When an identity calls a Google Cloud Platform API, Cloud Identity and Access Management requires that the identity has the appropriate permissions to use the resource. You can grant permissions by granting roles to a user, a group, or a service account.
This page describes the Cloud IAM roles that you can grant to identities to access Cloud Platform resources.
Prerequisite for this guide
- Understand the basic concepts of Cloud IAM
Role types
There are three types of roles in Cloud IAM:
- Primitive roles, which include the Owner, Editor, and Viewer roles that existed prior to the introduction of Cloud IAM
- Predefined roles, which provide granular access for a specific service and are managed by GCP
- Custom roles, which provide granular access according to a user-specified list of permissions
To determine if one or more permissions are included in a primitive, predefined, or custom role, you can use one of the following methods:
- The
gcloud iam roles describecommand - The
roles.get()API
The sections below describe each role type and provide examples of how to use them.
Primitive roles
There are three roles that existed prior to the introduction of Cloud IAM: Owner, Editor, and Viewer. These roles are concentric; that is, the Owner role includes the permissions in the Editor role, and the Editor role includes the permissions in the Viewer role.
The following table summarizes the permissions that the primitive roles include across all GCP services:
Primitive role definitions
| Name | Title | Permissions |
|---|---|---|
roles/viewer |
Viewer | Permissions for read-only actions that do not affect state, such as viewing (but not modifying) existing resources or data. |
roles/editor |
Editor |
All viewer permissions, plus permissions for actions that modify
state, such as changing existing resources.
Note:
While the
roles/editor role contains permissions to create
and delete resources for most GCP services, some services
(such as Cloud Source Repositories and Stackdriver) do
not include these permissions. See the section above
for more information on how to check if a role has the permissions that
you need.
|
roles/owner |
Owner |
All editor permissions and permissions for the following actions:
Note:
|
You can apply primitive roles at the project or service resource levels by using
GCP Console, the
API and the
gcloud command-line tool.
Invitation flow
You cannot grant the owner role to a member for a project using the
Cloud IAM API or the gcloud command-line tool. You can only add
owners to a project using the GCP Console. An invitation will be sent
to the member via email and the member must accept the invitation to be made an
owner of the project.
Note that invitation emails aren't sent in the following cases:
- when you're granting a role other than the owner.
- when an organization member adds another member of their organization as an owner of a project within that organization.
Predefined roles
In addition to the primitive roles, Cloud IAM provides additional predefined roles that give granular access to specific Google Cloud Platform resources and prevent unwanted access to other resources.
The following table lists these roles, their description, and the lowest-level resource type where the roles can be set. A particular role can be granted to this resource type, or in most cases any type above it in the GCP hierarchy. You can grant multiple roles to the same user. For example, the same user can have Network Admin and Log Viewer roles on a project and also have a Publisher role for a Pub/Sub topic within that project. For a list of the permissions contained in a role, see Getting the role metadata.
Access Approval roles
Android Management roles
App Engine roles
AutoML roles
BigQuery roles
Cloud Bigtable roles
Billing roles
Cloud Asset roles
| Role | Title | Description | Permissions | Lowest Resource |
|---|---|---|---|---|
roles/ |
Cloud Asset Viewer | Read only access to cloud assets metadata |
cloudasset.* |
Cloud Build roles
Cloud Data Fusion roles
Stackdriver Debugger roles
Cloud Functions roles
Cloud IAP roles
Cloud IoT roles
Cloud Talent Solution roles
Cloud KMS roles
Cloud Migration roles
Cloud Private Catalog roles
Stackdriver Profiler roles
Cloud Scheduler roles
Cloud Security Scanner roles
Cloud Services roles
Cloud SQL roles
Cloud Tasks roles
Cloud Trace roles
Cloud Translation roles
Codelab API Keys roles
Cloud Composer roles
Compute Engine roles
| Role | Title | Description | Permissions | Lowest Resource |
|---|---|---|---|---|
roles/ |
Compute Admin |
Full control of all Compute Engine resources.
