When an identity calls a Google Cloud API, Cloud Identity and Access Management requires that the identity has the appropriate permissions to use the resource. You can grant permissions by granting roles to a user, a group, or a service account.
This page describes the Cloud IAM roles that you can grant to identities to access Cloud Platform resources.
Prerequisite for this guide
- Understand the basic concepts of Cloud IAM
Role types
There are three types of roles in Cloud IAM:
- Primitive roles, which include the Owner, Editor, and Viewer roles that existed prior to the introduction of Cloud IAM
- Predefined roles, which provide granular access for a specific service and are managed by Google Cloud
- Custom roles, which provide granular access according to a user-specified list of permissions
To determine if one or more permissions are included in a primitive, predefined, or custom role, you can use one of the following methods:
- The
gcloud iam roles describecommand - The
roles.get()API
The sections below describe each role type and provide examples of how to use them.
Primitive roles
There are three roles that existed prior to the introduction of Cloud IAM: Owner, Editor, and Viewer. These roles are concentric; that is, the Owner role includes the permissions in the Editor role, and the Editor role includes the permissions in the Viewer role.
The following table summarizes the permissions that the primitive roles include across all Google Cloud services:
Primitive role definitions
| Name | Title | Permissions |
|---|---|---|
roles/viewer |
Viewer | Permissions for read-only actions that do not affect state, such as viewing (but not modifying) existing resources or data. |
roles/editor |
Editor |
All viewer permissions, plus permissions for actions that modify
state, such as changing existing resources.
Note:
While the
roles/editor role contains permissions to create
and delete resources for most Google Cloud services, some services
do not include these permissions. See the
section above for more information on how to
check if a role has the permissions that you need.
|
roles/owner |
Owner |
All editor permissions and permissions for the following actions:
Note:
|
You can apply primitive roles at the project or service resource levels by using
Cloud Console, the
API and the
gcloud command-line tool.
Invitation flow
You cannot grant the owner role to a member for a project using the
Cloud IAM API or the gcloud command-line tool. You can only add
owners to a project using the Cloud Console. An invitation will be sent
to the member via email and the member must accept the invitation to be made an
owner of the project.
Note that invitation emails aren't sent in the following cases:
- when you're granting a role other than the owner.
- when an organization member adds another member of their organization as an owner of a project within that organization.
Predefined roles
In addition to the primitive roles, Cloud IAM provides additional predefined roles that give granular access to specific Google Cloud Platform resources and prevent unwanted access to other resources.
The following table lists these roles, their description, and the lowest-level resource type where the roles can be set. A particular role can be granted to this resource type, or in most cases any type above it in the Google Cloud hierarchy. You can grant multiple roles to the same user. For example, the same user can have Network Admin and Log Viewer roles on a project and also have a Publisher role for a Pub/Sub topic within that project. For a list of the permissions contained in a role, see Getting the role metadata.
Access Approval roles
| Role | Title | Description | Permissions | Lowest resource |
|---|---|---|---|---|
roles/ |
Access Approval Approver Beta | Ability to view or act on access approval requests and view configuration |
accessapproval.requests.* accessapproval.settings.get resourcemanager.projects.get resourcemanager.projects.list |
|
roles/ |
Access Approval Config Editor Beta | Ability update the Access Approval configuration |
accessapproval.settings.* resourcemanager.projects.get resourcemanager.projects.list |
|
roles/ |
Access Approval Viewer Beta | Ability to view access approval requests and configuration |
accessapproval.requests.get accessapproval.requests.list accessapproval.settings.get resourcemanager.projects.get resourcemanager.projects.list |
Access Context Manager roles
| Role | Title | Description | Permissions | Lowest resource |
|---|---|---|---|---|
roles/ |
Access Context Manager Admin | Full access to policies, access levels, and access zones |
accesscontextmanager.* resourcemanager.organizations.get resourcemanager.projects.get resourcemanager.projects.list |
|
roles/ |
Access Context Manager Editor | Edit access to policies. Create, edit, and change access levels and access zones. |
accesscontextmanager.accessLevels.* accesscontextmanager.accessPolicies.create accesscontextmanager.accessPolicies.delete accesscontextmanager.accessPolicies.get accesscontextmanager.accessPolicies.getIamPolicy accesscontextmanager.accessPolicies.list accesscontextmanager.accessPolicies.update accesscontextmanager.accessZones.* accesscontextmanager.policies.create accesscontextmanager.policies.delete accesscontextmanager.policies.get accesscontextmanager.policies.getIamPolicy accesscontextmanager.policies.list accesscontextmanager.policies.update accesscontextmanager.servicePerimeters.* resourcemanager.organizations.get resourcemanager.projects.get resourcemanager.projects.list |
|
roles/ |
Access Context Manager Reader | Read access to policies, access levels, and access zones. |
accesscontextmanager.accessLevels.get accesscontextmanager.accessLevels.list accesscontextmanager.accessPolicies.get accesscontextmanager.accessPolicies.getIamPolicy accesscontextmanager.accessPolicies.list accesscontextmanager.accessZones.get accesscontextmanager.accessZones.list accesscontextmanager.policies.get accesscontextmanager.policies.getIamPolicy accesscontextmanager.policies.list accesscontextmanager.servicePerimeters.get accesscontextmanager.servicePerimeters.list resourcemanager.organizations.get resourcemanager.projects.get resourcemanager.projects.list |
Actions roles
| Role | Title | Description | Permissions | Lowest resource |
|---|---|---|---|---|
roles/ |
Actions Admin | Access to edit and deploy an action |
actions.* firebase.projects.get firebase.projects.update resourcemanager.projects.get resourcemanager.projects.list |
|
roles/ |
Actions Viewer | Access to view an action |
actions.agent.get actions.agentVersions.get actions.agentVersions.list firebase.projects.get resourcemanager.projects.get resourcemanager.projects.list |
Android Management roles
| Role | Title | Description | Permissions | Lowest resource |
|---|---|---|---|---|
roles/ |
Android Management User | Full access to manage devices. |
androidmanagement.* serviceusage.quotas.get serviceusage.services.get serviceusage.services.list |
Apigee roles
| Role | Title | Description | Permissions | Lowest resource |
|---|---|---|---|---|
roles/ |
Apigee Organization Admin Beta | Full access to all apigee resource features |
apigee.* resourcemanager.projects.get resourcemanager.projects.getIamPolicy resourcemanager.projects.list |
|
roles/ |
Apigee Analytics Agent Beta | Curated set of permissions for Apigee Universal Data Collection Agent to manage analytics for an Apigee Organization |
apigee.environments.getDataLocation |
|
roles/ |
Apigee Analytics Editor Beta | Analytics editor for an Apigee Organization |
apigee.environments.get apigee.environments.getStats apigee.organizations.get apigee.organizations.list apigee.queries.* apigee.reports.* resourcemanager.projects.get resourcemanager.projects.list |
|
roles/ |
Apigee Analytics Viewer Beta | Analytics viewer for an Apigee Organization |
apigee.environments.getStats apigee.organizations.get apigee.organizations.list resourcemanager.projects.get resourcemanager.projects.list |
|
roles/ |
Apigee API Creator Beta | Creator of apigee resources |
apigee.apiproductattributes.get apigee.apiproductattributes.list apigee.apiproducts.get apigee.apiproducts.list apigee.apps.* apigee.environments.get apigee.environments.getStats apigee.environments.list apigee.keyvaluemaps.* apigee.organizations.get apigee.organizations.list apigee.proxies.* apigee.proxyrevisions.delete apigee.proxyrevisions.get apigee.proxyrevisions.list apigee.proxyrevisions.update apigee.sharedflowrevisions.* apigee.sharedflows.* apigee.tracesessions.* resourcemanager.projects.get resourcemanager.projects.list |
|
roles/ |
Apigee Deployer Beta | Deployer of apigee resources |
apigee.apiproductattributes.get apigee.apiproductattributes.list apigee.apiproducts.get apigee.apiproducts.list apigee.apps.* apigee.deployments.* apigee.environments.get apigee.environments.getIamPolicy apigee.environments.getStats apigee.environments.list apigee.environments.setIamPolicy apigee.flowhooks.* apigee.keystorealiases.* apigee.keystores.* apigee.keyvaluemaps.* apigee.maskconfigs.* apigee.organizations.get apigee.organizations.list apigee.proxies.get apigee.proxies.list apigee.proxyrevisions.deploy apigee.proxyrevisions.get apigee.proxyrevisions.list apigee.proxyrevisions.undeploy apigee.references.* apigee.resourcefiles.* apigee.sharedflowrevisions.* apigee.sharedflows.* apigee.targetservers.* apigee.tracesessions.* resourcemanager.projects.get resourcemanager.projects.getIamPolicy resourcemanager.projects.list |
|
roles/ |
Apigee Developer Admin Beta | Developer admin of apigee resources |
apigee.apiproductattributes.get apigee.apiproductattributes.list apigee.apiproducts.get apigee.apiproducts.list apigee.appkeys.* apigee.developerappattributes.* apigee.developerapps.* apigee.developerattributes.* apigee.developers.* apigee.environments.get apigee.environments.getStats apigee.organizations.get apigee.organizations.list resourcemanager.projects.get resourcemanager.projects.getIamPolicy resourcemanager.projects.list |
|
roles/ |
Apigee Read-only Admin Beta | Viewer of all apigee resources |
apigee.apiproductattributes.get apigee.apiproductattributes.list apigee.apiproducts.get apigee.apiproducts.list apigee.appkeys.get apigee.apps.* apigee.deployments.get apigee.deployments.list apigee.developerappattributes.get apigee.developerappattributes.list apigee.developerapps.get apigee.developerapps.list apigee.developerattributes.get apigee.developerattributes.list apigee.developers.get apigee.developers.list apigee.environments.get apigee.environments.getDataLocation apigee.environments.getIamPolicy apigee.environments.getStats apigee.environments.list apigee.flowhooks.getSharedFlow apigee.flowhooks.list apigee.keystorealiases.get apigee.keystorealiases.list apigee.keystores.get apigee.keystores.list apigee.keyvaluemaps.list apigee.maskconfigs.get apigee.organizations.get apigee.organizations.list apigee.proxies.get apigee.proxies.list apigee.proxyrevisions.get apigee.proxyrevisions.list apigee.queries.get apigee.queries.list apigee.references.get apigee.references.list apigee.reports.get apigee.reports.list apigee.resourcefiles.get apigee.resourcefiles.list apigee.sharedflowrevisions.get apigee.sharedflowrevisions.list apigee.sharedflows.get apigee.sharedflows.list apigee.targetservers.get apigee.targetservers.list apigee.tracesessions.get apigee.tracesessions.list resourcemanager.projects.get resourcemanager.projects.getIamPolicy resourcemanager.projects.list |
|
roles/ |
Apigee Synchronizer Manager Beta | Curated set of permissions for a Synchronizer to manage environments in an Apigee Organization |
apigee.environments.get apigee.environments.manageRuntime |
App Engine roles
| Role | Title | Description | Permissions | Lowest resource |
|---|---|---|---|---|
roles/ |
App Engine Admin | Read/Write/Modify access to all application configuration and settings. |
appengine.applications.get appengine.applications.update appengine.instances.* appengine.operations.* appengine.runtimes.* appengine.services.* appengine.versions.create appengine.versions.delete appengine.versions.get appengine.versions.list appengine.versions.update resourcemanager.projects.get resourcemanager.projects.list |
Project |
roles/ |
App Engine Viewer | Read-only access to all application configuration and settings. |
appengine.applications.get appengine.instances.get appengine.instances.list appengine.operations.* appengine.services.get appengine.services.list appengine.versions.get appengine.versions.list resourcemanager.projects.get resourcemanager.projects.list |
Project |
roles/ |
App Engine Code Viewer | Read-only access to all application configuration, settings, and deployed source code. |
appengine.applications.get appengine.instances.get appengine.instances.list appengine.operations.* appengine.services.get appengine.services.list appengine.versions.get appengine.versions.getFileContents appengine.versions.list resourcemanager.projects.get resourcemanager.projects.list |
Project |
roles/ |
App Engine Deployer |
Read-only access to all application configuration and settings.
Write access only to create a new version; cannot modify existing versions other than deleting versions that are not receiving traffic. Note: The App Engine Deployer ( roles/appengine.deployer) role
alone grants adequate permission to deploy using the App Engine Admin API. To use
other App Engine tooling, like gcloud commands, you must also have the
Compute Storage Admin (roles/compute.storageAdmin) and Cloud
Build Editor (cloudbuild.builds.editor) roles.
|
appengine.applications.get appengine.instances.get appengine.instances.list appengine.operations.* appengine.services.get appengine.services.list appengine.versions.create appengine.versions.delete appengine.versions.get appengine.versions.list resourcemanager.projects.get resourcemanager.projects.list |
Project |
roles/ |
App Engine Service Admin |
Read-only access to all application configuration and settings.
Write access to module-level and version-level settings. Cannot deploy a new version. |
appengine.applications.get appengine.instances.* appengine.operations.* appengine.services.* appengine.versions.delete appengine.versions.get appengine.versions.list appengine.versions.update resourcemanager.projects.get resourcemanager.projects.list |
Project |
Artifact Registry roles
| Role | Title | Description | Permissions | Lowest resource |
|---|---|---|---|---|
roles/ |
Artifact Registry Administrator Beta | Administrator access to create and manage repositories. |
artifactregistry.* |
|
roles/ |
Artifact Registry Reader Beta | Access to read repository items. |
artifactregistry.files.* artifactregistry.packages.get artifactregistry.packages.list artifactregistry.repositories.downloadArtifacts artifactregistry.repositories.get artifactregistry.repositories.list artifactregistry.tags.get artifactregistry.tags.list artifactregistry.versions.get artifactregistry.versions.list |
|
roles/ |
Artifact Registry Repository Administrator Beta | Access to manage artifacts in repositories. |
artifactregistry.files.* artifactregistry.packages.* artifactregistry.repositories.deleteArtifacts artifactregistry.repositories.downloadArtifacts artifactregistry.repositories.get artifactregistry.repositories.list artifactregistry.repositories.uploadArtifacts artifactregistry.tags.* artifactregistry.versions.* |
|
roles/ |
Artifact Registry Writer Beta | Access to read and write repository items. |
artifactregistry.files.* artifactregistry.packages.get artifactregistry.packages.list artifactregistry.repositories.downloadArtifacts artifactregistry.repositories.get artifactregistry.repositories.list artifactregistry.repositories.uploadArtifacts artifactregistry.tags.create artifactregistry.tags.get artifactregistry.tags.list artifactregistry.tags.update artifactregistry.versions.get artifactregistry.versions.list |
AutoML roles
| Role | Title | Description | Permissions | Lowest resource |
|---|---|---|---|---|
roles/ |
AutoML Admin Beta | Full access to all AutoML resources |
automl.* resourcemanager.projects.get resourcemanager.projects.list serviceusage.services.list |
Dataset/Model |
roles/ |
AutoML Editor Beta | Editor of all AutoML resources |
automl.annotationSpecs.* automl.annotations.* automl.columnSpecs.* automl.datasets.create automl.datasets.delete automl.datasets.export automl.datasets.get automl.datasets.import automl.datasets.list automl.datasets.update automl.examples.* automl.humanAnnotationTasks.* automl.locations.get automl.locations.list automl.modelEvaluations.* automl.models.create automl.models.delete automl.models.deploy automl.models.export automl.models.get automl.models.list automl.models.predict automl.models.undeploy automl.operations.* automl.tableSpecs.* resourcemanager.projects.get resourcemanager.projects.list serviceusage.services.list |
Dataset/Model |
roles/ |
AutoML Predictor Beta | Predict using models |
automl.models.predict resourcemanager.projects.get resourcemanager.projects.list |
Model |
roles/ |
AutoML Viewer Beta | Viewer of all AutoML resources |
automl.annotationSpecs.get automl.annotationSpecs.list automl.annotations.list automl.columnSpecs.get automl.columnSpecs.list automl.datasets.get automl.datasets.list automl.examples.get automl.examples.list automl.humanAnnotationTasks.get automl.humanAnnotationTasks.list automl.locations.get automl.locations.list automl.modelEvaluations.get automl.modelEvaluations.list automl.models.get automl.models.list automl.operations.get automl.operations.list automl.tableSpecs.get automl.tableSpecs.list resourcemanager.projects.get resourcemanager.projects.list serviceusage.services.list |
Dataset/Model |
BigQuery roles
| Role | Title | Description | Permissions | Lowest resource |
|---|---|---|---|---|
roles/ |
BigQuery Admin | Provides permissions to manage all resources within the project. Can manage all data within the project, and can cancel jobs from other users running within the project. |
bigquery.* resourcemanager.projects.get resourcemanager.projects.list |
Project |
roles/ |
BigQuery Connection Admin Beta |
bigquery.connections.* |
||
roles/ |
BigQuery Connection User Beta |
bigquery.connections.get bigquery.connections.getIamPolicy bigquery.connections.list bigquery.connections.use |
||
roles/ |
BigQuery Data Editor |
When applied to a dataset, dataEditor provides permissions to:
When applied at the project or organization level, this role can also create new datasets. |
bigquery.datasets.create bigquery.datasets.get bigquery.datasets.getIamPolicy bigquery.datasets.updateTag bigquery.models.* bigquery.routines.* bigquery.tables.create bigquery.tables.delete bigquery.tables.export bigquery.tables.get bigquery.tables.getData bigquery.tables.list bigquery.tables.update bigquery.tables.updateData bigquery.tables.updateTag resourcemanager.projects.get resourcemanager.projects.list |
Dataset |
roles/ |
BigQuery Data Owner |
When applied to a dataset, dataOwner provides permissions to:
When applied at the project or organization level, this role can also create new datasets. |
bigquery.datasets.* bigquery.models.* bigquery.routines.* bigquery.tables.* resourcemanager.projects.get resourcemanager.projects.list |
Dataset |
roles/ |
BigQuery Data Viewer |
When applied to a dataset, dataViewer provides permissions to:
When applied at the project or organization level, this role can also enumerate all datasets in the project. Additional roles, however, are necessary to allow the running of jobs. |
bigquery.datasets.get bigquery.datasets.getIamPolicy bigquery.models.getData bigquery.models.getMetadata bigquery.models.list bigquery.routines.get bigquery.routines.list bigquery.tables.export bigquery.tables.get bigquery.tables.getData bigquery.tables.list resourcemanager.projects.get resourcemanager.projects.list |
Dataset |
roles/ |
BigQuery Job User | Provides permissions to run jobs, including queries, within the project. This role can check the existence of all jobs, enumerate their own jobs, and cancel their own jobs. |
bigquery.jobs.create resourcemanager.projects.get resourcemanager.projects.list |
Project |
roles/ |
BigQuery Metadata Viewer |
When applied at the project or organization level, metadataViewer provides permissions to:
Additional roles are necessary to allow the running of jobs. |
bigquery.datasets.get bigquery.datasets.getIamPolicy bigquery.models.getMetadata bigquery.models.list bigquery.routines.get bigquery.routines.list bigquery.tables.get bigquery.tables.list resourcemanager.projects.get resourcemanager.projects.list |
Project |
roles/ |
BigQuery Read Session User Beta | Access to create and use read sessions |
bigquery.readsessions.* resourcemanager.projects.get resourcemanager.projects.list |
|
roles/ |
BigQuery User |
Provides permissions to run jobs, including queries, within the project. The
user role can enumerate their own jobs, cancel their own jobs, and enumerate
datasets within a project. Additionally, allows the creation of new datasets
within the project; the creator is granted the
bigquery.dataOwner role for these new datasets.
