Understanding roles

When an identity calls a Google Cloud API, Cloud Identity and Access Management requires that the identity has the appropriate permissions to use the resource. You can grant permissions by granting roles to a user, a group, or a service account.

This page describes the Cloud IAM roles that you can grant to identities to access Cloud Platform resources.

Prerequisite for this guide

Understand the basic concepts of Cloud IAM

Role types

There are three types of roles in Cloud IAM:

Primitive roles, which include the Owner, Editor, and Viewer roles that existed prior to the introduction of Cloud IAM
Predefined roles, which provide granular access for a specific service and are managed by Google Cloud
Custom roles, which provide granular access according to a user-specified list of permissions

To determine if one or more permissions are included in a primitive, predefined, or custom role, you can use one of the following methods:

The gcloud iam roles describe command
The roles.get() API

The sections below describe each role type and provide examples of how to use them.

Primitive roles

There are three roles that existed prior to the introduction of Cloud IAM: Owner, Editor, and Viewer. These roles are concentric; that is, the Owner role includes the permissions in the Editor role, and the Editor role includes the permissions in the Viewer role.

The following table summarizes the permissions that the primitive roles include across all Google Cloud services:

Primitive role definitions

Name	Title	Permissions
`roles/viewer`	Viewer	Permissions for read-only actions that do not affect state, such as viewing (but not modifying) existing resources or data.
`roles/editor`	Editor	All viewer permissions, plus permissions for actions that modify state, such as changing existing resources. Note: While the `roles/editor` role contains permissions to create and delete resources for most Google Cloud services, some services do not include these permissions. See the section above for more information on how to check if a role has the permissions that you need.
`roles/owner`	Owner	All editor permissions and permissions for the following actions: Manage roles and permissions for a project and all resources within the project. Set up billing for a project. Note: Granting the owner role at a resource level, such as a Pub/Sub topic, doesn't grant the owner role on the parent project. Granting the owner role at the organization level doesn't allow you to update the organization's metadata. However, it allows you to modify projects and other resources under that organization.

You can apply primitive roles at the project or service resource levels by using Cloud Console, the API and the gcloud command-line tool.

Invitation flow

You cannot grant the owner role to a member for a project using the Cloud IAM API or the gcloud command-line tool. You can only add owners to a project using the Cloud Console. An invitation will be sent to the member via email and the member must accept the invitation to be made an owner of the project.

Note that invitation emails aren't sent in the following cases:

when you're granting a role other than the owner.
when an organization member adds another member of their organization as an owner of a project within that organization.

Predefined roles

In addition to the primitive roles, Cloud IAM provides additional predefined roles that give granular access to specific Google Cloud Platform resources and prevent unwanted access to other resources.

The following table lists these roles, their description, and the lowest-level resource type where the roles can be set. A particular role can be granted to this resource type, or in most cases any type above it in the Google Cloud hierarchy. You can grant multiple roles to the same user. For example, the same user can have Network Admin and Log Viewer roles on a project and also have a Publisher role for a Pub/Sub topic within that project. For a list of the permissions contained in a role, see Getting the role metadata.

Access Approval roles

Role	Title	Description	Permissions
`roles/accessapproval.approver`	Access Approval Approver ^Beta	Ability to view or act on access approval requests and view configuration	accessapproval.requests.* accessapproval.settings.get resourcemanager.projects.get resourcemanager.projects.list
`roles/accessapproval.configEditor`	Access Approval Config Editor ^Beta	Ability update the Access Approval configuration	accessapproval.settings.* resourcemanager.projects.get resourcemanager.projects.list
`roles/accessapproval.viewer`	Access Approval Viewer ^Beta	Ability to view access approval requests and configuration	accessapproval.requests.get accessapproval.requests.list accessapproval.settings.get resourcemanager.projects.get resourcemanager.projects.list

Access Context Manager roles

Role	Title	Description	Permissions
`roles/accesscontextmanager.policyAdmin`	Access Context Manager Admin	Full access to policies, access levels, and access zones	accesscontextmanager.* resourcemanager.organizations.get resourcemanager.projects.get resourcemanager.projects.list
`roles/accesscontextmanager.policyEditor`	Access Context Manager Editor	Edit access to policies. Create, edit, and change access levels and access zones.	accesscontextmanager.accessLevels.* accesscontextmanager.accessPolicies.create accesscontextmanager.accessPolicies.delete accesscontextmanager.accessPolicies.get accesscontextmanager.accessPolicies.getIamPolicy accesscontextmanager.accessPolicies.list accesscontextmanager.accessPolicies.update accesscontextmanager.accessZones.* accesscontextmanager.policies.create accesscontextmanager.policies.delete accesscontextmanager.policies.get accesscontextmanager.policies.getIamPolicy accesscontextmanager.policies.list accesscontextmanager.policies.update accesscontextmanager.servicePerimeters.* resourcemanager.organizations.get resourcemanager.projects.get resourcemanager.projects.list
`roles/accesscontextmanager.policyReader`	Access Context Manager Reader	Read access to policies, access levels, and access zones.	accesscontextmanager.accessLevels.get accesscontextmanager.accessLevels.list accesscontextmanager.accessPolicies.get accesscontextmanager.accessPolicies.getIamPolicy accesscontextmanager.accessPolicies.list accesscontextmanager.accessZones.get accesscontextmanager.accessZones.list accesscontextmanager.policies.get accesscontextmanager.policies.getIamPolicy accesscontextmanager.policies.list accesscontextmanager.servicePerimeters.get accesscontextmanager.servicePerimeters.list resourcemanager.organizations.get resourcemanager.projects.get resourcemanager.projects.list
`roles/accesscontextmanager.vpcScTroubleshooterViewer`	VPC Service Controls Troubleshooter Viewer ^Alpha		accesscontextmanager.accessLevels.get accesscontextmanager.accessLevels.list accesscontextmanager.policies.get accesscontextmanager.policies.getIamPolicy accesscontextmanager.policies.list accesscontextmanager.servicePerimeters.get accesscontextmanager.servicePerimeters.list logging.exclusions.get logging.exclusions.list logging.logEntries.list logging.logMetrics.get logging.logMetrics.list logging.logServiceIndexes.* logging.logServices.* logging.logs.list logging.sinks.get logging.sinks.list logging.usage.* resourcemanager.organizations.get resourcemanager.projects.get resourcemanager.projects.list

Actions roles

Role	Title	Description	Permissions	Lowest resource
`roles/actions.Admin`	Actions Admin	Access to edit and deploy an action	actions.* firebase.projects.get firebase.projects.update resourcemanager.projects.get resourcemanager.projects.list
`roles/actions.Viewer`	Actions Viewer	Access to view an action	actions.agent.get actions.agentVersions.get actions.agentVersions.list firebase.projects.get resourcemanager.projects.get resourcemanager.projects.list

Android Management roles

Role	Title	Description	Permissions	Lowest resource
`roles/androidmanagement.user`	Android Management User	Full access to manage devices.	androidmanagement.* serviceusage.quotas.get serviceusage.services.get serviceusage.services.list

Apigee roles

Role	Title	Description	Permissions
`roles/apigee.admin`	Apigee Organization Admin ^Beta	Full access to all apigee resource features	apigee.* resourcemanager.projects.get resourcemanager.projects.getIamPolicy resourcemanager.projects.list
`roles/apigee.analyticsAgent`	Apigee Analytics Agent ^Beta	Curated set of permissions for Apigee Universal Data Collection Agent to manage analytics for an Apigee Organization	apigee.environments.getDataLocation
`roles/apigee.analyticsEditor`	Apigee Analytics Editor ^Beta	Analytics editor for an Apigee Organization	apigee.environments.get apigee.environments.getStats apigee.organizations.get apigee.organizations.list apigee.queries.* apigee.reports.* resourcemanager.projects.get resourcemanager.projects.list
`roles/apigee.analyticsViewer`	Apigee Analytics Viewer ^Beta	Analytics viewer for an Apigee Organization	apigee.environments.getStats apigee.organizations.get apigee.organizations.list resourcemanager.projects.get resourcemanager.projects.list
`roles/apigee.apiCreator`	Apigee API Creator ^Beta	Creator of apigee resources	apigee.apiproductattributes.get apigee.apiproductattributes.list apigee.apiproducts.get apigee.apiproducts.list apigee.apps.* apigee.environments.get apigee.environments.getStats apigee.environments.list apigee.keyvaluemaps.* apigee.organizations.get apigee.organizations.list apigee.proxies.* apigee.proxyrevisions.delete apigee.proxyrevisions.get apigee.proxyrevisions.list apigee.proxyrevisions.update apigee.sharedflowrevisions.* apigee.sharedflows.* apigee.tracesessions.* resourcemanager.projects.get resourcemanager.projects.list
`roles/apigee.deployer`	Apigee Deployer ^Beta	Deployer of apigee resources	apigee.apiproductattributes.get apigee.apiproductattributes.list apigee.apiproducts.get apigee.apiproducts.list apigee.apps.* apigee.deployments.* apigee.environments.get apigee.environments.getIamPolicy apigee.environments.getStats apigee.environments.list apigee.environments.setIamPolicy apigee.flowhooks.* apigee.keystorealiases.* apigee.keystores.* apigee.keyvaluemaps.* apigee.maskconfigs.* apigee.organizations.get apigee.organizations.list apigee.proxies.get apigee.proxies.list apigee.proxyrevisions.deploy apigee.proxyrevisions.get apigee.proxyrevisions.list apigee.proxyrevisions.undeploy apigee.references.* apigee.resourcefiles.* apigee.sharedflowrevisions.* apigee.sharedflows.* apigee.targetservers.* apigee.tracesessions.* resourcemanager.projects.get resourcemanager.projects.getIamPolicy resourcemanager.projects.list
`roles/apigee.developerAdmin`	Apigee Developer Admin ^Beta	Developer admin of apigee resources	apigee.apiproductattributes.get apigee.apiproductattributes.list apigee.apiproducts.get apigee.apiproducts.list apigee.appkeys.* apigee.developerappattributes.* apigee.developerapps.* apigee.developerattributes.* apigee.developers.* apigee.environments.get apigee.environments.getStats apigee.organizations.get apigee.organizations.list resourcemanager.projects.get resourcemanager.projects.getIamPolicy resourcemanager.projects.list
`roles/apigee.readOnlyAdmin`	Apigee Read-only Admin ^Beta	Viewer of all apigee resources	apigee.apiproductattributes.get apigee.apiproductattributes.list apigee.apiproducts.get apigee.apiproducts.list apigee.appkeys.get apigee.apps.* apigee.deployments.get apigee.deployments.list apigee.developerappattributes.get apigee.developerappattributes.list apigee.developerapps.get apigee.developerapps.list apigee.developerattributes.get apigee.developerattributes.list apigee.developers.get apigee.developers.list apigee.environments.get apigee.environments.getDataLocation apigee.environments.getIamPolicy apigee.environments.getStats apigee.environments.list apigee.flowhooks.getSharedFlow apigee.flowhooks.list apigee.keystorealiases.get apigee.keystorealiases.list apigee.keystores.get apigee.keystores.list apigee.keyvaluemaps.list apigee.maskconfigs.get apigee.organizations.get apigee.organizations.list apigee.proxies.get apigee.proxies.list apigee.proxyrevisions.get apigee.proxyrevisions.list apigee.queries.get apigee.queries.list apigee.references.get apigee.references.list apigee.reports.get apigee.reports.list apigee.resourcefiles.get apigee.resourcefiles.list apigee.sharedflowrevisions.get apigee.sharedflowrevisions.list apigee.sharedflows.get apigee.sharedflows.list apigee.targetservers.get apigee.targetservers.list apigee.tracesessions.get apigee.tracesessions.list resourcemanager.projects.get resourcemanager.projects.getIamPolicy resourcemanager.projects.list
`roles/apigee.synchronizerManager`	Apigee Synchronizer Manager ^Beta	Curated set of permissions for a Synchronizer to manage environments in an Apigee Organization	apigee.environments.get apigee.environments.manageRuntime

App Engine roles

Role	Title	Description	Permissions	Lowest resource
`roles/appengine.appAdmin`	App Engine Admin	Read/Write/Modify access to all application configuration and settings.	appengine.applications.get appengine.applications.update appengine.instances.* appengine.operations.* appengine.runtimes.* appengine.services.* appengine.versions.create appengine.versions.delete appengine.versions.get appengine.versions.list appengine.versions.update resourcemanager.projects.get resourcemanager.projects.list	Project
`roles/appengine.appViewer`	App Engine Viewer	Read-only access to all application configuration and settings.	appengine.applications.get appengine.instances.get appengine.instances.list appengine.operations.* appengine.services.get appengine.services.list appengine.versions.get appengine.versions.list resourcemanager.projects.get resourcemanager.projects.list	Project
`roles/appengine.codeViewer`	App Engine Code Viewer	Read-only access to all application configuration, settings, and deployed source code.	appengine.applications.get appengine.instances.get appengine.instances.list appengine.operations.* appengine.services.get appengine.services.list appengine.versions.get appengine.versions.getFileContents appengine.versions.list resourcemanager.projects.get resourcemanager.projects.list	Project
`roles/appengine.deployer`	App Engine Deployer	Read-only access to all application configuration and settings. Write access only to create a new version; cannot modify existing versions other than deleting versions that are not receiving traffic. Note: The App Engine Deployer (`roles/appengine.deployer`) role alone grants adequate permission to deploy using the App Engine Admin API. To use other App Engine tooling, like gcloud commands, you must also have the Compute Storage Admin (`roles/compute.storageAdmin`) and Cloud Build Editor (`cloudbuild.builds.editor`) roles.	appengine.applications.get appengine.instances.get appengine.instances.list appengine.operations.* appengine.services.get appengine.services.list appengine.versions.create appengine.versions.delete appengine.versions.get appengine.versions.list resourcemanager.projects.get resourcemanager.projects.list	Project
`roles/appengine.serviceAdmin`	App Engine Service Admin	Read-only access to all application configuration and settings. Write access to module-level and version-level settings. Cannot deploy a new version.	appengine.applications.get appengine.instances.* appengine.operations.* appengine.services.* appengine.versions.delete appengine.versions.get appengine.versions.list appengine.versions.update resourcemanager.projects.get resourcemanager.projects.list	Project

Artifact Registry roles

Role	Title	Description	Permissions
`roles/artifactregistry.admin`	Artifact Registry Administrator ^Beta	Administrator access to create and manage repositories.	artifactregistry.*
`roles/artifactregistry.reader`	Artifact Registry Reader ^Beta	Access to read repository items.	artifactregistry.files.* artifactregistry.packages.get artifactregistry.packages.list artifactregistry.repositories.downloadArtifacts artifactregistry.repositories.get artifactregistry.repositories.list artifactregistry.tags.get artifactregistry.tags.list artifactregistry.versions.get artifactregistry.versions.list
`roles/artifactregistry.repoAdmin`	Artifact Registry Repository Administrator ^Beta	Access to manage artifacts in repositories.	artifactregistry.files.* artifactregistry.packages.* artifactregistry.repositories.deleteArtifacts artifactregistry.repositories.downloadArtifacts artifactregistry.repositories.get artifactregistry.repositories.list artifactregistry.repositories.uploadArtifacts artifactregistry.tags.* artifactregistry.versions.*
`roles/artifactregistry.writer`	Artifact Registry Writer ^Beta	Access to read and write repository items.	artifactregistry.files.* artifactregistry.packages.get artifactregistry.packages.list artifactregistry.repositories.downloadArtifacts artifactregistry.repositories.get artifactregistry.repositories.list artifactregistry.repositories.uploadArtifacts artifactregistry.tags.create artifactregistry.tags.get artifactregistry.tags.list artifactregistry.tags.update artifactregistry.versions.get artifactregistry.versions.list

AutoML roles

Role	Title	Description	Permissions	Lowest resource
`roles/automl.admin`	AutoML Admin ^Beta	Full access to all AutoML resources	automl.* resourcemanager.projects.get resourcemanager.projects.list serviceusage.services.list	Dataset/Model
`roles/automl.editor`	AutoML Editor ^Beta	Editor of all AutoML resources	automl.annotationSpecs.* automl.annotations.* automl.columnSpecs.* automl.datasets.create automl.datasets.delete automl.datasets.export automl.datasets.get automl.datasets.import automl.datasets.list automl.datasets.update automl.examples.* automl.humanAnnotationTasks.* automl.locations.get automl.locations.list automl.modelEvaluations.* automl.models.create automl.models.delete automl.models.deploy automl.models.export automl.models.get automl.models.list automl.models.predict automl.models.undeploy automl.operations.* automl.tableSpecs.* resourcemanager.projects.get resourcemanager.projects.list serviceusage.services.list	Dataset/Model
`roles/automl.predictor`	AutoML Predictor ^Beta	Predict using models	automl.models.predict resourcemanager.projects.get resourcemanager.projects.list	Model
`roles/automl.viewer`	AutoML Viewer ^Beta	Viewer of all AutoML resources	automl.annotationSpecs.get automl.annotationSpecs.list automl.annotations.list automl.columnSpecs.get automl.columnSpecs.list automl.datasets.get automl.datasets.list automl.examples.get automl.examples.list automl.humanAnnotationTasks.get automl.humanAnnotationTasks.list automl.locations.get automl.locations.list automl.modelEvaluations.get automl.modelEvaluations.list automl.models.get automl.models.list automl.operations.get automl.operations.list automl.tableSpecs.get automl.tableSpecs.list resourcemanager.projects.get resourcemanager.projects.list serviceusage.services.list	Dataset/Model

BigQuery roles

Role	Title	Description	Permissions	Lowest resource
`roles/bigquery.admin`	BigQuery Admin	Provides permissions to manage all resources within the project. Can manage all data within the project, and can cancel jobs from other users running within the project.	bigquery.* resourcemanager.projects.get resourcemanager.projects.list	Project
`roles/bigquery.connectionAdmin`	BigQuery Connection Admin ^Beta		bigquery.connections.*
`roles/bigquery.connectionUser`	BigQuery Connection User ^Beta		bigquery.connections.get bigquery.connections.getIamPolicy bigquery.connections.list bigquery.connections.use
`roles/bigquery.dataEditor`	BigQuery Data Editor	When applied to a dataset, dataEditor provides permissions to: Read the dataset's metadata and to list tables in the dataset. Create, update, get, and delete the dataset's tables. When applied at the project or organization level, this role can also create new datasets.	bigquery.datasets.create bigquery.datasets.get bigquery.datasets.getIamPolicy bigquery.datasets.updateTag bigquery.models.* bigquery.routines.* bigquery.tables.create bigquery.tables.delete bigquery.tables.export bigquery.tables.get bigquery.tables.getData bigquery.tables.list bigquery.tables.update bigquery.tables.updateData bigquery.tables.updateTag resourcemanager.projects.get resourcemanager.projects.list	Dataset
`roles/bigquery.dataOwner`	BigQuery Data Owner	When applied to a dataset, dataOwner provides permissions to: Read, update, and delete the dataset. Create, update, get, and delete the dataset's tables. When applied at the project or organization level, this role can also create new datasets.	bigquery.datasets.* bigquery.models.* bigquery.routines.* bigquery.tables.* resourcemanager.projects.get resourcemanager.projects.list	Dataset
`roles/bigquery.dataViewer`	BigQuery Data Viewer	When applied to a dataset, dataViewer provides permissions to: Read the dataset's metadata and to list tables in the dataset. Read data and metadata from the dataset's tables. When applied at the project or organization level, this role can also enumerate all datasets in the project. Additional roles, however, are necessary to allow the running of jobs.	bigquery.datasets.get bigquery.datasets.getIamPolicy bigquery.models.getData bigquery.models.getMetadata bigquery.models.list bigquery.routines.get bigquery.routines.list bigquery.tables.export bigquery.tables.get bigquery.tables.getData bigquery.tables.list resourcemanager.projects.get resourcemanager.projects.list	Dataset
`roles/bigquery.jobUser`	BigQuery Job User	Provides permissions to run jobs, including queries, within the project. This role can check the existence of all jobs, enumerate their own jobs, and cancel their own jobs.	bigquery.jobs.create resourcemanager.projects.get resourcemanager.projects.list	Project
`roles/bigquery.metadataViewer`	BigQuery Metadata Viewer	When applied at the project or organization level, metadataViewer provides permissions to: List all datasets and read metadata for all datasets in the project. List all tables and views and read metadata for all tables and views in the project. Additional roles are necessary to allow the running of jobs.	bigquery.datasets.get bigquery.datasets.getIamPolicy bigquery.models.getMetadata bigquery.models.list bigquery.routines.get bigquery.routines.list bigquery.tables.get bigquery.tables.list resourcemanager.projects.get resourcemanager.projects.list	Project
`roles/bigquery.readSessionUser`	BigQuery Read Session User	Access to create and use read sessions	bigquery.readsessions.* resourcemanager.projects.get resourcemanager.projects.list
`roles/bigquery.resourceAdmin`	BigQuery Resource Admin ^Beta	Administer all BigQuery resources.	bigquery.bireservations.* bigquery.capacityCommitments.* bigquery.jobs.get bigquery.jobs.list bigquery.jobs.listAll bigquery.reservationAssignments.* bigquery.reservations.* resourcemanager.projects.get resourcemanager.projects.list
`roles/bigquery.user`	BigQuery User	Provides permissions to run jobs, including queries, within the project. The user role can enumerate their own jobs, cancel their own jobs, and enumerate datasets within a project. Additionally, allows the creation of new datasets within the project; the creator is granted the `bigquery.dataOwner` role for these new datasets.	bigquery.bireservations.get bigquery.capacityCommitments.get bigquery.capacityCommitments.list bigquery.config.get bigquery.datasets.create bigquery.datasets.get bigquery.datasets.getIamPolicy bigquery.jobs.create bigquery.jobs.list bigquery.models.list bigquery.readsessions.* bigquery.reservationAssignments.list bigquery.reservationAssignments.search bigquery.reservations.get bigquery.reservations.list bigquery.routines.list bigquery.savedqueries.get bigquery.savedqueries.list bigquery.tables.list bigquery.transfers.get resourcemanager.projects.get resourcemanager.projects.list	Project

Cloud Bigtable roles

Role	Title	Description	Permissions	Lowest resource
`roles/bigtable.admin`	Bigtable Administrator	Administers all instances within a project, including the data stored within tables. Can create new instances. Intended for project administrators.	bigtable.* monitoring.metricDescriptors.get monitoring.metricDescriptors.list monitoring.timeSeries.list resourcemanager.projects.get	Instance
`roles/bigtable.reader`	Bigtable Reader	Provides read-only access to the data stored within tables. Intended for data scientists, dashboard generators, and other data-analysis scenarios.	bigtable.appProfiles.get bigtable.appProfiles.list bigtable.clusters.get bigtable.clusters.list bigtable.instances.get bigtable.instances.list bigtable.keyvisualizer.* bigtable.locations.* bigtable.tables.checkConsistency bigtable.tables.generateConsistencyToken bigtable.tables.get bigtable.tables.list bigtable.tables.readRows bigtable.tables.sampleRowKeys monitoring.metricDescriptors.get monitoring.metricDescriptors.list monitoring.timeSeries.list resourcemanager.projects.get	Instance
`roles/bigtable.user`	Bigtable User	Provides read-write access to the data stored within tables. Intended for application developers or service accounts.	bigtable.appProfiles.get bigtable.appProfiles.list bigtable.clusters.get bigtable.clusters.list bigtable.instances.get bigtable.instances.list bigtable.keyvisualizer.* bigtable.locations.* bigtable.tables.checkConsistency bigtable.tables.generateConsistencyToken bigtable.tables.get bigtable.tables.list bigtable.tables.mutateRows bigtable.tables.readRows bigtable.tables.sampleRowKeys monitoring.metricDescriptors.get monitoring.metricDescriptors.list monitoring.timeSeries.list resourcemanager.projects.get	Instance
`roles/bigtable.viewer`	Bigtable Viewer	Provides no data access. Intended as a minimal set of permissions to access the Cloud Console for Bigtable.	bigtable.appProfiles.get bigtable.appProfiles.list bigtable.clusters.get bigtable.clusters.list bigtable.instances.get bigtable.instances.list bigtable.keyvisualizer.* bigtable.locations.* bigtable.tables.checkConsistency bigtable.tables.generateConsistencyToken bigtable.tables.get bigtable.tables.list monitoring.metricDescriptors.get monitoring.metricDescriptors.list monitoring.timeSeries.list resourcemanager.projects.get	Instance

Billing roles

Role	Title	Description	Permissions	Lowest resource
`roles/billing.admin`	Billing Account Administrator	Provides access to see and manage all aspects of billing accounts.	billing.accounts.close billing.accounts.get billing.accounts.getIamPolicy billing.accounts.getPaymentInfo billing.accounts.getSpendingInformation billing.accounts.getUsageExportSpec billing.accounts.list billing.accounts.move billing.accounts.redeemPromotion billing.accounts.removeFromOrganization billing.accounts.reopen billing.accounts.setIamPolicy billing.accounts.update billing.accounts.updatePaymentInfo billing.accounts.updateUsageExportSpec billing.budgets.* billing.credits.* billing.resourceAssociations.* billing.subscriptions.* cloudnotifications.* logging.logEntries.list logging.logServiceIndexes.* logging.logServices.* logging.logs.list logging.privateLogEntries.* resourcemanager.projects.createBillingAssignment resourcemanager.projects.deleteBillingAssignment	Billing Account
`roles/billing.creator`	Billing Account Creator	Provides access to create billing accounts.	billing.accounts.create resourcemanager.organizations.get	Project
`roles/billing.projectManager`	Project Billing Manager	Provides access to assign a project's billing account or disable its billing.	resourcemanager.projects.createBillingAssignment resourcemanager.projects.deleteBillingAssignment	Project
`roles/billing.user`	Billing Account User	Provides access to associate projects with billing accounts.	billing.accounts.get billing.accounts.getIamPolicy billing.accounts.list billing.accounts.redeemPromotion billing.credits.* billing.resourceAssociations.create	Billing Account
`roles/billing.viewer`	Billing Account Viewer	View billing account cost information and transactions.	billing.accounts.get billing.accounts.getIamPolicy billing.accounts.getPaymentInfo billing.accounts.getSpendingInformation billing.accounts.getUsageExportSpec billing.accounts.list billing.budgets.get billing.budgets.list billing.credits.* billing.resourceAssociations.list billing.subscriptions.get billing.subscriptions.list	Organization Billing Account

Binary Authorization roles

Role	Title	Description	Permissions
`roles/binaryauthorization.attestorsAdmin`	Binary Authorization Attestor Admin ^Beta	Administrator of Binary Authorization Attestors	binaryauthorization.attestors.* resourcemanager.projects.get resourcemanager.projects.list
`roles/binaryauthorization.attestorsEditor`	Binary Authorization Attestor Editor ^Beta	Editor of Binary Authorization Attestors	binaryauthorization.attestors.create binaryauthorization.attestors.delete binaryauthorization.attestors.get binaryauthorization.attestors.list binaryauthorization.attestors.update binaryauthorization.attestors.verifyImageAttested resourcemanager.projects.get resourcemanager.projects.list
`roles/binaryauthorization.attestorsVerifier`	Binary Authorization Attestor Image Verifier ^Beta	Caller of Binary Authorization Attestors VerifyImageAttested	binaryauthorization.attestors.get binaryauthorization.attestors.list binaryauthorization.attestors.verifyImageAttested resourcemanager.projects.get resourcemanager.projects.list
`roles/binaryauthorization.attestorsViewer`	Binary Authorization Attestor Viewer ^Beta	Viewer of Binary Authorization Attestors	binaryauthorization.attestors.get binaryauthorization.attestors.list resourcemanager.projects.get resourcemanager.projects.list
`roles/binaryauthorization.policyAdmin`	Binary Authorization Policy Administrator ^Beta	Administrator of Binary Authorization Policy	binaryauthorization.policy.* resourcemanager.projects.get resourcemanager.projects.list
`roles/binaryauthorization.policyEditor`	Binary Authorization Policy Editor ^Beta	Editor of Binary Authorization Policy	binaryauthorization.policy.get binaryauthorization.policy.update resourcemanager.projects.get resourcemanager.projects.list
`roles/binaryauthorization.policyViewer`	Binary Authorization Policy Viewer ^Beta	Viewer of Binary Authorization Policy	binaryauthorization.policy.get resourcemanager.projects.get resourcemanager.projects.list

Hangouts Chat roles

Role	Title	Description	Permissions	Lowest resource
`roles/chat.owner`	Chat Bots Owner	Can view and modify bot configurations	chat.*
`roles/chat.reader`	Chat Bots Viewer	Can view bot configurations	chat.bots.get

Cloud Asset roles

Role	Title	Description	Permissions	Lowest resource
`roles/cloudasset.owner`	Cloud Asset Owner	Full access to cloud assets metadata	cloudasset.*
`roles/cloudasset.viewer`	Cloud Asset Viewer	Read only access to cloud assets metadata	cloudasset.assets.*

Cloud Build roles

Role	Title	Description	Permissions	Lowest resource
`roles/cloudbuild.builds.builder`	Cloud Build Service Account	Can perform builds	artifactregistry.files.* artifactregistry.packages.get artifactregistry.packages.list artifactregistry.repositories.downloadArtifacts artifactregistry.repositories.get artifactregistry.repositories.list artifactregistry.repositories.uploadArtifacts artifactregistry.tags.create artifactregistry.tags.get artifactregistry.tags.list artifactregistry.tags.update artifactregistry.versions.get artifactregistry.versions.list cloudbuild.* logging.logEntries.create pubsub.topics.create pubsub.topics.publish remotebuildexecution.blobs.get resourcemanager.projects.get resourcemanager.projects.list source.repos.get source.repos.list storage.buckets.create storage.buckets.get storage.buckets.list storage.objects.create storage.objects.delete storage.objects.get storage.objects.list storage.objects.update
`roles/cloudbuild.builds.editor`	Cloud Build Editor	Provides access to create and cancel builds.	cloudbuild.* remotebuildexecution.blobs.get resourcemanager.projects.get resourcemanager.projects.list	Project
`roles/cloudbuild.builds.viewer`	Cloud Build Viewer	Provides access to view builds.	cloudbuild.builds.get cloudbuild.builds.list remotebuildexecution.blobs.get resourcemanager.projects.get resourcemanager.projects.list	Project

Cloud Data Fusion roles

Role	Title	Description	Permissions	Lowest resource
`roles/datafusion.admin`	Cloud Data Fusion Admin ^Beta	Full access to Cloud Data Fusion Instances and related resources.	datafusion.* resourcemanager.projects.get resourcemanager.projects.list	Project
`roles/datafusion.viewer`	Cloud Data Fusion Viewer ^Beta	Read-only access to Cloud Data Fusion Instances and related resources.	datafusion.instances.get datafusion.instances.getIamPolicy datafusion.instances.list datafusion.locations.* datafusion.operations.get datafusion.operations.list resourcemanager.projects.get resourcemanager.projects.list	Project

Cloud Debugger roles

Role	Title	Description	Permissions	Lowest resource
`roles/clouddebugger.agent`	Cloud Debugger Agent ^Beta	Provides permissions to register the debug target, read active breakpoints, and report breakpoint results.	clouddebugger.breakpoints.list clouddebugger.breakpoints.listActive clouddebugger.breakpoints.update clouddebugger.debuggees.create	Service Account
`roles/clouddebugger.user`	Cloud Debugger User ^Beta	Provides permissions to create, view, list, and delete breakpoints (snapshots & logpoints) as well as list debug targets (debuggees).	clouddebugger.breakpoints.create clouddebugger.breakpoints.delete clouddebugger.breakpoints.get clouddebugger.breakpoints.list clouddebugger.debuggees.list	Project

