Access Approval roles
Permissions
Access Approval Approver
(roles/)
Ability to view or act on access approval requests and view configuration.
accessapproval.requests.*
accessapproval.
accessapproval.settings.get
resourcemanager.projects.get
resourcemanager.projects.list
Access Approval Config Editor
(roles/)
Ability to update the Access Approval configuration
accessapproval.
accessapproval.settings.*
resourcemanager.projects.get
resourcemanager.projects.list
Access Approval Invalidator
(roles/)
Ability to invalidate existing approved approval requests
accessapproval.
accessapproval.
accessapproval.settings.get
resourcemanager.projects.get
resourcemanager.projects.list
Access Approval Viewer
(roles/)
Ability to view access approval requests and configuration
accessapproval.requests.get
accessapproval.requests.list
accessapproval.
accessapproval.settings.get
resourcemanager.projects.get
resourcemanager.projects.list
Access Context Manager roles
Permissions
Cloud Access Binding Admin
(roles/)
Create, edit, and change Cloud access bindings.
accesscontextmanager.
Cloud Access Binding Reader
(roles/)
Read access to Cloud access bindings.
accesscontextmanager.
accesscontextmanager.
Access Context Manager Admin
(roles/)
Full access to policies, access levels, access zones and authorized orgs descs.
accesscontextmanager.
accesscontextmanager.
accesscontextmanager.
accesscontextmanager.
cloudasset.
resourcemanager.
resourcemanager.projects.get
resourcemanager.projects.list
Access Context Manager Editor
(roles/)
Edit access to policies. Create, edit, and change access levels, access zones and authorized orgs descs.
accesscontextmanager.
accesscontextmanager.
accesscontextmanager.
accesscontextmanager.
accesscontextmanager.
accesscontextmanager.
accesscontextmanager.
accesscontextmanager.
accesscontextmanager.
cloudasset.
resourcemanager.
resourcemanager.projects.get
resourcemanager.projects.list
Access Context Manager Reader
(roles/)
Read access to policies, access levels, access zones and authorized orgs descs.
accesscontextmanager.
accesscontextmanager.
accesscontextmanager.
accesscontextmanager.
accesscontextmanager.
accesscontextmanager.
accesscontextmanager.
accesscontextmanager.
accesscontextmanager.
resourcemanager.
resourcemanager.projects.get
resourcemanager.projects.list
VPC Service Controls Troubleshooter Viewer
(roles/)
accesscontextmanager.
accesscontextmanager.
accesscontextmanager.
accesscontextmanager.
accesscontextmanager.
accesscontextmanager.
accesscontextmanager.
accesscontextmanager.
accesscontextmanager.
logging.exclusions.get
logging.exclusions.list
logging.logEntries.list
logging.logMetrics.get
logging.logMetrics.list
logging.logServiceIndexes.list
logging.logServices.list
logging.logs.list
logging.sinks.get
logging.sinks.list
logging.usage.get
resourcemanager.
resourcemanager.projects.get
resourcemanager.projects.list
Actions roles
Permissions
Actions Admin
(roles/)
Access to edit and deploy an action
actions.*
firebase.projects.get
firebase.projects.update
resourcemanager.projects.get
resourcemanager.projects.list
serviceusage.services.use
Actions Viewer
(roles/)
Access to view an action
actions.agent.get
actions.agentVersions.get
actions.agentVersions.list
firebase.projects.get
resourcemanager.projects.get
resourcemanager.projects.list
serviceusage.services.use
AI Notebooks roles
Permissions
Notebooks Admin
(roles/)
Full access to Notebooks, all resources.
Lowest-level resources where you can grant this role:
aiplatform.
aiplatform.operations.list
aiplatform.pipelineJobs.create
aiplatform.schedules.*
compute.acceleratorTypes.*
compute.addresses.get
compute.addresses.list
compute.
compute.
compute.autoscalers.get
compute.autoscalers.list
compute.backendBuckets.get
compute.
compute.backendBuckets.list
compute.
compute.
compute.backendServices.get
compute.
compute.backendServices.list
compute.
compute.
compute.commitments.get
compute.commitments.list
compute.crossSiteNetworks.get
compute.crossSiteNetworks.list
compute.diskSettings.get
compute.diskTypes.*
compute.disks.get
compute.disks.getIamPolicy
compute.disks.list
compute.
compute.disks.listTagBindings
compute.
compute.
compute.
compute.
compute.firewallPolicies.get
compute.
compute.firewallPolicies.list
compute.
compute.
compute.firewalls.get
compute.firewalls.list
compute.
compute.
compute.forwardingRules.get
compute.forwardingRules.list
compute.
compute.
compute.futureReservations.get
compute.
compute.
compute.globalAddresses.get
compute.globalAddresses.list
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.globalOperations.get
compute.
compute.globalOperations.list
compute.
compute.
compute.healthChecks.get
compute.healthChecks.list
compute.
compute.
compute.httpHealthChecks.get
compute.httpHealthChecks.list
compute.
compute.
compute.httpsHealthChecks.get
compute.httpsHealthChecks.list
compute.
compute.
compute.images.get
compute.images.getFromFamily
compute.images.getIamPolicy
compute.images.list
compute.
compute.images.listTagBindings
compute.
compute.
compute.
compute.
compute.instanceGroups.get
compute.instanceGroups.list
compute.
compute.
compute.instanceSettings.get
compute.instanceTemplates.get
compute.
compute.instanceTemplates.list
compute.instances.get
compute.
compute.
compute.instances.getIamPolicy
compute.
compute.
compute.
compute.
compute.instances.list
compute.
compute.
compute.
compute.instantSnapshots.get
compute.
compute.instantSnapshots.list
compute.
compute.
compute.
compute.
compute.
compute.
compute.interconnects.get
compute.interconnects.list
compute.
compute.
compute.licenseCodes.get
compute.
compute.licenseCodes.list
compute.licenses.get
compute.licenses.getIamPolicy
compute.licenses.list
compute.machineImages.get
compute.
compute.machineImages.list
compute.machineTypes.*
compute.multiMig.get
compute.multiMig.list
compute.networkAttachments.get
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.networkProfiles.*
compute.networks.get
compute.
compute.
compute.networks.list
compute.
compute.
compute.
compute.nodeGroups.get
compute.
compute.nodeGroups.list
compute.nodeTemplates.get
compute.
compute.nodeTemplates.list
compute.nodeTypes.*
compute.
compute.packetMirrorings.get
compute.packetMirrorings.list
compute.
compute.
compute.projects.get
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.regionHealthChecks.get
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.regionOperations.get
compute.
compute.regionOperations.list
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.regionSslPolicies.get
compute.regionSslPolicies.list
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.regionUrlMaps.get
compute.regionUrlMaps.list
compute.
compute.
compute.regionUrlMaps.validate
compute.regions.*
compute.reservationBlocks.get
compute.reservationBlocks.list
compute.reservations.get
compute.reservations.list
compute.resourcePolicies.get
compute.
compute.resourcePolicies.list
compute.routers.get
compute.routers.getRoutePolicy
compute.routers.list
compute.routers.listBgpRoutes
compute.
compute.
compute.
compute.routes.get
compute.routes.list
compute.
compute.routes.listTagBindings
compute.securityPolicies.get
compute.securityPolicies.list
compute.
compute.
compute.serviceAttachments.get
compute.
compute.
compute.
compute.
compute.snapshotSettings.get
compute.snapshots.get
compute.snapshots.getIamPolicy
compute.snapshots.list
compute.
compute.
compute.spotAssistants.get
compute.sslCertificates.get
compute.sslCertificates.list
compute.
compute.
compute.sslPolicies.get
compute.sslPolicies.list
compute.
compute.
compute.
compute.storagePools.get
compute.
compute.storagePools.list
compute.subnetworks.get
compute.
compute.subnetworks.list
compute.
compute.
compute.targetGrpcProxies.get
compute.targetGrpcProxies.list
compute.
compute.
compute.targetHttpProxies.get
compute.targetHttpProxies.list
compute.
compute.
compute.targetHttpsProxies.get
compute.
compute.
compute.
compute.targetInstances.get
compute.targetInstances.list
compute.
compute.
compute.targetPools.get
compute.targetPools.list
compute.
compute.
compute.targetSslProxies.get
compute.targetSslProxies.list
compute.
compute.
compute.targetTcpProxies.get
compute.targetTcpProxies.list
compute.
compute.
compute.targetVpnGateways.get
compute.targetVpnGateways.list
compute.
compute.
compute.urlMaps.get
compute.urlMaps.list
compute.
compute.
compute.urlMaps.validate
compute.vpnGateways.get
compute.vpnGateways.list
compute.
compute.
compute.vpnTunnels.get
compute.vpnTunnels.list
compute.
compute.
compute.wireGroups.get
compute.wireGroups.list
compute.zoneOperations.get
compute.
compute.zoneOperations.list
compute.zones.*
notebooks.*
resourcemanager.projects.get
resourcemanager.projects.list
serviceusage.quotas.get
serviceusage.services.get
serviceusage.services.list
Notebooks Legacy Admin
(roles/)
Full access to Notebooks all resources through compute API.
backupdr.
backupdr.
backupdr.
backupdr.
backupdr.backupPlans.get
backupdr.backupPlans.list
backupdr.
backupdr.backupVaults.get
backupdr.backupVaults.list
backupdr.locations.list
backupdr.operations.get
backupdr.operations.list
backupdr.
cloudkms.keyHandles.*
cloudkms.operations.get
cloudkms.
compute.*
notebooks.*
resourcemanager.projects.get
resourcemanager.projects.list
serviceusage.quotas.get
serviceusage.services.get
serviceusage.services.list
Notebooks Legacy Viewer
(roles/)
Read-only access to Notebooks all resources through compute API.
compute.acceleratorTypes.*
compute.addresses.get
compute.addresses.list
compute.
compute.
compute.autoscalers.get
compute.autoscalers.list
compute.backendBuckets.get
compute.
compute.backendBuckets.list
compute.
compute.
compute.backendServices.get
compute.
compute.backendServices.list
compute.
compute.
compute.commitments.get
compute.commitments.list
compute.crossSiteNetworks.get
compute.crossSiteNetworks.list
compute.diskSettings.get
compute.diskTypes.*
compute.disks.get
compute.disks.getIamPolicy
compute.disks.list
compute.
compute.disks.listTagBindings
compute.
compute.
compute.
compute.
compute.firewallPolicies.get
compute.
compute.firewallPolicies.list
compute.
compute.
compute.firewalls.get
compute.firewalls.list
compute.
compute.
compute.forwardingRules.get
compute.forwardingRules.list
compute.
compute.
compute.futureReservations.get
compute.
compute.
compute.globalAddresses.get
compute.globalAddresses.list
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.globalOperations.get
compute.
compute.globalOperations.list
compute.
compute.
compute.healthChecks.get
compute.healthChecks.list
compute.
compute.
compute.httpHealthChecks.get
compute.httpHealthChecks.list
compute.
compute.
compute.httpsHealthChecks.get
compute.httpsHealthChecks.list
compute.
compute.
compute.images.get
compute.images.getFromFamily
compute.images.getIamPolicy
compute.images.list
compute.
compute.images.listTagBindings
compute.
compute.
compute.
compute.
compute.instanceGroups.get
compute.instanceGroups.list
compute.
compute.
compute.instanceSettings.get
compute.instanceTemplates.get
compute.
compute.instanceTemplates.list
compute.instances.get
compute.
compute.
compute.instances.getIamPolicy
compute.
compute.
compute.
compute.
compute.instances.list
compute.
compute.
compute.
compute.instantSnapshots.get
compute.
compute.instantSnapshots.list
compute.
compute.
compute.
compute.
compute.
compute.
compute.interconnects.get
compute.interconnects.list
compute.
compute.
compute.licenseCodes.get
compute.
compute.licenseCodes.list
compute.licenses.get
compute.licenses.getIamPolicy
compute.licenses.list
compute.machineImages.get
compute.
compute.machineImages.list
compute.machineTypes.*
compute.multiMig.get
compute.multiMig.list
compute.networkAttachments.get
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.networkProfiles.*
compute.networks.get
compute.
compute.
compute.networks.list
compute.
compute.
compute.
compute.nodeGroups.get
compute.
compute.nodeGroups.list
compute.nodeTemplates.get
compute.
compute.nodeTemplates.list
compute.nodeTypes.*
compute.
compute.packetMirrorings.get
compute.packetMirrorings.list
compute.
compute.
compute.projects.get
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.regionHealthChecks.get
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.regionOperations.get
compute.
compute.regionOperations.list
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.regionSslPolicies.get
compute.regionSslPolicies.list
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.regionUrlMaps.get
compute.regionUrlMaps.list
compute.
compute.
compute.regionUrlMaps.validate
compute.regions.*
compute.reservationBlocks.get
compute.reservationBlocks.list
compute.reservations.get
compute.reservations.list
compute.resourcePolicies.get
compute.
compute.resourcePolicies.list
compute.routers.get
compute.routers.getRoutePolicy
compute.routers.list
compute.routers.listBgpRoutes
compute.
compute.
compute.
compute.routes.get
compute.routes.list
compute.
compute.routes.listTagBindings
compute.securityPolicies.get
compute.securityPolicies.list
compute.
compute.
compute.serviceAttachments.get
compute.
compute.
compute.
compute.
compute.snapshotSettings.get
compute.snapshots.get
compute.snapshots.getIamPolicy
compute.snapshots.list
compute.
compute.
compute.spotAssistants.get
compute.sslCertificates.get
compute.sslCertificates.list
compute.
compute.
compute.sslPolicies.get
compute.sslPolicies.list
compute.
compute.
compute.
compute.storagePools.get
compute.
compute.storagePools.list
compute.subnetworks.get
compute.
compute.subnetworks.list
compute.
compute.
compute.targetGrpcProxies.get
compute.targetGrpcProxies.list
compute.
compute.
compute.targetHttpProxies.get
compute.targetHttpProxies.list
compute.
compute.
compute.targetHttpsProxies.get
compute.
compute.
compute.
compute.targetInstances.get
compute.targetInstances.list
compute.
compute.
compute.targetPools.get
compute.targetPools.list
compute.
compute.
compute.targetSslProxies.get
compute.targetSslProxies.list
compute.
compute.
compute.targetTcpProxies.get
compute.targetTcpProxies.list
compute.
compute.
compute.targetVpnGateways.get
compute.targetVpnGateways.list
compute.
compute.
compute.urlMaps.get
compute.urlMaps.list
compute.
compute.
compute.urlMaps.validate
compute.vpnGateways.get
compute.vpnGateways.list
compute.
compute.
compute.vpnTunnels.get
compute.vpnTunnels.list
compute.
compute.
compute.wireGroups.get
compute.wireGroups.list
compute.zoneOperations.get
compute.
compute.zoneOperations.list
compute.zones.*
notebooks.environments.get
notebooks.
notebooks.environments.list
notebooks.executions.get
notebooks.
notebooks.executions.list
notebooks.
notebooks.instances.get
notebooks.instances.getHealth
notebooks.
notebooks.instances.list
notebooks.locations.*
notebooks.operations.get
notebooks.operations.list
notebooks.runtimes.get
notebooks.
notebooks.runtimes.list
notebooks.schedules.get
notebooks.
notebooks.schedules.list
resourcemanager.projects.get
resourcemanager.projects.list
serviceusage.quotas.get
serviceusage.services.get
serviceusage.services.list
Notebooks Runner
(roles/)
Restricted access for running scheduled Notebooks.
aiplatform.
aiplatform.operations.list
aiplatform.pipelineJobs.create
aiplatform.schedules.*
compute.acceleratorTypes.*
compute.addresses.get
compute.addresses.list
compute.
compute.
compute.autoscalers.get
compute.autoscalers.list
compute.backendBuckets.get
compute.
compute.backendBuckets.list
compute.
compute.
compute.backendServices.get
compute.
compute.backendServices.list
compute.
compute.
compute.commitments.get
compute.commitments.list
compute.crossSiteNetworks.get
compute.crossSiteNetworks.list
compute.diskSettings.get
compute.diskTypes.*
compute.disks.get
compute.disks.getIamPolicy
compute.disks.list
compute.
compute.disks.listTagBindings
compute.
compute.
compute.
compute.
compute.firewallPolicies.get
compute.
compute.firewallPolicies.list
compute.
compute.
compute.firewalls.get
compute.firewalls.list
compute.
compute.
compute.forwardingRules.get
compute.forwardingRules.list
compute.
compute.
compute.futureReservations.get
compute.
compute.
compute.globalAddresses.get
compute.globalAddresses.list
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.globalOperations.get
compute.
compute.globalOperations.list
compute.
compute.
compute.healthChecks.get
compute.healthChecks.list
compute.
compute.
compute.httpHealthChecks.get
compute.httpHealthChecks.list
compute.
compute.
compute.httpsHealthChecks.get
compute.httpsHealthChecks.list
compute.
compute.
compute.images.get
compute.images.getFromFamily
compute.images.getIamPolicy
compute.images.list
compute.
compute.images.listTagBindings
compute.
compute.
compute.
compute.
compute.instanceGroups.get
compute.instanceGroups.list
compute.
compute.
compute.instanceSettings.get
compute.instanceTemplates.get
compute.
compute.instanceTemplates.list
compute.instances.get
compute.
compute.
compute.instances.getIamPolicy
compute.
compute.
compute.
compute.
compute.instances.list
compute.
compute.
compute.
compute.instantSnapshots.get
compute.
compute.instantSnapshots.list
compute.
compute.
compute.
compute.
compute.
compute.
compute.interconnects.get
compute.interconnects.list
compute.
compute.
compute.licenseCodes.get
compute.
compute.licenseCodes.list
compute.licenses.get
compute.licenses.getIamPolicy
compute.licenses.list
compute.machineImages.get
compute.
compute.machineImages.list
compute.machineTypes.*
compute.multiMig.get
compute.multiMig.list
compute.networkAttachments.get
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.networkProfiles.*
compute.networks.get
compute.
compute.
compute.networks.list
compute.
compute.
compute.
compute.nodeGroups.get
compute.
compute.nodeGroups.list
compute.nodeTemplates.get
compute.
compute.nodeTemplates.list
compute.nodeTypes.*
compute.
compute.packetMirrorings.get
compute.packetMirrorings.list
compute.
compute.
compute.projects.get
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.regionHealthChecks.get
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.regionOperations.get
compute.
compute.regionOperations.list
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.regionSslPolicies.get
compute.regionSslPolicies.list
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.regionUrlMaps.get
compute.regionUrlMaps.list
compute.
compute.
compute.regionUrlMaps.validate
compute.regions.*
compute.reservationBlocks.get
compute.reservationBlocks.list
compute.reservations.get
compute.reservations.list
compute.resourcePolicies.get
compute.
compute.resourcePolicies.list
compute.routers.get
compute.routers.getRoutePolicy
compute.routers.list
compute.routers.listBgpRoutes
compute.
compute.
compute.
compute.routes.get
compute.routes.list
compute.
compute.routes.listTagBindings
compute.securityPolicies.get
compute.securityPolicies.list
compute.
compute.
compute.serviceAttachments.get
compute.
compute.
compute.
compute.
compute.snapshotSettings.get
compute.snapshots.get
compute.snapshots.getIamPolicy
compute.snapshots.list
compute.
compute.
compute.spotAssistants.get
compute.sslCertificates.get
compute.sslCertificates.list
compute.
compute.
compute.sslPolicies.get
compute.sslPolicies.list
compute.
compute.
compute.
compute.storagePools.get
compute.
compute.storagePools.list
compute.subnetworks.get
compute.
compute.subnetworks.list
compute.
compute.
compute.targetGrpcProxies.get
compute.targetGrpcProxies.list
compute.
compute.
compute.targetHttpProxies.get
compute.targetHttpProxies.list
compute.
compute.
compute.targetHttpsProxies.get
compute.
compute.
compute.
compute.targetInstances.get
compute.targetInstances.list
compute.
compute.
compute.targetPools.get
compute.targetPools.list
compute.
compute.
compute.targetSslProxies.get
compute.targetSslProxies.list
compute.
compute.
compute.targetTcpProxies.get
compute.targetTcpProxies.list
compute.
compute.
compute.targetVpnGateways.get
compute.targetVpnGateways.list
compute.
compute.
compute.urlMaps.get
compute.urlMaps.list
compute.
compute.
compute.urlMaps.validate
compute.vpnGateways.get
compute.vpnGateways.list
compute.
compute.
compute.vpnTunnels.get
compute.vpnTunnels.list
compute.
compute.
compute.wireGroups.get
compute.wireGroups.list
compute.zoneOperations.get
compute.
compute.zoneOperations.list
compute.zones.*
notebooks.environments.get
notebooks.
notebooks.environments.list
notebooks.executions.create
notebooks.executions.get
notebooks.
notebooks.executions.list
notebooks.
notebooks.instances.create
notebooks.instances.get
notebooks.instances.getHealth
notebooks.
notebooks.instances.list
notebooks.locations.*
notebooks.operations.get
notebooks.operations.list
notebooks.runtimes.create
notebooks.runtimes.get
notebooks.
notebooks.runtimes.list
notebooks.schedules.create
notebooks.schedules.get
notebooks.
notebooks.schedules.list
resourcemanager.projects.get
resourcemanager.projects.list
serviceusage.quotas.get
serviceusage.services.get
serviceusage.services.list
Notebooks Viewer
(roles/)
Read-only access to Notebooks, all resources.
Lowest-level resources where you can grant this role:
aiplatform.
aiplatform.
aiplatform.schedules.get
aiplatform.schedules.list
compute.acceleratorTypes.*
compute.addresses.get
compute.addresses.list
compute.
compute.
compute.autoscalers.get
compute.autoscalers.list
compute.backendBuckets.get
compute.
compute.backendBuckets.list
compute.
compute.
compute.backendServices.get
compute.
compute.backendServices.list
compute.
compute.
compute.commitments.get
compute.commitments.list
compute.crossSiteNetworks.get
compute.crossSiteNetworks.list
compute.diskSettings.get
compute.diskTypes.*
compute.disks.get
compute.disks.getIamPolicy
compute.disks.list
compute.
compute.disks.listTagBindings
compute.
compute.
compute.
compute.
compute.firewallPolicies.get
compute.
compute.firewallPolicies.list
compute.
compute.
compute.firewalls.get
compute.firewalls.list
compute.
compute.
compute.forwardingRules.get
compute.forwardingRules.list
compute.
compute.
compute.futureReservations.get
compute.
compute.
compute.globalAddresses.get
compute.globalAddresses.list
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.globalOperations.get
compute.
compute.globalOperations.list
compute.
compute.
compute.healthChecks.get
compute.healthChecks.list
compute.
compute.
compute.httpHealthChecks.get
compute.httpHealthChecks.list
compute.
compute.
compute.httpsHealthChecks.get
compute.httpsHealthChecks.list
compute.
compute.
compute.images.get
compute.images.getFromFamily
compute.images.getIamPolicy
compute.images.list
compute.
compute.images.listTagBindings
compute.
compute.
compute.
compute.
compute.instanceGroups.get
compute.instanceGroups.list
compute.
compute.
compute.instanceSettings.get
compute.instanceTemplates.get
compute.
compute.instanceTemplates.list
compute.instances.get
compute.
compute.
compute.instances.getIamPolicy
compute.
compute.
compute.
compute.
compute.instances.list
compute.
compute.
compute.
compute.instantSnapshots.get
compute.
compute.instantSnapshots.list
compute.
compute.
compute.
compute.
compute.
compute.
compute.interconnects.get
compute.interconnects.list
compute.
compute.
compute.licenseCodes.get
compute.
compute.licenseCodes.list
compute.licenses.get
compute.licenses.getIamPolicy
compute.licenses.list
compute.machineImages.get
compute.
compute.machineImages.list
compute.machineTypes.*
compute.multiMig.get
compute.multiMig.list
compute.networkAttachments.get
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.networkProfiles.*
compute.networks.get
compute.
compute.
compute.networks.list
compute.
compute.
compute.
compute.nodeGroups.get
compute.
compute.nodeGroups.list
compute.nodeTemplates.get
compute.
compute.nodeTemplates.list
compute.nodeTypes.*
compute.
compute.packetMirrorings.get
compute.packetMirrorings.list
compute.
compute.
compute.projects.get
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.regionHealthChecks.get
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.regionOperations.get
compute.
compute.regionOperations.list
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.regionSslPolicies.get
compute.regionSslPolicies.list
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.regionUrlMaps.get
compute.regionUrlMaps.list
compute.
compute.
compute.regionUrlMaps.validate
compute.regions.*
compute.reservationBlocks.get
compute.reservationBlocks.list
compute.reservations.get
compute.reservations.list
compute.resourcePolicies.get
compute.
compute.resourcePolicies.list
compute.routers.get
compute.routers.getRoutePolicy
compute.routers.list
compute.routers.listBgpRoutes
compute.
compute.
compute.
compute.routes.get
compute.routes.list
compute.
compute.routes.listTagBindings
compute.securityPolicies.get
compute.securityPolicies.list
compute.
compute.
compute.serviceAttachments.get
compute.
compute.
compute.
compute.
compute.snapshotSettings.get
compute.snapshots.get
compute.snapshots.getIamPolicy
compute.snapshots.list
compute.
compute.
compute.spotAssistants.get
compute.sslCertificates.get
compute.sslCertificates.list
compute.
compute.
compute.sslPolicies.get
compute.sslPolicies.list
compute.
compute.
compute.
compute.storagePools.get
compute.
compute.storagePools.list
compute.subnetworks.get
compute.
compute.subnetworks.list
compute.
compute.
compute.targetGrpcProxies.get
compute.targetGrpcProxies.list
compute.
compute.
compute.targetHttpProxies.get
compute.targetHttpProxies.list
compute.
compute.
compute.targetHttpsProxies.get
compute.
compute.
compute.
compute.targetInstances.get
compute.targetInstances.list
compute.
compute.
compute.targetPools.get
compute.targetPools.list
compute.
compute.
compute.targetSslProxies.get
compute.targetSslProxies.list
compute.
compute.
compute.targetTcpProxies.get
compute.targetTcpProxies.list
compute.
compute.
compute.targetVpnGateways.get
compute.targetVpnGateways.list
compute.
compute.
compute.urlMaps.get
compute.urlMaps.list
compute.
compute.
compute.urlMaps.validate
compute.vpnGateways.get
compute.vpnGateways.list
compute.
compute.
compute.vpnTunnels.get
compute.vpnTunnels.list
compute.
compute.
compute.wireGroups.get
compute.wireGroups.list
compute.zoneOperations.get
compute.
compute.zoneOperations.list
compute.zones.*
notebooks.environments.get
notebooks.
notebooks.environments.list
notebooks.executions.get
notebooks.
notebooks.executions.list
notebooks.
notebooks.instances.get
notebooks.instances.getHealth
notebooks.
notebooks.instances.list
notebooks.locations.*
notebooks.operations.get
notebooks.operations.list
notebooks.runtimes.get
notebooks.
notebooks.runtimes.list
notebooks.schedules.get
notebooks.
notebooks.schedules.list
resourcemanager.projects.get
resourcemanager.projects.list
serviceusage.quotas.get
serviceusage.services.get
serviceusage.services.list
Permissions
AI Platform Admin
(roles/)
Provides full access to AI Platform resources, and its jobs,
operations, models, and versions.
Lowest-level resources where you can grant this role:
ml.*
resourcemanager.projects.get
AI Platform Developer
(roles/)
Provides ability to use AI Platform resources for creating models,
versions, jobs for training and prediction, and sending online prediction
requests.
Lowest-level resources where you can grant this role:
ml.jobs.create
ml.jobs.get
ml.jobs.getIamPolicy
ml.jobs.list
ml.locations.*
ml.models.create
ml.models.get
ml.models.getIamPolicy
ml.models.list
ml.models.predict
ml.operations.get
ml.operations.list
ml.projects.getConfig
ml.studies.*
ml.trials.*
ml.versions.get
ml.versions.list
ml.versions.predict
resourcemanager.projects.get
AI Platform Job Owner
(roles/)
Provides full access to all permissions for a particular job resource. This
role is automatically granted to the user who creates the job.
Lowest-level resources where you can grant this role:
ml.jobs.*
AI Platform Model Owner
(roles/)
Provides full access to the model and its versions. This role is
automatically granted to the user who creates the model.
Lowest-level resources where you can grant this role:
ml.models.*
ml.versions.*
AI Platform Model User
(roles/)
Provides permissions to read the model and its versions, and use them for
prediction.
Lowest-level resources where you can grant this role:
ml.models.get
ml.models.predict
ml.versions.get
ml.versions.list
ml.versions.predict
AI Platform Operation Owner
(roles/)
Provides full access to all permissions for a particular operation resource.
Lowest-level resources where you can grant this role:
ml.operations.*
AI Platform Viewer
(roles/)
Provides read-only access to AI Platform resources.
Lowest-level resources where you can grant this role:
ml.jobs.get
ml.jobs.list
ml.locations.*
ml.models.get
ml.models.list
ml.operations.get
ml.operations.list
ml.projects.getConfig
ml.studies.get
ml.studies.getIamPolicy
ml.studies.list
ml.trials.get
ml.trials.list
ml.versions.get
ml.versions.list
resourcemanager.projects.get
Analytics Hub roles
Permissions
Analytics Hub Admin
(roles/)
Administer Data Exchanges and Listings
analyticshub.
analyticshub.
analyticshub.dataExchanges.get
analyticshub.
analyticshub.
analyticshub.
analyticshub.
analyticshub.
analyticshub.listings.create
analyticshub.listings.delete
analyticshub.listings.get
analyticshub.
analyticshub.listings.list
analyticshub.
analyticshub.listings.update
analyticshub.
analyticshub.subscriptions.*
resourcemanager.projects.get
resourcemanager.projects.list
Analytics Hub Listing Admin
(roles/)
Grants full control over the Listing, including updating, deleting and setting ACLs
analyticshub.dataExchanges.get
analyticshub.
analyticshub.
analyticshub.listings.delete
analyticshub.listings.get
analyticshub.
analyticshub.listings.list
analyticshub.
analyticshub.listings.update
analyticshub.
resourcemanager.projects.get
resourcemanager.projects.list
Analytics Hub Publisher
(roles/)
Can publish to Data Exchanges thus creating Listings
analyticshub.dataExchanges.get
analyticshub.
analyticshub.
analyticshub.listings.create
analyticshub.listings.get
analyticshub.
analyticshub.listings.list
resourcemanager.projects.get
resourcemanager.projects.list
Analytics Hub Subscriber
(roles/)
Can browse Data Exchanges and subscribe to Listings
analyticshub.dataExchanges.get
analyticshub.
analyticshub.
analyticshub.
analyticshub.listings.get
analyticshub.
analyticshub.listings.list
analyticshub.
resourcemanager.projects.get
resourcemanager.projects.list
Analytics Hub Subscription Owner
(roles/)
Grants full control over the Subscription, including updating and deleting
analyticshub.dataExchanges.get
analyticshub.
analyticshub.
analyticshub.listings.get
analyticshub.
analyticshub.listings.list
analyticshub.subscriptions.*
resourcemanager.projects.get
resourcemanager.projects.list
Analytics Hub Viewer
(roles/)
Can browse Data Exchanges and Listings
analyticshub.dataExchanges.get
analyticshub.
analyticshub.
analyticshub.listings.get
analyticshub.
analyticshub.listings.list
resourcemanager.projects.get
resourcemanager.projects.list
Android Management roles
Permissions
Android Management User
(roles/)
Full access to manage devices.
androidmanagement.
serviceusage.quotas.get
serviceusage.services.get
serviceusage.services.list
Anthos Multi-cloud roles
Permissions
Anthos Multi-cloud Admin
(roles/)
Admin access to Anthos Multi-cloud resources.
gkemulticloud.*
resourcemanager.projects.get
resourcemanager.projects.list
Anthos Multi-cloud Telemetry Writer
(roles/)
Grant access to write cluster telemetry data such as logs, metrics, and resource metadata.
logging.logEntries.create
logging.logEntries.route
monitoring.
monitoring.
monitoring.
monitoring.
monitoring.timeSeries.create
opsconfigmonitoring.
Anthos Multi-cloud Viewer
(roles/)
Viewer access to Anthos Multi-cloud resources.
gkemulticloud.
gkemulticloud.
gkemulticloud.
gkemulticloud.
gkemulticloud.
gkemulticloud.awsClusters.get
gkemulticloud.awsClusters.list
gkemulticloud.awsNodePools.get
gkemulticloud.
gkemulticloud.
gkemulticloud.azureClients.get
gkemulticloud.
gkemulticloud.
gkemulticloud.
gkemulticloud.
gkemulticloud.
gkemulticloud.
gkemulticloud.
gkemulticloud.operations.get
gkemulticloud.operations.list
gkemulticloud.operations.wait
resourcemanager.projects.get
resourcemanager.projects.list
API Gateway roles
Permissions
ApiGateway Admin
(roles/)
Full access to ApiGateway and related resources.
apigateway.*
monitoring.
monitoring.
monitoring.timeSeries.list
resourcemanager.projects.get
resourcemanager.projects.list
servicemanagement.services.get
serviceusage.services.get
serviceusage.services.list
ApiGateway Viewer
(roles/)
Read-only access to ApiGateway and related resources.
apigateway.apiconfigs.get
apigateway.
apigateway.apiconfigs.list
apigateway.apis.get
apigateway.apis.getIamPolicy
apigateway.apis.list
apigateway.
apigateway.
apigateway.gateways.get
apigateway.
apigateway.gateways.list
apigateway.
apigateway.
apigateway.locations.*
apigateway.operations.get
apigateway.operations.list
monitoring.
monitoring.
monitoring.timeSeries.list
resourcemanager.projects.get
resourcemanager.projects.list
servicemanagement.services.get
serviceusage.services.get
serviceusage.services.list
Apigee roles
Permissions
Apigee Organization Admin
(roles/)
Full access to all apigee resource features
apigee.*
apihub.*
monitoring.timeSeries.list
resourcemanager.projects.get
resourcemanager.
resourcemanager.projects.list
Apigee Analytics Agent
(roles/)
Curated set of permissions for Apigee Universal Data Collection Agent to manage analytics for an Apigee Organization
apigee.datalocation.get
apigee.
apigee.runtimeconfigs.get
Apigee Analytics Editor
(roles/)
Analytics editor for an Apigee Organization
apigee.addonsconfig.get
apigee.datacollectors.*
apigee.datastores.*
apigee.entitlements.get
apigee.envgroupattachments.get
apigee.
apigee.envgroups.get
apigee.envgroups.list
apigee.environments.get
apigee.environments.getStats
apigee.environments.list
apigee.exports.*
apigee.hostqueries.*
apigee.hoststats.get
apigee.organizations.get
apigee.organizations.list
apigee.
apigee.queries.*
apigee.reports.*
resourcemanager.projects.get
resourcemanager.projects.list
Apigee Analytics Viewer
(roles/)
Analytics viewer for an Apigee Organization
apigee.addonsconfig.get
apigee.datacollectors.get
apigee.datacollectors.list
apigee.datastores.get
apigee.datastores.list
apigee.entitlements.get
apigee.envgroupattachments.get
apigee.
apigee.envgroups.get
apigee.envgroups.list
apigee.environments.get
apigee.environments.getStats
apigee.environments.list
apigee.exports.get
apigee.exports.list
apigee.hostqueries.get
apigee.hostqueries.list
apigee.hoststats.get
apigee.organizations.get
apigee.organizations.list
apigee.
apigee.queries.get
apigee.queries.list
apigee.reports.get
apigee.reports.list
resourcemanager.projects.get
resourcemanager.projects.list
Apigee API Admin
(roles/)
Full read/write access to all apigee API resources
apigee.apiproductattributes.*
apigee.apiproducts.*
apigee.deployments.list
apigee.entitlements.get
apigee.envgroupattachments.get
apigee.
apigee.envgroups.get
apigee.envgroups.list
apigee.environments.get
apigee.environments.getStats
apigee.environments.list
apigee.keyvaluemapentries.*
apigee.keyvaluemaps.*
apigee.organizations.get
apigee.organizations.list
apigee.
apigee.proxies.*
apigee.proxyrevisions.*
apigee.sharedflowrevisions.*
apigee.sharedflows.*
apihub.apiHubInstances.get
apihub.apiHubInstances.list
apihub.apiOperations.get
apihub.apiOperations.list
apihub.apis.get
apihub.apis.list
apihub.apis.listEffectiveTags
apihub.apis.listTagBindings
apihub.attributes.get
apihub.attributes.list
apihub.curations.get
apihub.curations.list
apihub.definitions.get
apihub.definitions.list
apihub.dependencies.get
apihub.dependencies.list
apihub.deployments.get
apihub.deployments.list
apihub.
apihub.
apihub.externalApis.get
apihub.externalApis.list
apihub.
apihub.
apihub.llmEnablements.get
apihub.llmEnablements.list
apihub.
apihub.operations.get
apihub.operations.list
apihub.plugininstances.get
apihub.plugininstances.list
apihub.plugins.get
apihub.plugins.list
apihub.
apihub.
apihub.specs.get
apihub.specs.list
apihub.styleGuides.get
apihub.versions.get
apihub.versions.list
resourcemanager.projects.get
resourcemanager.projects.list
Apigee API Reader
(roles/)
Reader of apigee resources
apigee.
apigee.
apigee.apiproducts.get
apigee.apiproducts.list
apigee.entitlements.get
apigee.envgroupattachments.get
apigee.
apigee.envgroups.get
apigee.envgroups.list
apigee.environments.get
apigee.environments.getStats
apigee.environments.list
apigee.keyvaluemapentries.get
apigee.keyvaluemapentries.list
apigee.keyvaluemaps.list
apigee.organizations.get
apigee.organizations.list
apigee.
apigee.proxies.get
apigee.proxies.list
apigee.proxyrevisions.deploy
apigee.proxyrevisions.get
apigee.proxyrevisions.list
apigee.proxyrevisions.undeploy
apigee.
apigee.sharedflowrevisions.get
apigee.
apigee.
apigee.sharedflows.get
apigee.sharedflows.list
apihub.apiHubInstances.get
apihub.apiHubInstances.list
apihub.apiOperations.get
apihub.apiOperations.list
apihub.apis.get
apihub.apis.list
apihub.apis.listEffectiveTags
apihub.apis.listTagBindings
apihub.attributes.get
apihub.attributes.list
apihub.curations.get
apihub.curations.list
apihub.definitions.get
apihub.definitions.list
apihub.dependencies.get
apihub.dependencies.list
apihub.deployments.get
apihub.deployments.list
apihub.
apihub.
apihub.externalApis.get
apihub.externalApis.list
apihub.
apihub.
apihub.llmEnablements.get
apihub.llmEnablements.list
apihub.
apihub.operations.get
apihub.operations.list
apihub.plugininstances.get
apihub.plugininstances.list
apihub.plugins.get
apihub.plugins.list
apihub.
apihub.
apihub.specs.get
apihub.specs.list
apihub.styleGuides.get
apihub.versions.get
apihub.versions.list
resourcemanager.projects.get
resourcemanager.projects.list
Apigee Deployment Invoker
(roles/)
Invoker of deployments in the apigee runtime
apigee.deployments.invoke
Apigee Developer Admin
(roles/)
Developer admin of apigee resources
apigee.
apigee.
apigee.apiproducts.get
apigee.apiproducts.list
apigee.appgroupapps.*
apigee.appgroups.*
apigee.appkeys.*
apigee.apps.*
apigee.datacollectors.*
apigee.
apigee.developerapps.*
apigee.developerattributes.*
apigee.developerbalances.*
apigee.
apigee.developers.*
apigee.
apigee.entitlements.get
apigee.environments.get
apigee.environments.getStats
apigee.environments.list
apigee.hoststats.get
apigee.organizations.get
apigee.organizations.list
apigee.
apigee.rateplans.get
apigee.rateplans.list
resourcemanager.projects.get
resourcemanager.
resourcemanager.projects.list
Apigee Environment Admin
(roles/)
Full read/write access to apigee environment resources, including deployments.
apigee.addonsconfig.*
apigee.archivedeployments.*
apigee.datacollectors.get
apigee.datacollectors.list
apigee.deployments.*
apigee.entitlements.get
apigee.envgroupattachments.get
apigee.
apigee.envgroups.get
apigee.envgroups.list
apigee.environments.get
apigee.
apigee.environments.getStats
apigee.environments.list
apigee.
apigee.environments.update
apigee.flowhooks.*
apigee.ingressconfigs.get
apigee.keystorealiases.*
apigee.keystores.*
apigee.keyvaluemapentries.*
apigee.keyvaluemaps.*
apigee.maskconfigs.*
apigee.organizations.get
apigee.organizations.list
apigee.
apigee.proxies.get
apigee.proxies.list
apigee.proxyrevisions.deploy
apigee.proxyrevisions.get
apigee.proxyrevisions.list
apigee.proxyrevisions.undeploy
apigee.references.*
apigee.resourcefiles.*
apigee.
apigee.sharedflowrevisions.get
apigee.
apigee.
apigee.sharedflows.get
apigee.sharedflows.list
apigee.targetservers.*
apigee.traceconfig.*
apigee.traceconfigoverrides.*
apigee.tracesessions.*
resourcemanager.projects.get
resourcemanager.
resourcemanager.projects.list
Apigee Monetization Admin
(roles/)
All permissions related to monetization
apigee.apiproducts.get
apigee.apiproducts.list
apigee.developerbalances.*
apigee.
apigee.
apigee.entitlements.get
apigee.organizations.get
apigee.organizations.list
apigee.
apigee.rateplans.*
resourcemanager.projects.get
resourcemanager.projects.list
Apigee Portal Admin
(roles/)
Portal admin for an Apigee Organization
apigee.entitlements.get
apigee.organizations.get
apigee.organizations.list
apigee.portals.*
apigee.
resourcemanager.projects.get
resourcemanager.projects.list
Apigee Read-only Admin
(roles/)
Viewer of all apigee resources
apigee.addonsconfig.get
apigee.
apigee.
apigee.apiproducts.get
apigee.apiproducts.list
apigee.appgroupapps.get
apigee.appgroupapps.list
apigee.appgroups.get
apigee.appgroups.list
apigee.appkeys.get
apigee.apps.*
apigee.
apigee.archivedeployments.get
apigee.archivedeployments.list
apigee.caches.list
apigee.canaryevaluations.get
apigee.datacollectors.get
apigee.datacollectors.list
apigee.datalocation.get
apigee.datastores.get
apigee.datastores.list
apigee.deployments.get
apigee.deployments.list
apigee.
apigee.
apigee.developerapps.get
apigee.developerapps.list
apigee.developerattributes.get
apigee.
apigee.developerbalances.get
apigee.
apigee.developers.get
apigee.developers.list
apigee.
apigee.
apigee.dnsZones.get
apigee.dnsZones.list
apigee.endpointattachments.get
apigee.
apigee.entitlements.get
apigee.envgroupattachments.get
apigee.
apigee.envgroups.get
apigee.envgroups.list
apigee.environments.get
apigee.
apigee.
apigee.environments.getStats
apigee.environments.list
apigee.exports.get
apigee.exports.list
apigee.flowhooks.getSharedFlow
apigee.flowhooks.list
apigee.hostqueries.get
apigee.hostqueries.list
apigee.hostsecurityreports.get
apigee.
apigee.hoststats.get
apigee.ingressconfigs.get
apigee.instanceattachments.get
apigee.
apigee.instances.get
apigee.instances.list
apigee.keystorealiases.get
apigee.keystorealiases.list
apigee.keystores.get
apigee.keystores.list
apigee.keyvaluemapentries.get
apigee.keyvaluemapentries.list
apigee.keyvaluemaps.list
apigee.maskconfigs.get
apigee.nataddresses.get
apigee.nataddresses.list
apigee.operations.*
apigee.organizations.get
apigee.organizations.list
apigee.portals.get
apigee.portals.list
apigee.
apigee.proxies.get
apigee.proxies.list
apigee.proxyrevisions.get
apigee.proxyrevisions.list
apigee.queries.get
apigee.queries.list
apigee.rateplans.get
apigee.rateplans.list
apigee.references.get
apigee.references.list
apigee.reports.get
apigee.reports.list
apigee.resourcefiles.get
apigee.resourcefiles.list
apigee.runtimeconfigs.get
apigee.securityActions.get
apigee.securityActions.list
apigee.
apigee.
apigee.securityFeedback.get
apigee.securityFeedback.list
apigee.securityIncidents.get
apigee.securityIncidents.list
apigee.
apigee.
apigee.
apigee.securityProfiles.get
apigee.securityProfiles.list
apigee.securityProfilesV2.get
apigee.securityProfilesV2.list
apigee.securitySettings.get
apigee.securityStats.*
apigee.securityreports.get
apigee.securityreports.list
apigee.setupcontexts.get
apigee.sharedflowrevisions.get
apigee.
apigee.sharedflows.get
apigee.sharedflows.list
apigee.spaces.get
apigee.spaces.getIamPolicy
apigee.spaces.list
apigee.targetservers.get
apigee.targetservers.list
apigee.traceconfig.get
apigee.
apigee.
apigee.tracesessions.get
apigee.tracesessions.list
monitoring.timeSeries.list
resourcemanager.projects.get
resourcemanager.
resourcemanager.projects.list
Apigee Runtime Agent
(roles/)
Curated set of permissions for a runtime agent to access Apigee Organization resources
apigee.canaryevaluations.*
apigee.entitlements.get
apigee.environments.get
apigee.ingressconfigs.get
apigee.instances.reportStatus
apigee.operations.*
apigee.organizations.get
apigee.
apigee.runtimeconfigs.get
Apigee Security Admin
(roles/)
Security admin for an Apigee Organization
apigee.addonsconfig.get
apigee.entitlements.get
apigee.envgroupattachments.get
apigee.
apigee.envgroups.get
apigee.envgroups.list
apigee.environments.get
apigee.environments.list
apigee.hostsecurityreports.*
apigee.organizations.get
apigee.organizations.list
apigee.
apigee.securityActions.*
apigee.securityActionsConfig.*
apigee.
apigee.securityFeedback.*
apigee.securityIncidents.*
apigee.
apigee.
apigee.securityProfiles.*
apigee.securityProfilesV2.*
apigee.securitySettings.*
apigee.securityStats.*
apigee.securityreports.*
resourcemanager.projects.get
resourcemanager.projects.list
Apigee Security Viewer
(roles/)
Security viewer for an Apigee Organization
apigee.addonsconfig.get
apigee.entitlements.get
apigee.envgroupattachments.get
apigee.
apigee.envgroups.get
apigee.envgroups.list
apigee.environments.get
apigee.environments.list
apigee.hostsecurityreports.get
apigee.
apigee.organizations.get
apigee.organizations.list
apigee.
apigee.securityActions.get
apigee.securityActions.list
apigee.
apigee.
apigee.securityFeedback.get
apigee.securityFeedback.list
apigee.securityIncidents.get
apigee.securityIncidents.list
apigee.
apigee.
apigee.
apigee.securityProfiles.get
apigee.securityProfiles.list
apigee.securityProfilesV2.get
apigee.securityProfilesV2.list
apigee.securitySettings.get
apigee.securityStats.*
apigee.securityreports.get
apigee.securityreports.list
resourcemanager.projects.get
resourcemanager.projects.list
Apigee Space Console User
(roles/)
Provides users granted permissions on an Apigee space the minimum read permissions required to manage resources in that space in the UI.
apigee.apps.list
apigee.deployments.list
apigee.entitlements.get
apigee.
apigee.envgroups.list
apigee.environments.get
apigee.environments.list
apigee.
apigee.instances.list
apigee.organizations.get
apigee.organizations.list
apigee.
resourcemanager.projects.get
resourcemanager.projects.list
Apigee Space Content Editor
(roles/)
Provides full access to resources that can be associated with a space. This role is intended to be granted at the space level.
apigee.apiproductattributes.*
apigee.apiproducts.*
apigee.deployments.get
apigee.deployments.list
apigee.keyvaluemapentries.*
apigee.keyvaluemaps.*
apigee.proxies.*
apigee.proxyrevisions.*
apigee.rateplans.*
apigee.sharedflowrevisions.*
apigee.sharedflows.*
apigee.spaces.get
apigee.spaces.list
apigee.tracesessions.*
Apigee Space Content Viewer
(roles/)
Provides read access to resources that can be associated with a space. This role is intended to be granted at the space level.
apigee.
apigee.
apigee.apiproducts.get
apigee.apiproducts.list
apigee.deployments.get
apigee.deployments.list
apigee.keyvaluemapentries.get
apigee.keyvaluemapentries.list
apigee.keyvaluemaps.list
apigee.proxies.get
apigee.proxies.list
apigee.proxyrevisions.get
apigee.proxyrevisions.list
apigee.rateplans.get
apigee.rateplans.list
apigee.sharedflowrevisions.get
apigee.
apigee.sharedflows.get
apigee.sharedflows.list
apigee.spaces.get
apigee.spaces.list
apigee.tracesessions.get
apigee.tracesessions.list
Apigee Synchronizer Manager
(roles/)
Curated set of permissions for a Synchronizer to manage environments in an Apigee Organization
apigee.environments.get
apigee.
apigee.ingressconfigs.get
Apigee Connect Admin
(roles/)
Admin of Apigee Connect
apigeeconnect.connections.list
Apigee Connect Agent
(roles/)
Ability to set up Apigee Connect agent between external clusters and Google.
apigeeconnect.
Apigee Registry roles
Permissions
Cloud Apigee Registry Admin
Beta
(roles/)
Full access to Cloud Apigee Registry Registry and Runtime resources.
apigeeregistry.*
resourcemanager.projects.get
resourcemanager.projects.list
Cloud Apigee Registry Editor
Beta
(roles/)
Edit access to Cloud Apigee Registry Registry resources.
apigeeregistry.apis.create
apigeeregistry.apis.delete
apigeeregistry.apis.get
apigeeregistry.
apigeeregistry.apis.list
apigeeregistry.apis.update
apigeeregistry.
apigeeregistry.
apigeeregistry.artifacts.get
apigeeregistry.
apigeeregistry.artifacts.list
apigeeregistry.
apigeeregistry.deployments.*
apigeeregistry.specs.create
apigeeregistry.specs.delete
apigeeregistry.specs.get
apigeeregistry.
apigeeregistry.specs.list
apigeeregistry.specs.update
apigeeregistry.versions.create
apigeeregistry.versions.delete
apigeeregistry.versions.get
apigeeregistry.
apigeeregistry.versions.list
apigeeregistry.versions.update
resourcemanager.projects.get
resourcemanager.projects.list
Cloud Apigee Registry Viewer
Beta
(roles/)
Read-only access to Cloud Apigee Registry Registry resources.
apigeeregistry.apis.get
apigeeregistry.apis.list
apigeeregistry.artifacts.get
apigeeregistry.artifacts.list
apigeeregistry.deployments.get
apigeeregistry.
apigeeregistry.specs.get
apigeeregistry.specs.list
apigeeregistry.versions.get
apigeeregistry.versions.list
resourcemanager.projects.get
resourcemanager.projects.list
Cloud Apigee Registry Worker
Beta
(roles/)
The role used by Apigee Registry application workers to read and update Apigee Registry Artifacts.
apigeeregistry.apis.get
apigeeregistry.apis.list
apigeeregistry.apis.update
apigeeregistry.
apigeeregistry.
apigeeregistry.artifacts.get
apigeeregistry.artifacts.list
apigeeregistry.
apigeeregistry.deployments.get
apigeeregistry.
apigeeregistry.
apigeeregistry.specs.get
apigeeregistry.specs.list
apigeeregistry.specs.update
apigeeregistry.versions.get
apigeeregistry.versions.list
apigeeregistry.versions.update
resourcemanager.projects.get
resourcemanager.projects.list
App Engine roles
Permissions
App Engine Admin
(roles/)
Read/Write/Modify access to all application configuration and settings.
To deploy new versions, a principal must have the
Service Account User
(roles/iam.serviceAccountUser) role on the assigned App Engine
service account , and the Cloud Build Editor
(roles/cloudbuild.builds.editor), and Cloud Storage Object Admin
(roles/storage.objectAdmin) roles on the project.
Lowest-level resources where you can grant this role:
appengine.applications.get
appengine.
appengine.applications.update
appengine.instances.*
appengine.memcache.addKey
appengine.memcache.flush
appengine.memcache.get
appengine.memcache.update
appengine.operations.*
appengine.runtimes.actAsAdmin
appengine.services.*
appengine.versions.create
appengine.versions.delete
appengine.versions.get
appengine.versions.list
appengine.versions.update
artifactregistry.
artifactregistry.
artifactregistry.
artifactregistry.
resourcemanager.projects.get
resourcemanager.projects.list
App Engine Creator
(roles/)
Ability to create the App Engine resource for the project.
Lowest-level resources where you can grant this role:
appengine.applications.create
resourcemanager.projects.get
resourcemanager.projects.list
App Engine Viewer
(roles/)
Read-only access to all application configuration and settings.
Lowest-level resources where you can grant this role:
appengine.applications.get
appengine.
appengine.instances.get
appengine.instances.list
appengine.operations.*
appengine.services.get
appengine.services.list
appengine.versions.get
appengine.versions.list
artifactregistry.
resourcemanager.projects.get
resourcemanager.projects.list
App Engine Code Viewer
(roles/)
Read-only access to all application configuration, settings, and deployed
source code.
Lowest-level resources where you can grant this role:
appengine.applications.get
appengine.
appengine.instances.get
appengine.instances.list
appengine.operations.*
appengine.services.get
appengine.services.list
appengine.versions.get
appengine.
appengine.versions.list
artifactregistry.
resourcemanager.projects.get
resourcemanager.projects.list
App Engine Managed VM Debug Access
(roles/)
Ability to read or manage v2 instances.
appengine.applications.get
appengine.
appengine.instances.*
appengine.operations.*
appengine.services.get
appengine.services.list
appengine.versions.get
appengine.versions.list
resourcemanager.projects.get
resourcemanager.projects.list
App Engine Deployer
(roles/)
Read-only access to all application configuration and settings.
To deploy new versions, you must also have the
Service Account User
(roles/iam.serviceAccountUser) role on the assigned App Engine
service account , and the Cloud
Build Editor (roles/cloudbuild.builds.editor), and Cloud Storage Object Admin
(roles/storage.objectAdmin) roles on the project.
Cannot modify existing versions other than deleting versions that are not receiving traffic.
Lowest-level resources where you can grant this role:
appengine.applications.get
appengine.
appengine.instances.get
appengine.instances.list
appengine.operations.*
appengine.services.get
appengine.services.list
appengine.versions.create
appengine.versions.delete
appengine.versions.get
appengine.versions.list
artifactregistry.
artifactregistry.
artifactregistry.
artifactregistry.
resourcemanager.projects.get
resourcemanager.projects.list
App Engine Memcache Data Admin
(roles/)
Can get, set, delete, and flush App Engine Memcache items.
appengine.applications.get
appengine.memcache.addKey
appengine.memcache.flush
appengine.memcache.get
appengine.memcache.update
resourcemanager.projects.get
resourcemanager.projects.list
App Engine Service Admin
(roles/)
Read-only access to all application configuration and settings.
Write access to module-level and version-level settings. Cannot deploy a new version.
Lowest-level resources where you can grant this role:
appengine.applications.get
appengine.
appengine.instances.delete
appengine.instances.get
appengine.instances.list
appengine.operations.*
appengine.services.*
appengine.versions.delete
appengine.versions.get
appengine.versions.list
appengine.versions.update
artifactregistry.
resourcemanager.projects.get
resourcemanager.projects.list
Artifact Registry roles
Permissions
Artifact Registry Administrator
(roles/)
Administrator access to create and manage repositories.
artifactregistry.
artifactregistry.attachments.*
artifactregistry.
artifactregistry.files.*
artifactregistry.
artifactregistry.locations.*
artifactregistry.
artifactregistry.npmpackages.*
artifactregistry.packages.*
artifactregistry.
artifactregistry.
artifactregistry.
artifactregistry.
artifactregistry.
artifactregistry.
artifactregistry.
artifactregistry.
artifactregistry.
artifactregistry.
artifactregistry.
artifactregistry.
artifactregistry.
artifactregistry.
artifactregistry.
artifactregistry.
artifactregistry.
artifactregistry.rules.*
artifactregistry.tags.*
artifactregistry.versions.*
artifactregistry.
cloudkms.keyHandles.*
cloudkms.operations.get
cloudkms.
Container Registry -> Artifact Registry Migration Admin
(roles/)
Access to run migration tooling to migrate from Container Registry to Artifact Registry
artifactregistry.
artifactregistry.
artifactregistry.
artifactregistry.
artifactregistry.
artifactregistry.
artifactregistry.
artifactregistry.
cloudasset.
cloudasset.
cloudasset.
iam.roles.get
resourcemanager.projects.get
resourcemanager.
serviceusage.services.use
storage.objects.get
storage.objects.list
Artifact Registry Create-on-Push Repository Administrator
(roles/)
Access to manage artifacts in repositories, as well as create new repositories on push
artifactregistry.
artifactregistry.attachments.*
artifactregistry.
artifactregistry.files.*
artifactregistry.
artifactregistry.locations.*
artifactregistry.
artifactregistry.npmpackages.*
artifactregistry.packages.*
artifactregistry.
artifactregistry.
artifactregistry.
artifactregistry.
artifactregistry.
artifactregistry.
artifactregistry.
artifactregistry.
artifactregistry.
artifactregistry.
artifactregistry.
artifactregistry.rules.*
artifactregistry.tags.*
artifactregistry.versions.*
artifactregistry.
Artifact Registry Create-on-Push Writer
(roles/)
Access to read and write repository items, as well as create new repositories on push
artifactregistry.
artifactregistry.
artifactregistry.
artifactregistry.
artifactregistry.
artifactregistry.
artifactregistry.files.get
artifactregistry.files.list
artifactregistry.files.update
artifactregistry.files.upload
artifactregistry.
artifactregistry.locations.*
artifactregistry.
artifactregistry.npmpackages.*
artifactregistry.packages.get
artifactregistry.packages.list
artifactregistry.
artifactregistry.
artifactregistry.
artifactregistry.
artifactregistry.
artifactregistry.
artifactregistry.
artifactregistry.
artifactregistry.
artifactregistry.
artifactregistry.
artifactregistry.rules.get
artifactregistry.rules.list
artifactregistry.tags.create
artifactregistry.tags.get
artifactregistry.tags.list
artifactregistry.tags.update
artifactregistry.versions.get
artifactregistry.versions.list
artifactregistry.
Artifact Registry Reader
(roles/)
Access to read repository items.
artifactregistry.
artifactregistry.
artifactregistry.
artifactregistry.
artifactregistry.files.get
artifactregistry.files.list
artifactregistry.locations.*
artifactregistry.
artifactregistry.npmpackages.*
artifactregistry.packages.get
artifactregistry.packages.list
artifactregistry.
artifactregistry.
artifactregistry.
artifactregistry.
artifactregistry.
artifactregistry.
artifactregistry.
artifactregistry.
artifactregistry.rules.get
artifactregistry.rules.list
artifactregistry.tags.get
artifactregistry.tags.list
artifactregistry.versions.get
artifactregistry.versions.list
Artifact Registry Repository Administrator
(roles/)
Access to manage artifacts in repositories.
artifactregistry.
artifactregistry.attachments.*
artifactregistry.
artifactregistry.files.*
artifactregistry.
artifactregistry.locations.*
artifactregistry.
artifactregistry.npmpackages.*
artifactregistry.packages.*
artifactregistry.
artifactregistry.
artifactregistry.
artifactregistry.
artifactregistry.
artifactregistry.
artifactregistry.
artifactregistry.
artifactregistry.
artifactregistry.
artifactregistry.rules.*
artifactregistry.tags.*
artifactregistry.versions.*
artifactregistry.
Artifact Registry Writer
(roles/)
Access to read and write repository items.
artifactregistry.
artifactregistry.
artifactregistry.
artifactregistry.
artifactregistry.
artifactregistry.
artifactregistry.files.get
artifactregistry.files.list
artifactregistry.files.update
artifactregistry.files.upload
artifactregistry.
artifactregistry.locations.*
artifactregistry.
artifactregistry.npmpackages.*
artifactregistry.packages.get
artifactregistry.packages.list
artifactregistry.
artifactregistry.
artifactregistry.
artifactregistry.
artifactregistry.
artifactregistry.
artifactregistry.
artifactregistry.
artifactregistry.
artifactregistry.
artifactregistry.rules.get
artifactregistry.rules.list
artifactregistry.tags.create
artifactregistry.tags.get
artifactregistry.tags.list
artifactregistry.tags.update
artifactregistry.versions.get
artifactregistry.versions.list
artifactregistry.
Assured Workloads roles
Permissions
Assured Workloads Administrator
(roles/)
Grants full access to Assured Workloads resources, CRM resources - project/folder and Organization Policy administration
assuredworkloads.*
axt.labels.set
bigquery.config.update
logging.settings.update
orgpolicy.policies.*
orgpolicy.policy.*
resourcemanager.folders.create
resourcemanager.folders.get
resourcemanager.folders.list
resourcemanager.
resourcemanager.
resourcemanager.projects.get
resourcemanager.projects.list
Assured Workloads Editor
(roles/)
Grants read, write access to Assured Workloads resources, CRM resources - project/folder and Organization Policy administration
assuredworkloads.*
axt.labels.set
bigquery.config.update
logging.settings.update
orgpolicy.policies.*
orgpolicy.policy.*
resourcemanager.folders.create
resourcemanager.folders.get
resourcemanager.folders.list
resourcemanager.
resourcemanager.
resourcemanager.projects.get
resourcemanager.projects.list
Assured Workloads Reader
(roles/)
Grants read access to all Assured Workloads resources and CRM resources - project/folder
assuredworkloads.operations.*
assuredworkloads.updates.list
assuredworkloads.
assuredworkloads.
assuredworkloads.workload.get
assuredworkloads.workload.list
orgpolicy.policies.list
orgpolicy.policy.get
resourcemanager.folders.get
resourcemanager.folders.list
resourcemanager.
resourcemanager.projects.get
resourcemanager.projects.list
AutoML roles
Permissions
AutoML Admin
Beta
(roles/)
Full access to all AutoML resources
Lowest-level resources where you can grant this role:
automl.*
resourcemanager.projects.get
resourcemanager.projects.list
serviceusage.services.get
serviceusage.services.list
AutoML Editor
Beta
(roles/)
Editor of all AutoML resources
Lowest-level resources where you can grant this role:
automl.annotationSpecs.*
automl.annotations.*
automl.columnSpecs.*
automl.datasets.create
automl.datasets.delete
automl.datasets.export
automl.datasets.get
automl.datasets.import
automl.datasets.list
automl.datasets.update
automl.examples.*
automl.files.*
automl.humanAnnotationTasks.*
automl.locations.get
automl.locations.list
automl.modelEvaluations.*
automl.models.create
automl.models.delete
automl.models.deploy
automl.models.export
automl.models.get
automl.models.list
automl.models.predict
automl.models.undeploy
automl.operations.*
automl.tableSpecs.*
resourcemanager.projects.get
resourcemanager.projects.list
serviceusage.services.get
serviceusage.services.list
AutoML Predictor
Beta
(roles/)
Predict using models
Lowest-level resources where you can grant this role:
automl.models.predict
resourcemanager.projects.get
resourcemanager.projects.list
AutoML Viewer
Beta
(roles/)
Viewer of all AutoML resources
Lowest-level resources where you can grant this role:
automl.annotationSpecs.get
automl.annotationSpecs.list
automl.annotations.list
automl.columnSpecs.get
automl.columnSpecs.list
automl.datasets.get
automl.datasets.list
automl.examples.get
automl.examples.list
automl.files.list
automl.
automl.
automl.locations.get
automl.locations.list
automl.modelEvaluations.get
automl.modelEvaluations.list
automl.models.get
automl.models.list
automl.operations.get
automl.operations.list
automl.tableSpecs.get
automl.tableSpecs.list
resourcemanager.projects.get
resourcemanager.projects.list
serviceusage.services.get
serviceusage.services.list
Backup and DR roles
Permissions
Backup and DR Admin
(roles/)
Provides full access to all Backup and DR resources.
backupdr.
backupdr.backupPlans.*
backupdr.backupVaults.*
backupdr.bvbackups.*
backupdr.bvdataSources.*
backupdr.
backupdr.locations.*
backupdr.managementServers.*
backupdr.operations.*
backupdr.
resourcemanager.projects.get
resourcemanager.projects.list
Backup and DR Backup Config Viewer
Beta
(roles/)
Provides read access to resource backup config. Resource backup config has the metadata of a Google Cloud resource that can be backed up, along with its backup configurations.
backupdr.locations.list
backupdr.
Backup and DR Backup User
(roles/)
Allows the user to apply existing backup plans. This role cannot create backup plans or restore from a backup.
backupdr.
backupdr.backupPlans.get
backupdr.backupPlans.list
backupdr.
backupdr.backupVaults.get
backupdr.backupVaults.list
backupdr.bvbackups.get
backupdr.bvbackups.list
backupdr.bvdataSources.get
backupdr.bvdataSources.list
backupdr.locations.*
backupdr.
backupdr.
backupdr.
backupdr.
backupdr.managementServers.get
backupdr.
backupdr.
backupdr.
backupdr.
backupdr.
backupdr.
backupdr.
backupdr.
backupdr.
backupdr.
backupdr.operations.get
backupdr.operations.list
resourcemanager.projects.get
resourcemanager.projects.list
Backup and DR Backup Vault Accessor
(roles/)
Allows the Backup Appliance permissions to create and manage backups in a backup vault.
backupdr.backupVaults.get
backupdr.backupVaults.list
backupdr.bvbackups.delete
backupdr.bvbackups.get
backupdr.bvbackups.list
backupdr.bvbackups.update
backupdr.bvdataSources.*
backupdr.operations.*
Backup and DR Backup Vault Admin
(roles/)
Allows the Backup Appliance full administrative control of backup vault resources.
backupdr.backupVaults.*
backupdr.bvbackups.*
backupdr.bvdataSources.get
backupdr.bvdataSources.list
backupdr.bvdataSources.update
backupdr.
backupdr.locations.*
backupdr.operations.*
Backup and DR Backup Vault Lister
(roles/)
Allows the Backup Appliance permission to list backup vaults in a given project.
backupdr.backupVaults.list
Backup and DR Backup Vault Viewer
(roles/)
Allows read-only permissions to access backup vault resources and backups.
backupdr.backupVaults.get
backupdr.backupVaults.list
backupdr.bvbackups.get
backupdr.bvbackups.list
backupdr.bvdataSources.get
backupdr.bvdataSources.list
backupdr.operations.get
backupdr.operations.list
Backup and DR Cloud Storage Operator
(roles/)
Allows a Backup and DR service account to store and manage data (backups or metadata) in Cloud Storage.
storage.buckets.create
storage.buckets.get
storage.objects.create
storage.objects.delete
storage.objects.get
storage.objects.list
Backup and DR Compute Engine Operator
(roles/)
Allows a Backup and DR service account to discover, back up, and restore Compute Engine VM instances.
backupdr.
compute.addresses.list
compute.addresses.use
compute.addresses.useInternal
compute.diskTypes.*
compute.disks.create
compute.disks.createSnapshot
compute.disks.delete
compute.disks.get
compute.disks.setLabels
compute.disks.use
compute.disks.useReadOnly
compute.firewalls.list
compute.globalOperations.get
compute.images.create
compute.images.delete
compute.images.get
compute.images.useReadOnly
compute.instances.attachDisk
compute.instances.create
compute.
compute.instances.delete
compute.instances.detachDisk
compute.instances.get
compute.instances.list
compute.
compute.
compute.
compute.instances.setLabels
compute.instances.setMetadata
compute.
compute.instances.setTags
compute.instances.start
compute.instances.stop
compute.
compute.instances.useReadOnly
compute.machineTypes.*
compute.networks.list
compute.nodeGroups.get
compute.nodeGroups.list
compute.nodeTemplates.get
compute.projects.get
compute.regionOperations.get
compute.regions.*
compute.resourcePolicies.use
compute.snapshots.create
compute.snapshots.delete
compute.snapshots.get
compute.snapshots.setLabels
compute.snapshots.useReadOnly
compute.subnetworks.list
compute.subnetworks.use
compute.
compute.zoneOperations.get
compute.zones.list
iam.serviceAccounts.actAs
iam.serviceAccounts.get
iam.serviceAccounts.list
resourcemanager.projects.get
resourcemanager.projects.list
Backup and DR Management Server Accessor
(roles/)
Grants the Backup and DR management server access role to Backup Appliances.
backupdr.
Backup and DR Mount User
(roles/)
Allows the user to mount from a backup. This role cannot create a backup plan or restore from a backup.
backupdr.locations.*
backupdr.
backupdr.managementServers.get
backupdr.
backupdr.
backupdr.
backupdr.
backupdr.
backupdr.
backupdr.
backupdr.
backupdr.
backupdr.
backupdr.
backupdr.
backupdr.
backupdr.
backupdr.
backupdr.
backupdr.
backupdr.operations.get
backupdr.operations.list
resourcemanager.projects.get
resourcemanager.projects.list
Backup and DR Restore User
(roles/)
Allows the user to restore or mount from a backup. This role cannot create a backup plan.
backupdr.backupVaults.get
backupdr.backupVaults.list
backupdr.bvbackups.get
backupdr.bvbackups.list
backupdr.bvbackups.restore
backupdr.bvdataSources.get
backupdr.bvdataSources.list
backupdr.
backupdr.locations.*
backupdr.
backupdr.managementServers.get
backupdr.
backupdr.
backupdr.
backupdr.
backupdr.
backupdr.
backupdr.
backupdr.
backupdr.
backupdr.
backupdr.
backupdr.
backupdr.
backupdr.
backupdr.
backupdr.
backupdr.
backupdr.
backupdr.
backupdr.
backupdr.operations.get
backupdr.operations.list
resourcemanager.projects.get
resourcemanager.projects.list
Backup and DR User
(roles/)
Provides access to management console. Granular Backup and DR permissions depend on ACL configuration provided by Backup and DR admin within the management console.
backupdr.
backupdr.
backupdr.
backupdr.
backupdr.managementServers.get
backupdr.
backupdr.
backupdr.
backupdr.
backupdr.
backupdr.
backupdr.
backupdr.
backupdr.
backupdr.
backupdr.operations.get
backupdr.operations.list
resourcemanager.projects.get
resourcemanager.projects.list
Backup and DR User V2
(roles/)
Provides full access to Backup and DR resources except deploying and managing backup infrastructure, expiring backups, changing data sensitivity and configuring on-premises billing.
backupdr.
backupdr.backupPlans.*
backupdr.
backupdr.backupVaults.get
backupdr.backupVaults.list
backupdr.bvbackups.get
backupdr.bvbackups.list
backupdr.bvbackups.restore
backupdr.bvdataSources.get
backupdr.bvdataSources.list
backupdr.
backupdr.locations.*
backupdr.
backupdr.
backupdr.
backupdr.
backupdr.
backupdr.managementServers.get
backupdr.
backupdr.
backupdr.
backupdr.
backupdr.
backupdr.
backupdr.
backupdr.
backupdr.
backupdr.
backupdr.
backupdr.
backupdr.
backupdr.
backupdr.
backupdr.
backupdr.
backupdr.
backupdr.
backupdr.
backupdr.
backupdr.
backupdr.
backupdr.
backupdr.
backupdr.operations.get
backupdr.operations.list
resourcemanager.projects.get
resourcemanager.projects.list
Backup and DR Viewer
(roles/)
Provides read-only access to all Backup and DR resources.
backupdr.
backupdr.
backupdr.backupPlans.get
backupdr.backupPlans.list
backupdr.backupVaults.get
backupdr.backupVaults.list
backupdr.bvbackups.get
backupdr.bvbackups.list
backupdr.bvdataSources.get
backupdr.bvdataSources.list
backupdr.locations.*
backupdr.
backupdr.
backupdr.managementServers.get
backupdr.
backupdr.
backupdr.
backupdr.
backupdr.
backupdr.
backupdr.
backupdr.
backupdr.
backupdr.
backupdr.operations.get
backupdr.operations.list
resourcemanager.projects.get
resourcemanager.projects.list
Backup for GKE roles
Permissions
Backup for GKE Admin
(roles/)
Full access to all Backup for GKE resources.
gkebackup.*
resourcemanager.projects.get
resourcemanager.projects.list
Backup for GKE Backup Admin
(roles/)
Allows administrators to manage all BackupPlan and Backup resources.
gkebackup.backupChannels.get
gkebackup.backupChannels.list
gkebackup.backupPlanBindings.*
gkebackup.backupPlans.*
gkebackup.backups.*
gkebackup.locations.*
gkebackup.operations.get
gkebackup.operations.list
gkebackup.restoreChannels.*
gkebackup.
gkebackup.volumeBackups.*
resourcemanager.projects.get
resourcemanager.projects.list
Backup for GKE Delegated Backup Admin
(roles/)
Allows administrators to manage Backup resources for specific BackupPlans
gkebackup.backupChannels.get
gkebackup.backupChannels.list
gkebackup.backupPlanBindings.*
gkebackup.backupPlans.get
gkebackup.backups.*
gkebackup.volumeBackups.*
Backup for GKE Delegated Restore Admin
(roles/)
Allows administrators to manage Restore resources for specific RestorePlans
gkebackup.restorePlans.get
gkebackup.restores.*
gkebackup.volumeRestores.*
Backup for GKE Restore Admin
(roles/)
Allows administrators to manage all RestorePlan and Restore resources.
gkebackup.backupPlans.get
gkebackup.backupPlans.list
gkebackup.backups.get
gkebackup.
gkebackup.backups.list
gkebackup.locations.*
gkebackup.operations.get
gkebackup.operations.list
gkebackup.restoreChannels.get
gkebackup.restoreChannels.list
gkebackup.
gkebackup.restorePlans.*
gkebackup.restores.*
gkebackup.volumeBackups.*
gkebackup.volumeRestores.*
resourcemanager.projects.get
resourcemanager.projects.list
Backup for GKE Viewer
(roles/)
Read-only access to all Backup for GKE resources.
gkebackup.backupChannels.get
gkebackup.backupChannels.list
gkebackup.backupPlanBindings.*
gkebackup.backupPlans.get
gkebackup.
gkebackup.backupPlans.list
gkebackup.backups.get
gkebackup.
gkebackup.backups.list
gkebackup.locations.*
gkebackup.operations.get
gkebackup.operations.list
gkebackup.restoreChannels.get
gkebackup.restoreChannels.list
gkebackup.
gkebackup.restorePlans.get
gkebackup.
gkebackup.restorePlans.list
gkebackup.restores.get
gkebackup.restores.list
gkebackup.volumeBackups.*
gkebackup.volumeRestores.*
resourcemanager.projects.get
resourcemanager.projects.list
Permissions
(roles/)
Administrator of Bare Metal Solution resources
baremetalsolution.
baremetalsolution.instances.*
baremetalsolution.luns.*
baremetalsolution.
baremetalsolution.
baremetalsolution.networks.*
baremetalsolution.nfsshares.*
baremetalsolution.
baremetalsolution.
baremetalsolution.pods.list
baremetalsolution.
baremetalsolution.
baremetalsolution.skus.list
baremetalsolution.
baremetalsolution.sshKeys.*
baremetalsolution.
baremetalsolution.
baremetalsolution.volumes.*
baremetalsolution.
resourcemanager.projects.get
resourcemanager.projects.list
(roles/)
Editor of Bare Metal Solution resources
baremetalsolution.
baremetalsolution.instances.*
baremetalsolution.luns.*
baremetalsolution.
baremetalsolution.
baremetalsolution.networks.*
baremetalsolution.nfsshares.*
baremetalsolution.
baremetalsolution.
baremetalsolution.pods.list
baremetalsolution.
baremetalsolution.
baremetalsolution.skus.list
baremetalsolution.
baremetalsolution.sshKeys.*
baremetalsolution.
baremetalsolution.
baremetalsolution.volumes.*
baremetalsolution.
resourcemanager.projects.get
resourcemanager.projects.list
(roles/)
Admin of Bare Metal Solution Instance resources
baremetalsolution.instances.*
baremetalsolution.
baremetalsolution.
baremetalsolution.pods.list
resourcemanager.projects.get
resourcemanager.projects.list
(roles/)
Viewer of Bare Metal Solution Instance resources
baremetalsolution.
baremetalsolution.
baremetalsolution.
baremetalsolution.
resourcemanager.projects.get
resourcemanager.projects.list
(roles/)
Administrator of Bare Metal Solution Lun resources
baremetalsolution.luns.get
baremetalsolution.luns.list
baremetalsolution.
(roles/)
Viewer of Bare Metal Solution Lun resources
baremetalsolution.luns.get
baremetalsolution.luns.list
baremetalsolution.
Maintenance Events Admin
(roles/)
Administrator of Bare Metal Solution maintenance events resources
baremetalsolution.
Maintenance Events Editor
(roles/)
Editor of Bare Metal Solution maintenance events resources
baremetalsolution.
Maintenance Events Viewer
(roles/)
Viewer of Bare Metal Solution maintenance events resources
baremetalsolution.
baremetalsolution.
(roles/)
Admin of Bare Metal Solution networks resources
baremetalsolution.
baremetalsolution.networks.*
baremetalsolution.
baremetalsolution.pods.list
(roles/)
Administrator of Bare Metal Solution NFS Share resources
baremetalsolution.nfsshares.*
baremetalsolution.
baremetalsolution.pods.list
(roles/)
Editor of Bare Metal Solution NFS Share resources
baremetalsolution.nfsshares.*
baremetalsolution.
baremetalsolution.pods.list
(roles/)
Viewer of Bare Metal Solution NFS Share resources
baremetalsolution.
baremetalsolution.
baremetalsolution.
(roles/)
Viewer of Bare Metal Solution OS images resources
baremetalsolution.
(roles/)
Administrator of Bare Metal Solution Procurements
baremetalsolution.pods.list
baremetalsolution.
baremetalsolution.skus.list
(roles/)
Editor of Bare Metal Solution Procurements
baremetalsolution.pods.list
baremetalsolution.
baremetalsolution.skus.list
(roles/)
Viewer of Bare Metal Solution Procurements
baremetalsolution.
baremetalsolution.
baremetalsolution.skus.list
(roles/)
Administrator of Bare Metal Solution storage resources
baremetalsolution.luns.*
baremetalsolution.nfsshares.*
baremetalsolution.
baremetalsolution.pods.list
baremetalsolution.
baremetalsolution.
baremetalsolution.
baremetalsolution.volumes.*
baremetalsolution.
resourcemanager.projects.get
resourcemanager.projects.list
(roles/)
Viewer of Bare Metal Solution resources
baremetalsolution.
baremetalsolution.
baremetalsolution.
baremetalsolution.luns.get
baremetalsolution.luns.list
baremetalsolution.
baremetalsolution.
baremetalsolution.
baremetalsolution.networks.get
baremetalsolution.
baremetalsolution.
baremetalsolution.
baremetalsolution.
baremetalsolution.
baremetalsolution.pods.list
baremetalsolution.
baremetalsolution.
baremetalsolution.skus.list
baremetalsolution.
baremetalsolution.
baremetalsolution.sshKeys.list
baremetalsolution.
baremetalsolution.
baremetalsolution.volumes.get
baremetalsolution.volumes.list
baremetalsolution.
baremetalsolution.
resourcemanager.projects.get
resourcemanager.projects.list
(roles/)
Administrator of Bare Metal Solution volume resources
baremetalsolution.
baremetalsolution.pods.list
baremetalsolution.volumes.*
(roles/)
Editor of Bare Metal Solution volumes resources
baremetalsolution.
baremetalsolution.pods.list
baremetalsolution.
baremetalsolution.
baremetalsolution.
baremetalsolution.volumes.get
baremetalsolution.volumes.list
baremetalsolution.
baremetalsolution.
baremetalsolution.
(roles/)
Administrator of Bare Metal Solution snapshots resources
baremetalsolution.
baremetalsolution.
(roles/)
Editor of Bare Metal Solution snapshots resources
baremetalsolution.
baremetalsolution.
baremetalsolution.
baremetalsolution.
baremetalsolution.
(roles/)
Viewer of Bare Metal Solution snapshots resources
baremetalsolution.
baremetalsolution.
baremetalsolution.
(roles/)
Viewer of Bare Metal Solution volumes resources
baremetalsolution.
baremetalsolution.volumes.get
baremetalsolution.volumes.list
BeyondCorp roles
Permissions
Cloud BeyondCorp Admin
Beta
(roles/)
Full access to all Cloud BeyondCorp resources.
beyondcorp.appConnections.*
beyondcorp.appConnectors.*
beyondcorp.appGateways.*
beyondcorp.
beyondcorp.
beyondcorp.
beyondcorp.
beyondcorp.
beyondcorp.
beyondcorp.
beyondcorp.clientGateways.*
beyondcorp.locations.*
beyondcorp.operations.*
beyondcorp.subscriptions.*
resourcemanager.projects.get
resourcemanager.projects.list
Cloud BeyondCorp Client Connector Admin
Beta
(roles/)
Full access to all BeyondCorp Client Connector resources.
beyondcorp.
beyondcorp.
beyondcorp.
beyondcorp.
beyondcorp.
beyondcorp.
beyondcorp.
beyondcorp.clientGateways.*
resourcemanager.projects.get
resourcemanager.projects.list
Cloud BeyondCorp Client Connector Service User
Beta
(roles/)
Access Client Connector Service
beyondcorp.
Cloud BeyondCorp Client Connector Viewer
Beta
(roles/)
Read-only access to all BeyondCorp Client Connector resources.
beyondcorp.
beyondcorp.
beyondcorp.
beyondcorp.clientGateways.get
beyondcorp.
beyondcorp.clientGateways.list
resourcemanager.projects.get
resourcemanager.projects.list
Cloud BeyondCorp Partner Service Delegate Admin
Beta
(roles/)
Delegates access to all BeyondCorp partner service resources to a BeyondCorp Enterprise partner.
beyondcorp.operations.*
beyondcorp.partnerTenants.*
beyondcorp.proxyConfigs.*
resourcemanager.
Cloud BeyondCorp Partner Service Delegate Viewer
Beta
(roles/)
Delegates read-only access to all BeyondCorp partner service resources to a BeyondCorp Enterprise partner.
beyondcorp.partnerTenants.get
beyondcorp.partnerTenants.list
beyondcorp.proxyConfigs.get
beyondcorp.proxyConfigs.list
resourcemanager.
Cloud BeyondCorp Subscription Admin
Beta
(roles/)
Full access to all BeyondCorp Subscription resources.
beyondcorp.subscriptions.*
resourcemanager.
Cloud BeyondCorp Subscription Viewer
Beta
(roles/)
Read-only access to all BeyondCorp Subscription resources.
beyondcorp.subscriptions.get
beyondcorp.subscriptions.list
resourcemanager.
Cloud BeyondCorp Viewer
Beta
(roles/)
Read-only access to all Cloud BeyondCorp resources.
beyondcorp.appConnections.get
beyondcorp.
beyondcorp.appConnections.list
beyondcorp.appConnectors.get
beyondcorp.
beyondcorp.appConnectors.list
beyondcorp.appGateways.get
beyondcorp.
beyondcorp.appGateways.list
beyondcorp.
beyondcorp.
beyondcorp.
beyondcorp.clientGateways.get
beyondcorp.
beyondcorp.clientGateways.list
beyondcorp.locations.*
beyondcorp.operations.get
beyondcorp.operations.list
beyondcorp.subscriptions.get
beyondcorp.subscriptions.list
resourcemanager.
resourcemanager.projects.get
resourcemanager.projects.list
BigQuery roles
Permissions
BigQuery Admin
(roles/)
Provides permissions to manage all resources within the project. Can manage
all data within the project, and can cancel jobs from other users running
within the project.
Lowest-level resources where you can grant this role:
Datasets
Row access policies
Tables
Views
bigquery.bireservations.*
bigquery.capacityCommitments.*
bigquery.config.*
bigquery.connections.*
bigquery.dataPolicies.create
bigquery.dataPolicies.delete
bigquery.dataPolicies.get
bigquery.
bigquery.dataPolicies.list
bigquery.
bigquery.dataPolicies.update
bigquery.datasets.*
bigquery.jobs.*
bigquery.models.*
bigquery.objectRefs.*
bigquery.readsessions.*
bigquery.
bigquery.reservations.*
bigquery.routines.*
bigquery.
bigquery.
bigquery.rowAccessPolicies.get
bigquery.
bigquery.
bigquery.
bigquery.
bigquery.
bigquery.savedqueries.*
bigquery.tables.*
bigquery.transfers.*
bigquerymigration.
cloudkms.keyHandles.*
cloudkms.operations.get
cloudkms.
dataform.*
dataplex.projects.search
resourcemanager.projects.get
resourcemanager.projects.list
BigQuery Connection Admin
(roles/)
bigquery.connections.*
BigQuery Connection User
(roles/)
bigquery.connections.get
bigquery.
bigquery.connections.list
bigquery.connections.use
BigQuery Data Editor
(roles/)
When applied to a table or view, this role provides permissions to:
Read and update data and metadata for the table or view.
Delete the table or view.
This role cannot be applied to individual models or routines.
When applied to a dataset, this role provides permissions to:
Read the dataset's metadata and list tables in the dataset.
Create, update, get, and delete the dataset's tables.
When applied at the project or organization level, this role can also
create new datasets.
Lowest-level resources where you can grant this role:
bigquery.config.get
bigquery.datasets.create
bigquery.datasets.get
bigquery.datasets.getIamPolicy
bigquery.datasets.updateTag
bigquery.models.*
bigquery.routines.*
bigquery.tables.create
bigquery.tables.createIndex
bigquery.tables.createSnapshot
bigquery.tables.delete
bigquery.tables.deleteIndex
bigquery.tables.export
bigquery.tables.get
bigquery.tables.getData
bigquery.tables.getIamPolicy
bigquery.tables.list
bigquery.tables.replicateData
bigquery.
bigquery.tables.update
bigquery.tables.updateData
bigquery.tables.updateIndex
bigquery.tables.updateTag
cloudkms.keyHandles.*
cloudkms.operations.get
cloudkms.
resourcemanager.projects.get
resourcemanager.projects.list
BigQuery Data Owner
(roles/)
When applied to a table or view, this role provides permissions to:
Read and update data and metadata for the table or view.
Share the table or view.
Delete the table or view.
This role cannot be applied to individual models or routines.
When applied to a dataset, this role provides permissions to:
Read, update, and delete the dataset.
Create, update, get, and delete the dataset's tables.
When applied at the project or organization level, this role can also
create new datasets.
Lowest-level resources where you can grant this role:
bigquery.config.get
bigquery.dataPolicies.create
bigquery.dataPolicies.delete
bigquery.dataPolicies.get
bigquery.
bigquery.dataPolicies.list
bigquery.
bigquery.dataPolicies.update
bigquery.datasets.*
bigquery.models.*
bigquery.routines.*
bigquery.
bigquery.
bigquery.rowAccessPolicies.get
bigquery.
bigquery.
bigquery.
bigquery.
bigquery.tables.*
cloudkms.keyHandles.*
cloudkms.operations.get
cloudkms.
resourcemanager.projects.get
resourcemanager.projects.list
BigQuery Data Viewer
(roles/)
When applied to a table or view, this role provides permissions to:
Read data and metadata from the table or view.
This role cannot be applied to individual models or routines.
When applied to a dataset, this role provides permissions to list all of the resources in the
dataset (such as tables, views, snapshots, models, and routines) and to read their data and metadata
with applicable APIs and in queries.
When applied at the project or organization level, this role can also
enumerate all datasets in the project. Additional roles, however, are
necessary to allow the running of jobs.
Lowest-level resources where you can grant this role:
bigquery.datasets.get
bigquery.datasets.getIamPolicy
bigquery.models.export
bigquery.models.getData
bigquery.models.getMetadata
bigquery.models.list
bigquery.routines.get
bigquery.routines.list
bigquery.tables.createSnapshot
bigquery.tables.export
bigquery.tables.get
bigquery.tables.getData
bigquery.tables.getIamPolicy
bigquery.tables.list
bigquery.tables.replicateData
resourcemanager.projects.get
resourcemanager.projects.list
BigQuery Filtered Data Viewer
(roles/)
Access to view filtered table data defined by a row access policy
bigquery.
BigQuery Job User
(roles/)
Provides permissions to run jobs, including queries, within the project.
Lowest-level resources where you can grant this role:
bigquery.config.get
bigquery.jobs.create
dataform.locations.*
dataform.repositories.create
dataform.repositories.list
resourcemanager.projects.get
resourcemanager.projects.list
(roles/)
When applied to a table or view, this role provides permissions to:
Read metadata from the table or view.
This role cannot be applied to individual models or routines.
When applied to a dataset, this role provides permissions to:
List tables and views in the dataset.
Read metadata from the dataset's tables and views.
When applied at the project or organization level, this role provides permissions to:
List all datasets and read metadata for all datasets in the project.
List all tables and views and read metadata for all tables and views
in the project.
Additional roles are necessary to allow the running of jobs.
Lowest-level resources where you can grant this role:
bigquery.datasets.get
bigquery.datasets.getIamPolicy
bigquery.models.getMetadata
bigquery.models.list
bigquery.routines.get
bigquery.routines.list
bigquery.tables.get
bigquery.tables.getIamPolicy
bigquery.tables.list
dataplex.projects.search
resourcemanager.projects.get
resourcemanager.projects.list
BigQuery ObjectRef Admin
(roles/)
Administer ObjectRef resources that includes read and write permissions
bigquery.objectRefs.*
BigQuery ObjectRef Reader
(roles/)
Role for reading referenced objects via ObjectRefs in BigQuery
bigquery.objectRefs.read
BigQuery Read Session User
(roles/)
Provides the ability to create and use read sessions.
Lowest-level resources where you can grant this role:
bigquery.readsessions.*
resourcemanager.projects.get
resourcemanager.projects.list
BigQuery Resource Admin
(roles/)
Administers BigQuery workloads, including slot assignments, commitments, and reservations.
bigquery.bireservations.*
bigquery.capacityCommitments.*
bigquery.jobs.get
bigquery.jobs.list
bigquery.jobs.listAll
bigquery.
bigquery.
bigquery.reservations.*
recommender.
recommender.
resourcemanager.projects.get
resourcemanager.projects.list
BigQuery Resource Editor
(roles/)
Manages BigQuery workloads, but is unable to create or modify slot commitments.
bigquery.bireservations.get
bigquery.
bigquery.
bigquery.jobs.get
bigquery.jobs.list
bigquery.jobs.listAll
bigquery.
bigquery.
bigquery.reservations.*
resourcemanager.projects.get
resourcemanager.projects.list
BigQuery Resource Viewer
(roles/)
Can view BigQuery workloads, but cannot create or modify slot reservations or commitments.
bigquery.bireservations.get
bigquery.
bigquery.
bigquery.jobs.get
bigquery.jobs.list
bigquery.jobs.listAll
bigquery.
bigquery.
bigquery.
bigquery.reservations.get
bigquery.reservations.list
bigquery.
resourcemanager.projects.get
resourcemanager.projects.list
BigQuery Studio Admin
(roles/)
Combination role of BigQuery Admin, Dataform Admin, Notebook Runtime Admin and Dataproc Serverless Editor.
aiplatform.
aiplatform.notebookRuntimes.*
aiplatform.operations.list
bigquery.bireservations.*
bigquery.capacityCommitments.*
bigquery.config.*
bigquery.connections.*
bigquery.dataPolicies.create
bigquery.dataPolicies.delete
bigquery.dataPolicies.get
bigquery.
bigquery.dataPolicies.list
bigquery.
bigquery.dataPolicies.update
bigquery.datasets.*
bigquery.jobs.*
bigquery.models.*
bigquery.objectRefs.*
bigquery.readsessions.*
bigquery.
bigquery.reservations.*
bigquery.routines.*
bigquery.
bigquery.
bigquery.rowAccessPolicies.get
bigquery.
bigquery.
bigquery.
bigquery.
bigquery.
bigquery.savedqueries.*
bigquery.tables.*
bigquery.transfers.*
bigquerymigration.
cloudkms.keyHandles.*
cloudkms.operations.get
cloudkms.
compute.projects.get
compute.regions.*
compute.reservations.get
compute.reservations.list
compute.zones.*
dataform.*
dataplex.projects.search
dataproc.batches.*
dataproc.operations.cancel
dataproc.operations.delete
dataproc.operations.get
dataproc.operations.list
dataproc.sessionTemplates.*
dataproc.sessions.*
dataprocrm.nodePools.*
dataprocrm.nodes.get
dataprocrm.nodes.heartbeat
dataprocrm.nodes.list
dataprocrm.nodes.update
dataprocrm.operations.get
dataprocrm.operations.list
dataprocrm.workloads.*
resourcemanager.projects.get
resourcemanager.projects.list
BigQuery Studio User
(roles/)
Combination role of BigQuery Job User, BigQuery Read Session User, Dataform Code Creator, Notebook Runtime User and Dataproc Serverless Editor.
aiplatform.
aiplatform.
aiplatform.
aiplatform.
aiplatform.
aiplatform.
aiplatform.
aiplatform.operations.list
bigquery.config.get
bigquery.jobs.create
bigquery.readsessions.*
compute.projects.get
compute.regions.*
compute.zones.*
dataform.commentThreads.get
dataform.commentThreads.list
dataform.comments.get
dataform.comments.list
dataform.locations.*
dataform.repositories.create
dataform.repositories.list
dataplex.projects.search
dataproc.batches.*
dataproc.operations.cancel
dataproc.operations.delete
dataproc.operations.get
dataproc.operations.list
dataproc.sessionTemplates.*
dataproc.sessions.*
dataprocrm.nodePools.*
dataprocrm.nodes.get
dataprocrm.nodes.heartbeat
dataprocrm.nodes.list
dataprocrm.nodes.update
dataprocrm.operations.get
dataprocrm.operations.list
dataprocrm.workloads.*
resourcemanager.projects.get
resourcemanager.projects.list
BigQuery User
(roles/)
When applied to a dataset, this role provides the ability to read the dataset's metadata and list
tables in the dataset.
When applied to a project, this role also provides the ability to run jobs, including queries,
within the project. A principal with this role can enumerate their own jobs, cancel their own jobs, and
enumerate datasets within a project. Additionally, allows the creation of new datasets within the
project; the creator is granted the BigQuery Data Owner role (roles/bigquery.dataOwner)
on these new datasets.
Lowest-level resources where you can grant this role:
bigquery.bireservations.get
bigquery.
bigquery.
bigquery.config.get
bigquery.datasets.create
bigquery.datasets.get
bigquery.datasets.getIamPolicy
bigquery.jobs.create
bigquery.jobs.list
bigquery.models.list
bigquery.readsessions.*
bigquery.
bigquery.
bigquery.reservations.get
bigquery.reservations.list
bigquery.
bigquery.reservations.use
bigquery.routines.list
bigquery.savedqueries.get
bigquery.savedqueries.list
bigquery.tables.list
bigquery.transfers.get
bigquerymigration.
cloudkms.keyHandles.*
cloudkms.operations.get
cloudkms.
dataform.locations.*
dataform.repositories.create
dataform.repositories.list
dataplex.projects.search
resourcemanager.projects.get
resourcemanager.projects.list
BigQuery Data Policy Admin
(roles/)
Role for managing Data Policies in BigQuery
bigquery.dataPolicies.create
bigquery.dataPolicies.delete
bigquery.dataPolicies.get
bigquery.
bigquery.dataPolicies.list
bigquery.
bigquery.dataPolicies.update
Masked Reader
(roles/)
Masked read access to sub-resources tagged by the policy tag associated with a data policy, for example, BigQuery columns
bigquery.
Raw Data Reader
Beta
(roles/)
Raw read access to sub-resources associated with a data policy, for example, BigQuery columns
bigquery.
BigQuery Data Policy Viewer
(roles/)
Role for viewing Data Policies in BigQuery
bigquery.dataPolicies.get
bigquery.dataPolicies.list
Billing roles
Permissions
Billing Account Administrator
(roles/)
Provides access to see and manage all aspects of billing accounts.
Lowest-level resources where you can grant this role:
billing.accounts.close
billing.accounts.get
billing.
billing.accounts.getIamPolicy
billing.
billing.accounts.getPricing
billing.
billing.
billing.accounts.list
billing.accounts.move
billing.
billing.
billing.accounts.reopen
billing.accounts.setIamPolicy
billing.accounts.update
billing.
billing.
billing.anomalies.*
billing.anomaliesConfigs.*
billing.
billing.
billing.
billing.
billing.
billing.billingAccountSkus.*
billing.budgets.*
billing.credits.list
billing.
billing.
billing.resourceAssociations.*
billing.subscriptions.*
cloudasset.
cloudnotifications.
cloudsupport.properties.get
cloudsupport.techCases.*
commerceoffercatalog.*
compute.commitments.*
consumerprocurement.accounts.*
consumerprocurement.
consumerprocurement.
consumerprocurement.
consumerprocurement.
consumerprocurement.events.*
consumerprocurement.
consumerprocurement.
consumerprocurement.orders.*
dataprocessing.datasources.get
dataprocessing.
dataprocessing.
dataprocessing.
logging.logEntries.list
logging.logServiceIndexes.list
logging.logServices.list
logging.logs.list
logging.privateLogEntries.list
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.costInsights.*
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
resourcemanager.
resourcemanager.
resourcemanager.projects.get
resourcemanager.projects.list
Billing Account Costs Manager
(roles/)
Manage budgets for a billing account, and view, analyze, and export cost information of a billing
account.
