Comprende las funciones

Cuando una identidad llama a una API de Google Cloud Platform, Cloud Identity and Access Management exige que esta tenga los permisos necesarios para usar el recurso. Puedes otorgar permisos si asignas funciones a un usuario, a un grupo o una cuenta de servicio.

En esta página, se describen las funciones de Cloud IAM que puedes asignar a las identidades para que accedan a los recursos de Cloud Platform.

Requisitos previos para esta guía

Tipos de funciones

Existen tres tipos de funciones en Cloud IAM:

  • Funciones básicas que incluyen las funciones de propietario, editor y lector que existían antes de la introducción de Cloud IAM
  • Funciones predefinidas administradas por GCP y proporcionan acceso detallado a un servicio específico
  • Funciones personalizadas que proporcionan acceso detallado según una lista de permisos especificada por el usuario

Para determinar si se incluyen uno o más permisos en una función básica, predefinida o personalizada, puedes usar uno de los métodos siguientes:

En las secciones a continuación, se describe cada tipo de función y se proporcionan ejemplos sobre cómo usarlos.

Funciones básicas

Hay tres funciones que existían antes de la introducción de Cloud IAM: la de propietario, editor y lector. Estas funciones son concéntricas; es decir, la función de propietario incluye los permisos en la función de editor y esta última incluye los permisos en la función de lector.

En la tabla siguiente, se resumen los permisos que incluyen las funciones básicas en todos los servicios de GCP:

Definiciones de funciones básicas

Nombre Cargo Permisos
roles/viewer Lector Permisos para acciones de solo lectura que no afectan el estado, como leer (pero no modificar) los recursos o datos existentes.
roles/editor Editor Todos los permisos de la función de lector además de los permisos adicionales para acciones que modifican el estado, como el cambio de recursos existentes.
Nota: Aunque la función de roles/editor contiene los permisos para crear y borrar recursos en la mayoría de los servicios de GCP, algunos servicios (como Cloud Source Repositories y Stackdriver) no incluyen estos permisos. Consulta la sección anterior para obtener más información sobre cómo verificar si una función tiene los permisos que necesitas.
roles/owner Propietario Todos los permisos de editor además de los permisos para realizar las acciones siguientes:
  • Administrar funciones y permisos de un proyecto y todos los recursos dentro de este
  • Configurar la facturación de un proyecto
Nota:
  • Si se asigna la función de propietario a nivel de recursos, como un tema de Cloud Pub/Sub, no se la otorga al proyecto principal.
  • La función de propietario no contiene ningún permiso para el recurso de la organización. Por lo tanto, si se otorga la función de propietario a nivel de la organización, esto no te permite actualizar los metadatos de la organización. Sin embargo, sí te permite modificar proyectos bajo esa organización.

Puedes aplicar funciones básicas en los niveles de proyecto o servicio con GCP Console, la API y la herramienta de línea de comandos de gcloud.

Flujo de invitación

No puedes asignar la función de propietario a un miembro para un proyecto con la API de Cloud IAM o la herramienta de línea de comandos de gcloud. Solo puedes agregar propietarios a un proyecto con GCP Console. Se enviará una invitación al miembro por correo electrónico y este deberá aceptarla para que se convierta en propietario del proyecto.

Ten en cuenta que los correos electrónicos de invitación no se envían en los casos siguientes:

  • Cuando asignas una función que no sea la de propietario
  • Cuando un miembro de la organización agrega otro miembro de su organización como propietario de un proyecto dentro de esa

Funciones predefinidas

Además de las funciones básicas, Cloud IAM proporciona funciones predefinidas adicionales que brindan acceso detallado a recursos específicos de Google Cloud Platform y evitan el acceso no deseado a otros recursos.

En la tabla siguiente, se enumeran estas funciones, sus descripciones y el tipo de recurso de nivel más bajo en el que se pueden establecer las funciones. Se puede asignar una función en particular para este tipo de recurso o, en la mayoría de los casos, cualquier tipo que se encuentre por encima de este en la jerarquía de GCP. Puedes asignar varias funciones al mismo usuario. Por ejemplo, el mismo usuario puede tener funciones de administrador de red y de visor de registros en un proyecto y también tener una función de publicador para un tema de Pub/Sub dentro de ese proyecto. Para obtener una lista de los permisos que contiene una función, consulta Cómo obtener los metadatos de la función.

App Engine Roles

Role Title Description Permissions Lowest Resource
roles/
appengine.appAdmin		 App Engine Admin Read/Write/Modify access to all application configuration and settings. appengine.applications.get
appengine.applications.update
appengine.instances.*
appengine.operations.*
appengine.runtimes.*
appengine.services.*
appengine.versions.create
appengine.versions.delete
appengine.versions.get
appengine.versions.list
appengine.versions.update
resourcemanager.projects.get
resourcemanager.projects.list
 Project
roles/
appengine.appViewer		 App Engine Viewer Read-only access to all application configuration and settings. appengine.applications.get
appengine.instances.get
appengine.instances.list
appengine.operations.*
appengine.services.get
appengine.services.list
appengine.versions.get
appengine.versions.list
resourcemanager.projects.get
resourcemanager.projects.list
 Project
roles/
appengine.codeViewer		 App Engine Code Viewer Read-only access to all application configuration, settings, and deployed source code. appengine.applications.get
appengine.instances.get
appengine.instances.list
appengine.operations.*
appengine.services.get
appengine.services.list
appengine.versions.get
appengine.versions.getFileContents
appengine.versions.list
resourcemanager.projects.get
resourcemanager.projects.list
 Project
roles/
appengine.deployer		 App Engine Deployer Read-only access to all application configuration and settings.

Write access only to create a new version; cannot modify existing versions other than deleting versions that are not receiving traffic.

Note: The App Engine Deployer (roles/appengine.deployer) role alone grants adequate permission to deploy using the App Engine Admin API. To use other App Engine tooling, like gcloud commands, you must also have the Compute Storage Admin (roles/compute.storageAdmin) and Cloud Build Editor (cloudbuild.builds.editor) roles. 		appengine.applications.get
appengine.instances.get
appengine.instances.list
appengine.operations.*
appengine.services.get
appengine.services.list
appengine.versions.create
appengine.versions.delete
appengine.versions.get
appengine.versions.list
resourcemanager.projects.get
resourcemanager.projects.list
 Project
roles/
appengine.serviceAdmin		 App Engine Service Admin Read-only access to all application configuration and settings.
Write access to module-level and version-level settings. Cannot deploy a new version. 		appengine.applications.get
appengine.instances.*
appengine.operations.*
appengine.services.*
appengine.versions.delete
appengine.versions.get
appengine.versions.list
appengine.versions.update
resourcemanager.projects.get
resourcemanager.projects.list
 Project

AutoML Roles

Role Title Description Permissions Lowest Resource
roles/
automl.admin		 AutoML Admin Beta Full access to all AutoML resources automl.*
resourcemanager.projects.get
resourcemanager.projects.list
serviceusage.services.list
roles/
automl.editor		 AutoML Editor Beta Editor of all AutoML resources automl.annotationSpecs.*
automl.annotations.*
automl.columnSpecs.*
automl.datasets.create
automl.datasets.delete
automl.datasets.export
automl.datasets.get
automl.datasets.import
automl.datasets.list
automl.datasets.update
automl.examples.*
automl.humanAnnotationTasks.*
automl.locations.get
automl.locations.list
automl.modelEvaluations.*
automl.models.create
automl.models.delete
automl.models.deploy
automl.models.export
automl.models.get
automl.models.list
automl.models.predict
automl.models.undeploy
automl.operations.*
automl.tableSpecs.*
resourcemanager.projects.get
resourcemanager.projects.list
serviceusage.services.list
roles/
automl.predictor		 AutoML Predictor Beta Predict using models automl.models.predict
resourcemanager.projects.get
resourcemanager.projects.list
roles/
automl.viewer		 AutoML Viewer Beta Viewer of all AutoML resources automl.annotationSpecs.get
automl.annotationSpecs.list
automl.annotations.list
automl.columnSpecs.get
automl.columnSpecs.list
automl.datasets.get
automl.datasets.list
automl.examples.get
automl.examples.list
automl.humanAnnotationTasks.get
automl.humanAnnotationTasks.list
automl.locations.get
automl.locations.list
automl.modelEvaluations.get
automl.modelEvaluations.list
automl.models.get
automl.models.list
automl.operations.get
automl.operations.list
automl.tableSpecs.get
automl.tableSpecs.list
resourcemanager.projects.get
resourcemanager.projects.list
serviceusage.services.list

BigQuery Roles

Role Title Description Permissions Lowest Resource
roles/
bigquery.admin		 BigQuery Admin Provides permissions to manage all resources within the project. Can manage all data within the project, and can cancel jobs from other users running within the project. bigquery.*
resourcemanager.projects.get
resourcemanager.projects.list
 Project
roles/
bigquery.dataEditor		 BigQuery Data Editor

When applied to a dataset, dataEditor provides permissions to:

  • Read the dataset's metadata and to list tables in the dataset.
  • Create, update, get, and delete the dataset's tables.

When applied at the project or organization level, this role can also create new datasets.

bigquery.datasets.create
bigquery.datasets.get
bigquery.datasets.getIamPolicy
bigquery.tables.*
resourcemanager.projects.get
resourcemanager.projects.list
 Dataset
roles/
bigquery.dataOwner		 BigQuery Data Owner

When applied to a dataset, dataOwner provides permissions to:

  • Read, update, and delete the dataset.
  • Create, update, get, and delete the dataset's tables.

When applied at the project or organization level, this role can also create new datasets.

bigquery.datasets.*
bigquery.tables.*
resourcemanager.projects.get
resourcemanager.projects.list
 Dataset
roles/
bigquery.dataViewer		 BigQuery Data Viewer

When applied to a dataset, dataViewer provides permissions to:

  • Read the dataset's metadata and to list tables in the dataset.
  • Read data and metadata from the dataset's tables.

When applied at the project or organization level, this role can also enumerate all datasets in the project. Additional roles, however, are necessary to allow the running of jobs.

bigquery.datasets.get
bigquery.datasets.getIamPolicy
bigquery.tables.export
bigquery.tables.get
bigquery.tables.getData
bigquery.tables.list
resourcemanager.projects.get
resourcemanager.projects.list
 Dataset
roles/
bigquery.jobUser		 BigQuery Job User Provides permissions to run jobs, including queries, within the project. The jobUser role can enumerate their own jobs and cancel their own jobs. bigquery.jobs.create
resourcemanager.projects.get
resourcemanager.projects.list
 Project
roles/
bigquery.metadataViewer		 BigQuery Metadata Viewer

When applied at the project or organization level, metadataViewer provides permissions to:

  • List all datasets and read metadata for all datasets in the project.
  • List all tables and views and read metadata for all tables and views in the project.

Additional roles are necessary to allow the running of jobs.

bigquery.datasets.get
bigquery.datasets.getIamPolicy
bigquery.tables.get
bigquery.tables.list
resourcemanager.projects.get
resourcemanager.projects.list
 Project
roles/
bigquery.readSessionUser		 BigQuery Read Session User Beta Access to create and use read sessions bigquery.readsessions.*
resourcemanager.projects.get
resourcemanager.projects.list
roles/
bigquery.user		 BigQuery User Provides permissions to run jobs, including queries, within the project. The user role can enumerate their own jobs, cancel their own jobs, and enumerate datasets within a project. Additionally, allows the creation of new datasets within the project; the creator is granted the bigquery.dataOwner role for these new datasets. bigquery.config.get
bigquery.datasets.create
bigquery.datasets.get
bigquery.datasets.getIamPolicy
bigquery.jobs.create
bigquery.jobs.list
bigquery.readsessions.*
bigquery.savedqueries.get
bigquery.savedqueries.list
bigquery.tables.list
bigquery.transfers.get
resourcemanager.projects.get
resourcemanager.projects.list
 Project

Billing Roles

Role Title Description Permissions Lowest Resource
roles/
billing.admin		 Billing Account Administrator Provides access to see and manage all aspects of billing accounts. billing.accounts.close
billing.accounts.get
billing.accounts.getIamPolicy
billing.accounts.getPaymentInfo
billing.accounts.getSpendingInformation
billing.accounts.getUsageExportSpec
billing.accounts.list
billing.accounts.move
billing.accounts.redeemPromotion
billing.accounts.removeFromOrganization
billing.accounts.reopen
billing.accounts.setIamPolicy
billing.accounts.update
billing.accounts.updatePaymentInfo
billing.accounts.updateUsageExportSpec
billing.budgets.*
billing.credits.*
billing.resourceAssociations.*
billing.subscriptions.*
cloudnotifications.*
logging.logEntries.list
logging.logServiceIndexes.*
logging.logServices.*
logging.logs.list
logging.privateLogEntries.*
resourcemanager.projects.createBillingAssignment
resourcemanager.projects.deleteBillingAssignment
 Billing Account
roles/
billing.creator		 Billing Account Creator Provides access to create billing accounts. billing.accounts.create
resourcemanager.organizations.get
 Project
roles/
billing.projectManager		 Project Billing Manager Provides access to assign a project's billing account or disable its billing. resourcemanager.projects.createBillingAssignment
resourcemanager.projects.deleteBillingAssignment
 Project
roles/
billing.user		 Billing Account User Provides access to associate projects with billing accounts. billing.accounts.get
billing.accounts.getIamPolicy
billing.accounts.list
billing.accounts.redeemPromotion
billing.credits.*
billing.resourceAssociations.create
 Billing Account
roles/
billing.viewer		 Billing Account Viewer View billing account cost information and transactions. billing.accounts.get
billing.accounts.getIamPolicy
billing.accounts.getPaymentInfo
billing.accounts.getSpendingInformation
billing.accounts.getUsageExportSpec
billing.accounts.list
billing.budgets.get
billing.budgets.list
billing.credits.*
billing.resourceAssociations.list
billing.subscriptions.get
billing.subscriptions.list
 Organization
Billing Account

