Understanding roles

This page describes IAM roles and lists the predefined roles that you can grant to your principals.

A role contains a set of permissions that allows you to perform specific actions on Google Cloud resources. To make permissions available to principals, including users, groups, and service accounts, you grant roles to the principals.

Prerequisite for this guide

Understand the basic concepts of IAM

Role types

There are three types of roles in IAM:

Basic roles, which include the Owner, Editor, and Viewer roles that existed prior to the introduction of IAM.
Predefined roles, which provide granular access for a specific service and are managed by Google Cloud.
Custom roles, which provide granular access according to a user-specified list of permissions.

To determine if a permission is included in a basic, predefined, or custom role, you can use one of the following methods:

Run the gcloud iam roles describe command to list the permissions in the role.
Call the roles.get() REST API method to list the permissions in the role.
For basic and predefined roles only: Search the permissions reference to see if the permission is granted by the role.
For predefined roles only: Search the predefined role descriptions on this page to see which permissions the role includes.

The sections below describe each role type and provide examples of how to use them.

Basic roles

There are several basic roles that existed prior to the introduction of IAM: Owner, Editor, and Viewer. These roles are concentric; that is, the Owner role includes the permissions in the Editor role, and the Editor role includes the permissions in the Viewer role. They were originally known as "primitive roles."

The following table summarizes the permissions that the basic roles include across all Google Cloud services:

Basic role definitions

Name	Title	Permissions
`roles/viewer`	Viewer	Permissions for read-only actions that do not affect state, such as viewing (but not modifying) existing resources or data.
`roles/editor`	Editor	All viewer permissions, plus permissions for actions that modify state, such as changing existing resources. Note: The Editor role contains permissions to create and delete resources for most Google Cloud services. However, it does not contain permissions to perform all actions for all services. For more information about how to check whether a role has the permissions that you need, see Role types on this page.
`roles/owner`	Owner	All Editor permissions and permissions for the following actions: Manage roles and permissions for a project and all resources within the project. Set up billing for a project. Note: Granting the Owner role at a resource level, such as a Pub/Sub topic, doesn't grant the Owner role on the parent project. Granting the Owner role at the organization level doesn't allow you to update the organization's metadata. However, it allows you to modify all projects and other resources under that organization. To grant the Owner role on a project to a user outside of your organization, you must use the Google Cloud console, not the gcloud CLI. If your project is not part of an organization, you must use the Google Cloud console to grant the Owner role.

You can apply basic roles at the project or service resource levels by using the Google Cloud console, the API, and the gcloud CLI. See Granting, changing, and revoking access for instructions.

To see how to grant roles using the Google Cloud console, see Granting, changing, and revoking access.

Predefined roles

In addition to the basic roles, IAM provides additional predefined roles that give granular access to specific Google Cloud resources and prevent unwanted access to other resources. These roles are created and maintained by Google. Google automatically updates their permissions as necessary, such as when Google Cloud adds new features or services.

The following tables list these roles, their description, and the lowest-level resource type where the roles can be set. A particular role can be granted to this resource type, or in most cases any type above it in the Google Cloud resource hierarchy.

You can grant multiple roles to the same user, at any level of the resource hierarchy. For example, the same user can have the Compute Network Admin and Logs Viewer roles on a project, and also have the Pub/Sub Publisher role on a Pub/Sub topic within that project. To list the permissions contained in a role, see Getting the role metadata.

For help choosing the most appropriate predefined roles, see Choose predefined roles.

Access Approval roles

Role	Permissions
Access Approval Approver ^Beta (`roles/accessapproval.approver`) Ability to view or act on access approval requests and view configuration	accessapproval.requests.* accessapproval.settings.get resourcemanager.projects.get resourcemanager.projects.list
Access Approval Config Editor ^Beta (`roles/accessapproval.configEditor`) Ability to update the Access Approval configuration	accessapproval.settings.* resourcemanager.projects.get resourcemanager.projects.list
Access Approval Invalidator ^Beta (`roles/accessapproval.invalidator`) Ability to invalidate existing approved approval requests	accessapproval.requests.invalidate accessapproval.settings.get resourcemanager.projects.get resourcemanager.projects.list
Access Approval Viewer ^Beta (`roles/accessapproval.viewer`) Ability to view access approval requests and configuration	accessapproval.requests.get accessapproval.requests.list accessapproval.settings.get resourcemanager.projects.get resourcemanager.projects.list

Access Context Manager roles

Role	Permissions
Cloud Access Binding Admin (`roles/accesscontextmanager.gcpAccessAdmin`) Create, edit, and change Cloud access bindings.	accesscontextmanager.gcpUserAccessBindings.*
Cloud Access Binding Reader (`roles/accesscontextmanager.gcpAccessReader`) Read access to Cloud access bindings.	accesscontextmanager.gcpUserAccessBindings.get accesscontextmanager.gcpUserAccessBindings.list
Access Context Manager Admin (`roles/accesscontextmanager.policyAdmin`) Full access to policies, access levels, and access zones	accesscontextmanager.accessLevels.* accesscontextmanager.accessPolicies.* accesscontextmanager.accessZones.* accesscontextmanager.policies.* accesscontextmanager.servicePerimeters.* cloudasset.assets.searchAllResources resourcemanager.organizations.get resourcemanager.projects.get resourcemanager.projects.list
Access Context Manager Editor (`roles/accesscontextmanager.policyEditor`) Edit access to policies. Create, edit, and change access levels and access zones.	accesscontextmanager.accessLevels.* accesscontextmanager.accessPolicies.create accesscontextmanager.accessPolicies.delete accesscontextmanager.accessPolicies.get accesscontextmanager.accessPolicies.getIamPolicy accesscontextmanager.accessPolicies.list accesscontextmanager.accessPolicies.update accesscontextmanager.accessZones.* accesscontextmanager.policies.create accesscontextmanager.policies.delete accesscontextmanager.policies.get accesscontextmanager.policies.getIamPolicy accesscontextmanager.policies.list accesscontextmanager.policies.update accesscontextmanager.servicePerimeters.* cloudasset.assets.searchAllResources resourcemanager.organizations.get resourcemanager.projects.get resourcemanager.projects.list
Access Context Manager Reader (`roles/accesscontextmanager.policyReader`) Read access to policies, access levels, and access zones.	accesscontextmanager.accessLevels.get accesscontextmanager.accessLevels.list accesscontextmanager.accessPolicies.get accesscontextmanager.accessPolicies.getIamPolicy accesscontextmanager.accessPolicies.list accesscontextmanager.accessZones.get accesscontextmanager.accessZones.list accesscontextmanager.policies.get accesscontextmanager.policies.getIamPolicy accesscontextmanager.policies.list accesscontextmanager.servicePerimeters.get accesscontextmanager.servicePerimeters.list resourcemanager.organizations.get resourcemanager.projects.get resourcemanager.projects.list
VPC Service Controls Troubleshooter Viewer (`roles/accesscontextmanager.vpcScTroubleshooterViewer`)	accesscontextmanager.accessLevels.get accesscontextmanager.accessLevels.list accesscontextmanager.policies.get accesscontextmanager.policies.getIamPolicy accesscontextmanager.policies.list accesscontextmanager.servicePerimeters.get accesscontextmanager.servicePerimeters.list logging.exclusions.get logging.exclusions.list logging.logEntries.list logging.logMetrics.get logging.logMetrics.list logging.logServiceIndexes.list logging.logServices.list logging.logs.list logging.sinks.get logging.sinks.list logging.usage.get resourcemanager.organizations.get resourcemanager.projects.get resourcemanager.projects.list

Actions roles

Role	Permissions
Actions Admin (`roles/actions.Admin`) Access to edit and deploy an action	actions.* firebase.projects.get firebase.projects.update resourcemanager.projects.get resourcemanager.projects.list serviceusage.services.use
Actions Viewer (`roles/actions.Viewer`) Access to view an action	actions.agent.get actions.agentVersions.get actions.agentVersions.list firebase.projects.get resourcemanager.projects.get resourcemanager.projects.list serviceusage.services.use

