This page lists all basic and predefined roles for Identity and Access Management (IAM). To learn more about IAM roles, see Roles and permissions.
Basic roles
Basic roles are highly permissive roles that existed prior to the introduction of IAM. You can use basic roles to grant principals broad access to Google Cloud resources.
When you grant a basic role to a principal, the principal gets all of the permissions in the basic role. They also get any permissions that services provide to principals with basic roles—for example, permissions gained through Cloud Storage convenience values and BigQuery special group membership.
The following table summarizes the permissions that the basic roles give users across all Google Cloud services:
Basic roles | Permissions |
---|---|
Viewer (roles/viewer) | Permissions for read-only actions that don't affect state, such as viewing (but not modifying) existing resources or data. For a list of permissions in the Viewer role, see the role details in the Google Cloud console: |
Editor (roles/editor) | All viewer permissions, plus permissions for actions that modify state, such as changing existing resources. The permissions in the Editor role let you create and delete resources for most Google Cloud services. However, the Editor role doesn't contain permissions to perform all actions for all services. For more information about how to check whether a role has the permissions that you need, see Role types. For a list of permissions in the Editor role, see the role details in the Google Cloud console: |
Owner (roles/owner) | All Editor permissions, plus permissions for actions like the following: For a list of permissions in the Owner role, see the role details in the Google Cloud console: |
Predefined roles
Predefined roles give granular access to specific Google Cloud resources. These roles are created and maintained by Google. Google automatically updates their permissions as necessary, such as when Google Cloud adds new features or services.
The following table lists all IAM predefined roles, organized by service.
For more information about predefined roles, see Roles and permissions. For help choosing the most appropriate predefined roles, see Choose predefined roles.
Access Approval roles |
Permissions |
Access Approval Approver( Ability to view or act on access approval requests and view configuration |
accessapproval.requests.* accessapproval. accessapproval.settings.get resourcemanager.projects.get resourcemanager.projects.list |
Access Approval Config Editor( Ability to update the Access Approval configuration |
accessapproval. accessapproval.settings.* resourcemanager.projects.get resourcemanager.projects.list |
Access Approval Invalidator( Ability to invalidate existing approved approval requests |
accessapproval. accessapproval. accessapproval.settings.get resourcemanager.projects.get resourcemanager.projects.list |
Access Approval Viewer( Ability to view access approval requests and configuration |
accessapproval.requests.get accessapproval.requests.list accessapproval. accessapproval.settings.get resourcemanager.projects.get resourcemanager.projects.list |
Access Context Manager roles |
Permissions |
Cloud Access Binding Admin( Create, edit, and change Cloud access bindings. |
accesscontextmanager. |
Cloud Access Binding Reader( Read access to Cloud access bindings. |
accesscontextmanager. accesscontextmanager. |
Access Context Manager Admin( Full access to policies, access levels, access zones and authorized orgs descs. |
accesscontextmanager. accesscontextmanager. accesscontextmanager. accesscontextmanager. cloudasset. resourcemanager. resourcemanager.projects.get resourcemanager.projects.list |
Access Context Manager Editor( Edit access to policies. Create, edit, and change access levels, access zones and authorized orgs descs. |
accesscontextmanager. accesscontextmanager. accesscontextmanager. accesscontextmanager. accesscontextmanager. accesscontextmanager. accesscontextmanager. accesscontextmanager. accesscontextmanager. cloudasset. resourcemanager. resourcemanager.projects.get resourcemanager.projects.list |
Access Context Manager Reader( Read access to policies, access levels, access zones and authorized orgs descs. |
accesscontextmanager. accesscontextmanager. accesscontextmanager. accesscontextmanager. accesscontextmanager. accesscontextmanager. accesscontextmanager. accesscontextmanager. accesscontextmanager. resourcemanager. resourcemanager.projects.get resourcemanager.projects.list |
VPC Service Controls Troubleshooter Viewer(
|
accesscontextmanager. accesscontextmanager. accesscontextmanager. accesscontextmanager. accesscontextmanager. accesscontextmanager. accesscontextmanager. accesscontextmanager. accesscontextmanager. logging.exclusions.get logging.exclusions.list logging.logEntries.list logging.logMetrics.get logging.logMetrics.list logging.logServiceIndexes.list logging.logServices.list logging.logs.list logging.sinks.get logging.sinks.list logging.usage.get resourcemanager. resourcemanager.projects.get resourcemanager.projects.list |
Actions roles |
Permissions |
Actions Admin( Access to edit and deploy an action |
actions.* firebase.projects.get firebase.projects.update resourcemanager.projects.get resourcemanager.projects.list serviceusage.services.use |
Actions Viewer( Access to view an action |
actions.agent.get actions.agentVersions.get actions.agentVersions.list firebase.projects.get resourcemanager.projects.get resourcemanager.projects.list serviceusage.services.use |
AI Notebooks roles |
Permissions |
Notebooks Admin( Full access to Notebooks, all resources. Lowest-level resources where you can grant this role:
|
compute.acceleratorTypes.* compute.addresses.get compute.addresses.list compute.autoscalers.get compute.autoscalers.list compute.backendBuckets.get compute. compute.backendBuckets.list compute. compute. compute.backendServices.get compute. compute.backendServices.list compute. compute. compute.commitments.get compute.commitments.list compute.diskTypes.* compute.disks.get compute.disks.getIamPolicy compute.disks.list compute. compute.disks.listTagBindings compute. compute. compute.firewallPolicies.get compute. compute.firewallPolicies.list compute. compute. compute.firewalls.get compute.firewalls.list compute. compute. compute.forwardingRules.get compute.forwardingRules.list compute. compute. compute.futureReservations.get compute. compute. compute.globalAddresses.get compute.globalAddresses.list compute. compute. compute. compute. compute. compute. compute. compute. compute. compute.globalOperations.get compute. compute.globalOperations.list compute. compute. compute.healthChecks.get compute.healthChecks.list compute. compute. compute.httpHealthChecks.get compute.httpHealthChecks.list compute. compute. compute.httpsHealthChecks.get compute.httpsHealthChecks.list compute. compute. compute.images.get compute.images.getFromFamily compute.images.getIamPolicy compute.images.list compute. compute.images.listTagBindings compute. compute. compute. compute. compute.instanceGroups.get compute.instanceGroups.list compute.instanceSettings.get compute.instanceTemplates.get compute. compute.instanceTemplates.list compute.instances.get compute. compute. compute.instances.getIamPolicy compute. compute. compute. compute. compute.instances.list compute. compute. compute. compute.instantSnapshots.get compute. compute.instantSnapshots.list compute. compute. compute. compute. compute.interconnects.get compute.interconnects.list compute.licenseCodes.get compute. 
compute.licenseCodes.list compute.licenses.get compute.licenses.getIamPolicy compute.licenses.list compute.machineImages.get compute. compute.machineImages.list compute.machineTypes.* compute. compute. compute. compute.networkAttachments.get compute. compute. compute. compute. compute. compute. compute. compute. compute. compute.networks.get compute. compute. compute.networks.list compute. compute. compute. compute.nodeGroups.get compute. compute.nodeGroups.list compute.nodeTemplates.get compute. compute.nodeTemplates.list compute.nodeTypes.* compute. compute.packetMirrorings.get compute.packetMirrorings.list compute.projects.get compute. compute. compute. compute. compute. compute. compute. compute. compute. compute. compute. compute. compute. compute. compute. compute. compute.regionHealthChecks.get compute. compute. compute. compute. compute. compute. compute. compute. compute. compute.regionOperations.get compute. compute.regionOperations.list compute. compute. compute. compute. compute. compute. compute. compute. compute.regionSslPolicies.get compute.regionSslPolicies.list compute. compute. compute. compute. compute. compute. compute. compute. compute. compute. compute. compute.regionUrlMaps.get compute.regionUrlMaps.list compute. compute. compute.regionUrlMaps.validate compute.regions.* compute.reservations.get compute.reservations.list compute.resourcePolicies.get compute. compute.resourcePolicies.list compute.routers.get compute.routers.getRoutePolicy compute.routers.list compute.routers.listBgpRoutes compute. compute.routes.get compute.routes.list compute. compute.routes.listTagBindings compute.securityPolicies.get compute. compute.securityPolicies.list compute. compute. compute.serviceAttachments.get compute. compute. compute.snapshotSettings.get compute.snapshots.get compute.snapshots.getIamPolicy compute.snapshots.list compute. compute. compute.sslCertificates.get compute.sslCertificates.list compute. compute. 
compute.sslPolicies.get compute.sslPolicies.list compute. compute. compute. compute.storagePools.get compute. compute.storagePools.list compute.subnetworks.get compute. compute.subnetworks.list compute. compute. compute.targetGrpcProxies.get compute.targetGrpcProxies.list compute.targetHttpProxies.get compute.targetHttpProxies.list compute. compute. compute.targetHttpsProxies.get compute. compute. compute. compute.targetInstances.get compute.targetInstances.list compute. compute. compute.targetPools.get compute.targetPools.list compute. compute. compute.targetSslProxies.get compute.targetSslProxies.list compute. compute. compute.targetTcpProxies.get compute.targetTcpProxies.list compute. compute. compute.targetVpnGateways.get compute.targetVpnGateways.list compute.urlMaps.get compute.urlMaps.list compute. compute. compute.urlMaps.validate compute.vpnGateways.get compute.vpnGateways.list compute.vpnTunnels.get compute.vpnTunnels.list compute.zoneOperations.get compute. compute.zoneOperations.list compute.zones.* notebooks.* resourcemanager.projects.get resourcemanager.projects.list serviceusage.quotas.get serviceusage.services.get serviceusage.services.list |
Notebooks Legacy Admin( Full access to Notebooks all resources through compute API. |
compute.* notebooks.* resourcemanager.projects.get resourcemanager.projects.list serviceusage.quotas.get serviceusage.services.get serviceusage.services.list |
Notebooks Legacy Viewer( Read-only access to Notebooks all resources through compute API. |
compute.acceleratorTypes.* compute.addresses.get compute.addresses.list compute.autoscalers.get compute.autoscalers.list compute.backendBuckets.get compute. compute.backendBuckets.list compute. compute. compute.backendServices.get compute. compute.backendServices.list compute. compute. compute.commitments.get compute.commitments.list compute.diskTypes.* compute.disks.get compute.disks.getIamPolicy compute.disks.list compute. compute.disks.listTagBindings compute. compute. compute.firewallPolicies.get compute. compute.firewallPolicies.list compute. compute. compute.firewalls.get compute.firewalls.list compute. compute. compute.forwardingRules.get compute.forwardingRules.list compute. compute. compute.futureReservations.get compute. compute. compute.globalAddresses.get compute.globalAddresses.list compute. compute. compute. compute. compute. compute. compute. compute. compute. compute.globalOperations.get compute. compute.globalOperations.list compute. compute. compute.healthChecks.get compute.healthChecks.list compute. compute. compute.httpHealthChecks.get compute.httpHealthChecks.list compute. compute. compute.httpsHealthChecks.get compute.httpsHealthChecks.list compute. compute. compute.images.get compute.images.getFromFamily compute.images.getIamPolicy compute.images.list compute. compute.images.listTagBindings compute. compute. compute. compute. compute.instanceGroups.get compute.instanceGroups.list compute.instanceSettings.get compute.instanceTemplates.get compute. compute.instanceTemplates.list compute.instances.get compute. compute. compute.instances.getIamPolicy compute. compute. compute. compute. compute.instances.list compute. compute. compute. compute.instantSnapshots.get compute. compute.instantSnapshots.list compute. compute. compute. compute. compute.interconnects.get compute.interconnects.list compute.licenseCodes.get compute. 
compute.licenseCodes.list compute.licenses.get compute.licenses.getIamPolicy compute.licenses.list compute.machineImages.get compute. compute.machineImages.list compute.machineTypes.* compute. compute. compute. compute.networkAttachments.get compute. compute. compute. compute. compute. compute. compute. compute. compute. compute.networks.get compute. compute. compute.networks.list compute. compute. compute. compute.nodeGroups.get compute. compute.nodeGroups.list compute.nodeTemplates.get compute. compute.nodeTemplates.list compute.nodeTypes.* compute. compute.packetMirrorings.get compute.packetMirrorings.list compute.projects.get compute. compute. compute. compute. compute. compute. compute. compute. compute. compute. compute. compute. compute. compute. compute. compute. compute.regionHealthChecks.get compute. compute. compute. compute. compute. compute. compute. compute. compute. compute.regionOperations.get compute. compute.regionOperations.list compute. compute. compute. compute. compute. compute. compute. compute. compute.regionSslPolicies.get compute.regionSslPolicies.list compute. compute. compute. compute. compute. compute. compute. compute. compute. compute. compute. compute.regionUrlMaps.get compute.regionUrlMaps.list compute. compute. compute.regionUrlMaps.validate compute.regions.* compute.reservations.get compute.reservations.list compute.resourcePolicies.get compute. compute.resourcePolicies.list compute.routers.get compute.routers.getRoutePolicy compute.routers.list compute.routers.listBgpRoutes compute. compute.routes.get compute.routes.list compute. compute.routes.listTagBindings compute.securityPolicies.get compute. compute.securityPolicies.list compute. compute. compute.serviceAttachments.get compute. compute. compute.snapshotSettings.get compute.snapshots.get compute.snapshots.getIamPolicy compute.snapshots.list compute. compute. compute.sslCertificates.get compute.sslCertificates.list compute. compute. 
compute.sslPolicies.get compute.sslPolicies.list compute. compute. compute. compute.storagePools.get compute. compute.storagePools.list compute.subnetworks.get compute. compute.subnetworks.list compute. compute. compute.targetGrpcProxies.get compute.targetGrpcProxies.list compute.targetHttpProxies.get compute.targetHttpProxies.list compute. compute. compute.targetHttpsProxies.get compute. compute. compute. compute.targetInstances.get compute.targetInstances.list compute. compute. compute.targetPools.get compute.targetPools.list compute. compute. compute.targetSslProxies.get compute.targetSslProxies.list compute. compute. compute.targetTcpProxies.get compute.targetTcpProxies.list compute. compute. compute.targetVpnGateways.get compute.targetVpnGateways.list compute.urlMaps.get compute.urlMaps.list compute. compute. compute.urlMaps.validate compute.vpnGateways.get compute.vpnGateways.list compute.vpnTunnels.get compute.vpnTunnels.list compute.zoneOperations.get compute. compute.zoneOperations.list compute.zones.* notebooks.environments.get notebooks. notebooks.environments.list notebooks.executions.get notebooks. notebooks.executions.list notebooks. notebooks.instances.get notebooks.instances.getHealth notebooks. notebooks.instances.list notebooks.locations.* notebooks.operations.get notebooks.operations.list notebooks.runtimes.get notebooks. notebooks.runtimes.list notebooks.schedules.get notebooks. notebooks.schedules.list resourcemanager.projects.get resourcemanager.projects.list serviceusage.quotas.get serviceusage.services.get serviceusage.services.list |
Notebooks Runner( Restricted access for running scheduled Notebooks. |
compute.acceleratorTypes.* compute.addresses.get compute.addresses.list compute.autoscalers.get compute.autoscalers.list compute.backendBuckets.get compute. compute.backendBuckets.list compute. compute. compute.backendServices.get compute. compute.backendServices.list compute. compute. compute.commitments.get compute.commitments.list compute.diskTypes.* compute.disks.get compute.disks.getIamPolicy compute.disks.list compute. compute.disks.listTagBindings compute. compute. compute.firewallPolicies.get compute. compute.firewallPolicies.list compute. compute. compute.firewalls.get compute.firewalls.list compute. compute. compute.forwardingRules.get compute.forwardingRules.list compute. compute. compute.futureReservations.get compute. compute. compute.globalAddresses.get compute.globalAddresses.list compute. compute. compute. compute. compute. compute. compute. compute. compute. compute.globalOperations.get compute. compute.globalOperations.list compute. compute. compute.healthChecks.get compute.healthChecks.list compute. compute. compute.httpHealthChecks.get compute.httpHealthChecks.list compute. compute. compute.httpsHealthChecks.get compute.httpsHealthChecks.list compute. compute. compute.images.get compute.images.getFromFamily compute.images.getIamPolicy compute.images.list compute. compute.images.listTagBindings compute. compute. compute. compute. compute.instanceGroups.get compute.instanceGroups.list compute.instanceSettings.get compute.instanceTemplates.get compute. compute.instanceTemplates.list compute.instances.get compute. compute. compute.instances.getIamPolicy compute. compute. compute. compute. compute.instances.list compute. compute. compute. compute.instantSnapshots.get compute. compute.instantSnapshots.list compute. compute. compute. compute. compute.interconnects.get compute.interconnects.list compute.licenseCodes.get compute. 
compute.licenseCodes.list compute.licenses.get compute.licenses.getIamPolicy compute.licenses.list compute.machineImages.get compute. compute.machineImages.list compute.machineTypes.* compute. compute. compute. compute.networkAttachments.get compute. compute. compute. compute. compute. compute. compute. compute. compute. compute.networks.get compute. compute. compute.networks.list compute. compute. compute. compute.nodeGroups.get compute. compute.nodeGroups.list compute.nodeTemplates.get compute. compute.nodeTemplates.list compute.nodeTypes.* compute. compute.packetMirrorings.get compute.packetMirrorings.list compute.projects.get compute. compute. compute. compute. compute. compute. compute. compute. compute. compute. compute. compute. compute. compute. compute. compute. compute.regionHealthChecks.get compute. compute. compute. compute. compute. compute. compute. compute. compute. compute.regionOperations.get compute. compute.regionOperations.list compute. compute. compute. compute. compute. compute. compute. compute. compute.regionSslPolicies.get compute.regionSslPolicies.list compute. compute. compute. compute. compute. compute. compute. compute. compute. compute. compute. compute.regionUrlMaps.get compute.regionUrlMaps.list compute. compute. compute.regionUrlMaps.validate compute.regions.* compute.reservations.get compute.reservations.list compute.resourcePolicies.get compute. compute.resourcePolicies.list compute.routers.get compute.routers.getRoutePolicy compute.routers.list compute.routers.listBgpRoutes compute. compute.routes.get compute.routes.list compute. compute.routes.listTagBindings compute.securityPolicies.get compute. compute.securityPolicies.list compute. compute. compute.serviceAttachments.get compute. compute. compute.snapshotSettings.get compute.snapshots.get compute.snapshots.getIamPolicy compute.snapshots.list compute. compute. compute.sslCertificates.get compute.sslCertificates.list compute. compute. 
compute.sslPolicies.get compute.sslPolicies.list compute. compute. compute. compute.storagePools.get compute. compute.storagePools.list compute.subnetworks.get compute. compute.subnetworks.list compute. compute. compute.targetGrpcProxies.get compute.targetGrpcProxies.list compute.targetHttpProxies.get compute.targetHttpProxies.list compute. compute. compute.targetHttpsProxies.get compute. compute. compute. compute.targetInstances.get compute.targetInstances.list compute. compute. compute.targetPools.get compute.targetPools.list compute. compute. compute.targetSslProxies.get compute.targetSslProxies.list compute. compute. compute.targetTcpProxies.get compute.targetTcpProxies.list compute. compute. compute.targetVpnGateways.get compute.targetVpnGateways.list compute.urlMaps.get compute.urlMaps.list compute. compute. compute.urlMaps.validate compute.vpnGateways.get compute.vpnGateways.list compute.vpnTunnels.get compute.vpnTunnels.list compute.zoneOperations.get compute. compute.zoneOperations.list compute.zones.* notebooks.environments.get notebooks. notebooks.environments.list notebooks.executions.create notebooks.executions.get notebooks. notebooks.executions.list notebooks. notebooks.instances.create notebooks.instances.get notebooks.instances.getHealth notebooks. notebooks.instances.list notebooks.locations.* notebooks.operations.get notebooks.operations.list notebooks.runtimes.create notebooks.runtimes.get notebooks. notebooks.runtimes.list notebooks.schedules.create notebooks.schedules.get notebooks. notebooks.schedules.list resourcemanager.projects.get resourcemanager.projects.list serviceusage.quotas.get serviceusage.services.get serviceusage.services.list |
Notebooks Viewer( Read-only access to Notebooks, all resources. Lowest-level resources where you can grant this role:
|
compute.acceleratorTypes.* compute.addresses.get compute.addresses.list compute.autoscalers.get compute.autoscalers.list compute.backendBuckets.get compute. compute.backendBuckets.list compute. compute. compute.backendServices.get compute. compute.backendServices.list compute. compute. compute.commitments.get compute.commitments.list compute.diskTypes.* compute.disks.get compute.disks.getIamPolicy compute.disks.list compute. compute.disks.listTagBindings compute. compute. compute.firewallPolicies.get compute. compute.firewallPolicies.list compute. compute. compute.firewalls.get compute.firewalls.list compute. compute. compute.forwardingRules.get compute.forwardingRules.list compute. compute. compute.futureReservations.get compute. compute. compute.globalAddresses.get compute.globalAddresses.list compute. compute. compute. compute. compute. compute. compute. compute. compute. compute.globalOperations.get compute. compute.globalOperations.list compute. compute. compute.healthChecks.get compute.healthChecks.list compute. compute. compute.httpHealthChecks.get compute.httpHealthChecks.list compute. compute. compute.httpsHealthChecks.get compute.httpsHealthChecks.list compute. compute. compute.images.get compute.images.getFromFamily compute.images.getIamPolicy compute.images.list compute. compute.images.listTagBindings compute. compute. compute. compute. compute.instanceGroups.get compute.instanceGroups.list compute.instanceSettings.get compute.instanceTemplates.get compute. compute.instanceTemplates.list compute.instances.get compute. compute. compute.instances.getIamPolicy compute. compute. compute. compute. compute.instances.list compute. compute. compute. compute.instantSnapshots.get compute. compute.instantSnapshots.list compute. compute. compute. compute. compute.interconnects.get compute.interconnects.list compute.licenseCodes.get compute. 
compute.licenseCodes.list compute.licenses.get compute.licenses.getIamPolicy compute.licenses.list compute.machineImages.get compute. compute.machineImages.list compute.machineTypes.* compute. compute. compute. compute.networkAttachments.get compute. compute. compute. compute. compute. compute. compute. compute. compute. compute.networks.get compute. compute. compute.networks.list compute. compute. compute. compute.nodeGroups.get compute. compute.nodeGroups.list compute.nodeTemplates.get compute. compute.nodeTemplates.list compute.nodeTypes.* compute. compute.packetMirrorings.get compute.packetMirrorings.list compute.projects.get compute. compute. compute. compute. compute. compute. compute. compute. compute. compute. compute. compute. compute. compute. compute. compute. compute.regionHealthChecks.get compute. compute. compute. compute. compute. compute. compute. compute. compute. compute.regionOperations.get compute. compute.regionOperations.list compute. compute. compute. compute. compute. compute. compute. compute. compute.regionSslPolicies.get compute.regionSslPolicies.list compute. compute. compute. compute. compute. compute. compute. compute. compute. compute. compute. compute.regionUrlMaps.get compute.regionUrlMaps.list compute. compute. compute.regionUrlMaps.validate compute.regions.* compute.reservations.get compute.reservations.list compute.resourcePolicies.get compute. compute.resourcePolicies.list compute.routers.get compute.routers.getRoutePolicy compute.routers.list compute.routers.listBgpRoutes compute. compute.routes.get compute.routes.list compute. compute.routes.listTagBindings compute.securityPolicies.get compute. compute.securityPolicies.list compute. compute. compute.serviceAttachments.get compute. compute. compute.snapshotSettings.get compute.snapshots.get compute.snapshots.getIamPolicy compute.snapshots.list compute. compute. compute.sslCertificates.get compute.sslCertificates.list compute. compute. 
compute.sslPolicies.get compute.sslPolicies.list compute. compute. compute. compute.storagePools.get compute. compute.storagePools.list compute.subnetworks.get compute. compute.subnetworks.list compute. compute. compute.targetGrpcProxies.get compute.targetGrpcProxies.list compute.targetHttpProxies.get compute.targetHttpProxies.list compute. compute. compute.targetHttpsProxies.get compute. compute. compute. compute.targetInstances.get compute.targetInstances.list compute. compute. compute.targetPools.get compute.targetPools.list compute. compute. compute.targetSslProxies.get compute.targetSslProxies.list compute. compute. compute.targetTcpProxies.get compute.targetTcpProxies.list compute. compute. compute.targetVpnGateways.get compute.targetVpnGateways.list compute.urlMaps.get compute.urlMaps.list compute. compute. compute.urlMaps.validate compute.vpnGateways.get compute.vpnGateways.list compute.vpnTunnels.get compute.vpnTunnels.list compute.zoneOperations.get compute. compute.zoneOperations.list compute.zones.* notebooks.environments.get notebooks. notebooks.environments.list notebooks.executions.get notebooks. notebooks.executions.list notebooks. notebooks.instances.get notebooks.instances.getHealth notebooks. notebooks.instances.list notebooks.locations.* notebooks.operations.get notebooks.operations.list notebooks.runtimes.get notebooks. notebooks.runtimes.list notebooks.schedules.get notebooks. notebooks.schedules.list resourcemanager.projects.get resourcemanager.projects.list serviceusage.quotas.get serviceusage.services.get serviceusage.services.list |
AI Platform roles |
Permissions |
AI Platform Admin( Provides full access to AI Platform resources, and its jobs, operations, models, and versions. Lowest-level resources where you can grant this role:
|
ml.* resourcemanager.projects.get |
AI Platform Developer( Provides ability to use AI Platform resources for creating models, versions, jobs for training and prediction, and sending online prediction requests. Lowest-level resources where you can grant this role:
|
ml.jobs.create ml.jobs.get ml.jobs.getIamPolicy ml.jobs.list ml.locations.* ml.models.create ml.models.get ml.models.getIamPolicy ml.models.list ml.models.predict ml.operations.get ml.operations.list ml.projects.getConfig ml.studies.* ml.trials.* ml.versions.get ml.versions.list ml.versions.predict resourcemanager.projects.get |
AI Platform Job Owner( Provides full access to all permissions for a particular job resource. This role is automatically granted to the user who creates the job. Lowest-level resources where you can grant this role:
|
ml.jobs.* |
AI Platform Model Owner( Provides full access to the model and its versions. This role is automatically granted to the user who creates the model. Lowest-level resources where you can grant this role:
|
ml.models.* ml.versions.* |
AI Platform Model User( Provides permissions to read the model and its versions, and use them for prediction. Lowest-level resources where you can grant this role:
|
ml.models.get ml.models.predict ml.versions.get ml.versions.list ml.versions.predict |
AI Platform Operation Owner( Provides full access to all permissions for a particular operation resource. Lowest-level resources where you can grant this role:
|
ml.operations.* |
AI Platform Viewer( Provides read-only access to AI Platform resources. Lowest-level resources where you can grant this role:
|
ml.jobs.get ml.jobs.list ml.locations.* ml.models.get ml.models.list ml.operations.get ml.operations.list ml.projects.getConfig ml.studies.get ml.studies.getIamPolicy ml.studies.list ml.trials.get ml.trials.list ml.versions.get ml.versions.list resourcemanager.projects.get |
Analytics Hub roles |
Permissions |
Analytics Hub Admin( Administer Data Exchanges and Listings |
analyticshub. analyticshub. analyticshub.dataExchanges.get analyticshub. analyticshub. analyticshub. analyticshub. analyticshub. analyticshub.listings.create analyticshub.listings.delete analyticshub.listings.get analyticshub. analyticshub.listings.list analyticshub. analyticshub.listings.update analyticshub. analyticshub.subscriptions.* resourcemanager.projects.get resourcemanager.projects.list |
Analytics Hub Listing Admin( Grants full control over the Listing, including updating, deleting and setting ACLs |
analyticshub.dataExchanges.get analyticshub. analyticshub. analyticshub.listings.delete analyticshub.listings.get analyticshub. analyticshub.listings.list analyticshub. analyticshub.listings.update analyticshub. resourcemanager.projects.get resourcemanager.projects.list |
Analytics Hub Publisher( Can publish to Data Exchanges thus creating Listings |
analyticshub.dataExchanges.get analyticshub. analyticshub. analyticshub.listings.create analyticshub.listings.get analyticshub. analyticshub.listings.list resourcemanager.projects.get resourcemanager.projects.list |
Analytics Hub Subscriber( Can browse Data Exchanges and subscribe to Listings |
analyticshub.dataExchanges.get analyticshub. analyticshub. analyticshub. analyticshub.listings.get analyticshub. analyticshub.listings.list analyticshub. resourcemanager.projects.get resourcemanager.projects.list |
Analytics Hub Subscription Owner( Grants full control over the Subscription, including updating and deleting |
analyticshub.dataExchanges.get analyticshub. analyticshub. analyticshub.listings.get analyticshub. analyticshub.listings.list analyticshub.subscriptions.* resourcemanager.projects.get resourcemanager.projects.list |
Analytics Hub Viewer( Can browse Data Exchanges and Listings |
analyticshub.dataExchanges.get analyticshub. analyticshub. analyticshub.listings.get analyticshub. analyticshub.listings.list resourcemanager.projects.get resourcemanager.projects.list |
Android Management roles |
Permissions |
Android Management User( Full access to manage devices. |
androidmanagement. serviceusage.quotas.get serviceusage.services.get serviceusage.services.list |
Anthos Multi-cloud roles |
Permissions |
Anthos Multi-cloud Admin( Admin access to Anthos Multi-cloud resources. |
gkemulticloud.* resourcemanager.projects.get resourcemanager.projects.list |
Anthos Multi-cloud Telemetry Writer( Grants access to write cluster telemetry data such as logs, metrics, and resource metadata. |
logging.logEntries.create logging.logEntries.route monitoring. monitoring. monitoring. monitoring. monitoring.timeSeries.create opsconfigmonitoring. |
Anthos Multi-cloud Viewer( Viewer access to Anthos Multi-cloud resources. |
gkemulticloud. gkemulticloud. gkemulticloud. gkemulticloud. gkemulticloud. gkemulticloud.awsClusters.get gkemulticloud.awsClusters.list gkemulticloud.awsNodePools.get gkemulticloud. gkemulticloud. gkemulticloud.azureClients.get gkemulticloud. gkemulticloud. gkemulticloud. gkemulticloud. gkemulticloud. gkemulticloud. gkemulticloud. gkemulticloud.operations.get gkemulticloud.operations.list gkemulticloud.operations.wait resourcemanager.projects.get resourcemanager.projects.list |
API Gateway roles |
Permissions |
ApiGateway Admin( Full access to ApiGateway and related resources. |
apigateway.* monitoring. monitoring. monitoring.timeSeries.list resourcemanager.projects.get resourcemanager.projects.list servicemanagement.services.get serviceusage.services.get serviceusage.services.list |
ApiGateway Viewer( Read-only access to ApiGateway and related resources. |
apigateway.apiconfigs.get apigateway. apigateway.apiconfigs.list apigateway.apis.get apigateway.apis.getIamPolicy apigateway.apis.list apigateway.gateways.get apigateway. apigateway.gateways.list apigateway.locations.* apigateway.operations.get apigateway.operations.list monitoring. monitoring. monitoring.timeSeries.list resourcemanager.projects.get resourcemanager.projects.list servicemanagement.services.get serviceusage.services.get serviceusage.services.list |
Apigee roles |
Permissions |
Apigee Organization Admin( Full access to all Apigee resource features |
apigee.* monitoring.timeSeries.list resourcemanager.projects.get resourcemanager. resourcemanager.projects.list |
Apigee Analytics Agent( Curated set of permissions for Apigee Universal Data Collection Agent to manage analytics for an Apigee Organization |
apigee.datalocation.get apigee. apigee.runtimeconfigs.get |
Apigee Analytics Editor( Analytics editor for an Apigee Organization |
apigee.datacollectors.* apigee.datastores.* apigee.entitlements.get apigee.envgroupattachments.get apigee. apigee.envgroups.get apigee.envgroups.list apigee.environments.get apigee.environments.getStats apigee.environments.list apigee.exports.* apigee.hostqueries.* apigee.hoststats.get apigee.organizations.get apigee.organizations.list apigee. apigee.queries.* apigee.reports.* resourcemanager.projects.get resourcemanager.projects.list |
Apigee Analytics Viewer( Analytics viewer for an Apigee Organization |
apigee.datacollectors.get apigee.datacollectors.list apigee.datastores.get apigee.datastores.list apigee.entitlements.get apigee.envgroupattachments.get apigee. apigee.envgroups.get apigee.envgroups.list apigee.environments.get apigee.environments.getStats apigee.environments.list apigee.exports.get apigee.exports.list apigee.hostqueries.get apigee.hostqueries.list apigee.hoststats.get apigee.organizations.get apigee.organizations.list apigee. apigee.queries.get apigee.queries.list apigee.reports.get apigee.reports.list resourcemanager.projects.get resourcemanager.projects.list |
Apigee API Admin( Full read/write access to all Apigee API resources |
apigee.apiproductattributes.* apigee.apiproducts.* apigee.entitlements.get apigee.envgroupattachments.get apigee. apigee.envgroups.get apigee.envgroups.list apigee.environments.get apigee.environments.getStats apigee.environments.list apigee.keyvaluemapentries.* apigee.keyvaluemaps.* apigee.organizations.get apigee.organizations.list apigee. apigee.proxies.* apigee.proxyrevisions.* apigee.sharedflowrevisions.* apigee.sharedflows.* resourcemanager.projects.get resourcemanager.projects.list |
Apigee API Reader( Reader of Apigee resources |
apigee. apigee. apigee.apiproducts.get apigee.apiproducts.list apigee.entitlements.get apigee.envgroupattachments.get apigee. apigee.envgroups.get apigee.envgroups.list apigee.environments.get apigee.environments.getStats apigee.environments.list apigee.keyvaluemapentries.get apigee.keyvaluemapentries.list apigee.keyvaluemaps.list apigee.organizations.get apigee.organizations.list apigee. apigee.proxies.get apigee.proxies.list apigee.proxyrevisions.deploy apigee.proxyrevisions.get apigee.proxyrevisions.list apigee.proxyrevisions.undeploy apigee. apigee.sharedflowrevisions.get apigee. apigee. apigee.sharedflows.get apigee.sharedflows.list resourcemanager.projects.get resourcemanager.projects.list |
Apigee Developer Admin( Developer admin of Apigee resources |
apigee. apigee. apigee.apiproducts.get apigee.apiproducts.list apigee.appgroupapps.* apigee.appgroups.* apigee.appkeys.* apigee.apps.* apigee.datacollectors.* apigee. apigee.developerapps.* apigee.developerattributes.* apigee.developerbalances.* apigee. apigee.developers.* apigee. apigee.entitlements.get apigee.environments.get apigee.environments.getStats apigee.environments.list apigee.hoststats.get apigee.organizations.get apigee.organizations.list apigee. apigee.rateplans.get apigee.rateplans.list resourcemanager.projects.get resourcemanager. resourcemanager.projects.list |
Apigee Environment Admin( Full read/write access to Apigee environment resources, including deployments. |
apigee.addonsconfig.* apigee.archivedeployments.* apigee.datacollectors.get apigee.datacollectors.list apigee.deployments.* apigee.entitlements.get apigee.envgroupattachments.get apigee. apigee.envgroups.get apigee.envgroups.list apigee.environments.get apigee. apigee.environments.getStats apigee.environments.list apigee. apigee.environments.update apigee.flowhooks.* apigee.ingressconfigs.get apigee.keystorealiases.* apigee.keystores.* apigee.keyvaluemapentries.* apigee.keyvaluemaps.* apigee.maskconfigs.* apigee.organizations.get apigee.organizations.list apigee. apigee.proxies.get apigee.proxies.list apigee.proxyrevisions.deploy apigee.proxyrevisions.get apigee.proxyrevisions.list apigee.proxyrevisions.undeploy apigee.references.* apigee.resourcefiles.* apigee. apigee.sharedflowrevisions.get apigee. apigee. apigee.sharedflows.get apigee.sharedflows.list apigee.targetservers.* apigee.traceconfig.* apigee.traceconfigoverrides.* apigee.tracesessions.* resourcemanager.projects.get resourcemanager. resourcemanager.projects.list |
Apigee Monetization Admin( All permissions related to monetization |
apigee.apiproducts.get apigee.apiproducts.list apigee.developerbalances.* apigee. apigee. apigee.entitlements.get apigee.organizations.get apigee.organizations.list apigee. apigee.rateplans.* resourcemanager.projects.get resourcemanager.projects.list |
Apigee Portal Admin( Portal admin for an Apigee Organization |
apigee.entitlements.get apigee.organizations.get apigee.organizations.list apigee.portals.* apigee. resourcemanager.projects.get resourcemanager.projects.list |
Apigee Read-only Admin( Viewer of all Apigee resources |
apigee.addonsconfig.get apigee. apigee. apigee.apiproducts.get apigee.apiproducts.list apigee.appgroupapps.get apigee.appgroupapps.list apigee.appgroups.get apigee.appgroups.list apigee.appkeys.get apigee.apps.* apigee. apigee.archivedeployments.get apigee.archivedeployments.list apigee.caches.list apigee.canaryevaluations.get apigee.datacollectors.get apigee.datacollectors.list apigee.datalocation.get apigee.datastores.get apigee.datastores.list apigee.deployments.get apigee.deployments.list apigee. apigee. apigee.developerapps.get apigee.developerapps.list apigee.developerattributes.get apigee. apigee.developerbalances.get apigee. apigee.developers.get apigee.developers.list apigee. apigee. apigee.endpointattachments.get apigee. apigee.entitlements.get apigee.envgroupattachments.get apigee. apigee.envgroups.get apigee.envgroups.list apigee.environments.get apigee. apigee. apigee.environments.getStats apigee.environments.list apigee.exports.get apigee.exports.list apigee.flowhooks.getSharedFlow apigee.flowhooks.list apigee.hostqueries.get apigee.hostqueries.list apigee.hostsecurityreports.get apigee. apigee.hoststats.get apigee.ingressconfigs.get apigee.instanceattachments.get apigee. apigee.instances.get apigee.instances.list apigee.keystorealiases.get apigee.keystorealiases.list apigee.keystores.get apigee.keystores.list apigee.keyvaluemapentries.get apigee.keyvaluemapentries.list apigee.keyvaluemaps.list apigee.maskconfigs.get apigee.nataddresses.get apigee.nataddresses.list apigee.operations.* apigee.organizations.get apigee.organizations.list apigee.portals.get apigee.portals.list apigee. 
apigee.proxies.get apigee.proxies.list apigee.proxyrevisions.get apigee.proxyrevisions.list apigee.queries.get apigee.queries.list apigee.rateplans.get apigee.rateplans.list apigee.references.get apigee.references.list apigee.reports.get apigee.reports.list apigee.resourcefiles.get apigee.resourcefiles.list apigee.runtimeconfigs.get apigee.securityActions.get apigee.securityActions.list apigee. apigee.securityFeedback.get apigee.securityFeedback.list apigee.securityIncidents.get apigee.securityIncidents.list apigee. apigee.securityProfiles.get apigee.securityProfiles.list apigee.securitySettings.get apigee.securityStats.* apigee.securityreports.get apigee.securityreports.list apigee.setupcontexts.get apigee.sharedflowrevisions.get apigee. apigee.sharedflows.get apigee.sharedflows.list apigee.targetservers.get apigee.targetservers.list apigee.traceconfig.get apigee. apigee. apigee.tracesessions.get apigee.tracesessions.list monitoring.timeSeries.list resourcemanager.projects.get resourcemanager. resourcemanager.projects.list |
Apigee Runtime Agent( Curated set of permissions for a runtime agent to access Apigee Organization resources |
apigee.canaryevaluations.* apigee.entitlements.get apigee.ingressconfigs.get apigee.instances.reportStatus apigee.operations.* apigee.organizations.get apigee. apigee.runtimeconfigs.get |
Apigee Security Admin( Security admin for an Apigee Organization |
apigee.addonsconfig.get apigee.entitlements.get apigee.envgroupattachments.get apigee. apigee.envgroups.get apigee.envgroups.list apigee.environments.get apigee.environments.list apigee.hostsecurityreports.* apigee.organizations.get apigee.organizations.list apigee. apigee.securityActions.* apigee.securityActionsConfig.* apigee.securityFeedback.* apigee.securityIncidents.* apigee. apigee.securityProfiles.* apigee.securitySettings.* apigee.securityStats.* apigee.securityreports.* resourcemanager.projects.get resourcemanager.projects.list |
Apigee Security Viewer( Security viewer for an Apigee Organization |
apigee.addonsconfig.get apigee.entitlements.get apigee.envgroupattachments.get apigee. apigee.envgroups.get apigee.envgroups.list apigee.environments.get apigee.environments.list apigee.hostsecurityreports.get apigee. apigee.organizations.get apigee.organizations.list apigee. apigee.securityActions.get apigee.securityActions.list apigee. apigee.securityFeedback.get apigee.securityFeedback.list apigee.securityIncidents.get apigee.securityIncidents.list apigee. apigee.securityProfiles.get apigee.securityProfiles.list apigee.securitySettings.get apigee.securityStats.* apigee.securityreports.get apigee.securityreports.list resourcemanager.projects.get resourcemanager.projects.list |
Apigee Synchronizer Manager( Curated set of permissions for a Synchronizer to manage environments in an Apigee Organization |
apigee.environments.get apigee. apigee.ingressconfigs.get |
Apigee Connect Admin( Admin of Apigee Connect |
apigeeconnect.connections.list |
Apigee Connect Agent( Ability to set up Apigee Connect agent between external clusters and Google. |
apigeeconnect. |
Apigee Registry roles |
Permissions |
Cloud Apigee Registry Admin Beta( Full access to Cloud Apigee Registry Registry and Runtime resources. |
apigeeregistry.* resourcemanager.projects.get resourcemanager.projects.list |
Cloud Apigee Registry Editor Beta( Edit access to Cloud Apigee Registry Registry resources. |
apigeeregistry.apis.create apigeeregistry.apis.delete apigeeregistry.apis.get apigeeregistry. apigeeregistry.apis.list apigeeregistry.apis.update apigeeregistry. apigeeregistry. apigeeregistry.artifacts.get apigeeregistry. apigeeregistry.artifacts.list apigeeregistry. apigeeregistry.deployments.* apigeeregistry.specs.create apigeeregistry.specs.delete apigeeregistry.specs.get apigeeregistry. apigeeregistry.specs.list apigeeregistry.specs.update apigeeregistry.versions.create apigeeregistry.versions.delete apigeeregistry.versions.get apigeeregistry. apigeeregistry.versions.list apigeeregistry.versions.update resourcemanager.projects.get resourcemanager.projects.list |
Cloud Apigee Registry Viewer Beta( Read-only access to Cloud Apigee Registry Registry resources. |
apigeeregistry.apis.get apigeeregistry.apis.list apigeeregistry.artifacts.get apigeeregistry.artifacts.list apigeeregistry.deployments.get apigeeregistry. apigeeregistry.specs.get apigeeregistry.specs.list apigeeregistry.versions.get apigeeregistry.versions.list resourcemanager.projects.get resourcemanager.projects.list |
Cloud Apigee Registry Worker Beta( The role used by Apigee Registry application workers to read and update Apigee Registry Artifacts. |
apigeeregistry.apis.get apigeeregistry.apis.list apigeeregistry.apis.update apigeeregistry. apigeeregistry. apigeeregistry.artifacts.get apigeeregistry.artifacts.list apigeeregistry. apigeeregistry.deployments.get apigeeregistry. apigeeregistry. apigeeregistry.specs.get apigeeregistry.specs.list apigeeregistry.specs.update apigeeregistry.versions.get apigeeregistry.versions.list apigeeregistry.versions.update resourcemanager.projects.get resourcemanager.projects.list |
App Engine roles |
Permissions |
App Engine Admin( Read/Write/Modify access to all application configuration and settings. To deploy new versions, a principal must have the
Service Account User
( Lowest-level resources where you can grant this role:
|
appengine.applications.get appengine. appengine.applications.update appengine.instances.* appengine.memcache.addKey appengine.memcache.flush appengine.memcache.get appengine.memcache.update appengine.operations.* appengine.runtimes.actAsAdmin appengine.services.* appengine.versions.create appengine.versions.delete appengine.versions.get appengine.versions.list appengine.versions.update resourcemanager.projects.get resourcemanager.projects.list |
App Engine Creator( Ability to create the App Engine resource for the project. Lowest-level resources where you can grant this role:
|
appengine.applications.create resourcemanager.projects.get resourcemanager.projects.list |
App Engine Viewer( Read-only access to all application configuration and settings. Lowest-level resources where you can grant this role:
|
appengine.applications.get appengine. appengine.instances.get appengine.instances.list appengine.operations.* appengine.services.get appengine.services.list appengine.versions.get appengine.versions.list resourcemanager.projects.get resourcemanager.projects.list |
App Engine Code Viewer( Read-only access to all application configuration, settings, and deployed source code. Lowest-level resources where you can grant this role:
|
appengine.applications.get appengine. appengine.instances.get appengine.instances.list appengine.operations.* appengine.services.get appengine.services.list appengine.versions.get appengine. appengine.versions.list resourcemanager.projects.get resourcemanager.projects.list |
App Engine Managed VM Debug Access( Ability to read or manage v2 instances. |
appengine.applications.get appengine. appengine.instances.* appengine.operations.* appengine.services.get appengine.services.list appengine.versions.get appengine.versions.list resourcemanager.projects.get resourcemanager.projects.list |
App Engine Deployer( Read-only access to all application configuration and settings. To deploy new versions, you must also have the
Service Account User
( Cannot modify existing versions other than deleting versions that are not receiving traffic. Lowest-level resources where you can grant this role:
|
appengine.applications.get appengine. appengine.instances.get appengine.instances.list appengine.operations.* appengine.services.get appengine.services.list appengine.versions.create appengine.versions.delete appengine.versions.get appengine.versions.list artifactregistry. artifactregistry. artifactregistry. resourcemanager.projects.get resourcemanager.projects.list |
App Engine Memcache Data Admin( Can get, set, delete, and flush App Engine Memcache items. |
appengine.applications.get appengine.memcache.addKey appengine.memcache.flush appengine.memcache.get appengine.memcache.update resourcemanager.projects.get resourcemanager.projects.list |
App Engine Service Admin( Read-only access to all application configuration and settings. Write access to module-level and version-level settings. Cannot deploy a new version. Lowest-level resources where you can grant this role:
|
appengine.applications.get appengine. appengine.instances.delete appengine.instances.get appengine.instances.list appengine.operations.* appengine.services.* appengine.versions.delete appengine.versions.get appengine.versions.list appengine.versions.update resourcemanager.projects.get resourcemanager.projects.list |
Artifact Registry roles |
Permissions |
Artifact Registry Administrator( Administrator access to create and manage repositories. |
artifactregistry. artifactregistry. artifactregistry.files.* artifactregistry. artifactregistry.locations.* artifactregistry. artifactregistry.npmpackages.* artifactregistry.packages.* artifactregistry. artifactregistry. artifactregistry. artifactregistry. artifactregistry. artifactregistry. artifactregistry. artifactregistry. artifactregistry. artifactregistry. artifactregistry. artifactregistry. artifactregistry. artifactregistry. artifactregistry. artifactregistry. artifactregistry. artifactregistry.tags.* artifactregistry.versions.* artifactregistry. |
Artifact Registry Create-on-Push Repository Administrator( Access to manage artifacts in repositories, as well as create new repositories on push |
artifactregistry. artifactregistry. artifactregistry.files.* artifactregistry. artifactregistry.locations.* artifactregistry. artifactregistry.npmpackages.* artifactregistry.packages.* artifactregistry. artifactregistry. artifactregistry. artifactregistry. artifactregistry. artifactregistry. artifactregistry. artifactregistry. artifactregistry. artifactregistry. artifactregistry. artifactregistry.tags.* artifactregistry.versions.* artifactregistry. |
Artifact Registry Create-on-Push Writer( Access to read and write repository items, as well as create new repositories on push |
artifactregistry. artifactregistry. artifactregistry.files.* artifactregistry. artifactregistry.locations.* artifactregistry. artifactregistry.npmpackages.* artifactregistry.packages.get artifactregistry.packages.list artifactregistry. artifactregistry. artifactregistry. artifactregistry. artifactregistry. artifactregistry. artifactregistry. artifactregistry. artifactregistry. artifactregistry. artifactregistry.tags.create artifactregistry.tags.get artifactregistry.tags.list artifactregistry.tags.update artifactregistry.versions.get artifactregistry.versions.list artifactregistry. |
Artifact Registry Reader( Access to read repository items. |
artifactregistry. artifactregistry.files.* artifactregistry.locations.* artifactregistry. artifactregistry.npmpackages.* artifactregistry.packages.get artifactregistry.packages.list artifactregistry. artifactregistry. artifactregistry. artifactregistry. artifactregistry. artifactregistry. artifactregistry. artifactregistry. artifactregistry.tags.get artifactregistry.tags.list artifactregistry.versions.get artifactregistry.versions.list |
Artifact Registry Repository Administrator( Access to manage artifacts in repositories. |
artifactregistry. artifactregistry. artifactregistry.files.* artifactregistry. artifactregistry.locations.* artifactregistry. artifactregistry.npmpackages.* artifactregistry.packages.* artifactregistry. artifactregistry. artifactregistry. artifactregistry. artifactregistry. artifactregistry. artifactregistry. artifactregistry. artifactregistry. artifactregistry. artifactregistry.tags.* artifactregistry.versions.* artifactregistry. |
Artifact Registry Writer( Access to read and write repository items. |
artifactregistry. artifactregistry. artifactregistry.files.* artifactregistry. artifactregistry.locations.* artifactregistry. artifactregistry.npmpackages.* artifactregistry.packages.get artifactregistry.packages.list artifactregistry. artifactregistry. artifactregistry. artifactregistry. artifactregistry. artifactregistry. artifactregistry. artifactregistry. artifactregistry. artifactregistry.tags.create artifactregistry.tags.get artifactregistry.tags.list artifactregistry.tags.update artifactregistry.versions.get artifactregistry.versions.list artifactregistry. |
Assured Workloads roles |
Permissions |
Assured Workloads Administrator( Grants full access to Assured Workloads resources, CRM resources - project/folder and Organization Policy administration |
assuredworkloads.* bigquery.config.update logging.settings.update orgpolicy.policy.* resourcemanager.folders.create resourcemanager.folders.get resourcemanager.folders.list resourcemanager. resourcemanager. resourcemanager.projects.get resourcemanager.projects.list |
Assured Workloads Editor( Grants read and write access to Assured Workloads resources, CRM resources - project/folder and Organization Policy administration |
assuredworkloads.* bigquery.config.update logging.settings.update orgpolicy.policy.* resourcemanager.folders.create resourcemanager.folders.get resourcemanager.folders.list resourcemanager. resourcemanager. resourcemanager.projects.get resourcemanager.projects.list |
Assured Workloads Reader( Grants read access to all Assured Workloads resources and CRM resources - project/folder |
assuredworkloads.operations.* assuredworkloads. assuredworkloads. assuredworkloads.workload.get assuredworkloads.workload.list orgpolicy.policy.get resourcemanager.folders.get resourcemanager.folders.list resourcemanager. resourcemanager.projects.get resourcemanager.projects.list |
AutoML roles |
Permissions |
AutoML Admin Beta( Full access to all AutoML resources. Lowest-level resources where you can grant this role:
|
automl.* resourcemanager.projects.get resourcemanager.projects.list serviceusage.services.get serviceusage.services.list |
AutoML Editor Beta( Editor of all AutoML resources. Lowest-level resources where you can grant this role:
|
automl.annotationSpecs.* automl.annotations.* automl.columnSpecs.* automl.datasets.create automl.datasets.delete automl.datasets.export automl.datasets.get automl.datasets.import automl.datasets.list automl.datasets.update automl.examples.* automl.files.* automl.humanAnnotationTasks.* automl.locations.get automl.locations.list automl.modelEvaluations.* automl.models.create automl.models.delete automl.models.deploy automl.models.export automl.models.get automl.models.list automl.models.predict automl.models.undeploy automl.operations.* automl.tableSpecs.* resourcemanager.projects.get resourcemanager.projects.list serviceusage.services.get serviceusage.services.list |
AutoML Predictor Beta( Predict using models. Lowest-level resources where you can grant this role:
|
automl.models.predict resourcemanager.projects.get resourcemanager.projects.list |
AutoML Viewer Beta( Viewer of all AutoML resources. Lowest-level resources where you can grant this role:
|
automl.annotationSpecs.get automl.annotationSpecs.list automl.annotations.list automl.columnSpecs.get automl.columnSpecs.list automl.datasets.get automl.datasets.list automl.examples.get automl.examples.list automl.files.list automl. automl. automl.locations.get automl.locations.list automl.modelEvaluations.get automl.modelEvaluations.list automl.models.get automl.models.list automl.operations.get automl.operations.list automl.tableSpecs.get automl.tableSpecs.list resourcemanager.projects.get resourcemanager.projects.list serviceusage.services.get serviceusage.services.list |
Backup and DR roles |
Permissions |
Backup and DR Admin( Provides full access to all Backup and DR resources. |
backupdr.* resourcemanager.projects.get resourcemanager.projects.list |
Backup and DR Backup User( Allows the user to apply existing backup plans. This role cannot create backup plans or restore from a backup. |
backupdr.locations.* backupdr. backupdr. backupdr. backupdr. backupdr.managementServers.get backupdr. backupdr. backupdr. backupdr. backupdr. backupdr. backupdr. backupdr. backupdr. backupdr. backupdr.operations.get backupdr.operations.list resourcemanager.projects.get resourcemanager.projects.list |
Backup and DR Cloud Storage Operator( Allows a Backup and DR service account to store and manage data (backups or metadata) in Cloud Storage. |
storage.buckets.create storage.buckets.get storage.objects.create storage.objects.delete storage.objects.get storage.objects.list |
Backup and DR Compute Engine Operator( Allows a Backup and DR service account to discover, back up, and restore Compute Engine VM instances. |
compute.addresses.list compute.addresses.use compute.diskTypes.* compute.disks.create compute.disks.createSnapshot compute.disks.delete compute.disks.get compute.disks.setLabels compute.disks.use compute.firewalls.list compute.globalOperations.get compute.images.create compute.images.delete compute.images.get compute.images.useReadOnly compute.instances.attachDisk compute.instances.create compute.instances.delete compute.instances.detachDisk compute.instances.get compute.instances.list compute. compute.instances.setLabels compute.instances.setMetadata compute. compute.instances.setTags compute.instances.start compute.instances.stop compute.machineTypes.* compute.networks.list compute.nodeGroups.get compute.nodeGroups.list compute.nodeTemplates.get compute.projects.get compute.regionOperations.get compute.regions.* compute.snapshots.create compute.snapshots.delete compute.snapshots.get compute.snapshots.setLabels compute.snapshots.useReadOnly compute.subnetworks.list compute.subnetworks.use compute. compute.zoneOperations.get compute.zones.list iam.serviceAccounts.actAs iam.serviceAccounts.get iam.serviceAccounts.list resourcemanager.projects.get resourcemanager.projects.list |
Backup and DR Mount User( Allows the user to mount from a backup. This role cannot create a backup plan or restore from a backup. |
backupdr.locations.* backupdr. backupdr.managementServers.get backupdr. backupdr. backupdr. backupdr. backupdr. backupdr. backupdr. backupdr. backupdr. backupdr. backupdr. backupdr. backupdr. backupdr. backupdr. backupdr. backupdr. backupdr.operations.get backupdr.operations.list resourcemanager.projects.get resourcemanager.projects.list |
Backup and DR Restore User( Allows the user to restore or mount from a backup. This role cannot create a backup plan. |
backupdr.locations.* backupdr. backupdr.managementServers.get backupdr. backupdr. backupdr. backupdr. backupdr. backupdr. backupdr. backupdr. backupdr. backupdr. backupdr. backupdr. backupdr. backupdr. backupdr. backupdr. backupdr. backupdr. backupdr. backupdr. backupdr.operations.get backupdr.operations.list resourcemanager.projects.get resourcemanager.projects.list |
Backup and DR User( Provides access to management console. Granular Backup and DR permissions depend on ACL configuration provided by Backup and DR admin within the management console. |
backupdr. backupdr. backupdr.managementServers.get backupdr. backupdr. backupdr. backupdr. backupdr. backupdr. backupdr. backupdr. backupdr. backupdr. backupdr.operations.get backupdr.operations.list resourcemanager.projects.get resourcemanager.projects.list |
Backup and DR User V2( Provides full access to Backup and DR resources except deploying and managing backup infrastructure, expiring backups, changing data sensitivity and configuring on-premises billing. |
backupdr.locations.* backupdr. backupdr. backupdr. backupdr. backupdr. backupdr.managementServers.get backupdr. backupdr. backupdr. backupdr. backupdr. backupdr. backupdr. backupdr. backupdr. backupdr. backupdr. backupdr. backupdr. backupdr. backupdr. backupdr. backupdr. backupdr. backupdr. backupdr. backupdr. backupdr. backupdr. backupdr. backupdr. backupdr.operations.get backupdr.operations.list resourcemanager.projects.get resourcemanager.projects.list |
Backup and DR Viewer( Provides read-only access to all Backup and DR resources. |
backupdr.locations.* backupdr. backupdr. backupdr.managementServers.get backupdr. backupdr. backupdr. backupdr. backupdr. backupdr. backupdr. backupdr. backupdr. backupdr. backupdr.operations.get backupdr.operations.list resourcemanager.projects.get resourcemanager.projects.list |
Backup for GKE roles |
Permissions |
Backup for GKE Admin( Full access to all Backup for GKE resources. |
gkebackup.* resourcemanager.projects.get resourcemanager.projects.list |
Backup for GKE Backup Admin( Allows administrators to manage all BackupPlan and Backup resources. |
gkebackup.backupPlans.* gkebackup.backups.* gkebackup.locations.* gkebackup.operations.get gkebackup.operations.list gkebackup.volumeBackups.* resourcemanager.projects.get resourcemanager.projects.list |
Backup for GKE Delegated Backup Admin( Allows administrators to manage Backup resources for specific BackupPlans |
gkebackup.backupPlans.get gkebackup.backups.* gkebackup.volumeBackups.* |
Backup for GKE Delegated Restore Admin( Allows administrators to manage Restore resources for specific RestorePlans |
gkebackup.restorePlans.get gkebackup.restores.* gkebackup.volumeRestores.* |
Backup for GKE Restore Admin( Allows administrators to manage all RestorePlan and Restore resources. |
gkebackup.backupPlans.get gkebackup.backupPlans.list gkebackup.backups.get gkebackup. gkebackup.backups.list gkebackup.locations.* gkebackup.operations.get gkebackup.operations.list gkebackup.restorePlans.* gkebackup.restores.* gkebackup.volumeBackups.* gkebackup.volumeRestores.* resourcemanager.projects.get resourcemanager.projects.list |
Backup for GKE Viewer( Read-only access to all Backup for GKE resources. |
gkebackup.backupPlans.get gkebackup. gkebackup.backupPlans.list gkebackup.backups.get gkebackup. gkebackup.backups.list gkebackup.locations.* gkebackup.operations.get gkebackup.operations.list gkebackup.restorePlans.get gkebackup. gkebackup.restorePlans.list gkebackup.restores.get gkebackup.restores.list gkebackup.volumeBackups.* gkebackup.volumeRestores.* resourcemanager.projects.get resourcemanager.projects.list |
Bare Metal Solution roles |
Permissions |
Bare Metal Solution Admin( Administrator of Bare Metal Solution resources |
baremetalsolution. baremetalsolution.instances.* baremetalsolution.luns.* baremetalsolution. baremetalsolution. baremetalsolution.networks.* baremetalsolution.nfsshares.* baremetalsolution. baremetalsolution. baremetalsolution. baremetalsolution. baremetalsolution.skus.list baremetalsolution. baremetalsolution.sshKeys.* baremetalsolution. baremetalsolution. baremetalsolution.volumes.* baremetalsolution. resourcemanager.projects.get resourcemanager.projects.list |
Bare Metal Solution Editor( Editor of Bare Metal Solution resources |
baremetalsolution. baremetalsolution.instances.* baremetalsolution.luns.* baremetalsolution. baremetalsolution. baremetalsolution.networks.* baremetalsolution.nfsshares.* baremetalsolution. baremetalsolution. baremetalsolution. baremetalsolution. baremetalsolution.skus.list baremetalsolution. baremetalsolution.sshKeys.* baremetalsolution. baremetalsolution. baremetalsolution.volumes.* baremetalsolution. resourcemanager.projects.get resourcemanager.projects.list |
Bare Metal Solution Instances Admin( Admin of Bare Metal Solution Instance resources |
baremetalsolution.instances.* baremetalsolution. baremetalsolution. resourcemanager.projects.get resourcemanager.projects.list |
Bare Metal Solution Instances Viewer( Viewer of Bare Metal Solution Instance resources |
baremetalsolution. baremetalsolution. baremetalsolution. baremetalsolution. resourcemanager.projects.get resourcemanager.projects.list |
Luns Admin( Administrator of Bare Metal Solution Lun resources |
baremetalsolution.luns.get baremetalsolution.luns.list baremetalsolution. |
Luns Viewer( Viewer of Bare Metal Solution Lun resources |
baremetalsolution.luns.get baremetalsolution.luns.list baremetalsolution. |
Maintenance Events Admin( Administrator of Bare Metal Solution maintenance events resources |
baremetalsolution. |
Maintenance Events Editor( Editor of Bare Metal Solution maintenance events resources |
baremetalsolution. |
Maintenance Events Viewer( Viewer of Bare Metal Solution maintenance events resources |
baremetalsolution. baremetalsolution. |
Networks Admin( Admin of Bare Metal Solution networks resources |
baremetalsolution. baremetalsolution.networks.* baremetalsolution. |
NFS Shares Admin( Administrator of Bare Metal Solution NFS Share resources |
baremetalsolution.nfsshares.* baremetalsolution. |
NFS Shares Editor( Editor of Bare Metal Solution NFS Share resources |
baremetalsolution.nfsshares.* baremetalsolution. |
NFS Shares Viewer( Viewer of Bare Metal Solution NFS Share resources |
baremetalsolution. baremetalsolution. baremetalsolution. |
OS Images Viewer( Viewer of Bare Metal Solution OS images resources |
baremetalsolution. |
Bare Metal Solution Procurements Admin( Administrator of Bare Metal Solution Procurements |
baremetalsolution. baremetalsolution.skus.list |
Bare Metal Solution Procurements Editor( Editor of Bare Metal Solution Procurements |
baremetalsolution. baremetalsolution.skus.list |
Bare Metal Solution Procurements Viewer( Viewer of Bare Metal Solution Procurements |
baremetalsolution. baremetalsolution. baremetalsolution.skus.list |
Bare Metal Solution Storage Admin( Administrator of Bare Metal Solution storage resources |
baremetalsolution.luns.* baremetalsolution.nfsshares.* baremetalsolution. baremetalsolution. baremetalsolution. baremetalsolution. baremetalsolution.volumes.* baremetalsolution. resourcemanager.projects.get resourcemanager.projects.list |
Bare Metal Solution Viewer( Viewer of Bare Metal Solution resources |
baremetalsolution. baremetalsolution. baremetalsolution. baremetalsolution.luns.get baremetalsolution.luns.list baremetalsolution. baremetalsolution. baremetalsolution. baremetalsolution.networks.get baremetalsolution. baremetalsolution. baremetalsolution. baremetalsolution. baremetalsolution. baremetalsolution. baremetalsolution. baremetalsolution.skus.list baremetalsolution. baremetalsolution. baremetalsolution.sshKeys.list baremetalsolution. baremetalsolution. baremetalsolution.volumes.get baremetalsolution.volumes.list baremetalsolution. baremetalsolution. resourcemanager.projects.get resourcemanager.projects.list |
Volume Admin( Administrator of Bare Metal Solution volume resources |
baremetalsolution. baremetalsolution.volumes.* |
Volumes Editor( Editor of Bare Metal Solution volumes resources |
baremetalsolution. baremetalsolution. baremetalsolution. baremetalsolution. baremetalsolution.volumes.get baremetalsolution.volumes.list baremetalsolution. baremetalsolution. baremetalsolution. |
Snapshots Admin( Administrator of Bare Metal Solution snapshots resources |
baremetalsolution. baremetalsolution. |
Snapshots Editor( Editor of Bare Metal Solution snapshots resources |
baremetalsolution. baremetalsolution. baremetalsolution. baremetalsolution. baremetalsolution. |
Snapshots Viewer( Viewer of Bare Metal Solution snapshots resources |
baremetalsolution. baremetalsolution. baremetalsolution. |
Volumes Viewer( Viewer of Bare Metal Solution volumes resources |
baremetalsolution. baremetalsolution.volumes.get baremetalsolution.volumes.list |
BeyondCorp roles |
Permissions |
Cloud BeyondCorp Admin Beta( Full access to all Cloud BeyondCorp resources. |
beyondcorp.appConnections.* beyondcorp.appConnectors.* beyondcorp.appGateways.* beyondcorp. beyondcorp. beyondcorp. beyondcorp. beyondcorp. beyondcorp. beyondcorp. beyondcorp.clientGateways.* beyondcorp.locations.* beyondcorp.operations.* beyondcorp.subscriptions.* resourcemanager.projects.get resourcemanager.projects.list |
Cloud BeyondCorp Client Connector Admin Beta( Full access to all BeyondCorp Client Connector resources. |
beyondcorp. beyondcorp. beyondcorp. beyondcorp. beyondcorp. beyondcorp. beyondcorp. beyondcorp.clientGateways.* resourcemanager.projects.get resourcemanager.projects.list |
Cloud BeyondCorp Client Connector Service User Beta( Access Client Connector Service |
beyondcorp. |
Cloud BeyondCorp Client Connector Viewer Beta( Read-only access to all BeyondCorp Client Connector resources. |
beyondcorp. beyondcorp. beyondcorp. beyondcorp.clientGateways.get beyondcorp. beyondcorp.clientGateways.list resourcemanager.projects.get resourcemanager.projects.list |
Cloud BeyondCorp Partner Service Delegate Admin Beta( Delegates access to all BeyondCorp partner service resources to a BeyondCorp Enterprise partner. |
beyondcorp.operations.* beyondcorp.partnerTenants.* beyondcorp.proxyConfigs.* resourcemanager. |
Cloud BeyondCorp Partner Service Delegate Viewer Beta( Delegates read-only access to all BeyondCorp partner service resources to a BeyondCorp Enterprise partner. |
beyondcorp.partnerTenants.get beyondcorp.partnerTenants.list beyondcorp.proxyConfigs.get beyondcorp.proxyConfigs.list resourcemanager. |
Cloud BeyondCorp Subscription Admin Beta( Full access to all BeyondCorp Subscription resources. |
beyondcorp.subscriptions.* resourcemanager. |
Cloud BeyondCorp Subscription Viewer Beta( Read-only access to all BeyondCorp Subscription resources. |
beyondcorp.subscriptions.get beyondcorp.subscriptions.list resourcemanager. |
Cloud BeyondCorp Viewer Beta( Read-only access to all Cloud BeyondCorp resources. |
beyondcorp.appConnections.get beyondcorp. beyondcorp.appConnections.list beyondcorp.appConnectors.get beyondcorp. beyondcorp.appConnectors.list beyondcorp.appGateways.get beyondcorp. beyondcorp.appGateways.list beyondcorp. beyondcorp. beyondcorp. beyondcorp.clientGateways.get beyondcorp. beyondcorp.clientGateways.list beyondcorp.locations.* beyondcorp.operations.get beyondcorp.operations.list beyondcorp.subscriptions.get beyondcorp.subscriptions.list resourcemanager. resourcemanager.projects.get resourcemanager.projects.list |
BigQuery roles |
Permissions |
BigQuery Admin( Provides permissions to manage all resources within the project. Can manage all data within the project, and can cancel jobs from other users running within the project. Lowest-level resources where you can grant this role:
|
bigquery.bireservations.* bigquery.capacityCommitments.* bigquery.config.* bigquery.connections.* bigquery.dataPolicies.create bigquery.dataPolicies.delete bigquery.dataPolicies.get bigquery. bigquery.dataPolicies.list bigquery. bigquery.dataPolicies.update bigquery.datasets.* bigquery.jobs.* bigquery.models.* bigquery.readsessions.* bigquery. bigquery.reservations.* bigquery.routines.* bigquery. bigquery. bigquery. bigquery. bigquery. bigquery. bigquery. bigquery.savedqueries.* bigquery.tables.* bigquery.transfers.* bigquerymigration. dataform.* resourcemanager.projects.get resourcemanager.projects.list |
BigQuery Connection Admin(
|
bigquery.connections.* |
BigQuery Connection User(
|
bigquery.connections.get bigquery. bigquery.connections.list bigquery.connections.use |
BigQuery Data Editor( When applied to a table or view, this role provides permissions to:
This role cannot be applied to individual models or routines. When applied to a dataset, this role provides permissions to:
When applied at the project or organization level, this role can also create new datasets. Lowest-level resources where you can grant this role:
|
bigquery.config.get bigquery.datasets.create bigquery.datasets.get bigquery.datasets.getIamPolicy bigquery.datasets.updateTag bigquery.models.* bigquery.routines.* bigquery.tables.create bigquery.tables.createIndex bigquery.tables.createSnapshot bigquery.tables.delete bigquery.tables.deleteIndex bigquery.tables.export bigquery.tables.get bigquery.tables.getData bigquery.tables.getIamPolicy bigquery.tables.list bigquery.tables.replicateData bigquery. bigquery.tables.update bigquery.tables.updateData bigquery.tables.updateTag resourcemanager.projects.get resourcemanager.projects.list |
BigQuery Data Owner( When applied to a table or view, this role provides permissions to:
This role cannot be applied to individual models or routines. When applied to a dataset, this role provides permissions to:
When applied at the project or organization level, this role can also create new datasets. Lowest-level resources where you can grant this role:
|
bigquery.config.get bigquery.dataPolicies.create bigquery.dataPolicies.delete bigquery.dataPolicies.get bigquery. bigquery.dataPolicies.list bigquery. bigquery.dataPolicies.update bigquery.datasets.* bigquery.models.* bigquery.routines.* bigquery. bigquery. bigquery. bigquery. bigquery. bigquery. bigquery.tables.* resourcemanager.projects.get resourcemanager.projects.list |
BigQuery Data Viewer( When applied to a table or view, this role provides permissions to:
This role cannot be applied to individual models or routines. When applied to a dataset, this role provides permissions to list all of the resources in the dataset (such as tables, views, snapshots, models, and routines) and to read their data and metadata with applicable APIs and in queries. When applied at the project or organization level, this role can also enumerate all datasets in the project. Additional roles, however, are necessary to allow the running of jobs. Lowest-level resources where you can grant this role:
|
bigquery.datasets.get bigquery.datasets.getIamPolicy bigquery.models.export bigquery.models.getData bigquery.models.getMetadata bigquery.models.list bigquery.routines.get bigquery.routines.list bigquery.tables.createSnapshot bigquery.tables.export bigquery.tables.get bigquery.tables.getData bigquery.tables.getIamPolicy bigquery.tables.list bigquery.tables.replicateData resourcemanager.projects.get resourcemanager.projects.list |
BigQuery Filtered Data Viewer( Access to view filtered table data defined by a row access policy |
bigquery. |
BigQuery Job User( Provides permissions to run jobs, including queries, within the project. Lowest-level resources where you can grant this role:
|
bigquery.config.get bigquery.jobs.create dataform.locations.* dataform.repositories.create dataform.repositories.list resourcemanager.projects.get resourcemanager.projects.list |
BigQuery Metadata Viewer( When applied to a table or view, this role provides permissions to:
This role cannot be applied to individual models or routines. When applied to a dataset, this role provides permissions to:
When applied at the project or organization level, this role provides permissions to:
Additional roles are necessary to allow the running of jobs. Lowest-level resources where you can grant this role:
|
bigquery.datasets.get bigquery.datasets.getIamPolicy bigquery.models.getMetadata bigquery.models.list bigquery.routines.get bigquery.routines.list bigquery.tables.get bigquery.tables.getIamPolicy bigquery.tables.list resourcemanager.projects.get resourcemanager.projects.list |
BigQuery Read Session User( Provides the ability to create and use read sessions. Lowest-level resources where you can grant this role:
|
bigquery.readsessions.* resourcemanager.projects.get resourcemanager.projects.list |
BigQuery Resource Admin( Administers BigQuery workloads, including slot assignments, commitments, and reservations. |
bigquery.bireservations.* bigquery.capacityCommitments.* bigquery.jobs.get bigquery.jobs.list bigquery.jobs.listAll bigquery. bigquery. bigquery.reservations.* recommender. recommender. resourcemanager.projects.get resourcemanager.projects.list |
BigQuery Resource Editor( Manages BigQuery workloads, but is unable to create or modify slot commitments. |
bigquery.bireservations.get bigquery. bigquery. bigquery.jobs.get bigquery.jobs.list bigquery.jobs.listAll bigquery. bigquery. bigquery.reservations.* resourcemanager.projects.get resourcemanager.projects.list |
BigQuery Resource Viewer( Can view BigQuery workloads, but cannot create or modify slot reservations or commitments. |
bigquery.bireservations.get bigquery. bigquery. bigquery.jobs.get bigquery.jobs.list bigquery.jobs.listAll bigquery. bigquery. bigquery. bigquery.reservations.get bigquery.reservations.list resourcemanager.projects.get resourcemanager.projects.list |
BigQuery Studio Admin Beta( Combination role of BigQuery Admin, Dataform Admin, and Notebook Runtime Admin. |
aiplatform. aiplatform. aiplatform. aiplatform. aiplatform. aiplatform. aiplatform. aiplatform.notebookRuntimes.* aiplatform.operations.list bigquery.bireservations.* bigquery.capacityCommitments.* bigquery.config.* bigquery.connections.* bigquery.dataPolicies.create bigquery.dataPolicies.delete bigquery.dataPolicies.get bigquery. bigquery.dataPolicies.list bigquery. bigquery.dataPolicies.update bigquery.datasets.* bigquery.jobs.* bigquery.models.* bigquery.readsessions.* bigquery. bigquery.reservations.* bigquery.routines.* bigquery. bigquery. bigquery. bigquery. bigquery. bigquery. bigquery. bigquery.savedqueries.* bigquery.tables.* bigquery.transfers.* bigquerymigration. compute.reservations.get compute.reservations.list dataform.* resourcemanager.projects.get resourcemanager.projects.list |
BigQuery Studio User Beta( Combination role of BigQuery Job User, BigQuery Read Session User, Dataform Code Creator, and Notebook Runtime User. |
aiplatform. aiplatform. aiplatform. aiplatform. aiplatform. aiplatform. aiplatform. aiplatform.operations.list bigquery.config.get bigquery.jobs.create bigquery.readsessions.* dataform.locations.* dataform.repositories.create dataform.repositories.list resourcemanager.projects.get resourcemanager.projects.list |
BigQuery User( When applied to a dataset, this role provides the ability to read the dataset's metadata and list tables in the dataset. When applied to a project, this role also provides the ability to run jobs, including queries, within the project. A principal with this role can enumerate their own jobs, cancel their own jobs, and enumerate datasets within a project. Additionally, allows the creation of new datasets within the project; the creator is granted the BigQuery Data Owner role ( Lowest-level resources where you can grant this role:
|
bigquery.bireservations.get bigquery. bigquery. bigquery.config.get bigquery.datasets.create bigquery.datasets.get bigquery.datasets.getIamPolicy bigquery.jobs.create bigquery.jobs.list bigquery.models.list bigquery.readsessions.* bigquery. bigquery. bigquery.reservations.get bigquery.reservations.list bigquery.routines.list bigquery.savedqueries.get bigquery.savedqueries.list bigquery.tables.list bigquery.transfers.get bigquerymigration. dataform.locations.* dataform.repositories.create dataform.repositories.list resourcemanager.projects.get resourcemanager.projects.list |
Masked Reader( Masked read access to sub-resources tagged by the policy tag associated with a data policy, for example, BigQuery columns |
bigquery. |
Billing roles |
Permissions |
Billing Account Administrator( Provides access to see and manage all aspects of billing accounts. Lowest-level resources where you can grant this role:
|
billing.accounts.close billing.accounts.get billing. billing.accounts.getIamPolicy billing. billing.accounts.getPricing billing. billing. billing.accounts.list billing.accounts.move billing. billing. billing.accounts.reopen billing.accounts.setIamPolicy billing.accounts.update billing. billing. billing. billing. billing. billing. billing. billing.billingAccountSkus.* billing.budgets.* billing.credits.list billing. billing. billing.resourceAssociations.* billing.subscriptions.* cloudasset. cloudnotifications. cloudsupport.properties.get cloudsupport.techCases.* commerceoffercatalog.* compute.commitments.* consumerprocurement.accounts.* consumerprocurement. consumerprocurement. consumerprocurement. consumerprocurement. consumerprocurement.events.* consumerprocurement. consumerprocurement.orders.* dataprocessing.datasources.get dataprocessing. dataprocessing. dataprocessing. logging.logEntries.list logging.logServiceIndexes.list logging.logServices.list logging.logs.list logging.privateLogEntries.list recommender. recommender. recommender. recommender. recommender. recommender. recommender. recommender. recommender. recommender. recommender. recommender. recommender. recommender. recommender. recommender. recommender. recommender.costInsights.* recommender. recommender. recommender. recommender. recommender. recommender. recommender. resourcemanager. resourcemanager. resourcemanager.projects.get resourcemanager.projects.list |
Billing Account Costs Manager( Manage budgets for a billing account, and view, analyze, and export cost information of a billing account. Lowest-level resources where you can grant this role:
|
billing.accounts.get billing.accounts.getIamPolicy billing. billing. billing.accounts.list billing. billing.budgets.* billing. recommender.costInsights.* |
Billing Account Creator( Provides access to create billing accounts. Lowest-level resources where you can grant this role:
|
billing.accounts.create resourcemanager. |
Project Billing Manager( When granted in conjunction with the Billing Account User role, provides access to assign a project's billing account or disable its billing. Lowest-level resources where you can grant this role:
|
resourcemanager. resourcemanager. |
Billing Account User( When granted in conjunction with the Project Owner role or Project Billing Manager role, provides access to associate projects with billing accounts. Lowest-level resources where you can grant this role:
|
billing.accounts.get billing.accounts.getIamPolicy billing.accounts.list billing. billing.credits.list billing. |
Billing Account Viewer( View billing account cost and pricing information, transactions, and billing and commitment recommendations. Lowest-level resources where you can grant this role:
|
billing.accounts.get billing. billing.accounts.getIamPolicy billing. billing.accounts.getPricing billing. billing. billing.accounts.list billing. billing. billing. billing. billing. billing.billingAccountSkus.* billing.budgets.get billing.budgets.list billing.credits.list billing. billing. billing. billing.subscriptions.get billing.subscriptions.list commerceoffercatalog.* consumerprocurement. consumerprocurement. consumerprocurement. consumerprocurement. consumerprocurement. consumerprocurement. consumerprocurement.orders.get consumerprocurement. dataprocessing.datasources.get dataprocessing. dataprocessing. dataprocessing. recommender. recommender. recommender.costInsights.get recommender.costInsights.list recommender. recommender. recommender. recommender. recommender. recommender. recommender. recommender. |
Binary Authorization roles |
Permissions |
Binary Authorization Attestor Admin( Administrator of Binary Authorization Attestors |
binaryauthorization. resourcemanager.projects.get resourcemanager.projects.list |
Binary Authorization Attestor Editor( Editor of Binary Authorization Attestors |
binaryauthorization. binaryauthorization. binaryauthorization. binaryauthorization. binaryauthorization. binaryauthorization. resourcemanager.projects.get resourcemanager.projects.list |
Binary Authorization Attestor Image Verifier( Caller of Binary Authorization Attestors VerifyImageAttested |
binaryauthorization. binaryauthorization. binaryauthorization. resourcemanager.projects.get resourcemanager.projects.list |
Binary Authorization Attestor Viewer( Viewer of Binary Authorization Attestors |
binaryauthorization. binaryauthorization. resourcemanager.projects.get resourcemanager.projects.list |
Binary Authorization Policy Administrator( Administrator of Binary Authorization Policy |
binaryauthorization. binaryauthorization. binaryauthorization.policy.* resourcemanager.projects.get resourcemanager.projects.list |
Binary Authorization Policy Editor( Editor of Binary Authorization Policy |
binaryauthorization. binaryauthorization. binaryauthorization. binaryauthorization. binaryauthorization.policy.get binaryauthorization. resourcemanager.projects.get resourcemanager.projects.list |
Binary Authorization Policy Evaluator Beta( Evaluator of Binary Authorization Policy |
binaryauthorization. binaryauthorization. binaryauthorization. binaryauthorization. binaryauthorization.policy.get resourcemanager.projects.get resourcemanager.projects.list |
Binary Authorization Policy Viewer( Viewer of Binary Authorization Policy |
binaryauthorization. binaryauthorization. binaryauthorization. binaryauthorization.policy.get resourcemanager.projects.get resourcemanager.projects.list |
CA Service roles |
Permissions |
CA Service Admin( Full access to all CA Service resources. |
privateca.* resourcemanager.projects.get resourcemanager.projects.list storage.buckets.create |
CA Service Auditor( Read-only access to all CA Service resources. |
privateca.caPools.get privateca.caPools.getIamPolicy privateca.caPools.list privateca. privateca. privateca. privateca. privateca. privateca. privateca. privateca. privateca. privateca.certificates.get privateca. privateca.certificates.list privateca.locations.* privateca.operations.get privateca.operations.list privateca.reusableConfigs.get privateca. privateca.reusableConfigs.list resourcemanager.projects.get resourcemanager.projects.list |
CA Service Operation Manager( Create and manage CAs, revoke certificates, create certificate templates, and read-only access for CA Service resources. |
privateca.caPools.create privateca.caPools.delete privateca.caPools.get privateca.caPools.getIamPolicy privateca.caPools.list privateca.caPools.update privateca. privateca. privateca. privateca. privateca. privateca. privateca. privateca. privateca. privateca. privateca. privateca. privateca. privateca. privateca. privateca. privateca.certificates.get privateca. privateca.certificates.list privateca.certificates.update privateca.locations.* privateca.operations.get privateca.operations.list privateca. privateca. privateca.reusableConfigs.get privateca. privateca.reusableConfigs.list privateca. resourcemanager.projects.get resourcemanager.projects.list storage.buckets.create |
CA Service Certificate Manager( Create certificates and read-only access for CA Service resources. |
privateca.caPools.get privateca.caPools.getIamPolicy privateca.caPools.list privateca. privateca. privateca. privateca. privateca. privateca. privateca. privateca. privateca. privateca.certificates.create privateca.certificates.get privateca. privateca.certificates.list privateca.locations.* privateca.operations.get privateca.operations.list privateca.reusableConfigs.get privateca. privateca.reusableConfigs.list resourcemanager.projects.get resourcemanager.projects.list |
CA Service Certificate Requester( Request certificates from CA Service. |
privateca.certificates.create |
CA Service Pool Reader( Read CA Pools in CA Service. |
privateca.caPools.get |
CA Service Certificate Template User( Read, list and use certificate templates. |
privateca. privateca. privateca. |
CA Service Workload Certificate Requester( Request certificates from CA Service with caller's identity. |
privateca. |
Certificate Manager roles |
Permissions |
Certificate Manager Editor( Edit access to all Certificate Manager resources. |
certificatemanager. certificatemanager. certificatemanager. certificatemanager. certificatemanager. certificatemanager. certificatemanager. certificatemanager. certificatemanager. certificatemanager. certificatemanager. certificatemanager. certificatemanager. certificatemanager. certificatemanager. certificatemanager. certificatemanager. certificatemanager.certs.get certificatemanager. certificatemanager.certs.list certificatemanager. certificatemanager.certs.use certificatemanager. certificatemanager. certificatemanager. certificatemanager. certificatemanager. certificatemanager. certificatemanager.locations.* certificatemanager. certificatemanager. certificatemanager. certificatemanager. certificatemanager. certificatemanager. certificatemanager. resourcemanager.projects.get resourcemanager.projects.list |
Certificate Manager Owner( Full access to all Certificate Manager resources. |
certificatemanager.* resourcemanager.projects.get resourcemanager.projects.list |
Certificate Manager Viewer( Read-only access to all Certificate Manager resources. |
certificatemanager. certificatemanager. certificatemanager. certificatemanager. certificatemanager. certificatemanager. certificatemanager. certificatemanager. certificatemanager.certs.get certificatemanager. certificatemanager.certs.list certificatemanager. certificatemanager. certificatemanager. certificatemanager.locations.* certificatemanager. certificatemanager. certificatemanager. certificatemanager. resourcemanager.projects.get resourcemanager.projects.list |
Chat roles |
Permissions |
Chat Bots Owner( Can view and modify bot configurations |
chat.* |
Chat Bots Viewer( Can view bot configurations |
chat.bots.get |
Chronicle API roles |
Permissions |
Chronicle API Admin( Full access to the Chronicle API services, including global settings. |
chronicle.ais.* chronicle.analyticValues.list chronicle.analytics.list chronicle. chronicle. chronicle.collectors.* chronicle.conversations.* chronicle. chronicle. chronicle.curatedRuleSets.* chronicle.curatedRules.* chronicle.dashboards.* chronicle.dataAccessLabels.* chronicle.dataAccessScopes.* chronicle.dataExports.* chronicle.dataTaps.* chronicle.entities.* chronicle. chronicle. chronicle.events.* chronicle. chronicle. chronicle. chronicle.feeds.* chronicle.findingsGraphs.* chronicle. chronicle. chronicle.forwarders.* chronicle. chronicle. chronicle. chronicle.instances.get chronicle.instances.report chronicle.iocMatches.* chronicle.iocState.* chronicle.iocs.* chronicle.legacies.* chronicle.logTypeSchemas.list chronicle.logTypes.list chronicle.logs.* chronicle.messages.* chronicle. chronicle.operations.* chronicle.parserExtensions.* chronicle.parsers.* chronicle.parsingErrors.list chronicle.preferenceSets.* chronicle.referenceLists.* chronicle.retrohunts.* chronicle.riskConfigs.* chronicle.ruleDeployments.* chronicle. chronicle.rules.* chronicle.searchQueries.* chronicle. chronicle. chronicle.watchlists.* resourcemanager.projects.get resourcemanager.projects.list |
Chronicle API Editor( Modify access to Chronicle API resources. |
chronicle.ais.* chronicle.analyticValues.list chronicle.analytics.list chronicle. chronicle.collectors.get chronicle.collectors.list chronicle.conversations.* chronicle. chronicle. chronicle.curatedRuleSets.* chronicle.curatedRules.* chronicle.dashboards.* chronicle. chronicle.dataExports.* chronicle.dataTaps.* chronicle.entities.* chronicle. chronicle. chronicle. chronicle.events.* chronicle.findingsGraphs.* chronicle. chronicle. chronicle.forwarders.generate chronicle.forwarders.get chronicle.forwarders.list chronicle. chronicle. chronicle. chronicle.instances.get chronicle.instances.report chronicle. chronicle. chronicle. chronicle. chronicle. chronicle. chronicle. chronicle. chronicle. chronicle. chronicle. chronicle. chronicle. chronicle. chronicle. chronicle. chronicle. chronicle. chronicle. chronicle. chronicle. chronicle. chronicle. chronicle. chronicle. chronicle. chronicle. chronicle. chronicle. chronicle. chronicle. chronicle. chronicle. chronicle. chronicle. chronicle. chronicle. chronicle. chronicle. chronicle.logTypeSchemas.list chronicle.logs.* chronicle.messages.* chronicle. chronicle.operations.* chronicle.preferenceSets.* chronicle.referenceLists.* chronicle.retrohunts.* chronicle.riskConfigs.* chronicle.ruleDeployments.* chronicle. chronicle.rules.create chronicle.rules.get chronicle.rules.list chronicle.rules.listRevisions chronicle.rules.update chronicle.rules.verifyRuleText chronicle.searchQueries.* chronicle.watchlists.* resourcemanager.projects.get resourcemanager.projects.list |
Chronicle API Limited Viewer( Grants read-only access to Chronicle API resources, excluding Rules and Retrohunts. |
chronicle.analyticValues.list chronicle.analytics.list chronicle. chronicle.conversations.get chronicle.conversations.list chronicle.dashboards.get chronicle.dashboards.list chronicle.dashboards.schedule chronicle.entities.find chronicle. chronicle.entities.get chronicle. chronicle. chronicle.entities.summarize chronicle. chronicle. chronicle. chronicle. chronicle.events.batchGet chronicle. chronicle.events.get chronicle. chronicle.events.searchRawLogs chronicle.events.udmSearch chronicle.events.validateQuery chronicle.findingsGraphs.* chronicle. chronicle. chronicle. chronicle. chronicle. chronicle. chronicle. chronicle. chronicle.instances.get chronicle. chronicle. chronicle. chronicle. chronicle. chronicle. chronicle. chronicle. chronicle. chronicle. chronicle. chronicle. chronicle. chronicle. chronicle. chronicle. chronicle. chronicle. chronicle. chronicle. chronicle. chronicle. chronicle. chronicle. chronicle.logTypeSchemas.list chronicle.logs.export chronicle.logs.get chronicle.logs.list chronicle.messages.get chronicle.messages.list chronicle. chronicle.operations.get chronicle.operations.list chronicle. chronicle.operations.wait chronicle.preferenceSets.* chronicle.searchQueries.* resourcemanager.projects.get resourcemanager.projects.list |
Chronicle API Restricted Data Access Beta( Grants access to data controlled by Data Access Scopes. Intended to be refined by IAM Conditions. |
chronicle. |
Chronicle API Restricted Data Access Viewer Beta( Grants read-only access to Chronicle API resources without global data access scope. |
chronicle.ais.* chronicle. chronicle.entities.find chronicle. chronicle.entities.get chronicle.entities.list chronicle. chronicle.entities.summarize chronicle. chronicle.events.batchGet chronicle. chronicle.events.get chronicle. chronicle.events.searchRawLogs chronicle.events.udmSearch chronicle.events.validateQuery chronicle.findingsGraphs.* chronicle. chronicle. chronicle.instances.get chronicle.instances.report chronicle. chronicle. chronicle. chronicle. chronicle. chronicle. chronicle. chronicle. chronicle. chronicle. chronicle. chronicle. chronicle. chronicle. chronicle. chronicle. chronicle. chronicle. chronicle. chronicle. chronicle. chronicle. chronicle. chronicle. chronicle. chronicle. chronicle. chronicle. chronicle.logs.get chronicle.logs.list chronicle. chronicle.operations.get chronicle.operations.list chronicle. chronicle.operations.wait chronicle.referenceLists.get chronicle.referenceLists.list chronicle. chronicle.retrohunts.get chronicle.retrohunts.list chronicle.riskConfigs.get chronicle.ruleDeployments.get chronicle.ruleDeployments.list chronicle. chronicle.rules.get chronicle.rules.list chronicle.rules.listRevisions chronicle.rules.verifyRuleText chronicle.watchlists.get chronicle.watchlists.list resourcemanager.projects.get resourcemanager.projects.list |
Chronicle SOAR Admin Beta( Grants admin access to Chronicle SOAR. |
chronicle.instances.soarAdmin resourcemanager.projects.get resourcemanager.projects.list |
Chronicle SOAR Threat Manager Beta( Grants threat manager access to Chronicle SOAR. |
chronicle. resourcemanager.projects.get resourcemanager.projects.list |
Chronicle SOAR Vulnerability Manager Beta( Grants vulnerability manager access to Chronicle SOAR. |
chronicle. resourcemanager.projects.get resourcemanager.projects.list |
Chronicle API Viewer( Read-only access to the Chronicle API resources. |
chronicle.ais.* chronicle.analyticValues.list chronicle.analytics.list chronicle. chronicle.collectors.get chronicle.collectors.list chronicle.conversations.get chronicle.conversations.list chronicle. chronicle. chronicle. chronicle.curatedRuleSets.* chronicle.curatedRules.* chronicle.dashboards.get chronicle.dashboards.list chronicle.dashboards.schedule chronicle. chronicle. chronicle.dataExports.get chronicle.dataTaps.get chronicle.dataTaps.list chronicle.entities.find chronicle. chronicle.entities.get chronicle.entities.list chronicle. chronicle. chronicle.entities.summarize chronicle. chronicle. chronicle. chronicle. chronicle.events.batchGet chronicle. chronicle.events.get chronicle. chronicle.events.searchRawLogs chronicle.events.udmSearch chronicle.events.validateQuery chronicle.findingsGraphs.* chronicle. chronicle. chronicle. chronicle. chronicle. chronicle. chronicle. chronicle.forwarders.generate chronicle.forwarders.get chronicle.forwarders.list chronicle. chronicle. chronicle. chronicle.instances.get chronicle.instances.report chronicle. chronicle. chronicle. chronicle. chronicle. chronicle. chronicle. chronicle. chronicle. chronicle. chronicle. chronicle. chronicle. chronicle. chronicle. chronicle. chronicle. chronicle. chronicle. chronicle. chronicle. chronicle. chronicle. chronicle. chronicle. chronicle. chronicle. chronicle. chronicle. chronicle. chronicle. chronicle. chronicle. chronicle. chronicle. chronicle. chronicle. chronicle.logTypeSchemas.list chronicle.logs.export chronicle.logs.get chronicle.logs.list chronicle.messages.get chronicle.messages.list chronicle. chronicle.operations.get chronicle.operations.list chronicle. chronicle.operations.wait chronicle.preferenceSets.* chronicle.referenceLists.get chronicle.referenceLists.list chronicle. chronicle.retrohunts.get chronicle.retrohunts.list chronicle.riskConfigs.get chronicle.ruleDeployments.get chronicle.ruleDeployments.list chronicle. 