Cloud Functions roles

Role	Title	Description	Permissions
`roles/cloudfunctions.admin`	Cloud Functions Admin ^Beta	Full access to functions, operations and locations.	cloudfunctions.* resourcemanager.projects.get serviceusage.quotas.get serviceusage.services.get serviceusage.services.list
`roles/cloudfunctions.developer`	Cloud Functions Developer ^Beta	Read and write access to all functions-related resources.	cloudfunctions.functions.call cloudfunctions.functions.create cloudfunctions.functions.delete cloudfunctions.functions.get cloudfunctions.functions.invoke cloudfunctions.functions.list cloudfunctions.functions.sourceCodeGet cloudfunctions.functions.sourceCodeSet cloudfunctions.functions.update cloudfunctions.locations.* cloudfunctions.operations.* resourcemanager.projects.get serviceusage.quotas.get serviceusage.services.get serviceusage.services.list
`roles/cloudfunctions.invoker`	Cloud Functions Invoker ^Beta	Ability to invoke HTTP functions with restricted access.	cloudfunctions.functions.invoke
`roles/cloudfunctions.viewer`	Cloud Functions Viewer ^Beta	Read-only access to functions and locations.	cloudfunctions.functions.get cloudfunctions.functions.list cloudfunctions.locations.* cloudfunctions.operations.* resourcemanager.projects.get serviceusage.quotas.get serviceusage.services.get serviceusage.services.list

Cloud IAP roles

Role	Title	Description	Permissions	Lowest resource
`roles/iap.admin`	IAP Policy Admin	Provides full access to Identity-Aware Proxy resources.	iap.tunnel.* iap.tunnelInstances.getIamPolicy iap.tunnelInstances.setIamPolicy iap.tunnelZones.* iap.web.getIamPolicy iap.web.setIamPolicy iap.webServiceVersions.getIamPolicy iap.webServiceVersions.setIamPolicy iap.webServices.getIamPolicy iap.webServices.setIamPolicy iap.webTypes.getIamPolicy iap.webTypes.setIamPolicy	Project
`roles/iap.httpsResourceAccessor`	IAP-secured Web App User	Provides permission to access HTTPS resources which use Identity-Aware Proxy.	iap.webServiceVersions.accessViaIAP	Project
`roles/iap.settingsAdmin`	IAP Settings Admin	Administrator of IAP Settings.	iap.projects.* iap.web.getSettings iap.web.updateSettings iap.webServiceVersions.getSettings iap.webServiceVersions.updateSettings iap.webServices.getSettings iap.webServices.updateSettings iap.webTypes.getSettings iap.webTypes.updateSettings
`roles/iap.tunnelResourceAccessor`	IAP-secured Tunnel User	Access Tunnel resources which use Identity-Aware Proxy	iap.tunnelInstances.accessViaIAP

Cloud IoT roles

Role	Title	Description	Permissions	Lowest resource
`roles/cloudiot.admin`	Cloud IoT Admin	Full control of all Cloud IoT resources and permissions.	cloudiot.* cloudiottoken.*	Device
`roles/cloudiot.deviceController`	Cloud IoT Device Controller	Access to update the configuration of devices, but not to create or delete devices.	cloudiot.devices.get cloudiot.devices.list cloudiot.devices.sendCommand cloudiot.devices.updateConfig cloudiot.registries.get cloudiot.registries.list cloudiottoken.tokensettings.get	Device
`roles/cloudiot.editor`	Cloud IoT Editor	Read-write access to all Cloud IoT resources.	cloudiot.devices.* cloudiot.registries.create cloudiot.registries.delete cloudiot.registries.get cloudiot.registries.list cloudiot.registries.update cloudiottoken.*	Device
`roles/cloudiot.provisioner`	Cloud IoT Provisioner	Access to create and delete devices from registries, but not to modify the registries.	cloudiot.devices.* cloudiot.registries.get cloudiot.registries.list cloudiottoken.tokensettings.get	Device
`roles/cloudiot.viewer`	Cloud IoT Viewer	Read-only access to all Cloud IoT resources.	cloudiot.devices.get cloudiot.devices.list cloudiot.registries.get cloudiot.registries.list cloudiottoken.tokensettings.get	Device

Cloud Talent Solution roles

Role	Title	Description	Permissions
`roles/cloudjobdiscovery.admin`	Admin	Access to Cloud Job Discovery Self-Service Tools	cloudjobdiscovery.tools.* iam.serviceAccounts.list resourcemanager.projects.get resourcemanager.projects.list
`roles/cloudjobdiscovery.jobsEditor`	Job Editor	Write access to all Cloud Job Discovery data.	cloudjobdiscovery.companies.* cloudjobdiscovery.events.* cloudjobdiscovery.jobs.* resourcemanager.projects.get resourcemanager.projects.list
`roles/cloudjobdiscovery.jobsViewer`	Job Viewer	Read access to all Cloud Job Discovery data.	cloudjobdiscovery.companies.get cloudjobdiscovery.companies.list cloudjobdiscovery.jobs.get cloudjobdiscovery.jobs.search resourcemanager.projects.get resourcemanager.projects.list
`roles/cloudjobdiscovery.profilesEditor`	Profile Editor	Write access to all profile data in Cloud Talent Solution.	cloudjobdiscovery.events.* cloudjobdiscovery.profiles.* cloudjobdiscovery.tenants.* resourcemanager.projects.get resourcemanager.projects.list
`roles/cloudjobdiscovery.profilesViewer`	Profile Viewer	Read access to all profile data in Cloud Talent Solution.	cloudjobdiscovery.profiles.get cloudjobdiscovery.profiles.search cloudjobdiscovery.tenants.get resourcemanager.projects.get resourcemanager.projects.list

Cloud KMS roles

Role	Title	Description	Permissions	Lowest resource
`roles/cloudkms.admin`	Cloud KMS Admin	Provides full access to Cloud KMS resources, except encrypt and decrypt operations.	cloudkms.cryptoKeyVersions.create cloudkms.cryptoKeyVersions.destroy cloudkms.cryptoKeyVersions.get cloudkms.cryptoKeyVersions.list cloudkms.cryptoKeyVersions.restore cloudkms.cryptoKeyVersions.update cloudkms.cryptoKeys.* cloudkms.importJobs.* cloudkms.keyRings.* resourcemanager.projects.get	CryptoKey
`roles/cloudkms.cryptoKeyDecrypter`	Cloud KMS CryptoKey Decrypter	Provides ability to use Cloud KMS resources for decrypt operations only.	cloudkms.cryptoKeyVersions.useToDecrypt resourcemanager.projects.get	CryptoKey
`roles/cloudkms.cryptoKeyEncrypter`	Cloud KMS CryptoKey Encrypter	Provides ability to use Cloud KMS resources for encrypt operations only.	cloudkms.cryptoKeyVersions.useToEncrypt resourcemanager.projects.get	CryptoKey
`roles/cloudkms.cryptoKeyEncrypterDecrypter`	Cloud KMS CryptoKey Encrypter/Decrypter	Provides ability to use Cloud KMS resources for encrypt and decrypt operations only.	cloudkms.cryptoKeyVersions.useToDecrypt cloudkms.cryptoKeyVersions.useToEncrypt resourcemanager.projects.get	CryptoKey
`roles/cloudkms.importer`	Cloud KMS Importer	Enables ImportCryptoKeyVersion, CreateImportJob, ListImportJobs, and GetImportJob operations	cloudkms.importJobs.create cloudkms.importJobs.get cloudkms.importJobs.list cloudkms.importJobs.useToImport resourcemanager.projects.get
`roles/cloudkms.publicKeyViewer`	Cloud KMS CryptoKey Public Key Viewer	Enables GetPublicKey operations	cloudkms.cryptoKeyVersions.viewPublicKey resourcemanager.projects.get
`roles/cloudkms.signer`	Cloud KMS CryptoKey Signer	Enables the AsymmetricSign operation	cloudkms.cryptoKeyVersions.useToSign resourcemanager.projects.get
`roles/cloudkms.signerVerifier`	Cloud KMS CryptoKey Signer/Verifier	Enables AsymmetricSign, and GetPublicKey operations	cloudkms.cryptoKeyVersions.useToSign cloudkms.cryptoKeyVersions.viewPublicKey resourcemanager.projects.get

Cloud Migration roles

Role	Title	Description	Permissions
`roles/cloudmigration.inframanager`	Velostrata Manager ^Beta	Ability to create and manage Compute VMs to run Velostrata Infrastructure	cloudmigration.* compute.addresses.* compute.diskTypes.* compute.disks.create compute.disks.createSnapshot compute.disks.delete compute.disks.get compute.disks.list compute.disks.setLabels compute.disks.update compute.disks.use compute.disks.useReadOnly compute.globalOperations.get compute.images.get compute.images.list compute.images.useReadOnly compute.instances.attachDisk compute.instances.create compute.instances.delete compute.instances.detachDisk compute.instances.get compute.instances.getSerialPortOutput compute.instances.list compute.instances.reset compute.instances.setDiskAutoDelete compute.instances.setLabels compute.instances.setMachineType compute.instances.setMetadata compute.instances.setMinCpuPlatform compute.instances.setScheduling compute.instances.setServiceAccount compute.instances.setTags compute.instances.start compute.instances.startWithEncryptionKey compute.instances.stop compute.instances.updateNetworkInterface compute.instances.updateShieldedInstanceConfig compute.instances.use compute.licenseCodes.get compute.licenseCodes.list compute.licenseCodes.update compute.licenseCodes.use compute.licenses.get compute.licenses.list compute.machineTypes.* compute.networks.get compute.networks.list compute.networks.use compute.networks.useExternalIp compute.nodeGroups.get compute.nodeGroups.list compute.nodeTemplates.list compute.projects.get compute.regionOperations.get compute.regions.* compute.snapshots.create compute.snapshots.delete compute.snapshots.get compute.snapshots.setLabels compute.snapshots.useReadOnly compute.subnetworks.get compute.subnetworks.list compute.subnetworks.use compute.subnetworks.useExternalIp compute.zoneOperations.get compute.zones.* gkehub.endpoints.* iam.serviceAccounts.get iam.serviceAccounts.list resourcemanager.projects.get storage.buckets.create storage.buckets.delete storage.buckets.get storage.buckets.list storage.buckets.update
`roles/cloudmigration.storageaccess`	Velostrata Storage Access ^Beta	Ability to access migration storage	storage.objects.create storage.objects.delete storage.objects.get storage.objects.list storage.objects.update
`roles/cloudmigration.velostrataconnect`	Velostrata Manager Connection Agent ^Beta	Ability to set up connection between Velostrata Manager and Google	cloudmigration.* gkehub.endpoints.*
`roles/vmmigration.admin`	VM Migration Administrator ^Beta	Ability to view and edit all VM Migration objects	vmmigration.*
`roles/vmmigration.viewer`	VM Migration Viewer ^Beta	Ability to view all VM Migration objects	vmmigration.deployments.get vmmigration.deployments.list

Cloud Private Catalog roles

Role	Title	Description	Permissions
`roles/cloudprivatecatalog.consumer`	Catalog Consumer ^Beta	Can browse catalogs in the target resource context.	cloudprivatecatalog.*
`roles/cloudprivatecatalogproducer.admin`	Catalog Admin ^Beta	Can manage catalog and view its associations.	cloudprivatecatalogproducer.associations.* cloudprivatecatalogproducer.catalogs.* resourcemanager.folders.get resourcemanager.folders.list resourcemanager.organizations.get
`roles/cloudprivatecatalogproducer.manager`	Catalog Manager ^Beta	Can manage associations between a catalog and a target resource.	cloudprivatecatalog.* cloudprivatecatalogproducer.associations.* cloudprivatecatalogproducer.catalogs.get cloudprivatecatalogproducer.catalogs.list cloudprivatecatalogproducer.targets.* resourcemanager.folders.get resourcemanager.folders.list resourcemanager.organizations.get

Stackdriver Profiler roles

Role	Title	Description	Permissions	Lowest resource
`roles/cloudprofiler.agent`	Stackdriver Profiler Agent ^Beta	Stackdriver Profiler agents are allowed to register and provide the profiling data.	cloudprofiler.profiles.create cloudprofiler.profiles.update
`roles/cloudprofiler.user`	Stackdriver Profiler User ^Beta	Stackdriver Profiler users are allowed to query and view the profiling data.	cloudprofiler.profiles.list resourcemanager.projects.get resourcemanager.projects.list serviceusage.quotas.get serviceusage.services.get serviceusage.services.list

Cloud Scheduler roles

Role	Title	Description	Permissions
`roles/cloudscheduler.admin`	Cloud Scheduler Admin ^Beta	Full access to jobs and executions.	appengine.applications.get cloudscheduler.* resourcemanager.projects.get resourcemanager.projects.list serviceusage.services.get serviceusage.services.list
`roles/cloudscheduler.jobRunner`	Cloud Scheduler Job Runner ^Beta	Access to run jobs.	appengine.applications.get cloudscheduler.jobs.fullView cloudscheduler.jobs.run resourcemanager.projects.get resourcemanager.projects.list serviceusage.services.get serviceusage.services.list
`roles/cloudscheduler.viewer`	Cloud Scheduler Viewer ^Beta	Get and list access to jobs, executions, and locations.	appengine.applications.get cloudscheduler.jobs.fullView cloudscheduler.jobs.get cloudscheduler.jobs.list cloudscheduler.locations.* resourcemanager.projects.get resourcemanager.projects.list serviceusage.services.get serviceusage.services.list

Cloud Security Scanner roles

Role	Title	Description	Permissions	Lowest resource
`roles/cloudsecurityscanner.editor`	Web Security Scanner Editor	Full access to all Cloud Security Scanner resources	appengine.applications.get cloudsecurityscanner.* compute.addresses.list resourcemanager.projects.get resourcemanager.projects.list serviceusage.quotas.get serviceusage.services.get serviceusage.services.list	Project
`roles/cloudsecurityscanner.runner`	Web Security Scanner Runner	Read access to Scan and ScanRun, plus the ability to start scans	cloudsecurityscanner.crawledurls.* cloudsecurityscanner.scanruns.get cloudsecurityscanner.scanruns.list cloudsecurityscanner.scanruns.stop cloudsecurityscanner.scans.get cloudsecurityscanner.scans.list cloudsecurityscanner.scans.run	Project
`roles/cloudsecurityscanner.viewer`	Web Security Scanner Viewer	Read access to all Cloud Security Scanner resources	cloudsecurityscanner.crawledurls.* cloudsecurityscanner.results.* cloudsecurityscanner.scanruns.get cloudsecurityscanner.scanruns.getSummary cloudsecurityscanner.scanruns.list cloudsecurityscanner.scans.get cloudsecurityscanner.scans.list serviceusage.quotas.get serviceusage.services.get serviceusage.services.list	Project

Cloud Services roles

Role	Title	Description	Permissions	Lowest resource
`roles/servicebroker.admin`	Service Broker Admin ^Beta	Full access to ServiceBroker resources.	servicebroker.*
`roles/servicebroker.operator`	Service Broker Operator ^Beta	Operational access to the ServiceBroker resources.	servicebroker.bindingoperations.* servicebroker.bindings.create servicebroker.bindings.delete servicebroker.bindings.get servicebroker.bindings.list servicebroker.catalogs.create servicebroker.catalogs.delete servicebroker.catalogs.get servicebroker.catalogs.list servicebroker.instanceoperations.* servicebroker.instances.create servicebroker.instances.delete servicebroker.instances.get servicebroker.instances.list servicebroker.instances.update

Cloud SQL roles

Role	Title	Description	Permissions	Lowest resource
`roles/cloudsql.admin`	Cloud SQL Admin	Provides full control of Cloud SQL resources.	cloudsql.* resourcemanager.projects.get resourcemanager.projects.list serviceusage.quotas.get serviceusage.services.get serviceusage.services.list	Project
`roles/cloudsql.client`	Cloud SQL Client	Provides connectivity access to Cloud SQL instances.	cloudsql.instances.connect cloudsql.instances.get	Project
`roles/cloudsql.editor`	Cloud SQL Editor	Provides full control of existing Cloud SQL instances excluding modifying users, SSL certificates or deleting resources.	cloudsql.backupRuns.create cloudsql.backupRuns.get cloudsql.backupRuns.list cloudsql.databases.create cloudsql.databases.get cloudsql.databases.list cloudsql.databases.update cloudsql.instances.addServerCa cloudsql.instances.connect cloudsql.instances.export cloudsql.instances.failover cloudsql.instances.get cloudsql.instances.list cloudsql.instances.listServerCas cloudsql.instances.restart cloudsql.instances.rotateServerCa cloudsql.instances.truncateLog cloudsql.instances.update cloudsql.sslCerts.get cloudsql.sslCerts.list cloudsql.users.list resourcemanager.projects.get resourcemanager.projects.list serviceusage.quotas.get serviceusage.services.get serviceusage.services.list	Project
`roles/cloudsql.viewer`	Cloud SQL Viewer	Provides read-only access to Cloud SQL resources.	cloudsql.backupRuns.get cloudsql.backupRuns.list cloudsql.databases.get cloudsql.databases.list cloudsql.instances.export cloudsql.instances.get cloudsql.instances.list cloudsql.instances.listServerCas cloudsql.sslCerts.get cloudsql.sslCerts.list cloudsql.users.list resourcemanager.projects.get resourcemanager.projects.list serviceusage.quotas.get serviceusage.services.get serviceusage.services.list	Project

Cloud Tasks roles

Role	Title	Description	Permissions
`roles/cloudtasks.admin`	Cloud Tasks Admin ^Beta	Full access to queues and tasks.	cloudtasks.* resourcemanager.projects.get resourcemanager.projects.list
`roles/cloudtasks.enqueuer`	Cloud Tasks Enqueuer ^Beta	Access to create tasks.	cloudtasks.tasks.create cloudtasks.tasks.fullView resourcemanager.projects.get resourcemanager.projects.list
`roles/cloudtasks.queueAdmin`	Cloud Tasks Queue Admin ^Beta	Admin access to queues.	cloudtasks.locations.* cloudtasks.queues.* resourcemanager.projects.get resourcemanager.projects.list
`roles/cloudtasks.taskDeleter`	Cloud Tasks Task Deleter ^Beta	Access to delete tasks.	cloudtasks.tasks.delete resourcemanager.projects.get resourcemanager.projects.list
`roles/cloudtasks.taskRunner`	Cloud Tasks Task Runner ^Beta	Access to run tasks.	cloudtasks.tasks.fullView cloudtasks.tasks.run resourcemanager.projects.get resourcemanager.projects.list
`roles/cloudtasks.viewer`	Cloud Tasks Viewer ^Beta	Get and list access to tasks, queues, and locations.	cloudtasks.locations.* cloudtasks.queues.get cloudtasks.queues.list cloudtasks.tasks.fullView cloudtasks.tasks.get cloudtasks.tasks.list resourcemanager.projects.get resourcemanager.projects.list

Cloud Trace roles

Role	Title	Description	Permissions	Lowest resource
`roles/cloudtrace.admin`	Cloud Trace Admin	Provides full access to the Trace console and read-write access to traces.	cloudtrace.* resourcemanager.projects.get resourcemanager.projects.list	Project
`roles/cloudtrace.agent`	Cloud Trace Agent	For service accounts. Provides ability to write traces by sending the data to Stackdriver Trace.	cloudtrace.traces.patch	Project
`roles/cloudtrace.user`	Cloud Trace User	Provides full access to the Trace console and read access to traces.	cloudtrace.insights.* cloudtrace.stats.* cloudtrace.tasks.* cloudtrace.traces.get cloudtrace.traces.list resourcemanager.projects.get resourcemanager.projects.list	Project

Cloud Translation roles

Role	Title	Description	Permissions
`roles/cloudtranslate.admin`	Cloud Translation API Admin	Full access to all Cloud Translation resources	automl.models.get automl.models.predict cloudtranslate.* resourcemanager.projects.get resourcemanager.projects.list
`roles/cloudtranslate.editor`	Cloud Translation API Editor	Editor of all Cloud Translation resources	automl.models.get automl.models.predict cloudtranslate.* resourcemanager.projects.get resourcemanager.projects.list
`roles/cloudtranslate.user`	Cloud Translation API User	User of Cloud Translation and AutoML models	automl.models.get automl.models.predict cloudtranslate.generalModels.* cloudtranslate.glossaries.batchPredict cloudtranslate.glossaries.get cloudtranslate.glossaries.list cloudtranslate.glossaries.predict cloudtranslate.languageDetectionModels.* cloudtranslate.locations.* cloudtranslate.operations.get cloudtranslate.operations.list cloudtranslate.operations.wait resourcemanager.projects.get resourcemanager.projects.list
`roles/cloudtranslate.viewer`	Cloud Translation API Viewer	Viewer of all Translation resources	automl.models.get cloudtranslate.generalModels.get cloudtranslate.glossaries.get cloudtranslate.glossaries.list cloudtranslate.locations.* cloudtranslate.operations.get cloudtranslate.operations.list cloudtranslate.operations.wait resourcemanager.projects.get resourcemanager.projects.list

Codelab API Keys roles

Role	Title	Description	Permissions
`roles/codelabapikeys.admin`	Codelab ApiKeys Admin ^Beta	Full access to API keys	resourcemanager.projects.get resourcemanager.projects.list
`roles/codelabapikeys.editor`	Codelab API Keys Editor ^Beta	This role can view and edit all properties of API keys.	resourcemanager.projects.get resourcemanager.projects.list
`roles/codelabapikeys.viewer`	Codelab API Keys Viewer ^Beta	This role can view all properties except change history of API keys.	resourcemanager.projects.get resourcemanager.projects.list

Cloud Composer roles

Role	Title	Description	Permissions	Lowest resource
`roles/composer.admin`	Composer Administrator	Provides full control of Cloud Composer resources.	composer.* serviceusage.quotas.get serviceusage.services.get serviceusage.services.list	Project
`roles/composer.environmentAndStorageObjectAdmin`	Environment and Storage Object Administrator	Provides full control of Cloud Composer resources and of the objects in all project buckets.	composer.* resourcemanager.projects.get resourcemanager.projects.list serviceusage.quotas.get serviceusage.services.get serviceusage.services.list storage.objects.*	Project
`roles/composer.environmentAndStorageObjectViewer`	Environment User and Storage Object Viewer	Provides the permissions nessesary to list and get Cloud Composer environments and operations. Provides read-only access to objects in all project buckets.	composer.environments.get composer.environments.list composer.imageversions.* composer.operations.get composer.operations.list resourcemanager.projects.get resourcemanager.projects.list serviceusage.quotas.get serviceusage.services.get serviceusage.services.list storage.objects.get storage.objects.list	Project
`roles/composer.user`	Composer User	Provides the permissions necessary to list and get Cloud Composer environments and operations.	composer.environments.get composer.environments.list composer.imageversions.* composer.operations.get composer.operations.list serviceusage.quotas.get serviceusage.services.get serviceusage.services.list	Project
`roles/composer.worker`	Composer Worker	Provides the permissions necessary to run a Cloud Composer environment VM. Intended for service accounts.	artifactregistry.files.* artifactregistry.packages.get artifactregistry.packages.list artifactregistry.repositories.downloadArtifacts artifactregistry.repositories.get artifactregistry.repositories.list artifactregistry.repositories.uploadArtifacts artifactregistry.tags.create artifactregistry.tags.get artifactregistry.tags.list artifactregistry.tags.update artifactregistry.versions.get artifactregistry.versions.list cloudbuild.* container.* logging.logEntries.create monitoring.metricDescriptors.create monitoring.metricDescriptors.get monitoring.metricDescriptors.list monitoring.monitoredResourceDescriptors.* monitoring.timeSeries.create pubsub.snapshots.create pubsub.snapshots.delete pubsub.snapshots.get pubsub.snapshots.list pubsub.snapshots.seek pubsub.snapshots.update pubsub.subscriptions.consume pubsub.subscriptions.create pubsub.subscriptions.delete pubsub.subscriptions.get pubsub.subscriptions.list pubsub.subscriptions.update pubsub.topics.attachSubscription pubsub.topics.create pubsub.topics.delete pubsub.topics.get pubsub.topics.list pubsub.topics.publish pubsub.topics.update pubsub.topics.updateTag remotebuildexecution.blobs.get resourcemanager.projects.get resourcemanager.projects.list serviceusage.quotas.get serviceusage.services.get serviceusage.services.list source.repos.get source.repos.list storage.buckets.create storage.buckets.get storage.buckets.list storage.objects.*	Project

Compute Engine roles

Role	Title	Description	Permissions	Lowest resource
`roles/compute.admin`	Compute Admin	Full control of all Compute Engine resources. If the user will be managing virtual machine instances that are configured to run as a service account, you must also grant the `roles/iam.serviceAccountUser` role.	compute.* resourcemanager.projects.get resourcemanager.projects.list serviceusage.quotas.get serviceusage.services.get serviceusage.services.list	Disk, image, instance, instanceTemplate, nodeGroup, nodeTemplate, snapshot ^Beta
`roles/compute.imageUser`	Compute Image User	Permission to list and read images without having other permissions on the image. Granting the `compute.imageUser` role at the project level gives users the ability to list all images in the project and create resources, such as instances and persistent disks, based on images in the project.	compute.images.get compute.images.getFromFamily compute.images.list compute.images.useReadOnly resourcemanager.projects.get resourcemanager.projects.list serviceusage.quotas.get serviceusage.services.get serviceusage.services.list	Image^Beta
`roles/compute.instanceAdmin`	Compute Instance Admin (beta)	Permissions to create, modify, and delete virtual machine instances. This includes permissions to create, modify, and delete disks, and also to configure Shielded VM^BETA settings. If the user will be managing virtual machine instances that are configured to run as a service account, you must also grant the `roles/iam.serviceAccountUser` role. For example, if your company has someone who manages groups of virtual machine instances but does not manage network or security settings and does not manage instances that run as service accounts, you can grant this role on the organization, folder, or project that contains the instances, or you can grant it on individual instances.	compute.acceleratorTypes.* compute.addresses.get compute.addresses.list compute.addresses.use compute.autoscalers.* compute.diskTypes.* compute.disks.create compute.disks.createSnapshot compute.disks.delete compute.disks.get compute.disks.list compute.disks.resize compute.disks.setLabels compute.disks.update compute.disks.use compute.disks.useReadOnly compute.globalAddresses.get compute.globalAddresses.list compute.globalAddresses.use compute.globalOperations.get compute.globalOperations.list compute.images.get compute.images.getFromFamily compute.images.list compute.images.useReadOnly compute.instanceGroupManagers.* compute.instanceGroups.* compute.instanceTemplates.* compute.instances.* compute.licenses.get compute.licenses.list compute.machineTypes.* compute.networkEndpointGroups.* compute.networks.get compute.networks.list compute.networks.use compute.networks.useExternalIp compute.projects.get compute.regionOperations.get compute.regionOperations.list compute.regions.* compute.reservations.get compute.reservations.list compute.subnetworks.get compute.subnetworks.list compute.subnetworks.use compute.subnetworks.useExternalIp compute.targetPools.get compute.targetPools.list compute.zoneOperations.get compute.zoneOperations.list compute.zones.* resourcemanager.projects.get resourcemanager.projects.list serviceusage.quotas.get serviceusage.services.get serviceusage.services.list	Disk, image, instance, instanceTemplate, snapshot ^Beta
`roles/compute.instanceAdmin.v1`	Compute Instance Admin (v1)	Full control of Compute Engine instances, instance groups, disks, snapshots, and images. Read access to all Compute Engine networking resources. If you grant a user this role only at an instance level, then that user cannot create new instances.	compute.acceleratorTypes.* compute.addresses.get compute.addresses.list compute.addresses.use compute.autoscalers.* compute.backendBuckets.get compute.backendBuckets.list compute.backendServices.get compute.backendServices.list compute.diskTypes.* compute.disks.* compute.externalVpnGateways.get compute.externalVpnGateways.list compute.firewalls.get compute.firewalls.list compute.forwardingRules.get compute.forwardingRules.list compute.globalAddresses.get compute.globalAddresses.list compute.globalAddresses.use compute.globalForwardingRules.get compute.globalForwardingRules.list compute.globalOperations.get compute.globalOperations.list compute.healthChecks.get compute.healthChecks.list compute.httpHealthChecks.get compute.httpHealthChecks.list compute.httpsHealthChecks.get compute.httpsHealthChecks.list compute.images.* compute.instanceGroupManagers.* compute.instanceGroups.* compute.instanceTemplates.* compute.instances.* compute.interconnectAttachments.get compute.interconnectAttachments.list compute.interconnectLocations.* compute.interconnects.get compute.interconnects.list compute.licenseCodes.* compute.licenses.* compute.machineTypes.* compute.networkEndpointGroups.* compute.networks.get compute.networks.list compute.networks.use compute.networks.useExternalIp compute.projects.get compute.projects.setCommonInstanceMetadata compute.regionBackendServices.get compute.regionBackendServices.list compute.regionHealthCheckServices.get compute.regionHealthCheckServices.list compute.regionNotificationEndpoints.get compute.regionNotificationEndpoints.list compute.regionOperations.get compute.regionOperations.list compute.regions.* compute.reservations.get compute.reservations.list compute.resourcePolicies.* compute.routers.get compute.routers.list compute.routes.get compute.routes.list compute.snapshots.* compute.sslCertificates.get compute.sslCertificates.list compute.sslPolicies.get compute.sslPolicies.list compute.sslPolicies.listAvailableFeatures compute.subnetworks.get compute.subnetworks.list compute.subnetworks.use compute.subnetworks.useExternalIp compute.targetHttpProxies.get compute.targetHttpProxies.list compute.targetHttpsProxies.get compute.targetHttpsProxies.list compute.targetInstances.get compute.targetInstances.list compute.targetPools.get compute.targetPools.list compute.targetSslProxies.get compute.targetSslProxies.list compute.targetTcpProxies.get compute.targetTcpProxies.list compute.targetVpnGateways.get compute.targetVpnGateways.list compute.urlMaps.get compute.urlMaps.list compute.vpnGateways.get compute.vpnGateways.list compute.vpnTunnels.get compute.vpnTunnels.list compute.zoneOperations.get compute.zoneOperations.list compute.zones.* resourcemanager.projects.get resourcemanager.projects.list serviceusage.quotas.get serviceusage.services.get serviceusage.services.list
`roles/compute.loadBalancerAdmin`	Compute Load Balancer Admin ^Beta	Permissions to create, modify, and delete load balancers and associate resources. For example, if your company has a load balancing team that manages load balancers, SSL certificates for load balancers, SSL policies, and other load balancing resources, and a separate networking team that manages the rest of the networking resources, then grant the load balancing team's group the `loadBalancerAdmin` role.	compute.addresses.* compute.backendBuckets.* compute.backendServices.* compute.forwardingRules.* compute.globalAddresses.* compute.globalForwardingRules.* compute.healthChecks.* compute.httpHealthChecks.* compute.httpsHealthChecks.* compute.instanceGroups.* compute.instances.get compute.instances.list compute.instances.use compute.networkEndpointGroups.* compute.networks.get compute.networks.list compute.networks.use compute.projects.get compute.regionBackendServices.* compute.regionHealthCheckServices.* compute.regionNotificationEndpoints.* compute.securityPolicies.get compute.securityPolicies.list compute.securityPolicies.use compute.sslCertificates.* compute.sslPolicies.* compute.subnetworks.get compute.subnetworks.list compute.subnetworks.use compute.targetHttpProxies.* compute.targetHttpsProxies.* compute.targetInstances.* compute.targetPools.* compute.targetSslProxies.* compute.targetTcpProxies.* compute.urlMaps.* resourcemanager.projects.get resourcemanager.projects.list serviceusage.quotas.get serviceusage.services.get serviceusage.services.list	Instance^Beta
`roles/compute.networkAdmin`	Compute Network Admin	Permissions to create, modify, and delete networking resources, except for firewall rules and SSL certificates. The network admin role allows read-only access to firewall rules, SSL certificates, and instances (to view their ephemeral IP addresses). The network admin role does not allow a user to create, start, stop, or delete instances. For example, if your company has a security team that manages firewalls and SSL certificates and a networking team that manages the rest of the networking resources, then grant the networking team's group the `networkAdmin` role.	compute.acceleratorTypes.* compute.addresses.* compute.autoscalers.get compute.autoscalers.list compute.backendBuckets.* compute.backendServices.* compute.externalVpnGateways.* compute.firewalls.get compute.firewalls.list compute.forwardingRules.* compute.globalAddresses.* compute.globalForwardingRules.* compute.globalOperations.get compute.globalOperations.list compute.healthChecks.* compute.httpHealthChecks.* compute.httpsHealthChecks.* compute.instanceGroupManagers.get compute.instanceGroupManagers.list compute.instanceGroupManagers.update compute.instanceGroupManagers.use compute.instanceGroups.get compute.instanceGroups.list compute.instanceGroups.update compute.instanceGroups.use compute.instances.get compute.instances.getGuestAttributes compute.instances.getScreenshot compute.instances.getSerialPortOutput compute.instances.list compute.instances.listReferrers compute.instances.use compute.interconnectAttachments.* compute.interconnectLocations.* compute.interconnects.* compute.machineTypes.* compute.networkEndpointGroups.get compute.networkEndpointGroups.list compute.networkEndpointGroups.use compute.networks.* compute.projects.get compute.regionBackendServices.* compute.regionHealthCheckServices.* compute.regionNotificationEndpoints.* compute.regionOperations.get compute.regionOperations.list compute.regions.* compute.routers.* compute.routes.* compute.securityPolicies.get compute.securityPolicies.list compute.securityPolicies.use compute.sslCertificates.get compute.sslCertificates.list compute.sslPolicies.* compute.subnetworks.* compute.targetHttpProxies.* compute.targetHttpsProxies.* compute.targetInstances.* compute.targetPools.* compute.targetSslProxies.* compute.targetTcpProxies.* compute.targetVpnGateways.* compute.urlMaps.* compute.vpnGateways.* compute.vpnTunnels.* compute.zoneOperations.get compute.zoneOperations.list compute.zones.* resourcemanager.projects.get resourcemanager.projects.list servicenetworking.operations.get servicenetworking.services.addPeering servicenetworking.services.get serviceusage.quotas.get serviceusage.services.get serviceusage.services.list	Instance^Beta
`roles/compute.networkUser`	Compute Network User	Provides access to a shared VPC network Once granted, service owners can use VPC networks and subnets that belong to the host project. For example, a network user can create a VM instance that belongs to a host project network but they cannot delete or create new networks in the host project.	compute.addresses.createInternal compute.addresses.deleteInternal compute.addresses.get compute.addresses.list compute.addresses.useInternal compute.externalVpnGateways.get compute.externalVpnGateways.list compute.externalVpnGateways.use compute.firewalls.get compute.firewalls.list compute.interconnectAttachments.get compute.interconnectAttachments.list compute.interconnectLocations.* compute.interconnects.get compute.interconnects.list compute.interconnects.use compute.networks.access compute.networks.get compute.networks.list compute.networks.listPeeringRoutes compute.networks.use compute.networks.useExternalIp compute.projects.get compute.regions.* compute.routers.get compute.routers.list compute.routes.get compute.routes.list compute.subnetworks.get compute.subnetworks.list compute.subnetworks.use compute.subnetworks.useExternalIp compute.targetVpnGateways.get compute.targetVpnGateways.list compute.vpnGateways.get compute.vpnGateways.list compute.vpnGateways.use compute.vpnTunnels.get compute.vpnTunnels.list compute.zones.* resourcemanager.projects.get resourcemanager.projects.list servicenetworking.services.get serviceusage.quotas.get serviceusage.services.get serviceusage.services.list	Project
`roles/compute.networkViewer`	Compute Network Viewer	Read-only access to all networking resources For example, if you have software that inspects your network configuration, you could grant that software's service account the `networkViewer` role.	compute.acceleratorTypes.* compute.addresses.get compute.addresses.list compute.autoscalers.get compute.autoscalers.list compute.backendBuckets.get compute.backendBuckets.list compute.backendServices.get compute.backendServices.list compute.firewalls.get compute.firewalls.list compute.forwardingRules.get compute.forwardingRules.list compute.globalAddresses.get compute.globalAddresses.list compute.globalForwardingRules.get compute.globalForwardingRules.list compute.healthChecks.get compute.healthChecks.list compute.httpHealthChecks.get compute.httpHealthChecks.list compute.httpsHealthChecks.get compute.httpsHealthChecks.list compute.instanceGroupManagers.get compute.instanceGroupManagers.list compute.instanceGroups.get compute.instanceGroups.list compute.instances.get compute.instances.getGuestAttributes compute.instances.getScreenshot compute.instances.getSerialPortOutput compute.instances.list compute.instances.listReferrers compute.interconnectAttachments.get compute.interconnectAttachments.list compute.interconnectLocations.* compute.interconnects.get compute.interconnects.list compute.machineTypes.* compute.networks.get compute.networks.list compute.networks.listPeeringRoutes compute.projects.get compute.regionBackendServices.get compute.regionBackendServices.list compute.regionHealthCheckServices.get compute.regionHealthCheckServices.list compute.regionNotificationEndpoints.get compute.regionNotificationEndpoints.list compute.regions.* compute.routers.get compute.routers.list compute.routes.get compute.routes.list compute.sslCertificates.get compute.sslCertificates.list compute.sslPolicies.get compute.sslPolicies.list compute.sslPolicies.listAvailableFeatures compute.subnetworks.get compute.subnetworks.list compute.targetHttpProxies.get compute.targetHttpProxies.list compute.targetHttpsProxies.get compute.targetHttpsProxies.list compute.targetInstances.get compute.targetInstances.list compute.targetPools.get compute.targetPools.list compute.targetSslProxies.get compute.targetSslProxies.list compute.targetTcpProxies.get compute.targetTcpProxies.list compute.targetVpnGateways.get compute.targetVpnGateways.list compute.urlMaps.get compute.urlMaps.list compute.vpnGateways.get compute.vpnGateways.list compute.vpnTunnels.get compute.vpnTunnels.list compute.zones.* resourcemanager.projects.get resourcemanager.projects.list servicenetworking.services.get serviceusage.quotas.get serviceusage.services.get serviceusage.services.list	Instance^Beta
`roles/compute.orgSecurityPolicyAdmin`	Compute Organization Security Policy Admin ^Beta	Full control of Compute Engine Organization Security Policies.	compute.globalOperations.get compute.globalOperations.getIamPolicy compute.globalOperations.list compute.globalOperations.setIamPolicy compute.projects.get compute.securityPolicies.* resourcemanager.projects.get resourcemanager.projects.list serviceusage.quotas.get serviceusage.services.get serviceusage.services.list
`roles/compute.orgSecurityPolicyUser`	Compute Organization Security Policy User ^Beta	View or use Compute Engine Security Policies to associate with the organization or folders.	compute.globalOperations.get compute.globalOperations.getIamPolicy compute.globalOperations.list compute.globalOperations.setIamPolicy compute.projects.get compute.securityPolicies.get compute.securityPolicies.list compute.securityPolicies.use resourcemanager.projects.get resourcemanager.projects.list serviceusage.quotas.get serviceusage.services.get serviceusage.services.list
`roles/compute.orgSecurityResourceAdmin`	Compute Organization Resource Admin ^Beta	Full control of Compute Engine Security Policy associations to the organization or folders.	compute.globalOperations.get compute.globalOperations.getIamPolicy compute.globalOperations.list compute.globalOperations.setIamPolicy compute.projects.get resourcemanager.projects.get resourcemanager.projects.list serviceusage.quotas.get serviceusage.services.get serviceusage.services.list
`roles/compute.osAdminLogin`	Compute OS Admin Login	Access to log in to a Compute Engine instance as an administrator user.	compute.instances.get compute.instances.list compute.instances.osAdminLogin compute.instances.osLogin compute.projects.get resourcemanager.projects.get resourcemanager.projects.list serviceusage.quotas.get serviceusage.services.get serviceusage.services.list	Instance^Beta
`roles/compute.osLogin`	Compute OS Login	Access to log in to a Compute Engine instance as a standard user.	compute.instances.get compute.instances.list compute.instances.osLogin compute.projects.get resourcemanager.projects.get resourcemanager.projects.list serviceusage.quotas.get serviceusage.services.get serviceusage.services.list	Instance^Beta
`roles/compute.osLoginExternalUser`	Compute OS Login External User	Available only at the organization level. Access for an external user to set OS Login information associated with this organization. This role does not grant access to instances. External users must be granted one of the required OS Login roles in order to allow access to instances using SSH.	compute.oslogin.*	Organization
`roles/compute.packetMirroringAdmin`	Compute packet mirroring admin	Specify resources to be mirrored.	compute.networks.mirror compute.projects.get compute.subnetworks.mirror resourcemanager.projects.get resourcemanager.projects.list serviceusage.quotas.get serviceusage.services.get serviceusage.services.list
`roles/compute.packetMirroringUser`	Compute packet mirroring user	Use Compute Engine packet mirrorings.	compute.packetMirrorings.* compute.projects.get resourcemanager.projects.get resourcemanager.projects.list serviceusage.quotas.get serviceusage.services.get serviceusage.services.list
`roles/compute.securityAdmin`	Compute Security Admin	Permissions to create, modify, and delete firewall rules and SSL certificates, and also to configure Shielded VM^BETA settings. For example, if your company has a security team that manages firewalls and SSL certificates and a networking team that manages the rest of the networking resources, then grant the security team's group the `securityAdmin` role.	compute.firewalls.* compute.globalOperations.get compute.globalOperations.list compute.instances.setShieldedInstanceIntegrityPolicy compute.instances.setShieldedVmIntegrityPolicy compute.instances.updateShieldedInstanceConfig compute.instances.updateShieldedVmConfig compute.networks.get compute.networks.list compute.networks.updatePolicy compute.packetMirrorings.* compute.projects.get compute.regionOperations.get compute.regionOperations.list compute.regions.* compute.routes.get compute.routes.list compute.securityPolicies.* compute.sslCertificates.* compute.sslPolicies.* compute.subnetworks.get compute.subnetworks.list compute.zoneOperations.get compute.zoneOperations.list compute.zones.* resourcemanager.projects.get resourcemanager.projects.list serviceusage.quotas.get serviceusage.services.get serviceusage.services.list	Instance^Beta
`roles/compute.storageAdmin`	Compute Storage Admin	Permissions to create, modify, and delete disks, images, and snapshots. For example, if your company has someone who manages project images and you don't want them to have the editor role on the project, then grant their account the `storageAdmin` role on the project.	compute.diskTypes.* compute.disks.* compute.globalOperations.get compute.globalOperations.list compute.images.* compute.licenseCodes.* compute.licenses.* compute.projects.get compute.regionOperations.get compute.regionOperations.list compute.regions.* compute.resourcePolicies.* compute.snapshots.* compute.zoneOperations.get compute.zoneOperations.list compute.zones.* resourcemanager.projects.get resourcemanager.projects.list serviceusage.quotas.get serviceusage.services.get serviceusage.services.list	Disk, image, snapshot ^Beta
`roles/compute.viewer`	Compute Viewer	Read-only access to get and list Compute Engine resources, without being able to read the data stored on them. For example, an account with this role could inventory all of the disks in a project, but it could not read any of the data on those disks.	compute.acceleratorTypes.* compute.addresses.get compute.addresses.list compute.autoscalers.get compute.autoscalers.list compute.backendBuckets.get compute.backendBuckets.list compute.backendServices.get compute.backendServices.list compute.commitments.get compute.commitments.list compute.diskTypes.* compute.disks.get compute.disks.getIamPolicy compute.disks.list compute.externalVpnGateways.get compute.externalVpnGateways.list compute.firewalls.get compute.firewalls.list compute.forwardingRules.get compute.forwardingRules.list compute.globalAddresses.get compute.globalAddresses.list compute.globalForwardingRules.get compute.globalForwardingRules.list compute.globalOperations.get compute.globalOperations.getIamPolicy compute.globalOperations.list compute.healthChecks.get compute.healthChecks.list compute.httpHealthChecks.get compute.httpHealthChecks.list compute.httpsHealthChecks.get compute.httpsHealthChecks.list compute.images.get compute.images.getFromFamily compute.images.getIamPolicy compute.images.list compute.instanceGroupManagers.get compute.instanceGroupManagers.list compute.instanceGroups.get compute.instanceGroups.list compute.instanceTemplates.get compute.instanceTemplates.getIamPolicy compute.instanceTemplates.list compute.instances.get compute.instances.getGuestAttributes compute.instances.getIamPolicy compute.instances.getScreenshot compute.instances.getSerialPortOutput compute.instances.getShieldedInstanceIdentity compute.instances.getShieldedVmIdentity compute.instances.list compute.instances.listReferrers compute.interconnectAttachments.get compute.interconnectAttachments.list compute.interconnectLocations.* compute.interconnects.get compute.interconnects.list compute.licenseCodes.get compute.licenseCodes.getIamPolicy compute.licenseCodes.list compute.licenses.get compute.licenses.getIamPolicy compute.licenses.list compute.machineTypes.* compute.maintenancePolicies.get compute.maintenancePolicies.getIamPolicy compute.maintenancePolicies.list compute.networkEndpointGroups.get compute.networkEndpointGroups.getIamPolicy compute.networkEndpointGroups.list compute.networks.get compute.networks.list compute.networks.listPeeringRoutes compute.nodeGroups.get compute.nodeGroups.getIamPolicy compute.nodeGroups.list compute.nodeTemplates.get compute.nodeTemplates.getIamPolicy compute.nodeTemplates.list compute.nodeTypes.* compute.projects.get compute.regionBackendServices.get compute.regionBackendServices.list compute.regionHealthCheckServices.get compute.regionHealthCheckServices.list compute.regionNotificationEndpoints.get compute.regionNotificationEndpoints.list compute.regionOperations.get compute.regionOperations.getIamPolicy compute.regionOperations.list compute.regions.* compute.reservations.get compute.reservations.list compute.resourcePolicies.get compute.resourcePolicies.list compute.routers.get compute.routers.list compute.routes.get compute.routes.list compute.securityPolicies.get compute.securityPolicies.getIamPolicy compute.securityPolicies.list compute.snapshots.get compute.snapshots.getIamPolicy compute.snapshots.list compute.sslCertificates.get compute.sslCertificates.list compute.sslPolicies.get compute.sslPolicies.list compute.sslPolicies.listAvailableFeatures compute.subnetworks.get compute.subnetworks.getIamPolicy compute.subnetworks.list compute.targetHttpProxies.get compute.targetHttpProxies.list compute.targetHttpsProxies.get compute.targetHttpsProxies.list compute.targetInstances.get compute.targetInstances.list compute.targetPools.get compute.targetPools.list compute.targetSslProxies.get compute.targetSslProxies.list compute.targetTcpProxies.get compute.targetTcpProxies.list compute.targetVpnGateways.get compute.targetVpnGateways.list compute.urlMaps.get compute.urlMaps.list compute.urlMaps.validate compute.vpnGateways.get compute.vpnGateways.list compute.vpnTunnels.get compute.vpnTunnels.list compute.zoneOperations.get compute.zoneOperations.getIamPolicy compute.zoneOperations.list compute.zones.* resourcemanager.projects.get resourcemanager.projects.list serviceusage.quotas.get serviceusage.services.get serviceusage.services.list	Disk, image, instance, instanceTemplate, nodeGroup, nodeTemplate, snapshot ^Beta
`roles/compute.xpnAdmin`	Compute Shared VPC Admin	Permissions to administer shared VPC host projects, specifically enabling the host projects and associating shared VPC service projects to the host project's network. This role can only be granted on the organization by an organization admin. Google Cloud recommends that the Shared VPC Admin be the owner of the shared VPC host project. The Shared VPC Admin is responsible for granting the `compute.networkUser` role to service owners, and the shared VPC host project owner controls the project itself. Managing the project is easier if a single principal (individual or group) can fulfill both roles.	compute.globalOperations.get compute.globalOperations.list compute.organizations.* compute.projects.get compute.subnetworks.getIamPolicy compute.subnetworks.setIamPolicy resourcemanager.organizations.get resourcemanager.projects.get resourcemanager.projects.getIamPolicy resourcemanager.projects.list	Organization
`roles/osconfig.assignmentAdmin`	Assignment Admin ^Alpha	Full admin access to Assignments	resourcemanager.projects.get resourcemanager.projects.list
`roles/osconfig.assignmentEditor`	Assignment Editor ^Alpha	Editor of Assignment resources	resourcemanager.projects.get resourcemanager.projects.list
`roles/osconfig.assignmentViewer`	Assignment Viewer ^Alpha	Viewer of Assignment resources	resourcemanager.projects.get resourcemanager.projects.list
`roles/osconfig.guestPolicyAdmin`	GuestPolicy Admin ^Alpha	Full admin access to GuestPolicies	osconfig.guestPolicies.* resourcemanager.projects.get resourcemanager.projects.list
`roles/osconfig.guestPolicyEditor`	GuestPolicy Editor ^Alpha	Editor of GuestPolicy resources	osconfig.guestPolicies.get osconfig.guestPolicies.list osconfig.guestPolicies.update resourcemanager.projects.get resourcemanager.projects.list
`roles/osconfig.guestPolicyViewer`	GuestPolicy Viewer ^Alpha	Viewer of GuestPolicy resources	osconfig.guestPolicies.get osconfig.guestPolicies.list resourcemanager.projects.get resourcemanager.projects.list
`roles/osconfig.osConfigAdmin`	OsConfig Admin ^Alpha	Full admin access to OsConfigs	resourcemanager.projects.get resourcemanager.projects.list
`roles/osconfig.osConfigEditor`	OsConfig Editor ^Alpha	Editor of OsConfig resources	resourcemanager.projects.get resourcemanager.projects.list
`roles/osconfig.osConfigViewer`	OsConfig Viewer ^Alpha	Viewer of OsConfig resources	resourcemanager.projects.get resourcemanager.projects.list
`roles/osconfig.patchDeploymentAdmin`	PatchDeployment Admin ^Alpha	Full admin access to PatchDeployments	osconfig.patchDeployments.* resourcemanager.projects.get resourcemanager.projects.list
`roles/osconfig.patchDeploymentViewer`	PatchDeployment Viewer ^Alpha	Viewer of PatchDeployment resources	osconfig.patchDeployments.get osconfig.patchDeployments.list resourcemanager.projects.get resourcemanager.projects.list
`roles/osconfig.patchJobExecutor`	Patch Job Executor ^Alpha	Access to execute Patch Jobs.	osconfig.patchJobs.* resourcemanager.projects.get resourcemanager.projects.list
`roles/osconfig.patchJobViewer`	Patch Job Viewer ^Alpha	Get and list Patch Jobs.	osconfig.patchJobs.get osconfig.patchJobs.list resourcemanager.projects.get resourcemanager.projects.list

Kubernetes Engine roles

Role	Title	Description	Permissions	Lowest resource
`roles/container.admin`	Kubernetes Engine Admin	Provides access to full management of clusters and their Kubernetes API objects.	container.* resourcemanager.projects.get resourcemanager.projects.list	Project
`roles/container.clusterAdmin`	Kubernetes Engine Cluster Admin	Provides access to management of clusters.	container.clusters.create container.clusters.delete container.clusters.get container.clusters.list container.clusters.update container.operations.* resourcemanager.projects.get resourcemanager.projects.list	Project
`roles/container.clusterViewer`	Kubernetes Engine Cluster Viewer	Read-only access to Kubernetes Clusters.	container.clusters.get container.clusters.list resourcemanager.projects.get resourcemanager.projects.list
`roles/container.developer`	Kubernetes Engine Developer	Provides access to Kubernetes API objects inside clusters.	container.apiServices.* container.backendConfigs.* container.bindings.* container.certificateSigningRequests.create container.certificateSigningRequests.delete container.certificateSigningRequests.get container.certificateSigningRequests.list container.certificateSigningRequests.update container.certificateSigningRequests.updateStatus container.clusterRoleBindings.get container.clusterRoleBindings.list container.clusterRoles.get container.clusterRoles.list container.clusters.get container.clusters.list container.componentStatuses.* container.configMaps.* container.controllerRevisions.get container.controllerRevisions.list container.cronJobs.* container.csiDrivers.* container.csiNodes.* container.customResourceDefinitions.* container.daemonSets.* container.deployments.* container.endpoints.* container.events.* container.horizontalPodAutoscalers.* container.ingresses.* container.initializerConfigurations.* container.jobs.* container.limitRanges.* container.localSubjectAccessReviews.* container.namespaces.* container.networkPolicies.* container.nodes.* container.persistentVolumeClaims.* container.persistentVolumes.* container.petSets.* container.podDisruptionBudgets.* container.podPresets.* container.podSecurityPolicies.get container.podSecurityPolicies.list container.podTemplates.* container.pods.* container.replicaSets.* container.replicationControllers.* container.resourceQuotas.* container.roleBindings.get container.roleBindings.list container.roles.get container.roles.list container.runtimeClasses.* container.scheduledJobs.* container.secrets.* container.selfSubjectAccessReviews.* container.serviceAccounts.* container.services.* container.statefulSets.* container.storageClasses.* container.subjectAccessReviews.* container.thirdPartyObjects.* container.thirdPartyResources.* container.tokenReviews.* resourcemanager.projects.get resourcemanager.projects.list	Project
`roles/container.hostServiceAgentUser`	Kubernetes Engine Host Service Agent User	Use access of the Kubernetes Engine Host Service Agent.	compute.firewalls.get container.hostServiceAgent.*
`roles/container.viewer`	Kubernetes Engine Viewer	Provides read-only access to GKE resources.	container.apiServices.get container.apiServices.list container.backendConfigs.get container.backendConfigs.list container.bindings.get container.bindings.list container.certificateSigningRequests.get container.certificateSigningRequests.list container.clusterRoleBindings.get container.clusterRoleBindings.list container.clusterRoles.get container.clusterRoles.list container.clusters.get container.clusters.list container.componentStatuses.* container.configMaps.get container.configMaps.list container.controllerRevisions.get container.controllerRevisions.list container.cronJobs.get container.cronJobs.getStatus container.cronJobs.list container.csiDrivers.get container.csiDrivers.list container.csiNodes.get container.csiNodes.list container.customResourceDefinitions.get container.customResourceDefinitions.list container.daemonSets.get container.daemonSets.getStatus container.daemonSets.list container.deployments.get container.deployments.getStatus container.deployments.list container.endpoints.get container.endpoints.list container.events.get container.events.list container.horizontalPodAutoscalers.get container.horizontalPodAutoscalers.getStatus container.horizontalPodAutoscalers.list container.ingresses.get container.ingresses.getStatus container.ingresses.list container.initializerConfigurations.get container.initializerConfigurations.list container.jobs.get container.jobs.getStatus container.jobs.list container.limitRanges.get container.limitRanges.list container.namespaces.get container.namespaces.getStatus container.namespaces.list container.networkPolicies.get container.networkPolicies.list container.nodes.get container.nodes.getStatus container.nodes.list container.operations.* container.persistentVolumeClaims.get container.persistentVolumeClaims.getStatus container.persistentVolumeClaims.list container.persistentVolumes.get container.persistentVolumes.getStatus container.persistentVolumes.list container.petSets.get container.petSets.list container.podDisruptionBudgets.get container.podDisruptionBudgets.getStatus container.podDisruptionBudgets.list container.podPresets.get container.podPresets.list container.podSecurityPolicies.get container.podSecurityPolicies.list container.podTemplates.get container.podTemplates.list container.pods.get container.pods.getStatus container.pods.list container.replicaSets.get container.replicaSets.getScale container.replicaSets.getStatus container.replicaSets.list container.replicationControllers.get container.replicationControllers.getScale container.replicationControllers.getStatus container.replicationControllers.list container.resourceQuotas.get container.resourceQuotas.getStatus container.resourceQuotas.list container.roleBindings.get container.roleBindings.list container.roles.get container.roles.list container.runtimeClasses.get container.runtimeClasses.list container.scheduledJobs.get container.scheduledJobs.list container.serviceAccounts.get container.serviceAccounts.list container.services.get container.services.getStatus container.services.list container.statefulSets.get container.statefulSets.getStatus container.statefulSets.list container.storageClasses.get container.storageClasses.list container.thirdPartyObjects.get container.thirdPartyObjects.list container.thirdPartyResources.get container.thirdPartyResources.list container.tokenReviews.* resourcemanager.projects.get resourcemanager.projects.list	Project

Container Analysis roles

Role	Title	Description	Permissions
`roles/containeranalysis.admin`	Container Analysis Admin ^Alpha	Access to all resources.	resourcemanager.projects.get resourcemanager.projects.list
`roles/containeranalysis.notes.attacher`	Container Analysis Notes Attacher ^Alpha	Can attach occurrences to notes
`roles/containeranalysis.notes.editor`	Container Analysis Notes Editor ^Alpha	Can edit container analysis notes	resourcemanager.projects.get resourcemanager.projects.list
`roles/containeranalysis.notes.viewer`	Container Analysis Notes Viewer ^Alpha	Can view container analysis notes	resourcemanager.projects.get resourcemanager.projects.list
`roles/containeranalysis.occurrences.editor`	Container Analysis Occurrences Editor ^Alpha	Can edit container analysis occurrences	resourcemanager.projects.get resourcemanager.projects.list
`roles/containeranalysis.occurrences.viewer`	Container Analysis Occurrences Viewer ^Alpha	Can view container analysis occurrences	resourcemanager.projects.get resourcemanager.projects.list

Data Catalog roles

Role	Title	Description	Permissions
`roles/datacatalog.admin`	Data Catalog Admin ^Beta	Full access to all DataCatalog resources	bigquery.datasets.get bigquery.datasets.updateTag bigquery.models.getMetadata bigquery.models.updateTag bigquery.tables.get bigquery.tables.updateTag datacatalog.categories.getIamPolicy datacatalog.categories.setIamPolicy datacatalog.entries.* datacatalog.entryGroups.* datacatalog.tagTemplates.* datacatalog.taxonomies.* pubsub.topics.get pubsub.topics.updateTag resourcemanager.projects.get resourcemanager.projects.list
`roles/datacatalog.categoryAdmin`	Policy Tag Admin ^Beta	Manage taxonomies	datacatalog.categories.getIamPolicy datacatalog.categories.setIamPolicy datacatalog.taxonomies.* resourcemanager.projects.get resourcemanager.projects.list
`roles/datacatalog.categoryFineGrainedReader`	Fine-Grained Reader ^Beta	Read access to sub-resources tagged by a policy tag, for example, BigQuery columns	datacatalog.categories.fineGrainedGet
`roles/datacatalog.entryGroupCreator`	DataCatalog EntryGroup Creator ^Beta	Can create new entryGroups	datacatalog.entryGroups.create datacatalog.entryGroups.get datacatalog.entryGroups.list resourcemanager.projects.get resourcemanager.projects.list
`roles/datacatalog.entryGroupOwner`	DataCatalog entryGroup Owner ^Beta	Full access to entryGroups	datacatalog.entries.* datacatalog.entryGroups.* resourcemanager.projects.get resourcemanager.projects.list
`roles/datacatalog.entryOwner`	DataCatalog entry Owner ^Beta	Full access to entries	datacatalog.entries.* datacatalog.entryGroups.get resourcemanager.projects.get resourcemanager.projects.list
`roles/datacatalog.entryViewer`	DataCatalog Entry Viewer ^Beta	Read access to entries	datacatalog.entries.get datacatalog.entries.list datacatalog.entryGroups.get resourcemanager.projects.get resourcemanager.projects.list
`roles/datacatalog.tagEditor`	Data Catalog Tag Editor ^Beta	Gives permission to modify tags on a GCP assets (BigQuery, Pub/Sub etc).	bigquery.datasets.updateTag bigquery.models.updateTag bigquery.tables.updateTag datacatalog.entries.updateTag pubsub.topics.updateTag
`roles/datacatalog.tagTemplateCreator`	Data Catalog TagTemplate Creator ^Beta	Can create new tag templates	datacatalog.tagTemplates.create datacatalog.tagTemplates.get
`roles/datacatalog.tagTemplateOwner`	Data Catalog TagTemplate Owner ^Beta	Full acess to tag templates	datacatalog.tagTemplates.* resourcemanager.projects.get resourcemanager.projects.list
`roles/datacatalog.tagTemplateUser`	Data Catalog TagTemplate User ^Beta	Can use tag templates to tag resources	datacatalog.tagTemplates.get datacatalog.tagTemplates.getTag datacatalog.tagTemplates.use resourcemanager.projects.get resourcemanager.projects.list
`roles/datacatalog.tagTemplateViewer`	Data Catalog TagTemplate Viewer ^Beta	Read access to templates and tags created using the templates	datacatalog.tagTemplates.get datacatalog.tagTemplates.getTag resourcemanager.projects.get resourcemanager.projects.list
`roles/datacatalog.viewer`	Data Catalog Viewer ^Beta	View resources in DataCatalog	bigquery.datasets.get bigquery.models.getMetadata bigquery.tables.get datacatalog.entries.get datacatalog.entries.list datacatalog.entryGroups.get datacatalog.entryGroups.list datacatalog.tagTemplates.get datacatalog.tagTemplates.getTag datacatalog.taxonomies.get datacatalog.taxonomies.list pubsub.topics.get resourcemanager.projects.get resourcemanager.projects.list

Dataflow roles

Role	Title	Description	Permissions	Lowest resource
`roles/dataflow.admin`	Dataflow Admin	Minimal role for creating and managing dataflow jobs.	compute.machineTypes.get dataflow.* resourcemanager.projects.get resourcemanager.projects.list storage.buckets.get storage.objects.create storage.objects.get storage.objects.list
`roles/dataflow.developer`	Dataflow Developer	Provides the permissions necessary to execute and manipulate Dataflow jobs.	dataflow.* resourcemanager.projects.get resourcemanager.projects.list	Project
`roles/dataflow.viewer`	Dataflow Viewer	Provides read-only access to all Dataflow-related resources.	dataflow.jobs.get dataflow.jobs.list dataflow.messages.* dataflow.metrics.* dataflow.snapshots.get dataflow.snapshots.list resourcemanager.projects.get resourcemanager.projects.list	Project
`roles/dataflow.worker`	Dataflow Worker	Provides the permissions necessary for a Compute Engine service account to execute work units for a Dataflow pipeline.	compute.instanceGroupManagers.update compute.instances.delete compute.instances.setDiskAutoDelete dataflow.jobs.get logging.logEntries.create storage.objects.create storage.objects.get	Project

Cloud Data Labeling roles

Role	Title	Description	Permissions
`roles/datalabeling.admin`	DataLabeling Service Admin ^Beta	Full access to all DataLabeling resources	datalabeling.* resourcemanager.projects.get resourcemanager.projects.list
`roles/datalabeling.editor`	DataLabeling Service Editor ^Beta	Editor of all DataLabeling resources	datalabeling.* resourcemanager.projects.get resourcemanager.projects.list
`roles/datalabeling.viewer`	DataLabeling Service Viewer ^Beta	Viewer of all DataLabeling resources	datalabeling.annotateddatasets.get datalabeling.annotateddatasets.list datalabeling.annotationspecsets.get datalabeling.annotationspecsets.list datalabeling.dataitems.* datalabeling.datasets.get datalabeling.datasets.list datalabeling.examples.* datalabeling.instructions.get datalabeling.instructions.list datalabeling.operations.get datalabeling.operations.list resourcemanager.projects.get resourcemanager.projects.list

Dataprep roles

Role	Title	Description	Permissions	Lowest resource
`roles/dataprep.projects.user`	Dataprep User ^Beta	Use of Dataprep.	dataprep.* resourcemanager.projects.get serviceusage.quotas.get serviceusage.services.get serviceusage.services.list

Dataproc roles

Role	Title	Description	Permissions	Lowest resource
`roles/dataproc.admin`	Dataproc Administrator	Full control of Dataproc resources.	compute.machineTypes.* compute.networks.get compute.networks.list compute.projects.get compute.regions.* compute.zones.* dataproc.autoscalingPolicies.* dataproc.clusters.* dataproc.jobs.* dataproc.operations.* dataproc.workflowTemplates.* resourcemanager.projects.get resourcemanager.projects.list
`roles/dataproc.editor`	Dataproc Editor	Provides the permissions necessary for viewing the resources required to manage Dataproc, including machine types, networks, projects and zones.	compute.machineTypes.* compute.networks.get compute.networks.list compute.projects.get compute.regions.* compute.zones.* dataproc.autoscalingPolicies.create dataproc.autoscalingPolicies.delete dataproc.autoscalingPolicies.get dataproc.autoscalingPolicies.list dataproc.autoscalingPolicies.update dataproc.autoscalingPolicies.use dataproc.clusters.create dataproc.clusters.delete dataproc.clusters.get dataproc.clusters.list dataproc.clusters.update dataproc.clusters.use dataproc.jobs.cancel dataproc.jobs.create dataproc.jobs.delete dataproc.jobs.get dataproc.jobs.list dataproc.jobs.update dataproc.operations.delete dataproc.operations.get dataproc.operations.list dataproc.workflowTemplates.create dataproc.workflowTemplates.delete dataproc.workflowTemplates.get dataproc.workflowTemplates.instantiate dataproc.workflowTemplates.instantiateInline dataproc.workflowTemplates.list dataproc.workflowTemplates.update resourcemanager.projects.get resourcemanager.projects.list	Project
`roles/dataproc.viewer`	Dataproc Viewer	Provides read-only access to Dataproc resources.	compute.machineTypes.get compute.regions.* compute.zones.get dataproc.autoscalingPolicies.get dataproc.autoscalingPolicies.list dataproc.clusters.get dataproc.clusters.list dataproc.jobs.get dataproc.jobs.list dataproc.operations.get dataproc.operations.list dataproc.workflowTemplates.get dataproc.workflowTemplates.list resourcemanager.projects.get resourcemanager.projects.list	Project
`roles/dataproc.worker`	Dataproc Worker	Worker access to Dataproc. Intended for service accounts.	dataproc.agents.* dataproc.tasks.* logging.logEntries.create monitoring.metricDescriptors.create monitoring.metricDescriptors.get monitoring.metricDescriptors.list monitoring.monitoredResourceDescriptors.* monitoring.timeSeries.create storage.buckets.get storage.objects.*

Datastore roles

Role	Title	Description	Permissions	Lowest resource
`roles/datastore.importExportAdmin`	Cloud Datastore Import Export Admin	Provides full access to manage imports and exports.	appengine.applications.get datastore.databases.export datastore.databases.import datastore.operations.cancel datastore.operations.get datastore.operations.list resourcemanager.projects.get resourcemanager.projects.list	Project
`roles/datastore.indexAdmin`	Cloud Datastore Index Admin	Provides full access to manage index definitions.	appengine.applications.get datastore.indexes.* resourcemanager.projects.get resourcemanager.projects.list	Project
`roles/datastore.owner`	Cloud Datastore Owner	Provides full access to Datastore resources.	appengine.applications.get datastore.* resourcemanager.projects.get resourcemanager.projects.list	Project
`roles/datastore.user`	Cloud Datastore User	Provides read/write access to data in a Datastore database.	appengine.applications.get datastore.databases.get datastore.entities.* datastore.indexes.list datastore.namespaces.get datastore.namespaces.list datastore.statistics.* resourcemanager.projects.get resourcemanager.projects.list	Project
`roles/datastore.viewer`	Cloud Datastore Viewer	Provides read access to Datastore resources.	appengine.applications.get datastore.databases.get datastore.databases.list datastore.entities.get datastore.entities.list datastore.indexes.get datastore.indexes.list datastore.namespaces.get datastore.namespaces.list datastore.statistics.* resourcemanager.projects.get resourcemanager.projects.list	Project

Deployment Manager roles

Role	Title	Description	Permissions	Lowest resource
`roles/deploymentmanager.editor`	Deployment Manager Editor	Provides the permissions necessary to create and manage deployments.	deploymentmanager.compositeTypes.* deploymentmanager.deployments.cancelPreview deploymentmanager.deployments.create deploymentmanager.deployments.delete deploymentmanager.deployments.get deploymentmanager.deployments.list deploymentmanager.deployments.stop deploymentmanager.deployments.update deploymentmanager.manifests.* deploymentmanager.operations.* deploymentmanager.resources.* deploymentmanager.typeProviders.* deploymentmanager.types.* resourcemanager.projects.get resourcemanager.projects.list serviceusage.quotas.get serviceusage.services.get serviceusage.services.list	Project
`roles/deploymentmanager.typeEditor`	Deployment Manager Type Editor	Provides read and write access to all Type Registry resources.	deploymentmanager.compositeTypes.* deploymentmanager.operations.get deploymentmanager.typeProviders.* deploymentmanager.types.* resourcemanager.projects.get resourcemanager.projects.list serviceusage.quotas.get serviceusage.services.get	Project
`roles/deploymentmanager.typeViewer`	Deployment Manager Type Viewer	Provides read-only access to all Type Registry resources.	deploymentmanager.compositeTypes.get deploymentmanager.compositeTypes.list deploymentmanager.typeProviders.get deploymentmanager.typeProviders.getType deploymentmanager.typeProviders.list deploymentmanager.typeProviders.listTypes deploymentmanager.types.get deploymentmanager.types.list resourcemanager.projects.get resourcemanager.projects.list serviceusage.quotas.get serviceusage.services.get	Project
`roles/deploymentmanager.viewer`	Deployment Manager Viewer	Provides read-only access to all Deployment Manager-related resources.	deploymentmanager.compositeTypes.get deploymentmanager.compositeTypes.list deploymentmanager.deployments.get deploymentmanager.deployments.list deploymentmanager.manifests.* deploymentmanager.operations.* deploymentmanager.resources.* deploymentmanager.typeProviders.get deploymentmanager.typeProviders.getType deploymentmanager.typeProviders.list deploymentmanager.typeProviders.listTypes deploymentmanager.types.get deploymentmanager.types.list resourcemanager.projects.get resourcemanager.projects.list serviceusage.quotas.get serviceusage.services.get serviceusage.services.list	Project

Dialogflow roles

Role	Title	Description	Permissions	Lowest resource
`roles/dialogflow.admin`	Dialogflow API Admin	Full access to Dialogflow (API only) resources. Use the `roles/owner` or `roles/editor` primitive role for access to both API and Dialogflow console (commonly needed to create an agent from the Dialogflow console).	dialogflow.* resourcemanager.projects.get	Project
`roles/dialogflow.client`	Dialogflow API Client	Client access to Dialogflow (API only) resources. This grants permission to detect intent and read/write session properties (contexts, session entity types, etc.).	dialogflow.contexts.* dialogflow.sessionEntityTypes.* dialogflow.sessions.*	Project
`roles/dialogflow.consoleAgentEditor`	Dialogflow Console Agent Editor	Can edit agent in Dialogflow Console	actions.agentVersions.create dialogflow.* resourcemanager.projects.get
`roles/dialogflow.reader`	Dialogflow API Reader	Read access to Dialogflow (API only) resources. Cannot detect intent. Use the `roles/viewer` primitive role for similar access to both API and Dialogflow console.	dialogflow.agents.export dialogflow.agents.get dialogflow.agents.search dialogflow.contexts.get dialogflow.contexts.list dialogflow.documents.get dialogflow.documents.list dialogflow.entityTypes.get dialogflow.entityTypes.list dialogflow.intents.get dialogflow.intents.list dialogflow.knowledgeBases.get dialogflow.knowledgeBases.list dialogflow.operations.* dialogflow.sessionEntityTypes.get dialogflow.sessionEntityTypes.list resourcemanager.projects.get	Project

Cloud DLP roles

Role	Title	Description	Permissions
`roles/dlp.admin`	DLP Administrator	Administer DLP including jobs and templates.	dlp.* serviceusage.services.use
`roles/dlp.analyzeRiskTemplatesEditor`	DLP Analyze Risk Templates Editor	Edit DLP analyze risk templates.	dlp.analyzeRiskTemplates.*
`roles/dlp.analyzeRiskTemplatesReader`	DLP Analyze Risk Templates Reader	Read DLP analyze risk templates.	dlp.analyzeRiskTemplates.get dlp.analyzeRiskTemplates.list
`roles/dlp.deidentifyTemplatesEditor`	DLP De-identify Templates Editor	Edit DLP de-identify templates.	dlp.deidentifyTemplates.*
`roles/dlp.deidentifyTemplatesReader`	DLP De-identify Templates Reader	Read DLP de-identify templates.	dlp.deidentifyTemplates.get dlp.deidentifyTemplates.list
`roles/dlp.inspectTemplatesEditor`	DLP Inspect Templates Editor	Edit DLP inspect templates.	dlp.inspectTemplates.*
`roles/dlp.inspectTemplatesReader`	DLP Inspect Templates Reader	Read DLP inspect templates.	dlp.inspectTemplates.get dlp.inspectTemplates.list
`roles/dlp.jobTriggersEditor`	DLP Job Triggers Editor	Edit job triggers configurations.	dlp.jobTriggers.*
`roles/dlp.jobTriggersReader`	DLP Job Triggers Reader	Read job triggers.	dlp.jobTriggers.get dlp.jobTriggers.list
`roles/dlp.jobsEditor`	DLP Jobs Editor	Edit and create jobs	dlp.jobs.* dlp.kms.*
`roles/dlp.jobsReader`	DLP Jobs Reader	Read jobs	dlp.jobs.get dlp.jobs.list
`roles/dlp.reader`	DLP Reader	Read DLP entities, such as jobs and templates.	dlp.analyzeRiskTemplates.get dlp.analyzeRiskTemplates.list dlp.deidentifyTemplates.get dlp.deidentifyTemplates.list dlp.inspectTemplates.get dlp.inspectTemplates.list dlp.jobTriggers.get dlp.jobTriggers.list dlp.jobs.get dlp.jobs.list dlp.storedInfoTypes.get dlp.storedInfoTypes.list
`roles/dlp.storedInfoTypesEditor`	DLP Stored InfoTypes Editor	Edit DLP stored info types.	dlp.storedInfoTypes.*
`roles/dlp.storedInfoTypesReader`	DLP Stored InfoTypes Reader	Read DLP stored info types.	dlp.storedInfoTypes.get dlp.storedInfoTypes.list
`roles/dlp.user`	DLP User	Inspect, Redact, and De-identify Content	dlp.kms.* serviceusage.services.use

DNS roles

Role	Title	Description	Permissions	Lowest resource
`roles/dns.admin`	DNS Administrator	Provides read-write access to all Cloud DNS resources.	compute.networks.get compute.networks.list dns.changes.* dns.dnsKeys.* dns.managedZoneOperations.* dns.managedZones.* dns.networks.* dns.policies.create dns.policies.delete dns.policies.get dns.policies.list dns.policies.update dns.projects.* dns.resourceRecordSets.* resourcemanager.projects.get resourcemanager.projects.list	Project
`roles/dns.peer`	DNS Peer	Access to target networks with DNS peering zones	dns.networks.targetWithPeeringZone
`roles/dns.reader`	DNS Reader	Provides read-only access to all Cloud DNS resources.	compute.networks.get dns.changes.get dns.changes.list dns.dnsKeys.* dns.managedZoneOperations.* dns.managedZones.get dns.managedZones.list dns.policies.get dns.policies.list dns.projects.* dns.resourceRecordSets.list resourcemanager.projects.get resourcemanager.projects.list	Project

Endpoints roles

Role	Title	Description	Permissions	Lowest resource
`roles/endpoints.portalAdmin`	Endpoints Portal Admin ^Beta	Provides all permissions needed to add, view, and delete custom domains on the Endpoints > Developer Portal page in the GCP Console. On a portal created for an API, provides the permission to change settings on the Site Wide tab on the Settings page.	endpoints.* resourcemanager.projects.get resourcemanager.projects.list servicemanagement.services.get	Project

Error Reporting roles

Role	Title	Description	Permissions	Lowest resource
`roles/errorreporting.admin`	Error Reporting Admin ^Beta	Provides full access to Error Reporting data.	cloudnotifications.* errorreporting.*	Project
`roles/errorreporting.user`	Error Reporting User ^Beta	Provides the permissions to read and write Error Reporting data, except for sending new error events.	cloudnotifications.* errorreporting.applications.* errorreporting.errorEvents.delete errorreporting.errorEvents.list errorreporting.groupMetadata.* errorreporting.groups.*	Project
`roles/errorreporting.viewer`	Error Reporting Viewer ^Beta	Provides read-only access to Error Reporting data.	cloudnotifications.* errorreporting.applications.* errorreporting.errorEvents.list errorreporting.groupMetadata.get errorreporting.groups.*	Project
`roles/errorreporting.writer`	Errors Writer ^Beta	Provides the permissions to send error events to Error Reporting.	errorreporting.errorEvents.create	Service Account

Cloud Filestore roles

Role	Title	Description	Permissions	Lowest resource
`roles/file.editor`	Cloud Filestore Editor ^Beta	Read-write access to Filestore instances and related resources.	file.*
`roles/file.viewer`	Cloud Filestore Viewer ^Beta	Read-only access to Filestore instances and related resources.	file.instances.get file.instances.list file.locations.* file.operations.get file.operations.list file.snapshots.get file.snapshots.list

Firebase roles

Role	Title	Description	Permissions
`roles/firebase.admin`	Firebase Admin	Full access to Firebase products.	appengine.applications.get automl.* clientauthconfig.brands.get clientauthconfig.brands.list clientauthconfig.brands.update clientauthconfig.clients.create clientauthconfig.clients.delete clientauthconfig.clients.get clientauthconfig.clients.list clientauthconfig.clients.update cloudconfig.* cloudfunctions.* cloudmessaging.* cloudnotifications.* cloudtestservice.* cloudtoolresults.* datastore.* errorreporting.groups.* firebase.* firebaseabt.* firebaseanalytics.* firebaseappdistro.* firebaseauth.* firebasecrash.* firebasecrashlytics.* firebasedatabase.* firebasedynamiclinks.* firebaseextensions.* firebasehosting.* firebaseinappmessaging.* firebaseml.* firebasenotifications.* firebaseperformance.* firebasepredictions.* firebaserules.* logging.logEntries.list monitoring.timeSeries.list resourcemanager.projects.get resourcemanager.projects.getIamPolicy resourcemanager.projects.list runtimeconfig.configs.create runtimeconfig.configs.delete runtimeconfig.configs.get runtimeconfig.configs.list runtimeconfig.configs.update runtimeconfig.operations.* runtimeconfig.variables.create runtimeconfig.variables.delete runtimeconfig.variables.get runtimeconfig.variables.list runtimeconfig.variables.update runtimeconfig.variables.watch runtimeconfig.waiters.create runtimeconfig.waiters.delete runtimeconfig.waiters.get runtimeconfig.waiters.list runtimeconfig.waiters.update serviceusage.apiKeys.get serviceusage.apiKeys.getProjectForKey serviceusage.apiKeys.list serviceusage.operations.get serviceusage.operations.list serviceusage.quotas.get serviceusage.services.get serviceusage.services.list storage.buckets.* storage.objects.*
`roles/firebase.analyticsAdmin`	Firebase Analytics Admin	Full access to Google Analytics for Firebase.	cloudnotifications.* firebase.billingPlans.get firebase.clients.get firebase.links.list firebase.projects.get firebaseanalytics.* firebaseextensions.configs.list resourcemanager.projects.get resourcemanager.projects.getIamPolicy resourcemanager.projects.list
`roles/firebase.analyticsViewer`	Firebase Analytics Viewer	Read access to Google Analytics for Firebase.	cloudnotifications.* firebase.billingPlans.get firebase.clients.get firebase.links.list firebase.projects.get firebaseanalytics.resources.googleAnalyticsReadAndAnalyze firebaseextensions.configs.list resourcemanager.projects.get resourcemanager.projects.getIamPolicy resourcemanager.projects.list
`roles/firebase.developAdmin`	Firebase Develop Admin	Full access to Firebase Develop products and Analytics.	appengine.applications.get automl.* clientauthconfig.brands.get clientauthconfig.brands.list clientauthconfig.brands.update clientauthconfig.clients.get clientauthconfig.clients.list cloudfunctions.* cloudnotifications.* datastore.* errorreporting.groups.* firebase.billingPlans.get firebase.clients.get firebase.links.list firebase.projects.get firebaseanalytics.* firebaseauth.* firebasedatabase.* firebaseextensions.configs.list firebasehosting.* firebaseml.* firebaserules.* logging.logEntries.list monitoring.timeSeries.list resourcemanager.projects.get resourcemanager.projects.getIamPolicy resourcemanager.projects.list runtimeconfig.configs.create runtimeconfig.configs.delete runtimeconfig.configs.get runtimeconfig.configs.list runtimeconfig.configs.update runtimeconfig.operations.* runtimeconfig.variables.create runtimeconfig.variables.delete runtimeconfig.variables.get runtimeconfig.variables.list runtimeconfig.variables.update runtimeconfig.variables.watch runtimeconfig.waiters.create runtimeconfig.waiters.delete runtimeconfig.waiters.get runtimeconfig.waiters.list runtimeconfig.waiters.update serviceusage.apiKeys.get serviceusage.apiKeys.getProjectForKey serviceusage.apiKeys.list serviceusage.operations.get serviceusage.operations.list serviceusage.quotas.get serviceusage.services.get serviceusage.services.list storage.buckets.* storage.objects.*
`roles/firebase.developViewer`	Firebase Develop Viewer	Read access to Firebase Develop products and Analytics.	automl.annotationSpecs.get automl.annotationSpecs.list automl.annotations.list automl.columnSpecs.get automl.columnSpecs.list automl.datasets.get automl.datasets.list automl.examples.get automl.examples.list automl.humanAnnotationTasks.get automl.humanAnnotationTasks.list automl.locations.get automl.locations.list automl.modelEvaluations.get automl.modelEvaluations.list automl.models.get automl.models.list automl.operations.get automl.operations.list automl.tableSpecs.get automl.tableSpecs.list clientauthconfig.brands.get clientauthconfig.brands.list cloudfunctions.functions.get cloudfunctions.functions.list cloudfunctions.locations.* cloudfunctions.operations.* cloudnotifications.* datastore.databases.get datastore.databases.getIamPolicy datastore.databases.list datastore.entities.get datastore.entities.list datastore.indexes.get datastore.indexes.list datastore.namespaces.get datastore.namespaces.getIamPolicy datastore.namespaces.list datastore.statistics.* errorreporting.groups.* firebase.billingPlans.get firebase.clients.get firebase.links.list firebase.projects.get firebaseanalytics.resources.googleAnalyticsReadAndAnalyze firebaseauth.configs.get firebaseauth.users.get firebasedatabase.instances.get firebasedatabase.instances.list firebaseextensions.configs.list firebasehosting.sites.get firebasehosting.sites.list firebaseml.compressionjobs.get firebaseml.compressionjobs.list firebaseml.models.get firebaseml.models.list firebaseml.modelversions.get firebaseml.modelversions.list firebaserules.releases.get firebaserules.releases.list firebaserules.rulesets.get firebaserules.rulesets.list logging.logEntries.list monitoring.timeSeries.list resourcemanager.projects.get resourcemanager.projects.getIamPolicy resourcemanager.projects.list serviceusage.operations.get serviceusage.operations.list serviceusage.quotas.get serviceusage.services.get serviceusage.services.list storage.buckets.get storage.buckets.getIamPolicy storage.buckets.list storage.objects.get storage.objects.getIamPolicy storage.objects.list
`roles/firebase.growthAdmin`	Firebase Grow Admin	Full access to Firebase Grow products and Analytics.	clientauthconfig.clients.get clientauthconfig.clients.list cloudconfig.* cloudmessaging.* cloudnotifications.* firebase.billingPlans.get firebase.clients.get firebase.links.list firebase.projects.get firebaseabt.* firebaseanalytics.* firebasedynamiclinks.* firebaseextensions.configs.list firebaseinappmessaging.* firebasenotifications.* firebasepredictions.* monitoring.timeSeries.list resourcemanager.projects.get resourcemanager.projects.getIamPolicy resourcemanager.projects.list serviceusage.operations.get serviceusage.operations.list serviceusage.quotas.get serviceusage.services.get serviceusage.services.list
`roles/firebase.growthViewer`	Firebase Grow Viewer	Read access to Firebase Grow products and Analytics.	cloudconfig.configs.get cloudnotifications.* firebase.billingPlans.get firebase.clients.get firebase.links.list firebase.projects.get firebaseabt.experimentresults.* firebaseabt.experiments.get firebaseabt.experiments.list firebaseabt.projectmetadata.* firebaseanalytics.resources.googleAnalyticsReadAndAnalyze firebasedynamiclinks.destinations.list firebasedynamiclinks.domains.get firebasedynamiclinks.domains.list firebasedynamiclinks.links.get firebasedynamiclinks.links.list firebasedynamiclinks.stats.* firebaseextensions.configs.list firebaseinappmessaging.campaigns.get firebaseinappmessaging.campaigns.list firebasenotifications.messages.get firebasenotifications.messages.list firebasepredictions.predictions.list monitoring.timeSeries.list resourcemanager.projects.get resourcemanager.projects.getIamPolicy resourcemanager.projects.list serviceusage.operations.get serviceusage.operations.list serviceusage.quotas.get serviceusage.services.get serviceusage.services.list
`roles/firebase.qualityAdmin`	Firebase Quality Admin	Full access to Firebase Quality products and Analytics.	cloudnotifications.* firebase.billingPlans.get firebase.clients.get firebase.links.list firebase.projects.get firebaseanalytics.* firebaseappdistro.* firebasecrash.* firebasecrashlytics.* firebaseextensions.configs.list firebaseperformance.* monitoring.timeSeries.list resourcemanager.projects.get resourcemanager.projects.getIamPolicy resourcemanager.projects.list serviceusage.operations.get serviceusage.operations.list serviceusage.quotas.get serviceusage.services.get serviceusage.services.list
`roles/firebase.qualityViewer`	Firebase Quality Viewer	Read access to Firebase Quality products and Analytics.	cloudnotifications.* firebase.billingPlans.get firebase.clients.get firebase.links.list firebase.projects.get firebaseanalytics.resources.googleAnalyticsReadAndAnalyze firebaseappdistro.groups.list firebaseappdistro.releases.list firebaseappdistro.testers.list firebasecrash.reports.* firebasecrashlytics.config.get firebasecrashlytics.data.* firebasecrashlytics.issues.get firebasecrashlytics.issues.list firebasecrashlytics.sessions.* firebaseextensions.configs.list firebaseperformance.data.* monitoring.timeSeries.list resourcemanager.projects.get resourcemanager.projects.getIamPolicy resourcemanager.projects.list serviceusage.operations.get serviceusage.operations.list serviceusage.quotas.get serviceusage.services.get serviceusage.services.list
`roles/firebase.viewer`	Firebase Viewer	Read-only access to Firebase products.	automl.annotationSpecs.get automl.annotationSpecs.list automl.annotations.list automl.columnSpecs.get automl.columnSpecs.list automl.datasets.get automl.datasets.list automl.examples.get automl.examples.list automl.humanAnnotationTasks.get automl.humanAnnotationTasks.list automl.locations.get automl.locations.list automl.modelEvaluations.get automl.modelEvaluations.list automl.models.get automl.models.list automl.operations.get automl.operations.list automl.tableSpecs.get automl.tableSpecs.list clientauthconfig.brands.get clientauthconfig.brands.list cloudconfig.configs.get cloudfunctions.functions.get cloudfunctions.functions.list cloudfunctions.locations.* cloudfunctions.operations.* cloudnotifications.* cloudtestservice.environmentcatalog.* cloudtestservice.matrices.get cloudtoolresults.executions.get cloudtoolresults.executions.list cloudtoolresults.histories.get cloudtoolresults.histories.list cloudtoolresults.settings.get cloudtoolresults.steps.get cloudtoolresults.steps.list datastore.databases.get datastore.databases.getIamPolicy datastore.databases.list datastore.entities.get datastore.entities.list datastore.indexes.get datastore.indexes.list datastore.namespaces.get datastore.namespaces.getIamPolicy datastore.namespaces.list datastore.statistics.* errorreporting.groups.* firebase.billingPlans.get firebase.clients.get firebase.links.list firebase.projects.get firebaseabt.experimentresults.* firebaseabt.experiments.get firebaseabt.experiments.list firebaseabt.projectmetadata.* firebaseanalytics.resources.googleAnalyticsReadAndAnalyze firebaseappdistro.groups.list firebaseappdistro.releases.list firebaseappdistro.testers.list firebaseauth.configs.get firebaseauth.users.get firebasecrash.reports.* firebasecrashlytics.config.get firebasecrashlytics.data.* firebasecrashlytics.issues.get firebasecrashlytics.issues.list firebasecrashlytics.sessions.* firebasedatabase.instances.get firebasedatabase.instances.list firebasedynamiclinks.destinations.list firebasedynamiclinks.domains.get firebasedynamiclinks.domains.list firebasedynamiclinks.links.get firebasedynamiclinks.links.list firebasedynamiclinks.stats.* firebaseextensions.configs.list firebasehosting.sites.get firebasehosting.sites.list firebaseinappmessaging.campaigns.get firebaseinappmessaging.campaigns.list firebaseml.compressionjobs.get firebaseml.compressionjobs.list firebaseml.models.get firebaseml.models.list firebaseml.modelversions.get firebaseml.modelversions.list firebasenotifications.messages.get firebasenotifications.messages.list firebaseperformance.data.* firebasepredictions.predictions.list firebaserules.releases.get firebaserules.releases.list firebaserules.rulesets.get firebaserules.rulesets.list logging.logEntries.list monitoring.timeSeries.list resourcemanager.projects.get resourcemanager.projects.getIamPolicy resourcemanager.projects.list serviceusage.operations.get serviceusage.operations.list serviceusage.quotas.get serviceusage.services.get serviceusage.services.list storage.buckets.get storage.buckets.getIamPolicy storage.buckets.list storage.objects.get storage.objects.getIamPolicy storage.objects.list

Firebase Products roles

Role	Title	Description	Permissions
`roles/cloudconfig.admin`	Firebase Remote Config Admin	Full access to Firebase Remote Config resources.	cloudconfig.* firebase.clients.get firebase.projects.get resourcemanager.projects.get resourcemanager.projects.list
`roles/cloudconfig.viewer`	Firebase Remote Config Viewer	Read access to Firebase Remote Config resources.	cloudconfig.configs.get firebase.clients.get firebase.projects.get resourcemanager.projects.get resourcemanager.projects.list
`roles/cloudtestservice.testAdmin`	Firebase Test Lab Admin	Full access to all Test Lab features	cloudtestservice.* cloudtoolresults.* firebase.billingPlans.get firebase.clients.get firebase.projects.get resourcemanager.projects.get resourcemanager.projects.list storage.buckets.create storage.buckets.get storage.buckets.update storage.objects.create storage.objects.get storage.objects.list
`roles/cloudtestservice.testViewer`	Firebase Test Lab Viewer	Read access to Test Lab features	cloudtestservice.environmentcatalog.* cloudtestservice.matrices.get cloudtoolresults.executions.get cloudtoolresults.executions.list cloudtoolresults.histories.get cloudtoolresults.histories.list cloudtoolresults.settings.get cloudtoolresults.steps.get cloudtoolresults.steps.list firebase.clients.get firebase.projects.get resourcemanager.projects.get resourcemanager.projects.list storage.objects.get storage.objects.list
`roles/firebaseabt.admin`	Firebase A/B Testing Admin ^Beta	Full read/write access to Firebase A/B Testing resources.	firebase.clients.get firebase.projects.get firebaseabt.* resourcemanager.projects.get resourcemanager.projects.list
`roles/firebaseabt.viewer`	Firebase A/B Testing Viewer ^Beta	Read-only access to Firebase A/B Testing resources.	firebase.clients.get firebase.projects.get firebaseabt.experimentresults.* firebaseabt.experiments.get firebaseabt.experiments.list firebaseabt.projectmetadata.* resourcemanager.projects.get resourcemanager.projects.list
`roles/firebaseappdistro.admin`	Firebase App Distribution Admin ^Beta	Full read/write access to Firebase App Distribution resources.	firebase.clients.get firebase.projects.get firebaseappdistro.* resourcemanager.projects.get resourcemanager.projects.list
`roles/firebaseappdistro.viewer`	Firebase App Distribution Viewer ^Beta	Read-only access to Firebase App Distribution resources.	firebase.clients.get firebase.projects.get firebaseappdistro.groups.list firebaseappdistro.releases.list firebaseappdistro.testers.list resourcemanager.projects.get resourcemanager.projects.list
`roles/firebaseauth.admin`	Firebase Authentication Admin	Full read/write access to Firebase Authentication resources.	firebase.clients.get firebase.projects.get firebaseauth.* resourcemanager.projects.get resourcemanager.projects.list
`roles/firebaseauth.viewer`	Firebase Authentication Viewer	Read-only access to Firebase Authentication resources.	firebase.clients.get firebase.projects.get firebaseauth.configs.get firebaseauth.users.get resourcemanager.projects.get resourcemanager.projects.list
`roles/firebasecrashlytics.admin`	Firebase Crashlytics Admin	Full read/write access to Firebase Crashlytics resources.	firebase.clients.get firebase.projects.get firebasecrashlytics.* resourcemanager.projects.get resourcemanager.projects.list
`roles/firebasecrashlytics.viewer`	Firebase Crashlytics Viewer	Read-only access to Firebase Crashlytics resources.	firebase.clients.get firebase.projects.get firebasecrashlytics.config.get firebasecrashlytics.data.* firebasecrashlytics.issues.get firebasecrashlytics.issues.list firebasecrashlytics.sessions.* resourcemanager.projects.get resourcemanager.projects.list
`roles/firebasedatabase.admin`	Firebase Realtime Database Admin	Full read/write access to Firebase Realtime Database resources.	firebase.clients.get firebase.projects.get firebasedatabase.* resourcemanager.projects.get resourcemanager.projects.list
`roles/firebasedatabase.viewer`	Firebase Realtime Database Viewer	Read-only access to Firebase Realtime Database resources.	firebase.clients.get firebase.projects.get firebasedatabase.instances.get firebasedatabase.instances.list resourcemanager.projects.get resourcemanager.projects.list
`roles/firebasedynamiclinks.admin`	Firebase Dynamic Links Admin	Full read/write access to Firebase Dynamic Links resources.	firebase.clients.get firebase.projects.get firebasedynamiclinks.* resourcemanager.projects.get resourcemanager.projects.list
`roles/firebasedynamiclinks.viewer`	Firebase Dynamic Links Viewer	Read-only access to Firebase Dynamic Links resources.	firebase.clients.get firebase.projects.get firebasedynamiclinks.destinations.list firebasedynamiclinks.domains.get firebasedynamiclinks.domains.list firebasedynamiclinks.links.get firebasedynamiclinks.links.list firebasedynamiclinks.stats.* resourcemanager.projects.get resourcemanager.projects.list
`roles/firebasehosting.admin`	Firebase Hosting Admin	Full read/write access to Firebase Hosting resources.	firebase.clients.get firebase.projects.get firebasehosting.* resourcemanager.projects.get resourcemanager.projects.list
`roles/firebasehosting.viewer`	Firebase Hosting Viewer	Read-only access to Firebase Hosting resources.	firebase.clients.get firebase.projects.get firebasehosting.sites.get firebasehosting.sites.list resourcemanager.projects.get resourcemanager.projects.list
`roles/firebaseinappmessaging.admin`	Firebase In-App Messaging Admin ^Beta	Full read/write access to Firebase In-App Messaging resources.	firebase.clients.get firebase.projects.get firebaseinappmessaging.* resourcemanager.projects.get resourcemanager.projects.list
`roles/firebaseinappmessaging.viewer`	Firebase In-App Messaging Viewer ^Beta	Read-only access to Firebase In-App Messaging resources.	firebase.clients.get firebase.projects.get firebaseinappmessaging.campaigns.get firebaseinappmessaging.campaigns.list resourcemanager.projects.get resourcemanager.projects.list
`roles/firebaseml.admin`	Firebase ML Kit Admin ^Beta	Full read/write access to Firebase ML Kit resources.	firebase.clients.get firebase.projects.get firebaseml.* resourcemanager.projects.get resourcemanager.projects.list
`roles/firebaseml.viewer`	Firebase ML Kit Viewer ^Beta	Read-only access to Firebase ML Kit resources.	firebase.clients.get firebase.projects.get firebaseml.compressionjobs.get firebaseml.compressionjobs.list firebaseml.models.get firebaseml.models.list firebaseml.modelversions.get firebaseml.modelversions.list resourcemanager.projects.get resourcemanager.projects.list
`roles/firebasenotifications.admin`	Firebase Cloud Messaging Admin	Full read/write access to Firebase Cloud Messaging resources.	firebase.clients.get firebase.projects.get firebasenotifications.* resourcemanager.projects.get resourcemanager.projects.list
`roles/firebasenotifications.viewer`	Firebase Cloud Messaging Viewer	Read-only access to Firebase Cloud Messaging resources.	firebase.clients.get firebase.projects.get firebasenotifications.messages.get firebasenotifications.messages.list resourcemanager.projects.get resourcemanager.projects.list
`roles/firebaseperformance.admin`	Firebase Performance Reporting Admin	Full access to firebaseperformance resources.	firebase.clients.get firebase.projects.get firebaseperformance.* resourcemanager.projects.get resourcemanager.projects.list
`roles/firebaseperformance.viewer`	Firebase Performance Reporting Viewer	Read-only access to firebaseperformance resources.	firebase.clients.get firebase.projects.get firebaseperformance.data.* resourcemanager.projects.get resourcemanager.projects.list
`roles/firebasepredictions.admin`	Firebase Predictions Admin	Full read/write access to Firebase Predictions resources.	firebase.clients.get firebase.projects.get firebasepredictions.* resourcemanager.projects.get resourcemanager.projects.list
`roles/firebasepredictions.viewer`	Firebase Predictions Viewer	Read-only access to Firebase Predictions resources.	firebase.clients.get firebase.projects.get firebasepredictions.predictions.list resourcemanager.projects.get resourcemanager.projects.list
`roles/firebaserules.admin`	Firebase Rules Admin	Full management of Firebase Rules.	firebaserules.* resourcemanager.projects.get resourcemanager.projects.list
`roles/firebaserules.viewer`	Firebase Rules Viewer	Read-only access on all resources with the ability to test Rulesets.	firebaserules.releases.get firebaserules.releases.list firebaserules.rulesets.get firebaserules.rulesets.list resourcemanager.projects.get resourcemanager.projects.list

Cloud Game Services roles

Role	Title	Description	Permissions	Lowest resource
`roles/gameservices.admin`	Game Services API Admin ^Beta	Full access to Game Services API and related resources.	gameservices.* resourcemanager.projects.get resourcemanager.projects.list
`roles/gameservices.viewer`	Game Services API Viewer ^Beta	Read-only access to Game Services API and related resources.	gameservices.gameServerClusters.get gameservices.gameServerClusters.list gameservices.gameServerConfigs.get gameservices.gameServerConfigs.list gameservices.gameServerDeployments.get gameservices.gameServerDeployments.list gameservices.locations.* gameservices.operations.get gameservices.operations.list gameservices.realms.get gameservices.realms.list resourcemanager.projects.get resourcemanager.projects.list

Genomics roles

Role	Title	Description	Permissions
`roles/genomics.admin`	Genomics Admin	Full access to genomics datasets and operations.	genomics.*
`roles/genomics.editor`	Genomics Editor	Access to read and edit genomics datasets and operations.	genomics.datasets.create genomics.datasets.delete genomics.datasets.get genomics.datasets.list genomics.datasets.update genomics.operations.*
`roles/genomics.pipelinesRunner`	Genomics Pipelines Runner	Full access to operate on genomics pipelines.	genomics.operations.*
`roles/genomics.viewer`	Genomics Viewer	Access to view genomics datasets and operations.	genomics.datasets.get genomics.datasets.list genomics.operations.get genomics.operations.list

GKE Hub roles

Role	Title	Description	Permissions
`roles/gkehub.admin`	GKE Hub Admin ^Beta	Full access to GKE Hubs and related resources.	gkehub.locations.* gkehub.memberships.* gkehub.operations.* resourcemanager.projects.get resourcemanager.projects.list
`roles/gkehub.connect`	GKE Hub Connection Agent ^Beta	Ability to set up GKE Connect between external clusters and Google.	gkehub.endpoints.*
`roles/gkehub.viewer`	GKE Hub Viewer ^Beta	Read-only access to GKE Hubs and related resources.	gkehub.locations.* gkehub.memberships.generateConnectManifest gkehub.memberships.get gkehub.memberships.getIamPolicy gkehub.memberships.list gkehub.operations.get gkehub.operations.list resourcemanager.projects.get resourcemanager.projects.list

Cloud Healthcare roles

Role	Title	Description	Permissions
`roles/healthcare.annotationEditor`	Healthcare Annotation Editor ^Beta	Create, delete, update, read and list annotations.	healthcare.datasets.get healthcare.datasets.list healthcare.operations.get resourcemanager.projects.get resourcemanager.projects.list
`roles/healthcare.annotationReader`	Healthcare Annotation Reader ^Beta	Read and list annotations in an Annotation store.	healthcare.datasets.get healthcare.datasets.list healthcare.operations.get resourcemanager.projects.get resourcemanager.projects.list
`roles/healthcare.annotationStoreAdmin`	Healthcare Annotation Administrator ^Beta	Administer Annotation stores.	healthcare.datasets.get healthcare.datasets.list healthcare.operations.get resourcemanager.projects.get resourcemanager.projects.list
`roles/healthcare.annotationStoreViewer`	Healthcare Annotation Store Viewer ^Beta	List Annotation Stores in a dataset.	healthcare.datasets.get healthcare.datasets.list healthcare.operations.get resourcemanager.projects.get resourcemanager.projects.list
`roles/healthcare.datasetAdmin`	Healthcare Dataset Administrator ^Beta	Administer Healthcare Datasets.	healthcare.datasets.* healthcare.operations.* resourcemanager.projects.get resourcemanager.projects.list
`roles/healthcare.datasetViewer`	Healthcare Dataset Viewer ^Beta	List the Healthcare Datasets in a project.	healthcare.datasets.get healthcare.datasets.list healthcare.operations.get resourcemanager.projects.get resourcemanager.projects.list
`roles/healthcare.dicomEditor`	Healthcare DICOM Editor ^Beta	Edit DICOM images individually and in bulk.	healthcare.datasets.get healthcare.datasets.list healthcare.dicomStores.dicomWebDelete healthcare.dicomStores.dicomWebRead healthcare.dicomStores.dicomWebWrite healthcare.dicomStores.export healthcare.dicomStores.get healthcare.dicomStores.import healthcare.dicomStores.list healthcare.operations.cancel healthcare.operations.get resourcemanager.projects.get resourcemanager.projects.list
`roles/healthcare.dicomStoreAdmin`	Healthcare DICOM Store Administrator ^Beta	Administer DICOM stores.	healthcare.datasets.get healthcare.datasets.list healthcare.dicomStores.create healthcare.dicomStores.deidentify healthcare.dicomStores.delete healthcare.dicomStores.dicomWebDelete healthcare.dicomStores.get healthcare.dicomStores.getIamPolicy healthcare.dicomStores.list healthcare.dicomStores.setIamPolicy healthcare.dicomStores.update healthcare.operations.cancel healthcare.operations.get resourcemanager.projects.get resourcemanager.projects.list
`roles/healthcare.dicomStoreViewer`	Healthcare DICOM Store Viewer ^Beta	List DICOM Stores in a dataset.	healthcare.datasets.get healthcare.datasets.list healthcare.dicomStores.get healthcare.dicomStores.list healthcare.operations.get resourcemanager.projects.get resourcemanager.projects.list
`roles/healthcare.dicomViewer`	Healthcare DICOM Viewer ^Beta	Retrieve DICOM images from a DICOM store.	healthcare.datasets.get healthcare.datasets.list healthcare.dicomStores.dicomWebRead healthcare.dicomStores.export healthcare.dicomStores.get healthcare.dicomStores.list healthcare.operations.get resourcemanager.projects.get resourcemanager.projects.list
`roles/healthcare.fhirResourceEditor`	Healthcare FHIR Resource Editor ^Beta	Create, delete, update, read and search FHIR resources.	healthcare.datasets.get healthcare.datasets.list healthcare.fhirResources.create healthcare.fhirResources.delete healthcare.fhirResources.get healthcare.fhirResources.patch healthcare.fhirResources.update healthcare.fhirStores.executeBundle healthcare.fhirStores.get healthcare.fhirStores.list healthcare.fhirStores.searchResources healthcare.operations.cancel healthcare.operations.get resourcemanager.projects.get resourcemanager.projects.list
`roles/healthcare.fhirResourceReader`	Healthcare FHIR Resource Reader ^Beta	Read and search FHIR resources.	healthcare.datasets.get healthcare.datasets.list healthcare.fhirResources.get healthcare.fhirStores.executeBundle healthcare.fhirStores.get healthcare.fhirStores.list healthcare.fhirStores.searchResources healthcare.operations.get resourcemanager.projects.get resourcemanager.projects.list
`roles/healthcare.fhirStoreAdmin`	Healthcare FHIR Store Administrator ^Beta	Administer FHIR resource stores.	healthcare.datasets.get healthcare.datasets.list healthcare.fhirResources.purge healthcare.fhirStores.create healthcare.fhirStores.deidentify healthcare.fhirStores.delete healthcare.fhirStores.export healthcare.fhirStores.get healthcare.fhirStores.getIamPolicy healthcare.fhirStores.import healthcare.fhirStores.list healthcare.fhirStores.setIamPolicy healthcare.fhirStores.update healthcare.operations.cancel healthcare.operations.get resourcemanager.projects.get resourcemanager.projects.list
`roles/healthcare.fhirStoreViewer`	Healthcare FHIR Store Viewer ^Beta	List FHIR Stores in a dataset.	healthcare.datasets.get healthcare.datasets.list healthcare.fhirStores.get healthcare.fhirStores.list healthcare.operations.get resourcemanager.projects.get resourcemanager.projects.list
`roles/healthcare.hl7V2Consumer`	Healthcare HL7v2 Message Consumer ^Beta	List and read HL7v2 messages, update message labels, and publish new messages.	healthcare.datasets.get healthcare.datasets.list healthcare.hl7V2Messages.create healthcare.hl7V2Messages.get healthcare.hl7V2Messages.list healthcare.hl7V2Messages.update healthcare.hl7V2Stores.get healthcare.hl7V2Stores.list healthcare.operations.get resourcemanager.projects.get resourcemanager.projects.list
`roles/healthcare.hl7V2Editor`	Healthcare HL7v2 Message Editor ^Beta	Read, write, and delete access to HL7v2 messages.	healthcare.datasets.get healthcare.datasets.list healthcare.hl7V2Messages.* healthcare.hl7V2Stores.get healthcare.hl7V2Stores.list healthcare.operations.cancel healthcare.operations.get resourcemanager.projects.get resourcemanager.projects.list
`roles/healthcare.hl7V2Ingest`	Healthcare HL7v2 Message Ingest ^Beta	Ingest HL7v2 messages received from a source network.	healthcare.datasets.get healthcare.datasets.list healthcare.hl7V2Messages.ingest healthcare.hl7V2Stores.get healthcare.hl7V2Stores.list healthcare.operations.get resourcemanager.projects.get resourcemanager.projects.list
`roles/healthcare.hl7V2StoreAdmin`	Healthcare HL7v2 Store Administrator ^Beta	Administer HL7v2 Stores.	healthcare.datasets.get healthcare.datasets.list healthcare.hl7V2Stores.* healthcare.operations.cancel healthcare.operations.get resourcemanager.projects.get resourcemanager.projects.list
`roles/healthcare.hl7V2StoreViewer`	Healthcare HL7v2 Store Viewer ^Beta	View HL7v2 Stores in a dataset.	healthcare.datasets.get healthcare.datasets.list healthcare.hl7V2Stores.get healthcare.hl7V2Stores.list healthcare.operations.get resourcemanager.projects.get resourcemanager.projects.list

IAM roles

roles/iam.securityAdmin Security Admin Security admin role, with permissions to get and set any IAM policy.

accessapproval.requests.list
accesscontextmanager.accessLevels.list
accesscontextmanager.accessPolicies.getIamPolicy
accesscontextmanager.accessPolicies.list
accesscontextmanager.accessPolicies.setIamPolicy
accesscontextmanager.accessZones.list
accesscontextmanager.policies.getIamPolicy
accesscontextmanager.policies.list
accesscontextmanager.policies.setIamPolicy
accesscontextmanager.servicePerimeters.list
actions.agentVersions.list
apigee.apiproductattributes.list
apigee.apiproducts.list
apigee.apps.list
apigee.deployments.list
apigee.developerappattributes.list
apigee.developerapps.list
apigee.developerattributes.list
apigee.developers.list
apigee.environments.getIamPolicy
apigee.environments.list
apigee.environments.setIamPolicy
apigee.flowhooks.list
apigee.keystorealiases.list
apigee.keystores.list
apigee.keyvaluemaps.list
apigee.organizations.list
apigee.proxies.list
apigee.proxyrevisions.list
apigee.queries.list
apigee.references.list
apigee.reports.list
apigee.resourcefiles.list
apigee.sharedflowrevisions.list
apigee.sharedflows.list
apigee.targetservers.list
apigee.tracesessions.list
appengine.instances.list
appengine.memcache.list
appengine.operations.list
appengine.services.list
appengine.versions.list
artifactregistry.files.list
artifactregistry.packages.list
artifactregistry.repositories.getIamPolicy
artifactregistry.repositories.list
artifactregistry.repositories.setIamPolicy
artifactregistry.tags.list
artifactregistry.versions.list
automl.annotationSpecs.list
automl.annotations.list
automl.columnSpecs.list
automl.datasets.getIamPolicy
automl.datasets.list
automl.datasets.setIamPolicy
automl.examples.list
automl.humanAnnotationTasks.list
automl.locations.getIamPolicy
automl.locations.list
automl.locations.setIamPolicy
automl.modelEvaluations.list
automl.models.getIamPolicy
automl.models.list
automl.models.setIamPolicy
automl.operations.list
automl.tableSpecs.list
automlrecommendations.apiKeys.list
automlrecommendations.catalogItems.list
automlrecommendations.catalogs.list
automlrecommendations.events.list
automlrecommendations.placements.list
automlrecommendations.recommendations.*
bigquery.capacityCommitments.list
bigquery.connections.getIamPolicy
bigquery.connections.list
bigquery.connections.setIamPolicy
bigquery.datasets.getIamPolicy
bigquery.datasets.setIamPolicy
bigquery.jobs.list
bigquery.models.list
bigquery.reservationAssignments.list
bigquery.reservations.list
bigquery.routines.list
bigquery.savedqueries.list
bigquery.tables.list
bigtable.appProfiles.list
bigtable.clusters.list
bigtable.instances.getIamPolicy
bigtable.instances.list
bigtable.instances.setIamPolicy
bigtable.keyvisualizer.list
bigtable.locations.*
bigtable.tables.getIamPolicy
bigtable.tables.list
bigtable.tables.setIamPolicy
billing.accounts.getIamPolicy
billing.accounts.list
billing.accounts.setIamPolicy
billing.budgets.list
billing.credits.*
billing.resourceAssociations.list
billing.subscriptions.list
binaryauthorization.attestors.getIamPolicy
binaryauthorization.attestors.list
binaryauthorization.attestors.setIamPolicy
binaryauthorization.policy.getIamPolicy
binaryauthorization.policy.setIamPolicy
clientauthconfig.brands.list
clientauthconfig.clients.list
cloudasset.feeds.list
cloudbuild.builds.list
clouddebugger.breakpoints.list
clouddebugger.debuggees.list
cloudfunctions.functions.getIamPolicy
cloudfunctions.functions.list
cloudfunctions.functions.setIamPolicy
cloudfunctions.locations.*
cloudfunctions.operations.list
cloudiot.devices.list
cloudiot.registries.getIamPolicy
cloudiot.registries.list
cloudiot.registries.setIamPolicy
cloudjobdiscovery.companies.list
cloudkms.cryptoKeyVersions.list
cloudkms.cryptoKeys.getIamPolicy
cloudkms.cryptoKeys.list
cloudkms.cryptoKeys.setIamPolicy
cloudkms.importJobs.getIamPolicy
cloudkms.importJobs.list
cloudkms.importJobs.setIamPolicy
cloudkms.keyRings.getIamPolicy
cloudkms.keyRings.list
cloudkms.keyRings.setIamPolicy
cloudnotifications.*
cloudprivatecatalogproducer.associations.list
cloudprivatecatalogproducer.catalogs.getIamPolicy
cloudprivatecatalogproducer.catalogs.list
cloudprivatecatalogproducer.catalogs.setIamPolicy
cloudprofiler.profiles.list
cloudscheduler.jobs.list
cloudscheduler.locations.list
cloudsecurityscanner.crawledurls.*
cloudsecurityscanner.results.list
cloudsecurityscanner.scanruns.list
cloudsecurityscanner.scans.list
cloudsql.backupRuns.list
cloudsql.databases.list
cloudsql.instances.list
cloudsql.sslCerts.list
cloudsql.users.list
cloudsupport.accounts.getIamPolicy
cloudsupport.accounts.list
cloudsupport.accounts.setIamPolicy
cloudsupport.techCases.list
cloudtasks.locations.list
cloudtasks.queues.getIamPolicy
cloudtasks.queues.list
cloudtasks.queues.setIamPolicy
cloudtasks.tasks.list
cloudtoolresults.executions.list
cloudtoolresults.histories.list
cloudtoolresults.steps.list
cloudtrace.insights.list
cloudtrace.tasks.list
cloudtrace.traces.list
cloudtranslate.glossaries.list
cloudtranslate.locations.list
cloudtranslate.operations.list
composer.environments.list
composer.imageversions.*
composer.operations.list
compute.acceleratorTypes.list
compute.addresses.list
compute.autoscalers.list
compute.backendBuckets.list
compute.backendServices.list
compute.commitments.list
compute.diskTypes.list
compute.disks.getIamPolicy
compute.disks.list
compute.disks.setIamPolicy
compute.externalVpnGateways.list
compute.firewalls.list
compute.forwardingRules.list
compute.globalAddresses.list
compute.globalForwardingRules.list
compute.globalOperations.getIamPolicy
compute.globalOperations.list
compute.globalOperations.setIamPolicy
compute.healthChecks.list
compute.httpHealthChecks.list
compute.httpsHealthChecks.list
compute.images.getIamPolicy
compute.images.list
compute.images.setIamPolicy
compute.instanceGroupManagers.list
compute.instanceGroups.list
compute.instanceTemplates.getIamPolicy
compute.instanceTemplates.list
compute.instanceTemplates.setIamPolicy
compute.instances.getIamPolicy
compute.instances.list
compute.instances.setIamPolicy
compute.interconnectAttachments.list
compute.interconnectLocations.list
compute.interconnects.list
compute.licenseCodes.getIamPolicy
compute.licenseCodes.list
compute.licenseCodes.setIamPolicy
compute.licenses.getIamPolicy
compute.licenses.list
compute.licenses.setIamPolicy
compute.machineTypes.list
compute.maintenancePolicies.getIamPolicy
compute.maintenancePolicies.list
compute.maintenancePolicies.setIamPolicy
compute.networkEndpointGroups.getIamPolicy
compute.networkEndpointGroups.list
compute.networkEndpointGroups.setIamPolicy
compute.networks.list
compute.nodeGroups.getIamPolicy
compute.nodeGroups.list
compute.nodeGroups.setIamPolicy
compute.nodeTemplates.getIamPolicy
compute.nodeTemplates.list
compute.nodeTemplates.setIamPolicy
compute.nodeTypes.list
compute.regionBackendServices.list
compute.regionHealthCheckServices.list
compute.regionNotificationEndpoints.list
compute.regionOperations.getIamPolicy
compute.regionOperations.list
compute.regionOperations.setIamPolicy
compute.regions.list
compute.reservations.list
compute.resourcePolicies.list
compute.routers.list
compute.routes.list
compute.securityPolicies.getIamPolicy
compute.securityPolicies.list
compute.securityPolicies.setIamPolicy
compute.snapshots.getIamPolicy
compute.snapshots.list
compute.snapshots.setIamPolicy
compute.sslCertificates.list
compute.sslPolicies.list
compute.subnetworks.getIamPolicy
compute.subnetworks.list
compute.subnetworks.setIamPolicy
compute.targetHttpProxies.list
compute.targetHttpsProxies.list
compute.targetInstances.list
compute.targetPools.list
compute.targetSslProxies.list
compute.targetTcpProxies.list
compute.targetVpnGateways.list
compute.urlMaps.list
compute.vpnGateways.list
compute.vpnTunnels.list
compute.zoneOperations.getIamPolicy
compute.zoneOperations.list
compute.zoneOperations.setIamPolicy
compute.zones.list
container.apiServices.list
container.backendConfigs.list
container.bindings.list
container.certificateSigningRequests.list
container.clusterRoleBindings.list
container.clusterRoles.list
container.clusters.list
container.componentStatuses.list
container.configMaps.list
container.controllerRevisions.list
container.cronJobs.list
container.csiDrivers.list
container.csiNodes.list
container.customResourceDefinitions.list
container.daemonSets.list
container.deployments.list
container.endpoints.list
container.events.list
container.horizontalPodAutoscalers.list
container.ingresses.list
container.initializerConfigurations.list
container.jobs.list
container.limitRanges.list
container.localSubjectAccessReviews.list
container.namespaces.list
container.networkPolicies.list
container.nodes.list
container.operations.list
container.persistentVolumeClaims.list
container.persistentVolumes.list
container.petSets.list
container.podDisruptionBudgets.list
container.podPresets.list
container.podSecurityPolicies.list
container.podTemplates.list
container.pods.list
container.replicaSets.list
container.replicationControllers.list
container.resourceQuotas.list
container.roleBindings.list
container.roles.list
container.runtimeClasses.list
container.scheduledJobs.list
container.secrets.list
container.selfSubjectAccessReviews.list
container.serviceAccounts.list
container.services.list
container.statefulSets.list
container.storageClasses.list
container.subjectAccessReviews.list
container.thirdPartyObjects.list
container.thirdPartyResources.list
datacatalog.categories.getIamPolicy
datacatalog.categories.setIamPolicy
datacatalog.entries.getIamPolicy
datacatalog.entries.list
datacatalog.entries.setIamPolicy
datacatalog.entryGroups.getIamPolicy
datacatalog.entryGroups.list
datacatalog.entryGroups.setIamPolicy
datacatalog.tagTemplates.getIamPolicy
datacatalog.tagTemplates.setIamPolicy
datacatalog.taxonomies.getIamPolicy
datacatalog.taxonomies.list
datacatalog.taxonomies.setIamPolicy
dataflow.jobs.list
dataflow.messages.*
dataflow.snapshots.list
datafusion.instances.getIamPolicy
datafusion.instances.list
datafusion.instances.setIamPolicy
datafusion.locations.list
datafusion.operations.list
datalabeling.annotateddatasets.list
datalabeling.annotationspecsets.list
datalabeling.dataitems.list
datalabeling.datasets.list
datalabeling.examples.list
datalabeling.instructions.list
datalabeling.operations.list
dataproc.agents.list
dataproc.autoscalingPolicies.getIamPolicy
dataproc.autoscalingPolicies.list
dataproc.autoscalingPolicies.setIamPolicy
dataproc.clusters.getIamPolicy
dataproc.clusters.list
dataproc.clusters.setIamPolicy
dataproc.jobs.getIamPolicy
dataproc.jobs.list
dataproc.jobs.setIamPolicy
dataproc.operations.getIamPolicy
dataproc.operations.list
dataproc.operations.setIamPolicy
dataproc.workflowTemplates.getIamPolicy
dataproc.workflowTemplates.list
dataproc.workflowTemplates.setIamPolicy
dataprocessing.featurecontrols.list
dataprocessing.groupcontrols.list
datastore.databases.getIamPolicy
datastore.databases.list
datastore.databases.setIamPolicy
datastore.entities.list
datastore.indexes.list
datastore.locations.list
datastore.namespaces.getIamPolicy
datastore.namespaces.list
datastore.namespaces.setIamPolicy
datastore.operations.list
datastore.statistics.list
deploymentmanager.compositeTypes.list
deploymentmanager.deployments.getIamPolicy
deploymentmanager.deployments.list
deploymentmanager.deployments.setIamPolicy
deploymentmanager.manifests.list
deploymentmanager.operations.list
deploymentmanager.resources.list
deploymentmanager.typeProviders.list
deploymentmanager.types.list
dialogflow.contexts.list
dialogflow.documents.list
dialogflow.entityTypes.list
dialogflow.intents.list
dialogflow.knowledgeBases.list
dialogflow.sessionEntityTypes.list
dlp.analyzeRiskTemplates.list
dlp.deidentifyTemplates.list
dlp.inspectTemplates.list
dlp.jobTriggers.list
dlp.jobs.list
dlp.storedInfoTypes.list
dns.changes.list
dns.dnsKeys.list
dns.managedZoneOperations.list
dns.managedZones.list
dns.policies.getIamPolicy
dns.policies.list
dns.policies.setIamPolicy
dns.resourceRecordSets.list
errorreporting.applications.*
errorreporting.errorEvents.list
errorreporting.groups.*
file.instances.list
file.locations.list
file.operations.list
file.snapshots.list
firebase.links.list
firebaseabt.experiments.list
firebaseappdistro.groups.list
firebaseappdistro.releases.list
firebaseappdistro.testers.list
firebasecrashlytics.issues.list
firebasedatabase.instances.list
firebasedynamiclinks.destinations.list
firebasedynamiclinks.domains.list
firebasedynamiclinks.links.list
firebaseextensions.configs.list
firebasehosting.sites.list
firebaseinappmessaging.campaigns.list
firebaseml.compressionjobs.list
firebaseml.models.list
firebaseml.modelversions.list
firebasenotifications.messages.list
firebasepredictions.predictions.list
firebaserules.releases.list
firebaserules.rulesets.list
gameservices.gameServerClusters.list
gameservices.gameServerConfigs.list
gameservices.gameServerDeployments.list
gameservices.locations.list
gameservices.operations.list
gameservices.realms.list
genomics.datasets.getIamPolicy
genomics.datasets.list
genomics.datasets.setIamPolicy
genomics.operations.list
gkehub.locations.list
gkehub.memberships.getIamPolicy
gkehub.memberships.list
gkehub.memberships.setIamPolicy
gkehub.operations.list
healthcare.datasets.getIamPolicy
healthcare.datasets.list
healthcare.datasets.setIamPolicy
healthcare.dicomStores.getIamPolicy
healthcare.dicomStores.list
healthcare.dicomStores.setIamPolicy
healthcare.fhirStores.getIamPolicy
healthcare.fhirStores.list
healthcare.fhirStores.setIamPolicy
healthcare.hl7V2Messages.list
healthcare.hl7V2Stores.getIamPolicy
healthcare.hl7V2Stores.list
healthcare.hl7V2Stores.setIamPolicy
healthcare.operations.list
iam.roles.get
iam.roles.list
iam.serviceAccountKeys.list
iam.serviceAccounts.get
iam.serviceAccounts.getIamPolicy
iam.serviceAccounts.list
iam.serviceAccounts.setIamPolicy
iap.tunnel.*
iap.tunnelInstances.getIamPolicy
iap.tunnelInstances.setIamPolicy
iap.tunnelZones.*
iap.web.getIamPolicy
iap.web.setIamPolicy
iap.webServiceVersions.getIamPolicy
iap.webServiceVersions.setIamPolicy
iap.webServices.getIamPolicy
iap.webServices.setIamPolicy
iap.webTypes.getIamPolicy
iap.webTypes.setIamPolicy
identityplatform.workloadPoolProviders.list
identityplatform.workloadPools.list
lifesciences.operations.list
logging.buckets.list
logging.exclusions.list
logging.logEntries.list
logging.logMetrics.list
logging.logServiceIndexes.*
logging.logServices.*
logging.logs.list
logging.privateLogEntries.*
logging.sinks.list
managedidentities.domains.getIamPolicy
managedidentities.domains.list
managedidentities.domains.setIamPolicy
managedidentities.locations.list
managedidentities.operations.list
memcache.instances.list
memcache.locations.list
memcache.operations.list
ml.jobs.getIamPolicy
ml.jobs.list
ml.jobs.setIamPolicy
ml.locations.list
ml.models.getIamPolicy
ml.models.list
ml.models.setIamPolicy
ml.operations.list
ml.studies.getIamPolicy
ml.studies.list
ml.studies.setIamPolicy
ml.trials.list
ml.versions.list
monitoring.alertPolicies.list
monitoring.dashboards.list
monitoring.groups.list
monitoring.metricDescriptors.list
monitoring.monitoredResourceDescriptors.list
monitoring.notificationChannelDescriptors.list
monitoring.notificationChannels.list
monitoring.publicWidgets.list
monitoring.timeSeries.list
monitoring.uptimeCheckConfigs.list
netappcloudvolumes.activeDirectories.list
netappcloudvolumes.ipRanges.*
netappcloudvolumes.jobs.list
netappcloudvolumes.regions.*
netappcloudvolumes.serviceLevels.*
netappcloudvolumes.snapshots.list
netappcloudvolumes.volumes.list
networkmanagement.connectivitytests.getIamPolicy
networkmanagement.connectivitytests.list
networkmanagement.connectivitytests.setIamPolicy
networkmanagement.locations.list
networkmanagement.operations.list
notebooks.environments.getIamPolicy
notebooks.environments.list
notebooks.environments.setIamPolicy
notebooks.instances.getIamPolicy
notebooks.instances.list
notebooks.instances.setIamPolicy
notebooks.locations.list
notebooks.operations.list
osconfig.guestPolicies.list
osconfig.patchDeployments.list
osconfig.patchJobs.list
proximitybeacon.attachments.list
proximitybeacon.beacons.getIamPolicy
proximitybeacon.beacons.list
proximitybeacon.beacons.setIamPolicy
proximitybeacon.namespaces.getIamPolicy
proximitybeacon.namespaces.list
proximitybeacon.namespaces.setIamPolicy
pubsub.snapshots.getIamPolicy
pubsub.snapshots.list
pubsub.snapshots.setIamPolicy
pubsub.subscriptions.getIamPolicy
pubsub.subscriptions.list
pubsub.subscriptions.setIamPolicy
pubsub.topics.getIamPolicy
pubsub.topics.list
pubsub.topics.setIamPolicy
recaptchaenterprise.keys.list
recommender.computeFirewallInsights.list
recommender.computeInstanceGroupManagerMachineTypeRecommendations.list
recommender.computeInstanceIdleResourceRecommendations.list
recommender.computeInstanceMachineTypeRecommendations.list
recommender.iamPolicyInsights.list
recommender.iamPolicyRecommendations.list
recommender.locations.list
redis.instances.list
redis.locations.list
redis.operations.list
redisenterprisecloud.databases.list
redisenterprisecloud.subscriptions.list
remotebuildexecution.instances.list
remotebuildexecution.workerpools.list
resourcemanager.folders.getIamPolicy
resourcemanager.folders.list
resourcemanager.folders.setIamPolicy
resourcemanager.organizations.getIamPolicy
resourcemanager.organizations.setIamPolicy
resourcemanager.projects.getIamPolicy
resourcemanager.projects.list
resourcemanager.projects.setIamPolicy
run.configurations.list
run.locations.*
run.revisions.list
run.routes.list
run.services.getIamPolicy
run.services.list
run.services.setIamPolicy
runtimeconfig.configs.getIamPolicy
runtimeconfig.configs.list
runtimeconfig.configs.setIamPolicy
runtimeconfig.operations.list
runtimeconfig.variables.getIamPolicy
runtimeconfig.variables.list
runtimeconfig.variables.setIamPolicy
runtimeconfig.waiters.getIamPolicy
runtimeconfig.waiters.list
runtimeconfig.waiters.setIamPolicy
secretmanager.locations.list
secretmanager.secrets.getIamPolicy
secretmanager.secrets.list
secretmanager.secrets.setIamPolicy
secretmanager.versions.list
securitycenter.assets.list
securitycenter.findings.list
securitycenter.notificationconfig.list
securitycenter.sources.getIamPolicy
securitycenter.sources.list
securitycenter.sources.setIamPolicy
servicebroker.bindingoperations.list
servicebroker.bindings.getIamPolicy
servicebroker.bindings.list
servicebroker.bindings.setIamPolicy
servicebroker.catalogs.getIamPolicy
servicebroker.catalogs.list
servicebroker.catalogs.setIamPolicy
servicebroker.instanceoperations.list
servicebroker.instances.getIamPolicy
servicebroker.instances.list
servicebroker.instances.setIamPolicy
serviceconsumermanagement.tenancyu.list
servicedirectory.endpoints.getIamPolicy
servicedirectory.endpoints.list
servicedirectory.endpoints.setIamPolicy
servicedirectory.locations.list
servicedirectory.namespaces.getIamPolicy
servicedirectory.namespaces.list
servicedirectory.namespaces.setIamPolicy
servicedirectory.services.getIamPolicy
servicedirectory.services.list
servicedirectory.services.setIamPolicy
servicemanagement.consumerSettings.getIamPolicy
servicemanagement.consumerSettings.list
servicemanagement.consumerSettings.setIamPolicy
servicemanagement.services.getIamPolicy
servicemanagement.services.list
servicemanagement.services.setIamPolicy
servicenetworking.operations.list
serviceusage.apiKeys.list
serviceusage.operations.list
serviceusage.services.list
source.repos.getIamPolicy
source.repos.list
source.repos.setIamPolicy
spanner.backupOperations.list
spanner.backups.getIamPolicy
spanner.backups.list
spanner.backups.setIamPolicy
spanner.databaseOperations.list
spanner.databases.getIamPolicy
spanner.databases.list
spanner.databases.setIamPolicy
spanner.instanceConfigs.list
spanner.instanceOperations.list
spanner.instances.getIamPolicy
spanner.instances.list
spanner.instances.setIamPolicy
spanner.sessions.list
storage.buckets.getIamPolicy
storage.buckets.list
storage.buckets.setIamPolicy
storage.hmacKeys.list
storage.objects.getIamPolicy
storage.objects.list
storage.objects.setIamPolicy
storagetransfer.jobs.list
storagetransfer.operations.list
tpu.acceleratortypes.list
tpu.locations.list
tpu.nodes.list
tpu.operations.list
tpu.tensorflowversions.list
vmmigration.deployments.list
vpcaccess.connectors.list
vpcaccess.locations.*
vpcaccess.operations.list