Lowest-level resources where you can grant this role:
billing.accounts.get
billing.accounts.getIamPolicy
billing.
billing.
billing.accounts.list
billing.
billing.anomalies.get
billing.anomalies.list
billing.anomaliesConfigs.*
billing.budgets.*
billing.
recommender.costInsights.*
Billing Account Creator
(roles/)
Provides access to create billing accounts.
Lowest-level resources where you can grant this role:
billing.accounts.create
resourcemanager.
Project Billing Costs Manager
(roles/)
When granted in conjunction with
cost view permissions on projects , provides access to billing
information scoped to the projects to which the user has cost access.
Lowest-level resources where you can grant this role:
billing.accounts.getIamPolicy
billing.
billing.
Project Billing Manager
(roles/)
When granted in conjunction with the Billing Account User role, provides access to assign a
project's billing account or disable its billing.
Lowest-level resources where you can grant this role:
resourcemanager.
resourcemanager.
Billing Account User
(roles/)
When granted in conjunction with the Project Owner role or Project Billing Manager role, provides
access to associate projects with billing accounts.
Lowest-level resources where you can grant this role:
billing.accounts.get
billing.accounts.getIamPolicy
billing.accounts.list
billing.
billing.credits.list
billing.
Billing Account Viewer
(roles/)
View billing account cost and pricing information, transactions, and billing and commitment
recommendations.
Lowest-level resources where you can grant this role:
billing.accounts.get
billing.
billing.accounts.getIamPolicy
billing.
billing.accounts.getPricing
billing.
billing.
billing.accounts.list
billing.anomalies.get
billing.anomalies.list
billing.anomaliesConfigs.get
billing.
billing.
billing.
billing.
billing.
billing.billingAccountSkus.*
billing.budgets.get
billing.budgets.list
billing.credits.list
billing.
billing.
billing.
billing.subscriptions.get
billing.subscriptions.list
commerceoffercatalog.*
consumerprocurement.
consumerprocurement.
consumerprocurement.
consumerprocurement.
consumerprocurement.
consumerprocurement.
consumerprocurement.orders.get
consumerprocurement.
dataprocessing.datasources.get
dataprocessing.
dataprocessing.
dataprocessing.
recommender.
recommender.
recommender.costInsights.get
recommender.costInsights.list
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
Binary Authorization roles
Permissions
Binary Authorization Attestor Admin
(roles/)
Administrator of Binary Authorization Attestors
binaryauthorization.
resourcemanager.projects.get
resourcemanager.projects.list
Binary Authorization Attestor Editor
(roles/)
Editor of Binary Authorization Attestors
binaryauthorization.
binaryauthorization.
binaryauthorization.
binaryauthorization.
binaryauthorization.
binaryauthorization.
resourcemanager.projects.get
resourcemanager.projects.list
Binary Authorization Attestor Image Verifier
(roles/)
Caller of Binary Authorization Attestors VerifyImageAttested
binaryauthorization.
binaryauthorization.
binaryauthorization.
resourcemanager.projects.get
resourcemanager.projects.list
Binary Authorization Attestor Viewer
(roles/)
Viewer of Binary Authorization Attestors
binaryauthorization.
binaryauthorization.
resourcemanager.projects.get
resourcemanager.projects.list
Binary Authorization Policy Administrator
(roles/)
Administrator of Binary Authorization Policy
binaryauthorization.
binaryauthorization.
binaryauthorization.policy.*
resourcemanager.projects.get
resourcemanager.projects.list
Binary Authorization Policy Editor
(roles/)
Editor of Binary Authorization Policy
binaryauthorization.
binaryauthorization.
binaryauthorization.
binaryauthorization.
binaryauthorization.policy.get
binaryauthorization.
resourcemanager.projects.get
resourcemanager.projects.list
Binary Authorization Policy Evaluator
(roles/)
Evaluator of Binary Authorization Policy
binaryauthorization.
binaryauthorization.
binaryauthorization.
binaryauthorization.
binaryauthorization.policy.get
resourcemanager.projects.get
resourcemanager.projects.list
Binary Authorization Policy Viewer
(roles/)
Viewer of Binary Authorization Policy
binaryauthorization.
binaryauthorization.
binaryauthorization.
binaryauthorization.policy.get
resourcemanager.projects.get
resourcemanager.projects.list
CA Service roles
Permissions
CA Service Admin
(roles/)
Full access to all CA Service resources.
privateca.*
resourcemanager.projects.get
resourcemanager.projects.list
storage.buckets.create
CA Service Auditor
(roles/)
Read-only access to all CA Service resources.
privateca.caPools.get
privateca.caPools.getIamPolicy
privateca.caPools.list
privateca.
privateca.
privateca.
privateca.
privateca.
privateca.
privateca.
privateca.
privateca.
privateca.certificates.get
privateca.
privateca.certificates.list
privateca.locations.*
privateca.operations.get
privateca.operations.list
privateca.reusableConfigs.get
privateca.
privateca.reusableConfigs.list
resourcemanager.projects.get
resourcemanager.projects.list
CA Service Operation Manager
(roles/)
Create and manage CAs, revoke certificates, create certificates templates, and read-only access for CA Service resources.
privateca.caPools.create
privateca.
privateca.caPools.delete
privateca.
privateca.caPools.get
privateca.caPools.getIamPolicy
privateca.caPools.list
privateca.
privateca.
privateca.caPools.update
privateca.
privateca.
privateca.
privateca.
privateca.
privateca.
privateca.
privateca.
privateca.
privateca.
privateca.
privateca.
privateca.
privateca.
privateca.
privateca.
privateca.
privateca.
privateca.
privateca.
privateca.certificates.get
privateca.
privateca.certificates.list
privateca.certificates.update
privateca.locations.*
privateca.operations.get
privateca.operations.list
privateca.
privateca.
privateca.reusableConfigs.get
privateca.
privateca.reusableConfigs.list
privateca.
resourcemanager.projects.get
resourcemanager.projects.list
storage.buckets.create
CA Service Certificate Manager
(roles/)
Create certificates and read-only access for CA Service resources.
privateca.caPools.get
privateca.caPools.getIamPolicy
privateca.caPools.list
privateca.
privateca.
privateca.
privateca.
privateca.
privateca.
privateca.
privateca.
privateca.
privateca.
privateca.
privateca.
privateca.
privateca.certificates.create
privateca.certificates.get
privateca.
privateca.certificates.list
privateca.locations.*
privateca.operations.get
privateca.operations.list
privateca.reusableConfigs.get
privateca.
privateca.reusableConfigs.list
resourcemanager.projects.get
resourcemanager.projects.list
CA Service Certificate Requester
(roles/)
Request certificates from CA Service.
privateca.certificates.create
CA Service Pool Reader
(roles/)
Read CA Pools in CA Service.
privateca.caPools.get
CA Service Certificate Template User
(roles/)
Read, list and use certificate templates.
privateca.
privateca.
privateca.
CA Service Workload Certificate Requester
(roles/)
Request certificates from CA Service with caller's identity.
privateca.
Certificate Manager roles
Permissions
Certificate Manager Editor
(roles/)
Edit access to Certificate Manager all resources.
certificatemanager.
certificatemanager.
certificatemanager.
certificatemanager.
certificatemanager.
certificatemanager.
certificatemanager.
certificatemanager.
certificatemanager.
certificatemanager.
certificatemanager.
certificatemanager.
certificatemanager.
certificatemanager.
certificatemanager.
certificatemanager.
certificatemanager.
certificatemanager.
certificatemanager.
certificatemanager.
certificatemanager.
certificatemanager.
certificatemanager.
certificatemanager.
certificatemanager.
certificatemanager.
certificatemanager.
certificatemanager.
certificatemanager.
certificatemanager.certs.get
certificatemanager.certs.list
certificatemanager.
certificatemanager.
certificatemanager.
certificatemanager.certs.use
certificatemanager.
certificatemanager.
certificatemanager.
certificatemanager.
certificatemanager.
certificatemanager.
certificatemanager.
certificatemanager.
certificatemanager.
certificatemanager.locations.*
certificatemanager.
certificatemanager.
certificatemanager.
certificatemanager.
certificatemanager.
certificatemanager.
certificatemanager.
certificatemanager.
certificatemanager.
certificatemanager.
certificatemanager.
resourcemanager.projects.get
resourcemanager.projects.list
Certificate Manager Owner
(roles/)
Full access to Certificate Manager all resources.
certificatemanager.*
resourcemanager.projects.get
resourcemanager.projects.list
Certificate Manager Viewer
(roles/)
Read-only access to Certificate Manager all resources.
certificatemanager.
certificatemanager.
certificatemanager.
certificatemanager.
certificatemanager.
certificatemanager.
certificatemanager.
certificatemanager.
certificatemanager.
certificatemanager.
certificatemanager.
certificatemanager.
certificatemanager.certs.get
certificatemanager.certs.list
certificatemanager.
certificatemanager.
certificatemanager.
certificatemanager.
certificatemanager.
certificatemanager.
certificatemanager.locations.*
certificatemanager.
certificatemanager.
certificatemanager.
certificatemanager.
certificatemanager.
certificatemanager.
resourcemanager.projects.get
resourcemanager.projects.list
Chat roles
Permissions
Chat Apps Owner
(roles/)
Can view and modify app configurations
chat.*
Chat Apps Viewer
(roles/)
Can view app configurations
chat.bots.get
Chronicle API roles
Permissions
Chronicle API Admin
(roles/)
Full access to the Chronicle API services, including global settings.
chronicle.ais.*
chronicle.analyticValues.list
chronicle.analytics.list
chronicle.
chronicle.bigQueryExport.*
chronicle.
chronicle.collectors.*
chronicle.conversations.*
chronicle.
chronicle.
chronicle.curatedRuleSets.*
chronicle.curatedRules.*
chronicle.dashboardCharts.*
chronicle.dashboardQueries.*
chronicle.dashboards.*
chronicle.dataAccessLabels.*
chronicle.dataAccessScopes.*
chronicle.dataExports.*
chronicle.
chronicle.dataTableRows.*
chronicle.dataTables.*
chronicle.dataTaps.*
chronicle.enrichmentControls.*
chronicle.entities.*
chronicle.
chronicle.
chronicle.events.*
chronicle.
chronicle.
chronicle.
chronicle.feeds.*
chronicle.findingsGraphs.*
chronicle.
chronicle.
chronicle.forwarders.*
chronicle.
chronicle.ingestionLogLabels.*
chronicle.
chronicle.
chronicle.
chronicle.
chronicle.instances.get
chronicle.
chronicle.
chronicle.instances.report
chronicle.
chronicle.iocMatches.*
chronicle.iocState.*
chronicle.iocs.*
chronicle.legacies.*
chronicle.logTypeSchemas.list
chronicle.logTypes.list
chronicle.logs.*
chronicle.messages.*
chronicle.
chronicle.nativeDashboards.*
chronicle.operations.*
chronicle.parserExtensions.*
chronicle.parsers.*
chronicle.parsingErrors.list
chronicle.preferenceSets.*
chronicle.referenceLists.*
chronicle.retrohunts.*
chronicle.riskConfigs.*
chronicle.ruleDeployments.*
chronicle.
chronicle.rules.*
chronicle.searchQueries.*
chronicle.
chronicle.
chronicle.watchlists.*
resourcemanager.projects.get
resourcemanager.projects.list
Chronicle API Data Governor
Beta
(roles/)
Grants elevated access to control the lifecycle of the Chronicle instance and its data.
chronicle.instances.delete
chronicle.instances.undelete
resourcemanager.projects.get
resourcemanager.projects.list
Chronicle API Editor
(roles/)
Modify Access to Chronicle API resources.
chronicle.ais.*
chronicle.analyticValues.list
chronicle.analytics.list
chronicle.bigQueryExport.get
chronicle.
chronicle.collectors.get
chronicle.collectors.list
chronicle.conversations.*
chronicle.
chronicle.
chronicle.curatedRuleSets.*
chronicle.curatedRules.*
chronicle.dashboardCharts.*
chronicle.dashboardQueries.*
chronicle.dashboards.*
chronicle.
chronicle.dataExports.*
chronicle.
chronicle.dataTableRows.*
chronicle.dataTables.*
chronicle.dataTaps.*
chronicle.
chronicle.
chronicle.entities.*
chronicle.
chronicle.
chronicle.
chronicle.events.*
chronicle.findingsGraphs.*
chronicle.
chronicle.
chronicle.forwarders.generate
chronicle.forwarders.get
chronicle.forwarders.list
chronicle.
chronicle.ingestionLogLabels.*
chronicle.
chronicle.
chronicle.
chronicle.instances.get
chronicle.
chronicle.instances.report
chronicle.iocMatches.*
chronicle.iocState.*
chronicle.iocs.*
chronicle.legacies.*
chronicle.logTypeSchemas.list
chronicle.logs.*
chronicle.messages.*
chronicle.
chronicle.nativeDashboards.*
chronicle.operations.*
chronicle.preferenceSets.*
chronicle.referenceLists.*
chronicle.retrohunts.*
chronicle.riskConfigs.*
chronicle.ruleDeployments.*
chronicle.
chronicle.rules.create
chronicle.rules.get
chronicle.rules.list
chronicle.rules.listRevisions
chronicle.rules.update
chronicle.rules.verifyRuleText
chronicle.searchQueries.*
chronicle.watchlists.*
resourcemanager.projects.get
resourcemanager.projects.list
Chronicle API Federation Admin
Beta
(roles/)
Full access to Chronicle Federation features.
chronicle.federationGroups.*
chronicle.
resourcemanager.projects.get
resourcemanager.projects.list
Chronicle API Federation Viewer
Beta
(roles/)
Readonly access to Chronicle Federation Features.
chronicle.federationGroups.get
chronicle.
chronicle.
resourcemanager.projects.get
resourcemanager.projects.list
Chronicle API Global Data Access
Beta
(roles/)
Grants global access to data i.e. all data can be accessed.
chronicle.
Chronicle API Limited Viewer
(roles/)
Grants read-only access to Chronicle API resources, excluding Rules and Retrohunts.
chronicle.analyticValues.list
chronicle.analytics.list
chronicle.
chronicle.conversations.get
chronicle.conversations.list
chronicle.dashboardCharts.*
chronicle.dashboardQueries.*
chronicle.dashboards.get
chronicle.dashboards.list
chronicle.dashboards.schedule
chronicle.
chronicle.entities.find
chronicle.
chronicle.entities.get
chronicle.
chronicle.
chronicle.entities.summarize
chronicle.
chronicle.
chronicle.
chronicle.
chronicle.events.batchGet
chronicle.
chronicle.events.get
chronicle.
chronicle.events.searchRawLogs
chronicle.events.udmSearch
chronicle.events.validateQuery
chronicle.findingsGraphs.*
chronicle.
chronicle.
chronicle.
chronicle.
chronicle.
chronicle.
chronicle.
chronicle.
chronicle.ingestionLogLabels.*
chronicle.
chronicle.instances.get
chronicle.
chronicle.
chronicle.
chronicle.
chronicle.
chronicle.
chronicle.
chronicle.
chronicle.
chronicle.
chronicle.
chronicle.
chronicle.
chronicle.
chronicle.
chronicle.
chronicle.
chronicle.
chronicle.
chronicle.
chronicle.
chronicle.logTypeSchemas.list
chronicle.logs.export
chronicle.logs.get
chronicle.logs.list
chronicle.messages.get
chronicle.messages.list
chronicle.
chronicle.nativeDashboards.get
chronicle.
chronicle.operations.get
chronicle.operations.list
chronicle.
chronicle.operations.wait
chronicle.preferenceSets.*
chronicle.searchQueries.*
resourcemanager.projects.get
resourcemanager.projects.list
Chronicle API Restricted Data Access
Beta
(roles/)
Grants access to data controlled by Data Access Scopes. Intended to be refined by IAM Conditions.
chronicle.
Chronicle API Restricted Data Access Viewer
Beta
(roles/)
Grants readonly access to Chronicle API resources without global data access scope.
chronicle.ais.*
chronicle.dashboardCharts.*
chronicle.dashboardQueries.*
chronicle.
chronicle.dataTableRows.get
chronicle.dataTableRows.list
chronicle.dataTables.get
chronicle.dataTables.list
chronicle.entities.find
chronicle.
chronicle.entities.get
chronicle.entities.list
chronicle.
chronicle.entities.summarize
chronicle.
chronicle.events.batchGet
chronicle.
chronicle.events.get
chronicle.
chronicle.events.searchRawLogs
chronicle.events.udmSearch
chronicle.events.validateQuery
chronicle.findingsGraphs.*
chronicle.
chronicle.
chronicle.instances.get
chronicle.instances.report
chronicle.
chronicle.
chronicle.
chronicle.
chronicle.
chronicle.
chronicle.
chronicle.
chronicle.
chronicle.
chronicle.
chronicle.
chronicle.
chronicle.
chronicle.
chronicle.
chronicle.
chronicle.
chronicle.
chronicle.
chronicle.
chronicle.
chronicle.
chronicle.
chronicle.
chronicle.
chronicle.logs.get
chronicle.logs.list
chronicle.
chronicle.nativeDashboards.get
chronicle.
chronicle.operations.get
chronicle.operations.list
chronicle.
chronicle.operations.wait
chronicle.preferenceSets.*
chronicle.referenceLists.get
chronicle.referenceLists.list
chronicle.
chronicle.retrohunts.get
chronicle.retrohunts.list
chronicle.ruleDeployments.get
chronicle.ruleDeployments.list
chronicle.
chronicle.rules.get
chronicle.rules.list
chronicle.rules.listRevisions
chronicle.rules.verifyRuleText
chronicle.searchQueries.*
resourcemanager.projects.get
resourcemanager.projects.list
Chronicle SOAR Admin
Beta
(roles/)
Grants admin access to Chronicle SOAR.
chronicle.
chronicle.instances.soarAdmin
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
resourcemanager.
resourcemanager.projects.get
resourcemanager.projects.list
securitycenter.
securitycenter.
securitycenter.
securitycenter.findings.group
securitycenter.findings.list
securitycenter.
securitycenter.
securitycenter.
securitycenter.findings.update
securitycenter.
securitycenter.simulations.get
securitycenter.
securitycenter.
Chronicle SOAR Threat Manager
Beta
(roles/)
Grants threat manager access to Chronicle SOAR.
chronicle.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
resourcemanager.
resourcemanager.projects.get
resourcemanager.projects.list
securitycenter.
securitycenter.
securitycenter.
securitycenter.findings.group
securitycenter.findings.list
securitycenter.
securitycenter.
securitycenter.
securitycenter.findings.update
securitycenter.
securitycenter.simulations.get
securitycenter.
securitycenter.
Chronicle SOAR Vulnerability Manager
Beta
(roles/)
Grants vulnerability manager access to Chronicle SOAR.
chronicle.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
resourcemanager.
resourcemanager.projects.get
resourcemanager.projects.list
securitycenter.
securitycenter.
securitycenter.
securitycenter.findings.group
securitycenter.findings.list
securitycenter.
securitycenter.
securitycenter.
securitycenter.findings.update
securitycenter.
securitycenter.simulations.get
securitycenter.
securitycenter.
Chronicle API Viewer
(roles/)
Read-only access to the Chronicle API resources.
chronicle.ais.*
chronicle.analyticValues.list
chronicle.analytics.list
chronicle.bigQueryExport.get
chronicle.
chronicle.collectors.get
chronicle.collectors.list
chronicle.conversations.get
chronicle.conversations.list
chronicle.
chronicle.
chronicle.
chronicle.curatedRuleSets.*
chronicle.curatedRules.*
chronicle.dashboardCharts.*
chronicle.dashboardQueries.*
chronicle.dashboards.get
chronicle.dashboards.list
chronicle.dashboards.schedule
chronicle.
chronicle.
chronicle.dataExports.get
chronicle.
chronicle.dataTableRows.get
chronicle.dataTableRows.list
chronicle.dataTables.get
chronicle.dataTables.list
chronicle.dataTaps.get
chronicle.dataTaps.list
chronicle.
chronicle.
chronicle.entities.find
chronicle.
chronicle.entities.get
chronicle.entities.list
chronicle.
chronicle.
chronicle.entities.summarize
chronicle.
chronicle.
chronicle.
chronicle.
chronicle.events.batchGet
chronicle.
chronicle.events.get
chronicle.
chronicle.events.searchRawLogs
chronicle.events.udmSearch
chronicle.events.validateQuery
chronicle.findingsGraphs.*
chronicle.
chronicle.
chronicle.
chronicle.
chronicle.
chronicle.
chronicle.
chronicle.forwarders.generate
chronicle.forwarders.get
chronicle.forwarders.list
chronicle.
chronicle.ingestionLogLabels.*
chronicle.
chronicle.
chronicle.
chronicle.instances.get
chronicle.
chronicle.instances.report
chronicle.iocMatches.*
chronicle.iocState.get
chronicle.iocs.*
chronicle.
chronicle.
chronicle.
chronicle.
chronicle.
chronicle.
chronicle.
chronicle.
chronicle.
chronicle.
chronicle.
chronicle.
chronicle.
chronicle.
chronicle.
chronicle.
chronicle.
chronicle.
chronicle.
chronicle.
chronicle.
chronicle.
chronicle.
chronicle.
chronicle.
chronicle.
chronicle.
chronicle.
chronicle.
chronicle.
chronicle.
chronicle.
chronicle.
chronicle.
chronicle.
chronicle.logTypeSchemas.list
chronicle.logs.export
chronicle.logs.get
chronicle.logs.list
chronicle.messages.get
chronicle.messages.list
chronicle.
chronicle.nativeDashboards.get
chronicle.
chronicle.operations.get
chronicle.operations.list
chronicle.
chronicle.operations.wait
chronicle.preferenceSets.*
chronicle.referenceLists.get
chronicle.referenceLists.list
chronicle.
chronicle.retrohunts.get
chronicle.retrohunts.list
chronicle.riskConfigs.get
chronicle.ruleDeployments.get
chronicle.ruleDeployments.list
chronicle.
chronicle.rules.get
chronicle.rules.list
chronicle.rules.listRevisions
chronicle.rules.verifyRuleText
chronicle.searchQueries.*
chronicle.watchlists.get
chronicle.watchlists.list
resourcemanager.projects.get
resourcemanager.projects.list
Cloud AlloyDB roles
Permissions
Cloud AlloyDB Admin
Beta
(roles/)
Full access to Cloud AlloyDB all resources.
alloydb.*
cloudaicompanion.
cloudkms.keyHandles.*
cloudkms.operations.get
cloudkms.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
resourcemanager.projects.get
resourcemanager.projects.list
Cloud AlloyDB Client
Beta
(roles/)
Connectivity access to Cloud AlloyDB instances.
alloydb.
alloydb.clusters.get
alloydb.instances.connect
alloydb.instances.get
resourcemanager.projects.get
resourcemanager.projects.list
Cloud AlloyDB Database User
Beta
(roles/)
Role allowing access to login as a database user.
alloydb.clusters.get
alloydb.instances.executeSql
alloydb.instances.get
alloydb.users.login
resourcemanager.projects.get
resourcemanager.projects.list
Cloud AlloyDB Viewer
Beta
(roles/)
Read-only access to Cloud AlloyDB all resources.
alloydb.backups.get
alloydb.backups.list
alloydb.
alloydb.
alloydb.clusters.export
alloydb.clusters.get
alloydb.clusters.list
alloydb.
alloydb.
alloydb.databases.list
alloydb.instances.get
alloydb.instances.list
alloydb.locations.*
alloydb.operations.get
alloydb.operations.list
alloydb.
alloydb.users.get
alloydb.users.list
cloudaicompanion.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
resourcemanager.projects.get
resourcemanager.projects.list
Cloud Asset roles
Permissions
Cloud Asset Owner
(roles/)
Full access to cloud assets metadata
cloudasset.
cloudasset.assets.analyzeMove
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.assets.exportIapWeb
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.assets.listIamRoles
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.assets.listIapWeb
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.assets.listResource
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.assets.listTpuNodes
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.feeds.*
cloudasset.
cloudasset.savedqueries.*
recommender.
recommender.locations.*
Cloud Asset Viewer
(roles/)
Read only access to cloud assets metadata
cloudasset.
cloudasset.assets.analyzeMove
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.assets.exportIapWeb
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.assets.listIamRoles
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.assets.listIapWeb
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.assets.listResource
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.assets.listTpuNodes
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
recommender.
recommender.
recommender.locations.*
Cloud Bigtable roles
Permissions
Bigtable Administrator
(roles/)
Administers all Bigtable instances within a project, including the data stored within
tables. Can create new instances. Intended for project administrators.
Lowest-level resources where you can grant this role:
bigtable.*
cloudkms.keyHandles.*
cloudkms.operations.get
cloudkms.
monitoring.
monitoring.
monitoring.timeSeries.*
resourcemanager.projects.get
Bigtable Reader
(roles/)
Provides read-only access to the data stored within Bigtable tables. Intended for
data scientists, dashboard generators, and other data-analysis scenarios.
Lowest-level resources where you can grant this role:
bigtable.appProfiles.get
bigtable.appProfiles.list
bigtable.authorizedViews.get
bigtable.authorizedViews.list
bigtable.
bigtable.
bigtable.backups.get
bigtable.backups.list
bigtable.clusters.get
bigtable.clusters.list
bigtable.hotTablets.list
bigtable.
bigtable.instances.get
bigtable.instances.list
bigtable.instances.ping
bigtable.keyvisualizer.*
bigtable.locations.list
bigtable.logicalViews.get
bigtable.logicalViews.list
bigtable.logicalViews.readRows
bigtable.materializedViews.get
bigtable.
bigtable.
bigtable.
bigtable.
bigtable.
bigtable.tables.get
bigtable.tables.list
bigtable.tables.readRows
bigtable.tables.sampleRowKeys
monitoring.
monitoring.
monitoring.timeSeries.*
resourcemanager.projects.get
Bigtable User
(roles/)
Provides read-write access to the data stored within Bigtable tables. Intended for
application developers or service accounts.
Lowest-level resources where you can grant this role:
bigtable.appProfiles.get
bigtable.appProfiles.list
bigtable.authorizedViews.get
bigtable.authorizedViews.list
bigtable.
bigtable.
bigtable.
bigtable.backups.get
bigtable.backups.list
bigtable.clusters.get
bigtable.clusters.list
bigtable.hotTablets.list
bigtable.
bigtable.instances.get
bigtable.instances.list
bigtable.instances.ping
bigtable.keyvisualizer.*
bigtable.locations.list
bigtable.logicalViews.get
bigtable.logicalViews.list
bigtable.logicalViews.readRows
bigtable.materializedViews.get
bigtable.
bigtable.
bigtable.
bigtable.
bigtable.
bigtable.tables.get
bigtable.tables.list
bigtable.tables.mutateRows
bigtable.tables.readRows
bigtable.tables.sampleRowKeys
monitoring.
monitoring.
monitoring.timeSeries.*
resourcemanager.projects.get
Bigtable Viewer
(roles/)
Provides no data access. Intended as a minimal set of permissions to access
the Google Cloud console for Bigtable.
Lowest-level resources where you can grant this role:
bigtable.appProfiles.get
bigtable.appProfiles.list
bigtable.authorizedViews.get
bigtable.authorizedViews.list
bigtable.backups.get
bigtable.backups.list
bigtable.clusters.get
bigtable.clusters.list
bigtable.hotTablets.list
bigtable.instances.get
bigtable.instances.list
bigtable.
bigtable.
bigtable.locations.list
bigtable.logicalViews.get
bigtable.logicalViews.list
bigtable.materializedViews.get
bigtable.
bigtable.
bigtable.
bigtable.tables.get
bigtable.tables.list
monitoring.
monitoring.
monitoring.timeSeries.list
resourcemanager.projects.get
Cloud Build roles
Permissions
Cloud Build Approver
(roles/)
Can approve or reject pending builds.
cloudbuild.builds.approve
cloudbuild.builds.get
cloudbuild.builds.list
cloudbuild.locations.*
cloudbuild.operations.*
remotebuildexecution.blobs.get
resourcemanager.projects.get
resourcemanager.projects.list
Cloud Build Service Account
(roles/)
Provides access to perform builds.
artifactregistry.
artifactregistry.
artifactregistry.
artifactregistry.
artifactregistry.
artifactregistry.
artifactregistry.files.get
artifactregistry.files.list
artifactregistry.files.update
artifactregistry.files.upload
artifactregistry.
artifactregistry.locations.*
artifactregistry.
artifactregistry.npmpackages.*
artifactregistry.packages.get
artifactregistry.packages.list
artifactregistry.
artifactregistry.
artifactregistry.
artifactregistry.
artifactregistry.
artifactregistry.
artifactregistry.
artifactregistry.
artifactregistry.
artifactregistry.
artifactregistry.
artifactregistry.
artifactregistry.rules.get
artifactregistry.rules.list
artifactregistry.tags.create
artifactregistry.tags.get
artifactregistry.tags.list
artifactregistry.tags.update
artifactregistry.versions.get
artifactregistry.versions.list
artifactregistry.
cloudbuild.builds.create
cloudbuild.builds.get
cloudbuild.builds.list
cloudbuild.builds.update
cloudbuild.locations.*
cloudbuild.operations.*
cloudbuild.workerpools.use
containeranalysis.
containeranalysis.
containeranalysis.
containeranalysis.
containeranalysis.
logging.logEntries.create
logging.logEntries.list
logging.views.access
pubsub.topics.create
pubsub.topics.publish
remotebuildexecution.blobs.get
resourcemanager.projects.get
resourcemanager.projects.list
source.repos.get
source.repos.list
storage.buckets.create
storage.buckets.get
storage.buckets.list
storage.objects.create
storage.objects.delete
storage.objects.get
storage.objects.list
storage.objects.update
Cloud Build Editor
(roles/)
Provides access to create and cancel builds.
Lowest-level resources where you can grant this role:
cloudbuild.builds.create
cloudbuild.builds.get
cloudbuild.builds.list
cloudbuild.builds.update
cloudbuild.locations.*
cloudbuild.operations.*
remotebuildexecution.blobs.get
resourcemanager.projects.get
resourcemanager.projects.list
Cloud Build Viewer
(roles/)
Provides access to view builds.
Lowest-level resources where you can grant this role:
cloudbuild.builds.get
cloudbuild.builds.list
cloudbuild.locations.*
cloudbuild.operations.*
remotebuildexecution.blobs.get
resourcemanager.projects.get
resourcemanager.projects.list
Cloud Build Connection Admin
(roles/)
Can manage connections and repositories.
cloudbuild.connections.*
cloudbuild.operations.*
cloudbuild.repositories.create
cloudbuild.repositories.delete
cloudbuild.
cloudbuild.repositories.get
cloudbuild.repositories.list
resourcemanager.projects.get
resourcemanager.projects.list
Cloud Build Connection Viewer
(roles/)
Can view and list connections and repositories.
cloudbuild.
cloudbuild.connections.get
cloudbuild.
cloudbuild.connections.list
cloudbuild.
cloudbuild.repositories.get
cloudbuild.repositories.list
resourcemanager.projects.get
resourcemanager.projects.list
Cloud Build Integrations Editor
(roles/)
Can update Integrations
cloudbuild.integrations.get
cloudbuild.integrations.list
cloudbuild.integrations.update
resourcemanager.projects.get
resourcemanager.projects.list
Cloud Build Integrations Owner
(roles/)
Can create/delete Integrations
cloudbuild.integrations.*
compute.firewalls.create
compute.firewalls.get
compute.firewalls.list
compute.networks.get
compute.networks.updatePolicy
compute.regions.get
compute.subnetworks.get
compute.subnetworks.list
resourcemanager.projects.get
resourcemanager.projects.list
Cloud Build Integrations Viewer
(roles/)
Can view Integrations
cloudbuild.integrations.get
cloudbuild.integrations.list
resourcemanager.projects.get
resourcemanager.projects.list
Cloud Build Read Only Token Accessor
(roles/)
Can view the connection and access its read-only token.
cloudbuild.connections.get
cloudbuild.
cloudbuild.repositories.get
Cloud Build Token Accessor
(roles/)
Can view the connection and access its read/write and read-only tokens.
cloudbuild.connections.get
cloudbuild.
cloudbuild.
cloudbuild.repositories.get
cloudbuild.repositories.list
Cloud Build WorkerPool Editor
(roles/)
Can update and view WorkerPools
cloudbuild.workerpools.get
cloudbuild.workerpools.list
cloudbuild.workerpools.update
resourcemanager.projects.get
resourcemanager.projects.list
Cloud Build WorkerPool Owner
(roles/)
Can create, delete, update, and view WorkerPools
cloudbuild.workerpools.create
cloudbuild.workerpools.delete
cloudbuild.workerpools.get
cloudbuild.workerpools.list
cloudbuild.workerpools.update
resourcemanager.projects.get
resourcemanager.projects.list
Cloud Build WorkerPool User
(roles/)
Can run builds in the WorkerPool
cloudbuild.workerpools.use
Cloud Build WorkerPool Viewer
(roles/)
Can view WorkerPools
cloudbuild.workerpools.get
cloudbuild.workerpools.list
resourcemanager.projects.get
resourcemanager.projects.list
Cloud Composer roles
Permissions
Cloud Composer v2 API Service Agent Extension
(roles/)
Cloud Composer v2 API Service Agent Extension is a supplementary role required to manage Composer v2 environments.
iam.
iam.
Composer Administrator
(roles/)
Provides full control of Cloud Composer resources.
Lowest-level resources where you can grant this role:
cloudkms.keyHandles.*
cloudkms.operations.get
cloudkms.
composer.*
serviceusage.quotas.get
serviceusage.services.get
serviceusage.services.list
Environment and Storage Object Administrator
(roles/)
Provides full control of Cloud Composer resources and of the objects in all project buckets.
Lowest-level resources where you can grant this role:
cloudkms.keyHandles.*
cloudkms.operations.get
cloudkms.
composer.*
orgpolicy.policy.get
resourcemanager.projects.get
resourcemanager.projects.list
serviceusage.quotas.get
serviceusage.services.get
serviceusage.services.list
storage.folders.*
storage.managedFolders.create
storage.managedFolders.delete
storage.managedFolders.get
storage.managedFolders.list
storage.multipartUploads.*
storage.objects.*
Environment and Storage Object User
(roles/)
Read and use access to Cloud Composer resources and read access to Cloud Storage objects.
composer.dags.*
composer.environments.get
composer.environments.list
composer.imageversions.list
composer.operations.get
composer.operations.list
composer.
composer.
composer.
composer.
resourcemanager.projects.get
resourcemanager.projects.list
serviceusage.quotas.get
serviceusage.services.get
serviceusage.services.list
storage.folders.get
storage.folders.list
storage.managedFolders.get
storage.managedFolders.list
storage.objects.get
storage.objects.list
Environment and Storage Object Viewer
(roles/)
Provides the permissions necessary to list and get Cloud Composer environments and operations.
Provides read-only access to objects in all project buckets.
Lowest-level resources where you can grant this role:
composer.dags.*
composer.environments.get
composer.environments.list
composer.imageversions.list
composer.operations.get
composer.operations.list
composer.
composer.
composer.
composer.
resourcemanager.projects.get
resourcemanager.projects.list
serviceusage.quotas.get
serviceusage.services.get
serviceusage.services.list
storage.folders.get
storage.folders.list
storage.managedFolders.get
storage.managedFolders.list
storage.objects.get
storage.objects.list
Composer Shared VPC Agent
(roles/)
Role that should be assigned to Composer Agent service account in Shared VPC host project
compute.
compute.
compute.networkAttachments.get
compute.
compute.networks.access
compute.networks.addPeering
compute.networks.get
compute.networks.list
compute.
compute.networks.removePeering
compute.networks.updatePeering
compute.networks.use
compute.networks.useExternalIp
compute.projects.get
compute.regions.*
compute.subnetworks.get
compute.subnetworks.list
compute.subnetworks.use
compute.
compute.zones.*
dns.managedZones.get
dns.managedZones.list
dns.
Composer User
(roles/)
Provides the permissions necessary to list and get Cloud Composer environments and operations.
Lowest-level resources where you can grant this role:
composer.dags.*
composer.environments.get
composer.environments.list
composer.imageversions.list
composer.operations.get
composer.operations.list
composer.
composer.
composer.
composer.
serviceusage.quotas.get
serviceusage.services.get
serviceusage.services.list
Composer Worker
(roles/)
Provides the permissions necessary to run a Cloud Composer environment VM. Intended for service accounts.
Lowest-level resources where you can grant this role:
artifactregistry.*
cloudbuild.builds.create
cloudbuild.builds.get
cloudbuild.builds.list
cloudbuild.builds.update
cloudbuild.locations.*
cloudbuild.operations.*
cloudbuild.workerpools.use
cloudkms.keyHandles.*
cloudkms.operations.get
cloudkms.
composer.environments.get
container.*
containeranalysis.
containeranalysis.
containeranalysis.
containeranalysis.
containeranalysis.
datalineage.events.create
datalineage.processes.create
datalineage.processes.get
datalineage.processes.update
datalineage.runs.create
datalineage.runs.get
datalineage.runs.update
logging.logEntries.create
logging.logEntries.list
logging.logEntries.route
logging.views.access
monitoring.
monitoring.
monitoring.
monitoring.
monitoring.timeSeries.*
orgpolicy.policy.get
pubsub.schemas.attach
pubsub.schemas.commit
pubsub.schemas.create
pubsub.schemas.delete
pubsub.schemas.get
pubsub.schemas.list
pubsub.schemas.listRevisions
pubsub.schemas.rollback
pubsub.schemas.validate
pubsub.snapshots.create
pubsub.snapshots.delete
pubsub.snapshots.get
pubsub.snapshots.list
pubsub.snapshots.seek
pubsub.snapshots.update
pubsub.subscriptions.consume
pubsub.subscriptions.create
pubsub.subscriptions.delete
pubsub.subscriptions.get
pubsub.subscriptions.list
pubsub.subscriptions.update
pubsub.
pubsub.topics.create
pubsub.topics.delete
pubsub.
pubsub.topics.get
pubsub.topics.list
pubsub.topics.publish
pubsub.topics.update
pubsub.topics.updateTag
recommender.
recommender.
recommender.locations.*
recommender.
recommender.
remotebuildexecution.blobs.get
resourcemanager.projects.get
resourcemanager.projects.list
serviceusage.quotas.get
serviceusage.services.get
serviceusage.services.list
source.repos.get
source.repos.list
storage.buckets.create
storage.buckets.get
storage.buckets.list
storage.folders.*
storage.managedFolders.create
storage.managedFolders.delete
storage.managedFolders.get
storage.managedFolders.list
storage.multipartUploads.*
storage.objects.*
Cloud Connectors roles
Permissions
Connector Admin
(roles/)
Full access to all resources of Connectors Service.
connectors.actions.*
connectors.connections.create
connectors.connections.delete
connectors.
connectors.
connectors.connections.get
connectors.
connectors.
connectors.
connectors.
connectors.connections.list
connectors.
connectors.connections.update
connectors.connectors.*
connectors.
connectors.customConnectors.*
connectors.
connectors.entities.*
connectors.entityTypes.list
connectors.
connectors.eventtypes.*
connectors.locations.*
connectors.managedZones.*
connectors.operations.*
connectors.providers.*
connectors.regionalSettings.*
connectors.runtimeconfig.get
connectors.
connectors.settings.*
connectors.versions.*
resourcemanager.projects.get
resourcemanager.projects.list
secretmanager.
Custom Connectors Admin
(roles/)
Custom Connector is a global resource which creates custom connector within the given target project. This role grants Admin access to Custom Connector resources
connectors.
connectors.customConnectors.*
connectors.locations.*
Custom Connector Viewer
(roles/)
Custom Connector is a global resource which creates custom connector within the given target project. This role grants Read-only access to Custom Connector & Custom Connector Version resources.
connectors.
connectors.
connectors.
connectors.
connectors.
connectors.
connectors.locations.*
Connectors Endpoint Attachment Admin
(roles/)
Endpoint Attachment is a regional resource which creates PSC connection endpoint for the given PSC Service Attachment. This role grants Admin access to Connectors Endpoint Attachment resources.
connectors.
connectors.locations.*
Connectors Endpoint Attachment Viewer
(roles/)
Endpoint Attachment is a regional resource which creates PSC connection endpoint for the given PSC Service Attachment. This role grants Read-only access to Connectors Endpoint Attachment resources
connectors.
connectors.
connectors.
connectors.locations.*
Connectors Event Subscriptions Admin
(roles/)
Event Subscription is a regional resource which creates subscriptions on events for a given connection within the given target project. This role grants Admin access to Connectors Subscription resources
connectors.
Connectors Event Subscriptions Viewer
(roles/)
Event Subscription is a regional resource which creates subscriptions on events for a given connection within the given target project. This role grants Read-only access to Event Subscription resources.
connectors.
connectors.
Connector Invoker
(roles/)
Full Access to invoke all operations on Connections.
connectors.actions.*
connectors.
connectors.entities.*
connectors.entityTypes.list
Connector Event Listener
(roles/)
Full Access to listen events by connections.
connectors.
Connectors Managed Zone Admin
(roles/)
Managed Zone is a global resource which creates Cloud DNS Peering Zone with the given target project. This role grants Admin access to Connectors Managed Zone resources
connectors.locations.*
connectors.managedZones.*
Connectors Managed Zone Viewer
(roles/)
Managed Zone is a global resource which creates Cloud DNS Peering Zone with the given target project. This role grants Read-only access to Connectors Managed Zone resources.
connectors.locations.*
connectors.managedZones.get
connectors.
connectors.managedZones.list
Connectors Viewer
(roles/)
Read-only access to Connectors all resources.
connectors.
connectors.connections.get
connectors.
connectors.
connectors.
connectors.
connectors.connections.list
connectors.connectors.*
connectors.
connectors.
connectors.
connectors.
connectors.
connectors.
connectors.
connectors.
connectors.
connectors.
connectors.
connectors.eventtypes.*
connectors.locations.*
connectors.managedZones.get
connectors.
connectors.managedZones.list
connectors.operations.get
connectors.operations.list
connectors.providers.*
connectors.
connectors.runtimeconfig.get
connectors.settings.get
connectors.versions.*
resourcemanager.projects.get
resourcemanager.projects.list
Cloud Data Fusion roles
Permissions
Cloud Data Fusion Accessor
Beta
(roles/)
Read-only access to Cloud Data Fusion Instances. Use it on instance level along with the namespace grants to provide access to the specific namespace.
datafusion.instances.get
datafusion.
datafusion.instances.list
datafusion.
datafusion.
resourcemanager.projects.get
resourcemanager.projects.list
Cloud Data Fusion Admin
(roles/)
Full access to Cloud Data Fusion Instances, Namespaces and related resources.
Lowest-level resources where you can grant this role:
datafusion.*
resourcemanager.projects.get
resourcemanager.projects.list
Cloud Data Fusion Developer
Beta
(roles/)
Access Cloud Data Fusion Instances, develop and run pipelines.
datafusion.artifacts.get
datafusion.artifacts.list
datafusion.instances.get
datafusion.
datafusion.instances.list
datafusion.
datafusion.
datafusion.locations.*
datafusion.namespaces.get
datafusion.
datafusion.namespaces.list
datafusion.
datafusion.
datafusion.namespaces.update
datafusion.
datafusion.operations.get
datafusion.operations.list
datafusion.
datafusion.
datafusion.
datafusion.pipelines.*
datafusion.profiles.get
datafusion.profiles.list
datafusion.secureKeys.*
resourcemanager.projects.get
resourcemanager.projects.list
Cloud Data Fusion Operator
Beta
(roles/)
Access Cloud Data Fusion Instances, operate namespaces and related resources.
datafusion.artifacts.*
datafusion.instances.get
datafusion.
datafusion.instances.list
datafusion.
datafusion.
datafusion.locations.*
datafusion.namespaces.get
datafusion.
datafusion.namespaces.list
datafusion.
datafusion.
datafusion.
datafusion.
datafusion.namespaces.update
datafusion.
datafusion.
datafusion.operations.get
datafusion.operations.list
datafusion.
datafusion.
datafusion.
datafusion.pipelines.create
datafusion.pipelines.delete
datafusion.pipelines.execute
datafusion.pipelines.get
datafusion.pipelines.list
datafusion.pipelines.update
datafusion.profiles.*
datafusion.secureKeys.*
resourcemanager.projects.get
resourcemanager.projects.list
Cloud Data Fusion Runner
(roles/)
Access to Cloud Data Fusion runtime resources.
datafusion.instances.runtime
Cloud Data Fusion Viewer
(roles/)
Read-only access to Cloud Data Fusion Instances, Namespaces and related resources.
Lowest-level resources where you can grant this role:
datafusion.artifacts.get
datafusion.artifacts.list
datafusion.instances.get
datafusion.
datafusion.instances.list
datafusion.
datafusion.
datafusion.locations.*
datafusion.namespaces.get
datafusion.
datafusion.namespaces.list
datafusion.operations.get
datafusion.operations.list
datafusion.
datafusion.
datafusion.pipelines.get
datafusion.pipelines.list
datafusion.profiles.get
datafusion.profiles.list
datafusion.secureKeys.list
resourcemanager.projects.get
resourcemanager.projects.list
Cloud Data Labeling roles
Permissions
Data Labeling Service Admin
Beta
(roles/)
Full access to all Data Labeling resources
datalabeling.*
resourcemanager.projects.get
resourcemanager.projects.list
Data Labeling Service Editor
Beta
(roles/)
Editor of all Data Labeling resources
datalabeling.*
resourcemanager.projects.get
resourcemanager.projects.list
Data Labeling Service Viewer
Beta
(roles/)
Viewer of all Data Labeling resources
datalabeling.
datalabeling.
datalabeling.
datalabeling.
datalabeling.dataitems.*
datalabeling.datasets.get
datalabeling.datasets.list
datalabeling.examples.*
datalabeling.instructions.get
datalabeling.instructions.list
datalabeling.operations.get
datalabeling.operations.list
resourcemanager.projects.get
resourcemanager.projects.list
Cloud Dataplex roles
Permissions
Dataplex Administrator
(roles/)
Full access to Dataplex resources, except Dataplex Catalog.
cloudasset.
cloudasset.
cloudasset.
dataplex.assetActions.list
dataplex.assets.create
dataplex.assets.delete
dataplex.assets.get
dataplex.assets.getIamPolicy
dataplex.assets.list
dataplex.assets.setIamPolicy
dataplex.assets.update
dataplex.content.*
dataplex.
dataplex.dataAttributes.*
dataplex.dataTaxonomies.*
dataplex.datascans.*
dataplex.entities.*
dataplex.entryGroups.export
dataplex.entryGroups.import
dataplex.environments.*
dataplex.lakeActions.list
dataplex.lakes.*
dataplex.locations.*
dataplex.metadataJobs.*
dataplex.operations.*
dataplex.partitions.*
dataplex.tasks.*
dataplex.zoneActions.list
dataplex.zones.*
resourcemanager.projects.get
resourcemanager.projects.list
Dataplex Aspect Type Owner
(roles/)
Grants access to creating and managing Aspect Types. Does not give the right to create/modify Entries.
datacatalog.
dataplex.aspectTypes.*
dataplex.operations.get
dataplex.projects.search
resourcemanager.projects.get
resourcemanager.projects.list
Dataplex Aspect Type User
(roles/)
Grants access to use Aspect Types to create/modify Entries with the corresponding aspects.
datacatalog.
dataplex.aspectTypes.get
dataplex.aspectTypes.list
dataplex.aspectTypes.use
dataplex.projects.search
resourcemanager.projects.get
resourcemanager.projects.list
Dataplex Binding Administrator
(roles/)
Full access on DataAttribute Bindig resources.
dataplex.
Dataplex Catalog Admin
(roles/)
Has full access to Catalog resources.
datacatalog.
dataplex.aspectTypes.*
dataplex.entries.*
dataplex.entryGroups.*
dataplex.entryTypes.*
dataplex.operations.get
dataplex.projects.search
resourcemanager.projects.get
resourcemanager.projects.list
Dataplex Catalog Editor
(roles/)
Has write access to Catalog resources. Cannot set IAM policies on resources
datacatalog.
dataplex.aspectTypes.create
dataplex.aspectTypes.delete
dataplex.aspectTypes.get
dataplex.
dataplex.aspectTypes.list
dataplex.aspectTypes.update
dataplex.aspectTypes.use
dataplex.entries.*
dataplex.entryGroups.create
dataplex.entryGroups.delete
dataplex.entryGroups.get
dataplex.
dataplex.entryGroups.list
dataplex.entryGroups.update
dataplex.
dataplex.
dataplex.
dataplex.
dataplex.
dataplex.entryTypes.create
dataplex.entryTypes.delete
dataplex.entryTypes.get
dataplex.
dataplex.entryTypes.list
dataplex.entryTypes.update
dataplex.entryTypes.use
dataplex.operations.get
dataplex.projects.search
resourcemanager.projects.get
resourcemanager.projects.list
Dataplex Catalog Viewer
(roles/)
Has read access to Catalog resources: Entry Groups, Entry Types, Aspect Types, Entry Link Types, Entries and Entry Links. Can view IAM policies on Catalog resources.
datacatalog.
dataplex.aspectTypes.get
dataplex.
dataplex.aspectTypes.list
dataplex.entries.get
dataplex.entries.list
dataplex.entryGroups.get
dataplex.
dataplex.entryGroups.list
dataplex.entryTypes.get
dataplex.
dataplex.entryTypes.list
dataplex.projects.search
resourcemanager.projects.get
resourcemanager.projects.list
Dataplex Data Owner
(roles/)
Owner access to data. To be granted to Dataplex resources Lake, Zone or Asset only.
dataplex.assets.ownData
dataplex.assets.readData
dataplex.assets.writeData
Dataplex Data Reader
(roles/)
Read only access to data. To be granted to Dataplex resources Lake, Zone or Asset only.
dataplex.assets.readData
Dataplex DataScan Administrator
(roles/)
Full access to DataScan resources.
dataplex.datascans.*
dataplex.operations.get
dataplex.operations.list
Dataplex DataScan Creator
(roles/)
Access to create new DataScan resources.
dataplex.datascans.create
dataplex.datascans.get
dataplex.datascans.list
dataplex.operations.get
Dataplex DataScan DataViewer
(roles/)
Read access to DataScan resources and additional contents.
dataplex.datascans.get
dataplex.datascans.getData
dataplex.
dataplex.datascans.list
Dataplex DataScan Editor
(roles/)
Write access to DataScan resources.
dataplex.datascans.create
dataplex.datascans.delete
dataplex.datascans.get
dataplex.datascans.getData
dataplex.
dataplex.datascans.list
dataplex.datascans.run
dataplex.datascans.update
dataplex.operations.get
dataplex.operations.list
Dataplex DataScan Viewer
(roles/)
Read access to DataScan resources.
dataplex.datascans.get
dataplex.
dataplex.datascans.list
Dataplex Data Writer
(roles/)
Write access to data. To be granted to Dataplex resources Lake, Zone or Asset only.
dataplex.assets.writeData
Dataplex Developer
(roles/)
Allows running data analytics workloads in a lake.
dataplex.content.*
dataplex.environments.execute
dataplex.environments.get
dataplex.environments.list
dataplex.tasks.cancel
dataplex.tasks.create
dataplex.tasks.delete
dataplex.tasks.get
dataplex.tasks.list
dataplex.tasks.run
dataplex.tasks.update
Dataplex Editor
(roles/)
Write access to Dataplex resources.
cloudasset.
dataplex.assetActions.list
dataplex.assets.create
dataplex.assets.delete
dataplex.assets.get
dataplex.assets.getIamPolicy
dataplex.assets.list
dataplex.assets.update
dataplex.content.delete
dataplex.content.get
dataplex.content.getIamPolicy
dataplex.content.list
dataplex.
dataplex.
dataplex.
dataplex.
dataplex.
dataplex.
dataplex.dataAttributes.bind
dataplex.dataAttributes.create
dataplex.dataAttributes.delete
dataplex.dataAttributes.get
dataplex.
dataplex.dataAttributes.list
dataplex.dataAttributes.update
dataplex.
dataplex.
dataplex.dataTaxonomies.create
dataplex.dataTaxonomies.delete
dataplex.dataTaxonomies.get
dataplex.
dataplex.dataTaxonomies.list
dataplex.dataTaxonomies.update
dataplex.datascans.create
dataplex.datascans.delete
dataplex.datascans.get
dataplex.
dataplex.datascans.list
dataplex.datascans.run
dataplex.datascans.update
dataplex.environments.create
dataplex.environments.delete
dataplex.environments.get
dataplex.
dataplex.environments.list
dataplex.environments.update
dataplex.lakeActions.list
dataplex.lakes.create
dataplex.lakes.delete
dataplex.lakes.get
dataplex.lakes.getIamPolicy
dataplex.lakes.list
dataplex.lakes.update
dataplex.operations.*
dataplex.tasks.cancel
dataplex.tasks.create
dataplex.tasks.delete
dataplex.tasks.get
dataplex.tasks.getIamPolicy
dataplex.tasks.list
dataplex.tasks.run
dataplex.tasks.update
dataplex.zoneActions.list
dataplex.zones.create
dataplex.zones.delete
dataplex.zones.get
dataplex.zones.getIamPolicy
dataplex.zones.list
dataplex.zones.update
Dataplex Encryption Admin
(roles/)
Gives user permissions to manage encryption config.
dataplex.encryptionConfig.*
dataplex.operations.get
dataplex.operations.list
Dataplex Entry Group Exporter
(roles/)
Grants access to export this entry group for Metadata Job processing.
dataplex.entryGroups.export
dataplex.entryGroups.get
resourcemanager.projects.get
resourcemanager.projects.list
Dataplex Entry Group Importer
(roles/)
Grants access to import this entry group for Metadata Job processing.
dataplex.entryGroups.get
dataplex.entryGroups.import
resourcemanager.projects.get
resourcemanager.projects.list
Dataplex Entry Group Owner
(roles/)
Owns Entry Groups and Entries inside of them.
datacatalog.
dataplex.aspectTypes.get
dataplex.aspectTypes.list
dataplex.aspectTypes.use
dataplex.entries.*
dataplex.entryGroups.*
dataplex.entryTypes.get
dataplex.entryTypes.list
dataplex.entryTypes.use
dataplex.operations.get
dataplex.projects.search
resourcemanager.projects.get
resourcemanager.projects.list
Dataplex Entry and EntryLink Owner
(roles/)
Owns Metadata Entries and EntryLinks.
datacatalog.
dataplex.aspectTypes.get
dataplex.aspectTypes.list
dataplex.aspectTypes.use
dataplex.entries.*
dataplex.entryGroups.get
dataplex.
dataplex.
dataplex.
dataplex.
dataplex.
dataplex.entryTypes.get
dataplex.entryTypes.list
dataplex.entryTypes.use
dataplex.projects.search
resourcemanager.projects.get
resourcemanager.projects.list
Dataplex Entry Type Owner
(roles/)
Grants access to creating and managing Entry Types. Does not give the right to create/modify Entries.
datacatalog.
dataplex.entryTypes.*
dataplex.operations.get
dataplex.projects.search
resourcemanager.projects.get
resourcemanager.projects.list
Dataplex Entry Type User
(roles/)
Grants access to use Entry Types to create/modify Entries of those types.
datacatalog.
dataplex.entryTypes.get
dataplex.entryTypes.list
dataplex.entryTypes.use
dataplex.projects.search
resourcemanager.projects.get
resourcemanager.projects.list
(roles/)
Grants access to creating and managing Metadata Jobs. Does not give the right to create/modify Entry Groups.
dataplex.metadataJobs.*
dataplex.operations.get
resourcemanager.projects.get
resourcemanager.projects.list
(roles/)
Read access to Metadata Job resources.
dataplex.metadataJobs.get
dataplex.metadataJobs.list
dataplex.operations.get
resourcemanager.projects.get
resourcemanager.projects.list
(roles/)
Read only access to metadata.
dataplex.assets.get
dataplex.assets.list
dataplex.entities.get
dataplex.entities.list
dataplex.partitions.get
dataplex.partitions.list
dataplex.zones.get
dataplex.zones.list
resourcemanager.projects.get
resourcemanager.projects.list
(roles/)
Write and Read access to metadata.
dataplex.assets.get
dataplex.assets.list
dataplex.entities.*
dataplex.partitions.*
dataplex.zones.get
dataplex.zones.list
resourcemanager.projects.get
resourcemanager.projects.list
Dataplex Security Administrator
(roles/)
Permissions configure ResourceAccess and DataAccess Specs on Data Attributes.
dataplex.
dataplex.
Dataplex Storage Data Owner
(roles/)
Owner access to data. Should not be used directly. This role is granted by Dataplex to managed resources like Cloud Storage buckets, BigQuery datasets etc.
bigquery.datasets.get
bigquery.models.create
bigquery.models.delete
bigquery.models.export
bigquery.models.getData
bigquery.models.getMetadata
bigquery.models.list
bigquery.models.updateData
bigquery.models.updateMetadata
bigquery.routines.create
bigquery.routines.delete
bigquery.routines.get
bigquery.routines.list
bigquery.routines.update
bigquery.tables.create
bigquery.tables.createSnapshot
bigquery.tables.delete
bigquery.tables.deleteSnapshot
bigquery.tables.export
bigquery.tables.get
bigquery.tables.getData
bigquery.tables.list
bigquery.
bigquery.tables.update
bigquery.tables.updateData
storage.buckets.get
storage.objects.create
storage.objects.delete
storage.objects.get
storage.objects.list
storage.objects.update
Dataplex Storage Data Reader
(roles/)
Read only access to data. Should not be used directly. This role is granted by Dataplex to managed resources like Cloud Storage buckets, BigQuery datasets etc.
bigquery.datasets.get
bigquery.models.export
bigquery.models.getData
bigquery.models.getMetadata
bigquery.models.list
bigquery.routines.get
bigquery.routines.list
bigquery.tables.export
bigquery.tables.get
bigquery.tables.getData
bigquery.tables.list
storage.buckets.get
storage.objects.get
storage.objects.list
Dataplex Storage Data Writer
(roles/)
Write access to data. Should not be used directly. This role is granted by Dataplex to managed resources like Cloud Storage buckets, BigQuery datasets etc.
bigquery.tables.updateData
storage.objects.create
storage.objects.delete
storage.objects.update
Dataplex Taxonomy Administrator
(roles/)
Full access to DataTaxonomy, DataAttribute resources.
dataplex.dataAttributes.*
dataplex.dataTaxonomies.create
dataplex.dataTaxonomies.delete
dataplex.dataTaxonomies.get
dataplex.
dataplex.dataTaxonomies.list
dataplex.
dataplex.dataTaxonomies.update
Dataplex Taxonomy Viewer
(roles/)
Read access on DataTaxonomy, DataAttribute resources.
dataplex.dataAttributes.get
dataplex.
dataplex.dataAttributes.list
dataplex.dataTaxonomies.get
dataplex.
dataplex.dataTaxonomies.list
Dataplex Viewer
(roles/)
Read access to Dataplex resources.
cloudasset.
dataplex.assetActions.list
dataplex.assets.get
dataplex.assets.getIamPolicy
dataplex.assets.list
dataplex.content.get
dataplex.content.getIamPolicy
dataplex.content.list
dataplex.
dataplex.
dataplex.
dataplex.dataAttributes.get
dataplex.
dataplex.dataAttributes.list
dataplex.dataTaxonomies.get
dataplex.
dataplex.dataTaxonomies.list
dataplex.datascans.get
dataplex.
dataplex.datascans.list
dataplex.environments.get
dataplex.
dataplex.environments.list
dataplex.lakeActions.list
dataplex.lakes.get
dataplex.lakes.getIamPolicy
dataplex.lakes.list
dataplex.operations.get
dataplex.operations.list
dataplex.tasks.get
dataplex.tasks.getIamPolicy
dataplex.tasks.list
dataplex.zoneActions.list
dataplex.zones.get
dataplex.zones.getIamPolicy
dataplex.zones.list
Cloud Debugger roles
Permissions
Cloud Debugger Agent
Beta
(roles/)
Provides permissions to register the debug target, read active breakpoints,
and report breakpoint results.
Lowest-level resources where you can grant this role:
clouddebugger.breakpoints.list
clouddebugger.
clouddebugger.
clouddebugger.debuggees.create
Cloud Debugger User
Beta
(roles/)
Provides permissions to create, view, list, and delete breakpoints
(snapshots & logpoints) as well as list debug targets (debuggees).
Lowest-level resources where you can grant this role:
clouddebugger.
clouddebugger.
clouddebugger.breakpoints.get
clouddebugger.breakpoints.list
clouddebugger.debuggees.list
Cloud Deploy roles
Permissions
Cloud Deploy Admin
(roles/)
Full control of Cloud Deploy resources.
clouddeploy.*
resourcemanager.projects.get
resourcemanager.projects.list
Cloud Deploy Approver
(roles/)
Permission to approve or reject rollouts.
clouddeploy.config.get
clouddeploy.jobRuns.get
clouddeploy.jobRuns.list
clouddeploy.locations.*
clouddeploy.operations.*
clouddeploy.rollouts.approve
clouddeploy.rollouts.get
clouddeploy.rollouts.list
resourcemanager.projects.get
resourcemanager.projects.list
Cloud Deploy Custom Target Type Admin
(roles/)
Permission to manage CustomTargetType resources
clouddeploy.config.get
clouddeploy.
resourcemanager.projects.get
resourcemanager.projects.list
Cloud Deploy Developer
(roles/)
Permission to manage deployment configuration without permission to access operational resources, such as targets.
clouddeploy.automationRuns.get
clouddeploy.
clouddeploy.automations.get
clouddeploy.automations.list
clouddeploy.config.get
clouddeploy.
clouddeploy.
clouddeploy.
clouddeploy.
clouddeploy.
clouddeploy.
clouddeploy.
clouddeploy.
clouddeploy.
clouddeploy.
clouddeploy.deployPolicies.get
clouddeploy.
clouddeploy.jobRuns.get
clouddeploy.jobRuns.list
clouddeploy.locations.*
clouddeploy.operations.*
clouddeploy.releases.*
clouddeploy.rollouts.get
clouddeploy.rollouts.list
resourcemanager.projects.get
resourcemanager.projects.list
Cloud Deploy Runner
(roles/)
Permission to execute Cloud Deploy work without permission to deliver to a target.
clouddeploy.config.get
logging.logEntries.create
storage.objects.create
storage.objects.get
storage.objects.list
Cloud Deploy Operator
(roles/)
Permission to manage deployment configuration.
clouddeploy.automationRuns.*
clouddeploy.automations.*
clouddeploy.config.get
clouddeploy.
clouddeploy.
clouddeploy.
clouddeploy.
clouddeploy.
clouddeploy.
clouddeploy.
clouddeploy.
clouddeploy.
clouddeploy.
clouddeploy.
clouddeploy.
clouddeploy.
clouddeploy.deployPolicies.get
clouddeploy.
clouddeploy.
clouddeploy.jobRuns.*
clouddeploy.locations.*
clouddeploy.operations.*
clouddeploy.releases.*
clouddeploy.rollouts.advance
clouddeploy.rollouts.cancel
clouddeploy.rollouts.create
clouddeploy.rollouts.get
clouddeploy.rollouts.ignoreJob
clouddeploy.rollouts.list
clouddeploy.rollouts.retryJob
clouddeploy.rollouts.rollback
clouddeploy.targets.create
clouddeploy.
clouddeploy.targets.delete
clouddeploy.
clouddeploy.targets.get
clouddeploy.
clouddeploy.targets.list
clouddeploy.
clouddeploy.
clouddeploy.targets.update
resourcemanager.projects.get
resourcemanager.projects.list
Cloud Deploy Policy Admin
Beta
(roles/)
Permission to manage Deploy Policies.
clouddeploy.deployPolicies.*
clouddeploy.locations.*
clouddeploy.operations.*
resourcemanager.projects.get
resourcemanager.projects.list
Cloud Deploy Policy Overrider
Beta
(roles/)
Permission to override Deploy Policies.
clouddeploy.deployPolicies.get
clouddeploy.
clouddeploy.
clouddeploy.locations.*
clouddeploy.operations.*
resourcemanager.projects.get
resourcemanager.projects.list
Cloud Deploy Releaser
(roles/)
Permission to create Cloud Deploy releases and rollouts.
clouddeploy.config.get
clouddeploy.
clouddeploy.
clouddeploy.jobRuns.get
clouddeploy.jobRuns.list
clouddeploy.locations.*
clouddeploy.operations.*
clouddeploy.releases.create
clouddeploy.releases.get
clouddeploy.releases.list
clouddeploy.rollouts.advance
clouddeploy.rollouts.cancel
clouddeploy.rollouts.create
clouddeploy.rollouts.get
clouddeploy.rollouts.list
clouddeploy.rollouts.rollback
clouddeploy.targets.get
resourcemanager.projects.get
resourcemanager.projects.list
Cloud Deploy Viewer
(roles/)
Can view Cloud Deploy resources.
clouddeploy.automationRuns.get
clouddeploy.
clouddeploy.automations.get
clouddeploy.automations.list
clouddeploy.config.get
clouddeploy.
clouddeploy.
clouddeploy.
clouddeploy.
clouddeploy.
clouddeploy.
clouddeploy.
clouddeploy.
clouddeploy.deployPolicies.get
clouddeploy.
clouddeploy.
clouddeploy.jobRuns.get
clouddeploy.jobRuns.list
clouddeploy.locations.*
clouddeploy.operations.get
clouddeploy.operations.list
clouddeploy.releases.get
clouddeploy.releases.list
clouddeploy.rollouts.get
clouddeploy.rollouts.list
clouddeploy.targets.get
clouddeploy.
clouddeploy.targets.list
clouddeploy.
clouddeploy.
resourcemanager.projects.get
resourcemanager.projects.list
Cloud DLP roles
Permissions
DLP Administrator
(roles/)
Administer DLP including jobs and templates.
dlp.*
resourcemanager.projects.get
resourcemanager.projects.list
serviceusage.services.use
DLP Analyze Risk Templates Editor
(roles/)
Edit DLP analyze risk templates.
dlp.analyzeRiskTemplates.*
DLP Analyze Risk Templates Reader
(roles/)
Read DLP analyze risk templates.
dlp.analyzeRiskTemplates.get
dlp.analyzeRiskTemplates.list
DLP Column Data Profiles Reader
(roles/)
Read DLP column profiles.
dlp.columnDataProfiles.*
DLP Connections Admin
(roles/)
Manage DLP Connections.
dlp.connections.*
resourcemanager.projects.get
resourcemanager.projects.list
DLP Connections Viewer
(roles/)
View DLP Connections.
dlp.connections.get
dlp.connections.list
dlp.connections.search
DLP Data Profiles Admin
(roles/)
Manage DLP profiles.
dlp.charts.get
dlp.columnDataProfiles.*
dlp.fileStoreProfiles.*
dlp.projectDataProfiles.*
dlp.tableDataProfiles.*
DLP Data Profiles Reader
(roles/)
Read DLP profiles.
dlp.charts.get
dlp.columnDataProfiles.*
dlp.fileStoreProfiles.get
dlp.fileStoreProfiles.list
dlp.projectDataProfiles.*
dlp.tableDataProfiles.get
dlp.tableDataProfiles.list
DLP De-identify Templates Editor
(roles/)
Edit DLP de-identify templates.
dlp.deidentifyTemplates.*
DLP De-identify Templates Reader
(roles/)
Read DLP de-identify templates.
dlp.deidentifyTemplates.get
dlp.deidentifyTemplates.list
DLP Cost Estimation
(roles/)
Manage DLP Cost Estimates.
dlp.estimates.*
DLP File Store Data Profiles Admin
(roles/)
Manage DLP file store profiles.
dlp.fileStoreProfiles.*
DLP File Store Data Profiles Reader
(roles/)
Read DLP file store profiles.
dlp.charts.get
dlp.fileStoreProfiles.get
dlp.fileStoreProfiles.list
DLP Inspect Findings Reader
(roles/)
Read DLP stored findings.
dlp.inspectFindings.list
DLP Inspect Templates Editor
(roles/)
Edit DLP inspect templates.
dlp.inspectTemplates.*
DLP Inspect Templates Reader
(roles/)
Read DLP inspect templates.
dlp.inspectTemplates.get
dlp.inspectTemplates.list
DLP Job Triggers Editor
(roles/)
Edit job triggers configurations.
dlp.jobTriggers.*
DLP Job Triggers Reader
(roles/)
Read job triggers.
dlp.jobTriggers.get
dlp.jobTriggers.list
DLP Jobs Editor
(roles/)
Edit and create jobs
dlp.jobs.*
dlp.kms.encrypt
DLP Jobs Reader
(roles/)
Read jobs
dlp.jobs.get
dlp.jobs.list
DLP Organization Data Profiles Driver
(roles/)
Permissions needed by the DLP service account to generate data profiles within an organization or folder.
Lowest-level resources where you can grant this role:
aiplatform.agentExamples.get
aiplatform.agentExamples.list
aiplatform.agents.get
aiplatform.agents.list
aiplatform.annotationSpecs.get
aiplatform.
aiplatform.annotations.get
aiplatform.annotations.list
aiplatform.apps.get
aiplatform.apps.list
aiplatform.artifacts.get
aiplatform.artifacts.list
aiplatform.
aiplatform.
aiplatform.cacheConfigs.get
aiplatform.cachedContents.get
aiplatform.cachedContents.list
aiplatform.consents.get
aiplatform.contexts.get
aiplatform.contexts.list
aiplatform.
aiplatform.customJobs.get
aiplatform.customJobs.list
aiplatform.dataItems.get
aiplatform.dataItems.list
aiplatform.
aiplatform.
aiplatform.datasetVersions.get
aiplatform.
aiplatform.datasets.get
aiplatform.datasets.list
aiplatform.
aiplatform.
aiplatform.
aiplatform.
aiplatform.
aiplatform.
aiplatform.edgeDevices.get
aiplatform.edgeDevices.list
aiplatform.endpoints.get
aiplatform.endpoints.list
aiplatform.entityTypes.get
aiplatform.entityTypes.list
aiplatform.exampleStores.get
aiplatform.exampleStores.list
aiplatform.
aiplatform.executions.get
aiplatform.executions.list
aiplatform.
aiplatform.extensions.get
aiplatform.extensions.list
aiplatform.featureGroups.get
aiplatform.featureGroups.list
aiplatform.
aiplatform.
aiplatform.featureViewSyncs.*
aiplatform.
aiplatform.featureViews.get
aiplatform.featureViews.list
aiplatform.
aiplatform.features.get
aiplatform.features.list
aiplatform.featurestores.get
aiplatform.featurestores.list
aiplatform.humanInTheLoops.get
aiplatform.
aiplatform.
aiplatform.
aiplatform.indexEndpoints.get
aiplatform.indexEndpoints.list
aiplatform.
aiplatform.indexes.get
aiplatform.indexes.list
aiplatform.locations.get
aiplatform.locations.list
aiplatform.metadataSchemas.get
aiplatform.
aiplatform.metadataStores.get
aiplatform.metadataStores.list
aiplatform.
aiplatform.
aiplatform.
aiplatform.
aiplatform.
aiplatform.
aiplatform.
aiplatform.
aiplatform.
aiplatform.modelMonitors.get
aiplatform.modelMonitors.list
aiplatform.
aiplatform.
aiplatform.models.get
aiplatform.models.list
aiplatform.nasJobs.get
aiplatform.nasJobs.list
aiplatform.nasTrialDetails.*
aiplatform.
aiplatform.
aiplatform.
aiplatform.
aiplatform.
aiplatform.
aiplatform.operations.list
aiplatform.
aiplatform.
aiplatform.pipelineJobs.get
aiplatform.pipelineJobs.list
aiplatform.
aiplatform.
aiplatform.
aiplatform.ragCorpora.get
aiplatform.ragCorpora.list
aiplatform.ragCorpora.query
aiplatform.ragFiles.get
aiplatform.ragFiles.list
aiplatform.
aiplatform.
aiplatform.
aiplatform.schedules.get
aiplatform.schedules.list
aiplatform.sessionEvents.list
aiplatform.sessions.get
aiplatform.sessions.list
aiplatform.specialistPools.get
aiplatform.
aiplatform.
aiplatform.studies.get
aiplatform.studies.list
aiplatform.
aiplatform.
aiplatform.tensorboardRuns.get
aiplatform.
aiplatform.
aiplatform.
aiplatform.
aiplatform.
aiplatform.tensorboards.get
aiplatform.tensorboards.list
aiplatform.
aiplatform.
aiplatform.trials.get
aiplatform.trials.list
aiplatform.tuningJobs.get
aiplatform.tuningJobs.list
alloydb.
alloydb.
alloydb.backups.get
alloydb.backups.list
alloydb.
alloydb.
alloydb.
alloydb.
alloydb.clusters.export
alloydb.
alloydb.clusters.get
alloydb.clusters.list
alloydb.
alloydb.
alloydb.databases.list
alloydb.instances.connect
alloydb.instances.executeSql
alloydb.instances.get
alloydb.instances.list
alloydb.locations.*
alloydb.operations.get
alloydb.operations.list
alloydb.
alloydb.users.get
alloydb.users.list
alloydb.users.login
apigateway.
apigateway.
apigateway.
apigateway.
apigateway.
apigateway.
apigateway.
apigateway.
apihub.apis.createTagBinding
apihub.apis.deleteTagBinding
apihub.apis.listEffectiveTags
apihub.apis.listTagBindings
apihub.
apihub.
apihub.
apihub.
artifactregistry.
artifactregistry.
artifactregistry.
artifactregistry.
bigquery.bireservations.get
bigquery.
bigquery.
bigquery.config.get
bigquery.connections.updateTag
bigquery.datasets.create
bigquery.
bigquery.
bigquery.datasets.get
bigquery.datasets.getIamPolicy
bigquery.
bigquery.
bigquery.datasets.updateTag
bigquery.jobs.create
bigquery.jobs.get
bigquery.jobs.list
bigquery.jobs.listAll
bigquery.
bigquery.models.*
bigquery.readsessions.*
bigquery.
bigquery.
bigquery.reservations.get
bigquery.reservations.list
bigquery.
bigquery.reservations.use
bigquery.routines.*
bigquery.savedqueries.get
bigquery.savedqueries.list
bigquery.tables.create
bigquery.tables.createIndex
bigquery.tables.createSnapshot
bigquery.
bigquery.tables.delete
bigquery.tables.deleteIndex
bigquery.
bigquery.tables.export
bigquery.tables.get
bigquery.tables.getData
bigquery.tables.getIamPolicy
bigquery.tables.list
bigquery.
bigquery.
bigquery.tables.replicateData
bigquery.
bigquery.tables.update
bigquery.tables.updateData
bigquery.tables.updateIndex
bigquery.tables.updateTag
bigquery.transfers.get
bigquerymigration.
bigtable.
bigtable.
bigtable.
bigtable.
bigtable.
bigtable.
bigtable.
bigtable.
certificatemanager.
certificatemanager.
certificatemanager.
certificatemanager.
certificatemanager.
certificatemanager.
certificatemanager.
certificatemanager.
certificatemanager.
certificatemanager.
certificatemanager.
certificatemanager.
certificatemanager.
certificatemanager.
certificatemanager.
certificatemanager.
certificatemanager.
certificatemanager.
certificatemanager.
certificatemanager.
certificatemanager.
certificatemanager.
certificatemanager.
certificatemanager.
cloudaicompanion.
cloudasset.
cloudasset.assets.analyzeMove
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.assets.exportIapWeb
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.assets.listIamRoles
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.assets.listIapWeb
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.assets.listResource
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.assets.listTpuNodes
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
clouddeploy.
clouddeploy.
clouddeploy.
clouddeploy.
clouddeploy.
clouddeploy.
clouddeploy.
clouddeploy.
cloudkms.keyHandles.*
cloudkms.
cloudkms.
cloudkms.
cloudkms.
cloudkms.operations.get
cloudkms.
cloudsql.instances.connect
cloudsql.
cloudsql.
cloudsql.instances.get
cloudsql.
cloudsql.
cloudsql.instances.login
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.disks.createTagBinding
compute.disks.deleteTagBinding
compute.
compute.disks.listTagBindings
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.images.listTagBindings
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.routes.listTagBindings
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
container.
container.
container.
container.
datacatalog.
datacatalog.entries.updateTag
datacatalog.
datacatalog.
datacatalog.tagTemplates.get
datacatalog.
datacatalog.tagTemplates.use
dataform.locations.*
dataform.repositories.create
dataform.repositories.list
datafusion.
datafusion.
datafusion.
datafusion.
dataplex.entries.get
dataplex.projects.search
datastore.
datastore.
datastore.
datastore.
datastream.
datastream.
datastream.
datastream.
datastream.
datastream.
datastream.
datastream.
datastream.
datastream.
datastream.
datastream.
dlp.*
domains.
domains.
domains.
domains.
file.backups.createTagBinding
file.backups.deleteTagBinding
file.backups.listEffectiveTags
file.backups.listTagBindings
file.
file.
file.
file.instances.listTagBindings
file.
file.
file.
file.snapshots.listTagBindings
iam.
iam.
iam.
iam.
logging.
logging.
logging.
logging.
managedidentities.
managedidentities.
managedidentities.
managedidentities.
monitoring.
monitoring.
monitoring.
monitoring.
privateca.
privateca.
privateca.
privateca.
privateca.
privateca.
privateca.
privateca.
pubsub.topics.updateTag
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.locations.*
redis.
redis.
redis.
redis.
resourcemanager.
resourcemanager.projects.get
resourcemanager.projects.list
resourcemanager.tagKeys.get
resourcemanager.tagKeys.list
resourcemanager.
resourcemanager.tagValues.get
resourcemanager.tagValues.list
run.jobs.createTagBinding
run.jobs.deleteTagBinding
run.jobs.listEffectiveTags
run.jobs.listTagBindings
run.services.createTagBinding
run.services.deleteTagBinding
run.services.listEffectiveTags
run.services.listTagBindings
secretmanager.
secretmanager.
secretmanager.
secretmanager.
serviceusage.services.use
spanner.
spanner.
spanner.
spanner.
storage.
storage.
storage.buckets.get
storage.buckets.getIamPolicy
storage.
storage.
storage.folders.get
storage.folders.list
storage.managedFolders.get
storage.managedFolders.list
storage.objects.get
storage.objects.getIamPolicy
storage.objects.list
transcoder.
transcoder.
transcoder.
transcoder.
transcoder.
transcoder.
transcoder.
transcoder.
workflows.
workflows.
workflows.
workflows.
workstations.
workstations.
workstations.
workstations.
DLP Project Data Profiles Reader
(roles/)
Read DLP project profiles.
dlp.projectDataProfiles.*
DLP Project Data Profiles Driver
(roles/)
Permissions needed by the DLP service account to generate data profiles within a project.
aiplatform.agentExamples.get
aiplatform.agentExamples.list
aiplatform.agents.get
aiplatform.agents.list
aiplatform.annotationSpecs.get
aiplatform.
aiplatform.annotations.get
aiplatform.annotations.list
aiplatform.apps.get
aiplatform.apps.list
aiplatform.artifacts.get
aiplatform.artifacts.list
aiplatform.
aiplatform.
aiplatform.cacheConfigs.get
aiplatform.cachedContents.get
aiplatform.cachedContents.list
aiplatform.consents.get
aiplatform.contexts.get
aiplatform.contexts.list
aiplatform.
aiplatform.customJobs.get
aiplatform.customJobs.list
aiplatform.dataItems.get
aiplatform.dataItems.list
aiplatform.
aiplatform.
aiplatform.datasetVersions.get
aiplatform.
aiplatform.datasets.get
aiplatform.datasets.list
aiplatform.
aiplatform.
aiplatform.
aiplatform.
aiplatform.
aiplatform.
aiplatform.edgeDevices.get
aiplatform.edgeDevices.list
aiplatform.endpoints.get
aiplatform.endpoints.list
aiplatform.entityTypes.get
aiplatform.entityTypes.list
aiplatform.exampleStores.get
aiplatform.exampleStores.list
aiplatform.
aiplatform.executions.get
aiplatform.executions.list
aiplatform.
aiplatform.extensions.get
aiplatform.extensions.list
aiplatform.featureGroups.get
aiplatform.featureGroups.list
aiplatform.
aiplatform.
aiplatform.featureViewSyncs.*
aiplatform.
aiplatform.featureViews.get
aiplatform.featureViews.list
aiplatform.
aiplatform.features.get
aiplatform.features.list
aiplatform.featurestores.get
aiplatform.featurestores.list
aiplatform.humanInTheLoops.get
aiplatform.
aiplatform.
aiplatform.
aiplatform.indexEndpoints.get
aiplatform.indexEndpoints.list
aiplatform.
aiplatform.indexes.get
aiplatform.indexes.list
aiplatform.locations.get
aiplatform.locations.list
aiplatform.metadataSchemas.get
aiplatform.
aiplatform.metadataStores.get
aiplatform.metadataStores.list
aiplatform.
aiplatform.
aiplatform.
aiplatform.
aiplatform.
aiplatform.
aiplatform.
aiplatform.
aiplatform.
aiplatform.modelMonitors.get
aiplatform.modelMonitors.list
aiplatform.
aiplatform.
aiplatform.models.get
aiplatform.models.list
aiplatform.nasJobs.get
aiplatform.nasJobs.list
aiplatform.nasTrialDetails.*
aiplatform.
aiplatform.
aiplatform.
aiplatform.
aiplatform.
aiplatform.
aiplatform.operations.list
aiplatform.
aiplatform.
aiplatform.pipelineJobs.get
aiplatform.pipelineJobs.list
aiplatform.
aiplatform.
aiplatform.
aiplatform.ragCorpora.get
aiplatform.ragCorpora.list
aiplatform.ragCorpora.query
aiplatform.ragFiles.get
aiplatform.ragFiles.list
aiplatform.
aiplatform.
aiplatform.
aiplatform.schedules.get
aiplatform.schedules.list
aiplatform.sessionEvents.list
aiplatform.sessions.get
aiplatform.sessions.list
aiplatform.specialistPools.get
aiplatform.
aiplatform.
aiplatform.studies.get
aiplatform.studies.list
aiplatform.
aiplatform.
aiplatform.tensorboardRuns.get
aiplatform.
aiplatform.
aiplatform.
aiplatform.
aiplatform.
aiplatform.tensorboards.get
aiplatform.tensorboards.list
aiplatform.
aiplatform.
aiplatform.trials.get
aiplatform.trials.list
aiplatform.tuningJobs.get
aiplatform.tuningJobs.list
alloydb.
alloydb.
alloydb.backups.get
alloydb.backups.list
alloydb.
alloydb.
alloydb.
alloydb.
alloydb.clusters.export
alloydb.
alloydb.clusters.get
alloydb.clusters.list
alloydb.
alloydb.
alloydb.databases.list
alloydb.instances.connect
alloydb.instances.executeSql
alloydb.instances.get
alloydb.instances.list
alloydb.locations.*
alloydb.operations.get
alloydb.operations.list
alloydb.
alloydb.users.get
alloydb.users.list
alloydb.users.login
apigateway.
apigateway.
apigateway.
apigateway.
apigateway.
apigateway.
apigateway.
apigateway.
apihub.apis.createTagBinding
apihub.apis.deleteTagBinding
apihub.apis.listEffectiveTags
apihub.apis.listTagBindings
apihub.
apihub.
apihub.
apihub.
artifactregistry.
artifactregistry.
artifactregistry.
artifactregistry.
bigquery.bireservations.get
bigquery.
bigquery.
bigquery.config.get
bigquery.connections.updateTag
bigquery.datasets.create
bigquery.
bigquery.
bigquery.datasets.get
bigquery.datasets.getIamPolicy
bigquery.
bigquery.
bigquery.datasets.updateTag
bigquery.jobs.create
bigquery.jobs.get
bigquery.jobs.list
bigquery.jobs.listAll
bigquery.
bigquery.models.*
bigquery.readsessions.*
bigquery.
bigquery.
bigquery.reservations.get
bigquery.reservations.list
bigquery.
bigquery.reservations.use
bigquery.routines.*
bigquery.savedqueries.get
bigquery.savedqueries.list
bigquery.tables.create
bigquery.tables.createIndex
bigquery.tables.createSnapshot
bigquery.
bigquery.tables.delete
bigquery.tables.deleteIndex
bigquery.
bigquery.tables.export
bigquery.tables.get
bigquery.tables.getData
bigquery.tables.getIamPolicy
bigquery.tables.list
bigquery.
bigquery.
bigquery.tables.replicateData
bigquery.
bigquery.tables.update
bigquery.tables.updateData
bigquery.tables.updateIndex
bigquery.tables.updateTag
bigquery.transfers.get
bigquerymigration.
bigtable.
bigtable.
bigtable.
bigtable.
bigtable.
bigtable.
bigtable.
bigtable.
certificatemanager.
certificatemanager.
certificatemanager.
certificatemanager.
certificatemanager.
certificatemanager.
certificatemanager.
certificatemanager.
certificatemanager.
certificatemanager.
certificatemanager.
certificatemanager.
certificatemanager.
certificatemanager.
certificatemanager.
certificatemanager.
certificatemanager.
certificatemanager.
certificatemanager.
certificatemanager.
certificatemanager.
certificatemanager.
certificatemanager.
certificatemanager.
cloudaicompanion.
cloudasset.
cloudasset.assets.analyzeMove
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.assets.exportIapWeb
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.assets.listIamRoles
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.assets.listIapWeb
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.assets.listResource
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.assets.listTpuNodes
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
clouddeploy.
clouddeploy.
clouddeploy.
clouddeploy.
clouddeploy.
clouddeploy.
clouddeploy.
clouddeploy.
cloudkms.keyHandles.*
cloudkms.
cloudkms.
cloudkms.
cloudkms.
cloudkms.operations.get
cloudkms.
cloudsql.instances.connect
cloudsql.
cloudsql.
cloudsql.instances.get
cloudsql.
cloudsql.
cloudsql.instances.login
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.disks.createTagBinding
compute.disks.deleteTagBinding
compute.
compute.disks.listTagBindings
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.images.listTagBindings
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.routes.listTagBindings
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
container.
container.
container.
container.
datacatalog.
datacatalog.entries.updateTag
datacatalog.
datacatalog.
datacatalog.tagTemplates.get
datacatalog.
datacatalog.tagTemplates.use
dataform.locations.*
dataform.repositories.create
dataform.repositories.list
datafusion.
datafusion.
datafusion.
datafusion.
dataplex.entries.get
dataplex.projects.search
datastore.
datastore.
datastore.
datastore.
datastream.
datastream.
datastream.
datastream.
datastream.
datastream.
datastream.
datastream.
datastream.
datastream.
datastream.
datastream.
dlp.*
domains.
domains.
domains.
domains.
file.backups.createTagBinding
file.backups.deleteTagBinding
file.backups.listEffectiveTags
file.backups.listTagBindings
file.
file.
file.
file.instances.listTagBindings
file.
file.
file.
file.snapshots.listTagBindings
iam.
iam.
iam.
iam.
logging.
logging.
logging.
logging.
managedidentities.
managedidentities.
managedidentities.
managedidentities.
monitoring.
monitoring.
monitoring.
monitoring.
privateca.
privateca.
privateca.
privateca.
privateca.
privateca.
privateca.
privateca.
pubsub.topics.updateTag
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.locations.*
redis.
redis.
redis.
redis.
resourcemanager.
resourcemanager.projects.get
resourcemanager.projects.list
resourcemanager.tagKeys.get
resourcemanager.tagKeys.list
resourcemanager.
resourcemanager.tagValues.get
resourcemanager.tagValues.list
run.jobs.createTagBinding
run.jobs.deleteTagBinding
run.jobs.listEffectiveTags
run.jobs.listTagBindings
run.services.createTagBinding
run.services.deleteTagBinding
run.services.listEffectiveTags
run.services.listTagBindings
secretmanager.
secretmanager.
secretmanager.
secretmanager.
serviceusage.services.use
spanner.
spanner.
spanner.
spanner.
storage.
storage.
storage.buckets.get
storage.buckets.getIamPolicy
storage.
storage.
storage.folders.get
storage.folders.list
storage.managedFolders.get
storage.managedFolders.list
storage.objects.get
storage.objects.getIamPolicy
storage.objects.list
transcoder.
transcoder.
transcoder.
transcoder.
transcoder.
transcoder.
transcoder.
transcoder.
workflows.
workflows.
workflows.
workflows.
workstations.
workstations.
workstations.
workstations.
DLP Reader
(roles/)
Read DLP entities, such as jobs and templates.
dlp.analyzeRiskTemplates.get
dlp.analyzeRiskTemplates.list
dlp.deidentifyTemplates.get
dlp.deidentifyTemplates.list
dlp.inspectFindings.list
dlp.inspectTemplates.get
dlp.inspectTemplates.list
dlp.jobTriggers.get
dlp.jobTriggers.list
dlp.jobs.get
dlp.jobs.list
dlp.locations.*
dlp.storedInfoTypes.get
dlp.storedInfoTypes.list
DLP Stored InfoTypes Editor
(roles/)
Edit DLP stored info types.
dlp.storedInfoTypes.*
DLP Stored InfoTypes Reader
(roles/)
Read DLP stored info types.
dlp.storedInfoTypes.get
dlp.storedInfoTypes.list
DLP Subscription Admin
(roles/)
Manage DLP subscriptions.
dlp.subscriptions.*
resourcemanager.projects.get
resourcemanager.projects.list
DLP Subscription Viewer
(roles/)
View DLP subscriptions.
dlp.subscriptions.get
dlp.subscriptions.list
DLP Table Data Profiles Admin
(roles/)
Manage DLP table profiles.
dlp.tableDataProfiles.*
DLP Table Data Profiles Reader
(roles/)
Read DLP table profiles.
dlp.tableDataProfiles.get
dlp.tableDataProfiles.list
DLP User
(roles/)
Inspect, Redact, and De-identify Content
dlp.kms.encrypt
dlp.locations.*
serviceusage.services.use
Cloud Domains roles
Permissions
Cloud Domains Admin
(roles/)
Full access to Cloud Domains Registrations and related resources.
domains.*
resourcemanager.projects.get
resourcemanager.projects.list
Cloud Domains Viewer
(roles/)
Read-only access to Cloud Domains Registrations and related resources.
domains.locations.*
domains.operations.get
domains.operations.list
domains.registrations.get
domains.
domains.registrations.list
domains.
domains.
resourcemanager.projects.get
resourcemanager.projects.list
Cloud Filestore roles
Permissions
Cloud Filestore Editor
Beta
(roles/)
Read-write access to Filestore instances and related resources.
file.*
Cloud Filestore Viewer
Beta
(roles/)
Read-only access to Filestore instances and related resources.
file.backups.get
file.backups.list
file.backups.listEffectiveTags
file.backups.listTagBindings
file.instances.get
file.instances.list
file.
file.instances.listTagBindings
file.locations.*
file.operations.get
file.operations.list
file.
file.snapshots.listTagBindings
Cloud Financial Services roles
Permissions
Financial Services Admin
(roles/)
Full access to all Financial Services API resources.
financialservices.*
resourcemanager.projects.get
resourcemanager.projects.list
Financial Services Viewer
(roles/)
View access to all Financial Services API resources.
financialservices.locations.*
financialservices.
financialservices.
financialservices.
financialservices.
financialservices.
financialservices.
financialservices.
financialservices.
financialservices.
financialservices.
financialservices.
financialservices.
financialservices.
financialservices.
financialservices.
financialservices.v1models.get
financialservices.
financialservices.
financialservices.
financialservices.
resourcemanager.projects.get
resourcemanager.projects.list
Cloud Functions roles
Permissions
Cloud Functions Admin
(roles/)
Full access to functions, operations and locations.
artifactregistry.
artifactregistry.
artifactregistry.
artifactregistry.
artifactregistry.files.get
artifactregistry.files.list
artifactregistry.locations.*
artifactregistry.
artifactregistry.npmpackages.*
artifactregistry.packages.get
artifactregistry.packages.list
artifactregistry.
artifactregistry.
artifactregistry.
artifactregistry.
artifactregistry.
artifactregistry.
artifactregistry.
artifactregistry.
artifactregistry.rules.get
artifactregistry.rules.list
artifactregistry.tags.get
artifactregistry.tags.list
artifactregistry.versions.get
artifactregistry.versions.list
cloudasset.
cloudbuild.builds.get
cloudbuild.builds.list
cloudbuild.locations.*
cloudbuild.operations.*
cloudfunctions.*
eventarc.*
recommender.
recommender.
recommender.locations.*
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
remotebuildexecution.blobs.get
resourcemanager.projects.get
resourcemanager.
resourcemanager.projects.list
run.*
serviceusage.quotas.get
serviceusage.services.get
serviceusage.services.list
Cloud Functions Developer
(roles/)
Read and write access to all functions-related resources.
artifactregistry.
artifactregistry.
artifactregistry.
artifactregistry.
artifactregistry.files.get
artifactregistry.files.list
artifactregistry.locations.*
artifactregistry.
artifactregistry.npmpackages.*
artifactregistry.packages.get
artifactregistry.packages.list
artifactregistry.
artifactregistry.
artifactregistry.
artifactregistry.
artifactregistry.
artifactregistry.
artifactregistry.
artifactregistry.
artifactregistry.rules.get
artifactregistry.rules.list
artifactregistry.tags.get
artifactregistry.tags.list
artifactregistry.versions.get
artifactregistry.versions.list
cloudasset.
cloudbuild.builds.get
cloudbuild.builds.list
cloudbuild.locations.*
cloudbuild.operations.*
cloudfunctions.functions.call
cloudfunctions.
cloudfunctions.
cloudfunctions.
cloudfunctions.functions.get
cloudfunctions.
cloudfunctions.functions.list
cloudfunctions.
cloudfunctions.
cloudfunctions.
cloudfunctions.locations.list
cloudfunctions.operations.*
eventarc.
eventarc.
eventarc.
eventarc.
eventarc.
eventarc.
eventarc.channels.attach
eventarc.channels.create
eventarc.channels.delete
eventarc.channels.get
eventarc.channels.getIamPolicy
eventarc.channels.list
eventarc.channels.publish
eventarc.channels.undelete
eventarc.channels.update
eventarc.enrollments.create
eventarc.enrollments.delete
eventarc.enrollments.get
eventarc.
eventarc.enrollments.list
eventarc.enrollments.update
eventarc.
eventarc.
eventarc.googleApiSources.get
eventarc.
eventarc.googleApiSources.list
eventarc.
eventarc.
eventarc.kafkaSources.create
eventarc.kafkaSources.delete
eventarc.kafkaSources.get
eventarc.
eventarc.kafkaSources.list
eventarc.locations.*
eventarc.operations.*
eventarc.pipelines.create
eventarc.pipelines.delete
eventarc.pipelines.get
eventarc.
eventarc.pipelines.list
eventarc.pipelines.update
eventarc.providers.*
eventarc.triggers.create
eventarc.triggers.delete
eventarc.triggers.get
eventarc.triggers.getIamPolicy
eventarc.triggers.list
eventarc.triggers.undelete
eventarc.triggers.update
recommender.
recommender.
recommender.locations.*
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
remotebuildexecution.blobs.get
resourcemanager.projects.get
resourcemanager.projects.list
run.configurations.*
run.executions.*
run.jobs.create
run.jobs.delete
run.jobs.get
run.jobs.getIamPolicy
run.jobs.list
run.jobs.listEffectiveTags
run.jobs.listTagBindings
run.jobs.run
run.jobs.runWithOverrides
run.jobs.update
run.locations.list
run.operations.*
run.revisions.*
run.routes.*
run.services.create
run.services.delete
run.services.get
run.services.getIamPolicy
run.services.list
run.services.listEffectiveTags
run.services.listTagBindings
run.services.update
run.tasks.*
serviceusage.quotas.get
serviceusage.services.get
serviceusage.services.list
Cloud Functions Invoker
(roles/)
Ability to invoke 1st gen HTTP functions with restricted access. 2nd gen functions need the Cloud Run Invoker role instead.
cloudfunctions.