chronicle.rules.get chronicle.rules.list chronicle.rules.listRevisions chronicle.rules.verifyRuleText chronicle.searchQueries.* chronicle.watchlists.get chronicle.watchlists.list resourcemanager.projects.get resourcemanager.projects.list |
Cloud AlloyDB roles |
Permissions |
Cloud AlloyDB Admin Beta( Full access to all Cloud AlloyDB resources. |
alloydb.* cloudaicompanion. resourcemanager.projects.get resourcemanager.projects.list |
Cloud AlloyDB Client Beta( Connectivity access to Cloud AlloyDB instances. |
alloydb. alloydb.clusters.get alloydb.instances.connect alloydb.instances.get resourcemanager.projects.get resourcemanager.projects.list |
Cloud AlloyDB Database User Beta( Role allowing access to log in as a database user. |
alloydb.clusters.get alloydb.instances.get alloydb.users.login resourcemanager.projects.get resourcemanager.projects.list |
Cloud AlloyDB Viewer Beta( Read-only access to all Cloud AlloyDB resources. |
alloydb.backups.get alloydb.backups.list alloydb. alloydb. alloydb.clusters.get alloydb.clusters.list alloydb. alloydb. alloydb.databases.list alloydb.instances.get alloydb.instances.list alloydb.locations.* alloydb.operations.get alloydb.operations.list alloydb. alloydb.users.get alloydb.users.list cloudaicompanion. resourcemanager.projects.get resourcemanager.projects.list |
Cloud Asset roles |
Permissions |
Cloud Asset Owner( Full access to cloud assets metadata |
cloudasset.* recommender. recommender.locations.* |
Cloud Asset Viewer( Read only access to cloud assets metadata |
cloudasset.assets.* recommender. recommender. recommender.locations.* |
Cloud Bigtable roles |
Permissions |
Bigtable Administrator( Administers all Bigtable instances within a project, including the data stored within tables. Can create new instances. Intended for project administrators. Lowest-level resources where you can grant this role:
|
bigtable.* monitoring. monitoring. monitoring.timeSeries.* resourcemanager.projects.get |
Bigtable Reader( Provides read-only access to the data stored within Bigtable tables. Intended for data scientists, dashboard generators, and other data-analysis scenarios. Lowest-level resources where you can grant this role:
|
bigtable.appProfiles.get bigtable.appProfiles.list bigtable.authorizedViews.get bigtable.authorizedViews.list bigtable. bigtable. bigtable.backups.get bigtable.backups.list bigtable.clusters.get bigtable.clusters.list bigtable.hotTablets.list bigtable.instances.get bigtable.instances.list bigtable.instances.ping bigtable.keyvisualizer.* bigtable.locations.list bigtable. bigtable. bigtable.tables.get bigtable.tables.list bigtable.tables.readRows bigtable.tables.sampleRowKeys monitoring. monitoring. monitoring.timeSeries.* resourcemanager.projects.get |
Bigtable User( Provides read-write access to the data stored within Bigtable tables. Intended for application developers or service accounts. Lowest-level resources where you can grant this role:
|
bigtable.appProfiles.get bigtable.appProfiles.list bigtable.authorizedViews.get bigtable.authorizedViews.list bigtable. bigtable. bigtable. bigtable.backups.get bigtable.backups.list bigtable.clusters.get bigtable.clusters.list bigtable.hotTablets.list bigtable.instances.get bigtable.instances.list bigtable.instances.ping bigtable.keyvisualizer.* bigtable.locations.list bigtable. bigtable. bigtable.tables.get bigtable.tables.list bigtable.tables.mutateRows bigtable.tables.readRows bigtable.tables.sampleRowKeys monitoring. monitoring. monitoring.timeSeries.* resourcemanager.projects.get |
Bigtable Viewer( Provides no data access. Intended as a minimal set of permissions to access the Google Cloud console for Bigtable. Lowest-level resources where you can grant this role:
|
bigtable.appProfiles.get bigtable.appProfiles.list bigtable.authorizedViews.get bigtable.authorizedViews.list bigtable.backups.get bigtable.backups.list bigtable.clusters.get bigtable.clusters.list bigtable.hotTablets.list bigtable.instances.get bigtable.instances.list bigtable. bigtable. bigtable.locations.list bigtable. bigtable. bigtable.tables.get bigtable.tables.list monitoring. monitoring. monitoring.timeSeries.list resourcemanager.projects.get |
Cloud Build roles |
Permissions |
Cloud Build Approver( Can approve or reject pending builds. |
cloudbuild.builds.approve cloudbuild.builds.get cloudbuild.builds.list cloudbuild.operations.* remotebuildexecution.blobs.get resourcemanager.projects.get resourcemanager.projects.list |
Cloud Build Service Account( Provides access to perform builds. |
artifactregistry. artifactregistry. artifactregistry.files.* artifactregistry. artifactregistry.locations.* artifactregistry. artifactregistry.npmpackages.* artifactregistry.packages.get artifactregistry.packages.list artifactregistry. artifactregistry. artifactregistry. artifactregistry. artifactregistry. artifactregistry. artifactregistry. artifactregistry. artifactregistry. artifactregistry. artifactregistry. artifactregistry.tags.create artifactregistry.tags.get artifactregistry.tags.list artifactregistry.tags.update artifactregistry.versions.get artifactregistry.versions.list artifactregistry. cloudbuild.builds.create cloudbuild.builds.get cloudbuild.builds.list cloudbuild.builds.update cloudbuild.operations.* cloudbuild.workerpools.use containeranalysis. containeranalysis. containeranalysis. containeranalysis. containeranalysis. logging.logEntries.create logging.logEntries.list logging.views.access pubsub.topics.create pubsub.topics.publish remotebuildexecution.blobs.get resourcemanager.projects.get resourcemanager.projects.list source.repos.get source.repos.list storage.buckets.create storage.buckets.get storage.buckets.list storage.objects.create storage.objects.delete storage.objects.get storage.objects.list storage.objects.update |
Cloud Build Editor( Provides access to create and cancel builds. Lowest-level resources where you can grant this role:
|
cloudbuild.builds.create cloudbuild.builds.get cloudbuild.builds.list cloudbuild.builds.update cloudbuild.operations.* remotebuildexecution.blobs.get resourcemanager.projects.get resourcemanager.projects.list |
Cloud Build Viewer( Provides access to view builds. Lowest-level resources where you can grant this role:
|
cloudbuild.builds.get cloudbuild.builds.list cloudbuild.operations.* remotebuildexecution.blobs.get resourcemanager.projects.get resourcemanager.projects.list |
Cloud Build Connection Admin( Can manage connections and repositories. |
cloudbuild.connections.* cloudbuild.operations.* cloudbuild.repositories.create cloudbuild.repositories.delete cloudbuild. cloudbuild.repositories.get cloudbuild.repositories.list resourcemanager.projects.get resourcemanager.projects.list |
Cloud Build Connection Viewer( Can view and list connections and repositories. |
cloudbuild. cloudbuild.connections.get cloudbuild. cloudbuild.connections.list cloudbuild. cloudbuild.repositories.get cloudbuild.repositories.list resourcemanager.projects.get resourcemanager.projects.list |
Cloud Build Integrations Editor( Can update Integrations |
cloudbuild.integrations.get cloudbuild.integrations.list cloudbuild.integrations.update resourcemanager.projects.get resourcemanager.projects.list |
Cloud Build Integrations Owner( Can create/delete Integrations |
cloudbuild.integrations.* compute.firewalls.create compute.firewalls.get compute.firewalls.list compute.networks.get compute.networks.updatePolicy compute.regions.get compute.subnetworks.get compute.subnetworks.list resourcemanager.projects.get resourcemanager.projects.list |
Cloud Build Integrations Viewer( Can view Integrations |
cloudbuild.integrations.get cloudbuild.integrations.list resourcemanager.projects.get resourcemanager.projects.list |
Cloud Build Read Only Token Accessor( Can view the connection and access its read-only token. |
cloudbuild.connections.get cloudbuild. cloudbuild.repositories.get |
Cloud Build Token Accessor( Can view the connection and access its read/write and read-only tokens. |
cloudbuild.connections.get cloudbuild. cloudbuild. cloudbuild.repositories.get cloudbuild.repositories.list |
Cloud Build WorkerPool Editor( Can update and view WorkerPools |
cloudbuild.workerpools.get cloudbuild.workerpools.list cloudbuild.workerpools.update resourcemanager.projects.get resourcemanager.projects.list |
Cloud Build WorkerPool Owner( Can create, delete, update, and view WorkerPools |
cloudbuild.workerpools.create cloudbuild.workerpools.delete cloudbuild.workerpools.get cloudbuild.workerpools.list cloudbuild.workerpools.update resourcemanager.projects.get resourcemanager.projects.list |
Cloud Build WorkerPool User( Can run builds in the WorkerPool |
cloudbuild.workerpools.use |
Cloud Build WorkerPool Viewer( Can view WorkerPools |
cloudbuild.workerpools.get cloudbuild.workerpools.list resourcemanager.projects.get resourcemanager.projects.list |
Cloud Composer roles |
Permissions |
Cloud Composer v2 API Service Agent Extension( Cloud Composer v2 API Service Agent Extension is a supplementary role required to manage Composer v2 environments. |
iam. iam. |
Composer Administrator( Provides full control of Cloud Composer resources. Lowest-level resources where you can grant this role:
|
composer.* serviceusage.quotas.get serviceusage.services.get serviceusage.services.list |
Environment and Storage Object Administrator( Provides full control of Cloud Composer resources and of the objects in all project buckets. Lowest-level resources where you can grant this role:
|
composer.* orgpolicy.policy.get resourcemanager.projects.get resourcemanager.projects.list serviceusage.quotas.get serviceusage.services.get serviceusage.services.list storage.managedFolders.create storage.managedFolders.delete storage.managedFolders.get storage.managedFolders.list storage.multipartUploads.* storage.objects.* |
Environment and Storage Object User( Read and use access to Cloud Composer resources and read access to Cloud Storage objects. |
composer.dags.* composer.environments.get composer.environments.list composer.imageversions.list composer.operations.get composer.operations.list composer. composer. composer. composer. resourcemanager.projects.get resourcemanager.projects.list serviceusage.quotas.get serviceusage.services.get serviceusage.services.list storage.managedFolders.get storage.managedFolders.list storage.objects.get storage.objects.list |
Environment and Storage Object Viewer( Provides the permissions necessary to list and get Cloud Composer environments and operations. Provides read-only access to objects in all project buckets. Lowest-level resources where you can grant this role:
|
composer.dags.* composer.environments.get composer.environments.list composer.imageversions.list composer.operations.get composer.operations.list composer. composer. composer. composer. resourcemanager.projects.get resourcemanager.projects.list serviceusage.quotas.get serviceusage.services.get serviceusage.services.list storage.managedFolders.get storage.managedFolders.list storage.objects.get storage.objects.list |
Composer Shared VPC Agent( Role that should be assigned to Composer Agent service account in Shared VPC host project |
compute. compute. compute.networkAttachments.get compute. compute.networks.access compute.networks.addPeering compute.networks.get compute.networks.list compute. compute.networks.removePeering compute.networks.updatePeering compute.networks.use compute.networks.useExternalIp compute.projects.get compute.regions.* compute.subnetworks.get compute.subnetworks.list compute.subnetworks.use compute. compute.zones.* dns.managedZones.get dns.managedZones.list dns. |
Composer User( Provides the permissions necessary to list and get Cloud Composer environments and operations. Lowest-level resources where you can grant this role:
|
composer.dags.* composer.environments.get composer.environments.list composer.imageversions.list composer.operations.get composer.operations.list composer. composer. composer. composer. serviceusage.quotas.get serviceusage.services.get serviceusage.services.list |
Composer Worker( Provides the permissions necessary to run a Cloud Composer environment VM. Intended for service accounts. Lowest-level resources where you can grant this role:
|
artifactregistry.* cloudbuild.builds.create cloudbuild.builds.get cloudbuild.builds.list cloudbuild.builds.update cloudbuild.operations.* cloudbuild.workerpools.use composer.environments.get container.* containeranalysis. containeranalysis. containeranalysis. containeranalysis. containeranalysis. datalineage.events.create datalineage.processes.create datalineage.processes.get datalineage.processes.update datalineage.runs.create datalineage.runs.get datalineage.runs.update logging.logEntries.create logging.logEntries.list logging.logEntries.route logging.views.access monitoring. monitoring. monitoring. monitoring. monitoring.timeSeries.* orgpolicy.policy.get pubsub.schemas.attach pubsub.schemas.commit pubsub.schemas.create pubsub.schemas.delete pubsub.schemas.get pubsub.schemas.list pubsub.schemas.listRevisions pubsub.schemas.rollback pubsub.schemas.validate pubsub.snapshots.create pubsub.snapshots.delete pubsub.snapshots.get pubsub.snapshots.list pubsub.snapshots.seek pubsub.snapshots.update pubsub.subscriptions.consume pubsub.subscriptions.create pubsub.subscriptions.delete pubsub.subscriptions.get pubsub.subscriptions.list pubsub.subscriptions.update pubsub. pubsub.topics.create pubsub.topics.delete pubsub. pubsub.topics.get pubsub.topics.list pubsub.topics.publish pubsub.topics.update pubsub.topics.updateTag recommender. recommender. recommender.locations.* recommender. recommender. remotebuildexecution.blobs.get resourcemanager.projects.get resourcemanager.projects.list serviceusage.quotas.get serviceusage.services.get serviceusage.services.list source.repos.get source.repos.list storage.buckets.create storage.buckets.get storage.buckets.list storage.managedFolders.create storage.managedFolders.delete storage.managedFolders.get storage.managedFolders.list storage.multipartUploads.* storage.objects.* |
Cloud Connectors roles |
Permissions |
Connector Admin( Full access to all resources of Connectors Service. |
connectors.actions.* connectors.connections.create connectors.connections.delete connectors. connectors.connections.get connectors. connectors. connectors. connectors. connectors.connections.list connectors. connectors.connections.update connectors.connectors.* connectors. connectors.customConnectors.* connectors. connectors.entities.* connectors.entityTypes.list connectors. connectors.eventtypes.* connectors.locations.* connectors.managedZones.* connectors.operations.* connectors.providers.* connectors.regionalSettings.* connectors.runtimeconfig.get connectors. connectors.settings.* connectors.versions.* resourcemanager.projects.get resourcemanager.projects.list secretmanager. |
Custom Connectors Admin( Custom Connector is a global resource which creates custom connector within the given target project. This role grants Admin access to Custom Connector resources |
connectors. connectors.customConnectors.* connectors.locations.* |
Custom Connector Viewer( Custom Connector is a global resource which creates custom connector within the given target project. This role grants Read-only access to Custom Connector & Custom Connector Version resources. |
connectors. connectors. connectors. connectors. connectors. connectors. connectors.locations.* |
Connectors Endpoint Attachment Admin( Endpoint Attachment is a regional resource which creates PSC connection endpoint for the given PSC Service Attachment. This role grants Admin access to Connectors Endpoint Attachment resources. |
connectors. connectors.locations.* |
Connectors Endpoint Attachment Viewer( Endpoint Attachment is a regional resource which creates PSC connection endpoint for the given PSC Service Attachment. This role grants Read-only access to Connectors Endpoint Attachment resources |
connectors. connectors. connectors. connectors.locations.* |
Connectors Event Subscriptions Admin( Event Subscription is a regional resource which creates subscriptions on events for a given connection within the given target project. This role grants Admin access to Connectors Subscription resources |
connectors. |
Connectors Event Subscriptions Viewer( Event Subscription is a regional resource which creates subscriptions on events for a given connection within the given target project. This role grants Read-only access to Event Subscription resources. |
connectors. connectors. |
Connector Invoker( Full access to invoke all operations on Connections. |
connectors.actions.* connectors. connectors.entities.* connectors.entityTypes.list |
Connector Event Listener( Full access to listen to events by connections. |
connectors. |
Connectors Managed Zone Admin( Managed Zone is a global resource which creates Cloud DNS Peering Zone with the given target project. This role grants Admin access to Connectors Managed Zone resources |
connectors.locations.* connectors.managedZones.* |
Connectors Managed Zone Viewer( Managed Zone is a global resource which creates Cloud DNS Peering Zone with the given target project. This role grants Read-only access to Connectors Managed Zone resources. |
connectors.locations.* connectors.managedZones.get connectors. connectors.managedZones.list |
Connectors Viewer( Read-only access to all Connectors resources. |
connectors.connections.get connectors. connectors. connectors. connectors. connectors.connections.list connectors.connectors.* connectors. connectors. connectors. connectors. connectors. connectors. connectors. connectors. connectors. connectors. connectors. connectors.eventtypes.* connectors.locations.* connectors.managedZones.get connectors. connectors.managedZones.list connectors.operations.get connectors.operations.list connectors.providers.* connectors. connectors.runtimeconfig.get connectors.settings.get connectors.versions.* resourcemanager.projects.get resourcemanager.projects.list |
Cloud Data Fusion roles |
Permissions |
Cloud Data Fusion Accessor Beta( Read-only access to Cloud Data Fusion Instances. Use it on instance level along with the namespace grants to provide access to the specific namespace. |
datafusion.instances.get datafusion. datafusion.instances.list resourcemanager.projects.get resourcemanager.projects.list |
Cloud Data Fusion Admin( Full access to Cloud Data Fusion Instances, Namespaces and related resources. Lowest-level resources where you can grant this role:
|
datafusion.* resourcemanager.projects.get resourcemanager.projects.list |
Cloud Data Fusion Developer Beta( Access Cloud Data Fusion Instances, develop and run pipelines. |
datafusion.artifacts.get datafusion.artifacts.list datafusion.instances.get datafusion. datafusion.instances.list datafusion.locations.* datafusion.operations.get datafusion.operations.list datafusion. datafusion. datafusion. datafusion.pipelines.* datafusion.profiles.get datafusion.profiles.list datafusion.secureKeys.* resourcemanager.projects.get resourcemanager.projects.list |
Cloud Data Fusion Operator Beta( Access Cloud Data Fusion Instances, operate namespaces and related resources. |
datafusion.artifacts.* datafusion.instances.get datafusion. datafusion.instances.list datafusion.locations.* datafusion.operations.get datafusion.operations.list datafusion. datafusion. datafusion. datafusion.pipelines.create datafusion.pipelines.delete datafusion.pipelines.execute datafusion.pipelines.get datafusion.pipelines.list datafusion.pipelines.update datafusion.profiles.* datafusion.secureKeys.* resourcemanager.projects.get resourcemanager.projects.list |
Cloud Data Fusion Runner( Access to Cloud Data Fusion runtime resources. |
datafusion.instances.runtime |
Cloud Data Fusion Viewer( Read-only access to Cloud Data Fusion Instances, Namespaces and related resources. Lowest-level resources where you can grant this role:
|
datafusion.artifacts.get datafusion.artifacts.list datafusion.instances.get datafusion. datafusion.instances.list datafusion.locations.* datafusion.operations.get datafusion.operations.list datafusion. datafusion. datafusion.pipelines.get datafusion.pipelines.list datafusion.profiles.get datafusion.profiles.list datafusion.secureKeys.list resourcemanager.projects.get resourcemanager.projects.list |
Cloud Data Labeling roles |
Permissions |
Data Labeling Service Admin Beta( Full access to all Data Labeling resources |
datalabeling.* resourcemanager.projects.get resourcemanager.projects.list |
Data Labeling Service Editor Beta( Editor of all Data Labeling resources |
datalabeling.* resourcemanager.projects.get resourcemanager.projects.list |
Data Labeling Service Viewer Beta( Viewer of all Data Labeling resources |
datalabeling. datalabeling. datalabeling. datalabeling. datalabeling.dataitems.* datalabeling.datasets.get datalabeling.datasets.list datalabeling.examples.* datalabeling.instructions.get datalabeling.instructions.list datalabeling.operations.get datalabeling.operations.list resourcemanager.projects.get resourcemanager.projects.list |
Cloud Dataplex roles |
Permissions |
Dataplex Administrator( Full access to all Dataplex resources. |
cloudasset. cloudasset. cloudasset. dataplex.assetActions.list dataplex.assets.create dataplex.assets.delete dataplex.assets.get dataplex.assets.getIamPolicy dataplex.assets.list dataplex.assets.setIamPolicy dataplex.assets.update dataplex.content.* dataplex. dataplex.dataAttributes.* dataplex.dataTaxonomies.* dataplex.datascans.* dataplex.entities.* dataplex.environments.* dataplex.lakeActions.list dataplex.lakes.* dataplex.locations.* dataplex.operations.* dataplex.partitions.* dataplex.tasks.* dataplex.zoneActions.list dataplex.zones.* resourcemanager.projects.get resourcemanager.projects.list |
Dataplex Aspect Type Owner( Grants access to creating and managing Aspect Types. Does not give the right to create/modify Entries. |
dataplex.aspectTypes.* resourcemanager.projects.get resourcemanager.projects.list |
Dataplex Aspect Type User( Grants access to use Aspect Types to create/modify Entries with the corresponding aspects. |
dataplex.aspectTypes.get dataplex.aspectTypes.list dataplex.aspectTypes.use resourcemanager.projects.get resourcemanager.projects.list |
Dataplex Binding Administrator( Full access on DataAttribute Binding resources. |
dataplex. |
Dataplex Catalog Admin Beta( Has full access to Catalog resources: Entry Groups, Entry Types, Aspect Types and Entries. |
dataplex.aspectTypes.* dataplex.entries.* dataplex.entryGroups.* dataplex.entryTypes.* resourcemanager.projects.get resourcemanager.projects.list |
Dataplex Catalog Editor Beta( Has write access to Catalog resources: Entry Groups, Entry Types, Aspect Types and Entries. Cannot set IAM policies on resources |
dataplex.aspectTypes.create dataplex.aspectTypes.delete dataplex.aspectTypes.get dataplex. dataplex.aspectTypes.list dataplex.aspectTypes.update dataplex.aspectTypes.use dataplex.entries.* dataplex.entryGroups.create dataplex.entryGroups.delete dataplex.entryGroups.get dataplex. dataplex.entryGroups.list dataplex.entryGroups.update dataplex. dataplex. dataplex. dataplex. dataplex. dataplex.entryTypes.create dataplex.entryTypes.delete dataplex.entryTypes.get dataplex. dataplex.entryTypes.list dataplex.entryTypes.update dataplex.entryTypes.use resourcemanager.projects.get resourcemanager.projects.list |
Dataplex Catalog Viewer Beta( Has read access to Catalog resources: Entry Groups, Entry Types, Aspect Types and Entries. Can view IAM policies on Catalog resources. |
dataplex.aspectTypes.get dataplex. dataplex.aspectTypes.list dataplex.entries.get dataplex.entries.list dataplex.entryGroups.get dataplex. dataplex.entryGroups.list dataplex.entryTypes.get dataplex. dataplex.entryTypes.list resourcemanager.projects.get resourcemanager.projects.list |
Dataplex Data Owner( Owner access to data. To be granted to Dataplex resources Lake, Zone or Asset only. |
dataplex.assets.ownData dataplex.assets.readData dataplex.assets.writeData |
Dataplex Data Reader( Read only access to data. To be granted to Dataplex resources Lake, Zone or Asset only. |
dataplex.assets.readData |
Dataplex DataScan Administrator( Full access to DataScan resources. |
dataplex.datascans.* dataplex.operations.get dataplex.operations.list |
Dataplex DataScan Creator( Access to create new DataScan resources. |
dataplex.datascans.create dataplex.datascans.get dataplex.datascans.list dataplex.operations.get |
Dataplex DataScan DataViewer( Read access to DataScan resources and additional contents. |
dataplex.datascans.get dataplex.datascans.getData dataplex. dataplex.datascans.list |
Dataplex DataScan Editor( Write access to DataScan resources. |
dataplex.datascans.create dataplex.datascans.delete dataplex.datascans.get dataplex.datascans.getData dataplex. dataplex.datascans.list dataplex.datascans.run dataplex.datascans.update dataplex.operations.get dataplex.operations.list |
Dataplex DataScan Viewer( Read access to DataScan resources. |
dataplex.datascans.get dataplex. dataplex.datascans.list |
Dataplex Data Writer( Write access to data. To be granted to Dataplex resources Lake, Zone or Asset only. |
dataplex.assets.writeData |
Dataplex Developer( Allows running data analytics workloads in a lake. |
dataplex.content.* dataplex.environments.execute dataplex.environments.get dataplex.environments.list dataplex.tasks.cancel dataplex.tasks.create dataplex.tasks.delete dataplex.tasks.get dataplex.tasks.list dataplex.tasks.run dataplex.tasks.update |
Dataplex Editor( Write access to Dataplex resources. |
cloudasset. dataplex.assetActions.list dataplex.assets.create dataplex.assets.delete dataplex.assets.get dataplex.assets.getIamPolicy dataplex.assets.list dataplex.assets.update dataplex.content.delete dataplex.content.get dataplex.content.getIamPolicy dataplex.content.list dataplex. dataplex. dataplex. dataplex. dataplex. dataplex. dataplex.dataAttributes.bind dataplex.dataAttributes.create dataplex.dataAttributes.delete dataplex.dataAttributes.get dataplex. dataplex.dataAttributes.list dataplex.dataAttributes.update dataplex. dataplex. dataplex.dataTaxonomies.create dataplex.dataTaxonomies.delete dataplex.dataTaxonomies.get dataplex. dataplex.dataTaxonomies.list dataplex.dataTaxonomies.update dataplex.datascans.create dataplex.datascans.delete dataplex.datascans.get dataplex. dataplex.datascans.list dataplex.datascans.run dataplex.datascans.update dataplex.environments.create dataplex.environments.delete dataplex.environments.get dataplex. dataplex.environments.list dataplex.environments.update dataplex.lakeActions.list dataplex.lakes.create dataplex.lakes.delete dataplex.lakes.get dataplex.lakes.getIamPolicy dataplex.lakes.list dataplex.lakes.update dataplex.operations.* dataplex.tasks.cancel dataplex.tasks.create dataplex.tasks.delete dataplex.tasks.get dataplex.tasks.getIamPolicy dataplex.tasks.list dataplex.tasks.run dataplex.tasks.update dataplex.zoneActions.list dataplex.zones.create dataplex.zones.delete dataplex.zones.get dataplex.zones.getIamPolicy dataplex.zones.list dataplex.zones.update |
Dataplex Entry Group Owner( Owns Entry Groups and Entries inside of them. |
dataplex.aspectTypes.get dataplex.aspectTypes.list dataplex.aspectTypes.use dataplex.entries.* dataplex.entryGroups.* dataplex.entryTypes.get dataplex.entryTypes.list dataplex.entryTypes.use resourcemanager.projects.get resourcemanager.projects.list |
Dataplex Entry Owner( Owns Metadata Entries. |
dataplex.aspectTypes.get dataplex.aspectTypes.list dataplex.aspectTypes.use dataplex.entries.* dataplex.entryGroups.get dataplex. dataplex. dataplex. dataplex. dataplex. dataplex.entryTypes.get dataplex.entryTypes.list dataplex.entryTypes.use resourcemanager.projects.get resourcemanager.projects.list |
Dataplex Entry Type Owner( Grants access to creating and managing Entry Types. Does not give the right to create/modify Entries. |
dataplex.entryTypes.* resourcemanager.projects.get resourcemanager.projects.list |
Dataplex Entry Type User( Grants access to use Entry Types to create/modify Entries of those types. |
dataplex.entryTypes.get dataplex.entryTypes.list dataplex.entryTypes.use resourcemanager.projects.get resourcemanager.projects.list |
Dataplex Metadata Reader( Read only access to metadata. |
dataplex.assets.get dataplex.assets.list dataplex.entities.get dataplex.entities.list dataplex.partitions.get dataplex.partitions.list dataplex.zones.get dataplex.zones.list resourcemanager.projects.get resourcemanager.projects.list |
Dataplex Metadata Writer( Write and Read access to metadata. |
dataplex.assets.get dataplex.assets.list dataplex.entities.* dataplex.partitions.* dataplex.zones.get dataplex.zones.list resourcemanager.projects.get resourcemanager.projects.list |
Dataplex Security Administrator( Permissions to configure ResourceAccess and DataAccess Specs on Data Attributes. |
dataplex. dataplex. |
Dataplex Storage Data Owner( Owner access to data. Should not be used directly. This role is granted by Dataplex to managed resources like Cloud Storage buckets, BigQuery datasets etc. |
bigquery.datasets.get bigquery.models.create bigquery.models.delete bigquery.models.export bigquery.models.getData bigquery.models.getMetadata bigquery.models.list bigquery.models.updateData bigquery.models.updateMetadata bigquery.routines.create bigquery.routines.delete bigquery.routines.get bigquery.routines.list bigquery.routines.update bigquery.tables.create bigquery.tables.createSnapshot bigquery.tables.delete bigquery.tables.deleteSnapshot bigquery.tables.export bigquery.tables.get bigquery.tables.getData bigquery.tables.list bigquery. bigquery.tables.update bigquery.tables.updateData storage.buckets.get storage.objects.create storage.objects.delete storage.objects.get storage.objects.list storage.objects.update |
Dataplex Storage Data Reader( Read only access to data. Should not be used directly. This role is granted by Dataplex to managed resources like Cloud Storage buckets, BigQuery datasets etc. |
bigquery.datasets.get bigquery.models.export bigquery.models.getData bigquery.models.getMetadata bigquery.models.list bigquery.routines.get bigquery.routines.list bigquery.tables.export bigquery.tables.get bigquery.tables.getData bigquery.tables.list storage.buckets.get storage.objects.get storage.objects.list |
Dataplex Storage Data Writer( Write access to data. Should not be used directly. This role is granted by Dataplex to managed resources like Cloud Storage buckets, BigQuery datasets etc. |
bigquery.tables.updateData storage.objects.create storage.objects.delete storage.objects.update |
Dataplex Taxonomy Administrator( Full access to DataTaxonomy, DataAttribute resources. |
dataplex.dataAttributes.* dataplex.dataTaxonomies.create dataplex.dataTaxonomies.delete dataplex.dataTaxonomies.get dataplex. dataplex.dataTaxonomies.list dataplex. dataplex.dataTaxonomies.update |
Dataplex Taxonomy Viewer( Read access on DataTaxonomy, DataAttribute resources. |
dataplex.dataAttributes.get dataplex. dataplex.dataAttributes.list dataplex.dataTaxonomies.get dataplex. dataplex.dataTaxonomies.list |
Dataplex Viewer( Read access to Dataplex resources. |
cloudasset. dataplex.assetActions.list dataplex.assets.get dataplex.assets.getIamPolicy dataplex.assets.list dataplex.content.get dataplex.content.getIamPolicy dataplex.content.list dataplex. dataplex. dataplex. dataplex.dataAttributes.get dataplex. dataplex.dataAttributes.list dataplex.dataTaxonomies.get dataplex. dataplex.dataTaxonomies.list dataplex.datascans.get dataplex. dataplex.datascans.list dataplex.environments.get dataplex. dataplex.environments.list dataplex.lakeActions.list dataplex.lakes.get dataplex.lakes.getIamPolicy dataplex.lakes.list dataplex.operations.get dataplex.operations.list dataplex.tasks.get dataplex.tasks.getIamPolicy dataplex.tasks.list dataplex.zoneActions.list dataplex.zones.get dataplex.zones.getIamPolicy dataplex.zones.list |
Cloud Debugger roles |
Permissions |
Cloud Debugger Agent Beta( Provides permissions to register the debug target, read active breakpoints, and report breakpoint results. Lowest-level resources where you can grant this role:
|
clouddebugger.breakpoints.list clouddebugger. clouddebugger. clouddebugger.debuggees.create |
Cloud Debugger User Beta( Provides permissions to create, view, list, and delete breakpoints (snapshots & logpoints) as well as list debug targets (debuggees). Lowest-level resources where you can grant this role:
|
clouddebugger. clouddebugger. clouddebugger.breakpoints.get clouddebugger.breakpoints.list clouddebugger.debuggees.list |
Cloud Deploy roles |
Permissions |
Cloud Deploy Admin( Full control of Cloud Deploy resources. |
clouddeploy.* resourcemanager.projects.get resourcemanager.projects.list |
Cloud Deploy Approver( Permission to approve or reject rollouts. |
clouddeploy.config.get clouddeploy.jobRuns.get clouddeploy.jobRuns.list clouddeploy.locations.* clouddeploy.operations.* clouddeploy.rollouts.approve clouddeploy.rollouts.get clouddeploy.rollouts.list resourcemanager.projects.get resourcemanager.projects.list |
Cloud Deploy Custom Target Type Admin Beta( Permission to manage CustomTargetType resources |
clouddeploy.config.get clouddeploy. resourcemanager.projects.get resourcemanager.projects.list |
Cloud Deploy Developer( Permission to manage deployment configuration without permission to access operational resources, such as targets. |
clouddeploy.automationRuns.get clouddeploy. clouddeploy.automations.get clouddeploy.automations.list clouddeploy.config.get clouddeploy. clouddeploy. clouddeploy. clouddeploy. clouddeploy. clouddeploy. clouddeploy.jobRuns.get clouddeploy.jobRuns.list clouddeploy.locations.* clouddeploy.operations.* clouddeploy.releases.* clouddeploy.rollouts.get clouddeploy.rollouts.list resourcemanager.projects.get resourcemanager.projects.list |
Cloud Deploy Runner( Permission to execute Cloud Deploy work without permission to deliver to a target. |
clouddeploy.config.get logging.logEntries.create storage.objects.create storage.objects.get storage.objects.list |
Cloud Deploy Operator( Permission to manage deployment configuration. |
clouddeploy.automationRuns.* clouddeploy.automations.* clouddeploy.config.get clouddeploy. clouddeploy. clouddeploy. clouddeploy. clouddeploy. clouddeploy. clouddeploy. clouddeploy. clouddeploy. clouddeploy.jobRuns.* clouddeploy.locations.* clouddeploy.operations.* clouddeploy.releases.* clouddeploy.rollouts.advance clouddeploy.rollouts.cancel clouddeploy.rollouts.create clouddeploy.rollouts.get clouddeploy.rollouts.ignoreJob clouddeploy.rollouts.list clouddeploy.rollouts.retryJob clouddeploy.rollouts.rollback clouddeploy.targets.create clouddeploy.targets.delete clouddeploy.targets.get clouddeploy. clouddeploy.targets.list clouddeploy.targets.update resourcemanager.projects.get resourcemanager.projects.list |
Cloud Deploy Releaser( Permission to create Cloud Deploy releases and rollouts. |
clouddeploy.config.get clouddeploy. clouddeploy. clouddeploy.jobRuns.get clouddeploy.jobRuns.list clouddeploy.locations.* clouddeploy.operations.* clouddeploy.releases.create clouddeploy.releases.get clouddeploy.releases.list clouddeploy.rollouts.advance clouddeploy.rollouts.cancel clouddeploy.rollouts.create clouddeploy.rollouts.get clouddeploy.rollouts.list clouddeploy.rollouts.rollback clouddeploy.targets.get resourcemanager.projects.get resourcemanager.projects.list |
Cloud Deploy Viewer( Can view Cloud Deploy resources. |
clouddeploy.automationRuns.get clouddeploy. clouddeploy.automations.get clouddeploy.automations.list clouddeploy.config.get clouddeploy. clouddeploy. clouddeploy. clouddeploy. clouddeploy. clouddeploy. clouddeploy.jobRuns.get clouddeploy.jobRuns.list clouddeploy.locations.* clouddeploy.operations.get clouddeploy.operations.list clouddeploy.releases.get clouddeploy.releases.list clouddeploy.rollouts.get clouddeploy.rollouts.list clouddeploy.targets.get clouddeploy. clouddeploy.targets.list resourcemanager.projects.get resourcemanager.projects.list |
Cloud DLP roles |
Permissions |
DLP Administrator( Administer DLP including jobs and templates. |
dlp.analyzeRiskTemplates.* dlp.charts.get dlp.columnDataProfiles.* dlp.connections.* dlp.deidentifyTemplates.* dlp.estimates.* dlp.inspectFindings.list dlp.inspectTemplates.* dlp.jobTriggers.* dlp.jobs.* dlp.kms.encrypt dlp.locations.* dlp.projectDataProfiles.* dlp.storedInfoTypes.* dlp.subscriptions.* dlp.tableDataProfiles.get dlp.tableDataProfiles.list resourcemanager.projects.get resourcemanager.projects.list serviceusage.services.use |
DLP Analyze Risk Templates Editor( Edit DLP analyze risk templates. |
dlp.analyzeRiskTemplates.* |
DLP Analyze Risk Templates Reader( Read DLP analyze risk templates. |
dlp.analyzeRiskTemplates.get dlp.analyzeRiskTemplates.list |
DLP Column Data Profiles Reader( Read DLP column profiles. |
dlp.columnDataProfiles.* |
DLP Connections Admin( Manage DLP Connections. |
dlp.connections.* resourcemanager.projects.get resourcemanager.projects.list |
DLP Connections Viewer( View DLP Connections. |
dlp.connections.get dlp.connections.list dlp.connections.search |
DLP Data Profiles Admin( Manage DLP profiles. |
dlp.charts.get dlp.columnDataProfiles.* dlp.projectDataProfiles.* dlp.tableDataProfiles.* |
DLP Data Profiles Reader( Read DLP profiles. |
dlp.charts.get dlp.columnDataProfiles.* dlp.projectDataProfiles.* dlp.tableDataProfiles.get dlp.tableDataProfiles.list |
DLP De-identify Templates Editor( Edit DLP de-identify templates. |
dlp.deidentifyTemplates.* |
DLP De-identify Templates Reader( Read DLP de-identify templates. |
dlp.deidentifyTemplates.get dlp.deidentifyTemplates.list |
DLP Cost Estimation( Manage DLP Cost Estimates. |
dlp.estimates.* |
DLP Inspect Findings Reader( Read DLP stored findings. |
dlp.inspectFindings.list |
DLP Inspect Templates Editor( Edit DLP inspect templates. |
dlp.inspectTemplates.* |
DLP Inspect Templates Reader( Read DLP inspect templates. |
dlp.inspectTemplates.get dlp.inspectTemplates.list |
DLP Job Triggers Editor( Edit job triggers configurations. |
dlp.jobTriggers.* |
DLP Job Triggers Reader( Read job triggers. |
dlp.jobTriggers.get dlp.jobTriggers.list |
DLP Jobs Editor( Edit and create jobs |
dlp.jobs.* dlp.kms.encrypt |
DLP Jobs Reader( Read jobs |
dlp.jobs.get dlp.jobs.list |
DLP Organization Data Profiles Driver( Permissions needed by the DLP service account to generate data profiles within an organization or folder. Lowest-level resources where you can grant this role:
|
bigquery.bireservations.get bigquery. bigquery. bigquery.config.get bigquery.connections.updateTag bigquery.datasets.create bigquery.datasets.get bigquery.datasets.getIamPolicy bigquery.datasets.updateTag bigquery.jobs.create bigquery.jobs.get bigquery.jobs.list bigquery.jobs.listAll bigquery. bigquery.models.* bigquery.readsessions.* bigquery. bigquery. bigquery.reservations.get bigquery.reservations.list bigquery.routines.* bigquery.savedqueries.get bigquery.savedqueries.list bigquery.tables.create bigquery.tables.createIndex bigquery.tables.createSnapshot bigquery.tables.delete bigquery.tables.deleteIndex bigquery.tables.export bigquery.tables.get bigquery.tables.getData bigquery.tables.getIamPolicy bigquery.tables.list bigquery.tables.replicateData bigquery. bigquery.tables.update bigquery.tables.updateData bigquery.tables.updateTag bigquery.transfers.get bigquerymigration. cloudasset.assets.* cloudsql.instances.connect cloudsql.instances.get cloudsql.instances.login datacatalog. datacatalog.entries.updateTag datacatalog. datacatalog. datacatalog.tagTemplates.get datacatalog. datacatalog.tagTemplates.use dataform.locations.* dataform.repositories.create dataform.repositories.list dlp.analyzeRiskTemplates.* dlp.charts.get dlp.columnDataProfiles.* dlp.connections.* dlp.deidentifyTemplates.* dlp.estimates.* dlp.inspectFindings.list dlp.inspectTemplates.* dlp.jobTriggers.* dlp.jobs.* dlp.kms.encrypt dlp.locations.* dlp.projectDataProfiles.* dlp.storedInfoTypes.* dlp.subscriptions.* dlp.tableDataProfiles.get dlp.tableDataProfiles.list pubsub.topics.updateTag recommender. recommender. recommender.locations.* resourcemanager.projects.get resourcemanager.projects.list serviceusage.services.use |
DLP Project Data Profiles Reader( Read DLP project profiles. |
dlp.projectDataProfiles.* |
DLP Project Data Profiles Driver( Permissions needed by the DLP service account to generate data profiles within a project. |
bigquery.bireservations.get bigquery. bigquery. bigquery.config.get bigquery.connections.updateTag bigquery.datasets.create bigquery.datasets.get bigquery.datasets.getIamPolicy bigquery.datasets.updateTag bigquery.jobs.create bigquery.jobs.get bigquery.jobs.list bigquery.jobs.listAll bigquery. bigquery.models.* bigquery.readsessions.* bigquery. bigquery. bigquery.reservations.get bigquery.reservations.list bigquery.routines.* bigquery.savedqueries.get bigquery.savedqueries.list bigquery.tables.create bigquery.tables.createIndex bigquery.tables.createSnapshot bigquery.tables.delete bigquery.tables.deleteIndex bigquery.tables.export bigquery.tables.get bigquery.tables.getData bigquery.tables.getIamPolicy bigquery.tables.list bigquery.tables.replicateData bigquery. bigquery.tables.update bigquery.tables.updateData bigquery.tables.updateTag bigquery.transfers.get bigquerymigration. cloudasset.assets.* cloudsql.instances.connect cloudsql.instances.get cloudsql.instances.login datacatalog. datacatalog.entries.updateTag datacatalog. datacatalog. datacatalog.tagTemplates.get datacatalog. datacatalog.tagTemplates.use dataform.locations.* dataform.repositories.create dataform.repositories.list dlp.analyzeRiskTemplates.* dlp.charts.get dlp.columnDataProfiles.* dlp.connections.* dlp.deidentifyTemplates.* dlp.estimates.* dlp.inspectFindings.list dlp.inspectTemplates.* dlp.jobTriggers.* dlp.jobs.* dlp.kms.encrypt dlp.locations.* dlp.projectDataProfiles.* dlp.storedInfoTypes.* dlp.subscriptions.* dlp.tableDataProfiles.get dlp.tableDataProfiles.list pubsub.topics.updateTag recommender. recommender. recommender.locations.* resourcemanager.projects.get resourcemanager.projects.list serviceusage.services.use |
DLP Reader( Read DLP entities, such as jobs and templates. |
dlp.analyzeRiskTemplates.get dlp.analyzeRiskTemplates.list dlp.deidentifyTemplates.get dlp.deidentifyTemplates.list dlp.inspectFindings.list dlp.inspectTemplates.get dlp.inspectTemplates.list dlp.jobTriggers.get dlp.jobTriggers.list dlp.jobs.get dlp.jobs.list dlp.locations.* dlp.storedInfoTypes.get dlp.storedInfoTypes.list |
DLP Stored InfoTypes Editor( Edit DLP stored info types. |
dlp.storedInfoTypes.* |
DLP Stored InfoTypes Reader( Read DLP stored info types. |
dlp.storedInfoTypes.get dlp.storedInfoTypes.list |
DLP Subscription Admin( Manage DLP subscriptions. |
dlp.subscriptions.* resourcemanager.projects.get resourcemanager.projects.list |
DLP Subscription Viewer( View DLP subscriptions. |
dlp.subscriptions.get dlp.subscriptions.list |
DLP Table Data Profiles Admin( Manage DLP table profiles. |
dlp.tableDataProfiles.* |
DLP Table Data Profiles Reader( Read DLP table profiles. |
dlp.tableDataProfiles.get dlp.tableDataProfiles.list |
DLP User( Inspect, Redact, and De-identify Content |
dlp.kms.encrypt dlp.locations.* serviceusage.services.use |
Cloud Domains roles |
Permissions |
Cloud Domains Admin( Full access to Cloud Domains Registrations and related resources. |
domains.* resourcemanager.projects.get resourcemanager.projects.list |
Cloud Domains Viewer( Read-only access to Cloud Domains Registrations and related resources. |
domains.locations.* domains.operations.get domains.operations.list domains.registrations.get domains. domains.registrations.list domains. domains. resourcemanager.projects.get resourcemanager.projects.list |
Cloud Filestore roles |
Permissions |
Cloud Filestore Editor Beta( Read-write access to Filestore instances and related resources. |
file.* |
Cloud Filestore Viewer Beta( Read-only access to Filestore instances and related resources. |
file.backups.get file.backups.list file.backups.listEffectiveTags file.backups.listTagBindings file.instances.get file.instances.list file. file.instances.listTagBindings file.locations.* file.operations.get file.operations.list file. file.snapshots.listTagBindings |
Cloud Financial Services roles |
Permissions |
Financial Services Admin( Full access to all Financial Services API resources. |
financialservices.* resourcemanager.projects.get resourcemanager.projects.list |
Financial Services Viewer( View access to all Financial Services API resources. |
financialservices.locations.* financialservices. financialservices. financialservices. financialservices. financialservices. financialservices. financialservices. financialservices. financialservices. financialservices. financialservices. financialservices. financialservices. financialservices. financialservices. financialservices.v1models.get financialservices. financialservices. financialservices. financialservices. resourcemanager.projects.get resourcemanager.projects.list |
Cloud Functions roles |
Permissions |
Cloud Functions Admin( Full access to functions, operations and locations. |
cloudbuild.builds.get cloudbuild.builds.list cloudbuild.operations.* cloudfunctions.* eventarc.* recommender. recommender. recommender.locations.* recommender. recommender. recommender. recommender. recommender. recommender. recommender. recommender. remotebuildexecution.blobs.get resourcemanager.projects.get resourcemanager.projects.list run.* serviceusage.quotas.get serviceusage.services.get serviceusage.services.list |
Cloud Functions Developer( Read and write access to all functions-related resources. |
cloudbuild.builds.get cloudbuild.builds.list cloudbuild.operations.* cloudfunctions.functions.call cloudfunctions. cloudfunctions. cloudfunctions.functions.get cloudfunctions. cloudfunctions.functions.list cloudfunctions. cloudfunctions. cloudfunctions. cloudfunctions.locations.list cloudfunctions.operations.* eventarc. eventarc. eventarc. eventarc. eventarc. eventarc. eventarc.channels.attach eventarc.channels.create eventarc.channels.delete eventarc.channels.get eventarc.channels.getIamPolicy eventarc.channels.list eventarc.channels.publish eventarc.channels.undelete eventarc.channels.update eventarc. eventarc.locations.* eventarc.operations.* eventarc.providers.* eventarc.triggers.create eventarc.triggers.delete eventarc.triggers.get eventarc.triggers.getIamPolicy eventarc.triggers.list eventarc.triggers.undelete eventarc.triggers.update recommender. recommender. recommender.locations.* recommender. recommender. recommender. recommender. recommender. recommender. recommender. recommender. remotebuildexecution.blobs.get resourcemanager.projects.get resourcemanager.projects.list run.configurations.* run.executions.* run.jobs.create run.jobs.delete run.jobs.get run.jobs.getIamPolicy run.jobs.list run.jobs.listEffectiveTags run.jobs.listTagBindings run.jobs.run run.jobs.runWithOverrides run.jobs.update run.locations.list run.operations.* run.revisions.* run.routes.* run.services.create run.services.delete run.services.get run.services.getIamPolicy run.services.list run.services.listEffectiveTags run.services.listTagBindings run.services.update run.tasks.* serviceusage.quotas.get serviceusage.services.get serviceusage.services.list |
Cloud Functions Invoker( Ability to invoke 1st gen HTTP functions with restricted access. 2nd gen functions need the Cloud Run Invoker role instead. |
cloudfunctions. |
Cloud Functions Viewer( Read-only access to functions and locations. |
cloudbuild.builds.get cloudbuild.builds.list cloudbuild.operations.* cloudfunctions.functions.get cloudfunctions. cloudfunctions.functions.list cloudfunctions.locations.list cloudfunctions.operations.* eventarc. eventarc. eventarc. eventarc.channels.get eventarc.channels.getIamPolicy eventarc.channels.list eventarc. eventarc.locations.* eventarc.operations.get eventarc.operations.list eventarc.providers.* eventarc.triggers.get eventarc.triggers.getIamPolicy eventarc.triggers.list recommender. recommender. recommender. recommender. recommender.locations.* recommender. recommender. recommender. recommender. recommender. recommender. recommender. recommender. recommender. recommender. recommender. recommender. recommender. recommender. recommender. recommender. remotebuildexecution.blobs.get resourcemanager.projects.get resourcemanager.projects.list run.configurations.* run.executions.get run.executions.list run.jobs.get run.jobs.getIamPolicy run.jobs.list run.jobs.listEffectiveTags run.jobs.listTagBindings run.locations.list run.operations.get run.operations.list run.revisions.get run.revisions.list run.routes.get run.routes.list run.services.get run.services.getIamPolicy run.services.list run.services.listEffectiveTags run.services.listTagBindings run.tasks.* serviceusage.quotas.get serviceusage.services.get serviceusage.services.list |
Cloud Healthcare roles |
Permissions |
Healthcare Annotation Editor( Create, delete, update, read and list annotations. |
healthcare. healthcare. healthcare.annotations.* healthcare.datasets.get healthcare.datasets.list healthcare.locations.* healthcare.operations.get resourcemanager.projects.get resourcemanager.projects.list |
Healthcare Annotation Reader( Read and list annotations in an Annotation store. |
healthcare. healthcare. healthcare.annotations.get healthcare.annotations.list healthcare.datasets.get healthcare.datasets.list healthcare.locations.* healthcare.operations.get resourcemanager.projects.get resourcemanager.projects.list |
Healthcare Annotation Administrator( Administer Annotation stores. |
healthcare.annotationStores.* healthcare.datasets.get healthcare.datasets.list healthcare.locations.* healthcare.operations.get resourcemanager.projects.get resourcemanager.projects.list |
Healthcare Annotation Store Viewer( List Annotation Stores in a dataset. |
healthcare. healthcare. healthcare.datasets.get healthcare.datasets.list healthcare.locations.* healthcare.operations.get resourcemanager.projects.get resourcemanager.projects.list |
Healthcare Attribute Definition Editor( Edit AttributeDefinition objects. |
healthcare. healthcare. healthcare. healthcare.consentStores.get healthcare.consentStores.list healthcare. healthcare.datasets.get healthcare.datasets.list healthcare.locations.* healthcare.operations.get resourcemanager.projects.get resourcemanager.projects.list |
Healthcare Attribute Definition Reader( Read AttributeDefinition objects in a consent store. |
healthcare. healthcare. healthcare. healthcare. healthcare.consentStores.get healthcare.consentStores.list healthcare. healthcare.datasets.get healthcare.datasets.list healthcare.locations.* healthcare.operations.get resourcemanager.projects.get resourcemanager.projects.list |
Healthcare Consent Artifact Administrator( Administer ConsentArtifact objects. |
healthcare.consentArtifacts.* healthcare. healthcare. healthcare.consentStores.get healthcare.consentStores.list healthcare. healthcare.datasets.get healthcare.datasets.list healthcare.locations.* healthcare.operations.get resourcemanager.projects.get resourcemanager.projects.list |
Healthcare Consent Artifact Editor( Edit ConsentArtifact objects. |
healthcare. healthcare. healthcare. healthcare. healthcare. healthcare.consentStores.get healthcare.consentStores.list healthcare. healthcare.datasets.get healthcare.datasets.list healthcare.locations.* healthcare.operations.get resourcemanager.projects.get resourcemanager.projects.list |
Healthcare Consent Artifact Reader( Read ConsentArtifact objects in a consent store. |
healthcare. healthcare. healthcare. healthcare. healthcare.consentStores.get healthcare.consentStores.list healthcare. healthcare.datasets.get healthcare.datasets.list healthcare.locations.* healthcare.operations.get resourcemanager.projects.get resourcemanager.projects.list |
Healthcare Consent Editor( Edit Consent objects. |
healthcare. healthcare. healthcare.consentStores.get healthcare.consentStores.list healthcare. healthcare.consents.* healthcare.datasets.get healthcare.datasets.list healthcare.locations.* healthcare.operations.get resourcemanager.projects.get resourcemanager.projects.list |
Healthcare Consent Reader( Read Consent objects in a consent store. |
healthcare. healthcare. healthcare.consentStores.get healthcare.consentStores.list healthcare. healthcare.consents.get healthcare.consents.list healthcare.datasets.get healthcare.datasets.list healthcare.locations.* healthcare.operations.get resourcemanager.projects.get resourcemanager.projects.list |
Healthcare Consent Store Administrator( Administer Consent stores. |
healthcare.consentStores.* healthcare.datasets.get healthcare.datasets.list healthcare.locations.* healthcare.operations.get resourcemanager.projects.get resourcemanager.projects.list |
Healthcare Consent Store Viewer( List Consent Stores in a dataset. |
healthcare. healthcare. healthcare.consentStores.get healthcare.consentStores.list healthcare. healthcare.datasets.get healthcare.datasets.list healthcare.locations.* healthcare.operations.get resourcemanager.projects.get resourcemanager.projects.list |
Healthcare Dataset Administrator( Administer Healthcare Datasets. |
healthcare.datasets.* healthcare.locations.* healthcare.operations.* resourcemanager.projects.get resourcemanager.projects.list |
Healthcare Dataset Viewer( List the Healthcare Datasets in a project. |
healthcare.datasets.get healthcare.datasets.list healthcare.locations.* healthcare.operations.get resourcemanager.projects.get resourcemanager.projects.list |
Healthcare DICOM Editor( Edit DICOM images individually and in bulk. |
healthcare.datasets.get healthcare.datasets.list healthcare. healthcare. healthcare. healthcare.dicomStores.export healthcare.dicomStores.get healthcare.dicomStores.import healthcare.dicomStores.list healthcare.locations.* healthcare.operations.cancel healthcare.operations.get resourcemanager.projects.get resourcemanager.projects.list |
Healthcare DICOM Store Administrator( Administer DICOM stores. |
healthcare.datasets.get healthcare.datasets.list healthcare.dicomStores.create healthcare. healthcare.dicomStores.delete healthcare. healthcare.dicomStores.get healthcare. healthcare.dicomStores.list healthcare. healthcare.dicomStores.update healthcare.locations.* healthcare.operations.cancel healthcare.operations.get resourcemanager.projects.get resourcemanager.projects.list |
Healthcare DICOM Store Viewer( List DICOM Stores in a dataset. |
healthcare.datasets.get healthcare.datasets.list healthcare.dicomStores.get healthcare.dicomStores.list healthcare.locations.* healthcare.operations.get resourcemanager.projects.get resourcemanager.projects.list |
Healthcare DICOM Viewer( Retrieve DICOM images from a DICOM store. |
healthcare.datasets.get healthcare.datasets.list healthcare. healthcare.dicomStores.export healthcare.dicomStores.get healthcare.dicomStores.list healthcare.locations.* healthcare.operations.get resourcemanager.projects.get resourcemanager.projects.list |
Healthcare FHIR Resource Editor( Create, delete, update, read and search FHIR resources. |
healthcare.datasets.get healthcare.datasets.list healthcare. healthcare. healthcare.fhirResources.get healthcare.fhirResources.patch healthcare. healthcare. healthcare. healthcare.fhirStores.get healthcare.fhirStores.list healthcare. healthcare.locations.* healthcare.operations.cancel healthcare.operations.get resourcemanager.projects.get resourcemanager.projects.list |
Healthcare FHIR Resource Reader( Read and search FHIR resources. |
healthcare.datasets.get healthcare.datasets.list healthcare.fhirResources.get healthcare. healthcare. healthcare.fhirStores.get healthcare.fhirStores.list healthcare. healthcare.locations.* healthcare.operations.get resourcemanager.projects.get resourcemanager.projects.list |
Healthcare FHIR Store Administrator( Administer FHIR resource stores. |
healthcare.datasets.get healthcare.datasets.list healthcare.fhirResources.purge healthcare. healthcare. healthcare.fhirStores.create healthcare. healthcare.fhirStores.delete healthcare. healthcare.fhirStores.export healthcare.fhirStores.get healthcare. healthcare.fhirStores.import healthcare.fhirStores.list healthcare.fhirStores.rollback healthcare. healthcare.fhirStores.update healthcare.locations.* healthcare.operations.cancel healthcare.operations.get resourcemanager.projects.get resourcemanager.projects.list |
Healthcare FHIR Store Viewer( List FHIR Stores in a dataset. |
healthcare.datasets.get healthcare.datasets.list healthcare.fhirStores.get healthcare.fhirStores.list healthcare.locations.* healthcare.operations.get resourcemanager.projects.get resourcemanager.projects.list |
Healthcare HL7v2 Message Consumer( List and read HL7v2 messages, update message labels, and publish new messages. |
healthcare.datasets.get healthcare.datasets.list healthcare. healthcare.hl7V2Messages.get healthcare.hl7V2Messages.list healthcare. healthcare.hl7V2Stores.get healthcare.hl7V2Stores.list healthcare.locations.* healthcare.operations.get resourcemanager.projects.get resourcemanager.projects.list |
Healthcare HL7v2 Message Editor( Read, write, and delete access to HL7v2 messages. |
healthcare.datasets.get healthcare.datasets.list healthcare.hl7V2Messages.* healthcare.hl7V2Stores.get healthcare.hl7V2Stores.list healthcare.locations.* healthcare.operations.cancel healthcare.operations.get resourcemanager.projects.get resourcemanager.projects.list |
Healthcare HL7v2 Message Ingest( Ingest HL7v2 messages received from a source network. |
healthcare.datasets.get healthcare.datasets.list healthcare. healthcare.hl7V2Stores.get healthcare.hl7V2Stores.list healthcare.locations.* healthcare.operations.get resourcemanager.projects.get resourcemanager.projects.list |
Healthcare HL7v2 Store Administrator( Administer HL7v2 Stores. |
healthcare.datasets.get healthcare.datasets.list healthcare.hl7V2Stores.* healthcare.locations.* healthcare.operations.cancel healthcare.operations.get resourcemanager.projects.get resourcemanager.projects.list |
Healthcare HL7v2 Store Viewer( View HL7v2 Stores in a dataset. |
healthcare.datasets.get healthcare.datasets.list healthcare.hl7V2Stores.get healthcare.hl7V2Stores.list healthcare.locations.* healthcare.operations.get resourcemanager.projects.get resourcemanager.projects.list |
Healthcare NLP Service Viewer Beta( Extract and analyze medical entities from a given text. |
healthcare.locations.* healthcare. resourcemanager.projects.get resourcemanager.projects.list |
Healthcare User Data Mapping Editor( Edit UserDataMapping objects. |
healthcare. healthcare. healthcare.consentStores.get healthcare.consentStores.list healthcare. healthcare.datasets.get healthcare.datasets.list healthcare.locations.* healthcare.operations.get healthcare.userDataMappings.* resourcemanager.projects.get resourcemanager.projects.list |
Healthcare User Data Mapping Reader( Read UserDataMapping objects in a consent store. |
healthcare. healthcare. healthcare.consentStores.get healthcare.consentStores.list healthcare. healthcare.datasets.get healthcare.datasets.list healthcare.locations.* healthcare.operations.get healthcare. healthcare. resourcemanager.projects.get resourcemanager.projects.list |
Cloud IAP roles |
Permissions |
IAP Policy Admin( Provides full access to Identity-Aware Proxy resources. |
iap.tunnel.* iap. iap. iap. iap. iap.tunnelLocations.* iap.tunnelZones.* iap.web.getIamPolicy iap.web.setIamPolicy iap. iap. iap.webServices.getIamPolicy iap.webServices.setIamPolicy iap.webTypes.getIamPolicy iap.webTypes.setIamPolicy |
IAP-secured Web App User( Provides permission to access HTTPS resources which use Identity-Aware Proxy. |
iap. |
IAP-secured Resource Remediator User Beta( Remediate IAP resource |
iap.tunnelDestGroups.remediate iap.tunnelinstances.remediate iap. |
IAP Settings Admin( Administrator of IAP Settings. |