If the user will be managing virtual machine instances that are configured
to run as a service account, you must also grant the
|
compute.* resourcemanager.projects.get resourcemanager.projects.list serviceusage.quotas.get serviceusage.services.get serviceusage.services.list |
Disk, image, instance, instanceTemplate, nodeGroup, nodeTemplate, snapshot Beta |
roles/ |
Compute Image User |
Permission to list and read images without having other permissions on the
image. Granting the |
compute.images.get compute.images.getFromFamily compute.images.list compute.images.useReadOnly resourcemanager.projects.get resourcemanager.projects.list serviceusage.quotas.get serviceusage.services.get serviceusage.services.list |
ImageBeta |
roles/ |
Compute Instance Admin (beta) |
Permissions to create, modify, and delete virtual machine instances. This includes permissions to create, modify, and delete disks, and also to configure Shielded VMBETA settings.
If the user will be managing virtual machine instances that are configured
to run as a service account, you must also grant the
For example, if your company has someone who manages groups of virtual machine instances but does not manage network or security settings and does not manage instances that run as service accounts, you can grant this role on the organization, folder, or project that contains the instances, or you can grant it on individual instances. |
compute.acceleratorTypes.* compute.addresses.get compute.addresses.list compute.addresses.use compute.autoscalers.* compute.diskTypes.* compute.disks.create compute.disks.createSnapshot compute.disks.delete compute.disks.get compute.disks.list compute.disks.resize compute.disks.setLabels compute.disks.update compute.disks.use compute.disks.useReadOnly compute.globalAddresses.get compute.globalAddresses.list compute.globalAddresses.use compute.globalOperations.get compute.globalOperations.list compute.images.get compute.images.getFromFamily compute.images.list compute.images.useReadOnly compute.instanceGroupManagers.* compute.instanceGroups.* compute.instanceTemplates.* compute.instances.* compute.licenses.get compute.licenses.list compute.machineTypes.* compute.networkEndpointGroups.* compute.networks.get compute.networks.list compute.networks.use compute.networks.useExternalIp compute.projects.get compute.regionOperations.get compute.regionOperations.list compute.regions.* compute.reservations.get compute.reservations.list compute.subnetworks.get compute.subnetworks.list compute.subnetworks.use compute.subnetworks.useExternalIp compute.targetPools.get compute.targetPools.list compute.zoneOperations.get compute.zoneOperations.list compute.zones.* resourcemanager.projects.get resourcemanager.projects.list serviceusage.quotas.get serviceusage.services.get serviceusage.services.list |
Disk, image, instance, instanceTemplate, snapshot Beta |
roles/ |
Compute Instance Admin (v1) |
Full control of Compute Engine instances, instance groups, disks, snapshots, and images.
Read access to all Compute Engine networking resources.
If you grant a user this role only at an instance level, then that user cannot create new instances. |
compute.acceleratorTypes.* compute.addresses.get compute.addresses.list compute.addresses.use compute.autoscalers.* compute.backendBuckets.get compute.backendBuckets.list compute.backendServices.get compute.backendServices.list compute.diskTypes.* compute.disks.* compute.firewalls.get compute.firewalls.list compute.forwardingRules.get compute.forwardingRules.list compute.globalAddresses.get compute.globalAddresses.list compute.globalAddresses.use compute.globalForwardingRules.get compute.globalForwardingRules.list compute.globalOperations.get compute.globalOperations.list compute.healthChecks.get compute.healthChecks.list compute.httpHealthChecks.get compute.httpHealthChecks.list compute.httpsHealthChecks.get compute.httpsHealthChecks.list compute.images.