Binary Authorization Roles

Role Title Description Permissions Lowest Resource
roles/
binaryauthorization.attestorsAdmin		 Binary Authorization Attestor Admin Beta Adminstrator of Binary Authorization Attestors binaryauthorization.attestors.*
resourcemanager.projects.get
resourcemanager.projects.list
roles/
binaryauthorization.attestorsEditor		 Binary Authorization Attestor Editor Beta Editor of Binary Authorization Attestors binaryauthorization.attestors.create
binaryauthorization.attestors.delete
binaryauthorization.attestors.get
binaryauthorization.attestors.list
binaryauthorization.attestors.update
binaryauthorization.attestors.verifyImageAttested
resourcemanager.projects.get
resourcemanager.projects.list
roles/
binaryauthorization.attestorsVerifier		 Binary Authorization Attestor Image Verifier Beta Caller of Binary Authorization Attestors VerifyImageAttested binaryauthorization.attestors.get
binaryauthorization.attestors.list
binaryauthorization.attestors.verifyImageAttested
resourcemanager.projects.get
resourcemanager.projects.list
roles/
binaryauthorization.attestorsViewer		 Binary Authorization Attestor Viewer Beta Viewer of Binary Authorization Attestors binaryauthorization.attestors.get
binaryauthorization.attestors.list
resourcemanager.projects.get
resourcemanager.projects.list
roles/
binaryauthorization.policyAdmin		 Binary Authorization Policy Administrator Beta Administrator of Binary Authorization Policy binaryauthorization.policy.*
resourcemanager.projects.get
resourcemanager.projects.list
roles/
binaryauthorization.policyEditor		 Binary Authorization Policy Editor Beta Editor of Binary Authorization Policy binaryauthorization.policy.get
binaryauthorization.policy.update
resourcemanager.projects.get
resourcemanager.projects.list
roles/
binaryauthorization.policyViewer		 Binary Authorization Policy Viewer Beta Viewer of Binary Authorization Policy binaryauthorization.policy.get
resourcemanager.projects.get
resourcemanager.projects.list

Cloud Bigtable Roles

Role Title Description Permissions Lowest Resource
roles/
bigtable.admin		 Bigtable Administrator Administers all instances within a project, including the data stored within tables. Can create new instances. Intended for project administrators. bigtable.*
monitoring.metricDescriptors.get
monitoring.metricDescriptors.list
monitoring.timeSeries.list
resourcemanager.projects.get
 Instance
roles/
bigtable.reader		 Bigtable Reader Provides read-only access to the data stored within tables. Intended for data scientists, dashboard generators, and other data-analysis scenarios. bigtable.appProfiles.get
bigtable.appProfiles.list
bigtable.clusters.get
bigtable.clusters.list
bigtable.instances.get
bigtable.instances.list
bigtable.tables.checkConsistency
bigtable.tables.generateConsistencyToken
bigtable.tables.get
bigtable.tables.list
bigtable.tables.readRows
bigtable.tables.sampleRowKeys
monitoring.metricDescriptors.get
monitoring.metricDescriptors.list
monitoring.timeSeries.list
resourcemanager.projects.get
 Instance
roles/
bigtable.user		 Bigtable User Provides read-write access to the data stored within tables. Intended for application developers or service accounts. bigtable.appProfiles.get
bigtable.appProfiles.list
bigtable.clusters.get
bigtable.clusters.list
bigtable.instances.get
bigtable.instances.list
bigtable.tables.checkConsistency
bigtable.tables.generateConsistencyToken
bigtable.tables.get
bigtable.tables.list
bigtable.tables.mutateRows
bigtable.tables.readRows
bigtable.tables.sampleRowKeys
monitoring.metricDescriptors.get
monitoring.metricDescriptors.list
monitoring.timeSeries.list
resourcemanager.projects.get
 Instance
roles/
bigtable.viewer		 Bigtable Viewer Provides no data access. Intended as a minimal set of permissions to access the GCP Console for Cloud Bigtable. bigtable.appProfiles.get
bigtable.appProfiles.list
bigtable.clusters.get
bigtable.clusters.list
bigtable.instances.get
bigtable.instances.list
bigtable.tables.checkConsistency
bigtable.tables.generateConsistencyToken
bigtable.tables.get
bigtable.tables.list
monitoring.metricDescriptors.get
monitoring.metricDescriptors.list
monitoring.timeSeries.list
resourcemanager.projects.get
 Instance

Cloud Composer Roles

Role Title Description Permissions Lowest Resource
roles/
composer.admin		 Composer Administrator Provides full control of Cloud Composer resources. composer.*
serviceusage.quotas.get
serviceusage.services.get
serviceusage.services.list
 Project
roles/
composer.environmentAndStorageObjectAdmin		 Environment and Storage Object Administrator Provides full control of Cloud Composer resources and of the objects in all project buckets. composer.*
resourcemanager.projects.get
resourcemanager.projects.list
serviceusage.quotas.get
serviceusage.services.get
serviceusage.services.list
storage.objects.*
 Project
roles/
composer.environmentAndStorageObjectViewer		 Environment User and Storage Object Viewer Provides the permissions nessesary to list and get Cloud Composer environments and operations. Provides read-only access to objects in all project buckets. composer.environments.get
composer.environments.list
composer.operations.get
composer.operations.list
resourcemanager.projects.get
resourcemanager.projects.list
serviceusage.quotas.get
serviceusage.services.get
serviceusage.services.list
storage.objects.get
storage.objects.list
 Project
roles/
composer.user		 Composer User Provides the permissions necessary to list and get Cloud Composer environments and operations. composer.environments.get
composer.environments.list
composer.operations.get
composer.operations.list
serviceusage.quotas.get
serviceusage.services.get
serviceusage.services.list
 Project
roles/
composer.worker		 Composer Worker Provides the permissions necessary to run a Cloud Composer environment VM. Intended for service accounts. cloudbuild.*
container.*
logging.logEntries.create
monitoring.metricDescriptors.create
monitoring.metricDescriptors.get
monitoring.metricDescriptors.list
monitoring.monitoredResourceDescriptors.*
monitoring.timeSeries.create
pubsub.snapshots.create
pubsub.snapshots.delete
pubsub.snapshots.get
pubsub.snapshots.list
pubsub.snapshots.seek
pubsub.snapshots.update
pubsub.subscriptions.consume
pubsub.subscriptions.create
pubsub.subscriptions.delete
pubsub.subscriptions.get
pubsub.subscriptions.list
pubsub.subscriptions.update
pubsub.topics.attachSubscription
pubsub.topics.create
pubsub.topics.delete
pubsub.topics.get
pubsub.topics.list
pubsub.topics.publish
pubsub.topics.update
resourcemanager.projects.get
resourcemanager.projects.list
serviceusage.quotas.get
serviceusage.services.get
serviceusage.services.list
source.repos.get
source.repos.list
storage.buckets.create
storage.buckets.get
storage.buckets.list
storage.objects.*
 Project

Cloud DLP Roles

Role Title Description Permissions Lowest Resource
roles/
dlp.admin		 DLP Administrator Administer DLP including jobs and templates. dlp.*
serviceusage.services.use
roles/
dlp.analyzeRiskTemplatesEditor		 DLP Analyze Risk Templates Editor Edit DLP analyze risk templates. dlp.analyzeRiskTemplates.*
roles/
dlp.analyzeRiskTemplatesReader		 DLP Analyze Risk Templates Reader Read DLP analyze risk templates. dlp.analyzeRiskTemplates.get
dlp.analyzeRiskTemplates.list
roles/
dlp.deidentifyTemplatesEditor		 DLP De-identify Templates Editor Edit DLP de-identify templates. dlp.deidentifyTemplates.*
roles/
dlp.deidentifyTemplatesReader		 DLP De-identify Templates Reader Read DLP de-identify templates. dlp.deidentifyTemplates.get
dlp.deidentifyTemplates.list
roles/
dlp.inspectTemplatesEditor		 DLP Inspect Templates Editor Edit DLP inspect templates. dlp.inspectTemplates.*
roles/
dlp.inspectTemplatesReader		 DLP Inspect Templates Reader Read DLP inspect templates. dlp.inspectTemplates.get
dlp.inspectTemplates.list
roles/
dlp.jobTriggersEditor		 DLP Job Triggers Editor Edit job triggers configurations. dlp.jobTriggers.*
roles/
dlp.jobTriggersReader		 DLP Job Triggers Reader Read job triggers. dlp.jobTriggers.get
dlp.jobTriggers.list
roles/
dlp.jobsEditor		 DLP Jobs Editor Edit and create jobs dlp.jobs.*
dlp.kms.*
roles/
dlp.jobsReader		 DLP Jobs Reader Read jobs dlp.jobs.get
dlp.jobs.list
roles/
dlp.reader		 DLP Reader Read DLP entities, such as jobs and templates. dlp.analyzeRiskTemplates.get
dlp.analyzeRiskTemplates.list
dlp.deidentifyTemplates.get
dlp.deidentifyTemplates.list
dlp.inspectTemplates.get
dlp.inspectTemplates.list
dlp.jobTriggers.get
dlp.jobTriggers.list
dlp.jobs.get
dlp.jobs.list
dlp.storedInfoTypes.get
dlp.storedInfoTypes.list
roles/
dlp.storedInfoTypesEditor		 DLP Stored InfoTypes Editor Edit DLP stored info types. dlp.storedInfoTypes.*
roles/
dlp.storedInfoTypesReader		 DLP Stored InfoTypes Reader Read DLP stored info types. dlp.storedInfoTypes.get
dlp.storedInfoTypes.list
roles/
dlp.user		 DLP User Inspect, Redact, and De-identify Content dlp.kms.*
serviceusage.services.use

Cloud KMS Roles

Role Title Description Permissions Lowest Resource
roles/
cloudkms.admin		 Cloud KMS Admin Provides full access to Cloud KMS resources, except encrypt and decrypt operations. cloudkms.cryptoKeyVersions.create
cloudkms.cryptoKeyVersions.destroy
cloudkms.cryptoKeyVersions.get
cloudkms.cryptoKeyVersions.list
cloudkms.cryptoKeyVersions.restore
cloudkms.cryptoKeyVersions.update
cloudkms.cryptoKeys.*
cloudkms.keyRings.*
resourcemanager.projects.get
 CryptoKey
roles/
cloudkms.cryptoKeyDecrypter		 Cloud KMS CryptoKey Decrypter Provides ability to use Cloud KMS resources for decrypt operations only. cloudkms.cryptoKeyVersions.useToDecrypt
resourcemanager.projects.get
 CryptoKey
roles/
cloudkms.cryptoKeyEncrypter		 Cloud KMS CryptoKey Encrypter Provides ability to use Cloud KMS resources for encrypt operations only. cloudkms.cryptoKeyVersions.useToEncrypt
resourcemanager.projects.get
 CryptoKey
roles/
cloudkms.cryptoKeyEncrypterDecrypter		 Cloud KMS CryptoKey Encrypter/Decrypter Provides ability to use Cloud KMS resources for encrypt and decrypt operations only. cloudkms.cryptoKeyVersions.useToDecrypt
cloudkms.cryptoKeyVersions.useToEncrypt
resourcemanager.projects.get
 CryptoKey
roles/
cloudkms.publicKeyViewer		 Cloud KMS CryptoKey Public Key Viewer Beta Enables GetPublicKey operations cloudkms.cryptoKeyVersions.viewPublicKey
resourcemanager.projects.get
roles/
cloudkms.signer		 Cloud KMS CryptoKey Signer Beta Enables the AsymmetricSign operation cloudkms.cryptoKeyVersions.useToSign
resourcemanager.projects.get
roles/
cloudkms.signerVerifier		 Cloud KMS CryptoKey Signer/Verifier Beta Enables AsymmetricSign, and GetPublicKey operations cloudkms.cryptoKeyVersions.useToSign
cloudkms.cryptoKeyVersions.viewPublicKey
resourcemanager.projects.get

Cloud SQL Roles

Role Title Description Permissions Lowest Resource
roles/
cloudsql.admin		 Cloud SQL Admin Provides full control of Cloud SQL resources. cloudsql.*
resourcemanager.projects.get
resourcemanager.projects.list
serviceusage.quotas.get
serviceusage.services.get
serviceusage.services.list
 Project
roles/
cloudsql.client		 Cloud SQL Client Provides connectivity access to Cloud SQL instances. cloudsql.instances.connect
cloudsql.instances.get
 Project
roles/
cloudsql.editor		 Cloud SQL Editor Provides full control of existing Cloud SQL instances excluding modifying users, SSL certificates or deleting resources. cloudsql.backupRuns.create
cloudsql.backupRuns.get
cloudsql.backupRuns.list
cloudsql.databases.create
cloudsql.databases.get
cloudsql.databases.list
cloudsql.databases.update
cloudsql.instances.connect
cloudsql.instances.export
cloudsql.instances.failover
cloudsql.instances.get
cloudsql.instances.list
cloudsql.instances.restart
cloudsql.instances.truncateLog
cloudsql.instances.update
cloudsql.sslCerts.get
cloudsql.sslCerts.list
cloudsql.users.list
resourcemanager.projects.get
resourcemanager.projects.list
serviceusage.quotas.get
serviceusage.services.get
serviceusage.services.list
 Project
roles/
cloudsql.viewer		 Cloud SQL Viewer Provides read-only access to Cloud SQL resources. cloudsql.backupRuns.get
cloudsql.backupRuns.list
cloudsql.databases.get
cloudsql.databases.list
cloudsql.instances.export
cloudsql.instances.get
cloudsql.instances.list
cloudsql.sslCerts.get
cloudsql.sslCerts.list
cloudsql.users.list
resourcemanager.projects.get
resourcemanager.projects.list
serviceusage.quotas.get
serviceusage.services.get
serviceusage.services.list
 Project

Cloud Spanner Roles

Role Title Description Permissions Lowest Resource
roles/
spanner.admin		 Cloud Spanner Admin Permission to grant and revoke permissions to other principals, allocate and delete chargeable resources, issue get/list/modify operations on resources, read from and write to databases, and fetch project metadata. monitoring.timeSeries.list
resourcemanager.projects.get
resourcemanager.projects.list
spanner.*
 Project
roles/
spanner.databaseAdmin		 Cloud Spanner Database Admin Permission to get/list all Cloud Spanner resources in a project, create/list/drop databases, grant/revoke access to project databases, and read from and write to all Cloud Spanner databases in the project. monitoring.timeSeries.list
resourcemanager.projects.get
resourcemanager.projects.list
spanner.databaseOperations.*
spanner.databases.*
spanner.instances.get
spanner.instances.getIamPolicy
spanner.instances.list
spanner.sessions.*
 Project
roles/
spanner.databaseReader		 Cloud Spanner Database Reader Permission to read from the Cloud Spanner database, execute SQL queries on the database, and view the schema. spanner.databases.beginReadOnlyTransaction
spanner.databases.getDdl
spanner.databases.read
spanner.databases.select
spanner.sessions.*
 Database
roles/
spanner.databaseUser		 Cloud Spanner Database User Permission to read from and write to the Cloud Spanner database, execute SQL queries on the database, and view and update the schema. spanner.databaseOperations.*
spanner.databases.beginOrRollbackReadWriteTransaction
spanner.databases.beginReadOnlyTransaction
spanner.databases.getDdl
spanner.databases.read
spanner.databases.select
spanner.databases.updateDdl
spanner.databases.write
spanner.sessions.*
 Database
roles/
spanner.viewer		 Cloud Spanner Viewer Permission to view all Cloud Spanner instances and databases, but not modify or read from them. monitoring.timeSeries.list
resourcemanager.projects.get
resourcemanager.projects.list
spanner.databases.list
spanner.instanceConfigs.*
spanner.instances.get
spanner.instances.list
 Project

Compute Engine Roles

Role Title Description Permissions Lowest Resource
roles/
compute.admin		 Compute Admin

Full control of all Compute Engine resources.