iap.projects.* iap.web.getSettings iap.web.updateSettings iap. iap. iap.webServices.getSettings iap.webServices.updateSettings iap.webTypes.getSettings iap.webTypes.updateSettings |
IAP-secured Tunnel Destination Group Editor( Edit Tunnel Destination Group resources which use Identity-Aware Proxy |
iap.tunnelDestGroups.create iap.tunnelDestGroups.delete iap.tunnelDestGroups.get iap.tunnelDestGroups.list iap.tunnelDestGroups.update |
IAP-secured Tunnel Destination Group Viewer( View Tunnel Destination Group resources which use Identity-Aware Proxy |
iap.tunnelDestGroups.get iap.tunnelDestGroups.list |
IAP-secured Tunnel User( Access Tunnel resources which use Identity-Aware Proxy |
iap. iap. |
Cloud IDS roles |
Permissions |
Cloud IDS Admin Beta( Full access to all Cloud IDS resources. |
ids.* resourcemanager.projects.get resourcemanager.projects.list |
Cloud IDS Viewer Beta( Read-only access to all Cloud IDS resources. |
ids.endpoints.get ids.endpoints.getIamPolicy ids.endpoints.list ids.locations.* ids.operations.get ids.operations.list resourcemanager.projects.get resourcemanager.projects.list |
Cloud IoT roles |
Permissions |
Cloud IoT Admin( Full control of all Cloud IoT resources and permissions. |
cloudiot.* cloudiottoken.* |
Cloud IoT Device Controller( Access to update the device configuration, but not to create or delete devices. |
cloudiot.devices.get cloudiot.devices.list cloudiot.devices.sendCommand cloudiot.devices.updateConfig cloudiot.registries.get cloudiot.registries.list cloudiottoken. |
Cloud IoT Editor( Read-write access to all Cloud IoT resources. |
cloudiot.devices.* cloudiot.registries.create cloudiot.registries.delete cloudiot.registries.get cloudiot.registries.list cloudiot.registries.update cloudiottoken.* |
Cloud IoT Provisioner( Access to create and delete devices from registries, but not to modify the registries, and enable devices to publish to topics associated with IoT registry. |
cloudiot.devices.* cloudiot.registries.get cloudiot.registries.list cloudiottoken. |
Cloud IoT Viewer( Read-only access to all Cloud IoT resources. |
cloudiot.devices.get cloudiot.devices.list cloudiot.registries.get cloudiot.registries.list cloudiottoken. |
Cloud KMS roles |
Permissions |
Cloud KMS Admin( Provides access to Cloud KMS resources, except for access to restricted resource types and cryptographic operations. Lowest-level resources where you can grant this role:
|
cloudkms. cloudkms. cloudkms.cryptoKeyVersions.get cloudkms. cloudkms. cloudkms. cloudkms. cloudkms. cloudkms.cryptoKeys.* cloudkms.ekmConfigs.* cloudkms.ekmConnections.* cloudkms.importJobs.* cloudkms.keyRings.* cloudkms.locations.get cloudkms.locations.list cloudkms. resourcemanager.projects.get |
Cloud KMS CryptoKey Decrypter( Provides ability to use Cloud KMS resources for decrypt operations only. Lowest-level resources where you can grant this role:
|
cloudkms. cloudkms.locations.get cloudkms.locations.list resourcemanager.projects.get |
Cloud KMS CryptoKey Decrypter Via Delegation( Enables Decrypt operations via other Google Cloud services |
cloudkms. cloudkms.locations.get cloudkms.locations.list resourcemanager.projects.get resourcemanager.projects.list |
Cloud KMS CryptoKey Encrypter( Provides ability to use Cloud KMS resources for encrypt operations only. Lowest-level resources where you can grant this role:
|
cloudkms. cloudkms.locations.get cloudkms.locations.list resourcemanager.projects.get |
Cloud KMS CryptoKey Encrypter/Decrypter( Provides ability to use Cloud KMS resources for encrypt and decrypt operations only. Lowest-level resources where you can grant this role:
|
cloudkms. cloudkms. cloudkms.locations.get cloudkms.locations.list resourcemanager.projects.get |
Cloud KMS CryptoKey Encrypter/Decrypter Via Delegation( Enables Encrypt and Decrypt operations via other Google Cloud services |
cloudkms. cloudkms. cloudkms.locations.get cloudkms.locations.list resourcemanager.projects.get resourcemanager.projects.list |
Cloud KMS CryptoKey Encrypter Via Delegation( Enables Encrypt operations via other Google Cloud services |
cloudkms. cloudkms.locations.get cloudkms.locations.list resourcemanager.projects.get resourcemanager.projects.list |
Cloud KMS Crypto Operator( Enables all Crypto Operations. |
cloudkms. cloudkms. cloudkms. cloudkms. cloudkms. cloudkms. cloudkms.locations.get cloudkms.locations.list resourcemanager.projects.get |
Cloud KMS EkmConnections Admin( Enables management of EkmConnections. |
cloudkms.ekmConfigs.get cloudkms.ekmConfigs.update cloudkms.ekmConnections.create cloudkms.ekmConnections.get cloudkms.ekmConnections.list cloudkms.ekmConnections.update cloudkms. resourcemanager.projects.get resourcemanager.projects.list |
Cloud KMS Expert Raw AES-CBC Key Manager( Enables raw AES-CBC keys management. |
cloudkms. cloudkms.locations.get cloudkms.locations.list resourcemanager.projects.get resourcemanager.projects.list |
Cloud KMS Expert Raw AES-CTR Key Manager( Enables raw AES-CTR keys management. |
cloudkms. cloudkms.locations.get cloudkms.locations.list resourcemanager.projects.get resourcemanager.projects.list |
Cloud KMS Expert Raw PKCS#1 Key Manager( Enables raw PKCS#1 keys management. |
cloudkms. cloudkms.locations.get cloudkms.locations.list resourcemanager.projects.get resourcemanager.projects.list |
Cloud KMS Importer( Enables ImportCryptoKeyVersion, CreateImportJob, ListImportJobs, and GetImportJob operations |
cloudkms.importJobs.create cloudkms.importJobs.get cloudkms.importJobs.list cloudkms. cloudkms.locations.get cloudkms.locations.list resourcemanager.projects.get |
Cloud KMS Protected Resources Viewer( Enables viewing protected resources. |
cloudkms. |
Cloud KMS CryptoKey Public Key Viewer( Enables GetPublicKey operations |
cloudkms. cloudkms.locations.get cloudkms.locations.list resourcemanager.projects.get |
Cloud KMS CryptoKey Signer( Enables Sign operations |
cloudkms. cloudkms.locations.get cloudkms.locations.list resourcemanager.projects.get |
Cloud KMS CryptoKey Signer/Verifier( Enables Sign, Verify, and GetPublicKey operations |
cloudkms. cloudkms. cloudkms. cloudkms.locations.get cloudkms.locations.list resourcemanager.projects.get |
Cloud KMS CryptoKey Verifier( Enables Verify and GetPublicKey operations |
cloudkms. cloudkms. cloudkms.locations.get cloudkms.locations.list resourcemanager.projects.get |
Cloud KMS Viewer( Enables Get and List operations. |
cloudkms.cryptoKeyVersions.get cloudkms. cloudkms.cryptoKeys.get cloudkms.cryptoKeys.list cloudkms.ekmConfigs.get cloudkms.ekmConnections.get cloudkms.ekmConnections.list cloudkms.importJobs.get cloudkms.importJobs.list cloudkms.keyRings.get cloudkms.keyRings.list cloudkms.locations.get cloudkms.locations.list resourcemanager.projects.get |
Cloud Life Sciences roles |
Permissions |
Cloud Life Sciences Admin Beta( Full control of Cloud Life Sciences resources. |
lifesciences.* |
Cloud Life Sciences Editor Beta( Access to read and edit Cloud Life Sciences resources. |
lifesciences.* |
Cloud Life Sciences Viewer Beta( Access to read Cloud Life Sciences resources. |
lifesciences.operations.get lifesciences.operations.list resourcemanager.projects.get resourcemanager.projects.list |
Cloud Life Sciences Workflows Runner Beta( Full access to operate on Cloud Life Sciences workflows. |
lifesciences.* |
Cloud Managed Identities roles |
Permissions |
Google Cloud Managed Identities Admin( Full access to Google Cloud Managed Identities Domains and related resources. Intended to be granted on a project-level. |
managedidentities.* resourcemanager.projects.get resourcemanager.projects.list |
Google Cloud Managed Identities Backup Admin( Full access to Google Cloud Managed Identities Backup and related resources. Intended to be granted on a project-level. |
managedidentities.backups.* managedidentities.domains.get managedidentities.locations.* managedidentities.operations.* resourcemanager.projects.get resourcemanager.projects.list |
Google Cloud Managed Identities Backup Viewer( Read-only access to Google Cloud Managed Identities Backup and related resources. |
managedidentities.backups.get managedidentities. managedidentities.backups.list managedidentities.domains.get managedidentities.locations.* managedidentities. managedidentities. resourcemanager.projects.get resourcemanager.projects.list |
Google Cloud Managed Identities Domain Admin( Read-Update-Delete to Google Cloud Managed Identities Domains and related resources. Intended to be granted on a resource (domain) level. |
managedidentities.backups.* managedidentities. managedidentities. managedidentities. managedidentities. managedidentities. managedidentities. managedidentities. managedidentities. managedidentities. managedidentities. managedidentities.domains.get managedidentities. managedidentities. managedidentities. managedidentities. managedidentities. managedidentities. managedidentities. managedidentities. managedidentities. managedidentities.locations.* managedidentities. managedidentities. managedidentities. resourcemanager.projects.get resourcemanager.projects.list |
Google Cloud Managed Identities Domain Join Beta( Access to domain join VMs with Cloud AD |
managedidentities. managedidentities.domains.get |
Google Cloud Managed Identities Peering Admin( Full access to Google Cloud Managed Identities Domains and related resources. Intended to be granted on a project-level. |
managedidentities.locations.* managedidentities.operations.* managedidentities.peerings.* resourcemanager.projects.get resourcemanager.projects.list |
Google Cloud Managed Identities Peering Viewer( Read-only access to Google Cloud Managed Identities Peering and related resources. |
managedidentities.locations.* managedidentities. managedidentities. managedidentities.peerings.get managedidentities. managedidentities. resourcemanager.projects.get resourcemanager.projects.list |
Google Cloud Managed Identities Viewer( Read-only access to Google Cloud Managed Identities Domains and related resources. |
managedidentities.backups.get managedidentities. managedidentities.backups.list managedidentities.domains.get managedidentities. managedidentities.domains.list managedidentities. managedidentities. managedidentities.locations.* managedidentities. managedidentities. managedidentities.peerings.get managedidentities. managedidentities. managedidentities. resourcemanager.projects.get resourcemanager.projects.list |
Cloud Marketplace roles |
Permissions |
Commerce Business Enablement Configuration Admin Beta( Admin of Various Provider Configuration resources |
commercebusinessenablement. commercebusinessenablement. commercebusinessenablement. commercebusinessenablement. commercebusinessenablement. resourcemanager. resourcemanager.projects.get resourcemanager.projects.list |
Commerce Business Enablement PaymentConfig Admin Beta( Administration of Payment Configuration resource |
commercebusinessenablement. commercebusinessenablement. resourcemanager.projects.get resourcemanager.projects.list |
Commerce Business Enablement PaymentConfig Viewer Beta( Viewer of Payment Configuration resource |
commercebusinessenablement. commercebusinessenablement. resourcemanager.projects.get resourcemanager.projects.list |
Commerce Business Enablement Rebates Admin Beta( Provides admin access to rebates |
commercebusinessenablement. commercebusinessenablement. commercebusinessenablement. |
Commerce Business Enablement Rebates Viewer Beta( Provides read-only access to rebates |
commercebusinessenablement. commercebusinessenablement. commercebusinessenablement. commercebusinessenablement. commercebusinessenablement. |
Commerce Business Enablement Reseller Discount Admin Beta( Provides admin access to reseller discount offers |
commercebusinessenablement. commercebusinessenablement. commercebusinessenablement. commercebusinessenablement. commercebusinessenablement. commercebusinessenablement. resourcemanager. resourcemanager.projects.get resourcemanager.projects.list |
Commerce Business Enablement Reseller Discount Viewer Beta( Provides read-only access to reseller discount offers |
commercebusinessenablement. commercebusinessenablement. commercebusinessenablement. commercebusinessenablement. commercebusinessenablement. commercebusinessenablement. commercebusinessenablement. resourcemanager. resourcemanager.projects.get resourcemanager.projects.list |
Commerce Business Enablement Configuration Viewer Beta( Viewer of Various Provider Configuration resource |
commercebusinessenablement. commercebusinessenablement. commercebusinessenablement. commercebusinessenablement. commercebusinessenablement. resourcemanager. resourcemanager.projects.get resourcemanager.projects.list |
Commerce Offer Catalog Offers Viewer Beta( Allows viewing offers |
commerceoffercatalog.* |
Commerce Organization Governance Admin Beta( Full access to Organization Governance APIs |
commerceorggovernance.* resourcemanager.projects.get resourcemanager.projects.list |
Governed Marketplace User Alpha( Full access to Governed Marketplace features. |
commerceorggovernance. resourcemanager.projects.get resourcemanager.projects.list |
Commerce Organization Governance Viewer Beta( Full access to Organization Governance read-only APIs. |
commerceorggovernance. commerceorggovernance. commerceorggovernance. commerceorggovernance. commerceorggovernance. commerceorggovernance. commerceorggovernance. resourcemanager.projects.get resourcemanager.projects.list |
Commerce Price Management Events Viewer Beta( Allows viewing key events for an offer |
commerceprice.events.* resourcemanager.projects.get resourcemanager.projects.list |
Commerce Price Management Private Offers Admin Beta( Allows managing private offers |
commerceagreementpublishing.* commerceprice.* resourcemanager.projects.get resourcemanager.projects.list serviceusage.services.get serviceusage.services.list |
Commerce Price Management Viewer Beta( Allows viewing offers, free trials, skus |
commerceagreementpublishing. commerceagreementpublishing. commerceagreementpublishing. commerceagreementpublishing. commerceprice. commerceprice. resourcemanager.projects.get resourcemanager.projects.list serviceusage.services.get serviceusage.services.list |
Commerce Producer Admin Beta( Grants full access to all resources in Cloud Commerce Producer API. |
commercebusinessenablement. resourcemanager.projects.get resourcemanager.projects.list |
Commerce Producer Viewer Beta( Grants read access to all resources in Cloud Commerce Producer API. |
commercebusinessenablement. resourcemanager.projects.get resourcemanager.projects.list |
Consumer Procurement Entitlement Manager( Allows managing entitlements and enabling, disabling, and inspecting service states for a consumer project. |
consumerprocurement. consumerprocurement. consumerprocurement. consumerprocurement. consumerprocurement. consumerprocurement. orgpolicy.policy.get resourcemanager.projects.get resourcemanager.projects.list serviceusage.operations.get serviceusage.services.disable serviceusage.services.enable serviceusage.services.get serviceusage.services.list |
Consumer Procurement Entitlement Viewer( Allows inspecting entitlements and service states for a consumer project. |
consumerprocurement. consumerprocurement. consumerprocurement. consumerprocurement. consumerprocurement. orgpolicy.policy.get resourcemanager.projects.get resourcemanager.projects.list serviceusage.services.get serviceusage.services.list |
Consumer Procurement Events Viewer( Allows viewing key events for an offer |
consumerprocurement.events.* |
Consumer Procurement Order Administrator( Allows managing purchases. |
billing.accounts.get billing.accounts.getIamPolicy billing.accounts.list billing. billing.credits.list billing. commerceoffercatalog.* consumerprocurement.accounts.* consumerprocurement. consumerprocurement. consumerprocurement. consumerprocurement. consumerprocurement.events.* consumerprocurement. consumerprocurement.orders.* |
Consumer Procurement Order Viewer( Allows inspecting purchases. |
billing.accounts.get billing.accounts.getIamPolicy billing.accounts.list billing.credits.list commerceoffercatalog.* consumerprocurement. consumerprocurement. consumerprocurement. consumerprocurement. consumerprocurement. consumerprocurement. consumerprocurement.orders.get consumerprocurement. |
Consumer Procurement Administrator( Allows managing purchases, consents at both billing account and project level. |
billing.accounts.get billing.accounts.getIamPolicy billing.accounts.list billing. billing.credits.list billing. commerceoffercatalog.* consumerprocurement.* orgpolicy.policy.get resourcemanager.projects.get resourcemanager.projects.list serviceusage.operations.get serviceusage.services.disable serviceusage.services.enable serviceusage.services.get serviceusage.services.list |
Consumer Procurement Viewer( Allows inspecting purchases, consents and entitlements and service states for a consumer project. |
billing.accounts.get billing.accounts.getIamPolicy billing.accounts.list billing.credits.list commerceoffercatalog.* consumerprocurement. consumerprocurement. consumerprocurement. consumerprocurement. consumerprocurement. consumerprocurement. consumerprocurement. consumerprocurement. consumerprocurement. consumerprocurement.orders.get consumerprocurement. orgpolicy.policy.get resourcemanager.projects.get resourcemanager.projects.list serviceusage.services.get serviceusage.services.list |
Cloud Migration roles |
Permissions |
Velostrata Manager Beta( Ability to create and manage Compute VMs to run Velostrata Infrastructure |
cloudmigration. compute.addresses.* compute.diskTypes.* compute.disks.create compute.disks.createSnapshot compute.disks.delete compute.disks.get compute.disks.list compute.disks.setLabels compute.disks.update compute.disks.use compute.disks.useReadOnly compute.globalOperations.get compute.images.get compute.images.list compute.images.useReadOnly compute.instances.attachDisk compute.instances.create compute.instances.delete compute.instances.detachDisk compute.instances.get compute. compute.instances.list compute.instances.reset compute. compute.instances.setLabels compute. compute.instances.setMetadata compute. compute. compute. compute.instances.setTags compute.instances.start compute. compute.instances.stop compute.instances.update compute. compute. compute.instances.use compute.licenseCodes.get compute.licenseCodes.list compute.licenseCodes.update compute.licenseCodes.use compute.licenses.get compute.licenses.list compute.machineTypes.* compute.networks.get compute.networks.list compute.networks.use compute.networks.useExternalIp compute.nodeGroups.get compute.nodeGroups.list compute.nodeTemplates.list compute.projects.get compute.regionOperations.get compute.regions.* compute.snapshots.create compute.snapshots.delete compute.snapshots.get compute.snapshots.setLabels compute.snapshots.useReadOnly compute.subnetworks.get compute.subnetworks.list compute.subnetworks.use compute. compute.zoneOperations.get compute.zones.* gkehub.endpoints.connect iam.serviceAccounts.get iam.serviceAccounts.list resourcemanager.projects.get storage.buckets.create storage.buckets.delete storage.buckets.get storage.buckets.list storage.buckets.update |
Velostrata Storage Access Beta( Ability to access migration storage |
storage.objects.create storage.objects.delete storage.objects.get storage.objects.list storage.objects.update |
Velostrata Manager Connection Agent Beta( Ability to set up connection between Velostrata Manager and Google |
cloudmigration. gkehub.endpoints.connect |
VM Migration Administrator Beta( Ability to view and edit all VM Migration objects |
resourcemanager.projects.get resourcemanager.projects.list vmmigration.* |
VM Migration Viewer Beta( Ability to view all VM Migration objects |
resourcemanager.projects.get resourcemanager.projects.list vmmigration.cloneJobs.get vmmigration.cloneJobs.list vmmigration.cutoverJobs.get vmmigration.cutoverJobs.list vmmigration. vmmigration. vmmigration.deployments.get vmmigration.deployments.list vmmigration.groups.get vmmigration.groups.list vmmigration.locations.* vmmigration.migratingVms.get vmmigration.migratingVms.list vmmigration.operations.get vmmigration.operations.list vmmigration. vmmigration.sources.get vmmigration.sources.list vmmigration.targets.get vmmigration.targets.list vmmigration. vmmigration. |
Cloud Private Catalog roles |
Permissions |
Catalog Consumer Beta( Can browse catalogs in the target resource context. |
cloudprivatecatalog. resourcemanager.projects.get resourcemanager.projects.list |
Catalog Admin Beta( Can manage catalog and view its associations. |
cloudprivatecatalog. cloudprivatecatalogproducer. cloudprivatecatalogproducer. cloudprivatecatalogproducer. cloudprivatecatalogproducer. cloudprivatecatalogproducer. cloudprivatecatalogproducer. resourcemanager.folders.get resourcemanager.folders.list resourcemanager. resourcemanager.projects.get resourcemanager.projects.list |
Catalog Manager Beta( Can manage associations between a catalog and a target resource. |
cloudprivatecatalog. cloudprivatecatalogproducer. cloudprivatecatalogproducer. cloudprivatecatalogproducer. cloudprivatecatalogproducer. cloudprivatecatalogproducer. cloudprivatecatalogproducer. cloudprivatecatalogproducer. resourcemanager.folders.get resourcemanager.folders.list resourcemanager. resourcemanager.projects.get resourcemanager.projects.list |
Catalog Org Admin Beta( Can manage catalog org settings. |
cloudprivatecatalog. cloudprivatecatalogproducer.* commerceorggovernance. resourcemanager.folders.get resourcemanager.folders.list resourcemanager. resourcemanager.projects.get resourcemanager.projects.list |
Cloud Profiler roles |
Permissions |
Cloud Profiler Agent( Cloud Profiler agents are allowed to register and provide the profiling data. |
cloudprofiler.profiles.create cloudprofiler.profiles.update |
Cloud Profiler User( Cloud Profiler users are allowed to query and view the profiling data. |
cloudprofiler.profiles.list resourcemanager.projects.get resourcemanager.projects.list serviceusage.quotas.get serviceusage.services.get serviceusage.services.list |
Cloud Run roles |
Permissions |
Cloud Run Admin( Full control over all Cloud Run resources. Lowest-level resources where you can grant this role:
|
recommender.locations.* recommender. recommender. recommender. recommender. recommender. recommender. recommender. recommender. resourcemanager.projects.get resourcemanager.projects.list run.* |
Cloud Run Developer( Read and write access to all Cloud Run resources. Lowest-level resources where you can grant this role:
|
recommender.locations.* recommender. recommender. recommender. recommender. recommender. recommender. recommender. recommender. resourcemanager.projects.get resourcemanager.projects.list run.configurations.* run.executions.* run.jobs.create run.jobs.delete run.jobs.get run.jobs.getIamPolicy run.jobs.list run.jobs.listEffectiveTags run.jobs.listTagBindings run.jobs.run run.jobs.runWithOverrides run.jobs.update run.locations.list run.operations.* run.revisions.* run.routes.* run.services.create run.services.delete run.services.get run.services.getIamPolicy run.services.list run.services.listEffectiveTags run.services.listTagBindings run.services.update run.tasks.* |
Cloud Run Invoker( Can invoke a Cloud Run service. Lowest-level resources where you can grant this role:
|
run.executions.cancel run.jobs.run run.routes.invoke |
Cloud Run Viewer( Can view the state of all Cloud Run resources, including IAM policies. Lowest-level resources where you can grant this role:
|
recommender.locations.* recommender. recommender. recommender. recommender. recommender. recommender. recommender. recommender. recommender. recommender. recommender. recommender. recommender. recommender. recommender. recommender. resourcemanager.projects.get resourcemanager.projects.list run.configurations.* run.executions.get run.executions.list run.jobs.get run.jobs.getIamPolicy run.jobs.list run.jobs.listEffectiveTags run.jobs.listTagBindings run.locations.list run.operations.get run.operations.list run.revisions.get run.revisions.list run.routes.get run.routes.list run.services.get run.services.getIamPolicy run.services.list run.services.listEffectiveTags run.services.listTagBindings run.tasks.* |
Cloud Scheduler roles |
Permissions |
Cloud Scheduler Admin( Full access to jobs and executions. Note that a Cloud Scheduler Admin (or any custom role with the permission cloudscheduler.jobs.create) can create jobs that publish to any Pub/Sub topics within the project. |
appengine.applications.get cloudscheduler.* resourcemanager.projects.get resourcemanager.projects.list serviceusage.services.get serviceusage.services.list |
Cloud Scheduler Job Runner( Access to run jobs. |
appengine.applications.get cloudscheduler.jobs.fullView cloudscheduler.jobs.run resourcemanager.projects.get resourcemanager.projects.list serviceusage.services.get serviceusage.services.list |
Cloud Scheduler Viewer( Get and list access to jobs, executions, and locations. |
appengine.applications.get cloudscheduler.jobs.fullView cloudscheduler.jobs.get cloudscheduler.jobs.list cloudscheduler.locations.* resourcemanager.projects.get resourcemanager.projects.list serviceusage.services.get serviceusage.services.list |
Cloud Security Scanner roles |
Permissions |
Web Security Scanner Editor( Full access to all Web Security Scanner resources. Lowest-level resources where you can grant this role:
|
appengine.applications.get cloudsecurityscanner.* compute.addresses.list resourcemanager.projects.get resourcemanager.projects.list serviceusage.quotas.get serviceusage.services.get serviceusage.services.list |
Web Security Scanner Runner( Read access to Scan and ScanRun, plus the ability to start scans. Lowest-level resources where you can grant this role:
|
cloudsecurityscanner. cloudsecurityscanner. cloudsecurityscanner. cloudsecurityscanner. cloudsecurityscanner.scans.get cloudsecurityscanner. cloudsecurityscanner.scans.run |
Web Security Scanner Viewer( Read access to all Web Security Scanner resources. Lowest-level resources where you can grant this role:
|
cloudsecurityscanner. cloudsecurityscanner.results.* cloudsecurityscanner. cloudsecurityscanner. cloudsecurityscanner. cloudsecurityscanner.scans.get cloudsecurityscanner. serviceusage.quotas.get serviceusage.services.get serviceusage.services.list |
Cloud Services roles |
Permissions |
Service Broker Admin( Full access to ServiceBroker resources. |
servicebroker.* |
Service Broker Operator( Operational access to the ServiceBroker resources. |
servicebroker. servicebroker.bindings.create servicebroker.bindings.delete servicebroker.bindings.get servicebroker.bindings.list servicebroker.catalogs.create servicebroker.catalogs.delete servicebroker.catalogs.get servicebroker.catalogs.list servicebroker. servicebroker.instances.create servicebroker.instances.delete servicebroker.instances.get servicebroker.instances.list servicebroker.instances.update |
Cloud Spanner roles |
Permissions |
Cloud Spanner Admin( Has complete access to all Spanner resources in a Google Cloud project. A principal with this role can:
Lowest-level resources where you can grant this role:
|
monitoring.timeSeries.list resourcemanager.projects.get resourcemanager.projects.list spanner.* |
Cloud Spanner Backup Admin( A principal with this role can:
This role cannot restore a database from a backup. Lowest-level resources where you can grant this role:
|
monitoring.timeSeries.list resourcemanager.projects.get resourcemanager.projects.list spanner.backupOperations.* spanner.backups.copy spanner.backups.create spanner.backups.delete spanner.backups.get spanner.backups.getIamPolicy spanner.backups.list spanner.backups.setIamPolicy spanner.backups.update spanner.databases.createBackup spanner.databases.get spanner.databases.list spanner. spanner. spanner.instances.get spanner.instances.list spanner. spanner. |
Cloud Spanner Backup Writer( This role is intended to be used by scripts that automate backup creation. A principal with this role can create backups, but cannot update or delete them. Lowest-level resources where you can grant this role:
|
spanner.backupOperations.get spanner.backupOperations.list spanner.backups.copy spanner.backups.create spanner.backups.get spanner.backups.list spanner.databases.createBackup spanner.databases.get spanner.databases.list spanner.instances.get |
Cloud Spanner Database Admin( A principal with this role can:
Lowest-level resources where you can grant this role:
|
monitoring.timeSeries.list resourcemanager.projects.get resourcemanager.projects.list spanner.databaseOperations.* spanner.databaseRoles.* spanner. spanner. spanner. spanner.databases.create spanner.databases.drop spanner.databases.get spanner.databases.getDdl spanner.databases.getIamPolicy spanner.databases.list spanner. spanner. spanner.databases.read spanner.databases.select spanner.databases.setIamPolicy spanner.databases.update spanner.databases.updateDdl spanner.databases.updateTag spanner.databases.useDataBoost spanner. spanner.databases.write spanner. spanner. spanner.instances.get spanner.instances.getIamPolicy spanner.instances.list spanner. spanner. spanner.sessions.* |
Cloud Spanner Database Reader( A principal with this role can:
Lowest-level resources where you can grant this role:
|
spanner. spanner.databases.getDdl spanner. spanner. spanner.databases.read spanner.databases.select spanner.instances.get spanner.sessions.* |
Cloud Spanner Database Role User( In conjunction with the IAM role Cloud Spanner Fine-grained Access User, grants permissions to individual Spanner database roles. Add a condition for each desired Spanner database role that includes the resource type of `spanner.googleapis.com/DatabaseRole` and the resource name ending with `/YOUR_SPANNER_DATABASE_ROLE`. |
spanner.databaseRoles.use |
Cloud Spanner Database User( A principal with this role can:
Lowest-level resources where you can grant this role:
|
spanner.databaseOperations.* spanner. spanner. spanner. spanner.databases.getDdl spanner. spanner. spanner.databases.read spanner.databases.select spanner.databases.updateDdl spanner.databases.updateTag spanner.databases.write spanner.instances.get spanner.sessions.* |
Cloud Spanner Fine-grained Access User( Grants permissions to use Spanner's fine-grained access control framework. To grant access to specific database roles, also add the `roles/spanner.databaseRoleUser` IAM role and its necessary conditions. |
spanner.databaseRoles.list spanner. |
Cloud Spanner Restore Admin( A principal with this role can restore databases from backups. If you need to restore a backup to a different instance, apply this role at the project level or to both instances. This role cannot create backups. Lowest-level resources where you can grant this role:
|
monitoring.timeSeries.list resourcemanager.projects.get resourcemanager.projects.list spanner.backups.get spanner.backups.list spanner. spanner. spanner.databaseOperations.get spanner. spanner.databases.create spanner.databases.get spanner.databases.list spanner. spanner. spanner.instances.get spanner.instances.list spanner. spanner. |
Cloud Spanner Viewer( A principal with this role can:
For example, you can combine this role with the This role is recommended at the Google Cloud project level for users interacting with Cloud Spanner resources in the Google Cloud console. Lowest-level resources where you can grant this role:
|
monitoring.timeSeries.list resourcemanager.projects.get resourcemanager.projects.list spanner.databases.list spanner.instanceConfigs.get spanner.instanceConfigs.list spanner.instances.get spanner.instances.list spanner. spanner. |
Cloud SQL roles |
Permissions |
Cloud SQL Admin( Provides full control of Cloud SQL resources. Lowest-level resources where you can grant this role:
|
cloudaicompanion. cloudsql.* recommender. recommender. recommender. recommender. recommender. recommender. recommender. recommender. recommender. recommender. recommender. recommender. recommender. recommender. recommender. recommender. recommender. resourcemanager.projects.get resourcemanager.projects.list serviceusage.quotas.get serviceusage.services.get serviceusage.services.list |
Cloud SQL Client( Provides connectivity access to Cloud SQL instances. Lowest-level resources where you can grant this role:
|
cloudsql.instances.connect cloudsql.instances.get |
Cloud SQL Editor( Provides full control of existing Cloud SQL instances excluding modifying users, SSL certificates or deleting resources. Lowest-level resources where you can grant this role:
|
cloudaicompanion. cloudsql.backupRuns.create cloudsql.backupRuns.get cloudsql.backupRuns.list cloudsql.databases.create cloudsql.databases.get cloudsql.databases.list cloudsql.databases.update cloudsql.instances.addServerCa cloudsql.instances.connect cloudsql.instances.export cloudsql.instances.failover cloudsql.instances.get cloudsql. cloudsql.instances.list cloudsql. cloudsql. cloudsql. cloudsql.instances.migrate cloudsql. cloudsql.instances.reencrypt cloudsql. cloudsql.instances.restart cloudsql. cloudsql.instances.truncateLog cloudsql.instances.update cloudsql.schemas.view cloudsql.sslCerts.get cloudsql.sslCerts.list cloudsql.users.get cloudsql.users.list recommender. recommender. recommender. recommender. recommender. recommender. recommender. recommender. recommender. recommender. recommender. recommender. recommender. recommender. recommender. resourcemanager.projects.get resourcemanager.projects.list serviceusage.quotas.get serviceusage.services.get serviceusage.services.list |
Cloud SQL Instance User( Role allowing access to a Cloud SQL instance |
cloudsql.instances.get cloudsql.instances.login |
Cloud SQL Schema Viewer( Role allowing access to the Cloud SQL instance schema on Dataplex |
cloudsql.schemas.view |
Cloud SQL Viewer( Provides read-only access to Cloud SQL resources. Lowest-level resources where you can grant this role:
|
cloudaicompanion. cloudsql.backupRuns.get cloudsql.backupRuns.list cloudsql.databases.get cloudsql.databases.list cloudsql.instances.export cloudsql.instances.get cloudsql. cloudsql.instances.list cloudsql. cloudsql. cloudsql. cloudsql.sslCerts.get cloudsql.sslCerts.list cloudsql.users.get cloudsql.users.list recommender. recommender. recommender. recommender. recommender. recommender. recommender. recommender. recommender. recommender. recommender. recommender. recommender. recommender. recommender. recommender. recommender. recommender. recommender. recommender. recommender. recommender. recommender. recommender. recommender. recommender. recommender. recommender. recommender. recommender. resourcemanager.projects.get resourcemanager.projects.list serviceusage.quotas.get serviceusage.services.get serviceusage.services.list |
Cloud Storage roles |
Permissions |
Storage Admin( Grants full control of objects and buckets. When applied to an individual bucket, control applies only to the specified bucket and objects within the bucket. Lowest-level resources where you can grant this role:
|
firebase.projects.get orgpolicy.policy.get recommender. recommender. resourcemanager.projects.get resourcemanager.projects.list storage.anywhereCaches.* storage.bucketOperations.* storage.buckets.* storage.managedFolders.* storage.multipartUploads.* storage.objects.* |
Storage Folder Admin( Grants full control over folders and objects, including listing, creating, viewing, and deleting objects. |
orgpolicy.policy.get resourcemanager.projects.get resourcemanager.projects.list storage.managedFolders.* storage.multipartUploads.* storage.objects.* |
Storage HMAC Key Admin( Full control of Cloud Storage HMAC keys. |
firebase.projects.get orgpolicy.policy.get resourcemanager.projects.get resourcemanager.projects.list storage.hmacKeys.* |
Storage Insights Collector Service( Read-only access to Cloud Storage Inventory metadata for Storage Insights. |
resourcemanager.projects.get resourcemanager.projects.list storage.buckets.get storage. |
Storage Object Admin( Grants full control of objects, including listing, creating, viewing, and deleting objects. Lowest-level resources where you can grant this role:
|
orgpolicy.policy.get resourcemanager.projects.get resourcemanager.projects.list storage.managedFolders.create storage.managedFolders.delete storage.managedFolders.get storage.managedFolders.list storage.multipartUploads.* storage.objects.* |
Storage Object Creator( Allows users to create objects. Does not give permission to view, delete, or overwrite objects. Lowest-level resources where you can grant this role:
|
orgpolicy.policy.get resourcemanager.projects.get resourcemanager.projects.list storage.managedFolders.create storage.multipartUploads.abort storage. storage. storage.objects.create |
Storage Object User( Access to create, read, update and delete objects and multipart uploads in GCS. |
orgpolicy.policy.get resourcemanager.projects.get resourcemanager.projects.list storage.managedFolders.create storage.managedFolders.delete storage.managedFolders.get storage.managedFolders.list storage.multipartUploads.* storage.objects.create storage.objects.delete storage.objects.get storage.objects.list storage.objects.restore storage.objects.update |
Storage Object Viewer( Grants access to view objects and their metadata, excluding ACLs. Can also list the objects in a bucket. Lowest-level resources where you can grant this role:
|
resourcemanager.projects.get resourcemanager.projects.list storage.managedFolders.get storage.managedFolders.list storage.objects.get storage.objects.list |
Storage Transfer Admin( Create, update and manage transfer jobs and operations. |
resourcemanager.projects.get resourcemanager.projects.list storagetransfer.* |
Storage Transfer Agent( Perform transfers from an agent. |
monitoring.timeSeries.create pubsub.subscriptions.consume pubsub.subscriptions.create pubsub.subscriptions.delete pubsub.subscriptions.get pubsub. pubsub.topics.create pubsub.topics.get pubsub.topics.list pubsub.topics.publish storagetransfer. storagetransfer. storagetransfer.operations.get storagetransfer. |
Storage Transfer User( Create and update storage transfer jobs and operations. |
resourcemanager.projects.get resourcemanager.projects.list storagetransfer. storagetransfer.agentpools.get storagetransfer. storagetransfer. storagetransfer. storagetransfer.jobs.create storagetransfer.jobs.get storagetransfer.jobs.list storagetransfer.jobs.run storagetransfer.jobs.update storagetransfer.operations.* storagetransfer. |
Storage Transfer Viewer( Read access to storage transfer jobs and operations. |
resourcemanager.projects.get resourcemanager.projects.list storagetransfer.agentpools.get storagetransfer. storagetransfer.jobs.get storagetransfer.jobs.list storagetransfer.operations.get storagetransfer. storagetransfer. |
Cloud Storage Legacy roles |
Permissions |
Storage Legacy Bucket Owner( Grants permission to create, overwrite, and delete objects; list objects in a bucket and read object metadata, excluding allow policies, when listing; and read and edit bucket metadata, including allow policies. Use of this role is also reflected in the bucket's ACLs. For more information, see IAM relation to ACLs. Lowest-level resources where you can grant this role:
|
storage.bucketOperations.* storage. storage. storage. storage.buckets.get storage.buckets.getIamPolicy storage. storage. storage.buckets.restore storage.buckets.setIamPolicy storage.buckets.update storage.managedFolders.* storage.multipartUploads.* storage.objects.create storage.objects.delete storage.objects.list storage.objects.restore storage.objects.setRetention |
Storage Legacy Bucket Reader( Grants permission to list a bucket's contents and read bucket metadata, excluding allow policies. Also grants permission to read object metadata, excluding allow policies, when listing objects. Use of this role is also reflected in the bucket's ACLs. For more information, see IAM relation to ACLs. Lowest-level resources where you can grant this role:
|
storage.buckets.get storage.managedFolders.get storage.managedFolders.list storage.multipartUploads.list storage.objects.list |
Storage Legacy Bucket Writer( Grants permission to create, overwrite, and delete objects; list objects in a bucket and read object metadata, excluding allow policies, when listing; and read bucket metadata, excluding allow policies. Use of this role is also reflected in the bucket's ACLs. For more information, see IAM relation to ACLs. Lowest-level resources where you can grant this role:
|
storage.buckets.get storage.managedFolders.create storage.managedFolders.delete storage.managedFolders.get storage.managedFolders.list storage.multipartUploads.* storage.objects.create storage.objects.delete storage.objects.list storage.objects.restore storage.objects.setRetention |
Storage Legacy Object Owner( Grants permission to view and edit objects and their metadata, including ACLs. Lowest-level resources where you can grant this role:
|
storage.objects.get storage.objects.getIamPolicy storage. storage.objects.setIamPolicy storage.objects.setRetention storage.objects.update |
Storage Legacy Object Reader( Grants permission to view objects and their metadata, excluding ACLs. Lowest-level resources where you can grant this role:
|
storage.objects.get |
Cloud Talent Solution roles |
Permissions |
Admin( Access to Cloud Talent Solution Self-Service Tools. |
cloudjobdiscovery.tools.access iam.serviceAccounts.list resourcemanager.projects.get resourcemanager.projects.list |
Job Editor( Write access to all job data in Cloud Talent Solution. |
cloudjobdiscovery.companies.* cloudjobdiscovery. cloudjobdiscovery.jobs.* cloudjobdiscovery.tenants.* resourcemanager.projects.get resourcemanager.projects.list |
Job Viewer( Read access to all job data in Cloud Talent Solution. |
cloudjobdiscovery. cloudjobdiscovery. cloudjobdiscovery.jobs.get cloudjobdiscovery.jobs.search cloudjobdiscovery.tenants.get resourcemanager.projects.get resourcemanager.projects.list |
Profile Editor( Write access to all profile data in Cloud Talent Solution. |
cloudjobdiscovery. cloudjobdiscovery.profiles.* cloudjobdiscovery.tenants.* resourcemanager.projects.get resourcemanager.projects.list |
Profile Viewer( Read access to all profile data in Cloud Talent Solution. |
cloudjobdiscovery.profiles.get cloudjobdiscovery. cloudjobdiscovery.tenants.get resourcemanager.projects.get resourcemanager.projects.list |
Cloud Tasks roles |
Permissions |
Cloud Tasks Admin Beta( Full access to queues and tasks. |
cloudtasks.* monitoring.timeSeries.list resourcemanager.projects.get resourcemanager.projects.list |
Cloud Tasks Enqueuer Beta( Access to create tasks. |
cloudtasks.tasks.create cloudtasks.tasks.fullView resourcemanager.projects.get resourcemanager.projects.list |
Cloud Tasks Queue Admin Beta( Admin access to queues. |
cloudtasks.locations.* cloudtasks.queues.* resourcemanager.projects.get resourcemanager.projects.list |
Cloud Tasks Task Deleter Beta( Access to delete tasks. |
cloudtasks.tasks.delete resourcemanager.projects.get resourcemanager.projects.list |
Cloud Tasks Task Runner Beta( Access to run tasks. |
cloudtasks.tasks.fullView cloudtasks.tasks.run resourcemanager.projects.get resourcemanager.projects.list |
Cloud Tasks Viewer Beta( Get and list access to tasks, queues, and locations. |
cloudtasks.cmekConfig.get cloudtasks.locations.* cloudtasks.queues.get cloudtasks.queues.list cloudtasks.tasks.fullView cloudtasks.tasks.get cloudtasks.tasks.list monitoring.timeSeries.list resourcemanager.projects.get resourcemanager.projects.list |
Cloud TPU roles |
Permissions |
TPU Admin( Full access to TPU nodes and related resources. |
resourcemanager.projects.get resourcemanager.projects.list tpu.* |
TPU Viewer( Read-only access to TPU nodes and related resources. |
resourcemanager.projects.get resourcemanager.projects.list tpu.acceleratortypes.* tpu.locations.* tpu.nodes.get tpu.nodes.list tpu.operations.* tpu.runtimeversions.* tpu.tensorflowversions.* |
TPU Shared VPC Agent( Can use shared VPC network (XPN) for the TPU VMs. |
compute. compute. compute.addresses.get compute.addresses.list compute.addresses.use compute.addresses.useInternal compute.firewalls.create compute.firewalls.delete compute.firewalls.get compute.firewalls.update compute.globalOperations.get compute.networks.get compute.networks.list compute.networks.updatePolicy compute.networks.use compute.networks.useExternalIp compute.routes.list compute.subnetworks.get compute.subnetworks.list compute.subnetworks.use compute. compute.zoneOperations.get |
Cloud Trace roles |
Permissions |
Cloud Trace Admin( Provides full access to the Trace console and read-write access to traces. Lowest-level resources where you can grant this role:
|
cloudtrace.* resourcemanager.projects.get resourcemanager.projects.list |
Cloud Trace Agent( For service accounts. Provides ability to write traces by sending the data to Stackdriver Trace. Lowest-level resources where you can grant this role:
|
cloudtrace.traces.patch |
Cloud Trace User( Provides full access to the Trace console and read access to traces. Lowest-level resources where you can grant this role:
|
cloudtrace.insights.* cloudtrace.stats.get cloudtrace.tasks.* cloudtrace.traces.get cloudtrace.traces.list resourcemanager.projects.get resourcemanager.projects.list |
Cloud Translation roles |
Permissions |
Cloud Translation API Admin( Full access to all Cloud Translation resources |
automl.models.get automl.models.predict cloudtranslate.* resourcemanager.projects.get resourcemanager.projects.list |
Cloud Translation API Editor( Editor of all Cloud Translation resources |
automl.models.get automl.models.predict cloudtranslate.* resourcemanager.projects.get resourcemanager.projects.list |
Cloud Translation API User( User of Cloud Translation and AutoML models |
automl.models.get automl.models.predict cloudtranslate. cloudtranslate. cloudtranslate. cloudtranslate. cloudtranslate. cloudtranslate. cloudtranslate. cloudtranslate. cloudtranslate. cloudtranslate.datasets.get cloudtranslate.datasets.list cloudtranslate.generalModels.* cloudtranslate. cloudtranslate. cloudtranslate. cloudtranslate.glossaries.get cloudtranslate.glossaries.list cloudtranslate. cloudtranslate. cloudtranslate. cloudtranslate. cloudtranslate.locations.* cloudtranslate.operations.get cloudtranslate.operations.list cloudtranslate.operations.wait resourcemanager.projects.get resourcemanager.projects.list |
Cloud Translation API Viewer( Viewer of all Translation resources |
automl.models.get cloudtranslate. cloudtranslate. cloudtranslate. cloudtranslate. cloudtranslate. cloudtranslate. cloudtranslate. cloudtranslate.datasets.get cloudtranslate.datasets.list cloudtranslate. cloudtranslate.glossaries.get cloudtranslate.glossaries.list cloudtranslate. cloudtranslate. cloudtranslate.locations.* cloudtranslate.operations.get cloudtranslate.operations.list cloudtranslate.operations.wait resourcemanager.projects.get resourcemanager.projects.list |
Cloud Workstations roles |
Permissions |
Cloud Workstations Admin( Grants CRUD access to all Workstation resources. |
compute.acceleratorTypes.* compute.machineTypes.* compute.networks.get compute.networks.list compute.subnetworks.get compute.subnetworks.list compute.zones.* iam.serviceAccounts.get iam.serviceAccounts.list resourcemanager.projects.get resourcemanager.projects.list workstations.operations.get workstations. workstations. workstations. workstations. workstations.workstations.get workstations. workstations.workstations.list workstations. workstations. workstations.workstations.stop workstations. |
Cloud Workstations Network Admin( Grants ability to connect a Workstation Cluster to a shared VPC network. |
compute.addresses.create compute. compute.addresses.delete compute. compute.addresses.get compute.addresses.use compute.forwardingRules.create compute.forwardingRules.delete compute.forwardingRules.get compute. compute. compute.globalOperations.get compute.networks.get compute.networks.updatePolicy compute.networks.use compute.networks.useExternalIp compute.regionOperations.get compute.subnetworks.get compute.subnetworks.use compute. compute.zoneOperations.get servicedirectory. servicedirectory. servicedirectory. servicedirectory. |
Cloud Workstations Operation Viewer( Grants ability to view Cloud Workstations API operations. |
workstations.operations.get |
Cloud Workstations User( Grants runtime access to Workstation resources. |
workstations.operations.get workstations. workstations.workstations.get workstations. workstations.workstations.stop workstations. workstations.workstations.use |
Cloud Workstations Creator( Grants ability to create Workstation resources. |
resourcemanager.projects.get resourcemanager.projects.list workstations.operations.get workstations. workstations. workstations. workstations. |
Compute Engine roles |
Permissions |
Compute Admin( Full control of all Compute Engine resources.
If the user will be managing virtual machine instances that are configured
to run as a service account, you must also grant the
Lowest-level resources where you can grant this role:
|
compute.* resourcemanager.projects.get resourcemanager.projects.list serviceusage.quotas.get serviceusage.services.get serviceusage.services.list |
Compute Future Reservation Admin Beta(
|
compute.acceleratorTypes.list compute. compute. compute. compute.futureReservations.get compute. compute. compute.instanceTemplates.list compute.machineTypes.list compute.regions.list compute.reservations.create compute.zones.list |
Compute Future Reservation User Beta(
|
compute.acceleratorTypes.list compute. compute. compute.futureReservations.get compute. compute. compute.instanceTemplates.list compute.machineTypes.list compute.regions.list compute.reservations.create compute.zones.list |
Compute Future Reservation Viewer Beta(
|
compute.acceleratorTypes.list compute.futureReservations.get compute. compute.instanceTemplates.list compute.machineTypes.list compute.regions.list compute.zones.list |
Compute Image User( Permission to list and read images without having other permissions on the image. Granting this role at the project level gives users the ability to list all images in the project and create resources, such as instances and persistent disks, based on images in the project. Lowest-level resources where you can grant this role:
|
compute.images.get compute.images.getFromFamily compute.images.list compute.images.useReadOnly resourcemanager.projects.get resourcemanager.projects.list serviceusage.quotas.get serviceusage.services.get serviceusage.services.list |
Compute Instance Admin (beta)( Permissions to create, modify, and delete virtual machine instances. This includes permissions to create, modify, and delete disks, and also to configure Shielded VM settings.
If the user will be managing virtual machine instances that are configured
to run as a service account, you must also grant the
For example, if your company has someone who manages groups of virtual machine instances but does not manage network or security settings and does not manage instances that run as service accounts, you can grant this role on the organization, folder, or project that contains the instances, or you can grant it on individual instances. Lowest-level resources where you can grant this role:
|
compute.acceleratorTypes.* compute. compute. compute.addresses.get compute.addresses.list compute.addresses.use compute.addresses.useInternal compute.autoscalers.* compute.diskTypes.* compute.disks.create compute.disks.createSnapshot compute.disks.delete compute.disks.get compute.disks.list compute.disks.resize compute.disks.setLabels compute. compute. compute. compute.disks.update compute.disks.use compute.disks.useReadOnly compute.globalAddresses.get compute.globalAddresses.list compute.globalAddresses.use compute. compute.globalOperations.get compute.globalOperations.list compute.images.get compute.images.getFromFamily compute.images.list compute.images.useReadOnly compute. compute.instanceGroups.* compute.instanceSettings.get compute.instanceTemplates.* compute.instances.* compute.licenses.get compute.licenses.list compute.machineImages.* compute.machineTypes.* compute. compute.networks.get compute.networks.list compute. compute. compute.networks.use compute.networks.useExternalIp compute.projects.get compute. compute.regionOperations.get compute.regionOperations.list compute.regions.* compute.reservations.get compute.reservations.list compute. compute.storagePools.get compute.storagePools.list compute.storagePools.use compute.subnetworks.get compute.subnetworks.list compute. compute. compute.subnetworks.use compute. compute.targetPools.get compute.targetPools.list compute. compute. compute.zoneOperations.get compute.zoneOperations.list compute.zones.* resourcemanager.projects.get resourcemanager.projects.list serviceusage.quotas.get serviceusage.services.get serviceusage.services.list |
Compute Instance Admin (v1)( Full control of Compute Engine instances, instance groups, disks, snapshots, and images. Read access to all Compute Engine networking resources. If you grant a user this role only at an instance level, then that user cannot create new instances. |
compute.acceleratorTypes.* compute. compute. compute.addresses.get compute.addresses.list compute.addresses.use compute.addresses.useInternal compute.autoscalers.* compute.backendBuckets.get compute.backendBuckets.list compute. compute. compute.backendServices.get compute.backendServices.list compute. compute. compute.diskTypes.* compute.disks.* compute. compute. compute.firewalls.get compute.firewalls.list compute. compute. compute.forwardingRules.get compute.forwardingRules.list compute. compute. compute.globalAddresses.get compute.globalAddresses.list compute.globalAddresses.use compute. compute. compute. compute. compute. compute. compute.globalOperations.get compute.globalOperations.list compute.healthChecks.get compute.healthChecks.list compute. compute. compute.httpHealthChecks.get compute.httpHealthChecks.list compute. compute. compute.httpsHealthChecks.get compute.httpsHealthChecks.list compute. compute. compute.images.* compute. compute.instanceGroups.* compute.instanceSettings.* compute.instanceTemplates.* compute.instances.* compute.instantSnapshots.* compute. compute. compute. compute. compute.interconnects.get compute.interconnects.list compute.licenseCodes.* compute.licenses.* compute.machineImages.* compute.machineTypes.* compute.networkAttachments.get compute. compute. compute.networks.get compute.networks.list compute. compute. compute.networks.use compute.networks.useExternalIp compute.projects.get compute. compute. compute. compute. compute. compute. compute. compute.regionHealthChecks.get compute. compute. compute. compute. compute. compute. compute.regionOperations.get compute.regionOperations.list compute. compute. compute. compute. compute.regionSslPolicies.get compute.regionSslPolicies.list compute. compute. compute. compute. compute. compute. compute. compute. compute. compute. compute. compute.regionUrlMaps.get compute.regionUrlMaps.list compute. compute. 
compute.regions.* compute.reservations.get compute.reservations.list compute.resourcePolicies.* compute.routers.get compute.routers.getRoutePolicy compute.routers.list compute.routers.listBgpRoutes compute. compute.routes.get compute.routes.list compute. compute.routes.listTagBindings compute.serviceAttachments.get compute. compute.snapshots.* compute.sslCertificates.get compute.sslCertificates.list compute. compute. compute.sslPolicies.get compute.sslPolicies.list compute. compute. compute. compute.storagePools.get compute.storagePools.list compute.storagePools.use compute.subnetworks.get compute.subnetworks.list compute. compute. compute.subnetworks.use compute. compute.targetGrpcProxies.get compute.targetGrpcProxies.list compute.targetHttpProxies.get compute.targetHttpProxies.list compute. compute. compute.targetHttpsProxies.get compute. compute. compute. compute.targetInstances.get compute.targetInstances.list compute. compute. compute.targetPools.get compute.targetPools.list compute. compute. compute.targetSslProxies.get compute.targetSslProxies.list compute. compute. compute.targetTcpProxies.get compute.targetTcpProxies.list compute. compute. compute.targetVpnGateways.get compute.targetVpnGateways.list compute.urlMaps.get compute.urlMaps.list compute. compute. compute.vpnGateways.get compute.vpnGateways.list compute.vpnTunnels.get compute.vpnTunnels.list compute.zoneOperations.get compute.zoneOperations.list compute.zones.* resourcemanager.projects.get resourcemanager.projects.list serviceusage.quotas.get serviceusage.services.get serviceusage.services.list |
Compute Load Balancer Admin( Permissions to create, modify, and delete load balancers and associate resources. For example, if your company has a load balancing team that manages load balancers, SSL certificates for load balancers, SSL policies, and other load balancing resources, and a separate networking team that manages the rest of the networking resources, then grant this role to the load balancing team's group. Lowest-level resources where you can grant this role:
|
certificatemanager. certificatemanager. certificatemanager. compute.addresses.* compute.backendBuckets.* compute.backendServices.* compute. compute.disks.listTagBindings compute.forwardingRules.* compute.globalAddresses.* compute. compute. compute.globalOperations.get compute.globalOperations.list compute.healthChecks.* compute.httpHealthChecks.* compute.httpsHealthChecks.* compute. compute.images.listTagBindings compute.instanceGroups.* compute.instances.get compute.instances.list compute. compute. compute.instances.use compute.instances.useReadOnly compute. compute.networks.get compute.networks.list compute. compute. compute.networks.use compute.projects.get compute. compute. compute.regionHealthChecks.* compute. compute. compute.regionOperations.get compute.regionOperations.list compute. compute. compute. compute. compute. compute. compute.regionSslPolicies.* compute. compute. compute. compute.regionUrlMaps.* compute.securityPolicies.get compute.securityPolicies.list compute. compute. compute.securityPolicies.use compute. compute. compute.sslCertificates.* compute.sslPolicies.* compute.subnetworks.get compute.subnetworks.list compute. compute. compute.subnetworks.use compute.targetGrpcProxies.* compute.targetHttpProxies.* compute.targetHttpsProxies.* compute.targetInstances.* compute.targetPools.* compute.targetSslProxies.* compute.targetTcpProxies.* compute.urlMaps.* compute.zoneOperations.get compute.zoneOperations.list networksecurity. networksecurity. networksecurity. networksecurity. networksecurity. networksecurity. resourcemanager.projects.get resourcemanager.projects.list serviceusage.quotas.get serviceusage.services.get serviceusage.services.list |
Compute Load Balancer Services User( Permissions to use services from a load balancer in other projects. |
compute.backendServices.get compute.backendServices.list compute. compute. compute.backendServices.use compute.projects.get compute. compute. compute. compute. compute. resourcemanager.projects.get resourcemanager.projects.list serviceusage.quotas.get serviceusage.services.get serviceusage.services.list |
Compute Network Admin( Permissions to create, modify, and delete networking resources, except for firewall rules and SSL certificates. The network admin role allows read-only access to firewall rules, SSL certificates, and instances (to view their ephemeral IP addresses). The network admin role does not allow a user to create, start, stop, or delete instances.
For example, if your company has a security team that manages firewalls
and SSL certificates and a networking team that manages the rest of the
networking resources, then grant this role to the networking team's group.
