This page lists all basic and predefined roles for Identity and Access Management (IAM).
To learn more about IAM roles, see Roles and permissions.
Basic roles
Basic roles are highly permissive roles that existed prior to the introduction
of IAM. You can use basic roles to grant principals broad
access to Google Cloud resources.
When you grant a basic role to a principal, the principal gets all of the
permissions in the basic role. They also get any permissions that services
provide to principals with basic roles—for example, permissions
gained through Cloud Storage
convenience values and BigQuery special
group membership.
The following table summarizes the permissions that the basic roles give users
across all Google Cloud services:
Basic roles
Permissions
Viewer
(roles/viewer)
Permissions for read-only actions that don't affect state, such as viewing (but not modifying) existing resources or data.
For a list of permissions in the Viewer role, see the role details in the Google Cloud console.
Editor
(roles/editor)
All viewer permissions, plus permissions for actions that modify state, such as changing existing resources.
The permissions in the Editor role let you create and delete resources for most Google Cloud services. However, the Editor role doesn't contain permissions to perform all actions for all services. For more information about how to check whether a role has the permissions that you need, see Role types.
For a list of permissions in the Editor role, see the role details in the Google Cloud console.
Predefined roles
Predefined roles give granular access to specific Google Cloud resources. These roles are created and maintained by Google. Google automatically updates their permissions as necessary, such as when Google Cloud adds new features or services.
The following table lists all IAM predefined roles, organized by service.
API Gateway roles
Permissions
API Gateway Viewer
(roles/apigateway.viewer)
Read-only access to ApiGateway and related resources.
apigateway.apiconfigs.get
apigateway.apiconfigs.getIamPolicy
apigateway.apiconfigs.list
apigateway.apis.get
apigateway.apis.getIamPolicy
apigateway.apis.list
apigateway.gateways.get
apigateway.gateways.getIamPolicy
apigateway.gateways.list
apigateway.locations.*
apigateway.operations.get
apigateway.operations.list
monitoring.metricDescriptors.list
monitoring.monitoredResourceDescriptors.get
monitoring.timeSeries.list
resourcemanager.projects.get
resourcemanager.projects.list
servicemanagement.services.get
serviceusage.services.get
serviceusage.services.list
Apigee roles
Permissions
Apigee Organization Admin
(roles/apigee.admin)
Full access to all apigee resource features
apigee.*
monitoring.timeSeries.list
resourcemanager.projects.get
resourcemanager.projects.getIamPolicy
resourcemanager.projects.list
Apigee Analytics Agent
(roles/apigee.analyticsAgent)
Curated set of permissions for Apigee Universal Data Collection Agent to manage analytics for an Apigee Organization
apigee.datalocation.get
apigee.environments.getDataLocation
apigee.runtimeconfigs.get
Apigee Analytics Editor
(roles/apigee.analyticsEditor)
Analytics editor for an Apigee Organization
apigee.datacollectors.*
apigee.datastores.*
apigee.entitlements.get
apigee.envgroupattachments.get
apigee.envgroupattachments.list
apigee.envgroups.get
apigee.envgroups.list
apigee.environments.get
apigee.environments.getStats
apigee.environments.list
apigee.exports.*
apigee.hostqueries.*
apigee.hoststats.get
apigee.organizations.get
apigee.organizations.list
apigee.projectorganizations.get
apigee.queries.*
apigee.reports.*
resourcemanager.projects.get
resourcemanager.projects.list
Apigee Analytics Viewer
(roles/apigee.analyticsViewer)
Analytics viewer for an Apigee Organization
apigee.datacollectors.get
apigee.datacollectors.list
apigee.datastores.get
apigee.datastores.list
apigee.entitlements.get
apigee.envgroupattachments.get
apigee.envgroupattachments.list
apigee.envgroups.get
apigee.envgroups.list
apigee.environments.get
apigee.environments.getStats
apigee.environments.list
apigee.exports.get
apigee.exports.list
apigee.hostqueries.get
apigee.hostqueries.list
apigee.hoststats.get
apigee.organizations.get
apigee.organizations.list
apigee.projectorganizations.get
apigee.queries.get
apigee.queries.list
apigee.reports.get
apigee.reports.list
resourcemanager.projects.get
resourcemanager.projects.list
Apigee API Admin
(roles/apigee.apiAdminV2)
Full read/write access to all apigee API resources
apigee.apiproductattributes.*
apigee.apiproducts.*
apigee.entitlements.get
apigee.envgroupattachments.get
apigee.envgroupattachments.list
apigee.envgroups.get
apigee.envgroups.list
apigee.environments.get
apigee.environments.getStats
apigee.environments.list
apigee.keyvaluemapentries.*
apigee.keyvaluemaps.*
apigee.organizations.get
apigee.organizations.list
apigee.projectorganizations.get
apigee.proxies.*
apigee.proxyrevisions.*
apigee.sharedflowrevisions.*
apigee.sharedflows.*
resourcemanager.projects.get
resourcemanager.projects.list
Apigee API Reader
(roles/apigee.apiReaderV2)
Reader of apigee resources
apigee.apiproductattributes.get
apigee.apiproductattributes.list
apigee.apiproducts.get
apigee.apiproducts.list
apigee.entitlements.get
apigee.envgroupattachments.get
apigee.envgroupattachments.list
apigee.envgroups.get
apigee.envgroups.list
apigee.environments.get
apigee.environments.getStats
apigee.environments.list
apigee.keyvaluemapentries.get
apigee.keyvaluemapentries.list
apigee.keyvaluemaps.list
apigee.organizations.get
apigee.organizations.list
apigee.projectorganizations.get
apigee.proxies.get
apigee.proxies.list
apigee.proxyrevisions.deploy
apigee.proxyrevisions.get
apigee.proxyrevisions.list
apigee.proxyrevisions.undeploy
apigee.sharedflowrevisions.deploy
apigee.sharedflowrevisions.get
apigee.sharedflowrevisions.list
apigee.sharedflowrevisions.undeploy
apigee.sharedflows.get
apigee.sharedflows.list
resourcemanager.projects.get
resourcemanager.projects.list
Apigee Developer Admin
(roles/apigee.developerAdmin)
Developer admin of apigee resources
apigee.apiproductattributes.get
apigee.apiproductattributes.list
apigee.apiproducts.get
apigee.apiproducts.list
apigee.appgroupapps.*
apigee.appgroups.*
apigee.appkeys.*
apigee.apps.*
apigee.datacollectors.*
apigee.developerappattributes.*
apigee.developerapps.*
apigee.developerattributes.*
apigee.developerbalances.*
apigee.developermonetizationconfigs.*
apigee.developers.*
apigee.developersubscriptions.*
apigee.entitlements.get
apigee.environments.get
apigee.environments.getStats
apigee.environments.list
apigee.hoststats.get
apigee.organizations.get
apigee.organizations.list
apigee.projectorganizations.get
apigee.rateplans.get
apigee.rateplans.list
resourcemanager.projects.get
resourcemanager.projects.getIamPolicy
resourcemanager.projects.list
Apigee Environment Admin
(roles/apigee.environmentAdmin)
Full read/write access to apigee environment resources, including deployments.
apigee.addonsconfig.*
apigee.archivedeployments.*
apigee.datacollectors.get
apigee.datacollectors.list
apigee.deployments.*
apigee.entitlements.get
apigee.envgroupattachments.get
apigee.envgroupattachments.list
apigee.envgroups.get
apigee.envgroups.list
apigee.environments.get
apigee.environments.getIamPolicy
apigee.environments.getStats
apigee.environments.list
apigee.environments.setIamPolicy
apigee.environments.update
apigee.flowhooks.*
apigee.ingressconfigs.get
apigee.keystorealiases.*
apigee.keystores.*
apigee.keyvaluemapentries.*
apigee.keyvaluemaps.*
apigee.maskconfigs.*
apigee.organizations.get
apigee.organizations.list
apigee.projectorganizations.get
apigee.proxies.get
apigee.proxies.list
apigee.proxyrevisions.deploy
apigee.proxyrevisions.get
apigee.proxyrevisions.list
apigee.proxyrevisions.undeploy
apigee.references.*
apigee.resourcefiles.*
apigee.sharedflowrevisions.deploy
apigee.sharedflowrevisions.get
apigee.sharedflowrevisions.list
apigee.sharedflowrevisions.undeploy
apigee.sharedflows.get
apigee.sharedflows.list
apigee.targetservers.*
apigee.traceconfig.*
apigee.traceconfigoverrides.*
apigee.tracesessions.*
resourcemanager.projects.get
resourcemanager.projects.getIamPolicy
resourcemanager.projects.list
Apigee Monetization Admin
(roles/apigee.monetizationAdmin)
All permissions related to monetization
apigee.apiproducts.get
apigee.apiproducts.list
apigee.developerbalances.*
apigee.developermonetizationconfigs.*
apigee.developersubscriptions.*
apigee.entitlements.get
apigee.organizations.get
apigee.organizations.list
apigee.projectorganizations.get
apigee.rateplans.*
resourcemanager.projects.get
resourcemanager.projects.list
Apigee Portal Admin
(roles/apigee.portalAdmin)
Portal admin for an Apigee Organization
apigee.entitlements.get
apigee.organizations.get
apigee.organizations.list
apigee.portals.*
apigee.projectorganizations.get
resourcemanager.projects.get
resourcemanager.projects.list
Apigee Read-only Admin
(roles/apigee.readOnlyAdmin)
Viewer of all apigee resources
apigee.addonsconfig.get
apigee.apiproductattributes.get
apigee.apiproductattributes.list
apigee.apiproducts.get
apigee.apiproducts.list
apigee.appgroupapps.get
apigee.appgroupapps.list
apigee.appgroups.get
apigee.appgroups.list
apigee.appkeys.get
apigee.apps.*
apigee.archivedeployments.download
apigee.archivedeployments.get
apigee.archivedeployments.list
apigee.caches.list
apigee.canaryevaluations.get
apigee.datacollectors.get
apigee.datacollectors.list
apigee.datalocation.get
apigee.datastores.get
apigee.datastores.list
apigee.deployments.get
apigee.deployments.list
apigee.developerappattributes.get
apigee.developerappattributes.list
apigee.developerapps.get
apigee.developerapps.list
apigee.developerattributes.get
apigee.developerattributes.list
apigee.developerbalances.get
apigee.developermonetizationconfigs.get
apigee.developers.get
apigee.developers.list
apigee.developersubscriptions.get
apigee.developersubscriptions.list
apigee.endpointattachments.get
apigee.endpointattachments.list
apigee.entitlements.get
apigee.envgroupattachments.get
apigee.envgroupattachments.list
apigee.envgroups.get
apigee.envgroups.list
apigee.environments.get
apigee.environments.getDataLocation
apigee.environments.getIamPolicy
apigee.environments.getStats
apigee.environments.list
apigee.exports.get
apigee.exports.list
apigee.flowhooks.getSharedFlow
apigee.flowhooks.list
apigee.hostqueries.get
apigee.hostqueries.list
apigee.hostsecurityreports.get
apigee.hostsecurityreports.list
apigee.hoststats.get
apigee.ingressconfigs.get
apigee.instanceattachments.get
apigee.instanceattachments.list
apigee.instances.get
apigee.instances.list
apigee.keystorealiases.get
apigee.keystorealiases.list
apigee.keystores.get
apigee.keystores.list
apigee.keyvaluemapentries.get
apigee.keyvaluemapentries.list
apigee.keyvaluemaps.list
apigee.maskconfigs.get
apigee.nataddresses.get
apigee.nataddresses.list
apigee.operations.*
apigee.organizations.get
apigee.organizations.list
apigee.portals.get
apigee.portals.list
apigee.projectorganizations.get
apigee.proxies.get
apigee.proxies.list
apigee.proxyrevisions.get
apigee.proxyrevisions.list
apigee.queries.get
apigee.queries.list
apigee.rateplans.get
apigee.rateplans.list
apigee.references.get
apigee.references.list
apigee.reports.get
apigee.reports.list
apigee.resourcefiles.get
apigee.resourcefiles.list
apigee.runtimeconfigs.get
apigee.securityActions.get
apigee.securityActions.list
apigee.securityActionsConfig.get
apigee.securityFeedback.get
apigee.securityFeedback.list
apigee.securityIncidents.get
apigee.securityIncidents.list
apigee.securityProfileEnvironments.computeScore
apigee.securityProfiles.get
apigee.securityProfiles.list
apigee.securitySettings.get
apigee.securityStats.*
apigee.securityreports.get
apigee.securityreports.list
apigee.setupcontexts.get
apigee.sharedflowrevisions.get
apigee.sharedflowrevisions.list
apigee.sharedflows.get
apigee.sharedflows.list
apigee.targetservers.get
apigee.targetservers.list
apigee.traceconfig.get
apigee.traceconfigoverrides.get
apigee.traceconfigoverrides.list
apigee.tracesessions.get
apigee.tracesessions.list
monitoring.timeSeries.list
resourcemanager.projects.get
resourcemanager.projects.getIamPolicy
resourcemanager.projects.list
Apigee Runtime Agent
(roles/apigee.runtimeAgent)
Curated set of permissions for a runtime agent to access Apigee Organization resources
apigee.canaryevaluations.*
apigee.entitlements.get
apigee.ingressconfigs.get
apigee.instances.reportStatus
apigee.operations.*
apigee.organizations.get
apigee.projectorganizations.get
apigee.runtimeconfigs.get
Apigee Security Admin
(roles/apigee.securityAdmin)
Security admin for an Apigee Organization
apigee.addonsconfig.get
apigee.entitlements.get
apigee.envgroupattachments.get
apigee.envgroupattachments.list
apigee.envgroups.get
apigee.envgroups.list
apigee.environments.get
apigee.environments.list
apigee.hostsecurityreports.*
apigee.organizations.get
apigee.organizations.list
apigee.projectorganizations.get
apigee.securityActions.*
apigee.securityActionsConfig.*
apigee.securityFeedback.*
apigee.securityIncidents.*
apigee.securityProfileEnvironments.*
apigee.securityProfiles.*
apigee.securitySettings.*
apigee.securityStats.*
apigee.securityreports.*
resourcemanager.projects.get
resourcemanager.projects.list
Apigee Security Viewer
(roles/apigee.securityViewer)
Security viewer for an Apigee Organization
apigee.addonsconfig.get
apigee.entitlements.get
apigee.envgroupattachments.get
apigee.envgroupattachments.list
apigee.envgroups.get
apigee.envgroups.list
apigee.environments.get
apigee.environments.list
apigee.hostsecurityreports.get
apigee.hostsecurityreports.list
apigee.organizations.get
apigee.organizations.list
apigee.projectorganizations.get
apigee.securityActions.get
apigee.securityActions.list
apigee.securityActionsConfig.get
apigee.securityFeedback.get
apigee.securityFeedback.list
apigee.securityIncidents.get
apigee.securityIncidents.list
apigee.securityProfileEnvironments.computeScore
apigee.securityProfiles.get
apigee.securityProfiles.list
apigee.securitySettings.get
apigee.securityStats.*
apigee.securityreports.get
apigee.securityreports.list
resourcemanager.projects.get
resourcemanager.projects.list
Apigee Synchronizer Manager
(roles/apigee.synchronizerManager)
Curated set of permissions for a Synchronizer to manage environments in an Apigee Organization
apigee.environments.get
apigee.environments.manageRuntime
apigee.ingressconfigs.get
Apigee Connect Admin
(roles/apigeeconnect.Admin)
Admin of Apigee Connect
apigeeconnect.connections.list
Apigee Connect Agent
(roles/apigeeconnect.Agent)
Ability to set up Apigee Connect agent between external clusters and Google.
apigeeconnect.endpoints.connect
Apigee Registry roles
Permissions
Cloud Apigee Registry Admin
Beta
(roles/apigeeregistry.admin)
Full access to Cloud Apigee Registry and Runtime resources.
apigeeregistry.*
resourcemanager.projects.get
resourcemanager.projects.list
Cloud Apigee Registry Editor
Beta
(roles/apigeeregistry.editor)
Edit access to Cloud Apigee Registry resources.
apigeeregistry.apis.create
apigeeregistry.apis.delete
apigeeregistry.apis.get
apigeeregistry.apis.getIamPolicy
apigeeregistry.apis.list
apigeeregistry.apis.update
apigeeregistry.artifacts.create
apigeeregistry.artifacts.delete
apigeeregistry.artifacts.get
apigeeregistry.artifacts.getIamPolicy
apigeeregistry.artifacts.list
apigeeregistry.artifacts.update
apigeeregistry.deployments.*
apigeeregistry.specs.create
apigeeregistry.specs.delete
apigeeregistry.specs.get
apigeeregistry.specs.getIamPolicy
apigeeregistry.specs.list
apigeeregistry.specs.update
apigeeregistry.versions.create
apigeeregistry.versions.delete
apigeeregistry.versions.get
apigeeregistry.versions.getIamPolicy
apigeeregistry.versions.list
apigeeregistry.versions.update
resourcemanager.projects.get
resourcemanager.projects.list
Cloud Apigee Registry Viewer
Beta
(roles/apigeeregistry.viewer)
Read-only access to Cloud Apigee Registry resources.
apigeeregistry.apis.get
apigeeregistry.apis.list
apigeeregistry.artifacts.get
apigeeregistry.artifacts.list
apigeeregistry.deployments.get
apigeeregistry.deployments.list
apigeeregistry.specs.get
apigeeregistry.specs.list
apigeeregistry.versions.get
apigeeregistry.versions.list
resourcemanager.projects.get
resourcemanager.projects.list
Cloud Apigee Registry Worker
Beta
(roles/apigeeregistry.worker)
The role used by Apigee Registry application workers to read and update Apigee Registry Artifacts.
apigeeregistry.apis.get
apigeeregistry.apis.list
apigeeregistry.apis.update
apigeeregistry.artifacts.create
apigeeregistry.artifacts.delete
apigeeregistry.artifacts.get
apigeeregistry.artifacts.list
apigeeregistry.artifacts.update
apigeeregistry.deployments.get
apigeeregistry.deployments.list
apigeeregistry.deployments.update
apigeeregistry.specs.get
apigeeregistry.specs.list
apigeeregistry.specs.update
apigeeregistry.versions.get
apigeeregistry.versions.list
apigeeregistry.versions.update
resourcemanager.projects.get
resourcemanager.projects.list
App Engine roles
Permissions
App Engine Admin
(roles/appengine.appAdmin)
Read/Write/Modify access to all application configuration and settings.
To deploy new versions, a principal must have the
Service Account User
(roles/iam.serviceAccountUser) role on the assigned App Engine
service account, and the Cloud Build Editor
(roles/cloudbuild.builds.editor), and Cloud Storage Object Admin
(roles/storage.objectAdmin) roles on the project.
Lowest-level resources where you can grant this role:
Project
appengine.applications.get
appengine.applications.listRuntimes
appengine.applications.update
appengine.instances.*
appengine.memcache.addKey
appengine.memcache.flush
appengine.memcache.get
appengine.memcache.update
appengine.operations.*
appengine.runtimes.actAsAdmin
appengine.services.*
appengine.versions.create
appengine.versions.delete
appengine.versions.get
appengine.versions.list
appengine.versions.update
resourcemanager.projects.get
resourcemanager.projects.list
App Engine Creator
(roles/appengine.appCreator)
Ability to create the App Engine resource for the project.
Lowest-level resources where you can grant this role:
Project
appengine.applications.create
resourcemanager.projects.get
resourcemanager.projects.list
App Engine Viewer
(roles/appengine.appViewer)
Read-only access to all application configuration and settings.
Lowest-level resources where you can grant this role:
Project
appengine.applications.get
appengine.applications.listRuntimes
appengine.instances.get
appengine.instances.list
appengine.operations.*
appengine.services.get
appengine.services.list
appengine.versions.get
appengine.versions.list
resourcemanager.projects.get
resourcemanager.projects.list
App Engine Code Viewer
(roles/appengine.codeViewer)
Read-only access to all application configuration, settings, and deployed
source code.
Lowest-level resources where you can grant this role:
Project
appengine.applications.get
appengine.applications.listRuntimes
appengine.instances.get
appengine.instances.list
appengine.operations.*
appengine.services.get
appengine.services.list
appengine.versions.get
appengine.versions.getFileContents
appengine.versions.list
resourcemanager.projects.get
resourcemanager.projects.list
App Engine Managed VM Debug Access
(roles/appengine.debugger)
Ability to read or manage v2 instances.
appengine.applications.get
appengine.applications.listRuntimes
appengine.instances.*
appengine.operations.*
appengine.services.get
appengine.services.list
appengine.versions.get
appengine.versions.list
resourcemanager.projects.get
resourcemanager.projects.list
App Engine Deployer
(roles/appengine.deployer)
Read-only access to all application configuration and settings.
To deploy new versions, you must also have the
Service Account User
(roles/iam.serviceAccountUser) role on the assigned App Engine
service account, and the Cloud
Build Editor (roles/cloudbuild.builds.editor), and Cloud Storage Object Admin
(roles/storage.objectAdmin) roles on the project.
Cannot modify existing versions other than deleting versions that are not receiving traffic.
Lowest-level resources where you can grant this role:
Project
appengine.applications.get
appengine.applications.listRuntimes
appengine.instances.get
appengine.instances.list
appengine.operations.*
appengine.services.get
appengine.services.list
appengine.versions.create
appengine.versions.delete
appengine.versions.get
appengine.versions.list
artifactregistry.repositories.deleteArtifacts
artifactregistry.repositories.downloadArtifacts
artifactregistry.repositories.uploadArtifacts
resourcemanager.projects.get
resourcemanager.projects.list
App Engine Memcache Data Admin
(roles/appengine.memcacheDataAdmin)
Can get, set, delete, and flush App Engine Memcache items.
appengine.applications.get
appengine.memcache.addKey
appengine.memcache.flush
appengine.memcache.get
appengine.memcache.update
resourcemanager.projects.get
resourcemanager.projects.list
App Engine Service Admin
(roles/appengine.serviceAdmin)
Read-only access to all application configuration and settings.
Write access to module-level and version-level settings. Cannot deploy a new version.
Lowest-level resources where you can grant this role:
Project
appengine.applications.get
appengine.applications.listRuntimes
appengine.instances.delete
appengine.instances.get
appengine.instances.list
appengine.operations.*
appengine.services.*
appengine.versions.delete
appengine.versions.get
appengine.versions.list
appengine.versions.update
resourcemanager.projects.get
resourcemanager.projects.list
Artifact Registry roles
Permissions
Artifact Registry Administrator
(roles/artifactregistry.admin)
Administrator access to create and manage repositories.
Backup and DR roles
Permissions
Backup and DR Cloud Storage Operator
(roles/backupdr.cloudStorageOperator)
Allows a Backup and DR service account to store and manage data (backups or metadata) in Cloud Storage.
storage.buckets.create
storage.buckets.get
storage.objects.create
storage.objects.delete
storage.objects.get
storage.objects.list
Backup and DR Compute Engine Operator
(roles/backupdr.computeEngineOperator)
Allows a Backup and DR service account to discover, back up, and restore Compute Engine VM instances.
compute.addresses.list
compute.addresses.use
compute.diskTypes.*
compute.disks.create
compute.disks.createSnapshot
compute.disks.delete
compute.disks.get
compute.disks.setLabels
compute.disks.use
compute.firewalls.list
compute.globalOperations.get
compute.images.create
compute.images.delete
compute.images.get
compute.images.useReadOnly
compute.instances.attachDisk
compute.instances.create
compute.instances.delete
compute.instances.detachDisk
compute.instances.get
compute.instances.list
compute.instances.listEffectiveTags
compute.instances.setLabels
compute.instances.setMetadata
compute.instances.setServiceAccount
compute.instances.setTags
compute.instances.start
compute.instances.stop
compute.machineTypes.*
compute.networks.list
compute.nodeGroups.get
compute.nodeGroups.list
compute.nodeTemplates.get
compute.projects.get
compute.regionOperations.get
compute.regions.*
compute.snapshots.create
compute.snapshots.delete
compute.snapshots.get
compute.snapshots.setLabels
compute.snapshots.useReadOnly
compute.subnetworks.list
compute.subnetworks.use
compute.subnetworks.useExternalIp
compute.zoneOperations.get
compute.zones.list
iam.serviceAccounts.actAs
iam.serviceAccounts.get
iam.serviceAccounts.list
resourcemanager.projects.get
resourcemanager.projects.list
Backup and DR Mount User
(roles/backupdr.mountUser)
Allows the user to mount from a backup. This role cannot create a backup plan or restore from a backup.
backupdr.locations.*
backupdr.managementServers.access
backupdr.managementServers.get
backupdr.managementServers.getDynamicProtection
backupdr.managementServers.list
backupdr.managementServers.listDynamicProtection
backupdr.managementServers.manageApplications
backupdr.managementServers.manageClones
backupdr.managementServers.manageHosts
backupdr.managementServers.manageLiveClones
backupdr.managementServers.manageMirroring
backupdr.managementServers.manageMounts
backupdr.managementServers.manageWorkflows
backupdr.managementServers.refreshWorkflows
backupdr.managementServers.runWorkflows
backupdr.managementServers.viewBackupPlans
backupdr.managementServers.viewReports
backupdr.managementServers.viewStorage
backupdr.managementServers.viewSystem
backupdr.managementServers.viewWorkflows
backupdr.operations.get
backupdr.operations.list
resourcemanager.projects.get
resourcemanager.projects.list
Backup and DR Restore User
(roles/backupdr.restoreUser)
Allows the user to restore or mount from a backup. This role cannot create a backup plan.
backupdr.locations.*
backupdr.managementServers.access
backupdr.managementServers.get
backupdr.managementServers.getDynamicProtection
backupdr.managementServers.list
backupdr.managementServers.listDynamicProtection
backupdr.managementServers.manageApplications
backupdr.managementServers.manageClones
backupdr.managementServers.manageHosts
backupdr.managementServers.manageLiveClones
backupdr.managementServers.manageMigrations
backupdr.managementServers.manageMirroring
backupdr.managementServers.manageMounts
backupdr.managementServers.manageRestores
backupdr.managementServers.manageWorkflows
backupdr.managementServers.refreshWorkflows
backupdr.managementServers.runWorkflows
backupdr.managementServers.testFailOvers
backupdr.managementServers.viewBackupPlans
backupdr.managementServers.viewReports
backupdr.managementServers.viewStorage
backupdr.managementServers.viewSystem
backupdr.managementServers.viewWorkflows
backupdr.operations.get
backupdr.operations.list
resourcemanager.projects.get
resourcemanager.projects.list
Backup and DR User
(roles/backupdr.user)
Provides access to management console. Granular Backup and DR permissions depend on ACL configuration provided by Backup and DR admin within the management console.
backupdr.managementServers.access
backupdr.managementServers.backupAccess
backupdr.managementServers.get
backupdr.managementServers.getDynamicProtection
backupdr.managementServers.getIamPolicy
backupdr.managementServers.list
backupdr.managementServers.listDynamicProtection
backupdr.managementServers.viewBackupPlans
backupdr.managementServers.viewBackupServers
backupdr.managementServers.viewReports
backupdr.managementServers.viewStorage
backupdr.managementServers.viewSystem
backupdr.managementServers.viewWorkflows
backupdr.operations.get
backupdr.operations.list
resourcemanager.projects.get
resourcemanager.projects.list
Backup and DR User V2
(roles/backupdr.userv2)
Provides full access to Backup and DR resources except deploying and managing backup infrastructure, expiring backups, changing data sensitivity and configuring on-premises billing.
Backup and DR Viewer
(roles/backupdr.viewer)
Provides read-only access to all Backup and DR resources.
backupdr.locations.*
backupdr.managementServers.access
backupdr.managementServers.backupAccess
backupdr.managementServers.get
backupdr.managementServers.getDynamicProtection
backupdr.managementServers.getIamPolicy
backupdr.managementServers.list
backupdr.managementServers.listDynamicProtection
backupdr.managementServers.viewBackupPlans
backupdr.managementServers.viewBackupServers
backupdr.managementServers.viewReports
backupdr.managementServers.viewStorage
backupdr.managementServers.viewSystem
backupdr.managementServers.viewWorkflows
backupdr.operations.get
backupdr.operations.list
resourcemanager.projects.get
resourcemanager.projects.list
Backup for GKE roles
Permissions
Backup for GKE Admin
(roles/gkebackup.admin)
Full access to all Backup for GKE resources.
gkebackup.*
resourcemanager.projects.get
resourcemanager.projects.list
Backup for GKE Backup Admin
(roles/gkebackup.backupAdmin)
Allows administrators to manage all BackupPlan and Backup resources.
gkebackup.backupPlans.*
gkebackup.backups.*
gkebackup.locations.*
gkebackup.operations.get
gkebackup.operations.list
gkebackup.volumeBackups.*
resourcemanager.projects.get
resourcemanager.projects.list
Backup for GKE Delegated Backup Admin
(roles/gkebackup.delegatedBackupAdmin)
Allows administrators to manage Backup resources for specific BackupPlans
gkebackup.backupPlans.get
gkebackup.backups.*
gkebackup.volumeBackups.*
Backup for GKE Delegated Restore Admin
(roles/gkebackup.delegatedRestoreAdmin)
Allows administrators to manage Restore resources for specific RestorePlans
gkebackup.restorePlans.get
gkebackup.restores.*
gkebackup.volumeRestores.*
Backup for GKE Restore Admin
(roles/gkebackup.restoreAdmin)
Allows administrators to manage all RestorePlan and Restore resources.
gkebackup.backupPlans.get
gkebackup.backupPlans.list
gkebackup.backups.get
gkebackup.backups.getBackupIndex
gkebackup.backups.list
gkebackup.locations.*
gkebackup.operations.get
gkebackup.operations.list
gkebackup.restorePlans.*
gkebackup.restores.*
gkebackup.volumeBackups.*
gkebackup.volumeRestores.*
resourcemanager.projects.get
resourcemanager.projects.list
Backup for GKE Viewer
(roles/gkebackup.viewer)
Read-only access to all Backup for GKE resources.
gkebackup.backupPlans.get
gkebackup.backupPlans.getIamPolicy
gkebackup.backupPlans.list
gkebackup.backups.get
gkebackup.backups.getBackupIndex
gkebackup.backups.list
gkebackup.locations.*
gkebackup.operations.get
gkebackup.operations.list
gkebackup.restorePlans.get
gkebackup.restorePlans.getIamPolicy
gkebackup.restorePlans.list
gkebackup.restores.get
gkebackup.restores.list
gkebackup.volumeBackups.*
gkebackup.volumeRestores.*
resourcemanager.projects.get
resourcemanager.projects.list
Bare Metal Solution roles
Permissions
Bare Metal Solution Admin
(roles/baremetalsolution.admin)
Administrator of Bare Metal Solution resources
baremetalsolution.instancequotas.list
baremetalsolution.instances.*
baremetalsolution.luns.*
baremetalsolution.maintenanceevents.*
baremetalsolution.networkquotas.list
baremetalsolution.networks.*
baremetalsolution.nfsshares.*
baremetalsolution.operations.get
baremetalsolution.osimages.list
baremetalsolution.procurements.get
baremetalsolution.procurements.list
baremetalsolution.skus.list
baremetalsolution.snapshotschedulepolicies.*
baremetalsolution.sshKeys.*
baremetalsolution.storageaggregatepools.list
baremetalsolution.volumequotas.list
baremetalsolution.volumes.*
baremetalsolution.volumesnapshots.*
resourcemanager.projects.get
resourcemanager.projects.list
Bare Metal Solution Editor
(roles/baremetalsolution.editor)
Editor of Bare Metal Solution resources
baremetalsolution.instancequotas.list
baremetalsolution.instances.*
baremetalsolution.luns.*
baremetalsolution.maintenanceevents.*
baremetalsolution.networkquotas.list
baremetalsolution.networks.*
baremetalsolution.nfsshares.*
baremetalsolution.operations.get
baremetalsolution.osimages.list
baremetalsolution.procurements.get
baremetalsolution.procurements.list
baremetalsolution.skus.list
baremetalsolution.snapshotschedulepolicies.*
baremetalsolution.sshKeys.*
baremetalsolution.storageaggregatepools.list
baremetalsolution.volumequotas.list
baremetalsolution.volumes.*
baremetalsolution.volumesnapshots.*
resourcemanager.projects.get
resourcemanager.projects.list
Bare Metal Solution Instances Admin
(roles/baremetalsolution.instancesadmin)
Admin of Bare Metal Solution Instance resources
baremetalsolution.instances.*
baremetalsolution.operations.get
baremetalsolution.osimages.list
resourcemanager.projects.get
resourcemanager.projects.list
Bare Metal Solution Instances Viewer
(roles/baremetalsolution.instancesviewer)
Viewer of Bare Metal Solution Instance resources
baremetalsolution.instancequotas.list
baremetalsolution.instances.get
baremetalsolution.instances.list
baremetalsolution.operations.get
resourcemanager.projects.get
resourcemanager.projects.list
Luns Admin
(roles/baremetalsolution.lunsadmin)
Administrator of Bare Metal Solution Lun resources
baremetalsolution.luns.get
baremetalsolution.luns.list
baremetalsolution.operations.get
Luns Viewer
(roles/baremetalsolution.lunsviewer)
Viewer of Bare Metal Solution Lun resources
baremetalsolution.luns.get
baremetalsolution.luns.list
baremetalsolution.operations.get
Maintenance Events Admin
(roles/baremetalsolution.maintenanceeventsadmin)
Administrator of Bare Metal Solution maintenance events resources
baremetalsolution.maintenanceevents.*
Maintenance Events Editor
(roles/baremetalsolution.maintenanceeventseditor)
Editor of Bare Metal Solution maintenance events resources
baremetalsolution.maintenanceevents.*
Maintenance Events Viewer
(roles/baremetalsolution.maintenanceeventsviewer)
Viewer of Bare Metal Solution maintenance events resources
baremetalsolution.maintenanceevents.get
baremetalsolution.maintenanceevents.list
Networks Admin
(roles/baremetalsolution.networksadmin)
Admin of Bare Metal Solution networks resources
baremetalsolution.networkquotas.list
baremetalsolution.networks.*
baremetalsolution.operations.get
NFS Shares Admin
(roles/baremetalsolution.nfssharesadmin)
Administrator of Bare Metal Solution NFS Share resources
baremetalsolution.nfsshares.*
baremetalsolution.operations.get
NFS Shares Editor
(roles/baremetalsolution.nfsshareseditor)
Editor of Bare Metal Solution NFS Share resources
baremetalsolution.nfsshares.*
baremetalsolution.operations.get
NFS Shares Viewer
(roles/baremetalsolution.nfssharesviewer)
Viewer of Bare Metal Solution NFS Share resources
baremetalsolution.nfsshares.get
baremetalsolution.nfsshares.list
baremetalsolution.operations.get
OS Images Viewer
(roles/baremetalsolution.osimagesviewer)
Viewer of Bare Metal Solution OS images resources
baremetalsolution.osimages.list
Bare Metal Solution Procurements Admin
(roles/baremetalsolution.procurementsadmin)
Administrator of Bare Metal Solution Procurements
baremetalsolution.procurements.*
baremetalsolution.skus.list
Bare Metal Solution Procurements Editor
(roles/baremetalsolution.procurementseditor)
Editor of Bare Metal Solution Procurements
baremetalsolution.procurements.*
baremetalsolution.skus.list
Bare Metal Solution Procurements Viewer
(roles/baremetalsolution.procurementsviewer)
Viewer of Bare Metal Solution Procurements
baremetalsolution.procurements.get
baremetalsolution.procurements.list
baremetalsolution.skus.list
Bare Metal Solution Storage Admin
(roles/baremetalsolution.storageadmin)
Administrator of Bare Metal Solution storage resources
baremetalsolution.luns.*
baremetalsolution.nfsshares.*
baremetalsolution.operations.get
baremetalsolution.snapshotschedulepolicies.*
baremetalsolution.storageaggregatepools.list
baremetalsolution.volumequotas.list
baremetalsolution.volumes.*
baremetalsolution.volumesnapshots.*
resourcemanager.projects.get
resourcemanager.projects.list
Bare Metal Solution Viewer
(roles/baremetalsolution.viewer)
Viewer of Bare Metal Solution resources
baremetalsolution.instancequotas.list
baremetalsolution.instances.get
baremetalsolution.instances.list
baremetalsolution.luns.get
baremetalsolution.luns.list
baremetalsolution.maintenanceevents.get
baremetalsolution.maintenanceevents.list
baremetalsolution.networkquotas.list
baremetalsolution.networks.get
baremetalsolution.networks.list
baremetalsolution.nfsshares.get
baremetalsolution.nfsshares.list
baremetalsolution.operations.get
baremetalsolution.osimages.list
baremetalsolution.procurements.get
baremetalsolution.procurements.list
baremetalsolution.skus.list
baremetalsolution.snapshotschedulepolicies.get
baremetalsolution.snapshotschedulepolicies.list
baremetalsolution.sshKeys.list
baremetalsolution.storageaggregatepools.list
baremetalsolution.volumequotas.list
baremetalsolution.volumes.get
baremetalsolution.volumes.list
baremetalsolution.volumesnapshots.get
baremetalsolution.volumesnapshots.list
resourcemanager.projects.get
resourcemanager.projects.list
Volume Admin
(roles/baremetalsolution.volumesadmin)
Administrator of Bare Metal Solution volume resources
baremetalsolution.operations.get
baremetalsolution.volumes.*
Volumes Editor
(roles/baremetalsolution.volumeseditor)
Editor of Bare Metal Solution volumes resources
baremetalsolution.operations.get
baremetalsolution.volumequotas.list
baremetalsolution.volumes.create
baremetalsolution.volumes.delete
baremetalsolution.volumes.get
baremetalsolution.volumes.list
baremetalsolution.volumes.rename
baremetalsolution.volumes.resize
baremetalsolution.volumes.update
Snapshots Admin
(roles/baremetalsolution.volumesnapshotsadmin)
Administrator of Bare Metal Solution snapshots resources
baremetalsolution.operations.get
baremetalsolution.volumesnapshots.*
Snapshots Editor
(roles/baremetalsolution.volumesnapshotseditor)
Editor of Bare Metal Solution snapshots resources
baremetalsolution.operations.get
baremetalsolution.volumesnapshots.create
baremetalsolution.volumesnapshots.delete
baremetalsolution.volumesnapshots.get
baremetalsolution.volumesnapshots.list
Snapshots Viewer
(roles/baremetalsolution.volumesnapshotsviewer)
Viewer of Bare Metal Solution snapshots resources
baremetalsolution.operations.get
baremetalsolution.volumesnapshots.get
baremetalsolution.volumesnapshots.list
Volumes Viewer
(roles/baremetalsolution.volumessviewer)
Viewer of Bare Metal Solution volumes resources
baremetalsolution.operations.get
baremetalsolution.volumes.get
baremetalsolution.volumes.list
BeyondCorp roles
Permissions
Cloud BeyondCorp Admin
Beta
(roles/beyondcorp.admin)
Full access to all Cloud BeyondCorp resources.
beyondcorp.appConnections.*
beyondcorp.appConnectors.*
beyondcorp.appGateways.*
beyondcorp.clientConnectorServices.create
beyondcorp.clientConnectorServices.delete
beyondcorp.clientConnectorServices.get
beyondcorp.clientConnectorServices.getIamPolicy
beyondcorp.clientConnectorServices.list
beyondcorp.clientConnectorServices.setIamPolicy
beyondcorp.clientConnectorServices.update
beyondcorp.clientGateways.*
beyondcorp.locations.*
beyondcorp.operations.*
beyondcorp.subscriptions.*
resourcemanager.projects.get
resourcemanager.projects.list
Cloud BeyondCorp Client Connector Admin
Beta
(roles/beyondcorp.clientConnectorAdmin)
Full access to all BeyondCorp Client Connector resources.
beyondcorp.clientConnectorServices.create
beyondcorp.clientConnectorServices.delete
beyondcorp.clientConnectorServices.get
beyondcorp.clientConnectorServices.getIamPolicy
beyondcorp.clientConnectorServices.list
beyondcorp.clientConnectorServices.setIamPolicy
beyondcorp.clientConnectorServices.update
beyondcorp.clientGateways.*
resourcemanager.projects.get
resourcemanager.projects.list
Cloud BeyondCorp Client Connector Service User
Beta
(roles/beyondcorp.clientConnectorServiceUser)
Access Client Connector Service
beyondcorp.clientConnectorServices.access
Cloud BeyondCorp Client Connector Viewer
Beta
(roles/beyondcorp.clientConnectorViewer)
Read-only access to all BeyondCorp Client Connector resources.
beyondcorp.clientConnectorServices.get
beyondcorp.clientConnectorServices.getIamPolicy
beyondcorp.clientConnectorServices.list
beyondcorp.clientGateways.get
beyondcorp.clientGateways.getIamPolicy
beyondcorp.clientGateways.list
resourcemanager.projects.get
resourcemanager.projects.list
Cloud BeyondCorp Partner Service Delegate Admin
Beta
(roles/beyondcorp.partnerServiceDelegateAdmin)
Delegates access to all BeyondCorp partner service resources to a BeyondCorp Enterprise partner.
beyondcorp.operations.*
beyondcorp.partnerTenants.*
beyondcorp.proxyConfigs.*
resourcemanager.organizations.get
Cloud BeyondCorp Partner Service Delegate Viewer
Beta
(roles/beyondcorp.partnerServiceDelegateViewer)
Delegates read-only access to all BeyondCorp partner service resources to a BeyondCorp Enterprise partner.
beyondcorp.partnerTenants.get
beyondcorp.partnerTenants.list
beyondcorp.proxyConfigs.get
beyondcorp.proxyConfigs.list
resourcemanager.organizations.get
Cloud BeyondCorp Subscription Admin
Beta
(roles/beyondcorp.subscriptionAdmin)
Full access to all BeyondCorp Subscription resources.
beyondcorp.subscriptions.*
resourcemanager.organizations.get
Cloud BeyondCorp Subscription Viewer
Beta
(roles/beyondcorp.subscriptionViewer)
Read-only access to all BeyondCorp Subscription resources.
beyondcorp.subscriptions.get
beyondcorp.subscriptions.list
resourcemanager.organizations.get
Cloud BeyondCorp Viewer
Beta
(roles/beyondcorp.viewer)
Read-only access to all Cloud BeyondCorp resources.
beyondcorp.appConnections.get
beyondcorp.appConnections.getIamPolicy
beyondcorp.appConnections.list
beyondcorp.appConnectors.get
beyondcorp.appConnectors.getIamPolicy
beyondcorp.appConnectors.list
beyondcorp.appGateways.get
beyondcorp.appGateways.getIamPolicy
beyondcorp.appGateways.list
beyondcorp.clientConnectorServices.get
beyondcorp.clientConnectorServices.getIamPolicy
beyondcorp.clientConnectorServices.list
beyondcorp.clientGateways.get
beyondcorp.clientGateways.getIamPolicy
beyondcorp.clientGateways.list
beyondcorp.locations.*
beyondcorp.operations.get
beyondcorp.operations.list
beyondcorp.subscriptions.get
beyondcorp.subscriptions.list
resourcemanager.organizations.get
resourcemanager.projects.get
resourcemanager.projects.list
BigQuery roles
Permissions
BigQuery Admin
(roles/bigquery.admin)
Provides permissions to manage all resources within the project. Can manage
all data within the project, and can cancel jobs from other users running
within the project.
Lowest-level resources where you can grant this role:
When applied to a table or view, this role provides permissions to:
Read and update data and metadata for the table or view.
Delete the table or view.
This role cannot be applied to individual models or routines.
When applied to a dataset, this role provides permissions to:
Read the dataset's metadata and list tables in the dataset.
Create, update, get, and delete the dataset's tables.
When applied at the project or organization level, this role can also
create new datasets.
Lowest-level resources where you can grant this role:
Table
View
bigquery.config.get
bigquery.datasets.create
bigquery.datasets.get
bigquery.datasets.getIamPolicy
bigquery.datasets.updateTag
bigquery.models.*
bigquery.routines.*
bigquery.tables.create
bigquery.tables.createIndex
bigquery.tables.createSnapshot
bigquery.tables.delete
bigquery.tables.deleteIndex
bigquery.tables.export
bigquery.tables.get
bigquery.tables.getData
bigquery.tables.getIamPolicy
bigquery.tables.list
bigquery.tables.replicateData
bigquery.tables.restoreSnapshot
bigquery.tables.update
bigquery.tables.updateData
bigquery.tables.updateTag
resourcemanager.projects.get
resourcemanager.projects.list
BigQuery Data Owner
(roles/bigquery.dataOwner)
When applied to a table or view, this role provides permissions to:
Read and update data and metadata for the table or view.
Share the table or view.
Delete the table or view.
This role cannot be applied to individual models or routines.
When applied to a dataset, this role provides permissions to:
Read, update, and delete the dataset.
Create, update, get, and delete the dataset's tables.
When applied at the project or organization level, this role can also
create new datasets.
Lowest-level resources where you can grant this role:
Table
View
bigquery.config.get
bigquery.dataPolicies.create
bigquery.dataPolicies.delete
bigquery.dataPolicies.get
bigquery.dataPolicies.getIamPolicy
bigquery.dataPolicies.list
bigquery.dataPolicies.setIamPolicy
bigquery.dataPolicies.update
bigquery.datasets.*
bigquery.models.*
bigquery.routines.*
bigquery.rowAccessPolicies.create
bigquery.rowAccessPolicies.delete
bigquery.rowAccessPolicies.getIamPolicy
bigquery.rowAccessPolicies.list
bigquery.rowAccessPolicies.setIamPolicy
bigquery.rowAccessPolicies.update
bigquery.tables.*
resourcemanager.projects.get
resourcemanager.projects.list
BigQuery Data Viewer
(roles/bigquery.dataViewer)
When applied to a table or view, this role provides permissions to:
Read data and metadata from the table or view.
This role cannot be applied to individual models or routines.
When applied to a dataset, this role provides permissions to list all of the resources in the
dataset (such as tables, views, snapshots, models, and routines) and to read their data and metadata
with applicable APIs and in queries.
When applied at the project or organization level, this role can also
enumerate all datasets in the project. Additional roles, however, are
necessary to allow the running of jobs.
Lowest-level resources where you can grant this role:
Table
View
bigquery.datasets.get
bigquery.datasets.getIamPolicy
bigquery.models.export
bigquery.models.getData
bigquery.models.getMetadata
bigquery.models.list
bigquery.routines.get
bigquery.routines.list
bigquery.tables.createSnapshot
bigquery.tables.export
bigquery.tables.get
bigquery.tables.getData
bigquery.tables.getIamPolicy
bigquery.tables.list
bigquery.tables.replicateData
resourcemanager.projects.get
resourcemanager.projects.list
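Two points on this page are easy to miss when reading the flat lists: several Admin/Editor pairs above (for example the Bare Metal Solution maintenance events, NFS shares and procurements roles) carry identical permission lists, so the "Editor" is not actually less privileged than the "Admin"; and BigQuery Data Viewer grants `bigquery.tables.getData` but not `bigquery.jobs.create`, which is why "additional roles are necessary to allow the running of jobs". The script below is an added example (not Google's code) that makes both checks mechanical: it expands the page's `.*` wildcards, diffs two roles, reports which required permissions a set of roles leaves out, and flags roles that can rewrite an IAM policy. `ROLES` is a hand-copied subset of the lists on this page, and `UNIVERSE` is a constructed permission set used only to expand wildcards, so its verb lists are an assumption rather than the authoritative set; for real data load the `includedPermissions` field of `gcloud iam roles describe ROLE --format=json`.

```python
"""Least-privilege checks over IAM predefined-role permission lists (added example)."""
from typing import Dict, Iterable, List, Set, Tuple

# Hand-copied subset of the roles on this page; not the complete lists.
ROLES: Dict[str, List[str]] = {
    "roles/baremetalsolution.maintenanceeventsadmin": [
        "baremetalsolution.maintenanceevents.*"],
    "roles/baremetalsolution.maintenanceeventseditor": [
        "baremetalsolution.maintenanceevents.*"],
    "roles/baremetalsolution.maintenanceeventsviewer": [
        "baremetalsolution.maintenanceevents.get",
        "baremetalsolution.maintenanceevents.list"],
    "roles/bigquery.dataViewer": [
        "bigquery.datasets.get", "bigquery.datasets.getIamPolicy",
        "bigquery.tables.get", "bigquery.tables.getData",
        "bigquery.tables.getIamPolicy", "bigquery.tables.list",
        "resourcemanager.projects.get", "resourcemanager.projects.list"],
    "roles/bigquery.jobUser": [
        "bigquery.config.get", "bigquery.jobs.create",
        "resourcemanager.projects.get", "resourcemanager.projects.list"],
    "roles/beyondcorp.clientConnectorViewer": [
        "beyondcorp.clientConnectorServices.get",
        "beyondcorp.clientConnectorServices.getIamPolicy",
        "beyondcorp.clientConnectorServices.list",
        "beyondcorp.clientGateways.get",
        "beyondcorp.clientGateways.getIamPolicy",
        "beyondcorp.clientGateways.list"],
    "roles/beyondcorp.clientConnectorAdmin": [
        "beyondcorp.clientConnectorServices.create",
        "beyondcorp.clientConnectorServices.delete",
        "beyondcorp.clientConnectorServices.get",
        "beyondcorp.clientConnectorServices.getIamPolicy",
        "beyondcorp.clientConnectorServices.list",
        "beyondcorp.clientConnectorServices.setIamPolicy",
        "beyondcorp.clientConnectorServices.update",
        "beyondcorp.clientGateways.*"],
}

# Constructed permission universe (assumption): every concrete name above, plus a
# plausible verb set for each resource type the page only shows as `.*`.
UNIVERSE: Set[str] = {p for perms in ROLES.values() for p in perms if not p.endswith(".*")}
UNIVERSE |= {f"baremetalsolution.maintenanceevents.{v}" for v in ("get", "list", "update")}
UNIVERSE |= {f"beyondcorp.clientGateways.{v}" for v in
             ("create", "delete", "get", "getIamPolicy", "list", "setIamPolicy")}


def expand(perms: Iterable[str], universe: Set[str] = UNIVERSE) -> Set[str]:
    """Replace each `service.resource.*` entry with every universe permission on that resource."""
    out: Set[str] = set()
    for p in perms:
        if p.endswith(".*"):
            prefix = p[:-1]  # keep the trailing dot: "service.resource."
            out |= {u for u in universe
                    if u.startswith(prefix) and "." not in u[len(prefix):]}
        else:
            out.add(p)
    return out


def effective(roles: Iterable[str]) -> Set[str]:
    """Union of the expanded permissions of every role granted to a principal."""
    return set().union(*(expand(ROLES[r]) for r in roles))


def diff_roles(a: str, b: str) -> Tuple[Set[str], Set[str]]:
    """(permissions only in a, permissions only in b) after wildcard expansion."""
    pa, pb = expand(ROLES[a]), expand(ROLES[b])
    return pa - pb, pb - pa


def missing_for(roles: Iterable[str], needed: Set[str]) -> Set[str]:
    """Permissions in `needed` that the given role set does not grant."""
    return needed - effective(roles)


def iam_policy_writers(roles: Dict[str, List[str]] = ROLES) -> Dict[str, Set[str]]:
    """Roles able to rewrite an IAM policy, directly or through a `.*` wildcard."""
    found: Dict[str, Set[str]] = {}
    for name, perms in roles.items():
        hits = {p for p in expand(perms) if p.endswith(".setIamPolicy")}
        if hits:
            found[name] = hits
    return found


# Running a query against a table needs a job in the project plus data read on the table.
QUERY_NEEDS = {"bigquery.jobs.create", "bigquery.tables.get", "bigquery.tables.getData"}

if __name__ == "__main__":
    admin = "roles/baremetalsolution.maintenanceeventsadmin"
    editor = "roles/baremetalsolution.maintenanceeventseditor"
    print("admin-only / editor-only:", diff_roles(admin, editor))  # both empty: same privilege
    print("dataViewer alone lacks:", missing_for(["roles/bigquery.dataViewer"], QUERY_NEEDS))
    print("dataViewer + jobUser lacks:",
          missing_for(["roles/bigquery.dataViewer", "roles/bigquery.jobUser"], QUERY_NEEDS))
    for role, perms in iam_policy_writers().items():
        print(role, "can set IAM policy via", sorted(perms))
```

Because the wildcard universe is constructed, the diff of two roles is only as good as that universe; when you run this against `gcloud iam roles describe` output, the expanded lists come back from the API and no local universe is needed.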
BigQuery Filtered Data Viewer
(roles/bigquery.filteredDataViewer)
Access to view filtered table data defined by a row access policy
bigquery.rowAccessPolicies.getFilteredData
BigQuery Job User
(roles/bigquery.jobUser)
Provides permissions to run jobs, including queries, within the project.
Lowest-level resources where you can grant this role:
Project
bigquery.config.get
bigquery.jobs.create
dataform.locations.*
dataform.repositories.create
dataform.repositories.list
resourcemanager.projects.get
resourcemanager.projects.list
BigQuery Metadata Viewer
(roles/bigquery.metadataViewer)
When applied to a table or view, this role provides permissions to:
Read metadata from the table or view.
This role cannot be applied to individual models or routines.
When applied to a dataset, this role provides permissions to:
List tables and views in the dataset.
Read metadata from the dataset's tables and views.
When applied at the project or organization level, this role provides permissions to:
List all datasets and read metadata for all datasets in the project.
List all tables and views and read metadata for all tables and views
in the project.
Additional roles are necessary to allow the running of jobs.
Lowest-level resources where you can grant this role:
Table
View
bigquery.datasets.get
bigquery.datasets.getIamPolicy
bigquery.models.getMetadata
bigquery.models.list
bigquery.routines.get
bigquery.routines.list
bigquery.tables.get
bigquery.tables.getIamPolicy
bigquery.tables.list
resourcemanager.projects.get
resourcemanager.projects.list
BigQuery Read Session User
(roles/bigquery.readSessionUser)
Provides the ability to create and use read sessions.
Lowest-level resources where you can grant this role:
Project
bigquery.readsessions.*
resourcemanager.projects.get
resourcemanager.projects.list
BigQuery Resource Admin
(roles/bigquery.resourceAdmin)
Administers BigQuery workloads, including slot assignments, commitments, and reservations.
Combination role of BigQuery Job User, BigQuery Read Session User, Dataform Code Creator, and Notebook Runtime User.
aiplatform.notebookRuntimeTemplates.apply
aiplatform.notebookRuntimeTemplates.get
aiplatform.notebookRuntimeTemplates.getIamPolicy
aiplatform.notebookRuntimeTemplates.list
aiplatform.notebookRuntimes.assign
aiplatform.notebookRuntimes.get
aiplatform.notebookRuntimes.list
aiplatform.operations.list
bigquery.config.get
bigquery.jobs.create
bigquery.readsessions.*
dataform.locations.*
dataform.repositories.create
dataform.repositories.list
resourcemanager.projects.get
resourcemanager.projects.list
BigQuery User
(roles/bigquery.user)
When applied to a dataset, this role provides the ability to read the dataset's metadata and list
tables in the dataset.
When applied to a project, this role also provides the ability to run jobs, including queries,
within the project. A principal with this role can enumerate their own jobs, cancel their own jobs, and
enumerate datasets within a project. Additionally, allows the creation of new datasets within the
project; the creator is granted the BigQuery Data Owner role (roles/bigquery.dataOwner)
on these new datasets.
Lowest-level resources where you can grant this role:
Dataset
bigquery.bireservations.get
bigquery.capacityCommitments.get
bigquery.capacityCommitments.list
bigquery.config.get
bigquery.datasets.create
bigquery.datasets.get
bigquery.datasets.getIamPolicy
bigquery.jobs.create
bigquery.jobs.list
bigquery.models.list
bigquery.readsessions.*
bigquery.reservationAssignments.list
bigquery.reservationAssignments.search
bigquery.reservations.get
bigquery.reservations.list
bigquery.routines.list
bigquery.savedqueries.get
bigquery.savedqueries.list
bigquery.tables.list
bigquery.transfers.get
bigquerymigration.translation.translate
dataform.locations.*
dataform.repositories.create
dataform.repositories.list
resourcemanager.projects.get
resourcemanager.projects.list
Masked Reader
(roles/bigquerydatapolicy.maskedReader)
Masked read access to sub-resources tagged by the policy tag associated with a data policy, for example, BigQuery columns
bigquery.dataPolicies.maskedGet
Billing roles
Permissions
Billing Account Administrator
(roles/billing.admin)
Provides access to see and manage all aspects of billing accounts.
Lowest-level resources where you can grant this role:
Administers all Bigtable instances within a project, including the data stored within
tables. Can create new instances. Intended for project administrators.
Lowest-level resources where you can grant this role:
Table
bigtable.*
monitoring.metricDescriptors.get
monitoring.metricDescriptors.list
monitoring.timeSeries.*
resourcemanager.projects.get
Bigtable Reader
(roles/bigtable.reader)
Provides read-only access to the data stored within Bigtable tables. Intended for
data scientists, dashboard generators, and other data-analysis scenarios.
Lowest-level resources where you can grant this role:
Table
bigtable.appProfiles.get
bigtable.appProfiles.list
bigtable.authorizedViews.get
bigtable.authorizedViews.list
bigtable.authorizedViews.readRows
bigtable.authorizedViews.sampleRowKeys
bigtable.backups.get
bigtable.backups.list
bigtable.clusters.get
bigtable.clusters.list
bigtable.hotTablets.list
bigtable.instances.get
bigtable.instances.list
bigtable.instances.ping
bigtable.keyvisualizer.*
bigtable.locations.list
bigtable.tables.checkConsistency
bigtable.tables.generateConsistencyToken
bigtable.tables.get
bigtable.tables.list
bigtable.tables.readRows
bigtable.tables.sampleRowKeys
monitoring.metricDescriptors.get
monitoring.metricDescriptors.list
monitoring.timeSeries.*
resourcemanager.projects.get
Bigtable User
(roles/bigtable.user)
Provides read-write access to the data stored within Bigtable tables. Intended for
application developers or service accounts.
Lowest-level resources where you can grant this role:
Table
bigtable.appProfiles.get
bigtable.appProfiles.list
bigtable.authorizedViews.get
bigtable.authorizedViews.list
bigtable.authorizedViews.mutateRows
bigtable.authorizedViews.readRows
bigtable.authorizedViews.sampleRowKeys
bigtable.backups.get
bigtable.backups.list
bigtable.clusters.get
bigtable.clusters.list
bigtable.hotTablets.list
bigtable.instances.get
bigtable.instances.list
bigtable.instances.ping
bigtable.keyvisualizer.*
bigtable.locations.list
bigtable.tables.checkConsistency
bigtable.tables.generateConsistencyToken
bigtable.tables.get
bigtable.tables.list
bigtable.tables.mutateRows
bigtable.tables.readRows
bigtable.tables.sampleRowKeys
monitoring.metricDescriptors.get
monitoring.metricDescriptors.list
monitoring.timeSeries.*
resourcemanager.projects.get
Bigtable Viewer
(roles/bigtable.viewer)
Provides no data access. Intended as a minimal set of permissions to access
the Google Cloud console for Bigtable.
Lowest-level resources where you can grant this role:
Provides the permissions necessary to list and get Cloud Composer environments and operations.
Provides read-only access to objects in all project buckets.
Lowest-level resources where you can grant this role:
Project
composer.dags.*
composer.environments.get
composer.environments.list
composer.imageversions.list
composer.operations.get
composer.operations.list
composer.userworkloadsconfigmaps.get
composer.userworkloadsconfigmaps.list
composer.userworkloadssecrets.get
composer.userworkloadssecrets.list
resourcemanager.projects.get
resourcemanager.projects.list
serviceusage.quotas.get
serviceusage.services.get
serviceusage.services.list
storage.managedFolders.get
storage.managedFolders.list
storage.objects.get
storage.objects.list
Composer Shared VPC Agent
(roles/composer.sharedVpcAgent)
Role that should be assigned to the Composer Agent service account in the Shared VPC host project.
compute.networkAttachments.create
compute.networkAttachments.delete
compute.networkAttachments.get
compute.networkAttachments.update
compute.networks.access
compute.networks.addPeering
compute.networks.get
compute.networks.list
compute.networks.listPeeringRoutes
compute.networks.removePeering
compute.networks.updatePeering
compute.networks.use
compute.networks.useExternalIp
compute.projects.get
compute.regions.*
compute.subnetworks.get
compute.subnetworks.list
compute.subnetworks.use
compute.subnetworks.useExternalIp
compute.zones.*
dns.managedZones.get
dns.managedZones.list
dns.networks.targetWithPeeringZone
Composer User
(roles/composer.user)
Provides the permissions necessary to list and get Cloud Composer environments and operations.
Lowest-level resources where you can grant this role:
Project
composer.dags.*
composer.environments.get
composer.environments.list
composer.imageversions.list
composer.operations.get
composer.operations.list
composer.userworkloadsconfigmaps.get
composer.userworkloadsconfigmaps.list
composer.userworkloadssecrets.get
composer.userworkloadssecrets.list
serviceusage.quotas.get
serviceusage.services.get
serviceusage.services.list
Composer Worker
(roles/composer.worker)
Provides the permissions necessary to run a Cloud Composer environment VM. Intended for service accounts.
Lowest-level resources where you can grant this role:
Custom Connector is a global resource that creates a custom connector within the given target project. This role grants Admin access to Custom Connector resources.
connectors.customConnectorVersions.*
connectors.customConnectors.*
connectors.locations.*
Custom Connector Viewer
(roles/connectors.customConnectorViewer)
Custom Connector is a global resource that creates a custom connector within the given target project. This role grants Read-only access to Custom Connector and Custom Connector Version resources.
connectors.customConnectorVersions.get
connectors.customConnectorVersions.getIamPolicy
connectors.customConnectorVersions.list
connectors.customConnectors.get
connectors.customConnectors.getIamPolicy
connectors.customConnectors.list
connectors.locations.*
Connectors Endpoint Attachment Admin
(roles/connectors.endpointAttachmentAdmin)
Endpoint Attachment is a regional resource that creates a PSC connection endpoint for the given PSC Service Attachment. This role grants Admin access to Connectors Endpoint Attachment resources.
connectors.endpointAttachments.*
connectors.locations.*
Connectors Endpoint Attachment Viewer
(roles/connectors.endpointAttachmentViewer)
Endpoint Attachment is a regional resource that creates a PSC connection endpoint for the given PSC Service Attachment. This role grants Read-only access to Connectors Endpoint Attachment resources.
connectors.endpointAttachments.get
connectors.endpointAttachments.getIamPolicy
connectors.endpointAttachments.list
connectors.locations.*
Connectors Event Subscriptions Admin
(roles/connectors.eventSubscriptionAdmin)
Event Subscription is a regional resource that creates subscriptions on events for a given connection within the given target project. This role grants Admin access to Connectors Event Subscription resources.
connectors.eventSubscriptions.*
Connectors Event Subscriptions Viewer
(roles/connectors.eventSubscriptionViewer)
Event Subscription is a regional resource that creates subscriptions on events for a given connection within the given target project. This role grants Read-only access to Event Subscription resources.
connectors.eventSubscriptions.get
connectors.eventSubscriptions.list
Connector Invoker
(roles/connectors.invoker)
Full Access to invoke all operations on Connections.
connectors.actions.*
connectors.connections.executeSqlQuery
connectors.entities.*
connectors.entityTypes.list
Connector Event Listener
(roles/connectors.listener)
Full access to listen for events from connections.
connectors.connections.listenEvent
Connectors Managed Zone Admin
(roles/connectors.managedZoneAdmin)
Managed Zone is a global resource that creates a Cloud DNS peering zone with the given target project. This role grants Admin access to Connectors Managed Zone resources.
connectors.locations.*
connectors.managedZones.*
Connectors Managed Zone Viewer
(roles/connectors.managedZoneViewer)
Managed Zone is a global resource that creates a Cloud DNS peering zone with the given target project. This role grants Read-only access to Connectors Managed Zone resources.
Read-only access to Cloud Data Fusion Instances. Use it at the instance level together with the namespace grants to provide access to a specific namespace.
datafusion.instances.get
datafusion.instances.getIamPolicy
datafusion.instances.list
resourcemanager.projects.get
resourcemanager.projects.list
Cloud Data Fusion Admin
(roles/datafusion.admin)
Full access to Cloud Data Fusion Instances, Namespaces and related resources.
Lowest-level resources where you can grant this role:
Project
datafusion.*
resourcemanager.projects.get
resourcemanager.projects.list
Cloud Data Fusion Developer
Beta
(roles/datafusion.developer)
Access Cloud Data Fusion Instances, develop and run pipelines.
datafusion.artifacts.get
datafusion.artifacts.list
datafusion.instances.get
datafusion.instances.getIamPolicy
datafusion.instances.list
datafusion.locations.*
datafusion.operations.get
datafusion.operations.list
datafusion.pipelineConnections.get
datafusion.pipelineConnections.list
datafusion.pipelineConnections.use
datafusion.pipelines.*
datafusion.profiles.get
datafusion.profiles.list
datafusion.secureKeys.*
resourcemanager.projects.get
resourcemanager.projects.list
Cloud Data Fusion Operator
Beta
(roles/datafusion.operator)
Access Cloud Data Fusion Instances, operate namespaces and related resources.
datafusion.artifacts.*
datafusion.instances.get
datafusion.instances.getIamPolicy
datafusion.instances.list
datafusion.locations.*
datafusion.operations.get
datafusion.operations.list
datafusion.pipelineConnections.get
datafusion.pipelineConnections.list
datafusion.pipelineConnections.use
datafusion.pipelines.create
datafusion.pipelines.delete
datafusion.pipelines.execute
datafusion.pipelines.get
datafusion.pipelines.list
datafusion.pipelines.update
datafusion.profiles.*
datafusion.secureKeys.*
resourcemanager.projects.get
resourcemanager.projects.list
Cloud Data Fusion Runner
(roles/datafusion.runner)
Access to Cloud Data Fusion runtime resources.
datafusion.instances.runtime
Cloud Data Fusion Viewer
(roles/datafusion.viewer)
Read-only access to Cloud Data Fusion Instances, Namespaces and related resources.
Lowest-level resources where you can grant this role:
Project
datafusion.artifacts.get
datafusion.artifacts.list
datafusion.instances.get
datafusion.instances.getIamPolicy
datafusion.instances.list
datafusion.locations.*
datafusion.operations.get
datafusion.operations.list
datafusion.pipelineConnections.get
datafusion.pipelineConnections.list
datafusion.pipelines.get
datafusion.pipelines.list
datafusion.profiles.get
datafusion.profiles.list
datafusion.secureKeys.list
resourcemanager.projects.get
resourcemanager.projects.list
Cloud Data Labeling roles
Permissions
Data Labeling Service Admin
Beta
(roles/datalabeling.admin)
Full access to all Data Labeling resources
datalabeling.*
resourcemanager.projects.get
resourcemanager.projects.list
Data Labeling Service Editor
Beta
(roles/datalabeling.editor)
Editor of all Data Labeling resources
datalabeling.*
resourcemanager.projects.get
resourcemanager.projects.list
Data Labeling Service Viewer
Beta
(roles/datalabeling.viewer)
Viewer of all Data Labeling resources
datalabeling.annotateddatasets.get
datalabeling.annotateddatasets.list
datalabeling.annotationspecsets.get
datalabeling.annotationspecsets.list
datalabeling.dataitems.*
datalabeling.datasets.get
datalabeling.datasets.list
datalabeling.examples.*
datalabeling.instructions.get
datalabeling.instructions.list
datalabeling.operations.get
datalabeling.operations.list
resourcemanager.projects.get
resourcemanager.projects.list
Cloud Dataplex roles
Permissions
Dataplex Administrator
(roles/dataplex.admin)
Full access to all Dataplex resources.
cloudasset.assets.analyzeIamPolicy
cloudasset.assets.searchAllIamPolicies
cloudasset.assets.searchAllResources
dataplex.assetActions.list
dataplex.assets.create
dataplex.assets.delete
dataplex.assets.get
dataplex.assets.getIamPolicy
dataplex.assets.list
dataplex.assets.setIamPolicy
dataplex.assets.update
dataplex.content.*
dataplex.dataAttributeBindings.*
dataplex.dataAttributes.*
dataplex.dataTaxonomies.*
dataplex.datascans.*
dataplex.entities.*
dataplex.environments.*
dataplex.lakeActions.list
dataplex.lakes.*
dataplex.locations.*
dataplex.operations.*
dataplex.partitions.*
dataplex.tasks.*
dataplex.zoneActions.list
dataplex.zones.*
resourcemanager.projects.get
resourcemanager.projects.list
Dataplex Aspect Type Owner
(roles/dataplex.aspectTypeOwner)
Grants access to create and manage Aspect Types. Does not grant the right to create or modify Entries.
dataplex.aspectTypes.*
resourcemanager.projects.get
resourcemanager.projects.list
Dataplex Aspect Type User
(roles/dataplex.aspectTypeUser)
Grants access to use Aspect Types to create or modify Entries with the corresponding aspects.
dataplex.aspectTypes.get
dataplex.aspectTypes.list
dataplex.aspectTypes.use
resourcemanager.projects.get
resourcemanager.projects.list
Dataplex Binding Administrator
(roles/dataplex.bindingAdmin)
Full access to DataAttribute Binding resources.
dataplex.dataAttributeBindings.*
Dataplex Catalog Admin
Beta
(roles/dataplex.catalogAdmin)
Has full access to Catalog resources: Entry Groups, Entry Types, Aspect Types and Entries.
dataplex.aspectTypes.*
dataplex.entries.*
dataplex.entryGroups.*
dataplex.entryTypes.*
resourcemanager.projects.get
resourcemanager.projects.list
Dataplex Catalog Editor
Beta
(roles/dataplex.catalogEditor)
Has write access to Catalog resources: Entry Groups, Entry Types, Aspect Types and Entries. Cannot set IAM policies on resources.
dataplex.aspectTypes.create
dataplex.aspectTypes.delete
dataplex.aspectTypes.get
dataplex.aspectTypes.getIamPolicy
dataplex.aspectTypes.list
dataplex.aspectTypes.update
dataplex.aspectTypes.use
dataplex.entries.*
dataplex.entryGroups.create
dataplex.entryGroups.delete
dataplex.entryGroups.get
dataplex.entryGroups.getIamPolicy
dataplex.entryGroups.list
dataplex.entryGroups.update
dataplex.entryGroups.useContactsAspect
dataplex.entryGroups.useGenericAspect
dataplex.entryGroups.useGenericEntry
dataplex.entryGroups.useOverviewAspect
dataplex.entryGroups.useSchemaAspect
dataplex.entryTypes.create
dataplex.entryTypes.delete
dataplex.entryTypes.get
dataplex.entryTypes.getIamPolicy
dataplex.entryTypes.list
dataplex.entryTypes.update
dataplex.entryTypes.use
resourcemanager.projects.get
resourcemanager.projects.list
Dataplex Catalog Viewer
Beta
(roles/dataplex.catalogViewer)
Has read access to Catalog resources: Entry Groups, Entry Types, Aspect Types and Entries. Can view IAM policies on Catalog resources.
dataplex.aspectTypes.get
dataplex.aspectTypes.getIamPolicy
dataplex.aspectTypes.list
dataplex.entries.get
dataplex.entries.list
dataplex.entryGroups.get
dataplex.entryGroups.getIamPolicy
dataplex.entryGroups.list
dataplex.entryTypes.get
dataplex.entryTypes.getIamPolicy
dataplex.entryTypes.list
resourcemanager.projects.get
resourcemanager.projects.list
Dataplex Data Owner
(roles/dataplex.dataOwner)
Owner access to data. Grant only on Dataplex Lake, Zone, or Asset resources.
dataplex.assets.ownData
dataplex.assets.readData
dataplex.assets.writeData
Dataplex Data Reader
(roles/dataplex.dataReader)
Read-only access to data. Grant only on Dataplex Lake, Zone, or Asset resources.
dataplex.assets.readData
Dataplex DataScan Administrator
(roles/dataplex.dataScanAdmin)
Full access to DataScan resources.
dataplex.datascans.*
dataplex.operations.get
dataplex.operations.list
Dataplex DataScan Creator
(roles/dataplex.dataScanCreator)
Access to create new DataScan resources.
dataplex.datascans.create
dataplex.datascans.get
dataplex.datascans.list
dataplex.operations.get
Dataplex DataScan DataViewer
(roles/dataplex.dataScanDataViewer)
Read access to DataScan resources and additional contents.
dataplex.datascans.get
dataplex.datascans.getData
dataplex.datascans.getIamPolicy
dataplex.datascans.list
Dataplex DataScan Editor
(roles/dataplex.dataScanEditor)
Write access to DataScan resources.
dataplex.datascans.create
dataplex.datascans.delete
dataplex.datascans.get
dataplex.datascans.getData
dataplex.datascans.getIamPolicy
dataplex.datascans.list
dataplex.datascans.run
dataplex.datascans.update
dataplex.operations.get
dataplex.operations.list
Dataplex DataScan Viewer
(roles/dataplex.dataScanViewer)
Read access to DataScan resources.
dataplex.datascans.get
dataplex.datascans.getIamPolicy
dataplex.datascans.list
Dataplex Data Writer
(roles/dataplex.dataWriter)
Write access to data. Grant only on Dataplex Lake, Zone, or Asset resources.
dataplex.assets.writeData
Dataplex Developer
(roles/dataplex.developer)
Allows running data analytics workloads in a lake.
dataplex.content.*
dataplex.environments.execute
dataplex.environments.get
dataplex.environments.list
dataplex.tasks.cancel
dataplex.tasks.create
dataplex.tasks.delete
dataplex.tasks.get
dataplex.tasks.list
dataplex.tasks.run
dataplex.tasks.update
Dataplex Editor
(roles/dataplex.editor)
Write access to Dataplex resources.
cloudasset.assets.analyzeIamPolicy
dataplex.assetActions.list
dataplex.assets.create
dataplex.assets.delete
dataplex.assets.get
dataplex.assets.getIamPolicy
dataplex.assets.list
dataplex.assets.update
dataplex.content.delete
dataplex.content.get
dataplex.content.getIamPolicy
dataplex.content.list
dataplex.dataAttributeBindings.create
dataplex.dataAttributeBindings.delete
dataplex.dataAttributeBindings.get
dataplex.dataAttributeBindings.getIamPolicy
dataplex.dataAttributeBindings.list
dataplex.dataAttributeBindings.update
dataplex.dataAttributes.bind
dataplex.dataAttributes.create
dataplex.dataAttributes.delete
dataplex.dataAttributes.get
dataplex.dataAttributes.getIamPolicy
dataplex.dataAttributes.list
dataplex.dataAttributes.update
dataplex.dataTaxonomies.configureDataAccess
dataplex.dataTaxonomies.configureResourceAccess
dataplex.dataTaxonomies.create
dataplex.dataTaxonomies.delete
dataplex.dataTaxonomies.get
dataplex.dataTaxonomies.getIamPolicy
dataplex.dataTaxonomies.list
dataplex.dataTaxonomies.update
dataplex.datascans.create
dataplex.datascans.delete
dataplex.datascans.get
dataplex.datascans.getIamPolicy
dataplex.datascans.list
dataplex.datascans.run
dataplex.datascans.update
dataplex.environments.create
dataplex.environments.delete
dataplex.environments.get
dataplex.environments.getIamPolicy
dataplex.environments.list
dataplex.environments.update
dataplex.lakeActions.list
dataplex.lakes.create
dataplex.lakes.delete
dataplex.lakes.get
dataplex.lakes.getIamPolicy
dataplex.lakes.list
dataplex.lakes.update
dataplex.operations.*
dataplex.tasks.cancel
dataplex.tasks.create
dataplex.tasks.delete
dataplex.tasks.get
dataplex.tasks.getIamPolicy
dataplex.tasks.list
dataplex.tasks.run
dataplex.tasks.update
dataplex.zoneActions.list
dataplex.zones.create
dataplex.zones.delete
dataplex.zones.get
dataplex.zones.getIamPolicy
dataplex.zones.list
dataplex.zones.update
Dataplex Entry Group Owner
(roles/dataplex.entryGroupOwner)
Owns Entry Groups and the Entries inside them.
dataplex.aspectTypes.get
dataplex.aspectTypes.list
dataplex.aspectTypes.use
dataplex.entries.*
dataplex.entryGroups.*
dataplex.entryTypes.get
dataplex.entryTypes.list
dataplex.entryTypes.use
resourcemanager.projects.get
resourcemanager.projects.list
Dataplex Entry Owner
(roles/dataplex.entryOwner)
Owns Metadata Entries.
dataplex.aspectTypes.get
dataplex.aspectTypes.list
dataplex.aspectTypes.use
dataplex.entries.*
dataplex.entryGroups.get
dataplex.entryGroups.useContactsAspect
dataplex.entryGroups.useGenericAspect
dataplex.entryGroups.useGenericEntry
dataplex.entryGroups.useOverviewAspect
dataplex.entryGroups.useSchemaAspect
dataplex.entryTypes.get
dataplex.entryTypes.list
dataplex.entryTypes.use
resourcemanager.projects.get
resourcemanager.projects.list
Dataplex Entry Type Owner
(roles/dataplex.entryTypeOwner)
Grants access to creating and managing Entry Types. Does not give the right to create/modify Entries.
dataplex.entryTypes.*
resourcemanager.projects.get
resourcemanager.projects.list
Dataplex Entry Type User
(roles/dataplex.entryTypeUser)
Grants access to use Entry Types to create/modify Entries of those types.
dataplex.entryTypes.get
dataplex.entryTypes.list
dataplex.entryTypes.use
resourcemanager.projects.get
resourcemanager.projects.list
Dataplex Metadata Reader
(roles/dataplex.metadataReader)
Read only access to metadata.
dataplex.assets.get
dataplex.assets.list
dataplex.entities.get
dataplex.entities.list
dataplex.partitions.get
dataplex.partitions.list
dataplex.zones.get
dataplex.zones.list
resourcemanager.projects.get
resourcemanager.projects.list
Dataplex Metadata Writer
(roles/dataplex.metadataWriter)
Read and write access to metadata.
dataplex.assets.get
dataplex.assets.list
dataplex.entities.*
dataplex.partitions.*
dataplex.zones.get
dataplex.zones.list
resourcemanager.projects.get
resourcemanager.projects.list
Dataplex Security Administrator
(roles/dataplex.securityAdmin)
Permissions to configure ResourceAccess and DataAccess specs on Data Attributes.
dataplex.dataTaxonomies.configureDataAccess
dataplex.dataTaxonomies.configureResourceAccess
Dataplex Storage Data Owner
(roles/dataplex.storageDataOwner)
Owner access to data. Should not be used directly. This role is granted by Dataplex to managed resources like Cloud Storage buckets, BigQuery datasets etc.
bigquery.datasets.get
bigquery.models.create
bigquery.models.delete
bigquery.models.export
bigquery.models.getData
bigquery.models.getMetadata
bigquery.models.list
bigquery.models.updateData
bigquery.models.updateMetadata
bigquery.routines.create
bigquery.routines.delete
bigquery.routines.get
bigquery.routines.list
bigquery.routines.update
bigquery.tables.create
bigquery.tables.createSnapshot
bigquery.tables.delete
bigquery.tables.deleteSnapshot
bigquery.tables.export
bigquery.tables.get
bigquery.tables.getData
bigquery.tables.list
bigquery.tables.restoreSnapshot
bigquery.tables.update
bigquery.tables.updateData
storage.buckets.get
storage.objects.create
storage.objects.delete
storage.objects.get
storage.objects.list
storage.objects.update
Dataplex Storage Data Reader
(roles/dataplex.storageDataReader)
Read only access to data. Should not be used directly. This role is granted by Dataplex to managed resources like Cloud Storage buckets, BigQuery datasets etc.
bigquery.datasets.get
bigquery.models.export
bigquery.models.getData
bigquery.models.getMetadata
bigquery.models.list
bigquery.routines.get
bigquery.routines.list
bigquery.tables.export
bigquery.tables.get
bigquery.tables.getData
bigquery.tables.list
storage.buckets.get
storage.objects.get
storage.objects.list
Dataplex Storage Data Writer
(roles/dataplex.storageDataWriter)
Write access to data. Should not be used directly. This role is granted by Dataplex to managed resources like Cloud Storage buckets, BigQuery datasets etc.
bigquery.tables.updateData
storage.objects.create
storage.objects.delete
storage.objects.update
Dataplex Taxonomy Administrator
(roles/dataplex.taxonomyAdmin)
Full access to DataTaxonomy, DataAttribute resources.
dataplex.dataAttributes.*
dataplex.dataTaxonomies.create
dataplex.dataTaxonomies.delete
dataplex.dataTaxonomies.get
dataplex.dataTaxonomies.getIamPolicy
dataplex.dataTaxonomies.list
dataplex.dataTaxonomies.setIamPolicy
dataplex.dataTaxonomies.update
Dataplex Taxonomy Viewer
(roles/dataplex.taxonomyViewer)
Read access on DataTaxonomy, DataAttribute resources.
dataplex.dataAttributes.get
dataplex.dataAttributes.getIamPolicy
dataplex.dataAttributes.list
dataplex.dataTaxonomies.get
dataplex.dataTaxonomies.getIamPolicy
dataplex.dataTaxonomies.list
Dataplex Viewer
(roles/dataplex.viewer)
Read access to Dataplex resources.
cloudasset.assets.analyzeIamPolicy
dataplex.assetActions.list
dataplex.assets.get
dataplex.assets.getIamPolicy
dataplex.assets.list
dataplex.content.get
dataplex.content.getIamPolicy
dataplex.content.list
dataplex.dataAttributeBindings.get
dataplex.dataAttributeBindings.getIamPolicy
dataplex.dataAttributeBindings.list
dataplex.dataAttributes.get
dataplex.dataAttributes.getIamPolicy
dataplex.dataAttributes.list
dataplex.dataTaxonomies.get
dataplex.dataTaxonomies.getIamPolicy
dataplex.dataTaxonomies.list
dataplex.datascans.get
dataplex.datascans.getIamPolicy
dataplex.datascans.list
dataplex.environments.get
dataplex.environments.getIamPolicy
dataplex.environments.list
dataplex.lakeActions.list
dataplex.lakes.get
dataplex.lakes.getIamPolicy
dataplex.lakes.list
dataplex.operations.get
dataplex.operations.list
dataplex.tasks.get
dataplex.tasks.getIamPolicy
dataplex.tasks.list
dataplex.zoneActions.list
dataplex.zones.get
dataplex.zones.getIamPolicy
dataplex.zones.list
Cloud Debugger roles
Permissions
Cloud Debugger Agent
Beta
(roles/clouddebugger.agent)
Provides permissions to register the debug target, read active breakpoints, and report breakpoint results.
Lowest-level resources where you can grant this role:
Service Account
clouddebugger.breakpoints.list
clouddebugger.breakpoints.listActive
clouddebugger.breakpoints.update
clouddebugger.debuggees.create
Cloud Debugger User
Beta
(roles/clouddebugger.user)
Provides permissions to create, view, list, and delete breakpoints (snapshots and logpoints), and to list debug targets (debuggees).
Lowest-level resources where you can grant this role:
Project
clouddebugger.breakpoints.create
clouddebugger.breakpoints.delete
clouddebugger.breakpoints.get
clouddebugger.breakpoints.list
clouddebugger.debuggees.list
Cloud Deploy roles
Permissions
Cloud Deploy Admin
(roles/clouddeploy.admin)
Full control of Cloud Deploy resources.
clouddeploy.*
resourcemanager.projects.get
resourcemanager.projects.list
Cloud Deploy Approver
(roles/clouddeploy.approver)
Permission to approve or reject rollouts.
clouddeploy.config.get
clouddeploy.jobRuns.get
clouddeploy.jobRuns.list
clouddeploy.locations.*
clouddeploy.operations.*
clouddeploy.rollouts.approve
clouddeploy.rollouts.get
clouddeploy.rollouts.list
resourcemanager.projects.get
resourcemanager.projects.list
Cloud Deploy Custom Target Type Admin
Beta
(roles/clouddeploy.customTargetTypeAdmin)
Permission to manage CustomTargetType resources.
clouddeploy.config.get
clouddeploy.customTargetTypes.*
resourcemanager.projects.get
resourcemanager.projects.list
Cloud Deploy Developer
(roles/clouddeploy.developer)
Permission to manage deployment configuration without permission to access operational resources, such as targets.
clouddeploy.automationRuns.get
clouddeploy.automationRuns.list
clouddeploy.automations.get
clouddeploy.automations.list
clouddeploy.config.get
clouddeploy.deliveryPipelines.create
clouddeploy.deliveryPipelines.delete
clouddeploy.deliveryPipelines.get
clouddeploy.deliveryPipelines.getIamPolicy
clouddeploy.deliveryPipelines.list
clouddeploy.deliveryPipelines.update
clouddeploy.jobRuns.get
clouddeploy.jobRuns.list
clouddeploy.locations.*
clouddeploy.operations.*
clouddeploy.releases.*
clouddeploy.rollouts.get
clouddeploy.rollouts.list
resourcemanager.projects.get
resourcemanager.projects.list
Cloud Deploy Runner
(roles/clouddeploy.jobRunner)
Permission to execute Cloud Deploy work without permission to deliver to a target.
clouddeploy.config.get
logging.logEntries.create
storage.objects.create
storage.objects.get
storage.objects.list
Cloud Deploy Operator
(roles/clouddeploy.operator)
Permission to manage deployment configuration.
clouddeploy.automationRuns.*
clouddeploy.automations.*
clouddeploy.config.get
clouddeploy.customTargetTypes.get
clouddeploy.customTargetTypes.getIamPolicy
clouddeploy.customTargetTypes.list
clouddeploy.deliveryPipelines.create
clouddeploy.deliveryPipelines.delete
clouddeploy.deliveryPipelines.get
clouddeploy.deliveryPipelines.getIamPolicy
clouddeploy.deliveryPipelines.list
clouddeploy.deliveryPipelines.update
clouddeploy.jobRuns.*
clouddeploy.locations.*
clouddeploy.operations.*
clouddeploy.releases.*
clouddeploy.rollouts.advance
clouddeploy.rollouts.cancel
clouddeploy.rollouts.create
clouddeploy.rollouts.get
clouddeploy.rollouts.ignoreJob
clouddeploy.rollouts.list
clouddeploy.rollouts.retryJob
clouddeploy.rollouts.rollback
clouddeploy.targets.create
clouddeploy.targets.delete
clouddeploy.targets.get
clouddeploy.targets.getIamPolicy
clouddeploy.targets.list
clouddeploy.targets.update
resourcemanager.projects.get
resourcemanager.projects.list
Cloud Deploy Releaser
(roles/clouddeploy.releaser)
Permission to create Cloud Deploy releases and rollouts.
clouddeploy.config.get
clouddeploy.customTargetTypes.get
clouddeploy.deliveryPipelines.get
clouddeploy.jobRuns.get
clouddeploy.jobRuns.list
clouddeploy.locations.*
clouddeploy.operations.*
clouddeploy.releases.create
clouddeploy.releases.get
clouddeploy.releases.list
clouddeploy.rollouts.advance
clouddeploy.rollouts.cancel
clouddeploy.rollouts.create
clouddeploy.rollouts.get
clouddeploy.rollouts.list
clouddeploy.rollouts.rollback
clouddeploy.targets.get
resourcemanager.projects.get
resourcemanager.projects.list
Cloud Deploy Viewer
(roles/clouddeploy.viewer)
Can view Cloud Deploy resources.
clouddeploy.automationRuns.get
clouddeploy.automationRuns.list
clouddeploy.automations.get
clouddeploy.automations.list
clouddeploy.config.get
clouddeploy.customTargetTypes.get
clouddeploy.customTargetTypes.getIamPolicy
clouddeploy.customTargetTypes.list
clouddeploy.deliveryPipelines.get
clouddeploy.deliveryPipelines.getIamPolicy
clouddeploy.deliveryPipelines.list
clouddeploy.jobRuns.get
clouddeploy.jobRuns.list
clouddeploy.locations.*
clouddeploy.operations.get
clouddeploy.operations.list
clouddeploy.releases.get
clouddeploy.releases.list
clouddeploy.rollouts.get
clouddeploy.rollouts.list
clouddeploy.targets.get
clouddeploy.targets.getIamPolicy
clouddeploy.targets.list
resourcemanager.projects.get
resourcemanager.projects.list
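The Cloud Deploy roles above overlap heavily (Approver, Releaser and Admin all carry clouddeploy.rollouts permissions), and the `.*` entries hide how much each role really grants. The script below, an added example and not code from the Google Cloud documentation, picks the narrowest role that covers a required permission set, treating a trailing `.*` as the page does (every permission under that prefix). The permission lists are transcribed from the Cloud Deploy rows above as a snapshot; the "breadth" ordering is a heuristic of this example, not an IAM concept.

```python
"""Pick the narrowest predefined role that covers a required permission set.

Added example, not code from the Google Cloud documentation. The permission
lists are transcribed from the Cloud Deploy rows of this reference and are a
snapshot: Google updates predefined roles, so confirm with
`gcloud iam roles describe ROLE_ID` before granting.
"""

# A trailing ".*" is the page's shorthand for every permission under that
# prefix; "clouddeploy.*" therefore covers the whole service.
ROLES = {
    "roles/clouddeploy.admin": [
        "clouddeploy.*",
        "resourcemanager.projects.get",
        "resourcemanager.projects.list",
    ],
    "roles/clouddeploy.approver": [
        "clouddeploy.config.get",
        "clouddeploy.jobRuns.get",
        "clouddeploy.jobRuns.list",
        "clouddeploy.locations.*",
        "clouddeploy.operations.*",
        "clouddeploy.rollouts.approve",
        "clouddeploy.rollouts.get",
        "clouddeploy.rollouts.list",
        "resourcemanager.projects.get",
        "resourcemanager.projects.list",
    ],
    "roles/clouddeploy.releaser": [
        "clouddeploy.config.get",
        "clouddeploy.customTargetTypes.get",
        "clouddeploy.deliveryPipelines.get",
        "clouddeploy.jobRuns.get",
        "clouddeploy.jobRuns.list",
        "clouddeploy.locations.*",
        "clouddeploy.operations.*",
        "clouddeploy.releases.create",
        "clouddeploy.releases.get",
        "clouddeploy.releases.list",
        "clouddeploy.rollouts.advance",
        "clouddeploy.rollouts.cancel",
        "clouddeploy.rollouts.create",
        "clouddeploy.rollouts.get",
        "clouddeploy.rollouts.list",
        "clouddeploy.rollouts.rollback",
        "clouddeploy.targets.get",
        "resourcemanager.projects.get",
        "resourcemanager.projects.list",
    ],
}


def grants(entry: str, permission: str) -> bool:
    """True if one role entry (exact name or "prefix.*") covers a permission."""
    if entry.endswith(".*"):
        return permission.startswith(entry[:-1])  # keep the trailing dot
    return entry == permission


def uncovered(required, role_perms):
    """Required permissions the role does not grant; empty means fully covered."""
    return {p for p in required if not any(grants(e, p) for e in role_perms)}


def breadth(role_perms):
    """Sort key approximating how much a role grants: service-wide wildcards
    first, then resource-wide wildcards, then explicit permissions."""
    wild = [p for p in role_perms if p.endswith(".*")]
    service_wide = sum(1 for p in wild if p.count(".") == 1)
    return (service_wide, len(wild) - service_wide, len(role_perms) - len(wild))


def candidate_roles(required, roles=ROLES):
    """Role IDs that cover every required permission, narrowest first."""
    fits = [r for r, perms in roles.items() if not uncovered(required, perms)]
    return sorted(fits, key=lambda r: breadth(roles[r]))


if __name__ == "__main__":
    need = {"clouddeploy.releases.create", "clouddeploy.rollouts.create"}
    print(candidate_roles(need))  # Releaser sorts before Admin
    print(uncovered(need, ROLES["roles/clouddeploy.approver"]))
```

A principal that only needs to approve rollouts gets Approver, not Operator or Admin; one that creates releases and rollouts gets Releaser. Anything that needs clouddeploy.targets.create is only satisfied here by Admin, which is the cue to look at Operator (listed above, omitted from the snapshot for length) rather than grant a service-wide wildcard.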
Cloud DLP roles
Permissions
DLP Administrator
(roles/dlp.admin)
Administer DLP including jobs and templates.
dlp.analyzeRiskTemplates.*
dlp.charts.get
dlp.columnDataProfiles.*
dlp.connections.*
dlp.deidentifyTemplates.*
dlp.estimates.*
dlp.inspectFindings.list
dlp.inspectTemplates.*
dlp.jobTriggers.*
dlp.jobs.*
dlp.kms.encrypt
dlp.locations.*
dlp.projectDataProfiles.*
dlp.storedInfoTypes.*
dlp.subscriptions.*
dlp.tableDataProfiles.get
dlp.tableDataProfiles.list
resourcemanager.projects.get
resourcemanager.projects.list
serviceusage.services.use
DLP Analyze Risk Templates Editor
(roles/dlp.analyzeRiskTemplatesEditor)
Edit DLP analyze risk templates.
dlp.analyzeRiskTemplates.*
DLP Analyze Risk Templates Reader
(roles/dlp.analyzeRiskTemplatesReader)
Read DLP analyze risk templates.
dlp.analyzeRiskTemplates.get
dlp.analyzeRiskTemplates.list
DLP Column Data Profiles Reader
(roles/dlp.columnDataProfilesReader)
Read DLP column profiles.
dlp.columnDataProfiles.*
DLP Connections Admin
(roles/dlp.connectionsAdmin)
Manage DLP Connections.
dlp.connections.*
resourcemanager.projects.get
resourcemanager.projects.list
DLP Connections Viewer
(roles/dlp.connectionsReader)
View DLP Connections.
dlp.connections.get
dlp.connections.list
dlp.connections.search
DLP Data Profiles Admin
(roles/dlp.dataProfilesAdmin)
Manage DLP profiles.
dlp.charts.get
dlp.columnDataProfiles.*
dlp.projectDataProfiles.*
dlp.tableDataProfiles.*
DLP Data Profiles Reader
(roles/dlp.dataProfilesReader)
Read DLP profiles.
dlp.charts.get
dlp.columnDataProfiles.*
dlp.projectDataProfiles.*
dlp.tableDataProfiles.get
dlp.tableDataProfiles.list
DLP De-identify Templates Editor
(roles/dlp.deidentifyTemplatesEditor)
Edit DLP de-identify templates.
dlp.deidentifyTemplates.*
DLP De-identify Templates Reader
(roles/dlp.deidentifyTemplatesReader)
Read DLP de-identify templates.
dlp.deidentifyTemplates.get
dlp.deidentifyTemplates.list
DLP Cost Estimation
(roles/dlp.estimatesAdmin)
Manage DLP Cost Estimates.
dlp.estimates.*
DLP Inspect Findings Reader
(roles/dlp.inspectFindingsReader)
Read DLP stored findings.
dlp.inspectFindings.list
DLP Inspect Templates Editor
(roles/dlp.inspectTemplatesEditor)
Edit DLP inspect templates.
dlp.inspectTemplates.*
DLP Inspect Templates Reader
(roles/dlp.inspectTemplatesReader)
Read DLP inspect templates.
dlp.inspectTemplates.get
dlp.inspectTemplates.list
DLP Job Triggers Editor
(roles/dlp.jobTriggersEditor)
Edit job triggers configurations.
dlp.jobTriggers.*
DLP Job Triggers Reader
(roles/dlp.jobTriggersReader)
Read job triggers.
dlp.jobTriggers.get
dlp.jobTriggers.list
DLP Jobs Editor
(roles/dlp.jobsEditor)
Create and edit jobs.
dlp.jobs.*
dlp.kms.encrypt
DLP Jobs Reader
(roles/dlp.jobsReader)
Read jobs.
dlp.jobs.get
dlp.jobs.list
DLP Organization Data Profiles Driver
(roles/dlp.orgdriver)
Permissions needed by the DLP service account to generate data profiles within an organization or folder.
Lowest-level resources where you can grant this role:
Folder
bigquery.bireservations.get
bigquery.capacityCommitments.get
bigquery.capacityCommitments.list
bigquery.config.get
bigquery.connections.updateTag
bigquery.datasets.create
bigquery.datasets.get
bigquery.datasets.getIamPolicy
bigquery.datasets.updateTag
bigquery.jobs.create
bigquery.jobs.get
bigquery.jobs.list
bigquery.jobs.listAll
bigquery.jobs.listExecutionMetadata
bigquery.models.*
bigquery.readsessions.*
bigquery.reservationAssignments.list
bigquery.reservationAssignments.search
bigquery.reservations.get
bigquery.reservations.list
bigquery.routines.*
bigquery.savedqueries.get
bigquery.savedqueries.list
bigquery.tables.create
bigquery.tables.createIndex
bigquery.tables.createSnapshot
bigquery.tables.delete
bigquery.tables.deleteIndex
bigquery.tables.export
bigquery.tables.get
bigquery.tables.getData
bigquery.tables.getIamPolicy
bigquery.tables.list
bigquery.tables.replicateData
bigquery.tables.restoreSnapshot
bigquery.tables.update
bigquery.tables.updateData
bigquery.tables.updateTag
bigquery.transfers.get
bigquerymigration.translation.translate
cloudasset.assets.*
cloudsql.instances.connect
cloudsql.instances.get
cloudsql.instances.login
datacatalog.categories.fineGrainedGet
datacatalog.entries.updateTag
datacatalog.entryGroups.updateTag
datacatalog.tagTemplates.create
datacatalog.tagTemplates.get
datacatalog.tagTemplates.getTag
datacatalog.tagTemplates.use
dataform.locations.*
dataform.repositories.create
dataform.repositories.list
dlp.analyzeRiskTemplates.*
dlp.charts.get
dlp.columnDataProfiles.*
dlp.connections.*
dlp.deidentifyTemplates.*
dlp.estimates.*
dlp.inspectFindings.list
dlp.inspectTemplates.*
dlp.jobTriggers.*
dlp.jobs.*
dlp.kms.encrypt
dlp.locations.*
dlp.projectDataProfiles.*
dlp.storedInfoTypes.*
dlp.subscriptions.*
dlp.tableDataProfiles.get
dlp.tableDataProfiles.list
pubsub.topics.updateTag
recommender.cloudAssetInsights.get
recommender.cloudAssetInsights.list
recommender.locations.*
resourcemanager.projects.get
resourcemanager.projects.list
serviceusage.services.use
DLP Project Data Profiles Reader
(roles/dlp.projectDataProfilesReader)
Read DLP project profiles.
dlp.projectDataProfiles.*
DLP Project Data Profiles Driver
(roles/dlp.projectdriver)
Permissions needed by the DLP service account to generate data profiles within a project.
bigquery.bireservations.get
bigquery.capacityCommitments.get
bigquery.capacityCommitments.list
bigquery.config.get
bigquery.connections.updateTag
bigquery.datasets.create
bigquery.datasets.get
bigquery.datasets.getIamPolicy
bigquery.datasets.updateTag
bigquery.jobs.create
bigquery.jobs.get
bigquery.jobs.list
bigquery.jobs.listAll
bigquery.jobs.listExecutionMetadata
bigquery.models.*
bigquery.readsessions.*
bigquery.reservationAssignments.list
bigquery.reservationAssignments.search
bigquery.reservations.get
bigquery.reservations.list
bigquery.routines.*
bigquery.savedqueries.get
bigquery.savedqueries.list
bigquery.tables.create
bigquery.tables.createIndex
bigquery.tables.createSnapshot
bigquery.tables.delete
bigquery.tables.deleteIndex
bigquery.tables.export
bigquery.tables.get
bigquery.tables.getData
bigquery.tables.getIamPolicy
bigquery.tables.list
bigquery.tables.replicateData
bigquery.tables.restoreSnapshot
bigquery.tables.update
bigquery.tables.updateData
bigquery.tables.updateTag
bigquery.transfers.get
bigquerymigration.translation.translate
cloudasset.assets.*
cloudsql.instances.connect
cloudsql.instances.get
cloudsql.instances.login
datacatalog.categories.fineGrainedGet
datacatalog.entries.updateTag
datacatalog.entryGroups.updateTag
datacatalog.tagTemplates.create
datacatalog.tagTemplates.get
datacatalog.tagTemplates.getTag
datacatalog.tagTemplates.use
dataform.locations.*
dataform.repositories.create
dataform.repositories.list
dlp.analyzeRiskTemplates.*
dlp.charts.get
dlp.columnDataProfiles.*
dlp.connections.*
dlp.deidentifyTemplates.*
dlp.estimates.*
dlp.inspectFindings.list
dlp.inspectTemplates.*
dlp.jobTriggers.*
dlp.jobs.*
dlp.kms.encrypt
dlp.locations.*
dlp.projectDataProfiles.*
dlp.storedInfoTypes.*
dlp.subscriptions.*
dlp.tableDataProfiles.get
dlp.tableDataProfiles.list
pubsub.topics.updateTag
recommender.cloudAssetInsights.get
recommender.cloudAssetInsights.list
recommender.locations.*
resourcemanager.projects.get
resourcemanager.projects.list
serviceusage.services.use
DLP Reader
(roles/dlp.reader)
Read DLP entities, such as jobs and templates.
dlp.analyzeRiskTemplates.get
dlp.analyzeRiskTemplates.list
dlp.deidentifyTemplates.get
dlp.deidentifyTemplates.list
dlp.inspectFindings.list
dlp.inspectTemplates.get
dlp.inspectTemplates.list
dlp.jobTriggers.get
dlp.jobTriggers.list
dlp.jobs.get
dlp.jobs.list
dlp.locations.*
dlp.storedInfoTypes.get
dlp.storedInfoTypes.list
DLP Stored InfoTypes Editor
(roles/dlp.storedInfoTypesEditor)
Edit DLP stored info types.
dlp.storedInfoTypes.*
DLP Stored InfoTypes Reader
(roles/dlp.storedInfoTypesReader)
Read DLP stored info types.
dlp.storedInfoTypes.get
dlp.storedInfoTypes.list
DLP Subscription Admin
(roles/dlp.subscriptionsAdmin)
Manage DLP subscriptions.
dlp.subscriptions.*
resourcemanager.projects.get
resourcemanager.projects.list
DLP Subscription Viewer
(roles/dlp.subscriptionsReader)
View DLP subscriptions.
dlp.subscriptions.get
dlp.subscriptions.list
DLP Table Data Profiles Admin
(roles/dlp.tableDataProfilesAdmin)
Manage DLP table profiles.
dlp.tableDataProfiles.*
DLP Table Data Profiles Reader
(roles/dlp.tableDataProfilesReader)
Read DLP table profiles.
dlp.tableDataProfiles.get
dlp.tableDataProfiles.list
DLP User
(roles/dlp.user)
Inspect, redact, and de-identify content.
dlp.kms.encrypt
dlp.locations.*
serviceusage.services.use
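Two groups of roles on this page are not meant for people: the Dataplex Storage Data Owner/Reader/Writer roles, which the page says are granted by Dataplex to managed resources and "should not be used directly", and the DLP Organization/Project Data Profiles Driver roles, which hold what the DLP service account needs, including bigquery.tables.getData and cloudsql.instances.login. A human or group bound to any of them gets broad read access to underlying data. The check below, an added example and not code from the Google Cloud documentation, scans an IAM policy for those roles bound to non-service-account principals. The policy is constructed, and the project and principal names in it are hypothetical.

```python
"""Flag service-managed roles bound to human or group principals.

Added example, not code from the Google Cloud documentation. This reference
says roles/dlp.orgdriver and roles/dlp.projectdriver hold the permissions the
DLP service account needs, and that the Dataplex storageData* roles are
granted by Dataplex itself and "should not be used directly". The policy
below is constructed; the project and principal names are hypothetical.
"""
import json

# Roles this page describes as belonging to a service account or as granted
# by the service rather than by administrators.
SERVICE_MANAGED_ROLES = {
    "roles/dlp.orgdriver",
    "roles/dlp.projectdriver",
    "roles/dataplex.storageDataOwner",
    "roles/dataplex.storageDataReader",
    "roles/dataplex.storageDataWriter",
}

# IAM member prefixes that denote something other than a service account.
NON_SERVICE_MEMBERS = ("user:", "group:", "domain:", "allUsers", "allAuthenticatedUsers")

# Constructed policy in the shape of
# `gcloud projects get-iam-policy PROJECT_ID --format=json` (hypothetical values).
SAMPLE_POLICY = json.loads("""
{
  "version": 1,
  "bindings": [
    {"role": "roles/dlp.projectdriver",
     "members": ["serviceAccount:dlp-agent@example-project.iam.gserviceaccount.com",
                 "user:alice@example.com"]},
    {"role": "roles/dataplex.storageDataOwner",
     "members": ["group:data-eng@example.com"]},
    {"role": "roles/dlp.reader",
     "members": ["user:bob@example.com"]}
  ]
}
""")


def findings(policy):
    """(role, member) pairs where a service-managed role is bound to a
    non-service-account principal. Order follows the policy."""
    out = []
    for binding in policy.get("bindings", []):
        role = binding.get("role")
        if role not in SERVICE_MANAGED_ROLES:
            continue
        for member in binding.get("members", []):
            if member.startswith(NON_SERVICE_MEMBERS):
                out.append((role, member))
    return out


if __name__ == "__main__":
    for role, member in findings(SAMPLE_POLICY):
        print(f"review: {member} holds {role}")
```

Feed it the output of `gcloud projects get-iam-policy PROJECT_ID --format=json`; because the page lists Folder as the lowest level at which roles/dlp.orgdriver can be granted, also check folder and organization policies (`gcloud resource-manager folders get-iam-policy FOLDER_ID --format=json`). A serviceAccount: member is not automatically fine either; the binding should be the service's own agent, so review any serviceAccount: member you did not expect.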
Cloud Domains roles
Permissions
Cloud Domains Admin
(roles/domains.admin)
Full access to Cloud Domains Registrations and related resources.
domains.*
resourcemanager.projects.get
resourcemanager.projects.list
Cloud Domains Viewer
(roles/domains.viewer)
Read-only access to Cloud Domains Registrations and related resources.
domains.locations.*
domains.operations.get
domains.operations.list
domains.registrations.get
domains.registrations.getIamPolicy
domains.registrations.list
domains.registrations.listEffectiveTags
domains.registrations.listTagBindings
resourcemanager.projects.get
resourcemanager.projects.list
Cloud Filestore roles
Permissions
Cloud Filestore Editor
Beta
(roles/file.editor)
Read-write access to Filestore instances and related resources.
file.*
Cloud Filestore Viewer
Beta
(roles/file.viewer)
Read-only access to Filestore instances and related resources.
file.backups.get
file.backups.list
file.backups.listEffectiveTags
file.backups.listTagBindings
file.instances.get
file.instances.list
file.instances.listEffectiveTags
file.instances.listTagBindings
file.locations.*
file.operations.get
file.operations.list
file.snapshots.listEffectiveTags
file.snapshots.listTagBindings
Cloud Financial Services roles
Permissions
Financial Services Admin
(roles/financialservices.admin)
Full access to all Financial Services API resources.
financialservices.*
resourcemanager.projects.get
resourcemanager.projects.list
Financial Services Viewer
(roles/financialservices.viewer)
View access to all Financial Services API resources.
Create, delete, update, read and list annotations.
healthcare.annotationStores.get
healthcare.annotationStores.list
healthcare.annotations.*
healthcare.datasets.get
healthcare.datasets.list
healthcare.locations.*
healthcare.operations.get
resourcemanager.projects.get
resourcemanager.projects.list
Healthcare Annotation Reader
(roles/healthcare.annotationReader)
Read and list annotations in an Annotation store.
healthcare.annotationStores.get
healthcare.annotationStores.list
healthcare.annotations.get
healthcare.annotations.list
healthcare.datasets.get
healthcare.datasets.list
healthcare.locations.*
healthcare.operations.get
resourcemanager.projects.get
resourcemanager.projects.list
Healthcare Annotation Administrator
(roles/healthcare.annotationStoreAdmin)
Administer Annotation stores.
healthcare.annotationStores.*
healthcare.datasets.get
healthcare.datasets.list
healthcare.locations.*
healthcare.operations.get
resourcemanager.projects.get
resourcemanager.projects.list
Healthcare Annotation Store Viewer
(roles/healthcare.annotationStoreViewer)
List Annotation Stores in a dataset.
healthcare.annotationStores.get
healthcare.annotationStores.list
healthcare.datasets.get
healthcare.datasets.list
healthcare.locations.*
healthcare.operations.get
resourcemanager.projects.get
resourcemanager.projects.list
Healthcare Attribute Definition Editor
(roles/healthcare.attributeDefinitionEditor)
Edit AttributeDefinition objects.
healthcare.attributeDefinitions.*
healthcare.consentStores.checkDataAccess
healthcare.consentStores.evaluateUserConsents
healthcare.consentStores.get
healthcare.consentStores.list
healthcare.consentStores.queryAccessibleData
healthcare.datasets.get
healthcare.datasets.list
healthcare.locations.*
healthcare.operations.get
resourcemanager.projects.get
resourcemanager.projects.list
Healthcare Attribute Definition Reader
(roles/healthcare.attributeDefinitionReader)
Read AttributeDefinition objects in a consent store.
healthcare.attributeDefinitions.get
healthcare.attributeDefinitions.list
healthcare.consentStores.checkDataAccess
healthcare.consentStores.evaluateUserConsents
healthcare.consentStores.get
healthcare.consentStores.list
healthcare.consentStores.queryAccessibleData
healthcare.datasets.get
healthcare.datasets.list
healthcare.locations.*
healthcare.operations.get
resourcemanager.projects.get
resourcemanager.projects.list
Healthcare Consent Artifact Administrator
(roles/healthcare.consentArtifactAdmin)
Administer ConsentArtifact objects.
healthcare.consentArtifacts.*
healthcare.consentStores.checkDataAccess
healthcare.consentStores.evaluateUserConsents
healthcare.consentStores.get
healthcare.consentStores.list
healthcare.consentStores.queryAccessibleData
healthcare.datasets.get
healthcare.datasets.list
healthcare.locations.*
healthcare.operations.get
resourcemanager.projects.get
resourcemanager.projects.list
Healthcare Consent Artifact Editor
(roles/healthcare.consentArtifactEditor)
Edit ConsentArtifact objects.
healthcare.consentArtifacts.create
healthcare.consentArtifacts.get
healthcare.consentArtifacts.list
healthcare.consentStores.checkDataAccess
healthcare.consentStores.evaluateUserConsents
healthcare.consentStores.get
healthcare.consentStores.list
healthcare.consentStores.queryAccessibleData
healthcare.datasets.get
healthcare.datasets.list
healthcare.locations.*
healthcare.operations.get
resourcemanager.projects.get
resourcemanager.projects.list
Healthcare Consent Artifact Reader
(roles/healthcare.consentArtifactReader)
Read ConsentArtifact objects in a consent store.
healthcare.consentArtifacts.get
healthcare.consentArtifacts.list
healthcare.consentStores.checkDataAccess
healthcare.consentStores.evaluateUserConsents
healthcare.consentStores.get
healthcare.consentStores.list
healthcare.consentStores.queryAccessibleData
healthcare.datasets.get
healthcare.datasets.list
healthcare.locations.*
healthcare.operations.get
resourcemanager.projects.get
resourcemanager.projects.list
Healthcare Consent Editor
(roles/healthcare.consentEditor)
Edit Consent objects.
healthcare.consentStores.checkDataAccess
healthcare.consentStores.evaluateUserConsents
healthcare.consentStores.get
healthcare.consentStores.list
healthcare.consentStores.queryAccessibleData
healthcare.consents.*
healthcare.datasets.get
healthcare.datasets.list
healthcare.locations.*
healthcare.operations.get
resourcemanager.projects.get
resourcemanager.projects.list
Healthcare Consent Reader
(roles/healthcare.consentReader)
Read Consent objects in a consent store.
healthcare.consentStores.checkDataAccess
healthcare.consentStores.evaluateUserConsents
healthcare.consentStores.get
healthcare.consentStores.list
healthcare.consentStores.queryAccessibleData
healthcare.consents.get
healthcare.consents.list
healthcare.datasets.get
healthcare.datasets.list
healthcare.locations.*
healthcare.operations.get
resourcemanager.projects.get
resourcemanager.projects.list
Healthcare Consent Store Administrator
(roles/healthcare.consentStoreAdmin)
Administer Consent stores.
healthcare.consentStores.*
healthcare.datasets.get
healthcare.datasets.list
healthcare.locations.*
healthcare.operations.get
resourcemanager.projects.get
resourcemanager.projects.list
Healthcare Consent Store Viewer
(roles/healthcare.consentStoreViewer)
List Consent Stores in a dataset.
healthcare.consentStores.checkDataAccess
healthcare.consentStores.evaluateUserConsents
healthcare.consentStores.get
healthcare.consentStores.list
healthcare.consentStores.queryAccessibleData
healthcare.datasets.get
healthcare.datasets.list
healthcare.locations.*
healthcare.operations.get
resourcemanager.projects.get
resourcemanager.projects.list
Healthcare Dataset Administrator
(roles/healthcare.datasetAdmin)
Administer Healthcare Datasets.
healthcare.datasets.*
healthcare.locations.*
healthcare.operations.*
resourcemanager.projects.get
resourcemanager.projects.list
Healthcare Dataset Viewer
(roles/healthcare.datasetViewer)
List the Healthcare Datasets in a project.
healthcare.datasets.get
healthcare.datasets.list
healthcare.locations.*
healthcare.operations.get
resourcemanager.projects.get
resourcemanager.projects.list
Healthcare DICOM Editor
(roles/healthcare.dicomEditor)
Edit DICOM images individually and in bulk.
healthcare.datasets.get
healthcare.datasets.list
healthcare.dicomStores.dicomWebDelete
healthcare.dicomStores.dicomWebRead
healthcare.dicomStores.dicomWebWrite
healthcare.dicomStores.export
healthcare.dicomStores.get
healthcare.dicomStores.import
healthcare.dicomStores.list
healthcare.locations.*
healthcare.operations.cancel
healthcare.operations.get
resourcemanager.projects.get
resourcemanager.projects.list
Healthcare DICOM Store Administrator
(roles/healthcare.dicomStoreAdmin)
Administer DICOM stores.
healthcare.datasets.get
healthcare.datasets.list
healthcare.dicomStores.create
healthcare.dicomStores.deidentify
healthcare.dicomStores.delete
healthcare.dicomStores.dicomWebDelete
healthcare.dicomStores.get
healthcare.dicomStores.getIamPolicy
healthcare.dicomStores.list
healthcare.dicomStores.setIamPolicy
healthcare.dicomStores.update
healthcare.locations.*
healthcare.operations.cancel
healthcare.operations.get
resourcemanager.projects.get
resourcemanager.projects.list
Healthcare DICOM Store Viewer
(roles/healthcare.dicomStoreViewer)
List DICOM Stores in a dataset.
healthcare.datasets.get
healthcare.datasets.list
healthcare.dicomStores.get
healthcare.dicomStores.list
healthcare.locations.*
healthcare.operations.get
resourcemanager.projects.get
resourcemanager.projects.list
Healthcare DICOM Viewer
(roles/healthcare.dicomViewer)
Retrieve DICOM images from a DICOM store.
healthcare.datasets.get
healthcare.datasets.list
healthcare.dicomStores.dicomWebRead
healthcare.dicomStores.export
healthcare.dicomStores.get
healthcare.dicomStores.list
healthcare.locations.*
healthcare.operations.get
resourcemanager.projects.get
resourcemanager.projects.list
Healthcare FHIR Resource Editor
(roles/healthcare.fhirResourceEditor)
Create, delete, update, read and search FHIR resources.
healthcare.datasets.get
healthcare.datasets.list
healthcare.fhirResources.create
healthcare.fhirResources.delete
healthcare.fhirResources.get
healthcare.fhirResources.patch
healthcare.fhirResources.translateConceptMap
healthcare.fhirResources.update
healthcare.fhirStores.executeBundle
healthcare.fhirStores.get
healthcare.fhirStores.list
healthcare.fhirStores.searchResources
healthcare.locations.*
healthcare.operations.cancel
healthcare.operations.get
resourcemanager.projects.get
resourcemanager.projects.list
Healthcare FHIR Resource Reader
(roles/healthcare.fhirResourceReader)
Read and search FHIR resources.
healthcare.datasets.get
healthcare.datasets.list
healthcare.fhirResources.get
healthcare.fhirResources.translateConceptMap
healthcare.fhirStores.executeBundle
healthcare.fhirStores.get
healthcare.fhirStores.list
healthcare.fhirStores.searchResources
healthcare.locations.*
healthcare.operations.get
resourcemanager.projects.get
resourcemanager.projects.list
Healthcare FHIR Store Administrator
(roles/healthcare.fhirStoreAdmin)
Administer FHIR resource stores.
healthcare.datasets.get
healthcare.datasets.list
healthcare.fhirResources.purge
healthcare.fhirStores.applyConsents
healthcare.fhirStores.configureSearch
healthcare.fhirStores.create
healthcare.fhirStores.deidentify
healthcare.fhirStores.delete
healthcare.fhirStores.explainDataAccess
healthcare.fhirStores.export
healthcare.fhirStores.get
healthcare.fhirStores.getIamPolicy
healthcare.fhirStores.import
healthcare.fhirStores.list
healthcare.fhirStores.rollback
healthcare.fhirStores.setIamPolicy
healthcare.fhirStores.update
healthcare.locations.*
healthcare.operations.cancel
healthcare.operations.get
resourcemanager.projects.get
resourcemanager.projects.list
Healthcare FHIR Store Viewer
(roles/healthcare.fhirStoreViewer)
List FHIR Stores in a dataset.
healthcare.datasets.get
healthcare.datasets.list
healthcare.fhirStores.get
healthcare.fhirStores.list
healthcare.locations.*
healthcare.operations.get
resourcemanager.projects.get
resourcemanager.projects.list
Healthcare HL7v2 Message Consumer
(roles/healthcare.hl7V2Consumer)
List and read HL7v2 messages, update message labels, and publish new messages.
healthcare.datasets.get
healthcare.datasets.list
healthcare.hl7V2Messages.create
healthcare.hl7V2Messages.get
healthcare.hl7V2Messages.list
healthcare.hl7V2Messages.update
healthcare.hl7V2Stores.get
healthcare.hl7V2Stores.list
healthcare.locations.*
healthcare.operations.get
resourcemanager.projects.get
resourcemanager.projects.list
Healthcare HL7v2 Message Editor
(roles/healthcare.hl7V2Editor)
Read, write, and delete access to HL7v2 messages.
healthcare.datasets.get
healthcare.datasets.list
healthcare.hl7V2Messages.*
healthcare.hl7V2Stores.get
healthcare.hl7V2Stores.list
healthcare.locations.*
healthcare.operations.cancel
healthcare.operations.get
resourcemanager.projects.get
resourcemanager.projects.list
Healthcare HL7v2 Message Ingest
(roles/healthcare.hl7V2Ingest)
Ingest HL7v2 messages received from a source network.
healthcare.datasets.get
healthcare.datasets.list
healthcare.hl7V2Messages.ingest
healthcare.hl7V2Stores.get
healthcare.hl7V2Stores.list
healthcare.locations.*
healthcare.operations.get
resourcemanager.projects.get
resourcemanager.projects.list
Healthcare HL7v2 Store Administrator
(roles/healthcare.hl7V2StoreAdmin)
Administer HL7v2 Stores.
healthcare.datasets.get
healthcare.datasets.list
healthcare.hl7V2Stores.*
healthcare.locations.*
healthcare.operations.cancel
healthcare.operations.get
resourcemanager.projects.get
resourcemanager.projects.list
Healthcare HL7v2 Store Viewer
(roles/healthcare.hl7V2StoreViewer)
View HL7v2 Stores in a dataset.
healthcare.datasets.get
healthcare.datasets.list
healthcare.hl7V2Stores.get
healthcare.hl7V2Stores.list
healthcare.locations.*
healthcare.operations.get
resourcemanager.projects.get
resourcemanager.projects.list
Healthcare NLP Service Viewer
Beta
(roles/healthcare.nlpServiceViewer)
Extract and analyze medical entities from a given text.
healthcare.locations.*
healthcare.nlpservice.analyzeEntities
resourcemanager.projects.get
resourcemanager.projects.list
Healthcare User Data Mapping Editor
(roles/healthcare.userDataMappingEditor)
Edit UserDataMapping objects.
healthcare.consentStores.checkDataAccess
healthcare.consentStores.evaluateUserConsents
healthcare.consentStores.get
healthcare.consentStores.list
healthcare.consentStores.queryAccessibleData
healthcare.datasets.get
healthcare.datasets.list
healthcare.locations.*
healthcare.operations.get
healthcare.userDataMappings.*
resourcemanager.projects.get
resourcemanager.projects.list
Healthcare User Data Mapping Reader
(roles/healthcare.userDataMappingReader)
Read UserDataMapping objects in a consent store.
healthcare.consentStores.checkDataAccess
healthcare.consentStores.evaluateUserConsents
healthcare.consentStores.get
healthcare.consentStores.list
healthcare.consentStores.queryAccessibleData
healthcare.datasets.get
healthcare.datasets.list
healthcare.locations.*
healthcare.operations.get
healthcare.userDataMappings.get
healthcare.userDataMappings.list
resourcemanager.projects.get
resourcemanager.projects.list
Cloud IAP roles
Permissions
IAP Policy Admin
(roles/iap.admin)
Provides full access to Identity-Aware Proxy resources.
iap.tunnel.*
iap.tunnelDestGroups.getIamPolicy
iap.tunnelDestGroups.setIamPolicy
iap.tunnelInstances.getIamPolicy
iap.tunnelInstances.setIamPolicy
iap.tunnelLocations.*
iap.tunnelZones.*
iap.web.getIamPolicy
iap.web.setIamPolicy
iap.webServiceVersions.getIamPolicy
iap.webServiceVersions.setIamPolicy
iap.webServices.getIamPolicy
iap.webServices.setIamPolicy
iap.webTypes.getIamPolicy
iap.webTypes.setIamPolicy
IAP-secured Web App User
(roles/iap.httpsResourceAccessor)
Provides permission to access HTTPS resources which use Identity-Aware Proxy.
iap.webServiceVersions.accessViaIAP
IAP-secured Resource Remediator User
Beta
(roles/iap.remediatorUser)
Remediate IAP resources.
iap.tunnelDestGroups.remediate
iap.tunnelinstances.remediate
iap.webServiceVersions.remediate
IAP Settings Admin
(roles/iap.settingsAdmin)
Administrator of IAP Settings.
iap.projects.*
iap.web.getSettings
iap.web.updateSettings
iap.webServiceVersions.getSettings
iap.webServiceVersions.updateSettings
iap.webServices.getSettings
iap.webServices.updateSettings
iap.webTypes.getSettings
iap.webTypes.updateSettings
IAP-secured Tunnel Destination Group Editor
(roles/iap.tunnelDestGroupEditor)
Edit Tunnel Destination Group resources which use Identity-Aware Proxy
iap.tunnelDestGroups.create
iap.tunnelDestGroups.delete
iap.tunnelDestGroups.get
iap.tunnelDestGroups.list
iap.tunnelDestGroups.update
IAP-secured Tunnel Destination Group Viewer
(roles/iap.tunnelDestGroupViewer)
View Tunnel Destination Group resources which use Identity-Aware Proxy
iap.tunnelDestGroups.get
iap.tunnelDestGroups.list
IAP-secured Tunnel User
(roles/iap.tunnelResourceAccessor)
Access Tunnel resources which use Identity-Aware Proxy
iap.tunnelDestGroups.accessViaIAP
iap.tunnelInstances.accessViaIAP
Cloud IDS roles
Permissions
Cloud IDS Admin
Beta
(roles/ids.admin)
Full access to all Cloud IDS resources.
ids.*
resourcemanager.projects.get
resourcemanager.projects.list
Cloud IDS Viewer
Beta
(roles/ids.viewer)
Read-only access to all Cloud IDS resources.
ids.endpoints.get
ids.endpoints.getIamPolicy
ids.endpoints.list
ids.locations.*
ids.operations.get
ids.operations.list
resourcemanager.projects.get
resourcemanager.projects.list
Cloud IoT roles
Permissions
Cloud IoT Admin
(roles/cloudiot.admin)
Full control of all Cloud IoT resources and permissions.
cloudiot.*
cloudiottoken.*
Cloud IoT Device Controller
(roles/cloudiot.deviceController)
Access to update the device configuration, but not to create or delete devices.
cloudiot.devices.get
cloudiot.devices.list
cloudiot.devices.sendCommand
cloudiot.devices.updateConfig
cloudiot.registries.get
cloudiot.registries.list
cloudiottoken.tokensettings.get
Cloud IoT Editor
(roles/cloudiot.editor)
Read-write access to all Cloud IoT resources.
cloudiot.devices.*
cloudiot.registries.create
cloudiot.registries.delete
cloudiot.registries.get
cloudiot.registries.list
cloudiot.registries.update
cloudiottoken.*
Cloud IoT Provisioner
(roles/cloudiot.provisioner)
Access to create and delete devices in registries, but not to modify the registries, and to enable devices to publish to topics associated with the IoT registry.
cloudiot.devices.*
cloudiot.registries.get
cloudiot.registries.list
cloudiottoken.tokensettings.get
Cloud IoT Viewer
(roles/cloudiot.viewer)
Read-only access to all Cloud IoT resources.
cloudiot.devices.get
cloudiot.devices.list
cloudiot.registries.get
cloudiot.registries.list
cloudiottoken.tokensettings.get
Cloud KMS roles
Permissions
Cloud KMS Admin
(roles/cloudkms.admin)
Provides access to Cloud KMS resources, except for access to restricted resource types and cryptographic operations.
Lowest-level resources where you can grant this role:
Note that a Cloud Scheduler Admin (or any custom role with the permission
cloudscheduler.jobs.create) can create jobs that publish to any Pub/Sub topics within the
project.
appengine.applications.get
cloudscheduler.*
resourcemanager.projects.get
resourcemanager.projects.list
serviceusage.services.get
serviceusage.services.list
Cloud Scheduler Job Runner
(roles/cloudscheduler.jobRunner)
Access to run jobs.
appengine.applications.get
cloudscheduler.jobs.fullView
cloudscheduler.jobs.run
resourcemanager.projects.get
resourcemanager.projects.list
serviceusage.services.get
serviceusage.services.list
Cloud Scheduler Viewer
(roles/cloudscheduler.viewer)
Get and list access to jobs, executions, and locations.
appengine.applications.get
cloudscheduler.jobs.fullView
cloudscheduler.jobs.get
cloudscheduler.jobs.list
cloudscheduler.locations.*
resourcemanager.projects.get
resourcemanager.projects.list
serviceusage.services.get
serviceusage.services.list
Cloud Security Scanner roles
Permissions
Web Security Scanner Editor
(roles/cloudsecurityscanner.editor)
Full access to all Web Security Scanner resources
Lowest-level resources where you can grant this role:
Project
appengine.applications.get
cloudsecurityscanner.*
compute.addresses.list
resourcemanager.projects.get
resourcemanager.projects.list
serviceusage.quotas.get
serviceusage.services.get
serviceusage.services.list
Web Security Scanner Runner
(roles/cloudsecurityscanner.runner)
Read access to Scan and ScanRun, plus the ability to start scans
Lowest-level resources where you can grant this role:
Project
cloudsecurityscanner.crawledurls.list
cloudsecurityscanner.scanruns.get
cloudsecurityscanner.scanruns.list
cloudsecurityscanner.scanruns.stop
cloudsecurityscanner.scans.get
cloudsecurityscanner.scans.list
cloudsecurityscanner.scans.run
Web Security Scanner Viewer
(roles/cloudsecurityscanner.viewer)
Read access to all Web Security Scanner resources
Lowest-level resources where you can grant this role:
Project
cloudsecurityscanner.crawledurls.list
cloudsecurityscanner.results.*
cloudsecurityscanner.scanruns.get
cloudsecurityscanner.scanruns.getSummary
cloudsecurityscanner.scanruns.list
cloudsecurityscanner.scans.get
cloudsecurityscanner.scans.list
serviceusage.quotas.get
serviceusage.services.get
serviceusage.services.list
Cloud Services roles
Permissions
Service Broker Admin
(roles/servicebroker.admin)
Full access to ServiceBroker resources.
servicebroker.*
Service Broker Operator
(roles/servicebroker.operator)
Operational access to the ServiceBroker resources.
servicebroker.bindingoperations.*
servicebroker.bindings.create
servicebroker.bindings.delete
servicebroker.bindings.get
servicebroker.bindings.list
servicebroker.catalogs.create
servicebroker.catalogs.delete
servicebroker.catalogs.get
servicebroker.catalogs.list
servicebroker.instanceoperations.*
servicebroker.instances.create
servicebroker.instances.delete
servicebroker.instances.get
servicebroker.instances.list
servicebroker.instances.update
Cloud Spanner roles
Permissions
Cloud Spanner Admin
(roles/spanner.admin)
Has complete access to all Spanner
resources in a Google Cloud project. A principal with this role can:
Grant and revoke permissions to other principals for all Spanner resources in the project.
Allocate and delete chargeable Spanner resources.
Issue get/list/modify operations on Cloud Spanner resources.
Read from and write to all Cloud Spanner databases in the project.
Fetch project metadata.
Lowest-level resources where you can grant this role:
Project
monitoring.timeSeries.list
resourcemanager.projects.get
resourcemanager.projects.list
spanner.*
Cloud Spanner Backup Admin
(roles/spanner.backupAdmin)
A principal with this role can:
Create, view, update, and delete backups.
View and manage a backup's allow policy.
This role cannot restore a database from a backup.
Lowest-level resources where you can grant this role:
Instance
monitoring.timeSeries.list
resourcemanager.projects.get
resourcemanager.projects.list
spanner.backupOperations.*
spanner.backups.copy
spanner.backups.create
spanner.backups.delete
spanner.backups.get
spanner.backups.getIamPolicy
spanner.backups.list
spanner.backups.setIamPolicy
spanner.backups.update
spanner.databases.createBackup
spanner.databases.get
spanner.databases.list
spanner.instances.createTagBinding
spanner.instances.deleteTagBinding
spanner.instances.get
spanner.instances.list
spanner.instances.listEffectiveTags
spanner.instances.listTagBindings
Cloud Spanner Backup Writer
(roles/spanner.backupWriter)
This role is intended to be used by scripts that automate backup creation.
A principal with this role can create backups, but cannot update or delete them.
Lowest-level resources where you can grant this role:
Instance
spanner.backupOperations.get
spanner.backupOperations.list
spanner.backups.copy
spanner.backups.create
spanner.backups.get
spanner.backups.list
spanner.databases.createBackup
spanner.databases.get
spanner.databases.list
spanner.instances.get
Cloud Spanner Database Admin
(roles/spanner.databaseAdmin)
A principal with this role can:
Get/list all Spanner instances in the project.
Create/list/drop databases in an instance.
Grant/revoke access to databases in the project.
Read from and write to all Cloud Spanner databases in the project.
Lowest-level resources where you can grant this role:
Database
spanner.databases.beginReadOnlyTransaction
spanner.databases.getDdl
spanner.databases.partitionQuery
spanner.databases.partitionRead
spanner.databases.read
spanner.databases.select
spanner.instances.get
spanner.sessions.*
Cloud Spanner Database Role User
(roles/spanner.databaseRoleUser)
In conjunction with the IAM role Cloud Spanner Fine-grained Access User, grants permissions to individual Spanner database roles. Add a condition for each desired Spanner database role that includes the resource type of `spanner.googleapis.com/DatabaseRole` and the resource name ending with `/YOUR_SPANNER_DATABASE_ROLE`.
spanner.databaseRoles.use
Cloud Spanner Database User
(roles/spanner.databaseUser)
A principal with this role can:
Read from and write to the Spanner database.
Execute SQL queries on the database, including DML and Partitioned DML.
View and update schema for the database.
Lowest-level resources where you can grant this role:
Grants permissions to use Spanner's fine-grained access control framework. To grant access to specific database roles, also add the `roles/spanner.databaseRoleUser` IAM role and its necessary conditions.
spanner.databaseRoles.list
spanner.databases.useRoleBasedAccess
Cloud Spanner Restore Admin
(roles/spanner.restoreAdmin)
A principal with this role can restore databases from backups.
If you need to restore a backup to a different instance, apply this
role at the project level or to both instances. This role cannot create backups.
Lowest-level resources where you can grant this role:
Instance
monitoring.timeSeries.list
resourcemanager.projects.get
resourcemanager.projects.list
spanner.backups.get
spanner.backups.list
spanner.backups.restoreDatabase
spanner.databaseOperations.cancel
spanner.databaseOperations.get
spanner.databaseOperations.list
spanner.databases.create
spanner.databases.get
spanner.databases.list
spanner.instances.createTagBinding
spanner.instances.deleteTagBinding
spanner.instances.get
spanner.instances.list
spanner.instances.listEffectiveTags
spanner.instances.listTagBindings
Cloud Spanner Viewer
(roles/spanner.viewer)
A principal with this role can:
View all Spanner instances (but cannot modify instances).
View all Spanner databases (but cannot modify or read from databases).
For example, you can combine this role with the roles/spanner.databaseUser role to
grant a user access to a specific database, but only view access to other instances and
databases.
This role is recommended at the Google Cloud project level for users interacting with Cloud
Spanner resources in the Google Cloud console.
Lowest-level resources where you can grant this role:
Project
monitoring.timeSeries.list
resourcemanager.projects.get
resourcemanager.projects.list
spanner.databases.list
spanner.instanceConfigs.get
spanner.instanceConfigs.list
spanner.instances.get
spanner.instances.list
spanner.instances.listEffectiveTags
spanner.instances.listTagBindings
Cloud SQL roles
Permissions
Cloud SQL Admin
(roles/cloudsql.admin)
Provides full control of Cloud SQL resources.
Lowest-level resources where you can grant this role:
When applied to an individual bucket, control applies only to
the specified bucket and objects within the bucket.
Lowest-level resources where you can grant this role:
Bucket
firebase.projects.get
orgpolicy.policy.get
recommender.iamPolicyInsights.*
recommender.iamPolicyRecommendations.*
resourcemanager.projects.get
resourcemanager.projects.list
storage.anywhereCaches.*
storage.bucketOperations.*
storage.buckets.*
storage.managedFolders.*
storage.multipartUploads.*
storage.objects.*
Storage Folder Admin
(roles/storage.folderAdmin)
Grants full control over folders and objects, including listing, creating, viewing, and deleting objects.
orgpolicy.policy.get
resourcemanager.projects.get
resourcemanager.projects.list
storage.managedFolders.*
storage.multipartUploads.*
storage.objects.*
Storage HMAC Key Admin
(roles/storage.hmacKeyAdmin)
Full control of Cloud Storage HMAC keys.
firebase.projects.get
orgpolicy.policy.get
resourcemanager.projects.get
resourcemanager.projects.list
storage.hmacKeys.*
Storage Insights Collector Service
(roles/storage.insightsCollectorService)
Read-only access to Cloud Storage Inventory metadata for Storage Insights.
resourcemanager.projects.get
resourcemanager.projects.list
storage.buckets.get
storage.buckets.getObjectInsights
Storage Object Admin
(roles/storage.objectAdmin)
Grants full control of objects, including listing, creating, viewing,
and deleting objects.
Lowest-level resources where you can grant this role:
Bucket
orgpolicy.policy.get
resourcemanager.projects.get
resourcemanager.projects.list
storage.managedFolders.create
storage.managedFolders.delete
storage.managedFolders.get
storage.managedFolders.list
storage.multipartUploads.*
storage.objects.*
Storage Object Creator
(roles/storage.objectCreator)
Allows users to create objects. Does not give permission to view,
delete, or overwrite objects.
Lowest-level resources where you can grant this role:
Bucket
orgpolicy.policy.get
resourcemanager.projects.get
resourcemanager.projects.list
storage.managedFolders.create
storage.multipartUploads.abort
storage.multipartUploads.create
storage.multipartUploads.listParts
storage.objects.create
Storage Object User
(roles/storage.objectUser)
Access to create, read, update and delete objects and multipart uploads in GCS.
orgpolicy.policy.get
resourcemanager.projects.get
resourcemanager.projects.list
storage.managedFolders.create
storage.managedFolders.delete
storage.managedFolders.get
storage.managedFolders.list
storage.multipartUploads.*
storage.objects.create
storage.objects.delete
storage.objects.get
storage.objects.list
storage.objects.restore
storage.objects.update
Storage Object Viewer
(roles/storage.objectViewer)
Grants access to view objects and their metadata, excluding ACLs. Can
also list the objects in a bucket.
Lowest-level resources where you can grant this role:
Bucket
resourcemanager.projects.get
resourcemanager.projects.list
storage.managedFolders.get
storage.managedFolders.list
storage.objects.get
storage.objects.list
Storage Transfer Admin
(roles/storagetransfer.admin)
Create, update and manage transfer jobs and operations.
resourcemanager.projects.get
resourcemanager.projects.list
storagetransfer.*
Storage Transfer Agent
(roles/storagetransfer.transferAgent)
Perform transfers from an agent.
monitoring.timeSeries.create
pubsub.subscriptions.consume
pubsub.subscriptions.create
pubsub.subscriptions.delete
pubsub.subscriptions.get
pubsub.topics.attachSubscription
pubsub.topics.create
pubsub.topics.get
pubsub.topics.list
pubsub.topics.publish
storagetransfer.agentpools.report
storagetransfer.operations.assign
storagetransfer.operations.get
storagetransfer.operations.report
Storage Transfer User
(roles/storagetransfer.user)
Create and update storage transfer jobs and operations.
resourcemanager.projects.get
resourcemanager.projects.list
storagetransfer.agentpools.create
storagetransfer.agentpools.get
storagetransfer.agentpools.list
storagetransfer.agentpools.report
storagetransfer.agentpools.update
storagetransfer.jobs.create
storagetransfer.jobs.get
storagetransfer.jobs.list
storagetransfer.jobs.run
storagetransfer.jobs.update
storagetransfer.operations.*
storagetransfer.projects.getServiceAccount
Storage Transfer Viewer
(roles/storagetransfer.viewer)
Read access to storage transfer jobs and operations.
resourcemanager.projects.get
resourcemanager.projects.list
storagetransfer.agentpools.get
storagetransfer.agentpools.list
storagetransfer.jobs.get
storagetransfer.jobs.list
storagetransfer.operations.get
storagetransfer.operations.list
storagetransfer.projects.getServiceAccount
Cloud Storage Legacy roles
Permissions
Storage Legacy Bucket Owner
(roles/storage.legacyBucketOwner)
Grants permission to create, overwrite, and delete objects; list objects
in a bucket and read object metadata, excluding allow policies, when
listing; and read and edit bucket metadata, including allow policies.
Use of this role is also reflected in the bucket's ACLs. For more
information, see
IAM relation to ACLs.
Lowest-level resources where you can grant this role:
Bucket
storage.bucketOperations.*
storage.buckets.createTagBinding
storage.buckets.deleteTagBinding
storage.buckets.enableObjectRetention
storage.buckets.get
storage.buckets.getIamPolicy
storage.buckets.listEffectiveTags
storage.buckets.listTagBindings
storage.buckets.restore
storage.buckets.setIamPolicy
storage.buckets.update
storage.managedFolders.*
storage.multipartUploads.*
storage.objects.create
storage.objects.delete
storage.objects.list
storage.objects.restore
storage.objects.setRetention
Storage Legacy Bucket Reader
(roles/storage.legacyBucketReader)
Grants permission to list a bucket's contents and read bucket metadata,
excluding allow policies. Also grants permission to read object metadata,
excluding allow policies, when listing objects.
Use of this role is also reflected in the bucket's ACLs. For more
information, see
IAM relation to ACLs.
Lowest-level resources where you can grant this role:
Bucket
storage.buckets.get
storage.managedFolders.get
storage.managedFolders.list
storage.multipartUploads.list
storage.objects.list
Storage Legacy Bucket Writer
(roles/storage.legacyBucketWriter)
Grants permission to create, overwrite, and delete objects; list objects
in a bucket and read object metadata, excluding allow policies, when
listing; and read bucket metadata, excluding allow policies.
Use of this role is also reflected in the bucket's ACLs. For more
information, see
IAM relation to ACLs.
Lowest-level resources where you can grant this role:
Bucket
storage.buckets.get
storage.managedFolders.create
storage.managedFolders.delete
storage.managedFolders.get
storage.managedFolders.list
storage.multipartUploads.*
storage.objects.create
storage.objects.delete
storage.objects.list
storage.objects.restore
storage.objects.setRetention
Storage Legacy Object Owner
(roles/storage.legacyObjectOwner)
Grants permission to view and edit objects and their metadata, including
ACLs.
Lowest-level resources where you can grant this role:
Bucket
storage.objects.get
storage.objects.getIamPolicy
storage.objects.overrideUnlockedRetention
storage.objects.setIamPolicy
storage.objects.setRetention
storage.objects.update
Storage Legacy Object Reader
(roles/storage.legacyObjectReader)
Grants permission to view objects and their metadata, excluding ACLs.
Lowest-level resources where you can grant this role:
Bucket
storage.objects.get
Cloud Talent Solution roles
Permissions
Admin
(roles/cloudjobdiscovery.admin)
Access to Cloud Talent Solution Self-Service Tools.
cloudjobdiscovery.tools.access
iam.serviceAccounts.list
resourcemanager.projects.get
resourcemanager.projects.list
Job Editor
(roles/cloudjobdiscovery.jobsEditor)
Write access to all job data in Cloud Talent Solution.
cloudjobdiscovery.companies.*
cloudjobdiscovery.events.create
cloudjobdiscovery.jobs.*
cloudjobdiscovery.tenants.*
resourcemanager.projects.get
resourcemanager.projects.list
Job Viewer
(roles/cloudjobdiscovery.jobsViewer)
Read access to all job data in Cloud Talent Solution.
cloudjobdiscovery.companies.get
cloudjobdiscovery.companies.list
cloudjobdiscovery.jobs.get
cloudjobdiscovery.jobs.search
cloudjobdiscovery.tenants.get
resourcemanager.projects.get
resourcemanager.projects.list
Profile Editor
(roles/cloudjobdiscovery.profilesEditor)
Write access to all profile data in Cloud Talent Solution.
cloudjobdiscovery.events.create
cloudjobdiscovery.profiles.*
cloudjobdiscovery.tenants.*
resourcemanager.projects.get
resourcemanager.projects.list
Profile Viewer
(roles/cloudjobdiscovery.profilesViewer)
Read access to all profile data in Cloud Talent Solution.
cloudjobdiscovery.profiles.get
cloudjobdiscovery.profiles.search
cloudjobdiscovery.tenants.get
resourcemanager.projects.get
resourcemanager.projects.list
Cloud Tasks roles
Permissions
Cloud Tasks Admin
Beta
(roles/cloudtasks.admin)
Full access to queues and tasks.
cloudtasks.*
monitoring.timeSeries.list
resourcemanager.projects.get
resourcemanager.projects.list
Cloud Tasks Enqueuer
Beta
(roles/cloudtasks.enqueuer)
Access to create tasks.
cloudtasks.tasks.create
cloudtasks.tasks.fullView
resourcemanager.projects.get
resourcemanager.projects.list
Cloud Tasks Queue Admin
Beta
(roles/cloudtasks.queueAdmin)
Admin access to queues.
cloudtasks.locations.*
cloudtasks.queues.*
resourcemanager.projects.get
resourcemanager.projects.list
Cloud Tasks Task Deleter
Beta
(roles/cloudtasks.taskDeleter)
Access to delete tasks.
cloudtasks.tasks.delete
resourcemanager.projects.get
resourcemanager.projects.list
Cloud Tasks Task Runner
Beta
(roles/cloudtasks.taskRunner)
Access to run tasks.
cloudtasks.tasks.fullView
cloudtasks.tasks.run
resourcemanager.projects.get
resourcemanager.projects.list
Cloud Tasks Viewer
Beta
(roles/cloudtasks.viewer)
Get and list access to tasks, queues, and locations.
cloudtasks.cmekConfig.get
cloudtasks.locations.*
cloudtasks.queues.get
cloudtasks.queues.list
cloudtasks.tasks.fullView
cloudtasks.tasks.get
cloudtasks.tasks.list
monitoring.timeSeries.list
resourcemanager.projects.get
resourcemanager.projects.list
Cloud TPU roles
Permissions
TPU Admin
(roles/tpu.admin)
Full access to TPU nodes and related resources.
resourcemanager.projects.get
resourcemanager.projects.list
tpu.*
TPU Viewer
(roles/tpu.viewer)
Read-only access to TPU nodes and related resources.
resourcemanager.projects.get
resourcemanager.projects.list
tpu.acceleratortypes.*
tpu.locations.*
tpu.nodes.get
tpu.nodes.list
tpu.operations.*
tpu.runtimeversions.*
tpu.tensorflowversions.*
TPU Shared VPC Agent
(roles/tpu.xpnAgent)
Can use shared VPC network (XPN) for the TPU VMs.
compute.addresses.createInternal
compute.addresses.deleteInternal
compute.addresses.get
compute.addresses.list
compute.addresses.use
compute.addresses.useInternal
compute.firewalls.create
compute.firewalls.delete
compute.firewalls.get
compute.firewalls.update
compute.globalOperations.get
compute.networks.get
compute.networks.list
compute.networks.updatePolicy
compute.networks.use
compute.networks.useExternalIp
compute.routes.list
compute.subnetworks.get
compute.subnetworks.list
compute.subnetworks.use
compute.subnetworks.useExternalIp
compute.zoneOperations.get
Cloud Trace roles
Permissions
Cloud Trace Admin
(roles/cloudtrace.admin)
Provides full access to the Trace console and read-write access to traces.
Lowest-level resources where you can grant this role:
Project
cloudtrace.*
resourcemanager.projects.get
resourcemanager.projects.list
Cloud Trace Agent
(roles/cloudtrace.agent)
For service accounts. Provides the ability to write traces by sending the data
to Stackdriver Trace.
Lowest-level resources where you can grant this role:
Project
cloudtrace.traces.patch
Cloud Trace User
(roles/cloudtrace.user)
Provides full access to the Trace console and read access to traces.
Lowest-level resources where you can grant this role:
Project
cloudtrace.insights.*
cloudtrace.stats.get
cloudtrace.tasks.*
cloudtrace.traces.get
cloudtrace.traces.list
resourcemanager.projects.get
resourcemanager.projects.list
Cloud Translation roles
Permissions
Cloud Translation API Admin
(roles/cloudtranslate.admin)
Full access to all Cloud Translation resources
automl.models.get
automl.models.predict
cloudtranslate.*
resourcemanager.projects.get
resourcemanager.projects.list
Cloud Translation API Editor
(roles/cloudtranslate.editor)
Editor of all Cloud Translation resources
automl.models.get
automl.models.predict
cloudtranslate.*
resourcemanager.projects.get
resourcemanager.projects.list
Cloud Translation API User
(roles/cloudtranslate.user)
User of Cloud Translation and AutoML models
automl.models.get
automl.models.predict
cloudtranslate.adaptiveMtDatasets.get
cloudtranslate.adaptiveMtDatasets.list
cloudtranslate.adaptiveMtDatasets.predict
cloudtranslate.adaptiveMtFiles.get
cloudtranslate.adaptiveMtFiles.list
cloudtranslate.adaptiveMtSentences.list
cloudtranslate.customModels.get
cloudtranslate.customModels.list
cloudtranslate.customModels.predict
cloudtranslate.datasets.get
cloudtranslate.datasets.list
cloudtranslate.generalModels.*
cloudtranslate.glossaries.batchDocPredict
cloudtranslate.glossaries.batchPredict
cloudtranslate.glossaries.docPredict
cloudtranslate.glossaries.get
cloudtranslate.glossaries.list
cloudtranslate.glossaries.predict
cloudtranslate.glossaryentries.get
cloudtranslate.glossaryentries.list
cloudtranslate.languageDetectionModels.predict
cloudtranslate.locations.*
cloudtranslate.operations.get
cloudtranslate.operations.list
cloudtranslate.operations.wait
resourcemanager.projects.get
resourcemanager.projects.list
Cloud Translation API Viewer
(roles/cloudtranslate.viewer)
Viewer of all Translation resources
automl.models.get
cloudtranslate.adaptiveMtDatasets.get
cloudtranslate.adaptiveMtDatasets.list
cloudtranslate.adaptiveMtFiles.get
cloudtranslate.adaptiveMtFiles.list
cloudtranslate.adaptiveMtSentences.list
cloudtranslate.customModels.get
cloudtranslate.customModels.list
cloudtranslate.datasets.get
cloudtranslate.datasets.list
cloudtranslate.generalModels.get
cloudtranslate.glossaries.get
cloudtranslate.glossaries.list
cloudtranslate.glossaryentries.get
cloudtranslate.glossaryentries.list
cloudtranslate.locations.*
cloudtranslate.operations.get
cloudtranslate.operations.list
cloudtranslate.operations.wait
resourcemanager.projects.get
resourcemanager.projects.list
Cloud Workstations roles
Permissions
Cloud Workstations Admin
(roles/workstations.admin)
Grants CRUD access to all Workstation resources.
compute.acceleratorTypes.*
compute.machineTypes.*
compute.networks.get
compute.networks.list
compute.subnetworks.get
compute.subnetworks.list
compute.zones.*
iam.serviceAccounts.get
iam.serviceAccounts.list
resourcemanager.projects.get
resourcemanager.projects.list
workstations.operations.get
workstations.workstationClusters.*
workstations.workstationConfigs.*
workstations.workstations.create
workstations.workstations.delete
workstations.workstations.get
workstations.workstations.getIamPolicy
workstations.workstations.list
workstations.workstations.setIamPolicy
workstations.workstations.start
workstations.workstations.stop
workstations.workstations.update
Cloud Workstations Network Admin
(roles/workstations.networkAdmin)
Grants ability to connect a Workstation Cluster to a shared VPC network.
compute.addresses.create
compute.addresses.createInternal
compute.addresses.delete
compute.addresses.deleteInternal
compute.addresses.get
compute.addresses.use
compute.forwardingRules.create
compute.forwardingRules.delete
compute.forwardingRules.get
compute.forwardingRules.pscCreate
compute.forwardingRules.pscDelete
compute.globalOperations.get
compute.networks.get
compute.networks.updatePolicy
compute.networks.use
compute.networks.useExternalIp
compute.regionOperations.get
compute.subnetworks.get
compute.subnetworks.use
compute.subnetworks.useExternalIp
compute.zoneOperations.get
servicedirectory.namespaces.create
servicedirectory.namespaces.delete
servicedirectory.services.create
servicedirectory.services.delete
Cloud Workstations Operation Viewer
(roles/workstations.operationViewer)
Grants ability to view Cloud Workstations API operations.
workstations.operations.get
Cloud Workstations User
(roles/workstations.user)
Grants runtime access to Workstation resources.
workstations.operations.get
workstations.workstations.delete
workstations.workstations.get
workstations.workstations.start
workstations.workstations.stop
workstations.workstations.update
workstations.workstations.use
Cloud Workstations Creator
(roles/workstations.workstationCreator)
Grants ability to create Workstation resources.
resourcemanager.projects.get
resourcemanager.projects.list
workstations.operations.get
workstations.workstationClusters.get
workstations.workstationClusters.list
workstations.workstationConfigs.get
workstations.workstations.create
Compute Engine roles
Permissions
Compute Admin
(roles/compute.admin)
Full control of all Compute Engine resources.
If the user will be managing virtual machine instances that are configured
to run as a service account, you must also grant the
roles/iam.serviceAccountUser role.
Lowest-level resources where you can grant this role:
Disk
Image
Instance
Instance template
Node group
Node template
Snapshot (Beta)
compute.*
resourcemanager.projects.get
resourcemanager.projects.list
serviceusage.quotas.get
serviceusage.services.get
serviceusage.services.list
Compute Future Reservation Admin
Beta
(roles/compute.futureReservationAdmin)
compute.acceleratorTypes.list
compute.futureReservations.cancel
compute.futureReservations.create
compute.futureReservations.delete
compute.futureReservations.get
compute.futureReservations.list
compute.futureReservations.update
compute.instanceTemplates.list
compute.machineTypes.list
compute.regions.list
compute.reservations.create
compute.zones.list
Compute Future Reservation User
Beta
(roles/compute.futureReservationUser)
compute.acceleratorTypes.list
compute.futureReservations.create
compute.futureReservations.delete
compute.futureReservations.get
compute.futureReservations.list
compute.futureReservations.update
compute.instanceTemplates.list
compute.machineTypes.list
compute.regions.list
compute.reservations.create
compute.zones.list
Compute Future Reservation Viewer
Beta
(roles/compute.futureReservationViewer)
compute.acceleratorTypes.list
compute.futureReservations.get
compute.futureReservations.list
compute.instanceTemplates.list
compute.machineTypes.list
compute.regions.list
compute.zones.list
Compute Image User
(roles/compute.imageUser)
Permission to list and read images without having other permissions on the image. Granting this role
at the project level gives users the ability to list all images in the project and create resources,
such as instances and persistent disks, based on images in the project.
Lowest-level resources where you can grant this role:
Image (Beta)
compute.images.get
compute.images.getFromFamily
compute.images.list
compute.images.useReadOnly
resourcemanager.projects.get
resourcemanager.projects.list
serviceusage.quotas.get
serviceusage.services.get
serviceusage.services.list
Compute Instance Admin (beta)
(roles/compute.instanceAdmin)
Permissions to create, modify, and delete virtual machine instances.
This includes permissions to create, modify, and delete disks, and also to
configure Shielded VM
settings.
If the user will be managing virtual machine instances that are configured
to run as a service account, you must also grant the
roles/iam.serviceAccountUser role.
For example, if your company has someone who manages groups of virtual
machine instances but does not manage network or security settings and
does not manage instances that run as service accounts, you can grant this
role on the organization, folder, or project that contains the instances,
or you can grant it on individual instances.
Lowest-level resources where you can grant this role:
Disk
Image
Instance
Instance template
Snapshot (Beta)
compute.acceleratorTypes.*
compute.addresses.createInternal
compute.addresses.deleteInternal
compute.addresses.get
compute.addresses.list
compute.addresses.use
compute.addresses.useInternal
compute.autoscalers.*
compute.diskTypes.*
compute.disks.create
compute.disks.createSnapshot
compute.disks.delete
compute.disks.get
compute.disks.list
compute.disks.resize
compute.disks.setLabels
compute.disks.startAsyncReplication
compute.disks.stopAsyncReplication
compute.disks.stopGroupAsyncReplication
compute.disks.update
compute.disks.use
compute.disks.useReadOnly
compute.globalAddresses.get
compute.globalAddresses.list
compute.globalAddresses.use
compute.globalNetworkEndpointGroups.*
compute.globalOperations.get
compute.globalOperations.list
compute.images.get
compute.images.getFromFamily
compute.images.list
compute.images.useReadOnly
compute.instanceGroupManagers.*
compute.instanceGroups.*
compute.instanceSettings.get
compute.instanceTemplates.*
compute.instances.*
compute.licenses.get
compute.licenses.list
compute.machineImages.*
compute.machineTypes.*
compute.networkEndpointGroups.*
compute.networks.get
compute.networks.list
compute.networks.listEffectiveTags
compute.networks.listTagBindings
compute.networks.use
compute.networks.useExternalIp
compute.projects.get
compute.regionNetworkEndpointGroups.*
compute.regionOperations.get
compute.regionOperations.list
compute.regions.*
compute.reservations.get
compute.reservations.list
compute.resourcePolicies.useReadOnly
compute.storagePools.get
compute.storagePools.list
compute.storagePools.use
compute.subnetworks.get
compute.subnetworks.list
compute.subnetworks.listEffectiveTags
compute.subnetworks.listTagBindings
compute.subnetworks.use
compute.subnetworks.useExternalIp
compute.targetPools.get
compute.targetPools.list
compute.targetPools.listEffectiveTags
compute.targetPools.listTagBindings
compute.zoneOperations.get
compute.zoneOperations.list
compute.zones.*
resourcemanager.projects.get
resourcemanager.projects.list
serviceusage.quotas.get
serviceusage.services.get
serviceusage.services.list
Compute Instance Admin (v1)
(roles/compute.instanceAdmin.v1)
Full control of Compute Engine instances, instance groups, disks, snapshots, and images.
Read access to all Compute Engine networking resources.
If you grant a user this role only at an instance level, then that user cannot create new instances.
Compute Load Balancer Admin
(roles/compute.loadBalancerAdmin)
Permissions to create, modify, and delete load balancers and associated
resources.
For example, if your company has a load balancing team that manages load
balancers, SSL certificates for load balancers, SSL policies, and other
load balancing resources, and a separate networking team that manages
the rest of the networking resources, then grant this role to the load
balancing team's group.
Lowest-level resources where you can grant this role:
Instance (Beta)
certificatemanager.certmaps.get
certificatemanager.certmaps.list
certificatemanager.certmaps.use
compute.addresses.*
compute.backendBuckets.*
compute.backendServices.*
compute.disks.listEffectiveTags
compute.disks.listTagBindings
compute.forwardingRules.*
compute.globalAddresses.*
compute.globalForwardingRules.*
compute.globalNetworkEndpointGroups.*
compute.globalOperations.get
compute.globalOperations.list
compute.healthChecks.*
compute.httpHealthChecks.*
compute.httpsHealthChecks.*
compute.images.listEffectiveTags
compute.images.listTagBindings
compute.instanceGroups.*
compute.instances.get
compute.instances.list
compute.instances.listEffectiveTags
compute.instances.listTagBindings
compute.instances.use
compute.instances.useReadOnly
compute.networkEndpointGroups.*
compute.networks.get
compute.networks.list
compute.networks.listEffectiveTags
compute.networks.listTagBindings
compute.networks.use
compute.projects.get
compute.regionBackendServices.*
compute.regionHealthCheckServices.*
compute.regionHealthChecks.*
compute.regionNetworkEndpointGroups.*
compute.regionNotificationEndpoints.*
compute.regionOperations.get
compute.regionOperations.list
compute.regionSecurityPolicies.get
compute.regionSecurityPolicies.list
compute.regionSecurityPolicies.listEffectiveTags
compute.regionSecurityPolicies.listTagBindings
compute.regionSecurityPolicies.use
compute.regionSslCertificates.*
compute.regionSslPolicies.*
compute.regionTargetHttpProxies.*
compute.regionTargetHttpsProxies.*
compute.regionTargetTcpProxies.*
compute.regionUrlMaps.*
compute.securityPolicies.get
compute.securityPolicies.list
compute.securityPolicies.listEffectiveTags
compute.securityPolicies.listTagBindings
compute.securityPolicies.use
compute.snapshots.listEffectiveTags
compute.snapshots.listTagBindings
compute.sslCertificates.*
compute.sslPolicies.*
compute.subnetworks.get
compute.subnetworks.list
compute.subnetworks.listEffectiveTags
compute.subnetworks.listTagBindings
compute.subnetworks.use
compute.targetGrpcProxies.*
compute.targetHttpProxies.*
compute.targetHttpsProxies.*
compute.targetInstances.*
compute.targetPools.*
compute.targetSslProxies.*
compute.targetTcpProxies.*
compute.urlMaps.*
compute.zoneOperations.get
compute.zoneOperations.list
networksecurity.clientTlsPolicies.get
networksecurity.clientTlsPolicies.list
networksecurity.clientTlsPolicies.use
networksecurity.serverTlsPolicies.get
networksecurity.serverTlsPolicies.list
networksecurity.serverTlsPolicies.use
resourcemanager.projects.get
resourcemanager.projects.list
serviceusage.quotas.get
serviceusage.services.get
serviceusage.services.list
Compute Load Balancer Services User
(roles/compute.loadBalancerServiceUser)
Permissions to use services from a load balancer in other projects.
compute.backendServices.get
compute.backendServices.list
compute.backendServices.listEffectiveTags
compute.backendServices.listTagBindings
compute.backendServices.use
compute.projects.get
compute.regionBackendServices.get
compute.regionBackendServices.list
compute.regionBackendServices.listEffectiveTags
compute.regionBackendServices.listTagBindings
compute.regionBackendServices.use
resourcemanager.projects.get
resourcemanager.projects.list
serviceusage.quotas.get
serviceusage.services.get
serviceusage.services.list
Compute Network Admin
(roles/compute.networkAdmin)
Permissions to create, modify, and delete networking resources,
except for firewall rules and SSL certificates. The network admin role
allows read-only access to firewall rules, SSL certificates, and instances
(to view their ephemeral IP addresses). The network admin role does not
allow a user to create, start, stop, or delete instances.
For example, if your company has a security team that manages firewalls
and SSL certificates and a networking team that manages the rest of the
networking resources, then grant this role to the networking team's group.
Or, if you have a combined team that manages both security and networking,
then grant this role as well as the roles/compute.securityAdmin role to the combined team's group.
Lowest-level resources where you can grant this role:
Compute Network User
(roles/compute.networkUser)
Once granted, service owners can use VPC networks and subnets that belong
to the host project. For example, a network user can create a VM instance
that belongs to a host project network but they cannot delete or create
new networks in the host project.
Lowest-level resources where you can grant this role:
Project
compute.addresses.createInternal
compute.addresses.deleteInternal
compute.addresses.get
compute.addresses.list
compute.addresses.useInternal
compute.externalVpnGateways.get
compute.externalVpnGateways.list
compute.externalVpnGateways.use
compute.firewalls.get
compute.firewalls.list
compute.firewalls.listEffectiveTags
compute.firewalls.listTagBindings
compute.instanceSettings.get
compute.interconnectAttachments.get
compute.interconnectAttachments.list
compute.interconnectLocations.*
compute.interconnectRemoteLocations.*
compute.interconnects.get
compute.interconnects.list
compute.interconnects.use
compute.networkAttachments.get
compute.networkAttachments.list
compute.networks.access
compute.networks.get
compute.networks.getEffectiveFirewalls
compute.networks.getRegionEffectiveFirewalls
compute.networks.list
compute.networks.listEffectiveTags
compute.networks.listPeeringRoutes
compute.networks.listTagBindings
compute.networks.use
compute.networks.useExternalIp
compute.projects.get
compute.regions.*
compute.routers.get
compute.routers.getRoutePolicy
compute.routers.list
compute.routers.listBgpRoutes
compute.routers.listRoutePolicies
compute.routes.get
compute.routes.list
compute.routes.listEffectiveTags
compute.routes.listTagBindings
compute.serviceAttachments.get
compute.serviceAttachments.list
compute.subnetworks.get
compute.subnetworks.list
compute.subnetworks.listEffectiveTags
compute.subnetworks.listTagBindings
compute.subnetworks.use
compute.subnetworks.useExternalIp
compute.targetVpnGateways.get
compute.targetVpnGateways.list
compute.vpnGateways.get
compute.vpnGateways.list
compute.vpnGateways.use
compute.vpnTunnels.get
compute.vpnTunnels.list
compute.zones.*
networkconnectivity.internalRanges.get
networkconnectivity.internalRanges.list
networkconnectivity.locations.*
networkconnectivity.operations.get
networkconnectivity.operations.list
networkconnectivity.policyBasedRoutes.get
networkconnectivity.policyBasedRoutes.list
networksecurity.addressGroups.get
networksecurity.addressGroups.list
networksecurity.addressGroups.use
networksecurity.authorizationPolicies.get
networksecurity.authorizationPolicies.list
networksecurity.authorizationPolicies.use
networksecurity.clientTlsPolicies.get
networksecurity.clientTlsPolicies.list
networksecurity.clientTlsPolicies.use
networksecurity.firewallEndpointAssociations.get
networksecurity.firewallEndpointAssociations.list
networksecurity.firewallEndpoints.get
networksecurity.firewallEndpoints.list
networksecurity.firewallEndpoints.use
networksecurity.gatewaySecurityPolicies.get
networksecurity.gatewaySecurityPolicies.list
networksecurity.gatewaySecurityPolicies.use
networksecurity.gatewaySecurityPolicyRules.get
networksecurity.gatewaySecurityPolicyRules.list
networksecurity.gatewaySecurityPolicyRules.use
networksecurity.locations.*
networksecurity.operations.get
networksecurity.operations.list
networksecurity.securityProfileGroups.get
networksecurity.securityProfileGroups.list
networksecurity.securityProfileGroups.use
networksecurity.securityProfiles.get
networksecurity.securityProfiles.list
networksecurity.securityProfiles.use
networksecurity.serverTlsPolicies.get
networksecurity.serverTlsPolicies.list
networksecurity.serverTlsPolicies.use
networksecurity.tlsInspectionPolicies.get
networksecurity.tlsInspectionPolicies.list
networksecurity.tlsInspectionPolicies.use
networksecurity.urlLists.get
networksecurity.urlLists.list
networksecurity.urlLists.use
networkservices.endpointConfigSelectors.get
networkservices.endpointConfigSelectors.list
networkservices.endpointConfigSelectors.use
networkservices.endpointPolicies.get
networkservices.endpointPolicies.list
networkservices.endpointPolicies.use
networkservices.gateways.get
networkservices.gateways.list
networkservices.gateways.use
networkservices.grpcRoutes.get
networkservices.grpcRoutes.list
networkservices.grpcRoutes.use
networkservices.httpFilters.get
networkservices.httpFilters.list
networkservices.httpFilters.use
networkservices.httpRoutes.get
networkservices.httpRoutes.list
networkservices.httpRoutes.use
networkservices.httpfilters.get
networkservices.httpfilters.list
networkservices.httpfilters.use
networkservices.lbRouteExtensions.get
networkservices.lbRouteExtensions.list
networkservices.lbTrafficExtensions.get
networkservices.lbTrafficExtensions.list
networkservices.locations.*
networkservices.meshes.get
networkservices.meshes.list
networkservices.meshes.use
networkservices.operations.get
networkservices.operations.list
networkservices.serviceBindings.get
networkservices.serviceBindings.list
networkservices.serviceLbPolicies.get
networkservices.serviceLbPolicies.list
networkservices.tcpRoutes.get
networkservices.tcpRoutes.list
networkservices.tcpRoutes.use
networkservices.tlsRoutes.get
networkservices.tlsRoutes.list
networkservices.tlsRoutes.use
resourcemanager.projects.get
resourcemanager.projects.list
servicenetworking.services.get
serviceusage.quotas.get
serviceusage.services.get
serviceusage.services.list
Compute Network Viewer
(roles/compute.networkViewer)
Read-only access to all networking resources
For example, if you have software that inspects your network
configuration, you could grant this role to that software's
service account.
Lowest-level resources where you can grant this role:
Compute Organization Firewall Policy Admin
(roles/compute.orgFirewallPolicyAdmin)
Full control of Compute Engine Organization Firewall Policies.
compute.firewallPolicies.cloneRules
compute.firewallPolicies.create
compute.firewallPolicies.createTagBinding
compute.firewallPolicies.delete
compute.firewallPolicies.deleteTagBinding
compute.firewallPolicies.get
compute.firewallPolicies.getIamPolicy
compute.firewallPolicies.list
compute.firewallPolicies.listEffectiveTags
compute.firewallPolicies.listTagBindings
compute.firewallPolicies.move
compute.firewallPolicies.setIamPolicy
compute.firewallPolicies.update
compute.firewallPolicies.use
compute.globalOperations.get
compute.globalOperations.getIamPolicy
compute.globalOperations.list
compute.globalOperations.setIamPolicy
compute.projects.get
compute.regionFirewallPolicies.*
compute.regionOperations.get
compute.regionOperations.getIamPolicy
compute.regionOperations.list
compute.regionOperations.setIamPolicy
resourcemanager.projects.get
resourcemanager.projects.list
serviceusage.quotas.get
serviceusage.services.get
serviceusage.services.list
Compute Organization Firewall Policy User
(roles/compute.orgFirewallPolicyUser)
View or use Compute Engine Firewall Policies to associate with the organization or folders.
compute.firewallPolicies.get
compute.firewallPolicies.list
compute.firewallPolicies.listEffectiveTags
compute.firewallPolicies.listTagBindings
compute.firewallPolicies.use
compute.globalOperations.get
compute.globalOperations.getIamPolicy
compute.globalOperations.list
compute.projects.get
compute.regionFirewallPolicies.get
compute.regionFirewallPolicies.list
compute.regionFirewallPolicies.listEffectiveTags
compute.regionFirewallPolicies.listTagBindings
compute.regionFirewallPolicies.use
compute.regionOperations.get
compute.regionOperations.getIamPolicy
compute.regionOperations.list
resourcemanager.projects.get
resourcemanager.projects.list
serviceusage.quotas.get
serviceusage.services.get
serviceusage.services.list
Compute Organization Security Policy Admin
(roles/compute.orgSecurityPolicyAdmin)
Full control of Compute Engine Organization Security Policies.
compute.firewallPolicies.*
compute.globalOperations.get
compute.globalOperations.getIamPolicy
compute.globalOperations.list
compute.globalOperations.setIamPolicy
compute.projects.get
compute.securityPolicies.addAssociation
compute.securityPolicies.copyRules
compute.securityPolicies.create
compute.securityPolicies.createTagBinding
compute.securityPolicies.delete
compute.securityPolicies.deleteTagBinding
compute.securityPolicies.get
compute.securityPolicies.getIamPolicy
compute.securityPolicies.list
compute.securityPolicies.listEffectiveTags
compute.securityPolicies.listTagBindings
compute.securityPolicies.move
compute.securityPolicies.removeAssociation
compute.securityPolicies.setIamPolicy
compute.securityPolicies.update
compute.securityPolicies.use
resourcemanager.projects.get
resourcemanager.projects.list
serviceusage.quotas.get
serviceusage.services.get
serviceusage.services.list
Compute Organization Security Policy User
(roles/compute.orgSecurityPolicyUser)
View or use Compute Engine Security Policies to associate with the organization or folders.
compute.firewallPolicies.addAssociation
compute.firewallPolicies.get
compute.firewallPolicies.list
compute.firewallPolicies.listEffectiveTags
compute.firewallPolicies.listTagBindings
compute.firewallPolicies.removeAssociation
compute.firewallPolicies.use
compute.globalOperations.get
compute.globalOperations.getIamPolicy
compute.globalOperations.list
compute.globalOperations.setIamPolicy
compute.projects.get
compute.securityPolicies.addAssociation
compute.securityPolicies.get
compute.securityPolicies.list
compute.securityPolicies.listEffectiveTags
compute.securityPolicies.listTagBindings
compute.securityPolicies.removeAssociation
compute.securityPolicies.use
resourcemanager.projects.get
resourcemanager.projects.list
serviceusage.quotas.get
serviceusage.services.get
serviceusage.services.list
Compute Organization Resource Admin
(roles/compute.orgSecurityResourceAdmin)
Full control of Compute Engine Firewall Policy associations to the organization or folders.
compute.globalOperations.get
compute.globalOperations.getIamPolicy
compute.globalOperations.list
compute.globalOperations.setIamPolicy
compute.organizations.listAssociations
compute.organizations.setFirewallPolicy
compute.organizations.setSecurityPolicy
compute.projects.get
resourcemanager.projects.get
resourcemanager.projects.list
serviceusage.quotas.get
serviceusage.services.get
serviceusage.services.list
Compute OS Admin Login
(roles/compute.osAdminLogin)
Access to log in to a Compute Engine instance as an administrator
user.
Lowest-level resources where you can grant this role:
Instance (Beta)
compute.disks.listEffectiveTags
compute.disks.listTagBindings
compute.images.listEffectiveTags
compute.images.listTagBindings
compute.instanceSettings.get
compute.instances.get
compute.instances.list
compute.instances.listEffectiveTags
compute.instances.listTagBindings
compute.instances.osAdminLogin
compute.instances.osLogin
compute.projects.get
compute.snapshots.listEffectiveTags
compute.snapshots.listTagBindings
resourcemanager.projects.get
resourcemanager.projects.list
serviceusage.quotas.get
serviceusage.services.get
serviceusage.services.list
Compute OS Login
(roles/compute.osLogin)
Access to log in to a Compute Engine instance as a standard user.
Lowest-level resources where you can grant this role:
Instance (Beta)
compute.disks.listEffectiveTags
compute.disks.listTagBindings
compute.images.listEffectiveTags
compute.images.listTagBindings
compute.instanceSettings.get
compute.instances.get
compute.instances.list
compute.instances.listEffectiveTags
compute.instances.listTagBindings
compute.instances.osLogin
compute.projects.get
compute.snapshots.listEffectiveTags
compute.snapshots.listTagBindings
resourcemanager.projects.get
resourcemanager.projects.list
serviceusage.quotas.get
serviceusage.services.get
serviceusage.services.list
Compute OS Login External User
(roles/compute.osLoginExternalUser)
Available only at the organization level.
Access for an external user to set OS Login information associated with
this organization. This role does not grant access to instances. External
users must also be granted one of the required OS Login roles before they
can access instances using SSH.
Lowest-level resources where you can grant this role:
Organization
compute.oslogin.updateExternalUser
Compute packet mirroring admin
(roles/compute.packetMirroringAdmin)
Specify resources to be mirrored.
compute.instances.updateSecurity
compute.networks.mirror
compute.projects.get
compute.subnetworks.mirror
resourcemanager.projects.get
resourcemanager.projects.list
serviceusage.quotas.get
serviceusage.services.get
serviceusage.services.list
Compute packet mirroring user
(roles/compute.packetMirroringUser)
Use Compute Engine packet mirrorings.
compute.packetMirrorings.*
compute.projects.get
resourcemanager.projects.get
resourcemanager.projects.list
serviceusage.quotas.get
serviceusage.services.get
serviceusage.services.list
Compute Public IP Admin
(roles/compute.publicIpAdmin)
Full control of public IP address management for Compute Engine.
compute.addresses.*
compute.globalAddresses.*
compute.globalPublicDelegatedPrefixes.*
compute.publicAdvertisedPrefixes.*
compute.publicDelegatedPrefixes.*
resourcemanager.projects.get
resourcemanager.projects.list
Compute Security Admin
(roles/compute.securityAdmin)
Permissions to create, modify, and delete firewall rules and SSL
certificates, and also to
configure Shielded VM
settings.
For example, if your company has a security team that manages firewalls
and SSL certificates and a networking team that manages the rest of the
networking resources, then grant this role to the security team's group.
Lowest-level resources where you can grant this role:
Compute Storage Admin
(roles/compute.storageAdmin)
Permissions to create, modify, and delete disks, images, and snapshots.
For example, if your company has someone who manages project images and
you don't want them to have the editor role on the project, then grant
this role to their account on the project.
Lowest-level resources where you can grant this role:
Disk
Image
Snapshot (Beta)
compute.diskTypes.*
compute.disks.*
compute.globalOperations.get
compute.globalOperations.list
compute.images.*
compute.instanceSettings.get
compute.instantSnapshots.*
compute.licenseCodes.*
compute.licenses.*
compute.projects.get
compute.regionOperations.get
compute.regionOperations.list
compute.regions.*
compute.resourcePolicies.*
compute.snapshots.*
compute.storagePools.*
compute.zoneOperations.get
compute.zoneOperations.list
compute.zones.*
resourcemanager.projects.get
resourcemanager.projects.list
serviceusage.quotas.get
serviceusage.services.get
serviceusage.services.list
Compute Viewer
(roles/compute.viewer)
Read-only access to get and list Compute Engine resources, without
being able to read the data stored on them.
For example, an account with this role could inventory all of the disks in
a project, but it could not read any of the data on those disks.
Lowest-level resources where you can grant this role:
Compute Shared VPC Admin
(roles/compute.xpnAdmin)
Permissions to administer shared VPC host projects, specifically enabling the
host projects and associating shared VPC service projects to the host
project's network.
At the organization level, this role can only be granted by an organization admin.
Google Cloud recommends that the Shared VPC Admin be the owner of the shared VPC host project. The
Shared VPC Admin is responsible for granting the Compute Network User role
(roles/compute.networkUser) to service owners, and the shared VPC host project owner
controls the project itself. Managing the project is easier if a single principal (individual or
group) can fulfill both roles.
Lowest-level resources where you can grant this role:
Container Analysis Notes Occurrences Viewer
(roles/containeranalysis.notes.occurrences.viewer)
Can view all Container Analysis Occurrences attached to a Note.
containeranalysis.notes.get
containeranalysis.notes.listOccurrences
Container Analysis Notes Viewer
(roles/containeranalysis.notes.viewer)
Can view Container Analysis Notes.
containeranalysis.notes.get
containeranalysis.notes.list
resourcemanager.projects.get
resourcemanager.projects.list
Container Analysis Occurrences Editor
(roles/containeranalysis.occurrences.editor)
Can edit Container Analysis Occurrences.
containeranalysis.occurrences.create
containeranalysis.occurrences.delete
containeranalysis.occurrences.get
containeranalysis.occurrences.list
containeranalysis.occurrences.update
resourcemanager.projects.get
resourcemanager.projects.list
Container Analysis Occurrences Viewer
(roles/containeranalysis.occurrences.viewer)
Can view Container Analysis Occurrences.
containeranalysis.occurrences.get
containeranalysis.occurrences.list
resourcemanager.projects.get
resourcemanager.projects.list
Data Catalog roles
Permissions
Data Catalog Admin
(roles/datacatalog.admin)
Full access to all DataCatalog resources
bigquery.connections.get
bigquery.connections.updateTag
bigquery.datasets.get
bigquery.datasets.updateTag
bigquery.models.getMetadata
bigquery.models.updateTag
bigquery.routines.get
bigquery.routines.updateTag
bigquery.tables.get
bigquery.tables.updateTag
datacatalog.catalogs.searchAll
datacatalog.categories.getIamPolicy
datacatalog.categories.setIamPolicy
datacatalog.entries.*
datacatalog.entryGroups.*
datacatalog.operations.list
datacatalog.relationships.*
datacatalog.tagTemplates.*
datacatalog.taxonomies.*
pubsub.topics.get
pubsub.topics.updateTag
resourcemanager.projects.get
resourcemanager.projects.list
Policy Tag Admin
(roles/datacatalog.categoryAdmin)
Manage taxonomies
datacatalog.categories.getIamPolicy
datacatalog.categories.setIamPolicy
datacatalog.taxonomies.*
resourcemanager.projects.get
resourcemanager.projects.list
Fine-Grained Reader
(roles/datacatalog.categoryFineGrainedReader)
Read access to sub-resources tagged by a policy tag, for example, BigQuery columns
datacatalog.categories.fineGrainedGet
DataCatalog Data Steward
Beta
(roles/datacatalog.dataSteward)
Can update overview and data steward fields
datacatalog.entries.get
datacatalog.entries.list
datacatalog.entries.updateContacts
datacatalog.entries.updateOverview
datacatalog.entryGroups.get
datacatalog.relationships.list
resourcemanager.projects.get
resourcemanager.projects.list
DataCatalog EntryGroup Creator
(roles/datacatalog.entryGroupCreator)
Can create new entryGroups
datacatalog.entryGroups.create
datacatalog.entryGroups.get
datacatalog.entryGroups.list
resourcemanager.projects.get
resourcemanager.projects.list
DataCatalog EntryGroup Owner
(roles/datacatalog.entryGroupOwner)
Full access to entryGroups
datacatalog.entries.*
datacatalog.entryGroups.*
resourcemanager.projects.get
resourcemanager.projects.list
DataCatalog Entry Owner
(roles/datacatalog.entryOwner)
Full access to entries
datacatalog.entries.*
datacatalog.entryGroups.get
resourcemanager.projects.get
resourcemanager.projects.list
DataCatalog Entry Viewer
(roles/datacatalog.entryViewer)
Read access to entries
datacatalog.entries.get
datacatalog.entries.list
datacatalog.entryGroups.get
datacatalog.relationships.list
resourcemanager.projects.get
resourcemanager.projects.list
DataCatalog Glossary Owner
Beta
(roles/datacatalog.glossaryOwner)
Full access to glossaries
datacatalog.entries.*
datacatalog.relationships.*
DataCatalog Glossary User
Beta
(roles/datacatalog.glossaryUser)
Can view glossaries and associate terms to entries
datacatalog.entries.get
datacatalog.entries.list
datacatalog.relationships.*
DataCatalog Search Admin
Beta
(roles/datacatalog.searchAdmin)
Can search all metadata for a project/org in DataCatalog
datacatalog.catalogs.searchAll
resourcemanager.organizations.get
resourcemanager.projects.get
resourcemanager.projects.list
Data Catalog Tag Editor
(roles/datacatalog.tagEditor)
Access to modify metadata tags for entries, as well as BigQuery and Pub/Sub data assets
bigquery.connections.updateTag
bigquery.datasets.updateTag
bigquery.models.updateTag
bigquery.routines.updateTag
bigquery.tables.updateTag
datacatalog.entries.updateTag
datacatalog.entryGroups.updateTag
pubsub.topics.updateTag
Data Catalog TagTemplate Creator
(roles/datacatalog.tagTemplateCreator)
Access to create new tag templates
datacatalog.tagTemplates.create
datacatalog.tagTemplates.get
Data Catalog TagTemplate Owner
(roles/datacatalog.tagTemplateOwner)
Full access to tag templates
datacatalog.tagTemplates.*
resourcemanager.projects.get
resourcemanager.projects.list
Data Catalog TagTemplate User
(roles/datacatalog.tagTemplateUser)
Access to apply a tag template to an entry (to modify tags, see Data Catalog Tag Editor)
datacatalog.tagTemplates.get
datacatalog.tagTemplates.getTag
datacatalog.tagTemplates.use
resourcemanager.projects.get
resourcemanager.projects.list
Data Catalog TagTemplate Viewer
(roles/datacatalog.tagTemplateViewer)
Read access to templates and tags created using the templates
datacatalog.tagTemplates.get
datacatalog.tagTemplates.getTag
resourcemanager.projects.get
resourcemanager.projects.list
Data Catalog Viewer
(roles/datacatalog.viewer)
Provides metadata read access to catalogued Google Cloud assets for BigQuery and Pub/Sub
bigquery.connections.get
bigquery.datasets.get
bigquery.models.getMetadata
bigquery.routines.get
bigquery.tables.get
datacatalog.entries.get
datacatalog.entries.list
datacatalog.entryGroups.get
datacatalog.entryGroups.list
datacatalog.operations.list
datacatalog.relationships.list
datacatalog.tagTemplates.get
datacatalog.tagTemplates.getTag
datacatalog.taxonomies.get
datacatalog.taxonomies.list
pubsub.topics.get
resourcemanager.projects.get
resourcemanager.projects.list
Data Connectors roles
Permissions
Connector Admin
Beta
(roles/dataconnectors.connectorAdmin)
Full access to Data Connectors.
dataconnectors.*
resourcemanager.projects.get
resourcemanager.projects.list
Connector User
Beta
(roles/dataconnectors.connectorUser)
Access to use Data Connectors.
dataconnectors.connectors.get
dataconnectors.connectors.getIamPolicy
dataconnectors.connectors.list
dataconnectors.connectors.use
Data Migration roles
Permissions
Database Migration Admin
(roles/datamigration.admin)
Full access to all resources of Database Migration.
cloudaicompanion.entitlements.get
datamigration.*
resourcemanager.projects.get
resourcemanager.projects.list
Data Pipelines roles
Permissions
Data pipelines Admin
(roles/datapipelines.admin)
Administrator of Data pipelines resources
datapipelines.*
resourcemanager.projects.get
resourcemanager.projects.list
Data pipelines Invoker
(roles/datapipelines.invoker)
Invoker of Data pipelines jobs
datapipelines.pipelines.run
resourcemanager.projects.get
resourcemanager.projects.list
Data pipelines Viewer
(roles/datapipelines.viewer)
Viewer of Data pipelines resources
datapipelines.jobs.list
datapipelines.pipelines.get
datapipelines.pipelines.list
resourcemanager.projects.get
resourcemanager.projects.list
Data Studio roles
Permissions
Data Studio Admin
Beta
(roles/datastudio.admin)
Data Studio Admin
datastudio.*
resourcemanager.projects.get
resourcemanager.projects.list
Data Studio Workspace Content Manager
Beta
(roles/datastudio.contentManager)
Content Manager of a Data Studio resource
datastudio.datasources.get
datastudio.datasources.getIamPolicy
datastudio.datasources.move
datastudio.datasources.restoreTrash
datastudio.datasources.search
datastudio.datasources.settingsShare
datastudio.datasources.share
datastudio.datasources.trash
datastudio.datasources.update
datastudio.reports.get
datastudio.reports.getIamPolicy
datastudio.reports.move
datastudio.reports.restoreTrash
datastudio.reports.search
datastudio.reports.settingsShare
datastudio.reports.share
datastudio.reports.trash
datastudio.reports.update
datastudio.workspaces.createUnder
datastudio.workspaces.get
datastudio.workspaces.getIamPolicy
datastudio.workspaces.moveIn
datastudio.workspaces.search
resourcemanager.projects.get
resourcemanager.projects.getIamPolicy
Data Studio Workspace Contributor
Beta
(roles/datastudio.contributor)
Contributor of a Data Studio resource
datastudio.datasources.get
datastudio.datasources.getIamPolicy
datastudio.datasources.restoreTrash
datastudio.datasources.search
datastudio.datasources.settingsShare
datastudio.datasources.share
datastudio.datasources.update
datastudio.reports.get
datastudio.reports.getIamPolicy
datastudio.reports.restoreTrash
datastudio.reports.search
datastudio.reports.settingsShare
datastudio.reports.share
datastudio.reports.update
datastudio.workspaces.createUnder
datastudio.workspaces.get
datastudio.workspaces.getIamPolicy
datastudio.workspaces.moveIn
datastudio.workspaces.search
resourcemanager.projects.get
resourcemanager.projects.getIamPolicy
Data Studio Asset Editor
Beta
(roles/datastudio.editor)
Editor of a Data Studio resource
datastudio.datasources.get
datastudio.datasources.getIamPolicy
datastudio.datasources.search
datastudio.datasources.update
datastudio.reports.get
datastudio.reports.getIamPolicy
datastudio.reports.search
datastudio.reports.update
resourcemanager.projects.get
resourcemanager.projects.getIamPolicy
Data Studio Workspace Manager
Beta
(roles/datastudio.manager)
Manager of a Data Studio resource
datastudio.*
resourcemanager.projects.get
resourcemanager.projects.getIamPolicy
Data Studio Asset Viewer
Beta
(roles/datastudio.viewer)
Viewer of a Data Studio resource
datastudio.datasources.get
datastudio.datasources.search
datastudio.reports.get
datastudio.reports.search
resourcemanager.projects.get
Looker Studio Pro Manager
Beta
(roles/lookerstudio.proManager)
Looker Studio Pro Manager
lookerstudio.pro.manage
resourcemanager.projects.get
resourcemanager.projects.list
resourcemanager.projects.updateLiens
Dataflow roles
Permissions
Dataflow Admin
(roles/dataflow.admin)
Minimal role for creating and managing Dataflow jobs.
cloudbuild.builds.create
cloudbuild.builds.get
cloudbuild.builds.list
cloudbuild.builds.update
cloudbuild.operations.*
compute.machineTypes.get
compute.projects.get
compute.regions.list
compute.zones.list
dataflow.jobs.*
dataflow.messages.list
dataflow.metrics.get
dataflow.snapshots.*
recommender.dataflowDiagnosticsInsights.*
remotebuildexecution.blobs.get
resourcemanager.projects.get
resourcemanager.projects.list
storage.buckets.get
storage.objects.create
storage.objects.get
storage.objects.list
Dataflow Developer
(roles/dataflow.developer)
Provides the permissions necessary to execute and manipulate Dataflow jobs.
Lowest-level resources where you can grant this role:
Project
cloudbuild.builds.create
cloudbuild.builds.get
cloudbuild.builds.list
cloudbuild.builds.update
cloudbuild.operations.*
compute.projects.get
compute.regions.list
compute.zones.list
dataflow.jobs.*
dataflow.messages.list
dataflow.metrics.get
dataflow.snapshots.*
recommender.dataflowDiagnosticsInsights.*
remotebuildexecution.blobs.get
resourcemanager.projects.get
resourcemanager.projects.list
Dataflow Viewer
(roles/dataflow.viewer)
Provides read-only access to all Dataflow-related resources.
Lowest-level resources where you can grant this role:
Project
dataflow.jobs.get
dataflow.jobs.list
dataflow.messages.list
dataflow.metrics.get
dataflow.snapshots.get
dataflow.snapshots.list
recommender.dataflowDiagnosticsInsights.get
recommender.dataflowDiagnosticsInsights.list
resourcemanager.projects.get
resourcemanager.projects.list
Dataflow Worker
(roles/dataflow.worker)
Provides the permissions necessary for a Compute Engine service account to execute work units for a Dataflow pipeline.
Lowest-level resources where you can grant this role:
Project
autoscaling.sites.readRecommendations
autoscaling.sites.writeMetrics
autoscaling.sites.writeState
compute.instanceGroupManagers.update
compute.instances.delete
compute.instances.setDiskAutoDelete
dataflow.jobs.get
dataflow.shuffle.*
dataflow.streamingWorkItems.*
dataflow.workItems.*
logging.logEntries.create
logging.logEntries.route
monitoring.timeSeries.create
storage.buckets.get
storage.objects.create
storage.objects.get
Dataform roles
Permissions
Dataform Admin
(roles/dataform.admin)
Full access to all Dataform resources.
dataform.*
resourcemanager.projects.get
resourcemanager.projects.list
Code Creator
Beta
(roles/dataform.codeCreator)
Access only to private and shared code resources. The permissions in the Code Creator role let you create and list code in Dataform, and access only the code that you created and code that was explicitly shared with you.
dataform.locations.*
dataform.repositories.create
dataform.repositories.list
resourcemanager.projects.get
resourcemanager.projects.list
Code Editor
Beta
(roles/dataform.codeEditor)
Edit access to code resources.
dataform.locations.*
dataform.repositories.commit
dataform.repositories.computeAccessTokenStatus
dataform.repositories.create
dataform.repositories.fetchHistory
dataform.repositories.fetchRemoteBranches
dataform.repositories.get
dataform.repositories.getIamPolicy
dataform.repositories.list
dataform.repositories.queryDirectoryContents
dataform.repositories.readFile
dataform.workspaces.commit
dataform.workspaces.create
dataform.workspaces.delete
dataform.workspaces.fetchFileDiff
dataform.workspaces.fetchFileGitStatuses
dataform.workspaces.fetchGitAheadBehind
dataform.workspaces.get
dataform.workspaces.getIamPolicy
dataform.workspaces.installNpmPackages
dataform.workspaces.list
dataform.workspaces.makeDirectory
dataform.workspaces.moveDirectory
dataform.workspaces.moveFile
dataform.workspaces.pull
dataform.workspaces.push
dataform.workspaces.queryDirectoryContents
dataform.workspaces.readFile
dataform.workspaces.removeDirectory
dataform.workspaces.removeFile
dataform.workspaces.reset
dataform.workspaces.searchFiles
dataform.workspaces.writeFile
resourcemanager.projects.get
resourcemanager.projects.list
Code Owner
Beta
(roles/dataform.codeOwner)
Full access to code resources.
dataform.locations.*
dataform.repositories.*
dataform.workspaces.*
resourcemanager.projects.get
resourcemanager.projects.list
Code Viewer
Beta
(roles/dataform.codeViewer)
Read-only access to all code resources.
dataform.locations.*
dataform.repositories.computeAccessTokenStatus
dataform.repositories.fetchHistory
dataform.repositories.fetchRemoteBranches
dataform.repositories.get
dataform.repositories.getIamPolicy
dataform.repositories.list
dataform.repositories.queryDirectoryContents
dataform.repositories.readFile
dataform.workspaces.fetchFileDiff
dataform.workspaces.fetchFileGitStatuses
dataform.workspaces.fetchGitAheadBehind
dataform.workspaces.get
dataform.workspaces.getIamPolicy
dataform.workspaces.list
dataform.workspaces.queryDirectoryContents
dataform.workspaces.readFile
dataform.workspaces.searchFiles
resourcemanager.projects.get
resourcemanager.projects.list
Dataform Editor
(roles/dataform.editor)
Edit access to workspaces and read-only access to repositories.
dataform.compilationResults.*
dataform.locations.*
dataform.releaseConfigs.get
dataform.releaseConfigs.list
dataform.repositories.computeAccessTokenStatus
dataform.repositories.fetchHistory
dataform.repositories.fetchRemoteBranches
dataform.repositories.get
dataform.repositories.getIamPolicy
dataform.repositories.list
dataform.repositories.queryDirectoryContents
dataform.repositories.readFile
dataform.workflowConfigs.get
dataform.workflowConfigs.list
dataform.workflowInvocations.*
dataform.workspaces.commit
dataform.workspaces.create
dataform.workspaces.delete
dataform.workspaces.fetchFileDiff
dataform.workspaces.fetchFileGitStatuses
dataform.workspaces.fetchGitAheadBehind
dataform.workspaces.get
dataform.workspaces.getIamPolicy
dataform.workspaces.installNpmPackages
dataform.workspaces.list
dataform.workspaces.makeDirectory
dataform.workspaces.moveDirectory
dataform.workspaces.moveFile
dataform.workspaces.pull
dataform.workspaces.push
dataform.workspaces.queryDirectoryContents
dataform.workspaces.readFile
dataform.workspaces.removeDirectory
dataform.workspaces.removeFile
dataform.workspaces.reset
dataform.workspaces.searchFiles
dataform.workspaces.writeFile
resourcemanager.projects.get
resourcemanager.projects.list
Dataform Viewer
(roles/dataform.viewer)
Read-only access to all Dataform resources.
dataform.compilationResults.get
dataform.compilationResults.list
dataform.compilationResults.query
dataform.locations.*
dataform.releaseConfigs.get
dataform.releaseConfigs.list
dataform.repositories.computeAccessTokenStatus
dataform.repositories.fetchHistory
dataform.repositories.fetchRemoteBranches
dataform.repositories.get
dataform.repositories.getIamPolicy
dataform.repositories.list
dataform.repositories.queryDirectoryContents
dataform.repositories.readFile
dataform.workflowConfigs.get
dataform.workflowConfigs.list
dataform.workflowInvocations.get
dataform.workflowInvocations.list
dataform.workflowInvocations.query
dataform.workspaces.fetchFileDiff
dataform.workspaces.fetchFileGitStatuses
dataform.workspaces.fetchGitAheadBehind
dataform.workspaces.get
dataform.workspaces.getIamPolicy
dataform.workspaces.list
dataform.workspaces.queryDirectoryContents
dataform.workspaces.readFile
dataform.workspaces.searchFiles
resourcemanager.projects.get
resourcemanager.projects.list
Dataprep roles
Permissions
Dataprep User
Beta
(roles/dataprep.projects.user)
Use of Dataprep.
dataprep.projects.use
resourcemanager.projects.get
serviceusage.quotas.get
serviceusage.services.get
serviceusage.services.list
Dataproc roles
Permissions
Dataproc Administrator
(roles/dataproc.admin)
Full control of Dataproc resources.
compute.machineTypes.*
compute.networks.get
compute.networks.list
compute.projects.get
compute.regions.*
compute.zones.*
dataproc.autoscalingPolicies.*
dataproc.batches.*
dataproc.clusters.*
dataproc.jobs.*
dataproc.nodeGroups.*
dataproc.operations.*
dataproc.sessionTemplates.*
dataproc.sessions.*
dataproc.workflowTemplates.*
resourcemanager.projects.get
resourcemanager.projects.list
Dataproc Editor
(roles/dataproc.editor)
Provides the permissions necessary for viewing the resources required to manage Dataproc, including machine types, networks, projects, and zones.
Lowest-level resources where you can grant this role:
Cluster
compute.machineTypes.*
compute.networks.get
compute.networks.list
compute.projects.get
compute.regions.*
compute.zones.*
dataproc.autoscalingPolicies.create
dataproc.autoscalingPolicies.delete
dataproc.autoscalingPolicies.get
dataproc.autoscalingPolicies.list
dataproc.autoscalingPolicies.update
dataproc.autoscalingPolicies.use
dataproc.batches.*
dataproc.clusters.create
dataproc.clusters.delete
dataproc.clusters.get
dataproc.clusters.list
dataproc.clusters.start
dataproc.clusters.stop
dataproc.clusters.update
dataproc.clusters.use
dataproc.jobs.cancel
dataproc.jobs.create
dataproc.jobs.delete
dataproc.jobs.get
dataproc.jobs.list
dataproc.jobs.update
dataproc.nodeGroups.*
dataproc.operations.cancel
dataproc.operations.delete
dataproc.operations.get
dataproc.operations.list
dataproc.sessionTemplates.*
dataproc.sessions.*
dataproc.workflowTemplates.create
dataproc.workflowTemplates.delete
dataproc.workflowTemplates.get
dataproc.workflowTemplates.instantiate
dataproc.workflowTemplates.instantiateInline
dataproc.workflowTemplates.list
dataproc.workflowTemplates.update
resourcemanager.projects.get
resourcemanager.projects.list
Dataproc Hub Agent
(roles/dataproc.hubAgent)
Allows management of Dataproc resources. Intended for service accounts running Dataproc Hub instances.
compute.instances.get
compute.instances.setMetadata
compute.instances.setTags
compute.zoneOperations.get
compute.zones.list
dataproc.autoscalingPolicies.get
dataproc.autoscalingPolicies.list
dataproc.autoscalingPolicies.use
dataproc.clusters.create
dataproc.clusters.delete
dataproc.clusters.get
dataproc.clusters.list
dataproc.clusters.update
dataproc.operations.cancel
dataproc.operations.delete
dataproc.operations.get
dataproc.operations.list
iam.serviceAccounts.actAs
iam.serviceAccounts.get
iam.serviceAccounts.list
logging.buckets.get
logging.buckets.list
logging.exclusions.get
logging.exclusions.list
logging.links.get
logging.links.list
logging.locations.*
logging.logEntries.create
logging.logEntries.list
logging.logEntries.route
logging.logMetrics.get
logging.logMetrics.list
logging.logServiceIndexes.list
logging.logServices.list
logging.logs.list
logging.operations.get
logging.operations.list
logging.queries.create
logging.queries.delete
logging.queries.get
logging.queries.list
logging.queries.listShared
logging.queries.update
logging.sinks.get
logging.sinks.list
logging.usage.get
logging.views.get
logging.views.list
resourcemanager.projects.get
resourcemanager.projects.list
storage.buckets.get
storage.objects.get
storage.objects.list
Dataproc Viewer
(roles/dataproc.viewer)
Provides read-only access to Dataproc resources.
Lowest-level resources where you can grant this role:
Cluster
compute.machineTypes.get
compute.regions.*
compute.zones.*
dataproc.autoscalingPolicies.get
dataproc.autoscalingPolicies.list
dataproc.batches.get
dataproc.batches.list
dataproc.clusters.get
dataproc.clusters.list
dataproc.jobs.get
dataproc.jobs.list
dataproc.nodeGroups.get
dataproc.operations.get
dataproc.operations.list
dataproc.sessionTemplates.get
dataproc.sessionTemplates.list
dataproc.sessions.get
dataproc.sessions.list
dataproc.workflowTemplates.get
dataproc.workflowTemplates.list
resourcemanager.projects.get
resourcemanager.projects.list
Dataproc Worker
(roles/dataproc.worker)
Provides worker access to Dataproc resources. Intended for service accounts.
dataproc.agents.*
dataproc.tasks.*
logging.logEntries.create
logging.logEntries.route
monitoring.metricDescriptors.create
monitoring.metricDescriptors.get
monitoring.metricDescriptors.list
monitoring.monitoredResourceDescriptors.*
monitoring.timeSeries.create
storage.buckets.get
storage.managedFolders.create
storage.managedFolders.delete
storage.managedFolders.get
storage.managedFolders.list
storage.multipartUploads.*
storage.objects.*
Dataproc Metastore roles
Permissions
Dataproc Metastore Admin
(roles/metastore.admin)
Full access to all Dataproc Metastore resources.
metastore.backups.*
metastore.federations.*
metastore.imports.*
metastore.locations.*
metastore.migrations.*
metastore.operations.*
metastore.services.create
metastore.services.delete
metastore.services.export
metastore.services.get
metastore.services.getIamPolicy
metastore.services.list
metastore.services.restore
metastore.services.setIamPolicy
metastore.services.update
resourcemanager.projects.get
resourcemanager.projects.list
Dataproc Metastore Editor
(roles/metastore.editor)
Read and write access to all Dataproc Metastore resources.
metastore.backups.create
metastore.backups.delete
metastore.backups.get
metastore.backups.list
metastore.backups.use
metastore.federations.create
metastore.federations.delete
metastore.federations.get
metastore.federations.list
metastore.federations.update
metastore.imports.*
metastore.locations.*
metastore.migrations.*
metastore.operations.*
metastore.services.create
metastore.services.delete
metastore.services.export
metastore.services.get
metastore.services.getIamPolicy
metastore.services.list
metastore.services.restore
metastore.services.update
resourcemanager.projects.get
resourcemanager.projects.list
Metastore Federation Accessor
(roles/metastore.federationAccessor)
Access to the Metastore Federation resource.
metastore.federations.use
Dataproc Metastore Metadata Editor
(roles/metastore.metadataEditor)
Access to read and modify the metadata of databases and tables under those databases.
metastore.databases.create
metastore.databases.delete
metastore.databases.get
metastore.databases.getIamPolicy
metastore.databases.list
metastore.databases.update
metastore.services.get
metastore.services.use
metastore.tables.create
metastore.tables.delete
metastore.tables.get
metastore.tables.getIamPolicy
metastore.tables.list
metastore.tables.update
Dataproc Metastore Metadata Mutate Admin
(roles/metastore.metadataMutateAdmin)
Access to mutate metadata from a Dataproc Metastore service's underlying metadata store.
metastore.services.mutateMetadata
Dataproc Metastore Metadata Operator
(roles/metastore.metadataOperator)
Read-only access to Dataproc Metastore resources with additional metadata operations permission.
metastore.backups.create
metastore.backups.delete
metastore.backups.get
metastore.backups.list
metastore.backups.use
metastore.imports.*
metastore.locations.*
metastore.operations.get
metastore.operations.list
metastore.services.export
metastore.services.get
metastore.services.getIamPolicy
metastore.services.list
metastore.services.restore
resourcemanager.projects.get
resourcemanager.projects.list
Dataproc Metastore Data Owner
(roles/metastore.metadataOwner)
Full access to the metadata of databases and tables under those databases.
metastore.databases.*
metastore.services.get
metastore.services.getIamPolicy
metastore.services.list
metastore.services.use
metastore.tables.*
Dataproc Metastore Metadata Query Admin
(roles/metastore.metadataQueryAdmin)
Access to query metadata from a Dataproc Metastore service's underlying metadata store.
metastore.services.queryMetadata
Dataproc Metastore Metadata User
(roles/metastore.metadataUser)
Access to the Dataproc Metastore gRPC endpoint.
metastore.databases.get
metastore.databases.list
metastore.services.get
metastore.services.use
Dataproc Metastore Metadata Viewer
(roles/metastore.metadataViewer)
Access to read the metadata of databases and tables under those databases.
metastore.databases.get
metastore.databases.getIamPolicy
metastore.databases.list
metastore.services.get
metastore.services.use
metastore.tables.get
metastore.tables.getIamPolicy
metastore.tables.list
Dataproc Metastore Managed Migration Admin
Beta
(roles/metastore.migrationAdmin)
Access to Dataproc Metastore Managed Migration resources and workflow.
cloudsql.instances.connect
cloudsql.instances.get
cloudsql.instances.login
compute.autoscalers.create
compute.autoscalers.delete
compute.disks.create
compute.disks.delete
compute.forwardingRules.create
compute.forwardingRules.delete
compute.forwardingRules.use
compute.instanceGroupManagers.create
compute.instanceGroupManagers.delete
compute.instanceGroupManagers.use
compute.instanceGroups.delete
compute.instanceGroups.use
compute.instanceTemplates.create
compute.instanceTemplates.delete
compute.instanceTemplates.get
compute.instanceTemplates.useReadOnly
compute.instances.create
compute.instances.delete
compute.instances.get
compute.instances.setMetadata
compute.machineTypes.list
compute.regionBackendServices.create
compute.regionBackendServices.delete
compute.regionBackendServices.use
compute.regionHealthChecks.create
compute.regionHealthChecks.delete
compute.regionHealthChecks.useReadOnly
compute.serviceAttachments.create
compute.serviceAttachments.delete
compute.subnetworks.get
compute.subnetworks.use
compute.zones.list
datastream.connectionProfiles.create
datastream.connectionProfiles.delete
datastream.operations.get
datastream.privateConnections.create
datastream.privateConnections.delete
datastream.streams.create
datastream.streams.delete
datastream.streams.get
datastream.streams.update
Dataproc Metastore Viewer
(roles/metastore.user)
Read-only access to all Dataproc Metastore resources.
metastore.backups.get
metastore.backups.list
metastore.federations.get
metastore.federations.getIamPolicy
metastore.federations.list
metastore.imports.get
metastore.imports.list
metastore.locations.*
metastore.operations.get
metastore.operations.list
metastore.services.export
metastore.services.get
metastore.services.getIamPolicy
metastore.services.list
resourcemanager.projects.get
resourcemanager.projects.list
Datastore roles
Permissions
Cloud Datastore Backup Schedules Admin
(roles/datastore.backupSchedulesAdmin)
Manage backup schedules in Cloud Datastore.
datastore.backupSchedules.*
datastore.databases.getMetadata
datastore.databases.list
Cloud Datastore Backup Schedules Viewer
(roles/datastore.backupSchedulesViewer)
Read access to backup schedules in Cloud Datastore.
datastore.backupSchedules.get
datastore.backupSchedules.list
Cloud Datastore Backups Admin
(roles/datastore.backupsAdmin)
Read/write access to metadata about backups in Cloud Datastore; restore is not allowed.
datastore.backups.delete
datastore.backups.get
datastore.backups.list
Cloud Datastore Backups Viewer
(roles/datastore.backupsViewer)
Read access to metadata about backups in Cloud Datastore.
datastore.backups.get
datastore.backups.list
Cloud Datastore Import Export Admin
(roles/datastore.importExportAdmin)
Provides full access to manage imports and exports.
Lowest-level resources where you can grant this role:
Project
appengine.applications.get
datastore.databases.export
datastore.databases.getMetadata
datastore.databases.import
datastore.operations.cancel
datastore.operations.get
datastore.operations.list
resourcemanager.projects.get
resourcemanager.projects.list
Cloud Datastore Index Admin
(roles/datastore.indexAdmin)
Provides full access to manage index definitions.
Lowest-level resources where you can grant this role:
Project
appengine.applications.get
datastore.databases.getMetadata
datastore.indexes.*
resourcemanager.projects.get
resourcemanager.projects.list
Cloud Datastore Key Visualizer Viewer
(roles/datastore.keyVisualizerViewer)
Full access to Key Visualizer scans.
datastore.databases.getMetadata
datastore.keyVisualizerScans.*
resourcemanager.projects.get
resourcemanager.projects.list
Cloud Datastore Owner
(roles/datastore.owner)
Provides full access to Datastore resources.
Lowest-level resources where you can grant this role:
Project
appengine.applications.get
datastore.*
resourcemanager.projects.get
resourcemanager.projects.list
Cloud Datastore Restore Admin
(roles/datastore.restoreAdmin)
Restore into Cloud Datastore Databases from Cloud Datastore Backups.
datastore.backups.get
datastore.backups.list
datastore.backups.restoreDatabase
datastore.databases.create
datastore.databases.getMetadata
datastore.databases.list
datastore.operations.get
datastore.operations.list
Cloud Datastore User
(roles/datastore.user)
Provides read/write access to data in a Datastore database.
Lowest-level resources where you can grant this role:
Project
appengine.applications.get
datastore.databases.get
datastore.databases.getMetadata
datastore.databases.list
datastore.entities.*
datastore.indexes.list
datastore.namespaces.*
datastore.statistics.*
resourcemanager.projects.get
resourcemanager.projects.list
Cloud Datastore Viewer
(roles/datastore.viewer)
Provides read access to Datastore resources.
Lowest-level resources where you can grant this role:
Allows the Kubernetes Engine service account in the host project to configure shared network resources for cluster management. Also gives access to inspect the firewall rules in the host project.
compute.firewalls.get
container.hostServiceAgent.use
dns.networks.bindDNSResponsePolicy
dns.networks.bindPrivateDNSPolicy
dns.networks.bindPrivateDNSZone
dns.responsePolicies.*
dns.responsePolicyRules.*
Kubernetes Engine Viewer
(roles/container.viewer)
Provides read-only access to resources within GKE clusters, such as nodes, pods, and GKE API objects.
Lowest-level resources where you can grant this role:
Write-only access to resource metadata. This provides exactly the permissions needed by the Ops Config Monitoring metadata agent and other systems that send metadata.
opsconfigmonitoring.resourceMetadata.write
Organization Policy roles
Permissions
Access Transparency Admin
(roles/axt.admin)
Enables Access Transparency for an organization.
Lowest-level resources where you can grant this role:
Project
axt.*
resourcemanager.organizations.get
resourcemanager.projects.get
resourcemanager.projects.list
Organization Policy Administrator
(roles/orgpolicy.policyAdmin)
Provides access to define what restrictions an organization wants to place on the configuration of cloud resources by setting Organization Policies.
Lowest-level resources where you can grant this role:
Organization
orgpolicy.*
policysimulator.orgPolicyViolations.list
policysimulator.orgPolicyViolationsPreviews.*
Organization Policy Viewer
(roles/orgpolicy.policyViewer)
Provides access to view Organization Policies on resources.
Lowest-level resources where you can grant this role:
Project
orgpolicy.constraints.list
orgpolicy.customConstraints.get
orgpolicy.customConstraints.list
orgpolicy.policies.list
orgpolicy.policy.get
Other roles
Permissions
Advisory Notifications Admin
(roles/advisorynotifications.admin)
Grants write access to settings in Advisory Notifications
advisorynotifications.*
resourcemanager.organizations.get
resourcemanager.projects.get
Advisory Notifications Viewer
(roles/advisorynotifications.viewer)
Grants view access in Advisory Notifications
advisorynotifications.notifications.*
advisorynotifications.settings.get
resourcemanager.organizations.get
resourcemanager.projects.get
Cloud API Hub Admin
Beta
(roles/apihub.admin)
Full access to Cloud API Hub Registry and Runtime resources.
apihub.*
resourcemanager.projects.get
resourcemanager.projects.list
API hub attribute admin
Beta
(roles/apihub.attributeAdmin)
API hub attribute admin
apihub.attributes.*
resourcemanager.projects.get
resourcemanager.projects.list
Cloud API Hub Editor
Beta
(roles/apihub.editor)
Edit access to Cloud API Hub Registry resources.
apihub.apiHubInstances.get
apihub.apiHubInstances.list
apihub.apiOperations.*
apihub.apis.*
apihub.attributes.get
apihub.attributes.list
apihub.definitions.*
apihub.dependencies.*
apihub.deployments.*
apihub.externalApis.*
apihub.hostProjectRegistrations.get
apihub.hostProjectRegistrations.list
apihub.llmEnablements.*
apihub.locations.searchResources
apihub.plugins.get
apihub.plugins.list
apihub.runTimeProjectAttachments.get
apihub.runTimeProjectAttachments.list
apihub.specs.*
apihub.styleGuides.*
apihub.versions.*
resourcemanager.projects.get
resourcemanager.projects.list
API hub plugin admin
Beta
(roles/apihub.pluginAdmin)
API hub plugin admin
apihub.plugins.*
apihub.specs.lint
apihub.styleGuides.*
resourcemanager.projects.get
resourcemanager.projects.list
API hub all permissions related to provisioning
Beta
(roles/apihub.provisioningAdmin)
API hub all permissions related to provisioning
apihub.apiHubInstances.*
apihub.hostProjectRegistrations.*
apihub.runTimeProjectAttachments.*
resourcemanager.projects.get
resourcemanager.projects.list
API hub all resource viewer
Beta
(roles/apihub.viewer)
This role can view all resources in API hub.
apihub.apiHubInstances.get
apihub.apiHubInstances.list
apihub.apiOperations.get
apihub.apiOperations.list
apihub.apis.get
apihub.apis.list
apihub.attributes.get
apihub.attributes.list
apihub.definitions.get
apihub.definitions.list
apihub.dependencies.get
apihub.dependencies.list
apihub.deployments.get
apihub.deployments.list
apihub.externalApis.get
apihub.externalApis.list
apihub.hostProjectRegistrations.get
apihub.hostProjectRegistrations.list
apihub.llmEnablements.get
apihub.llmEnablements.list
apihub.locations.searchResources
apihub.plugins.get
apihub.plugins.list
apihub.runTimeProjectAttachments.get
apihub.runTimeProjectAttachments.list
apihub.specs.get
apihub.specs.list
apihub.styleGuides.get
apihub.versions.get
apihub.versions.list
resourcemanager.projects.get
resourcemanager.projects.list
App Hub Admin
(roles/apphub.admin)
Full access to App Hub resources.
apphub.*
resourcemanager.projects.get
resourcemanager.projects.list
App Hub Editor
(roles/apphub.editor)
Edit access to App Hub resources.
apphub.applications.create
apphub.applications.delete
apphub.applications.get
apphub.applications.list
apphub.applications.update
apphub.discoveredServices.*
apphub.discoveredWorkloads.*
apphub.locations.*
apphub.operations.*
apphub.serviceProjectAttachments.lookup
apphub.services.*
apphub.workloads.*
resourcemanager.projects.get
resourcemanager.projects.list
App Hub Viewer
(roles/apphub.viewer)
View access to App Hub resources.
apphub.applications.get
apphub.applications.list
apphub.discoveredServices.get
apphub.discoveredServices.list
apphub.discoveredWorkloads.get
apphub.discoveredWorkloads.list
apphub.locations.*
apphub.operations.get
apphub.operations.list
apphub.serviceProjectAttachments.lookup
apphub.services.get
apphub.services.list
apphub.workloads.get
apphub.workloads.list
resourcemanager.projects.get
resourcemanager.projects.list
Appliance troubleshooting commands approver
Beta
(roles/applianceactivation.approver)
Grants access to approve commands to run on appliances
applianceactivation.rttCommands.approve
applianceactivation.rttCommands.get
resourcemanager.projects.get
resourcemanager.projects.list
On-appliance troubleshooting client
Beta
(roles/applianceactivation.client)
Grants access to read commands for an appliance and send their results.
applianceactivation.rttCommands.get
applianceactivation.rttCommands.sendResult
Appliance troubleshooter
Beta
(roles/applianceactivation.troubleshooter)
Grants access to send new commands to run on appliances and view the outputs
applianceactivation.rttCommands.create
applianceactivation.rttCommands.get
applianceactivation.rttCommands.list
resourcemanager.projects.get
resourcemanager.projects.list
Assured OSS Admin
(roles/assuredoss.admin)
Access to use Assured OSS and manage configuration.
Access to read recommendations from autoscaling site
autoscaling.sites.readRecommendations
Autoscaling Site Admin
Beta
(roles/autoscaling.sitesAdmin)
Full access to all autoscaling site features
autoscaling.*
resourcemanager.projects.get
resourcemanager.projects.list
Autoscaling State Writer
Beta
(roles/autoscaling.stateWriter)
Access to write state for autoscaling site
autoscaling.sites.writeState
Batch Agent Reporter
Beta
(roles/batch.agentReporter)
Reporter of Batch agent states.
batch.states.report
Batch Job Editor
Beta
(roles/batch.jobsEditor)
Editor of Batch Jobs
batch.jobs.*
batch.locations.*
batch.operations.*
batch.tasks.*
resourcemanager.projects.get
resourcemanager.projects.list
Batch Job Viewer
Beta
(roles/batch.jobsViewer)
Viewer of Batch Jobs, Task Groups and Tasks
batch.jobs.get
batch.jobs.list
batch.locations.*
batch.operations.*
batch.tasks.*
resourcemanager.projects.get
resourcemanager.projects.list
BigLake Admin
(roles/biglake.admin)
Provides full access to all BigLake resources.
biglake.*
resourcemanager.projects.get
resourcemanager.projects.list
BigLake Viewer
(roles/biglake.viewer)
Provides read-only access to all BigLake resources.
biglake.catalogs.get
biglake.catalogs.list
biglake.databases.get
biglake.databases.list
biglake.locks.list
biglake.tables.get
biglake.tables.list
resourcemanager.projects.get
resourcemanager.projects.list
MigrationWorkflow Editor
(roles/bigquerymigration.editor)
Editor of EDW migration workflows.
bigquerymigration.locations.*
bigquerymigration.subtasks.get
bigquerymigration.subtasks.list
bigquerymigration.workflows.create
bigquerymigration.workflows.delete
bigquerymigration.workflows.get
bigquerymigration.workflows.list
bigquerymigration.workflows.update
Task Orchestrator
(roles/bigquerymigration.orchestrator)
Orchestrator of EDW migration tasks.
bigquerymigration.subtasks.create
bigquerymigration.taskTypes.orchestrateTask
bigquerymigration.workflows.orchestrateTask
storage.objects.list
Migration Translation User
(roles/bigquerymigration.translationUser)
User of EDW migration interactive SQL translation service.
bigquerymigration.translation.translate
MigrationWorkflow Viewer
(roles/bigquerymigration.viewer)
Viewer of EDW migration MigrationWorkflow.
bigquerymigration.locations.*
bigquerymigration.subtasks.get
bigquerymigration.subtasks.list
bigquerymigration.workflows.get
bigquerymigration.workflows.list
Task Worker
(roles/bigquerymigration.worker)
Worker that executes EDW migration subtasks.
bigquerymigration.subtaskTypes.executeTask
bigquerymigration.subtasks.executeTask
storage.objects.create
storage.objects.get
storage.objects.list
Carbon Footprint Viewer
(roles/billing.carbonViewer)
billing.accounts.get
billing.accounts.getCarbonInformation
billing.accounts.list
Blockchain Node Engine Admin
(roles/blockchainnodeengine.admin)
Full access to Blockchain Node Engine resources.
blockchainnodeengine.*
resourcemanager.projects.get
resourcemanager.projects.list
Blockchain Node Engine Viewer
(roles/blockchainnodeengine.viewer)
Read-only access to Blockchain Node Engine resources.
blockchainnodeengine.blockchainNodes.get
blockchainnodeengine.blockchainNodes.list
blockchainnodeengine.locations.*
blockchainnodeengine.operations.get
blockchainnodeengine.operations.list
resourcemanager.projects.get
resourcemanager.projects.list
Capacity Planner Usage Viewer
Beta
(roles/capacityplanner.viewer)
Read-only access to Capacity Planner usage resources
capacityplanner.*
cloudquotas.quotas.get
monitoring.timeSeries.list
resourcemanager.organizations.get
resourcemanager.projects.get
resourcemanager.projects.list
serviceusage.quotas.get
serviceusage.services.get
Care Studio Patients Viewer
(roles/carestudio.viewer)
This role can view all properties of Patients.
carestudio.*
resourcemanager.projects.get
resourcemanager.projects.list
Chronicle Service Admin
(roles/chroniclesm.admin)
Admins can view and modify Chronicle service details.
chroniclesm.*
Chronicle Service Viewer
(roles/chroniclesm.viewer)
Viewers can see Chronicle service details but not change them.
chroniclesm.gcpAssociations.get
chroniclesm.gcpSettings.get
Location reader
Beta
(roles/cloud.locationReader)
Read and enumerate locations available for resource creation.
cloud.*
Cloud AI Companion User
Beta
(roles/cloudaicompanion.user)
A user who can receive assistance from Cloud AI Companion
cloudaicompanion.*
resourcemanager.projects.get
resourcemanager.projects.list
Cloud Controls Partner Admin
(roles/cloudcontrolspartner.admin)
Full access to Cloud Controls Partner resources.
cloudcontrolspartner.accessapprovalrequests.list
cloudcontrolspartner.customers.list
cloudcontrolspartner.ekmconnections.get
cloudcontrolspartner.inspectabilityevents.get
cloudcontrolspartner.partnerpermissions.get
cloudcontrolspartner.partners.get
cloudcontrolspartner.platformcontrols.get
cloudcontrolspartner.violations.list
cloudcontrolspartner.workloads.list
Cloud Controls Partner Editor
(roles/cloudcontrolspartner.editor)
Editor access to Cloud Controls Partner resources.
cloudcontrolspartner.*
Cloud Controls Partner Inspectability Reader
(roles/cloudcontrolspartner.inspectabilityReader)
Read-only access to Cloud Controls Partner inspectability resources.
cloudcontrolspartner.customers.*
cloudcontrolspartner.inspectabilityevents.get
cloudcontrolspartner.platformcontrols.get
Cloud Controls Partner Monitoring Reader
(roles/cloudcontrolspartner.monitoringReader)
Read-only access to Cloud Controls Partner monitoring resources.
cloudcontrolspartner.customers.*
cloudcontrolspartner.violations.*
cloudcontrolspartner.workloads.*
Cloud Controls Partner Reader
(roles/cloudcontrolspartner.reader)
Read-only access to Cloud Controls Partner resources.
cloudcontrolspartner.*
Cloud Optimization AI Admin
(roles/cloudoptimization.admin)
Administrator of Cloud Optimization AI resources
cloudoptimization.*
Cloud Optimization AI Editor
(roles/cloudoptimization.editor)
Editor of Cloud Optimization AI resources
cloudoptimization.*
Cloud Optimization AI Viewer
(roles/cloudoptimization.viewer)
Viewer of Cloud Optimization AI resources
cloudoptimization.operations.get
Cloud Quotas Admin
Beta
(roles/cloudquotas.admin)
Full access to Cloud Quotas resources.
cloudquotas.*
monitoring.timeSeries.list
resourcemanager.projects.get
resourcemanager.projects.list
Cloud Quotas Viewer
Beta
(roles/cloudquotas.viewer)
Read-only access to Cloud Quotas resources.
cloudquotas.quotas.get
resourcemanager.projects.get
resourcemanager.projects.list
Commerce Agreement Publishing Admin
Beta
(roles/commerceagreementpublishing.admin)
Admin of Commerce Agreement Publishing service
commerceagreementpublishing.*
resourcemanager.projects.get
resourcemanager.projects.list
Commerce Agreement Publishing Viewer
Beta
(roles/commerceagreementpublishing.viewer)
Viewer of Commerce Agreement Publishing service
commerceagreementpublishing.agreements.get
commerceagreementpublishing.agreements.list
commerceagreementpublishing.documents.get
commerceagreementpublishing.documents.list
resourcemanager.projects.get
resourcemanager.projects.list
Confidential Space Workload User
(roles/confidentialcomputing.workloadUser)
Grants the ability to generate an attestation token and run a workload in a VM. Intended for service accounts that run on Confidential Space VMs.
confidentialcomputing.*
logging.logEntries.create
Contact Center AI Platform Admin
(roles/contactcenteraiplatform.admin)
Full access to Contact Center AI Platform resources.
contactcenteraiplatform.*
resourcemanager.projects.get
resourcemanager.projects.list
Contact Center AI Platform Viewer
(roles/contactcenteraiplatform.viewer)
Read-only access to Contact Center AI Platform resources.
contactcenteraiplatform.contactCenters.get
contactcenteraiplatform.contactCenters.list
contactcenteraiplatform.locations.*
contactcenteraiplatform.operations.get
contactcenteraiplatform.operations.list
resourcemanager.projects.get
resourcemanager.projects.list
Contact Center AI Insights editor
(roles/contactcenterinsights.editor)
Grants read and write access to all Contact Center AI Insights resources.
contactcenterinsights.*
Contact Center AI Insights viewer
(roles/contactcenterinsights.viewer)
Grants read access to all Contact Center AI Insights resources.
contactcenterinsights.analyses.get
contactcenterinsights.analyses.list
contactcenterinsights.conversations.get
contactcenterinsights.conversations.list
contactcenterinsights.faqEntries.get
contactcenterinsights.faqEntries.list
contactcenterinsights.faqModels.get
contactcenterinsights.faqModels.list
contactcenterinsights.issueModels.get
contactcenterinsights.issueModels.list
contactcenterinsights.issues.get
contactcenterinsights.issues.list
contactcenterinsights.operations.*
contactcenterinsights.phraseMatchers.get
contactcenterinsights.phraseMatchers.list
contactcenterinsights.settings.get
contactcenterinsights.views.get
contactcenterinsights.views.list
GKE Security Posture Viewer
Beta
(roles/containersecurity.viewer)
Read-only access to GKE Security Posture resources.
container.clusters.list
containersecurity.*
resourcemanager.projects.get
resourcemanager.projects.list
Content Warehouse Admin
(roles/contentwarehouse.admin)
Grants full access to all the resources in Content Warehouse
contentwarehouse.corpora.*
contentwarehouse.dataExportJobs.*
contentwarehouse.documentSchemas.*
contentwarehouse.documents.*
contentwarehouse.locations.*
contentwarehouse.operations.get
contentwarehouse.rawDocuments.*
contentwarehouse.ruleSets.*
contentwarehouse.synonymSets.*
resourcemanager.projects.get
resourcemanager.projects.list
Content Warehouse Document Admin
(roles/contentwarehouse.documentAdmin)
Grants full access to the document resource in Content Warehouse
contentwarehouse.documentSchemas.get
contentwarehouse.documents.create
contentwarehouse.documents.delete
contentwarehouse.documents.get
contentwarehouse.documents.getIamPolicy
contentwarehouse.documents.setIamPolicy
contentwarehouse.documents.update
contentwarehouse.links.*
contentwarehouse.locations.getStatus
contentwarehouse.rawDocuments.*
resourcemanager.projects.get
resourcemanager.projects.list
Content Warehouse document creator
(roles/contentwarehouse.documentCreator)
Grants access to create documents in Content Warehouse
contentwarehouse.documentSchemas.get
contentwarehouse.documentSchemas.list
contentwarehouse.documents.create
contentwarehouse.locations.getStatus
resourcemanager.projects.get
resourcemanager.projects.list
Content Warehouse Document Editor
(roles/contentwarehouse.documentEditor)
Grants access to update the document resource in Content Warehouse
contentwarehouse.documentSchemas.get
contentwarehouse.documents.get
contentwarehouse.documents.getIamPolicy
contentwarehouse.documents.update
contentwarehouse.links.*
contentwarehouse.locations.getStatus
contentwarehouse.rawDocuments.*
resourcemanager.projects.get
resourcemanager.projects.list
Content Warehouse document schema viewer
(roles/contentwarehouse.documentSchemaViewer)
Grants access to view the document schemas in Content Warehouse
contentwarehouse.documentSchemas.get
contentwarehouse.documentSchemas.list
contentwarehouse.locations.getStatus
resourcemanager.projects.get
resourcemanager.projects.list
Content Warehouse Viewer
(roles/contentwarehouse.documentViewer)
Grants access to view all the resources in Content Warehouse
contentwarehouse.documentSchemas.get
contentwarehouse.documents.get
contentwarehouse.documents.getIamPolicy
contentwarehouse.links.get
contentwarehouse.locations.getStatus
contentwarehouse.rawDocuments.download
resourcemanager.projects.get
resourcemanager.projects.list
Events Service viewer
Beta
(roles/databaseinsights.eventsViewer)
Viewer role for Events Service data
databaseinsights.aggregatedEvents.query
databaseinsights.clusterEvents.query
databaseinsights.instanceEvents.query
Database Insights monitoring viewer
Beta
(roles/databaseinsights.monitoringViewer)
Viewer role for Database Insights monitoring data
databaseinsights.activeQueries.fetch
databaseinsights.activitySummary.fetch
databaseinsights.aggregatedStats.query
databaseinsights.locations.*
databaseinsights.timeSeries.query
databaseinsights.workloadRecommendations.fetch
resourcemanager.projects.get
resourcemanager.projects.list
Database Insights performing operations
Beta
(roles/databaseinsights.operationsAdmin)
Admin role for performing Database Insights operations
databaseinsights.activeQuery.terminate
Database Insights recommendation viewer
Beta
(roles/databaseinsights.recommendationViewer)
Viewer role for Database Insights recommendation data
databaseinsights.locations.*
databaseinsights.recommendations.query
databaseinsights.resourceRecommendations.query
databaseinsights.workloadRecommendations.fetch
resourcemanager.projects.get
resourcemanager.projects.list
Database Insights viewer
Beta
(roles/databaseinsights.viewer)
Viewer role for Database Insights data
databaseinsights.activeQueries.fetch
databaseinsights.activitySummary.fetch
databaseinsights.aggregatedStats.query
databaseinsights.locations.*
databaseinsights.recommendations.query
databaseinsights.resourceRecommendations.query
databaseinsights.timeSeries.query
databaseinsights.workloadRecommendations.fetch
resourcemanager.projects.get
resourcemanager.projects.list
Data Lineage Administrator
(roles/datalineage.admin)
Grants full access to all resources in Data Lineage API
datalineage.*
resourcemanager.projects.get
resourcemanager.projects.list
Data Lineage Editor
(roles/datalineage.editor)
Grants edit access to all resources in Data Lineage API
datalineage.events.*
datalineage.locations.searchLinks
datalineage.operations.get
datalineage.processes.create
datalineage.processes.get
datalineage.processes.list
datalineage.processes.update
datalineage.runs.create
datalineage.runs.get
datalineage.runs.list
datalineage.runs.update
resourcemanager.projects.get
resourcemanager.projects.list
Data Lineage Events Producer
(roles/datalineage.producer)
Grants access to creating all resources in Data Lineage API
datalineage.events.create
datalineage.processes.create
datalineage.processes.get
datalineage.processes.update
datalineage.runs.create
datalineage.runs.get
datalineage.runs.update
resourcemanager.projects.get
resourcemanager.projects.list
Data Lineage Viewer
(roles/datalineage.viewer)
Grants read access to all resources in Data Lineage API
datalineage.events.get
datalineage.events.list
datalineage.locations.searchLinks
datalineage.processes.get
datalineage.processes.list
datalineage.runs.get
datalineage.runs.list
resourcemanager.projects.get
resourcemanager.projects.list
Data Processing Controls Resource Admin
(roles/dataprocessing.admin)
Data processing controls admin who can fully manage data processing controls settings and view all datasource data.
billing.accounts.get
billing.accounts.list
dataprocessing.*
Data Processing Controls Data Source Manager
(roles/dataprocessing.dataSourceManager)
Data processing controls data source manager who can get, list, and update the underlying data.
dataprocessing.datasources.list
dataprocessing.datasources.update
Discovery Engine Admin
(roles/discoveryengine.admin)
Grants full access to all discoveryengine resources.
discoveryengine.*
Discovery Engine Editor
(roles/discoveryengine.editor)
Grants read and write access to all discovery engine resources.
discoveryengine.analytics.*
discoveryengine.branches.*
discoveryengine.cmekConfigs.get
discoveryengine.cmekConfigs.list
discoveryengine.collections.get
discoveryengine.collections.list
discoveryengine.completionConfigs.get
discoveryengine.controls.get
discoveryengine.controls.list
discoveryengine.conversations.*
discoveryengine.dataStores.completeQuery
discoveryengine.dataStores.get
discoveryengine.dataStores.list
discoveryengine.documentProcessingConfigs.get
discoveryengine.documents.create
discoveryengine.documents.delete
discoveryengine.documents.get
discoveryengine.documents.import
discoveryengine.documents.list
discoveryengine.documents.update
discoveryengine.engines.get
discoveryengine.engines.list
discoveryengine.engines.pause
discoveryengine.engines.resume
discoveryengine.engines.tune
discoveryengine.models.*
discoveryengine.operations.*
discoveryengine.projects.get
discoveryengine.schemas.get
discoveryengine.schemas.list
discoveryengine.schemas.preview
discoveryengine.schemas.validate
discoveryengine.servingConfigs.get
discoveryengine.servingConfigs.list
discoveryengine.servingConfigs.recommend
discoveryengine.servingConfigs.search
discoveryengine.siteSearchEngines.get
discoveryengine.targetSites.get
discoveryengine.targetSites.list
discoveryengine.userEvents.create
discoveryengine.userEvents.fetchStats
discoveryengine.userEvents.import
discoveryengine.widgetConfigs.*
Discovery Engine Viewer
(roles/discoveryengine.viewer)
Grants read access to all discovery engine resources.
discoveryengine.analytics.*
discoveryengine.branches.*
discoveryengine.cmekConfigs.get
discoveryengine.cmekConfigs.list
discoveryengine.collections.get
discoveryengine.collections.list
discoveryengine.completionConfigs.get
discoveryengine.controls.get
discoveryengine.controls.list
discoveryengine.conversations.converse
discoveryengine.conversations.get
discoveryengine.conversations.list
discoveryengine.dataStores.completeQuery
discoveryengine.dataStores.get
discoveryengine.dataStores.list
discoveryengine.documentProcessingConfigs.get
discoveryengine.documents.get
discoveryengine.documents.list
discoveryengine.engines.get
discoveryengine.engines.list
discoveryengine.models.get
discoveryengine.models.list
discoveryengine.operations.*
discoveryengine.projects.get
discoveryengine.schemas.get
discoveryengine.schemas.list
discoveryengine.schemas.preview
discoveryengine.schemas.validate
discoveryengine.servingConfigs.get
discoveryengine.servingConfigs.list
discoveryengine.servingConfigs.recommend
discoveryengine.servingConfigs.search
discoveryengine.siteSearchEngines.get
discoveryengine.targetSites.get
discoveryengine.targetSites.list
discoveryengine.userEvents.fetchStats
discoveryengine.widgetConfigs.get
Enterprise Purchasing Admin
Beta
(roles/enterprisepurchasing.admin)
Full access to Enterprise Purchasing resources.
enterprisepurchasing.*
resourcemanager.projects.get
resourcemanager.projects.list
Enterprise Purchasing Editor
Beta
(roles/enterprisepurchasing.editor)
Edit access to Enterprise Purchasing resources.
enterprisepurchasing.gcveCuds.get
enterprisepurchasing.gcveCuds.list
enterprisepurchasing.gcveNodePricingInfo.list
enterprisepurchasing.locations.*
enterprisepurchasing.operations.get
enterprisepurchasing.operations.list
resourcemanager.projects.get
resourcemanager.projects.list
Enterprise Purchasing Viewer
Beta
(roles/enterprisepurchasing.viewer)
Read-only access to Enterprise Purchasing resources.
enterprisepurchasing.gcveCuds.get
enterprisepurchasing.gcveCuds.list
enterprisepurchasing.gcveNodePricingInfo.list
enterprisepurchasing.locations.*
enterprisepurchasing.operations.get
enterprisepurchasing.operations.list
resourcemanager.projects.get
resourcemanager.projects.list
Essential Contacts Admin
(roles/essentialcontacts.admin)
Full access to all essential contacts
essentialcontacts.*
Essential Contacts Viewer
(roles/essentialcontacts.viewer)
Viewer for all essential contacts
essentialcontacts.contacts.get
essentialcontacts.contacts.list
Firebase Cloud Messaging API Admin
Beta
(roles/firebasecloudmessaging.admin)
Full read/write access to Firebase Cloud Messaging API resources.
cloudmessaging.messages.create
fcmdata.deliverydata.list
resourcemanager.projects.get
resourcemanager.projects.list
Firebase Crash Symbol Uploader
(roles/firebasecrash.symbolMappingsAdmin)
Full read/write access to symbol mapping file resources for Firebase Crash Reporting.
firebase.clients.get
firebase.clients.list
resourcemanager.projects.get
GDC Hardware Management Admin
Beta
(roles/gdchardwaremanagement.admin)
Full access to GDC Hardware Management resources.
gdchardwaremanagement.*
resourcemanager.projects.get
resourcemanager.projects.list
GDC Hardware Management Operator
Beta
(roles/gdchardwaremanagement.operator)
Create, read, and update access to GDC Hardware Management resources that support those operations. Also grants delete access to HardwareGroup resource.
gdchardwaremanagement.changeLogEntries.*
gdchardwaremanagement.comments.*
gdchardwaremanagement.hardware.*
gdchardwaremanagement.hardwareGroups.*
gdchardwaremanagement.locations.*
gdchardwaremanagement.operations.get
gdchardwaremanagement.operations.list
gdchardwaremanagement.orders.create
gdchardwaremanagement.orders.get
gdchardwaremanagement.orders.list
gdchardwaremanagement.orders.update
gdchardwaremanagement.sites.*
gdchardwaremanagement.skus.*
gdchardwaremanagement.zones.*
resourcemanager.projects.get
resourcemanager.projects.list
GDC Hardware Management Reader
Beta
(roles/gdchardwaremanagement.reader)
Read-only access to GDC Hardware Management resources.
gdchardwaremanagement.changeLogEntries.*
gdchardwaremanagement.comments.get
gdchardwaremanagement.comments.list
gdchardwaremanagement.hardware.get
gdchardwaremanagement.hardware.list
gdchardwaremanagement.hardwareGroups.get
gdchardwaremanagement.hardwareGroups.list
gdchardwaremanagement.locations.*
gdchardwaremanagement.operations.get
gdchardwaremanagement.operations.list
gdchardwaremanagement.orders.get
gdchardwaremanagement.orders.list
gdchardwaremanagement.sites.get
gdchardwaremanagement.sites.list
gdchardwaremanagement.skus.*
gdchardwaremanagement.zones.get
gdchardwaremanagement.zones.list
resourcemanager.projects.get
resourcemanager.projects.list
Identity Platform Admin
Beta
(roles/identityplatform.admin)
Full access to Identity Platform resources.
firebaseauth.*
identitytoolkit.*
Identity Platform Viewer
Beta
(roles/identityplatform.viewer)
Read access to Identity Platform resources.
firebaseauth.configs.get
firebaseauth.users.get
identitytoolkit.tenants.get
identitytoolkit.tenants.getIamPolicy
identitytoolkit.tenants.list
Identity Toolkit Admin
(roles/identitytoolkit.admin)
Full access to Identity Toolkit resources.
firebaseauth.*
identitytoolkit.*
Identity Toolkit Viewer
(roles/identitytoolkit.viewer)
Read access to Identity Toolkit resources.
firebaseauth.configs.get
firebaseauth.users.get
identitytoolkit.tenants.get
identitytoolkit.tenants.getIamPolicy
identitytoolkit.tenants.list
Apigee Integration Admin
(roles/integrations.apigeeIntegrationAdminRole)
A user that has full access to all Apigee integrations.
Grants full access to all Speaker ID resources, including project settings.
speakerid.*
Speaker ID Editor
(roles/speakerid.editor)
Grants access to read and write all Speaker ID resources.
speakerid.phrases.*
speakerid.speakers.*
Speaker ID Verifier
(roles/speakerid.verifier)
Grants read access to all Speaker ID resources, and allows verification.
speakerid.phrases.get
speakerid.phrases.list
speakerid.speakers.get
speakerid.speakers.list
speakerid.speakers.verify
Speaker ID Viewer
(roles/speakerid.viewer)
Grants read access to all Speaker ID resources.
speakerid.phrases.get
speakerid.phrases.list
speakerid.speakers.get
speakerid.speakers.list
Cloud Speech Administrator
(roles/speech.admin)
Grants full access to all resources in Speech-to-text
speech.*
Cloud Speech Client
(roles/speech.client)
Grants access to the recognition APIs.
speech.adaptations.execute
speech.customClasses.get
speech.customClasses.list
speech.locations.*
speech.operations.get
speech.operations.list
speech.operations.wait
speech.phraseSets.get
speech.phraseSets.list
speech.recognizers.get
speech.recognizers.list
speech.recognizers.recognize
Cloud Speech Editor
(roles/speech.editor)
Grants access to edit resources in Speech-to-text
speech.adaptations.execute
speech.customClasses.*
speech.locations.*
speech.operations.*
speech.phraseSets.*
speech.recognizers.*
Storage Insights Admin
(roles/storageinsights.admin)
Full access to Storage Insights resources.
resourcemanager.projects.get
resourcemanager.projects.list
storageinsights.*
Storage Insights Analyst
(roles/storageinsights.analyst)
Data access to Storage Insights.
resourcemanager.projects.get
resourcemanager.projects.list
storageinsights.datasetConfigs.get
storageinsights.datasetConfigs.linkDataset
storageinsights.datasetConfigs.list
storageinsights.datasetConfigs.unlinkDataset
storageinsights.locations.*
storageinsights.operations.get
storageinsights.operations.list
storageinsights.reportConfigs.get
storageinsights.reportConfigs.list
storageinsights.reportDetails.*
Storage Insights Viewer
(roles/storageinsights.viewer)
Read-only access to Storage Insights resources.
resourcemanager.projects.get
resourcemanager.projects.list
storageinsights.datasetConfigs.get
storageinsights.datasetConfigs.list
storageinsights.locations.*
storageinsights.operations.get
storageinsights.operations.list
storageinsights.reportConfigs.get
storageinsights.reportConfigs.list
storageinsights.reportDetails.*
Subscribe with Google Developer
Beta
(roles/subscribewithgoogledeveloper.developer)
Access DevTools for Subscribe with Google
resourcemanager.projects.get
resourcemanager.projects.list
subscribewithgoogledeveloper.tools.get
Telco Automation Admin
Beta
(roles/telcoautomation.admin)
Full access to Telco Automation resources.
logging.buckets.get
logging.buckets.list
logging.exclusions.get
logging.exclusions.list
logging.links.get
logging.links.list
logging.locations.*
logging.logEntries.list
logging.logMetrics.get
logging.logMetrics.list
logging.logServiceIndexes.list
logging.logServices.list
logging.logs.list
logging.operations.get
logging.operations.list
logging.queries.create
logging.queries.delete
logging.queries.get
logging.queries.list
logging.queries.listShared
logging.queries.update
logging.sinks.get
logging.sinks.list
logging.usage.get
logging.views.get
logging.views.list
monitoring.timeSeries.list
resourcemanager.projects.get
serviceusage.operations.*
serviceusage.quotas.*
serviceusage.services.*
source.repos.get
source.repos.list
telcoautomation.*
Telco Automation Blueprint Designer
Beta
(roles/telcoautomation.blueprintDesigner)
Ability to manage blueprints
telcoautomation.blueprints.create
telcoautomation.blueprints.delete
telcoautomation.blueprints.get
telcoautomation.blueprints.list
telcoautomation.blueprints.propose
telcoautomation.blueprints.update
telcoautomation.deployments.computeStatus
telcoautomation.deployments.get
telcoautomation.deployments.list
telcoautomation.hydratedDeployments.get
telcoautomation.hydratedDeployments.list
telcoautomation.orchestrationClusters.get
telcoautomation.orchestrationClusters.list
telcoautomation.publicBlueprints.*
Telco Automation Deployment Admin
Beta
(roles/telcoautomation.deploymentAdmin)
Ability to manage deployments
telcoautomation.blueprints.get
telcoautomation.blueprints.list
telcoautomation.deployments.*
telcoautomation.hydratedDeployments.*
telcoautomation.orchestrationClusters.get
telcoautomation.orchestrationClusters.list
Telco Automation Tier 1 Operations Admin
Beta
(roles/telcoautomation.opsAdminTier1)
Ability to get status of deployments
logging.buckets.get
logging.buckets.list
logging.exclusions.get
logging.exclusions.list
logging.links.get
logging.links.list
logging.locations.*
logging.logEntries.list
logging.logMetrics.get
logging.logMetrics.list
logging.logServiceIndexes.list
logging.logServices.list
logging.logs.list
logging.operations.get
logging.operations.list
logging.queries.create
logging.queries.delete
logging.queries.get
logging.queries.list
logging.queries.listShared
logging.queries.update
logging.sinks.get
logging.sinks.list
logging.usage.get
logging.views.get
logging.views.list
resourcemanager.projects.get
telcoautomation.blueprints.get
telcoautomation.blueprints.list
telcoautomation.deployments.computeStatus
telcoautomation.deployments.get
telcoautomation.deployments.list
telcoautomation.hydratedDeployments.get
telcoautomation.hydratedDeployments.list
telcoautomation.orchestrationClusters.get
telcoautomation.orchestrationClusters.list
Telco Automation Tier 4 Operations Admin
Beta
(roles/telcoautomation.opsAdminTier4)
Ability to manage deployments and their status
logging.buckets.get
logging.buckets.list
logging.exclusions.get
logging.exclusions.list
logging.links.get
logging.links.list
logging.locations.*
logging.logEntries.list
logging.logMetrics.get
logging.logMetrics.list
logging.logServiceIndexes.list
logging.logServices.list
logging.logs.list
logging.operations.get
logging.operations.list
logging.queries.create
logging.queries.delete
logging.queries.get
logging.queries.list
logging.queries.listShared
logging.queries.update
logging.sinks.get
logging.sinks.list
logging.usage.get
logging.views.get
logging.views.list
resourcemanager.projects.get
telcoautomation.blueprints.get
telcoautomation.blueprints.list
telcoautomation.deployments.*
telcoautomation.hydratedDeployments.*
telcoautomation.orchestrationClusters.get
telcoautomation.orchestrationClusters.list
Telco Automation Service Orchestrator
Beta
(roles/telcoautomation.serviceOrchestrator)
Ability to manage deployments
telcoautomation.blueprints.get
telcoautomation.blueprints.list
telcoautomation.deployments.*
telcoautomation.hydratedDeployments.*
telcoautomation.orchestrationClusters.get
telcoautomation.orchestrationClusters.list
Timeseries Insights DataSet Editor
Beta
(roles/timeseriesinsights.datasetsEditor)
Edit access to DataSets.
timeseriesinsights.*
Timeseries Insights DataSet Owner
Beta
(roles/timeseriesinsights.datasetsOwner)
Full access to DataSets.
timeseriesinsights.*
Timeseries Insights DataSet Viewer
Beta
(roles/timeseriesinsights.datasetsViewer)
Read-only access (List and Query) to DataSets.
timeseriesinsights.datasets.evaluate
timeseriesinsights.datasets.list
timeseriesinsights.datasets.query
timeseriesinsights.locations.*
Traffic Director Client
Beta
(roles/trafficdirector.client)
Fetch service configurations and report metrics.
trafficdirector.*
Translation Hub Admin
Beta
(roles/translationhub.admin)
Admin of Translation Hub
automl.models.get
automl.models.list
automl.models.predict
cloudtranslate.customModels.get
cloudtranslate.customModels.list
cloudtranslate.customModels.predict
cloudtranslate.glossaries.create
cloudtranslate.glossaries.delete
cloudtranslate.glossaries.get
cloudtranslate.glossaries.list
cloudtranslate.glossaries.predict
resourcemanager.projects.get
resourcemanager.projects.list
translationhub.*
Translation Hub Portal User
Beta
(roles/translationhub.portalUser)
Portal user of Translation Hub
automl.models.get
automl.models.list
automl.models.predict
cloudtranslate.customModels.get
cloudtranslate.customModels.list
cloudtranslate.customModels.predict
cloudtranslate.glossaries.get
cloudtranslate.glossaries.list
cloudtranslate.glossaries.predict
resourcemanager.projects.get
resourcemanager.projects.list
translationhub.portals.get
translationhub.portals.list
Visual Inspection AI Solution Editor
(roles/visualinspection.editor)
Read and write access to all Visual Inspection AI resources except visualinspection.locations.reportUsageMetrics
visualinspection.annotationSets.*
visualinspection.annotationSpecs.*
visualinspection.annotations.*
visualinspection.datasets.*
visualinspection.images.*
visualinspection.locations.get
visualinspection.locations.list
visualinspection.modelEvaluations.*
visualinspection.models.*
visualinspection.modules.*
visualinspection.operations.*
visualinspection.solutionArtifacts.*
visualinspection.solutions.*
Visual Inspection AI Usage Metrics Reporter
(roles/visualinspection.usageMetricsReporter)
ReportUsageMetric access to Visual Inspection AI Service
visualinspection.locations.reportUsageMetrics
Visual Inspection AI Viewer
(roles/visualinspection.viewer)
Read access to Visual Inspection AI resources
visualinspection.annotationSets.get
visualinspection.annotationSets.list
visualinspection.annotationSpecs.get
visualinspection.annotationSpecs.list
visualinspection.annotations.get
visualinspection.annotations.list
visualinspection.datasets.export
visualinspection.datasets.get
visualinspection.datasets.list
visualinspection.images.get
visualinspection.images.list
visualinspection.locations.get
visualinspection.locations.list
visualinspection.modelEvaluations.*
visualinspection.models.get
visualinspection.models.list
visualinspection.modules.get
visualinspection.modules.list
visualinspection.operations.*
visualinspection.solutionArtifacts.get
visualinspection.solutionArtifacts.list
visualinspection.solutionArtifacts.predict
visualinspection.solutions.get
visualinspection.solutions.list
PAM roles
Permissions
Privileged Access Manager Admin
Beta
(roles/privilegedaccessmanager.admin)
Full access to Privileged Access Manager resources.
privilegedaccessmanager.*
resourcemanager.projects.get
Privileged Access Manager Viewer
Beta
(roles/privilegedaccessmanager.viewer)
Read-only access to Privileged Access Manager resources.
privilegedaccessmanager.entitlements.get
privilegedaccessmanager.entitlements.list
privilegedaccessmanager.grants.get
privilegedaccessmanager.grants.list
privilegedaccessmanager.locations.get
privilegedaccessmanager.locations.list
privilegedaccessmanager.operations.get
privilegedaccessmanager.operations.list
resourcemanager.projects.get
Project roles
Permissions
Browser
(roles/browser)
Read access to browse the hierarchy for a project, including the folder, organization, and allow
policy. This role doesn't include permission to view resources in the project.
Lowest-level resources where you can grant this role:
Project
resourcemanager.folders.get
resourcemanager.folders.list
resourcemanager.organizations.get
resourcemanager.projects.get
resourcemanager.projects.getIamPolicy
resourcemanager.projects.list
Proximity Beacon roles
Permissions
Beacon Attachment Editor
(roles/proximitybeacon.attachmentEditor)
Can create and delete attachments; can list and get a project's beacons; can list a project's namespaces.
proximitybeacon.attachments.*
proximitybeacon.beacons.get
proximitybeacon.beacons.list
proximitybeacon.namespaces.list
resourcemanager.projects.get
resourcemanager.projects.list
Beacon Attachment Publisher
(roles/proximitybeacon.attachmentPublisher)
Grants necessary permissions to use beacons to create attachments in namespaces not owned by this project.
proximitybeacon.beacons.attach
proximitybeacon.beacons.get
proximitybeacon.beacons.list
resourcemanager.projects.get
resourcemanager.projects.list
Beacon Attachment Viewer
(roles/proximitybeacon.attachmentViewer)
Can view all attachments under a namespace; no beacon or namespace permissions.
proximitybeacon.attachments.get
proximitybeacon.attachments.list
resourcemanager.projects.get
resourcemanager.projects.list
Beacon Editor
(roles/proximitybeacon.beaconEditor)
Necessary access to register, modify, and view beacons; no attachment or namespace permissions.
proximitybeacon.beacons.create
proximitybeacon.beacons.get
proximitybeacon.beacons.list
proximitybeacon.beacons.update
resourcemanager.projects.get
resourcemanager.projects.list
Pub/Sub roles
Permissions
Pub/Sub Admin
(roles/pubsub.admin)
Provides full access to topics and subscriptions.
Lowest-level resources where you can grant this role:
Schema
Snapshot
Subscription
Topic
pubsub.*
resourcemanager.projects.get
serviceusage.quotas.get
serviceusage.services.get
serviceusage.services.list
Pub/Sub Editor
(roles/pubsub.editor)
Provides access to modify topics and subscriptions, and access to publish
and consume messages.
Lowest-level resources where you can grant this role:
Schema
Snapshot
Subscription
Topic
pubsub.schemas.attach
pubsub.schemas.commit
pubsub.schemas.create
pubsub.schemas.delete
pubsub.schemas.get
pubsub.schemas.list
pubsub.schemas.listRevisions
pubsub.schemas.rollback
pubsub.schemas.validate
pubsub.snapshots.create
pubsub.snapshots.delete
pubsub.snapshots.get
pubsub.snapshots.list
pubsub.snapshots.seek
pubsub.snapshots.update
pubsub.subscriptions.consume
pubsub.subscriptions.create
pubsub.subscriptions.delete
pubsub.subscriptions.get
pubsub.subscriptions.list
pubsub.subscriptions.update
pubsub.topics.attachSubscription
pubsub.topics.create
pubsub.topics.delete
pubsub.topics.detachSubscription
pubsub.topics.get
pubsub.topics.list
pubsub.topics.publish
pubsub.topics.update
pubsub.topics.updateTag
resourcemanager.projects.get
serviceusage.quotas.get
serviceusage.services.get
serviceusage.services.list
Pub/Sub Publisher
(roles/pubsub.publisher)
Provides access to publish messages to a topic.
Lowest-level resources where you can grant this role:
Topic
pubsub.topics.publish
Pub/Sub Subscriber
(roles/pubsub.subscriber)
Provides access to consume messages from a subscription and to attach
subscriptions to a topic.
Lowest-level resources where you can grant this role:
Snapshot
Subscription
Topic
pubsub.snapshots.seek
pubsub.subscriptions.consume
pubsub.topics.attachSubscription
Pub/Sub Viewer
(roles/pubsub.viewer)
Provides access to view topics and subscriptions.
Lowest-level resources where you can grant this role:
Schema
Snapshot
Subscription
Topic
pubsub.schemas.get
pubsub.schemas.list
pubsub.schemas.listRevisions
pubsub.schemas.validate
pubsub.snapshots.get
pubsub.snapshots.list
pubsub.subscriptions.get
pubsub.subscriptions.list
pubsub.topics.get
pubsub.topics.list
resourcemanager.projects.get
serviceusage.quotas.get
serviceusage.services.get
serviceusage.services.list
Pub/Sub Lite roles
Permissions
Pub/Sub Lite Admin
(roles/pubsublite.admin)
Full access to topics, subscriptions and reservations.
pubsublite.*
Pub/Sub Lite Editor
(roles/pubsublite.editor)
Modify topics, subscriptions and reservations, publish and consume messages.
pubsublite.*
Pub/Sub Lite Publisher
(roles/pubsublite.publisher)
Publish messages to a topic.
pubsublite.locations.openKafkaStream
pubsublite.topics.getPartitions
pubsublite.topics.publish
Pub/Sub Lite Subscriber
(roles/pubsublite.subscriber)
Subscribe to and read messages from a topic.
pubsublite.locations.openKafkaStream
pubsublite.operations.get
pubsublite.subscriptions.getCursor
pubsublite.subscriptions.seek
pubsublite.subscriptions.setCursor
pubsublite.subscriptions.subscribe
pubsublite.topics.computeHeadCursor
pubsublite.topics.computeMessageStats
pubsublite.topics.computeTimeCursor
pubsublite.topics.getPartitions
pubsublite.topics.subscribe
Pub/Sub Lite Viewer
(roles/pubsublite.viewer)
View topics, subscriptions and reservations.
pubsublite.operations.*
pubsublite.reservations.get
pubsublite.reservations.list
pubsublite.reservations.listTopics
pubsublite.subscriptions.get
pubsublite.subscriptions.getCursor
pubsublite.subscriptions.list
pubsublite.topics.get
pubsublite.topics.getPartitions
pubsublite.topics.list
pubsublite.topics.listSubscriptions
Rapid Migration Assessment roles
Permissions
Rapid Migration Assessment Admin
(roles/rma.admin)
Full access to all Rapid Migration Assessment resources.
resourcemanager.projects.get
resourcemanager.projects.list
rma.*
Rapid Migration Assessment Runner
(roles/rma.runner)
Update and read access to all Rapid Migration Assessment resources.
resourcemanager.projects.get
resourcemanager.projects.list
rma.annotations.get
rma.collectors.get
rma.collectors.list
rma.collectors.update
rma.locations.*
rma.operations.get
rma.operations.list
Rapid Migration Assessment Viewer
(roles/rma.viewer)
Read-only access to all Rapid Migration Assessment resources.
resourcemanager.projects.get
resourcemanager.projects.list
rma.annotations.get
rma.collectors.get
rma.collectors.list
rma.locations.*
rma.operations.get
rma.operations.list
reCAPTCHA Enterprise roles
Permissions
reCAPTCHA Enterprise Admin
Beta
(roles/recaptchaenterprise.admin)
Access to view and modify reCAPTCHA Enterprise keys
monitoring.timeSeries.list
recaptchaenterprise.keys.*
recaptchaenterprise.metrics.get
resourcemanager.projects.get
resourcemanager.projects.list
reCAPTCHA Enterprise Agent
Beta
(roles/recaptchaenterprise.agent)
Access to create and annotate reCAPTCHA Enterprise assessments
Access to view reCAPTCHA Enterprise keys and metrics
monitoring.timeSeries.list
recaptchaenterprise.keys.get
recaptchaenterprise.keys.list
recaptchaenterprise.metrics.get
resourcemanager.projects.get
resourcemanager.projects.list
Recommendations AI roles
Permissions
Recommendations AI Admin
Beta
(roles/automlrecommendations.admin)
Full access to all Recommendations AI resources.
automlrecommendations.*
resourcemanager.projects.get
resourcemanager.projects.list
retail.catalogs.list
retail.catalogs.update
retail.operations.*
retail.placements.*
retail.products.create
retail.products.delete
retail.products.export
retail.products.get
retail.products.import
retail.products.list
retail.products.purge
retail.products.update
retail.retailProjects.get
retail.userEvents.*
serviceusage.services.get
serviceusage.services.list
Recommendations AI Admin Viewer
Beta
(roles/automlrecommendations.adminViewer)
Viewer of all Recommendations AI resources.
automlrecommendations.apiKeys.list
automlrecommendations.catalogItems.get
automlrecommendations.catalogItems.list
automlrecommendations.catalogs.getStats
automlrecommendations.catalogs.list
automlrecommendations.eventStores.*
automlrecommendations.events.get
automlrecommendations.events.list
automlrecommendations.placements.getStats
automlrecommendations.placements.list
automlrecommendations.recommendations.list
resourcemanager.projects.get
resourcemanager.projects.list
retail.catalogs.list
retail.operations.*
retail.placements.*
retail.products.export
retail.products.get
retail.products.list
retail.retailProjects.get
serviceusage.services.get
serviceusage.services.list
Recommendations AI Editor
Beta
(roles/automlrecommendations.editor)
Editor of all Recommendations AI resources.
automlrecommendations.apiKeys.create
automlrecommendations.apiKeys.list
automlrecommendations.catalogItems.*
automlrecommendations.catalogs.getStats
automlrecommendations.catalogs.list
automlrecommendations.eventStores.*
automlrecommendations.events.create
automlrecommendations.events.get
automlrecommendations.events.list
automlrecommendations.placements.create
automlrecommendations.placements.getStats
automlrecommendations.placements.list
automlrecommendations.recommendations.create
automlrecommendations.recommendations.list
automlrecommendations.recommendations.pause
automlrecommendations.recommendations.resume
automlrecommendations.recommendations.update
resourcemanager.projects.get
resourcemanager.projects.list
retail.catalogs.list
retail.catalogs.update
retail.operations.*
retail.placements.*
retail.products.create
retail.products.delete
retail.products.export
retail.products.get
retail.products.import
retail.products.list
retail.products.update
retail.retailProjects.get
retail.userEvents.create
retail.userEvents.import
serviceusage.services.get
serviceusage.services.list
Recommendations AI Viewer
Beta
(roles/automlrecommendations.viewer)
Viewer of all Recommendations resources except apiKeys. To view all resources,
including apiKeys, grant the Recommendations AI Admin Viewer role
(roles/automlrecommendations.adminViewer).
An instance repository creator can connect to a Cloud Git instance via IAP (HTTPS) and create repositories in the instance.
resourcemanager.projects.get
resourcemanager.projects.list
securesourcemanager.instances.access
securesourcemanager.instances.createRepository
securesourcemanager.sshkeys.create
securesourcemanager.sshkeys.delete
securesourcemanager.sshkeys.get
securesourcemanager.sshkeys.list
Secure Source Manager Repository Admin
Beta
(roles/securesourcemanager.repoAdmin)
A repoAdmin can create, read, update, and delete a repository and its children, and can assign users to a repository. They can also set, get, or check IAM policies on the repository.
resourcemanager.projects.get
resourcemanager.projects.list
securesourcemanager.repositories.*
Secure Source Manager Repository Creator
Beta
(roles/securesourcemanager.repoCreator)
A repoCreator can create a repository in a project; the creator then becomes the repoAdmin on that repository.
resourcemanager.projects.get
resourcemanager.projects.list
securesourcemanager.repositories.create
Secure Source Manager Repository Reader
Beta
(roles/securesourcemanager.repoReader)
A repoReader has read access to a particular repository, including its child components. They cannot create repositories, and do not manage IAM policies on the repository.
resourcemanager.projects.get
resourcemanager.projects.list
securesourcemanager.repositories.fetch
securesourcemanager.repositories.get
securesourcemanager.repositories.list
securesourcemanager.repositories.readIssues
securesourcemanager.repositories.readPullRequests
Secure Source Manager Repository Writer
Beta
(roles/securesourcemanager.repoWriter)
A repoWriter has read/write access to a particular repository, including its child components. They cannot create repositories, and do not manage IAM policies on the repository.
Gives the Assured Workloads service account access to create CAIS feed and monitor Assured Workloads.
cloudasset.assets.exportResource
cloudasset.assets.listResource
cloudasset.feeds.create
cloudasset.feeds.delete
cloudasset.feeds.get
Assured Workloads Service Agent
(roles/assuredworkloads.serviceAgent)
Gives the Assured Workloads service account access to create KMS keyrings and keys, and to monitor Assured Workloads.
cloudkms.cryptoKeys.create
cloudkms.keyRings.create
serviceusage.services.enable
serviceusage.services.get
serviceusage.services.use
Audit Manager Auditing Service Agent
(roles/auditmanager.serviceAgent)
Grants Audit Manager Service Agent access to various list/get rpcs of products to perform an audit.
cloudasset.assets.*
cloudsql.instances.list
compute.autoscalers.list
compute.backendServices.list
compute.disks.list
compute.firewalls.list
compute.forwardingRules.list
compute.globalForwardingRules.list
compute.instanceGroupManagers.list
compute.instanceGroups.list
compute.instances.list
compute.regionSslPolicies.list
compute.regionTargetHttpProxies.list
compute.regionUrlMaps.list
compute.routers.list
compute.securityPolicies.list
compute.sslCertificates.list
compute.sslPolicies.list
compute.subnetworks.list
compute.targetHttpProxies.list
compute.targetSslProxies.list
compute.urlMaps.list
compute.vpnGateways.list
compute.zones.list
container.clusters.list
logging.buckets.list
monitoring.timeSeries.list
orgpolicy.policy.get
recommender.cloudAssetInsights.get
recommender.cloudAssetInsights.list
recommender.locations.*
resourcemanager.folders.get
resourcemanager.folders.getIamPolicy
resourcemanager.folders.list
resourcemanager.organizations.get
resourcemanager.organizations.getIamPolicy
resourcemanager.projects.get
resourcemanager.projects.getIamPolicy
resourcemanager.projects.list
serviceusage.operations.get
serviceusage.operations.list
serviceusage.quotas.get
serviceusage.services.get
serviceusage.services.list
storage.buckets.get
storage.buckets.getIamPolicy
storage.buckets.list
AutoML Service Agent
(roles/automl.serviceAgent)
AutoML service agent can act as Cloud Storage admin and export BigQuery tables, which can be backed by Cloud Storage and Cloud Bigtable.
bigquery.datasets.create
bigquery.datasets.get
bigquery.jobs.create
bigquery.tables.create
bigquery.tables.export
bigquery.tables.get
bigquery.tables.getData
bigquery.tables.update
bigquery.tables.updateData
bigtable.tables.get
bigtable.tables.list
bigtable.tables.readRows
serviceusage.services.use
storage.buckets.get
storage.objects.create
storage.objects.delete
storage.objects.get
storage.objects.list
storage.objects.update
Recommendations AI Service Agent
(roles/automlrecommendations.serviceAgent)
Recommendations AI service uploads catalog feeds from Cloud Storage, reports results to the customer Cloud Storage bucket, writes logs to customer projects, and writes and reads Stackdriver metrics for customer projects.
bigquery.datasets.create
bigquery.datasets.get
bigquery.jobs.create
bigquery.jobs.get
bigquery.jobs.list
bigquery.jobs.update
bigquery.tables.create
bigquery.tables.export
bigquery.tables.get
bigquery.tables.getData
bigquery.tables.list
bigquery.tables.update
bigquery.tables.updateData
cloudnotifications.activities.list
dataflow.jobs.*
dataflow.messages.list
dataflow.metrics.get
logging.logEntries.create
logging.logEntries.route
monitoring.alertPolicies.get
monitoring.alertPolicies.list
monitoring.dashboards.get
monitoring.dashboards.list
monitoring.groups.get
monitoring.groups.list
monitoring.metricDescriptors.create
monitoring.metricDescriptors.get
monitoring.metricDescriptors.list
monitoring.monitoredResourceDescriptors.*
monitoring.notificationChannelDescriptors.*
monitoring.notificationChannels.get
monitoring.notificationChannels.list
monitoring.publicWidgets.get
monitoring.publicWidgets.list
monitoring.services.get
monitoring.services.list
monitoring.slos.get
monitoring.slos.list
monitoring.snoozes.get
monitoring.snoozes.list
monitoring.timeSeries.*
monitoring.uptimeCheckConfigs.get
monitoring.uptimeCheckConfigs.list
opsconfigmonitoring.resourceMetadata.list
resourcemanager.projects.get
resourcemanager.projects.list
stackdriver.projects.get
stackdriver.resourceMetadata.list
storage.buckets.create
storage.buckets.get
storage.objects.create
storage.objects.delete
storage.objects.get
storage.objects.list
storage.objects.update
Backup and DR Service Agent
(roles/backupdr.serviceAgent)
Grants the Backup and DR Service access to protect Compute Engine instances.
compute.addresses.list
compute.addresses.use
compute.diskTypes.*
compute.disks.create
compute.disks.createSnapshot
compute.disks.delete
compute.disks.get
compute.disks.setLabels
compute.disks.use
compute.firewalls.list
compute.globalOperations.get
compute.images.create
compute.images.delete
compute.images.get
compute.images.useReadOnly
compute.instances.attachDisk
compute.instances.create
compute.instances.delete
compute.instances.detachDisk
compute.instances.get
compute.instances.list
compute.instances.setLabels
compute.instances.setMetadata
compute.instances.setServiceAccount
compute.instances.setTags
compute.instances.start
compute.instances.stop
compute.machineTypes.*
compute.networks.list
compute.nodeGroups.get
compute.nodeGroups.list
compute.nodeTemplates.get
compute.projects.get
compute.regionOperations.get
compute.regions.*
compute.snapshots.create
compute.snapshots.delete
compute.snapshots.get
compute.snapshots.setLabels
compute.snapshots.useReadOnly
compute.subnetworks.list
compute.subnetworks.use
compute.subnetworks.useExternalIp
compute.zoneOperations.get
compute.zones.list
iam.serviceAccounts.actAs
iam.serviceAccounts.get
iam.serviceAccounts.list
resourcemanager.projects.get
resourcemanager.projects.list
Bare Metal Solution Service Agent
(roles/baremetalsolution.serviceAgent)
Gives permission to manage network resources such as interconnect pairing keys, required for Bare Metal Solution.
compute.interconnectAttachments.get
compute.interconnectAttachments.list
compute.interconnects.get
compute.interconnects.list
compute.networks.get
compute.networks.list
compute.projects.get
resourcemanager.projects.get
Google Batch Service Agent
(roles/batch.serviceAgent)
Gives Google Batch account access to manage customer resources.
Grants Certificate Manager access to services and APIs in the user project.
certificatemanager.locations.get
Chronicle Service Agent
(roles/chronicle.serviceAgent)
Grants Chronicle scoped access to customer project
chronicle.instances.get
monitoring.alertPolicies.*
Chronicle SOAR Service Agent
(roles/chronicle.soarServiceAgent)
Gives Chronicle SOAR the ability to perform remediation on Cloud Platform resources.
cloudasset.assets.analyzeIamPolicy
cloudasset.assets.searchAllIamPolicies
cloudasset.assets.searchAllResources
compute.instances.get
compute.instances.list
compute.instances.stop
compute.zones.list
iam.serviceAccounts.disable
iam.serviceAccounts.list
recommender.iamPolicyRecommendations.*
resourcemanager.organizations.getIamPolicy
securitycenter.findingexternalsystems.update
securitycenter.findings.list
securitycenter.findings.setState
securitycenter.notificationconfig.create
securitycenter.notificationconfig.get
securitycenter.notificationconfig.update
Effective Policies Service Agent
(roles/cloudasset.effectivePolicyServiceAgent)
Gives the effective policy service account access to search all resources and IAM policies.
cloudasset.assets.searchAllIamPolicies
cloudasset.assets.searchAllResources
Cloud Asset Service Agent
(roles/cloudasset.serviceAgent)
Gives Cloud Asset service agent permissions to Cloud Storage and BigQuery for exporting Assets, and permission to publish to Cloud Pub/Sub topics for Asset Real Time Feed.
bigquery.datasets.get
bigquery.jobs.create
bigquery.jobs.get
bigquery.tables.create
bigquery.tables.delete
bigquery.tables.get
bigquery.tables.update
bigquery.tables.updateData
pubsub.topics.publish
storage.buckets.create
storage.buckets.get
storage.buckets.getIamPolicy
storage.objects.create
storage.objects.delete
storage.objects.get
Cloud Build Logging Service Agent
(roles/cloudbuild.loggingServiceAgent)
Gives the Cloud Build logging-specific service account access to write logs.
logging.buckets.write
Cloud Build Service Agent
(roles/cloudbuild.serviceAgent)
Gives Cloud Build service account access to managed resources.
Gives Cloud Controls Partner monitoring service agent permission to view and list Assured Workload violations. The role is assigned to enable partner monitoring capability.
assuredworkloads.violations.get
assuredworkloads.violations.list
Cloud Deploy Service Agent
(roles/clouddeploy.serviceAgent)
Gives Cloud Deploy Service Account access to managed resources.
cloudbuild.builds.create
cloudbuild.builds.get
cloudbuild.builds.list
cloudbuild.builds.update
cloudbuild.workerpools.use
iam.serviceAccounts.actAs
iam.serviceAccounts.getAccessToken
logging.logEntries.create
pubsub.topics.get
pubsub.topics.publish
servicemanagement.services.report
serviceusage.services.use
storage.buckets.create
storage.buckets.get
storage.objects.get
Cloud Deployment Manager Service Agent
(roles/clouddeploymentmanager.serviceAgent)
Allows the Deployment Manager service to actuate resources across DM projects and folders.
Grants the ability to manage Cloud IoT Core resources, including publishing data to Cloud Pub/Sub and writing device activity logs to Stackdriver. Warning: If this role is removed from the Cloud IoT service account, Cloud IoT Core will be unable to publish data or write device activity logs.
logging.logEntries.create
logging.logEntries.route
pubsub.topics.publish
Cloud KMS Organization Service Agent
(roles/cloudkms.orgServiceAgent)
Gives Cloud KMS organization-level service account access to managed resources.
cloudasset.assets.searchAllResources
Cloud KMS Service Agent
(roles/cloudkms.serviceAgent)
Gives Cloud KMS service account access to managed resources.
cloudasset.assets.listCloudkmsCryptoKeys
Cloud KMS KACLS Service Agent
(roles/cloudkmskacls.serviceAgent)
Grants Cloud KMS KACLS Service Agent access to KMS resource permissions to perform DEK encryption/decryption.
cloudkms.cryptoKeyVersions.useToDecrypt
cloudkms.cryptoKeyVersions.useToEncrypt
cloudkms.cryptoKeys.get
Cloud Optimization Service Agent
(roles/cloudoptimization.serviceAgent)
Grants Cloud Optimization Service Account access to read and write data in the user project.
storage.buckets.get
storage.objects.create
storage.objects.delete
storage.objects.get
storage.objects.list
storage.objects.update
Cloud Scheduler Service Agent
(roles/cloudscheduler.serviceAgent)
Grants Cloud Scheduler Service Account access to manage resources.
iam.serviceAccounts.getAccessToken
iam.serviceAccounts.getOpenIdToken
logging.logEntries.create
logging.logEntries.route
pubsub.topics.publish
Cloud SQL Service Agent
(roles/cloudsql.serviceAgent)
Grants Cloud SQL access to services and APIs in the user project
cloudsql.instances.get
Cloud Tasks Service Agent
(roles/cloudtasks.serviceAgent)
Grants Cloud Tasks Service Account access to manage resources.
iam.serviceAccounts.getAccessToken
iam.serviceAccounts.getOpenIdToken
logging.logEntries.create
Cloud TPU V2 API Service Agent
(roles/cloudtpu.serviceAgent)
Gives the Cloud TPU service account access to managed resources.
Gives Container Threat Detection service account access to enable/disable Container Threat Detection and manage the Container Threat Detection Agent on Google Kubernetes Engine clusters.
Gives permission for the Dataform API to access a secret from Secret Manager
dataform.compilationResults.create
dataform.workflowInvocations.create
resourcemanager.projects.get
resourcemanager.projects.list
Cloud Data Fusion API Service Agent
(roles/datafusion.serviceAgent)
Gives Cloud Data Fusion service account access to Service Networking, Cloud Dataproc, Cloud Storage, BigQuery, Cloud Spanner, and Cloud Bigtable resources.
Gives the Data Labeling service account read/write access to Cloud Storage and BigQuery, permission to update CMLE model versions, and editor access to the Annotation service and AutoML service.
automl.annotationSpecs.*
automl.annotations.*
automl.columnSpecs.*
automl.datasets.create
automl.datasets.delete
automl.datasets.export
automl.datasets.get
automl.datasets.import
automl.datasets.list
automl.datasets.update
automl.examples.*
automl.files.*
automl.humanAnnotationTasks.*
automl.locations.get
automl.locations.list
automl.modelEvaluations.*
automl.models.create
automl.models.delete
automl.models.deploy
automl.models.export
automl.models.get
automl.models.list
automl.models.predict
automl.models.undeploy
automl.operations.*
automl.tableSpecs.*
bigquery.datasets.create
bigquery.datasets.get
bigquery.jobs.create
bigquery.jobs.get
bigquery.tables.create
bigquery.tables.get
bigquery.tables.getData
ml.jobs.create
ml.jobs.get
ml.jobs.getIamPolicy
ml.jobs.list
ml.locations.*
ml.models.*
ml.operations.get
ml.operations.list
ml.projects.getConfig
ml.studies.*
ml.trials.*
ml.versions.*
resourcemanager.projects.get
resourcemanager.projects.list
serviceusage.services.get
serviceusage.services.list
storage.objects.create
storage.objects.delete
storage.objects.get
storage.objects.list
storage.objects.update
Database Migration Service Agent
(roles/datamigration.serviceAgent)
Gives Cloud Database Migration service account access to Cloud SQL resources.
alloydb.clusters.create
alloydb.clusters.delete
alloydb.clusters.generateClientCertificate
alloydb.clusters.get
alloydb.clusters.list
alloydb.clusters.update
alloydb.instances.connect
alloydb.instances.create
alloydb.instances.delete
alloydb.instances.get
alloydb.instances.list
alloydb.instances.update
alloydb.operations.get
alloydb.operations.list
cloudsql.databases.delete
cloudsql.databases.get
cloudsql.instances.connect
cloudsql.instances.create
cloudsql.instances.delete
cloudsql.instances.demoteMaster
cloudsql.instances.get
cloudsql.instances.import
cloudsql.instances.list
cloudsql.instances.migrate
cloudsql.instances.promoteReplica
cloudsql.instances.restart
cloudsql.instances.startReplica
cloudsql.instances.stopReplica
cloudsql.instances.update
compute.forwardingRules.use
compute.globalAddresses.create
compute.globalAddresses.createInternal
compute.globalAddresses.delete
compute.globalAddresses.deleteInternal
compute.globalAddresses.get
compute.globalOperations.get
compute.networks.addPeering
compute.networks.get
compute.networks.list
compute.networks.listPeeringRoutes
compute.networks.removePeering
compute.networks.use
compute.regionOperations.get
compute.regionOperations.list
compute.routers.list
compute.routes.get
compute.routes.list
compute.serviceAttachments.get
compute.serviceAttachments.list
compute.serviceAttachments.update
compute.subnetworks.get
compute.subnetworks.list
compute.subnetworks.use
serviceusage.services.use
storage.objects.get
storage.objects.list
Datapipelines Service Agent
(roles/datapipelines.serviceAgent)
Gives Datapipelines service permissions to create Dataflow & Cloud Scheduler jobs in the user project.
appengine.applications.get
bigquery.tables.get
bigtable.tables.get
cloudbuild.builds.create
cloudbuild.builds.get
cloudbuild.builds.list
cloudbuild.builds.update
cloudbuild.operations.*
cloudscheduler.*
compute.machineTypes.get
compute.projects.get
compute.regions.list
compute.zones.list
dataflow.jobs.*
dataflow.messages.list
dataflow.metrics.get
dataflow.snapshots.*
firebase.projects.get
iam.serviceAccounts.actAs
iam.serviceAccounts.get
iam.serviceAccounts.list
orgpolicy.policy.get
pubsub.schemas.get
pubsub.topics.get
recommender.dataflowDiagnosticsInsights.*
recommender.iamPolicyInsights.*
recommender.iamPolicyRecommendations.*
remotebuildexecution.blobs.get
resourcemanager.projects.get
resourcemanager.projects.list
serviceusage.services.get
serviceusage.services.list
storage.anywhereCaches.*
storage.bucketOperations.*
storage.buckets.*
storage.managedFolders.*
storage.multipartUploads.*
storage.objects.*
Cloud Dataplex Service Agent
(roles/dataplex.serviceAgent)
Gives the Dataplex service account access to project resources. This access will be used in data discovery, data management and data workload management.
Gives the Dataproc service account access to service accounts, compute resources, storage resources, and Kubernetes resources.
compute.acceleratorTypes.*
compute.addresses.createInternal
compute.addresses.deleteInternal
compute.addresses.get
compute.addresses.list
compute.addresses.use
compute.addresses.useInternal
compute.autoscalers.*
compute.diskTypes.*
compute.disks.create
compute.disks.createSnapshot
compute.disks.createTagBinding
compute.disks.delete
compute.disks.get
compute.disks.list
compute.disks.resize
compute.disks.setLabels
compute.disks.startAsyncReplication
compute.disks.stopAsyncReplication
compute.disks.stopGroupAsyncReplication
compute.disks.update
compute.disks.use
compute.disks.useReadOnly
compute.firewalls.get
compute.firewalls.list
compute.globalAddresses.get
compute.globalAddresses.list
compute.globalAddresses.use
compute.globalNetworkEndpointGroups.*
compute.globalOperations.get
compute.globalOperations.list
compute.images.get
compute.images.getFromFamily
compute.images.list
compute.images.useReadOnly
compute.instanceGroupManagers.*
compute.instanceGroups.*
compute.instanceSettings.get
compute.instanceTemplates.*
compute.instances.*
compute.licenses.get
compute.licenses.list
compute.machineImages.*
compute.machineTypes.*
compute.networkEndpointGroups.*
compute.networks.get
compute.networks.getEffectiveFirewalls
compute.networks.list
compute.networks.listEffectiveTags
compute.networks.listTagBindings
compute.networks.use
compute.networks.useExternalIp
compute.nodeGroups.get
compute.nodeTypes.get
compute.projects.get
compute.regionNetworkEndpointGroups.*
compute.regionOperations.get
compute.regionOperations.list
compute.regions.*
compute.reservations.get
compute.reservations.list
compute.resourcePolicies.useReadOnly
compute.storagePools.get
compute.storagePools.list
compute.storagePools.use
compute.subnetworks.get
compute.subnetworks.list
compute.subnetworks.listEffectiveTags
compute.subnetworks.listTagBindings
compute.subnetworks.use
compute.subnetworks.useExternalIp
compute.targetPools.get
compute.targetPools.list
compute.targetPools.listEffectiveTags
compute.targetPools.listTagBindings
compute.zoneOperations.get
compute.zoneOperations.list
compute.zones.*
container.clusterRoleBindings.*
container.clusterRoles.*
container.clusters.get
container.clusters.update
container.customResourceDefinitions.create
container.customResourceDefinitions.delete
container.customResourceDefinitions.get
container.customResourceDefinitions.list
container.customResourceDefinitions.update
container.namespaces.create
container.namespaces.delete
container.namespaces.get
container.namespaces.list
container.namespaces.update
container.operations.get
container.roleBindings.*
container.roles.bind
container.roles.escalate
dataproc.autoscalingPolicies.create
dataproc.autoscalingPolicies.delete
dataproc.autoscalingPolicies.get
dataproc.autoscalingPolicies.getIamPolicy
dataproc.autoscalingPolicies.list
dataproc.autoscalingPolicies.update
dataproc.autoscalingPolicies.use
dataproc.clusters.*
dataproc.jobs.*
dataproc.nodeGroups.*
dataproc.operations.cancel
dataproc.sessions.*
firebase.projects.get
iam.serviceAccounts.actAs
iam.serviceAccounts.getAccessToken
metastore.services.get
orgpolicy.policy.get
recommender.iamPolicyInsights.*
recommender.iamPolicyRecommendations.*
resourcemanager.projects.get
resourcemanager.projects.list
serviceusage.quotas.get
serviceusage.services.get
serviceusage.services.list
serviceusage.services.use
storage.anywhereCaches.*
storage.bucketOperations.*
storage.buckets.*
storage.managedFolders.*
storage.multipartUploads.*
storage.objects.*
Datastream Service Agent
(roles/datastream.serviceAgent)
Grants Cloud Datastream permissions to write data in the user project.
bigquery.datasets.create
bigquery.datasets.get
bigquery.jobs.create
bigquery.jobs.delete
bigquery.jobs.get
bigquery.jobs.list
bigquery.jobs.update
bigquery.tables.create
bigquery.tables.get
bigquery.tables.getData
bigquery.tables.list
bigquery.tables.update
bigquery.tables.updateData
compute.globalAddresses.create
compute.globalAddresses.createInternal
compute.globalAddresses.delete
compute.globalAddresses.deleteInternal
compute.globalAddresses.get
compute.globalOperations.get
compute.networks.addPeering
compute.networks.get
compute.networks.listPeeringRoutes
compute.networks.removePeering
compute.networks.use
compute.routes.get
compute.routes.list
compute.subnetworks.get
compute.subnetworks.list
pubsub.topics.publish
storage.buckets.get
storage.objects.create
storage.objects.get
storage.objects.list
Data Studio Service Agent
(roles/datastudio.serviceAgent)
Grants Data Studio Service Account access to manage resources.
bigquery.jobs.create
Dialogflow Service Agent
(roles/dialogflow.serviceAgent)
Gives Dialogflow Service Account access to resources on behalf of user project for Integrations (Facebook Messenger, Slack, Telephony, etc.), BigQuery, Discovery Engine, and Vertex.
aiplatform.endpoints.get
aiplatform.endpoints.predict
aiplatform.models.get
bigquery.jobs.create
bigquery.tables.get
bigquery.tables.getData
bigquery.tables.updateData
cloudfunctions.functions.invoke
dialogflow.agents.export
dialogflow.agents.get
dialogflow.agents.list
dialogflow.agents.search
dialogflow.agents.searchResources
dialogflow.answerrecords.get
dialogflow.answerrecords.list
dialogflow.callMatchers.list
dialogflow.changelogs.*
dialogflow.contexts.*
dialogflow.conversationDatasets.get
dialogflow.conversationDatasets.list
dialogflow.conversationModels.get
dialogflow.conversationModels.list
dialogflow.conversationProfiles.get
dialogflow.conversationProfiles.list
dialogflow.conversations.*
dialogflow.deployments.*
dialogflow.documents.get
dialogflow.documents.list
dialogflow.encryptionspec.get
dialogflow.entityTypes.get
dialogflow.entityTypes.list
dialogflow.environments.get
dialogflow.environments.list
dialogflow.environments.runContinuousTest
dialogflow.examples.get
dialogflow.examples.list
dialogflow.experiments.get
dialogflow.experiments.list
dialogflow.flows.get
dialogflow.flows.list
dialogflow.fulfillments.get
dialogflow.generators.get
dialogflow.generators.list
dialogflow.integrations.get
dialogflow.integrations.list
dialogflow.intents.get
dialogflow.intents.list
dialogflow.knowledgeBases.get
dialogflow.knowledgeBases.list
dialogflow.messages.list
dialogflow.modelEvaluations.*
dialogflow.operations.get
dialogflow.pages.get
dialogflow.pages.list
dialogflow.participants.*
dialogflow.phoneNumberOrders.get
dialogflow.phoneNumberOrders.list
dialogflow.phoneNumbers.list
dialogflow.playbooks.get
dialogflow.playbooks.list
dialogflow.securitySettings.get
dialogflow.securitySettings.list
dialogflow.sessionEntityTypes.*
dialogflow.sessions.*
dialogflow.smartMessagingEntries.get
dialogflow.smartMessagingEntries.list
dialogflow.testcases.get
dialogflow.testcases.list
dialogflow.tools.get
dialogflow.tools.list
dialogflow.transitionRouteGroups.get
dialogflow.transitionRouteGroups.list
dialogflow.versions.get
dialogflow.versions.list
dialogflow.webhooks.get
dialogflow.webhooks.list
discoveryengine.engines.delete
discoveryengine.engines.get
discoveryengine.servingConfigs.search
dlp.deidentifyTemplates.get
dlp.deidentifyTemplates.list
dlp.inspectTemplates.get
dlp.inspectTemplates.list
logging.logEntries.create
logging.logEntries.route
pubsub.snapshots.seek
pubsub.subscriptions.consume
pubsub.topics.attachSubscription
pubsub.topics.publish
resourcemanager.projects.get
resourcemanager.projects.list
run.jobs.run
run.routes.invoke
serviceusage.services.use
speakerid.phrases.*
speakerid.speakers.*
speech.adaptations.execute
speech.customClasses.get
speech.customClasses.list
speech.phraseSets.get
speech.phraseSets.list
speech.recognizers.get
speech.recognizers.list
storage.managedFolders.get
storage.managedFolders.list
storage.objects.create
storage.objects.get
storage.objects.list
Discovery Engine Service Agent
(roles/discoveryengine.serviceAgent)
Discovery Engine service uploads documents and user events from Cloud Storage and BigQuery, reports results to the customer Cloud Storage bucket, writes logs to customer projects using Cloud Logging, and writes and reads metrics for customer using Cloud Monitoring.
alloydb.instances.get
alloydb.operations.get
bigquery.datasets.create
bigquery.datasets.get
bigquery.jobs.create
bigquery.jobs.get
bigquery.jobs.list
bigquery.jobs.update
bigquery.tables.create
bigquery.tables.export
bigquery.tables.get
bigquery.tables.getData
bigquery.tables.list
bigquery.tables.update
bigquery.tables.updateData
bigtable.tables.readRows
bigtable.tables.sampleRowKeys
cloudsql.databases.get
cloudsql.instances.export
cloudsql.instances.get
datastore.databases.export
datastore.databases.get
datastore.databases.getMetadata
datastore.operations.get
discoveryengine.conversations.converse
discoveryengine.conversations.create
discoveryengine.dataStores.completeQuery
discoveryengine.servingConfigs.search
discoveryengine.userEvents.create
logging.logEntries.create
monitoring.metricDescriptors.create
monitoring.metricDescriptors.get
monitoring.metricDescriptors.list
monitoring.monitoredResourceDescriptors.*
monitoring.timeSeries.*
spanner.databases.beginReadOnlyTransaction
spanner.databases.partitionQuery
spanner.databases.select
spanner.databases.useDataBoost
spanner.sessions.create
storage.buckets.create
storage.buckets.get
storage.buckets.getIamPolicy
storage.buckets.setIamPolicy
storage.objects.create
storage.objects.delete
storage.objects.get
storage.objects.list
storage.objects.update
DLP API Service Agent
(roles/dlp.serviceAgent)
Gives the Cloud DLP API service agent permissions for BigQuery, Cloud Storage, Datastore, Pub/Sub, and Cloud KMS.
appengine.applications.get
bigquery.config.get
bigquery.dataPolicies.create
bigquery.dataPolicies.delete
bigquery.dataPolicies.get
bigquery.dataPolicies.getIamPolicy
bigquery.dataPolicies.list
bigquery.dataPolicies.setIamPolicy
bigquery.dataPolicies.update
bigquery.datasets.*
bigquery.jobs.create
bigquery.jobs.get
bigquery.jobs.update
bigquery.models.*
bigquery.readsessions.*
bigquery.routines.*
bigquery.rowAccessPolicies.create
bigquery.rowAccessPolicies.delete
bigquery.rowAccessPolicies.getIamPolicy
bigquery.rowAccessPolicies.list
bigquery.rowAccessPolicies.setIamPolicy
bigquery.rowAccessPolicies.update
bigquery.tables.*
cloudasset.assets.analyzeIamPolicy
cloudasset.assets.exportResource
cloudkms.cryptoKeyVersions.useToDecrypt
cloudkms.locations.get
cloudkms.locations.list
datacatalog.categories.fineGrainedGet
datacatalog.tagTemplates.*
dataform.locations.*
dataform.repositories.create
dataform.repositories.list
datastore.databases.get
datastore.databases.getMetadata
datastore.databases.list
datastore.entities.*
datastore.indexes.list
datastore.namespaces.*
datastore.statistics.*
dlp.analyzeRiskTemplates.get
dlp.analyzeRiskTemplates.list
dlp.deidentifyTemplates.get
dlp.deidentifyTemplates.list
dlp.inspectTemplates.get
dlp.inspectTemplates.list
dlp.jobs.*
dlp.kms.encrypt
firebase.projects.get
orgpolicy.policy.get
pubsub.*
recommender.iamPolicyInsights.*
recommender.iamPolicyRecommendations.*
resourcemanager.projects.get
resourcemanager.projects.list
serviceusage.quotas.get
serviceusage.services.get
serviceusage.services.list
serviceusage.services.use
storage.anywhereCaches.*
storage.bucketOperations.*
storage.buckets.*
storage.managedFolders.*
storage.multipartUploads.*
storage.objects.*
DocumentAI Core Service Agent
(roles/documentaicore.serviceAgent)
Gives DocumentAI Core Service Account access to consumer resources.
automl.models.predict
documentai.humanReviewConfigs.review
storage.buckets.get
storage.objects.create
storage.objects.delete
storage.objects.get
storage.objects.list
storage.objects.update
Edge Container Cluster Service Agent
(roles/edgecontainer.clusterServiceAgent)
Grants the Edge Container Cluster Service Account access to manage resources.
gkehub.endpoints.connect
gkehub.features.create
gkehub.features.get
gkehub.features.list
gkehub.features.update
gkehub.fleet.create
gkehub.fleet.delete
gkehub.fleet.get
gkehub.locations.*
gkehub.memberships.create
gkehub.memberships.delete
gkehub.memberships.generateConnectManifest
gkehub.memberships.get
gkehub.memberships.list
gkehub.memberships.update
gkehub.operations.*
logging.logEntries.create
monitoring.dashboards.*
monitoring.metricDescriptors.create
monitoring.metricDescriptors.get
monitoring.metricDescriptors.list
monitoring.monitoredResourceDescriptors.*
monitoring.notificationChannelDescriptors.*
monitoring.notificationChannels.get
monitoring.notificationChannels.list
monitoring.publicWidgets.get
monitoring.publicWidgets.list
monitoring.services.get
monitoring.services.list
monitoring.slos.get
monitoring.slos.list
monitoring.snoozes.get
monitoring.snoozes.list
monitoring.timeSeries.*
monitoring.uptimeCheckConfigs.get
opsconfigmonitoring.resourceMetadata.write
resourcemanager.projects.get
resourcemanager.projects.list
serviceusage.operations.get
serviceusage.operations.list
serviceusage.quotas.get
serviceusage.services.get
serviceusage.services.list
stackdriver.resourceMetadata.write
storage.buckets.create
storage.buckets.get
storage.buckets.list
storage.buckets.update
storage.objects.create
storage.objects.delete
storage.objects.get
storage.objects.list
storage.objects.update
Edge Container Service Agent
(roles/edgecontainer.serviceAgent)
Grants the Edge Container Service Account access to manage resources.
compute.externalVpnGateways.create
compute.externalVpnGateways.delete
compute.externalVpnGateways.get
compute.externalVpnGateways.use
compute.globalOperations.get
compute.networks.get
compute.networks.updatePolicy
compute.regionOperations.get
compute.routers.create
compute.routers.delete
compute.routers.get
compute.routers.list
compute.routers.update
compute.routers.use
compute.vpnGateways.create
compute.vpnGateways.delete
compute.vpnGateways.get
compute.vpnGateways.use
compute.vpnTunnels.create
compute.vpnTunnels.delete
compute.vpnTunnels.get
gkehub.memberships.create
gkehub.memberships.delete
gkehub.memberships.generateConnectManifest
gkehub.memberships.get
gkehub.memberships.update
gkehub.operations.cancel
gkehub.operations.get
Cloud Endpoints Service Agent
(roles/endpoints.serviceAgent)
Gives the Cloud Endpoints service account access to Endpoints services and the ability to act as a service controller.
servicemanagement.services.check
servicemanagement.services.get
servicemanagement.services.quota
servicemanagement.services.report
Endpoints Portal Service Agent
(roles/endpointsportal.serviceAgent)
Can access information about Endpoints services for consumer portal management, and can read Source Repositories for consumer portal custom content.
servicemanagement.services.get
servicemanagement.services.list
source.repos.get
Enterprise Knowledge Graph Service Agent
(roles/enterpriseknowledgegraph.serviceAgent)
Gives Enterprise Knowledge Graph Service Account access to consumer resources.
bigquery.config.get
bigquery.datasets.create
bigquery.datasets.get
bigquery.jobs.create
bigquery.readsessions.create
bigquery.readsessions.getData
bigquery.tables.create
bigquery.tables.get
bigquery.tables.getData
bigquery.tables.list
bigquery.tables.update
bigquery.tables.updateData
dataform.locations.*
dataform.repositories.create
dataform.repositories.list
resourcemanager.projects.get
resourcemanager.projects.list
storage.objects.get
storage.objects.list
Eventarc Service Agent
(roles/eventarc.serviceAgent)
Gives Eventarc service account access to managed resources.
cloudfunctions.functions.get
compute.instanceGroupManagers.get
compute.networkAttachments.get
compute.networkAttachments.update
compute.regionOperations.get
container.clusters.get
container.deployments.create
container.deployments.delete
container.deployments.get
container.deployments.list
container.deployments.update
container.namespaces.create
container.namespaces.delete
container.namespaces.get
container.namespaces.list
container.serviceAccounts.create
container.serviceAccounts.delete
container.serviceAccounts.get
container.serviceAccounts.list
container.services.get
container.services.list
dns.networks.targetWithPeeringZone
eventarc.channels.publish
iam.serviceAccounts.actAs
iam.serviceAccounts.getAccessToken
iam.serviceAccounts.getOpenIdToken
monitoring.timeSeries.create
pubsub.subscriptions.consume
pubsub.subscriptions.create
pubsub.subscriptions.delete
pubsub.subscriptions.get
pubsub.subscriptions.list
pubsub.subscriptions.update
pubsub.topics.attachSubscription
pubsub.topics.create
pubsub.topics.delete
pubsub.topics.get
pubsub.topics.list
pubsub.topics.publish
pubsub.topics.update
run.jobs.get
run.services.get
serviceusage.services.use
storage.buckets.get
storage.buckets.update
workflows.workflows.get
Cloud Filestore Service Agent
(roles/file.serviceAgent)
Gives Cloud Filestore service account access to managed resources.
compute.globalOperations.get
compute.networks.addPeering
compute.networks.get
compute.networks.removePeering
compute.networks.update
compute.networks.updatePeering
compute.routes.list
monitoring.metricDescriptors.create
monitoring.metricDescriptors.get
monitoring.metricDescriptors.list
monitoring.monitoredResourceDescriptors.*
monitoring.timeSeries.create
resourcemanager.projects.get
resourcemanager.projects.list
Firebase App Distribution Admin SDK Service Agent
(roles/firebase.appDistributionSdkServiceAgent)
Read and write access to Firebase App Distribution with the Admin SDK.
firebaseappdistro.*
Firebase Service Management Service Agent
(roles/firebase.managementServiceAgent)
Access to create new service agents for Firebase projects; assign roles to service agents; provision GCP resources as required by Firebase services.
apikeys.keys.create
apikeys.keys.get
apikeys.keys.list
apikeys.keys.update
appengine.applications.create
appengine.applications.get
appengine.applications.update
appengine.operations.get
appengine.services.list
bigquery.datasets.create
bigquery.datasets.get
bigquery.datasets.update
bigquery.transfers.*
clientauthconfig.brands.create
clientauthconfig.brands.update
clientauthconfig.clients.create
clientauthconfig.clients.getWithSecret
clientauthconfig.clients.list
clientauthconfig.clients.update
firebase.clients.create
firebase.clients.delete
firebase.clients.get
firebase.clients.undelete
firebase.projects.*
firebaseabt.experiments.delete
firebaseauth.configs.create
firebaseauth.configs.get
firebaseauth.configs.update
firebaserules.releases.create
firebaserules.releases.delete
firebaserules.releases.get
firebaserules.rulesets.create
firebasestorage.defaultBucket.get
iam.roles.get
iam.serviceAccounts.create
iam.serviceAccounts.get
iam.serviceAccounts.list
resourcemanager.organizations.get
resourcemanager.projects.get
resourcemanager.projects.getIamPolicy
resourcemanager.projects.setIamPolicy
resourcemanager.projects.update
servicemanagement.services.bind
serviceusage.services.enable
serviceusage.services.get
serviceusage.services.use
storage.buckets.create
storage.buckets.get
storage.buckets.getIamPolicy
storage.buckets.list
storage.buckets.setIamPolicy
Firebase Realtime Database Service Agent
(roles/firebasedatabase.serviceAgent)
Access to publish triggers.
pubsub.topics.publish
serviceusage.services.use
Firebase Machine Learning Service Agent
Alpha
(roles/firebaseml.serviceAgent)
Access to Cloud ML and AI resources used by Firebase ML.
aiplatform.endpoints.predict
Firebase Rules Firestore Service Agent
(roles/firebaserules.firestoreServiceAgent)
Grants Firebase Security Rules access to Firestore for providing cross-service Rules.
datastore.entities.get
Cloud Storage for Firebase Service Agent
(roles/firebasestorage.serviceAgent)
Access to Cloud Storage for Firebase through API and SDK.
storage.buckets.get
storage.buckets.getIamPolicy
storage.objects.create
storage.objects.delete
storage.objects.get
storage.objects.getIamPolicy
storage.objects.list
storage.objects.update
Firestore Service Agent
(roles/firestore.serviceAgent)
Gives Firestore service account access to managed resources.
storage.buckets.get
storage.objects.create
storage.objects.delete
storage.objects.get
storage.objects.list
Cloud Firewall Insights Service Agent
(roles/firewallinsights.serviceAgent)
Gives Cloud Firewall Insights service agent permissions to retrieve Firewall, VM and route resources on user behalf.
compute.backendServices.list
compute.firewalls.get
compute.firewalls.list
compute.forwardingRules.list
compute.healthChecks.list
compute.httpHealthChecks.list
compute.httpsHealthChecks.list
compute.instanceGroups.list
compute.instances.get
compute.instances.list
compute.networks.getEffectiveFirewalls
compute.networks.list
compute.projects.get
compute.regionTargetTcpProxies.list
compute.routers.list
compute.routes.get
compute.routes.list
compute.subnetworks.list
compute.targetHttpProxies.list
compute.targetHttpsProxies.list
compute.targetPools.list
compute.targetSslProxies.list
compute.targetTcpProxies.list
compute.targetVpnGateways.list
compute.urlMaps.list
compute.vpnGateways.list
compute.vpnTunnels.list
FleetEngine Service Agent
(roles/fleetengine.serviceAgent)
Grants the FleetEngine Service Account access to manage resources.
bigquery.config.get
bigquery.datasets.get
bigquery.jobs.create
bigquery.tables.getData
dataform.locations.*
dataform.repositories.create
dataform.repositories.list
resourcemanager.projects.get
resourcemanager.projects.list
Game Services Service Agent
(roles/gameservices.serviceAgent)
Gives Game Services Service Account access to GCP resources.
Uploads media files to customer Cloud Storage buckets.
storage.objects.create
storage.objects.delete
storage.objects.get
storage.objects.list
storage.objects.update
Cloud Logging Service Agent
(roles/logging.serviceAgent)
Grants a Cloud Logging Service Account the ability to create and link datasets.
bigquery.datasets.create
bigquery.datasets.get
bigquery.datasets.link
Looker Service Agent
(roles/looker.serviceAgent)
Gives the Looker service account permission to manage customer resources.
bigquery.config.get
bigquery.datasets.get
bigquery.jobs.create
bigquery.models.export
bigquery.models.getData
bigquery.models.getMetadata
bigquery.models.list
bigquery.tables.create
bigquery.tables.createSnapshot
bigquery.tables.export
bigquery.tables.get
bigquery.tables.getData
bigquery.tables.list
compute.globalAddresses.get
looker.backups.create
resourcemanager.projects.get
serviceusage.services.use
Cloud Managed Identities Service Agent
(roles/managedidentities.serviceAgent)
Gives Managed Identities service account access to managed resources.
compute.globalOperations.get
compute.networks.addPeering
compute.networks.get
compute.networks.removePeering
compute.networks.update
compute.routes.list
dns.changes.*
dns.dnsKeys.*
dns.managedZoneOperations.*
dns.managedZones.create
dns.managedZones.delete
dns.managedZones.get
dns.managedZones.list
dns.managedZones.update
dns.networks.bindPrivateDNSPolicy
dns.networks.bindPrivateDNSZone
dns.policies.create
dns.policies.delete
dns.policies.get
dns.policies.list
dns.policies.update
dns.projects.get
dns.resourceRecordSets.*
dns.responsePolicies.*
dns.responsePolicyRules.*
monitoring.metricDescriptors.create
monitoring.metricDescriptors.get
monitoring.metricDescriptors.list
monitoring.monitoredResourceDescriptors.*
monitoring.timeSeries.create
resourcemanager.projects.get
resourcemanager.projects.list
Media Asset Service Agent
(roles/mediaasset.serviceAgent)
Downloads and uploads media files from and to customer Cloud Storage buckets.
pubsub.topics.get
pubsub.topics.publish
storage.objects.create
storage.objects.delete
storage.objects.get
transcoder.jobs.create
transcoder.jobs.delete
transcoder.jobs.get
Cloud Memorystore Memcached Service Agent
(roles/memcache.serviceAgent)
Gives Cloud Memorystore Memcached service account access to managed resources.
compute.globalOperations.get
compute.networks.addPeering
compute.networks.get
compute.networks.removePeering
compute.networks.update
compute.routes.get
compute.routes.list
compute.subnetworks.get
compute.subnetworks.list
monitoring.metricDescriptors.create
monitoring.metricDescriptors.get
monitoring.metricDescriptors.list
monitoring.monitoredResourceDescriptors.*
monitoring.timeSeries.create
resourcemanager.projects.get
resourcemanager.projects.list
Mesh Config Service Agent
(roles/meshconfig.serviceAgent)
Apply mesh configuration
compute.backendServices.create
compute.backendServices.delete
compute.backendServices.get
compute.backendServices.list
compute.backendServices.setSecurityPolicy
compute.backendServices.update
compute.backendServices.use
compute.firewalls.create
compute.firewalls.delete
compute.firewalls.get
compute.firewalls.list
compute.firewalls.update
compute.globalForwardingRules.create
compute.globalForwardingRules.delete
compute.globalForwardingRules.get
compute.globalForwardingRules.list
compute.globalForwardingRules.setLabels
compute.globalForwardingRules.setTarget
compute.globalOperations.get
compute.globalOperations.list
compute.healthChecks.create
compute.healthChecks.delete
compute.healthChecks.get
compute.healthChecks.list
compute.healthChecks.update
compute.healthChecks.use
compute.healthChecks.useReadOnly
compute.networkEndpointGroups.get
compute.networkEndpointGroups.list
compute.networkEndpointGroups.use
compute.networks.get
compute.networks.updatePolicy
compute.networks.use
compute.regionTargetTcpProxies.*
compute.subnetworks.use
compute.targetHttpProxies.create
compute.targetHttpProxies.delete
compute.targetHttpProxies.get
compute.targetHttpProxies.list
compute.targetHttpProxies.setUrlMap
compute.targetHttpProxies.use
compute.targetHttpsProxies.create
compute.targetHttpsProxies.delete
compute.targetHttpsProxies.get
compute.targetHttpsProxies.list
compute.targetHttpsProxies.setSslCertificates
compute.targetHttpsProxies.setSslPolicy
compute.targetHttpsProxies.setUrlMap
compute.targetHttpsProxies.use
compute.targetSslProxies.create
compute.targetSslProxies.delete
compute.targetSslProxies.get
compute.targetSslProxies.list
compute.targetSslProxies.setBackendService
compute.targetSslProxies.setProxyHeader
compute.targetSslProxies.setSslCertificates
compute.targetSslProxies.use
compute.targetTcpProxies.create
compute.targetTcpProxies.delete
compute.targetTcpProxies.get
compute.targetTcpProxies.list
compute.targetTcpProxies.update
compute.targetTcpProxies.use
compute.urlMaps.create
compute.urlMaps.delete
compute.urlMaps.get
compute.urlMaps.invalidateCache
compute.urlMaps.list
compute.urlMaps.update
compute.urlMaps.use
compute.urlMaps.validate
networksecurity.clientTlsPolicies.create
networksecurity.clientTlsPolicies.delete
networksecurity.clientTlsPolicies.get
networksecurity.clientTlsPolicies.list
networksecurity.clientTlsPolicies.update
networksecurity.serverTlsPolicies.create
networksecurity.serverTlsPolicies.delete
networksecurity.serverTlsPolicies.get
networksecurity.serverTlsPolicies.list
networksecurity.serverTlsPolicies.update
networkservices.endpointConfigSelectors.create
networkservices.endpointConfigSelectors.delete
networkservices.endpointConfigSelectors.get
networkservices.endpointConfigSelectors.list
networkservices.endpointConfigSelectors.update
networkservices.httpFilters.create
networkservices.httpFilters.delete
networkservices.httpFilters.get
networkservices.httpFilters.list
networkservices.httpFilters.update
networkservices.httpfilters.create
networkservices.httpfilters.delete
networkservices.httpfilters.get
networkservices.httpfilters.list
networkservices.httpfilters.update
Mesh Managed Control Plane Service Agent
(roles/meshcontrolplane.serviceAgent)
Anthos Service Mesh Managed Control Plane Agent
container.apiServices.*
container.auditSinks.*
container.backendConfigs.*
container.bindings.*
container.certificateSigningRequests.*
container.clusterRoleBindings.*
container.clusterRoles.*
container.clusters.get
container.clusters.getCredentials
container.clusters.list
container.clusters.update
container.componentStatuses.*
container.configMaps.*
container.controllerRevisions.*
container.cronJobs.*
container.csiDrivers.*
container.csiNodeInfos.*
container.csiNodes.*
container.customResourceDefinitions.*
container.daemonSets.*
container.deployments.*
container.endpointSlices.*
container.endpoints.*
container.events.*
container.frontendConfigs.*
container.horizontalPodAutoscalers.*
container.hostServiceAgent.use
container.ingresses.*
container.initializerConfigurations.*
container.jobs.*
container.leases.*
container.limitRanges.*
container.localSubjectAccessReviews.*
container.managedCertificates.*
container.mutatingWebhookConfigurations.*
container.namespaces.*
container.networkPolicies.*
container.nodes.*
container.operations.*
container.persistentVolumeClaims.*
container.persistentVolumes.*
container.petSets.*
container.podDisruptionBudgets.*
container.podPresets.*
container.podSecurityPolicies.*
container.podTemplates.*
container.pods.*
container.priorityClasses.*
container.replicaSets.*
container.replicationControllers.*
container.resourceQuotas.*
container.roleBindings.*
container.roles.*
container.runtimeClasses.*
container.scheduledJobs.*
container.secrets.*
container.selfSubjectAccessReviews.*
container.selfSubjectRulesReviews.create
container.serviceAccounts.*
container.services.*
container.statefulSets.*
container.storageClasses.*
container.storageStates.*
container.storageVersionMigrations.*
container.subjectAccessReviews.*
container.thirdPartyObjects.*
container.thirdPartyResources.*
container.tokenReviews.create
container.updateInfos.*
container.validatingWebhookConfigurations.*
container.volumeAttachments.*
container.volumeSnapshotClasses.*
container.volumeSnapshotContents.*
container.volumeSnapshots.*
gkehub.features.get
gkehub.features.getIamPolicy
gkehub.features.list
gkehub.fleet.get
gkehub.fleet.getFreeTrial
gkehub.gateway.*
gkehub.locations.*
gkehub.membershipbindings.get
gkehub.membershipbindings.list
gkehub.memberships.generateConnectManifest
gkehub.memberships.get
gkehub.memberships.getIamPolicy
gkehub.memberships.list
gkehub.namespaces.get
gkehub.namespaces.list
gkehub.operations.get
gkehub.operations.list
gkehub.rbacrolebindings.get
gkehub.rbacrolebindings.list
gkehub.scopes.get
gkehub.scopes.list
gkehub.scopes.listBoundMemberships
logging.logEntries.create
logging.logEntries.route
monitoring.metricDescriptors.create
monitoring.metricDescriptors.get
monitoring.metricDescriptors.list
monitoring.monitoredResourceDescriptors.*
monitoring.timeSeries.create
resourcemanager.projects.get
resourcemanager.projects.list
serviceusage.services.get
serviceusage.services.use
trafficdirector.*
Mesh Data Plane Service Agent
(roles/meshdataplane.serviceAgent)
Run user-space Istio components
cloudtrace.traces.patch
compute.forwardingRules.get
compute.globalForwardingRules.get
logging.logEntries.create
logging.logEntries.route
monitoring.metricDescriptors.create
monitoring.metricDescriptors.get
monitoring.metricDescriptors.list
monitoring.monitoredResourceDescriptors.*
monitoring.timeSeries.create
serviceusage.services.use
Dataproc Metastore Service Agent
(roles/metastore.serviceAgent)
Gives the Dataproc Metastore service account access to managed resources.
compute.addresses.createInternal
compute.addresses.deleteInternal
compute.addresses.get
compute.addresses.use
compute.forwardingRules.create
compute.forwardingRules.delete
compute.forwardingRules.get
compute.forwardingRules.pscCreate
compute.forwardingRules.pscDelete
compute.globalAddresses.createInternal
compute.globalAddresses.deleteInternal
compute.globalAddresses.get
compute.globalAddresses.list
compute.globalOperations.get
compute.globalOperations.list
compute.networks.addPeering
compute.networks.get
compute.networks.removePeering
compute.networks.updatePeering
compute.networks.use
compute.regionOperations.get
compute.subnetworks.get
compute.subnetworks.use
dns.changes.create
dns.changes.get
dns.managedZones.create
dns.managedZones.delete
dns.managedZones.get
dns.managedZones.list
dns.networks.bindPrivateDNSZone
dns.networks.targetWithPeeringZone
dns.resourceRecordSets.*
metastore.databases.get
metastore.databases.setIamPolicy
metastore.databases.update
metastore.services.get
metastore.tables.get
metastore.tables.setIamPolicy
metastore.tables.update
servicedirectory.namespaces.create
servicedirectory.namespaces.delete
servicedirectory.services.create
servicedirectory.services.delete
storage.buckets.create
storage.buckets.delete
storage.buckets.get
storage.buckets.update
storage.objects.create
storage.objects.delete
storage.objects.get
storage.objects.list
storage.objects.update
Migration Center Service Agent
(roles/migrationcenter.serviceAgent)
Gives Migration Center Service Account access to objects stored in object store and Cloud Migration products.
storage.objects.get
vmmigration.migratingVms.create
AI Platform Service Agent
(roles/ml.serviceAgent)
AI Platform service agent can act as log writer, Cloud Storage admin, Artifact Registry Reader, BigQuery writer, and service account access token creator.
Gives privileged access manager service account access to modify IAM policies on GCP projects
resourcemanager.projects.get
resourcemanager.projects.getIamPolicy
resourcemanager.projects.setIamPolicy
Privileged Access Manager Service Agent
(roles/privilegedaccessmanager.serviceAgent)
Gives privileged access manager service account access to modify IAM policies on GCP resources
resourcemanager.folders.get
resourcemanager.folders.getIamPolicy
resourcemanager.folders.setIamPolicy
resourcemanager.organizations.*
resourcemanager.projects.get
resourcemanager.projects.getIamPolicy
resourcemanager.projects.setIamPolicy
Cloud Pub/Sub Service Agent
(roles/pubsub.serviceAgent)
Grants Cloud Pub/Sub Service Account access to manage resources.
iam.serviceAccounts.get
iam.serviceAccounts.getAccessToken
iam.serviceAccounts.getOpenIdToken
iam.serviceAccounts.implicitDelegation
iam.serviceAccounts.list
iam.serviceAccounts.signBlob
iam.serviceAccounts.signJwt
resourcemanager.projects.get
resourcemanager.projects.list
Pub/Sub Lite Service Agent
(roles/pubsublite.serviceAgent)
Grants Pub/Sub Lite Service Agent access to project resources.
pubsub.topics.publish
pubsublite.subscriptions.get
pubsublite.subscriptions.getCursor
pubsublite.subscriptions.setCursor
pubsublite.subscriptions.subscribe
pubsublite.topics.computeHeadCursor
pubsublite.topics.getPartitions
pubsublite.topics.publish
pubsublite.topics.subscribe
RMA Service Agent
(roles/rapidmigrationassessment.serviceAgent)
Gives RMA service account access to MC resources.
autoscaling.sites.writeMetrics
cloudasset.assets.exportResource
cloudasset.feeds.create
logging.logEntries.create
migrationcenter.assets.list
migrationcenter.assets.reportFrames
migrationcenter.importJobs.get
migrationcenter.importJobs.list
migrationcenter.sources.*
monitoring.metricDescriptors.create
monitoring.metricDescriptors.list
monitoring.timeSeries.create
resourcemanager.projects.get
Cloud Memorystore Redis Service Agent
(roles/redis.serviceAgent)
Gives Cloud Memorystore Redis service account access to managed resources.
compute.globalOperations.get
compute.networks.addPeering
compute.networks.get
compute.networks.removePeering
compute.networks.update
compute.projects.get
compute.routes.get
compute.routes.list
compute.subnetworks.get
compute.subnetworks.list
monitoring.metricDescriptors.create
monitoring.metricDescriptors.get
monitoring.metricDescriptors.list
monitoring.monitoredResourceDescriptors.*
monitoring.timeSeries.create
resourcemanager.projects.get
resourcemanager.projects.list
Remote Build Execution Service Agent
(roles/remotebuildexecution.serviceAgent)
Gives Remote Build Execution service account access to managed resources.
remotebuildexecution.actions.update
remotebuildexecution.blobs.*
remotebuildexecution.botsessions.*
remotebuildexecution.logstreams.create
remotebuildexecution.logstreams.update
Retail Service Agent
(roles/retail.serviceAgent)
Retail service uploads product feeds and user events from Cloud Storage and BigQuery, reports results to the customer Cloud Storage bucket, writes logs to customer projects, and writes and reads Google Cloud Observability metrics for customer projects.
bigquery.datasets.create
bigquery.datasets.get
bigquery.jobs.create
bigquery.jobs.get
bigquery.jobs.list
bigquery.jobs.update
bigquery.tables.create
bigquery.tables.export
bigquery.tables.get
bigquery.tables.getData
bigquery.tables.list
bigquery.tables.update
bigquery.tables.updateData
cloudnotifications.activities.list
dataflow.jobs.*
dataflow.messages.list
dataflow.metrics.get
logging.logEntries.create
logging.logEntries.route
monitoring.alertPolicies.get
monitoring.alertPolicies.list
monitoring.dashboards.get
monitoring.dashboards.list
monitoring.groups.get
monitoring.groups.list
monitoring.metricDescriptors.create
monitoring.metricDescriptors.get
monitoring.metricDescriptors.list
monitoring.monitoredResourceDescriptors.*
monitoring.notificationChannelDescriptors.*
monitoring.notificationChannels.get
monitoring.notificationChannels.list
monitoring.publicWidgets.get
monitoring.publicWidgets.list
monitoring.services.get
monitoring.services.list
monitoring.slos.get
monitoring.slos.list
monitoring.snoozes.get
monitoring.snoozes.list
monitoring.timeSeries.*
monitoring.uptimeCheckConfigs.get
monitoring.uptimeCheckConfigs.list
opsconfigmonitoring.resourceMetadata.list
resourcemanager.projects.get
resourcemanager.projects.list
stackdriver.projects.get
stackdriver.resourceMetadata.list
storage.buckets.create
storage.buckets.get
storage.objects.create
storage.objects.delete
storage.objects.get
storage.objects.list
storage.objects.update
Risk Manager Service Agent
(roles/riskmanager.serviceAgent)
Service agent that grants the Risk Manager service access to fetch findings for generating reports.
Give the Service Directory service agent access to Cloud Platform resources.
container.clusters.get
gkehub.features.get
gkehub.locations.*
gkehub.memberships.get
gkehub.memberships.list
resourcemanager.projects.get
resourcemanager.projects.list
servicedirectory.endpoints.create
servicedirectory.endpoints.delete
servicedirectory.endpoints.get
servicedirectory.endpoints.getIamPolicy
servicedirectory.endpoints.list
servicedirectory.endpoints.update
servicedirectory.locations.*
servicedirectory.namespaces.associatePrivateZone
servicedirectory.namespaces.create
servicedirectory.namespaces.delete
servicedirectory.namespaces.get
servicedirectory.namespaces.getIamPolicy
servicedirectory.namespaces.list
servicedirectory.namespaces.update
servicedirectory.networks.attach
servicedirectory.services.bind
servicedirectory.services.create
servicedirectory.services.delete
servicedirectory.services.get
servicedirectory.services.getIamPolicy
servicedirectory.services.list
servicedirectory.services.resolve
servicedirectory.services.update
Service Networking Service Agent
(roles/servicenetworking.serviceAgent)
Gives permission to manage network configuration, such as establishing network peering, necessary for service producers
compute.globalAddresses.get
compute.globalAddresses.list
compute.globalOperations.get
compute.networks.addPeering
compute.networks.create
compute.networks.delete
compute.networks.get
compute.networks.list
compute.networks.listPeeringRoutes
compute.networks.removePeering
compute.networks.update
compute.networks.updatePeering
compute.networks.updatePolicy
compute.projects.get
compute.regionOperations.get
compute.routers.get
compute.routers.list
compute.routes.list
compute.subnetworks.create
compute.subnetworks.delete
compute.subnetworks.get
compute.subnetworks.list
dns.changes.*
dns.dnsKeys.*
dns.gkeClusters.*
dns.managedZoneOperations.*
dns.managedZones.create
dns.managedZones.delete
dns.managedZones.get
dns.managedZones.getIamPolicy
dns.managedZones.list
dns.managedZones.update
dns.networks.*
dns.policies.create
dns.policies.delete
dns.policies.get
dns.policies.getIamPolicy
dns.policies.list
dns.policies.update
dns.projects.get
dns.resourceRecordSets.*
dns.responsePolicies.*
dns.responsePolicyRules.*
resourcemanager.projects.get
resourcemanager.projects.list
Cloud Source Repositories Service Agent
(roles/sourcerepo.serviceAgent)
Allow Cloud Source Repositories to integrate with other Cloud services.
iam.serviceAccounts.getAccessToken
pubsub.topics.publish
Cloud Spanner API Service Agent
(roles/spanner.serviceAgent)
Cloud Spanner API Service Agent
aiplatform.endpoints.get
aiplatform.endpoints.list
aiplatform.endpoints.predict
aiplatform.models.get
aiplatform.models.list
Cloud Speech-to-Text Service Agent
(roles/speech.serviceAgent)
Gives Speech-to-Text service account access to Cloud Storage resources.
storage.buckets.get
storage.buckets.list
storage.objects.create
storage.objects.get
storage.objects.list
storage.objects.update
StorageInsights Service Agent
(roles/storageinsights.serviceAgent)
Permissions for Insights to write reports into customer project
bigquery.datasets.create
serviceusage.services.use
storageinsights.reportDetails.list
Storage Transfer Service Agent
(roles/storagetransfer.serviceAgent)
Grants Storage Transfer Service Agent permissions required to run transfers
pubsub.subscriptions.consume
pubsub.subscriptions.create
pubsub.subscriptions.delete
pubsub.subscriptions.get
pubsub.subscriptions.update
pubsub.topics.attachSubscription
pubsub.topics.create
pubsub.topics.delete
pubsub.topics.get
pubsub.topics.publish
pubsub.topics.update
Stream Service Agent
(roles/stream.serviceAgent)
Gives Immersive Stream for XR access to the required resources.
resourcemanager.projects.get
resourcemanager.projects.list
storage.buckets.create
storage.buckets.get
storage.objects.create
storage.objects.get
storage.objects.list
Cloud TPU API Service Agent
(roles/tpu.serviceAgent)
Gives the Cloud TPU service account access to managed resources.
compute.globalOperations.get
compute.networks.addPeering
compute.networks.get
compute.networks.removePeering
compute.networks.update
compute.routes.get
compute.routes.list
compute.subnetworks.get
compute.subnetworks.list
compute.zones.*
monitoring.metricDescriptors.create
monitoring.metricDescriptors.get
monitoring.metricDescriptors.list
monitoring.monitoredResourceDescriptors.*
monitoring.timeSeries.create
resourcemanager.projects.get
resourcemanager.projects.list
Transcoder Service Agent
(roles/transcoder.serviceAgent)
Downloads and uploads media files from and to customer Cloud Storage buckets. Publishes status updates to customer Pub/Sub.
pubsub.topics.publish
storage.objects.create
storage.objects.delete
storage.objects.get
transcoder.jobs.delete
Cloud Vision AI Service Agent
(roles/visionai.serviceAgent)
Grants Cloud Vision AI service account permissions to manage resources in consumer project
aiplatform.models.export
aiplatform.models.get
bigquery.datasets.create
bigquery.datasets.get
bigquery.jobs.create
bigquery.jobs.get
bigquery.models.export
bigquery.readsessions.create
bigquery.tables.create
bigquery.tables.export
bigquery.tables.get
bigquery.tables.getData
bigquery.tables.update
bigquery.tables.updateData
bigtable.tables.get
bigtable.tables.list
bigtable.tables.readRows
cloudfunctions.functions.get
cloudfunctions.functions.invoke
cloudfunctions.functions.list
compute.machineTypes.get
logging.logEntries.create
monitoring.metricDescriptors.create
monitoring.metricDescriptors.get
monitoring.metricDescriptors.list
monitoring.monitoredResourceDescriptors.*
monitoring.timeSeries.create
pubsub.subscriptions.consume
pubsub.subscriptions.create
pubsub.subscriptions.delete
pubsub.subscriptions.get
pubsub.subscriptions.list
pubsub.subscriptions.update
pubsub.topics.attachSubscription
pubsub.topics.create
pubsub.topics.delete
pubsub.topics.get
pubsub.topics.list
pubsub.topics.publish
pubsub.topics.update
run.jobs.run
run.routes.invoke
serviceusage.services.use
storage.buckets.create
storage.buckets.delete
storage.buckets.get
storage.buckets.list
storage.objects.create
storage.objects.delete
storage.objects.get
storage.objects.list
storage.objects.update
visionai.analyses.create
visionai.analyses.delete
visionai.analyses.get
visionai.analyses.list
visionai.analyses.update
visionai.annotations.*
visionai.applications.*
visionai.assets.*
visionai.clusters.create
visionai.clusters.delete
visionai.clusters.get
visionai.clusters.list
visionai.clusters.update
visionai.clusters.watch
visionai.corpora.*
visionai.dataSchemas.*
visionai.drafts.*
visionai.events.create
visionai.events.delete
visionai.events.get
visionai.events.list
visionai.events.update
visionai.indexEndpoints.*
visionai.indexes.*
visionai.instances.*
visionai.operations.get
visionai.operations.list
visionai.operators.create
visionai.operators.delete
visionai.operators.get
visionai.operators.list
visionai.operators.update
visionai.processors.create
visionai.processors.delete
visionai.processors.get
visionai.processors.list
visionai.processors.update
visionai.searchConfigs.*
visionai.series.acquireLease
visionai.series.create
visionai.series.delete
visionai.series.get
visionai.series.list
visionai.series.receive
visionai.series.releaseLease
visionai.series.renewLease
visionai.series.send
visionai.series.update
visionai.streams.create
visionai.streams.delete
visionai.streams.get
visionai.streams.list
visionai.streams.receive
visionai.streams.send
visionai.streams.update
visionai.uistreams.*
Visual Inspection AI Service Agent
(roles/visualinspection.serviceAgent)
Grants Visual Inspection AI Service Agent admin roles for accessing/exporting training data, pushing container artifacts to GCR and Artifact Registry, and Vertex AI for storing data and running training jobs.
Full control of Google Service Management resources.
monitoring.timeSeries.list
resourcemanager.folders.get
resourcemanager.folders.list
resourcemanager.organizations.get
resourcemanager.projects.get
resourcemanager.projects.list
serviceconsumermanagement.*
servicemanagement.*
serviceusage.quotas.get
serviceusage.services.get
Service Config Editor
(roles/servicemanagement.configEditor)
Access to update the service config and create rollouts.
servicemanagement.services.get
servicemanagement.services.update
Quota Administrator
Beta
(roles/servicemanagement.quotaAdmin)
Provides access to administer service quotas.
Lowest-level resources where you can grant this role:
Project
cloudquotas.*
monitoring.alertPolicies.*
monitoring.timeSeries.list
resourcemanager.organizations.get
resourcemanager.projects.get
resourcemanager.projects.list
serviceusage.quotas.*
serviceusage.services.disable
serviceusage.services.enable
serviceusage.services.get
serviceusage.services.list
Quota Viewer
Beta
(roles/servicemanagement.quotaViewer)
Provides access to view service quotas.
Lowest-level resources where you can grant this role:
Project
cloudquotas.quotas.get
monitoring.timeSeries.list
serviceusage.quotas.get
serviceusage.services.get
serviceusage.services.list
Service Reporter
(roles/servicemanagement.reporter)
Can report usage of a service during runtime.
servicemanagement.services.report
Service Consumer
(roles/servicemanagement.serviceConsumer)
Can enable the service.
servicemanagement.services.bind
Service Controller
(roles/servicemanagement.serviceController)
Can check preconditions and report usage of a service during runtime.
Lowest-level resources where you can grant this role:
Project
servicemanagement.services.check
servicemanagement.services.get
servicemanagement.services.quota
servicemanagement.services.report
Service Networking roles
Permissions
Service Networking Admin
Beta
(roles/servicenetworking.networksAdmin)
Full control of service networking with projects.
servicenetworking.*
Service Usage roles
Permissions
API Keys Admin
(roles/serviceusage.apiKeysAdmin)
Ability to create, delete, update, get and list API keys for a project.
apikeys.*
serviceusage.apiKeys.*
serviceusage.operations.get
API Keys Viewer
(roles/serviceusage.apiKeysViewer)
Ability to get and list API keys for a project.
apikeys.keys.get
apikeys.keys.getKeyString
apikeys.keys.list
apikeys.keys.lookup
Service Usage Admin
(roles/serviceusage.serviceUsageAdmin)
Ability to enable, disable, and inspect service states, inspect operations, and consume quota and billing for a consumer project.
monitoring.timeSeries.list
serviceusage.operations.*
serviceusage.quotas.*
serviceusage.services.*
Service Usage Consumer
(roles/serviceusage.serviceUsageConsumer)
Ability to inspect service states and operations, and consume quota and billing for a consumer project.
monitoring.timeSeries.list
serviceusage.operations.get
serviceusage.operations.list
serviceusage.quotas.get
serviceusage.services.get
serviceusage.services.list
serviceusage.services.use
Service Usage Viewer
(roles/serviceusage.serviceUsageViewer)
Ability to inspect service states and operations for a consumer project.
monitoring.timeSeries.list
serviceusage.operations.get
serviceusage.operations.list
serviceusage.quotas.get
serviceusage.services.get
serviceusage.services.list
Source roles
Permissions
Source Repository Administrator
(roles/source.admin)
Provides permissions to create, update, delete, list, clone, fetch, and
browse repositories. Also provides permissions to read and change IAM
policies.
Lowest-level resources where you can grant this role:
Repository
source.*
Source Repository Reader
(roles/source.reader)
Provides permissions to list, clone, fetch, and browse repositories.
Lowest-level resources where you can grant this role:
Repository
source.repos.get
source.repos.list
Source Repository Writer
(roles/source.writer)
Provides permissions to list, clone, fetch, browse, and update
repositories.
Lowest-level resources where you can grant this role:
Repository
source.repos.get
source.repos.list
source.repos.update
Stackdriver roles
Permissions
Stackdriver Accounts Editor
(roles/stackdriver.accounts.editor)
Read/write access to manage Stackdriver account structure.
resourcemanager.projects.get
resourcemanager.projects.list
serviceusage.services.enable
serviceusage.services.get
stackdriver.projects.*
Stackdriver Accounts Viewer
(roles/stackdriver.accounts.viewer)
Read-only access to get and list information about Stackdriver account structure.
resourcemanager.projects.get
resourcemanager.projects.list
stackdriver.projects.get
Stackdriver Resource Metadata Writer
Beta
(roles/stackdriver.resourceMetadata.writer)
Write-only access to resource metadata. This provides exactly the permissions needed by the Stackdriver metadata agent and other systems that send metadata.
stackdriver.resourceMetadata.write
Stream roles
Permissions
Stream Admin
(roles/stream.admin)
Full access to all Stream resources.
resourcemanager.projects.get
resourcemanager.projects.list
stream.*
Stream Content Admin
(roles/stream.contentAdmin)
Full access to all StreamContent resources.
resourcemanager.projects.get
resourcemanager.projects.list
stream.streamContents.*
Stream Content Builder
(roles/stream.contentBuilder)
Read and build access to StreamContent resources.
resourcemanager.projects.get
resourcemanager.projects.list
stream.streamContents.build
stream.streamContents.get
stream.streamContents.list
Stream Instance Admin
(roles/stream.instanceAdmin)
Full access to all StreamInstance resources and Read access to all StreamContent resources.
resourcemanager.projects.get
resourcemanager.projects.list
stream.streamContents.get
stream.streamContents.list
stream.streamInstances.*
Stream Viewer
(roles/stream.viewer)
Read-only access to all Stream resources.
resourcemanager.projects.get
resourcemanager.projects.list
stream.locations.*
stream.operations.get
stream.operations.list
stream.streamContents.get
stream.streamContents.list
stream.streamInstances.get
stream.streamInstances.list
Support roles
Permissions
Support Account Administrator
(roles/cloudsupport.admin)
Allows management of a support account without giving access to support cases.
See the Cloud Support documentation for more information.
Lowest-level resources where you can grant this role:
Organization
cloudsupport.accounts.*
cloudsupport.operations.get
cloudsupport.properties.get
resourcemanager.organizations.get
Tech Support Editor
(roles/cloudsupport.techSupportEditor)
Full read-write access to technical support cases (applicable for GCP Customer Care and Maps support). See the Cloud Support documentation for more information.
cloudasset.assets.searchAllResources
cloudsupport.properties.get
cloudsupport.techCases.*
resourcemanager.projects.get
resourcemanager.projects.list
Tech Support Viewer
(roles/cloudsupport.techSupportViewer)
Read-only access to technical support cases (applicable for GCP Customer Care and Maps support).
See the Cloud Support documentation for more information.
cloudsupport.properties.get
cloudsupport.techCases.get
cloudsupport.techCases.list
resourcemanager.projects.get
resourcemanager.projects.list
Support Account Viewer
(roles/cloudsupport.viewer)
Read-only access to details of a support account. This does not allow viewing cases.
See the Cloud Support documentation for more information.
Lowest-level resources where you can grant this role: