Understanding roles

When an identity calls a Google Cloud API, Cloud Identity and Access Management requires that the identity has the appropriate permissions to use the resource. You can grant permissions by granting roles to a user, a group, or a service account.

This page describes the Cloud IAM roles that you can grant to identities to access Cloud Platform resources.

Prerequisite for this guide

Role types

There are three types of roles in Cloud IAM:

  • Primitive roles, which include the Owner, Editor, and Viewer roles that existed prior to the introduction of Cloud IAM
  • Predefined roles, which provide granular access for a specific service and are managed by Google Cloud
  • Custom roles, which provide granular access according to a user-specified list of permissions

To determine if one or more permissions are included in a primitive, predefined, or custom role, you can use one of the following methods:

The sections below describe each role type and provide examples of how to use them.

Primitive roles

There are three roles that existed prior to the introduction of Cloud IAM: Owner, Editor, and Viewer. These roles are concentric; that is, the Owner role includes the permissions in the Editor role, and the Editor role includes the permissions in the Viewer role.

The following table summarizes the permissions that the primitive roles include across all Google Cloud services:

Primitive role definitions

Name Title Permissions
roles/viewer Viewer Permissions for read-only actions that do not affect state, such as viewing (but not modifying) existing resources or data.
roles/editor Editor All viewer permissions, plus permissions for actions that modify state, such as changing existing resources.
Note: While the roles/editor role contains permissions to create and delete resources for most Google Cloud services, some services do not include these permissions. See the section above for more information on how to check if a role has the permissions that you need.
roles/owner Owner All editor permissions and permissions for the following actions:
  • Manage roles and permissions for a project and all resources within the project.
  • Set up billing for a project.
Note:
  • Granting the owner role at a resource-level, such as a Pub/Sub topic, doesn't grant the owner role on the parent project.
  • The owner role doesn't contain any permission for the Organization resource. Therefore, granting the owner role at the organization-level doesn't allow you to update the organization's metadata. However, it allows you to modify projects under that organization.

You can apply primitive roles at the project or service resource levels by using Cloud Console, the API and the gcloud command-line tool.

Invitation flow

You cannot grant the owner role to a member for a project using the Cloud IAM API or the gcloud command-line tool. You can only add owners to a project using the Cloud Console. An invitation will be sent to the member via email and the member must accept the invitation to be made an owner of the project.

Note that invitation emails aren't sent in the following cases:

  • when you're granting a role other than the owner.
  • when an organization member adds another member of their organization as an owner of a project within that organization.

Predefined roles

In addition to the primitive roles, Cloud IAM provides additional predefined roles that give granular access to specific Google Cloud Platform resources and prevent unwanted access to other resources.

The following table lists these roles, their description, and the lowest-level resource type where the roles can be set. A particular role can be granted to this resource type, or in most cases any type above it in the Google Cloud hierarchy. You can grant multiple roles to the same user. For example, the same user can have Network Admin and Log Viewer roles on a project and also have a Publisher role for a Pub/Sub topic within that project. For a list of the permissions contained in a role, see Getting the role metadata.

Access Approval roles

Role Title Description Permissions Lowest Resource
roles/
accessapproval.approver
Access Approval Approver Beta Ability to view or act on access approval requests and view configuration accessapproval.requests.*
accessapproval.settings.get
resourcemanager.projects.get
resourcemanager.projects.list
roles/
accessapproval.configEditor
Access Approval Config Editor Beta Ability update the Access Approval configuration accessapproval.settings.*
resourcemanager.projects.get
resourcemanager.projects.list
roles/
accessapproval.viewer
Access Approval Viewer Beta Ability to view access approval requests and configuration accessapproval.requests.get
accessapproval.requests.list
accessapproval.settings.get
resourcemanager.projects.get
resourcemanager.projects.list

Access Context Manager roles

Role Title Description Permissions Lowest Resource
roles/
accesscontextmanager.policyAdmin
Access Context Manager Admin Full access to policies, access levels, and access zones accesscontextmanager.*
resourcemanager.organizations.get
resourcemanager.projects.get
resourcemanager.projects.list
roles/
accesscontextmanager.policyEditor
Access Context Manager Editor Edit access to policies. Create, edit, and change access levels and access zones. accesscontextmanager.accessLevels.*
accesscontextmanager.accessPolicies.create
accesscontextmanager.accessPolicies.delete
accesscontextmanager.accessPolicies.get
accesscontextmanager.accessPolicies.getIamPolicy
accesscontextmanager.accessPolicies.list
accesscontextmanager.accessPolicies.update
accesscontextmanager.accessZones.*
accesscontextmanager.policies.create
accesscontextmanager.policies.delete
accesscontextmanager.policies.get
accesscontextmanager.policies.getIamPolicy
accesscontextmanager.policies.list
accesscontextmanager.policies.update
accesscontextmanager.servicePerimeters.*
resourcemanager.organizations.get
resourcemanager.projects.get
resourcemanager.projects.list
roles/
accesscontextmanager.policyReader
Access Context Manager Reader Read access to policies, access levels, and access zones. accesscontextmanager.accessLevels.get
accesscontextmanager.accessLevels.list
accesscontextmanager.accessPolicies.get
accesscontextmanager.accessPolicies.getIamPolicy
accesscontextmanager.accessPolicies.list
accesscontextmanager.accessZones.get
accesscontextmanager.accessZones.list
accesscontextmanager.policies.get
accesscontextmanager.policies.getIamPolicy
accesscontextmanager.policies.list
accesscontextmanager.servicePerimeters.get
accesscontextmanager.servicePerimeters.list
resourcemanager.organizations.get
resourcemanager.projects.get
resourcemanager.projects.list

Actions roles

Role Title Description Permissions Lowest Resource
roles/
actions.Admin
Actions Admin Access to edit and deploy an action actions.*
firebase.projects.get
firebase.projects.update
resourcemanager.projects.get
resourcemanager.projects.list
roles/
actions.Viewer
Actions Viewer Access to view an action actions.agent.get
actions.agentVersions.get
actions.agentVersions.list
firebase.projects.get
resourcemanager.projects.get
resourcemanager.projects.list

Android Management roles

Role Title Description Permissions Lowest Resource
roles/
androidmanagement.user
Android Management User Full access to manage devices. androidmanagement.*
serviceusage.quotas.get
serviceusage.services.get
serviceusage.services.list

Apigee roles

Role Title Description Permissions Lowest Resource
roles/
apigee.admin
Apigee Organization Admin Beta Full access to all apigee resource features apigee.*
resourcemanager.projects.get
resourcemanager.projects.getIamPolicy
resourcemanager.projects.list
roles/
apigee.analyticsAgent
Apigee Analytics Agent Beta Curated set of permissions for Apigee Universal Data Collection Agent to manage analytics for an Apigee Organization apigee.environments.getDataLocation
roles/
apigee.analyticsEditor
Apigee Analytics Editor Beta Analytics editor for an Apigee Organization apigee.environments.get
apigee.environments.getStats
apigee.organizations.get
apigee.organizations.list
apigee.queries.*
apigee.reports.*
resourcemanager.projects.get
resourcemanager.projects.list
roles/
apigee.analyticsViewer
Apigee Analytics Viewer Beta Analytics viewer for an Apigee Organization apigee.environments.getStats
apigee.organizations.get
apigee.organizations.list
resourcemanager.projects.get
resourcemanager.projects.list
roles/
apigee.apiCreator
Apigee API Creator Beta Creator of apigee resources apigee.apiproductattributes.get
apigee.apiproductattributes.list
apigee.apiproducts.get
apigee.apiproducts.list
apigee.apps.*
apigee.environments.get
apigee.environments.getStats
apigee.environments.list
apigee.keyvaluemaps.*
apigee.organizations.get
apigee.organizations.list
apigee.proxies.*
apigee.proxyrevisions.delete
apigee.proxyrevisions.get
apigee.proxyrevisions.list
apigee.proxyrevisions.update
apigee.sharedflowrevisions.*
apigee.sharedflows.*
apigee.tracesessions.*
resourcemanager.projects.get
resourcemanager.projects.list
roles/
apigee.deployer
Apigee Deployer Beta Deployer of apigee resources apigee.apiproductattributes.get
apigee.apiproductattributes.list
apigee.apiproducts.get
apigee.apiproducts.list
apigee.apps.*
apigee.deployments.*
apigee.environments.get
apigee.environments.getIamPolicy
apigee.environments.getStats
apigee.environments.list
apigee.environments.setIamPolicy
apigee.flowhooks.*
apigee.keystorealiases.*
apigee.keystores.*
apigee.keyvaluemaps.*
apigee.maskconfigs.*
apigee.organizations.get
apigee.organizations.list
apigee.proxies.get
apigee.proxies.list
apigee.proxyrevisions.deploy
apigee.proxyrevisions.get
apigee.proxyrevisions.list
apigee.proxyrevisions.undeploy
apigee.references.*
apigee.resourcefiles.*
apigee.sharedflowrevisions.*
apigee.sharedflows.*
apigee.targetservers.*
apigee.tracesessions.*
resourcemanager.projects.get
resourcemanager.projects.getIamPolicy
resourcemanager.projects.list
roles/
apigee.developerAdmin
Apigee Developer Admin Beta Developer admin of apigee resources apigee.apiproductattributes.get
apigee.apiproductattributes.list
apigee.apiproducts.get
apigee.apiproducts.list
apigee.appkeys.*
apigee.developerappattributes.*
apigee.developerapps.*
apigee.developerattributes.*
apigee.developers.*
apigee.environments.get
apigee.environments.getStats
apigee.organizations.get
apigee.organizations.list
resourcemanager.projects.get
resourcemanager.projects.getIamPolicy
resourcemanager.projects.list
roles/
apigee.readOnlyAdmin
Apigee Read-only Admin Beta Viewer of all apigee resources apigee.apiproductattributes.get
apigee.apiproductattributes.list
apigee.apiproducts.get
apigee.apiproducts.list
apigee.appkeys.get
apigee.apps.*
apigee.deployments.get
apigee.deployments.list
apigee.developerappattributes.get
apigee.developerappattributes.list
apigee.developerapps.get
apigee.developerapps.list
apigee.developerattributes.get
apigee.developerattributes.list
apigee.developers.get
apigee.developers.list
apigee.environments.get
apigee.environments.getDataLocation
apigee.environments.getIamPolicy
apigee.environments.getStats
apigee.environments.list
apigee.flowhooks.getSharedFlow
apigee.flowhooks.list
apigee.keystorealiases.get
apigee.keystorealiases.list
apigee.keystores.get
apigee.keystores.list
apigee.keyvaluemaps.list
apigee.maskconfigs.get
apigee.organizations.get
apigee.organizations.list
apigee.proxies.get
apigee.proxies.list
apigee.proxyrevisions.get
apigee.proxyrevisions.list
apigee.queries.get
apigee.queries.list
apigee.references.get
apigee.references.list
apigee.reports.get
apigee.reports.list
apigee.resourcefiles.get
apigee.resourcefiles.list
apigee.sharedflowrevisions.get
apigee.sharedflowrevisions.list
apigee.sharedflows.get
apigee.sharedflows.list
apigee.targetservers.get
apigee.targetservers.list
apigee.tracesessions.get
apigee.tracesessions.list
resourcemanager.projects.get
resourcemanager.projects.getIamPolicy
resourcemanager.projects.list
roles/
apigee.synchronizerManager
Apigee Synchronizer Manager Beta Curated set of permissions for a Synchronizer to manage environments in an Apigee Organization apigee.environments.get
apigee.environments.manageRuntime

App Engine roles

Role Title Description Permissions Lowest Resource
roles/
appengine.appAdmin
App Engine Admin Read/Write/Modify access to all application configuration and settings. appengine.applications.get
appengine.applications.update
appengine.instances.*
appengine.operations.*
appengine.runtimes.*
appengine.services.*
appengine.versions.create
appengine.versions.delete
appengine.versions.get
appengine.versions.list
appengine.versions.update
resourcemanager.projects.get
resourcemanager.projects.list
Project
roles/
appengine.appViewer
App Engine Viewer Read-only access to all application configuration and settings. appengine.applications.get
appengine.instances.get
appengine.instances.list
appengine.operations.*
appengine.services.get
appengine.services.list
appengine.versions.get
appengine.versions.list
resourcemanager.projects.get
resourcemanager.projects.list
Project
roles/
appengine.codeViewer
App Engine Code Viewer Read-only access to all application configuration, settings, and deployed source code. appengine.applications.get
appengine.instances.get
appengine.instances.list
appengine.operations.*
appengine.services.get
appengine.services.list
appengine.versions.get
appengine.versions.getFileContents
appengine.versions.list
resourcemanager.projects.get
resourcemanager.projects.list
Project
roles/
appengine.deployer
App Engine Deployer Read-only access to all application configuration and settings.

Write access only to create a new version; cannot modify existing versions other than deleting versions that are not receiving traffic.

Note: The App Engine Deployer (roles/appengine.deployer) role alone grants adequate permission to deploy using the App Engine Admin API. To use other App Engine tooling, like gcloud commands, you must also have the Compute Storage Admin (roles/compute.storageAdmin) and Cloud Build Editor (cloudbuild.builds.editor) roles.
appengine.applications.get
appengine.instances.get
appengine.instances.list
appengine.operations.*
appengine.services.get
appengine.services.list
appengine.versions.create
appengine.versions.delete
appengine.versions.get
appengine.versions.list
resourcemanager.projects.get
resourcemanager.projects.list
Project
roles/
appengine.serviceAdmin
App Engine Service Admin Read-only access to all application configuration and settings.
Write access to module-level and version-level settings. Cannot deploy a new version.
appengine.applications.get
appengine.instances.*
appengine.operations.*
appengine.services.*
appengine.versions.delete
appengine.versions.get
appengine.versions.list
appengine.versions.update
resourcemanager.projects.get
resourcemanager.projects.list
Project

AutoML roles

Role Title Description Permissions Lowest Resource
roles/
automl.admin
AutoML Admin Beta Full access to all AutoML resources automl.*
resourcemanager.projects.get
resourcemanager.projects.list
serviceusage.services.list
roles/
automl.editor
AutoML Editor Beta Editor of all AutoML resources automl.annotationSpecs.*
automl.annotations.*
automl.columnSpecs.*
automl.datasets.create
automl.datasets.delete
automl.datasets.export
automl.datasets.get
automl.datasets.import
automl.datasets.list
automl.datasets.update
automl.examples.*
automl.humanAnnotationTasks.*
automl.locations.get
automl.locations.list
automl.modelEvaluations.*
automl.models.create
automl.models.delete
automl.models.deploy
automl.models.export
automl.models.get
automl.models.list
automl.models.predict
automl.models.undeploy
automl.operations.*
automl.tableSpecs.*
resourcemanager.projects.get
resourcemanager.projects.list
serviceusage.services.list
roles/
automl.predictor
AutoML Predictor Beta Predict using models automl.models.predict
resourcemanager.projects.get
resourcemanager.projects.list
roles/
automl.viewer
AutoML Viewer Beta Viewer of all AutoML resources automl.annotationSpecs.get
automl.annotationSpecs.list
automl.annotations.list
automl.columnSpecs.get
automl.columnSpecs.list
automl.datasets.get
automl.datasets.list
automl.examples.get
automl.examples.list
automl.humanAnnotationTasks.get
automl.humanAnnotationTasks.list
automl.locations.get
automl.locations.list
automl.modelEvaluations.get
automl.modelEvaluations.list
automl.models.get
automl.models.list
automl.operations.get
automl.operations.list
automl.tableSpecs.get
automl.tableSpecs.list
resourcemanager.projects.get
resourcemanager.projects.list
serviceusage.services.list

BigQuery roles

Role Title Description Permissions Lowest Resource
roles/
bigquery.admin
BigQuery Admin Provides permissions to manage all resources within the project. Can manage all data within the project, and can cancel jobs from other users running within the project. bigquery.*
resourcemanager.projects.get
resourcemanager.projects.list
Project
roles/
bigquery.connectionAdmin
BigQuery Connection Admin Beta bigquery.connections.*
roles/
bigquery.connectionUser
BigQuery Connection User Beta bigquery.connections.get
bigquery.connections.getIamPolicy
bigquery.connections.list
bigquery.connections.use
roles/
bigquery.dataEditor
BigQuery Data Editor

When applied to a dataset, dataEditor provides permissions to:

  • Read the dataset's metadata and to list tables in the dataset.
  • Create, update, get, and delete the dataset's tables.

When applied at the project or organization level, this role can also create new datasets.

bigquery.datasets.create
bigquery.datasets.get
bigquery.datasets.getIamPolicy
bigquery.datasets.updateTag
bigquery.models.*
bigquery.routines.*
bigquery.tables.create
bigquery.tables.delete
bigquery.tables.export
bigquery.tables.get
bigquery.tables.getData
bigquery.tables.list
bigquery.tables.update
bigquery.tables.updateData
bigquery.tables.updateTag
resourcemanager.projects.get
resourcemanager.projects.list
Dataset
roles/
bigquery.dataOwner
BigQuery Data Owner

When applied to a dataset, dataOwner provides permissions to:

  • Read, update, and delete the dataset.
  • Create, update, get, and delete the dataset's tables.

When applied at the project or organization level, this role can also create new datasets.

bigquery.datasets.*
bigquery.models.*
bigquery.routines.*
bigquery.tables.*
resourcemanager.projects.get
resourcemanager.projects.list
Dataset
roles/
bigquery.dataViewer
BigQuery Data Viewer

When applied to a dataset, dataViewer provides permissions to:

  • Read the dataset's metadata and to list tables in the dataset.
  • Read data and metadata from the dataset's tables.

When applied at the project or organization level, this role can also enumerate all datasets in the project. Additional roles, however, are necessary to allow the running of jobs.

bigquery.datasets.get
bigquery.datasets.getIamPolicy
bigquery.models.getData
bigquery.models.getMetadata
bigquery.models.list
bigquery.routines.get
bigquery.routines.list
bigquery.tables.export
bigquery.tables.get
bigquery.tables.getData
bigquery.tables.list
resourcemanager.projects.get
resourcemanager.projects.list
Dataset
roles/
bigquery.jobUser
BigQuery Job User Provides permissions to run jobs, including queries, within the project. This role can check the existence of all jobs, enumerate their own jobs, and cancel their own jobs. bigquery.jobs.create
resourcemanager.projects.get
resourcemanager.projects.list
Project
roles/
bigquery.metadataViewer
BigQuery Metadata Viewer

When applied at the project or organization level, metadataViewer provides permissions to:

  • List all datasets and read metadata for all datasets in the project.
  • List all tables and views and read metadata for all tables and views in the project.

Additional roles are necessary to allow the running of jobs.

bigquery.datasets.get
bigquery.datasets.getIamPolicy
bigquery.models.getMetadata
bigquery.models.list
bigquery.routines.get
bigquery.routines.list
bigquery.tables.get
bigquery.tables.list
resourcemanager.projects.get
resourcemanager.projects.list
Project
roles/
bigquery.readSessionUser
BigQuery Read Session User Beta Access to create and use read sessions bigquery.readsessions.*
resourcemanager.projects.get
resourcemanager.projects.list
roles/
bigquery.user
BigQuery User Provides permissions to run jobs, including queries, within the project. The user role can enumerate their own jobs, cancel their own jobs, and enumerate datasets within a project. Additionally, allows the creation of new datasets within the project; the creator is granted the bigquery.dataOwner role for these new datasets. bigquery.config.get
bigquery.datasets.create
bigquery.datasets.get
bigquery.datasets.getIamPolicy
bigquery.jobs.create
bigquery.jobs.list
bigquery.models.list
bigquery.readsessions.*
bigquery.routines.list
bigquery.savedqueries.get
bigquery.savedqueries.list
bigquery.tables.list
bigquery.transfers.get
resourcemanager.projects.get
resourcemanager.projects.list
Project

Cloud Bigtable roles

Role Title Description Permissions Lowest Resource
roles/
bigtable.admin
Bigtable Administrator Administers all instances within a project, including the data stored within tables. Can create new instances. Intended for project administrators. bigtable.*
monitoring.metricDescriptors.get
monitoring.metricDescriptors.list
monitoring.timeSeries.list
resourcemanager.projects.get
Instance
roles/
bigtable.reader
Bigtable Reader Provides read-only access to the data stored within tables. Intended for data scientists, dashboard generators, and other data-analysis scenarios. bigtable.appProfiles.get
bigtable.appProfiles.list
bigtable.clusters.get
bigtable.clusters.list
bigtable.instances.get
bigtable.instances.list
bigtable.locations.*
bigtable.tables.checkConsistency
bigtable.tables.generateConsistencyToken
bigtable.tables.get
bigtable.tables.list
bigtable.tables.readRows
bigtable.tables.sampleRowKeys
monitoring.metricDescriptors.get
monitoring.metricDescriptors.list
monitoring.timeSeries.list
resourcemanager.projects.get
Instance
roles/
bigtable.user
Bigtable User Provides read-write access to the data stored within tables. Intended for application developers or service accounts. bigtable.appProfiles.get
bigtable.appProfiles.list
bigtable.clusters.get
bigtable.clusters.list
bigtable.instances.get
bigtable.instances.list
bigtable.locations.*
bigtable.tables.checkConsistency
bigtable.tables.generateConsistencyToken
bigtable.tables.get
bigtable.tables.list
bigtable.tables.mutateRows
bigtable.tables.readRows
bigtable.tables.sampleRowKeys
monitoring.metricDescriptors.get
monitoring.metricDescriptors.list
monitoring.timeSeries.list
resourcemanager.projects.get
Instance
roles/
bigtable.viewer
Bigtable Viewer Provides no data access. Intended as a minimal set of permissions to access the Cloud Console for Cloud Bigtable. bigtable.appProfiles.get
bigtable.appProfiles.list
bigtable.clusters.get
bigtable.clusters.list
bigtable.instances.get
bigtable.instances.list
bigtable.locations.*
bigtable.tables.checkConsistency
bigtable.tables.generateConsistencyToken
bigtable.tables.get
bigtable.tables.list
monitoring.metricDescriptors.get
monitoring.metricDescriptors.list
monitoring.timeSeries.list
resourcemanager.projects.get
Instance

Billing roles

Role Title Description Permissions Lowest Resource
roles/
billing.admin
Billing Account Administrator Provides access to see and manage all aspects of billing accounts. billing.accounts.close
billing.accounts.get
billing.accounts.getIamPolicy
billing.accounts.getPaymentInfo
billing.accounts.getSpendingInformation
billing.accounts.getUsageExportSpec
billing.accounts.list
billing.accounts.move
billing.accounts.redeemPromotion
billing.accounts.removeFromOrganization
billing.accounts.reopen
billing.accounts.setIamPolicy
billing.accounts.update
billing.accounts.updatePaymentInfo
billing.accounts.updateUsageExportSpec
billing.budgets.*
billing.credits.*
billing.resourceAssociations.*
billing.subscriptions.*
cloudnotifications.*
logging.logEntries.list
logging.logServiceIndexes.*
logging.logServices.*
logging.logs.list
logging.privateLogEntries.*
resourcemanager.projects.createBillingAssignment
resourcemanager.projects.deleteBillingAssignment
Billing Account
roles/
billing.creator
Billing Account Creator Provides access to create billing accounts. billing.accounts.create
resourcemanager.organizations.get
Project
roles/
billing.projectManager
Project Billing Manager Provides access to assign a project's billing account or disable its billing. resourcemanager.projects.createBillingAssignment
resourcemanager.projects.deleteBillingAssignment
Project
roles/
billing.user
Billing Account User Provides access to associate projects with billing accounts. billing.accounts.get
billing.accounts.getIamPolicy
billing.accounts.list
billing.accounts.redeemPromotion
billing.credits.*
billing.resourceAssociations.create
Billing Account
roles/
billing.viewer
Billing Account Viewer View billing account cost information and transactions. billing.accounts.get
billing.accounts.getIamPolicy
billing.accounts.getPaymentInfo
billing.accounts.getSpendingInformation
billing.accounts.getUsageExportSpec
billing.accounts.list
billing.budgets.get
billing.budgets.list
billing.credits.*
billing.resourceAssociations.list
billing.subscriptions.get
billing.subscriptions.list
Organization
Billing Account

Binary Authorization roles

Role Title Description Permissions Lowest Resource
roles/
binaryauthorization.attestorsAdmin
Binary Authorization Attestor Admin Beta Adminstrator of Binary Authorization Attestors binaryauthorization.attestors.*
resourcemanager.projects.get
resourcemanager.projects.list
roles/
binaryauthorization.attestorsEditor
Binary Authorization Attestor Editor Beta Editor of Binary Authorization Attestors binaryauthorization.attestors.create
binaryauthorization.attestors.delete
binaryauthorization.attestors.get
binaryauthorization.attestors.list
binaryauthorization.attestors.update
binaryauthorization.attestors.verifyImageAttested
resourcemanager.projects.get
resourcemanager.projects.list
roles/
binaryauthorization.attestorsVerifier
Binary Authorization Attestor Image Verifier Beta Caller of Binary Authorization Attestors VerifyImageAttested binaryauthorization.attestors.get
binaryauthorization.attestors.list
binaryauthorization.attestors.verifyImageAttested
resourcemanager.projects.get
resourcemanager.projects.list
roles/
binaryauthorization.attestorsViewer
Binary Authorization Attestor Viewer Beta Viewer of Binary Authorization Attestors binaryauthorization.attestors.get
binaryauthorization.attestors.list
resourcemanager.projects.get
resourcemanager.projects.list
roles/
binaryauthorization.policyAdmin
Binary Authorization Policy Administrator Beta Administrator of Binary Authorization Policy binaryauthorization.policy.*
resourcemanager.projects.get
resourcemanager.projects.list
roles/
binaryauthorization.policyEditor
Binary Authorization Policy Editor Beta Editor of Binary Authorization Policy binaryauthorization.policy.get
binaryauthorization.policy.update
resourcemanager.projects.get
resourcemanager.projects.list
roles/
binaryauthorization.policyViewer
Binary Authorization Policy Viewer Beta Viewer of Binary Authorization Policy binaryauthorization.policy.get
resourcemanager.projects.get
resourcemanager.projects.list

Hangouts Chat roles

Role Title Description Permissions Lowest Resource
roles/
chat.owner
Chat Bots Owner Can view and modify bot configurations chat.*
roles/
chat.reader
Chat Bots Viewer Can view bot configurations chat.bots.get

Cloud Asset roles

Role Title Description Permissions Lowest Resource
roles/
cloudasset.owner
Cloud Asset Owner Beta Full access to cloud assets metadata cloudasset.*
roles/
cloudasset.viewer
Cloud Asset Viewer Read only access to cloud assets metadata cloudasset.assets.*

Cloud Build roles

Role Title Description Permissions Lowest Resource
roles/
cloudbuild.builds.builder
Cloud Build Service Account Can perform builds cloudbuild.*
logging.logEntries.create
pubsub.topics.create
pubsub.topics.publish
remotebuildexecution.blobs.get
resourcemanager.projects.get
resourcemanager.projects.list
source.repos.get
source.repos.list
storage.buckets.create
storage.buckets.get
storage.buckets.list
storage.objects.create
storage.objects.delete
storage.objects.get
storage.objects.list
storage.objects.update
roles/
cloudbuild.builds.editor
Cloud Build Editor Provides access to create and cancel builds. cloudbuild.*
remotebuildexecution.blobs.get
resourcemanager.projects.get
resourcemanager.projects.list
Project
roles/
cloudbuild.builds.viewer
Cloud Build Viewer Provides access to view builds. cloudbuild.builds.get
cloudbuild.builds.list
remotebuildexecution.blobs.get
resourcemanager.projects.get
resourcemanager.projects.list
Project

Cloud Data Fusion roles

Role Title Description Permissions Lowest Resource
roles/
datafusion.admin
Cloud Data Fusion Admin Beta Full access to Cloud Data Fusion Instances and related resources. datafusion.*
resourcemanager.projects.get
resourcemanager.projects.list
roles/
datafusion.viewer
Cloud Data Fusion Viewer Beta Read-only access to Cloud Data Fusion Instances and related resources. datafusion.instances.get
datafusion.instances.getIamPolicy
datafusion.instances.list
datafusion.locations.*
datafusion.operations.get
datafusion.operations.list
resourcemanager.projects.get
resourcemanager.projects.list

Stackdriver Debugger roles

Role Title Description Permissions Lowest Resource
roles/
clouddebugger.agent
Stackdriver Debugger Agent Beta Provides permissions to register the debug target, read active breakpoints, and report breakpoint results. clouddebugger.breakpoints.list
clouddebugger.breakpoints.listActive
clouddebugger.breakpoints.update
clouddebugger.debuggees.create
Service Account
roles/
clouddebugger.user
Stackdriver Debugger User Beta Provides permissions to create, view, list, and delete breakpoints (snapshots & logpoints) as well as list debug targets (debuggees). clouddebugger.breakpoints.create
clouddebugger.breakpoints.delete
clouddebugger.breakpoints.get
clouddebugger.breakpoints.list
clouddebugger.debuggees.list
Project