If the user will be managing virtual machine instances that are configured to run as a service account, you must also grant the roles/iam.serviceAccountUser role.

compute.*
resourcemanager.projects.get
resourcemanager.projects.list
serviceusage.quotas.get
serviceusage.services.get
serviceusage.services.list
 Disk, image, instance, instanceTemplate, nodeGroup, nodeTemplate, snapshot Beta
roles/
compute.imageUser		 Compute Image User

Permission to list and read images without having other permissions on the image. Granting the compute.imageUser role at the project level gives users the ability to list all images in the project and create resources, such as instances and persistent disks, based on images in the project.

compute.images.get
compute.images.getFromFamily
compute.images.list
compute.images.useReadOnly
resourcemanager.projects.get
resourcemanager.projects.list
serviceusage.quotas.get
serviceusage.services.get
serviceusage.services.list
 ImageBeta
roles/
compute.instanceAdmin		 Compute Instance Admin (beta)

Permissions to create, modify, and delete virtual machine instances. This includes permissions to create, modify, and delete disks, and also to configure Shielded VM settings.

If the user will be managing virtual machine instances that are configured to run as a service account, you must also grant the roles/iam.serviceAccountUser role.

For example, if your company has someone who manages groups of virtual machine instances but does not manage network or security settings and does not manage instances that run as service accounts, you can grant this role on the organization, folder, or project that contains the instances, or you can grant it on individual instances.

compute.acceleratorTypes.*
compute.addresses.get
compute.addresses.list
compute.addresses.use
compute.autoscalers.*
compute.diskTypes.*
compute.disks.create
compute.disks.createSnapshot
compute.disks.delete
compute.disks.get
compute.disks.list
compute.disks.resize
compute.disks.setLabels
compute.disks.update
compute.disks.use
compute.disks.useReadOnly
compute.globalAddresses.get
compute.globalAddresses.list
compute.globalAddresses.use
compute.globalOperations.get
compute.globalOperations.list
compute.images.get
compute.images.getFromFamily
compute.images.list
compute.images.useReadOnly
compute.instanceGroupManagers.*
compute.instanceGroups.*
compute.instanceTemplates.*
compute.instances.*
compute.licenses.get
compute.licenses.list
compute.machineTypes.*
compute.networks.get
compute.networks.list
compute.networks.use
compute.networks.useExternalIp
compute.projects.get
compute.regionOperations.get
compute.regionOperations.list
compute.regions.*
compute.subnetworks.get
compute.subnetworks.list
compute.subnetworks.use
compute.subnetworks.useExternalIp
compute.targetPools.get
compute.targetPools.list
compute.zoneOperations.get
compute.zoneOperations.list
compute.zones.*
resourcemanager.projects.get
resourcemanager.projects.list
serviceusage.quotas.get
serviceusage.services.get
serviceusage.services.list
 Disk, image, instance, instanceTemplate, snapshot Beta
roles/
compute.instanceAdmin.v1		 Compute Instance Admin (v1) Full control of Compute Engine instances, instance groups, disks, snapshots, and images. Read access to all Compute Engine networking resources. compute.acceleratorTypes.*
compute.addresses.get
compute.addresses.list
compute.addresses.use
compute.autoscalers.*
compute.backendBuckets.get
compute.backendBuckets.list
compute.backendServices.get
compute.backendServices.list
compute.diskTypes.*
compute.disks.*
compute.firewalls.get
compute.firewalls.list
compute.forwardingRules.get
compute.forwardingRules.list
compute.globalAddresses.get
compute.globalAddresses.list
compute.globalAddresses.use
compute.globalForwardingRules.get
compute.globalForwardingRules.list
compute.globalOperations.get
compute.globalOperations.list
compute.healthChecks.get
compute.healthChecks.list
compute.httpHealthChecks.get
compute.httpHealthChecks.list
compute.httpsHealthChecks.get
compute.httpsHealthChecks.list
compute.images.*
compute.instanceGroupManagers.*
compute.instanceGroups.*
compute.instanceTemplates.*
compute.instances.*
compute.interconnectAttachments.get
compute.interconnectAttachments.list
compute.interconnectLocations.*
compute.interconnects.get
compute.interconnects.list
compute.licenseCodes.*
compute.licenses.*
compute.machineTypes.*
compute.networks.get
compute.networks.list
compute.networks.use
compute.networks.useExternalIp
compute.projects.get
compute.projects.setCommonInstanceMetadata
compute.regionBackendServices.get
compute.regionBackendServices.list
compute.regionOperations.get
compute.regionOperations.list
compute.regions.*
compute.resourcePolicies.*
compute.routers.get
compute.routers.list
compute.routes.get
compute.routes.list
compute.snapshots.*
compute.sslCertificates.get
compute.sslCertificates.list
compute.sslPolicies.get
compute.sslPolicies.list
compute.sslPolicies.listAvailableFeatures
compute.subnetworks.get
compute.subnetworks.list
compute.subnetworks.use
compute.subnetworks.useExternalIp
compute.targetHttpProxies.get
compute.targetHttpProxies.list
compute.targetHttpsProxies.get
compute.targetHttpsProxies.list
compute.targetInstances.get
compute.targetInstances.list
compute.targetPools.get
compute.targetPools.list
compute.targetSslProxies.get
compute.targetSslProxies.list
compute.targetTcpProxies.get
compute.targetTcpProxies.list
compute.targetVpnGateways.get
compute.targetVpnGateways.list
compute.urlMaps.get
compute.urlMaps.list
compute.vpnTunnels.get
compute.vpnTunnels.list
compute.zoneOperations.get
compute.zoneOperations.list
compute.zones.*
resourcemanager.projects.get
resourcemanager.projects.list
serviceusage.quotas.get
serviceusage.services.get
serviceusage.services.list
roles/
compute.loadBalancerAdmin		 Compute Load Balancer Admin Beta

Permissions to create, modify, and delete load balancers and associate resources.

For example, if your company has a load balancing team that manages load balancers, SSL certificates for load balancers, SSL policies, and other load balancing resources, and a separate networking team that manages the rest of the networking resources, then grant the load balancing team's group the loadBalancerAdmin role.

compute.addresses.*
compute.backendBuckets.*
compute.backendServices.*
compute.forwardingRules.*
compute.globalAddresses.*
compute.globalForwardingRules.*
compute.healthChecks.*
compute.httpHealthChecks.*
compute.httpsHealthChecks.*
compute.instanceGroups.*
compute.instances.get
compute.instances.list
compute.instances.use
compute.networks.get
compute.networks.list
compute.networks.use
compute.projects.get
compute.regionBackendServices.*
compute.securityPolicies.get
compute.securityPolicies.list
compute.securityPolicies.use
compute.sslCertificates.*
compute.sslPolicies.*
compute.subnetworks.get
compute.subnetworks.list
compute.subnetworks.use
compute.targetHttpProxies.*
compute.targetHttpsProxies.*
compute.targetInstances.*
compute.targetPools.*
compute.targetSslProxies.*
compute.targetTcpProxies.*
compute.urlMaps.*
resourcemanager.projects.get
resourcemanager.projects.list
serviceusage.quotas.get
serviceusage.services.get
serviceusage.services.list
 InstanceBeta
roles/
compute.networkAdmin		 Compute Network Admin

Permissions to create, modify, and delete networking resources, except for firewall rules and SSL certificates. The network admin role allows read-only access to firewall rules, SSL certificates, and instances (to view their ephemeral IP addresses). The network admin role does not allow a user to create, start, stop, or delete instances.

For example, if your company has a security team that manages firewalls and SSL certificates and a networking team that manages the rest of the networking resources, then grant the networking team's group the networkAdmin role.

compute.addresses.*
compute.autoscalers.get
compute.autoscalers.list
compute.backendBuckets.*
compute.backendServices.*
compute.firewalls.get
compute.firewalls.list
compute.forwardingRules.*
compute.globalAddresses.*
compute.globalForwardingRules.*
compute.globalOperations.get
compute.globalOperations.list
compute.healthChecks.*
compute.httpHealthChecks.*
compute.httpsHealthChecks.*
compute.instanceGroupManagers.get
compute.instanceGroupManagers.list
compute.instanceGroupManagers.update
compute.instanceGroupManagers.use
compute.instanceGroups.get
compute.instanceGroups.list
compute.instanceGroups.update
compute.instanceGroups.use
compute.instances.get
compute.instances.getGuestAttributes
compute.instances.getSerialPortOutput
compute.instances.list
compute.instances.listReferrers
compute.instances.use
compute.interconnectAttachments.*
compute.interconnectLocations.*
compute.interconnects.*
compute.networks.*
compute.projects.get
compute.regionBackendServices.*
compute.regionOperations.get
compute.regionOperations.list
compute.regions.*
compute.routers.*
compute.routes.*
compute.securityPolicies.get
compute.securityPolicies.list
compute.securityPolicies.use
compute.sslCertificates.get
compute.sslCertificates.list
compute.sslPolicies.*
compute.subnetworks.*
compute.targetHttpProxies.*
compute.targetHttpsProxies.*
compute.targetInstances.*
compute.targetPools.*
compute.targetSslProxies.*
compute.targetTcpProxies.*
compute.targetVpnGateways.*
compute.urlMaps.*
compute.vpnTunnels.*
compute.zoneOperations.get
compute.zoneOperations.list
compute.zones.*
resourcemanager.projects.get
resourcemanager.projects.list
servicenetworking.operations.get
servicenetworking.services.addPeering
servicenetworking.services.get
serviceusage.quotas.get
serviceusage.services.get
serviceusage.services.list
 InstanceBeta
roles/
compute.networkUser		 Compute Network User

Provides access to a shared VPC network

Once granted, service owners can use VPC networks and subnets that belong to the host project. For example, a network user can create a VM instance that belongs to a host project network but they cannot delete or create new networks in the host project.

compute.addresses.createInternal
compute.addresses.deleteInternal
compute.addresses.get
compute.addresses.list
compute.addresses.useInternal
compute.firewalls.get
compute.firewalls.list
compute.interconnectAttachments.get
compute.interconnectAttachments.list
compute.interconnectLocations.*
compute.interconnects.get
compute.interconnects.list
compute.interconnects.use
compute.networks.get
compute.networks.list
compute.networks.use
compute.networks.useExternalIp
compute.projects.get
compute.regions.*
compute.routers.get
compute.routers.list
compute.routes.get
compute.routes.list
compute.subnetworks.get
compute.subnetworks.list
compute.subnetworks.use
compute.subnetworks.useExternalIp
compute.targetVpnGateways.get
compute.targetVpnGateways.list
compute.vpnTunnels.get
compute.vpnTunnels.list
compute.zones.*
resourcemanager.projects.get
resourcemanager.projects.list
serviceusage.quotas.get
serviceusage.services.get
serviceusage.services.list
 Project
roles/
compute.networkViewer		 Compute Network Viewer

Read-only access to all networking resources

For example, if you have software that inspects your network configuration, you could grant that software's service account the networkViewer role.

compute.addresses.get
compute.addresses.list
compute.autoscalers.get
compute.autoscalers.list
compute.backendBuckets.get
compute.backendBuckets.list
compute.backendServices.get
compute.backendServices.list
compute.firewalls.get
compute.firewalls.list
compute.forwardingRules.get
compute.forwardingRules.list
compute.globalAddresses.get
compute.globalAddresses.list
compute.globalForwardingRules.get
compute.globalForwardingRules.list
compute.healthChecks.get
compute.healthChecks.list
compute.httpHealthChecks.get
compute.httpHealthChecks.list
compute.httpsHealthChecks.get
compute.httpsHealthChecks.list
compute.instanceGroupManagers.get
compute.instanceGroupManagers.list
compute.instanceGroups.get
compute.instanceGroups.list
compute.instances.get
compute.instances.getGuestAttributes
compute.instances.getSerialPortOutput
compute.instances.list
compute.instances.listReferrers
compute.interconnectAttachments.get
compute.interconnectAttachments.list
compute.interconnectLocations.*
compute.interconnects.get
compute.interconnects.list
compute.networks.get
compute.networks.list
compute.projects.get
compute.regionBackendServices.get
compute.regionBackendServices.list
compute.regions.*
compute.routers.get
compute.routers.list
compute.routes.get
compute.routes.list
compute.sslCertificates.get
compute.sslCertificates.list
compute.sslPolicies.get
compute.sslPolicies.list
compute.sslPolicies.listAvailableFeatures
compute.subnetworks.get
compute.subnetworks.list
compute.targetHttpProxies.get
compute.targetHttpProxies.list
compute.targetHttpsProxies.get
compute.targetHttpsProxies.list
compute.targetInstances.get
compute.targetInstances.list
compute.targetPools.get
compute.targetPools.list
compute.targetSslProxies.get
compute.targetSslProxies.list
compute.targetTcpProxies.get
compute.targetTcpProxies.list
compute.targetVpnGateways.get
compute.targetVpnGateways.list
compute.urlMaps.get
compute.urlMaps.list
compute.vpnTunnels.get
compute.vpnTunnels.list
compute.zones.*
resourcemanager.projects.get
resourcemanager.projects.list
servicenetworking.services.get
serviceusage.quotas.get
serviceusage.services.get
serviceusage.services.list
 InstanceBeta
roles/
compute.osAdminLogin		 Compute OS Admin Login

Access to log in to a Compute Engine instance as an administrator user.

compute.instances.get
compute.instances.list
compute.instances.osAdminLogin
compute.instances.osLogin
compute.projects.get
resourcemanager.projects.get
resourcemanager.projects.list
serviceusage.quotas.get
serviceusage.services.get
serviceusage.services.list
 InstanceBeta
roles/
compute.osLogin		 Compute OS Login

Access to log in to a Compute Engine instance as a standard user.

compute.instances.get
compute.instances.list
compute.instances.osLogin
compute.projects.get
resourcemanager.projects.get
resourcemanager.projects.list
serviceusage.quotas.get
serviceusage.services.get
serviceusage.services.list
 InstanceBeta
roles/
compute.osLoginExternalUser		 Compute OS Login External User

Available only at the organization level.

Access for an external user to set OS Login information associated with this organization. This role does not grant access to instances. External users must be granted one of the required OS Login roles in order to allow access to instances using SSH.

compute.oslogin.*
 Organization
roles/
compute.securityAdmin		 Compute Security Admin

Permissions to create, modify, and delete firewall rules and SSL certificates, and also to configure Shielded VM settings.

For example, if your company has a security team that manages firewalls and SSL certificates and a networking team that manages the rest of the networking resources, then grant the security team's group the securityAdmin role.

compute.firewalls.*
compute.globalOperations.get
compute.globalOperations.list
compute.instances.setShieldedVmIntegrityPolicy
compute.instances.updateShieldedVmConfig
compute.networks.get
compute.networks.list
compute.networks.updatePolicy
compute.projects.get
compute.regionOperations.get
compute.regionOperations.list
compute.regions.*
compute.routes.get
compute.routes.list
compute.securityPolicies.*
compute.sslCertificates.*
compute.sslPolicies.*
compute.subnetworks.get
compute.subnetworks.list
compute.zoneOperations.get
compute.zoneOperations.list
compute.zones.*
resourcemanager.projects.get
resourcemanager.projects.list
serviceusage.quotas.get
serviceusage.services.get
serviceusage.services.list
 InstanceBeta
roles/
compute.storageAdmin		 Compute Storage Admin

Permissions to create, modify, and delete disks, images, and snapshots.

For example, if your company has someone who manages project images and you don't want them to have the editor role on the project, then grant their account the storageAdmin role on the project.

compute.diskTypes.*
compute.disks.*
compute.globalOperations.get
compute.globalOperations.list
compute.images.*
compute.licenseCodes.*
compute.licenses.*
compute.projects.get
compute.regionOperations.get
compute.regionOperations.list
compute.regions.*
compute.resourcePolicies.*
compute.snapshots.*
compute.zoneOperations.get
compute.zoneOperations.list
compute.zones.*
resourcemanager.projects.get
resourcemanager.projects.list
serviceusage.quotas.get
serviceusage.services.get
serviceusage.services.list
 Disk, image, snapshot Beta
roles/
compute.viewer		 Compute Viewer

Read-only access to get and list Compute Engine resources, without being able to read the data stored on them.

For example, an account with this role could inventory all of the disks in a project, but it could not read any of the data on those disks.

compute.acceleratorTypes.*
compute.addresses.get
compute.addresses.list
compute.autoscalers.get
compute.autoscalers.list
compute.backendBuckets.get
compute.backendBuckets.list
compute.backendServices.get
compute.backendServices.list
compute.commitments.get
compute.commitments.list
compute.diskTypes.*
compute.disks.get
compute.disks.getIamPolicy
compute.disks.list
compute.firewalls.get
compute.firewalls.list
compute.forwardingRules.get
compute.forwardingRules.list
compute.globalAddresses.get
compute.globalAddresses.list
compute.globalForwardingRules.get
compute.globalForwardingRules.list
compute.globalOperations.get
compute.globalOperations.getIamPolicy
compute.globalOperations.list
compute.healthChecks.get
compute.healthChecks.list
compute.httpHealthChecks.get
compute.httpHealthChecks.list
compute.httpsHealthChecks.get
compute.httpsHealthChecks.list
compute.images.get
compute.images.getFromFamily
compute.images.getIamPolicy
compute.images.list
compute.instanceGroupManagers.get
compute.instanceGroupManagers.list
compute.instanceGroups.get
compute.instanceGroups.list
compute.instanceTemplates.get
compute.instanceTemplates.getIamPolicy
compute.instanceTemplates.list
compute.instances.get
compute.instances.getGuestAttributes
compute.instances.getIamPolicy
compute.instances.getSerialPortOutput
compute.instances.list
compute.instances.listReferrers
compute.interconnectAttachments.get
compute.interconnectAttachments.list
compute.interconnectLocations.*
compute.interconnects.get
compute.interconnects.list
compute.licenseCodes.get
compute.licenseCodes.getIamPolicy
compute.licenseCodes.list
compute.licenses.get
compute.licenses.getIamPolicy
compute.licenses.list
compute.machineTypes.*
compute.maintenancePolicies.get
compute.maintenancePolicies.getIamPolicy
compute.maintenancePolicies.list
compute.networks.get
compute.networks.list
compute.nodeGroups.get
compute.nodeGroups.getIamPolicy
compute.nodeGroups.list
compute.nodeTemplates.get
compute.nodeTemplates.getIamPolicy
compute.nodeTemplates.list
compute.nodeTypes.*
compute.projects.get
compute.regionBackendServices.get
compute.regionBackendServices.list
compute.regionOperations.get
compute.regionOperations.getIamPolicy
compute.regionOperations.list
compute.regions.*
compute.resourcePolicies.get
compute.resourcePolicies.list
compute.routers.get
compute.routers.list
compute.routes.get
compute.routes.list
compute.securityPolicies.get
compute.securityPolicies.getIamPolicy
compute.securityPolicies.list
compute.snapshots.get
compute.snapshots.getIamPolicy
compute.snapshots.list
compute.sslCertificates.get
compute.sslCertificates.list
compute.sslPolicies.get
compute.sslPolicies.list
compute.sslPolicies.listAvailableFeatures
compute.subnetworks.get
compute.subnetworks.getIamPolicy
compute.subnetworks.list
compute.targetHttpProxies.get
compute.targetHttpProxies.list
compute.targetHttpsProxies.get
compute.targetHttpsProxies.list
compute.targetInstances.get
compute.targetInstances.list
compute.targetPools.get
compute.targetPools.list
compute.targetSslProxies.get
compute.targetSslProxies.list
compute.targetTcpProxies.get
compute.targetTcpProxies.list
compute.targetVpnGateways.get
compute.targetVpnGateways.list
compute.urlMaps.get
compute.urlMaps.list
compute.urlMaps.validate
compute.vpnTunnels.get
compute.vpnTunnels.list
compute.zoneOperations.get
compute.zoneOperations.getIamPolicy
compute.zoneOperations.list
compute.zones.*
resourcemanager.projects.get
resourcemanager.projects.list
serviceusage.quotas.get
serviceusage.services.get
serviceusage.services.list
 Disk, image, instance, instanceTemplate, nodeGroup, nodeTemplate, snapshot Beta
roles/
compute.xpnAdmin		 Compute Shared VPC Admin

Permissions to administer shared VPC host projects, specifically enabling the host projects and associating shared VPC service projects to the host project's network.

This role can only be granted on the organization by an organization admin.

compute.globalOperations.get
compute.globalOperations.list
compute.organizations.*
compute.projects.get
compute.subnetworks.getIamPolicy
compute.subnetworks.setIamPolicy
resourcemanager.organizations.get
resourcemanager.projects.get
resourcemanager.projects.getIamPolicy
resourcemanager.projects.list
 Organization

Dataproc Roles

Role Title Description Permissions Lowest Resource
roles/
dataproc.admin		 Dataproc Administrator Full control of Dataproc resources. compute.machineTypes.*
compute.networks.get
compute.networks.list
compute.projects.get
compute.regions.*
compute.zones.*
dataproc.clusters.*
dataproc.jobs.*
dataproc.operations.*
dataproc.workflowTemplates.*
resourcemanager.projects.get
resourcemanager.projects.list
roles/
dataproc.editor		 Dataproc Editor Provides the permissions necessary for viewing the resources required to manage Cloud Dataproc, including machine types, networks, projects and zones. compute.machineTypes.*
compute.networks.get
compute.networks.list
compute.projects.get
compute.regions.*
compute.zones.*
dataproc.clusters.create
dataproc.clusters.delete
dataproc.clusters.get
dataproc.clusters.list
dataproc.clusters.update
dataproc.clusters.use
dataproc.jobs.cancel
dataproc.jobs.create
dataproc.jobs.delete
dataproc.jobs.get
dataproc.jobs.list
dataproc.jobs.update
dataproc.operations.delete
dataproc.operations.get
dataproc.operations.list
dataproc.workflowTemplates.create
dataproc.workflowTemplates.delete
dataproc.workflowTemplates.get
dataproc.workflowTemplates.instantiate
dataproc.workflowTemplates.instantiateInline
dataproc.workflowTemplates.list
dataproc.workflowTemplates.update
resourcemanager.projects.get
resourcemanager.projects.list
 Project
roles/
dataproc.viewer		 Dataproc Viewer Provides read-only access to Cloud Dataproc resources. compute.machineTypes.get
compute.regions.*
compute.zones.get
dataproc.clusters.get
dataproc.clusters.list
dataproc.jobs.get
dataproc.jobs.list
dataproc.operations.get
dataproc.operations.list
dataproc.workflowTemplates.get
dataproc.workflowTemplates.list
resourcemanager.projects.get
resourcemanager.projects.list
 Project
roles/
dataproc.worker		 Dataproc Worker Worker access to Dataproc. Intended for service accounts. dataproc.agents.*
dataproc.tasks.*
logging.logEntries.create
monitoring.metricDescriptors.create
monitoring.metricDescriptors.get
monitoring.metricDescriptors.list
monitoring.monitoredResourceDescriptors.*
monitoring.timeSeries.create
storage.buckets.get
storage.objects.*

Datastore Roles

Role Title Description Permissions Lowest Resource
roles/
datastore.importExportAdmin		 Cloud Datastore Import Export Admin Provides full access to manage imports and exports. appengine.applications.get
datastore.databases.export
datastore.databases.import
datastore.operations.cancel
datastore.operations.get
datastore.operations.list
resourcemanager.projects.get
resourcemanager.projects.list
 Project
roles/
datastore.indexAdmin		 Cloud Datastore Index Admin Provides full access to manage index definitions. appengine.applications.get
datastore.indexes.*
resourcemanager.projects.get
resourcemanager.projects.list
 Project
roles/
datastore.owner		 Cloud Datastore Owner Provides full access to Cloud Datastore resources. appengine.applications.get
datastore.*
resourcemanager.projects.get
resourcemanager.projects.list
 Project
roles/
datastore.user		 Cloud Datastore User Provides read/write access to data in a Cloud Datastore database. appengine.applications.get
datastore.databases.get
datastore.entities.*
datastore.indexes.list
datastore.namespaces.get
datastore.namespaces.list
datastore.statistics.*
resourcemanager.projects.get
resourcemanager.projects.list
 Project
roles/
datastore.viewer		 Cloud Datastore Viewer Provides read access to Cloud Datastore resources. appengine.applications.get
datastore.databases.get
datastore.databases.list
datastore.entities.get
datastore.entities.list
datastore.indexes.get
datastore.indexes.list
datastore.namespaces.get
datastore.namespaces.list
datastore.statistics.*
resourcemanager.projects.get
resourcemanager.projects.list
 Project

Deployment Manager Roles

Role Title Description Permissions Lowest Resource
roles/
deploymentmanager.editor		 Deployment Manager Editor Provides the permissions necessary to create and manage deployments. deploymentmanager.compositeTypes.*
deploymentmanager.deployments.cancelPreview
deploymentmanager.deployments.create
deploymentmanager.deployments.delete
deploymentmanager.deployments.get
deploymentmanager.deployments.list
deploymentmanager.deployments.stop
deploymentmanager.deployments.update
deploymentmanager.manifests.*
deploymentmanager.operations.*
deploymentmanager.resources.*
deploymentmanager.typeProviders.*
deploymentmanager.types.*
resourcemanager.projects.get
resourcemanager.projects.list
serviceusage.quotas.get
serviceusage.services.get
serviceusage.services.list
 Project
roles/
deploymentmanager.typeEditor		 Deployment Manager Type Editor Provides read and write access to all Type Registry resources. deploymentmanager.compositeTypes.*
deploymentmanager.operations.get
deploymentmanager.typeProviders.*
deploymentmanager.types.*
resourcemanager.projects.get
resourcemanager.projects.list
serviceusage.quotas.get
serviceusage.services.get
 Project
roles/
deploymentmanager.typeViewer		 Deployment Manager Type Viewer Provides read-only access to all Type Registry resources. deploymentmanager.compositeTypes.get
deploymentmanager.compositeTypes.list
deploymentmanager.typeProviders.get
deploymentmanager.typeProviders.getType
deploymentmanager.typeProviders.list
deploymentmanager.typeProviders.listTypes
deploymentmanager.types.get
deploymentmanager.types.list
resourcemanager.projects.get
resourcemanager.projects.list
serviceusage.quotas.get
serviceusage.services.get
 Project
roles/
deploymentmanager.viewer		 Deployment Manager Viewer Provides read-only access to all Deployment Manager-related resources. deploymentmanager.compositeTypes.get
deploymentmanager.compositeTypes.list
deploymentmanager.deployments.get
deploymentmanager.deployments.list
deploymentmanager.manifests.*
deploymentmanager.operations.*
deploymentmanager.resources.*
deploymentmanager.typeProviders.get
deploymentmanager.typeProviders.getType
deploymentmanager.typeProviders.list
deploymentmanager.typeProviders.listTypes
deploymentmanager.types.get
deploymentmanager.types.list
resourcemanager.projects.get
resourcemanager.projects.list
serviceusage.quotas.get
serviceusage.services.get
serviceusage.services.list
 Project