|
bigquery.config.get bigquery.datasets.create bigquery.datasets.get bigquery.datasets.getIamPolicy bigquery.jobs.create bigquery.jobs.list bigquery.models.list bigquery.readsessions.* bigquery.routines.list bigquery.savedqueries.get bigquery.savedqueries.list bigquery.tables.list bigquery.transfers.get resourcemanager.projects.get resourcemanager.projects.list |
Project |
Cloud Bigtable roles
| Role | Title | Description | Permissions | Lowest resource |
|---|---|---|---|---|
roles/ |
Bigtable Administrator | Administers all instances within a project, including the data stored within tables. Can create new instances. Intended for project administrators. |
bigtable.* monitoring.metricDescriptors.get monitoring.metricDescriptors.list monitoring.timeSeries.list resourcemanager.projects.get |
Instance |
roles/ |
Bigtable Reader | Provides read-only access to the data stored within tables. Intended for data scientists, dashboard generators, and other data-analysis scenarios. |
bigtable.appProfiles.get bigtable.appProfiles.list bigtable.clusters.get bigtable.clusters.list bigtable.instances.get bigtable.instances.list bigtable.locations.* bigtable.tables.checkConsistency bigtable.tables.generateConsistencyToken bigtable.tables.get bigtable.tables.list bigtable.tables.readRows bigtable.tables.sampleRowKeys monitoring.metricDescriptors.get monitoring.metricDescriptors.list monitoring.timeSeries.list resourcemanager.projects.get |
Instance |
roles/ |
Bigtable User | Provides read-write access to the data stored within tables. Intended for application developers or service accounts. |
bigtable.appProfiles.get bigtable.appProfiles.list bigtable.clusters.get bigtable.clusters.list bigtable.instances.get bigtable.instances.list bigtable.locations.* bigtable.tables.checkConsistency bigtable.tables.generateConsistencyToken bigtable.tables.get bigtable.tables.list bigtable.tables.mutateRows bigtable.tables.readRows bigtable.tables.sampleRowKeys monitoring.metricDescriptors.get monitoring.metricDescriptors.list monitoring.timeSeries.list resourcemanager.projects.get |
Instance |
roles/ |
Bigtable Viewer | Provides no data access. Intended as a minimal set of permissions to access the Cloud Console for Bigtable. |
bigtable.appProfiles.get bigtable.appProfiles.list bigtable.clusters.get bigtable.clusters.list bigtable.instances.get bigtable.instances.list bigtable.locations.* bigtable.tables.checkConsistency bigtable.tables.generateConsistencyToken bigtable.tables.get bigtable.tables.list monitoring.metricDescriptors.get monitoring.metricDescriptors.list monitoring.timeSeries.list resourcemanager.projects.get |
Instance |
Billing roles
| Role | Title | Description | Permissions | Lowest resource |
|---|---|---|---|---|
roles/ |
Billing Account Administrator | Provides access to see and manage all aspects of billing accounts. |
billing.accounts.close billing.accounts.get billing.accounts.getIamPolicy billing.accounts.getPaymentInfo billing.accounts.getSpendingInformation billing.accounts.getUsageExportSpec billing.accounts.list billing.accounts.move billing.accounts.redeemPromotion billing.accounts.removeFromOrganization billing.accounts.reopen billing.accounts.setIamPolicy billing.accounts.update billing.accounts.updatePaymentInfo billing.accounts.updateUsageExportSpec billing.budgets.* billing.credits.* billing.resourceAssociations.* billing.subscriptions.* cloudnotifications.* logging.logEntries.list logging.logServiceIndexes.* logging.logServices.* logging.logs.list logging.privateLogEntries.* resourcemanager.projects.createBillingAssignment resourcemanager.projects.deleteBillingAssignment |
Billing Account |
roles/ |
Billing Account Creator | Provides access to create billing accounts. |
billing.accounts.create resourcemanager.organizations.get |
Project |
roles/ |
Project Billing Manager | Provides access to assign a project's billing account or disable its billing. |
resourcemanager.projects.createBillingAssignment resourcemanager.projects.deleteBillingAssignment |
Project |
roles/ |
Billing Account User | Provides access to associate projects with billing accounts. |
billing.accounts.get billing.accounts.getIamPolicy billing.accounts.list billing.accounts.redeemPromotion billing.credits.* billing.resourceAssociations.create |
Billing Account |
roles/ |
Billing Account Viewer | View billing account cost information and transactions. |
billing.accounts.get billing.accounts.getIamPolicy billing.accounts.getPaymentInfo billing.accounts.getSpendingInformation billing.accounts.getUsageExportSpec billing.accounts.list billing.budgets.get billing.budgets.list billing.credits.* billing.resourceAssociations.list billing.subscriptions.get billing.subscriptions.list |
Organization
Billing Account |
Binary Authorization roles
Hangouts Chat roles
| Role | Title | Description | Permissions | Lowest resource |
|---|---|---|---|---|
roles/ |
Chat Bots Owner | Can view and modify bot configurations |
chat.* |
|
roles/ |
Chat Bots Viewer | Can view bot configurations |
chat.bots.get |
Cloud Asset roles
| Role | Title | Description | Permissions | Lowest resource |
|---|---|---|---|---|
roles/ |
Cloud Asset Owner | Full access to cloud assets metadata |
cloudasset.* |
|
roles/ |
Cloud Asset Viewer | Read only access to cloud assets metadata |
cloudasset.assets.* |
Cloud Build roles
| Role | Title | Description | Permissions | Lowest resource |
|---|---|---|---|---|
roles/ |
Cloud Build Service Account | Can perform builds |
cloudbuild.* logging.logEntries.create pubsub.topics.create pubsub.topics.publish remotebuildexecution.blobs.get resourcemanager.projects.get resourcemanager.projects.list source.repos.get source.repos.list storage.buckets.create storage.buckets.get storage.buckets.list storage.objects.create storage.objects.delete storage.objects.get storage.objects.list storage.objects.update |
|
roles/ |
Cloud Build Editor | Provides access to create and cancel builds. |
cloudbuild.* remotebuildexecution.blobs.get resourcemanager.projects.get resourcemanager.projects.list |
Project |
roles/ |
Cloud Build Viewer | Provides access to view builds. |
cloudbuild.builds.get cloudbuild.builds.list remotebuildexecution.blobs.get resourcemanager.projects.get resourcemanager.projects.list |
Project |
Cloud Data Fusion roles
| Role | Title | Description | Permissions | Lowest resource |
|---|---|---|---|---|
roles/ |
Cloud Data Fusion Admin Beta | Full access to Cloud Data Fusion Instances and related resources. |
datafusion.* resourcemanager.projects.get resourcemanager.projects.list |
Project |
roles/ |
Cloud Data Fusion Viewer Beta | Read-only access to Cloud Data Fusion Instances and related resources. |
datafusion.instances.get datafusion.instances.getIamPolicy datafusion.instances.list datafusion.locations.* datafusion.operations.get datafusion.operations.list resourcemanager.projects.get resourcemanager.projects.list |
Project |
Stackdriver Debugger roles
| Role | Title | Description | Permissions | Lowest resource |
|---|---|---|---|---|
roles/ |
Stackdriver Debugger Agent Beta | Provides permissions to register the debug target, read active breakpoints, and report breakpoint results. |
clouddebugger.breakpoints.list clouddebugger.breakpoints.listActive clouddebugger.breakpoints.update clouddebugger.debuggees.create |
Service Account |
roles/ |
Stackdriver Debugger User Beta | Provides permissions to create, view, list, and delete breakpoints (snapshots & logpoints) as well as list debug targets (debuggees). |
clouddebugger.breakpoints.create clouddebugger.breakpoints.delete clouddebugger.breakpoints.get clouddebugger.breakpoints.list clouddebugger.debuggees.list |
Project |
Cloud Functions roles
| Role | Title | Description | Permissions | Lowest resource |
|---|---|---|---|---|
roles/ |
Cloud Functions Admin Beta | Full access to functions, operations and locations. |
cloudfunctions.* resourcemanager.projects.get serviceusage.quotas.get serviceusage.services.get serviceusage.services.list |
|
roles/ |
Cloud Functions Developer Beta | Read and write access to all functions-related resources. |
cloudfunctions.functions.call cloudfunctions.functions.create cloudfunctions.functions.delete cloudfunctions.functions.get cloudfunctions.functions.invoke cloudfunctions.functions.list cloudfunctions.functions.sourceCodeGet cloudfunctions.functions.sourceCodeSet cloudfunctions.functions.update cloudfunctions.locations.* cloudfunctions.operations.* resourcemanager.projects.get serviceusage.quotas.get serviceusage.services.get serviceusage.services.list |
|
roles/ |
Cloud Functions Invoker Beta | Ability to invoke HTTP functions with restricted access. |
cloudfunctions.functions.invoke |
|
roles/ |
Cloud Functions Viewer Beta | Read-only access to functions and locations. |
cloudfunctions.functions.get cloudfunctions.functions.list cloudfunctions.locations.* cloudfunctions.operations.* resourcemanager.projects.get serviceusage.quotas.get serviceusage.services.get serviceusage.services.list |
Cloud IAP roles
| Role | Title | Description | Permissions | Lowest resource |
|---|---|---|---|---|
roles/ |
IAP Policy Admin | Provides full access to Identity-Aware Proxy resources. |
iap.tunnel.* iap.tunnelInstances.getIamPolicy iap.tunnelInstances.setIamPolicy iap.tunnelZones.* iap.web.getIamPolicy iap.web.setIamPolicy iap.webServiceVersions.getIamPolicy iap.webServiceVersions.setIamPolicy iap.webServices.getIamPolicy iap.webServices.setIamPolicy iap.webTypes.getIamPolicy iap.webTypes.setIamPolicy |
Project |
roles/ |
IAP-secured Web App User | Provides permission to access HTTPS resources which use Identity-Aware Proxy. |
iap.webServiceVersions.accessViaIAP |
Project |
roles/ |
IAP Settings Admin | Administrator of IAP Settings. |
iap.projects.* iap.web.getSettings iap.web.updateSettings iap.webServiceVersions.getSettings iap.webServiceVersions.updateSettings iap.webServices.getSettings iap.webServices.updateSettings iap.webTypes.getSettings iap.webTypes.updateSettings |
|
roles/ |
IAP-secured Tunnel User | Access Tunnel resources which use Identity-Aware Proxy |
iap.tunnelInstances.accessViaIAP |
Cloud IoT roles
| Role | Title | Description | Permissions | Lowest resource |
|---|---|---|---|---|
roles/ |
Cloud IoT Admin | Full control of all Cloud IoT resources and permissions. |
cloudiot.* cloudiottoken.* |
Device |
roles/ |
Cloud IoT Device Controller | Access to update the configuration of devices, but not to create or delete devices. |
cloudiot.devices.get cloudiot.devices.list cloudiot.devices.sendCommand cloudiot.devices.updateConfig cloudiot.registries.get cloudiot.registries.list cloudiottoken.tokensettings.get |
Device |
roles/ |
Cloud IoT Editor | Read-write access to all Cloud IoT resources. |
cloudiot.devices.* cloudiot.registries.create cloudiot.registries.delete cloudiot.registries.get cloudiot.registries.list cloudiot.registries.update cloudiottoken.* |
Device |
roles/ |
Cloud IoT Provisioner | Access to create and delete devices from registries, but not to modify the registries. |
cloudiot.devices.* cloudiot.registries.get cloudiot.registries.list cloudiottoken.tokensettings.get |
Device |
roles/ |
Cloud IoT Viewer | Read-only access to all Cloud IoT resources. |
cloudiot.devices.get cloudiot.devices.list cloudiot.registries.get cloudiot.registries.list cloudiottoken.tokensettings.get |
Device |
Cloud Talent Solution roles
| Role | Title | Description | Permissions | Lowest resource |
|---|---|---|---|---|
roles/ |
Admin | Access to Cloud Job Discovery Self-Service Tools |
cloudjobdiscovery.tools.* iam.serviceAccounts.list resourcemanager.projects.get resourcemanager.projects.list |
|
roles/ |
Job Editor | Write access to all Cloud Job Discovery data. |
cloudjobdiscovery.companies.* cloudjobdiscovery.events.* cloudjobdiscovery.jobs.* resourcemanager.projects.get resourcemanager.projects.list |
|
roles/ |
Job Viewer | Read access to all Cloud Job Discovery data. |
cloudjobdiscovery.companies.get cloudjobdiscovery.companies.list cloudjobdiscovery.jobs.get cloudjobdiscovery.jobs.search resourcemanager.projects.get resourcemanager.projects.list |
|
roles/ |
Profile Editor | Write access to all profile data in Cloud Talent Solution. |
cloudjobdiscovery.events.* cloudjobdiscovery.profiles.* cloudjobdiscovery.tenants.* resourcemanager.projects.get resourcemanager.projects.list |
|
roles/ |
Profile Viewer | Read access to all profile data in Cloud Talent Solution. |
cloudjobdiscovery.profiles.get cloudjobdiscovery.profiles.search cloudjobdiscovery.tenants.get resourcemanager.projects.get resourcemanager.projects.list |
Cloud KMS roles
| Role | Title | Description | Permissions | Lowest resource |
|---|---|---|---|---|
roles/ |
Cloud KMS Admin | Provides full access to Cloud KMS resources, except encrypt and decrypt operations. |
cloudkms.cryptoKeyVersions.create cloudkms.cryptoKeyVersions.destroy cloudkms.cryptoKeyVersions.get cloudkms.cryptoKeyVersions.list cloudkms.cryptoKeyVersions.restore cloudkms.cryptoKeyVersions.update cloudkms.cryptoKeys.* cloudkms.importJobs.* cloudkms.keyRings.* resourcemanager.projects.get |
CryptoKey |
roles/ |
Cloud KMS CryptoKey Decrypter | Provides ability to use Cloud KMS resources for decrypt operations only. |
cloudkms.cryptoKeyVersions.useToDecrypt resourcemanager.projects.get |
CryptoKey |
roles/ |
Cloud KMS CryptoKey Encrypter | Provides ability to use Cloud KMS resources for encrypt operations only. |
cloudkms.cryptoKeyVersions.useToEncrypt resourcemanager.projects.get |
CryptoKey |
roles/ |
Cloud KMS CryptoKey Encrypter/Decrypter | Provides ability to use Cloud KMS resources for encrypt and decrypt operations only. |
cloudkms.cryptoKeyVersions.useToDecrypt cloudkms.cryptoKeyVersions.useToEncrypt resourcemanager.projects.get |
CryptoKey |
roles/ |
Cloud KMS Importer | Enables ImportCryptoKeyVersion, CreateImportJob, ListImportJobs, and GetImportJob operations |
cloudkms.importJobs.create cloudkms.importJobs.get cloudkms.importJobs.list cloudkms.importJobs.useToImport resourcemanager.projects.get |
|
roles/ |
Cloud KMS CryptoKey Public Key Viewer | Enables GetPublicKey operations |
cloudkms.cryptoKeyVersions.viewPublicKey resourcemanager.projects.get |
|
roles/ |
Cloud KMS CryptoKey Signer | Enables the AsymmetricSign operation |
cloudkms.cryptoKeyVersions.useToSign resourcemanager.projects.get |
|
roles/ |
Cloud KMS CryptoKey Signer/Verifier | Enables AsymmetricSign, and GetPublicKey operations |
cloudkms.cryptoKeyVersions.useToSign cloudkms.cryptoKeyVersions.viewPublicKey resourcemanager.projects.get |
Cloud Migration roles
| Role | Title | Description | Permissions | Lowest resource |
|---|---|---|---|---|
roles/ |
Velostrata Manager Beta | Ability to create and manage Compute VMs to run Velostrata Infrastructure |
cloudmigration.* compute.addresses.* compute.diskTypes.* compute.disks.create compute.disks.createSnapshot compute.disks.delete compute.disks.get compute.disks.list compute.disks.setLabels compute.disks.update compute.disks.use compute.disks.useReadOnly compute.globalOperations.get compute.images.get compute.images.list compute.images.useReadOnly compute.instances.attachDisk compute.instances.create compute.instances.delete compute.instances.detachDisk compute.instances.get compute.instances.getSerialPortOutput compute.instances.list compute.instances.reset compute.instances.setDiskAutoDelete compute.instances.setLabels compute.instances.setMachineType compute.instances.setMetadata compute.instances.setMinCpuPlatform compute.instances.setScheduling compute.instances.setServiceAccount compute.instances.setTags compute.instances.start compute.instances.startWithEncryptionKey compute.instances.stop compute.instances.updateNetworkInterface compute.instances.updateShieldedInstanceConfig compute.instances.use compute.licenseCodes.get compute.licenseCodes.list compute.licenseCodes.update compute.licenseCodes.use compute.licenses.get compute.licenses.list compute.machineTypes.* compute.networks.get compute.networks.list compute.networks.use compute.networks.useExternalIp compute.nodeGroups.get compute.nodeGroups.list compute.nodeTemplates.list compute.projects.get compute.regionOperations.get compute.regions.* compute.snapshots.create compute.snapshots.delete compute.snapshots.get compute.snapshots.setLabels compute.snapshots.useReadOnly compute.subnetworks.get compute.subnetworks.list compute.subnetworks.use compute.subnetworks.useExternalIp compute.zoneOperations.get compute.zones.* gkehub.endpoints.* iam.serviceAccounts.get iam.serviceAccounts.list resourcemanager.projects.get storage.buckets.create storage.buckets.delete storage.buckets.get storage.buckets.list storage.buckets.update |
|
roles/ |
Velostrata Storage Access Beta | Ability to access migration storage |
storage.objects.create storage.objects.delete storage.objects.get storage.objects.list storage.objects.update |
|
roles/ |
Velostrata Manager Connection Agent Beta | Ability to set up connection between Velostrata Manager and Google |
cloudmigration.* gkehub.endpoints.* |
|
roles/ |
VM Migration Administrator Beta | Ability to view and edit all VM Migration objects |
vmmigration.* |
|
roles/ |
VM Migration Viewer Beta | Ability to view all VM Migration objects |
vmmigration.deployments.get vmmigration.deployments.list |
Cloud Private Catalog roles
| Role | Title | Description | Permissions | Lowest resource |
|---|---|---|---|---|
roles/ |
Catalog Consumer Beta | Can browse catalogs in the target resource context. |
cloudprivatecatalog.* |
|
roles/ |
Catalog Admin Beta | Can manage catalog and view its associations. |
cloudprivatecatalogproducer.associations.* cloudprivatecatalogproducer.catalogs.* resourcemanager.folders.get resourcemanager.folders.list resourcemanager.organizations.get |
|
roles/ |
Catalog Manager Beta | Can manage associations between a catalog and a target resource. |
cloudprivatecatalog.* cloudprivatecatalogproducer.associations.* cloudprivatecatalogproducer.catalogs.get cloudprivatecatalogproducer.catalogs.list cloudprivatecatalogproducer.targets.* resourcemanager.folders.get resourcemanager.folders.list resourcemanager.organizations.get |
Stackdriver Profiler roles
| Role | Title | Description | Permissions | Lowest resource |
|---|---|---|---|---|
roles/ |
Stackdriver Profiler Agent Beta | Stackdriver Profiler agents are allowed to register and provide the profiling data. |
cloudprofiler.profiles.create cloudprofiler.profiles.update |
|
roles/ |
Stackdriver Profiler User Beta | Stackdriver Profiler users are allowed to query and view the profiling data. |
cloudprofiler.profiles.list resourcemanager.projects.get resourcemanager.projects.list serviceusage.quotas.get serviceusage.services.get serviceusage.services.list |
Cloud Scheduler roles
| Role | Title | Description | Permissions | Lowest resource |
|---|---|---|---|---|
roles/ |
Cloud Scheduler Admin Beta | Full access to jobs and executions. |
appengine.applications.get cloudscheduler.* resourcemanager.projects.get resourcemanager.projects.list serviceusage.services.get serviceusage.services.list |
|
roles/ |
Cloud Scheduler Job Runner Beta | Access to run jobs. |
appengine.applications.get cloudscheduler.jobs.fullView cloudscheduler.jobs.run resourcemanager.projects.get resourcemanager.projects.list serviceusage.services.get serviceusage.services.list |
|
roles/ |
Cloud Scheduler Viewer Beta | Get and list access to jobs, executions, and locations. |
appengine.applications.get cloudscheduler.jobs.fullView cloudscheduler.jobs.get cloudscheduler.jobs.list cloudscheduler.locations.* resourcemanager.projects.get resourcemanager.projects.list serviceusage.services.get serviceusage.services.list |
Cloud Security Scanner roles
| Role | Title | Description | Permissions | Lowest resource |
|---|---|---|---|---|
roles/ |
Web Security Scanner Editor | Full access to all Cloud Security Scanner resources |
appengine.applications.get cloudsecurityscanner.* compute.addresses.list resourcemanager.projects.get resourcemanager.projects.list serviceusage.quotas.get serviceusage.services.get serviceusage.services.list |
|
roles/ |
Web Security Scanner Runner | Read access to Scan and ScanRun, plus the ability to start scans |
cloudsecurityscanner.crawledurls.* cloudsecurityscanner.scanruns.get cloudsecurityscanner.scanruns.list cloudsecurityscanner.scanruns.stop cloudsecurityscanner.scans.get cloudsecurityscanner.scans.list cloudsecurityscanner.scans.run |
|
roles/ |
Web Security Scanner Viewer | Read access to all Cloud Security Scanner resources |
cloudsecurityscanner.crawledurls.* cloudsecurityscanner.results.* cloudsecurityscanner.scanruns.get cloudsecurityscanner.scanruns.getSummary cloudsecurityscanner.scanruns.list cloudsecurityscanner.scans.get cloudsecurityscanner.scans.list serviceusage.quotas.get serviceusage.services.get serviceusage.services.list |
Cloud Services roles
| Role | Title | Description | Permissions | Lowest resource |
|---|---|---|---|---|
roles/ |
Service Broker Admin Beta | Full access to ServiceBroker resources. |
servicebroker.* |
|
roles/ |
Service Broker Operator Beta | Operational access to the ServiceBroker resources. |
servicebroker.bindingoperations.* servicebroker.bindings.create servicebroker.bindings.delete servicebroker.bindings.get servicebroker.bindings.list servicebroker.catalogs.create servicebroker.catalogs.delete servicebroker.catalogs.get servicebroker.catalogs.list servicebroker.instanceoperations.* servicebroker.instances.create servicebroker.instances.delete servicebroker.instances.get servicebroker.instances.list servicebroker.instances.update |
Cloud SQL roles
| Role | Title | Description | Permissions | Lowest resource |
|---|---|---|---|---|
roles/ |
Cloud SQL Admin | Provides full control of Cloud SQL resources. |
cloudsql.* resourcemanager.projects.get resourcemanager.projects.list serviceusage.quotas.get serviceusage.services.get serviceusage.services.list |
Project |
roles/ |
Cloud SQL Client | Provides connectivity access to Cloud SQL instances. |
cloudsql.instances.connect cloudsql.instances.get |
Project |
roles/ |
Cloud SQL Editor | Provides full control of existing Cloud SQL instances excluding modifying users, SSL certificates or deleting resources. |
cloudsql.backupRuns.create cloudsql.backupRuns.get cloudsql.backupRuns.list cloudsql.databases.create cloudsql.databases.get cloudsql.databases.list cloudsql.databases.update cloudsql.instances.addServerCa cloudsql.instances.connect cloudsql.instances.export cloudsql.instances.failover cloudsql.instances.get cloudsql.instances.list cloudsql.instances.listServerCas cloudsql.instances.restart cloudsql.instances.rotateServerCa cloudsql.instances.truncateLog cloudsql.instances.update cloudsql.sslCerts.get cloudsql.sslCerts.list cloudsql.users.list resourcemanager.projects.get resourcemanager.projects.list serviceusage.quotas.get serviceusage.services.get serviceusage.services.list |
Project |
roles/ |
Cloud SQL Viewer | Provides read-only access to Cloud SQL resources. |
cloudsql.backupRuns.get cloudsql.backupRuns.list cloudsql.databases.get cloudsql.databases.list cloudsql.instances.export cloudsql.instances.get cloudsql.instances.list cloudsql.instances.listServerCas cloudsql.sslCerts.get cloudsql.sslCerts.list cloudsql.users.list resourcemanager.projects.get resourcemanager.projects.list serviceusage.quotas.get serviceusage.services.get serviceusage.services.list |
Project |
Cloud Tasks roles
| Role | Title | Description | Permissions | Lowest resource |
|---|---|---|---|---|
roles/ |
Cloud Tasks Admin Beta | Full access to queues and tasks. |
cloudtasks.* resourcemanager.projects.get resourcemanager.projects.list |
|
roles/ |
Cloud Tasks Enqueuer Beta | Access to create tasks. |
cloudtasks.tasks.create cloudtasks.tasks.fullView resourcemanager.projects.get resourcemanager.projects.list |
|
roles/ |
Cloud Tasks Queue Admin Beta | Admin access to queues. |
cloudtasks.locations.* cloudtasks.queues.* resourcemanager.projects.get resourcemanager.projects.list |
|
roles/ |
Cloud Tasks Task Deleter Beta | Access to delete tasks. |
cloudtasks.tasks.delete resourcemanager.projects.get resourcemanager.projects.list |
|
roles/ |
Cloud Tasks Task Runner Beta | Access to run tasks. |
cloudtasks.tasks.fullView cloudtasks.tasks.run resourcemanager.projects.get resourcemanager.projects.list |
|
roles/ |
Cloud Tasks Viewer Beta | Get and list access to tasks, queues, and locations. |
cloudtasks.locations.* cloudtasks.queues.get cloudtasks.queues.list cloudtasks.tasks.fullView cloudtasks.tasks.get cloudtasks.tasks.list resourcemanager.projects.get resourcemanager.projects.list |
Cloud Trace roles
| Role | Title | Description | Permissions | Lowest resource |
|---|---|---|---|---|
roles/ |
Cloud Trace Admin | Provides full access to the Trace console and read-write access to traces. |
cloudtrace.* resourcemanager.projects.get resourcemanager.projects.list |
Project |
roles/ |
Cloud Trace Agent | For service accounts. Provides ability to write traces by sending the data to Stackdriver Trace. |
cloudtrace.traces.patch |
Project |
roles/ |
Cloud Trace User | Provides full access to the Trace console and read access to traces. |
cloudtrace.insights.* cloudtrace.stats.* cloudtrace.tasks.* cloudtrace.traces.get cloudtrace.traces.list resourcemanager.projects.get resourcemanager.projects.list |
Project |
Cloud Translation roles
| Role | Title | Description | Permissions | Lowest resource |
|---|---|---|---|---|
roles/ |
Cloud Translation API Admin | Full access to all Cloud Translation resources |
automl.models.get automl.models.predict cloudtranslate.* resourcemanager.projects.get resourcemanager.projects.list |
|
roles/ |
Cloud Translation API Editor | Editor of all Cloud Translation resources |
automl.models.get automl.models.predict cloudtranslate.* resourcemanager.projects.get resourcemanager.projects.list |
|
roles/ |
Cloud Translation API User | User of Cloud Translation and AutoML models |
automl.models.get automl.models.predict cloudtranslate.generalModels.* cloudtranslate.glossaries.batchPredict cloudtranslate.glossaries.get cloudtranslate.glossaries.list cloudtranslate.glossaries.predict cloudtranslate.languageDetectionModels.* cloudtranslate.locations.* cloudtranslate.operations.get cloudtranslate.operations.list cloudtranslate.operations.wait resourcemanager.projects.get resourcemanager.projects.list |
|
roles/ |
Cloud Translation API Viewer | Viewer of all Translation resources |
automl.models.get cloudtranslate.generalModels.get cloudtranslate.glossaries.get cloudtranslate.glossaries.list cloudtranslate.locations.* cloudtranslate.operations.get cloudtranslate.operations.list cloudtranslate.operations.wait resourcemanager.projects.get resourcemanager.projects.list |
Codelab API Keys roles
| Role | Title | Description | Permissions | Lowest resource |
|---|---|---|---|---|
roles/ |
Codelab ApiKeys Admin Beta | Full access to API keys |
resourcemanager.projects.get resourcemanager.projects.list |
|
roles/ |
Codelab API Keys Editor Beta | This role can view and edit all properties of API keys. |
resourcemanager.projects.get resourcemanager.projects.list |
|
roles/ |
Codelab API Keys Viewer Beta | This role can view all properties except change history of API keys. |
resourcemanager.projects.get resourcemanager.projects.list |
Cloud Composer roles
| Role | Title | Description | Permissions | Lowest resource |
|---|---|---|---|---|
roles/ |
Composer Administrator | Provides full control of Cloud Composer resources. |
composer.* serviceusage.quotas.get serviceusage.services.get serviceusage.services.list |
Project |
roles/ |
Environment and Storage Object Administrator | Provides full control of Cloud Composer resources and of the objects in all project buckets. |
composer.* resourcemanager.projects.get resourcemanager.projects.list serviceusage.quotas.get serviceusage.services.get serviceusage.services.list storage.objects.* |
Project |
roles/ |
Environment User and Storage Object Viewer | Provides the permissions nessesary to list and get Cloud Composer environments and operations. Provides read-only access to objects in all project buckets. |
composer.environments.get composer.environments.list composer.imageversions.* composer.operations.get composer.operations.list resourcemanager.projects.get resourcemanager.projects.list serviceusage.quotas.get serviceusage.services.get serviceusage.services.list storage.objects.get storage.objects.list |
Project |
roles/ |
Composer User | Provides the permissions necessary to list and get Cloud Composer environments and operations. |
composer.environments.get composer.environments.list composer.imageversions.* composer.operations.get composer.operations.list serviceusage.quotas.get serviceusage.services.get serviceusage.services.list |
Project |
roles/ |
Composer Worker | Provides the permissions necessary to run a Cloud Composer environment VM. Intended for service accounts. |
cloudbuild.* container.* logging.logEntries.create monitoring.metricDescriptors.create monitoring.metricDescriptors.get monitoring.metricDescriptors.list monitoring.monitoredResourceDescriptors.* monitoring.timeSeries.create pubsub.snapshots.create pubsub.snapshots.delete pubsub.snapshots.get pubsub.snapshots.list pubsub.snapshots.seek pubsub.snapshots.update pubsub.subscriptions.consume pubsub.subscriptions.create pubsub.subscriptions.delete pubsub.subscriptions.get pubsub.subscriptions.list pubsub.subscriptions.update pubsub.topics.attachSubscription pubsub.topics.create pubsub.topics.delete pubsub.topics.get pubsub.topics.list pubsub.topics.publish pubsub.topics.update pubsub.topics.updateTag remotebuildexecution.blobs.get resourcemanager.projects.get resourcemanager.projects.list serviceusage.quotas.get serviceusage.services.get serviceusage.services.list source.repos.get source.repos.list storage.buckets.create storage.buckets.get storage.buckets.list storage.objects.* |
Project |
Compute Engine roles
| Role | Title | Description | Permissions | Lowest resource |
|---|---|---|---|---|
roles/ |
Compute Admin |
Full control of all Compute Engine resources.
If the user will be managing virtual machine instances that are configured
to run as a service account, you must also grant the
|
compute.* resourcemanager.projects.get resourcemanager.projects.list serviceusage.quotas.get serviceusage.services.get serviceusage.services.list |
Disk, image, instance, instanceTemplate, nodeGroup, nodeTemplate, snapshot Beta |
roles/ |
Compute Image User |
Permission to list and read images without having other permissions on the
image. Granting the |
compute.images.get compute.images.getFromFamily compute.images.list compute.images.useReadOnly resourcemanager.projects.get resourcemanager.projects.list serviceusage.quotas.get serviceusage.services.get serviceusage.services.list |
ImageBeta |
roles/ |
Compute Instance Admin (beta) |
Permissions to create, modify, and delete virtual machine instances. This includes permissions to create, modify, and delete disks, and also to configure Shielded VMBETA settings.
If the user will be managing virtual machine instances that are configured
to run as a service account, you must also grant the
For example, if your company has someone who manages groups of virtual machine instances but does not manage network or security settings and does not manage instances that run as service accounts, you can grant this role on the organization, folder, or project that contains the instances, or you can grant it on individual instances. |
compute.acceleratorTypes.* compute.addresses.get compute.addresses.list compute.addresses.use compute.autoscalers.* compute.diskTypes.* compute.disks.create compute.disks.createSnapshot compute.disks.delete compute.disks.get compute.disks.list compute.disks.resize compute.disks.setLabels compute.disks.update compute.disks.use compute.disks.useReadOnly compute.globalAddresses.get compute.globalAddresses.list compute.globalAddresses.use compute.globalOperations.get compute.globalOperations.list compute.images.get compute.images.getFromFamily compute.images.list compute.images.useReadOnly compute.instanceGroupManagers.* compute.instanceGroups.* compute.instanceTemplates.* compute.instances.* compute.licenses.get compute.licenses.list compute.machineTypes.* compute.networkEndpointGroups.* compute.networks.get compute.networks.list compute.networks.use compute.networks.useExternalIp compute.projects.get compute.regionOperations.get compute.regionOperations.list compute.regions.* compute.reservations.get compute.reservations.list compute.subnetworks.get compute.subnetworks.list compute.subnetworks.use compute.subnetworks.useExternalIp compute.targetPools.get compute.targetPools.list compute.zoneOperations.get compute.zoneOperations.list compute.zones.* resourcemanager.projects.get resourcemanager.projects.list serviceusage.quotas.get serviceusage.services.get serviceusage.services.list |
Disk, image, instance, instanceTemplate, snapshot Beta |
roles/ |
Compute Instance Admin (v1) |
Full control of Compute Engine instances, instance groups, disks, snapshots, and images.
Read access to all Compute Engine networking resources.
If you grant a user this role only at an instance level, then that user cannot create new instances. |
compute.acceleratorTypes.* compute.addresses.get compute.addresses.list compute.addresses.use compute.autoscalers.* compute.backendBuckets.get compute.backendBuckets.list compute.backendServices.get compute.backendServices.list compute.diskTypes.* compute.disks.* compute.externalVpnGateways.get compute.externalVpnGateways.list compute.firewalls.get compute.firewalls.list compute.forwardingRules.get compute.forwardingRules.list compute.globalAddresses.get compute.globalAddresses.list compute.globalAddresses.use compute.globalForwardingRules.get compute.globalForwardingRules.list compute.globalOperations.get compute.globalOperations.list compute.healthChecks.get compute.healthChecks.list compute.httpHealthChecks.get compute.httpHealthChecks.list compute.httpsHealthChecks.get compute.httpsHealthChecks.list compute.images.* compute.instanceGroupManagers.* compute.instanceGroups.* compute.instanceTemplates.* compute.instances.* compute.interconnectAttachments.get compute.interconnectAttachments.list compute.interconnectLocations.* compute.interconnects.get compute.interconnects.list compute.licenseCodes.* compute.licenses.* compute.machineTypes.* compute.networkEndpointGroups.* compute.networks.get compute.networks.list compute.networks.use compute.networks.useExternalIp compute.projects.get compute.projects.setCommonInstanceMetadata compute.regionBackendServices.get compute.regionBackendServices.list compute.regionOperations.get compute.regionOperations.list compute.regions.* compute.reservations.get compute.reservations.list compute.resourcePolicies.* compute.routers.get compute.routers.list compute.routes.get compute.routes.list compute.snapshots.* compute.sslCertificates.get compute.sslCertificates.list compute.sslPolicies.get compute.sslPolicies.list compute.sslPolicies.listAvailableFeatures compute.subnetworks.get compute.subnetworks.list compute.subnetworks.use compute.subnetworks.useExternalIp compute.targetHttpProxies.get compute.targetHttpProxies.list compute.targetHttpsProxies.get compute.targetHttpsProxies.list compute.targetInstances.get compute.targetInstances.list compute.targetPools.get compute.targetPools.list compute.targetSslProxies.get compute.targetSslProxies.list compute.targetTcpProxies.get compute.targetTcpProxies.list compute.targetVpnGateways.get compute.targetVpnGateways.list compute.urlMaps.get compute.urlMaps.list compute.vpnGateways.get compute.vpnGateways.list compute.vpnTunnels.get compute.vpnTunnels.list compute.zoneOperations.get compute.zoneOperations.list compute.zones.* resourcemanager.projects.get resourcemanager.projects.list serviceusage.quotas.get serviceusage.services.get serviceusage.services.list |
|
roles/ |
Compute Load Balancer Admin Beta |
Permissions to create, modify, and delete load balancers and associate resources.
For example, if your company has a load balancing team that manages load
balancers, SSL certificates for load balancers, SSL policies, and other
load balancing resources, and a separate networking team that manages
the rest of the networking resources, then grant the load balancing
team's group the |
compute.addresses.* compute.backendBuckets.* compute.backendServices.* compute.forwardingRules.* compute.globalAddresses.* compute.globalForwardingRules.* compute.healthChecks.* compute.httpHealthChecks.* compute.httpsHealthChecks.* compute.instanceGroups.* compute.instances.get compute.instances.list compute.instances.use compute.networkEndpointGroups.* compute.networks.get compute.networks.list compute.networks.use compute.projects.get compute.regionBackendServices.* compute.securityPolicies.get compute.securityPolicies.list compute.securityPolicies.use compute.sslCertificates.* compute.sslPolicies.* compute.subnetworks.get compute.subnetworks.list compute.subnetworks.use compute.targetHttpProxies.* compute.targetHttpsProxies.* compute.targetInstances.* compute.targetPools.* compute.targetSslProxies.* compute.targetTcpProxies.* compute.urlMaps.* resourcemanager.projects.get resourcemanager.projects.list serviceusage.quotas.get serviceusage.services.get serviceusage.services.list |
InstanceBeta |
roles/ |
Compute Network Admin |
Permissions to create, modify, and delete networking resources, except for firewall rules and SSL certificates. The network admin role allows read-only access to firewall rules, SSL certificates, and instances (to view their ephemeral IP addresses). The network admin role does not allow a user to create, start, stop, or delete instances.
For example, if your company has a security team that manages firewalls
and SSL certificates and a networking team that manages the rest of the
networking resources, then grant the networking team's group the
|
compute.addresses.* compute.autoscalers.get compute.autoscalers.list compute.backendBuckets.* compute.backendServices.* compute.externalVpnGateways.* compute.firewalls.get compute.firewalls.list compute.forwardingRules.* compute.globalAddresses.* compute.globalForwardingRules.* compute.globalOperations.get compute.globalOperations.list compute.healthChecks.* compute.httpHealthChecks.* compute.httpsHealthChecks.* compute.instanceGroupManagers.get compute.instanceGroupManagers.list compute.instanceGroupManagers.update compute.instanceGroupManagers.use compute.instanceGroups.get compute.instanceGroups.list compute.instanceGroups.update compute.instanceGroups.use compute.instances.get compute.instances.getGuestAttributes compute.instances.getSerialPortOutput compute.instances.list compute.instances.listReferrers compute.instances.use compute.interconnectAttachments.* compute.interconnectLocations.* compute.interconnects.* compute.machineTypes.* compute.networkEndpointGroups.get compute.networkEndpointGroups.list compute.networkEndpointGroups.use compute.networks.* compute.projects.get compute.regionBackendServices.* compute.regionOperations.get compute.regionOperations.list compute.regions.* compute.routers.* compute.routes.* compute.securityPolicies.get compute.securityPolicies.list compute.securityPolicies.use compute.sslCertificates.get compute.sslCertificates.list compute.sslPolicies.* compute.subnetworks.* compute.targetHttpProxies.* compute.targetHttpsProxies.* compute.targetInstances.* compute.targetPools.* compute.targetSslProxies.* compute.targetTcpProxies.* compute.targetVpnGateways.* compute.urlMaps.* compute.vpnGateways.* compute.vpnTunnels.* compute.zoneOperations.get compute.zoneOperations.list compute.zones.* resourcemanager.projects.get resourcemanager.projects.list servicenetworking.operations.get servicenetworking.services.addPeering servicenetworking.services.get serviceusage.quotas.get serviceusage.services.get serviceusage.services.list |
InstanceBeta |
roles/ |
Compute Network User |
Provides access to a shared VPC network Once granted, service owners can use VPC networks and subnets that belong to the host project. For example, a network user can create a VM instance that belongs to a host project network but they cannot delete or create new networks in the host project. |
compute.addresses.createInternal compute.addresses.deleteInternal compute.addresses.get compute.addresses.list compute.addresses.useInternal compute.externalVpnGateways.get compute.externalVpnGateways.list compute.externalVpnGateways.use compute.firewalls.get compute.firewalls.list compute.interconnectAttachments.get compute.interconnectAttachments.list compute.interconnectLocations.* compute.interconnects.get compute.interconnects.list compute.interconnects.use compute.networks.get compute.networks.list compute.networks.listPeeringRoutes compute.networks.use compute.networks.useExternalIp compute.projects.get compute.regions.* compute.routers.get compute.routers.list compute.routes.get compute.routes.list compute.subnetworks.get compute.subnetworks.list compute.subnetworks.use compute.subnetworks.useExternalIp compute.targetVpnGateways.get compute.targetVpnGateways.list compute.vpnGateways.get compute.vpnGateways.list compute.vpnGateways.use compute.vpnTunnels.get compute.vpnTunnels.list compute.zones.* resourcemanager.projects.get resourcemanager.projects.list servicenetworking.services.get serviceusage.quotas.get serviceusage.services.get serviceusage.services.list |
Project |
roles/ |
Compute Network Viewer |
Read-only access to all networking resources
For example, if you have software that inspects your network
configuration, you could grant that software's service account the
|
compute.addresses.get compute.addresses.list compute.autoscalers.get compute.autoscalers.list compute.backendBuckets.get compute.backendBuckets.list compute.backendServices.get compute.backendServices.list compute.firewalls.get compute.firewalls.list compute.forwardingRules.get compute.forwardingRules.list compute.globalAddresses.get compute.globalAddresses.list compute.globalForwardingRules.get compute.globalForwardingRules.list compute.healthChecks.get compute.healthChecks.list compute.httpHealthChecks.get compute.httpHealthChecks.list compute.httpsHealthChecks.get compute.httpsHealthChecks.list compute.instanceGroupManagers.get compute.instanceGroupManagers.list compute.instanceGroups.get compute.instanceGroups.list compute.instances.get compute.instances.getGuestAttributes compute.instances.getSerialPortOutput compute.instances.list compute.instances.listReferrers compute.interconnectAttachments.get compute.interconnectAttachments.list compute.interconnectLocations.* compute.interconnects.get compute.interconnects.list compute.machineTypes.* compute.networks.get compute.networks.list compute.networks.listPeeringRoutes compute.projects.get compute.regionBackendServices.get compute.regionBackendServices.list compute.regions.* compute.routers.get compute.routers.list compute.routes.get compute.routes.list compute.sslCertificates.get compute.sslCertificates.list compute.sslPolicies.get compute.sslPolicies.list compute.sslPolicies.listAvailableFeatures compute.subnetworks.get compute.subnetworks.list compute.targetHttpProxies.get compute.targetHttpProxies.list compute.targetHttpsProxies.get compute.targetHttpsProxies.list compute.targetInstances.get compute.targetInstances.list compute.targetPools.get compute.targetPools.list compute.targetSslProxies.get compute.targetSslProxies.list compute.targetTcpProxies.get compute.targetTcpProxies.list compute.targetVpnGateways.get compute.targetVpnGateways.list compute.urlMaps.get compute.urlMaps.list compute.vpnGateways.get compute.vpnGateways.list compute.vpnTunnels.get compute.vpnTunnels.list compute.zones.* resourcemanager.projects.get resourcemanager.projects.list servicenetworking.services.get serviceusage.quotas.get serviceusage.services.get serviceusage.services.list |
InstanceBeta |
roles/ |
Compute Organization Security Policy Admin Beta | Full control of Compute Engine Organization Security Policies. |
compute.globalOperations.get compute.globalOperations.getIamPolicy compute.globalOperations.list compute.globalOperations.setIamPolicy compute.projects.get compute.securityPolicies.* resourcemanager.projects.get resourcemanager.projects.list serviceusage.quotas.get serviceusage.services.get serviceusage.services.list |
|
roles/ |
Compute Organization Security Policy User Beta | View or use Compute Engine Security Policies to associate with the organization or folders. |
compute.globalOperations.get compute.globalOperations.getIamPolicy compute.globalOperations.list compute.globalOperations.setIamPolicy compute.projects.get compute.securityPolicies.get compute.securityPolicies.list compute.securityPolicies.use resourcemanager.projects.get resourcemanager.projects.list serviceusage.quotas.get serviceusage.services.get serviceusage.services.list |
|
roles/ |
Compute Organization Resource Admin Beta | Full control of Compute Engine Security Policy associations to the organization or folders. |
compute.globalOperations.get compute.globalOperations.getIamPolicy compute.globalOperations.list compute.globalOperations.setIamPolicy compute.projects.get resourcemanager.projects.get resourcemanager.projects.list serviceusage.quotas.get serviceusage.services.get serviceusage.services.list |
|
roles/ |
Compute OS Admin Login |
Access to log in to a Compute Engine instance as an administrator user. |
compute.instances.get compute.instances.list compute.instances.osAdminLogin compute.instances.osLogin compute.projects.get resourcemanager.projects.get resourcemanager.projects.list serviceusage.quotas.get serviceusage.services.get serviceusage.services.list |
InstanceBeta |
roles/ |
Compute OS Login |
Access to log in to a Compute Engine instance as a standard user. |
compute.instances.get compute.instances.list compute.instances.osLogin compute.projects.get resourcemanager.projects.get resourcemanager.projects.list serviceusage.quotas.get serviceusage.services.get serviceusage.services.list |
InstanceBeta |
roles/ |
Compute OS Login External User |
Available only at the organization level. Access for an external user to set OS Login information associated with this organization. This role does not grant access to instances. External users must be granted one of the required OS Login roles in order to allow access to instances using SSH. |
compute.oslogin.* |
Organization |
roles/ |
Compute packet mirroring admin | Specify resources to be mirrored. |
compute.networks.mirror compute.projects.get compute.subnetworks.mirror resourcemanager.projects.get resourcemanager.projects.list serviceusage.quotas.get serviceusage.services.get serviceusage.services.list |
|
roles/ |
Compute packet mirroring user | Use Compute Engine packet mirrorings. |
compute.packetMirrorings.* compute.projects.get resourcemanager.projects.get resourcemanager.projects.list serviceusage.quotas.get serviceusage.services.get serviceusage.services.list |
|
roles/ |
Compute Security Admin |
Permissions to create, modify, and delete firewall rules and SSL certificates, and also to configure Shielded VMBETA settings.
For example, if your company has a security team that manages firewalls
and SSL certificates and a networking team that manages the rest of the
networking resources, then grant the security team's group the
|
compute.firewalls.* compute.globalOperations.get compute.globalOperations.list compute.instances.setShieldedInstanceIntegrityPolicy compute.instances.setShieldedVmIntegrityPolicy compute.instances.updateShieldedInstanceConfig compute.instances.updateShieldedVmConfig compute.networks.get compute.networks.list compute.networks.updatePolicy compute.packetMirrorings.* compute.projects.get compute.regionOperations.get compute.regionOperations.list compute.regions.* compute.routes.get compute.routes.list compute.securityPolicies.* compute.sslCertificates.* compute.sslPolicies.* compute.subnetworks.get compute.subnetworks.list compute.zoneOperations.get compute.zoneOperations.list compute.zones.* resourcemanager.projects.get resourcemanager.projects.list serviceusage.quotas.get serviceusage.services.get serviceusage.services.list |
InstanceBeta |
roles/ |
Compute Storage Admin |
Permissions to create, modify, and delete disks, images, and snapshots.
For example, if your company has someone who manages project images and
you don't want them to have the editor role on the project, then grant
their account the |
compute.diskTypes.* compute.disks.* compute.globalOperations.get compute.globalOperations.list compute.images.* compute.licenseCodes.* compute.licenses.* compute.projects.get compute.regionOperations.get compute.regionOperations.list compute.regions.* compute.resourcePolicies.* compute.snapshots.* compute.zoneOperations.get compute.zoneOperations.list compute.zones.* resourcemanager.projects.get resourcemanager.projects.list serviceusage.quotas.get serviceusage.services.get serviceusage.services.list |
Disk, image, snapshot Beta |
roles/ |
Compute Viewer |
Read-only access to get and list Compute Engine resources, without being able to read the data stored on them. For example, an account with this role could inventory all of the disks in a project, but it could not read any of the data on those disks. |
compute.acceleratorTypes.* compute.addresses.get compute.addresses.list compute.autoscalers.get compute.autoscalers.list compute.backendBuckets.get compute.backendBuckets.list compute.backendServices.get compute.backendServices.list compute.commitments.get compute.commitments.list compute.diskTypes.* compute.disks.get compute.disks.getIamPolicy compute.disks.list compute.externalVpnGateways.get compute.externalVpnGateways.list compute.firewalls.get compute.firewalls.list compute.forwardingRules.get compute.forwardingRules.list compute.globalAddresses.get compute.globalAddresses.list compute.globalForwardingRules.get compute.globalForwardingRules.list compute.globalOperations.get compute.globalOperations.getIamPolicy compute.globalOperations.list compute.healthChecks.get compute.healthChecks.list compute.httpHealthChecks.get compute.httpHealthChecks.list compute.httpsHealthChecks.get compute.httpsHealthChecks.list compute.images.get compute.images.getFromFamily compute.images.getIamPolicy compute.images.list compute.instanceGroupManagers.get compute.instanceGroupManagers.list compute.instanceGroups.get compute.instanceGroups.list compute.instanceTemplates.get compute.instanceTemplates.getIamPolicy compute.instanceTemplates.list compute.instances.get compute.instances.getGuestAttributes compute.instances.getIamPolicy compute.instances.getSerialPortOutput compute.instances.getShieldedInstanceIdentity compute.instances.getShieldedVmIdentity compute.instances.list compute.instances.listReferrers compute.interconnectAttachments.get compute.interconnectAttachments.list compute.interconnectLocations.* compute.interconnects.get compute.interconnects.list compute.licenseCodes.get compute.licenseCodes.getIamPolicy compute.licenseCodes.list compute.licenses.get compute.licenses.getIamPolicy compute.licenses.list compute.machineTypes.* compute.maintenancePolicies.get compute.maintenancePolicies.getIamPolicy compute.maintenancePolicies.list compute.networkEndpointGroups.get compute.networkEndpointGroups.getIamPolicy compute.networkEndpointGroups.list compute.networks.get compute.networks.list compute.networks.listPeeringRoutes compute.nodeGroups.get compute.nodeGroups.getIamPolicy compute.nodeGroups.list compute.nodeTemplates.get compute.nodeTemplates.getIamPolicy compute.nodeTemplates.list compute.nodeTypes.* compute.projects.get compute.regionBackendServices.get compute.regionBackendServices.list compute.regionOperations.get compute.regionOperations.getIamPolicy compute.regionOperations.list compute.regions.* compute.reservations.get compute.reservations.list compute.resourcePolicies.get compute.resourcePolicies.list compute.routers.get compute.routers.list compute.routes.get compute.routes.list compute.securityPolicies.get compute.securityPolicies.getIamPolicy compute.securityPolicies.list compute.snapshots.get compute.snapshots.getIamPolicy compute.snapshots.list compute.sslCertificates.get compute.sslCertificates.list compute.sslPolicies.get compute.sslPolicies.list compute.sslPolicies.listAvailableFeatures compute.subnetworks.get compute.subnetworks.getIamPolicy compute.subnetworks.list compute.targetHttpProxies.get compute.targetHttpProxies.list compute.targetHttpsProxies.get compute.targetHttpsProxies.list compute.targetInstances.get compute.targetInstances.list compute.targetPools.get compute.targetPools.list compute.targetSslProxies.get compute.targetSslProxies.list compute.targetTcpProxies.get compute.targetTcpProxies.list compute.targetVpnGateways.get compute.targetVpnGateways.list compute.urlMaps.get compute.urlMaps.list compute.urlMaps.validate compute.vpnGateways.get compute.vpnGateways.list compute.vpnTunnels.get compute.vpnTunnels.list compute.zoneOperations.get compute.zoneOperations.getIamPolicy compute.zoneOperations.list compute.zones.* resourcemanager.projects.get resourcemanager.projects.list serviceusage.quotas.get serviceusage.services.get serviceusage.services.list |
Disk, image, instance, instanceTemplate, nodeGroup, nodeTemplate, snapshot Beta |
roles/ |
Compute Shared VPC Admin |
Permissions to administer shared VPC host projects, specifically enabling the host projects and associating shared VPC service projects to the host project's network. This role can only be granted on the organization by an organization admin.
Google Cloud recommends that the Shared VPC Admin be the owner of the shared VPC host
project. The Shared VPC Admin is responsible for granting the |
compute.globalOperations.get compute.globalOperations.list compute.organizations.* compute.projects.get compute.subnetworks.getIamPolicy compute.subnetworks.setIamPolicy resourcemanager.organizations.get resourcemanager.projects.get resourcemanager.projects.getIamPolicy resourcemanager.projects.list |
Organization |
Kubernetes Engine roles
| Role | Title | Description | Permissions | Lowest resource |
|---|---|---|---|---|
roles/ |
Kubernetes Engine Admin | Provides access to full management of Container Clusters and their Kubernetes API objects. |
container.* resourcemanager.projects.get resourcemanager.projects.list |
Project |
roles/ |
Kubernetes Engine Cluster Admin | Provides access to management of Container Clusters. |
container.clusters.create container.clusters.delete container.clusters.get container.clusters.list container.clusters.update container.operations.* resourcemanager.projects.get resourcemanager.projects.list |
Project |
roles/ |
Kubernetes Engine Cluster Viewer | Read-only access to Kubernetes Clusters. |
container.clusters.get container.clusters.list resourcemanager.projects.get resourcemanager.projects.list |
|
roles/ |
Kubernetes Engine Developer | Provides full access to Kubernetes API objects inside Container Clusters. |
container.apiServices.* container.backendConfigs.* container.bindings.* container.certificateSigningRequests.create container.certificateSigningRequests.delete container.certificateSigningRequests.get container.certificateSigningRequests.list container.certificateSigningRequests.update container.certificateSigningRequests.updateStatus container.clusterRoleBindings.get container.clusterRoleBindings.list container.clusterRoles.get container.clusterRoles.list container.clusters.get container.clusters.list container.componentStatuses.* container.configMaps.* container.controllerRevisions.get container.controllerRevisions.list container.cronJobs.* container.csiDrivers.* container.csiNodes.* container.customResourceDefinitions.* container.daemonSets.* container.deployments.* container.endpoints.* container.events.* container.horizontalPodAutoscalers.* container.ingresses.* container.initializerConfigurations.* container.jobs.* container.limitRanges.* container.localSubjectAccessReviews.* container.namespaces.* container.networkPolicies.* container.nodes.* container.persistentVolumeClaims.* container.persistentVolumes.* container.petSets.* container.podDisruptionBudgets.* container.podPresets.* container.podSecurityPolicies.get container.podSecurityPolicies.list container.podTemplates.* container.pods.* container.replicaSets.* container.replicationControllers.* container.resourceQuotas.* container.roleBindings.get container.roleBindings.list container.roles.get container.roles.list container.runtimeClasses.* container.scheduledJobs.* container.secrets.* container.selfSubjectAccessReviews.* container.serviceAccounts.* container.services.* container.statefulSets.* container.storageClasses.* container.subjectAccessReviews.* container.thirdPartyObjects.* container.thirdPartyResources.* container.tokenReviews.* resourcemanager.projects.get resourcemanager.projects.list |
Project |
roles/ |
Kubernetes Engine Host Service Agent User | Use access of the Kubernetes Engine Host Service Agent. |
compute.firewalls.get container.hostServiceAgent.* |
|
roles/ |
Kubernetes Engine Viewer | Provides read-only access to GKE resources. |
container.apiServices.get container.apiServices.list container.backendConfigs.get container.backendConfigs.list container.bindings.get container.bindings.list container.certificateSigningRequests.get container.certificateSigningRequests.list container.clusterRoleBindings.get container.clusterRoleBindings.list container.clusterRoles.get container.clusterRoles.list container.clusters.get container.clusters.list container.componentStatuses.* container.configMaps.get container.configMaps.list container.controllerRevisions.get container.controllerRevisions.list container.cronJobs.get container.cronJobs.getStatus container.cronJobs.list container.csiDrivers.get container.csiDrivers.list container.csiNodes.get container.csiNodes.list container.customResourceDefinitions.get container.customResourceDefinitions.list container.daemonSets.get container.daemonSets.getStatus container.daemonSets.list container.deployments.get container.deployments.getStatus container.deployments.list container.endpoints.get container.endpoints.list container.events.get container.events.list container.horizontalPodAutoscalers.get container.horizontalPodAutoscalers.getStatus container.horizontalPodAutoscalers.list container.ingresses.get container.ingresses.getStatus container.ingresses.list container.initializerConfigurations.get container.initializerConfigurations.list container.jobs.get container.jobs.getStatus container.jobs.list container.limitRanges.get container.limitRanges.list container.namespaces.get container.namespaces.getStatus container.namespaces.list container.networkPolicies.get container.networkPolicies.list container.nodes.get container.nodes.getStatus container.nodes.list container.operations.* container.persistentVolumeClaims.get container.persistentVolumeClaims.getStatus container.persistentVolumeClaims.list container.persistentVolumes.get container.persistentVolumes.getStatus container.persistentVolumes.list container.petSets.get container.petSets.list container.podDisruptionBudgets.get container.podDisruptionBudgets.getStatus container.podDisruptionBudgets.list container.podPresets.get container.podPresets.list container.podSecurityPolicies.get container.podSecurityPolicies.list container.podTemplates.get container.podTemplates.list container.pods.get container.pods.getStatus container.pods.list container.replicaSets.get container.replicaSets.getScale container.replicaSets.getStatus container.replicaSets.list container.replicationControllers.get container.replicationControllers.getScale container.replicationControllers.getStatus container.replicationControllers.list container.resourceQuotas.get container.resourceQuotas.getStatus container.resourceQuotas.list container.roleBindings.get container.roleBindings.list container.roles.get container.roles.list container.runtimeClasses.get container.runtimeClasses.list container.scheduledJobs.get container.scheduledJobs.list container.serviceAccounts.get container.serviceAccounts.list container.services.get container.services.getStatus container.services.list container.statefulSets.get container.statefulSets.getStatus container.statefulSets.list container.storageClasses.get container.storageClasses.list container.thirdPartyObjects.get container.thirdPartyObjects.list container.thirdPartyResources.get container.thirdPartyResources.list container.tokenReviews.* resourcemanager.projects.get resourcemanager.projects.list |
Project |
Container Analysis roles
| Role | Title | Description | Permissions | Lowest resource |
|---|---|---|---|---|
roles/ |
Container Analysis Admin Alpha | Access to all resources. |
resourcemanager.projects.get resourcemanager.projects.list |
|
roles/ |
Container Analysis Notes Attacher Alpha | Can attach occurrences to notes |
|
|
roles/ |
Container Analysis Notes Editor Alpha | Can edit container analysis notes |
resourcemanager.projects.get resourcemanager.projects.list |
|
roles/ |
Container Analysis Notes Viewer Alpha | Can view container analysis notes |
resourcemanager.projects.get resourcemanager.projects.list |
|
roles/ |
Container Analysis Occurrences Editor Alpha | Can edit container analysis occurrences |
resourcemanager.projects.get resourcemanager.projects.list |
|
roles/ |
Container Analysis Occurrences Viewer Alpha | Can view container analysis occurrences |
resourcemanager.projects.get resourcemanager.projects.list |
Data Catalog roles
| Role | Title | Description | Permissions | Lowest resource |
|---|---|---|---|---|
roles/ |
Data Catalog Admin Beta | Full access to all DataCatalog resources |
bigquery.datasets.get bigquery.datasets.updateTag bigquery.models.getMetadata bigquery.models.updateTag bigquery.tables.get bigquery.tables.updateTag datacatalog.categories.getIamPolicy datacatalog.categories.setIamPolicy datacatalog.entries.* datacatalog.entryGroups.* datacatalog.tagTemplates.* datacatalog.taxonomies.* pubsub.topics.get pubsub.topics.updateTag resourcemanager.projects.get resourcemanager.projects.list |
|
roles/ |
Policy Tag Admin Beta | Manage taxonomies |
datacatalog.categories.getIamPolicy datacatalog.categories.setIamPolicy datacatalog.taxonomies.* resourcemanager.projects.get resourcemanager.projects.list |
|
roles/ |
Fine-Grained Reader Beta | Read access to sub-resources tagged by a policy tag, for example, BigQuery columns |
datacatalog.categories.fineGrainedGet |
|
roles/ |
DataCatalog EntryGroup Creator Beta | Can create new entryGroups |
datacatalog.entryGroups.create datacatalog.entryGroups.get resourcemanager.projects.get resourcemanager.projects.list |
|
roles/ |
DataCatalog entryGroup Owner Beta | Full access to entryGroups |
datacatalog.entries.* datacatalog.entryGroups.* resourcemanager.projects.get resourcemanager.projects.list |
|
roles/ |
DataCatalog entry Owner Beta | Full access to entries |
datacatalog.entries.* datacatalog.entryGroups.get resourcemanager.projects.get resourcemanager.projects.list |
|
roles/ |
DataCatalog Entry Viewer Beta | Read access to entries |
datacatalog.entries.get datacatalog.entries.list datacatalog.entryGroups.get resourcemanager.projects.get resourcemanager.projects.list |
|
roles/ |
Data Catalog Tag Editor Beta | Gives permission to modify tags on a GCP assets (BigQuery, Pub/Sub etc). |
bigquery.datasets.updateTag bigquery.models.updateTag bigquery.tables.updateTag datacatalog.entries.updateTag pubsub.topics.updateTag |
|
roles/ |
Data Catalog TagTemplate Creator Beta | Can create new tag templates |
datacatalog.tagTemplates.create datacatalog.tagTemplates.get |
|
roles/ |
Data Catalog TagTemplate Owner Beta | Full acess to tag templates |
datacatalog.tagTemplates.* resourcemanager.projects.get resourcemanager.projects.list |
|
roles/ |
Data Catalog TagTemplate User Beta | Can use tag templates to tag resources |
datacatalog.tagTemplates.get datacatalog.tagTemplates.getTag datacatalog.tagTemplates.use resourcemanager.projects.get resourcemanager.projects.list |
|
roles/ |
Data Catalog TagTemplate Viewer Beta | Read access to templates and tags created using the templates |
datacatalog.tagTemplates.get datacatalog.tagTemplates.getTag resourcemanager.projects.get resourcemanager.projects.list |
|
roles/ |
Data Catalog Viewer Beta | View resources in DataCatalog |
bigquery.datasets.get bigquery.models.getMetadata bigquery.tables.get datacatalog.entries.get datacatalog.entries.list datacatalog.entryGroups.get datacatalog.tagTemplates.get datacatalog.tagTemplates.getTag datacatalog.taxonomies.get datacatalog.taxonomies.list pubsub.topics.get resourcemanager.projects.get resourcemanager.projects.list |
Dataflow roles
| Role | Title | Description | Permissions | Lowest resource |
|---|---|---|---|---|
roles/ |
Dataflow Admin | Minimal role for creating and managing dataflow jobs. |
compute.machineTypes.get dataflow.* resourcemanager.projects.get resourcemanager.projects.list storage.buckets.get storage.objects.create storage.objects.get storage.objects.list |
|
roles/ |
Dataflow Developer | Provides the permissions necessary to execute and manipulate Dataflow jobs. |
dataflow.* resourcemanager.projects.get resourcemanager.projects.list |
Project |
roles/ |
Dataflow Viewer | Provides read-only access to all Dataflow-related resources. |
dataflow.jobs.get dataflow.jobs.list dataflow.messages.* dataflow.metrics.* resourcemanager.projects.get resourcemanager.projects.list |
Project |
roles/ |
Dataflow Worker | Provides the permissions necessary for a Compute Engine service account to execute work units for a Dataflow pipeline. |
compute.instanceGroupManagers.update compute.instances.delete compute.instances.setDiskAutoDelete dataflow.jobs.get logging.logEntries.create storage.objects.create storage.objects.get |
Project |
Cloud Data Labeling roles
| Role | Title | Description | Permissions | Lowest resource |
|---|---|---|---|---|
roles/ |
DataLabeling Service Admin Beta | Full access to all DataLabeling resources |
datalabeling.* resourcemanager.projects.get resourcemanager.projects.list |
|
roles/ |
DataLabeling Service Editor Beta | Editor of all DataLabeling resources |
datalabeling.* resourcemanager.projects.get resourcemanager.projects.list |
|
roles/ |
DataLabeling Service Viewer Beta | Viewer of all DataLabeling resources |
datalabeling.annotateddatasets.get datalabeling.annotateddatasets.list datalabeling.annotationspecsets.get datalabeling.annotationspecsets.list datalabeling.dataitems.* datalabeling.datasets.get datalabeling.datasets.list datalabeling.examples.* datalabeling.instructions.get datalabeling.instructions.list datalabeling.operations.get datalabeling.operations.list resourcemanager.projects.get resourcemanager.projects.list |
Dataprep roles
| Role | Title | Description | Permissions | Lowest resource |
|---|---|---|---|---|
roles/ |
Dataprep User Beta | Use of Dataprep. |
dataprep.* resourcemanager.projects.get serviceusage.quotas.get serviceusage.services.get serviceusage.services.list |
Dataproc roles
| Role | Title | Description | Permissions | Lowest resource |
|---|---|---|---|---|
roles/ |
Dataproc Administrator | Full control of Dataproc resources. |
compute.machineTypes.* compute.networks.get compute.networks.list compute.projects.get compute.regions.* compute.zones.* dataproc.autoscalingPolicies.* dataproc.clusters.* dataproc.jobs.* dataproc.operations.* dataproc.workflowTemplates.* resourcemanager.projects.get resourcemanager.projects.list |
|
roles/ |
Dataproc Editor | Provides the permissions necessary for viewing the resources required to manage Dataproc, including machine types, networks, projects and zones. |
compute.machineTypes.* compute.networks.get compute.networks.list compute.projects.get compute.regions.* compute.zones.* dataproc.autoscalingPolicies.create dataproc.autoscalingPolicies.delete dataproc.autoscalingPolicies.get dataproc.autoscalingPolicies.list dataproc.autoscalingPolicies.update dataproc.autoscalingPolicies.use dataproc.clusters.create dataproc.clusters.delete dataproc.clusters.get dataproc.clusters.list dataproc.clusters.update dataproc.clusters.use dataproc.jobs.cancel dataproc.jobs.create dataproc.jobs.delete dataproc.jobs.get dataproc.jobs.list dataproc.jobs.update dataproc.operations.delete dataproc.operations.get dataproc.operations.list dataproc.workflowTemplates.create dataproc.workflowTemplates.delete dataproc.workflowTemplates.get dataproc.workflowTemplates.instantiate dataproc.workflowTemplates.instantiateInline dataproc.workflowTemplates.list dataproc.workflowTemplates.update resourcemanager.projects.get resourcemanager.projects.list |
Project |
roles/ |
Dataproc Viewer | Provides read-only access to Dataproc resources. |
compute.machineTypes.get compute.regions.* compute.zones.get dataproc.autoscalingPolicies.get dataproc.autoscalingPolicies.list dataproc.clusters.get dataproc.clusters.list dataproc.jobs.get dataproc.jobs.list dataproc.operations.get dataproc.operations.list dataproc.workflowTemplates.get dataproc.workflowTemplates.list resourcemanager.projects.get resourcemanager.projects.list |
Project |
roles/ |
Dataproc Worker | Worker access to Dataproc. Intended for service accounts. |
dataproc.agents.* dataproc.tasks.* logging.logEntries.create monitoring.metricDescriptors.create monitoring.metricDescriptors.get monitoring.metricDescriptors.list monitoring.monitoredResourceDescriptors.* monitoring.timeSeries.create storage.buckets.get storage.objects.* |
Datastore roles
| Role | Title | Description | Permissions | Lowest resource |
|---|---|---|---|---|
roles/ |
Cloud Datastore Import Export Admin | Provides full access to manage imports and exports. |
appengine.applications.get datastore.databases.export datastore.databases.import datastore.operations.cancel datastore.operations.get datastore.operations.list resourcemanager.projects.get resourcemanager.projects.list |
Project |
roles/ |
Cloud Datastore Index Admin | Provides full access to manage index definitions. |
appengine.applications.get datastore.indexes.* resourcemanager.projects.get resourcemanager.projects.list |
Project |
roles/ |
Cloud Datastore Owner | Provides full access to Datastore resources. |
appengine.applications.get datastore.* resourcemanager.projects.get resourcemanager.projects.list |
Project |
roles/ |
Cloud Datastore User | Provides read/write access to data in a Datastore database. |
appengine.applications.get datastore.databases.get datastore.entities.* datastore.indexes.list datastore.namespaces.get datastore.namespaces.list datastore.statistics.* resourcemanager.projects.get resourcemanager.projects.list |
Project |
roles/ |
Cloud Datastore Viewer | Provides read access to Datastore resources. |
appengine.applications.get datastore.databases.get datastore.databases.list datastore.entities.get datastore.entities.list datastore.indexes.get datastore.indexes.list datastore.namespaces.get datastore.namespaces.list datastore.statistics.* resourcemanager.projects.get resourcemanager.projects.list |
Project |
Deployment Manager roles
| Role | Title | Description | Permissions | Lowest resource |
|---|---|---|---|---|
roles/ |
Deployment Manager Editor | Provides the permissions necessary to create and manage deployments. |
deploymentmanager.compositeTypes.* deploymentmanager.deployments.cancelPreview deploymentmanager.deployments.create deploymentmanager.deployments.delete deploymentmanager.deployments.get deploymentmanager.deployments.list deploymentmanager.deployments.stop deploymentmanager.deployments.update deploymentmanager.manifests.* deploymentmanager.operations.* deploymentmanager.resources.* deploymentmanager.typeProviders.* deploymentmanager.types.* resourcemanager.projects.get resourcemanager.projects.list serviceusage.quotas.get serviceusage.services.get serviceusage.services.list |
Project |
roles/ |
Deployment Manager Type Editor | Provides read and write access to all Type Registry resources. |
deploymentmanager.compositeTypes.* deploymentmanager.operations.get deploymentmanager.typeProviders.* deploymentmanager.types.* resourcemanager.projects.get resourcemanager.projects.list serviceusage.quotas.get serviceusage.services.get |
Project |
roles/ |
Deployment Manager Type Viewer | Provides read-only access to all Type Registry resources. |
deploymentmanager.compositeTypes.get deploymentmanager.compositeTypes.list deploymentmanager.typeProviders.get deploymentmanager.typeProviders.getType deploymentmanager.typeProviders.list deploymentmanager.typeProviders.listTypes deploymentmanager.types.get deploymentmanager.types.list resourcemanager.projects.get resourcemanager.projects.list serviceusage.quotas.get serviceusage.services.get |
Project |
roles/ |
Deployment Manager Viewer | Provides read-only access to all Deployment Manager-related resources. |
deploymentmanager.compositeTypes.get deploymentmanager.compositeTypes.list deploymentmanager.deployments.get deploymentmanager.deployments.list deploymentmanager.manifests.* deploymentmanager.operations.* deploymentmanager.resources.* deploymentmanager.typeProviders.get deploymentmanager.typeProviders.getType deploymentmanager.typeProviders.list deploymentmanager.typeProviders.listTypes deploymentmanager.types.get deploymentmanager.types.list resourcemanager.projects.get resourcemanager.projects.list serviceusage.quotas.get serviceusage.services.get serviceusage.services.list |
Project |
Dialogflow roles
| Role | Title | Description | Permissions | Lowest resource |
|---|---|---|---|---|
roles/ |
Dialogflow API Admin |
Full access to Dialogflow (API only) resources. Use the roles/owner or roles/editor primitive role for access to both API and Dialogflow console (commonly needed to create an agent from the Dialogflow console).