Cloud Functions roles

Role Title Description Permissions Lowest Resource
roles/
cloudfunctions.admin
Cloud Functions Admin Beta Full access to functions, operations and locations. cloudfunctions.*
resourcemanager.projects.get
serviceusage.quotas.get
serviceusage.services.get
serviceusage.services.list
roles/
cloudfunctions.developer
Cloud Functions Developer Beta Read and write access to all functions-related resources. cloudfunctions.functions.call
cloudfunctions.functions.create
cloudfunctions.functions.delete
cloudfunctions.functions.get
cloudfunctions.functions.invoke
cloudfunctions.functions.list
cloudfunctions.functions.sourceCodeGet
cloudfunctions.functions.sourceCodeSet
cloudfunctions.functions.update
cloudfunctions.locations.*
cloudfunctions.operations.*
resourcemanager.projects.get
serviceusage.quotas.get
serviceusage.services.get
serviceusage.services.list
roles/
cloudfunctions.invoker
Cloud Functions Invoker Beta Ability to invoke HTTP functions with restricted access. cloudfunctions.functions.invoke
roles/
cloudfunctions.viewer
Cloud Functions Viewer Beta Read-only access to functions and locations. cloudfunctions.functions.get
cloudfunctions.functions.list
cloudfunctions.locations.*
cloudfunctions.operations.*
resourcemanager.projects.get
serviceusage.quotas.get
serviceusage.services.get
serviceusage.services.list

Cloud IAP roles

Role Title Description Permissions Lowest Resource
roles/
iap.admin
IAP Policy Admin Provides full access to Identity-Aware Proxy resources. iap.tunnel.*
iap.tunnelInstances.getIamPolicy
iap.tunnelInstances.setIamPolicy
iap.tunnelZones.*
iap.web.getIamPolicy
iap.web.setIamPolicy
iap.webServiceVersions.getIamPolicy
iap.webServiceVersions.setIamPolicy
iap.webServices.getIamPolicy
iap.webServices.setIamPolicy
iap.webTypes.getIamPolicy
iap.webTypes.setIamPolicy
Project
roles/
iap.httpsResourceAccessor
IAP-secured Web App User Provides permission to access HTTPS resources which use Identity-Aware Proxy. iap.webServiceVersions.accessViaIAP
Project
roles/
iap.settingsAdmin
IAP Settings Admin Administrator of IAP Settings. iap.projects.*
iap.web.getSettings
iap.web.updateSettings
iap.webServiceVersions.getSettings
iap.webServiceVersions.updateSettings
iap.webServices.getSettings
iap.webServices.updateSettings
iap.webTypes.getSettings
iap.webTypes.updateSettings
roles/
iap.tunnelResourceAccessor
IAP-secured Tunnel User Access Tunnel resources which use Identity-Aware Proxy iap.tunnelInstances.accessViaIAP

Cloud IoT roles

Role Title Description Permissions Lowest Resource
roles/
cloudiot.admin
Cloud IoT Admin Full control of all Cloud IoT resources and permissions. cloudiot.*
cloudiottoken.*
Device
roles/
cloudiot.deviceController
Cloud IoT Device Controller Access to update the configuration of devices, but not to create or delete devices. cloudiot.devices.get
cloudiot.devices.list
cloudiot.devices.sendCommand
cloudiot.devices.updateConfig
cloudiot.registries.get
cloudiot.registries.list
cloudiottoken.tokensettings.get
Device
roles/
cloudiot.editor
Cloud IoT Editor Read-write access to all Cloud IoT resources. cloudiot.devices.*
cloudiot.registries.create
cloudiot.registries.delete
cloudiot.registries.get
cloudiot.registries.list
cloudiot.registries.update
cloudiottoken.*
Device
roles/
cloudiot.provisioner
Cloud IoT Provisioner Access to create and delete devices from registries, but not to modify the registries. cloudiot.devices.*
cloudiot.registries.get
cloudiot.registries.list
cloudiottoken.tokensettings.get
Device
roles/
cloudiot.viewer
Cloud IoT Viewer Read-only access to all Cloud IoT resources. cloudiot.devices.get
cloudiot.devices.list
cloudiot.registries.get
cloudiot.registries.list
cloudiottoken.tokensettings.get
Device

Cloud Talent Solution roles

Role Title Description Permissions Lowest Resource
roles/
cloudjobdiscovery.admin
Admin Access to Cloud Job Discovery Self-Service Tools cloudjobdiscovery.tools.*
iam.serviceAccounts.list
resourcemanager.projects.get
resourcemanager.projects.list
roles/
cloudjobdiscovery.jobsEditor
Job Editor Write access to all Cloud Job Discovery data. cloudjobdiscovery.companies.*
cloudjobdiscovery.events.*
cloudjobdiscovery.jobs.*
resourcemanager.projects.get
resourcemanager.projects.list
roles/
cloudjobdiscovery.jobsViewer
Job Viewer Read access to all Cloud Job Discovery data. cloudjobdiscovery.companies.get
cloudjobdiscovery.companies.list
cloudjobdiscovery.jobs.get
cloudjobdiscovery.jobs.search
resourcemanager.projects.get
resourcemanager.projects.list
roles/
cloudjobdiscovery.profilesEditor
Profile Editor Write access to all profile data in Cloud Talent Solution. cloudjobdiscovery.events.*
cloudjobdiscovery.profiles.*
cloudjobdiscovery.tenants.*
resourcemanager.projects.get
resourcemanager.projects.list
roles/
cloudjobdiscovery.profilesViewer
Profile Viewer Read access to all profile data in Cloud Talent Solution. cloudjobdiscovery.profiles.get
cloudjobdiscovery.profiles.search
cloudjobdiscovery.tenants.get
resourcemanager.projects.get
resourcemanager.projects.list

Cloud KMS roles

Role Title Description Permissions Lowest Resource
roles/
cloudkms.admin
Cloud KMS Admin Provides full access to KMS resources, except encrypt and decrypt operations. cloudkms.cryptoKeyVersions.create
cloudkms.cryptoKeyVersions.destroy
cloudkms.cryptoKeyVersions.get
cloudkms.cryptoKeyVersions.list
cloudkms.cryptoKeyVersions.restore
cloudkms.cryptoKeyVersions.update
cloudkms.cryptoKeys.*
cloudkms.importJobs.*
cloudkms.keyRings.*
resourcemanager.projects.get
CryptoKey
roles/
cloudkms.cryptoKeyDecrypter
Cloud KMS CryptoKey Decrypter Provides ability to use KMS resources for decrypt operations only. cloudkms.cryptoKeyVersions.useToDecrypt
resourcemanager.projects.get
CryptoKey
roles/
cloudkms.cryptoKeyEncrypter
Cloud KMS CryptoKey Encrypter Provides ability to use KMS resources for encrypt operations only. cloudkms.cryptoKeyVersions.useToEncrypt
resourcemanager.projects.get
CryptoKey
roles/
cloudkms.cryptoKeyEncrypterDecrypter
Cloud KMS CryptoKey Encrypter/Decrypter Provides ability to use KMS resources for encrypt and decrypt operations only. cloudkms.cryptoKeyVersions.useToDecrypt
cloudkms.cryptoKeyVersions.useToEncrypt
resourcemanager.projects.get
CryptoKey
roles/
cloudkms.importer
Cloud KMS Importer Enables ImportCryptoKeyVersion, CreateImportJob, ListImportJobs, and GetImportJob operations cloudkms.importJobs.create
cloudkms.importJobs.get
cloudkms.importJobs.list
cloudkms.importJobs.useToImport
resourcemanager.projects.get
roles/
cloudkms.publicKeyViewer
Cloud KMS CryptoKey Public Key Viewer Enables GetPublicKey operations cloudkms.cryptoKeyVersions.viewPublicKey
resourcemanager.projects.get
roles/
cloudkms.signer
Cloud KMS CryptoKey Signer Enables the AsymmetricSign operation cloudkms.cryptoKeyVersions.useToSign
resourcemanager.projects.get
roles/
cloudkms.signerVerifier
Cloud KMS CryptoKey Signer/Verifier Enables AsymmetricSign, and GetPublicKey operations cloudkms.cryptoKeyVersions.useToSign
cloudkms.cryptoKeyVersions.viewPublicKey
resourcemanager.projects.get

Cloud Migration roles

Role Title Description Permissions Lowest Resource
roles/
cloudmigration.inframanager
Velostrata Manager Beta Ability to create and manage Compute VMs to run Velostrata Infrastructure cloudmigration.*
compute.addresses.*
compute.diskTypes.*
compute.disks.create
compute.disks.delete
compute.disks.get
compute.disks.list
compute.disks.setLabels
compute.disks.update
compute.disks.use
compute.disks.useReadOnly
compute.images.get
compute.images.list
compute.images.useReadOnly
compute.instances.attachDisk
compute.instances.create
compute.instances.delete
compute.instances.detachDisk
compute.instances.get
compute.instances.getSerialPortOutput
compute.instances.list
compute.instances.reset
compute.instances.setDiskAutoDelete
compute.instances.setLabels
compute.instances.setMachineType
compute.instances.setMetadata
compute.instances.setMinCpuPlatform
compute.instances.setScheduling
compute.instances.setServiceAccount
compute.instances.setTags
compute.instances.start
compute.instances.startWithEncryptionKey
compute.instances.stop
compute.instances.update
compute.instances.updateNetworkInterface
compute.instances.updateShieldedInstanceConfig
compute.instances.use
compute.licenseCodes.get
compute.licenseCodes.list
compute.licenseCodes.update
compute.licenseCodes.use
compute.licenses.get
compute.licenses.list
compute.machineTypes.*
compute.networks.get
compute.networks.list
compute.networks.use
compute.networks.useExternalIp
compute.nodeGroups.get
compute.nodeGroups.list
compute.nodeTemplates.list
compute.projects.get
compute.regionOperations.get
compute.regions.*
compute.subnetworks.get
compute.subnetworks.list
compute.subnetworks.use
compute.subnetworks.useExternalIp
compute.zoneOperations.get
compute.zones.*
gkehub.endpoints.*
iam.serviceAccounts.get
iam.serviceAccounts.list
resourcemanager.projects.get
storage.buckets.create
storage.buckets.delete
storage.buckets.get
storage.buckets.list
storage.buckets.update
roles/
cloudmigration.storageaccess
Velostrata Storage Access Beta Ability to access migration storage storage.objects.create
storage.objects.delete
storage.objects.get
storage.objects.list
storage.objects.update
roles/
cloudmigration.velostrataconnect
Velostrata Manager Connection Agent Beta Ability to set up connection between Velostrata Manager and Google cloudmigration.*
gkehub.endpoints.*
roles/
vmmigration.admin
VM Migration Administrator Beta Ability to view and edit all VM Migration objects vmmigration.*
roles/
vmmigration.viewer
VM Migration Viewer Beta Ability to view all VM Migration objects vmmigration.deployments.get
vmmigration.deployments.list

Cloud Private Catalog roles

Role Title Description Permissions Lowest Resource
roles/
cloudprivatecatalog.consumer
Catalog Consumer Beta Can browse catalogs in the target resource context. cloudprivatecatalog.*
roles/
cloudprivatecatalogproducer.admin
Catalog Admin Beta Can manage catalog and view its associations. cloudprivatecatalogproducer.associations.*
cloudprivatecatalogproducer.catalogs.*
resourcemanager.folders.get
resourcemanager.folders.list
resourcemanager.organizations.get
roles/
cloudprivatecatalogproducer.manager
Catalog Manager Beta Can manage associations between a catalog and a target resource. cloudprivatecatalog.*
cloudprivatecatalogproducer.associations.*
cloudprivatecatalogproducer.catalogs.get
cloudprivatecatalogproducer.catalogs.list
cloudprivatecatalogproducer.targets.*
resourcemanager.folders.get
resourcemanager.folders.list
resourcemanager.organizations.get

Stackdriver Profiler roles

Role Title Description Permissions Lowest Resource
roles/
cloudprofiler.agent
Stackdriver Profiler Agent Beta Stackdriver Profiler agents are allowed to register and provide the profiling data. cloudprofiler.profiles.create
cloudprofiler.profiles.update
roles/
cloudprofiler.user
Stackdriver Profiler User Beta Stackdriver Profiler users are allowed to query and view the profiling data. cloudprofiler.profiles.list
resourcemanager.projects.get
resourcemanager.projects.list
serviceusage.quotas.get
serviceusage.services.get
serviceusage.services.list

Cloud Scheduler roles

Role Title Description Permissions Lowest Resource
roles/
cloudscheduler.admin
Cloud Scheduler Admin Beta Full access to jobs and executions. cloudscheduler.*
resourcemanager.projects.get
resourcemanager.projects.list
roles/
cloudscheduler.jobRunner
Cloud Scheduler Job Runner Beta Access to run jobs. cloudscheduler.jobs.fullView
cloudscheduler.jobs.run
resourcemanager.projects.get
resourcemanager.projects.list
roles/
cloudscheduler.viewer
Cloud Scheduler Viewer Beta Get and list access to jobs, executions, and locations. cloudscheduler.jobs.fullView
cloudscheduler.jobs.get
cloudscheduler.jobs.list
cloudscheduler.locations.*
resourcemanager.projects.get
resourcemanager.projects.list

Cloud Security Scanner roles

Role Title Description Permissions Lowest Resource
roles/
cloudsecurityscanner.editor
Cloud Security Scanner Editor Full access to all Cloud Security Scanner resources appengine.applications.get
cloudsecurityscanner.*
compute.addresses.list
resourcemanager.projects.get
resourcemanager.projects.list
serviceusage.quotas.get
serviceusage.services.get
serviceusage.services.list
roles/
cloudsecurityscanner.runner
Cloud Security Scanner Runner Read access to Scan and ScanRun, plus the ability to start scans cloudsecurityscanner.crawledurls.*
cloudsecurityscanner.scanruns.get
cloudsecurityscanner.scanruns.list
cloudsecurityscanner.scanruns.stop
cloudsecurityscanner.scans.get
cloudsecurityscanner.scans.list
cloudsecurityscanner.scans.run
roles/
cloudsecurityscanner.viewer
Cloud Security Scanner Viewer Read access to all Cloud Security Scanner resources cloudsecurityscanner.crawledurls.*
cloudsecurityscanner.results.*
cloudsecurityscanner.scanruns.get
cloudsecurityscanner.scanruns.getSummary
cloudsecurityscanner.scanruns.list
cloudsecurityscanner.scans.get
cloudsecurityscanner.scans.list
serviceusage.quotas.get
serviceusage.services.get
serviceusage.services.list

Cloud Services roles

Role Title Description Permissions Lowest Resource
roles/
servicebroker.admin
Service Broker Admin Beta Full access to ServiceBroker resources. servicebroker.*
roles/
servicebroker.operator
Service Broker Operator Beta Operational access to the ServiceBroker resources. servicebroker.bindingoperations.*
servicebroker.bindings.create
servicebroker.bindings.delete
servicebroker.bindings.get
servicebroker.bindings.list
servicebroker.catalogs.create
servicebroker.catalogs.delete
servicebroker.catalogs.get
servicebroker.catalogs.list
servicebroker.instanceoperations.*
servicebroker.instances.create
servicebroker.instances.delete
servicebroker.instances.get
servicebroker.instances.list
servicebroker.instances.update

Cloud SQL roles

Role Title Description Permissions Lowest Resource
roles/
cloudsql.admin
Cloud SQL Admin Provides full control of Cloud SQL resources. cloudsql.*
resourcemanager.projects.get
resourcemanager.projects.list
serviceusage.quotas.get
serviceusage.services.get
serviceusage.services.list
Project
roles/
cloudsql.client
Cloud SQL Client Provides connectivity access to Cloud SQL instances. cloudsql.instances.connect
cloudsql.instances.get
Project
roles/
cloudsql.editor
Cloud SQL Editor Provides full control of existing Cloud SQL instances excluding modifying users, SSL certificates or deleting resources. cloudsql.backupRuns.create
cloudsql.backupRuns.get
cloudsql.backupRuns.list
cloudsql.databases.create
cloudsql.databases.get
cloudsql.databases.list
cloudsql.databases.update
cloudsql.instances.addServerCa
cloudsql.instances.connect
cloudsql.instances.export
cloudsql.instances.failover
cloudsql.instances.get
cloudsql.instances.list
cloudsql.instances.listServerCas
cloudsql.instances.restart
cloudsql.instances.rotateServerCa
cloudsql.instances.truncateLog
cloudsql.instances.update
cloudsql.sslCerts.get
cloudsql.sslCerts.list
cloudsql.users.list
resourcemanager.projects.get
resourcemanager.projects.list
serviceusage.quotas.get
serviceusage.services.get
serviceusage.services.list
Project
roles/
cloudsql.viewer
Cloud SQL Viewer Provides read-only access to Cloud SQL resources. cloudsql.backupRuns.get
cloudsql.backupRuns.list
cloudsql.databases.get
cloudsql.databases.list
cloudsql.instances.export
cloudsql.instances.get
cloudsql.instances.list
cloudsql.instances.listServerCas
cloudsql.sslCerts.get
cloudsql.sslCerts.list
cloudsql.users.list
resourcemanager.projects.get
resourcemanager.projects.list
serviceusage.quotas.get
serviceusage.services.get
serviceusage.services.list
Project

Cloud Tasks roles

Role Title Description Permissions Lowest Resource
roles/
cloudtasks.admin
Cloud Tasks Admin Beta Full access to queues and tasks. cloudtasks.*
resourcemanager.projects.get
resourcemanager.projects.list
roles/
cloudtasks.enqueuer
Cloud Tasks Enqueuer Beta Access to create tasks. cloudtasks.tasks.create
cloudtasks.tasks.fullView
resourcemanager.projects.get
resourcemanager.projects.list
roles/
cloudtasks.queueAdmin
Cloud Tasks Queue Admin Beta Admin access to queues. cloudtasks.locations.*
cloudtasks.queues.*
resourcemanager.projects.get
resourcemanager.projects.list
roles/
cloudtasks.taskDeleter
Cloud Tasks Task Deleter Beta Access to delete tasks. cloudtasks.tasks.delete
resourcemanager.projects.get
resourcemanager.projects.list
roles/
cloudtasks.taskRunner
Cloud Tasks Task Runner Beta Access to run tasks. cloudtasks.tasks.fullView
cloudtasks.tasks.run
resourcemanager.projects.get
resourcemanager.projects.list
roles/
cloudtasks.viewer
Cloud Tasks Viewer Beta Get and list access to tasks, queues, and locations. cloudtasks.locations.*
cloudtasks.queues.get
cloudtasks.queues.list
cloudtasks.tasks.fullView
cloudtasks.tasks.get
cloudtasks.tasks.list
resourcemanager.projects.get
resourcemanager.projects.list

Cloud Trace roles

Role Title Description Permissions Lowest Resource
roles/
cloudtrace.admin
Cloud Trace Admin Provides full access to the Trace console and read-write access to traces. cloudtrace.*
resourcemanager.projects.get
resourcemanager.projects.list
Project
roles/
cloudtrace.agent
Cloud Trace Agent For service accounts. Provides ability to write traces by sending the data to Stackdriver Trace. cloudtrace.traces.patch
Project
roles/
cloudtrace.user
Cloud Trace User Provides full access to the Trace console and read access to traces. cloudtrace.insights.*
cloudtrace.stats.*
cloudtrace.tasks.*
cloudtrace.traces.get
cloudtrace.traces.list
resourcemanager.projects.get
resourcemanager.projects.list
Project

Cloud Translation roles

Role Title Description Permissions Lowest Resource
roles/
cloudtranslate.admin
Cloud Translation API Admin Full access to all Cloud Translation resources automl.models.get
automl.models.predict
cloudtranslate.*
resourcemanager.projects.get
resourcemanager.projects.list
roles/
cloudtranslate.editor
Cloud Translation API Editor Editor of all Cloud Translation resources automl.models.get
automl.models.predict
cloudtranslate.*
resourcemanager.projects.get
resourcemanager.projects.list
roles/
cloudtranslate.user
Cloud Translation API User User of Cloud Translation and AutoML models automl.models.get
automl.models.predict
cloudtranslate.generalModels.*
cloudtranslate.glossaries.batchPredict
cloudtranslate.glossaries.get
cloudtranslate.glossaries.list
cloudtranslate.glossaries.predict
cloudtranslate.languageDetectionModels.*
cloudtranslate.locations.*
cloudtranslate.operations.get
cloudtranslate.operations.list
cloudtranslate.operations.wait
resourcemanager.projects.get
resourcemanager.projects.list
roles/
cloudtranslate.viewer
Cloud Translation API Viewer Viewer of all Translation resources automl.models.get
cloudtranslate.generalModels.get
cloudtranslate.glossaries.get
cloudtranslate.glossaries.list
cloudtranslate.locations.*
cloudtranslate.operations.get
cloudtranslate.operations.list
cloudtranslate.operations.wait
resourcemanager.projects.get
resourcemanager.projects.list

Codelab API Keys roles

Role Title Description Permissions Lowest Resource
roles/
codelabapikeys.admin
Codelab ApiKeys Admin Beta Full access to API keys resourcemanager.projects.get
resourcemanager.projects.list
roles/
codelabapikeys.editor
Codelab API Keys Editor Beta This role can view and edit all properties of API keys. resourcemanager.projects.get
resourcemanager.projects.list
roles/
codelabapikeys.viewer
Codelab API Keys Viewer Beta This role can view all properties except change history of API keys. resourcemanager.projects.get
resourcemanager.projects.list

Cloud Composer roles

Role Title Description Permissions Lowest Resource
roles/
composer.admin
Composer Administrator Provides full control of Cloud Composer resources. composer.*
serviceusage.quotas.get
serviceusage.services.get
serviceusage.services.list
Project
roles/
composer.environmentAndStorageObjectAdmin
Environment and Storage Object Administrator Provides full control of Cloud Composer resources and of the objects in all project buckets. composer.*
resourcemanager.projects.get
resourcemanager.projects.list
serviceusage.quotas.get
serviceusage.services.get
serviceusage.services.list
storage.objects.*
Project
roles/
composer.environmentAndStorageObjectViewer
Environment User and Storage Object Viewer Provides the permissions nessesary to list and get Cloud Composer environments and operations. Provides read-only access to objects in all project buckets. composer.environments.get
composer.environments.list
composer.imageversions.*
composer.operations.get
composer.operations.list
resourcemanager.projects.get
resourcemanager.projects.list
serviceusage.quotas.get
serviceusage.services.get
serviceusage.services.list
storage.objects.get
storage.objects.list
Project
roles/
composer.user
Composer User Provides the permissions necessary to list and get Cloud Composer environments and operations. composer.environments.get
composer.environments.list
composer.imageversions.*
composer.operations.get
composer.operations.list
serviceusage.quotas.get
serviceusage.services.get
serviceusage.services.list
Project
roles/
composer.worker
Composer Worker Provides the permissions necessary to run a Cloud Composer environment VM. Intended for service accounts. cloudbuild.*
container.*
logging.logEntries.create
monitoring.metricDescriptors.create
monitoring.metricDescriptors.get
monitoring.metricDescriptors.list
monitoring.monitoredResourceDescriptors.*
monitoring.timeSeries.create
pubsub.snapshots.create
pubsub.snapshots.delete
pubsub.snapshots.get
pubsub.snapshots.list
pubsub.snapshots.seek
pubsub.snapshots.update
pubsub.subscriptions.consume
pubsub.subscriptions.create
pubsub.subscriptions.delete
pubsub.subscriptions.get
pubsub.subscriptions.list
pubsub.subscriptions.update
pubsub.topics.attachSubscription
pubsub.topics.create
pubsub.topics.delete
pubsub.topics.get
pubsub.topics.list
pubsub.topics.publish
pubsub.topics.update
pubsub.topics.updateTag
remotebuildexecution.blobs.get
resourcemanager.projects.get
resourcemanager.projects.list
serviceusage.quotas.get
serviceusage.services.get
serviceusage.services.list
source.repos.get
source.repos.list
storage.buckets.create
storage.buckets.get
storage.buckets.list
storage.objects.*
Project

Compute Engine roles

Role Title Description Permissions Lowest Resource
roles/
compute.admin
Compute Admin

Full control of all Compute Engine resources.

If the user will be managing virtual machine instances that are configured to run as a service account, you must also grant the roles/iam.serviceAccountUser role.

compute.*
resourcemanager.projects.get
resourcemanager.projects.list
serviceusage.quotas.get
serviceusage.services.get
serviceusage.services.list
Disk, image, instance, instanceTemplate, nodeGroup, nodeTemplate, snapshot Beta
roles/
compute.imageUser
Compute Image User

Permission to list and read images without having other permissions on the image. Granting the compute.imageUser role at the project level gives users the ability to list all images in the project and create resources, such as instances and persistent disks, based on images in the project.

compute.images.get
compute.images.getFromFamily
compute.images.list
compute.images.useReadOnly
resourcemanager.projects.get
resourcemanager.projects.list
serviceusage.quotas.get
serviceusage.services.get
serviceusage.services.list
ImageBeta
roles/
compute.instanceAdmin
Compute Instance Admin (beta)

Permissions to create, modify, and delete virtual machine instances. This includes permissions to create, modify, and delete disks, and also to configure Shielded VMBETA settings.

If the user will be managing virtual machine instances that are configured to run as a service account, you must also grant the roles/iam.serviceAccountUser role.

For example, if your company has someone who manages groups of virtual machine instances but does not manage network or security settings and does not manage instances that run as service accounts, you can grant this role on the organization, folder, or project that contains the instances, or you can grant it on individual instances.

compute.acceleratorTypes.*
compute.addresses.get
compute.addresses.list
compute.addresses.use
compute.autoscalers.*
compute.diskTypes.*
compute.disks.create
compute.disks.createSnapshot
compute.disks.delete
compute.disks.get
compute.disks.list
compute.disks.resize
compute.disks.setLabels
compute.disks.update
compute.disks.use
compute.disks.useReadOnly
compute.globalAddresses.get
compute.globalAddresses.list
compute.globalAddresses.use
compute.globalOperations.get
compute.globalOperations.list
compute.images.get
compute.images.getFromFamily
compute.images.list
compute.images.useReadOnly
compute.instanceGroupManagers.*
compute.instanceGroups.*
compute.instanceTemplates.*
compute.instances.*
compute.licenses.get
compute.licenses.list
compute.machineTypes.*
compute.networkEndpointGroups.*
compute.networks.get
compute.networks.list
compute.networks.use
compute.networks.useExternalIp
compute.projects.get
compute.regionOperations.get
compute.regionOperations.list
compute.regions.*
compute.reservations.get
compute.reservations.list
compute.subnetworks.get
compute.subnetworks.list
compute.subnetworks.use
compute.subnetworks.useExternalIp
compute.targetPools.get
compute.targetPools.list
compute.zoneOperations.get
compute.zoneOperations.list
compute.zones.*
resourcemanager.projects.get
resourcemanager.projects.list
serviceusage.quotas.get
serviceusage.services.get
serviceusage.services.list
Disk, image, instance, instanceTemplate, snapshot Beta
roles/
compute.instanceAdmin.v1
Compute Instance Admin (v1) Full control of Compute Engine instances, instance groups, disks, snapshots, and images. Read access to all Compute Engine networking resources.