Cloud Functions Viewer
(roles/)
Read-only access to functions and locations.
cloudasset.
cloudbuild.builds.get
cloudbuild.builds.list
cloudbuild.locations.*
cloudbuild.operations.*
cloudfunctions.functions.get
cloudfunctions.
cloudfunctions.functions.list
cloudfunctions.locations.list
cloudfunctions.operations.*
eventarc.
eventarc.
eventarc.
eventarc.channels.get
eventarc.channels.getIamPolicy
eventarc.channels.list
eventarc.enrollments.get
eventarc.
eventarc.enrollments.list
eventarc.googleApiSources.get
eventarc.
eventarc.googleApiSources.list
eventarc.
eventarc.kafkaSources.get
eventarc.
eventarc.kafkaSources.list
eventarc.locations.*
eventarc.messageBuses.get
eventarc.
eventarc.messageBuses.list
eventarc.messageBuses.use
eventarc.operations.get
eventarc.operations.list
eventarc.pipelines.get
eventarc.
eventarc.pipelines.list
eventarc.providers.*
eventarc.triggers.get
eventarc.triggers.getIamPolicy
eventarc.triggers.list
recommender.
recommender.
recommender.
recommender.
recommender.locations.*
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
remotebuildexecution.blobs.get
resourcemanager.projects.get
resourcemanager.projects.list
run.configurations.*
run.executions.get
run.executions.list
run.jobs.get
run.jobs.getIamPolicy
run.jobs.list
run.jobs.listEffectiveTags
run.jobs.listTagBindings
run.locations.list
run.operations.get
run.operations.list
run.revisions.get
run.revisions.list
run.routes.get
run.routes.list
run.services.get
run.services.getIamPolicy
run.services.list
run.services.listEffectiveTags
run.services.listTagBindings
run.tasks.*
serviceusage.quotas.get
serviceusage.services.get
serviceusage.services.list
Cloud Healthcare roles
Permissions
Healthcare Annotation Editor
(roles/)
Create, delete, update, read and list annotations.
healthcare.
healthcare.
healthcare.annotations.*
healthcare.datasets.get
healthcare.datasets.list
healthcare.locations.*
healthcare.operations.get
resourcemanager.projects.get
resourcemanager.projects.list
Healthcare Annotation Reader
(roles/)
Read and list annotations in an Annotation store.
healthcare.
healthcare.
healthcare.annotations.get
healthcare.annotations.list
healthcare.datasets.get
healthcare.datasets.list
healthcare.locations.*
healthcare.operations.get
resourcemanager.projects.get
resourcemanager.projects.list
Healthcare Annotation Administrator
(roles/)
Administer Annotation stores.
healthcare.annotationStores.*
healthcare.datasets.get
healthcare.datasets.list
healthcare.locations.*
healthcare.operations.get
resourcemanager.projects.get
resourcemanager.projects.list
Healthcare Annotation Store Viewer
(roles/)
List Annotation Stores in a dataset.
healthcare.
healthcare.
healthcare.datasets.get
healthcare.datasets.list
healthcare.locations.*
healthcare.operations.get
resourcemanager.projects.get
resourcemanager.projects.list
Healthcare Attribute Definition Editor
(roles/)
Edit AttributeDefinition objects.
healthcare.
healthcare.
healthcare.
healthcare.consentStores.get
healthcare.consentStores.list
healthcare.
healthcare.datasets.get
healthcare.datasets.list
healthcare.locations.*
healthcare.operations.get
resourcemanager.projects.get
resourcemanager.projects.list
Healthcare Attribute Definition Reader
(roles/)
Read AttributeDefinition objects in a consent store.
healthcare.
healthcare.
healthcare.
healthcare.
healthcare.consentStores.get
healthcare.consentStores.list
healthcare.
healthcare.datasets.get
healthcare.datasets.list
healthcare.locations.*
healthcare.operations.get
resourcemanager.projects.get
resourcemanager.projects.list
Healthcare Consent Artifact Administrator
(roles/)
Administer ConsentArtifact objects.
healthcare.consentArtifacts.*
healthcare.
healthcare.
healthcare.consentStores.get
healthcare.consentStores.list
healthcare.
healthcare.datasets.get
healthcare.datasets.list
healthcare.locations.*
healthcare.operations.get
resourcemanager.projects.get
resourcemanager.projects.list
Healthcare Consent Artifact Editor
(roles/)
Edit ConsentArtifact objects.
healthcare.
healthcare.
healthcare.
healthcare.
healthcare.
healthcare.consentStores.get
healthcare.consentStores.list
healthcare.
healthcare.datasets.get
healthcare.datasets.list
healthcare.locations.*
healthcare.operations.get
resourcemanager.projects.get
resourcemanager.projects.list
Healthcare Consent Artifact Reader
(roles/)
Read ConsentArtifact objects in a consent store.
healthcare.
healthcare.
healthcare.
healthcare.
healthcare.consentStores.get
healthcare.consentStores.list
healthcare.
healthcare.datasets.get
healthcare.datasets.list
healthcare.locations.*
healthcare.operations.get
resourcemanager.projects.get
resourcemanager.projects.list
Healthcare Consent Editor
(roles/)
Edit Consent objects.
healthcare.
healthcare.
healthcare.consentStores.get
healthcare.consentStores.list
healthcare.
healthcare.consents.*
healthcare.datasets.get
healthcare.datasets.list
healthcare.locations.*
healthcare.operations.get
resourcemanager.projects.get
resourcemanager.projects.list
Healthcare Consent Reader
(roles/)
Read Consent objects in a consent store.
healthcare.
healthcare.
healthcare.consentStores.get
healthcare.consentStores.list
healthcare.
healthcare.consents.get
healthcare.consents.list
healthcare.datasets.get
healthcare.datasets.list
healthcare.locations.*
healthcare.operations.get
resourcemanager.projects.get
resourcemanager.projects.list
Healthcare Consent Store Administrator
(roles/)
Administer Consent stores.
healthcare.consentStores.*
healthcare.datasets.get
healthcare.datasets.list
healthcare.locations.*
healthcare.operations.get
resourcemanager.projects.get
resourcemanager.projects.list
Healthcare Consent Store Viewer
(roles/)
List Consent Stores in a dataset.
healthcare.
healthcare.
healthcare.consentStores.get
healthcare.consentStores.list
healthcare.
healthcare.datasets.get
healthcare.datasets.list
healthcare.locations.*
healthcare.operations.get
resourcemanager.projects.get
resourcemanager.projects.list
Healthcare Dataset Administrator
(roles/)
Administer Healthcare Datasets.
healthcare.datasets.*
healthcare.locations.*
healthcare.operations.*
resourcemanager.projects.get
resourcemanager.projects.list
Healthcare Dataset Viewer
(roles/)
List the Healthcare Datasets in a project.
healthcare.datasets.get
healthcare.datasets.list
healthcare.locations.*
healthcare.operations.get
resourcemanager.projects.get
resourcemanager.projects.list
Healthcare DICOM Editor
(roles/)
Edit DICOM images individually and in bulk.
healthcare.datasets.get
healthcare.datasets.list
healthcare.
healthcare.
healthcare.
healthcare.dicomStores.export
healthcare.dicomStores.get
healthcare.dicomStores.import
healthcare.dicomStores.list
healthcare.locations.*
healthcare.operations.cancel
healthcare.operations.get
resourcemanager.projects.get
resourcemanager.projects.list
Healthcare DICOM Store Administrator
(roles/)
Administer DICOM stores.
healthcare.datasets.get
healthcare.datasets.list
healthcare.dicomStores.create
healthcare.
healthcare.dicomStores.delete
healthcare.
healthcare.dicomStores.get
healthcare.
healthcare.dicomStores.list
healthcare.
healthcare.dicomStores.update
healthcare.locations.*
healthcare.operations.cancel
healthcare.operations.get
resourcemanager.projects.get
resourcemanager.projects.list
Healthcare DICOM Store Viewer
(roles/)
List DICOM Stores in a dataset.
healthcare.datasets.get
healthcare.datasets.list
healthcare.dicomStores.get
healthcare.dicomStores.list
healthcare.locations.*
healthcare.operations.get
resourcemanager.projects.get
resourcemanager.projects.list
Healthcare DICOM Viewer
(roles/)
Retrieve DICOM images from a DICOM store.
healthcare.datasets.get
healthcare.datasets.list
healthcare.
healthcare.dicomStores.export
healthcare.dicomStores.get
healthcare.dicomStores.list
healthcare.locations.*
healthcare.operations.get
resourcemanager.projects.get
resourcemanager.projects.list
Healthcare FHIR Resource Editor
(roles/)
Create, delete, update, read and search FHIR resources.
healthcare.datasets.get
healthcare.datasets.list
healthcare.
healthcare.
healthcare.fhirResources.get
healthcare.fhirResources.patch
healthcare.
healthcare.
healthcare.
healthcare.fhirStores.get
healthcare.fhirStores.list
healthcare.
healthcare.locations.*
healthcare.operations.cancel
healthcare.operations.get
resourcemanager.projects.get
resourcemanager.projects.list
Healthcare FHIR Resource Reader
(roles/)
Read and search FHIR resources.
healthcare.datasets.get
healthcare.datasets.list
healthcare.fhirResources.get
healthcare.
healthcare.
healthcare.fhirStores.get
healthcare.fhirStores.list
healthcare.
healthcare.locations.*
healthcare.operations.get
resourcemanager.projects.get
resourcemanager.projects.list
Healthcare FHIR Store Administrator
(roles/)
Administer FHIR resource stores.
healthcare.datasets.get
healthcare.datasets.list
healthcare.fhirResources.purge
healthcare.
healthcare.
healthcare.fhirStores.create
healthcare.
healthcare.fhirStores.delete
healthcare.
healthcare.
healthcare.fhirStores.export
healthcare.fhirStores.get
healthcare.
healthcare.
healthcare.fhirStores.import
healthcare.fhirStores.list
healthcare.fhirStores.rollback
healthcare.
healthcare.fhirStores.update
healthcare.locations.*
healthcare.operations.cancel
healthcare.operations.get
resourcemanager.projects.get
resourcemanager.projects.list
Healthcare FHIR Store Viewer
(roles/)
List FHIR Stores in a dataset.
healthcare.datasets.get
healthcare.datasets.list
healthcare.fhirStores.get
healthcare.fhirStores.list
healthcare.locations.*
healthcare.operations.get
resourcemanager.projects.get
resourcemanager.projects.list
Healthcare HL7v2 Message Consumer
(roles/)
List and read HL7v2 messages, update message labels, and publish new messages.
healthcare.datasets.get
healthcare.datasets.list
healthcare.
healthcare.hl7V2Messages.get
healthcare.hl7V2Messages.list
healthcare.
healthcare.hl7V2Stores.get
healthcare.hl7V2Stores.list
healthcare.locations.*
healthcare.operations.get
resourcemanager.projects.get
resourcemanager.projects.list
Healthcare HL7v2 Message Editor
(roles/)
Read, write, and delete access to HL7v2 messages.
healthcare.datasets.get
healthcare.datasets.list
healthcare.hl7V2Messages.*
healthcare.hl7V2Stores.get
healthcare.hl7V2Stores.list
healthcare.locations.*
healthcare.operations.cancel
healthcare.operations.get
resourcemanager.projects.get
resourcemanager.projects.list
Healthcare HL7v2 Message Ingest
(roles/)
Ingest HL7v2 messages received from a source network.
healthcare.datasets.get
healthcare.datasets.list
healthcare.
healthcare.hl7V2Stores.get
healthcare.hl7V2Stores.list
healthcare.locations.*
healthcare.operations.get
resourcemanager.projects.get
resourcemanager.projects.list
Healthcare HL7v2 Store Administrator
(roles/)
Administer HL7v2 Stores.
healthcare.datasets.get
healthcare.datasets.list
healthcare.hl7V2Stores.*
healthcare.locations.*
healthcare.operations.cancel
healthcare.operations.get
resourcemanager.projects.get
resourcemanager.projects.list
Healthcare HL7v2 Store Viewer
(roles/)
View HL7v2 Stores in a dataset.
healthcare.datasets.get
healthcare.datasets.list
healthcare.hl7V2Stores.get
healthcare.hl7V2Stores.list
healthcare.locations.*
healthcare.operations.get
resourcemanager.projects.get
resourcemanager.projects.list
Healthcare NLP Service Viewer
Beta
(roles/)
Extract and analyze medical entities from a given text.
healthcare.locations.*
healthcare.
resourcemanager.projects.get
resourcemanager.projects.list
Healthcare User Data Mapping Editor
(roles/)
Edit UserDataMapping objects.
healthcare.
healthcare.
healthcare.consentStores.get
healthcare.consentStores.list
healthcare.
healthcare.datasets.get
healthcare.datasets.list
healthcare.locations.*
healthcare.operations.get
healthcare.userDataMappings.*
resourcemanager.projects.get
resourcemanager.projects.list
Healthcare User Data Mapping Reader
(roles/)
Read UserDataMapping objects in a consent store.
healthcare.
healthcare.
healthcare.consentStores.get
healthcare.consentStores.list
healthcare.
healthcare.datasets.get
healthcare.datasets.list
healthcare.locations.*
healthcare.operations.get
healthcare.
healthcare.
resourcemanager.projects.get
resourcemanager.projects.list
Cloud Hub roles
Permissions
Cloud Hub Operator
Beta
(roles/)
Allows users to view and interact with Cloud Hub.
apphub.applications.get
apphub.applications.list
apphub.discoveredServices.get
apphub.discoveredServices.list
apphub.discoveredWorkloads.get
apphub.
apphub.locations.*
apphub.operations.get
apphub.operations.list
apphub.
apphub.services.get
apphub.services.list
apphub.workloads.get
apphub.workloads.list
capacityplanner.*
cloudasset.
cloudasset.assets.analyzeMove
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.assets.exportIapWeb
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.assets.listIamRoles
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.assets.listIapWeb
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.assets.listResource
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.assets.listTpuNodes
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudnotifications.
cloudquotas.quotas.get
cloudsupport.properties.get
cloudsupport.techCases.get
cloudsupport.techCases.list
compute.futureReservations.get
compute.
compute.reservations.get
compute.reservations.list
errorreporting.
errorreporting.
errorreporting.
errorreporting.groups.list
logging.buckets.get
logging.buckets.list
logging.exclusions.get
logging.exclusions.list
logging.links.get
logging.links.list
logging.locations.*
logging.logEntries.list
logging.logMetrics.get
logging.logMetrics.list
logging.logScopes.get
logging.logScopes.list
logging.logServiceIndexes.list
logging.logServices.list
logging.logs.list
logging.notificationRules.get
logging.notificationRules.list
logging.operations.get
logging.operations.list
logging.queries.getShared
logging.queries.listShared
logging.queries.usePrivate
logging.sinks.get
logging.sinks.list
logging.usage.get
logging.views.get
logging.views.list
maintenance.*
monitoring.alertPolicies.get
monitoring.alertPolicies.list
monitoring.
monitoring.
monitoring.dashboards.get
monitoring.dashboards.list
monitoring.groups.get
monitoring.groups.list
monitoring.
monitoring.
monitoring.
monitoring.
monitoring.
monitoring.
monitoring.services.get
monitoring.services.list
monitoring.slos.get
monitoring.slos.list
monitoring.snoozes.get
monitoring.snoozes.list
monitoring.timeSeries.list
monitoring.
monitoring.
observability.scopes.get
opsconfigmonitoring.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.costInsights.get
recommender.costInsights.list
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.locations.*
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
resourcemanager.folders.get
resourcemanager.
resourcemanager.projects.get
resourcemanager.projects.list
servicehealth.*
serviceusage.quotas.get
serviceusage.services.get
serviceusage.services.list
stackdriver.projects.get
stackdriver.
Cloud IAP roles
Permissions
IAP Policy Admin
(roles/)
Provides full access to Identity-Aware Proxy resources.
iap.tunnel.*
iap.
iap.
iap.
iap.
iap.tunnelLocations.*
iap.tunnelZones.*
iap.web.getIamPolicy
iap.web.setIamPolicy
iap.
iap.
iap.webServices.getIamPolicy
iap.webServices.setIamPolicy
iap.webTypes.getIamPolicy
iap.webTypes.setIamPolicy
IAP-secured Web App User
(roles/)
Provides permission to access HTTPS resources which use Identity-Aware Proxy.
iap.
(roles/)
Remediate IAP resource
iap.tunnelDestGroups.remediate
iap.tunnelinstances.remediate
iap.
IAP Settings Admin
(roles/)
Administrator of IAP Settings.
iap.projects.*
iap.web.getSettings
iap.web.updateSettings
iap.
iap.
iap.webServices.getSettings
iap.webServices.updateSettings
iap.webTypes.getSettings
iap.webTypes.updateSettings
IAP-secured Tunnel Destination Group Editor
(roles/)
Edit Tunnel Destination Group resources which use Identity-Aware Proxy
iap.tunnelDestGroups.create
iap.tunnelDestGroups.delete
iap.tunnelDestGroups.get
iap.tunnelDestGroups.list
iap.tunnelDestGroups.update
IAP-secured Tunnel Destination Group Viewer
(roles/)
View Tunnel Destination Group resources which use Identity-Aware Proxy
iap.tunnelDestGroups.get
iap.tunnelDestGroups.list
IAP-secured Tunnel User
(roles/)
Access Tunnel resources which use Identity-Aware Proxy
iap.
iap.
Cloud IDS roles
Permissions
Cloud IDS Admin
Beta
(roles/)
Full access to Cloud IDS all resources.
ids.*
resourcemanager.projects.get
resourcemanager.projects.list
Cloud IDS Viewer
Beta
(roles/)
Read-only access to Cloud IDS all resources.
ids.endpoints.get
ids.endpoints.getIamPolicy
ids.endpoints.list
ids.locations.*
ids.operations.get
ids.operations.list
resourcemanager.projects.get
resourcemanager.projects.list
Cloud KMS roles
Permissions
Cloud KMS Admin
(roles/)
Provides access to Cloud KMS resources, except for access to restricted resource types and cryptographic operations.
Lowest-level resources where you can grant this role:
cloudkms.autokeyConfigs.*
cloudkms.
cloudkms.
cloudkms.cryptoKeyVersions.get
cloudkms.
cloudkms.
cloudkms.
cloudkms.
cloudkms.
cloudkms.cryptoKeys.*
cloudkms.ekmConfigs.*
cloudkms.ekmConnections.*
cloudkms.importJobs.*
cloudkms.keyHandles.*
cloudkms.keyRings.*
cloudkms.locations.get
cloudkms.locations.list
cloudkms.
cloudkms.operations.get
cloudkms.
resourcemanager.projects.get
Cloud KMS Autokey Admin
(roles/)
Enables management of AutokeyConfig.
cloudkms.autokeyConfigs.*
cloudkms.
Cloud KMS Autokey User
(roles/)
Grants ability to use KeyHandle resources.
cloudkms.keyHandles.*
cloudkms.operations.get
cloudkms.
Cloud KMS CryptoKey Decrypter
(roles/)
Provides ability to use Cloud KMS resources for decrypt operations
only.
Lowest-level resources where you can grant this role:
cloudkms.
cloudkms.locations.get
cloudkms.locations.list
resourcemanager.projects.get
Cloud KMS CryptoKey Decrypter Via Delegation
(roles/)
Enables Decrypt operations via other Google Cloud services
Lowest-level resources where you can grant this role:
cloudkms.
cloudkms.locations.get
cloudkms.locations.list
resourcemanager.projects.get
resourcemanager.projects.list
Cloud KMS CryptoKey Encrypter
(roles/)
Provides ability to use Cloud KMS resources for encrypt operations
only.
Lowest-level resources where you can grant this role:
cloudkms.
cloudkms.locations.get
cloudkms.locations.list
resourcemanager.projects.get
Cloud KMS CryptoKey Encrypter/Decrypter
(roles/)
Provides ability to use Cloud KMS resources for encrypt and decrypt
operations only.
Lowest-level resources where you can grant this role:
cloudkms.
cloudkms.
cloudkms.locations.get
cloudkms.locations.list
resourcemanager.projects.get
Cloud KMS CryptoKey Encrypter/Decrypter Via Delegation
(roles/)
Enables Encrypt and Decrypt operations via other Google Cloud services
Lowest-level resources where you can grant this role:
cloudkms.
cloudkms.
cloudkms.locations.get
cloudkms.locations.list
resourcemanager.projects.get
resourcemanager.projects.list
Cloud KMS CryptoKey Encrypter Via Delegation
(roles/)
Enables Encrypt operations via other Google Cloud services
Lowest-level resources where you can grant this role:
cloudkms.
cloudkms.locations.get
cloudkms.locations.list
resourcemanager.projects.get
resourcemanager.projects.list
Cloud KMS Crypto Operator
(roles/)
Enables all Crypto Operations.
Lowest-level resources where you can grant this role:
cloudkms.
cloudkms.
cloudkms.
cloudkms.
cloudkms.
cloudkms.
cloudkms.locations.get
cloudkms.locations.list
resourcemanager.projects.get
Cloud KMS EkmConnections Admin
(roles/)
Enables management of EkmConnections.
cloudkms.ekmConfigs.get
cloudkms.ekmConfigs.update
cloudkms.ekmConnections.create
cloudkms.ekmConnections.get
cloudkms.ekmConnections.list
cloudkms.ekmConnections.update
cloudkms.
resourcemanager.projects.get
resourcemanager.projects.list
Cloud KMS Expert Raw AES-CBC Key Manager
(roles/)
Enables raw AES-CBC keys management.
Lowest-level resources where you can grant this role:
cloudkms.
cloudkms.locations.get
cloudkms.locations.list
resourcemanager.projects.get
resourcemanager.projects.list
Cloud KMS Expert Raw AES-CTR Key Manager
(roles/)
Enables raw AES-CTR keys management.
Lowest-level resources where you can grant this role:
cloudkms.
cloudkms.locations.get
cloudkms.locations.list
resourcemanager.projects.get
resourcemanager.projects.list
Cloud KMS Expert Raw PKCS#1 Key Manager
(roles/)
Enables raw PKCS#1 keys management.
Lowest-level resources where you can grant this role:
cloudkms.
cloudkms.locations.get
cloudkms.locations.list
resourcemanager.projects.get
resourcemanager.projects.list
Cloud KMS Importer
(roles/)
Enables ImportCryptoKeyVersion, CreateImportJob, ListImportJobs, and GetImportJob operations
cloudkms.importJobs.create
cloudkms.importJobs.get
cloudkms.importJobs.list
cloudkms.
cloudkms.locations.get
cloudkms.locations.list
resourcemanager.projects.get
Cloud KMS Protected Resources Viewer
(roles/)
Enables viewing protected resources.
cloudkms.
Cloud KMS CryptoKey Public Key Viewer
(roles/)
Enables GetPublicKey operations
Lowest-level resources where you can grant this role:
cloudkms.
cloudkms.locations.get
cloudkms.locations.list
resourcemanager.projects.get
Cloud KMS CryptoKey Signer
(roles/)
Enables Sign operations
Lowest-level resources where you can grant this role:
cloudkms.
cloudkms.locations.get
cloudkms.locations.list
resourcemanager.projects.get
Cloud KMS CryptoKey Signer/Verifier
(roles/)
Enables Sign, Verify, and GetPublicKey operations
Lowest-level resources where you can grant this role:
cloudkms.
cloudkms.
cloudkms.
cloudkms.locations.get
cloudkms.locations.list
resourcemanager.projects.get
Cloud KMS CryptoKey Verifier
(roles/)
Enables Verify and GetPublicKey operations
Lowest-level resources where you can grant this role:
cloudkms.
cloudkms.
cloudkms.locations.get
cloudkms.locations.list
resourcemanager.projects.get
Cloud KMS Viewer
(roles/)
Enables Get and List operations.
Lowest-level resources where you can grant this role:
cloudkms.autokeyConfigs.get
cloudkms.cryptoKeyVersions.get
cloudkms.
cloudkms.cryptoKeys.get
cloudkms.cryptoKeys.list
cloudkms.ekmConfigs.get
cloudkms.ekmConnections.get
cloudkms.ekmConnections.list
cloudkms.importJobs.get
cloudkms.importJobs.list
cloudkms.keyHandles.get
cloudkms.keyHandles.list
cloudkms.keyRings.get
cloudkms.keyRings.list
cloudkms.locations.get
cloudkms.locations.list
cloudkms.operations.get
resourcemanager.projects.get
Cloud Life Sciences roles
Permissions
Cloud Life Sciences Admin
Beta
(roles/)
Full control of Cloud Life Sciences resources.
lifesciences.*
Cloud Life Sciences Editor
Beta
(roles/)
Access to read and edit Cloud Life Sciences resources.
lifesciences.*
Cloud Life Sciences Viewer
Beta
(roles/)
Access to read Cloud Life Sciences resources.
lifesciences.operations.get
lifesciences.operations.list
resourcemanager.projects.get
resourcemanager.projects.list
Cloud Life Sciences Workflows Runner
Beta
(roles/)
Full access to operate on Cloud Life Sciences workflows.
lifesciences.*
Cloud Managed Identities roles
Permissions
Google Cloud Managed Identities Admin
(roles/)
Full access to Google Cloud Managed Identities Domains and related resources. Intended to be granted on a project-level.
managedidentities.*
resourcemanager.projects.get
resourcemanager.projects.list
Google Cloud Managed Identities Backup Admin
(roles/)
Full access to Google Cloud Managed Identities Backup and related resources. Intended to be granted on a project-level
managedidentities.backups.*
managedidentities.domains.get
managedidentities.locations.*
managedidentities.operations.*
resourcemanager.projects.get
resourcemanager.projects.list
Google Cloud Managed Identities Backup Viewer
(roles/)
Read-only access to Google Cloud Managed Identities Backup and related resources.
managedidentities.backups.get
managedidentities.
managedidentities.backups.list
managedidentities.domains.get
managedidentities.locations.*
managedidentities.
managedidentities.
resourcemanager.projects.get
resourcemanager.projects.list
Google Cloud Managed Identities Domain Admin
(roles/)
Read-Update-Delete to Google Cloud Managed Identities Domains and related resources. Intended to be granted on a resource (domain) level.
managedidentities.backups.*
managedidentities.
managedidentities.
managedidentities.
managedidentities.
managedidentities.
managedidentities.
managedidentities.
managedidentities.
managedidentities.
managedidentities.
managedidentities.domains.get
managedidentities.
managedidentities.
managedidentities.
managedidentities.
managedidentities.
managedidentities.
managedidentities.
managedidentities.
managedidentities.
managedidentities.locations.*
managedidentities.
managedidentities.
managedidentities.
resourcemanager.projects.get
resourcemanager.projects.list
Google Cloud Managed Identities Domain Join
Beta
(roles/)
Access to domain join VMs with Cloud AD
managedidentities.
managedidentities.domains.get
Google Cloud Managed Identities Peering Admin
(roles/)
Full access to Google Cloud Managed Identities Domains and related resources. Intended to be granted on a project-level
managedidentities.locations.*
managedidentities.operations.*
managedidentities.peerings.*
resourcemanager.projects.get
resourcemanager.projects.list
Google Cloud Managed Identities Peering Viewer
(roles/)
Read-only access to Google Cloud Managed Identities Peering and related resources.
managedidentities.locations.*
managedidentities.
managedidentities.
managedidentities.peerings.get
managedidentities.
managedidentities.
resourcemanager.projects.get
resourcemanager.projects.list
Google Cloud Managed Identities Viewer
(roles/)
Read-only access to Google Cloud Managed Identities Domains and related resources.
managedidentities.backups.get
managedidentities.
managedidentities.backups.list
managedidentities.domains.get
managedidentities.
managedidentities.domains.list
managedidentities.
managedidentities.
managedidentities.locations.*
managedidentities.
managedidentities.
managedidentities.peerings.get
managedidentities.
managedidentities.
managedidentities.
resourcemanager.projects.get
resourcemanager.projects.list
Cloud Marketplace roles
Permissions
Commerce Business Enablement Configuration Admin
Beta
(roles/)
Admin of Various Provider Configuration resources
commercebusinessenablement.
commercebusinessenablement.
commercebusinessenablement.
commercebusinessenablement.
commercebusinessenablement.
resourcemanager.
resourcemanager.projects.get
resourcemanager.projects.list
Commerce Business Enablement PaymentConfig Admin
Beta
(roles/)
Administration of Payment Configuration resource
commercebusinessenablement.
commercebusinessenablement.
resourcemanager.projects.get
resourcemanager.projects.list
Commerce Business Enablement PaymentConfig Viewer
Beta
(roles/)
Viewer of Payment Configuration resource
commercebusinessenablement.
commercebusinessenablement.
resourcemanager.projects.get
resourcemanager.projects.list
Commerce Business Enablement Rebates Admin
Beta
(roles/)
Provides admin access to rebates
commercebusinessenablement.
commercebusinessenablement.
commercebusinessenablement.
Commerce Business Enablement Rebates Viewer
Beta
(roles/)
Provides read-only access to rebates
commercebusinessenablement.
commercebusinessenablement.
commercebusinessenablement.
commercebusinessenablement.
commercebusinessenablement.
Commerce Business Enablement Reseller Discount Admin
Beta
(roles/)
Provides admin access to reseller discount offers
commercebusinessenablement.
commercebusinessenablement.
commercebusinessenablement.
commercebusinessenablement.
commercebusinessenablement.
commercebusinessenablement.
resourcemanager.
resourcemanager.projects.get
resourcemanager.projects.list
Commerce Business Enablement Reseller Discount Viewer
Beta
(roles/)
Provides read-only access to reseller discount offers
commercebusinessenablement.
commercebusinessenablement.
commercebusinessenablement.
commercebusinessenablement.
commercebusinessenablement.
commercebusinessenablement.
commercebusinessenablement.
resourcemanager.
resourcemanager.projects.get
resourcemanager.projects.list
Commerce Business Enablement Configuration Viewer
Beta
(roles/)
Viewer of Various Provider Configuration resource
commercebusinessenablement.
commercebusinessenablement.
commercebusinessenablement.
commercebusinessenablement.
commercebusinessenablement.
resourcemanager.
resourcemanager.projects.get
resourcemanager.projects.list
Commerce Offer Catalog Offers Viewer
Beta
(roles/)
Allows viewing offers
commerceoffercatalog.*
Commerce Organization Governance Admin
Beta
(roles/)
Full access to Organization Governance APIs
commerceorggovernance.*
consumerprocurement.
resourcemanager.projects.get
resourcemanager.projects.list
Governed Marketplace User
Beta
(roles/)
Full access to Governed Marketplace features.
commerceorggovernance.
consumerprocurement.
resourcemanager.projects.get
resourcemanager.projects.list
Commerce Organization Governance Viewer
Beta
(roles/)
Full access to Organization Governance read-only APIs.
commerceorggovernance.
commerceorggovernance.
commerceorggovernance.
commerceorggovernance.
commerceorggovernance.
commerceorggovernance.
commerceorggovernance.
consumerprocurement.
resourcemanager.projects.get
resourcemanager.projects.list
Commerce Price Management Events Viewer
Beta
(roles/)
Allows viewing key events for an offer
commerceprice.events.*
resourcemanager.projects.get
resourcemanager.projects.list
Commerce Price Management Private Offers Admin
Beta
(roles/)
Allows managing private offers
commerceagreementpublishing.*
commerceprice.*
resourcemanager.projects.get
resourcemanager.projects.list
serviceusage.services.get
serviceusage.services.list
Commerce Price Management Viewer
Beta
(roles/)
Allows viewing offers, free trials, skus
commerceagreementpublishing.
commerceagreementpublishing.
commerceagreementpublishing.
commerceagreementpublishing.
commerceprice.
commerceprice.
resourcemanager.projects.get
resourcemanager.projects.list
serviceusage.services.get
serviceusage.services.list
Commerce Producer Admin
Beta
(roles/)
Grants full access to all resources in Cloud Commerce Producer API.
commercebusinessenablement.
resourcemanager.projects.get
resourcemanager.projects.list
Commerce Producer Viewer
Beta
(roles/)
Grants read access to all resources in Cloud Commerce Producer API.
commercebusinessenablement.
resourcemanager.projects.get
resourcemanager.projects.list
Consumer Procurement Entitlement Manager
(roles/)
Allows managing entitlements and enabling, disabling, and inspecting service states for a consumer
project.
commerceoffercatalog.
consumerprocurement.
consumerprocurement.
consumerprocurement.
consumerprocurement.
consumerprocurement.
consumerprocurement.
orgpolicy.policy.get
resourcemanager.projects.get
resourcemanager.projects.list
serviceusage.services.disable
serviceusage.services.enable
serviceusage.services.get
serviceusage.services.list
Consumer Procurement Entitlement Viewer
(roles/)
Allows inspecting entitlements and service states for a consumer project.
commerceoffercatalog.
consumerprocurement.
consumerprocurement.
consumerprocurement.
consumerprocurement.
consumerprocurement.
orgpolicy.policy.get
resourcemanager.projects.get
resourcemanager.projects.list
serviceusage.services.get
serviceusage.services.list
Consumer Procurement Events Viewer
(roles/)
Allows viewing key events for an offer
consumerprocurement.events.*
Consumer Procurement License Pool Editor
(roles/)
Allows managing license pools and license assignments.
consumerprocurement.
Consumer Procurement License Pool Viewer
(roles/)
Allows viewing license pools and license assignments.
consumerprocurement.
consumerprocurement.
Consumer Procurement Order Administrator
(roles/)
Allows managing purchases.
billing.accounts.get
billing.accounts.getIamPolicy
billing.accounts.list
billing.
billing.credits.list
billing.
commerceoffercatalog.*
consumerprocurement.accounts.*
consumerprocurement.
consumerprocurement.
consumerprocurement.
consumerprocurement.
consumerprocurement.events.*
consumerprocurement.
consumerprocurement.
consumerprocurement.orders.*
Consumer Procurement Order Viewer
(roles/)
Allows inspecting purchases.
billing.accounts.get
billing.accounts.getIamPolicy
billing.accounts.list
billing.credits.list
commerceoffercatalog.*
consumerprocurement.
consumerprocurement.
consumerprocurement.
consumerprocurement.
consumerprocurement.
consumerprocurement.
consumerprocurement.
consumerprocurement.
consumerprocurement.orders.get
consumerprocurement.
Consumer Procurement Administrator
(roles/)
Allows managing purchases, consents at both billing account and project level.
billing.accounts.get
billing.accounts.getIamPolicy
billing.accounts.list
billing.
billing.credits.list
billing.
commerceoffercatalog.*
consumerprocurement.*
orgpolicy.policy.get
resourcemanager.projects.get
resourcemanager.projects.list
serviceusage.services.disable
serviceusage.services.enable
serviceusage.services.get
serviceusage.services.list
Consumer Procurement Viewer
(roles/)
Allows inspecting purchases, consents and entitlements and service states for a consumer project.
billing.accounts.get
billing.accounts.getIamPolicy
billing.accounts.list
billing.credits.list
commerceoffercatalog.*
consumerprocurement.
consumerprocurement.
consumerprocurement.
consumerprocurement.
consumerprocurement.
consumerprocurement.
consumerprocurement.
consumerprocurement.
consumerprocurement.
consumerprocurement.
consumerprocurement.
consumerprocurement.orders.get
consumerprocurement.
orgpolicy.policy.get
resourcemanager.projects.get
resourcemanager.projects.list
serviceusage.services.get
serviceusage.services.list
Cloud Migration roles
Permissions
Velostrata Manager
Beta
(roles/)
Ability to create and manage Compute VMs to run Velostrata Infrastructure
cloudmigration.
compute.addresses.create
compute.
compute.addresses.delete
compute.
compute.addresses.get
compute.addresses.list
compute.addresses.setLabels
compute.addresses.use
compute.addresses.useInternal
compute.diskTypes.*
compute.disks.create
compute.disks.createSnapshot
compute.disks.delete
compute.disks.get
compute.disks.list
compute.disks.setLabels
compute.disks.update
compute.disks.use
compute.disks.useReadOnly
compute.globalOperations.get
compute.images.get
compute.images.list
compute.images.useReadOnly
compute.instances.attachDisk
compute.instances.create
compute.instances.delete
compute.instances.detachDisk
compute.instances.get
compute.
compute.instances.list
compute.instances.reset
compute.
compute.instances.setLabels
compute.
compute.instances.setMetadata
compute.
compute.
compute.
compute.instances.setTags
compute.instances.start
compute.
compute.instances.stop
compute.instances.update
compute.
compute.
compute.instances.use
compute.licenseCodes.get
compute.licenseCodes.list
compute.licenseCodes.update
compute.licenses.get
compute.licenses.list
compute.machineTypes.*
compute.networks.get
compute.networks.list
compute.networks.use
compute.networks.useExternalIp
compute.nodeGroups.get
compute.nodeGroups.list
compute.nodeTemplates.list
compute.projects.get
compute.regionOperations.get
compute.regions.*
compute.snapshots.create
compute.snapshots.delete
compute.snapshots.get
compute.snapshots.setLabels
compute.snapshots.useReadOnly
compute.subnetworks.get
compute.subnetworks.list
compute.subnetworks.use
compute.
compute.zoneOperations.get
compute.zones.*
gkehub.endpoints.connect
iam.serviceAccounts.get
iam.serviceAccounts.list
resourcemanager.projects.get
storage.buckets.create
storage.buckets.delete
storage.buckets.get
storage.buckets.list
storage.buckets.update
Velostrata Storage Access
Beta
(roles/)
Ability to access migration storage
storage.objects.create
storage.objects.delete
storage.objects.get
storage.objects.list
storage.objects.update
Velostrata Manager Connection Agent
Beta
(roles/)
Ability to set up connection between Velostrata Manager and Google
cloudmigration.
gkehub.endpoints.connect
VM Migration Administrator
Beta
(roles/)
Ability to view and edit all VM Migration objects
resourcemanager.projects.get
resourcemanager.projects.list
vmmigration.*
VM Migration Viewer
Beta
(roles/)
Ability to view all VM Migration objects
resourcemanager.projects.get
resourcemanager.projects.list
vmmigration.cloneJobs.get
vmmigration.cloneJobs.list
vmmigration.cutoverJobs.get
vmmigration.cutoverJobs.list
vmmigration.
vmmigration.
vmmigration.deployments.get
vmmigration.deployments.list
vmmigration.groups.get
vmmigration.groups.list
vmmigration.locations.*
vmmigration.migratingVms.get
vmmigration.migratingVms.list
vmmigration.operations.get
vmmigration.operations.list
vmmigration.
vmmigration.sources.get
vmmigration.sources.list
vmmigration.targets.get
vmmigration.targets.list
vmmigration.
vmmigration.
Cloud Private Catalog roles
Permissions
Catalog Consumer
Beta
(roles/)
Can browse catalogs in the target resource context.
cloudprivatecatalog.
resourcemanager.projects.get
resourcemanager.projects.list
Catalog Admin
Beta
(roles/)
Can manage catalog and view its associations.
cloudprivatecatalog.
cloudprivatecatalogproducer.
cloudprivatecatalogproducer.
cloudprivatecatalogproducer.
cloudprivatecatalogproducer.
cloudprivatecatalogproducer.
cloudprivatecatalogproducer.
resourcemanager.folders.get
resourcemanager.folders.list
resourcemanager.
resourcemanager.projects.get
resourcemanager.projects.list
Catalog Manager
Beta
(roles/)
Can manage associations between a catalog and a target resource.
cloudprivatecatalog.
cloudprivatecatalogproducer.
cloudprivatecatalogproducer.
cloudprivatecatalogproducer.
cloudprivatecatalogproducer.
cloudprivatecatalogproducer.
cloudprivatecatalogproducer.
cloudprivatecatalogproducer.
resourcemanager.folders.get
resourcemanager.folders.list
resourcemanager.
resourcemanager.projects.get
resourcemanager.projects.list
Catalog Org Admin
Beta
(roles/)
Can manage catalog org settings.
cloudprivatecatalog.
cloudprivatecatalogproducer.*
commerceorggovernance.
resourcemanager.folders.get
resourcemanager.folders.list
resourcemanager.
resourcemanager.projects.get
resourcemanager.projects.list
Cloud Profiler roles
Permissions
Cloud Profiler Agent
(roles/)
Cloud Profiler agents are allowed to register and provide the profiling data.
cloudprofiler.profiles.create
cloudprofiler.profiles.update
Cloud Profiler User
(roles/)
Cloud Profiler users are allowed to query and view the profiling data.
cloudprofiler.profiles.list
resourcemanager.projects.get
resourcemanager.projects.list
serviceusage.quotas.get
serviceusage.services.get
serviceusage.services.list
Cloud Run roles
Permissions
Cloud Run Admin
(roles/)
Full control over all Cloud Run resources.
Lowest-level resources where you can grant this role:
Cloud Run service
Cloud Run job
recommender.locations.*
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
resourcemanager.projects.get
resourcemanager.projects.list
run.*
Cloud Run Builder
Beta
(roles/)
Can build Cloud Run functions and source deployed services.
artifactregistry.
artifactregistry.
artifactregistry.
logging.logEntries.create
source.repos.get
storage.objects.get
Cloud Run Developer
(roles/)
Read and write access to all Cloud Run resources.
Lowest-level resources where you can grant this role:
Cloud Run service
Cloud Run job
recommender.locations.*
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
resourcemanager.projects.get
resourcemanager.projects.list
run.configurations.*
run.executions.*
run.jobs.create
run.jobs.delete
run.jobs.get
run.jobs.getIamPolicy
run.jobs.list
run.jobs.listEffectiveTags
run.jobs.listTagBindings
run.jobs.run
run.jobs.runWithOverrides
run.jobs.update
run.locations.list
run.operations.*
run.revisions.*
run.routes.*
run.services.create
run.services.delete
run.services.get
run.services.getIamPolicy
run.services.list
run.services.listEffectiveTags
run.services.listTagBindings
run.services.update
run.tasks.*
Cloud Run Invoker
(roles/)
Can invoke Cloud Run services and execute Cloud Run jobs.
Lowest-level resources where you can grant this role:
Cloud Run service
Cloud Run job
run.jobs.run
run.routes.invoke
Cloud Run Jobs Executor
(roles/)
Can execute and cancel Cloud Run jobs.
run.executions.cancel
run.jobs.run
Cloud Run Jobs Executor With Overrides
(roles/)
Can execute and cancel Cloud Run jobs with overrides.
run.executions.cancel
run.jobs.run
run.jobs.runWithOverrides
Cloud Run Service Invoker
(roles/)
Can invoke Cloud Run services.
run.routes.invoke
Cloud Run Source Developer
Beta
(roles/)
Deploy and manage Cloud Run source deployed resources.
artifactregistry.
artifactregistry.
artifactregistry.
artifactregistry.
artifactregistry.files.get
artifactregistry.files.list
artifactregistry.locations.*
artifactregistry.
artifactregistry.npmpackages.*
artifactregistry.packages.get
artifactregistry.packages.list
artifactregistry.
artifactregistry.
artifactregistry.
artifactregistry.
artifactregistry.
artifactregistry.
artifactregistry.
artifactregistry.
artifactregistry.
artifactregistry.rules.get
artifactregistry.rules.list
artifactregistry.tags.get
artifactregistry.tags.list
artifactregistry.versions.get
artifactregistry.versions.list
cloudbuild.builds.create
cloudbuild.builds.get
cloudbuild.builds.list
cloudbuild.builds.update
cloudbuild.locations.*
cloudbuild.operations.*
eventarc.
eventarc.
eventarc.
eventarc.
eventarc.
eventarc.
eventarc.channels.attach
eventarc.channels.create
eventarc.channels.delete
eventarc.channels.get
eventarc.channels.getIamPolicy
eventarc.channels.list
eventarc.channels.publish
eventarc.channels.undelete
eventarc.channels.update
eventarc.enrollments.create
eventarc.enrollments.delete
eventarc.enrollments.get
eventarc.
eventarc.enrollments.list
eventarc.enrollments.update
eventarc.
eventarc.
eventarc.googleApiSources.get
eventarc.
eventarc.googleApiSources.list
eventarc.
eventarc.
eventarc.kafkaSources.create
eventarc.kafkaSources.delete
eventarc.kafkaSources.get
eventarc.
eventarc.kafkaSources.list
eventarc.locations.*
eventarc.operations.*
eventarc.pipelines.create
eventarc.pipelines.delete
eventarc.pipelines.get
eventarc.
eventarc.pipelines.list
eventarc.pipelines.update
eventarc.providers.*
eventarc.triggers.create
eventarc.triggers.delete
eventarc.triggers.get
eventarc.triggers.getIamPolicy
eventarc.triggers.list
eventarc.triggers.undelete
eventarc.triggers.update
orgpolicy.policy.get
pubsub.schemas.attach
pubsub.schemas.commit
pubsub.schemas.create
pubsub.schemas.delete
pubsub.schemas.get
pubsub.schemas.list
pubsub.schemas.listRevisions
pubsub.schemas.rollback
pubsub.schemas.validate
pubsub.snapshots.create
pubsub.snapshots.delete
pubsub.snapshots.get
pubsub.snapshots.list
pubsub.snapshots.seek
pubsub.snapshots.update
pubsub.subscriptions.consume
pubsub.subscriptions.create
pubsub.subscriptions.delete
pubsub.subscriptions.get
pubsub.subscriptions.list
pubsub.subscriptions.update
pubsub.
pubsub.topics.create
pubsub.topics.delete
pubsub.
pubsub.topics.get
pubsub.topics.list
pubsub.topics.publish
pubsub.topics.update
pubsub.topics.updateTag
recommender.locations.*
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
remotebuildexecution.blobs.get
resourcemanager.projects.get
resourcemanager.projects.list
run.configurations.*
run.executions.*
run.jobs.create
run.jobs.delete
run.jobs.get
run.jobs.getIamPolicy
run.jobs.list
run.jobs.listEffectiveTags
run.jobs.listTagBindings
run.jobs.run
run.jobs.runWithOverrides
run.jobs.update
run.locations.list
run.operations.*
run.revisions.*
run.routes.*
run.services.create
run.services.delete
run.services.get
run.services.getIamPolicy
run.services.list
run.services.listEffectiveTags
run.services.listTagBindings
run.services.update
run.tasks.*
serviceusage.quotas.get
serviceusage.services.get
serviceusage.services.list
serviceusage.services.use
storage.buckets.create
storage.buckets.get
storage.buckets.list
storage.folders.create
storage.folders.get
storage.folders.list
storage.managedFolders.create
storage.managedFolders.get
storage.managedFolders.list
storage.multipartUploads.abort
storage.
storage.
storage.objects.create
storage.objects.get
storage.objects.list
Cloud Run Source Viewer
Beta
(roles/)
View Cloud Run source deployed resources.
artifactregistry.
artifactregistry.
cloudbuild.builds.get
cloudbuild.builds.list
cloudbuild.locations.*
cloudbuild.operations.*
eventarc.
eventarc.
eventarc.
eventarc.channels.get
eventarc.channels.getIamPolicy
eventarc.channels.list
eventarc.enrollments.get
eventarc.
eventarc.enrollments.list
eventarc.googleApiSources.get
eventarc.
eventarc.googleApiSources.list
eventarc.
eventarc.kafkaSources.get
eventarc.
eventarc.kafkaSources.list
eventarc.locations.*
eventarc.messageBuses.get
eventarc.
eventarc.messageBuses.list
eventarc.messageBuses.use
eventarc.operations.get
eventarc.operations.list
eventarc.pipelines.get
eventarc.
eventarc.pipelines.list
eventarc.providers.*
eventarc.triggers.get
eventarc.triggers.getIamPolicy
eventarc.triggers.list
pubsub.schemas.get
pubsub.schemas.list
pubsub.schemas.listRevisions
pubsub.schemas.validate
pubsub.snapshots.get
pubsub.snapshots.list
pubsub.subscriptions.get
pubsub.subscriptions.list
pubsub.topics.get
pubsub.topics.list
recommender.locations.*
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
remotebuildexecution.blobs.get
resourcemanager.projects.get
resourcemanager.projects.list
run.configurations.*
run.executions.get
run.executions.list
run.jobs.get
run.jobs.getIamPolicy
run.jobs.list
run.jobs.listEffectiveTags
run.jobs.listTagBindings
run.locations.list
run.operations.get
run.operations.list
run.revisions.get
run.revisions.list
run.routes.get
run.routes.list
run.services.get
run.services.getIamPolicy
run.services.list
run.services.listEffectiveTags
run.services.listTagBindings
run.tasks.*
serviceusage.quotas.get
serviceusage.services.get
serviceusage.services.list
storage.folders.get
storage.folders.list
storage.managedFolders.get
storage.managedFolders.list
storage.objects.get
storage.objects.list
Cloud Run Viewer
(roles/)
Can view the state of all Cloud Run resources, including IAM policies.
Lowest-level resources where you can grant this role:
Cloud Run service
Cloud Run job
recommender.locations.*
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
resourcemanager.projects.get
resourcemanager.projects.list
run.configurations.*
run.executions.get
run.executions.list
run.jobs.get
run.jobs.getIamPolicy
run.jobs.list
run.jobs.listEffectiveTags
run.jobs.listTagBindings
run.locations.list
run.operations.get
run.operations.list
run.revisions.get
run.revisions.list
run.routes.get
run.routes.list
run.services.get
run.services.getIamPolicy
run.services.list
run.services.listEffectiveTags
run.services.listTagBindings
run.tasks.*
Cloud Scheduler roles
Permissions
Cloud Scheduler Admin
(roles/)
Full access to jobs and executions.
Note that a Cloud Scheduler Admin (or any custom role with the permission
cloudscheduler.jobs.create) can create jobs that publish to any Pub/Sub topics within the
project.
appengine.applications.get
cloudscheduler.*
resourcemanager.projects.get
resourcemanager.projects.list
serviceusage.services.get
serviceusage.services.list
Cloud Scheduler Job Runner
(roles/)
Access to run jobs.
appengine.applications.get
cloudscheduler.jobs.fullView
cloudscheduler.jobs.run
resourcemanager.projects.get
resourcemanager.projects.list
serviceusage.services.get
serviceusage.services.list
Cloud Scheduler Viewer
(roles/)
Get and list access to jobs, executions, and locations.
appengine.applications.get
cloudscheduler.jobs.fullView
cloudscheduler.jobs.get
cloudscheduler.jobs.list
cloudscheduler.locations.*
resourcemanager.projects.get
resourcemanager.projects.list
serviceusage.services.get
serviceusage.services.list
Cloud Security Scanner roles
Permissions
Web Security Scanner Editor
(roles/)
Full access to all Web Security Scanner resources
Lowest-level resources where you can grant this role:
appengine.applications.get
cloudsecurityscanner.*
compute.addresses.list
resourcemanager.projects.get
resourcemanager.projects.list
serviceusage.quotas.get
serviceusage.services.get
serviceusage.services.list
Web Security Scanner Runner
(roles/)
Read access to Scan and ScanRun, plus the ability to start scans
Lowest-level resources where you can grant this role:
cloudsecurityscanner.
cloudsecurityscanner.
cloudsecurityscanner.
cloudsecurityscanner.
cloudsecurityscanner.scans.get
cloudsecurityscanner.
cloudsecurityscanner.scans.run
Web Security Scanner Viewer
(roles/)
Read access to all Web Security Scanner resources
Lowest-level resources where you can grant this role:
cloudsecurityscanner.
cloudsecurityscanner.results.*
cloudsecurityscanner.
cloudsecurityscanner.
cloudsecurityscanner.
cloudsecurityscanner.scans.get
cloudsecurityscanner.
serviceusage.quotas.get
serviceusage.services.get
serviceusage.services.list
Cloud Services roles
Permissions
Service Broker Admin
(roles/)
Full access to ServiceBroker resources.
servicebroker.*
Service Broker Operator
(roles/)
Operational access to the ServiceBroker resources.
servicebroker.
servicebroker.bindings.create
servicebroker.bindings.delete
servicebroker.bindings.get
servicebroker.bindings.list
servicebroker.catalogs.create
servicebroker.catalogs.delete
servicebroker.catalogs.get
servicebroker.catalogs.list
servicebroker.
servicebroker.instances.create
servicebroker.instances.delete
servicebroker.instances.get
servicebroker.instances.list
servicebroker.instances.update
Cloud Spanner roles
Permissions
Cloud Spanner Admin
(roles/)
Has complete access to all Spanner
resources in a Google Cloud project. A principal with this role can:
Grant and revoke permissions to other principals for all Spanner resources in the project.
Allocate and delete chargeable Spanner resources.
Issue get/list/modify operations on Cloud Spanner resources.
Read from and write to all Cloud Spanner databases in the project.
Fetch project metadata.
Lowest-level resources where you can grant this role:
cloudkms.keyHandles.*
cloudkms.operations.get
cloudkms.
monitoring.timeSeries.*
resourcemanager.projects.get
resourcemanager.projects.list
spanner.*
Cloud Spanner Backup Admin
(roles/)
A principal with this role can:
Create, view, update, and delete backups.
View and manage a backup's allow policy.
This role cannot restore a database from a backup.
Lowest-level resources where you can grant this role:
monitoring.timeSeries.list
resourcemanager.projects.get
resourcemanager.projects.list
spanner.backupOperations.*
spanner.backupSchedules.create
spanner.backupSchedules.delete
spanner.backupSchedules.get
spanner.backupSchedules.list
spanner.backupSchedules.update
spanner.backups.copy
spanner.backups.create
spanner.backups.delete
spanner.backups.get
spanner.backups.getIamPolicy
spanner.backups.list
spanner.backups.setIamPolicy
spanner.backups.update
spanner.databases.createBackup
spanner.databases.get
spanner.databases.list
spanner.instancePartitions.get
spanner.
spanner.
spanner.
spanner.instances.get
spanner.instances.list
spanner.
spanner.
Cloud Spanner Backup Writer
(roles/)
This role is intended to be used by scripts that automate backup creation.
A principal with this role can create backups, but cannot update or delete them.
Lowest-level resources where you can grant this role:
spanner.backupOperations.get
spanner.backupOperations.list
spanner.backupSchedules.create
spanner.backupSchedules.get
spanner.backupSchedules.list
spanner.backups.copy
spanner.backups.create
spanner.backups.get
spanner.backups.list
spanner.databases.createBackup
spanner.databases.get
spanner.databases.list
spanner.instancePartitions.get
spanner.instances.get
Cloud Spanner Database Admin
(roles/)
A principal with this role can:
Get/list all Spanner instances in the project.
Create/list/drop databases in an instance.
Grant/revoke access to databases in the project.
Read from and write to all Cloud Spanner databases in the project.
Lowest-level resources where you can grant this role:
cloudkms.keyHandles.*
cloudkms.operations.get
cloudkms.
monitoring.timeSeries.*
resourcemanager.projects.get
resourcemanager.projects.list
spanner.databaseOperations.*
spanner.databaseRoles.list
spanner.databases.adapt
spanner.
spanner.
spanner.
spanner.
spanner.databases.changequorum
spanner.databases.create
spanner.databases.drop
spanner.databases.get
spanner.databases.getDdl
spanner.databases.getIamPolicy
spanner.databases.list
spanner.
spanner.
spanner.databases.read
spanner.databases.select
spanner.databases.setIamPolicy
spanner.databases.update
spanner.databases.updateDdl
spanner.databases.useDataBoost
spanner.
spanner.databases.write
spanner.instancePartitions.get
spanner.
spanner.
spanner.
spanner.instances.get
spanner.instances.getIamPolicy
spanner.instances.list
spanner.
spanner.
spanner.sessions.*
Cloud Spanner Database Reader
(roles/)
A principal with this role can:
Read from the Spanner database.
Execute SQL queries on the database.
View schema for the database.
Lowest-level resources where you can grant this role:
monitoring.timeSeries.create
spanner.
spanner.databases.getDdl
spanner.
spanner.
spanner.databases.read
spanner.databases.select
spanner.instancePartitions.get
spanner.instances.get
spanner.sessions.*
Cloud Spanner Database Reader with DataBoost
(roles/)
Includes all permissions in the spanner.databaseReader role enabling access to read and/or query a Cloud Spanner database using instance resources, as well as the permission to access the database with Data Boost, a fully managed serverless service that provides independent compute resources.
Lowest-level resources where you can grant this role:
monitoring.timeSeries.create
spanner.
spanner.databases.getDdl
spanner.
spanner.
spanner.databases.read
spanner.databases.select
spanner.databases.useDataBoost
spanner.instancePartitions.get
spanner.instances.get
spanner.sessions.*
Cloud Spanner Database Role User
(roles/)
In conjunction with the IAM role Cloud Spanner Fine-grained Access User, grants permissions to individual Spanner database roles. Add a condition for each desired Spanner database role that includes the resource type of `spanner.googleapis.com/DatabaseRole` and the resource name ending with `/YOUR_SPANNER_DATABASE_ROLE`.
Lowest-level resources where you can grant this role:
Cloud Spanner Database User
(roles/)
A principal with this role can:
Read from and write to the Spanner database.
Execute SQL queries on the database, including DML and Partitioned DML.
View and update schema for the database.
Lowest-level resources where you can grant this role:
monitoring.timeSeries.create
spanner.databaseOperations.*
spanner.databases.adapt
spanner.
spanner.
spanner.
spanner.databases.changequorum
spanner.databases.getDdl
spanner.
spanner.
spanner.databases.read
spanner.databases.select
spanner.databases.updateDdl
spanner.databases.write
spanner.instancePartitions.get
spanner.instances.get
spanner.sessions.*
Cloud Spanner Fine-grained Access User
(roles/)
Grants permissions to use Spanner's fine-grained access control framework. To grant access to specific database roles, also add the `roles/spanner.databaseRoleUser` IAM role and its necessary conditions.
Lowest-level resources where you can grant this role:
spanner.databaseRoles.list
spanner.
Cloud Spanner Restore Admin
(roles/)
A principal with this role can restore databases from backups.
If you need to restore a backup to a different instance, apply this
role at the project level or to both instances. This role cannot create backups.
Lowest-level resources where you can grant this role:
monitoring.timeSeries.list
resourcemanager.projects.get
resourcemanager.projects.list
spanner.backups.get
spanner.backups.list
spanner.
spanner.databaseOperations.*
spanner.databases.create
spanner.databases.get
spanner.databases.list
spanner.instancePartitions.get
spanner.
spanner.
spanner.
spanner.instances.get
spanner.instances.list
spanner.
spanner.
Cloud Spanner Viewer
(roles/)
A principal with this role can:
View all Spanner instances (but cannot modify instances).
View all Spanner databases (but cannot modify or read from databases).
For example, you can combine this role with the roles/spanner.databaseUser role to
grant a user with access to a specific database, but only view access to other instances and
databases.
This role is recommended at the Google Cloud project level for users interacting with Cloud
Spanner resources in the Google Cloud console.
Lowest-level resources where you can grant this role:
monitoring.timeSeries.list
resourcemanager.projects.get
resourcemanager.projects.list
spanner.databases.list
spanner.instanceConfigs.get
spanner.instanceConfigs.list
spanner.instancePartitions.get
spanner.
spanner.instances.get
spanner.instances.list
spanner.
spanner.
Cloud SQL roles
Permissions
Cloud SQL Admin
(roles/)
Provides full control of Cloud SQL resources.
Lowest-level resources where you can grant this role:
cloudaicompanion.companions.*
cloudaicompanion.
cloudaicompanion.
cloudaicompanion.
cloudkms.keyHandles.*
cloudkms.operations.get
cloudkms.
cloudsql.*
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
resourcemanager.projects.get
resourcemanager.projects.list
serviceusage.quotas.get
serviceusage.services.get
serviceusage.services.list
Cloud SQL Client
(roles/)
Provides connectivity access to Cloud SQL instances.
Lowest-level resources where you can grant this role:
cloudsql.instances.connect
cloudsql.instances.get
Cloud SQL Editor
(roles/)
Provides full control of existing Cloud SQL instances excluding
modifying users, SSL certificates or deleting resources.
Lowest-level resources where you can grant this role:
cloudaicompanion.
cloudsql.backupRuns.create
cloudsql.backupRuns.export
cloudsql.backupRuns.get
cloudsql.backupRuns.list
cloudsql.backupRuns.update
cloudsql.databases.create
cloudsql.databases.get
cloudsql.databases.list
cloudsql.databases.update
cloudsql.instances.addServerCa
cloudsql.
cloudsql.instances.connect
cloudsql.instances.export
cloudsql.instances.failover
cloudsql.instances.get
cloudsql.
cloudsql.instances.list
cloudsql.
cloudsql.
cloudsql.
cloudsql.
cloudsql.instances.migrate
cloudsql.
cloudsql.instances.reencrypt
cloudsql.
cloudsql.instances.restart
cloudsql.
cloudsql.
cloudsql.instances.truncateLog
cloudsql.instances.update
cloudsql.schemas.view
cloudsql.sslCerts.get
cloudsql.sslCerts.list
cloudsql.users.get
cloudsql.users.list
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
resourcemanager.projects.get
resourcemanager.projects.list
serviceusage.quotas.get
serviceusage.services.get
serviceusage.services.list
Cloud SQL Instance User
(roles/)
Role allowing access to a Cloud SQL instance
cloudsql.instances.get
cloudsql.instances.login
Cloud SQL Schema Viewer
(roles/)
Role allowing access to the Cloud SQL instance schema on Dataplex
cloudsql.schemas.view
Cloud SQL Studio User
(roles/)
Role allowing access to Cloud SQL Studio
cloudaicompanion.companions.*
cloudaicompanion.
cloudaicompanion.
cloudsql.databases.list
cloudsql.instances.executeSql
cloudsql.instances.get
cloudsql.instances.login
cloudsql.users.list
Cloud SQL Viewer
(roles/)
Provides read-only access to Cloud SQL resources.
Lowest-level resources where you can grant this role:
cloudaicompanion.
cloudsql.backupRuns.export
cloudsql.backupRuns.get
cloudsql.backupRuns.list
cloudsql.databases.get
cloudsql.databases.list
cloudsql.instances.export
cloudsql.instances.get
cloudsql.
cloudsql.instances.list
cloudsql.
cloudsql.
cloudsql.
cloudsql.
cloudsql.sslCerts.get
cloudsql.sslCerts.list
cloudsql.users.get
cloudsql.users.list
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
resourcemanager.projects.get
resourcemanager.projects.list
serviceusage.quotas.get
serviceusage.services.get
serviceusage.services.list
Cloud Storage roles
Permissions
Storage Admin
(roles/)
Grants full control of objects and buckets.
When applied to an individual bucket , control applies only to
the specified bucket and objects within the bucket.
Lowest-level resources where you can grant this role:
cloudkms.keyHandles.*
cloudkms.operations.get
cloudkms.
firebase.projects.get
orgpolicy.policy.get
recommender.
recommender.
recommender.
recommender.
resourcemanager.
resourcemanager.projects.get
resourcemanager.projects.list
storage.anywhereCaches.*
storage.bucketOperations.*
storage.buckets.*
storage.folders.*
storage.intelligenceConfigs.*
storage.managedFolders.*
storage.multipartUploads.*
storage.objects.*
Storage Bucket Viewer
Beta
(roles/)
Grants permission to view buckets and their metadata, excluding IAM policies.
storage.buckets.get
storage.buckets.list
(roles/)
Grants permission to Express Mode service accounts at a managed folder so they can create objects but not read them on input folders.
storage.objects.create
storage.objects.delete
storage.objects.list
storage.objects.update
Storage Express Mode Service Output
Beta
(roles/)
Grants permission to EasyGCP service accounts at a managed folder so they can read objects but not write them on output folders.
storage.objects.delete
storage.objects.get
storage.objects.list
Storage Express Mode User Access
Beta
(roles/)
Grants permission to Express Mode accounts at the project level so they can read, list, create and delete any object in any of their buckets in Express Mode.
orgpolicy.policy.get
storage.buckets.get
storage.buckets.list
storage.multipartUploads.*
storage.objects.create
storage.objects.delete
storage.objects.get
storage.objects.list
storage.objects.restore
storage.objects.update
Storage Folder Admin
(roles/)
Grants full control over folders and objects, including listing, creating, viewing, and deleting objects.
orgpolicy.policy.get
resourcemanager.projects.get
resourcemanager.projects.list
storage.folders.*
storage.managedFolders.*
storage.multipartUploads.*
storage.objects.*
Storage HMAC Key Admin
(roles/)
Full control of Cloud Storage HMAC keys.
firebase.projects.get
orgpolicy.policy.get
resourcemanager.projects.get
resourcemanager.projects.list
storage.hmacKeys.*
Storage Insights Collector Service
(roles/)
Read-only access to Cloud Storage Inventory metadata for Storage Insights.
resourcemanager.projects.get
resourcemanager.projects.list
storage.buckets.get
storage.
Storage Object Admin
(roles/)
Grants full control of objects, including listing, creating, viewing,
and deleting objects.
Lowest-level resources where you can grant this role:
orgpolicy.policy.get
resourcemanager.projects.get
resourcemanager.projects.list
storage.folders.*
storage.managedFolders.create
storage.managedFolders.delete
storage.managedFolders.get
storage.managedFolders.list
storage.multipartUploads.*
storage.objects.*
Storage Object Creator
(roles/)
Allows users to create objects. Does not give permission to view,
delete, or overwrite objects.
Lowest-level resources where you can grant this role:
orgpolicy.policy.get
resourcemanager.projects.get
resourcemanager.projects.list
storage.folders.create
storage.managedFolders.create
storage.multipartUploads.abort
storage.
storage.
storage.objects.create
Storage Object User
(roles/)
Access to create, read, update and delete objects and multipart uploads in GCS.
orgpolicy.policy.get
resourcemanager.projects.get
resourcemanager.projects.list
storage.folders.*
storage.managedFolders.create
storage.managedFolders.delete
storage.managedFolders.get
storage.managedFolders.list
storage.multipartUploads.*
storage.objects.create
storage.objects.delete
storage.objects.get
storage.objects.list
storage.objects.move
storage.objects.restore
storage.objects.update
Storage Object Viewer
(roles/)
Grants access to view objects and their metadata, excluding ACLs. Can
also list the objects in a bucket.
Lowest-level resources where you can grant this role:
resourcemanager.projects.get
resourcemanager.projects.list
storage.folders.get
storage.folders.list
storage.managedFolders.get
storage.managedFolders.list
storage.objects.get
storage.objects.list
Storage Transfer Admin
(roles/)
Create, update and manage transfer jobs and operations.
resourcemanager.projects.get
resourcemanager.projects.list
storagetransfer.*
Storage Transfer Agent
(roles/)
Perform transfers from an agent.
monitoring.timeSeries.create
pubsub.subscriptions.consume
pubsub.subscriptions.create
pubsub.subscriptions.delete
pubsub.subscriptions.get
pubsub.
pubsub.topics.create
pubsub.topics.get
pubsub.topics.list
pubsub.topics.publish
storagetransfer.
storagetransfer.
storagetransfer.operations.get
storagetransfer.
Storage Transfer User
(roles/)
Create and update storage transfer jobs and operations.
resourcemanager.projects.get
resourcemanager.projects.list
storagetransfer.
storagetransfer.agentpools.get
storagetransfer.
storagetransfer.
storagetransfer.
storagetransfer.jobs.create
storagetransfer.jobs.get
storagetransfer.jobs.list
storagetransfer.jobs.run
storagetransfer.jobs.update
storagetransfer.operations.*
storagetransfer.
Storage Transfer Viewer
(roles/)
Read access to storage transfer jobs and operations.
resourcemanager.projects.get
resourcemanager.projects.list
storagetransfer.agentpools.get
storagetransfer.
storagetransfer.jobs.get
storagetransfer.jobs.list
storagetransfer.operations.get
storagetransfer.
storagetransfer.
Cloud Storage Legacy roles
Permissions
Storage Legacy Bucket Owner
(roles/)
Grants permission to create, overwrite, and delete objects; list objects
in a bucket and read object metadata, excluding allow policies, when
listing; and read and edit bucket metadata, including allow policies.
Use of this role is also reflected in the bucket's ACLs. For more
information, see
IAM relation to ACLs .
Lowest-level resources where you can grant this role:
storage.anywhereCaches.*
storage.bucketOperations.*
storage.
storage.
storage.
storage.buckets.get
storage.buckets.getIamPolicy
storage.buckets.getIpFilter
storage.
storage.
storage.buckets.relocate
storage.buckets.restore
storage.buckets.setIamPolicy
storage.buckets.setIpFilter
storage.buckets.update
storage.folders.*
storage.managedFolders.*
storage.multipartUploads.*
storage.objects.create
storage.objects.delete
storage.objects.list
storage.objects.restore
storage.objects.setRetention
Storage Legacy Bucket Reader
(roles/)
Grants permission to list a bucket's contents and read bucket metadata,
excluding allow policies. Also grants permission to read object metadata,
excluding allow policies, when listing objects.
Use of this role is also reflected in the bucket's ACLs. For more
information, see
IAM relation to ACLs .
Lowest-level resources where you can grant this role:
storage.buckets.get
storage.folders.get
storage.folders.list
storage.managedFolders.get
storage.managedFolders.list
storage.multipartUploads.list
storage.objects.list
Storage Legacy Bucket Writer
(roles/)
Grants permission to create, overwrite, and delete objects; list objects
in a bucket and read object metadata, excluding allow policies, when
listing; and read bucket metadata, excluding allow policies.
Use of this role is also reflected in the bucket's ACLs. For more
information, see
IAM relation to ACLs .
Lowest-level resources where you can grant this role:
storage.buckets.get
storage.folders.*
storage.managedFolders.create
storage.managedFolders.delete
storage.managedFolders.get
storage.managedFolders.list
storage.multipartUploads.*
storage.objects.create
storage.objects.delete
storage.objects.list
storage.objects.restore
storage.objects.setRetention
Storage Legacy Object Owner
(roles/)
Grants permission to view and edit objects and their metadata, including
ACLs.
Lowest-level resources where you can grant this role:
storage.objects.get
storage.objects.getIamPolicy
storage.
storage.objects.setIamPolicy
storage.objects.setRetention
storage.objects.update
Storage Legacy Object Reader
(roles/)
Grants permission to view objects and their metadata, excluding ACLs.
Lowest-level resources where you can grant this role:
storage.objects.get
Cloud Talent Solution roles
Permissions
Cloud Talent Solution Admin
(roles/)
Access to Cloud Talent Solution Self-Service Tools.
cloudjobdiscovery.tools.access
iam.serviceAccounts.list
resourcemanager.projects.get
resourcemanager.projects.list
Cloud Talent Solution Job Editor
(roles/)
Write access to all job data in Cloud Talent Solution.
cloudjobdiscovery.companies.*
cloudjobdiscovery.
cloudjobdiscovery.jobs.*
cloudjobdiscovery.tenants.*
resourcemanager.projects.get
resourcemanager.projects.list
Cloud Talent Solution Job Viewer
(roles/)
Read access to all job data in Cloud Talent Solution.
cloudjobdiscovery.
cloudjobdiscovery.
cloudjobdiscovery.jobs.get
cloudjobdiscovery.jobs.search
cloudjobdiscovery.tenants.get
resourcemanager.projects.get
resourcemanager.projects.list
Cloud Talent Solution Profile Editor
(roles/)
Write access to all profile data in Cloud Talent Solution.
cloudjobdiscovery.
cloudjobdiscovery.profiles.*
cloudjobdiscovery.tenants.*
resourcemanager.projects.get
resourcemanager.projects.list
Cloud Talent Solution Profile Viewer
(roles/)
Read access to all profile data in Cloud Talent Solution.
cloudjobdiscovery.profiles.get
cloudjobdiscovery.
cloudjobdiscovery.tenants.get
resourcemanager.projects.get
resourcemanager.projects.list
Cloud Tasks roles
Permissions
Cloud Tasks Admin
Beta
(roles/)
Full access to queues and tasks.
cloudtasks.*
monitoring.timeSeries.list
resourcemanager.projects.get
resourcemanager.projects.list
Cloud Tasks Enqueuer
Beta
(roles/)
Access to create tasks.
cloudtasks.tasks.create
cloudtasks.tasks.fullView
resourcemanager.projects.get
resourcemanager.projects.list
Cloud Tasks Queue Admin
Beta
(roles/)
Admin access to queues.
cloudtasks.locations.*
cloudtasks.queues.*
resourcemanager.projects.get
resourcemanager.projects.list
Cloud Tasks Task Deleter
Beta
(roles/)
Access to delete tasks.
cloudtasks.tasks.delete
resourcemanager.projects.get
resourcemanager.projects.list
Cloud Tasks Task Runner
Beta
(roles/)
Access to run tasks.
cloudtasks.tasks.fullView
cloudtasks.tasks.run
resourcemanager.projects.get
resourcemanager.projects.list
Cloud Tasks Viewer
Beta
(roles/)
Get and list access to tasks, queues, and locations.
cloudtasks.cmekConfig.get
cloudtasks.locations.*
cloudtasks.queues.get
cloudtasks.queues.list
cloudtasks.tasks.fullView
cloudtasks.tasks.get
cloudtasks.tasks.list
monitoring.timeSeries.list
resourcemanager.projects.get
resourcemanager.projects.list
Cloud TPU roles
Permissions
TPU Admin
(roles/)
Full access to TPU nodes and related resources.
resourcemanager.projects.get
resourcemanager.projects.list
tpu.*
TPU Viewer
(roles/)
Read-only access to TPU nodes and related resources.
resourcemanager.projects.get
resourcemanager.projects.list
tpu.acceleratortypes.*
tpu.locations.*
tpu.nodes.get
tpu.nodes.list
tpu.operations.*
tpu.runtimeversions.*
tpu.tensorflowversions.*
TPU Shared VPC Agent
(roles/)
Can use shared VPC network (XPN) for the TPU VMs.
compute.
compute.
compute.addresses.get
compute.addresses.list
compute.addresses.use
compute.addresses.useInternal
compute.firewalls.create
compute.firewalls.delete
compute.firewalls.get
compute.firewalls.update
compute.globalOperations.get
compute.networks.get
compute.networks.list
compute.networks.updatePolicy
compute.networks.use
compute.networks.useExternalIp
compute.routes.list
compute.subnetworks.get
compute.subnetworks.list
compute.subnetworks.use
compute.
compute.zoneOperations.get
Cloud Trace roles
Permissions
Cloud Trace Admin
(roles/)
Provides full access to the Trace console and read-write access to traces.
Lowest-level resources where you can grant this role:
cloudtrace.*
observability.scopes.get
resourcemanager.projects.get
resourcemanager.projects.list
telemetry.traces.write
Cloud Trace Agent
(roles/)
For service accounts. Provides ability to write traces by sending the data
to Stackdriver Trace.
Lowest-level resources where you can grant this role:
cloudtrace.traces.patch
telemetry.traces.write
Cloud Trace User
(roles/)
Provides full access to the Trace console and read access to traces.
Lowest-level resources where you can grant this role:
cloudtrace.insights.*
cloudtrace.stats.get
cloudtrace.tasks.*
cloudtrace.traceScopes.*
cloudtrace.traces.get
cloudtrace.traces.list
observability.scopes.get
resourcemanager.projects.get
resourcemanager.projects.list
Cloud Translation roles
Permissions
Cloud Translation API Admin
(roles/)
Full access to all Cloud Translation resources
automl.models.get
automl.models.predict
cloudtranslate.*
resourcemanager.projects.get
resourcemanager.projects.list
Cloud Translation API Editor
(roles/)
Editor of all Cloud Translation resources
automl.models.get
automl.models.predict
cloudtranslate.*
resourcemanager.projects.get
resourcemanager.projects.list
Cloud Translation API User
(roles/)
User of Cloud Translation and AutoML models
automl.models.get
automl.models.predict
cloudtranslate.
cloudtranslate.
cloudtranslate.
cloudtranslate.
cloudtranslate.
cloudtranslate.
cloudtranslate.
cloudtranslate.
cloudtranslate.
cloudtranslate.datasets.get
cloudtranslate.datasets.list
cloudtranslate.generalModels.*
cloudtranslate.
cloudtranslate.
cloudtranslate.
cloudtranslate.glossaries.get
cloudtranslate.glossaries.list
cloudtranslate.
cloudtranslate.
cloudtranslate.
cloudtranslate.
cloudtranslate.locations.*
cloudtranslate.operations.get
cloudtranslate.operations.list
cloudtranslate.operations.wait
resourcemanager.projects.get
resourcemanager.projects.list
Cloud Translation API Viewer
(roles/)
Viewer of all Translation resources
automl.models.get
cloudtranslate.
cloudtranslate.
cloudtranslate.
cloudtranslate.
cloudtranslate.
cloudtranslate.
cloudtranslate.
cloudtranslate.datasets.get
cloudtranslate.datasets.list
cloudtranslate.
cloudtranslate.glossaries.get
cloudtranslate.glossaries.list
cloudtranslate.
cloudtranslate.
cloudtranslate.locations.*
cloudtranslate.operations.get
cloudtranslate.operations.list
cloudtranslate.operations.wait
resourcemanager.projects.get
resourcemanager.projects.list
Cloud Workstations roles
Permissions
Cloud Workstations Admin
(roles/)
Grants CRUD access to all Workstation resources.
compute.acceleratorTypes.*
compute.machineTypes.*
compute.networks.get
compute.networks.list
compute.subnetworks.get
compute.subnetworks.list
compute.zones.*
iam.serviceAccounts.get
iam.serviceAccounts.list
resourcemanager.projects.get
resourcemanager.projects.list
workstations.operations.get
workstations.
workstations.
workstations.
workstations.
workstations.workstations.get
workstations.
workstations.workstations.list
workstations.
workstations.
workstations.workstations.stop
workstations.
Cloud Workstations Network Admin
(roles/)
Grants ability to connect a Workstation Cluster to a shared VPC network.
compute.addresses.create
compute.
compute.addresses.delete
compute.
compute.addresses.get
compute.addresses.use
compute.forwardingRules.create
compute.forwardingRules.delete
compute.forwardingRules.get
compute.
compute.
compute.globalOperations.get
compute.networks.get
compute.networks.updatePolicy
compute.networks.use
compute.networks.useExternalIp
compute.regionOperations.get
compute.subnetworks.get
compute.subnetworks.use
compute.
compute.zoneOperations.get
servicedirectory.
servicedirectory.
servicedirectory.
servicedirectory.
Cloud Workstations Operation Viewer
(roles/)
Grants ability to view Cloud Workstations API operations.
workstations.operations.get
Cloud Workstations Policy Admin
(roles/)
Grants permission to set IAM policy on workstation.
workstations.
workstations.
Cloud Workstations User
(roles/)
Grants runtime access to Workstation resources.
workstations.operations.get
workstations.
workstations.workstations.get
workstations.
workstations.workstations.stop
workstations.
workstations.workstations.use
Cloud Workstations Creator
(roles/)
Grants ability to create Workstation resources.
resourcemanager.projects.get
resourcemanager.projects.list
workstations.operations.get
workstations.
workstations.
workstations.
workstations.
Cloud Workstations Limit Exempted Creator
(roles/)
Grants ability to create workstations with exemption from max_usable_workstations Limit.
resourcemanager.projects.get
resourcemanager.projects.list
workstations.operations.get
workstations.
workstations.
Compute Engine roles
Permissions
Compute Admin
(roles/)
Full control of all Compute Engine resources.
If the user will be managing virtual machine instances that are configured
to run as a service account, you must also grant the
roles/iam.serviceAccountUser role.
Lowest-level resources where you can grant this role:
Disk
Image
Instance
Instance template
Node group
Node template
Snapshot
backupdr.
backupdr.
backupdr.
backupdr.
backupdr.backupPlans.get
backupdr.backupPlans.list
backupdr.
backupdr.backupVaults.get
backupdr.backupVaults.list
backupdr.locations.list
backupdr.operations.get
backupdr.operations.list
backupdr.
cloudkms.keyHandles.*
cloudkms.operations.get
cloudkms.
compute.*
resourcemanager.projects.get
resourcemanager.projects.list
serviceusage.quotas.get
serviceusage.services.get
serviceusage.services.list
Compute Future Reservation Admin
Beta
(roles/)
compute.acceleratorTypes.list
compute.advice.calendarMode
compute.
compute.
compute.
compute.futureReservations.get
compute.
compute.
compute.instanceTemplates.list
compute.machineTypes.list
compute.regions.list
compute.
compute.reservations.create
compute.
compute.zones.list
Compute Future Reservation User
Beta
(roles/)
compute.acceleratorTypes.list
compute.
compute.
compute.futureReservations.get
compute.
compute.
compute.instanceTemplates.list
compute.machineTypes.list
compute.regions.list
compute.reservations.create
compute.zones.list
Compute Future Reservation Viewer
Beta
(roles/)
compute.acceleratorTypes.list
compute.futureReservations.get
compute.
compute.instanceTemplates.list
compute.machineTypes.list
compute.regions.list
compute.zones.list
Compute Image User
(roles/)
Permission to list and read images without having other permissions on the image. Granting this role
at the project level gives users the ability to list all images in the project and create resources,
such as instances and persistent disks, based on images in the project.
Lowest-level resources where you can grant this role:
compute.images.get
compute.images.getFromFamily
compute.images.list
compute.images.useReadOnly
resourcemanager.projects.get
resourcemanager.projects.list
serviceusage.quotas.get
serviceusage.services.get
serviceusage.services.list
Compute Instance Admin (beta)
(roles/)
Permissions to create, modify, and delete virtual machine instances.
This includes permissions to create, modify, and delete disks, and also to
configure Shielded VM
settings.
If the user will be managing virtual machine instances that are configured
to run as a service account, you must also grant the
roles/iam.serviceAccountUser role.
For example, if your company has someone who manages groups of virtual
machine instances but does not manage network or security settings and
does not manage instances that run as service accounts, you can grant this
role on the organization, folder, or project that contains the instances,
or you can grant it on individual instances.
Lowest-level resources where you can grant this role:
Disk
Image
Instance
Instance template
Snapshot
backupdr.
backupdr.
backupdr.
backupdr.
backupdr.backupPlans.get
backupdr.backupPlans.list
backupdr.
backupdr.backupVaults.get
backupdr.backupVaults.list
backupdr.locations.list
backupdr.operations.get
backupdr.operations.list
backupdr.
cloudkms.keyHandles.*
cloudkms.operations.get
cloudkms.
compute.acceleratorTypes.*
compute.
compute.
compute.addresses.get
compute.addresses.list
compute.
compute.
compute.addresses.use
compute.addresses.useInternal
compute.autoscalers.*
compute.diskSettings.get
compute.diskTypes.*
compute.disks.create
compute.disks.createSnapshot
compute.disks.delete
compute.disks.get
compute.disks.list
compute.disks.resize
compute.disks.setLabels
compute.
compute.
compute.
compute.disks.update
compute.disks.use
compute.disks.useReadOnly
compute.globalAddresses.get
compute.globalAddresses.list
compute.
compute.
compute.globalAddresses.use
compute.
compute.globalOperations.get
compute.globalOperations.list
compute.images.get
compute.images.getFromFamily
compute.images.list
compute.images.useReadOnly
compute.
compute.instanceGroups.*
compute.instanceSettings.get
compute.instanceTemplates.*
compute.instances.*
compute.licenses.get
compute.licenses.list
compute.machineImages.*
compute.machineTypes.*
compute.multiMig.*
compute.
compute.networks.get
compute.networks.list
compute.
compute.
compute.networks.use
compute.networks.useExternalIp
compute.projects.get
compute.
compute.regionOperations.get
compute.regionOperations.list
compute.regions.*
compute.reservationBlocks.get
compute.reservationBlocks.list
compute.reservations.get
compute.reservations.list
compute.resourcePolicies.list
compute.
compute.storagePools.get
compute.storagePools.list
compute.storagePools.use
compute.subnetworks.get
compute.subnetworks.list
compute.
compute.
compute.subnetworks.use
compute.
compute.targetPools.get
compute.targetPools.list
compute.
compute.
compute.zoneOperations.get
compute.zoneOperations.list
compute.zones.*
resourcemanager.projects.get
resourcemanager.projects.list
serviceusage.quotas.get
serviceusage.services.get
serviceusage.services.list
Compute Instance Admin (v1)
(roles/)
Full control of Compute Engine instances, instance groups, disks, snapshots, and images.
Read access to all Compute Engine networking resources.
If you grant a user this role only at an instance level, then that user cannot create new instances.
backupdr.
backupdr.
backupdr.
backupdr.
backupdr.backupPlans.get
backupdr.backupPlans.list
backupdr.
backupdr.backupVaults.get
backupdr.backupVaults.list
backupdr.locations.list
backupdr.operations.get
backupdr.operations.list
backupdr.
cloudkms.keyHandles.*
cloudkms.operations.get
cloudkms.
compute.acceleratorTypes.*
compute.
compute.
compute.addresses.get
compute.addresses.list
compute.
compute.
compute.addresses.use
compute.addresses.useInternal
compute.autoscalers.*
compute.backendBuckets.get
compute.backendBuckets.list
compute.
compute.
compute.backendServices.get
compute.backendServices.list
compute.
compute.
compute.crossSiteNetworks.get
compute.crossSiteNetworks.list
compute.diskSettings.get
compute.diskTypes.*
compute.disks.*
compute.
compute.
compute.
compute.
compute.firewalls.get
compute.firewalls.list
compute.
compute.
compute.forwardingRules.get
compute.forwardingRules.list
compute.
compute.
compute.globalAddresses.get
compute.globalAddresses.list
compute.
compute.
compute.globalAddresses.use
compute.
compute.
compute.
compute.
compute.
compute.globalOperations.get
compute.globalOperations.list
compute.healthChecks.get
compute.healthChecks.list
compute.
compute.
compute.httpHealthChecks.get
compute.httpHealthChecks.list
compute.
compute.
compute.httpsHealthChecks.get
compute.httpsHealthChecks.list
compute.
compute.
compute.images.*
compute.
compute.instanceGroups.*
compute.instanceSettings.*
compute.instanceTemplates.*
compute.instances.*
compute.instantSnapshots.*
compute.
compute.
compute.
compute.
compute.
compute.
compute.interconnects.get
compute.interconnects.list
compute.
compute.
compute.licenseCodes.*
compute.licenses.*
compute.machineImages.*
compute.machineTypes.*
compute.multiMig.*
compute.networkAttachments.get
compute.
compute.
compute.
compute.
compute.networkProfiles.*
compute.networks.get
compute.networks.list
compute.
compute.
compute.networks.use
compute.networks.useExternalIp
compute.projects.get
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.regionHealthChecks.get
compute.
compute.
compute.
compute.
compute.
compute.
compute.regionOperations.get
compute.regionOperations.list
compute.
compute.
compute.
compute.
compute.regionSslPolicies.get
compute.regionSslPolicies.list
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.regionUrlMaps.get
compute.regionUrlMaps.list
compute.
compute.
compute.regions.*
compute.reservationBlocks.get
compute.reservationBlocks.list
compute.reservations.get
compute.reservations.list
compute.resourcePolicies.*
compute.routers.get
compute.routers.getRoutePolicy
compute.routers.list
compute.routers.listBgpRoutes
compute.
compute.
compute.
compute.routes.get
compute.routes.list
compute.
compute.routes.listTagBindings
compute.serviceAttachments.get
compute.
compute.
compute.
compute.snapshots.*
compute.spotAssistants.get
compute.sslCertificates.get
compute.sslCertificates.list
compute.
compute.
compute.sslPolicies.get
compute.sslPolicies.list
compute.
compute.
compute.
compute.storagePools.get
compute.storagePools.list
compute.storagePools.use
compute.subnetworks.get
compute.subnetworks.list
compute.
compute.
compute.subnetworks.use
compute.
compute.targetGrpcProxies.get
compute.targetGrpcProxies.list
compute.
compute.
compute.targetHttpProxies.get
compute.targetHttpProxies.list
compute.
compute.
compute.targetHttpsProxies.get
compute.
compute.
compute.
compute.targetInstances.get
compute.targetInstances.list
compute.
compute.
compute.targetPools.get
compute.targetPools.list
compute.
compute.
compute.targetSslProxies.get
compute.targetSslProxies.list
compute.
compute.
compute.targetTcpProxies.get
compute.targetTcpProxies.list
compute.
compute.
compute.targetVpnGateways.get
compute.targetVpnGateways.list
compute.
compute.
compute.urlMaps.get
compute.urlMaps.list
compute.
compute.
compute.vpnGateways.get
compute.vpnGateways.list
compute.
compute.
compute.vpnTunnels.get
compute.vpnTunnels.list
compute.
compute.
compute.wireGroups.get
compute.wireGroups.list
compute.zoneOperations.get
compute.zoneOperations.list
compute.zones.*
resourcemanager.projects.get
resourcemanager.projects.list
serviceusage.quotas.get
serviceusage.services.get
serviceusage.services.list
Compute Load Balancer Admin
(roles/)
Permissions to create, modify, and delete load balancers and associate
resources.
For example, if your company has a load balancing team that manages load
balancers, SSL certificates for load balancers, SSL policies, and other
load balancing resources, and a separate networking team that manages
the rest of the networking resources, then grant this role to the load
balancing team's group.
Lowest-level resources where you can grant this role:
certificatemanager.
certificatemanager.
certificatemanager.
compute.addresses.*
compute.backendBuckets.*
compute.backendServices.*
compute.
compute.disks.listTagBindings
compute.forwardingRules.*
compute.globalAddresses.*
compute.
compute.
compute.globalOperations.get
compute.globalOperations.list
compute.healthChecks.*
compute.httpHealthChecks.*
compute.httpsHealthChecks.*
compute.
compute.images.listTagBindings
compute.instanceGroups.*
compute.instances.get
compute.instances.list
compute.
compute.
compute.instances.use
compute.instances.useReadOnly
compute.
compute.networks.get
compute.networks.list
compute.
compute.
compute.networks.use
compute.projects.get
compute.
compute.
compute.regionHealthChecks.*
compute.
compute.
compute.regionOperations.get
compute.regionOperations.list
compute.
compute.
compute.
compute.
compute.
compute.
compute.regionSslPolicies.*
compute.
compute.
compute.
compute.regionUrlMaps.*
compute.securityPolicies.get
compute.securityPolicies.list
compute.
compute.
compute.securityPolicies.use
compute.
compute.
compute.sslCertificates.*
compute.sslPolicies.*
compute.subnetworks.get
compute.subnetworks.list
compute.
compute.
compute.subnetworks.use
compute.targetGrpcProxies.*
compute.targetHttpProxies.*
compute.targetHttpsProxies.*
compute.targetInstances.*
compute.targetPools.*
compute.targetSslProxies.*
compute.targetTcpProxies.*
compute.urlMaps.*
compute.zoneOperations.get
compute.zoneOperations.list
networksecurity.
networksecurity.
networksecurity.
networksecurity.
networksecurity.
networksecurity.
resourcemanager.projects.get
resourcemanager.projects.list
serviceusage.quotas.get
serviceusage.services.get
serviceusage.services.list
Compute Load Balancer Services User
(roles/)
Permissions to use services from a load balancer in other projects.
compute.backendBuckets.get
compute.backendBuckets.list
compute.
compute.
compute.backendBuckets.use
compute.backendServices.get
compute.backendServices.list
compute.
compute.
compute.backendServices.use
compute.projects.get
compute.
compute.
compute.
compute.
compute.
resourcemanager.projects.get
resourcemanager.projects.list
serviceusage.quotas.get
serviceusage.services.get
serviceusage.services.list
Compute Network Admin
(roles/)
Permissions to create, modify, and delete networking resources,
except for firewall rules and SSL certificates. The network admin role
allows read-only access to firewall rules, SSL certificates, and instances
(to view their ephemeral IP addresses). The network admin role does not
allow a user to create, start, stop, or delete instances.
For example, if your company has a security team that manages firewalls
and SSL certificates and a networking team that manages the rest of the
networking resources, then grant this role to the networking team's group.
Or, if you have a combined team that manages both security and networking,
then grant this role as well as the
roles/compute.securityAdmin role to the combined team's group.
Lowest-level resources where you can grant this role:
compute.acceleratorTypes.*
compute.addresses.*
compute.autoscalers.get
compute.autoscalers.list
compute.backendBuckets.*
compute.backendServices.*
compute.crossSiteNetworks.*
compute.
compute.disks.listTagBindings
compute.externalVpnGateways.*
compute.firewallPolicies.get
compute.firewallPolicies.list
compute.
compute.
compute.firewallPolicies.use
compute.firewalls.get
compute.firewalls.list
compute.
compute.
compute.forwardingRules.*
compute.globalAddresses.*
compute.
compute.
compute.
compute.
compute.
compute.
compute.globalOperations.get
compute.globalOperations.list
compute.
compute.
compute.
compute.
compute.healthChecks.*
compute.httpHealthChecks.*
compute.httpsHealthChecks.*
compute.
compute.images.listTagBindings
compute.
compute.
compute.
compute.
compute.
compute.
compute.instanceGroups.get
compute.instanceGroups.list
compute.
compute.
compute.instanceGroups.update
compute.instanceGroups.use
compute.instanceSettings.get
compute.instances.get
compute.
compute.
compute.
compute.instances.list
compute.
compute.
compute.
compute.
compute.instances.use
compute.instances.useReadOnly
compute.
compute.
compute.
compute.interconnects.*
compute.machineTypes.*
compute.networkAttachments.*
compute.
compute.
compute.
compute.
compute.
compute.networkProfiles.*
compute.networks.*
compute.packetMirrorings.get
compute.packetMirrorings.list
compute.
compute.
compute.projects.get
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.regionHealthChecks.*
compute.
compute.
compute.
compute.
compute.
compute.
compute.regionOperations.get
compute.regionOperations.list
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.regionSslPolicies.*
compute.
compute.
compute.
compute.regionUrlMaps.*
compute.regions.*
compute.routers.*
compute.routes.*
compute.securityPolicies.get
compute.securityPolicies.list
compute.
compute.
compute.securityPolicies.use
compute.serviceAttachments.*
compute.
compute.
compute.sslCertificates.get
compute.sslCertificates.list
compute.
compute.
compute.sslPolicies.*
compute.subnetworks.*
compute.targetGrpcProxies.*
compute.targetHttpProxies.*
compute.targetHttpsProxies.*
compute.targetInstances.*
compute.targetPools.*
compute.targetSslProxies.*
compute.targetTcpProxies.*
compute.targetVpnGateways.*
compute.urlMaps.*
compute.vpnGateways.*
compute.vpnTunnels.*
compute.wireGroups.*
compute.zoneOperations.get
compute.zoneOperations.list
compute.zones.*
networkconnectivity.
networkconnectivity.
networkconnectivity.
networkconnectivity.
networkconnectivity.
networkconnectivity.
networkconnectivity.
networkconnectivity.
networkmanagement.
networkmanagement.
networksecurity.
networksecurity.
networksecurity.
networksecurity.
networksecurity.
networksecurity.
networksecurity.
networksecurity.
networksecurity.locations.*
networksecurity.operations.*
networksecurity.
networksecurity.
networksecurity.
networksecurity.
networksecurity.urlLists.*
networkservices.*
resourcemanager.projects.get
resourcemanager.projects.list
servicedirectory.
servicedirectory.
servicedirectory.
servicedirectory.
servicenetworking.
servicenetworking.
servicenetworking.
servicenetworking.
servicenetworking.
servicenetworking.
servicenetworking.
servicenetworking.services.get
servicenetworking.
serviceusage.quotas.get
serviceusage.services.get
serviceusage.services.list
trafficdirector.*
Compute Network User
(roles/)
Provides access to a shared VPC network
Once granted, service owners can use VPC networks and subnets that belong
to the host project. For example, a network user can create a VM instance
that belongs to a host project network but they cannot delete or create
new networks in the host project.
Lowest-level resources where you can grant this role:
compute.
compute.
compute.addresses.get
compute.addresses.list
compute.
compute.
compute.addresses.useInternal
compute.crossSiteNetworks.get
compute.crossSiteNetworks.list
compute.
compute.
compute.
compute.
compute.
compute.firewalls.get
compute.firewalls.list
compute.
compute.
compute.instanceSettings.get
compute.
compute.
compute.
compute.
compute.
compute.
compute.interconnects.get
compute.interconnects.list
compute.
compute.
compute.interconnects.use
compute.networkAttachments.get
compute.
compute.
compute.
compute.networkProfiles.*
compute.networks.access
compute.networks.get
compute.
compute.
compute.networks.list
compute.
compute.
compute.
compute.networks.use
compute.networks.useExternalIp
compute.projects.get
compute.regions.*
compute.routers.get
compute.routers.getRoutePolicy
compute.routers.list
compute.routers.listBgpRoutes
compute.
compute.
compute.
compute.routes.get
compute.routes.list
compute.
compute.routes.listTagBindings
compute.serviceAttachments.get
compute.
compute.
compute.
compute.subnetworks.get
compute.subnetworks.list
compute.
compute.
compute.subnetworks.use
compute.
compute.targetVpnGateways.get
compute.targetVpnGateways.list
compute.
compute.
compute.vpnGateways.get
compute.vpnGateways.list
compute.
compute.
compute.vpnGateways.use
compute.vpnTunnels.get
compute.vpnTunnels.list
compute.
compute.
compute.wireGroups.get
compute.wireGroups.list
compute.zones.*
networkconnectivity.
networkconnectivity.
networkconnectivity.
networkconnectivity.
networkconnectivity.
networkconnectivity.
networkconnectivity.
networkmanagement.
networkmanagement.
networksecurity.
networksecurity.
networksecurity.
networksecurity.
networksecurity.
networksecurity.
networksecurity.
networksecurity.
networksecurity.
networksecurity.
networksecurity.
networksecurity.
networksecurity.
networksecurity.
networksecurity.
networksecurity.
networksecurity.
networksecurity.
networksecurity.
networksecurity.
networksecurity.
networksecurity.
networksecurity.locations.*
networksecurity.operations.get
networksecurity.
networksecurity.
networksecurity.
networksecurity.
networksecurity.
networksecurity.
networksecurity.
networksecurity.
networksecurity.
networksecurity.
networksecurity.
networksecurity.
networksecurity.
networksecurity.urlLists.get
networksecurity.urlLists.list
networksecurity.urlLists.use
networkservices.
networkservices.
networkservices.
networkservices.
networkservices.
networkservices.gateways.get
networkservices.gateways.list
networkservices.gateways.use
networkservices.grpcRoutes.get
networkservices.
networkservices.
networkservices.
networkservices.httpRoutes.get
networkservices.
networkservices.
networkservices.
networkservices.
networkservices.
networkservices.
networkservices.
networkservices.
networkservices.locations.*
networkservices.meshes.get
networkservices.meshes.list
networkservices.meshes.use
networkservices.operations.get
networkservices.
networkservices.route_views.*
networkservices.
networkservices.
networkservices.
networkservices.
networkservices.tcpRoutes.get
networkservices.tcpRoutes.list
networkservices.tlsRoutes.get
networkservices.tlsRoutes.list
networkservices.
networkservices.
networkservices.
resourcemanager.projects.get
resourcemanager.projects.list
servicenetworking.services.get
serviceusage.quotas.get
serviceusage.services.get
serviceusage.services.list
Compute Network Viewer
(roles/)
Read-only access to all networking resources
For example, if you have software that inspects your network
configuration, you could grant this role to that software's
service account.
Lowest-level resources where you can grant this role:
compute.acceleratorTypes.*
compute.addresses.get
compute.addresses.list
compute.
compute.
compute.autoscalers.get
compute.autoscalers.list
compute.backendBuckets.get
compute.backendBuckets.list
compute.
compute.
compute.backendServices.get
compute.backendServices.list
compute.
compute.
compute.crossSiteNetworks.get
compute.crossSiteNetworks.list
compute.
compute.disks.listTagBindings
compute.
compute.
compute.
compute.
compute.firewalls.get
compute.firewalls.list
compute.
compute.
compute.forwardingRules.get
compute.forwardingRules.list
compute.
compute.
compute.globalAddresses.get
compute.globalAddresses.list
compute.
compute.
compute.
compute.
compute.
compute.
compute.healthChecks.get
compute.healthChecks.list
compute.
compute.
compute.httpHealthChecks.get
compute.httpHealthChecks.list
compute.
compute.
compute.httpsHealthChecks.get
compute.httpsHealthChecks.list
compute.
compute.
compute.
compute.images.listTagBindings
compute.
compute.
compute.
compute.
compute.instanceGroups.get
compute.instanceGroups.list
compute.
compute.
compute.instanceSettings.get
compute.instances.get
compute.
compute.
compute.
compute.instances.list
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.interconnects.get
compute.interconnects.list
compute.
compute.
compute.machineTypes.*
compute.networkAttachments.get
compute.
compute.
compute.
compute.networkProfiles.*
compute.networks.get
compute.
compute.
compute.networks.list
compute.
compute.
compute.
compute.packetMirrorings.get
compute.packetMirrorings.list
compute.
compute.
compute.projects.get
compute.
compute.
compute.
compute.
compute.
compute.
compute.regionHealthChecks.get
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.regionSslPolicies.get
compute.regionSslPolicies.list
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.regionUrlMaps.get
compute.regionUrlMaps.list
compute.
compute.
compute.regions.*
compute.routers.get
compute.routers.getRoutePolicy
compute.routers.list
compute.routers.listBgpRoutes
compute.
compute.
compute.
compute.routes.get
compute.routes.list
compute.
compute.routes.listTagBindings
compute.serviceAttachments.get
compute.
compute.
compute.
compute.
compute.
compute.sslCertificates.get
compute.sslCertificates.list
compute.
compute.
compute.sslPolicies.get
compute.sslPolicies.list
compute.
compute.
compute.
compute.subnetworks.get
compute.subnetworks.list
compute.
compute.
compute.targetGrpcProxies.get
compute.targetGrpcProxies.list
compute.
compute.
compute.targetHttpProxies.get
compute.targetHttpProxies.list
compute.
compute.
compute.targetHttpsProxies.get
compute.
compute.
compute.
compute.targetInstances.get
compute.targetInstances.list
compute.
compute.
compute.targetPools.get
compute.targetPools.list
compute.
compute.
compute.targetSslProxies.get
compute.targetSslProxies.list
compute.
compute.
compute.targetTcpProxies.get
compute.targetTcpProxies.list
compute.
compute.
compute.targetVpnGateways.get
compute.targetVpnGateways.list
compute.
compute.
compute.urlMaps.get
compute.urlMaps.list
compute.
compute.
compute.vpnGateways.get
compute.vpnGateways.list
compute.
compute.
compute.vpnTunnels.get
compute.vpnTunnels.list
compute.
compute.
compute.wireGroups.get
compute.wireGroups.list
compute.zones.*
networkconnectivity.
networkconnectivity.
networkconnectivity.
networkconnectivity.
networkconnectivity.
networkconnectivity.
networkconnectivity.
networkmanagement.
networkmanagement.
networksecurity.
networksecurity.
networksecurity.
networksecurity.
networksecurity.
networksecurity.
networksecurity.
networksecurity.
networksecurity.
networksecurity.
networksecurity.
networksecurity.
networksecurity.
networksecurity.
networksecurity.
networksecurity.
networksecurity.locations.*
networksecurity.operations.get
networksecurity.
networksecurity.
networksecurity.
networksecurity.
networksecurity.
networksecurity.
networksecurity.
networksecurity.
networksecurity.
networksecurity.urlLists.get
networksecurity.urlLists.list
networkservices.
networkservices.
networkservices.
networkservices.
networkservices.gateways.get
networkservices.gateways.list
networkservices.grpcRoutes.get
networkservices.
networkservices.
networkservices.
networkservices.httpRoutes.get
networkservices.
networkservices.
networkservices.
networkservices.
networkservices.
networkservices.
networkservices.
networkservices.locations.*
networkservices.meshes.get
networkservices.meshes.list
networkservices.operations.get
networkservices.
networkservices.route_views.*
networkservices.
networkservices.
networkservices.
networkservices.
networkservices.tcpRoutes.get
networkservices.tcpRoutes.list
networkservices.tlsRoutes.get
networkservices.tlsRoutes.list
networkservices.
networkservices.
resourcemanager.projects.get
resourcemanager.projects.list
servicenetworking.services.get
serviceusage.quotas.get
serviceusage.services.get
serviceusage.services.list
trafficdirector.*
Compute Organization Firewall Policy Admin
(roles/)
Full control of Compute Engine Organization Firewall Policies.
compute.firewallPolicies.*
compute.globalOperations.get
compute.
compute.globalOperations.list
compute.
compute.projects.get
compute.
compute.regionOperations.get
compute.
compute.regionOperations.list
compute.
resourcemanager.projects.get
resourcemanager.projects.list
serviceusage.quotas.get
serviceusage.services.get
serviceusage.services.list
Compute Organization Firewall Policy User
(roles/)
View or use Compute Engine Firewall Policies to associate with the organization or folders.
compute.firewallPolicies.get
compute.firewallPolicies.list
compute.
compute.
compute.firewallPolicies.use
compute.globalOperations.get
compute.
compute.globalOperations.list
compute.projects.get
compute.
compute.
compute.
compute.
compute.
compute.regionOperations.get
compute.
compute.regionOperations.list
resourcemanager.projects.get
resourcemanager.projects.list
serviceusage.quotas.get
serviceusage.services.get
serviceusage.services.list
Compute Organization Security Policy Admin
(roles/)
Full control of Compute Engine Organization Security Policies.
compute.firewallPolicies.*
compute.globalOperations.get
compute.
compute.globalOperations.list
compute.
compute.projects.get
compute.
compute.
compute.
compute.
compute.
compute.
compute.securityPolicies.get
compute.securityPolicies.list
compute.
compute.
compute.securityPolicies.move
compute.
compute.
compute.securityPolicies.use
resourcemanager.projects.get
resourcemanager.projects.list
serviceusage.quotas.get
serviceusage.services.get
serviceusage.services.list
Compute Organization Security Policy User
(roles/)
View or use Compute Engine Security Policies to associate with the organization or folders.
compute.firewallPolicies.get
compute.firewallPolicies.list
compute.
compute.
compute.firewallPolicies.use
compute.globalOperations.get
compute.
compute.globalOperations.list
compute.
compute.projects.get
compute.
compute.securityPolicies.get
compute.securityPolicies.list
compute.
compute.
compute.
compute.securityPolicies.use
resourcemanager.projects.get
resourcemanager.projects.list
serviceusage.quotas.get
serviceusage.services.get
serviceusage.services.list
Compute Organization Resource Admin
(roles/)
Full control of Compute Engine Firewall Policy associations to the organization or folders.
compute.globalOperations.get
compute.
compute.globalOperations.list
compute.
compute.
compute.
compute.
compute.projects.get
resourcemanager.projects.get
resourcemanager.projects.list
serviceusage.quotas.get
serviceusage.services.get
serviceusage.services.list
Compute OS Admin Login
(roles/)
Access to log in to a Compute Engine instance as an administrator
user.
Lowest-level resources where you can grant this role:
compute.
compute.disks.listTagBindings
compute.
compute.images.listTagBindings
compute.instanceSettings.get
compute.instances.get
compute.instances.list
compute.
compute.
compute.instances.osAdminLogin
compute.instances.osLogin
compute.projects.get
compute.
compute.
resourcemanager.projects.get
resourcemanager.projects.list
serviceusage.quotas.get
serviceusage.services.get
serviceusage.services.list
Compute OS Login
(roles/)
Access to log in to a Compute Engine instance as a standard user.
Lowest-level resources where you can grant this role:
compute.
compute.disks.listTagBindings
compute.
compute.images.listTagBindings
compute.instanceSettings.get
compute.instances.get
compute.instances.list
compute.
compute.
compute.instances.osLogin
compute.projects.get
compute.
compute.
resourcemanager.projects.get
resourcemanager.projects.list
serviceusage.quotas.get
serviceusage.services.get
serviceusage.services.list
Compute OS Login External User
(roles/)
Available only at the organization level.
Access for an external user to set OS Login information associated with
this organization. This role does not grant access to instances. External
users must be granted one of the required
OS Login roles
in order to allow access to instances using SSH.
Lowest-level resources where you can grant this role:
compute.
Compute packet mirroring admin
(roles/)
Specify resources to be mirrored.
compute.
compute.networks.mirror
compute.projects.get
compute.subnetworks.mirror
resourcemanager.projects.get
resourcemanager.projects.list
serviceusage.quotas.get
serviceusage.services.get
serviceusage.services.list
Compute packet mirroring user
(roles/)
Use Compute Engine packet mirrorings.
compute.packetMirrorings.*
compute.projects.get
resourcemanager.projects.get
resourcemanager.projects.list
serviceusage.quotas.get
serviceusage.services.get
serviceusage.services.list
Compute Peer Subnet Migration Admin
(roles/)
Use subnetwork whose PURPOSE is "PEER_MIGRATION"
compute.
compute.
compute.addresses.get
compute.addresses.use
compute.forwardingRules.create
compute.forwardingRules.delete
compute.forwardingRules.get
compute.forwardingRules.list
compute.
compute.
compute.
compute.forwardingRules.update
compute.networks.use
compute.regionOperations.get
compute.regions.list
compute.subnetworks.use
compute.
servicedirectory.
servicedirectory.
servicedirectory.
Compute Public IP Admin
(roles/)
Full control of public IP address management for Compute Engine.
compute.addresses.*
compute.globalAddresses.*
compute.
compute.
compute.
resourcemanager.projects.get
resourcemanager.projects.list
Compute Security Admin
(roles/)
Permissions to create, modify, and delete firewall rules and SSL
certificates, and also to
configure Shielded VM
settings.
For example, if your company has a security team that manages firewalls
and SSL certificates and a networking team that manages the rest of the
networking resources, then grant this role to the security team's group.
Lowest-level resources where you can grant this role:
compute.backendBuckets.list
compute.backendServices.list
compute.firewallPolicies.*
compute.firewalls.*
compute.globalOperations.get
compute.globalOperations.list
compute.instanceSettings.get
compute.
compute.instances.list
compute.
compute.
compute.
compute.
compute.
compute.networks.get
compute.
compute.
compute.networks.list
compute.
compute.
compute.networks.updatePolicy
compute.packetMirrorings.*
compute.projects.get
compute.
compute.
compute.regionOperations.get
compute.regionOperations.list
compute.
compute.
compute.regionSslPolicies.*
compute.regions.*
compute.routers.get
compute.routers.getRoutePolicy
compute.routers.list
compute.routers.listBgpRoutes
compute.
compute.
compute.
compute.routes.get
compute.routes.list
compute.
compute.routes.listTagBindings
compute.securityPolicies.*
compute.sslCertificates.*
compute.sslPolicies.*
compute.subnetworks.get
compute.subnetworks.list
compute.
compute.
compute.targetInstances.list
compute.targetPools.list
compute.zoneOperations.get
compute.zoneOperations.list
compute.zones.*
resourcemanager.projects.get
resourcemanager.projects.list
serviceusage.quotas.get
serviceusage.services.get
serviceusage.services.list
Compute Sole Tenant Viewer
(roles/)
Permissions to view sole tenancy node groups
compute.nodeGroups.get
compute.
compute.nodeGroups.list
compute.nodeTemplates.get
compute.
compute.nodeTemplates.list
compute.nodeTypes.*
Compute Storage Admin
(roles/)
Permissions to create, modify, and delete disks, images, and snapshots.
For example, if your company has someone who manages project images and
you don't want them to have the editor role on the project, then grant
this role to their account on the project.
Lowest-level resources where you can grant this role:
cloudkms.keyHandles.*
cloudkms.operations.get
cloudkms.
compute.diskSettings.*
compute.diskTypes.*
compute.disks.*
compute.globalOperations.get
compute.globalOperations.list
compute.images.*
compute.instanceSettings.get
compute.instantSnapshots.*
compute.licenseCodes.*
compute.licenses.*
compute.projects.get
compute.regionOperations.get
compute.regionOperations.list
compute.regions.*
compute.resourcePolicies.*
compute.snapshots.*
compute.storagePools.*
compute.zoneOperations.get
compute.zoneOperations.list
compute.zones.*
resourcemanager.projects.get
resourcemanager.projects.list
serviceusage.quotas.get
serviceusage.services.get
serviceusage.services.list
Compute Viewer
(roles/)
Read-only access to get and list Compute Engine resources, without
being able to read the data stored on them.
For example, an account with this role could inventory all of the disks in
a project, but it could not read any of the data on those disks.
Lowest-level resources where you can grant this role:
Disk
Image
Instance
Instance template
Node group
Node template
Snapshot
compute.acceleratorTypes.*
compute.addresses.get
compute.addresses.list
compute.
compute.
compute.autoscalers.get
compute.autoscalers.list
compute.backendBuckets.get
compute.
compute.backendBuckets.list
compute.
compute.
compute.backendServices.get
compute.
compute.backendServices.list
compute.
compute.
compute.commitments.get
compute.commitments.list
compute.crossSiteNetworks.get
compute.crossSiteNetworks.list
compute.diskSettings.get
compute.diskTypes.*
compute.disks.get
compute.disks.getIamPolicy
compute.disks.list
compute.
compute.disks.listTagBindings
compute.
compute.
compute.
compute.
compute.firewallPolicies.get
compute.
compute.firewallPolicies.list
compute.
compute.
compute.firewalls.get
compute.firewalls.list
compute.
compute.
compute.forwardingRules.get
compute.forwardingRules.list
compute.
compute.
compute.futureReservations.get
compute.
compute.
compute.globalAddresses.get
compute.globalAddresses.list
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.globalOperations.get
compute.
compute.globalOperations.list
compute.
compute.
compute.healthChecks.get
compute.healthChecks.list
compute.
compute.
compute.httpHealthChecks.get
compute.httpHealthChecks.list
compute.
compute.
compute.httpsHealthChecks.get
compute.httpsHealthChecks.list
compute.
compute.
compute.images.get
compute.images.getFromFamily
compute.images.getIamPolicy
compute.images.list
compute.
compute.images.listTagBindings
compute.
compute.
compute.
compute.
compute.instanceGroups.get
compute.instanceGroups.list
compute.
compute.
compute.instanceSettings.get
compute.instanceTemplates.get
compute.
compute.instanceTemplates.list
compute.instances.get
compute.
compute.
compute.instances.getIamPolicy
compute.
compute.
compute.
compute.
compute.instances.list
compute.
compute.
compute.
compute.instantSnapshots.get
compute.
compute.instantSnapshots.list
compute.
compute.
compute.
compute.
compute.
compute.
compute.interconnects.get
compute.interconnects.list
compute.
compute.
compute.licenseCodes.get
compute.
compute.licenseCodes.list
compute.licenses.get
compute.licenses.getIamPolicy
compute.licenses.list
compute.machineImages.get
compute.
compute.machineImages.list
compute.machineTypes.*
compute.multiMig.get
compute.multiMig.list
compute.networkAttachments.get
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.networkProfiles.*
compute.networks.get
compute.
compute.
compute.networks.list
compute.
compute.
compute.
compute.nodeGroups.get
compute.
compute.nodeGroups.list
compute.nodeTemplates.get
compute.
compute.nodeTemplates.list
compute.nodeTypes.*
compute.
compute.packetMirrorings.get
compute.packetMirrorings.list
compute.
compute.
compute.projects.get
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.regionHealthChecks.get
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.regionOperations.get
compute.
compute.regionOperations.list
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.regionSslPolicies.get
compute.regionSslPolicies.list
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.regionUrlMaps.get
compute.regionUrlMaps.list
compute.
compute.
compute.regionUrlMaps.validate
compute.regions.*
compute.reservationBlocks.get
compute.reservationBlocks.list
compute.reservations.get
compute.reservations.list
compute.resourcePolicies.get
compute.
compute.resourcePolicies.list
compute.routers.get
compute.routers.getRoutePolicy
compute.routers.list
compute.routers.listBgpRoutes
compute.
compute.
compute.
compute.routes.get
compute.routes.list
compute.
compute.routes.listTagBindings
compute.securityPolicies.get
compute.securityPolicies.list
compute.
compute.
compute.serviceAttachments.get
compute.
compute.
compute.
compute.
compute.snapshotSettings.get
compute.snapshots.get
compute.snapshots.getIamPolicy
compute.snapshots.list
compute.
compute.
compute.spotAssistants.get
compute.sslCertificates.get
compute.sslCertificates.list
compute.
compute.
compute.sslPolicies.get
compute.sslPolicies.list
compute.
compute.
compute.
compute.storagePools.get
compute.
compute.storagePools.list
compute.subnetworks.get
compute.
compute.subnetworks.list
compute.
compute.
compute.targetGrpcProxies.get
compute.targetGrpcProxies.list
compute.
compute.
compute.targetHttpProxies.get
compute.targetHttpProxies.list
compute.
compute.
compute.targetHttpsProxies.get
compute.
compute.
compute.
compute.targetInstances.get
compute.targetInstances.list
compute.
compute.
compute.targetPools.get
compute.targetPools.list
compute.
compute.
compute.targetSslProxies.get
compute.targetSslProxies.list
compute.
compute.
compute.targetTcpProxies.get
compute.targetTcpProxies.list
compute.
compute.
compute.targetVpnGateways.get
compute.targetVpnGateways.list
compute.
compute.
compute.urlMaps.get
compute.urlMaps.list
compute.
compute.
compute.urlMaps.validate
compute.vpnGateways.get
compute.vpnGateways.list
compute.
compute.
compute.vpnTunnels.get
compute.vpnTunnels.list
compute.
compute.
compute.wireGroups.get
compute.wireGroups.list
compute.zoneOperations.get
compute.
compute.zoneOperations.list
compute.zones.*
resourcemanager.projects.get
resourcemanager.projects.list
serviceusage.quotas.get
serviceusage.services.get
serviceusage.services.list
Compute Shared VPC Admin
(roles/)
Permissions to administer shared VPC host projects,
specifically enabling the host projects and associating shared VPC service projects to the host
project's network.
At the organization level, this role can only be granted by an organization admin.
Google Cloud recommends that the Shared VPC Admin be the owner of the shared VPC host project. The
Shared VPC Admin is responsible for granting the Compute Network User role
(roles/compute.networkUser) to service owners, and the shared VPC host project owner
controls the project itself. Managing the project is easier if a single principal (individual or
group) can fulfill both roles.
Lowest-level resources where you can grant this role:
compute.globalOperations.get
compute.globalOperations.list
compute.
compute.
compute.
compute.
compute.projects.get
compute.
compute.
resourcemanager.
resourcemanager.projects.get
resourcemanager.
resourcemanager.projects.list
OS Config Admin
(roles/)
Full access to OS Config resources
osconfig.*
GuestPolicy Admin
Beta
(roles/)
Full admin access to GuestPolicies
osconfig.guestPolicies.*
resourcemanager.projects.get
resourcemanager.projects.list
GuestPolicy Editor
Beta
(roles/)
Editor of GuestPolicy resources
osconfig.guestPolicies.get
osconfig.guestPolicies.list
osconfig.guestPolicies.update
resourcemanager.projects.get
resourcemanager.projects.list
GuestPolicy Viewer
Beta
(roles/)
Viewer of GuestPolicy resources
osconfig.guestPolicies.get
osconfig.guestPolicies.list
resourcemanager.projects.get
resourcemanager.projects.list
InstanceOSPoliciesCompliance Viewer
Beta
(roles/)
Viewer of OS Policies Compliance of VM instances
osconfig.
resourcemanager.projects.get
resourcemanager.projects.list
OS Inventory Viewer
(roles/)
Viewer of OS Inventories
osconfig.inventories.*
resourcemanager.projects.get
resourcemanager.projects.list
OSPolicyAssignment Admin
(roles/)
Full admin access to OS Policy Assignments
osconfig.osPolicyAssignments.*
resourcemanager.projects.get
resourcemanager.projects.list
OSPolicyAssignment Editor
(roles/)
Editor of OS Policy Assignments
osconfig.
osconfig.
osconfig.
osconfig.
resourcemanager.projects.get
resourcemanager.projects.list
OSPolicyAssignmentReport Viewer
(roles/)
Viewer of OS policy assignment reports for VM instances
osconfig.
resourcemanager.projects.get
resourcemanager.projects.list
OSPolicyAssignment Viewer
(roles/)
Viewer of OS Policy Assignments
osconfig.
osconfig.
osconfig.
resourcemanager.projects.get
resourcemanager.projects.list
PatchDeployment Admin
(roles/)
Full admin access to PatchDeployments
osconfig.patchDeployments.*
resourcemanager.projects.get
resourcemanager.projects.list
PatchDeployment Viewer
(roles/)
Viewer of PatchDeployment resources
osconfig.patchDeployments.get
osconfig.patchDeployments.list
resourcemanager.projects.get
resourcemanager.projects.list
Patch Job Executor
(roles/)
Access to execute Patch Jobs.
osconfig.patchJobs.*
resourcemanager.projects.get
resourcemanager.projects.list
Patch Job Viewer
(roles/)
Get and list Patch Jobs.
osconfig.patchJobs.get
osconfig.patchJobs.list
resourcemanager.projects.get
resourcemanager.projects.list
PolicyOrchestrator Admin
Beta
(roles/)
Admin of PolicyOrchestrator resources
osconfig.locations.*
osconfig.operations.get
osconfig.policyOrchestrators.*
PolicyOrchestrator Viewer
Beta
(roles/)
Viewer of PolicyOrchestrator resources
osconfig.locations.*
osconfig.operations.get
osconfig.
osconfig.
Project Feature Settings Editor
(roles/)
Read/write access to project feature settings
osconfig.
resourcemanager.projects.get
resourcemanager.projects.list
Project Feature Settings Viewer
(roles/)
Read access to project feature settings
osconfig.
resourcemanager.projects.get
resourcemanager.projects.list
Upgrade Report Viewer
Beta
(roles/)
Provides read-only access to VM Manager Upgrade Reports
osconfig.upgradeReports.*
resourcemanager.projects.get
resourcemanager.projects.list
OS Config Viewer
(roles/)
Readonly access to OS Config resources
osconfig.guestPolicies.get
osconfig.guestPolicies.list
osconfig.
osconfig.inventories.*
osconfig.locations.*
osconfig.operations.get
osconfig.operations.list
osconfig.
osconfig.
osconfig.
osconfig.
osconfig.patchDeployments.get
osconfig.patchDeployments.list
osconfig.patchJobs.get
osconfig.patchJobs.list
osconfig.
osconfig.
osconfig.
osconfig.upgradeReports.*
osconfig.
OS VulnerabilityReport Viewer
(roles/)
Viewer of OS VulnerabilityReports
osconfig.
resourcemanager.projects.get
resourcemanager.projects.list
Container Analysis roles
Permissions
Container Analysis Admin
(roles/)
Access to all Container Analysis resources.
containeranalysis.
containeranalysis.notes.create
containeranalysis.notes.delete
containeranalysis.notes.get
containeranalysis.
containeranalysis.notes.list
containeranalysis.
containeranalysis.notes.update
containeranalysis.
resourcemanager.projects.get
resourcemanager.projects.list
Container Analysis Notes Attacher
(roles/)
Can attach Container Analysis Occurrences to Notes.
containeranalysis.
containeranalysis.notes.get
Container Analysis Notes Editor
(roles/)
Can edit Container Analysis Notes.
containeranalysis.
containeranalysis.notes.create
containeranalysis.notes.delete
containeranalysis.notes.get
containeranalysis.notes.list
containeranalysis.notes.update
resourcemanager.projects.get
resourcemanager.projects.list
Container Analysis Occurrences for Notes Viewer
(roles/)
Can view all Container Analysis Occurrences attached to a Note.
containeranalysis.notes.get
containeranalysis.
Container Analysis Notes Viewer
(roles/)
Can view Container Analysis Notes.
containeranalysis.notes.get
containeranalysis.notes.list
resourcemanager.projects.get
resourcemanager.projects.list
Container Analysis Occurrences Editor
(roles/)
Can edit Container Analysis Occurrences.
containeranalysis.
containeranalysis.
containeranalysis.
containeranalysis.
containeranalysis.
resourcemanager.projects.get
resourcemanager.projects.list
Container Analysis Occurrences Viewer
(roles/)
Can view Container Analysis Occurrences.
containeranalysis.
containeranalysis.
resourcemanager.projects.get
resourcemanager.projects.list
Data Catalog roles
Permissions
Data Catalog Admin
(roles/)
Full access to all DataCatalog resources
bigquery.connections.get
bigquery.connections.updateTag
bigquery.datasets.get
bigquery.datasets.updateTag
bigquery.models.getMetadata
bigquery.models.updateTag
bigquery.routines.get
bigquery.routines.updateTag
bigquery.tables.get
bigquery.tables.updateTag
datacatalog.catalogs.searchAll
datacatalog.
datacatalog.
datacatalog.entries.*
datacatalog.entryGroups.*
datacatalog.migrationConfig.*
datacatalog.operations.list
datacatalog.relationships.*
datacatalog.tagTemplates.*
datacatalog.taxonomies.*
dataplex.projects.search
pubsub.topics.get
pubsub.topics.updateTag
resourcemanager.projects.get
resourcemanager.projects.list
Policy Tag Admin
(roles/)
Manage taxonomies
datacatalog.
datacatalog.
datacatalog.taxonomies.*
resourcemanager.projects.get
resourcemanager.projects.list
Fine-Grained Reader
(roles/)
Read access to sub-resources tagged by a policy tag, for example, BigQuery columns
datacatalog.
DataCatalog Data Steward
Beta
(roles/)
Can update overview and data steward fields
datacatalog.entries.get
datacatalog.entries.list
datacatalog.
datacatalog.
datacatalog.entryGroups.get
datacatalog.
datacatalog.relationships.list
dataplex.projects.search
resourcemanager.projects.get
resourcemanager.projects.list
DataCatalog EntryGroup Creator
(roles/)
Can create new entryGroups
datacatalog.entryGroups.create
datacatalog.entryGroups.get
datacatalog.entryGroups.list
dataplex.projects.search
resourcemanager.projects.get
resourcemanager.projects.list
DataCatalog EntryGroup Owner
(roles/)
Full access to entryGroups
datacatalog.entries.*
datacatalog.entryGroups.*
dataplex.projects.search
resourcemanager.projects.get
resourcemanager.projects.list
DataCatalog Entry Owner
(roles/)
Full access to entries
datacatalog.entries.*
datacatalog.entryGroups.get
dataplex.projects.search
resourcemanager.projects.get
resourcemanager.projects.list
DataCatalog Entry Viewer
(roles/)
Read access to entries
datacatalog.entries.get
datacatalog.entries.list
datacatalog.entryGroups.get
datacatalog.
datacatalog.relationships.list
dataplex.projects.search
resourcemanager.projects.get
resourcemanager.projects.list
DataCatalog Glossary Owner
Beta
(roles/)
Full access to glossaries
datacatalog.entries.*
datacatalog.relationships.*
dataplex.projects.search
DataCatalog Glossary User
Beta
(roles/)
Can view glossaries and associate terms to entries
datacatalog.entries.get
datacatalog.entries.list
datacatalog.relationships.*
dataplex.projects.search
DataCatalog Migration Config Admin
(roles/)
Full access to Migration Config
datacatalog.migrationConfig.*
resourcemanager.
resourcemanager.projects.get
resourcemanager.projects.list
DataCatalog Search Admin
(roles/)
Can search all metadata for a project/org in DataCatalog
datacatalog.catalogs.searchAll
dataplex.projects.search
resourcemanager.
resourcemanager.projects.get
resourcemanager.projects.list
Data Catalog Tag Editor
(roles/)
Access to modify metadata tags for entries, as well as BigQuery and
Pub/Sub data assets
bigquery.connections.updateTag
bigquery.datasets.updateTag
bigquery.models.updateTag
bigquery.routines.updateTag
bigquery.tables.updateTag
datacatalog.entries.updateTag
datacatalog.
pubsub.topics.updateTag
Data Catalog TagTemplate Creator
(roles/)
Access to create new tag templates
datacatalog.
datacatalog.tagTemplates.get
dataplex.projects.search
Data Catalog TagTemplate Owner
(roles/)
Full access to tag templates
datacatalog.tagTemplates.*
dataplex.projects.search
resourcemanager.projects.get
resourcemanager.projects.list
Data Catalog TagTemplate User
(roles/)
Access to apply a tag template to an entry (to modify tags, see Data Catalog Tag Editor)
datacatalog.tagTemplates.get
datacatalog.
datacatalog.tagTemplates.use
dataplex.projects.search
resourcemanager.projects.get
resourcemanager.projects.list
Data Catalog TagTemplate Viewer
(roles/)
Read access to templates and tags created using the templates
datacatalog.tagTemplates.get
datacatalog.
dataplex.projects.search
resourcemanager.projects.get
resourcemanager.projects.list
Data Catalog Viewer
(roles/)
Provides metadata read access to catalogued Google Cloud assets for BigQuery
and Pub/Sub
bigquery.connections.get
bigquery.datasets.get
bigquery.models.getMetadata
bigquery.routines.get
bigquery.tables.get
datacatalog.entries.get
datacatalog.entries.list
datacatalog.entryGroups.get
datacatalog.entryGroups.list
datacatalog.
datacatalog.operations.list
datacatalog.relationships.list
datacatalog.tagTemplates.get
datacatalog.
datacatalog.taxonomies.get
datacatalog.taxonomies.list
dataplex.projects.search
pubsub.topics.get
resourcemanager.projects.get
resourcemanager.projects.list
Data Connectors roles
Permissions
Connector Admin
Beta
(roles/)
Full access to Data Connectors.
dataconnectors.*
resourcemanager.projects.get
resourcemanager.projects.list
Connector User
Beta
(roles/)
Access to use Data Connectors.
dataconnectors.connectors.get
dataconnectors.
dataconnectors.connectors.list
dataconnectors.connectors.use
Data Migration roles
Permissions
Database Migration Admin
(roles/)
Full access to all resources of Database Migration.
cloudaicompanion.
datamigration.*
resourcemanager.projects.get
resourcemanager.projects.list
Data Pipelines roles
Permissions
Data pipelines Admin
(roles/)
Administrator of Data pipelines resources
datapipelines.*
resourcemanager.projects.get
resourcemanager.projects.list
Data pipelines Invoker
(roles/)
Invoker of Data pipelines jobs
datapipelines.pipelines.run
resourcemanager.projects.get
resourcemanager.projects.list
Data pipelines Viewer
(roles/)
Viewer of Data pipelines resources
datapipelines.jobs.list
datapipelines.pipelines.get
datapipelines.pipelines.list
resourcemanager.projects.get
resourcemanager.projects.list
Data Studio roles
Permissions
Data Studio Admin
Beta
(roles/)
Data Studio Admin
datastudio.*
resourcemanager.projects.get
resourcemanager.projects.list
Data Studio Workspace Content Manager
Beta
(roles/)
Content Manager of a Data Studio resource
datastudio.datasources.get
datastudio.
datastudio.datasources.move
datastudio.
datastudio.datasources.search
datastudio.
datastudio.datasources.share
datastudio.datasources.trash
datastudio.datasources.update
datastudio.reports.get
datastudio.
datastudio.reports.move
datastudio.
datastudio.reports.search
datastudio.
datastudio.reports.share
datastudio.reports.trash
datastudio.reports.update
datastudio.
datastudio.workspaces.get
datastudio.
datastudio.workspaces.moveIn
datastudio.workspaces.search
resourcemanager.projects.get
resourcemanager.
Data Studio Workspace Contributor
Beta
(roles/)
Contributor of a Data Studio resource
datastudio.datasources.get
datastudio.
datastudio.
datastudio.datasources.search
datastudio.
datastudio.datasources.share
datastudio.datasources.update
datastudio.reports.get
datastudio.
datastudio.
datastudio.reports.search
datastudio.
datastudio.reports.share
datastudio.reports.update
datastudio.
datastudio.workspaces.get
datastudio.
datastudio.workspaces.moveIn
datastudio.workspaces.search
resourcemanager.projects.get
resourcemanager.
Data Studio Asset Editor
Beta
(roles/)
Editor of a Data Studio resource
datastudio.datasources.get
datastudio.
datastudio.datasources.search
datastudio.datasources.update
datastudio.reports.get
datastudio.
datastudio.reports.search
datastudio.reports.update
resourcemanager.projects.get
resourcemanager.
Data Studio Workspace Manager
Beta
(roles/)
Manager of a Data Studio resource
datastudio.*
resourcemanager.projects.get
resourcemanager.
Data Studio Asset Viewer
Beta
(roles/)
Viewer of a Data Studio resource
datastudio.datasources.get
datastudio.datasources.search
datastudio.reports.get
datastudio.reports.search
resourcemanager.projects.get
Data Studio Workspace Viewer
Beta
(roles/)
Viewer of a Data Studio Workspace
datastudio.datasources.get
datastudio.datasources.search
datastudio.reports.get
datastudio.reports.search
datastudio.workspaces.get
datastudio.workspaces.search
resourcemanager.projects.get
Looker Admin
Beta
(roles/)
Admin of Looker instance mapping to a Studio subscription
datastudio.*
resourcemanager.projects.get
resourcemanager.
Looker Studio Pro Manager
Beta
(roles/)
Looker Studio Pro Manager
lookerstudio.pro.manage
resourcemanager.projects.get
resourcemanager.projects.list
resourcemanager.
Dataflow roles
Permissions
Dataflow Admin
(roles/)
Minimal role for creating and managing dataflow jobs.
cloudbuild.builds.create
cloudbuild.builds.get
cloudbuild.builds.list
cloudbuild.builds.update
cloudbuild.locations.*
cloudbuild.operations.*
cloudkms.keyHandles.*
cloudkms.operations.get
cloudkms.
compute.machineTypes.get
compute.projects.get
compute.regions.list
compute.zones.list
dataflow.jobs.*
dataflow.messages.list
dataflow.metrics.get
dataflow.snapshots.*
recommender.
remotebuildexecution.blobs.get
resourcemanager.projects.get
resourcemanager.projects.list
storage.buckets.get
storage.objects.create
storage.objects.get
storage.objects.list
Dataflow Developer
(roles/)
Provides the permissions necessary to execute and manipulate
Dataflow jobs.
Lowest-level resources where you can grant this role:
cloudbuild.builds.create
cloudbuild.builds.get
cloudbuild.builds.list
cloudbuild.builds.update
cloudbuild.locations.*
cloudbuild.operations.*
cloudkms.keyHandles.*
cloudkms.operations.get
cloudkms.
compute.projects.get
compute.regions.list
compute.zones.list
dataflow.jobs.*
dataflow.messages.list
dataflow.metrics.get
dataflow.snapshots.*
recommender.
remotebuildexecution.blobs.get
resourcemanager.projects.get
resourcemanager.projects.list
Dataflow Viewer
(roles/)
Provides read-only access to all Dataflow-related
resources.
Lowest-level resources where you can grant this role:
dataflow.jobs.get
dataflow.jobs.list
dataflow.messages.list
dataflow.metrics.get
dataflow.snapshots.get
dataflow.snapshots.list
recommender.
recommender.
resourcemanager.projects.get
resourcemanager.projects.list
Dataflow Worker
(roles/)
Provides the permissions necessary for a Compute Engine service
account to execute work units for a Dataflow pipeline.
Lowest-level resources where you can grant this role:
autoscaling.
autoscaling.sites.writeMetrics
autoscaling.sites.writeState
compute.
compute.instances.delete
compute.
dataflow.jobs.get
dataflow.shuffle.*
dataflow.streamingWorkItems.*
dataflow.workItems.*
logging.logEntries.create
logging.logEntries.route
monitoring.timeSeries.create
storage.buckets.get
storage.objects.create
storage.objects.get
Permissions
(roles/)
Full access to all Dataform resources.
dataform.*
resourcemanager.projects.get
resourcemanager.projects.list
(roles/)
Permissions to comment, at the repository level. Grants CRUD access over commentThread and comment resources.
dataform.commentThreads.*
dataform.comments.*
(roles/)
Access only to private and shared code resources. The permissions in the Code Creator let you create and list code in Dataform, and access only the code that you created and code that was explicitly shared with you.
dataform.commentThreads.get
dataform.commentThreads.list
dataform.comments.get
dataform.comments.list
dataform.locations.*
dataform.repositories.create
dataform.repositories.list
resourcemanager.projects.get
resourcemanager.projects.list
(roles/)
Edit access code resources.
dataform.commentThreads.*
dataform.comments.*
dataform.compilationResults.*
dataform.locations.*
dataform.repositories.commit
dataform.
dataform.repositories.create
dataform.
dataform.
dataform.repositories.get
dataform.
dataform.repositories.list
dataform.
dataform.repositories.readFile
dataform.workspaces.commit
dataform.workspaces.create
dataform.workspaces.delete
dataform.
dataform.
dataform.
dataform.workspaces.get
dataform.
dataform.
dataform.workspaces.list
dataform.
dataform.
dataform.workspaces.moveFile
dataform.workspaces.pull
dataform.workspaces.push
dataform.
dataform.workspaces.readFile
dataform.
dataform.workspaces.removeFile
dataform.workspaces.reset
dataform.
dataform.workspaces.writeFile
resourcemanager.projects.get
resourcemanager.projects.list
(roles/)
Full access to code resources.
dataform.commentThreads.*
dataform.comments.*
dataform.compilationResults.*
dataform.locations.*
dataform.repositories.*
dataform.workspaces.*
resourcemanager.projects.get
resourcemanager.projects.list
(roles/)
Read-only access to all code resources.
dataform.compilationResults.*
dataform.locations.*
dataform.
dataform.
dataform.
dataform.repositories.get
dataform.
dataform.repositories.list
dataform.
dataform.repositories.readFile
dataform.
dataform.
dataform.
dataform.workspaces.get
dataform.
dataform.workspaces.list
dataform.
dataform.workspaces.readFile
dataform.
resourcemanager.projects.get
resourcemanager.projects.list
(roles/)
Edit access to Workspaces and Read-only access to Repositories.
dataform.commentThreads.get
dataform.commentThreads.list
dataform.comments.get
dataform.comments.list
dataform.compilationResults.*
dataform.config.get
dataform.locations.*
dataform.releaseConfigs.get
dataform.releaseConfigs.list
dataform.
dataform.
dataform.
dataform.repositories.get
dataform.
dataform.repositories.list
dataform.
dataform.repositories.readFile
dataform.workflowConfigs.get
dataform.workflowConfigs.list
dataform.workflowInvocations.*
dataform.workspaces.commit
dataform.workspaces.create
dataform.workspaces.delete
dataform.
dataform.
dataform.
dataform.workspaces.get
dataform.
dataform.
dataform.workspaces.list
dataform.
dataform.
dataform.workspaces.moveFile
dataform.workspaces.pull
dataform.workspaces.push
dataform.
dataform.workspaces.readFile
dataform.
dataform.workspaces.removeFile
dataform.workspaces.reset
dataform.
dataform.workspaces.writeFile
resourcemanager.projects.get
resourcemanager.projects.list
(roles/)
Read-only access to all Dataform resources.
dataform.commentThreads.get
dataform.commentThreads.list
dataform.comments.get
dataform.comments.list
dataform.
dataform.
dataform.
dataform.config.get
dataform.locations.*
dataform.releaseConfigs.get
dataform.releaseConfigs.list
dataform.
dataform.
dataform.
dataform.repositories.get
dataform.
dataform.repositories.list
dataform.
dataform.repositories.readFile
dataform.workflowConfigs.get
dataform.workflowConfigs.list
dataform.
dataform.
dataform.
dataform.
dataform.
dataform.
dataform.workspaces.get
dataform.
dataform.workspaces.list
dataform.
dataform.workspaces.readFile
dataform.
resourcemanager.projects.get
resourcemanager.projects.list
Dataprep roles
Permissions
Dataprep User
Beta
(roles/)
Use of Dataprep.
dataprep.projects.use
resourcemanager.projects.get
serviceusage.quotas.get
serviceusage.services.get
serviceusage.services.list
Dataproc roles
Permissions
Dataproc Administrator
(roles/)
Full control of Dataproc resources.
compute.machineTypes.*
compute.networks.get
compute.networks.list
compute.projects.get
compute.regions.*
compute.zones.*
dataproc.autoscalingPolicies.*
dataproc.batches.*
dataproc.clusters.*
dataproc.jobs.*
dataproc.nodeGroups.*
dataproc.operations.*
dataproc.sessionTemplates.*
dataproc.sessions.*
dataproc.workflowTemplates.*
dataprocrm.nodePools.*
dataprocrm.nodes.get
dataprocrm.nodes.heartbeat
dataprocrm.nodes.list
dataprocrm.nodes.update
dataprocrm.operations.get
dataprocrm.operations.list
dataprocrm.workloads.*
resourcemanager.projects.get
resourcemanager.projects.list
Dataproc Editor
(roles/)
Provides the permissions necessary for viewing the resources required to
manage Dataproc, including machine types, networks, projects,
and zones.
Lowest-level resources where you can grant this role:
compute.machineTypes.*
compute.networks.get
compute.networks.list
compute.projects.get
compute.regions.*
compute.zones.*
dataproc.
dataproc.
dataproc.
dataproc.
dataproc.
dataproc.
dataproc.batches.*
dataproc.clusters.create
dataproc.clusters.delete
dataproc.clusters.get
dataproc.clusters.list
dataproc.clusters.start
dataproc.clusters.stop
dataproc.clusters.update
dataproc.clusters.use
dataproc.jobs.cancel
dataproc.jobs.create
dataproc.jobs.delete
dataproc.jobs.get
dataproc.jobs.list
dataproc.jobs.update
dataproc.nodeGroups.*
dataproc.operations.cancel
dataproc.operations.delete
dataproc.operations.get
dataproc.operations.list
dataproc.sessionTemplates.*
dataproc.sessions.*
dataproc.
dataproc.
dataproc.workflowTemplates.get
dataproc.
dataproc.
dataproc.
dataproc.
dataprocrm.nodePools.*
dataprocrm.nodes.get
dataprocrm.nodes.heartbeat
dataprocrm.nodes.list
dataprocrm.nodes.update
dataprocrm.operations.get
dataprocrm.operations.list
dataprocrm.workloads.*
resourcemanager.projects.get
resourcemanager.projects.list
Dataproc Hub Agent
(roles/)
Allows management of Dataproc resources. Intended for service accounts running Dataproc Hub instances.
compute.instances.get
compute.instances.setMetadata
compute.instances.setTags
compute.zoneOperations.get
compute.zones.list
dataproc.
dataproc.
dataproc.
dataproc.clusters.create
dataproc.clusters.delete
dataproc.clusters.get
dataproc.clusters.list
dataproc.clusters.update
dataproc.operations.cancel
dataproc.operations.delete
dataproc.operations.get
dataproc.operations.list
iam.serviceAccounts.actAs
iam.serviceAccounts.get
iam.serviceAccounts.list
logging.buckets.get
logging.buckets.list
logging.exclusions.get
logging.exclusions.list
logging.links.get
logging.links.list
logging.locations.*
logging.logEntries.create
logging.logEntries.list
logging.logEntries.route
logging.logMetrics.get
logging.logMetrics.list
logging.logScopes.get
logging.logScopes.list
logging.logServiceIndexes.list
logging.logServices.list
logging.logs.list
logging.operations.get
logging.operations.list
logging.queries.getShared
logging.queries.listShared
logging.queries.usePrivate
logging.sinks.get
logging.sinks.list
logging.usage.get
logging.views.get
logging.views.list
observability.scopes.get
resourcemanager.projects.get
resourcemanager.projects.list
storage.buckets.get
storage.objects.get
storage.objects.list
Dataproc Serverless Editor
(roles/)
Permissions needed to run serverless sessions and batches as a user
compute.projects.get
compute.regions.*
compute.zones.*
dataproc.batches.*
dataproc.operations.cancel
dataproc.operations.delete
dataproc.operations.get
dataproc.operations.list
dataproc.sessionTemplates.*
dataproc.sessions.*
dataprocrm.nodePools.*
dataprocrm.nodes.get
dataprocrm.nodes.heartbeat
dataprocrm.nodes.list
dataprocrm.nodes.update
dataprocrm.operations.get
dataprocrm.operations.list
dataprocrm.workloads.*
resourcemanager.projects.get
resourcemanager.projects.list
Dataproc Serverless Node.
(roles/)
Node access to Dataproc Serverless sessions and batches. Intended for service accounts.
dataproc.
dataproc.
dataproc.
dataprocrm.nodePools.*
dataprocrm.nodes.list
Dataproc Serverless Viewer
(roles/)
Permissions needed to view serverless sessions and batches
compute.projects.get
compute.regions.*
compute.zones.*
dataproc.batches.get
dataproc.batches.list
dataproc.sessionTemplates.get
dataproc.sessionTemplates.list
dataproc.sessions.get
dataproc.sessions.list
resourcemanager.projects.get
resourcemanager.projects.list
Dataproc Viewer
(roles/)
Provides read-only access to Dataproc resources.
Lowest-level resources where you can grant this role:
compute.machineTypes.get
compute.regions.*
compute.zones.*
dataproc.
dataproc.
dataproc.batches.analyze
dataproc.batches.get
dataproc.batches.list
dataproc.
dataproc.clusters.get
dataproc.clusters.list
dataproc.jobs.get
dataproc.jobs.list
dataproc.nodeGroups.get
dataproc.operations.get
dataproc.operations.list
dataproc.sessionTemplates.get
dataproc.sessionTemplates.list
dataproc.sessions.get
dataproc.sessions.list
dataproc.
dataproc.workflowTemplates.get
dataproc.
resourcemanager.projects.get
resourcemanager.projects.list
Dataproc Worker
(roles/)
Provides worker access to Dataproc resources. Intended for service accounts.
cloudprofiler.profiles.create
cloudprofiler.profiles.update
dataproc.agents.*
dataproc.
dataproc.
dataproc.tasks.*
dataprocrm.nodePools.*
dataprocrm.nodes.get
dataprocrm.nodes.heartbeat
dataprocrm.nodes.list
dataprocrm.
logging.logEntries.create
logging.logEntries.route
monitoring.
monitoring.
monitoring.
monitoring.
monitoring.timeSeries.create
storage.buckets.get
storage.folders.*
storage.managedFolders.create
storage.managedFolders.delete
storage.managedFolders.get
storage.managedFolders.list
storage.multipartUploads.*
storage.objects.create
storage.objects.delete
storage.objects.get
storage.objects.getIamPolicy
storage.objects.list
storage.
storage.objects.restore
storage.objects.setIamPolicy
storage.objects.setRetention
storage.objects.update
Permissions
(roles/)
Full access to all Dataproc Metastore resources.
metastore.backups.*
metastore.federations.*
metastore.imports.*
metastore.locations.*
metastore.migrations.*
metastore.operations.*
metastore.services.create
metastore.services.delete
metastore.services.export
metastore.services.get
metastore.
metastore.services.list
metastore.services.restore
metastore.
metastore.services.update
resourcemanager.projects.get
resourcemanager.projects.list
(roles/)
Read and write access to all Dataproc Metastore resources.
metastore.backups.create
metastore.backups.delete
metastore.backups.get
metastore.backups.list
metastore.backups.use
metastore.federations.create
metastore.federations.delete
metastore.federations.get
metastore.federations.list
metastore.federations.update
metastore.imports.*
metastore.locations.*
metastore.migrations.*
metastore.operations.*
metastore.services.create
metastore.services.delete
metastore.services.export
metastore.services.get
metastore.
metastore.services.list
metastore.services.restore
metastore.services.update
resourcemanager.projects.get
resourcemanager.projects.list
(roles/)
Access to the Metastore Federation resource.
metastore.federations.use
(roles/)
Access to read and modify the metadata of databases and tables under those databases.
metastore.databases.create
metastore.databases.delete
metastore.databases.get
metastore.
metastore.databases.list
metastore.databases.update
metastore.services.get
metastore.services.use
metastore.tables.create
metastore.tables.delete
metastore.tables.get
metastore.tables.getIamPolicy
metastore.tables.list
metastore.tables.update
(roles/)
Access to mutate metadata from a Dataproc Metastore service's underlying metadata store.
metastore.
(roles/)
Read-only access to Dataproc Metastore resources with additional metadata operations permission.
metastore.backups.create
metastore.backups.delete
metastore.backups.get
metastore.backups.list
metastore.backups.use
metastore.imports.*
metastore.locations.*
metastore.operations.get
metastore.operations.list
metastore.services.export
metastore.services.get
metastore.
metastore.services.list
metastore.services.restore
resourcemanager.projects.get
resourcemanager.projects.list
(roles/)
Full access to the metadata of databases and tables under those databases.
metastore.databases.*
metastore.services.get
metastore.
metastore.services.list
metastore.services.use
metastore.tables.*
(roles/)
Access to query metadata from a Dataproc Metastore service's underlying metadata store.
metastore.
(roles/)
Access to the Dataproc Metastore gRPC endpoint
metastore.databases.get
metastore.databases.list
metastore.services.get
metastore.services.use
(roles/)
Access to read the metadata of databases and tables under those databases
metastore.databases.get
metastore.
metastore.databases.list
metastore.services.get
metastore.services.use
metastore.tables.get
metastore.tables.getIamPolicy
metastore.tables.list
(roles/)
Access to Dataproc Metastore Managed Migration resources and workflow.
cloudsql.instances.connect
cloudsql.instances.get
cloudsql.instances.login
compute.autoscalers.create
compute.autoscalers.delete
compute.disks.create
compute.disks.delete
compute.forwardingRules.create
compute.forwardingRules.delete
compute.forwardingRules.use
compute.
compute.
compute.
compute.instanceGroups.delete
compute.instanceGroups.use
compute.
compute.
compute.instanceTemplates.get
compute.
compute.instances.create
compute.instances.delete
compute.instances.get
compute.instances.setMetadata
compute.machineTypes.list
compute.
compute.
compute.
compute.
compute.
compute.regionHealthChecks.use
compute.
compute.
compute.
compute.subnetworks.get
compute.subnetworks.use
compute.zones.list
datastream.
datastream.
datastream.objects.*
datastream.operations.get
datastream.
datastream.
datastream.streams.create
datastream.streams.delete
datastream.streams.get
datastream.streams.update
(roles/)
Read-only access to all Dataproc Metastore resources.
metastore.backups.get
metastore.backups.list
metastore.federations.get
metastore.
metastore.federations.list
metastore.imports.get
metastore.imports.list
metastore.locations.*
metastore.operations.get
metastore.operations.list
metastore.services.export
metastore.services.get
metastore.
metastore.services.list
resourcemanager.projects.get
resourcemanager.projects.list
Datastore roles
Permissions
Cloud Datastore Backup Schedules Admin
(roles/)
Manage backup schedules in Cloud Datastore.
datastore.backupSchedules.*
datastore.
datastore.databases.list
Cloud Datastore Backup Schedules Viewer
(roles/)
Read access to backup schedules in Cloud Datastore.
datastore.backupSchedules.get
datastore.backupSchedules.list
Cloud Datastore Backups Admin
(roles/)
Read/Write access to metadata about backups in Cloud Datastore but restore is not allowed.
datastore.backups.delete
datastore.backups.get
datastore.backups.list
Cloud Datastore Backups Viewer
(roles/)
Read access to metadata about backups in Cloud Datastore.
datastore.backups.get
datastore.backups.list
Cloud Datastore Bulk Admin
(roles/)
Full access to manage bulk operations.
datastore.databases.bulkDelete
datastore.
datastore.operations.cancel
datastore.operations.get
datastore.operations.list
resourcemanager.projects.get
resourcemanager.projects.list
Cloud Datastore Import Export Admin
(roles/)
Provides full access to manage imports and exports.
Lowest-level resources where you can grant this role:
appengine.applications.get
datastore.databases.export
datastore.
datastore.databases.import
datastore.operations.cancel
datastore.operations.get
datastore.operations.list
resourcemanager.projects.get
resourcemanager.projects.list
Cloud Datastore Index Admin
(roles/)
Provides full access to manage index definitions.
Lowest-level resources where you can grant this role:
appengine.applications.get
datastore.
datastore.indexes.*
resourcemanager.projects.get
resourcemanager.projects.list
Cloud Datastore Key Visualizer Viewer
(roles/)
Full access to Key Visualizer scans.
datastore.
datastore.keyVisualizerScans.*
resourcemanager.projects.get
resourcemanager.projects.list
Cloud Datastore Owner
(roles/)
Provides full access to Datastore resources.
Lowest-level resources where you can grant this role:
appengine.applications.get
datastore.*
resourcemanager.projects.get
resourcemanager.projects.list
Cloud Datastore Restore Admin
(roles/)
Restore into Cloud Datastore Databases from Cloud Datastore Backups.
datastore.backups.get
datastore.backups.list
datastore.
datastore.databases.create
datastore.
datastore.databases.list
datastore.operations.get
datastore.operations.list
Cloud Datastore User
(roles/)
Provides read/write access to data in a Datastore database.
Lowest-level resources where you can grant this role:
appengine.applications.get
datastore.databases.get
datastore.
datastore.databases.list
datastore.entities.*
datastore.indexes.list
datastore.namespaces.*
datastore.statistics.*
resourcemanager.projects.get
resourcemanager.projects.list
Cloud Datastore User Creds Admin
(roles/)
Manage user creds in Cloud Datastore.
datastore.
datastore.databases.list
datastore.userCreds.*
Cloud Datastore User Creds Viewer
(roles/)
Read access to user creds in Cloud Datastore.
datastore.userCreds.get
datastore.userCreds.list
Cloud Datastore Viewer
(roles/)
Provides read access to Datastore resources.
Lowest-level resources where you can grant this role:
appengine.applications.get
datastore.databases.get
datastore.
datastore.databases.list
datastore.entities.get
datastore.entities.list
datastore.indexes.get
datastore.indexes.list
datastore.insights.get
datastore.namespaces.*
datastore.statistics.*
resourcemanager.projects.get
resourcemanager.projects.list
DataStream roles
Permissions
Datastream Admin
(roles/)
Full access to all Datastream resources.
datastream.*
resourcemanager.projects.get
resourcemanager.projects.list
Datastream Viewer
(roles/)
Read-only access to all Datastream resources.
datastream.
datastream.
datastream.
datastream.
datastream.
datastream.
datastream.
datastream.
datastream.
datastream.locations.*
datastream.objects.get
datastream.objects.list
datastream.operations.get
datastream.operations.list
datastream.
datastream.
datastream.
datastream.
datastream.
datastream.routes.get
datastream.routes.getIamPolicy
datastream.routes.list
datastream.streams.fetchErrors
datastream.streams.get
datastream.
datastream.streams.list
datastream.
datastream.
resourcemanager.projects.get
resourcemanager.projects.list
Deployment Manager roles
Permissions
Deployment Manager Editor
(roles/)
Provides the permissions necessary to create and manage deployments.
Lowest-level resources where you can grant this role:
deploymentmanager.
deploymentmanager.
deploymentmanager.
deploymentmanager.
deploymentmanager.
deploymentmanager.
deploymentmanager.
deploymentmanager.
deploymentmanager.manifests.*
deploymentmanager.operations.*
deploymentmanager.resources.*
deploymentmanager.
deploymentmanager.types.*
resourcemanager.projects.get
resourcemanager.projects.list
serviceusage.quotas.get
serviceusage.services.get
serviceusage.services.list
Deployment Manager Type Editor
(roles/)
Provides read and write access to all Type Registry resources.
Lowest-level resources where you can grant this role:
deploymentmanager.
deploymentmanager.
deploymentmanager.
deploymentmanager.types.*
resourcemanager.projects.get
resourcemanager.projects.list
serviceusage.quotas.get
serviceusage.services.get
Deployment Manager Type Viewer
(roles/)
Provides read-only access to all Type Registry resources.
Lowest-level resources where you can grant this role:
deploymentmanager.
deploymentmanager.
deploymentmanager.
deploymentmanager.
deploymentmanager.
deploymentmanager.
deploymentmanager.types.get
deploymentmanager.types.list
resourcemanager.projects.get
resourcemanager.projects.list
serviceusage.quotas.get
serviceusage.services.get
Deployment Manager Viewer
(roles/)
Provides read-only access to all Deployment Manager-related
resources.
Lowest-level resources where you can grant this role:
deploymentmanager.
deploymentmanager.
deploymentmanager.
deploymentmanager.
deploymentmanager.manifests.*
deploymentmanager.operations.*
deploymentmanager.resources.*
deploymentmanager.
deploymentmanager.
deploymentmanager.
deploymentmanager.
deploymentmanager.types.get
deploymentmanager.types.list
resourcemanager.projects.get
resourcemanager.projects.list
serviceusage.quotas.get
serviceusage.services.get
serviceusage.services.list
Dialogflow roles
Permissions
CX Premium Admin
(roles/)
An admin has access to all resources and can perform all administrative actions in an AAM project.
dialogflow.agents.export
dialogflow.agents.get
dialogflow.agents.list
dialogflow.agents.search
dialogflow.
dialogflow.answerrecords.get
dialogflow.answerrecords.list
dialogflow.callMatchers.list
dialogflow.changelogs.*
dialogflow.contexts.get
dialogflow.contexts.list
dialogflow.
dialogflow.
dialogflow.
dialogflow.
dialogflow.
dialogflow.
dialogflow.conversations.get
dialogflow.conversations.list
dialogflow.deployments.*
dialogflow.documents.get
dialogflow.documents.list
dialogflow.encryptionspec.get
dialogflow.entityTypes.get
dialogflow.entityTypes.list
dialogflow.environments.get
dialogflow.environments.list
dialogflow.examples.get
dialogflow.examples.list
dialogflow.experiments.get
dialogflow.experiments.list
dialogflow.flows.get
dialogflow.flows.list
dialogflow.fulfillments.get
dialogflow.generators.get
dialogflow.generators.list
dialogflow.integrations.get
dialogflow.integrations.list
dialogflow.intents.get
dialogflow.intents.list
dialogflow.knowledgeBases.get
dialogflow.knowledgeBases.list
dialogflow.messages.list
dialogflow.modelEvaluations.*
dialogflow.operations.get
dialogflow.pages.get
dialogflow.pages.list
dialogflow.participants.get
dialogflow.participants.list
dialogflow.
dialogflow.
dialogflow.phoneNumbers.list
dialogflow.playbooks.get
dialogflow.playbooks.list
dialogflow.
dialogflow.
dialogflow.
dialogflow.
dialogflow.
dialogflow.
dialogflow.testcases.get
dialogflow.testcases.list
dialogflow.tools.get
dialogflow.tools.list
dialogflow.
dialogflow.
dialogflow.versions.get
dialogflow.versions.list
dialogflow.webhooks.get
dialogflow.webhooks.list
resourcemanager.projects.get
resourcemanager.projects.list
CX Premium Conversational Architect
(roles/)
A Conversational Architect can label conversational data, approve taxonomy changes and design virtual agents for a customer's use cases.
dialogflow.agents.export
dialogflow.agents.get
dialogflow.agents.list
dialogflow.agents.search
dialogflow.
dialogflow.answerrecords.get
dialogflow.answerrecords.list
dialogflow.callMatchers.list
dialogflow.changelogs.*
dialogflow.contexts.get
dialogflow.contexts.list
dialogflow.
dialogflow.
dialogflow.
dialogflow.
dialogflow.
dialogflow.
dialogflow.conversations.get
dialogflow.conversations.list
dialogflow.deployments.*
dialogflow.documents.get
dialogflow.documents.list
dialogflow.encryptionspec.get
dialogflow.entityTypes.get
dialogflow.entityTypes.list
dialogflow.environments.get
dialogflow.environments.list
dialogflow.examples.get
dialogflow.examples.list
dialogflow.experiments.get
dialogflow.experiments.list
dialogflow.flows.get
dialogflow.flows.list
dialogflow.fulfillments.get
dialogflow.generators.get
dialogflow.generators.list
dialogflow.integrations.get
dialogflow.integrations.list
dialogflow.intents.get
dialogflow.intents.list
dialogflow.knowledgeBases.get
dialogflow.knowledgeBases.list
dialogflow.messages.list
dialogflow.modelEvaluations.*
dialogflow.operations.get
dialogflow.pages.get
dialogflow.pages.list
dialogflow.participants.get
dialogflow.participants.list
dialogflow.
dialogflow.
dialogflow.phoneNumbers.list
dialogflow.playbooks.get
dialogflow.playbooks.list
dialogflow.
dialogflow.
dialogflow.
dialogflow.
dialogflow.
dialogflow.
dialogflow.testcases.get
dialogflow.testcases.list
dialogflow.tools.get
dialogflow.tools.list
dialogflow.
dialogflow.
dialogflow.versions.get
dialogflow.versions.list
dialogflow.webhooks.get
dialogflow.webhooks.list
resourcemanager.projects.get
resourcemanager.projects.list
CX Premium Dialog Designer
(roles/)
A Dialog Designer can label conversational data and propose taxonomy changes for virtual agent modeling.
dialogflow.agents.export
dialogflow.agents.get
dialogflow.agents.list
dialogflow.agents.search
dialogflow.
dialogflow.answerrecords.get
dialogflow.answerrecords.list
dialogflow.callMatchers.list
dialogflow.changelogs.*
dialogflow.contexts.get
dialogflow.contexts.list
dialogflow.
dialogflow.
dialogflow.
dialogflow.
dialogflow.
dialogflow.
dialogflow.conversations.get
dialogflow.conversations.list
dialogflow.deployments.*
dialogflow.documents.get
dialogflow.documents.list
dialogflow.encryptionspec.get
dialogflow.entityTypes.get
dialogflow.entityTypes.list
dialogflow.environments.get
dialogflow.environments.list
dialogflow.examples.get
dialogflow.examples.list
dialogflow.experiments.get
dialogflow.experiments.list
dialogflow.flows.get
dialogflow.flows.list
dialogflow.fulfillments.get
dialogflow.generators.get
dialogflow.generators.list
dialogflow.integrations.get
dialogflow.integrations.list
dialogflow.intents.get
dialogflow.intents.list
dialogflow.knowledgeBases.get
dialogflow.knowledgeBases.list
dialogflow.messages.list
dialogflow.modelEvaluations.*
dialogflow.operations.get
dialogflow.pages.get
dialogflow.pages.list
dialogflow.participants.get
dialogflow.participants.list
dialogflow.
dialogflow.
dialogflow.phoneNumbers.list
dialogflow.playbooks.get
dialogflow.playbooks.list
dialogflow.
dialogflow.
dialogflow.
dialogflow.
dialogflow.
dialogflow.
dialogflow.testcases.get
dialogflow.testcases.list
dialogflow.tools.get
dialogflow.tools.list
dialogflow.
dialogflow.
dialogflow.versions.get
dialogflow.versions.list
dialogflow.webhooks.get
dialogflow.webhooks.list
resourcemanager.projects.get
resourcemanager.projects.list
CX Premium Lead Dialog Designer
(roles/)
A Dialog Designer Lead can label conversational data and approve taxonomy changes for virtual agent modeling.
dialogflow.agents.export
dialogflow.agents.get
dialogflow.agents.list
dialogflow.agents.search
dialogflow.
dialogflow.answerrecords.get
dialogflow.answerrecords.list
dialogflow.callMatchers.list
dialogflow.changelogs.*
dialogflow.contexts.get
dialogflow.contexts.list
dialogflow.
dialogflow.
dialogflow.
dialogflow.
dialogflow.
dialogflow.
dialogflow.conversations.get
dialogflow.conversations.list
dialogflow.deployments.*
dialogflow.documents.get
dialogflow.documents.list
dialogflow.encryptionspec.get
dialogflow.entityTypes.get
dialogflow.entityTypes.list
dialogflow.environments.get
dialogflow.environments.list
dialogflow.examples.get
dialogflow.examples.list
dialogflow.experiments.get
dialogflow.experiments.list
dialogflow.flows.get
dialogflow.flows.list
dialogflow.fulfillments.get
dialogflow.generators.get
dialogflow.generators.list
dialogflow.integrations.get
dialogflow.integrations.list
dialogflow.intents.get
dialogflow.intents.list
dialogflow.knowledgeBases.get
dialogflow.knowledgeBases.list
dialogflow.messages.list
dialogflow.modelEvaluations.*
dialogflow.operations.get
dialogflow.pages.get
dialogflow.pages.list
dialogflow.participants.get
dialogflow.participants.list
dialogflow.
dialogflow.
dialogflow.phoneNumbers.list
dialogflow.playbooks.get
dialogflow.playbooks.list
dialogflow.
dialogflow.
dialogflow.
dialogflow.
dialogflow.
dialogflow.
dialogflow.testcases.get
dialogflow.testcases.list
dialogflow.tools.get
dialogflow.tools.list
dialogflow.
dialogflow.
dialogflow.versions.get
dialogflow.versions.list
dialogflow.webhooks.get
dialogflow.webhooks.list
resourcemanager.projects.get
resourcemanager.projects.list
CX Premium Viewer
(roles/)
A user can view the taxonomy and data reports in an AAM project.
dialogflow.agents.export
dialogflow.agents.get
dialogflow.agents.list
dialogflow.agents.search
dialogflow.
dialogflow.answerrecords.get
dialogflow.answerrecords.list
dialogflow.callMatchers.list
dialogflow.changelogs.*
dialogflow.contexts.get
dialogflow.contexts.list
dialogflow.
dialogflow.
dialogflow.
dialogflow.
dialogflow.
dialogflow.
dialogflow.conversations.get
dialogflow.conversations.list
dialogflow.deployments.*
dialogflow.documents.get
dialogflow.documents.list
dialogflow.encryptionspec.get
dialogflow.entityTypes.get
dialogflow.entityTypes.list
dialogflow.environments.get
dialogflow.environments.list
dialogflow.examples.get
dialogflow.examples.list
dialogflow.experiments.get
dialogflow.experiments.list
dialogflow.flows.get
dialogflow.flows.list
dialogflow.fulfillments.get
dialogflow.generators.get
dialogflow.generators.list
dialogflow.integrations.get
dialogflow.integrations.list
dialogflow.intents.get
dialogflow.intents.list
dialogflow.knowledgeBases.get
dialogflow.knowledgeBases.list
dialogflow.messages.list
dialogflow.modelEvaluations.*
dialogflow.operations.get
dialogflow.pages.get
dialogflow.pages.list
dialogflow.participants.get
dialogflow.participants.list
dialogflow.
dialogflow.
dialogflow.phoneNumbers.list
dialogflow.playbooks.get
dialogflow.playbooks.list
dialogflow.
dialogflow.
dialogflow.
dialogflow.
dialogflow.
dialogflow.
dialogflow.testcases.get
dialogflow.testcases.list
dialogflow.tools.get
dialogflow.tools.list
dialogflow.
dialogflow.
dialogflow.versions.get
dialogflow.versions.list
dialogflow.webhooks.get
dialogflow.webhooks.list
resourcemanager.projects.get
resourcemanager.projects.list
Dialogflow API Admin
(roles/)
Grant to Dialogflow API admins
that need full access to Dialogflow-specific resources.
Also see
Dialogflow access control .
Lowest-level resources where you can grant this role:
dialogflow.*
resourcemanager.projects.get
Dialogflow Agent Assist Client
(roles/)
Can create and handle live conversations using Agent Assist features.
dialogflow.answerrecords.*
dialogflow.
dialogflow.
dialogflow.
dialogflow.
dialogflow.conversations.*
dialogflow.documents.get
dialogflow.documents.list
dialogflow.generators.get
dialogflow.knowledgeBases.get
dialogflow.knowledgeBases.list
dialogflow.messages.list
dialogflow.participants.*
dialogflow.
Dialogflow API Client
(roles/)
Grant to Dialogflow API clients
that perform Dialogflow-specific edits and detect intent calls
using the API.
Also see
Dialogflow access control .
Lowest-level resources where you can grant this role:
dialogflow.contexts.*
dialogflow.conversations.*
dialogflow.
dialogflow.messages.list
dialogflow.participants.*
dialogflow.
dialogflow.sessions.*
Dialogflow Console Agent Editor
(roles/)
Grant to Dialogflow Console editors
that edit existing agents.
Also see
Dialogflow access control .
Lowest-level resources where you can grant this role:
actions.agentVersions.create
dialogflow.*
resourcemanager.projects.get
Dialogflow Console Simulator User
(roles/)
Can perform query of dialogflow suggestions in the simulator in web console.
dialogflow.
dialogflow.
dialogflow.
dialogflow.
dialogflow.conversations.*
dialogflow.documents.get
dialogflow.documents.list
dialogflow.knowledgeBases.get
dialogflow.knowledgeBases.list
dialogflow.participants.*
dialogflow.
resourcemanager.projects.get
resourcemanager.projects.list
Dialogflow Console Smart Messaging Allowlist Editor
(roles/)
Can edit allowlist for smart messaging associated with conversation model in the agent assist console
dialogflow.
dialogflow.
dialogflow.
dialogflow.
dialogflow.
dialogflow.documents.get
dialogflow.documents.list
dialogflow.operations.get
dialogflow.
resourcemanager.projects.get
resourcemanager.projects.list
Dialogflow Conversation Manager
(roles/)
Can manage all the resources related to Dialogflow Conversations.
dialogflow.
dialogflow.conversations.*
dialogflow.participants.*
Dialogflow Entity Type Admin
(roles/)
Can read & write entity types.
dialogflow.entityTypes.*
Dialogflow Environment editor
(roles/)
Can read & update environment and its sub-resources.
dialogflow.deployments.*
dialogflow.environments.get
dialogflow.
dialogflow.environments.list
dialogflow.
dialogflow.
dialogflow.environments.update
dialogflow.experiments.*
Dialogflow Flow editor
(roles/)
Can read & update flow and its sub-resources.
dialogflow.flows.get
dialogflow.flows.list
dialogflow.flows.train
dialogflow.flows.update
dialogflow.flows.validate
dialogflow.pages.*
dialogflow.
dialogflow.versions.*
Dialogflow Integration Manager
(roles/)
Can add, remove, enable and disable Dialogflow integrations.
dialogflow.integrations.*
Dialogflow Intent Admin
(roles/)
Can read & write intents.
dialogflow.intents.*
Dialogflow API Reader
(roles/)
Grant to Dialogflow API clients
that perform Dialogflow-specific read-only calls
using the API.
Also see
Dialogflow access control .
Lowest-level resources where you can grant this role:
dialogflow.agents.export
dialogflow.agents.get
dialogflow.agents.list
dialogflow.agents.search
dialogflow.
dialogflow.answerrecords.get
dialogflow.answerrecords.list
dialogflow.callMatchers.list
dialogflow.changelogs.*
dialogflow.contexts.get
dialogflow.contexts.list
dialogflow.
dialogflow.
dialogflow.
dialogflow.
dialogflow.
dialogflow.
dialogflow.conversations.get
dialogflow.conversations.list
dialogflow.deployments.*
dialogflow.documents.get
dialogflow.documents.list
dialogflow.encryptionspec.get
dialogflow.entityTypes.get
dialogflow.entityTypes.list
dialogflow.environments.get
dialogflow.environments.list
dialogflow.examples.get
dialogflow.examples.list
dialogflow.experiments.get
dialogflow.experiments.list
dialogflow.flows.get
dialogflow.flows.list
dialogflow.fulfillments.get
dialogflow.generators.get
dialogflow.generators.list
dialogflow.integrations.get
dialogflow.integrations.list
dialogflow.intents.get
dialogflow.intents.list
dialogflow.knowledgeBases.get
dialogflow.knowledgeBases.list
dialogflow.messages.list
dialogflow.modelEvaluations.*
dialogflow.operations.get
dialogflow.pages.get
dialogflow.pages.list
dialogflow.participants.get
dialogflow.participants.list
dialogflow.
dialogflow.
dialogflow.phoneNumbers.list
dialogflow.playbooks.get
dialogflow.playbooks.list
dialogflow.
dialogflow.
dialogflow.
dialogflow.
dialogflow.
dialogflow.
dialogflow.testcases.get
dialogflow.testcases.list
dialogflow.tools.get
dialogflow.tools.list
dialogflow.
dialogflow.
dialogflow.versions.get
dialogflow.versions.list
dialogflow.webhooks.get
dialogflow.webhooks.list
resourcemanager.projects.get
Dialogflow Test Case Admin
(roles/)
Can read & write test cases.
dialogflow.testcases.*
Dialogflow Webhook Admin
(roles/)
Can read & write webhooks.
dialogflow.webhooks.*
DNS roles
Permissions
DNS Administrator
(roles/)
Provides read-write access to all Cloud DNS resources.
Lowest-level resources where you can grant this role:
compute.networks.get
compute.networks.list
dns.changes.*
dns.dnsKeys.*
dns.gkeClusters.*
dns.managedZoneOperations.*
dns.managedZones.create
dns.managedZones.delete
dns.managedZones.get
dns.managedZones.getIamPolicy
dns.managedZones.list
dns.managedZones.update
dns.networks.*
dns.policies.*
dns.projects.get
dns.resourceRecordSets.*
dns.responsePolicies.*
dns.responsePolicyRules.*
resourcemanager.projects.get
resourcemanager.projects.list
DNS Peer
(roles/)
Access to target networks with DNS peering zones
dns.
DNS Reader
(roles/)
Provides read-only access to all Cloud DNS resources.
Lowest-level resources where you can grant this role:
compute.networks.get
dns.changes.get
dns.changes.list
dns.dnsKeys.*
dns.managedZoneOperations.*
dns.managedZones.get
dns.managedZones.list
dns.policies.get
dns.policies.list
dns.projects.get
dns.resourceRecordSets.get
dns.resourceRecordSets.list
dns.responsePolicies.get
dns.responsePolicies.list
dns.responsePolicyRules.get
dns.responsePolicyRules.list
resourcemanager.projects.get
resourcemanager.projects.list
Document AI roles
Permissions
Document AI Administrator
Beta
(roles/)
Grants full access to all resources in Document AI
documentai.*
resourcemanager.projects.get
resourcemanager.projects.list
Document AI API User
Beta
(roles/)
Grants access to process documents in Document AI
documentai.
documentai.
documentai.
documentai.
documentai.
documentai.
Document AI Editor
Beta
(roles/)
Grants access to use all resources in Document AI
documentai.*
resourcemanager.projects.get
resourcemanager.projects.list
Document AI Viewer
Beta
(roles/)
Grants access to view all resources and process documents in Document AI
documentai.
documentai.datasetSchemas.get
documentai.datasets.get
documentai.
documentai.
documentai.
documentai.evaluations.get
documentai.evaluations.list
documentai.
documentai.
documentai.labelerPools.get
documentai.labelerPools.list
documentai.locations.*
documentai.
documentai.
documentai.processorTypes.*
documentai.
documentai.
documentai.
documentai.
documentai.
documentai.processors.get
documentai.processors.list
documentai.
documentai.
resourcemanager.projects.get
resourcemanager.projects.list
Earth Engine roles
Permissions
Earth Engine Resource Admin
Beta
(roles/)
Full access to all Earth Engine resource features
earthengine.*
resourcemanager.projects.get
resourcemanager.projects.list
Earth Engine Apps Publisher
Beta
(roles/)
Publisher of Earth Engine Apps
iam.serviceAccounts.create
iam.serviceAccounts.disable
iam.serviceAccounts.enable
iam.serviceAccounts.get
iam.
iam.
resourcemanager.projects.get
serviceusage.services.get
Earth Engine Resource Viewer
Beta
(roles/)
Viewer of all Earth Engine resources
earthengine.assets.get
earthengine.
earthengine.assets.list
earthengine.
earthengine.config.get
earthengine.
earthengine.maps.get
earthengine.operations.get
earthengine.operations.list
earthengine.tables.get
earthengine.thumbnails.get
earthengine.
resourcemanager.projects.get
resourcemanager.projects.list
Earth Engine Resource Writer
Beta
(roles/)
Writer of all Earth Engine resources
earthengine.assets.create
earthengine.assets.delete
earthengine.assets.get
earthengine.
earthengine.assets.list
earthengine.assets.update
earthengine.
earthengine.config.*
earthengine.exports.create
earthengine.
earthengine.
earthengine.imports.create
earthengine.maps.*
earthengine.operations.*
earthengine.tables.*
earthengine.thumbnails.*
earthengine.videothumbnails.*
resourcemanager.projects.get
resourcemanager.projects.list
Edge Container roles
Permissions
Edge Container Admin
(roles/)
Full access to Edge Container all resources.
edgecontainer.*
resourcemanager.projects.get
resourcemanager.projects.list
Edge Container Machine User
(roles/)
Access to use Edge Container Machine resources.
edgecontainer.machines.get
edgecontainer.
edgecontainer.machines.list
edgecontainer.machines.use
resourcemanager.projects.get
resourcemanager.projects.list
Edge Container Cluster offline Credential User
(roles/)
Access to get Edge Container cluster offline credentials
edgecontainer.
resourcemanager.projects.get
resourcemanager.projects.list
Edge Container Viewer
(roles/)
Read-only access to Edge Container all resources.
edgecontainer.
edgecontainer.clusters.get
edgecontainer.
edgecontainer.clusters.list
edgecontainer.locations.*
edgecontainer.machines.get
edgecontainer.
edgecontainer.machines.list
edgecontainer.nodePools.get
edgecontainer.
edgecontainer.nodePools.list
edgecontainer.operations.get
edgecontainer.operations.list
edgecontainer.serverconfig.get
edgecontainer.
edgecontainer.
edgecontainer.
resourcemanager.projects.get
resourcemanager.projects.list
Edge Network roles
Permissions
Edge Network Admin
(roles/)
Full access to Edge Network all resources.
edgenetwork.*
resourcemanager.projects.get
resourcemanager.projects.list
Edge Network Viewer
(roles/)
Read-only access to Edge Network all resources.
edgenetwork.
edgenetwork.
edgenetwork.
edgenetwork.interconnects.get
edgenetwork.
edgenetwork.
edgenetwork.interconnects.list
edgenetwork.locations.*
edgenetwork.networks.get
edgenetwork.
edgenetwork.networks.getStatus
edgenetwork.networks.list
edgenetwork.operations.get
edgenetwork.operations.list
edgenetwork.routers.get
edgenetwork.
edgenetwork.
edgenetwork.routers.list
edgenetwork.routes.get
edgenetwork.routes.list
edgenetwork.subnetworks.get
edgenetwork.
edgenetwork.
edgenetwork.subnetworks.list
edgenetwork.zones.get
edgenetwork.zones.list
resourcemanager.projects.get
resourcemanager.projects.list
Enterprise Knowledge Graph roles
Permissions
Enterprise Knowledge Graph Admin
Beta
(roles/)
Administrator of Enterprise Knowledge Graph resources
enterpriseknowledgegraph.*
resourcemanager.projects.get
resourcemanager.projects.list
Enterprise Knowledge Graph Editor
Beta
(roles/)
Editor of Enterprise Knowledge Graph resources
enterpriseknowledgegraph.*
resourcemanager.projects.get
resourcemanager.projects.list
Enterprise Knowledge Graph Viewer
Beta
(roles/)
Viewer of Enterprise Knowledge Graph resources
enterpriseknowledgegraph.
enterpriseknowledgegraph.
enterpriseknowledgegraph.
enterpriseknowledgegraph.
resourcemanager.projects.get
resourcemanager.projects.list
Error Reporting roles
Permissions
Error Reporting Admin
Beta
(roles/)
Provides full access to Error Reporting data.
Lowest-level resources where you can grant this role:
cloudnotifications.
errorreporting.*
logging.notificationRules.*
resourcemanager.projects.get
resourcemanager.projects.list
stackdriver.projects.get
Error Reporting User
Beta
(roles/)
Provides the permissions to read and write Error Reporting data, except
for sending new error events.
Lowest-level resources where you can grant this role:
cloudnotifications.
errorreporting.
errorreporting.
errorreporting.
errorreporting.groupMetadata.*
errorreporting.groups.list
logging.notificationRules.*
resourcemanager.projects.get
resourcemanager.projects.list
stackdriver.projects.get
Error Reporting Viewer
Beta
(roles/)
Provides read-only access to Error Reporting data.
Lowest-level resources where you can grant this role:
cloudnotifications.
errorreporting.
errorreporting.
errorreporting.
errorreporting.groups.list
logging.notificationRules.get
logging.notificationRules.list
resourcemanager.projects.get
resourcemanager.projects.list
stackdriver.projects.get
Error Reporting Writer
Beta
(roles/)
Provides the permissions to send error events to Error Reporting.
Lowest-level resources where you can grant this role:
errorreporting.
Eventarc roles
Permissions
Eventarc Admin
(roles/)
Full control over all Eventarc resources.
Lowest-level resources where you can grant this role:
eventarc.*
resourcemanager.projects.get
resourcemanager.projects.list
Eventarc Connection Publisher
Beta
(roles/)
Can publish events to Eventarc channel connections.
Lowest-level resources where you can grant this role:
eventarc.
eventarc.
eventarc.
resourcemanager.projects.get
resourcemanager.projects.list
Eventarc Developer
(roles/)
Access to read and write Eventarc resources.
Lowest-level resources where you can grant this role:
eventarc.
eventarc.
eventarc.
eventarc.
eventarc.
eventarc.
eventarc.channels.attach
eventarc.channels.create
eventarc.channels.delete
eventarc.channels.get
eventarc.channels.getIamPolicy
eventarc.channels.list
eventarc.channels.publish
eventarc.channels.undelete
eventarc.channels.update
eventarc.enrollments.create
eventarc.enrollments.delete
eventarc.enrollments.get
eventarc.
eventarc.enrollments.list
eventarc.enrollments.update
eventarc.
eventarc.
eventarc.googleApiSources.get
eventarc.
eventarc.googleApiSources.list
eventarc.
eventarc.
eventarc.kafkaSources.create
eventarc.kafkaSources.delete
eventarc.kafkaSources.get
eventarc.
eventarc.kafkaSources.list
eventarc.locations.*
eventarc.operations.*
eventarc.pipelines.create
eventarc.pipelines.delete
eventarc.pipelines.get
eventarc.
eventarc.pipelines.list
eventarc.pipelines.update
eventarc.providers.*
eventarc.triggers.create
eventarc.triggers.delete
eventarc.triggers.get
eventarc.triggers.getIamPolicy
eventarc.triggers.list
eventarc.triggers.undelete
eventarc.triggers.update
resourcemanager.projects.get
resourcemanager.projects.list
Eventarc Event Receiver
(roles/)
Can receive events from all event providers.
Lowest-level resources where you can grant this role:
eventarc.events.*
Eventarc Message Bus Admin
Beta
(roles/)
Full control over Message Buses resources.
eventarc.messageBuses.create
eventarc.messageBuses.delete
eventarc.messageBuses.get
eventarc.
eventarc.messageBuses.list
eventarc.messageBuses.publish
eventarc.messageBuses.update
eventarc.messageBuses.use
Eventarc Message Bus User
Beta
(roles/)
Access to publish to or bind to a Message Bus.
eventarc.messageBuses.get
eventarc.messageBuses.list
eventarc.messageBuses.publish
eventarc.messageBuses.use
Eventarc Publisher
Beta
(roles/)
Can publish events to Eventarc channels.
Lowest-level resources where you can grant this role:
eventarc.channels.get
eventarc.channels.list
eventarc.channels.publish
resourcemanager.projects.get
resourcemanager.projects.list
Eventarc Viewer
(roles/)
Can view the state of all Eventarc resources, including IAM policies.
Lowest-level resources where you can grant this role:
eventarc.
eventarc.
eventarc.
eventarc.channels.get
eventarc.channels.getIamPolicy
eventarc.channels.list
eventarc.enrollments.get
eventarc.
eventarc.enrollments.list
eventarc.googleApiSources.get
eventarc.
eventarc.googleApiSources.list
eventarc.
eventarc.kafkaSources.get
eventarc.
eventarc.kafkaSources.list
eventarc.locations.*
eventarc.messageBuses.get
eventarc.
eventarc.messageBuses.list
eventarc.messageBuses.use
eventarc.operations.get
eventarc.operations.list
eventarc.pipelines.get
eventarc.
eventarc.pipelines.list
eventarc.providers.*
eventarc.triggers.get
eventarc.triggers.getIamPolicy
eventarc.triggers.list
resourcemanager.projects.get
resourcemanager.projects.list
Firebase roles
Permissions
Firebase Admin
(roles/)
Full access to Firebase products.
apikeys.keys.get
apikeys.keys.getKeyString
apikeys.keys.list
apikeys.keys.lookup
appengine.applications.get
artifactregistry.
artifactregistry.
artifactregistry.
artifactregistry.
artifactregistry.files.get
artifactregistry.files.list
artifactregistry.locations.*
artifactregistry.
artifactregistry.npmpackages.*
artifactregistry.packages.get
artifactregistry.packages.list
artifactregistry.
artifactregistry.
artifactregistry.
artifactregistry.
artifactregistry.
artifactregistry.
artifactregistry.
artifactregistry.
artifactregistry.rules.get
artifactregistry.rules.list
artifactregistry.tags.get
artifactregistry.tags.list
artifactregistry.versions.get
artifactregistry.versions.list
automl.*
clientauthconfig.brands.get
clientauthconfig.brands.list
clientauthconfig.brands.update
clientauthconfig.
clientauthconfig.
clientauthconfig.clients.get
clientauthconfig.clients.list
clientauthconfig.
cloudasset.
cloudbuild.builds.get
cloudbuild.builds.list
cloudbuild.locations.*
cloudbuild.operations.*
cloudconfig.*
cloudfunctions.*
cloudkms.keyHandles.*
cloudkms.operations.get
cloudkms.
cloudmessaging.messages.create
cloudnotifications.
cloudtestservice.
cloudtestservice.matrices.*
cloudtoolresults.*
datastore.*
errorreporting.groups.list
eventarc.*
fcmdata.deliverydata.list
firebase.*
firebaseabt.*
firebaseanalytics.*
firebaseappcheck.*
firebaseappdistro.*
firebaseauth.*
firebasecrash.*
firebasecrashlytics.*
firebasedatabase.*
firebasedataconnect.*
firebasedynamiclinks.*
firebaseextensions.*
firebaseextensionspublisher.*
firebasehosting.*
firebaseinappmessaging.*
firebasemessagingcampaigns.*
firebaseml.*
firebasenotifications.*
firebaseperformance.*
firebaserules.*
firebasestorage.*
logging.logEntries.list
monitoring.timeSeries.list
oauthconfig.verification.get
orgpolicy.policy.get
recommender.
recommender.
recommender.
recommender.
recommender.locations.*
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
remotebuildexecution.blobs.get
resourcemanager.
resourcemanager.projects.get
resourcemanager.
resourcemanager.projects.list
run.*
runtimeconfig.configs.create
runtimeconfig.configs.delete
runtimeconfig.configs.get
runtimeconfig.configs.list
runtimeconfig.configs.update
runtimeconfig.operations.*
runtimeconfig.variables.create
runtimeconfig.variables.delete
runtimeconfig.variables.get
runtimeconfig.variables.list
runtimeconfig.variables.update
runtimeconfig.variables.watch
runtimeconfig.waiters.create
runtimeconfig.waiters.delete
runtimeconfig.waiters.get
runtimeconfig.waiters.list
runtimeconfig.waiters.update
serviceusage.quotas.get
serviceusage.services.get
serviceusage.services.list
storage.anywhereCaches.*
storage.bucketOperations.*
storage.buckets.*
storage.folders.*
storage.intelligenceConfigs.*
storage.managedFolders.*
storage.multipartUploads.*
storage.objects.*
Firebase Analytics Admin
(roles/)
Full access to Google Analytics for Firebase.
cloudnotifications.
firebase.billingPlans.get
firebase.clients.get
firebase.clients.list
firebase.links.list
firebase.playLinks.get
firebase.playLinks.list
firebase.projects.get
firebaseanalytics.*
firebaseextensions.
resourcemanager.projects.get
resourcemanager.
resourcemanager.projects.list
Firebase Analytics Viewer
(roles/)
Read access to Google Analytics for Firebase.
cloudnotifications.
firebase.billingPlans.get
firebase.clients.get
firebase.clients.list
firebase.links.list
firebase.playLinks.get
firebase.playLinks.list
firebase.projects.get
firebaseanalytics.
firebaseextensions.
resourcemanager.projects.get
resourcemanager.
resourcemanager.projects.list
Firebase Develop Admin
(roles/)
Full access to Firebase Develop products and Analytics.
apikeys.keys.get
apikeys.keys.getKeyString
apikeys.keys.list
apikeys.keys.lookup
appengine.applications.get
artifactregistry.
artifactregistry.
artifactregistry.
artifactregistry.
artifactregistry.files.get
artifactregistry.files.list
artifactregistry.locations.*
artifactregistry.
artifactregistry.npmpackages.*
artifactregistry.packages.get
artifactregistry.packages.list
artifactregistry.
artifactregistry.
artifactregistry.
artifactregistry.
artifactregistry.
artifactregistry.
artifactregistry.
artifactregistry.
artifactregistry.rules.get
artifactregistry.rules.list
artifactregistry.tags.get
artifactregistry.tags.list
artifactregistry.versions.get
artifactregistry.versions.list
automl.*
clientauthconfig.brands.get
clientauthconfig.brands.list
clientauthconfig.brands.update
clientauthconfig.clients.get
clientauthconfig.clients.list
cloudasset.
cloudbuild.builds.get
cloudbuild.builds.list
cloudbuild.locations.*
cloudbuild.operations.*
cloudfunctions.*
cloudkms.keyHandles.*
cloudkms.operations.get
cloudkms.
cloudnotifications.
datastore.*
errorreporting.groups.list
eventarc.*
firebase.billingPlans.get
firebase.clients.get
firebase.clients.list
firebase.links.list
firebase.playLinks.get
firebase.playLinks.list
firebase.projects.get
firebaseanalytics.*
firebaseappcheck.*
firebaseauth.*
firebasedatabase.*
firebasedataconnect.*
firebaseextensions.
firebasehosting.*
firebaseml.*
firebaserules.*
firebasestorage.*
logging.logEntries.list
monitoring.timeSeries.list
oauthconfig.verification.get
orgpolicy.policy.get
recommender.
recommender.
recommender.
recommender.
recommender.locations.*
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
remotebuildexecution.blobs.get
resourcemanager.
resourcemanager.projects.get
resourcemanager.
resourcemanager.projects.list
run.*
runtimeconfig.configs.create
runtimeconfig.configs.delete
runtimeconfig.configs.get
runtimeconfig.configs.list
runtimeconfig.configs.update
runtimeconfig.operations.*
runtimeconfig.variables.create
runtimeconfig.variables.delete
runtimeconfig.variables.get
runtimeconfig.variables.list
runtimeconfig.variables.update
runtimeconfig.variables.watch
runtimeconfig.waiters.create
runtimeconfig.waiters.delete
runtimeconfig.waiters.get
runtimeconfig.waiters.list
runtimeconfig.waiters.update
serviceusage.quotas.get
serviceusage.services.get
serviceusage.services.list
storage.anywhereCaches.*
storage.bucketOperations.*
storage.buckets.*
storage.folders.*
storage.intelligenceConfigs.*
storage.managedFolders.*
storage.multipartUploads.*
storage.objects.*
Firebase Develop Viewer
(roles/)
Read access to Firebase Develop products and Analytics.
apikeys.keys.get
apikeys.keys.list
automl.annotationSpecs.get
automl.annotationSpecs.list
automl.annotations.list
automl.columnSpecs.get
automl.columnSpecs.list
automl.datasets.get
automl.datasets.list
automl.examples.get
automl.examples.list
automl.files.list
automl.
automl.
automl.locations.get
automl.locations.list
automl.modelEvaluations.get
automl.modelEvaluations.list
automl.models.get
automl.models.list
automl.operations.get
automl.operations.list
automl.tableSpecs.get
automl.tableSpecs.list
clientauthconfig.brands.get
clientauthconfig.brands.list
cloudasset.
cloudbuild.builds.get
cloudbuild.builds.list
cloudbuild.locations.*
cloudbuild.operations.*
cloudfunctions.functions.get
cloudfunctions.
cloudfunctions.functions.list
cloudfunctions.locations.list
cloudfunctions.operations.*
cloudnotifications.
datastore.backups.get
datastore.backups.list
datastore.databases.get
datastore.
datastore.databases.list
datastore.entities.get
datastore.entities.list
datastore.indexes.get
datastore.indexes.list
datastore.namespaces.*
datastore.statistics.*
errorreporting.groups.list
eventarc.
eventarc.
eventarc.
eventarc.channels.get
eventarc.channels.getIamPolicy
eventarc.channels.list
eventarc.enrollments.get
eventarc.
eventarc.enrollments.list
eventarc.googleApiSources.get
eventarc.
eventarc.googleApiSources.list
eventarc.
eventarc.kafkaSources.get
eventarc.
eventarc.kafkaSources.list
eventarc.locations.*
eventarc.messageBuses.get
eventarc.
eventarc.messageBuses.list
eventarc.messageBuses.use
eventarc.operations.get
eventarc.operations.list
eventarc.pipelines.get
eventarc.
eventarc.pipelines.list
eventarc.providers.*
eventarc.triggers.get
eventarc.triggers.getIamPolicy
eventarc.triggers.list
firebase.billingPlans.get
firebase.clients.get
firebase.clients.list
firebase.links.list
firebase.playLinks.get
firebase.playLinks.list
firebase.projects.get
firebaseanalytics.
firebaseappcheck.
firebaseappcheck.
firebaseappcheck.
firebaseappcheck.
firebaseappcheck.
firebaseappcheck.
firebaseappcheck.
firebaseappcheck.
firebaseappcheck.services.get
firebaseauth.configs.get
firebaseauth.users.get
firebasedatabase.instances.get
firebasedatabase.
firebasedataconnect.
firebasedataconnect.
firebasedataconnect.
firebasedataconnect.
firebasedataconnect.
firebasedataconnect.
firebasedataconnect.
firebasedataconnect.
firebasedataconnect.
firebasedataconnect.
firebasedataconnect.
firebasedataconnect.
firebasedataconnect.
firebaseextensions.
firebasehosting.sites.get
firebasehosting.sites.list
firebaseml.models.get
firebaseml.models.list
firebaseml.modelversions.get
firebaseml.modelversions.list
firebaserules.releases.get
firebaserules.releases.list
firebaserules.rulesets.get
firebaserules.rulesets.list
firebasestorage.buckets.get
firebasestorage.buckets.list
firebasestorage.
logging.logEntries.list
monitoring.timeSeries.list
oauthconfig.verification.get
recommender.
recommender.
recommender.
recommender.
recommender.locations.*
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
remotebuildexecution.blobs.get
resourcemanager.projects.get
resourcemanager.
resourcemanager.projects.list
run.configurations.*
run.executions.get
run.executions.list
run.jobs.get
run.jobs.getIamPolicy
run.jobs.list
run.jobs.listEffectiveTags
run.jobs.listTagBindings
run.locations.list
run.operations.get
run.operations.list
run.revisions.get
run.revisions.list
run.routes.get
run.routes.list
run.services.get
run.services.getIamPolicy
run.services.list
run.services.listEffectiveTags
run.services.listTagBindings
run.tasks.*
serviceusage.quotas.get
serviceusage.services.get
serviceusage.services.list
storage.buckets.get
storage.buckets.getIamPolicy
storage.buckets.list
storage.objects.get
storage.objects.getIamPolicy
storage.objects.list
Firebase Grow Admin
(roles/)
Full access to Firebase Grow products and Analytics.
apikeys.keys.get
apikeys.keys.list
clientauthconfig.clients.get
clientauthconfig.clients.list
cloudconfig.*
cloudmessaging.messages.create
cloudnotifications.
fcmdata.deliverydata.list
firebase.billingPlans.get
firebase.clients.get
firebase.clients.list
firebase.links.list
firebase.playLinks.get
firebase.playLinks.list
firebase.projects.get
firebaseabt.*
firebaseanalytics.*
firebasedynamiclinks.*
firebaseextensions.
firebaseinappmessaging.*
firebasemessagingcampaigns.*
firebasenotifications.*
monitoring.timeSeries.list
resourcemanager.projects.get
resourcemanager.
resourcemanager.projects.list
serviceusage.quotas.get
serviceusage.services.get
serviceusage.services.list
Firebase Grow Viewer
(roles/)
Read access to Firebase Grow products and Analytics.
apikeys.keys.get
apikeys.keys.list
cloudconfig.configs.get
cloudnotifications.
fcmdata.deliverydata.list
firebase.billingPlans.get
firebase.clients.get
firebase.clients.list
firebase.links.list
firebase.playLinks.get
firebase.playLinks.list
firebase.projects.get
firebaseabt.
firebaseabt.experiments.get
firebaseabt.experiments.list
firebaseabt.
firebaseanalytics.
firebasedynamiclinks.
firebasedynamiclinks.
firebasedynamiclinks.
firebasedynamiclinks.links.get
firebasedynamiclinks.
firebasedynamiclinks.stats.get
firebaseextensions.
firebaseinappmessaging.
firebaseinappmessaging.
firebasemessagingcampaigns.
firebasemessagingcampaigns.
firebasenotifications.
firebasenotifications.
monitoring.timeSeries.list
resourcemanager.projects.get
resourcemanager.
resourcemanager.projects.list
serviceusage.quotas.get
serviceusage.services.get
serviceusage.services.list
Firebase Quality Admin
(roles/)
Full access to Firebase Quality products and Analytics.
apikeys.keys.get
apikeys.keys.list
cloudnotifications.
firebase.billingPlans.get
firebase.clients.get
firebase.clients.list
firebase.links.list
firebase.playLinks.get
firebase.playLinks.list
firebase.projects.get
firebaseanalytics.*
firebaseappdistro.*
firebasecrash.*
firebasecrashlytics.*
firebaseextensions.
firebaseperformance.*
monitoring.timeSeries.list
resourcemanager.projects.get
resourcemanager.
resourcemanager.projects.list
serviceusage.quotas.get
serviceusage.services.get
serviceusage.services.list
Firebase Quality Viewer
(roles/)
Read access to Firebase Quality products and Analytics.
apikeys.keys.get
apikeys.keys.list
cloudnotifications.
firebase.billingPlans.get
firebase.clients.get
firebase.clients.list
firebase.links.list
firebase.playLinks.get
firebase.playLinks.list
firebase.projects.get
firebaseanalytics.
firebaseappdistro.groups.list
firebaseappdistro.
firebaseappdistro.testers.list
firebasecrash.reports.get
firebasecrashlytics.config.get
firebasecrashlytics.data.get
firebasecrashlytics.issues.get
firebasecrashlytics.
firebasecrashlytics.
firebaseextensions.
firebaseperformance.data.get
monitoring.timeSeries.list
resourcemanager.projects.get
resourcemanager.
resourcemanager.projects.list
serviceusage.quotas.get
serviceusage.services.get
serviceusage.services.list
Firebase Admin SDK Administrator Service Agent
(roles/)
Read and write access to Firebase products available in the Admin SDK
appengine.applications.get
cloudconfig.*
cloudmessaging.messages.create
datastore.databases.get
datastore.
datastore.databases.list
datastore.entities.*
datastore.indexes.get
datastore.indexes.list
datastore.insights.get
datastore.namespaces.*
datastore.statistics.*
firebase.clients.*
firebase.projects.get
firebase.projects.update
firebaseappcheck.*
firebaseauth.configs.create
firebaseauth.configs.get
firebaseauth.configs.getSecret
firebaseauth.configs.update
firebaseauth.users.*
firebasedatabase.*
firebasedataconnect.*
firebasehosting.*
firebaseml.*
firebasenotifications.*
firebaserules.releases.get
firebaserules.releases.list
firebaserules.releases.update
firebaserules.rulesets.create
firebaserules.rulesets.delete
firebaserules.rulesets.get
firebaserules.rulesets.list
identitytoolkit.*
orgpolicy.policy.get
resourcemanager.projects.get
resourcemanager.projects.list
resourcemanager.
storage.buckets.create
storage.buckets.delete
storage.buckets.get
storage.buckets.list
storage.buckets.update
storage.folders.*
storage.managedFolders.create
storage.managedFolders.delete
storage.managedFolders.get
storage.managedFolders.list
storage.multipartUploads.*
storage.objects.*
Firebase SDK Provisioning Service Agent
(roles/)
Access to provision apps with the Admin SDK.
apikeys.keys.list
clientauthconfig.clients.list
cloudmessaging.messages.create
firebase.clients.create
servicemanagement.
serviceusage.services.enable
serviceusage.services.get
Firebase Viewer
(roles/)
Read-only access to Firebase products.
apikeys.keys.get
apikeys.keys.list
automl.annotationSpecs.get
automl.annotationSpecs.list
automl.annotations.list
automl.columnSpecs.get
automl.columnSpecs.list
automl.datasets.get
automl.datasets.list
automl.examples.get
automl.examples.list
automl.files.list
automl.
automl.
automl.locations.get
automl.locations.list
automl.modelEvaluations.get
automl.modelEvaluations.list
automl.models.get
automl.models.list
automl.operations.get
automl.operations.list
automl.tableSpecs.get
automl.tableSpecs.list
clientauthconfig.brands.get
clientauthconfig.brands.list
cloudasset.
cloudbuild.builds.get
cloudbuild.builds.list
cloudbuild.locations.*
cloudbuild.operations.*
cloudconfig.configs.get
cloudfunctions.functions.get
cloudfunctions.
cloudfunctions.functions.list
cloudfunctions.locations.list
cloudfunctions.operations.*
cloudnotifications.
cloudtestservice.
cloudtestservice.matrices.get
cloudtoolresults.
cloudtoolresults.
cloudtoolresults.histories.get
cloudtoolresults.
cloudtoolresults.settings.get
cloudtoolresults.steps.get
cloudtoolresults.steps.list
datastore.backups.get
datastore.backups.list
datastore.databases.get
datastore.
datastore.databases.list
datastore.entities.get
datastore.entities.list
datastore.indexes.get
datastore.indexes.list
datastore.namespaces.*
datastore.statistics.*
errorreporting.groups.list
eventarc.
eventarc.
eventarc.
eventarc.channels.get
eventarc.channels.getIamPolicy
eventarc.channels.list
eventarc.enrollments.get
eventarc.
eventarc.enrollments.list
eventarc.googleApiSources.get
eventarc.
eventarc.googleApiSources.list
eventarc.
eventarc.kafkaSources.get
eventarc.
eventarc.kafkaSources.list
eventarc.locations.*
eventarc.messageBuses.get
eventarc.
eventarc.messageBuses.list
eventarc.messageBuses.use
eventarc.operations.get
eventarc.operations.list
eventarc.pipelines.get
eventarc.
eventarc.pipelines.list
eventarc.providers.*
eventarc.triggers.get
eventarc.triggers.getIamPolicy
eventarc.triggers.list
fcmdata.deliverydata.list
firebase.billingPlans.get
firebase.clients.get
firebase.clients.list
firebase.links.list
firebase.playLinks.get
firebase.playLinks.list
firebase.projects.get
firebaseabt.
firebaseabt.experiments.get
firebaseabt.experiments.list
firebaseabt.
firebaseanalytics.
firebaseappcheck.
firebaseappcheck.
firebaseappcheck.
firebaseappcheck.
firebaseappcheck.
firebaseappcheck.
firebaseappcheck.
firebaseappcheck.
firebaseappcheck.services.get
firebaseappdistro.groups.list
firebaseappdistro.
firebaseappdistro.testers.list
firebaseauth.configs.get
firebaseauth.users.get
firebasecrash.reports.get
firebasecrashlytics.config.get
firebasecrashlytics.data.get
firebasecrashlytics.issues.get
firebasecrashlytics.
firebasecrashlytics.
firebasedatabase.instances.get
firebasedatabase.
firebasedataconnect.
firebasedataconnect.
firebasedataconnect.
firebasedataconnect.
firebasedataconnect.
firebasedataconnect.
firebasedataconnect.
firebasedataconnect.
firebasedataconnect.
firebasedataconnect.
firebasedataconnect.
firebasedataconnect.
firebasedataconnect.
firebasedynamiclinks.
firebasedynamiclinks.
firebasedynamiclinks.
firebasedynamiclinks.links.get
firebasedynamiclinks.
firebasedynamiclinks.stats.get
firebaseextensions.
firebaseextensionspublisher.
firebaseextensionspublisher.
firebasehosting.sites.get
firebasehosting.sites.list
firebaseinappmessaging.
firebaseinappmessaging.
firebasemessagingcampaigns.
firebasemessagingcampaigns.
firebaseml.models.get
firebaseml.models.list
firebaseml.modelversions.get
firebaseml.modelversions.list
firebasenotifications.
firebasenotifications.
firebaseperformance.data.get
firebaserules.releases.get
firebaserules.releases.list
firebaserules.rulesets.get
firebaserules.rulesets.list
firebasestorage.buckets.get
firebasestorage.buckets.list
firebasestorage.
logging.logEntries.list
monitoring.timeSeries.list
oauthconfig.verification.get
recommender.
recommender.
recommender.
recommender.
recommender.locations.*
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
remotebuildexecution.blobs.get
resourcemanager.projects.get
resourcemanager.
resourcemanager.projects.list
run.configurations.*
run.executions.get
run.executions.list
run.jobs.get
run.jobs.getIamPolicy
run.jobs.list
run.jobs.listEffectiveTags
run.jobs.listTagBindings
run.locations.list
run.operations.get
run.operations.list
run.revisions.get
run.revisions.list
run.routes.get
run.routes.list
run.services.get
run.services.getIamPolicy
run.services.list
run.services.listEffectiveTags
run.services.listTagBindings
run.tasks.*
serviceusage.quotas.get
serviceusage.services.get
serviceusage.services.list
storage.buckets.get
storage.buckets.getIamPolicy
storage.buckets.list
storage.objects.get
storage.objects.getIamPolicy
storage.objects.list
Firebase App Check Service Agent
(roles/)
Grants Firebase App Check Service Account access to consumer app attestation resources, such as reCAPTCHA Enterprise and Play Integrity API.
recaptchaenterprise.
serviceusage.services.use
Firebase Extensions API Service Agent
(roles/)
Grants Firebase Extensions API Service Account access to manage resources.
appengine.applications.get
artifactregistry.
cloudfunctions.
cloudfunctions.
cloudtasks.locations.*
cloudtasks.queues.*
cloudtasks.tasks.create
cloudtasks.tasks.fullView
deploymentmanager.
deploymentmanager.
deploymentmanager.
deploymentmanager.
deploymentmanager.
deploymentmanager.
deploymentmanager.
deploymentmanager.
deploymentmanager.manifests.*
deploymentmanager.operations.*
deploymentmanager.resources.*
deploymentmanager.
deploymentmanager.types.*
eventarc.channels.create
eventarc.channels.delete
eventarc.channels.get
eventarc.channels.setIamPolicy
iam.serviceAccounts.actAs
iam.serviceAccounts.create
iam.serviceAccounts.get
iam.serviceAccounts.list
resourcemanager.projects.get
resourcemanager.projects.list
resourcemanager.
run.services.getIamPolicy
run.services.setIamPolicy
serviceusage.quotas.get
serviceusage.services.enable
serviceusage.services.get
serviceusage.services.list
Firebase Products roles
Permissions
Firebase Remote Config Admin
(roles/)
Full access to Firebase Remote Config resources.
cloudconfig.*
firebase.clients.get
firebase.clients.list
firebase.projects.get
resourcemanager.projects.get
resourcemanager.projects.list
Firebase Remote Config Viewer
(roles/)
Read access to Firebase Remote Config resources.
cloudconfig.configs.get
firebase.clients.get
firebase.clients.list
firebase.projects.get
resourcemanager.projects.get
resourcemanager.projects.list
Firebase Test Lab Direct Access Admin
Beta
(roles/)
Administrator owning access to Direct Access
cloudtestservice.
cloudtestservice.
resourcemanager.projects.get
resourcemanager.projects.list
Firebase Test Lab Direct Access Viewer
Beta
(roles/)
Viewer, able to see what direct access sessions exist
cloudtestservice.
cloudtestservice.
resourcemanager.projects.get
resourcemanager.projects.list
Firebase Test Lab Admin
(roles/)
Full access to all Test Lab features
cloudtestservice.
cloudtestservice.matrices.*
cloudtoolresults.*
firebase.billingPlans.get
firebase.clients.get
firebase.clients.list
firebase.projects.get
resourcemanager.projects.get
resourcemanager.projects.list
storage.buckets.create
storage.buckets.get
storage.buckets.update
storage.objects.create
storage.objects.delete
storage.objects.get
storage.objects.list
Firebase Test Lab Viewer
(roles/)
Read access to Test Lab features
cloudtestservice.
cloudtestservice.matrices.get
cloudtoolresults.
cloudtoolresults.
cloudtoolresults.histories.get
cloudtoolresults.
cloudtoolresults.settings.get
cloudtoolresults.steps.get
cloudtoolresults.steps.list
firebase.clients.get
firebase.clients.list
firebase.projects.get
resourcemanager.projects.get
resourcemanager.projects.list
storage.objects.get
storage.objects.list
Firebase A/B Testing Admin
Beta
(roles/)
Full read/write access to Firebase A/B Testing resources.
firebase.clients.get
firebase.clients.list
firebase.projects.get
firebaseabt.*
resourcemanager.projects.get
resourcemanager.projects.list
Firebase A/B Testing Viewer
Beta
(roles/)
Read-only access to Firebase A/B Testing resources.
firebase.clients.get
firebase.clients.list
firebase.projects.get
firebaseabt.
firebaseabt.experiments.get
firebaseabt.experiments.list
firebaseabt.
resourcemanager.projects.get
resourcemanager.projects.list
Firebase App Check Admin
(roles/)
Full management of Firebase App Check.
firebaseappcheck.*
Firebase App Check Token Verifier
(roles/)
Access to token verification capabilities for Firebase App Check.
firebaseappcheck.