AI Notebooks roles

Role	Permissions
Notebooks Admin (`roles/notebooks.admin`) Full access to Notebooks, all resources. Lowest-level resources where you can grant this role: Instance	compute.acceleratorTypes.* compute.addresses.get compute.addresses.list compute.autoscalers.get compute.autoscalers.list compute.backendBuckets.get compute.backendBuckets.list compute.backendServices.get compute.backendServices.getIamPolicy compute.backendServices.list compute.commitments.get compute.commitments.list compute.diskTypes.* compute.disks.get compute.disks.getIamPolicy compute.disks.list compute.disks.listEffectiveTags compute.disks.listTagBindings compute.externalVpnGateways.get compute.externalVpnGateways.list compute.firewallPolicies.get compute.firewallPolicies.getIamPolicy compute.firewallPolicies.list compute.firewalls.get compute.firewalls.list compute.forwardingRules.get compute.forwardingRules.list compute.globalAddresses.get compute.globalAddresses.list compute.globalForwardingRules.get compute.globalForwardingRules.list compute.globalForwardingRules.pscGet compute.globalNetworkEndpointGroups.get compute.globalNetworkEndpointGroups.list compute.globalOperations.get compute.globalOperations.getIamPolicy compute.globalOperations.list compute.globalPublicDelegatedPrefixes.get compute.globalPublicDelegatedPrefixes.list compute.healthChecks.get compute.healthChecks.list compute.httpHealthChecks.get compute.httpHealthChecks.list compute.httpsHealthChecks.get compute.httpsHealthChecks.list compute.images.get compute.images.getFromFamily compute.images.getIamPolicy compute.images.list compute.images.listEffectiveTags compute.images.listTagBindings compute.instanceGroupManagers.get compute.instanceGroupManagers.list compute.instanceGroups.get compute.instanceGroups.list compute.instanceTemplates.get compute.instanceTemplates.getIamPolicy compute.instanceTemplates.list compute.instances.get compute.instances.getEffectiveFirewalls compute.instances.getGuestAttributes compute.instances.getIamPolicy compute.instances.getScreenshot compute.instances.getSerialPortOutput compute.instances.getShieldedInstanceIdentity compute.instances.getShieldedVmIdentity compute.instances.list compute.instances.listEffectiveTags compute.instances.listReferrers compute.instances.listTagBindings compute.interconnectAttachments.get compute.interconnectAttachments.list compute.interconnectLocations.* compute.interconnects.get compute.interconnects.list compute.licenseCodes.get compute.licenseCodes.getIamPolicy compute.licenseCodes.list compute.licenses.get compute.licenses.getIamPolicy compute.licenses.list compute.machineImages.get compute.machineImages.getIamPolicy compute.machineImages.list compute.machineTypes.* compute.maintenancePolicies.get compute.maintenancePolicies.getIamPolicy compute.maintenancePolicies.list compute.networkEndpointGroups.get compute.networkEndpointGroups.getIamPolicy compute.networkEndpointGroups.list compute.networks.get compute.networks.getEffectiveFirewalls compute.networks.getRegionEffectiveFirewalls compute.networks.list compute.networks.listPeeringRoutes compute.nodeGroups.get compute.nodeGroups.getIamPolicy compute.nodeGroups.list compute.nodeTemplates.get compute.nodeTemplates.getIamPolicy compute.nodeTemplates.list compute.nodeTypes.* compute.organizations.listAssociations compute.packetMirrorings.get compute.packetMirrorings.list compute.projects.get compute.publicAdvertisedPrefixes.get compute.publicAdvertisedPrefixes.list compute.publicDelegatedPrefixes.get compute.publicDelegatedPrefixes.list compute.regionBackendServices.get compute.regionBackendServices.getIamPolicy compute.regionBackendServices.list compute.regionFirewallPolicies.get compute.regionFirewallPolicies.getIamPolicy compute.regionFirewallPolicies.list compute.regionHealthCheckServices.get compute.regionHealthCheckServices.list compute.regionHealthChecks.get compute.regionHealthChecks.list compute.regionNetworkEndpointGroups.get compute.regionNetworkEndpointGroups.list compute.regionNotificationEndpoints.get compute.regionNotificationEndpoints.list compute.regionOperations.get compute.regionOperations.getIamPolicy compute.regionOperations.list compute.regionSslCertificates.get compute.regionSslCertificates.list compute.regionTargetHttpProxies.get compute.regionTargetHttpProxies.list compute.regionTargetHttpsProxies.get compute.regionTargetHttpsProxies.list compute.regionUrlMaps.get compute.regionUrlMaps.list compute.regionUrlMaps.validate compute.regions.* compute.reservations.get compute.reservations.list compute.resourcePolicies.get compute.resourcePolicies.list compute.routers.get compute.routers.list compute.routes.get compute.routes.list compute.securityPolicies.get compute.securityPolicies.getIamPolicy compute.securityPolicies.list compute.serviceAttachments.get compute.serviceAttachments.list compute.snapshots.get compute.snapshots.getIamPolicy compute.snapshots.list compute.snapshots.listEffectiveTags compute.snapshots.listTagBindings compute.sslCertificates.get compute.sslCertificates.list compute.sslPolicies.get compute.sslPolicies.list compute.sslPolicies.listAvailableFeatures compute.subnetworks.get compute.subnetworks.getIamPolicy compute.subnetworks.list compute.targetGrpcProxies.get compute.targetGrpcProxies.list compute.targetHttpProxies.get compute.targetHttpProxies.list compute.targetHttpsProxies.get compute.targetHttpsProxies.list compute.targetInstances.get compute.targetInstances.list compute.targetPools.get compute.targetPools.list compute.targetSslProxies.get compute.targetSslProxies.list compute.targetTcpProxies.get compute.targetTcpProxies.list compute.targetVpnGateways.get compute.targetVpnGateways.list compute.urlMaps.get compute.urlMaps.list compute.urlMaps.validate compute.vpnGateways.get compute.vpnGateways.list compute.vpnTunnels.get compute.vpnTunnels.list compute.zoneOperations.get compute.zoneOperations.getIamPolicy compute.zoneOperations.list compute.zones.* notebooks.* resourcemanager.projects.get resourcemanager.projects.list serviceusage.quotas.get serviceusage.services.get serviceusage.services.list
Notebooks Legacy Admin (`roles/notebooks.legacyAdmin`) Full access to Notebooks all resources through compute API.	compute.* notebooks.* resourcemanager.projects.get resourcemanager.projects.list serviceusage.quotas.get serviceusage.services.get serviceusage.services.list
Notebooks Legacy Viewer (`roles/notebooks.legacyViewer`) Read-only access to Notebooks all resources through compute API.	compute.acceleratorTypes.* compute.addresses.get compute.addresses.list compute.autoscalers.get compute.autoscalers.list compute.backendBuckets.get compute.backendBuckets.list compute.backendServices.get compute.backendServices.getIamPolicy compute.backendServices.list compute.commitments.get compute.commitments.list compute.diskTypes.* compute.disks.get compute.disks.getIamPolicy compute.disks.list compute.disks.listEffectiveTags compute.disks.listTagBindings compute.externalVpnGateways.get compute.externalVpnGateways.list compute.firewallPolicies.get compute.firewallPolicies.getIamPolicy compute.firewallPolicies.list compute.firewalls.get compute.firewalls.list compute.forwardingRules.get compute.forwardingRules.list compute.globalAddresses.get compute.globalAddresses.list compute.globalForwardingRules.get compute.globalForwardingRules.list compute.globalForwardingRules.pscGet compute.globalNetworkEndpointGroups.get compute.globalNetworkEndpointGroups.list compute.globalOperations.get compute.globalOperations.getIamPolicy compute.globalOperations.list compute.globalPublicDelegatedPrefixes.get compute.globalPublicDelegatedPrefixes.list compute.healthChecks.get compute.healthChecks.list compute.httpHealthChecks.get compute.httpHealthChecks.list compute.httpsHealthChecks.get compute.httpsHealthChecks.list compute.images.get compute.images.getFromFamily compute.images.getIamPolicy compute.images.list compute.images.listEffectiveTags compute.images.listTagBindings compute.instanceGroupManagers.get compute.instanceGroupManagers.list compute.instanceGroups.get compute.instanceGroups.list compute.instanceTemplates.get compute.instanceTemplates.getIamPolicy compute.instanceTemplates.list compute.instances.get compute.instances.getEffectiveFirewalls compute.instances.getGuestAttributes compute.instances.getIamPolicy compute.instances.getScreenshot compute.instances.getSerialPortOutput compute.instances.getShieldedInstanceIdentity compute.instances.getShieldedVmIdentity compute.instances.list compute.instances.listEffectiveTags compute.instances.listReferrers compute.instances.listTagBindings compute.interconnectAttachments.get compute.interconnectAttachments.list compute.interconnectLocations.* compute.interconnects.get compute.interconnects.list compute.licenseCodes.get compute.licenseCodes.getIamPolicy compute.licenseCodes.list compute.licenses.get compute.licenses.getIamPolicy compute.licenses.list compute.machineImages.get compute.machineImages.getIamPolicy compute.machineImages.list compute.machineTypes.* compute.maintenancePolicies.get compute.maintenancePolicies.getIamPolicy compute.maintenancePolicies.list compute.networkEndpointGroups.get compute.networkEndpointGroups.getIamPolicy compute.networkEndpointGroups.list compute.networks.get compute.networks.getEffectiveFirewalls compute.networks.getRegionEffectiveFirewalls compute.networks.list compute.networks.listPeeringRoutes compute.nodeGroups.get compute.nodeGroups.getIamPolicy compute.nodeGroups.list compute.nodeTemplates.get compute.nodeTemplates.getIamPolicy compute.nodeTemplates.list compute.nodeTypes.* compute.organizations.listAssociations compute.packetMirrorings.get compute.packetMirrorings.list compute.projects.get compute.publicAdvertisedPrefixes.get compute.publicAdvertisedPrefixes.list compute.publicDelegatedPrefixes.get compute.publicDelegatedPrefixes.list compute.regionBackendServices.get compute.regionBackendServices.getIamPolicy compute.regionBackendServices.list compute.regionFirewallPolicies.get compute.regionFirewallPolicies.getIamPolicy compute.regionFirewallPolicies.list compute.regionHealthCheckServices.get compute.regionHealthCheckServices.list compute.regionHealthChecks.get compute.regionHealthChecks.list compute.regionNetworkEndpointGroups.get compute.regionNetworkEndpointGroups.list compute.regionNotificationEndpoints.get compute.regionNotificationEndpoints.list compute.regionOperations.get compute.regionOperations.getIamPolicy compute.regionOperations.list compute.regionSslCertificates.get compute.regionSslCertificates.list compute.regionTargetHttpProxies.get compute.regionTargetHttpProxies.list compute.regionTargetHttpsProxies.get compute.regionTargetHttpsProxies.list compute.regionUrlMaps.get compute.regionUrlMaps.list compute.regionUrlMaps.validate compute.regions.* compute.reservations.get compute.reservations.list compute.resourcePolicies.get compute.resourcePolicies.list compute.routers.get compute.routers.list compute.routes.get compute.routes.list compute.securityPolicies.get compute.securityPolicies.getIamPolicy compute.securityPolicies.list compute.serviceAttachments.get compute.serviceAttachments.list compute.snapshots.get compute.snapshots.getIamPolicy compute.snapshots.list compute.snapshots.listEffectiveTags compute.snapshots.listTagBindings compute.sslCertificates.get compute.sslCertificates.list compute.sslPolicies.get compute.sslPolicies.list compute.sslPolicies.listAvailableFeatures compute.subnetworks.get compute.subnetworks.getIamPolicy compute.subnetworks.list compute.targetGrpcProxies.get compute.targetGrpcProxies.list compute.targetHttpProxies.get compute.targetHttpProxies.list compute.targetHttpsProxies.get compute.targetHttpsProxies.list compute.targetInstances.get compute.targetInstances.list compute.targetPools.get compute.targetPools.list compute.targetSslProxies.get compute.targetSslProxies.list compute.targetTcpProxies.get compute.targetTcpProxies.list compute.targetVpnGateways.get compute.targetVpnGateways.list compute.urlMaps.get compute.urlMaps.list compute.urlMaps.validate compute.vpnGateways.get compute.vpnGateways.list compute.vpnTunnels.get compute.vpnTunnels.list compute.zoneOperations.get compute.zoneOperations.getIamPolicy compute.zoneOperations.list compute.zones.* notebooks.environments.get notebooks.environments.getIamPolicy notebooks.environments.list notebooks.executions.get notebooks.executions.getIamPolicy notebooks.executions.list notebooks.instances.checkUpgradability notebooks.instances.get notebooks.instances.getHealth notebooks.instances.getIamPolicy notebooks.instances.list notebooks.locations.* notebooks.operations.get notebooks.operations.list notebooks.runtimes.get notebooks.runtimes.getIamPolicy notebooks.runtimes.list notebooks.schedules.get notebooks.schedules.getIamPolicy notebooks.schedules.list resourcemanager.projects.get resourcemanager.projects.list serviceusage.quotas.get serviceusage.services.get serviceusage.services.list
Notebooks Runner (`roles/notebooks.runner`) Restricted access for running scheduled Notebooks.	compute.acceleratorTypes.* compute.addresses.get compute.addresses.list compute.autoscalers.get compute.autoscalers.list compute.backendBuckets.get compute.backendBuckets.list compute.backendServices.get compute.backendServices.getIamPolicy compute.backendServices.list compute.commitments.get compute.commitments.list compute.diskTypes.* compute.disks.get compute.disks.getIamPolicy compute.disks.list compute.disks.listEffectiveTags compute.disks.listTagBindings compute.externalVpnGateways.get compute.externalVpnGateways.list compute.firewallPolicies.get compute.firewallPolicies.getIamPolicy compute.firewallPolicies.list compute.firewalls.get compute.firewalls.list compute.forwardingRules.get compute.forwardingRules.list compute.globalAddresses.get compute.globalAddresses.list compute.globalForwardingRules.get compute.globalForwardingRules.list compute.globalForwardingRules.pscGet compute.globalNetworkEndpointGroups.get compute.globalNetworkEndpointGroups.list compute.globalOperations.get compute.globalOperations.getIamPolicy compute.globalOperations.list compute.globalPublicDelegatedPrefixes.get compute.globalPublicDelegatedPrefixes.list compute.healthChecks.get compute.healthChecks.list compute.httpHealthChecks.get compute.httpHealthChecks.list compute.httpsHealthChecks.get compute.httpsHealthChecks.list compute.images.get compute.images.getFromFamily compute.images.getIamPolicy compute.images.list compute.images.listEffectiveTags compute.images.listTagBindings compute.instanceGroupManagers.get compute.instanceGroupManagers.list compute.instanceGroups.get compute.instanceGroups.list compute.instanceTemplates.get compute.instanceTemplates.getIamPolicy compute.instanceTemplates.list compute.instances.get compute.instances.getEffectiveFirewalls compute.instances.getGuestAttributes compute.instances.getIamPolicy compute.instances.getScreenshot compute.instances.getSerialPortOutput compute.instances.getShieldedInstanceIdentity compute.instances.getShieldedVmIdentity compute.instances.list compute.instances.listEffectiveTags compute.instances.listReferrers compute.instances.listTagBindings compute.interconnectAttachments.get compute.interconnectAttachments.list compute.interconnectLocations.* compute.interconnects.get compute.interconnects.list compute.licenseCodes.get compute.licenseCodes.getIamPolicy compute.licenseCodes.list compute.licenses.get compute.licenses.getIamPolicy compute.licenses.list compute.machineImages.get compute.machineImages.getIamPolicy compute.machineImages.list compute.machineTypes.* compute.maintenancePolicies.get compute.maintenancePolicies.getIamPolicy compute.maintenancePolicies.list compute.networkEndpointGroups.get compute.networkEndpointGroups.getIamPolicy compute.networkEndpointGroups.list compute.networks.get compute.networks.getEffectiveFirewalls compute.networks.getRegionEffectiveFirewalls compute.networks.list compute.networks.listPeeringRoutes compute.nodeGroups.get compute.nodeGroups.getIamPolicy compute.nodeGroups.list compute.nodeTemplates.get compute.nodeTemplates.getIamPolicy compute.nodeTemplates.list compute.nodeTypes.* compute.organizations.listAssociations compute.packetMirrorings.get compute.packetMirrorings.list compute.projects.get compute.publicAdvertisedPrefixes.get compute.publicAdvertisedPrefixes.list compute.publicDelegatedPrefixes.get compute.publicDelegatedPrefixes.list compute.regionBackendServices.get compute.regionBackendServices.getIamPolicy compute.regionBackendServices.list compute.regionFirewallPolicies.get compute.regionFirewallPolicies.getIamPolicy compute.regionFirewallPolicies.list compute.regionHealthCheckServices.get compute.regionHealthCheckServices.list compute.regionHealthChecks.get compute.regionHealthChecks.list compute.regionNetworkEndpointGroups.get compute.regionNetworkEndpointGroups.list compute.regionNotificationEndpoints.get compute.regionNotificationEndpoints.list compute.regionOperations.get compute.regionOperations.getIamPolicy compute.regionOperations.list compute.regionSslCertificates.get compute.regionSslCertificates.list compute.regionTargetHttpProxies.get compute.regionTargetHttpProxies.list compute.regionTargetHttpsProxies.get compute.regionTargetHttpsProxies.list compute.regionUrlMaps.get compute.regionUrlMaps.list compute.regionUrlMaps.validate compute.regions.* compute.reservations.get compute.reservations.list compute.resourcePolicies.get compute.resourcePolicies.list compute.routers.get compute.routers.list compute.routes.get compute.routes.list compute.securityPolicies.get compute.securityPolicies.getIamPolicy compute.securityPolicies.list compute.serviceAttachments.get compute.serviceAttachments.list compute.snapshots.get compute.snapshots.getIamPolicy compute.snapshots.list compute.snapshots.listEffectiveTags compute.snapshots.listTagBindings compute.sslCertificates.get compute.sslCertificates.list compute.sslPolicies.get compute.sslPolicies.list compute.sslPolicies.listAvailableFeatures compute.subnetworks.get compute.subnetworks.getIamPolicy compute.subnetworks.list compute.targetGrpcProxies.get compute.targetGrpcProxies.list compute.targetHttpProxies.get compute.targetHttpProxies.list compute.targetHttpsProxies.get compute.targetHttpsProxies.list compute.targetInstances.get compute.targetInstances.list compute.targetPools.get compute.targetPools.list compute.targetSslProxies.get compute.targetSslProxies.list compute.targetTcpProxies.get compute.targetTcpProxies.list compute.targetVpnGateways.get compute.targetVpnGateways.list compute.urlMaps.get compute.urlMaps.list compute.urlMaps.validate compute.vpnGateways.get compute.vpnGateways.list compute.vpnTunnels.get compute.vpnTunnels.list compute.zoneOperations.get compute.zoneOperations.getIamPolicy compute.zoneOperations.list compute.zones.* notebooks.environments.get notebooks.environments.getIamPolicy notebooks.environments.list notebooks.executions.create notebooks.executions.get notebooks.executions.getIamPolicy notebooks.executions.list notebooks.instances.checkUpgradability notebooks.instances.create notebooks.instances.get notebooks.instances.getHealth notebooks.instances.getIamPolicy notebooks.instances.list notebooks.locations.* notebooks.operations.get notebooks.operations.list notebooks.runtimes.create notebooks.runtimes.get notebooks.runtimes.getIamPolicy notebooks.runtimes.list notebooks.schedules.create notebooks.schedules.get notebooks.schedules.getIamPolicy notebooks.schedules.list resourcemanager.projects.get resourcemanager.projects.list serviceusage.quotas.get serviceusage.services.get serviceusage.services.list
Notebooks Viewer (`roles/notebooks.viewer`) Read-only access to Notebooks, all resources. Lowest-level resources where you can grant this role: Instance	compute.acceleratorTypes.* compute.addresses.get compute.addresses.list compute.autoscalers.get compute.autoscalers.list compute.backendBuckets.get compute.backendBuckets.list compute.backendServices.get compute.backendServices.getIamPolicy compute.backendServices.list compute.commitments.get compute.commitments.list compute.diskTypes.* compute.disks.get compute.disks.getIamPolicy compute.disks.list compute.disks.listEffectiveTags compute.disks.listTagBindings compute.externalVpnGateways.get compute.externalVpnGateways.list compute.firewallPolicies.get compute.firewallPolicies.getIamPolicy compute.firewallPolicies.list compute.firewalls.get compute.firewalls.list compute.forwardingRules.get compute.forwardingRules.list compute.globalAddresses.get compute.globalAddresses.list compute.globalForwardingRules.get compute.globalForwardingRules.list compute.globalForwardingRules.pscGet compute.globalNetworkEndpointGroups.get compute.globalNetworkEndpointGroups.list compute.globalOperations.get compute.globalOperations.getIamPolicy compute.globalOperations.list compute.globalPublicDelegatedPrefixes.get compute.globalPublicDelegatedPrefixes.list compute.healthChecks.get compute.healthChecks.list compute.httpHealthChecks.get compute.httpHealthChecks.list compute.httpsHealthChecks.get compute.httpsHealthChecks.list compute.images.get compute.images.getFromFamily compute.images.getIamPolicy compute.images.list compute.images.listEffectiveTags compute.images.listTagBindings compute.instanceGroupManagers.get compute.instanceGroupManagers.list compute.instanceGroups.get compute.instanceGroups.list compute.instanceTemplates.get compute.instanceTemplates.getIamPolicy compute.instanceTemplates.list compute.instances.get compute.instances.getEffectiveFirewalls compute.instances.getGuestAttributes compute.instances.getIamPolicy compute.instances.getScreenshot compute.instances.getSerialPortOutput compute.instances.getShieldedInstanceIdentity compute.instances.getShieldedVmIdentity compute.instances.list compute.instances.listEffectiveTags compute.instances.listReferrers compute.instances.listTagBindings compute.interconnectAttachments.get compute.interconnectAttachments.list compute.interconnectLocations.* compute.interconnects.get compute.interconnects.list compute.licenseCodes.get compute.licenseCodes.getIamPolicy compute.licenseCodes.list compute.licenses.get compute.licenses.getIamPolicy compute.licenses.list compute.machineImages.get compute.machineImages.getIamPolicy compute.machineImages.list compute.machineTypes.* compute.maintenancePolicies.get compute.maintenancePolicies.getIamPolicy compute.maintenancePolicies.list compute.networkEndpointGroups.get compute.networkEndpointGroups.getIamPolicy compute.networkEndpointGroups.list compute.networks.get compute.networks.getEffectiveFirewalls compute.networks.getRegionEffectiveFirewalls compute.networks.list compute.networks.listPeeringRoutes compute.nodeGroups.get compute.nodeGroups.getIamPolicy compute.nodeGroups.list compute.nodeTemplates.get compute.nodeTemplates.getIamPolicy compute.nodeTemplates.list compute.nodeTypes.* compute.organizations.listAssociations compute.packetMirrorings.get compute.packetMirrorings.list compute.projects.get compute.publicAdvertisedPrefixes.get compute.publicAdvertisedPrefixes.list compute.publicDelegatedPrefixes.get compute.publicDelegatedPrefixes.list compute.regionBackendServices.get compute.regionBackendServices.getIamPolicy compute.regionBackendServices.list compute.regionFirewallPolicies.get compute.regionFirewallPolicies.getIamPolicy compute.regionFirewallPolicies.list compute.regionHealthCheckServices.get compute.regionHealthCheckServices.list compute.regionHealthChecks.get compute.regionHealthChecks.list compute.regionNetworkEndpointGroups.get compute.regionNetworkEndpointGroups.list compute.regionNotificationEndpoints.get compute.regionNotificationEndpoints.list compute.regionOperations.get compute.regionOperations.getIamPolicy compute.regionOperations.list compute.regionSslCertificates.get compute.regionSslCertificates.list compute.regionTargetHttpProxies.get compute.regionTargetHttpProxies.list compute.regionTargetHttpsProxies.get compute.regionTargetHttpsProxies.list compute.regionUrlMaps.get compute.regionUrlMaps.list compute.regionUrlMaps.validate compute.regions.* compute.reservations.get compute.reservations.list compute.resourcePolicies.get compute.resourcePolicies.list compute.routers.get compute.routers.list compute.routes.get compute.routes.list compute.securityPolicies.get compute.securityPolicies.getIamPolicy compute.securityPolicies.list compute.serviceAttachments.get compute.serviceAttachments.list compute.snapshots.get compute.snapshots.getIamPolicy compute.snapshots.list compute.snapshots.listEffectiveTags compute.snapshots.listTagBindings compute.sslCertificates.get compute.sslCertificates.list compute.sslPolicies.get compute.sslPolicies.list compute.sslPolicies.listAvailableFeatures compute.subnetworks.get compute.subnetworks.getIamPolicy compute.subnetworks.list compute.targetGrpcProxies.get compute.targetGrpcProxies.list compute.targetHttpProxies.get compute.targetHttpProxies.list compute.targetHttpsProxies.get compute.targetHttpsProxies.list compute.targetInstances.get compute.targetInstances.list compute.targetPools.get compute.targetPools.list compute.targetSslProxies.get compute.targetSslProxies.list compute.targetTcpProxies.get compute.targetTcpProxies.list compute.targetVpnGateways.get compute.targetVpnGateways.list compute.urlMaps.get compute.urlMaps.list compute.urlMaps.validate compute.vpnGateways.get compute.vpnGateways.list compute.vpnTunnels.get compute.vpnTunnels.list compute.zoneOperations.get compute.zoneOperations.getIamPolicy compute.zoneOperations.list compute.zones.* notebooks.environments.get notebooks.environments.getIamPolicy notebooks.environments.list notebooks.executions.get notebooks.executions.getIamPolicy notebooks.executions.list notebooks.instances.checkUpgradability notebooks.instances.get notebooks.instances.getHealth notebooks.instances.getIamPolicy notebooks.instances.list notebooks.locations.* notebooks.operations.get notebooks.operations.list notebooks.runtimes.get notebooks.runtimes.getIamPolicy notebooks.runtimes.list notebooks.schedules.get notebooks.schedules.getIamPolicy notebooks.schedules.list resourcemanager.projects.get resourcemanager.projects.list serviceusage.quotas.get serviceusage.services.get serviceusage.services.list