|
dialogflow.* resourcemanager.projects.get |
Project |
roles/ |
Dialogflow API Client | Client access to Dialogflow (API only) resources. This grants permission to detect intent and read/write session properties (contexts, session entity types, etc.). |
dialogflow.contexts.* dialogflow.sessionEntityTypes.* dialogflow.sessions.* |
Project |
roles/ |
Dialogflow Console Agent Editor | Can edit agent in Dialogflow Console |
actions.agentVersions.create dialogflow.* resourcemanager.projects.get |
|
roles/ |
Dialogflow API Reader |
Read access to Dialogflow (API only) resources. Cannot detect intent. Use the roles/viewer primitive role for similar access to both API and Dialogflow console.
|
dialogflow.agents.export dialogflow.agents.get dialogflow.agents.search dialogflow.contexts.get dialogflow.contexts.list dialogflow.documents.get dialogflow.documents.list dialogflow.entityTypes.get dialogflow.entityTypes.list dialogflow.intents.get dialogflow.intents.list dialogflow.knowledgeBases.get dialogflow.knowledgeBases.list dialogflow.operations.* dialogflow.sessionEntityTypes.get dialogflow.sessionEntityTypes.list resourcemanager.projects.get |
Project |
Cloud DLP roles
| Role | Title | Description | Permissions | Lowest resource |
|---|---|---|---|---|
roles/ |
DLP Administrator | Administer DLP including jobs and templates. |
dlp.* serviceusage.services.use |
|
roles/ |
DLP Analyze Risk Templates Editor | Edit DLP analyze risk templates. |
dlp.analyzeRiskTemplates.* |
|
roles/ |
DLP Analyze Risk Templates Reader | Read DLP analyze risk templates. |
dlp.analyzeRiskTemplates.get dlp.analyzeRiskTemplates.list |
|
roles/ |
DLP De-identify Templates Editor | Edit DLP de-identify templates. |
dlp.deidentifyTemplates.* |
|
roles/ |
DLP De-identify Templates Reader | Read DLP de-identify templates. |
dlp.deidentifyTemplates.get dlp.deidentifyTemplates.list |
|
roles/ |
DLP Inspect Templates Editor | Edit DLP inspect templates. |
dlp.inspectTemplates.* |
|
roles/ |
DLP Inspect Templates Reader | Read DLP inspect templates. |
dlp.inspectTemplates.get dlp.inspectTemplates.list |
|
roles/ |
DLP Job Triggers Editor | Edit job triggers configurations. |
dlp.jobTriggers.* |
|
roles/ |
DLP Job Triggers Reader | Read job triggers. |
dlp.jobTriggers.get dlp.jobTriggers.list |
|
roles/ |
DLP Jobs Editor | Edit and create jobs |
dlp.jobs.* dlp.kms.* |
|
roles/ |
DLP Jobs Reader | Read jobs |
dlp.jobs.get dlp.jobs.list |
|
roles/ |
DLP Reader | Read DLP entities, such as jobs and templates. |
dlp.analyzeRiskTemplates.get dlp.analyzeRiskTemplates.list dlp.deidentifyTemplates.get dlp.deidentifyTemplates.list dlp.inspectTemplates.get dlp.inspectTemplates.list dlp.jobTriggers.get dlp.jobTriggers.list dlp.jobs.get dlp.jobs.list dlp.storedInfoTypes.get dlp.storedInfoTypes.list |
|
roles/ |
DLP Stored InfoTypes Editor | Edit DLP stored info types. |
dlp.storedInfoTypes.* |
|
roles/ |
DLP Stored InfoTypes Reader | Read DLP stored info types. |
dlp.storedInfoTypes.get dlp.storedInfoTypes.list |
|
roles/ |
DLP User | Inspect, Redact, and De-identify Content |
dlp.kms.* serviceusage.services.use |
DNS roles
| Role | Title | Description | Permissions | Lowest resource |
|---|---|---|---|---|
roles/ |
DNS Administrator | Provides read-write access to all Cloud DNS resources. |
compute.networks.get compute.networks.list dns.changes.* dns.dnsKeys.* dns.managedZoneOperations.* dns.managedZones.* dns.networks.* dns.policies.create dns.policies.delete dns.policies.get dns.policies.list dns.policies.update dns.projects.* dns.resourceRecordSets.* resourcemanager.projects.get resourcemanager.projects.list |
Project |
roles/ |
DNS Peer | Access to target networks with DNS peering zones |
dns.networks.targetWithPeeringZone |
|
roles/ |
DNS Reader | Provides read-only access to all Cloud DNS resources. |
compute.networks.get dns.changes.get dns.changes.list dns.dnsKeys.* dns.managedZoneOperations.* dns.managedZones.get dns.managedZones.list dns.policies.get dns.policies.list dns.projects.* dns.resourceRecordSets.list resourcemanager.projects.get resourcemanager.projects.list |
Project |
Endpoints roles
| Role | Title | Description | Permissions | Lowest resource |
|---|---|---|---|---|
roles/ |
Endpoints Portal Admin Beta | Provides all permissions needed to add, view, and delete custom domains on the Endpoints > Developer Portal page in the GCP Console. On a portal created for an API, provides the permission to change settings on the Site Wide tab on the Settings page. |
endpoints.* resourcemanager.projects.get resourcemanager.projects.list servicemanagement.services.get |
Project |
Error Reporting roles
| Role | Title | Description | Permissions | Lowest resource |
|---|---|---|---|---|
roles/ |
Error Reporting Admin Beta | Provides full access to Error Reporting data. |
cloudnotifications.* errorreporting.* |
Project |
roles/ |
Error Reporting User Beta | Provides the permissions to read and write Error Reporting data, except for sending new error events. |
cloudnotifications.* errorreporting.applications.* errorreporting.errorEvents.delete errorreporting.errorEvents.list errorreporting.groupMetadata.* errorreporting.groups.* |
Project |
roles/ |
Error Reporting Viewer Beta | Provides read-only access to Error Reporting data. |
cloudnotifications.* errorreporting.applications.* errorreporting.errorEvents.list errorreporting.groupMetadata.get errorreporting.groups.* |
Project |
roles/ |
Errors Writer Beta | Provides the permissions to send error events to Error Reporting. |
errorreporting.errorEvents.create |
Service Account |
Cloud Filestore roles
| Role | Title | Description | Permissions | Lowest resource |
|---|---|---|---|---|
roles/ |
Cloud Filestore Editor Beta | Read-write access to Filestore instances and related resources. |
file.* |
|
roles/ |
Cloud Filestore Viewer Beta | Read-only access to Filestore instances and related resources. |
file.instances.get file.instances.list file.locations.* file.operations.get file.operations.list file.snapshots.get file.snapshots.list |
Firebase roles
| Role | Title | Description | Permissions | Lowest resource |
|---|---|---|---|---|
roles/ |
Firebase Admin | Full access to Firebase products. |
appengine.applications.get automl.* clientauthconfig.brands.get clientauthconfig.brands.list clientauthconfig.brands.update clientauthconfig.clients.create clientauthconfig.clients.delete clientauthconfig.clients.get clientauthconfig.clients.list clientauthconfig.clients.update cloudconfig.* cloudfunctions.* cloudmessaging.* cloudnotifications.* cloudtestservice.* cloudtoolresults.* datastore.* errorreporting.groups.* firebase.* firebaseabt.* firebaseanalytics.* firebaseappdistro.* firebaseauth.* firebasecrash.* firebasecrashlytics.* firebasedatabase.* firebasedynamiclinks.* firebaseextensions.* firebasehosting.* firebaseinappmessaging.* firebaseml.* firebasenotifications.* firebaseperformance.* firebasepredictions.* firebaserules.* logging.logEntries.list monitoring.timeSeries.list resourcemanager.projects.get resourcemanager.projects.getIamPolicy resourcemanager.projects.list runtimeconfig.configs.create runtimeconfig.configs.delete runtimeconfig.configs.get runtimeconfig.configs.list runtimeconfig.configs.update runtimeconfig.operations.* runtimeconfig.variables.create runtimeconfig.variables.delete runtimeconfig.variables.get runtimeconfig.variables.list runtimeconfig.variables.update runtimeconfig.variables.watch runtimeconfig.waiters.create runtimeconfig.waiters.delete runtimeconfig.waiters.get runtimeconfig.waiters.list runtimeconfig.waiters.update serviceusage.apiKeys.get serviceusage.apiKeys.getProjectForKey serviceusage.apiKeys.list serviceusage.operations.get serviceusage.operations.list serviceusage.quotas.get serviceusage.services.get serviceusage.services.list storage.buckets.* storage.objects.* |
|
roles/ |
Firebase Analytics Admin | Full access to Google Analytics for Firebase. |
cloudnotifications.* firebase.billingPlans.get firebase.clients.get firebase.links.list firebase.projects.get firebaseanalytics.* firebaseextensions.configs.list resourcemanager.projects.get resourcemanager.projects.getIamPolicy resourcemanager.projects.list |
|
roles/ |
Firebase Analytics Viewer | Read access to Google Analytics for Firebase. |
cloudnotifications.* firebase.billingPlans.get firebase.clients.get firebase.links.list firebase.projects.get firebaseanalytics.resources.googleAnalyticsReadAndAnalyze firebaseextensions.configs.list resourcemanager.projects.get resourcemanager.projects.getIamPolicy resourcemanager.projects.list |
|
roles/ |
Firebase Develop Admin | Full access to Firebase Develop products and Analytics. |
appengine.applications.get automl.* clientauthconfig.brands.get clientauthconfig.brands.list clientauthconfig.brands.update clientauthconfig.clients.get clientauthconfig.clients.list cloudfunctions.* cloudnotifications.* datastore.* errorreporting.groups.* firebase.billingPlans.get firebase.clients.get firebase.links.list firebase.projects.get firebaseanalytics.* firebaseauth.* firebasedatabase.* firebaseextensions.configs.list firebasehosting.* firebaseml.* firebaserules.* logging.logEntries.list monitoring.timeSeries.list resourcemanager.projects.get resourcemanager.projects.getIamPolicy resourcemanager.projects.list runtimeconfig.configs.create runtimeconfig.configs.delete runtimeconfig.configs.get runtimeconfig.configs.list runtimeconfig.configs.update runtimeconfig.operations.* runtimeconfig.variables.create runtimeconfig.variables.delete runtimeconfig.variables.get runtimeconfig.variables.list runtimeconfig.variables.update runtimeconfig.variables.watch runtimeconfig.waiters.create runtimeconfig.waiters.delete runtimeconfig.waiters.get runtimeconfig.waiters.list runtimeconfig.waiters.update serviceusage.apiKeys.get serviceusage.apiKeys.getProjectForKey serviceusage.apiKeys.list serviceusage.operations.get serviceusage.operations.list serviceusage.quotas.get serviceusage.services.get serviceusage.services.list storage.buckets.* storage.objects.* |
|
roles/ |
Firebase Develop Viewer | Read access to Firebase Develop products and Analytics. |
automl.annotationSpecs.get automl.annotationSpecs.list automl.annotations.list automl.columnSpecs.get automl.columnSpecs.list automl.datasets.get automl.datasets.list automl.examples.get automl.examples.list automl.humanAnnotationTasks.get automl.humanAnnotationTasks.list automl.locations.get automl.locations.list automl.modelEvaluations.get automl.modelEvaluations.list automl.models.get automl.models.list automl.operations.get automl.operations.list automl.tableSpecs.get automl.tableSpecs.list clientauthconfig.brands.get clientauthconfig.brands.list cloudfunctions.functions.get cloudfunctions.functions.list cloudfunctions.locations.* cloudfunctions.operations.* cloudnotifications.* datastore.databases.get datastore.databases.getIamPolicy datastore.databases.list datastore.entities.get datastore.entities.list datastore.indexes.get datastore.indexes.list datastore.namespaces.get datastore.namespaces.getIamPolicy datastore.namespaces.list datastore.statistics.* errorreporting.groups.* firebase.billingPlans.get firebase.clients.get firebase.links.list firebase.projects.get firebaseanalytics.resources.googleAnalyticsReadAndAnalyze firebaseauth.configs.get firebaseauth.users.get firebasedatabase.instances.get firebasedatabase.instances.list firebaseextensions.configs.list firebasehosting.sites.get firebasehosting.sites.list firebaseml.compressionjobs.get firebaseml.compressionjobs.list firebaseml.models.get firebaseml.models.list firebaseml.modelversions.get firebaseml.modelversions.list firebaserules.releases.get firebaserules.releases.list firebaserules.rulesets.get firebaserules.rulesets.list logging.logEntries.list monitoring.timeSeries.list resourcemanager.projects.get resourcemanager.projects.getIamPolicy resourcemanager.projects.list serviceusage.operations.get serviceusage.operations.list serviceusage.quotas.get serviceusage.services.get serviceusage.services.list storage.buckets.get storage.buckets.getIamPolicy storage.buckets.list storage.objects.get storage.objects.getIamPolicy storage.objects.list |
|
roles/ |
Firebase Grow Admin | Full access to Firebase Grow products and Analytics. |
clientauthconfig.clients.get clientauthconfig.clients.list cloudconfig.* cloudmessaging.* cloudnotifications.* firebase.billingPlans.get firebase.clients.get firebase.links.list firebase.projects.get firebaseabt.* firebaseanalytics.* firebasedynamiclinks.* firebaseextensions.configs.list firebaseinappmessaging.* firebasenotifications.* firebasepredictions.* monitoring.timeSeries.list resourcemanager.projects.get resourcemanager.projects.getIamPolicy resourcemanager.projects.list serviceusage.operations.get serviceusage.operations.list serviceusage.quotas.get serviceusage.services.get serviceusage.services.list |
|
roles/ |
Firebase Grow Viewer | Read access to Firebase Grow products and Analytics. |
cloudconfig.configs.get cloudnotifications.* firebase.billingPlans.get firebase.clients.get firebase.links.list firebase.projects.get firebaseabt.experimentresults.* firebaseabt.experiments.get firebaseabt.experiments.list firebaseabt.projectmetadata.* firebaseanalytics.resources.googleAnalyticsReadAndAnalyze firebasedynamiclinks.destinations.list firebasedynamiclinks.domains.get firebasedynamiclinks.domains.list firebasedynamiclinks.links.get firebasedynamiclinks.links.list firebasedynamiclinks.stats.* firebaseextensions.configs.list firebaseinappmessaging.campaigns.get firebaseinappmessaging.campaigns.list firebasenotifications.messages.get firebasenotifications.messages.list firebasepredictions.predictions.list monitoring.timeSeries.list resourcemanager.projects.get resourcemanager.projects.getIamPolicy resourcemanager.projects.list serviceusage.operations.get serviceusage.operations.list serviceusage.quotas.get serviceusage.services.get serviceusage.services.list |
|
roles/ |
Firebase Quality Admin | Full access to Firebase Quality products and Analytics. |
cloudnotifications.* firebase.billingPlans.get firebase.clients.get firebase.links.list firebase.projects.get firebaseanalytics.* firebaseappdistro.* firebasecrash.* firebasecrashlytics.* firebaseextensions.configs.list firebaseperformance.* monitoring.timeSeries.list resourcemanager.projects.get resourcemanager.projects.getIamPolicy resourcemanager.projects.list serviceusage.operations.get serviceusage.operations.list serviceusage.quotas.get serviceusage.services.get serviceusage.services.list |
|
roles/ |
Firebase Quality Viewer | Read access to Firebase Quality products and Analytics. |
cloudnotifications.* firebase.billingPlans.get firebase.clients.get firebase.links.list firebase.projects.get firebaseanalytics.resources.googleAnalyticsReadAndAnalyze firebaseappdistro.groups.list firebaseappdistro.releases.list firebaseappdistro.testers.list firebasecrash.reports.* firebasecrashlytics.config.get firebasecrashlytics.data.* firebasecrashlytics.issues.get firebasecrashlytics.issues.list firebasecrashlytics.sessions.* firebaseextensions.configs.list firebaseperformance.data.* monitoring.timeSeries.list resourcemanager.projects.get resourcemanager.projects.getIamPolicy resourcemanager.projects.list serviceusage.operations.get serviceusage.operations.list serviceusage.quotas.get serviceusage.services.get serviceusage.services.list |
|
roles/ |
Firebase Viewer | Read-only access to Firebase products. |
automl.annotationSpecs.get automl.annotationSpecs.list automl.annotations.list automl.columnSpecs.get automl.columnSpecs.list automl.datasets.get automl.datasets.list automl.examples.get automl.examples.list automl.humanAnnotationTasks.get automl.humanAnnotationTasks.list automl.locations.get automl.locations.list automl.modelEvaluations.get automl.modelEvaluations.list automl.models.get automl.models.list automl.operations.get automl.operations.list automl.tableSpecs.get automl.tableSpecs.list clientauthconfig.brands.get clientauthconfig.brands.list cloudconfig.configs.get cloudfunctions.functions.get cloudfunctions.functions.list cloudfunctions.locations.* cloudfunctions.operations.* cloudnotifications.* cloudtestservice.environmentcatalog.* cloudtestservice.matrices.get cloudtoolresults.executions.get cloudtoolresults.executions.list cloudtoolresults.histories.get cloudtoolresults.histories.list cloudtoolresults.settings.get cloudtoolresults.steps.get cloudtoolresults.steps.list datastore.databases.get datastore.databases.getIamPolicy datastore.databases.list datastore.entities.get datastore.entities.list datastore.indexes.get datastore.indexes.list datastore.namespaces.get datastore.namespaces.getIamPolicy datastore.namespaces.list datastore.statistics.* errorreporting.groups.* firebase.billingPlans.get firebase.clients.get firebase.links.list firebase.projects.get firebaseabt.experimentresults.* firebaseabt.experiments.get firebaseabt.experiments.list firebaseabt.projectmetadata.* firebaseanalytics.resources.googleAnalyticsReadAndAnalyze firebaseappdistro.groups.list firebaseappdistro.releases.list firebaseappdistro.testers.list firebaseauth.configs.get firebaseauth.users.get firebasecrash.reports.* firebasecrashlytics.config.get firebasecrashlytics.data.* firebasecrashlytics.issues.get firebasecrashlytics.issues.list firebasecrashlytics.sessions.* firebasedatabase.instances.get firebasedatabase.instances.list firebasedynamiclinks.destinations.list firebasedynamiclinks.domains.get firebasedynamiclinks.domains.list firebasedynamiclinks.links.get firebasedynamiclinks.links.list firebasedynamiclinks.stats.* firebaseextensions.configs.list firebasehosting.sites.get firebasehosting.sites.list firebaseinappmessaging.campaigns.get firebaseinappmessaging.campaigns.list firebaseml.compressionjobs.get firebaseml.compressionjobs.list firebaseml.models.get firebaseml.models.list firebaseml.modelversions.get firebaseml.modelversions.list firebasenotifications.messages.get firebasenotifications.messages.list firebaseperformance.data.* firebasepredictions.predictions.list firebaserules.releases.get firebaserules.releases.list firebaserules.rulesets.get firebaserules.rulesets.list logging.logEntries.list monitoring.timeSeries.list resourcemanager.projects.get resourcemanager.projects.getIamPolicy resourcemanager.projects.list serviceusage.operations.get serviceusage.operations.list serviceusage.quotas.get serviceusage.services.get serviceusage.services.list storage.buckets.get storage.buckets.getIamPolicy storage.buckets.list storage.objects.get storage.objects.getIamPolicy storage.objects.list |
Firebase Products roles
| Role | Title | Description | Permissions | Lowest resource |
|---|---|---|---|---|
roles/ |
Firebase Remote Config Admin | Full access to Firebase Remote Config resources. |
cloudconfig.* firebase.clients.get firebase.projects.get resourcemanager.projects.get resourcemanager.projects.list |
|
roles/ |
Firebase Remote Config Viewer | Read access to Firebase Remote Config resources. |
cloudconfig.configs.get firebase.clients.get firebase.projects.get resourcemanager.projects.get resourcemanager.projects.list |
|
roles/ |
Firebase Test Lab Admin | Full access to all Test Lab features |
cloudtestservice.* cloudtoolresults.* firebase.billingPlans.get firebase.clients.get firebase.projects.get resourcemanager.projects.get resourcemanager.projects.list storage.buckets.create storage.buckets.get storage.buckets.update storage.objects.create storage.objects.get storage.objects.list |
|
roles/ |
Firebase Test Lab Viewer | Read access to Test Lab features |
cloudtestservice.environmentcatalog.* cloudtestservice.matrices.get cloudtoolresults.executions.get cloudtoolresults.executions.list cloudtoolresults.histories.get cloudtoolresults.histories.list cloudtoolresults.settings.get cloudtoolresults.steps.get cloudtoolresults.steps.list firebase.clients.get firebase.projects.get resourcemanager.projects.get resourcemanager.projects.list storage.objects.get storage.objects.list |
|
roles/ |
Firebase A/B Testing Admin Beta | Full read/write access to Firebase A/B Testing resources. |
firebase.clients.get firebase.projects.get firebaseabt.* resourcemanager.projects.get resourcemanager.projects.list |
|
roles/ |
Firebase A/B Testing Viewer Beta | Read-only access to Firebase A/B Testing resources. |
firebase.clients.get firebase.projects.get firebaseabt.experimentresults.* firebaseabt.experiments.get firebaseabt.experiments.list firebaseabt.projectmetadata.* resourcemanager.projects.get resourcemanager.projects.list |
|
roles/ |
Firebase App Distribution Admin Beta | Full read/write access to Firebase App Distribution resources. |
firebase.clients.get firebase.projects.get firebaseappdistro.* resourcemanager.projects.get resourcemanager.projects.list |
|
roles/ |
Firebase App Distribution Viewer Beta | Read-only access to Firebase App Distribution resources. |
firebase.clients.get firebase.projects.get firebaseappdistro.groups.list firebaseappdistro.releases.list firebaseappdistro.testers.list resourcemanager.projects.get resourcemanager.projects.list |
|
roles/ |
Firebase Authentication Admin | Full read/write access to Firebase Authentication resources. |
firebase.clients.get firebase.projects.get firebaseauth.* resourcemanager.projects.get resourcemanager.projects.list |
|
roles/ |
Firebase Authentication Viewer | Read-only access to Firebase Authentication resources. |
firebase.clients.get firebase.projects.get firebaseauth.configs.get firebaseauth.users.get resourcemanager.projects.get resourcemanager.projects.list |
|
roles/ |
Firebase Crashlytics Admin | Full read/write access to Firebase Crashlytics resources. |
firebase.clients.get firebase.projects.get firebasecrashlytics.* resourcemanager.projects.get resourcemanager.projects.list |
|
roles/ |
Firebase Crashlytics Viewer | Read-only access to Firebase Crashlytics resources. |
firebase.clients.get firebase.projects.get firebasecrashlytics.config.get firebasecrashlytics.data.* firebasecrashlytics.issues.get firebasecrashlytics.issues.list firebasecrashlytics.sessions.* resourcemanager.projects.get resourcemanager.projects.list |
|
roles/ |
Firebase Realtime Database Admin | Full read/write access to Firebase Realtime Database resources. |
firebase.clients.get firebase.projects.get firebasedatabase.* resourcemanager.projects.get resourcemanager.projects.list |
|
roles/ |
Firebase Realtime Database Viewer | Read-only access to Firebase Realtime Database resources. |
firebase.clients.get firebase.projects.get firebasedatabase.instances.get firebasedatabase.instances.list resourcemanager.projects.get resourcemanager.projects.list |
|
roles/ |
Firebase Dynamic Links Admin | Full read/write access to Firebase Dynamic Links resources. |
firebase.clients.get firebase.projects.get firebasedynamiclinks.* resourcemanager.projects.get resourcemanager.projects.list |
|
roles/ |
Firebase Dynamic Links Viewer | Read-only access to Firebase Dynamic Links resources. |
firebase.clients.get firebase.projects.get firebasedynamiclinks.destinations.list firebasedynamiclinks.domains.get firebasedynamiclinks.domains.list firebasedynamiclinks.links.get firebasedynamiclinks.links.list firebasedynamiclinks.stats.* resourcemanager.projects.get resourcemanager.projects.list |
|
roles/ |
Firebase Hosting Admin | Full read/write access to Firebase Hosting resources. |
firebase.clients.get firebase.projects.get firebasehosting.* resourcemanager.projects.get resourcemanager.projects.list |
|
roles/ |
Firebase Hosting Viewer | Read-only access to Firebase Hosting resources. |
firebase.clients.get firebase.projects.get firebasehosting.sites.get firebasehosting.sites.list resourcemanager.projects.get resourcemanager.projects.list |
|
roles/ |
Firebase In-App Messaging Admin Beta | Full read/write access to Firebase In-App Messaging resources. |
firebase.clients.get firebase.projects.get firebaseinappmessaging.* resourcemanager.projects.get resourcemanager.projects.list |
|
roles/ |
Firebase In-App Messaging Viewer Beta | Read-only access to Firebase In-App Messaging resources. |
firebase.clients.get firebase.projects.get firebaseinappmessaging.campaigns.get firebaseinappmessaging.campaigns.list resourcemanager.projects.get resourcemanager.projects.list |
|
roles/ |
Firebase ML Kit Admin Beta | Full read/write access to Firebase ML Kit resources. |
firebase.clients.get firebase.projects.get firebaseml.* resourcemanager.projects.get resourcemanager.projects.list |
|
roles/ |
Firebase ML Kit Viewer Beta | Read-only access to Firebase ML Kit resources. |
firebase.clients.get firebase.projects.get firebaseml.compressionjobs.get firebaseml.compressionjobs.list firebaseml.models.get firebaseml.models.list firebaseml.modelversions.get firebaseml.modelversions.list resourcemanager.projects.get resourcemanager.projects.list |
|
roles/ |
Firebase Cloud Messaging Admin | Full read/write access to Firebase Cloud Messaging resources. |
firebase.clients.get firebase.projects.get firebasenotifications.* resourcemanager.projects.get resourcemanager.projects.list |
|
roles/ |
Firebase Cloud Messaging Viewer | Read-only access to Firebase Cloud Messaging resources. |
firebase.clients.get firebase.projects.get firebasenotifications.messages.get firebasenotifications.messages.list resourcemanager.projects.get resourcemanager.projects.list |
|
roles/ |
Firebase Performance Reporting Admin | Full access to firebaseperformance resources. |
firebase.clients.get firebase.projects.get firebaseperformance.* resourcemanager.projects.get resourcemanager.projects.list |
|
roles/ |
Firebase Performance Reporting Viewer | Read-only access to firebaseperformance resources. |
firebase.clients.get firebase.projects.get firebaseperformance.data.* resourcemanager.projects.get resourcemanager.projects.list |
|
roles/ |
Firebase Predictions Admin | Full read/write access to Firebase Predictions resources. |
firebase.clients.get firebase.projects.get firebasepredictions.* resourcemanager.projects.get resourcemanager.projects.list |
|
roles/ |
Firebase Predictions Viewer | Read-only access to Firebase Predictions resources. |
firebase.clients.get firebase.projects.get firebasepredictions.predictions.list resourcemanager.projects.get resourcemanager.projects.list |
|
roles/ |
Firebase Rules Admin | Full management of Firebase Rules. |