Firebase App Check Viewer
(roles/)
Read-only access for Firebase App Check.
firebaseappcheck.
firebaseappcheck.
firebaseappcheck.
firebaseappcheck.
firebaseappcheck.
firebaseappcheck.
firebaseappcheck.
firebaseappcheck.
firebaseappcheck.services.get
Firebase App Distribution Admin
(roles/)
Full read/write access to Firebase App Distribution resources.
firebase.clients.get
firebase.clients.list
firebase.projects.get
firebaseappdistro.*
resourcemanager.projects.get
resourcemanager.projects.list
Firebase App Distribution Viewer
(roles/)
Read-only access to Firebase App Distribution resources.
firebase.clients.get
firebase.clients.list
firebase.projects.get
firebaseappdistro.groups.list
firebaseappdistro.
firebaseappdistro.testers.list
resourcemanager.projects.get
resourcemanager.projects.list
Firebase Authentication Admin
(roles/)
Full read/write access to Firebase Authentication resources.
firebase.clients.get
firebase.clients.list
firebase.projects.get
firebaseauth.*
resourcemanager.projects.get
resourcemanager.projects.list
Firebase Authentication Viewer
(roles/)
Read-only access to Firebase Authentication resources.
firebase.clients.get
firebase.clients.list
firebase.projects.get
firebaseauth.configs.get
firebaseauth.users.get
resourcemanager.projects.get
resourcemanager.projects.list
Firebase Crashlytics Admin
(roles/)
Full read/write access to Firebase Crashlytics resources.
firebase.clients.get
firebase.clients.list
firebase.projects.get
firebasecrashlytics.*
resourcemanager.projects.get
resourcemanager.projects.list
Firebase Crashlytics Viewer
(roles/)
Read-only access to Firebase Crashlytics resources.
firebase.clients.get
firebase.clients.list
firebase.projects.get
firebasecrashlytics.config.get
firebasecrashlytics.data.get
firebasecrashlytics.issues.get
firebasecrashlytics.
firebasecrashlytics.
resourcemanager.projects.get
resourcemanager.projects.list
Firebase Realtime Database Admin
(roles/)
Full read/write access to Firebase Realtime Database resources.
firebase.clients.get
firebase.clients.list
firebase.projects.get
firebasedatabase.*
resourcemanager.projects.get
resourcemanager.projects.list
Firebase Realtime Database Viewer
(roles/)
Read-only access to Firebase Realtime Database resources.
firebase.clients.get
firebase.clients.list
firebase.projects.get
firebasedatabase.instances.get
firebasedatabase.
resourcemanager.projects.get
resourcemanager.projects.list
Firebase Dynamic Links Admin
(roles/)
Full read/write access to Firebase Dynamic Links resources.
firebase.clients.get
firebase.clients.list
firebase.projects.get
firebasedynamiclinks.*
resourcemanager.projects.get
resourcemanager.projects.list
Firebase Dynamic Links Viewer
(roles/)
Read-only access to Firebase Dynamic Links resources.
firebase.clients.get
firebase.clients.list
firebase.projects.get
firebasedynamiclinks.
firebasedynamiclinks.
firebasedynamiclinks.
firebasedynamiclinks.links.get
firebasedynamiclinks.
firebasedynamiclinks.stats.get
resourcemanager.projects.get
resourcemanager.projects.list
Firebase Extensions Developer
Beta
(roles/)
View, create, and delete Firebase Extensions Instances and Extensions Versions, and update Extensions Instances
firebase.clients.get
firebase.clients.list
firebase.projects.get
resourcemanager.projects.get
resourcemanager.projects.list
Firebase Extensions Viewer
Beta
(roles/)
Viewer of Firebase Extensions Instances
firebase.clients.get
firebase.clients.list
firebase.projects.get
resourcemanager.projects.get
resourcemanager.projects.list
Firebase Extensions Publisher - Extensions Admin
Beta
(roles/)
Fully manage Firebase Extensions
firebase.clients.get
firebase.clients.list
firebase.projects.get
firebaseextensionspublisher.*
resourcemanager.projects.get
resourcemanager.projects.list
Firebase Extensions Publisher - Extensions Viewer
Beta
(roles/)
View Firebase Extensions
firebase.clients.get
firebase.clients.list
firebase.projects.get
firebaseextensionspublisher.
firebaseextensionspublisher.
resourcemanager.projects.get
resourcemanager.projects.list
Firebase Hosting Admin
(roles/)
Full read/write access to Firebase Hosting resources.
firebase.clients.get
firebase.clients.list
firebase.projects.get
firebasehosting.*
resourcemanager.projects.get
resourcemanager.projects.list
Firebase Hosting Viewer
(roles/)
Read-only access to Firebase Hosting resources.
firebase.clients.get
firebase.clients.list
firebase.projects.get
firebasehosting.sites.get
firebasehosting.sites.list
resourcemanager.projects.get
resourcemanager.projects.list
Firebase In-App Messaging Admin
Beta
(roles/)
Full read/write access to Firebase In-App Messaging resources.
firebase.clients.get
firebase.clients.list
firebase.projects.get
firebaseinappmessaging.*
resourcemanager.projects.get
resourcemanager.projects.list
Firebase In-App Messaging Viewer
Beta
(roles/)
Read-only access to Firebase In-App Messaging resources.
firebase.clients.get
firebase.clients.list
firebase.projects.get
firebaseinappmessaging.
firebaseinappmessaging.
resourcemanager.projects.get
resourcemanager.projects.list
Firebase Messaging Campaigns Admin
Beta
(roles/)
Full management of Firebase Messaging Campaigns.
firebasemessagingcampaigns.*
Firebase Messaging Campaigns Viewer
Beta
(roles/)
Read-only access for Firebase Messaging Campaigns.
firebasemessagingcampaigns.
firebasemessagingcampaigns.
Firebase ML Kit Admin
Beta
(roles/)
Full read/write access to Firebase ML Kit resources.
firebase.clients.get
firebase.clients.list
firebase.projects.get
firebaseml.*
resourcemanager.projects.get
resourcemanager.projects.list
Firebase ML Kit Viewer
Beta
(roles/)
Read-only access to Firebase ML Kit resources.
firebase.clients.get
firebase.clients.list
firebase.projects.get
firebaseml.models.get
firebaseml.models.list
firebaseml.modelversions.get
firebaseml.modelversions.list
resourcemanager.projects.get
resourcemanager.projects.list
Firebase Cloud Messaging Admin
(roles/)
Full read/write access to Firebase Cloud Messaging resources.
fcmdata.deliverydata.list
firebase.clients.get
firebase.clients.list
firebase.projects.get
firebasenotifications.*
resourcemanager.projects.get
resourcemanager.projects.list
Firebase Cloud Messaging Viewer
(roles/)
Read-only access to Firebase Cloud Messaging resources.
fcmdata.deliverydata.list
firebase.clients.get
firebase.clients.list
firebase.projects.get
firebasenotifications.
firebasenotifications.
resourcemanager.projects.get
resourcemanager.projects.list
(roles/)
Full access to firebaseperformance resources.
firebase.clients.get
firebase.clients.list
firebase.projects.get
firebaseperformance.*
resourcemanager.projects.get
resourcemanager.projects.list
(roles/)
Read-only access to firebaseperformance resources.
firebase.clients.get
firebase.clients.list
firebase.projects.get
firebaseperformance.data.get
resourcemanager.projects.get
resourcemanager.projects.list
Firebase Rules Admin
(roles/)
Full management of Firebase Rules.
firebaserules.*
resourcemanager.projects.get
resourcemanager.projects.list
Firebase Rules System
(roles/)
Read/write/list access for Datastore entities and Cloud Storage objects, as well as get/list/publish access for PubSub topics.
datastore.databases.get
datastore.entities.*
pubsub.topics.get
pubsub.topics.list
pubsub.topics.publish
resourcemanager.projects.get
resourcemanager.projects.list
storage.objects.create
storage.objects.delete
storage.objects.get
storage.objects.list
storage.objects.update
Firebase Rules Viewer
(roles/)
Read-only access on all resources with the ability to test Rulesets.
firebaserules.releases.get
firebaserules.releases.list
firebaserules.rulesets.get
firebaserules.rulesets.list
resourcemanager.projects.get
resourcemanager.projects.list
Cloud Storage for Firebase Admin
Beta
(roles/)
Full management of Cloud Storage for Firebase.
firebase.clients.get
firebase.clients.list
firebase.projects.get
firebasestorage.*
resourcemanager.projects.get
resourcemanager.projects.list
Cloud Storage for Firebase Viewer
Beta
(roles/)
Read-only access for Cloud Storage for Firebase.
firebasestorage.buckets.get
firebasestorage.buckets.list
firebasestorage.
resourcemanager.projects.get
resourcemanager.projects.list
Fleet Engine roles
Permissions
Fleet Engine Consumer SDK User
(roles/)
Limited read access to Fleet Engine resources
fleetengine.trips.get
fleetengine.vehicles.get
fleetengine.vehicles.search
fleetengine.
Fleet Engine Delivery Admin
(roles/)
Full access to Fleet Engine Delivery resources.
fleetengine.deliveryvehicles.*
fleetengine.tasks.*
fleetengine.tasktrackinginfo.*
resourcemanager.projects.get
resourcemanager.projects.list
serviceusage.services.use
Fleet Engine Delivery Consumer User
(roles/)
Limited read access to Fleet Engine Delivery resources
fleetengine.
fleetengine.
Fleet Engine Delivery Fleet Reader User
(roles/)
Grants read access to all Fleet Engine Delivery resources
fleetengine.
fleetengine.
fleetengine.tasks.get
fleetengine.tasks.list
fleetengine.
fleetengine.
Fleet Engine Delivery Super User
(roles/)
Full access to Fleet Engine DeliveryVehicles and Tasks resources.
fleetengine.
fleetengine.
fleetengine.
fleetengine.
fleetengine.
fleetengine.
fleetengine.
fleetengine.tasks.create
fleetengine.tasks.delete
fleetengine.tasks.get
fleetengine.tasks.list
fleetengine.
fleetengine.tasks.update
fleetengine.
resourcemanager.projects.get
resourcemanager.projects.list
Fleet Engine Delivery Trusted Driver User
(roles/)
Read and write access to Fleet Engine Delivery resources
fleetengine.
fleetengine.
fleetengine.
fleetengine.
fleetengine.
fleetengine.tasks.create
fleetengine.tasks.update
Fleet Engine Delivery Untrusted Driver User
(roles/)
Limited write access to Fleet Engine Delivery Vehicle resources
fleetengine.
fleetengine.
Fleet Engine Driver SDK User
(roles/)
Read and limited update access to Fleet Engine resources
fleetengine.trips.get
fleetengine.trips.search
fleetengine.trips.update
fleetengine.vehicles.get
fleetengine.
Fleet Engine On-Demand Admin
(roles/)
Full access to Vehicle and Trip resources.
fleetengine.trips.*
fleetengine.vehicles.*
resourcemanager.projects.get
resourcemanager.projects.list
serviceusage.services.use
Fleet Engine Service Super User
(roles/)
Full access to all Fleet Engine resources.
fleetengine.trips.create
fleetengine.trips.delete
fleetengine.trips.get
fleetengine.trips.search
fleetengine.trips.update
fleetengine.trips.updateState
fleetengine.vehicles.create
fleetengine.vehicles.delete
fleetengine.vehicles.get
fleetengine.vehicles.list
fleetengine.vehicles.search
fleetengine.
fleetengine.vehicles.update
fleetengine.
resourcemanager.projects.get
resourcemanager.projects.list
Genomics roles
Permissions
Genomics Admin
(roles/)
Full access to genomics datasets and operations.
genomics.*
Genomics Editor
(roles/)
Access to read and edit genomics datasets and operations.
genomics.datasets.create
genomics.datasets.delete
genomics.datasets.get
genomics.datasets.list
genomics.datasets.update
genomics.operations.*
Genomics Pipelines Runner
(roles/)
Full access to operate on genomics pipelines.
genomics.operations.*
Genomics Viewer
(roles/)
Access to view genomics datasets and operations.
genomics.datasets.get
genomics.datasets.list
genomics.operations.get
genomics.operations.list
GKE Hub roles
Permissions
Fleet Admin (formerly GKE Hub Admin)
(roles/)
Full access to Fleet resources.
gkehub.features.*
gkehub.fleet.*
gkehub.locations.*
gkehub.membershipbindings.*
gkehub.membershipfeatures.*
gkehub.memberships.*
gkehub.namespaces.*
gkehub.operations.*
gkehub.rbacrolebindings.*
gkehub.scopes.*
resourcemanager.projects.get
resourcemanager.projects.list
GKE Connect Agent
(roles/)
Ability to set up GKE Connect between external clusters and Google.
gkehub.endpoints.connect
Fleet Editor (formerly GKE Hub Editor)
(roles/)
Edit access to Fleet resources.
gkehub.features.create
gkehub.features.delete
gkehub.features.get
gkehub.features.getIamPolicy
gkehub.features.list
gkehub.features.update
gkehub.fleet.*
gkehub.locations.*
gkehub.membershipbindings.*
gkehub.membershipfeatures.*
gkehub.memberships.create
gkehub.memberships.delete
gkehub.
gkehub.memberships.get
gkehub.
gkehub.memberships.list
gkehub.memberships.update
gkehub.namespaces.*
gkehub.operations.*
gkehub.rbacrolebindings.*
gkehub.scopes.create
gkehub.scopes.delete
gkehub.scopes.get
gkehub.scopes.getIamPolicy
gkehub.scopes.list
gkehub.
gkehub.scopes.update
resourcemanager.projects.get
resourcemanager.projects.list
Connect Gateway Admin
(roles/)
Full access to Connect Gateway.
gkehub.gateway.*
gkehub.memberships.get
serviceusage.services.get
Connect Gateway Editor
(roles/)
Edit access to Connect Gateway.
gkehub.gateway.delete
gkehub.
gkehub.gateway.get
gkehub.gateway.patch
gkehub.gateway.post
gkehub.gateway.put
gkehub.memberships.get
serviceusage.services.get
Connect Gateway Reader
(roles/)
Read-only access to Connect Gateway.
gkehub.
gkehub.gateway.get
gkehub.memberships.get
serviceusage.services.get
Fleet Scope Admin
(roles/)
Admin access to Fleet Scopes to set IAM Bindings and RBACRoleBindings.
gkehub.namespaces.create
gkehub.namespaces.delete
gkehub.namespaces.get
gkehub.namespaces.list
gkehub.rbacrolebindings.*
gkehub.scopes.get
gkehub.scopes.getIamPolicy
gkehub.
gkehub.scopes.setIamPolicy
Fleet Scope Editor
(roles/)
Edit access to Namespaces under Fleet Scopes.
gkehub.namespaces.create
gkehub.namespaces.delete
gkehub.namespaces.get
gkehub.namespaces.list
gkehub.rbacrolebindings.get
gkehub.rbacrolebindings.list
gkehub.scopes.get
gkehub.scopes.getIamPolicy
gkehub.
Fleet Project-level Scope Editor
(roles/)
Role for project-level permissions for editor of Fleet Scopes.
gkehub.gateway.delete
gkehub.
gkehub.gateway.get
gkehub.gateway.patch
gkehub.gateway.post
gkehub.gateway.put
gkehub.memberships.get
gkehub.operations.get
monitoring.timeSeries.list
resourcemanager.projects.get
resourcemanager.projects.list
serviceusage.services.get
Fleet Scope Viewer
(roles/)
Viewer of Fleet Scopes and associated resources.
gkehub.namespaces.get
gkehub.namespaces.list
gkehub.rbacrolebindings.get
gkehub.rbacrolebindings.list
gkehub.scopes.get
gkehub.scopes.getIamPolicy
gkehub.
Fleet Project-level Scope Viewer
(roles/)
Role for project-level permissions for viewer of Fleet Scopes.
gkehub.
gkehub.gateway.get
gkehub.memberships.get
monitoring.timeSeries.list
resourcemanager.projects.get
resourcemanager.projects.list
serviceusage.services.get
Fleet Viewer (formerly GKE Hub Viewer)
(roles/)
Read-only access to Fleets and related resources.
gkehub.features.get
gkehub.features.getIamPolicy
gkehub.features.list
gkehub.fleet.get
gkehub.fleet.getFreeTrial
gkehub.locations.*
gkehub.membershipbindings.get
gkehub.membershipbindings.list
gkehub.membershipfeatures.get
gkehub.membershipfeatures.list
gkehub.
gkehub.memberships.get
gkehub.
gkehub.memberships.list
gkehub.namespaces.get
gkehub.namespaces.list
gkehub.operations.get
gkehub.operations.list
gkehub.rbacrolebindings.get
gkehub.rbacrolebindings.list
gkehub.scopes.get
gkehub.scopes.list
gkehub.
resourcemanager.projects.get
resourcemanager.projects.list
GKE on-prem roles
Permissions
GKE on-prem Admin
(roles/)
Full access to GKE on-prem all resources.
gkeonprem.*
resourcemanager.projects.get
resourcemanager.projects.list
GKE on-prem Viewer
(roles/)
Read-only access to GKE on-prem all resources.
gkeonprem.
gkeonprem.
gkeonprem.
gkeonprem.
gkeonprem.
gkeonprem.
gkeonprem.
gkeonprem.
gkeonprem.
gkeonprem.
gkeonprem.
gkeonprem.
gkeonprem.locations.*
gkeonprem.operations.get
gkeonprem.operations.list
gkeonprem.
gkeonprem.
gkeonprem.
gkeonprem.
gkeonprem.vmwareClusters.get
gkeonprem.
gkeonprem.vmwareClusters.list
gkeonprem.
gkeonprem.vmwareNodePools.get
gkeonprem.
gkeonprem.vmwareNodePools.list
resourcemanager.projects.get
resourcemanager.projects.list
Google Workspace Add-ons roles
Permissions
Google Workspace Add-ons Developer
(roles/)
Full access to Google Workspace Add-ons resources
gsuiteaddons.*
resourcemanager.projects.get
resourcemanager.projects.list
Google Workspace Add-ons Reader
(roles/)
Read-only access to Google Workspace Add-ons resources
gsuiteaddons.
gsuiteaddons.deployments.get
gsuiteaddons.deployments.list
resourcemanager.projects.get
resourcemanager.projects.list
Google Workspace Add-ons Tester
(roles/)
Testing execution access to Google Workspace Add-ons resources
gsuiteaddons.
gsuiteaddons.
gsuiteaddons.
gsuiteaddons.
resourcemanager.projects.get
resourcemanager.projects.list
IAM roles
Permissions
Deny Admin
(roles/)
Deny admin role, with permissions to read and modify deny policies
Lowest-level resources where you can grant this role:
cloudasset.assets.listResource
iam.denypolicies.*
policyanalyzer.
policysimulator.
policysimulator.
Deny Reviewer
(roles/)
Deny Reviewer role, with permissions to read deny policies
Lowest-level resources where you can grant this role:
iam.denypolicies.get
iam.denypolicies.list
IAM Operation Viewer
Beta
(roles/)
Operation user role, with permissions to view and list operations in IAM v3
iam.operations.get
Principal Access Boundary Policy Admin
Beta
(roles/)
Principal Access Boundary admin role, with permissions to read and modify principal access boundary policies, and to bind and unbind principal access boundary policies to targets. Also includes permissions to read principal authorization activities analysis and permissions to list assets from Cloud Asset Inventory
cloudasset.assets.listResource
cloudasset.
iam.
Principal Access Boundary Policy User
Beta
(roles/)
Principal Access Boundary Policies user role, with permissions to view principal access boundary policies, and to bind and unbind principal access boundary policies to targets
iam.
iam.
iam.
iam.
Principal Access Boundary Policy Viewer
Beta
(roles/)
Principal Access Boundary Reviewer role, with permissions to read principal access boundary policies and view associated policy bindings
iam.
iam.
iam.
Security Admin
(roles/)
Security admin role, with permissions to get and set any IAM policy.
accessapproval.requests.list
accesscontextmanager.
accesscontextmanager.
accesscontextmanager.
accesscontextmanager.
accesscontextmanager.
accesscontextmanager.
accesscontextmanager.
actions.agentVersions.list
advisorynotifications.
aiplatform.agentExamples.list
aiplatform.agents.list
aiplatform.
aiplatform.annotations.list
aiplatform.apps.list
aiplatform.artifacts.list
aiplatform.
aiplatform.cachedContents.list
aiplatform.contexts.list
aiplatform.customJobs.list
aiplatform.dataItems.list
aiplatform.
aiplatform.
aiplatform.datasets.list
aiplatform.
aiplatform.
aiplatform.edgeDevices.list
aiplatform.
aiplatform.endpoints.list
aiplatform.
aiplatform.
aiplatform.entityTypes.list
aiplatform.
aiplatform.exampleStores.list
aiplatform.executions.list
aiplatform.extensions.list
aiplatform.
aiplatform.featureGroups.list
aiplatform.
aiplatform.
aiplatform.
aiplatform.
aiplatform.
aiplatform.
aiplatform.featureViews.list
aiplatform.
aiplatform.features.list
aiplatform.
aiplatform.featurestores.list
aiplatform.
aiplatform.
aiplatform.
aiplatform.indexEndpoints.list
aiplatform.indexes.list
aiplatform.locations.list
aiplatform.
aiplatform.metadataStores.list
aiplatform.
aiplatform.
aiplatform.
aiplatform.
aiplatform.modelMonitors.list
aiplatform.models.list
aiplatform.nasJobs.list
aiplatform.
aiplatform.
aiplatform.
aiplatform.
aiplatform.
aiplatform.
aiplatform.operations.list
aiplatform.
aiplatform.pipelineJobs.list
aiplatform.
aiplatform.
aiplatform.ragCorpora.list
aiplatform.ragFiles.list
aiplatform.
aiplatform.schedules.list
aiplatform.sessionEvents.list
aiplatform.sessions.list
aiplatform.
aiplatform.studies.list
aiplatform.
aiplatform.
aiplatform.
aiplatform.tensorboards.list
aiplatform.
aiplatform.trials.list
aiplatform.tuningJobs.list
alloydb.backups.list
alloydb.clusters.list
alloydb.databases.list
alloydb.instances.list
alloydb.locations.list
alloydb.operations.list
alloydb.
alloydb.users.list
analyticshub.
analyticshub.
analyticshub.
analyticshub.
analyticshub.listings.list
analyticshub.
analyticshub.
apigateway.
apigateway.apiconfigs.list
apigateway.
apigateway.apis.getIamPolicy
apigateway.apis.list
apigateway.apis.setIamPolicy
apigateway.
apigateway.gateways.list
apigateway.
apigateway.locations.list
apigateway.operations.list
apigee.
apigee.apiproducts.list
apigee.appgroupapps.list
apigee.appgroups.list
apigee.apps.list
apigee.archivedeployments.list
apigee.caches.list
apigee.datacollectors.list
apigee.datastores.list
apigee.
apigee.deployments.list
apigee.
apigee.
apigee.developerapps.list
apigee.
apigee.developers.list
apigee.
apigee.dnsZones.list
apigee.
apigee.
apigee.envgroups.list
apigee.
apigee.environments.list
apigee.
apigee.exports.list
apigee.flowhooks.list
apigee.hostqueries.list
apigee.
apigee.
apigee.instances.list
apigee.keystorealiases.list
apigee.keystores.list
apigee.keyvaluemapentries.list
apigee.keyvaluemaps.list
apigee.nataddresses.list
apigee.operations.list
apigee.organizations.list
apigee.portals.list
apigee.proxies.list
apigee.proxyrevisions.list
apigee.queries.list
apigee.rateplans.list
apigee.references.list
apigee.reports.list
apigee.resourcefiles.list
apigee.securityActions.list
apigee.securityFeedback.list
apigee.securityIncidents.list
apigee.
apigee.securityProfiles.list
apigee.securityProfilesV2.list
apigee.securityreports.list
apigee.
apigee.sharedflows.list
apigee.spaces.getIamPolicy
apigee.spaces.list
apigee.spaces.setIamPolicy
apigee.targetservers.list
apigee.
apigee.tracesessions.list
apigeeconnect.connections.list
apigeeregistry.
apigeeregistry.apis.list
apigeeregistry.
apigeeregistry.
apigeeregistry.artifacts.list
apigeeregistry.
apigeeregistry.
apigeeregistry.locations.list
apigeeregistry.operations.list
apigeeregistry.
apigeeregistry.specs.list
apigeeregistry.
apigeeregistry.
apigeeregistry.versions.list
apigeeregistry.
apihub.apiHubInstances.list
apihub.apiOperations.list
apihub.apis.list
apihub.attributes.list
apihub.curations.list
apihub.definitions.list
apihub.dependencies.list
apihub.deployments.list
apihub.externalApis.list
apihub.
apihub.llmEnablements.list
apihub.operations.list
apihub.plugininstances.list
apihub.plugins.list
apihub.
apihub.specs.list
apihub.versions.list
apikeys.keys.list
apim.apiObservations.list
apim.apiOperations.list
apim.locations.list
apim.observationJobs.list
apim.observationSources.list
apim.operations.list
appengine.instances.list
appengine.memcache.list
appengine.operations.list
appengine.services.list
appengine.versions.list
apphub.
apphub.applications.list
apphub.
apphub.discoveredServices.list
apphub.
apphub.locations.list
apphub.operations.list
apphub.
apphub.services.list
apphub.workloads.list
applianceactivation.
artifactregistry.
artifactregistry.
artifactregistry.files.list
artifactregistry.
artifactregistry.
artifactregistry.
artifactregistry.packages.list
artifactregistry.
artifactregistry.
artifactregistry.
artifactregistry.
artifactregistry.rules.list
artifactregistry.tags.list
artifactregistry.versions.list
assuredoss.locations.list
assuredoss.metadata.list
assuredoss.operations.list
assuredworkloads.
assuredworkloads.updates.list
assuredworkloads.
assuredworkloads.workload.list
auditmanager.auditReports.list
auditmanager.
auditmanager.controls.list
auditmanager.
auditmanager.findings.list
auditmanager.locations.list
auditmanager.operations.list
auditmanager.
automl.annotationSpecs.list
automl.annotations.list
automl.columnSpecs.list
automl.datasets.getIamPolicy
automl.datasets.list
automl.datasets.setIamPolicy
automl.examples.list
automl.files.list
automl.
automl.locations.getIamPolicy
automl.locations.list
automl.locations.setIamPolicy
automl.modelEvaluations.list
automl.models.getIamPolicy
automl.models.list
automl.models.setIamPolicy
automl.operations.list
automl.tableSpecs.list
automlrecommendations.
automlrecommendations.
automlrecommendations.
automlrecommendations.
automlrecommendations.
automlrecommendations.
automlrecommendations.
autoscaling.sites.getIamPolicy
autoscaling.sites.setIamPolicy
backupdr.
backupdr.backupPlans.list
backupdr.backupVaults.list
backupdr.bvbackups.list
backupdr.bvdataSources.list
backupdr.locations.list
backupdr.
backupdr.
backupdr.
backupdr.operations.list
backupdr.
baremetalsolution.
baremetalsolution.
baremetalsolution.luns.list
baremetalsolution.
baremetalsolution.
baremetalsolution.
baremetalsolution.
baremetalsolution.
baremetalsolution.pods.list
baremetalsolution.
baremetalsolution.skus.list
baremetalsolution.
baremetalsolution.sshKeys.list
baremetalsolution.
baremetalsolution.
baremetalsolution.volumes.list
baremetalsolution.
batch.jobs.list
batch.locations.list
batch.operations.list
batch.resourceAllowances.list
batch.tasks.list
beyondcorp.
beyondcorp.appConnections.list
beyondcorp.
beyondcorp.
beyondcorp.appConnectors.list
beyondcorp.
beyondcorp.
beyondcorp.appGateways.list
beyondcorp.
beyondcorp.
beyondcorp.
beyondcorp.
beyondcorp.
beyondcorp.clientGateways.list
beyondcorp.
beyondcorp.locations.list
beyondcorp.operations.list
beyondcorp.partnerTenants.list
beyondcorp.proxyConfigs.list
beyondcorp.subscriptions.list
biglake.catalogs.list
biglake.databases.list
biglake.locks.list
biglake.tables.list
bigquery.
bigquery.
bigquery.connections.list
bigquery.
bigquery.
bigquery.dataPolicies.list
bigquery.
bigquery.datasets.getIamPolicy
bigquery.datasets.setIamPolicy
bigquery.jobs.list
bigquery.models.list
bigquery.
bigquery.reservations.list
bigquery.routines.list
bigquery.
bigquery.
bigquery.
bigquery.savedqueries.list
bigquery.tables.getIamPolicy
bigquery.tables.list
bigquery.tables.setIamPolicy
bigquerymigration.
bigquerymigration.
bigtable.appProfiles.list
bigtable.
bigtable.authorizedViews.list
bigtable.
bigtable.backups.getIamPolicy
bigtable.backups.list
bigtable.backups.setIamPolicy
bigtable.clusters.list
bigtable.hotTablets.list
bigtable.
bigtable.instances.list
bigtable.
bigtable.keyvisualizer.list
bigtable.locations.list
bigtable.
bigtable.logicalViews.list
bigtable.
bigtable.
bigtable.
bigtable.
bigtable.tables.getIamPolicy
bigtable.tables.list
bigtable.tables.setIamPolicy
billing.accounts.getIamPolicy
billing.accounts.list
billing.accounts.setIamPolicy
billing.anomalies.list
billing.
billing.
billing.
billing.
billing.
billing.budgets.list
billing.credits.list
billing.
billing.subscriptions.list
binaryauthorization.
binaryauthorization.
binaryauthorization.
binaryauthorization.
binaryauthorization.
binaryauthorization.
binaryauthorization.
binaryauthorization.
blockchainnodeengine.
blockchainnodeengine.
blockchainnodeengine.
blockchainvalidatormanager.
blockchainvalidatormanager.
blockchainvalidatormanager.
capacityplanner.forecasts.list
capacityplanner.
carestudio.patients.list
certificatemanager.
certificatemanager.
certificatemanager.
certificatemanager.certs.list
certificatemanager.
certificatemanager.
certificatemanager.
certificatemanager.
chronicle.analyticValues.list
chronicle.analytics.list
chronicle.collectors.list
chronicle.conversations.list
chronicle.
chronicle.
chronicle.curatedRuleSets.list
chronicle.curatedRules.list
chronicle.dashboardCharts.list
chronicle.
chronicle.dashboards.list
chronicle.
chronicle.
chronicle.dataTableRows.list
chronicle.dataTables.list
chronicle.dataTaps.list
chronicle.
chronicle.entities.list
chronicle.
chronicle.
chronicle.
chronicle.
chronicle.feeds.list
chronicle.
chronicle.
chronicle.forwarders.list
chronicle.
chronicle.
chronicle.iocMatches.list
chronicle.logTypeSchemas.list
chronicle.logTypes.list
chronicle.logs.list
chronicle.messages.list
chronicle.
chronicle.operations.list
chronicle.
chronicle.parsers.list
chronicle.parsingErrors.list
chronicle.referenceLists.list
chronicle.retrohunts.list
chronicle.ruleDeployments.list
chronicle.
chronicle.rules.list
chronicle.searchQueries.list
chronicle.
chronicle.watchlists.list
chroniclesm.
clientauthconfig.brands.list
clientauthconfig.clients.list
cloud.locations.list
cloudaicompanion.
cloudaicompanion.
cloudaicompanion.
cloudaicompanion.
cloudaicompanion.
cloudaicompanion.
cloudaicompanion.
cloudaicompanion.
cloudaicompanion.
cloudaicompanion.
cloudaicompanion.
cloudaicompanion.
cloudasset.
cloudasset.feeds.list
cloudasset.
cloudasset.savedqueries.list
cloudbuild.builds.list
cloudbuild.
cloudbuild.connections.list
cloudbuild.
cloudbuild.integrations.list
cloudbuild.locations.list
cloudbuild.operations.list
cloudbuild.repositories.list
cloudbuild.workerpools.list
cloudcontrolspartner.
cloudcontrolspartner.
cloudcontrolspartner.
cloudcontrolspartner.
clouddebugger.breakpoints.list
clouddebugger.debuggees.list
clouddeploy.
clouddeploy.automations.list
clouddeploy.
clouddeploy.
clouddeploy.
clouddeploy.
clouddeploy.
clouddeploy.
clouddeploy.
clouddeploy.
clouddeploy.
clouddeploy.jobRuns.list
clouddeploy.locations.list
clouddeploy.operations.list
clouddeploy.releases.list
clouddeploy.rollouts.list
clouddeploy.
clouddeploy.targets.list
clouddeploy.
cloudfunctions.
cloudfunctions.functions.list
cloudfunctions.
cloudfunctions.locations.list
cloudfunctions.operations.list
cloudjobdiscovery.
cloudkms.
cloudkms.
cloudkms.cryptoKeys.list
cloudkms.
cloudkms.
cloudkms.
cloudkms.
cloudkms.ekmConnections.list
cloudkms.
cloudkms.
cloudkms.importJobs.list
cloudkms.
cloudkms.keyHandles.list
cloudkms.keyRings.getIamPolicy
cloudkms.keyRings.list
cloudkms.keyRings.setIamPolicy
cloudkms.locations.list
cloudnotifications.
cloudonefs.isiloncloud.
cloudonefs.isiloncloud.
cloudprivatecatalogproducer.
cloudprivatecatalogproducer.
cloudprivatecatalogproducer.
cloudprivatecatalogproducer.
cloudprivatecatalogproducer.
cloudprivatecatalogproducer.
cloudprivatecatalogproducer.
cloudprivatecatalogproducer.
cloudprivatecatalogproducer.
cloudprivatecatalogproducer.
cloudprivatecatalogproducer.
cloudprofiler.profiles.list
cloudscheduler.jobs.list
cloudscheduler.locations.list
cloudsecurityscanner.
cloudsecurityscanner.
cloudsecurityscanner.
cloudsecurityscanner.
cloudsql.backupRuns.list
cloudsql.databases.list
cloudsql.instances.list
cloudsql.sslCerts.list
cloudsql.users.list
cloudsupport.
cloudsupport.accounts.list
cloudsupport.
cloudsupport.techCases.list
cloudtasks.locations.list
cloudtasks.queues.getIamPolicy
cloudtasks.queues.list
cloudtasks.queues.setIamPolicy
cloudtasks.tasks.list
cloudtestservice.
cloudtoolresults.
cloudtoolresults.
cloudtoolresults.steps.list
cloudtrace.insights.list
cloudtrace.tasks.list
cloudtrace.traceScopes.list
cloudtrace.traces.list
cloudtranslate.
cloudtranslate.
cloudtranslate.
cloudtranslate.
cloudtranslate.datasets.list
cloudtranslate.glossaries.list
cloudtranslate.
cloudtranslate.locations.list
cloudtranslate.operations.list
cloudvolumesgcp-api.netapp.
cloudvolumesgcp-api.netapp.
cloudvolumesgcp-api.netapp.
cloudvolumesgcp-api.netapp.
cloudvolumesgcp-api.netapp.
cloudvolumesgcp-api.netapp.
cloudvolumesgcp-api.netapp.
cloudvolumesgcp-api.netapp.
commerceagreementpublishing.
commerceagreementpublishing.
commercebusinessenablement.
commercebusinessenablement.
commercebusinessenablement.
commercebusinessenablement.
commercebusinessenablement.
commercebusinessenablement.
commerceoffercatalog.
commerceoffercatalog.
commerceorggovernance.
commerceorggovernance.
commerceorggovernance.
commerceorggovernance.
commerceprice.events.list
commerceprice.
composer.dags.list
composer.environments.list
composer.imageversions.list
composer.operations.list
composer.
composer.
compute.acceleratorTypes.list
compute.addresses.list
compute.autoscalers.list
compute.
compute.backendBuckets.list
compute.
compute.
compute.backendServices.list
compute.
compute.commitments.list
compute.crossSiteNetworks.list
compute.diskTypes.list
compute.disks.getIamPolicy
compute.disks.list
compute.disks.setIamPolicy
compute.
compute.
compute.firewallPolicies.list
compute.
compute.firewalls.list
compute.forwardingRules.list
compute.
compute.
compute.
compute.globalAddresses.list
compute.
compute.
compute.
compute.globalOperations.list
compute.
compute.
compute.healthChecks.list
compute.httpHealthChecks.list
compute.httpsHealthChecks.list
compute.images.getIamPolicy
compute.images.list
compute.images.setIamPolicy
compute.
compute.instanceGroups.list
compute.
compute.instanceTemplates.list
compute.
compute.instances.getIamPolicy
compute.instances.list
compute.instances.setIamPolicy
compute.
compute.instantSnapshots.list
compute.
compute.
compute.
compute.
compute.interconnects.list
compute.
compute.licenseCodes.list
compute.
compute.licenses.getIamPolicy
compute.licenses.list
compute.licenses.setIamPolicy
compute.
compute.machineImages.list
compute.
compute.machineTypes.list
compute.multiMig.list
compute.
compute.
compute.
compute.
compute.
compute.networkProfiles.list
compute.networks.list
compute.
compute.nodeGroups.list
compute.
compute.
compute.nodeTemplates.list
compute.
compute.nodeTypes.list
compute.packetMirrorings.list
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.regionOperations.list
compute.
compute.
compute.
compute.regionSslPolicies.list
compute.
compute.
compute.
compute.regionUrlMaps.list
compute.regions.list
compute.reservationBlocks.list
compute.reservations.list
compute.
compute.resourcePolicies.list
compute.
compute.routers.list
compute.routes.list
compute.securityPolicies.list
compute.
compute.
compute.
compute.snapshots.getIamPolicy
compute.snapshots.list
compute.snapshots.setIamPolicy
compute.sslCertificates.list
compute.sslPolicies.list
compute.
compute.storagePools.list
compute.
compute.
compute.subnetworks.list
compute.
compute.targetGrpcProxies.list
compute.targetHttpProxies.list
compute.
compute.targetInstances.list
compute.targetPools.list
compute.targetSslProxies.list
compute.targetTcpProxies.list
compute.targetVpnGateways.list
compute.urlMaps.list
compute.vpnGateways.list
compute.vpnTunnels.list
compute.wireGroups.list
compute.
compute.zoneOperations.list
compute.
compute.zones.list
confidentialcomputing.
config.
config.deployments.list
config.
config.locations.list
config.operations.list
config.previews.list
config.resources.list
config.revisions.list
config.terraformversions.list
configdelivery.
configdelivery.locations.list
configdelivery.operations.list
configdelivery.releases.list
configdelivery.
configdelivery.rollouts.list
connectors.actions.list
connectors.
connectors.connections.list
connectors.
connectors.connectors.list
connectors.
connectors.
connectors.
connectors.
connectors.
connectors.
connectors.
connectors.
connectors.
connectors.entities.list
connectors.entityTypes.list
connectors.
connectors.eventtypes.list
connectors.locations.list
connectors.
connectors.managedZones.list
connectors.
connectors.operations.list
connectors.providers.list
connectors.versions.list
consumerprocurement.
consumerprocurement.
consumerprocurement.
consumerprocurement.
consumerprocurement.
consumerprocurement.
consumerprocurement.
contactcenteraiplatform.
contactcenteraiplatform.
contactcenteraiplatform.
contactcenterinsights.
contactcenterinsights.
contactcenterinsights.
contactcenterinsights.
contactcenterinsights.
contactcenterinsights.
contactcenterinsights.
contactcenterinsights.
contactcenterinsights.
contactcenterinsights.
contactcenterinsights.
contactcenterinsights.
contactcenterinsights.
contactcenterinsights.
contactcenterinsights.
contactcenterinsights.
contactcenterinsights.
contactcenterinsights.
contactcenterinsights.
contactcenterinsights.
contactcenterinsights.
contactcenterinsights.
contactcenterinsights.
contactcenterinsights.
contactcenterinsights.
container.apiServices.list
container.auditSinks.list
container.backendConfigs.list
container.bindings.list
container.
container.
container.clusterRoles.list
container.clusters.list
container.
container.configMaps.list
container.
container.cronJobs.list
container.csiDrivers.list
container.csiNodeInfos.list
container.csiNodes.list
container.
container.daemonSets.list
container.deployments.list
container.endpointSlices.list
container.endpoints.list
container.events.list
container.frontendConfigs.list
container.
container.ingresses.list
container.
container.jobs.list
container.leases.list
container.limitRanges.list
container.
container.
container.
container.namespaces.list
container.networkPolicies.list
container.nodes.list
container.operations.list
container.
container.
container.petSets.list
container.
container.podPresets.list
container.
container.podTemplates.list
container.pods.list
container.priorityClasses.list
container.replicaSets.list
container.
container.resourceQuotas.list
container.roleBindings.list
container.roles.list
container.runtimeClasses.list
container.scheduledJobs.list
container.
container.serviceAccounts.list
container.services.list
container.statefulSets.list
container.storageClasses.list
container.storageStates.list
container.
container.
container.
container.
container.updateInfos.list
container.
container.
container.
container.
container.volumeSnapshots.list
containeranalysis.
containeranalysis.notes.list
containeranalysis.
containeranalysis.
containeranalysis.
containeranalysis.
containersecurity.
containersecurity.
containersecurity.
contentwarehouse.corpora.list
contentwarehouse.
contentwarehouse.
contentwarehouse.
contentwarehouse.
contentwarehouse.ruleSets.list
contentwarehouse.
databasecenter.*
databaseinsights.
databasesconsole.
databasesconsole.
databasesconsole.
datacatalog.
datacatalog.
datacatalog.
datacatalog.entries.list
datacatalog.
datacatalog.
datacatalog.entryGroups.list
datacatalog.
datacatalog.operations.list
datacatalog.relationships.list
datacatalog.
datacatalog.
datacatalog.
datacatalog.taxonomies.list
datacatalog.
dataconnectors.
dataconnectors.connectors.list
dataconnectors.
dataconnectors.locations.list
dataconnectors.operations.list
dataflow.jobs.list
dataflow.messages.list
dataflow.snapshots.list
dataform.commentThreads.list
dataform.comments.list
dataform.
dataform.locations.list
dataform.releaseConfigs.list
dataform.
dataform.repositories.list
dataform.
dataform.workflowConfigs.list
dataform.
dataform.
dataform.workspaces.list
dataform.
datafusion.artifacts.list
datafusion.
datafusion.instances.list
datafusion.
datafusion.locations.list
datafusion.
datafusion.namespaces.list
datafusion.
datafusion.operations.list
datafusion.
datafusion.pipelines.list
datafusion.profiles.list
datafusion.secureKeys.list
datalabeling.
datalabeling.
datalabeling.dataitems.list
datalabeling.datasets.list
datalabeling.examples.list
datalabeling.instructions.list
datalabeling.operations.list
datalineage.events.list
datalineage.processes.list
datalineage.runs.list
datamigration.
datamigration.
datamigration.
datamigration.
datamigration.
datamigration.
datamigration.locations.list
datamigration.
datamigration.
datamigration.
datamigration.
datamigration.
datamigration.objects.list
datamigration.operations.list
datamigration.
datamigration.
datamigration.
datapipelines.jobs.list
datapipelines.pipelines.list
dataplex.
dataplex.aspectTypes.list
dataplex.
dataplex.assetActions.list
dataplex.assets.getIamPolicy
dataplex.assets.list
dataplex.assets.setIamPolicy
dataplex.content.getIamPolicy
dataplex.content.list
dataplex.content.setIamPolicy
dataplex.
dataplex.
dataplex.
dataplex.
dataplex.dataAttributes.list
dataplex.
dataplex.
dataplex.dataTaxonomies.list
dataplex.
dataplex.
dataplex.datascans.list
dataplex.
dataplex.encryptionConfig.list
dataplex.entities.list
dataplex.entries.list
dataplex.
dataplex.entryGroups.list
dataplex.
dataplex.
dataplex.entryTypes.list
dataplex.
dataplex.
dataplex.environments.list
dataplex.
dataplex.lakeActions.list
dataplex.lakes.getIamPolicy
dataplex.lakes.list
dataplex.lakes.setIamPolicy
dataplex.locations.list
dataplex.metadataJobs.list
dataplex.operations.list
dataplex.partitions.list
dataplex.tasks.getIamPolicy
dataplex.tasks.list
dataplex.tasks.setIamPolicy
dataplex.zoneActions.list
dataplex.zones.getIamPolicy
dataplex.zones.list
dataplex.zones.setIamPolicy
dataproc.agents.list
dataproc.
dataproc.
dataproc.
dataproc.batches.list
dataproc.clusters.getIamPolicy
dataproc.clusters.list
dataproc.clusters.setIamPolicy
dataproc.jobs.getIamPolicy
dataproc.jobs.list
dataproc.jobs.setIamPolicy
dataproc.
dataproc.operations.list
dataproc.
dataproc.sessionTemplates.list
dataproc.sessions.list
dataproc.
dataproc.
dataproc.
dataprocessing.
dataprocessing.
dataprocessing.
dataprocrm.locations.list
dataprocrm.nodePools.list
dataprocrm.nodes.list
dataprocrm.operations.list
dataprocrm.workloads.list
datastore.backupSchedules.list
datastore.backups.list
datastore.databases.list
datastore.entities.list
datastore.indexes.list
datastore.
datastore.locations.list
datastore.namespaces.list
datastore.operations.list
datastore.statistics.list
datastore.userCreds.list
datastream.
datastream.
datastream.
datastream.locations.list
datastream.objects.list
datastream.operations.list
datastream.
datastream.
datastream.
datastream.routes.getIamPolicy
datastream.routes.list
datastream.routes.setIamPolicy
datastream.
datastream.streams.list
datastream.
datastudio.
datastudio.
datastudio.
datastudio.
datastudio.
datastudio.
deploymentmanager.
deploymentmanager.
deploymentmanager.
deploymentmanager.
deploymentmanager.
deploymentmanager.
deploymentmanager.
deploymentmanager.
deploymentmanager.types.list
designcenter.
designcenter.
designcenter.applications.list
designcenter.
designcenter.
designcenter.catalogs.list
designcenter.components.list
designcenter.connections.list
designcenter.locations.list
designcenter.operations.list
designcenter.
designcenter.
designcenter.shares.list
designcenter.
designcenter.spaces.list
designcenter.
developerconnect.
developerconnect.
developerconnect.
developerconnect.
developerconnect.
developerconnect.
developerconnect.users.list
dialogflow.agents.list
dialogflow.answerrecords.list
dialogflow.callMatchers.list
dialogflow.changelogs.list
dialogflow.contexts.list
dialogflow.
dialogflow.
dialogflow.
dialogflow.conversations.list
dialogflow.deployments.list
dialogflow.documents.list
dialogflow.entityTypes.list
dialogflow.environments.list
dialogflow.examples.list
dialogflow.experiments.list
dialogflow.flows.list
dialogflow.generators.list
dialogflow.integrations.list
dialogflow.intents.list
dialogflow.knowledgeBases.list
dialogflow.messages.list
dialogflow.
dialogflow.pages.list
dialogflow.participants.list
dialogflow.
dialogflow.phoneNumbers.list
dialogflow.playbooks.list
dialogflow.
dialogflow.
dialogflow.
dialogflow.testcases.list
dialogflow.tools.list
dialogflow.
dialogflow.versions.list
dialogflow.webhooks.list
discoveryengine.
discoveryengine.branches.list
discoveryengine.
discoveryengine.
discoveryengine.controls.list
discoveryengine.
discoveryengine.
discoveryengine.documents.list
discoveryengine.engines.list
discoveryengine.
discoveryengine.models.list
discoveryengine.
discoveryengine.notebooks.list
discoveryengine.
discoveryengine.
discoveryengine.
discoveryengine.
discoveryengine.schemas.list
discoveryengine.
discoveryengine.sessions.list
discoveryengine.
dlp.analyzeRiskTemplates.list
dlp.columnDataProfiles.list
dlp.connections.list
dlp.deidentifyTemplates.list
dlp.estimates.list
dlp.fileStoreProfiles.list
dlp.inspectFindings.list
dlp.inspectTemplates.list
dlp.jobTriggers.list
dlp.jobs.list
dlp.locations.list
dlp.projectDataProfiles.list
dlp.storedInfoTypes.list
dlp.subscriptions.list
dlp.tableDataProfiles.list
dns.changes.list
dns.dnsKeys.list
dns.managedZoneOperations.list
dns.managedZones.getIamPolicy
dns.managedZones.list
dns.managedZones.setIamPolicy
dns.policies.list
dns.resourceRecordSets.list
dns.responsePolicies.list
dns.responsePolicyRules.list
documentai.
documentai.evaluations.list
documentai.labelerPools.list
documentai.locations.list
documentai.processorTypes.list
documentai.
documentai.processors.list
domains.locations.list
domains.operations.list
domains.
domains.registrations.list
domains.
earthengine.
earthengine.assets.list
earthengine.
earthengine.operations.list
edgecontainer.
edgecontainer.clusters.list
edgecontainer.
edgecontainer.locations.list
edgecontainer.
edgecontainer.machines.list
edgecontainer.
edgecontainer.
edgecontainer.nodePools.list
edgecontainer.
edgecontainer.operations.list
edgecontainer.
edgecontainer.
edgecontainer.
edgenetwork.
edgenetwork.
edgenetwork.
edgenetwork.
edgenetwork.interconnects.list
edgenetwork.
edgenetwork.locations.list
edgenetwork.
edgenetwork.networks.list
edgenetwork.
edgenetwork.operations.list
edgenetwork.
edgenetwork.routers.list
edgenetwork.
edgenetwork.routes.list
edgenetwork.
edgenetwork.subnetworks.list
edgenetwork.
edgenetwork.zones.list
enterpriseknowledgegraph.
enterprisepurchasing.
enterprisepurchasing.
enterprisepurchasing.
enterprisepurchasing.
errorreporting.
errorreporting.
errorreporting.groups.list
essentialcontacts.
eventarc.
eventarc.
eventarc.
eventarc.channels.getIamPolicy
eventarc.channels.list
eventarc.channels.setIamPolicy
eventarc.
eventarc.enrollments.list
eventarc.
eventarc.
eventarc.googleApiSources.list
eventarc.
eventarc.
eventarc.kafkaSources.list
eventarc.
eventarc.locations.list
eventarc.
eventarc.messageBuses.list
eventarc.
eventarc.operations.list
eventarc.
eventarc.pipelines.list
eventarc.
eventarc.providers.list
eventarc.triggers.getIamPolicy
eventarc.triggers.list
eventarc.triggers.setIamPolicy
fcmdata.deliverydata.list
file.backups.list
file.instances.list
file.locations.list
file.operations.list
financialservices.
financialservices.
financialservices.
financialservices.
financialservices.
financialservices.
financialservices.
financialservices.
financialservices.
firebase.clients.list
firebase.links.list
firebase.playLinks.list
firebaseabt.experiments.list
firebaseappdistro.groups.list
firebaseappdistro.
firebaseappdistro.testers.list
firebasecrashlytics.
firebasedatabase.
firebasedataconnect.
firebasedataconnect.
firebasedataconnect.
firebasedataconnect.
firebasedataconnect.
firebasedataconnect.
firebasedataconnect.
firebasedynamiclinks.
firebasedynamiclinks.
firebasedynamiclinks.
firebaseextensions.
firebaseextensionspublisher.
firebasehosting.sites.list
firebaseinappmessaging.
firebasemessagingcampaigns.
firebaseml.models.list
firebaseml.modelversions.list
firebasenotifications.
firebaserules.releases.list
firebaserules.rulesets.list
firebasestorage.buckets.list
fleetengine.
fleetengine.tasks.list
fleetengine.vehicles.list
gcp.redisenterprise.
gcp.redisenterprise.
gdchardwaremanagement.
gdchardwaremanagement.
gdchardwaremanagement.
gdchardwaremanagement.
gdchardwaremanagement.
gdchardwaremanagement.
gdchardwaremanagement.
gdchardwaremanagement.
gdchardwaremanagement.
gdchardwaremanagement.
genomics.datasets.getIamPolicy
genomics.datasets.list
genomics.datasets.setIamPolicy
genomics.operations.list
gkebackup.backupChannels.list
gkebackup.
gkebackup.
gkebackup.backupPlans.list
gkebackup.
gkebackup.backups.list
gkebackup.locations.list
gkebackup.operations.list
gkebackup.restoreChannels.list
gkebackup.
gkebackup.
gkebackup.restorePlans.list
gkebackup.
gkebackup.restores.list
gkebackup.volumeBackups.list
gkebackup.volumeRestores.list
gkehub.features.getIamPolicy
gkehub.features.list
gkehub.features.setIamPolicy
gkehub.locations.list
gkehub.membershipbindings.list
gkehub.membershipfeatures.list
gkehub.
gkehub.memberships.list
gkehub.
gkehub.namespaces.list
gkehub.operations.list
gkehub.rbacrolebindings.list
gkehub.scopes.getIamPolicy
gkehub.scopes.list
gkehub.scopes.setIamPolicy
gkemulticloud.
gkemulticloud.awsClusters.list
gkemulticloud.
gkemulticloud.
gkemulticloud.
gkemulticloud.
gkemulticloud.operations.list
gkeonprem.
gkeonprem.
gkeonprem.
gkeonprem.
gkeonprem.
gkeonprem.
gkeonprem.
gkeonprem.
gkeonprem.
gkeonprem.locations.list
gkeonprem.operations.list
gkeonprem.
gkeonprem.
gkeonprem.
gkeonprem.
gkeonprem.vmwareClusters.list
gkeonprem.
gkeonprem.
gkeonprem.vmwareNodePools.list
gkeonprem.
gsuiteaddons.deployments.list
healthcare.
healthcare.
healthcare.
healthcare.annotations.list
healthcare.
healthcare.
healthcare.
healthcare.consentStores.list
healthcare.
healthcare.consents.list
healthcare.
healthcare.datasets.list
healthcare.
healthcare.
healthcare.dicomStores.list
healthcare.
healthcare.
healthcare.fhirStores.list
healthcare.
healthcare.hl7V2Messages.list
healthcare.
healthcare.hl7V2Stores.list
healthcare.
healthcare.locations.list
healthcare.operations.list
healthcare.
iam.denypolicies.list
iam.googleapis.
iam.googleapis.
iam.googleapis.
iam.googleapis.
iam.googleapis.
iam.googleapis.
iam.googleapis.
iam.googleapis.
iam.googleapis.
iam.googleapis.
iam.policybindings.list
iam.
iam.roles.get
iam.roles.list
iam.serviceAccountKeys.list
iam.serviceAccounts.get
iam.
iam.serviceAccounts.list
iam.
iap.tunnel.*
iap.
iap.tunnelDestGroups.list
iap.
iap.
iap.
iap.tunnelLocations.*
iap.tunnelZones.*
iap.web.getIamPolicy
iap.web.setIamPolicy
iap.
iap.
iap.webServices.getIamPolicy
iap.webServices.setIamPolicy
iap.webTypes.getIamPolicy
iap.webTypes.setIamPolicy
identitytoolkit.
identitytoolkit.tenants.list
identitytoolkit.
ids.endpoints.getIamPolicy
ids.endpoints.list
ids.endpoints.setIamPolicy
ids.locations.list
ids.operations.list
integrations.
integrations.
integrations.
integrations.
integrations.
integrations.
integrations.
integrations.
integrations.authConfigs.list
integrations.certificates.list
integrations.executions.list
integrations.
integrations.integrations.list
integrations.
integrations.
integrations.
integrations.
integrations.
integrations.sfdcChannels.list
integrations.
integrations.suspensions.list
integrations.testCases.list
issuerswitch.
issuerswitch.
issuerswitch.
issuerswitch.
issuerswitch.
issuerswitch.operations.list
issuerswitch.ruleMetadata.list
issuerswitch.
issuerswitch.rules.list
krmapihosting.
krmapihosting.krmApiHosts.list
krmapihosting.
krmapihosting.locations.list
krmapihosting.operations.list
licensemanager.
licensemanager.instances.list
licensemanager.locations.list
licensemanager.operations.list
licensemanager.products.list
lifesciences.operations.list
livestream.assets.list
livestream.channels.list
livestream.clips.list
livestream.events.list
livestream.inputs.list
livestream.locations.list
livestream.operations.list
logging.buckets.list
logging.exclusions.list
logging.links.list
logging.locations.list
logging.logEntries.list
logging.logMetrics.list
logging.logScopes.list
logging.logServiceIndexes.list
logging.logServices.list
logging.logs.list
logging.notificationRules.list
logging.operations.list
logging.privateLogEntries.list
logging.queries.usePrivate
logging.sinks.list
logging.views.getIamPolicy
logging.views.list
logging.views.setIamPolicy
looker.backups.list
looker.instances.list
looker.locations.list
looker.operations.list
lustre.instances.list
lustre.locations.list
lustre.operations.list
maintenance.locations.list
maintenance.
managedflink.deployments.list
managedflink.jobs.list
managedflink.locations.list
managedflink.operations.list
managedflink.sessions.list
managedidentities.
managedidentities.backups.list
managedidentities.
managedidentities.
managedidentities.domains.list
managedidentities.
managedidentities.
managedidentities.
managedidentities.
managedidentities.
managedidentities.
managedidentities.
managedkafka.clusters.list
managedkafka.
managedkafka.connectors.list
managedkafka.
managedkafka.locations.list
managedkafka.operations.list
managedkafka.topics.list
mapsadmin.clientMaps.list
mapsadmin.
mapsadmin.clientStyles.list
mapsadmin.mapViews.list
mapsadmin.styleSnapshots.list
mapsanalytics.
mapsplatformdatasets.
marketplacesolutions.
marketplacesolutions.
marketplacesolutions.
marketplacesolutions.
marketplacesolutions.
marketplacesolutions.
marketplacesolutions.
memcache.instances.list
memcache.locations.list
memcache.operations.list
memorystore.
memorystore.backups.list
memorystore.instances.list
memorystore.locations.list
memorystore.operations.list
metastore.backups.getIamPolicy
metastore.backups.list
metastore.backups.setIamPolicy
metastore.
metastore.databases.list
metastore.
metastore.
metastore.federations.list
metastore.
metastore.imports.list
metastore.locations.list
metastore.migrations.list
metastore.operations.list
metastore.
metastore.services.list
metastore.
metastore.tables.getIamPolicy
metastore.tables.list
metastore.tables.setIamPolicy
migrationcenter.assets.list
migrationcenter.
migrationcenter.
migrationcenter.
migrationcenter.groups.list
migrationcenter.
migrationcenter.
migrationcenter.locations.list
migrationcenter.
migrationcenter.
migrationcenter.relations.list
migrationcenter.
migrationcenter.reports.list
migrationcenter.sources.list
ml.jobs.getIamPolicy
ml.jobs.list
ml.jobs.setIamPolicy
ml.locations.list
ml.models.getIamPolicy
ml.models.list
ml.models.setIamPolicy
ml.operations.list
ml.studies.getIamPolicy
ml.studies.list
ml.studies.setIamPolicy
ml.trials.list
ml.versions.list
modelarmor.locations.list
modelarmor.templates.list
monitoring.alertPolicies.list
monitoring.dashboards.list
monitoring.groups.list
monitoring.
monitoring.
monitoring.
monitoring.
monitoring.services.list
monitoring.slos.list
monitoring.snoozes.list
monitoring.timeSeries.list
monitoring.
netapp.activeDirectories.list
netapp.backupPolicies.list
netapp.backupVaults.list
netapp.backups.list
netapp.kmsConfigs.list
netapp.locations.list
netapp.operations.list
netapp.quotaRules.list
netapp.replications.list
netapp.snapshots.list
netapp.storagePools.list
netapp.volumes.list
networkconnectivity.
networkconnectivity.
networkconnectivity.
networkconnectivity.
networkconnectivity.
networkconnectivity.
networkconnectivity.
networkconnectivity.
networkconnectivity.
networkconnectivity.
networkconnectivity.hubs.list
networkconnectivity.
networkconnectivity.
networkconnectivity.
networkconnectivity.
networkconnectivity.
networkconnectivity.
networkconnectivity.
networkconnectivity.
networkconnectivity.
networkconnectivity.
networkconnectivity.
networkconnectivity.
networkconnectivity.
networkconnectivity.
networkconnectivity.
networkconnectivity.
networkmanagement.
networkmanagement.
networkmanagement.
networkmanagement.
networkmanagement.
networkmanagement.
networksecurity.
networksecurity.
networksecurity.
networksecurity.
networksecurity.
networksecurity.
networksecurity.
networksecurity.
networksecurity.
networksecurity.
networksecurity.
networksecurity.
networksecurity.
networksecurity.
networksecurity.
networksecurity.
networksecurity.
networksecurity.
networksecurity.
networksecurity.
networksecurity.
networksecurity.locations.list
networksecurity.
networksecurity.
networksecurity.
networksecurity.
networksecurity.
networksecurity.
networksecurity.
networksecurity.
networksecurity.
networksecurity.
networksecurity.
networksecurity.urlLists.list
networkservices.
networkservices.
networkservices.gateways.list
networkservices.
networkservices.
networkservices.
networkservices.
networkservices.
networkservices.
networkservices.
networkservices.
networkservices.locations.list
networkservices.meshes.list
networkservices.
networkservices.
networkservices.
networkservices.
networkservices.tcpRoutes.list
networkservices.tlsRoutes.list
networkservices.
notebooks.
notebooks.environments.list
notebooks.
notebooks.
notebooks.executions.list
notebooks.
notebooks.
notebooks.instances.list
notebooks.
notebooks.locations.list
notebooks.operations.list
notebooks.
notebooks.runtimes.list
notebooks.
notebooks.
notebooks.schedules.list
notebooks.
observability.
ondemandscanning.
opsconfigmonitoring.
oracledatabase.
oracledatabase.
oracledatabase.
oracledatabase.
oracledatabase.
oracledatabase.
oracledatabase.dbNodes.list
oracledatabase.dbServers.list
oracledatabase.
oracledatabase.
oracledatabase.giVersions.list
oracledatabase.locations.list
oracledatabase.operations.list
oracledatabase.
orgpolicy.constraints.list
orgpolicy.
orgpolicy.policies.list
osconfig.guestPolicies.list
osconfig.
osconfig.inventories.list
osconfig.locations.list
osconfig.operations.list
osconfig.
osconfig.
osconfig.patchDeployments.list
osconfig.patchJobs.list
osconfig.
osconfig.upgradeReports.list
osconfig.
parallelstore.instances.list
parallelstore.locations.list
parallelstore.operations.list
parametermanager.
parametermanager.
parametermanager.
paymentsresellersubscription.
paymentsresellersubscription.
policyremediatormanager.
policyremediatormanager.
policysimulator.
policysimulator.
policysimulator.
policysimulator.
policysimulator.
policysimulator.replays.*
privateca.caPools.getIamPolicy
privateca.caPools.list
privateca.caPools.setIamPolicy
privateca.
privateca.
privateca.
privateca.
privateca.
privateca.
privateca.
privateca.
privateca.
privateca.
privateca.certificates.list
privateca.
privateca.locations.list
privateca.operations.list
privateca.
privateca.reusableConfigs.list
privateca.
privilegedaccessmanager.
privilegedaccessmanager.
privilegedaccessmanager.
privilegedaccessmanager.
privilegedaccessmanager.
proximitybeacon.
proximitybeacon.
proximitybeacon.beacons.list
proximitybeacon.
proximitybeacon.
proximitybeacon.
proximitybeacon.
pubsub.schemas.getIamPolicy
pubsub.schemas.list
pubsub.schemas.setIamPolicy
pubsub.snapshots.getIamPolicy
pubsub.snapshots.list
pubsub.snapshots.setIamPolicy
pubsub.
pubsub.subscriptions.list
pubsub.
pubsub.topics.getIamPolicy
pubsub.topics.list
pubsub.topics.setIamPolicy
pubsublite.operations.list
pubsublite.reservations.list
pubsublite.subscriptions.list
pubsublite.topics.list
recaptchaenterprise.
recaptchaenterprise.keys.list
recaptchaenterprise.
recaptchaenterprise.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.costInsights.list
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.locations.list
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
redis.backupCollections.list
redis.backups.list
redis.clusters.list
redis.instances.list
redis.locations.list
redis.operations.list
remotebuildexecution.
remotebuildexecution.
resourcemanager.
resourcemanager.folders.list
resourcemanager.
resourcemanager.
resourcemanager.
resourcemanager.
resourcemanager.
resourcemanager.projects.list
resourcemanager.
resourcemanager.tagHolds.list
resourcemanager.
resourcemanager.tagKeys.list
resourcemanager.
resourcemanager.
resourcemanager.tagValues.list
resourcemanager.
resourcesettings.settings.list
retail.branches.list
retail.catalogs.list
retail.controls.list
retail.experiments.list
retail.models.list
retail.operations.list
retail.products.list
retail.servingConfigs.list
riskmanager.
riskmanager.operations.list
riskmanager.policies.list
riskmanager.reports.list
rma.collectors.list
rma.locations.list
rma.operations.list
run.configurations.list
run.executions.list
run.jobs.getIamPolicy
run.jobs.list
run.jobs.setIamPolicy
run.locations.list
run.operations.list
run.revisions.list
run.routes.list
run.services.getIamPolicy
run.services.list
run.services.setIamPolicy
run.tasks.list
runapps.applications.list
runapps.deployments.list
runapps.locations.list
runapps.operations.list
runtimeconfig.
runtimeconfig.configs.list
runtimeconfig.
runtimeconfig.operations.list
runtimeconfig.
runtimeconfig.variables.list
runtimeconfig.
runtimeconfig.
runtimeconfig.waiters.list
runtimeconfig.
saasservicemgmt.locations.list
saasservicemgmt.
saasservicemgmt.releases.list
saasservicemgmt.
saasservicemgmt.rollouts.list
saasservicemgmt.saas.list
saasservicemgmt.unitKinds.list
saasservicemgmt.
saasservicemgmt.units.list
secretmanager.locations.list
secretmanager.
secretmanager.secrets.list
secretmanager.
secretmanager.versions.list
securedlandingzone.
securesourcemanager.
securesourcemanager.
securesourcemanager.
securesourcemanager.
securesourcemanager.
securesourcemanager.
securesourcemanager.
securesourcemanager.
securesourcemanager.
securesourcemanager.
securitycenter.assets.list
securitycenter.
securitycenter.
securitycenter.
securitycenter.
securitycenter.findings.list
securitycenter.issues.list
securitycenter.
securitycenter.
securitycenter.
securitycenter.
securitycenter.
securitycenter.sources.list
securitycenter.
securitycenter.
securitycenter.
securitycentermanagement.
securitycentermanagement.
securitycentermanagement.
securitycentermanagement.
securitycentermanagement.
securitycentermanagement.
securityposture.locations.list
securityposture.
securityposture.
securityposture.
securityposture.postures.list
securityposture.reports.list
servicebroker.
servicebroker.
servicebroker.bindings.list
servicebroker.
servicebroker.
servicebroker.catalogs.list
servicebroker.
servicebroker.
servicebroker.
servicebroker.instances.list
servicebroker.
serviceconsumermanagement.
servicedirectory.
servicedirectory.
servicedirectory.
servicedirectory.
servicedirectory.
servicedirectory.
servicedirectory.
servicedirectory.
servicedirectory.services.list
servicedirectory.
servicehealth.events.list
servicehealth.locations.list
servicehealth.
servicehealth.
servicemanagement.
servicemanagement.
servicemanagement.
servicenetworking.
servicesecurityinsights.
servicesecurityinsights.
servicesecurityinsights.
serviceusage.services.list
source.repos.getIamPolicy
source.repos.list
source.repos.setIamPolicy
spanner.backupOperations.list
spanner.
spanner.backupSchedules.list
spanner.
spanner.backups.getIamPolicy
spanner.backups.list
spanner.backups.setIamPolicy
spanner.
spanner.databaseRoles.list
spanner.databases.getIamPolicy
spanner.databases.list
spanner.databases.setIamPolicy
spanner.
spanner.instanceConfigs.list
spanner.
spanner.
spanner.
spanner.instances.getIamPolicy
spanner.instances.list
spanner.instances.setIamPolicy
spanner.sessions.list
speakerid.phrases.list
speakerid.speakers.list
speech.customClasses.list
speech.locations.list
speech.operations.list
speech.phraseSets.list
speech.recognizers.list
stackdriver.
storage.anywhereCaches.list
storage.bucketOperations.list
storage.buckets.getIamPolicy
storage.buckets.list
storage.buckets.setIamPolicy
storage.folders.list
storage.hmacKeys.list
storage.
storage.managedFolders.list
storage.
storage.multipartUploads.list
storage.objects.getIamPolicy
storage.objects.list
storage.objects.setIamPolicy
storageinsights.
storageinsights.locations.list
storageinsights.
storageinsights.
storageinsights.
storagetransfer.
storagetransfer.jobs.list
storagetransfer.
stream.locations.list
stream.operations.list
stream.streamContents.list
stream.streamInstances.list
telcoautomation.
telcoautomation.
telcoautomation.edgeSlms.list
telcoautomation.
telcoautomation.locations.list
telcoautomation.
telcoautomation.
telcoautomation.
timeseriesinsights.
timeseriesinsights.
tpu.acceleratortypes.list
tpu.locations.list
tpu.nodes.list
tpu.operations.list
tpu.runtimeversions.list
tpu.tensorflowversions.list
transcoder.jobTemplates.list
transcoder.jobs.list
transferappliance.
transferappliance.
transferappliance.
transferappliance.orders.list
transferappliance.
translationhub.portals.list
videostitcher.cdnKeys.list
videostitcher.
videostitcher.liveConfigs.list
videostitcher.operations.list
videostitcher.slates.list
videostitcher.
videostitcher.vodConfigs.list
videostitcher.
visionai.analyses.getIamPolicy
visionai.analyses.list
visionai.analyses.setIamPolicy
visionai.annotations.list
visionai.applications.list
visionai.assets.list
visionai.clusters.getIamPolicy
visionai.clusters.list
visionai.clusters.setIamPolicy
visionai.corpora.list
visionai.dataSchemas.list
visionai.drafts.list
visionai.events.getIamPolicy
visionai.events.list
visionai.events.setIamPolicy
visionai.indexEndpoints.list
visionai.indexes.list
visionai.instances.list
visionai.locations.list
visionai.operations.list
visionai.
visionai.operators.list
visionai.
visionai.processors.list
visionai.searchConfigs.list
visionai.series.getIamPolicy
visionai.series.list
visionai.series.setIamPolicy
visionai.streams.getIamPolicy
visionai.streams.list
visionai.streams.setIamPolicy
visionai.uistreams.list
visualinspection.
visualinspection.
visualinspection.
visualinspection.datasets.list
visualinspection.images.list
visualinspection.
visualinspection.
visualinspection.models.list
visualinspection.modules.list
visualinspection.
visualinspection.
visualinspection.
vmmigration.cloneJobs.list
vmmigration.cutoverJobs.list
vmmigration.
vmmigration.deployments.list
vmmigration.groups.list
vmmigration.locations.list
vmmigration.migratingVms.list
vmmigration.operations.list
vmmigration.
vmmigration.sources.list
vmmigration.targets.list
vmmigration.
vmwareengine.
vmwareengine.clusters.list
vmwareengine.
vmwareengine.
vmwareengine.
vmwareengine.
vmwareengine.
vmwareengine.
vmwareengine.locations.list
vmwareengine.
vmwareengine.
vmwareengine.
vmwareengine.
vmwareengine.nodeTypes.list
vmwareengine.nodes.list
vmwareengine.operations.list
vmwareengine.
vmwareengine.
vmwareengine.
vmwareengine.
vmwareengine.subnets.list
vmwareengine.
vpcaccess.connectors.list
vpcaccess.locations.list
vpcaccess.operations.list
workflows.callbacks.list
workflows.executions.list
workflows.locations.list
workflows.operations.list
workflows.stepEntries.list
workflows.workflows.list
workloadcertificate.
workloadcertificate.
workloadcertificate.
workloadmanager.
workloadmanager.
workloadmanager.
workloadmanager.
workloadmanager.
workloadmanager.locations.list
workloadmanager.
workloadmanager.results.list
workloadmanager.rules.list
workstations.
workstations.
workstations.
workstations.
workstations.
workstations.workstations.list
workstations.