* compute.instanceGroupManagers.* compute.instanceGroups.* compute.instanceTemplates.* compute.instances.* compute.interconnectAttachments.get compute.interconnectAttachments.list compute.interconnectLocations.* compute.interconnects.get compute.interconnects.list compute.licenseCodes.* compute.licenses.* compute.machineTypes.* compute.networkEndpointGroups.* compute.networks.get compute.networks.list compute.networks.use compute.networks.useExternalIp compute.projects.get compute.projects.setCommonInstanceMetadata compute.regionBackendServices.get compute.regionBackendServices.list compute.regionOperations.get compute.regionOperations.list compute.regions.* compute.reservations.get compute.reservations.list compute.resourcePolicies.* compute.routers.get compute.routers.list compute.routes.get compute.routes.list compute.snapshots.* compute.sslCertificates.get compute.sslCertificates.list compute.sslPolicies.get compute.sslPolicies.list compute.sslPolicies.listAvailableFeatures compute.subnetworks.get compute.subnetworks.list compute.subnetworks.use compute.subnetworks.useExternalIp compute.targetHttpProxies.get compute.targetHttpProxies.list compute.targetHttpsProxies.get compute.targetHttpsProxies.list compute.targetInstances.get compute.targetInstances.list compute.targetPools.get compute.targetPools.list compute.targetSslProxies.get compute.targetSslProxies.list compute.targetTcpProxies.get compute.targetTcpProxies.list compute.targetVpnGateways.get compute.targetVpnGateways.list compute.urlMaps.get compute.urlMaps.list compute.vpnGateways.get compute.vpnGateways.list compute.vpnTunnels.get compute.vpnTunnels.list compute.zoneOperations.get compute.zoneOperations.list compute.zones.* resourcemanager.projects.get resourcemanager.projects.list serviceusage.quotas.get serviceusage.services.get serviceusage.services.list |
|
roles/ |
Compute Load Balancer Admin Beta |
Permissions to create, modify, and delete load balancers and associate resources.
For example, if your company has a load balancing team that manages load
balancers, SSL certificates for load balancers, SSL policies, and other
load balancing resources, and a separate networking team that manages
the rest of the networking resources, then grant the load balancing
team's group the |
compute.addresses.* compute.backendBuckets.* compute.backendServices.* compute.forwardingRules.* compute.globalAddresses.* compute.globalForwardingRules.* compute.healthChecks.* compute.httpHealthChecks.* compute.httpsHealthChecks.* compute.instanceGroups.* compute.instances.get compute.instances.list compute.instances.use compute.networkEndpointGroups.* compute.networks.get compute.networks.list compute.networks.use compute.projects.get compute.regionBackendServices.* compute.securityPolicies.get compute.securityPolicies.list compute.securityPolicies.use compute.sslCertificates.* compute.sslPolicies.* compute.subnetworks.get compute.subnetworks.list compute.subnetworks.use compute.targetHttpProxies.* compute.targetHttpsProxies.* compute.targetInstances.* compute.targetPools.* compute.targetSslProxies.* compute.targetTcpProxies.* compute.urlMaps.* resourcemanager.projects.get resourcemanager.projects.list serviceusage.quotas.get serviceusage.services.get serviceusage.services.list |
InstanceBeta |
roles/ |
Compute Network Admin |
Permissions to create, modify, and delete networking resources, except for firewall rules and SSL certificates. The network admin role allows read-only access to firewall rules, SSL certificates, and instances (to view their ephemeral IP addresses). The network admin role does not allow a user to create, start, stop, or delete instances.