roles/iam.securityReviewer Security Reviewer Provides permissions to list all resources and Cloud IAM policies on them.

accessapproval.requests.list
accesscontextmanager.accessLevels.list
accesscontextmanager.accessPolicies.getIamPolicy
accesscontextmanager.accessPolicies.list
accesscontextmanager.accessZones.list
accesscontextmanager.policies.getIamPolicy
accesscontextmanager.policies.list
accesscontextmanager.servicePerimeters.list
actions.agentVersions.list
apigee.apiproductattributes.list
apigee.apiproducts.list
apigee.apps.list
apigee.deployments.list
apigee.developerappattributes.list
apigee.developerapps.list
apigee.developerattributes.list
apigee.developers.list
apigee.environments.getIamPolicy
apigee.environments.list
apigee.flowhooks.list
apigee.keystorealiases.list
apigee.keystores.list
apigee.keyvaluemaps.list
apigee.organizations.list
apigee.proxies.list
apigee.proxyrevisions.list
apigee.queries.list
apigee.references.list
apigee.reports.list
apigee.resourcefiles.list
apigee.sharedflowrevisions.list
apigee.sharedflows.list
apigee.targetservers.list
apigee.tracesessions.list
appengine.instances.list
appengine.memcache.list
appengine.operations.list
appengine.services.list
appengine.versions.list
artifactregistry.files.list
artifactregistry.packages.list
artifactregistry.repositories.getIamPolicy
artifactregistry.repositories.list
artifactregistry.tags.list
artifactregistry.versions.list
automl.annotationSpecs.list
automl.annotations.list
automl.columnSpecs.list
automl.datasets.getIamPolicy
automl.datasets.list
automl.examples.list
automl.humanAnnotationTasks.list
automl.locations.getIamPolicy
automl.locations.list
automl.modelEvaluations.list
automl.models.getIamPolicy
automl.models.list
automl.operations.list
automl.tableSpecs.list
automlrecommendations.apiKeys.list
automlrecommendations.catalogItems.list
automlrecommendations.catalogs.list
automlrecommendations.events.list
automlrecommendations.placements.list
automlrecommendations.recommendations.*
bigquery.capacityCommitments.list
bigquery.connections.getIamPolicy
bigquery.connections.list
bigquery.datasets.getIamPolicy
bigquery.jobs.list
bigquery.models.list
bigquery.reservationAssignments.list
bigquery.reservations.list
bigquery.routines.list
bigquery.savedqueries.list
bigquery.tables.list
bigtable.appProfiles.list
bigtable.clusters.list
bigtable.instances.getIamPolicy
bigtable.instances.list
bigtable.keyvisualizer.list
bigtable.locations.*
bigtable.tables.getIamPolicy
bigtable.tables.list
billing.accounts.getIamPolicy
billing.accounts.list
billing.budgets.list
billing.credits.*
billing.resourceAssociations.list
billing.subscriptions.list
binaryauthorization.attestors.getIamPolicy
binaryauthorization.attestors.list
binaryauthorization.policy.getIamPolicy
clientauthconfig.brands.list
clientauthconfig.clients.list
cloudasset.feeds.list
cloudbuild.builds.list
clouddebugger.breakpoints.list
clouddebugger.debuggees.list
cloudfunctions.functions.getIamPolicy
cloudfunctions.functions.list
cloudfunctions.locations.*
cloudfunctions.operations.list
cloudiot.devices.list
cloudiot.registries.getIamPolicy
cloudiot.registries.list
cloudjobdiscovery.companies.list
cloudkms.cryptoKeyVersions.list
cloudkms.cryptoKeys.getIamPolicy
cloudkms.cryptoKeys.list
cloudkms.importJobs.getIamPolicy
cloudkms.importJobs.list
cloudkms.keyRings.getIamPolicy
cloudkms.keyRings.list
cloudnotifications.*
cloudprivatecatalogproducer.associations.list
cloudprivatecatalogproducer.catalogs.getIamPolicy
cloudprivatecatalogproducer.catalogs.list
cloudprofiler.profiles.list
cloudscheduler.jobs.list
cloudscheduler.locations.list
cloudsecurityscanner.crawledurls.*
cloudsecurityscanner.results.list
cloudsecurityscanner.scanruns.list
cloudsecurityscanner.scans.list
cloudsql.backupRuns.list
cloudsql.databases.list
cloudsql.instances.list
cloudsql.sslCerts.list
cloudsql.users.list
cloudsupport.accounts.getIamPolicy
cloudsupport.accounts.list
cloudsupport.techCases.list
cloudtasks.locations.list
cloudtasks.queues.getIamPolicy
cloudtasks.queues.list
cloudtasks.tasks.list
cloudtoolresults.executions.list
cloudtoolresults.histories.list
cloudtoolresults.steps.list
cloudtrace.insights.list
cloudtrace.tasks.list
cloudtrace.traces.list
cloudtranslate.glossaries.list
cloudtranslate.locations.list
cloudtranslate.operations.list
composer.environments.list
composer.imageversions.*
composer.operations.list
compute.acceleratorTypes.list
compute.addresses.list
compute.autoscalers.list
compute.backendBuckets.list
compute.backendServices.list
compute.commitments.list
compute.diskTypes.list
compute.disks.getIamPolicy
compute.disks.list
compute.externalVpnGateways.list
compute.firewalls.list
compute.forwardingRules.list
compute.globalAddresses.list
compute.globalForwardingRules.list
compute.globalOperations.getIamPolicy
compute.globalOperations.list
compute.healthChecks.list
compute.httpHealthChecks.list
compute.httpsHealthChecks.list
compute.images.getIamPolicy
compute.images.list
compute.instanceGroupManagers.list
compute.instanceGroups.list
compute.instanceTemplates.getIamPolicy
compute.instanceTemplates.list
compute.instances.getIamPolicy
compute.instances.list
compute.interconnectAttachments.list
compute.interconnectLocations.list
compute.interconnects.list
compute.licenseCodes.getIamPolicy
compute.licenseCodes.list
compute.licenses.getIamPolicy
compute.licenses.list
compute.machineTypes.list
compute.maintenancePolicies.getIamPolicy
compute.maintenancePolicies.list
compute.networkEndpointGroups.getIamPolicy
compute.networkEndpointGroups.list
compute.networks.list
compute.nodeGroups.getIamPolicy
compute.nodeGroups.list
compute.nodeTemplates.getIamPolicy
compute.nodeTemplates.list
compute.nodeTypes.list
compute.regionBackendServices.list
compute.regionHealthCheckServices.list
compute.regionNotificationEndpoints.list
compute.regionOperations.getIamPolicy
compute.regionOperations.list
compute.regions.list
compute.reservations.list
compute.resourcePolicies.list
compute.routers.list
compute.routes.list
compute.securityPolicies.getIamPolicy
compute.securityPolicies.list
compute.snapshots.getIamPolicy
compute.snapshots.list
compute.sslCertificates.list
compute.sslPolicies.list
compute.subnetworks.getIamPolicy
compute.subnetworks.list
compute.targetHttpProxies.list
compute.targetHttpsProxies.list
compute.targetInstances.list
compute.targetPools.list
compute.targetSslProxies.list
compute.targetTcpProxies.list
compute.targetVpnGateways.list
compute.urlMaps.list
compute.vpnGateways.list
compute.vpnTunnels.list
compute.zoneOperations.getIamPolicy
compute.zoneOperations.list
compute.zones.list
container.apiServices.list
container.backendConfigs.list
container.bindings.list
container.certificateSigningRequests.list
container.clusterRoleBindings.list
container.clusterRoles.list
container.clusters.list
container.componentStatuses.list
container.configMaps.list
container.controllerRevisions.list
container.cronJobs.list
container.csiDrivers.list
container.csiNodes.list
container.customResourceDefinitions.list
container.daemonSets.list
container.deployments.list
container.endpoints.list
container.events.list
container.horizontalPodAutoscalers.list
container.ingresses.list
container.initializerConfigurations.list
container.jobs.list
container.limitRanges.list
container.localSubjectAccessReviews.list
container.namespaces.list
container.networkPolicies.list
container.nodes.list
container.operations.list
container.persistentVolumeClaims.list
container.persistentVolumes.list
container.petSets.list
container.podDisruptionBudgets.list
container.podPresets.list
container.podSecurityPolicies.list
container.podTemplates.list
container.pods.list
container.replicaSets.list
container.replicationControllers.list
container.resourceQuotas.list
container.roleBindings.list
container.roles.list
container.runtimeClasses.list
container.scheduledJobs.list
container.secrets.list
container.selfSubjectAccessReviews.list
container.serviceAccounts.list
container.services.list
container.statefulSets.list
container.storageClasses.list
container.subjectAccessReviews.list
container.thirdPartyObjects.list
container.thirdPartyResources.list
datacatalog.categories.getIamPolicy
datacatalog.entries.getIamPolicy
datacatalog.entries.list
datacatalog.entryGroups.getIamPolicy
datacatalog.entryGroups.list
datacatalog.tagTemplates.getIamPolicy
datacatalog.taxonomies.getIamPolicy
datacatalog.taxonomies.list
dataflow.jobs.list
dataflow.messages.*
dataflow.snapshots.list
datafusion.instances.getIamPolicy
datafusion.instances.list
datafusion.locations.list
datafusion.operations.list
datalabeling.annotateddatasets.list
datalabeling.annotationspecsets.list
datalabeling.dataitems.list
datalabeling.datasets.list
datalabeling.examples.list
datalabeling.instructions.list
datalabeling.operations.list
dataproc.agents.list
dataproc.autoscalingPolicies.getIamPolicy
dataproc.autoscalingPolicies.list
dataproc.clusters.getIamPolicy
dataproc.clusters.list
dataproc.jobs.getIamPolicy
dataproc.jobs.list
dataproc.operations.getIamPolicy
dataproc.operations.list
dataproc.workflowTemplates.getIamPolicy
dataproc.workflowTemplates.list
dataprocessing.featurecontrols.list
dataprocessing.groupcontrols.list
datastore.databases.getIamPolicy
datastore.databases.list
datastore.entities.list
datastore.indexes.list
datastore.locations.list
datastore.namespaces.getIamPolicy
datastore.namespaces.list
datastore.operations.list
datastore.statistics.list
deploymentmanager.compositeTypes.list
deploymentmanager.deployments.getIamPolicy
deploymentmanager.deployments.list
deploymentmanager.manifests.list
deploymentmanager.operations.list
deploymentmanager.resources.list
deploymentmanager.typeProviders.list
deploymentmanager.types.list
dialogflow.contexts.list
dialogflow.documents.list
dialogflow.entityTypes.list
dialogflow.intents.list
dialogflow.knowledgeBases.list
dialogflow.sessionEntityTypes.list
dlp.analyzeRiskTemplates.list
dlp.deidentifyTemplates.list
dlp.inspectTemplates.list
dlp.jobTriggers.list
dlp.jobs.list
dlp.storedInfoTypes.list
dns.changes.list
dns.dnsKeys.list
dns.managedZoneOperations.list
dns.managedZones.list
dns.policies.getIamPolicy
dns.policies.list
dns.resourceRecordSets.list
errorreporting.applications.*
errorreporting.errorEvents.list
errorreporting.groups.*
file.instances.list
file.locations.list
file.operations.list
file.snapshots.list
firebase.links.list
firebaseabt.experiments.list
firebaseappdistro.groups.list
firebaseappdistro.releases.list
firebaseappdistro.testers.list
firebasecrashlytics.issues.list
firebasedatabase.instances.list
firebasedynamiclinks.destinations.list
firebasedynamiclinks.domains.list
firebasedynamiclinks.links.list
firebaseextensions.configs.list
firebasehosting.sites.list
firebaseinappmessaging.campaigns.list
firebaseml.compressionjobs.list
firebaseml.models.list
firebaseml.modelversions.list
firebasenotifications.messages.list
firebasepredictions.predictions.list
firebaserules.releases.list
firebaserules.rulesets.list
gameservices.gameServerClusters.list
gameservices.gameServerConfigs.list
gameservices.gameServerDeployments.list
gameservices.locations.list
gameservices.operations.list
gameservices.realms.list
genomics.datasets.getIamPolicy
genomics.datasets.list
genomics.operations.list
gkehub.locations.list
gkehub.memberships.getIamPolicy
gkehub.memberships.list
gkehub.operations.list
healthcare.datasets.getIamPolicy
healthcare.datasets.list
healthcare.dicomStores.getIamPolicy
healthcare.dicomStores.list
healthcare.fhirStores.getIamPolicy
healthcare.fhirStores.list
healthcare.hl7V2Messages.list
healthcare.hl7V2Stores.getIamPolicy
healthcare.hl7V2Stores.list
healthcare.operations.list
iam.roles.get
iam.roles.list
iam.serviceAccountKeys.list
iam.serviceAccounts.get
iam.serviceAccounts.getIamPolicy
iam.serviceAccounts.list
iap.tunnel.getIamPolicy
iap.tunnelInstances.getIamPolicy
iap.tunnelZones.getIamPolicy
iap.web.getIamPolicy
iap.webServiceVersions.getIamPolicy
iap.webServices.getIamPolicy
iap.webTypes.getIamPolicy
identityplatform.workloadPoolProviders.list
identityplatform.workloadPools.list
lifesciences.operations.list
logging.buckets.list
logging.exclusions.list
logging.logEntries.list
logging.logMetrics.list
logging.logServiceIndexes.*
logging.logServices.*
logging.logs.list
logging.privateLogEntries.*
logging.sinks.list
managedidentities.domains.getIamPolicy
managedidentities.domains.list
managedidentities.locations.list
managedidentities.operations.list
memcache.instances.list
memcache.locations.list
memcache.operations.list
ml.jobs.getIamPolicy
ml.jobs.list
ml.locations.list
ml.models.getIamPolicy
ml.models.list
ml.operations.list
ml.studies.getIamPolicy
ml.studies.list
ml.trials.list
ml.versions.list
monitoring.alertPolicies.list
monitoring.dashboards.list
monitoring.groups.list
monitoring.metricDescriptors.list
monitoring.monitoredResourceDescriptors.list
monitoring.notificationChannelDescriptors.list
monitoring.notificationChannels.list
monitoring.publicWidgets.list
monitoring.timeSeries.list
monitoring.uptimeCheckConfigs.list
netappcloudvolumes.activeDirectories.list
netappcloudvolumes.ipRanges.*
netappcloudvolumes.jobs.list
netappcloudvolumes.regions.*
netappcloudvolumes.serviceLevels.*
netappcloudvolumes.snapshots.list
netappcloudvolumes.volumes.list
networkmanagement.connectivitytests.getIamPolicy
networkmanagement.connectivitytests.list
networkmanagement.locations.list
networkmanagement.operations.list
notebooks.environments.getIamPolicy
notebooks.environments.list
notebooks.instances.getIamPolicy
notebooks.instances.list
notebooks.locations.list
notebooks.operations.list
osconfig.guestPolicies.list
osconfig.patchDeployments.list
osconfig.patchJobs.list
proximitybeacon.attachments.list
proximitybeacon.beacons.getIamPolicy
proximitybeacon.beacons.list
proximitybeacon.namespaces.getIamPolicy
proximitybeacon.namespaces.list
pubsub.snapshots.getIamPolicy
pubsub.snapshots.list
pubsub.subscriptions.getIamPolicy
pubsub.subscriptions.list
pubsub.topics.getIamPolicy
pubsub.topics.list
recaptchaenterprise.keys.list
recommender.computeFirewallInsights.list
recommender.computeInstanceGroupManagerMachineTypeRecommendations.list
recommender.computeInstanceIdleResourceRecommendations.list
recommender.computeInstanceMachineTypeRecommendations.list
recommender.iamPolicyInsights.list
recommender.iamPolicyRecommendations.list
recommender.locations.list
redis.instances.list
redis.locations.list
redis.operations.list
redisenterprisecloud.databases.list
redisenterprisecloud.subscriptions.list
remotebuildexecution.instances.list
remotebuildexecution.workerpools.list
resourcemanager.folders.getIamPolicy
resourcemanager.folders.list
resourcemanager.organizations.getIamPolicy
resourcemanager.projects.getIamPolicy
resourcemanager.projects.list
run.configurations.list
run.locations.*
run.revisions.list
run.routes.list
run.services.getIamPolicy
run.services.list
runtimeconfig.configs.getIamPolicy
runtimeconfig.configs.list
runtimeconfig.operations.list
runtimeconfig.variables.getIamPolicy
runtimeconfig.variables.list
runtimeconfig.waiters.getIamPolicy
runtimeconfig.waiters.list
secretmanager.locations.list
secretmanager.secrets.getIamPolicy
secretmanager.secrets.list
secretmanager.versions.list
securitycenter.assets.list
securitycenter.findings.list
securitycenter.notificationconfig.list
securitycenter.sources.getIamPolicy
securitycenter.sources.list
servicebroker.bindingoperations.list
servicebroker.bindings.getIamPolicy
servicebroker.bindings.list
servicebroker.catalogs.getIamPolicy
servicebroker.catalogs.list
servicebroker.instanceoperations.list
servicebroker.instances.getIamPolicy
servicebroker.instances.list
serviceconsumermanagement.tenancyu.list
servicedirectory.endpoints.getIamPolicy
servicedirectory.endpoints.list
servicedirectory.locations.list
servicedirectory.namespaces.getIamPolicy
servicedirectory.namespaces.list
servicedirectory.services.getIamPolicy
servicedirectory.services.list
servicemanagement.consumerSettings.getIamPolicy
servicemanagement.consumerSettings.list
servicemanagement.services.getIamPolicy
servicemanagement.services.list
servicenetworking.operations.list
serviceusage.apiKeys.list
serviceusage.operations.list
serviceusage.services.list
source.repos.getIamPolicy
source.repos.list
spanner.backupOperations.list
spanner.backups.getIamPolicy
spanner.backups.list
spanner.databaseOperations.list
spanner.databases.getIamPolicy
spanner.databases.list
spanner.instanceConfigs.list
spanner.instanceOperations.list
spanner.instances.getIamPolicy
spanner.instances.list
spanner.sessions.list
storage.buckets.getIamPolicy
storage.buckets.list
storage.hmacKeys.list
storage.objects.getIamPolicy
storage.objects.list
storagetransfer.jobs.list
storagetransfer.operations.list
tpu.acceleratortypes.list
tpu.locations.list
tpu.nodes.list
tpu.operations.list
tpu.tensorflowversions.list
vmmigration.deployments.list
vpcaccess.connectors.list
vpcaccess.locations.*
vpcaccess.operations.list

Disk, image, instance, instanceTemplate, nodeGroup, nodeTemplate, snapshot ^Beta

Roles roles

Role	Title	Description	Permissions	Lowest resource
`roles/iam.organizationRoleAdmin`	Organization Role Administrator	Provides access to administer all custom roles in the organization and the projects below it.	iam.roles.* resourcemanager.organizations.get resourcemanager.organizations.getIamPolicy resourcemanager.projects.get resourcemanager.projects.getIamPolicy resourcemanager.projects.list	Organization
`roles/iam.organizationRoleViewer`	Organization Role Viewer	Provides read access to all custom roles in the organization and the projects below it.	iam.roles.get iam.roles.list resourcemanager.organizations.get resourcemanager.organizations.getIamPolicy resourcemanager.projects.get resourcemanager.projects.getIamPolicy resourcemanager.projects.list	Project
`roles/iam.roleAdmin`	Role Administrator	Provides access to all custom roles in the project.	iam.roles.* resourcemanager.projects.get resourcemanager.projects.getIamPolicy	Project
`roles/iam.roleViewer`	Role Viewer	Provides read access to all custom roles in the project.	iam.roles.get iam.roles.list resourcemanager.projects.get resourcemanager.projects.getIamPolicy	Project

Service Accounts roles

Role	Title	Description	Permissions	Lowest resource
`roles/iam.serviceAccountAdmin`	Service Account Admin	Create and manage service accounts.	iam.serviceAccounts.create iam.serviceAccounts.delete iam.serviceAccounts.get iam.serviceAccounts.getIamPolicy iam.serviceAccounts.list iam.serviceAccounts.setIamPolicy iam.serviceAccounts.update resourcemanager.projects.get resourcemanager.projects.list	Service Account
`roles/iam.serviceAccountCreator`	Create Service Accounts	Access to create service accounts.	iam.serviceAccounts.create iam.serviceAccounts.get iam.serviceAccounts.list resourcemanager.projects.get resourcemanager.projects.list
`roles/iam.serviceAccountDeleter`	Delete Service Accounts	Access to delete service accounts.	iam.serviceAccounts.delete iam.serviceAccounts.get iam.serviceAccounts.list resourcemanager.projects.get resourcemanager.projects.list
`roles/iam.serviceAccountKeyAdmin`	Service Account Key Admin	Create and manage (and rotate) service account keys.	iam.serviceAccountKeys.* iam.serviceAccounts.get iam.serviceAccounts.list resourcemanager.projects.get resourcemanager.projects.list	Service Account
`roles/iam.serviceAccountTokenCreator`	Service Account Token Creator	Impersonate service accounts (create OAuth2 access tokens, sign blobs or JWTs, etc).	iam.serviceAccounts.get iam.serviceAccounts.getAccessToken iam.serviceAccounts.getOpenIdToken iam.serviceAccounts.implicitDelegation iam.serviceAccounts.list iam.serviceAccounts.signBlob iam.serviceAccounts.signJwt resourcemanager.projects.get resourcemanager.projects.list	Service Account
`roles/iam.serviceAccountUser`	Service Account User	Run operations as the service account.	iam.serviceAccounts.actAs iam.serviceAccounts.get iam.serviceAccounts.list resourcemanager.projects.get resourcemanager.projects.list	Service Account
`roles/iam.workloadIdentityUser`	Workload Identity User	Impersonate service accounts from GKE Workloads	iam.serviceAccounts.get iam.serviceAccounts.getAccessToken iam.serviceAccounts.getOpenIdToken iam.serviceAccounts.list

Cloud Life Sciences roles

Role	Title	Description	Permissions
`roles/lifesciences.admin`	Cloud Life Sciences Admin ^Beta	Full control of Cloud Life Sciences resources.	lifesciences.*
`roles/lifesciences.editor`	Cloud Life Sciences Editor ^Beta	Access to read and edit Cloud Life Sciences resources.	lifesciences.*
`roles/lifesciences.viewer`	Cloud Life Sciences Viewer ^Beta	Access to read Cloud Life Sciences resources.	lifesciences.operations.get lifesciences.operations.list
`roles/lifesciences.workflowsRunner`	Cloud Life Sciences Workflows Runner ^Beta	Full access to operate on Cloud Life Sciences workflows.	lifesciences.*

Logging roles

Role	Title	Description	Permissions	Lowest resource
`roles/logging.admin`	Logging Admin	Provides all permissions necessary to use all features of Stackdriver Logging.	logging.* resourcemanager.projects.get resourcemanager.projects.list	Project
`roles/logging.configWriter`	Logs Configuration Writer	Provides permissions to read and write the configurations of logs-based metrics and sinks for exporting logs.	logging.buckets.* logging.cmekSettings.* logging.exclusions.* logging.logMetrics.* logging.logServiceIndexes.* logging.logServices.* logging.logs.list logging.sinks.* resourcemanager.projects.get resourcemanager.projects.list	Project
`roles/logging.logWriter`	Logs Writer	Provides the permissions to write log entries.	logging.logEntries.create	Project
`roles/logging.privateLogViewer`	Private Logs Viewer	Provides permissions of the Logs Viewer role and in addition, provides read-only access to log entries in private logs.	logging.buckets.get logging.buckets.list logging.exclusions.get logging.exclusions.list logging.logEntries.list logging.logMetrics.get logging.logMetrics.list logging.logServiceIndexes.* logging.logServices.* logging.logs.list logging.privateLogEntries.* logging.sinks.get logging.sinks.list logging.usage.* resourcemanager.projects.get	Project
`roles/logging.viewer`	Logs Viewer	Provides access to view logs.	logging.buckets.get logging.buckets.list logging.exclusions.get logging.exclusions.list logging.logEntries.list logging.logMetrics.get logging.logMetrics.list logging.logServiceIndexes.* logging.logServices.* logging.logs.list logging.sinks.get logging.sinks.list logging.usage.* resourcemanager.projects.get	Project

Cloud Managed Identities roles

Role	Title	Description	Permissions
`roles/managedidentities.admin`	Google Cloud Managed Identities Admin	Full access to Google Cloud Managed Identities Domains and related resources. Intended to be granted on a project-level.	managedidentities.* resourcemanager.projects.get resourcemanager.projects.list
`roles/managedidentities.domainAdmin`	Google Cloud Managed Identities Domain Admin	Read-Update-Delete to Google Cloud Managed Identities Domains and related resources. Intended to be granted on a resource (domain) level.	managedidentities.domains.attachTrust managedidentities.domains.delete managedidentities.domains.detachTrust managedidentities.domains.get managedidentities.domains.getIamPolicy managedidentities.domains.reconfigureTrust managedidentities.domains.resetpassword managedidentities.domains.update managedidentities.domains.validateTrust managedidentities.locations.* managedidentities.operations.get managedidentities.operations.list resourcemanager.projects.get resourcemanager.projects.list
`roles/managedidentities.viewer`	Google Cloud Managed Identities Viewer	Read-only access to Google Cloud Managed Identities Domains and related resources.	managedidentities.domains.get managedidentities.domains.getIamPolicy managedidentities.domains.list managedidentities.locations.* managedidentities.operations.get managedidentities.operations.list resourcemanager.projects.get resourcemanager.projects.list

Memorystore Memcache roles

Role	Title	Description	Permissions
`roles/memcache.admin`	Cloud Memorystore Memcached Admin ^Alpha	Full access to Memcached instances and related resources.	compute.networks.list memcache.* resourcemanager.projects.get resourcemanager.projects.list
`roles/memcache.editor`	Cloud Memorystore Memcached Editor ^Alpha	Read-Write access to Memcached instances and related resources.	memcache.instances.applyParameters memcache.instances.get memcache.instances.list memcache.instances.update memcache.instances.updateParameters memcache.locations.* memcache.operations.* resourcemanager.projects.get resourcemanager.projects.list
`roles/memcache.viewer`	Cloud Memorystore Memcached Viewer ^Alpha	Read-only access to Memcached instances and related resources.	memcache.instances.get memcache.instances.list memcache.locations.* memcache.operations.get memcache.operations.list resourcemanager.projects.get resourcemanager.projects.list