Firebase Roles

Role Title Description Permissions Lowest Resource
roles/
cloudtestservice.testAdmin		 Firebase Test Lab Admin Full access to all Test Lab features cloudtestservice.*
cloudtoolresults.*
firebase.billingPlans.get
resourcemanager.projects.get
resourcemanager.projects.list
storage.buckets.create
storage.buckets.get
storage.buckets.update
storage.objects.create
storage.objects.get
storage.objects.list
roles/
cloudtestservice.testViewer		 Firebase Test Lab Viewer Read access to Test Lab features cloudtestservice.environmentcatalog.*
cloudtestservice.matrices.get
cloudtoolresults.executions.get
cloudtoolresults.executions.list
cloudtoolresults.histories.get
cloudtoolresults.histories.list
cloudtoolresults.settings.get
cloudtoolresults.steps.get
cloudtoolresults.steps.list
resourcemanager.projects.get
resourcemanager.projects.list
storage.objects.get
storage.objects.list
roles/
firebase.admin		 Firebase Admin Beta Full access to Firebase products. appengine.applications.get
automl.*
clientauthconfig.brands.get
clientauthconfig.brands.list
clientauthconfig.brands.update
clientauthconfig.clients.create
clientauthconfig.clients.delete
clientauthconfig.clients.get
clientauthconfig.clients.list
clientauthconfig.clients.update
cloudconfig.*
cloudfunctions.*
cloudnotifications.*
cloudtestservice.*
cloudtoolresults.*
datastore.*
errorreporting.groups.*
firebase.*
firebaseabt.*
firebaseanalytics.*
firebaseauth.*
firebasecrash.*
firebasedatabase.*
firebasedynamiclinks.*
firebaseextensions.*
firebasehosting.*
firebaseinappmessaging.*
firebaseml.*
firebasenotifications.*
firebaseperformance.*
firebasepredictions.*
firebaserules.*
logging.logEntries.list
monitoring.timeSeries.list
resourcemanager.projects.get
resourcemanager.projects.getIamPolicy
resourcemanager.projects.list
runtimeconfig.configs.create
runtimeconfig.configs.delete
runtimeconfig.configs.get
runtimeconfig.configs.list
runtimeconfig.configs.update
runtimeconfig.operations.*
runtimeconfig.variables.create
runtimeconfig.variables.delete
runtimeconfig.variables.get
runtimeconfig.variables.list
runtimeconfig.variables.update
runtimeconfig.variables.watch
runtimeconfig.waiters.create
runtimeconfig.waiters.delete
runtimeconfig.waiters.get
runtimeconfig.waiters.list
runtimeconfig.waiters.update
serviceusage.apiKeys.get
serviceusage.apiKeys.getProjectForKey
serviceusage.apiKeys.list
serviceusage.operations.get
serviceusage.operations.list
serviceusage.quotas.get
serviceusage.services.get
serviceusage.services.list
storage.*
roles/
firebase.analyticsAdmin		 Firebase Analytics Admin Beta Full access to Google Analytics for Firebase. cloudnotifications.*
firebase.billingPlans.get
firebase.clients.get
firebase.links.list
firebase.projects.get
firebaseanalytics.*
firebaseextensions.configs.list
resourcemanager.projects.get
resourcemanager.projects.getIamPolicy
resourcemanager.projects.list
roles/
firebase.analyticsViewer		 Firebase Analytics Viewer Beta Read access to Google Analytics for Firebase. cloudnotifications.*
firebase.billingPlans.get
firebase.clients.get
firebase.links.list
firebase.projects.get
firebaseanalytics.resources.googleAnalyticsReadAndAnalyze
firebaseextensions.configs.list
resourcemanager.projects.get
resourcemanager.projects.getIamPolicy
resourcemanager.projects.list
roles/
firebase.developAdmin		 Firebase Develop Admin Beta Full access to Firebase Develop products and Analytics. appengine.applications.get
automl.*
clientauthconfig.brands.get
clientauthconfig.brands.list
clientauthconfig.brands.update
clientauthconfig.clients.get
clientauthconfig.clients.list
cloudfunctions.*
cloudnotifications.*
datastore.*
errorreporting.groups.*
firebase.billingPlans.get
firebase.clients.get
firebase.links.list
firebase.projects.get
firebaseanalytics.*
firebaseauth.*
firebasedatabase.*
firebaseextensions.configs.list
firebasehosting.*
firebaseml.*
firebaserules.*
logging.logEntries.list
monitoring.timeSeries.list
resourcemanager.projects.get
resourcemanager.projects.getIamPolicy
resourcemanager.projects.list
runtimeconfig.configs.create
runtimeconfig.configs.delete
runtimeconfig.configs.get
runtimeconfig.configs.list
runtimeconfig.configs.update
runtimeconfig.operations.*
runtimeconfig.variables.create
runtimeconfig.variables.delete
runtimeconfig.variables.get
runtimeconfig.variables.list
runtimeconfig.variables.update
runtimeconfig.variables.watch
runtimeconfig.waiters.create
runtimeconfig.waiters.delete
runtimeconfig.waiters.get
runtimeconfig.waiters.list
runtimeconfig.waiters.update
serviceusage.apiKeys.get
serviceusage.apiKeys.getProjectForKey
serviceusage.apiKeys.list
serviceusage.operations.get
serviceusage.operations.list
serviceusage.quotas.get
serviceusage.services.get
serviceusage.services.list
storage.*
roles/
firebase.developViewer		 Firebase Develop Viewer Beta Read access to Firebase Develop products and Analytics. automl.annotationSpecs.get
automl.annotationSpecs.list
automl.annotations.list
automl.columnSpecs.get
automl.columnSpecs.list
automl.datasets.get
automl.datasets.list
automl.examples.get
automl.examples.list
automl.humanAnnotationTasks.get
automl.humanAnnotationTasks.list
automl.locations.get
automl.locations.list
automl.modelEvaluations.get
automl.modelEvaluations.list
automl.models.get
automl.models.list
automl.operations.get
automl.operations.list
automl.tableSpecs.get
automl.tableSpecs.list
clientauthconfig.brands.get
clientauthconfig.brands.list
cloudfunctions.functions.get
cloudfunctions.functions.list
cloudfunctions.locations.*
cloudfunctions.operations.*
cloudnotifications.*
datastore.databases.get
datastore.databases.getIamPolicy
datastore.databases.list
datastore.entities.get
datastore.entities.list
datastore.indexes.get
datastore.indexes.list
datastore.namespaces.get
datastore.namespaces.getIamPolicy
datastore.namespaces.list
datastore.statistics.*
errorreporting.groups.*
firebase.billingPlans.get
firebase.clients.get
firebase.links.list
firebase.projects.get
firebaseanalytics.resources.googleAnalyticsReadAndAnalyze
firebaseauth.configs.get
firebaseauth.users.get
firebasedatabase.instances.get
firebasedatabase.instances.list
firebaseextensions.configs.list
firebasehosting.sites.get
firebasehosting.sites.list
firebaseml.compressionjobs.get
firebaseml.compressionjobs.list
firebaseml.models.get
firebaseml.models.list
firebaseml.modelversions.get
firebaseml.modelversions.list
firebaserules.releases.get
firebaserules.releases.list
firebaserules.rulesets.get
firebaserules.rulesets.list
logging.logEntries.list
monitoring.timeSeries.list
resourcemanager.projects.get
resourcemanager.projects.getIamPolicy
resourcemanager.projects.list
serviceusage.operations.get
serviceusage.operations.list
serviceusage.quotas.get
serviceusage.services.get
serviceusage.services.list
storage.buckets.get
storage.buckets.getIamPolicy
storage.buckets.list
storage.objects.get
storage.objects.getIamPolicy
storage.objects.list
roles/
firebase.growthAdmin		 Firebase Grow Admin Beta Full access to Firebase Grow products and Analytics. clientauthconfig.clients.get
clientauthconfig.clients.list
cloudconfig.*
cloudnotifications.*
firebase.billingPlans.get
firebase.clients.get
firebase.links.list
firebase.projects.get
firebaseabt.*
firebaseanalytics.*
firebasedynamiclinks.*
firebaseextensions.configs.list
firebaseinappmessaging.*
firebasenotifications.*
firebasepredictions.*
monitoring.timeSeries.list
resourcemanager.projects.get
resourcemanager.projects.getIamPolicy
resourcemanager.projects.list
serviceusage.operations.get
serviceusage.operations.list
serviceusage.quotas.get
serviceusage.services.get
serviceusage.services.list
roles/
firebase.growthViewer		 Firebase Grow Viewer Beta Read access to Firebase Grow products and Analytics. cloudconfig.configs.get
cloudnotifications.*
firebase.billingPlans.get
firebase.clients.get
firebase.links.list
firebase.projects.get
firebaseabt.experimentresults.*
firebaseabt.experiments.get
firebaseabt.experiments.list
firebaseabt.projectmetadata.*
firebaseanalytics.resources.googleAnalyticsReadAndAnalyze
firebasedynamiclinks.destinations.list
firebasedynamiclinks.domains.get
firebasedynamiclinks.domains.list
firebasedynamiclinks.links.get
firebasedynamiclinks.links.list
firebasedynamiclinks.stats.*
firebaseextensions.configs.list
firebaseinappmessaging.campaigns.get
firebaseinappmessaging.campaigns.list
firebasenotifications.messages.get
firebasenotifications.messages.list
firebasepredictions.predictions.list
monitoring.timeSeries.list
resourcemanager.projects.get
resourcemanager.projects.getIamPolicy
resourcemanager.projects.list
serviceusage.operations.get
serviceusage.operations.list
serviceusage.quotas.get
serviceusage.services.get
serviceusage.services.list
roles/
firebase.qualityAdmin		 Firebase Quality Admin Beta Full access to Firebase Quality products and Analytics. cloudnotifications.*
firebase.billingPlans.get
firebase.clients.get
firebase.links.list
firebase.projects.get
firebaseanalytics.*
firebasecrash.*
firebaseextensions.configs.list
firebaseperformance.*
monitoring.timeSeries.list
resourcemanager.projects.get
resourcemanager.projects.getIamPolicy
resourcemanager.projects.list
serviceusage.operations.get
serviceusage.operations.list
serviceusage.quotas.get
serviceusage.services.get
serviceusage.services.list
roles/
firebase.qualityViewer		 Firebase Quality Viewer Beta Read access to Firebase Quality products and Analytics. cloudnotifications.*
firebase.billingPlans.get
firebase.clients.get
firebase.links.list
firebase.projects.get
firebaseanalytics.resources.googleAnalyticsReadAndAnalyze
firebasecrash.reports.*
firebaseextensions.configs.list
firebaseperformance.data.*
monitoring.timeSeries.list
resourcemanager.projects.get
resourcemanager.projects.getIamPolicy
resourcemanager.projects.list
serviceusage.operations.get
serviceusage.operations.list
serviceusage.quotas.get
serviceusage.services.get
serviceusage.services.list
roles/
firebase.viewer		 Firebase Viewer Beta Read-only access to Firebase products. automl.annotationSpecs.get
automl.annotationSpecs.list
automl.annotations.list
automl.columnSpecs.get
automl.columnSpecs.list
automl.datasets.get
automl.datasets.list
automl.examples.get
automl.examples.list
automl.humanAnnotationTasks.get
automl.humanAnnotationTasks.list
automl.locations.get
automl.locations.list
automl.modelEvaluations.get
automl.modelEvaluations.list
automl.models.get
automl.models.list
automl.operations.get
automl.operations.list
automl.tableSpecs.get
automl.tableSpecs.list
clientauthconfig.brands.get
clientauthconfig.brands.list
cloudconfig.configs.get
cloudfunctions.functions.get
cloudfunctions.functions.list
cloudfunctions.locations.*
cloudfunctions.operations.*
cloudnotifications.*
cloudtestservice.environmentcatalog.*
cloudtestservice.matrices.get
cloudtoolresults.executions.get
cloudtoolresults.executions.list
cloudtoolresults.histories.get
cloudtoolresults.histories.list
cloudtoolresults.settings.get
cloudtoolresults.steps.get
cloudtoolresults.steps.list
datastore.databases.get
datastore.databases.getIamPolicy
datastore.databases.list
datastore.entities.get
datastore.entities.list
datastore.indexes.get
datastore.indexes.list
datastore.namespaces.get
datastore.namespaces.getIamPolicy
datastore.namespaces.list
datastore.statistics.*
errorreporting.groups.*
firebase.billingPlans.get
firebase.clients.get
firebase.links.list
firebase.projects.get
firebaseabt.experimentresults.*
firebaseabt.experiments.get
firebaseabt.experiments.list
firebaseabt.projectmetadata.*
firebaseanalytics.resources.googleAnalyticsReadAndAnalyze
firebaseauth.configs.get
firebaseauth.users.get
firebasecrash.reports.*
firebasedatabase.instances.get
firebasedatabase.instances.list
firebasedynamiclinks.destinations.list
firebasedynamiclinks.domains.get
firebasedynamiclinks.domains.list
firebasedynamiclinks.links.get
firebasedynamiclinks.links.list
firebasedynamiclinks.stats.*
firebaseextensions.configs.list
firebasehosting.sites.get
firebasehosting.sites.list
firebaseinappmessaging.campaigns.get
firebaseinappmessaging.campaigns.list
firebaseml.compressionjobs.get
firebaseml.compressionjobs.list
firebaseml.models.get
firebaseml.models.list
firebaseml.modelversions.get
firebaseml.modelversions.list
firebasenotifications.messages.get
firebasenotifications.messages.list
firebaseperformance.data.*
firebasepredictions.predictions.list
firebaserules.releases.get
firebaserules.releases.list
firebaserules.rulesets.get
firebaserules.rulesets.list
logging.logEntries.list
monitoring.timeSeries.list
resourcemanager.projects.get
resourcemanager.projects.getIamPolicy
resourcemanager.projects.list
serviceusage.operations.get
serviceusage.operations.list
serviceusage.quotas.get
serviceusage.services.get
serviceusage.services.list
storage.buckets.get
storage.buckets.getIamPolicy
storage.buckets.list
storage.objects.get
storage.objects.getIamPolicy
storage.objects.list