Security Reviewer
(roles/)
Provides permissions to list all resources and allow policies on them.
accessapproval.requests.list
accesscontextmanager.
accesscontextmanager.
accesscontextmanager.
accesscontextmanager.
accesscontextmanager.
accesscontextmanager.
actions.agentVersions.list
advisorynotifications.
aiplatform.agentExamples.list
aiplatform.agents.list
aiplatform.
aiplatform.annotations.list
aiplatform.apps.list
aiplatform.artifacts.list
aiplatform.
aiplatform.cachedContents.list
aiplatform.contexts.list
aiplatform.customJobs.list
aiplatform.dataItems.list
aiplatform.
aiplatform.
aiplatform.datasets.list
aiplatform.
aiplatform.
aiplatform.edgeDevices.list
aiplatform.
aiplatform.endpoints.list
aiplatform.
aiplatform.entityTypes.list
aiplatform.exampleStores.list
aiplatform.executions.list
aiplatform.extensions.list
aiplatform.
aiplatform.featureGroups.list
aiplatform.
aiplatform.
aiplatform.
aiplatform.
aiplatform.featureViews.list
aiplatform.features.list
aiplatform.
aiplatform.featurestores.list
aiplatform.
aiplatform.
aiplatform.indexEndpoints.list
aiplatform.indexes.list
aiplatform.locations.list
aiplatform.
aiplatform.metadataStores.list
aiplatform.
aiplatform.
aiplatform.
aiplatform.
aiplatform.modelMonitors.list
aiplatform.models.list
aiplatform.nasJobs.list
aiplatform.
aiplatform.
aiplatform.
aiplatform.
aiplatform.
aiplatform.operations.list
aiplatform.
aiplatform.pipelineJobs.list
aiplatform.
aiplatform.
aiplatform.ragCorpora.list
aiplatform.ragFiles.list
aiplatform.
aiplatform.schedules.list
aiplatform.sessionEvents.list
aiplatform.sessions.list
aiplatform.
aiplatform.studies.list
aiplatform.
aiplatform.
aiplatform.
aiplatform.tensorboards.list
aiplatform.
aiplatform.trials.list
aiplatform.tuningJobs.list
alloydb.backups.list
alloydb.clusters.list
alloydb.databases.list
alloydb.instances.list
alloydb.locations.list
alloydb.operations.list
alloydb.
alloydb.users.list
analyticshub.
analyticshub.
analyticshub.
analyticshub.listings.list
analyticshub.
apigateway.
apigateway.apiconfigs.list
apigateway.apis.getIamPolicy
apigateway.apis.list
apigateway.
apigateway.gateways.list
apigateway.locations.list
apigateway.operations.list
apigee.
apigee.apiproducts.list
apigee.appgroupapps.list
apigee.appgroups.list
apigee.apps.list
apigee.archivedeployments.list
apigee.caches.list
apigee.datacollectors.list
apigee.datastores.list
apigee.
apigee.deployments.list
apigee.
apigee.developerapps.list
apigee.
apigee.developers.list
apigee.
apigee.dnsZones.list
apigee.
apigee.
apigee.envgroups.list
apigee.
apigee.environments.list
apigee.exports.list
apigee.flowhooks.list
apigee.hostqueries.list
apigee.
apigee.
apigee.instances.list
apigee.keystorealiases.list
apigee.keystores.list
apigee.keyvaluemapentries.list
apigee.keyvaluemaps.list
apigee.nataddresses.list
apigee.operations.list
apigee.organizations.list
apigee.portals.list
apigee.proxies.list
apigee.proxyrevisions.list
apigee.queries.list
apigee.rateplans.list
apigee.references.list
apigee.reports.list
apigee.resourcefiles.list
apigee.securityActions.list
apigee.securityFeedback.list
apigee.securityIncidents.list
apigee.
apigee.securityProfiles.list
apigee.securityProfilesV2.list
apigee.securityreports.list
apigee.
apigee.sharedflows.list
apigee.spaces.getIamPolicy
apigee.spaces.list
apigee.targetservers.list
apigee.
apigee.tracesessions.list
apigeeconnect.connections.list
apigeeregistry.
apigeeregistry.apis.list
apigeeregistry.
apigeeregistry.artifacts.list
apigeeregistry.
apigeeregistry.locations.list
apigeeregistry.operations.list
apigeeregistry.
apigeeregistry.specs.list
apigeeregistry.
apigeeregistry.versions.list
apihub.apiHubInstances.list
apihub.apiOperations.list
apihub.apis.list
apihub.attributes.list
apihub.curations.list
apihub.definitions.list
apihub.dependencies.list
apihub.deployments.list
apihub.externalApis.list
apihub.
apihub.llmEnablements.list
apihub.operations.list
apihub.plugininstances.list
apihub.plugins.list
apihub.
apihub.specs.list
apihub.versions.list
apikeys.keys.list
apim.apiObservations.list
apim.apiOperations.list
apim.locations.list
apim.observationJobs.list
apim.observationSources.list
apim.operations.list
appengine.instances.list
appengine.memcache.list
appengine.operations.list
appengine.services.list
appengine.versions.list
apphub.
apphub.applications.list
apphub.discoveredServices.list
apphub.
apphub.locations.list
apphub.operations.list
apphub.
apphub.services.list
apphub.workloads.list
applianceactivation.
artifactregistry.
artifactregistry.
artifactregistry.files.list
artifactregistry.
artifactregistry.
artifactregistry.
artifactregistry.packages.list
artifactregistry.
artifactregistry.
artifactregistry.
artifactregistry.rules.list
artifactregistry.tags.list
artifactregistry.versions.list
assuredoss.locations.list
assuredoss.metadata.list
assuredoss.operations.list
assuredworkloads.
assuredworkloads.updates.list
assuredworkloads.
assuredworkloads.workload.list
auditmanager.auditReports.list
auditmanager.
auditmanager.controls.list
auditmanager.
auditmanager.findings.list
auditmanager.locations.list
auditmanager.operations.list
auditmanager.
automl.annotationSpecs.list
automl.annotations.list
automl.columnSpecs.list
automl.datasets.getIamPolicy
automl.datasets.list
automl.examples.list
automl.files.list
automl.
automl.locations.getIamPolicy
automl.locations.list
automl.modelEvaluations.list
automl.models.getIamPolicy
automl.models.list
automl.operations.list
automl.tableSpecs.list
automlrecommendations.
automlrecommendations.
automlrecommendations.
automlrecommendations.
automlrecommendations.
automlrecommendations.
automlrecommendations.
autoscaling.sites.getIamPolicy
backupdr.
backupdr.backupPlans.list
backupdr.backupVaults.list
backupdr.bvbackups.list
backupdr.bvdataSources.list
backupdr.locations.list
backupdr.
backupdr.
backupdr.operations.list
backupdr.
baremetalsolution.
baremetalsolution.
baremetalsolution.luns.list
baremetalsolution.
baremetalsolution.
baremetalsolution.
baremetalsolution.
baremetalsolution.
baremetalsolution.pods.list
baremetalsolution.
baremetalsolution.skus.list
baremetalsolution.
baremetalsolution.sshKeys.list
baremetalsolution.
baremetalsolution.
baremetalsolution.volumes.list
baremetalsolution.
batch.jobs.list
batch.locations.list
batch.operations.list
batch.resourceAllowances.list
batch.tasks.list
beyondcorp.
beyondcorp.appConnections.list
beyondcorp.
beyondcorp.appConnectors.list
beyondcorp.
beyondcorp.appGateways.list
beyondcorp.
beyondcorp.
beyondcorp.
beyondcorp.clientGateways.list
beyondcorp.locations.list
beyondcorp.operations.list
beyondcorp.partnerTenants.list
beyondcorp.proxyConfigs.list
beyondcorp.subscriptions.list
biglake.catalogs.list
biglake.databases.list
biglake.locks.list
biglake.tables.list
bigquery.
bigquery.
bigquery.connections.list
bigquery.
bigquery.dataPolicies.list
bigquery.datasets.getIamPolicy
bigquery.jobs.list
bigquery.models.list
bigquery.
bigquery.reservations.list
bigquery.routines.list
bigquery.
bigquery.
bigquery.savedqueries.list
bigquery.tables.getIamPolicy
bigquery.tables.list
bigquerymigration.
bigquerymigration.
bigtable.appProfiles.list
bigtable.
bigtable.authorizedViews.list
bigtable.backups.getIamPolicy
bigtable.backups.list
bigtable.clusters.list
bigtable.hotTablets.list
bigtable.
bigtable.instances.list
bigtable.keyvisualizer.list
bigtable.locations.list
bigtable.
bigtable.logicalViews.list
bigtable.
bigtable.
bigtable.tables.getIamPolicy
bigtable.tables.list
billing.accounts.getIamPolicy
billing.accounts.list
billing.anomalies.list
billing.
billing.
billing.
billing.
billing.
billing.budgets.list
billing.credits.list
billing.
billing.subscriptions.list
binaryauthorization.
binaryauthorization.
binaryauthorization.
binaryauthorization.
binaryauthorization.
blockchainnodeengine.
blockchainnodeengine.
blockchainnodeengine.
blockchainvalidatormanager.
blockchainvalidatormanager.
blockchainvalidatormanager.
capacityplanner.forecasts.list
capacityplanner.
carestudio.patients.list
certificatemanager.
certificatemanager.
certificatemanager.
certificatemanager.certs.list
certificatemanager.
certificatemanager.
certificatemanager.
certificatemanager.
chronicle.analyticValues.list
chronicle.analytics.list
chronicle.collectors.list
chronicle.conversations.list
chronicle.
chronicle.
chronicle.curatedRuleSets.list
chronicle.curatedRules.list
chronicle.dashboardCharts.list
chronicle.
chronicle.dashboards.list
chronicle.
chronicle.
chronicle.dataTableRows.list
chronicle.dataTables.list
chronicle.dataTaps.list
chronicle.
chronicle.entities.list
chronicle.
chronicle.
chronicle.
chronicle.
chronicle.feeds.list
chronicle.
chronicle.
chronicle.forwarders.list
chronicle.
chronicle.
chronicle.iocMatches.list
chronicle.logTypeSchemas.list
chronicle.logTypes.list
chronicle.logs.list
chronicle.messages.list
chronicle.
chronicle.operations.list
chronicle.
chronicle.parsers.list
chronicle.parsingErrors.list
chronicle.referenceLists.list
chronicle.retrohunts.list
chronicle.ruleDeployments.list
chronicle.
chronicle.rules.list
chronicle.searchQueries.list
chronicle.
chronicle.watchlists.list
chroniclesm.
clientauthconfig.brands.list
clientauthconfig.clients.list
cloud.locations.list
cloudaicompanion.
cloudaicompanion.
cloudaicompanion.
cloudaicompanion.
cloudaicompanion.
cloudaicompanion.
cloudaicompanion.
cloudaicompanion.
cloudaicompanion.
cloudaicompanion.
cloudasset.feeds.list
cloudasset.
cloudasset.savedqueries.list
cloudbuild.builds.list
cloudbuild.
cloudbuild.connections.list
cloudbuild.integrations.list
cloudbuild.locations.list
cloudbuild.operations.list
cloudbuild.repositories.list
cloudbuild.workerpools.list
cloudcontrolspartner.
cloudcontrolspartner.
cloudcontrolspartner.
cloudcontrolspartner.
clouddebugger.breakpoints.list
clouddebugger.debuggees.list
clouddeploy.
clouddeploy.automations.list
clouddeploy.
clouddeploy.
clouddeploy.
clouddeploy.
clouddeploy.
clouddeploy.
clouddeploy.jobRuns.list
clouddeploy.locations.list
clouddeploy.operations.list
clouddeploy.releases.list
clouddeploy.rollouts.list
clouddeploy.
clouddeploy.targets.list
cloudfunctions.
cloudfunctions.functions.list
cloudfunctions.locations.list
cloudfunctions.operations.list
cloudjobdiscovery.
cloudkms.
cloudkms.
cloudkms.cryptoKeys.list
cloudkms.
cloudkms.
cloudkms.ekmConnections.list
cloudkms.
cloudkms.importJobs.list
cloudkms.keyHandles.list
cloudkms.keyRings.getIamPolicy
cloudkms.keyRings.list
cloudkms.locations.list
cloudnotifications.
cloudonefs.isiloncloud.
cloudonefs.isiloncloud.
cloudprivatecatalogproducer.
cloudprivatecatalogproducer.
cloudprivatecatalogproducer.
cloudprivatecatalogproducer.
cloudprivatecatalogproducer.
cloudprivatecatalogproducer.
cloudprivatecatalogproducer.
cloudprivatecatalogproducer.
cloudprofiler.profiles.list
cloudscheduler.jobs.list
cloudscheduler.locations.list
cloudsecurityscanner.
cloudsecurityscanner.
cloudsecurityscanner.
cloudsecurityscanner.
cloudsql.backupRuns.list
cloudsql.databases.list
cloudsql.instances.list
cloudsql.sslCerts.list
cloudsql.users.list
cloudsupport.
cloudsupport.accounts.list
cloudsupport.techCases.list
cloudtasks.locations.list
cloudtasks.queues.getIamPolicy
cloudtasks.queues.list
cloudtasks.tasks.list
cloudtestservice.
cloudtoolresults.
cloudtoolresults.
cloudtoolresults.steps.list
cloudtrace.insights.list
cloudtrace.tasks.list
cloudtrace.traceScopes.list
cloudtrace.traces.list
cloudtranslate.
cloudtranslate.
cloudtranslate.
cloudtranslate.
cloudtranslate.datasets.list
cloudtranslate.glossaries.list
cloudtranslate.
cloudtranslate.locations.list
cloudtranslate.operations.list
cloudvolumesgcp-api.netapp.
cloudvolumesgcp-api.netapp.
cloudvolumesgcp-api.netapp.
cloudvolumesgcp-api.netapp.
cloudvolumesgcp-api.netapp.
cloudvolumesgcp-api.netapp.
cloudvolumesgcp-api.netapp.
cloudvolumesgcp-api.netapp.
commerceagreementpublishing.
commerceagreementpublishing.
commercebusinessenablement.
commercebusinessenablement.
commercebusinessenablement.
commercebusinessenablement.
commercebusinessenablement.
commercebusinessenablement.
commerceoffercatalog.
commerceoffercatalog.
commerceorggovernance.
commerceorggovernance.
commerceorggovernance.
commerceorggovernance.
commerceprice.events.list
commerceprice.
composer.dags.list
composer.environments.list
composer.imageversions.list
composer.operations.list
composer.
composer.
compute.acceleratorTypes.list
compute.addresses.list
compute.autoscalers.list
compute.
compute.backendBuckets.list
compute.
compute.backendServices.list
compute.commitments.list
compute.crossSiteNetworks.list
compute.diskTypes.list
compute.disks.getIamPolicy
compute.disks.list
compute.
compute.
compute.firewallPolicies.list
compute.firewalls.list
compute.forwardingRules.list
compute.
compute.
compute.globalAddresses.list
compute.
compute.
compute.
compute.globalOperations.list
compute.
compute.healthChecks.list
compute.httpHealthChecks.list
compute.httpsHealthChecks.list
compute.images.getIamPolicy
compute.images.list
compute.
compute.instanceGroups.list
compute.
compute.instanceTemplates.list
compute.instances.getIamPolicy
compute.instances.list
compute.
compute.instantSnapshots.list
compute.
compute.
compute.
compute.interconnects.list
compute.
compute.licenseCodes.list
compute.licenses.getIamPolicy
compute.licenses.list
compute.
compute.machineImages.list
compute.machineTypes.list
compute.multiMig.list
compute.
compute.
compute.
compute.
compute.networkProfiles.list
compute.networks.list
compute.
compute.nodeGroups.list
compute.
compute.nodeTemplates.list
compute.nodeTypes.list
compute.packetMirrorings.list
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.regionOperations.list
compute.
compute.
compute.regionSslPolicies.list
compute.
compute.
compute.
compute.regionUrlMaps.list
compute.regions.list
compute.reservationBlocks.list
compute.reservations.list
compute.
compute.resourcePolicies.list
compute.routers.list
compute.routes.list
compute.securityPolicies.list
compute.
compute.
compute.snapshots.getIamPolicy
compute.snapshots.list
compute.sslCertificates.list
compute.sslPolicies.list
compute.
compute.storagePools.list
compute.
compute.subnetworks.list
compute.targetGrpcProxies.list
compute.targetHttpProxies.list
compute.
compute.targetInstances.list
compute.targetPools.list
compute.targetSslProxies.list
compute.targetTcpProxies.list
compute.targetVpnGateways.list
compute.urlMaps.list
compute.vpnGateways.list
compute.vpnTunnels.list
compute.wireGroups.list
compute.
compute.zoneOperations.list
compute.zones.list
confidentialcomputing.
config.
config.deployments.list
config.locations.list
config.operations.list
config.previews.list
config.resources.list
config.revisions.list
config.terraformversions.list
configdelivery.
configdelivery.locations.list
configdelivery.operations.list
configdelivery.releases.list
configdelivery.
configdelivery.rollouts.list
connectors.actions.list
connectors.
connectors.connections.list
connectors.connectors.list
connectors.
connectors.
connectors.
connectors.
connectors.
connectors.
connectors.entities.list
connectors.entityTypes.list
connectors.
connectors.eventtypes.list
connectors.locations.list
connectors.
connectors.managedZones.list
connectors.operations.list
connectors.providers.list
connectors.versions.list
consumerprocurement.
consumerprocurement.
consumerprocurement.
consumerprocurement.
consumerprocurement.
consumerprocurement.
consumerprocurement.
contactcenteraiplatform.
contactcenteraiplatform.
contactcenteraiplatform.
contactcenterinsights.
contactcenterinsights.
contactcenterinsights.
contactcenterinsights.
contactcenterinsights.
contactcenterinsights.
contactcenterinsights.
contactcenterinsights.
contactcenterinsights.
contactcenterinsights.
contactcenterinsights.
contactcenterinsights.
contactcenterinsights.
contactcenterinsights.
contactcenterinsights.
contactcenterinsights.
contactcenterinsights.
contactcenterinsights.
contactcenterinsights.
contactcenterinsights.
contactcenterinsights.
contactcenterinsights.
contactcenterinsights.
contactcenterinsights.
container.apiServices.list
container.auditSinks.list
container.backendConfigs.list
container.bindings.list
container.
container.
container.clusterRoles.list
container.clusters.list
container.
container.configMaps.list
container.
container.cronJobs.list
container.csiDrivers.list
container.csiNodeInfos.list
container.csiNodes.list
container.
container.daemonSets.list
container.deployments.list
container.endpointSlices.list
container.endpoints.list
container.events.list
container.frontendConfigs.list
container.
container.ingresses.list
container.
container.jobs.list
container.leases.list
container.limitRanges.list
container.
container.
container.
container.namespaces.list
container.networkPolicies.list
container.nodes.list
container.operations.list
container.
container.
container.petSets.list
container.
container.podPresets.list
container.
container.podTemplates.list
container.pods.list
container.priorityClasses.list
container.replicaSets.list
container.
container.resourceQuotas.list
container.roleBindings.list
container.roles.list
container.runtimeClasses.list
container.scheduledJobs.list
container.
container.serviceAccounts.list
container.services.list
container.statefulSets.list
container.storageClasses.list
container.storageStates.list
container.
container.
container.
container.
container.updateInfos.list
container.
container.
container.
container.
container.volumeSnapshots.list
containeranalysis.
containeranalysis.notes.list
containeranalysis.
containeranalysis.
containersecurity.
containersecurity.
containersecurity.
contentwarehouse.corpora.list
contentwarehouse.
contentwarehouse.
contentwarehouse.
contentwarehouse.ruleSets.list
contentwarehouse.
databasecenter.*
databaseinsights.
databasesconsole.
databasesconsole.
databasesconsole.
datacatalog.
datacatalog.
datacatalog.entries.list
datacatalog.
datacatalog.entryGroups.list
datacatalog.operations.list
datacatalog.relationships.list
datacatalog.
datacatalog.
datacatalog.taxonomies.list
dataconnectors.
dataconnectors.connectors.list
dataconnectors.locations.list
dataconnectors.operations.list
dataflow.jobs.list
dataflow.messages.list
dataflow.snapshots.list
dataform.commentThreads.list
dataform.comments.list
dataform.
dataform.locations.list
dataform.releaseConfigs.list
dataform.
dataform.repositories.list
dataform.workflowConfigs.list
dataform.
dataform.
dataform.workspaces.list
datafusion.artifacts.list
datafusion.
datafusion.instances.list
datafusion.locations.list
datafusion.
datafusion.namespaces.list
datafusion.operations.list
datafusion.
datafusion.pipelines.list
datafusion.profiles.list
datafusion.secureKeys.list
datalabeling.
datalabeling.
datalabeling.dataitems.list
datalabeling.datasets.list
datalabeling.examples.list
datalabeling.instructions.list
datalabeling.operations.list
datalineage.events.list
datalineage.processes.list
datalineage.runs.list
datamigration.
datamigration.
datamigration.
datamigration.
datamigration.locations.list
datamigration.
datamigration.
datamigration.
datamigration.objects.list
datamigration.operations.list
datamigration.
datamigration.
datapipelines.jobs.list
datapipelines.pipelines.list
dataplex.
dataplex.aspectTypes.list
dataplex.assetActions.list
dataplex.assets.getIamPolicy
dataplex.assets.list
dataplex.content.getIamPolicy
dataplex.content.list
dataplex.
dataplex.
dataplex.
dataplex.dataAttributes.list
dataplex.
dataplex.dataTaxonomies.list
dataplex.
dataplex.datascans.list
dataplex.encryptionConfig.list
dataplex.entities.list
dataplex.entries.list
dataplex.
dataplex.entryGroups.list
dataplex.
dataplex.entryTypes.list
dataplex.
dataplex.environments.list
dataplex.lakeActions.list
dataplex.lakes.getIamPolicy
dataplex.lakes.list
dataplex.locations.list
dataplex.metadataJobs.list
dataplex.operations.list
dataplex.partitions.list
dataplex.tasks.getIamPolicy
dataplex.tasks.list
dataplex.zoneActions.list
dataplex.zones.getIamPolicy
dataplex.zones.list
dataproc.agents.list
dataproc.
dataproc.
dataproc.batches.list
dataproc.clusters.getIamPolicy
dataproc.clusters.list
dataproc.jobs.getIamPolicy
dataproc.jobs.list
dataproc.
dataproc.operations.list
dataproc.sessionTemplates.list
dataproc.sessions.list
dataproc.
dataproc.
dataprocessing.
dataprocessing.
dataprocessing.
dataprocrm.locations.list
dataprocrm.nodePools.list
dataprocrm.nodes.list
dataprocrm.operations.list
dataprocrm.workloads.list
datastore.backupSchedules.list
datastore.backups.list
datastore.databases.list
datastore.entities.list
datastore.indexes.list
datastore.
datastore.locations.list
datastore.namespaces.list
datastore.operations.list
datastore.statistics.list
datastore.userCreds.list
datastream.
datastream.
datastream.locations.list
datastream.objects.list
datastream.operations.list
datastream.
datastream.
datastream.routes.getIamPolicy
datastream.routes.list
datastream.
datastream.streams.list
datastudio.
datastudio.
datastudio.
deploymentmanager.
deploymentmanager.
deploymentmanager.
deploymentmanager.
deploymentmanager.
deploymentmanager.
deploymentmanager.
deploymentmanager.types.list
designcenter.
designcenter.
designcenter.applications.list
designcenter.
designcenter.
designcenter.catalogs.list
designcenter.components.list
designcenter.connections.list
designcenter.locations.list
designcenter.operations.list
designcenter.
designcenter.
designcenter.shares.list
designcenter.
designcenter.spaces.list
developerconnect.
developerconnect.
developerconnect.
developerconnect.
developerconnect.
developerconnect.
developerconnect.users.list
dialogflow.agents.list
dialogflow.answerrecords.list
dialogflow.callMatchers.list
dialogflow.changelogs.list
dialogflow.contexts.list
dialogflow.
dialogflow.
dialogflow.
dialogflow.conversations.list
dialogflow.deployments.list
dialogflow.documents.list
dialogflow.entityTypes.list
dialogflow.environments.list
dialogflow.examples.list
dialogflow.experiments.list
dialogflow.flows.list
dialogflow.generators.list
dialogflow.integrations.list
dialogflow.intents.list
dialogflow.knowledgeBases.list
dialogflow.messages.list
dialogflow.
dialogflow.pages.list
dialogflow.participants.list
dialogflow.
dialogflow.phoneNumbers.list
dialogflow.playbooks.list
dialogflow.
dialogflow.
dialogflow.
dialogflow.testcases.list
dialogflow.tools.list
dialogflow.
dialogflow.versions.list
dialogflow.webhooks.list
discoveryengine.
discoveryengine.branches.list
discoveryengine.
discoveryengine.
discoveryengine.controls.list
discoveryengine.
discoveryengine.
discoveryengine.documents.list
discoveryengine.engines.list
discoveryengine.
discoveryengine.models.list
discoveryengine.
discoveryengine.notebooks.list
discoveryengine.
discoveryengine.
discoveryengine.
discoveryengine.schemas.list
discoveryengine.
discoveryengine.sessions.list
discoveryengine.
dlp.analyzeRiskTemplates.list
dlp.columnDataProfiles.list
dlp.connections.list
dlp.deidentifyTemplates.list
dlp.estimates.list
dlp.fileStoreProfiles.list
dlp.inspectFindings.list
dlp.inspectTemplates.list
dlp.jobTriggers.list
dlp.jobs.list
dlp.locations.list
dlp.projectDataProfiles.list
dlp.storedInfoTypes.list
dlp.subscriptions.list
dlp.tableDataProfiles.list
dns.changes.list
dns.dnsKeys.list
dns.managedZoneOperations.list
dns.managedZones.getIamPolicy
dns.managedZones.list
dns.policies.list
dns.resourceRecordSets.list
dns.responsePolicies.list
dns.responsePolicyRules.list
documentai.
documentai.evaluations.list
documentai.labelerPools.list
documentai.locations.list
documentai.processorTypes.list
documentai.
documentai.processors.list
domains.locations.list
domains.operations.list
domains.
domains.registrations.list
earthengine.
earthengine.assets.list
earthengine.operations.list
edgecontainer.
edgecontainer.clusters.list
edgecontainer.locations.list
edgecontainer.
edgecontainer.machines.list
edgecontainer.
edgecontainer.nodePools.list
edgecontainer.operations.list
edgecontainer.
edgecontainer.
edgenetwork.
edgenetwork.
edgenetwork.
edgenetwork.interconnects.list
edgenetwork.locations.list
edgenetwork.
edgenetwork.networks.list
edgenetwork.operations.list
edgenetwork.
edgenetwork.routers.list
edgenetwork.routes.list
edgenetwork.
edgenetwork.subnetworks.list
edgenetwork.zones.list
enterpriseknowledgegraph.
enterprisepurchasing.
enterprisepurchasing.
enterprisepurchasing.
enterprisepurchasing.
errorreporting.
errorreporting.
errorreporting.groups.list
essentialcontacts.
eventarc.
eventarc.
eventarc.channels.getIamPolicy
eventarc.channels.list
eventarc.
eventarc.enrollments.list
eventarc.
eventarc.googleApiSources.list
eventarc.
eventarc.kafkaSources.list
eventarc.locations.list
eventarc.
eventarc.messageBuses.list
eventarc.operations.list
eventarc.
eventarc.pipelines.list
eventarc.providers.list
eventarc.triggers.getIamPolicy
eventarc.triggers.list
fcmdata.deliverydata.list
file.backups.list
file.instances.list
file.locations.list
file.operations.list
financialservices.
financialservices.
financialservices.
financialservices.
financialservices.
financialservices.
financialservices.
financialservices.
financialservices.
firebase.clients.list
firebase.links.list
firebase.playLinks.list
firebaseabt.experiments.list
firebaseappdistro.groups.list
firebaseappdistro.
firebaseappdistro.testers.list
firebasecrashlytics.
firebasedatabase.
firebasedataconnect.
firebasedataconnect.
firebasedataconnect.
firebasedataconnect.
firebasedataconnect.
firebasedataconnect.
firebasedataconnect.
firebasedynamiclinks.
firebasedynamiclinks.
firebasedynamiclinks.
firebaseextensions.
firebaseextensionspublisher.
firebasehosting.sites.list
firebaseinappmessaging.
firebasemessagingcampaigns.
firebaseml.models.list
firebaseml.modelversions.list
firebasenotifications.
firebaserules.releases.list
firebaserules.rulesets.list
firebasestorage.buckets.list
fleetengine.
fleetengine.tasks.list
fleetengine.vehicles.list
gcp.redisenterprise.
gcp.redisenterprise.
gdchardwaremanagement.
gdchardwaremanagement.
gdchardwaremanagement.
gdchardwaremanagement.
gdchardwaremanagement.
gdchardwaremanagement.
gdchardwaremanagement.
gdchardwaremanagement.
gdchardwaremanagement.
gdchardwaremanagement.
genomics.datasets.getIamPolicy
genomics.datasets.list
genomics.operations.list
gkebackup.backupChannels.list
gkebackup.
gkebackup.
gkebackup.backupPlans.list
gkebackup.backups.list
gkebackup.locations.list
gkebackup.operations.list
gkebackup.restoreChannels.list
gkebackup.
gkebackup.
gkebackup.restorePlans.list
gkebackup.restores.list
gkebackup.volumeBackups.list
gkebackup.volumeRestores.list
gkehub.features.getIamPolicy
gkehub.features.list
gkehub.locations.list
gkehub.membershipbindings.list
gkehub.membershipfeatures.list
gkehub.
gkehub.memberships.list
gkehub.namespaces.list
gkehub.operations.list
gkehub.rbacrolebindings.list
gkehub.scopes.getIamPolicy
gkehub.scopes.list
gkemulticloud.
gkemulticloud.awsClusters.list
gkemulticloud.
gkemulticloud.
gkemulticloud.
gkemulticloud.
gkemulticloud.operations.list
gkeonprem.
gkeonprem.
gkeonprem.
gkeonprem.
gkeonprem.
gkeonprem.
gkeonprem.locations.list
gkeonprem.operations.list
gkeonprem.
gkeonprem.
gkeonprem.
gkeonprem.vmwareClusters.list
gkeonprem.
gkeonprem.vmwareNodePools.list
gsuiteaddons.deployments.list
healthcare.
healthcare.
healthcare.annotations.list
healthcare.
healthcare.
healthcare.
healthcare.consentStores.list
healthcare.consents.list
healthcare.
healthcare.datasets.list
healthcare.
healthcare.dicomStores.list
healthcare.
healthcare.fhirStores.list
healthcare.hl7V2Messages.list
healthcare.
healthcare.hl7V2Stores.list
healthcare.locations.list
healthcare.operations.list
healthcare.
iam.denypolicies.list
iam.googleapis.
iam.googleapis.
iam.googleapis.
iam.googleapis.
iam.googleapis.
iam.googleapis.
iam.googleapis.
iam.googleapis.
iam.googleapis.
iam.policybindings.list
iam.
iam.roles.get
iam.roles.list
iam.serviceAccountKeys.list
iam.serviceAccounts.get
iam.
iam.serviceAccounts.list
iap.tunnel.getIamPolicy
iap.
iap.tunnelDestGroups.list
iap.
iap.
iap.tunnelZones.getIamPolicy
iap.web.getIamPolicy
iap.
iap.webServices.getIamPolicy
iap.webTypes.getIamPolicy
identitytoolkit.
identitytoolkit.tenants.list
ids.endpoints.getIamPolicy
ids.endpoints.list
ids.locations.list
ids.operations.list
integrations.
integrations.
integrations.
integrations.
integrations.
integrations.
integrations.
integrations.
integrations.authConfigs.list
integrations.certificates.list
integrations.executions.list
integrations.
integrations.integrations.list
integrations.
integrations.
integrations.
integrations.
integrations.
integrations.sfdcChannels.list
integrations.
integrations.suspensions.list
integrations.testCases.list
issuerswitch.
issuerswitch.
issuerswitch.
issuerswitch.
issuerswitch.
issuerswitch.operations.list
issuerswitch.ruleMetadata.list
issuerswitch.
issuerswitch.rules.list
krmapihosting.
krmapihosting.krmApiHosts.list
krmapihosting.locations.list
krmapihosting.operations.list
licensemanager.
licensemanager.instances.list
licensemanager.locations.list
licensemanager.operations.list
licensemanager.products.list
lifesciences.operations.list
livestream.assets.list
livestream.channels.list
livestream.clips.list
livestream.events.list
livestream.inputs.list
livestream.locations.list
livestream.operations.list
logging.buckets.list
logging.exclusions.list
logging.links.list
logging.locations.list
logging.logEntries.list
logging.logMetrics.list
logging.logScopes.list
logging.logServiceIndexes.list
logging.logServices.list
logging.logs.list
logging.notificationRules.list
logging.operations.list
logging.privateLogEntries.list
logging.queries.usePrivate
logging.sinks.list
logging.views.getIamPolicy
logging.views.list
looker.backups.list
looker.instances.list
looker.locations.list
looker.operations.list
lustre.instances.list
lustre.locations.list
lustre.operations.list
maintenance.locations.list
maintenance.
managedflink.deployments.list
managedflink.jobs.list
managedflink.locations.list
managedflink.operations.list
managedflink.sessions.list
managedidentities.
managedidentities.backups.list
managedidentities.
managedidentities.domains.list
managedidentities.
managedidentities.
managedidentities.
managedidentities.
managedidentities.
managedkafka.clusters.list
managedkafka.
managedkafka.connectors.list
managedkafka.
managedkafka.locations.list
managedkafka.operations.list
managedkafka.topics.list
mapsadmin.clientMaps.list
mapsadmin.
mapsadmin.clientStyles.list
mapsadmin.mapViews.list
mapsadmin.styleSnapshots.list
mapsanalytics.
mapsplatformdatasets.
marketplacesolutions.
marketplacesolutions.
marketplacesolutions.
marketplacesolutions.
marketplacesolutions.
marketplacesolutions.
marketplacesolutions.
memcache.instances.list
memcache.locations.list
memcache.operations.list
memorystore.
memorystore.backups.list
memorystore.instances.list
memorystore.locations.list
memorystore.operations.list
metastore.backups.getIamPolicy
metastore.backups.list
metastore.
metastore.databases.list
metastore.
metastore.federations.list
metastore.imports.list
metastore.locations.list
metastore.migrations.list
metastore.operations.list
metastore.
metastore.services.list
metastore.tables.getIamPolicy
metastore.tables.list
migrationcenter.assets.list
migrationcenter.
migrationcenter.
migrationcenter.
migrationcenter.groups.list
migrationcenter.
migrationcenter.
migrationcenter.locations.list
migrationcenter.
migrationcenter.
migrationcenter.relations.list
migrationcenter.
migrationcenter.reports.list
migrationcenter.sources.list
ml.jobs.getIamPolicy
ml.jobs.list
ml.locations.list
ml.models.getIamPolicy
ml.models.list
ml.operations.list
ml.studies.getIamPolicy
ml.studies.list
ml.trials.list
ml.versions.list
modelarmor.locations.list
modelarmor.templates.list
monitoring.alertPolicies.list
monitoring.dashboards.list
monitoring.groups.list
monitoring.
monitoring.
monitoring.
monitoring.
monitoring.services.list
monitoring.slos.list
monitoring.snoozes.list
monitoring.timeSeries.list
monitoring.
netapp.activeDirectories.list
netapp.backupPolicies.list
netapp.backupVaults.list
netapp.backups.list
netapp.kmsConfigs.list
netapp.locations.list
netapp.operations.list
netapp.quotaRules.list
netapp.replications.list
netapp.snapshots.list
netapp.storagePools.list
netapp.volumes.list
networkconnectivity.
networkconnectivity.
networkconnectivity.
networkconnectivity.
networkconnectivity.
networkconnectivity.
networkconnectivity.
networkconnectivity.hubs.list
networkconnectivity.
networkconnectivity.
networkconnectivity.
networkconnectivity.
networkconnectivity.
networkconnectivity.
networkconnectivity.
networkconnectivity.
networkconnectivity.
networkconnectivity.
networkconnectivity.
networkconnectivity.
networkmanagement.
networkmanagement.
networkmanagement.
networkmanagement.
networkmanagement.
networksecurity.
networksecurity.
networksecurity.
networksecurity.
networksecurity.
networksecurity.
networksecurity.
networksecurity.
networksecurity.
networksecurity.
networksecurity.
networksecurity.
networksecurity.
networksecurity.
networksecurity.
networksecurity.
networksecurity.
networksecurity.locations.list
networksecurity.
networksecurity.
networksecurity.
networksecurity.
networksecurity.
networksecurity.
networksecurity.
networksecurity.
networksecurity.
networksecurity.
networksecurity.urlLists.list
networkservices.
networkservices.
networkservices.gateways.list
networkservices.
networkservices.
networkservices.
networkservices.
networkservices.
networkservices.
networkservices.
networkservices.locations.list
networkservices.meshes.list
networkservices.
networkservices.
networkservices.
networkservices.
networkservices.tcpRoutes.list
networkservices.tlsRoutes.list
networkservices.
notebooks.
notebooks.environments.list
notebooks.
notebooks.executions.list
notebooks.
notebooks.instances.list
notebooks.locations.list
notebooks.operations.list
notebooks.
notebooks.runtimes.list
notebooks.
notebooks.schedules.list
observability.
ondemandscanning.
opsconfigmonitoring.
oracledatabase.
oracledatabase.
oracledatabase.
oracledatabase.
oracledatabase.
oracledatabase.
oracledatabase.dbNodes.list
oracledatabase.dbServers.list
oracledatabase.
oracledatabase.
oracledatabase.giVersions.list
oracledatabase.locations.list
oracledatabase.operations.list
oracledatabase.
orgpolicy.constraints.list
orgpolicy.
orgpolicy.policies.list
osconfig.guestPolicies.list
osconfig.
osconfig.inventories.list
osconfig.locations.list
osconfig.operations.list
osconfig.
osconfig.
osconfig.patchDeployments.list
osconfig.patchJobs.list
osconfig.
osconfig.upgradeReports.list
osconfig.
parallelstore.instances.list
parallelstore.locations.list
parallelstore.operations.list
parametermanager.
parametermanager.
parametermanager.
paymentsresellersubscription.
paymentsresellersubscription.
policyremediatormanager.
policyremediatormanager.
policysimulator.
policysimulator.
policysimulator.
policysimulator.
policysimulator.
policysimulator.replays.list
privateca.caPools.getIamPolicy
privateca.caPools.list
privateca.
privateca.
privateca.
privateca.
privateca.
privateca.
privateca.
privateca.certificates.list
privateca.locations.list
privateca.operations.list
privateca.
privateca.reusableConfigs.list
privilegedaccessmanager.
privilegedaccessmanager.
privilegedaccessmanager.
privilegedaccessmanager.
proximitybeacon.
proximitybeacon.
proximitybeacon.beacons.list
proximitybeacon.
proximitybeacon.
pubsub.schemas.getIamPolicy
pubsub.schemas.list
pubsub.snapshots.getIamPolicy
pubsub.snapshots.list
pubsub.
pubsub.subscriptions.list
pubsub.topics.getIamPolicy
pubsub.topics.list
pubsublite.operations.list
pubsublite.reservations.list
pubsublite.subscriptions.list
pubsublite.topics.list
recaptchaenterprise.
recaptchaenterprise.keys.list
recaptchaenterprise.
recaptchaenterprise.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.costInsights.list
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.locations.list
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
redis.backupCollections.list
redis.backups.list
redis.clusters.list
redis.instances.list
redis.locations.list
redis.operations.list
remotebuildexecution.
remotebuildexecution.
resourcemanager.
resourcemanager.folders.list
resourcemanager.
resourcemanager.
resourcemanager.
resourcemanager.projects.list
resourcemanager.tagHolds.list
resourcemanager.
resourcemanager.tagKeys.list
resourcemanager.
resourcemanager.tagValues.list
resourcesettings.settings.list
retail.branches.list
retail.catalogs.list
retail.controls.list
retail.experiments.list
retail.models.list
retail.operations.list
retail.products.list
retail.servingConfigs.list
riskmanager.
riskmanager.operations.list
riskmanager.policies.list
riskmanager.reports.list
rma.collectors.list
rma.locations.list
rma.operations.list
run.configurations.list
run.executions.list
run.jobs.getIamPolicy
run.jobs.list
run.locations.list
run.operations.list
run.revisions.list
run.routes.list
run.services.getIamPolicy
run.services.list
run.tasks.list
runapps.applications.list
runapps.deployments.list
runapps.locations.list
runapps.operations.list
runtimeconfig.
runtimeconfig.configs.list
runtimeconfig.operations.list
runtimeconfig.
runtimeconfig.variables.list
runtimeconfig.
runtimeconfig.waiters.list
saasservicemgmt.locations.list
saasservicemgmt.
saasservicemgmt.releases.list
saasservicemgmt.
saasservicemgmt.rollouts.list
saasservicemgmt.saas.list
saasservicemgmt.unitKinds.list
saasservicemgmt.
saasservicemgmt.units.list
secretmanager.locations.list
secretmanager.
secretmanager.secrets.list
secretmanager.versions.list
securedlandingzone.
securesourcemanager.
securesourcemanager.
securesourcemanager.
securesourcemanager.
securesourcemanager.
securesourcemanager.
securesourcemanager.
securesourcemanager.
securitycenter.assets.list
securitycenter.
securitycenter.
securitycenter.
securitycenter.
securitycenter.findings.list
securitycenter.issues.list
securitycenter.
securitycenter.
securitycenter.
securitycenter.
securitycenter.
securitycenter.sources.list
securitycenter.
securitycenter.
securitycentermanagement.
securitycentermanagement.
securitycentermanagement.
securitycentermanagement.
securitycentermanagement.
securitycentermanagement.
securityposture.locations.list
securityposture.
securityposture.
securityposture.
securityposture.postures.list
securityposture.reports.list
servicebroker.
servicebroker.
servicebroker.bindings.list
servicebroker.
servicebroker.catalogs.list
servicebroker.
servicebroker.
servicebroker.instances.list
serviceconsumermanagement.
servicedirectory.
servicedirectory.
servicedirectory.
servicedirectory.
servicedirectory.
servicedirectory.
servicedirectory.services.list
servicehealth.events.list
servicehealth.locations.list
servicehealth.
servicehealth.
servicemanagement.
servicemanagement.
servicenetworking.
servicesecurityinsights.
servicesecurityinsights.
servicesecurityinsights.
serviceusage.services.list
source.repos.getIamPolicy
source.repos.list
spanner.backupOperations.list
spanner.
spanner.backupSchedules.list
spanner.backups.getIamPolicy
spanner.backups.list
spanner.
spanner.databaseRoles.list
spanner.databases.getIamPolicy
spanner.databases.list
spanner.
spanner.instanceConfigs.list
spanner.
spanner.
spanner.
spanner.instances.getIamPolicy
spanner.instances.list
spanner.sessions.list
speakerid.phrases.list
speakerid.speakers.list
speech.customClasses.list
speech.locations.list
speech.operations.list
speech.phraseSets.list
speech.recognizers.list
stackdriver.
storage.anywhereCaches.list
storage.bucketOperations.list
storage.buckets.getIamPolicy
storage.buckets.list
storage.folders.list
storage.hmacKeys.list
storage.
storage.managedFolders.list
storage.multipartUploads.list
storage.objects.getIamPolicy
storage.objects.list
storageinsights.
storageinsights.locations.list
storageinsights.
storageinsights.
storageinsights.
storagetransfer.
storagetransfer.jobs.list
storagetransfer.
stream.locations.list
stream.operations.list
stream.streamContents.list
stream.streamInstances.list
telcoautomation.
telcoautomation.
telcoautomation.edgeSlms.list
telcoautomation.
telcoautomation.locations.list
telcoautomation.
telcoautomation.
telcoautomation.
timeseriesinsights.
timeseriesinsights.
tpu.acceleratortypes.list
tpu.locations.list
tpu.nodes.list
tpu.operations.list
tpu.runtimeversions.list
tpu.tensorflowversions.list
transcoder.jobTemplates.list
transcoder.jobs.list
transferappliance.
transferappliance.
transferappliance.
transferappliance.orders.list
transferappliance.
translationhub.portals.list
videostitcher.cdnKeys.list
videostitcher.
videostitcher.liveConfigs.list
videostitcher.operations.list
videostitcher.slates.list
videostitcher.
videostitcher.vodConfigs.list
videostitcher.
visionai.analyses.getIamPolicy
visionai.analyses.list
visionai.annotations.list
visionai.applications.list
visionai.assets.list
visionai.clusters.getIamPolicy
visionai.clusters.list
visionai.corpora.list
visionai.dataSchemas.list
visionai.drafts.list
visionai.events.getIamPolicy
visionai.events.list
visionai.indexEndpoints.list
visionai.indexes.list
visionai.instances.list
visionai.locations.list
visionai.operations.list
visionai.
visionai.operators.list
visionai.processors.list
visionai.searchConfigs.list
visionai.series.getIamPolicy
visionai.series.list
visionai.streams.getIamPolicy
visionai.streams.list
visionai.uistreams.list
visualinspection.
visualinspection.
visualinspection.
visualinspection.datasets.list
visualinspection.images.list
visualinspection.
visualinspection.
visualinspection.models.list
visualinspection.modules.list
visualinspection.
visualinspection.
visualinspection.
vmmigration.cloneJobs.list
vmmigration.cutoverJobs.list
vmmigration.
vmmigration.deployments.list
vmmigration.groups.list
vmmigration.locations.list
vmmigration.migratingVms.list
vmmigration.operations.list
vmmigration.
vmmigration.sources.list
vmmigration.targets.list
vmmigration.
vmwareengine.
vmwareengine.clusters.list
vmwareengine.
vmwareengine.
vmwareengine.
vmwareengine.
vmwareengine.locations.list
vmwareengine.
vmwareengine.
vmwareengine.
vmwareengine.
vmwareengine.nodeTypes.list
vmwareengine.nodes.list
vmwareengine.operations.list
vmwareengine.
vmwareengine.
vmwareengine.
vmwareengine.subnets.list
vmwareengine.
vpcaccess.connectors.list
vpcaccess.locations.list
vpcaccess.operations.list
workflows.callbacks.list
workflows.executions.list
workflows.locations.list
workflows.operations.list
workflows.stepEntries.list
workflows.workflows.list
workloadcertificate.
workloadcertificate.
workloadcertificate.
workloadmanager.
workloadmanager.
workloadmanager.
workloadmanager.
workloadmanager.
workloadmanager.locations.list
workloadmanager.
workloadmanager.results.list
workloadmanager.rules.list
workstations.
workstations.
workstations.
workstations.
workstations.workstations.list
Workspace Pool IAM Admin
Beta
(roles/)
IAM workspace pool admin able to bind IAM policies to Dasher accounts.
iam.workspacePools.*
Infrastructure Manager roles
Permissions
Cloud Infrastructure Manager Admin
Beta
(roles/)
Full access to Cloud Infrastructure Manager resources.
config.*
resourcemanager.projects.get
resourcemanager.projects.list
Cloud Infrastructure Manager Agent
Beta
(roles/)
Required permissions to make Cloud Infrastructure Manager work with the user-specified service account
cloudbuild.connections.list
cloudbuild.
cloudbuild.repositories.list
cloudquotas.quotas.get
config.artifacts.import
config.deployments.deleteState
config.deployments.getLock
config.deployments.getState
config.deployments.updateState
config.previews.upload
config.revisions.getState
logging.logEntries.create
monitoring.timeSeries.list
storage.buckets.create
storage.buckets.delete
storage.buckets.get
storage.buckets.list
storage.buckets.update
storage.objects.create
storage.objects.delete
storage.objects.get
storage.objects.list
storage.objects.update
Cloud Infrastructure Manager Viewer
Beta
(roles/)
Read-only access to Cloud Infrastructure Manager resources.
config.deployments.get
config.
config.deployments.list
config.locations.*
config.operations.get
config.operations.list
config.previews.get
config.previews.list
config.resources.*
config.revisions.get
config.revisions.list
config.terraformversions.*
resourcemanager.projects.get
resourcemanager.projects.list
KRM API Hosting roles
Permissions
Config Controller Admin
(roles/)
Full access to all Config Controller resources.
krmapihosting.*
resourcemanager.projects.get
resourcemanager.projects.list
Config Controller Viewer
(roles/)
Read-only access to all Config Controller resources.
krmapihosting.krmApiHosts.get
krmapihosting.
krmapihosting.krmApiHosts.list
krmapihosting.locations.*
krmapihosting.operations.get
krmapihosting.operations.list
resourcemanager.projects.get
resourcemanager.projects.list
Kubernetes Engine roles
Permissions
Kubernetes Engine Admin
(roles/)
Provides access to full management of clusters and their
Kubernetes API objects.
To set a service account on nodes, you must also have the Service Account User role
(roles/iam.serviceAccountUser) on the
user-managed
service account that your nodes will use .
Lowest-level resources where you can grant this role:
container.*
recommender.
recommender.
recommender.locations.*
recommender.
recommender.
resourcemanager.projects.get
resourcemanager.projects.list
Kubernetes Engine KMS Crypto Key User
(roles/)
Allow the Kubernetes Engine service agent in the cluster project to call KMS with user provided crypto keys to sign payloads.
cloudkms.cryptoKeyVersions.get
cloudkms.
cloudkms.
cloudkms.
cloudkms.cryptoKeys.get
cloudkms.locations.get
cloudkms.locations.list
resourcemanager.projects.get
Kubernetes Engine Cluster Admin
(roles/)
Provides access to management of clusters.
To set a service account on nodes, you must also have the Service Account User role
(roles/iam.serviceAccountUser) on the
user-managed
service account that your nodes will use .
Lowest-level resources where you can grant this role:
container.clusters.connect
container.clusters.create
container.clusters.delete
container.clusters.get
container.clusters.list
container.clusters.update
container.operations.*
resourcemanager.projects.get
resourcemanager.projects.list
Kubernetes Engine Cluster Viewer
(roles/)
Provides access to get and list GKE clusters.
container.clusters.connect
container.clusters.get
container.clusters.list
resourcemanager.projects.get
resourcemanager.projects.list
Kubernetes Engine Default Node Service Account
(roles/)
Least privilege role to use as the default service account for GKE Nodes.
autoscaling.sites.writeMetrics
logging.logEntries.create
monitoring.
monitoring.
monitoring.timeSeries.*
Kubernetes Engine Developer
(roles/)
Provides access to Kubernetes API objects inside clusters.
Lowest-level resources where you can grant this role:
container.apiServices.*
container.auditSinks.*
container.backendConfigs.*
container.bindings.*
container.
container.
container.
container.
container.
container.
container.
container.
container.clusterRoles.get
container.clusterRoles.list
container.clusters.connect
container.clusters.get
container.clusters.list
container.componentStatuses.*
container.configMaps.*
container.
container.
container.cronJobs.*
container.csiDrivers.*
container.csiNodeInfos.*
container.csiNodes.*
container.
container.daemonSets.*
container.deployments.*
container.endpointSlices.*
container.endpoints.*
container.events.*
container.frontendConfigs.*
container.
container.ingresses.*
container.
container.jobs.*
container.leases.*
container.limitRanges.*
container.
container.
container.
container.
container.namespaces.*
container.networkPolicies.*
container.nodes.*
container.
container.persistentVolumes.*
container.petSets.*
container.
container.podPresets.*
container.
container.
container.podTemplates.*
container.pods.*
container.priorityClasses.*
container.replicaSets.*
container.
container.resourceQuotas.*
container.roleBindings.get
container.roleBindings.list
container.roles.get
container.roles.list
container.runtimeClasses.*
container.scheduledJobs.*
container.secrets.*
container.
container.
container.serviceAccounts.*
container.services.*
container.statefulSets.*
container.storageClasses.*
container.storageStates.*
container.
container.
container.thirdPartyObjects.*
container.
container.tokenReviews.create
container.updateInfos.*
container.
container.
container.volumeAttachments.*
container.
container.
container.volumeSnapshots.*
recommender.
recommender.
recommender.locations.*
recommender.
recommender.
resourcemanager.projects.get
resourcemanager.projects.list
Kubernetes Engine Host Service Agent User
(roles/)
Allows the Kubernetes Engine service account in the host project to configure shared network
resources for cluster management. Also gives access to inspect the firewall rules in the host
project.
compute.firewalls.get
container.hostServiceAgent.use
dns.
dns.
dns.
dns.responsePolicies.*
dns.responsePolicyRules.*
Kubernetes Engine Viewer
(roles/)
Provides read-only access to resources within GKE clusters, such as nodes, pods, and GKE API objects.
Lowest-level resources where you can grant this role:
container.apiServices.get
container.
container.apiServices.list
container.auditSinks.get
container.auditSinks.list
container.backendConfigs.get
container.backendConfigs.list
container.bindings.get
container.bindings.list
container.
container.
container.
container.
container.
container.clusterRoles.get
container.clusterRoles.list
container.clusters.connect
container.clusters.get
container.clusters.list
container.componentStatuses.*
container.configMaps.get
container.configMaps.list
container.
container.
container.cronJobs.get
container.cronJobs.getStatus
container.cronJobs.list
container.csiDrivers.get
container.csiDrivers.list
container.csiNodeInfos.get
container.csiNodeInfos.list
container.csiNodes.get
container.csiNodes.list
container.
container.
container.
container.daemonSets.get
container.daemonSets.getStatus
container.daemonSets.list
container.deployments.get
container.deployments.getScale
container.
container.deployments.list
container.endpointSlices.get
container.endpointSlices.list
container.endpoints.get
container.endpoints.list
container.events.get
container.events.list
container.frontendConfigs.get
container.frontendConfigs.list
container.
container.
container.
container.ingresses.get
container.ingresses.getStatus
container.ingresses.list
container.
container.
container.jobs.get
container.jobs.getStatus
container.jobs.list
container.leases.get
container.leases.list
container.limitRanges.get
container.limitRanges.list
container.
container.
container.
container.
container.namespaces.get
container.namespaces.getStatus
container.namespaces.list
container.networkPolicies.get
container.networkPolicies.list
container.nodes.get
container.nodes.getStatus
container.nodes.list
container.operations.*
container.
container.
container.
container.
container.
container.
container.petSets.get
container.petSets.list
container.
container.
container.
container.podPresets.get
container.podPresets.list
container.
container.
container.podTemplates.get
container.podTemplates.list
container.pods.get
container.pods.getStatus
container.pods.list
container.priorityClasses.get
container.priorityClasses.list
container.replicaSets.get
container.replicaSets.getScale
container.
container.replicaSets.list
container.
container.
container.
container.
container.resourceQuotas.get
container.
container.resourceQuotas.list
container.roleBindings.get
container.roleBindings.list
container.roles.get
container.roles.list
container.runtimeClasses.get
container.runtimeClasses.list
container.scheduledJobs.get
container.scheduledJobs.list
container.serviceAccounts.get
container.serviceAccounts.list
container.services.get
container.services.getStatus
container.services.list
container.statefulSets.get
container.
container.
container.statefulSets.list
container.storageClasses.get
container.storageClasses.list
container.storageStates.get
container.
container.storageStates.list
container.
container.
container.
container.
container.
container.
container.
container.tokenReviews.create
container.updateInfos.get
container.updateInfos.list
container.
container.
container.
container.
container.
container.
container.
container.
container.
container.
container.volumeSnapshots.get
container.volumeSnapshots.list
recommender.
recommender.
recommender.
recommender.
recommender.locations.*
recommender.
recommender.
recommender.
recommender.
resourcemanager.projects.get
resourcemanager.projects.list
Live Stream roles
Permissions
Live Stream Editor
(roles/)
Full access to Live Stream resources.
livestream.*
resourcemanager.projects.get
resourcemanager.projects.list
Live Stream Viewer
(roles/)
Read access to Live Stream resources.
livestream.assets.get
livestream.assets.list
livestream.channels.get
livestream.channels.list
livestream.clips.get
livestream.clips.list
livestream.events.get
livestream.events.list
livestream.inputs.get
livestream.inputs.list
livestream.locations.*
livestream.operations.get
livestream.operations.list
livestream.pools.get
resourcemanager.projects.get
resourcemanager.projects.list
Logging roles
Permissions
Logging Admin
(roles/)
Provides all permissions necessary to use all features of Cloud Logging.
Lowest-level resources where you can grant this role:
logging.buckets.copyLogEntries
logging.buckets.create
logging.
logging.buckets.delete
logging.
logging.buckets.get
logging.buckets.list
logging.
logging.
logging.buckets.undelete
logging.buckets.update
logging.exclusions.*
logging.fields.access
logging.links.*
logging.locations.*
logging.logEntries.*
logging.logMetrics.*
logging.logScopes.*
logging.logServiceIndexes.list
logging.logServices.list
logging.logs.*
logging.notificationRules.*
logging.operations.*
logging.privateLogEntries.list
logging.queries.*
logging.settings.*
logging.sinks.*
logging.sqlAlerts.*
logging.usage.get
logging.views.*
observability.scopes.get
resourcemanager.projects.get
resourcemanager.projects.list
Logs Bucket Writer
(roles/)
Ability to write logs to a log bucket.
Lowest-level resources where you can grant this role:
logging.buckets.write
Logs Configuration Writer
(roles/)
Provides permissions to read and write the configurations of logs-based
metrics and sinks for exporting logs.
Lowest-level resources where you can grant this role:
logging.buckets.create
logging.
logging.buckets.delete
logging.
logging.buckets.get
logging.buckets.list
logging.
logging.
logging.buckets.undelete
logging.buckets.update
logging.exclusions.*
logging.links.*
logging.locations.*
logging.logMetrics.*
logging.logScopes.*
logging.logServiceIndexes.list
logging.logServices.list
logging.logs.list
logging.notificationRules.*
logging.operations.*
logging.settings.*
logging.sinks.*
logging.sqlAlerts.*
logging.views.create
logging.views.delete
logging.views.get
logging.views.getIamPolicy
logging.views.list
logging.views.update
observability.scopes.get
resourcemanager.projects.get
resourcemanager.projects.list
Log Field Accessor
(roles/)
Ability to read restricted fields in a log bucket.
Lowest-level resources where you can grant this role:
logging.fields.access
Log Link Accessor
(roles/)
Ability to see links for a bucket.
logging.links.get
logging.links.list
Logs Writer
(roles/)
Provides the permissions to write log entries.
Lowest-level resources where you can grant this role:
logging.logEntries.create
logging.logEntries.route
Private Logs Viewer
(roles/)
Provides permissions of the Logs Viewer role and in addition, provides
read-only access to log entries in private logs.
Lowest-level resources where you can grant this role:
logging.buckets.get
logging.buckets.list
logging.exclusions.get
logging.exclusions.list
logging.links.get
logging.links.list
logging.locations.*
logging.logEntries.list
logging.logMetrics.get
logging.logMetrics.list
logging.logServiceIndexes.list
logging.logServices.list
logging.logs.list
logging.operations.get
logging.operations.list
logging.privateLogEntries.list
logging.queries.getShared
logging.queries.listShared
logging.queries.usePrivate
logging.sinks.get
logging.sinks.list
logging.usage.get
logging.views.access
logging.views.get
logging.views.list
observability.scopes.get
resourcemanager.projects.get
SQL Alert Writer
Beta
(roles/)
Ability to write SQL Alerts.
logging.sqlAlerts.*
Logs View Accessor
(roles/)
Ability to read logs in a view.
Lowest-level resources where you can grant this role:
logging.logEntries.download
logging.views.access
logging.views.listLogs
logging.views.listResourceKeys
logging.
Logs Viewer
(roles/)
Provides access to view logs.
Lowest-level resources where you can grant this role:
logging.buckets.get
logging.buckets.list
logging.exclusions.get
logging.exclusions.list
logging.links.get
logging.links.list
logging.locations.*
logging.logEntries.list
logging.logMetrics.get
logging.logMetrics.list
logging.logScopes.get
logging.logScopes.list
logging.logServiceIndexes.list
logging.logServices.list
logging.logs.list
logging.operations.get
logging.operations.list
logging.queries.getShared
logging.queries.listShared
logging.queries.usePrivate
logging.sinks.get
logging.sinks.list
logging.usage.get
logging.views.get
logging.views.list
observability.scopes.get
resourcemanager.projects.get
Looker roles
Permissions
Looker Admin
(roles/)
Full access to all Looker resources.
looker.*
resourcemanager.projects.get
resourcemanager.projects.list
Looker Instance User
(roles/)
Access to log in to a Looker instance.
looker.instances.get
looker.instances.login
resourcemanager.projects.get
resourcemanager.projects.list
Looker Viewer
(roles/)
Read-only access to all Looker resources.
looker.backups.get
looker.backups.list
looker.instances.get
looker.instances.list
looker.instances.login
looker.locations.*
looker.operations.get
looker.operations.list
resourcemanager.projects.get
resourcemanager.projects.list
Maps API Admin roles
Permissions
Maps API Admin
(roles/)
Read and Write all Maps Management and Maps Styles Resources.
mapsadmin.*
resourcemanager.projects.get
resourcemanager.projects.list
Maps API Viewer
(roles/)
Read all Maps Management and Maps Styles Resources.
mapsadmin.clientMaps.get
mapsadmin.clientMaps.list
mapsadmin.
mapsadmin.clientStyles.get
mapsadmin.clientStyles.list
mapsadmin.mapViews.get
mapsadmin.mapViews.list
mapsadmin.
mapsadmin.styleSnapshots.list
resourcemanager.projects.get
resourcemanager.projects.list
Memorystore Memcache roles
Permissions
Cloud Memorystore Memcached Admin
(roles/)
Full access to Memcached instances and related resources.
compute.networks.list
memcache.*
resourcemanager.projects.get
resourcemanager.projects.list
Cloud Memorystore Memcached Editor
(roles/)
Read-Write access to Memcached instances and related resources.
memcache.
memcache.instances.get
memcache.instances.list
memcache.instances.update
memcache.
memcache.locations.*
memcache.operations.*
resourcemanager.projects.get
resourcemanager.projects.list
Cloud Memorystore Memcached Viewer
(roles/)
Read-only access to Memcached instances and related resources.
memcache.instances.get
memcache.instances.list
memcache.locations.*
memcache.operations.get
memcache.operations.list
resourcemanager.projects.get
resourcemanager.projects.list
Memorystore Redis roles
Permissions
Cloud Memorystore Redis Admin
(roles/)
Full control for all Memorystore for Redis resources.
cloudkms.keyHandles.*
cloudkms.operations.get
cloudkms.
compute.networks.list
networkconnectivity.
redis.*
resourcemanager.projects.get
resourcemanager.projects.list
serviceusage.services.use
Cloud Memorystore Redis Db Connection User
Beta
(roles/)
Access to connecting to Redis Server db.
redis.clusters.connect
Cloud Memorystore Redis Editor
(roles/)
Manage Memorystore for Redis instances. Can't create or delete instances.
compute.networks.list
redis.backupCollections.get
redis.backupCollections.list
redis.backups.get
redis.backups.list
redis.clusters.backup
redis.clusters.get
redis.clusters.list
redis.clusters.update
redis.instances.failover
redis.instances.get
redis.instances.list
redis.instances.update
redis.locations.*
redis.operations.*
resourcemanager.projects.get
resourcemanager.projects.list
serviceusage.services.use
Cloud Memorystore Redis Viewer
(roles/)
Read-only access to all Memorystore for Redis resources.
redis.backupCollections.get
redis.backupCollections.list
redis.backups.get
redis.backups.list
redis.clusters.get
redis.clusters.list
redis.instances.get
redis.instances.list
redis.
redis.
redis.locations.*
redis.operations.get
redis.operations.list
resourcemanager.projects.get
resourcemanager.projects.list
serviceusage.services.use
Mesh Management roles
Permissions
Mesh Config Admin
Beta
(roles/)
Full access to all mesh configuration resources
meshconfig.projects.init
Mesh Config Viewer
Beta
(roles/)
Read access to mesh configuration
Migration Center roles
Permissions
Migration Center Admin
Beta
(roles/)
Full access to Migration Center all resources.
migrationcenter.*
resourcemanager.projects.get
resourcemanager.projects.list
rma.*
serviceusage.quotas.get
Migration Center Discovery Client
Beta
(roles/)
Migration Center Discover Client role
migrationcenter.
migrationcenter.
migrationcenter.
Migration Center Discovery Client Registrator
Beta
(roles/)
Registrator of Migration Center Discover Clients
migrationcenter.
migrationcenter.
migrationcenter.
migrationcenter.operations.get
migrationcenter.sources.create
migrationcenter.sources.delete
resourcemanager.projects.get
resourcemanager.projects.list
Migration Center Viewer
Beta
(roles/)
Read-only access to Migration Center all resources.
migrationcenter.assets.get
migrationcenter.assets.list
migrationcenter.
migrationcenter.
migrationcenter.
migrationcenter.
migrationcenter.errorFrames.*
migrationcenter.groups.get
migrationcenter.groups.list
migrationcenter.
migrationcenter.
migrationcenter.importJobs.get
migrationcenter.
migrationcenter.locations.*
migrationcenter.operations.get
migrationcenter.
migrationcenter.
migrationcenter.
migrationcenter.relations.*
migrationcenter.
migrationcenter.
migrationcenter.reports.get
migrationcenter.reports.list
migrationcenter.settings.get
migrationcenter.sources.get
migrationcenter.sources.list
resourcemanager.projects.get
resourcemanager.projects.list
rma.annotations.get
rma.collectors.get
rma.collectors.list
rma.locations.*
rma.operations.get
rma.operations.list
serviceusage.quotas.get
Monitoring roles
Permissions
Monitoring Admin
(roles/)
Provides full access to Cloud Monitoring.
Lowest-level resources where you can grant this role:
cloudnotifications.
monitoring.*
opsconfigmonitoring.*
resourcemanager.projects.get
resourcemanager.projects.list
serviceusage.services.enable
serviceusage.services.get
stackdriver.*
Monitoring AlertPolicy Editor
(roles/)
Read/write access to alerting policies.
monitoring.alertPolicies.*
Monitoring AlertPolicy Viewer
(roles/)
Read-only access to alerting policies.
monitoring.alertPolicies.get
monitoring.alertPolicies.list
monitoring.
monitoring.
Monitoring Cloud Console Incident Editor
Beta
(roles/)
Read/write access to incidents from Cloud Console.
Monitoring Cloud Console Incident Viewer
Beta
(roles/)
Read access to incidents from Cloud Console.
Monitoring Dashboard Configuration Editor
(roles/)
Read/write access to dashboard configurations.
monitoring.dashboards.*
Monitoring Dashboard Configuration Viewer
(roles/)
Read-only access to dashboard configurations.
monitoring.dashboards.get
monitoring.dashboards.list
Monitoring Editor
(roles/)
Provides full access to information about all monitoring data and
configurations.
Lowest-level resources where you can grant this role:
cloudnotifications.
monitoring.alertPolicies.*
monitoring.dashboards.*
monitoring.groups.*
monitoring.metricDescriptors.*
monitoring.
monitoring.
monitoring.
monitoring.
monitoring.
monitoring.
monitoring.
monitoring.
monitoring.
monitoring.services.*
monitoring.slos.*
monitoring.snoozes.*
monitoring.timeSeries.*
monitoring.
opsconfigmonitoring.*
resourcemanager.projects.get
resourcemanager.projects.list
serviceusage.services.enable
serviceusage.services.get
stackdriver.*
Monitoring Metric Writer
(roles/)
Provides write-only access to metrics. This provides exactly the permissions
needed by the Cloud Monitoring agent and other systems that send metrics.
Lowest-level resources where you can grant this role:
monitoring.
monitoring.
monitoring.
monitoring.
monitoring.timeSeries.create
Monitoring Metrics Scopes Admin
Beta
(roles/)
Access to add and remove monitored projects from metrics scopes.
monitoring.metricsScopes.link
resourcemanager.projects.get
resourcemanager.projects.list
Monitoring Metrics Scopes Viewer
Beta
(roles/)
Read-only access to metrics scopes and their monitored projects.
resourcemanager.projects.get
resourcemanager.projects.list
Monitoring NotificationChannel Editor
Beta
(roles/)
Read/write access to notification channels.
monitoring.
monitoring.
monitoring.
monitoring.
monitoring.
monitoring.
monitoring.
monitoring.
Monitoring NotificationChannel Viewer
Beta
(roles/)
Read-only access to notification channels.
monitoring.
monitoring.
monitoring.
Monitoring Services Editor
(roles/)
Read/write access to services.
monitoring.services.*
monitoring.slos.*
Monitoring Services Viewer
(roles/)
Read-only access to services.
monitoring.services.get
monitoring.services.list
monitoring.slos.get
monitoring.slos.list
Monitoring Snooze Editor
(roles/)
monitoring.snoozes.*
Monitoring Snooze Viewer
(roles/)
monitoring.snoozes.get
monitoring.snoozes.list
Monitoring Uptime Check Configuration Editor
Beta
(roles/)
Read/write access to uptime check configurations.
monitoring.
Monitoring Uptime Check Configuration Viewer
Beta
(roles/)
Read-only access to uptime check configurations.
monitoring.
monitoring.
Monitoring Viewer
(roles/)
Provides read-only access to get and list information about all monitoring
data and configurations.
Lowest-level resources where you can grant this role:
cloudnotifications.
monitoring.alertPolicies.get
monitoring.alertPolicies.list
monitoring.
monitoring.
monitoring.dashboards.get
monitoring.dashboards.list
monitoring.groups.get
monitoring.groups.list
monitoring.
monitoring.
monitoring.
monitoring.
monitoring.
monitoring.
monitoring.services.get
monitoring.services.list
monitoring.slos.get
monitoring.slos.list
monitoring.snoozes.get
monitoring.snoozes.list
monitoring.timeSeries.list
monitoring.
monitoring.
opsconfigmonitoring.
resourcemanager.projects.get
resourcemanager.projects.list
stackdriver.projects.get
stackdriver.
Network Connectivity roles
Permissions
Service Automation Consumer Network Admin
(roles/)
Service Automation Consumer Network Admin is responsible for setting up ServiceConnectionPolicies.
networkconnectivity.
resourcemanager.projects.get
resourcemanager.projects.list
Group User
(roles/)
Enables use access on group resources
networkconnectivity.groups.use
Hub & Spoke Admin
(roles/)
Enables full access to hub and spoke resources.
Lowest-level resources where you can grant this role:
networkconnectivity.groups.*
networkconnectivity.
networkconnectivity.
networkconnectivity.hubs.*
networkconnectivity.
networkconnectivity.
networkconnectivity.spokes.*
resourcemanager.projects.get
resourcemanager.projects.list
Hub & Spoke Viewer
(roles/)
Enables read-only access to hub and spoke resources.
Lowest-level resources where you can grant this role:
networkconnectivity.groups.get
networkconnectivity.
networkconnectivity.
networkconnectivity.
networkconnectivity.
networkconnectivity.
networkconnectivity.
networkconnectivity.
networkconnectivity.
networkconnectivity.hubs.get
networkconnectivity.
networkconnectivity.hubs.list
networkconnectivity.
networkconnectivity.
networkconnectivity.
networkconnectivity.spokes.get
networkconnectivity.
networkconnectivity.
resourcemanager.projects.get
resourcemanager.projects.list
Regional Endpoint Admin
(roles/)
Full access to all Regional Endpoint resources.
networkconnectivity.
resourcemanager.projects.get
resourcemanager.projects.list
Regional Endpoint Viewer
(roles/)
Read-only access to all Regional Endpoint resources.
networkconnectivity.
networkconnectivity.
resourcemanager.projects.get
resourcemanager.projects.list
Service Class User
(roles/)
Service Class User uses a ServiceClass
networkconnectivity.
networkconnectivity.
networkconnectivity.
resourcemanager.projects.get
resourcemanager.projects.list
Service Automation Service Producer Admin
(roles/)
Service Automation Producer Admin uses information from a consumer request to manage ServiceClasses and ServiceConnectionMaps
networkconnectivity.
networkconnectivity.
networkconnectivity.
networkconnectivity.
resourcemanager.projects.get
resourcemanager.projects.list
Spoke Admin
(roles/)
Enables full access to spoke resources and read-only access to hub resources.
Lowest-level resources where you can grant this role:
networkconnectivity.
networkconnectivity.
networkconnectivity.
networkconnectivity.
networkconnectivity.
networkconnectivity.
networkconnectivity.hubs.get
networkconnectivity.
networkconnectivity.hubs.list
networkconnectivity.
networkconnectivity.
networkconnectivity.
networkconnectivity.spokes.*
resourcemanager.projects.get
resourcemanager.projects.list
Network Management roles
Permissions
Network Management Admin
(roles/)
Full access to Network Management resources.
Lowest-level resources where you can grant this role:
networkmanagement.*
resourcemanager.
resourcemanager.projects.get
resourcemanager.projects.list
Network Management Viewer
(roles/)
Read-only access to Network Management resources.
Lowest-level resources where you can grant this role:
networkmanagement.
networkmanagement.
networkmanagement.
networkmanagement.locations.*
networkmanagement.
networkmanagement.
networkmanagement.
networkmanagement.
resourcemanager.
resourcemanager.projects.get
resourcemanager.projects.list
Network Security roles
Permissions
Intercept Deployment Admin
Beta
(roles/)
Enables full access to intercept resources on the Producer's side.
networksecurity.
networksecurity.
resourcemanager.projects.get
resourcemanager.projects.list
Intercept Deployment User
Beta
(roles/)
Allows a consumer to view and connect to a producer's interceptDeploymentGroup.
networksecurity.
networksecurity.
networksecurity.
Intercept Deployment Viewer
Beta
(roles/)
Enables read-only access to intercept resources on the Producer's side.
networksecurity.
networksecurity.
networksecurity.
networksecurity.
resourcemanager.projects.get
resourcemanager.projects.list
Intercept Endpoint Admin
Beta
(roles/)
Enables full access to intercept resources on the consumer's side.
networksecurity.
networksecurity.
resourcemanager.projects.get
resourcemanager.projects.list
Intercept Endpoint User
Beta
(roles/)
Allows a consumer to connect their networks to a interceptEndpointGroup.
networksecurity.
networksecurity.
networksecurity.
Intercept Endpoint Viewer
Beta
(roles/)
Enables read-only access to intercept resources on the Consumer's side.
networksecurity.
networksecurity.
networksecurity.
networksecurity.
resourcemanager.projects.get
resourcemanager.projects.list
Mirroring Deployment Admin
Beta
(roles/)
Enables full access to mirroring resources on the Producer's side.
networksecurity.
networksecurity.
resourcemanager.projects.get
resourcemanager.projects.list
Mirroring Deployment External User
Beta
(roles/)
Allows an external consumer to a producer's mirroringDeploymentGroup.
networksecurity.
Mirroring Deployment User
Beta
(roles/)
Allows a consumer to view and connect to a Producer's mirroringDeploymentGroup.
networksecurity.
networksecurity.
networksecurity.
Mirroring Deployment Viewer
Beta
(roles/)
Enables read-only access to mirroring resources on the Producer's side.
networksecurity.
networksecurity.
networksecurity.
networksecurity.
resourcemanager.projects.get
resourcemanager.projects.list
Mirroring Endpoint Admin
Beta
(roles/)
Enables full access to mirroring resources on the consumer's side.
networksecurity.
networksecurity.
resourcemanager.projects.get
resourcemanager.projects.list
Mirroring Endpoint User
Beta
(roles/)
Allows a consumer to connect their networks to a mirroringEndpointGroup.
networksecurity.
networksecurity.
networksecurity.
Mirroring Endpoint Viewer
Beta
(roles/)
Enables read-only access to mirroring resources on the Consumer's side.
networksecurity.
networksecurity.
networksecurity.
networksecurity.
resourcemanager.projects.get
resourcemanager.projects.list
Security Profile Admin
Beta
(roles/)
Enables full access to security profile and security profile group resources.
networksecurity.operations.get
networksecurity.
networksecurity.
networksecurity.
resourcemanager.projects.get
resourcemanager.projects.list
Network Services roles
Permissions
Service Extensions Admin
Beta
(roles/)
Provides full access to Service Extensions resources.
networkservices.
networkservices.
networkservices.
networkservices.wasmPlugins.*
resourcemanager.projects.get
resourcemanager.projects.list
Service Extensions Viewer
Beta
(roles/)
Provides read-only access to Service Extensions resources.
networkservices.
networkservices.
networkservices.
networkservices.
networkservices.
networkservices.
networkservices.
networkservices.
resourcemanager.projects.get
resourcemanager.projects.list
Observability roles
Permissions
Observability Admin
Beta
(roles/)
Full access to Observability resources.
observability.*
Observability Analytics User
Beta
(roles/)
Grants permissions to use Cloud Observability Analytics.
observability.analyticsViews.*
observability.scopes.get
Observability Editor
Beta
(roles/)
Edit access to Observability resources.
observability.*
Observability Viewer
Beta
(roles/)
Read only access to Observability resources.
observability.
observability.
observability.scopes.get
On-Demand Scanning roles
Permissions
On-Demand Scanning Admin
Beta
(roles/)
All permissions for On-Demand Scanning
ondemandscanning.*
Ops Config Monitoring roles
Permissions
(roles/)
Read-only access to resource metadata.
opsconfigmonitoring.
(roles/)
Write-only access to resource metadata. This provides exactly the permissions needed by the Ops Config Monitoring metadata agent and other systems that send metadata.
opsconfigmonitoring.
Organization Policy roles
Permissions
Access Transparency Admin
(roles/)
Enable Access Transparency for Organization
Lowest-level resources where you can grant this role:
axt.*
resourcemanager.
resourcemanager.projects.get
resourcemanager.projects.list
Organization Policy Administrator
(roles/)
Provides access to define what restrictions an organization wants to place
on the configuration of cloud resources by setting Organization Policies.
Lowest-level resources where you can grant this role:
cloudasset.
cloudasset.
cloudasset.assets.listResource
cloudasset.
orgpolicy.*
policysimulator.
policysimulator.
recommender.
recommender.
Organization Policy Viewer
(roles/)
Provides access to view Organization Policies on resources.
Lowest-level resources where you can grant this role:
orgpolicy.constraints.list
orgpolicy.
orgpolicy.
orgpolicy.policies.list
orgpolicy.policy.get
Other roles
Permissions
Advisory Notifications Admin
(roles/)
Grants write access to settings in Advisory Notifications
advisorynotifications.*
resourcemanager.
resourcemanager.projects.get
Advisory Notifications Viewer
(roles/)
Grants view access in Advisory Notifications
advisorynotifications.
advisorynotifications.
resourcemanager.
resourcemanager.projects.get
Cloud API Hub Admin
Beta
(roles/)
Full access to all API hub resources.
apihub.*
resourcemanager.projects.get
resourcemanager.projects.list
Cloud API hub Attributes Admin
Beta
(roles/)
Full access to all Cloud API hub attribute's resources.
apihub.attributes.*
resourcemanager.projects.get
resourcemanager.projects.list
Cloud API Hub Editor
Beta
(roles/)
Edit access to most of Cloud API Hub resources.
apihub.apiHubInstances.get
apihub.apiHubInstances.list
apihub.apiOperations.*
apihub.apis.*
apihub.attributes.get
apihub.attributes.list
apihub.curations.get
apihub.curations.list
apihub.definitions.*
apihub.dependencies.*
apihub.deployments.*
apihub.externalApis.*
apihub.
apihub.
apihub.llmEnablements.*
apihub.locations.*
apihub.operations.get
apihub.operations.list
apihub.plugininstances.get
apihub.plugininstances.list
apihub.plugins.get
apihub.plugins.list
apihub.
apihub.
apihub.specs.*
apihub.styleGuides.get
apihub.versions.*
resourcemanager.projects.get
resourcemanager.projects.list
Cloud API hub Plugins Admin
Beta
(roles/)
Full access to all Cloud API hub plugin's resources.
apihub.curations.*
apihub.
apihub.operations.*
apihub.plugininstances.*
apihub.plugins.*
apihub.specs.lint
apihub.styleGuides.*
resourcemanager.projects.get
resourcemanager.projects.list
Cloud API hub Provisioning Admin
Beta
(roles/)
Full access to Cloud API hub provisioning related resources.
apihub.apiHubInstances.*
apihub.
apihub.operations.*
apihub.
resourcemanager.projects.get
resourcemanager.projects.list
Cloud API hub Runtime Project Attachment Editor
Beta
(roles/)
Access to add/delete project as a runtime project attachment to API hub host project.
apihub.
Cloud API hub Viewer
Beta
(roles/)
View access to all Cloud API hub resources.
apihub.apiHubInstances.get
apihub.apiHubInstances.list
apihub.apiOperations.get
apihub.apiOperations.list
apihub.apis.get
apihub.apis.list
apihub.apis.listEffectiveTags
apihub.apis.listTagBindings
apihub.attributes.get
apihub.attributes.list
apihub.curations.get
apihub.curations.list
apihub.definitions.get
apihub.definitions.list
apihub.dependencies.get
apihub.dependencies.list
apihub.deployments.get
apihub.deployments.list
apihub.
apihub.
apihub.externalApis.get
apihub.externalApis.list
apihub.
apihub.
apihub.llmEnablements.get
apihub.llmEnablements.list
apihub.
apihub.operations.get
apihub.operations.list
apihub.plugininstances.get
apihub.plugininstances.list
apihub.plugins.get
apihub.plugins.list
apihub.
apihub.
apihub.specs.get
apihub.specs.list
apihub.styleGuides.get
apihub.versions.get
apihub.versions.list
resourcemanager.projects.get
resourcemanager.projects.list
API Management Admin
Beta
(roles/)
Full access to API Management resources.
apim.*
resourcemanager.projects.get
resourcemanager.projects.list
API Management Viewer
Beta
(roles/)
Readonly access to API Management resources.
apim.apiObservations.get
apim.apiObservations.list
apim.apiOperations.*
apim.locations.*
apim.observationJobs.get
apim.observationJobs.list
apim.observationSources.get
apim.observationSources.list
apim.operations.get
apim.operations.list
resourcemanager.projects.get
resourcemanager.projects.list
App Hub Admin
(roles/)
Full access to App Hub resources.
apphub.*
resourcemanager.projects.get
resourcemanager.projects.list
App Management Viewer
Beta
(roles/)
This role, an aggregation of read permissions across multiple app centric products.
apphub.applications.get
apphub.applications.list
apphub.discoveredServices.get
apphub.discoveredServices.list
apphub.discoveredWorkloads.get
apphub.
apphub.locations.*
apphub.operations.get
apphub.operations.list
apphub.
apphub.services.get
apphub.services.list
apphub.workloads.get
apphub.workloads.list
cloudasset.
cloudasset.assets.analyzeMove
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.assets.exportIapWeb
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.assets.listIamRoles
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.assets.listIapWeb
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.assets.listResource
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.assets.listTpuNodes
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudnotifications.
config.deployments.get
config.
config.deployments.list
config.locations.*
config.operations.get
config.operations.list
config.previews.get
config.previews.list
config.resources.*
config.revisions.get
config.revisions.list
config.terraformversions.*
designcenter.
designcenter.
designcenter.
designcenter.
designcenter.applications.get
designcenter.applications.list
designcenter.
designcenter.
designcenter.
designcenter.
designcenter.catalogs.get
designcenter.catalogs.list
designcenter.components.get
designcenter.components.list
designcenter.connections.get
designcenter.connections.list
designcenter.locations.*
designcenter.operations.get
designcenter.operations.list
designcenter.
designcenter.sharedTemplates.*
designcenter.shares.get
designcenter.shares.list
designcenter.spaces.get
designcenter.
designcenter.spaces.list
developerconnect.locations.*
developerconnect.
developerconnect.
monitoring.alertPolicies.get
monitoring.alertPolicies.list
monitoring.
monitoring.
monitoring.dashboards.get
monitoring.dashboards.list
monitoring.groups.get
monitoring.groups.list
monitoring.
monitoring.
monitoring.
monitoring.
monitoring.
monitoring.
monitoring.services.get
monitoring.services.list
monitoring.slos.get
monitoring.slos.list
monitoring.snoozes.get
monitoring.snoozes.list
monitoring.timeSeries.list
monitoring.
monitoring.
opsconfigmonitoring.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.costInsights.get
recommender.costInsights.list
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.locations.*
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
resourcemanager.folders.get
resourcemanager.folders.list
resourcemanager.projects.get
resourcemanager.projects.list
servicehealth.*
stackdriver.projects.get
stackdriver.
storage.folders.get
storage.folders.list
storage.managedFolders.get
storage.managedFolders.list
storage.objects.get
storage.objects.list
App Hub Editor
(roles/)
Edit access to App Hub resources.
apphub.applications.create
apphub.applications.delete
apphub.applications.get
apphub.applications.list
apphub.applications.update
apphub.discoveredServices.*
apphub.discoveredWorkloads.*
apphub.locations.*
apphub.operations.*
apphub.
apphub.services.*
apphub.workloads.*
resourcemanager.projects.get
resourcemanager.projects.list
App Hub Viewer
(roles/)
View access to App Hub resources.
apphub.applications.get
apphub.applications.list
apphub.discoveredServices.get
apphub.discoveredServices.list
apphub.discoveredWorkloads.get
apphub.
apphub.locations.*
apphub.operations.get
apphub.operations.list
apphub.
apphub.services.get
apphub.services.list
apphub.workloads.get
apphub.workloads.list
resourcemanager.projects.get
resourcemanager.projects.list
Appliance troubleshooting commands approver
Beta
(roles/)
Grants access to approve commands to run on appliances
applianceactivation.
applianceactivation.
resourcemanager.projects.get
resourcemanager.projects.list
On-appliance troubleshooting client
Beta
(roles/)
Grants access to read commands for an appliance and send its result.
applianceactivation.
applianceactivation.
Appliance troubleshooter
Beta
(roles/)
Grants access to send new commands to run on appliances and view the outputs
applianceactivation.
applianceactivation.
applianceactivation.
resourcemanager.projects.get
resourcemanager.projects.list
Assured OSS Admin
(roles/)
Access to use Assured OSS and manage configuration.
artifactregistry.
artifactregistry.
artifactregistry.
artifactregistry.
artifactregistry.files.get
artifactregistry.files.list
artifactregistry.locations.*
artifactregistry.
artifactregistry.npmpackages.*
artifactregistry.packages.get
artifactregistry.packages.list
artifactregistry.
artifactregistry.
artifactregistry.
artifactregistry.
artifactregistry.
artifactregistry.
artifactregistry.
artifactregistry.
artifactregistry.
artifactregistry.rules.get
artifactregistry.rules.list
artifactregistry.tags.get
artifactregistry.tags.list
artifactregistry.versions.get
artifactregistry.versions.list
assuredoss.*
iam.serviceAccountKeys.create
iam.serviceAccounts.create
iam.serviceAccounts.get
pubsub.schemas.get
pubsub.schemas.list
pubsub.schemas.listRevisions
pubsub.schemas.validate
pubsub.snapshots.get
pubsub.snapshots.list
pubsub.subscriptions.create
pubsub.subscriptions.get
pubsub.subscriptions.list
pubsub.subscriptions.update
pubsub.topics.get
pubsub.topics.list
resourcemanager.
resourcemanager.projects.get
resourcemanager.projects.list
serviceusage.quotas.get
serviceusage.services.enable
serviceusage.services.get
serviceusage.services.list
Assured OSS Project Admin
Beta
(roles/)
Access to use Assured OSS and manage configuration.
artifactregistry.
artifactregistry.
artifactregistry.
artifactregistry.
artifactregistry.files.get
artifactregistry.files.list
artifactregistry.locations.*
artifactregistry.
artifactregistry.npmpackages.*
artifactregistry.packages.get
artifactregistry.packages.list
artifactregistry.
artifactregistry.
artifactregistry.
artifactregistry.
artifactregistry.
artifactregistry.
artifactregistry.
artifactregistry.
artifactregistry.
artifactregistry.rules.get
artifactregistry.rules.list
artifactregistry.tags.get
artifactregistry.tags.list
artifactregistry.versions.get
artifactregistry.versions.list
assuredoss.*
iam.serviceAccounts.create
iam.serviceAccounts.get
pubsub.schemas.get
pubsub.schemas.list
pubsub.schemas.listRevisions
pubsub.schemas.validate
pubsub.snapshots.get
pubsub.snapshots.list
pubsub.subscriptions.get
pubsub.subscriptions.list
pubsub.topics.get
pubsub.topics.list
resourcemanager.
resourcemanager.projects.get
resourcemanager.projects.list
serviceusage.quotas.get
serviceusage.services.enable
serviceusage.services.get
serviceusage.services.list
Assured OSS Reader
(roles/)
Access to use Assured OSS and view Assured OSS configuration.
artifactregistry.
artifactregistry.
artifactregistry.
artifactregistry.
artifactregistry.files.get
artifactregistry.files.list
artifactregistry.locations.*
artifactregistry.
artifactregistry.npmpackages.*
artifactregistry.packages.get
artifactregistry.packages.list
artifactregistry.
artifactregistry.
artifactregistry.
artifactregistry.
artifactregistry.
artifactregistry.
artifactregistry.
artifactregistry.
artifactregistry.rules.get
artifactregistry.rules.list
artifactregistry.tags.get
artifactregistry.tags.list
artifactregistry.versions.get
artifactregistry.versions.list
assuredoss.config.get
assuredoss.locations.*
assuredoss.metadata.*
assuredoss.operations.get
assuredoss.operations.list
pubsub.schemas.get
pubsub.schemas.list
pubsub.schemas.listRevisions
pubsub.schemas.validate
pubsub.snapshots.get
pubsub.snapshots.list
pubsub.subscriptions.get
pubsub.subscriptions.list
pubsub.topics.get
pubsub.topics.list
resourcemanager.
resourcemanager.projects.get
resourcemanager.projects.list
serviceusage.quotas.get
serviceusage.services.get
serviceusage.services.list
Assured OSS User
(roles/)
Access to use Assured OSS.
artifactregistry.
artifactregistry.
artifactregistry.
artifactregistry.
artifactregistry.files.get
artifactregistry.files.list
artifactregistry.locations.*
artifactregistry.
artifactregistry.npmpackages.*
artifactregistry.packages.get
artifactregistry.packages.list
artifactregistry.
artifactregistry.
artifactregistry.
artifactregistry.
artifactregistry.
artifactregistry.
artifactregistry.
artifactregistry.
artifactregistry.rules.get
artifactregistry.rules.list
artifactregistry.tags.get
artifactregistry.tags.list
artifactregistry.versions.get
artifactregistry.versions.list
assuredoss.locations.*
assuredoss.metadata.*
assuredoss.operations.get
assuredoss.operations.list
resourcemanager.
resourcemanager.projects.get
resourcemanager.projects.list
Audit Manager Admin
Beta
(roles/)
Full access to Audit Manager resources.
auditmanager.auditReports.*
auditmanager.
auditmanager.
auditmanager.controlReports.*
auditmanager.controls.list
auditmanager.findings.*
auditmanager.locations.*
auditmanager.operations.*
auditmanager.
cloudasset.
resourcemanager.folders.get
resourcemanager.folders.list
resourcemanager.
resourcemanager.projects.get
resourcemanager.projects.list
Audit Manager Auditor
Beta
(roles/)
Allows creating and viewing an audit report.
auditmanager.auditReports.*
auditmanager.
auditmanager.
auditmanager.controlReports.*
auditmanager.controls.list
auditmanager.findings.*
auditmanager.locations.get
auditmanager.locations.list
auditmanager.operations.*
auditmanager.
cloudasset.
resourcemanager.folders.get
resourcemanager.folders.list
resourcemanager.
resourcemanager.projects.get
resourcemanager.projects.list
Custom Compliance Framework Admin
Beta
(roles/)
Full access to Custom Compliance Framework resources.
auditmanager.
auditmanager.
auditmanager.locations.get
auditmanager.locations.list
auditmanager.operations.*
resourcemanager.
Custom Compliance Framework Viewer
Beta
(roles/)
Allows viewing Custom Compliance Framework resources.
auditmanager.
auditmanager.
auditmanager.
auditmanager.locations.get
auditmanager.locations.list
auditmanager.operations.*
resourcemanager.
Autoscaling Metrics Writer
Beta
(roles/)
Access to write metrics for autoscaling site
autoscaling.sites.writeMetrics
Autoscaling Recommendations Reader
Beta
(roles/)
Access to read recommendations from autoscaling site
autoscaling.
Autoscaling Site Admin
Beta
(roles/)
Full access to all autoscaling site features
autoscaling.*
resourcemanager.projects.get
resourcemanager.projects.list
Autoscaling State Writer
Beta
(roles/)
Access to write state for autoscaling site
autoscaling.sites.writeState
Batch Administrator
(roles/)
Administrator of Batch resources
batch.jobs.*
batch.locations.*
batch.operations.*
batch.resourceAllowances.*
batch.tasks.*
resourcemanager.projects.get
resourcemanager.projects.list
Batch Agent Reporter
(roles/)
Reporter of Batch agent states.
batch.states.report
Batch Job Editor
(roles/)
Editor of Batch Jobs
batch.jobs.*
batch.locations.*
batch.operations.*
batch.tasks.*
resourcemanager.projects.get
resourcemanager.projects.list
Batch Job Viewer
(roles/)
Viewer of Batch Jobs, Task Groups and Tasks
batch.jobs.get
batch.jobs.list
batch.locations.*
batch.operations.*
batch.tasks.*
resourcemanager.projects.get
resourcemanager.projects.list
Batch ResourceAllowance Editor
(roles/)
Editor of Batch ResourceAllowances
batch.locations.*
batch.operations.*
batch.resourceAllowances.*
resourcemanager.projects.get
resourcemanager.projects.list
Batch ResourceAllowance Viewer
(roles/)
Viewer of Batch ResourceAllowances
batch.locations.*
batch.operations.*
batch.resourceAllowances.get
batch.resourceAllowances.list
resourcemanager.projects.get
resourcemanager.projects.list
BigLake Admin
(roles/)
Provides full access to all BigLake resources.
biglake.*
resourcemanager.projects.get
resourcemanager.projects.list
BigLake Viewer
(roles/)
Provides read-only access to all BigLake resources.
biglake.catalogs.get
biglake.catalogs.list
biglake.databases.get
biglake.databases.list
biglake.locks.list
biglake.tables.get
biglake.tables.list
resourcemanager.projects.get
resourcemanager.projects.list
MigrationWorkflow Editor
(roles/)
Editor of EDW migration workflows.
bigquerymigration.subtasks.*
bigquerymigration.
bigquerymigration.
bigquerymigration.
bigquerymigration.
bigquerymigration.
bigquerymigration.
bigquerymigration.
bigquerymigration.
Task Orchestrator
(roles/)
Orchestrator of EDW migration tasks.
bigquerymigration.
storage.objects.list
Migration Translation User
(roles/)
User of EDW migration interactive SQL translation service.
bigquerymigration.
MigrationWorkflow Viewer
(roles/)
Viewer of EDW migration MigrationWorkflow.
bigquerymigration.subtasks.*
bigquerymigration.
bigquerymigration.
Task Worker
(roles/)
Worker that executes EDW migration subtasks.
storage.objects.create
storage.objects.get
storage.objects.list
Carbon Footprint Viewer
(roles/)
billing.accounts.get
billing.
billing.accounts.list
Blockchain Node Engine Admin
(roles/)
Full access to Blockchain Node Engine resources.
blockchainnodeengine.*
resourcemanager.projects.get
resourcemanager.projects.list
Blockchain Node Engine Viewer
(roles/)
Read-only access to Blockchain Node Engine resources.
blockchainnodeengine.
blockchainnodeengine.
blockchainnodeengine.
blockchainnodeengine.
blockchainnodeengine.
resourcemanager.projects.get
resourcemanager.projects.list
Blockchain Validator Manager Admin
Beta
(roles/)
Full access to Blockchain Validator Manager resources.
blockchainvalidatormanager.*
resourcemanager.projects.get
resourcemanager.projects.list
Blockchain Validator Viewer
Beta
(roles/)
Readonly access to Blockchain Validator Manager resources.
blockchainvalidatormanager.
blockchainvalidatormanager.
blockchainvalidatormanager.
blockchainvalidatormanager.
blockchainvalidatormanager.
resourcemanager.projects.get
resourcemanager.projects.list
Capacity Planner Usage Viewer
Beta
(roles/)
Read-only access to Capacity Planner usage resources
capacityplanner.*
cloudquotas.quotas.get
compute.futureReservations.get
compute.
compute.reservations.get
compute.reservations.list
monitoring.timeSeries.list
resourcemanager.folders.get
resourcemanager.
resourcemanager.projects.get
resourcemanager.projects.list
serviceusage.quotas.get
serviceusage.services.get
Care Studio Patients Viewer
(roles/)
This role can view all properties of Patients.
carestudio.*
resourcemanager.projects.get
resourcemanager.projects.list
Chronicle Service Admin
(roles/)
Admins can view and modify Chronicle service details.
chroniclesm.*
Chronicle Service Viewer
(roles/)
Viewers can see Chronicle service details but not change them.
chroniclesm.
chroniclesm.
chroniclesm.
chroniclesm.gcpSettings.get
Location reader
Beta
(roles/)
Read and enumerate locations available for resource creation.
cloud.*
Code Repository Indexes Admin
Beta
(roles/)
Grants full access to Code Repository Indexes resources.
cloudaicompanion.
cloudaicompanion.operations.*
cloudaicompanion.
cloudaicompanion.
cloudaicompanion.
cloudaicompanion.
cloudaicompanion.
cloudaicompanion.
cloudaicompanion.
resourcemanager.projects.get
resourcemanager.projects.list
Code Repository Indexes Viewer
Beta
(roles/)
Grants readonly access to Code Repository Indexes resources.
cloudaicompanion.
cloudaicompanion.
cloudaicompanion.
cloudaicompanion.
cloudaicompanion.
cloudaicompanion.
cloudaicompanion.
resourcemanager.projects.get
resourcemanager.projects.list
(roles/)
Grants full access to Code Tools resources.
cloudaicompanion.
cloudaicompanion.
cloudaicompanion.
cloudaicompanion.
cloudaicompanion.
cloudaicompanion.
cloudaicompanion.
developerconnect.
developerconnect.locations.*
developerconnect.
developerconnect.
developerconnect.
developerconnect.users.*
resourcemanager.projects.get
resourcemanager.projects.list
(roles/)
Grants read access to Code Tools resources.
cloudaicompanion.
cloudaicompanion.
developerconnect.
developerconnect.
developerconnect.locations.*
developerconnect.
developerconnect.
developerconnect.
developerconnect.
developerconnect.
developerconnect.users.getSelf
developerconnect.
resourcemanager.projects.get
resourcemanager.projects.list
Repository Groups User
Beta
(roles/)
Grants Read/Use access to the Code Repository Indexes Repository Group.
cloudaicompanion.
cloudaicompanion.
cloudaicompanion.
cloudaicompanion.
Gemini for Google Cloud Settings Admin
Beta
(roles/)
Grants read and write access to the Gemini for Cloud setting and their bindings.
cloudaicompanion.
cloudaicompanion.
cloudaicompanion.
cloudaicompanion.
cloudaicompanion.
cloudaicompanion.
Gemini for Google Cloud Settings User
Beta
(roles/)
Grants read access to the Gemini for Cloud setting and their bindings.
cloudaicompanion.
cloudaicompanion.
cloudaicompanion.
cloudaicompanion.
cloudaicompanion.
cloudaicompanion.
cloudaicompanion.
cloudaicompanion.
cloudaicompanion.
cloudaicompanion.
cloudaicompanion.
cloudaicompanion.
cloudaicompanion.
cloudaicompanion.
cloudaicompanion.
cloudaicompanion.
cloudaicompanion.
cloudaicompanion.
Topic Admin
Beta
(roles/)
Grants read, write and permission management access to the Topic resource.
cloudaicompanion.topics.delete
cloudaicompanion.topics.get
cloudaicompanion.
cloudaicompanion.
cloudaicompanion.topics.update
Topic Reader
Beta
(roles/)
Grants read-only access to topic resource.
cloudaicompanion.topics.get
Gemini for Google Cloud User
Beta
(roles/)
A user who can use Gemini for Google Cloud
cloudaicompanion.companions.*
cloudaicompanion.
cloudaicompanion.instances.*
cloudaicompanion.
cloudaicompanion.
cloudaicompanion.topics.create
resourcemanager.projects.get
resourcemanager.projects.list
Cloud Controls Partner Admin
(roles/)
Full access to Cloud Controls Partner resources.
cloudcontrolspartner.
cloudcontrolspartner.
cloudcontrolspartner.
cloudcontrolspartner.
cloudcontrolspartner.
cloudcontrolspartner.
cloudcontrolspartner.
cloudcontrolspartner.
cloudcontrolspartner.
Cloud Controls Partner Editor
(roles/)
Editor access to Cloud Controls Partner resources.
cloudcontrolspartner.*
Cloud Controls Partner Inspectability Reader
(roles/)
Readonly access to Cloud Controls Partner inspectability resources.
cloudcontrolspartner.
cloudcontrolspartner.
cloudcontrolspartner.
cloudcontrolspartner.
Cloud Controls Partner Monitoring Reader
(roles/)
Read-only access to Cloud Controls Partner monitoring resources.
cloudcontrolspartner.
cloudcontrolspartner.
cloudcontrolspartner.
cloudcontrolspartner.
Cloud Controls Partner Reader
(roles/)
Read-only access to Cloud Controls Partner resources.
cloudcontrolspartner.
cloudcontrolspartner.
cloudcontrolspartner.
cloudcontrolspartner.
cloudcontrolspartner.
cloudcontrolspartner.
cloudcontrolspartner.
cloudcontrolspartner.
cloudcontrolspartner.
cloudcontrolspartner.
Cloud Optimization AI Admin
(roles/)
Administrator of Cloud Optimization AI resources
cloudoptimization.*
Cloud Optimization AI Editor
(roles/)
Editor of Cloud Optimization AI resources
cloudoptimization.*
Cloud Optimization AI Viewer
(roles/)
Viewer of Cloud Optimization AI resources
cloudoptimization.
Cloud Quotas Admin
Beta
(roles/)
Full access to Cloud Quotas resources.
cloudquotas.*
monitoring.timeSeries.list
resourcemanager.projects.get
resourcemanager.projects.list
Cloud Quotas Viewer
Beta
(roles/)
Readonly access to Cloud Quotas resources.
cloudquotas.quotas.get
resourcemanager.projects.get
resourcemanager.projects.list
Commerce Agreement Publishing Admin
Beta
(roles/)
Admin of Commerce Agreement Publishing service
commerceagreementpublishing.*
resourcemanager.projects.get
resourcemanager.projects.list
Commerce Agreement Publishing Viewer
Beta
(roles/)
Viewer of Commerce Agreement Publishing service
commerceagreementpublishing.
commerceagreementpublishing.
commerceagreementpublishing.
commerceagreementpublishing.
resourcemanager.projects.get
resourcemanager.projects.list
Confidential Space Workload User
(roles/)
Grants the ability to generate an attestation token and run a workload in a VM. Intended for service accounts that run on Confidential Space VMs.
confidentialcomputing.*
logging.logEntries.create
ConfigDelivery Admin
Beta
(roles/)
Grants full access to all Config Delivery resources. Lets users create, remove and manage fleet packages and resource bundles.
configdelivery.*
resourcemanager.projects.get
resourcemanager.projects.list
ConfigDelivery Viewer
Beta
(roles/)
Grants read access to all Config Delivery resources. Lets users view existing fleet packages and resource bundles, but they will not be able to make any changes.
configdelivery.
configdelivery.
configdelivery.locations.*
configdelivery.operations.get
configdelivery.operations.list
configdelivery.releases.get
configdelivery.releases.list
configdelivery.
configdelivery.
configdelivery.rollouts.get
configdelivery.rollouts.list
resourcemanager.projects.get
resourcemanager.projects.list
Config Delivery Resource Bundle Publisher
Beta
(roles/)
Grants read and write permissions to Config Delivery ResourceBundles and Releases.
configdelivery.locations.*
configdelivery.operations.get
configdelivery.operations.list
configdelivery.releases.create
configdelivery.releases.get
configdelivery.releases.list
configdelivery.releases.update
configdelivery.
configdelivery.
configdelivery.
configdelivery.
resourcemanager.projects.get
resourcemanager.projects.list
(roles/)
Full access to Contact Center AI Platform resources.
contactcenteraiplatform.*
resourcemanager.projects.get
resourcemanager.projects.list
(roles/)
Read-only access to Contact Center AI Platform resources.
contactcenteraiplatform.
contactcenteraiplatform.
contactcenteraiplatform.
contactcenteraiplatform.
contactcenteraiplatform.
resourcemanager.projects.get
resourcemanager.projects.list
(roles/)
Grants full access to all Contact Center AI Insights resources.
contactcenterinsights.*
(roles/)
Grants read and write access to Authorized resources.
contactcenterinsights.
contactcenterinsights.
contactcenterinsights.
contactcenterinsights.
contactcenterinsights.
contactcenterinsights.
(roles/)
Grants read access to Authorized resources.
contactcenterinsights.
contactcenterinsights.
contactcenterinsights.
contactcenterinsights.
contactcenterinsights.
contactcenterinsights.
contactcenterinsights.
contactcenterinsights.
contactcenterinsights.
contactcenterinsights.
contactcenterinsights.
(roles/)
Grants read and write access to all Contact Center AI Insights resources.
contactcenterinsights.
contactcenterinsights.
contactcenterinsights.
contactcenterinsights.
contactcenterinsights.
contactcenterinsights.
contactcenterinsights.
contactcenterinsights.
contactcenterinsights.
contactcenterinsights.
contactcenterinsights.
contactcenterinsights.
contactcenterinsights.
contactcenterinsights.
contactcenterinsights.
contactcenterinsights.
contactcenterinsights.
contactcenterinsights.
contactcenterinsights.
contactcenterinsights.
contactcenterinsights.
contactcenterinsights.
contactcenterinsights.issues.*
contactcenterinsights.
contactcenterinsights.
contactcenterinsights.
contactcenterinsights.
contactcenterinsights.
contactcenterinsights.
contactcenterinsights.
contactcenterinsights.views.*
contactcenterinsights.
(roles/)
Grants read access to all Contact Center AI Insights resources.
contactcenterinsights.
contactcenterinsights.
contactcenterinsights.
contactcenterinsights.
contactcenterinsights.
contactcenterinsights.
contactcenterinsights.
contactcenterinsights.
contactcenterinsights.
contactcenterinsights.
contactcenterinsights.
contactcenterinsights.
contactcenterinsights.
contactcenterinsights.
contactcenterinsights.
contactcenterinsights.
contactcenterinsights.
contactcenterinsights.
contactcenterinsights.
contactcenterinsights.
contactcenterinsights.
contactcenterinsights.
contactcenterinsights.
contactcenterinsights.
contactcenterinsights.
contactcenterinsights.
contactcenterinsights.
contactcenterinsights.
contactcenterinsights.
contactcenterinsights.
contactcenterinsights.
contactcenterinsights.
contactcenterinsights.
contactcenterinsights.
contactcenterinsights.
contactcenterinsights.
contactcenterinsights.
contactcenterinsights.
contactcenterinsights.
contactcenterinsights.
contactcenterinsights.
contactcenterinsights.
contactcenterinsights.
contactcenterinsights.
GKE Security Posture Viewer
Beta
(roles/)
Read-only access to GKE Security Posture resources.
container.clusters.list
containersecurity.*
resourcemanager.projects.get
resourcemanager.projects.list
Content Warehouse Admin
(roles/)
Grants full access to all the resources in Content Warehouse
contentwarehouse.corpora.*
contentwarehouse.
contentwarehouse.
contentwarehouse.documents.*
contentwarehouse.locations.*
contentwarehouse.
contentwarehouse.
contentwarehouse.ruleSets.*
contentwarehouse.synonymSets.*
resourcemanager.projects.get
resourcemanager.projects.list
Content Warehouse Document Admin
(roles/)
Grants full access to the document resource in Content Warehouse
contentwarehouse.
contentwarehouse.
contentwarehouse.
contentwarehouse.documents.get
contentwarehouse.
contentwarehouse.
contentwarehouse.
contentwarehouse.links.*
contentwarehouse.
contentwarehouse.
resourcemanager.projects.get
resourcemanager.projects.list
Content Warehouse document creator
(roles/)
Grants access to create document in Content Warehouse
contentwarehouse.
contentwarehouse.
contentwarehouse.
contentwarehouse.
resourcemanager.projects.get
resourcemanager.projects.list
Content Warehouse Document Editor
(roles/)
Grants access to update document resource in Content Warehouse
contentwarehouse.
contentwarehouse.documents.get
contentwarehouse.
contentwarehouse.
contentwarehouse.links.*
contentwarehouse.
contentwarehouse.
resourcemanager.projects.get
resourcemanager.projects.list
Content Warehouse document schema viewer
(roles/)
Grants access to view the document schemas in Content Warehouse
contentwarehouse.
contentwarehouse.
contentwarehouse.
resourcemanager.projects.get
resourcemanager.projects.list
Content Warehouse Viewer
(roles/)
Grants access to view all the resources in Content Warehouse
contentwarehouse.
contentwarehouse.documents.get
contentwarehouse.
contentwarehouse.links.get
contentwarehouse.
contentwarehouse.
resourcemanager.projects.get
resourcemanager.projects.list
Database Center Admin
Beta
(roles/)
Admin role for Database Center resource data
cloudaicompanion.
databasecenter.*
databasesconsole.
databasesconsole.locations.*
resourcemanager.projects.get
resourcemanager.projects.list
Database Center Viewer
Beta
(roles/)
Viewer role for Database Center resource data
cloudaicompanion.
databasecenter.*
databasesconsole.
databasesconsole.locations.*
resourcemanager.projects.get
resourcemanager.projects.list
Database Insights assistant viewer
Beta
(roles/)
Viewer role for Database Insights assistant data
databaseinsights.
Events Service viewer
Beta
(roles/)
Viewer role for Events Service data
databaseinsights.
databaseinsights.
databaseinsights.
Database Insights monitoring viewer
Beta
(roles/)
Viewer role for Database Insights monitoring data
databaseinsights.
databaseinsights.
databaseinsights.
databaseinsights.locations.*
databaseinsights.
databaseinsights.
resourcemanager.projects.get
resourcemanager.projects.list
Database Insights performing operations
Beta
(roles/)
Admin role for performing Database Insights operations
databaseinsights.
Database Insights recommendation viewer
Beta
(roles/)
Viewer role for Database Insights recommendation data
databaseinsights.locations.*
databaseinsights.
databaseinsights.
databaseinsights.
resourcemanager.projects.get
resourcemanager.projects.list
Database Insights viewer
Beta
(roles/)
Viewer role for Database Insights data
databaseinsights.
databaseinsights.
databaseinsights.
databaseinsights.locations.*
databaseinsights.
databaseinsights.
databaseinsights.
databaseinsights.
databaseinsights.
resourcemanager.projects.get
resourcemanager.projects.list
Studio Query Admin
Beta
(roles/)
Full access to Studio Query resources.
databasesconsole.locations.*
databasesconsole.operations.*
databasesconsole.
resourcemanager.projects.get
resourcemanager.projects.list
Studio Query User
Beta
(roles/)
Access to create, update, search and delete studio queries.
databasesconsole.locations.*
databasesconsole.
databasesconsole.
databasesconsole.
databasesconsole.
databasesconsole.
databasesconsole.
resourcemanager.projects.get
resourcemanager.projects.list
Data Lineage Administrator
(roles/)
Grants full access to all resources in Data Lineage API
datalineage.*
resourcemanager.projects.get
resourcemanager.projects.list
Data Lineage Editor
(roles/)
Grants edit access to all resources in Data Lineage API
datalineage.events.*
datalineage.
datalineage.operations.get
datalineage.processes.create
datalineage.processes.get
datalineage.processes.list
datalineage.processes.update
datalineage.runs.create
datalineage.runs.get
datalineage.runs.list
datalineage.runs.update
resourcemanager.projects.get
resourcemanager.projects.list
Data Lineage Events Producer
(roles/)
Grants access to creating all resources in Data Lineage API
datalineage.events.create
datalineage.processes.create
datalineage.processes.get
datalineage.processes.update
datalineage.runs.create
datalineage.runs.get
datalineage.runs.update
resourcemanager.projects.get
resourcemanager.projects.list
Data Lineage Viewer
(roles/)
Grants read access to all resources in Data Lineage API
datalineage.events.get
datalineage.events.list
datalineage.
datalineage.processes.get
datalineage.processes.list
datalineage.runs.get
datalineage.runs.list
resourcemanager.projects.get
resourcemanager.projects.list
Data Processing Controls Resource Admin
(roles/)
Data processing controls admin who can fully manage data processing controls settings and view all datasource data.
billing.accounts.get
billing.accounts.list
dataprocessing.*
Data Processing Controls Data Source Manager
(roles/)
Data processing controls data source manager who can get, list, and update the underlying data.
dataprocessing.
dataprocessing.
Dataproc Resource Manager Admin
Beta
(roles/)
Grants full access to all Dataproc Resource Manager resources. Intended for users that need to create and delete any Dataproc Resource Manager resources.
dataprocrm.*
resourcemanager.projects.get
resourcemanager.projects.list
Dataproc Resource Manager Viewer
Beta
(roles/)
Grants read access to all Dataproc Resource Manager resources. Intended for users that need read-only access to Dataproc Resource Manager resources.
dataprocrm.locations.*
dataprocrm.nodePools.get
dataprocrm.nodePools.list
dataprocrm.nodes.get
dataprocrm.nodes.list
dataprocrm.
dataprocrm.operations.get
dataprocrm.operations.list
dataprocrm.workloads.get
dataprocrm.workloads.list
resourcemanager.projects.get
resourcemanager.projects.list
Application Design Center Admin
Beta
(roles/)
Full access to Application Design Center resources.
apphub.
designcenter.*
orgpolicy.policy.get
resourcemanager.projects.get
resourcemanager.projects.list
storage.folders.*
storage.managedFolders.create
storage.managedFolders.delete
storage.managedFolders.get
storage.managedFolders.list
storage.multipartUploads.*
storage.objects.create
storage.objects.delete
storage.objects.get
storage.objects.list
storage.objects.move
storage.objects.restore
storage.objects.update
Application Admin
Beta
(roles/)
Admin access to Application.
apphub.applications.create
apphub.applications.delete
apphub.applications.get
apphub.applications.list
apphub.applications.update
apphub.locations.*
apphub.
config.deployments.get
config.
config.deployments.list
config.locations.*
config.operations.get
config.operations.list
config.previews.get
config.previews.list
config.resources.*
config.revisions.get
config.revisions.list
config.terraformversions.*
designcenter.
designcenter.
designcenter.
designcenter.
designcenter.applications.*
designcenter.
designcenter.sharedTemplates.*
designcenter.shares.get
designcenter.shares.list
designcenter.spaces.get
designcenter.spaces.list
resourcemanager.projects.get
resourcemanager.projects.list
Application Editor
Beta
(roles/)
Read and Write access to Application.
apphub.applications.create
apphub.applications.delete
apphub.applications.get
apphub.applications.list
apphub.applications.update
apphub.locations.*
apphub.
config.deployments.get
config.
config.deployments.list
config.locations.*
config.operations.get
config.operations.list
config.previews.get
config.previews.list
config.resources.*
config.revisions.get
config.revisions.list
config.terraformversions.*
designcenter.
designcenter.
designcenter.
designcenter.
designcenter.applications.*
designcenter.
designcenter.sharedTemplates.*
designcenter.shares.get
designcenter.shares.list
designcenter.spaces.get
designcenter.spaces.list
resourcemanager.projects.get
resourcemanager.projects.list
Application Viewer
Beta
(roles/)
Readonly access to Application.
apphub.applications.get
apphub.applications.list
apphub.locations.*
config.deployments.get
config.
config.deployments.list
config.locations.*
config.operations.get
config.operations.list
config.previews.get
config.previews.list
config.resources.*
config.revisions.get
config.revisions.list
config.terraformversions.*
designcenter.
designcenter.
designcenter.
designcenter.
designcenter.applications.get
designcenter.applications.list
designcenter.
designcenter.sharedTemplates.*
designcenter.shares.get
designcenter.shares.list
designcenter.spaces.get
designcenter.spaces.list
resourcemanager.projects.get
resourcemanager.projects.list
Application Design Center User
Beta
(roles/)
Readonly access to Application Design Center resources.
apphub.
designcenter.
designcenter.
designcenter.applications.get
designcenter.applications.list
designcenter.
designcenter.
designcenter.
designcenter.
designcenter.catalogs.get
designcenter.catalogs.list
designcenter.components.*
designcenter.connections.*
designcenter.locations.*
designcenter.operations.get
designcenter.operations.list
designcenter.
designcenter.sharedTemplates.*
designcenter.shares.get
designcenter.shares.list
designcenter.spaces.get
designcenter.
designcenter.spaces.list
orgpolicy.policy.get
resourcemanager.projects.get
resourcemanager.projects.list
storage.folders.*
storage.managedFolders.create
storage.managedFolders.delete
storage.managedFolders.get
storage.managedFolders.list
storage.multipartUploads.*
storage.objects.create
storage.objects.delete
storage.objects.get
storage.objects.list
storage.objects.move
storage.objects.restore
storage.objects.update
Application Design Center Viewer
Beta
(roles/)
Readonly access to Application Design Center resources.
designcenter.
designcenter.
designcenter.
designcenter.
designcenter.applications.get
designcenter.applications.list
designcenter.
designcenter.
designcenter.
designcenter.
designcenter.catalogs.get
designcenter.catalogs.list
designcenter.components.get
designcenter.components.list
designcenter.connections.get
designcenter.connections.list
designcenter.locations.*
designcenter.operations.get
designcenter.operations.list
designcenter.
designcenter.sharedTemplates.*
designcenter.shares.get
designcenter.shares.list
designcenter.spaces.get
designcenter.
designcenter.spaces.list
resourcemanager.projects.get
resourcemanager.projects.list
storage.folders.get
storage.folders.list
storage.managedFolders.get
storage.managedFolders.list
storage.objects.get
storage.objects.list
Developer Connect Admin
Beta
(roles/)
Full access to Developer Connect resources.
developerconnect.connections.*
developerconnect.
developerconnect.
developerconnect.
developerconnect.
developerconnect.
developerconnect.
developerconnect.
developerconnect.locations.*
developerconnect.operations.*
resourcemanager.projects.get
resourcemanager.projects.list
Developer Connect Git Proxy Reader
Beta
(roles/)
Grants read-only access to repositories through the Git Proxy.
developerconnect.
Developer Connect Git Proxy User
Beta
(roles/)
Grants read and write access to repositories through the Git Proxy.
developerconnect.
developerconnect.
Developer Connect OAuth Admin
Beta
(roles/)
Grants read and write access to AccountConnector resources.
developerconnect.
developerconnect.locations.*
developerconnect.
developerconnect.
developerconnect.
developerconnect.users.*
resourcemanager.projects.get
resourcemanager.projects.list
Developer Connect OAuth User
Beta
(roles/)
Grants read and write access to User resources, and read access to AccountConnectors.
developerconnect.
developerconnect.
developerconnect.locations.*
developerconnect.
developerconnect.
developerconnect.
developerconnect.
developerconnect.
developerconnect.users.getSelf
developerconnect.
resourcemanager.projects.get
resourcemanager.projects.list
Developer Connect Read Token Accessor
Beta
(roles/)
Grants access to Read-Only tokens (both PAT and short-lived). Also grants access to view the git repository link.
developerconnect.
developerconnect.
developerconnect.
Developer Connect Token Accessor
Beta
(roles/)
Grants access to Read/Write and Read-Only tokens (both PAT and short-lived). Also grants access to view the git repository link.
developerconnect.
developerconnect.
developerconnect.
developerconnect.
Developer Connect User
Beta
(roles/)
Grants access to view the connection and to the features that interact with the actual repository such as reading content from the repository
developerconnect.
developerconnect.
developerconnect.
developerconnect.
developerconnect.
developerconnect.
developerconnect.
developerconnect.locations.*
developerconnect.
developerconnect.
resourcemanager.projects.get
resourcemanager.projects.list
Developer Connect Viewer
Beta
(roles/)
Readonly access to Developer Connect resources.
developerconnect.
developerconnect.
developerconnect.
developerconnect.
developerconnect.locations.*
developerconnect.
developerconnect.
resourcemanager.projects.get
resourcemanager.projects.list
Discovery Engine Admin
(roles/)
Grants full access to all discoveryengine resources.
discoveryengine.aclConfigs.*
discoveryengine.analytics.*
discoveryengine.answers.get
discoveryengine.
discoveryengine.assistants.*
discoveryengine.branches.*
discoveryengine.cmekConfigs.*
discoveryengine.collections.*
discoveryengine.
discoveryengine.controls.*
discoveryengine.
discoveryengine.dataStores.*
discoveryengine.
discoveryengine.documents.*
discoveryengine.engines.*
discoveryengine.evaluations.*
discoveryengine.
discoveryengine.
discoveryengine.models.*
discoveryengine.operations.*
discoveryengine.projects.*
discoveryengine.
discoveryengine.
discoveryengine.
discoveryengine.schemas.*
discoveryengine.
discoveryengine.sessions.*
discoveryengine.
discoveryengine.sitemaps.*
discoveryengine.
discoveryengine.targetSites.*
discoveryengine.userEvents.*
discoveryengine.
resourcemanager.projects.get
resourcemanager.projects.list
Discovery Engine Editor
(roles/)
Grants read and write access to all discovery engine resources.
discoveryengine.aclConfigs.get
discoveryengine.analytics.*
discoveryengine.answers.get
discoveryengine.
discoveryengine.
discoveryengine.assistants.get
discoveryengine.
discoveryengine.branches.*
discoveryengine.
discoveryengine.
discoveryengine.
discoveryengine.
discoveryengine.
discoveryengine.
discoveryengine.controls.get
discoveryengine.controls.list
discoveryengine.
discoveryengine.
discoveryengine.dataStores.get
discoveryengine.
discoveryengine.
discoveryengine.
discoveryengine.
discoveryengine.
discoveryengine.
discoveryengine.
discoveryengine.documents.get
discoveryengine.
discoveryengine.documents.list
discoveryengine.
discoveryengine.engines.get
discoveryengine.engines.list
discoveryengine.engines.pause
discoveryengine.engines.resume
discoveryengine.engines.tune
discoveryengine.
discoveryengine.
discoveryengine.
discoveryengine.models.*
discoveryengine.operations.*
discoveryengine.projects.get
discoveryengine.
discoveryengine.
discoveryengine.
discoveryengine.schemas.get
discoveryengine.schemas.list
discoveryengine.
discoveryengine.
discoveryengine.
discoveryengine.
discoveryengine.
discoveryengine.
discoveryengine.
discoveryengine.sessions.*
discoveryengine.
discoveryengine.
discoveryengine.
discoveryengine.
discoveryengine.
discoveryengine.
discoveryengine.
resourcemanager.projects.get
resourcemanager.projects.list
Cloud NotebookLM Notebook Editor
Beta
(roles/)
Grants read and write access to a Cloud NotebookLM Notebook.
discoveryengine.
discoveryengine.
discoveryengine.notebooks.get
discoveryengine.
discoveryengine.
discoveryengine.notebooks.list
discoveryengine.
discoveryengine.
discoveryengine.notes.*
discoveryengine.sources.*
Cloud NotebookLM Admin
Beta
(roles/)
Grants full access to Cloud NotebookLM resources.
discoveryengine.
discoveryengine.aclConfigs.*
discoveryengine.
discoveryengine.notebooks.*
discoveryengine.notes.*
discoveryengine.sources.*
resourcemanager.projects.get
resourcemanager.projects.list
Cloud NotebookLM User
Beta
(roles/)
Grants user-level access to Cloud NotebookLM resources.
discoveryengine.
discoveryengine.
discoveryengine.notebooks.list
resourcemanager.projects.get
resourcemanager.projects.list
Cloud NotebookLM Notebook Owner
Beta
(roles/)
Grants full access to a Cloud NotebookLM Notebook.
discoveryengine.
discoveryengine.
discoveryengine.notebooks.get
discoveryengine.
discoveryengine.
discoveryengine.
discoveryengine.notebooks.list
discoveryengine.
discoveryengine.
discoveryengine.
discoveryengine.notes.*
discoveryengine.sources.*
Cloud NotebookLM Notebook Viewer
Beta
(roles/)
Grants read-only access to a Cloud NotebookLM Notebook.
discoveryengine.
discoveryengine.
discoveryengine.
discoveryengine.
discoveryengine.notebooks.get
discoveryengine.
discoveryengine.
discoveryengine.notebooks.list
discoveryengine.
discoveryengine.notes.get
discoveryengine.
discoveryengine.
discoveryengine.sources.get
Discovery Engine User
Beta
(roles/)
Grants user-level access to Discovery Engine resources.
discoveryengine.answers.get
discoveryengine.
discoveryengine.
discoveryengine.
discoveryengine.
discoveryengine.
discoveryengine.
discoveryengine.
discoveryengine.
discoveryengine.
discoveryengine.sessions.get
discoveryengine.sessions.list
discoveryengine.
discoveryengine.
discoveryengine.
discoveryengine.
discoveryengine.
discoveryengine.
discoveryengine.
discoveryengine.
Discovery Engine Viewer
(roles/)
Grants read access to all discovery engine resources.
discoveryengine.aclConfigs.get
discoveryengine.analytics.*
discoveryengine.answers.get
discoveryengine.
discoveryengine.assistants.get
discoveryengine.
discoveryengine.branches.*
discoveryengine.
discoveryengine.
discoveryengine.
discoveryengine.
discoveryengine.
discoveryengine.
discoveryengine.controls.get
discoveryengine.controls.list
discoveryengine.
discoveryengine.
discoveryengine.
discoveryengine.
discoveryengine.dataStores.get
discoveryengine.
discoveryengine.
discoveryengine.
discoveryengine.
discoveryengine.documents.get
discoveryengine.documents.list
discoveryengine.engines.get
discoveryengine.engines.list
discoveryengine.
discoveryengine.
discoveryengine.
discoveryengine.models.get
discoveryengine.models.list
discoveryengine.operations.*
discoveryengine.projects.get
discoveryengine.
discoveryengine.
discoveryengine.
discoveryengine.
discoveryengine.
discoveryengine.schemas.get
discoveryengine.schemas.list
discoveryengine.
discoveryengine.
discoveryengine.
discoveryengine.
discoveryengine.
discoveryengine.
discoveryengine.
discoveryengine.
discoveryengine.sessions.get
discoveryengine.sessions.list
discoveryengine.
discoveryengine.
discoveryengine.
discoveryengine.
discoveryengine.
discoveryengine.
discoveryengine.
resourcemanager.projects.get
resourcemanager.projects.list
Enterprise Purchasing Admin
Beta
(roles/)
Full access to Enterprise Purchasing resources.
enterprisepurchasing.*
resourcemanager.projects.get
resourcemanager.projects.list
Enterprise Purchasing Editor
Beta
(roles/)
Edit access to Enterprise Purchasing resources.
enterprisepurchasing.
enterprisepurchasing.
enterprisepurchasing.
enterprisepurchasing.
enterprisepurchasing.
enterprisepurchasing.
resourcemanager.projects.get
resourcemanager.projects.list
Enterprise Purchasing Viewer
Beta
(roles/)
Readonly access to Enterprise Purchasing resources.
enterprisepurchasing.
enterprisepurchasing.
enterprisepurchasing.
enterprisepurchasing.
enterprisepurchasing.
enterprisepurchasing.
resourcemanager.projects.get
resourcemanager.projects.list
(roles/)
Full access to all essential contacts
essentialcontacts.*
(roles/)
Viewer for all essential contacts
essentialcontacts.contacts.get
essentialcontacts.
Firebase Cloud Messaging API Admin
Beta
(roles/)
Full read/write access to Firebase Cloud Messaging API resources.
cloudmessaging.messages.create
fcmdata.deliverydata.list
resourcemanager.projects.get
resourcemanager.projects.list
Firebase Crash Symbol Uploader
(roles/)
Full read/write access to symbol mapping file resources for Firebase Crash Reporting.
firebase.clients.get
firebase.clients.list
resourcemanager.projects.get
Firebase Data Connect API Admin
Beta
(roles/)
Full access to Firebase Data Connect API resources, including data.
firebasedataconnect.*
resourcemanager.projects.get
resourcemanager.projects.list
Firebase Data Connect API Data Admin
Beta
(roles/)
Full access to data sources.
firebasedataconnect.
firebasedataconnect.
Firebase Data Connect API Data Viewer
Beta
(roles/)
Readonly access to data sources.
firebasedataconnect.
Firebase Data Connect API Viewer
Beta
(roles/)
Readonly access to Firebase Data Connect API resources. Role does not grant access to data.
firebasedataconnect.
firebasedataconnect.
firebasedataconnect.
firebasedataconnect.
firebasedataconnect.
firebasedataconnect.
firebasedataconnect.
firebasedataconnect.
firebasedataconnect.
firebasedataconnect.
firebasedataconnect.
firebasedataconnect.
firebasedataconnect.
resourcemanager.projects.get
resourcemanager.projects.list
GDC Hardware Management Admin
Beta
(roles/)
Full access to GDC Hardware Management resources.
gdchardwaremanagement.*
resourcemanager.projects.get
resourcemanager.projects.list
GDC Hardware Management Operator
Beta
(roles/)
Create, read, and update access to GDC Hardware Management resources that support those operations. Also grants delete access to HardwareGroup resource.
gdchardwaremanagement.
gdchardwaremanagement.
gdchardwaremanagement.
gdchardwaremanagement.
gdchardwaremanagement.
gdchardwaremanagement.
gdchardwaremanagement.
gdchardwaremanagement.
gdchardwaremanagement.
gdchardwaremanagement.
gdchardwaremanagement.
gdchardwaremanagement.sites.*
gdchardwaremanagement.skus.*
gdchardwaremanagement.zones.*
resourcemanager.projects.get
resourcemanager.projects.list
GDC Hardware Management Reader
Beta
(roles/)
Readonly access to GDC Hardware Management resources.
gdchardwaremanagement.
gdchardwaremanagement.
gdchardwaremanagement.
gdchardwaremanagement.
gdchardwaremanagement.
gdchardwaremanagement.
gdchardwaremanagement.
gdchardwaremanagement.
gdchardwaremanagement.
gdchardwaremanagement.
gdchardwaremanagement.
gdchardwaremanagement.
gdchardwaremanagement.
gdchardwaremanagement.
gdchardwaremanagement.skus.*
gdchardwaremanagement.
gdchardwaremanagement.
resourcemanager.projects.get
resourcemanager.projects.list
Gemini Cloud Assist User
Beta
(roles/)
A user who can use Gemini Cloud Assist
cloudaicompanion.companions.*
cloudaicompanion.
cloudaicompanion.instances.*
cloudaicompanion.
cloudaicompanion.topics.create
resourcemanager.projects.get
resourcemanager.projects.list
(roles/)
Full access to Identity Platform resources.
firebaseauth.*
identitytoolkit.*
(roles/)
Read access to Identity Platform resources.
firebaseauth.configs.get
firebaseauth.users.get
identitytoolkit.tenants.get
identitytoolkit.
identitytoolkit.tenants.list
(roles/)
Full access to Identity Toolkit resources.
firebaseauth.*
identitytoolkit.*
(roles/)
Read access to Identity Toolkit resources.
firebaseauth.configs.get
firebaseauth.users.get
identitytoolkit.tenants.get
identitytoolkit.
identitytoolkit.tenants.list
Apigee Integration Admin
(roles/)
A user that has full access to all Apigee integrations.
connectors.actions.*
connectors.
connectors.entities.*
connectors.entityTypes.list
integrations.
integrations.
integrations.
integrations.
integrations.
integrations.
integrations.
integrations.
integrations.authConfigs.*
integrations.certificates.*
integrations.executions.get
integrations.executions.list
integrations.
integrations.
integrations.
integrations.
integrations.
integrations.
integrations.
integrations.
integrations.
integrations.integrations.get
integrations.
integrations.integrations.list
integrations.
integrations.sfdcChannels.*
integrations.sfdcInstances.*
integrations.suspensions.*
resourcemanager.projects.get
resourcemanager.projects.list
Apigee Integration Deployer
(roles/)
A developer that can deploy/undeploy Apigee integrations to the integration runtime.
integrations.
integrations.
integrations.
integrations.
integrations.
integrations.
integrations.
integrations.
integrations.integrations.get
integrations.integrations.list
resourcemanager.projects.get
resourcemanager.projects.list
Apigee Integration Editor
(roles/)
A developer that can list, create and update Apigee integrations.
connectors.actions.*
connectors.
connectors.entities.*
connectors.entityTypes.list
integrations.
integrations.
integrations.
integrations.
integrations.
integrations.
integrations.
integrations.
integrations.
integrations.
integrations.
integrations.
integrations.
integrations.
integrations.
integrations.
integrations.
integrations.
integrations.
integrations.
integrations.authConfigs.get
integrations.authConfigs.list
integrations.
integrations.certificates.get
integrations.executions.get
integrations.executions.list
integrations.
integrations.
integrations.
integrations.
integrations.
integrations.
integrations.
integrations.integrations.get
integrations.
integrations.integrations.list
integrations.
integrations.sfdcChannels.*
integrations.sfdcInstances.*
resourcemanager.projects.get
resourcemanager.projects.list
Apigee Integration Invoker
(roles/)
A role that can invoke Apigee integrations.
connectors.actions.*
connectors.
connectors.entities.*
connectors.entityTypes.list
integrations.
integrations.
integrations.
integrations.
integrations.executions.get
integrations.executions.list
integrations.
integrations.
integrations.
integrations.integrations.get
integrations.
integrations.integrations.list
resourcemanager.projects.get
resourcemanager.projects.list
Apigee Integration Viewer
(roles/)
A developer that can list and view Apigee integrations.
integrations.
integrations.
integrations.
integrations.
integrations.
integrations.
integrations.
integrations.authConfigs.get
integrations.authConfigs.list
integrations.certificates.get
integrations.certificates.list
integrations.executions.get
integrations.executions.list
integrations.
integrations.
integrations.integrations.get
integrations.integrations.list
integrations.sfdcChannels.list
integrations.
resourcemanager.projects.get
resourcemanager.projects.list
Apigee Integration Approver
(roles/)
A role that can approve / reject Apigee integrations that contain a suspension/wait task.
integrations.
integrations.suspensions.*
resourcemanager.projects.get
resourcemanager.projects.list
Certificate Viewer
(roles/)
A developer that can list and view Certificates.
integrations.certificates.get
resourcemanager.projects.get
resourcemanager.projects.list
Application Integration Admin
(roles/)
A user that has full access (CRUD) to all integrations.
integrations.
integrations.
integrations.
integrations.
integrations.
integrations.
integrations.
integrations.
integrations.authConfigs.*
integrations.certificates.*
integrations.executions.*
integrations.
integrations.
integrations.
integrations.
integrations.
integrations.
integrations.integrations.*
integrations.sfdcChannels.*
integrations.sfdcInstances.*
integrations.suspensions.*
integrations.testCases.*
resourcemanager.projects.get
resourcemanager.projects.list
Application Integration Deployer
(roles/)
A developer that can deploy/undeploy integrations to the integration runtime.
integrations.
integrations.
integrations.
integrations.
integrations.
integrations.
integrations.
integrations.
integrations.integrations.get
integrations.integrations.list
resourcemanager.projects.get
resourcemanager.projects.list
Application Integration Editor
(roles/)
A developer that can list, create and update integrations.
integrations.
integrations.
integrations.
integrations.
integrations.
integrations.
integrations.
integrations.
integrations.
integrations.
integrations.
integrations.
integrations.
integrations.
integrations.
integrations.
integrations.
integrations.
integrations.
integrations.
integrations.authConfigs.get
integrations.authConfigs.list
integrations.
integrations.certificates.get
integrations.executions.*
integrations.
integrations.
integrations.
integrations.
integrations.
integrations.
integrations.
integrations.
integrations.integrations.get
integrations.
integrations.integrations.list
integrations.
integrations.sfdcChannels.*
integrations.sfdcInstances.*
integrations.testCases.*
resourcemanager.projects.get
resourcemanager.projects.list
Application Integration Invoker
(roles/)
A role that can invoke integrations.
integrations.
integrations.
integrations.
integrations.
integrations.executions.*
integrations.
integrations.
integrations.
integrations.integrations.get
integrations.
integrations.integrations.list
integrations.testCases.get
integrations.testCases.invoke
integrations.testCases.list
resourcemanager.projects.get
resourcemanager.projects.list
Application Integration Viewer
(roles/)
A developer that can list and view integrations.
integrations.
integrations.
integrations.
integrations.
integrations.
integrations.
integrations.
integrations.authConfigs.get
integrations.authConfigs.list
integrations.certificates.get
integrations.certificates.list
integrations.executions.get
integrations.executions.list
integrations.
integrations.
integrations.
integrations.integrations.get
integrations.integrations.list
integrations.sfdcChannels.list
integrations.
integrations.testCases.get
integrations.testCases.list
resourcemanager.projects.get
resourcemanager.projects.list
Security Integration Admin
Beta
(roles/)
A user that has full access to all Security integrations.
integrations.
integrations.
integrations.
integrations.
integrations.
Application Integration SFDC Instance Admin
(roles/)
A user that has full access (CRUD) to all SFDC instances.
integrations.sfdcChannels.*
integrations.sfdcInstances.*
resourcemanager.projects.get
resourcemanager.projects.list
Application Integration SFDC Instance Editor
(roles/)
A developer that can list, create and update integrations.
integrations.
integrations.sfdcChannels.get
integrations.sfdcChannels.list
integrations.
integrations.
integrations.sfdcInstances.get
integrations.
integrations.
resourcemanager.projects.get
resourcemanager.projects.list
Application Integration SFDC Instance Viewer
(roles/)
A developer that can list and view SFDC instances.
integrations.sfdcChannels.get
integrations.sfdcChannels.list
integrations.sfdcInstances.get
integrations.
resourcemanager.projects.get
resourcemanager.projects.list
Application Integration Approver
(roles/)
A role that can resolve suspended integrations.
integrations.
integrations.suspensions.*
resourcemanager.projects.get
resourcemanager.projects.list
Issuerswitch Account Manager Admin
Beta
(roles/)
This role can perform all account manager related operations
issuerswitch.
issuerswitch.managedAccounts.*
issuerswitch.operations.get
issuerswitch.operations.list
resourcemanager.projects.get
resourcemanager.projects.list
Issuerswitch Account Manager Transactions Admin
Beta
(roles/)
This role can perform all account manager transactions related operations
issuerswitch.
issuerswitch.operations.get
issuerswitch.operations.list
resourcemanager.projects.get
resourcemanager.projects.list
Issuerswitch Account Manager Transactions Viewer
Beta
(roles/)
This role can view all account manager transactions
issuerswitch.
issuerswitch.operations.get
issuerswitch.operations.list
resourcemanager.projects.get
resourcemanager.projects.list
Issuerswitch Admin
Beta
(roles/)
Access to all issuer switch roles
issuerswitch.*
resourcemanager.projects.get
resourcemanager.projects.list
Issuerswitch Participants Admin
Beta
(roles/)
Full access to issuer switch participants
issuerswitch.
resourcemanager.projects.get
resourcemanager.projects.list
Issuerswitch Resolutions Admin
Beta
(roles/)
Full access to issuer switch resolutions
issuerswitch.
issuerswitch.complaints.*
issuerswitch.disputes.*
issuerswitch.operations.get
resourcemanager.projects.get
resourcemanager.projects.list
Issuerswitch Rules Admin
Beta
(roles/)
Full access to issuer switch rules
issuerswitch.ruleMetadata.list
issuerswitch.
issuerswitch.rules.list
resourcemanager.projects.get
resourcemanager.projects.list
Issuerswitch Rules Viewer
Beta
(roles/)
This role can view rules and related metadata.
issuerswitch.ruleMetadata.list
issuerswitch.
issuerswitch.rules.list
resourcemanager.projects.get
resourcemanager.projects.list
Issuerswitch Transactions Viewer
Beta
(roles/)
This role can view all transactions
issuerswitch.
issuerswitch.
issuerswitch.
issuerswitch.
issuerswitch.operations.get
issuerswitch.operations.list
resourcemanager.projects.get
resourcemanager.projects.list
(roles/)
Publisher of Kubernetes clusters metadata
kubernetesmetadata.*
Cloud License Manager Admin
(roles/)
Full access to Cloud License Manager resources.
licensemanager.*
resourcemanager.projects.get
resourcemanager.projects.list
Cloud License Manager Viewer
(roles/)
Readonly access to Cloud License Manager resources.
licensemanager.
licensemanager.
licensemanager.instances.*
licensemanager.locations.*
licensemanager.operations.get
licensemanager.operations.list
licensemanager.products.*
resourcemanager.projects.get
resourcemanager.projects.list
Google Cloud Managed Lustre Admin
(roles/)
Full access to Google Cloud Managed Lustre resources.
lustre.*
resourcemanager.projects.get
resourcemanager.projects.list
Google Cloud Managed Lustre Viewer
(roles/)
Readonly access to Google Cloud Managed Lustre resources.
lustre.instances.get
lustre.instances.list
lustre.locations.*
lustre.operations.get
lustre.operations.list
resourcemanager.projects.get
resourcemanager.projects.list
Maintenance API Viewer
Beta
(roles/)
Readonly access to Maintenance API resources.
maintenance.*
resourcemanager.projects.get
resourcemanager.projects.list
Managed Flink Admin
Beta
(roles/)
Full access to Managed Flink resources.
managedflink.*
resourcemanager.projects.get
resourcemanager.projects.list
Managed Flink Developer
Beta
(roles/)
Full access to Managed Flink Jobs and Sessions and read access to Deployments.
managedflink.deployments.get
managedflink.deployments.list
managedflink.jobs.*
managedflink.locations.*
managedflink.operations.get
managedflink.operations.list
managedflink.sessions.*
resourcemanager.projects.get
resourcemanager.projects.list
Managed Flink Viewer
Beta
(roles/)
Readonly access to Managed Flink resources.
managedflink.deployments.get
managedflink.deployments.list
managedflink.jobs.get
managedflink.jobs.list
managedflink.locations.*
managedflink.operations.get
managedflink.operations.list
managedflink.sessions.get
managedflink.sessions.list
resourcemanager.projects.get
resourcemanager.projects.list
Managed Kafka Admin
(roles/)
Full access to Managed Kafka resources.
cloudasset.
managedkafka.*
resourcemanager.projects.get
resourcemanager.projects.list
serviceusage.quotas.get
serviceusage.services.get
serviceusage.services.list
Managed Kafka Client
(roles/)
Provides access to connect to the Kafka servers in a cluster, i.e. provides Kafka data plane access. Intended for, e.g., producers and consumers.
cloudasset.
managedkafka.
managedkafka.clusters.connect
managedkafka.clusters.get
managedkafka.clusters.list
managedkafka.
managedkafka.
managedkafka.connectors.get
managedkafka.connectors.list
managedkafka.consumerGroups.*
managedkafka.locations.*
managedkafka.operations.get
managedkafka.operations.list
managedkafka.topics.*
resourcemanager.projects.get
resourcemanager.projects.list
serviceusage.quotas.get
serviceusage.services.get
serviceusage.services.list
Managed Kafka Cluster Editor
(roles/)
Provides read and write access to Kafka clusters. Intended for, e.g., IT Departments that provision Kafka clusters, but need not be able to read or modify topics or consumer groups.
cloudasset.
managedkafka.clusters.create
managedkafka.clusters.delete
managedkafka.clusters.get
managedkafka.clusters.list
managedkafka.clusters.update
managedkafka.
managedkafka.
managedkafka.connectors.get
managedkafka.connectors.list
managedkafka.
managedkafka.
managedkafka.locations.*
managedkafka.operations.get
managedkafka.operations.list
managedkafka.topics.get
managedkafka.topics.list
resourcemanager.projects.get
resourcemanager.projects.list
serviceusage.quotas.get
serviceusage.services.get
serviceusage.services.list
Managed Kafka Connect Cluster Editor
Beta
(roles/)
Provides read and write access to Kafka Connect clusters. Intended for, e.g., IT Departments that provision Kafka Connect clusters, but need not be able to read or modify connectors.
managedkafka.connectClusters.*
managedkafka.connectors.get
managedkafka.connectors.list
Managed Kafka Connector Editor
Beta
(roles/)
Provides read and write access to connectors. Intended for, e.g., developers who configure and operate connectors.
cloudasset.
managedkafka.clusters.get
managedkafka.clusters.list
managedkafka.
managedkafka.
managedkafka.connectors.*
managedkafka.
managedkafka.
managedkafka.locations.*
managedkafka.operations.get
managedkafka.operations.list
managedkafka.topics.get
managedkafka.topics.list
resourcemanager.projects.get
resourcemanager.projects.list
serviceusage.quotas.get
serviceusage.services.get
serviceusage.services.list
Managed Kafka Consumer Group Editor
(roles/)
Provides read and write access to consumer group metadata. Intended for, e.g., developers who configure consumer groups.
cloudasset.
managedkafka.clusters.get
managedkafka.clusters.list
managedkafka.
managedkafka.
managedkafka.connectors.get
managedkafka.connectors.list
managedkafka.consumerGroups.*
managedkafka.locations.*
managedkafka.operations.get
managedkafka.operations.list
managedkafka.topics.get
managedkafka.topics.list
resourcemanager.projects.get
resourcemanager.projects.list
serviceusage.quotas.get
serviceusage.services.get
serviceusage.services.list
Managed Kafka Topic Editor
(roles/)
Provides read and write access to topic metadata. Intended for, e.g., developers who configure topics.
cloudasset.
managedkafka.clusters.get
managedkafka.clusters.list
managedkafka.
managedkafka.
managedkafka.connectors.get
managedkafka.connectors.list
managedkafka.
managedkafka.
managedkafka.locations.*
managedkafka.operations.get
managedkafka.operations.list
managedkafka.topics.*
resourcemanager.projects.get
resourcemanager.projects.list
serviceusage.quotas.get
serviceusage.services.get
serviceusage.services.list
Managed Kafka Viewer
(roles/)
Readonly access to Managed Kafka resources.
cloudasset.
managedkafka.clusters.get
managedkafka.clusters.list
managedkafka.
managedkafka.
managedkafka.connectors.get
managedkafka.connectors.list
managedkafka.
managedkafka.
managedkafka.locations.*
managedkafka.operations.get
managedkafka.operations.list
managedkafka.topics.get
managedkafka.topics.list
resourcemanager.projects.get
resourcemanager.projects.list
serviceusage.quotas.get
serviceusage.services.get
serviceusage.services.list
Mandiant Attack Surface Management Editor
Beta
(roles/)
Access to write Attack Surface Management
mandiant.
mandiant.
mandiant.
mandiant.
mandiant.
mandiant.
resourcemanager.projects.get
resourcemanager.projects.list
Mandiant Attack Surface Management Viewer
Beta
(roles/)
Access to read Attack Surface Management
mandiant.
mandiant.genericPlatforms.get
resourcemanager.projects.get
resourcemanager.projects.list
Mandiant Digital Threat Monitoring Editor
Beta
(roles/)
Access to write Digital Threat Monitoring
mandiant.
mandiant.
mandiant.
mandiant.
resourcemanager.projects.get
resourcemanager.projects.list
Mandiant Digital Threat Monitoring Viewer
Beta
(roles/)
Access to read Digital Threat Monitoring
mandiant.
mandiant.genericPlatforms.get
resourcemanager.projects.get
resourcemanager.projects.list
Mandiant Expertise On Demand Editor
Beta
(roles/)
Access to write Expertise On Demand
mandiant.
mandiant.
mandiant.
mandiant.
mandiant.
mandiant.
resourcemanager.projects.get
resourcemanager.projects.list
Mandiant Expertise On Demand Viewer
Beta
(roles/)
Access to read Expertise On Demand
mandiant.
mandiant.genericPlatforms.get
resourcemanager.projects.get
resourcemanager.projects.list
Mandiant Threat Intel Editor
Beta
(roles/)
Access to write Threat Intel
mandiant.
mandiant.
mandiant.
mandiant.
mandiant.
mandiant.
resourcemanager.projects.get
resourcemanager.projects.list
Mandiant Threat Intel Viewer
Beta
(roles/)
Access to read Threat Intel
mandiant.genericPlatforms.get
mandiant.
resourcemanager.projects.get
resourcemanager.projects.list
Mandiant Validation Editor
Beta
(roles/)
Access to write Validation
mandiant.
mandiant.
mandiant.
mandiant.
mandiant.
mandiant.
resourcemanager.projects.get
resourcemanager.projects.list
Mandiant Validation Viewer
Beta
(roles/)
Access to read Validation
mandiant.genericPlatforms.get
mandiant.
resourcemanager.projects.get
resourcemanager.projects.list
Mobility Solutions Overages Viewer
Beta
(roles/)
Grants read-only access to Mobility Solutions Overages metric data.
mapsanalytics.
resourcemanager.projects.get
resourcemanager.projects.list
serviceusage.services.list
Maps Analytics Viewer
Beta
(roles/)
Grants read-only access to all of the Maps Analytics resources.
mapsanalytics.metricData.query
mapsanalytics.
resourcemanager.projects.get
resourcemanager.projects.list
serviceusage.services.list
(roles/)
Grants read and write access to all the Maps Platform Datasets API resources
mapsadmin.clientStyles.*
mapsplatformdatasets.*
resourcemanager.projects.get
resourcemanager.projects.list
(roles/)
Grants read-only access to all the Maps Platform Datasets API resources
mapsadmin.clientStyles.get
mapsadmin.clientStyles.list
mapsplatformdatasets.
mapsplatformdatasets.
mapsplatformdatasets.
resourcemanager.projects.get
resourcemanager.projects.list
Marketplace Solutions Admin
Beta
(roles/)
Full access to Marketplace Solutions resources.
marketplacesolutions.*
resourcemanager.projects.get
resourcemanager.projects.list
Marketplace Solutions Editor
Beta
(roles/)
Edit access to Marketplace Solutions resources.
marketplacesolutions.
marketplacesolutions.
marketplacesolutions.
marketplacesolutions.
marketplacesolutions.
marketplacesolutions.
marketplacesolutions.
marketplacesolutions.
marketplacesolutions.
marketplacesolutions.
resourcemanager.projects.get
resourcemanager.projects.list
Marketplace Solutions Viewer
Beta
(roles/)
Readonly access to Marketplace Solutions resources.
marketplacesolutions.
marketplacesolutions.
marketplacesolutions.
marketplacesolutions.
marketplacesolutions.
marketplacesolutions.
marketplacesolutions.
marketplacesolutions.
marketplacesolutions.
resourcemanager.projects.get
resourcemanager.projects.list
Memorystore Admin
(roles/)
Full access to Memorystore resources.
memorystore.*
resourcemanager.projects.get
resourcemanager.projects.list
Memorystore DB Connector User
(roles/)
Access to connecting to Memorystore Server db.
memorystore.instances.connect
Memorystore Viewer
(roles/)
Readonly access to Memorystore resources.
memorystore.
memorystore.backups.get
memorystore.backups.list
memorystore.instances.get
memorystore.instances.list
memorystore.locations.*
memorystore.operations.get
memorystore.operations.list
resourcemanager.projects.get
resourcemanager.projects.list
Model Armor Admin
(roles/)
Grants full access to all modelarmor resources. Intended for administrators & owners.
modelarmor.locations.*
modelarmor.templates.*
resourcemanager.projects.get
resourcemanager.projects.list
Model Armor Callout User
Beta
(roles/)
Grants access to use Model Armor Callout service. Intended for users & applications which plan to use Model Armor Callout service.
modelarmor.callouts.invoke
modelarmor.locations.*
resourcemanager.projects.get
resourcemanager.projects.list
Model Armor Floor Setting Admin
(roles/)
Grants full access to all Model Armor Floor Setting resources. Intended for administrators & owners.
modelarmor.floorSettings.*
modelarmor.locations.*
resourcemanager.folders.get
resourcemanager.folders.list
resourcemanager.
resourcemanager.projects.get
resourcemanager.projects.list
Model Armor Floor Setting Viewer
(roles/)
Grants read access to all Model Armor Floor Setting resources. Intended for viewers.
modelarmor.floorSettings.get
modelarmor.locations.*
resourcemanager.folders.get
resourcemanager.folders.list
resourcemanager.
resourcemanager.projects.get
resourcemanager.projects.list
Model Armor User
(roles/)
Grants access to sanitize APIs for templates. Intended for users & applications which plan to use a template.
modelarmor.locations.*
modelarmor.
modelarmor.
resourcemanager.projects.get
resourcemanager.projects.list
Model Armor Viewer
(roles/)
Grants read access to all model armor resources. Intended for viewers.
modelarmor.locations.*
modelarmor.templates.get
modelarmor.templates.list
resourcemanager.projects.get
resourcemanager.projects.list
Google Home Developer Console Admin
(roles/)
Admin access to Google Home Developer Console resources
nestconsole.*
resourcemanager.projects.get
resourcemanager.projects.list
Google Home Developer Console Editor
(roles/)
Read-Write access to Google Home Developer Console resources
nestconsole.
nestconsole.
nestconsole.
nestconsole.
resourcemanager.projects.get
resourcemanager.projects.list
Google Home Developer Console Reader
(roles/)
Read-only access to Google Home Developer Console resources
nestconsole.
nestconsole.
resourcemanager.projects.get
resourcemanager.projects.list
Google Cloud NetApp Volumes Admin
Beta
(roles/)
Full access to Google Cloud NetApp Volumes resources.
netapp.*
resourcemanager.projects.get
resourcemanager.projects.list
Google Cloud NetApp Volumes Viewer
Beta
(roles/)
Readonly access to Google Cloud NetApp Volumes resources.
netapp.activeDirectories.get
netapp.activeDirectories.list
netapp.backupPolicies.get
netapp.backupPolicies.list
netapp.backupVaults.get
netapp.backupVaults.list
netapp.backups.get
netapp.backups.list
netapp.kmsConfigs.get
netapp.kmsConfigs.list
netapp.locations.*
netapp.operations.get
netapp.operations.list
netapp.quotaRules.get
netapp.quotaRules.list
netapp.replications.get
netapp.replications.list
netapp.snapshots.get
netapp.snapshots.list
netapp.storagePools.get
netapp.storagePools.list
netapp.volumes.get
netapp.volumes.list
resourcemanager.projects.get
resourcemanager.projects.list
OAuth Config Editor
Beta
(roles/)
Read/write access to OAuth config resources
clientauthconfig.*
firebase.clients.create
firebase.clients.get
firebase.clients.list
firebase.clients.update
firebaseappcheck.
oauthconfig.*
OAuth Config Viewer
Beta
(roles/)
Read-only access to OAuth config resources
clientauthconfig.brands.get
clientauthconfig.brands.list
clientauthconfig.clients.get
clientauthconfig.clients.list
firebase.clients.get
firebase.clients.list
firebaseappcheck.
oauthconfig.clientpolicy.get
oauthconfig.testusers.get
oauthconfig.verification.get
Oracle Database@Google Cloud admin
(roles/)
Grants full access to manage all Oracle Database resources.
oracledatabase.*
resourcemanager.projects.get
resourcemanager.projects.list
Oracle Database@Google Cloud Autonomous Database Admin
(roles/)
Grants full access to manage all Autonomous Database resources.
oracledatabase.
oracledatabase.
oracledatabase.
oracledatabase.
oracledatabase.
oracledatabase.locations.*
oracledatabase.operations.*
resourcemanager.projects.get
resourcemanager.projects.list
Oracle Database@Google Cloud Autonomous Database Viewer
(roles/)
Grants read access to see all Autonomous Database resources.
oracledatabase.
oracledatabase.
oracledatabase.
oracledatabase.
oracledatabase.
oracledatabase.
oracledatabase.
oracledatabase.locations.*
oracledatabase.operations.get
oracledatabase.operations.list
resourcemanager.projects.get
resourcemanager.projects.list
Oracle Database@Google Cloud Exadata Infrastructure Admin
(roles/)
Grants full access to manage all Exadata Infrastructure resources.
oracledatabase.
oracledatabase.
oracledatabase.
oracledatabase.
oracledatabase.
oracledatabase.dbServers.list
oracledatabase.
oracledatabase.
oracledatabase.giVersions.list
oracledatabase.locations.*
oracledatabase.operations.*
resourcemanager.projects.get
resourcemanager.projects.list
Oracle Database@Google Cloud Exadata Infrastructure User
(roles/)
Grants user access to use all Exadata Infrastructure resources.
oracledatabase.
oracledatabase.
oracledatabase.
oracledatabase.dbServers.list
oracledatabase.
oracledatabase.
oracledatabase.giVersions.list
oracledatabase.locations.*
oracledatabase.operations.get
oracledatabase.operations.list
resourcemanager.projects.get
resourcemanager.projects.list
Oracle Database@Google Cloud Exadata Infrastructure Viewer
(roles/)
Grants read access to see all Exadata Infrastructure resources.
oracledatabase.
oracledatabase.
oracledatabase.dbServers.list
oracledatabase.
oracledatabase.
oracledatabase.giVersions.list
oracledatabase.locations.*
oracledatabase.operations.get
oracledatabase.operations.list
resourcemanager.projects.get
resourcemanager.projects.list
Oracle Database@Google Cloud VM Cluster Admin
(roles/)
Grants full access to manage all VM Cluster resources.
oracledatabase.
oracledatabase.
oracledatabase.
oracledatabase.dbNodes.list
oracledatabase.dbServers.list
oracledatabase.
oracledatabase.giVersions.list
oracledatabase.locations.*
oracledatabase.operations.*
oracledatabase.
resourcemanager.projects.get
resourcemanager.projects.list
Oracle Database@Google Cloud VM Cluster Viewer
(roles/)
Grants read access to see all VM Cluster resources.
oracledatabase.
oracledatabase.
oracledatabase.dbNodes.list
oracledatabase.
oracledatabase.locations.*
oracledatabase.operations.get
oracledatabase.operations.list
resourcemanager.projects.get
resourcemanager.projects.list
Oracle Database@Google Cloud viewer
(roles/)
Grants view access to all Oracle Database resources.
oracledatabase.
oracledatabase.
oracledatabase.
oracledatabase.
oracledatabase.
oracledatabase.
oracledatabase.
oracledatabase.
oracledatabase.
oracledatabase.
oracledatabase.dbNodes.list
oracledatabase.dbServers.list
oracledatabase.
oracledatabase.
oracledatabase.giVersions.list
oracledatabase.locations.*
oracledatabase.operations.get
oracledatabase.operations.list
resourcemanager.projects.get
resourcemanager.projects.list
Parallelstore Admin
(roles/)
Full access to Parallelstore resources.
parallelstore.*
resourcemanager.projects.get
resourcemanager.projects.list
Parallelstore Viewer
(roles/)
Readonly access to Parallelstore resources.
parallelstore.instances.get
parallelstore.instances.list
parallelstore.locations.*
parallelstore.operations.get
parallelstore.operations.list
resourcemanager.projects.get
resourcemanager.projects.list
Parameter Manager Admin
(roles/)
Grants full access to all Parameter Manager resources. Intended for project admins & owners who need to perform all administrative tasks.
parametermanager.*
resourcemanager.projects.get
resourcemanager.projects.list
Parameter Manager Parameter Accessor
(roles/)
Grants read access to ParameterManager ParameterVersion resources. Intended for users & applications that need to perform read operations on ParameterVersion only.
parametermanager.locations.*
parametermanager.
resourcemanager.projects.get
resourcemanager.projects.list
Parameter Manager Parameter Version Adder
(roles/)
Grants create access to Parameter Manager ParameterVersion resources. Intended for users & applications that need to perform create operations on ParameterVersions only.
parametermanager.locations.*
parametermanager.
parametermanager.
parametermanager.
resourcemanager.projects.get
resourcemanager.projects.list
Parameter Manager Parameter Version Manager
(roles/)
Grants read & write access to all Parameter Manager ParameterVersion resources. Intended for users & applications that need to view Parameters & perform create/read/update/delete/list operations on ParameterVersions only.
parametermanager.locations.*
parametermanager.
parametermanager.
parametermanager.
parametermanager.
parametermanager.
parametermanager.
parametermanager.
resourcemanager.projects.get
resourcemanager.projects.list
Parameter Manager Parameter Viewer
(roles/)
Grants read access to Parameter Manager Parameter & ParameterVersion resources. Intended for users & applications that need to perform read/list operations on Parameters & ParameterVersions only.
parametermanager.locations.*
parametermanager.
parametermanager.
parametermanager.
parametermanager.
resourcemanager.projects.get
resourcemanager.projects.list
Payments Reseller Admin
Beta
(roles/)
Full access to all Payments Reseller resources, including subscriptions, products and promotions
paymentsresellersubscription.*
resourcemanager.projects.get
resourcemanager.projects.list
Payments Reseller Viewer
Beta
(roles/)
Read access to all Payments Reseller resources, including subscriptions, products and promotions
paymentsresellersubscription.
paymentsresellersubscription.
paymentsresellersubscription.
resourcemanager.projects.get
resourcemanager.projects.list
Payments Reseller Products Viewer
Beta
(roles/)
Read access to Payments Reseller Product resource
paymentsresellersubscription.
resourcemanager.projects.get
resourcemanager.projects.list
(roles/)
Read access to Payments Reseller Promotion resource
paymentsresellersubscription.
resourcemanager.projects.get
resourcemanager.projects.list
Payments Reseller Subscriptions Editor
Beta
(roles/)
Write access to Payments Reseller Subscription resource
paymentsresellersubscription.
resourcemanager.projects.get
resourcemanager.projects.list
Payments Reseller Subscriptions Viewer
Beta
(roles/)
Read access to Payments Reseller Subscription resource
paymentsresellersubscription.
resourcemanager.projects.get
resourcemanager.projects.list
Payments Partner UserSessions Editor
Beta
(roles/)
Editor of UserSessions for a Payments Partner
paymentsresellersubscription.
Activity Analysis Viewer
Beta
(roles/)
Viewer user that can read all activity analysis.
policyanalyzer.*
(roles/)
Grants the ability to enable and disable the usage of the policy remediator for the organization
policyremediatormanager.*
(roles/)
Grants the ability to read/view the state of the policy remediator for the organization
policyremediatormanager.
policyremediatormanager.
policyremediatormanager.
policyremediatormanager.
Simulator Admin
Beta
(roles/)
Admin user that can run and access replays.
policysimulator.
policysimulator.
policysimulator.
policysimulator.replays.*
OrgPolicy Simulator Admin
Beta
(roles/)
OrgPolicy Admin that can run and access simulations.
cloudasset.
cloudasset.
cloudasset.assets.listResource
cloudasset.
orgpolicy.
orgpolicy.
orgpolicy.policies.list
orgpolicy.policy.get
policysimulator.
policysimulator.
resourcemanager.
External Account Key Creator
Beta
(roles/)
This role can create a new externalAccountKey resource.
publicca.
resourcemanager.projects.get
resourcemanager.projects.list
Subscription Linking Admin
(roles/)
Full access to publication reader resources
readerrevenuesubscriptionlinking.*
resourcemanager.projects.get
resourcemanager.projects.list
Subscription Linking Entitlements Viewer
(roles/)
This role can view all publication reader entitlements
readerrevenuesubscriptionlinking.
Subscription Linking Viewer
(roles/)
This role can view all publication reader resources
readerrevenuesubscriptionlinking.
readerrevenuesubscriptionlinking.
resourcemanager.projects.get
resourcemanager.projects.list
Recommendations Exporter
(roles/)
Exporter of Recommendations
recommender.resources.export
Remote Build Execution Action Cache Writer
Beta
(roles/)
Remote Build Execution Action Cache Writer
remotebuildexecution.
remotebuildexecution.
Remote Build Execution Artifact Admin
Beta
(roles/)
Remote Build Execution Artifact Admin
remotebuildexecution.
remotebuildexecution.
remotebuildexecution.
remotebuildexecution.blobs.*
remotebuildexecution.
Remote Build Execution Artifact Creator
Beta
(roles/)
Remote Build Execution Artifact Creator
remotebuildexecution.
remotebuildexecution.
remotebuildexecution.blobs.*
remotebuildexecution.
Remote Build Execution Artifact Viewer
Beta
(roles/)
Remote Build Execution Artifact Viewer
remotebuildexecution.
remotebuildexecution.blobs.get
remotebuildexecution.
Remote Build Execution Configuration Admin
Beta
(roles/)
Remote Build Execution Configuration Admin
remotebuildexecution.
remotebuildexecution.
Remote Build Execution Configuration Viewer
Beta
(roles/)
Remote Build Execution Configuration Viewer
remotebuildexecution.
remotebuildexecution.
remotebuildexecution.
remotebuildexecution.
Remote Build Execution Logstream Writer
Beta
(roles/)
Remote Build Execution Logstream Writer
remotebuildexecution.
remotebuildexecution.
Remote Build Execution Reservation Admin
Beta
(roles/)
Remote Build Execution Reservation Admin
remotebuildexecution.
remotebuildexecution.
remotebuildexecution.
Remote Build Execution Worker
Beta
(roles/)
Remote Build Execution Worker
remotebuildexecution.
remotebuildexecution.blobs.*
remotebuildexecution.
remotebuildexecution.
remotebuildexecution.
Retail Admin
(roles/)
Full access to Retail api resources.
automlrecommendations.
automlrecommendations.
automlrecommendations.
automlrecommendations.
automlrecommendations.
automlrecommendations.
automlrecommendations.
automlrecommendations.
automlrecommendations.
automlrecommendations.
automlrecommendations.
retail.alertConfigs.*
retail.attributesConfigs.*
retail.branches.*
retail.catalogs.*
retail.controls.*
retail.experiments.*
retail.models.*
retail.operations.*
retail.placements.*
retail.products.*
retail.retailProjects.*
retail.servingConfigs.*
retail.userEvents.*
Retail Editor
(roles/)
Full access to Retail api resources except purge, rejoin, and setSponsorship.
automlrecommendations.
automlrecommendations.
automlrecommendations.
automlrecommendations.
automlrecommendations.
automlrecommendations.
automlrecommendations.
automlrecommendations.
automlrecommendations.
retail.alertConfigs.*
retail.
retail.
retail.attributesConfigs.get
retail.
retail.
retail.
retail.branches.*
retail.catalogs.*
retail.controls.*
retail.experiments.*
retail.models.*
retail.operations.*
retail.placements.*
retail.products.create
retail.products.delete
retail.products.export
retail.products.get
retail.products.import
retail.products.list
retail.products.update
retail.retailProjects.get
retail.servingConfigs.*
retail.userEvents.create
retail.userEvents.import
Retail Merchant Approver
Beta
(roles/)
Grants access and approval rights to MerchantControls in the merchant console.
retail.attributesConfigs.get
retail.merchantControls.*
retail.servingConfigs.list
retail.servingConfigs.search
Retail Merchant Creator
Beta
(roles/)
Grants access to own MerchantControls in the merchant console.
retail.attributesConfigs.get
retail.
retail.
retail.
retail.
retail.
retail.
retail.servingConfigs.search
Retail Viewer
(roles/)
Grants access to read all resources in Retail.
automlrecommendations.
automlrecommendations.
automlrecommendations.
automlrecommendations.
automlrecommendations.
automlrecommendations.
automlrecommendations.
automlrecommendations.
automlrecommendations.
retail.alertConfigs.get
retail.
retail.attributesConfigs.get
retail.branches.*
retail.catalogs.completeQuery
retail.
retail.catalogs.get
retail.catalogs.list
retail.controls.export
retail.controls.get
retail.controls.list
retail.experiments.get
retail.experiments.list
retail.
retail.
retail.models.get
retail.models.list
retail.operations.*
retail.placements.*
retail.products.export
retail.products.get
retail.products.list
retail.retailProjects.get
retail.servingConfigs.get
retail.servingConfigs.list
retail.servingConfigs.predict
retail.servingConfigs.search
RISC Configuration Admin
Beta
(roles/)
Read/write access to RISC config resources.
clientauthconfig.clients.list
riscconfigurationservice.*
RISC Configuration Viewer
Beta
(roles/)
Read-only access to RISC config resources.
clientauthconfig.clients.list
riscconfigurationservice.
Route Optimization Editor
(roles/)
This role can create long-running operations via BatchOptimizeTours.
resourcemanager.projects.get
resourcemanager.projects.list
routeoptimization.*
Route Optimization Viewer
(roles/)
This role can view any long-running Operations.
resourcemanager.projects.get
resourcemanager.projects.list
routeoptimization.
Serverless Integrations Developer
Beta
(roles/)
Access to create and change Serverless Integrations and their configuration.
resourcemanager.projects.get
resourcemanager.projects.list
runapps.applications.*
runapps.deployments.get
runapps.deployments.list
runapps.locations.*
runapps.operations.*
Serverless Integrations Operator
Beta
(roles/)
Access to deploy Serverless Integrations.
resourcemanager.projects.get
resourcemanager.projects.list
runapps.applications.get
runapps.applications.getStatus
runapps.applications.list
runapps.deployments.*
runapps.locations.*
runapps.operations.*
Serverless Integrations Viewer
Beta
(roles/)
Read-only access to Serverless Integrations resources.
resourcemanager.projects.get
resourcemanager.projects.list
runapps.applications.get
runapps.applications.getStatus
runapps.applications.list
runapps.deployments.get
runapps.deployments.list
runapps.locations.*
runapps.operations.get
runapps.operations.list
Cloud RuntimeConfig Admin
(roles/)
Full access to RuntimeConfig resources.
runtimeconfig.*
SaaS Service Management Admin
Beta
(roles/)
Full access to SaaS Service Management resources.
resourcemanager.projects.get
resourcemanager.projects.list
saasservicemgmt.*
SaaS Service Management Viewer
Beta
(roles/)
Readonly access to SaaS Service Management resources.
resourcemanager.projects.get
resourcemanager.projects.list
saasservicemgmt.locations.*
saasservicemgmt.operations.get
saasservicemgmt.
saasservicemgmt.releases.get
saasservicemgmt.releases.list
saasservicemgmt.
saasservicemgmt.
saasservicemgmt.rollouts.get
saasservicemgmt.rollouts.list
saasservicemgmt.saas.get
saasservicemgmt.saas.list
saasservicemgmt.unitKinds.get
saasservicemgmt.unitKinds.list
saasservicemgmt.
saasservicemgmt.
saasservicemgmt.units.get
saasservicemgmt.units.list
(roles/)
Access to modify (remediate) resources in SLZ BQDW Blueprint at Organization.
accesscontextmanager.
accesscontextmanager.
accesscontextmanager.
(roles/)
Access to modify (remediate) resources in SLZ BQDW Blueprint at Project.
bigquery.datasets.get
bigquery.datasets.getIamPolicy
bigquery.datasets.setIamPolicy
bigquery.datasets.update
cloudkms.cryptoKeys.get
cloudkms.
cloudkms.cryptoKeys.list
cloudkms.
cloudkms.cryptoKeys.update
cloudkms.keyRings.getIamPolicy
cloudkms.keyRings.setIamPolicy
pubsub.topics.get
pubsub.topics.getIamPolicy
pubsub.topics.list
pubsub.topics.setIamPolicy
pubsub.topics.update
resourcemanager.
serviceusage.services.use
storage.buckets.get
storage.buckets.getIamPolicy
storage.buckets.list
storage.buckets.setIamPolicy
storage.buckets.update
Overwatch Activator
Beta
(roles/)
This role can activate or suspend Overwatches
resourcemanager.projects.get
resourcemanager.projects.list
securedlandingzone.
securedlandingzone.
Overwatch Admin
Beta
(roles/)
Full access to Overwatches
resourcemanager.projects.get
resourcemanager.projects.list
securedlandingzone.*
Overwatch Viewer
Beta
(roles/)
This role can view all properties of Overwatches
resourcemanager.projects.get
resourcemanager.projects.list
securedlandingzone.
securedlandingzone.
securedlandingzone.
Security Posture Admin
(roles/)
Full access to Security Posture service APIs.
orgpolicy.*
resourcemanager.
securitycenter.
securitycentermanagement.
securitycentermanagement.
securitycentermanagement.
securitycentermanagement.
securitycentermanagement.
securitycentermanagement.
securityposture.*
Security Posture Deployer
(roles/)
Mutate and read permissions to the Posture Deployment resource.
orgpolicy.*
resourcemanager.
securitycenter.
securitycentermanagement.
securitycentermanagement.
securitycentermanagement.
securityposture.operations.get
securityposture.
Security Posture Deployments Viewer
(roles/)
Read only access to the Posture Deployment resource.
resourcemanager.
securityposture.operations.get
securityposture.
securityposture.
Security Posture Resource Editor
(roles/)
Mutate and read permissions to the Posture resource.
securityposture.operations.get
securityposture.postures.*
Security Posture Resource Viewer
(roles/)
Read only access to the Posture resource.
resourcemanager.
securityposture.operations.get
securityposture.postures.get
securityposture.postures.list
Security Posture Shift-Left Validator
(roles/)
Create access for Reports, e.g. IaC Validation Report.
securityposture.operations.get
securityposture.reports.*
Security Posture Viewer
(roles/)
Read only access to all the SecurityPosture Service resources.
resourcemanager.
securityposture.operations.get
securityposture.
securityposture.
securityposture.
securityposture.postures.get
securityposture.postures.list
Personalized Service Health Viewer
(roles/)
Readonly access to Personalized Service Health resources.
resourcemanager.projects.get
resourcemanager.projects.list
servicehealth.*
Security Insights Viewer
Beta
(roles/)
Read-only access to Security Insights resources
servicesecurityinsights.*
Speaker ID Admin
(roles/)
Grants full access to all Speaker ID resources, including project settings.
speakerid.*
Speaker ID Editor
(roles/)
Grants access to read and write all Speaker ID resources.
speakerid.phrases.*
speakerid.speakers.*
Speaker ID Verifier
(roles/)
Grants read access to all Speaker ID resources, and allows verification.
speakerid.phrases.get
speakerid.phrases.list
speakerid.speakers.get
speakerid.speakers.list
speakerid.speakers.verify
Speaker ID Viewer
(roles/)
Grants read access to all Speaker ID resources.
speakerid.phrases.get
speakerid.phrases.list
speakerid.speakers.get
speakerid.speakers.list
Cloud Speech Administrator
(roles/)
Grants full access to all resources in Speech-to-text
speech.*
Cloud Speech Client
(roles/)
Grants access to the recognition APIs.
speech.adaptations.execute
speech.customClasses.get
speech.customClasses.list
speech.locations.*
speech.operations.get
speech.operations.list
speech.operations.wait
speech.phraseSets.get
speech.phraseSets.list
speech.recognizers.get
speech.recognizers.list
speech.recognizers.recognize
Cloud Speech Editor
(roles/)
Grants access to edit resources in Speech-to-text
speech.adaptations.execute
speech.customClasses.*
speech.locations.*
speech.operations.*
speech.phraseSets.*
speech.recognizers.*
Storage Insights Admin
(roles/)
Full access to Storage Insights resources.
resourcemanager.projects.get
resourcemanager.projects.list
storageinsights.*
Storage Insights Analyst
(roles/)
Data access to Storage Insights.
resourcemanager.projects.get
resourcemanager.projects.list
storageinsights.
storageinsights.
storageinsights.
storageinsights.
storageinsights.locations.*
storageinsights.operations.get
storageinsights.
storageinsights.
storageinsights.
storageinsights.
Storage Insights Viewer
(roles/)
Read-only access to Storage Insights resources.
resourcemanager.projects.get
resourcemanager.projects.list
storageinsights.
storageinsights.
storageinsights.locations.*
storageinsights.operations.get
storageinsights.
storageinsights.
storageinsights.
storageinsights.
Subscribe with Google Developer
Beta
(roles/)
Access DevTools for Subscribe with Google
resourcemanager.projects.get
resourcemanager.projects.list
subscribewithgoogledeveloper.
Telco Automation Admin
Beta
(roles/)
Full access to Telco Automation resources.
logging.buckets.get
logging.buckets.list
logging.exclusions.get
logging.exclusions.list
logging.links.get
logging.links.list
logging.locations.*
logging.logEntries.list
logging.logMetrics.get
logging.logMetrics.list
logging.logScopes.get
logging.logScopes.list
logging.logServiceIndexes.list
logging.logServices.list
logging.logs.list
logging.operations.get
logging.operations.list
logging.queries.getShared
logging.queries.listShared
logging.queries.usePrivate
logging.sinks.get
logging.sinks.list
logging.usage.get
logging.views.get
logging.views.list
monitoring.timeSeries.list
observability.scopes.get
resourcemanager.projects.get
serviceusage.quotas.*
serviceusage.services.*
source.repos.get
source.repos.list
telcoautomation.*
Telco Automation Blueprint Designer
Beta
(roles/)
Ability to manage blueprints
telcoautomation.
telcoautomation.
telcoautomation.blueprints.get
telcoautomation.
telcoautomation.
telcoautomation.
telcoautomation.
telcoautomation.
telcoautomation.
telcoautomation.
telcoautomation.
telcoautomation.
telcoautomation.
telcoautomation.
Telco Automation Deployment Admin
Beta
(roles/)
Ability to manage deployments
telcoautomation.blueprints.get
telcoautomation.
telcoautomation.deployments.*
telcoautomation.
telcoautomation.
telcoautomation.
Telco Automation Tier 1 Operations Admin
Beta
(roles/)
Ability to get status of deployments
logging.buckets.get
logging.buckets.list
logging.exclusions.get
logging.exclusions.list
logging.links.get
logging.links.list
logging.locations.*
logging.logEntries.list
logging.logMetrics.get
logging.logMetrics.list
logging.logScopes.get
logging.logScopes.list
logging.logServiceIndexes.list
logging.logServices.list
logging.logs.list
logging.operations.get
logging.operations.list
logging.queries.getShared
logging.queries.listShared
logging.queries.usePrivate
logging.sinks.get
logging.sinks.list
logging.usage.get
logging.views.get
logging.views.list
observability.scopes.get
resourcemanager.projects.get
telcoautomation.blueprints.get
telcoautomation.
telcoautomation.
telcoautomation.
telcoautomation.
telcoautomation.
telcoautomation.
telcoautomation.
telcoautomation.
Telco Automation Tier 4 Operations Admin
Beta
(roles/)
Ability to manage deployments and their status
logging.buckets.get
logging.buckets.list
logging.exclusions.get
logging.exclusions.list
logging.links.get
logging.links.list
logging.locations.*
logging.logEntries.list
logging.logMetrics.get
logging.logMetrics.list
logging.logScopes.get
logging.logScopes.list
logging.logServiceIndexes.list
logging.logServices.list
logging.logs.list
logging.operations.get
logging.operations.list
logging.queries.getShared
logging.queries.listShared
logging.queries.usePrivate
logging.sinks.get
logging.sinks.list
logging.usage.get
logging.views.get
logging.views.list
observability.scopes.get
resourcemanager.projects.get
telcoautomation.blueprints.get
telcoautomation.
telcoautomation.deployments.*
telcoautomation.
telcoautomation.
telcoautomation.
Telco Automation Service Orchestrator
Beta
(roles/)
Ability to manage deployments
telcoautomation.blueprints.get
telcoautomation.
telcoautomation.deployments.*
telcoautomation.
telcoautomation.
telcoautomation.
Timeseries Insights DataSet Editor
Beta
(roles/)
Edit access to DataSets.
timeseriesinsights.*
Timeseries Insights DataSet Owner
Beta
(roles/)
Full access to DataSets.
timeseriesinsights.*
Timeseries Insights DataSet Viewer
Beta
(roles/)
Read-only access (List and Query) to DataSets.
timeseriesinsights.
timeseriesinsights.
timeseriesinsights.
timeseriesinsights.locations.*
Traffic Director Client
Beta
(roles/)
Fetch service configurations and report metrics.
trafficdirector.*
Translation Hub Admin
Beta
(roles/)
Admin of Translation Hub
automl.models.get
automl.models.list
automl.models.predict
cloudtranslate.
cloudtranslate.
cloudtranslate.
cloudtranslate.
cloudtranslate.
cloudtranslate.glossaries.get
cloudtranslate.glossaries.list
cloudtranslate.
resourcemanager.projects.get
resourcemanager.projects.list
translationhub.*
Translation Hub Portal User
Beta
(roles/)
Portal user of Translation Hub
automl.models.get
automl.models.list
automl.models.predict
cloudtranslate.
cloudtranslate.
cloudtranslate.
cloudtranslate.glossaries.get
cloudtranslate.glossaries.list
cloudtranslate.
resourcemanager.projects.get
resourcemanager.projects.list
translationhub.portals.get
translationhub.portals.list
Visual Inspection AI Solution Editor
(roles/)
Read and write access to all Visual Inspection AI resources except visualinspection.locations.reportUsageMetrics
visualinspection.
visualinspection.
visualinspection.annotations.*
visualinspection.datasets.*
visualinspection.images.*
visualinspection.locations.get
visualinspection.
visualinspection.
visualinspection.models.*
visualinspection.modules.*
visualinspection.operations.*
visualinspection.
visualinspection.solutions.*
Visual Inspection AI Usage Metrics Reporter
(roles/)
ReportUsageMetric access to Visual Inspection AI Service
visualinspection.
Visual Inspection AI Viewer
(roles/)
Read access to Visual Inspection AI resources
visualinspection.
visualinspection.
visualinspection.
visualinspection.
visualinspection.
visualinspection.
visualinspection.
visualinspection.datasets.get
visualinspection.datasets.list
visualinspection.images.get
visualinspection.images.list
visualinspection.locations.get
visualinspection.
visualinspection.
visualinspection.models.get
visualinspection.models.list
visualinspection.modules.get
visualinspection.modules.list
visualinspection.operations.*
visualinspection.
visualinspection.
visualinspection.
visualinspection.solutions.get
visualinspection.
PAM roles
Permissions
Privileged Access Manager Admin
(roles/)
Full access to Privileged Access Manager resources.
privilegedaccessmanager.*
resourcemanager.projects.get
Privileged Access Manager Viewer
(roles/)
Readonly access to Privileged Access Manager resources.
privilegedaccessmanager.
privilegedaccessmanager.
privilegedaccessmanager.
privilegedaccessmanager.
privilegedaccessmanager.
privilegedaccessmanager.
privilegedaccessmanager.
privilegedaccessmanager.
resourcemanager.projects.get
Project roles
Permissions
Browser
(roles/)
Read access to browse the hierarchy for a project, including the folder, organization, and allow
policy. This role doesn't include permission to view resources in the project.
Lowest-level resources where you can grant this role:
resourcemanager.folders.get
resourcemanager.folders.list
resourcemanager.
resourcemanager.projects.get
resourcemanager.
resourcemanager.projects.list
Proximity Beacon roles
Permissions
Beacon Attachment Editor
(roles/)
Can create and delete attachments; can list and get a project's beacons; can list a project's namespaces.
proximitybeacon.attachments.*
proximitybeacon.beacons.get
proximitybeacon.beacons.list
proximitybeacon.
resourcemanager.projects.get
resourcemanager.projects.list
Beacon Attachment Publisher
(roles/)
Grants necessary permissions to use beacons to create attachments in namespaces not owned by this project.
proximitybeacon.beacons.attach
proximitybeacon.beacons.get
proximitybeacon.beacons.list
resourcemanager.projects.get
resourcemanager.projects.list
Beacon Attachment Viewer
(roles/)
Can view all attachments under a namespace; no beacon or namespace permissions.
proximitybeacon.
proximitybeacon.
resourcemanager.projects.get
resourcemanager.projects.list
Beacon Editor
(roles/)
Necessary access to register, modify, and view beacons; no attachment or namespace permissions.
proximitybeacon.beacons.create
proximitybeacon.beacons.get
proximitybeacon.beacons.list
proximitybeacon.beacons.update
resourcemanager.projects.get
resourcemanager.projects.list
Pub/Sub roles
Permissions
Pub/Sub Admin
(roles/)
Provides full access to topics and subscriptions.
Lowest-level resources where you can grant this role:
Schema
Snapshot
Subscription
Topic
pubsub.*
resourcemanager.projects.get
serviceusage.quotas.get
serviceusage.services.get
serviceusage.services.list
Pub/Sub Editor
(roles/)
Provides access to modify topics and subscriptions, and access to publish
and consume messages.
Lowest-level resources where you can grant this role:
Schema
Snapshot
Subscription
Topic
pubsub.schemas.attach
pubsub.schemas.commit
pubsub.schemas.create
pubsub.schemas.delete
pubsub.schemas.get
pubsub.schemas.list
pubsub.schemas.listRevisions
pubsub.schemas.rollback
pubsub.schemas.validate
pubsub.snapshots.create
pubsub.snapshots.delete
pubsub.snapshots.get
pubsub.snapshots.list
pubsub.snapshots.seek
pubsub.snapshots.update
pubsub.subscriptions.consume
pubsub.subscriptions.create
pubsub.subscriptions.delete
pubsub.subscriptions.get
pubsub.subscriptions.list
pubsub.subscriptions.update
pubsub.
pubsub.topics.create
pubsub.topics.delete
pubsub.
pubsub.topics.get
pubsub.topics.list
pubsub.topics.publish
pubsub.topics.update
pubsub.topics.updateTag
resourcemanager.projects.get
serviceusage.quotas.get
serviceusage.services.get
serviceusage.services.list
Pub/Sub Publisher
(roles/)
Provides access to publish messages to a topic.
Lowest-level resources where you can grant this role:
pubsub.topics.publish
Pub/Sub Subscriber
(roles/)
Provides access to consume messages from a subscription and to attach
subscriptions to a topic.
Lowest-level resources where you can grant this role:
Snapshot
Subscription
Topic
pubsub.snapshots.seek
pubsub.subscriptions.consume
pubsub.
Pub/Sub Viewer
(roles/)
Provides access to view topics and subscriptions.
Lowest-level resources where you can grant this role:
Schema
Snapshot
Subscription
Topic
pubsub.schemas.get
pubsub.schemas.list
pubsub.schemas.listRevisions
pubsub.schemas.validate
pubsub.snapshots.get
pubsub.snapshots.list
pubsub.subscriptions.get
pubsub.subscriptions.list
pubsub.topics.get
pubsub.topics.list
resourcemanager.projects.get
serviceusage.quotas.get
serviceusage.services.get
serviceusage.services.list
Pub/Sub Lite roles
Permissions
Pub/Sub Lite Admin
(roles/)
Full access to topics, subscriptions and reservations.
pubsublite.*
Pub/Sub Lite Editor
(roles/)
Modify topics, subscriptions and reservations, publish and consume messages.
pubsublite.*
Pub/Sub Lite Publisher
(roles/)
Publish messages to a topic.
pubsublite.
pubsublite.
pubsublite.topics.publish
Pub/Sub Lite Subscriber
(roles/)
Subscribe to and read messages from a topic.
pubsublite.
pubsublite.operations.get
pubsublite.
pubsublite.subscriptions.seek
pubsublite.
pubsublite.
pubsublite.
pubsublite.
pubsublite.
pubsublite.
pubsublite.topics.subscribe
Pub/Sub Lite Viewer
(roles/)
View topics, subscriptions and reservations.
pubsublite.operations.*
pubsublite.reservations.get
pubsublite.reservations.list
pubsublite.
pubsublite.subscriptions.get
pubsublite.
pubsublite.subscriptions.list
pubsublite.topics.get
pubsublite.
pubsublite.topics.list
pubsublite.
Rapid Migration Assessment roles
Permissions
Rapid Migration Assessment Admin
(roles/)
Full access to Rapid Migration Assessment all resources.
resourcemanager.projects.get
resourcemanager.projects.list
rma.*
Rapid Migration Assessment Runner
(roles/)
Update and Read access to Rapid Migration Assessment all resources.
resourcemanager.projects.get
resourcemanager.projects.list
rma.annotations.get
rma.collectors.get
rma.collectors.list
rma.collectors.update
rma.locations.*
rma.operations.get
rma.operations.list
Rapid Migration Assessment Viewer
(roles/)
Read-only access to Rapid Migration Assessment all resources.
resourcemanager.projects.get
resourcemanager.projects.list
rma.annotations.get
rma.collectors.get
rma.collectors.list
rma.locations.*
rma.operations.get
rma.operations.list
reCAPTCHA Enterprise roles
Permissions
reCAPTCHA Enterprise Admin
(roles/)
Access to view and modify reCAPTCHA Enterprise keys
monitoring.timeSeries.list
recaptchaenterprise.
recaptchaenterprise.keys.*
recaptchaenterprise.
recaptchaenterprise.
resourcemanager.projects.get
resourcemanager.projects.list
reCAPTCHA Enterprise Agent
(roles/)
Access to create and annotate reCAPTCHA Enterprise assessments
recaptchaenterprise.
recaptchaenterprise.
recaptchaenterprise.
recaptchaenterprise.
resourcemanager.projects.get
resourcemanager.projects.list
reCAPTCHA Enterprise Viewer
(roles/)
Access to view reCAPTCHA Enterprise keys and metrics
monitoring.timeSeries.list
recaptchaenterprise.
recaptchaenterprise.
recaptchaenterprise.keys.get
recaptchaenterprise.keys.list
recaptchaenterprise.
recaptchaenterprise.
resourcemanager.projects.get
resourcemanager.projects.list
Recommendations AI roles
Permissions
Recommendations AI Admin
Beta
(roles/)
Full access to all Recommendations AI resources.
automlrecommendations.*
resourcemanager.projects.get
resourcemanager.projects.list
retail.catalogs.list
retail.catalogs.update
retail.operations.*
retail.placements.*
retail.products.create
retail.products.delete
retail.products.export
retail.products.get
retail.products.import
retail.products.list
retail.products.purge
retail.products.update
retail.retailProjects.*
retail.userEvents.*
serviceusage.services.get
serviceusage.services.list
Recommendations AI Admin Viewer
Beta
(roles/)
Viewer of all Recommendations AI resources.
automlrecommendations.
automlrecommendations.
automlrecommendations.
automlrecommendations.
automlrecommendations.
automlrecommendations.
automlrecommendations.
automlrecommendations.
automlrecommendations.
automlrecommendations.
automlrecommendations.
resourcemanager.projects.get
resourcemanager.projects.list
retail.catalogs.list
retail.operations.*
retail.placements.*
retail.products.export
retail.products.get
retail.products.list
retail.retailProjects.get
serviceusage.services.get
serviceusage.services.list
Recommendations AI Editor
Beta
(roles/)
Editor of all Recommendations AI resources.
automlrecommendations.
automlrecommendations.
automlrecommendations.
automlrecommendations.
automlrecommendations.
automlrecommendations.
automlrecommendations.
automlrecommendations.
automlrecommendations.
automlrecommendations.
automlrecommendations.
automlrecommendations.
automlrecommendations.
automlrecommendations.
automlrecommendations.
automlrecommendations.
automlrecommendations.
resourcemanager.projects.get
resourcemanager.projects.list
retail.catalogs.list
retail.catalogs.update
retail.operations.*
retail.placements.*
retail.products.create
retail.products.delete
retail.products.export
retail.products.get
retail.products.import
retail.products.list
retail.products.update
retail.retailProjects.get
retail.userEvents.create
retail.userEvents.import
serviceusage.services.get
serviceusage.services.list
Recommendations AI Viewer
Beta
(roles/)
Viewer of all Recommendations resources except apiKeys. To view all resources,
including apiKeys, grant the Recommendations AI Admin Viewer role
(roles/automlrecommendations.adminViewer).
automlrecommendations.
automlrecommendations.
automlrecommendations.
automlrecommendations.
automlrecommendations.
automlrecommendations.
automlrecommendations.
automlrecommendations.
automlrecommendations.
automlrecommendations.
resourcemanager.projects.get
resourcemanager.projects.list
retail.catalogs.list
retail.operations.*
retail.placements.*
retail.products.export
retail.products.get
retail.products.list
retail.retailProjects.get
serviceusage.services.get
serviceusage.services.list
Recommender roles
Permissions
AlloyDB Recommender Admin
(roles/)
Admin of AlloyDB insights and recommendations.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
resourcemanager.projects.get
resourcemanager.projects.list
AlloyDB Recommender Viewer
(roles/)
Viewer of AlloyDB insights and recommendations.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
resourcemanager.projects.get
resourcemanager.projects.list
BigQuery Slot Recommender Admin
Beta
(roles/)
Admin of BigQuery Capacity Commitments insights and recommendations.
recommender.
recommender.
recommender.locations.*
resourcemanager.projects.get
resourcemanager.projects.list
BigQuery Recommender Billing Account Admin
Beta
(roles/)
Billing Account Admin of BigQuery Capacity Commitments insights and recommendations.
billing.accounts.get
billing.accounts.list
recommender.
recommender.
BigQuery Recommender Billing Account Viewer
Beta
(roles/)
Billing Account Viewer of BigQuery Capacity Commitments insights and recommendations.
billing.accounts.get
billing.accounts.list
recommender.
recommender.
recommender.
recommender.
BigQuery Recommender Project Admin
Beta
(roles/)
Project Admin of BigQuery Capacity Commitments insights and recommendations.
recommender.
recommender.
recommender.locations.*
resourcemanager.projects.get
resourcemanager.projects.list
BigQuery Recommender Project Viewer
Beta
(roles/)
Project Viewer of BigQuery Capacity Commitments insights and recommendations.
recommender.
recommender.
recommender.
recommender.
recommender.locations.*
resourcemanager.projects.get
resourcemanager.projects.list
BigQuery Slot Recommender Viewer
Beta
(roles/)
Viewer of BigQuery Capacity Commitments insights and recommendations.
recommender.
recommender.
recommender.
recommender.
recommender.locations.*
resourcemanager.projects.get
resourcemanager.projects.list
BigQuery Materialized View Recommender Admin
(roles/)
Admin of BigQuery Materialized View Insights and Recommendations.
recommender.
recommender.
recommender.locations.*
resourcemanager.projects.get
resourcemanager.projects.list
BigQuery Materialized View Recommender Viewer
(roles/)
Viewer of BigQuery Materialized View Insights and Recommendations.
recommender.
recommender.
recommender.
recommender.
recommender.locations.*
resourcemanager.projects.get
resourcemanager.projects.list
BigQuery Partitioning Clustering Recommender Admin
Beta
(roles/)
Admin of BigQuery Partitioning Clustering recommendations.
recommender.
recommender.
resourcemanager.projects.get
resourcemanager.projects.list
BigQuery Partitioning Clustering Recommender Viewer
Beta
(roles/)
Viewer of BigQuery Partitioning Clustering recommendations.
recommender.
recommender.
recommender.
recommender.
resourcemanager.projects.get
resourcemanager.projects.list
(roles/)
Admin of Bigtable Cluster Performance Insights and Recommendations.
recommender.
recommender.
recommender.locations.*
resourcemanager.projects.get
resourcemanager.projects.list
(roles/)
Viewer of Bigtable Cluster Performance Insights and Recommendations.
recommender.
recommender.
recommender.
recommender.
recommender.locations.*
resourcemanager.projects.get
resourcemanager.projects.list
Billing Account Usage Commitment Recommender Admin
Beta
(roles/)
Admin of Billing Account Usage Commitment Recommender.
billing.accounts.get
billing.accounts.list
recommender.
recommender.
Billing Account Usage Commitment Recommender Viewer
Beta
(roles/)
Viewer of Billing Account Usage Commitment Recommender.
billing.accounts.get
billing.accounts.list
recommender.
recommender.
recommender.
recommender.
Cloud Asset Insights Admin
(roles/)
Admin of all Cloud Asset insights.
recommender.
resourcemanager.projects.get
resourcemanager.projects.list
Cloud Asset Insights Viewer
(roles/)
Viewer of all Cloud Asset insights.
recommender.
recommender.
resourcemanager.projects.get
resourcemanager.projects.list
Cloud Cost General Recommendations Recommender Admin
Beta
(roles/)
Admin of Cloud Cost General Recommendations Insights and Recommendations.
recommender.
recommender.
recommender.locations.*
resourcemanager.projects.get
resourcemanager.projects.list
Cloud Cost General Recommendations Recommender Viewer
Beta
(roles/)
Viewer of Cloud Cost General Recommendations Insights and Recommendations.
recommender.
recommender.
recommender.
recommender.
recommender.locations.*
resourcemanager.projects.get
resourcemanager.projects.list
Cloud Deprecation General Recommender Admin
Beta
(roles/)
Admin of Cloud Deprecation General Recommender Insights and Recommendations.
recommender.
recommender.
recommender.locations.*
resourcemanager.projects.get
resourcemanager.projects.list
Cloud Deprecation General Recommender Viewer
Beta
(roles/)
Viewer of Cloud Deprecation General Recommender Insights and Recommendations.
recommender.
recommender.
recommender.
recommender.
recommender.locations.*
resourcemanager.projects.get
resourcemanager.projects.list
Cloud Manageability General Recommendations Recommender Admin
Beta
(roles/)
Admin of Cloud Manageability General Recommendations Insights and Recommendations.
recommender.
recommender.
recommender.locations.*
resourcemanager.projects.get
resourcemanager.projects.list
Cloud Manageability General Recommendations Recommender Viewer
Beta
(roles/)
Viewer of Cloud Manageability General Recommendations Insights and Recommendations.
recommender.
recommender.
recommender.
recommender.
recommender.locations.*
resourcemanager.projects.get
resourcemanager.projects.list
(roles/)
Admin of Cloud Performance General Recommendations Insights and Recommendations.
recommender.
recommender.
recommender.locations.*
resourcemanager.projects.get
resourcemanager.projects.list
(roles/)
Viewer of Cloud Performance General Recommendations Insights and Recommendations.
recommender.
recommender.
recommender.
recommender.
recommender.locations.*
resourcemanager.projects.get
resourcemanager.projects.list
Cloud Reliability General Recommendations Recommender Admin
Beta
(roles/)
Admin of Cloud Reliability General Recommendations Insights and Recommendations.
recommender.
recommender.
recommender.locations.*
resourcemanager.projects.get
resourcemanager.projects.list
Cloud Reliability General Recommendations Recommender Viewer
Beta
(roles/)
Viewer of Cloud Reliability General Recommendations Insights and Recommendations.
recommender.
recommender.
recommender.
recommender.
recommender.locations.*
resourcemanager.projects.get
resourcemanager.projects.list
Cloud Security General Recommendations Recommender Admin
Beta
(roles/)
Admin of Cloud Security General Recommendations Insights and Recommendations.
recommender.
recommender.
recommender.locations.*
resourcemanager.projects.get
resourcemanager.projects.list
Cloud Security General Recommendations Recommender Viewer
Beta
(roles/)
Viewer of Cloud Security General Recommendations Insights and Recommendations.
recommender.
recommender.
recommender.
recommender.
recommender.locations.*
resourcemanager.projects.get
resourcemanager.projects.list
Cloud SQL Recommender Admin
Beta
(roles/)
Admin of Cloud SQL insights and recommendations.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
resourcemanager.projects.get
resourcemanager.projects.list
Cloud SQL Recommender Viewer
Beta
(roles/)
Viewer of Cloud SQL insights and recommendations.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
resourcemanager.projects.get
resourcemanager.projects.list
Compute Recommender Admin
(roles/)
Admin of compute recommendations.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.locations.*
resourcemanager.projects.get
resourcemanager.projects.list
Compute Recommender Viewer
(roles/)
Viewer of compute recommendations.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.locations.*
resourcemanager.projects.get
resourcemanager.projects.list
GKE Diagnosis Recommender Admin
(roles/)
Admin of GKE Diagnosis Insights and Recommendations.
recommender.
recommender.
recommender.locations.*
resourcemanager.projects.get
resourcemanager.projects.list
GKE Diagnosis Recommender Viewer
(roles/)
Viewer of GKE Diagnosis Insights and Recommendations.
recommender.
recommender.
recommender.
recommender.
recommender.locations.*
resourcemanager.projects.get
resourcemanager.projects.list
Dataflow Diagnostics Admin
(roles/)
Admin of Diagnostics recommendations.
recommender.
recommender.locations.*
resourcemanager.projects.get
resourcemanager.projects.list
Dataflow Diagnostics Viewer
(roles/)
Viewer of Diagnostics recommendations.
recommender.
recommender.
recommender.locations.*
resourcemanager.projects.get
resourcemanager.projects.list
Error Reporting Recommender Admin
(roles/)
Admin of Error Reporting Insights and Recommendations.
recommender.
recommender.
recommender.locations.*
resourcemanager.projects.get
resourcemanager.projects.list
Error Reporting Recommender Viewer
(roles/)
Viewer of Error Reporting Insights and Recommendations.
recommender.
recommender.
recommender.
recommender.
recommender.locations.*
resourcemanager.projects.get
resourcemanager.projects.list
Firestore Database Reliability Recommender Admin
(roles/)
Admin of Firestore Database Reliability Insights and Recommendations.
recommender.
recommender.
recommender.locations.*
resourcemanager.projects.get
resourcemanager.projects.list
Firestore Database Reliability Recommender Viewer
(roles/)
Viewer of Firestore Database Reliability Insights and Recommendations.
recommender.
recommender.
recommender.
recommender.
recommender.locations.*
resourcemanager.projects.get
resourcemanager.projects.list
Firewall Recommender Admin
(roles/)
Admin of Firewall insights and recommendations.
monitoring.timeSeries.list
recommender.
recommender.
recommender.locations.*
resourcemanager.projects.get
resourcemanager.projects.list
Firewall Recommender Viewer
(roles/)
Viewer of Firewall insights and recommendations.
monitoring.timeSeries.list
recommender.
recommender.
recommender.
recommender.locations.*
resourcemanager.projects.get
resourcemanager.projects.list
Google Maps Platform Insights/Recommendations Admin
(roles/)
Admin of all Google Maps Platform insights and recommendations.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
resourcemanager.projects.get
resourcemanager.projects.list
Google Maps Platform Insights/Recommendations Viewer
(roles/)
Viewer of all Google Maps Platform insights and recommendations.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
resourcemanager.projects.get
resourcemanager.projects.list
IAM Recommender Admin
(roles/)
Admin of IAM recommendations.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.locations.*
resourcemanager.projects.get
resourcemanager.projects.list
IAM Recommender Viewer
(roles/)
Viewer of IAM recommendations.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.locations.*
resourcemanager.projects.get
resourcemanager.projects.list
IAM Policy Change Risk Recommender Admin
Beta
(roles/)
Admin of IAM Policy Change Risk Insights and Recommendations.
recommender.
recommender.
recommender.locations.*
resourcemanager.projects.get
resourcemanager.projects.list
IAM Policy Change Risk Recommender Viewer
Beta
(roles/)
Viewer of IAM Policy Change Risk Insights and Recommendations.
recommender.
recommender.
recommender.
recommender.
recommender.locations.*
resourcemanager.projects.get
resourcemanager.projects.list
Memorystore Manageability Recommender Admin
Beta
(roles/)
Admin of Memorystore Manageability Insights and Recommendations.
recommender.locations.*
recommender.
recommender.
resourcemanager.projects.get
resourcemanager.projects.list
Memorystore Manageability Recommender Viewer
Beta
(roles/)
Viewer of Memorystore Manageability Insights and Recommendations.
recommender.locations.*
recommender.
recommender.
recommender.
recommender.
resourcemanager.projects.get
resourcemanager.projects.list
(roles/)
Admin of Memorystore Performance Insights and Recommendations.
recommender.locations.*
recommender.
recommender.
recommender.
resourcemanager.projects.get
resourcemanager.projects.list
(roles/)
Viewer of Memorystore Performance Insights and Recommendations.
recommender.locations.*
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
resourcemanager.projects.get
resourcemanager.projects.list
Memorystore Reliability Recommender Admin
Beta
(roles/)
Admin of Memorystore Reliability Insights and Recommendations.
recommender.locations.*
recommender.
recommender.
resourcemanager.projects.get
resourcemanager.projects.list
Memorystore Reliability Recommender Viewer
Beta
(roles/)
Viewer of Memorystore Reliability Insights and Recommendations.
recommender.locations.*
recommender.
recommender.
recommender.
recommender.
resourcemanager.projects.get
resourcemanager.projects.list
Network Analyzer Recommender Admin
(roles/)
Admin of Network Analyzer Insights and Recommendations.
recommender.locations.*
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
resourcemanager.projects.get
resourcemanager.projects.list
Network Analyzer Cloud SQL Recommender Admin
(roles/)
Admin of Network Analyzer Cloud SQL Insights and Recommendations.
recommender.locations.*
recommender.
resourcemanager.projects.get
resourcemanager.projects.list
Network Analyzer Cloud SQL Recommender Viewer
(roles/)
Viewer of Network Analyzer Cloud SQL Insights and Recommendations.
recommender.locations.*
recommender.
recommender.
resourcemanager.projects.get
resourcemanager.projects.list
Network Analyzer Dynamic Route Recommender Admin
(roles/)
Admin of Network Analyzer Dynamic Route Insights and Recommendations.
recommender.locations.*
recommender.
resourcemanager.projects.get
resourcemanager.projects.list
Network Analyzer Dynamic Route Recommender Viewer
(roles/)
Viewer of Network Analyzer Dynamic Route Insights and Recommendations.
recommender.locations.*
recommender.
recommender.
resourcemanager.projects.get
resourcemanager.projects.list
Network Analyzer GKE Connectivity Recommender Admin
(roles/)
Admin of Network Analyzer GKE Connectivity Insights and Recommendations.
recommender.locations.*
recommender.
resourcemanager.projects.get
resourcemanager.projects.list
Network Analyzer GKE Connectivity Recommender Viewer
(roles/)
Viewer of Network Analyzer GKE Connectivity Insights and Recommendations.
recommender.locations.*
recommender.
recommender.
resourcemanager.projects.get
resourcemanager.projects.list
Network Analyzer GKE IP Address Recommender Admin
(roles/)
Admin of Network Analyzer GKE IP Address Insights and Recommendations.
recommender.locations.*
recommender.
resourcemanager.projects.get
resourcemanager.projects.list
Network Analyzer GKE IP Address Recommender Viewer
(roles/)
Viewer of Network Analyzer GKE IP Address Insights and Recommendations.
recommender.locations.*
recommender.
recommender.
resourcemanager.projects.get
resourcemanager.projects.list
Network Analyzer GKE Service Account Insights Recommender Admin
(roles/)
Admin of Network Analyzer GKE Service Account Insights Insights and Recommendations.
recommender.locations.*
recommender.
resourcemanager.projects.get
resourcemanager.projects.list
Network Analyzer GKE Service Account Insights Recommender Viewer
(roles/)
Viewer of Network Analyzer GKE Service Account Insights Insights and Recommendations.
recommender.locations.*
recommender.
recommender.
resourcemanager.projects.get
resourcemanager.projects.list
Network Analyzer IP Address Recommender Admin
(roles/)
Admin of Network Analyzer IP Address Insights and Recommendations.
recommender.locations.*
recommender.
resourcemanager.projects.get
resourcemanager.projects.list
Network Analyzer IP Address Recommender Viewer
(roles/)
Viewer of Network Analyzer IP Address Insights and Recommendations.
recommender.locations.*
recommender.
recommender.
resourcemanager.projects.get
resourcemanager.projects.list
Network Analyzer Load Balancer Recommender Admin
(roles/)
Admin of Network Analyzer Load Balancer Insights and Recommendations.
recommender.locations.*
recommender.
resourcemanager.projects.get
resourcemanager.projects.list
Network Analyzer Load Balancer Recommender Viewer
(roles/)
Viewer of Network Analyzer Load Balancer Insights and Recommendations.
recommender.locations.*
recommender.
recommender.
resourcemanager.projects.get
resourcemanager.projects.list
Network Analyzer Recommender Viewer
(roles/)
Viewer of Network Analyzer Insights and Recommendations.
recommender.locations.*
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
resourcemanager.projects.get
resourcemanager.projects.list
Network Analyzer VPC Connectivity Recommender Admin
(roles/)
Admin of Network Analyzer VPC Connectivity Insights and Recommendations.
recommender.locations.*
recommender.
resourcemanager.projects.get
resourcemanager.projects.list
Network Analyzer VPC Connectivity Recommender Viewer
(roles/)
Viewer of Network Analyzer VPC Connectivity Insights and Recommendations.
recommender.locations.*
recommender.
recommender.
resourcemanager.projects.get
resourcemanager.projects.list
Org Policy Recommender Admin
Beta
(roles/)
Admin of Org Policy Insights and Recommendations.
recommender.locations.*
recommender.
recommender.
resourcemanager.projects.get
resourcemanager.projects.list
Org Policy Recommender Viewer
Beta
(roles/)
Viewer of Org Policy Insights and Recommendations.
recommender.locations.*
recommender.
recommender.
recommender.
recommender.
resourcemanager.projects.get
resourcemanager.projects.list
Product Suggestion Recommenders Admin
Beta
(roles/)
Admin of all Product Suggestion insights and recommendations.
recommender.locations.*
recommender.
recommender.
recommender.
recommender.
resourcemanager.projects.get
resourcemanager.projects.list
Product Suggestion Recommenders Viewer
Beta
(roles/)
Viewer of all Product Suggestion insights and recommendations.
recommender.locations.*
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
resourcemanager.projects.get
resourcemanager.projects.list
Project Usage Commitment Recommender Admin
Beta
(roles/)
Admin of Project Usage Commitment Recommender.
recommender.
recommender.locations.*
recommender.
recommender.
resourcemanager.projects.get
resourcemanager.projects.list
Project Usage Commitment Recommender Viewer
Beta
(roles/)
Viewer of Project Usage Commitment Recommender.
recommender.
recommender.
recommender.locations.*
recommender.
recommender.
recommender.
resourcemanager.projects.get
resourcemanager.projects.list
Project Utilization Recommender Admin
(roles/)
Admin of Project Utilization insights and recommendations.
recommender.
recommender.
recommender.
recommender.
resourcemanager.projects.get
resourcemanager.projects.list
Project Utilization Recommender Viewer
(roles/)
Viewer of Project Utilization insights and recommendations.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
resourcemanager.projects.get
resourcemanager.projects.list
RecentChange RecommenderConfig Admin
(roles/)
Admin of RecentChange RecommenderConfigs.
recommender.
recommender.locations.*
resourcemanager.projects.get
resourcemanager.projects.list
Recent Change Risk Recommender Admin
(roles/)
Admin of Recent Change Risk Insights and Recommendations.
recommender.
recommender.
recommender.
recommender.locations.*
resourcemanager.projects.get
resourcemanager.projects.list
Recent Change Risk Recommender Viewer
(roles/)
Viewer of Recent Change Risk Insights and Recommendations.
recommender.
recommender.
recommender.
recommender.
recommender.locations.*
resourcemanager.projects.get
resourcemanager.projects.list
Service Limit Recommender Admin
Beta
(roles/)
Admin of Service Limit insights and recommendations.
recommender.
recommender.
resourcemanager.projects.get
resourcemanager.projects.list
Service Limit Recommender Viewer
Beta
(roles/)
Viewer of Service Limit insights and recommendations.
recommender.
recommender.
recommender.
recommender.
resourcemanager.projects.get
resourcemanager.projects.list
Service Account Change Risk Recommender Admin
Beta
(roles/)
Admin of Service Account Change Risk Insights and Recommendations.
recommender.
recommender.
recommender.locations.*
resourcemanager.projects.get
resourcemanager.projects.list
Service Account Change Risk Recommender Viewer
Beta
(roles/)
Viewer of Service Account Change Risk Insights and Recommendations.
recommender.
recommender.
recommender.
recommender.
recommender.locations.*
resourcemanager.projects.get
resourcemanager.projects.list
Spanner Project Reliability Recommender Admin
Beta
(roles/)
Admin of Spanner Project Reliability Insights and Recommendations.
recommender.locations.*
recommender.
recommender.
resourcemanager.projects.get
resourcemanager.projects.list
Spanner Project Reliability Recommender Viewer
Beta
(roles/)
Viewer of Spanner Project Reliability Insights and Recommendations.
recommender.locations.*
recommender.
recommender.
recommender.
recommender.
resourcemanager.projects.get
resourcemanager.projects.list
Spend Based Commitment Recommender Admin
Beta
(roles/)
Admin of Spend Based Commitment Recommender.
billing.accounts.get
billing.accounts.list
recommender.locations.*
recommender.
recommender.
recommender.
Spend Based Commitment Recommender Viewer
Beta
(roles/)
Viewer of Spend Based Commitment Recommender.
billing.accounts.get
billing.accounts.list
recommender.locations.*
recommender.
recommender.
recommender.
recommender.
recommender.
Recommender Viewer
(roles/)
Enables Get and List operations.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.costInsights.get
recommender.costInsights.list
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.locations.*
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
resourcemanager.projects.get
Resource Manager roles
Permissions
Folder Admin
(roles/)
Provides all available permissions for working with folders.
Lowest-level resources where you can grant this role:
essentialcontacts.*
iam.policybindings.*
orgpolicy.constraints.list
orgpolicy.policies.list
orgpolicy.policy.get
resourcemanager.capabilities.*
resourcemanager.folders.*
resourcemanager.
resourcemanager.
resourcemanager.
resourcemanager.projects.get
resourcemanager.
resourcemanager.projects.list
resourcemanager.projects.move
resourcemanager.
resourcemanager.
resourcemanager.
Folder Creator
(roles/)
Provides permissions needed to browse the hierarchy and create folders.
Lowest-level resources where you can grant this role:
essentialcontacts.contacts.get
essentialcontacts.
orgpolicy.constraints.list
orgpolicy.policies.list
orgpolicy.policy.get
resourcemanager.
resourcemanager.folders.create
resourcemanager.folders.get
resourcemanager.folders.list
resourcemanager.projects.get
resourcemanager.projects.list
Folder Editor
(roles/)
Provides permission to modify folders as well as to view a folder's allow policy.
Lowest-level resources where you can grant this role:
essentialcontacts.contacts.get
essentialcontacts.
orgpolicy.constraints.list
orgpolicy.policies.list
orgpolicy.policy.get
resourcemanager.capabilities.*
resourcemanager.folders.delete
resourcemanager.folders.get
resourcemanager.
resourcemanager.folders.list
resourcemanager.
resourcemanager.
resourcemanager.folders.update
resourcemanager.projects.get
resourcemanager.projects.list
Folder IAM Admin
(roles/)
Provides permissions to administer allow policies on folders.
Lowest-level resources where you can grant this role:
iam.policybindings.*
resourcemanager.
resourcemanager.
resourcemanager.folders.get
resourcemanager.
resourcemanager.
resourcemanager.
resourcemanager.
Folder Mover
(roles/)
Provides permission to move projects and folders into and out of a parent
organization or folder.
Lowest-level resources where you can grant this role:
resourcemanager.folders.move
resourcemanager.projects.move
Folder Viewer
(roles/)
Provides permission to get a folder and list the folders and projects below
a resource.
Lowest-level resources where you can grant this role:
essentialcontacts.contacts.get
essentialcontacts.
orgpolicy.constraints.list
orgpolicy.policies.list
orgpolicy.policy.get
resourcemanager.
resourcemanager.folders.get
resourcemanager.folders.list
resourcemanager.projects.get
resourcemanager.projects.list
Project Lien Modifier
(roles/)
Provides access to modify Liens on projects.
Lowest-level resources where you can grant this role:
resourcemanager.
Organization Administrator
(roles/)
Access to manage IAM policies and view organization policies for organizations, folders, and projects.
Lowest-level resources where you can grant this role:
essentialcontacts.*
iam.policybindings.*
orgpolicy.constraints.list
orgpolicy.policies.list
orgpolicy.policy.get
resourcemanager.capabilities.*
resourcemanager.
resourcemanager.
resourcemanager.folders.get
resourcemanager.
resourcemanager.folders.list
resourcemanager.
resourcemanager.
resourcemanager.
resourcemanager.
resourcemanager.
resourcemanager.
resourcemanager.projects.get
resourcemanager.
resourcemanager.projects.list
resourcemanager.
resourcemanager.
resourcemanager.
Organization Viewer
(roles/)
Provides access to view an organization.
Lowest-level resources where you can grant this role:
resourcemanager.
Project Creator
(roles/)
Provides access to create new projects. Once a user creates a project,
they're automatically granted the owner role for that project.
Lowest-level resources where you can grant this role:
resourcemanager.
resourcemanager.
Project Deleter
(roles/)
Provides access to delete Google Cloud projects.
Lowest-level resources where you can grant this role:
resourcemanager.
Project IAM Admin
(roles/)
Provides permissions to administer allow policies on projects.
Lowest-level resources where you can grant this role:
iam.policybindings.*
resourcemanager.
resourcemanager.
resourcemanager.projects.get
resourcemanager.
resourcemanager.
resourcemanager.
resourcemanager.
Project Mover
(roles/)
Provides access to update and move projects.
Lowest-level resources where you can grant this role:
resourcemanager.projects.get
resourcemanager.projects.move
resourcemanager.
Tag Administrator
(roles/)
Access to create, delete, update, and manage access to Tags
resourcemanager.tagHolds.*
resourcemanager.tagKeys.*
resourcemanager.tagValues.*
Tag Hold Administrator
(roles/)
Access to create, delete and list TagHolds under a TagValue
resourcemanager.tagHolds.*
Tag User
(roles/)
Access to list Tags and manage their associations with resources
alloydb.
alloydb.
alloydb.
alloydb.
alloydb.
alloydb.
alloydb.
alloydb.
apigateway.
apigateway.
apigateway.
apigateway.
apigateway.
apigateway.
apigateway.
apigateway.
apihub.apis.createTagBinding
apihub.apis.deleteTagBinding
apihub.apis.listEffectiveTags
apihub.apis.listTagBindings
apihub.
apihub.
apihub.
apihub.
artifactregistry.
artifactregistry.
artifactregistry.
artifactregistry.
bigquery.
bigquery.
bigquery.
bigquery.
bigquery.
bigquery.
bigquery.
bigquery.
bigtable.
bigtable.
bigtable.
bigtable.
bigtable.
bigtable.
bigtable.
bigtable.
certificatemanager.
certificatemanager.
certificatemanager.
certificatemanager.
certificatemanager.
certificatemanager.
certificatemanager.
certificatemanager.
certificatemanager.
certificatemanager.
certificatemanager.
certificatemanager.
certificatemanager.
certificatemanager.
certificatemanager.
certificatemanager.
certificatemanager.
certificatemanager.
certificatemanager.
certificatemanager.
certificatemanager.
certificatemanager.
certificatemanager.
certificatemanager.
clouddeploy.
clouddeploy.
clouddeploy.
clouddeploy.
clouddeploy.
clouddeploy.
clouddeploy.
clouddeploy.
cloudkms.
cloudkms.
cloudkms.
cloudkms.
cloudsql.
cloudsql.
cloudsql.
cloudsql.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.disks.createTagBinding
compute.disks.deleteTagBinding
compute.
compute.disks.listTagBindings
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.images.listTagBindings
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.routes.listTagBindings
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
container.
container.
container.
container.
datafusion.
datafusion.
datafusion.
datafusion.
datastore.
datastore.
datastore.
datastore.
datastream.
datastream.
datastream.
datastream.
datastream.
datastream.
datastream.
datastream.
datastream.
datastream.
datastream.
datastream.
domains.
domains.
domains.
domains.
file.backups.createTagBinding
file.backups.deleteTagBinding
file.backups.listEffectiveTags
file.backups.listTagBindings
file.
file.
file.
file.instances.listTagBindings
file.
file.
file.
file.snapshots.listTagBindings
iam.
iam.
iam.
iam.
logging.
logging.
logging.
logging.
managedidentities.
managedidentities.
managedidentities.
managedidentities.
monitoring.
monitoring.
monitoring.
monitoring.
privateca.
privateca.
privateca.
privateca.
privateca.
privateca.
privateca.
privateca.
redis.
redis.
redis.
redis.
resourcemanager.
resourcemanager.projects.get
resourcemanager.tagKeys.get
resourcemanager.tagKeys.list
resourcemanager.
resourcemanager.tagValues.get
resourcemanager.tagValues.list
run.jobs.createTagBinding
run.jobs.deleteTagBinding
run.jobs.listEffectiveTags
run.jobs.listTagBindings
run.services.createTagBinding
run.services.deleteTagBinding
run.services.listEffectiveTags
run.services.listTagBindings
secretmanager.
secretmanager.
secretmanager.
secretmanager.
spanner.
spanner.
spanner.
spanner.
storage.
storage.
storage.
storage.
transcoder.
transcoder.
transcoder.
transcoder.
transcoder.
transcoder.
transcoder.
transcoder.
workflows.
workflows.
workflows.
workflows.
workstations.
workstations.
workstations.
workstations.
Tag Viewer
(roles/)
Access to list Tags and their associations with resources
alloydb.
alloydb.
alloydb.
alloydb.
apigateway.
apigateway.
apigateway.
apigateway.
apihub.apis.listEffectiveTags
apihub.apis.listTagBindings
apihub.
apihub.
artifactregistry.
artifactregistry.
bigquery.
bigquery.
bigquery.
bigquery.
bigtable.
bigtable.
bigtable.
bigtable.
certificatemanager.
certificatemanager.
certificatemanager.
certificatemanager.
certificatemanager.
certificatemanager.
certificatemanager.
certificatemanager.
certificatemanager.
certificatemanager.
certificatemanager.
certificatemanager.
clouddeploy.
clouddeploy.
clouddeploy.
clouddeploy.
cloudkms.
cloudkms.
cloudsql.
cloudsql.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.disks.listTagBindings
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.images.listTagBindings
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.routes.listTagBindings
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
container.
container.
datafusion.
datafusion.
datastore.
datastore.
datastream.
datastream.
datastream.
datastream.
datastream.
datastream.
domains.
domains.
file.backups.listEffectiveTags
file.backups.listTagBindings
file.
file.instances.listTagBindings
file.
file.snapshots.listTagBindings
iam.
iam.
logging.
logging.
managedidentities.
managedidentities.
monitoring.
monitoring.
privateca.
privateca.
privateca.
privateca.
redis.
redis.
resourcemanager.
resourcemanager.
resourcemanager.tagHolds.list
resourcemanager.tagKeys.get
resourcemanager.tagKeys.list
resourcemanager.tagValues.get
resourcemanager.tagValues.list
run.jobs.listEffectiveTags
run.jobs.listTagBindings
run.services.listEffectiveTags
run.services.listTagBindings
secretmanager.
secretmanager.
spanner.
spanner.
storage.
storage.
transcoder.
transcoder.
transcoder.
transcoder.
workflows.
workflows.
workstations.
workstations.
Resource Settings roles
Permissions
Resource Settings Administrator
(roles/)
Provides admin capabilities to set Resource Setting Values on resources.
Lowest-level resources where you can grant this role:
resourcesettings.*
Resource Settings Viewer
(roles/)
Provides capabilities to view Resource Settings and Resource Setting Values on resources.
resourcesettings.settings.get
resourcesettings.settings.list
Risk Manager roles
Permissions
Risk Manager Admin
Beta
(roles/)
Grants all Risk Manager permissions
resourcemanager.projects.get
resourcemanager.projects.list
riskmanager.*
Risk Manager Editor
Beta
(roles/)
Access to edit Risk Manager resources
resourcemanager.projects.get
resourcemanager.projects.list
riskmanager.
riskmanager.operations.*
riskmanager.policies.*
riskmanager.reports.create
riskmanager.reports.delete
riskmanager.reports.get
riskmanager.reports.list
riskmanager.
riskmanager.settings.*
Risk Manager Report Reviewer
Beta
(roles/)
Access to review Risk Manager reports
resourcemanager.projects.get
resourcemanager.projects.list
riskmanager.
riskmanager.operations.get
riskmanager.operations.list
riskmanager.reports.get
riskmanager.reports.list
riskmanager.reports.review
Risk Manager Viewer
Beta
(roles/)
Access to view Risk Manager resources
resourcemanager.projects.get
resourcemanager.projects.list
riskmanager.
riskmanager.operations.get
riskmanager.operations.list
riskmanager.policies.*
riskmanager.reports.get
riskmanager.reports.list
riskmanager.settings.get
Roles roles
Permissions
Organization Role Administrator
(roles/)
Provides access to administer all custom roles in the organization and the
projects below it.
Lowest-level resources where you can grant this role:
iam.roles.*
resourcemanager.
resourcemanager.
resourcemanager.projects.get
resourcemanager.
resourcemanager.projects.list
Organization Role Viewer
(roles/)
Provides read access to all custom roles in the organization and the
projects below it.
Lowest-level resources where you can grant this role:
iam.roles.get
iam.roles.list
resourcemanager.
resourcemanager.
resourcemanager.projects.get
resourcemanager.
resourcemanager.projects.list
Role Administrator
(roles/)
Provides access to all custom roles in the project.
Lowest-level resources where you can grant this role:
iam.roles.*
resourcemanager.projects.get
resourcemanager.
Role Viewer
(roles/)
Provides read access to all custom roles in the project.
Lowest-level resources where you can grant this role:
iam.roles.get
iam.roles.list
resourcemanager.projects.get
resourcemanager.
Secret Manager roles
Permissions
Secret Manager Admin
(roles/)
Full access to administer Secret Manager resources.
Lowest-level resources where you can grant this role:
cloudkms.keyHandles.*
cloudkms.operations.get
cloudkms.
resourcemanager.projects.get
resourcemanager.projects.list
secretmanager.*
Secret Manager Secret Accessor
(roles/)
Allows accessing the payload of secrets.
Lowest-level resources where you can grant this role:
resourcemanager.projects.get
resourcemanager.projects.list
secretmanager.versions.access
Secret Manager Secret Version Adder
(roles/)
Allows adding versions to existing secrets.
Lowest-level resources where you can grant this role:
resourcemanager.projects.get
resourcemanager.projects.list
secretmanager.versions.add
Secret Manager Secret Version Manager
(roles/)
Allows creating and managing versions of existing secrets.
Lowest-level resources where you can grant this role:
resourcemanager.projects.get
resourcemanager.projects.list
secretmanager.versions.add
secretmanager.versions.destroy
secretmanager.versions.disable
secretmanager.versions.enable
secretmanager.versions.get
secretmanager.versions.list
Secret Manager Viewer
(roles/)
Allows viewing metadata of all Secret Manager resources
Lowest-level resources where you can grant this role:
resourcemanager.projects.get
resourcemanager.projects.list
secretmanager.locations.*
secretmanager.secrets.get
secretmanager.
secretmanager.secrets.list
secretmanager.
secretmanager.
secretmanager.versions.get
secretmanager.versions.list
Secure Source Manager roles
Permissions
Secure Source Manager Admin
Beta
(roles/)
Full access to all Secure Source Manager resources.
resourcemanager.projects.get
resourcemanager.projects.list
securesourcemanager.*
Secure Source Manager Instance Accessor
Beta
(roles/)
An instance accessor can access an instance, but not necessarily create resources in the instance.
resourcemanager.projects.get
resourcemanager.projects.list
securesourcemanager.
securesourcemanager.
securesourcemanager.
securesourcemanager.
securesourcemanager.
Secure Source Manager Instance Manager
Beta
(roles/)
Read-write access to all Secure Source Manager resources (full control except for the ability to modify permissions).
resourcemanager.projects.get
resourcemanager.projects.list
securesourcemanager.
securesourcemanager.
securesourcemanager.
securesourcemanager.
securesourcemanager.
securesourcemanager.
securesourcemanager.
securesourcemanager.sshkeys.*
Secure Source Manager Instance Owner
Beta
(roles/)
Full control over Secure Source Manager instances, including listing, creating, and deleting them. Also enables instance user management.
resourcemanager.projects.get
resourcemanager.projects.list
securesourcemanager.
securesourcemanager.
securesourcemanager.
securesourcemanager.sshkeys.*
Secure Source Manager Instance Repository Creator
Beta
(roles/)
An instance repository creator can connect to a Cloud Git instance via IAP (HTTPS) and create repositories in the instance.
resourcemanager.projects.get
resourcemanager.projects.list
securesourcemanager.
securesourcemanager.
securesourcemanager.
securesourcemanager.
securesourcemanager.
securesourcemanager.
Secure Source Manager Repository Admin
Beta
(roles/)
A repoAdmin has the ability to CRUD a repository and its children as well as assign users to a repository. They can also set, get, or check IAM policies on the repository.
resourcemanager.projects.get
resourcemanager.projects.list
securesourcemanager.
securesourcemanager.
Secure Source Manager Repository Creator
Beta
(roles/)
A repoCreator has access to create repostiory in a project, the creator will then become the repoAdmin on this repository.
resourcemanager.projects.get
resourcemanager.projects.list
securesourcemanager.
Secure Source Manager Repository Pull Request Approver
Beta
(roles/)
A pull request approver can approve pull requests in a repository.
resourcemanager.projects.get
resourcemanager.projects.list
securesourcemanager.
Secure Source Manager Repository Reader
Beta
(roles/)
A repoReader has read access to a particular repository, including its child components. They cannot create repositories, and do not manage IAM policies on the repository.
resourcemanager.projects.get
resourcemanager.projects.list
securesourcemanager.
securesourcemanager.
securesourcemanager.
securesourcemanager.
securesourcemanager.
securesourcemanager.
securesourcemanager.
Secure Source Manager Repository Writer
Beta
(roles/)
A repoWriter has read/write access to a particular repository, including its child components. They cannot create repositories, and do not manage IAM policies on the repository.
resourcemanager.projects.get
resourcemanager.projects.list
securesourcemanager.
securesourcemanager.
securesourcemanager.
securesourcemanager.
securesourcemanager.
securesourcemanager.
securesourcemanager.
securesourcemanager.
securesourcemanager.
securesourcemanager.
Secure Source Manager SSH Key User
Beta
(roles/)
An sshKeyUser can create SSH keys for themselves and list/delete SSH keys they own.
resourcemanager.projects.get
resourcemanager.projects.list
securesourcemanager.
securesourcemanager.
securesourcemanager.
securesourcemanager.
Security Center roles
Permissions
Security Center Admin
(roles/)
Admin(super user) access to security center
Lowest-level resources where you can grant this role:
appengine.applications.get
artifactregistry.
artifactregistry.
artifactregistry.
artifactregistry.
artifactregistry.files.get
artifactregistry.files.list
artifactregistry.locations.*
artifactregistry.
artifactregistry.npmpackages.*
artifactregistry.packages.get
artifactregistry.packages.list
artifactregistry.
artifactregistry.
artifactregistry.
artifactregistry.
artifactregistry.
artifactregistry.
artifactregistry.
artifactregistry.
artifactregistry.
artifactregistry.rules.get
artifactregistry.rules.list
artifactregistry.tags.get
artifactregistry.tags.list
artifactregistry.versions.get
artifactregistry.versions.list
assuredoss.*
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudsecurityscanner.*
compute.addresses.list
iam.serviceAccountKeys.create
iam.serviceAccounts.create
iam.serviceAccounts.get
pubsub.schemas.get
pubsub.schemas.list
pubsub.schemas.listRevisions
pubsub.schemas.validate
pubsub.snapshots.get
pubsub.snapshots.list
pubsub.subscriptions.create
pubsub.subscriptions.get
pubsub.subscriptions.list
pubsub.subscriptions.update
pubsub.topics.get
pubsub.topics.list
resourcemanager.folders.get
resourcemanager.folders.list
resourcemanager.
resourcemanager.projects.get
resourcemanager.projects.list
resourcemanager.tagValues.get
securitycenter.*
securitycentermanagement.*
serviceusage.quotas.get
serviceusage.services.enable
serviceusage.services.get
serviceusage.services.list
Security Center Admin Editor
(roles/)
Admin Read-write access to security center
Lowest-level resources where you can grant this role:
appengine.applications.get
artifactregistry.
artifactregistry.
artifactregistry.
artifactregistry.
artifactregistry.files.get
artifactregistry.files.list
artifactregistry.locations.*
artifactregistry.
artifactregistry.npmpackages.*
artifactregistry.packages.get
artifactregistry.packages.list
artifactregistry.
artifactregistry.
artifactregistry.
artifactregistry.
artifactregistry.
artifactregistry.
artifactregistry.
artifactregistry.
artifactregistry.rules.get
artifactregistry.rules.list
artifactregistry.tags.get
artifactregistry.tags.list
artifactregistry.versions.get
artifactregistry.versions.list
assuredoss.config.get
assuredoss.locations.*
assuredoss.metadata.*
assuredoss.operations.get
assuredoss.operations.list
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudsecurityscanner.*
compute.addresses.list
pubsub.schemas.get
pubsub.schemas.list
pubsub.schemas.listRevisions
pubsub.schemas.validate
pubsub.snapshots.get
pubsub.snapshots.list
pubsub.subscriptions.get
pubsub.subscriptions.list
pubsub.topics.get
pubsub.topics.list
resourcemanager.folders.get
resourcemanager.folders.list
resourcemanager.
resourcemanager.projects.get
resourcemanager.projects.list
resourcemanager.tagValues.get
securitycenter.assets.*
securitycenter.
securitycenter.
securitycenter.
securitycenter.
securitycenter.
securitycenter.
securitycenter.
securitycenter.
securitycenter.
securitycenter.
securitycenter.
securitycenter.
securitycenter.
securitycenter.findings.*
securitycenter.
securitycenter.
securitycenter.
securitycenter.issues.*
securitycenter.muteconfigs.*
securitycenter.
securitycenter.
securitycenter.
securitycenter.
securitycenter.
securitycenter.
securitycenter.
securitycenter.
securitycenter.
securitycenter.
securitycenter.
securitycenter.
securitycenter.simulations.get
securitycenter.sources.get
securitycenter.sources.list
securitycenter.sources.update
securitycenter.
securitycenter.
securitycenter.
securitycenter.
securitycenter.
securitycenter.
securitycenter.
securitycenter.
securitycentermanagement.
securitycentermanagement.
securitycentermanagement.
securitycentermanagement.
securitycentermanagement.
securitycentermanagement.
securitycentermanagement.
securitycentermanagement.
securitycentermanagement.
securitycentermanagement.
securitycentermanagement.
securitycentermanagement.
securitycentermanagement.
securitycentermanagement.
securitycentermanagement.
securitycentermanagement.
securitycentermanagement.
securitycentermanagement.
serviceusage.quotas.get
serviceusage.services.get
serviceusage.services.list
Security Center Admin Viewer
(roles/)
Admin Read access to security center
Lowest-level resources where you can grant this role:
artifactregistry.
artifactregistry.
artifactregistry.
artifactregistry.
artifactregistry.files.get
artifactregistry.files.list
artifactregistry.locations.*
artifactregistry.
artifactregistry.npmpackages.*
artifactregistry.packages.get
artifactregistry.packages.list
artifactregistry.
artifactregistry.
artifactregistry.
artifactregistry.
artifactregistry.
artifactregistry.
artifactregistry.
artifactregistry.
artifactregistry.rules.get
artifactregistry.rules.list
artifactregistry.tags.get
artifactregistry.tags.list
artifactregistry.versions.get
artifactregistry.versions.list
assuredoss.config.get
assuredoss.locations.*
assuredoss.metadata.*
assuredoss.operations.get
assuredoss.operations.list
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudsecurityscanner.
cloudsecurityscanner.results.*
cloudsecurityscanner.
cloudsecurityscanner.
cloudsecurityscanner.
cloudsecurityscanner.scans.get
cloudsecurityscanner.
pubsub.schemas.get
pubsub.schemas.list
pubsub.schemas.listRevisions
pubsub.schemas.validate
pubsub.snapshots.get
pubsub.snapshots.list
pubsub.subscriptions.get
pubsub.subscriptions.list
pubsub.topics.get
pubsub.topics.list
resourcemanager.folders.get
resourcemanager.folders.list
resourcemanager.
resourcemanager.projects.get
resourcemanager.projects.list
resourcemanager.tagValues.get
securitycenter.assets.group
securitycenter.assets.list
securitycenter.
securitycenter.
securitycenter.
securitycenter.
securitycenter.
securitycenter.
securitycenter.
securitycenter.
securitycenter.
securitycenter.
securitycenter.
securitycenter.
securitycenter.
securitycenter.findings.group
securitycenter.findings.list
securitycenter.
securitycenter.
securitycenter.
securitycenter.issues.get
securitycenter.issues.group
securitycenter.issues.list
securitycenter.
securitycenter.muteconfigs.get
securitycenter.
securitycenter.
securitycenter.
securitycenter.
securitycenter.
securitycenter.
securitycenter.
securitycenter.
securitycenter.
securitycenter.
securitycenter.
securitycenter.
securitycenter.
securitycenter.
securitycenter.
securitycenter.simulations.get
securitycenter.sources.get
securitycenter.sources.list
securitycenter.
securitycenter.
securitycenter.
securitycenter.
securitycenter.
securitycenter.
securitycenter.
securitycenter.
securitycentermanagement.
securitycentermanagement.
securitycentermanagement.
securitycentermanagement.
securitycentermanagement.
securitycentermanagement.
securitycentermanagement.
securitycentermanagement.
securitycentermanagement.
securitycentermanagement.
securitycentermanagement.
securitycentermanagement.
securitycentermanagement.
securitycentermanagement.
securitycentermanagement.
securitycentermanagement.
serviceusage.quotas.get
serviceusage.services.get
serviceusage.services.list
Security Center Asset Security Marks Writer
(roles/)
Write access to asset security marks
Lowest-level resources where you can grant this role:
securitycenter.
securitycenter.
Security Center Assets Discovery Runner
(roles/)
Run asset discovery access to assets
Lowest-level resources where you can grant this role:
securitycenter.
securitycenter.
Security Center Assets Viewer
(roles/)
Read access to assets
Lowest-level resources where you can grant this role:
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
resourcemanager.folders.get
resourcemanager.
resourcemanager.projects.get
securitycenter.assets.group
securitycenter.assets.list
securitycenter.
securitycenter.
Security Center Attack Paths Reader
(roles/)
Read access to security center attack paths
securitycenter.
securitycenter.
Security Center BigQuery Exports Editor
(roles/)
Read-Write access to security center BigQuery Exports
resourcemanager.folders.get
resourcemanager.folders.list
resourcemanager.
resourcemanager.projects.get
resourcemanager.projects.list
securitycenter.
Security Center BigQuery Exports Viewer
(roles/)
Read access to security center BigQuery Exports
resourcemanager.folders.get
resourcemanager.folders.list
resourcemanager.
resourcemanager.projects.get
resourcemanager.projects.list
securitycenter.
securitycenter.
Security Center Compliance Reports Viewer
Beta
(roles/)
Read access to security center compliance reports
securitycenter.
Security Center Compliance Snapshots Viewer
Beta
(roles/)
Read access to security center compliance snapshots
securitycenter.
securitycenter.
Security Center External Systems Editor
(roles/)
Write access to security center external systems
securitycenter.
Security Center Finding Security Marks Writer
(roles/)
Write access to finding security marks
Lowest-level resources where you can grant this role:
securitycenter.
securitycenter.
Security Center Findings Bulk Mute Editor
(roles/)
Ability to mute findings in bulk
securitycenter.
Security Center Findings Editor
(roles/)
Read-write access to findings
Lowest-level resources where you can grant this role:
resourcemanager.folders.get
resourcemanager.
resourcemanager.projects.get
securitycenter.
securitycenter.
securitycenter.
securitycenter.
securitycenter.findings.group
securitycenter.findings.list
securitycenter.
securitycenter.
securitycenter.
securitycenter.findings.update
securitycenter.issues.*
securitycenter.sources.get
securitycenter.sources.list
securitycenter.
securitycenter.
Security Center Findings Mute Setter
(roles/)
Set mute access to findings
securitycenter.
Security Center Findings State Setter
(roles/)
Set state access to findings
Lowest-level resources where you can grant this role:
securitycenter.
securitycenter.
Security Center Findings Viewer
(roles/)
Read access to findings
Lowest-level resources where you can grant this role:
resourcemanager.folders.get
resourcemanager.
resourcemanager.projects.get
securitycenter.
securitycenter.
securitycenter.
securitycenter.findings.group
securitycenter.findings.list
securitycenter.
securitycenter.issues.get
securitycenter.issues.group
securitycenter.issues.list
securitycenter.
securitycenter.sources.get
securitycenter.sources.list
securitycenter.
securitycenter.
Security Center Findings Workflow State Setter
Beta
(roles/)
Set workflow state access to findings
Lowest-level resources where you can grant this role:
securitycenter.
securitycenter.
Security Center Issues Editor
Beta
(roles/)
Write access to security center issues
securitycenter.issues.*
Security Center Issues Viewer
Beta
(roles/)
Read access to security center issues
securitycenter.issues.get
securitycenter.issues.group
securitycenter.issues.list
securitycenter.
Security Center Mute Configurations Editor
(roles/)
Read-Write access to security center mute configurations
securitycenter.muteconfigs.*
Security Center Mute Configurations Viewer
(roles/)
Read access to security center mute configurations
securitycenter.muteconfigs.get
securitycenter.
Security Center Notification Configurations Editor
(roles/)
Write access to notification configurations
Lowest-level resources where you can grant this role:
securitycenter.
securitycenter.
Security Center Notification Configurations Viewer
(roles/)
Read access to notification configurations
Lowest-level resources where you can grant this role:
securitycenter.
securitycenter.
securitycenter.
Security Center Resource Value Configurations Editor
(roles/)
Read-Write access to security center resource value configurations
resourcemanager.tagValues.get
securitycenter.
Security Center Resource Value Configurations Viewer
(roles/)
Read access to security center resource value configurations
resourcemanager.tagValues.get
securitycenter.
securitycenter.
Security Health Analytics Custom Modules Tester
(roles/)
Test access to Security Health Analytics Custom Modules
securitycenter.
securitycenter.
securitycentermanagement.
securitycentermanagement.
Security Center Settings Admin
(roles/)
Admin(super user) access to security center settings
Lowest-level resources where you can grant this role:
resourcemanager.folders.get
resourcemanager.folders.list
resourcemanager.
resourcemanager.projects.get
resourcemanager.projects.list
securitycenter.
securitycenter.
securitycenter.
securitycenter.
securitycenter.
securitycenter.
securitycenter.muteconfigs.*
securitycenter.
securitycenter.
securitycenter.
securitycenter.
securitycenter.
securitycenter.
securitycenter.
securitycenter.
securitycenter.
securitycenter.
securitycenter.
securitycenter.
securitycenter.
securitycenter.
securitycentermanagement.*
Security Center Settings Editor
(roles/)
Read-Write access to security center settings
Lowest-level resources where you can grant this role:
resourcemanager.folders.get
resourcemanager.folders.list
resourcemanager.
resourcemanager.projects.get
resourcemanager.projects.list
securitycenter.
securitycenter.
securitycenter.
securitycenter.
securitycenter.
securitycenter.
securitycenter.muteconfigs.*
securitycenter.
securitycenter.
securitycenter.
securitycenter.
securitycenter.
securitycenter.
securitycenter.
securitycenter.
securitycenter.
securitycenter.
securitycenter.
securitycenter.
securitycenter.
securitycenter.
securitycentermanagement.*
Security Center Settings Viewer
(roles/)
Read access to security center settings
Lowest-level resources where you can grant this role:
resourcemanager.folders.get
resourcemanager.folders.list
resourcemanager.
resourcemanager.projects.get
resourcemanager.projects.list
securitycenter.
securitycenter.
securitycenter.
securitycenter.
securitycenter.
securitycenter.
securitycenter.
securitycenter.
securitycenter.
securitycenter.muteconfigs.get
securitycenter.
securitycenter.
securitycenter.
securitycenter.
securitycenter.
securitycenter.
securitycenter.
securitycenter.
securitycenter.
securitycenter.
securitycenter.
securitycenter.
securitycenter.
securitycenter.
securitycenter.
securitycenter.
securitycenter.
securitycentermanagement.
securitycentermanagement.
securitycentermanagement.
securitycentermanagement.
securitycentermanagement.
securitycentermanagement.
securitycentermanagement.
securitycentermanagement.
securitycentermanagement.
securitycentermanagement.
securitycentermanagement.
securitycentermanagement.
securitycentermanagement.
securitycentermanagement.
securitycentermanagement.
securitycentermanagement.
Security Center Simulations Reader
(roles/)
Read access to security center simulations
securitycenter.simulations.get
Security Center Sources Admin
(roles/)
Admin access to sources
Lowest-level resources where you can grant this role:
resourcemanager.
securitycenter.sources.*
securitycenter.
Security Center Sources Editor
(roles/)
Read-write access to sources
Lowest-level resources where you can grant this role:
resourcemanager.
securitycenter.sources.get
securitycenter.sources.list
securitycenter.sources.update
securitycenter.
Security Center Sources Viewer
(roles/)
Read access to sources
Lowest-level resources where you can grant this role:
resourcemanager.
securitycenter.sources.get
securitycenter.sources.list
securitycenter.
Security Center Valued Resources Reader
(roles/)
Read access to security center valued resources
securitycenter.
Security Center Management Admin
(roles/)
Full access to manage Cloud Security Command Center services and custom modules configuration.
resourcemanager.
resourcemanager.projects.get
resourcemanager.projects.list
securitycenter.
securitycenter.
securitycentermanagement.*
Security Center Management Custom Modules Editor
(roles/)
Full access to manage Cloud Security Command Center custom modules.
resourcemanager.
resourcemanager.projects.get
resourcemanager.projects.list
securitycentermanagement.
securitycentermanagement.
securitycentermanagement.
securitycentermanagement.
securitycentermanagement.
Security Center Management Custom Modules Viewer
(roles/)
Readonly access to Cloud Security Command Center custom modules.
resourcemanager.
resourcemanager.projects.get
resourcemanager.projects.list
securitycentermanagement.
securitycentermanagement.
securitycentermanagement.
securitycentermanagement.
securitycentermanagement.
securitycentermanagement.
securitycentermanagement.
securitycentermanagement.
securitycentermanagement.
securitycentermanagement.
Security Center Management Custom ETD Modules Editor
(roles/)
Full access to manage Cloud Security Command Center ETD custom modules.
resourcemanager.
resourcemanager.projects.get
resourcemanager.projects.list
securitycentermanagement.
securitycentermanagement.
securitycentermanagement.
Security Center Management ETD Custom Modules Viewer
(roles/)
Readonly access to Cloud Security Command Center ETD custom modules.
resourcemanager.
resourcemanager.projects.get
resourcemanager.projects.list
securitycentermanagement.
securitycentermanagement.
securitycentermanagement.
securitycentermanagement.
securitycentermanagement.
Security Center Management Services Editor
(roles/)
Full access to manage Cloud Security Command Center services configuration.
securitycentermanagement.
Security Center Management Services Viewer
(roles/)
Readonly access to Cloud Security Command Center services configuration.
securitycentermanagement.
securitycentermanagement.
Security Center Management Settings Editor
(roles/)
Full access to manage Cloud Security Command Center settings
resourcemanager.
resourcemanager.projects.get
resourcemanager.projects.list
securitycenter.
securitycenter.
securitycentermanagement.*
Security Center Management Settings Viewer
(roles/)
Readonly access to Cloud Security Command Center settings
resourcemanager.
resourcemanager.projects.get
resourcemanager.projects.list
securitycenter.
securitycenter.
securitycentermanagement.
securitycentermanagement.
securitycentermanagement.
securitycentermanagement.
securitycentermanagement.
securitycentermanagement.
securitycentermanagement.
securitycentermanagement.
securitycentermanagement.
securitycentermanagement.
securitycentermanagement.
securitycentermanagement.
securitycentermanagement.
securitycentermanagement.
securitycentermanagement.
securitycentermanagement.
Security Center Management SHA Custom Modules Editor
(roles/)
Full access to manage Cloud Security Command Center SHA custom modules.
resourcemanager.
resourcemanager.projects.get
resourcemanager.projects.list
securitycentermanagement.
securitycentermanagement.
securitycentermanagement.
Security Center Management SHA Custom Modules Viewer
(roles/)
Readonly access to Cloud Security Command Center SHA custom modules.
resourcemanager.
resourcemanager.projects.get
resourcemanager.projects.list
securitycentermanagement.
securitycentermanagement.
securitycentermanagement.
securitycentermanagement.
securitycentermanagement.
securitycentermanagement.
Security Center Management Viewer
(roles/)
Readonly access to Cloud Security Command Center services and custom modules configuration.
resourcemanager.
resourcemanager.projects.get
resourcemanager.projects.list
securitycenter.
securitycenter.
securitycentermanagement.
securitycentermanagement.
securitycentermanagement.
securitycentermanagement.
securitycentermanagement.
securitycentermanagement.
securitycentermanagement.
securitycentermanagement.
securitycentermanagement.
securitycentermanagement.
securitycentermanagement.
securitycentermanagement.
securitycentermanagement.
securitycentermanagement.
securitycentermanagement.
securitycentermanagement.
Serverless VPC Access roles
Permissions
Serverless VPC Access Admin
(roles/)
Full access to all Serverless VPC Access resources
resourcemanager.projects.get
resourcemanager.projects.list
vpcaccess.*
Serverless VPC Access User
(roles/)
User of Serverless VPC Access connectors
compute.networks.access
resourcemanager.projects.get
resourcemanager.projects.list
vpcaccess.connectors.get
vpcaccess.connectors.list
vpcaccess.connectors.use
vpcaccess.locations.list
vpcaccess.operations.*
Serverless VPC Access Viewer
(roles/)
Viewer of all Serverless VPC Access resources
resourcemanager.projects.get
resourcemanager.projects.list
vpcaccess.connectors.get
vpcaccess.connectors.list
vpcaccess.locations.list
vpcaccess.operations.*
Service Accounts roles
Permissions
Service Account Admin
(roles/)
Create and manage service accounts.
Lowest-level resources where you can grant this role:
iam.serviceAccounts.create
iam.
iam.serviceAccounts.delete
iam.
iam.serviceAccounts.disable
iam.serviceAccounts.enable
iam.serviceAccounts.get
iam.
iam.serviceAccounts.list
iam.
iam.
iam.
iam.serviceAccounts.undelete
iam.serviceAccounts.update
resourcemanager.projects.get
resourcemanager.projects.list
Create Service Accounts
(roles/)
Access to create service accounts.
iam.serviceAccounts.create
iam.serviceAccounts.get
iam.serviceAccounts.list
resourcemanager.projects.get
resourcemanager.projects.list
Delete Service Accounts
(roles/)
Access to delete service accounts.
iam.serviceAccounts.delete
iam.serviceAccounts.get
iam.serviceAccounts.list
resourcemanager.projects.get
resourcemanager.projects.list
Service Account Key Admin
(roles/)
Create and manage (and rotate) service account keys.
Lowest-level resources where you can grant this role:
iam.serviceAccountKeys.*
iam.serviceAccounts.get
iam.serviceAccounts.list
resourcemanager.projects.get
resourcemanager.projects.list
Service Account OpenID Connect Identity Token Creator
(roles/)
Create OpenID Connect (OIDC) identity tokens
iam.
Service Account Token Creator
(roles/)
Impersonate service accounts (create OAuth2 access tokens, sign blobs or JWTs, etc).
Lowest-level resources where you can grant this role:
iam.serviceAccounts.get
iam.
iam.
iam.
iam.serviceAccounts.list
iam.serviceAccounts.signBlob
iam.serviceAccounts.signJwt
resourcemanager.projects.get
resourcemanager.projects.list
Service Account User
(roles/)
Run operations as the service account.
Lowest-level resources where you can grant this role:
iam.serviceAccounts.actAs
iam.serviceAccounts.get
iam.serviceAccounts.list
resourcemanager.projects.get
resourcemanager.projects.list
View Service Accounts
(roles/)
Read access to service accounts, metadata, and keys.
iam.serviceAccountKeys.get
iam.serviceAccountKeys.list
iam.serviceAccounts.get
iam.
iam.serviceAccounts.list
iam.
iam.
resourcemanager.projects.get
resourcemanager.projects.list
Workload Identity User
(roles/)
Impersonate service accounts from federated workloads.
iam.serviceAccounts.get
iam.
iam.
iam.serviceAccounts.list
Service Agents roles
Permissions
Warning: Do not grant service agent roles to any principals except
service agents . Some
service agent roles contain very powerful permissions, and the permissions within these roles
can change without notice. Instead, choose a different
predefined role , or create a
custom role with the permissions you need.
(roles/)
Vertex AI Batch Prediction Service Agent for serving batch prediction requests.
Warning: Do not grant service agent roles to any principals except
service agents .
bigquery.datasets.create
bigquery.datasets.get
bigquery.jobs.create
bigquery.jobs.get
bigquery.models.create
bigquery.models.export
bigquery.models.getData
bigquery.readsessions.create
bigquery.readsessions.getData
bigquery.tables.create
bigquery.tables.createSnapshot
bigquery.tables.deleteSnapshot
bigquery.tables.export
bigquery.tables.get
bigquery.tables.getData
bigquery.
bigquery.tables.update
bigquery.tables.updateData
storage.buckets.create
storage.buckets.delete
storage.buckets.get
storage.buckets.list
storage.buckets.update
storage.objects.create
storage.objects.delete
storage.objects.get
storage.objects.list
storage.objects.update
(roles/)
Gives Vertex AI Colab the proper permissions to function.
Warning: Do not grant service agent roles to any principals except
service agents .
compute.addresses.get
compute.addresses.list
compute.addresses.use
compute.addresses.useInternal
compute.disks.create
compute.disks.createSnapshot
compute.disks.createTagBinding
compute.disks.delete
compute.disks.get
compute.disks.setLabels
compute.disks.use
compute.disks.useReadOnly
compute.globalOperations.get
compute.instances.attachDisk
compute.instances.create
compute.
compute.instances.delete
compute.instances.detachDisk
compute.instances.get
compute.
compute.instances.setLabels
compute.instances.setMetadata
compute.
compute.instances.setTags
compute.instances.start
compute.instances.stop
compute.instances.useReadOnly
compute.networks.get
compute.networks.use
compute.networks.useExternalIp
compute.snapshots.create
compute.snapshots.delete
compute.snapshots.useReadOnly
compute.subnetworks.get
compute.subnetworks.list
compute.subnetworks.use
compute.
compute.zoneOperations.get
iam.serviceAccounts.actAs
notebooks.instances.create
notebooks.instances.delete
notebooks.instances.get
(roles/)
Gives Vertex AI Custom Code the proper permissions.
Warning: Do not grant service agent roles to any principals except
service agents .
aiplatform.agentExamples.*
aiplatform.agents.*
aiplatform.annotationSpecs.*
aiplatform.annotations.*
aiplatform.apps.*
aiplatform.artifacts.*
aiplatform.
aiplatform.cacheConfigs.get
aiplatform.cachedContents.*
aiplatform.consents.get
aiplatform.contexts.*
aiplatform.customJobs.*
aiplatform.dataItems.*
aiplatform.dataLabelingJobs.*
aiplatform.datasetVersions.*
aiplatform.datasets.*
aiplatform.
aiplatform.
aiplatform.
aiplatform.edgeDevices.*
aiplatform.endpoints.create
aiplatform.endpoints.delete
aiplatform.endpoints.deploy
aiplatform.endpoints.explain
aiplatform.endpoints.get
aiplatform.endpoints.list
aiplatform.endpoints.predict
aiplatform.endpoints.undeploy
aiplatform.endpoints.update
aiplatform.entityTypes.create
aiplatform.entityTypes.delete
aiplatform.
aiplatform.
aiplatform.entityTypes.get
aiplatform.
aiplatform.entityTypes.list
aiplatform.
aiplatform.
aiplatform.entityTypes.update
aiplatform.
aiplatform.exampleStores.*
aiplatform.executions.*
aiplatform.extensions.*
aiplatform.
aiplatform.
aiplatform.featureGroups.get
aiplatform.featureGroups.list
aiplatform.
aiplatform.
aiplatform.
aiplatform.
aiplatform.
aiplatform.
aiplatform.featureViewSyncs.*
aiplatform.featureViews.create
aiplatform.featureViews.delete
aiplatform.
aiplatform.featureViews.get
aiplatform.featureViews.list
aiplatform.
aiplatform.featureViews.sync
aiplatform.featureViews.update
aiplatform.features.*
aiplatform.
aiplatform.
aiplatform.
aiplatform.
aiplatform.featurestores.get
aiplatform.
aiplatform.featurestores.list
aiplatform.
aiplatform.
aiplatform.
aiplatform.humanInTheLoops.*
aiplatform.
aiplatform.indexEndpoints.*
aiplatform.indexes.*
aiplatform.locations.*
aiplatform.metadataSchemas.*
aiplatform.metadataStores.*
aiplatform.
aiplatform.
aiplatform.modelEvaluations.*
aiplatform.
aiplatform.modelMonitors.*
aiplatform.models.*
aiplatform.nasJobs.*
aiplatform.nasTrialDetails.*
aiplatform.
aiplatform.
aiplatform.
aiplatform.
aiplatform.
aiplatform.
aiplatform.
aiplatform.notebookRuntimes.*
aiplatform.operations.list
aiplatform.
aiplatform.
aiplatform.pipelineJobs.*
aiplatform.
aiplatform.
aiplatform.
aiplatform.ragCorpora.*
aiplatform.ragFiles.*
aiplatform.reasoningEngines.*
aiplatform.schedules.*
aiplatform.sessionEvents.*
aiplatform.sessions.*
aiplatform.specialistPools.*
aiplatform.studies.*
aiplatform.
aiplatform.tensorboardRuns.*
aiplatform.
aiplatform.tensorboards.create
aiplatform.tensorboards.delete
aiplatform.tensorboards.get
aiplatform.tensorboards.list
aiplatform.tensorboards.update
aiplatform.trainingPipelines.*
aiplatform.trials.*
aiplatform.tuningJobs.*
artifactregistry.
artifactregistry.
artifactregistry.
artifactregistry.tags.get
artifactregistry.versions.get
bigquery.datasets.create
bigquery.datasets.get
bigquery.jobs.create
bigquery.jobs.get
bigquery.readsessions.create
bigquery.readsessions.getData
bigquery.tables.create
bigquery.tables.export
bigquery.tables.get
bigquery.tables.getData
bigquery.tables.update
bigquery.tables.updateData
iam.serviceAccounts.get
iam.
iam.
iam.
iam.serviceAccounts.list
iam.serviceAccounts.signBlob
iam.serviceAccounts.signJwt
logging.logEntries.create
logging.logEntries.route
monitoring.
monitoring.
monitoring.
monitoring.
monitoring.timeSeries.create
resourcemanager.projects.get
resourcemanager.projects.list
serviceusage.services.use
storage.buckets.create
storage.buckets.delete
storage.buckets.get
storage.buckets.list
storage.objects.create
storage.objects.delete
storage.objects.get
storage.objects.list
storage.objects.update
(roles/)
Gives Vertex AI Extension that executes custom code the permissions it needs to function.
Warning: Do not grant service agent roles to any principals except
service agents .
logging.logEntries.create
logging.logEntries.route
orgpolicy.policy.get
resourcemanager.projects.get
resourcemanager.projects.list
storage.folders.*
storage.managedFolders.create
storage.managedFolders.delete
storage.managedFolders.get
storage.managedFolders.list
storage.multipartUploads.*
storage.objects.*
(roles/)
Gives Vertex AI Extension the permissions it needs to function.
Warning: Do not grant service agent roles to any principals except
service agents .
aiplatform.endpoints.predict
aiplatform.locations.get
aiplatform.ragCorpora.query
discoveryengine.
iam.
iam.
logging.logEntries.create
logging.logEntries.route
serviceusage.services.use
storage.objects.get
(roles/)
Gives Vertex AI Model Monitoring the permissions it needs to function.
Warning: Do not grant service agent roles to any principals except
service agents .
aiplatform.
aiplatform.
aiplatform.
aiplatform.
bigquery.datasets.create
bigquery.datasets.get
bigquery.jobs.create
bigquery.jobs.get
bigquery.tables.create
bigquery.tables.export
bigquery.tables.get
bigquery.tables.getData
bigquery.tables.update
bigquery.tables.updateData
monitoring.
serviceusage.services.use
storage.buckets.create
storage.buckets.delete
storage.buckets.get
storage.buckets.list
storage.buckets.update
storage.objects.create
storage.objects.delete
storage.objects.get
storage.objects.list
storage.objects.update
(roles/)
Vertex AI Service Agent used to run Notebook managed resources in user project with restricted permissions.
Warning: Do not grant service agent roles to any principals except
service agents .
logging.logEntries.create
logging.logEntries.route
monitoring.
monitoring.
monitoring.
monitoring.
monitoring.timeSeries.create
(roles/)
Gives Vertex AI Online Prediction the permissions it needs to function.
Warning: Do not grant service agent roles to any principals except
service agents .
gkehub.features.get
gkehub.features.getIamPolicy
gkehub.features.list
gkehub.fleet.get
gkehub.gateway.delete
gkehub.
gkehub.gateway.get
gkehub.gateway.patch
gkehub.gateway.post
gkehub.gateway.put
gkehub.locations.*
gkehub.memberships.get
gkehub.
gkehub.memberships.list
serviceusage.services.get
(roles/)
Vertex AI Service Agent used by Vertex RAG to access user imported data, Vertex AI, Document AI processors in the project
Warning: Do not grant service agent roles to any principals except
service agents .
aiplatform.endpoints.get
aiplatform.endpoints.predict
aiplatform.featureViews.get
aiplatform.featureViews.list
aiplatform.featureViews.sync
aiplatform.featureViews.update
aiplatform.indexEndpoints.*
aiplatform.indexes.*
aiplatform.models.get
bigquery.datasets.create
bigquery.datasets.get
bigquery.jobs.create
bigquery.jobs.get
bigquery.readsessions.create
bigquery.readsessions.getData
bigquery.tables.create
bigquery.tables.createSnapshot
bigquery.tables.deleteSnapshot
bigquery.tables.export
bigquery.tables.get
bigquery.tables.getData
bigquery.
bigquery.tables.update
bigquery.tables.updateData
documentai.
documentai.processors.get
documentai.
logging.logEntries.create
logging.logEntries.route
storage.buckets.get
storage.buckets.list
storage.objects.get
storage.objects.list
(roles/)
Vertex AI Service Agent used by GenAI Rapid Evaluation Service to access publisher model endpoints in the user project
Warning: Do not grant service agent roles to any principals except
service agents .
aiplatform.endpoints.predict
(roles/)
Gives Vertex AI Reasoning Engine the proper permissions to function.
Warning: Do not grant service agent roles to any principals except
service agents .
aiplatform.endpoints.create
aiplatform.endpoints.delete
aiplatform.endpoints.deploy
aiplatform.endpoints.explain
aiplatform.endpoints.get
aiplatform.endpoints.list
aiplatform.endpoints.predict
aiplatform.endpoints.undeploy
aiplatform.endpoints.update
aiplatform.sessionEvents.*
aiplatform.sessions.create
aiplatform.sessions.delete
aiplatform.sessions.get
aiplatform.sessions.list
aiplatform.sessions.update
cloudtrace.traces.patch
logging.logEntries.create
logging.logEntries.route
monitoring.
monitoring.
monitoring.
monitoring.
monitoring.timeSeries.create
serviceusage.services.use
storage.buckets.get
storage.buckets.list
storage.objects.get
storage.objects.list
(roles/)
Gives Vertex AI the permissions it needs to function.
Warning: Do not grant service agent roles to any principals except
service agents .
aiplatform.agentExamples.*
aiplatform.agents.*
aiplatform.annotationSpecs.*
aiplatform.annotations.*
aiplatform.apps.*
aiplatform.artifacts.*
aiplatform.
aiplatform.cacheConfigs.get
aiplatform.cachedContents.*
aiplatform.consents.get
aiplatform.contexts.*
aiplatform.customJobs.*
aiplatform.dataItems.*
aiplatform.dataLabelingJobs.*
aiplatform.datasetVersions.*
aiplatform.datasets.*
aiplatform.
aiplatform.
aiplatform.
aiplatform.edgeDevices.*
aiplatform.endpoints.create
aiplatform.endpoints.delete
aiplatform.endpoints.deploy
aiplatform.endpoints.explain
aiplatform.endpoints.get
aiplatform.endpoints.list
aiplatform.endpoints.predict
aiplatform.endpoints.undeploy
aiplatform.endpoints.update
aiplatform.entityTypes.create
aiplatform.entityTypes.delete
aiplatform.
aiplatform.
aiplatform.entityTypes.get
aiplatform.
aiplatform.entityTypes.list
aiplatform.
aiplatform.
aiplatform.entityTypes.update
aiplatform.
aiplatform.exampleStores.*
aiplatform.executions.*
aiplatform.extensions.*
aiplatform.
aiplatform.
aiplatform.featureGroups.get
aiplatform.featureGroups.list
aiplatform.
aiplatform.
aiplatform.
aiplatform.
aiplatform.
aiplatform.
aiplatform.featureViewSyncs.*
aiplatform.featureViews.create
aiplatform.featureViews.delete
aiplatform.
aiplatform.featureViews.get
aiplatform.featureViews.list
aiplatform.
aiplatform.featureViews.sync
aiplatform.featureViews.update
aiplatform.features.*
aiplatform.
aiplatform.
aiplatform.
aiplatform.
aiplatform.featurestores.get
aiplatform.
aiplatform.featurestores.list
aiplatform.
aiplatform.
aiplatform.
aiplatform.humanInTheLoops.*
aiplatform.
aiplatform.indexEndpoints.*
aiplatform.indexes.*
aiplatform.locations.*
aiplatform.metadataSchemas.*
aiplatform.metadataStores.*
aiplatform.
aiplatform.
aiplatform.modelEvaluations.*
aiplatform.
aiplatform.modelMonitors.*
aiplatform.models.*
aiplatform.nasJobs.*
aiplatform.nasTrialDetails.*
aiplatform.
aiplatform.
aiplatform.
aiplatform.
aiplatform.
aiplatform.
aiplatform.
aiplatform.notebookRuntimes.*
aiplatform.operations.list
aiplatform.
aiplatform.
aiplatform.pipelineJobs.*
aiplatform.
aiplatform.
aiplatform.
aiplatform.ragCorpora.*
aiplatform.ragFiles.*
aiplatform.reasoningEngines.*
aiplatform.schedules.*
aiplatform.sessionEvents.*
aiplatform.sessions.*
aiplatform.specialistPools.*
aiplatform.studies.*
aiplatform.
aiplatform.tensorboardRuns.*
aiplatform.
aiplatform.tensorboards.create
aiplatform.tensorboards.delete
aiplatform.tensorboards.get
aiplatform.tensorboards.list
aiplatform.tensorboards.update
aiplatform.trainingPipelines.*
aiplatform.trials.*
aiplatform.tuningJobs.*
artifactregistry.
artifactregistry.
artifactregistry.
artifactregistry.
artifactregistry.
artifactregistry.tags.get
artifactregistry.versions.get
automl.datasets.export
automl.datasets.get
automl.datasets.list
automl.modelEvaluations.list
automl.models.get
automl.models.list
automl.operations.get
automl.tableSpecs.get
bigquery.datasets.create
bigquery.datasets.get
bigquery.jobs.create
bigquery.jobs.get
bigquery.models.create
bigquery.models.export
bigquery.models.getData
bigquery.objectRefs.read
bigquery.readsessions.create
bigquery.readsessions.getData
bigquery.tables.create
bigquery.tables.export
bigquery.tables.get
bigquery.tables.getData
bigquery.tables.update
bigquery.tables.updateData
bigtable.tables.get
bigtable.tables.list
bigtable.tables.readRows
compute.addresses.get
compute.addresses.list
compute.addresses.use
compute.addresses.useInternal
compute.disks.create
compute.disks.createSnapshot
compute.disks.createTagBinding
compute.disks.delete
compute.disks.get
compute.disks.setLabels
compute.disks.use
compute.disks.useReadOnly
compute.globalOperations.get
compute.instances.attachDisk
compute.instances.create
compute.
compute.instances.delete
compute.instances.detachDisk
compute.instances.get
compute.
compute.instances.setLabels
compute.instances.setMetadata
compute.
compute.instances.setTags
compute.instances.start
compute.instances.stop
compute.instances.useReadOnly
compute.machineTypes.get
compute.networks.get
compute.networks.use
compute.networks.useExternalIp
compute.snapshots.create
compute.snapshots.delete
compute.snapshots.useReadOnly
compute.subnetworks.get
compute.subnetworks.list
compute.subnetworks.use
compute.
compute.zoneOperations.get
dataflow.jobs.*
dataflow.messages.list
dataflow.metrics.get
dataflow.snapshots.*
datalabeling.
datalabeling.datasets.export
datalabeling.datasets.get
datalabeling.datasets.list
datalabeling.operations.get
iam.serviceAccounts.actAs
iam.
iam.
logging.logEntries.create
logging.logEntries.route
ml.models.list
ml.operations.get
ml.versions.get
ml.versions.list
monitoring.
notebooks.instances.create
notebooks.instances.delete
notebooks.instances.get
resourcemanager.projects.get
resourcemanager.projects.list
run.executions.delete
run.executions.get
run.jobs.create
run.jobs.delete
run.jobs.get
run.jobs.run
run.jobs.update
run.operations.delete
run.operations.get
run.routes.invoke
run.services.create
run.services.delete
run.services.get
serviceusage.services.list
serviceusage.services.use
storage.buckets.create
storage.buckets.delete
storage.buckets.get
storage.buckets.list
storage.objects.create
storage.objects.delete
storage.objects.get
storage.objects.list
storage.objects.update
(roles/)
Vertex AI Service Agent used for tuning in user project.
Warning: Do not grant service agent roles to any principals except
service agents .
aiplatform.artifacts.*
aiplatform.
aiplatform.
aiplatform.
aiplatform.contexts.*
aiplatform.endpoints.create
aiplatform.endpoints.deploy
aiplatform.endpoints.get
aiplatform.locations.get
aiplatform.metadataSchemas.*
aiplatform.metadataStores.*
aiplatform.models.get
aiplatform.models.update
aiplatform.models.upload
aiplatform.operations.list
aiplatform.pipelineJobs.get
aiplatform.pipelineJobs.list
aiplatform.
aiplatform.tensorboardRuns.*
aiplatform.
aiplatform.tensorboards.create
aiplatform.tensorboards.delete
aiplatform.tensorboards.get
aiplatform.tensorboards.list
aiplatform.tensorboards.update
aiplatform.tuningJobs.*
resourcemanager.projects.get
storage.buckets.create
storage.buckets.get
storage.buckets.getIamPolicy
storage.buckets.list
storage.buckets.update
storage.objects.create
storage.objects.delete
storage.objects.get
storage.objects.getIamPolicy
storage.objects.list
storage.objects.update
AlloyDB Service Agent
(roles/)
Gives the AlloyDB service account permission to manage customer resources
Warning: Do not grant service agent roles to any principals except
service agents .
alloydb.clusters.list
Anthos Service Agent
(roles/)
Gives the Anthos service agent access to Google Cloud resources.
Warning: Do not grant service agent roles to any principals except
service agents .
gkehub.features.get
gkehub.locations.*
gkehub.memberships.get
gkehub.memberships.list
serviceusage.services.get
serviceusage.services.list
Anthos Audit Service Agent
(roles/)
Gives the Anthos Audit service agent access to Cloud Platform resources.
Warning: Do not grant service agent roles to any principals except
service agents .
gkehub.features.get
gkehub.locations.*
gkehub.memberships.get
gkehub.memberships.list
Anthos Config Management Service Agent
(roles/)
Gives the Anthos Config Management service agent access to Google Cloud resources.
Warning: Do not grant service agent roles to any principals except
service agents .
container.clusters.get
gkehub.features.get
gkehub.gateway.delete
gkehub.
gkehub.gateway.get
gkehub.gateway.patch
gkehub.gateway.post
gkehub.gateway.put
gkehub.locations.*
gkehub.memberships.get
gkehub.memberships.list
Anthos Identity Service Agent
(roles/)
Gives the Anthos Identity service agent access to Google Cloud resources.
Warning: Do not grant service agent roles to any principals except
service agents .
gkehub.features.get
gkehub.gateway.delete
gkehub.
gkehub.gateway.get
gkehub.gateway.patch
gkehub.gateway.post
gkehub.gateway.put
gkehub.locations.*
gkehub.memberships.get
gkehub.memberships.list
Anthos Policy Controller Service Agent
(roles/)
Gives the Anthos Policy Controller service agent access toCloud Platform resources.
Warning: Do not grant service agent roles to any principals except
service agents .
gkehub.features.get
gkehub.gateway.delete
gkehub.
gkehub.gateway.get
gkehub.gateway.patch
gkehub.gateway.post
gkehub.gateway.put
gkehub.locations.*
gkehub.memberships.get
gkehub.memberships.list
Anthos Service Mesh Service Agent
(roles/)
Gives the Anthos Service Mesh service agent access to Cloud Platform resources.
Warning: Do not grant service agent roles to any principals except
service agents .
compute.backendServices.create
compute.backendServices.delete
compute.backendServices.get
compute.backendServices.list
compute.backendServices.update
compute.backendServices.use
compute.firewalls.create
compute.firewalls.delete
compute.firewalls.get
compute.firewalls.update
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.globalOperations.get
compute.healthChecks.create
compute.healthChecks.delete
compute.healthChecks.get
compute.healthChecks.list
compute.healthChecks.update
compute.healthChecks.use
compute.
compute.instances.use
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.networks.updatePolicy
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.regions.list
compute.zones.list
container.backendConfigs.*
container.
container.clusterRoles.*
container.clusters.get
container.clusters.update
container.configMaps.*
container.
container.
container.
container.
container.daemonSets.create
container.daemonSets.delete
container.daemonSets.get
container.daemonSets.getStatus
container.daemonSets.list
container.daemonSets.update
container.deployments.get
container.deployments.list
container.events.get
container.events.list
container.jobs.create
container.jobs.delete
container.jobs.get
container.jobs.list
container.jobs.update
container.
container.
container.
container.
container.namespaces.create
container.namespaces.get
container.namespaces.list
container.operations.get
container.pods.get
container.pods.list
container.secrets.*
container.
container.
container.serviceAccounts.get
container.serviceAccounts.list
container.
container.services.get
container.services.list
container.
container.
container.
container.
container.
gkehub.features.get
gkehub.gateway.delete
gkehub.
gkehub.gateway.get
gkehub.gateway.patch
gkehub.gateway.post
gkehub.gateway.put
gkehub.locations.*
gkehub.memberships.get
gkehub.memberships.list
logging.logEntries.create
meshconfig.projects.init
monitoring.
monitoring.
monitoring.
monitoring.
monitoring.timeSeries.create
networksecurity.
networksecurity.
networksecurity.
networksecurity.
networksecurity.
networksecurity.
networksecurity.
networksecurity.
networksecurity.
networksecurity.
networksecurity.
networksecurity.
networksecurity.operations.*
networksecurity.
networksecurity.
networksecurity.
networksecurity.
networksecurity.
networksecurity.
networkservices.
networkservices.gateways.*
networkservices.grpcRoutes.*
networkservices.httpFilters.*
networkservices.httpRoutes.*
networkservices.meshes.*
networkservices.operations.*
networkservices.
networkservices.tcpRoutes.*
networkservices.tlsRoutes.*
resourcemanager.projects.get
serviceusage.services.get
serviceusage.services.use
trafficdirector.*
workloadcertificate.
workloadcertificate.
workloadcertificate.
workloadcertificate.
workloadcertificate.
workloadcertificate.
Anthos Support Service Agent
(roles/)
Gives the Anthos Support Service Agent access to Cloud Platform resource.
Warning: Do not grant service agent roles to any principals except
service agents .
gkehub.features.get
gkehub.features.getIamPolicy
gkehub.features.list
gkehub.fleet.get
gkehub.fleet.getFreeTrial
gkehub.
gkehub.gateway.get
gkehub.locations.*
gkehub.membershipbindings.get
gkehub.membershipbindings.list
gkehub.membershipfeatures.get
gkehub.membershipfeatures.list
gkehub.
gkehub.memberships.get
gkehub.
gkehub.memberships.list
gkehub.namespaces.get
gkehub.namespaces.list
gkehub.operations.get
gkehub.operations.list
gkehub.rbacrolebindings.get
gkehub.rbacrolebindings.list
gkehub.scopes.get
gkehub.scopes.list
gkehub.
resourcemanager.projects.get
resourcemanager.projects.list
serviceusage.services.get
Cloud API Gateway Service Agent
(roles/)
Gives Cloud API Gateway service account access to Service Management check and reports as well as impersonation on user-specified service accounts.
Warning: Do not grant service agent roles to any principals except
service agents .
iam.
iam.
servicemanagement.
servicemanagement.
servicemanagement.
Cloud API Gateway Management Service Agent
(roles/)
Gives Cloud API Gateway service account access to retrieve a Service configuration.
Warning: Do not grant service agent roles to any principals except
service agents .
iam.serviceAccounts.get
servicemanagement.
servicemanagement.
servicemanagement.services.get
servicemanagement.
servicemanagement.
serviceusage.services.get
Apigee Service Agent
(roles/)
Service agent that grants access to Apigee resources - API Products, Developers, Developer Apps, and App Keys.
Warning: Do not grant service agent roles to any principals except
service agents .
apigee.apiproducts.get
apigee.apiproducts.list
apigee.appkeys.create
apigee.appkeys.delete
apigee.appkeys.manage
apigee.apps.get
apigee.canaryevaluations.*
apigee.developerapps.*
apigee.developers.create
apigee.developers.delete
apigee.developers.get
apigee.environments.get
apigee.
apigee.
apigee.ingressconfigs.get
apigee.instances.reportStatus
apigee.operations.*
apigee.organizations.get
apigee.proxyrevisions.get
apigee.runtimeconfigs.get
cloudtrace.traces.patch
iam.
iam.
logging.buckets.create
logging.buckets.get
logging.buckets.list
logging.views.create
logging.views.get
logging.views.list
monitoring.
monitoring.
monitoring.
monitoring.
monitoring.timeSeries.create
telemetry.traces.write
API-Hub Runtime Project Service Agent
(roles/)
Gives API-Hub Service Account access to runtime project resources.
Warning: Do not grant service agent roles to any principals except
service agents .
apigee.deployments.list
apigee.
apigee.envgroups.list
apigee.environments.get
apigee.organizations.get
apigee.proxies.get
apigee.proxyrevisions.get
apihub.apiOperations.delete
apihub.apiOperations.list
apihub.apis.create
apihub.apis.delete
apihub.apis.list
apihub.apis.update
apihub.attributes.create
apihub.attributes.list
apihub.attributes.update
apihub.curations.list
apihub.definitions.list
apihub.dependencies.delete
apihub.dependencies.list
apihub.deployments.create
apihub.deployments.delete
apihub.deployments.list
apihub.deployments.update
apihub.externalApis.list
apihub.
apihub.operations.list
apihub.plugininstances.create
apihub.plugininstances.list
apihub.plugins.create
apihub.plugins.list
apihub.
apihub.specs.create
apihub.specs.delete
apihub.specs.list
apihub.specs.update
apihub.versions.create
apihub.versions.delete
apihub.versions.list
apihub.versions.update
APIM API Discovery Service Agent
(roles/)
Gives APIM the ability to manage resources in consumer project
Warning: Do not grant service agent roles to any principals except
service agents .
compute.backendServices.create
compute.backendServices.delete
compute.backendServices.get
compute.backendServices.list
compute.backendServices.update
compute.backendServices.use
compute.globalOperations.get
compute.networks.use
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.regionOperations.get
compute.subnetworks.use
networkservices.operations.*
App Development Experience Service Agent
(roles/)
Give the App Development Experience service agent access to Cloud Platform resources.
Warning: Do not grant service agent roles to any principals except
service agents .
container.clusters.get
container.clusters.update
gkehub.features.get
gkehub.gateway.delete
gkehub.
gkehub.gateway.get
gkehub.gateway.patch
gkehub.gateway.post
gkehub.gateway.put
gkehub.locations.*
gkehub.memberships.get
gkehub.memberships.list
App Engine Standard Environment Service Agent
(roles/)
Give App Engine Standard Envirnoment service account access to managed resources. Includes access to service accounts.
Warning: Do not grant service agent roles to any principals except
service agents .
appengine.versions.delete
appengine.versions.get
appengine.versions.list
appengine.versions.update
artifactregistry.
artifactregistry.
artifactregistry.
artifactregistry.files.get
artifactregistry.files.list
artifactregistry.
artifactregistry.locations.*
artifactregistry.
artifactregistry.npmpackages.*
artifactregistry.packages.get
artifactregistry.packages.list
artifactregistry.
artifactregistry.
artifactregistry.
artifactregistry.
artifactregistry.
artifactregistry.
artifactregistry.
artifactregistry.
artifactregistry.
artifactregistry.
artifactregistry.tags.create
artifactregistry.tags.get
artifactregistry.tags.list
artifactregistry.tags.update
artifactregistry.versions.get
artifactregistry.versions.list
artifactregistry.
datastore.databases.get
datastore.entities.create
datastore.entities.delete
datastore.entities.get
datastore.entities.list
datastore.entities.update
datastore.indexes.list
datastore.namespaces.*
datastore.statistics.*
iam.
iam.
iam.serviceAccounts.signBlob
serviceusage.services.enable
serviceusage.services.get
storage.buckets.create
storage.buckets.get
App Engine flexible environment Service Agent
(roles/)
Can edit and manage App Engine Flexible Environment apps. Includes access to service accounts.
Warning: Do not grant service agent roles to any principals except
service agents .
artifactregistry.
artifactregistry.
artifactregistry.
artifactregistry.
billing.accounts.get
cloudbuild.builds.create
cloudbuild.builds.get
compute.addresses.create
compute.addresses.delete
compute.addresses.get
compute.addresses.list
compute.addresses.use
compute.autoscalers.create
compute.autoscalers.delete
compute.autoscalers.get
compute.autoscalers.update
compute.backendServices.create
compute.backendServices.delete
compute.backendServices.get
compute.backendServices.list
compute.backendServices.update
compute.backendServices.use
compute.disks.create
compute.disks.list
compute.firewalls.create
compute.firewalls.delete
compute.firewalls.get
compute.firewalls.list
compute.firewalls.update
compute.forwardingRules.create
compute.forwardingRules.delete
compute.forwardingRules.get
compute.globalAddresses.create
compute.globalAddresses.delete
compute.globalAddresses.get
compute.globalAddresses.use
compute.
compute.
compute.
compute.globalOperations.get
compute.healthChecks.create
compute.healthChecks.delete
compute.healthChecks.get
compute.healthChecks.update
compute.
compute.
compute.
compute.httpHealthChecks.get
compute.httpHealthChecks.use
compute.
compute.
compute.
compute.httpsHealthChecks.get
compute.
compute.httpsHealthChecks.use
compute.
compute.images.get
compute.images.useReadOnly
compute.
compute.
compute.
compute.
compute.
compute.instanceGroups.create
compute.instanceGroups.delete
compute.instanceGroups.get
compute.instanceGroups.update
compute.instanceGroups.use
compute.
compute.
compute.instanceTemplates.get
compute.
compute.instances.attachDisk
compute.instances.create
compute.instances.delete
compute.instances.detachDisk
compute.instances.get
compute.
compute.
compute.instances.list
compute.instances.reset
compute.instances.setLabels
compute.instances.setMetadata
compute.instances.setTags
compute.instances.start
compute.instances.stop
compute.instances.use
compute.machineTypes.get
compute.networks.create
compute.networks.delete
compute.networks.get
compute.networks.updatePolicy
compute.networks.use
compute.networks.useExternalIp
compute.projects.get
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.regionOperations.get
compute.regions.get
compute.routes.create
compute.routes.delete
compute.routes.get
compute.routes.list
compute.subnetworks.delete
compute.subnetworks.get
compute.subnetworks.use
compute.
compute.
compute.
compute.targetHttpProxies.get
compute.targetHttpProxies.use
compute.
compute.
compute.targetHttpsProxies.get
compute.
compute.targetHttpsProxies.use
compute.urlMaps.create
compute.urlMaps.delete
compute.urlMaps.get
compute.urlMaps.update
compute.urlMaps.use
compute.zoneOperations.get
compute.zoneOperations.list
compute.zones.*
deploymentmanager.
deploymentmanager.
deploymentmanager.
deploymentmanager.
deploymentmanager.
deploymentmanager.
deploymentmanager.manifests.*
deploymentmanager.operations.*
deploymentmanager.
deploymentmanager.
iam.serviceAccounts.actAs
iam.serviceAccounts.get
iam.
iam.serviceAccounts.signBlob
iam.serviceAccounts.signJwt
logging.logEntries.create
logging.logMetrics.create
logging.logMetrics.delete
logging.logMetrics.get
logging.logMetrics.update
resourcemanager.
resourcemanager.projects.get
resourcemanager.
resourcemanager.
serviceusage.services.enable
storage.buckets.create
storage.buckets.delete
storage.buckets.get
storage.buckets.getIamPolicy
storage.buckets.setIamPolicy
storage.buckets.update
storage.objects.create
storage.objects.delete
storage.objects.get
storage.objects.getIamPolicy
storage.objects.list
Artifact Registry Service Agent
(roles/)
Gives the Artifact Registry service account access to managed resources.
Warning: Do not grant service agent roles to any principals except
service agents .
artifactregistry.
artifactregistry.
artifactregistry.
artifactregistry.
pubsub.topics.publish
Assured Workloads Monitoring Service Agent
(roles/)
Gives the Assured Workloads service account access to create CAIS feed and monitor Assured Workloads.
Warning: Do not grant service agent roles to any principals except
service agents .
cloudasset.
cloudasset.assets.listResource
cloudasset.feeds.create
cloudasset.feeds.delete
cloudasset.feeds.get
Assured Workloads Service Agent
(roles/)
Gives the Assured Workloads service account access to create KMS keyrings and keys, monitor Assured Workloads and read Organization Policies.
Warning: Do not grant service agent roles to any principals except
service agents .
cloudkms.cryptoKeys.create
cloudkms.keyRings.create
orgpolicy.policies.list
orgpolicy.policy.get
serviceusage.services.enable
serviceusage.services.get
serviceusage.services.use
Audit Manager Auditing Service Agent
(roles/)
Grants Audit Manager Service Agent access to various list/get rpcs of products to perform an audit.
Warning: Do not grant service agent roles to any principals except
service agents .
accessapproval.settings.get
artifactregistry.
artifactregistry.
bigquery.datasets.get
certificatemanager.certs.list
certificatemanager.
cloudasset.
cloudasset.assets.analyzeMove
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.assets.exportIapWeb
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.assets.listIamRoles
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.assets.listIapWeb
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.assets.listResource
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.assets.listTpuNodes
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudkms.cryptoKeys.get
cloudkms.cryptoKeys.list
cloudkms.keyRings.list
cloudsecurityscanner.scans.get
cloudsecurityscanner.
cloudsql.instances.get
cloudsql.instances.list
compute.autoscalers.list
compute.backendServices.list
compute.disks.list
compute.firewallPolicies.list
compute.firewalls.list
compute.forwardingRules.list
compute.
compute.
compute.instanceGroups.list
compute.instances.get
compute.instances.list
compute.regionSslPolicies.list
compute.
compute.regionUrlMaps.list
compute.routers.list
compute.securityPolicies.list
compute.sslCertificates.list
compute.sslPolicies.list
compute.subnetworks.list
compute.targetHttpProxies.list
compute.targetSslProxies.list
compute.urlMaps.list
compute.vpnGateways.list
compute.zones.list
container.clusters.get
container.clusters.list
dlp.inspectTemplates.list
dlp.jobTriggers.list
dns.managedZones.list
iam.serviceAccounts.get
iam.
logging.buckets.list
monitoring.alertPolicies.list
monitoring.timeSeries.list
orgpolicy.constraints.list
orgpolicy.policy.get
privateca.certificates.list
recommender.
recommender.
recommender.locations.*
resourcemanager.folders.get
resourcemanager.
resourcemanager.folders.list
resourcemanager.
resourcemanager.
resourcemanager.
resourcemanager.
resourcemanager.projects.get
resourcemanager.
resourcemanager.projects.list
resourcemanager.tagHolds.list
resourcemanager.tagKeys.get
resourcemanager.tagKeys.list
resourcemanager.tagValues.get
resourcemanager.tagValues.list
secretmanager.secrets.list
serviceusage.quotas.get
serviceusage.services.get
serviceusage.services.list
storage.buckets.get
storage.buckets.getIamPolicy
storage.buckets.list
AutoML Service Agent
(roles/)
AutoML service agent can act as Cloud Storage admin and export BigQuery tables, which can be backed by Cloud Storage and Cloud Bigtable.
Warning: Do not grant service agent roles to any principals except
service agents .
bigquery.datasets.create
bigquery.datasets.get
bigquery.jobs.create
bigquery.tables.create
bigquery.tables.export
bigquery.tables.get
bigquery.tables.getData
bigquery.tables.update
bigquery.tables.updateData
bigtable.tables.get
bigtable.tables.list
bigtable.tables.readRows
serviceusage.services.use
storage.buckets.get
storage.objects.create
storage.objects.delete
storage.objects.get
storage.objects.list
storage.objects.update
Recommendations AI Service Agent
(roles/)
Recommendations AI service uploads catalog feeds from Cloud Storage, reports results to the customer Cloud Storage bucket, writes logs to customer projects, and writes and reads Stackdriver metrics for customer projects.
Warning: Do not grant service agent roles to any principals except
service agents .
bigquery.datasets.create
bigquery.datasets.get
bigquery.jobs.create
bigquery.jobs.get
bigquery.jobs.list
bigquery.jobs.update
bigquery.tables.create
bigquery.tables.export
bigquery.tables.get
bigquery.tables.getData
bigquery.tables.list
bigquery.tables.update
bigquery.tables.updateData
cloudnotifications.
dataflow.jobs.*
dataflow.messages.list
dataflow.metrics.get
logging.logEntries.create
logging.logEntries.route
monitoring.alertPolicies.get
monitoring.alertPolicies.list
monitoring.
monitoring.
monitoring.dashboards.get
monitoring.dashboards.list
monitoring.groups.get
monitoring.groups.list
monitoring.
monitoring.
monitoring.
monitoring.
monitoring.
monitoring.
monitoring.
monitoring.services.get
monitoring.services.list
monitoring.slos.get
monitoring.slos.list
monitoring.snoozes.get
monitoring.snoozes.list
monitoring.timeSeries.*
monitoring.
monitoring.
opsconfigmonitoring.
resourcemanager.projects.get
resourcemanager.projects.list
stackdriver.projects.get
stackdriver.
storage.buckets.create
storage.buckets.get
storage.objects.create
storage.objects.delete
storage.objects.get
storage.objects.list
storage.objects.update
Backup and DR Service Agent
(roles/)
Grants the Backup and DR Service access to protect Compute Engine instances.
Warning: Do not grant service agent roles to any principals except
service agents .
cloudsql.instances.get
compute.addresses.list
compute.addresses.use
compute.addresses.useInternal
compute.diskTypes.*
compute.disks.create
compute.disks.createSnapshot
compute.disks.delete
compute.disks.get
compute.disks.list
compute.disks.setLabels
compute.disks.use
compute.disks.useReadOnly
compute.firewalls.list
compute.globalOperations.get
compute.images.create
compute.images.delete
compute.images.get
compute.images.useReadOnly
compute.instances.attachDisk
compute.instances.create
compute.instances.delete
compute.instances.detachDisk
compute.instances.get
compute.instances.list
compute.instances.setLabels
compute.instances.setMetadata
compute.
compute.instances.setTags
compute.instances.start
compute.instances.stop
compute.instances.useReadOnly
compute.machineTypes.*
compute.networks.list
compute.nodeGroups.get
compute.nodeGroups.list
compute.nodeTemplates.get
compute.projects.get
compute.regionOperations.get
compute.regions.*
compute.snapshots.create
compute.snapshots.delete
compute.snapshots.get
compute.snapshots.setLabels
compute.snapshots.useReadOnly
compute.subnetworks.list
compute.subnetworks.use
compute.
compute.zoneOperations.get
compute.zones.list
iam.serviceAccounts.actAs
iam.serviceAccounts.get
iam.serviceAccounts.list
resourcemanager.projects.get
resourcemanager.projects.list
(roles/)
Gives permission to manage network resources such as interconnect pairing keys, required for Bare Metal Solution.
Warning: Do not grant service agent roles to any principals except
service agents .
compute.
compute.
compute.interconnects.get
compute.interconnects.list
compute.networks.get
compute.networks.list
compute.projects.get
resourcemanager.projects.get
Google Batch Service Agent
(roles/)
Gives Google Batch account access to manage customer resources.
Warning: Do not grant service agent roles to any principals except
service agents .
backupdr.
backupdr.
backupdr.
backupdr.
backupdr.backupPlans.get
backupdr.backupPlans.list
backupdr.
backupdr.backupVaults.get
backupdr.backupVaults.list
backupdr.locations.list
backupdr.operations.get
backupdr.operations.list
backupdr.
compute.acceleratorTypes.*
compute.
compute.
compute.addresses.get
compute.addresses.list
compute.
compute.
compute.addresses.use
compute.addresses.useInternal
compute.autoscalers.*
compute.backendBuckets.get
compute.backendBuckets.list
compute.
compute.
compute.backendServices.get
compute.backendServices.list
compute.
compute.
compute.crossSiteNetworks.get
compute.crossSiteNetworks.list
compute.diskSettings.get
compute.diskTypes.*
compute.
compute.disks.create
compute.disks.createSnapshot
compute.disks.createTagBinding
compute.disks.delete
compute.disks.deleteTagBinding
compute.disks.get
compute.disks.getIamPolicy
compute.disks.list
compute.
compute.disks.listTagBindings
compute.
compute.disks.resize
compute.disks.setLabels
compute.
compute.
compute.
compute.disks.update
compute.disks.use
compute.disks.useReadOnly
compute.
compute.
compute.
compute.
compute.firewalls.get
compute.firewalls.list
compute.
compute.
compute.forwardingRules.get
compute.forwardingRules.list
compute.
compute.
compute.globalAddresses.get
compute.globalAddresses.list
compute.
compute.
compute.globalAddresses.use
compute.
compute.
compute.
compute.
compute.
compute.globalOperations.get
compute.globalOperations.list
compute.healthChecks.get
compute.healthChecks.list
compute.
compute.
compute.httpHealthChecks.get
compute.httpHealthChecks.list
compute.
compute.
compute.httpsHealthChecks.get
compute.httpsHealthChecks.list
compute.
compute.
compute.images.create
compute.
compute.images.delete
compute.
compute.images.deprecate
compute.images.get
compute.images.getFromFamily
compute.images.getIamPolicy
compute.images.list
compute.
compute.images.listTagBindings
compute.images.setLabels
compute.images.update
compute.images.useReadOnly
compute.
compute.instanceGroups.*
compute.instanceSettings.*
compute.
compute.
compute.instanceTemplates.get
compute.
compute.instanceTemplates.list
compute.
compute.
compute.
compute.
compute.instances.attachDisk
compute.instances.create
compute.
compute.instances.delete
compute.
compute.
compute.
compute.instances.detachDisk
compute.instances.get
compute.
compute.
compute.instances.getIamPolicy
compute.
compute.
compute.
compute.
compute.instances.list
compute.
compute.
compute.
compute.instances.osAdminLogin
compute.instances.osLogin
compute.
compute.
compute.instances.reset
compute.instances.resume
compute.
compute.
compute.
compute.instances.setLabels
compute.
compute.
compute.instances.setMetadata
compute.
compute.instances.setName
compute.
compute.
compute.
compute.
compute.
compute.instances.setTags
compute.
compute.instances.start
compute.
compute.instances.stop
compute.instances.suspend
compute.instances.update
compute.
compute.
compute.
compute.
compute.
compute.
compute.instances.use
compute.instances.useReadOnly
compute.
compute.
compute.
compute.instantSnapshots.get
compute.
compute.instantSnapshots.list
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.interconnects.get
compute.interconnects.list
compute.
compute.
compute.licenseCodes.get
compute.
compute.licenseCodes.list
compute.licenseCodes.update
compute.licenses.create
compute.licenses.delete
compute.licenses.get
compute.licenses.getIamPolicy
compute.licenses.list
compute.machineImages.create
compute.machineImages.delete
compute.machineImages.get
compute.
compute.machineImages.list
compute.
compute.
compute.machineTypes.*
compute.multiMig.*
compute.networkAttachments.get
compute.
compute.
compute.
compute.
compute.networkProfiles.*
compute.networks.get
compute.networks.list
compute.
compute.
compute.networks.use
compute.networks.useExternalIp
compute.projects.get
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.regionHealthChecks.get
compute.
compute.
compute.
compute.
compute.
compute.
compute.regionOperations.get
compute.regionOperations.list
compute.
compute.
compute.
compute.
compute.regionSslPolicies.get
compute.regionSslPolicies.list
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.regionUrlMaps.get
compute.regionUrlMaps.list
compute.
compute.
compute.regions.*
compute.reservationBlocks.get
compute.reservationBlocks.list
compute.reservations.get
compute.reservations.list
compute.
compute.
compute.resourcePolicies.get
compute.
compute.resourcePolicies.list
compute.
compute.resourcePolicies.use
compute.
compute.routers.get
compute.routers.getRoutePolicy
compute.routers.list
compute.routers.listBgpRoutes
compute.
compute.
compute.
compute.routes.get
compute.routes.list
compute.
compute.routes.listTagBindings
compute.serviceAttachments.get
compute.
compute.
compute.
compute.snapshots.create
compute.
compute.snapshots.delete
compute.
compute.snapshots.get
compute.snapshots.getIamPolicy
compute.snapshots.list
compute.
compute.
compute.snapshots.setLabels
compute.snapshots.useReadOnly
compute.spotAssistants.get
compute.sslCertificates.get
compute.sslCertificates.list
compute.
compute.
compute.sslPolicies.get
compute.sslPolicies.list
compute.
compute.
compute.
compute.storagePools.get
compute.storagePools.list
compute.storagePools.use
compute.subnetworks.get
compute.subnetworks.list
compute.
compute.
compute.subnetworks.use
compute.
compute.targetGrpcProxies.get
compute.targetGrpcProxies.list
compute.
compute.
compute.targetHttpProxies.get
compute.targetHttpProxies.list
compute.
compute.
compute.targetHttpsProxies.get
compute.
compute.
compute.
compute.targetInstances.get
compute.targetInstances.list
compute.
compute.
compute.targetPools.get
compute.targetPools.list
compute.
compute.
compute.targetSslProxies.get
compute.targetSslProxies.list
compute.
compute.
compute.targetTcpProxies.get
compute.targetTcpProxies.list
compute.
compute.
compute.targetVpnGateways.get
compute.targetVpnGateways.list
compute.
compute.
compute.urlMaps.get
compute.urlMaps.list
compute.
compute.
compute.vpnGateways.get
compute.vpnGateways.list
compute.
compute.
compute.vpnTunnels.get
compute.vpnTunnels.list
compute.
compute.
compute.wireGroups.get
compute.wireGroups.list
compute.zoneOperations.get
compute.zoneOperations.list
compute.zones.*
iam.serviceAccounts.actAs
pubsub.topics.publish
resourcemanager.projects.get
resourcemanager.projects.list
serviceusage.quotas.get
serviceusage.services.get
serviceusage.services.list
serviceusage.services.use
BigQuery Connection Service Agent
(roles/)
Gives BigQuery Connection Service access to Cloud SQL instances in user projects.
Warning: Do not grant service agent roles to any principals except
service agents .
cloudsql.instances.connect
cloudsql.instances.get
logging.logEntries.create
logging.logEntries.route
monitoring.
monitoring.
monitoring.
monitoring.
monitoring.timeSeries.create
BigQuery Continuous Query Service Agent
(roles/)
Gives BigQuery Continuous Query access to the service accounts in the user project.
Warning: Do not grant service agent roles to any principals except
service agents .
iam.
BigQuery Data Transfer Service Agent
(roles/)
Gives BigQuery Data Transfer Service access to start BigQuery jobs in consumer project.
Warning: Do not grant service agent roles to any principals except
service agents .
bigquery.config.get
bigquery.jobs.create
compute.networkAttachments.get
compute.
compute.regionOperations.get
compute.subnetworks.use
dataform.locations.*
dataform.repositories.create
dataform.repositories.list
iam.
logging.logEntries.create
logging.logEntries.route
resourcemanager.projects.get
resourcemanager.projects.list
BigQuery Omni Service Agent
(roles/)
Gives BigQuery Omni access to tables in user projects.
Warning: Do not grant service agent roles to any principals except
service agents .
bigquery.jobs.create
bigquery.tables.updateData
BigQuery Spark Service Agent
(roles/)
Gives BigQuery Spark access to the service accounts in the user project.
Warning: Do not grant service agent roles to any principals except
service agents .
iam.
Binary Authorization Service Agent
(roles/)
Can read Notes and Occurrences from the Container Analysis Service to find and verify signatures.
Warning: Do not grant service agent roles to any principals except
service agents .
artifactregistry.
artifactregistry.
binaryauthorization.
binaryauthorization.
binaryauthorization.
binaryauthorization.
binaryauthorization.
cloudasset.
cloudasset.feeds.create
cloudasset.feeds.delete
cloudasset.feeds.get
cloudasset.feeds.update
containeranalysis.notes.get
containeranalysis.notes.list
containeranalysis.
containeranalysis.
containeranalysis.
resourcemanager.projects.get
resourcemanager.projects.list
storage.objects.list
Blockchain Node Engine Service Agent
(roles/)
Grants Blockchain Node Engine access to metrics in user project
Warning: Do not grant service agent roles to any principals except
service agents .
monitoring.timeSeries.list
Certificate Manager Service Agent
(roles/)
Grants Certificate Manager access to services and APIs in the user project.
Warning: Do not grant service agent roles to any principals except
service agents .
certificatemanager.
Chronicle Service Agent
(roles/)
Grants Chronicle scoped access to customer project
Warning: Do not grant service agent roles to any principals except
service agents .
bigquery.connections.create
bigquery.connections.delegate
bigquery.connections.delete
bigquery.connections.get
bigquery.
bigquery.connections.list
bigquery.connections.update
bigquery.connections.updateTag
bigquery.connections.use
bigquery.datasets.create
bigquery.jobs.create
bigquery.jobs.get
bigquery.tables.create
bigquery.tables.delete
bigquery.tables.get
bigquery.tables.update
bigquery.tables.updateData
chronicle.dashboards.copy
chronicle.dashboards.create
chronicle.dashboards.get
chronicle.dashboards.list
chronicle.events.udmSearch
chronicle.instances.get
chronicle.
chronicle.
chronicle.
chronicle.
chronicle.
chronicle.
chronicle.
chronicle.
chronicle.referenceLists.get
chronicle.referenceLists.list
chronicle.
chronicle.retrohunts.create
chronicle.rules.get
monitoring.
monitoring.
monitoring.alertPolicies.get
monitoring.alertPolicies.list
monitoring.
serviceusage.quotas.get
serviceusage.services.enable
serviceusage.services.get
serviceusage.services.list
storage.buckets.create
storage.buckets.get
storage.buckets.getIamPolicy
storage.buckets.setIamPolicy
storage.objects.create
storage.objects.delete
storage.objects.get
storage.objects.list
Chronicle SOAR Service Agent
(roles/)
Gives Chronicle SOAR the ability to perform remediation on Cloud Platform resources.
Warning: Do not grant service agent roles to any principals except
service agents .
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
compute.firewalls.get
compute.firewalls.update
compute.
compute.instances.get
compute.instances.list
compute.instances.stop
compute.
compute.networks.updatePolicy
compute.zones.list
iam.serviceAccounts.disable
iam.serviceAccounts.list
recommender.
resourcemanager.
securitycenter.
securitycenter.findings.list
securitycenter.
securitycenter.
securitycenter.findings.update
securitycenter.
securitycenter.
securitycenter.
securitycenter.
securitycenter.sources.list
storage.buckets.get
storage.buckets.getIamPolicy
storage.buckets.list
storage.buckets.update
CIEM Service Agent
(roles/)
Gives CIEM Service Account permission to access GCP resources
Warning: Do not grant service agent roles to any principals except
service agents .
cloudasset.
cloudasset.
resourcemanager.
Gemini for Google Cloud Service Agent
(roles/)
Gives Gemini for Google Cloud components the proper permissions to function.
Warning: Do not grant service agent roles to any principals except
service agents .
cloudaicompanion.
cloudaicompanion.
cloudaicompanion.
cloudaicompanion.
cloudaicompanion.
cloudbuild.connections.get
cloudbuild.
cloudbuild.
cloudbuild.repositories.get
cloudbuild.repositories.list
developerconnect.
developerconnect.
developerconnect.
developerconnect.
developerconnect.
developerconnect.
logging.logEntries.create
logging.logEntries.route
monitoring.
monitoring.
monitoring.
monitoring.
monitoring.timeSeries.create
serviceusage.services.use
Effective Policies Service Agent
(roles/)
Give effective policy service account access to search all resources and IAM policies.
Warning: Do not grant service agent roles to any principals except
service age 