A role contains a set of permissions that allows you to perform specific actions on Google Cloud resources. To make permissions available to members, including users, groups, and service accounts, you grant roles to the members.
This page describes the IAM roles that you can grant.
Prerequisite for this guide
- Understand the basic concepts of IAM
Role types
There are three types of roles in IAM:
- Basic roles, which include the Owner, Editor, and Viewer roles that existed prior to the introduction of IAM.
- Predefined roles, which provide granular access for a specific service and are managed by Google Cloud.
- Custom roles, which provide granular access according to a user-specified list of permissions.
To determine if a permission is included in a basic, predefined, or custom role, you can use one of the following methods:
- Run the
gcloud iam roles describecommand to list the permissions in the role. - Call the
roles.get()REST API method to list the permissions in the role. - For basic and predefined roles only: Search the permissions reference to see if the permission is granted by the role.
- For predefined roles only: Search the predefined role descriptions on this page to see which permissions the role includes.
The sections below describe each role type and provide examples of how to use them.
Basic roles
There are several basic roles that existed prior to the introduction of IAM: Owner, Editor, and Viewer. These roles are concentric; that is, the Owner role includes the permissions in the Editor role, and the Editor role includes the permissions in the Viewer role. They were originally known as "primitive roles."
The following table summarizes the permissions that the basic roles include across all Google Cloud services:
Basic role definitions
| Name | Title | Permissions |
|---|---|---|
roles/viewer |
Viewer | Permissions for read-only actions that do not affect state, such as viewing (but not modifying) existing resources or data. |
roles/editor |
Editor |
All viewer permissions, plus permissions for actions that modify
state, such as changing existing resources.
Note:
While the
roles/editor role contains permissions to create
and delete resources for most Google Cloud services, it does
not contain permissions to perform all actions for all services. See the
section above for more information on how to
check if a role has the permissions that you need.
|
roles/owner |
Owner |
All editor permissions and permissions for the following actions:
Note:
|
You can apply basic roles at the project or service resource levels by using the
Cloud Console, the API, and the gcloud tool. See
Granting, changing, and revoking access for
instructions.
Invitation flow
You cannot grant the owner role to a member for a project using the
Identity and Access Management API or the gcloud command-line tool. You can only add
owners to a project using the Cloud Console. An invitation will be sent
to the member via email and the member must accept the invitation to be made an
owner of the project.
Note that invitation emails aren't sent in the following cases:
- When you're granting a role other than the owner.
- When an organization member adds another member of their organization as an owner of a project within that organization.
To see how to grant roles using the Cloud Console, see Granting, changing, and revoking access.
Predefined roles
In addition to the basic roles, IAM provides additional predefined roles that give granular access to specific Google Cloud resources and prevent unwanted access to other resources. These roles are created and maintained by Google. Google automatically updates their permissions as necessary, such as when Google Cloud adds new features or services.
The following table lists these roles, their description, and the lowest-level resource type where the roles can be set. A particular role can be granted to this resource type, or in most cases any type above it in the Google Cloud hierarchy. You can grant multiple roles to the same user. For example, the same user can have Network Admin and Log Viewer roles on a project and also have a Publisher role for a Pub/Sub topic within that project. For a list of the permissions contained in a role, see Getting the role metadata.
Access Approval roles
| Role | Title | Description | Permissions | Lowest resource |
|---|---|---|---|---|
roles/ |
Access Approval Approver Beta | Ability to view or act on access approval requests and view configuration |
|
|
roles/ |
Access Approval Config Editor Beta | Ability update the Access Approval configuration |
|
|
roles/ |
Access Approval Viewer Beta | Ability to view access approval requests and configuration |
|
Access Context Manager roles
| Role | Title | Description | Permissions | Lowest resource |
|---|---|---|---|---|
roles/ |
Cloud Access Binding Admin | Create, edit, and change Cloud access bindings. |
|
|
roles/ |
Cloud Access Binding Reader | Read access to Cloud access bindings. |
|
|
roles/ |
Access Context Manager Admin | Full access to policies, access levels, and access zones |
|
|
roles/ |
Access Context Manager Editor | Edit access to policies. Create, edit, and change access levels and access zones. |
|
|
roles/ |
Access Context Manager Reader | Read access to policies, access levels, and access zones. |
|
|
roles/ |
VPC Service Controls Troubleshooter Viewer |
|
Actions roles
| Role | Title | Description | Permissions | Lowest resource |
|---|---|---|---|---|
roles/ |
Actions Admin | Access to edit and deploy an action |
|
|
roles/ |
Actions Viewer | Access to view an action |
|