Or, if you have a combined team that manages both security and networking,
then grant this role as well as the
Lowest-level resources where you can grant this role:
|
compute.acceleratorTypes.* compute.addresses.* compute.autoscalers.get compute.autoscalers.list compute.backendBuckets.* compute.backendServices.* compute. compute.disks.listTagBindings compute.externalVpnGateways.* compute.firewallPolicies.get compute.firewallPolicies.list compute. compute. compute.firewallPolicies.use compute.firewalls.get compute.firewalls.list compute. compute. compute.forwardingRules.* compute.globalAddresses.* compute. compute. compute. compute. compute. compute. compute.globalOperations.get compute.globalOperations.list compute. compute. compute. compute. compute. compute.healthChecks.* compute.httpHealthChecks.* compute.httpsHealthChecks.* compute. compute.images.listTagBindings compute. compute. compute. compute. compute. compute. compute.instanceGroups.get compute.instanceGroups.list compute.instanceGroups.update compute.instanceGroups.use compute.instanceSettings.get compute.instances.get compute. compute. compute. compute.instances.list compute. compute. compute. compute. compute.instances.use compute.instances.useReadOnly compute. compute. compute. compute.interconnects.* compute.machineTypes.* compute.networkAttachments.* compute. compute. compute. compute. compute. compute.networks.* compute.packetMirrorings.get compute.packetMirrorings.list compute.projects.get compute. compute. compute. compute. compute. compute. compute. compute. compute. compute. compute. compute. compute.regionHealthChecks.* compute. compute. compute. compute. compute. compute. compute.regionOperations.get compute.regionOperations.list compute. compute. compute. compute. compute. compute. compute. compute. compute. compute.regionSslPolicies.* compute. compute. compute. compute.regionUrlMaps.* compute.regions.* compute.routers.* compute.routes.* compute.securityPolicies.get compute.securityPolicies.list compute. compute. compute.securityPolicies.use compute.serviceAttachments.* compute. compute. compute.sslCertificates.get compute.sslCertificates.list compute. 
compute. compute.sslPolicies.* compute.subnetworks.* compute.targetGrpcProxies.* compute.targetHttpProxies.* compute.targetHttpsProxies.* compute.targetInstances.* compute.targetPools.* compute.targetSslProxies.* compute.targetTcpProxies.* compute.targetVpnGateways.* compute.urlMaps.* compute.vpnGateways.* compute.vpnTunnels.* compute.zoneOperations.get compute.zoneOperations.list compute.zones.* networkconnectivity. networkconnectivity. networkconnectivity. networkconnectivity. networkconnectivity. networkconnectivity. networkconnectivity. networkconnectivity. networksecurity.* networkservices.* resourcemanager.projects.get resourcemanager.projects.list servicedirectory. servicedirectory. servicedirectory. servicedirectory. servicenetworking. servicenetworking. servicenetworking. servicenetworking. servicenetworking. servicenetworking. servicenetworking. servicenetworking.services.get servicenetworking. serviceusage.quotas.get serviceusage.services.get serviceusage.services.list trafficdirector.* |
Compute Network User( Provides access to a shared VPC network. Once granted, service owners can use VPC networks and subnets that belong to the host project. For example, a network user can create a VM instance that belongs to a host project network but they cannot delete or create new networks in the host project. Lowest-level resources where you can grant this role:
|
compute. compute. compute.addresses.get compute.addresses.list compute.addresses.useInternal compute. compute. compute. compute.firewalls.get compute.firewalls.list compute. compute. compute.instanceSettings.get compute. compute. compute. compute. compute.interconnects.get compute.interconnects.list compute.interconnects.use compute.networkAttachments.get compute. compute.networks.access compute.networks.get compute. compute. compute.networks.list compute. compute. compute. compute.networks.use compute.networks.useExternalIp compute.projects.get compute.regions.* compute.routers.get compute.routers.getRoutePolicy compute.routers.list compute.routers.listBgpRoutes compute. compute.routes.get compute.routes.list compute. compute.routes.listTagBindings compute.serviceAttachments.get compute. compute.subnetworks.get compute.subnetworks.list compute. compute. compute.subnetworks.use compute. compute.targetVpnGateways.get compute.targetVpnGateways.list compute.vpnGateways.get compute.vpnGateways.list compute.vpnGateways.use compute.vpnTunnels.get compute.vpnTunnels.list compute.zones.* networkconnectivity. networkconnectivity. networkconnectivity. networkconnectivity. networkconnectivity. networkconnectivity. networkconnectivity. networksecurity. networksecurity. networksecurity. networksecurity. networksecurity. networksecurity. networksecurity. networksecurity. networksecurity. networksecurity. networksecurity. networksecurity. networksecurity. networksecurity. networksecurity. networksecurity. networksecurity. networksecurity. networksecurity. networksecurity. networksecurity.locations.* networksecurity.operations.get networksecurity. networksecurity. networksecurity. networksecurity. networksecurity. networksecurity. networksecurity. networksecurity. networksecurity. networksecurity. networksecurity. networksecurity. networksecurity. networksecurity.urlLists.get networksecurity.urlLists.list networksecurity.urlLists.use networkservices. networkservices. 
networkservices. networkservices. networkservices. networkservices. networkservices.gateways.get networkservices.gateways.list networkservices.gateways.use networkservices.grpcRoutes.get networkservices. networkservices.grpcRoutes.use networkservices. networkservices. networkservices. networkservices.httpRoutes.get networkservices. networkservices.httpRoutes.use networkservices. networkservices. networkservices. networkservices. networkservices. networkservices. networkservices. networkservices.locations.* networkservices.meshes.get networkservices.meshes.list networkservices.meshes.use networkservices.operations.get networkservices. networkservices. networkservices. networkservices. networkservices. networkservices.tcpRoutes.get networkservices.tcpRoutes.list networkservices.tcpRoutes.use networkservices.tlsRoutes.get networkservices.tlsRoutes.list networkservices.tlsRoutes.use resourcemanager.projects.get resourcemanager.projects.list servicenetworking.services.get serviceusage.quotas.get serviceusage.services.get serviceusage.services.list |
Compute Network Viewer( Read-only access to all networking resources. For example, if you have software that inspects your network configuration, you could grant this role to that software's service account. Lowest-level resources where you can grant this role:
|
compute.acceleratorTypes.* compute.addresses.get compute.addresses.list compute.autoscalers.get compute.autoscalers.list compute.backendBuckets.get compute.backendBuckets.list compute. compute. compute.backendServices.get compute.backendServices.list compute. compute. compute. compute.disks.listTagBindings compute. compute. compute.firewalls.get compute.firewalls.list compute. compute. compute.forwardingRules.get compute.forwardingRules.list compute. compute. compute.globalAddresses.get compute.globalAddresses.list compute. compute. compute. compute. compute. compute.healthChecks.get compute.healthChecks.list compute. compute. compute.httpHealthChecks.get compute.httpHealthChecks.list compute. compute. compute.httpsHealthChecks.get compute.httpsHealthChecks.list compute. compute. compute. compute.images.listTagBindings compute. compute. compute. compute. compute.instanceGroups.get compute.instanceGroups.list compute.instanceSettings.get compute.instances.get compute. compute. compute. compute.instances.list compute. compute. compute. compute. compute. compute. compute. compute.interconnects.get compute.interconnects.list compute.machineTypes.* compute.networkAttachments.get compute. compute.networks.get compute. compute. compute.networks.list compute. compute. compute. compute.packetMirrorings.get compute.packetMirrorings.list compute.projects.get compute. compute. compute. compute. compute. compute. compute.regionHealthChecks.get compute. compute. compute. compute. compute. compute. compute. compute. compute. compute.regionSslPolicies.get compute.regionSslPolicies.list compute. compute. compute. compute. compute. compute. compute. compute. compute. compute. compute. compute.regionUrlMaps.get compute.regionUrlMaps.list compute. compute. compute.regions.* compute.routers.get compute.routers.getRoutePolicy compute.routers.list compute.routers.listBgpRoutes compute. compute.routes.get compute.routes.list compute. 
compute.routes.listTagBindings compute.serviceAttachments.get compute. compute. compute. compute.sslCertificates.get compute.sslCertificates.list compute. compute. compute.sslPolicies.get compute.sslPolicies.list compute. compute. compute. compute.subnetworks.get compute.subnetworks.list compute. compute. compute.targetGrpcProxies.get compute.targetGrpcProxies.list compute.targetHttpProxies.get compute.targetHttpProxies.list compute. compute. compute.targetHttpsProxies.get compute. compute. compute. compute.targetInstances.get compute.targetInstances.list compute. compute. compute.targetPools.get compute.targetPools.list compute. compute. compute.targetSslProxies.get compute.targetSslProxies.list compute. compute. compute.targetTcpProxies.get compute.targetTcpProxies.list compute. compute. compute.targetVpnGateways.get compute.targetVpnGateways.list compute.urlMaps.get compute.urlMaps.list compute. compute. compute.vpnGateways.get compute.vpnGateways.list compute.vpnTunnels.get compute.vpnTunnels.list compute.zones.* networkconnectivity. networkconnectivity. networkconnectivity. networkconnectivity. networkconnectivity. networkconnectivity. networkconnectivity. networksecurity. networksecurity. networksecurity. networksecurity. networksecurity. networksecurity. networksecurity. networksecurity. networksecurity. networksecurity. networksecurity. networksecurity. networksecurity. networksecurity. networksecurity.locations.* networksecurity.operations.get networksecurity. networksecurity. networksecurity. networksecurity. networksecurity. networksecurity. networksecurity. networksecurity. networksecurity. networksecurity.urlLists.get networksecurity.urlLists.list networkservices. networkservices. networkservices. networkservices. networkservices.gateways.get networkservices.gateways.list networkservices.grpcRoutes.get networkservices. networkservices. networkservices. networkservices.httpRoutes.get networkservices. networkservices. networkservices. networkservices. 
networkservices. networkservices. networkservices. networkservices.locations.* networkservices.meshes.get networkservices.meshes.list networkservices.operations.get networkservices. networkservices. networkservices. networkservices. networkservices. networkservices.tcpRoutes.get networkservices.tcpRoutes.list networkservices.tlsRoutes.get networkservices.tlsRoutes.list resourcemanager.projects.get resourcemanager.projects.list servicenetworking.services.get serviceusage.quotas.get serviceusage.services.get serviceusage.services.list trafficdirector.* |
Compute Organization Firewall Policy Admin( Full control of Compute Engine Organization Firewall Policies. |
compute. compute. compute. compute. compute. compute.firewallPolicies.get compute. compute.firewallPolicies.list compute. compute. compute.firewallPolicies.move compute. compute. compute.firewallPolicies.use compute.globalOperations.get compute. compute.globalOperations.list compute. compute.projects.get compute. compute.regionOperations.get compute. compute.regionOperations.list compute. resourcemanager.projects.get resourcemanager.projects.list serviceusage.quotas.get serviceusage.services.get serviceusage.services.list |
Compute Organization Firewall Policy User( View or use Compute Engine Firewall Policies to associate with the organization or folders. |
compute.firewallPolicies.get compute.firewallPolicies.list compute. compute. compute.firewallPolicies.use compute.globalOperations.get compute. compute.globalOperations.list compute.projects.get compute. compute. compute. compute. compute. compute.regionOperations.get compute. compute.regionOperations.list resourcemanager.projects.get resourcemanager.projects.list serviceusage.quotas.get serviceusage.services.get serviceusage.services.list |
Compute Organization Security Policy Admin( Full control of Compute Engine Organization Security Policies. |
compute.firewallPolicies.* compute.globalOperations.get compute. compute.globalOperations.list compute. compute.projects.get compute. compute. compute. compute. compute. compute. compute.securityPolicies.get compute. compute.securityPolicies.list compute. compute. compute.securityPolicies.move compute. compute. compute. compute.securityPolicies.use resourcemanager.projects.get resourcemanager.projects.list serviceusage.quotas.get serviceusage.services.get serviceusage.services.list |
Compute Organization Security Policy User( View or use Compute Engine Security Policies to associate with the organization or folders. |
compute. compute.firewallPolicies.get compute.firewallPolicies.list compute. compute. compute. compute.firewallPolicies.use compute.globalOperations.get compute. compute.globalOperations.list compute. compute.projects.get compute. compute.securityPolicies.get compute.securityPolicies.list compute. compute. compute. compute.securityPolicies.use resourcemanager.projects.get resourcemanager.projects.list serviceusage.quotas.get serviceusage.services.get serviceusage.services.list |
Compute Organization Resource Admin( Full control of Compute Engine Firewall Policy associations to the organization or folders. |
compute.globalOperations.get compute. compute.globalOperations.list compute. compute. compute. compute. compute.projects.get resourcemanager.projects.get resourcemanager.projects.list serviceusage.quotas.get serviceusage.services.get serviceusage.services.list |
Compute OS Admin Login( Access to log in to a Compute Engine instance as an administrator user. Lowest-level resources where you can grant this role:
|
compute. compute.disks.listTagBindings compute. compute.images.listTagBindings compute.instanceSettings.get compute.instances.get compute.instances.list compute. compute. compute.instances.osAdminLogin compute.instances.osLogin compute.projects.get compute. compute. resourcemanager.projects.get resourcemanager.projects.list serviceusage.quotas.get serviceusage.services.get serviceusage.services.list |
Compute OS Login( Access to log in to a Compute Engine instance as a standard user. Lowest-level resources where you can grant this role:
|
compute. compute.disks.listTagBindings compute. compute.images.listTagBindings compute.instanceSettings.get compute.instances.get compute.instances.list compute. compute. compute.instances.osLogin compute.projects.get compute. compute. resourcemanager.projects.get resourcemanager.projects.list serviceusage.quotas.get serviceusage.services.get serviceusage.services.list |
Compute OS Login External User( Available only at the organization level. Access for an external user to set OS Login information associated with this organization. This role does not grant access to instances. External users must be granted one of the required OS Login roles in order to allow access to instances using SSH. Lowest-level resources where you can grant this role:
|
compute. |
Compute packet mirroring admin( Specify resources to be mirrored. |
compute. compute.networks.mirror compute.projects.get compute.subnetworks.mirror resourcemanager.projects.get resourcemanager.projects.list serviceusage.quotas.get serviceusage.services.get serviceusage.services.list |
Compute packet mirroring user( Use Compute Engine packet mirrorings. |
compute.packetMirrorings.* compute.projects.get resourcemanager.projects.get resourcemanager.projects.list serviceusage.quotas.get serviceusage.services.get serviceusage.services.list |
Compute Public IP Admin( Full control of public IP address management for Compute Engine. |
compute.addresses.* compute.globalAddresses.* compute. compute. compute. resourcemanager.projects.get resourcemanager.projects.list |
Compute Security Admin( Permissions to create, modify, and delete firewall rules and SSL certificates, and also to configure Shielded VM settings. For example, if your company has a security team that manages firewalls and SSL certificates and a networking team that manages the rest of the networking resources, then grant this role to the security team's group. Lowest-level resources where you can grant this role:
|
compute.backendBuckets.list compute.backendServices.list compute.firewallPolicies.* compute.firewalls.* compute.globalOperations.get compute.globalOperations.list compute.instanceSettings.get compute. compute.instances.list compute. compute. compute. compute. compute. compute.networks.get compute. compute. compute.networks.list compute. compute. compute.networks.updatePolicy compute.packetMirrorings.* compute.projects.get compute. compute. compute.regionOperations.get compute.regionOperations.list compute. compute. compute.regionSslPolicies.* compute.regions.* compute.routers.get compute.routers.getRoutePolicy compute.routers.list compute.routers.listBgpRoutes compute. compute.routes.get compute.routes.list compute. compute.routes.listTagBindings compute.securityPolicies.* compute.sslCertificates.* compute.sslPolicies.* compute.subnetworks.get compute.subnetworks.list compute. compute. compute.targetInstances.list compute.targetPools.list compute.zoneOperations.get compute.zoneOperations.list compute.zones.* resourcemanager.projects.get resourcemanager.projects.list serviceusage.quotas.get serviceusage.services.get serviceusage.services.list |
Compute Sole Tenant Viewer( Permissions to view sole tenancy node groups |
compute.nodeGroups.get compute. compute.nodeGroups.list compute.nodeTemplates.get compute. compute.nodeTemplates.list compute.nodeTypes.* |
Compute Storage Admin( Permissions to create, modify, and delete disks, images, and snapshots. For example, if your company has someone who manages project images and you don't want them to have the editor role on the project, then grant this role to their account on the project. Lowest-level resources where you can grant this role:
|
compute.diskTypes.* compute.disks.* compute.globalOperations.get compute.globalOperations.list compute.images.* compute.instanceSettings.get compute.instantSnapshots.* compute.licenseCodes.* compute.licenses.* compute.projects.get compute.regionOperations.get compute.regionOperations.list compute.regions.* compute.resourcePolicies.* compute.snapshots.* compute.storagePools.* compute.zoneOperations.get compute.zoneOperations.list compute.zones.* resourcemanager.projects.get resourcemanager.projects.list serviceusage.quotas.get serviceusage.services.get serviceusage.services.list |
Compute Viewer( Read-only access to get and list Compute Engine resources, without being able to read the data stored on them. For example, an account with this role could inventory all of the disks in a project, but it could not read any of the data on those disks. Lowest-level resources where you can grant this role:
|
compute.acceleratorTypes.* compute.addresses.get compute.addresses.list compute.autoscalers.get compute.autoscalers.list compute.backendBuckets.get compute. compute.backendBuckets.list compute. compute. compute.backendServices.get compute. compute.backendServices.list compute. compute. compute.commitments.get compute.commitments.list compute.diskTypes.* compute.disks.get compute.disks.getIamPolicy compute.disks.list compute. compute.disks.listTagBindings compute. compute. compute.firewallPolicies.get compute. compute.firewallPolicies.list compute. compute. compute.firewalls.get compute.firewalls.list compute. compute. compute.forwardingRules.get compute.forwardingRules.list compute. compute. compute.futureReservations.get compute. compute. compute.globalAddresses.get compute.globalAddresses.list compute. compute. compute. compute. compute. compute. compute. compute. compute. compute.globalOperations.get compute. compute.globalOperations.list compute. compute. compute.healthChecks.get compute.healthChecks.list compute. compute. compute.httpHealthChecks.get compute.httpHealthChecks.list compute. compute. compute.httpsHealthChecks.get compute.httpsHealthChecks.list compute. compute. compute.images.get compute.images.getFromFamily compute.images.getIamPolicy compute.images.list compute. compute.images.listTagBindings compute. compute. compute. compute. compute.instanceGroups.get compute.instanceGroups.list compute.instanceSettings.get compute.instanceTemplates.get compute. compute.instanceTemplates.list compute.instances.get compute. compute. compute.instances.getIamPolicy compute. compute. compute. compute. compute.instances.list compute. compute. compute. compute.instantSnapshots.get compute. compute.instantSnapshots.list compute. compute. compute. compute. compute.interconnects.get compute.interconnects.list compute.licenseCodes.get compute. 
compute.licenseCodes.list compute.licenses.get compute.licenses.getIamPolicy compute.licenses.list compute.machineImages.get compute. compute.machineImages.list compute.machineTypes.* compute. compute. compute. compute.networkAttachments.get compute. compute. compute. compute. compute. compute. compute. compute. compute. compute.networks.get compute. compute. compute.networks.list compute. compute. compute. compute.nodeGroups.get compute. compute.nodeGroups.list compute.nodeTemplates.get compute. compute.nodeTemplates.list compute.nodeTypes.* compute. compute.packetMirrorings.get compute.packetMirrorings.list compute.projects.get compute. compute. compute. compute. compute. compute. compute. compute. compute. compute. compute. compute. compute. compute. compute. compute. compute.regionHealthChecks.get compute. compute. compute. compute. compute. compute. compute. compute. compute. compute.regionOperations.get compute. compute.regionOperations.list compute. compute. compute. compute. compute. compute. compute. compute. compute.regionSslPolicies.get compute.regionSslPolicies.list compute. compute. compute. compute. compute. compute. compute. compute. compute. compute. compute. compute.regionUrlMaps.get compute.regionUrlMaps.list compute. compute. compute.regionUrlMaps.validate compute.regions.* compute.reservations.get compute.reservations.list compute.resourcePolicies.get compute. compute.resourcePolicies.list compute.routers.get compute.routers.getRoutePolicy compute.routers.list compute.routers.listBgpRoutes compute. compute.routes.get compute.routes.list compute. compute.routes.listTagBindings compute.securityPolicies.get compute. compute.securityPolicies.list compute. compute. compute.serviceAttachments.get compute. compute. compute.snapshotSettings.get compute.snapshots.get compute.snapshots.getIamPolicy compute.snapshots.list compute. compute. compute.sslCertificates.get compute.sslCertificates.list compute. compute. 
compute.sslPolicies.get compute.sslPolicies.list compute. compute. compute. compute.storagePools.get compute. compute.storagePools.list compute.subnetworks.get compute. compute.subnetworks.list compute. compute. compute.targetGrpcProxies.get compute.targetGrpcProxies.list compute.targetHttpProxies.get compute.targetHttpProxies.list compute. compute. compute.targetHttpsProxies.get compute. compute. compute. compute.targetInstances.get compute.targetInstances.list compute. compute. compute.targetPools.get compute.targetPools.list compute. compute. compute.targetSslProxies.get compute.targetSslProxies.list compute. compute. compute.targetTcpProxies.get compute.targetTcpProxies.list compute. compute. compute.targetVpnGateways.get compute.targetVpnGateways.list compute.urlMaps.get compute.urlMaps.list compute. compute. compute.urlMaps.validate compute.vpnGateways.get compute.vpnGateways.list compute.vpnTunnels.get compute.vpnTunnels.list compute.zoneOperations.get compute. compute.zoneOperations.list compute.zones.* resourcemanager.projects.get resourcemanager.projects.list serviceusage.quotas.get serviceusage.services.get serviceusage.services.list |
Compute Shared VPC Admin( Permissions to administer shared VPC host projects, specifically enabling the host projects and associating shared VPC service projects to the host project's network. At the organization level, this role can only be granted by an organization admin.
Google Cloud recommends that the Shared VPC Admin be the owner of the shared VPC host project. The Shared VPC Admin is responsible for granting the Compute Network User role
( Lowest-level resources where you can grant this role:
|
compute.globalOperations.get compute.globalOperations.list compute. compute. compute. compute. compute. compute.projects.get compute. compute. resourcemanager. resourcemanager.projects.get resourcemanager. resourcemanager.projects.list |
GuestPolicy Admin Beta( Full admin access to GuestPolicies |
osconfig.guestPolicies.* resourcemanager.projects.get resourcemanager.projects.list |
GuestPolicy Editor Beta( Editor of GuestPolicy resources |
osconfig.guestPolicies.get osconfig.guestPolicies.list osconfig.guestPolicies.update resourcemanager.projects.get resourcemanager.projects.list |
GuestPolicy Viewer Beta( Viewer of GuestPolicy resources |
osconfig.guestPolicies.get osconfig.guestPolicies.list resourcemanager.projects.get resourcemanager.projects.list |
InstanceOSPoliciesCompliance Viewer Beta( Viewer of OS Policies Compliance of VM instances |
osconfig. resourcemanager.projects.get resourcemanager.projects.list |
OS Inventory Viewer( Viewer of OS Inventories |
osconfig.inventories.* resourcemanager.projects.get resourcemanager.projects.list |
OSPolicyAssignment Admin( Full admin access to OS Policy Assignments |
osconfig.osPolicyAssignments.* resourcemanager.projects.get resourcemanager.projects.list |
OSPolicyAssignment Editor( Editor of OS Policy Assignments |
osconfig. osconfig. osconfig. osconfig. resourcemanager.projects.get resourcemanager.projects.list |
OSPolicyAssignmentReport Viewer( Viewer of OS policy assignment reports for VM instances |
osconfig. resourcemanager.projects.get resourcemanager.projects.list |
OSPolicyAssignment Viewer( Viewer of OS Policy Assignments |
osconfig. osconfig. osconfig. resourcemanager.projects.get resourcemanager.projects.list |
PatchDeployment Admin( Full admin access to PatchDeployments |
osconfig.patchDeployments.* resourcemanager.projects.get resourcemanager.projects.list |
PatchDeployment Viewer( Viewer of PatchDeployment resources |
osconfig.patchDeployments.get osconfig.patchDeployments.list resourcemanager.projects.get resourcemanager.projects.list |
Patch Job Executor( Access to execute Patch Jobs. |
osconfig.patchJobs.* resourcemanager.projects.get resourcemanager.projects.list |
Patch Job Viewer( Get and list Patch Jobs. |
osconfig.patchJobs.get osconfig.patchJobs.list resourcemanager.projects.get resourcemanager.projects.list |
Upgrade Report Viewer Beta( Provides read-only access to VM Manager Upgrade Reports |
osconfig.upgradeReports.* resourcemanager.projects.get resourcemanager.projects.list |
OS VulnerabilityReport Viewer( Viewer of OS VulnerabilityReports |
osconfig. resourcemanager.projects.get resourcemanager.projects.list |
Container Analysis roles |
Permissions |
Container Analysis Admin( Access to all Container Analysis resources. |
containeranalysis. containeranalysis.notes.create containeranalysis.notes.delete containeranalysis.notes.get containeranalysis. containeranalysis.notes.list containeranalysis. containeranalysis.notes.update containeranalysis. resourcemanager.projects.get resourcemanager.projects.list |
Container Analysis Notes Attacher( Can attach Container Analysis Occurrences to Notes. |
containeranalysis. containeranalysis.notes.get |
Container Analysis Notes Editor( Can edit Container Analysis Notes. |
containeranalysis. containeranalysis.notes.create containeranalysis.notes.delete containeranalysis.notes.get containeranalysis.notes.list containeranalysis.notes.update resourcemanager.projects.get resourcemanager.projects.list |
Container Analysis Occurrences for Notes Viewer( Can view all Container Analysis Occurrences attached to a Note. |
containeranalysis.notes.get containeranalysis. |
Container Analysis Notes Viewer( Can view Container Analysis Notes. |
containeranalysis.notes.get containeranalysis.notes.list resourcemanager.projects.get resourcemanager.projects.list |
Container Analysis Occurrences Editor( Can edit Container Analysis Occurrences. |
containeranalysis. containeranalysis. containeranalysis. containeranalysis. containeranalysis. resourcemanager.projects.get resourcemanager.projects.list |
Container Analysis Occurrences Viewer( Can view Container Analysis Occurrences. |
containeranalysis. containeranalysis. resourcemanager.projects.get resourcemanager.projects.list |
Data Catalog roles |
Permissions |
Data Catalog Admin( Full access to all DataCatalog resources |
bigquery.connections.get bigquery.connections.updateTag bigquery.datasets.get bigquery.datasets.updateTag bigquery.models.getMetadata bigquery.models.updateTag bigquery.routines.get bigquery.routines.updateTag bigquery.tables.get bigquery.tables.updateTag datacatalog.catalogs.searchAll datacatalog. datacatalog. datacatalog.entries.* datacatalog.entryGroups.* datacatalog.operations.list datacatalog.relationships.* datacatalog.tagTemplates.* datacatalog.taxonomies.* pubsub.topics.get pubsub.topics.updateTag resourcemanager.projects.get resourcemanager.projects.list |
Policy Tag Admin( Manage taxonomies |
datacatalog. datacatalog. datacatalog.taxonomies.* resourcemanager.projects.get resourcemanager.projects.list |
Fine-Grained Reader( Read access to sub-resources tagged by a policy tag, for example, BigQuery columns |
datacatalog. |
DataCatalog Data Steward Beta( Can update overview and data steward fields |
datacatalog.entries.get datacatalog.entries.list datacatalog. datacatalog. datacatalog.entryGroups.get datacatalog.relationships.list resourcemanager.projects.get resourcemanager.projects.list |
DataCatalog EntryGroup Creator( Can create new entryGroups |
datacatalog.entryGroups.create datacatalog.entryGroups.get datacatalog.entryGroups.list resourcemanager.projects.get resourcemanager.projects.list |
DataCatalog EntryGroup Owner( Full access to entryGroups |
datacatalog.entries.* datacatalog.entryGroups.* resourcemanager.projects.get resourcemanager.projects.list |
DataCatalog Entry Owner( Full access to entries |
datacatalog.entries.* datacatalog.entryGroups.get resourcemanager.projects.get resourcemanager.projects.list |
DataCatalog Entry Viewer( Read access to entries |
datacatalog.entries.get datacatalog.entries.list datacatalog.entryGroups.get datacatalog.relationships.list resourcemanager.projects.get resourcemanager.projects.list |
DataCatalog Glossary Owner Beta( Full access to glossaries |
datacatalog.entries.* datacatalog.relationships.* |
DataCatalog Glossary User Beta( Can view glossaries and associate terms to entries |
datacatalog.entries.get datacatalog.entries.list datacatalog.relationships.* |
DataCatalog Search Admin Beta( Can search all metadata for a project/org in DataCatalog |
datacatalog.catalogs.searchAll resourcemanager. resourcemanager.projects.get resourcemanager.projects.list |
Data Catalog Tag Editor( Access to modify metadata tags for entries, as well as BigQuery and Pub/Sub data assets |
bigquery.connections.updateTag bigquery.datasets.updateTag bigquery.models.updateTag bigquery.routines.updateTag bigquery.tables.updateTag datacatalog.entries.updateTag datacatalog. pubsub.topics.updateTag |
Data Catalog TagTemplate Creator( Access to create new tag templates |
datacatalog. datacatalog.tagTemplates.get |
Data Catalog TagTemplate Owner( Full access to tag templates |
datacatalog.tagTemplates.* resourcemanager.projects.get resourcemanager.projects.list |
Data Catalog TagTemplate User( Access to apply a tag template to an entry (to modify tags, see Data Catalog Tag Editor) |
datacatalog.tagTemplates.get datacatalog. datacatalog.tagTemplates.use resourcemanager.projects.get resourcemanager.projects.list |
Data Catalog TagTemplate Viewer( Read access to templates and tags created using the templates |
datacatalog.tagTemplates.get datacatalog. resourcemanager.projects.get resourcemanager.projects.list |
Data Catalog Viewer( Provides metadata read access to catalogued Google Cloud assets for BigQuery and Pub/Sub |
bigquery.connections.get bigquery.datasets.get bigquery.models.getMetadata bigquery.routines.get bigquery.tables.get datacatalog.entries.get datacatalog.entries.list datacatalog.entryGroups.get datacatalog.entryGroups.list datacatalog.operations.list datacatalog.relationships.list datacatalog.tagTemplates.get datacatalog. datacatalog.taxonomies.get datacatalog.taxonomies.list pubsub.topics.get resourcemanager.projects.get resourcemanager.projects.list |
Data Connectors roles |
Permissions |
Connector Admin Beta( Full access to Data Connectors. |
dataconnectors.* resourcemanager.projects.get resourcemanager.projects.list |
Connector User Beta( Access to use Data Connectors. |
dataconnectors.connectors.get dataconnectors. dataconnectors.connectors.list dataconnectors.connectors.use |
Data Migration roles |
Permissions |
Database Migration Admin( Full access to all resources of Database Migration. |
cloudaicompanion. datamigration.* resourcemanager.projects.get resourcemanager.projects.list |
Data Pipelines roles |
Permissions |
Data pipelines Admin( Administrator of Data pipelines resources |
datapipelines.* resourcemanager.projects.get resourcemanager.projects.list |
Data pipelines Invoker( Invoker of Data pipelines jobs |
datapipelines.pipelines.run resourcemanager.projects.get resourcemanager.projects.list |
Data pipelines Viewer( Viewer of Data pipelines resources |
datapipelines.jobs.list datapipelines.pipelines.get datapipelines.pipelines.list resourcemanager.projects.get resourcemanager.projects.list |
Data Studio roles |
Permissions |
Data Studio Admin Beta( Data Studio Admin |
datastudio.* resourcemanager.projects.get resourcemanager.projects.list |
Data Studio Workspace Content Manager Beta( Content Manager of a Data Studio resource |
datastudio.datasources.get datastudio. datastudio.datasources.move datastudio. datastudio.datasources.search datastudio. datastudio.datasources.share datastudio.datasources.trash datastudio.datasources.update datastudio.reports.get datastudio. datastudio.reports.move datastudio. datastudio.reports.search datastudio. datastudio.reports.share datastudio.reports.trash datastudio.reports.update datastudio. datastudio.workspaces.get datastudio. datastudio.workspaces.moveIn datastudio.workspaces.search resourcemanager.projects.get resourcemanager. |
Data Studio Workspace Contributor Beta( Contributor of a Data Studio resource |
datastudio.datasources.get datastudio. datastudio. datastudio.datasources.search datastudio. datastudio.datasources.share datastudio.datasources.update datastudio.reports.get datastudio. datastudio. datastudio.reports.search datastudio. datastudio.reports.share datastudio.reports.update datastudio. datastudio.workspaces.get datastudio. datastudio.workspaces.moveIn datastudio.workspaces.search resourcemanager.projects.get resourcemanager. |
Data Studio Asset Editor Beta( Editor of a Data Studio resource |
datastudio.datasources.get datastudio. datastudio.datasources.search datastudio.datasources.update datastudio.reports.get datastudio. datastudio.reports.search datastudio.reports.update resourcemanager.projects.get resourcemanager. |
Data Studio Workspace Manager Beta( Manager of a Data Studio resource |
datastudio.* resourcemanager.projects.get resourcemanager. |
Data Studio Asset Viewer Beta( Viewer of a Data Studio resource |
datastudio.datasources.get datastudio.datasources.search datastudio.reports.get datastudio.reports.search resourcemanager.projects.get |
Looker Studio Pro Manager Beta( Looker Studio Pro Manager |
lookerstudio.pro.manage resourcemanager.projects.get resourcemanager.projects.list resourcemanager. |
Dataflow roles |
Permissions |
Dataflow Admin( Minimal role for creating and managing Dataflow jobs. |
cloudbuild.builds.create cloudbuild.builds.get cloudbuild.builds.list cloudbuild.builds.update cloudbuild.operations.* compute.machineTypes.get compute.projects.get compute.regions.list compute.zones.list dataflow.jobs.* dataflow.messages.list dataflow.metrics.get dataflow.snapshots.* recommender. remotebuildexecution.blobs.get resourcemanager.projects.get resourcemanager.projects.list storage.buckets.get storage.objects.create storage.objects.get storage.objects.list |
Dataflow Developer( Provides the permissions necessary to execute and manipulate Dataflow jobs. Lowest-level resources where you can grant this role:
|
cloudbuild.builds.create cloudbuild.builds.get cloudbuild.builds.list cloudbuild.builds.update cloudbuild.operations.* compute.projects.get compute.regions.list compute.zones.list dataflow.jobs.* dataflow.messages.list dataflow.metrics.get dataflow.snapshots.* recommender. remotebuildexecution.blobs.get resourcemanager.projects.get resourcemanager.projects.list |
Dataflow Viewer( Provides read-only access to all Dataflow-related resources. Lowest-level resources where you can grant this role:
|
dataflow.jobs.get dataflow.jobs.list dataflow.messages.list dataflow.metrics.get dataflow.snapshots.get dataflow.snapshots.list recommender. recommender. resourcemanager.projects.get resourcemanager.projects.list |
Dataflow Worker( Provides the permissions necessary for a Compute Engine service account to execute work units for a Dataflow pipeline. Lowest-level resources where you can grant this role:
|
autoscaling. autoscaling.sites.writeMetrics autoscaling.sites.writeState compute. compute.instances.delete compute. dataflow.jobs.get dataflow.shuffle.* dataflow.streamingWorkItems.* dataflow.workItems.* logging.logEntries.create logging.logEntries.route monitoring.timeSeries.create storage.buckets.get storage.objects.create storage.objects.get |
Dataform roles |
Permissions |
Dataform Admin( Full access to all Dataform resources. |
dataform.* resourcemanager.projects.get resourcemanager.projects.list |
Code Creator Beta( Access only to private and shared code resources. The permissions in the Code Creator role let you create and list code in Dataform, and access only the code that you created and code that was explicitly shared with you. |
dataform.locations.* dataform.repositories.create dataform.repositories.list resourcemanager.projects.get resourcemanager.projects.list |
Code Editor Beta( Edit access to code resources. |
dataform.locations.* dataform.repositories.commit dataform. dataform.repositories.create dataform. dataform. dataform.repositories.get dataform. dataform.repositories.list dataform. dataform.repositories.readFile dataform.workspaces.commit dataform.workspaces.create dataform.workspaces.delete dataform. dataform. dataform. dataform.workspaces.get dataform. dataform. dataform.workspaces.list dataform. dataform. dataform.workspaces.moveFile dataform.workspaces.pull dataform.workspaces.push dataform. dataform.workspaces.readFile dataform. dataform.workspaces.removeFile dataform.workspaces.reset dataform. dataform.workspaces.writeFile resourcemanager.projects.get resourcemanager.projects.list |
Code Owner Beta( Full access to code resources. |
dataform.locations.* dataform.repositories.* dataform.workspaces.* resourcemanager.projects.get resourcemanager.projects.list |
Code Viewer Beta( Read-only access to all code resources. |
dataform.locations.* dataform. dataform. dataform. dataform.repositories.get dataform. dataform.repositories.list dataform. dataform.repositories.readFile dataform. dataform. dataform. dataform.workspaces.get dataform. dataform.workspaces.list dataform. dataform.workspaces.readFile dataform. resourcemanager.projects.get resourcemanager.projects.list |
Dataform Editor( Edit access to Workspaces and Read-only access to Repositories. |
dataform.compilationResults.* dataform.locations.* dataform.releaseConfigs.get dataform.releaseConfigs.list dataform. dataform. dataform. dataform.repositories.get dataform. dataform.repositories.list dataform. dataform.repositories.readFile dataform.workflowConfigs.get dataform.workflowConfigs.list dataform.workflowInvocations.* dataform.workspaces.commit dataform.workspaces.create dataform.workspaces.delete dataform. dataform. dataform. dataform.workspaces.get dataform. dataform. dataform.workspaces.list dataform. dataform. dataform.workspaces.moveFile dataform.workspaces.pull dataform.workspaces.push dataform. dataform.workspaces.readFile dataform. dataform.workspaces.removeFile dataform.workspaces.reset dataform. dataform.workspaces.writeFile resourcemanager.projects.get resourcemanager.projects.list |
Dataform Viewer( Read-only access to all Dataform resources. |
dataform. dataform. dataform. dataform.locations.* dataform.releaseConfigs.get dataform.releaseConfigs.list dataform. dataform. dataform. dataform.repositories.get dataform. dataform.repositories.list dataform. dataform.repositories.readFile dataform.workflowConfigs.get dataform.workflowConfigs.list dataform. dataform. dataform. dataform. dataform. dataform. dataform.workspaces.get dataform. dataform.workspaces.list dataform. dataform.workspaces.readFile dataform. resourcemanager.projects.get resourcemanager.projects.list |
Dataprep roles |
Permissions |
Dataprep User Beta( Use of Dataprep. |
dataprep.projects.use resourcemanager.projects.get serviceusage.quotas.get serviceusage.services.get serviceusage.services.list |
Dataproc roles |
Permissions |
Dataproc Administrator( Full control of Dataproc resources. |
compute.machineTypes.* compute.networks.get compute.networks.list compute.projects.get compute.regions.* compute.zones.* dataproc.autoscalingPolicies.* dataproc.batches.* dataproc.clusters.* dataproc.jobs.* dataproc.nodeGroups.* dataproc.operations.* dataproc.sessionTemplates.* dataproc.sessions.* dataproc.workflowTemplates.* resourcemanager.projects.get resourcemanager.projects.list |
Dataproc Editor( Provides the permissions necessary for viewing the resources required to manage Dataproc, including machine types, networks, projects, and zones. Lowest-level resources where you can grant this role:
|
compute.machineTypes.* compute.networks.get compute.networks.list compute.projects.get compute.regions.* compute.zones.* dataproc. dataproc. dataproc. dataproc. dataproc. dataproc. dataproc.batches.* dataproc.clusters.create dataproc.clusters.delete dataproc.clusters.get dataproc.clusters.list dataproc.clusters.start dataproc.clusters.stop dataproc.clusters.update dataproc.clusters.use dataproc.jobs.cancel dataproc.jobs.create dataproc.jobs.delete dataproc.jobs.get dataproc.jobs.list dataproc.jobs.update dataproc.nodeGroups.* dataproc.operations.cancel dataproc.operations.delete dataproc.operations.get dataproc.operations.list dataproc.sessionTemplates.* dataproc.sessions.* dataproc. dataproc. dataproc.workflowTemplates.get dataproc. dataproc. dataproc. dataproc. resourcemanager.projects.get resourcemanager.projects.list |
Dataproc Hub Agent( Allows management of Dataproc resources. Intended for service accounts running Dataproc Hub instances. |
compute.instances.get compute.instances.setMetadata compute.instances.setTags compute.zoneOperations.get compute.zones.list dataproc. dataproc. dataproc. dataproc.clusters.create dataproc.clusters.delete dataproc.clusters.get dataproc.clusters.list dataproc.clusters.update dataproc.operations.cancel dataproc.operations.delete dataproc.operations.get dataproc.operations.list iam.serviceAccounts.actAs iam.serviceAccounts.get iam.serviceAccounts.list logging.buckets.get logging.buckets.list logging.exclusions.get logging.exclusions.list logging.links.get logging.links.list logging.locations.* logging.logEntries.create logging.logEntries.list logging.logEntries.route logging.logMetrics.get logging.logMetrics.list logging.logServiceIndexes.list logging.logServices.list logging.logs.list logging.operations.get logging.operations.list logging.queries.create logging.queries.delete logging.queries.get logging.queries.list logging.queries.listShared logging.queries.update logging.sinks.get logging.sinks.list logging.usage.get logging.views.get logging.views.list resourcemanager.projects.get resourcemanager.projects.list storage.buckets.get storage.objects.get storage.objects.list |
Dataproc Viewer( Provides read-only access to Dataproc resources. Lowest-level resources where you can grant this role:
|
compute.machineTypes.get compute.regions.* compute.zones.* dataproc. dataproc. dataproc.batches.get dataproc.batches.list dataproc.clusters.get dataproc.clusters.list dataproc.jobs.get dataproc.jobs.list dataproc.nodeGroups.get dataproc.operations.get dataproc.operations.list dataproc.sessionTemplates.get dataproc.sessionTemplates.list dataproc.sessions.get dataproc.sessions.list dataproc.workflowTemplates.get dataproc. resourcemanager.projects.get resourcemanager.projects.list |
Dataproc Worker( Provides worker access to Dataproc resources. Intended for service accounts. |
dataproc.agents.* dataproc.tasks.* logging.logEntries.create logging.logEntries.route monitoring. monitoring. monitoring. monitoring. monitoring.timeSeries.create storage.buckets.get storage.managedFolders.create storage.managedFolders.delete storage.managedFolders.get storage.managedFolders.list storage.multipartUploads.* storage.objects.* |
Dataproc Metastore roles |
Permissions |
Dataproc Metastore Admin( Full access to all Dataproc Metastore resources. |
metastore.backups.* metastore.federations.* metastore.imports.* metastore.locations.* metastore.migrations.* metastore.operations.* metastore.services.create metastore.services.delete metastore.services.export metastore.services.get metastore. metastore.services.list metastore.services.restore metastore. metastore.services.update resourcemanager.projects.get resourcemanager.projects.list |
Dataproc Metastore Editor( Read and write access to all Dataproc Metastore resources. |
metastore.backups.create metastore.backups.delete metastore.backups.get metastore.backups.list metastore.backups.use metastore.federations.create metastore.federations.delete metastore.federations.get metastore.federations.list metastore.federations.update metastore.imports.* metastore.locations.* metastore.migrations.* metastore.operations.* metastore.services.create metastore.services.delete metastore.services.export metastore.services.get metastore. metastore.services.list metastore.services.restore metastore.services.update resourcemanager.projects.get resourcemanager.projects.list |
Metastore Federation Accessor( Access to the Metastore Federation resource. |
metastore.federations.use |
Dataproc Metastore Metadata Editor( Access to read and modify the metadata of databases and tables under those databases. |
metastore.databases.create metastore.databases.delete metastore.databases.get metastore. metastore.databases.list metastore.databases.update metastore.services.get metastore.services.use metastore.tables.create metastore.tables.delete metastore.tables.get metastore.tables.getIamPolicy metastore.tables.list metastore.tables.update |
Dataproc Metastore Metadata Mutate Admin( Access to mutate metadata from a Dataproc Metastore service's underlying metadata store. |
metastore. |
Dataproc Metastore Metadata Operator( Read-only access to Dataproc Metastore resources with additional metadata operations permission. |
metastore.backups.create metastore.backups.delete metastore.backups.get metastore.backups.list metastore.backups.use metastore.imports.* metastore.locations.* metastore.operations.get metastore.operations.list metastore.services.export metastore.services.get metastore. metastore.services.list metastore.services.restore resourcemanager.projects.get resourcemanager.projects.list |
Dataproc Metastore Data Owner( Full access to the metadata of databases and tables under those databases. |
metastore.databases.* metastore.services.get metastore. metastore.services.list metastore.services.use metastore.tables.* |
Dataproc Metastore Metadata Query Admin( Access to query metadata from a Dataproc Metastore service's underlying metadata store. |
metastore. |
Dataproc Metastore Metadata User( Access to the Dataproc Metastore gRPC endpoint |
metastore.databases.get metastore.databases.list metastore.services.get metastore.services.use |
Dataproc Metastore Metadata Viewer( Access to read the metadata of databases and tables under those databases |
metastore.databases.get metastore. metastore.databases.list metastore.services.get metastore.services.use metastore.tables.get metastore.tables.getIamPolicy metastore.tables.list |
Dataproc Metastore Viewer( Read-only access to all Dataproc Metastore resources. |
metastore.backups.get metastore.backups.list metastore.federations.get metastore. metastore.federations.list metastore.imports.get metastore.imports.list metastore.locations.* metastore.operations.get metastore.operations.list metastore.services.export metastore.services.get metastore. metastore.services.list resourcemanager.projects.get resourcemanager.projects.list |
Datastore roles |
Permissions |
Cloud Datastore Backup Schedules Admin( Manage backup schedules in Cloud Datastore. |
datastore.backupSchedules.* datastore. datastore.databases.list |
Cloud Datastore Backup Schedules Viewer( Read access to backup schedules in Cloud Datastore. |
datastore.backupSchedules.get datastore.backupSchedules.list |
Cloud Datastore Backups Admin( Read/write access to metadata about backups in Cloud Datastore; restore is not allowed. |
datastore.backups.delete datastore.backups.get datastore.backups.list |
Cloud Datastore Backups Viewer( Read access to metadata about backups in Cloud Datastore. |
datastore.backups.get datastore.backups.list |
Cloud Datastore Import Export Admin( Provides full access to manage imports and exports. Lowest-level resources where you can grant this role:
|
appengine.applications.get datastore.databases.export datastore. datastore.databases.import datastore.operations.cancel datastore.operations.get datastore.operations.list resourcemanager.projects.get resourcemanager.projects.list |
Cloud Datastore Index Admin( Provides full access to manage index definitions. Lowest-level resources where you can grant this role:
|
appengine.applications.get datastore. datastore.indexes.* resourcemanager.projects.get resourcemanager.projects.list |
Cloud Datastore Key Visualizer Viewer( Full access to Key Visualizer scans. |
datastore. datastore.keyVisualizerScans.* resourcemanager.projects.get resourcemanager.projects.list |
Cloud Datastore Owner( Provides full access to Datastore resources. Lowest-level resources where you can grant this role:
|
appengine.applications.get datastore.* resourcemanager.projects.get resourcemanager.projects.list |
Cloud Datastore Restore Admin( Restore into Cloud Datastore Databases from Cloud Datastore Backups. |
datastore.backups.get datastore.backups.list datastore. datastore.databases.create datastore. datastore.databases.list datastore.operations.get datastore.operations.list |
Cloud Datastore User( Provides read/write access to data in a Datastore database. Lowest-level resources where you can grant this role:
|
appengine.applications.get datastore.databases.get datastore. datastore.databases.list datastore.entities.* datastore.indexes.list datastore.namespaces.* datastore.statistics.* resourcemanager.projects.get resourcemanager.projects.list |
Cloud Datastore Viewer( Provides read access to Datastore resources. Lowest-level resources where you can grant this role:
|
appengine.applications.get datastore.databases.get datastore. datastore.databases.list datastore.entities.get datastore.entities.list datastore.indexes.get datastore.indexes.list datastore.namespaces.* datastore.statistics.* resourcemanager.projects.get resourcemanager.projects.list |
DataStream roles |
Permissions |
Datastream Admin( Full access to all Datastream resources. |
datastream.* resourcemanager.projects.get resourcemanager.projects.list |
Datastream Viewer( Read-only access to all Datastream resources. |
datastream. datastream. datastream. datastream. datastream. datastream. datastream. datastream. datastream. datastream.locations.* datastream.objects.get datastream.objects.list datastream.operations.get datastream.operations.list datastream. datastream. datastream. datastream. datastream. datastream.routes.get datastream.routes.getIamPolicy datastream.routes.list datastream.streams.fetchErrors datastream.streams.get datastream. datastream.streams.list datastream. datastream. resourcemanager.projects.get resourcemanager.projects.list |
Deployment Manager roles |
Permissions |
Deployment Manager Editor( Provides the permissions necessary to create and manage deployments. Lowest-level resources where you can grant this role:
|
deploymentmanager. deploymentmanager. deploymentmanager. deploymentmanager. deploymentmanager. deploymentmanager. deploymentmanager. deploymentmanager. deploymentmanager.manifests.* deploymentmanager.operations.* deploymentmanager.resources.* deploymentmanager. deploymentmanager.types.* resourcemanager.projects.get resourcemanager.projects.list serviceusage.quotas.get serviceusage.services.get serviceusage.services.list |
Deployment Manager Type Editor( Provides read and write access to all Type Registry resources. Lowest-level resources where you can grant this role:
|
deploymentmanager. deploymentmanager. deploymentmanager. deploymentmanager.types.* resourcemanager.projects.get resourcemanager.projects.list serviceusage.quotas.get serviceusage.services.get |
Deployment Manager Type Viewer( Provides read-only access to all Type Registry resources. Lowest-level resources where you can grant this role:
|
deploymentmanager. deploymentmanager. deploymentmanager. deploymentmanager. deploymentmanager. deploymentmanager. deploymentmanager.types.get deploymentmanager.types.list resourcemanager.projects.get resourcemanager.projects.list serviceusage.quotas.get serviceusage.services.get |
Deployment Manager Viewer( Provides read-only access to all Deployment Manager-related resources. Lowest-level resources where you can grant this role:
|
deploymentmanager. deploymentmanager. deploymentmanager. deploymentmanager. deploymentmanager.manifests.* deploymentmanager.operations.* deploymentmanager.resources.* deploymentmanager. deploymentmanager. deploymentmanager. deploymentmanager. deploymentmanager.types.get deploymentmanager.types.list resourcemanager.projects.get resourcemanager.projects.list serviceusage.quotas.get serviceusage.services.get serviceusage.services.list |
Dialogflow roles |
Permissions |
CX Premium Admin( An admin has access to all resources and can perform all administrative actions in an AAM project. |
dialogflow.agents.export dialogflow.agents.get dialogflow.agents.list dialogflow.agents.search dialogflow. dialogflow.answerrecords.get dialogflow.answerrecords.list dialogflow.callMatchers.list dialogflow.changelogs.* dialogflow.contexts.get dialogflow.contexts.list dialogflow. dialogflow. dialogflow. dialogflow. dialogflow. dialogflow. dialogflow.conversations.get dialogflow.conversations.list dialogflow.deployments.* dialogflow.documents.get dialogflow.documents.list dialogflow.encryptionspec.get dialogflow.entityTypes.get dialogflow.entityTypes.list dialogflow.environments.get dialogflow.environments.list dialogflow.examples.get dialogflow.examples.list dialogflow.experiments.get dialogflow.experiments.list dialogflow.flows.get dialogflow.flows.list dialogflow.fulfillments.get dialogflow.generators.get dialogflow.generators.list dialogflow.integrations.get dialogflow.integrations.list dialogflow.intents.get dialogflow.intents.list dialogflow.knowledgeBases.get dialogflow.knowledgeBases.list dialogflow.messages.list dialogflow.modelEvaluations.* dialogflow.operations.get dialogflow.pages.get dialogflow.pages.list dialogflow.participants.get dialogflow.participants.list dialogflow. dialogflow. dialogflow.phoneNumbers.list dialogflow.playbooks.get dialogflow.playbooks.list dialogflow. dialogflow. dialogflow. dialogflow. dialogflow. dialogflow. dialogflow.testcases.get dialogflow.testcases.list dialogflow.tools.get dialogflow.tools.list dialogflow. dialogflow. dialogflow.versions.get dialogflow.versions.list dialogflow.webhooks.get dialogflow.webhooks.list resourcemanager.projects.get resourcemanager.projects.list |
CX Premium Conversational Architect( A Conversational Architect can label conversational data, approve taxonomy changes and design virtual agents for a customer's use cases. |
dialogflow.agents.export dialogflow.agents.get dialogflow.agents.list dialogflow.agents.search dialogflow. dialogflow.answerrecords.get dialogflow.answerrecords.list dialogflow.callMatchers.list dialogflow.changelogs.* dialogflow.contexts.get dialogflow.contexts.list dialogflow. dialogflow. dialogflow. dialogflow. dialogflow. dialogflow. dialogflow.conversations.get dialogflow.conversations.list dialogflow.deployments.* dialogflow.documents.get dialogflow.documents.list dialogflow.encryptionspec.get dialogflow.entityTypes.get dialogflow.entityTypes.list dialogflow.environments.get dialogflow.environments.list dialogflow.examples.get dialogflow.examples.list dialogflow.experiments.get dialogflow.experiments.list dialogflow.flows.get dialogflow.flows.list dialogflow.fulfillments.get dialogflow.generators.get dialogflow.generators.list dialogflow.integrations.get dialogflow.integrations.list dialogflow.intents.get dialogflow.intents.list dialogflow.knowledgeBases.get dialogflow.knowledgeBases.list dialogflow.messages.list dialogflow.modelEvaluations.* dialogflow.operations.get dialogflow.pages.get dialogflow.pages.list dialogflow.participants.get dialogflow.participants.list dialogflow. dialogflow. dialogflow.phoneNumbers.list dialogflow.playbooks.get dialogflow.playbooks.list dialogflow. dialogflow. dialogflow. dialogflow. dialogflow. dialogflow. dialogflow.testcases.get dialogflow.testcases.list dialogflow.tools.get dialogflow.tools.list dialogflow. dialogflow. dialogflow.versions.get dialogflow.versions.list dialogflow.webhooks.get dialogflow.webhooks.list resourcemanager.projects.get resourcemanager.projects.list |
CX Premium Dialog Designer( A Dialog Designer can label conversational data and propose taxonomy changes for virtual agent modeling. |
dialogflow.agents.export dialogflow.agents.get dialogflow.agents.list dialogflow.agents.search dialogflow. dialogflow.answerrecords.get dialogflow.answerrecords.list dialogflow.callMatchers.list dialogflow.changelogs.* dialogflow.contexts.get dialogflow.contexts.list dialogflow. dialogflow. dialogflow. dialogflow. dialogflow. dialogflow. dialogflow.conversations.get dialogflow.conversations.list dialogflow.deployments.* dialogflow.documents.get dialogflow.documents.list dialogflow.encryptionspec.get dialogflow.entityTypes.get dialogflow.entityTypes.list dialogflow.environments.get dialogflow.environments.list dialogflow.examples.get dialogflow.examples.list dialogflow.experiments.get dialogflow.experiments.list dialogflow.flows.get dialogflow.flows.list dialogflow.fulfillments.get dialogflow.generators.get dialogflow.generators.list dialogflow.integrations.get dialogflow.integrations.list dialogflow.intents.get dialogflow.intents.list dialogflow.knowledgeBases.get dialogflow.knowledgeBases.list dialogflow.messages.list dialogflow.modelEvaluations.* dialogflow.operations.get dialogflow.pages.get dialogflow.pages.list dialogflow.participants.get dialogflow.participants.list dialogflow. dialogflow. dialogflow.phoneNumbers.list dialogflow.playbooks.get dialogflow.playbooks.list dialogflow. dialogflow. dialogflow. dialogflow. dialogflow. dialogflow. dialogflow.testcases.get dialogflow.testcases.list dialogflow.tools.get dialogflow.tools.list dialogflow. dialogflow. dialogflow.versions.get dialogflow.versions.list dialogflow.webhooks.get dialogflow.webhooks.list resourcemanager.projects.get resourcemanager.projects.list |
CX Premium Lead Dialog Designer( A Dialog Designer Lead can label conversational data and approve taxonomy changes for virtual agent modeling. |
dialogflow.agents.export dialogflow.agents.get dialogflow.agents.list dialogflow.agents.search dialogflow. dialogflow.answerrecords.get dialogflow.answerrecords.list dialogflow.callMatchers.list dialogflow.changelogs.* dialogflow.contexts.get dialogflow.contexts.list dialogflow. dialogflow. dialogflow. dialogflow. dialogflow. dialogflow. dialogflow.conversations.get dialogflow.conversations.list dialogflow.deployments.* dialogflow.documents.get dialogflow.documents.list dialogflow.encryptionspec.get dialogflow.entityTypes.get dialogflow.entityTypes.list dialogflow.environments.get dialogflow.environments.list dialogflow.examples.get dialogflow.examples.list dialogflow.experiments.get dialogflow.experiments.list dialogflow.flows.get dialogflow.flows.list dialogflow.fulfillments.get dialogflow.generators.get dialogflow.generators.list dialogflow.integrations.get dialogflow.integrations.list dialogflow.intents.get dialogflow.intents.list dialogflow.knowledgeBases.get dialogflow.knowledgeBases.list dialogflow.messages.list dialogflow.modelEvaluations.* dialogflow.operations.get dialogflow.pages.get dialogflow.pages.list dialogflow.participants.get dialogflow.participants.list dialogflow. dialogflow. dialogflow.phoneNumbers.list dialogflow.playbooks.get dialogflow.playbooks.list dialogflow. dialogflow. dialogflow. dialogflow. dialogflow. dialogflow. dialogflow.testcases.get dialogflow.testcases.list dialogflow.tools.get dialogflow.tools.list dialogflow. dialogflow. dialogflow.versions.get dialogflow.versions.list dialogflow.webhooks.get dialogflow.webhooks.list resourcemanager.projects.get resourcemanager.projects.list |
CX Premium Viewer( A user can view the taxonomy and data reports in an AAM project. |
dialogflow.agents.export dialogflow.agents.get dialogflow.agents.list dialogflow.agents.search dialogflow. dialogflow.answerrecords.get dialogflow.answerrecords.list dialogflow.callMatchers.list dialogflow.changelogs.* dialogflow.contexts.get dialogflow.contexts.list dialogflow. dialogflow. dialogflow. dialogflow. dialogflow. dialogflow. dialogflow.conversations.get dialogflow.conversations.list dialogflow.deployments.* dialogflow.documents.get dialogflow.documents.list dialogflow.encryptionspec.get dialogflow.entityTypes.get dialogflow.entityTypes.list dialogflow.environments.get dialogflow.environments.list dialogflow.examples.get dialogflow.examples.list dialogflow.experiments.get dialogflow.experiments.list dialogflow.flows.get dialogflow.flows.list dialogflow.fulfillments.get dialogflow.generators.get dialogflow.generators.list dialogflow.integrations.get dialogflow.integrations.list dialogflow.intents.get dialogflow.intents.list dialogflow.knowledgeBases.get dialogflow.knowledgeBases.list dialogflow.messages.list dialogflow.modelEvaluations.* dialogflow.operations.get dialogflow.pages.get dialogflow.pages.list dialogflow.participants.get dialogflow.participants.list dialogflow. dialogflow. dialogflow.phoneNumbers.list dialogflow.playbooks.get dialogflow.playbooks.list dialogflow. dialogflow. dialogflow. dialogflow. dialogflow. dialogflow. dialogflow.testcases.get dialogflow.testcases.list dialogflow.tools.get dialogflow.tools.list dialogflow. dialogflow. dialogflow.versions.get dialogflow.versions.list dialogflow.webhooks.get dialogflow.webhooks.list resourcemanager.projects.get resourcemanager.projects.list |
Dialogflow API Admin( Grant to Dialogflow API admins that need full access to Dialogflow-specific resources. Also see Dialogflow access control. Lowest-level resources where you can grant this role:
|
dialogflow.* resourcemanager.projects.get |
Dialogflow Agent Assist Client( Can create and handle live conversations using Agent Assist features. |
dialogflow.answerrecords.* dialogflow. dialogflow. dialogflow. dialogflow. dialogflow.conversations.* dialogflow.documents.get dialogflow.documents.list dialogflow.generators.get dialogflow.knowledgeBases.get dialogflow.knowledgeBases.list dialogflow.messages.list dialogflow.participants.* dialogflow. |
Dialogflow API Client( Grant to Dialogflow API clients that perform Dialogflow-specific edits and detect intent calls using the API. Also see Dialogflow access control. Lowest-level resources where you can grant this role:
|
dialogflow.contexts.* dialogflow.conversations.* dialogflow. dialogflow.messages.list dialogflow.participants.* dialogflow. dialogflow.sessions.* |
Dialogflow Console Agent Editor( Grant to Dialogflow Console editors that edit existing agents. Also see Dialogflow access control. Lowest-level resources where you can grant this role:
|
actions.agentVersions.create dialogflow.* resourcemanager.projects.get |
Dialogflow Console Simulator User( Can query Dialogflow suggestions in the simulator in the web console. |
dialogflow. dialogflow. dialogflow. dialogflow. dialogflow.conversations.* dialogflow.documents.get dialogflow.documents.list dialogflow.knowledgeBases.get dialogflow.knowledgeBases.list dialogflow.participants.* dialogflow. resourcemanager.projects.get resourcemanager.projects.list |
Dialogflow Console Smart Messaging Allowlist Editor( Can edit the allowlist for smart messaging associated with a conversation model in the Agent Assist console. |
dialogflow. dialogflow. dialogflow. dialogflow. dialogflow. dialogflow.documents.get dialogflow.documents.list dialogflow.operations.get dialogflow. resourcemanager.projects.get resourcemanager.projects.list |
Dialogflow Conversation Manager( Can manage all the resources related to Dialogflow Conversations. |
dialogflow. dialogflow.conversations.* dialogflow.participants.* |
Dialogflow Entity Type Admin( Can read & write entity types. |
dialogflow.entityTypes.* |
Dialogflow Environment editor( Can read & update environment and its sub-resources. |
dialogflow.deployments.* dialogflow.environments.get dialogflow. dialogflow.environments.list dialogflow. dialogflow. dialogflow.environments.update dialogflow.experiments.* |
Dialogflow Flow editor( Can read & update flow and its sub-resources. |
dialogflow.flows.get dialogflow.flows.list dialogflow.flows.train dialogflow.flows.update dialogflow.flows.validate dialogflow.pages.* dialogflow. dialogflow.versions.* |
Dialogflow Integration Manager( Can add, remove, enable and disable Dialogflow integrations. |
dialogflow.integrations.* |
Dialogflow Intent Admin( Can read & write intents. |
dialogflow.intents.* |
Dialogflow API Reader( Grant to Dialogflow API clients that perform Dialogflow-specific read-only calls using the API. Also see Dialogflow access control. Lowest-level resources where you can grant this role:
|
dialogflow.agents.export dialogflow.agents.get dialogflow.agents.list dialogflow.agents.search dialogflow. dialogflow.answerrecords.get dialogflow.answerrecords.list dialogflow.callMatchers.list dialogflow.changelogs.* dialogflow.contexts.get dialogflow.contexts.list dialogflow. dialogflow. dialogflow. dialogflow. dialogflow. dialogflow. dialogflow.conversations.get dialogflow.conversations.list dialogflow.deployments.* dialogflow.documents.get dialogflow.documents.list dialogflow.encryptionspec.get dialogflow.entityTypes.get dialogflow.entityTypes.list dialogflow.environments.get dialogflow.environments.list dialogflow.examples.get dialogflow.examples.list dialogflow.experiments.get dialogflow.experiments.list dialogflow.flows.get dialogflow.flows.list dialogflow.fulfillments.get dialogflow.generators.get dialogflow.generators.list dialogflow.integrations.get dialogflow.integrations.list dialogflow.intents.get dialogflow.intents.list dialogflow.knowledgeBases.get dialogflow.knowledgeBases.list dialogflow.messages.list dialogflow.modelEvaluations.* dialogflow.operations.get dialogflow.pages.get dialogflow.pages.list dialogflow.participants.get dialogflow.participants.list dialogflow. dialogflow. dialogflow.phoneNumbers.list dialogflow.playbooks.get dialogflow.playbooks.list dialogflow. dialogflow. dialogflow. dialogflow. dialogflow. dialogflow. dialogflow.testcases.get dialogflow.testcases.list dialogflow.tools.get dialogflow.tools.list dialogflow. dialogflow. dialogflow.versions.get dialogflow.versions.list dialogflow.webhooks.get dialogflow.webhooks.list resourcemanager.projects.get |
Dialogflow Test Case Admin( Can read & write test cases. |
dialogflow.testcases.* |
Dialogflow Webhook Admin( Can read & write webhooks. |
dialogflow.webhooks.* |
DNS roles |
Permissions |
DNS Administrator( Provides read-write access to all Cloud DNS resources. Lowest-level resources where you can grant this role:
|
compute.networks.get compute.networks.list dns.changes.* dns.dnsKeys.* dns.gkeClusters.* dns.managedZoneOperations.* dns.managedZones.create dns.managedZones.delete dns.managedZones.get dns.managedZones.getIamPolicy dns.managedZones.list dns.managedZones.update dns.networks.* dns.policies.create dns.policies.delete dns.policies.get dns.policies.getIamPolicy dns.policies.list dns.policies.update dns.projects.get dns.resourceRecordSets.* dns.responsePolicies.* dns.responsePolicyRules.* resourcemanager.projects.get resourcemanager.projects.list |
DNS Peer( Access to target networks with DNS peering zones |
dns. |
DNS Reader( Provides read-only access to all Cloud DNS resources. Lowest-level resources where you can grant this role:
|
compute.networks.get dns.changes.get dns.changes.list dns.dnsKeys.* dns.managedZoneOperations.* dns.managedZones.get dns.managedZones.list dns.policies.get dns.policies.list dns.projects.get dns.resourceRecordSets.get dns.resourceRecordSets.list dns.responsePolicies.get dns.responsePolicies.list dns.responsePolicyRules.get dns.responsePolicyRules.list resourcemanager.projects.get resourcemanager.projects.list |
Document AI roles |
Permissions |
Document AI Administrator Beta( Grants full access to all resources in Document AI |
documentai.* resourcemanager.projects.get resourcemanager.projects.list |
Document AI API User Beta( Grants access to process documents in Document AI |
documentai. documentai. documentai. documentai. documentai. documentai. |
Document AI Editor Beta( Grants access to use all resources in Document AI |
documentai.* resourcemanager.projects.get resourcemanager.projects.list |
Document AI Viewer Beta( Grants access to view all resources and process documents in Document AI |
documentai. documentai.datasetSchemas.get documentai.datasets.get documentai. documentai. documentai. documentai.evaluations.get documentai.evaluations.list documentai. documentai. documentai.labelerPools.get documentai.labelerPools.list documentai.locations.* documentai. documentai. documentai.processorTypes.* documentai. documentai. documentai. documentai. documentai. documentai.processors.get documentai.processors.list documentai. documentai. resourcemanager.projects.get resourcemanager.projects.list |
Earth Engine roles |
Permissions |
Earth Engine Resource Admin Beta( Full access to all Earth Engine resource features |
earthengine.* resourcemanager.projects.get resourcemanager.projects.list |
Earth Engine Apps Publisher Beta( Publisher of Earth Engine Apps |
iam.serviceAccounts.create iam.serviceAccounts.disable iam.serviceAccounts.enable iam.serviceAccounts.get iam. iam. resourcemanager.projects.get serviceusage.services.get |
Earth Engine Resource Viewer Beta( Viewer of all Earth Engine resources |
earthengine.assets.get earthengine. earthengine.assets.list earthengine. earthengine.config.get earthengine. earthengine.maps.get earthengine.operations.get earthengine.operations.list earthengine.tables.get earthengine.thumbnails.get earthengine. resourcemanager.projects.get resourcemanager.projects.list |
Earth Engine Resource Writer Beta( Writer of all Earth Engine resources |
earthengine.assets.create earthengine.assets.delete earthengine.assets.get earthengine. earthengine.assets.list earthengine.assets.update earthengine. earthengine.config.* earthengine.exports.create earthengine. earthengine. earthengine.imports.create earthengine.maps.* earthengine.operations.* earthengine.tables.* earthengine.thumbnails.* earthengine.videothumbnails.* resourcemanager.projects.get resourcemanager.projects.list |
Edge Container roles |
Permissions |
Edge Container Admin( Full access to all Edge Container resources. |
edgecontainer.* resourcemanager.projects.get resourcemanager.projects.list |
Edge Container Machine User( Access to use Edge Container Machine resources. |
edgecontainer.machines.get edgecontainer. edgecontainer.machines.list edgecontainer.machines.use resourcemanager.projects.get resourcemanager.projects.list |
Edge Container Cluster offline Credential User( Access to get Edge Container cluster offline credentials |
edgecontainer. resourcemanager.projects.get resourcemanager.projects.list |
Edge Container Viewer( Read-only access to all Edge Container resources. |
edgecontainer. edgecontainer.clusters.get edgecontainer. edgecontainer.clusters.list edgecontainer.locations.* edgecontainer.machines.get edgecontainer. edgecontainer.machines.list edgecontainer.nodePools.get edgecontainer. edgecontainer.nodePools.list edgecontainer.operations.get edgecontainer.operations.list edgecontainer.serverconfig.get edgecontainer. edgecontainer. edgecontainer. resourcemanager.projects.get resourcemanager.projects.list |
Edge Network roles |
Permissions |
Edge Network Admin( Full access to all Edge Network resources. |
edgenetwork.* resourcemanager.projects.get resourcemanager.projects.list |
Edge Network Viewer( Read-only access to all Edge Network resources. |
edgenetwork. edgenetwork. edgenetwork. edgenetwork.interconnects.get edgenetwork. edgenetwork. edgenetwork.interconnects.list edgenetwork.locations.* edgenetwork.networks.get edgenetwork. edgenetwork.networks.getStatus edgenetwork.networks.list edgenetwork.operations.get edgenetwork.operations.list edgenetwork.routers.get edgenetwork. edgenetwork. edgenetwork.routers.list edgenetwork.routes.get edgenetwork.routes.list edgenetwork.subnetworks.get edgenetwork. edgenetwork. edgenetwork.subnetworks.list edgenetwork.zones.get edgenetwork.zones.list resourcemanager.projects.get resourcemanager.projects.list |
Enterprise Knowledge Graph roles |
Permissions |
Enterprise Knowledge Graph Admin Beta( Administrator of Enterprise Knowledge Graph resources |
enterpriseknowledgegraph.* resourcemanager.projects.get resourcemanager.projects.list |
Enterprise Knowledge Graph Editor Beta( Editor of Enterprise Knowledge Graph resources |
enterpriseknowledgegraph.* resourcemanager.projects.get resourcemanager.projects.list |
Enterprise Knowledge Graph Viewer Beta( Viewer of Enterprise Knowledge Graph resources |
enterpriseknowledgegraph. enterpriseknowledgegraph. enterpriseknowledgegraph. enterpriseknowledgegraph. resourcemanager.projects.get resourcemanager.projects.list |
Error Reporting roles |
Permissions |
Error Reporting Admin Beta( Provides full access to Error Reporting data. Lowest-level resources where you can grant this role:
|
cloudnotifications. errorreporting.* logging.notificationRules.* resourcemanager.projects.get resourcemanager.projects.list stackdriver.projects.get |
Error Reporting User Beta( Provides the permissions to read and write Error Reporting data, except for sending new error events. Lowest-level resources where you can grant this role:
|
cloudnotifications. errorreporting. errorreporting. errorreporting. errorreporting.groupMetadata.* errorreporting.groups.list logging.notificationRules.* resourcemanager.projects.get resourcemanager.projects.list stackdriver.projects.get |
Error Reporting Viewer Beta( Provides read-only access to Error Reporting data. Lowest-level resources where you can grant this role:
|
cloudnotifications. errorreporting. errorreporting. errorreporting. errorreporting.groups.list logging.notificationRules.get logging.notificationRules.list resourcemanager.projects.get resourcemanager.projects.list stackdriver.projects.get |
Error Reporting Writer Beta( Provides the permissions to send error events to Error Reporting. Lowest-level resources where you can grant this role:
|
errorreporting. |
Eventarc roles |
Permissions |
Eventarc Admin( Full control over all Eventarc resources. Lowest-level resources where you can grant this role:
|
eventarc.* resourcemanager.projects.get resourcemanager.projects.list |
Eventarc Connection Publisher Beta( Can publish events to Eventarc channel connections. Lowest-level resources where you can grant this role:
|
eventarc. eventarc. eventarc. resourcemanager.projects.get resourcemanager.projects.list |
Eventarc Developer( Access to read and write Eventarc resources. Lowest-level resources where you can grant this role:
|
eventarc. eventarc. eventarc. eventarc. eventarc. eventarc. eventarc.channels.attach eventarc.channels.create eventarc.channels.delete eventarc.channels.get eventarc.channels.getIamPolicy eventarc.channels.list eventarc.channels.publish eventarc.channels.undelete eventarc.channels.update eventarc. eventarc.locations.* eventarc.operations.* eventarc.providers.* eventarc.triggers.create eventarc.triggers.delete eventarc.triggers.get eventarc.triggers.getIamPolicy eventarc.triggers.list eventarc.triggers.undelete eventarc.triggers.update resourcemanager.projects.get resourcemanager.projects.list |
Eventarc Event Receiver( Can receive events from all event providers. Lowest-level resources where you can grant this role:
|
eventarc.events.* |
Eventarc Publisher Beta( Can publish events to Eventarc channels. Lowest-level resources where you can grant this role:
|
eventarc.channels.get eventarc.channels.list eventarc.channels.publish resourcemanager.projects.get resourcemanager.projects.list |
Eventarc Viewer( Can view the state of all Eventarc resources, including IAM policies. Lowest-level resources where you can grant this role:
|
eventarc. eventarc. eventarc. eventarc.channels.get eventarc.channels.getIamPolicy eventarc.channels.list eventarc. eventarc.locations.* eventarc.operations.get eventarc.operations.list eventarc.providers.* eventarc.triggers.get eventarc.triggers.getIamPolicy eventarc.triggers.list resourcemanager.projects.get resourcemanager.projects.list |
Firebase roles |
Permissions |
Firebase Admin( Full access to Firebase products. |
apikeys.keys.get apikeys.keys.getKeyString apikeys.keys.list apikeys.keys.lookup appengine.applications.get automl.* clientauthconfig.brands.get clientauthconfig.brands.list clientauthconfig.brands.update clientauthconfig. clientauthconfig. clientauthconfig.clients.get clientauthconfig.clients.list clientauthconfig. cloudbuild.builds.get cloudbuild.builds.list cloudbuild.operations.* cloudconfig.* cloudfunctions.* cloudmessaging.messages.create cloudnotifications. cloudtestservice. cloudtestservice.matrices.* cloudtoolresults.* datastore.* errorreporting.groups.list eventarc.* fcmdata.deliverydata.list firebase.* firebaseabt.* firebaseanalytics.* firebaseappcheck.* firebaseappdistro.* firebaseauth.* firebasecrash.* firebasecrashlytics.* firebasedatabase.* firebasedynamiclinks.* firebaseextensions.* firebaseextensionspublisher.* firebasehosting.* firebaseinappmessaging.* firebasemessagingcampaigns.* firebaseml.* firebasenotifications.* firebaseperformance.* firebaserules.* firebasestorage.* logging.logEntries.list monitoring.timeSeries.list oauthconfig.verification.get orgpolicy.policy.get recommender. recommender. recommender. recommender. recommender.locations.* recommender. recommender. recommender. recommender. recommender. recommender. recommender. recommender. remotebuildexecution.blobs.get resourcemanager.projects.get resourcemanager. 