For example, if your company has a security team that manages firewalls
and SSL certificates and a networking team that manages the rest of the
networking resources, then grant the networking team's group the
|
compute.addresses.* compute.autoscalers.get compute.autoscalers.list compute.backendBuckets.* compute.backendServices.* compute.firewalls.get compute.firewalls.list compute.forwardingRules.* compute.globalAddresses.* compute.globalForwardingRules.* compute.globalOperations.get compute.globalOperations.list compute.healthChecks.* compute.httpHealthChecks.* compute.httpsHealthChecks.* compute.instanceGroupManagers.get compute.instanceGroupManagers.list compute.instanceGroupManagers.update compute.instanceGroupManagers.use compute.instanceGroups.get compute.instanceGroups.list compute.instanceGroups.update compute.instanceGroups.use compute.instances.get compute.instances.getGuestAttributes compute.instances.getSerialPortOutput compute.instances.list compute.instances.listReferrers compute.instances.use compute.interconnectAttachments.* compute.interconnectLocations.* compute.interconnects.* compute.networkEndpointGroups.get compute.networkEndpointGroups.list compute.networkEndpointGroups.use compute.networks.* compute.projects.get compute.regionBackendServices.* compute.regionOperations.get compute.regionOperations.list compute.regions.* compute.routers.* compute.routes.* compute.securityPolicies.get compute.securityPolicies.list compute.securityPolicies.use compute.sslCertificates.get compute.sslCertificates.list compute.sslPolicies.* compute.subnetworks.* compute.targetHttpProxies.* compute.targetHttpsProxies.* compute.targetInstances.* compute.targetPools.* compute.targetSslProxies.* compute.targetTcpProxies.* compute.targetVpnGateways.* compute.urlMaps.* compute.vpnGateways.* compute.vpnTunnels.* compute.zoneOperations.get compute.zoneOperations.list compute.zones.* resourcemanager.projects.get resourcemanager.projects.list servicenetworking.operations.get servicenetworking.services.addPeering servicenetworking.services.get serviceusage.quotas.get serviceusage.services.get serviceusage.services.list |
InstanceBeta |
roles/ |
Compute Network User |
Provides access to a shared VPC network Once granted, service owners can use VPC networks and subnets that belong to the host project. For example, a network user can create a VM instance that belongs to a host project network but they cannot delete or create new networks in the host project. |
compute.addresses.createInternal compute.addresses.deleteInternal compute.addresses.get compute.addresses.list compute.addresses.useInternal compute.firewalls.get compute.firewalls.list compute.interconnectAttachments.get compute.interconnectAttachments.list compute.interconnectLocations.* compute.interconnects.get compute.interconnects.list compute.interconnects.use compute.networks.get compute.networks.list compute.networks.use compute.networks.useExternalIp compute.projects.get compute.regions.* compute.routers.get compute.routers.list compute.routes.get compute.routes.list compute.subnetworks.get compute.subnetworks.list compute.subnetworks.use compute.subnetworks.useExternalIp compute.targetVpnGateways.get compute.targetVpnGateways.list compute.vpnGateways.get compute.vpnGateways.list compute.vpnGateways.use compute.vpnTunnels.get compute.vpnTunnels.list compute.zones.* resourcemanager.projects.get resourcemanager.projects.list servicenetworking.services.get serviceusage.quotas.get serviceusage.services.get serviceusage.services.list |
Project |
roles/ |
Compute Network Viewer |
Read-only access to all networking resources
For example, if you have software that inspects your network
configuration, you could grant that software's service account the
|
compute.addresses.get compute.addresses.list compute.autoscalers.get compute.autoscalers.list compute.backendBuckets.get compute.backendBuckets.list compute.backendServices.get compute.backendServices.list compute.firewalls.get compute.firewalls.list compute.forwardingRules.get compute.forwardingRules.list compute.globalAddresses.get compute.globalAddresses.list compute.globalForwardingRules.get compute.globalForwardingRules.list compute.healthChecks.get compute.healthChecks.list compute.httpHealthChecks.get compute.httpHealthChecks.list compute.httpsHealthChecks.get compute.httpsHealthChecks.list compute.instanceGroupManagers.get compute.instanceGroupManagers.list compute.instanceGroups.get compute.instanceGroups.list compute.instances.get compute.instances.getGuestAttributes compute.instances.getSerialPortOutput compute.instances.list compute.instances.listReferrers compute.interconnectAttachments.get compute.interconnectAttachments.list compute.interconnectLocations.