Android Management roles
| Role | Title | Description | Permissions | Lowest resource |
|---|---|---|---|---|
roles/ |
Android Management User | Full access to manage devices. |
|
API Gateway roles
| Role | Title | Description | Permissions | Lowest resource |
|---|---|---|---|---|
roles/ |
ApiGateway Admin | Full access to ApiGateway and related resources. |
|
|
roles/ |
ApiGateway Viewer | Read-only access to ApiGateway and related resources. |
|
Apigee roles
| Role | Title | Description | Permissions | Lowest resource |
|---|---|---|---|---|
roles/ |
Apigee Organization Admin | Full access to all apigee resource features |
|
|
roles/ |
Apigee Analytics Agent | Curated set of permissions for Apigee Universal Data Collection Agent to manage analytics for an Apigee Organization |
|
|
roles/ |
Apigee Analytics Editor | Analytics editor for an Apigee Organization |
|
|
roles/ |
Apigee Analytics Viewer | Analytics viewer for an Apigee Organization |
|
|
roles/ |
Apigee API Admin | Full read/write access to all apigee API resources |
|
|
roles/ |
Apigee API Reader | Reader of apigee resources |
|
|
roles/ |
Apigee Developer Admin | Developer admin of apigee resources |
|
|
roles/ |
Apigee Environment Admin | Full read/write access to apigee environment resources, including deployments. |
|
|
roles/ |
Apigee Portal Admin | Portal admin for an Apigee Organization |
|
|
roles/ |
Apigee Read-only Admin | Viewer of all apigee resources |
|
|
roles/ |
Apigee Runtime Agent | Curated set of permissions for a runtime agent to access Apigee Organization resources |
|
|
roles/ |
Apigee Synchronizer Manager | Curated set of permissions for a Synchronizer to manage environments in an Apigee Organization |
|
|
roles/ |
Apigee Connect Admin | Admin of Apigee Connect |
|
|
roles/ |
Apigee Connect Agent | Ability to set up Apigee Connect agent between external clusters and Google. |
|
App Engine roles
| Role | Title | Description | Permissions | Lowest resource |
|---|---|---|---|---|
roles/ |
App Engine Admin |
Read/Write/Modify access to all application configuration and settings. To deploy new versions, you must also grant the
Service Account User
( To use the |
|
Project |
roles/ |
App Engine Creator | Ability to create the App Engine resource for the project. |
|
Project |
roles/ |
App Engine Viewer | Read-only access to all application configuration and settings. |
|
Project |
roles/ |
App Engine Code Viewer | Read-only access to all application configuration, settings, and deployed source code. |
|
Project |
roles/ |
App Engine Deployer |
Read-only access to all application configuration and settings. To deploy new versions, you must also grant the
Service Account User
( To use the Cannot modify existing versions other than deleting versions that are not receiving traffic. |
|
Project |
roles/ |
App Engine Service Admin |
Read-only access to all application configuration and settings. Write access to module-level and version-level settings. Cannot deploy a new version. |
|
Project |
Artifact Registry roles
| Role | Title | Description | Permissions | Lowest resource |
|---|---|---|---|---|
roles/ |
Artifact Registry Administrator Beta | Administrator access to create and manage repositories. |
|
|
roles/ |
Artifact Registry Reader Beta | Access to read repository items. |
|
|
roles/ |
Artifact Registry Repository Administrator Beta | Access to manage artifacts in repositories. |
|
|
roles/ |
Artifact Registry Writer Beta | Access to read and write repository items. |
|
Assured Workloads roles
| Role | Title | Description | Permissions | Lowest resource |
|---|---|---|---|---|
roles/ |
Assured Workloads Administrator | Grants full access to Assured Workloads resources, including IAM policy administration. |
|
|
roles/ |
Assured Workloads Editor | Grants access to read and write to Assured Workloads resources. |
|
|
roles/ |
Assured Workloads Reader | Grants read access to all Assured Workloads resources. |
|
AutoML roles
| Role | Title | Description | Permissions | Lowest resource |
|---|---|---|---|---|
roles/ |
AutoML Admin Beta | Full access to all AutoML resources |
|
Dataset/Model |
roles/ |
AutoML Editor Beta | Editor of all AutoML resources |
|
Dataset/Model |
roles/ |
AutoML Predictor Beta | Predict using models |
|
Model |
roles/ |
AutoML Viewer Beta | Viewer of all AutoML resources |
|
Dataset/Model |
BigQuery roles
| Role | Title | Description | Permissions | Lowest resource |
|---|---|---|---|---|
roles/ |
BigQuery Admin | Provides permissions to manage all resources within the project. Can manage all data within the project, and can cancel jobs from other users running within the project. |
|
Project |
roles/ |
BigQuery Connection Admin |
|
||
roles/ |
BigQuery Connection User |
|
||
roles/ |
BigQuery Data Editor |
When applied to a table or view, this role provides permissions to:
This role cannot be applied to individual models or routines. When applied to a dataset, this role provides permissions to:
When applied at the project or organization level, this role can also create new datasets. |
|
Table or view |
roles/ |
BigQuery Data Owner |
When applied to a table or view, this role provides permissions to:
This role cannot be applied to individual models or routines. When applied to a dataset, this role provides permissions to:
When applied at the project or organization level, this role can also create new datasets. |
|
Table or view |
roles/ |
BigQuery Data Viewer |
When applied to a table or view, this role provides permissions to:
This role cannot be applied to individual models or routines. When applied to a dataset, this role provides permissions to:
When applied at the project or organization level, this role can also enumerate all datasets in the project. Additional roles, however, are necessary to allow the running of jobs. |
|
Table or view |
roles/ |
BigQuery Job User | Provides permissions to run jobs, including queries, within the project. |
|
Project |
roles/ |
BigQuery Metadata Viewer |
When applied to a table or view, this role provides permissions to:
This role cannot be applied to individual models or routines. When applied to a dataset, this role provides permissions to:
When applied at the project or organization level, this role provides permissions to:
Additional roles are necessary to allow the running of jobs. |
|
Table or view |
roles/ |
BigQuery Read Session User | Access to create and use read sessions |
|
|
roles/ |
BigQuery Resource Admin | Administer all BigQuery resources. |
|
|
roles/ |
BigQuery Resource Editor | Manage all BigQuery resources, but cannot make purchasing decisions. |
|
|
roles/ |
BigQuery Resource Viewer | View all BigQuery resources but cannot make changes or purchasing decisions. |
|
|
roles/ |
BigQuery User |
When applied to a dataset, this role provides the ability to read the dataset's metadata and list tables in the dataset. When applied to a project, this role also provides the ability to run jobs, including queries,
within the project. A member with this role can enumerate their own jobs, cancel their own jobs, and
enumerate datasets within a project. Additionally, allows the creation of new datasets within the
project; the creator is granted the BigQuery Data Owner role ( |
|
Dataset |
Cloud Bigtable roles
| Role | Title | Description | Permissions | Lowest resource |
|---|---|---|---|---|
roles/ |
Bigtable Administrator | Administers all instances within a project, including the data stored within tables. Can create new instances. Intended for project administrators. |
|
Table |
roles/ |
Bigtable Reader | Provides read-only access to the data stored within tables. Intended for data scientists, dashboard generators, and other data-analysis scenarios. |
|
Table |
roles/ |
Bigtable User | Provides read-write access to the data stored within tables. Intended for application developers or service accounts. |
|
Table |
roles/ |
Bigtable Viewer | Provides no data access. Intended as a minimal set of permissions to access the Cloud Console for Cloud Bigtable. |
|
Table |
Billing roles
| Role | Title | Description | Permissions | Lowest resource |
|---|---|---|---|---|
roles/ |
Billing Account Administrator | Provides access to see and manage all aspects of billing accounts. |
|
Billing Account |
roles/ |
Billing Account Costs Manager | Can view and export cost information of billing accounts. |
|
|
roles/ |
Billing Account Creator | Provides access to create billing accounts. |
|
Organization |
roles/ |
Project Billing Manager | Provides access to assign a project's billing account or disable its billing. |
|
Project |
roles/ |
Billing Account User | Provides access to associate projects with billing accounts. |
|
Billing Account |
roles/ |
Billing Account Viewer | View billing account cost information and transactions. |
|
Billing Account |
Binary Authorization roles
Hangouts Chat roles
| Role | Title | Description | Permissions | Lowest resource |
|---|---|---|---|---|
roles/ |
Chat Bots Owner | Can view and modify bot configurations |
|
|
roles/ |
Chat Bots Viewer | Can view bot configurations |
|
Cloud Asset roles
| Role | Title | Description | Permissions | Lowest resource |
|---|---|---|---|---|
roles/ |
Cloud Asset Owner | Full access to cloud assets metadata |
|
|
roles/ |
Cloud Asset Viewer | Read only access to cloud assets metadata |
|
Cloud Build roles
| Role | Title | Description | Permissions | Lowest resource |
|---|---|---|---|---|
roles/ |
Cloud Build Service Account | Provides access to perform builds. |
|
|
roles/ |
Cloud Build Editor | Provides access to create and cancel builds. |
|
Project |
roles/ |
Cloud Build Viewer | Provides access to view builds. |
|
Project |
Cloud Data Fusion roles
| Role | Title | Description | Permissions | Lowest resource |
|---|---|---|---|---|
roles/ |
Cloud Data Fusion Admin Beta | Full access to Cloud Data Fusion Instances and related resources. |
|
Project |
roles/ |
Cloud Data Fusion Runner Beta | Access to Cloud Data Fusion runtime resources. |
|
|
roles/ |
Cloud Data Fusion Viewer Beta | Read-only access to Cloud Data Fusion Instances and related resources. |
|
Project |
Cloud Debugger roles
| Role | Title | Description | Permissions | Lowest resource |
|---|---|---|---|---|
roles/ |
Cloud Debugger Agent Beta | Provides permissions to register the debug target, read active breakpoints, and report breakpoint results. |
|
Service Account |
roles/ |
Cloud Debugger User Beta | Provides permissions to create, view, list, and delete breakpoints (snapshots & logpoints) as well as list debug targets (debuggees). |
|
Project |
Cloud DocumentAI roles
| Role | Title | Description | Permissions | Lowest resource |
|---|---|---|---|---|
roles/ |
Cloud DocumentAI Administrator. Beta | Grants full access to all resources in Cloud DocumentAI |
|
|
roles/ |
Cloud DocumentAI API User Beta | Grants access to process documents in Cloud DocumentAI |
|
|
roles/ |
Cloud DocumentAI Editor Beta | Grants access to use all resources in Cloud DocumentAI |
|
|
roles/ |
Cloud DocumentAI Viewer Beta | Grants access to view all resources and process documents in Cloud DocumentAI |
|
Cloud Functions roles