AI Platform roles

Role	Permissions
AI Platform Admin (`roles/ml.admin`) Provides full access to AI Platform resources, and its jobs, operations, models, and versions. Lowest-level resources where you can grant this role: Project	ml.* resourcemanager.projects.get
AI Platform Developer (`roles/ml.developer`) Provides ability to use AI Platform resources for creating models, versions, jobs for training and prediction, and sending online prediction requests. Lowest-level resources where you can grant this role: Project	ml.jobs.create ml.jobs.get ml.jobs.getIamPolicy ml.jobs.list ml.locations.* ml.models.create ml.models.get ml.models.getIamPolicy ml.models.list ml.models.predict ml.operations.get ml.operations.list ml.projects.getConfig ml.studies.* ml.trials.* ml.versions.get ml.versions.list ml.versions.predict resourcemanager.projects.get
AI Platform Job Owner (`roles/ml.jobOwner`) Provides full access to all permissions for a particular job resource. This role is automatically granted to the user who creates the job. Lowest-level resources where you can grant this role: Job	ml.jobs.*
AI Platform Model Owner (`roles/ml.modelOwner`) Provides full access to the model and its versions. This role is automatically granted to the user who creates the model. Lowest-level resources where you can grant this role: Model	ml.models.* ml.versions.*
AI Platform Model User (`roles/ml.modelUser`) Provides permissions to read the model and its versions, and use them for prediction. Lowest-level resources where you can grant this role: Model	ml.models.get ml.models.predict ml.versions.get ml.versions.list ml.versions.predict
AI Platform Operation Owner (`roles/ml.operationOwner`) Provides full access to all permissions for a particular operation resource. Lowest-level resources where you can grant this role: Operation	ml.operations.*
AI Platform Viewer (`roles/ml.viewer`) Provides read-only access to AI Platform resources. Lowest-level resources where you can grant this role: Project	ml.jobs.get ml.jobs.list ml.locations.* ml.models.get ml.models.list ml.operations.get ml.operations.list ml.projects.getConfig ml.studies.get ml.studies.getIamPolicy ml.studies.list ml.trials.get ml.trials.list ml.versions.get ml.versions.list resourcemanager.projects.get

Analytics Hub roles

Role	Permissions
Analytics Hub Admin ^Beta (`roles/analyticshub.admin`) Administer Data Exchanges and Listings	analyticshub.dataExchanges.* analyticshub.listings.create analyticshub.listings.delete analyticshub.listings.get analyticshub.listings.getIamPolicy analyticshub.listings.list analyticshub.listings.setIamPolicy analyticshub.listings.update resourcemanager.projects.get resourcemanager.projects.list
Analytics Hub Listing Admin ^Beta (`roles/analyticshub.listingAdmin`) Grants full control over the Listing, including updating, deleting and setting ACLs	analyticshub.dataExchanges.get analyticshub.dataExchanges.getIamPolicy analyticshub.dataExchanges.list analyticshub.listings.delete analyticshub.listings.get analyticshub.listings.getIamPolicy analyticshub.listings.list analyticshub.listings.setIamPolicy analyticshub.listings.update resourcemanager.projects.get resourcemanager.projects.list
Analytics Hub Publisher ^Beta (`roles/analyticshub.publisher`) Can publish to Data Exchanges thus creating Listings	analyticshub.dataExchanges.get analyticshub.dataExchanges.getIamPolicy analyticshub.dataExchanges.list analyticshub.listings.create analyticshub.listings.get analyticshub.listings.getIamPolicy analyticshub.listings.list resourcemanager.projects.get resourcemanager.projects.list
Analytics Hub Subscriber ^Beta (`roles/analyticshub.subscriber`) Can browse Data Exchanges and subscribe to Listings	analyticshub.dataExchanges.get analyticshub.dataExchanges.getIamPolicy analyticshub.dataExchanges.list analyticshub.listings.get analyticshub.listings.getIamPolicy analyticshub.listings.list analyticshub.listings.subscribe resourcemanager.projects.get resourcemanager.projects.list
Analytics Hub Viewer ^Beta (`roles/analyticshub.viewer`) Can browse Data Exchanges and Listings	analyticshub.dataExchanges.get analyticshub.dataExchanges.getIamPolicy analyticshub.dataExchanges.list analyticshub.listings.get analyticshub.listings.getIamPolicy analyticshub.listings.list resourcemanager.projects.get resourcemanager.projects.list

Android Management roles

Role	Permissions
Android Management User (`roles/androidmanagement.user`) Full access to manage devices.	androidmanagement.enterprises.manage serviceusage.quotas.get serviceusage.services.get serviceusage.services.list

Anthos Multi-cloud roles

Role	Permissions
Anthos Multi-cloud Admin (`roles/gkemulticloud.admin`) Admin access to Anthos Multi-cloud resources.	gkemulticloud.* resourcemanager.projects.get resourcemanager.projects.list
Anthos Multi-cloud Telemetry Writer (`roles/gkemulticloud.telemetryWriter`) Grant access to write cluster telemetry data such as logs, metrics, and resource metadata.	logging.logEntries.create monitoring.metricDescriptors.create monitoring.metricDescriptors.get monitoring.metricDescriptors.list monitoring.monitoredResourceDescriptors.* monitoring.timeSeries.create opsconfigmonitoring.resourceMetadata.write
Anthos Multi-cloud Viewer (`roles/gkemulticloud.viewer`) Viewer access to Anthos Multi-cloud resources.	gkemulticloud.awsClusters.generateAccessToken gkemulticloud.awsClusters.get gkemulticloud.awsClusters.list gkemulticloud.awsNodePools.get gkemulticloud.awsNodePools.list gkemulticloud.awsServerConfigs.get gkemulticloud.azureClients.get gkemulticloud.azureClients.list gkemulticloud.azureClusters.generateAccessToken gkemulticloud.azureClusters.get gkemulticloud.azureClusters.list gkemulticloud.azureNodePools.get gkemulticloud.azureNodePools.list gkemulticloud.azureServerConfigs.get gkemulticloud.operations.get gkemulticloud.operations.list gkemulticloud.operations.wait resourcemanager.projects.get resourcemanager.projects.list

API Gateway roles

Role Permissions

Role	Permissions
ApiGateway Admin (`roles/apigateway.admin`) Full access to ApiGateway and related resources.	apigateway.* monitoring.metricDescriptors.list monitoring.monitoredResourceDescriptors.get monitoring.timeSeries.list resourcemanager.projects.get resourcemanager.projects.list servicemanagement.services.get serviceusage.services.list
ApiGateway Viewer (`roles/apigateway.viewer`) Read-only access to ApiGateway and related resources.	apigateway.apiconfigs.get apigateway.apiconfigs.getIamPolicy apigateway.apiconfigs.list apigateway.apis.get apigateway.apis.getIamPolicy apigateway.apis.list apigateway.gateways.get apigateway.gateways.getIamPolicy apigateway.gateways.list apigateway.locations.* apigateway.operations.get apigateway.operations.list monitoring.metricDescriptors.list monitoring.monitoredResourceDescriptors.get monitoring.timeSeries.list resourcemanager.projects.get resourcemanager.projects.list servicemanagement.services.get serviceusage.services.list

ApiGateway Admin
(roles/apigateway.admin)

Full access to ApiGateway and related resources.

apigateway.*
monitoring.metricDescriptors.list
monitoring.monitoredResourceDescriptors.get
monitoring.timeSeries.list
resourcemanager.projects.get
resourcemanager.projects.list
servicemanagement.services.get
serviceusage.services.list

ApiGateway Viewer
(roles/apigateway.viewer)

Read-only access to ApiGateway and related resources.

apigateway.apiconfigs.get
apigateway.apiconfigs.getIamPolicy
apigateway.apiconfigs.list
apigateway.apis.get
apigateway.apis.getIamPolicy
apigateway.apis.list
apigateway.gateways.get
apigateway.gateways.getIamPolicy
apigateway.gateways.list
apigateway.locations.*
apigateway.operations.get
apigateway.operations.list
monitoring.metricDescriptors.list
monitoring.monitoredResourceDescriptors.get
monitoring.timeSeries.list
resourcemanager.projects.get
resourcemanager.projects.list
servicemanagement.services.get
serviceusage.services.list

Apigee roles

Role	Permissions
Apigee Organization Admin (`roles/apigee.admin`) Full access to all apigee resource features	apigee.* monitoring.timeSeries.list resourcemanager.projects.get resourcemanager.projects.getIamPolicy resourcemanager.projects.list
Apigee Analytics Agent (`roles/apigee.analyticsAgent`) Curated set of permissions for Apigee Universal Data Collection Agent to manage analytics for an Apigee Organization	apigee.datalocation.get apigee.environments.getDataLocation apigee.runtimeconfigs.get
Apigee Analytics Editor (`roles/apigee.analyticsEditor`) Analytics editor for an Apigee Organization	apigee.datacollectors.* apigee.datastores.* apigee.envgroupattachments.get apigee.envgroupattachments.list apigee.envgroups.get apigee.envgroups.list apigee.environments.get apigee.environments.getStats apigee.environments.list apigee.exports.* apigee.hostqueries.* apigee.hoststats.get apigee.organizations.get apigee.organizations.list apigee.queries.* apigee.reports.* resourcemanager.projects.get resourcemanager.projects.list
Apigee Analytics Viewer (`roles/apigee.analyticsViewer`) Analytics viewer for an Apigee Organization	apigee.datacollectors.get apigee.datacollectors.list apigee.datastores.get apigee.datastores.list apigee.envgroupattachments.get apigee.envgroupattachments.list apigee.envgroups.get apigee.envgroups.list apigee.environments.get apigee.environments.getStats apigee.environments.list apigee.exports.get apigee.exports.list apigee.hostqueries.get apigee.hostqueries.list apigee.hoststats.get apigee.organizations.get apigee.organizations.list apigee.queries.get apigee.queries.list apigee.reports.get apigee.reports.list resourcemanager.projects.get resourcemanager.projects.list
Apigee API Admin (`roles/apigee.apiAdminV2`) Full read/write access to all apigee API resources	apigee.apiproductattributes.* apigee.apiproducts.* apigee.envgroupattachments.get apigee.envgroupattachments.list apigee.envgroups.get apigee.envgroups.list apigee.environments.get apigee.environments.getStats apigee.environments.list apigee.keyvaluemapentries.* apigee.keyvaluemaps.* apigee.organizations.get apigee.organizations.list apigee.proxies.* apigee.proxyrevisions.* apigee.sharedflowrevisions.* apigee.sharedflows.* resourcemanager.projects.get resourcemanager.projects.list
Apigee API Reader (`roles/apigee.apiReaderV2`) Reader of apigee resources	apigee.apiproductattributes.get apigee.apiproductattributes.list apigee.apiproducts.get apigee.apiproducts.list apigee.envgroupattachments.get apigee.envgroupattachments.list apigee.envgroups.get apigee.envgroups.list apigee.environments.get apigee.environments.getStats apigee.environments.list apigee.keyvaluemapentries.get apigee.keyvaluemapentries.list apigee.keyvaluemaps.list apigee.organizations.get apigee.organizations.list apigee.proxies.get apigee.proxies.list apigee.proxyrevisions.deploy apigee.proxyrevisions.get apigee.proxyrevisions.list apigee.proxyrevisions.undeploy apigee.sharedflowrevisions.deploy apigee.sharedflowrevisions.get apigee.sharedflowrevisions.list apigee.sharedflowrevisions.undeploy apigee.sharedflows.get apigee.sharedflows.list resourcemanager.projects.get resourcemanager.projects.list
Apigee Developer Admin (`roles/apigee.developerAdmin`) Developer admin of apigee resources	apigee.apiproductattributes.get apigee.apiproductattributes.list apigee.apiproducts.get apigee.apiproducts.list apigee.appkeys.* apigee.apps.* apigee.datacollectors.* apigee.developerappattributes.* apigee.developerapps.* apigee.developerattributes.* apigee.developerbalances.* apigee.developermonetizationconfigs.* apigee.developers.* apigee.developersubscriptions.* apigee.environments.get apigee.environments.getStats apigee.hoststats.get apigee.organizations.get apigee.organizations.list apigee.rateplans.get apigee.rateplans.list resourcemanager.projects.get resourcemanager.projects.getIamPolicy resourcemanager.projects.list
Apigee Environment Admin (`roles/apigee.environmentAdmin`) Full read/write access to apigee environment resources, including deployments.	apigee.archivedeployments.* apigee.datacollectors.get apigee.datacollectors.list apigee.deployments.* apigee.envgroupattachments.get apigee.envgroupattachments.list apigee.envgroups.get apigee.envgroups.list apigee.environments.get apigee.environments.getIamPolicy apigee.environments.getStats apigee.environments.list apigee.environments.setIamPolicy apigee.environments.update apigee.flowhooks.* apigee.ingressconfigs.get apigee.keystorealiases.* apigee.keystores.* apigee.keyvaluemaps.* apigee.maskconfigs.* apigee.organizations.get apigee.organizations.list apigee.proxies.get apigee.proxies.list apigee.proxyrevisions.deploy apigee.proxyrevisions.get apigee.proxyrevisions.list apigee.proxyrevisions.undeploy apigee.references.* apigee.resourcefiles.* apigee.sharedflowrevisions.deploy apigee.sharedflowrevisions.get apigee.sharedflowrevisions.list apigee.sharedflowrevisions.undeploy apigee.sharedflows.get apigee.sharedflows.list apigee.targetservers.* apigee.tracesessions.* resourcemanager.projects.get resourcemanager.projects.getIamPolicy resourcemanager.projects.list
Apigee Monetization Admin (`roles/apigee.monetizationAdmin`) All permissions related to monetization	apigee.apiproducts.get apigee.apiproducts.list apigee.developerbalances.* apigee.developermonetizationconfigs.* apigee.developersubscriptions.* apigee.organizations.get apigee.organizations.list apigee.rateplans.* resourcemanager.projects.get resourcemanager.projects.list
Apigee Portal Admin (`roles/apigee.portalAdmin`) Portal admin for an Apigee Organization	apigee.organizations.get apigee.organizations.list apigee.portals.* resourcemanager.projects.get resourcemanager.projects.list
Apigee Read-only Admin (`roles/apigee.readOnlyAdmin`) Viewer of all apigee resources	apigee.apiproductattributes.get apigee.apiproductattributes.list apigee.apiproducts.get apigee.apiproducts.list apigee.appkeys.get apigee.apps.* apigee.archivedeployments.download apigee.archivedeployments.get apigee.archivedeployments.list apigee.caches.list apigee.canaryevaluations.get apigee.datacollectors.get apigee.datacollectors.list apigee.datalocation.get apigee.datastores.get apigee.datastores.list apigee.deployments.get apigee.deployments.list apigee.developerappattributes.get apigee.developerappattributes.list apigee.developerapps.get apigee.developerapps.list apigee.developerattributes.get apigee.developerattributes.list apigee.developerbalances.get apigee.developermonetizationconfigs.get apigee.developers.get apigee.developers.list apigee.developersubscriptions.get apigee.developersubscriptions.list apigee.envgroupattachments.get apigee.envgroupattachments.list apigee.envgroups.get apigee.envgroups.list apigee.environments.get apigee.environments.getDataLocation apigee.environments.getIamPolicy apigee.environments.getStats apigee.environments.list apigee.exports.get apigee.exports.list apigee.flowhooks.getSharedFlow apigee.flowhooks.list apigee.hostqueries.get apigee.hostqueries.list apigee.hostsecurityreports.get apigee.hostsecurityreports.list apigee.hoststats.get apigee.ingressconfigs.get apigee.instanceattachments.get apigee.instanceattachments.list apigee.instances.get apigee.instances.list apigee.keystorealiases.get apigee.keystorealiases.list apigee.keystores.get apigee.keystores.list apigee.keyvaluemapentries.get apigee.keyvaluemapentries.list apigee.keyvaluemaps.list apigee.maskconfigs.get apigee.operations.* apigee.organizations.get apigee.organizations.list apigee.portals.get apigee.portals.list apigee.proxies.get apigee.proxies.list apigee.proxyrevisions.get apigee.proxyrevisions.list apigee.queries.get apigee.queries.list apigee.rateplans.get apigee.rateplans.list apigee.references.get apigee.references.list apigee.reports.get apigee.reports.list apigee.resourcefiles.get apigee.resourcefiles.list apigee.runtimeconfigs.get apigee.securityProfileEnvironments.computeScore apigee.securityProfiles.* apigee.securityStats.* apigee.securityreports.get apigee.securityreports.list apigee.sharedflowrevisions.get apigee.sharedflowrevisions.list apigee.sharedflows.get apigee.sharedflows.list apigee.targetservers.get apigee.targetservers.list apigee.tracesessions.get apigee.tracesessions.list monitoring.timeSeries.list resourcemanager.projects.get resourcemanager.projects.getIamPolicy resourcemanager.projects.list
Apigee Runtime Agent (`roles/apigee.runtimeAgent`) Curated set of permissions for a runtime agent to access Apigee Organization resources	apigee.canaryevaluations.* apigee.ingressconfigs.get apigee.instances.reportStatus apigee.operations.* apigee.organizations.get apigee.runtimeconfigs.get
Apigee Security Admin (`roles/apigee.securityAdmin`) Security admin for an Apigee Organization	apigee.envgroupattachments.get apigee.envgroupattachments.list apigee.envgroups.get apigee.envgroups.list apigee.environments.get apigee.environments.list apigee.hostsecurityreports.* apigee.organizations.get apigee.organizations.list apigee.securityProfileEnvironments.* apigee.securityProfiles.* apigee.securityStats.* apigee.securityreports.* resourcemanager.projects.get resourcemanager.projects.list
Apigee Security Viewer (`roles/apigee.securityViewer`) Security viewer for an Apigee Organization	apigee.envgroupattachments.get apigee.envgroupattachments.list apigee.envgroups.get apigee.envgroups.list apigee.environments.get apigee.environments.list apigee.hostsecurityreports.get apigee.hostsecurityreports.list apigee.organizations.get apigee.organizations.list apigee.securityProfileEnvironments.computeScore apigee.securityProfiles.* apigee.securityStats.* apigee.securityreports.get apigee.securityreports.list resourcemanager.projects.get resourcemanager.projects.list
Apigee Synchronizer Manager (`roles/apigee.synchronizerManager`) Curated set of permissions for a Synchronizer to manage environments in an Apigee Organization	apigee.environments.get apigee.environments.manageRuntime apigee.ingressconfigs.get
Apigee Connect Admin (`roles/apigeeconnect.Admin`) Admin of Apigee Connect	apigeeconnect.connections.list
Apigee Connect Agent (`roles/apigeeconnect.Agent`) Ability to set up Apigee Connect agent between external clusters and Google.	apigeeconnect.endpoints.connect