firebaserules.* resourcemanager.projects.get resourcemanager.projects.list |
|
roles/ |
Firebase Rules Viewer | Read-only access on all resources with the ability to test Rulesets. |
firebaserules.releases.get firebaserules.releases.list firebaserules.rulesets.get firebaserules.rulesets.list resourcemanager.projects.get resourcemanager.projects.list |
Cloud Game Services roles
| Role | Title | Description | Permissions | Lowest resource |
|---|---|---|---|---|
roles/ |
Game Services API Admin Alpha | Full access to Game Services API and related resources. |
gameservices.* resourcemanager.projects.get resourcemanager.projects.list |
|
roles/ |
Game Services API Viewer Alpha | Read-only access to Game Services API and related resources. |
gameservices.gameServerClusters.get gameservices.gameServerClusters.list gameservices.gameServerConfigs.get gameservices.gameServerConfigs.list gameservices.gameServerDeployments.get gameservices.gameServerDeployments.list gameservices.locations.* gameservices.operations.get gameservices.operations.list gameservices.realms.get gameservices.realms.list resourcemanager.projects.get resourcemanager.projects.list |
Genomics roles
| Role | Title | Description | Permissions | Lowest resource |
|---|---|---|---|---|
roles/ |
Genomics Admin | Full access to genomics datasets and operations. |
genomics.* |
|
roles/ |
Genomics Editor | Access to read and edit genomics datasets and operations. |
genomics.datasets.create genomics.datasets.delete genomics.datasets.get genomics.datasets.list genomics.datasets.update genomics.operations.* |
|
roles/ |
Genomics Pipelines Runner | Full access to operate on genomics pipelines. |
genomics.operations.* |
|
roles/ |
Genomics Viewer | Access to view genomics datasets and operations. |
genomics.datasets.get genomics.datasets.list genomics.operations.get genomics.operations.list |
GKE Hub roles
| Role | Title | Description | Permissions | Lowest resource |
|---|---|---|---|---|
roles/ |
GKE Hub Admin Beta | Full access to GKE Hubs and related resources. |
gkehub.locations.* gkehub.memberships.* gkehub.operations.* resourcemanager.projects.get resourcemanager.projects.list |
|
roles/ |
GKE Hub Connection Agent Beta | Ability to set up GKE Connect between external clusters and Google. |
gkehub.endpoints.* |
|
roles/ |
GKE Hub Viewer Beta | Read-only access to GKE Hubs and related resources. |
gkehub.locations.* gkehub.memberships.generateConnectManifest gkehub.memberships.get gkehub.memberships.getIamPolicy gkehub.memberships.list gkehub.operations.get gkehub.operations.list resourcemanager.projects.get resourcemanager.projects.list |
Cloud Healthcare roles
| Role | Title | Description | Permissions | Lowest resource |
|---|---|---|---|---|
roles/ |
Healthcare Annotation Editor Beta | Create, delete, update, read and list annotations. |
healthcare.datasets.get healthcare.datasets.list healthcare.operations.get resourcemanager.projects.get resourcemanager.projects.list |
|
roles/ |
Healthcare Annotation Reader Beta | Read and list annotations in an Annotation store. |
healthcare.datasets.get healthcare.datasets.list healthcare.operations.get resourcemanager.projects.get resourcemanager.projects.list |
|
roles/ |
Healthcare Annotation Administrator Beta | Administer Annotation stores. |
healthcare.datasets.get healthcare.datasets.list healthcare.operations.get resourcemanager.projects.get resourcemanager.projects.list |
|
roles/ |
Healthcare Annotation Store Viewer Beta | List Annotation Stores in a dataset. |
healthcare.datasets.get healthcare.datasets.list healthcare.operations.get resourcemanager.projects.get resourcemanager.projects.list |
|
roles/ |
Healthcare Dataset Administrator Beta | Administer Healthcare Datasets. |
healthcare.datasets.* healthcare.operations.* resourcemanager.projects.get resourcemanager.projects.list |
|
roles/ |
Healthcare Dataset Viewer Beta | List the Healthcare Datasets in a project. |
healthcare.datasets.get healthcare.datasets.list healthcare.operations.get resourcemanager.projects.get resourcemanager.projects.list |
|
roles/ |
Healthcare DICOM Editor Beta | Edit DICOM images individually and in bulk. |
healthcare.datasets.get healthcare.datasets.list healthcare.dicomStores.dicomWebDelete healthcare.dicomStores.dicomWebRead healthcare.dicomStores.dicomWebWrite healthcare.dicomStores.export healthcare.dicomStores.get healthcare.dicomStores.import healthcare.dicomStores.list healthcare.operations.cancel healthcare.operations.get resourcemanager.projects.get resourcemanager.projects.list |
|
roles/ |
Healthcare DICOM Store Administrator Beta | Administer DICOM stores. |
healthcare.datasets.get healthcare.datasets.list healthcare.dicomStores.create healthcare.dicomStores.delete healthcare.dicomStores.dicomWebDelete healthcare.dicomStores.get healthcare.dicomStores.getIamPolicy healthcare.dicomStores.list healthcare.dicomStores.setIamPolicy healthcare.dicomStores.update healthcare.operations.cancel healthcare.operations.get resourcemanager.projects.get resourcemanager.projects.list |
|
roles/ |
Healthcare DICOM Store Viewer Beta | List DICOM Stores in a dataset. |
healthcare.datasets.get healthcare.datasets.list healthcare.dicomStores.get healthcare.dicomStores.list healthcare.operations.get resourcemanager.projects.get resourcemanager.projects.list |
|
roles/ |
Healthcare DICOM Viewer Beta | Retrieve DICOM images from a DICOM store. |
healthcare.datasets.get healthcare.datasets.list healthcare.dicomStores.dicomWebRead healthcare.dicomStores.export healthcare.dicomStores.get healthcare.dicomStores.list healthcare.operations.get resourcemanager.projects.get resourcemanager.projects.list |
|
roles/ |
Healthcare FHIR Resource Editor Beta | Create, delete, update, read and search FHIR resources. |
healthcare.datasets.get healthcare.datasets.list healthcare.fhirResources.create healthcare.fhirResources.delete healthcare.fhirResources.get healthcare.fhirResources.patch healthcare.fhirResources.update healthcare.fhirStores.get healthcare.fhirStores.list healthcare.fhirStores.searchResources healthcare.operations.cancel healthcare.operations.get resourcemanager.projects.get resourcemanager.projects.list |
|
roles/ |
Healthcare FHIR Resource Reader Beta | Read and search FHIR resources. |
healthcare.datasets.get healthcare.datasets.list healthcare.fhirResources.get healthcare.fhirStores.get healthcare.fhirStores.list healthcare.fhirStores.searchResources healthcare.operations.get resourcemanager.projects.get resourcemanager.projects.list |
|
roles/ |
Healthcare FHIR Store Administrator Beta | Administer FHIR resource stores. |
healthcare.datasets.get healthcare.datasets.list healthcare.fhirResources.purge healthcare.fhirStores.create healthcare.fhirStores.delete healthcare.fhirStores.export healthcare.fhirStores.get healthcare.fhirStores.getIamPolicy healthcare.fhirStores.import healthcare.fhirStores.list healthcare.fhirStores.setIamPolicy healthcare.fhirStores.update healthcare.operations.cancel healthcare.operations.get resourcemanager.projects.get resourcemanager.projects.list |
|
roles/ |
Healthcare FHIR Store Viewer Beta | List FHIR Stores in a dataset. |
healthcare.datasets.get healthcare.datasets.list healthcare.fhirStores.get healthcare.fhirStores.list healthcare.operations.get resourcemanager.projects.get resourcemanager.projects.list |
|
roles/ |
Healthcare HL7v2 Message Consumer Beta | List and read HL7v2 messages, update message labels, and publish new messages. |
healthcare.datasets.get healthcare.datasets.list healthcare.hl7V2Messages.create healthcare.hl7V2Messages.get healthcare.hl7V2Messages.list healthcare.hl7V2Messages.update healthcare.hl7V2Stores.get healthcare.hl7V2Stores.list healthcare.operations.get resourcemanager.projects.get resourcemanager.projects.list |
|
roles/ |
Healthcare HL7v2 Message Editor Beta | Read, write, and delete access to HL7v2 messages. |
healthcare.datasets.get healthcare.datasets.list healthcare.hl7V2Messages.* healthcare.hl7V2Stores.get healthcare.hl7V2Stores.list healthcare.operations.cancel healthcare.operations.get resourcemanager.projects.get resourcemanager.projects.list |
|
roles/ |
Healthcare HL7v2 Message Ingest Beta | Ingest HL7v2 messages received from a source network. |
healthcare.datasets.get healthcare.datasets.list healthcare.hl7V2Messages.ingest healthcare.hl7V2Stores.get healthcare.hl7V2Stores.list healthcare.operations.get resourcemanager.projects.get resourcemanager.projects.list |
|
roles/ |
Healthcare HL7v2 Store Administrator Beta | Administer HL7v2 Stores. |
healthcare.datasets.get healthcare.datasets.list healthcare.hl7V2Stores.* healthcare.operations.cancel healthcare.operations.get resourcemanager.projects.get resourcemanager.projects.list |
|
roles/ |
Healthcare HL7v2 Store Viewer Beta | View HL7v2 Stores in a dataset. |
healthcare.datasets.get healthcare.datasets.list healthcare.hl7V2Stores.get healthcare.hl7V2Stores.list healthcare.operations.get resourcemanager.projects.get resourcemanager.projects.list |
IAM roles
| Role | Title | Description | Permissions | Lowest resource |
|---|---|---|---|---|
roles/ |
Security Admin | Security admin role, with permissions to get and set any IAM policy. |
accessapproval.requests.list accesscontextmanager.accessLevels.list accesscontextmanager.accessPolicies.getIamPolicy accesscontextmanager.accessPolicies.list accesscontextmanager.accessPolicies.setIamPolicy accesscontextmanager.accessZones.list accesscontextmanager.policies.getIamPolicy accesscontextmanager.policies.list accesscontextmanager.policies.setIamPolicy accesscontextmanager.servicePerimeters.list actions.agentVersions.list apigee.apiproductattributes.list apigee.apiproducts.list apigee.apps.list apigee.deployments.list apigee.developerappattributes.list apigee.developerapps.list apigee.developerattributes.list apigee.developers.list apigee.environments.getIamPolicy apigee.environments.list apigee.environments.setIamPolicy apigee.flowhooks.list apigee.keystorealiases.list apigee.keystores.list apigee.keyvaluemaps.list apigee.organizations.list apigee.proxies.list apigee.proxyrevisions.list apigee.queries.list apigee.references.list apigee.reports.list apigee.resourcefiles.list apigee.sharedflowrevisions.list apigee.sharedflows.list apigee.targetservers.list apigee.tracesessions.list appengine.instances.list appengine.memcache.list appengine.operations.list appengine.services.list appengine.versions.list artifactregistry.files.list artifactregistry.packages.list artifactregistry.repositories.getIamPolicy artifactregistry.repositories.list artifactregistry.repositories.setIamPolicy artifactregistry.tags.list artifactregistry.versions.list automl.annotationSpecs.list automl.annotations.list automl.columnSpecs.list automl.datasets.getIamPolicy automl.datasets.list automl.datasets.setIamPolicy automl.examples.list automl.humanAnnotationTasks.list automl.locations.getIamPolicy automl.locations.list automl.locations.setIamPolicy automl.modelEvaluations.list automl.models.getIamPolicy automl.models.list automl.models.setIamPolicy automl.operations.list automl.tableSpecs.list automlrecommendations.apiKeys.list automlrecommendations.catalogItems.list automlrecommendations.catalogs.list automlrecommendations.events.list automlrecommendations.placements.list automlrecommendations.recommendations.* bigquery.connections.getIamPolicy bigquery.connections.list bigquery.connections.setIamPolicy bigquery.datasets.getIamPolicy bigquery.datasets.setIamPolicy bigquery.jobs.list bigquery.models.list bigquery.routines.list bigquery.savedqueries.list bigquery.tables.list bigtable.appProfiles.list bigtable.clusters.list bigtable.instances.getIamPolicy bigtable.instances.list bigtable.instances.setIamPolicy bigtable.locations.* bigtable.tables.getIamPolicy bigtable.tables.list bigtable.tables.setIamPolicy billing.accounts.getIamPolicy billing.accounts.list billing.accounts.setIamPolicy billing.budgets.list billing.credits.* billing.resourceAssociations.list billing.subscriptions.list binaryauthorization.attestors.getIamPolicy binaryauthorization.attestors.list binaryauthorization.attestors.setIamPolicy binaryauthorization.policy.getIamPolicy binaryauthorization.policy.setIamPolicy clientauthconfig.brands.list clientauthconfig.clients.list cloudasset.feeds.list cloudbuild.builds.list clouddebugger.breakpoints.list clouddebugger.debuggees.list cloudfunctions.functions.getIamPolicy cloudfunctions.functions.list cloudfunctions.functions.setIamPolicy cloudfunctions.locations.* cloudfunctions.operations.list cloudiot.devices.list cloudiot.registries.getIamPolicy cloudiot.registries.list cloudiot.registries.setIamPolicy cloudjobdiscovery.companies.list cloudkms.cryptoKeyVersions.list cloudkms.cryptoKeys.getIamPolicy cloudkms.cryptoKeys.list cloudkms.cryptoKeys.setIamPolicy cloudkms.importJobs.getIamPolicy cloudkms.importJobs.list cloudkms.importJobs.setIamPolicy cloudkms.keyRings.getIamPolicy cloudkms.keyRings.list cloudkms.keyRings.setIamPolicy cloudnotifications.* cloudprivatecatalogproducer.associations.list cloudprivatecatalogproducer.catalogs.getIamPolicy cloudprivatecatalogproducer.catalogs.list cloudprivatecatalogproducer.catalogs.setIamPolicy cloudprofiler.profiles.list cloudscheduler.jobs.list cloudscheduler.locations.list cloudsecurityscanner.crawledurls.* cloudsecurityscanner.results.list cloudsecurityscanner.scanruns.list cloudsecurityscanner.scans.list cloudsql.backupRuns.list cloudsql.databases.list cloudsql.instances.list cloudsql.sslCerts.list cloudsql.users.list cloudsupport.accounts.getIamPolicy cloudsupport.accounts.list cloudsupport.accounts.setIamPolicy cloudtasks.locations.list cloudtasks.queues.getIamPolicy cloudtasks.queues.list cloudtasks.queues.setIamPolicy cloudtasks.tasks.list cloudtoolresults.executions.list cloudtoolresults.histories.list cloudtoolresults.steps.list cloudtrace.insights.list cloudtrace.tasks.list cloudtrace.traces.list cloudtranslate.glossaries.list cloudtranslate.locations.list cloudtranslate.operations.list composer.environments.list composer.imageversions.* composer.operations.list compute.acceleratorTypes.list compute.addresses.list compute.autoscalers.list compute.backendBuckets.list compute.backendServices.list compute.commitments.list compute.diskTypes.list compute.disks.getIamPolicy compute.disks.list compute.disks.setIamPolicy compute.externalVpnGateways.list compute.firewalls.list compute.forwardingRules.list compute.globalAddresses.list compute.globalForwardingRules.list compute.globalOperations.getIamPolicy compute.globalOperations.list compute.globalOperations.setIamPolicy compute.healthChecks.list compute.httpHealthChecks.list compute.httpsHealthChecks.list compute.images.getIamPolicy compute.images.list compute.images.setIamPolicy compute.instanceGroupManagers.list compute.instanceGroups.list compute.instanceTemplates.getIamPolicy compute.instanceTemplates.list compute.instanceTemplates.setIamPolicy compute.instances.getIamPolicy compute.instances.list compute.instances.setIamPolicy compute.interconnectAttachments.list compute.interconnectLocations.list compute.interconnects.list compute.licenseCodes.getIamPolicy compute.licenseCodes.list compute.licenseCodes.setIamPolicy compute.licenses.getIamPolicy compute.licenses.list compute.licenses.setIamPolicy compute.machineTypes.list compute.maintenancePolicies.getIamPolicy compute.maintenancePolicies.list compute.maintenancePolicies.setIamPolicy compute.networkEndpointGroups.getIamPolicy compute.networkEndpointGroups.list compute.networkEndpointGroups.setIamPolicy compute.networks.list compute.nodeGroups.getIamPolicy compute.nodeGroups.list compute.nodeGroups.setIamPolicy compute.nodeTemplates.getIamPolicy compute.nodeTemplates.list compute.nodeTemplates.setIamPolicy compute.nodeTypes.list compute.regionBackendServices.list compute.regionOperations.getIamPolicy compute.regionOperations.list compute.regionOperations.setIamPolicy compute.regions.list compute.reservations.list compute.resourcePolicies.list compute.routers.list compute.routes.list compute.securityPolicies.getIamPolicy compute.securityPolicies.list compute.securityPolicies.setIamPolicy compute.snapshots.getIamPolicy compute.snapshots.list compute.snapshots.setIamPolicy compute.sslCertificates.list compute.sslPolicies.list compute.subnetworks.getIamPolicy compute.subnetworks.list compute.subnetworks.setIamPolicy compute.targetHttpProxies.list compute.targetHttpsProxies.list compute.targetInstances.list compute.targetPools.list compute.targetSslProxies.list compute.targetTcpProxies.list compute.targetVpnGateways.list compute.urlMaps.list compute.vpnGateways.list compute.vpnTunnels.list compute.zoneOperations.getIamPolicy compute.zoneOperations.list compute.zoneOperations.setIamPolicy compute.zones.list container.apiServices.list container.backendConfigs.list container.bindings.list container.certificateSigningRequests.list container.clusterRoleBindings.list container.clusterRoles.list container.clusters.list container.componentStatuses.list container.configMaps.list container.controllerRevisions.list container.cronJobs.list container.csiDrivers.list container.csiNodes.list container.customResourceDefinitions.list container.daemonSets.list container.deployments.list container.endpoints.list container.events.list container.horizontalPodAutoscalers.list container.ingresses.list container.initializerConfigurations.list container.jobs.list container.limitRanges.list container.localSubjectAccessReviews.list container.namespaces.list container.networkPolicies.list container.nodes.list container.operations.list container.persistentVolumeClaims.list container.persistentVolumes.list container.petSets.list container.podDisruptionBudgets.list container.podPresets.list container.podSecurityPolicies.list container.podTemplates.list container.pods.list container.replicaSets.list container.replicationControllers.list container.resourceQuotas.list container.roleBindings.list container.roles.list container.runtimeClasses.list container.scheduledJobs.list container.secrets.list container.selfSubjectAccessReviews.list container.serviceAccounts.list container.services.list container.statefulSets.list container.storageClasses.list container.subjectAccessReviews.list container.thirdPartyObjects.list container.thirdPartyResources.list datacatalog.categories.getIamPolicy datacatalog.categories.setIamPolicy datacatalog.entries.getIamPolicy datacatalog.entries.list datacatalog.entries.setIamPolicy datacatalog.entryGroups.getIamPolicy datacatalog.entryGroups.setIamPolicy datacatalog.tagTemplates.getIamPolicy datacatalog.tagTemplates.setIamPolicy datacatalog.taxonomies.getIamPolicy datacatalog.taxonomies.list datacatalog.taxonomies.setIamPolicy dataflow.jobs.list dataflow.messages.* datafusion.instances.getIamPolicy datafusion.instances.list datafusion.instances.setIamPolicy datafusion.locations.list datafusion.operations.list datalabeling.annotateddatasets.list datalabeling.annotationspecsets.list datalabeling.dataitems.list datalabeling.datasets.list datalabeling.examples.list datalabeling.instructions.list datalabeling.operations.list dataproc.agents.list dataproc.autoscalingPolicies.getIamPolicy dataproc.autoscalingPolicies.list dataproc.autoscalingPolicies.setIamPolicy dataproc.clusters.getIamPolicy dataproc.clusters.list dataproc.clusters.setIamPolicy dataproc.jobs.getIamPolicy dataproc.jobs.list dataproc.jobs.setIamPolicy dataproc.operations.getIamPolicy dataproc.operations.list dataproc.operations.setIamPolicy dataproc.workflowTemplates.getIamPolicy dataproc.workflowTemplates.list dataproc.workflowTemplates.setIamPolicy dataprocessing.featurecontrols.list datastore.databases.getIamPolicy datastore.databases.list datastore.databases.setIamPolicy datastore.entities.list datastore.indexes.list datastore.locations.list datastore.namespaces.getIamPolicy datastore.namespaces.list datastore.namespaces.setIamPolicy datastore.operations.list datastore.statistics.list deploymentmanager.compositeTypes.list deploymentmanager.deployments.getIamPolicy deploymentmanager.deployments.list deploymentmanager.deployments.setIamPolicy deploymentmanager.manifests.list deploymentmanager.operations.list deploymentmanager.resources.list deploymentmanager.typeProviders.list deploymentmanager.types.list dialogflow.contexts.list dialogflow.documents.list dialogflow.entityTypes.list dialogflow.intents.list dialogflow.knowledgeBases.list dialogflow.sessionEntityTypes.list dlp.analyzeRiskTemplates.list dlp.deidentifyTemplates.list dlp.inspectTemplates.list dlp.jobTriggers.list dlp.jobs.list dlp.storedInfoTypes.list dns.changes.list dns.dnsKeys.list dns.managedZoneOperations.list dns.managedZones.list dns.policies.getIamPolicy dns.policies.list dns.policies.setIamPolicy dns.resourceRecordSets.list errorreporting.applications.* errorreporting.errorEvents.list errorreporting.groups.* file.instances.list file.locations.list file.operations.list file.snapshots.list firebase.links.list firebaseabt.experiments.list firebaseappdistro.groups.list firebaseappdistro.releases.list firebaseappdistro.testers.list firebasecrashlytics.issues.list firebasedatabase.instances.list firebasedynamiclinks.destinations.list firebasedynamiclinks.domains.list firebasedynamiclinks.links.list firebaseextensions.configs.list firebasehosting.sites.list firebaseinappmessaging.campaigns.list firebaseml.compressionjobs.list firebaseml.models.list firebaseml.modelversions.list firebasenotifications.messages.list firebasepredictions.predictions.list firebaserules.releases.list firebaserules.rulesets.list gameservices.gameServerClusters.list gameservices.gameServerConfigs.list gameservices.gameServerDeployments.list gameservices.locations.list gameservices.operations.list gameservices.realms.list genomics.datasets.getIamPolicy genomics.datasets.list genomics.datasets.setIamPolicy genomics.operations.list gkehub.locations.list gkehub.memberships.getIamPolicy gkehub.memberships.list gkehub.memberships.setIamPolicy gkehub.operations.list healthcare.datasets.getIamPolicy healthcare.datasets.list healthcare.datasets.setIamPolicy healthcare.dicomStores.getIamPolicy healthcare.dicomStores.list healthcare.dicomStores.setIamPolicy healthcare.fhirStores.getIamPolicy healthcare.fhirStores.list healthcare.fhirStores.setIamPolicy healthcare.hl7V2Messages.list healthcare.hl7V2Stores.getIamPolicy healthcare.hl7V2Stores.list healthcare.hl7V2Stores.setIamPolicy healthcare.operations.list iam.roles.get iam.roles.list iam.serviceAccountKeys.list iam.serviceAccounts.get iam.serviceAccounts.getIamPolicy iam.serviceAccounts.list iam.serviceAccounts.setIamPolicy iap.tunnel.* iap.tunnelInstances.getIamPolicy iap.tunnelInstances.setIamPolicy iap.tunnelZones.* iap.web.getIamPolicy iap.web.setIamPolicy iap.webServiceVersions.getIamPolicy iap.webServiceVersions.setIamPolicy iap.webServices.getIamPolicy iap.webServices.setIamPolicy iap.webTypes.getIamPolicy iap.webTypes.setIamPolicy lifesciences.operations.list logging.exclusions.list logging.logEntries.list logging.logMetrics.list logging.logServiceIndexes.* logging.logServices.* logging.logs.list logging.privateLogEntries.* logging.sinks.list managedidentities.domains.getIamPolicy managedidentities.domains.list managedidentities.domains.setIamPolicy managedidentities.locations.list managedidentities.operations.list ml.jobs.getIamPolicy ml.jobs.list ml.jobs.setIamPolicy ml.locations.list ml.models.getIamPolicy ml.models.list ml.models.setIamPolicy ml.operations.list ml.versions.list monitoring.alertPolicies.list monitoring.dashboards.list monitoring.groups.list monitoring.metricDescriptors.list monitoring.monitoredResourceDescriptors.list monitoring.notificationChannelDescriptors.list monitoring.notificationChannels.list monitoring.publicWidgets.list monitoring.timeSeries.list monitoring.uptimeCheckConfigs.list netappcloudvolumes.activeDirectories.list netappcloudvolumes.ipRanges.* netappcloudvolumes.jobs.list netappcloudvolumes.regions.* netappcloudvolumes.serviceLevels.* netappcloudvolumes.snapshots.list netappcloudvolumes.volumes.list networkmanagement.connectivitytests.getIamPolicy networkmanagement.connectivitytests.list networkmanagement.connectivitytests.setIamPolicy networkmanagement.locations.list networkmanagement.operations.list notebooks.environments.getIamPolicy notebooks.environments.list notebooks.environments.setIamPolicy notebooks.instances.getIamPolicy notebooks.instances.list notebooks.instances.setIamPolicy notebooks.locations.list notebooks.operations.list proximitybeacon.attachments.list proximitybeacon.beacons.getIamPolicy proximitybeacon.beacons.list proximitybeacon.beacons.setIamPolicy proximitybeacon.namespaces.getIamPolicy proximitybeacon.namespaces.list proximitybeacon.namespaces.setIamPolicy pubsub.snapshots.getIamPolicy pubsub.snapshots.list pubsub.snapshots.setIamPolicy pubsub.subscriptions.getIamPolicy pubsub.subscriptions.list pubsub.subscriptions.setIamPolicy pubsub.topics.getIamPolicy pubsub.topics.list pubsub.topics.setIamPolicy recommender.computeInstanceGroupManagerMachineTypeRecommendations.list recommender.computeInstanceMachineTypeRecommendations.list recommender.iamPolicyRecommendations.list recommender.locations.list redis.instances.list redis.locations.list redis.operations.list redisenterprisecloud.databases.list redisenterprisecloud.subscriptions.list remotebuildexecution.instances.list remotebuildexecution.workerpools.list resourcemanager.folders.getIamPolicy resourcemanager.folders.list resourcemanager.folders.setIamPolicy resourcemanager.organizations.getIamPolicy resourcemanager.organizations.setIamPolicy resourcemanager.projects.getIamPolicy resourcemanager.projects.list resourcemanager.projects.setIamPolicy run.configurations.list run.locations.* run.revisions.list run.routes.list run.services.getIamPolicy run.services.list run.services.setIamPolicy runtimeconfig.configs.getIamPolicy runtimeconfig.configs.list runtimeconfig.configs.setIamPolicy runtimeconfig.operations.list runtimeconfig.variables.getIamPolicy runtimeconfig.variables.list runtimeconfig.variables.setIamPolicy runtimeconfig.waiters.getIamPolicy runtimeconfig.waiters.list runtimeconfig.waiters.setIamPolicy secretmanager.locations.list secretmanager.secrets.getIamPolicy secretmanager.secrets.list secretmanager.secrets.setIamPolicy secretmanager.versions.list securitycenter.assets.list securitycenter.findings.list securitycenter.notificationconfig.list securitycenter.sources.getIamPolicy securitycenter.sources.list securitycenter.sources.setIamPolicy servicebroker.bindingoperations.list servicebroker.bindings.getIamPolicy servicebroker.bindings.list servicebroker.bindings.setIamPolicy servicebroker.catalogs.getIamPolicy servicebroker.catalogs.list servicebroker.catalogs.setIamPolicy servicebroker.instanceoperations.list servicebroker.instances.getIamPolicy servicebroker.instances.list servicebroker.instances.setIamPolicy serviceconsumermanagement.tenancyu.list servicemanagement.consumerSettings.getIamPolicy servicemanagement.consumerSettings.list servicemanagement.consumerSettings.setIamPolicy servicemanagement.services.getIamPolicy servicemanagement.services.list servicemanagement.services.setIamPolicy servicenetworking.operations.list serviceusage.apiKeys.list serviceusage.operations.list serviceusage.services.list source.repos.getIamPolicy source.repos.list source.repos.setIamPolicy spanner.databaseOperations.list spanner.databases.getIamPolicy spanner.databases.list spanner.databases.setIamPolicy spanner.instanceConfigs.list spanner.instanceOperations.list spanner.instances.getIamPolicy spanner.instances.list spanner.instances.setIamPolicy spanner.sessions.list storage.buckets.getIamPolicy storage.buckets.list storage.buckets.setIamPolicy storage.hmacKeys.list storage.objects.getIamPolicy storage.objects.list storage.objects.setIamPolicy storagetransfer.jobs.list storagetransfer.operations.list tpu.acceleratortypes.list tpu.locations.list tpu.nodes.list tpu.operations.list tpu.tensorflowversions.list vmmigration.deployments.list vpcaccess.connectors.list vpcaccess.locations.* vpcaccess.operations.list |
