute.regionTargetTcpProxies.list

compute.regionUrlMaps.get

compute.regionUrlMaps.list

compute.routers.get

compute.routers.list

compute.routes.get

compute.routes.list

compute.subnetworks.get

compute.subnetworks.list

compute.targetGrpcProxies.get

compute.targetGrpcProxies.list

compute.targetHttpProxies.get

compute.targetHttpProxies.list

compute.targetHttpsProxies.get

compute.targetHttpsProxies.list

compute.targetInstances.get

compute.targetInstances.list

compute.targetPools.get

compute.targetPools.list

compute.targetSslProxies.get

compute.targetSslProxies.list

compute.targetTcpProxies.get

compute.targetTcpProxies.list

compute.targetVpnGateways.get

compute.targetVpnGateways.list

compute.urlMaps.get

compute.urlMaps.list

compute.vpnGateways.get

compute.vpnGateways.list

compute.vpnTunnels.get

compute.vpnTunnels.list

container.clusters.get

container.clusters.list

container.nodes.get

container.nodes.list

(roles/notebooks.serviceAgent)

Provide access for notebooks service agent to manage notebook instances in user projects

aiplatform.customJobs.cancel

aiplatform.customJobs.create

aiplatform.customJobs.get

aiplatform.customJobs.list

compute.acceleratorTypes.*

compute.addresses.createInternal

compute.addresses.deleteInternal

compute.addresses.get

compute.addresses.list

compute.addresses.use

compute.addresses.useInternal

compute.autoscalers.*

compute.backendBuckets.get

compute.backendBuckets.getIamPolicy

compute.backendBuckets.list

compute.backendBuckets.listEffectiveTags

compute.backendBuckets.listTagBindings

compute.backendServices.get

compute.backendServices.getIamPolicy

compute.backendServices.list

compute.backendServices.listEffectiveTags

compute.backendServices.listTagBindings

compute.commitments.get

compute.commitments.list

compute.diskTypes.*

compute.disks.*

compute.externalVpnGateways.get

compute.externalVpnGateways.list

compute.firewallPolicies.get

compute.firewallPolicies.getIamPolicy

compute.firewallPolicies.list

compute.firewallPolicies.listEffectiveTags

compute.firewallPolicies.listTagBindings

compute.firewalls.get

compute.firewalls.list

compute.firewalls.listEffectiveTags

compute.firewalls.listTagBindings

compute.forwardingRules.get

compute.forwardingRules.list

compute.forwardingRules.listEffectiveTags

compute.forwardingRules.listTagBindings

compute.futureReservations.get

compute.futureReservations.getIamPolicy

compute.futureReservations.list

compute.globalAddresses.get

compute.globalAddresses.list

compute.globalAddresses.use

compute.globalForwardingRules.get

compute.globalForwardingRules.list

compute.globalForwardingRules.listEffectiveTags

compute.globalForwardingRules.listTagBindings

compute.globalForwardingRules.pscGet

compute.globalNetworkEndpointGroups.*

compute.globalOperations.get

compute.globalOperations.getIamPolicy

compute.globalOperations.list

compute.globalPublicDelegatedPrefixes.get

compute.globalPublicDelegatedPrefixes.list

compute.healthChecks.get

compute.healthChecks.list

compute.healthChecks.listEffectiveTags

compute.healthChecks.listTagBindings

compute.httpHealthChecks.get

compute.httpHealthChecks.list

compute.httpHealthChecks.listEffectiveTags

compute.httpHealthChecks.listTagBindings

compute.httpsHealthChecks.get

compute.httpsHealthChecks.list

compute.httpsHealthChecks.listEffectiveTags

compute.httpsHealthChecks.listTagBindings

compute.images.*

compute.instanceGroupManagers.*

compute.instanceGroups.*

compute.instanceSettings.*

compute.instanceTemplates.*

compute.instances.*

compute.instantSnapshots.*

compute.interconnectAttachments.get

compute.interconnectAttachments.list

compute.interconnectLocations.*

compute.interconnectRemoteLocations.*

compute.interconnects.get

compute.interconnects.list

compute.licenseCodes.*

compute.licenses.*

compute.machineImages.*

compute.machineTypes.*

compute.maintenancePolicies.get

compute.maintenancePolicies.getIamPolicy

compute.maintenancePolicies.list

compute.networkAttachments.get

compute.networkAttachments.getIamPolicy

compute.networkAttachments.list

compute.networkEdgeSecurityServices.get

compute.networkEdgeSecurityServices.list

compute.networkEndpointGroups.*

compute.networks.get

compute.networks.getEffectiveFirewalls

compute.networks.getRegionEffectiveFirewalls

compute.networks.list

compute.networks.listEffectiveTags

compute.networks.listPeeringRoutes

compute.networks.listTagBindings

compute.networks.use

compute.networks.useExternalIp

compute.nodeGroups.get

compute.nodeGroups.getIamPolicy

compute.nodeGroups.list

compute.nodeTemplates.get

compute.nodeTemplates.getIamPolicy

compute.nodeTemplates.list

compute.nodeTypes.*

compute.organizations.listAssociations

compute.packetMirrorings.get

compute.packetMirrorings.list

compute.projects.get

compute.projects.setCommonInstanceMetadata

compute.publicAdvertisedPrefixes.get

compute.publicAdvertisedPrefixes.list

compute.publicDelegatedPrefixes.get

compute.publicDelegatedPrefixes.list

compute.regionBackendServices.get

compute.regionBackendServices.getIamPolicy

compute.regionBackendServices.list

compute.regionBackendServices.listEffectiveTags

compute.regionBackendServices.listTagBindings

compute.regionFirewallPolicies.get

compute.regionFirewallPolicies.getIamPolicy

compute.regionFirewallPolicies.list

compute.regionFirewallPolicies.listEffectiveTags

compute.regionFirewallPolicies.listTagBindings

compute.regionHealthCheckServices.get

compute.regionHealthCheckServices.list

compute.regionHealthChecks.get

compute.regionHealthChecks.list

compute.regionHealthChecks.listEffectiveTags

compute.regionHealthChecks.listTagBindings

compute.regionNetworkEndpointGroups.*

compute.regionNotificationEndpoints.get

compute.regionNotificationEndpoints.list

compute.regionOperations.get

compute.regionOperations.getIamPolicy

compute.regionOperations.list

compute.regionSecurityPolicies.get

compute.regionSecurityPolicies.list

compute.regionSecurityPolicies.listEffectiveTags

compute.regionSecurityPolicies.listTagBindings

compute.regionSslCertificates.get

compute.regionSslCertificates.list

compute.regionSslCertificates.listEffectiveTags

compute.regionSslCertificates.listTagBindings

compute.regionSslPolicies.get

compute.regionSslPolicies.list

compute.regionSslPolicies.listAvailableFeatures

compute.regionTargetHttpProxies.get

compute.regionTargetHttpProxies.list

compute.regionTargetHttpProxies.listEffectiveTags

compute.regionTargetHttpProxies.listTagBindings

compute.regionTargetHttpsProxies.get

compute.regionTargetHttpsProxies.list

compute.regionTargetHttpsProxies.listEffectiveTags

compute.regionTargetHttpsProxies.listTagBindings

compute.regionTargetTcpProxies.get

compute.regionTargetTcpProxies.list

compute.regionUrlMaps.get

compute.regionUrlMaps.list

compute.regionUrlMaps.listEffectiveTags

compute.regionUrlMaps.listTagBindings

compute.regionUrlMaps.validate

compute.regions.*

compute.reservations.get

compute.reservations.list

compute.resourcePolicies.*

compute.routers.get

compute.routers.list

compute.routes.get

compute.routes.list

compute.routes.listEffectiveTags

compute.routes.listTagBindings

compute.securityPolicies.get

compute.securityPolicies.getIamPolicy

compute.securityPolicies.list

compute.securityPolicies.listEffectiveTags

compute.securityPolicies.listTagBindings

compute.serviceAttachments.get

compute.serviceAttachments.getIamPolicy

compute.serviceAttachments.list

compute.snapshotSettings.get

compute.snapshots.*

compute.sslCertificates.get

compute.sslCertificates.list

compute.sslCertificates.listEffectiveTags

compute.sslCertificates.listTagBindings

compute.sslPolicies.get

compute.sslPolicies.list

compute.sslPolicies.listAvailableFeatures

compute.sslPolicies.listEffectiveTags

compute.sslPolicies.listTagBindings

compute.storagePools.get

compute.storagePools.getIamPolicy

compute.storagePools.list

compute.storagePools.use

compute.subnetworks.get

compute.subnetworks.getIamPolicy

compute.subnetworks.list

compute.subnetworks.listEffectiveTags

compute.subnetworks.listTagBindings

compute.subnetworks.use

compute.subnetworks.useExternalIp

compute.targetGrpcProxies.get

compute.targetGrpcProxies.list

compute.targetHttpProxies.get

compute.targetHttpProxies.list

compute.targetHttpProxies.listEffectiveTags

compute.targetHttpProxies.listTagBindings

compute.targetHttpsProxies.get

compute.targetHttpsProxies.list

compute.targetHttpsProxies.listEffectiveTags

compute.targetHttpsProxies.listTagBindings

compute.targetInstances.get

compute.targetInstances.list

compute.targetInstances.listEffectiveTags

compute.targetInstances.listTagBindings

compute.targetPools.get

compute.targetPools.list

compute.targetPools.listEffectiveTags

compute.targetPools.listTagBindings

compute.targetSslProxies.get

compute.targetSslProxies.list

compute.targetSslProxies.listEffectiveTags

compute.targetSslProxies.listTagBindings

compute.targetTcpProxies.get

compute.targetTcpProxies.list

compute.targetTcpProxies.listEffectiveTags

compute.targetTcpProxies.listTagBindings

compute.targetVpnGateways.get

compute.targetVpnGateways.list

compute.urlMaps.get

compute.urlMaps.list

compute.urlMaps.listEffectiveTags

compute.urlMaps.listTagBindings

compute.urlMaps.validate

compute.vpnGateways.get

compute.vpnGateways.list

compute.vpnTunnels.get

compute.vpnTunnels.list

compute.zoneOperations.get

compute.zoneOperations.getIamPolicy

compute.zoneOperations.list

compute.zones.*

dataproc.clusters.get

dataproc.clusters.use

dataproc.jobs.cancel

dataproc.jobs.create

dataproc.jobs.delete

dataproc.jobs.get

dataproc.jobs.list

dataproc.jobs.update

iam.serviceAccounts.actAs

iam.serviceAccounts.get

iam.serviceAccounts.getAccessToken

iam.serviceAccounts.list

ml.jobs.create

ml.jobs.get

ml.jobs.list

notebooks.*

resourcemanager.projects.get

resourcemanager.projects.list

serviceusage.quotas.get

serviceusage.services.get

serviceusage.services.list

(roles/ondemandscanning.serviceAgent)

Gives the On-Demand Scanning API the access it needs to function.

artifactregistry.dockerimages.*

artifactregistry.files.*

artifactregistry.locations.*

artifactregistry.mavenartifacts.*

artifactregistry.npmpackages.*

artifactregistry.packages.get

artifactregistry.packages.list

artifactregistry.projectsettings.get

artifactregistry.pythonpackages.*

artifactregistry.repositories.downloadArtifacts

artifactregistry.repositories.get

artifactregistry.repositories.list

artifactregistry.repositories.listEffectiveTags

artifactregistry.repositories.listTagBindings

artifactregistry.repositories.readViaVirtualRepository

artifactregistry.tags.get

artifactregistry.tags.list

artifactregistry.versions.get

artifactregistry.versions.list

resourcemanager.projects.get

resourcemanager.projects.list

storage.objects.get

storage.objects.list

(roles/osconfig.serviceAgent)

Grants OS Config Service Account access to Google Compute Engine instances.

compute.instances.get

compute.instances.getGuestAttributes

compute.instances.list

compute.instances.setMetadata

compute.zones.*

containeranalysis.notes.attachOccurrence

containeranalysis.notes.create

containeranalysis.notes.delete

containeranalysis.notes.get

containeranalysis.notes.list

containeranalysis.notes.update

containeranalysis.occurrences.create

containeranalysis.occurrences.delete

containeranalysis.occurrences.get

containeranalysis.occurrences.list

containeranalysis.occurrences.update

iam.serviceAccounts.actAs

resourcemanager.projects.get

resourcemanager.projects.list

(roles/parallelstore.serviceAgent)

Gives the Parallelstore service agent ability to access customer resources.

resourcemanager.projects.get

resourcemanager.projects.list

(roles/privilegedaccessmanager.folderServiceAgent)

Gives privileged access manager service account access to modify IAM policies on GCP folders

resourcemanager.folders.get

resourcemanager.folders.getIamPolicy

resourcemanager.folders.setIamPolicy

(roles/privilegedaccessmanager.organizationServiceAgent)

Gives privileged access manager service account access to modify IAM policies on GCP organizations

resourcemanager.organizations.*

(roles/privilegedaccessmanager.projectServiceAgent)

Gives privileged access manager service account access to modify IAM policies on GCP projects

resourcemanager.projects.get

resourcemanager.projects.getIamPolicy

resourcemanager.projects.setIamPolicy

(roles/pubsub.serviceAgent)

Grants Cloud Pub/Sub Service Account access to manage resources.

iam.serviceAccounts.get

iam.serviceAccounts.getAccessToken

iam.serviceAccounts.getOpenIdToken

iam.serviceAccounts.implicitDelegation

iam.serviceAccounts.list

iam.serviceAccounts.signBlob

iam.serviceAccounts.signJwt

resourcemanager.projects.get

resourcemanager.projects.list

(roles/pubsublite.serviceAgent)

Grants Pub/Sub Lite Service Agent access to project resources.

pubsub.topics.publish

pubsublite.subscriptions.get

pubsublite.subscriptions.getCursor

pubsublite.subscriptions.setCursor

pubsublite.subscriptions.subscribe

pubsublite.topics.computeHeadCursor

pubsublite.topics.getPartitions

pubsublite.topics.publish

pubsublite.topics.subscribe

(roles/rapidmigrationassessment.serviceAgent)

Gives RMA service account access to MC resources.

autoscaling.sites.writeMetrics

cloudasset.assets.exportResource

cloudasset.feeds.create

logging.logEntries.create

migrationcenter.assets.list

migrationcenter.assets.reportFrames

migrationcenter.importJobs.get

migrationcenter.importJobs.list

migrationcenter.sources.*

monitoring.metricDescriptors.create

monitoring.metricDescriptors.list

monitoring.timeSeries.create

resourcemanager.projects.get

(roles/redis.serviceAgent)

Gives Cloud Memorystore Redis service account access to managed resources.

compute.globalOperations.get

compute.networks.addPeering

compute.networks.get

compute.networks.removePeering

compute.networks.update

compute.projects.get

compute.routes.get

compute.routes.list

compute.subnetworks.get

compute.subnetworks.list

monitoring.metricDescriptors.create

monitoring.metricDescriptors.get

monitoring.metricDescriptors.list

monitoring.monitoredResourceDescriptors.*

monitoring.timeSeries.create

resourcemanager.projects.get

resourcemanager.projects.list

(roles/remotebuildexecution.serviceAgent)

Gives Remote Build Execution service account access to managed resources.

remotebuildexecution.actions.update

remotebuildexecution.blobs.*

remotebuildexecution.botsessions.*

remotebuildexecution.logstreams.create

remotebuildexecution.logstreams.update

(roles/retail.serviceAgent)

Retail service uploads product feeds and user events from Cloud Storage and BigQuery, reports results to the customer Cloud Storage bucket, writes logs to customer projects, and writes and reads Google Cloud Observability metrics for customer projects.

bigquery.datasets.create

bigquery.datasets.get

bigquery.jobs.create

bigquery.jobs.get

bigquery.jobs.list

bigquery.jobs.update

bigquery.tables.create

bigquery.tables.export

bigquery.tables.get

bigquery.tables.getData

bigquery.tables.list

bigquery.tables.update

bigquery.tables.updateData

cloudnotifications.activities.list

dataflow.jobs.*

dataflow.messages.list

dataflow.metrics.get

logging.logEntries.create

logging.logEntries.route

monitoring.alertPolicies.get

monitoring.alertPolicies.list

monitoring.dashboards.get

monitoring.dashboards.list

monitoring.groups.get

monitoring.groups.list

monitoring.metricDescriptors.create

monitoring.metricDescriptors.get

monitoring.metricDescriptors.list

monitoring.monitoredResourceDescriptors.*

monitoring.notificationChannelDescriptors.*

monitoring.notificationChannels.get

monitoring.notificationChannels.list

monitoring.publicWidgets.get

monitoring.publicWidgets.list

monitoring.services.get

monitoring.services.list

monitoring.slos.get

monitoring.slos.list

monitoring.snoozes.get

monitoring.snoozes.list

monitoring.timeSeries.*

monitoring.uptimeCheckConfigs.get

monitoring.uptimeCheckConfigs.list

opsconfigmonitoring.resourceMetadata.list

resourcemanager.projects.get

resourcemanager.projects.list

stackdriver.projects.get

stackdriver.resourceMetadata.list

storage.buckets.create

storage.buckets.get

storage.objects.create

storage.objects.delete

storage.objects.get

storage.objects.list

storage.objects.update

(roles/riskmanager.serviceAgent)

Service agent that grants Risk Manager service access to fetch findings for generating Reports

cloudasset.assets.*

recommender.cloudAssetInsights.get

recommender.cloudAssetInsights.list

recommender.locations.*

resourcemanager.folders.get

resourcemanager.folders.list

resourcemanager.organizations.get

resourcemanager.projects.get

resourcemanager.projects.list

securitycenter.assets.group

securitycenter.assets.list

securitycenter.assets.listAssetPropertyNames

securitycenter.bigQueryExports.get

securitycenter.bigQueryExports.list

securitycenter.compliancesnapshots.list

securitycenter.containerthreatdetectionsettings.calculate

securitycenter.containerthreatdetectionsettings.get

securitycenter.effectivesecurityhealthanalyticscustommodules.*

securitycenter.eventthreatdetectionsettings.calculate

securitycenter.eventthreatdetectionsettings.get

securitycenter.findingexplanations.get

securitycenter.findings.group

securitycenter.findings.list

securitycenter.findings.listFindingPropertyNames

securitycenter.integratedvulnerabilityscannersettings.calculate

securitycenter.integratedvulnerabilityscannersettings.get

securitycenter.muteconfigs.get

securitycenter.muteconfigs.list

securitycenter.notificationconfig.get

securitycenter.notificationconfig.list

securitycenter.organizationsettings.get

securitycenter.rapidvulnerabilitydetectionsettings.calculate

securitycenter.rapidvulnerabilitydetectionsettings.get

securitycenter.securitycentersettings.get

securitycenter.securityhealthanalyticscustommodules.get

securitycenter.securityhealthanalyticscustommodules.list

securitycenter.securityhealthanalyticssettings.calculate

securitycenter.securityhealthanalyticssettings.get

securitycenter.sources.get

securitycenter.sources.list

securitycenter.subscription.get

securitycenter.userinterfacemetadata.get

securitycenter.virtualmachinethreatdetectionsettings.calculate

securitycenter.virtualmachinethreatdetectionsettings.get

securitycenter.websecurityscannersettings.calculate

securitycenter.websecurityscannersettings.get

securitycentermanagement.effectiveEventThreatDetectionCustomModules.*

securitycentermanagement.effectiveSecurityHealthAnalyticsCustomModules.*

securitycentermanagement.eventThreatDetectionCustomModules.get

securitycentermanagement.eventThreatDetectionCustomModules.list

securitycentermanagement.eventThreatDetectionCustomModules.validate

securitycentermanagement.locations.*

securitycentermanagement.securityHealthAnalyticsCustomModules.get

securitycentermanagement.securityHealthAnalyticsCustomModules.list

securitycentermanagement.securityHealthAnalyticsCustomModules.simulate

securitycentermanagement.securityHealthAnalyticsCustomModules.test

(roles/routeoptimization.serviceAgent)

Grants Route Optimization Service Account access to read and write GCS objects in the host project.

storage.buckets.get

storage.objects.create

storage.objects.get

storage.objects.list

storage.objects.update

(roles/run.serviceAgent)

Gives Cloud Run service account access to managed resources.

artifactregistry.dockerimages.*

artifactregistry.files.*

artifactregistry.locations.*

artifactregistry.mavenartifacts.*

artifactregistry.npmpackages.*

artifactregistry.packages.get

artifactregistry.packages.list

artifactregistry.projectsettings.get

artifactregistry.pythonpackages.*

artifactregistry.repositories.downloadArtifacts

artifactregistry.repositories.get

artifactregistry.repositories.list

artifactregistry.repositories.listEffectiveTags

artifactregistry.repositories.listTagBindings

artifactregistry.repositories.readViaVirtualRepository

artifactregistry.repositories.uploadArtifacts

artifactregistry.tags.get

artifactregistry.tags.list

artifactregistry.versions.get

artifactregistry.versions.list

binaryauthorization.platformPolicies.evaluatePolicy

binaryauthorization.policy.evaluatePolicy

clientauthconfig.clients.list

cloudbuild.builds.create

cloudbuild.builds.get

compute.addresses.createInternal

compute.addresses.deleteInternal

compute.addresses.get

compute.addresses.list

compute.globalOperations.get

compute.networks.access

compute.networks.get

compute.subnetworks.get

compute.subnetworks.use

iam.serviceAccounts.actAs

iam.serviceAccounts.getAccessToken

iam.serviceAccounts.getOpenIdToken

iam.serviceAccounts.signBlob

resourcemanager.projects.get

resourcemanager.projects.getIamPolicy

resourcemanager.projects.list

run.routes.invoke

serviceusage.services.use

storage.managedFolders.get

storage.managedFolders.list

storage.objects.get

storage.objects.list

vpcaccess.connectors.get

vpcaccess.connectors.use

(roles/runapps.serviceAgent)

Gives Serverless Integrations Service Account access to customer project resources.

cloudbuild.builds.create

cloudbuild.builds.get

cloudsql.databases.get

cloudsql.instances.get

cloudsql.users.get

compute.backendServices.get

compute.backendServices.list

compute.globalAddresses.get

compute.globalAddresses.list

compute.globalForwardingRules.get

compute.globalForwardingRules.list

compute.networks.get

compute.networks.list

compute.regionNetworkEndpointGroups.get

compute.regionNetworkEndpointGroups.list

compute.sslCertificates.get

compute.sslCertificates.list

compute.targetHttpProxies.get

compute.targetHttpProxies.list

compute.targetHttpsProxies.get

compute.targetHttpsProxies.list

compute.urlMaps.get

compute.urlMaps.list

firebasehosting.sites.get

iam.serviceAccounts.actAs

redis.instances.get

redis.instances.list

run.jobs.get

run.jobs.list

run.services.get

run.services.list

serviceusage.services.use

storage.buckets.create

storage.buckets.delete

storage.buckets.get

storage.objects.create

storage.objects.delete

storage.objects.get

storage.objects.list

vpcaccess.connectors.get

vpcaccess.connectors.list

(roles/securedlandingzone.serviceAgent)

Grants Secured Landing Zone service account permissions to manage resources in the customer project.

cloudasset.assets.exportOrgPolicy

cloudasset.assets.exportResource

cloudasset.feeds.create

cloudasset.feeds.delete

cloudasset.feeds.update

logging.logEntries.list

pubsub.subscriptions.consume

pubsub.subscriptions.create

pubsub.subscriptions.delete

pubsub.topics.attachSubscription

pubsub.topics.create

pubsub.topics.delete

pubsub.topics.detachSubscription

pubsub.topics.getIamPolicy

pubsub.topics.setIamPolicy

resourcemanager.projects.get

securitycenter.assetsecuritymarks.update

securitycenter.findings.list

securitycenter.findings.update

securitycenter.sources.list

securitycenter.sources.update

serviceusage.services.use

(roles/securitycenter.attackSurfaceManagementScannerServiceAgent)

Gives Mandiant Attack Surface Management the ability to scan Cloud Platform resources.

apigateway.apiconfigs.get

cloudasset.assets.listResource

dns.managedZones.list

dns.resourceRecordSets.list

resourcemanager.projects.get

(roles/securitycenter.automationServiceAgent)

Security Center automation service agent can configure GCP resources to enable security scanning.

cloudasset.feeds.*

resourcemanager.folders.get

resourcemanager.folders.list

resourcemanager.organizations.get

resourcemanager.projects.get

resourcemanager.projects.getIamPolicy

resourcemanager.projects.list

serviceusage.services.enable

serviceusage.services.get

(roles/securitycenter.controlServiceAgent)

Security Center Control service agent can monitor and configure GCP resources and import security findings.