Apigee Registry roles

Role	Permissions
Cloud Apigee Registry Admin ^Beta (`roles/apigeeregistry.admin`) Full access to Cloud Apigee Registry Registry and Runtime resources.	apigeeregistry.* resourcemanager.projects.get resourcemanager.projects.list
Cloud Apigee Registry Editor ^Beta (`roles/apigeeregistry.editor`) Edit access to Cloud Apigee Registry Registry resources.	apigeeregistry.apis.create apigeeregistry.apis.delete apigeeregistry.apis.get apigeeregistry.apis.getIamPolicy apigeeregistry.apis.list apigeeregistry.apis.update apigeeregistry.artifacts.create apigeeregistry.artifacts.delete apigeeregistry.artifacts.get apigeeregistry.artifacts.getIamPolicy apigeeregistry.artifacts.list apigeeregistry.artifacts.update apigeeregistry.deployments.* apigeeregistry.specs.create apigeeregistry.specs.delete apigeeregistry.specs.get apigeeregistry.specs.getIamPolicy apigeeregistry.specs.list apigeeregistry.specs.update apigeeregistry.versions.create apigeeregistry.versions.delete apigeeregistry.versions.get apigeeregistry.versions.getIamPolicy apigeeregistry.versions.list apigeeregistry.versions.update resourcemanager.projects.get resourcemanager.projects.list
Cloud Apigee Registry Viewer ^Beta (`roles/apigeeregistry.viewer`) Read-only access to Cloud Apigee Registry Registry resources.	apigeeregistry.apis.get apigeeregistry.apis.list apigeeregistry.artifacts.get apigeeregistry.artifacts.list apigeeregistry.deployments.get apigeeregistry.deployments.list apigeeregistry.specs.get apigeeregistry.specs.list apigeeregistry.versions.get apigeeregistry.versions.list resourcemanager.projects.get resourcemanager.projects.list
Cloud Apigee Registry Worker ^Beta (`roles/apigeeregistry.worker`) The role used by Apigee Registry application workers to read and update Apigee Registry Artifacts.	apigeeregistry.apis.get apigeeregistry.apis.list apigeeregistry.apis.update apigeeregistry.artifacts.create apigeeregistry.artifacts.delete apigeeregistry.artifacts.get apigeeregistry.artifacts.list apigeeregistry.artifacts.update apigeeregistry.deployments.get apigeeregistry.deployments.list apigeeregistry.deployments.update apigeeregistry.specs.get apigeeregistry.specs.list apigeeregistry.specs.update apigeeregistry.versions.get apigeeregistry.versions.list apigeeregistry.versions.update resourcemanager.projects.get resourcemanager.projects.list

App Engine roles

Role	Permissions
App Engine Admin (`roles/appengine.appAdmin`) Read/Write/Modify access to all application configuration and settings. To deploy new versions, a principal must have the Service Account User (`roles/iam.serviceAccountUser`) role on the App Engine default service account, and the Cloud Build Editor (`roles/cloudbuild.builds.editor`) and Cloud Storage Object Admin (`roles/storage.objectAdmin`) roles on the project. Lowest-level resources where you can grant this role: Project	appengine.applications.get appengine.applications.update appengine.instances.* appengine.memcache.addKey appengine.memcache.flush appengine.memcache.get appengine.memcache.update appengine.operations.* appengine.runtimes.actAsAdmin appengine.services.* appengine.versions.create appengine.versions.delete appengine.versions.get appengine.versions.list appengine.versions.update resourcemanager.projects.get resourcemanager.projects.list
App Engine Creator (`roles/appengine.appCreator`) Ability to create the App Engine resource for the project. Lowest-level resources where you can grant this role: Project	appengine.applications.create resourcemanager.projects.get resourcemanager.projects.list
App Engine Viewer (`roles/appengine.appViewer`) Read-only access to all application configuration and settings. Lowest-level resources where you can grant this role: Project	appengine.applications.get appengine.instances.get appengine.instances.list appengine.operations.* appengine.services.get appengine.services.list appengine.versions.get appengine.versions.list resourcemanager.projects.get resourcemanager.projects.list
App Engine Code Viewer (`roles/appengine.codeViewer`) Read-only access to all application configuration, settings, and deployed source code. Lowest-level resources where you can grant this role: Project	appengine.applications.get appengine.instances.get appengine.instances.list appengine.operations.* appengine.services.get appengine.services.list appengine.versions.get appengine.versions.getFileContents appengine.versions.list resourcemanager.projects.get resourcemanager.projects.list
App Engine Deployer (`roles/appengine.deployer`) Read-only access to all application configuration and settings. To deploy new versions, you must also have the Service Account User (`roles/iam.serviceAccountUser`) role on the App Engine default service account, and the Cloud Build Editor (`roles/cloudbuild.builds.editor`) and Cloud Storage Object Admin (`roles/storage.objectAdmin`) roles on the project. Cannot modify existing versions other than deleting versions that are not receiving traffic. Lowest-level resources where you can grant this role: Project	appengine.applications.get appengine.instances.get appengine.instances.list appengine.operations.* appengine.services.get appengine.services.list appengine.versions.create appengine.versions.delete appengine.versions.get appengine.versions.list resourcemanager.projects.get resourcemanager.projects.list
App Engine Service Admin (`roles/appengine.serviceAdmin`) Read-only access to all application configuration and settings. Write access to module-level and version-level settings. Cannot deploy a new version. Lowest-level resources where you can grant this role: Project	appengine.applications.get appengine.instances.* appengine.operations.* appengine.services.* appengine.versions.delete appengine.versions.get appengine.versions.list appengine.versions.update resourcemanager.projects.get resourcemanager.projects.list

Artifact Registry roles

Role	Permissions
Artifact Registry Administrator (`roles/artifactregistry.admin`) Administrator access to create and manage repositories.	artifactregistry.*
Artifact Registry Reader (`roles/artifactregistry.reader`) Access to read repository items.	artifactregistry.dockerimages.* artifactregistry.files.* artifactregistry.locations.* artifactregistry.mavenartifacts.* artifactregistry.npmpackages.* artifactregistry.packages.get artifactregistry.packages.list artifactregistry.pythonpackages.* artifactregistry.repositories.downloadArtifacts artifactregistry.repositories.get artifactregistry.repositories.list artifactregistry.repositories.listEffectiveTags artifactregistry.repositories.listTagBindings artifactregistry.tags.get artifactregistry.tags.list artifactregistry.versions.get artifactregistry.versions.list
Artifact Registry Repository Administrator (`roles/artifactregistry.repoAdmin`) Access to manage artifacts in repositories.	artifactregistry.aptartifacts.create artifactregistry.dockerimages.* artifactregistry.files.* artifactregistry.locations.* artifactregistry.mavenartifacts.* artifactregistry.npmpackages.* artifactregistry.packages.* artifactregistry.pythonpackages.* artifactregistry.repositories.deleteArtifacts artifactregistry.repositories.downloadArtifacts artifactregistry.repositories.get artifactregistry.repositories.list artifactregistry.repositories.listEffectiveTags artifactregistry.repositories.listTagBindings artifactregistry.repositories.uploadArtifacts artifactregistry.tags.* artifactregistry.versions.* artifactregistry.yumartifacts.create
Artifact Registry Writer (`roles/artifactregistry.writer`) Access to read and write repository items.	artifactregistry.aptartifacts.create artifactregistry.dockerimages.* artifactregistry.files.* artifactregistry.locations.* artifactregistry.mavenartifacts.* artifactregistry.npmpackages.* artifactregistry.packages.get artifactregistry.packages.list artifactregistry.pythonpackages.* artifactregistry.repositories.downloadArtifacts artifactregistry.repositories.get artifactregistry.repositories.list artifactregistry.repositories.listEffectiveTags artifactregistry.repositories.listTagBindings artifactregistry.repositories.uploadArtifacts artifactregistry.tags.create artifactregistry.tags.get artifactregistry.tags.list artifactregistry.tags.update artifactregistry.versions.get artifactregistry.versions.list artifactregistry.yumartifacts.create

Assured Workloads roles

Role	Permissions
Assured Workloads Administrator (`roles/assuredworkloads.admin`) Grants full access to Assured Workloads resources, CRM resources - project/folder and Organization Policy administration	assuredworkloads.* logging.cmekSettings.update orgpolicy.policy.* resourcemanager.folders.create resourcemanager.folders.get resourcemanager.folders.list resourcemanager.organizations.get resourcemanager.projects.create resourcemanager.projects.get resourcemanager.projects.list
Assured Workloads Editor (`roles/assuredworkloads.editor`) Grants read, write access to Assured Workloads resources, CRM resources - project/folder and Organization Policy administration	assuredworkloads.* orgpolicy.policy.* resourcemanager.folders.create resourcemanager.folders.get resourcemanager.folders.list resourcemanager.organizations.get resourcemanager.projects.create resourcemanager.projects.get resourcemanager.projects.list
Assured Workloads Reader (`roles/assuredworkloads.reader`) Grants read access to all Assured Workloads resources and CRM resources - project/folder	assuredworkloads.operations.* assuredworkloads.violations.* assuredworkloads.workload.get assuredworkloads.workload.list resourcemanager.folders.get resourcemanager.folders.list resourcemanager.organizations.get resourcemanager.projects.get resourcemanager.projects.list

AutoML roles

Role	Permissions
AutoML Admin ^Beta (`roles/automl.admin`) Full access to all AutoML resources Lowest-level resources where you can grant this role: Dataset Model	automl.* resourcemanager.projects.get resourcemanager.projects.list serviceusage.services.list
AutoML Editor ^Beta (`roles/automl.editor`) Editor of all AutoML resources Lowest-level resources where you can grant this role: Dataset Model	automl.annotationSpecs.* automl.annotations.* automl.columnSpecs.* automl.datasets.create automl.datasets.delete automl.datasets.export automl.datasets.get automl.datasets.import automl.datasets.list automl.datasets.update automl.examples.* automl.files.* automl.humanAnnotationTasks.* automl.locations.get automl.locations.list automl.modelEvaluations.* automl.models.create automl.models.delete automl.models.deploy automl.models.export automl.models.get automl.models.list automl.models.predict automl.models.undeploy automl.operations.* automl.tableSpecs.* resourcemanager.projects.get resourcemanager.projects.list serviceusage.services.list
AutoML Predictor ^Beta (`roles/automl.predictor`) Predict using models Lowest-level resources where you can grant this role: Model	automl.models.predict resourcemanager.projects.get resourcemanager.projects.list
AutoML Viewer ^Beta (`roles/automl.viewer`) Viewer of all AutoML resources Lowest-level resources where you can grant this role: Dataset Model	automl.annotationSpecs.get automl.annotationSpecs.list automl.annotations.list automl.columnSpecs.get automl.columnSpecs.list automl.datasets.get automl.datasets.list automl.examples.get automl.examples.list automl.files.list automl.humanAnnotationTasks.get automl.humanAnnotationTasks.list automl.locations.get automl.locations.list automl.modelEvaluations.get automl.modelEvaluations.list automl.models.get automl.models.list automl.operations.get automl.operations.list automl.tableSpecs.get automl.tableSpecs.list resourcemanager.projects.get resourcemanager.projects.list serviceusage.services.list

Backup for GKE roles

Role	Permissions
Backup for GKE Admin ^Beta (`roles/gkebackup.admin`) Full access to all Backup for GKE resources.	gkebackup.* resourcemanager.projects.get resourcemanager.projects.list
Backup for GKE Backup Admin ^Beta (`roles/gkebackup.backupAdmin`) Allows administrators to manage all BackupPlan and Backup resources.	gkebackup.backupPlans.* gkebackup.backups.* gkebackup.locations.* gkebackup.operations.get gkebackup.operations.list gkebackup.volumeBackups.* resourcemanager.projects.get resourcemanager.projects.list
Backup for GKE Delegated Backup Admin ^Beta (`roles/gkebackup.delegatedBackupAdmin`) Allows administrators to manage Backup resources for specific BackupPlans	gkebackup.backupPlans.get gkebackup.backups.* gkebackup.volumeBackups.*
Backup for GKE Delegated Restore Admin ^Beta (`roles/gkebackup.delegatedRestoreAdmin`) Allows administrators to manage Restore resources for specific RestorePlans	gkebackup.restorePlans.get gkebackup.restores.* gkebackup.volumeRestores.*
Backup for GKE Restore Admin ^Beta (`roles/gkebackup.restoreAdmin`) Allows administrators to manage all RestorePlan and Restore resources.	gkebackup.backupPlans.get gkebackup.backupPlans.list gkebackup.backups.get gkebackup.backups.list gkebackup.locations.* gkebackup.operations.get gkebackup.operations.list gkebackup.restorePlans.* gkebackup.restores.* gkebackup.volumeBackups.* gkebackup.volumeRestores.* resourcemanager.projects.get resourcemanager.projects.list
Backup for GKE Viewer ^Beta (`roles/gkebackup.viewer`) Read-only access to all Backup for GKE resources.	gkebackup.backupPlans.get gkebackup.backupPlans.getIamPolicy gkebackup.backupPlans.list gkebackup.backups.get gkebackup.backups.list gkebackup.locations.* gkebackup.operations.get gkebackup.operations.list gkebackup.restorePlans.get gkebackup.restorePlans.getIamPolicy gkebackup.restorePlans.list gkebackup.restores.get gkebackup.restores.list gkebackup.volumeBackups.* gkebackup.volumeRestores.* resourcemanager.projects.get resourcemanager.projects.list