| Role | Title | Description | Permissions | Lowest resource |
|---|---|---|---|---|
roles/ |
Cloud Functions Admin | Full access to functions, operations and locations. |
|
|
roles/ |
Cloud Functions Developer | Read and write access to all functions-related resources. |
|
|
roles/ |
Cloud Functions Invoker | Ability to invoke HTTP functions with restricted access. |
|
|
roles/ |
Cloud Functions Viewer | Read-only access to functions and locations. |
|
Cloud IAP roles
| Role | Title | Description | Permissions | Lowest resource |
|---|---|---|---|---|
roles/ |
IAP Policy Admin | Provides full access to Identity-Aware Proxy resources. |
|
Project |
roles/ |
IAP-secured Web App User | Provides permission to access HTTPS resources which use Identity-Aware Proxy. |
|
Project |
roles/ |
IAP Settings Admin | Administrator of IAP Settings. |
|
|
roles/ |
IAP-secured Tunnel User | Access Tunnel resources which use Identity-Aware Proxy |
|
Cloud IoT roles
| Role | Title | Description | Permissions | Lowest resource |
|---|---|---|---|---|
roles/ |
Cloud IoT Admin | Full control of all Cloud IoT resources and permissions. |
|
Device |
roles/ |
Cloud IoT Device Controller | Access to update the device configuration, but not to create or delete devices. |
|
Device |
roles/ |
Cloud IoT Editor | Read-write access to all Cloud IoT resources. |
|
Device |
roles/ |
Cloud IoT Provisioner | Access to create and delete devices from registries, but not to modify the registries. |
|
Device |
roles/ |
Cloud IoT Viewer | Read-only access to all Cloud IoT resources. |
|
Device |
Cloud Talent Solution roles
| Role | Title | Description | Permissions | Lowest resource |
|---|---|---|---|---|
roles/ |
Admin | Access to Cloud Talent Solution Self-Service Tools. |
|
|
roles/ |
Job Editor | Write access to all job data in Cloud Talent Solution. |
|
|
roles/ |
Job Viewer | Read access to all job data in Cloud Talent Solution. |
|
|
roles/ |
Profile Editor | Write access to all profile data in Cloud Talent Solution. |
|
|
roles/ |
Profile Viewer | Read access to all profile data in Cloud Talent Solution. |
|
Cloud KMS roles
| Role | Title | Description | Permissions | Lowest resource |
|---|---|---|---|---|
roles/ |
Cloud KMS Admin | Provides full access to Cloud KMS resources, except encrypt and decrypt operations. |
|
CryptoKey |
roles/ |
Cloud KMS CryptoKey Decrypter | Provides ability to use Cloud KMS resources for decrypt operations only. |
|
CryptoKey |
roles/ |
Cloud KMS CryptoKey Encrypter | Provides ability to use Cloud KMS resources for encrypt operations only. |
|
CryptoKey |
roles/ |
Cloud KMS CryptoKey Encrypter/Decrypter | Provides ability to use Cloud KMS resources for encrypt and decrypt operations only. |
|
CryptoKey |
roles/ |
Cloud KMS Importer | Enables ImportCryptoKeyVersion, CreateImportJob, ListImportJobs, and GetImportJob operations |
|
|
roles/ |
Cloud KMS CryptoKey Public Key Viewer | Enables GetPublicKey operations |
|
|
roles/ |
Cloud KMS CryptoKey Signer | Enables Sign operations |
|
|
roles/ |
Cloud KMS CryptoKey Signer/Verifier | Enables Sign, Verify, and GetPublicKey operations |
|
Cloud Marketplace roles
| Role | Title | Description | Permissions | Lowest resource |
|---|---|---|---|---|
roles/ |
Consumer Procurement Entitlement Manager Beta | Allows managing entitlements and enabling, disabling, and inspecting service states for a consumer project. |
|
|
roles/ |
Consumer Procurement Entitlement Viewer Beta | Allows inspecting entitlements and service states for a consumer project. |
|
|
roles/ |
Consumer Procurement Order Administrator Beta | Allows managing purchases. |
|
|
roles/ |
Consumer Procurement Order Viewer Beta | Allows inspecting purchases. |
|
Cloud Migration roles
| Role | Title | Description | Permissions | Lowest resource |
|---|---|---|---|---|
roles/ |
Velostrata Manager Beta | Ability to create and manage Compute VMs to run Velostrata Infrastructure |
|
|
roles/ |
Velostrata Storage Access Beta | Ability to access migration storage |
|
|
roles/ |
Velostrata Manager Connection Agent Beta | Ability to set up connection between Velostrata Manager and Google |
|
|
roles/ |
VM Migration Administrator Beta | Ability to view and edit all VM Migration objects |
|
|
roles/ |
VM Migration Viewer Beta | Ability to view all VM Migration objects |
|
Cloud Private Catalog roles
| Role | Title | Description | Permissions | Lowest resource |
|---|---|---|---|---|
roles/ |
Catalog Consumer Beta | Can browse catalogs in the target resource context. |
|
|
roles/ |
Catalog Admin Beta | Can manage catalog and view its associations. |
|
|
roles/ |
Catalog Manager Beta | Can manage associations between a catalog and a target resource. |
|
|
roles/ |
Catalog Org Admin Beta | Can manage catalog org settings. |
|
Cloud Profiler roles
| Role | Title | Description | Permissions | Lowest resource |
|---|---|---|---|---|
roles/ |
Cloud Profiler Agent | Cloud Profiler agents are allowed to register and provide the profiling data. |
|
|
roles/ |
Cloud Profiler User | Cloud Profiler users are allowed to query and view the profiling data. |
|
Cloud Scheduler roles
| Role | Title | Description | Permissions | Lowest resource |
|---|---|---|---|---|
roles/ |
Cloud Scheduler Admin |
Full access to jobs and executions. Note that a Cloud Scheduler Admin (or any custom role with the permission cloudschedulers.job.create) can create jobs that publish to any Pub/Sub topics within the project. |
|
|
roles/ |
Cloud Scheduler Job Runner | Access to run jobs. |
|
|
roles/ |
Cloud Scheduler Viewer | Get and list access to jobs, executions, and locations. |