IAM Roles

Role Title Description Permissions Lowest Resource
roles/
iam.securityReviewer		 Security Reviewer Provides permissions to list all resources and Cloud IAM policies on them. accesscontextmanager.accessLevels.list
accesscontextmanager.accessPolicies.getIamPolicy
accesscontextmanager.accessPolicies.list
accesscontextmanager.accessZones.list
accesscontextmanager.policies.getIamPolicy
accesscontextmanager.policies.list
accesscontextmanager.servicePerimeters.list
appengine.instances.list
appengine.memcache.list
appengine.operations.list
appengine.services.list
appengine.versions.list
automl.annotationSpecs.list
automl.annotations.list
automl.columnSpecs.list
automl.datasets.getIamPolicy
automl.datasets.list
automl.examples.list
automl.humanAnnotationTasks.list
automl.locations.getIamPolicy
automl.locations.list
automl.modelEvaluations.list
automl.models.getIamPolicy
automl.models.list
automl.operations.list
automl.tableSpecs.list
bigquery.datasets.getIamPolicy
bigquery.jobs.list
bigquery.savedqueries.list
bigquery.tables.list
bigtable.appProfiles.list
bigtable.clusters.list
bigtable.instances.getIamPolicy
bigtable.instances.list
bigtable.tables.list
billing.accounts.getIamPolicy
billing.accounts.list
billing.budgets.list
billing.credits.*
billing.resourceAssociations.list
billing.subscriptions.list
binaryauthorization.attestors.getIamPolicy
binaryauthorization.attestors.list
binaryauthorization.policy.getIamPolicy
clientauthconfig.brands.list
clientauthconfig.clients.list
cloudbuild.builds.list
clouddebugger.breakpoints.list
clouddebugger.debuggees.list
cloudfunctions.functions.list
cloudfunctions.locations.*
cloudfunctions.operations.list
cloudiot.devices.list
cloudiot.registries.getIamPolicy
cloudiot.registries.list
cloudjobdiscovery.companies.list
cloudkms.cryptoKeyVersions.list
cloudkms.cryptoKeys.getIamPolicy
cloudkms.cryptoKeys.list
cloudkms.keyRings.getIamPolicy
cloudkms.keyRings.list
cloudnotifications.*
cloudprivatecatalogproducer.associations.list
cloudprivatecatalogproducer.catalogs.getIamPolicy
cloudprivatecatalogproducer.catalogs.list
cloudprofiler.profiles.list
cloudscheduler.jobs.list
cloudsecurityscanner.crawledurls.*
cloudsecurityscanner.results.list
cloudsecurityscanner.scanruns.list
cloudsecurityscanner.scans.list
cloudsql.backupRuns.list
cloudsql.databases.list
cloudsql.instances.list
cloudsql.sslCerts.list
cloudsql.users.list
cloudsupport.accounts.getIamPolicy
cloudsupport.accounts.list
cloudtasks.locations.list
cloudtasks.queues.getIamPolicy
cloudtasks.queues.list
cloudtasks.tasks.list
cloudtoolresults.executions.list
cloudtoolresults.histories.list
cloudtoolresults.steps.list
cloudtrace.insights.list
cloudtrace.tasks.list
cloudtrace.traces.list
composer.environments.list
composer.operations.list
compute.acceleratorTypes.list
compute.addresses.list
compute.autoscalers.list
compute.backendBuckets.list
compute.backendServices.list
compute.commitments.list
compute.diskTypes.list
compute.disks.getIamPolicy
compute.disks.list
compute.firewalls.list
compute.forwardingRules.list
compute.globalAddresses.list
compute.globalForwardingRules.list
compute.globalOperations.getIamPolicy
compute.globalOperations.list
compute.healthChecks.list
compute.httpHealthChecks.list
compute.httpsHealthChecks.list
compute.images.getIamPolicy
compute.images.list
compute.instanceGroupManagers.list
compute.instanceGroups.list
compute.instanceTemplates.getIamPolicy
compute.instanceTemplates.list
compute.instances.getIamPolicy
compute.instances.list
compute.interconnectAttachments.list
compute.interconnectLocations.list
compute.interconnects.list
compute.licenseCodes.getIamPolicy
compute.licenseCodes.list
compute.licenses.getIamPolicy
compute.licenses.list
compute.machineTypes.list
compute.maintenancePolicies.getIamPolicy
compute.maintenancePolicies.list
compute.networks.list
compute.nodeGroups.getIamPolicy
compute.nodeGroups.list
compute.nodeTemplates.getIamPolicy
compute.nodeTemplates.list
compute.nodeTypes.list
compute.regionBackendServices.list
compute.regionOperations.getIamPolicy
compute.regionOperations.list
compute.regions.list
compute.resourcePolicies.list
compute.routers.list
compute.routes.list
compute.securityPolicies.getIamPolicy
compute.securityPolicies.list
compute.snapshots.getIamPolicy
compute.snapshots.list
compute.sslCertificates.list
compute.sslPolicies.list
compute.subnetworks.getIamPolicy
compute.subnetworks.list
compute.targetHttpProxies.list
compute.targetHttpsProxies.list
compute.targetInstances.list
compute.targetPools.list
compute.targetSslProxies.list
compute.targetTcpProxies.list
compute.targetVpnGateways.list
compute.urlMaps.list
compute.vpnTunnels.list
compute.zoneOperations.getIamPolicy
compute.zoneOperations.list
compute.zones.list
container.apiServices.list
container.backendConfigs.list
container.bindings.list
container.certificateSigningRequests.list
container.clusterRoleBindings.list
container.clusterRoles.list
container.clusters.list
container.componentStatuses.list
container.configMaps.list
container.controllerRevisions.list
container.cronJobs.list
container.customResourceDefinitions.list
container.daemonSets.list
container.deployments.list
container.endpoints.list
container.events.list
container.horizontalPodAutoscalers.list
container.ingresses.list
container.initializerConfigurations.list
container.jobs.list
container.limitRanges.list
container.localSubjectAccessReviews.list
container.namespaces.list
container.networkPolicies.list
container.nodes.list
container.operations.list
container.persistentVolumeClaims.list
container.persistentVolumes.list
container.petSets.list
container.podDisruptionBudgets.list
container.podPresets.list
container.podSecurityPolicies.list
container.podTemplates.list
container.pods.list
container.replicaSets.list
container.replicationControllers.list
container.resourceQuotas.list
container.roleBindings.list
container.roles.list
container.scheduledJobs.list
container.secrets.list
container.selfSubjectAccessReviews.list
container.serviceAccounts.list
container.services.list
container.statefulSets.list
container.storageClasses.list
container.subjectAccessReviews.list
container.thirdPartyObjects.list
container.thirdPartyResources.list
dataflow.jobs.list
dataflow.messages.*
datalabeling.annotateddatasets.list
datalabeling.annotationspecsets.list
datalabeling.dataitems.list
datalabeling.datasets.list
datalabeling.examples.list
datalabeling.instructions.list
datalabeling.operations.list
dataproc.agents.list
dataproc.clusters.getIamPolicy
dataproc.clusters.list
dataproc.jobs.getIamPolicy
dataproc.jobs.list
dataproc.operations.getIamPolicy
dataproc.operations.list
dataproc.workflowTemplates.getIamPolicy
dataproc.workflowTemplates.list
datastore.databases.getIamPolicy
datastore.databases.list
datastore.entities.list
datastore.indexes.list
datastore.locations.list
datastore.namespaces.getIamPolicy
datastore.namespaces.list
datastore.operations.list
datastore.statistics.list
deploymentmanager.compositeTypes.list
deploymentmanager.deployments.getIamPolicy
deploymentmanager.deployments.list
deploymentmanager.manifests.list
deploymentmanager.operations.list
deploymentmanager.resources.list
deploymentmanager.typeProviders.list
deploymentmanager.types.list
dialogflow.contexts.list
dialogflow.entityTypes.list
dialogflow.intents.list
dialogflow.sessionEntityTypes.list
dlp.analyzeRiskTemplates.list
dlp.deidentifyTemplates.list
dlp.inspectTemplates.list
dlp.jobTriggers.list
dlp.jobs.list
dlp.storedInfoTypes.list
dns.changes.list
dns.dnsKeys.list
dns.managedZoneOperations.list
dns.managedZones.list
dns.policies.getIamPolicy
dns.policies.list
dns.resourceRecordSets.list
errorreporting.applications.*
errorreporting.errorEvents.list
errorreporting.groups.*
file.instances.list
file.locations.list
file.operations.list
firebase.links.list
firebaseabt.experiments.list
firebasedatabase.instances.list
firebasedynamiclinks.destinations.list
firebasedynamiclinks.domains.list
firebasedynamiclinks.links.list
firebaseextensions.configs.list
firebasehosting.sites.list
firebaseinappmessaging.campaigns.list
firebaseml.compressionjobs.list
firebaseml.models.list
firebaseml.modelversions.list
firebasenotifications.messages.list
firebasepredictions.predictions.list
firebaserules.releases.list
firebaserules.rulesets.list
genomics.datasets.getIamPolicy
genomics.datasets.list
genomics.operations.list
iam.roles.get
iam.roles.list
iam.serviceAccountKeys.list
iam.serviceAccounts.get
iam.serviceAccounts.getIamPolicy
iam.serviceAccounts.list
iap.tunnel.getIamPolicy
iap.tunnelInstances.getIamPolicy
iap.tunnelZones.getIamPolicy
iap.web.getIamPolicy
iap.webServiceVersions.getIamPolicy
iap.webServices.getIamPolicy
iap.webTypes.getIamPolicy
logging.exclusions.list
logging.logEntries.list
logging.logMetrics.list
logging.logServiceIndexes.*
logging.logServices.*
logging.logs.list
logging.privateLogEntries.*
logging.sinks.list
ml.jobs.getIamPolicy
ml.jobs.list
ml.locations.list
ml.models.getIamPolicy
ml.models.list
ml.operations.list
ml.versions.list
monitoring.alertPolicies.list
monitoring.dashboards.list
monitoring.groups.list
monitoring.metricDescriptors.list
monitoring.monitoredResourceDescriptors.list
monitoring.notificationChannelDescriptors.list
monitoring.notificationChannels.list
monitoring.publicWidgets.list
monitoring.timeSeries.list
monitoring.uptimeCheckConfigs.list
proximitybeacon.attachments.list
proximitybeacon.beacons.getIamPolicy
proximitybeacon.beacons.list
proximitybeacon.namespaces.getIamPolicy
proximitybeacon.namespaces.list
pubsub.snapshots.getIamPolicy
pubsub.snapshots.list
pubsub.subscriptions.getIamPolicy
pubsub.subscriptions.list
pubsub.topics.getIamPolicy
pubsub.topics.list
redis.instances.list
redis.locations.list
redis.operations.list
resourcemanager.folders.getIamPolicy
resourcemanager.folders.list
resourcemanager.organizations.getIamPolicy
resourcemanager.projects.getIamPolicy
resourcemanager.projects.list
runtimeconfig.configs.getIamPolicy
runtimeconfig.configs.list
runtimeconfig.operations.list
runtimeconfig.variables.getIamPolicy
runtimeconfig.variables.list
runtimeconfig.waiters.getIamPolicy
runtimeconfig.waiters.list
securitycenter.assets.list
securitycenter.configs.getIamPolicy
securitycenter.findings.list
securitycenter.scans.list
securitycenter.sources.getIamPolicy
securitycenter.sources.list
servicebroker.bindingoperations.list
servicebroker.bindings.getIamPolicy
servicebroker.bindings.list
servicebroker.catalogs.getIamPolicy
servicebroker.catalogs.list
servicebroker.instanceoperations.list
servicebroker.instances.getIamPolicy
servicebroker.instances.list
serviceconsumermanagement.tenancyu.list
servicemanagement.consumerSettings.getIamPolicy
servicemanagement.consumerSettings.list
servicemanagement.services.getIamPolicy
servicemanagement.services.list
servicenetworking.operations.list
serviceusage.apiKeys.list
serviceusage.operations.list
serviceusage.services.list
source.repos.getIamPolicy
source.repos.list
spanner.databaseOperations.list
spanner.databases.getIamPolicy
spanner.databases.list
spanner.instanceConfigs.list
spanner.instanceOperations.list
spanner.instances.getIamPolicy
spanner.instances.list
spanner.sessions.list
storage.buckets.getIamPolicy
storage.buckets.list
storage.objects.getIamPolicy
storage.objects.list
tpu.acceleratortypes.list
tpu.locations.list
tpu.nodes.list
tpu.operations.list
tpu.tensorflowversions.list
 Disk, image, instance, instanceTemplate, nodeGroup, nodeTemplate, snapshot Beta

Kubernetes Engine Roles

Role Title Description Permissions Lowest Resource
roles/
container.admin		 Kubernetes Engine Admin Provides access to full management of Container Clusters and their Kubernetes API objects. container.*
resourcemanager.projects.get
resourcemanager.projects.list
 Project
roles/
container.clusterAdmin		 Kubernetes Engine Cluster Admin Provides access to management of Container Clusters. container.clusters.create
container.clusters.delete
container.clusters.get
container.clusters.list
container.clusters.update
container.operations.*
resourcemanager.projects.get
resourcemanager.projects.list
 Project
roles/
container.clusterViewer		 Kubernetes Engine Cluster Viewer Read-only access to Kubernetes Clusters. container.clusters.get
container.clusters.list
resourcemanager.projects.get
resourcemanager.projects.list
roles/
container.developer		 Kubernetes Engine Developer Provides full access to Kubernetes API objects inside Container Clusters. container.apiServices.*
container.backendConfigs.*
container.bindings.*
container.certificateSigningRequests.create
container.certificateSigningRequests.delete
container.certificateSigningRequests.get
container.certificateSigningRequests.list
container.certificateSigningRequests.update
container.certificateSigningRequests.updateStatus
container.clusterRoleBindings.get
container.clusterRoleBindings.list
container.clusterRoles.get
container.clusterRoles.list
container.clusters.get
container.clusters.list
container.componentStatuses.*
container.configMaps.*
container.controllerRevisions.get
container.controllerRevisions.list
container.cronJobs.*
container.customResourceDefinitions.*
container.daemonSets.*
container.deployments.*
container.endpoints.*
container.events.*
container.horizontalPodAutoscalers.*
container.ingresses.*
container.initializerConfigurations.*
container.jobs.*
container.limitRanges.*
container.localSubjectAccessReviews.*
container.namespaces.*
container.networkPolicies.*
container.nodes.*
container.persistentVolumeClaims.*
container.persistentVolumes.*
container.petSets.*
container.podDisruptionBudgets.*
container.podPresets.*
container.podSecurityPolicies.get
container.podSecurityPolicies.list
container.podTemplates.*
container.pods.*
container.replicaSets.*
container.replicationControllers.*
container.resourceQuotas.*
container.roleBindings.get
container.roleBindings.list
container.roles.get
container.roles.list
container.scheduledJobs.*
container.secrets.*
container.selfSubjectAccessReviews.*
container.serviceAccounts.*
container.services.*
container.statefulSets.*
container.storageClasses.*
container.subjectAccessReviews.*
container.thirdPartyObjects.*
container.thirdPartyResources.*
container.tokenReviews.*
resourcemanager.projects.get
resourcemanager.projects.list
 Project
roles/
container.hostServiceAgentUser		 Kubernetes Engine Host Service Agent User Use access of the Kubernetes Engine Host Service Agent. compute.firewalls.get
container.hostServiceAgent.*
roles/
container.viewer		 Kubernetes Engine Viewer Provides read-only access to GKE resources. container.apiServices.get
container.apiServices.list
container.backendConfigs.get
container.backendConfigs.list
container.bindings.get
container.bindings.list
container.certificateSigningRequests.get
container.certificateSigningRequests.list
container.clusterRoleBindings.get
container.clusterRoleBindings.list
container.clusterRoles.get
container.clusterRoles.list
container.clusters.get
container.clusters.list
container.componentStatuses.*
container.configMaps.get
container.configMaps.list
container.controllerRevisions.get
container.controllerRevisions.list
container.cronJobs.get
container.cronJobs.getStatus
container.cronJobs.list
container.customResourceDefinitions.get
container.customResourceDefinitions.list
container.daemonSets.get
container.daemonSets.getStatus
container.daemonSets.list
container.deployments.get
container.deployments.getStatus
container.deployments.list
container.endpoints.get
container.endpoints.list
container.events.get
container.events.list
container.horizontalPodAutoscalers.get
container.horizontalPodAutoscalers.getStatus
container.horizontalPodAutoscalers.list
container.ingresses.get
container.ingresses.getStatus
container.ingresses.list
container.initializerConfigurations.get
container.initializerConfigurations.list
container.jobs.get
container.jobs.getStatus
container.jobs.list
container.limitRanges.get
container.limitRanges.list
container.namespaces.get
container.namespaces.getStatus
container.namespaces.list
container.networkPolicies.get
container.networkPolicies.list
container.nodes.get
container.nodes.getStatus
container.nodes.list
container.operations.*
container.persistentVolumeClaims.get
container.persistentVolumeClaims.getStatus
container.persistentVolumeClaims.list
container.persistentVolumes.get
container.persistentVolumes.getStatus
container.persistentVolumes.list
container.petSets.get
container.petSets.list
container.podDisruptionBudgets.get
container.podDisruptionBudgets.getStatus
container.podDisruptionBudgets.list
container.podPresets.get
container.podPresets.list
container.podSecurityPolicies.get
container.podSecurityPolicies.list
container.podTemplates.get
container.podTemplates.list
container.pods.get
container.pods.getStatus
container.pods.list
container.replicaSets.get
container.replicaSets.getScale
container.replicaSets.getStatus
container.replicaSets.list
container.replicationControllers.get
container.replicationControllers.getScale
container.replicationControllers.getStatus
container.replicationControllers.list
container.resourceQuotas.get
container.resourceQuotas.getStatus
container.resourceQuotas.list
container.roleBindings.get
container.roleBindings.list
container.roles.get
container.roles.list
container.scheduledJobs.get
container.scheduledJobs.list
container.serviceAccounts.get
container.serviceAccounts.list
container.services.get
container.services.getStatus
container.services.list
container.statefulSets.get
container.statefulSets.getStatus
container.statefulSets.list
container.storageClasses.get
container.storageClasses.list
container.thirdPartyObjects.get
container.thirdPartyObjects.list
container.thirdPartyResources.get
container.thirdPartyResources.list
container.tokenReviews.*
resourcemanager.projects.get
resourcemanager.projects.list
 Project

