Understanding roles

A role contains a set of permissions that allows you to perform specific actions on Google Cloud resources. To make permissions available to principals, including users, groups, and service accounts, you grant roles to the principals.

This page describes the IAM roles that you can grant.

Prerequisite for this guide

Understand the basic concepts of IAM

Role types

There are three types of roles in IAM:

Basic roles, which include the Owner, Editor, and Viewer roles that existed prior to the introduction of IAM.
Predefined roles, which provide granular access for a specific service and are managed by Google Cloud.
Custom roles, which provide granular access according to a user-specified list of permissions.

To determine if a permission is included in a basic, predefined, or custom role, you can use one of the following methods:

Run the gcloud iam roles describe command to list the permissions in the role.
Call the roles.get() REST API method to list the permissions in the role.
For basic and predefined roles only: Search the permissions reference to see if the permission is granted by the role.
For predefined roles only: Search the predefined role descriptions on this page to see which permissions the role includes.

The sections below describe each role type and provide examples of how to use them.

Basic roles

There are several basic roles that existed prior to the introduction of IAM: Owner, Editor, and Viewer. These roles are concentric; that is, the Owner role includes the permissions in the Editor role, and the Editor role includes the permissions in the Viewer role. They were originally known as "primitive roles."

The following table summarizes the permissions that the basic roles include across all Google Cloud services:

Basic role definitions

Name	Title	Permissions
`roles/viewer`	Viewer	Permissions for read-only actions that do not affect state, such as viewing (but not modifying) existing resources or data.
`roles/editor`	Editor	All viewer permissions, plus permissions for actions that modify state, such as changing existing resources. Note: The Editor role contains permissions to create and delete resources for most Google Cloud services. However, it does not contain permissions to perform all actions for all services. See the section above for more information on how to check if a role has the permissions that you need.
`roles/owner`	Owner	All Editor permissions and permissions for the following actions: Manage roles and permissions for a project and all resources within the project. Set up billing for a project. Note: Granting the Owner role at a resource level, such as a Pub/Sub topic, doesn't grant the Owner role on the parent project. Granting the Owner role at the organization level doesn't allow you to update the organization's metadata. However, it allows you to modify all projects and other resources under that organization. To grant the Owner role on a project to a user outside of your organization, you must use the Cloud Console, not the `gcloud` tool. If your project is not part of an organization, you must use the Cloud Console to grant the Owner role.

You can apply basic roles at the project or service resource levels by using the Cloud Console, the API, and the gcloud tool. See Granting, changing, and revoking access for instructions.

To see how to grant roles using the Cloud Console, see Granting, changing, and revoking access.

Predefined roles

In addition to the basic roles, IAM provides additional predefined roles that give granular access to specific Google Cloud resources and prevent unwanted access to other resources. These roles are created and maintained by Google. Google automatically updates their permissions as necessary, such as when Google Cloud adds new features or services.

The following table lists these roles, their description, and the lowest-level resource type where the roles can be set. A particular role can be granted to this resource type, or in most cases any type above it in the Google Cloud hierarchy. You can grant multiple roles to the same user. For example, the same user can have Network Admin and Log Viewer roles on a project and also have a Publisher role for a Pub/Sub topic within that project. For a list of the permissions contained in a role, see Getting the role metadata.

Access Approval roles

Role	Permissions
Access Approval Approver ^Beta (`roles/accessapproval.approver`) Ability to view or act on access approval requests and view configuration	accessapproval.requests.* accessapproval.settings.get resourcemanager.projects.get resourcemanager.projects.list
Access Approval Config Editor ^Beta (`roles/accessapproval.configEditor`) Ability update the Access Approval configuration	accessapproval.settings.* resourcemanager.projects.get resourcemanager.projects.list
Access Approval Viewer ^Beta (`roles/accessapproval.viewer`) Ability to view access approval requests and configuration	accessapproval.requests.get accessapproval.requests.list accessapproval.settings.get resourcemanager.projects.get resourcemanager.projects.list

Access Context Manager roles

Role	Permissions
Cloud Access Binding Admin (`roles/accesscontextmanager.gcpAccessAdmin`) Create, edit, and change Cloud access bindings.	accesscontextmanager.gcpUserAccessBindings.*
Cloud Access Binding Reader (`roles/accesscontextmanager.gcpAccessReader`) Read access to Cloud access bindings.	accesscontextmanager.gcpUserAccessBindings.get accesscontextmanager.gcpUserAccessBindings.list
Access Context Manager Admin (`roles/accesscontextmanager.policyAdmin`) Full access to policies, access levels, and access zones	accesscontextmanager.accessLevels.* accesscontextmanager.accessPolicies.* accesscontextmanager.accessZones.* accesscontextmanager.policies.* accesscontextmanager.servicePerimeters.* cloudasset.assets.searchAllResources resourcemanager.organizations.get resourcemanager.projects.get resourcemanager.projects.list
Access Context Manager Editor (`roles/accesscontextmanager.policyEditor`) Edit access to policies. Create, edit, and change access levels and access zones.	accesscontextmanager.accessLevels.* accesscontextmanager.accessPolicies.create accesscontextmanager.accessPolicies.delete accesscontextmanager.accessPolicies.get accesscontextmanager.accessPolicies.getIamPolicy accesscontextmanager.accessPolicies.list accesscontextmanager.accessPolicies.update accesscontextmanager.accessZones.* accesscontextmanager.policies.create accesscontextmanager.policies.delete accesscontextmanager.policies.get accesscontextmanager.policies.getIamPolicy accesscontextmanager.policies.list accesscontextmanager.policies.update accesscontextmanager.servicePerimeters.* cloudasset.assets.searchAllResources resourcemanager.organizations.get resourcemanager.projects.get resourcemanager.projects.list
Access Context Manager Reader (`roles/accesscontextmanager.policyReader`) Read access to policies, access levels, and access zones.	accesscontextmanager.accessLevels.get accesscontextmanager.accessLevels.list accesscontextmanager.accessPolicies.get accesscontextmanager.accessPolicies.getIamPolicy accesscontextmanager.accessPolicies.list accesscontextmanager.accessZones.get accesscontextmanager.accessZones.list accesscontextmanager.policies.get accesscontextmanager.policies.getIamPolicy accesscontextmanager.policies.list accesscontextmanager.servicePerimeters.get accesscontextmanager.servicePerimeters.list resourcemanager.organizations.get resourcemanager.projects.get resourcemanager.projects.list
VPC Service Controls Troubleshooter Viewer (`roles/accesscontextmanager.vpcScTroubleshooterViewer`)	accesscontextmanager.accessLevels.get accesscontextmanager.accessLevels.list accesscontextmanager.policies.get accesscontextmanager.policies.getIamPolicy accesscontextmanager.policies.list accesscontextmanager.servicePerimeters.get accesscontextmanager.servicePerimeters.list logging.exclusions.get logging.exclusions.list logging.logEntries.list logging.logMetrics.get logging.logMetrics.list logging.logServiceIndexes.* logging.logServices.* logging.logs.list logging.sinks.get logging.sinks.list logging.usage.* resourcemanager.organizations.get resourcemanager.projects.get resourcemanager.projects.list

Actions roles

Role	Permissions
Actions Admin (`roles/actions.Admin`) Access to edit and deploy an action	actions.* firebase.projects.get firebase.projects.update resourcemanager.projects.get resourcemanager.projects.list serviceusage.services.use
Actions Viewer (`roles/actions.Viewer`) Access to view an action	actions.agent.get actions.agentVersions.get actions.agentVersions.list firebase.projects.get resourcemanager.projects.get resourcemanager.projects.list serviceusage.services.use