|
Cloud Security Scanner roles
| Role | Title | Description | Permissions | Lowest resource |
|---|---|---|---|---|
roles/ |
Web Security Scanner Editor | Full access to all Web Security Scanner resources |
|
Project |
roles/ |
Web Security Scanner Runner | Read access to Scan and ScanRun, plus the ability to start scans |
|
Project |
roles/ |
Web Security Scanner Viewer | Read access to all Web Security Scanner resources |
|
Project |
Cloud Services roles
| Role | Title | Description | Permissions | Lowest resource |
|---|---|---|---|---|
roles/ |
Service Broker Admin | Full access to ServiceBroker resources. |
|
|
roles/ |
Service Broker Operator | Operational access to the ServiceBroker resources. |
|
Cloud SQL roles
| Role | Title | Description | Permissions | Lowest resource |
|---|---|---|---|---|
roles/ |
Cloud SQL Admin | Provides full control of Cloud SQL resources. |
|
Project |
roles/ |
Cloud SQL Client | Provides connectivity access to Cloud SQL instances. |
|
Project |
roles/ |
Cloud SQL Editor | Provides full control of existing Cloud SQL instances excluding modifying users, SSL certificates or deleting resources. |
|
Project |
roles/ |
Cloud SQL Instance User | Role allowing access to a Cloud SQL instance |
|
|
roles/ |
Cloud SQL Viewer | Provides read-only access to Cloud SQL resources. |
|
Project |
Cloud Tasks roles
| Role | Title | Description | Permissions | Lowest resource |
|---|---|---|---|---|
roles/ |
Cloud Tasks Admin Beta | Full access to queues and tasks. |
|
|
roles/ |
Cloud Tasks Enqueuer Beta | Access to create tasks. |
|
|
roles/ |
Cloud Tasks Queue Admin Beta | Admin access to queues. |
|
|
roles/ |
Cloud Tasks Task Deleter Beta | Access to delete tasks. |
|
|
roles/ |
Cloud Tasks Task Runner Beta | Access to run tasks. |
|
|
roles/ |
Cloud Tasks Viewer Beta | Get and list access to tasks, queues, and locations. |
|
Cloud Trace roles
| Role | Title | Description | Permissions | Lowest resource |
|---|---|---|---|---|
roles/ |
Cloud Trace Admin | Provides full access to the Trace console and read-write access to traces. |
|
Project |
roles/ |
Cloud Trace Agent | For service accounts. Provides ability to write traces by sending the data to Stackdriver Trace. |
|
Project |
roles/ |
Cloud Trace User | Provides full access to the Trace console and read access to traces. |
|
Project |
Cloud Translation roles
| Role | Title | Description | Permissions | Lowest resource |
|---|---|---|---|---|
roles/ |
Cloud Translation API Admin | Full access to all Cloud Translation resources |
|
|
roles/ |
Cloud Translation API Editor | Editor of all Cloud Translation resources |
|
|
roles/ |
Cloud Translation API User | User of Cloud Translation and AutoML models |
|
|
roles/ |
Cloud Translation API Viewer | Viewer of all Translation resources |
|
Workflows roles
| Role | Title | Description | Permissions | Lowest resource |
|---|---|---|---|---|
roles/ |
Workflows Admin Beta | Full access to workflows and related resources. |
|
|
roles/ |
Workflows Editor Beta | Read and write access to workflows and related resources. |
|
|
roles/ |
Workflows Invoker Beta | Access to execute workflows and manage the executions. |
|
|
roles/ |
Workflows Viewer Beta | Read-only access to workflows and related resources. |
|
Codelab API Keys roles
| Role | Title | Description | Permissions | Lowest resource |
|---|---|---|---|---|
roles/ |
Codelab ApiKeys Admin Beta | Full access to API keys |
|
|
roles/ |
Codelab API Keys Editor Beta | This role can view and edit all properties of API keys. |
|
|
roles/ |
Codelab API Keys Viewer Beta | This role can view all properties except change history of API keys. |
|
Cloud Composer roles
| Role | Title | Description | Permissions | Lowest resource |
|---|---|---|---|---|
roles/ |
Composer Administrator | Provides full control of Cloud Composer resources. |
|
Project |
roles/ |
Environment and Storage Object Administrator | Provides full control of Cloud Composer resources and of the objects in all project buckets. |
|
Project |
roles/ |
Environment User and Storage Object Viewer | Provides the permissions necessary to list and get Cloud Composer environments and operations. Provides read-only access to objects in all project buckets. |
|
Project |
roles/ |
Composer Shared VPC Agent | Role that should be assigned to Composer Agent service account in Shared VPC host project |
|
|
roles/ |
Composer User | Provides the permissions necessary to list and get Cloud Composer environments and operations. |
|
Project |
roles/ |
Composer Worker | Provides the permissions necessary to run a Cloud Composer environment VM. Intended for service accounts. |
|
Project |
Compute Engine roles
| Role | Title | Description | Permissions | Lowest resource |
|---|---|---|---|---|
roles/ |
Compute Admin |
Full control of all Compute Engine resources.
If the user will be managing virtual machine instances that are configured
to run as a service account, you must also grant the
|
|
Disk, image, instance, instanceTemplate, nodeGroup, nodeTemplate, snapshot Beta |
roles/ |
Compute Image User |
Permission to list and read images without having other permissions on the image. Granting this role at the project level gives users the ability to list all images in the project and create resources, such as instances and persistent disks, based on images in the project. |
|
ImageBeta |
roles/ |
Compute Instance Admin (beta) |
Permissions to create, modify, and delete virtual machine instances. This includes permissions to create, modify, and delete disks, and also to configure Shielded VMBETA settings.