If you grant a user this role only at an instance level, then that user cannot create new instances.

compute.acceleratorTypes.*
compute.addresses.get
compute.addresses.list
compute.addresses.use
compute.autoscalers.*
compute.backendBuckets.get
compute.backendBuckets.list
compute.backendServices.get
compute.backendServices.list
compute.diskTypes.*
compute.disks.*
compute.externalVpnGateways.get
compute.externalVpnGateways.list
compute.firewalls.get
compute.firewalls.list
compute.forwardingRules.get
compute.forwardingRules.list
compute.globalAddresses.get
compute.globalAddresses.list
compute.globalAddresses.use
compute.globalForwardingRules.get
compute.globalForwardingRules.list
compute.globalOperations.get
compute.globalOperations.list
compute.healthChecks.get
compute.healthChecks.list
compute.httpHealthChecks.get
compute.httpHealthChecks.list
compute.httpsHealthChecks.get
compute.httpsHealthChecks.list
compute.images.*
compute.instanceGroupManagers.*
compute.instanceGroups.*
compute.instanceTemplates.*
compute.instances.*
compute.interconnectAttachments.get
compute.interconnectAttachments.list
compute.interconnectLocations.*
compute.interconnects.get
compute.interconnects.list
compute.licenseCodes.*
compute.licenses.*
compute.machineTypes.*
compute.networkEndpointGroups.*
compute.networks.get
compute.networks.list
compute.networks.use
compute.networks.useExternalIp
compute.projects.get
compute.projects.setCommonInstanceMetadata
compute.regionBackendServices.get
compute.regionBackendServices.list
compute.regionOperations.get
compute.regionOperations.list
compute.regions.*
compute.reservations.get
compute.reservations.list
compute.resourcePolicies.*
compute.routers.get
compute.routers.list
compute.routes.get
compute.routes.list
compute.snapshots.*
compute.sslCertificates.get
compute.sslCertificates.list
compute.sslPolicies.get
compute.sslPolicies.list
compute.sslPolicies.listAvailableFeatures
compute.subnetworks.get
compute.subnetworks.list
compute.subnetworks.use
compute.subnetworks.useExternalIp
compute.targetHttpProxies.get
compute.targetHttpProxies.list
compute.targetHttpsProxies.get
compute.targetHttpsProxies.list
compute.targetInstances.get
compute.targetInstances.list
compute.targetPools.get
compute.targetPools.list
compute.targetSslProxies.get
compute.targetSslProxies.list
compute.targetTcpProxies.get
compute.targetTcpProxies.list
compute.targetVpnGateways.get
compute.targetVpnGateways.list
compute.urlMaps.get
compute.urlMaps.list
compute.vpnGateways.get
compute.vpnGateways.list
compute.vpnTunnels.get
compute.vpnTunnels.list
compute.zoneOperations.get
compute.zoneOperations.list
compute.zones.*
resourcemanager.projects.get
resourcemanager.projects.list
serviceusage.quotas.get
serviceusage.services.get
serviceusage.services.list
roles/
compute.loadBalancerAdmin
Compute Load Balancer Admin Beta

Permissions to create, modify, and delete load balancers and associate resources.

For example, if your company has a load balancing team that manages load balancers, SSL certificates for load balancers, SSL policies, and other load balancing resources, and a separate networking team that manages the rest of the networking resources, then grant the load balancing team's group the loadBalancerAdmin role.

compute.addresses.*
compute.backendBuckets.*
compute.backendServices.*
compute.forwardingRules.*
compute.globalAddresses.*
compute.globalForwardingRules.*
compute.healthChecks.*
compute.httpHealthChecks.*
compute.httpsHealthChecks.*
compute.instanceGroups.*
compute.instances.get
compute.instances.list
compute.instances.use
compute.networkEndpointGroups.*
compute.networks.get
compute.networks.list
compute.networks.use
compute.projects.get
compute.regionBackendServices.*
compute.securityPolicies.get
compute.securityPolicies.list
compute.securityPolicies.use
compute.sslCertificates.*
compute.sslPolicies.*
compute.subnetworks.get
compute.subnetworks.list
compute.subnetworks.use
compute.targetHttpProxies.*
compute.targetHttpsProxies.*
compute.targetInstances.*
compute.targetPools.*
compute.targetSslProxies.*
compute.targetTcpProxies.*
compute.urlMaps.*
resourcemanager.projects.get
resourcemanager.projects.list
serviceusage.quotas.get
serviceusage.services.get
serviceusage.services.list
InstanceBeta
roles/
compute.networkAdmin
Compute Network Admin

Permissions to create, modify, and delete networking resources, except for firewall rules and SSL certificates. The network admin role allows read-only access to firewall rules, SSL certificates, and instances (to view their ephemeral IP addresses). The network admin role does not allow a user to create, start, stop, or delete instances.

For example, if your company has a security team that manages firewalls and SSL certificates and a networking team that manages the rest of the networking resources, then grant the networking team's group the networkAdmin role.

compute.addresses.*
compute.autoscalers.get
compute.autoscalers.list
compute.backendBuckets.*
compute.backendServices.*
compute.externalVpnGateways.*
compute.firewalls.get
compute.firewalls.list
compute.forwardingRules.*
compute.globalAddresses.*
compute.globalForwardingRules.*
compute.globalOperations.get
compute.globalOperations.list
compute.healthChecks.*
compute.httpHealthChecks.*
compute.httpsHealthChecks.*
compute.instanceGroupManagers.get
compute.instanceGroupManagers.list
compute.instanceGroupManagers.update
compute.instanceGroupManagers.use
compute.instanceGroups.get
compute.instanceGroups.list
compute.instanceGroups.update
compute.instanceGroups.use
compute.instances.get
compute.instances.getGuestAttributes
compute.instances.getSerialPortOutput
compute.instances.list
compute.instances.listReferrers
compute.instances.use
compute.interconnectAttachments.*
compute.interconnectLocations.*
compute.interconnects.*
compute.networkEndpointGroups.get
compute.networkEndpointGroups.list
compute.networkEndpointGroups.use
compute.networks.*
compute.projects.get
compute.regionBackendServices.*
compute.regionOperations.get
compute.regionOperations.list
compute.regions.*
compute.routers.*
compute.routes.*
compute.securityPolicies.get
compute.securityPolicies.list
compute.securityPolicies.use
compute.sslCertificates.get
compute.sslCertificates.list
compute.sslPolicies.*
compute.subnetworks.*
compute.targetHttpProxies.*
compute.targetHttpsProxies.*
compute.targetInstances.*
compute.targetPools.*
compute.targetSslProxies.*
compute.targetTcpProxies.*
compute.targetVpnGateways.*
compute.urlMaps.*
compute.vpnGateways.*
compute.vpnTunnels.*
compute.zoneOperations.get
compute.zoneOperations.list
compute.zones.*
resourcemanager.projects.get
resourcemanager.projects.list
servicenetworking.operations.get
servicenetworking.services.addPeering
servicenetworking.services.get
serviceusage.quotas.get
serviceusage.services.get
serviceusage.services.list
InstanceBeta
roles/
compute.networkUser
Compute Network User

Provides access to a shared VPC network

Once granted, service owners can use VPC networks and subnets that belong to the host project. For example, a network user can create a VM instance that belongs to a host project network but they cannot delete or create new networks in the host project.

compute.addresses.createInternal
compute.addresses.deleteInternal
compute.addresses.get
compute.addresses.list
compute.addresses.useInternal
compute.externalVpnGateways.get
compute.externalVpnGateways.list
compute.externalVpnGateways.use
compute.firewalls.get
compute.firewalls.list
compute.interconnectAttachments.get
compute.interconnectAttachments.list
compute.interconnectLocations.*
compute.interconnects.get
compute.interconnects.list
compute.interconnects.use
compute.networks.get
compute.networks.list
compute.networks.use
compute.networks.useExternalIp
compute.projects.get
compute.regions.*
compute.routers.get
compute.routers.list
compute.routes.get
compute.routes.list
compute.subnetworks.get
compute.subnetworks.list
compute.subnetworks.use
compute.subnetworks.useExternalIp
compute.targetVpnGateways.get
compute.targetVpnGateways.list
compute.vpnGateways.get
compute.vpnGateways.list
compute.vpnGateways.use
compute.vpnTunnels.get
compute.vpnTunnels.list
compute.zones.*
resourcemanager.projects.get
resourcemanager.projects.list
servicenetworking.services.get
serviceusage.quotas.get
serviceusage.services.get
serviceusage.services.list
Project
roles/
compute.networkViewer
Compute Network Viewer

Read-only access to all networking resources

For example, if you have software that inspects your network configuration, you could grant that software's service account the networkViewer role.

compute.addresses.get
compute.addresses.list
compute.autoscalers.get
compute.autoscalers.list
compute.backendBuckets.get
compute.backendBuckets.list
compute.backendServices.get
compute.backendServices.list
compute.firewalls.get
compute.firewalls.list
compute.forwardingRules.get
compute.forwardingRules.list
compute.globalAddresses.get
compute.globalAddresses.list
compute.globalForwardingRules.get
compute.globalForwardingRules.list
compute.healthChecks.get
compute.healthChecks.list
compute.httpHealthChecks.get
compute.httpHealthChecks.list
compute.httpsHealthChecks.get
compute.httpsHealthChecks.list
compute.instanceGroupManagers.get
compute.instanceGroupManagers.list
compute.instanceGroups.get
compute.instanceGroups.list
compute.instances.get
compute.instances.getGuestAttributes
compute.instances.getSerialPortOutput
compute.instances.list
compute.instances.listReferrers
compute.interconnectAttachments.get
compute.interconnectAttachments.list
compute.interconnectLocations.*
compute.interconnects.get
compute.interconnects.list
compute.networks.get
compute.networks.list
compute.projects.get
compute.regionBackendServices.get
compute.regionBackendServices.list
compute.regions.*
compute.routers.get
compute.routers.list
compute.routes.get
compute.routes.list
compute.sslCertificates.get
compute.sslCertificates.list
compute.sslPolicies.get
compute.sslPolicies.list
compute.sslPolicies.listAvailableFeatures
compute.subnetworks.get
compute.subnetworks.list
compute.targetHttpProxies.get
compute.targetHttpProxies.list
compute.targetHttpsProxies.get
compute.targetHttpsProxies.list
compute.targetInstances.get
compute.targetInstances.list
compute.targetPools.get
compute.targetPools.list
compute.targetSslProxies.get
compute.targetSslProxies.list
compute.targetTcpProxies.get
compute.targetTcpProxies.list
compute.targetVpnGateways.get
compute.targetVpnGateways.list
compute.urlMaps.get
compute.urlMaps.list
compute.vpnGateways.get
compute.vpnGateways.list
compute.vpnTunnels.get
compute.vpnTunnels.list
compute.zones.*
resourcemanager.projects.get
resourcemanager.projects.list
servicenetworking.services.get
serviceusage.quotas.get
serviceusage.services.get
serviceusage.services.list
InstanceBeta
roles/
compute.orgSecurityPolicyAdmin
Compute Organization Security Policy Admin Beta Full control of Compute Engine Organization Security Policies. compute.globalOperations.get
compute.globalOperations.getIamPolicy
compute.globalOperations.list
compute.globalOperations.setIamPolicy
compute.projects.get
compute.securityPolicies.*
resourcemanager.projects.get
resourcemanager.projects.list
serviceusage.quotas.get
serviceusage.services.get
serviceusage.services.list
roles/
compute.orgSecurityPolicyUser
Compute Organization Security Policy User Beta View or use Compute Engine Security Policies to associate with the organization or folders. compute.globalOperations.get
compute.globalOperations.getIamPolicy
compute.globalOperations.list
compute.globalOperations.setIamPolicy
compute.projects.get
compute.securityPolicies.get
compute.securityPolicies.list
compute.securityPolicies.use
resourcemanager.projects.get
resourcemanager.projects.list
serviceusage.quotas.get
serviceusage.services.get
serviceusage.services.list
roles/
compute.orgSecurityResourceAdmin
Compute Organization Resource Admin Beta Full control of Compute Engine Security Policy associations to the organization or folders. compute.globalOperations.get
compute.globalOperations.getIamPolicy
compute.globalOperations.list
compute.globalOperations.setIamPolicy
compute.projects.get
resourcemanager.projects.get
resourcemanager.projects.list
serviceusage.quotas.get
serviceusage.services.get
serviceusage.services.list
roles/
compute.osAdminLogin
Compute OS Admin Login

Access to log in to a Compute Engine instance as an administrator user.

compute.instances.get
compute.instances.list
compute.instances.osAdminLogin
compute.instances.osLogin
compute.projects.get
resourcemanager.projects.get
resourcemanager.projects.list
serviceusage.quotas.get
serviceusage.services.get
serviceusage.services.list
InstanceBeta
roles/
compute.osLogin
Compute OS Login

Access to log in to a Compute Engine instance as a standard user.

compute.instances.get
compute.instances.list
compute.instances.osLogin
compute.projects.get
resourcemanager.projects.get
resourcemanager.projects.list
serviceusage.quotas.get
serviceusage.services.get
serviceusage.services.list
InstanceBeta
roles/
compute.osLoginExternalUser
Compute OS Login External User

Available only at the organization level.

Access for an external user to set OS Login information associated with this organization. This role does not grant access to instances. External users must be granted one of the required OS Login roles in order to allow access to instances using SSH.

compute.oslogin.*
Organization
roles/
compute.packetMirroringAdmin
Compute packet mirroring admin Beta Specify resources to be mirrored. compute.networks.mirror
compute.projects.get
compute.subnetworks.mirror
resourcemanager.projects.get
resourcemanager.projects.list
serviceusage.quotas.get
serviceusage.services.get
serviceusage.services.list
roles/
compute.packetMirroringUser
Compute packet mirroring user Beta Use Compute Engine packet mirrorings. compute.packetMirrorings.*
compute.projects.get
resourcemanager.projects.get
resourcemanager.projects.list
serviceusage.quotas.get
serviceusage.services.get
serviceusage.services.list
roles/
compute.securityAdmin
Compute Security Admin

Permissions to create, modify, and delete firewall rules and SSL certificates, and also to configure Shielded VMBETA settings.

For example, if your company has a security team that manages firewalls and SSL certificates and a networking team that manages the rest of the networking resources, then grant the security team's group the securityAdmin role.

compute.firewalls.*
compute.globalOperations.get
compute.globalOperations.list
compute.instances.setShieldedInstanceIntegrityPolicy
compute.instances.setShieldedVmIntegrityPolicy
compute.instances.updateShieldedInstanceConfig
compute.instances.updateShieldedVmConfig
compute.networks.get
compute.networks.list
compute.networks.updatePolicy
compute.packetMirrorings.*
compute.projects.get
compute.regionOperations.get
compute.regionOperations.list
compute.regions.*
compute.routes.get
compute.routes.list
compute.securityPolicies.*
compute.sslCertificates.*
compute.sslPolicies.*
compute.subnetworks.get
compute.subnetworks.list
compute.zoneOperations.get
compute.zoneOperations.list
compute.zones.*
resourcemanager.projects.get
resourcemanager.projects.list
serviceusage.quotas.get
serviceusage.services.get
serviceusage.services.list
InstanceBeta
roles/
compute.storageAdmin
Compute Storage Admin

Permissions to create, modify, and delete disks, images, and snapshots.

For example, if your company has someone who manages project images and you don't want them to have the editor role on the project, then grant their account the storageAdmin role on the project.

compute.diskTypes.*
compute.disks.*
compute.globalOperations.get
compute.globalOperations.list
compute.images.*
compute.licenseCodes.*
compute.licenses.*
compute.projects.get
compute.regionOperations.get
compute.regionOperations.list
compute.regions.*
compute.resourcePolicies.*
compute.snapshots.*
compute.zoneOperations.get
compute.zoneOperations.list
compute.zones.*
resourcemanager.projects.get
resourcemanager.projects.list
serviceusage.quotas.get
serviceusage.services.get
serviceusage.services.list
Disk, image, snapshot Beta
roles/
compute.viewer
Compute Viewer

Read-only access to get and list Compute Engine resources, without being able to read the data stored on them.

For example, an account with this role could inventory all of the disks in a project, but it could not read any of the data on those disks.

compute.acceleratorTypes.*
compute.addresses.get
compute.addresses.list
compute.autoscalers.get
compute.autoscalers.list
compute.backendBuckets.get
compute.backendBuckets.list
compute.backendServices.get
compute.backendServices.list
compute.commitments.get
compute.commitments.list
compute.diskTypes.*
compute.disks.get
compute.disks.getIamPolicy
compute.disks.list
compute.externalVpnGateways.get
compute.externalVpnGateways.list
compute.firewalls.get
compute.firewalls.list
compute.forwardingRules.get
compute.forwardingRules.list
compute.globalAddresses.get
compute.globalAddresses.list
compute.globalForwardingRules.get
compute.globalForwardingRules.list
compute.globalOperations.get
compute.globalOperations.getIamPolicy
compute.globalOperations.list
compute.healthChecks.get
compute.healthChecks.list
compute.httpHealthChecks.get
compute.httpHealthChecks.list
compute.httpsHealthChecks.get
compute.httpsHealthChecks.list
compute.images.get
compute.images.getFromFamily
compute.images.getIamPolicy
compute.images.list
compute.instanceGroupManagers.get
compute.instanceGroupManagers.list
compute.instanceGroups.get
compute.instanceGroups.list
compute.instanceTemplates.get
compute.instanceTemplates.getIamPolicy
compute.instanceTemplates.list
compute.instances.get
compute.instances.getGuestAttributes
compute.instances.getIamPolicy
compute.instances.getSerialPortOutput
compute.instances.getShieldedInstanceIdentity
compute.instances.getShieldedVmIdentity
compute.instances.list
compute.instances.listReferrers
compute.interconnectAttachments.get
compute.interconnectAttachments.list
compute.interconnectLocations.*
compute.interconnects.get
compute.interconnects.list
compute.licenseCodes.get
compute.licenseCodes.getIamPolicy
compute.licenseCodes.list
compute.licenses.get
compute.licenses.getIamPolicy
compute.licenses.list
compute.machineTypes.*
compute.maintenancePolicies.get
compute.maintenancePolicies.getIamPolicy
compute.maintenancePolicies.list
compute.networkEndpointGroups.get
compute.networkEndpointGroups.getIamPolicy
compute.networkEndpointGroups.list
compute.networks.get
compute.networks.list
compute.nodeGroups.get
compute.nodeGroups.getIamPolicy
compute.nodeGroups.list
compute.nodeTemplates.get
compute.nodeTemplates.getIamPolicy
compute.nodeTemplates.list
compute.nodeTypes.*
compute.projects.get
compute.regionBackendServices.get
compute.regionBackendServices.list
compute.regionOperations.get
compute.regionOperations.getIamPolicy
compute.regionOperations.list
compute.regions.*
compute.reservations.get
compute.reservations.list
compute.resourcePolicies.get
compute.resourcePolicies.list
compute.routers.get
compute.routers.list
compute.routes.get
compute.routes.list
compute.securityPolicies.get
compute.securityPolicies.getIamPolicy
compute.securityPolicies.list
compute.snapshots.get
compute.snapshots.getIamPolicy
compute.snapshots.list
compute.sslCertificates.get
compute.sslCertificates.list
compute.sslPolicies.get
compute.sslPolicies.list
compute.sslPolicies.listAvailableFeatures
compute.subnetworks.get
compute.subnetworks.getIamPolicy
compute.subnetworks.list
compute.targetHttpProxies.get
compute.targetHttpProxies.list
compute.targetHttpsProxies.get
compute.targetHttpsProxies.list
compute.targetInstances.get
compute.targetInstances.list
compute.targetPools.get
compute.targetPools.list
compute.targetSslProxies.get
compute.targetSslProxies.list
compute.targetTcpProxies.get
compute.targetTcpProxies.list
compute.targetVpnGateways.get
compute.targetVpnGateways.list
compute.urlMaps.get
compute.urlMaps.list
compute.urlMaps.validate
compute.vpnGateways.get
compute.vpnGateways.list
compute.vpnTunnels.get
compute.vpnTunnels.list
compute.zoneOperations.get
compute.zoneOperations.getIamPolicy
compute.zoneOperations.list
compute.zones.*
resourcemanager.projects.get
resourcemanager.projects.list
serviceusage.quotas.get
serviceusage.services.get
serviceusage.services.list
Disk, image, instance, instanceTemplate, nodeGroup, nodeTemplate, snapshot Beta
roles/
compute.xpnAdmin
Compute Shared VPC Admin

Permissions to administer shared VPC host projects, specifically enabling the host projects and associating shared VPC service projects to the host project's network.

This role can only be granted on the organization by an organization admin.

Google Cloud recommends that the Shared VPC Admin be the owner of the shared VPC host project. The Shared VPC Admin is responsible for granting the compute.networkUser role to service owners, and the shared VPC host project owner controls the project itself. Managing the project is easier if a single principal (individual or group) can fulfill both roles.

compute.globalOperations.get
compute.globalOperations.list
compute.organizations.*
compute.projects.get
compute.subnetworks.getIamPolicy
compute.subnetworks.setIamPolicy
resourcemanager.organizations.get
resourcemanager.projects.get
resourcemanager.projects.getIamPolicy
resourcemanager.projects.list
Organization

Kubernetes Engine roles

Role Title Description Permissions Lowest Resource
roles/
container.admin
Kubernetes Engine Admin Provides access to full management of Container Clusters and their Kubernetes API objects. container.*
resourcemanager.projects.get
resourcemanager.projects.list
Project
roles/
container.clusterAdmin
Kubernetes Engine Cluster Admin Provides access to management of Container Clusters. container.clusters.create
container.clusters.delete
container.clusters.get
container.clusters.list
container.clusters.update
container.operations.*
resourcemanager.projects.get
resourcemanager.projects.list
Project
roles/
container.clusterViewer
Kubernetes Engine Cluster Viewer Read-only access to Kubernetes Clusters. container.clusters.get
container.clusters.list
resourcemanager.projects.get
resourcemanager.projects.list
roles/
container.developer
Kubernetes Engine Developer Provides full access to Kubernetes API objects inside Container Clusters. container.apiServices.*
container.backendConfigs.*
container.bindings.*
container.certificateSigningRequests.create
container.certificateSigningRequests.delete
container.certificateSigningRequests.get
container.certificateSigningRequests.list
container.certificateSigningRequests.update
container.certificateSigningRequests.updateStatus
container.clusterRoleBindings.get
container.clusterRoleBindings.list
container.clusterRoles.get
container.clusterRoles.list
container.clusters.get
container.clusters.list
container.componentStatuses.*
container.configMaps.*
container.controllerRevisions.get
container.controllerRevisions.list
container.cronJobs.*
container.csiDrivers.*
container.csiNodes.*
container.customResourceDefinitions.*
container.daemonSets.*
container.deployments.*
container.endpoints.*
container.events.*
container.horizontalPodAutoscalers.*
container.ingresses.*
container.initializerConfigurations.*
container.jobs.*
container.limitRanges.*
container.localSubjectAccessReviews.*
container.namespaces.*
container.networkPolicies.*
container.nodes.*
container.persistentVolumeClaims.*
container.persistentVolumes.*
container.petSets.*
container.podDisruptionBudgets.*
container.podPresets.*
container.podSecurityPolicies.get
container.podSecurityPolicies.list
container.podTemplates.*
container.pods.*
container.replicaSets.*
container.replicationControllers.*
container.resourceQuotas.*
container.roleBindings.get
container.roleBindings.list
container.roles.get
container.roles.list
container.runtimeClasses.*
container.scheduledJobs.*
container.secrets.*
container.selfSubjectAccessReviews.*
container.serviceAccounts.*
container.services.*
container.statefulSets.*
container.storageClasses.*
container.subjectAccessReviews.*
container.thirdPartyObjects.*
container.thirdPartyResources.*
container.tokenReviews.*
resourcemanager.projects.get
resourcemanager.projects.list
Project
roles/
container.hostServiceAgentUser
Kubernetes Engine Host Service Agent User Use access of the Kubernetes Engine Host Service Agent. compute.firewalls.get
container.hostServiceAgent.*
roles/
container.viewer
Kubernetes Engine Viewer Provides read-only access to GKE resources. container.apiServices.get
container.apiServices.list
container.backendConfigs.get
container.backendConfigs.list
container.bindings.get
container.bindings.list
container.certificateSigningRequests.get
container.certificateSigningRequests.list
container.clusterRoleBindings.get
container.clusterRoleBindings.list
container.clusterRoles.get
container.clusterRoles.list
container.clusters.get
container.clusters.list
container.componentStatuses.*
container.configMaps.get
container.configMaps.list
container.controllerRevisions.get
container.controllerRevisions.list
container.cronJobs.get
container.cronJobs.getStatus
container.cronJobs.list
container.csiDrivers.get
container.csiDrivers.list
container.csiNodes.get
container.csiNodes.list
container.customResourceDefinitions.get
container.customResourceDefinitions.list
container.daemonSets.get
container.daemonSets.getStatus
container.daemonSets.list
container.deployments.get
container.deployments.getStatus
container.deployments.list
container.endpoints.get
container.endpoints.list
container.events.get
container.events.list
container.horizontalPodAutoscalers.get
container.horizontalPodAutoscalers.getStatus
container.horizontalPodAutoscalers.list
container.ingresses.get
container.ingresses.getStatus
container.ingresses.list
container.initializerConfigurations.get
container.initializerConfigurations.list
container.jobs.get
container.jobs.getStatus
container.jobs.list
container.limitRanges.get
container.limitRanges.list
container.namespaces.get
container.namespaces.getStatus
container.namespaces.list
container.networkPolicies.get
container.networkPolicies.list
container.nodes.get
container.nodes.getStatus
container.nodes.list
container.operations.*
container.persistentVolumeClaims.get
container.persistentVolumeClaims.getStatus
container.persistentVolumeClaims.list
container.persistentVolumes.get
container.persistentVolumes.getStatus
container.persistentVolumes.list
container.petSets.get
container.petSets.list
container.podDisruptionBudgets.get
container.podDisruptionBudgets.getStatus
container.podDisruptionBudgets.list
container.podPresets.get
container.podPresets.list
container.podSecurityPolicies.get
container.podSecurityPolicies.list
container.podTemplates.get
container.podTemplates.list
container.pods.get
container.pods.getStatus
container.pods.list
container.replicaSets.get
container.replicaSets.getScale
container.replicaSets.getStatus
container.replicaSets.list
container.replicationControllers.get
container.replicationControllers.getScale
container.replicationControllers.getStatus
container.replicationControllers.list
container.resourceQuotas.get
container.resourceQuotas.getStatus
container.resourceQuotas.list
container.roleBindings.get
container.roleBindings.list
container.roles.get
container.roles.list
container.runtimeClasses.get
container.runtimeClasses.list
container.scheduledJobs.get
container.scheduledJobs.list
container.serviceAccounts.get
container.serviceAccounts.list
container.services.get
container.services.getStatus
container.services.list
container.statefulSets.get
container.statefulSets.getStatus
container.statefulSets.list
container.storageClasses.get
container.storageClasses.list
container.thirdPartyObjects.get
container.thirdPartyObjects.list
container.thirdPartyResources.get
container.thirdPartyResources.list
container.tokenReviews.*
resourcemanager.projects.get
resourcemanager.projects.list
Project

Container Analysis roles

Role Title Description Permissions Lowest Resource
roles/
containeranalysis.admin
Container Analysis Admin Alpha Access to all resources. resourcemanager.projects.get
resourcemanager.projects.list
roles/
containeranalysis.notes.attacher
Container Analysis Notes Attacher Alpha Can attach occurrences to notes
roles/
containeranalysis.notes.editor
Container Analysis Notes Editor Alpha Can edit container analysis notes resourcemanager.projects.get
resourcemanager.projects.list
roles/
containeranalysis.notes.viewer
Container Analysis Notes Viewer Alpha Can view container analysis notes resourcemanager.projects.get
resourcemanager.projects.list
roles/
containeranalysis.occurrences.editor
Container Analysis Occurrences Editor Alpha Can edit container analysis occurrences resourcemanager.projects.get
resourcemanager.projects.list
roles/
containeranalysis.occurrences.viewer
Container Analysis Occurrences Viewer Alpha Can view container analysis occurrences resourcemanager.projects.get
resourcemanager.projects.list

Data Catalog roles

Role Title Description Permissions Lowest Resource
roles/
datacatalog.admin
Data Catalog Admin Beta Full access to all DataCatalog resources bigquery.datasets.get
bigquery.datasets.updateTag
bigquery.models.getMetadata
bigquery.models.updateTag
bigquery.tables.get
bigquery.tables.updateTag
datacatalog.categories.getIamPolicy
datacatalog.categories.setIamPolicy
datacatalog.entries.*
datacatalog.entryGroups.*
datacatalog.tagTemplates.*
datacatalog.taxonomies.*
pubsub.topics.get
pubsub.topics.updateTag
resourcemanager.projects.get
resourcemanager.projects.list
roles/
datacatalog.categoryAdmin
Policy Tag Admin Beta Manage taxonomies datacatalog.categories.getIamPolicy
datacatalog.categories.setIamPolicy
datacatalog.taxonomies.*
resourcemanager.projects.get
resourcemanager.projects.list
roles/
datacatalog.categoryFineGrainedReader
Fine-Grained Reader Beta Read access to sub-resources tagged by a policy tag, for example, BigQuery columns datacatalog.categories.fineGrainedGet
roles/
datacatalog.entryCreator
DataCatalog Entry Creator Beta Can create new entries datacatalog.entries.create
datacatalog.entries.get
datacatalog.entryGroups.get
resourcemanager.projects.get
resourcemanager.projects.list
roles/
datacatalog.entryGroupCreator
DataCatalog EntryGroup Creator Beta Can create new entryGroups datacatalog.entryGroups.create
datacatalog.entryGroups.get
resourcemanager.projects.get
resourcemanager.projects.list
roles/
datacatalog.entryGroupOwner
DataCatalog entryGroup Owner Beta Full access to entryGroups datacatalog.entries.*
datacatalog.entryGroups.*
resourcemanager.projects.get
resourcemanager.projects.list
roles/
datacatalog.entryOwner
DataCatalog entry Owner Beta Full access to entries datacatalog.entries.*
datacatalog.entryGroups.get
resourcemanager.projects.get
resourcemanager.projects.list
roles/
datacatalog.entryViewer
DataCatalog Entry Viewer Beta Read access to entries datacatalog.entries.get
datacatalog.entryGroups.get
resourcemanager.projects.get
resourcemanager.projects.list
roles/
datacatalog.tagEditor
Data Catalog Tag Editor Beta Gives permission to modify tags on a GCP assets (BigQuery, Pub/Sub etc). bigquery.datasets.updateTag
bigquery.models.updateTag
bigquery.tables.updateTag
pubsub.topics.updateTag
roles/
datacatalog.tagTemplateCreator
Data Catalog TagTemplate Creator Beta Can create new tag templates datacatalog.tagTemplates.create
datacatalog.tagTemplates.get
roles/
datacatalog.tagTemplateOwner
Data Catalog TagTemplate Owner Beta Full acess to tag templates datacatalog.tagTemplates.*
resourcemanager.projects.get
resourcemanager.projects.list
roles/
datacatalog.tagTemplateUser
Data Catalog TagTemplate User Beta Can use tag templates to tag resources datacatalog.tagTemplates.get
datacatalog.tagTemplates.getTag
datacatalog.tagTemplates.use
resourcemanager.projects.get
resourcemanager.projects.list
roles/
datacatalog.tagTemplateViewer
Data Catalog TagTemplate Viewer Beta Read access to templates and tags created using the templates datacatalog.tagTemplates.get
datacatalog.tagTemplates.getTag
resourcemanager.projects.get
resourcemanager.projects.list
roles/
datacatalog.viewer
Data Catalog Viewer Beta View resources in DataCatalog bigquery.datasets.get
bigquery.models.getMetadata
bigquery.tables.get
datacatalog.entries.get
datacatalog.entryGroups.get
datacatalog.tagTemplates.get
datacatalog.tagTemplates.getTag
datacatalog.taxonomies.get
datacatalog.taxonomies.list
pubsub.topics.get
resourcemanager.projects.get
resourcemanager.projects.list

Dataflow roles

Role Title Description Permissions Lowest Resource
roles/
dataflow.admin
Dataflow Admin Minimal role for creating and managing dataflow jobs. compute.machineTypes.get
dataflow.*
resourcemanager.projects.get
resourcemanager.projects.list
storage.buckets.get
storage.objects.create
storage.objects.get
storage.objects.list
roles/
dataflow.developer
Dataflow Developer Provides the permissions necessary to execute and manipulate Dataflow jobs. dataflow.*
resourcemanager.projects.get
resourcemanager.projects.list
Project
roles/
dataflow.viewer
Dataflow Viewer Provides read-only access to all Dataflow-related resources. dataflow.jobs.get
dataflow.jobs.list
dataflow.messages.*
dataflow.metrics.*
resourcemanager.projects.get
resourcemanager.projects.list
Project
roles/
dataflow.worker
Dataflow Worker Provides the permissions necessary for a Compute Engine service account to execute work units for a Dataflow pipeline. compute.instanceGroupManagers.update
compute.instances.delete
compute.instances.setDiskAutoDelete
dataflow.jobs.get
logging.logEntries.create
storage.objects.create
storage.objects.get
Project

Cloud Data Labeling roles

Role Title Description Permissions Lowest Resource
roles/
datalabeling.admin
DataLabeling Service Admin Beta Full access to all DataLabeling resources datalabeling.*
resourcemanager.projects.get
resourcemanager.projects.list
roles/
datalabeling.editor
DataLabeling Service Editor Beta Editor of all DataLabeling resources datalabeling.*
resourcemanager.projects.get
resourcemanager.projects.list
roles/
datalabeling.viewer
DataLabeling Service Viewer Beta Viewer of all DataLabeling resources datalabeling.annotateddatasets.get
datalabeling.annotateddatasets.list
datalabeling.annotationspecsets.get
datalabeling.annotationspecsets.list
datalabeling.dataitems.*
datalabeling.datasets.get
datalabeling.datasets.list
datalabeling.examples.*
datalabeling.instructions.get
datalabeling.instructions.list
datalabeling.operations.get
datalabeling.operations.list
resourcemanager.projects.get
resourcemanager.projects.list

Dataprep roles

Role Title Description Permissions Lowest Resource
roles/
dataprep.projects.user
Dataprep User Beta Use of Dataprep. dataprep.*
resourcemanager.projects.get
serviceusage.quotas.get
serviceusage.services.get
serviceusage.services.list

Dataproc roles

Role Title Description Permissions Lowest Resource
roles/
dataproc.admin
Dataproc Administrator Full control of Dataproc resources. compute.machineTypes.*
compute.networks.get
compute.networks.list
compute.projects.get
compute.regions.*
compute.zones.*
dataproc.clusters.*
dataproc.jobs.*
dataproc.operations.*
dataproc.workflowTemplates.*
resourcemanager.projects.get
resourcemanager.projects.list
roles/
dataproc.editor
Dataproc Editor Provides the permissions necessary for viewing the resources required to manage Dataproc, including machine types, networks, projects and zones. compute.machineTypes.*
compute.networks.get
compute.networks.list
compute.projects.get
compute.regions.*
compute.zones.*
dataproc.clusters.create
dataproc.clusters.delete
dataproc.clusters.get
dataproc.clusters.list
dataproc.clusters.update
dataproc.clusters.use
dataproc.jobs.cancel
dataproc.jobs.create
dataproc.jobs.delete
dataproc.jobs.get
dataproc.jobs.list
dataproc.jobs.update
dataproc.operations.delete
dataproc.operations.get
dataproc.operations.list
dataproc.workflowTemplates.create
dataproc.workflowTemplates.delete
dataproc.workflowTemplates.get
dataproc.workflowTemplates.instantiate
dataproc.workflowTemplates.instantiateInline
dataproc.workflowTemplates.list
dataproc.workflowTemplates.update
resourcemanager.projects.get
resourcemanager.projects.list
Project
roles/
dataproc.viewer
Dataproc Viewer Provides read-only access to Dataproc resources. compute.machineTypes.get
compute.regions.*
compute.zones.get
dataproc.clusters.get
dataproc.clusters.list
dataproc.jobs.get
dataproc.jobs.list
dataproc.operations.get
dataproc.operations.list
dataproc.workflowTemplates.get
dataproc.workflowTemplates.list
resourcemanager.projects.get
resourcemanager.projects.list
Project
roles/
dataproc.worker
Dataproc Worker Worker access to Dataproc. Intended for service accounts. dataproc.agents.*
dataproc.tasks.*
logging.logEntries.create
monitoring.metricDescriptors.create
monitoring.metricDescriptors.get
monitoring.metricDescriptors.list
monitoring.monitoredResourceDescriptors.*
monitoring.timeSeries.create
storage.buckets.get
storage.objects.*

Datastore roles

Role Title Description Permissions Lowest Resource
roles/
datastore.importExportAdmin
Cloud Datastore Import Export Admin Provides full access to manage imports and exports. appengine.applications.get
datastore.databases.export
datastore.databases.import
datastore.operations.cancel
datastore.operations.get
datastore.operations.list
resourcemanager.projects.get
resourcemanager.projects.list
Project
roles/
datastore.indexAdmin
Cloud Datastore Index Admin Provides full access to manage index definitions. appengine.applications.get
datastore.indexes.*
resourcemanager.projects.get
resourcemanager.projects.list
Project
roles/
datastore.owner
Cloud Datastore Owner Provides full access to Datastore resources. appengine.applications.get
datastore.*
resourcemanager.projects.get
resourcemanager.projects.list
Project
roles/
datastore.user
Cloud Datastore User Provides read/write access to data in a Datastore database. appengine.applications.get
datastore.databases.get
datastore.entities.*
datastore.indexes.list
datastore.namespaces.get
datastore.namespaces.list
datastore.statistics.*
resourcemanager.projects.get
resourcemanager.projects.list
Project
roles/
datastore.viewer
Cloud Datastore Viewer Provides read access to Datastore resources. appengine.applications.get
datastore.databases.get
datastore.databases.list
datastore.entities.get
datastore.entities.list
datastore.indexes.get
datastore.indexes.list
datastore.namespaces.get
datastore.namespaces.list
datastore.statistics.*
resourcemanager.projects.get
resourcemanager.projects.list
Project

Deployment Manager roles

Role Title Description Permissions Lowest Resource
roles/
deploymentmanager.editor
Deployment Manager Editor Provides the permissions necessary to create and manage deployments. deploymentmanager.compositeTypes.*
deploymentmanager.deployments.cancelPreview
deploymentmanager.deployments.create
deploymentmanager.deployments.delete
deploymentmanager.deployments.get
deploymentmanager.deployments.list
deploymentmanager.deployments.stop
deploymentmanager.deployments.update
deploymentmanager.manifests.*
deploymentmanager.operations.*
deploymentmanager.resources.*
deploymentmanager.typeProviders.*
deploymentmanager.types.*
resourcemanager.projects.get
resourcemanager.projects.list
serviceusage.quotas.get
serviceusage.services.get
serviceusage.services.list
Project
roles/
deploymentmanager.typeEditor
Deployment Manager Type Editor Provides read and write access to all Type Registry resources. deploymentmanager.compositeTypes.*
deploymentmanager.operations.get
deploymentmanager.typeProviders.*
deploymentmanager.types.*
resourcemanager.projects.get
resourcemanager.projects.list
serviceusage.quotas.get
serviceusage.services.get
Project
roles/
deploymentmanager.typeViewer
Deployment Manager Type Viewer Provides read-only access to all Type Registry resources. deploymentmanager.compositeTypes.get
deploymentmanager.compositeTypes.list
deploymentmanager.typeProviders.get
deploymentmanager.typeProviders.getType
deploymentmanager.typeProviders.list
deploymentmanager.typeProviders.listTypes
deploymentmanager.types.get
deploymentmanager.types.list
resourcemanager.projects.get
resourcemanager.projects.list
serviceusage.quotas.get
serviceusage.services.get
Project
roles/
deploymentmanager.viewer
Deployment Manager Viewer Provides read-only access to all Cloud Deployment Manager-related resources. deploymentmanager.compositeTypes.get
deploymentmanager.compositeTypes.list
deploymentmanager.deployments.get
deploymentmanager.deployments.list
deploymentmanager.manifests.*
deploymentmanager.operations.*
deploymentmanager.resources.*
deploymentmanager.typeProviders.get
deploymentmanager.typeProviders.getType
deploymentmanager.typeProviders.list
deploymentmanager.typeProviders.listTypes
deploymentmanager.types.get
deploymentmanager.types.list
resourcemanager.projects.get
resourcemanager.projects.list
serviceusage.quotas.get
serviceusage.services.get
serviceusage.services.list
Project

Dialogflow roles

Role Title Description Permissions Lowest Resource
roles/
dialogflow.admin
Dialogflow API Admin Full access to Dialogflow (API only) resources. Use the roles/owner or roles/editor primitive role for access to both API and Dialogflow console (commonly needed to create an agent from the Dialogflow console). dialogflow.*
resourcemanager.projects.get
Project
roles/
dialogflow.client
Dialogflow API Client Client access to Dialogflow (API only) resources. This grants permission to detect intent and read/write session properties (contexts, session entity types, etc.). dialogflow.contexts.*
dialogflow.sessionEntityTypes.*
dialogflow.sessions.*
Project
roles/
dialogflow.consoleAgentEditor
Dialogflow Console Agent Editor Can edit agent in Dialogflow Console actions.agentVersions.create
dialogflow.*
resourcemanager.projects.get
roles/
dialogflow.reader
Dialogflow API Reader Read access to Dialogflow (API only) resources. Cannot detect intent. Use the roles/viewer primitive role for similar access to both API and Dialogflow console. dialogflow.agents.export
dialogflow.agents.get
dialogflow.agents.search
dialogflow.contexts.get
dialogflow.contexts.list
dialogflow.documents.get
dialogflow.documents.list
dialogflow.entityTypes.get
dialogflow.entityTypes.list
dialogflow.intents.get
dialogflow.intents.list
dialogflow.knowledgeBases.get
dialogflow.knowledgeBases.list
dialogflow.operations.*
dialogflow.sessionEntityTypes.get
dialogflow.sessionEntityTypes.list
resourcemanager.projects.get
Project

Cloud DLP roles

Role Title Description Permissions Lowest Resource
roles/
dlp.admin
DLP Administrator Administer DLP including jobs and templates. dlp.*
serviceusage.services.use
roles/
dlp.analyzeRiskTemplatesEditor
DLP Analyze Risk Templates Editor Edit DLP analyze risk templates. dlp.analyzeRiskTemplates.*
roles/
dlp.analyzeRiskTemplatesReader
DLP Analyze Risk Templates Reader Read DLP analyze risk templates. dlp.analyzeRiskTemplates.get
dlp.analyzeRiskTemplates.list
roles/
dlp.deidentifyTemplatesEditor
DLP De-identify Templates Editor Edit DLP de-identify templates. dlp.deidentifyTemplates.*
roles/
dlp.deidentifyTemplatesReader
DLP De-identify Templates Reader Read DLP de-identify templates. dlp.deidentifyTemplates.get
dlp.deidentifyTemplates.list
roles/
dlp.inspectTemplatesEditor
DLP Inspect Templates Editor Edit DLP inspect templates. dlp.inspectTemplates.*
roles/
dlp.inspectTemplatesReader
DLP Inspect Templates Reader Read DLP inspect templates. dlp.inspectTemplates.get
dlp.inspectTemplates.list
roles/
dlp.jobTriggersEditor
DLP Job Triggers Editor Edit job triggers configurations. dlp.jobTriggers.*
roles/
dlp.jobTriggersReader
DLP Job Triggers Reader Read job triggers. dlp.jobTriggers.get
dlp.jobTriggers.list
roles/
dlp.jobsEditor
DLP Jobs Editor Edit and create jobs dlp.jobs.*
dlp.kms.*
roles/
dlp.jobsReader
DLP Jobs Reader Read jobs dlp.jobs.get
dlp.jobs.list
roles/
dlp.reader
DLP Reader Read DLP entities, such as jobs and templates. dlp.analyzeRiskTemplates.get
dlp.analyzeRiskTemplates.list
dlp.deidentifyTemplates.get
dlp.deidentifyTemplates.list
dlp.inspectTemplates.get
dlp.inspectTemplates.list
dlp.jobTriggers.get
dlp.jobTriggers.list
dlp.jobs.get
dlp.jobs.list
dlp.storedInfoTypes.get
dlp.storedInfoTypes.list
roles/
dlp.storedInfoTypesEditor
DLP Stored InfoTypes Editor Edit DLP stored info types. dlp.storedInfoTypes.*
roles/
dlp.storedInfoTypesReader
DLP Stored InfoTypes Reader Read DLP stored info types. dlp.storedInfoTypes.get
dlp.storedInfoTypes.list
roles/
dlp.user
DLP User Inspect, Redact, and De-identify Content dlp.kms.*
serviceusage.services.use

DNS roles

Role Title Description Permissions Lowest Resource
roles/
dns.admin
DNS Administrator Provides read-write access to all Cloud DNS resources. compute.networks.get
compute.networks.list
dns.changes.*
dns.dnsKeys.*
dns.managedZoneOperations.*
dns.managedZones.*
dns.networks.*
dns.policies.create
dns.policies.delete
dns.policies.get
dns.policies.list
dns.policies.update
dns.projects.*
dns.resourceRecordSets.*
resourcemanager.projects.get
resourcemanager.projects.list
Project
roles/
dns.peer
DNS Peer Beta Access to target networks with DNS peering zones dns.networks.targetWithPeeringZone
roles/
dns.reader
DNS Reader Provides read-only access to all Cloud DNS resources. compute.networks.get
dns.changes.get
dns.changes.list
dns.dnsKeys.*
dns.managedZoneOperations.*
dns.managedZones.get
dns.managedZones.list
dns.policies.get
dns.policies.list
dns.projects.*
dns.resourceRecordSets.list
resourcemanager.projects.get
resourcemanager.projects.list
Project

Endpoints roles

Role Title Description Permissions Lowest Resource
roles/
endpoints.portalAdmin
Endpoints Portal Admin Beta Provides all permissions needed to add, view, and delete custom domains on the Endpoints > Developer Portal page in the GCP Console. On a portal created for an API, provides the permission to change settings on the Site Wide tab on the Settings page. endpoints.*
resourcemanager.projects.get
resourcemanager.projects.list
servicemanagement.services.get
Project

Error Reporting roles

Role Title Description Permissions Lowest Resource
roles/
errorreporting.admin
Error Reporting Admin Beta Provides full access to Error Reporting data. cloudnotifications.*
errorreporting.*
Project
roles/
errorreporting.user
Error Reporting User Beta Provides the permissions to read and write Error Reporting data, except for sending new error events. cloudnotifications.*
errorreporting.applications.*
errorreporting.errorEvents.delete
errorreporting.errorEvents.list
errorreporting.groupMetadata.*
errorreporting.groups.*
Project
roles/
errorreporting.viewer
Error Reporting Viewer Beta Provides read-only access to Error Reporting data. cloudnotifications.*
errorreporting.applications.*
errorreporting.errorEvents.list
errorreporting.groupMetadata.get
errorreporting.groups.*
Project
roles/
errorreporting.writer
Errors Writer Beta Provides the permissions to send error events to Error Reporting. errorreporting.errorEvents.create
Service Account

Cloud Filestore roles

Role Title Description Permissions Lowest Resource
roles/
file.editor
Cloud Filestore Editor Beta Read-write access to Filestore instances and related resources. file.*
roles/
file.viewer
Cloud Filestore Viewer Beta Read-only access to Filestore instances and related resources. file.instances.get
file.instances.list
file.locations.*
file.operations.get
file.operations.list
file.snapshots.get
file.snapshots.list

Firebase roles

Role Title Description Permissions Lowest Resource
roles/
firebase.admin
Firebase Admin Full access to Firebase products. appengine.applications.get
automl.*
clientauthconfig.brands.get
clientauthconfig.brands.list
clientauthconfig.brands.update
clientauthconfig.clients.create
clientauthconfig.clients.delete
clientauthconfig.clients.get
clientauthconfig.clients.list
clientauthconfig.clients.update
cloudconfig.*
cloudfunctions.*
cloudmessaging.*
cloudnotifications.*
cloudtestservice.*
cloudtoolresults.*
datastore.*
errorreporting.groups.*
firebase.*
firebaseabt.*
firebaseanalytics.*
firebaseappdistro.*
firebaseauth.*
firebasecrash.*
firebasecrashlytics.*
firebasedatabase.*
firebasedynamiclinks.*
firebaseextensions.*
firebasehosting.*
firebaseinappmessaging.*
firebaseml.*
firebasenotifications.*
firebaseperformance.*
firebasepredictions.*
firebaserules.*
logging.logEntries.list
monitoring.timeSeries.list
resourcemanager.projects.get
resourcemanager.projects.getIamPolicy
resourcemanager.projects.list
runtimeconfig.configs.create
runtimeconfig.configs.delete
runtimeconfig.configs.get
runtimeconfig.configs.list
runtimeconfig.configs.update
runtimeconfig.operations.*
runtimeconfig.variables.create
runtimeconfig.variables.delete
runtimeconfig.variables.get
runtimeconfig.variables.list
runtimeconfig.variables.update
runtimeconfig.variables.watch
runtimeconfig.waiters.create
runtimeconfig.waiters.delete
runtimeconfig.waiters.get
runtimeconfig.waiters.list
runtimeconfig.waiters.update
serviceusage.apiKeys.get
serviceusage.apiKeys.getProjectForKey
serviceusage.apiKeys.list
serviceusage.operations.get
serviceusage.operations.list
serviceusage.quotas.get
serviceusage.services.get
serviceusage.services.list
storage.buckets.*
storage.objects.*
roles/
firebase.analyticsAdmin
Firebase Analytics Admin Full access to Google Analytics for Firebase. cloudnotifications.*
firebase.billingPlans.get
firebase.clients.get
firebase.links.list
firebase.projects.get
firebaseanalytics.*
firebaseextensions.configs.list
resourcemanager.projects.get
resourcemanager.projects.getIamPolicy
resourcemanager.projects.list
roles/
firebase.analyticsViewer
Firebase Analytics Viewer Read access to Google Analytics for Firebase. cloudnotifications.*
firebase.billingPlans.get
firebase.clients.get
firebase.links.list
firebase.projects.get
firebaseanalytics.resources.googleAnalyticsReadAndAnalyze
firebaseextensions.configs.list
resourcemanager.projects.get
resourcemanager.projects.getIamPolicy
resourcemanager.projects.list
roles/
firebase.developAdmin
Firebase Develop Admin Full access to Firebase Develop products and Analytics. appengine.applications.get
automl.*
clientauthconfig.brands.get
clientauthconfig.brands.list
clientauthconfig.brands.update
clientauthconfig.clients.get
clientauthconfig.clients.list
cloudfunctions.*
cloudnotifications.*
datastore.*
errorreporting.groups.*
firebase.billingPlans.get
firebase.clients.get
firebase.links.list
firebase.projects.get
firebaseanalytics.*
firebaseauth.*
firebasedatabase.*
firebaseextensions.configs.list
firebasehosting.*
firebaseml.*
firebaserules.*
logging.logEntries.list
monitoring.timeSeries.list
resourcemanager.projects.get
resourcemanager.projects.getIamPolicy
resourcemanager.projects.list
runtimeconfig.configs.create
runtimeconfig.configs.delete
runtimeconfig.configs.get
runtimeconfig.configs.list
runtimeconfig.configs.update
runtimeconfig.operations.*
runtimeconfig.variables.create
runtimeconfig.variables.delete
runtimeconfig.variables.get
runtimeconfig.variables.list
runtimeconfig.variables.update
runtimeconfig.variables.watch
runtimeconfig.waiters.create
runtimeconfig.waiters.delete
runtimeconfig.waiters.get
runtimeconfig.waiters.list
runtimeconfig.waiters.update
serviceusage.apiKeys.get
serviceusage.apiKeys.getProjectForKey
serviceusage.apiKeys.list
serviceusage.operations.get
serviceusage.operations.list
serviceusage.quotas.get
serviceusage.services.get
serviceusage.services.list
storage.buckets.*
storage.objects.*
roles/
firebase.developViewer
Firebase Develop Viewer Read access to Firebase Develop products and Analytics. automl.annotationSpecs.get
automl.annotationSpecs.list
automl.annotations.list
automl.columnSpecs.get
automl.columnSpecs.list
automl.datasets.get
automl.datasets.list
automl.examples.get
automl.examples.list
automl.humanAnnotationTasks.get
automl.humanAnnotationTasks.list
automl.locations.get
automl.locations.list
automl.modelEvaluations.get
automl.modelEvaluations.list
automl.models.get
automl.models.list
automl.operations.get
automl.operations.list
automl.tableSpecs.get
automl.tableSpecs.list
clientauthconfig.brands.get
clientauthconfig.brands.list
cloudfunctions.functions.get
cloudfunctions.functions.list
cloudfunctions.locations.*
cloudfunctions.operations.*
cloudnotifications.*
datastore.databases.get
datastore.databases.getIamPolicy
datastore.databases.list
datastore.entities.get
datastore.entities.list
datastore.indexes.get
datastore.indexes.list
datastore.namespaces.get
datastore.namespaces.getIamPolicy
datastore.namespaces.list
datastore.statistics.*
errorreporting.groups.*
firebase.billingPlans.get
firebase.clients.get
firebase.links.list
firebase.projects.get
firebaseanalytics.resources.googleAnalyticsReadAndAnalyze
firebaseauth.configs.get
firebaseauth.users.get
firebasedatabase.instances.get
firebasedatabase.instances.list
firebaseextensions.configs.list
firebasehosting.sites.get
firebasehosting.sites.list
firebaseml.compressionjobs.get
firebaseml.compressionjobs.list
firebaseml.models.get
firebaseml.models.list
firebaseml.modelversions.get
firebaseml.modelversions.list
firebaserules.releases.get
firebaserules.releases.list
firebaserules.rulesets.get
firebaserules.rulesets.list
logging.logEntries.list
monitoring.timeSeries.list
resourcemanager.projects.get
resourcemanager.projects.getIamPolicy
resourcemanager.projects.list
serviceusage.operations.get
serviceusage.operations.list
serviceusage.quotas.get
serviceusage.services.get
serviceusage.services.list
storage.buckets.get
storage.buckets.getIamPolicy
storage.buckets.list
storage.objects.get
storage.objects.getIamPolicy
storage.objects.list
roles/
firebase.growthAdmin
Firebase Grow Admin Full access to Firebase Grow products and Analytics. clientauthconfig.clients.get
clientauthconfig.clients.list
cloudconfig.*
cloudmessaging.*
cloudnotifications.*
firebase.billingPlans.get
firebase.clients.get
firebase.links.list
firebase.projects.get
firebaseabt.*
firebaseanalytics.*
firebasedynamiclinks.*
firebaseextensions.configs.list
firebaseinappmessaging.*
firebasenotifications.*
firebasepredictions.*
monitoring.timeSeries.list
resourcemanager.projects.get
resourcemanager.projects.getIamPolicy
resourcemanager.projects.list
serviceusage.operations.get
serviceusage.operations.list
serviceusage.quotas.get
serviceusage.services.get
serviceusage.services.list
roles/
firebase.growthViewer
Firebase Grow Viewer Read access to Firebase Grow products and Analytics. cloudconfig.configs.get
cloudnotifications.*
firebase.billingPlans.get
firebase.clients.get
firebase.links.list
firebase.projects.get
firebaseabt.experimentresults.*
firebaseabt.experiments.get
firebaseabt.experiments.list
firebaseabt.projectmetadata.*
firebaseanalytics.resources.googleAnalyticsReadAndAnalyze
firebasedynamiclinks.destinations.list
firebasedynamiclinks.domains.get
firebasedynamiclinks.domains.list
firebasedynamiclinks.links.get
firebasedynamiclinks.links.list
firebasedynamiclinks.stats.*
firebaseextensions.configs.list
firebaseinappmessaging.campaigns.get
firebaseinappmessaging.campaigns.list
firebasenotifications.messages.get
firebasenotifications.messages.list
firebasepredictions.predictions.list
monitoring.timeSeries.list
resourcemanager.projects.get
resourcemanager.projects.getIamPolicy
resourcemanager.projects.list
serviceusage.operations.get
serviceusage.operations.list
serviceusage.quotas.get
serviceusage.services.get
serviceusage.services.list
roles/
firebase.qualityAdmin
Firebase Quality Admin Full access to Firebase Quality products and Analytics. cloudnotifications.*
firebase.billingPlans.get
firebase.clients.get
firebase.links.list
firebase.projects.get
firebaseanalytics.*
firebaseappdistro.*
firebasecrash.*
firebasecrashlytics.*
firebaseextensions.configs.list
firebaseperformance.*
monitoring.timeSeries.list
resourcemanager.projects.get
resourcemanager.projects.getIamPolicy
resourcemanager.projects.list
serviceusage.operations.get
serviceusage.operations.list
serviceusage.quotas.get
serviceusage.services.get
serviceusage.services.list
roles/
firebase.qualityViewer
Firebase Quality Viewer Read access to Firebase Quality products and Analytics. cloudnotifications.*
firebase.billingPlans.get
firebase.clients.get
firebase.links.list
firebase.projects.get
firebaseanalytics.resources.googleAnalyticsReadAndAnalyze
firebaseappdistro.groups.list
firebaseappdistro.releases.list
firebaseappdistro.testers.list
firebasecrash.reports.*
firebasecrashlytics.config.get
firebasecrashlytics.data.*
firebasecrashlytics.issues.get
firebasecrashlytics.issues.list
firebasecrashlytics.sessions.*
firebaseextensions.configs.list
firebaseperformance.data.*
monitoring.timeSeries.list
resourcemanager.projects.get
resourcemanager.projects.getIamPolicy
resourcemanager.projects.list
serviceusage.operations.get
serviceusage.operations.list
serviceusage.quotas.get
serviceusage.services.get
serviceusage.services.list
roles/
firebase.viewer
Firebase Viewer Read-only access to Firebase products. automl.annotationSpecs.get
automl.annotationSpecs.list
automl.annotations.list
automl.columnSpecs.get
automl.columnSpecs.list
automl.datasets.get
automl.datasets.list
automl.examples.get
automl.examples.list
automl.humanAnnotationTasks.get
automl.humanAnnotationTasks.list
automl.locations.get
automl.locations.list
automl.modelEvaluations.get
automl.modelEvaluations.list
automl.models.get
automl.models.list
automl.operations.get
automl.operations.list
automl.tableSpecs.get
automl.tableSpecs.list
clientauthconfig.brands.get
clientauthconfig.brands.list
cloudconfig.configs.get
cloudfunctions.functions.get
cloudfunctions.functions.list
cloudfunctions.locations.*
cloudfunctions.operations.*
cloudnotifications.*
cloudtestservice.environmentcatalog.*
cloudtestservice.matrices.get
cloudtoolresults.executions.get
cloudtoolresults.executions.list
cloudtoolresults.histories.get
cloudtoolresults.histories.list
cloudtoolresults.settings.get
cloudtoolresults.steps.get
cloudtoolresults.steps.list
datastore.databases.get
datastore.databases.getIamPolicy
datastore.databases.list
datastore.entities.get
datastore.entities.list
datastore.indexes.get
datastore.indexes.list
datastore.namespaces.get
datastore.namespaces.getIamPolicy
datastore.namespaces.list
datastore.statistics.*
errorreporting.groups.*
firebase.billingPlans.get
firebase.clients.get
firebase.links.list
firebase.projects.get
firebaseabt.experimentresults.*
firebaseabt.experiments.get
firebaseabt.experiments.list
firebaseabt.projectmetadata.*
firebaseanalytics.resources.googleAnalyticsReadAndAnalyze
firebaseappdistro.groups.list
firebaseappdistro.releases.list
firebaseappdistro.testers.list
firebaseauth.configs.get
firebaseauth.users.get
firebasecrash.reports.*
firebasecrashlytics.config.get
firebasecrashlytics.data.*
firebasecrashlytics.issues.get
firebasecrashlytics.issues.list
firebasecrashlytics.sessions.*
firebasedatabase.instances.get
firebasedatabase.instances.list
firebasedynamiclinks.destinations.list
firebasedynamiclinks.domains.get
firebasedynamiclinks.domains.list
firebasedynamiclinks.links.get
firebasedynamiclinks.links.list
firebasedynamiclinks.stats.*
firebaseextensions.configs.list
firebasehosting.sites.get
firebasehosting.sites.list
firebaseinappmessaging.campaigns.get
firebaseinappmessaging.campaigns.list
firebaseml.compressionjobs.get
firebaseml.compressionjobs.list
firebaseml.models.get
firebaseml.models.list
firebaseml.modelversions.get
firebaseml.modelversions.list
firebasenotifications.messages.get
firebasenotifications.messages.list
firebaseperformance.data.*
firebasepredictions.predictions.list
firebaserules.releases.get
firebaserules.releases.list
firebaserules.rulesets.get
firebaserules.rulesets.list
logging.logEntries.list
monitoring.timeSeries.list
resourcemanager.projects.get
resourcemanager.projects.getIamPolicy
resourcemanager.projects.list
serviceusage.operations.get
serviceusage.operations.list
serviceusage.quotas.get
serviceusage.services.get
serviceusage.services.list
storage.buckets.get
storage.buckets.getIamPolicy
storage.buckets.list
storage.objects.get
storage.objects.getIamPolicy
storage.objects.list

Firebase Products roles

Role Title Description Permissions Lowest Resource
roles/
cloudconfig.admin
Firebase Remote Config Admin Full access to Firebase Remote Config resources. cloudconfig.*
firebase.clients.get
firebase.projects.get
resourcemanager.projects.get
resourcemanager.projects.list
roles/
cloudconfig.viewer
Firebase Remote Config Viewer Read access to Firebase Remote Config resources. cloudconfig.configs.get
firebase.clients.get
firebase.projects.get
resourcemanager.projects.get
resourcemanager.projects.list
roles/
cloudtestservice.testAdmin
Firebase Test Lab Admin Full access to all Test Lab features cloudtestservice.*
cloudtoolresults.*
firebase.billingPlans.get
firebase.clients.get
firebase.projects.get
resourcemanager.projects.get
resourcemanager.projects.list
storage.buckets.create
storage.buckets.get
storage.buckets.update
storage.objects.create
storage.objects.get
storage.objects.list
roles/
cloudtestservice.testViewer
Firebase Test Lab Viewer Read access to Test Lab features cloudtestservice.environmentcatalog.*
cloudtestservice.matrices.get
cloudtoolresults.executions.get
cloudtoolresults.executions.list
cloudtoolresults.histories.get
cloudtoolresults.histories.list
cloudtoolresults.settings.get
cloudtoolresults.steps.get
cloudtoolresults.steps.list
firebase.clients.get
firebase.projects.get
resourcemanager.projects.get
resourcemanager.projects.list
storage.objects.get
storage.objects.list
roles/
firebaseabt.admin
Firebase A/B Testing Admin Beta Full read/write access to Firebase A/B Testing resources. firebase.clients.get
firebase.projects.get
firebaseabt.*
resourcemanager.projects.get
resourcemanager.projects.list
roles/
firebaseabt.viewer
Firebase A/B Testing Viewer Beta Read-only access to Firebase A/B Testing resources. firebase.clients.get
firebase.projects.get
firebaseabt.experimentresults.*
firebaseabt.experiments.get
firebaseabt.experiments.list
firebaseabt.projectmetadata.*
resourcemanager.projects.get
resourcemanager.projects.list
roles/
firebaseappdistro.admin
Firebase App Distribution Admin Beta Full read/write access to Firebase App Distribution resources. firebase.clients.get
firebase.projects.get
firebaseappdistro.*
resourcemanager.projects.get
resourcemanager.projects.list
roles/
firebaseappdistro.viewer
Firebase App Distribution Viewer Beta Read-only access to Firebase App Distribution resources. firebase.clients.get
firebase.projects.get
firebaseappdistro.groups.list
firebaseappdistro.releases.list
firebaseappdistro.testers.list
resourcemanager.projects.get
resourcemanager.projects.list
roles/
firebaseauth.admin
Firebase Authentication Admin Full read/write access to Firebase Authentication resources. firebase.clients.get
firebase.projects.get
firebaseauth.*
resourcemanager.projects.get
resourcemanager.projects.list
roles/
firebaseauth.viewer
Firebase Authentication Viewer Read-only access to Firebase Authentication resources. firebase.clients.get
firebase.projects.get
firebaseauth.configs.get
firebaseauth.users.get
resourcemanager.projects.get
resourcemanager.projects.list
roles/
firebasecrashlytics.admin
Firebase Crashlytics Admin Full read/write access to Firebase Crashlytics resources. firebase.clients.get
firebase.projects.get
firebasecrashlytics.*
resourcemanager.projects.get
resourcemanager.projects.list
roles/
firebasecrashlytics.viewer
Firebase Crashlytics Viewer Read-only access to Firebase Crashlytics resources. firebase.clients.get
firebase.projects.get
firebasecrashlytics.config.get
firebasecrashlytics.data.*
firebasecrashlytics.issues.get
firebasecrashlytics.issues.list
firebasecrashlytics.sessions.*
resourcemanager.projects.get
resourcemanager.projects.list
roles/
firebasedatabase.admin
Firebase Realtime Database Admin Full read/write access to Firebase Realtime Database resources. firebase.clients.get
firebase.projects.get
firebasedatabase.*
resourcemanager.projects.get
resourcemanager.projects.list
roles/
firebasedatabase.viewer
Firebase Realtime Database Viewer Read-only access to Firebase Realtime Database resources. firebase.clients.get
firebase.projects.get
firebasedatabase.instances.get
firebasedatabase.instances.list
resourcemanager.projects.get
resourcemanager.projects.list
roles/
firebasedynamiclinks.admin
Firebase Dynamic Links Admin Full read/write access to Firebase Dynamic Links resources. firebase.clients.get
firebase.projects.get
firebasedynamiclinks.*
resourcemanager.projects.get
resourcemanager.projects.list
roles/
firebasedynamiclinks.viewer
Firebase Dynamic Links Viewer Read-only access to Firebase Dynamic Links resources. firebase.clients.get
firebase.projects.get
firebasedynamiclinks.destinations.list
firebasedynamiclinks.domains.get
firebasedynamiclinks.domains.list
firebasedynamiclinks.links.get
firebasedynamiclinks.links.list
firebasedynamiclinks.stats.*
resourcemanager.projects.get
resourcemanager.projects.list
roles/
firebasehosting.admin
Firebase Hosting Admin Full read/write access to Firebase Hosting resources. firebase.clients.get
firebase.projects.get
firebasehosting.*
resourcemanager.projects.get
resourcemanager.projects.list
roles/
firebasehosting.viewer
Firebase Hosting Viewer Read-only access to Firebase Hosting resources. firebase.clients.get
firebase.projects.get
firebasehosting.sites.get
firebasehosting.sites.list
resourcemanager.projects.get
resourcemanager.projects.list
roles/
firebaseinappmessaging.admin
Firebase In-App Messaging Admin Beta Full read/write access to Firebase In-App Messaging resources. firebase.clients.get
firebase.projects.get
firebaseinappmessaging.*
resourcemanager.projects.get
resourcemanager.projects.list
roles/
firebaseinappmessaging.viewer
Firebase In-App Messaging Viewer Beta Read-only access to Firebase In-App Messaging resources. firebase.clients.get
firebase.projects.get
firebaseinappmessaging.campaigns.get
firebaseinappmessaging.campaigns.list
resourcemanager.projects.get
resourcemanager.projects.list
roles/
firebaseml.admin
Firebase ML Kit Admin Beta Full read/write access to Firebase ML Kit resources. firebase.clients.get
firebase.projects.get
firebaseml.*
resourcemanager.projects.get
resourcemanager.projects.list
roles/
firebaseml.viewer
Firebase ML Kit Viewer Beta Read-only access to Firebase ML Kit resources. firebase.clients.get
firebase.projects.get
firebaseml.compressionjobs.get
firebaseml.compressionjobs.list
firebaseml.models.get
firebaseml.models.list
firebaseml.modelversions.get
firebaseml.modelversions.list
resourcemanager.projects.get
resourcemanager.projects.list
roles/
firebasenotifications.admin
Firebase Cloud Messaging Admin Full read/write access to Firebase Cloud Messaging resources. firebase.clients.get
firebase.projects.get
firebasenotifications.*
resourcemanager.projects.get
resourcemanager.projects.list
roles/
firebasenotifications.viewer
Firebase Cloud Messaging Viewer Read-only access to Firebase Cloud Messaging resources. firebase.clients.get
firebase.projects.get
firebasenotifications.messages.get
firebasenotifications.messages.list
resourcemanager.projects.get
resourcemanager.projects.list
roles/
firebaseperformance.admin
Firebase Performance Reporting Admin Full access to firebaseperformance resources. firebase.clients.get
firebase.projects.get
firebaseperformance.*
resourcemanager.projects.get
resourcemanager.projects.list
roles/
firebaseperformance.viewer
Firebase Performance Reporting Viewer Read-only access to firebaseperformance resources. firebase.clients.get
firebase.projects.get
firebaseperformance.data.*
resourcemanager.projects.get
resourcemanager.projects.list
roles/
firebasepredictions.admin
Firebase Predictions Admin Full read/write access to Firebase Predictions resources. firebase.clients.get
firebase.projects.get
firebasepredictions.*
resourcemanager.projects.get
resourcemanager.projects.list
roles/
firebasepredictions.viewer
Firebase Predictions Viewer Read-only access to Firebase Predictions resources. firebase.clients.get
firebase.projects.get
firebasepredictions.predictions.list
resourcemanager.projects.get
resourcemanager.projects.list
roles/
firebaserules.admin
Firebase Rules Admin Full management of Firebase Rules. firebaserules.*
resourcemanager.projects.get
resourcemanager.projects.list
roles/
firebaserules.viewer
Firebase Rules Viewer Read-only access on all resources with the ability to test Rulesets. firebaserules.releases.get
firebaserules.releases.list
firebaserules.rulesets.get
firebaserules.rulesets.list
resourcemanager.projects.get
resourcemanager.projects.list

Genomics roles

Role Title Description Permissions Lowest Resource
roles/
genomics.admin
Genomics Admin Full access to genomics datasets and operations. genomics.*
roles/
genomics.editor
Genomics Editor Access to read and edit genomics datasets and operations. genomics.datasets.create
genomics.datasets.delete
genomics.datasets.get
genomics.datasets.list
genomics.datasets.update
genomics.operations.*
roles/
genomics.pipelinesRunner
Genomics Pipelines Runner Full access to operate on genomics pipelines. genomics.operations.*
roles/
genomics.viewer
Genomics Viewer Access to view genomics datasets and operations. genomics.datasets.get
genomics.datasets.list
genomics.operations.get
genomics.operations.list

GKE Hub roles

Role Title Description Permissions Lowest Resource
roles/
gkehub.admin
GKE Hub Admin Beta Full access to GKE Hubs and related resources. gkehub.locations.*
gkehub.memberships.*
gkehub.operations.*
resourcemanager.projects.get
resourcemanager.projects.list
roles/
gkehub.connect
GKE Hub Connection Agent Beta Ability to set up GKE Connect between external clusters and Google. gkehub.endpoints.*
roles/
gkehub.viewer
GKE Hub Viewer Beta Read-only access to GKE Hubs and related resources. gkehub.locations.*
gkehub.memberships.generateConnectManifest
gkehub.memberships.get
gkehub.memberships.getIamPolicy
gkehub.memberships.list
gkehub.operations.get
gkehub.operations.list
resourcemanager.projects.get
resourcemanager.projects.list

Cloud Healthcare roles

Role Title Description Permissions Lowest Resource
roles/
healthcare.annotationEditor
Healthcare Annotation Editor Beta Create, delete, update, read and list annotations. healthcare.datasets.get
healthcare.datasets.list
healthcare.operations.get
resourcemanager.projects.get
resourcemanager.projects.list
roles/
healthcare.annotationReader
Healthcare Annotation Reader Beta Read and list annotations in an Annotation store. healthcare.datasets.get
healthcare.datasets.list
healthcare.operations.get
resourcemanager.projects.get
resourcemanager.projects.list
roles/
healthcare.annotationStoreAdmin
Healthcare Annotation Administrator Beta Administer Annotation stores. healthcare.datasets.get
healthcare.datasets.list
healthcare.operations.get
resourcemanager.projects.get
resourcemanager.projects.list
roles/
healthcare.annotationStoreViewer
Healthcare Annotation Store Viewer Beta List Annotation Stores in a dataset. healthcare.datasets.get
healthcare.datasets.list
healthcare.operations.get
resourcemanager.projects.get
resourcemanager.projects.list
roles/
healthcare.datasetAdmin
Healthcare Dataset Administrator Beta Administer Healthcare Datasets. healthcare.datasets.*
healthcare.operations.*
resourcemanager.projects.get
resourcemanager.projects.list
roles/
healthcare.datasetViewer
Healthcare Dataset Viewer Beta List the Healthcare Datasets in a project. healthcare.datasets.get
healthcare.datasets.list
healthcare.operations.get
resourcemanager.projects.get
resourcemanager.projects.list
roles/
healthcare.dicomEditor
Healthcare DICOM Editor Beta Edit DICOM images individually and in bulk. healthcare.datasets.get
healthcare.datasets.list
healthcare.dicomStores.dicomWebDelete
healthcare.dicomStores.dicomWebRead
healthcare.dicomStores.dicomWebWrite
healthcare.dicomStores.export
healthcare.dicomStores.get
healthcare.dicomStores.import
healthcare.dicomStores.list
healthcare.operations.cancel
healthcare.operations.get
resourcemanager.projects.get
resourcemanager.projects.list
roles/
healthcare.dicomStoreAdmin
Healthcare DICOM Store Administrator Beta Administer DICOM stores. healthcare.datasets.get
healthcare.datasets.list
healthcare.dicomStores.create
healthcare.dicomStores.delete
healthcare.dicomStores.dicomWebDelete
healthcare.dicomStores.get
healthcare.dicomStores.getIamPolicy
healthcare.dicomStores.list
healthcare.dicomStores.setIamPolicy
healthcare.dicomStores.update
healthcare.operations.cancel
healthcare.operations.get
resourcemanager.projects.get
resourcemanager.projects.list
roles/
healthcare.dicomStoreViewer
Healthcare DICOM Store Viewer Beta List DICOM Stores in a dataset. healthcare.datasets.get
healthcare.datasets.list
healthcare.dicomStores.get
healthcare.dicomStores.list
healthcare.operations.get
resourcemanager.projects.get
resourcemanager.projects.list
roles/
healthcare.dicomViewer
Healthcare DICOM Viewer Beta Retrieve DICOM images from a DICOM store. healthcare.datasets.get
healthcare.datasets.list
healthcare.dicomStores.dicomWebRead
healthcare.dicomStores.export
healthcare.dicomStores.get
healthcare.dicomStores.list
healthcare.operations.get
resourcemanager.projects.get
resourcemanager.projects.list
roles/
healthcare.fhirResourceEditor
Healthcare FHIR Resource Editor Beta Create, delete, update, read and search FHIR resources. healthcare.datasets.get
healthcare.datasets.list
healthcare.fhirResources.create
healthcare.fhirResources.delete
healthcare.fhirResources.get
healthcare.fhirResources.patch
healthcare.fhirResources.update
healthcare.fhirStores.get
healthcare.fhirStores.list
healthcare.fhirStores.searchResources
healthcare.operations.cancel
healthcare.operations.get
resourcemanager.projects.get
resourcemanager.projects.list
roles/
healthcare.fhirResourceReader
Healthcare FHIR Resource Reader Beta Read and search FHIR resources. healthcare.datasets.get
healthcare.datasets.list
healthcare.fhirResources.get
healthcare.fhirStores.get
healthcare.fhirStores.list
healthcare.fhirStores.searchResources
healthcare.operations.get
resourcemanager.projects.get
resourcemanager.projects.list
roles/
healthcare.fhirStoreAdmin
Healthcare FHIR Store Administrator Beta Administer FHIR resource stores. healthcare.datasets.get
healthcare.datasets.list
healthcare.fhirResources.purge
healthcare.fhirStores.create
healthcare.fhirStores.delete
healthcare.fhirStores.export
healthcare.fhirStores.get
healthcare.fhirStores.getIamPolicy
healthcare.fhirStores.import
healthcare.fhirStores.list
healthcare.fhirStores.setIamPolicy
healthcare.fhirStores.update
healthcare.operations.cancel
healthcare.operations.get
resourcemanager.projects.get
resourcemanager.projects.list
roles/
healthcare.fhirStoreViewer
Healthcare FHIR Store Viewer Beta List FHIR Stores in a dataset. healthcare.datasets.get
healthcare.datasets.list
healthcare.fhirStores.get
healthcare.fhirStores.list
healthcare.operations.get
resourcemanager.projects.get
resourcemanager.projects.list
roles/
healthcare.hl7V2Consumer
Healthcare HL7v2 Message Consumer Beta List and read HL7v2 messages, update message labels, and publish new messages. healthcare.datasets.get
healthcare.datasets.list
healthcare.hl7V2Messages.create
healthcare.hl7V2Messages.get
healthcare.hl7V2Messages.list
healthcare.hl7V2Messages.update
healthcare.hl7V2Stores.get
healthcare.hl7V2Stores.list
healthcare.operations.get
resourcemanager.projects.get
resourcemanager.projects.list
roles/
healthcare.hl7V2Editor
Healthcare HL7v2 Message Editor Beta Read, write, and delete access to HL7v2 messages. healthcare.datasets.get
healthcare.datasets.list
healthcare.hl7V2Messages.*
healthcare.hl7V2Stores.get
healthcare.hl7V2Stores.list
healthcare.operations.cancel
healthcare.operations.get
resourcemanager.projects.get
resourcemanager.projects.list
roles/
healthcare.hl7V2Ingest
Healthcare HL7v2 Message Ingest Beta Ingest HL7v2 messages received from a source network. healthcare.datasets.get
healthcare.datasets.list
healthcare.hl7V2Messages.ingest
healthcare.hl7V2Stores.get
healthcare.hl7V2Stores.list
healthcare.operations.get
resourcemanager.projects.get
resourcemanager.projects.list
roles/
healthcare.hl7V2StoreAdmin
Healthcare HL7v2 Store Administrator Beta Administer HL7v2 Stores. healthcare.datasets.get
healthcare.datasets.list
healthcare.hl7V2Stores.*
healthcare.operations.cancel
healthcare.operations.get
resourcemanager.projects.get
resourcemanager.projects.list
roles/
healthcare.hl7V2StoreViewer
Healthcare HL7v2 Store Viewer Beta View HL7v2 Stores in a dataset. healthcare.datasets.get
healthcare.datasets.list
healthcare.hl7V2Stores.get
healthcare.hl7V2Stores.list
healthcare.operations.get
resourcemanager.projects.get
resourcemanager.projects.list