AI Notebooks roles

Role	Permissions
Notebooks Admin (`roles/notebooks.admin`) Full access to Notebooks, all resources. Lowest-level resources where you can grant this role: Instance	compute.acceleratorTypes.* compute.addresses.get compute.addresses.list compute.autoscalers.get compute.autoscalers.list compute.backendBuckets.get compute.backendBuckets.list compute.backendServices.get compute.backendServices.getIamPolicy compute.backendServices.list compute.commitments.get compute.commitments.list compute.diskTypes.* compute.disks.get compute.disks.getIamPolicy compute.disks.list compute.disks.listTagBindings compute.externalVpnGateways.get compute.externalVpnGateways.list compute.firewallPolicies.get compute.firewallPolicies.getIamPolicy compute.firewallPolicies.list compute.firewalls.get compute.firewalls.list compute.forwardingRules.get compute.forwardingRules.list compute.globalAddresses.get compute.globalAddresses.list compute.globalForwardingRules.get compute.globalForwardingRules.list compute.globalForwardingRules.pscGet compute.globalNetworkEndpointGroups.get compute.globalNetworkEndpointGroups.list compute.globalOperations.get compute.globalOperations.getIamPolicy compute.globalOperations.list compute.globalPublicDelegatedPrefixes.get compute.globalPublicDelegatedPrefixes.list compute.healthChecks.get compute.healthChecks.list compute.httpHealthChecks.get compute.httpHealthChecks.list compute.httpsHealthChecks.get compute.httpsHealthChecks.list compute.images.get compute.images.getFromFamily compute.images.getIamPolicy compute.images.list compute.images.listTagBindings compute.instanceGroupManagers.get compute.instanceGroupManagers.list compute.instanceGroups.get compute.instanceGroups.list compute.instanceTemplates.get compute.instanceTemplates.getIamPolicy compute.instanceTemplates.list compute.instances.get compute.instances.getEffectiveFirewalls compute.instances.getGuestAttributes compute.instances.getIamPolicy compute.instances.getScreenshot compute.instances.getSerialPortOutput compute.instances.getShieldedInstanceIdentity compute.instances.getShieldedVmIdentity compute.instances.list compute.instances.listReferrers compute.interconnectAttachments.get compute.interconnectAttachments.list compute.interconnectLocations.* compute.interconnects.get compute.interconnects.list compute.licenseCodes.get compute.licenseCodes.getIamPolicy compute.licenseCodes.list compute.licenses.get compute.licenses.getIamPolicy compute.licenses.list compute.machineImages.get compute.machineImages.getIamPolicy compute.machineImages.list compute.machineTypes.* compute.maintenancePolicies.get compute.maintenancePolicies.getIamPolicy compute.maintenancePolicies.list compute.networkEndpointGroups.get compute.networkEndpointGroups.getIamPolicy compute.networkEndpointGroups.list compute.networks.get compute.networks.getEffectiveFirewalls compute.networks.list compute.networks.listPeeringRoutes compute.nodeGroups.get compute.nodeGroups.getIamPolicy compute.nodeGroups.list compute.nodeTemplates.get compute.nodeTemplates.getIamPolicy compute.nodeTemplates.list compute.nodeTypes.* compute.organizations.listAssociations compute.projects.get compute.publicAdvertisedPrefixes.get compute.publicAdvertisedPrefixes.list compute.publicDelegatedPrefixes.get compute.publicDelegatedPrefixes.list compute.regionBackendServices.get compute.regionBackendServices.getIamPolicy compute.regionBackendServices.list compute.regionHealthCheckServices.get compute.regionHealthCheckServices.list compute.regionHealthChecks.get compute.regionHealthChecks.list compute.regionNetworkEndpointGroups.get compute.regionNetworkEndpointGroups.list compute.regionNotificationEndpoints.get compute.regionNotificationEndpoints.list compute.regionOperations.get compute.regionOperations.getIamPolicy compute.regionOperations.list compute.regionSslCertificates.get compute.regionSslCertificates.list compute.regionTargetHttpProxies.get compute.regionTargetHttpProxies.list compute.regionTargetHttpsProxies.get compute.regionTargetHttpsProxies.list compute.regionUrlMaps.get compute.regionUrlMaps.list compute.regionUrlMaps.validate compute.regions.* compute.reservations.get compute.reservations.list compute.resourcePolicies.get compute.resourcePolicies.list compute.routers.get compute.routers.list compute.routes.get compute.routes.list compute.securityPolicies.get compute.securityPolicies.getIamPolicy compute.securityPolicies.list compute.serviceAttachments.get compute.serviceAttachments.list compute.snapshots.get compute.snapshots.getIamPolicy compute.snapshots.list compute.snapshots.listTagBindings compute.sslCertificates.get compute.sslCertificates.list compute.sslPolicies.get compute.sslPolicies.list compute.sslPolicies.listAvailableFeatures compute.subnetworks.get compute.subnetworks.getIamPolicy compute.subnetworks.list compute.targetGrpcProxies.get compute.targetGrpcProxies.list compute.targetHttpProxies.get compute.targetHttpProxies.list compute.targetHttpsProxies.get compute.targetHttpsProxies.list compute.targetInstances.get compute.targetInstances.list compute.targetPools.get compute.targetPools.list compute.targetSslProxies.get compute.targetSslProxies.list compute.targetTcpProxies.get compute.targetTcpProxies.list compute.targetVpnGateways.get compute.targetVpnGateways.list compute.urlMaps.get compute.urlMaps.list compute.urlMaps.validate compute.vpnGateways.get compute.vpnGateways.list compute.vpnTunnels.get compute.vpnTunnels.list compute.zoneOperations.get compute.zoneOperations.getIamPolicy compute.zoneOperations.list compute.zones.* notebooks.* resourcemanager.projects.get resourcemanager.projects.list serviceusage.quotas.get serviceusage.services.get serviceusage.services.list
Notebooks Legacy Admin (`roles/notebooks.legacyAdmin`) Full access to Notebooks all resources through compute API.	compute.* notebooks.* resourcemanager.projects.get resourcemanager.projects.list serviceusage.quotas.get serviceusage.services.get serviceusage.services.list
Notebooks Legacy Viewer (`roles/notebooks.legacyViewer`) Read-only access to Notebooks all resources through compute API.	compute.acceleratorTypes.* compute.addresses.get compute.addresses.list compute.autoscalers.get compute.autoscalers.list compute.backendBuckets.get compute.backendBuckets.list compute.backendServices.get compute.backendServices.getIamPolicy compute.backendServices.list compute.commitments.get compute.commitments.list compute.diskTypes.* compute.disks.get compute.disks.getIamPolicy compute.disks.list compute.disks.listTagBindings compute.externalVpnGateways.get compute.externalVpnGateways.list compute.firewallPolicies.get compute.firewallPolicies.getIamPolicy compute.firewallPolicies.list compute.firewalls.get compute.firewalls.list compute.forwardingRules.get compute.forwardingRules.list compute.globalAddresses.get compute.globalAddresses.list compute.globalForwardingRules.get compute.globalForwardingRules.list compute.globalForwardingRules.pscGet compute.globalNetworkEndpointGroups.get compute.globalNetworkEndpointGroups.list compute.globalOperations.get compute.globalOperations.getIamPolicy compute.globalOperations.list compute.globalPublicDelegatedPrefixes.get compute.globalPublicDelegatedPrefixes.list compute.healthChecks.get compute.healthChecks.list compute.httpHealthChecks.get compute.httpHealthChecks.list compute.httpsHealthChecks.get compute.httpsHealthChecks.list compute.images.get compute.images.getFromFamily compute.images.getIamPolicy compute.images.list compute.images.listTagBindings compute.instanceGroupManagers.get compute.instanceGroupManagers.list compute.instanceGroups.get compute.instanceGroups.list compute.instanceTemplates.get compute.instanceTemplates.getIamPolicy compute.instanceTemplates.list compute.instances.get compute.instances.getEffectiveFirewalls compute.instances.getGuestAttributes compute.instances.getIamPolicy compute.instances.getScreenshot compute.instances.getSerialPortOutput compute.instances.getShieldedInstanceIdentity compute.instances.getShieldedVmIdentity compute.instances.list compute.instances.listReferrers compute.interconnectAttachments.get compute.interconnectAttachments.list compute.interconnectLocations.* compute.interconnects.get compute.interconnects.list compute.licenseCodes.get compute.licenseCodes.getIamPolicy compute.licenseCodes.list compute.licenses.get compute.licenses.getIamPolicy compute.licenses.list compute.machineImages.get compute.machineImages.getIamPolicy compute.machineImages.list compute.machineTypes.* compute.maintenancePolicies.get compute.maintenancePolicies.getIamPolicy compute.maintenancePolicies.list compute.networkEndpointGroups.get compute.networkEndpointGroups.getIamPolicy compute.networkEndpointGroups.list compute.networks.get compute.networks.getEffectiveFirewalls compute.networks.list compute.networks.listPeeringRoutes compute.nodeGroups.get compute.nodeGroups.getIamPolicy compute.nodeGroups.list compute.nodeTemplates.get compute.nodeTemplates.getIamPolicy compute.nodeTemplates.list compute.nodeTypes.* compute.organizations.listAssociations compute.projects.get compute.publicAdvertisedPrefixes.get compute.publicAdvertisedPrefixes.list compute.publicDelegatedPrefixes.get compute.publicDelegatedPrefixes.list compute.regionBackendServices.get compute.regionBackendServices.getIamPolicy compute.regionBackendServices.list compute.regionHealthCheckServices.get compute.regionHealthCheckServices.list compute.regionHealthChecks.get compute.regionHealthChecks.list compute.regionNetworkEndpointGroups.get compute.regionNetworkEndpointGroups.list compute.regionNotificationEndpoints.get compute.regionNotificationEndpoints.list compute.regionOperations.get compute.regionOperations.getIamPolicy compute.regionOperations.list compute.regionSslCertificates.get compute.regionSslCertificates.list compute.regionTargetHttpProxies.get compute.regionTargetHttpProxies.list compute.regionTargetHttpsProxies.get compute.regionTargetHttpsProxies.list compute.regionUrlMaps.get compute.regionUrlMaps.list compute.regionUrlMaps.validate compute.regions.* compute.reservations.get compute.reservations.list compute.resourcePolicies.get compute.resourcePolicies.list compute.routers.get compute.routers.list compute.routes.get compute.routes.list compute.securityPolicies.get compute.securityPolicies.getIamPolicy compute.securityPolicies.list compute.serviceAttachments.get compute.serviceAttachments.list compute.snapshots.get compute.snapshots.getIamPolicy compute.snapshots.list compute.snapshots.listTagBindings compute.sslCertificates.get compute.sslCertificates.list compute.sslPolicies.get compute.sslPolicies.list compute.sslPolicies.listAvailableFeatures compute.subnetworks.get compute.subnetworks.getIamPolicy compute.subnetworks.list compute.targetGrpcProxies.get compute.targetGrpcProxies.list compute.targetHttpProxies.get compute.targetHttpProxies.list compute.targetHttpsProxies.get compute.targetHttpsProxies.list compute.targetInstances.get compute.targetInstances.list compute.targetPools.get compute.targetPools.list compute.targetSslProxies.get compute.targetSslProxies.list compute.targetTcpProxies.get compute.targetTcpProxies.list compute.targetVpnGateways.get compute.targetVpnGateways.list compute.urlMaps.get compute.urlMaps.list compute.urlMaps.validate compute.vpnGateways.get compute.vpnGateways.list compute.vpnTunnels.get compute.vpnTunnels.list compute.zoneOperations.get compute.zoneOperations.getIamPolicy compute.zoneOperations.list compute.zones.* notebooks.environments.get notebooks.environments.getIamPolicy notebooks.environments.list notebooks.executions.get notebooks.executions.getIamPolicy notebooks.executions.list notebooks.instances.checkUpgradability notebooks.instances.get notebooks.instances.getHealth notebooks.instances.getIamPolicy notebooks.instances.list notebooks.locations.* notebooks.operations.get notebooks.operations.list notebooks.runtimes.get notebooks.runtimes.getIamPolicy notebooks.runtimes.list notebooks.schedules.get notebooks.schedules.getIamPolicy notebooks.schedules.list resourcemanager.projects.get resourcemanager.projects.list serviceusage.quotas.get serviceusage.services.get serviceusage.services.list
Notebooks Runner (`roles/notebooks.runner`) Restricted access for running scheduled Notebooks.	compute.acceleratorTypes.* compute.addresses.get compute.addresses.list compute.autoscalers.get compute.autoscalers.list compute.backendBuckets.get compute.backendBuckets.list compute.backendServices.get compute.backendServices.getIamPolicy compute.backendServices.list compute.commitments.get compute.commitments.list compute.diskTypes.* compute.disks.get compute.disks.getIamPolicy compute.disks.list compute.disks.listTagBindings compute.externalVpnGateways.get compute.externalVpnGateways.list compute.firewallPolicies.get compute.firewallPolicies.getIamPolicy compute.firewallPolicies.list compute.firewalls.get compute.firewalls.list compute.forwardingRules.get compute.forwardingRules.list compute.globalAddresses.get compute.globalAddresses.list compute.globalForwardingRules.get compute.globalForwardingRules.list compute.globalForwardingRules.pscGet compute.globalNetworkEndpointGroups.get compute.globalNetworkEndpointGroups.list compute.globalOperations.get compute.globalOperations.getIamPolicy compute.globalOperations.list compute.globalPublicDelegatedPrefixes.get compute.globalPublicDelegatedPrefixes.list compute.healthChecks.get compute.healthChecks.list compute.httpHealthChecks.get compute.httpHealthChecks.list compute.httpsHealthChecks.get compute.httpsHealthChecks.list compute.images.get compute.images.getFromFamily compute.images.getIamPolicy compute.images.list compute.images.listTagBindings compute.instanceGroupManagers.get compute.instanceGroupManagers.list compute.instanceGroups.get compute.instanceGroups.list compute.instanceTemplates.get compute.instanceTemplates.getIamPolicy compute.instanceTemplates.list compute.instances.get compute.instances.getEffectiveFirewalls compute.instances.getGuestAttributes compute.instances.getIamPolicy compute.instances.getScreenshot compute.instances.getSerialPortOutput compute.instances.getShieldedInstanceIdentity compute.instances.getShieldedVmIdentity compute.instances.list compute.instances.listReferrers compute.interconnectAttachments.get compute.interconnectAttachments.list compute.interconnectLocations.* compute.interconnects.get compute.interconnects.list compute.licenseCodes.get compute.licenseCodes.getIamPolicy compute.licenseCodes.list compute.licenses.get compute.licenses.getIamPolicy compute.licenses.list compute.machineImages.get compute.machineImages.getIamPolicy compute.machineImages.list compute.machineTypes.* compute.maintenancePolicies.get compute.maintenancePolicies.getIamPolicy compute.maintenancePolicies.list compute.networkEndpointGroups.get compute.networkEndpointGroups.getIamPolicy compute.networkEndpointGroups.list compute.networks.get compute.networks.getEffectiveFirewalls compute.networks.list compute.networks.listPeeringRoutes compute.nodeGroups.get compute.nodeGroups.getIamPolicy compute.nodeGroups.list compute.nodeTemplates.get compute.nodeTemplates.getIamPolicy compute.nodeTemplates.list compute.nodeTypes.* compute.organizations.listAssociations compute.projects.get compute.publicAdvertisedPrefixes.get compute.publicAdvertisedPrefixes.list compute.publicDelegatedPrefixes.get compute.publicDelegatedPrefixes.list compute.regionBackendServices.get compute.regionBackendServices.getIamPolicy compute.regionBackendServices.list compute.regionHealthCheckServices.get compute.regionHealthCheckServices.list compute.regionHealthChecks.get compute.regionHealthChecks.list compute.regionNetworkEndpointGroups.get compute.regionNetworkEndpointGroups.list compute.regionNotificationEndpoints.get compute.regionNotificationEndpoints.list compute.regionOperations.get compute.regionOperations.getIamPolicy compute.regionOperations.list compute.regionSslCertificates.get compute.regionSslCertificates.list compute.regionTargetHttpProxies.get compute.regionTargetHttpProxies.list compute.regionTargetHttpsProxies.get compute.regionTargetHttpsProxies.list compute.regionUrlMaps.get compute.regionUrlMaps.list compute.regionUrlMaps.validate compute.regions.* compute.reservations.get compute.reservations.list compute.resourcePolicies.get compute.resourcePolicies.list compute.routers.get compute.routers.list compute.routes.get compute.routes.list compute.securityPolicies.get compute.securityPolicies.getIamPolicy compute.securityPolicies.list compute.serviceAttachments.get compute.serviceAttachments.list compute.snapshots.get compute.snapshots.getIamPolicy compute.snapshots.list compute.snapshots.listTagBindings compute.sslCertificates.get compute.sslCertificates.list compute.sslPolicies.get compute.sslPolicies.list compute.sslPolicies.listAvailableFeatures compute.subnetworks.get compute.subnetworks.getIamPolicy compute.subnetworks.list compute.targetGrpcProxies.get compute.targetGrpcProxies.list compute.targetHttpProxies.get compute.targetHttpProxies.list compute.targetHttpsProxies.get compute.targetHttpsProxies.list compute.targetInstances.get compute.targetInstances.list compute.targetPools.get compute.targetPools.list compute.targetSslProxies.get compute.targetSslProxies.list compute.targetTcpProxies.get compute.targetTcpProxies.list compute.targetVpnGateways.get compute.targetVpnGateways.list compute.urlMaps.get compute.urlMaps.list compute.urlMaps.validate compute.vpnGateways.get compute.vpnGateways.list compute.vpnTunnels.get compute.vpnTunnels.list compute.zoneOperations.get compute.zoneOperations.getIamPolicy compute.zoneOperations.list compute.zones.* notebooks.environments.get notebooks.environments.getIamPolicy notebooks.environments.list notebooks.executions.create notebooks.executions.get notebooks.executions.getIamPolicy notebooks.executions.list notebooks.instances.checkUpgradability notebooks.instances.create notebooks.instances.get notebooks.instances.getHealth notebooks.instances.getIamPolicy notebooks.instances.list notebooks.locations.* notebooks.operations.get notebooks.operations.list notebooks.runtimes.create notebooks.runtimes.get notebooks.runtimes.getIamPolicy notebooks.runtimes.list notebooks.schedules.create notebooks.schedules.get notebooks.schedules.getIamPolicy notebooks.schedules.list resourcemanager.projects.get resourcemanager.projects.list serviceusage.quotas.get serviceusage.services.get serviceusage.services.list
Notebooks Viewer (`roles/notebooks.viewer`) Read-only access to Notebooks, all resources. Lowest-level resources where you can grant this role: Instance	compute.acceleratorTypes.* compute.addresses.get compute.addresses.list compute.autoscalers.get compute.autoscalers.list compute.backendBuckets.get compute.backendBuckets.list compute.backendServices.get compute.backendServices.getIamPolicy compute.backendServices.list compute.commitments.get compute.commitments.list compute.diskTypes.* compute.disks.get compute.disks.getIamPolicy compute.disks.list compute.disks.listTagBindings compute.externalVpnGateways.get compute.externalVpnGateways.list compute.firewallPolicies.get compute.firewallPolicies.getIamPolicy compute.firewallPolicies.list compute.firewalls.get compute.firewalls.list compute.forwardingRules.get compute.forwardingRules.list compute.globalAddresses.get compute.globalAddresses.list compute.globalForwardingRules.get compute.globalForwardingRules.list compute.globalForwardingRules.pscGet compute.globalNetworkEndpointGroups.get compute.globalNetworkEndpointGroups.list compute.globalOperations.get compute.globalOperations.getIamPolicy compute.globalOperations.list compute.globalPublicDelegatedPrefixes.get compute.globalPublicDelegatedPrefixes.list compute.healthChecks.get compute.healthChecks.list compute.httpHealthChecks.get compute.httpHealthChecks.list compute.httpsHealthChecks.get compute.httpsHealthChecks.list compute.images.get compute.images.getFromFamily compute.images.getIamPolicy compute.images.list compute.images.listTagBindings compute.instanceGroupManagers.get compute.instanceGroupManagers.list compute.instanceGroups.get compute.instanceGroups.list compute.instanceTemplates.get compute.instanceTemplates.getIamPolicy compute.instanceTemplates.list compute.instances.get compute.instances.getEffectiveFirewalls compute.instances.getGuestAttributes compute.instances.getIamPolicy compute.instances.getScreenshot compute.instances.getSerialPortOutput compute.instances.getShieldedInstanceIdentity compute.instances.getShieldedVmIdentity compute.instances.list compute.instances.listReferrers compute.interconnectAttachments.get compute.interconnectAttachments.list compute.interconnectLocations.* compute.interconnects.get compute.interconnects.list compute.licenseCodes.get compute.licenseCodes.getIamPolicy compute.licenseCodes.list compute.licenses.get compute.licenses.getIamPolicy compute.licenses.list compute.machineImages.get compute.machineImages.getIamPolicy compute.machineImages.list compute.machineTypes.* compute.maintenancePolicies.get compute.maintenancePolicies.getIamPolicy compute.maintenancePolicies.list compute.networkEndpointGroups.get compute.networkEndpointGroups.getIamPolicy compute.networkEndpointGroups.list compute.networks.get compute.networks.getEffectiveFirewalls compute.networks.list compute.networks.listPeeringRoutes compute.nodeGroups.get compute.nodeGroups.getIamPolicy compute.nodeGroups.list compute.nodeTemplates.get compute.nodeTemplates.getIamPolicy compute.nodeTemplates.list compute.nodeTypes.* compute.organizations.listAssociations compute.projects.get compute.publicAdvertisedPrefixes.get compute.publicAdvertisedPrefixes.list compute.publicDelegatedPrefixes.get compute.publicDelegatedPrefixes.list compute.regionBackendServices.get compute.regionBackendServices.getIamPolicy compute.regionBackendServices.list compute.regionHealthCheckServices.get compute.regionHealthCheckServices.list compute.regionHealthChecks.get compute.regionHealthChecks.list compute.regionNetworkEndpointGroups.get compute.regionNetworkEndpointGroups.list compute.regionNotificationEndpoints.get compute.regionNotificationEndpoints.list compute.regionOperations.get compute.regionOperations.getIamPolicy compute.regionOperations.list compute.regionSslCertificates.get compute.regionSslCertificates.list compute.regionTargetHttpProxies.get compute.regionTargetHttpProxies.list compute.regionTargetHttpsProxies.get compute.regionTargetHttpsProxies.list compute.regionUrlMaps.get compute.regionUrlMaps.list compute.regionUrlMaps.validate compute.regions.* compute.reservations.get compute.reservations.list compute.resourcePolicies.get compute.resourcePolicies.list compute.routers.get compute.routers.list compute.routes.get compute.routes.list compute.securityPolicies.get compute.securityPolicies.getIamPolicy compute.securityPolicies.list compute.serviceAttachments.get compute.serviceAttachments.list compute.snapshots.get compute.snapshots.getIamPolicy compute.snapshots.list compute.snapshots.listTagBindings compute.sslCertificates.get compute.sslCertificates.list compute.sslPolicies.get compute.sslPolicies.list compute.sslPolicies.listAvailableFeatures compute.subnetworks.get compute.subnetworks.getIamPolicy compute.subnetworks.list compute.targetGrpcProxies.get compute.targetGrpcProxies.list compute.targetHttpProxies.get compute.targetHttpProxies.list compute.targetHttpsProxies.get compute.targetHttpsProxies.list compute.targetInstances.get compute.targetInstances.list compute.targetPools.get compute.targetPools.list compute.targetSslProxies.get compute.targetSslProxies.list compute.targetTcpProxies.get compute.targetTcpProxies.list compute.targetVpnGateways.get compute.targetVpnGateways.list compute.urlMaps.get compute.urlMaps.list compute.urlMaps.validate compute.vpnGateways.get compute.vpnGateways.list compute.vpnTunnels.get compute.vpnTunnels.list compute.zoneOperations.get compute.zoneOperations.getIamPolicy compute.zoneOperations.list compute.zones.* notebooks.environments.get notebooks.environments.getIamPolicy notebooks.environments.list notebooks.executions.get notebooks.executions.getIamPolicy notebooks.executions.list notebooks.instances.checkUpgradability notebooks.instances.get notebooks.instances.getHealth notebooks.instances.getIamPolicy notebooks.instances.list notebooks.locations.* notebooks.operations.get notebooks.operations.list notebooks.runtimes.get notebooks.runtimes.getIamPolicy notebooks.runtimes.list notebooks.schedules.get notebooks.schedules.getIamPolicy notebooks.schedules.list resourcemanager.projects.get resourcemanager.projects.list serviceusage.quotas.get serviceusage.services.get serviceusage.services.list