If the user will be managing virtual machine instances that are configured
to run as a service account, you must also grant the
For example, if your company has someone who manages groups of virtual machine instances but does not manage network or security settings and does not manage instances that run as service accounts, you can grant this role on the organization, folder, or project that contains the instances, or you can grant it on individual instances. |
|
Disk, image, instance, instanceTemplate, snapshot Beta |
roles/ |
Compute Instance Admin (v1) |
Full control of Compute Engine instances, instance groups, disks, snapshots, and images. Read access to all Compute Engine networking resources. If you grant a user this role only at an instance level, then that user cannot create new instances. |
|
|
roles/ |
Compute Load Balancer Admin Beta |
Permissions to create, modify, and delete load balancers and associate resources. For example, if your company has a load balancing team that manages load balancers, SSL certificates for load balancers, SSL policies, and other load balancing resources, and a separate networking team that manages the rest of the networking resources, then grant this role to the load balancing team's group. |
|
InstanceBeta |
roles/ |
Compute Network Admin |
Permissions to create, modify, and delete networking resources, except for firewall rules and SSL certificates. The network admin role allows read-only access to firewall rules, SSL certificates, and instances (to view their ephemeral IP addresses). The network admin role does not allow a user to create, start, stop, or delete instances. For example, if your company has a security team that manages firewalls and SSL certificates and a networking team that manages the rest of the networking resources, then grant this role to the networking team's group. |
|
InstanceBeta |
roles/ |
Compute Network User |
Provides access to a shared VPC network Once granted, service owners can use VPC networks and subnets that belong to the host project. For example, a network user can create a VM instance that belongs to a host project network but they cannot delete or create new networks in the host project. |
|
Project |
roles/ |
Compute Network Viewer |
Read-only access to all networking resources For example, if you have software that inspects your network configuration, you could grant this role to that software's service account. |
|
InstanceBeta |
roles/ |
Compute Organization Firewall Policy Admin | Full control of Compute Engine Organization Firewall Policies. |
|
|
roles/ |
Compute Organization Firewall Policy User | View or use Compute Engine Firewall Policies to associate with the organization or folders. |
|
|
roles/ |
Compute Organization Security Policy Admin | Full control of Compute Engine Organization Security Policies. |
|
|
roles/ |
Compute Organization Security Policy User | View or use Compute Engine Security Policies to associate with the organization or folders. |
|
|
roles/ |
Compute Organization Resource Admin | Full control of Compute Engine Firewall Policy associations to the organization or folders. |
|
|
roles/ |
Compute OS Admin Login | Access to log in to a Compute Engine instance as an administrator user. |
|
InstanceBeta |
roles/ |
Compute OS Login | Access to log in to a Compute Engine instance as a standard user. |
|
InstanceBeta |
roles/ |
Compute OS Login External User |
Available only at the organization level. Access for an external user to set OS Login information associated with this organization. This role does not grant access to instances. External users must be granted one of the required OS Login roles in order to allow access to instances using SSH. |
|
Organization |
roles/ |
Compute packet mirroring admin | Specify resources to be mirrored. |
|
|
roles/ |
Compute packet mirroring user | Use Compute Engine packet mirrorings. |
|
|
roles/ |
Compute Public IP Admin Beta | Full control of public IP address management for Compute Engine. |
|
|
roles/ |
Compute Security Admin |
Permissions to create, modify, and delete firewall rules and SSL certificates, and also to configure Shielded VMBETA settings. For example, if your company has a security team that manages firewalls and SSL certificates and a networking team that manages the rest of the networking resources, then grant this role to the security team's group. |
|
InstanceBeta |
roles/ |
Compute Storage Admin |
Permissions to create, modify, and delete disks, images, and snapshots. For example, if your company has someone who manages project images and you don't want them to have the editor role on the project, then grant this role to their account on the project. |
|
Disk, image, snapshot Beta |
roles/ |
Compute Viewer |
Read-only access to get and list Compute Engine resources, without being able to read the data stored on them. For example, an account with this role could inventory all of the disks in a project, but it could not read any of the data on those disks. |
|
Disk, image, instance, instanceTemplate, nodeGroup, nodeTemplate, snapshot Beta |
roles/ |
Compute Shared VPC Admin |
Permissions to administer shared VPC host projects, specifically enabling the host projects and associating shared VPC service projects to the host project's network. At the organization level, this role can only be granted by an organization admin.
Google Cloud recommends that the Shared VPC Admin be the owner of the shared VPC host project. The
Shared VPC Admin is responsible for granting the Compute Network User role
( |
|
Folder |
roles/ |
GuestPolicy Admin Beta | Full admin access to GuestPolicies |
|
|
roles/ |
GuestPolicy Editor Beta | Editor of GuestPolicy resources |
|
|
roles/ |
GuestPolicy Viewer Beta | Viewer of GuestPolicy resources |
|
|
roles/ |
PatchDeployment Admin | Full admin access to PatchDeployments |
|
|
roles/ |
PatchDeployment Viewer | Viewer of PatchDeployment resources |
|
|
roles/ |
Patch Job Executor | Access to execute Patch Jobs. |
|
|
roles/ |
Patch Job Viewer | Get and list Patch Jobs. |
|
Kubernetes Engine roles
| Role | Title | Description | Permissions | Lowest resource |
|---|---|---|---|---|
roles/ |
Kubernetes Engine Admin |
Provides access to full management of clusters and their Kubernetes API objects.
To set a service account on nodes, you must also grant the Service Account User role
( |
|
Project |
roles/ |
Kubernetes Engine Cluster Admin |
Provides access to management of clusters.