* compute.interconnects.get compute.interconnects.list compute.networks.get compute.networks.list compute.projects.get compute.regionBackendServices.get compute.regionBackendServices.list compute.regions.* compute.routers.get compute.routers.list compute.routes.get compute.routes.list compute.sslCertificates.get compute.sslCertificates.list compute.sslPolicies.get compute.sslPolicies.list compute.sslPolicies.listAvailableFeatures compute.subnetworks.get compute.subnetworks.list compute.targetHttpProxies.get compute.targetHttpProxies.list compute.targetHttpsProxies.get compute.targetHttpsProxies.list compute.targetInstances.get compute.targetInstances.list compute.targetPools.get compute.targetPools.list compute.targetSslProxies.get compute.targetSslProxies.list compute.targetTcpProxies.get compute.targetTcpProxies.list compute.targetVpnGateways.get compute.targetVpnGateways.list compute.urlMaps.get compute.urlMaps.list compute.vpnGateways.get compute.vpnGateways.list compute.vpnTunnels.get compute.vpnTunnels.list compute.zones.* resourcemanager.projects.get resourcemanager.projects.list servicenetworking.services.get serviceusage.quotas.get serviceusage.services.get serviceusage.services.list |
InstanceBeta |
roles/ |
Compute OS Admin Login |
Access to log in to a Compute Engine instance as an administrator user. |
compute.instances.get compute.instances.list compute.instances.osAdminLogin compute.instances.osLogin compute.projects.get resourcemanager.projects.get resourcemanager.projects.list serviceusage.quotas.get serviceusage.services.get serviceusage.services.list |
InstanceBeta |
roles/ |
Compute OS Login |
Access to log in to a Compute Engine instance as a standard user. |
compute.instances.get compute.instances.list compute.instances.osLogin compute.projects.get resourcemanager.projects.get resourcemanager.projects.list serviceusage.quotas.get serviceusage.services.get serviceusage.services.list |
InstanceBeta |
roles/ |
Compute OS Login External User |
Available only at the organization level. Access for an external user to set OS Login information associated with this organization. This role does not grant access to instances. External users must be granted one of the required OS Login roles in order to allow access to instances using SSH. |
compute.oslogin.* |
Organization |
roles/ |
Compute Security Admin |
Permissions to create, modify, and delete firewall rules and SSL certificates, and also to configure Shielded VMBETA settings.
For example, if your company has a security team that manages firewalls
and SSL certificates and a networking team that manages the rest of the
networking resources, then grant the security team's group the
|
compute.firewalls.* compute.globalOperations.get compute.globalOperations.list compute.instances.setShieldedInstanceIntegrityPolicy compute.instances.setShieldedVmIntegrityPolicy compute.instances.updateShieldedInstanceConfig compute.instances.updateShieldedVmConfig compute.networks.get compute.networks.list compute.networks.updatePolicy compute.projects.get compute.regionOperations.get compute.regionOperations.list compute.regions.* compute.routes.get compute.routes.list compute.securityPolicies.* compute.sslCertificates.* compute.sslPolicies.* compute.subnetworks.get compute.subnetworks.list compute.zoneOperations.get compute.zoneOperations.list compute.zones.* resourcemanager.projects.get resourcemanager.projects.list serviceusage.quotas.get serviceusage.services.get serviceusage.services.list |
InstanceBeta |
roles/ |
Compute Storage Admin |
Permissions to create, modify, and delete disks, images, and snapshots.
For example, if your company has someone who manages project images and
you don't want them to have the editor role on the project, then grant
their account the |
compute.diskTypes.* compute.disks.* compute.globalOperations.get compute.globalOperations.list compute.images.* compute.licenseCodes.* compute.licenses.* compute.projects.get compute.regionOperations.get compute.regionOperations.list compute.regions.* compute.resourcePolicies.* compute.snapshots.* compute.zoneOperations.get compute.zoneOperations.list compute.zones.* resourcemanager.projects.get resourcemanager.projects.list serviceusage.quotas.get serviceusage.services.get serviceusage.services.list |
