This page describes IAM roles and lists the
predefined roles that you can grant to your principals.
A role contains a set of permissions that allows you to perform specific actions on
Google Cloud resources.
To make permissions available to principals, including
users, groups, and service accounts, you grant roles to the principals.
Role types
There are three types of roles in IAM:
Basic roles, which include the Owner, Editor, and Viewer roles that
existed prior to the introduction of IAM.
Predefined roles, which provide granular access for a specific service and
are managed by Google Cloud.
Custom roles, which provide granular access according to a user-specified
list of permissions.
To determine if a permission is included in a basic, predefined, or custom role,
you can use one of the following methods:
The sections below describe each role type and provide examples of how to use
them.
Basic roles
There are several basic roles that existed prior to the introduction of
IAM: Owner, Editor, and Viewer. These roles are concentric;
that is, the Owner role includes the permissions in the Editor role, and the
Editor role includes the permissions in the Viewer role. They were originally
known as "primitive roles."
Caution:
Basic roles include thousands of permissions across all Google Cloud services. In production
environments, do not grant basic roles unless there is no alternative. Instead, grant the most
limited predefined roles or
custom roles that meet your needs.
The following table summarizes the permissions that the basic roles include
across all Google Cloud services:
Basic role definitions
Name
Title
Permissions
roles/viewer
Viewer
Permissions for read-only actions that do not affect state, such as
viewing (but not modifying) existing resources or data.
roles/editor
Editor
All viewer permissions, plus permissions for actions that modify
state, such as changing existing resources.
Note:
The Editor role contains permissions to create and delete resources for
most Google Cloud services. However, it does not contain
permissions to perform all actions for all services. For more
information about how to check whether a role has the permissions that
you need, see
Role types on this page.
roles/owner
Owner
All Editor permissions and permissions for the following actions:
Manage roles and permissions for a project and all resources within
the project.
Set up billing for a project.
Note:
Granting the Owner role at a resource level, such as a
Pub/Sub topic, doesn't grant the Owner role on the
parent project.
Granting the Owner role at the organization level doesn't allow you
to update the organization's metadata. However, it allows you to
modify all projects and other resources under that organization.
To grant the Owner role on a project to a user outside of your
organization, you must use the Cloud console, not the
gcloud CLI. If your project is not part of an organization,
you must use the Cloud console to grant the Owner role.
You can grant basic roles at the project or service resource levels by using the
Cloud console, the API, or the gcloud CLI. For instructions, including how to
grant roles with the Cloud console, see
Granting, changing, and revoking access.
Predefined roles
Beta
Any Beta IAM roles described in this section might be
changed in backward-incompatible ways and are not recommended for production
use. They are not subject to any SLA or deprecation policy.
In addition to the basic roles, IAM provides additional
predefined roles that give granular access to specific Google Cloud
resources and prevent unwanted access to other resources. These roles are
created and maintained by Google. Google automatically updates their permissions
as necessary, such as when Google Cloud adds new features or services.
The following tables list these roles, their description, and the lowest-level
resource type where the roles can be set. A particular role can be granted to
this resource type, or in most cases any type above it in the
Google Cloud resource hierarchy.
You can grant multiple roles to the same user, at any level of the resource
hierarchy. For example, the same user can have the Compute Network Admin and
Logs Viewer roles on a project, and also have the Pub/Sub Publisher role on a
Pub/Sub topic within that project. To list the permissions contained in
a role, see
Getting the role metadata.
For help choosing the most appropriate predefined roles, see
Choose predefined roles.
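The two questions a practitioner keeps asking of these tables are "does this role contain the permission I need?" (the tables write permissions as `service.resource.verb`, with `service.resource.*` standing for every verb on that resource type) and "what does a principal actually hold on a given resource once bindings at different hierarchy levels are combined?" (roles granted on a project apply to every resource in it, while, as the Owner note above says, a role granted on a single topic grants nothing on the parent project). The following is an added example, not Google's code, that answers both from a local copy of role definitions and allow-policy bindings. The permission lists are copied from the Access Approval and Artifact Registry tables on this page; the organization, folder, project, repository and principal names are made up.

```python
"""Added example (not Google's code): evaluate a principal's permission on a
resource from predefined-role permission lists in this page's notation and
allow bindings attached at different levels of the resource hierarchy.
Allow bindings inherit downward only.  Role lists are copied from this page;
organization, folder, project, repository and principal names are made up."""

ROLES = {
    "roles/accessapproval.configEditor": [
        "accessapproval.settings.*",
        "resourcemanager.projects.get",
        "resourcemanager.projects.list",
    ],
    "roles/artifactregistry.writer": [
        "artifactregistry.aptartifacts.*",
        "artifactregistry.dockerimages.*",
        "artifactregistry.files.*",
        "artifactregistry.locations.*",
        "artifactregistry.packages.get",
        "artifactregistry.packages.list",
        "artifactregistry.repositories.downloadArtifacts",
        "artifactregistry.repositories.get",
        "artifactregistry.repositories.list",
        "artifactregistry.repositories.listEffectiveTags",
        "artifactregistry.repositories.listTagBindings",
        "artifactregistry.repositories.uploadArtifacts",
        "artifactregistry.tags.create",
        "artifactregistry.tags.get",
        "artifactregistry.tags.list",
        "artifactregistry.tags.update",
        "artifactregistry.versions.get",
        "artifactregistry.versions.list",
        "artifactregistry.yumartifacts.*",
    ],
}


def role_grants(role, permission):
    """True if the role's list contains the permission.  A trailing ".*"
    entry stands for every verb on that resource type, so
    "accessapproval.settings.*" covers "accessapproval.settings.update"."""
    for entry in ROLES[role]:
        if entry == permission:
            return True
        if entry.endswith(".*") and permission.startswith(entry[:-1]):
            return True
    return False


def ancestors(resource):
    """The resource itself, then each ancestor up to the organization.
    Resources are written as "type/id" pairs joined by "/"."""
    parts = resource.split("/")
    return ["/".join(parts[:n]) for n in range(len(parts), 0, -2)]


def effective_roles(policy, resource, member):
    """Roles the member holds on the resource: bindings on the resource plus
    bindings on every ancestor.  Nothing flows upward from descendants."""
    roles = set()
    for node in ancestors(resource):
        for binding in policy.get(node, []):
            if member in binding["members"]:
                roles.add(binding["role"])
    return roles


def has_permission(policy, resource, member, permission):
    return any(role_grants(r, permission)
               for r in effective_roles(policy, resource, member))


def missing_permissions(policy, resource, member, required):
    """Required permissions the member does NOT hold on the resource: the
    check to run before assuming a role covers an operation."""
    return sorted(p for p in required
                  if not has_permission(policy, resource, member, p))


# Constructed hierarchy and allow policy (made-up names), keyed by the
# resource each set of bindings is attached to.
ORG = "organizations/111"
FOLDER = ORG + "/folders/222"
PROJECT = FOLDER + "/projects/example-project"
REPO = PROJECT + "/locations/us/repositories/images"
CI = "serviceAccount:ci@example-project.iam.gserviceaccount.com"
POLICY = {
    FOLDER: [{"role": "roles/accessapproval.configEditor",
              "members": ["user:bob@example.com"]}],
    REPO: [{"role": "roles/artifactregistry.writer", "members": [CI]}],
}

if __name__ == "__main__":
    # Repository-level grant works on the repository (via a ".*" entry) ...
    print(has_permission(POLICY, REPO, CI, "artifactregistry.dockerimages.get"))
    # ... but does not flow up to the project.
    print(has_permission(POLICY, PROJECT, CI, "artifactregistry.repositories.list"))
    # Folder-level grant is inherited by the project; the second permission is not held.
    print(missing_permissions(POLICY, PROJECT, "user:bob@example.com",
          ["accessapproval.settings.update", "artifactregistry.repositories.list"]))
```

The `ROLES` table here is a hand-copied excerpt; in practice populate it from the role metadata (the "Getting the role metadata" page describes how) so that a role Google later widens is re-evaluated rather than frozen. The model covers allow bindings only; it does not account for IAM deny policies, IAM conditions, or organization policy constraints, any of which can remove access that this evaluation reports as granted.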
Access Approval roles
Role
Permissions
Access Approval Approver
Beta
(roles/accessapproval.approver)
Ability to view or act on access approval requests and view configuration
accessapproval.requests.*
accessapproval.settings.get
resourcemanager.projects.get
resourcemanager.projects.list
Access Approval Config Editor
Beta
(roles/accessapproval.configEditor)
Ability to update the Access Approval configuration
accessapproval.settings.*
resourcemanager.projects.get
resourcemanager.projects.list
Access Approval Viewer
Beta
(roles/accessapproval.viewer)
Ability to view access approval requests and configuration
accessapproval.requests.get
accessapproval.requests.list
accessapproval.settings.get
resourcemanager.projects.get
resourcemanager.projects.list
Access Context Manager roles
Role
Permissions
Cloud Access Binding Admin
(roles/accesscontextmanager.gcpAccessAdmin)
Create, edit, and change Cloud access bindings.
accesscontextmanager.gcpUserAccessBindings.*
Cloud Access Binding Reader
(roles/accesscontextmanager.gcpAccessReader)
Read access to Cloud access bindings.
accesscontextmanager.gcpUserAccessBindings.get
accesscontextmanager.gcpUserAccessBindings.list
Access Context Manager Admin
(roles/accesscontextmanager.policyAdmin)
Full access to policies, access levels, and access zones
accesscontextmanager.accessLevels.*
accesscontextmanager.accessPolicies.*
accesscontextmanager.accessZones.*
accesscontextmanager.policies.*
accesscontextmanager.servicePerimeters.*
cloudasset.assets.searchAllResources
resourcemanager.organizations.get
resourcemanager.projects.get
resourcemanager.projects.list
Access Context Manager Editor
(roles/accesscontextmanager.policyEditor)
Edit access to policies. Create, edit, and change access levels and access zones.
accesscontextmanager.accessLevels.*
accesscontextmanager.accessPolicies.create
accesscontextmanager.accessPolicies.delete
accesscontextmanager.accessPolicies.get
accesscontextmanager.accessPolicies.getIamPolicy
accesscontextmanager.accessPolicies.list
accesscontextmanager.accessPolicies.update
accesscontextmanager.accessZones.*
accesscontextmanager.policies.create
accesscontextmanager.policies.delete
accesscontextmanager.policies.get
accesscontextmanager.policies.getIamPolicy
accesscontextmanager.policies.list
accesscontextmanager.policies.update
accesscontextmanager.servicePerimeters.*
cloudasset.assets.searchAllResources
resourcemanager.organizations.get
resourcemanager.projects.get
resourcemanager.projects.list
Access Context Manager Reader
(roles/accesscontextmanager.policyReader)
Read access to policies, access levels, and access zones.
accesscontextmanager.accessLevels.get
accesscontextmanager.accessLevels.list
accesscontextmanager.accessPolicies.get
accesscontextmanager.accessPolicies.getIamPolicy
accesscontextmanager.accessPolicies.list
accesscontextmanager.accessZones.get
accesscontextmanager.accessZones.list
accesscontextmanager.policies.get
accesscontextmanager.policies.getIamPolicy
accesscontextmanager.policies.list
accesscontextmanager.servicePerimeters.get
accesscontextmanager.servicePerimeters.list
resourcemanager.organizations.get
resourcemanager.projects.get
resourcemanager.projects.list
VPC Service Controls Troubleshooter Viewer
(roles/accesscontextmanager.vpcScTroubleshooterViewer)
accesscontextmanager.accessLevels.get
accesscontextmanager.accessLevels.list
accesscontextmanager.policies.get
accesscontextmanager.policies.getIamPolicy
accesscontextmanager.policies.list
accesscontextmanager.servicePerimeters.get
accesscontextmanager.servicePerimeters.list
logging.exclusions.get
logging.exclusions.list
logging.logEntries.list
logging.logMetrics.get
logging.logMetrics.list
logging.logServiceIndexes.*
logging.logServices.*
logging.logs.list
logging.sinks.get
logging.sinks.list
logging.usage.*
resourcemanager.organizations.get
resourcemanager.projects.get
resourcemanager.projects.list
Actions roles
Role
Permissions
Actions Admin
(roles/actions.Admin)
Access to edit and deploy an action
actions.*
firebase.projects.get
firebase.projects.update
resourcemanager.projects.get
resourcemanager.projects.list
serviceusage.services.use
Actions Viewer
(roles/actions.Viewer)
Access to view an action
actions.agent.get
actions.agentVersions.get
actions.agentVersions.list
firebase.projects.get
resourcemanager.projects.get
resourcemanager.projects.list
serviceusage.services.use
AI Platform roles
Role
Permissions
AI Platform Admin
(roles/ml.admin)
Provides full access to AI Platform resources, and its jobs,
operations, models, and versions.
Lowest-level resources where you can grant this role:
ml.*
resourcemanager.projects.get
AI Platform Developer
(roles/ml.developer)
Provides ability to use AI Platform resources for creating models,
versions, jobs for training and prediction, and sending online prediction
requests.
Lowest-level resources where you can grant this role:
ml.jobs.create
ml.jobs.get
ml.jobs.getIamPolicy
ml.jobs.list
ml.locations.*
ml.models.create
ml.models.get
ml.models.getIamPolicy
ml.models.list
ml.models.predict
ml.operations.get
ml.operations.list
ml.projects.*
ml.studies.*
ml.trials.*
ml.versions.get
ml.versions.list
ml.versions.predict
resourcemanager.projects.get
AI Platform Job Owner
(roles/ml.jobOwner)
Provides full access to all permissions for a particular job resource. This
role is automatically granted to the user who creates the job.
Lowest-level resources where you can grant this role:
AI Platform Model Owner
(roles/ml.modelOwner)
Provides full access to the model and its versions. This role is
automatically granted to the user who creates the model.
Lowest-level resources where you can grant this role:
ml.models.*
ml.versions.*
AI Platform Model User
(roles/ml.modelUser)
Provides permissions to read the model and its versions, and use them for
prediction.
Lowest-level resources where you can grant this role:
ml.models.get
ml.models.predict
ml.versions.get
ml.versions.list
ml.versions.predict
AI Platform Operation Owner
(roles/ml.operationOwner)
Provides full access to all permissions for a particular operation resource.
Lowest-level resources where you can grant this role:
AI Platform Viewer
(roles/ml.viewer)
Provides read-only access to AI Platform resources.
Lowest-level resources where you can grant this role:
ml.jobs.get
ml.jobs.list
ml.locations.*
ml.models.get
ml.models.list
ml.operations.get
ml.operations.list
ml.projects.*
ml.studies.get
ml.studies.getIamPolicy
ml.studies.list
ml.trials.get
ml.trials.list
ml.versions.get
ml.versions.list
resourcemanager.projects.get
Analytics Hub roles
Role
Permissions
Analytics Hub Admin
Beta
(roles/analyticshub.admin)
Administer Data Exchanges and Listings
analyticshub.dataExchanges.*
analyticshub.listings.create
analyticshub.listings.delete
analyticshub.listings.get
analyticshub.listings.getIamPolicy
analyticshub.listings.list
analyticshub.listings.setIamPolicy
analyticshub.listings.update
resourcemanager.projects.get
resourcemanager.projects.list
Analytics Hub Listing Admin
Beta
(roles/analyticshub.listingAdmin)
Grants full control over the Listing, including updating, deleting and setting ACLs
analyticshub.dataExchanges.get
analyticshub.dataExchanges.getIamPolicy
analyticshub.dataExchanges.list
analyticshub.listings.delete
analyticshub.listings.get
analyticshub.listings.getIamPolicy
analyticshub.listings.list
analyticshub.listings.setIamPolicy
analyticshub.listings.update
resourcemanager.projects.get
resourcemanager.projects.list
Analytics Hub Publisher
Beta
(roles/analyticshub.publisher)
Can publish to Data Exchanges thus creating Listings
analyticshub.dataExchanges.get
analyticshub.dataExchanges.getIamPolicy
analyticshub.dataExchanges.list
analyticshub.listings.create
analyticshub.listings.get
analyticshub.listings.getIamPolicy
analyticshub.listings.list
resourcemanager.projects.get
resourcemanager.projects.list
Analytics Hub Subscriber
Beta
(roles/analyticshub.subscriber)
Can browse Data Exchanges and subscribe to Listings
analyticshub.dataExchanges.get
analyticshub.dataExchanges.getIamPolicy
analyticshub.dataExchanges.list
analyticshub.listings.get
analyticshub.listings.getIamPolicy
analyticshub.listings.list
analyticshub.listings.subscribe
resourcemanager.projects.get
resourcemanager.projects.list
Analytics Hub Viewer
Beta
(roles/analyticshub.viewer)
Can browse Data Exchanges and Listings
analyticshub.dataExchanges.get
analyticshub.dataExchanges.getIamPolicy
analyticshub.dataExchanges.list
analyticshub.listings.get
analyticshub.listings.getIamPolicy
analyticshub.listings.list
resourcemanager.projects.get
resourcemanager.projects.list
Android Management roles
Role
Permissions
Android Management User
(roles/androidmanagement.user)
Full access to manage devices.
androidmanagement.*
serviceusage.quotas.get
serviceusage.services.get
serviceusage.services.list
Anthos Multi-cloud roles
Role
Permissions
Anthos Multi-cloud Admin
(roles/gkemulticloud.admin)
Admin access to Anthos Multi-cloud resources.
gkemulticloud.*
resourcemanager.projects.get
resourcemanager.projects.list
Anthos Multi-cloud Telemetry Writer
(roles/gkemulticloud.telemetryWriter)
Grants access to write cluster telemetry data such as logs, metrics, and resource metadata.
logging.logEntries.create
monitoring.metricDescriptors.create
monitoring.metricDescriptors.get
monitoring.metricDescriptors.list
monitoring.monitoredResourceDescriptors.*
monitoring.timeSeries.create
opsconfigmonitoring.resourceMetadata.write
Anthos Multi-cloud Viewer
(roles/gkemulticloud.viewer)
Viewer access to Anthos Multi-cloud resources.
gkemulticloud.awsClusters.generateAccessToken
gkemulticloud.awsClusters.get
gkemulticloud.awsClusters.list
gkemulticloud.awsNodePools.get
gkemulticloud.awsNodePools.list
gkemulticloud.awsServerConfigs.*
gkemulticloud.azureClients.get
gkemulticloud.azureClients.list
gkemulticloud.azureClusters.generateAccessToken
gkemulticloud.azureClusters.get
gkemulticloud.azureClusters.list
gkemulticloud.azureNodePools.get
gkemulticloud.azureNodePools.list
gkemulticloud.azureServerConfigs.*
gkemulticloud.operations.get
gkemulticloud.operations.list
gkemulticloud.operations.wait
resourcemanager.projects.get
resourcemanager.projects.list
API Gateway roles
Role
Permissions
ApiGateway Admin
(roles/apigateway.admin)
Full access to ApiGateway and related resources.
apigateway.*
monitoring.metricDescriptors.list
monitoring.monitoredResourceDescriptors.get
monitoring.timeSeries.list
resourcemanager.projects.get
resourcemanager.projects.list
servicemanagement.services.get
serviceusage.services.list
ApiGateway Viewer
(roles/apigateway.viewer)
Read-only access to ApiGateway and related resources.
apigateway.apiconfigs.get
apigateway.apiconfigs.getIamPolicy
apigateway.apiconfigs.list
apigateway.apis.get
apigateway.apis.getIamPolicy
apigateway.apis.list
apigateway.gateways.get
apigateway.gateways.getIamPolicy
apigateway.gateways.list
apigateway.locations.*
apigateway.operations.get
apigateway.operations.list
monitoring.metricDescriptors.list
monitoring.monitoredResourceDescriptors.get
monitoring.timeSeries.list
resourcemanager.projects.get
resourcemanager.projects.list
servicemanagement.services.get
serviceusage.services.list
Apigee roles
Apigee Registry roles
Role
Permissions
Cloud Apigee Registry Admin
Beta
(roles/apigeeregistry.admin)
Full access to Cloud Apigee Registry Registry and Runtime resources.
apigeeregistry.*
resourcemanager.projects.get
resourcemanager.projects.list
Cloud Apigee Registry Editor
Beta
(roles/apigeeregistry.editor)
Edit access to Cloud Apigee Registry Registry resources.
apigeeregistry.apis.create
apigeeregistry.apis.delete
apigeeregistry.apis.get
apigeeregistry.apis.getIamPolicy
apigeeregistry.apis.list
apigeeregistry.apis.update
apigeeregistry.artifacts.create
apigeeregistry.artifacts.delete
apigeeregistry.artifacts.get
apigeeregistry.artifacts.getIamPolicy
apigeeregistry.artifacts.list
apigeeregistry.artifacts.update
apigeeregistry.deployments.*
apigeeregistry.specs.create
apigeeregistry.specs.delete
apigeeregistry.specs.get
apigeeregistry.specs.getIamPolicy
apigeeregistry.specs.list
apigeeregistry.specs.update
apigeeregistry.versions.create
apigeeregistry.versions.delete
apigeeregistry.versions.get
apigeeregistry.versions.getIamPolicy
apigeeregistry.versions.list
apigeeregistry.versions.update
resourcemanager.projects.get
resourcemanager.projects.list
Cloud Apigee Registry Viewer
Beta
(roles/apigeeregistry.viewer)
Read-only access to Cloud Apigee Registry Registry resources.
apigeeregistry.apis.get
apigeeregistry.apis.list
apigeeregistry.artifacts.get
apigeeregistry.artifacts.list
apigeeregistry.deployments.get
apigeeregistry.deployments.list
apigeeregistry.specs.get
apigeeregistry.specs.list
apigeeregistry.versions.get
apigeeregistry.versions.list
resourcemanager.projects.get
resourcemanager.projects.list
Cloud Apigee Registry Worker
Beta
(roles/apigeeregistry.worker)
The role used by Apigee Registry application workers to read and update Apigee Registry Artifacts.
apigeeregistry.apis.get
apigeeregistry.apis.list
apigeeregistry.apis.update
apigeeregistry.artifacts.create
apigeeregistry.artifacts.delete
apigeeregistry.artifacts.get
apigeeregistry.artifacts.list
apigeeregistry.artifacts.update
apigeeregistry.deployments.get
apigeeregistry.deployments.list
apigeeregistry.deployments.update
apigeeregistry.specs.get
apigeeregistry.specs.list
apigeeregistry.specs.update
apigeeregistry.versions.get
apigeeregistry.versions.list
apigeeregistry.versions.update
resourcemanager.projects.get
resourcemanager.projects.list
App Engine roles
Role
Permissions
App Engine Admin
(roles/appengine.appAdmin)
Read/Write/Modify access to all application configuration and settings.
To deploy new versions, a principal must have the
Service Account User (roles/iam.serviceAccountUser) role on the App Engine
default service account, and the
Cloud Build Editor (roles/cloudbuild.builds.editor) and Cloud Storage Object
Admin (roles/storage.objectAdmin) roles on the project.
Lowest-level resources where you can grant this role:
appengine.applications.get
appengine.applications.update
appengine.instances.*
appengine.operations.*
appengine.runtimes.*
appengine.services.*
appengine.versions.create
appengine.versions.delete
appengine.versions.get
appengine.versions.list
appengine.versions.update
resourcemanager.projects.get
resourcemanager.projects.list
App Engine Creator
(roles/appengine.appCreator)
Ability to create the App Engine resource for the project.
Lowest-level resources where you can grant this role:
appengine.applications.create
resourcemanager.projects.get
resourcemanager.projects.list
App Engine Viewer
(roles/appengine.appViewer)
Read-only access to all application configuration and settings.
Lowest-level resources where you can grant this role:
appengine.applications.get
appengine.instances.get
appengine.instances.list
appengine.operations.*
appengine.services.get
appengine.services.list
appengine.versions.get
appengine.versions.list
resourcemanager.projects.get
resourcemanager.projects.list
App Engine Code Viewer
(roles/appengine.codeViewer)
Read-only access to all application configuration, settings, and deployed
source code.
Lowest-level resources where you can grant this role:
appengine.applications.get
appengine.instances.get
appengine.instances.list
appengine.operations.*
appengine.services.get
appengine.services.list
appengine.versions.get
appengine.versions.getFileContents
appengine.versions.list
resourcemanager.projects.get
resourcemanager.projects.list
App Engine Deployer
(roles/appengine.deployer)
Read-only access to all application configuration and settings.
To deploy new versions, you must also have the
Service Account User (roles/iam.serviceAccountUser) role on the App Engine
default service account, and the
Cloud Build Editor (roles/cloudbuild.builds.editor) and Cloud Storage Object
Admin (roles/storage.objectAdmin) roles on the project.
Cannot modify existing versions other than deleting versions that are not receiving traffic.
Lowest-level resources where you can grant this role:
appengine.applications.get
appengine.instances.get
appengine.instances.list
appengine.operations.*
appengine.services.get
appengine.services.list
appengine.versions.create
appengine.versions.delete
appengine.versions.get
appengine.versions.list
resourcemanager.projects.get
resourcemanager.projects.list
App Engine Service Admin
(roles/appengine.serviceAdmin)
Read-only access to all application configuration and settings.
Write access to module-level and version-level settings. Cannot deploy a new version.
Lowest-level resources where you can grant this role:
appengine.applications.get
appengine.instances.*
appengine.operations.*
appengine.services.*
appengine.versions.delete
appengine.versions.get
appengine.versions.list
appengine.versions.update
resourcemanager.projects.get
resourcemanager.projects.list
Artifact Registry roles
Role
Permissions
Artifact Registry Administrator
(roles/artifactregistry.admin)
Administrator access to create and manage repositories.
Artifact Registry Reader
(roles/artifactregistry.reader)
Access to read repository items.
artifactregistry.dockerimages.*
artifactregistry.files.*
artifactregistry.locations.*
artifactregistry.packages.get
artifactregistry.packages.list
artifactregistry.repositories.downloadArtifacts
artifactregistry.repositories.get
artifactregistry.repositories.list
artifactregistry.repositories.listEffectiveTags
artifactregistry.repositories.listTagBindings
artifactregistry.tags.get
artifactregistry.tags.list
artifactregistry.versions.get
artifactregistry.versions.list
Artifact Registry Repository Administrator
(roles/artifactregistry.repoAdmin)
Access to manage artifacts in repositories.
artifactregistry.aptartifacts.*
artifactregistry.dockerimages.*
artifactregistry.files.*
artifactregistry.locations.*
artifactregistry.packages.*
artifactregistry.repositories.deleteArtifacts
artifactregistry.repositories.downloadArtifacts
artifactregistry.repositories.get
artifactregistry.repositories.list
artifactregistry.repositories.listEffectiveTags
artifactregistry.repositories.listTagBindings
artifactregistry.repositories.uploadArtifacts
artifactregistry.tags.*
artifactregistry.versions.*
artifactregistry.yumartifacts.*
Artifact Registry Writer
(roles/artifactregistry.writer)
Access to read and write repository items.
artifactregistry.aptartifacts.*
artifactregistry.dockerimages.*
artifactregistry.files.*
artifactregistry.locations.*
artifactregistry.packages.get
artifactregistry.packages.list
artifactregistry.repositories.downloadArtifacts
artifactregistry.repositories.get
artifactregistry.repositories.list
artifactregistry.repositories.listEffectiveTags
artifactregistry.repositories.listTagBindings
artifactregistry.repositories.uploadArtifacts
artifactregistry.tags.create
artifactregistry.tags.get
artifactregistry.tags.list
artifactregistry.tags.update
artifactregistry.versions.get
artifactregistry.versions.list
artifactregistry.yumartifacts.*
Assured Workloads roles
Role
Permissions
Assured Workloads Administrator
(roles/assuredworkloads.admin)
Grants full access to Assured Workloads resources, to project and folder (Cloud Resource Manager) resources, and to Organization Policy administration.
assuredworkloads.*
logging.cmekSettings.update
orgpolicy.policy.*
resourcemanager.folders.create
resourcemanager.folders.get
resourcemanager.folders.list
resourcemanager.organizations.get
resourcemanager.projects.create
resourcemanager.projects.get
resourcemanager.projects.list
Assured Workloads Editor
(roles/assuredworkloads.editor)
Grants read and write access to Assured Workloads resources, to project and folder (Cloud Resource Manager) resources, and to Organization Policy administration.
assuredworkloads.*
orgpolicy.policy.*
resourcemanager.folders.create
resourcemanager.folders.get
resourcemanager.folders.list
resourcemanager.organizations.get
resourcemanager.projects.create
resourcemanager.projects.get
resourcemanager.projects.list
Assured Workloads Reader
(roles/assuredworkloads.reader)
Grants read access to all Assured Workloads resources and to project and folder (Cloud Resource Manager) resources.
assuredworkloads.operations.*
assuredworkloads.violations.*
assuredworkloads.workload.get
assuredworkloads.workload.list
resourcemanager.folders.get
resourcemanager.folders.list
resourcemanager.organizations.get
resourcemanager.projects.get
resourcemanager.projects.list
AutoML roles
Role
Permissions
AutoML Admin
Beta
(roles/automl.admin)
Full access to all AutoML resources
Lowest-level resources where you can grant this role:
automl.*
resourcemanager.projects.get
resourcemanager.projects.list
serviceusage.services.list
AutoML Editor
Beta
(roles/automl.editor)
Editor of all AutoML resources
Lowest-level resources where you can grant this role:
automl.annotationSpecs.*
automl.annotations.*
automl.columnSpecs.*
automl.datasets.create
automl.datasets.delete
automl.datasets.export
automl.datasets.get
automl.datasets.import
automl.datasets.list
automl.datasets.update
automl.examples.*
automl.humanAnnotationTasks.*
automl.locations.get
automl.locations.list
automl.modelEvaluations.*
automl.models.create
automl.models.delete
automl.models.deploy
automl.models.export
automl.models.get
automl.models.list
automl.models.predict
automl.models.undeploy
automl.operations.*
automl.tableSpecs.*
resourcemanager.projects.get
resourcemanager.projects.list
serviceusage.services.list
AutoML Predictor
Beta
(roles/automl.predictor)
Predict using models
Lowest-level resources where you can grant this role:
automl.models.predict
resourcemanager.projects.get
resourcemanager.projects.list
AutoML Viewer
Beta
(roles/automl.viewer)
Viewer of all AutoML resources
Lowest-level resources where you can grant this role:
automl.annotationSpecs.get
automl.annotationSpecs.list
automl.annotations.list
automl.columnSpecs.get
automl.columnSpecs.list
automl.datasets.get
automl.datasets.list
automl.examples.get
automl.examples.list
automl.humanAnnotationTasks.get
automl.humanAnnotationTasks.list
automl.locations.get
automl.locations.list
automl.modelEvaluations.get
automl.modelEvaluations.list
automl.models.get
automl.models.list
automl.operations.get
automl.operations.list
automl.tableSpecs.get
automl.tableSpecs.list
resourcemanager.projects.get
resourcemanager.projects.list
serviceusage.services.list
Backup for GKE roles
Role
Permissions
Backup for GKE Admin
Beta
(roles/gkebackup.admin)
Full access to all Backup for GKE resources.
gkebackup.*
resourcemanager.projects.get
resourcemanager.projects.list
Backup for GKE Backup Admin
Beta
(roles/gkebackup.backupAdmin)
Allows administrators to manage all BackupPlan and Backup resources.
gkebackup.backupPlans.*
gkebackup.backups.*
gkebackup.locations.*
gkebackup.operations.get
gkebackup.operations.list
gkebackup.volumeBackups.*
resourcemanager.projects.get
resourcemanager.projects.list
Backup for GKE Delegated Backup Admin
Beta
(roles/gkebackup.delegatedBackupAdmin)
Allows administrators to manage Backup resources for specific BackupPlans
gkebackup.backupPlans.get
gkebackup.backups.*
gkebackup.volumeBackups.*
Backup for GKE Delegated Restore Admin
Beta
(roles/gkebackup.delegatedRestoreAdmin)
Allows administrators to manage Restore resources for specific RestorePlans
gkebackup.restorePlans.get
gkebackup.restores.*
gkebackup.volumeRestores.*
Backup for GKE Restore Admin
Beta
(roles/gkebackup.restoreAdmin)
Allows administrators to manage all RestorePlan and Restore resources.
gkebackup.backupPlans.get
gkebackup.backupPlans.list
gkebackup.backups.get
gkebackup.backups.list
gkebackup.locations.*
gkebackup.operations.get
gkebackup.operations.list
gkebackup.restorePlans.*
gkebackup.restores.*
gkebackup.volumeBackups.*
gkebackup.volumeRestores.*
resourcemanager.projects.get
resourcemanager.projects.list
Backup for GKE Viewer
Beta
(roles/gkebackup.viewer)
Read-only access to all Backup for GKE resources.
gkebackup.backupPlans.get
gkebackup.backupPlans.getIamPolicy
gkebackup.backupPlans.list
gkebackup.backups.get
gkebackup.backups.list
gkebackup.locations.*
gkebackup.operations.get
gkebackup.operations.list
gkebackup.restorePlans.get
gkebackup.restorePlans.getIamPolicy
gkebackup.restorePlans.list
gkebackup.restores.get
gkebackup.restores.list
gkebackup.volumeBackups.*
gkebackup.volumeRestores.*
resourcemanager.projects.get
resourcemanager.projects.list
BigQuery roles
Role
Permissions
BigQuery Admin
(roles/bigquery.admin)
Provides permissions to manage all resources within the project. Can manage
all data within the project, and can cancel jobs from other users running
within the project.
Lowest-level resources where you can grant this role:
Datasets
Row access policies
Tables
Views
bigquery.bireservations.*
bigquery.capacityCommitments.*
bigquery.config.*
bigquery.connections.*
bigquery.dataPolicies.create
bigquery.dataPolicies.delete
bigquery.dataPolicies.get
bigquery.dataPolicies.getIamPolicy
bigquery.dataPolicies.list
bigquery.dataPolicies.setIamPolicy
bigquery.dataPolicies.update
bigquery.datasets.*
bigquery.jobs.*
bigquery.models.*
bigquery.readsessions.*
bigquery.reservationAssignments.*
bigquery.reservations.*
bigquery.routines.*
bigquery.rowAccessPolicies.create
bigquery.rowAccessPolicies.delete
bigquery.rowAccessPolicies.getIamPolicy
bigquery.rowAccessPolicies.list
bigquery.rowAccessPolicies.overrideTimeTravelRestrictions
bigquery.rowAccessPolicies.setIamPolicy
bigquery.rowAccessPolicies.update
bigquery.savedqueries.*
bigquery.tables.*
bigquery.transfers.*
bigquerymigration.translation.*
resourcemanager.projects.get
resourcemanager.projects.list
BigQuery Connection Admin
(roles/bigquery.connectionAdmin)
BigQuery Connection User
(roles/bigquery.connectionUser)
bigquery.connections.get
bigquery.connections.getIamPolicy
bigquery.connections.list
bigquery.connections.use
BigQuery Data Editor
(roles/bigquery.dataEditor)
When applied to a table or view, this role provides permissions to:
Read and update data and metadata for the table or view.
Delete the table or view.
This role cannot be applied to individual models or routines.
When applied to a dataset, this role provides permissions to:
Read the dataset's metadata and list tables in the dataset.
Create, update, get, and delete the dataset's tables.
When applied at the project or organization level, this role can also
create new datasets.
Lowest-level resources where you can grant this role:
bigquery.config.get
bigquery.datasets.create
bigquery.datasets.get
bigquery.datasets.getIamPolicy
bigquery.datasets.updateTag
bigquery.models.*
bigquery.routines.*
bigquery.tables.create
bigquery.tables.createIndex
bigquery.tables.createSnapshot
bigquery.tables.delete
bigquery.tables.deleteIndex
bigquery.tables.export
bigquery.tables.get
bigquery.tables.getData
bigquery.tables.getIamPolicy
bigquery.tables.list
bigquery.tables.restoreSnapshot
bigquery.tables.update
bigquery.tables.updateData
bigquery.tables.updateTag
resourcemanager.projects.get
resourcemanager.projects.list
BigQuery Data Owner
(roles/bigquery.dataOwner)
When applied to a table or view, this role provides permissions to:
Read and update data and metadata for the table or view.
Share the table or view.
Delete the table or view.
This role cannot be applied to individual models or routines.
When applied to a dataset, this role provides permissions to:
Read, update, and delete the dataset.
Create, update, get, and delete the dataset's tables.
When applied at the project or organization level, this role can also
create new datasets.
Lowest-level resources where you can grant this role:
bigquery.config.get
bigquery.dataPolicies.create
bigquery.dataPolicies.delete
bigquery.dataPolicies.get
bigquery.dataPolicies.getIamPolicy
bigquery.dataPolicies.list
bigquery.dataPolicies.setIamPolicy
bigquery.dataPolicies.update
bigquery.datasets.*
bigquery.models.*
bigquery.routines.*
bigquery.rowAccessPolicies.create
bigquery.rowAccessPolicies.delete
bigquery.rowAccessPolicies.getIamPolicy
bigquery.rowAccessPolicies.list
bigquery.rowAccessPolicies.setIamPolicy
bigquery.rowAccessPolicies.update
bigquery.tables.*
resourcemanager.projects.get
resourcemanager.projects.list
BigQuery Data Viewer (roles/bigquery.dataViewer)
When applied to a table or view, this role provides permissions to:
Read data and metadata from the table or view.
This role cannot be applied to individual models or routines.
When applied to a dataset, this role provides permissions to:
Read the dataset's metadata and list tables in the dataset.
Read data and metadata from the dataset's tables.
When applied at the project or organization level, this role can also
enumerate all datasets in the project. Additional roles, however, are
necessary to allow the running of jobs.
Lowest-level resources where you can grant this role:
bigquery.datasets.get
bigquery.datasets.getIamPolicy
bigquery.models.export
bigquery.models.getData
bigquery.models.getMetadata
bigquery.models.list
bigquery.routines.get
bigquery.routines.list
bigquery.tables.createSnapshot
bigquery.tables.export
bigquery.tables.get
bigquery.tables.getData
bigquery.tables.getIamPolicy
bigquery.tables.list
resourcemanager.projects.get
resourcemanager.projects.list
BigQuery Filtered Data Viewer (roles/bigquery.filteredDataViewer)
Access to view filtered table data defined by a row access policy
bigquery.rowAccessPolicies.getFilteredData
BigQuery Job User (roles/bigquery.jobUser)
Provides permissions to run jobs, including queries, within the project.
Lowest-level resources where you can grant this role:
bigquery.config.get
bigquery.jobs.create
resourcemanager.projects.get
resourcemanager.projects.list
BigQuery Metadata Viewer (roles/bigquery.metadataViewer)
When applied to a table or view, this role provides permissions to:
Read metadata from the table or view.
This role cannot be applied to individual models or routines.
When applied to a dataset, this role provides permissions to:
List tables and views in the dataset.
Read metadata from the dataset's tables and views.
When applied at the project or organization level, this role provides permissions to:
List all datasets and read metadata for all datasets in the project.
List all tables and views and read metadata for all tables and views
in the project.
Additional roles are necessary to allow the running of jobs.
Lowest-level resources where you can grant this role:
bigquery.datasets.get
bigquery.datasets.getIamPolicy
bigquery.models.getMetadata
bigquery.models.list
bigquery.routines.get
bigquery.routines.list
bigquery.tables.get
bigquery.tables.getIamPolicy
bigquery.tables.list
resourcemanager.projects.get
resourcemanager.projects.list
BigQuery Read Session User (roles/bigquery.readSessionUser)
Access to create and use read sessions
bigquery.readsessions.*
resourcemanager.projects.get
resourcemanager.projects.list
BigQuery Resource Admin (roles/bigquery.resourceAdmin)
Administer all BigQuery resources.
bigquery.bireservations.*
bigquery.capacityCommitments.*
bigquery.jobs.get
bigquery.jobs.list
bigquery.jobs.listAll
bigquery.jobs.listExecutionMetadata
bigquery.reservationAssignments.*
bigquery.reservations.*
recommender.bigqueryCapacityCommitmentsInsights.*
recommender.bigqueryCapacityCommitmentsRecommendations.*
resourcemanager.projects.get
resourcemanager.projects.list
BigQuery Resource Editor (roles/bigquery.resourceEditor)
Manage all BigQuery resources, but cannot make purchasing decisions.
bigquery.bireservations.get
bigquery.capacityCommitments.get
bigquery.capacityCommitments.list
bigquery.jobs.get
bigquery.jobs.list
bigquery.jobs.listAll
bigquery.jobs.listExecutionMetadata
bigquery.reservationAssignments.*
bigquery.reservations.*
resourcemanager.projects.get
resourcemanager.projects.list
BigQuery Resource Viewer (roles/bigquery.resourceViewer)
View all BigQuery resources but cannot make changes or purchasing decisions.
bigquery.bireservations.get
bigquery.capacityCommitments.get
bigquery.capacityCommitments.list
bigquery.jobs.get
bigquery.jobs.list
bigquery.jobs.listAll
bigquery.jobs.listExecutionMetadata
bigquery.reservationAssignments.list
bigquery.reservationAssignments.search
bigquery.reservations.get
bigquery.reservations.list
resourcemanager.projects.get
resourcemanager.projects.list
BigQuery User (roles/bigquery.user)
When applied to a dataset, this role provides the ability to read the dataset's metadata and list tables in the dataset.
When applied to a project, this role also provides the ability to run jobs, including queries, within the project. A principal with this role can enumerate their own jobs, cancel their own jobs, and enumerate datasets within a project. Additionally, it allows the creation of new datasets within the project; the creator is granted the BigQuery Data Owner role (roles/bigquery.dataOwner) on these new datasets.
Lowest-level resources where you can grant this role:
bigquery.bireservations.get
bigquery.capacityCommitments.get
bigquery.capacityCommitments.list
bigquery.config.get
bigquery.datasets.create
bigquery.datasets.get
bigquery.datasets.getIamPolicy
bigquery.jobs.create
bigquery.jobs.list
bigquery.models.list
bigquery.readsessions.*
bigquery.reservationAssignments.list
bigquery.reservationAssignments.search
bigquery.reservations.get
bigquery.reservations.list
bigquery.routines.list
bigquery.savedqueries.get
bigquery.savedqueries.list
bigquery.tables.list
bigquery.transfers.get
bigquerymigration.translation.*
resourcemanager.projects.get
resourcemanager.projects.list
Masked Reader (Beta) (roles/bigquerydatapolicy.maskedReader)
Masked read access to sub-resources tagged by the policy tag associated with a data policy, for example, BigQuery columns
bigquery.dataPolicies.maskedGet
Billing roles
Role
Permissions
Billing Account Administrator (roles/billing.admin)
Provides access to see and manage all aspects of billing accounts.
Lowest-level resources where you can grant this role:
billing.accounts.close
billing.accounts.get
billing.accounts.getIamPolicy
billing.accounts.getPaymentInfo
billing.accounts.getPricing
billing.accounts.getSpendingInformation
billing.accounts.getUsageExportSpec
billing.accounts.list
billing.accounts.move
billing.accounts.redeemPromotion
billing.accounts.removeFromOrganization
billing.accounts.reopen
billing.accounts.setIamPolicy
billing.accounts.update
billing.accounts.updatePaymentInfo
billing.accounts.updateUsageExportSpec
billing.budgets.*
billing.credits.*
billing.resourceAssociations.*
billing.subscriptions.*
cloudnotifications.*
commerceoffercatalog.*
consumerprocurement.accounts.*
consumerprocurement.orderAttributions.*
consumerprocurement.orders.*
dataprocessing.datasources.get
dataprocessing.datasources.list
dataprocessing.groupcontrols.get
dataprocessing.groupcontrols.list
logging.logEntries.list
logging.logServiceIndexes.*
logging.logServices.*
logging.logs.list
logging.privateLogEntries.*
recommender.commitmentUtilizationInsights.*
recommender.costInsights.*
recommender.spendBasedCommitmentInsights.*
recommender.spendBasedCommitmentRecommendations.*
recommender.usageCommitmentRecommendations.*
resourcemanager.projects.createBillingAssignment
resourcemanager.projects.deleteBillingAssignment
Billing Account Costs Manager (roles/billing.costsManager)
Manage budgets for a billing account, and view, analyze, and export cost information of a billing
account.
Lowest-level resources where you can grant this role:
billing.accounts.get
billing.accounts.getIamPolicy
billing.accounts.getSpendingInformation
billing.accounts.getUsageExportSpec
billing.accounts.list
billing.accounts.updateUsageExportSpec
billing.budgets.*
billing.resourceAssociations.list
recommender.costInsights.*
Billing Account Creator (roles/billing.creator)
Provides access to create billing accounts.
Lowest-level resources where you can grant this role:
billing.accounts.create
resourcemanager.organizations.get
Project Billing Manager (roles/billing.projectManager)
When granted in conjunction with the Billing Account User role, provides access to assign a
project's billing account or disable its billing.
Lowest-level resources where you can grant this role:
resourcemanager.projects.createBillingAssignment
resourcemanager.projects.deleteBillingAssignment
Billing Account User (roles/billing.user)
When granted in conjunction with the Project Owner role or Project Billing Manager role, provides
access to associate projects with billing accounts.
Lowest-level resources where you can grant this role:
billing.accounts.get
billing.accounts.getIamPolicy
billing.accounts.list
billing.accounts.redeemPromotion
billing.credits.*
billing.resourceAssociations.create
Billing Account Viewer (roles/billing.viewer)
View billing account cost and pricing information, transactions, and billing and commitment
recommendations.
Lowest-level resources where you can grant this role:
billing.accounts.get
billing.accounts.getIamPolicy
billing.accounts.getPaymentInfo
billing.accounts.getPricing
billing.accounts.getSpendingInformation
billing.accounts.getUsageExportSpec
billing.accounts.list
billing.budgets.get
billing.budgets.list
billing.credits.*
billing.resourceAssociations.list
billing.subscriptions.get
billing.subscriptions.list
commerceoffercatalog.*
consumerprocurement.accounts.get
consumerprocurement.accounts.list
consumerprocurement.orderAttributions.get
consumerprocurement.orderAttributions.list
consumerprocurement.orders.get
consumerprocurement.orders.list
dataprocessing.datasources.get
dataprocessing.datasources.list
dataprocessing.groupcontrols.get
dataprocessing.groupcontrols.list
recommender.commitmentUtilizationInsights.get
recommender.commitmentUtilizationInsights.list
recommender.costInsights.get
recommender.costInsights.list
recommender.spendBasedCommitmentInsights.get
recommender.spendBasedCommitmentInsights.list
recommender.spendBasedCommitmentRecommendations.get
recommender.spendBasedCommitmentRecommendations.list
recommender.usageCommitmentRecommendations.get
recommender.usageCommitmentRecommendations.list
Binary Authorization roles
Role
Permissions
Binary Authorization Attestor Admin (roles/binaryauthorization.attestorsAdmin)
Administrator of Binary Authorization Attestors
binaryauthorization.attestors.*
resourcemanager.projects.get
resourcemanager.projects.list
Binary Authorization Attestor Editor (roles/binaryauthorization.attestorsEditor)
Editor of Binary Authorization Attestors
binaryauthorization.attestors.create
binaryauthorization.attestors.delete
binaryauthorization.attestors.get
binaryauthorization.attestors.list
binaryauthorization.attestors.update
binaryauthorization.attestors.verifyImageAttested
resourcemanager.projects.get
resourcemanager.projects.list
Binary Authorization Attestor Image Verifier (roles/binaryauthorization.attestorsVerifier)
Caller of Binary Authorization Attestors VerifyImageAttested
binaryauthorization.attestors.get
binaryauthorization.attestors.list
binaryauthorization.attestors.verifyImageAttested
resourcemanager.projects.get
resourcemanager.projects.list
Binary Authorization Attestor Viewer (roles/binaryauthorization.attestorsViewer)
Viewer of Binary Authorization Attestors
binaryauthorization.attestors.get
binaryauthorization.attestors.list
resourcemanager.projects.get
resourcemanager.projects.list
Binary Authorization Policy Administrator (roles/binaryauthorization.policyAdmin)
Administrator of Binary Authorization Policy
binaryauthorization.continuousValidationConfig.*
binaryauthorization.platformPolicies.*
binaryauthorization.policy.*
resourcemanager.projects.get
resourcemanager.projects.list
Binary Authorization Policy Editor (roles/binaryauthorization.policyEditor)
Editor of Binary Authorization Policy
binaryauthorization.continuousValidationConfig.get
binaryauthorization.continuousValidationConfig.update
binaryauthorization.platformPolicies.*
binaryauthorization.policy.evaluatePolicy
binaryauthorization.policy.get
binaryauthorization.policy.update
resourcemanager.projects.get
resourcemanager.projects.list
Binary Authorization Policy Evaluator (Beta) (roles/binaryauthorization.policyEvaluator)
Evaluator of Binary Authorization Policy
binaryauthorization.platformPolicies.evaluatePolicy
binaryauthorization.platformPolicies.get
binaryauthorization.platformPolicies.list
binaryauthorization.policy.evaluatePolicy
binaryauthorization.policy.get
resourcemanager.projects.get
resourcemanager.projects.list
Binary Authorization Policy Viewer (roles/binaryauthorization.policyViewer)
Viewer of Binary Authorization Policy
binaryauthorization.continuousValidationConfig.get
binaryauthorization.platformPolicies.get
binaryauthorization.platformPolicies.list
binaryauthorization.policy.get
resourcemanager.projects.get
resourcemanager.projects.list
CA Service roles
Role
Permissions
CA Service Admin (roles/privateca.admin)
Full access to all CA Service resources.
privateca.*
resourcemanager.projects.get
resourcemanager.projects.list
storage.buckets.create
CA Service Auditor (roles/privateca.auditor)
Read-only access to all CA Service resources.
privateca.caPools.get
privateca.caPools.getIamPolicy
privateca.caPools.list
privateca.certificateAuthorities.get
privateca.certificateAuthorities.getIamPolicy
privateca.certificateAuthorities.list
privateca.certificateRevocationLists.get
privateca.certificateRevocationLists.getIamPolicy
privateca.certificateRevocationLists.list
privateca.certificateTemplates.get
privateca.certificateTemplates.getIamPolicy
privateca.certificateTemplates.list
privateca.certificates.get
privateca.certificates.getIamPolicy
privateca.certificates.list
privateca.locations.*
privateca.operations.get
privateca.operations.list
privateca.reusableConfigs.get
privateca.reusableConfigs.getIamPolicy
privateca.reusableConfigs.list
resourcemanager.projects.get
resourcemanager.projects.list
CA Service Operation Manager (roles/privateca.caManager)
Create and manage CAs, revoke certificates, create certificate templates, and read-only access for CA Service resources.
privateca.caPools.create
privateca.caPools.delete
privateca.caPools.get
privateca.caPools.getIamPolicy
privateca.caPools.list
privateca.caPools.update
privateca.certificateAuthorities.create
privateca.certificateAuthorities.delete
privateca.certificateAuthorities.get
privateca.certificateAuthorities.getIamPolicy
privateca.certificateAuthorities.list
privateca.certificateAuthorities.update
privateca.certificateRevocationLists.get
privateca.certificateRevocationLists.getIamPolicy
privateca.certificateRevocationLists.list
privateca.certificateRevocationLists.update
privateca.certificateTemplates.create
privateca.certificateTemplates.delete
privateca.certificateTemplates.get
privateca.certificateTemplates.getIamPolicy
privateca.certificateTemplates.list
privateca.certificateTemplates.update
privateca.certificates.get
privateca.certificates.getIamPolicy
privateca.certificates.list
privateca.certificates.update
privateca.locations.*
privateca.operations.get
privateca.operations.list
privateca.reusableConfigs.create
privateca.reusableConfigs.delete
privateca.reusableConfigs.get
privateca.reusableConfigs.getIamPolicy
privateca.reusableConfigs.list
privateca.reusableConfigs.update
resourcemanager.projects.get
resourcemanager.projects.list
storage.buckets.create
CA Service Certificate Manager (roles/privateca.certificateManager)
Create certificates and read-only access for CA Service resources.
privateca.caPools.get
privateca.caPools.getIamPolicy
privateca.caPools.list
privateca.certificateAuthorities.get
privateca.certificateAuthorities.getIamPolicy
privateca.certificateAuthorities.list
privateca.certificateRevocationLists.get
privateca.certificateRevocationLists.getIamPolicy
privateca.certificateRevocationLists.list
privateca.certificateTemplates.get
privateca.certificateTemplates.getIamPolicy
privateca.certificateTemplates.list
privateca.certificates.create
privateca.certificates.get
privateca.certificates.getIamPolicy
privateca.certificates.list
privateca.locations.*
privateca.operations.get
privateca.operations.list
privateca.reusableConfigs.get
privateca.reusableConfigs.getIamPolicy
privateca.reusableConfigs.list
resourcemanager.projects.get
resourcemanager.projects.list
CA Service Certificate Requester (roles/privateca.certificateRequester)
Request certificates from CA Service.
privateca.certificates.create
CA Service Certificate Template User (roles/privateca.templateUser)
Read, list and use certificate templates.
privateca.certificateTemplates.get
privateca.certificateTemplates.list
privateca.certificateTemplates.use
CA Service Workload Certificate Requester (roles/privateca.workloadCertificateRequester)
Request certificates from CA Service with caller's identity.
privateca.certificates.createForSelf
Certificate Manager roles
Role
Permissions
Certificate Manager Editor (Beta) (roles/certificatemanager.editor)
Edit access to all Certificate Manager resources.
certificatemanager.certmapentries.create
certificatemanager.certmapentries.get
certificatemanager.certmapentries.getIamPolicy
certificatemanager.certmapentries.list
certificatemanager.certmapentries.update
certificatemanager.certmaps.create
certificatemanager.certmaps.get
certificatemanager.certmaps.getIamPolicy
certificatemanager.certmaps.list
certificatemanager.certmaps.update
certificatemanager.certmaps.use
certificatemanager.certs.create
certificatemanager.certs.get
certificatemanager.certs.getIamPolicy
certificatemanager.certs.list
certificatemanager.certs.update
certificatemanager.certs.use
certificatemanager.dnsauthorizations.create
certificatemanager.dnsauthorizations.get
certificatemanager.dnsauthorizations.getIamPolicy
certificatemanager.dnsauthorizations.list
certificatemanager.dnsauthorizations.update
certificatemanager.dnsauthorizations.use
certificatemanager.locations.*
certificatemanager.operations.get
certificatemanager.operations.list
resourcemanager.projects.get
resourcemanager.projects.list
Certificate Manager Owner (Beta) (roles/certificatemanager.owner)
Full access to all Certificate Manager resources.
certificatemanager.*
resourcemanager.projects.get
resourcemanager.projects.list
Certificate Manager Viewer (Beta) (roles/certificatemanager.viewer)
Read-only access to all Certificate Manager resources.
certificatemanager.certmapentries.get
certificatemanager.certmapentries.getIamPolicy
certificatemanager.certmapentries.list
certificatemanager.certmaps.get
certificatemanager.certmaps.getIamPolicy
certificatemanager.certmaps.list
certificatemanager.certs.get
certificatemanager.certs.getIamPolicy
certificatemanager.certs.list
certificatemanager.dnsauthorizations.get
certificatemanager.dnsauthorizations.getIamPolicy
certificatemanager.dnsauthorizations.list
certificatemanager.locations.*
certificatemanager.operations.get
certificatemanager.operations.list
resourcemanager.projects.get
resourcemanager.projects.list
Cloud Asset roles
Role
Permissions
Cloud Asset Owner (roles/cloudasset.owner)
Full access to cloud assets metadata
cloudasset.*
recommender.cloudAssetInsights.*
recommender.locations.*
Cloud Asset Viewer (roles/cloudasset.viewer)
Read only access to cloud assets metadata
cloudasset.assets.*
recommender.cloudAssetInsights.get
recommender.cloudAssetInsights.list
recommender.locations.*
Cloud Bigtable roles
Role
Permissions
Bigtable Administrator (roles/bigtable.admin)
Administers all instances within a project, including the data stored within
tables. Can create new instances. Intended for project administrators.
Lowest-level resources where you can grant this role:
bigtable.*
monitoring.metricDescriptors.get
monitoring.metricDescriptors.list
monitoring.timeSeries.list
resourcemanager.projects.get
Bigtable Reader (roles/bigtable.reader)
Provides read-only access to the data stored within tables. Intended for
data scientists, dashboard generators, and other data-analysis scenarios.
Lowest-level resources where you can grant this role:
bigtable.appProfiles.get
bigtable.appProfiles.list
bigtable.backups.get
bigtable.backups.list
bigtable.clusters.get
bigtable.clusters.list
bigtable.instances.get
bigtable.instances.list
bigtable.keyvisualizer.*
bigtable.locations.*
bigtable.tables.checkConsistency
bigtable.tables.generateConsistencyToken
bigtable.tables.get
bigtable.tables.list
bigtable.tables.readRows
bigtable.tables.sampleRowKeys
monitoring.metricDescriptors.get
monitoring.metricDescriptors.list
monitoring.timeSeries.list
resourcemanager.projects.get
Bigtable User (roles/bigtable.user)
Provides read-write access to the data stored within tables. Intended for
application developers or service accounts.
Lowest-level resources where you can grant this role:
bigtable.appProfiles.get
bigtable.appProfiles.list
bigtable.backups.get
bigtable.backups.list
bigtable.clusters.get
bigtable.clusters.list
bigtable.instances.get
bigtable.instances.list
bigtable.keyvisualizer.*
bigtable.locations.*
bigtable.tables.checkConsistency
bigtable.tables.generateConsistencyToken
bigtable.tables.get
bigtable.tables.list
bigtable.tables.mutateRows
bigtable.tables.readRows
bigtable.tables.sampleRowKeys
monitoring.metricDescriptors.get
monitoring.metricDescriptors.list
monitoring.timeSeries.list
resourcemanager.projects.get
Bigtable Viewer (roles/bigtable.viewer)
Provides no data access. Intended as a minimal set of permissions to access
the Cloud console for Bigtable.
Lowest-level resources where you can grant this role:
bigtable.appProfiles.get
bigtable.appProfiles.list
bigtable.backups.get
bigtable.backups.list
bigtable.clusters.get
bigtable.clusters.list
bigtable.instances.get
bigtable.instances.list
bigtable.locations.*
bigtable.tables.checkConsistency
bigtable.tables.generateConsistencyToken
bigtable.tables.get
bigtable.tables.list
monitoring.metricDescriptors.get
monitoring.metricDescriptors.list
monitoring.timeSeries.list
resourcemanager.projects.get
Cloud Build roles
Role
Permissions
Cloud Build Approver (roles/cloudbuild.builds.approver)
Can approve or reject pending builds.
cloudbuild.builds.approve
cloudbuild.builds.get
cloudbuild.builds.list
remotebuildexecution.blobs.get
resourcemanager.projects.get
resourcemanager.projects.list
Cloud Build Service Account (roles/cloudbuild.builds.builder)
Provides access to perform builds.
artifactregistry.aptartifacts.*
artifactregistry.dockerimages.*
artifactregistry.files.*
artifactregistry.locations.*
artifactregistry.packages.get
artifactregistry.packages.list
artifactregistry.repositories.downloadArtifacts
artifactregistry.repositories.get
artifactregistry.repositories.list
artifactregistry.repositories.listEffectiveTags
artifactregistry.repositories.listTagBindings
artifactregistry.repositories.uploadArtifacts
artifactregistry.tags.create
artifactregistry.tags.get
artifactregistry.tags.list
artifactregistry.tags.update
artifactregistry.versions.get
artifactregistry.versions.list
artifactregistry.yumartifacts.*
cloudbuild.builds.create
cloudbuild.builds.get
cloudbuild.builds.list
cloudbuild.builds.update
cloudbuild.workerpools.use
containeranalysis.occurrences.create
containeranalysis.occurrences.delete
containeranalysis.occurrences.get
containeranalysis.occurrences.list
containeranalysis.occurrences.update
logging.logEntries.create
logging.logEntries.list
logging.privateLogEntries.*
logging.views.access
pubsub.topics.create
pubsub.topics.publish
remotebuildexecution.blobs.get
resourcemanager.projects.get
resourcemanager.projects.list
source.repos.get
source.repos.list
storage.buckets.create
storage.buckets.get
storage.buckets.list
storage.objects.create
storage.objects.delete
storage.objects.get
storage.objects.list
storage.objects.update
Cloud Build Editor (roles/cloudbuild.builds.editor)
Provides access to create and cancel builds.
Lowest-level resources where you can grant this role:
cloudbuild.builds.create
cloudbuild.builds.get
cloudbuild.builds.list
cloudbuild.builds.update
remotebuildexecution.blobs.get
resourcemanager.projects.get
resourcemanager.projects.list
Cloud Build Viewer (roles/cloudbuild.builds.viewer)
Provides access to view builds.
Lowest-level resources where you can grant this role:
cloudbuild.builds.get
cloudbuild.builds.list
remotebuildexecution.blobs.get
resourcemanager.projects.get
resourcemanager.projects.list
Cloud Build Integrations Editor (roles/cloudbuild.integrationsEditor)
Can update Integrations
cloudbuild.integrations.get
cloudbuild.integrations.list
cloudbuild.integrations.update
resourcemanager.projects.get
resourcemanager.projects.list
Cloud Build Integrations Owner (roles/cloudbuild.integrationsOwner)
Can create/delete Integrations
cloudbuild.integrations.*
compute.firewalls.create
compute.firewalls.get
compute.firewalls.list
compute.networks.get
compute.networks.updatePolicy
compute.regions.get
compute.subnetworks.get
compute.subnetworks.list
resourcemanager.projects.get
resourcemanager.projects.list
Cloud Build Integrations Viewer (roles/cloudbuild.integrationsViewer)
Can view Integrations
cloudbuild.integrations.get
cloudbuild.integrations.list
resourcemanager.projects.get
resourcemanager.projects.list
Cloud Build WorkerPool Editor (roles/cloudbuild.workerPoolEditor)
Can update and view WorkerPools
cloudbuild.workerpools.get
cloudbuild.workerpools.list
cloudbuild.workerpools.update
resourcemanager.projects.get
resourcemanager.projects.list
Cloud Build WorkerPool Owner (roles/cloudbuild.workerPoolOwner)
Can create, delete, update, and view WorkerPools
cloudbuild.workerpools.create
cloudbuild.workerpools.delete
cloudbuild.workerpools.get
cloudbuild.workerpools.list
cloudbuild.workerpools.update
resourcemanager.projects.get
resourcemanager.projects.list
Cloud Build WorkerPool User (roles/cloudbuild.workerPoolUser)
Can run builds in the WorkerPool
cloudbuild.workerpools.use
Cloud Build WorkerPool Viewer (roles/cloudbuild.workerPoolViewer)
Can view WorkerPools
cloudbuild.workerpools.get
cloudbuild.workerpools.list
resourcemanager.projects.get
resourcemanager.projects.list
Cloud Composer roles
Role
Permissions
Cloud Composer v2 API Service Agent Extension (roles/composer.ServiceAgentV2Ext)
Cloud Composer v2 API Service Agent Extension is a supplementary role required to manage Composer v2 environments.
iam.serviceAccounts.getIamPolicy
iam.serviceAccounts.setIamPolicy
Composer Administrator (roles/composer.admin)
Provides full control of Cloud Composer resources.
Lowest-level resources where you can grant this role:
composer.*
serviceusage.quotas.get
serviceusage.services.get
serviceusage.services.list
Environment and Storage Object Administrator (roles/composer.environmentAndStorageObjectAdmin)
Provides full control of Cloud Composer resources and of the objects in all project buckets.
Lowest-level resources where you can grant this role:
composer.*
orgpolicy.policy.get
resourcemanager.projects.get
resourcemanager.projects.list
serviceusage.quotas.get
serviceusage.services.get
serviceusage.services.list
storage.multipartUploads.*
storage.objects.*
Environment User and Storage Object Viewer (roles/composer.environmentAndStorageObjectViewer)
Provides the permissions necessary to list and get Cloud Composer environments and operations.
Provides read-only access to objects in all project buckets.
Lowest-level resources where you can grant this role:
composer.dags.*
composer.environments.get
composer.environments.list
composer.imageversions.*
composer.operations.get
composer.operations.list
resourcemanager.projects.get
resourcemanager.projects.list
serviceusage.quotas.get
serviceusage.services.get
serviceusage.services.list
storage.objects.get
storage.objects.list
Composer Shared VPC Agent (roles/composer.sharedVpcAgent)
Role that should be assigned to the Composer Agent service account in the Shared VPC host project.
compute.networks.access
compute.networks.addPeering
compute.networks.get
compute.networks.list
compute.networks.listPeeringRoutes
compute.networks.removePeering
compute.networks.updatePeering
compute.networks.use
compute.networks.useExternalIp
compute.projects.get
compute.regions.*
compute.subnetworks.get
compute.subnetworks.list
compute.subnetworks.use
compute.subnetworks.useExternalIp
compute.zones.*
Composer User (roles/composer.user)
Provides the permissions necessary to list and get Cloud Composer environments and operations.
Lowest-level resources where you can grant this role:
composer.dags.*
composer.environments.get
composer.environments.list
composer.imageversions.*
composer.operations.get
composer.operations.list
serviceusage.quotas.get
serviceusage.services.get
serviceusage.services.list
Composer Worker (roles/composer.worker)
Provides the permissions necessary to run a Cloud Composer environment VM. Intended for service accounts.
Lowest-level resources where you can grant this role:
artifactregistry.*
cloudbuild.builds.create
cloudbuild.builds.get
cloudbuild.builds.list
cloudbuild.builds.update
cloudbuild.workerpools.use
composer.environments.get
container.*
containeranalysis.occurrences.create
containeranalysis.occurrences.delete
containeranalysis.occurrences.get
containeranalysis.occurrences.list
containeranalysis.occurrences.update
logging.logEntries.create
logging.logEntries.list
logging.privateLogEntries.*
logging.views.access
monitoring.metricDescriptors.create
monitoring.metricDescriptors.get
monitoring.metricDescriptors.list
monitoring.monitoredResourceDescriptors.*
monitoring.timeSeries.*
orgpolicy.policy.get
pubsub.schemas.attach
pubsub.schemas.create
pubsub.schemas.delete
pubsub.schemas.get
pubsub.schemas.list
pubsub.schemas.validate
pubsub.snapshots.create
pubsub.snapshots.delete
pubsub.snapshots.get
pubsub.snapshots.list
pubsub.snapshots.seek
pubsub.snapshots.update
pubsub.subscriptions.consume
pubsub.subscriptions.create
pubsub.subscriptions.delete
pubsub.subscriptions.get
pubsub.subscriptions.list
pubsub.subscriptions.update
pubsub.topics.attachSubscription
pubsub.topics.create
pubsub.topics.delete
pubsub.topics.detachSubscription
pubsub.topics.get
pubsub.topics.list
pubsub.topics.publish
pubsub.topics.update
pubsub.topics.updateTag
remotebuildexecution.blobs.get
resourcemanager.projects.get
resourcemanager.projects.list
serviceusage.quotas.get
serviceusage.services.get
serviceusage.services.list
source.repos.get
source.repos.list
storage.buckets.create
storage.buckets.get
storage.buckets.list
storage.multipartUploads.*
storage.objects.*
Cloud Connectors roles
Role
Permissions
Connector Admin (roles/connectors.admin)
Full access to all resources of Connectors Service.
connectors.*
resourcemanager.projects.get
resourcemanager.projects.list
Connectors Viewer (roles/connectors.viewer)
Read-only access to all Connectors resources.
connectors.connections.get
connectors.connections.getConnectionSchemaMetadata
connectors.connections.getIamPolicy
connectors.connections.getRuntimeActionSchema
connectors.connections.getRuntimeEntitySchema
connectors.connections.list
connectors.connectors.*
connectors.locations.*
connectors.operations.get
connectors.operations.list
connectors.providers.*
connectors.runtimeconfig.*
connectors.versions.*
resourcemanager.projects.get
resourcemanager.projects.list
Cloud Data Fusion roles
Role
Permissions
Cloud Data Fusion Admin (Beta) (roles/datafusion.admin)
Full access to Cloud Data Fusion Instances, Namespaces and related resources.
Lowest-level resources where you can grant this role:
datafusion.*
resourcemanager.projects.get
resourcemanager.projects.list
Cloud Data Fusion Runner
Beta
(roles/datafusion.runner)
Access to Cloud Data Fusion runtime resources.
datafusion.instances.runtime
Cloud Data Fusion Viewer
Beta
(roles/datafusion.viewer)
Read-only access to Cloud Data Fusion Instances, Namespaces and related resources.
Lowest-level resources where you can grant this role:
datafusion.instances.get
datafusion.instances.getIamPolicy
datafusion.instances.list
datafusion.instances.runtime
datafusion.locations.*
datafusion.operations.get
datafusion.operations.list
resourcemanager.projects.get
resourcemanager.projects.list
Cloud Data Labeling roles
Role
Permissions
Data Labeling Service Admin
Beta
(roles/datalabeling.admin)
Full access to all Data Labeling resources
datalabeling.*
resourcemanager.projects.get
resourcemanager.projects.list
Data Labeling Service Editor
Beta
(roles/datalabeling.editor)
Editor of all Data Labeling resources
datalabeling.*
resourcemanager.projects.get
resourcemanager.projects.list
Data Labeling Service Viewer
Beta
(roles/datalabeling.viewer)
Viewer of all Data Labeling resources
datalabeling.annotateddatasets.get
datalabeling.annotateddatasets.list
datalabeling.annotationspecsets.get
datalabeling.annotationspecsets.list
datalabeling.dataitems.*
datalabeling.datasets.get
datalabeling.datasets.list
datalabeling.examples.*
datalabeling.instructions.get
datalabeling.instructions.list
datalabeling.operations.get
datalabeling.operations.list
resourcemanager.projects.get
resourcemanager.projects.list
Cloud Dataplex roles
Cloud Debugger roles
Role
Permissions
Cloud Debugger Agent
Beta
(roles/clouddebugger.agent)
Provides permissions to register the debug target, read active breakpoints,
and report breakpoint results.
Lowest-level resources where you can grant this role:
clouddebugger.breakpoints.list
clouddebugger.breakpoints.listActive
clouddebugger.breakpoints.update
clouddebugger.debuggees.create
Cloud Debugger User
Beta
(roles/clouddebugger.user)
Provides permissions to create, view, list, and delete breakpoints
(snapshots & logpoints) as well as list debug targets (debuggees).
Lowest-level resources where you can grant this role:
clouddebugger.breakpoints.create
clouddebugger.breakpoints.delete
clouddebugger.breakpoints.get
clouddebugger.breakpoints.list
clouddebugger.debuggees.list
Cloud Deploy roles
Role
Permissions
Cloud Deploy Admin
Beta
(roles/clouddeploy.admin)
Full control of Cloud Deploy resources.
clouddeploy.*
resourcemanager.projects.get
resourcemanager.projects.list
Cloud Deploy Approver
Beta
(roles/clouddeploy.approver)
Permission to approve or reject rollouts.
clouddeploy.locations.*
clouddeploy.operations.*
clouddeploy.rollouts.approve
clouddeploy.rollouts.get
clouddeploy.rollouts.list
resourcemanager.projects.get
resourcemanager.projects.list
Cloud Deploy Developer
Beta
(roles/clouddeploy.developer)
Permission to manage deployment configuration without permission to access operational resources, such as targets.
clouddeploy.deliveryPipelines.create
clouddeploy.deliveryPipelines.get
clouddeploy.deliveryPipelines.getIamPolicy
clouddeploy.deliveryPipelines.list
clouddeploy.deliveryPipelines.update
clouddeploy.locations.*
clouddeploy.operations.*
clouddeploy.releases.*
clouddeploy.rollouts.get
clouddeploy.rollouts.list
resourcemanager.projects.get
resourcemanager.projects.list
Cloud Deploy Runner
Beta
(roles/clouddeploy.jobRunner)
Permission to execute Cloud Deploy work without permission to deliver to a target.
logging.logEntries.create
storage.objects.create
storage.objects.get
storage.objects.list
Cloud Deploy Operator
Beta
(roles/clouddeploy.operator)
Permission to manage deployment configuration.
clouddeploy.deliveryPipelines.create
clouddeploy.deliveryPipelines.get
clouddeploy.deliveryPipelines.getIamPolicy
clouddeploy.deliveryPipelines.list
clouddeploy.deliveryPipelines.update
clouddeploy.locations.*
clouddeploy.operations.*
clouddeploy.releases.*
clouddeploy.rollouts.create
clouddeploy.rollouts.get
clouddeploy.rollouts.list
clouddeploy.targets.create
clouddeploy.targets.get
clouddeploy.targets.getIamPolicy
clouddeploy.targets.list
clouddeploy.targets.update
resourcemanager.projects.get
resourcemanager.projects.list
Cloud Deploy Releaser
Beta
(roles/clouddeploy.releaser)
Permission to create Cloud Deploy releases and rollouts.
clouddeploy.deliveryPipelines.get
clouddeploy.locations.*
clouddeploy.operations.*
clouddeploy.releases.create
clouddeploy.releases.get
clouddeploy.releases.list
clouddeploy.rollouts.create
clouddeploy.rollouts.get
clouddeploy.rollouts.list
clouddeploy.targets.get
resourcemanager.projects.get
resourcemanager.projects.list
Cloud Deploy Viewer
Beta
(roles/clouddeploy.viewer)
Can view Cloud Deploy resources.
clouddeploy.config.*
clouddeploy.deliveryPipelines.get
clouddeploy.deliveryPipelines.getIamPolicy
clouddeploy.deliveryPipelines.list
clouddeploy.locations.*
clouddeploy.operations.get
clouddeploy.operations.list
clouddeploy.releases.get
clouddeploy.releases.list
clouddeploy.rollouts.get
clouddeploy.rollouts.list
clouddeploy.targets.get
clouddeploy.targets.getIamPolicy
clouddeploy.targets.list
resourcemanager.projects.get
resourcemanager.projects.list
Cloud DLP roles
Role
Permissions
DLP Administrator
(roles/dlp.admin)
Administer DLP including jobs and templates.
dlp.*
serviceusage.services.use
DLP Analyze Risk Templates Editor
(roles/dlp.analyzeRiskTemplatesEditor)
Edit DLP analyze risk templates.
dlp.analyzeRiskTemplates.*
DLP Analyze Risk Templates Reader
(roles/dlp.analyzeRiskTemplatesReader)
Read DLP analyze risk templates.
dlp.analyzeRiskTemplates.get
dlp.analyzeRiskTemplates.list
DLP Column Data Profiles Reader
(roles/dlp.columnDataProfilesReader)
Read DLP column profiles.
DLP Data Profiles Reader
(roles/dlp.dataProfilesReader)
Read DLP profiles.
dlp.columnDataProfiles.*
dlp.projectDataProfiles.*
dlp.tableDataProfiles.*
DLP De-identify Templates Editor
(roles/dlp.deidentifyTemplatesEditor)
Edit DLP de-identify templates.
dlp.deidentifyTemplates.*
DLP De-identify Templates Reader
(roles/dlp.deidentifyTemplatesReader)
Read DLP de-identify templates.
dlp.deidentifyTemplates.get
dlp.deidentifyTemplates.list
DLP Cost Estimation
(roles/dlp.estimatesAdmin)
Manage DLP Cost Estimates.
DLP Inspect Findings Reader
(roles/dlp.inspectFindingsReader)
Read DLP stored findings.
DLP Inspect Templates Editor
(roles/dlp.inspectTemplatesEditor)
Edit DLP inspect templates.
DLP Inspect Templates Reader
(roles/dlp.inspectTemplatesReader)
Read DLP inspect templates.
dlp.inspectTemplates.get
dlp.inspectTemplates.list
DLP Job Triggers Editor
(roles/dlp.jobTriggersEditor)
Edit job triggers configurations.
DLP Job Triggers Reader
(roles/dlp.jobTriggersReader)
Read job triggers.
dlp.jobTriggers.get
dlp.jobTriggers.list
DLP Jobs Editor
(roles/dlp.jobsEditor)
Edit and create jobs.
DLP Jobs Reader
(roles/dlp.jobsReader)
Read jobs.
dlp.jobs.get
dlp.jobs.list
DLP Organization Data Profiles Driver
(roles/dlp.orgdriver)
Permissions needed by the DLP service account to generate data profiles within an organization or folder.
bigquery.bireservations.get
bigquery.capacityCommitments.get
bigquery.capacityCommitments.list
bigquery.config.get
bigquery.connections.updateTag
bigquery.datasets.create
bigquery.datasets.get
bigquery.datasets.getIamPolicy
bigquery.datasets.updateTag
bigquery.jobs.create
bigquery.jobs.get
bigquery.jobs.list
bigquery.jobs.listAll
bigquery.jobs.listExecutionMetadata
bigquery.models.*
bigquery.readsessions.*
bigquery.reservationAssignments.list
bigquery.reservationAssignments.search
bigquery.reservations.get
bigquery.reservations.list
bigquery.routines.*
bigquery.savedqueries.get
bigquery.savedqueries.list
bigquery.tables.create
bigquery.tables.createIndex
bigquery.tables.createSnapshot
bigquery.tables.delete
bigquery.tables.deleteIndex
bigquery.tables.export
bigquery.tables.get
bigquery.tables.getData
bigquery.tables.getIamPolicy
bigquery.tables.list
bigquery.tables.restoreSnapshot
bigquery.tables.update
bigquery.tables.updateData
bigquery.tables.updateTag
bigquery.transfers.get
bigquerymigration.translation.*
cloudasset.assets.*
datacatalog.categories.fineGrainedGet
datacatalog.entries.updateTag
datacatalog.tagTemplates.create
datacatalog.tagTemplates.get
datacatalog.tagTemplates.getTag
datacatalog.tagTemplates.use
dlp.*
pubsub.topics.updateTag
recommender.cloudAssetInsights.get
recommender.cloudAssetInsights.list
recommender.locations.*
resourcemanager.projects.get
resourcemanager.projects.list
serviceusage.services.use
DLP Project Data Profiles Reader
(roles/dlp.projectDataProfilesReader)
Read DLP project profiles.
dlp.projectDataProfiles.*
DLP Project Data Profiles Driver
(roles/dlp.projectdriver)
Permissions needed by the DLP service account to generate data profiles within a project.
bigquery.bireservations.get
bigquery.capacityCommitments.get
bigquery.capacityCommitments.list
bigquery.config.get
bigquery.connections.updateTag
bigquery.datasets.create
bigquery.datasets.get
bigquery.datasets.getIamPolicy
bigquery.datasets.updateTag
bigquery.jobs.create
bigquery.jobs.get
bigquery.jobs.list
bigquery.jobs.listAll
bigquery.jobs.listExecutionMetadata
bigquery.models.*
bigquery.readsessions.*
bigquery.reservationAssignments.list
bigquery.reservationAssignments.search
bigquery.reservations.get
bigquery.reservations.list
bigquery.routines.*
bigquery.savedqueries.get
bigquery.savedqueries.list
bigquery.tables.create
bigquery.tables.createIndex
bigquery.tables.createSnapshot
bigquery.tables.delete
bigquery.tables.deleteIndex
bigquery.tables.export
bigquery.tables.get
bigquery.tables.getData
bigquery.tables.getIamPolicy
bigquery.tables.list
bigquery.tables.restoreSnapshot
bigquery.tables.update
bigquery.tables.updateData
bigquery.tables.updateTag
bigquery.transfers.get
bigquerymigration.translation.*
cloudasset.assets.*
datacatalog.categories.fineGrainedGet
datacatalog.entries.updateTag
datacatalog.tagTemplates.create
datacatalog.tagTemplates.get
datacatalog.tagTemplates.getTag
datacatalog.tagTemplates.use
dlp.*
pubsub.topics.updateTag
recommender.cloudAssetInsights.get
recommender.cloudAssetInsights.list
recommender.locations.*
resourcemanager.projects.get
resourcemanager.projects.list
serviceusage.services.use
DLP Reader
(roles/dlp.reader)
Read DLP entities, such as jobs and templates.
dlp.analyzeRiskTemplates.get
dlp.analyzeRiskTemplates.list
dlp.deidentifyTemplates.get
dlp.deidentifyTemplates.list
dlp.inspectFindings.*
dlp.inspectTemplates.get
dlp.inspectTemplates.list
dlp.jobTriggers.get
dlp.jobTriggers.list
dlp.jobs.get
dlp.jobs.list
dlp.locations.*
dlp.storedInfoTypes.get
dlp.storedInfoTypes.list
DLP Stored InfoTypes Editor
(roles/dlp.storedInfoTypesEditor)
Edit DLP stored info types.
DLP Stored InfoTypes Reader
(roles/dlp.storedInfoTypesReader)
Read DLP stored info types.
dlp.storedInfoTypes.get
dlp.storedInfoTypes.list
DLP Table Data Profiles Reader
(roles/dlp.tableDataProfilesReader)
Read DLP table profiles.
DLP User
(roles/dlp.user)
Inspect, redact, and de-identify content.
dlp.kms.*
dlp.locations.*
serviceusage.services.use
Cloud Domains roles
Role
Permissions
Cloud Domains Admin
(roles/domains.admin)
Full access to Cloud Domains Registrations and related resources.
domains.*
resourcemanager.projects.get
resourcemanager.projects.list
Cloud Domains Viewer
(roles/domains.viewer)
Read-only access to Cloud Domains Registrations and related resources.
domains.locations.*
domains.operations.get
domains.operations.list
domains.registrations.get
domains.registrations.getIamPolicy
domains.registrations.list
domains.registrations.listEffectiveTags
domains.registrations.listTagBindings
resourcemanager.projects.get
resourcemanager.projects.list
Cloud Filestore roles
Role
Permissions
Cloud Filestore Editor
Beta
(roles/file.editor)
Read-write access to Filestore instances and related resources.
Cloud Filestore Viewer
Beta
(roles/file.viewer)
Read-only access to Filestore instances and related resources.
file.backups.get
file.backups.list
file.backups.listEffectiveTags
file.backups.listTagBindings
file.instances.get
file.instances.list
file.instances.listEffectiveTags
file.instances.listTagBindings
file.locations.*
file.operations.get
file.operations.list
file.snapshots.listEffectiveTags
file.snapshots.listTagBindings
Cloud Functions roles
Cloud Game Services roles
Role
Permissions
Game Services API Admin
(roles/gameservices.admin)
Full access to Game Services API and related resources.
gameservices.*
resourcemanager.projects.get
resourcemanager.projects.list
Game Services API Viewer
(roles/gameservices.viewer)
Read-only access to Game Services API and related resources.
gameservices.gameServerClusters.get
gameservices.gameServerClusters.list
gameservices.gameServerConfigs.get
gameservices.gameServerConfigs.list
gameservices.gameServerDeployments.get
gameservices.gameServerDeployments.list
gameservices.locations.*
gameservices.operations.get
gameservices.operations.list
gameservices.realms.get
gameservices.realms.list
resourcemanager.projects.get
resourcemanager.projects.list
Cloud Healthcare roles
Role
Permissions
Healthcare Annotation Editor
(roles/healthcare.annotationEditor)
Create, delete, update, read and list annotations.
healthcare.annotationStores.get
healthcare.annotationStores.list
healthcare.annotations.*
healthcare.datasets.get
healthcare.datasets.list
healthcare.locations.*
healthcare.operations.get
resourcemanager.projects.get
resourcemanager.projects.list
Healthcare Annotation Reader
(roles/healthcare.annotationReader)
Read and list annotations in an Annotation store.
healthcare.annotationStores.get
healthcare.annotationStores.list
healthcare.annotations.get
healthcare.annotations.list
healthcare.datasets.get
healthcare.datasets.list
healthcare.locations.*
healthcare.operations.get
resourcemanager.projects.get
resourcemanager.projects.list
Healthcare Annotation Administrator
(roles/healthcare.annotationStoreAdmin)
Administer Annotation stores.
healthcare.annotationStores.*
healthcare.datasets.get
healthcare.datasets.list
healthcare.locations.*
healthcare.operations.get
resourcemanager.projects.get
resourcemanager.projects.list
Healthcare Annotation Store Viewer
(roles/healthcare.annotationStoreViewer)
List Annotation Stores in a dataset.
healthcare.annotationStores.get
healthcare.annotationStores.list
healthcare.datasets.get
healthcare.datasets.list
healthcare.locations.*
healthcare.operations.get
resourcemanager.projects.get
resourcemanager.projects.list
Healthcare Attribute Definition Editor
(roles/healthcare.attributeDefinitionEditor)
Edit AttributeDefinition objects.
healthcare.attributeDefinitions.*
healthcare.consentStores.checkDataAccess
healthcare.consentStores.evaluateUserConsents
healthcare.consentStores.get
healthcare.consentStores.list
healthcare.consentStores.queryAccessibleData
healthcare.datasets.get
healthcare.datasets.list
healthcare.locations.*
healthcare.operations.get
resourcemanager.projects.get
resourcemanager.projects.list
Healthcare Attribute Definition Reader
(roles/healthcare.attributeDefinitionReader)
Read AttributeDefinition objects in a consent store.
healthcare.attributeDefinitions.get
healthcare.attributeDefinitions.list
healthcare.consentStores.checkDataAccess
healthcare.consentStores.evaluateUserConsents
healthcare.consentStores.get
healthcare.consentStores.list
healthcare.consentStores.queryAccessibleData
healthcare.datasets.get
healthcare.datasets.list
healthcare.locations.*
healthcare.operations.get
resourcemanager.projects.get
resourcemanager.projects.list
Healthcare Consent Artifact Administrator
(roles/healthcare.consentArtifactAdmin)
Administer ConsentArtifact objects.
healthcare.consentArtifacts.*
healthcare.consentStores.checkDataAccess
healthcare.consentStores.evaluateUserConsents
healthcare.consentStores.get
healthcare.consentStores.list
healthcare.consentStores.queryAccessibleData
healthcare.datasets.get
healthcare.datasets.list
healthcare.locations.*
healthcare.operations.get
resourcemanager.projects.get
resourcemanager.projects.list
Healthcare Consent Artifact Editor
(roles/healthcare.consentArtifactEditor)
Edit ConsentArtifact objects.
healthcare.consentArtifacts.create
healthcare.consentArtifacts.get
healthcare.consentArtifacts.list
healthcare.consentStores.checkDataAccess
healthcare.consentStores.evaluateUserConsents
healthcare.consentStores.get
healthcare.consentStores.list
healthcare.consentStores.queryAccessibleData
healthcare.datasets.get
healthcare.datasets.list
healthcare.locations.*
healthcare.operations.get
resourcemanager.projects.get
resourcemanager.projects.list
Healthcare Consent Artifact Reader
(roles/healthcare.consentArtifactReader)
Read ConsentArtifact objects in a consent store.
healthcare.consentArtifacts.get
healthcare.consentArtifacts.list
healthcare.consentStores.checkDataAccess
healthcare.consentStores.evaluateUserConsents
healthcare.consentStores.get
healthcare.consentStores.list
healthcare.consentStores.queryAccessibleData
healthcare.datasets.get