To set a service account on nodes, you must also grant the Service Account User role
( |
|
Project |
roles/ |
Kubernetes Engine Cluster Viewer | Get and list access to GKE Clusters. |
|
|
roles/ |
Kubernetes Engine Developer | Provides access to Kubernetes API objects inside clusters. |
|
Project |
roles/ |
Kubernetes Engine Host Service Agent User | Allows the Kubernetes Engine service account in the host project to configure shared network resources for cluster management. Also gives access to inspect the firewall rules in the host project. |
|
|
roles/ |
Kubernetes Engine Viewer | Provides read-only access to GKE resources. |
|
Project |
Container Analysis roles
| Role | Title | Description | Permissions | Lowest resource |
|---|---|---|---|---|
roles/ |
Container Analysis Admin | Access to all Container Analysis resources. |
|
|
roles/ |
Container Analysis Notes Attacher | Can attach Container Analysis Occurrences to Notes. |
|
|
roles/ |
Container Analysis Notes Editor | Can edit Container Analysis Notes. |
|
|
roles/ |
Container Analysis Occurrences for Notes Viewer |
|
||
roles/ |
Container Analysis Notes Viewer | Can view Container Analysis Notes. |
|
|
roles/ |
Container Analysis Occurrences Editor | Can edit Container Analysis Occurrences. |
|
|
roles/ |
Container Analysis Occurrences Viewer | Can view Container Analysis Occurrences. |
|
Data Catalog roles
| Role | Title | Description | Permissions | Lowest resource |
|---|---|---|---|---|
roles/ |
Data Catalog Admin | Full access to all DataCatalog resources |
|
|
roles/ |
Policy Tag Admin Beta | Manage taxonomies |
|
|
roles/ |
Fine-Grained Reader Beta | Read access to sub-resources tagged by a policy tag, for example, BigQuery columns |
|
|
roles/ |
DataCatalog EntryGroup Creator | Can create new entryGroups |
|
|
roles/ |
DataCatalog entryGroup Owner | Full access to entryGroups |
|
|
roles/ |
DataCatalog entry Owner | Full access to entries |
|
|
roles/ |
DataCatalog Entry Viewer | Read access to entries |
|
|
roles/ |
Data Catalog Tag Editor | Provides access to modify tags on Google Cloud assets for BigQuery and Pub/Sub |
|
|
roles/ |
Data Catalog TagTemplate Creator | Access to create new tag templates |
|
|
roles/ |
Data Catalog TagTemplate Owner | Full access to tag templates |
|
|
roles/ |
Data Catalog TagTemplate User | Access to use templates to tag resources |
|
|
roles/ |
Data Catalog TagTemplate Viewer | Read access to templates and tags created using the templates |
|
|
roles/ |
Data Catalog Viewer | Provides metadata read access to catalogued Google Cloud assets for BigQuery and Pub/Sub |
|
Dataflow roles
| Role | Title | Description | Permissions | Lowest resource |
|---|---|---|---|---|
roles/ |
Dataflow Admin | Minimal role for creating and managing dataflow jobs. |
|
|
roles/ |
Dataflow Developer | Provides the permissions necessary to execute and manipulate Dataflow jobs. |
|
Project |
roles/ |
Dataflow Viewer | Provides read-only access to all Dataflow-related resources. |
|
Project |
roles/ |
Dataflow Worker | Provides the permissions necessary for a Compute Engine service account to execute work units for a Dataflow pipeline. |
|
Project |
Cloud Data Labeling roles
| Role | Title | Description | Permissions | Lowest resource |
|---|---|---|---|---|
roles/ |
DataLabeling Service Admin Beta | Full access to all DataLabeling resources |
|
|
roles/ |
DataLabeling Service Editor Beta | Editor of all DataLabeling resources |
|
|
roles/ |
DataLabeling Service Viewer Beta | Viewer of all DataLabeling resources |
|
Data Migration roles
| Role | Title | Description | Permissions | Lowest resource |
|---|---|---|---|---|
roles/ |
Database Migration Admin Beta | Full access to all resources of Database Migration. |
|
Dataprep roles
| Role | Title | Description | Permissions | Lowest resource |
|---|---|---|---|---|
roles/ |
Dataprep User Beta | Use of Dataprep. |
|
Dataproc roles
| Role | Title | Description | Permissions | Lowest resource |
|---|---|---|---|---|
roles/ |
Dataproc Administrator | Full control of Dataproc resources. |
|
|
roles/ |
Dataproc Editor | Provides the permissions necessary for viewing the resources required to manage Dataproc, including machine types, networks, projects, and zones. |
|
Project |
roles/ |
Dataproc Hub Agent | Allows management of Dataproc resources. Intended for service accounts running Dataproc Hub instances. |
|
|
roles/ |
Dataproc Viewer | Provides read-only access to Dataproc resources. |
|
Project |
roles/ |
Dataproc Worker | Provides worker access to Dataproc resources. Intended for service accounts. |
|
Datastore roles
| Role | Title | Description | Permissions | Lowest resource |
|---|---|---|---|---|
roles/ |
Cloud Datastore Import Export Admin | Provides full access to manage imports and exports. |
|
Project |
roles/ |
Cloud Datastore Index Admin | Provides full access to manage index definitions. |
|
Project |
roles/ |
Cloud Datastore Owner | Provides full access to Datastore resources. |
|
Project |
roles/ |
Cloud Datastore User | Provides read/write access to data in a Datastore database. |
|
Project |
roles/ |
Cloud Datastore Viewer | Provides read access to Datastore resources. |
|
Project |
Deployment Manager roles
| Role | Title | Description | Permissions | Lowest resource |
|---|---|---|---|---|
roles/ |
Deployment Manager Editor | Provides the permissions necessary to create and manage deployments. |