IAM roles

Role Title Description Permissions Lowest Resource
roles/
iam.securityAdmin
Security Admin Security admin role, with permissions to get and set any IAM policy. accessapproval.requests.list
accesscontextmanager.accessLevels.list
accesscontextmanager.accessPolicies.getIamPolicy
accesscontextmanager.accessPolicies.list
accesscontextmanager.accessPolicies.setIamPolicy
accesscontextmanager.accessZones.list
accesscontextmanager.policies.getIamPolicy
accesscontextmanager.policies.list
accesscontextmanager.policies.setIamPolicy
accesscontextmanager.servicePerimeters.list
actions.agentVersions.list
apigee.apiproductattributes.list
apigee.apiproducts.list
apigee.apps.list
apigee.deployments.list
apigee.developerappattributes.list
apigee.developerapps.list
apigee.developerattributes.list
apigee.developers.list
apigee.environments.getIamPolicy
apigee.environments.list
apigee.environments.setIamPolicy
apigee.flowhooks.list
apigee.keystorealiases.list
apigee.keystores.list
apigee.keyvaluemaps.list
apigee.organizations.list
apigee.proxies.list
apigee.proxyrevisions.list
apigee.queries.list
apigee.references.list
apigee.reports.list
apigee.resourcefiles.list
apigee.sharedflowrevisions.list
apigee.sharedflows.list
apigee.targetservers.list
apigee.tracesessions.list
appengine.instances.list
appengine.memcache.list
appengine.operations.list
appengine.services.list
appengine.versions.list
automl.annotationSpecs.list
automl.annotations.list
automl.columnSpecs.list
automl.datasets.getIamPolicy
automl.datasets.list
automl.datasets.setIamPolicy
automl.examples.list
automl.humanAnnotationTasks.list
automl.locations.getIamPolicy
automl.locations.list
automl.locations.setIamPolicy
automl.modelEvaluations.list
automl.models.getIamPolicy
automl.models.list
automl.models.setIamPolicy
automl.operations.list
automl.tableSpecs.list
automlrecommendations.apiKeys.list
automlrecommendations.catalogItems.list
automlrecommendations.catalogs.list
automlrecommendations.events.list
automlrecommendations.placements.list
automlrecommendations.recommendations.*
bigquery.connections.getIamPolicy
bigquery.connections.list
bigquery.connections.setIamPolicy
bigquery.datasets.getIamPolicy
bigquery.datasets.setIamPolicy
bigquery.jobs.list
bigquery.models.list
bigquery.routines.list
bigquery.savedqueries.list
bigquery.tables.list
bigtable.appProfiles.list
bigtable.clusters.list
bigtable.instances.getIamPolicy
bigtable.instances.list
bigtable.instances.setIamPolicy
bigtable.locations.*
bigtable.tables.list
billing.accounts.getIamPolicy
billing.accounts.list
billing.accounts.setIamPolicy
billing.budgets.list
billing.credits.*
billing.resourceAssociations.list
billing.subscriptions.list
binaryauthorization.attestors.getIamPolicy
binaryauthorization.attestors.list
binaryauthorization.attestors.setIamPolicy
binaryauthorization.policy.getIamPolicy
binaryauthorization.policy.setIamPolicy
clientauthconfig.brands.list
clientauthconfig.clients.list
cloudasset.feeds.list
cloudbuild.builds.list
clouddebugger.breakpoints.list
clouddebugger.debuggees.list
cloudfunctions.functions.getIamPolicy
cloudfunctions.functions.list
cloudfunctions.functions.setIamPolicy
cloudfunctions.locations.*
cloudfunctions.operations.list
cloudiot.devices.list
cloudiot.registries.getIamPolicy
cloudiot.registries.list
cloudiot.registries.setIamPolicy
cloudjobdiscovery.companies.list
cloudkms.cryptoKeyVersions.list
cloudkms.cryptoKeys.getIamPolicy
cloudkms.cryptoKeys.list
cloudkms.cryptoKeys.setIamPolicy
cloudkms.importJobs.getIamPolicy
cloudkms.importJobs.list
cloudkms.importJobs.setIamPolicy
cloudkms.keyRings.getIamPolicy
cloudkms.keyRings.list
cloudkms.keyRings.setIamPolicy
cloudnotifications.*
cloudprivatecatalogproducer.associations.list
cloudprivatecatalogproducer.catalogs.getIamPolicy
cloudprivatecatalogproducer.catalogs.list
cloudprivatecatalogproducer.catalogs.setIamPolicy
cloudprofiler.profiles.list
cloudscheduler.jobs.list
cloudscheduler.locations.list
cloudsecurityscanner.crawledurls.*
cloudsecurityscanner.results.list
cloudsecurityscanner.scanruns.list
cloudsecurityscanner.scans.list
cloudsql.backupRuns.list
cloudsql.databases.list
cloudsql.instances.list
cloudsql.sslCerts.list
cloudsql.users.list
cloudsupport.accounts.getIamPolicy
cloudsupport.accounts.list
cloudsupport.accounts.setIamPolicy
cloudtasks.locations.list
cloudtasks.queues.getIamPolicy
cloudtasks.queues.list
cloudtasks.queues.setIamPolicy
cloudtasks.tasks.list
cloudtoolresults.executions.list
cloudtoolresults.histories.list
cloudtoolresults.steps.list
cloudtrace.insights.list
cloudtrace.tasks.list
cloudtrace.traces.list
cloudtranslate.glossaries.list
cloudtranslate.locations.list
cloudtranslate.operations.list
composer.environments.list
composer.imageversions.*
composer.operations.list
compute.acceleratorTypes.list
compute.addresses.list
compute.autoscalers.list
compute.backendBuckets.list
compute.backendServices.list
compute.commitments.list
compute.diskTypes.list
compute.disks.getIamPolicy
compute.disks.list
compute.disks.setIamPolicy
compute.externalVpnGateways.list
compute.firewalls.list
compute.forwardingRules.list
compute.globalAddresses.list
compute.globalForwardingRules.list
compute.globalOperations.getIamPolicy
compute.globalOperations.list
compute.globalOperations.setIamPolicy
compute.healthChecks.list
compute.httpHealthChecks.list
compute.httpsHealthChecks.list
compute.images.getIamPolicy
compute.images.list
compute.images.setIamPolicy
compute.instanceGroupManagers.list
compute.instanceGroups.list
compute.instanceTemplates.getIamPolicy
compute.instanceTemplates.list
compute.instanceTemplates.setIamPolicy
compute.instances.getIamPolicy
compute.instances.list
compute.instances.setIamPolicy
compute.interconnectAttachments.list
compute.interconnectLocations.list
compute.interconnects.list
compute.licenseCodes.getIamPolicy
compute.licenseCodes.list
compute.licenseCodes.setIamPolicy
compute.licenses.getIamPolicy
compute.licenses.list
compute.licenses.setIamPolicy
compute.machineTypes.list
compute.maintenancePolicies.getIamPolicy
compute.maintenancePolicies.list
compute.maintenancePolicies.setIamPolicy
compute.networkEndpointGroups.getIamPolicy
compute.networkEndpointGroups.list
compute.networkEndpointGroups.setIamPolicy
compute.networks.list
compute.nodeGroups.getIamPolicy
compute.nodeGroups.list
compute.nodeGroups.setIamPolicy
compute.nodeTemplates.getIamPolicy
compute.nodeTemplates.list
compute.nodeTemplates.setIamPolicy
compute.nodeTypes.list
compute.regionBackendServices.list
compute.regionOperations.getIamPolicy
compute.regionOperations.list
compute.regionOperations.setIamPolicy
compute.regions.list
compute.reservations.list
compute.resourcePolicies.list
compute.routers.list
compute.routes.list
compute.securityPolicies.getIamPolicy
compute.securityPolicies.list
compute.securityPolicies.setIamPolicy
compute.snapshots.getIamPolicy
compute.snapshots.list
compute.snapshots.setIamPolicy
compute.sslCertificates.list
compute.sslPolicies.list
compute.subnetworks.getIamPolicy
compute.subnetworks.list
compute.subnetworks.setIamPolicy
compute.targetHttpProxies.list
compute.targetHttpsProxies.list
compute.targetInstances.list
compute.targetPools.list
compute.targetSslProxies.list
compute.targetTcpProxies.list
compute.targetVpnGateways.list
compute.urlMaps.list
compute.vpnGateways.list
compute.vpnTunnels.list
compute.zoneOperations.getIamPolicy
compute.zoneOperations.list
compute.zoneOperations.setIamPolicy
compute.zones.list
container.apiServices.list
container.backendConfigs.list
container.bindings.list
container.certificateSigningRequests.list
container.clusterRoleBindings.list
container.clusterRoles.list
container.clusters.list
container.componentStatuses.list
container.configMaps.list
container.controllerRevisions.list
container.cronJobs.list
container.csiDrivers.list
container.csiNodes.list
container.customResourceDefinitions.list
container.daemonSets.list
container.deployments.list
container.endpoints.list
container.events.list
container.horizontalPodAutoscalers.list
container.ingresses.list
container.initializerConfigurations.list
container.jobs.list
container.limitRanges.list
container.localSubjectAccessReviews.list
container.namespaces.list
container.networkPolicies.list
container.nodes.list
container.operations.list
container.persistentVolumeClaims.list
container.persistentVolumes.list
container.petSets.list
container.podDisruptionBudgets.list
container.podPresets.list
container.podSecurityPolicies.list
container.podTemplates.list
container.pods.list
container.replicaSets.list
container.replicationControllers.list
container.resourceQuotas.list
container.roleBindings.list
container.roles.list
container.runtimeClasses.list
container.scheduledJobs.list
container.secrets.list
container.selfSubjectAccessReviews.list
container.serviceAccounts.list
container.services.list
container.statefulSets.list
container.storageClasses.list
container.subjectAccessReviews.list
container.thirdPartyObjects.list
container.thirdPartyResources.list
datacatalog.categories.getIamPolicy
datacatalog.categories.setIamPolicy
datacatalog.entries.getIamPolicy
datacatalog.entries.setIamPolicy
datacatalog.entryGroups.getIamPolicy
datacatalog.entryGroups.setIamPolicy
datacatalog.tagTemplates.getIamPolicy
datacatalog.tagTemplates.setIamPolicy
datacatalog.taxonomies.getIamPolicy
datacatalog.taxonomies.list
datacatalog.taxonomies.setIamPolicy
dataflow.jobs.list
dataflow.messages.*
datafusion.instances.getIamPolicy
datafusion.instances.list
datafusion.instances.setIamPolicy
datafusion.locations.list
datafusion.operations.list
datalabeling.annotateddatasets.list
datalabeling.annotationspecsets.list
datalabeling.dataitems.list
datalabeling.datasets.list
datalabeling.examples.list
datalabeling.instructions.list
datalabeling.operations.list
dataproc.agents.list
dataproc.clusters.getIamPolicy
dataproc.clusters.list
dataproc.clusters.setIamPolicy
dataproc.jobs.getIamPolicy
dataproc.jobs.list
dataproc.jobs.setIamPolicy
dataproc.operations.getIamPolicy
dataproc.operations.list
dataproc.operations.setIamPolicy
dataproc.workflowTemplates.getIamPolicy
dataproc.workflowTemplates.list
dataproc.workflowTemplates.setIamPolicy
dataprocessing.featurecontrols.list
datastore.databases.getIamPolicy
datastore.databases.list
datastore.databases.setIamPolicy
datastore.entities.list
datastore.indexes.list
datastore.locations.list
datastore.namespaces.getIamPolicy
datastore.namespaces.list
datastore.namespaces.setIamPolicy
datastore.operations.list
datastore.statistics.list
deploymentmanager.compositeTypes.list
deploymentmanager.deployments.getIamPolicy
deploymentmanager.deployments.list
deploymentmanager.deployments.setIamPolicy
deploymentmanager.manifests.list
deploymentmanager.operations.list
deploymentmanager.resources.list
deploymentmanager.typeProviders.list
deploymentmanager.types.list
dialogflow.contexts.list
dialogflow.documents.list
dialogflow.entityTypes.list
dialogflow.intents.list
dialogflow.knowledgeBases.list
dialogflow.sessionEntityTypes.list
dlp.analyzeRiskTemplates.list
dlp.deidentifyTemplates.list
dlp.inspectTemplates.list
dlp.jobTriggers.list
dlp.jobs.list
dlp.storedInfoTypes.list
dns.changes.list
dns.dnsKeys.list
dns.managedZoneOperations.list
dns.managedZones.list
dns.policies.getIamPolicy
dns.policies.list
dns.policies.setIamPolicy
dns.resourceRecordSets.list
errorreporting.applications.*
errorreporting.errorEvents.list
errorreporting.groups.*
file.instances.list
file.locations.list
file.operations.list
file.snapshots.list
firebase.links.list
firebaseabt.experiments.list
firebaseappdistro.groups.list
firebaseappdistro.releases.list
firebaseappdistro.testers.list
firebasecrashlytics.issues.list
firebasedatabase.instances.list
firebasedynamiclinks.destinations.list
firebasedynamiclinks.domains.list
firebasedynamiclinks.links.list
firebaseextensions.configs.list
firebasehosting.sites.list
firebaseinappmessaging.campaigns.list
firebaseml.compressionjobs.list
firebaseml.models.list
firebaseml.modelversions.list
firebasenotifications.messages.list
firebasepredictions.predictions.list
firebaserules.releases.list
firebaserules.rulesets.list
genomics.datasets.getIamPolicy
genomics.datasets.list
genomics.datasets.setIamPolicy
genomics.operations.list
gkehub.locations.list
gkehub.memberships.getIamPolicy
gkehub.memberships.list
gkehub.memberships.setIamPolicy
gkehub.operations.list
healthcare.datasets.getIamPolicy
healthcare.datasets.list
healthcare.datasets.setIamPolicy
healthcare.dicomStores.getIamPolicy
healthcare.dicomStores.list
healthcare.dicomStores.setIamPolicy
healthcare.fhirStores.getIamPolicy
healthcare.fhirStores.list
healthcare.fhirStores.setIamPolicy
healthcare.hl7V2Messages.list
healthcare.hl7V2Stores.getIamPolicy
healthcare.hl7V2Stores.list
healthcare.hl7V2Stores.setIamPolicy
healthcare.operations.list
iam.roles.get
iam.roles.list
iam.serviceAccountKeys.list
iam.serviceAccounts.get
iam.serviceAccounts.getIamPolicy
iam.serviceAccounts.list
iam.serviceAccounts.setIamPolicy
iap.tunnel.*
iap.tunnelInstances.getIamPolicy
iap.tunnelInstances.setIamPolicy
iap.tunnelZones.*
iap.web.getIamPolicy
iap.web.setIamPolicy
iap.webServiceVersions.getIamPolicy
iap.webServiceVersions.setIamPolicy
iap.webServices.getIamPolicy
iap.webServices.setIamPolicy
iap.webTypes.getIamPolicy
iap.webTypes.setIamPolicy
lifesciences.operations.list
logging.exclusions.list
logging.logEntries.list
logging.logMetrics.list
logging.logServiceIndexes.*
logging.logServices.*
logging.logs.list
logging.privateLogEntries.*
logging.sinks.list
managedidentities.domains.getIamPolicy
managedidentities.domains.list
managedidentities.domains.setIamPolicy
managedidentities.locations.list
managedidentities.operations.list
ml.jobs.getIamPolicy
ml.jobs.list
ml.jobs.setIamPolicy
ml.locations.list
ml.models.getIamPolicy
ml.models.list
ml.models.setIamPolicy
ml.operations.list
ml.versions.list
monitoring.alertPolicies.list
monitoring.dashboards.list
monitoring.groups.list
monitoring.metricDescriptors.list
monitoring.monitoredResourceDescriptors.list
monitoring.notificationChannelDescriptors.list
monitoring.notificationChannels.list
monitoring.publicWidgets.list
monitoring.timeSeries.list
monitoring.uptimeCheckConfigs.list
netappcloudvolumes.activeDirectories.list
netappcloudvolumes.ipRanges.*
netappcloudvolumes.jobs.list
netappcloudvolumes.regions.*
netappcloudvolumes.serviceLevels.*
netappcloudvolumes.snapshots.list
netappcloudvolumes.volumes.list
notebooks.environments.getIamPolicy
notebooks.environments.list
notebooks.environments.setIamPolicy
notebooks.instances.getIamPolicy
notebooks.instances.list
notebooks.instances.setIamPolicy
notebooks.locations.list
notebooks.operations.list
proximitybeacon.attachments.list
proximitybeacon.beacons.getIamPolicy
proximitybeacon.beacons.list
proximitybeacon.beacons.setIamPolicy
proximitybeacon.namespaces.getIamPolicy
proximitybeacon.namespaces.list
proximitybeacon.namespaces.setIamPolicy
pubsub.snapshots.getIamPolicy
pubsub.snapshots.list
pubsub.snapshots.setIamPolicy
pubsub.subscriptions.getIamPolicy
pubsub.subscriptions.list
pubsub.subscriptions.setIamPolicy
pubsub.topics.getIamPolicy
pubsub.topics.list
pubsub.topics.setIamPolicy
recommender.computeInstanceGroupManagerMachineTypeRecommendations.list
recommender.computeInstanceMachineTypeRecommendations.list
recommender.iamPolicyRecommendations.list
recommender.locations.list
redis.instances.list
redis.locations.list
redis.operations.list
redisenterprisecloud.databases.list
redisenterprisecloud.subscriptions.list
remotebuildexecution.instances.list
remotebuildexecution.workerpools.list
resourcemanager.folders.getIamPolicy
resourcemanager.folders.list
resourcemanager.folders.setIamPolicy
resourcemanager.organizations.getIamPolicy
resourcemanager.organizations.setIamPolicy
resourcemanager.projects.getIamPolicy
resourcemanager.projects.list
resourcemanager.projects.setIamPolicy
run.configurations.list
run.locations.*
run.revisions.list
run.routes.list
run.services.getIamPolicy
run.services.list
run.services.setIamPolicy
runtimeconfig.configs.getIamPolicy
runtimeconfig.configs.list
runtimeconfig.configs.setIamPolicy
runtimeconfig.operations.list
runtimeconfig.variables.getIamPolicy
runtimeconfig.variables.list
runtimeconfig.variables.setIamPolicy
runtimeconfig.waiters.getIamPolicy
runtimeconfig.waiters.list
runtimeconfig.waiters.setIamPolicy
secretmanager.locations.list
secretmanager.secrets.getIamPolicy
secretmanager.secrets.list
secretmanager.secrets.setIamPolicy
secretmanager.versions.list
securitycenter.assets.list
securitycenter.findings.list
securitycenter.sources.getIamPolicy
securitycenter.sources.list
securitycenter.sources.setIamPolicy
servicebroker.bindingoperations.list
servicebroker.bindings.getIamPolicy
servicebroker.bindings.list
servicebroker.bindings.setIamPolicy
servicebroker.catalogs.getIamPolicy
servicebroker.catalogs.list
servicebroker.catalogs.setIamPolicy
servicebroker.instanceoperations.list
servicebroker.instances.getIamPolicy
servicebroker.instances.list
servicebroker.instances.setIamPolicy
serviceconsumermanagement.tenancyu.list
servicemanagement.consumerSettings.getIamPolicy
servicemanagement.consumerSettings.list
servicemanagement.consumerSettings.setIamPolicy
servicemanagement.services.getIamPolicy
servicemanagement.services.list
servicemanagement.services.setIamPolicy
servicenetworking.operations.list
serviceusage.apiKeys.list
serviceusage.operations.list
serviceusage.services.list
source.repos.getIamPolicy
source.repos.list
source.repos.setIamPolicy
spanner.databaseOperations.list
spanner.databases.getIamPolicy
spanner.databases.list
spanner.databases.setIamPolicy
spanner.instanceConfigs.list
spanner.instanceOperations.list
spanner.instances.getIamPolicy
spanner.instances.list
spanner.instances.setIamPolicy
spanner.sessions.list
storage.buckets.getIamPolicy
storage.buckets.list
storage.buckets.setIamPolicy
storage.hmacKeys.list
storage.objects.getIamPolicy
storage.objects.list
storage.objects.setIamPolicy
storagetransfer.jobs.list
storagetransfer.operations.list
tpu.acceleratortypes.list
tpu.locations.list
tpu.nodes.list
tpu.operations.list
tpu.tensorflowversions.list
vmmigration.deployments.list
vpcaccess.connectors.list
vpcaccess.locations.*
vpcaccess.operations.list
roles/
iam.securityReviewer
Security Reviewer Provides permissions to list all resources and Cloud IAM policies on them. accessapproval.requests.list
accesscontextmanager.accessLevels.list
accesscontextmanager.accessPolicies.getIamPolicy
accesscontextmanager.accessPolicies.list
accesscontextmanager.accessZones.list
accesscontextmanager.policies.getIamPolicy
accesscontextmanager.policies.list
accesscontextmanager.servicePerimeters.list
actions.agentVersions.list
apigee.apiproductattributes.list
apigee.apiproducts.list
apigee.apps.list
apigee.deployments.list
apigee.developerappattributes.list
apigee.developerapps.list
apigee.developerattributes.list
apigee.developers.list
apigee.environments.getIamPolicy
apigee.environments.list
apigee.flowhooks.list
apigee.keystorealiases.list
apigee.keystores.list
apigee.keyvaluemaps.list
apigee.organizations.list
apigee.proxies.list
apigee.proxyrevisions.list
apigee.queries.list
apigee.references.list
apigee.reports.list
apigee.resourcefiles.list
apigee.sharedflowrevisions.list
apigee.sharedflows.list
apigee.targetservers.list
apigee.tracesessions.list
appengine.instances.list
appengine.memcache.list
appengine.operations.list
appengine.services.list
appengine.versions.list
automl.annotationSpecs.list
automl.annotations.list
automl.columnSpecs.list
automl.datasets.getIamPolicy
automl.datasets.list
automl.examples.list
automl.humanAnnotationTasks.list
automl.locations.getIamPolicy
automl.locations.list
automl.modelEvaluations.list
automl.models.getIamPolicy
automl.models.list
automl.operations.list
automl.tableSpecs.list
automlrecommendations.apiKeys.list
automlrecommendations.catalogItems.list
automlrecommendations.catalogs.list
automlrecommendations.events.list
automlrecommendations.placements.list
automlrecommendations.recommendations.*
bigquery.connections.getIamPolicy
bigquery.connections.list
bigquery.datasets.getIamPolicy
bigquery.jobs.list
bigquery.models.list
bigquery.routines.list
bigquery.savedqueries.list
bigquery.tables.list
bigtable.appProfiles.list
bigtable.clusters.list
bigtable.instances.getIamPolicy
bigtable.instances.list
bigtable.locations.*
bigtable.tables.list
billing.accounts.getIamPolicy
billing.accounts.list
billing.budgets.list
billing.credits.*
billing.resourceAssociations.list
billing.subscriptions.list
binaryauthorization.attestors.getIamPolicy
binaryauthorization.attestors.list
binaryauthorization.policy.getIamPolicy
clientauthconfig.brands.list
clientauthconfig.clients.list
cloudasset.feeds.list
cloudbuild.builds.list
clouddebugger.breakpoints.list
clouddebugger.debuggees.list
cloudfunctions.functions.getIamPolicy
cloudfunctions.functions.list
cloudfunctions.locations.*
cloudfunctions.operations.list
cloudiot.devices.list
cloudiot.registries.getIamPolicy
cloudiot.registries.list
cloudjobdiscovery.companies.list
cloudkms.cryptoKeyVersions.list
cloudkms.cryptoKeys.getIamPolicy
cloudkms.cryptoKeys.list
cloudkms.importJobs.getIamPolicy
cloudkms.importJobs.list
cloudkms.keyRings.getIamPolicy
cloudkms.keyRings.list
cloudnotifications.*
cloudprivatecatalogproducer.associations.list
cloudprivatecatalogproducer.catalogs.getIamPolicy
cloudprivatecatalogproducer.catalogs.list
cloudprofiler.profiles.list
cloudscheduler.jobs.list
cloudscheduler.locations.list
cloudsecurityscanner.crawledurls.*
cloudsecurityscanner.results.list
cloudsecurityscanner.scanruns.list
cloudsecurityscanner.scans.list
cloudsql.backupRuns.list
cloudsql.databases.list
cloudsql.instances.list
cloudsql.sslCerts.list
cloudsql.users.list
cloudsupport.accounts.getIamPolicy
cloudsupport.accounts.list
cloudtasks.locations.list
cloudtasks.queues.getIamPolicy
cloudtasks.queues.list
cloudtasks.tasks.list
cloudtoolresults.executions.list
cloudtoolresults.histories.list
cloudtoolresults.steps.list
cloudtrace.insights.list
cloudtrace.tasks.list
cloudtrace.traces.list
cloudtranslate.glossaries.list
cloudtranslate.locations.list
cloudtranslate.operations.list
composer.environments.list
composer.imageversions.*
composer.operations.list
compute.acceleratorTypes.list
compute.addresses.list
compute.autoscalers.list
compute.backendBuckets.list
compute.backendServices.list
compute.commitments.list
compute.diskTypes.list
compute.disks.getIamPolicy
compute.disks.list
compute.externalVpnGateways.list
compute.firewalls.list
compute.forwardingRules.list
compute.globalAddresses.list
compute.globalForwardingRules.list
compute.globalOperations.getIamPolicy
compute.globalOperations.list
compute.healthChecks.list
compute.httpHealthChecks.list
compute.httpsHealthChecks.list
compute.images.getIamPolicy
compute.images.list
compute.instanceGroupManagers.list
compute.instanceGroups.list
compute.instanceTemplates.getIamPolicy
compute.instanceTemplates.list
compute.instances.getIamPolicy
compute.instances.list
compute.interconnectAttachments.list
compute.interconnectLocations.list
compute.interconnects.list
compute.licenseCodes.getIamPolicy
compute.licenseCodes.list
compute.licenses.getIamPolicy
compute.licenses.list
compute.machineTypes.list
compute.maintenancePolicies.getIamPolicy
compute.maintenancePolicies.list
compute.networkEndpointGroups.getIamPolicy
compute.networkEndpointGroups.list
compute.networks.list
compute.nodeGroups.getIamPolicy
compute.nodeGroups.list
compute.nodeTemplates.getIamPolicy
compute.nodeTemplates.list
compute.nodeTypes.list
compute.regionBackendServices.list
compute.regionOperations.getIamPolicy
compute.regionOperations.list
compute.regions.list
compute.reservations.list
compute.resourcePolicies.list
compute.routers.list
compute.routes.list
compute.securityPolicies.getIamPolicy
compute.securityPolicies.list
compute.snapshots.getIamPolicy
compute.snapshots.list
compute.sslCertificates.list
compute.sslPolicies.list
compute.subnetworks.getIamPolicy
compute.subnetworks.list
compute.targetHttpProxies.list
compute.targetHttpsProxies.list
compute.targetInstances.list
compute.targetPools.list
compute.targetSslProxies.list
compute.targetTcpProxies.list
compute.targetVpnGateways.list
compute.urlMaps.list
compute.vpnGateways.list
compute.vpnTunnels.list
compute.zoneOperations.getIamPolicy
compute.zoneOperations.list
compute.zones.list
container.apiServices.list
container.backendConfigs.list
container.bindings.list
container.certificateSigningRequests.list
container.clusterRoleBindings.list
container.clusterRoles.list
container.clusters.list
container.componentStatuses.list
container.configMaps.list
container.controllerRevisions.list
container.cronJobs.list
container.csiDrivers.list
container.csiNodes.list
container.customResourceDefinitions.list
container.daemonSets.list
container.deployments.list
container.endpoints.list
container.events.list
container.horizontalPodAutoscalers.list
container.ingresses.list
container.initializerConfigurations.list
container.jobs.list
container.limitRanges.list
container.localSubjectAccessReviews.list
container.namespaces.list
container.networkPolicies.list
container.nodes.list
container.operations.list
container.persistentVolumeClaims.list
container.persistentVolumes.list
container.petSets.list
container.podDisruptionBudgets.list
container.podPresets.list
container.podSecurityPolicies.list
container.podTemplates.list
container.pods.list
container.replicaSets.list
container.replicationControllers.list
container.resourceQuotas.list
container.roleBindings.list
container.roles.list
container.runtimeClasses.list
container.scheduledJobs.list
container.secrets.list
container.selfSubjectAccessReviews.list
container.serviceAccounts.list
container.services.list
container.statefulSets.list
container.storageClasses.list
container.subjectAccessReviews.list
container.thirdPartyObjects.list
container.thirdPartyResources.list
datacatalog.categories.getIamPolicy
datacatalog.entries.getIamPolicy
datacatalog.entryGroups.getIamPolicy
datacatalog.tagTemplates.getIamPolicy
datacatalog.taxonomies.getIamPolicy
datacatalog.taxonomies.list
dataflow.jobs.list
dataflow.messages.*
datafusion.instances.getIamPolicy
datafusion.instances.list
datafusion.locations.list
datafusion.operations.list
datalabeling.annotateddatasets.list
datalabeling.annotationspecsets.list
datalabeling.dataitems.list
datalabeling.datasets.list
datalabeling.examples.list
datalabeling.instructions.list
datalabeling.operations.list
dataproc.agents.list
dataproc.clusters.getIamPolicy
dataproc.clusters.list
dataproc.jobs.getIamPolicy
dataproc.jobs.list
dataproc.operations.getIamPolicy
dataproc.operations.list
dataproc.workflowTemplates.getIamPolicy
dataproc.workflowTemplates.list
dataprocessing.featurecontrols.list
datastore.databases.getIamPolicy
datastore.databases.list
datastore.entities.list
datastore.indexes.list
datastore.locations.list
datastore.namespaces.getIamPolicy
datastore.namespaces.list
datastore.operations.list
datastore.statistics.list
deploymentmanager.compositeTypes.list
deploymentmanager.deployments.getIamPolicy
deploymentmanager.deployments.list
deploymentmanager.manifests.list
deploymentmanager.operations.list
deploymentmanager.resources.list
deploymentmanager.typeProviders.list
deploymentmanager.types.list
dialogflow.contexts.list
dialogflow.documents.list
dialogflow.entityTypes.list
dialogflow.intents.list
dialogflow.knowledgeBases.list
dialogflow.sessionEntityTypes.list
dlp.analyzeRiskTemplates.list
dlp.deidentifyTemplates.list
dlp.inspectTemplates.list
dlp.jobTriggers.list
dlp.jobs.list
dlp.storedInfoTypes.list
dns.changes.list
dns.dnsKeys.list
dns.managedZoneOperations.list
dns.managedZones.list
dns.policies.getIamPolicy
dns.policies.list
dns.resourceRecordSets.list
errorreporting.applications.*
errorreporting.errorEvents.list
errorreporting.groups.*
file.instances.list
file.locations.list
file.operations.list
file.snapshots.list
firebase.links.list
firebaseabt.experiments.list
firebaseappdistro.groups.list
firebaseappdistro.releases.list
firebaseappdistro.testers.list
firebasecrashlytics.issues.list
firebasedatabase.instances.list
firebasedynamiclinks.destinations.list
firebasedynamiclinks.domains.list
firebasedynamiclinks.links.list
firebaseextensions.configs.list
firebasehosting.sites.list
firebaseinappmessaging.campaigns.list
firebaseml.compressionjobs.list
firebaseml.models.list
firebaseml.modelversions.list
firebasenotifications.messages.list
firebasepredictions.predictions.list
firebaserules.releases.list
firebaserules.rulesets.list
genomics.datasets.getIamPolicy
genomics.datasets.list
genomics.operations.list
gkehub.locations.list
gkehub.memberships.getIamPolicy
gkehub.memberships.list
gkehub.operations.list
healthcare.datasets.getIamPolicy
healthcare.datasets.list
healthcare.dicomStores.getIamPolicy
healthcare.dicomStores.list
healthcare.fhirStores.getIamPolicy
healthcare.fhirStores.list
healthcare.hl7V2Messages.list
healthcare.hl7V2Stores.getIamPolicy
healthcare.hl7V2Stores.list
healthcare.operations.list
iam.roles.get
iam.roles.list
iam.serviceAccountKeys.list
iam.serviceAccounts.get
iam.serviceAccounts.getIamPolicy
iam.serviceAccounts.list
iap.tunnel.getIamPolicy
iap.tunnelInstances.getIamPolicy
iap.tunnelZones.getIamPolicy
iap.web.getIamPolicy
iap.webServiceVersions.getIamPolicy
iap.webServices.getIamPolicy
iap.webTypes.getIamPolicy
lifesciences.operations.list
logging.exclusions.list
logging.logEntries.list
logging.logMetrics.list
logging.logServiceIndexes.*
logging.logServices.*
logging.logs.list
logging.privateLogEntries.*
logging.sinks.list
managedidentities.domains.getIamPolicy
managedidentities.domains.list
managedidentities.locations.list
managedidentities.operations.list
ml.jobs.getIamPolicy
ml.jobs.list
ml.locations.list
ml.models.getIamPolicy
ml.models.list
ml.operations.list
ml.versions.list
monitoring.alertPolicies.list
monitoring.dashboards.list
monitoring.groups.list
monitoring.metricDescriptors.list
monitoring.monitoredResourceDescriptors.list
monitoring.notificationChannelDescriptors.list
monitoring.notificationChannels.list
monitoring.publicWidgets.list
monitoring.timeSeries.list
monitoring.uptimeCheckConfigs.list
netappcloudvolumes.activeDirectories.list
netappcloudvolumes.ipRanges.*
netappcloudvolumes.jobs.list
netappcloudvolumes.regions.*
netappcloudvolumes.serviceLevels.*
netappcloudvolumes.snapshots.list
netappcloudvolumes.volumes.list
notebooks.environments.getIamPolicy
notebooks.environments.list
notebooks.instances.getIamPolicy
notebooks.instances.list
notebooks.locations.list
notebooks.operations.list
proximitybeacon.attachments.list
proximitybeacon.beacons.getIamPolicy
proximitybeacon.beacons.list
proximitybeacon.namespaces.getIamPolicy
proximitybeacon.namespaces.list
pubsub.snapshots.getIamPolicy
pubsub.snapshots.list
pubsub.subscriptions.getIamPolicy
pubsub.subscriptions.list
pubsub.topics.getIamPolicy
pubsub.topics.list
recommender.computeInstanceGroupManagerMachineTypeRecommendations.list
recommender.computeInstanceMachineTypeRecommendations.list
recommender.iamPolicyRecommendations.list
recommender.locations.list
redis.instances.list
redis.locations.list
redis.operations.list
redisenterprisecloud.databases.list
redisenterprisecloud.subscriptions.list
remotebuildexecution.instances.list
remotebuildexecution.workerpools.list
resourcemanager.folders.getIamPolicy
resourcemanager.folders.list
resourcemanager.organizations.getIamPolicy
resourcemanager.projects.getIamPolicy
resourcemanager.projects.list
run.configurations.list
run.locations.*
run.revisions.list
run.routes.list
run.services.getIamPolicy
run.services.list
runtimeconfig.configs.getIamPolicy
runtimeconfig.configs.list
runtimeconfig.operations.list
runtimeconfig.variables.getIamPolicy
runtimeconfig.variables.list
runtimeconfig.waiters.getIamPolicy
runtimeconfig.waiters.list
secretmanager.locations.list
secretmanager.secrets.getIamPolicy
secretmanager.secrets.list
secretmanager.versions.list
securitycenter.assets.list
securitycenter.findings.list
securitycenter.sources.getIamPolicy
securitycenter.sources.list
servicebroker.bindingoperations.list
servicebroker.bindings.getIamPolicy
servicebroker.bindings.list
servicebroker.catalogs.getIamPolicy
servicebroker.catalogs.list
servicebroker.instanceoperations.list
servicebroker.instances.getIamPolicy
servicebroker.instances.list
serviceconsumermanagement.tenancyu.list
servicemanagement.consumerSettings.getIamPolicy
servicemanagement.consumerSettings.list
servicemanagement.services.getIamPolicy
servicemanagement.services.list
servicenetworking.operations.list
serviceusage.apiKeys.list
serviceusage.operations.list
serviceusage.services.list
source.repos.getIamPolicy
source.repos.list
spanner.databaseOperations.list
spanner.databases.getIamPolicy
spanner.databases.list
spanner.instanceConfigs.list
spanner.instanceOperations.list
spanner.instances.getIamPolicy
spanner.instances.list
spanner.sessions.list
storage.buckets.getIamPolicy
storage.buckets.list
storage.hmacKeys.list
storage.objects.getIamPolicy
storage.objects.list
storagetransfer.jobs.list
storagetransfer.operations.list
tpu.acceleratortypes.list
tpu.locations.list
tpu.nodes.list
tpu.operations.list
tpu.tensorflowversions.list
vmmigration.deployments.list
vpcaccess.connectors.list
vpcaccess.locations.*
vpcaccess.operations.list
Disk, image, instance, instanceTemplate, nodeGroup, nodeTemplate, snapshot Beta