|
roles/ |
Security Reviewer | Provides permissions to list all resources and Cloud IAM policies on them. |
accessapproval.requests.list accesscontextmanager.accessLevels.list accesscontextmanager.accessPolicies.getIamPolicy accesscontextmanager.accessPolicies.list accesscontextmanager.accessZones.list accesscontextmanager.policies.getIamPolicy accesscontextmanager.policies.list accesscontextmanager.servicePerimeters.list actions.agentVersions.list apigee.apiproductattributes.list apigee.apiproducts.list apigee.apps.list apigee.deployments.list apigee.developerappattributes.list apigee.developerapps.list apigee.developerattributes.list apigee.developers.list apigee.environments.getIamPolicy apigee.environments.list apigee.flowhooks.list apigee.keystorealiases.list apigee.keystores.list apigee.keyvaluemaps.list apigee.organizations.list apigee.proxies.list apigee.proxyrevisions.list apigee.queries.list apigee.references.list apigee.reports.list apigee.resourcefiles.list apigee.sharedflowrevisions.list apigee.sharedflows.list apigee.targetservers.list apigee.tracesessions.list appengine.instances.list appengine.memcache.list appengine.operations.list appengine.services.list appengine.versions.list artifactregistry.files.list artifactregistry.packages.list artifactregistry.repositories.getIamPolicy artifactregistry.repositories.list artifactregistry.tags.list artifactregistry.versions.list automl.annotationSpecs.list automl.annotations.list automl.columnSpecs.list automl.datasets.getIamPolicy automl.datasets.list automl.examples.list automl.humanAnnotationTasks.list automl.locations.getIamPolicy automl.locations.list automl.modelEvaluations.list automl.models.getIamPolicy automl.models.list automl.operations.list automl.tableSpecs.list automlrecommendations.apiKeys.list automlrecommendations.catalogItems.list automlrecommendations.catalogs.list automlrecommendations.events.list automlrecommendations.placements.list automlrecommendations.recommendations.* bigquery.connections.getIamPolicy bigquery.connections.list bigquery.datasets.getIamPolicy bigquery.jobs.list bigquery.models.list bigquery.routines.list bigquery.savedqueries.list bigquery.tables.list bigtable.appProfiles.list bigtable.clusters.list bigtable.instances.getIamPolicy bigtable.instances.list bigtable.locations.* bigtable.tables.getIamPolicy bigtable.tables.list billing.accounts.getIamPolicy billing.accounts.list billing.budgets.list billing.credits.* billing.resourceAssociations.list billing.subscriptions.list binaryauthorization.attestors.getIamPolicy binaryauthorization.attestors.list binaryauthorization.policy.getIamPolicy clientauthconfig.brands.list clientauthconfig.clients.list cloudasset.feeds.list cloudbuild.builds.list clouddebugger.breakpoints.list clouddebugger.debuggees.list cloudfunctions.functions.getIamPolicy cloudfunctions.functions.list cloudfunctions.locations.* cloudfunctions.operations.list cloudiot.devices.list cloudiot.registries.getIamPolicy cloudiot.registries.list cloudjobdiscovery.companies.list cloudkms.cryptoKeyVersions.list cloudkms.cryptoKeys.getIamPolicy cloudkms.cryptoKeys.list cloudkms.importJobs.getIamPolicy cloudkms.importJobs.list cloudkms.keyRings.getIamPolicy cloudkms.keyRings.list cloudnotifications.* cloudprivatecatalogproducer.associations.list cloudprivatecatalogproducer.catalogs.getIamPolicy cloudprivatecatalogproducer.catalogs.list cloudprofiler.profiles.list cloudscheduler.jobs.list cloudscheduler.locations.list cloudsecurityscanner.crawledurls.* cloudsecurityscanner.results.list cloudsecurityscanner.scanruns.list cloudsecurityscanner.scans.list cloudsql.backupRuns.list cloudsql.databases.list cloudsql.instances.list cloudsql.sslCerts.list cloudsql.users.list cloudsupport.accounts.getIamPolicy cloudsupport.accounts.list cloudtasks.locations.list cloudtasks.queues.getIamPolicy cloudtasks.queues.list cloudtasks.tasks.list cloudtoolresults.executions.list cloudtoolresults.histories.list cloudtoolresults.steps.list cloudtrace.insights.list cloudtrace.tasks.list cloudtrace.traces.list cloudtranslate.glossaries.list cloudtranslate.locations.list cloudtranslate.operations.list composer.environments.list composer.imageversions.* composer.operations.list compute.acceleratorTypes.list compute.addresses.list compute.autoscalers.list compute.backendBuckets.list compute.backendServices.list compute.commitments.list compute.diskTypes.list compute.disks.getIamPolicy compute.disks.list compute.externalVpnGateways.list compute.firewalls.list compute.forwardingRules.list compute.globalAddresses.list compute.globalForwardingRules.list compute.globalOperations.getIamPolicy compute.globalOperations.list compute.healthChecks.list compute.httpHealthChecks.list compute.httpsHealthChecks.list compute.images.getIamPolicy compute.images.list compute.instanceGroupManagers.list compute.instanceGroups.list compute.instanceTemplates.getIamPolicy compute.instanceTemplates.list compute.instances.getIamPolicy compute.instances.list compute.interconnectAttachments.list compute.interconnectLocations.list compute.interconnects.list compute.licenseCodes.getIamPolicy compute.licenseCodes.list compute.licenses.getIamPolicy compute.licenses.list compute.machineTypes.list compute.maintenancePolicies.getIamPolicy compute.maintenancePolicies.list compute.networkEndpointGroups.getIamPolicy compute.networkEndpointGroups.list compute.networks.list compute.nodeGroups.getIamPolicy compute.nodeGroups.list compute.nodeTemplates.getIamPolicy compute.nodeTemplates.list compute.nodeTypes.list compute.regionBackendServices.list compute.regionOperations.getIamPolicy compute.regionOperations.list compute.regions.list compute.reservations.list compute.resourcePolicies.list compute.routers.list compute.routes.list compute.securityPolicies.getIamPolicy compute.securityPolicies.list compute.snapshots.getIamPolicy compute.snapshots.list compute.sslCertificates.list compute.sslPolicies.list compute.subnetworks.getIamPolicy compute.subnetworks.list compute.targetHttpProxies.list compute.targetHttpsProxies.list compute.targetInstances.list compute.targetPools.list compute.targetSslProxies.list compute.targetTcpProxies.list compute.targetVpnGateways.list compute.urlMaps.list compute.vpnGateways.list compute.vpnTunnels.list compute.zoneOperations.getIamPolicy compute.zoneOperations.list compute.zones.list container.apiServices.list container.backendConfigs.list container.bindings.list container.certificateSigningRequests.list container.clusterRoleBindings.list container.clusterRoles.list container.clusters.list container.componentStatuses.list container.configMaps.list container.controllerRevisions.list container.cronJobs.list container.csiDrivers.list container.csiNodes.list container.customResourceDefinitions.list container.daemonSets.list container.deployments.list container.endpoints.list container.events.list container.horizontalPodAutoscalers.list container.ingresses.list container.initializerConfigurations.list container.jobs.list container.limitRanges.list container.localSubjectAccessReviews.list container.namespaces.list container.networkPolicies.list container.nodes.list container.operations.list container.persistentVolumeClaims.list container.persistentVolumes.list container.petSets.list container.podDisruptionBudgets.list container.podPresets.list container.podSecurityPolicies.list container.podTemplates.list container.pods.list container.replicaSets.list container.replicationControllers.list container.resourceQuotas.list container.roleBindings.list container.roles.list container.runtimeClasses.list container.scheduledJobs.list container.secrets.list container.selfSubjectAccessReviews.list container.serviceAccounts.list container.services.list container.statefulSets.list container.storageClasses.list container.subjectAccessReviews.list container.thirdPartyObjects.list container.thirdPartyResources.list datacatalog.categories.getIamPolicy datacatalog.entries.getIamPolicy datacatalog.entries.list datacatalog.entryGroups.getIamPolicy datacatalog.tagTemplates.getIamPolicy datacatalog.taxonomies.getIamPolicy datacatalog.taxonomies.list dataflow.jobs.list dataflow.messages.* datafusion.instances.getIamPolicy datafusion.instances.list datafusion.locations.list datafusion.operations.list datalabeling.annotateddatasets.list datalabeling.annotationspecsets.list datalabeling.dataitems.list datalabeling.datasets.list datalabeling.examples.list datalabeling.instructions.list datalabeling.operations.list dataproc.agents.list dataproc.autoscalingPolicies.getIamPolicy dataproc.autoscalingPolicies.list dataproc.clusters.getIamPolicy dataproc.clusters.list dataproc.jobs.getIamPolicy dataproc.jobs.list dataproc.operations.getIamPolicy dataproc.operations.list dataproc.workflowTemplates.getIamPolicy dataproc.workflowTemplates.list dataprocessing.featurecontrols.list datastore.databases.getIamPolicy datastore.databases.list datastore.entities.list datastore.indexes.list datastore.locations.list datastore.namespaces.getIamPolicy datastore.namespaces.list datastore.operations.list datastore.statistics.list deploymentmanager.compositeTypes.list deploymentmanager.deployments.getIamPolicy deploymentmanager.deployments.list deploymentmanager.manifests.list deploymentmanager.operations.list deploymentmanager.resources.list deploymentmanager.typeProviders.list deploymentmanager.types.list dialogflow.contexts.list dialogflow.documents.list dialogflow.entityTypes.list dialogflow.intents.list dialogflow.knowledgeBases.list dialogflow.sessionEntityTypes.list dlp.analyzeRiskTemplates.list dlp.deidentifyTemplates.list dlp.inspectTemplates.list dlp.jobTriggers.list dlp.jobs.list dlp.storedInfoTypes.list dns.changes.list dns.dnsKeys.list dns.managedZoneOperations.list dns.managedZones.list dns.policies.getIamPolicy dns.policies.list dns.resourceRecordSets.list errorreporting.applications.* errorreporting.errorEvents.list errorreporting.groups.* file.instances.list file.locations.list file.operations.list file.snapshots.list firebase.links.list firebaseabt.experiments.list firebaseappdistro.groups.list firebaseappdistro.releases.list firebaseappdistro.testers.list firebasecrashlytics.issues.list firebasedatabase.instances.list firebasedynamiclinks.destinations.list firebasedynamiclinks.domains.list firebasedynamiclinks.links.list firebaseextensions.configs.list firebasehosting.sites.list firebaseinappmessaging.campaigns.list firebaseml.compressionjobs.list firebaseml.models.list firebaseml.modelversions.list firebasenotifications.messages.list firebasepredictions.predictions.list firebaserules.releases.list firebaserules.rulesets.list gameservices.gameServerClusters.list gameservices.gameServerConfigs.list gameservices.gameServerDeployments.list gameservices.locations.list gameservices.operations.list gameservices.realms.list genomics.datasets.getIamPolicy genomics.datasets.list genomics.operations.list gkehub.locations.list gkehub.memberships.getIamPolicy gkehub.memberships.list gkehub.operations.list healthcare.datasets.getIamPolicy healthcare.datasets.list healthcare.dicomStores.getIamPolicy healthcare.dicomStores.list healthcare.fhirStores.getIamPolicy healthcare.fhirStores.list healthcare.hl7V2Messages.list healthcare.hl7V2Stores.getIamPolicy healthcare.hl7V2Stores.list healthcare.operations.list iam.roles.get iam.roles.list iam.serviceAccountKeys.list iam.serviceAccounts.get iam.serviceAccounts.getIamPolicy iam.serviceAccounts.list iap.tunnel.getIamPolicy iap.tunnelInstances.getIamPolicy iap.tunnelZones.getIamPolicy iap.web.getIamPolicy iap.webServiceVersions.getIamPolicy iap.webServices.getIamPolicy iap.webTypes.getIamPolicy lifesciences.operations.list logging.exclusions.list logging.logEntries.list logging.logMetrics.list logging.logServiceIndexes.* logging.logServices.* logging.logs.list logging.privateLogEntries.* logging.sinks.list managedidentities.domains.getIamPolicy managedidentities.domains.list managedidentities.locations.list managedidentities.operations.list ml.jobs.getIamPolicy ml.jobs.list ml.locations.list ml.models.getIamPolicy ml.models.list ml.operations.list ml.versions.list monitoring.alertPolicies.list monitoring.dashboards.list monitoring.groups.list monitoring.metricDescriptors.list monitoring.monitoredResourceDescriptors.list monitoring.notificationChannelDescriptors.list monitoring.notificationChannels.list monitoring.publicWidgets.list monitoring.timeSeries.list monitoring.uptimeCheckConfigs.list netappcloudvolumes.activeDirectories.list netappcloudvolumes.ipRanges.* netappcloudvolumes.jobs.list netappcloudvolumes.regions.* netappcloudvolumes.serviceLevels.* netappcloudvolumes.snapshots.list netappcloudvolumes.volumes.list networkmanagement.connectivitytests.getIamPolicy networkmanagement.connectivitytests.list networkmanagement.locations.list networkmanagement.operations.list notebooks.environments.getIamPolicy notebooks.environments.list notebooks.instances.getIamPolicy notebooks.instances.list notebooks.locations.list notebooks.operations.list proximitybeacon.attachments.list proximitybeacon.beacons.getIamPolicy proximitybeacon.beacons.list proximitybeacon.namespaces.getIamPolicy proximitybeacon.namespaces.list pubsub.snapshots.getIamPolicy pubsub.snapshots.list pubsub.subscriptions.getIamPolicy pubsub.subscriptions.list pubsub.topics.getIamPolicy pubsub.topics.list recommender.computeInstanceGroupManagerMachineTypeRecommendations.list recommender.computeInstanceMachineTypeRecommendations.list recommender.iamPolicyRecommendations.list recommender.locations.list redis.instances.list redis.locations.list redis.operations.list redisenterprisecloud.databases.list redisenterprisecloud.subscriptions.list remotebuildexecution.instances.list remotebuildexecution.workerpools.list resourcemanager.folders.getIamPolicy resourcemanager.folders.list resourcemanager.organizations.getIamPolicy resourcemanager.projects.getIamPolicy resourcemanager.projects.list run.configurations.list run.locations.* run.revisions.list run.routes.list run.services.getIamPolicy run.services.list runtimeconfig.configs.getIamPolicy runtimeconfig.configs.list runtimeconfig.operations.list runtimeconfig.variables.getIamPolicy runtimeconfig.variables.list runtimeconfig.waiters.getIamPolicy runtimeconfig.waiters.list secretmanager.locations.list secretmanager.secrets.getIamPolicy secretmanager.secrets.list secretmanager.versions.list securitycenter.assets.list securitycenter.findings.list securitycenter.notificationconfig.list securitycenter.sources.getIamPolicy securitycenter.sources.list servicebroker.bindingoperations.list servicebroker.bindings.getIamPolicy servicebroker.bindings.list servicebroker.catalogs.getIamPolicy servicebroker.catalogs.list servicebroker.instanceoperations.list servicebroker.instances.getIamPolicy servicebroker.instances.list serviceconsumermanagement.tenancyu.list servicemanagement.consumerSettings.getIamPolicy servicemanagement.consumerSettings.list servicemanagement.services.getIamPolicy servicemanagement.services.list servicenetworking.operations.list serviceusage.apiKeys.list serviceusage.operations.list serviceusage.services.list source.repos.getIamPolicy source.repos.list spanner.databaseOperations.list spanner.databases.getIamPolicy spanner.databases.list spanner.instanceConfigs.list spanner.instanceOperations.list spanner.instances.getIamPolicy spanner.instances.list spanner.sessions.list storage.buckets.getIamPolicy storage.buckets.list storage.hmacKeys.list storage.objects.getIamPolicy storage.objects.list storagetransfer.jobs.list storagetransfer.operations.list tpu.acceleratortypes.list tpu.locations.list tpu.nodes.list tpu.operations.list tpu.tensorflowversions.list vmmigration.deployments.list vpcaccess.connectors.list vpcaccess.locations.* vpcaccess.operations.list |
Disk, image, instance, instanceTemplate, nodeGroup, nodeTemplate, snapshot Beta |
Roles roles
| Role | Title | Description | Permissions | Lowest resource |
|---|---|---|---|---|
roles/ |
Organization Role Administrator | Provides access to administer all custom roles in the organization and the projects below it. |
iam.roles.* resourcemanager.organizations.get resourcemanager.organizations.getIamPolicy resourcemanager.projects.get resourcemanager.projects.getIamPolicy resourcemanager.projects.list |
Organization |
roles/ |
Organization Role Viewer | Provides read access to all custom roles in the organization and the projects below it. |
iam.roles.get iam.roles.list resourcemanager.organizations.get resourcemanager.organizations.getIamPolicy resourcemanager.projects.get resourcemanager.projects.getIamPolicy resourcemanager.projects.list |
Project |
roles/ |
Role Administrator | Provides access to all custom roles in the project. |
iam.roles.* resourcemanager.projects.get resourcemanager.projects.getIamPolicy |
Project |
roles/ |
Role Viewer | Provides read access to all custom roles in the project. |
iam.roles.get iam.roles.list resourcemanager.projects.get resourcemanager.projects.getIamPolicy |
Project |
Service Accounts roles
| Role | Title | Description | Permissions | Lowest resource |
|---|---|---|---|---|
roles/ |
Service Account Admin | Create and manage service accounts. |
iam.serviceAccounts.create iam.serviceAccounts.delete iam.serviceAccounts.get iam.serviceAccounts.getIamPolicy iam.serviceAccounts.list iam.serviceAccounts.setIamPolicy iam.serviceAccounts.update resourcemanager.projects.get resourcemanager.projects.list |
Service Account |
roles/ |
Create Service Accounts | Access to create service accounts. |
iam.serviceAccounts.create iam.serviceAccounts.get iam.serviceAccounts.list resourcemanager.projects.get resourcemanager.projects.list |
|
roles/ |
Delete Service Accounts | Access to delete service accounts. |
iam.serviceAccounts.delete iam.serviceAccounts.get iam.serviceAccounts.list resourcemanager.projects.get resourcemanager.projects.list |
|
roles/ |
Service Account Key Admin | Create and manage (and rotate) service account keys. |
iam.serviceAccountKeys.* iam.serviceAccounts.get iam.serviceAccounts.list resourcemanager.projects.get resourcemanager.projects.list |
Service Account |
roles/ |
Service Account Token Creator | Impersonate service accounts (create OAuth2 access tokens, sign blobs or JWTs, etc). |
iam.serviceAccounts.get iam.serviceAccounts.getAccessToken iam.serviceAccounts.getOpenIdToken iam.serviceAccounts.implicitDelegation iam.serviceAccounts.list iam.serviceAccounts.signBlob iam.serviceAccounts.signJwt resourcemanager.projects.get resourcemanager.projects.list |
Service Account |
roles/ |
Service Account User | Run operations as the service account. |
iam.serviceAccounts.actAs iam.serviceAccounts.get iam.serviceAccounts.list resourcemanager.projects.get resourcemanager.projects.list |
Service Account |
roles/ |
Workload Identity User | Impersonate service accounts from GKE Workloads |
iam.serviceAccounts.get iam.serviceAccounts.getAccessToken iam.serviceAccounts.getOpenIdToken iam.serviceAccounts.list |
Cloud Life Sciences roles
| Role | Title | Description | Permissions | Lowest resource |
|---|---|---|---|---|
roles/ |
Cloud Life Sciences Admin Beta | Full control of Cloud Life Sciences resources. |
lifesciences.* |
|
roles/ |
Cloud Life Sciences Editor Beta | Access to read and edit Cloud Life Sciences resources. |
lifesciences.* |
|
roles/ |
Cloud Life Sciences Viewer Beta | Access to read Cloud Life Sciences resources. |
lifesciences.operations.get lifesciences.operations.list |
|
roles/ |
Cloud Life Sciences Workflows Runner Beta | Full access to operate on Cloud Life Sciences workflows. |
lifesciences.* |
Logging roles
| Role | Title | Description | Permissions | Lowest resource |
|---|---|---|---|---|
roles/ |
Logging Admin | Provides all permissions necessary to use all features of Stackdriver Logging. |
logging.* resourcemanager.projects.get resourcemanager.projects.list |
Project |
roles/ |
Logs Configuration Writer | Provides permissions to read and write the configurations of logs-based metrics and sinks for exporting logs. |
logging.cmekSettings.* logging.exclusions.* logging.logMetrics.* logging.logServiceIndexes.* logging.logServices.* logging.logs.list logging.sinks.* resourcemanager.projects.get resourcemanager.projects.list |
Project |
roles/ |
Logs Writer | Provides the permissions to write log entries. |
logging.logEntries.create |
Project |
roles/ |
Private Logs Viewer | Provides permissions of the Logs Viewer role and in addition, provides read-only access to log entries in private logs. |
logging.exclusions.get logging.exclusions.list logging.logEntries.list logging.logMetrics.get logging.logMetrics.list logging.logServiceIndexes.* logging.logServices.* logging.logs.list logging.privateLogEntries.* logging.sinks.get logging.sinks.list logging.usage.* resourcemanager.projects.get |
Project |
roles/ |
Logs Viewer | Provides access to view logs. |
logging.exclusions.get logging.exclusions.list logging.logEntries.list logging.logMetrics.get logging.logMetrics.list logging.logServiceIndexes.* logging.logServices.* logging.logs.list logging.sinks.get logging.sinks.list logging.usage.* resourcemanager.projects.get |
Project |
Cloud Managed Identities roles
| Role | Title | Description | Permissions | Lowest resource |
|---|---|---|---|---|
roles/ |
Google Cloud Managed Identities Admin | Full access to Google Cloud Managed Identities Domains and related resources. Intended to be granted on a project-level. |
managedidentities.* resourcemanager.projects.get resourcemanager.projects.list |
|
roles/ |
Google Cloud Managed Identities Domain Admin | Read-Update-Delete to Google Cloud Managed Identities Domains and related resources. Intended to be granted on a resource (domain) level. |
managedidentities.domains.attachTrust managedidentities.domains.delete managedidentities.domains.detachTrust managedidentities.domains.get managedidentities.domains.getIamPolicy managedidentities.domains.reconfigureTrust managedidentities.domains.resetpassword managedidentities.domains.update managedidentities.domains.validateTrust managedidentities.locations.* managedidentities.operations.get managedidentities.operations.list resourcemanager.projects.get resourcemanager.projects.list |
|
roles/ |
Google Cloud Managed Identities Viewer | Read-only access to Google Cloud Managed Identities Domains and related resources. |
managedidentities.domains.get managedidentities.domains.getIamPolicy managedidentities.domains.list managedidentities.locations.* managedidentities.operations.get managedidentities.operations.list resourcemanager.projects.get resourcemanager.projects.list |
Machine Learning Engine roles
| Role | Title | Description | Permissions | Lowest resource |
|---|---|---|---|---|
roles/ |
ML Engine Admin | Provides full access to AI Platform resources, and its jobs, operations, models, and versions. |
ml.* resourcemanager.projects.get |
Project |
roles/ |
ML Engine Developer | Provides ability to use AI Platform resources for creating models, versions, jobs for training and prediction, and sending online prediction requests. |
ml.jobs.create ml.jobs.get ml.jobs.getIamPolicy ml.jobs.list ml.locations.* ml.models.create ml.models.get ml.models.getIamPolicy ml.models.list ml.models.predict ml.operations.get ml.operations.list ml.projects.* ml.versions.get ml.versions.list ml.versions.predict resourcemanager.projects.get |
Project |
roles/ |
ML Engine Job Owner | Provides full access to all permissions for a particular job resource. This role is automatically granted to the user who creates the job. |
ml.jobs.* |
Job |
roles/ |
ML Engine Model Owner | Provides full access to the model and its versions. This role is automatically granted to the user who creates the model. |
ml.models.* ml.versions.* |
Model |
roles/ |
ML Engine Model User | Provides permissions to read the model and its versions, and use them for prediction. |
ml.models.get ml.models.predict ml.versions.get ml.versions.list ml.versions.predict |
Model |
roles/ |
ML Engine Operation Owner | Provides full access to all permissions for a particular operation resource. |
ml.operations.* |
Operation |
roles/ |
ML Engine Viewer | Provides read-only access to AI Platform resources. |
ml.jobs.get ml.jobs.list ml.locations.* ml.models.get ml.models.list ml.operations.get ml.operations.list ml.projects.* ml.versions.get ml.versions.list resourcemanager.projects.get |
Project |
Monitoring roles
| Role | Title | Description | Permissions | Lowest resource |
|---|---|---|---|---|
roles/ |
Monitoring Admin |
Provides the same access as roles/monitoring.editor.
|
cloudnotifications.* monitoring.* opsconfigmonitoring.* resourcemanager.projects.get resourcemanager.projects.list serviceusage.services.enable stackdriver.* |
Project |
roles/ |
Monitoring AlertPolicy Editor Beta | Read/write access to alerting policies. |
monitoring.alertPolicies.* |
|
roles/ |
Monitoring AlertPolicy Viewer Beta | Read-only access to alerting policies. |
monitoring.alertPolicies.get monitoring.alertPolicies.list |
|
roles/ |
Monitoring Dashboard Configuration Editor Beta | Read/write access to dashboard configurations. |
monitoring.dashboards.* |
|
roles/ |
Monitoring Dashboard Configuration Viewer Beta | Read-only access to dashboard configurations. |
monitoring.dashboards.get monitoring.dashboards.list |
|
roles/ |
Monitoring Editor | Provides full access to information about all monitoring data and configurations. |
cloudnotifications.* monitoring.alertPolicies.* monitoring.dashboards.* monitoring.groups.* monitoring.metricDescriptors.* monitoring.monitoredResourceDescriptors.* monitoring.notificationChannelDescriptors.* monitoring.notificationChannels.create monitoring.notificationChannels.delete monitoring.notificationChannels.get monitoring.notificationChannels.list monitoring.notificationChannels.sendVerificationCode monitoring.notificationChannels.update monitoring.notificationChannels.verify monitoring.publicWidgets.* monitoring.timeSeries.* monitoring.uptimeCheckConfigs.* opsconfigmonitoring.* resourcemanager.projects.get resourcemanager.projects.list serviceusage.services.enable stackdriver.* |
Project |
roles/ |
Monitoring Metric Writer | Provides write-only access to metrics. This provides exactly the permissions needed by the Stackdriver agent and other systems that send metrics. |
monitoring.metricDescriptors.create monitoring.metricDescriptors.get monitoring.metricDescriptors.list monitoring.monitoredResourceDescriptors.* monitoring.timeSeries.create |
Project |
roles/ |
Monitoring NotificationChannel Editor Beta | Read/write access to notification channels. |
monitoring.notificationChannelDescriptors.* monitoring.notificationChannels.create monitoring.notificationChannels.delete monitoring.notificationChannels.get monitoring.notificationChannels.list monitoring.notificationChannels.sendVerificationCode monitoring.notificationChannels.update monitoring.notificationChannels.verify |
|
roles/ |
Monitoring NotificationChannel Viewer Beta | Read-only access to notification channels. |
monitoring.notificationChannelDescriptors.* monitoring.notificationChannels.get monitoring.notificationChannels.list |
|
roles/ |
Monitoring Uptime Check Configuration Editor Beta | Read/write access to uptime check configurations. |
monitoring.uptimeCheckConfigs.* |
|
roles/ |
Monitoring Uptime Check Configuration Viewer Beta | Read-only access to uptime check configurations. |
monitoring.uptimeCheckConfigs.get monitoring.uptimeCheckConfigs.list |
|
roles/ |
Monitoring Viewer | Provides read-only access to get and list information about all monitoring data and configurations. |
cloudnotifications.* monitoring.alertPolicies.get monitoring.alertPolicies.list monitoring.dashboards.get monitoring.dashboards.list monitoring.groups.get monitoring.groups.list monitoring.metricDescriptors.get monitoring.metricDescriptors.list monitoring.monitoredResourceDescriptors.* monitoring.notificationChannelDescriptors.* monitoring.notificationChannels.get monitoring.notificationChannels.list monitoring.publicWidgets.get monitoring.publicWidgets.list monitoring.timeSeries.list monitoring.uptimeCheckConfigs.get monitoring.uptimeCheckConfigs.list resourcemanager.projects.get resourcemanager.projects.list stackdriver.projects.get |
Project |
Network Management roles
| Role | Title | Description | Permissions | Lowest resource |
|---|---|---|---|---|
roles/ |
Network Management Admin Beta | Full access to Cloud Network Management resources. |
networkmanagement.* resourcemanager.projects.get resourcemanager.projects.list |
|
roles/ |
Network Management Viewer Beta | Read-only access to Cloud Network Management resources. |
networkmanagement.connectivitytests.get networkmanagement.connectivitytests.getIamPolicy networkmanagement.connectivitytests.list networkmanagement.locations.* networkmanagement.operations.* resourcemanager.projects.get resourcemanager.projects.list |
AI Notebooks roles
| Role | Title | Description | Permissions | Lowest resource |
|---|---|---|---|---|
roles/ |
Notebooks Admin Beta | Full access to Notebooks, all resources. |
notebooks.* resourcemanager.projects.get resourcemanager.projects.list |
Instance |
roles/ |
Notebooks Viewer Beta | Read-only access to Notebooks, all resources. |
notebooks.environments.get notebooks.environments.getIamPolicy notebooks.environments.list notebooks.instances.get notebooks.instances.getIamPolicy notebooks.instances.list notebooks.locations.* notebooks.operations.get notebooks.operations.list resourcemanager.projects.get resourcemanager.projects.list |
Instance |
Ops Config Monitoring roles
| Role | Title | Description | Permissions | Lowest resource |
|---|---|---|---|---|
roles/ |
Ops Config Monitoring Resource Metadata Writer Alpha | Write-only access to resource metadata. This provides exactly the permissions needed by the Ops Config Monitoring metadata agent and other systems that send metadata. |
opsconfigmonitoring.* |
Organization Policy roles
| Role | Title | Description | Permissions | Lowest resource |
|---|---|---|---|---|
roles/ |
Access Transparency Admin | Enable Access Transparency for Organization |
axt.* resourcemanager.organizations.get resourcemanager.projects.get resourcemanager.projects.list |
|
roles/ |
Organization Policy Administrator | Provides access to define what restrictions an organization wants to place on the configuration of cloud resources by setting Organization Policies. |
orgpolicy.* |
Organization |
roles/ |
Organization Policy Viewer | Provides access to view Organization Policies on resources. |
orgpolicy.policy.get |
Organization |
Other roles
| Role | Title | Description | Permissions | Lowest resource |
|---|---|---|---|---|
roles/ |
Data Processing Controls Resource Admin Beta | Data processing controls admin who can fully manage data processing controls settings and view all datasource data. |
dataprocessing.* |
|
roles/ |
Data Processing IAM Access History Exporter Beta | Data Processing exporter who can export IAM access history using bigquery. |
dataprocessing.iamaccesshistory.* |
|
roles/ |
Firebase Crash Symbol Uploader | Full read/write access to symbol mapping file resources for Firebase Crash Reporting. |
firebase.clients.get resourcemanager.projects.get |
|
roles/ |
Identity Toolkit Admin | Full access to Identity Toolkit resources. |
firebaseauth.* |
|
roles/ |
Identity Toolkit Viewer | Read access to Identity Toolkit resources. |
firebaseauth.configs.get firebaseauth.users.get |
|
roles/ |
Firebase Crash Symbol Uploader (Deprecated) | Full read/write access to symbol mapping file resources for Firebase Crash Reporting.Deprecated in favor of firebasecrash.symbolMappingsAdmin |
firebase.clients.get resourcemanager.projects.get |
|
roles/ |
Remote Build Execution Action Cache Writer Beta | Remote Build Execution Action Cache Writer |
remotebuildexecution.actions.set remotebuildexecution.blobs.create |
|
roles/ |
Remote Build Execution Artifact Admin Beta | Remote Build Execution Artifact Admin |
remotebuildexecution.actions.create remotebuildexecution.actions.delete remotebuildexecution.actions.get remotebuildexecution.blobs.* remotebuildexecution.logstreams.* |
|
roles/ |
Remote Build Execution Artifact Creator Beta | Remote Build Execution Artifact Creator |
remotebuildexecution.actions.create remotebuildexecution.actions.get remotebuildexecution.blobs.* remotebuildexecution.logstreams.* |
|
roles/ |
Remote Build Execution Artifact Viewer Beta | Remote Build Execution Artifact Viewer |
remotebuildexecution.actions.get remotebuildexecution.blobs.get remotebuildexecution.logstreams.get |
|
roles/ |
Remote Build Execution Configuration Admin Beta | Remote Build Execution Configuration Admin |
remotebuildexecution.instances.* remotebuildexecution.workerpools.* |
|
roles/ |
Remote Build Execution Configuration Viewer Beta | Remote Build Execution Configuration Viewer |
remotebuildexecution.instances.get remotebuildexecution.instances.list remotebuildexecution.workerpools.get remotebuildexecution.workerpools.list |
|
roles/ |
Remote Build Execution Logstream Writer Beta | Remote Build Execution Logstream Writer |
remotebuildexecution.logstreams.create remotebuildexecution.logstreams.update |
|
roles/ |
Remote Build Execution Reservation Admin Beta | Remote Build Execution Reservation Admin |
remotebuildexecution.actions.create remotebuildexecution.actions.delete remotebuildexecution.actions.get |
|
roles/ |
Remote Build Execution Worker Beta | Remote Build Execution Worker |
remotebuildexecution.actions.update remotebuildexecution.blobs.* remotebuildexecution.botsessions.* remotebuildexecution.logstreams.create remotebuildexecution.logstreams.update |
|
roles/ |
Organization Creator | Access to create and list organizations. |
|
|
roles/ |
Cloud RuntimeConfig Admin | Full access to RuntimeConfig resources. |
runtimeconfig.* |
|
roles/ |
Subscribe with Google Developer Beta | Access DevTools for Subscribe with Google |
resourcemanager.projects.get resourcemanager.projects.list subscribewithgoogledeveloper.* |
Third-party Partner roles
| Role | Title | Description | Permissions | Lowest resource |
|---|---|---|---|---|
roles/ |
NetApp Cloud Volumes Admin Beta | This role is managed by NetApp, not Google. |
netappcloudvolumes.* resourcemanager.projects.get resourcemanager.projects.list |
|
roles/ |
NetApp Cloud Volumes Viewer Beta | This role is managed by NetApp, not Google. |
netappcloudvolumes.activeDirectories.get netappcloudvolumes.activeDirectories.list netappcloudvolumes.ipRanges.* netappcloudvolumes.jobs.* netappcloudvolumes.regions.* netappcloudvolumes.serviceLevels.* netappcloudvolumes.snapshots.get netappcloudvolumes.snapshots.list netappcloudvolumes.volumes.get netappcloudvolumes.volumes.list resourcemanager.projects.get resourcemanager.projects.list |
|
roles/ |
Redis Enterprise Cloud Admin Beta | This role is managed by Redis Labs, not Google. |
redisenterprisecloud.* resourcemanager.projects.get resourcemanager.projects.list |
|
roles/ |
Redis Enterprise Cloud Viewer Beta | This role is managed by Redis Labs, not Google. |
redisenterprisecloud.databases.get redisenterprisecloud.databases.list redisenterprisecloud.subscriptions.get redisenterprisecloud.subscriptions.list resourcemanager.projects.get resourcemanager.projects.list |
Project roles
| Role | Title | Description | Permissions | Lowest resource |
|---|---|---|---|---|
roles/ |
Browser | Read access to browse the hierarchy for a project, including the folder, organization, and Cloud IAM policy. This role doesn't include permission to view resources in the project. |
resourcemanager.folders.get resourcemanager.folders.list resourcemanager.organizations.get resourcemanager.projects.get resourcemanager.projects.getIamPolicy resourcemanager.projects.list |
Project |
Proximity Beacon roles
| Role | Title | Description | Permissions | Lowest resource |
|---|---|---|---|---|
roles/ |
Beacon Attachment Editor | Can create and delete attachments; can list and get a project's beacons; can list a project's namespaces. |
proximitybeacon.attachments.* proximitybeacon.beacons.get proximitybeacon.beacons.list proximitybeacon.namespaces.list resourcemanager.projects.get resourcemanager.projects.list |
|
roles/ |
Beacon Attachment Publisher | Grants necessary permissions to use beacons to create attachments in namespaces not owned by this project. |
proximitybeacon.beacons.attach proximitybeacon.beacons.get proximitybeacon.beacons.list resourcemanager.projects.get resourcemanager.projects.list |
|
roles/ |
Beacon Attachment Viewer | Can view all attachments under a namespace; no beacon or namespace permissions. |
proximitybeacon.attachments.get proximitybeacon.attachments.list resourcemanager.projects.get resourcemanager.projects.list |
|
roles/ |
Beacon Editor | Necessary access to register, modify, and view beacons; no attachment or namespace permissions. |
proximitybeacon.beacons.create proximitybeacon.beacons.get proximitybeacon.beacons.list proximitybeacon.beacons.update resourcemanager.projects.get resourcemanager.projects.list |
Pub/Sub roles
| Role | Title | Description | Permissions | Lowest resource |
|---|---|---|---|---|
roles/ |
Pub/Sub Admin | Provides full access to topics and subscriptions. |
pubsub.* resourcemanager.projects.get serviceusage.quotas.get serviceusage.services.get serviceusage.services.list |
Topic |
roles/ |
Pub/Sub Editor | Provides access to modify topics and subscriptions, and access to publish and consume messages. |
pubsub.snapshots.create pubsub.snapshots.delete pubsub.snapshots.get pubsub.snapshots.list pubsub.snapshots.seek pubsub.snapshots.update pubsub.subscriptions.consume pubsub.subscriptions.create pubsub.subscriptions.delete pubsub.subscriptions.get pubsub.subscriptions.list pubsub.subscriptions.update pubsub.topics.attachSubscription pubsub.topics.create pubsub.topics.delete pubsub.topics.get pubsub.topics.list pubsub.topics.publish pubsub.topics.update pubsub.topics.updateTag resourcemanager.projects.get serviceusage.quotas.get serviceusage.services.get serviceusage.services.list |
Topic |
roles/ |
Pub/Sub Publisher | Provides access to publish messages to a topic. |
pubsub.topics.publish |
Topic |
roles/ |
Pub/Sub Subscriber | Provides access to consume messages from a subscription and to attach subscriptions to a topic. |
pubsub.snapshots.seek pubsub.subscriptions.consume pubsub.topics.attachSubscription |
Topic |
roles/ |
Pub/Sub Viewer | Provides access to view topics and subscriptions. |
pubsub.snapshots.get pubsub.snapshots.list pubsub.subscriptions.get pubsub.subscriptions.list pubsub.topics.get pubsub.topics.list resourcemanager.projects.get serviceusage.quotas.get serviceusage.services.get serviceusage.services.list |
Topic |
Recommendations AI roles
| Role | Title | Description | Permissions | Lowest resource |
|---|---|---|---|---|
roles/ |
Recommendations AI Admin Beta | Full access to all Recommendations AI resources. |
automlrecommendations.* resourcemanager.projects.get resourcemanager.projects.list serviceusage.services.get serviceusage.services.list |
|
roles/ |
Recommendations AI Admin Viewer Beta | Viewer of all Recommendations AI resources. |
automlrecommendations.apiKeys.list automlrecommendations.catalogItems.get automlrecommendations.catalogItems.list automlrecommendations.catalogs.* automlrecommendations.eventStores.* automlrecommendations.events.list automlrecommendations.placements.* automlrecommendations.recommendations.* resourcemanager.projects.get resourcemanager.projects.list serviceusage.services.get serviceusage.services.list |
|
roles/ |
Recommendations AI Editor Beta | Editor of all Recommendations AI resources. |
automlrecommendations.apiKeys.create automlrecommendations.apiKeys.list automlrecommendations.catalogItems.* automlrecommendations.catalogs.* automlrecommendations.eventStores.* automlrecommendations.events.create automlrecommendations.events.list automlrecommendations.placements.* automlrecommendations.recommendations.* resourcemanager.projects.get resourcemanager.projects.list serviceusage.services.get serviceusage.services.list |
|
roles/ |
Recommendations AI Viewer Beta | Viewer of all Recommendations AI resources. |
automlrecommendations.catalogItems.get automlrecommendations.catalogItems.list automlrecommendations.catalogs.* automlrecommendations.eventStores.* automlrecommendations.events.list automlrecommendations.placements.* automlrecommendations.recommendations.* resourcemanager.projects.get resourcemanager.projects.list serviceusage.services.get serviceusage.services.list |
Recommender roles
| Role | Title | Description | Permissions | Lowest resource |
|---|---|---|---|---|
roles/ |
Compute Recommender Admin | Admin of Compute recommendations. |
recommender.computeInstanceGroupManagerMachineTypeRecommendations.* recommender.computeInstanceMachineTypeRecommendations.* recommender.locations.* resourcemanager.projects.get resourcemanager.projects.list |
|
roles/ |
Compute Recommender Viewer | Viewer of Compute recommendations. |
recommender.computeInstanceGroupManagerMachineTypeRecommendations.get recommender.computeInstanceGroupManagerMachineTypeRecommendations.list recommender.computeInstanceMachineTypeRecommendations.get recommender.computeInstanceMachineTypeRecommendations.list recommender.locations.* resourcemanager.projects.get resourcemanager.projects.list |
|
roles/ |
IAM Recommender Admin | Admin of IAM policy recommendations. |
recommender.iamPolicyRecommendations.* recommender.locations.* resourcemanager.projects.get resourcemanager.projects.list |
|
roles/ |
IAM Recommender Viewer | Reviewer of IAM policy recommendations. |
recommender.iamPolicyRecommendations.get recommender.iamPolicyRecommendations.list recommender.locations.* resourcemanager.projects.get resourcemanager.projects.list |
Memorystore Redis roles
| Role | Title | Description | Permissions | Lowest resource |
|---|---|---|---|---|
roles/ |
Cloud Memorystore Redis Admin Beta | Full control for all Memorystore resources. |
compute.networks.list redis.* resourcemanager.projects.get resourcemanager.projects.list serviceusage.services.use |
Instance |
roles/ |
Cloud Memorystore Redis Editor Beta | Manage Memorystore instances. Can't create or delete instances. |
compute.networks.list redis.instances.get redis.instances.list redis.instances.update redis.locations.* redis.operations.* resourcemanager.projects.get resourcemanager.projects.list serviceusage.services.use |
Instance |
roles/ |
Cloud Memorystore Redis Viewer Beta | Read-only access to all Memorystore resources. |
redis.instances.get redis.instances.list redis.locations.* redis.operations.get redis.operations.list resourcemanager.projects.get resourcemanager.projects.list serviceusage.services.use |
Instance |
Resource Manager roles
| Role | Title | Description | Permissions | Lowest resource |
|---|---|---|---|---|
roles/ |
Folder Admin | Provides all available permissions for working with folders. |
orgpolicy.policy.get resourcemanager.folders.* resourcemanager.projects.get resourcemanager.projects.getIamPolicy resourcemanager.projects.list resourcemanager.projects.move resourcemanager.projects.setIamPolicy |
Folder |
roles/ |
Folder Creator | Provides permissions needed to browse the hierarchy and create folders. |
orgpolicy.policy.get resourcemanager.folders.create resourcemanager.folders.get resourcemanager.folders.list resourcemanager.projects.get resourcemanager.projects.list |
Folder |
roles/ |
Folder Editor | Provides permission to modify folders as well as to view a folder's Cloud IAM policy. |
orgpolicy.policy.get resourcemanager.folders.delete resourcemanager.folders.get resourcemanager.folders.getIamPolicy resourcemanager.folders.list resourcemanager.folders.undelete resourcemanager.folders.update resourcemanager.projects.get resourcemanager.projects.list |
Folder |
roles/ |
Folder IAM Admin | Provides permissions to administer Cloud IAM policies on folders. |
resourcemanager.folders.get resourcemanager.folders.getIamPolicy resourcemanager.folders.setIamPolicy |
Folder |
roles/ |
Folder Mover | Provides permission to move projects and folders into and out of a parent Organization or folder. |
resourcemanager.folders.move resourcemanager.projects.move |
Folder |
roles/ |
Folder Viewer | Provides permission to get a folder and list the folders and projects below a resource. |
orgpolicy.policy.get resourcemanager.folders.get resourcemanager.folders.list resourcemanager.projects.get resourcemanager.projects.list |
Folder |
roles/ |
Project Lien Modifier | Provides access to modify Liens on projects. |
resourcemanager.projects.updateLiens |
Project |
roles/ |
Organization Administrator | Access to administer all resources belonging to the organization. |
orgpolicy.policy.get resourcemanager.folders.get resourcemanager.folders.getIamPolicy resourcemanager.folders.list resourcemanager.folders.setIamPolicy resourcemanager.organizations.* resourcemanager.projects.get resourcemanager.projects.getIamPolicy resourcemanager.projects.list resourcemanager.projects.setIamPolicy |
|
roles/ |
Organization Viewer | Provides access to view an organization. |
resourcemanager.organizations.get |
Organization |
roles/ |
Project Creator | Provides access to create new projects. Once a user creates a project, they're automatically granted the owner role for that project. |
resourcemanager.organizations.get resourcemanager.projects.create |
Folder |
roles/ |
Project Deleter | Provides access to delete GCP projects. |
resourcemanager.projects.delete |
Folder |
roles/ |
Project IAM Admin | Provides permissions to administer Cloud IAM policies on projects. |
resourcemanager.projects.get resourcemanager.projects.getIamPolicy resourcemanager.projects.setIamPolicy |
Project |
roles/ |
Project Mover | Provides access to update and move projects. |
resourcemanager.projects.get resourcemanager.projects.move resourcemanager.projects.update |
Project |
Cloud Run roles
| Role | Title | Description | Permissions | Lowest resource |
|---|---|---|---|---|
roles/ |
Cloud Run Admin Beta | Full control over all Cloud Run resources. |
resourcemanager.projects.get resourcemanager.projects.list run.* |
Cloud Run service |
roles/ |
Cloud Run Invoker Beta | Can invoke a Cloud Run service. |
run.routes.invoke |
Cloud Run service |
roles/ |
Cloud Run Viewer Beta | Can view the state of all Cloud Run resources, including IAM policies. |
resourcemanager.projects.get resourcemanager.projects.list run.configurations.* run.locations.* run.revisions.get run.revisions.list run.routes.get run.routes.list run.services.get run.services.getIamPolicy run.services.list |
Cloud Run service |
Secret Manager roles
| Role | Title | Description | Permissions | Lowest resource |
|---|---|---|---|---|
roles/ |
Secret Manager Admin Beta | Full access to administrate Cloud Secrets resources. |
resourcemanager.projects.get resourcemanager.projects.list secretmanager.* |
Secret |
roles/ |
Secret Manager Secret Accessor Beta | Allows accessing the payload of secrets. |
secretmanager.versions.access |
Secret |
roles/ |
Secret Manager Viewer Beta | Allows viewing metadata of all Cloud Secrets resources |
resourcemanager.projects.get resourcemanager.projects.list secretmanager.locations.* secretmanager.secrets.get secretmanager.secrets.getIamPolicy secretmanager.secrets.list secretmanager.versions.get secretmanager.versions.list |
Secret |
Security Center roles
| Role | Title | Description | Permissions | Lowest resource |
|---|---|---|---|---|
roles/ |
Security Center Admin | Admin(super user) access to security center |
resourcemanager.organizations.get securitycenter.* |
Organization |
roles/ |
Security Center Admin Editor | Admin Read-write access to security center |
resourcemanager.organizations.get securitycenter.assets.* securitycenter.assetsecuritymarks.* securitycenter.findings.* securitycenter.findingsecuritymarks.* securitycenter.notificationconfig.* securitycenter.sources.get securitycenter.sources.list securitycenter.sources.update |
Organization |
roles/ |
Security Center Admin Viewer | Admin Read access to security center |
resourcemanager.organizations.get securitycenter.assets.group securitycenter.assets.list securitycenter.assets.listAssetPropertyNames securitycenter.findings.group securitycenter.findings.list securitycenter.findings.listFindingPropertyNames securitycenter.notificationconfig.get securitycenter.notificationconfig.list securitycenter.sources.get securitycenter.sources.list |
Organization |
roles/ |
Security Center Asset Security Marks Writer | Write access to asset security marks |
securitycenter.assetsecuritymarks.* |
Organization |
roles/ |
Security Center Assets Discovery Runner | Run asset discovery access to assets |
securitycenter.assets.runDiscovery |
Organization |
roles/ |
Security Center Assets Viewer | Read access to assets |
resourcemanager.organizations.get securitycenter.assets.group securitycenter.assets.list securitycenter.assets.listAssetPropertyNames |
Organization |
roles/ |
Security Center Finding Security Marks Writer | Write access to finding security marks |
securitycenter.findingsecuritymarks.* |
Organization |
roles/ |
Security Center Findings Editor | Read-write access to findings |
resourcemanager.organizations.get securitycenter.findings.* securitycenter.sources.get securitycenter.sources.list |
Organization |
roles/ |
Security Center Findings State Setter | Set state access to findings |
securitycenter.findings.setState |
Organization |
roles/ |
Security Center Findings Viewer | Read access to findings |
resourcemanager.organizations.get securitycenter.findings.group securitycenter.findings.list securitycenter.findings.listFindingPropertyNames securitycenter.sources.get securitycenter.sources.list |
Organization |
roles/ |
Security Center Notification Configurations Editor | Write access to notification configurations |
securitycenter.notificationconfig.* |
|
roles/ |