AI Platform roles

Role	Permissions
AI Platform Admin (`roles/ml.admin`) Provides full access to AI Platform resources, and its jobs, operations, models, and versions. Lowest-level resources where you can grant this role: Project	ml.* resourcemanager.projects.get
AI Platform Developer (`roles/ml.developer`) Provides ability to use AI Platform resources for creating models, versions, jobs for training and prediction, and sending online prediction requests. Lowest-level resources where you can grant this role: Project	ml.jobs.create ml.jobs.get ml.jobs.getIamPolicy ml.jobs.list ml.locations.* ml.models.create ml.models.get ml.models.getIamPolicy ml.models.list ml.models.predict ml.operations.get ml.operations.list ml.projects.* ml.studies.* ml.trials.* ml.versions.get ml.versions.list ml.versions.predict resourcemanager.projects.get
AI Platform Job Owner (`roles/ml.jobOwner`) Provides full access to all permissions for a particular job resource. This role is automatically granted to the user who creates the job. Lowest-level resources where you can grant this role: Job	ml.jobs.*
AI Platform Model Owner (`roles/ml.modelOwner`) Provides full access to the model and its versions. This role is automatically granted to the user who creates the model. Lowest-level resources where you can grant this role: Model	ml.models.* ml.versions.*
AI Platform Model User (`roles/ml.modelUser`) Provides permissions to read the model and its versions, and use them for prediction. Lowest-level resources where you can grant this role: Model	ml.models.get ml.models.predict ml.versions.get ml.versions.list ml.versions.predict
AI Platform Operation Owner (`roles/ml.operationOwner`) Provides full access to all permissions for a particular operation resource. Lowest-level resources where you can grant this role: Operation	ml.operations.*
AI Platform Viewer (`roles/ml.viewer`) Provides read-only access to AI Platform resources. Lowest-level resources where you can grant this role: Project	ml.jobs.get ml.jobs.list ml.locations.* ml.models.get ml.models.list ml.operations.get ml.operations.list ml.projects.* ml.studies.get ml.studies.getIamPolicy ml.studies.list ml.trials.get ml.trials.list ml.versions.get ml.versions.list resourcemanager.projects.get

Android Management roles

Role	Permissions
Android Management User (`roles/androidmanagement.user`) Full access to manage devices.	androidmanagement.* serviceusage.quotas.get serviceusage.services.get serviceusage.services.list

Anthos Multi-cloud roles

Role	Permissions
Anthos Multi-cloud Admin (`roles/gkemulticloud.admin`) Admin access to Anthos Multi-cloud resources.	gkemulticloud.* resourcemanager.projects.get resourcemanager.projects.list
Anthos Multi-cloud Telemetry Writer (`roles/gkemulticloud.telemetryWriter`) Grant access to write cluster telemetry data such as logs, metrics, and resource metadata.	logging.logEntries.create monitoring.metricDescriptors.create monitoring.metricDescriptors.get monitoring.metricDescriptors.list monitoring.monitoredResourceDescriptors.* monitoring.timeSeries.create opsconfigmonitoring.resourceMetadata.write
Anthos Multi-cloud Viewer (`roles/gkemulticloud.viewer`) Viewer access to Anthos Multi-cloud resources.	gkemulticloud.awsClusters.generateAccessToken gkemulticloud.awsClusters.get gkemulticloud.awsClusters.list gkemulticloud.awsNodePools.get gkemulticloud.awsNodePools.list gkemulticloud.awsServerConfigs.* gkemulticloud.azureClients.get gkemulticloud.azureClients.list gkemulticloud.azureClusters.generateAccessToken gkemulticloud.azureClusters.get gkemulticloud.azureClusters.list gkemulticloud.azureNodePools.get gkemulticloud.azureNodePools.list gkemulticloud.azureServerConfigs.* gkemulticloud.operations.get gkemulticloud.operations.list gkemulticloud.operations.wait resourcemanager.projects.get resourcemanager.projects.list

API Gateway roles

Role Permissions

Role	Permissions
ApiGateway Admin (`roles/apigateway.admin`) Full access to ApiGateway and related resources.	apigateway.* monitoring.metricDescriptors.list monitoring.monitoredResourceDescriptors.get monitoring.timeSeries.list resourcemanager.projects.get resourcemanager.projects.list servicemanagement.services.get serviceusage.services.list
ApiGateway Viewer (`roles/apigateway.viewer`) Read-only access to ApiGateway and related resources.	apigateway.apiconfigs.get apigateway.apiconfigs.getIamPolicy apigateway.apiconfigs.list apigateway.apis.get apigateway.apis.getIamPolicy apigateway.apis.list apigateway.gateways.get apigateway.gateways.getIamPolicy apigateway.gateways.list apigateway.locations.* apigateway.operations.get apigateway.operations.list monitoring.metricDescriptors.list monitoring.monitoredResourceDescriptors.get monitoring.timeSeries.list resourcemanager.projects.get resourcemanager.projects.list servicemanagement.services.get serviceusage.services.list

ApiGateway Admin
(roles/apigateway.admin)

Full access to ApiGateway and related resources.

apigateway.*
monitoring.metricDescriptors.list
monitoring.monitoredResourceDescriptors.get
monitoring.timeSeries.list
resourcemanager.projects.get
resourcemanager.projects.list
servicemanagement.services.get
serviceusage.services.list

ApiGateway Viewer
(roles/apigateway.viewer)

Read-only access to ApiGateway and related resources.

apigateway.apiconfigs.get
apigateway.apiconfigs.getIamPolicy
apigateway.apiconfigs.list
apigateway.apis.get
apigateway.apis.getIamPolicy
apigateway.apis.list
apigateway.gateways.get
apigateway.gateways.getIamPolicy
apigateway.gateways.list
apigateway.locations.*
apigateway.operations.get
apigateway.operations.list
monitoring.metricDescriptors.list
monitoring.monitoredResourceDescriptors.get
monitoring.timeSeries.list
resourcemanager.projects.get
resourcemanager.projects.list
servicemanagement.services.get
serviceusage.services.list

Apigee roles

Role	Permissions
Apigee Organization Admin (`roles/apigee.admin`) Full access to all apigee resource features	apigee.* resourcemanager.projects.get resourcemanager.projects.getIamPolicy resourcemanager.projects.list
Apigee Analytics Agent (`roles/apigee.analyticsAgent`) Curated set of permissions for Apigee Universal Data Collection Agent to manage analytics for an Apigee Organization	apigee.environments.getDataLocation apigee.runtimeconfigs.*
Apigee Analytics Editor (`roles/apigee.analyticsEditor`) Analytics editor for an Apigee Organization	apigee.datacollectors.* apigee.datastores.* apigee.envgroupattachments.get apigee.envgroupattachments.list apigee.envgroups.get apigee.envgroups.list apigee.environments.get apigee.environments.getStats apigee.environments.list apigee.exports.* apigee.hostqueries.* apigee.hoststats.* apigee.organizations.get apigee.organizations.list apigee.queries.* apigee.reports.* resourcemanager.projects.get resourcemanager.projects.list
Apigee Analytics Viewer (`roles/apigee.analyticsViewer`) Analytics viewer for an Apigee Organization	apigee.datacollectors.get apigee.datacollectors.list apigee.datastores.get apigee.datastores.list apigee.envgroupattachments.get apigee.envgroupattachments.list apigee.envgroups.get apigee.envgroups.list apigee.environments.get apigee.environments.getStats apigee.environments.list apigee.exports.get apigee.exports.list apigee.hostqueries.get apigee.hostqueries.list apigee.hoststats.* apigee.organizations.get apigee.organizations.list apigee.queries.get apigee.queries.list apigee.reports.get apigee.reports.list resourcemanager.projects.get resourcemanager.projects.list
Apigee API Admin (`roles/apigee.apiAdmin`) Full read/write access to all apigee API resources	apigee.apiproductattributes.* apigee.apiproducts.* apigee.envgroupattachments.get apigee.envgroupattachments.list apigee.envgroups.get apigee.envgroups.list apigee.environments.get apigee.environments.getStats apigee.environments.list apigee.keyvaluemaps.list apigee.organizations.get apigee.organizations.list apigee.proxies.* apigee.proxyrevisions.* apigee.sharedflowrevisions.* apigee.sharedflows.* apigee.tracesessions.* resourcemanager.projects.get resourcemanager.projects.list
Apigee API Reader (`roles/apigee.apiReader`) Reader of apigee resources	apigee.apiproductattributes.get apigee.apiproductattributes.list apigee.apiproducts.get apigee.apiproducts.list apigee.envgroupattachments.get apigee.envgroupattachments.list apigee.envgroups.get apigee.envgroups.list apigee.environments.get apigee.environments.getStats apigee.environments.list apigee.keyvaluemaps.list apigee.organizations.get apigee.organizations.list apigee.proxies.get apigee.proxies.list apigee.proxyrevisions.deploy apigee.proxyrevisions.get apigee.proxyrevisions.list apigee.proxyrevisions.undeploy apigee.sharedflowrevisions.deploy apigee.sharedflowrevisions.get apigee.sharedflowrevisions.list apigee.sharedflowrevisions.undeploy apigee.sharedflows.get apigee.sharedflows.list apigee.tracesessions.get apigee.tracesessions.list resourcemanager.projects.get resourcemanager.projects.list
Apigee Developer Admin (`roles/apigee.developerAdmin`) Developer admin of apigee resources	apigee.apiproductattributes.get apigee.apiproductattributes.list apigee.apiproducts.get apigee.apiproducts.list apigee.appkeys.* apigee.apps.* apigee.datacollectors.* apigee.developerappattributes.* apigee.developerapps.* apigee.developerattributes.* apigee.developerbalances.* apigee.developermonetizationconfigs.* apigee.developers.* apigee.developersubscriptions.* apigee.environments.get apigee.environments.getStats apigee.hoststats.* apigee.organizations.get apigee.organizations.list apigee.rateplans.get apigee.rateplans.list resourcemanager.projects.get resourcemanager.projects.getIamPolicy resourcemanager.projects.list
Apigee Environment Admin (`roles/apigee.environmentAdmin`) Full read/write access to apigee environment resources, including deployments.	apigee.archivedeployments.* apigee.datacollectors.get apigee.datacollectors.list apigee.deployments.* apigee.envgroupattachments.get apigee.envgroupattachments.list apigee.envgroups.get apigee.envgroups.list apigee.environments.get apigee.environments.getIamPolicy apigee.environments.getStats apigee.environments.list apigee.environments.setIamPolicy apigee.environments.update apigee.flowhooks.* apigee.ingressconfigs.* apigee.keystorealiases.* apigee.keystores.* apigee.keyvaluemaps.* apigee.maskconfigs.* apigee.organizations.get apigee.organizations.list apigee.proxies.get apigee.proxies.list apigee.proxyrevisions.deploy apigee.proxyrevisions.get apigee.proxyrevisions.list apigee.proxyrevisions.undeploy apigee.references.* apigee.resourcefiles.* apigee.sharedflowrevisions.deploy apigee.sharedflowrevisions.get apigee.sharedflowrevisions.list apigee.sharedflowrevisions.undeploy apigee.sharedflows.get apigee.sharedflows.list apigee.targetservers.* apigee.tracesessions.* resourcemanager.projects.get resourcemanager.projects.getIamPolicy resourcemanager.projects.list
Apigee Monetization Admin (`roles/apigee.monetizationAdmin`) All permissions related to monetization	apigee.apiproducts.get apigee.apiproducts.list apigee.developerbalances.* apigee.developermonetizationconfigs.* apigee.developersubscriptions.* apigee.organizations.get apigee.organizations.list apigee.rateplans.* resourcemanager.projects.get resourcemanager.projects.list
Apigee Portal Admin (`roles/apigee.portalAdmin`) Portal admin for an Apigee Organization	apigee.organizations.get apigee.organizations.list apigee.portals.* resourcemanager.projects.get resourcemanager.projects.list
Apigee Read-only Admin (`roles/apigee.readOnlyAdmin`) Viewer of all apigee resources	apigee.apiproductattributes.get apigee.apiproductattributes.list apigee.apiproducts.get apigee.apiproducts.list apigee.appkeys.get apigee.apps.* apigee.archivedeployments.download apigee.archivedeployments.get apigee.archivedeployments.list apigee.caches.list apigee.canaryevaluations.get apigee.datacollectors.get apigee.datacollectors.list apigee.datastores.get apigee.datastores.list apigee.deployments.get apigee.deployments.list apigee.developerappattributes.get apigee.developerappattributes.list apigee.developerapps.get apigee.developerapps.list apigee.developerattributes.get apigee.developerattributes.list apigee.developerbalances.get apigee.developermonetizationconfigs.get apigee.developers.get apigee.developers.list apigee.developersubscriptions.get apigee.developersubscriptions.list apigee.envgroupattachments.get apigee.envgroupattachments.list apigee.envgroups.get apigee.envgroups.list apigee.environments.get apigee.environments.getDataLocation apigee.environments.getIamPolicy apigee.environments.getStats apigee.environments.list apigee.exports.get apigee.exports.list apigee.flowhooks.getSharedFlow apigee.flowhooks.list apigee.hostqueries.get apigee.hostqueries.list apigee.hostsecurityreports.get apigee.hostsecurityreports.list apigee.hoststats.* apigee.ingressconfigs.* apigee.instanceattachments.get apigee.instanceattachments.list apigee.instances.get apigee.instances.list apigee.keystorealiases.get apigee.keystorealiases.list apigee.keystores.get apigee.keystores.list apigee.keyvaluemaps.list apigee.maskconfigs.get apigee.operations.* apigee.organizations.get apigee.organizations.list apigee.portals.get apigee.portals.list apigee.proxies.get apigee.proxies.list apigee.proxyrevisions.get apigee.proxyrevisions.list apigee.queries.get apigee.queries.list apigee.rateplans.get apigee.rateplans.list apigee.references.get apigee.references.list apigee.reports.get apigee.reports.list apigee.resourcefiles.get apigee.resourcefiles.list apigee.runtimeconfigs.* apigee.securityreports.get apigee.securityreports.list apigee.sharedflowrevisions.get apigee.sharedflowrevisions.list apigee.sharedflows.get apigee.sharedflows.list apigee.targetservers.get apigee.targetservers.list apigee.tracesessions.get apigee.tracesessions.list resourcemanager.projects.get resourcemanager.projects.getIamPolicy resourcemanager.projects.list
Apigee Runtime Agent (`roles/apigee.runtimeAgent`) Curated set of permissions for a runtime agent to access Apigee Organization resources	apigee.canaryevaluations.* apigee.ingressconfigs.* apigee.instances.reportStatus apigee.operations.* apigee.organizations.get apigee.runtimeconfigs.*
Apigee Security Admin (`roles/apigee.securityAdmin`) Security admin for an Apigee Organization	apigee.hostsecurityreports.* apigee.securityreports.*
Apigee Security Viewer (`roles/apigee.securityViewer`) Security viewer for an Apigee Organization	apigee.hostsecurityreports.get apigee.hostsecurityreports.list apigee.securityreports.get apigee.securityreports.list
Apigee Synchronizer Manager (`roles/apigee.synchronizerManager`) Curated set of permissions for a Synchronizer to manage environments in an Apigee Organization	apigee.environments.get apigee.environments.manageRuntime apigee.ingressconfigs.*
Apigee Connect Admin (`roles/apigeeconnect.Admin`) Admin of Apigee Connect	apigeeconnect.connections.*
Apigee Connect Agent (`roles/apigeeconnect.Agent`) Ability to set up Apigee Connect agent between external clusters and Google.	apigeeconnect.endpoints.*