BigQuery roles

Role	Permissions
BigQuery Admin (`roles/bigquery.admin`) Provides permissions to manage all resources within the project. Can manage all data within the project, and can cancel jobs from other users running within the project. Lowest-level resources where you can grant this role: Datasets Row access policies Tables Views	bigquery.bireservations.* bigquery.capacityCommitments.* bigquery.config.* bigquery.connections.* bigquery.dataPolicies.create bigquery.dataPolicies.delete bigquery.dataPolicies.get bigquery.dataPolicies.getIamPolicy bigquery.dataPolicies.list bigquery.dataPolicies.setIamPolicy bigquery.dataPolicies.update bigquery.datasets.* bigquery.jobs.* bigquery.models.* bigquery.readsessions.* bigquery.reservationAssignments.* bigquery.reservations.* bigquery.routines.* bigquery.rowAccessPolicies.create bigquery.rowAccessPolicies.delete bigquery.rowAccessPolicies.getIamPolicy bigquery.rowAccessPolicies.list bigquery.rowAccessPolicies.overrideTimeTravelRestrictions bigquery.rowAccessPolicies.setIamPolicy bigquery.rowAccessPolicies.update bigquery.savedqueries.* bigquery.tables.* bigquery.transfers.* bigquerymigration.translation.translate resourcemanager.projects.get resourcemanager.projects.list
BigQuery Connection Admin (`roles/bigquery.connectionAdmin`)	bigquery.connections.*
BigQuery Connection User (`roles/bigquery.connectionUser`)	bigquery.connections.get bigquery.connections.getIamPolicy bigquery.connections.list bigquery.connections.use
BigQuery Data Editor (`roles/bigquery.dataEditor`) When applied to a table or view, this role provides permissions to: Read and update data and metadata for the table or view. Delete the table or view. This role cannot be applied to individual models or routines. When applied to a dataset, this role provides permissions to: Read the dataset's metadata and list tables in the dataset. Create, update, get, and delete the dataset's tables. When applied at the project or organization level, this role can also create new datasets. Lowest-level resources where you can grant this role: Table View	bigquery.config.get bigquery.datasets.create bigquery.datasets.get bigquery.datasets.getIamPolicy bigquery.datasets.updateTag bigquery.models.* bigquery.routines.* bigquery.tables.create bigquery.tables.createIndex bigquery.tables.createSnapshot bigquery.tables.delete bigquery.tables.deleteIndex bigquery.tables.export bigquery.tables.get bigquery.tables.getData bigquery.tables.getIamPolicy bigquery.tables.list bigquery.tables.restoreSnapshot bigquery.tables.update bigquery.tables.updateData bigquery.tables.updateTag resourcemanager.projects.get resourcemanager.projects.list
BigQuery Data Owner (`roles/bigquery.dataOwner`) When applied to a table or view, this role provides permissions to: Read and update data and metadata for the table or view. Share the table or view. Delete the table or view. This role cannot be applied to individual models or routines. When applied to a dataset, this role provides permissions to: Read, update, and delete the dataset. Create, update, get, and delete the dataset's tables. When applied at the project or organization level, this role can also create new datasets. Lowest-level resources where you can grant this role: Table View	bigquery.config.get bigquery.dataPolicies.create bigquery.dataPolicies.delete bigquery.dataPolicies.get bigquery.dataPolicies.getIamPolicy bigquery.dataPolicies.list bigquery.dataPolicies.setIamPolicy bigquery.dataPolicies.update bigquery.datasets.* bigquery.models.* bigquery.routines.* bigquery.rowAccessPolicies.create bigquery.rowAccessPolicies.delete bigquery.rowAccessPolicies.getIamPolicy bigquery.rowAccessPolicies.list bigquery.rowAccessPolicies.setIamPolicy bigquery.rowAccessPolicies.update bigquery.tables.* resourcemanager.projects.get resourcemanager.projects.list
BigQuery Data Viewer (`roles/bigquery.dataViewer`) When applied to a table or view, this role provides permissions to: Read data and metadata from the table or view. This role cannot be applied to individual models or routines. When applied to a dataset, this role provides permissions to: Read the dataset's metadata and list tables in the dataset. Read data and metadata from the dataset's tables. When applied at the project or organization level, this role can also enumerate all datasets in the project. Additional roles, however, are necessary to allow the running of jobs. Lowest-level resources where you can grant this role: Table View	bigquery.datasets.get bigquery.datasets.getIamPolicy bigquery.models.export bigquery.models.getData bigquery.models.getMetadata bigquery.models.list bigquery.routines.get bigquery.routines.list bigquery.tables.createSnapshot bigquery.tables.export bigquery.tables.get bigquery.tables.getData bigquery.tables.getIamPolicy bigquery.tables.list resourcemanager.projects.get resourcemanager.projects.list
BigQuery Filtered Data Viewer (`roles/bigquery.filteredDataViewer`) Access to view filtered table data defined by a row access policy	bigquery.rowAccessPolicies.getFilteredData
BigQuery Job User (`roles/bigquery.jobUser`) Provides permissions to run jobs, including queries, within the project. Lowest-level resources where you can grant this role: Project	bigquery.config.get bigquery.jobs.create resourcemanager.projects.get resourcemanager.projects.list
BigQuery Metadata Viewer (`roles/bigquery.metadataViewer`) When applied to a table or view, this role provides permissions to: Read metadata from the table or view. This role cannot be applied to individual models or routines. When applied to a dataset, this role provides permissions to: List tables and views in the dataset. Read metadata from the dataset's tables and views. When applied at the project or organization level, this role provides permissions to: List all datasets and read metadata for all datasets in the project. List all tables and views and read metadata for all tables and views in the project. Additional roles are necessary to allow the running of jobs. Lowest-level resources where you can grant this role: Table View	bigquery.datasets.get bigquery.datasets.getIamPolicy bigquery.models.getMetadata bigquery.models.list bigquery.routines.get bigquery.routines.list bigquery.tables.get bigquery.tables.getIamPolicy bigquery.tables.list resourcemanager.projects.get resourcemanager.projects.list
BigQuery Read Session User (`roles/bigquery.readSessionUser`) Access to create and use read sessions	bigquery.readsessions.* resourcemanager.projects.get resourcemanager.projects.list
BigQuery Resource Admin (`roles/bigquery.resourceAdmin`) Administer all BigQuery resources.	bigquery.bireservations.* bigquery.capacityCommitments.* bigquery.jobs.get bigquery.jobs.list bigquery.jobs.listAll bigquery.jobs.listExecutionMetadata bigquery.reservationAssignments.* bigquery.reservations.* recommender.bigqueryCapacityCommitmentsInsights.* recommender.bigqueryCapacityCommitmentsRecommendations.* resourcemanager.projects.get resourcemanager.projects.list
BigQuery Resource Editor (`roles/bigquery.resourceEditor`) Manage all BigQuery resources, but cannot make purchasing decisions.	bigquery.bireservations.get bigquery.capacityCommitments.get bigquery.capacityCommitments.list bigquery.jobs.get bigquery.jobs.list bigquery.jobs.listAll bigquery.jobs.listExecutionMetadata bigquery.reservationAssignments.* bigquery.reservations.* resourcemanager.projects.get resourcemanager.projects.list
BigQuery Resource Viewer (`roles/bigquery.resourceViewer`) View all BigQuery resources but cannot make changes or purchasing decisions.	bigquery.bireservations.get bigquery.capacityCommitments.get bigquery.capacityCommitments.list bigquery.jobs.get bigquery.jobs.list bigquery.jobs.listAll bigquery.jobs.listExecutionMetadata bigquery.reservationAssignments.list bigquery.reservationAssignments.search bigquery.reservations.get bigquery.reservations.list resourcemanager.projects.get resourcemanager.projects.list
BigQuery User (`roles/bigquery.user`) When applied to a dataset, this role provides the ability to read the dataset's metadata and list tables in the dataset. When applied to a project, this role also provides the ability to run jobs, including queries, within the project. A principal with this role can enumerate their own jobs, cancel their own jobs, and enumerate datasets within a project. Additionally, allows the creation of new datasets within the project; the creator is granted the BigQuery Data Owner role (`roles/bigquery.dataOwner`) on these new datasets. Lowest-level resources where you can grant this role: Dataset	bigquery.bireservations.get bigquery.capacityCommitments.get bigquery.capacityCommitments.list bigquery.config.get bigquery.datasets.create bigquery.datasets.get bigquery.datasets.getIamPolicy bigquery.jobs.create bigquery.jobs.list bigquery.models.list bigquery.readsessions.* bigquery.reservationAssignments.list bigquery.reservationAssignments.search bigquery.reservations.get bigquery.reservations.list bigquery.routines.list bigquery.savedqueries.get bigquery.savedqueries.list bigquery.tables.list bigquery.transfers.get bigquerymigration.translation.translate resourcemanager.projects.get resourcemanager.projects.list
Masked Reader ^Beta (`roles/bigquerydatapolicy.maskedReader`) Masked read access to sub-resources tagged by the policy tag associated with a data policy, for example, BigQuery columns	bigquery.dataPolicies.maskedGet

Billing roles

Role	Permissions
Billing Account Administrator (`roles/billing.admin`) Provides access to see and manage all aspects of billing accounts. Lowest-level resources where you can grant this role: Billing Account	billing.accounts.close billing.accounts.get billing.accounts.getCarbonInformation billing.accounts.getIamPolicy billing.accounts.getPaymentInfo billing.accounts.getPricing billing.accounts.getSpendingInformation billing.accounts.getUsageExportSpec billing.accounts.list billing.accounts.move billing.accounts.redeemPromotion billing.accounts.removeFromOrganization billing.accounts.reopen billing.accounts.setIamPolicy billing.accounts.update billing.accounts.updatePaymentInfo billing.accounts.updateUsageExportSpec billing.budgets.* billing.credits.list billing.resourceAssociations.* billing.subscriptions.* cloudnotifications.activities.list commerceoffercatalog.offers.get consumerprocurement.accounts.* consumerprocurement.orderAttributions.* consumerprocurement.orders.* dataprocessing.datasources.get dataprocessing.datasources.list dataprocessing.groupcontrols.get dataprocessing.groupcontrols.list logging.logEntries.list logging.logServiceIndexes.list logging.logServices.list logging.logs.list logging.privateLogEntries.list recommender.commitmentUtilizationInsights.* recommender.costInsights.* recommender.spendBasedCommitmentInsights.* recommender.spendBasedCommitmentRecommendations.* recommender.usageCommitmentRecommendations.* resourcemanager.projects.createBillingAssignment resourcemanager.projects.deleteBillingAssignment
Billing Account Costs Manager (`roles/billing.costsManager`) Manage budgets for a billing account, and view, analyze, and export cost information of a billing account. Lowest-level resources where you can grant this role: Billing Account	billing.accounts.get billing.accounts.getIamPolicy billing.accounts.getSpendingInformation billing.accounts.getUsageExportSpec billing.accounts.list billing.accounts.updateUsageExportSpec billing.budgets.* billing.resourceAssociations.list recommender.costInsights.*
Billing Account Creator (`roles/billing.creator`) Provides access to create billing accounts. Lowest-level resources where you can grant this role: Organization	billing.accounts.create resourcemanager.organizations.get
Project Billing Manager (`roles/billing.projectManager`) When granted in conjunction with the Billing Account User role, provides access to assign a project's billing account or disable its billing. Lowest-level resources where you can grant this role: Project	resourcemanager.projects.createBillingAssignment resourcemanager.projects.deleteBillingAssignment
Billing Account User (`roles/billing.user`) When granted in conjunction with the Project Owner role or Project Billing Manager role, provides access to associate projects with billing accounts. Lowest-level resources where you can grant this role: Billing Account	billing.accounts.get billing.accounts.getIamPolicy billing.accounts.list billing.accounts.redeemPromotion billing.credits.list billing.resourceAssociations.create
Billing Account Viewer (`roles/billing.viewer`) View billing account cost and pricing information, transactions, and billing and commitment recommendations. Lowest-level resources where you can grant this role: Billing Account	billing.accounts.get billing.accounts.getCarbonInformation billing.accounts.getIamPolicy billing.accounts.getPaymentInfo billing.accounts.getPricing billing.accounts.getSpendingInformation billing.accounts.getUsageExportSpec billing.accounts.list billing.budgets.get billing.budgets.list billing.credits.list billing.resourceAssociations.list billing.subscriptions.get billing.subscriptions.list commerceoffercatalog.offers.get consumerprocurement.accounts.get consumerprocurement.accounts.list consumerprocurement.orderAttributions.get consumerprocurement.orderAttributions.list consumerprocurement.orders.get consumerprocurement.orders.list dataprocessing.datasources.get dataprocessing.datasources.list dataprocessing.groupcontrols.get dataprocessing.groupcontrols.list recommender.commitmentUtilizationInsights.get recommender.commitmentUtilizationInsights.list recommender.costInsights.get recommender.costInsights.list recommender.spendBasedCommitmentInsights.get recommender.spendBasedCommitmentInsights.list recommender.spendBasedCommitmentRecommendations.get recommender.spendBasedCommitmentRecommendations.list recommender.usageCommitmentRecommendations.get recommender.usageCommitmentRecommendations.list

Binary Authorization roles

Role	Permissions
Binary Authorization Attestor Admin (`roles/binaryauthorization.attestorsAdmin`) Administrator of Binary Authorization Attestors	binaryauthorization.attestors.* resourcemanager.projects.get resourcemanager.projects.list
Binary Authorization Attestor Editor (`roles/binaryauthorization.attestorsEditor`) Editor of Binary Authorization Attestors	binaryauthorization.attestors.create binaryauthorization.attestors.delete binaryauthorization.attestors.get binaryauthorization.attestors.list binaryauthorization.attestors.update binaryauthorization.attestors.verifyImageAttested resourcemanager.projects.get resourcemanager.projects.list
Binary Authorization Attestor Image Verifier (`roles/binaryauthorization.attestorsVerifier`) Caller of Binary Authorization Attestors VerifyImageAttested	binaryauthorization.attestors.get binaryauthorization.attestors.list binaryauthorization.attestors.verifyImageAttested resourcemanager.projects.get resourcemanager.projects.list
Binary Authorization Attestor Viewer (`roles/binaryauthorization.attestorsViewer`) Viewer of Binary Authorization Attestors	binaryauthorization.attestors.get binaryauthorization.attestors.list resourcemanager.projects.get resourcemanager.projects.list
Binary Authorization Policy Administrator (`roles/binaryauthorization.policyAdmin`) Administrator of Binary Authorization Policy	binaryauthorization.continuousValidationConfig.* binaryauthorization.platformPolicies.* binaryauthorization.policy.* resourcemanager.projects.get resourcemanager.projects.list
Binary Authorization Policy Editor (`roles/binaryauthorization.policyEditor`) Editor of Binary Authorization Policy	binaryauthorization.continuousValidationConfig.get binaryauthorization.continuousValidationConfig.update binaryauthorization.platformPolicies.* binaryauthorization.policy.evaluatePolicy binaryauthorization.policy.get binaryauthorization.policy.update resourcemanager.projects.get resourcemanager.projects.list
Binary Authorization Policy Evaluator ^Beta (`roles/binaryauthorization.policyEvaluator`) Evaluator of Binary Authorization Policy	binaryauthorization.platformPolicies.evaluatePolicy binaryauthorization.platformPolicies.get binaryauthorization.platformPolicies.list binaryauthorization.policy.evaluatePolicy binaryauthorization.policy.get resourcemanager.projects.get resourcemanager.projects.list
Binary Authorization Policy Viewer (`roles/binaryauthorization.policyViewer`) Viewer of Binary Authorization Policy	binaryauthorization.continuousValidationConfig.get binaryauthorization.platformPolicies.get binaryauthorization.platformPolicies.list binaryauthorization.policy.get resourcemanager.projects.get resourcemanager.projects.list