|
Project |
roles/ |
Deployment Manager Type Editor | Provides read and write access to all Type Registry resources. |
|
Project |
roles/ |
Deployment Manager Type Viewer | Provides read-only access to all Type Registry resources. |
|
Project |
roles/ |
Deployment Manager Viewer | Provides read-only access to all Deployment Manager-related resources. |
|
Project |
Dialogflow roles
| Role | Title | Description | Permissions | Lowest resource |
|---|---|---|---|---|
roles/ |
Dialogflow API Admin | Grant to Dialogflow API admins that need full access to Dialogflow-specific resources. Also see Dialogflow access control. |
|
Project |
roles/ |
Dialogflow API Client | Grant to Dialogflow API clients that perform Dialogflow-specific edits and detect intent calls using the API. Also see Dialogflow access control. |
|
Project |
roles/ |
Dialogflow Console Agent Editor | Grant to Dialogflow Console editors that edit existing agents. Also see Dialogflow access control. |
|
Project |
roles/ |
Dialogflow Conversation Manager | Can manage all the resources related to Dialogflow Conversations. |
|
|
roles/ |
Dialogflow Integration Manager | Can add, remove, enable and disable Dialogflow integrations. |
|
|
roles/ |
Dialogflow API Reader | Grant to Dialogflow API clients that perform Dialogflow-specific read-only calls using the API. Also see Dialogflow access control. |
|
Project |
Cloud DLP roles
| Role | Title | Description | Permissions | Lowest resource |
|---|---|---|---|---|
roles/ |
DLP Administrator | Administer DLP including jobs and templates. |
|
|
roles/ |
DLP Analyze Risk Templates Editor | Edit DLP analyze risk templates. |
|
|
roles/ |
DLP Analyze Risk Templates Reader | Read DLP analyze risk templates. |
|
|
roles/ |
DLP De-identify Templates Editor | Edit DLP de-identify templates. |
|
|
roles/ |
DLP De-identify Templates Reader | Read DLP de-identify templates. |
|
|
roles/ |
DLP Inspect Findings Reader | Read DLP stored findings. |
|
|
roles/ |
DLP Inspect Templates Editor | Edit DLP inspect templates. |
|
|
roles/ |
DLP Inspect Templates Reader | Read DLP inspect templates. |
|
|
roles/ |
DLP Job Triggers Editor | Edit job triggers configurations. |
|
|
roles/ |
DLP Job Triggers Reader | Read job triggers. |
|
|
roles/ |
DLP Jobs Editor | Edit and create jobs |
|
|
roles/ |
DLP Jobs Reader | Read jobs |
|
|
roles/ |
DLP Reader | Read DLP entities, such as jobs and templates. |
|
|
roles/ |
DLP Stored InfoTypes Editor | Edit DLP stored info types. |
|
|
roles/ |
DLP Stored InfoTypes Reader | Read DLP stored info types. |
|
|
roles/ |
DLP User | Inspect, Redact, and De-identify Content |
|
DNS roles
| Role | Title | Description | Permissions | Lowest resource |
|---|---|---|---|---|
roles/ |
DNS Administrator | Provides read-write access to all Cloud DNS resources. |
|
Project |
roles/ |
DNS Peer | Access to target networks with DNS peering zones |
|
|
roles/ |
DNS Reader | Provides read-only access to all Cloud DNS resources. |
|
Project |
Cloud Domains roles
| Role | Title | Description | Permissions | Lowest resource |
|---|---|---|---|---|
roles/ |
Cloud Domains Admin Beta | Full access to Cloud Domains Registrations and related resources. |
|
|
roles/ |
Cloud Domains Viewer Beta | Read-only access to Cloud Domains Registrations and related resources. |
|
Earth Engine roles
| Role | Title | Description | Permissions | Lowest resource |
|---|---|---|---|---|
roles/ |
Earth Engine Resource Admin Beta | Full access to all Earth Engine resource features |
|
|
roles/ |
Earth Engine Resource Viewer Beta | Viewer of all Earth Engine resources |
|
|
roles/ |
Earth Engine Resource Writer Beta | Writer of all Earth Engine resources |
|
Endpoints roles
| Role | Title | Description | Permissions | Lowest resource |
|---|---|---|---|---|
roles/ |
Endpoints Portal Admin Beta | Provides all permissions needed to add, view, and delete custom domains on the Endpoints > Developer Portal page in the Cloud Console. On a portal created for an API, provides the permission to change settings on the Site Wide tab on the Settings page. |
|
Project |
Error Reporting roles
| Role | Title | Description | Permissions | Lowest resource |
|---|---|---|---|---|
roles/ |
Error Reporting Admin Beta | Provides full access to Error Reporting data. |
|
Project |
roles/ |
Error Reporting User Beta | Provides the permissions to read and write Error Reporting data, except for sending new error events. |
|
Project |
roles/ |
Error Reporting Viewer Beta | Provides read-only access to Error Reporting data. |
|
Project |
roles/ |
Error Reporting Writer Beta | Provides the permissions to send error events to Error Reporting. |
|
Service Account |
Eventarc roles
| Role | Title | Description | Permissions | Lowest resource |
|---|---|---|---|---|
roles/ |
Eventarc Admin Beta | Full control over all Eventarc resources. |
|
|
roles/ |
Eventarc Event Receiver Beta | Can receive events from all event providers. |
|
|
roles/ |
Eventarc Viewer Beta | Can view the state of all Eventarc resources, including IAM policies. |
|
Cloud Filestore roles
| Role | Title | Description | Permissions | Lowest resource |
|---|---|---|---|---|
roles/ |
Cloud Filestore Editor Beta | Read-write access to Filestore instances and related resources. |
|
|
roles/ |
Cloud Filestore Viewer Beta | Read-only access to Filestore instances and related resources. |
|