bigquery.datasets.get

binaryauthorization.policy.get

cloudasset.assets.*

cloudasset.feeds.*

cloudsql.instances.connect

cloudsql.users.list

compute.disks.useReadOnly

compute.globalOperations.get

compute.instances.get

compute.instances.list

compute.networkEndpointGroups.get

compute.projects.get

container.clusters.get

iam.denypolicies.get

iam.denypolicies.list

iam.googleapis.com/workloadIdentityPoolProviders.list

iam.googleapis.com/workloadIdentityPools.list

logging.logEntries.list

monitoring.alertPolicies.list

monitoring.timeSeries.list

orgpolicy.policies.list

orgpolicy.policy.get

recommender.cloudAssetInsights.get

recommender.cloudAssetInsights.list

recommender.locations.*

resourcemanager.folders.get

resourcemanager.folders.list

resourcemanager.organizations.get

resourcemanager.projects.get

resourcemanager.projects.getIamPolicy

resourcemanager.projects.list

resourcemanager.tagValues.get

securitycenter.assets.list

securitycenter.assetsecuritymarks.update

securitycenter.findings.list

securitycenter.notificationconfig.create

securitycenter.notificationconfig.delete

securitycenter.notificationconfig.update

securitycenter.organizationsettings.get

securitycenter.resourcevalueconfigs.get

securitycenter.resourcevalueconfigs.list

securitycenter.sources.list

securitycentermanagement.effectiveSecurityHealthAnalyticsCustomModules.*

securitycentermanagement.securityHealthAnalyticsCustomModules.create

securitycentermanagement.securityHealthAnalyticsCustomModules.delete

securitycentermanagement.securityHealthAnalyticsCustomModules.get

securitycentermanagement.securityHealthAnalyticsCustomModules.list

securitycentermanagement.securityHealthAnalyticsCustomModules.simulate

securitycentermanagement.securityHealthAnalyticsCustomModules.update

serviceusage.operations.*

serviceusage.quotas.get

serviceusage.services.disable

serviceusage.services.enable

serviceusage.services.get

serviceusage.services.list

stackdriver.projects.get

storage.buckets.get

storage.buckets.getIamPolicy

storage.buckets.list

(roles/securitycenter.integrationExecutorServiceAgent)

Gives Security Center access to execute Integrations.

integrations.securityExecutions.cancel

integrations.securityExecutions.list

integrations.securityIntegrations.invoke

(roles/securitycenter.notificationServiceAgent)

Security Center service agent can publish notifications to Pub/Sub topics.

pubsub.topics.publish

(roles/securitycenter.securityHealthAnalyticsServiceAgent)

Security Health Analytics service agent can scan GCP resource metadata to find security vulnerabilities.

bigquery.datasets.get

binaryauthorization.policy.get

cloudasset.assets.*

cloudasset.feeds.*

cloudsql.instances.connect

cloudsql.users.list

compute.globalOperations.get

compute.instances.get

compute.instances.list

compute.networkEndpointGroups.get

compute.projects.get

container.clusters.get

monitoring.alertPolicies.list

orgpolicy.policy.get

recommender.cloudAssetInsights.get

recommender.cloudAssetInsights.list

recommender.locations.*

resourcemanager.projects.get

resourcemanager.projects.list

securitycenter.organizationsettings.get

serviceusage.quotas.get

serviceusage.services.get

serviceusage.services.list

stackdriver.projects.get

(roles/securitycenter.securityResponseServiceAgent)

Gives Playbook Runner permissions to execute all Google-authored playbooks. This role will keep evolving as we add more playbooks.

compute.instances.deleteAccessConfig

compute.instances.get

compute.instances.setMetadata

iam.serviceAccounts.actAs

pubsub.topics.publish

securitycenter.findings.list

storage.buckets.get

storage.buckets.update

(roles/securitycenter.serviceAgent)

Security Center service agent can scan GCP resources and import security scans.

bigquery.datasets.get

binaryauthorization.policy.get

cloudasset.assets.*

cloudasset.feeds.*

cloudsql.instances.connect

cloudsql.users.list

compute.disks.useReadOnly

compute.globalOperations.get

compute.instances.get

compute.instances.list

compute.networkEndpointGroups.get

compute.projects.get

container.clusters.get

iam.denypolicies.get

iam.denypolicies.list

iam.googleapis.com/workloadIdentityPoolProviders.list

iam.googleapis.com/workloadIdentityPools.list

logging.logEntries.list

monitoring.alertPolicies.list

monitoring.timeSeries.list

orgpolicy.policies.list

orgpolicy.policy.get

recommender.cloudAssetInsights.get

recommender.cloudAssetInsights.list

recommender.locations.*

resourcemanager.folders.get

resourcemanager.folders.list

resourcemanager.organizations.get

resourcemanager.projects.get

resourcemanager.projects.getIamPolicy

resourcemanager.projects.list

resourcemanager.tagValues.get

securitycenter.assets.list

securitycenter.assetsecuritymarks.update

securitycenter.findings.list

securitycenter.notificationconfig.create

securitycenter.notificationconfig.delete

securitycenter.notificationconfig.update

securitycenter.organizationsettings.get

securitycenter.resourcevalueconfigs.get

securitycenter.resourcevalueconfigs.list

securitycenter.sources.list

securitycentermanagement.effectiveSecurityHealthAnalyticsCustomModules.*

securitycentermanagement.securityHealthAnalyticsCustomModules.create

securitycentermanagement.securityHealthAnalyticsCustomModules.delete

securitycentermanagement.securityHealthAnalyticsCustomModules.get

securitycentermanagement.securityHealthAnalyticsCustomModules.list

securitycentermanagement.securityHealthAnalyticsCustomModules.simulate

securitycentermanagement.securityHealthAnalyticsCustomModules.update

serviceusage.operations.*

serviceusage.quotas.get

serviceusage.services.disable

serviceusage.services.enable

serviceusage.services.get

serviceusage.services.list

stackdriver.projects.get

storage.buckets.get

storage.buckets.getIamPolicy

storage.buckets.list

(roles/servicedirectory.serviceAgent)

Gives the Service Directory service agent access to Cloud Platform resources.

container.clusters.get

gkehub.features.get

gkehub.locations.*

gkehub.memberships.get

gkehub.memberships.list

resourcemanager.projects.get

resourcemanager.projects.list

servicedirectory.endpoints.create

servicedirectory.endpoints.delete

servicedirectory.endpoints.get

servicedirectory.endpoints.getIamPolicy

servicedirectory.endpoints.list

servicedirectory.endpoints.update

servicedirectory.locations.*

servicedirectory.namespaces.associatePrivateZone

servicedirectory.namespaces.create

servicedirectory.namespaces.delete

servicedirectory.namespaces.get

servicedirectory.namespaces.getIamPolicy

servicedirectory.namespaces.list

servicedirectory.namespaces.update

servicedirectory.networks.attach

servicedirectory.services.bind

servicedirectory.services.create

servicedirectory.services.delete

servicedirectory.services.get

servicedirectory.services.getIamPolicy

servicedirectory.services.list

servicedirectory.services.resolve

servicedirectory.services.update

(roles/servicenetworking.serviceAgent)

Gives permission to manage network configuration, such as establishing network peering, necessary for service producers.

compute.globalAddresses.get

compute.globalAddresses.list

compute.globalOperations.get

compute.networks.addPeering

compute.networks.create

compute.networks.delete

compute.networks.get

compute.networks.list

compute.networks.listPeeringRoutes

compute.networks.removePeering

compute.networks.update

compute.networks.updatePeering

compute.networks.updatePolicy

compute.projects.get

compute.regionOperations.get

compute.routers.get

compute.routers.list

compute.routes.list

compute.subnetworks.create

compute.subnetworks.delete

compute.subnetworks.get

compute.subnetworks.list

dns.changes.*

dns.dnsKeys.*

dns.gkeClusters.*

dns.managedZoneOperations.*

dns.managedZones.create

dns.managedZones.delete

dns.managedZones.get

dns.managedZones.getIamPolicy

dns.managedZones.list

dns.managedZones.update

dns.networks.*

dns.policies.create

dns.policies.delete

dns.policies.get

dns.policies.getIamPolicy

dns.policies.list

dns.policies.update

dns.projects.get

dns.resourceRecordSets.*

dns.responsePolicies.*

dns.responsePolicyRules.*

resourcemanager.projects.get

resourcemanager.projects.list

(roles/sourcerepo.serviceAgent)

Allow Cloud Source Repositories to integrate with other Cloud services.

iam.serviceAccounts.getAccessToken

pubsub.topics.publish

(roles/spanner.serviceAgent)

Cloud Spanner API Service Agent

aiplatform.endpoints.get

aiplatform.endpoints.list

aiplatform.endpoints.predict

aiplatform.models.get

aiplatform.models.list

(roles/speech.serviceAgent)

Gives Speech-to-Text service account access to Cloud Storage resources.

storage.buckets.get

storage.buckets.list

storage.objects.create

storage.objects.get

storage.objects.list

storage.objects.update

(roles/storageinsights.serviceAgent)

Permissions for Insights to write reports into the customer project.

bigquery.datasets.create

serviceusage.services.use

storageinsights.reportDetails.list

(roles/storagetransfer.serviceAgent)

Grants Storage Transfer Service Agent permissions required to run transfers.

pubsub.subscriptions.consume

pubsub.subscriptions.create

pubsub.subscriptions.delete

pubsub.subscriptions.get

pubsub.subscriptions.update

pubsub.topics.attachSubscription

pubsub.topics.create

pubsub.topics.delete

pubsub.topics.get

pubsub.topics.publish

pubsub.topics.update

(roles/stream.serviceAgent)

Gives Immersive Stream for XR access to the required resources.

resourcemanager.projects.get

resourcemanager.projects.list

storage.buckets.create

storage.buckets.get

storage.objects.create

storage.objects.get

storage.objects.list

(roles/tpu.serviceAgent)

Gives the Cloud TPU service account access to managed resources.

compute.globalOperations.get

compute.networks.addPeering

compute.networks.get

compute.networks.removePeering

compute.networks.update

compute.routes.get

compute.routes.list

compute.subnetworks.get

compute.subnetworks.list

compute.zones.*

monitoring.metricDescriptors.create

monitoring.metricDescriptors.get

monitoring.metricDescriptors.list

monitoring.monitoredResourceDescriptors.*

monitoring.timeSeries.create

resourcemanager.projects.get

resourcemanager.projects.list

(roles/transcoder.serviceAgent)

Downloads and uploads media files from and to customer Cloud Storage buckets. Publishes status updates to customer Pub/Sub.

pubsub.topics.publish

storage.objects.create

storage.objects.delete

storage.objects.get

transcoder.jobs.delete

(roles/visionai.serviceAgent)

Grants Cloud Vision AI service account permissions to manage resources in the consumer project.

aiplatform.models.export

aiplatform.models.get

bigquery.datasets.create

bigquery.datasets.get

bigquery.jobs.create

bigquery.jobs.get

bigquery.models.export

bigquery.readsessions.create

bigquery.tables.create

bigquery.tables.export

bigquery.tables.get

bigquery.tables.getData

bigquery.tables.update

bigquery.tables.updateData

bigtable.tables.get

bigtable.tables.list

bigtable.tables.readRows

cloudfunctions.functions.get

cloudfunctions.functions.invoke

cloudfunctions.functions.list

compute.machineTypes.get

logging.logEntries.create

monitoring.metricDescriptors.create

monitoring.metricDescriptors.get

monitoring.metricDescriptors.list

monitoring.monitoredResourceDescriptors.*

monitoring.timeSeries.create

pubsub.subscriptions.consume

pubsub.subscriptions.create

pubsub.subscriptions.delete

pubsub.subscriptions.get

pubsub.subscriptions.list

pubsub.subscriptions.update

pubsub.topics.attachSubscription

pubsub.topics.create

pubsub.topics.delete

pubsub.topics.get

pubsub.topics.list

pubsub.topics.publish

pubsub.topics.update

run.jobs.run

run.routes.invoke

serviceusage.services.use

storage.buckets.create

storage.buckets.delete

storage.buckets.get

storage.buckets.list

storage.objects.create

storage.objects.delete

storage.objects.get

storage.objects.list

storage.objects.update

visionai.analyses.create

visionai.analyses.delete

visionai.analyses.get

visionai.analyses.list

visionai.analyses.update

visionai.annotations.*

visionai.applications.*

visionai.assets.*

visionai.clusters.create

visionai.clusters.delete

visionai.clusters.get

visionai.clusters.list

visionai.clusters.update

visionai.clusters.watch

visionai.corpora.*

visionai.dataSchemas.*

visionai.drafts.*

visionai.events.create

visionai.events.delete

visionai.events.get

visionai.events.list

visionai.events.update

visionai.indexEndpoints.*

visionai.indexes.*

visionai.instances.*

visionai.operations.get

visionai.operations.list

visionai.operators.create

visionai.operators.delete

visionai.operators.get

visionai.operators.list

visionai.operators.update

visionai.processors.create

visionai.processors.delete

visionai.processors.get

visionai.processors.list

visionai.processors.update

visionai.searchConfigs.*

visionai.series.acquireLease

visionai.series.create

visionai.series.delete

visionai.series.get

visionai.series.list

visionai.series.receive

visionai.series.releaseLease

visionai.series.renewLease

visionai.series.send

visionai.series.update

visionai.streams.create

visionai.streams.delete

visionai.streams.get

visionai.streams.list

visionai.streams.receive

visionai.streams.send

visionai.streams.update

visionai.uistreams.*

(roles/visualinspection.serviceAgent)