App Engine roles

Role	Permissions
App Engine Admin (`roles/appengine.appAdmin`) Read/Write/Modify access to all application configuration and settings. To deploy new versions, a principal must have the Service Account User (`roles/iam.serviceAccountUser`) role on the App Engine default service account, and the Cloud Build Editor (`roles/cloudbuild.builds.editor`) and Cloud Storage Object Admin (`roles/storage.objectAdmin`) roles on the project. Lowest-level resources where you can grant this role: Project	appengine.applications.get appengine.applications.update appengine.instances.* appengine.operations.* appengine.runtimes.* appengine.services.* appengine.versions.create appengine.versions.delete appengine.versions.get appengine.versions.list appengine.versions.update resourcemanager.projects.get resourcemanager.projects.list
App Engine Creator (`roles/appengine.appCreator`) Ability to create the App Engine resource for the project. Lowest-level resources where you can grant this role: Project	appengine.applications.create resourcemanager.projects.get resourcemanager.projects.list
App Engine Viewer (`roles/appengine.appViewer`) Read-only access to all application configuration and settings. Lowest-level resources where you can grant this role: Project	appengine.applications.get appengine.instances.get appengine.instances.list appengine.operations.* appengine.services.get appengine.services.list appengine.versions.get appengine.versions.list resourcemanager.projects.get resourcemanager.projects.list
App Engine Code Viewer (`roles/appengine.codeViewer`) Read-only access to all application configuration, settings, and deployed source code. Lowest-level resources where you can grant this role: Project	appengine.applications.get appengine.instances.get appengine.instances.list appengine.operations.* appengine.services.get appengine.services.list appengine.versions.get appengine.versions.getFileContents appengine.versions.list resourcemanager.projects.get resourcemanager.projects.list
App Engine Deployer (`roles/appengine.deployer`) Read-only access to all application configuration and settings. To deploy new versions, you must also have the Service Account User (`roles/iam.serviceAccountUser`) role on the App Engine default service account, and the Cloud Build Editor (`roles/cloudbuild.builds.editor`) and Cloud Storage Object Admin (`roles/storage.objectAdmin`) roles on the project. Cannot modify existing versions other than deleting versions that are not receiving traffic. Lowest-level resources where you can grant this role: Project	appengine.applications.get appengine.instances.get appengine.instances.list appengine.operations.* appengine.services.get appengine.services.list appengine.versions.create appengine.versions.delete appengine.versions.get appengine.versions.list resourcemanager.projects.get resourcemanager.projects.list
App Engine Service Admin (`roles/appengine.serviceAdmin`) Read-only access to all application configuration and settings. Write access to module-level and version-level settings. Cannot deploy a new version. Lowest-level resources where you can grant this role: Project	appengine.applications.get appengine.instances.* appengine.operations.* appengine.services.* appengine.versions.delete appengine.versions.get appengine.versions.list appengine.versions.update resourcemanager.projects.get resourcemanager.projects.list

Artifact Registry roles

Role	Permissions
Artifact Registry Administrator (`roles/artifactregistry.admin`) Administrator access to create and manage repositories.	artifactregistry.*
Artifact Registry Reader (`roles/artifactregistry.reader`) Access to read repository items.	artifactregistry.dockerimages.* artifactregistry.files.* artifactregistry.packages.get artifactregistry.packages.list artifactregistry.repositories.downloadArtifacts artifactregistry.repositories.get artifactregistry.repositories.list artifactregistry.tags.get artifactregistry.tags.list artifactregistry.versions.get artifactregistry.versions.list
Artifact Registry Repository Administrator (`roles/artifactregistry.repoAdmin`) Access to manage artifacts in repositories.	artifactregistry.aptartifacts.* artifactregistry.dockerimages.* artifactregistry.files.* artifactregistry.packages.* artifactregistry.repositories.deleteArtifacts artifactregistry.repositories.downloadArtifacts artifactregistry.repositories.get artifactregistry.repositories.list artifactregistry.repositories.uploadArtifacts artifactregistry.tags.* artifactregistry.versions.* artifactregistry.yumartifacts.*
Artifact Registry Writer (`roles/artifactregistry.writer`) Access to read and write repository items.	artifactregistry.aptartifacts.* artifactregistry.dockerimages.* artifactregistry.files.* artifactregistry.packages.get artifactregistry.packages.list artifactregistry.repositories.downloadArtifacts artifactregistry.repositories.get artifactregistry.repositories.list artifactregistry.repositories.uploadArtifacts artifactregistry.tags.create artifactregistry.tags.get artifactregistry.tags.list artifactregistry.tags.update artifactregistry.versions.get artifactregistry.versions.list artifactregistry.yumartifacts.*

Assured Workloads roles

Role	Permissions
Assured Workloads Administrator (`roles/assuredworkloads.admin`) Grants full access to Assured Workloads resources, CRM resources - project/folder and Organization Policy administration	assuredworkloads.* orgpolicy.policy.* resourcemanager.folders.create resourcemanager.folders.get resourcemanager.folders.list resourcemanager.organizations.get resourcemanager.projects.create resourcemanager.projects.get resourcemanager.projects.list
Assured Workloads Editor (`roles/assuredworkloads.editor`) Grants read, write access to Assured Workloads resources, CRM resources - project/folder and Organization Policy administration	assuredworkloads.* orgpolicy.policy.* resourcemanager.folders.create resourcemanager.folders.get resourcemanager.folders.list resourcemanager.organizations.get resourcemanager.projects.create resourcemanager.projects.get resourcemanager.projects.list
Assured Workloads Reader (`roles/assuredworkloads.reader`) Grants read access to all Assured Workloads resources and CRM resources - project/folder	assuredworkloads.operations.* assuredworkloads.workload.get assuredworkloads.workload.list resourcemanager.folders.get resourcemanager.folders.list resourcemanager.organizations.get resourcemanager.projects.get resourcemanager.projects.list

AutoML roles

Role	Permissions
AutoML Admin ^Beta (`roles/automl.admin`) Full access to all AutoML resources Lowest-level resources where you can grant this role: Dataset Model	automl.* resourcemanager.projects.get resourcemanager.projects.list serviceusage.services.list
AutoML Editor ^Beta (`roles/automl.editor`) Editor of all AutoML resources Lowest-level resources where you can grant this role: Dataset Model	automl.annotationSpecs.* automl.annotations.* automl.columnSpecs.* automl.datasets.create automl.datasets.delete automl.datasets.export automl.datasets.get automl.datasets.import automl.datasets.list automl.datasets.update automl.examples.* automl.humanAnnotationTasks.* automl.locations.get automl.locations.list automl.modelEvaluations.* automl.models.create automl.models.delete automl.models.deploy automl.models.export automl.models.get automl.models.list automl.models.predict automl.models.undeploy automl.operations.* automl.tableSpecs.* resourcemanager.projects.get resourcemanager.projects.list serviceusage.services.list
AutoML Predictor ^Beta (`roles/automl.predictor`) Predict using models Lowest-level resources where you can grant this role: Model	automl.models.predict resourcemanager.projects.get resourcemanager.projects.list
AutoML Viewer ^Beta (`roles/automl.viewer`) Viewer of all AutoML resources Lowest-level resources where you can grant this role: Dataset Model	automl.annotationSpecs.get automl.annotationSpecs.list automl.annotations.list automl.columnSpecs.get automl.columnSpecs.list automl.datasets.get automl.datasets.list automl.examples.get automl.examples.list automl.humanAnnotationTasks.get automl.humanAnnotationTasks.list automl.locations.get automl.locations.list automl.modelEvaluations.get automl.modelEvaluations.list automl.models.get automl.models.list automl.operations.get automl.operations.list automl.tableSpecs.get automl.tableSpecs.list resourcemanager.projects.get resourcemanager.projects.list serviceusage.services.list

BigQuery roles

Role	Permissions
BigQuery Admin (`roles/bigquery.admin`) Provides permissions to manage all resources within the project. Can manage all data within the project, and can cancel jobs from other users running within the project. Lowest-level resources where you can grant this role: Project	bigquery.bireservations.* bigquery.capacityCommitments.* bigquery.config.* bigquery.connections.* bigquery.datasets.* bigquery.jobs.* bigquery.models.* bigquery.readsessions.* bigquery.reservationAssignments.* bigquery.reservations.* bigquery.routines.* bigquery.rowAccessPolicies.create bigquery.rowAccessPolicies.delete bigquery.rowAccessPolicies.getIamPolicy bigquery.rowAccessPolicies.list bigquery.rowAccessPolicies.setIamPolicy bigquery.rowAccessPolicies.update bigquery.savedqueries.* bigquery.tables.* bigquery.transfers.* resourcemanager.projects.get resourcemanager.projects.list
BigQuery Connection Admin (`roles/bigquery.connectionAdmin`)	bigquery.connections.*
BigQuery Connection User (`roles/bigquery.connectionUser`)	bigquery.connections.get bigquery.connections.getIamPolicy bigquery.connections.list bigquery.connections.use
BigQuery Data Editor (`roles/bigquery.dataEditor`) When applied to a table or view, this role provides permissions to: Read and update data and metadata for the table or view. Delete the table or view. This role cannot be applied to individual models or routines. When applied to a dataset, this role provides permissions to: Read the dataset's metadata and list tables in the dataset. Create, update, get, and delete the dataset's tables. When applied at the project or organization level, this role can also create new datasets. Lowest-level resources where you can grant this role: Table View	bigquery.datasets.create bigquery.datasets.get bigquery.datasets.getIamPolicy bigquery.datasets.updateTag bigquery.models.* bigquery.routines.* bigquery.tables.create bigquery.tables.createSnapshot bigquery.tables.delete bigquery.tables.export bigquery.tables.get bigquery.tables.getData bigquery.tables.getIamPolicy bigquery.tables.list bigquery.tables.restoreSnapshot bigquery.tables.update bigquery.tables.updateData bigquery.tables.updateTag resourcemanager.projects.get resourcemanager.projects.list
BigQuery Data Owner (`roles/bigquery.dataOwner`) When applied to a table or view, this role provides permissions to: Read and update data and metadata for the table or view. Share the table or view. Delete the table or view. This role cannot be applied to individual models or routines. When applied to a dataset, this role provides permissions to: Read, update, and delete the dataset. Create, update, get, and delete the dataset's tables. When applied at the project or organization level, this role can also create new datasets. Lowest-level resources where you can grant this role: Table View	bigquery.datasets.* bigquery.models.* bigquery.routines.* bigquery.rowAccessPolicies.create bigquery.rowAccessPolicies.delete bigquery.rowAccessPolicies.getIamPolicy bigquery.rowAccessPolicies.list bigquery.rowAccessPolicies.setIamPolicy bigquery.rowAccessPolicies.update bigquery.tables.* resourcemanager.projects.get resourcemanager.projects.list
BigQuery Data Viewer (`roles/bigquery.dataViewer`) When applied to a table or view, this role provides permissions to: Read data and metadata from the table or view. This role cannot be applied to individual models or routines. When applied to a dataset, this role provides permissions to: Read the dataset's metadata and list tables in the dataset. Read data and metadata from the dataset's tables. When applied at the project or organization level, this role can also enumerate all datasets in the project. Additional roles, however, are necessary to allow the running of jobs. Lowest-level resources where you can grant this role: Table View	bigquery.datasets.get bigquery.datasets.getIamPolicy bigquery.models.export bigquery.models.getData bigquery.models.getMetadata bigquery.models.list bigquery.routines.get bigquery.routines.list bigquery.tables.createSnapshot bigquery.tables.export bigquery.tables.get bigquery.tables.getData bigquery.tables.getIamPolicy bigquery.tables.list resourcemanager.projects.get resourcemanager.projects.list
BigQuery Filtered Data Viewer (`roles/bigquery.filteredDataViewer`) Access to view filtered table data defined by a row access policy	bigquery.rowAccessPolicies.getFilteredData
BigQuery Job User (`roles/bigquery.jobUser`) Provides permissions to run jobs, including queries, within the project. Lowest-level resources where you can grant this role: Project	bigquery.jobs.create resourcemanager.projects.get resourcemanager.projects.list
BigQuery Metadata Viewer (`roles/bigquery.metadataViewer`) When applied to a table or view, this role provides permissions to: Read metadata from the table or view. This role cannot be applied to individual models or routines. When applied to a dataset, this role provides permissions to: List tables and views in the dataset. Read metadata from the dataset's tables and views. When applied at the project or organization level, this role provides permissions to: List all datasets and read metadata for all datasets in the project. List all tables and views and read metadata for all tables and views in the project. Additional roles are necessary to allow the running of jobs. Lowest-level resources where you can grant this role: Table View	bigquery.datasets.get bigquery.datasets.getIamPolicy bigquery.models.getMetadata bigquery.models.list bigquery.routines.get bigquery.routines.list bigquery.tables.get bigquery.tables.getIamPolicy bigquery.tables.list resourcemanager.projects.get resourcemanager.projects.list
BigQuery Read Session User (`roles/bigquery.readSessionUser`) Access to create and use read sessions	bigquery.readsessions.* resourcemanager.projects.get resourcemanager.projects.list
BigQuery Resource Admin (`roles/bigquery.resourceAdmin`) Administer all BigQuery resources.	bigquery.bireservations.* bigquery.capacityCommitments.* bigquery.jobs.get bigquery.jobs.list bigquery.jobs.listAll bigquery.reservationAssignments.* bigquery.reservations.* recommender.bigqueryCapacityCommitmentsInsights.* recommender.bigqueryCapacityCommitmentsRecommendations.* resourcemanager.projects.get resourcemanager.projects.list
BigQuery Resource Editor (`roles/bigquery.resourceEditor`) Manage all BigQuery resources, but cannot make purchasing decisions.	bigquery.bireservations.get bigquery.capacityCommitments.get bigquery.capacityCommitments.list bigquery.jobs.get bigquery.jobs.list bigquery.jobs.listAll bigquery.reservationAssignments.* bigquery.reservations.* resourcemanager.projects.get resourcemanager.projects.list
BigQuery Resource Viewer (`roles/bigquery.resourceViewer`) View all BigQuery resources but cannot make changes or purchasing decisions.	bigquery.bireservations.get bigquery.capacityCommitments.get bigquery.capacityCommitments.list bigquery.jobs.get bigquery.jobs.list bigquery.jobs.listAll bigquery.reservationAssignments.list bigquery.reservationAssignments.search bigquery.reservations.get bigquery.reservations.list resourcemanager.projects.get resourcemanager.projects.list
BigQuery User (`roles/bigquery.user`) When applied to a dataset, this role provides the ability to read the dataset's metadata and list tables in the dataset. When applied to a project, this role also provides the ability to run jobs, including queries, within the project. A principal with this role can enumerate their own jobs, cancel their own jobs, and enumerate datasets within a project. Additionally, allows the creation of new datasets within the project; the creator is granted the BigQuery Data Owner role (`roles/bigquery.dataOwner`) on these new datasets. Lowest-level resources where you can grant this role: Dataset	bigquery.bireservations.get bigquery.capacityCommitments.get bigquery.capacityCommitments.list bigquery.config.get bigquery.datasets.create bigquery.datasets.get bigquery.datasets.getIamPolicy bigquery.jobs.create bigquery.jobs.list bigquery.models.list bigquery.readsessions.* bigquery.reservationAssignments.list bigquery.reservationAssignments.search bigquery.reservations.get bigquery.reservations.list bigquery.routines.list bigquery.savedqueries.get bigquery.savedqueries.list bigquery.tables.list bigquery.transfers.get resourcemanager.projects.get resourcemanager.projects.list