Disk, image, snapshot Beta |
roles/ |
Compute Viewer |
Read-only access to get and list Compute Engine resources, without being able to read the data stored on them. For example, an account with this role could inventory all of the disks in a project, but it could not read any of the data on those disks. |
compute.acceleratorTypes.* compute.addresses.get compute.addresses.list compute.autoscalers.get compute.autoscalers.list compute.backendBuckets.get compute.backendBuckets.list compute.backendServices.get compute.backendServices.list compute.commitments.get compute.commitments.list compute.diskTypes.* compute.disks.get compute.disks.getIamPolicy compute.disks.list compute.firewalls.get compute.firewalls.list compute.forwardingRules.get compute.forwardingRules.list compute.globalAddresses.get compute.globalAddresses.list compute.globalForwardingRules.get compute.globalForwardingRules.list compute.globalOperations.get compute.globalOperations.getIamPolicy compute.globalOperations.list compute.healthChecks.get compute.healthChecks.list compute.httpHealthChecks.get compute.httpHealthChecks.list compute.httpsHealthChecks.get compute.httpsHealthChecks.list compute.images.get compute.images.getFromFamily compute.images.getIamPolicy compute.images.list compute.instanceGroupManagers.get compute.instanceGroupManagers.list compute.instanceGroups.get compute.instanceGroups.list compute.instanceTemplates.get compute.instanceTemplates.getIamPolicy compute.instanceTemplates.list compute.instances.get compute.instances.getGuestAttributes compute.instances.getIamPolicy compute.instances.getSerialPortOutput compute.instances.getShieldedInstanceIdentity compute.instances.getShieldedVmIdentity compute.instances.list compute.instances.listReferrers compute.interconnectAttachments.get compute.interconnectAttachments.list compute.interconnectLocations.* compute.interconnects.get compute.interconnects.list compute.licenseCodes.get compute.licenseCodes.getIamPolicy compute.licenseCodes.list compute.licenses.get compute.licenses.getIamPolicy compute.licenses.list compute.machineTypes.* compute.maintenancePolicies.get compute.maintenancePolicies.getIamPolicy compute.maintenancePolicies.list compute.networkEndpointGroups.get compute.networkEndpointGroups.getIamPolicy compute.networkEndpointGroups.list compute.networks.get compute.networks.list compute.nodeGroups.get compute.nodeGroups.getIamPolicy compute.nodeGroups.list compute.nodeTemplates.get compute.nodeTemplates.getIamPolicy compute.nodeTemplates.list compute.nodeTypes.* compute.projects.get compute.regionBackendServices.get compute.regionBackendServices.list compute.regionOperations.get compute.regionOperations.getIamPolicy compute.regionOperations.list compute.regions.* compute.reservations.get compute.reservations.list compute.resourcePolicies.get compute.resourcePolicies.list compute.routers.get compute.routers.list compute.routes.get compute.routes.list compute.securityPolicies.get compute.securityPolicies.getIamPolicy compute.securityPolicies.list compute.snapshots.get compute.snapshots.getIamPolicy compute.snapshots.list compute.sslCertificates.get compute.sslCertificates.list compute.sslPolicies.get compute.sslPolicies.list compute.sslPolicies.listAvailableFeatures compute.subnetworks.get compute.subnetworks.getIamPolicy compute.subnetworks.list compute.targetHttpProxies.get compute.targetHttpProxies.list compute.targetHttpsProxies.get compute.targetHttpsProxies.list compute.targetInstances.get compute.targetInstances.list compute.targetPools.get compute.targetPools.list compute.targetSslProxies.get compute.targetSslProxies.list compute.targetTcpProxies.get compute.targetTcpProxies.list compute.targetVpnGateways.get compute.targetVpnGateways.list compute.urlMaps.get compute.urlMaps.list compute.urlMaps.validate compute.vpnGateways.get compute.vpnGateways.list compute.vpnTunnels.get compute.vpnTunnels.list compute.zoneOperations.get compute.zoneOperations.getIamPolicy compute.zoneOperations.list compute.zones.* resourcemanager.projects.get resourcemanager.projects.list serviceusage.quotas.get serviceusage.services.get serviceusage.services.list |
Disk, image, instance, instanceTemplate, nodeGroup, nodeTemplate, snapshot Beta |
roles/ |
Compute Shared VPC Admin |
Permissions to administer shared VPC host projects, specifically enabling the host projects and associating shared VPC service projects to the host project's network. This role can only be granted on the organization by an organization admin.