Grants Visual Inspection AI Service Agent admin roles for accessing and exporting training data, pushing container artifacts to GCR and Artifact Registry, and using Vertex AI for storing data and running training jobs.

aiplatform.*

artifactregistry.aptartifacts.create

artifactregistry.dockerimages.*

artifactregistry.files.*

artifactregistry.kfpartifacts.create

artifactregistry.locations.*

artifactregistry.mavenartifacts.*

artifactregistry.npmpackages.*

artifactregistry.packages.*

artifactregistry.projectsettings.*

artifactregistry.pythonpackages.*

artifactregistry.repositories.create

artifactregistry.repositories.createTagBinding

artifactregistry.repositories.delete

artifactregistry.repositories.deleteArtifacts

artifactregistry.repositories.deleteTagBinding

artifactregistry.repositories.downloadArtifacts

artifactregistry.repositories.get

artifactregistry.repositories.getIamPolicy

artifactregistry.repositories.list

artifactregistry.repositories.listEffectiveTags

artifactregistry.repositories.listTagBindings

artifactregistry.repositories.readViaVirtualRepository

artifactregistry.repositories.setIamPolicy

artifactregistry.repositories.update

artifactregistry.repositories.uploadArtifacts

artifactregistry.tags.*

artifactregistry.versions.*

artifactregistry.yumartifacts.create

firebase.projects.get

orgpolicy.policy.get

recommender.iamPolicyInsights.*

recommender.iamPolicyRecommendations.*

resourcemanager.projects.get

resourcemanager.projects.list

storage.anywhereCaches.*

storage.bucketOperations.*

storage.buckets.*

storage.managedFolders.*

storage.multipartUploads.*

storage.objects.*

(roles/vmmigration.serviceAgent)

Grants VM Migration Service Account access to create migrated VMs, disks and images in the user project.

compute.addresses.get

compute.addresses.list

compute.addresses.use

compute.addresses.useInternal

compute.disks.create

compute.disks.delete

compute.disks.get

compute.disks.setLabels

compute.disks.use

compute.disks.useReadOnly

compute.globalOperations.get

compute.globalOperations.list

compute.images.create

compute.images.get

compute.images.setLabels

compute.images.useReadOnly

compute.instances.create

compute.instances.delete

compute.instances.get

compute.instances.setLabels

compute.instances.setMetadata

compute.instances.setServiceAccount

compute.instances.setTags

compute.subnetworks.use

compute.subnetworks.useExternalIp

compute.zoneOperations.get

compute.zoneOperations.list

(roles/vmwareengine.serviceAgent)

Gives permission to manage network configuration, such as establishing network peering, necessary for GCVE.

compute.globalAddresses.get

compute.globalAddresses.list

compute.globalOperations.get

compute.networks.addPeering

compute.networks.get

compute.networks.list

compute.networks.listPeeringRoutes

compute.networks.removePeering

compute.networks.update

compute.networks.updatePeering

compute.networks.updatePolicy

compute.projects.get

compute.regionOperations.get

compute.routers.get

compute.routers.list

compute.routes.list

compute.subnetworks.get

compute.subnetworks.list

dns.changes.*

dns.dnsKeys.*

dns.gkeClusters.*

dns.managedZoneOperations.*

dns.managedZones.create

dns.managedZones.delete

dns.managedZones.get

dns.managedZones.getIamPolicy

dns.managedZones.list

dns.managedZones.update

dns.networks.*

dns.policies.create

dns.policies.delete

dns.policies.get

dns.policies.getIamPolicy

dns.policies.list

dns.policies.update

dns.projects.get

dns.resourceRecordSets.*

dns.responsePolicies.*

dns.responsePolicyRules.*

resourcemanager.projects.get

resourcemanager.projects.list

vmwareengine.externalAddresses.get

vmwareengine.externalAddresses.list

vmwareengine.nodes.*

(roles/vpcaccess.serviceAgent)

Can create and manage resources that let serverless applications connect to a virtual private cloud.

billing.accounts.get

compute.autoscalers.*

compute.disks.create

compute.firewalls.create

compute.firewalls.delete

compute.firewalls.get

compute.firewalls.list

compute.firewalls.update

compute.healthChecks.create

compute.healthChecks.delete

compute.healthChecks.get

compute.healthChecks.list

compute.healthChecks.update

compute.healthChecks.use

compute.healthChecks.useReadOnly

compute.httpHealthChecks.create

compute.httpHealthChecks.delete

compute.httpHealthChecks.get

compute.httpHealthChecks.list

compute.httpHealthChecks.use

compute.httpHealthChecks.useReadOnly

compute.httpsHealthChecks.create

compute.httpsHealthChecks.delete

compute.httpsHealthChecks.get

compute.httpsHealthChecks.update

compute.httpsHealthChecks.use

compute.httpsHealthChecks.useReadOnly

compute.images.get

compute.images.useReadOnly

compute.instanceGroupManagers.create

compute.instanceGroupManagers.delete

compute.instanceGroupManagers.get

compute.instanceGroupManagers.update

compute.instanceGroupManagers.use

compute.instanceGroups.create

compute.instanceGroups.delete

compute.instanceGroups.get

compute.instanceGroups.update

compute.instanceTemplates.create

compute.instanceTemplates.delete

compute.instanceTemplates.get

compute.instanceTemplates.useReadOnly

compute.instances.create

compute.instances.delete

compute.instances.get

compute.instances.getGuestAttributes

compute.instances.list

compute.instances.reset

compute.instances.setLabels

compute.instances.setMetadata

compute.instances.setTags

compute.instances.start

compute.instances.stop

compute.instances.use

compute.machineTypes.get

compute.networks.get

compute.networks.use

compute.projects.get

compute.projects.setCommonInstanceMetadata

compute.regionOperations.get

compute.regionOperations.list

compute.regions.*

compute.subnetworks.create

compute.subnetworks.delete

compute.subnetworks.get

compute.subnetworks.list

compute.subnetworks.use

compute.zoneOperations.get

compute.zoneOperations.list

compute.zones.*

deploymentmanager.compositeTypes.get

deploymentmanager.deployments.create

deploymentmanager.deployments.delete

deploymentmanager.deployments.get

deploymentmanager.deployments.list

deploymentmanager.deployments.update

deploymentmanager.manifests.*

deploymentmanager.operations.*

deploymentmanager.typeProviders.create

deploymentmanager.typeProviders.get

logging.logEntries.create

logging.logMetrics.create

logging.logMetrics.delete

logging.logMetrics.get

logging.logMetrics.update

resourcemanager.projects.get

(roles/websecurityscanner.serviceAgent)

Gives the Cloud Web Security Scanner service account access to Compute Engine details and App Engine details.

appengine.applications.get

cloudasset.assets.listResource

compute.addresses.list

compute.backendServices.get

compute.forwardingRules.get

compute.globalForwardingRules.get

compute.sslCertificates.list

compute.targetHttpProxies.get

compute.targetHttpsProxies.get

compute.urlMaps.get

(roles/workflows.serviceAgent)

Gives Cloud Workflows service account access to managed resources.

iam.serviceAccounts.get

iam.serviceAccounts.getAccessToken

iam.serviceAccounts.getOpenIdToken

serviceusage.services.use

(roles/workloadcertificate.serviceAgent)

Gives the Workload Certificate service agent access to Cloud Platform resources.

container.clusterRoleBindings.get

container.clusterRoleBindings.list

container.clusters.get

container.clusters.update

container.customResourceDefinitions.create

container.customResourceDefinitions.get

container.customResourceDefinitions.list

container.operations.get

container.thirdPartyObjects.update

gkehub.features.get

gkehub.fleet.create

gkehub.fleet.get

gkehub.locations.*

gkehub.memberships.get

gkehub.memberships.list

gkehub.operations.get

serviceconsumermanagement.tenancyu.addResource

serviceconsumermanagement.tenancyu.create

serviceconsumermanagement.tenancyu.delete

serviceconsumermanagement.tenancyu.removeResource

serviceusage.services.use

workloadcertificate.workloadCertificateFeature.get

workloadcertificate.workloadRegistrations.list

(roles/workloadmanager.serviceAgent)

Gives Workload Manager Service Agent access to CAI export functions and Cloud Monitoring.

cloudasset.assets.exportAccessPolicy

cloudasset.assets.exportIamPolicy

cloudasset.assets.exportOSInventories

cloudasset.assets.exportOrgPolicy

cloudasset.assets.exportResource

cloudasset.assets.searchAllResources

config.deployments.create

config.deployments.delete

config.deployments.get

config.deployments.list

config.deployments.update

config.locations.*

config.operations.*

config.resources.list

config.revisions.get

config.revisions.list

monitoring.metricDescriptors.get

monitoring.metricDescriptors.list

monitoring.monitoredResourceDescriptors.*

monitoring.timeSeries.list

workloadmanager.insights.export

(roles/workstations.serviceAgent)

Grants the Workstations Service Account access to manage resources in the consumer project.

compute.addresses.create

compute.addresses.createInternal

compute.addresses.delete

compute.addresses.deleteInternal

compute.addresses.get

compute.addresses.use

compute.disks.create

compute.disks.createSnapshot

compute.disks.createTagBinding

compute.disks.delete

compute.disks.deleteTagBinding

compute.disks.get

compute.disks.list

compute.disks.setLabels

compute.disks.use

compute.disks.useReadOnly

compute.firewalls.create

compute.firewalls.delete

compute.firewalls.get

compute.firewalls.update

compute.forwardingRules.create

compute.forwardingRules.delete

compute.forwardingRules.get

compute.forwardingRules.pscCreate

compute.forwardingRules.pscDelete

compute.globalOperations.get

compute.instances.attachDisk

compute.instances.create

compute.instances.createTagBinding

compute.instances.delete

compute.instances.deleteTagBinding

compute.instances.detachDisk

compute.instances.get

compute.instances.getGuestAttributes

compute.instances.setLabels

compute.instances.setMetadata

compute.instances.setServiceAccount

compute.instances.setTags

compute.networks.addPeering

compute.networks.get

compute.networks.removePeering

compute.networks.updatePolicy

compute.networks.use

compute.networks.useExternalIp

compute.regionOperations.get

compute.regions.get

compute.snapshots.create

compute.snapshots.delete

compute.snapshots.get

compute.snapshots.setLabels

compute.snapshots.useReadOnly

compute.subnetworks.get

compute.subnetworks.use

compute.subnetworks.useExternalIp

compute.zoneOperations.get

dns.networks.bindPrivateDNSZone

dns.networks.targetWithPeeringZone

iam.serviceAccounts.actAs

iam.serviceAccounts.get

iam.serviceAccounts.list

resourcemanager.tagValueBindings.*

servicedirectory.namespaces.create

servicedirectory.namespaces.delete

servicedirectory.services.create

servicedirectory.services.delete

Permissions

(roles/serviceconsumermanagement.tenancyUnitsAdmin)

Administer tenancy units.

serviceconsumermanagement.tenancyu.*

(roles/serviceconsumermanagement.tenancyUnitsViewer)

View tenancy units.

serviceconsumermanagement.tenancyu.list

Permissions

(roles/servicedirectory.admin)

Full control of all Service Directory resources and permissions.

resourcemanager.projects.get

resourcemanager.projects.list

servicedirectory.endpoints.*

servicedirectory.locations.*

servicedirectory.namespaces.*

servicedirectory.networks.attach

servicedirectory.services.*

(roles/servicedirectory.editor)

Edit Service Directory resources.