Machine Learning Engine roles

Role	Title	Description	Permissions	Lowest resource
`roles/ml.admin`	ML Engine Admin	Provides full access to AI Platform resources, and its jobs, operations, models, and versions.	ml.* resourcemanager.projects.get	Project
`roles/ml.developer`	ML Engine Developer	Provides ability to use AI Platform resources for creating models, versions, jobs for training and prediction, and sending online prediction requests.	ml.jobs.create ml.jobs.get ml.jobs.getIamPolicy ml.jobs.list ml.locations.* ml.models.create ml.models.get ml.models.getIamPolicy ml.models.list ml.models.predict ml.operations.get ml.operations.list ml.projects.* ml.versions.get ml.versions.list ml.versions.predict resourcemanager.projects.get	Project
`roles/ml.jobOwner`	ML Engine Job Owner	Provides full access to all permissions for a particular job resource. This role is automatically granted to the user who creates the job.	ml.jobs.*	Job
`roles/ml.modelOwner`	ML Engine Model Owner	Provides full access to the model and its versions. This role is automatically granted to the user who creates the model.	ml.models.* ml.versions.*	Model
`roles/ml.modelUser`	ML Engine Model User	Provides permissions to read the model and its versions, and use them for prediction.	ml.models.get ml.models.predict ml.versions.get ml.versions.list ml.versions.predict	Model
`roles/ml.operationOwner`	ML Engine Operation Owner	Provides full access to all permissions for a particular operation resource.	ml.operations.*	Operation
`roles/ml.viewer`	ML Engine Viewer	Provides read-only access to AI Platform resources.	ml.jobs.get ml.jobs.list ml.locations.* ml.models.get ml.models.list ml.operations.get ml.operations.list ml.projects.* ml.versions.get ml.versions.list resourcemanager.projects.get	Project

Monitoring roles

Role	Title	Description	Permissions	Lowest resource
`roles/monitoring.admin`	Monitoring Admin	Provides the same access as `roles/monitoring.editor`.	cloudnotifications.* monitoring.* opsconfigmonitoring.* resourcemanager.projects.get resourcemanager.projects.list serviceusage.services.enable stackdriver.*	Project
`roles/monitoring.alertPolicyEditor`	Monitoring AlertPolicy Editor ^Beta	Read/write access to alerting policies.	monitoring.alertPolicies.*
`roles/monitoring.alertPolicyViewer`	Monitoring AlertPolicy Viewer ^Beta	Read-only access to alerting policies.	monitoring.alertPolicies.get monitoring.alertPolicies.list
`roles/monitoring.dashboardEditor`	Monitoring Dashboard Configuration Editor ^Beta	Read/write access to dashboard configurations.	monitoring.dashboards.*
`roles/monitoring.dashboardViewer`	Monitoring Dashboard Configuration Viewer ^Beta	Read-only access to dashboard configurations.	monitoring.dashboards.get monitoring.dashboards.list
`roles/monitoring.editor`	Monitoring Editor	Provides full access to information about all monitoring data and configurations.	cloudnotifications.* monitoring.alertPolicies.* monitoring.dashboards.* monitoring.groups.* monitoring.metricDescriptors.* monitoring.monitoredResourceDescriptors.* monitoring.notificationChannelDescriptors.* monitoring.notificationChannels.create monitoring.notificationChannels.delete monitoring.notificationChannels.get monitoring.notificationChannels.list monitoring.notificationChannels.sendVerificationCode monitoring.notificationChannels.update monitoring.notificationChannels.verify monitoring.publicWidgets.* monitoring.timeSeries.* monitoring.uptimeCheckConfigs.* opsconfigmonitoring.* resourcemanager.projects.get resourcemanager.projects.list serviceusage.services.enable stackdriver.*	Project
`roles/monitoring.metricWriter`	Monitoring Metric Writer	Provides write-only access to metrics. This provides exactly the permissions needed by the Stackdriver agent and other systems that send metrics.	monitoring.metricDescriptors.create monitoring.metricDescriptors.get monitoring.metricDescriptors.list monitoring.monitoredResourceDescriptors.* monitoring.timeSeries.create	Project
`roles/monitoring.notificationChannelEditor`	Monitoring NotificationChannel Editor ^Beta	Read/write access to notification channels.	monitoring.notificationChannelDescriptors.* monitoring.notificationChannels.create monitoring.notificationChannels.delete monitoring.notificationChannels.get monitoring.notificationChannels.list monitoring.notificationChannels.sendVerificationCode monitoring.notificationChannels.update monitoring.notificationChannels.verify
`roles/monitoring.notificationChannelViewer`	Monitoring NotificationChannel Viewer ^Beta	Read-only access to notification channels.	monitoring.notificationChannelDescriptors.* monitoring.notificationChannels.get monitoring.notificationChannels.list
`roles/monitoring.uptimeCheckConfigEditor`	Monitoring Uptime Check Configuration Editor ^Beta	Read/write access to uptime check configurations.	monitoring.uptimeCheckConfigs.*
`roles/monitoring.uptimeCheckConfigViewer`	Monitoring Uptime Check Configuration Viewer ^Beta	Read-only access to uptime check configurations.	monitoring.uptimeCheckConfigs.get monitoring.uptimeCheckConfigs.list
`roles/monitoring.viewer`	Monitoring Viewer	Provides read-only access to get and list information about all monitoring data and configurations.	cloudnotifications.* monitoring.alertPolicies.get monitoring.alertPolicies.list monitoring.dashboards.get monitoring.dashboards.list monitoring.groups.get monitoring.groups.list monitoring.metricDescriptors.get monitoring.metricDescriptors.list monitoring.monitoredResourceDescriptors.* monitoring.notificationChannelDescriptors.* monitoring.notificationChannels.get monitoring.notificationChannels.list monitoring.publicWidgets.get monitoring.publicWidgets.list monitoring.timeSeries.list monitoring.uptimeCheckConfigs.get monitoring.uptimeCheckConfigs.list resourcemanager.projects.get resourcemanager.projects.list stackdriver.projects.get	Project

Network Management roles

Role	Title	Description	Permissions	Lowest resource
`roles/networkmanagement.admin`	Network Management Admin	Full access to Cloud Network Management resources.	networkmanagement.* resourcemanager.projects.get resourcemanager.projects.list
`roles/networkmanagement.viewer`	Network Management Viewer	Read-only access to Cloud Network Management resources.	networkmanagement.connectivitytests.get networkmanagement.connectivitytests.getIamPolicy networkmanagement.connectivitytests.list networkmanagement.locations.* networkmanagement.operations.* resourcemanager.projects.get resourcemanager.projects.list

AI Notebooks roles

Role	Title	Description	Permissions	Lowest resource
`roles/notebooks.admin`	Notebooks Admin ^Beta	Full access to Notebooks, all resources.	notebooks.* resourcemanager.projects.get resourcemanager.projects.list	Instance
`roles/notebooks.viewer`	Notebooks Viewer ^Beta	Read-only access to Notebooks, all resources.	notebooks.environments.get notebooks.environments.getIamPolicy notebooks.environments.list notebooks.instances.get notebooks.instances.getIamPolicy notebooks.instances.list notebooks.locations.* notebooks.operations.get notebooks.operations.list resourcemanager.projects.get resourcemanager.projects.list	Instance

Ops Config Monitoring roles

Role	Title	Description	Permissions	Lowest resource
`roles/opsconfigmonitoring.resourceMetadata.writer`	Ops Config Monitoring Resource Metadata Writer ^Beta	Write-only access to resource metadata. This provides exactly the permissions needed by the Ops Config Monitoring metadata agent and other systems that send metadata.	opsconfigmonitoring.*

Organization Policy roles

Role	Title	Description	Permissions	Lowest resource
`roles/axt.admin`	Access Transparency Admin	Enable Access Transparency for Organization	axt.* resourcemanager.organizations.get resourcemanager.projects.get resourcemanager.projects.list
`roles/orgpolicy.policyAdmin`	Organization Policy Administrator	Provides access to define what restrictions an organization wants to place on the configuration of cloud resources by setting Organization Policies.	orgpolicy.*	Organization
`roles/orgpolicy.policyViewer`	Organization Policy Viewer	Provides access to view Organization Policies on resources.	orgpolicy.policy.get	Organization

Other roles

roles/dataprocessing.admin Data Processing Controls Resource Admin ^Beta Data processing controls admin who can fully manage data processing controls settings and view all datasource data.

dataprocessing.*

roles/dataprocessing.iamAccessHistoryExporter Data Processing IAM Access History Exporter ^Beta Data Processing exporter who can export IAM access history using bigquery.

roles/firebasecrash.symbolMappingsAdmin Firebase Crash Symbol Uploader Full read/write access to symbol mapping file resources for Firebase Crash Reporting.

firebase.clients.get
resourcemanager.projects.get

roles/identityplatform.admin Identity Platform Admin ^Beta Full access to Identity Platform resources.

identityplatform.*

roles/identityplatform.viewer Identity Platform Viewer ^Beta Read access to Identity Platform resources.

identityplatform.workloadPoolProviders.get
identityplatform.workloadPoolProviders.list
identityplatform.workloadPools.get
identityplatform.workloadPools.list

roles/identitytoolkit.admin Identity Toolkit Admin Full access to Identity Toolkit resources.

firebaseauth.*

roles/identitytoolkit.viewer Identity Toolkit Viewer Read access to Identity Toolkit resources.

firebaseauth.configs.get
firebaseauth.users.get

roles/mobilecrashreporting.symbolMappingsAdmin Firebase Crash Symbol Uploader (Deprecated) Full read/write access to symbol mapping file resources for Firebase Crash Reporting.Deprecated in favor of firebasecrash.symbolMappingsAdmin

firebase.clients.get
resourcemanager.projects.get

roles/remotebuildexecution.actionCacheWriter Remote Build Execution Action Cache Writer ^Beta Remote Build Execution Action Cache Writer

remotebuildexecution.actions.set
remotebuildexecution.blobs.create

roles/remotebuildexecution.artifactAdmin Remote Build Execution Artifact Admin ^Beta Remote Build Execution Artifact Admin

remotebuildexecution.actions.create
remotebuildexecution.actions.delete
remotebuildexecution.actions.get
remotebuildexecution.blobs.*
remotebuildexecution.logstreams.*

roles/remotebuildexecution.artifactCreator Remote Build Execution Artifact Creator ^Beta Remote Build Execution Artifact Creator

remotebuildexecution.actions.create
remotebuildexecution.actions.get
remotebuildexecution.blobs.*
remotebuildexecution.logstreams.*

roles/remotebuildexecution.artifactViewer Remote Build Execution Artifact Viewer ^Beta Remote Build Execution Artifact Viewer

remotebuildexecution.actions.get
remotebuildexecution.blobs.get
remotebuildexecution.logstreams.get

roles/remotebuildexecution.configurationAdmin Remote Build Execution Configuration Admin ^Beta Remote Build Execution Configuration Admin

remotebuildexecution.instances.*
remotebuildexecution.workerpools.*

roles/remotebuildexecution.configurationViewer Remote Build Execution Configuration Viewer ^Beta Remote Build Execution Configuration Viewer

remotebuildexecution.instances.get
remotebuildexecution.instances.list
remotebuildexecution.workerpools.get
remotebuildexecution.workerpools.list

roles/remotebuildexecution.logstreamWriter Remote Build Execution Logstream Writer ^Beta Remote Build Execution Logstream Writer

remotebuildexecution.logstreams.create
remotebuildexecution.logstreams.update

roles/remotebuildexecution.reservationAdmin Remote Build Execution Reservation Admin ^Beta Remote Build Execution Reservation Admin

remotebuildexecution.actions.create
remotebuildexecution.actions.delete
remotebuildexecution.actions.get

roles/remotebuildexecution.worker Remote Build Execution Worker ^Beta Remote Build Execution Worker

remotebuildexecution.actions.update
remotebuildexecution.blobs.*
remotebuildexecution.botsessions.*
remotebuildexecution.logstreams.create
remotebuildexecution.logstreams.update

roles/resourcemanager.organizationCreator Organization Creator Access to create and list organizations.

roles/runtimeconfig.admin Cloud RuntimeConfig Admin Full access to RuntimeConfig resources.

runtimeconfig.*

roles/subscribewithgoogledeveloper.developer Subscribe with Google Developer ^Beta Access DevTools for Subscribe with Google

resourcemanager.projects.get
resourcemanager.projects.list
subscribewithgoogledeveloper.*

Third-party Partner roles

Role	Title	Description	Permissions
`roles/netappcloudvolumes.admin`	NetApp Cloud Volumes Admin ^Beta	This role is managed by NetApp, not Google.	netappcloudvolumes.* resourcemanager.projects.get resourcemanager.projects.list
`roles/netappcloudvolumes.viewer`	NetApp Cloud Volumes Viewer ^Beta	This role is managed by NetApp, not Google.	netappcloudvolumes.activeDirectories.get netappcloudvolumes.activeDirectories.list netappcloudvolumes.ipRanges.* netappcloudvolumes.jobs.* netappcloudvolumes.regions.* netappcloudvolumes.serviceLevels.* netappcloudvolumes.snapshots.get netappcloudvolumes.snapshots.list netappcloudvolumes.volumes.get netappcloudvolumes.volumes.list resourcemanager.projects.get resourcemanager.projects.list
`roles/redisenterprisecloud.admin`	Redis Enterprise Cloud Admin ^Beta	This role is managed by Redis Labs, not Google.	redisenterprisecloud.* resourcemanager.projects.get resourcemanager.projects.list
`roles/redisenterprisecloud.viewer`	Redis Enterprise Cloud Viewer ^Beta	This role is managed by Redis Labs, not Google.	redisenterprisecloud.databases.get redisenterprisecloud.databases.list redisenterprisecloud.subscriptions.get redisenterprisecloud.subscriptions.list resourcemanager.projects.get resourcemanager.projects.list

Project roles

Role	Title	Description	Permissions	Lowest resource
`roles/browser`	Browser	Read access to browse the hierarchy for a project, including the folder, organization, and Cloud IAM policy. This role doesn't include permission to view resources in the project.	resourcemanager.folders.get resourcemanager.folders.list resourcemanager.organizations.get resourcemanager.projects.get resourcemanager.projects.getIamPolicy resourcemanager.projects.list	Project

Proximity Beacon roles

Role	Title	Description	Permissions
`roles/proximitybeacon.attachmentEditor`	Beacon Attachment Editor	Can create and delete attachments; can list and get a project's beacons; can list a project's namespaces.	proximitybeacon.attachments.* proximitybeacon.beacons.get proximitybeacon.beacons.list proximitybeacon.namespaces.list resourcemanager.projects.get resourcemanager.projects.list
`roles/proximitybeacon.attachmentPublisher`	Beacon Attachment Publisher	Grants necessary permissions to use beacons to create attachments in namespaces not owned by this project.	proximitybeacon.beacons.attach proximitybeacon.beacons.get proximitybeacon.beacons.list resourcemanager.projects.get resourcemanager.projects.list
`roles/proximitybeacon.attachmentViewer`	Beacon Attachment Viewer	Can view all attachments under a namespace; no beacon or namespace permissions.	proximitybeacon.attachments.get proximitybeacon.attachments.list resourcemanager.projects.get resourcemanager.projects.list
`roles/proximitybeacon.beaconEditor`	Beacon Editor	Necessary access to register, modify, and view beacons; no attachment or namespace permissions.	proximitybeacon.beacons.create proximitybeacon.beacons.get proximitybeacon.beacons.list proximitybeacon.beacons.update resourcemanager.projects.get resourcemanager.projects.list

Pub/Sub roles

Role	Title	Description	Permissions	Lowest resource
`roles/pubsub.admin`	Pub/Sub Admin	Provides full access to topics and subscriptions.	pubsub.* resourcemanager.projects.get serviceusage.quotas.get serviceusage.services.get serviceusage.services.list	Topic
`roles/pubsub.editor`	Pub/Sub Editor	Provides access to modify topics and subscriptions, and access to publish and consume messages.	pubsub.snapshots.create pubsub.snapshots.delete pubsub.snapshots.get pubsub.snapshots.list pubsub.snapshots.seek pubsub.snapshots.update pubsub.subscriptions.consume pubsub.subscriptions.create pubsub.subscriptions.delete pubsub.subscriptions.get pubsub.subscriptions.list pubsub.subscriptions.update pubsub.topics.attachSubscription pubsub.topics.create pubsub.topics.delete pubsub.topics.get pubsub.topics.list pubsub.topics.publish pubsub.topics.update pubsub.topics.updateTag resourcemanager.projects.get serviceusage.quotas.get serviceusage.services.get serviceusage.services.list	Topic
`roles/pubsub.publisher`	Pub/Sub Publisher	Provides access to publish messages to a topic.	pubsub.topics.publish	Topic
`roles/pubsub.subscriber`	Pub/Sub Subscriber	Provides access to consume messages from a subscription and to attach subscriptions to a topic.	pubsub.snapshots.seek pubsub.subscriptions.consume pubsub.topics.attachSubscription	Topic
`roles/pubsub.viewer`	Pub/Sub Viewer	Provides access to view topics and subscriptions.	pubsub.snapshots.get pubsub.snapshots.list pubsub.subscriptions.get pubsub.subscriptions.list pubsub.topics.get pubsub.topics.list resourcemanager.projects.get serviceusage.quotas.get serviceusage.services.get serviceusage.services.list	Topic

reCAPTCHA Enterprise roles

Role	Title	Description	Permissions
`roles/recaptchaenterprise.admin`	reCAPTCHA Enterprise Admin ^Beta	Access to view and modify reCAPTCHA Enterprise keys	recaptchaenterprise.keys.* resourcemanager.projects.get resourcemanager.projects.list
`roles/recaptchaenterprise.agent`	reCAPTCHA Enterprise Agent ^Beta	Access to create and annotate reCAPTCHA Enterprise assessments	recaptchaenterprise.assessments.* resourcemanager.projects.get resourcemanager.projects.list
`roles/recaptchaenterprise.viewer`	reCAPTCHA Enterprise Viewer ^Beta	Access to view reCAPTCHA Enterprise keys	recaptchaenterprise.keys.get recaptchaenterprise.keys.list resourcemanager.projects.get resourcemanager.projects.list

Recommendations AI roles

Role	Title	Description	Permissions
`roles/automlrecommendations.admin`	Recommendations AI Admin ^Beta	Full access to all Recommendations AI resources.	automlrecommendations.* resourcemanager.projects.get resourcemanager.projects.list serviceusage.services.get serviceusage.services.list
`roles/automlrecommendations.adminViewer`	Recommendations AI Admin Viewer ^Beta	Viewer of all Recommendations AI resources.	automlrecommendations.apiKeys.list automlrecommendations.catalogItems.get automlrecommendations.catalogItems.list automlrecommendations.catalogs.* automlrecommendations.eventStores.* automlrecommendations.events.list automlrecommendations.placements.* automlrecommendations.recommendations.* resourcemanager.projects.get resourcemanager.projects.list serviceusage.services.get serviceusage.services.list
`roles/automlrecommendations.editor`	Recommendations AI Editor ^Beta	Editor of all Recommendations AI resources.	automlrecommendations.apiKeys.create automlrecommendations.apiKeys.list automlrecommendations.catalogItems.* automlrecommendations.catalogs.* automlrecommendations.eventStores.* automlrecommendations.events.create automlrecommendations.events.list automlrecommendations.placements.* automlrecommendations.recommendations.* resourcemanager.projects.get resourcemanager.projects.list serviceusage.services.get serviceusage.services.list
`roles/automlrecommendations.viewer`	Recommendations AI Viewer ^Beta	Viewer of all Recommendations AI resources.	automlrecommendations.catalogItems.get automlrecommendations.catalogItems.list automlrecommendations.catalogs.* automlrecommendations.eventStores.* automlrecommendations.events.list automlrecommendations.placements.* automlrecommendations.recommendations.* resourcemanager.projects.get resourcemanager.projects.list serviceusage.services.get serviceusage.services.list

Recommender roles

Role	Title	Description	Permissions
`roles/recommender.computeAdmin`	Compute Recommender Admin	Admin of Compute recommendations.	recommender.computeInstanceGroupManagerMachineTypeRecommendations.* recommender.computeInstanceIdleResourceRecommendations.* recommender.computeInstanceMachineTypeRecommendations.* recommender.locations.* resourcemanager.projects.get resourcemanager.projects.list
`roles/recommender.computeViewer`	Compute Recommender Viewer	Viewer of Compute recommendations.	recommender.computeInstanceGroupManagerMachineTypeRecommendations.get recommender.computeInstanceGroupManagerMachineTypeRecommendations.list recommender.computeInstanceIdleResourceRecommendations.get recommender.computeInstanceIdleResourceRecommendations.list recommender.computeInstanceMachineTypeRecommendations.get recommender.computeInstanceMachineTypeRecommendations.list recommender.locations.* resourcemanager.projects.get resourcemanager.projects.list
`roles/recommender.firewallAdmin`	Firewall Recommender Admin ^Alpha	Admin of Firewall insights and recommendations.	recommender.computeFirewallInsights.* resourcemanager.projects.get resourcemanager.projects.list
`roles/recommender.firewallViewer`	Firewall Recommender Viewer ^Alpha	Viewer of Firewall insights and recommendations.	recommender.computeFirewallInsights.get recommender.computeFirewallInsights.list resourcemanager.projects.get resourcemanager.projects.list
`roles/recommender.iamAdmin`	IAM Recommender Admin	Admin of IAM policy recommendations.	recommender.iamPolicyInsights.* recommender.iamPolicyRecommendations.* recommender.locations.* resourcemanager.projects.get resourcemanager.projects.list
`roles/recommender.iamViewer`	IAM Recommender Viewer	Reviewer of IAM policy recommendations.	recommender.iamPolicyInsights.get recommender.iamPolicyInsights.list recommender.iamPolicyRecommendations.get recommender.iamPolicyRecommendations.list recommender.locations.* resourcemanager.projects.get resourcemanager.projects.list

Memorystore Redis roles

Role	Title	Description	Permissions	Lowest resource
`roles/redis.admin`	Cloud Memorystore Redis Admin ^Beta	Full control for all Memorystore resources.	compute.networks.list redis.* resourcemanager.projects.get resourcemanager.projects.list serviceusage.services.use	Instance
`roles/redis.editor`	Cloud Memorystore Redis Editor ^Beta	Manage Memorystore instances. Can't create or delete instances.	compute.networks.list redis.instances.failover redis.instances.get redis.instances.list redis.instances.update redis.locations.* redis.operations.* resourcemanager.projects.get resourcemanager.projects.list serviceusage.services.use	Instance
`roles/redis.viewer`	Cloud Memorystore Redis Viewer ^Beta	Read-only access to all Memorystore resources.	redis.instances.get redis.instances.list redis.locations.* redis.operations.get redis.operations.list resourcemanager.projects.get resourcemanager.projects.list serviceusage.services.use	Instance

Resource Manager roles

Role	Title	Description	Permissions	Lowest resource
`roles/resourcemanager.folderAdmin`	Folder Admin	Provides all available permissions for working with folders.	orgpolicy.policy.get resourcemanager.folders.* resourcemanager.projects.get resourcemanager.projects.getIamPolicy resourcemanager.projects.list resourcemanager.projects.move resourcemanager.projects.setIamPolicy	Folder
`roles/resourcemanager.folderCreator`	Folder Creator	Provides permissions needed to browse the hierarchy and create folders.	orgpolicy.policy.get resourcemanager.folders.create resourcemanager.folders.get resourcemanager.folders.list resourcemanager.projects.get resourcemanager.projects.list	Folder
`roles/resourcemanager.folderEditor`	Folder Editor	Provides permission to modify folders as well as to view a folder's Cloud IAM policy.	orgpolicy.policy.get resourcemanager.folders.delete resourcemanager.folders.get resourcemanager.folders.getIamPolicy resourcemanager.folders.list resourcemanager.folders.undelete resourcemanager.folders.update resourcemanager.projects.get resourcemanager.projects.list	Folder
`roles/resourcemanager.folderIamAdmin`	Folder IAM Admin	Provides permissions to administer Cloud IAM policies on folders.	resourcemanager.folders.get resourcemanager.folders.getIamPolicy resourcemanager.folders.setIamPolicy	Folder
`roles/resourcemanager.folderMover`	Folder Mover	Provides permission to move projects and folders into and out of a parent Organization or folder.	resourcemanager.folders.move resourcemanager.projects.move	Folder
`roles/resourcemanager.folderViewer`	Folder Viewer	Provides permission to get a folder and list the folders and projects below a resource.	orgpolicy.policy.get resourcemanager.folders.get resourcemanager.folders.list resourcemanager.projects.get resourcemanager.projects.list	Folder
`roles/resourcemanager.lienModifier`	Project Lien Modifier	Provides access to modify Liens on projects.	resourcemanager.projects.updateLiens	Project
`roles/resourcemanager.organizationAdmin`	Organization Administrator	Access to administer all resources belonging to the organization.	orgpolicy.policy.get resourcemanager.folders.get resourcemanager.folders.getIamPolicy resourcemanager.folders.list resourcemanager.folders.setIamPolicy resourcemanager.organizations.* resourcemanager.projects.get resourcemanager.projects.getIamPolicy resourcemanager.projects.list resourcemanager.projects.setIamPolicy
`roles/resourcemanager.organizationViewer`	Organization Viewer	Provides access to view an organization.	resourcemanager.organizations.get	Organization
`roles/resourcemanager.projectCreator`	Project Creator	Provides access to create new projects. Once a user creates a project, they're automatically granted the owner role for that project.	resourcemanager.organizations.get resourcemanager.projects.create	Folder
`roles/resourcemanager.projectDeleter`	Project Deleter	Provides access to delete GCP projects.	resourcemanager.projects.delete	Folder
`roles/resourcemanager.projectIamAdmin`	Project IAM Admin	Provides permissions to administer Cloud IAM policies on projects.	resourcemanager.projects.get resourcemanager.projects.getIamPolicy resourcemanager.projects.setIamPolicy	Project
`roles/resourcemanager.projectMover`	Project Mover	Provides access to update and move projects.	resourcemanager.projects.get resourcemanager.projects.move resourcemanager.projects.update	Project

Cloud Run roles

Role	Title	Description	Permissions	Lowest resource
`roles/run.admin`	Cloud Run Admin ^Beta	Full control over all Cloud Run resources.	resourcemanager.projects.get resourcemanager.projects.list run.*	Cloud Run service
`roles/run.invoker`	Cloud Run Invoker ^Beta	Can invoke a Cloud Run service.	run.routes.invoke	Cloud Run service
`roles/run.viewer`	Cloud Run Viewer ^Beta	Can view the state of all Cloud Run resources, including IAM policies.	resourcemanager.projects.get resourcemanager.projects.list run.configurations.* run.locations.* run.revisions.get run.revisions.list run.routes.get run.routes.list run.services.get run.services.getIamPolicy run.services.list	Cloud Run service

Secret Manager roles

Role	Title	Description	Permissions	Lowest resource
`roles/secretmanager.admin`	Secret Manager Admin	Full access to administer Secret Manager resources.	resourcemanager.projects.get resourcemanager.projects.list secretmanager.*	Secret
`roles/secretmanager.secretAccessor`	Secret Manager Secret Accessor	Allows accessing the payload of secrets.	resourcemanager.projects.get resourcemanager.projects.list secretmanager.versions.access	Secret
`roles/secretmanager.viewer`	Secret Manager Viewer	Allows viewing metadata of all Secret Manager resources	resourcemanager.projects.get resourcemanager.projects.list secretmanager.locations.* secretmanager.secrets.get secretmanager.secrets.getIamPolicy secretmanager.secrets.list secretmanager.versions.get secretmanager.versions.list	Secret

Security Center roles

Role	Title	Description	Permissions	Lowest resource
`roles/securitycenter.admin`	Security Center Admin	Admin(super user) access to security center	appengine.applications.get cloudsecurityscanner.* compute.addresses.list resourcemanager.organizations.get resourcemanager.projects.get resourcemanager.projects.list securitycenter.* serviceusage.quotas.get serviceusage.services.get serviceusage.services.list	Organization
`roles/securitycenter.adminEditor`	Security Center Admin Editor	Admin Read-write access to security center	appengine.applications.get cloudsecurityscanner.* compute.addresses.list resourcemanager.organizations.get resourcemanager.projects.get resourcemanager.projects.list securitycenter.assets.* securitycenter.assetsecuritymarks.* securitycenter.findings.* securitycenter.findingsecuritymarks.* securitycenter.notificationconfig.* securitycenter.organizationsettings.get securitycenter.sources.get securitycenter.sources.list securitycenter.sources.update serviceusage.quotas.get serviceusage.services.get serviceusage.services.list	Organization
`roles/securitycenter.adminViewer`	Security Center Admin Viewer	Admin Read access to security center	cloudsecurityscanner.crawledurls.* cloudsecurityscanner.results.* cloudsecurityscanner.scanruns.get cloudsecurityscanner.scanruns.getSummary cloudsecurityscanner.scanruns.list cloudsecurityscanner.scans.get cloudsecurityscanner.scans.list resourcemanager.organizations.get securitycenter.assets.group securitycenter.assets.list securitycenter.assets.listAssetPropertyNames securitycenter.findings.group securitycenter.findings.list securitycenter.findings.listFindingPropertyNames securitycenter.notificationconfig.get securitycenter.notificationconfig.list securitycenter.organizationsettings.get securitycenter.sources.get securitycenter.sources.list serviceusage.quotas.get serviceusage.services.get serviceusage.services.list	Organization
`roles/securitycenter.assetSecurityMarksWriter`	Security Center Asset Security Marks Writer	Write access to asset security marks	securitycenter.assetsecuritymarks.*	Organization
`roles/securitycenter.assetsDiscoveryRunner`	Security Center Assets Discovery Runner	Run asset discovery access to assets	securitycenter.assets.runDiscovery	Organization
`roles/securitycenter.assetsViewer`	Security Center Assets Viewer	Read access to assets	resourcemanager.organizations.get securitycenter.assets.group securitycenter.assets.list securitycenter.assets.listAssetPropertyNames	Organization
`roles/securitycenter.findingSecurityMarksWriter`	Security Center Finding Security Marks Writer	Write access to finding security marks	securitycenter.findingsecuritymarks.*	Organization
`roles/securitycenter.findingsEditor`	Security Center Findings Editor	Read-write access to findings	resourcemanager.organizations.get securitycenter.findings.* securitycenter.sources.get securitycenter.sources.list	Organization
`roles/securitycenter.findingsStateSetter`	Security Center Findings State Setter	Set state access to findings	securitycenter.findings.setState	Organization
`roles/securitycenter.findingsViewer`	Security Center Findings Viewer	Read access to findings	resourcemanager.organizations.get securitycenter.findings.group securitycenter.findings.list securitycenter.findings.listFindingPropertyNames securitycenter.sources.get securitycenter.sources.list	Organization
`roles/securitycenter.notificationConfigEditor`	Security Center Notification Configurations Editor	Write access to notification configurations	securitycenter.notificationconfig.*
`roles/securitycenter.notificationConfigViewer`	Security Center Notification Configurations Viewer	Read access to notification configurations	securitycenter.notificationconfig.get securitycenter.notificationconfig.list
`roles/securitycenter.sourcesAdmin`	Security Center Sources Admin	Admin access to sources	resourcemanager.organizations.get securitycenter.sources.*	Organization
`roles/securitycenter.sourcesEditor`	Security Center Sources Editor	Read-write access to sources	resourcemanager.organizations.get securitycenter.sources.get securitycenter.sources.list securitycenter.sources.update	Organization
`roles/securitycenter.sourcesViewer`	Security Center Sources Viewer	Read access to sources	resourcemanager.organizations.get securitycenter.sources.get securitycenter.sources.list	Organization