Billing roles

Role	Permissions
Billing Account Administrator (`roles/billing.admin`) Provides access to see and manage all aspects of billing accounts. Lowest-level resources where you can grant this role: Billing Account	billing.accounts.close billing.accounts.get billing.accounts.getIamPolicy billing.accounts.getPaymentInfo billing.accounts.getPricing billing.accounts.getSpendingInformation billing.accounts.getUsageExportSpec billing.accounts.list billing.accounts.move billing.accounts.redeemPromotion billing.accounts.removeFromOrganization billing.accounts.reopen billing.accounts.setIamPolicy billing.accounts.update billing.accounts.updatePaymentInfo billing.accounts.updateUsageExportSpec billing.budgets.* billing.credits.* billing.resourceAssociations.* billing.subscriptions.* cloudnotifications.* commerceoffercatalog.* consumerprocurement.accounts.* consumerprocurement.orders.* dataprocessing.datasources.get dataprocessing.datasources.list dataprocessing.groupcontrols.get dataprocessing.groupcontrols.list logging.logEntries.list logging.logServiceIndexes.* logging.logServices.* logging.logs.list logging.privateLogEntries.* recommender.commitmentUtilizationInsights.* recommender.usageCommitmentRecommendations.* resourcemanager.projects.createBillingAssignment resourcemanager.projects.deleteBillingAssignment
Billing Account Costs Manager (`roles/billing.costsManager`) Can view and export cost information of billing accounts.	billing.accounts.get billing.accounts.getIamPolicy billing.accounts.getSpendingInformation billing.accounts.getUsageExportSpec billing.accounts.list billing.accounts.updateUsageExportSpec billing.budgets.* billing.resourceAssociations.list
Billing Account Creator (`roles/billing.creator`) Provides access to create billing accounts. Lowest-level resources where you can grant this role: Organization	billing.accounts.create resourcemanager.organizations.get
Project Billing Manager (`roles/billing.projectManager`) Provides access to assign a project's billing account or disable its billing. Lowest-level resources where you can grant this role: Project	resourcemanager.projects.createBillingAssignment resourcemanager.projects.deleteBillingAssignment
Billing Account User (`roles/billing.user`) Provides access to associate projects with billing accounts. Lowest-level resources where you can grant this role: Billing Account	billing.accounts.get billing.accounts.getIamPolicy billing.accounts.list billing.accounts.redeemPromotion billing.credits.* billing.resourceAssociations.create
Billing Account Viewer (`roles/billing.viewer`) View billing account cost information and transactions. Lowest-level resources where you can grant this role: Billing Account	billing.accounts.get billing.accounts.getIamPolicy billing.accounts.getPaymentInfo billing.accounts.getPricing billing.accounts.getSpendingInformation billing.accounts.getUsageExportSpec billing.accounts.list billing.budgets.get billing.budgets.list billing.credits.* billing.resourceAssociations.list billing.subscriptions.get billing.subscriptions.list commerceoffercatalog.* consumerprocurement.accounts.get consumerprocurement.accounts.list consumerprocurement.orders.get consumerprocurement.orders.list dataprocessing.datasources.get dataprocessing.datasources.list dataprocessing.groupcontrols.get dataprocessing.groupcontrols.list recommender.commitmentUtilizationInsights.get recommender.commitmentUtilizationInsights.list recommender.usageCommitmentRecommendations.get recommender.usageCommitmentRecommendations.list

Binary Authorization roles

Role	Permissions
Binary Authorization Attestor Admin (`roles/binaryauthorization.attestorsAdmin`) Administrator of Binary Authorization Attestors	binaryauthorization.attestors.* resourcemanager.projects.get resourcemanager.projects.list
Binary Authorization Attestor Editor (`roles/binaryauthorization.attestorsEditor`) Editor of Binary Authorization Attestors	binaryauthorization.attestors.create binaryauthorization.attestors.delete binaryauthorization.attestors.get binaryauthorization.attestors.list binaryauthorization.attestors.update binaryauthorization.attestors.verifyImageAttested resourcemanager.projects.get resourcemanager.projects.list
Binary Authorization Attestor Image Verifier (`roles/binaryauthorization.attestorsVerifier`) Caller of Binary Authorization Attestors VerifyImageAttested	binaryauthorization.attestors.get binaryauthorization.attestors.list binaryauthorization.attestors.verifyImageAttested resourcemanager.projects.get resourcemanager.projects.list
Binary Authorization Attestor Viewer (`roles/binaryauthorization.attestorsViewer`) Viewer of Binary Authorization Attestors	binaryauthorization.attestors.get binaryauthorization.attestors.list resourcemanager.projects.get resourcemanager.projects.list
Binary Authorization Policy Administrator (`roles/binaryauthorization.policyAdmin`) Administrator of Binary Authorization Policy	binaryauthorization.continuousValidationConfig.* binaryauthorization.policy.* resourcemanager.projects.get resourcemanager.projects.list
Binary Authorization Policy Editor (`roles/binaryauthorization.policyEditor`) Editor of Binary Authorization Policy	binaryauthorization.continuousValidationConfig.get binaryauthorization.continuousValidationConfig.update binaryauthorization.policy.get binaryauthorization.policy.update resourcemanager.projects.get resourcemanager.projects.list
Binary Authorization Policy Viewer (`roles/binaryauthorization.policyViewer`) Viewer of Binary Authorization Policy	binaryauthorization.continuousValidationConfig.get binaryauthorization.policy.get resourcemanager.projects.get resourcemanager.projects.list

CA Service roles

Role	Permissions
CA Service Admin (`roles/privateca.admin`) Full access to all CA Service resources.	privateca.* resourcemanager.projects.get resourcemanager.projects.list storage.buckets.create
CA Service Auditor (`roles/privateca.auditor`) Read-only access to all CA Service resources.	privateca.caPools.get privateca.caPools.getIamPolicy privateca.caPools.list privateca.certificateAuthorities.get privateca.certificateAuthorities.getIamPolicy privateca.certificateAuthorities.list privateca.certificateRevocationLists.get privateca.certificateRevocationLists.getIamPolicy privateca.certificateRevocationLists.list privateca.certificateTemplates.get privateca.certificateTemplates.getIamPolicy privateca.certificateTemplates.list privateca.certificates.get privateca.certificates.getIamPolicy privateca.certificates.list privateca.locations.* privateca.operations.get privateca.operations.list privateca.reusableConfigs.get privateca.reusableConfigs.getIamPolicy privateca.reusableConfigs.list resourcemanager.projects.get resourcemanager.projects.list
CA Service Operation Manager (`roles/privateca.caManager`) Create and manage CAs, revoke certificates, create certificates templates, and read-only access for CA Service resources.	privateca.caPools.create privateca.caPools.delete privateca.caPools.get privateca.caPools.getIamPolicy privateca.caPools.list privateca.caPools.update privateca.certificateAuthorities.create privateca.certificateAuthorities.delete privateca.certificateAuthorities.get privateca.certificateAuthorities.getIamPolicy privateca.certificateAuthorities.list privateca.certificateAuthorities.update privateca.certificateRevocationLists.get privateca.certificateRevocationLists.getIamPolicy privateca.certificateRevocationLists.list privateca.certificateRevocationLists.update privateca.certificateTemplates.create privateca.certificateTemplates.delete privateca.certificateTemplates.get privateca.certificateTemplates.getIamPolicy privateca.certificateTemplates.list privateca.certificateTemplates.update privateca.certificates.get privateca.certificates.getIamPolicy privateca.certificates.list privateca.certificates.update privateca.locations.* privateca.operations.get privateca.operations.list privateca.reusableConfigs.create privateca.reusableConfigs.delete privateca.reusableConfigs.get privateca.reusableConfigs.getIamPolicy privateca.reusableConfigs.list privateca.reusableConfigs.update resourcemanager.projects.get resourcemanager.projects.list storage.buckets.create
CA Service Certificate Manager (`roles/privateca.certificateManager`) Create certificates and read-only access for CA Service resources.	privateca.caPools.get privateca.caPools.getIamPolicy privateca.caPools.list privateca.certificateAuthorities.get privateca.certificateAuthorities.getIamPolicy privateca.certificateAuthorities.list privateca.certificateRevocationLists.get privateca.certificateRevocationLists.getIamPolicy privateca.certificateRevocationLists.list privateca.certificateTemplates.get privateca.certificateTemplates.getIamPolicy privateca.certificateTemplates.list privateca.certificates.create privateca.certificates.get privateca.certificates.getIamPolicy privateca.certificates.list privateca.locations.* privateca.operations.get privateca.operations.list privateca.reusableConfigs.get privateca.reusableConfigs.getIamPolicy privateca.reusableConfigs.list resourcemanager.projects.get resourcemanager.projects.list
CA Service Certificate Requester (`roles/privateca.certificateRequester`) Request certificates from CA Service.	privateca.certificates.create
CA Service Certificate Template User (`roles/privateca.templateUser`) Read, list and use certificate templates.	privateca.certificateTemplates.get privateca.certificateTemplates.list privateca.certificateTemplates.use
CA Service Workload Certificate Requester (`roles/privateca.workloadCertificateRequester`) Request certificates from CA Service with caller's identity.	privateca.certificates.createForSelf

Cloud Asset roles

Role	Permissions
Cloud Asset Owner (`roles/cloudasset.owner`) Full access to cloud assets metadata	cloudasset.* recommender.cloudAssetInsights.* recommender.locations.*
Cloud Asset Viewer (`roles/cloudasset.viewer`) Read only access to cloud assets metadata	cloudasset.assets.* recommender.cloudAssetInsights.get recommender.cloudAssetInsights.list recommender.locations.*

Cloud Bigtable roles

Role	Permissions
Bigtable Administrator (`roles/bigtable.admin`) Administers all instances within a project, including the data stored within tables. Can create new instances. Intended for project administrators. Lowest-level resources where you can grant this role: Table	bigtable.* monitoring.metricDescriptors.get monitoring.metricDescriptors.list monitoring.timeSeries.list resourcemanager.projects.get
Bigtable Reader (`roles/bigtable.reader`) Provides read-only access to the data stored within tables. Intended for data scientists, dashboard generators, and other data-analysis scenarios. Lowest-level resources where you can grant this role: Table	bigtable.appProfiles.get bigtable.appProfiles.list bigtable.backups.get bigtable.backups.list bigtable.clusters.get bigtable.clusters.list bigtable.instances.get bigtable.instances.list bigtable.keyvisualizer.* bigtable.locations.* bigtable.tables.checkConsistency bigtable.tables.generateConsistencyToken bigtable.tables.get bigtable.tables.list bigtable.tables.readRows bigtable.tables.sampleRowKeys monitoring.metricDescriptors.get monitoring.metricDescriptors.list monitoring.timeSeries.list resourcemanager.projects.get
Bigtable User (`roles/bigtable.user`) Provides read-write access to the data stored within tables. Intended for application developers or service accounts. Lowest-level resources where you can grant this role: Table	bigtable.appProfiles.get bigtable.appProfiles.list bigtable.backups.get bigtable.backups.list bigtable.clusters.get bigtable.clusters.list bigtable.instances.get bigtable.instances.list bigtable.keyvisualizer.* bigtable.locations.* bigtable.tables.checkConsistency bigtable.tables.generateConsistencyToken bigtable.tables.get bigtable.tables.list bigtable.tables.mutateRows bigtable.tables.readRows bigtable.tables.sampleRowKeys monitoring.metricDescriptors.get monitoring.metricDescriptors.list monitoring.timeSeries.list resourcemanager.projects.get
Bigtable Viewer (`roles/bigtable.viewer`) Provides no data access. Intended as a minimal set of permissions to access the Cloud Console for Bigtable. Lowest-level resources where you can grant this role: Table	bigtable.appProfiles.get bigtable.appProfiles.list bigtable.backups.get bigtable.backups.list bigtable.clusters.get bigtable.clusters.list bigtable.instances.get bigtable.instances.list bigtable.locations.* bigtable.tables.checkConsistency bigtable.tables.generateConsistencyToken bigtable.tables.get bigtable.tables.list monitoring.metricDescriptors.get monitoring.metricDescriptors.list monitoring.timeSeries.list resourcemanager.projects.get