resourcemanager.projects.get

resourcemanager.projects.list

servicedirectory.endpoints.create

servicedirectory.endpoints.delete

servicedirectory.endpoints.get

servicedirectory.endpoints.getIamPolicy

servicedirectory.endpoints.list

servicedirectory.endpoints.update

servicedirectory.locations.*

servicedirectory.namespaces.associatePrivateZone

servicedirectory.namespaces.create

servicedirectory.namespaces.delete

servicedirectory.namespaces.get

servicedirectory.namespaces.getIamPolicy

servicedirectory.namespaces.list

servicedirectory.namespaces.update

servicedirectory.networks.attach

servicedirectory.services.bind

servicedirectory.services.create

servicedirectory.services.delete

servicedirectory.services.get

servicedirectory.services.getIamPolicy

servicedirectory.services.list

servicedirectory.services.resolve

servicedirectory.services.update

(roles/servicedirectory.networkAttacher)

Gives access to attach VPC networks to Service Directory endpoints.

resourcemanager.projects.get

resourcemanager.projects.list

servicedirectory.networks.attach

(roles/servicedirectory.pscAuthorizedService)

Gives access to VPC networks via Service Directory.

resourcemanager.projects.get

resourcemanager.projects.list

servicedirectory.networks.access

(roles/servicedirectory.viewer)

View Service Directory resources.

resourcemanager.projects.get

resourcemanager.projects.list

servicedirectory.endpoints.get

servicedirectory.endpoints.getIamPolicy

servicedirectory.endpoints.list

servicedirectory.locations.*

servicedirectory.namespaces.get

servicedirectory.namespaces.getIamPolicy

servicedirectory.namespaces.list

servicedirectory.services.get

servicedirectory.services.getIamPolicy

servicedirectory.services.list

servicedirectory.services.resolve

Permissions

(roles/serverless.serviceAgent)

Gives Cloud Run service account access to managed resources.

artifactregistry.dockerimages.*

artifactregistry.files.*

artifactregistry.locations.*

artifactregistry.mavenartifacts.*

artifactregistry.npmpackages.*

artifactregistry.packages.get

artifactregistry.packages.list

artifactregistry.projectsettings.get

artifactregistry.pythonpackages.*

artifactregistry.repositories.downloadArtifacts

artifactregistry.repositories.get

artifactregistry.repositories.list

artifactregistry.repositories.listEffectiveTags

artifactregistry.repositories.listTagBindings

artifactregistry.repositories.readViaVirtualRepository

artifactregistry.tags.get

artifactregistry.tags.list

artifactregistry.versions.get

artifactregistry.versions.list

binaryauthorization.platformPolicies.evaluatePolicy

binaryauthorization.policy.evaluatePolicy

clientauthconfig.clients.list

cloudbuild.builds.create

cloudbuild.builds.get

compute.addresses.createInternal

compute.addresses.deleteInternal

compute.addresses.get

compute.addresses.list

compute.globalOperations.get

compute.networks.access

compute.networks.get

compute.subnetworks.get

compute.subnetworks.use

iam.serviceAccounts.actAs

iam.serviceAccounts.getAccessToken

iam.serviceAccounts.getOpenIdToken

iam.serviceAccounts.signBlob

pubsub.subscriptions.create

pubsub.subscriptions.delete

pubsub.subscriptions.get

pubsub.subscriptions.list

pubsub.topics.attachSubscription

pubsub.topics.create

pubsub.topics.delete

pubsub.topics.get

pubsub.topics.list

pubsub.topics.publish

resourcemanager.projects.get

resourcemanager.projects.getIamPolicy

resourcemanager.projects.list

run.routes.invoke

serviceusage.services.use

storage.managedFolders.get

storage.managedFolders.list

storage.objects.get

storage.objects.list

vpcaccess.connectors.get

vpcaccess.connectors.use

(roles/servicemanagement.admin)

Full control of Google Service Management resources.

monitoring.timeSeries.list

resourcemanager.folders.get

resourcemanager.folders.list

resourcemanager.organizations.get

resourcemanager.projects.get

resourcemanager.projects.list

serviceconsumermanagement.*

servicemanagement.*

serviceusage.quotas.get

serviceusage.services.get

(roles/servicemanagement.configEditor)

Access to update the service config and create rollouts.

servicemanagement.services.get

servicemanagement.services.update

(roles/servicemanagement.quotaAdmin)

Provides access to administer service quotas.

Lowest-level resources where you can grant this role:

  • Project

cloudquotas.*

monitoring.alertPolicies.*

monitoring.timeSeries.list

resourcemanager.organizations.get

resourcemanager.projects.get

resourcemanager.projects.list

serviceusage.quotas.*

serviceusage.services.disable

serviceusage.services.enable

serviceusage.services.get

serviceusage.services.list

(roles/servicemanagement.quotaViewer)

Provides access to view service quotas.

Lowest-level resources where you can grant this role:

  • Project

cloudquotas.quotas.get

monitoring.timeSeries.list

serviceusage.quotas.get

serviceusage.services.get

serviceusage.services.list

(roles/servicemanagement.reporter)

Can report usage of a service during runtime.

servicemanagement.services.report

(roles/servicemanagement.serviceConsumer)

Can enable the service.

servicemanagement.services.bind

(roles/servicemanagement.serviceController)

Can check preconditions and report usage of a service during runtime.

Lowest-level resources where you can grant this role:

  • Project

servicemanagement.services.check

servicemanagement.services.get

servicemanagement.services.quota

servicemanagement.services.report

Permissions

(roles/servicenetworking.networksAdmin)

Full control of service networking with projects.

servicenetworking.*

Permissions

(roles/serviceusage.apiKeysAdmin)

Ability to create, delete, update, get and list API keys for a project.

apikeys.*

serviceusage.apiKeys.*

serviceusage.operations.get

(roles/serviceusage.apiKeysViewer)

Ability to get and list API keys for a project.

apikeys.keys.get

apikeys.keys.getKeyString

apikeys.keys.list

apikeys.keys.lookup

(roles/serviceusage.serviceUsageAdmin)

Ability to enable, disable, and inspect service states, inspect operations, and consume quota and billing for a consumer project.

monitoring.timeSeries.list

serviceusage.operations.*

serviceusage.quotas.*

serviceusage.services.*

(roles/serviceusage.serviceUsageConsumer)

Ability to inspect service states and operations, and consume quota and billing for a consumer project.

monitoring.timeSeries.list

serviceusage.operations.get

serviceusage.operations.list

serviceusage.quotas.get

serviceusage.services.get

serviceusage.services.list

serviceusage.services.use

(roles/serviceusage.serviceUsageViewer)

Ability to inspect service states and operations for a consumer project.

monitoring.timeSeries.list

serviceusage.operations.get

serviceusage.operations.list

serviceusage.quotas.get

serviceusage.services.get

serviceusage.services.list

Permissions

(roles/source.admin)

Provides permissions to create, update, delete, list, clone, fetch, and browse repositories. Also provides permissions to read and change IAM policies.

Lowest-level resources where you can grant this role:

  • Repository

source.*

(roles/source.reader)

Provides permissions to list, clone, fetch, and browse repositories.

Lowest-level resources where you can grant this role:

  • Repository

source.repos.get

source.repos.list

(roles/source.writer)

Provides permissions to list, clone, fetch, browse, and update repositories.

Lowest-level resources where you can grant this role:

  • Repository

source.repos.get

source.repos.list

source.repos.update

Permissions

(roles/stackdriver.accounts.editor)

Read/write access to manage Stackdriver account structure.

resourcemanager.projects.get

resourcemanager.projects.list

serviceusage.services.enable

serviceusage.services.get

stackdriver.projects.*

(roles/stackdriver.accounts.viewer)

Read-only access to get and list information about Stackdriver account structure.

resourcemanager.projects.get

resourcemanager.projects.list

stackdriver.projects.get

(roles/stackdriver.resourceMetadata.writer)

Write-only access to resource metadata. This provides exactly the permissions needed by the Stackdriver metadata agent and other systems that send metadata.

stackdriver.resourceMetadata.write

Permissions

(roles/stream.admin)

Full access to all Stream resources.

resourcemanager.projects.get

resourcemanager.projects.list

stream.*

(roles/stream.contentAdmin)

Full access to all StreamContent resources.

resourcemanager.projects.get

resourcemanager.projects.list

stream.streamContents.*

(roles/stream.contentBuilder)

Read and build access to StreamContent resources.

resourcemanager.projects.get

resourcemanager.projects.list

stream.streamContents.build

stream.streamContents.get

stream.streamContents.list

(roles/stream.instanceAdmin)

Full access to all StreamInstance resources and read access to all StreamContent resources.

resourcemanager.projects.get

resourcemanager.projects.list

stream.streamContents.get

stream.streamContents.list

stream.streamInstances.*

(roles/stream.viewer)

Read-only access to all Stream resources.

resourcemanager.projects.get

resourcemanager.projects.list

stream.locations.*

stream.operations.get

stream.operations.list

stream.streamContents.get

stream.streamContents.list

stream.streamInstances.get

stream.streamInstances.list

Permissions

(roles/cloudsupport.admin)

Allows management of a support account without giving access to support cases. See the Cloud Support documentation for more information.

Lowest-level resources where you can grant this role:

  • Organization

cloudsupport.accounts.*

cloudsupport.operations.get

cloudsupport.properties.get

resourcemanager.organizations.get

(roles/cloudsupport.techSupportEditor)

Full read-write access to technical support cases (applicable for GCP Customer Care and Maps support). See the Cloud Support documentation for more information.

cloudasset.assets.searchAllResources

cloudsupport.properties.get

cloudsupport.techCases.*

resourcemanager.projects.get

resourcemanager.projects.list

(roles/cloudsupport.techSupportViewer)

Read-only access to technical support cases (applicable for GCP Customer Care and Maps support). See the Cloud Support documentation for more information.

cloudsupport.properties.get

cloudsupport.techCases.get

cloudsupport.techCases.list

resourcemanager.projects.get

resourcemanager.projects.list

(roles/cloudsupport.viewer)

Read-only access to details of a support account. This does not allow viewing cases. See the Cloud Support documentation for more information.

Lowest-level resources where you can grant this role:

  • Organization

cloudsupport.accounts.get

cloudsupport.accounts.getUserRoles

cloudsupport.accounts.list

cloudsupport.properties.get

Permissions

(roles/dellemccloudonefs.admin)

This role is managed by Dell EMC, not Google.

cloudonefs.isiloncloud.com/*

resourcemanager.projects.get

resourcemanager.projects.list

(roles/dellemccloudonefs.user)

This role is managed by Dell EMC, not Google.

cloudonefs.isiloncloud.com/clusters.create

cloudonefs.isiloncloud.com/clusters.delete

cloudonefs.isiloncloud.com/clusters.get

cloudonefs.isiloncloud.com/clusters.list

cloudonefs.isiloncloud.com/clusters.update

cloudonefs.isiloncloud.com/fileshares.*

resourcemanager.projects.get

resourcemanager.projects.list

(roles/dellemccloudonefs.viewer)

This role is managed by Dell EMC, not Google.

cloudonefs.isiloncloud.com/clusters.get

cloudonefs.isiloncloud.com/clusters.list

cloudonefs.isiloncloud.com/fileshares.get

cloudonefs.isiloncloud.com/fileshares.list

resourcemanager.projects.get

resourcemanager.projects.list

(roles/netappcloudvolumes.admin)

This role is managed by NetApp, not Google.

cloudvolumesgcp-api.netapp.com/*

resourcemanager.projects.get

resourcemanager.projects.list

(roles/netappcloudvolumes.viewer)

This role is managed by NetApp, not Google.

cloudvolumesgcp-api.netapp.com/activeDirectories.get

cloudvolumesgcp-api.netapp.com/activeDirectories.list

cloudvolumesgcp-api.netapp.com/ipRanges.list

cloudvolumesgcp-api.netapp.com/jobs.*

cloudvolumesgcp-api.netapp.com/regions.list

cloudvolumesgcp-api.netapp.com/serviceLevels.list

cloudvolumesgcp-api.netapp.com/snapshots.get

cloudvolumesgcp-api.netapp.com/snapshots.list

cloudvolumesgcp-api.netapp.com/volumes.get

cloudvolumesgcp-api.netapp.com/volumes.list

resourcemanager.projects.get

resourcemanager.projects.list

(roles/redisenterprisecloud.admin)

This role is managed by Redis Labs, not Google.

gcp.redisenterprise.com/*

resourcemanager.projects.get

resourcemanager.projects.list

(roles/redisenterprisecloud.viewer)

This role is managed by Redis Labs, not Google.

gcp.redisenterprise.com/databases.get

gcp.redisenterprise.com/databases.list

gcp.redisenterprise.com/subscriptions.get

gcp.redisenterprise.com/subscriptions.list

resourcemanager.projects.get

resourcemanager.projects.list

Permissions

(roles/transcoder.admin)