CA Service roles

Role	Permissions
CA Service Admin (`roles/privateca.admin`) Full access to all CA Service resources.	privateca.* resourcemanager.projects.get resourcemanager.projects.list storage.buckets.create
CA Service Auditor (`roles/privateca.auditor`) Read-only access to all CA Service resources.	privateca.caPools.get privateca.caPools.getIamPolicy privateca.caPools.list privateca.certificateAuthorities.get privateca.certificateAuthorities.getIamPolicy privateca.certificateAuthorities.list privateca.certificateRevocationLists.get privateca.certificateRevocationLists.getIamPolicy privateca.certificateRevocationLists.list privateca.certificateTemplates.get privateca.certificateTemplates.getIamPolicy privateca.certificateTemplates.list privateca.certificates.get privateca.certificates.getIamPolicy privateca.certificates.list privateca.locations.* privateca.operations.get privateca.operations.list privateca.reusableConfigs.get privateca.reusableConfigs.getIamPolicy privateca.reusableConfigs.list resourcemanager.projects.get resourcemanager.projects.list
CA Service Operation Manager (`roles/privateca.caManager`) Create and manage CAs, revoke certificates, create certificates templates, and read-only access for CA Service resources.	privateca.caPools.create privateca.caPools.delete privateca.caPools.get privateca.caPools.getIamPolicy privateca.caPools.list privateca.caPools.update privateca.certificateAuthorities.create privateca.certificateAuthorities.delete privateca.certificateAuthorities.get privateca.certificateAuthorities.getIamPolicy privateca.certificateAuthorities.list privateca.certificateAuthorities.update privateca.certificateRevocationLists.get privateca.certificateRevocationLists.getIamPolicy privateca.certificateRevocationLists.list privateca.certificateRevocationLists.update privateca.certificateTemplates.create privateca.certificateTemplates.delete privateca.certificateTemplates.get privateca.certificateTemplates.getIamPolicy privateca.certificateTemplates.list privateca.certificateTemplates.update privateca.certificates.get privateca.certificates.getIamPolicy privateca.certificates.list privateca.certificates.update privateca.locations.* privateca.operations.get privateca.operations.list privateca.reusableConfigs.create privateca.reusableConfigs.delete privateca.reusableConfigs.get privateca.reusableConfigs.getIamPolicy privateca.reusableConfigs.list privateca.reusableConfigs.update resourcemanager.projects.get resourcemanager.projects.list storage.buckets.create
CA Service Certificate Manager (`roles/privateca.certificateManager`) Create certificates and read-only access for CA Service resources.	privateca.caPools.get privateca.caPools.getIamPolicy privateca.caPools.list privateca.certificateAuthorities.get privateca.certificateAuthorities.getIamPolicy privateca.certificateAuthorities.list privateca.certificateRevocationLists.get privateca.certificateRevocationLists.getIamPolicy privateca.certificateRevocationLists.list privateca.certificateTemplates.get privateca.certificateTemplates.getIamPolicy privateca.certificateTemplates.list privateca.certificates.create privateca.certificates.get privateca.certificates.getIamPolicy privateca.certificates.list privateca.locations.* privateca.operations.get privateca.operations.list privateca.reusableConfigs.get privateca.reusableConfigs.getIamPolicy privateca.reusableConfigs.list resourcemanager.projects.get resourcemanager.projects.list
CA Service Certificate Requester (`roles/privateca.certificateRequester`) Request certificates from CA Service.	privateca.certificates.create
CA Service Certificate Template User (`roles/privateca.templateUser`) Read, list and use certificate templates.	privateca.certificateTemplates.get privateca.certificateTemplates.list privateca.certificateTemplates.use
CA Service Workload Certificate Requester (`roles/privateca.workloadCertificateRequester`) Request certificates from CA Service with caller's identity.	privateca.certificates.createForSelf

Certificate Manager roles

Role	Permissions
Certificate Manager Editor ^Beta (`roles/certificatemanager.editor`) Edit access to Certificate Manager all resources.	certificatemanager.certmapentries.create certificatemanager.certmapentries.get certificatemanager.certmapentries.getIamPolicy certificatemanager.certmapentries.list certificatemanager.certmapentries.update certificatemanager.certmaps.create certificatemanager.certmaps.get certificatemanager.certmaps.getIamPolicy certificatemanager.certmaps.list certificatemanager.certmaps.update certificatemanager.certmaps.use certificatemanager.certs.create certificatemanager.certs.get certificatemanager.certs.getIamPolicy certificatemanager.certs.list certificatemanager.certs.update certificatemanager.certs.use certificatemanager.dnsauthorizations.create certificatemanager.dnsauthorizations.get certificatemanager.dnsauthorizations.getIamPolicy certificatemanager.dnsauthorizations.list certificatemanager.dnsauthorizations.update certificatemanager.dnsauthorizations.use certificatemanager.locations.* certificatemanager.operations.get certificatemanager.operations.list resourcemanager.projects.get resourcemanager.projects.list
Certificate Manager Owner ^Beta (`roles/certificatemanager.owner`) Full access to Certificate Manager all resources.	certificatemanager.* resourcemanager.projects.get resourcemanager.projects.list
Certificate Manager Viewer ^Beta (`roles/certificatemanager.viewer`) Read-only access to Certificate Manager all resources.	certificatemanager.certmapentries.get certificatemanager.certmapentries.getIamPolicy certificatemanager.certmapentries.list certificatemanager.certmaps.get certificatemanager.certmaps.getIamPolicy certificatemanager.certmaps.list certificatemanager.certs.get certificatemanager.certs.getIamPolicy certificatemanager.certs.list certificatemanager.dnsauthorizations.get certificatemanager.dnsauthorizations.getIamPolicy certificatemanager.dnsauthorizations.list certificatemanager.locations.* certificatemanager.operations.get certificatemanager.operations.list resourcemanager.projects.get resourcemanager.projects.list

Cloud AlloyDB roles

Role	Permissions
Cloud AlloyDB Admin ^Beta (`roles/alloydb.admin`) Full access to Cloud AlloyDB all resources.	alloydb.* resourcemanager.projects.get resourcemanager.projects.list
Cloud AlloyDB Client ^Beta (`roles/alloydb.client`) Connectivity access to Cloud AlloyDB instances.	alloydb.clusters.generateClientCertificate alloydb.clusters.get alloydb.instances.connect alloydb.instances.get resourcemanager.projects.get resourcemanager.projects.list
Cloud AlloyDB Viewer ^Beta (`roles/alloydb.viewer`) Read-only access to Cloud AlloyDB all resources.	alloydb.backups.get alloydb.backups.list alloydb.clusters.get alloydb.clusters.list alloydb.instances.get alloydb.instances.list alloydb.locations.* alloydb.operations.get alloydb.operations.list alloydb.supportedDatabaseFlags.* resourcemanager.projects.get resourcemanager.projects.list

Cloud Asset roles

Role	Permissions
Cloud Asset Owner (`roles/cloudasset.owner`) Full access to cloud assets metadata	cloudasset.* recommender.cloudAssetInsights.* recommender.locations.*
Cloud Asset Viewer (`roles/cloudasset.viewer`) Read only access to cloud assets metadata	cloudasset.assets.* recommender.cloudAssetInsights.get recommender.cloudAssetInsights.list recommender.locations.*

Cloud Bigtable roles

Role	Permissions
Bigtable Administrator (`roles/bigtable.admin`) Administers all Bigtable instances within a project, including the data stored within tables. Can create new instances. Intended for project administrators. Lowest-level resources where you can grant this role: Table	bigtable.* monitoring.metricDescriptors.get monitoring.metricDescriptors.list monitoring.timeSeries.list resourcemanager.projects.get
Bigtable Reader (`roles/bigtable.reader`) Provides read-only access to the data stored within Bigtable tables. Intended for data scientists, dashboard generators, and other data-analysis scenarios. Lowest-level resources where you can grant this role: Table	bigtable.appProfiles.get bigtable.appProfiles.list bigtable.backups.get bigtable.backups.list bigtable.clusters.get bigtable.clusters.list bigtable.instances.get bigtable.instances.list bigtable.keyvisualizer.* bigtable.locations.list bigtable.tables.checkConsistency bigtable.tables.generateConsistencyToken bigtable.tables.get bigtable.tables.list bigtable.tables.readRows bigtable.tables.sampleRowKeys monitoring.metricDescriptors.get monitoring.metricDescriptors.list monitoring.timeSeries.list resourcemanager.projects.get
Bigtable User (`roles/bigtable.user`) Provides read-write access to the data stored within Bigtable tables. Intended for application developers or service accounts. Lowest-level resources where you can grant this role: Table	bigtable.appProfiles.get bigtable.appProfiles.list bigtable.backups.get bigtable.backups.list bigtable.clusters.get bigtable.clusters.list bigtable.instances.get bigtable.instances.list bigtable.keyvisualizer.* bigtable.locations.list bigtable.tables.checkConsistency bigtable.tables.generateConsistencyToken bigtable.tables.get bigtable.tables.list bigtable.tables.mutateRows bigtable.tables.readRows bigtable.tables.sampleRowKeys monitoring.metricDescriptors.get monitoring.metricDescriptors.list monitoring.timeSeries.list resourcemanager.projects.get
Bigtable Viewer (`roles/bigtable.viewer`) Provides no data access. Intended as a minimal set of permissions to access the Google Cloud console for Bigtable. Lowest-level resources where you can grant this role: Table	bigtable.appProfiles.get bigtable.appProfiles.list bigtable.backups.get bigtable.backups.list bigtable.clusters.get bigtable.clusters.list bigtable.instances.get bigtable.instances.list bigtable.locations.list bigtable.tables.checkConsistency bigtable.tables.generateConsistencyToken bigtable.tables.get bigtable.tables.list monitoring.metricDescriptors.get monitoring.metricDescriptors.list monitoring.timeSeries.list resourcemanager.projects.get

Cloud Build roles

Role	Permissions
Cloud Build Approver (`roles/cloudbuild.builds.approver`) Can approve or reject pending builds.	cloudbuild.builds.approve cloudbuild.builds.get cloudbuild.builds.list remotebuildexecution.blobs.get resourcemanager.projects.get resourcemanager.projects.list
Cloud Build Service Account (`roles/cloudbuild.builds.builder`) Provides access to perform builds.	artifactregistry.aptartifacts.create artifactregistry.dockerimages.* artifactregistry.files.* artifactregistry.locations.* artifactregistry.mavenartifacts.* artifactregistry.npmpackages.* artifactregistry.packages.get artifactregistry.packages.list artifactregistry.pythonpackages.* artifactregistry.repositories.downloadArtifacts artifactregistry.repositories.get artifactregistry.repositories.list artifactregistry.repositories.listEffectiveTags artifactregistry.repositories.listTagBindings artifactregistry.repositories.uploadArtifacts artifactregistry.tags.create artifactregistry.tags.get artifactregistry.tags.list artifactregistry.tags.update artifactregistry.versions.get artifactregistry.versions.list artifactregistry.yumartifacts.create cloudbuild.builds.create cloudbuild.builds.get cloudbuild.builds.list cloudbuild.builds.update cloudbuild.workerpools.use containeranalysis.occurrences.create containeranalysis.occurrences.delete containeranalysis.occurrences.get containeranalysis.occurrences.list containeranalysis.occurrences.update logging.logEntries.create logging.logEntries.list logging.privateLogEntries.list logging.views.access pubsub.topics.create pubsub.topics.publish remotebuildexecution.blobs.get resourcemanager.projects.get resourcemanager.projects.list source.repos.get source.repos.list storage.buckets.create storage.buckets.get storage.buckets.list storage.objects.create storage.objects.delete storage.objects.get storage.objects.list storage.objects.update
Cloud Build Editor (`roles/cloudbuild.builds.editor`) Provides access to create and cancel builds. Lowest-level resources where you can grant this role: Project	cloudbuild.builds.create cloudbuild.builds.get cloudbuild.builds.list cloudbuild.builds.update remotebuildexecution.blobs.get resourcemanager.projects.get resourcemanager.projects.list
Cloud Build Viewer (`roles/cloudbuild.builds.viewer`) Provides access to view builds. Lowest-level resources where you can grant this role: Project	cloudbuild.builds.get cloudbuild.builds.list remotebuildexecution.blobs.get resourcemanager.projects.get resourcemanager.projects.list
Cloud Build Integrations Editor (`roles/cloudbuild.integrationsEditor`) Can update Integrations	cloudbuild.integrations.get cloudbuild.integrations.list cloudbuild.integrations.update resourcemanager.projects.get resourcemanager.projects.list
Cloud Build Integrations Owner (`roles/cloudbuild.integrationsOwner`) Can create/delete Integrations	cloudbuild.integrations.* compute.firewalls.create compute.firewalls.get compute.firewalls.list compute.networks.get compute.networks.updatePolicy compute.regions.get compute.subnetworks.get compute.subnetworks.list resourcemanager.projects.get resourcemanager.projects.list
Cloud Build Integrations Viewer (`roles/cloudbuild.integrationsViewer`) Can view Integrations	cloudbuild.integrations.get cloudbuild.integrations.list resourcemanager.projects.get resourcemanager.projects.list
Cloud Build WorkerPool Editor (`roles/cloudbuild.workerPoolEditor`) Can update and view WorkerPools	cloudbuild.workerpools.get cloudbuild.workerpools.list cloudbuild.workerpools.update resourcemanager.projects.get resourcemanager.projects.list
Cloud Build WorkerPool Owner (`roles/cloudbuild.workerPoolOwner`) Can create, delete, update, and view WorkerPools	cloudbuild.workerpools.create cloudbuild.workerpools.delete cloudbuild.workerpools.get cloudbuild.workerpools.list cloudbuild.workerpools.update resourcemanager.projects.get resourcemanager.projects.list
Cloud Build WorkerPool User (`roles/cloudbuild.workerPoolUser`) Can run builds in the WorkerPool	cloudbuild.workerpools.use
Cloud Build WorkerPool Viewer (`roles/cloudbuild.workerPoolViewer`) Can view WorkerPools	cloudbuild.workerpools.get cloudbuild.workerpools.list resourcemanager.projects.get resourcemanager.projects.list

Cloud Composer roles

Role	Permissions
Cloud Composer v2 API Service Agent Extension (`roles/composer.ServiceAgentV2Ext`) Cloud Composer v2 API Service Agent Extension is a supplementary role required to manage Composer v2 environments.	iam.serviceAccounts.getIamPolicy iam.serviceAccounts.setIamPolicy
Composer Administrator (`roles/composer.admin`) Provides full control of Cloud Composer resources. Lowest-level resources where you can grant this role: Project	composer.* serviceusage.quotas.get serviceusage.services.get serviceusage.services.list
Environment and Storage Object Administrator (`roles/composer.environmentAndStorageObjectAdmin`) Provides full control of Cloud Composer resources and of the objects in all project buckets. Lowest-level resources where you can grant this role: Project	composer.* orgpolicy.policy.get resourcemanager.projects.get resourcemanager.projects.list serviceusage.quotas.get serviceusage.services.get serviceusage.services.list storage.multipartUploads.* storage.objects.*
Environment User and Storage Object Viewer (`roles/composer.environmentAndStorageObjectViewer`) Provides the permissions necessary to list and get Cloud Composer environments and operations. Provides read-only access to objects in all project buckets. Lowest-level resources where you can grant this role: Project	composer.dags.* composer.environments.get composer.environments.list composer.imageversions.list composer.operations.get composer.operations.list resourcemanager.projects.get resourcemanager.projects.list serviceusage.quotas.get serviceusage.services.get serviceusage.services.list storage.objects.get storage.objects.list
Composer Shared VPC Agent (`roles/composer.sharedVpcAgent`) Role that should be assigned to Composer Agent service account in Shared VPC host project	compute.networks.access compute.networks.addPeering compute.networks.get compute.networks.list compute.networks.listPeeringRoutes compute.networks.removePeering compute.networks.updatePeering compute.networks.use compute.networks.useExternalIp compute.projects.get compute.regions.* compute.subnetworks.get compute.subnetworks.list compute.subnetworks.use compute.subnetworks.useExternalIp compute.zones.*
Composer User (`roles/composer.user`) Provides the permissions necessary to list and get Cloud Composer environments and operations. Lowest-level resources where you can grant this role: Project	composer.dags.* composer.environments.get composer.environments.list composer.imageversions.list composer.operations.get composer.operations.list serviceusage.quotas.get serviceusage.services.get serviceusage.services.list
Composer Worker (`roles/composer.worker`) Provides the permissions necessary to run a Cloud Composer environment VM. Intended for service accounts. Lowest-level resources where you can grant this role: Project	artifactregistry.* cloudbuild.builds.create cloudbuild.builds.get cloudbuild.builds.list cloudbuild.builds.update cloudbuild.workerpools.use composer.environments.get container.* containeranalysis.occurrences.create containeranalysis.occurrences.delete containeranalysis.occurrences.get containeranalysis.occurrences.list containeranalysis.occurrences.update logging.logEntries.create logging.logEntries.list logging.privateLogEntries.list logging.views.access monitoring.metricDescriptors.create monitoring.metricDescriptors.get monitoring.metricDescriptors.list monitoring.monitoredResourceDescriptors.* monitoring.timeSeries.* orgpolicy.policy.get pubsub.schemas.attach pubsub.schemas.create pubsub.schemas.delete pubsub.schemas.get pubsub.schemas.list pubsub.schemas.validate pubsub.snapshots.create pubsub.snapshots.delete pubsub.snapshots.get pubsub.snapshots.list pubsub.snapshots.seek pubsub.snapshots.update pubsub.subscriptions.consume pubsub.subscriptions.create pubsub.subscriptions.delete pubsub.subscriptions.get pubsub.subscriptions.list pubsub.subscriptions.update pubsub.topics.attachSubscription pubsub.topics.create pubsub.topics.delete pubsub.topics.detachSubscription pubsub.topics.get pubsub.topics.list pubsub.topics.publish pubsub.topics.update pubsub.topics.updateTag remotebuildexecution.blobs.get resourcemanager.projects.get resourcemanager.projects.list serviceusage.quotas.get serviceusage.services.get serviceusage.services.list source.repos.get source.repos.list storage.buckets.create storage.buckets.get storage.buckets.list storage.multipartUploads.* storage.objects.*