Service Consumer Management roles

Role	Title	Description	Permissions	Lowest resource
`roles/serviceconsumermanagement.tenancyUnitsAdmin`	Admin of Tenancy Units ^Beta	Administrate tenancy units	serviceconsumermanagement.tenancyu.*
`roles/serviceconsumermanagement.tenancyUnitsViewer`	Viewer of Tenancy Units ^Beta	View tenancy units	serviceconsumermanagement.tenancyu.list

Service Directory roles

Role	Title	Description	Permissions
`roles/servicedirectory.admin`	Service Directory Admin ^Beta	Full control of all Service Directory resources and permissions.	resourcemanager.projects.get resourcemanager.projects.list servicedirectory.*
`roles/servicedirectory.editor`	Service Directory Editor ^Beta	Edit Service Directory resources.	resourcemanager.projects.get resourcemanager.projects.list servicedirectory.endpoints.create servicedirectory.endpoints.delete servicedirectory.endpoints.get servicedirectory.endpoints.getIamPolicy servicedirectory.endpoints.list servicedirectory.endpoints.update servicedirectory.locations.* servicedirectory.namespaces.associatePrivateZone servicedirectory.namespaces.create servicedirectory.namespaces.delete servicedirectory.namespaces.get servicedirectory.namespaces.getIamPolicy servicedirectory.namespaces.list servicedirectory.namespaces.update servicedirectory.services.create servicedirectory.services.delete servicedirectory.services.get servicedirectory.services.getIamPolicy servicedirectory.services.list servicedirectory.services.resolve servicedirectory.services.update
`roles/servicedirectory.viewer`	Service Directory Viewer ^Beta	View Service Directory resources.	resourcemanager.projects.get resourcemanager.projects.list servicedirectory.endpoints.get servicedirectory.endpoints.getIamPolicy servicedirectory.endpoints.list servicedirectory.locations.* servicedirectory.namespaces.get servicedirectory.namespaces.getIamPolicy servicedirectory.namespaces.list servicedirectory.services.get servicedirectory.services.getIamPolicy servicedirectory.services.list servicedirectory.services.resolve

Service Management roles

Role	Title	Description	Permissions	Lowest resource
`roles/cloudasset.serviceAgent`	Cloud Asset Service Agent ^Alpha	Gives Cloud Asset service agent permissions to Cloud Storage and BigQuery for exporting Assets, and permission to publish to Cloud Pub/Sub topics for Asset Real Time Feed.	bigquery.datasets.get bigquery.jobs.create bigquery.jobs.get bigquery.tables.create bigquery.tables.delete bigquery.tables.get bigquery.tables.updateData pubsub.topics.publish storage.buckets.create storage.buckets.get storage.buckets.getIamPolicy storage.objects.create storage.objects.delete storage.objects.get
`roles/cloudbuild.serviceAgent`	Cloud Build Service Agent ^Alpha	Gives Cloud Build service account access to managed resources.	artifactregistry.files.* artifactregistry.packages.get artifactregistry.packages.list artifactregistry.repositories.downloadArtifacts artifactregistry.repositories.get artifactregistry.repositories.list artifactregistry.repositories.uploadArtifacts artifactregistry.tags.create artifactregistry.tags.get artifactregistry.tags.list artifactregistry.tags.update artifactregistry.versions.get artifactregistry.versions.list cloudbuild.* compute.firewalls.get compute.firewalls.list compute.networks.get compute.subnetworks.get iam.serviceAccounts.getAccessToken logging.logEntries.create pubsub.topics.create pubsub.topics.publish remotebuildexecution.blobs.get resourcemanager.projects.get resourcemanager.projects.list source.repos.get source.repos.list storage.buckets.create storage.buckets.get storage.buckets.list storage.objects.create storage.objects.delete storage.objects.get storage.objects.list storage.objects.update
`roles/cloudfunctions.serviceAgent`	Cloud Functions Service Agent ^Alpha	Gives Cloud Functions service account access to managed resources.	clientauthconfig.clients.list cloudbuild.* cloudfunctions.functions.invoke compute.globalOperations.get compute.networks.access firebasedatabase.instances.get firebasedatabase.instances.update iam.serviceAccounts.getAccessToken iam.serviceAccounts.getOpenIdToken iam.serviceAccounts.signBlob pubsub.subscriptions.* pubsub.topics.attachSubscription pubsub.topics.create pubsub.topics.get remotebuildexecution.blobs.get resourcemanager.projects.get resourcemanager.projects.getIamPolicy resourcemanager.projects.list serviceusage.quotas.get serviceusage.services.disable serviceusage.services.enable storage.buckets.create storage.buckets.get storage.buckets.update storage.objects.create storage.objects.delete storage.objects.get storage.objects.list vpcaccess.connectors.get vpcaccess.connectors.use
`roles/cloudscheduler.serviceAgent`	Cloud Scheduler Service Agent ^Alpha	Grants Cloud Scheduler Service Account access to manage resources.	iam.serviceAccounts.getAccessToken iam.serviceAccounts.getOpenIdToken logging.logEntries.create pubsub.topics.publish
`roles/cloudtasks.serviceAgent`	Cloud Tasks Service Agent ^Alpha	Grants Cloud Tasks Service Account access to manage resources.	iam.serviceAccounts.getAccessToken iam.serviceAccounts.getOpenIdToken logging.logEntries.create
`roles/datafusion.serviceAgent`	Cloud Data Fusion API Service Agent ^Alpha	Gives Cloud Data Fusion service account access to Service Networking, Dataproc, Cloud Storage, BigQuery, Spanner, and Bigtable resources.	bigquery.datasets.* bigquery.jobs.create bigquery.models.* bigquery.routines.* bigquery.tables.* bigtable.* compute.acceleratorTypes.* compute.addresses.get compute.addresses.list compute.autoscalers.get compute.autoscalers.list compute.backendBuckets.get compute.backendBuckets.list compute.backendServices.get compute.backendServices.list compute.firewalls.get compute.firewalls.list compute.forwardingRules.get compute.forwardingRules.list compute.globalAddresses.get compute.globalAddresses.list compute.globalForwardingRules.get compute.globalForwardingRules.list compute.globalOperations.get compute.healthChecks.get compute.healthChecks.list compute.httpHealthChecks.get compute.httpHealthChecks.list compute.httpsHealthChecks.get compute.httpsHealthChecks.list compute.instanceGroupManagers.get compute.instanceGroupManagers.list compute.instanceGroups.get compute.instanceGroups.list compute.instances.get compute.instances.getGuestAttributes compute.instances.getScreenshot compute.instances.getSerialPortOutput compute.instances.list compute.instances.listReferrers compute.interconnectAttachments.get compute.interconnectAttachments.list compute.interconnectLocations.* compute.interconnects.get compute.interconnects.list compute.machineTypes.* compute.networks.addPeering compute.networks.get compute.networks.list compute.networks.listPeeringRoutes compute.networks.removePeering compute.networks.update compute.projects.get compute.regionBackendServices.get compute.regionBackendServices.list compute.regionHealthCheckServices.get compute.regionHealthCheckServices.list compute.regionNotificationEndpoints.get compute.regionNotificationEndpoints.list compute.regions.* compute.routers.get compute.routers.list compute.routes.get compute.routes.list compute.sslCertificates.get compute.sslCertificates.list compute.sslPolicies.get compute.sslPolicies.list compute.sslPolicies.listAvailableFeatures compute.subnetworks.get compute.subnetworks.list compute.targetHttpProxies.get compute.targetHttpProxies.list compute.targetHttpsProxies.get compute.targetHttpsProxies.list compute.targetInstances.get compute.targetInstances.list compute.targetPools.get compute.targetPools.list compute.targetSslProxies.get compute.targetSslProxies.list compute.targetTcpProxies.get compute.targetTcpProxies.list compute.targetVpnGateways.get compute.targetVpnGateways.list compute.urlMaps.get compute.urlMaps.list compute.vpnGateways.get compute.vpnGateways.list compute.vpnTunnels.get compute.vpnTunnels.list compute.zones.* dataproc.autoscalingPolicies.create dataproc.autoscalingPolicies.delete dataproc.autoscalingPolicies.get dataproc.autoscalingPolicies.list dataproc.autoscalingPolicies.update dataproc.autoscalingPolicies.use dataproc.clusters.create dataproc.clusters.delete dataproc.clusters.get dataproc.clusters.list dataproc.clusters.update dataproc.clusters.use dataproc.jobs.cancel dataproc.jobs.create dataproc.jobs.delete dataproc.jobs.get dataproc.jobs.list dataproc.jobs.update dataproc.operations.delete dataproc.operations.get dataproc.operations.list dataproc.workflowTemplates.create dataproc.workflowTemplates.delete dataproc.workflowTemplates.get dataproc.workflowTemplates.instantiate dataproc.workflowTemplates.instantiateInline dataproc.workflowTemplates.list dataproc.workflowTemplates.update firebase.projects.get monitoring.metricDescriptors.create monitoring.metricDescriptors.get monitoring.metricDescriptors.list monitoring.monitoredResourceDescriptors.* monitoring.timeSeries.* resourcemanager.projects.get resourcemanager.projects.list servicenetworking.services.get serviceusage.quotas.get serviceusage.services.get serviceusage.services.list spanner.databaseOperations.* spanner.databases.beginOrRollbackReadWriteTransaction spanner.databases.beginReadOnlyTransaction spanner.databases.getDdl spanner.databases.list spanner.databases.read spanner.databases.select spanner.databases.updateDdl spanner.databases.write spanner.instanceConfigs.* spanner.instances.get spanner.instances.list spanner.sessions.* storage.buckets.* storage.objects.*
`roles/dataproc.serviceAgent`	Dataproc Service Agent ^Alpha	Gives Dataproc Service Account access to service accounts, compute resources, and storage resources. Includes access to service accounts.	compute.acceleratorTypes.* compute.addresses.get compute.addresses.list compute.addresses.use compute.autoscalers.* compute.diskTypes.* compute.disks.create compute.disks.createSnapshot compute.disks.delete compute.disks.get compute.disks.list compute.disks.resize compute.disks.setLabels compute.disks.update compute.disks.use compute.disks.useReadOnly compute.firewalls.get compute.firewalls.list compute.globalAddresses.get compute.globalAddresses.list compute.globalAddresses.use compute.globalOperations.get compute.globalOperations.list compute.images.get compute.images.getFromFamily compute.images.list compute.images.useReadOnly compute.instanceGroupManagers.* compute.instanceGroups.* compute.instanceTemplates.* compute.instances.* compute.licenses.get compute.licenses.list compute.machineTypes.* compute.networkEndpointGroups.* compute.networks.get compute.networks.list compute.networks.use compute.networks.useExternalIp compute.projects.get compute.regionOperations.get compute.regionOperations.list compute.regions.* compute.reservations.get compute.reservations.list compute.subnetworks.get compute.subnetworks.list compute.subnetworks.use compute.subnetworks.useExternalIp compute.targetPools.get compute.targetPools.list compute.zoneOperations.get compute.zoneOperations.list compute.zones.* dataproc.autoscalingPolicies.get dataproc.autoscalingPolicies.list dataproc.autoscalingPolicies.use dataproc.clusters.* dataproc.jobs.* firebase.projects.get iam.serviceAccounts.actAs resourcemanager.projects.get resourcemanager.projects.list serviceusage.quotas.get serviceusage.services.get serviceusage.services.list storage.buckets.* storage.objects.*
`roles/serverless.serviceAgent`	Cloud Run Service Agent ^Alpha	Gives Cloud Run service account access to managed resources.	artifactregistry.files.* artifactregistry.packages.get artifactregistry.packages.list artifactregistry.repositories.downloadArtifacts artifactregistry.repositories.get artifactregistry.repositories.list artifactregistry.tags.get artifactregistry.tags.list artifactregistry.versions.get artifactregistry.versions.list clientauthconfig.clients.list cloudbuild.builds.create cloudbuild.builds.get iam.serviceAccounts.actAs iam.serviceAccounts.getAccessToken iam.serviceAccounts.getOpenIdToken iam.serviceAccounts.signBlob pubsub.subscriptions.create pubsub.subscriptions.delete pubsub.subscriptions.get pubsub.subscriptions.list pubsub.topics.attachSubscription pubsub.topics.create pubsub.topics.delete pubsub.topics.get pubsub.topics.list pubsub.topics.publish resourcemanager.projects.get resourcemanager.projects.getIamPolicy resourcemanager.projects.list run.routes.invoke storage.objects.get storage.objects.list
`roles/servicemanagement.admin`	Service Management Administrator	Full control of Google Service Management resources.	monitoring.timeSeries.list resourcemanager.folders.get resourcemanager.folders.list resourcemanager.organizations.get resourcemanager.projects.get resourcemanager.projects.list serviceconsumermanagement.* servicemanagement.services.* serviceusage.quotas.get serviceusage.services.get
`roles/servicemanagement.configEditor`	Service Config Editor	Access to update the service config and create rollouts.	servicemanagement.services.get servicemanagement.services.update
`roles/servicemanagement.quotaAdmin`	Quota Administrator ^Beta	Provides access to administer service quotas.	monitoring.timeSeries.list resourcemanager.organizations.get resourcemanager.projects.get resourcemanager.projects.list servicemanagement.consumerSettings.* serviceusage.quotas.* serviceusage.services.disable serviceusage.services.enable serviceusage.services.get serviceusage.services.list	Project
`roles/servicemanagement.quotaViewer`	Quota Viewer ^Beta	Provides access to view service quotas.	monitoring.timeSeries.list servicemanagement.consumerSettings.get servicemanagement.consumerSettings.getIamPolicy servicemanagement.consumerSettings.list serviceusage.quotas.get serviceusage.services.get serviceusage.services.list	Project
`roles/servicemanagement.serviceConsumer`	Service Consumer	Can enable the service.	servicemanagement.services.bind
`roles/servicemanagement.serviceController`	Service Controller	Runtime control of checking and reporting usage of a service.	servicemanagement.services.check servicemanagement.services.get servicemanagement.services.quota servicemanagement.services.report	Project

Service Networking roles

Role	Title	Description	Permissions	Lowest resource
`roles/servicenetworking.networksAdmin`	Service Networking Admin ^Beta	Full control of service networking with projects.	servicenetworking.*

Service Usage roles

Role	Title	Description	Permissions
`roles/serviceusage.apiKeysAdmin`	API Keys Admin ^Beta	Ability to create, delete, update, get and list API keys for a project.	serviceusage.apiKeys.* serviceusage.operations.get
`roles/serviceusage.apiKeysViewer`	API Keys Viewer ^Beta	Ability to get and list API keys for a project.	serviceusage.apiKeys.get serviceusage.apiKeys.getProjectForKey serviceusage.apiKeys.list
`roles/serviceusage.serviceUsageAdmin`	Service Usage Admin ^Beta	Ability to enable, disable, and inspect service states, inspect operations, and consume quota and billing for a consumer project.	monitoring.timeSeries.list serviceusage.operations.* serviceusage.quotas.* serviceusage.services.*
`roles/serviceusage.serviceUsageConsumer`	Service Usage Consumer ^Beta	Ability to inspect service states and operations, and consume quota and billing for a consumer project.	monitoring.timeSeries.list serviceusage.operations.get serviceusage.operations.list serviceusage.quotas.get serviceusage.services.get serviceusage.services.list serviceusage.services.use
`roles/serviceusage.serviceUsageViewer`	Service Usage Viewer ^Beta	Ability to inspect service states and operations for a consumer project.	monitoring.timeSeries.list serviceusage.operations.get serviceusage.operations.list serviceusage.quotas.get serviceusage.services.get serviceusage.services.list

Source roles

Role	Title	Description	Permissions	Lowest resource
`roles/source.admin`	Source Repository Administrator	Provides permissions to create, update, delete, list, clone, fetch, and browse repositories. Also provides permissions to read and change IAM policies.	source.*	Repository
`roles/source.reader`	Source Repository Reader	Provides permissions to list, clone, fetch, and browse repositories.	source.repos.get source.repos.list	Repository
`roles/source.writer`	Source Repository Writer	Provides permissions to list, clone, fetch, browse, and update repositories.	source.repos.get source.repos.list source.repos.update	Repository

Cloud Spanner roles

Role	Title	Description	Permissions	Lowest resource
`roles/spanner.admin`	Cloud Spanner Admin	Recommended to grant at the project level. Has complete access to all Cloud Spanner resources in a Google Cloud project. A member with this role can: Grant and revoke permissions to other members for all Cloud Spanner resources in the project. Allocate and delete chargeable Cloud Spanner resources. Issue get/list/modify operations on Cloud Spanner resources. Read from and write to all Cloud Spanner databases in the project. Fetch project metadata.	monitoring.timeSeries.list resourcemanager.projects.get resourcemanager.projects.list spanner.*	Project
`roles/spanner.backupAdmin`	Cloud Spanner Backup Admin	Administrator role to manage Cloud Spanner backups. Does not include permissions to restore from Cloud Spanner backups.	monitoring.timeSeries.list resourcemanager.projects.get resourcemanager.projects.list spanner.backupOperations.* spanner.backups.create spanner.backups.delete spanner.backups.get spanner.backups.getIamPolicy spanner.backups.list spanner.backups.setIamPolicy spanner.backups.update spanner.databases.createBackup spanner.databases.get spanner.databases.list spanner.instances.get spanner.instances.list
`roles/spanner.backupWriter`	Cloud Spanner Backup Writer	Role with limited permissions to create and manage Cloud Spanner backups. Does not have permission to modify backups.	spanner.backupOperations.get spanner.backupOperations.list spanner.backups.create spanner.backups.get spanner.backups.list spanner.databases.createBackup spanner.databases.get spanner.databases.list spanner.instances.get
`roles/spanner.databaseAdmin`	Cloud Spanner Database Admin	Recommended to grant at the project level. A member with this role can: Get/list all Cloud Spanner instances in project. Create/list/drop databases in the instance on which it is granted. Grant/revoke access to databases in the project. Read from and write to all Cloud Spanner databases in the project.	monitoring.timeSeries.list resourcemanager.projects.get resourcemanager.projects.list spanner.databaseOperations.* spanner.databases.beginOrRollbackReadWriteTransaction spanner.databases.beginReadOnlyTransaction spanner.databases.create spanner.databases.drop spanner.databases.get spanner.databases.getDdl spanner.databases.getIamPolicy spanner.databases.list spanner.databases.read spanner.databases.select spanner.databases.setIamPolicy spanner.databases.update spanner.databases.updateDdl spanner.databases.write spanner.instances.get spanner.instances.getIamPolicy spanner.instances.list spanner.sessions.*	Project
`roles/spanner.databaseReader`	Cloud Spanner Database Reader	Recommended to grant at the database level. A member with this role can: Read from the Cloud Spanner database. Execute SQL queries on the database. View schema for the database.	spanner.databases.beginReadOnlyTransaction spanner.databases.getDdl spanner.databases.read spanner.databases.select spanner.instances.get spanner.sessions.*	Database
`roles/spanner.databaseUser`	Cloud Spanner Database User	Recommended to grant at the database level. A member with this role can: Read from and write to the Cloud Spanner database. Execute SQL queries on the database, including DML and Partitioned DML. View and update schema for the database.	spanner.databaseOperations.* spanner.databases.beginOrRollbackReadWriteTransaction spanner.databases.beginReadOnlyTransaction spanner.databases.getDdl spanner.databases.read spanner.databases.select spanner.databases.updateDdl spanner.databases.write spanner.instances.get spanner.sessions.*	Database
`roles/spanner.restoreAdmin`	Cloud Spanner Restore Admin	Administrator role to restore Cloud Spanner databases from Cloud Spanner backups.	monitoring.timeSeries.list resourcemanager.projects.get resourcemanager.projects.list spanner.backups.get spanner.backups.list spanner.backups.restoreDatabase spanner.databaseOperations.cancel spanner.databaseOperations.get spanner.databaseOperations.list spanner.databases.create spanner.databases.get spanner.databases.list spanner.instances.get spanner.instances.list
`roles/spanner.viewer`	Cloud Spanner Viewer	Recommended to grant at the project level. A member with this role can: View all Cloud Spanner instances (but cannot modify instances). View all Cloud Spanner databases (but cannot modify databases and cannot read from databases). For example, you can combine this role with the `roles/spanner.databaseUser` role to grant a user with access to a specific database, but only view access to other instances and databases. This role is recommended at the Google Cloud project level for users interacting with Cloud Spanner resources in the Google Cloud Console.	monitoring.timeSeries.list resourcemanager.projects.get resourcemanager.projects.list spanner.databases.list spanner.instanceConfigs.* spanner.instances.get spanner.instances.list	Project

Stackdriver roles

Role	Title	Description	Permissions
`roles/stackdriver.accounts.editor`	Stackdriver Accounts Editor	Read/write access to manage Stackdriver account structure.	resourcemanager.projects.get resourcemanager.projects.list serviceusage.services.enable stackdriver.projects.*
`roles/stackdriver.accounts.viewer`	Stackdriver Accounts Viewer	Read-only access to get and list information about Stackdriver account structure.	resourcemanager.projects.get resourcemanager.projects.list stackdriver.projects.get
`roles/stackdriver.resourceMaintenanceWindow.editor`	Stackdriver Resource Maintenance Window Editor	Read/write access to manage Stackdriver resource maintenance windows.
`roles/stackdriver.resourceMaintenanceWindow.viewer`	Stackdriver Resource Maintenance Window Viewer	Read-only access to information about Stackdriver resource maintenance windows.
`roles/stackdriver.resourceMetadata.writer`	Stackdriver Resource Metadata Writer ^Beta	Write-only access to resource metadata. This provides exactly the permissions needed by the Stackdriver metadata agent and other systems that send metadata.	stackdriver.resourceMetadata.*

Storage roles

Role	Title	Description	Permissions	Lowest resource
`roles/storage.admin`	Storage Admin	Grants full control of objects and buckets. When applied to an individual bucket, control applies only to the specified bucket and objects within the bucket.	firebase.projects.get resourcemanager.projects.get resourcemanager.projects.list storage.buckets.* storage.objects.*	Bucket
`roles/storage.hmacKeyAdmin`	Storage HMAC Key Admin	Full control of Cloud Storage HMAC keys.	firebase.projects.get resourcemanager.projects.get resourcemanager.projects.list storage.hmacKeys.*
`roles/storage.objectAdmin`	Storage Object Admin	Grants full control of objects, including listing, creating, viewing, and deleting objects.	resourcemanager.projects.get resourcemanager.projects.list storage.objects.*	Bucket
`roles/storage.objectCreator`	Storage Object Creator	Allows users to create objects. Does not give permission to view, delete, or overwrite objects.	resourcemanager.projects.get resourcemanager.projects.list storage.objects.create	Bucket
`roles/storage.objectViewer`	Storage Object Viewer	Grants access to view objects and their metadata, excluding ACLs. Can also list the objects in a bucket.	resourcemanager.projects.get resourcemanager.projects.list storage.objects.get storage.objects.list	Bucket
`roles/storagetransfer.admin`	Storage Transfer Admin	Create, update and manage transfer jobs and operations.	resourcemanager.projects.get resourcemanager.projects.list storagetransfer.*
`roles/storagetransfer.user`	Storage Transfer User	Create and update storage transfer jobs and operations.	resourcemanager.projects.get resourcemanager.projects.list storagetransfer.jobs.create storagetransfer.jobs.get storagetransfer.jobs.list storagetransfer.jobs.update storagetransfer.operations.* storagetransfer.projects.*
`roles/storagetransfer.viewer`	Storage Transfer Viewer	Read access to storage transfer jobs and operations.	resourcemanager.projects.get resourcemanager.projects.list storagetransfer.jobs.get storagetransfer.jobs.list storagetransfer.operations.get storagetransfer.operations.list storagetransfer.projects.*

Storage Legacy roles

Role	Title	Description	Permissions	Lowest resource
`roles/storage.legacyBucketOwner`	Storage Legacy Bucket Owner	Grants permission to create, overwrite, and delete objects; list objects in a bucket and read object metadata, excluding Cloud IAM policies, when listing; and read and edit bucket metadata, including Cloud IAM policies. Use of this role is also reflected in the bucket's ACLs. For more information, see Cloud IAM relation to ACLs.	storage.buckets.get storage.buckets.getIamPolicy storage.buckets.setIamPolicy storage.buckets.update storage.objects.create storage.objects.delete storage.objects.list	Bucket
`roles/storage.legacyBucketReader`	Storage Legacy Bucket Reader	Grants permission to list a bucket's contents and read bucket metadata, excluding Cloud IAM policies. Also grants permission to read object metadata, excluding Cloud IAM policies, when listing objects. Use of this role is also reflected in the bucket's ACLs. For more information, see Cloud IAM relation to ACLs.	storage.buckets.get storage.objects.list	Bucket
`roles/storage.legacyBucketWriter`	Storage Legacy Bucket Writer	Grants permission to create, overwrite, and delete objects; list objects in a bucket and read object metadata, excluding Cloud IAM policies, when listing; and read bucket metadata, excluding Cloud IAM policies. Use of this role is also reflected in the bucket's ACLs. For more information, see Cloud IAM relation to ACLs.	storage.buckets.get storage.objects.create storage.objects.delete storage.objects.list	Bucket
`roles/storage.legacyObjectOwner`	Storage Legacy Object Owner	Grants permission to view and edit objects and their metadata, including ACLs.	storage.objects.get storage.objects.getIamPolicy storage.objects.setIamPolicy storage.objects.update	Bucket
`roles/storage.legacyObjectReader`	Storage Legacy Object Reader	Grants permission to view objects and their metadata, excluding ACLs.	storage.objects.get	Bucket

Support roles

Role	Title	Description	Permissions	Lowest resource
`roles/cloudsupport.admin`	Support Account Administrator	Allows management of a support account without giving access to support cases. See the Cloud Support documentation for more information.	cloudsupport.accounts.* cloudsupport.operations.* cloudsupport.properties.*	Organization
`roles/cloudsupport.techSupportEditor`	Tech Support Editor	Full read-write access to technical support cases (Premium Customer Care only).	cloudsupport.properties.* cloudsupport.techCases.* resourcemanager.projects.get resourcemanager.projects.list
`roles/cloudsupport.techSupportViewer`	Tech Support Viewer	Read-only access to technical support cases (Premium Customer Care only).	cloudsupport.properties.* cloudsupport.techCases.get cloudsupport.techCases.list resourcemanager.projects.get resourcemanager.projects.list
`roles/cloudsupport.viewer`	Support Account Viewer	Read-only access to details of a support account. This does not allow viewing cases.	cloudsupport.accounts.get cloudsupport.accounts.getUserRoles cloudsupport.accounts.list cloudsupport.properties.*	Organization

Cloud Threat Detection roles

Role	Title	Description	Permissions	Lowest resource
`roles/threatdetection.editor`	Threat Detection Settings Editor ^Beta	Read-write access to all Threat Detection settings	threatdetection.*	Organization
`roles/threatdetection.viewer`	Threat Detection Settings Viewer ^Beta	Read access to all Threat Detection settings	threatdetection.detectorSettings.get threatdetection.sinkSettings.get threatdetection.sourceSettings.get	Organization

Cloud TPU roles

Role	Title	Description	Permissions	Lowest resource
`roles/tpu.admin`	TPU Admin	Full access to TPU nodes and related resources.	resourcemanager.projects.get resourcemanager.projects.list tpu.*
`roles/tpu.viewer`	TPU Viewer	Read-only access to TPU nodes and related resources.	resourcemanager.projects.get resourcemanager.projects.list tpu.acceleratortypes.* tpu.locations.* tpu.nodes.get tpu.nodes.list tpu.operations.* tpu.tensorflowversions.*

Serverless VPC Access roles

Role	Title	Description	Permissions
`roles/vpaccess.user`	Serverless VPC Access User	User of Serverless VPC Access connectors	resourcemanager.projects.get resourcemanager.projects.list vpcaccess.connectors.get vpcaccess.connectors.list vpcaccess.connectors.use vpcaccess.locations.* vpcaccess.operations.*
`roles/vpaccess.viewer`	Serverless VPC Access Viewer	Viewer of all Serverless VPC Access resources	resourcemanager.projects.get resourcemanager.projects.list vpcaccess.connectors.get vpcaccess.connectors.list vpcaccess.locations.* vpcaccess.operations.*
`roles/vpcaccess.admin`	Serverless VPC Access Admin	Full access to all Serverless VPC Access resources	resourcemanager.projects.get resourcemanager.projects.list vpcaccess.*

Custom roles

In addition to the predefined roles, Cloud IAM also provides the ability to create customized Cloud IAM roles. You can create a custom Cloud IAM role with one or more permissions and then grant that custom role to users who are part of your organization. See Understanding Custom Roles and Creating and Managing Custom Roles for more information.

Product-specific Cloud IAM documentation

Product-specific Cloud IAM documentation explains more about the predefined roles offered by each product. Read the following pages to learn more about the predefined roles.

Documentation	Description
Cloud IAM for App Engine	Explains Cloud IAM roles for App Engine
Cloud IAM for BigQuery	Explains Cloud IAM roles for BigQuery
Cloud IAM for Bigtable	Explains Cloud IAM roles for Bigtable
Cloud IAM for Cloud Billing API	Explains Cloud IAM roles and permissions for Cloud Billing API
Cloud IAM for Dataflow	Explains Cloud IAM roles for Dataflow
Cloud IAM for Dataproc	Explains Cloud IAM roles and permissions for Dataproc
Cloud IAM for Datastore	Explains Cloud IAM roles and permissions for Datastore
Cloud IAM for Cloud DNS	Explains Cloud IAM roles and permissions for Cloud DNS
Cloud IAM for Cloud KMS	Explains Cloud IAM roles and permissions for Cloud KMS
Cloud IAM for AI Platform	Explains Cloud IAM roles and permissions for AI Platform
Cloud IAM for Pub/Sub	Explains Cloud IAM roles for Pub/Sub
Cloud IAM for Spanner	Explains Cloud IAM roles and permissions for Spanner
Cloud IAM for Cloud SQL	Explains Cloud IAM roles for Cloud SQL
Cloud IAM for Cloud Storage	Explains Cloud IAM roles for Cloud Storage
Cloud IAM for Compute Engine	Explains Cloud IAM roles for Compute Engine
Cloud IAM for GKE	Explains Cloud IAM roles and permissions for GKE
Cloud IAM for Deployment Manager	Explains Cloud IAM roles and permissions for Deployment Manager
Cloud IAM for Organizations	Explains Cloud IAM roles for Organization.
Cloud IAM for Folders	Explains Cloud IAM roles for folders.
Cloud IAM for Projects	Explains Cloud IAM roles for projects.
Cloud IAM for Service Management	Explains Cloud IAM roles and permissions for Service Management
Cloud IAM for Cloud Debugger	Explains Cloud IAM roles for Debugger
Cloud IAM for Cloud Logging	Explains Cloud IAM roles for Logging
Cloud IAM for Cloud Monitoring	Explains Cloud IAM roles for Monitoring
Cloud IAM for Cloud Trace	Explains Cloud IAM roles and permissions for Trace

What's next

Learn how to grant Cloud IAM roles to users.
Learn about Custom Roles