resourcemanager.projects.list run.* runtimeconfig.configs.create runtimeconfig.configs.delete runtimeconfig.configs.get runtimeconfig.configs.list runtimeconfig.configs.update runtimeconfig.operations.* runtimeconfig.variables.create runtimeconfig.variables.delete runtimeconfig.variables.get runtimeconfig.variables.list runtimeconfig.variables.update runtimeconfig.variables.watch runtimeconfig.waiters.create runtimeconfig.waiters.delete runtimeconfig.waiters.get runtimeconfig.waiters.list runtimeconfig.waiters.update serviceusage.operations.get serviceusage.operations.list serviceusage.quotas.get serviceusage.services.get serviceusage.services.list storage.anywhereCaches.* storage.bucketOperations.* storage.buckets.* storage.managedFolders.* storage.multipartUploads.* storage.objects.* |
Firebase Analytics Admin( Full access to Google Analytics for Firebase. |
cloudnotifications. firebase.billingPlans.get firebase.clients.get firebase.clients.list firebase.links.list firebase.playLinks.get firebase.playLinks.list firebase.projects.get firebaseanalytics.* firebaseextensions. resourcemanager.projects.get resourcemanager. resourcemanager.projects.list |
Firebase Analytics Viewer( Read access to Google Analytics for Firebase. |
cloudnotifications. firebase.billingPlans.get firebase.clients.get firebase.clients.list firebase.links.list firebase.playLinks.get firebase.playLinks.list firebase.projects.get firebaseanalytics. firebaseextensions. resourcemanager.projects.get resourcemanager. resourcemanager.projects.list |
Firebase Develop Admin( Full access to Firebase Develop products and Analytics. |
apikeys.keys.get apikeys.keys.getKeyString apikeys.keys.list apikeys.keys.lookup appengine.applications.get automl.* clientauthconfig.brands.get clientauthconfig.brands.list clientauthconfig.brands.update clientauthconfig.clients.get clientauthconfig.clients.list cloudbuild.builds.get cloudbuild.builds.list cloudbuild.operations.* cloudfunctions.* cloudnotifications. datastore.* errorreporting.groups.list eventarc.* firebase.billingPlans.get firebase.clients.get firebase.clients.list firebase.links.list firebase.playLinks.get firebase.playLinks.list firebase.projects.get firebaseanalytics.* firebaseappcheck.* firebaseauth.* firebasedatabase.* firebaseextensions. firebasehosting.* firebaseml.* firebaserules.* firebasestorage.* logging.logEntries.list monitoring.timeSeries.list oauthconfig.verification.get orgpolicy.policy.get recommender. recommender. recommender. recommender. recommender.locations.* recommender. recommender. recommender. recommender. recommender. recommender. recommender. recommender. remotebuildexecution.blobs.get resourcemanager.projects.get resourcemanager. resourcemanager.projects.list run.* runtimeconfig.configs.create runtimeconfig.configs.delete runtimeconfig.configs.get runtimeconfig.configs.list runtimeconfig.configs.update runtimeconfig.operations.* runtimeconfig.variables.create runtimeconfig.variables.delete runtimeconfig.variables.get runtimeconfig.variables.list runtimeconfig.variables.update runtimeconfig.variables.watch runtimeconfig.waiters.create runtimeconfig.waiters.delete runtimeconfig.waiters.get runtimeconfig.waiters.list runtimeconfig.waiters.update serviceusage.operations.get serviceusage.operations.list serviceusage.quotas.get serviceusage.services.get serviceusage.services.list storage.anywhereCaches.* storage.bucketOperations.* storage.buckets.* storage.managedFolders.* storage.multipartUploads.* storage.objects.* |
Firebase Develop Viewer( Read access to Firebase Develop products and Analytics. |
automl.annotationSpecs.get automl.annotationSpecs.list automl.annotations.list automl.columnSpecs.get automl.columnSpecs.list automl.datasets.get automl.datasets.list automl.examples.get automl.examples.list automl.files.list automl. automl. automl.locations.get automl.locations.list automl.modelEvaluations.get automl.modelEvaluations.list automl.models.get automl.models.list automl.operations.get automl.operations.list automl.tableSpecs.get automl.tableSpecs.list clientauthconfig.brands.get clientauthconfig.brands.list cloudbuild.builds.get cloudbuild.builds.list cloudbuild.operations.* cloudfunctions.functions.get cloudfunctions. cloudfunctions.functions.list cloudfunctions.locations.list cloudfunctions.operations.* cloudnotifications. datastore.databases.get datastore. datastore.databases.list datastore.entities.get datastore.entities.list datastore.indexes.get datastore.indexes.list datastore.namespaces.* datastore.statistics.* errorreporting.groups.list eventarc. eventarc. eventarc. eventarc.channels.get eventarc.channels.getIamPolicy eventarc.channels.list eventarc. eventarc.locations.* eventarc.operations.get eventarc.operations.list eventarc.providers.* eventarc.triggers.get eventarc.triggers.getIamPolicy eventarc.triggers.list firebase.billingPlans.get firebase.clients.get firebase.clients.list firebase.links.list firebase.playLinks.get firebase.playLinks.list firebase.projects.get firebaseanalytics. firebaseappcheck. firebaseappcheck. firebaseappcheck. firebaseappcheck. firebaseappcheck. firebaseappcheck. firebaseappcheck. firebaseappcheck. firebaseappcheck.services.get firebaseauth.configs.get firebaseauth.users.get firebasedatabase.instances.get firebasedatabase. firebaseextensions. 
firebasehosting.sites.get firebasehosting.sites.list firebaseml.models.get firebaseml.models.list firebaseml.modelversions.get firebaseml.modelversions.list firebaserules.releases.get firebaserules.releases.list firebaserules.rulesets.get firebaserules.rulesets.list firebasestorage.buckets.get firebasestorage.buckets.list firebasestorage. logging.logEntries.list monitoring.timeSeries.list oauthconfig.verification.get recommender. recommender. recommender. recommender. recommender.locations.* recommender. recommender. recommender. recommender. recommender. recommender. recommender. recommender. recommender. recommender. recommender. recommender. recommender. recommender. recommender. recommender. remotebuildexecution.blobs.get resourcemanager.projects.get resourcemanager. resourcemanager.projects.list run.configurations.* run.executions.get run.executions.list run.jobs.get run.jobs.getIamPolicy run.jobs.list run.jobs.listEffectiveTags run.jobs.listTagBindings run.locations.list run.operations.get run.operations.list run.revisions.get run.revisions.list run.routes.get run.routes.list run.services.get run.services.getIamPolicy run.services.list run.services.listEffectiveTags run.services.listTagBindings run.tasks.* serviceusage.operations.get serviceusage.operations.list serviceusage.quotas.get serviceusage.services.get serviceusage.services.list storage.buckets.get storage.buckets.getIamPolicy storage.buckets.list storage.objects.get storage.objects.getIamPolicy storage.objects.list |
Firebase Grow Admin( Full access to Firebase Grow products and Analytics. |
clientauthconfig.clients.get clientauthconfig.clients.list cloudconfig.* cloudmessaging.messages.create cloudnotifications. fcmdata.deliverydata.list firebase.billingPlans.get firebase.clients.get firebase.clients.list firebase.links.list firebase.playLinks.get firebase.playLinks.list firebase.projects.get firebaseabt.* firebaseanalytics.* firebasedynamiclinks.* firebaseextensions. firebaseinappmessaging.* firebasemessagingcampaigns.* firebasenotifications.* monitoring.timeSeries.list resourcemanager.projects.get resourcemanager. resourcemanager.projects.list serviceusage.operations.get serviceusage.operations.list serviceusage.quotas.get serviceusage.services.get serviceusage.services.list |
Firebase Grow Viewer( Read access to Firebase Grow products and Analytics. |
cloudconfig.configs.get cloudnotifications. fcmdata.deliverydata.list firebase.billingPlans.get firebase.clients.get firebase.clients.list firebase.links.list firebase.playLinks.get firebase.playLinks.list firebase.projects.get firebaseabt. firebaseabt.experiments.get firebaseabt.experiments.list firebaseabt. firebaseanalytics. firebasedynamiclinks. firebasedynamiclinks. firebasedynamiclinks. firebasedynamiclinks.links.get firebasedynamiclinks. firebasedynamiclinks.stats.get firebaseextensions. firebaseinappmessaging. firebaseinappmessaging. firebasemessagingcampaigns. firebasemessagingcampaigns. firebasenotifications. firebasenotifications. monitoring.timeSeries.list resourcemanager.projects.get resourcemanager. resourcemanager.projects.list serviceusage.operations.get serviceusage.operations.list serviceusage.quotas.get serviceusage.services.get serviceusage.services.list |
Firebase Quality Admin( Full access to Firebase Quality products and Analytics. |
cloudnotifications. firebase.billingPlans.get firebase.clients.get firebase.clients.list firebase.links.list firebase.playLinks.get firebase.playLinks.list firebase.projects.get firebaseanalytics.* firebaseappdistro.* firebasecrash.* firebasecrashlytics.* firebaseextensions. firebaseperformance.* monitoring.timeSeries.list resourcemanager.projects.get resourcemanager. resourcemanager.projects.list serviceusage.operations.get serviceusage.operations.list serviceusage.quotas.get serviceusage.services.get serviceusage.services.list |
Firebase Quality Viewer( Read access to Firebase Quality products and Analytics. |
cloudnotifications. firebase.billingPlans.get firebase.clients.get firebase.clients.list firebase.links.list firebase.playLinks.get firebase.playLinks.list firebase.projects.get firebaseanalytics. firebaseappdistro.groups.list firebaseappdistro. firebaseappdistro.testers.list firebasecrash.reports.get firebasecrashlytics.config.get firebasecrashlytics.data.get firebasecrashlytics.issues.get firebasecrashlytics. firebasecrashlytics. firebaseextensions. firebaseperformance.data.get monitoring.timeSeries.list resourcemanager.projects.get resourcemanager. resourcemanager.projects.list serviceusage.operations.get serviceusage.operations.list serviceusage.quotas.get serviceusage.services.get serviceusage.services.list |
Firebase Admin SDK Administrator Service Agent( Read and write access to Firebase products available in the Admin SDK |
appengine.applications.get cloudconfig.* cloudmessaging.messages.create datastore.databases.get datastore. datastore.databases.list datastore.entities.* datastore.indexes.get datastore.indexes.list datastore.namespaces.* datastore.statistics.* firebase.clients.* firebase.projects.get firebase.projects.update firebaseappcheck.* firebaseauth.configs.create firebaseauth.configs.get firebaseauth.configs.getSecret firebaseauth.configs.update firebaseauth.users.* firebasedatabase.* firebasehosting.* firebaseml.* firebasenotifications.* firebaserules.releases.get firebaserules.releases.list firebaserules.releases.update firebaserules.rulesets.create firebaserules.rulesets.delete firebaserules.rulesets.get firebaserules.rulesets.list identitytoolkit.* orgpolicy.policy.get resourcemanager.projects.get resourcemanager.projects.list resourcemanager. storage.buckets.create storage.buckets.delete storage.buckets.get storage.buckets.list storage.buckets.update storage.managedFolders.create storage.managedFolders.delete storage.managedFolders.get storage.managedFolders.list storage.multipartUploads.* storage.objects.* |
Firebase SDK Provisioning Service Agent( Access to provision apps with the Admin SDK. |
apikeys.keys.list clientauthconfig.clients.list cloudmessaging.messages.create firebase.clients.create servicemanagement. serviceusage.services.enable serviceusage.services.get |
Firebase Viewer( Read-only access to Firebase products. |
automl.annotationSpecs.get automl.annotationSpecs.list automl.annotations.list automl.columnSpecs.get automl.columnSpecs.list automl.datasets.get automl.datasets.list automl.examples.get automl.examples.list automl.files.list automl. automl. automl.locations.get automl.locations.list automl.modelEvaluations.get automl.modelEvaluations.list automl.models.get automl.models.list automl.operations.get automl.operations.list automl.tableSpecs.get automl.tableSpecs.list clientauthconfig.brands.get clientauthconfig.brands.list cloudbuild.builds.get cloudbuild.builds.list cloudbuild.operations.* cloudconfig.configs.get cloudfunctions.functions.get cloudfunctions. cloudfunctions.functions.list cloudfunctions.locations.list cloudfunctions.operations.* cloudnotifications. cloudtestservice. cloudtestservice.matrices.get cloudtoolresults. cloudtoolresults. cloudtoolresults.histories.get cloudtoolresults. cloudtoolresults.settings.get cloudtoolresults.steps.get cloudtoolresults.steps.list datastore.databases.get datastore. datastore.databases.list datastore.entities.get datastore.entities.list datastore.indexes.get datastore.indexes.list datastore.namespaces.* datastore.statistics.* errorreporting.groups.list eventarc. eventarc. eventarc. eventarc.channels.get eventarc.channels.getIamPolicy eventarc.channels.list eventarc. eventarc.locations.* eventarc.operations.get eventarc.operations.list eventarc.providers.* eventarc.triggers.get eventarc.triggers.getIamPolicy eventarc.triggers.list fcmdata.deliverydata.list firebase.billingPlans.get firebase.clients.get firebase.clients.list firebase.links.list firebase.playLinks.get firebase.playLinks.list firebase.projects.get firebaseabt. firebaseabt.experiments.get firebaseabt.experiments.list firebaseabt. firebaseanalytics. firebaseappcheck. firebaseappcheck. firebaseappcheck. firebaseappcheck. firebaseappcheck. firebaseappcheck. firebaseappcheck. firebaseappcheck. 
firebaseappcheck.services.get firebaseappdistro.groups.list firebaseappdistro. firebaseappdistro.testers.list firebaseauth.configs.get firebaseauth.users.get firebasecrash.reports.get firebasecrashlytics.config.get firebasecrashlytics.data.get firebasecrashlytics.issues.get firebasecrashlytics. firebasecrashlytics. firebasedatabase.instances.get firebasedatabase. firebasedynamiclinks. firebasedynamiclinks. firebasedynamiclinks. firebasedynamiclinks.links.get firebasedynamiclinks. firebasedynamiclinks.stats.get firebaseextensions. firebaseextensionspublisher. firebaseextensionspublisher. firebasehosting.sites.get firebasehosting.sites.list firebaseinappmessaging. firebaseinappmessaging. firebasemessagingcampaigns. firebasemessagingcampaigns. firebaseml.models.get firebaseml.models.list firebaseml.modelversions.get firebaseml.modelversions.list firebasenotifications. firebasenotifications. firebaseperformance.data.get firebaserules.releases.get firebaserules.releases.list firebaserules.rulesets.get firebaserules.rulesets.list firebasestorage.buckets.get firebasestorage.buckets.list firebasestorage. logging.logEntries.list monitoring.timeSeries.list oauthconfig.verification.get recommender. recommender. recommender. recommender. recommender.locations.* recommender. recommender. recommender. recommender. recommender. recommender. recommender. recommender. recommender. recommender. recommender. recommender. recommender. recommender. recommender. recommender. remotebuildexecution.blobs.get resourcemanager.projects.get resourcemanager. 
resourcemanager.projects.list run.configurations.* run.executions.get run.executions.list run.jobs.get run.jobs.getIamPolicy run.jobs.list run.jobs.listEffectiveTags run.jobs.listTagBindings run.locations.list run.operations.get run.operations.list run.revisions.get run.revisions.list run.routes.get run.routes.list run.services.get run.services.getIamPolicy run.services.list run.services.listEffectiveTags run.services.listTagBindings run.tasks.* serviceusage.operations.get serviceusage.operations.list serviceusage.quotas.get serviceusage.services.get serviceusage.services.list storage.buckets.get storage.buckets.getIamPolicy storage.buckets.list storage.objects.get storage.objects.getIamPolicy storage.objects.list |
Firebase App Check Service Agent( Grants Firebase App Check Service Account access to consumer app attestation resources, such as reCAPTCHA Enterprise and Play Integrity API. |
recaptchaenterprise. serviceusage.services.use |
Firebase Extensions API Service Agent( Grants Firebase Extensions API Service Account access to manage resources. |
appengine.applications.get artifactregistry. cloudfunctions. cloudfunctions. cloudtasks.locations.* cloudtasks.queues.* cloudtasks.tasks.create cloudtasks.tasks.fullView deploymentmanager. deploymentmanager. deploymentmanager. deploymentmanager. deploymentmanager. deploymentmanager. deploymentmanager. deploymentmanager. deploymentmanager.manifests.* deploymentmanager.operations.* deploymentmanager.resources.* deploymentmanager. deploymentmanager.types.* eventarc.channels.create eventarc.channels.delete eventarc.channels.get eventarc.channels.setIamPolicy iam.serviceAccounts.actAs iam.serviceAccounts.create iam.serviceAccounts.get iam.serviceAccounts.list resourcemanager.projects.get resourcemanager.projects.list resourcemanager. run.services.getIamPolicy run.services.setIamPolicy serviceusage.quotas.get serviceusage.services.enable serviceusage.services.get serviceusage.services.list |
Firebase Products roles |
Permissions |
Firebase Remote Config Admin( Full access to Firebase Remote Config resources. |
cloudconfig.* firebase.clients.get firebase.clients.list firebase.projects.get resourcemanager.projects.get resourcemanager.projects.list |
Firebase Remote Config Viewer( Read access to Firebase Remote Config resources. |
cloudconfig.configs.get firebase.clients.get firebase.clients.list firebase.projects.get resourcemanager.projects.get resourcemanager.projects.list |
Firebase Test Lab Direct Access Admin Beta( Administrator owning access to Direct Access |
cloudtestservice. cloudtestservice. resourcemanager.projects.get resourcemanager.projects.list |
Firebase Test Lab Direct Access Viewer Beta( Viewer, able to see what direct access sessions exist |
cloudtestservice. cloudtestservice. resourcemanager.projects.get resourcemanager.projects.list |
Firebase Test Lab Admin( Full access to all Test Lab features |
cloudtestservice. cloudtestservice.matrices.* cloudtoolresults.* firebase.billingPlans.get firebase.clients.get firebase.clients.list firebase.projects.get resourcemanager.projects.get resourcemanager.projects.list storage.buckets.create storage.buckets.get storage.buckets.update storage.objects.create storage.objects.delete storage.objects.get storage.objects.list |
Firebase Test Lab Viewer( Read access to Test Lab features |
cloudtestservice. cloudtestservice.matrices.get cloudtoolresults. cloudtoolresults. cloudtoolresults.histories.get cloudtoolresults. cloudtoolresults.settings.get cloudtoolresults.steps.get cloudtoolresults.steps.list firebase.clients.get firebase.clients.list firebase.projects.get resourcemanager.projects.get resourcemanager.projects.list storage.objects.get storage.objects.list |
Firebase A/B Testing Admin Beta( Full read/write access to Firebase A/B Testing resources. |
firebase.clients.get firebase.clients.list firebase.projects.get firebaseabt.* resourcemanager.projects.get resourcemanager.projects.list |
Firebase A/B Testing Viewer Beta( Read-only access to Firebase A/B Testing resources. |
firebase.clients.get firebase.clients.list firebase.projects.get firebaseabt. firebaseabt.experiments.get firebaseabt.experiments.list firebaseabt. resourcemanager.projects.get resourcemanager.projects.list |
Firebase App Check Admin( Full management of Firebase App Check. |
firebaseappcheck.* |
Firebase App Check Token Verifier( Access to token verification capabilities for Firebase App Check. |
firebaseappcheck. |
Firebase App Check Viewer( Read-only access for Firebase App Check. |
firebaseappcheck. firebaseappcheck. firebaseappcheck. firebaseappcheck. firebaseappcheck. firebaseappcheck. firebaseappcheck. firebaseappcheck. firebaseappcheck.services.get |
Firebase App Distribution Admin( Full read/write access to Firebase App Distribution resources. |
firebase.clients.get firebase.clients.list firebase.projects.get firebaseappdistro.* resourcemanager.projects.get resourcemanager.projects.list |
Firebase App Distribution Viewer( Read-only access to Firebase App Distribution resources. |
firebase.clients.get firebase.clients.list firebase.projects.get firebaseappdistro.groups.list firebaseappdistro. firebaseappdistro.testers.list resourcemanager.projects.get resourcemanager.projects.list |
Firebase Authentication Admin( Full read/write access to Firebase Authentication resources. |
firebase.clients.get firebase.clients.list firebase.projects.get firebaseauth.* resourcemanager.projects.get resourcemanager.projects.list |
Firebase Authentication Viewer( Read-only access to Firebase Authentication resources. |
firebase.clients.get firebase.clients.list firebase.projects.get firebaseauth.configs.get firebaseauth.users.get resourcemanager.projects.get resourcemanager.projects.list |
Firebase Crashlytics Admin( Full read/write access to Firebase Crashlytics resources. |
firebase.clients.get firebase.clients.list firebase.projects.get firebasecrashlytics.* resourcemanager.projects.get resourcemanager.projects.list |
Firebase Crashlytics Viewer( Read-only access to Firebase Crashlytics resources. |
firebase.clients.get firebase.clients.list firebase.projects.get firebasecrashlytics.config.get firebasecrashlytics.data.get firebasecrashlytics.issues.get firebasecrashlytics. firebasecrashlytics. resourcemanager.projects.get resourcemanager.projects.list |
Firebase Realtime Database Admin( Full read/write access to Firebase Realtime Database resources. |
firebase.clients.get firebase.clients.list firebase.projects.get firebasedatabase.* resourcemanager.projects.get resourcemanager.projects.list |
Firebase Realtime Database Viewer( Read-only access to Firebase Realtime Database resources. |
firebase.clients.get firebase.clients.list firebase.projects.get firebasedatabase.instances.get firebasedatabase. resourcemanager.projects.get resourcemanager.projects.list |
Firebase Dynamic Links Admin( Full read/write access to Firebase Dynamic Links resources. |
firebase.clients.get firebase.clients.list firebase.projects.get firebasedynamiclinks.* resourcemanager.projects.get resourcemanager.projects.list |
Firebase Dynamic Links Viewer( Read-only access to Firebase Dynamic Links resources. |
firebase.clients.get firebase.clients.list firebase.projects.get firebasedynamiclinks. firebasedynamiclinks. firebasedynamiclinks. firebasedynamiclinks.links.get firebasedynamiclinks. firebasedynamiclinks.stats.get resourcemanager.projects.get resourcemanager.projects.list |
Firebase Extensions Developer Beta( View, create, and delete Firebase Extensions Instances and Extensions Versions, and update Extensions Instances |
firebase.clients.get firebase.clients.list firebase.projects.get resourcemanager.projects.get resourcemanager.projects.list |
Firebase Extensions Viewer Beta( Viewer of Firebase Extensions Instances |
firebase.clients.get firebase.clients.list firebase.projects.get resourcemanager.projects.get resourcemanager.projects.list |
Firebase Extensions Publisher - Extensions Admin Beta( Fully manage Firebase Extensions |
firebase.clients.get firebase.clients.list firebase.projects.get firebaseextensionspublisher.* resourcemanager.projects.get resourcemanager.projects.list |
Firebase Extensions Publisher - Extensions Viewer Beta( View Firebase Extensions |
firebase.clients.get firebase.clients.list firebase.projects.get firebaseextensionspublisher. firebaseextensionspublisher. resourcemanager.projects.get resourcemanager.projects.list |
Firebase Hosting Admin( Full read/write access to Firebase Hosting resources. |
firebase.clients.get firebase.clients.list firebase.projects.get firebasehosting.* resourcemanager.projects.get resourcemanager.projects.list |
Firebase Hosting Viewer( Read-only access to Firebase Hosting resources. |
firebase.clients.get firebase.clients.list firebase.projects.get firebasehosting.sites.get firebasehosting.sites.list resourcemanager.projects.get resourcemanager.projects.list |
Firebase In-App Messaging Admin Beta( Full read/write access to Firebase In-App Messaging resources. |
firebase.clients.get firebase.clients.list firebase.projects.get firebaseinappmessaging.* resourcemanager.projects.get resourcemanager.projects.list |
Firebase In-App Messaging Viewer Beta( Read-only access to Firebase In-App Messaging resources. |
firebase.clients.get firebase.clients.list firebase.projects.get firebaseinappmessaging. firebaseinappmessaging. resourcemanager.projects.get resourcemanager.projects.list |
Firebase Messaging Campaigns Admin Beta( Full management of Firebase Messaging Campaigns. |
firebasemessagingcampaigns.* |
Firebase Messaging Campaigns Viewer Beta( Read-only access for Firebase Messaging Campaigns. |
firebasemessagingcampaigns. firebasemessagingcampaigns. |
Firebase ML Kit Admin Beta( Full read/write access to Firebase ML Kit resources. |
firebase.clients.get firebase.clients.list firebase.projects.get firebaseml.* resourcemanager.projects.get resourcemanager.projects.list |
Firebase ML Kit Viewer Beta( Read-only access to Firebase ML Kit resources. |
firebase.clients.get firebase.clients.list firebase.projects.get firebaseml.models.get firebaseml.models.list firebaseml.modelversions.get firebaseml.modelversions.list resourcemanager.projects.get resourcemanager.projects.list |
Firebase Cloud Messaging Admin( Full read/write access to Firebase Cloud Messaging resources. |
fcmdata.deliverydata.list firebase.clients.get firebase.clients.list firebase.projects.get firebasenotifications.* resourcemanager.projects.get resourcemanager.projects.list |
Firebase Cloud Messaging Viewer( Read-only access to Firebase Cloud Messaging resources. |
fcmdata.deliverydata.list firebase.clients.get firebase.clients.list firebase.projects.get firebasenotifications. firebasenotifications. resourcemanager.projects.get resourcemanager.projects.list |
Firebase Performance Reporting Admin( Full access to firebaseperformance resources. |
firebase.clients.get firebase.clients.list firebase.projects.get firebaseperformance.* resourcemanager.projects.get resourcemanager.projects.list |
Firebase Performance Reporting Viewer( Read-only access to firebaseperformance resources. |
firebase.clients.get firebase.clients.list firebase.projects.get firebaseperformance.data.get resourcemanager.projects.get resourcemanager.projects.list |
Firebase Rules Admin( Full management of Firebase Rules. |
firebaserules.* resourcemanager.projects.get resourcemanager.projects.list |
Firebase Rules System( Read/write/list access for Datastore entities and Cloud Storage objects, as well as get/list/publish access for PubSub topics. |
datastore.databases.get datastore.entities.* pubsub.topics.get pubsub.topics.list pubsub.topics.publish resourcemanager.projects.get resourcemanager.projects.list storage.objects.create storage.objects.delete storage.objects.get storage.objects.list storage.objects.update |
Firebase Rules Viewer( Read-only access on all resources with the ability to test Rulesets. |
firebaserules.releases.get firebaserules.releases.list firebaserules.rulesets.get firebaserules.rulesets.list resourcemanager.projects.get resourcemanager.projects.list |
Cloud Storage for Firebase Admin Beta( Full management of Cloud Storage for Firebase. |
firebase.clients.get firebase.clients.list firebase.projects.get firebasestorage.* resourcemanager.projects.get resourcemanager.projects.list |
Cloud Storage for Firebase Viewer Beta( Read-only access for Cloud Storage for Firebase. |
firebasestorage.buckets.get firebasestorage.buckets.list firebasestorage. resourcemanager.projects.get resourcemanager.projects.list |
Fleet Engine roles |
Permissions |
Fleet Engine Consumer SDK User( Limited read access to Fleet Engine resources |
fleetengine.trips.get fleetengine.vehicles.get fleetengine.vehicles.search fleetengine. |
Fleet Engine Delivery Admin( Full access to Fleet Engine Delivery resources. |
fleetengine.deliveryvehicles.* fleetengine.tasks.* fleetengine.tasktrackinginfo.* resourcemanager.projects.get resourcemanager.projects.list serviceusage.services.use |
Fleet Engine Delivery Consumer User( Limited read access to Fleet Engine Delivery resources |
fleetengine. fleetengine. |
Fleet Engine Delivery Fleet Reader User( Grants read access to all Fleet Engine Delivery resources |
fleetengine. fleetengine. fleetengine.tasks.get fleetengine.tasks.list fleetengine. fleetengine. |
Fleet Engine Delivery Super User( Full access to Fleet Engine DeliveryVehicles and Tasks resources. |
fleetengine. fleetengine. fleetengine. fleetengine. fleetengine. fleetengine. fleetengine.tasks.create fleetengine.tasks.get fleetengine.tasks.list fleetengine. fleetengine.tasks.update fleetengine. resourcemanager.projects.get resourcemanager.projects.list |
Fleet Engine Delivery Trusted Driver User( Read and write access to Fleet Engine Delivery resources |
fleetengine. fleetengine. fleetengine. fleetengine. fleetengine. fleetengine.tasks.create fleetengine.tasks.update |
Fleet Engine Delivery Untrusted Driver User( Limited write access to Fleet Engine Delivery Vehicle resources |
fleetengine. fleetengine. |
Fleet Engine Driver SDK User( Read and limited update access to Fleet Engine resources |
fleetengine.trips.get fleetengine.trips.search fleetengine.trips.update fleetengine.vehicles.get fleetengine. |
Fleet Engine On-Demand Admin( Full access to Vehicle and Trip resources. |
fleetengine.trips.* fleetengine.vehicles.* resourcemanager.projects.get resourcemanager.projects.list serviceusage.services.use |
Fleet Engine Service Super User( Full access to all Fleet Engine resources. |
fleetengine.trips.create fleetengine.trips.get fleetengine.trips.search fleetengine.trips.update fleetengine.trips.updateState fleetengine.vehicles.create fleetengine.vehicles.get fleetengine.vehicles.list fleetengine.vehicles.search fleetengine. fleetengine.vehicles.update fleetengine. resourcemanager.projects.get resourcemanager.projects.list |
Genomics roles |
Permissions |
Genomics Admin( Full access to genomics datasets and operations. |
genomics.* |
Genomics Editor( Access to read and edit genomics datasets and operations. |
genomics.datasets.create genomics.datasets.delete genomics.datasets.get genomics.datasets.list genomics.datasets.update genomics.operations.* |
Genomics Pipelines Runner( Full access to operate on genomics pipelines. |
genomics.operations.* |
Genomics Viewer( Access to view genomics datasets and operations. |
genomics.datasets.get genomics.datasets.list genomics.operations.get genomics.operations.list |
GKE Hub roles |
Permissions |
Fleet Admin (formerly GKE Hub Admin)( Full access to Fleet resources. |
gkehub.features.* gkehub.fleet.* gkehub.locations.* gkehub.membershipbindings.* gkehub.memberships.* gkehub.namespaces.* gkehub.operations.* gkehub.rbacrolebindings.* gkehub.scopes.* resourcemanager.projects.get resourcemanager.projects.list |
GKE Connect Agent( Ability to set up GKE Connect between external clusters and Google. |
gkehub.endpoints.connect |
Fleet Editor (formerly GKE Hub Editor)( Edit access to Fleet resources. |
gkehub.features.create gkehub.features.delete gkehub.features.get gkehub.features.getIamPolicy gkehub.features.list gkehub.features.update gkehub.fleet.* gkehub.locations.* gkehub.membershipbindings.* gkehub.memberships.create gkehub.memberships.delete gkehub. gkehub.memberships.get gkehub. gkehub.memberships.list gkehub.memberships.update gkehub.namespaces.* gkehub.operations.* gkehub.rbacrolebindings.* gkehub.scopes.create gkehub.scopes.delete gkehub.scopes.get gkehub.scopes.getIamPolicy gkehub.scopes.list gkehub. gkehub.scopes.update resourcemanager.projects.get resourcemanager.projects.list |
Connect Gateway Admin( Full access to Connect Gateway. |
gkehub.gateway.* gkehub.memberships.get serviceusage.services.get |
Connect Gateway Editor( Edit access to Connect Gateway. |
gkehub.gateway.delete gkehub.gateway.get gkehub.gateway.patch gkehub.gateway.post gkehub.gateway.put gkehub.memberships.get serviceusage.services.get |
Connect Gateway Reader( Read-only access to Connect Gateway. |
gkehub.gateway.get gkehub.memberships.get serviceusage.services.get |
Fleet Viewer (formerly GKE Hub Viewer)( Read-only access to Fleets and related resources. |
gkehub.features.get gkehub.features.getIamPolicy gkehub.features.list gkehub.fleet.get gkehub.fleet.getFreeTrial gkehub.locations.* gkehub.membershipbindings.get gkehub.membershipbindings.list gkehub. gkehub.memberships.get gkehub. gkehub.memberships.list gkehub.namespaces.get gkehub.namespaces.list gkehub.operations.get gkehub.operations.list gkehub.rbacrolebindings.get gkehub.rbacrolebindings.list gkehub.scopes.get gkehub.scopes.list gkehub. resourcemanager.projects.get resourcemanager.projects.list |
GKE on-prem roles |
Permissions |
GKE on-prem Admin( Full access to all GKE on-prem resources. |
gkeonprem.* resourcemanager.projects.get resourcemanager.projects.list |
GKE on-prem Viewer( Read-only access to all GKE on-prem resources. |
gkeonprem. gkeonprem. gkeonprem. gkeonprem. gkeonprem. gkeonprem. gkeonprem. gkeonprem. gkeonprem. gkeonprem. gkeonprem. gkeonprem. gkeonprem.locations.* gkeonprem.operations.get gkeonprem.operations.list gkeonprem. gkeonprem. gkeonprem. gkeonprem. gkeonprem.vmwareClusters.get gkeonprem. gkeonprem.vmwareClusters.list gkeonprem. gkeonprem.vmwareNodePools.get gkeonprem. gkeonprem.vmwareNodePools.list resourcemanager.projects.get resourcemanager.projects.list |
Google Workspace Add-ons roles |
Permissions |
Google Workspace Add-ons Developer( Full access to Google Workspace Add-ons resources |
gsuiteaddons.* resourcemanager.projects.get resourcemanager.projects.list |
Google Workspace Add-ons Reader( Read-only access to Google Workspace Add-ons resources |
gsuiteaddons. gsuiteaddons.deployments.get gsuiteaddons.deployments.list resourcemanager.projects.get resourcemanager.projects.list |
Google Workspace Add-ons Tester( Testing execution access to Google Workspace Add-ons resources |
gsuiteaddons. gsuiteaddons. gsuiteaddons. gsuiteaddons. resourcemanager.projects.get resourcemanager.projects.list |
IAM roles |
Permissions |
Deny Admin( Deny admin role, with permissions to read and modify deny policies. Lowest-level resources where you can grant this role:
|
iam.denypolicies.* |
Deny Reviewer( Deny Reviewer role, with permissions to read deny policies. Lowest-level resources where you can grant this role:
|
iam.denypolicies.get iam.denypolicies.list |
Security Admin( Security admin role, with permissions to get and set any IAM policy. |
accessapproval.requests.list accesscontextmanager. accesscontextmanager. accesscontextmanager. accesscontextmanager. accesscontextmanager. accesscontextmanager. accesscontextmanager. actions.agentVersions.list advisorynotifications. aiplatform. aiplatform.annotations.list aiplatform.artifacts.list aiplatform. aiplatform.contexts.list aiplatform.customJobs.list aiplatform.dataItems.list aiplatform. aiplatform. aiplatform.datasets.list aiplatform. aiplatform. aiplatform.edgeDevices.list aiplatform. aiplatform.endpoints.list aiplatform. aiplatform. aiplatform.entityTypes.list aiplatform. aiplatform.executions.list aiplatform.extensions.list aiplatform.featureGroups.list aiplatform. aiplatform. aiplatform.featureViews.list aiplatform.features.list aiplatform. aiplatform.featurestores.list aiplatform. aiplatform. aiplatform. aiplatform.indexEndpoints.list aiplatform.indexes.list aiplatform.locations.list aiplatform. aiplatform.metadataStores.list aiplatform. aiplatform. aiplatform. aiplatform.models.list aiplatform.nasJobs.list aiplatform. aiplatform. aiplatform. aiplatform. aiplatform. aiplatform.operations.list aiplatform. aiplatform.pipelineJobs.list aiplatform.schedules.list aiplatform. aiplatform.studies.list aiplatform. aiplatform. aiplatform. aiplatform.tensorboards.list aiplatform. aiplatform.trials.list alloydb.backups.list alloydb.clusters.list alloydb.databases.list alloydb.instances.list alloydb.locations.list alloydb.operations.list alloydb. alloydb.users.list analyticshub. analyticshub. analyticshub. analyticshub. analyticshub.listings.list analyticshub. analyticshub. apigateway. apigateway.apiconfigs.list apigateway. apigateway.apis.getIamPolicy apigateway.apis.list apigateway.apis.setIamPolicy apigateway. apigateway.gateways.list apigateway. apigateway.locations.list apigateway.operations.list apigee. 
apigee.apiproducts.list apigee.appgroupapps.list apigee.appgroups.list apigee.apps.list apigee.archivedeployments.list apigee.caches.list apigee.datacollectors.list apigee.datastores.list apigee.deployments.list apigee. apigee.developerapps.list apigee. apigee.developers.list apigee. apigee. apigee. apigee.envgroups.list apigee. apigee.environments.list apigee. apigee.exports.list apigee.flowhooks.list apigee.hostqueries.list apigee. apigee. apigee.instances.list apigee.keystorealiases.list apigee.keystores.list apigee.keyvaluemapentries.list apigee.keyvaluemaps.list apigee.nataddresses.list apigee.operations.list apigee.organizations.list apigee.portals.list apigee.proxies.list apigee.proxyrevisions.list apigee.queries.list apigee.rateplans.list apigee.references.list apigee.reports.list apigee.resourcefiles.list apigee.securityActions.list apigee.securityFeedback.list apigee.securityIncidents.list apigee.securityProfiles.list apigee.securityreports.list apigee. apigee.sharedflows.list apigee.targetservers.list apigee. apigee.tracesessions.list apigeeconnect.connections.list apigeeregistry. apigeeregistry.apis.list apigeeregistry. apigeeregistry. apigeeregistry.artifacts.list apigeeregistry. apigeeregistry. apigeeregistry.locations.list apigeeregistry.operations.list apigeeregistry. apigeeregistry.specs.list apigeeregistry. apigeeregistry. apigeeregistry.versions.list apigeeregistry. apihub.apis.list apihub.operations.list apihub.specs.list apihub.versions.list apikeys.keys.list appengine.instances.list appengine.memcache.list appengine.operations.list appengine.services.list appengine.versions.list apphub. apphub.applications.list apphub. apphub.discoveredServices.list apphub. apphub.locations.list apphub.operations.list apphub. apphub.services.list apphub.workloads.list applianceactivation. artifactregistry. artifactregistry.files.list artifactregistry. artifactregistry. artifactregistry. artifactregistry.packages.list artifactregistry. artifactregistry. 