Cloud Connectors roles

Role Permissions

Role	Permissions
Connector Admin (`roles/connectors.admin`) Full access to all resources of Connectors Service.	connectors.* resourcemanager.projects.get resourcemanager.projects.list
Connectors Viewer (`roles/connectors.viewer`) Read-only access to Connectors all resources.	connectors.connections.get connectors.connections.getConnectionSchemaMetadata connectors.connections.getIamPolicy connectors.connections.getRuntimeActionSchema connectors.connections.getRuntimeEntitySchema connectors.connections.list connectors.connectors.* connectors.locations.* connectors.operations.get connectors.operations.list connectors.providers.* connectors.runtimeconfig.get connectors.versions.* resourcemanager.projects.get resourcemanager.projects.list

Connector Admin
(roles/connectors.admin)

Full access to all resources of Connectors Service.

connectors.*
resourcemanager.projects.get
resourcemanager.projects.list

Connectors Viewer
(roles/connectors.viewer)

Read-only access to Connectors all resources.

connectors.connections.get
connectors.connections.getConnectionSchemaMetadata
connectors.connections.getIamPolicy
connectors.connections.getRuntimeActionSchema
connectors.connections.getRuntimeEntitySchema
connectors.connections.list
connectors.connectors.*
connectors.locations.*
connectors.operations.get
connectors.operations.list
connectors.providers.*
connectors.runtimeconfig.get
connectors.versions.*
resourcemanager.projects.get
resourcemanager.projects.list

Cloud Data Fusion roles

Role Permissions

Role	Permissions
Cloud Data Fusion Admin ^Beta (`roles/datafusion.admin`) Full access to Cloud Data Fusion Instances, Namespaces and related resources. Lowest-level resources where you can grant this role: Project	datafusion.* resourcemanager.projects.get resourcemanager.projects.list
Cloud Data Fusion Runner ^Beta (`roles/datafusion.runner`) Access to Cloud Data Fusion runtime resources.	datafusion.instances.runtime
Cloud Data Fusion Viewer ^Beta (`roles/datafusion.viewer`) Read-only access to Cloud Data Fusion Instances, Namespaces and related resources. Lowest-level resources where you can grant this role: Project	datafusion.instances.get datafusion.instances.getIamPolicy datafusion.instances.list datafusion.instances.runtime datafusion.locations.* datafusion.operations.get datafusion.operations.list resourcemanager.projects.get resourcemanager.projects.list

Cloud Data Fusion Admin ^Beta
(roles/datafusion.admin)

Full access to Cloud Data Fusion Instances, Namespaces and related resources.

Lowest-level resources where you can grant this role:

Project

datafusion.*
resourcemanager.projects.get
resourcemanager.projects.list

Cloud Data Fusion Runner ^Beta
(roles/datafusion.runner)

Access to Cloud Data Fusion runtime resources.

datafusion.instances.runtime

Cloud Data Fusion Viewer ^Beta
(roles/datafusion.viewer)

Read-only access to Cloud Data Fusion Instances, Namespaces and related resources.

Lowest-level resources where you can grant this role:

Project

datafusion.instances.get
datafusion.instances.getIamPolicy
datafusion.instances.list
datafusion.instances.runtime
datafusion.locations.*
datafusion.operations.get
datafusion.operations.list
resourcemanager.projects.get
resourcemanager.projects.list

Cloud Data Labeling roles

Role	Permissions
Data Labeling Service Admin ^Beta (`roles/datalabeling.admin`) Full access to all Data Labeling resources	datalabeling.* resourcemanager.projects.get resourcemanager.projects.list
Data Labeling Service Editor ^Beta (`roles/datalabeling.editor`) Editor of all Data Labeling resources	datalabeling.* resourcemanager.projects.get resourcemanager.projects.list
Data Labeling Service Viewer ^Beta (`roles/datalabeling.viewer`) Viewer of all Data Labeling resources	datalabeling.annotateddatasets.get datalabeling.annotateddatasets.list datalabeling.annotationspecsets.get datalabeling.annotationspecsets.list datalabeling.dataitems.* datalabeling.datasets.get datalabeling.datasets.list datalabeling.examples.* datalabeling.instructions.get datalabeling.instructions.list datalabeling.operations.get datalabeling.operations.list resourcemanager.projects.get resourcemanager.projects.list

Cloud Dataplex roles

Role	Permissions
Dataplex Administrator (`roles/dataplex.admin`) Full access to all Dataplex resources.	cloudasset.assets.analyzeIamPolicy cloudasset.assets.searchAllIamPolicies cloudasset.assets.searchAllResources dataplex.assetActions.list dataplex.assets.create dataplex.assets.delete dataplex.assets.get dataplex.assets.getIamPolicy dataplex.assets.list dataplex.assets.setIamPolicy dataplex.assets.update dataplex.content.* dataplex.entities.* dataplex.environments.* dataplex.lakeActions.list dataplex.lakes.* dataplex.locations.* dataplex.operations.* dataplex.partitions.* dataplex.tasks.* dataplex.zoneActions.list dataplex.zones.* resourcemanager.projects.get resourcemanager.projects.list
Dataplex Data Owner (`roles/dataplex.dataOwner`) Owner access to data. To be granted to Dataplex resources Lake, Zone or Asset only.	dataplex.assets.ownData dataplex.assets.readData dataplex.assets.writeData
Dataplex Data Reader (`roles/dataplex.dataReader`) Read only access to data. To be granted to Dataplex resources Lake, Zone or Asset only.	dataplex.assets.readData
Dataplex Data Writer (`roles/dataplex.dataWriter`) Write access to data. To be granted to Dataplex resources Lake, Zone or Asset only.	dataplex.assets.writeData
Dataplex Developer (`roles/dataplex.developer`) Allows running data analytics workloads in a lake.	dataplex.content.* dataplex.environments.execute dataplex.environments.get dataplex.environments.list dataplex.tasks.cancel dataplex.tasks.create dataplex.tasks.delete dataplex.tasks.get dataplex.tasks.list dataplex.tasks.update
Dataplex Editor (`roles/dataplex.editor`) Write access to Dataplex resources.	cloudasset.assets.analyzeIamPolicy dataplex.assetActions.list dataplex.assets.create dataplex.assets.delete dataplex.assets.get dataplex.assets.getIamPolicy dataplex.assets.list dataplex.assets.update dataplex.content.delete dataplex.content.get dataplex.content.getIamPolicy dataplex.content.list dataplex.environments.create dataplex.environments.delete dataplex.environments.get dataplex.environments.getIamPolicy dataplex.environments.list dataplex.environments.update dataplex.lakeActions.list dataplex.lakes.create dataplex.lakes.delete dataplex.lakes.get dataplex.lakes.getIamPolicy dataplex.lakes.list dataplex.lakes.update dataplex.operations.* dataplex.tasks.cancel dataplex.tasks.create dataplex.tasks.delete dataplex.tasks.get dataplex.tasks.getIamPolicy dataplex.tasks.list dataplex.tasks.update dataplex.zoneActions.list dataplex.zones.create dataplex.zones.delete dataplex.zones.get dataplex.zones.getIamPolicy dataplex.zones.list dataplex.zones.update
Dataplex Metadata Reader (`roles/dataplex.metadataReader`) Read only access to metadata.	dataplex.assets.get dataplex.assets.list dataplex.entities.get dataplex.entities.list dataplex.partitions.get dataplex.partitions.list dataplex.zones.get dataplex.zones.list
Dataplex Metadata Writer (`roles/dataplex.metadataWriter`) Read and write access to metadata.	dataplex.assets.get dataplex.assets.list dataplex.entities.* dataplex.partitions.* dataplex.zones.get dataplex.zones.list
Dataplex Storage Data Owner (`roles/dataplex.storageDataOwner`) Owner access to data. Should not be used directly. This role is granted by Dataplex to managed resources like Cloud Storage buckets, BigQuery datasets etc.	bigquery.datasets.get bigquery.models.create bigquery.models.delete bigquery.models.export bigquery.models.getData bigquery.models.getMetadata bigquery.models.list bigquery.models.updateData bigquery.models.updateMetadata bigquery.routines.create bigquery.routines.delete bigquery.routines.get bigquery.routines.list bigquery.routines.update bigquery.tables.create bigquery.tables.createSnapshot bigquery.tables.delete bigquery.tables.deleteSnapshot bigquery.tables.export bigquery.tables.get bigquery.tables.getData bigquery.tables.list bigquery.tables.restoreSnapshot bigquery.tables.update bigquery.tables.updateData storage.buckets.get storage.objects.create storage.objects.delete storage.objects.get storage.objects.list storage.objects.update
Dataplex Storage Data Reader (`roles/dataplex.storageDataReader`) Read only access to data. Should not be used directly. This role is granted by Dataplex to managed resources like Cloud Storage buckets, BigQuery datasets etc.	bigquery.datasets.get bigquery.models.export bigquery.models.getData bigquery.models.getMetadata bigquery.models.list bigquery.routines.get bigquery.routines.list bigquery.tables.export bigquery.tables.get bigquery.tables.getData bigquery.tables.list storage.buckets.get storage.objects.get storage.objects.list
Dataplex Storage Data Writer (`roles/dataplex.storageDataWriter`) Write access to data. Should not be used directly. This role is granted by Dataplex to managed resources like Cloud Storage buckets, BigQuery datasets etc.	bigquery.tables.updateData storage.objects.create storage.objects.delete storage.objects.update
Dataplex Viewer (`roles/dataplex.viewer`) Read access to Dataplex resources.	cloudasset.assets.analyzeIamPolicy dataplex.assetActions.list dataplex.assets.get dataplex.assets.getIamPolicy dataplex.assets.list dataplex.content.get dataplex.content.getIamPolicy dataplex.content.list dataplex.environments.get dataplex.environments.getIamPolicy dataplex.environments.list dataplex.lakeActions.list dataplex.lakes.get dataplex.lakes.getIamPolicy dataplex.lakes.list dataplex.operations.get dataplex.operations.list dataplex.tasks.get dataplex.tasks.getIamPolicy dataplex.tasks.list dataplex.zoneActions.list dataplex.zones.get dataplex.zones.getIamPolicy dataplex.zones.list

Cloud Debugger roles

Role Permissions

Role	Permissions
Cloud Debugger Agent ^Beta (`roles/clouddebugger.agent`) Provides permissions to register the debug target, read active breakpoints, and report breakpoint results. Lowest-level resources where you can grant this role: Service Account	clouddebugger.breakpoints.list clouddebugger.breakpoints.listActive clouddebugger.breakpoints.update clouddebugger.debuggees.create
Cloud Debugger User ^Beta (`roles/clouddebugger.user`) Provides permissions to create, view, list, and delete breakpoints (snapshots & logpoints) as well as list debug targets (debuggees). Lowest-level resources where you can grant this role: Project	clouddebugger.breakpoints.create clouddebugger.breakpoints.delete clouddebugger.breakpoints.get clouddebugger.breakpoints.list clouddebugger.debuggees.list

Cloud Debugger Agent ^Beta
(roles/clouddebugger.agent)

Provides permissions to register the debug target, read active breakpoints, and report breakpoint results.

Lowest-level resources where you can grant this role:

Service Account

clouddebugger.breakpoints.list
clouddebugger.breakpoints.listActive
clouddebugger.breakpoints.update
clouddebugger.debuggees.create

Cloud Debugger User ^Beta
(roles/clouddebugger.user)

Provides permissions to create, view, list, and delete breakpoints (snapshots & logpoints) as well as list debug targets (debuggees).

Lowest-level resources where you can grant this role:

Project

clouddebugger.breakpoints.create
clouddebugger.breakpoints.delete
clouddebugger.breakpoints.get
clouddebugger.breakpoints.list
clouddebugger.debuggees.list

Cloud Deploy roles

Role	Permissions
Cloud Deploy Admin ^Beta (`roles/clouddeploy.admin`) Full control of Cloud Deploy resources.	clouddeploy.* resourcemanager.projects.get resourcemanager.projects.list
Cloud Deploy Approver ^Beta (`roles/clouddeploy.approver`) Permission to approve or reject rollouts.	clouddeploy.locations.* clouddeploy.operations.* clouddeploy.rollouts.approve clouddeploy.rollouts.get clouddeploy.rollouts.list resourcemanager.projects.get resourcemanager.projects.list
Cloud Deploy Developer ^Beta (`roles/clouddeploy.developer`) Permission to manage deployment configuration without permission to access operational resources, such as targets.	clouddeploy.deliveryPipelines.create clouddeploy.deliveryPipelines.get clouddeploy.deliveryPipelines.getIamPolicy clouddeploy.deliveryPipelines.list clouddeploy.deliveryPipelines.update clouddeploy.locations.* clouddeploy.operations.* clouddeploy.releases.* clouddeploy.rollouts.get clouddeploy.rollouts.list resourcemanager.projects.get resourcemanager.projects.list
Cloud Deploy Runner ^Beta (`roles/clouddeploy.jobRunner`) Permission to execute Cloud Deploy work without permission to deliver to a target.	logging.logEntries.create storage.objects.create storage.objects.get storage.objects.list
Cloud Deploy Operator ^Beta (`roles/clouddeploy.operator`) Permission to manage deployment configuration.	clouddeploy.deliveryPipelines.create clouddeploy.deliveryPipelines.get clouddeploy.deliveryPipelines.getIamPolicy clouddeploy.deliveryPipelines.list clouddeploy.deliveryPipelines.update clouddeploy.locations.* clouddeploy.operations.* clouddeploy.releases.* clouddeploy.rollouts.create clouddeploy.rollouts.get clouddeploy.rollouts.list clouddeploy.targets.create clouddeploy.targets.get clouddeploy.targets.getIamPolicy clouddeploy.targets.list clouddeploy.targets.update resourcemanager.projects.get resourcemanager.projects.list
Cloud Deploy Releaser ^Beta (`roles/clouddeploy.releaser`) Permission to create Cloud Deploy releases and rollouts.	clouddeploy.deliveryPipelines.get clouddeploy.locations.* clouddeploy.operations.* clouddeploy.releases.create clouddeploy.releases.get clouddeploy.releases.list clouddeploy.rollouts.create clouddeploy.rollouts.get clouddeploy.rollouts.list clouddeploy.targets.get resourcemanager.projects.get resourcemanager.projects.list
Cloud Deploy Viewer ^Beta (`roles/clouddeploy.viewer`) Can view Cloud Deploy resources.	clouddeploy.config.get clouddeploy.deliveryPipelines.get clouddeploy.deliveryPipelines.getIamPolicy clouddeploy.deliveryPipelines.list clouddeploy.locations.* clouddeploy.operations.get clouddeploy.operations.list clouddeploy.releases.get clouddeploy.releases.list clouddeploy.rollouts.get clouddeploy.rollouts.list clouddeploy.targets.get clouddeploy.targets.getIamPolicy clouddeploy.targets.list resourcemanager.projects.get resourcemanager.projects.list