Roles roles

Role Title Description Permissions Lowest Resource
roles/
iam.organizationRoleAdmin
Organization Role Administrator Provides access to administer all custom roles in the organization and the projects below it. iam.roles.*
resourcemanager.organizations.get
resourcemanager.organizations.getIamPolicy
resourcemanager.projects.get
resourcemanager.projects.getIamPolicy
resourcemanager.projects.list
Organization
roles/
iam.organizationRoleViewer
Organization Role Viewer Provides read access to all custom roles in the organization and the projects below it. iam.roles.get
iam.roles.list
resourcemanager.organizations.get
resourcemanager.organizations.getIamPolicy
resourcemanager.projects.get
resourcemanager.projects.getIamPolicy
resourcemanager.projects.list
Project
roles/
iam.roleAdmin
Role Administrator Provides access to all custom roles in the project. iam.roles.*
resourcemanager.projects.get
resourcemanager.projects.getIamPolicy
Project
roles/
iam.roleViewer
Role Viewer Provides read access to all custom roles in the project. iam.roles.get
iam.roles.list
resourcemanager.projects.get
resourcemanager.projects.getIamPolicy
Project

Service Accounts roles

Role Title Description Permissions Lowest Resource
roles/
iam.serviceAccountAdmin
Service Account Admin Create and manage service accounts. iam.serviceAccounts.create
iam.serviceAccounts.delete
iam.serviceAccounts.get
iam.serviceAccounts.getIamPolicy
iam.serviceAccounts.list
iam.serviceAccounts.setIamPolicy
iam.serviceAccounts.update
resourcemanager.projects.get
resourcemanager.projects.list
Service Account
roles/
iam.serviceAccountCreator
Create Service Accounts Access to create service accounts. iam.serviceAccounts.create
iam.serviceAccounts.get
iam.serviceAccounts.list
resourcemanager.projects.get
resourcemanager.projects.list
roles/
iam.serviceAccountDeleter
Delete Service Accounts Access to delete service accounts. iam.serviceAccounts.delete
iam.serviceAccounts.get
iam.serviceAccounts.list
resourcemanager.projects.get
resourcemanager.projects.list
roles/
iam.serviceAccountKeyAdmin
Service Account Key Admin Create and manage (and rotate) service account keys. iam.serviceAccountKeys.*
iam.serviceAccounts.get
iam.serviceAccounts.list
resourcemanager.projects.get
resourcemanager.projects.list
Service Account
roles/
iam.serviceAccountTokenCreator
Service Account Token Creator Impersonate service accounts (create OAuth2 access tokens, sign blobs or JWTs, etc). iam.serviceAccounts.get
iam.serviceAccounts.getAccessToken
iam.serviceAccounts.implicitDelegation
iam.serviceAccounts.list
iam.serviceAccounts.signBlob
iam.serviceAccounts.signJwt
resourcemanager.projects.get
resourcemanager.projects.list
Service Account
roles/
iam.serviceAccountUser
Service Account User Run operations as the service account. iam.serviceAccounts.actAs
iam.serviceAccounts.get
iam.serviceAccounts.list
resourcemanager.projects.get
resourcemanager.projects.list
Service Account
roles/
iam.workloadIdentityUser
Workload Identity User Impersonate service accounts from GKE Workloads iam.serviceAccounts.get
iam.serviceAccounts.getAccessToken
iam.serviceAccounts.list

Cloud Life Sciences roles

Role Title Description Permissions Lowest Resource
roles/
lifesciences.admin
Cloud Life Sciences Admin Beta Full control of Cloud Life Sciences resources. lifesciences.*
roles/
lifesciences.editor
Cloud Life Sciences Editor Beta Access to read and edit Cloud Life Sciences resources. lifesciences.*
roles/
lifesciences.viewer
Cloud Life Sciences Viewer Beta Access to read Cloud Life Sciences resources. lifesciences.operations.get
lifesciences.operations.list
roles/
lifesciences.workflowsRunner
Cloud Life Sciences Workflows Runner Beta Full access to operate on Cloud Life Sciences workflows. lifesciences.*

Logging roles

Role Title Description Permissions Lowest Resource
roles/
logging.admin
Logging Admin Provides all permissions necessary to use all features of Stackdriver Logging. logging.*
resourcemanager.projects.get
resourcemanager.projects.list
Project
roles/
logging.configWriter
Logs Configuration Writer Provides permissions to read and write the configurations of logs-based metrics and sinks for exporting logs. logging.exclusions.*
logging.logMetrics.*
logging.logServiceIndexes.*
logging.logServices.*
logging.logs.list
logging.sinks.*
resourcemanager.projects.get
resourcemanager.projects.list
Project
roles/
logging.logWriter
Logs Writer Provides the permissions to write log entries. logging.logEntries.create
Project
roles/
logging.privateLogViewer
Private Logs Viewer Provides permissions of the Logs Viewer role and in addition, provides read-only access to log entries in private logs. logging.exclusions.get
logging.exclusions.list
logging.logEntries.list
logging.logMetrics.get
logging.logMetrics.list
logging.logServiceIndexes.*
logging.logServices.*
logging.logs.list
logging.privateLogEntries.*
logging.sinks.get
logging.sinks.list
logging.usage.*
resourcemanager.projects.get
Project
roles/
logging.viewer
Logs Viewer Provides access to view logs. logging.exclusions.get
logging.exclusions.list
logging.logEntries.list
logging.logMetrics.get
logging.logMetrics.list
logging.logServiceIndexes.*
logging.logServices.*
logging.logs.list
logging.sinks.get
logging.sinks.list
logging.usage.*
resourcemanager.projects.get
Project

Cloud Managed Identities roles

Role Title Description Permissions Lowest Resource
roles/
managedidentities.admin
Google Cloud Managed Identities Admin Full access to Google Cloud Managed Identities Domains and related resources. Intended to be granted on a project-level. managedidentities.*
resourcemanager.projects.get
resourcemanager.projects.list
roles/
managedidentities.domainAdmin
Google Cloud Managed Identities Domain Admin Read-Update-Delete to Google Cloud Managed Identities Domains and related resources. Intended to be granted on a resource (domain) level. managedidentities.domains.attachTrust
managedidentities.domains.delete
managedidentities.domains.detachTrust
managedidentities.domains.get
managedidentities.domains.getIamPolicy
managedidentities.domains.reconfigureTrust
managedidentities.domains.resetpassword
managedidentities.domains.update
managedidentities.domains.validateTrust
managedidentities.locations.*
managedidentities.operations.get
managedidentities.operations.list
resourcemanager.projects.get
resourcemanager.projects.list
roles/
managedidentities.viewer
Google Cloud Managed Identities Viewer Read-only access to Google Cloud Managed Identities Domains and related resources. managedidentities.domains.get
managedidentities.domains.getIamPolicy
managedidentities.domains.list
managedidentities.locations.*
managedidentities.operations.get
managedidentities.operations.list
resourcemanager.projects.get
resourcemanager.projects.list

Machine Learning Engine roles

Role Title Description Permissions Lowest Resource
roles/
ml.admin
ML Engine Admin Provides full access to AI Platform resources, and its jobs, operations, models, and versions. ml.*
resourcemanager.projects.get
Project
roles/
ml.developer
ML Engine Developer Provides ability to use AI Platform resources for creating models, versions, jobs for training and prediction, and sending online prediction requests. ml.jobs.create
ml.jobs.get
ml.jobs.getIamPolicy
ml.jobs.list
ml.locations.*
ml.models.create
ml.models.get
ml.models.getIamPolicy
ml.models.list
ml.models.predict
ml.operations.get
ml.operations.list
ml.projects.*
ml.versions.get
ml.versions.list
ml.versions.predict
resourcemanager.projects.get
Project
roles/
ml.jobOwner
ML Engine Job Owner Provides full access to all permissions for a particular job resource. This role is automatically granted to the user who creates the job. ml.jobs.*
Job
roles/
ml.modelOwner
ML Engine Model Owner Provides full access to the model and its versions. This role is automatically granted to the user who creates the model. ml.models.*
ml.versions.*
Model
roles/
ml.modelUser
ML Engine Model User Provides permissions to read the model and its versions, and use them for prediction. ml.models.get
ml.models.predict
ml.versions.get
ml.versions.list
ml.versions.predict
Model
roles/
ml.operationOwner
ML Engine Operation Owner Provides full access to all permissions for a particular operation resource. ml.operations.*
Operation
roles/
ml.viewer
ML Engine Viewer Provides read-only access to AI Platform resources. ml.jobs.get
ml.jobs.list
ml.locations.*
ml.models.get
ml.models.list
ml.operations.get
ml.operations.list
ml.projects.*
ml.versions.get
ml.versions.list
resourcemanager.projects.get
Project

Monitoring roles

Role Title Description Permissions Lowest Resource
roles/
monitoring.admin
Monitoring Admin Provides the same access as roles/monitoring.editor. cloudnotifications.*
monitoring.*
resourcemanager.projects.get
resourcemanager.projects.list
serviceusage.services.enable
stackdriver.*
Project
roles/
monitoring.alertPolicyEditor
Monitoring AlertPolicy Editor Beta Read/write access to alerting policies. monitoring.alertPolicies.*
roles/
monitoring.alertPolicyViewer
Monitoring AlertPolicy Viewer Beta Read-only access to alerting policies. monitoring.alertPolicies.get
monitoring.alertPolicies.list
roles/
monitoring.editor
Monitoring Editor Provides full access to information about all monitoring data and configurations. cloudnotifications.*
monitoring.alertPolicies.*
monitoring.dashboards.*
monitoring.groups.*
monitoring.metricDescriptors.*
monitoring.monitoredResourceDescriptors.*
monitoring.notificationChannelDescriptors.*
monitoring.notificationChannels.create
monitoring.notificationChannels.delete
monitoring.notificationChannels.get
monitoring.notificationChannels.list
monitoring.notificationChannels.sendVerificationCode
monitoring.notificationChannels.update
monitoring.notificationChannels.verify
monitoring.publicWidgets.*
monitoring.timeSeries.*
monitoring.uptimeCheckConfigs.*
resourcemanager.projects.get
resourcemanager.projects.list
serviceusage.services.enable
stackdriver.*
Project
roles/
monitoring.metricWriter
Monitoring Metric Writer Provides write-only access to metrics. This provides exactly the permissions needed by the Stackdriver agent and other systems that send metrics. monitoring.metricDescriptors.create
monitoring.metricDescriptors.get
monitoring.metricDescriptors.list
monitoring.monitoredResourceDescriptors.*
monitoring.timeSeries.create
Project
roles/
monitoring.notificationChannelEditor
Monitoring NotificationChannel Editor Beta Read/write access to notification channels. monitoring.notificationChannelDescriptors.*
monitoring.notificationChannels.create
monitoring.notificationChannels.delete
monitoring.notificationChannels.get
monitoring.notificationChannels.list
monitoring.notificationChannels.sendVerificationCode
monitoring.notificationChannels.update
monitoring.notificationChannels.verify
roles/
monitoring.notificationChannelViewer
Monitoring NotificationChannel Viewer Beta Read-only access to notification channels. monitoring.notificationChannelDescriptors.*
monitoring.notificationChannels.get
monitoring.notificationChannels.list
roles/
monitoring.uptimeCheckConfigEditor
Monitoring Uptime Check Configuration Editor Beta Read/write access to uptime check configurations. monitoring.uptimeCheckConfigs.*
roles/
monitoring.uptimeCheckConfigViewer
Monitoring Uptime Check Configuration Viewer Beta Read-only access to uptime check configurations. monitoring.uptimeCheckConfigs.get
monitoring.uptimeCheckConfigs.list
roles/
monitoring.viewer
Monitoring Viewer Provides read-only access to get and list information about all monitoring data and configurations. cloudnotifications.*
monitoring.alertPolicies.get
monitoring.alertPolicies.list
monitoring.dashboards.get
monitoring.dashboards.list
monitoring.groups.get
monitoring.groups.list
monitoring.metricDescriptors.get
monitoring.metricDescriptors.list
monitoring.monitoredResourceDescriptors.*
monitoring.notificationChannelDescriptors.*
monitoring.notificationChannels.get
monitoring.notificationChannels.list
monitoring.publicWidgets.get
monitoring.publicWidgets.list
monitoring.timeSeries.list
monitoring.uptimeCheckConfigs.get
monitoring.uptimeCheckConfigs.list
resourcemanager.projects.get
resourcemanager.projects.list
stackdriver.projects.get
Project

AI Notebooks roles

Role Title Description Permissions Lowest Resource
roles/
notebooks.admin
Notebooks Admin Beta Full access to Notebooks all resources. notebooks.*
resourcemanager.projects.get
resourcemanager.projects.list
roles/
notebooks.viewer
Notebooks Viewer Beta Read-only access to Notebooks all resources. notebooks.environments.get
notebooks.environments.getIamPolicy
notebooks.environments.list
notebooks.instances.get
notebooks.instances.getIamPolicy
notebooks.instances.list
notebooks.locations.*
notebooks.operations.get
notebooks.operations.list
resourcemanager.projects.get
resourcemanager.projects.list

Organization Policy roles

Role Title Description Permissions Lowest Resource
roles/
axt.admin
Access Transparency Admin Enable Access Transparency for Organization axt.*
resourcemanager.organizations.get
resourcemanager.projects.get
resourcemanager.projects.list
roles/
orgpolicy.policyAdmin
Organization Policy Administrator Provides access to define what restrictions an organization wants to place on the configuration of cloud resources by setting Organization Policies. orgpolicy.*
Organization
roles/
orgpolicy.policyViewer
Organization Policy Viewer Provides access to view Organization Policies on resources. orgpolicy.policy.get
Organization

Other roles

Role Title Description Permissions Lowest Resource
roles/
dataprocessing.admin
Data Processing Controls Resource Admin Beta Data processing controls admin who can fully manage data processing controls settings and view all datasource data. dataprocessing.*
roles/
dataprocessing.iamAccessHistoryExporter
Data Processing IAM Access History Exporter Beta Data Processing exporter who can export IAM access history using bigquery. dataprocessing.iamaccesshistory.*
roles/
firebasecrash.symbolMappingsAdmin
Firebase Crash Symbol Uploader Full read/write access to symbol mapping file resources for Firebase Crash Reporting. firebase.clients.get
resourcemanager.projects.get
roles/
identitytoolkit.admin
Identity Toolkit Admin Full access to Identity Toolkit resources. firebaseauth.*
roles/
identitytoolkit.viewer
Identity Toolkit Viewer Read access to Identity Toolkit resources. firebaseauth.configs.get
firebaseauth.users.get
roles/
mobilecrashreporting.symbolMappingsAdmin
Firebase Crash Symbol Uploader (Deprecated) Full read/write access to symbol mapping file resources for Firebase Crash Reporting.Deprecated in favor of firebasecrash.symbolMappingsAdmin firebase.clients.get
resourcemanager.projects.get
roles/
remotebuildexecution.actionCacheWriter
Remote Build Execution Action Cache Writer Beta Remote Build Execution Action Cache Writer remotebuildexecution.actions.set
remotebuildexecution.blobs.create
roles/
remotebuildexecution.artifactAdmin
Remote Build Execution Artifact Admin Beta Remote Build Execution Artifact Admin remotebuildexecution.actions.create
remotebuildexecution.actions.delete
remotebuildexecution.actions.get
remotebuildexecution.blobs.*
remotebuildexecution.logstreams.*
roles/
remotebuildexecution.artifactCreator
Remote Build Execution Artifact Creator Beta Remote Build Execution Artifact Creator remotebuildexecution.actions.create
remotebuildexecution.actions.get
remotebuildexecution.blobs.*
remotebuildexecution.logstreams.*
roles/
remotebuildexecution.artifactViewer
Remote Build Execution Artifact Viewer Beta Remote Build Execution Artifact Viewer remotebuildexecution.actions.get
remotebuildexecution.blobs.get
remotebuildexecution.logstreams.get
roles/
remotebuildexecution.configurationAdmin
Remote Build Execution Configuration Admin Beta Remote Build Execution Configuration Admin remotebuildexecution.instances.*
remotebuildexecution.workerpools.*
roles/
remotebuildexecution.configurationViewer
Remote Build Execution Configuration Viewer Beta Remote Build Execution Configuration Viewer remotebuildexecution.instances.get
remotebuildexecution.instances.list
remotebuildexecution.workerpools.get
remotebuildexecution.workerpools.list
roles/
remotebuildexecution.logstreamWriter
Remote Build Execution Logstream Writer Beta Remote Build Execution Logstream Writer remotebuildexecution.logstreams.create
remotebuildexecution.logstreams.update
roles/
remotebuildexecution.worker
Remote Build Execution Worker Beta Remote Build Execution Worker remotebuildexecution.actions.update
remotebuildexecution.blobs.*
remotebuildexecution.botsessions.*
remotebuildexecution.logstreams.create
remotebuildexecution.logstreams.update
roles/
resourcemanager.organizationCreator
Organization Creator Access to create and list organizations.
roles/
runtimeconfig.admin
Cloud RuntimeConfig Admin Full access to RuntimeConfig resources. runtimeconfig.*
roles/
subscribewithgoogledeveloper.developer
Subscribe with Google Developer Beta Access DevTools for Subscribe with Google resourcemanager.projects.get
resourcemanager.projects.list
subscribewithgoogledeveloper.*

Third-party Partner roles

Role Title Description Permissions Lowest Resource
roles/
netappcloudvolumes.admin
NetApp Cloud Volumes Admin Beta This role is managed by NetApp, not Google. netappcloudvolumes.*
resourcemanager.projects.get
resourcemanager.projects.list
roles/
netappcloudvolumes.viewer
NetApp Cloud Volumes Viewer Beta This role is managed by NetApp, not Google. netappcloudvolumes.activeDirectories.get
netappcloudvolumes.activeDirectories.list
netappcloudvolumes.ipRanges.*
netappcloudvolumes.jobs.*
netappcloudvolumes.regions.*
netappcloudvolumes.serviceLevels.*
netappcloudvolumes.snapshots.get
netappcloudvolumes.snapshots.list
netappcloudvolumes.volumes.get
netappcloudvolumes.volumes.list
resourcemanager.projects.get
resourcemanager.projects.list
roles/
redisenterprisecloud.admin
Redis Enterprise Cloud Admin Beta This role is managed by Redis Labs, not Google. redisenterprisecloud.*
resourcemanager.projects.get
resourcemanager.projects.list
roles/
redisenterprisecloud.viewer
Redis Enterprise Cloud Viewer Beta This role is managed by Redis Labs, not Google. redisenterprisecloud.databases.get
redisenterprisecloud.databases.list
redisenterprisecloud.subscriptions.get
redisenterprisecloud.subscriptions.list
resourcemanager.projects.get
resourcemanager.projects.list

Project roles

Role Title Description Permissions Lowest Resource
roles/
browser
Browser Read access to browse the hierarchy for a project, including the folder, organization, and Cloud IAM policy. This role doesn't include permission to view resources in the project. resourcemanager.folders.get
resourcemanager.folders.list
resourcemanager.organizations.get
resourcemanager.projects.get
resourcemanager.projects.getIamPolicy
resourcemanager.projects.list
Project

Proximity Beacon roles

Role Title Description Permissions Lowest Resource
roles/
proximitybeacon.attachmentEditor
Beacon Attachment Editor Can create and delete attachments; can list and get a project's beacons; can list a project's namespaces. proximitybeacon.attachments.*
proximitybeacon.beacons.get
proximitybeacon.beacons.list
proximitybeacon.namespaces.list
resourcemanager.projects.get
resourcemanager.projects.list
roles/
proximitybeacon.attachmentPublisher
Beacon Attachment Publisher Grants necessary permissions to use beacons to create attachments in namespaces not owned by this project. proximitybeacon.beacons.attach
proximitybeacon.beacons.get
proximitybeacon.beacons.list
resourcemanager.projects.get
resourcemanager.projects.list
roles/
proximitybeacon.attachmentViewer
Beacon Attachment Viewer Can view all attachments under a namespace; no beacon or namespace permissions. proximitybeacon.attachments.get
proximitybeacon.attachments.list
resourcemanager.projects.get
resourcemanager.projects.list
roles/
proximitybeacon.beaconEditor
Beacon Editor Necessary access to register, modify, and view beacons; no attachment or namespace permissions. proximitybeacon.beacons.create
proximitybeacon.beacons.get
proximitybeacon.beacons.list
proximitybeacon.beacons.update
resourcemanager.projects.get
resourcemanager.projects.list

Pub/Sub roles

Role Title Description Permissions Lowest Resource
roles/
pubsub.admin
Pub/Sub Admin Provides full access to topics and subscriptions. pubsub.*
resourcemanager.projects.get
serviceusage.quotas.get
serviceusage.services.get
serviceusage.services.list
Topic
roles/
pubsub.editor
Pub/Sub Editor Provides access to modify topics and subscriptions, and access to publish and consume messages. pubsub.snapshots.create
pubsub.snapshots.delete
pubsub.snapshots.get
pubsub.snapshots.list
pubsub.snapshots.seek
pubsub.snapshots.update
pubsub.subscriptions.consume
pubsub.subscriptions.create
pubsub.subscriptions.delete
pubsub.subscriptions.get
pubsub.subscriptions.list
pubsub.subscriptions.update
pubsub.topics.attachSubscription
pubsub.topics.create
pubsub.topics.delete
pubsub.topics.get
pubsub.topics.list
pubsub.topics.publish
pubsub.topics.update
pubsub.topics.updateTag
resourcemanager.projects.get
serviceusage.quotas.get
serviceusage.services.get
serviceusage.services.list
Topic
roles/
pubsub.publisher
Pub/Sub Publisher Provides access to publish messages to a topic. pubsub.topics.publish
Topic
roles/
pubsub.subscriber
Pub/Sub Subscriber Provides access to consume messages from a subscription and to attach subscriptions to a topic. pubsub.snapshots.seek
pubsub.subscriptions.consume
pubsub.topics.attachSubscription
Topic
roles/
pubsub.viewer
Pub/Sub Viewer Provides access to view topics and subscriptions. pubsub.snapshots.get
pubsub.snapshots.list
pubsub.subscriptions.get
pubsub.subscriptions.list
pubsub.topics.get
pubsub.topics.list
resourcemanager.projects.get
serviceusage.quotas.get
serviceusage.services.get
serviceusage.services.list
Topic

Recommendations AI roles

Role Title Description Permissions Lowest Resource
roles/
automlrecommendations.admin
Recommendations AI Admin Beta Full access to all Recommendations AI resources. automlrecommendations.*
resourcemanager.projects.get
resourcemanager.projects.list
serviceusage.services.get
serviceusage.services.list
roles/
automlrecommendations.adminViewer
Recommendations AI Admin Viewer Beta Viewer of all Recommendations AI resources. automlrecommendations.apiKeys.list
automlrecommendations.catalogItems.get
automlrecommendations.catalogItems.list
automlrecommendations.catalogs.*
automlrecommendations.eventStores.*
automlrecommendations.events.list
automlrecommendations.placements.*
automlrecommendations.recommendations.*
resourcemanager.projects.get
resourcemanager.projects.list
serviceusage.services.get
serviceusage.services.list
roles/
automlrecommendations.editor
Recommendations AI Editor Beta Editor of all Recommendations AI resources. automlrecommendations.apiKeys.create
automlrecommendations.apiKeys.list
automlrecommendations.catalogItems.*
automlrecommendations.catalogs.*
automlrecommendations.eventStores.*
automlrecommendations.events.create
automlrecommendations.events.list
automlrecommendations.placements.*
automlrecommendations.recommendations.*
resourcemanager.projects.get
resourcemanager.projects.list
serviceusage.services.get
serviceusage.services.list
roles/
automlrecommendations.viewer
Recommendations AI Viewer Beta Viewer of all Recommendations AI resources. automlrecommendations.catalogItems.get
automlrecommendations.catalogItems.list
automlrecommendations.catalogs.*
automlrecommendations.eventStores.*
automlrecommendations.events.list
automlrecommendations.placements.*
automlrecommendations.recommendations.*
resourcemanager.projects.get
resourcemanager.projects.list
serviceusage.services.get
serviceusage.services.list

Recommender roles

Role Title Description Permissions Lowest Resource
roles/
recommender.computeAdmin
Compute Recommender Admin Beta Admin of Compute recommendations. recommender.computeInstanceGroupManagerMachineTypeRecommendations.*
recommender.computeInstanceMachineTypeRecommendations.*
recommender.locations.*
resourcemanager.projects.get
resourcemanager.projects.list
roles/
recommender.computeViewer
Compute Recommender Viewer Beta Viewer of Compute recommendations. recommender.computeInstanceGroupManagerMachineTypeRecommendations.get
recommender.computeInstanceGroupManagerMachineTypeRecommendations.list
recommender.computeInstanceMachineTypeRecommendations.get
recommender.computeInstanceMachineTypeRecommendations.list
recommender.locations.*
resourcemanager.projects.get
resourcemanager.projects.list
roles/
recommender.iamAdmin
IAM Recommender Admin Beta Admin of IAM policy recommendations. recommender.iamPolicyRecommendations.*
recommender.locations.*
resourcemanager.projects.get
resourcemanager.projects.list
roles/
recommender.iamViewer
IAM Recommender Viewer Beta Reviewer of IAM policy recommendations. recommender.iamPolicyRecommendations.get
recommender.iamPolicyRecommendations.list
recommender.locations.*
resourcemanager.projects.get
resourcemanager.projects.list

Memorystore Redis roles

Role Title Description Permissions Lowest Resource
roles/
redis.admin
Cloud Memorystore Redis Admin Beta Full control for all Memorystore resources. compute.networks.list
redis.*
resourcemanager.projects.get
resourcemanager.projects.list
serviceusage.services.use
Instance
roles/
redis.editor
Cloud Memorystore Redis Editor Beta Manage Memorystore instances. Can't create or delete instances. compute.networks.list
redis.instances.get
redis.instances.list
redis.instances.update
redis.locations.*
redis.operations.*
resourcemanager.projects.get
resourcemanager.projects.list
serviceusage.services.use
Instance
roles/
redis.viewer
Cloud Memorystore Redis Viewer Beta Read-only access to all Memorystore resources. redis.instances.get
redis.instances.list
redis.locations.*
redis.operations.get
redis.operations.list
resourcemanager.projects.get
resourcemanager.projects.list
serviceusage.services.use
Instance

Resource Manager roles

Role Title Description Permissions Lowest Resource
roles/
resourcemanager.folderAdmin
Folder Admin Provides all available permissions for working with folders. orgpolicy.policy.get
resourcemanager.folders.*
resourcemanager.projects.get
resourcemanager.projects.getIamPolicy
resourcemanager.projects.list
resourcemanager.projects.move
resourcemanager.projects.setIamPolicy
Folder
roles/
resourcemanager.folderCreator
Folder Creator Provides permissions needed to browse the hierarchy and create folders. orgpolicy.policy.get
resourcemanager.folders.create
resourcemanager.folders.get
resourcemanager.folders.list
resourcemanager.projects.get
resourcemanager.projects.list
Folder
roles/
resourcemanager.folderEditor
Folder Editor Provides permission to modify folders as well as to view a folder's Cloud IAM policy. orgpolicy.policy.get
resourcemanager.folders.delete
resourcemanager.folders.get
resourcemanager.folders.getIamPolicy
resourcemanager.folders.list
resourcemanager.folders.undelete
resourcemanager.folders.update
resourcemanager.projects.get
resourcemanager.projects.list
Folder
roles/
resourcemanager.folderIamAdmin
Folder IAM Admin Provides permissions to administer Cloud IAM policies on folders. resourcemanager.folders.get
resourcemanager.folders.getIamPolicy
resourcemanager.folders.setIamPolicy
Folder
roles/
resourcemanager.folderMover
Folder Mover Provides permission to move projects and folders into and out of a parent Organization or folder. resourcemanager.folders.move
resourcemanager.projects.move
Folder
roles/
resourcemanager.folderViewer
Folder Viewer Provides permission to get a folder and list the folders and projects below a resource. orgpolicy.policy.get
resourcemanager.folders.get
resourcemanager.folders.list
resourcemanager.projects.get
resourcemanager.projects.list
Folder
roles/
resourcemanager.lienModifier
Project Lien Modifier Provides access to modify Liens on projects. resourcemanager.projects.updateLiens
Project
roles/
resourcemanager.organizationAdmin
Organization Administrator Access to administer all resources belonging to the organization. orgpolicy.policy.get
resourcemanager.folders.get
resourcemanager.folders.getIamPolicy
resourcemanager.folders.list
resourcemanager.folders.setIamPolicy
resourcemanager.organizations.*
resourcemanager.projects.get
resourcemanager.projects.getIamPolicy
resourcemanager.projects.list
resourcemanager.projects.setIamPolicy
roles/
resourcemanager.organizationViewer
Organization Viewer Provides access to view an organization. resourcemanager.organizations.get
Organization
roles/
resourcemanager.projectCreator
Project Creator Provides access to create new projects. Once a user creates a project, they're automatically granted the owner role for that project. resourcemanager.organizations.get
resourcemanager.projects.create
Folder
roles/
resourcemanager.projectDeleter
Project Deleter Provides access to delete GCP projects. resourcemanager.projects.delete
Folder
roles/
resourcemanager.projectIamAdmin
Project IAM Admin Provides permissions to administer Cloud IAM policies on projects. resourcemanager.projects.get
resourcemanager.projects.getIamPolicy
resourcemanager.projects.setIamPolicy
Project
roles/
resourcemanager.projectMover
Project Mover Provides access to update and move projects. resourcemanager.projects.get
resourcemanager.projects.move
resourcemanager.projects.update
Project