Full access to all transcoder resources.

resourcemanager.projects.get

resourcemanager.projects.list

transcoder.*

(roles/transcoder.viewer)

Viewer of all transcoder resources.

resourcemanager.projects.get

resourcemanager.projects.list

transcoder.jobTemplates.get

transcoder.jobTemplates.list

transcoder.jobs.get

transcoder.jobs.list

Permissions

(roles/transferappliance.admin)

Full access to all Transfer Appliance resources.

resourcemanager.projects.get

resourcemanager.projects.list

transferappliance.*

(roles/transferappliance.viewer)

Read-only access to all Transfer Appliance resources.

resourcemanager.projects.get

resourcemanager.projects.list

transferappliance.appliances.get

transferappliance.appliances.list

transferappliance.locations.*

transferappliance.operations.get

transferappliance.operations.list

transferappliance.orders.get

transferappliance.orders.list

transferappliance.savedAddresses.get

transferappliance.savedAddresses.list

Permissions

(roles/aiplatform.admin)

Grants full access to all resources in Vertex AI.

aiplatform.*

resourcemanager.projects.get

resourcemanager.projects.list

(roles/aiplatform.colabEnterpriseAdmin)

Admin role for using Colab Enterprise.

aiplatform.notebookRuntimeTemplates.apply

aiplatform.notebookRuntimeTemplates.create

aiplatform.notebookRuntimeTemplates.delete

aiplatform.notebookRuntimeTemplates.get

aiplatform.notebookRuntimeTemplates.getIamPolicy

aiplatform.notebookRuntimeTemplates.list

aiplatform.notebookRuntimeTemplates.setIamPolicy

aiplatform.notebookRuntimes.*

aiplatform.operations.list

aiplatform.pipelineJobs.create

aiplatform.schedules.*

compute.reservations.get

compute.reservations.list

dataform.*

resourcemanager.projects.get

resourcemanager.projects.list

(roles/aiplatform.colabEnterpriseUser)

User role for using Colab Enterprise.

aiplatform.notebookRuntimeTemplates.apply

aiplatform.notebookRuntimeTemplates.get

aiplatform.notebookRuntimeTemplates.getIamPolicy

aiplatform.notebookRuntimeTemplates.list

aiplatform.notebookRuntimes.assign

aiplatform.notebookRuntimes.get

aiplatform.notebookRuntimes.list

aiplatform.operations.list

aiplatform.pipelineJobs.create

aiplatform.schedules.*

dataform.locations.*

dataform.repositories.create

dataform.repositories.list

resourcemanager.projects.get

resourcemanager.projects.list

(roles/aiplatform.entityTypeOwner)

Provides full access to all permissions for a particular entity type resource.

Lowest-level resources where you can grant this role:

  • Entity type

aiplatform.entityTypes.delete

aiplatform.entityTypes.deleteFeatureValues

aiplatform.entityTypes.exportFeatureValues

aiplatform.entityTypes.get

aiplatform.entityTypes.getIamPolicy

aiplatform.entityTypes.importFeatureValues

aiplatform.entityTypes.readFeatureValues

aiplatform.entityTypes.setIamPolicy

aiplatform.entityTypes.streamingReadFeatureValues

aiplatform.entityTypes.update

aiplatform.entityTypes.writeFeatureValues

aiplatform.featureGroups.get

aiplatform.featureGroups.list

aiplatform.featureOnlineStores.get

aiplatform.featureOnlineStores.list

aiplatform.featureViewSyncs.*

aiplatform.featureViews.fetchFeatureValues

aiplatform.featureViews.get

aiplatform.featureViews.list

aiplatform.featureViews.searchNearestEntities

aiplatform.features.*

aiplatform.featurestores.batchReadFeatureValues

resourcemanager.projects.get

resourcemanager.projects.list

(roles/aiplatform.featurestoreAdmin)

Grants full access to all resources in Vertex AI Feature Store.

Lowest-level resources where you can grant this role:

  • Entity type

aiplatform.entityTypes.*

aiplatform.featureGroups.*

aiplatform.featureOnlineStores.*

aiplatform.featureViewSyncs.*

aiplatform.featureViews.*

aiplatform.features.*

aiplatform.featurestores.*

aiplatform.operations.list

resourcemanager.projects.get

resourcemanager.projects.list

(roles/aiplatform.featurestoreDataViewer)

This role provides permissions to read Feature data.

Lowest-level resources where you can grant this role:

  • Entity type

aiplatform.entityTypes.exportFeatureValues

aiplatform.entityTypes.get

aiplatform.entityTypes.readFeatureValues

aiplatform.entityTypes.streamingReadFeatureValues

aiplatform.featureGroups.get

aiplatform.featureGroups.list

aiplatform.featureOnlineStores.get

aiplatform.featureOnlineStores.list

aiplatform.featureViewSyncs.*

aiplatform.featureViews.fetchFeatureValues

aiplatform.featureViews.get

aiplatform.featureViews.list

aiplatform.featureViews.searchNearestEntities

aiplatform.features.get

aiplatform.features.list

aiplatform.featurestores.batchReadFeatureValues

resourcemanager.projects.get

resourcemanager.projects.list

(roles/aiplatform.featurestoreDataWriter)

This role provides permissions to read and write Feature data.

Lowest-level resources where you can grant this role:

  • Entity type

aiplatform.entityTypes.deleteFeatureValues

aiplatform.entityTypes.exportFeatureValues

aiplatform.entityTypes.get

aiplatform.entityTypes.importFeatureValues

aiplatform.entityTypes.readFeatureValues

aiplatform.entityTypes.streamingReadFeatureValues

aiplatform.entityTypes.writeFeatureValues

aiplatform.featureGroups.get

aiplatform.featureGroups.list

aiplatform.featureOnlineStores.get

aiplatform.featureOnlineStores.list

aiplatform.featureViewSyncs.*

aiplatform.featureViews.fetchFeatureValues

aiplatform.featureViews.get

aiplatform.featureViews.list

aiplatform.featureViews.searchNearestEntities

aiplatform.features.get

aiplatform.features.list

aiplatform.featurestores.batchReadFeatureValues

resourcemanager.projects.get

resourcemanager.projects.list

(roles/aiplatform.featurestoreInstanceCreator)

Administrator of Featurestore resources, but not the child resources under Featurestores.

Lowest-level resources where you can grant this role:

  • Featurestore

aiplatform.featurestores.create

aiplatform.featurestores.delete

aiplatform.featurestores.get

aiplatform.featurestores.list

aiplatform.featurestores.update

(roles/aiplatform.featurestoreResourceViewer)

Viewer of all resources in Vertex AI Feature Store but cannot make changes.

Lowest-level resources where you can grant this role:

  • Entity type

aiplatform.entityTypes.get

aiplatform.entityTypes.list

aiplatform.featureGroups.get

aiplatform.featureGroups.list

aiplatform.featureOnlineStores.get

aiplatform.featureOnlineStores.list

aiplatform.featureViewSyncs.*

aiplatform.featureViews.get

aiplatform.featureViews.list

aiplatform.features.get

aiplatform.features.list

aiplatform.featurestores.get

aiplatform.featurestores.list

aiplatform.operations.list

resourcemanager.projects.get

resourcemanager.projects.list

(roles/aiplatform.featurestoreUser)

Deprecated. Use featurestoreAdmin instead.

aiplatform.entityTypes.*

aiplatform.features.*

aiplatform.featurestores.*

aiplatform.operations.list

resourcemanager.projects.get

resourcemanager.projects.list

(roles/aiplatform.migrator)

Grants access to use the migration service in Vertex AI.

aiplatform.migratableResources.*

(roles/aiplatform.notebookExecutorUser)

Grants users full access to schedules and notebook execution jobs.

aiplatform.operations.list

aiplatform.pipelineJobs.create

aiplatform.schedules.*

(roles/aiplatform.notebookRuntimeAdmin)

Grants full access to all runtime templates and runtimes in Notebook Service.

aiplatform.notebookRuntimeTemplates.apply

aiplatform.notebookRuntimeTemplates.create

aiplatform.notebookRuntimeTemplates.delete

aiplatform.notebookRuntimeTemplates.get

aiplatform.notebookRuntimeTemplates.getIamPolicy

aiplatform.notebookRuntimeTemplates.list

aiplatform.notebookRuntimeTemplates.setIamPolicy

aiplatform.notebookRuntimes.*

aiplatform.operations.list

compute.reservations.get

compute.reservations.list

(roles/aiplatform.notebookRuntimeUser)

Grants users permissions to create runtime resources using a runtime template and manage the runtime resources they created.

aiplatform.notebookRuntimeTemplates.apply

aiplatform.notebookRuntimeTemplates.get

aiplatform.notebookRuntimeTemplates.getIamPolicy

aiplatform.notebookRuntimeTemplates.list

aiplatform.notebookRuntimes.assign

aiplatform.notebookRuntimes.get

aiplatform.notebookRuntimes.list

aiplatform.operations.list

(roles/aiplatform.tensorboardWebAppUser)

Grants access to the Vertex AI TensorBoard web app.

aiplatform.tensorboards.recordAccess

(roles/aiplatform.user)

Grants access to use all resources in Vertex AI.

aiplatform.annotationSpecs.*

aiplatform.annotations.*

aiplatform.artifacts.*

aiplatform.batchPredictionJobs.*

aiplatform.contexts.*

aiplatform.customJobs.*

aiplatform.dataItems.*

aiplatform.dataLabelingJobs.*

aiplatform.datasetVersions.*

aiplatform.datasets.*

aiplatform.deploymentResourcePools.*

aiplatform.edgeDeploymentJobs.*

aiplatform.edgeDeviceDebugInfo.get

aiplatform.edgeDevices.*

aiplatform.endpoints.create

aiplatform.endpoints.delete

aiplatform.endpoints.deploy

aiplatform.endpoints.explain

aiplatform.endpoints.get

aiplatform.endpoints.list

aiplatform.endpoints.predict

aiplatform.endpoints.undeploy

aiplatform.endpoints.update

aiplatform.entityTypes.create

aiplatform.entityTypes.delete

aiplatform.entityTypes.deleteFeatureValues

aiplatform.entityTypes.exportFeatureValues

aiplatform.entityTypes.get

aiplatform.entityTypes.importFeatureValues

aiplatform.entityTypes.list

aiplatform.entityTypes.readFeatureValues

aiplatform.entityTypes.streamingReadFeatureValues

aiplatform.entityTypes.update

aiplatform.entityTypes.writeFeatureValues

aiplatform.executions.*

aiplatform.featureGroups.*

aiplatform.featureOnlineStores.*

aiplatform.featureViewSyncs.*

aiplatform.featureViews.*

aiplatform.features.*

aiplatform.featurestores.batchReadFeatureValues

aiplatform.featurestores.create

aiplatform.featurestores.delete

aiplatform.featurestores.exportFeatures

aiplatform.featurestores.get

aiplatform.featurestores.importFeatures

aiplatform.featurestores.list

aiplatform.featurestores.readFeatures

aiplatform.featurestores.update

aiplatform.featurestores.writeFeatures

aiplatform.humanInTheLoops.*

aiplatform.hyperparameterTuningJobs.*

aiplatform.indexEndpoints.*

aiplatform.indexes.*

aiplatform.locations.*

aiplatform.metadataSchemas.*

aiplatform.metadataStores.*

aiplatform.modelDeploymentMonitoringJobs.*

aiplatform.modelEvaluationSlices.*

aiplatform.modelEvaluations.*

aiplatform.models.*

aiplatform.nasJobs.*

aiplatform.nasTrialDetails.*

aiplatform.notebookRuntimeTemplates.apply

aiplatform.notebookRuntimeTemplates.create

aiplatform.notebookRuntimeTemplates.delete

aiplatform.notebookRuntimeTemplates.get

aiplatform.notebookRuntimeTemplates.list

aiplatform.notebookRuntimeTemplates.update

aiplatform.notebookRuntimes.*

aiplatform.operations.list

aiplatform.persistentResources.get

aiplatform.persistentResources.list

aiplatform.pipelineJobs.*

aiplatform.schedules.*

aiplatform.specialistPools.*

aiplatform.studies.*

aiplatform.tensorboardExperiments.*

aiplatform.tensorboardRuns.*

aiplatform.tensorboardTimeSeries.*

aiplatform.tensorboards.create

aiplatform.tensorboards.delete

aiplatform.tensorboards.get

aiplatform.tensorboards.list

aiplatform.tensorboards.update

aiplatform.trainingPipelines.*

aiplatform.trials.*

resourcemanager.projects.get

resourcemanager.projects.list

(roles/aiplatform.viewer)