Logging Roles

Role Title Description Permissions Lowest Resource
roles/
logging.admin		 Logging Admin Provides all permissions necessary to use all features of Stackdriver Logging. logging.*
resourcemanager.projects.get
resourcemanager.projects.list
 Project
roles/
logging.configWriter		 Logs Configuration Writer Provides permissions to read and write the configurations of logs-based metrics and sinks for exporting logs. logging.exclusions.*
logging.logMetrics.*
logging.logServiceIndexes.*
logging.logServices.*
logging.logs.list
logging.sinks.*
resourcemanager.projects.get
resourcemanager.projects.list
 Project
roles/
logging.logWriter		 Logs Writer Provides the permissions to write log entries. logging.logEntries.create
 Project
roles/
logging.privateLogViewer		 Private Logs Viewer Provides permissions of the Logs Viewer role and in addition, provides read-only access to log entries in private logs. logging.exclusions.get
logging.exclusions.list
logging.logEntries.list
logging.logMetrics.get
logging.logMetrics.list
logging.logServiceIndexes.*
logging.logServices.*
logging.logs.list
logging.privateLogEntries.*
logging.sinks.get
logging.sinks.list
logging.usage.*
resourcemanager.projects.get
 Project
roles/
logging.viewer		 Logs Viewer Provides access to view logs. logging.exclusions.get
logging.exclusions.list
logging.logEntries.list
logging.logMetrics.get
logging.logMetrics.list
logging.logServiceIndexes.*
logging.logServices.*
logging.logs.list
logging.sinks.get
logging.sinks.list
logging.usage.*
resourcemanager.projects.get
 Project

Machine Learning Engine Roles

Role Title Description Permissions Lowest Resource
roles/
ml.admin		 ML Engine Admin Provides full access to AI Platform resources, and its jobs, operations, models, and versions. ml.*
resourcemanager.projects.get
 Project
roles/
ml.developer		 ML Engine Developer Provides ability to use AI Platform resources for creating models, versions, jobs for training and prediction, and sending online prediction requests. ml.jobs.create
ml.jobs.get
ml.jobs.getIamPolicy
ml.jobs.list
ml.locations.*
ml.models.create
ml.models.get
ml.models.getIamPolicy
ml.models.list
ml.models.predict
ml.operations.get
ml.operations.list
ml.projects.*
ml.versions.get
ml.versions.list
ml.versions.predict
resourcemanager.projects.get
 Project
roles/
ml.jobOwner		 ML Engine Job Owner Provides full access to all permissions for a particular job resource. This role is automatically granted to the user who creates the job. ml.jobs.*
 Job
roles/
ml.modelOwner		 ML Engine Model Owner Provides full access to the model and its versions. This role is automatically granted to the user who creates the model. ml.models.*
ml.versions.*
 Model
roles/
ml.modelUser		 ML Engine Model User Provides permissions to read the model and its versions, and use them for prediction. ml.models.get
ml.models.predict
ml.versions.get
ml.versions.list
ml.versions.predict
 Model
roles/
ml.operationOwner		 ML Engine Operation Owner Provides full access to all permissions for a particular operation resource. ml.operations.*
 Operation
roles/
ml.viewer		 ML Engine Viewer Provides read-only access to AI Platform resources. ml.jobs.get
ml.jobs.list
ml.locations.*
ml.models.get
ml.models.list
ml.operations.get
ml.operations.list
ml.projects.*
ml.versions.get
ml.versions.list
resourcemanager.projects.get
 Project

Monitoring Roles

Role Title Description Permissions Lowest Resource
roles/
monitoring.admin		 Monitoring Admin Provides the same access as roles/monitoring.editor. cloudnotifications.*
monitoring.*
resourcemanager.projects.get
resourcemanager.projects.list
stackdriver.*
 Project
roles/
monitoring.alertPolicyEditor		 Monitoring AlertPolicy Editor Beta Read/write access to alerting policies. monitoring.alertPolicies.*
roles/
monitoring.alertPolicyViewer		 Monitoring AlertPolicy Viewer Beta Read-only access to alerting policies. monitoring.alertPolicies.get
monitoring.alertPolicies.list
roles/
monitoring.editor		 Monitoring Editor Provides full access to information about all monitoring data and configurations. cloudnotifications.*
monitoring.alertPolicies.*
monitoring.dashboards.*
monitoring.groups.*
monitoring.metricDescriptors.*
monitoring.monitoredResourceDescriptors.*
monitoring.notificationChannelDescriptors.*
monitoring.notificationChannels.create
monitoring.notificationChannels.delete
monitoring.notificationChannels.get
monitoring.notificationChannels.list
monitoring.notificationChannels.sendVerificationCode
monitoring.notificationChannels.update
monitoring.notificationChannels.verify
monitoring.publicWidgets.*
monitoring.timeSeries.*
monitoring.uptimeCheckConfigs.*
resourcemanager.projects.get
resourcemanager.projects.list
stackdriver.*
 Project
roles/
monitoring.metricWriter		 Monitoring Metric Writer Provides write-only access to metrics. This provides exactly the permissions needed by the Stackdriver agent and other systems that send metrics. monitoring.metricDescriptors.create
monitoring.metricDescriptors.get
monitoring.metricDescriptors.list
monitoring.monitoredResourceDescriptors.*
monitoring.timeSeries.create
 Project
roles/
monitoring.notificationChannelEditor		 Monitoring NotificationChannel Editor Beta Read/write access to notification channels. monitoring.notificationChannelDescriptors.*
monitoring.notificationChannels.create
monitoring.notificationChannels.delete
monitoring.notificationChannels.get
monitoring.notificationChannels.list
monitoring.notificationChannels.sendVerificationCode
monitoring.notificationChannels.update
monitoring.notificationChannels.verify
roles/
monitoring.notificationChannelViewer		 Monitoring NotificationChannel Viewer Beta Read-only access to notification channels. monitoring.notificationChannelDescriptors.*
monitoring.notificationChannels.get
monitoring.notificationChannels.list
roles/
monitoring.uptimeCheckConfigEditor		 Monitoring Uptime Check Configuration Editor Beta Read/write access to uptime check configurations. monitoring.uptimeCheckConfigs.*
roles/
monitoring.uptimeCheckConfigViewer		 Monitoring Uptime Check Configuration Viewer Beta Read-only access to uptime check configurations. monitoring.uptimeCheckConfigs.get
monitoring.uptimeCheckConfigs.list
roles/
monitoring.viewer		 Monitoring Viewer Provides read-only access to get and list information about all monitoring data and configurations. cloudnotifications.*
monitoring.alertPolicies.get
monitoring.alertPolicies.list
monitoring.dashboards.get
monitoring.dashboards.list
monitoring.groups.get
monitoring.groups.list
monitoring.metricDescriptors.get
monitoring.metricDescriptors.list
monitoring.monitoredResourceDescriptors.*
monitoring.notificationChannelDescriptors.*
monitoring.notificationChannels.get
monitoring.notificationChannels.list
monitoring.publicWidgets.get
monitoring.publicWidgets.list
monitoring.timeSeries.list
monitoring.uptimeCheckConfigs.get
monitoring.uptimeCheckConfigs.list
resourcemanager.projects.get
resourcemanager.projects.list
stackdriver.projects.get
 Project

Other Roles

Role Title Description Permissions Lowest Resource
roles/
accesscontextmanager.policyAdmin		 Access Context Manager Admin Full access to policies, access levels, and access zones accesscontextmanager.*
resourcemanager.organizations.get
resourcemanager.projects.get
resourcemanager.projects.list
roles/
accesscontextmanager.policyEditor		 Access Context Manager Editor Edit access to policies. Create, edit, and change access levels and access zones. accesscontextmanager.accessLevels.*
accesscontextmanager.accessPolicies.create
accesscontextmanager.accessPolicies.delete
accesscontextmanager.accessPolicies.get
accesscontextmanager.accessPolicies.getIamPolicy
accesscontextmanager.accessPolicies.list
accesscontextmanager.accessPolicies.update
accesscontextmanager.accessZones.*
accesscontextmanager.policies.create
accesscontextmanager.policies.delete
accesscontextmanager.policies.get
accesscontextmanager.policies.getIamPolicy
accesscontextmanager.policies.list
accesscontextmanager.policies.update
accesscontextmanager.servicePerimeters.*
resourcemanager.organizations.get
resourcemanager.projects.get
resourcemanager.projects.list
roles/
accesscontextmanager.policyReader		 Access Context Manager Reader Read access to policies, access levels, and access zones. accesscontextmanager.accessLevels.get
accesscontextmanager.accessLevels.list
accesscontextmanager.accessPolicies.get
accesscontextmanager.accessPolicies.getIamPolicy
accesscontextmanager.accessPolicies.list
accesscontextmanager.accessZones.get
accesscontextmanager.accessZones.list
accesscontextmanager.policies.get
accesscontextmanager.policies.getIamPolicy
accesscontextmanager.policies.list
accesscontextmanager.servicePerimeters.get
accesscontextmanager.servicePerimeters.list
resourcemanager.organizations.get
resourcemanager.projects.get
resourcemanager.projects.list
roles/
dlpscanner.serviceAgent		 DLP Scanner Service Agent Allows DLP API access for DLP Scanner.
roles/
indexstore.serviceAgent		 Cloud Indexstore API Service Agent Grants Cloud Indexstore access to services and APIs in the user project
roles/
mobilecrashreporting.symbolMappingsAdmin		 Firebase Crash Symbol Uploader (Deprecated) Full read/write access to symbol mapping file resources for Firebase Crash Reporting.Deprecated in favor of firebasecrash.symbolMappingsAdmin firebase.clients.get
resourcemanager.projects.get
roles/
resourcemanager.organizationCreator		 Organization Creator Access to create and list organizations.
roles/
runtimeconfig.admin		 Cloud RuntimeConfig Admin Full access to RuntimeConfig resources. runtimeconfig.*
roles/
subscribewithgoogledeveloper.developer		 Subscribe with Google Developer Beta Access DevTools for Subscribe with Google resourcemanager.projects.get
resourcemanager.projects.list
subscribewithgoogledeveloper.*

Pub/Sub Roles

Role Title Description Permissions Lowest Resource
roles/
pubsub.admin		 Pub/Sub Admin Provides full access to topics and subscriptions. pubsub.*
resourcemanager.projects.get
serviceusage.quotas.get
serviceusage.services.get
serviceusage.services.list
 Topic
roles/
pubsub.editor		 Pub/Sub Editor Provides access to modify topics and subscriptions, and access to publish and consume messages. pubsub.snapshots.create
pubsub.snapshots.delete
pubsub.snapshots.get
pubsub.snapshots.list
pubsub.snapshots.seek
pubsub.snapshots.update
pubsub.subscriptions.consume
pubsub.subscriptions.create
pubsub.subscriptions.delete
pubsub.subscriptions.get
pubsub.subscriptions.list
pubsub.subscriptions.update
pubsub.topics.attachSubscription
pubsub.topics.create
pubsub.topics.delete
pubsub.topics.get
pubsub.topics.list
pubsub.topics.publish
pubsub.topics.update
resourcemanager.projects.get
serviceusage.quotas.get
serviceusage.services.get
serviceusage.services.list
 Topic
roles/
pubsub.publisher		 Pub/Sub Publisher Provides access to publish messages to a topic. pubsub.topics.publish
 Topic
roles/
pubsub.subscriber		 Pub/Sub Subscriber Provides access to consume messages from a subscription and to attach subscriptions to a topic. pubsub.snapshots.seek
pubsub.subscriptions.consume
pubsub.topics.attachSubscription
 Topic
roles/
pubsub.viewer		 Pub/Sub Viewer Provides access to view topics and subscriptions. pubsub.snapshots.get
pubsub.snapshots.list
pubsub.subscriptions.get
pubsub.subscriptions.list
pubsub.topics.get
pubsub.topics.list
resourcemanager.projects.get
serviceusage.quotas.get
serviceusage.services.get
serviceusage.services.list
 Topic

Resource Manager Roles

Role Title Description Permissions Lowest Resource
roles/
resourcemanager.folderAdmin		 Folder Admin Provides all available permissions for working with folders. orgpolicy.policy.get
resourcemanager.folders.*
resourcemanager.projects.get
resourcemanager.projects.getIamPolicy
resourcemanager.projects.list
resourcemanager.projects.move
resourcemanager.projects.setIamPolicy
 Folder
roles/
resourcemanager.folderCreator		 Folder Creator Provides permissions needed to browse the hierarchy and create folders. orgpolicy.policy.get
resourcemanager.folders.create
resourcemanager.folders.get
resourcemanager.folders.list
resourcemanager.projects.get
resourcemanager.projects.list
 Folder
roles/
resourcemanager.folderEditor		 Folder Editor Provides permission to modify folders as well as to view a folder's Cloud IAM policy. orgpolicy.policy.get
resourcemanager.folders.delete
resourcemanager.folders.get
resourcemanager.folders.getIamPolicy
resourcemanager.folders.list
resourcemanager.folders.undelete
resourcemanager.folders.update
resourcemanager.projects.get
resourcemanager.projects.list
 Folder
roles/
resourcemanager.folderIamAdmin		 Folder IAM Admin Provides permissions to administer Cloud IAM policies on folders. resourcemanager.folders.get
resourcemanager.folders.getIamPolicy
resourcemanager.folders.setIamPolicy
 Folder
roles/
resourcemanager.folderMover		 Folder Mover Provides permission to move projects and folders into and out of a parent Organization or folder. resourcemanager.folders.move
resourcemanager.projects.move
 Folder
roles/
resourcemanager.folderViewer		 Folder Viewer Provides permission to get a folder and list the folders and projects below a resource. orgpolicy.policy.get
resourcemanager.folders.get
resourcemanager.folders.list
resourcemanager.projects.get
resourcemanager.projects.list
 Folder
roles/
resourcemanager.lienModifier		 Project Lien Modifier Provides access to modify Liens on projects. resourcemanager.projects.updateLiens
 Project
roles/
resourcemanager.organizationAdmin		 Organization Administrator Access to administer all resources belonging to the organization. orgpolicy.policy.get
resourcemanager.folders.get
resourcemanager.folders.getIamPolicy
resourcemanager.folders.list
resourcemanager.folders.setIamPolicy
resourcemanager.organizations.*
resourcemanager.projects.get
resourcemanager.projects.getIamPolicy
resourcemanager.projects.list
resourcemanager.projects.setIamPolicy
roles/
resourcemanager.organizationViewer		 Organization Viewer Provides access to view an organization. resourcemanager.organizations.get
 Organization
roles/
resourcemanager.projectCreator		 Project Creator Provides access to create new projects. Once a user creates a project, they're automatically granted the owner role for that project. resourcemanager.organizations.get
resourcemanager.projects.create
 Folder
roles/
resourcemanager.projectDeleter		 Project Deleter Provides access to delete GCP projects. resourcemanager.projects.delete
 Folder
roles/
resourcemanager.projectIamAdmin		 Project IAM Admin Provides permissions to administer Cloud IAM policies on projects. resourcemanager.projects.get
resourcemanager.projects.getIamPolicy
resourcemanager.projects.setIamPolicy
 Project
roles/
resourcemanager.projectMover		 Project Mover Provides access to update and move projects. resourcemanager.projects.get
resourcemanager.projects.update
 Project

Security Center Roles

Role Title Description Permissions Lowest Resource
roles/
securitycenter.admin		 Security Center Admin Beta Admin(super user) access to security center resourcemanager.organizations.get
securitycenter.assets.group
securitycenter.assets.list
securitycenter.assets.listAssetPropertyNames
securitycenter.assets.runDiscovery
securitycenter.assetsecuritymarks.*
securitycenter.findings.group
securitycenter.findings.list
securitycenter.findings.listFindingPropertyNames
securitycenter.findings.update
securitycenter.findingsecuritymarks.*
securitycenter.organizationsettings.*
securitycenter.sources.*
 Organization
roles/
securitycenter.adminEditor		 Security Center Admin Editor Beta Admin Read-write access to security center resourcemanager.organizations.get
securitycenter.assets.runDiscovery
securitycenter.assetsecuritymarks.*
securitycenter.findings.group
securitycenter.findings.list
securitycenter.findings.listFindingPropertyNames
securitycenter.findings.update
securitycenter.findingsecuritymarks.*
securitycenter.sources.get
securitycenter.sources.list
securitycenter.sources.update
 Organization
roles/
securitycenter.adminViewer		 Security Center Admin Viewer Beta Admin Read access to security center resourcemanager.organizations.get
securitycenter.assets.group
securitycenter.assets.list
securitycenter.assets.listAssetPropertyNames
securitycenter.findings.group
securitycenter.findings.list
securitycenter.findings.listFindingPropertyNames
securitycenter.sources.get
securitycenter.sources.list
 Organization
roles/
securitycenter.assetSecurityMarksWriter		 Security Center Asset Security Marks Writer Beta Write access to asset security marks securitycenter.assetsecuritymarks.*
 Organization
roles/
securitycenter.assetsDiscoveryRunner		 Security Center Assets Discovery Runner Beta Run asset discovery access to assets securitycenter.assets.runDiscovery
 Organization
roles/
securitycenter.assetsViewer		 Security Center Assets Viewer Beta Read access to assets resourcemanager.organizations.get
securitycenter.assets.group
securitycenter.assets.list
securitycenter.assets.listAssetPropertyNames
 Organization
roles/
securitycenter.editor		 Security Center Editor Beta Read-write access to assets, configs, notification streams, and marks, readonly access to scans resourcemanager.organizations.get
securitycenter.assets.get
securitycenter.assets.getFieldNames
securitycenter.assets.list
securitycenter.assets.triggerDiscovery
securitycenter.assets.update
securitycenter.configs.get
securitycenter.configs.getIamPolicy
securitycenter.configs.update
securitycenter.scans.*
 Organization
roles/
securitycenter.findingSecurityMarksWriter		 Security Center Finding Security Marks Writer Beta Write access to finding security marks securitycenter.findingsecuritymarks.*
 Organization
roles/
securitycenter.findingsEditor		 Security Center Findings Editor Beta Read-write access to findings resourcemanager.organizations.get
securitycenter.findings.group
securitycenter.findings.list
securitycenter.findings.listFindingPropertyNames
securitycenter.findings.update
securitycenter.sources.get
securitycenter.sources.list
 Organization
roles/
securitycenter.findingsStateSetter		 Security Center Findings State Setter Beta Set state access to findings securitycenter.findings.setState
 Organization
roles/
securitycenter.findingsViewer		 Security Center Findings Viewer Beta Read access to findings resourcemanager.organizations.get
securitycenter.findings.group
securitycenter.findings.list
securitycenter.findings.listFindingPropertyNames
securitycenter.sources.get
securitycenter.sources.list
 Organization
roles/
securitycenter.sourcesAdmin		 Security Center Sources Admin Beta Admin access to sources resourcemanager.organizations.get
securitycenter.sources.*
 Organization
roles/
securitycenter.sourcesEditor		 Security Center Sources Editor Beta Read-write access to sources resourcemanager.organizations.get
securitycenter.sources.get
securitycenter.sources.list
securitycenter.sources.update
 Organization
roles/
securitycenter.sourcesViewer		 Security Center Sources Viewer Beta Read access to sources resourcemanager.organizations.get
securitycenter.sources.get
securitycenter.sources.list
 Organization
roles/
securitycenter.viewer		 Security Center Viewer Beta Read access to assets, configs, notification streams, scans, and marks resourcemanager.organizations.get
securitycenter.assets.get
securitycenter.assets.getFieldNames
securitycenter.assets.list
securitycenter.configs.get
securitycenter.configs.getIamPolicy
securitycenter.scans.*
 Organization

Service Accounts Roles

Role Title Description Permissions Lowest Resource
roles/
iam.serviceAccountAdmin		 Service Account Admin Create and manage service accounts. iam.serviceAccounts.create
iam.serviceAccounts.delete
iam.serviceAccounts.get
iam.serviceAccounts.getIamPolicy
iam.serviceAccounts.list
iam.serviceAccounts.setIamPolicy
iam.serviceAccounts.update
resourcemanager.projects.get
resourcemanager.projects.list
 Service Account
roles/
iam.serviceAccountCreator		 Create Service Accounts Access to create service accounts. iam.serviceAccounts.create
iam.serviceAccounts.get
iam.serviceAccounts.list
resourcemanager.projects.get
resourcemanager.projects.list
roles/
iam.serviceAccountDeleter		 Delete Service Accounts Access to delete service accounts. iam.serviceAccounts.delete
iam.serviceAccounts.get
iam.serviceAccounts.list
resourcemanager.projects.get
resourcemanager.projects.list
roles/
iam.serviceAccountKeyAdmin		 Service Account Key Admin Create and manage (and rotate) service account keys. iam.serviceAccountKeys.*
iam.serviceAccounts.get
iam.serviceAccounts.list
resourcemanager.projects.get
resourcemanager.projects.list
 Service Account
roles/
iam.serviceAccountTokenCreator		 Service Account Token Creator Impersonate service accounts (create OAuth2 access tokens, sign blobs or JWTs, etc). iam.serviceAccounts.get
iam.serviceAccounts.getAccessToken
iam.serviceAccounts.implicitDelegation
iam.serviceAccounts.list
iam.serviceAccounts.signBlob
iam.serviceAccounts.signJwt
resourcemanager.projects.get
resourcemanager.projects.list
 Service Account
roles/
iam.serviceAccountUser		 Service Account User Run operations as the service account. iam.serviceAccounts.actAs
iam.serviceAccounts.get
iam.serviceAccounts.list
resourcemanager.projects.get
resourcemanager.projects.list
 Service Account

Service Management Roles

Role Title Description Permissions Lowest Resource
roles/
servicemanagement.admin		 Service Management Administrator Full control of Google Service Management resources. monitoring.timeSeries.list
resourcemanager.folders.get
resourcemanager.folders.list
resourcemanager.organizations.get
resourcemanager.projects.get
resourcemanager.projects.list
serviceconsumermanagement.*
servicemanagement.services.*
serviceusage.quotas.get
serviceusage.services.get
roles/
servicemanagement.configEditor		 Service Config Editor Access to update the service config and create rollouts. servicemanagement.services.get
servicemanagement.services.update
roles/
servicemanagement.quotaAdmin		 Quota Administrator Beta Provides access to administer service quotas. monitoring.timeSeries.list
resourcemanager.organizations.get
resourcemanager.projects.get
resourcemanager.projects.list
servicemanagement.consumerSettings.*
serviceusage.quotas.*
serviceusage.services.disable
serviceusage.services.enable
serviceusage.services.get
serviceusage.services.list
 Project
roles/
servicemanagement.quotaViewer		 Quota Viewer Beta Provides access to view service quotas. monitoring.timeSeries.list
servicemanagement.consumerSettings.get
servicemanagement.consumerSettings.getIamPolicy
servicemanagement.consumerSettings.list
serviceusage.quotas.get
serviceusage.services.get
serviceusage.services.list
 Project
roles/
servicemanagement.serviceConsumer		 Service Consumer Can enable the service. servicemanagement.services.bind
roles/
servicemanagement.serviceController		 Service Controller Runtime control of checking and reporting usage of a service. servicemanagement.services.check
servicemanagement.services.get
servicemanagement.services.quota
servicemanagement.services.report
 Project

Storage Legacy Roles

Role Title Description Permissions Lowest Resource
roles/
storage.legacyBucketOwner		 Storage Legacy Bucket Owner Grants permission to create, overwrite, and delete objects; list objects in a bucket and read object metadata, excluding Cloud IAM policies, when listing; and read and edit bucket metadata, including Cloud IAM policies.

Use of this role is also reflected in the bucket's ACLs. For more information, see Cloud IAM relation to ACLs.

storage.buckets.get
storage.buckets.getIamPolicy
storage.buckets.setIamPolicy
storage.buckets.update
storage.objects.create
storage.objects.delete
storage.objects.list
 Bucket
roles/
storage.legacyBucketReader		 Storage Legacy Bucket Reader Grants permission to list a bucket's contents and read bucket metadata, excluding Cloud IAM policies. Also grants permission to read object metadata, excluding Cloud IAM policies, when listing objects.

Use of this role is also reflected in the bucket's ACLs. For more information, see Cloud IAM relation to ACLs.

storage.buckets.get
storage.objects.list
 Bucket
roles/
storage.legacyBucketWriter		 Storage Legacy Bucket Writer Grants permission to create, overwrite, and delete objects; list objects in a bucket and read object metadata, excluding Cloud IAM policies, when listing; and read bucket metadata, excluding Cloud IAM policies.

Use of this role is also reflected in the bucket's ACLs. For more information, see Cloud IAM relation to ACLs.

storage.buckets.get
storage.objects.create
storage.objects.delete
storage.objects.list
 Bucket
roles/
storage.legacyObjectOwner		 Storage Legacy Object Owner Grants permission to view and edit objects and their metadata, including ACLs. storage.objects.get
storage.objects.getIamPolicy
storage.objects.setIamPolicy
storage.objects.update
 Bucket
roles/
storage.legacyObjectReader		 Storage Legacy Object Reader Grants permission to view objects and their metadata, excluding ACLs. storage.objects.get
 Bucket

Funciones personalizadas

Además de las funciones predefinidas, Cloud IAM también proporciona la capacidad de crear funciones de Cloud IAM personalizadas. Puedes crear una función personalizada de Cloud IAM con uno o más permisos y, luego, asignarla a los usuarios que forman la organización. Consulta Explicación de las funciones personalizadas y Crea y administra funciones personalizadas para obtener más información.

Documentación de Cloud IAM específica del producto

En la documentación de Cloud IAM específica del producto, se explica más sobre las funciones predefinidas que ofrece cada producto. Lee las páginas siguientes para obtener más información sobre las funciones predefinidas.

Documentación Descripción
Cloud IAM para App Engine Explica las funciones de Cloud IAM para App Engine
Cloud IAM para BigQuery Explica las funciones de Cloud IAM para BigQuery
Cloud IAM para Cloud Bigtable Explica las funciones de Cloud IAM para Cloud Bigtable
Cloud IAM para la API de Cloud Billing Explica las funciones y los permisos de Cloud IAM para la API de Cloud Billing
Cloud IAM para Cloud Dataflow Explica las funciones de Cloud IAM para Cloud Dataflow
Cloud IAM para Cloud Dataproc Explica las funciones y los permisos de Cloud IAM para Cloud Dataproc
Cloud IAM para Cloud Datastore Explica las funciones y los permisos de Cloud IAM para Cloud Datastore
Cloud IAM para Cloud DNS Explica las funciones y los permisos de Cloud IAM para Cloud DNS
Cloud IAM para Cloud KMS Explica las funciones y los permisos de Cloud IAM para Cloud KMS
Cloud IAM para Cloud ML Engine Explica las funciones y los permisos de Cloud IAM para Cloud ML Engine
Cloud IAM para Cloud Pub/Sub Explica las funciones de Cloud IAM para Cloud Pub/Sub
Cloud IAM para Cloud Spanner Explica las funciones y los permisos de Cloud IAM para Cloud Spanner
Cloud IAM para Cloud SQL Explica las funciones de Cloud IAM para Cloud SQL
Cloud IAM para Cloud Storage Explica las funciones de Cloud IAM para Cloud Storage
Cloud IAM para Compute Engine Explica las funciones de Cloud IAM para Compute Engine
Cloud IAM para Cloud GKE Explica las funciones y los permisos de Cloud IAM para GKE
Cloud IAM para Cloud Deployment Manager Explica las funciones y los permisos de Cloud IAM para Cloud Deployment Manager
Cloud IAM para organizaciones Explica las funciones de Cloud IAM para organizaciones
Cloud IAM para carpetas Explica las funciones de Cloud IAM para carpetas
Cloud IAM para proyectos Explica las funciones de Cloud IAM para proyectos
Cloud IAM para la administración de servicios Explica las funciones y los permisos de Cloud IAM para la administración de servicios
Cloud IAM para Stackdriver Debugger Explica las funciones de Cloud IAM para Debugger
Cloud IAM para Stackdriver Logging Explica las funciones de Cloud IAM para Logging
Cloud IAM para Stackdriver Monitoring Explica las funciones de Cloud IAM para Monitoring
Cloud IAM para Stackdriver Trace Explica las funciones y los permisos de Cloud IAM para Trace

Pasos siguientes

¿Te sirvió esta página? Envíanos tu opinión:

Enviar comentarios sobre…

Esta página
Comentarios sobre la documentación
Cloud IAM Documentation
Comentarios sobre el producto