Google Cloud Platform recommends that the Shared VPC Admin be the owner of the shared VPC host
project. The Shared VPC Admin is responsible for granting the |
compute.globalOperations.get compute.globalOperations.list compute.organizations.* compute.projects.get compute.subnetworks.getIamPolicy compute.subnetworks.setIamPolicy resourcemanager.organizations.get resourcemanager.projects.get resourcemanager.projects.getIamPolicy resourcemanager.projects.list |
Organization |
Kubernetes Engine roles
Container Analysis roles
Data Catalog roles
Dataflow roles
Cloud Data Labeling roles
Dataprep roles
Dataproc roles
Datastore roles
Deployment Manager roles
Dialogflow roles
| Role | Title | Description | Permissions | Lowest Resource |
|---|---|---|---|---|
roles/ |
Dialogflow API Admin |
Full access to Dialogflow (API only) resources. Use the roles/owner or roles/editor primitive role for access to both API and Dialogflow console (commonly needed to create an agent from the Dialogflow console).
|
dialogflow.* resourcemanager.projects.get |
Project |
roles/ |
Dialogflow API Client | Client access to Dialogflow (API only) resources. This grants permission to detect intent and read/write session properties (contexts, session entity types, etc.). |
dialogflow.contexts.* dialogflow.sessionEntityTypes.* dialogflow.sessions.* |
Project |
roles/ |
Dialogflow Console Agent Editor | Can edit agent in Dialogflow Console |
dialogflow.* resourcemanager.projects.get |
|
roles/ |
Dialogflow API Reader |
Read access to Dialogflow (API only) resources. Cannot detect intent. Use the roles/viewer primitive role for similar access to both API and Dialogflow console.
|
dialogflow.agents.export dialogflow.agents.get dialogflow.agents.search dialogflow.contexts.get dialogflow.contexts.list dialogflow.entityTypes.get dialogflow.entityTypes.list dialogflow.intents.get dialogflow.intents.list dialogflow.operations.* dialogflow.sessionEntityTypes.get dialogflow.sessionEntityTypes.list resourcemanager.projects.get |
Project |
Cloud DLP roles
DNS roles
Endpoints roles
Error Reporting roles
Cloud Filestore roles
Firebase roles
Firebase Crash Reporting roles
Genomics roles
Cloud Healthcare roles
IAM roles
Roles roles
Service Accounts roles
Logging roles
Cloud Managed Identities roles
Machine Learning Engine roles
Monitoring roles
Organization Policy roles
Other roles
Project roles
Proximity Beacon roles
Pub/Sub roles
Recommendations AI roles
Recommender roles
Memorystore Redis roles
Resource Manager roles
Cloud Run roles
Security Center roles
Service Consumer Management roles
Service Management roles
Service Networking roles
| Role | Title | Description | Permissions | Lowest Resource |
|---|---|---|---|---|
roles/ |
Service Networking Admin Beta | Full control of service networking with projects. |
servicenetworking.* |
Service Usage roles
Source roles
Cloud Spanner roles
Stackdriver roles
Storage roles
Storage Legacy roles
| Role | Title | Description | Permissions | Lowest Resource |
|---|---|---|---|---|
roles/ |
Storage Legacy Bucket Owner |
Grants permission to create, overwrite, and delete objects; list objects
in a bucket and read object metadata, excluding Cloud IAM
policies, when listing; and read and edit bucket metadata, including
Cloud IAM policies.
Use of this role is also reflected in the bucket's ACLs. For more information, see Cloud IAM relation to ACLs. |
storage.buckets.get storage.buckets.getIamPolicy storage.buckets.setIamPolicy storage.buckets.update storage.objects.create storage.objects.delete storage.objects.list |
Bucket |
roles/ |
Storage Legacy Bucket Reader |
Grants permission to list a bucket's contents and read bucket metadata,
excluding Cloud IAM policies. Also grants permission to read
object metadata, excluding Cloud IAM policies, when listing
objects.
Use of this role is also reflected in the bucket's ACLs. For more information, see Cloud IAM relation to ACLs. |
storage.buckets.get storage.objects.list |
Bucket |
roles/ |
Storage Legacy Bucket Writer |
Grants permission to create, overwrite, and delete objects; list objects
in a bucket and read object metadata, excluding Cloud IAM
policies, when listing; and read bucket metadata, excluding
Cloud IAM policies.