artifactregistry. artifactregistry. artifactregistry.tags.list artifactregistry.versions.list assuredoss.locations.list assuredoss.metadata.list assuredoss.operations.list assuredworkloads. assuredworkloads. assuredworkloads.workload.list auditmanager.locations.list auditmanager.operations.list automl.annotationSpecs.list automl.annotations.list automl.columnSpecs.list automl.datasets.getIamPolicy automl.datasets.list automl.datasets.setIamPolicy automl.examples.list automl.files.list automl. automl.locations.getIamPolicy automl.locations.list automl.locations.setIamPolicy automl.modelEvaluations.list automl.models.getIamPolicy automl.models.list automl.models.setIamPolicy automl.operations.list automl.tableSpecs.list automlrecommendations. automlrecommendations. automlrecommendations. automlrecommendations. automlrecommendations. automlrecommendations. automlrecommendations. autoscaling.sites.getIamPolicy autoscaling.sites.setIamPolicy backupdr.locations.list backupdr. backupdr. backupdr. backupdr.operations.list baremetalsolution. baremetalsolution. baremetalsolution.luns.list baremetalsolution. baremetalsolution. baremetalsolution. baremetalsolution. baremetalsolution. baremetalsolution. baremetalsolution.skus.list baremetalsolution. baremetalsolution.sshKeys.list baremetalsolution. baremetalsolution. baremetalsolution.volumes.list baremetalsolution. batch.jobs.list batch.locations.list batch.operations.list batch.tasks.list beyondcorp. beyondcorp.appConnections.list beyondcorp. beyondcorp. beyondcorp.appConnectors.list beyondcorp. beyondcorp. beyondcorp.appGateways.list beyondcorp. beyondcorp. beyondcorp. beyondcorp. beyondcorp. beyondcorp.clientGateways.list beyondcorp. beyondcorp.locations.list beyondcorp.operations.list beyondcorp.partnerTenants.list beyondcorp.proxyConfigs.list beyondcorp.subscriptions.list biglake.catalogs.list biglake.databases.list biglake.locks.list biglake.tables.list bigquery. bigquery. bigquery.connections.list bigquery. bigquery. 
bigquery.dataPolicies.list bigquery. bigquery.datasets.getIamPolicy bigquery.datasets.setIamPolicy bigquery.jobs.list bigquery.models.list bigquery. bigquery.reservations.list bigquery.routines.list bigquery. bigquery. bigquery. bigquery.savedqueries.list bigquery.tables.getIamPolicy bigquery.tables.list bigquery.tables.setIamPolicy bigquerymigration. bigquerymigration. bigquerymigration. bigtable.appProfiles.list bigtable. bigtable.authorizedViews.list bigtable. bigtable.backups.getIamPolicy bigtable.backups.list bigtable.backups.setIamPolicy bigtable.clusters.list bigtable.hotTablets.list bigtable. bigtable.instances.list bigtable. bigtable.keyvisualizer.list bigtable.locations.list bigtable.tables.getIamPolicy bigtable.tables.list bigtable.tables.setIamPolicy billing.accounts.getIamPolicy billing.accounts.list billing.accounts.setIamPolicy billing. billing. billing. billing. billing. billing.budgets.list billing.credits.list billing. billing.subscriptions.list binaryauthorization. binaryauthorization. binaryauthorization. binaryauthorization. binaryauthorization. binaryauthorization. binaryauthorization. binaryauthorization. blockchainnodeengine. blockchainnodeengine. blockchainnodeengine. capacityplanner.forecasts.list capacityplanner. carestudio.patients.list certificatemanager. certificatemanager. certificatemanager. certificatemanager. certificatemanager. certificatemanager. certificatemanager. certificatemanager. certificatemanager.certs.list certificatemanager. certificatemanager. certificatemanager. certificatemanager. certificatemanager. certificatemanager. certificatemanager. chronicle.analyticValues.list chronicle.analytics.list chronicle.collectors.list chronicle.conversations.list chronicle. chronicle. chronicle.curatedRuleSets.list chronicle.curatedRules.list chronicle.dashboards.list chronicle. chronicle. chronicle.dataTaps.list chronicle.entities.list chronicle. chronicle. chronicle. chronicle.feeds.list chronicle. chronicle. 
chronicle.forwarders.list chronicle.iocMatches.list chronicle.logTypeSchemas.list chronicle.logTypes.list chronicle.logs.list chronicle.messages.list chronicle.operations.list chronicle. chronicle.parsers.list chronicle.parsingErrors.list chronicle.referenceLists.list chronicle.retrohunts.list chronicle.ruleDeployments.list chronicle. chronicle.rules.list chronicle.searchQueries.list chronicle. chronicle.watchlists.list clientauthconfig.brands.list clientauthconfig.clients.list cloud.locations.list cloudasset. cloudasset.feeds.list cloudasset.savedqueries.list cloudbuild.builds.list cloudbuild. cloudbuild.connections.list cloudbuild. cloudbuild.integrations.list cloudbuild.operations.list cloudbuild.repositories.list cloudbuild.workerpools.list cloudcontrolspartner. cloudcontrolspartner. cloudcontrolspartner. cloudcontrolspartner. clouddebugger.breakpoints.list clouddebugger.debuggees.list clouddeploy. clouddeploy.automations.list clouddeploy. clouddeploy. clouddeploy. clouddeploy. clouddeploy. clouddeploy. clouddeploy.jobRuns.list clouddeploy.locations.list clouddeploy.operations.list clouddeploy.releases.list clouddeploy.rollouts.list clouddeploy. clouddeploy.targets.list clouddeploy. cloudfunctions. cloudfunctions.functions.list cloudfunctions. cloudfunctions.locations.list cloudfunctions.operations.list cloudiot.devices.list cloudiot. cloudiot.registries.list cloudiot. cloudjobdiscovery. cloudkms. cloudkms. cloudkms.cryptoKeys.list cloudkms. cloudkms. cloudkms. cloudkms. cloudkms.ekmConnections.list cloudkms. cloudkms. cloudkms.importJobs.list cloudkms. cloudkms.keyRings.getIamPolicy cloudkms.keyRings.list cloudkms.keyRings.setIamPolicy cloudkms.locations.list cloudnotifications. cloudonefs.isiloncloud. cloudonefs.isiloncloud. cloudprivatecatalogproducer. cloudprivatecatalogproducer. cloudprivatecatalogproducer. cloudprivatecatalogproducer. cloudprivatecatalogproducer. cloudprivatecatalogproducer. cloudprivatecatalogproducer. cloudprivatecatalogproducer. 
cloudprivatecatalogproducer. cloudprivatecatalogproducer. cloudprivatecatalogproducer. cloudprofiler.profiles.list cloudscheduler.jobs.list cloudscheduler.locations.list cloudsecurityscanner. cloudsecurityscanner. cloudsecurityscanner. cloudsecurityscanner. cloudsql.backupRuns.list cloudsql.databases.list cloudsql.instances.list cloudsql.sslCerts.list cloudsql.users.list cloudsupport. cloudsupport.accounts.list cloudsupport. cloudsupport.techCases.list cloudtasks.locations.list cloudtasks.queues.getIamPolicy cloudtasks.queues.list cloudtasks.queues.setIamPolicy cloudtasks.tasks.list cloudtestservice. cloudtoolresults. cloudtoolresults. cloudtoolresults.steps.list cloudtrace.insights.list cloudtrace.tasks.list cloudtrace.traces.list cloudtranslate. cloudtranslate. cloudtranslate. cloudtranslate. cloudtranslate.datasets.list cloudtranslate.glossaries.list cloudtranslate. cloudtranslate.locations.list cloudtranslate.operations.list cloudvolumesgcp-api.netapp. cloudvolumesgcp-api.netapp. cloudvolumesgcp-api.netapp. cloudvolumesgcp-api.netapp. cloudvolumesgcp-api.netapp. cloudvolumesgcp-api.netapp. cloudvolumesgcp-api.netapp. cloudvolumesgcp-api.netapp. commerceagreementpublishing. commerceagreementpublishing. commercebusinessenablement. commercebusinessenablement. commercebusinessenablement. commercebusinessenablement. commercebusinessenablement. commercebusinessenablement. commerceoffercatalog. commerceoffercatalog. commerceorggovernance. commerceorggovernance. commerceorggovernance. commerceorggovernance. commerceprice.events.list commerceprice. composer.dags.list composer.environments.list composer.imageversions.list composer.operations.list composer. composer. compute.acceleratorTypes.list compute.addresses.list compute.autoscalers.list compute. compute.backendBuckets.list compute. compute. compute.backendServices.list compute. compute.commitments.list compute.diskTypes.list compute.disks.getIamPolicy compute.disks.list compute.disks.setIamPolicy compute. compute. 
compute.firewallPolicies.list compute. compute.firewalls.list compute.forwardingRules.list compute. compute. compute. compute.globalAddresses.list compute. compute. compute. compute.globalOperations.list compute. compute. compute.healthChecks.list compute.httpHealthChecks.list compute.httpsHealthChecks.list compute.images.getIamPolicy compute.images.list compute.images.setIamPolicy compute. compute.instanceGroups.list compute. compute.instanceTemplates.list compute. compute.instances.getIamPolicy compute.instances.list compute.instances.setIamPolicy compute. compute.instantSnapshots.list compute. compute. compute. compute. compute.interconnects.list compute. compute.licenseCodes.list compute. compute.licenses.getIamPolicy compute.licenses.list compute.licenses.setIamPolicy compute. compute.machineImages.list compute. compute.machineTypes.list compute. compute. compute. compute. compute. compute. compute. compute. compute. compute. compute.networks.list compute. compute.nodeGroups.list compute. compute. compute.nodeTemplates.list compute. compute.nodeTypes.list compute.packetMirrorings.list compute. compute. compute. compute. compute. compute. compute. compute. compute. compute. compute. compute. compute. compute.regionOperations.list compute. compute. compute. compute.regionSslPolicies.list compute. compute. compute. compute.regionUrlMaps.list compute.regions.list compute.reservations.list compute. compute.resourcePolicies.list compute. compute.routers.list compute.routes.list compute. compute.securityPolicies.list compute. compute. compute. compute. compute.snapshots.getIamPolicy compute.snapshots.list compute.snapshots.setIamPolicy compute.sslCertificates.list compute.sslPolicies.list compute. compute.storagePools.list compute. compute. compute.subnetworks.list compute. compute.targetGrpcProxies.list compute.targetHttpProxies.list compute. 
compute.targetInstances.list compute.targetPools.list compute.targetSslProxies.list compute.targetTcpProxies.list compute.targetVpnGateways.list compute.urlMaps.list compute.vpnGateways.list compute.vpnTunnels.list compute. compute.zoneOperations.list compute. compute.zones.list confidentialcomputing. config. config.deployments.list config. config.locations.list config.operations.list config.previews.list config.resources.list config.revisions.list config.terraformversions.list connectors.actions.list connectors. connectors.connections.list connectors. connectors.connectors.list connectors. connectors. connectors. connectors. connectors. connectors. connectors. connectors. connectors. connectors.entities.list connectors.entityTypes.list connectors. connectors.eventtypes.list connectors.locations.list connectors. connectors.managedZones.list connectors. connectors.operations.list connectors.providers.list connectors.versions.list consumerprocurement. consumerprocurement. consumerprocurement. consumerprocurement. consumerprocurement. consumerprocurement. consumerprocurement. contactcenteraiplatform. contactcenteraiplatform. contactcenteraiplatform. contactcenterinsights. contactcenterinsights. contactcenterinsights. contactcenterinsights. contactcenterinsights. contactcenterinsights. contactcenterinsights. contactcenterinsights. contactcenterinsights. container.apiServices.list container.auditSinks.list container.backendConfigs.list container.bindings.list container. container. container.clusterRoles.list container.clusters.list container. container.configMaps.list container. container.cronJobs.list container.csiDrivers.list container.csiNodeInfos.list container.csiNodes.list container. container.daemonSets.list container.deployments.list container.endpointSlices.list container.endpoints.list container.events.list container.frontendConfigs.list container. container.ingresses.list container. 
container.jobs.list container.leases.list container.limitRanges.list container. container. container. container.namespaces.list container.networkPolicies.list container.nodes.list container.operations.list container. container. container.petSets.list container. container.podPresets.list container. container.podTemplates.list container.pods.list container.priorityClasses.list container.replicaSets.list container. container.resourceQuotas.list container.roleBindings.list container.roles.list container.runtimeClasses.list container.scheduledJobs.list container. container.serviceAccounts.list container.services.list container.statefulSets.list container.storageClasses.list container.storageStates.list container. container. container. container. container.updateInfos.list container. container. container. container. container.volumeSnapshots.list containeranalysis. containeranalysis.notes.list containeranalysis. containeranalysis. containeranalysis. containeranalysis. containersecurity. containersecurity. containersecurity. containersecurity. contentwarehouse.corpora.list contentwarehouse. contentwarehouse. contentwarehouse. contentwarehouse. contentwarehouse.ruleSets.list contentwarehouse. databaseinsights. datacatalog. datacatalog. datacatalog. datacatalog.entries.list datacatalog. datacatalog. datacatalog.entryGroups.list datacatalog. datacatalog.operations.list datacatalog.relationships.list datacatalog. datacatalog. datacatalog. datacatalog.taxonomies.list datacatalog. dataconnectors. dataconnectors.connectors.list dataconnectors. dataconnectors.locations.list dataconnectors.operations.list dataflow.jobs.list dataflow.messages.list dataflow.snapshots.list dataform. dataform.locations.list dataform.releaseConfigs.list dataform. dataform.repositories.list dataform. dataform.workflowConfigs.list dataform. dataform. dataform.workspaces.list dataform. datafusion.artifacts.list datafusion. datafusion.instances.list datafusion. 
datafusion.locations.list datafusion.operations.list datafusion. datafusion.pipelines.list datafusion.profiles.list datafusion.secureKeys.list datalabeling. datalabeling. datalabeling.dataitems.list datalabeling.datasets.list datalabeling.examples.list datalabeling.instructions.list datalabeling.operations.list datalineage.events.list datalineage.processes.list datalineage.runs.list datamigration. datamigration. datamigration. datamigration. datamigration. datamigration. datamigration.locations.list datamigration. datamigration. datamigration. datamigration. datamigration. datamigration.operations.list datamigration. datamigration. datamigration. datapipelines.jobs.list datapipelines.pipelines.list dataplex. dataplex.aspectTypes.list dataplex. dataplex.assetActions.list dataplex.assets.getIamPolicy dataplex.assets.list dataplex.assets.setIamPolicy dataplex.content.getIamPolicy dataplex.content.list dataplex.content.setIamPolicy dataplex. dataplex. dataplex. dataplex. dataplex.dataAttributes.list dataplex. dataplex. dataplex.dataTaxonomies.list dataplex. dataplex. dataplex.datascans.list dataplex. dataplex.entities.list dataplex.entries.list dataplex. dataplex.entryGroups.list dataplex. dataplex. dataplex.entryTypes.list dataplex. dataplex. dataplex.environments.list dataplex. dataplex.lakeActions.list dataplex.lakes.getIamPolicy dataplex.lakes.list dataplex.lakes.setIamPolicy dataplex.locations.list dataplex.operations.list dataplex.partitions.list dataplex.tasks.getIamPolicy dataplex.tasks.list dataplex.tasks.setIamPolicy dataplex.zoneActions.list dataplex.zones.getIamPolicy dataplex.zones.list dataplex.zones.setIamPolicy dataproc.agents.list dataproc. dataproc. dataproc. dataproc.batches.list dataproc.clusters.getIamPolicy dataproc.clusters.list dataproc.clusters.setIamPolicy dataproc.jobs.getIamPolicy dataproc.jobs.list dataproc.jobs.setIamPolicy dataproc. dataproc.operations.list dataproc. dataproc.sessionTemplates.list dataproc.sessions.list dataproc. 
dataproc. dataproc. dataprocessing. dataprocessing. dataprocessing. datastore.backupSchedules.list datastore.backups.list datastore.databases.list datastore.entities.list datastore.indexes.list datastore. datastore.locations.list datastore.namespaces.list datastore.operations.list datastore.statistics.list datastream. datastream. datastream. datastream.locations.list datastream.objects.list datastream.operations.list datastream. datastream. datastream. datastream.routes.getIamPolicy datastream.routes.list datastream.routes.setIamPolicy datastream. datastream.streams.list datastream. datastudio. datastudio. datastudio. datastudio. datastudio. datastudio. deploymentmanager. deploymentmanager. deploymentmanager. deploymentmanager. deploymentmanager. deploymentmanager. deploymentmanager. deploymentmanager. deploymentmanager.types.list dialogflow.agents.list dialogflow.answerrecords.list dialogflow.callMatchers.list dialogflow.changelogs.list dialogflow.contexts.list dialogflow. dialogflow. dialogflow. dialogflow.conversations.list dialogflow.deployments.list dialogflow.documents.list dialogflow.entityTypes.list dialogflow.environments.list dialogflow.examples.list dialogflow.experiments.list dialogflow.flows.list dialogflow.generators.list dialogflow.integrations.list dialogflow.intents.list dialogflow.knowledgeBases.list dialogflow.messages.list dialogflow. dialogflow.pages.list dialogflow.participants.list dialogflow. dialogflow.phoneNumbers.list dialogflow.playbooks.list dialogflow. dialogflow. dialogflow. dialogflow.testcases.list dialogflow.tools.list dialogflow. dialogflow.versions.list dialogflow.webhooks.list discoveryengine.branches.list discoveryengine. discoveryengine. discoveryengine.controls.list discoveryengine. discoveryengine. discoveryengine.documents.list discoveryengine.engines.list discoveryengine.models.list discoveryengine. discoveryengine.schemas.list discoveryengine. discoveryengine. 
dlp.analyzeRiskTemplates.list dlp.columnDataProfiles.list dlp.connections.list dlp.deidentifyTemplates.list dlp.estimates.list dlp.inspectFindings.list dlp.inspectTemplates.list dlp.jobTriggers.list dlp.jobs.list dlp.locations.list dlp.projectDataProfiles.list dlp.storedInfoTypes.list dlp.subscriptions.list dlp.tableDataProfiles.list dns.changes.list dns.dnsKeys.list dns.managedZoneOperations.list dns.managedZones.getIamPolicy dns.managedZones.list dns.managedZones.setIamPolicy dns.policies.getIamPolicy dns.policies.list dns.policies.setIamPolicy dns.resourceRecordSets.list dns.responsePolicies.list dns.responsePolicyRules.list documentai. documentai.evaluations.list documentai.labelerPools.list documentai.locations.list documentai.processorTypes.list documentai. documentai.processors.list domains.locations.list domains.operations.list domains. domains.registrations.list domains. earthengine. earthengine.assets.list earthengine. earthengine.operations.list edgecontainer. edgecontainer.clusters.list edgecontainer. edgecontainer.locations.list edgecontainer. edgecontainer.machines.list edgecontainer. edgecontainer. edgecontainer.nodePools.list edgecontainer. edgecontainer.operations.list edgecontainer. edgecontainer. edgecontainer. edgenetwork. edgenetwork. edgenetwork. edgenetwork. edgenetwork.interconnects.list edgenetwork. edgenetwork.locations.list edgenetwork. edgenetwork.networks.list edgenetwork. edgenetwork.operations.list edgenetwork. edgenetwork.routers.list edgenetwork. edgenetwork.routes.list edgenetwork. edgenetwork.subnetworks.list edgenetwork. edgenetwork.zones.list enterpriseknowledgegraph. enterprisepurchasing. enterprisepurchasing. enterprisepurchasing. enterprisepurchasing. errorreporting. errorreporting. errorreporting.groups.list essentialcontacts. eventarc. eventarc. eventarc. 
eventarc.channels.getIamPolicy eventarc.channels.list eventarc.channels.setIamPolicy eventarc.locations.list eventarc.operations.list eventarc.providers.list eventarc.triggers.getIamPolicy eventarc.triggers.list eventarc.triggers.setIamPolicy fcmdata.deliverydata.list file.backups.list file.instances.list file.locations.list file.operations.list financialservices. financialservices. financialservices. financialservices. financialservices. financialservices. financialservices. financialservices. financialservices. firebase.clients.list firebase.links.list firebase.playLinks.list firebaseabt.experiments.list firebaseappdistro.groups.list firebaseappdistro. firebaseappdistro.testers.list firebasecrashlytics. firebasedatabase. firebasedynamiclinks. firebasedynamiclinks. firebasedynamiclinks. firebaseextensions. firebaseextensionspublisher. firebasehosting.sites.list firebaseinappmessaging. firebasemessagingcampaigns. firebaseml.models.list firebaseml.modelversions.list firebasenotifications. firebaserules.releases.list firebaserules.rulesets.list firebasestorage.buckets.list fleetengine. fleetengine.tasks.list fleetengine.vehicles.list gcp.redisenterprise. gcp.redisenterprise. gdchardwaremanagement. gdchardwaremanagement. gdchardwaremanagement. gdchardwaremanagement. gdchardwaremanagement. gdchardwaremanagement. gdchardwaremanagement. gdchardwaremanagement. gdchardwaremanagement. gdchardwaremanagement. genomics.datasets.getIamPolicy genomics.datasets.list genomics.datasets.setIamPolicy genomics.operations.list gkebackup. gkebackup.backupPlans.list gkebackup. gkebackup.backups.list gkebackup.locations.list gkebackup.operations.list gkebackup. gkebackup.restorePlans.list gkebackup. gkebackup.restores.list gkebackup.volumeBackups.list gkebackup.volumeRestores.list gkehub.features.getIamPolicy gkehub.features.list gkehub.features.setIamPolicy gkehub.gateway.getIamPolicy gkehub.gateway.setIamPolicy gkehub.locations.list gkehub.membershipbindings.list gkehub. 
gkehub.memberships.list gkehub. gkehub.namespaces.list gkehub.operations.list gkehub.rbacrolebindings.list gkehub.scopes.getIamPolicy gkehub.scopes.list gkehub.scopes.setIamPolicy gkemulticloud. gkemulticloud.awsClusters.list gkemulticloud. gkemulticloud. gkemulticloud. gkemulticloud. gkemulticloud.operations.list gkeonprem. gkeonprem. gkeonprem. gkeonprem. gkeonprem. gkeonprem. gkeonprem. gkeonprem. gkeonprem. gkeonprem.locations.list gkeonprem.operations.list gkeonprem. gkeonprem. gkeonprem. gkeonprem. gkeonprem.vmwareClusters.list gkeonprem. gkeonprem. gkeonprem.vmwareNodePools.list gkeonprem. gsuiteaddons.deployments.list healthcare. healthcare. healthcare. healthcare.annotations.list healthcare. healthcare. healthcare. healthcare.consentStores.list healthcare. healthcare.consents.list healthcare. healthcare.datasets.list healthcare. healthcare. healthcare.dicomStores.list healthcare. healthcare. healthcare.fhirStores.list healthcare. healthcare.hl7V2Messages.list healthcare. healthcare.hl7V2Stores.list healthcare. healthcare.locations.list healthcare.operations.list healthcare. iam.denypolicies.list iam.googleapis. iam.googleapis. iam.googleapis. iam.googleapis. iam.googleapis. iam.googleapis. iam.googleapis. iam.googleapis. iam.roles.get iam.roles.list iam.serviceAccountKeys.list iam.serviceAccounts.get iam. iam.serviceAccounts.list iam. iap.tunnel.* iap. iap.tunnelDestGroups.list iap. iap. iap. iap.tunnelLocations.* iap.tunnelZones.* iap.web.getIamPolicy iap.web.setIamPolicy iap. iap. iap.webServices.getIamPolicy iap.webServices.setIamPolicy iap.webTypes.getIamPolicy iap.webTypes.setIamPolicy identitytoolkit. identitytoolkit.tenants.list identitytoolkit. ids.endpoints.getIamPolicy ids.endpoints.list ids.endpoints.setIamPolicy ids.locations.list ids.operations.list integrations. integrations. integrations. integrations. integrations. integrations. integrations. integrations. 
integrations.authConfigs.list integrations.certificates.list integrations.executions.list integrations. integrations.integrations.list integrations. integrations. integrations. integrations. integrations. integrations.sfdcChannels.list integrations. integrations.suspensions.list issuerswitch. issuerswitch. issuerswitch. issuerswitch. issuerswitch. issuerswitch.operations.list issuerswitch.ruleMetadata.list issuerswitch. issuerswitch.rules.list krmapihosting. krmapihosting.krmApiHosts.list krmapihosting. krmapihosting.locations.list krmapihosting.operations.list lifesciences.operations.list livestream.assets.list livestream.channels.list livestream.events.list livestream.inputs.list livestream.locations.list livestream.operations.list logging.buckets.list logging.exclusions.list logging.links.list logging.locations.list logging.logEntries.list logging.logMetrics.list logging.logServiceIndexes.list logging.logServices.list logging.logs.list logging.notificationRules.list logging.operations.list logging.privateLogEntries.list logging.queries.list logging.sinks.list logging.views.list looker.backups.list looker.instances.list looker.locations.list looker.operations.list managedidentities. managedidentities.backups.list managedidentities. managedidentities. managedidentities.domains.list managedidentities. managedidentities. managedidentities. managedidentities. managedidentities. managedidentities. managedidentities. mapsadmin.clientMaps.list mapsadmin. mapsadmin.clientStyles.list mapsadmin.styleSnapshots.list mapsanalytics. mapsplatformdatasets. marketplacesolutions. marketplacesolutions. marketplacesolutions. marketplacesolutions. marketplacesolutions. marketplacesolutions. marketplacesolutions. memcache.instances.list memcache.locations.list memcache.operations.list metastore.backups.getIamPolicy metastore.backups.list metastore.backups.setIamPolicy metastore. metastore.databases.list metastore. metastore. metastore.federations.list metastore. 
metastore.imports.list metastore.locations.list metastore.migrations.list metastore.operations.list metastore. metastore.services.list metastore. metastore.tables.getIamPolicy metastore.tables.list metastore.tables.setIamPolicy migrationcenter.assets.list migrationcenter. migrationcenter. migrationcenter.groups.list migrationcenter. migrationcenter. migrationcenter.locations.list migrationcenter. migrationcenter. migrationcenter. migrationcenter.reports.list migrationcenter.sources.list ml.jobs.getIamPolicy ml.jobs.list ml.jobs.setIamPolicy ml.locations.list ml.models.getIamPolicy ml.models.list ml.models.setIamPolicy ml.operations.list ml.studies.getIamPolicy ml.studies.list ml.studies.setIamPolicy ml.trials.list ml.versions.list monitoring.alertPolicies.list monitoring.dashboards.list monitoring.groups.list monitoring. monitoring. monitoring. monitoring. monitoring.publicWidgets.list monitoring.services.list monitoring.slos.list monitoring.snoozes.list monitoring.timeSeries.list monitoring. netapp.activeDirectories.list netapp.backupPolicies.list netapp.backupVaults.list netapp.backups.list netapp.kmsConfigs.list netapp.replications.list netapp.snapshots.list netapp.storagePools.list netapp.volumes.list networkconnectivity. networkconnectivity. networkconnectivity. networkconnectivity. networkconnectivity. networkconnectivity. networkconnectivity. networkconnectivity. networkconnectivity. networkconnectivity. networkconnectivity.hubs.list networkconnectivity. networkconnectivity. networkconnectivity. networkconnectivity. networkconnectivity. networkconnectivity. networkconnectivity. networkconnectivity. networkconnectivity. networkconnectivity. networkconnectivity. networkconnectivity. networkconnectivity. networkconnectivity. networkconnectivity. networkconnectivity. networkmanagement. networkmanagement. networkmanagement. networkmanagement. networkmanagement. networksecurity. networksecurity. networksecurity. networksecurity. networksecurity. networksecurity. 
networksecurity. networksecurity. networksecurity. networksecurity. networksecurity. networksecurity. networksecurity. networksecurity.locations.list networksecurity. networksecurity. networksecurity. networksecurity. networksecurity. networksecurity. networksecurity. networksecurity.urlLists.list networkservices. networkservices. networkservices. networkservices. networkservices. networkservices. networkservices.gateways.list networkservices. networkservices. networkservices. networkservices. networkservices. networkservices. networkservices. networkservices. networkservices. networkservices. networkservices. networkservices. networkservices. networkservices. networkservices.locations.list networkservices. networkservices.meshes.list networkservices. networkservices. networkservices. networkservices. networkservices. networkservices.tcpRoutes.list networkservices. networkservices.tlsRoutes.list notebooks. notebooks.environments.list notebooks. notebooks. notebooks.executions.list notebooks. notebooks. notebooks.instances.list notebooks. notebooks.locations.list notebooks.operations.list notebooks. notebooks.runtimes.list notebooks. notebooks. notebooks.schedules.list notebooks. ondemandscanning. opsconfigmonitoring. orgpolicy.constraints.list orgpolicy. orgpolicy.policies.list osconfig.guestPolicies.list osconfig. osconfig.inventories.list osconfig. osconfig. osconfig.patchDeployments.list osconfig.patchJobs.list osconfig.upgradeReports.list osconfig. paymentsresellersubscription. paymentsresellersubscription. policyremediatormanager. policyremediatormanager. policysimulator. policysimulator. policysimulator. policysimulator.replays.* privateca.caPools.getIamPolicy privateca.caPools.list privateca.caPools.setIamPolicy privateca. privateca. privateca. privateca. privateca. privateca. privateca. privateca. privateca. privateca. privateca.certificates.list privateca. privateca.locations.list privateca.operations.list privateca. 
privateca.reusableConfigs.list privateca. privilegedaccessmanager. privilegedaccessmanager. privilegedaccessmanager. privilegedaccessmanager. privilegedaccessmanager. proximitybeacon. proximitybeacon. proximitybeacon.beacons.list proximitybeacon. proximitybeacon. proximitybeacon. proximitybeacon. pubsub.schemas.getIamPolicy pubsub.schemas.list pubsub.schemas.setIamPolicy pubsub.snapshots.getIamPolicy pubsub.snapshots.list pubsub.snapshots.setIamPolicy pubsub. pubsub.subscriptions.list pubsub. pubsub.topics.getIamPolicy pubsub.topics.list pubsub.topics.setIamPolicy pubsublite.operations.list pubsublite.reservations.list pubsublite.subscriptions.list pubsublite.topics.list recaptchaenterprise.keys.list recaptchaenterprise. recaptchaenterprise. recommender. recommender. recommender. recommender. recommender. recommender. recommender. recommender. recommender. recommender. recommender. recommender. recommender. recommender. recommender. recommender. recommender. recommender. recommender. recommender. recommender. recommender. recommender. recommender. recommender. recommender. recommender. recommender. recommender. recommender. recommender. recommender. recommender. recommender. recommender. recommender. recommender. recommender. recommender. recommender. recommender. recommender. recommender. recommender. recommender. recommender. recommender. recommender. recommender. recommender. recommender. recommender. recommender. recommender. recommender. recommender. recommender. recommender. recommender. recommender. recommender. recommender. recommender. recommender. recommender.costInsights.list recommender. recommender. recommender. recommender. recommender. recommender. recommender. recommender. recommender. recommender. recommender. recommender. recommender. recommender. recommender. recommender. recommender. recommender. recommender. recommender.locations.list recommender. recommender. recommender. recommender. recommender. recommender. recommender. recommender. 
recommender. recommender. recommender. recommender. recommender. recommender. recommender. recommender. recommender. recommender. recommender. recommender. recommender. recommender. recommender. recommender. recommender. recommender. recommender. recommender. recommender. redis.clusters.list redis.instances.list redis.locations.list redis.operations.list remotebuildexecution. remotebuildexecution. resourcemanager. resourcemanager.folders.list resourcemanager. resourcemanager. resourcemanager. resourcemanager. resourcemanager. resourcemanager.projects.list resourcemanager. resourcemanager.tagHolds.list resourcemanager. resourcemanager.tagKeys.list resourcemanager. resourcemanager. resourcemanager.tagValues.list resourcemanager. resourcesettings.settings.list retail.catalogs.list retail.controls.list retail.experiments.list retail.models.list retail.operations.list retail.products.list retail.servingConfigs.list riskmanager. riskmanager.operations.list riskmanager.policies.list riskmanager.reports.list rma.collectors.list rma.locations.list rma.operations.list run.configurations.list run.executions.list run.jobs.getIamPolicy run.jobs.list run.jobs.setIamPolicy run.locations.list run.operations.list run.revisions.list run.routes.list run.services.getIamPolicy run.services.list run.services.setIamPolicy run.tasks.list runapps.applications.list runapps.deployments.list runapps.locations.list runapps.operations.list runtimeconfig. runtimeconfig.configs.list runtimeconfig. runtimeconfig.operations.list runtimeconfig. runtimeconfig.variables.list runtimeconfig. runtimeconfig. runtimeconfig.waiters.list runtimeconfig. secretmanager.locations.list secretmanager. secretmanager.secrets.list secretmanager. secretmanager.versions.list securedlandingzone. securesourcemanager. securesourcemanager. securesourcemanager. securesourcemanager. securesourcemanager. securesourcemanager. securesourcemanager. securesourcemanager. securesourcemanager. 
securitycenter.assets.list securitycenter. securitycenter. securitycenter. securitycenter. securitycenter.findings.list securitycenter. securitycenter. securitycenter. securitycenter. securitycenter. securitycenter.sources.list securitycenter. securitycenter. securitycentermanagement. securitycentermanagement. securitycentermanagement. securitycentermanagement. securitycentermanagement. securityposture.locations.list securityposture. securityposture. securityposture. securityposture.postures.list servicebroker. servicebroker. servicebroker.bindings.list servicebroker. servicebroker. servicebroker.catalogs.list servicebroker. servicebroker. servicebroker. servicebroker.instances.list servicebroker. serviceconsumermanagement. servicedirectory. servicedirectory. servicedirectory. servicedirectory. servicedirectory. servicedirectory. servicedirectory. servicedirectory. servicedirectory.services.list servicedirectory. servicehealth.events.list servicehealth.locations.list servicehealth. servicehealth. servicemanagement. servicemanagement. servicemanagement. servicenetworking. servicesecurityinsights. servicesecurityinsights. servicesecurityinsights. serviceusage.operations.list serviceusage.services.list source.repos.getIamPolicy source.repos.list source.repos.setIamPolicy spanner.backupOperations.list spanner.backups.getIamPolicy spanner.backups.list spanner.backups.setIamPolicy spanner. spanner.databaseRoles.list spanner.databases.getIamPolicy spanner.databases.list spanner.databases.setIamPolicy spanner. spanner.instanceConfigs.list spanner. spanner.instances.getIamPolicy spanner.instances.list spanner.instances.setIamPolicy spanner.sessions.list speakerid.phrases.list speakerid.speakers.list speech.customClasses.list speech.locations.list speech.operations.list speech.phraseSets.list speech.recognizers.list stackdriver. 
storage.anywhereCaches.list storage.bucketOperations.list storage.buckets.getIamPolicy storage.buckets.list storage.buckets.setIamPolicy storage.hmacKeys.list storage. storage.managedFolders.list storage. storage.multipartUploads.list storage.objects.getIamPolicy storage.objects.list storage.objects.setIamPolicy storageinsights. storageinsights.locations.list storageinsights. storageinsights. storageinsights. storagetransfer. storagetransfer.jobs.list storagetransfer. stream.locations.list stream.operations.list stream.streamContents.list stream.streamInstances.list telcoautomation. telcoautomation. telcoautomation.edgeSlms.list telcoautomation. telcoautomation.locations.list telcoautomation. telcoautomation. telcoautomation. timeseriesinsights. timeseriesinsights. tpu.acceleratortypes.list tpu.locations.list tpu.nodes.list tpu.operations.list tpu.runtimeversions.list tpu.tensorflowversions.list transcoder.jobTemplates.list transcoder.jobs.list transferappliance. transferappliance. transferappliance. transferappliance.orders.list transferappliance. translationhub.portals.list videostitcher.cdnKeys.list videostitcher. videostitcher.liveConfigs.list videostitcher.slates.list videostitcher. videostitcher. visionai.analyses.getIamPolicy visionai.analyses.list visionai.analyses.setIamPolicy visionai.annotations.list visionai.applications.list visionai.assets.list visionai.clusters.getIamPolicy visionai.clusters.list visionai.clusters.setIamPolicy visionai.corpora.list visionai.dataSchemas.list visionai.drafts.list visionai.events.getIamPolicy visionai.events.list visionai.events.setIamPolicy visionai.indexEndpoints.list visionai.indexes.list visionai.instances.list visionai.locations.list visionai.operations.list visionai. visionai.operators.list visionai. 
visionai.processors.list visionai.searchConfigs.list visionai.series.getIamPolicy visionai.series.list visionai.series.setIamPolicy visionai.streams.getIamPolicy visionai.streams.list visionai.streams.setIamPolicy visionai.uistreams.list visualinspection. visualinspection. visualinspection. visualinspection.datasets.list visualinspection.images.list visualinspection. visualinspection. visualinspection.models.list visualinspection.modules.list visualinspection. visualinspection. visualinspection. vmmigration.cloneJobs.list vmmigration.cutoverJobs.list vmmigration. vmmigration.deployments.list vmmigration.groups.list vmmigration.locations.list vmmigration.migratingVms.list vmmigration.operations.list vmmigration. vmmigration.sources.list vmmigration.targets.list vmmigration. vmwareengine. vmwareengine.clusters.list vmwareengine. vmwareengine. vmwareengine. vmwareengine. vmwareengine. vmwareengine. vmwareengine.locations.list vmwareengine. vmwareengine. vmwareengine. vmwareengine. vmwareengine.nodeTypes.list vmwareengine.nodes.list vmwareengine.operations.list vmwareengine. vmwareengine. vmwareengine. vmwareengine. vmwareengine.subnets.list vmwareengine. vpcaccess.connectors.list vpcaccess.locations.list vpcaccess.operations.list workflows.callbacks.list workflows.executions.list workflows.locations.list workflows.operations.list workflows.stepEntries.list workflows.workflows.list workloadcertificate. workloadcertificate. workloadcertificate. workloadmanager. workloadmanager. workloadmanager. workloadmanager. workloadmanager.locations.list workloadmanager. workloadmanager.results.list workloadmanager.rules.list workstations. workstations. workstations. workstations. workstations. workstations.workstations.list workstations. |
Security Reviewer
Provides permissions to list all resources and allow policies on them. |
accessapproval.requests.list accesscontextmanager. accesscontextmanager. accesscontextmanager. accesscontextmanager. accesscontextmanager. accesscontextmanager. actions.agentVersions.list advisorynotifications. aiplatform. aiplatform.annotations.list aiplatform.artifacts.list aiplatform. aiplatform.contexts.list aiplatform.customJobs.list aiplatform.dataItems.list aiplatform. aiplatform. aiplatform.datasets.list aiplatform. aiplatform. aiplatform.edgeDevices.list aiplatform. aiplatform.endpoints.list aiplatform. aiplatform.entityTypes.list aiplatform.executions.list aiplatform.extensions.list aiplatform.featureGroups.list aiplatform. aiplatform. aiplatform.featureViews.list aiplatform.features.list aiplatform. aiplatform.featurestores.list aiplatform. aiplatform. aiplatform.indexEndpoints.list aiplatform.indexes.list aiplatform.locations.list aiplatform. aiplatform.metadataStores.list aiplatform. aiplatform. aiplatform. aiplatform.models.list aiplatform.nasJobs.list aiplatform. aiplatform. aiplatform. aiplatform. aiplatform.operations.list aiplatform. aiplatform.pipelineJobs.list aiplatform.schedules.list aiplatform. aiplatform.studies.list aiplatform. aiplatform. aiplatform. aiplatform.tensorboards.list aiplatform. aiplatform.trials.list alloydb.backups.list alloydb.clusters.list alloydb.databases.list alloydb.instances.list alloydb.locations.list alloydb.operations.list alloydb. alloydb.users.list analyticshub. analyticshub. analyticshub. analyticshub.listings.list analyticshub. apigateway. apigateway.apiconfigs.list apigateway.apis.getIamPolicy apigateway.apis.list apigateway. apigateway.gateways.list apigateway.locations.list apigateway.operations.list apigee. apigee.apiproducts.list apigee.appgroupapps.list apigee.appgroups.list apigee.apps.list apigee.archivedeployments.list apigee.caches.list apigee.datacollectors.list apigee.datastores.list apigee.deployments.list apigee. apigee.developerapps.list apigee. apigee.developers.list apigee. apigee. apigee. 
apigee.envgroups.list apigee. apigee.environments.list apigee.exports.list apigee.flowhooks.list apigee.hostqueries.list apigee. apigee. apigee.instances.list apigee.keystorealiases.list apigee.keystores.list apigee.keyvaluemapentries.list apigee.keyvaluemaps.list apigee.nataddresses.list apigee.operations.list apigee.organizations.list apigee.portals.list apigee.proxies.list apigee.proxyrevisions.list apigee.queries.list apigee.rateplans.list apigee.references.list apigee.reports.list apigee.resourcefiles.list apigee.securityActions.list apigee.securityFeedback.list apigee.securityIncidents.list apigee.securityProfiles.list apigee.securityreports.list apigee. apigee.sharedflows.list apigee.targetservers.list apigee. apigee.tracesessions.list apigeeconnect.connections.list apigeeregistry. apigeeregistry.apis.list apigeeregistry. apigeeregistry.artifacts.list apigeeregistry. apigeeregistry.locations.list apigeeregistry.operations.list apigeeregistry. apigeeregistry.specs.list apigeeregistry. apigeeregistry.versions.list apihub.apis.list apihub.operations.list apihub.specs.list apihub.versions.list apikeys.keys.list appengine.instances.list appengine.memcache.list appengine.operations.list appengine.services.list appengine.versions.list apphub. apphub.applications.list apphub.discoveredServices.list apphub. apphub.locations.list apphub.operations.list apphub. apphub.services.list apphub.workloads.list applianceactivation. artifactregistry. artifactregistry.files.list artifactregistry. artifactregistry. artifactregistry. artifactregistry.packages.list artifactregistry. artifactregistry. artifactregistry. artifactregistry.tags.list artifactregistry.versions.list assuredoss.locations.list assuredoss.metadata.list assuredoss.operations.list assuredworkloads. assuredworkloads. 
assuredworkloads.workload.list auditmanager.locations.list auditmanager.operations.list automl.annotationSpecs.list automl.annotations.list automl.columnSpecs.list automl.datasets.getIamPolicy automl.datasets.list automl.examples.list automl.files.list automl. automl.locations.getIamPolicy automl.locations.list automl.modelEvaluations.list automl.models.getIamPolicy automl.models.list automl.operations.list automl.tableSpecs.list automlrecommendations. automlrecommendations. automlrecommendations. automlrecommendations. automlrecommendations. automlrecommendations. automlrecommendations. autoscaling.sites.getIamPolicy backupdr.locations.list backupdr. backupdr. backupdr.operations.list baremetalsolution. baremetalsolution. baremetalsolution.luns.list baremetalsolution. baremetalsolution. baremetalsolution. baremetalsolution. baremetalsolution. baremetalsolution. baremetalsolution.skus.list baremetalsolution. baremetalsolution.sshKeys.list baremetalsolution. baremetalsolution. baremetalsolution.volumes.list baremetalsolution. batch.jobs.list batch.locations.list batch.operations.list batch.tasks.list beyondcorp. beyondcorp.appConnections.list beyondcorp. beyondcorp.appConnectors.list beyondcorp. beyondcorp.appGateways.list beyondcorp. beyondcorp. beyondcorp. beyondcorp.clientGateways.list beyondcorp.locations.list beyondcorp.operations.list beyondcorp.partnerTenants.list beyondcorp.proxyConfigs.list beyondcorp.subscriptions.list biglake.catalogs.list biglake.databases.list biglake.locks.list biglake.tables.list bigquery. bigquery. bigquery.connections.list bigquery. bigquery.dataPolicies.list bigquery.datasets.getIamPolicy bigquery.jobs.list bigquery.models.list bigquery. bigquery.reservations.list bigquery.routines.list bigquery. bigquery. bigquery.savedqueries.list bigquery.tables.getIamPolicy bigquery.tables.list bigquerymigration. bigquerymigration. bigquerymigration. bigtable.appProfiles.list bigtable. 
bigtable.authorizedViews.list bigtable.backups.getIamPolicy bigtable.backups.list bigtable.clusters.list bigtable.hotTablets.list bigtable. bigtable.instances.list bigtable.keyvisualizer.list bigtable.locations.list bigtable.tables.getIamPolicy bigtable.tables.list billing.accounts.getIamPolicy billing.accounts.list billing. billing. billing. billing. billing. billing.budgets.list billing.credits.list billing. billing.subscriptions.list binaryauthorization. binaryauthorization. binaryauthorization. binaryauthorization. binaryauthorization. blockchainnodeengine. blockchainnodeengine. blockchainnodeengine. capacityplanner.forecasts.list capacityplanner. carestudio.patients.list certificatemanager. certificatemanager. certificatemanager. certificatemanager. certificatemanager. certificatemanager. certificatemanager.certs.list certificatemanager. certificatemanager. certificatemanager. certificatemanager. certificatemanager. chronicle.analyticValues.list chronicle.analytics.list chronicle.collectors.list chronicle.conversations.list chronicle. chronicle. chronicle.curatedRuleSets.list chronicle.curatedRules.list chronicle.dashboards.list chronicle. chronicle. chronicle.dataTaps.list chronicle.entities.list chronicle. chronicle. chronicle. chronicle.feeds.list chronicle. chronicle. chronicle.forwarders.list chronicle.iocMatches.list chronicle.logTypeSchemas.list chronicle.logTypes.list chronicle.logs.list chronicle.messages.list chronicle.operations.list chronicle. chronicle.parsers.list chronicle.parsingErrors.list chronicle.referenceLists.list chronicle.retrohunts.list chronicle.ruleDeployments.list chronicle. chronicle.rules.list chronicle.searchQueries.list chronicle. chronicle.watchlists.list clientauthconfig.brands.list clientauthconfig.clients.list cloud.locations.list cloudasset.feeds.list cloudasset.savedqueries.list cloudbuild.builds.list cloudbuild. 
cloudbuild.connections.list cloudbuild.integrations.list cloudbuild.operations.list cloudbuild.repositories.list cloudbuild.workerpools.list cloudcontrolspartner. cloudcontrolspartner. cloudcontrolspartner. cloudcontrolspartner. clouddebugger.breakpoints.list clouddebugger.debuggees.list clouddeploy. clouddeploy.automations.list clouddeploy. clouddeploy. clouddeploy. clouddeploy. clouddeploy.jobRuns.list clouddeploy.locations.list clouddeploy.operations.list clouddeploy.releases.list clouddeploy.rollouts.list clouddeploy. clouddeploy.targets.list cloudfunctions. cloudfunctions.functions.list cloudfunctions.locations.list cloudfunctions.operations.list cloudiot.devices.list cloudiot. cloudiot.registries.list cloudjobdiscovery. cloudkms. cloudkms. cloudkms.cryptoKeys.list cloudkms. cloudkms. cloudkms.ekmConnections.list cloudkms. cloudkms.importJobs.list cloudkms.keyRings.getIamPolicy cloudkms.keyRings.list cloudkms.locations.list cloudnotifications. cloudonefs.isiloncloud. cloudonefs.isiloncloud. cloudprivatecatalogproducer. cloudprivatecatalogproducer. cloudprivatecatalogproducer. cloudprivatecatalogproducer. cloudprivatecatalogproducer. cloudprivatecatalogproducer. cloudprivatecatalogproducer. cloudprivatecatalogproducer. cloudprofiler.profiles.list cloudscheduler.jobs.list cloudscheduler.locations.list cloudsecurityscanner. cloudsecurityscanner. cloudsecurityscanner. cloudsecurityscanner. cloudsql.backupRuns.list cloudsql.databases.list cloudsql.instances.list cloudsql.sslCerts.list cloudsql.users.list cloudsupport. cloudsupport.accounts.list cloudsupport.techCases.list cloudtasks.locations.list cloudtasks.queues.getIamPolicy cloudtasks.queues.list cloudtasks.tasks.list cloudtestservice. cloudtoolresults. cloudtoolresults. cloudtoolresults.steps.list cloudtrace.insights.list cloudtrace.tasks.list cloudtrace.traces.list cloudtranslate. cloudtranslate. cloudtranslate. cloudtranslate. cloudtranslate.datasets.list cloudtranslate.glossaries.list cloudtranslate. 
cloudtranslate.locations.list cloudtranslate.operations.list cloudvolumesgcp-api.netapp. cloudvolumesgcp-api.netapp. cloudvolumesgcp-api.netapp. cloudvolumesgcp-api.netapp. cloudvolumesgcp-api.netapp. cloudvolumesgcp-api.netapp. cloudvolumesgcp-api.netapp. cloudvolumesgcp-api.netapp. commerceagreementpublishing. commerceagreementpublishing. commercebusinessenablement. commercebusinessenablement. commercebusinessenablement. commercebusinessenablement. commercebusinessenablement. commercebusinessenablement. commerceoffercatalog. commerceoffercatalog. commerceorggovernance. commerceorggovernance. commerceorggovernance. commerceorggovernance. commerceprice.events.list commerceprice. composer.dags.list composer.environments.list composer.imageversions.list composer.operations.list composer. composer. compute.acceleratorTypes.list compute.addresses.list compute.autoscalers.list compute. compute.backendBuckets.list compute. compute.backendServices.list compute.commitments.list compute.diskTypes.list compute.disks.getIamPolicy compute.disks.list compute. compute. compute.firewallPolicies.list compute.firewalls.list compute.forwardingRules.list compute. compute. compute.globalAddresses.list compute. compute. compute. compute.globalOperations.list compute. compute.healthChecks.list compute.httpHealthChecks.list compute.httpsHealthChecks.list compute.images.getIamPolicy compute.images.list compute. compute.instanceGroups.list compute. compute.instanceTemplates.list compute.instances.getIamPolicy compute.instances.list compute. compute.instantSnapshots.list compute. compute. compute. compute.interconnects.list compute. compute.licenseCodes.list compute.licenses.getIamPolicy compute.licenses.list compute. compute.machineImages.list compute.machineTypes.list compute. compute. compute. compute. compute. compute. compute. compute.networks.list compute. compute.nodeGroups.list compute. compute.nodeTemplates.list compute.nodeTypes.list compute.packetMirrorings.list compute. compute. 
compute. compute. compute. compute. compute. compute. compute. compute. compute. compute.regionOperations.list compute. compute. compute.regionSslPolicies.list compute. compute. compute. compute.regionUrlMaps.list compute.regions.list compute.reservations.list compute. compute.resourcePolicies.list compute.routers.list compute.routes.list compute. compute.securityPolicies.list compute. compute. compute.snapshots.getIamPolicy compute.snapshots.list compute.sslCertificates.list compute.sslPolicies.list compute. compute.storagePools.list compute. compute.subnetworks.list compute.targetGrpcProxies.list compute.targetHttpProxies.list compute. compute.targetInstances.list compute.targetPools.list compute.targetSslProxies.list compute.targetTcpProxies.list compute.targetVpnGateways.list compute.urlMaps.list compute.vpnGateways.list compute.vpnTunnels.list compute. compute.zoneOperations.list compute.zones.list confidentialcomputing. config. config.deployments.list config.locations.list config.operations.list config.previews.list config.resources.list config.revisions.list config.terraformversions.list connectors.actions.list connectors. connectors.connections.list connectors.connectors.list connectors. connectors. connectors. connectors. connectors. connectors. connectors.entities.list connectors.entityTypes.list connectors. connectors.eventtypes.list connectors.locations.list connectors. connectors.managedZones.list connectors.operations.list connectors.providers.list connectors.versions.list consumerprocurement. consumerprocurement. consumerprocurement. consumerprocurement. consumerprocurement. consumerprocurement. consumerprocurement. contactcenteraiplatform. contactcenteraiplatform. contactcenteraiplatform. contactcenterinsights. contactcenterinsights. contactcenterinsights. contactcenterinsights. contactcenterinsights. contactcenterinsights. contactcenterinsights. contactcenterinsights. contactcenterinsights. 
container.apiServices.list container.auditSinks.list container.backendConfigs.list container.bindings.list container. container. container.clusterRoles.list container.clusters.list container. container.configMaps.list container. container.cronJobs.list container.csiDrivers.list container.csiNodeInfos.list container.csiNodes.list container. container.daemonSets.list container.deployments.list container.endpointSlices.list container.endpoints.list container.events.list container.frontendConfigs.list container. container.ingresses.list container. container.jobs.list container.leases.list container.limitRanges.list container. container. container. container.namespaces.list container.networkPolicies.list container.nodes.list container.operations.list container. container. container.petSets.list container. container.podPresets.list container. container.podTemplates.list container.pods.list container.priorityClasses.list container.replicaSets.list container. container.resourceQuotas.list container.roleBindings.list container.roles.list container.runtimeClasses.list container.scheduledJobs.list container. container.serviceAccounts.list container.services.list container.statefulSets.list container.storageClasses.list container.storageStates.list container. container. container. container. container.updateInfos.list container. container. container. container. container.volumeSnapshots.list containeranalysis. containeranalysis.notes.list containeranalysis. containeranalysis. containersecurity. containersecurity. containersecurity. containersecurity. contentwarehouse.corpora.list contentwarehouse. contentwarehouse. contentwarehouse. contentwarehouse.ruleSets.list contentwarehouse. databaseinsights. datacatalog. datacatalog. datacatalog.entries.list datacatalog. datacatalog.entryGroups.list datacatalog.operations.list datacatalog.relationships.list datacatalog. datacatalog. datacatalog.taxonomies.list dataconnectors. 
dataconnectors.connectors.list dataconnectors.locations.list dataconnectors.operations.list dataflow.jobs.list dataflow.messages.list dataflow.snapshots.list dataform. dataform.locations.list dataform.releaseConfigs.list dataform. dataform.repositories.list dataform.workflowConfigs.list dataform. dataform. dataform.workspaces.list datafusion.artifacts.list datafusion. datafusion.instances.list datafusion.locations.list datafusion.operations.list datafusion. datafusion.pipelines.list datafusion.profiles.list datafusion.secureKeys.list datalabeling. datalabeling. datalabeling.dataitems.list datalabeling.datasets.list datalabeling.examples.list datalabeling.instructions.list datalabeling.operations.list datalineage.events.list datalineage.processes.list datalineage.runs.list datamigration. datamigration. datamigration. datamigration. datamigration.locations.list datamigration. datamigration. datamigration. datamigration.operations.list datamigration. datamigration. datapipelines.jobs.list datapipelines.pipelines.list dataplex. dataplex.aspectTypes.list dataplex.assetActions.list dataplex.assets.getIamPolicy dataplex.assets.list dataplex.content.getIamPolicy dataplex.content.list dataplex. dataplex. dataplex. dataplex.dataAttributes.list dataplex. dataplex.dataTaxonomies.list dataplex. dataplex.datascans.list dataplex.entities.list dataplex.entries.list dataplex. dataplex.entryGroups.list dataplex. dataplex.entryTypes.list dataplex. dataplex.environments.list dataplex.lakeActions.list dataplex.lakes.getIamPolicy dataplex.lakes.list dataplex.locations.list dataplex.operations.list dataplex.partitions.list dataplex.tasks.getIamPolicy dataplex.tasks.list dataplex.zoneActions.list dataplex.zones.getIamPolicy dataplex.zones.list dataproc.agents.list dataproc. dataproc. dataproc.batches.list dataproc.clusters.getIamPolicy dataproc.clusters.list dataproc.jobs.getIamPolicy dataproc.jobs.list dataproc. 