Cloud Run roles

Role Title Description Permissions Lowest Resource
roles/
run.admin
Cloud Run Admin Beta Full control over all Cloud Run resources. resourcemanager.projects.get
resourcemanager.projects.list
run.*
Cloud Run service
roles/
run.invoker
Cloud Run Invoker Beta Can invoke a Cloud Run service. run.routes.invoke
Cloud Run service
roles/
run.viewer
Cloud Run Viewer Beta Can view the state of all Cloud Run resources, including IAM policies. resourcemanager.projects.get
resourcemanager.projects.list
run.configurations.*
run.locations.*
run.revisions.get
run.revisions.list
run.routes.get
run.routes.list
run.services.get
run.services.getIamPolicy
run.services.list
Cloud Run service

Secret Manager roles

Role Title Description Permissions Lowest Resource
roles/
secretmanager.admin
Cloud Secrets Admin Beta Full access to administrate Cloud Secrets resources. resourcemanager.projects.get
resourcemanager.projects.list
secretmanager.*
Secret
roles/
secretmanager.secretAccessor
Cloud Secrets secret accessor Beta Allows accessing the payload of secrets. secretmanager.versions.access
Secret
roles/
secretmanager.viewer
Cloud Secrets Viewer Beta Allows viewing metadata of all Cloud Secrets resources resourcemanager.projects.get
resourcemanager.projects.list
secretmanager.locations.*
secretmanager.secrets.get
secretmanager.secrets.getIamPolicy
secretmanager.secrets.list
secretmanager.versions.get
secretmanager.versions.list
Secret

Security Center roles

Role Title Description Permissions Lowest Resource
roles/
securitycenter.admin
Security Center Admin Admin(super user) access to security center resourcemanager.organizations.get
securitycenter.*
Organization
roles/
securitycenter.adminEditor
Security Center Admin Editor Admin Read-write access to security center resourcemanager.organizations.get
securitycenter.assets.*
securitycenter.assetsecuritymarks.*
securitycenter.findings.*
securitycenter.findingsecuritymarks.*
securitycenter.sources.get
securitycenter.sources.list
securitycenter.sources.update
Organization
roles/
securitycenter.adminViewer
Security Center Admin Viewer Admin Read access to security center resourcemanager.organizations.get
securitycenter.assets.group
securitycenter.assets.list
securitycenter.assets.listAssetPropertyNames
securitycenter.findings.group
securitycenter.findings.list
securitycenter.findings.listFindingPropertyNames
securitycenter.sources.get
securitycenter.sources.list
Organization
roles/
securitycenter.assetSecurityMarksWriter
Security Center Asset Security Marks Writer Write access to asset security marks securitycenter.assetsecuritymarks.*
Organization
roles/
securitycenter.assetsDiscoveryRunner
Security Center Assets Discovery Runner Run asset discovery access to assets securitycenter.assets.runDiscovery
Organization
roles/
securitycenter.assetsViewer
Security Center Assets Viewer Read access to assets resourcemanager.organizations.get
securitycenter.assets.group
securitycenter.assets.list
securitycenter.assets.listAssetPropertyNames
Organization
roles/
securitycenter.findingSecurityMarksWriter
Security Center Finding Security Marks Writer Write access to finding security marks securitycenter.findingsecuritymarks.*
Organization
roles/
securitycenter.findingsEditor
Security Center Findings Editor Read-write access to findings resourcemanager.organizations.get
securitycenter.findings.*
securitycenter.sources.get
securitycenter.sources.list
Organization
roles/
securitycenter.findingsStateSetter
Security Center Findings State Setter Set state access to findings securitycenter.findings.setState
Organization
roles/
securitycenter.findingsViewer
Security Center Findings Viewer Read access to findings resourcemanager.organizations.get
securitycenter.findings.group
securitycenter.findings.list
securitycenter.findings.listFindingPropertyNames
securitycenter.sources.get
securitycenter.sources.list
Organization
roles/
securitycenter.sourcesAdmin
Security Center Sources Admin Admin access to sources resourcemanager.organizations.get
securitycenter.sources.*
Organization
roles/
securitycenter.sourcesEditor
Security Center Sources Editor Read-write access to sources resourcemanager.organizations.get
securitycenter.sources.get
securitycenter.sources.list
securitycenter.sources.update
Organization
roles/
securitycenter.sourcesViewer
Security Center Sources Viewer Read access to sources resourcemanager.organizations.get
securitycenter.sources.get
securitycenter.sources.list
Organization

Service Consumer Management roles

Role Title Description Permissions Lowest Resource
roles/
serviceconsumermanagement.tenancyUnitsAdmin
Admin of Tenancy Units Beta Administrate tenancy units serviceconsumermanagement.tenancyu.*
roles/
serviceconsumermanagement.tenancyUnitsViewer
Viewer of Tenancy Units Beta View tenancy units serviceconsumermanagement.tenancyu.list

Service Management roles

Role Title Description Permissions Lowest Resource
roles/
cloudbuild.serviceAgent
Cloud Build Service Agent Alpha Gives Cloud Build service account access to managed resources. cloudbuild.*
compute.firewalls.get
compute.firewalls.list
compute.networks.get
compute.subnetworks.get
logging.logEntries.create
pubsub.topics.create
pubsub.topics.publish
remotebuildexecution.blobs.get
resourcemanager.projects.get
resourcemanager.projects.list
source.repos.get
source.repos.list
storage.buckets.create
storage.buckets.get
storage.buckets.list
storage.objects.create
storage.objects.delete
storage.objects.get
storage.objects.list
storage.objects.update
roles/
cloudfunctions.serviceAgent
Cloud Functions Service Agent Alpha Gives Cloud Functions service account access to managed resources. clientauthconfig.clients.list
cloudfunctions.functions.invoke
firebasedatabase.instances.get
firebasedatabase.instances.update
iam.serviceAccounts.getAccessToken
iam.serviceAccounts.signBlob
pubsub.subscriptions.*
pubsub.topics.attachSubscription
pubsub.topics.create
pubsub.topics.get
resourcemanager.projects.get
resourcemanager.projects.getIamPolicy
serviceusage.quotas.get
serviceusage.services.disable
serviceusage.services.enable
storage.buckets.get
storage.buckets.update
roles/
cloudscheduler.serviceAgent
Cloud Scheduler Service Agent Alpha Grants Cloud Scheduler Service Account access to manage resources. iam.serviceAccounts.getAccessToken
logging.logEntries.create
pubsub.topics.publish
roles/
cloudtasks.serviceAgent
Cloud Tasks Service Agent Alpha Grants Cloud Tasks Service Account access to manage resources. iam.serviceAccounts.getAccessToken
logging.logEntries.create
roles/
datafusion.serviceAgent
Cloud Data Fusion API Service Agent Alpha Gives Cloud Data Fusion service account access to Service Networking, Dataproc, Storage, BigQuery, Spanner and BigTable resources. bigquery.datasets.*
bigquery.jobs.create
bigquery.models.*
bigquery.routines.*
bigquery.tables.*
bigtable.*
compute.addresses.get
compute.addresses.list
compute.autoscalers.get
compute.autoscalers.list
compute.backendBuckets.get
compute.backendBuckets.list
compute.backendServices.get
compute.backendServices.list
compute.firewalls.get
compute.firewalls.list
compute.forwardingRules.get
compute.forwardingRules.list
compute.globalAddresses.get
compute.globalAddresses.list
compute.globalForwardingRules.get
compute.globalForwardingRules.list
compute.globalOperations.get
compute.healthChecks.get
compute.healthChecks.list
compute.httpHealthChecks.get
compute.httpHealthChecks.list
compute.httpsHealthChecks.get
compute.httpsHealthChecks.list
compute.instanceGroupManagers.get
compute.instanceGroupManagers.list
compute.instanceGroups.get
compute.instanceGroups.list
compute.instances.get
compute.instances.getGuestAttributes
compute.instances.getSerialPortOutput
compute.instances.list
compute.instances.listReferrers
compute.interconnectAttachments.get
compute.interconnectAttachments.list
compute.interconnectLocations.*
compute.interconnects.get
compute.interconnects.list
compute.machineTypes.*
compute.networks.addPeering
compute.networks.get
compute.networks.list
compute.networks.removePeering
compute.networks.update
compute.projects.get
compute.regionBackendServices.get
compute.regionBackendServices.list
compute.regions.*
compute.routers.get
compute.routers.list
compute.routes.get
compute.routes.list
compute.sslCertificates.get
compute.sslCertificates.list
compute.sslPolicies.get
compute.sslPolicies.list
compute.sslPolicies.listAvailableFeatures
compute.subnetworks.get
compute.subnetworks.list
compute.targetHttpProxies.get
compute.targetHttpProxies.list
compute.targetHttpsProxies.get
compute.targetHttpsProxies.list
compute.targetInstances.get
compute.targetInstances.list
compute.targetPools.get
compute.targetPools.list
compute.targetSslProxies.get
compute.targetSslProxies.list
compute.targetTcpProxies.get
compute.targetTcpProxies.list
compute.targetVpnGateways.get
compute.targetVpnGateways.list
compute.urlMaps.get
compute.urlMaps.list
compute.vpnGateways.get
compute.vpnGateways.list
compute.vpnTunnels.get
compute.vpnTunnels.list
compute.zones.*
dataproc.clusters.create
dataproc.clusters.delete
dataproc.clusters.get
dataproc.clusters.list
dataproc.clusters.update
dataproc.clusters.use
dataproc.jobs.cancel
dataproc.jobs.create
dataproc.jobs.delete
dataproc.jobs.get
dataproc.jobs.list
dataproc.jobs.update
dataproc.operations.delete
dataproc.operations.get
dataproc.operations.list
dataproc.workflowTemplates.create
dataproc.workflowTemplates.delete
dataproc.workflowTemplates.get
dataproc.workflowTemplates.instantiate
dataproc.workflowTemplates.instantiateInline
dataproc.workflowTemplates.list
dataproc.workflowTemplates.update
firebase.projects.get
monitoring.metricDescriptors.get
monitoring.metricDescriptors.list
monitoring.timeSeries.list
resourcemanager.projects.get
resourcemanager.projects.list
servicenetworking.services.get
serviceusage.quotas.get
serviceusage.services.get
serviceusage.services.list
spanner.databaseOperations.*
spanner.databases.beginOrRollbackReadWriteTransaction
spanner.databases.beginReadOnlyTransaction
spanner.databases.getDdl
spanner.databases.list
spanner.databases.read
spanner.databases.select
spanner.databases.updateDdl
spanner.databases.write
spanner.instanceConfigs.*
spanner.instances.get
spanner.instances.list
spanner.sessions.*
storage.buckets.*
storage.objects.*
roles/
dataproc.serviceAgent
Dataproc Service Agent Alpha Gives Dataproc Service Account access to service accounts, compute resources, and storage resources. Includes access to service accounts. compute.acceleratorTypes.*
compute.addresses.get
compute.addresses.list
compute.addresses.use
compute.autoscalers.*
compute.diskTypes.*
compute.disks.create
compute.disks.createSnapshot
compute.disks.delete
compute.disks.get
compute.disks.list
compute.disks.resize
compute.disks.setLabels
compute.disks.update
compute.disks.use
compute.disks.useReadOnly
compute.firewalls.get
compute.firewalls.list
compute.globalAddresses.get
compute.globalAddresses.list
compute.globalAddresses.use
compute.globalOperations.get
compute.globalOperations.list
compute.images.get
compute.images.getFromFamily
compute.images.list
compute.images.useReadOnly
compute.instanceGroupManagers.*
compute.instanceGroups.*
compute.instanceTemplates.*
compute.instances.*
compute.licenses.get
compute.licenses.list
compute.machineTypes.*
compute.networkEndpointGroups.*
compute.networks.get
compute.networks.list
compute.networks.use
compute.networks.useExternalIp
compute.projects.get
compute.regionOperations.get
compute.regionOperations.list
compute.regions.*
compute.reservations.get
compute.reservations.list
compute.subnetworks.get
compute.subnetworks.list
compute.subnetworks.use
compute.subnetworks.useExternalIp
compute.targetPools.get
compute.targetPools.list
compute.zoneOperations.get
compute.zoneOperations.list
compute.zones.*
dataproc.clusters.*
dataproc.jobs.*
firebase.projects.get
iam.serviceAccounts.actAs
resourcemanager.projects.get
resourcemanager.projects.list
serviceusage.quotas.get
serviceusage.services.get
serviceusage.services.list
storage.buckets.*
storage.objects.*
roles/
serverless.serviceAgent
Cloud Run Service Agent Alpha Gives Cloud Run service account access to managed resources. clientauthconfig.clients.list
cloudbuild.builds.create
cloudbuild.builds.get
iam.serviceAccounts.actAs
iam.serviceAccounts.getAccessToken
iam.serviceAccounts.signBlob
resourcemanager.projects.get
resourcemanager.projects.getIamPolicy
resourcemanager.projects.list
run.routes.invoke
storage.objects.get
storage.objects.list
roles/
servicemanagement.admin
Service Management Administrator Full control of Google Service Management resources. monitoring.timeSeries.list
resourcemanager.folders.get
resourcemanager.folders.list
resourcemanager.organizations.get
resourcemanager.projects.get
resourcemanager.projects.list
serviceconsumermanagement.*
servicemanagement.services.*
serviceusage.quotas.get
serviceusage.services.get
roles/
servicemanagement.configEditor
Service Config Editor Access to update the service config and create rollouts. servicemanagement.services.get
servicemanagement.services.update
roles/
servicemanagement.quotaAdmin
Quota Administrator Beta Provides access to administer service quotas. monitoring.timeSeries.list
resourcemanager.organizations.get
resourcemanager.projects.get
resourcemanager.projects.list
servicemanagement.consumerSettings.*
serviceusage.quotas.*
serviceusage.services.disable
serviceusage.services.enable
serviceusage.services.get
serviceusage.services.list
Project
roles/
servicemanagement.quotaViewer
Quota Viewer Beta Provides access to view service quotas. monitoring.timeSeries.list
servicemanagement.consumerSettings.get
servicemanagement.consumerSettings.getIamPolicy
servicemanagement.consumerSettings.list
serviceusage.quotas.get
serviceusage.services.get
serviceusage.services.list
Project
roles/
servicemanagement.serviceConsumer
Service Consumer Can enable the service. servicemanagement.services.bind
roles/
servicemanagement.serviceController
Service Controller Runtime control of checking and reporting usage of a service. servicemanagement.services.check
servicemanagement.services.get
servicemanagement.services.quota
servicemanagement.services.report
Project

Service Networking roles

Role Title Description Permissions Lowest Resource
roles/
servicenetworking.networksAdmin
Service Networking Admin Beta Full control of service networking with projects. servicenetworking.*

Service Usage roles

Role Title Description Permissions Lowest Resource
roles/
serviceusage.apiKeysAdmin
API Keys Admin Beta Ability to create, delete, update, get and list API keys for a project. serviceusage.apiKeys.*
serviceusage.operations.get
roles/
serviceusage.apiKeysViewer
API Keys Viewer Beta Ability to get and list API keys for a project. serviceusage.apiKeys.get
serviceusage.apiKeys.getProjectForKey
serviceusage.apiKeys.list
roles/
serviceusage.serviceUsageAdmin
Service Usage Admin Beta Ability to enable, disable, and inspect service states, inspect operations, and consume quota and billing for a consumer project. monitoring.timeSeries.list
serviceusage.operations.*
serviceusage.quotas.*
serviceusage.services.*
roles/
serviceusage.serviceUsageConsumer
Service Usage Consumer Beta Ability to inspect service states and operations, and consume quota and billing for a consumer project. monitoring.timeSeries.list
serviceusage.operations.get
serviceusage.operations.list
serviceusage.quotas.get
serviceusage.services.get
serviceusage.services.list
serviceusage.services.use
roles/
serviceusage.serviceUsageViewer
Service Usage Viewer Beta Ability to inspect service states and operations for a consumer project. monitoring.timeSeries.list
serviceusage.operations.get
serviceusage.operations.list
serviceusage.quotas.get
serviceusage.services.get
serviceusage.services.list

Source roles

Role Title Description Permissions Lowest Resource
roles/
source.admin
Source Repository Administrator Provides permissions to create, update, delete, list, clone, fetch, and browse repositories. Also provides permissions to read and change IAM policies. source.*
Repository
roles/
source.reader
Source Repository Reader Provides permissions to list, clone, fetch, and browse repositories. source.repos.get
source.repos.list
Repository
roles/
source.writer
Source Repository Writer Provides permissions to list, clone, fetch, browse, and update repositories. source.repos.get
source.repos.list
source.repos.update
Repository

Cloud Spanner roles

Role Title Description Permissions Lowest Resource
roles/
spanner.admin
Cloud Spanner Admin Permission to grant and revoke permissions to other principals, allocate and delete chargeable resources, issue get/list/modify operations on resources, read from and write to databases, and fetch project metadata. monitoring.timeSeries.list
resourcemanager.projects.get
resourcemanager.projects.list
spanner.*
Project
roles/
spanner.databaseAdmin
Cloud Spanner Database Admin Permission to get/list all Cloud Spanner resources in a project, create/list/drop databases, grant/revoke access to project databases, and read from and write to all Cloud Spanner databases in the project. monitoring.timeSeries.list
resourcemanager.projects.get
resourcemanager.projects.list
spanner.databaseOperations.*
spanner.databases.*
spanner.instances.get
spanner.instances.getIamPolicy
spanner.instances.list
spanner.sessions.*
Project
roles/
spanner.databaseReader
Cloud Spanner Database Reader Permission to read from the Cloud Spanner database, execute SQL queries on the database, and view the schema. spanner.databases.beginReadOnlyTransaction
spanner.databases.getDdl
spanner.databases.read
spanner.databases.select
spanner.sessions.*
Database
roles/
spanner.databaseUser
Cloud Spanner Database User Permission to read from and write to the Cloud Spanner database, execute SQL queries on the database, and view and update the schema. spanner.databaseOperations.*
spanner.databases.beginOrRollbackReadWriteTransaction
spanner.databases.beginReadOnlyTransaction
spanner.databases.getDdl
spanner.databases.read
spanner.databases.select
spanner.databases.updateDdl
spanner.databases.write
spanner.sessions.*
Database
roles/
spanner.viewer
Cloud Spanner Viewer Permission to view all Cloud Spanner instances and databases, but not modify or read from them. monitoring.timeSeries.list
resourcemanager.projects.get
resourcemanager.projects.list
spanner.databases.list
spanner.instanceConfigs.*
spanner.instances.get
spanner.instances.list
Project

Stackdriver roles

Role Title Description Permissions Lowest Resource
roles/
stackdriver.accounts.editor
Stackdriver Accounts Editor Read/write access to manage Stackdriver account structure. resourcemanager.projects.get
resourcemanager.projects.list
serviceusage.services.enable
stackdriver.projects.*
roles/
stackdriver.accounts.viewer
Stackdriver Accounts Viewer Read-only access to get and list information about Stackdriver account structure. resourcemanager.projects.get
resourcemanager.projects.list
stackdriver.projects.get
roles/
stackdriver.resourceMaintenanceWindow.editor
Stackdriver Resource Maintenance Window Editor Read/write access to manage Stackdriver resource maintenance windows.
roles/
stackdriver.resourceMaintenanceWindow.viewer
Stackdriver Resource Maintenance Window Viewer Read-only access to information about Stackdriver resource maintenance windows.
roles/
stackdriver.resourceMetadata.writer
Stackdriver Resource Metadata Writer Beta Write-only access to resource metadata. This provides exactly the permissions needed by the Stackdriver metadata agent and other systems that send metadata. stackdriver.resourceMetadata.*

Storage roles

Role Title Description Permissions Lowest Resource
roles/
storage.admin
Storage Admin Grants full control of objects and buckets.

When applied to an individual bucket, control applies only to the specified bucket and objects within the bucket.

firebase.projects.get
resourcemanager.projects.get
resourcemanager.projects.list
storage.buckets.*
storage.objects.*
Bucket
roles/
storage.hmacKeyAdmin
Storage HMAC Key Admin Full control of GCS HMAC Keys. firebase.projects.get
resourcemanager.projects.get
resourcemanager.projects.list
storage.hmacKeys.*
roles/
storage.objectAdmin
Storage Object Admin Grants full control of objects, including listing, creating, viewing, and deleting objects. resourcemanager.projects.get
resourcemanager.projects.list
storage.objects.*
Bucket
roles/
storage.objectCreator
Storage Object Creator Allows users to create objects. Does not give permission to view, delete, or overwrite objects. resourcemanager.projects.get
resourcemanager.projects.list
storage.objects.create
Bucket
roles/
storage.objectViewer
Storage Object Viewer Grants access to view objects and their metadata, excluding ACLs. Can also list the objects in a bucket. resourcemanager.projects.get
resourcemanager.projects.list
storage.objects.get
storage.objects.list
Bucket
roles/
storagetransfer.admin
Storage Transfer Admin Create, update and manage transfer jobs and operations. resourcemanager.projects.get
resourcemanager.projects.list
storagetransfer.*
roles/
storagetransfer.user
Storage Transfer User Create and update storage transfer jobs and operations. resourcemanager.projects.get
resourcemanager.projects.list
storagetransfer.jobs.create
storagetransfer.jobs.get
storagetransfer.jobs.list
storagetransfer.jobs.update
storagetransfer.operations.*
storagetransfer.projects.*
roles/
storagetransfer.viewer
Storage Transfer Viewer Read access to storage transfer jobs and operations. resourcemanager.projects.get
resourcemanager.projects.list
storagetransfer.jobs.get
storagetransfer.jobs.list
storagetransfer.operations.get
storagetransfer.operations.list
storagetransfer.projects.*

Storage Legacy roles

Role Title Description Permissions Lowest Resource
roles/
storage.legacyBucketOwner
Storage Legacy Bucket Owner Grants permission to create, overwrite, and delete objects; list objects in a bucket and read object metadata, excluding Cloud IAM policies, when listing; and read and edit bucket metadata, including Cloud IAM policies.

Use of this role is also reflected in the bucket's ACLs. For more information, see Cloud IAM relation to ACLs.

storage.buckets.get
storage.buckets.getIamPolicy
storage.buckets.setIamPolicy
storage.buckets.update
storage.objects.create
storage.objects.delete
storage.objects.list
Bucket
roles/
storage.legacyBucketReader
Storage Legacy Bucket Reader Grants permission to list a bucket's contents and read bucket metadata, excluding Cloud IAM policies. Also grants permission to read object metadata, excluding Cloud IAM policies, when listing objects.

Use of this role is also reflected in the bucket's ACLs. For more information, see Cloud IAM relation to ACLs.

storage.buckets.get
storage.objects.list
Bucket
roles/
storage.legacyBucketWriter
Storage Legacy Bucket Writer Grants permission to create, overwrite, and delete objects; list objects in a bucket and read object metadata, excluding Cloud IAM policies, when listing; and read bucket metadata, excluding Cloud IAM policies.

Use of this role is also reflected in the bucket's ACLs. For more information, see Cloud IAM relation to ACLs.

storage.buckets.get
storage.objects.create
storage.objects.delete
storage.objects.list
Bucket
roles/
storage.legacyObjectOwner
Storage Legacy Object Owner Grants permission to view and edit objects and their metadata, including ACLs. storage.objects.get
storage.objects.getIamPolicy
storage.objects.setIamPolicy
storage.objects.update
Bucket
roles/
storage.legacyObjectReader
Storage Legacy Object Reader Grants permission to view objects and their metadata, excluding ACLs. storage.objects.get
Bucket

Support roles

Role Title Description Permissions Lowest Resource
roles/
cloudsupport.admin
Support Account Administrator Allows management of a support account without giving access to support cases. See the Cloud Support documentation for more information. cloudsupport.*
Organization
roles/
cloudsupport.viewer
Support Account Viewer Read-only access to details of a support account. This does not allow viewing cases. cloudsupport.accounts.get
cloudsupport.accounts.getUserRoles
cloudsupport.accounts.list
Organization

Cloud Threat Detection roles

Role Title Description Permissions Lowest Resource
roles/
threatdetection.editor
Threat Detection Settings Editor Beta Read-write access to all Threat Detection settings threatdetection.*
Organization
roles/
threatdetection.viewer
Threat Detection Settings Viewer Beta Read access to all Threat Detection settings threatdetection.detectorSettings.get
threatdetection.sinkSettings.get
threatdetection.sourceSettings.get
Organization

Cloud TPU roles

Role Title Description Permissions Lowest Resource
roles/
tpu.admin
TPU Admin Full access to TPU nodes and related resources. resourcemanager.projects.get
resourcemanager.projects.list
tpu.*
roles/
tpu.viewer
TPU Viewer Read-only access to TPU nodes and related resources. resourcemanager.projects.get
resourcemanager.projects.list
tpu.acceleratortypes.*
tpu.locations.*
tpu.nodes.get
tpu.nodes.list
tpu.operations.*
tpu.tensorflowversions.*

Serverless VPC Access roles

Role Title Description Permissions Lowest Resource
roles/
vpaccess.user
Serverless VPC Access User User of Serverless VPC Access connectors resourcemanager.projects.get
resourcemanager.projects.list
vpcaccess.connectors.get
vpcaccess.connectors.list
vpcaccess.connectors.use
vpcaccess.locations.*
vpcaccess.operations.*
roles/
vpaccess.viewer
Serverless VPC Access Viewer Viewer of all Serverless VPC Access resources resourcemanager.projects.get
resourcemanager.projects.list
vpcaccess.connectors.get
vpcaccess.connectors.list
vpcaccess.locations.*
vpcaccess.operations.*
roles/
vpcaccess.admin
Serverless VPC Access Admin Full access to all Serverless VPC Access resources resourcemanager.projects.get
resourcemanager.projects.list
vpcaccess.*

Custom roles

In addition to the predefined roles, Cloud IAM also provides the ability to create customized Cloud IAM roles. You can create a custom Cloud IAM role with one or more permissions and then grant that custom role to users who are part of your organization. See Understanding Custom Roles and Creating and Managing Custom Roles for more information.

Product-specific Cloud IAM documentation

Product-specific Cloud IAM documentation explains more about the predefined roles offered by each product. Read the following pages to learn more about the predefined roles.

Documentation Description
Cloud IAM for App Engine Explains Cloud IAM roles for App Engine
Cloud IAM for BigQuery Explains Cloud IAM roles for BigQuery
Cloud IAM for Cloud Bigtable Explains Cloud IAM roles for Cloud Bigtable
Cloud IAM for Cloud Billing API Explains Cloud IAM roles and permissions for Cloud Billing API
Cloud IAM for Dataflow Explains Cloud IAM roles for Dataflow
Cloud IAM for Dataproc Explains Cloud IAM roles and permissions for Dataproc
Cloud IAM for Datastore Explains Cloud IAM roles and permissions for Datastore
Cloud IAM for Cloud DNS Explains Cloud IAM roles and permissions for Cloud DNS
Cloud IAM for KMS Explains Cloud IAM roles and permissions for KMS
Cloud IAM for AI Platform Explains Cloud IAM roles and permissions for AI Platform
Cloud IAM for Pub/Sub Explains Cloud IAM roles for Pub/Sub
Cloud IAM for Cloud Spanner Explains Cloud IAM roles and permissions for Cloud Spanner
Cloud IAM for Cloud SQL Explains Cloud IAM roles for Cloud SQL
Cloud IAM for Cloud Storage Explains Cloud IAM roles for Cloud Storage
Cloud IAM for Compute Engine Explains Cloud IAM roles for Compute Engine
Cloud IAM for GKE Explains Cloud IAM roles and permissions for GKE
Cloud IAM for Cloud Deployment Manager Explains Cloud IAM roles and permissions for Cloud Deployment Manager
Cloud IAM for Organizations Explains Cloud IAM roles for Organization.
Cloud IAM for Folders Explains Cloud IAM roles for folders.
Cloud IAM for Projects Explains Cloud IAM roles for projects.
Cloud IAM for Service Management Explains Cloud IAM roles and permissions for Service Management
Cloud IAM for Stackdriver Debugger Explains Cloud IAM roles for Debugger
Cloud IAM for Stackdriver Logging Explains Cloud IAM roles for Logging
Cloud IAM for Stackdriver Monitoring Explains Cloud IAM roles for Monitoring
Cloud IAM for Stackdriver Trace Explains Cloud IAM roles and permissions for Trace

What's next

Bu sayfayı yararlı buldunuz mu? Lütfen görüşünüzü bildirin:

Şunun hakkında geri bildirim gönderin...

Cloud IAM Documentation