Security Center Notification Configurations Viewer | Read access to notification configurations |
securitycenter.notificationconfig.get securitycenter.notificationconfig.list |
|
roles/ |
Security Center Sources Admin | Admin access to sources |
resourcemanager.organizations.get securitycenter.sources.* |
Organization |
roles/ |
Security Center Sources Editor | Read-write access to sources |
resourcemanager.organizations.get securitycenter.sources.get securitycenter.sources.list securitycenter.sources.update |
Organization |
roles/ |
Security Center Sources Viewer | Read access to sources |
resourcemanager.organizations.get securitycenter.sources.get securitycenter.sources.list |
Organization |
Service Consumer Management roles
| Role | Title | Description | Permissions | Lowest resource |
|---|---|---|---|---|
roles/ |
Admin of Tenancy Units Beta | Administrate tenancy units |
serviceconsumermanagement.tenancyu.* |
|
roles/ |
Viewer of Tenancy Units Beta | View tenancy units |
serviceconsumermanagement.tenancyu.list |
Service Management roles
| Role | Title | Description | Permissions | Lowest resource |
|---|---|---|---|---|
roles/ |
Cloud Asset Service Agent Alpha | Gives Cloud Asset service agent permissions to Cloud Storage and BigQuery for exporting Assets, and permission to publish to Cloud Pub/Sub topics for Asset Real Time Feed. |
bigquery.datasets.get bigquery.jobs.create bigquery.jobs.get bigquery.tables.create bigquery.tables.delete bigquery.tables.get bigquery.tables.updateData pubsub.topics.publish storage.buckets.create storage.buckets.get storage.buckets.getIamPolicy storage.objects.create storage.objects.delete storage.objects.get |
|
roles/ |
Cloud Build Service Agent Alpha | Gives Cloud Build service account access to managed resources. |
cloudbuild.* compute.firewalls.get compute.firewalls.list compute.networks.get compute.subnetworks.get logging.logEntries.create pubsub.topics.create pubsub.topics.publish remotebuildexecution.blobs.get resourcemanager.projects.get resourcemanager.projects.list source.repos.get source.repos.list storage.buckets.create storage.buckets.get storage.buckets.list storage.objects.create storage.objects.delete storage.objects.get storage.objects.list storage.objects.update |
|
roles/ |
Cloud Functions Service Agent Alpha | Gives Cloud Functions service account access to managed resources. |
clientauthconfig.clients.list cloudfunctions.functions.invoke firebasedatabase.instances.get firebasedatabase.instances.update iam.serviceAccounts.getAccessToken iam.serviceAccounts.getOpenIdToken iam.serviceAccounts.signBlob pubsub.subscriptions.* pubsub.topics.attachSubscription pubsub.topics.create pubsub.topics.get resourcemanager.projects.get resourcemanager.projects.getIamPolicy serviceusage.quotas.get serviceusage.services.disable serviceusage.services.enable storage.buckets.get storage.buckets.update |
|
roles/ |
Cloud Scheduler Service Agent Alpha | Grants Cloud Scheduler Service Account access to manage resources. |
iam.serviceAccounts.getAccessToken iam.serviceAccounts.getOpenIdToken logging.logEntries.create pubsub.topics.publish |
|
roles/ |
Cloud Tasks Service Agent Alpha | Grants Cloud Tasks Service Account access to manage resources. |
iam.serviceAccounts.getAccessToken iam.serviceAccounts.getOpenIdToken logging.logEntries.create |
|
roles/ |
Cloud Data Fusion API Service Agent Alpha | Gives Cloud Data Fusion service account access to Service Networking, Dataproc, Cloud Storage, BigQuery, Spanner, and Bigtable resources. |
bigquery.datasets.* bigquery.jobs.create bigquery.models.* bigquery.routines.* bigquery.tables.* bigtable.* compute.addresses.get compute.addresses.list compute.autoscalers.get compute.autoscalers.list compute.backendBuckets.get compute.backendBuckets.list compute.backendServices.get compute.backendServices.list compute.firewalls.get compute.firewalls.list compute.forwardingRules.get compute.forwardingRules.list compute.globalAddresses.get compute.globalAddresses.list compute.globalForwardingRules.get compute.globalForwardingRules.list compute.globalOperations.get compute.healthChecks.get compute.healthChecks.list compute.httpHealthChecks.get compute.httpHealthChecks.list compute.httpsHealthChecks.get compute.httpsHealthChecks.list compute.instanceGroupManagers.get compute.instanceGroupManagers.list compute.instanceGroups.get compute.instanceGroups.list compute.instances.get compute.instances.getGuestAttributes compute.instances.getSerialPortOutput compute.instances.list compute.instances.listReferrers compute.interconnectAttachments.get compute.interconnectAttachments.list compute.interconnectLocations.* compute.interconnects.get compute.interconnects.list compute.machineTypes.* compute.networks.addPeering compute.networks.get compute.networks.list compute.networks.listPeeringRoutes compute.networks.removePeering compute.networks.update compute.projects.get compute.regionBackendServices.get compute.regionBackendServices.list compute.regions.* compute.routers.get compute.routers.list compute.routes.get compute.routes.list compute.sslCertificates.get compute.sslCertificates.list compute.sslPolicies.get compute.sslPolicies.list compute.sslPolicies.listAvailableFeatures compute.subnetworks.get compute.subnetworks.list compute.targetHttpProxies.get compute.targetHttpProxies.list compute.targetHttpsProxies.get compute.targetHttpsProxies.list compute.targetInstances.get compute.targetInstances.list compute.targetPools.get compute.targetPools.list compute.targetSslProxies.get compute.targetSslProxies.list compute.targetTcpProxies.get compute.targetTcpProxies.list compute.targetVpnGateways.get compute.targetVpnGateways.list compute.urlMaps.get compute.urlMaps.list compute.vpnGateways.get compute.vpnGateways.list compute.vpnTunnels.get compute.vpnTunnels.list compute.zones.* dataproc.autoscalingPolicies.create dataproc.autoscalingPolicies.delete dataproc.autoscalingPolicies.get dataproc.autoscalingPolicies.list dataproc.autoscalingPolicies.update dataproc.autoscalingPolicies.use dataproc.clusters.create dataproc.clusters.delete dataproc.clusters.get dataproc.clusters.list dataproc.clusters.update dataproc.clusters.use dataproc.jobs.cancel dataproc.jobs.create dataproc.jobs.delete dataproc.jobs.get dataproc.jobs.list dataproc.jobs.update dataproc.operations.delete dataproc.operations.get dataproc.operations.list dataproc.workflowTemplates.create dataproc.workflowTemplates.delete dataproc.workflowTemplates.get dataproc.workflowTemplates.instantiate dataproc.workflowTemplates.instantiateInline dataproc.workflowTemplates.list dataproc.workflowTemplates.update firebase.projects.get monitoring.metricDescriptors.get monitoring.metricDescriptors.list monitoring.timeSeries.list resourcemanager.projects.get resourcemanager.projects.list servicenetworking.services.get serviceusage.quotas.get serviceusage.services.get serviceusage.services.list spanner.databaseOperations.* spanner.databases.beginOrRollbackReadWriteTransaction spanner.databases.beginReadOnlyTransaction spanner.databases.getDdl spanner.databases.list spanner.databases.read spanner.databases.select spanner.databases.updateDdl spanner.databases.write spanner.instanceConfigs.* spanner.instances.get spanner.instances.list spanner.sessions.* storage.buckets.* storage.objects.* |
|
roles/ |
Dataproc Service Agent Alpha | Gives Dataproc Service Account access to service accounts, compute resources, and storage resources. Includes access to service accounts. |
compute.acceleratorTypes.* compute.addresses.get compute.addresses.list compute.addresses.use compute.autoscalers.* compute.diskTypes.* compute.disks.create compute.disks.createSnapshot compute.disks.delete compute.disks.get compute.disks.list compute.disks.resize compute.disks.setLabels compute.disks.update compute.disks.use compute.disks.useReadOnly compute.firewalls.get compute.firewalls.list compute.globalAddresses.get compute.globalAddresses.list compute.globalAddresses.use compute.globalOperations.get compute.globalOperations.list compute.images.get compute.images.getFromFamily compute.images.list compute.images.useReadOnly compute.instanceGroupManagers.* compute.instanceGroups.* compute.instanceTemplates.* compute.instances.* compute.licenses.get compute.licenses.list compute.machineTypes.* compute.networkEndpointGroups.* compute.networks.get compute.networks.list compute.networks.use compute.networks.useExternalIp compute.projects.get compute.regionOperations.get compute.regionOperations.list compute.regions.* compute.reservations.get compute.reservations.list compute.subnetworks.get compute.subnetworks.list compute.subnetworks.use compute.subnetworks.useExternalIp compute.targetPools.get compute.targetPools.list compute.zoneOperations.get compute.zoneOperations.list compute.zones.* dataproc.autoscalingPolicies.get dataproc.autoscalingPolicies.list dataproc.autoscalingPolicies.use dataproc.clusters.* dataproc.jobs.* firebase.projects.get iam.serviceAccounts.actAs resourcemanager.projects.get resourcemanager.projects.list serviceusage.quotas.get serviceusage.services.get serviceusage.services.list storage.buckets.* storage.objects.* |
|
roles/ |
Cloud Run Service Agent Alpha | Gives Cloud Run service account access to managed resources. |
clientauthconfig.clients.list cloudbuild.builds.create cloudbuild.builds.get iam.serviceAccounts.actAs iam.serviceAccounts.getAccessToken iam.serviceAccounts.getOpenIdToken iam.serviceAccounts.signBlob resourcemanager.projects.get resourcemanager.projects.getIamPolicy resourcemanager.projects.list run.routes.invoke storage.objects.get storage.objects.list |
|
roles/ |
Service Management Administrator | Full control of Google Service Management resources. |
monitoring.timeSeries.list resourcemanager.folders.get resourcemanager.folders.list resourcemanager.organizations.get resourcemanager.projects.get resourcemanager.projects.list serviceconsumermanagement.* servicemanagement.services.* serviceusage.quotas.get serviceusage.services.get |
|
roles/ |
Service Config Editor | Access to update the service config and create rollouts. |
servicemanagement.services.get servicemanagement.services.update |
|
roles/ |
Quota Administrator Beta | Provides access to administer service quotas. |
monitoring.timeSeries.list resourcemanager.organizations.get resourcemanager.projects.get resourcemanager.projects.list servicemanagement.consumerSettings.* serviceusage.quotas.* serviceusage.services.disable serviceusage.services.enable serviceusage.services.get serviceusage.services.list |
Project |
roles/ |
Quota Viewer Beta | Provides access to view service quotas. |
monitoring.timeSeries.list servicemanagement.consumerSettings.get servicemanagement.consumerSettings.getIamPolicy servicemanagement.consumerSettings.list serviceusage.quotas.get serviceusage.services.get serviceusage.services.list |
Project |
roles/ |
Service Consumer | Can enable the service. |
servicemanagement.services.bind |
|
roles/ |
Service Controller | Runtime control of checking and reporting usage of a service. |
servicemanagement.services.check servicemanagement.services.get servicemanagement.services.quota servicemanagement.services.report |
Project |
Service Networking roles
| Role | Title | Description | Permissions | Lowest resource |
|---|---|---|---|---|
roles/ |
Service Networking Admin Beta | Full control of service networking with projects. |
servicenetworking.* |
Service Usage roles
| Role | Title | Description | Permissions | Lowest resource |
|---|---|---|---|---|
roles/ |
API Keys Admin Beta | Ability to create, delete, update, get and list API keys for a project. |
serviceusage.apiKeys.* serviceusage.operations.get |
|
roles/ |
API Keys Viewer Beta | Ability to get and list API keys for a project. |
serviceusage.apiKeys.get serviceusage.apiKeys.getProjectForKey serviceusage.apiKeys.list |
|
roles/ |
Service Usage Admin Beta | Ability to enable, disable, and inspect service states, inspect operations, and consume quota and billing for a consumer project. |
monitoring.timeSeries.list serviceusage.operations.* serviceusage.quotas.* serviceusage.services.* |
|
roles/ |
Service Usage Consumer Beta | Ability to inspect service states and operations, and consume quota and billing for a consumer project. |
monitoring.timeSeries.list serviceusage.operations.get serviceusage.operations.list serviceusage.quotas.get serviceusage.services.get serviceusage.services.list serviceusage.services.use |
|
roles/ |
Service Usage Viewer Beta | Ability to inspect service states and operations for a consumer project. |
monitoring.timeSeries.list serviceusage.operations.get serviceusage.operations.list serviceusage.quotas.get serviceusage.services.get serviceusage.services.list |
Source roles
| Role | Title | Description | Permissions | Lowest resource |
|---|---|---|---|---|
roles/ |
Source Repository Administrator | Provides permissions to create, update, delete, list, clone, fetch, and browse repositories. Also provides permissions to read and change IAM policies. |
source.* |
Repository |
roles/ |
Source Repository Reader | Provides permissions to list, clone, fetch, and browse repositories. |
source.repos.get source.repos.list |
Repository |
roles/ |
Source Repository Writer | Provides permissions to list, clone, fetch, browse, and update repositories. |
source.repos.get source.repos.list source.repos.update |
Repository |
Cloud Spanner roles
| Role | Title | Description | Permissions | Lowest resource |
|---|---|---|---|---|
roles/ |
Cloud Spanner Admin | Permission to grant and revoke permissions to other principals, allocate and delete chargeable resources, issue get/list/modify operations on resources, read from and write to databases, and fetch project metadata. |
monitoring.timeSeries.list resourcemanager.projects.get resourcemanager.projects.list spanner.* |
Project |
roles/ |
Cloud Spanner Database Admin | Permission to get/list all Spanner resources in a project, create/list/drop databases, grant/revoke access to project databases, and read from and write to all Spanner databases in the project. |
monitoring.timeSeries.list resourcemanager.projects.get resourcemanager.projects.list spanner.databaseOperations.* spanner.databases.* spanner.instances.get spanner.instances.getIamPolicy spanner.instances.list spanner.sessions.* |
Project |
roles/ |
Cloud Spanner Database Reader | Permission to read from the Spanner database, execute SQL queries on the database, and view the schema. |
spanner.databases.beginReadOnlyTransaction spanner.databases.getDdl spanner.databases.read spanner.databases.select spanner.instances.get spanner.sessions.* |
Database |
roles/ |
Cloud Spanner Database User | Permission to read from and write to the Spanner database, execute SQL queries on the database, and view and update the schema. |
spanner.databaseOperations.* spanner.databases.beginOrRollbackReadWriteTransaction spanner.databases.beginReadOnlyTransaction spanner.databases.getDdl spanner.databases.read spanner.databases.select spanner.databases.updateDdl spanner.databases.write spanner.instances.get spanner.sessions.* |
Database |
roles/ |
Cloud Spanner Viewer | Permission to view all Spanner instances and databases, but not modify or read from them. |
monitoring.timeSeries.list resourcemanager.projects.get resourcemanager.projects.list spanner.databases.list spanner.instanceConfigs.* spanner.instances.get spanner.instances.list |
Project |
Stackdriver roles
| Role | Title | Description | Permissions | Lowest resource |
|---|---|---|---|---|
roles/ |
Stackdriver Accounts Editor | Read/write access to manage Stackdriver account structure. |
resourcemanager.projects.get resourcemanager.projects.list serviceusage.services.enable stackdriver.projects.* |
|
roles/ |
Stackdriver Accounts Viewer | Read-only access to get and list information about Stackdriver account structure. |
resourcemanager.projects.get resourcemanager.projects.list stackdriver.projects.get |
|
roles/ |
Stackdriver Resource Maintenance Window Editor | Read/write access to manage Stackdriver resource maintenance windows. |
|
|
roles/ |
Stackdriver Resource Maintenance Window Viewer | Read-only access to information about Stackdriver resource maintenance windows. |
|
|
roles/ |
Stackdriver Resource Metadata Writer Beta | Write-only access to resource metadata. This provides exactly the permissions needed by the Stackdriver metadata agent and other systems that send metadata. |
stackdriver.resourceMetadata.* |
Storage roles
| Role | Title | Description | Permissions | Lowest resource |
|---|---|---|---|---|
roles/ |
Storage Admin |
Grants full control of objects and buckets.
When applied to an individual bucket, control applies only to the specified bucket and objects within the bucket. |
firebase.projects.get resourcemanager.projects.get resourcemanager.projects.list storage.buckets.* storage.objects.* |
Bucket |
roles/ |
Storage HMAC Key Admin | Full control of Cloud Storage HMAC keys. |
firebase.projects.get resourcemanager.projects.get resourcemanager.projects.list storage.hmacKeys.* |
|
roles/ |
Storage Object Admin | Grants full control of objects, including listing, creating, viewing, and deleting objects. |
resourcemanager.projects.get resourcemanager.projects.list storage.objects.* |
Bucket |
roles/ |
Storage Object Creator | Allows users to create objects. Does not give permission to view, delete, or overwrite objects. |
resourcemanager.projects.get resourcemanager.projects.list storage.objects.create |
Bucket |
roles/ |
Storage Object Viewer | Grants access to view objects and their metadata, excluding ACLs. Can also list the objects in a bucket. |
resourcemanager.projects.get resourcemanager.projects.list storage.objects.get storage.objects.list |
Bucket |
roles/ |
Storage Transfer Admin | Create, update and manage transfer jobs and operations. |
resourcemanager.projects.get resourcemanager.projects.list storagetransfer.* |
|
roles/ |
Storage Transfer User | Create and update storage transfer jobs and operations. |
resourcemanager.projects.get resourcemanager.projects.list storagetransfer.jobs.create storagetransfer.jobs.get storagetransfer.jobs.list storagetransfer.jobs.update storagetransfer.operations.* storagetransfer.projects.* |
|
roles/ |
Storage Transfer Viewer | Read access to storage transfer jobs and operations. |
resourcemanager.projects.get resourcemanager.projects.list storagetransfer.jobs.get storagetransfer.jobs.list storagetransfer.operations.get storagetransfer.operations.list storagetransfer.projects.* |
Storage Legacy roles
| Role | Title | Description | Permissions | Lowest resource |
|---|---|---|---|---|
roles/ |
Storage Legacy Bucket Owner |
Grants permission to create, overwrite, and delete objects; list objects
in a bucket and read object metadata, excluding Cloud IAM
policies, when listing; and read and edit bucket metadata, including
Cloud IAM policies.
Use of this role is also reflected in the bucket's ACLs. For more information, see Cloud IAM relation to ACLs. |
storage.buckets.get storage.buckets.getIamPolicy storage.buckets.setIamPolicy storage.buckets.update storage.objects.create storage.objects.delete storage.objects.list |
Bucket |
roles/ |
Storage Legacy Bucket Reader |
Grants permission to list a bucket's contents and read bucket metadata,
excluding Cloud IAM policies. Also grants permission to read
object metadata, excluding Cloud IAM policies, when listing
objects.
Use of this role is also reflected in the bucket's ACLs. For more information, see Cloud IAM relation to ACLs. |
storage.buckets.get storage.objects.list |
Bucket |
roles/ |
Storage Legacy Bucket Writer |
Grants permission to create, overwrite, and delete objects; list objects
in a bucket and read object metadata, excluding Cloud IAM
policies, when listing; and read bucket metadata, excluding
Cloud IAM policies.
Use of this role is also reflected in the bucket's ACLs. For more information, see Cloud IAM relation to ACLs. |
storage.buckets.get storage.objects.create storage.objects.delete storage.objects.list |
Bucket |
roles/ |
Storage Legacy Object Owner | Grants permission to view and edit objects and their metadata, including ACLs. |
storage.objects.get storage.objects.getIamPolicy storage.objects.setIamPolicy storage.objects.update |
Bucket |
roles/ |
Storage Legacy Object Reader | Grants permission to view objects and their metadata, excluding ACLs. |
storage.objects.get |
Bucket |
Support roles
| Role | Title | Description | Permissions | Lowest resource |
|---|---|---|---|---|
roles/ |
Support Account Administrator | Allows management of a support account without giving access to support cases. See the Cloud Support documentation for more information. |
cloudsupport.* |
Organization |
roles/ |
Support Account Viewer | Read-only access to details of a support account. This does not allow viewing cases. |
cloudsupport.accounts.get cloudsupport.accounts.getUserRoles cloudsupport.accounts.list |
Organization |
Cloud Threat Detection roles
| Role | Title | Description | Permissions | Lowest resource |
|---|---|---|---|---|
roles/ |
Threat Detection Settings Editor Beta | Read-write access to all Threat Detection settings |
threatdetection.* |
Organization |
roles/ |
Threat Detection Settings Viewer Beta | Read access to all Threat Detection settings |
threatdetection.detectorSettings.get threatdetection.sinkSettings.get threatdetection.sourceSettings.get |
Organization |
Cloud TPU roles
| Role | Title | Description | Permissions | Lowest resource |
|---|---|---|---|---|
roles/ |
TPU Admin | Full access to TPU nodes and related resources. |
resourcemanager.projects.get resourcemanager.projects.list tpu.* |
|
roles/ |
TPU Viewer | Read-only access to TPU nodes and related resources. |
resourcemanager.projects.get resourcemanager.projects.list tpu.acceleratortypes.* tpu.locations.* tpu.nodes.get tpu.nodes.list tpu.operations.* tpu.tensorflowversions.* |
Serverless VPC Access roles
| Role | Title | Description | Permissions | Lowest resource |
|---|---|---|---|---|
roles/ |
Serverless VPC Access User | User of Serverless VPC Access connectors |
resourcemanager.projects.get resourcemanager.projects.list vpcaccess.connectors.get vpcaccess.connectors.list vpcaccess.connectors.use vpcaccess.locations.* vpcaccess.operations.* |
|
roles/ |
Serverless VPC Access Viewer | Viewer of all Serverless VPC Access resources |
resourcemanager.projects.get resourcemanager.projects.list vpcaccess.connectors.get vpcaccess.connectors.list vpcaccess.locations.* vpcaccess.operations.* |
|
roles/ |
Serverless VPC Access Admin | Full access to all Serverless VPC Access resources |
resourcemanager.projects.get resourcemanager.projects.list vpcaccess.* |
Custom roles
In addition to the predefined roles, Cloud IAM also provides the ability to create customized Cloud IAM roles. You can create a custom Cloud IAM role with one or more permissions and then grant that custom role to users who are part of your organization. See Understanding Custom Roles and Creating and Managing Custom Roles for more information.
Product-specific Cloud IAM documentation
Product-specific Cloud IAM documentation explains more about the predefined roles offered by each product. Read the following pages to learn more about the predefined roles.
| Documentation | Description |
|---|---|
| Cloud IAM for App Engine | Explains Cloud IAM roles for App Engine |
| Cloud IAM for BigQuery | Explains Cloud IAM roles for BigQuery |
| Cloud IAM for Bigtable | Explains Cloud IAM roles for Bigtable |
| Cloud IAM for Cloud Billing API | Explains Cloud IAM roles and permissions for Cloud Billing API |
| Cloud IAM for Dataflow | Explains Cloud IAM roles for Dataflow |
| Cloud IAM for Dataproc | Explains Cloud IAM roles and permissions for Dataproc |
| Cloud IAM for Datastore | Explains Cloud IAM roles and permissions for Datastore |
| Cloud IAM for Cloud DNS | Explains Cloud IAM roles and permissions for Cloud DNS |
| Cloud IAM for Cloud KMS | Explains Cloud IAM roles and permissions for Cloud KMS |
| Cloud IAM for AI Platform | Explains Cloud IAM roles and permissions for AI Platform |
| Cloud IAM for Pub/Sub | Explains Cloud IAM roles for Pub/Sub |
| Cloud IAM for Spanner | Explains Cloud IAM roles and permissions for Spanner |
| Cloud IAM for Cloud SQL | Explains Cloud IAM roles for Cloud SQL |
| Cloud IAM for Cloud Storage | Explains Cloud IAM roles for Cloud Storage |
| Cloud IAM for Compute Engine | Explains Cloud IAM roles for Compute Engine |
| Cloud IAM for GKE | Explains Cloud IAM roles and permissions for GKE |
| Cloud IAM for Deployment Manager | Explains Cloud IAM roles and permissions for Deployment Manager |
| Cloud IAM for Organizations | Explains Cloud IAM roles for Organization. |
| Cloud IAM for Folders | Explains Cloud IAM roles for folders. |
| Cloud IAM for Projects | Explains Cloud IAM roles for projects. |
| Cloud IAM for Service Management | Explains Cloud IAM roles and permissions for Service Management |
| Cloud IAM for Stackdriver Debugger | Explains Cloud IAM roles for Debugger |
| Cloud IAM for Stackdriver Logging | Explains Cloud IAM roles for Logging |
| Cloud IAM for Stackdriver Monitoring | Explains Cloud IAM roles for Monitoring |
| Cloud IAM for Stackdriver Trace | Explains Cloud IAM roles and permissions for Trace |
What's next
- Learn how to grant Cloud IAM roles to users.
- Learn about Custom Roles