Grants access to view all resources in Vertex AI.

aiplatform.annotationSpecs.get

aiplatform.annotationSpecs.list

aiplatform.annotations.get

aiplatform.annotations.list

aiplatform.artifacts.get

aiplatform.artifacts.list

aiplatform.batchPredictionJobs.get

aiplatform.batchPredictionJobs.list

aiplatform.contexts.get

aiplatform.contexts.list

aiplatform.contexts.queryContextLineageSubgraph

aiplatform.customJobs.get

aiplatform.customJobs.list

aiplatform.dataItems.get

aiplatform.dataItems.list

aiplatform.dataLabelingJobs.get

aiplatform.dataLabelingJobs.list

aiplatform.datasetVersions.get

aiplatform.datasetVersions.list

aiplatform.datasets.get

aiplatform.datasets.list

aiplatform.deploymentResourcePools.get

aiplatform.deploymentResourcePools.list

aiplatform.deploymentResourcePools.queryDeployedModels

aiplatform.edgeDeploymentJobs.get

aiplatform.edgeDeploymentJobs.list

aiplatform.edgeDeviceDebugInfo.get

aiplatform.edgeDevices.get

aiplatform.edgeDevices.list

aiplatform.endpoints.get

aiplatform.endpoints.list

aiplatform.entityTypes.get

aiplatform.entityTypes.list

aiplatform.executions.get

aiplatform.executions.list

aiplatform.executions.queryExecutionInputsAndOutputs

aiplatform.featureGroups.get

aiplatform.featureGroups.list

aiplatform.featureOnlineStores.get

aiplatform.featureOnlineStores.list

aiplatform.featureViewSyncs.*

aiplatform.featureViews.fetchFeatureValues

aiplatform.featureViews.get

aiplatform.featureViews.list

aiplatform.featureViews.searchNearestEntities

aiplatform.features.get

aiplatform.features.list

aiplatform.featurestores.get

aiplatform.featurestores.list

aiplatform.humanInTheLoops.get

aiplatform.humanInTheLoops.list

aiplatform.hyperparameterTuningJobs.get

aiplatform.hyperparameterTuningJobs.list

aiplatform.indexEndpoints.get

aiplatform.indexEndpoints.list

aiplatform.indexEndpoints.queryVectors

aiplatform.indexes.get

aiplatform.indexes.list

aiplatform.locations.*

aiplatform.metadataSchemas.get

aiplatform.metadataSchemas.list

aiplatform.metadataStores.get

aiplatform.metadataStores.list

aiplatform.modelDeploymentMonitoringJobs.get

aiplatform.modelDeploymentMonitoringJobs.list

aiplatform.modelDeploymentMonitoringJobs.searchStatsAnomalies

aiplatform.modelEvaluationSlices.get

aiplatform.modelEvaluationSlices.list

aiplatform.modelEvaluations.get

aiplatform.modelEvaluations.list

aiplatform.models.get

aiplatform.models.list

aiplatform.nasJobs.get

aiplatform.nasJobs.list

aiplatform.nasTrialDetails.*

aiplatform.notebookRuntimeTemplates.get

aiplatform.notebookRuntimeTemplates.list

aiplatform.notebookRuntimes.get

aiplatform.notebookRuntimes.list

aiplatform.operations.list

aiplatform.persistentResources.get

aiplatform.persistentResources.list

aiplatform.pipelineJobs.get

aiplatform.pipelineJobs.list

aiplatform.schedules.get

aiplatform.schedules.list

aiplatform.specialistPools.get

aiplatform.specialistPools.list

aiplatform.specialistPools.update

aiplatform.studies.get

aiplatform.studies.list

aiplatform.tensorboardExperiments.get

aiplatform.tensorboardExperiments.list

aiplatform.tensorboardRuns.get

aiplatform.tensorboardRuns.list

aiplatform.tensorboardTimeSeries.batchRead

aiplatform.tensorboardTimeSeries.get

aiplatform.tensorboardTimeSeries.list

aiplatform.tensorboardTimeSeries.read

aiplatform.tensorboards.get

aiplatform.tensorboards.list

aiplatform.trainingPipelines.get

aiplatform.trainingPipelines.list

aiplatform.trials.get

aiplatform.trials.list

resourcemanager.projects.get

resourcemanager.projects.list

Permissions

(roles/videostitcher.admin)

Full access to all video stitcher resources.

resourcemanager.projects.get

resourcemanager.projects.list

videostitcher.*

(roles/videostitcher.user)

Full access to video stitcher sessions.

resourcemanager.projects.get

resourcemanager.projects.list

videostitcher.liveSessions.*

videostitcher.vodSessions.*

(roles/videostitcher.viewer)

Read-only access to video stitcher resources.

resourcemanager.projects.get

resourcemanager.projects.list

videostitcher.cdnKeys.get

videostitcher.cdnKeys.list

videostitcher.liveAdTagDetails.*

videostitcher.liveConfigs.get

videostitcher.liveConfigs.list

videostitcher.liveSessions.get

videostitcher.slates.get

videostitcher.slates.list

videostitcher.vodAdTagDetails.*

videostitcher.vodSessions.get

videostitcher.vodStitchDetails.*

Permissions

(roles/visionai.admin)

Full access to all Vision AI resources.

resourcemanager.projects.get

resourcemanager.projects.list

visionai.*

(roles/visionai.analysisEditor)

Access to read and write Vision AI Analyses.

visionai.analyses.create

visionai.analyses.delete

visionai.analyses.get

visionai.analyses.list

visionai.analyses.update

(roles/visionai.analysisViewer)

Access to read Vision AI Analyses.

visionai.analyses.get

visionai.analyses.list

(roles/visionai.annotationEditor)

Grants access to edit media asset annotations in the Warehouse.

visionai.annotations.*

(roles/visionai.annotationViewer)

Grants access to view media asset annotations in the Warehouse.

visionai.annotations.get

visionai.annotations.list

(roles/visionai.applicationEditor)

Access to read and write Vision AI Applications.

visionai.applications.*

visionai.drafts.*

visionai.instances.*

(roles/visionai.applicationViewer)

Access to read Vision AI Applications.

visionai.applications.get

visionai.applications.list

visionai.drafts.get

visionai.drafts.list

visionai.instances.*

(roles/visionai.assetCreator)

Grants access to ingest media assets into the Warehouse.

visionai.assets.create

visionai.assets.ingest

(roles/visionai.assetEditor)

Grants access to edit media assets in the Warehouse.

visionai.assets.*

(roles/visionai.assetViewer)

Grants access to view media assets in the Warehouse.

visionai.assets.get

visionai.assets.list

visionai.assets.search

(roles/visionai.clusterEditor)

Access to read and write Vision AI Clusters.

visionai.clusters.create

visionai.clusters.delete

visionai.clusters.get

visionai.clusters.list

visionai.clusters.update

visionai.clusters.watch

(roles/visionai.clusterViewer)

Access to read Vision AI Clusters.

visionai.clusters.get

visionai.clusters.list

(roles/visionai.corpusAdmin)

Full control to everything in a corpus including corpus access control.

visionai.annotations.*

visionai.assets.*

visionai.corpora.*

visionai.dataSchemas.*

visionai.indexes.*

visionai.operations.get

visionai.operations.list

visionai.searchConfigs.*

(roles/visionai.corpusEditor)

Read-write access to everything in a corpus.

visionai.annotations.*

visionai.assets.*

visionai.corpora.*

visionai.dataSchemas.*

visionai.indexes.*

visionai.operations.get

visionai.operations.list

visionai.searchConfigs.*

(roles/visionai.corpusViewer)

Grants access to view everything in a corpus.

visionai.annotations.get

visionai.annotations.list

visionai.assets.clip

visionai.assets.generateHlsUri

visionai.assets.get

visionai.assets.list

visionai.assets.search

visionai.corpora.get

visionai.corpora.list

visionai.corpora.suggest

visionai.dataSchemas.get

visionai.dataSchemas.list

visionai.dataSchemas.validate

visionai.indexes.get

visionai.indexes.list

visionai.indexes.viewAssets

visionai.operations.get

visionai.operations.list

visionai.searchConfigs.get

visionai.searchConfigs.list

(roles/visionai.corpusWriter)

Grants access to create/update/delete everything in a corpus.

visionai.annotations.*

visionai.assets.*

visionai.corpora.analyze

visionai.corpora.delete

visionai.corpora.import

visionai.corpora.update

visionai.dataSchemas.create

visionai.dataSchemas.delete

visionai.dataSchemas.update

visionai.indexes.create

visionai.indexes.delete

visionai.indexes.update

visionai.operations.get

visionai.operations.list

visionai.searchConfigs.create

visionai.searchConfigs.delete

visionai.searchConfigs.update

(roles/visionai.editor)

Edit access to all Vision AI resources.

resourcemanager.projects.get

resourcemanager.projects.list

visionai.analyses.create

visionai.analyses.delete

visionai.analyses.get

visionai.analyses.getIamPolicy

visionai.analyses.list

visionai.analyses.update

visionai.annotations.*

visionai.applications.*

visionai.assets.*

visionai.clusters.create

visionai.clusters.delete

visionai.clusters.get

visionai.clusters.getIamPolicy

visionai.clusters.list

visionai.clusters.update

visionai.clusters.watch

visionai.corpora.*

visionai.dataSchemas.*

visionai.drafts.*

visionai.events.create

visionai.events.delete

visionai.events.get

visionai.events.getIamPolicy

visionai.events.list

visionai.events.update

visionai.indexEndpoints.*

visionai.indexes.*

visionai.instances.*

visionai.locations.*

visionai.operations.*

visionai.operators.create

visionai.operators.delete

visionai.operators.get

visionai.operators.getIamPolicy

visionai.operators.list

visionai.operators.update

visionai.processors.*

visionai.searchConfigs.*

visionai.series.acquireLease

visionai.series.create

visionai.series.delete

visionai.series.get

visionai.series.getIamPolicy

visionai.series.list

visionai.series.receive

visionai.series.releaseLease

visionai.series.renewLease

visionai.series.send

visionai.series.update

visionai.streams.create

visionai.streams.delete

visionai.streams.get

visionai.streams.getIamPolicy

visionai.streams.list

visionai.streams.receive

visionai.streams.send

visionai.streams.update

visionai.uistreams.*

(roles/visionai.eventEditor)

Access to read and write Vision AI Events.

visionai.events.create

visionai.events.delete

visionai.events.get

visionai.events.list

visionai.events.update

(roles/visionai.eventViewer)

Access to read Vision AI Events.

visionai.events.get

visionai.events.list

(roles/visionai.indexEndpointAdmin)

Full control of all Media Warehouse resources and permissions.

visionai.indexEndpoints.*

(roles/visionai.indexEndpointEditor)

Read, write and create access to all index endpoint-level resources.

visionai.indexEndpoints.*

(roles/visionai.indexEndpointViewer)

Grants access to view all index endpoint resources and be able to search on them. (ReadOnly)

visionai.indexEndpoints.get

visionai.indexEndpoints.list

visionai.indexEndpoints.search

(roles/visionai.indexEndpointWriter)

Grants access to perform update, delete, deploy and undeploy operations on the index endpoint.

visionai.indexEndpoints.delete

visionai.indexEndpoints.deploy

visionai.indexEndpoints.undeploy

visionai.indexEndpoints.update

(roles/visionai.operatorEditor)

Access to read and write Vision AI Operators.

visionai.operators.create

visionai.operators.delete

visionai.operators.get

visionai.operators.list

visionai.operators.update

(roles/visionai.operatorViewer)

Access to read Vision AI Operators.

visionai.operators.get

visionai.operators.list

(roles/visionai.packetReceiver)

Access to read Vision AI Series.

visionai.clusters.watch

visionai.series.acquireLease

visionai.series.receive

visionai.series.releaseLease

visionai.series.renewLease

visionai.streams.receive

(roles/visionai.packetSender)

Packet sender to the series.

visionai.series.acquireLease

visionai.series.releaseLease

visionai.series.renewLease

visionai.series.send

visionai.streams.send

(roles/visionai.processorEditor)

Access to read and write Vision AI Processors.

visionai.processors.*

(roles/visionai.processorViewer)

Access to read Vision AI Processors.

visionai.processors.get

visionai.processors.list

visionai.processors.listPrebuilt

(roles/visionai.retailcatalogEditor)

Access to read and write Vision AI RetailCatalogs.

(roles/visionai.retailcatalogViewer)

Access to read Vision AI RetailCatalogs.

(roles/visionai.retailendpointEditor)

Access to read and write Vision AI RetailEndpoints.