Cloud DLP roles

Role	Permissions
DLP Administrator (`roles/dlp.admin`) Administer DLP including jobs and templates.	dlp.* serviceusage.services.use
DLP Analyze Risk Templates Editor (`roles/dlp.analyzeRiskTemplatesEditor`) Edit DLP analyze risk templates.	dlp.analyzeRiskTemplates.*
DLP Analyze Risk Templates Reader (`roles/dlp.analyzeRiskTemplatesReader`) Read DLP analyze risk templates.	dlp.analyzeRiskTemplates.get dlp.analyzeRiskTemplates.list
DLP Column Data Profiles Reader (`roles/dlp.columnDataProfilesReader`) Read DLP column profiles.	dlp.columnDataProfiles.*
DLP Data Profiles Reader (`roles/dlp.dataProfilesReader`) Read DLP profiles.	dlp.columnDataProfiles.* dlp.projectDataProfiles.* dlp.tableDataProfiles.*
DLP De-identify Templates Editor (`roles/dlp.deidentifyTemplatesEditor`) Edit DLP de-identify templates.	dlp.deidentifyTemplates.*
DLP De-identify Templates Reader (`roles/dlp.deidentifyTemplatesReader`) Read DLP de-identify templates.	dlp.deidentifyTemplates.get dlp.deidentifyTemplates.list
DLP Cost Estimation (`roles/dlp.estimatesAdmin`) Manage DLP Cost Estimates.	dlp.estimates.*
DLP Inspect Findings Reader (`roles/dlp.inspectFindingsReader`) Read DLP stored findings.	dlp.inspectFindings.list
DLP Inspect Templates Editor (`roles/dlp.inspectTemplatesEditor`) Edit DLP inspect templates.	dlp.inspectTemplates.*
DLP Inspect Templates Reader (`roles/dlp.inspectTemplatesReader`) Read DLP inspect templates.	dlp.inspectTemplates.get dlp.inspectTemplates.list
DLP Job Triggers Editor (`roles/dlp.jobTriggersEditor`) Edit job triggers configurations.	dlp.jobTriggers.*
DLP Job Triggers Reader (`roles/dlp.jobTriggersReader`) Read job triggers.	dlp.jobTriggers.get dlp.jobTriggers.list
DLP Jobs Editor (`roles/dlp.jobsEditor`) Edit and create jobs	dlp.jobs.* dlp.kms.encrypt
DLP Jobs Reader (`roles/dlp.jobsReader`) Read jobs	dlp.jobs.get dlp.jobs.list
DLP Organization Data Profiles Driver (`roles/dlp.orgdriver`) Permissions needed by the DLP service account to generate data profiles within an organization or folder.	bigquery.bireservations.get bigquery.capacityCommitments.get bigquery.capacityCommitments.list bigquery.config.get bigquery.connections.updateTag bigquery.datasets.create bigquery.datasets.get bigquery.datasets.getIamPolicy bigquery.datasets.updateTag bigquery.jobs.create bigquery.jobs.get bigquery.jobs.list bigquery.jobs.listAll bigquery.jobs.listExecutionMetadata bigquery.models.* bigquery.readsessions.* bigquery.reservationAssignments.list bigquery.reservationAssignments.search bigquery.reservations.get bigquery.reservations.list bigquery.routines.* bigquery.savedqueries.get bigquery.savedqueries.list bigquery.tables.create bigquery.tables.createIndex bigquery.tables.createSnapshot bigquery.tables.delete bigquery.tables.deleteIndex bigquery.tables.export bigquery.tables.get bigquery.tables.getData bigquery.tables.getIamPolicy bigquery.tables.list bigquery.tables.restoreSnapshot bigquery.tables.update bigquery.tables.updateData bigquery.tables.updateTag bigquery.transfers.get bigquerymigration.translation.translate cloudasset.assets.* datacatalog.categories.fineGrainedGet datacatalog.entries.updateTag datacatalog.tagTemplates.create datacatalog.tagTemplates.get datacatalog.tagTemplates.getTag datacatalog.tagTemplates.use dlp.* pubsub.topics.updateTag recommender.cloudAssetInsights.get recommender.cloudAssetInsights.list recommender.locations.* resourcemanager.projects.get resourcemanager.projects.list serviceusage.services.use
DLP Project Data Profiles Reader (`roles/dlp.projectDataProfilesReader`) Read DLP project profiles.	dlp.projectDataProfiles.*
DLP Project Data Profiles Driver (`roles/dlp.projectdriver`) Permissions needed by the DLP service account to generate data profiles within a project.	bigquery.bireservations.get bigquery.capacityCommitments.get bigquery.capacityCommitments.list bigquery.config.get bigquery.connections.updateTag bigquery.datasets.create bigquery.datasets.get bigquery.datasets.getIamPolicy bigquery.datasets.updateTag bigquery.jobs.create bigquery.jobs.get bigquery.jobs.list bigquery.jobs.listAll bigquery.jobs.listExecutionMetadata bigquery.models.* bigquery.readsessions.* bigquery.reservationAssignments.list bigquery.reservationAssignments.search bigquery.reservations.get bigquery.reservations.list bigquery.routines.* bigquery.savedqueries.get bigquery.savedqueries.list bigquery.tables.create bigquery.tables.createIndex bigquery.tables.createSnapshot bigquery.tables.delete bigquery.tables.deleteIndex bigquery.tables.export bigquery.tables.get bigquery.tables.getData bigquery.tables.getIamPolicy bigquery.tables.list bigquery.tables.restoreSnapshot bigquery.tables.update bigquery.tables.updateData bigquery.tables.updateTag bigquery.transfers.get bigquerymigration.translation.translate cloudasset.assets.* datacatalog.categories.fineGrainedGet datacatalog.entries.updateTag datacatalog.tagTemplates.create datacatalog.tagTemplates.get datacatalog.tagTemplates.getTag datacatalog.tagTemplates.use dlp.* pubsub.topics.updateTag recommender.cloudAssetInsights.get recommender.cloudAssetInsights.list recommender.locations.* resourcemanager.projects.get resourcemanager.projects.list serviceusage.services.use
DLP Reader (`roles/dlp.reader`) Read DLP entities, such as jobs and templates.	dlp.analyzeRiskTemplates.get dlp.analyzeRiskTemplates.list dlp.deidentifyTemplates.get dlp.deidentifyTemplates.list dlp.inspectFindings.list dlp.inspectTemplates.get dlp.inspectTemplates.list dlp.jobTriggers.get dlp.jobTriggers.list dlp.jobs.get dlp.jobs.list dlp.locations.* dlp.storedInfoTypes.get dlp.storedInfoTypes.list
DLP Stored InfoTypes Editor (`roles/dlp.storedInfoTypesEditor`) Edit DLP stored info types.	dlp.storedInfoTypes.*
DLP Stored InfoTypes Reader (`roles/dlp.storedInfoTypesReader`) Read DLP stored info types.	dlp.storedInfoTypes.get dlp.storedInfoTypes.list
DLP Table Data Profiles Reader (`roles/dlp.tableDataProfilesReader`) Read DLP table profiles.	dlp.tableDataProfiles.*
DLP User (`roles/dlp.user`) Inspect, Redact, and De-identify Content	dlp.kms.encrypt dlp.locations.* serviceusage.services.use

Cloud Domains roles

Role	Permissions
Cloud Domains Admin (`roles/domains.admin`) Full access to Cloud Domains Registrations and related resources.	domains.* resourcemanager.projects.get resourcemanager.projects.list
Cloud Domains Viewer (`roles/domains.viewer`) Read-only access to Cloud Domains Registrations and related resources.	domains.locations.* domains.operations.get domains.operations.list domains.registrations.get domains.registrations.getIamPolicy domains.registrations.list domains.registrations.listEffectiveTags domains.registrations.listTagBindings resourcemanager.projects.get resourcemanager.projects.list

Cloud Filestore roles

Role	Permissions
Cloud Filestore Editor ^Beta (`roles/file.editor`) Read-write access to Filestore instances and related resources.	file.*
Cloud Filestore Viewer ^Beta (`roles/file.viewer`) Read-only access to Filestore instances and related resources.	file.backups.get file.backups.list file.backups.listEffectiveTags file.backups.listTagBindings file.instances.get file.instances.list file.instances.listEffectiveTags file.instances.listTagBindings file.locations.* file.operations.get file.operations.list file.snapshots.listEffectiveTags file.snapshots.listTagBindings

Cloud Functions roles

Role	Permissions
Cloud Functions Admin (`roles/cloudfunctions.admin`) Full access to functions, operations and locations.	cloudbuild.builds.get cloudbuild.builds.list cloudfunctions.* eventarc.* recommender.locations.* recommender.runServiceIdentityInsights.* recommender.runServiceIdentityRecommendations.* remotebuildexecution.blobs.get resourcemanager.projects.get resourcemanager.projects.list run.* serviceusage.quotas.get serviceusage.services.get serviceusage.services.list
Cloud Functions Developer (`roles/cloudfunctions.developer`) Read and write access to all functions-related resources.	cloudbuild.builds.get cloudbuild.builds.list cloudfunctions.functions.call cloudfunctions.functions.create cloudfunctions.functions.delete cloudfunctions.functions.get cloudfunctions.functions.invoke cloudfunctions.functions.list cloudfunctions.functions.sourceCodeGet cloudfunctions.functions.sourceCodeSet cloudfunctions.functions.update cloudfunctions.locations.* cloudfunctions.operations.* cloudfunctions.runtimes.list eventarc.channelConnections.create eventarc.channelConnections.delete eventarc.channelConnections.get eventarc.channelConnections.getIamPolicy eventarc.channelConnections.list eventarc.channelConnections.publish eventarc.channels.create eventarc.channels.delete eventarc.channels.get eventarc.channels.getIamPolicy eventarc.channels.list eventarc.channels.publish eventarc.channels.undelete eventarc.channels.update eventarc.locations.* eventarc.operations.* eventarc.triggers.create eventarc.triggers.delete eventarc.triggers.get eventarc.triggers.getIamPolicy eventarc.triggers.list eventarc.triggers.undelete eventarc.triggers.update recommender.locations.* recommender.runServiceIdentityInsights.* recommender.runServiceIdentityRecommendations.* remotebuildexecution.blobs.get resourcemanager.projects.get resourcemanager.projects.list run.configurations.* run.executions.* run.jobs.create run.jobs.delete run.jobs.get run.jobs.getIamPolicy run.jobs.list run.jobs.run run.jobs.update run.locations.list run.operations.* run.revisions.* run.routes.* run.services.create run.services.delete run.services.get run.services.getIamPolicy run.services.list run.services.listEffectiveTags run.services.listTagBindings run.services.update run.tasks.* serviceusage.quotas.get serviceusage.services.get serviceusage.services.list
Cloud Functions Invoker (`roles/cloudfunctions.invoker`) Ability to invoke HTTP functions with restricted access.	cloudfunctions.functions.invoke
Cloud Functions Viewer (`roles/cloudfunctions.viewer`) Read-only access to functions and locations.	cloudbuild.builds.get cloudbuild.builds.list cloudfunctions.functions.get cloudfunctions.functions.list cloudfunctions.locations.* cloudfunctions.operations.* cloudfunctions.runtimes.list eventarc.channelConnections.get eventarc.channelConnections.getIamPolicy eventarc.channelConnections.list eventarc.channels.get eventarc.channels.getIamPolicy eventarc.channels.list eventarc.locations.* eventarc.operations.get eventarc.operations.list eventarc.providers.* eventarc.triggers.get eventarc.triggers.getIamPolicy eventarc.triggers.list recommender.locations.* recommender.runServiceIdentityInsights.get recommender.runServiceIdentityInsights.list recommender.runServiceIdentityRecommendations.get recommender.runServiceIdentityRecommendations.list remotebuildexecution.blobs.get resourcemanager.projects.get resourcemanager.projects.list run.configurations.* run.executions.get run.executions.list run.jobs.get run.jobs.getIamPolicy run.jobs.list run.locations.list run.operations.get run.operations.list run.revisions.get run.revisions.list run.routes.get run.routes.list run.services.get run.services.getIamPolicy run.services.list run.services.listEffectiveTags run.services.listTagBindings run.tasks.* serviceusage.quotas.get serviceusage.services.get serviceusage.services.list

Cloud Game Services roles

Role Permissions

Role	Permissions
Game Services API Admin (`roles/gameservices.admin`) Full access to Game Services API and related resources.	gameservices.* resourcemanager.projects.get resourcemanager.projects.list
Game Services API Viewer (`roles/gameservices.viewer`) Read-only access to Game Services API and related resources.	gameservices.gameServerClusters.get gameservices.gameServerClusters.list gameservices.gameServerConfigs.get gameservices.gameServerConfigs.list gameservices.gameServerDeployments.get gameservices.gameServerDeployments.list gameservices.locations.* gameservices.operations.get gameservices.operations.list gameservices.realms.get gameservices.realms.list resourcemanager.projects.get resourcemanager.projects.list

Game Services API Admin
(roles/gameservices.admin)

Full access to Game Services API and related resources.

gameservices.*
resourcemanager.projects.get
resourcemanager.projects.list

Game Services API Viewer
(roles/gameservices.viewer)

Read-only access to Game Services API and related resources.

gameservices.gameServerClusters.get
gameservices.gameServerClusters.list
gameservices.gameServerConfigs.get
gameservices.gameServerConfigs.list
gameservices.gameServerDeployments.get
gameservices.gameServerDeployments.list
gameservices.locations.*
gameservices.operations.get
gameservices.operations.list
gameservices.realms.get
gameservices.realms.list
resourcemanager.projects.get
resourcemanager.projects.list

Cloud Healthcare roles

Role	Permissions
Healthcare Annotation Editor (`roles/healthcare.annotationEditor`) Create, delete, update, read and list annotations.	healthcare.annotationStores.get healthcare.annotationStores.list healthcare.annotations.* healthcare.datasets.get healthcare.datasets.list healthcare.locations.* healthcare.operations.get resourcemanager.projects.get resourcemanager.projects.list
Healthcare Annotation Reader (`roles/healthcare.annotationReader`) Read and list annotations in an Annotation store.	healthcare.annotationStores.get healthcare.annotationStores.list healthcare.annotations.get healthcare.annotations.list healthcare.datasets.get healthcare.datasets.list healthcare.locations.* healthcare.operations.get resourcemanager.projects.get resourcemanager.projects.list
Healthcare Annotation Administrator (`roles/healthcare.annotationStoreAdmin`) Administer Annotation stores.	healthcare.annotationStores.* healthcare.datasets.get healthcare.datasets.list healthcare.locations.* healthcare.operations.get resourcemanager.projects.get resourcemanager.projects.list
Healthcare Annotation Store Viewer (`roles/healthcare.annotationStoreViewer`) List Annotation Stores in a dataset.	healthcare.annotationStores.get healthcare.annotationStores.list healthcare.datasets.get healthcare.datasets.list healthcare.locations.* healthcare.operations.get resourcemanager.projects.get resourcemanager.projects.list
Healthcare Attribute Definition Editor (`roles/healthcare.attributeDefinitionEditor`) Edit AttributeDefinition objects.	healthcare.attributeDefinitions.* healthcare.consentStores.checkDataAccess healthcare.consentStores.evaluateUserConsents healthcare.consentStores.get healthcare.consentStores.list healthcare.consentStores.queryAccessibleData healthcare.datasets.get healthcare.datasets.list healthcare.locations.* healthcare.operations.get resourcemanager.projects.get resourcemanager.projects.list
Healthcare Attribute Definition Reader (`roles/healthcare.attributeDefinitionReader`) Read AttributeDefinition objects in a consent store.	healthcare.attributeDefinitions.get healthcare.attributeDefinitions.list healthcare.consentStores.checkDataAccess healthcare.consentStores.evaluateUserConsents healthcare.consentStores.get healthcare.consentStores.list healthcare.consentStores.queryAccessibleData healthcare.datasets.get healthcare.datasets.list healthcare.locations.* healthcare.operations.get resourcemanager.projects.get resourcemanager.projects.list
Healthcare Consent Artifact Administrator (`roles/healthcare.consentArtifactAdmin`) Administer ConsentArtifact objects.	healthcare.consentArtifacts.* healthcare.consentStores.checkDataAccess healthcare.consentStores.evaluateUserConsents healthcare.consentStores.get healthcare.consentStores.list healthcare.consentStores.queryAccessibleData healthcare.datasets.get healthcare.datasets.list healthcare.locations.* healthcare.operations.get resourcemanager.projects.get resourcemanager.projects.list
Healthcare Consent Artifact Editor (`roles/healthcare.consentArtifactEditor`) Edit ConsentArtifact objects.	healthcare.consentArtifacts.create healthcare.consentArtifacts.get healthcare.consentArtifacts.list healthcare.consentStores.checkDataAccess healthcare.consentStores.evaluateUserConsents healthcare.consentStores.get healthcare.consentStores.list healthcare.consentStores.queryAccessibleData healthcare.datasets.get healthcare.datasets.list healthcare.locations.* healthcare.operations.get resourcemanager.projects.get resourcemanager.projects.list
Healthcare Consent Artifact Reader (`roles/healthcare.consentArtifactReader`) Read ConsentArtifact obj