Cloud Build roles

Role	Permissions
Cloud Build Approver (`roles/cloudbuild.builds.approver`) Can approve or reject pending builds.	cloudbuild.builds.approve cloudbuild.builds.get cloudbuild.builds.list remotebuildexecution.blobs.get resourcemanager.projects.get resourcemanager.projects.list
Cloud Build Service Account (`roles/cloudbuild.builds.builder`) Provides access to perform builds.	artifactregistry.aptartifacts.* artifactregistry.dockerimages.* artifactregistry.files.* artifactregistry.packages.get artifactregistry.packages.list artifactregistry.repositories.downloadArtifacts artifactregistry.repositories.get artifactregistry.repositories.list artifactregistry.repositories.uploadArtifacts artifactregistry.tags.create artifactregistry.tags.get artifactregistry.tags.list artifactregistry.tags.update artifactregistry.versions.get artifactregistry.versions.list artifactregistry.yumartifacts.* cloudbuild.builds.create cloudbuild.builds.get cloudbuild.builds.list cloudbuild.builds.update cloudbuild.workerpools.use containeranalysis.occurrences.create containeranalysis.occurrences.delete containeranalysis.occurrences.get containeranalysis.occurrences.list containeranalysis.occurrences.update logging.logEntries.create pubsub.topics.create pubsub.topics.publish remotebuildexecution.blobs.get resourcemanager.projects.get resourcemanager.projects.list source.repos.get source.repos.list storage.buckets.create storage.buckets.get storage.buckets.list storage.objects.create storage.objects.delete storage.objects.get storage.objects.list storage.objects.update
Cloud Build Editor (`roles/cloudbuild.builds.editor`) Provides access to create and cancel builds. Lowest-level resources where you can grant this role: Project	cloudbuild.builds.create cloudbuild.builds.get cloudbuild.builds.list cloudbuild.builds.update remotebuildexecution.blobs.get resourcemanager.projects.get resourcemanager.projects.list
Cloud Build Viewer (`roles/cloudbuild.builds.viewer`) Provides access to view builds. Lowest-level resources where you can grant this role: Project	cloudbuild.builds.get cloudbuild.builds.list remotebuildexecution.blobs.get resourcemanager.projects.get resourcemanager.projects.list
Cloud Build Integrations Editor (`roles/cloudbuild.integrationsEditor`) Can update Integrations	resourcemanager.projects.get resourcemanager.projects.list
Cloud Build Integrations Owner (`roles/cloudbuild.integrationsOwner`) Can create/delete Integrations	compute.firewalls.create compute.firewalls.get compute.firewalls.list compute.networks.get compute.networks.updatePolicy compute.regions.get compute.subnetworks.get compute.subnetworks.list resourcemanager.projects.get resourcemanager.projects.list
Cloud Build Integrations Viewer (`roles/cloudbuild.integrationsViewer`) Can view Integrations	resourcemanager.projects.get resourcemanager.projects.list
Cloud Build WorkerPool Editor (`roles/cloudbuild.workerPoolEditor`) Can update and view WorkerPools	cloudbuild.workerpools.get cloudbuild.workerpools.list cloudbuild.workerpools.update resourcemanager.projects.get resourcemanager.projects.list
Cloud Build WorkerPool Owner (`roles/cloudbuild.workerPoolOwner`) Can create, delete, update, and view WorkerPools	cloudbuild.workerpools.create cloudbuild.workerpools.delete cloudbuild.workerpools.get cloudbuild.workerpools.list cloudbuild.workerpools.update resourcemanager.projects.get resourcemanager.projects.list
Cloud Build WorkerPool User (`roles/cloudbuild.workerPoolUser`) Can run builds in the WorkerPool	cloudbuild.workerpools.use
Cloud Build WorkerPool Viewer (`roles/cloudbuild.workerPoolViewer`) Can view WorkerPools	cloudbuild.workerpools.get cloudbuild.workerpools.list resourcemanager.projects.get resourcemanager.projects.list

Cloud Composer roles

Role	Permissions
Cloud Composer v2 API Service Agent Extension (`roles/composer.ServiceAgentV2Ext`) Cloud Composer v2 API Service Agent Extension is a supplementary role required to manage Composer v2 environments.	iam.serviceAccounts.getIamPolicy iam.serviceAccounts.setIamPolicy
Composer Administrator (`roles/composer.admin`) Provides full control of Cloud Composer resources. Lowest-level resources where you can grant this role: Project	composer.* serviceusage.quotas.get serviceusage.services.get serviceusage.services.list
Environment and Storage Object Administrator (`roles/composer.environmentAndStorageObjectAdmin`) Provides full control of Cloud Composer resources and of the objects in all project buckets. Lowest-level resources where you can grant this role: Project	composer.* resourcemanager.projects.get resourcemanager.projects.list serviceusage.quotas.get serviceusage.services.get serviceusage.services.list storage.objects.*
Environment User and Storage Object Viewer (`roles/composer.environmentAndStorageObjectViewer`) Provides the permissions necessary to list and get Cloud Composer environments and operations. Provides read-only access to objects in all project buckets. Lowest-level resources where you can grant this role: Project	composer.environments.get composer.environments.list composer.imageversions.* composer.operations.get composer.operations.list resourcemanager.projects.get resourcemanager.projects.list serviceusage.quotas.get serviceusage.services.get serviceusage.services.list storage.objects.get storage.objects.list
Composer Shared VPC Agent (`roles/composer.sharedVpcAgent`) Role that should be assigned to Composer Agent service account in Shared VPC host project	compute.networks.access compute.networks.addPeering compute.networks.get compute.networks.list compute.networks.listPeeringRoutes compute.networks.removePeering compute.networks.updatePeering compute.networks.use compute.networks.useExternalIp compute.projects.get compute.regions.* compute.subnetworks.get compute.subnetworks.list compute.subnetworks.use compute.subnetworks.useExternalIp compute.zones.*
Composer User (`roles/composer.user`) Provides the permissions necessary to list and get Cloud Composer environments and operations. Lowest-level resources where you can grant this role: Project	composer.environments.get composer.environments.list composer.imageversions.* composer.operations.get composer.operations.list serviceusage.quotas.get serviceusage.services.get serviceusage.services.list
Composer Worker (`roles/composer.worker`) Provides the permissions necessary to run a Cloud Composer environment VM. Intended for service accounts. Lowest-level resources where you can grant this role: Project	artifactregistry.* cloudbuild.builds.create cloudbuild.builds.get cloudbuild.builds.list cloudbuild.builds.update cloudbuild.workerpools.use composer.environments.get container.* containeranalysis.occurrences.create containeranalysis.occurrences.delete containeranalysis.occurrences.get containeranalysis.occurrences.list containeranalysis.occurrences.update logging.logEntries.create monitoring.metricDescriptors.create monitoring.metricDescriptors.get monitoring.metricDescriptors.list monitoring.monitoredResourceDescriptors.* monitoring.timeSeries.* pubsub.schemas.attach pubsub.schemas.create pubsub.schemas.delete pubsub.schemas.get pubsub.schemas.list pubsub.schemas.validate pubsub.snapshots.create pubsub.snapshots.delete pubsub.snapshots.get pubsub.snapshots.list pubsub.snapshots.seek pubsub.snapshots.update pubsub.subscriptions.consume pubsub.subscriptions.create pubsub.subscriptions.delete pubsub.subscriptions.get pubsub.subscriptions.list pubsub.subscriptions.update pubsub.topics.attachSubscription pubsub.topics.create pubsub.topics.delete pubsub.topics.detachSubscription pubsub.topics.get pubsub.topics.list pubsub.topics.publish pubsub.topics.update pubsub.topics.updateTag remotebuildexecution.blobs.get resourcemanager.projects.get resourcemanager.projects.list serviceusage.quotas.get serviceusage.services.get serviceusage.services.list source.repos.get source.repos.list storage.buckets.create storage.buckets.get storage.buckets.list storage.objects.*

Cloud Connectors roles

Role Permissions

Role	Permissions
Connector Admin (`roles/connectors.admin`) Full access to all resources of Connectors Service.	connectors.* resourcemanager.projects.get resourcemanager.projects.list
Connectors Viewer (`roles/connectors.viewer`) Read-only access to Connectors all resources.	connectors.connections.get connectors.connections.getConnectionSchemaMetadata connectors.connections.getIamPolicy connectors.connections.getRuntimeActionSchema connectors.connections.getRuntimeEntitySchema connectors.connections.list connectors.connectors.* connectors.locations.* connectors.operations.get connectors.operations.list connectors.providers.* connectors.runtimeconfig.* connectors.versions.* resourcemanager.projects.get resourcemanager.projects.list

Connector Admin
(roles/connectors.admin)

Full access to all resources of Connectors Service.

connectors.*
resourcemanager.projects.get
resourcemanager.projects.list

Connectors Viewer
(roles/connectors.viewer)

Read-only access to Connectors all resources.

connectors.connections.get
connectors.connections.getConnectionSchemaMetadata
connectors.connections.getIamPolicy
connectors.connections.getRuntimeActionSchema
connectors.connections.getRuntimeEntitySchema
connectors.connections.list
connectors.connectors.*
connectors.locations.*
connectors.operations.get
connectors.operations.list
connectors.providers.*
connectors.runtimeconfig.*
connectors.versions.*
resourcemanager.projects.get
resourcemanager.projects.list

Cloud Data Fusion roles

Role Permissions

Role	Permissions
Cloud Data Fusion Admin ^Beta (`roles/datafusion.admin`) Full access to Cloud Data Fusion Instances, Namespaces and related resources. Lowest-level resources where you can grant this role: Project	datafusion.* resourcemanager.projects.get resourcemanager.projects.list
Cloud Data Fusion Runner ^Beta (`roles/datafusion.runner`) Access to Cloud Data Fusion runtime resources.	datafusion.instances.runtime
Cloud Data Fusion Viewer ^Beta (`roles/datafusion.viewer`) Read-only access to Cloud Data Fusion Instances, Namespaces and related resources. Lowest-level resources where you can grant this role: Project	datafusion.instances.get datafusion.instances.getIamPolicy datafusion.instances.list datafusion.instances.runtime datafusion.locations.* datafusion.operations.get datafusion.operations.list resourcemanager.projects.get resourcemanager.projects.list

Cloud Data Fusion Admin ^Beta
(roles/datafusion.admin)

Full access to Cloud Data Fusion Instances, Namespaces and related resources.

Lowest-level resources where you can grant this role:

Project

datafusion.*
resourcemanager.projects.get
resourcemanager.projects.list

Cloud Data Fusion Runner ^Beta
(roles/datafusion.runner)

Access to Cloud Data Fusion runtime resources.

datafusion.instances.runtime

Cloud Data Fusion Viewer ^Beta
(roles/datafusion.viewer)

Read-only access to Cloud Data Fusion Instances, Namespaces and related resources.

Lowest-level resources where you can grant this role:

Project

datafusion.instances.get
datafusion.instances.getIamPolicy
datafusion.instances.list
datafusion.instances.runtime
datafusion.locations.*
datafusion.operations.get
datafusion.operations.list
resourcemanager.projects.get
resourcemanager.projects.list

Cloud Data Labeling roles

Role	Permissions
Data Labeling Service Admin ^Beta (`roles/datalabeling.admin`) Full access to all Data Labeling resources	datalabeling.* resourcemanager.projects.get resourcemanager.projects.list
Data Labeling Service Editor ^Beta (`roles/datalabeling.editor`) Editor of all Data Labeling resources	datalabeling.* resourcemanager.projects.get resourcemanager.projects.list
Data Labeling Service Viewer ^Beta (`roles/datalabeling.viewer`) Viewer of all Data Labeling resources	datalabeling.annotateddatasets.get datalabeling.annotateddatasets.list datalabeling.annotationspecsets.get datalabeling.annotationspecsets.list datalabeling.dataitems.* datalabeling.datasets.get datalabeling.datasets.list datalabeling.examples.* datalabeling.instructions.get datalabeling.instructions.list datalabeling.operations.get datalabeling.operations.list resourcemanager.projects.get resourcemanager.projects.list

Cloud Debugger roles

Role Permissions

Role	Permissions
Cloud Debugger Agent ^Beta (`roles/clouddebugger.agent`) Provides permissions to register the debug target, read active breakpoints, and report breakpoint results. Lowest-level resources where you can grant this role: Service Account	clouddebugger.breakpoints.list clouddebugger.breakpoints.listActive clouddebugger.breakpoints.update clouddebugger.debuggees.create
Cloud Debugger User ^Beta (`roles/clouddebugger.user`) Provides permissions to create, view, list, and delete breakpoints (snapshots & logpoints) as well as list debug targets (debuggees). Lowest-level resources where you can grant this role: Project	clouddebugger.breakpoints.create clouddebugger.breakpoints.delete clouddebugger.breakpoints.get clouddebugger.breakpoints.list clouddebugger.debuggees.list

Cloud Debugger Agent ^Beta
(roles/clouddebugger.agent)

Provides permissions to register the debug target, read active breakpoints, and report breakpoint results.

Lowest-level resources where you can grant this role:

Service Account

clouddebugger.breakpoints.list
clouddebugger.breakpoints.listActive
clouddebugger.breakpoints.update
clouddebugger.debuggees.create

Cloud Debugger User ^Beta
(roles/clouddebugger.user)

Provides permissions to create, view, list, and delete breakpoints (snapshots & logpoints) as well as list debug targets (debuggees).

Lowest-level resources where you can grant this role:

Project

clouddebugger.breakpoints.create
clouddebugger.breakpoints.delete
clouddebugger.breakpoints.get
clouddebugger.breakpoints.list
clouddebugger.debuggees.list

Cloud Deploy roles

Role	Permissions
Cloud Deploy Admin ^Beta (`roles/clouddeploy.admin`) Full control of Cloud Deploy resources.	clouddeploy.* resourcemanager.projects.get resourcemanager.projects.list
Cloud Deploy Approver ^Beta (`roles/clouddeploy.approver`) Permission to approve or reject rollouts.	clouddeploy.locations.* clouddeploy.operations.* clouddeploy.rollouts.approve clouddeploy.rollouts.get clouddeploy.rollouts.list resourcemanager.projects.get resourcemanager.projects.list
Cloud Deploy Developer ^Beta (`roles/clouddeploy.developer`) Permission to manage deployment configuration without permission to access operational resources, such as targets.	clouddeploy.deliveryPipelines.create clouddeploy.deliveryPipelines.get clouddeploy.deliveryPipelines.getIamPolicy clouddeploy.deliveryPipelines.list clouddeploy.deliveryPipelines.update clouddeploy.locations.* clouddeploy.operations.* clouddeploy.releases.* clouddeploy.rollouts.get clouddeploy.rollouts.list resourcemanager.projects.get resourcemanager.projects.list
Cloud Deploy Runner ^Beta (`roles/clouddeploy.jobRunner`) Permission to execute Cloud Deploy work without permission to deliver to a target.	logging.logEntries.create storage.objects.create storage.objects.get storage.objects.list
Cloud Deploy Operator ^Beta (`roles/clouddeploy.operator`) Permission to manage deployment configuration.	clouddeploy.deliveryPipelines.create clouddeploy.deliveryPipelines.get clouddeploy.deliveryPipelines.getIamPolicy clouddeploy.deliveryPipelines.list clouddeploy.deliveryPipelines.update clouddeploy.locations.* clouddeploy.operations.* clouddeploy.releases.* clouddeploy.rollouts.create clouddeploy.rollouts.get clouddeploy.rollouts.list clouddeploy.targets.create clouddeploy.targets.get clouddeploy.targets.getIamPolicy clouddeploy.targets.list clouddeploy.targets.update resourcemanager.projects.get resourcemanager.projects.list
Cloud Deploy Releaser ^Beta (`roles/clouddeploy.releaser`) Permission to create Cloud Deploy releases and rollouts.	clouddeploy.deliveryPipelines.get clouddeploy.locations.* clouddeploy.operations.* clouddeploy.releases.create clouddeploy.releases.get clouddeploy.releases.list clouddeploy.rollouts.create clouddeploy.rollouts.get clouddeploy.rollouts.list clouddeploy.targets.get resourcemanager.projects.get resourcemanager.projects.list
Cloud Deploy Viewer ^Beta (`roles/clouddeploy.viewer`) Can view Cloud Deploy resources.	clouddeploy.config.* clouddeploy.deliveryPipelines.get clouddeploy.deliveryPipelines.getIamPolicy clouddeploy.deliveryPipelines.list clouddeploy.locations.* clouddeploy.operations.get clouddeploy.operations.list clouddeploy.releases.get clouddeploy.releases.list clouddeploy.rollouts.get clouddeploy.rollouts.list clouddeploy.targets.get clouddeploy.targets.getIamPolicy clouddeploy.targets.list resourcemanager.projects.get resourcemanager.projects.list