Use of this role is also reflected in the bucket's ACLs. For more information, see Cloud IAM relation to ACLs. |
storage.buckets.get storage.objects.create storage.objects.delete storage.objects.list |
Bucket |
roles/ |
Storage Legacy Object Owner | Grants permission to view and edit objects and their metadata, including ACLs. |
storage.objects.get storage.objects.getIamPolicy storage.objects.setIamPolicy storage.objects.update |
Bucket |
roles/ |
Storage Legacy Object Reader | Grants permission to view objects and their metadata, excluding ACLs. |
storage.objects.get |
Bucket |
Support roles
| Role | Title | Description | Permissions | Lowest Resource |
|---|---|---|---|---|
roles/ |
Support Account Administrator | Allows management of a support account without giving access to support cases. See the Cloud Support documentation for more information. |
cloudsupport.* |
Organization |
roles/ |
Support Account Viewer | Read-only access to details of a support account. This does not allow viewing cases. |
cloudsupport.accounts.get cloudsupport.accounts.getUserRoles cloudsupport.accounts.list |
Organization |
Cloud Threat Detection roles
Cloud TPU roles
Serverless VPC Access roles
Custom roles
In addition to the predefined roles, Cloud IAM also provides the ability to create customized Cloud IAM roles. You can create a custom Cloud IAM role with one or more permissions and then grant that custom role to users who are part of your organization. See Understanding Custom Roles and Creating and Managing Custom Roles for more information.
Product-specific Cloud IAM documentation
Product-specific Cloud IAM documentation explains more about the predefined roles offered by each product. Read the following pages to learn more about the predefined roles.
| Documentation | Description |
|---|---|
| Cloud IAM for App Engine | Explains Cloud IAM roles for App Engine |
| Cloud IAM for BigQuery | Explains Cloud IAM roles for BigQuery |
| Cloud IAM for Cloud Bigtable | Explains Cloud IAM roles for Cloud Bigtable |
| Cloud IAM for Cloud Billing API | Explains Cloud IAM roles and permissions for Cloud Billing API |
| Cloud IAM for Cloud Dataflow | Explains Cloud IAM roles for Cloud Dataflow |
| Cloud IAM for Cloud Dataproc | Explains Cloud IAM roles and permissions for Cloud Dataproc |
| Cloud IAM for Cloud Datastore | Explains Cloud IAM roles and permissions for Cloud Datastore |
| Cloud IAM for Cloud DNS | Explains Cloud IAM roles and permissions for Cloud DNS |
| Cloud IAM for Cloud KMS | Explains Cloud IAM roles and permissions for Cloud KMS |
| Cloud IAM for AI Platform | Explains Cloud IAM roles and permissions for AI Platform |
| Cloud IAM for Cloud Pub/Sub | Explains Cloud IAM roles for Cloud Pub/Sub |
| Cloud IAM for Cloud Spanner | Explains Cloud IAM roles and permissions for Cloud Spanner |
| Cloud IAM for Cloud SQL | Explains Cloud IAM roles for Cloud SQL |
| Cloud IAM for Cloud Storage | Explains Cloud IAM roles for Cloud Storage |
| Cloud IAM for Compute Engine | Explains Cloud IAM roles for Compute Engine |
| Cloud IAM for GKE | Explains Cloud IAM roles and permissions for GKE |
| Cloud IAM for Deployment Manager | Explains Cloud IAM roles and permissions for Deployment Manager |
| Cloud IAM for Organizations | Explains Cloud IAM roles for Organization. |
| Cloud IAM for Folders | Explains Cloud IAM roles for folders. |
| Cloud IAM for Projects | Explains Cloud IAM roles for projects. |
| Cloud IAM for Service Management | Explains Cloud IAM roles and permissions for Service Management |
| Cloud IAM for Stackdriver Debugger | Explains Cloud IAM roles for Debugger |
| Cloud IAM for Stackdriver Logging | Explains Cloud IAM roles for Logging |
| Cloud IAM for Stackdriver Monitoring | Explains Cloud IAM roles for Monitoring |
| Cloud IAM for Stackdriver Trace | Explains Cloud IAM roles and permissions for Trace |
What's next
- Learn how to grant Cloud IAM roles to users.
- Learn about Custom Roles
