This page describes IAM roles and lists the
predefined roles that you can grant to your principals.
A role contains a set of permissions that allows you to perform specific actions on
Google Cloud resources.
To make permissions available to principals, including
users, groups, and service accounts, you grant roles to the principals.
To check whether a role includes a specific permission, use any of the following methods:
Call the roles.get() REST API method to list the permissions in the role.
For basic and predefined roles only: search the permissions reference to see whether the permission is granted by the role.
For predefined roles only: search the predefined role descriptions on this page to see which permissions the role includes.
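The following Python is an added example, not code from the Google Cloud documentation or from any Google client library. It checks role metadata offline: the two role documents are constructed in the shape that roles.get() (or `gcloud iam roles describe ROLE_ID --format=json`) returns, with the permission lists copied from the App Engine Deployer and App Engine Admin rows later on this page. Those rows use this page's `prefix.*` wildcard notation, whereas the live API returns every permission explicitly, so the matcher accepts both forms. All constant and function names are this example's own.

```python
"""Check which permissions a role grants, offline, from role metadata in the
shape returned by the IAM REST method roles.get()
(GET https://iam.googleapis.com/v1/roles/ROLE_ID) or by
`gcloud iam roles describe roles/appengine.deployer --format=json`.

Both role documents below are CONSTRUCTED for this example. The permission
lists are copied from the App Engine Deployer and App Engine Admin rows of
the predefined-roles reference, which use `prefix.*` wildcards; the live
API lists each permission explicitly, so role_grants() accepts both.
"""

APP_ENGINE_DEPLOYER = {
    "name": "roles/appengine.deployer",
    "title": "App Engine Deployer",
    "includedPermissions": [
        "appengine.applications.get",
        "appengine.instances.get",
        "appengine.instances.list",
        "appengine.operations.*",
        "appengine.services.get",
        "appengine.services.list",
        "appengine.versions.create",
        "appengine.versions.delete",
        "appengine.versions.get",
        "appengine.versions.list",
        "resourcemanager.projects.get",
        "resourcemanager.projects.list",
    ],
}

APP_ENGINE_ADMIN = {
    "name": "roles/appengine.appAdmin",
    "title": "App Engine Admin",
    "includedPermissions": [
        "appengine.applications.get",
        "appengine.applications.update",
        "appengine.instances.*",
        "appengine.memcache.addKey",
        "appengine.memcache.flush",
        "appengine.memcache.get",
        "appengine.memcache.update",
        "appengine.operations.*",
        "appengine.runtimes.actAsAdmin",
        "appengine.services.*",
        "appengine.versions.create",
        "appengine.versions.delete",
        "appengine.versions.get",
        "appengine.versions.list",
        "appengine.versions.update",
        "resourcemanager.projects.get",
        "resourcemanager.projects.list",
    ],
}


def role_grants(role: dict, permission: str) -> bool:
    """True if `permission` is covered by the role's includedPermissions.

    An entry of the form `service.resource.*` (the reference page's
    notation) covers every permission with that prefix; the trailing dot
    is kept so `appengine.operations.*` does not match
    `appengine.operationsX.get`. Explicit entries must match exactly.
    """
    for entry in role["includedPermissions"]:
        if entry.endswith(".*"):
            if permission.startswith(entry[:-1]):
                return True
        elif entry == permission:
            return True
    return False


def missing_permissions(role: dict, required: list[str]) -> list[str]:
    """Permissions in `required` that `role` does not grant, in order."""
    return [p for p in required if not role_grants(role, p)]


def permissions_only_in(role_a: dict, role_b: dict, candidates: list[str]) -> list[str]:
    """Of `candidates`, those granted by role_a but not by role_b.

    Shows what a broader role adds over a narrower one, which is the
    question to answer before picking the role to grant (least privilege).
    """
    return [p for p in candidates
            if role_grants(role_a, p) and not role_grants(role_b, p)]


if __name__ == "__main__":
    # Permissions a deployment workflow might need. The page states that the
    # Deployer can create and delete versions but cannot modify existing ones.
    deploy_steps = [
        "appengine.versions.create",
        "appengine.versions.update",
        "appengine.operations.get",      # covered by appengine.operations.*
        "appengine.runtimes.actAsAdmin",
    ]
    print("deployer lacks:", missing_permissions(APP_ENGINE_DEPLOYER, deploy_steps))
    print("admin adds:", permissions_only_in(APP_ENGINE_ADMIN, APP_ENGINE_DEPLOYER, deploy_steps))
```

To run the same check against live data, replace the constructed dictionaries with the JSON returned by roles.get() for each role; because the API output is explicit, the wildcard branch then simply never fires.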
The sections below describe each role type and provide examples of how to use
them.
Basic roles
There are three basic roles that existed before the introduction of
IAM: Owner, Editor, and Viewer. These roles are concentric:
the Owner role includes all permissions in the Editor role, and the
Editor role includes all permissions in the Viewer role. They were originally
known as "primitive roles."
The following table summarizes the permissions that the basic roles include
across all Google Cloud services:
Basic role definitions
roles/viewer (Viewer)
Permissions for read-only actions that do not affect state, such as
viewing (but not modifying) existing resources or data.
roles/editor (Editor)
All Viewer permissions, plus permissions for actions that modify
state, such as changing existing resources.
Note:
The Editor role contains permissions to create and delete resources for
most Google Cloud services. However, it does not contain
permissions to perform all actions for all services. For more
information about how to check whether a role has the permissions that
you need, see Role types on this page.
roles/owner (Owner)
All Editor permissions, plus permissions for the following actions:
Manage roles and permissions for a project and all resources within
the project.
Set up billing for a project.
Note:
Granting the Owner role at a resource level, such as a
Pub/Sub topic, doesn't grant the Owner role on the
parent project.
Granting the Owner role at the organization level doesn't allow you
to update the organization's metadata. However, it allows you to
modify all projects and other resources under that organization.
To grant the Owner role on a project to a user outside of your
organization, you must use the Google Cloud console, not the
gcloud CLI. If your project is not part of an organization,
you must use the Google Cloud console to grant the Owner role.
You can apply basic roles at the project or service resource levels by using the
Google Cloud console, the API, and the gcloud CLI. See
Granting, changing, and revoking access for
instructions.
In addition to the basic roles, IAM provides additional
predefined roles that give granular access to specific Google Cloud
resources and prevent unwanted access to other resources. These roles are
created and maintained by Google. Google automatically updates their permissions
as necessary, such as when Google Cloud adds new features or services.
The following tables list these roles, their description, and the lowest-level
resource type where the roles can be set. A particular role can be granted to
this resource type, or in most cases any type above it in the
Google Cloud resource hierarchy.
You can grant multiple roles to the same user, at any level of the resource
hierarchy. For example, the same user can have the Compute Network Admin and
Logs Viewer roles on a project, and also have the Pub/Sub Publisher role on a
Pub/Sub topic within that project. To list the permissions contained in
a role, see
Getting the role metadata.
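The following Python is an added example, not code from the Google Cloud documentation, and it illustrates the two points made above: roles bound at several levels of the hierarchy all apply to a resource, and a binding on a child resource (the Owner-on-a-topic case from the note on basic roles) grants nothing on the parent. The hierarchy, policies, group membership and role permission sets are all constructed for the example; the policies follow the IAM policy shape (`bindings` of `role` plus `members`), and the permission sets are small illustrative subsets rather than the full predefined roles. IAM Conditions and deny policies are not modelled.

```python
"""Resolve the roles, and hence permissions, a principal holds on a resource
when bindings exist at several levels of the resource hierarchy.

IAM allow policies are inherited downward only: a binding on an organization,
folder or project applies to every resource beneath it, while a binding on a
child resource (such as a Pub/Sub topic) grants nothing on the parent. All
hierarchy, policy, group and role data here is CONSTRUCTED for this example.
Policies use the IAM policy shape (bindings: [{role, members}]); the role
permission sets are small illustrative subsets, not full predefined roles.
IAM Conditions and deny policies are not modelled.
"""

# Child resource -> parent resource (constructed hierarchy).
PARENT = {
    "projects/demo-proj/topics/orders": "projects/demo-proj",
    "projects/demo-proj": "folders/111",
    "folders/111": "organizations/999",
}

# Allow policy per resource, in the API's bindings shape (constructed).
POLICIES = {
    "organizations/999": {"bindings": [
        {"role": "roles/logging.viewer", "members": ["group:sre@example.com"]},
    ]},
    "projects/demo-proj": {"bindings": [
        {"role": "roles/compute.networkAdmin", "members": ["user:alice@example.com"]},
        {"role": "roles/logging.viewer", "members": ["user:alice@example.com"]},
    ]},
    "projects/demo-proj/topics/orders": {"bindings": [
        {"role": "roles/pubsub.publisher", "members": ["user:alice@example.com"]},
        {"role": "roles/owner", "members": ["user:bob@example.com"]},
    ]},
}

# Group membership (constructed); a real lookup goes through Cloud Identity.
GROUPS = {"group:sre@example.com": {"user:carol@example.com"}}

# Illustrative permission subsets (constructed); use roles.get() for the
# authoritative lists.
ROLE_PERMISSIONS = {
    "roles/compute.networkAdmin": {"compute.networks.get", "compute.networks.update"},
    "roles/logging.viewer": {"logging.logEntries.list"},
    "roles/pubsub.publisher": {"pubsub.topics.publish"},
    "roles/owner": {"pubsub.topics.delete", "pubsub.topics.setIamPolicy",
                    "resourcemanager.projects.setIamPolicy"},
}


def ancestors(resource):
    """Yield the resource, then each ancestor up to the hierarchy root."""
    while resource is not None:
        yield resource
        resource = PARENT.get(resource)


def member_matches(member, principal):
    """Does a binding member cover `principal`? A direct match, one of the
    public pseudo-members, or membership in a (constructed) group."""
    if member in (principal, "allUsers", "allAuthenticatedUsers"):
        return True
    return principal in GROUPS.get(member, ())


def effective_roles(principal, resource):
    """Roles bound to `principal` on `resource` or on any of its ancestors."""
    roles = set()
    for res in ancestors(resource):
        for binding in POLICIES.get(res, {}).get("bindings", []):
            if any(member_matches(m, principal) for m in binding["members"]):
                roles.add(binding["role"])
    return roles


def has_permission(principal, resource, permission):
    """True if any effective role on `resource` includes `permission`."""
    return any(permission in ROLE_PERMISSIONS.get(role, set())
               for role in effective_roles(principal, resource))


if __name__ == "__main__":
    topic, project = "projects/demo-proj/topics/orders", "projects/demo-proj"
    # Alice: two project-level roles plus one topic-level role, all effective on the topic.
    print(sorted(effective_roles("user:alice@example.com", topic)))
    # Bob: Owner on the topic only. He can delete the topic ...
    print(has_permission("user:bob@example.com", topic, "pubsub.topics.delete"))
    # ... but Owner on a child resource does not flow up to the project.
    print(has_permission("user:bob@example.com", project, "resourcemanager.projects.setIamPolicy"))
    # Carol: Logs Viewer through a group bound at the organization, inherited by the project.
    print(sorted(effective_roles("user:carol@example.com", project)))
```

Against a live project the bindings come from `gcloud projects get-iam-policy PROJECT_ID` (and the folder and organization equivalents), and Policy Analyzer (`gcloud asset analyze-iam-policy`) performs this inheritance-aware resolution for you. The walk upward is also why a role granted at the organization or folder level deserves the most scrutiny: it reaches every resource below.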
Apigee Registry roles
Role
Permissions
The role used by Apigee Registry application workers to read and update Apigee Registry Artifacts.
apigeeregistry.apis.get
apigeeregistry.apis.list
apigeeregistry.apis.update
apigeeregistry.artifacts.create
apigeeregistry.artifacts.delete
apigeeregistry.artifacts.get
apigeeregistry.artifacts.list
apigeeregistry.artifacts.update
apigeeregistry.deployments.get
apigeeregistry.deployments.list
apigeeregistry.deployments.update
apigeeregistry.specs.get
apigeeregistry.specs.list
apigeeregistry.specs.update
apigeeregistry.versions.get
apigeeregistry.versions.list
apigeeregistry.versions.update
resourcemanager.projects.get
resourcemanager.projects.list
App Engine roles
Role
Permissions
App Engine Admin
(roles/appengine.appAdmin)
Read/Write/Modify access to all application configuration and settings.
To deploy new versions, a principal must have the
Service Account User
(roles/iam.serviceAccountUser) role on the App Engine
default service account, and the
Cloud Build Editor (roles/cloudbuild.builds.editor) and Cloud Storage Object
Admin (roles/storage.objectAdmin) roles on the project.
Lowest-level resources where you can grant this role:
Project
appengine.applications.get
appengine.applications.update
appengine.instances.*
appengine.memcache.addKey
appengine.memcache.flush
appengine.memcache.get
appengine.memcache.update
appengine.operations.*
appengine.runtimes.actAsAdmin
appengine.services.*
appengine.versions.create
appengine.versions.delete
appengine.versions.get
appengine.versions.list
appengine.versions.update
resourcemanager.projects.get
resourcemanager.projects.list
App Engine Creator
(roles/appengine.appCreator)
Ability to create the App Engine resource for the project.
Lowest-level resources where you can grant this role:
Project
appengine.applications.create
resourcemanager.projects.get
resourcemanager.projects.list
App Engine Viewer
(roles/appengine.appViewer)
Read-only access to all application configuration and settings.
Lowest-level resources where you can grant this role:
Project
App Engine Code Viewer
(roles/appengine.codeViewer)
Read-only access to all application configuration, settings, and deployed
source code.
Lowest-level resources where you can grant this role:
Project
appengine.applications.get
appengine.instances.get
appengine.instances.list
appengine.operations.*
appengine.services.get
appengine.services.list
appengine.versions.get
appengine.versions.getFileContents
appengine.versions.list
resourcemanager.projects.get
resourcemanager.projects.list
App Engine Deployer
(roles/appengine.deployer)
Read-only access to all application configuration and settings.
To deploy new versions, you must also have the
Service Account User
(roles/iam.serviceAccountUser) role on the App Engine
default service account, and the
Cloud Build Editor (roles/cloudbuild.builds.editor) and Cloud Storage Object
Admin (roles/storage.objectAdmin) roles on the project.
Cannot modify existing versions other than deleting versions that are not receiving traffic.
Lowest-level resources where you can grant this role:
Project
appengine.applications.get
appengine.instances.get
appengine.instances.list
appengine.operations.*
appengine.services.get
appengine.services.list
appengine.versions.create
appengine.versions.delete
appengine.versions.get
appengine.versions.list
resourcemanager.projects.get
resourcemanager.projects.list
App Engine Service Admin
(roles/appengine.serviceAdmin)
Read-only access to all application configuration and settings.
Write access to module-level and version-level settings. Cannot deploy a new version.
Lowest-level resources where you can grant this role:
Project
Assured Workloads roles
Role
Permissions
Grants read access to all Assured Workloads resources and to the Cloud Resource Manager (CRM) project and folder resources they belong to.
assuredworkloads.operations.*
assuredworkloads.violations.*
assuredworkloads.workload.get
assuredworkloads.workload.list
resourcemanager.folders.get
resourcemanager.folders.list
resourcemanager.organizations.get
resourcemanager.projects.get
resourcemanager.projects.list
AutoML roles
Role
Permissions
AutoML Admin (Beta)
(roles/automl.admin)
Full access to all AutoML resources
Lowest-level resources where you can grant this role:
Dataset
Model
automl.*
resourcemanager.projects.get
resourcemanager.projects.list
serviceusage.services.list
AutoML Editor (Beta)
(roles/automl.editor)
Editor of all AutoML resources
Lowest-level resources where you can grant this role:
Dataset
Model
automl.annotationSpecs.*
automl.annotations.*
automl.columnSpecs.*
automl.datasets.create
automl.datasets.delete
automl.datasets.export
automl.datasets.get
automl.datasets.import
automl.datasets.list
automl.datasets.update
automl.examples.*
automl.files.*
automl.humanAnnotationTasks.*
automl.locations.get
automl.locations.list
automl.modelEvaluations.*
automl.models.create
automl.models.delete
automl.models.deploy
automl.models.export
automl.models.get
automl.models.list
automl.models.predict
automl.models.undeploy
automl.operations.*
automl.tableSpecs.*
resourcemanager.projects.get
resourcemanager.projects.list
serviceusage.services.list
AutoML Predictor (Beta)
(roles/automl.predictor)
Predict using models
Lowest-level resources where you can grant this role:
Model
automl.models.predict
resourcemanager.projects.get
resourcemanager.projects.list
AutoML Viewer (Beta)
(roles/automl.viewer)
Viewer of all AutoML resources
Lowest-level resources where you can grant this role:
Dataset
Model
automl.annotationSpecs.get
automl.annotationSpecs.list
automl.annotations.list
automl.columnSpecs.get
automl.columnSpecs.list
automl.datasets.get
automl.datasets.list
automl.examples.get
automl.examples.list
automl.files.list
automl.humanAnnotationTasks.get
automl.humanAnnotationTasks.list
automl.locations.get
automl.locations.list
automl.modelEvaluations.get
automl.modelEvaluations.list
automl.models.get
automl.models.list
automl.operations.get
automl.operations.list
automl.tableSpecs.get
automl.tableSpecs.list
resourcemanager.projects.get
resourcemanager.projects.list
serviceusage.services.list
Backup for GKE roles
Role
Permissions
Backup for GKE Admin (Beta)
(roles/gkebackup.admin)
Full access to all Backup for GKE resources.
gkebackup.*
resourcemanager.projects.get
resourcemanager.projects.list
Backup for GKE Backup Admin (Beta)
(roles/gkebackup.backupAdmin)
Allows administrators to manage all BackupPlan and Backup resources.
gkebackup.backupPlans.*
gkebackup.backups.*
gkebackup.locations.*
gkebackup.operations.get
gkebackup.operations.list
gkebackup.volumeBackups.*
resourcemanager.projects.get
resourcemanager.projects.list
Backup for GKE Delegated Backup Admin (Beta)
(roles/gkebackup.delegatedBackupAdmin)
Allows administrators to manage Backup resources for specific BackupPlans.
gkebackup.backupPlans.get
gkebackup.backups.*
gkebackup.volumeBackups.*
Backup for GKE Delegated Restore Admin (Beta)
(roles/gkebackup.delegatedRestoreAdmin)
Allows administrators to manage Restore resources for specific RestorePlans.
gkebackup.restorePlans.get
gkebackup.restores.*
gkebackup.volumeRestores.*
Backup for GKE Restore Admin (Beta)
(roles/gkebackup.restoreAdmin)
Allows administrators to manage all RestorePlan and Restore resources.
gkebackup.backupPlans.get
gkebackup.backupPlans.list
gkebackup.backups.get
gkebackup.backups.list
gkebackup.locations.*
gkebackup.operations.get
gkebackup.operations.list
gkebackup.restorePlans.*
gkebackup.restores.*
gkebackup.volumeBackups.*
gkebackup.volumeRestores.*
resourcemanager.projects.get
resourcemanager.projects.list
Backup for GKE Viewer (Beta)
(roles/gkebackup.viewer)
Read-only access to all Backup for GKE resources.
gkebackup.backupPlans.get
gkebackup.backupPlans.getIamPolicy
gkebackup.backupPlans.list
gkebackup.backups.get
gkebackup.backups.list
gkebackup.locations.*
gkebackup.operations.get
gkebackup.operations.list
gkebackup.restorePlans.get
gkebackup.restorePlans.getIamPolicy
gkebackup.restorePlans.list
gkebackup.restores.get
gkebackup.restores.list
gkebackup.volumeBackups.*
gkebackup.volumeRestores.*
resourcemanager.projects.get
resourcemanager.projects.list
BigQuery roles
Role
Permissions
BigQuery Admin
(roles/bigquery.admin)
Provides permissions to manage all resources within the project. Can manage
all data within the project, and can cancel jobs from other users running
within the project.
Lowest-level resources where you can grant this role:
BigQuery Connection User
(roles/bigquery.connectionUser)
bigquery.connections.get
bigquery.connections.getIamPolicy
bigquery.connections.list
bigquery.connections.use
BigQuery Data Editor
(roles/bigquery.dataEditor)
When applied to a table or view, this role provides permissions to:
Read and update data and metadata for the table or view.
Delete the table or view.
This role cannot be applied to individual models or routines.
When applied to a dataset, this role provides permissions to:
Read the dataset's metadata and list tables in the dataset.
Create, update, get, and delete the dataset's tables.
When applied at the project or organization level, this role can also
create new datasets.
Lowest-level resources where you can grant this role:
Table
View
bigquery.config.get
bigquery.datasets.create
bigquery.datasets.get
bigquery.datasets.getIamPolicy
bigquery.datasets.updateTag
bigquery.models.*
bigquery.routines.*
bigquery.tables.create
bigquery.tables.createIndex
bigquery.tables.createSnapshot
bigquery.tables.delete
bigquery.tables.deleteIndex
bigquery.tables.export
bigquery.tables.get
bigquery.tables.getData
bigquery.tables.getIamPolicy
bigquery.tables.list
bigquery.tables.restoreSnapshot
bigquery.tables.update
bigquery.tables.updateData
bigquery.tables.updateTag
resourcemanager.projects.get
resourcemanager.projects.list
BigQuery Data Owner
(roles/bigquery.dataOwner)
When applied to a table or view, this role provides permissions to:
Read and update data and metadata for the table or view.
Share the table or view.
Delete the table or view.
This role cannot be applied to individual models or routines.
When applied to a dataset, this role provides permissions to:
Read, update, and delete the dataset.
Create, update, get, and delete the dataset's tables.
When applied at the project or organization level, this role can also
create new datasets.
Lowest-level resources where you can grant this role:
Table
View
bigquery.config.get
bigquery.dataPolicies.create
bigquery.dataPolicies.delete
bigquery.dataPolicies.get
bigquery.dataPolicies.getIamPolicy
bigquery.dataPolicies.list
bigquery.dataPolicies.setIamPolicy
bigquery.dataPolicies.update
bigquery.datasets.*
bigquery.models.*
bigquery.routines.*
bigquery.rowAccessPolicies.create
bigquery.rowAccessPolicies.delete
bigquery.rowAccessPolicies.getIamPolicy
bigquery.rowAccessPolicies.list
bigquery.rowAccessPolicies.setIamPolicy
bigquery.rowAccessPolicies.update
bigquery.tables.*
resourcemanager.projects.get
resourcemanager.projects.list
BigQuery Data Viewer
(roles/bigquery.dataViewer)
When applied to a table or view, this role provides permissions to:
Read data and metadata from the table or view.
This role cannot be applied to individual models or routines.
When applied to a dataset, this role provides permissions to:
Read the dataset's metadata and list tables in the dataset.
Read data and metadata from the dataset's tables.
When applied at the project or organization level, this role can also
enumerate all datasets in the project. Additional roles, however, are
necessary to allow the running of jobs.
Lowest-level resources where you can grant this role:
Table
View
bigquery.datasets.get
bigquery.datasets.getIamPolicy
bigquery.models.export
bigquery.models.getData
bigquery.models.getMetadata
bigquery.models.list
bigquery.routines.get
bigquery.routines.list
bigquery.tables.createSnapshot
bigquery.tables.export
bigquery.tables.get
bigquery.tables.getData
bigquery.tables.getIamPolicy
bigquery.tables.list
resourcemanager.projects.get
resourcemanager.projects.list
BigQuery Filtered Data Viewer
(roles/bigquery.filteredDataViewer)
Access to view filtered table data defined by a row access policy
bigquery.rowAccessPolicies.getFilteredData
BigQuery Job User
(roles/bigquery.jobUser)
Provides permissions to run jobs, including queries, within the project.
Lowest-level resources where you can grant this role:
BigQuery Resource Viewer
(roles/bigquery.resourceViewer)
View all BigQuery resources but cannot make changes or purchasing decisions.
bigquery.bireservations.get
bigquery.capacityCommitments.get
bigquery.capacityCommitments.list
bigquery.jobs.get
bigquery.jobs.list
bigquery.jobs.listAll
bigquery.jobs.listExecutionMetadata
bigquery.reservationAssignments.list
bigquery.reservationAssignments.search
bigquery.reservations.get
bigquery.reservations.list
resourcemanager.projects.get
resourcemanager.projects.list
BigQuery User
(roles/bigquery.user)
When applied to a dataset, this role provides the ability to read the dataset's metadata and list
tables in the dataset.
When applied to a project, this role also provides the ability to run jobs, including queries,
within the project. A principal with this role can enumerate their own jobs, cancel their own jobs, and
enumerate datasets within a project. Additionally, allows the creation of new datasets within the
project; the creator is granted the BigQuery Data Owner role (roles/bigquery.dataOwner)
on these new datasets.
Lowest-level resources where you can grant this role:
Certificate Manager roles
Role
Permissions
Certificate Manager Viewer
(roles/certificatemanager.viewer)
Read-only access to all Certificate Manager resources.
certificatemanager.certmapentries.get
certificatemanager.certmapentries.getIamPolicy
certificatemanager.certmapentries.list
certificatemanager.certmaps.get
certificatemanager.certmaps.getIamPolicy
certificatemanager.certmaps.list
certificatemanager.certs.get
certificatemanager.certs.getIamPolicy
certificatemanager.certs.list
certificatemanager.dnsauthorizations.get
certificatemanager.dnsauthorizations.getIamPolicy
certificatemanager.dnsauthorizations.list
certificatemanager.locations.*
certificatemanager.operations.get
certificatemanager.operations.list
resourcemanager.projects.get
resourcemanager.projects.list
Cloud AlloyDB roles
Role
Permissions
Cloud AlloyDB Admin (Beta)
(roles/alloydb.admin)
Full access to all Cloud AlloyDB resources.
alloydb.*
resourcemanager.projects.get
resourcemanager.projects.list
Cloud AlloyDB Client (Beta)
(roles/alloydb.client)
Connectivity access to Cloud AlloyDB instances.
alloydb.clusters.generateClientCertificate
alloydb.clusters.get
alloydb.instances.connect
alloydb.instances.get
resourcemanager.projects.get
resourcemanager.projects.list
Cloud AlloyDB Viewer (Beta)
(roles/alloydb.viewer)
Read-only access to all Cloud AlloyDB resources.
alloydb.backups.get
alloydb.backups.list
alloydb.clusters.get
alloydb.clusters.list
alloydb.instances.get
alloydb.instances.list
alloydb.locations.*
alloydb.operations.get
alloydb.operations.list
alloydb.supportedDatabaseFlags.*
resourcemanager.projects.get
resourcemanager.projects.list
Cloud Asset roles
Role
Permissions
Cloud Asset Owner
(roles/cloudasset.owner)
Full access to cloud assets metadata
cloudasset.*
recommender.cloudAssetInsights.*
recommender.locations.*
Cloud Asset Viewer
(roles/cloudasset.viewer)
Read-only access to cloud assets metadata
cloudasset.assets.*
recommender.cloudAssetInsights.get
recommender.cloudAssetInsights.list
recommender.locations.*
Cloud Bigtable roles
Role
Permissions
Bigtable Administrator
(roles/bigtable.admin)
Administers all Bigtable instances within a project, including the data stored within
tables. Can create new instances. Intended for project administrators.
Lowest-level resources where you can grant this role:
Table
bigtable.*
monitoring.metricDescriptors.get
monitoring.metricDescriptors.list
monitoring.timeSeries.list
resourcemanager.projects.get
Bigtable Reader
(roles/bigtable.reader)
Provides read-only access to the data stored within Bigtable tables. Intended for
data scientists, dashboard generators, and other data-analysis scenarios.
Lowest-level resources where you can grant this role:
Table
bigtable.appProfiles.get
bigtable.appProfiles.list
bigtable.backups.get
bigtable.backups.list
bigtable.clusters.get
bigtable.clusters.list
bigtable.instances.get
bigtable.instances.list
bigtable.keyvisualizer.*
bigtable.locations.list
bigtable.tables.checkConsistency
bigtable.tables.generateConsistencyToken
bigtable.tables.get
bigtable.tables.list
bigtable.tables.readRows
bigtable.tables.sampleRowKeys
monitoring.metricDescriptors.get
monitoring.metricDescriptors.list
monitoring.timeSeries.list
resourcemanager.projects.get
Bigtable User
(roles/bigtable.user)
Provides read-write access to the data stored within Bigtable tables. Intended for
application developers or service accounts.
Lowest-level resources where you can grant this role:
Table
bigtable.appProfiles.get
bigtable.appProfiles.list
bigtable.backups.get
bigtable.backups.list
bigtable.clusters.get
bigtable.clusters.list
bigtable.instances.get
bigtable.instances.list
bigtable.keyvisualizer.*
bigtable.locations.list
bigtable.tables.checkConsistency
bigtable.tables.generateConsistencyToken
bigtable.tables.get
bigtable.tables.list
bigtable.tables.mutateRows
bigtable.tables.readRows
bigtable.tables.sampleRowKeys
monitoring.metricDescriptors.get
monitoring.metricDescriptors.list
monitoring.timeSeries.list
resourcemanager.projects.get
Bigtable Viewer
(roles/bigtable.viewer)
Provides no data access. Intended as a minimal set of permissions to access
the Google Cloud console for Bigtable.
Lowest-level resources where you can grant this role:
Cloud Composer roles
Role
Permissions
Cloud Composer v2 API Service Agent Extension
(roles/composer.ServiceAgentV2Ext)
Cloud Composer v2 API Service Agent Extension is a supplementary role required to manage Composer v2 environments.
Because it includes iam.serviceAccounts.setIamPolicy, a holder can change who may act as or impersonate the service accounts the binding covers; treat it as privileged and grant it only to the Composer service agent it is intended for.
iam.serviceAccounts.getIamPolicy
iam.serviceAccounts.setIamPolicy
Composer Administrator
(roles/composer.admin)
Provides full control of Cloud Composer resources.
Lowest-level resources where you can grant this role:
Project
composer.*
serviceusage.quotas.get
serviceusage.services.get
serviceusage.services.list
Environment and Storage Object Administrator
(roles/composer.environmentAndStorageObjectAdmin)
Provides full control of Cloud Composer resources and of the objects in all project buckets.
Lowest-level resources where you can grant this role:
Project
composer.*
orgpolicy.policy.get
resourcemanager.projects.get
resourcemanager.projects.list
serviceusage.quotas.get
serviceusage.services.get
serviceusage.services.list
storage.multipartUploads.*
storage.objects.*
Environment User and Storage Object Viewer
(roles/composer.environmentAndStorageObjectViewer)
Provides the permissions necessary to list and get Cloud Composer environments and operations.
Provides read-only access to objects in all project buckets.
Lowest-level resources where you can grant this role:
Dataplex roles
Role
Permissions
Dataplex Storage Data Owner
(roles/dataplex.storageDataOwner)
Owner access to data. Should not be used directly. This role is granted by Dataplex to managed resources such as Cloud Storage buckets and BigQuery datasets.
bigquery.datasets.get
bigquery.models.create
bigquery.models.delete
bigquery.models.export
bigquery.models.getData
bigquery.models.getMetadata
bigquery.models.list
bigquery.models.updateData
bigquery.models.updateMetadata
bigquery.routines.create
bigquery.routines.delete
bigquery.routines.get
bigquery.routines.list
bigquery.routines.update
bigquery.tables.create
bigquery.tables.createSnapshot
bigquery.tables.delete
bigquery.tables.deleteSnapshot
bigquery.tables.export
bigquery.tables.get
bigquery.tables.getData
bigquery.tables.list
bigquery.tables.restoreSnapshot
bigquery.tables.update
bigquery.tables.updateData
storage.buckets.get
storage.objects.create
storage.objects.delete
storage.objects.get
storage.objects.list
storage.objects.update
Dataplex Storage Data Reader
(roles/dataplex.storageDataReader)
Read-only access to data. Should not be used directly. This role is granted by Dataplex to managed resources such as Cloud Storage buckets and BigQuery datasets.
bigquery.datasets.get
bigquery.models.export
bigquery.models.getData
bigquery.models.getMetadata
bigquery.models.list
bigquery.routines.get
bigquery.routines.list
bigquery.tables.export
bigquery.tables.get
bigquery.tables.getData
bigquery.tables.list
storage.buckets.get
storage.objects.get
storage.objects.list
Dataplex Storage Data Writer
(roles/dataplex.storageDataWriter)
Write access to data. Should not be used directly. This role is granted by Dataplex to managed resources such as Cloud Storage buckets and BigQuery datasets.