Cloud DLP roles

Role	Permissions
DLP Administrator (`roles/dlp.admin`) Administer DLP including jobs and templates.	dlp.* serviceusage.services.use
DLP Analyze Risk Templates Editor (`roles/dlp.analyzeRiskTemplatesEditor`) Edit DLP analyze risk templates.	dlp.analyzeRiskTemplates.*
DLP Analyze Risk Templates Reader (`roles/dlp.analyzeRiskTemplatesReader`) Read DLP analyze risk templates.	dlp.analyzeRiskTemplates.get dlp.analyzeRiskTemplates.list
DLP Column Data Profiles Reader (`roles/dlp.columnDataProfilesReader`) Read DLP column profiles.	dlp.columnDataProfiles.*
DLP Data Profiles Reader (`roles/dlp.dataProfilesReader`) Read DLP profiles.	dlp.columnDataProfiles.* dlp.projectDataProfiles.* dlp.tableDataProfiles.*
DLP De-identify Templates Editor (`roles/dlp.deidentifyTemplatesEditor`) Edit DLP de-identify templates.	dlp.deidentifyTemplates.*
DLP De-identify Templates Reader (`roles/dlp.deidentifyTemplatesReader`) Read DLP de-identify templates.	dlp.deidentifyTemplates.get dlp.deidentifyTemplates.list
DLP Cost Estimation (`roles/dlp.estimatesAdmin`) Manage DLP Cost Estimates.	dlp.estimates.*
DLP Inspect Findings Reader (`roles/dlp.inspectFindingsReader`) Read DLP stored findings.	dlp.inspectFindings.*
DLP Inspect Templates Editor (`roles/dlp.inspectTemplatesEditor`) Edit DLP inspect templates.	dlp.inspectTemplates.*
DLP Inspect Templates Reader (`roles/dlp.inspectTemplatesReader`) Read DLP inspect templates.	dlp.inspectTemplates.get dlp.inspectTemplates.list
DLP Job Triggers Editor (`roles/dlp.jobTriggersEditor`) Edit job triggers configurations.	dlp.jobTriggers.*
DLP Job Triggers Reader (`roles/dlp.jobTriggersReader`) Read job triggers.	dlp.jobTriggers.get dlp.jobTriggers.list
DLP Jobs Editor (`roles/dlp.jobsEditor`) Edit and create jobs	dlp.jobs.* dlp.kms.*
DLP Jobs Reader (`roles/dlp.jobsReader`) Read jobs	dlp.jobs.get dlp.jobs.list
DLP Organization Data Profiles Driver (`roles/dlp.orgdriver`) Permissions needed by the DLP service account to generate data profiles within an organization or folder.	bigquery.bireservations.get bigquery.capacityCommitments.get bigquery.capacityCommitments.list bigquery.config.get bigquery.connections.updateTag bigquery.datasets.create bigquery.datasets.get bigquery.datasets.getIamPolicy bigquery.datasets.updateTag bigquery.jobs.create bigquery.jobs.get bigquery.jobs.list bigquery.jobs.listAll bigquery.models.* bigquery.readsessions.* bigquery.reservationAssignments.list bigquery.reservationAssignments.search bigquery.reservations.get bigquery.reservations.list bigquery.routines.* bigquery.savedqueries.get bigquery.savedqueries.list bigquery.tables.create bigquery.tables.createSnapshot bigquery.tables.delete bigquery.tables.export bigquery.tables.get bigquery.tables.getData bigquery.tables.getIamPolicy bigquery.tables.list bigquery.tables.restoreSnapshot bigquery.tables.update bigquery.tables.updateData bigquery.tables.updateTag bigquery.transfers.get cloudasset.assets.* datacatalog.categories.fineGrainedGet datacatalog.entries.updateTag datacatalog.tagTemplates.create datacatalog.tagTemplates.get datacatalog.tagTemplates.getTag datacatalog.tagTemplates.use dlp.* pubsub.topics.updateTag recommender.cloudAssetInsights.get recommender.cloudAssetInsights.list recommender.locations.* resourcemanager.projects.get resourcemanager.projects.list serviceusage.services.use
DLP Project Data Profiles Reader (`roles/dlp.projectDataProfilesReader`) Read DLP project profiles.	dlp.projectDataProfiles.*
DLP Project Data Profiles Driver (`roles/dlp.projectdriver`) Permissions needed by the DLP service account to generate data profiles within a project.	bigquery.bireservations.get bigquery.capacityCommitments.get bigquery.capacityCommitments.list bigquery.config.get bigquery.connections.updateTag bigquery.datasets.create bigquery.datasets.get bigquery.datasets.getIamPolicy bigquery.datasets.updateTag bigquery.jobs.create bigquery.jobs.get bigquery.jobs.list bigquery.jobs.listAll bigquery.models.* bigquery.readsessions.* bigquery.reservationAssignments.list bigquery.reservationAssignments.search bigquery.reservations.get bigquery.reservations.list bigquery.routines.* bigquery.savedqueries.get bigquery.savedqueries.list bigquery.tables.create bigquery.tables.createSnapshot bigquery.tables.delete bigquery.tables.export bigquery.tables.get bigquery.tables.getData bigquery.tables.getIamPolicy bigquery.tables.list bigquery.tables.restoreSnapshot bigquery.tables.update bigquery.tables.updateData bigquery.tables.updateTag bigquery.transfers.get cloudasset.assets.* datacatalog.categories.fineGrainedGet datacatalog.entries.updateTag datacatalog.tagTemplates.create datacatalog.tagTemplates.get datacatalog.tagTemplates.getTag datacatalog.tagTemplates.use dlp.* pubsub.topics.updateTag recommender.cloudAssetInsights.get recommender.cloudAssetInsights.list recommender.locations.* resourcemanager.projects.get resourcemanager.projects.list serviceusage.services.use
DLP Reader (`roles/dlp.reader`) Read DLP entities, such as jobs and templates.	dlp.analyzeRiskTemplates.get dlp.analyzeRiskTemplates.list dlp.deidentifyTemplates.get dlp.deidentifyTemplates.list dlp.inspectFindings.* dlp.inspectTemplates.get dlp.inspectTemplates.list dlp.jobTriggers.get dlp.jobTriggers.list dlp.jobs.get dlp.jobs.list dlp.storedInfoTypes.get dlp.storedInfoTypes.list
DLP Stored InfoTypes Editor (`roles/dlp.storedInfoTypesEditor`) Edit DLP stored info types.	dlp.storedInfoTypes.*
DLP Stored InfoTypes Reader (`roles/dlp.storedInfoTypesReader`) Read DLP stored info types.	dlp.storedInfoTypes.get dlp.storedInfoTypes.list
DLP Table Data Profiles Reader (`roles/dlp.tableDataProfilesReader`) Read DLP table profiles.	dlp.tableDataProfiles.*
DLP User (`roles/dlp.user`) Inspect, Redact, and De-identify Content	dlp.kms.* serviceusage.services.use

Cloud Domains roles

Role	Permissions
Cloud Domains Admin (`roles/domains.admin`) Full access to Cloud Domains Registrations and related resources.	domains.* resourcemanager.projects.get resourcemanager.projects.list
Cloud Domains Viewer (`roles/domains.viewer`) Read-only access to Cloud Domains Registrations and related resources.	domains.locations.* domains.operations.get domains.operations.list domains.registrations.get domains.registrations.getIamPolicy domains.registrations.list resourcemanager.projects.get resourcemanager.projects.list

Cloud Filestore roles

Role	Permissions
Cloud Filestore Editor ^Beta (`roles/file.editor`) Read-write access to Filestore instances and related resources.	file.*
Cloud Filestore Viewer ^Beta (`roles/file.viewer`) Read-only access to Filestore instances and related resources.	file.backups.get file.backups.list file.instances.get file.instances.list file.locations.* file.operations.get file.operations.list

Cloud Functions roles

Role	Permissions
Cloud Functions Admin (`roles/cloudfunctions.admin`) Full access to functions, operations and locations.	cloudbuild.builds.get cloudbuild.builds.list cloudfunctions.* eventarc.* recommender.locations.* remotebuildexecution.blobs.get resourcemanager.projects.get resourcemanager.projects.list run.* serviceusage.quotas.get serviceusage.services.get serviceusage.services.list
Cloud Functions Developer (`roles/cloudfunctions.developer`) Read and write access to all functions-related resources.	cloudbuild.builds.get cloudbuild.builds.list cloudfunctions.functions.call cloudfunctions.functions.create cloudfunctions.functions.delete cloudfunctions.functions.get cloudfunctions.functions.invoke cloudfunctions.functions.list cloudfunctions.functions.sourceCodeGet cloudfunctions.functions.sourceCodeSet cloudfunctions.functions.update cloudfunctions.locations.* cloudfunctions.operations.* eventarc.locations.* eventarc.operations.* eventarc.triggers.create eventarc.triggers.delete eventarc.triggers.get eventarc.triggers.getIamPolicy eventarc.triggers.list eventarc.triggers.undelete eventarc.triggers.update recommender.locations.* remotebuildexecution.blobs.get resourcemanager.projects.get resourcemanager.projects.list run.configurations.* run.locations.* run.revisions.* run.routes.* run.services.create run.services.delete run.services.get run.services.getIamPolicy run.services.list run.services.update serviceusage.quotas.get serviceusage.services.get serviceusage.services.list
Cloud Functions Invoker (`roles/cloudfunctions.invoker`) Ability to invoke HTTP functions with restricted access.	cloudfunctions.functions.invoke
Cloud Functions Viewer (`roles/cloudfunctions.viewer`) Read-only access to functions and locations.	cloudbuild.builds.get cloudbuild.builds.list cloudfunctions.functions.get cloudfunctions.functions.list cloudfunctions.locations.* cloudfunctions.operations.* eventarc.locations.* eventarc.operations.get eventarc.operations.list eventarc.triggers.get eventarc.triggers.getIamPolicy eventarc.triggers.list recommender.locations.* remotebuildexecution.blobs.get resourcemanager.projects.get resourcemanager.projects.list run.configurations.* run.locations.* run.operations.get run.operations.list run.revisions.get run.revisions.list run.routes.get run.routes.list run.services.get run.services.getIamPolicy run.services.list serviceusage.quotas.get serviceusage.services.get serviceusage.services.list

Cloud Game Services roles

Role Permissions

Role	Permissions
Game Services API Admin (`roles/gameservices.admin`) Full access to Game Services API and related resources.	gameservices.* resourcemanager.projects.get resourcemanager.projects.list
Game Services API Viewer (`roles/gameservices.viewer`) Read-only access to Game Services API and related resources.	gameservices.gameServerClusters.get gameservices.gameServerClusters.list gameservices.gameServerConfigs.get gameservices.gameServerConfigs.list gameservices.gameServerDeployments.get gameservices.gameServerDeployments.list gameservices.locations.* gameservices.operations.get gameservices.operations.list gameservices.realms.get gameservices.realms.list resourcemanager.projects.get resourcemanager.projects.list

Game Services API Admin
(roles/gameservices.admin)

Full access to Game Services API and related resources.

gameservices.*
resourcemanager.projects.get
resourcemanager.projects.list

Game Services API Viewer
(roles/gameservices.viewer)

Read-only access to Game Services API and related resources.

gameservices.gameServerClusters.get
gameservices.gameServerClusters.list
gameservices.gameServerConfigs.get
gameservices.gameServerConfigs.list
gameservices.gameServerDeployments.get
gameservices.gameServerDeployments.list
gameservices.locations.*
gameservices.operations.get
gameservices.operations.list
gameservices.realms.get
gameservices.realms.list
resourcemanager.projects.get
resourcemanager.projects.list