(roles/visionai.retailendpointViewer)

Access to read Vision AI RetailEndpoints.

(roles/visionai.seriesEditor)

Access to read and write Vision AI Series.

visionai.clusters.watch

visionai.series.acquireLease

visionai.series.create

visionai.series.delete

visionai.series.get

visionai.series.list

visionai.series.receive

visionai.series.releaseLease

visionai.series.renewLease

visionai.series.send

visionai.series.update

visionai.streams.receive

visionai.streams.send

(roles/visionai.seriesViewer)

Access to read Vision AI Series.

visionai.series.get

visionai.series.list

(roles/visionai.streamEditor)

Access to read and write Vision AI Streams.

visionai.clusters.watch

visionai.series.acquireLease

visionai.series.receive

visionai.series.releaseLease

visionai.series.renewLease

visionai.series.send

visionai.streams.create

visionai.streams.delete

visionai.streams.get

visionai.streams.list

visionai.streams.receive

visionai.streams.send

visionai.streams.update

(roles/visionai.streamViewer)

Access to read Vision AI Streams.

visionai.streams.get

visionai.streams.list

(roles/visionai.uiStreamEditor)

Access to read and write Vision AI UI Streams.

visionai.uistreams.*

(roles/visionai.uiStreamViewer)

Access to read Vision AI UI Streams.

visionai.uistreams.get

visionai.uistreams.list

(roles/visionai.viewer)

View access to all Vision AI resources.

resourcemanager.projects.get

resourcemanager.projects.list

visionai.analyses.get

visionai.analyses.getIamPolicy

visionai.analyses.list

visionai.annotations.get

visionai.annotations.list

visionai.applications.get

visionai.applications.list

visionai.assets.clip

visionai.assets.generateHlsUri

visionai.assets.get

visionai.assets.list

visionai.assets.search

visionai.clusters.get

visionai.clusters.getIamPolicy

visionai.clusters.list

visionai.corpora.get

visionai.corpora.list

visionai.corpora.suggest

visionai.dataSchemas.get

visionai.dataSchemas.list

visionai.dataSchemas.validate

visionai.drafts.get

visionai.drafts.list

visionai.events.get

visionai.events.getIamPolicy

visionai.events.list

visionai.indexEndpoints.get

visionai.indexEndpoints.list

visionai.indexEndpoints.search

visionai.indexes.get

visionai.indexes.list

visionai.indexes.viewAssets

visionai.instances.*

visionai.locations.*

visionai.operations.get

visionai.operations.list

visionai.operators.get

visionai.operators.getIamPolicy

visionai.operators.list

visionai.processors.get

visionai.processors.list

visionai.processors.listPrebuilt

visionai.searchConfigs.get

visionai.searchConfigs.list

visionai.series.get

visionai.series.getIamPolicy

visionai.series.list

visionai.streams.get

visionai.streams.getIamPolicy

visionai.streams.list

visionai.uistreams.get

visionai.uistreams.list

Permissions

(roles/vmwareengine.vmwareengineAdmin)

Admin has full access to the VMware Engine service.

resourcemanager.projects.get

resourcemanager.projects.list

vmwareengine.*

(roles/vmwareengine.vmwareengineViewer)

Viewer has read-only access to the VMware Engine service.

resourcemanager.projects.get

resourcemanager.projects.list

vmwareengine.clusters.get

vmwareengine.clusters.getIamPolicy

vmwareengine.clusters.list

vmwareengine.dnsBindPermission.get

vmwareengine.dnsForwarding.get

vmwareengine.externalAccessRules.get

vmwareengine.externalAccessRules.list

vmwareengine.externalAddresses.get

vmwareengine.externalAddresses.list

vmwareengine.hcxActivationKeys.get

vmwareengine.hcxActivationKeys.getIamPolicy

vmwareengine.hcxActivationKeys.list

vmwareengine.locations.*

vmwareengine.loggingServers.get

vmwareengine.loggingServers.list

vmwareengine.managementDnsZoneBindings.get

vmwareengine.managementDnsZoneBindings.list

vmwareengine.networkPeerings.get

vmwareengine.networkPeerings.list

vmwareengine.networkPeerings.listPeeringRoutes

vmwareengine.networkPolicies.fetchExternalAddresses

vmwareengine.networkPolicies.get

vmwareengine.networkPolicies.list

vmwareengine.nodeTypes.*

vmwareengine.nodes.*

vmwareengine.operations.get

vmwareengine.operations.list

vmwareengine.privateClouds.get

vmwareengine.privateClouds.getIamPolicy

vmwareengine.privateClouds.list

vmwareengine.privateConnections.get

vmwareengine.privateConnections.list

vmwareengine.privateConnections.listPeeringRoutes

vmwareengine.services.view

vmwareengine.subnets.get

vmwareengine.subnets.list

vmwareengine.vmwareEngineNetworks.get

vmwareengine.vmwareEngineNetworks.list

Permissions

(roles/workflows.admin)

Full access to workflows and related resources.

Lowest-level resources where you can grant this role:

  • Project

resourcemanager.projects.get

resourcemanager.projects.list

workflows.*

(roles/workflows.editor)

Read and write access to workflows and related resources, including development and debugging of workflows.

Lowest-level resources where you can grant this role:

  • Project

resourcemanager.projects.get

resourcemanager.projects.list

workflows.*

(roles/workflows.invoker)

Access to execute workflows and manage the executions using the API. Does not provide access to develop and debug workflows.

Lowest-level resources where you can grant this role:

  • Project

resourcemanager.projects.get

resourcemanager.projects.list

workflows.callbacks.*

workflows.executions.*

workflows.stepEntries.*

(roles/workflows.viewer)

Read-only access to workflows and related resources.

Lowest-level resources where you can grant this role:

  • Project

resourcemanager.projects.get

resourcemanager.projects.list

workflows.callbacks.list

workflows.executions.get

workflows.executions.list

workflows.locations.*

workflows.operations.get

workflows.operations.list

workflows.stepEntries.*

workflows.workflows.get

workflows.workflows.list

workflows.workflows.listRevision

Permissions

(roles/iam.workforcePoolAdmin)

Full rights to create and manage all workforce pools in the org, along with the ability to delegate permissions to other admins.

iam.workforcePoolProviderKeys.*

iam.workforcePoolProviders.*

iam.workforcePoolSubjects.*

iam.workforcePools.*

(roles/iam.workforcePoolEditor)

Rights to edit a particular instance of a workforce pool.

iam.googleapis.com/workforcePoolProviderKeys.get

iam.googleapis.com/workforcePoolProviderKeys.list

iam.googleapis.com/workforcePools.get

iam.googleapis.com/workforcePools.list

iam.googleapis.com/workforcePools.update

iam.workforcePoolProviders.*

(roles/iam.workforcePoolViewer)

Rights to read workforce pools.

iam.googleapis.com/workforcePoolProviderKeys.get

iam.googleapis.com/workforcePoolProviderKeys.list

iam.googleapis.com/workforcePoolProviders.get

iam.googleapis.com/workforcePoolProviders.list

iam.googleapis.com/workforcePools.get

iam.googleapis.com/workforcePools.list

Permissions

(roles/workloadcertificate.admin)

Full access to all Workload Certificate API resources.

resourcemanager.projects.get

resourcemanager.projects.list

workloadcertificate.*

(roles/workloadcertificate.registrationAdmin)

Full access to WorkloadRegistration resources.

resourcemanager.projects.get

resourcemanager.projects.list

workloadcertificate.locations.*

workloadcertificate.operations.*

workloadcertificate.workloadRegistrations.*

(roles/workloadcertificate.registrationViewer)

Read-only access to WorkloadRegistration resources.

resourcemanager.projects.get

resourcemanager.projects.list

workloadcertificate.locations.*

workloadcertificate.operations.get

workloadcertificate.operations.list

workloadcertificate.workloadRegistrations.get

workloadcertificate.workloadRegistrations.list

(roles/workloadcertificate.viewer)

Read-only access to all Workload Certificate resources.

resourcemanager.projects.get

resourcemanager.projects.list

workloadcertificate.locations.*

workloadcertificate.operations.get

workloadcertificate.operations.list

workloadcertificate.workloadCertificateFeature.get

workloadcertificate.workloadRegistrations.get

workloadcertificate.workloadRegistrations.list

Permissions

(roles/iam.workloadIdentityPoolAdmin)

Full rights to create and manage workload identity pools.

iam.workloadIdentityPoolProviderKeys.*

iam.workloadIdentityPoolProviders.*

iam.workloadIdentityPools.*

resourcemanager.projects.get

resourcemanager.projects.list

(roles/iam.workloadIdentityPoolViewer)

Read access to workload identity pools.

iam.googleapis.com/workloadIdentityPoolProviderKeys.get

iam.googleapis.com/workloadIdentityPoolProviderKeys.list

iam.googleapis.com/workloadIdentityPoolProviders.get

iam.googleapis.com/workloadIdentityPoolProviders.list

iam.googleapis.com/workloadIdentityPools.get

iam.googleapis.com/workloadIdentityPools.list

resourcemanager.projects.get

resourcemanager.projects.list

Permissions

(roles/workloadmanager.admin)

Full access to all Workload Manager resources.

compute.acceleratorTypes.list

compute.diskTypes.list

compute.machineTypes.list

compute.networks.list

compute.projects.get

compute.regions.list

compute.subnetworks.list

compute.zones.list

dns.managedZones.list

iam.serviceAccounts.list

monitoring.timeSeries.list

orgpolicy.policy.get

resourcemanager.projects.get

resourcemanager.projects.getIamPolicy

resourcemanager.projects.list

serviceusage.quotas.get

serviceusage.services.get

storage.buckets.list

storage.objects.list

workloadmanager.*

(roles/workloadmanager.deploymentAdmin)

Full access to Workload Manager deployment resources.

compute.acceleratorTypes.list

compute.diskTypes.list

compute.machineTypes.list

compute.networks.list

compute.projects.get

compute.regions.list

compute.subnetworks.list

compute.zones.list

dns.managedZones.list

iam.serviceAccounts.list

monitoring.timeSeries.list

resourcemanager.projects.get

resourcemanager.projects.getIamPolicy

resourcemanager.projects.list

serviceusage.quotas.get

serviceusage.services.get

storage.buckets.list

storage.objects.list

workloadmanager.actuations.*

workloadmanager.deployments.*

workloadmanager.locations.*

workloadmanager.operations.*

(roles/workloadmanager.deploymentViewer)

Read-only access to Workload Manager deployment resources.

resourcemanager.projects.get

resourcemanager.projects.list

workloadmanager.actuations.get

workloadmanager.actuations.list

workloadmanager.deployments.get

workloadmanager.deployments.list

(roles/workloadmanager.evaluationAdmin)

Full access to Workload Manager evaluation resources.

orgpolicy.policy.get

resourcemanager.projects.get

resourcemanager.projects.list

workloadmanager.evaluations.*

workloadmanager.executions.*

workloadmanager.locations.*

workloadmanager.operations.*

workloadmanager.results.list

workloadmanager.rules.list

(roles/workloadmanager.evaluationViewer)

Read-only access to Workload Manager evaluation resources.

orgpolicy.policy.get

resourcemanager.projects.get

resourcemanager.projects.list

workloadmanager.evaluations.get

workloadmanager.evaluations.list

workloadmanager.executions.get

workloadmanager.executions.list

workloadmanager.results.list

workloadmanager.rules.list

(roles/workloadmanager.evaluationWorker)

The role used by Workload Manager application runners to read and update workloads.

workloadmanager.evaluations.*

workloadmanager.executions.*

(roles/workloadmanager.insightWriter)

The role used to write data to the WLM data warehouse.

workloadmanager.insights.write

(roles/workloadmanager.viewer)

Read-only access to all Workload Manager resources.

orgpolicy.policy.get

resourcemanager.projects.get

resourcemanager.projects.list

workloadmanager.actuations.get

workloadmanager.actuations.list

workloadmanager.deployments.get

workloadmanager.deployments.list

workloadmanager.evaluations.get

workloadmanager.evaluations.list

workloadmanager.executions.get

workloadmanager.executions.list

workloadmanager.results.list

workloadmanager.rules.list

(roles/workloadmanager.worker)

The role used by Workload Manager application runners to read and update workloads.

orgpolicy.policy.get

resourcemanager.projects.get

resourcemanager.projects.list

workloadmanager.actuations.*

workloadmanager.deployments.*

workloadmanager.evaluations.*

workloadmanager.executions.*

workloadmanager.insights.write

workloadmanager.results.list

workloadmanager.rules.list