Cloud Healthcare roles

Role	Permissions
Healthcare Annotation Editor (`roles/healthcare.annotationEditor`) Create, delete, update, read and list annotations.	healthcare.annotationStores.get healthcare.annotationStores.list healthcare.annotations.* healthcare.datasets.get healthcare.datasets.list healthcare.locations.* healthcare.operations.get resourcemanager.projects.get resourcemanager.projects.list
Healthcare Annotation Reader (`roles/healthcare.annotationReader`) Read and list annotations in an Annotation store.	healthcare.annotationStores.get healthcare.annotationStores.list healthcare.annotations.get healthcare.annotations.list healthcare.datasets.get healthcare.datasets.list healthcare.locations.* healthcare.operations.get resourcemanager.projects.get resourcemanager.projects.list
Healthcare Annotation Administrator (`roles/healthcare.annotationStoreAdmin`) Administer Annotation stores.	healthcare.annotationStores.* healthcare.datasets.get healthcare.datasets.list healthcare.locations.* healthcare.operations.get resourcemanager.projects.get resourcemanager.projects.list
Healthcare Annotation Store Viewer (`roles/healthcare.annotationStoreViewer`) List Annotation Stores in a dataset.	healthcare.annotationStores.get healthcare.annotationStores.list healthcare.datasets.get healthcare.datasets.list healthcare.locations.* healthcare.operations.get resourcemanager.projects.get resourcemanager.projects.list
Healthcare Attribute Definition Editor (`roles/healthcare.attributeDefinitionEditor`) Edit AttributeDefinition objects.	healthcare.attributeDefinitions.* healthcare.consentStores.checkDataAccess healthcare.consentStores.evaluateUserConsents healthcare.consentStores.get healthcare.consentStores.list healthcare.consentStores.queryAccessibleData healthcare.datasets.get healthcare.datasets.list healthcare.locations.* healthcare.operations.get resourcemanager.projects.get resourcemanager.projects.list
Healthcare Attribute Definition Reader (`roles/healthcare.attributeDefinitionReader`) Read AttributeDefinition objects in a consent store.	healthcare.attributeDefinitions.get healthcare.attributeDefinitions.list healthcare.consentStores.checkDataAccess healthcare.consentStores.evaluateUserConsents healthcare.consentStores.get healthcare.consentStores.list healthcare.consentStores.queryAccessibleData healthcare.datasets.get healthcare.datasets.list healthcare.locations.* healthcare.operations.get resourcemanager.projects.get resourcemanager.projects.list
Healthcare Consent Artifact Administrator (`roles/healthcare.consentArtifactAdmin`) Administer ConsentArtifact objects.	healthcare.consentArtifacts.* healthcare.consentStores.checkDataAccess healthcare.consentStores.evaluateUserConsents healthcare.consentStores.get healthcare.consentStores.list healthcare.consentStores.queryAccessibleData healthcare.datasets.get healthcare.datasets.list healthcare.locations.* healthcare.operations.get resourcemanager.projects.get resourcemanager.projects.list
Healthcare Consent Artifact Editor (`roles/healthcare.consentArtifactEditor`) Edit ConsentArtifact objects.	healthcare.consentArtifacts.create healthcare.consentArtifacts.get healthcare.consentArtifacts.list healthcare.consentStores.checkDataAccess healthcare.consentStores.evaluateUserConsents healthcare.consentStores.get healthcare.consentStores.list healthcare.consentStores.queryAccessibleData healthcare.datasets.get healthcare.datasets.list healthcare.locations.* healthcare.operations.get resourcemanager.projects.get resourcemanager.projects.list
Healthcare Consent Artifact Reader (`roles/healthcare.consentArtifactReader`) Read ConsentArtifact objects in a consent store.	healthcare.consentArtifacts.get healthcare.consentArtifacts.list healthcare.consentStores.checkDataAccess healthcare.consentStores.evaluateUserConsents healthcare.consentStores.get healthcare.consentStores.list healthcare.consentStores.queryAccessibleData healthcare.datasets.get healthcare.datasets.list healthcare.locations.* healthcare.operations.get resourcemanager.projects.get resourcemanager.projects.list
Healthcare Consent Editor (`roles/healthcare.consentEditor`) Edit Consent objects.	healthcare.consentStores.checkDataAccess healthcare.consentStores.evaluateUserConsents healthcare.consentStores.get healthcare.consentStores.list healthcare.consentStores.queryAccessibleData healthcare.consents.* healthcare.datasets.get healthcare.datasets.list healthcare.locations.* healthcare.operations.get resourcemanager.projects.get resourcemanager.projects.list
Healthcare Consent Reader (`roles/healthcare.consentReader`) Read Consent objects in a consent store.	healthcare.consentStores.checkDataAccess healthcare.consentStores.evaluateUserConsents healthcare.consentStores.get healthcare.consentStores.list healthcare.consentStores.queryAccessibleData healthcare.consents.get healthcare.consents.list healthcare.datasets.get healthcare.datasets.list healthcare.locations.* healthcare.operations.get resourcemanager.projects.get resourcemanager.projects.list
Healthcare Consent Store Administrator (`roles/healthcare.consentStoreAdmin`) Administer Consent stores.	healthcare.consentStores.* healthcare.datasets.get healthcare.datasets.list healthcare.locations.* healthcare.operations.get resourcemanager.projects.get resourcemanager.projects.list
Healthcare Consent Store Viewer (`roles/healthcare.consentStoreViewer`) List Consent Stores in a dataset.	healthcare.consentStores.checkDataAccess healthcare.consentStores.evaluateUserConsents healthcare.consentStores.get healthcare.consentStores.list healthcare.consentStores.queryAccessibleData healthcare.datasets.get healthcare.datasets.list healthcare.locations.* healthcare.operations.get resourcemanager.projects.get resourcemanager.projects.list
Healthcare Dataset Administrator (`roles/healthcare.datasetAdmin`) Administer Healthcare Datasets.	healthcare.datasets.* healthcare.locations.* healthcare.operations.* resourcemanager.projects.get resourcemanager.projects.list
Healthcare Dataset Viewer (`roles/healthcare.datasetViewer`) List the Healthcare Datasets in a project.	healthcare.datasets.get healthcare.datasets.list healthcare.locations.* healthcare.operations.get resourcemanager.projects.get resourcemanager.projects.list
Healthcare DICOM Editor (`roles/healthcare.dicomEditor`) Edit DICOM images individually and in bulk.	healthcare.datasets.get healthcare.datasets.list healthcare.dicomStores.dicomWebDelete healthcare.dicomStores.dicomWebRead healthcare.dicomStores.dicomWebWrite healthcare.dicomStores.export healthcare.dicomStores.get healthcare.dicomStores.import healthcare.dicomStores.list healthcare.locations.* healthcare.operations.cancel healthcare.operations.get resourcemanager.projects.get resourcemanager.projects.list
Healthcare DICOM Store Administrator (`roles/healthcare.dicomStoreAdmin`) Administer DICOM stores.	healthcare.datasets.get healthcare.datasets.list healthcare.dicomStores.create healthcare.dicomStores.deidentify healthcare.dicomStores.delete healthcare.dicomStores.dicomWebDelete healthcare.dicomStores.get healthcare.dicomStores.getIamPolicy healthcare.dicomStores.list healthcare.dicomStores.setIamPolicy healthcare.dicomStores.update healthcare.locations.* healthcare.operations.cancel healthcare.operations.get resourcemanager.projects.get resourcemanager.projects.list
Healthcare DICOM Store Viewer (`roles/healthcare.dicomStoreViewer`) List DICOM Stores in a dataset.	healthcare.datasets.get healthcare.datasets.list healthcare.dicomStores.get healthcare.dicomStores.list healthcare.locations.* healthcare.operations.get resourcemanager.projects.get resourcemanager.projects.list
Healthcare DICOM Viewer (`roles/healthcare.dicomViewer`) Retrieve DICOM images from a DICOM store.	healthcare.datasets.get healthcare.datasets.list healthcare.dicomStores.dicomWebRead healthcare.dicomStores.export healthcare.dicomStores.get healthcare.dicomStores.list healthcare.locations.* healthcare.operations.get resourcemanager.projects.get resourcemanager.projects.list
Healthcare FHIR Resource Editor (`roles/healthcare.fhirResourceEditor`) Create, delete, update, read and search FHIR resources.	healthcare.datasets.get healthcare.datasets.list healthcare.fhirResources.create healthcare.fhirResources.delete healthcare.fhirResources.get healthcare.fhirResources.patch healthcare.fhirResources.translateConceptMap healthcare.fhirResources.update healthcare.fhirStores.executeBundle healthcare.fhirStores.get healthcare.fhirStores.list healthcare.fhirStores.searchResources healthcare.locations.* healthcare.operations.cancel healthcare.operations.get resourcemanager.projects.get resourcemanager.projects.list
Healthcare FHIR Resource Reader (`roles/healthcare.fhirResourceReader`) Read and search FHIR resources.	healthcare.datasets.get healthcare.datasets.list healthcare.fhirResources.get healthcare.fhirResources.translateConceptMap healthcare.fhirStores.executeBundle healthcare.fhirStores.get healthcare.fhirStores.list healthcare.fhirStores.searchResources healthcare.locations.* healthcare.operations.get resourcemanager.projects.get resourcemanager.projects.list
Healthcare FHIR Store Administrator (`roles/healthcare.fhirStoreAdmin`) Administer FHIR resource stores.	healthcare.datasets.get healthcare.datasets.list healthcare.fhirResources.purge healthcare.fhirStores.configureSearch healthcare.fhirStores.create healthcare.fhirStores.deidentify healthcare.fhirStores.delete healthcare.fhirStores.export healthcare.fhirStores.get healthcare.fhirStores.getIamPolicy healthcare.fhirStores.import healthcare.fhirStores.list healthcare.fhirStores.setIamPolicy healthcare.fhirStores.update healthcare.locations.* healthcare.operations.cancel healthcare.operations.get resourcemanager.projects.get resourcemanager.projects.list
Healthcare FHIR Store Viewer (`roles/healthcare.fhirStoreViewer`) List FHIR Stores in a dataset.	healthcare.datasets.get healthcare.datasets.list healthcare.fhirStores.get healthcare.fhirStores.list healthcare.locations.* healthcare.operations.get resourcemanager.projects.get resourcemanager.projects.list
Healthcare HL7v2 Message Consumer (`roles/healthcare.hl7V2Consumer`) List and read HL7v2 messages, update message labels, and publish new messages.	healthcare.datasets.get healthcare.datasets.list healthcare.hl7V2Messages.create healthcare.hl7V2Messages.get healthcare.hl7V2Messages.list healthcare.hl7V2Messages.update healthcare.hl7V2Stores.get healthcare.hl7V2Stores.list healthcare.locations.* healthcare.operations.get resourcemanager.projects.get resourcemanager.projects.list
Healthcare HL7v2 Message Editor (`roles/healthcare.hl7V2Editor`) Read, write, and delete access to HL7v2 messages.	healthcare.datasets.get healthcare.datasets.list healthcare.hl7V2Messages.* healthcare.hl7V2Stores.get healthcare.hl7V2Stores.list healthcare.locations.* healthcare.operations.cancel healthcare.operations.get resourcemanager.projects.get resourcemanager.projects.list
Healthcare HL7v2 Message Ingest (`roles/healthcare.hl7V2Ingest`) Ingest HL7v2 messages received from a source network.	healthcare.datasets.get healthcare.datasets.list healthcare.hl7V2Messages.ingest healthcare.hl7V2Stores.get healthcare.hl7V2Stores.list healthcare.locations.* healthcare.operations.get resourcemanager.projects.get resourcemanager.projects.list
Healthcare HL7v2 Store Administrator (`roles/healthcare.hl7V2StoreAdmin`) Administer HL7v2 Stores.	healthcare.datasets.get healthcare.datasets.list healthcare.hl7V2Stores.* healthcare.locations.* healthcare.operations.cancel healthcare.operations.get resourcemanager.projects.get resourcemanager.projects.list
Healthcare HL7v2 Store Viewer (`roles/healthcare.hl7V2StoreViewer`) View HL7v2 Stores in a dataset.	healthcare.datasets.get healthcare.datasets.list healthcare.hl7V2Stores.get healthcare.hl7V2Stores.list healthcare.locations.* healthcare.operations.get resourcemanager.projects.get resourcemanager.projects.list
Healthcare NLP Service Viewer ^Beta (`roles/healthcare.nlpServiceViewer`) Extract and analyze medical entities from a given text.	healthcare.locations.* resourcemanager.projects.get resourcemanager.projects.list
Healthcare User Data Mapping Editor (`roles/healthcare.userDataMappingEditor`) Edit UserDataMapping objects.	healthcare.consentStores.checkDataAccess healthcare.consentStores.evaluateUserConsents healthcare.consentStores.get healthcare.consentStores.list healthcare.consentStores.queryAccessibleData healthcare.datasets.get healthcare.datasets.list healthcare.locations.* healthcare.operations.get healthcare.userDataMappings.* resourcemanager.projects.get resourcemanager.projects.list
Healthcare User Data Mapping Reader (`roles/healthcare.userDataMappingReader`) Read UserDataMapping objects in a consent store.	healthcare.consentStores.checkDataAccess healthcare.consentStores.evaluateUserConsents healthcare.consentStores.get healthcare.consentStores.list healthcare.consentStores.queryAccessibleData healthcare.datasets.get healthcare.datasets.list healthcare.locations.* healthcare.operations.get healthcare.userDataMappings.get healthcare.userDataMappings.list resourcemanager.projects.get resourcemanager.projects.list

Cloud IAP roles

Role	Permissions
IAP Policy Admin (`roles/iap.admin`) Provides full access to Identity-Aware Proxy resources. Lowest-level resources where you can grant this role: Project	iap.tunnel.* iap.tunnelInstances.getIamPolicy iap.tunnelInstances.setIamPolicy iap.tunnelZones.* iap.web.getIamPolicy iap.web.setIamPolicy iap.webServiceVersions.getIamPolicy iap.webServiceVersions.setIamPolicy iap.webServices.getIamPolicy iap.webServices.setIamPolicy iap.webTypes.getIamPolicy iap.webTypes.setIamPolicy
IAP-secured Web App User (`roles/iap.httpsResourceAccessor`) Provides permission to access HTTPS resources which use Identity-Aware Proxy.	iap.webServiceVersions.accessViaIAP
IAP Settings Admin (`roles/iap.settingsAdmin`) Administrator of IAP Settings.	iap.projects.* iap.web.getSettings iap.web.updateSettings iap.webServiceVersions.getSettings iap.webServiceVersions.updateSettings iap.webServices.getSettings iap.webServices.updateSettings iap.webTypes.getSettings iap.webTypes.updateSettings
IAP-secured Tunnel User (`roles/iap.tunnelResourceAccessor`) Access Tunnel resources which use Identity-Aware Proxy	iap.tunnelInstances.accessViaIAP

Cloud IoT roles

Role	Permissions
Cloud IoT Admin (`roles/cloudiot.admin`) Full control of all Cloud IoT resources and permissions. Lowest-level resources where you can grant this role: Device	cloudiot.* cloudiottoken.*
Cloud IoT Device Controller (`roles/cloudiot.deviceController`) Access to update the device configuration, but not to create or delete devices. Lowest-level resources where you can grant this role: Device	cloudiot.devices.get cloudiot.devices.list cloudiot.devices.sendCommand cloudiot.devices.updateConfig cloudiot.registries.get cloudiot.registries.list cloudiottoken.tokensettings.get
Cloud IoT Editor (`roles/cloudiot.editor`) Read-write access to all Cloud IoT resources. Lowest-level resources where you can grant this role: Device	cloudiot.devices.* cloudiot.registries.create cloudiot.registries.delete cloudiot.registries.get cloudiot.registries.list cloudiot.registries.update cloudiottoken.*
Cloud IoT Provisioner (`roles/cloudiot.provisioner`) Access to create and delete devices from registries, but not to modify the registries, and enable devices to publish to topics associated with IoT registry. Lowest-level resources where you can grant this role: Device	cloudiot.devices.* cloudiot.registries.get cloudiot.registries.list cloudiottoken.tokensettings.get
Cloud IoT Viewer (`roles/cloudiot.viewer`) Read-only access to all Cloud IoT resources. Lowest-level resources where you can grant this role: Device	cloudiot.devices.get cloudiot.devices.list cloudiot.registries.get cloudiot.registries.list cloudiottoken.tokensettings.get

Cloud KMS roles

Role Permissions

Role	Permissions
Cloud KMS Admin (`roles/cloudkms.admin`) Provides full access to Cloud KMS resources, except encrypt and decrypt operations. Lowest-level resources where you can grant this role: CryptoKey	cloudkms.cryptoKeyVersions.create cloudkms.cryptoKeyVersions.destroy cloudkms.cryptoKeyVersions.get cloudkms.cryptoKeyVersions.list cloudkms.cryptoKeyVersions.restore cloudkms.cryptoKeyVersions.update cloudkms.cryptoKeyVersions.useToDecryptViaDelegation cloudkms.cryptoKeyVersions.useToEncryptViaDelegation cloudkms.cryptoKeys.* cloudkms.importJobs.* cloudkms.keyRings.* cloudkms.locations.get cloudkms.locations.list resourcemanager.projects.get

Cloud KMS Admin
(roles/cloudkms.admin)

Provides full access to Cloud KMS resources, except encrypt and decrypt operations.

Lowest-level resources where you can grant this role:

CryptoKey

cloudkms.cryptoKeyVersions.create
cloudkms.cryptoKeyVersions.destroy
cloudkms.cryptoKeyVersions.get
cloudkms.cryptoKeyVersions.list
cloudkms.cryptoKeyVersions.restore
cloudkms.cryptoKeyVersions.update
cloudkms.cryptoKeyVersions.useToDecryptViaDelegation
cloudkms.cryptoKeyVersions.useToEncryptViaDelegation
cloudkms.cryptoKeys.*
cloudkms.importJobs.*
cloudkms.keyRings.*
cloudkms.locations.get
cloudkms.locations.list
resourcemanager.projects.get