dataproc.operations.list dataproc.sessionTemplates.list dataproc.sessions.list dataproc. dataproc. dataprocessing. dataprocessing. dataprocessing. datastore.backupSchedules.list datastore.backups.list datastore.databases.list datastore.entities.list datastore.indexes.list datastore. datastore.locations.list datastore.namespaces.list datastore.operations.list datastore.statistics.list datastream. datastream. datastream.locations.list datastream.objects.list datastream.operations.list datastream. datastream. datastream.routes.getIamPolicy datastream.routes.list datastream. datastream.streams.list datastudio. datastudio. datastudio. deploymentmanager. deploymentmanager. deploymentmanager. deploymentmanager. deploymentmanager. deploymentmanager. deploymentmanager. deploymentmanager.types.list dialogflow.agents.list dialogflow.answerrecords.list dialogflow.callMatchers.list dialogflow.changelogs.list dialogflow.contexts.list dialogflow. dialogflow. dialogflow. dialogflow.conversations.list dialogflow.deployments.list dialogflow.documents.list dialogflow.entityTypes.list dialogflow.environments.list dialogflow.examples.list dialogflow.experiments.list dialogflow.flows.list dialogflow.generators.list dialogflow.integrations.list dialogflow.intents.list dialogflow.knowledgeBases.list dialogflow.messages.list dialogflow. dialogflow.pages.list dialogflow.participants.list dialogflow. dialogflow.phoneNumbers.list dialogflow.playbooks.list dialogflow. dialogflow. dialogflow. dialogflow.testcases.list dialogflow.tools.list dialogflow. dialogflow.versions.list dialogflow.webhooks.list discoveryengine.branches.list discoveryengine. discoveryengine. discoveryengine.controls.list discoveryengine. discoveryengine. discoveryengine.documents.list discoveryengine.engines.list discoveryengine.models.list discoveryengine. discoveryengine.schemas.list discoveryengine. discoveryengine. 
dlp.analyzeRiskTemplates.list dlp.columnDataProfiles.list dlp.connections.list dlp.deidentifyTemplates.list dlp.estimates.list dlp.inspectFindings.list dlp.inspectTemplates.list dlp.jobTriggers.list dlp.jobs.list dlp.locations.list dlp.projectDataProfiles.list dlp.storedInfoTypes.list dlp.subscriptions.list dlp.tableDataProfiles.list dns.changes.list dns.dnsKeys.list dns.managedZoneOperations.list dns.managedZones.getIamPolicy dns.managedZones.list dns.policies.getIamPolicy dns.policies.list dns.resourceRecordSets.list dns.responsePolicies.list dns.responsePolicyRules.list documentai. documentai.evaluations.list documentai.labelerPools.list documentai.locations.list documentai.processorTypes.list documentai. documentai.processors.list domains.locations.list domains.operations.list domains. domains.registrations.list earthengine. earthengine.assets.list earthengine.operations.list edgecontainer. edgecontainer.clusters.list edgecontainer.locations.list edgecontainer. edgecontainer.machines.list edgecontainer. edgecontainer.nodePools.list edgecontainer.operations.list edgecontainer. edgecontainer. edgenetwork. edgenetwork. edgenetwork. edgenetwork.interconnects.list edgenetwork.locations.list edgenetwork. edgenetwork.networks.list edgenetwork.operations.list edgenetwork. edgenetwork.routers.list edgenetwork.routes.list edgenetwork. edgenetwork.subnetworks.list edgenetwork.zones.list enterpriseknowledgegraph. enterprisepurchasing. enterprisepurchasing. enterprisepurchasing. enterprisepurchasing. errorreporting. errorreporting. errorreporting.groups.list essentialcontacts. eventarc. eventarc. eventarc.channels.getIamPolicy eventarc.channels.list eventarc.locations.list eventarc.operations.list eventarc.providers.list eventarc.triggers.getIamPolicy eventarc.triggers.list fcmdata.deliverydata.list file.backups.list file.instances.list file.locations.list file.operations.list financialservices. financialservices. financialservices. financialservices. financialservices. 
financialservices. financialservices. financialservices. financialservices. firebase.clients.list firebase.links.list firebase.playLinks.list firebaseabt.experiments.list firebaseappdistro.groups.list firebaseappdistro. firebaseappdistro.testers.list firebasecrashlytics. firebasedatabase. firebasedynamiclinks. firebasedynamiclinks. firebasedynamiclinks. firebaseextensions. firebaseextensionspublisher. firebasehosting.sites.list firebaseinappmessaging. firebasemessagingcampaigns. firebaseml.models.list firebaseml.modelversions.list firebasenotifications. firebaserules.releases.list firebaserules.rulesets.list firebasestorage.buckets.list fleetengine. fleetengine.tasks.list fleetengine.vehicles.list gcp.redisenterprise. gcp.redisenterprise. gdchardwaremanagement. gdchardwaremanagement. gdchardwaremanagement. gdchardwaremanagement. gdchardwaremanagement. gdchardwaremanagement. gdchardwaremanagement. gdchardwaremanagement. gdchardwaremanagement. gdchardwaremanagement. genomics.datasets.getIamPolicy genomics.datasets.list genomics.operations.list gkebackup. gkebackup.backupPlans.list gkebackup.backups.list gkebackup.locations.list gkebackup.operations.list gkebackup. gkebackup.restorePlans.list gkebackup.restores.list gkebackup.volumeBackups.list gkebackup.volumeRestores.list gkehub.features.getIamPolicy gkehub.features.list gkehub.gateway.getIamPolicy gkehub.locations.list gkehub.membershipbindings.list gkehub. gkehub.memberships.list gkehub.namespaces.list gkehub.operations.list gkehub.rbacrolebindings.list gkehub.scopes.getIamPolicy gkehub.scopes.list gkemulticloud. gkemulticloud.awsClusters.list gkemulticloud. gkemulticloud. gkemulticloud. gkemulticloud. gkemulticloud.operations.list gkeonprem. gkeonprem. gkeonprem. gkeonprem. gkeonprem. gkeonprem. gkeonprem.locations.list gkeonprem.operations.list gkeonprem. gkeonprem. gkeonprem. gkeonprem.vmwareClusters.list gkeonprem. gkeonprem.vmwareNodePools.list gsuiteaddons.deployments.list healthcare. healthcare. 
healthcare.annotations.list healthcare. healthcare. healthcare. healthcare.consentStores.list healthcare.consents.list healthcare. healthcare.datasets.list healthcare. healthcare.dicomStores.list healthcare. healthcare.fhirStores.list healthcare.hl7V2Messages.list healthcare. healthcare.hl7V2Stores.list healthcare.locations.list healthcare.operations.list healthcare. iam.denypolicies.list iam.googleapis. iam.googleapis. iam.googleapis. iam.googleapis. iam.googleapis. iam.googleapis. iam.googleapis. iam.roles.get iam.roles.list iam.serviceAccountKeys.list iam.serviceAccounts.get iam. iam.serviceAccounts.list iap.tunnel.getIamPolicy iap. iap.tunnelDestGroups.list iap. iap. iap.tunnelZones.getIamPolicy iap.web.getIamPolicy iap. iap.webServices.getIamPolicy iap.webTypes.getIamPolicy identitytoolkit. identitytoolkit.tenants.list ids.endpoints.getIamPolicy ids.endpoints.list ids.locations.list ids.operations.list integrations. integrations. integrations. integrations. integrations. integrations. integrations. integrations. integrations.authConfigs.list integrations.certificates.list integrations.executions.list integrations. integrations.integrations.list integrations. integrations. integrations. integrations. integrations. integrations.sfdcChannels.list integrations. integrations.suspensions.list issuerswitch. issuerswitch. issuerswitch. issuerswitch. issuerswitch. issuerswitch.operations.list issuerswitch.ruleMetadata.list issuerswitch. issuerswitch.rules.list krmapihosting. 
krmapihosting.krmApiHosts.list krmapihosting.locations.list krmapihosting.operations.list lifesciences.operations.list livestream.assets.list livestream.channels.list livestream.events.list livestream.inputs.list livestream.locations.list livestream.operations.list logging.buckets.list logging.exclusions.list logging.links.list logging.locations.list logging.logEntries.list logging.logMetrics.list logging.logServiceIndexes.list logging.logServices.list logging.logs.list logging.notificationRules.list logging.operations.list logging.privateLogEntries.list logging.queries.list logging.sinks.list logging.views.list looker.backups.list looker.instances.list looker.locations.list looker.operations.list managedidentities. managedidentities.backups.list managedidentities. managedidentities.domains.list managedidentities. managedidentities. managedidentities. managedidentities. managedidentities. mapsadmin.clientMaps.list mapsadmin. mapsadmin.clientStyles.list mapsadmin.styleSnapshots.list mapsanalytics. mapsplatformdatasets. marketplacesolutions. marketplacesolutions. marketplacesolutions. marketplacesolutions. marketplacesolutions. marketplacesolutions. marketplacesolutions. memcache.instances.list memcache.locations.list memcache.operations.list metastore.backups.getIamPolicy metastore.backups.list metastore. metastore.databases.list metastore. metastore.federations.list metastore.imports.list metastore.locations.list metastore.migrations.list metastore.operations.list metastore. metastore.services.list metastore.tables.getIamPolicy metastore.tables.list migrationcenter.assets.list migrationcenter. migrationcenter. migrationcenter.groups.list migrationcenter. migrationcenter. migrationcenter.locations.list migrationcenter. migrationcenter. migrationcenter. 
migrationcenter.reports.list migrationcenter.sources.list ml.jobs.getIamPolicy ml.jobs.list ml.locations.list ml.models.getIamPolicy ml.models.list ml.operations.list ml.studies.getIamPolicy ml.studies.list ml.trials.list ml.versions.list monitoring.alertPolicies.list monitoring.dashboards.list monitoring.groups.list monitoring. monitoring. monitoring. monitoring. monitoring.publicWidgets.list monitoring.services.list monitoring.slos.list monitoring.snoozes.list monitoring.timeSeries.list monitoring. netapp.activeDirectories.list netapp.backupPolicies.list netapp.backupVaults.list netapp.backups.list netapp.kmsConfigs.list netapp.replications.list netapp.snapshots.list netapp.storagePools.list netapp.volumes.list networkconnectivity. networkconnectivity. networkconnectivity. networkconnectivity. networkconnectivity. networkconnectivity. networkconnectivity. networkconnectivity.hubs.list networkconnectivity. networkconnectivity. networkconnectivity. networkconnectivity. networkconnectivity. networkconnectivity. networkconnectivity. networkconnectivity. networkconnectivity. networkconnectivity. networkconnectivity. networkconnectivity. networkmanagement. networkmanagement. networkmanagement. networkmanagement. networksecurity. networksecurity. networksecurity. networksecurity. networksecurity. networksecurity. networksecurity. networksecurity. networksecurity. networksecurity. networksecurity.locations.list networksecurity. networksecurity. networksecurity. networksecurity. networksecurity. networksecurity. networksecurity.urlLists.list networkservices. networkservices. networkservices. networkservices. networkservices.gateways.list networkservices. networkservices. networkservices. networkservices. networkservices. networkservices. networkservices. networkservices. networkservices. networkservices. networkservices.locations.list networkservices. networkservices.meshes.list networkservices. networkservices. networkservices. networkservices. 
networkservices.tcpRoutes.list networkservices.tlsRoutes.list notebooks. notebooks.environments.list notebooks. notebooks.executions.list notebooks. notebooks.instances.list notebooks.locations.list notebooks.operations.list notebooks. notebooks.runtimes.list notebooks. notebooks.schedules.list ondemandscanning. opsconfigmonitoring. orgpolicy.constraints.list orgpolicy. orgpolicy.policies.list osconfig.guestPolicies.list osconfig. osconfig.inventories.list osconfig. osconfig. osconfig.patchDeployments.list osconfig.patchJobs.list osconfig.upgradeReports.list osconfig. paymentsresellersubscription. paymentsresellersubscription. policyremediatormanager. policyremediatormanager. policysimulator. policysimulator. policysimulator. policysimulator.replays.list privateca.caPools.getIamPolicy privateca.caPools.list privateca. privateca. privateca. privateca. privateca. privateca. privateca. privateca.certificates.list privateca.locations.list privateca.operations.list privateca. privateca.reusableConfigs.list privilegedaccessmanager. privilegedaccessmanager. privilegedaccessmanager. privilegedaccessmanager. proximitybeacon. proximitybeacon. proximitybeacon.beacons.list proximitybeacon. proximitybeacon. pubsub.schemas.getIamPolicy pubsub.schemas.list pubsub.snapshots.getIamPolicy pubsub.snapshots.list pubsub. pubsub.subscriptions.list pubsub.topics.getIamPolicy pubsub.topics.list pubsublite.operations.list pubsublite.reservations.list pubsublite.subscriptions.list pubsublite.topics.list recaptchaenterprise.keys.list recaptchaenterprise. recaptchaenterprise. recommender. recommender. recommender. recommender. recommender. recommender. recommender. recommender. recommender. recommender. recommender. recommender. recommender. recommender. recommender. recommender. recommender. recommender. recommender. recommender. recommender. recommender. recommender. recommender. recommender. recommender. recommender. recommender. recommender. recommender. recommender. recommender. 
recommender. recommender. recommender. recommender. recommender. recommender. recommender. recommender. recommender. recommender. recommender. recommender. recommender. recommender. recommender. recommender. recommender. recommender. recommender. recommender. recommender. recommender. recommender. recommender. recommender. recommender. recommender. recommender. recommender. recommender. recommender. recommender. recommender.costInsights.list recommender. recommender. recommender. recommender. recommender. recommender. recommender. recommender. recommender. recommender. recommender. recommender. recommender. recommender. recommender. recommender. recommender. recommender. recommender. recommender.locations.list recommender. recommender. recommender. recommender. recommender. recommender. recommender. recommender. recommender. recommender. recommender. recommender. recommender. recommender. recommender. recommender. recommender. recommender. recommender. recommender. recommender. recommender. recommender. recommender. recommender. recommender. recommender. recommender. recommender. redis.clusters.list redis.instances.list redis.locations.list redis.operations.list remotebuildexecution. remotebuildexecution. resourcemanager. resourcemanager.folders.list resourcemanager. resourcemanager. resourcemanager. resourcemanager.projects.list resourcemanager.tagHolds.list resourcemanager. resourcemanager.tagKeys.list resourcemanager. resourcemanager.tagValues.list resourcesettings.settings.list retail.catalogs.list retail.controls.list retail.experiments.list retail.models.list retail.operations.list retail.products.list retail.servingConfigs.list riskmanager. 
riskmanager.operations.list riskmanager.policies.list riskmanager.reports.list rma.collectors.list rma.locations.list rma.operations.list run.configurations.list run.executions.list run.jobs.getIamPolicy run.jobs.list run.locations.list run.operations.list run.revisions.list run.routes.list run.services.getIamPolicy run.services.list run.tasks.list runapps.applications.list runapps.deployments.list runapps.locations.list runapps.operations.list runtimeconfig. runtimeconfig.configs.list runtimeconfig.operations.list runtimeconfig. runtimeconfig.variables.list runtimeconfig. runtimeconfig.waiters.list secretmanager.locations.list secretmanager. secretmanager.secrets.list secretmanager.versions.list securedlandingzone. securesourcemanager. securesourcemanager. securesourcemanager. securesourcemanager. securesourcemanager. securesourcemanager. securesourcemanager. securitycenter.assets.list securitycenter. securitycenter. securitycenter. securitycenter. securitycenter.findings.list securitycenter. securitycenter. securitycenter. securitycenter. securitycenter. securitycenter.sources.list securitycenter. securitycentermanagement. securitycentermanagement. securitycentermanagement. securitycentermanagement. securitycentermanagement. securityposture.locations.list securityposture. securityposture. securityposture. securityposture.postures.list servicebroker. servicebroker. servicebroker.bindings.list servicebroker. servicebroker.catalogs.list servicebroker. servicebroker. servicebroker.instances.list serviceconsumermanagement. servicedirectory. servicedirectory. servicedirectory. servicedirectory. servicedirectory. servicedirectory. servicedirectory.services.list servicehealth.events.list servicehealth.locations.list servicehealth. servicehealth. servicemanagement. servicemanagement. servicenetworking. servicesecurityinsights. servicesecurityinsights. servicesecurityinsights. 
serviceusage.operations.list serviceusage.services.list source.repos.getIamPolicy source.repos.list spanner.backupOperations.list spanner.backups.getIamPolicy spanner.backups.list spanner. spanner.databaseRoles.list spanner.databases.getIamPolicy spanner.databases.list spanner. spanner.instanceConfigs.list spanner. spanner.instances.getIamPolicy spanner.instances.list spanner.sessions.list speakerid.phrases.list speakerid.speakers.list speech.customClasses.list speech.locations.list speech.operations.list speech.phraseSets.list speech.recognizers.list stackdriver. storage.anywhereCaches.list storage.bucketOperations.list storage.buckets.getIamPolicy storage.buckets.list storage.hmacKeys.list storage. storage.managedFolders.list storage.multipartUploads.list storage.objects.getIamPolicy storage.objects.list storageinsights. storageinsights.locations.list storageinsights. storageinsights. storageinsights. storagetransfer. storagetransfer.jobs.list storagetransfer. stream.locations.list stream.operations.list stream.streamContents.list stream.streamInstances.list telcoautomation. telcoautomation. telcoautomation.edgeSlms.list telcoautomation. telcoautomation.locations.list telcoautomation. telcoautomation. telcoautomation. timeseriesinsights. timeseriesinsights. tpu.acceleratortypes.list tpu.locations.list tpu.nodes.list tpu.operations.list tpu.runtimeversions.list tpu.tensorflowversions.list transcoder.jobTemplates.list transcoder.jobs.list transferappliance. transferappliance. transferappliance. transferappliance.orders.list transferappliance. translationhub.portals.list videostitcher.cdnKeys.list videostitcher. videostitcher.liveConfigs.list videostitcher.slates.list videostitcher. videostitcher. 
visionai.analyses.getIamPolicy visionai.analyses.list visionai.annotations.list visionai.applications.list visionai.assets.list visionai.clusters.getIamPolicy visionai.clusters.list visionai.corpora.list visionai.dataSchemas.list visionai.drafts.list visionai.events.getIamPolicy visionai.events.list visionai.indexEndpoints.list visionai.indexes.list visionai.instances.list visionai.locations.list visionai.operations.list visionai. visionai.operators.list visionai.processors.list visionai.searchConfigs.list visionai.series.getIamPolicy visionai.series.list visionai.streams.getIamPolicy visionai.streams.list visionai.uistreams.list visualinspection. visualinspection. visualinspection. visualinspection.datasets.list visualinspection.images.list visualinspection. visualinspection. visualinspection.models.list visualinspection.modules.list visualinspection. visualinspection. visualinspection. vmmigration.cloneJobs.list vmmigration.cutoverJobs.list vmmigration. vmmigration.deployments.list vmmigration.groups.list vmmigration.locations.list vmmigration.migratingVms.list vmmigration.operations.list vmmigration. vmmigration.sources.list vmmigration.targets.list vmmigration. vmwareengine. vmwareengine.clusters.list vmwareengine. vmwareengine. vmwareengine. vmwareengine. vmwareengine.locations.list vmwareengine. vmwareengine. vmwareengine. vmwareengine. vmwareengine.nodeTypes.list vmwareengine.nodes.list vmwareengine.operations.list vmwareengine. vmwareengine. vmwareengine. vmwareengine.subnets.list vmwareengine. vpcaccess.connectors.list vpcaccess.locations.list vpcaccess.operations.list workflows.callbacks.list workflows.executions.list workflows.locations.list workflows.operations.list workflows.stepEntries.list workflows.workflows.list workloadcertificate. workloadcertificate. workloadcertificate. workloadmanager. workloadmanager. workloadmanager. workloadmanager. workloadmanager.locations.list workloadmanager. 
workloadmanager.results.list workloadmanager.rules.list workstations. workstations. workstations. workstations. workstations.workstations.list |
Infrastructure Manager roles | Permissions |
---|---|
Cloud Infrastructure Manager Admin Beta( Full access to Cloud Infrastructure Manager resources. |
config.* resourcemanager.projects.get resourcemanager.projects.list |
Cloud Infrastructure Manager Agent Beta( Required permissions to make Cloud Infrastructure Manager work with the user-specified service account |
cloudbuild.connections.list cloudbuild. cloudbuild.repositories.list cloudquotas.quotas.get config.artifacts.import config.deployments.deleteState config.deployments.getLock config.deployments.getState config.deployments.updateState config.previews.upload config.revisions.getState logging.logEntries.create storage.buckets.create storage.buckets.delete storage.buckets.get storage.buckets.list storage.buckets.update storage.objects.create storage.objects.delete storage.objects.get storage.objects.list storage.objects.update |
Cloud Infrastructure Manager Viewer Beta( Read-only access to Cloud Infrastructure Manager resources. |
config.deployments.get config. config.deployments.list config.locations.* config.operations.get config.operations.list config.previews.get config.previews.list config.resources.* config.revisions.get config.revisions.list config.terraformversions.* resourcemanager.projects.get resourcemanager.projects.list |
KRM API Hosting roles | Permissions |
---|---|
Config Controller Admin( Full access to all Config Controller resources. |
krmapihosting.* resourcemanager.projects.get resourcemanager.projects.list |
Config Controller Viewer( Read-only access to all Config Controller resources. |
krmapihosting.krmApiHosts.get krmapihosting. krmapihosting.krmApiHosts.list krmapihosting.locations.* krmapihosting.operations.get krmapihosting.operations.list resourcemanager.projects.get resourcemanager.projects.list |
Kubernetes Engine roles | Permissions |
---|---|
Kubernetes Engine Admin( Provides access to full management of clusters and their Kubernetes API objects.
To set a service account on nodes, you must also have the Service Account User role
( Lowest-level resources where you can grant this role:
|
container.* recommender. recommender. recommender.locations.* recommender. recommender. resourcemanager.projects.get resourcemanager.projects.list |
Kubernetes Engine Cluster Admin( Provides access to management of clusters.
To set a service account on nodes, you must also have the Service Account User role
( Lowest-level resources where you can grant this role:
|
container.clusters.create container.clusters.delete container.clusters.get container.clusters.list container.clusters.update container.operations.* resourcemanager.projects.get resourcemanager.projects.list |
Kubernetes Engine Cluster Viewer( Provides access to get and list GKE clusters. |
container.clusters.get container.clusters.list resourcemanager.projects.get resourcemanager.projects.list |
Kubernetes Engine Developer( Provides access to Kubernetes API objects inside clusters. Lowest-level resources where you can grant this role:
|
container.apiServices.* container.auditSinks.* container.backendConfigs.* container.bindings.* container. container. container. container. container. container. container. container. container.clusterRoles.get container.clusterRoles.list container.clusters.get container.clusters.list container.componentStatuses.* container.configMaps.* container. container. container.cronJobs.* container.csiDrivers.* container.csiNodeInfos.* container.csiNodes.* container. container.daemonSets.* container.deployments.* container.endpointSlices.* container.endpoints.* container.events.* container.frontendConfigs.* container. container.ingresses.* container. container.jobs.* container.leases.* container.limitRanges.* container. container. container. container. container.namespaces.* container.networkPolicies.* container.nodes.* container. container.persistentVolumes.* container.petSets.* container. container.podPresets.* container. container. container.podTemplates.* container.pods.* container.priorityClasses.* container.replicaSets.* container. container.resourceQuotas.* container.roleBindings.get container.roleBindings.list container.roles.get container.roles.list container.runtimeClasses.* container.scheduledJobs.* container.secrets.* container. container. container.serviceAccounts.* container.services.* container.statefulSets.* container.storageClasses.* container.storageStates.* container. container. container.thirdPartyObjects.* container. container.tokenReviews.create container.updateInfos.* container. container. container.volumeAttachments.* container. container. container.volumeSnapshots.* recommender. recommender. recommender.locations.* recommender. recommender. resourcemanager.projects.get resourcemanager.projects.list |
Kubernetes Engine Host Service Agent User( Allows the Kubernetes Engine service account in the host project to configure shared network resources for cluster management. Also gives access to inspect the firewall rules in the host project. |
compute.firewalls.get container.hostServiceAgent.use dns. dns. dns. dns.responsePolicies.* dns.responsePolicyRules.* |
Kubernetes Engine Viewer( Provides read-only access to resources within GKE clusters, such as nodes, pods, and GKE API objects. Lowest-level resources where you can grant this role:
|
container.apiServices.get container. container.apiServices.list container.auditSinks.get container.auditSinks.list container.backendConfigs.get container.backendConfigs.list container.bindings.get container.bindings.list container. container. container. container. container. container.clusterRoles.get container.clusterRoles.list container.clusters.get container.clusters.list container.componentStatuses.* container.configMaps.get container.configMaps.list container. container. container.cronJobs.get container.cronJobs.getStatus container.cronJobs.list container.csiDrivers.get container.csiDrivers.list container.csiNodeInfos.get container.csiNodeInfos.list container.csiNodes.get container.csiNodes.list container. container. container. container.daemonSets.get container.daemonSets.getStatus container.daemonSets.list container.deployments.get container.deployments.getScale container. container.deployments.list container.endpointSlices.get container.endpointSlices.list container.endpoints.get container.endpoints.list container.events.get container.events.list container.frontendConfigs.get container.frontendConfigs.list container. container. container. container.ingresses.get container.ingresses.getStatus container.ingresses.list container. container. container.jobs.get container.jobs.getStatus container.jobs.list container.leases.get container.leases.list container.limitRanges.get container.limitRanges.list container. container. container. container. container.namespaces.get container.namespaces.getStatus container.namespaces.list container.networkPolicies.get container.networkPolicies.list container.nodes.get container.nodes.getStatus container.nodes.list container.operations.* container. container. container. container. container. container. container.petSets.get container.petSets.list container. container. container. container.podPresets.get container.podPresets.list container. container. 
container.podTemplates.get container.podTemplates.list container.pods.get container.pods.getStatus container.pods.list container.priorityClasses.get container.priorityClasses.list container.replicaSets.get container.replicaSets.getScale container. container.replicaSets.list container. container. container. container. container.resourceQuotas.get container. container.resourceQuotas.list container.roleBindings.get container.roleBindings.list container.roles.get container.roles.list container.runtimeClasses.get container.runtimeClasses.list container.scheduledJobs.get container.scheduledJobs.list container.serviceAccounts.get container.serviceAccounts.list container.services.get container.services.getStatus container.services.list container.statefulSets.get container. container. container.statefulSets.list container.storageClasses.get container.storageClasses.list container.storageStates.get container. container.storageStates.list container. container. container. container. container. container. container. container.tokenReviews.create container.updateInfos.get container.updateInfos.list container. container. container. container. container. container. container. container. container. container. container.volumeSnapshots.get container.volumeSnapshots.list recommender. recommender. recommender. recommender. recommender.locations.* recommender. recommender. recommender. recommender. resourcemanager.projects.get resourcemanager.projects.list |
Live Stream roles |
Permissions |
Live Stream Editor( Full access to Live Stream resources. |
livestream.* resourcemanager.projects.get resourcemanager.projects.list |
Live Stream Viewer( Read access to Live Stream resources. |
livestream.assets.get livestream.assets.list livestream.channels.get livestream.channels.list livestream.events.get livestream.events.list livestream.inputs.get livestream.inputs.list livestream.locations.* livestream.operations.get livestream.operations.list livestream.pools.get resourcemanager.projects.get resourcemanager.projects.list |
Logging roles |
Permissions |
Logging Admin( Provides all permissions necessary to use all features of Cloud Logging. Lowest-level resources where you can grant this role:
|
logging.buckets.copyLogEntries logging.buckets.create logging.buckets.delete logging.buckets.get logging.buckets.list logging.buckets.undelete logging.buckets.update logging.exclusions.* logging.fields.access logging.links.* logging.locations.* logging.logEntries.* logging.logMetrics.* logging.logServiceIndexes.list logging.logServices.list logging.logs.* logging.notificationRules.* logging.operations.* logging.privateLogEntries.list logging.queries.* logging.settings.* logging.sinks.* logging.usage.get logging.views.* resourcemanager.projects.get resourcemanager.projects.list |
Logs Bucket Writer( Ability to write logs to a log bucket. Lowest-level resources where you can grant this role:
|
logging.buckets.write |
Logs Configuration Writer( Provides permissions to read and write the configurations of logs-based metrics and sinks for exporting logs. Lowest-level resources where you can grant this role:
|
logging.buckets.create logging.buckets.delete logging.buckets.get logging.buckets.list logging.buckets.undelete logging.buckets.update logging.exclusions.* logging.links.* logging.locations.* logging.logMetrics.* logging.logServiceIndexes.list logging.logServices.list logging.logs.list logging.notificationRules.* logging.operations.* logging.settings.* logging.sinks.* logging.views.create logging.views.delete logging.views.get logging.views.list logging.views.update resourcemanager.projects.get resourcemanager.projects.list |
Log Field Accessor( Ability to read restricted fields in a log bucket. Lowest-level resources where you can grant this role:
|
logging.fields.access |
Log Link Accessor( Ability to see links for a bucket. |
logging.links.get logging.links.list |
Logs Writer( Provides the permissions to write log entries. Lowest-level resources where you can grant this role:
|
logging.logEntries.create logging.logEntries.route |
Private Logs Viewer( Provides permissions of the Logs Viewer role and in addition, provides read-only access to log entries in private logs. Lowest-level resources where you can grant this role:
|
logging.buckets.get logging.buckets.list logging.exclusions.get logging.exclusions.list logging.links.get logging.links.list logging.locations.* logging.logEntries.list logging.logMetrics.get logging.logMetrics.list logging.logServiceIndexes.list logging.logServices.list logging.logs.list logging.privateLogEntries.list logging.queries.create logging.queries.delete logging.queries.get logging.queries.list logging.queries.listShared logging.queries.update logging.sinks.get logging.sinks.list logging.usage.get logging.views.access logging.views.get logging.views.list resourcemanager.projects.get |
Logs View Accessor( Ability to read logs in a view. Lowest-level resources where you can grant this role:
|
logging.logEntries.download logging.views.access logging.views.listLogs logging.views.listResourceKeys logging. |
Logs Viewer( Provides access to view logs. Lowest-level resources where you can grant this role:
|
logging.buckets.get logging.buckets.list logging.exclusions.get logging.exclusions.list logging.links.get logging.links.list logging.locations.* logging.logEntries.list logging.logMetrics.get logging.logMetrics.list logging.logServiceIndexes.list logging.logServices.list logging.logs.list logging.operations.get logging.operations.list logging.queries.create logging.queries.delete logging.queries.get logging.queries.list logging.queries.listShared logging.queries.update logging.sinks.get logging.sinks.list logging.usage.get logging.views.get logging.views.list resourcemanager.projects.get |
Looker roles |
Permissions |
Looker Admin( Full access to all Looker resources. |
looker.* resourcemanager.projects.get resourcemanager.projects.list |
Looker Instance User( Access to log in to a Looker instance. |
looker.instances.get looker.instances.login resourcemanager.projects.get resourcemanager.projects.list |
Looker Viewer( Read-only access to all Looker resources. |
looker.backups.get looker.backups.list looker.instances.get looker.instances.list looker.instances.login looker.locations.* looker.operations.get looker.operations.list resourcemanager.projects.get resourcemanager.projects.list |
Maps API Admin roles |
Permissions |
Maps API Admin( Read and Write all Maps Management and Maps Styles Resources. |
mapsadmin.* resourcemanager.projects.get resourcemanager.projects.list |
Maps API Viewer( Read all Maps Management and Maps Styles Resources. |
mapsadmin.clientMaps.get mapsadmin.clientMaps.list mapsadmin. mapsadmin.clientStyles.get mapsadmin.clientStyles.list mapsadmin. mapsadmin.styleSnapshots.list resourcemanager.projects.get resourcemanager.projects.list |
Memorystore Memcache roles |
Permissions |
Cloud Memorystore Memcached Admin( Full access to Memcached instances and related resources. |
compute.networks.list memcache.* resourcemanager.projects.get resourcemanager.projects.list |
Cloud Memorystore Memcached Editor( Read-Write access to Memcached instances and related resources. |
memcache. memcache.instances.get memcache.instances.list memcache.instances.update memcache. memcache.locations.* memcache.operations.* resourcemanager.projects.get resourcemanager.projects.list |
Cloud Memorystore Memcached Viewer( Read-only access to Memcached instances and related resources. |
memcache.instances.get memcache.instances.list memcache.locations.* memcache.operations.get memcache.operations.list resourcemanager.projects.get resourcemanager.projects.list |
Memorystore Redis roles |
Permissions |
Cloud Memorystore Redis Admin( Full control for all Memorystore for Redis resources. |
compute.networks.list networkconnectivity. redis.* resourcemanager.projects.get resourcemanager.projects.list serviceusage.services.use |
Cloud Memorystore Redis Db Connection User Beta( Access to connect to Redis Server db. |
redis.clusters.connect |
Cloud Memorystore Redis Editor( Manage Memorystore for Redis instances. Can't create or delete instances. |
compute.networks.list redis.clusters.get redis.clusters.list redis.clusters.update redis.instances.failover redis.instances.get redis.instances.list redis.instances.update redis.locations.* redis.operations.* resourcemanager.projects.get resourcemanager.projects.list serviceusage.services.use |
Cloud Memorystore Redis Viewer( Read-only access to all Memorystore for Redis resources. |
redis.clusters.get redis.clusters.list redis.instances.get redis.instances.list redis. redis. redis.locations.* redis.operations.get redis.operations.list resourcemanager.projects.get resourcemanager.projects.list serviceusage.services.use |
Mesh Management roles |
Permissions |
Mesh Config Admin Beta( Full access to all mesh configuration resources |
meshconfig.projects.init |
Mesh Config Viewer Beta( Read access to mesh configuration |
|
Migration Center roles |
Permissions |
Migration Center Admin Beta( Full access to all Migration Center resources. |
migrationcenter.* resourcemanager.projects.get resourcemanager.projects.list rma.* serviceusage.quotas.get |
Migration Center Discovery Client Beta( Migration Center Discovery Client role |
migrationcenter. migrationcenter. migrationcenter. |
Migration Center Discovery Client Registrator Beta( Registrator of Migration Center Discovery Clients |
migrationcenter. migrationcenter. migrationcenter. migrationcenter.operations.get migrationcenter.sources.create migrationcenter.sources.delete resourcemanager.projects.get resourcemanager.projects.list |
Migration Center Viewer Beta( Read-only access to all Migration Center resources. |
migrationcenter.assets.get migrationcenter.assets.list migrationcenter. migrationcenter. migrationcenter.errorFrames.* migrationcenter.groups.get migrationcenter.groups.list migrationcenter. migrationcenter. migrationcenter.importJobs.get migrationcenter. migrationcenter.locations.* migrationcenter.operations.get migrationcenter. migrationcenter. migrationcenter. migrationcenter. migrationcenter. migrationcenter.reports.get migrationcenter.reports.list migrationcenter.settings.get migrationcenter.sources.get migrationcenter.sources.list resourcemanager.projects.get resourcemanager.projects.list rma.annotations.get rma.collectors.get rma.collectors.list rma.locations.* rma.operations.get rma.operations.list serviceusage.quotas.get |
Monitoring roles |
Permissions |
Monitoring Admin(
Provides the same access as the Monitoring Editor role ( Lowest-level resources where you can grant this role:
|
cloudnotifications. monitoring.* opsconfigmonitoring.* resourcemanager.projects.get resourcemanager.projects.list serviceusage.services.enable serviceusage.services.get stackdriver.* |
Monitoring AlertPolicy Editor( Read/write access to alerting policies. |
monitoring.alertPolicies.* |
Monitoring AlertPolicy Viewer( Read-only access to alerting policies. |
monitoring.alertPolicies.get monitoring.alertPolicies.list |
Monitoring Cloud Console Incident Editor Beta( Read/write access to incidents from Cloud Console. |
|
Monitoring Cloud Console Incident Viewer Beta( Read access to incidents from Cloud Console. |
|
Monitoring Dashboard Configuration Editor( Read/write access to dashboard configurations. |
monitoring.dashboards.* |
Monitoring Dashboard Configuration Viewer( Read-only access to dashboard configurations. |
monitoring.dashboards.get monitoring.dashboards.list |
Monitoring Editor( Provides full access to information about all monitoring data and configurations. Lowest-level resources where you can grant this role:
|
cloudnotifications. monitoring.alertPolicies.* monitoring.dashboards.* monitoring.groups.* monitoring.metricDescriptors.* monitoring. monitoring. monitoring. monitoring. monitoring. monitoring. monitoring. monitoring. monitoring. monitoring.publicWidgets.* monitoring.services.* monitoring.slos.* monitoring.snoozes.* monitoring.timeSeries.* monitoring. opsconfigmonitoring.* resourcemanager.projects.get resourcemanager.projects.list serviceusage.services.enable serviceusage.services.get stackdriver.* |
Monitoring Metric Writer( Provides write-only access to metrics. This provides exactly the permissions needed by the Cloud Monitoring agent and other systems that send metrics. Lowest-level resources where you can grant this role:
|
monitoring. monitoring. monitoring. monitoring. monitoring.timeSeries.create |
Monitoring Metrics Scopes Admin Beta( Access to add and remove monitored projects from metrics scopes. |
monitoring.metricsScopes.link resourcemanager.projects.get resourcemanager.projects.list |
Monitoring Metrics Scopes Viewer Beta( Read-only access to metrics scopes and their monitored projects. |
resourcemanager.projects.get resourcemanager.projects.list |
Monitoring NotificationChannel Editor Beta( Read/write access to notification channels. |
monitoring. monitoring. monitoring. monitoring. monitoring. monitoring. monitoring. monitoring. |
Monitoring NotificationChannel Viewer Beta( Read-only access to notification channels. |
monitoring. monitoring. monitoring. |
Monitoring Services Editor( Read/write access to services. |
monitoring.services.* monitoring.slos.* |
Monitoring Services Viewer( Read-only access to services. |
monitoring.services.get monitoring.services.list monitoring.slos.get monitoring.slos.list |
Monitoring Snooze Editor(
|
monitoring.snoozes.* |
Monitoring Snooze Viewer(
|
monitoring.snoozes.get monitoring.snoozes.list |
Monitoring Uptime Check Configuration Editor Beta( Read/write access to uptime check configurations. |
monitoring. |
Monitoring Uptime Check Configuration Viewer Beta( Read-only access to uptime check configurations. |
monitoring. monitoring. |
Monitoring Viewer( Provides read-only access to get and list information about all monitoring data and configurations. Lowest-level resources where you can grant this role:
|
cloudnotifications. monitoring.alertPolicies.get monitoring.alertPolicies.list monitoring.dashboards.get monitoring.dashboards.list monitoring.groups.get monitoring.groups.list monitoring. monitoring. monitoring. monitoring. monitoring. monitoring. monitoring.publicWidgets.get monitoring.publicWidgets.list monitoring.services.get monitoring.services.list monitoring.slos.get monitoring.slos.list monitoring.snoozes.get monitoring.snoozes.list monitoring.timeSeries.list monitoring. monitoring. opsconfigmonitoring. resourcemanager.projects.get resourcemanager.projects.list stackdriver.projects.get stackdriver. |
Network Connectivity roles |
Permissions |
Service Automation Consumer Network Admin( Service Automation Consumer Network Admin is responsible for setting up ServiceConnectionPolicies. |
networkconnectivity. resourcemanager.projects.get resourcemanager.projects.list |
Group User( Enables use access on group resources |
networkconnectivity.groups.use |
Hub & Spoke Admin( Enables full access to hub and spoke resources. Lowest-level resources where you can grant this role:
|
networkconnectivity.groups.* networkconnectivity. networkconnectivity. networkconnectivity.hubs.* networkconnectivity. networkconnectivity. networkconnectivity.spokes.* resourcemanager.projects.get resourcemanager.projects.list |
Hub & Spoke Viewer( Enables read-only access to hub and spoke resources. Lowest-level resources where you can grant this role:
|
networkconnectivity.groups.get networkconnectivity. networkconnectivity. networkconnectivity. networkconnectivity. networkconnectivity. networkconnectivity. networkconnectivity. networkconnectivity. networkconnectivity.hubs.get networkconnectivity. networkconnectivity.hubs.list networkconnectivity. networkconnectivity. networkconnectivity.spokes.get networkconnectivity. networkconnectivity. resourcemanager.projects.get resourcemanager.projects.list |
Regional Endpoint Admin Beta( Full access to all Regional Endpoint resources. |
networkconnectivity. resourcemanager.projects.get resourcemanager.projects.list |
Regional Endpoint Viewer Beta( Read-only access to all Regional Endpoint resources. |
networkconnectivity. networkconnectivity. resourcemanager.projects.get resourcemanager.projects.list |
Service Class User( Service Class User uses a ServiceClass |
networkconnectivity. networkconnectivity. networkconnectivity. resourcemanager.projects.get resourcemanager.projects.list |
Service Automation Service Producer Admin( Service Automation Producer Admin uses information from a consumer request to manage ServiceClasses and ServiceConnectionMaps |
networkconnectivity. networkconnectivity. networkconnectivity. networkconnectivity. resourcemanager.projects.get resourcemanager.projects.list |
Spoke Admin( Enables full access to spoke resources and read-only access to hub resources. Lowest-level resources where you can grant this role:
|
networkconnectivity. networkconnectivity. networkconnectivity. networkconnectivity. networkconnectivity. networkconnectivity. networkconnectivity.hubs.get networkconnectivity. networkconnectivity.hubs.list networkconnectivity. networkconnectivity. networkconnectivity. networkconnectivity.spokes.* resourcemanager.projects.get resourcemanager.projects.list |
Network Management roles |
Permissions |
Network Management Admin( Full access to Network Management resources. Lowest-level resources where you can grant this role:
|
networkmanagement.* resourcemanager. resourcemanager.projects.get resourcemanager.projects.list |
Network Management Viewer( Read-only access to Network Management resources. Lowest-level resources where you can grant this role:
|
networkmanagement.config.get networkmanagement. networkmanagement. networkmanagement. networkmanagement.locations.* networkmanagement.operations.* networkmanagement. resourcemanager. resourcemanager.projects.get resourcemanager.projects.list |
On-Demand Scanning roles |
Permissions |
On-Demand Scanning Admin Beta( All permissions for On-Demand Scanning |
ondemandscanning.* |
Ops Config Monitoring roles |
Permissions |
Ops Config Monitoring Resource Metadata Viewer Beta( Read-only access to resource metadata. |
opsconfigmonitoring. |
Ops Config Monitoring Resource Metadata Writer Beta( Write-only access to resource metadata. This provides exactly the permissions needed by the Ops Config Monitoring metadata agent and other systems that send metadata. |
opsconfigmonitoring. |
Organization Policy roles |
Permissions |
Access Transparency Admin( Enable Access Transparency for Organization. Lowest-level resources where you can grant this role:
|
axt.* resourcemanager. resourcemanager.projects.get resourcemanager.projects.list |
Organization Policy Administrator( Provides access to define what restrictions an organization wants to place on the configuration of cloud resources by setting Organization Policies. Lowest-level resources where you can grant this role:
|
orgpolicy.* policysimulator. policysimulator. |
Organization Policy Viewer( Provides access to view Organization Policies on resources. Lowest-level resources where you can grant this role:
|
orgpolicy.constraints.list orgpolicy. orgpolicy. orgpolicy.policies.list orgpolicy.policy.get |
Other roles |
Permissions |
Advisory Notifications Admin( Grants write access to settings in Advisory Notifications |
advisorynotifications.* resourcemanager. resourcemanager.projects.get |
Advisory Notifications Viewer( Grants view access in Advisory Notifications |
advisorynotifications. advisorynotifications. resourcemanager. resourcemanager.projects.get |
Cloud API Hub Admin( Full access to Cloud API Hub Registry and Runtime resources. |
apihub.* resourcemanager.projects.get resourcemanager.projects.list |
Cloud API Hub Editor( Edit access to Cloud API Hub Registry resources. |
apihub.apis.* apihub.specs.* apihub.versions.* resourcemanager.projects.get resourcemanager.projects.list |
Cloud API Hub Viewer( Read-only access to Cloud API Hub Registry resources. |
apihub.apis.get apihub.apis.list apihub.specs.get apihub.specs.list apihub.versions.get apihub.versions.list resourcemanager.projects.get resourcemanager.projects.list |
App Hub Admin( Full access to App Hub resources. |
apphub.* resourcemanager.projects.get resourcemanager.projects.list |
App Hub Editor( Edit access to App Hub resources. |
apphub.applications.create apphub.applications.delete apphub.applications.get apphub.applications.list apphub.applications.update apphub.discoveredServices.* apphub.discoveredWorkloads.* apphub.locations.* apphub.operations.* apphub. apphub.services.* apphub.workloads.* resourcemanager.projects.get resourcemanager.projects.list |
App Hub Viewer( View access to App Hub resources. |
apphub.applications.get apphub.applications.list apphub.discoveredServices.get apphub.discoveredServices.list apphub.discoveredWorkloads.get apphub. apphub.locations.* apphub.operations.get apphub.operations.list apphub. apphub.services.get apphub.services.list apphub.workloads.get apphub.workloads.list resourcemanager.projects.get resourcemanager.projects.list |
Appliance troubleshooting commands approver Beta( Grants access to approve commands to run on appliances |
applianceactivation. applianceactivation. resourcemanager.projects.get resourcemanager.projects.list |
On-appliance troubleshooting client Beta( Grants access to read commands for an appliance and send its result. |
applianceactivation. applianceactivation. |
Appliance troubleshooter Beta( Grants access to send new commands to run on appliances and view the outputs |
applianceactivation. applianceactivation. applianceactivation. resourcemanager.projects.get resourcemanager.projects.list |
Assured OSS Admin Beta( Access to use Assured OSS and manage configuration. |
artifactregistry. artifactregistry.files.* artifactregistry.locations.* artifactregistry. artifactregistry.npmpackages.* artifactregistry.packages.get artifactregistry.packages.list artifactregistry. artifactregistry. artifactregistry. artifactregistry. artifactregistry. artifactregistry. artifactregistry. artifactregistry. artifactregistry. artifactregistry.tags.get artifactregistry.tags.list artifactregistry.versions.get artifactregistry.versions.list assuredoss.* iam.serviceAccounts.create iam.serviceAccounts.get resourcemanager. resourcemanager.projects.get resourcemanager.projects.list serviceusage.services.enable serviceusage.services.get |
Assured OSS Project Admin Beta( Access to use Assured OSS and manage configuration. |
artifactregistry. artifactregistry.files.* artifactregistry.locations.* artifactregistry. artifactregistry.npmpackages.* artifactregistry.packages.get artifactregistry.packages.list artifactregistry. artifactregistry. artifactregistry. artifactregistry. artifactregistry. artifactregistry. artifactregistry. artifactregistry. artifactregistry. artifactregistry.tags.get artifactregistry.tags.list artifactregistry.versions.get artifactregistry.versions.list assuredoss.* iam.serviceAccounts.create iam.serviceAccounts.get resourcemanager. resourcemanager.projects.get resourcemanager.projects.list serviceusage.services.enable serviceusage.services.get |
Assured OSS Reader Beta( Access to use Assured OSS and view Assured OSS configuration. |
artifactregistry. artifactregistry.files.* artifactregistry.locations.* artifactregistry. artifactregistry.npmpackages.* artifactregistry.packages.get artifactregistry.packages.list artifactregistry. artifactregistry. artifactregistry. artifactregistry. artifactregistry. artifactregistry. artifactregistry. artifactregistry. artifactregistry.tags.get artifactregistry.tags.list artifactregistry.versions.get artifactregistry.versions.list assuredoss.config.get assuredoss.locations.* assuredoss.metadata.* assuredoss.operations.get assuredoss.operations.list resourcemanager. resourcemanager.projects.get resourcemanager.projects.list |
Assured OSS User Beta( Access to use Assured OSS. |
artifactregistry. artifactregistry.files.* artifactregistry.locations.* artifactregistry. artifactregistry.npmpackages.* artifactregistry.packages.get artifactregistry.packages.list artifactregistry. artifactregistry. artifactregistry. artifactregistry. artifactregistry. artifactregistry. artifactregistry. artifactregistry. artifactregistry.tags.get artifactregistry.tags.list artifactregistry.versions.get artifactregistry.versions.list assuredoss.locations.* assuredoss.metadata.* assuredoss.operations.get assuredoss.operations.list resourcemanager. resourcemanager.projects.get resourcemanager.projects.list |
Audit Manager Admin Beta( Full access to Audit Manager resources. |
auditmanager.* resourcemanager.folders.get resourcemanager.folders.list resourcemanager. resourcemanager.projects.get resourcemanager.projects.list |
Audit Manager Auditor Beta( Allows creating and viewing an audit report. |
auditmanager. auditmanager. auditmanager.locations.get auditmanager.locations.list auditmanager.operations.* resourcemanager.folders.get resourcemanager.folders.list resourcemanager. resourcemanager.projects.get resourcemanager.projects.list |
Autoscaling Metrics Writer Beta( Access to write metrics for autoscaling site |
autoscaling.sites.writeMetrics |
Autoscaling Recommendations Reader Beta( Access to read recommendations from autoscaling site |
autoscaling. |
Autoscaling Site Admin Beta( Full access to all autoscaling site features |
autoscaling.* resourcemanager.projects.get resourcemanager.projects.list |
Autoscaling State Writer Beta( Access to write state for autoscaling site |
autoscaling.sites.writeState |
Batch Agent Reporter Beta( Reporter of batch agent states. |
batch.states.report |
Batch Job Editor Beta( Editor of batch Jobs |
batch.jobs.* batch.locations.* batch.operations.* batch.tasks.* resourcemanager.projects.get resourcemanager.projects.list |
Batch Job Viewer Beta( Viewer of Batch Jobs, Task Groups and Tasks |
batch.jobs.get batch.jobs.list batch.locations.* batch.operations.* batch.tasks.* resourcemanager.projects.get resourcemanager.projects.list |
BigLake Admin( Provides full access to all BigLake resources. |
biglake.* resourcemanager.projects.get resourcemanager.projects.list |
BigLake Viewer( Provides read-only access to all BigLake resources. |
biglake.catalogs.get biglake.catalogs.list biglake.databases.get biglake.databases.list biglake.locks.list biglake.tables.get biglake.tables.list resourcemanager.projects.get resourcemanager.projects.list |
MigrationWorkflow Editor( Editor of EDW migration workflows. |
bigquerymigration.locations.* bigquerymigration.subtasks.get bigquerymigration. bigquerymigration. bigquerymigration. bigquerymigration. bigquerymigration. bigquerymigration. |
Task Orchestrator( Orchestrator of EDW migration tasks. |
bigquerymigration. bigquerymigration. bigquerymigration. storage.objects.list |
Migration Translation User( User of EDW migration interactive SQL translation service. |
bigquerymigration. |
MigrationWorkflow Viewer( Viewer of EDW migration MigrationWorkflow. |
bigquerymigration.locations.* bigquerymigration.subtasks.get bigquerymigration. bigquerymigration. bigquerymigration. |
Task Worker( Worker that executes EDW migration subtasks. |
bigquerymigration. bigquerymigration. storage.objects.create storage.objects.get storage.objects.list |
Carbon Footprint Viewer(
|
billing.accounts.get billing. billing.accounts.list |
Blockchain Node Engine Admin( Full access to Blockchain Node Engine resources. |
blockchainnodeengine.* resourcemanager.projects.get resourcemanager.projects.list |
Blockchain Node Engine Viewer( Read-only access to Blockchain Node Engine resources. |
blockchainnodeengine. blockchainnodeengine. blockchainnodeengine. blockchainnodeengine. blockchainnodeengine. resourcemanager.projects.get resourcemanager.projects.list |
Capacity Planner Usage Viewer Beta( Read-only access to Capacity Planner usage resources |
capacityplanner.* cloudquotas.quotas.get monitoring.timeSeries.list resourcemanager. resourcemanager.projects.get resourcemanager.projects.list serviceusage.quotas.get serviceusage.services.get |
Care Studio Patients Viewer( This role can view all properties of Patients. |
carestudio.* resourcemanager.projects.get resourcemanager.projects.list |
Chronicle Service Admin( Admins can view and modify Chronicle service details. |
chroniclesm.* |
Chronicle Service Viewer( Viewers can see Chronicle service details but not change them. |
chroniclesm. chroniclesm.gcpSettings.get |
Location reader Beta( Read and enumerate locations available for resource creation. |
cloud.* |
Cloud AI Companion User Beta( A user who can receive assistance from Cloud AI Companion |
cloudaicompanion.* resourcemanager.projects.get resourcemanager.projects.list |
Cloud Controls Partner Admin( Full access to Cloud Controls Partner resources. |
cloudcontrolspartner. cloudcontrolspartner. cloudcontrolspartner. cloudcontrolspartner. cloudcontrolspartner. cloudcontrolspartner. cloudcontrolspartner. cloudcontrolspartner. cloudcontrolspartner. |
Cloud Controls Partner Editor( Editor access to Cloud Controls Partner resources. |
cloudcontrolspartner.* |
Cloud Controls Partner Inspectability Reader( Read-only access to Cloud Controls Partner inspectability resources. |
cloudcontrolspartner. cloudcontrolspartner. cloudcontrolspartner. |
Cloud Controls Partner Monitoring Reader( Read-only access to Cloud Controls Partner monitoring resources. |
cloudcontrolspartner. cloudcontrolspartner. cloudcontrolspartner. |
Cloud Controls Partner Reader( Read-only access to Cloud Controls Partner resources. |
cloudcontrolspartner.* |
Cloud Optimization AI Admin( Administrator of Cloud Optimization AI resources |
cloudoptimization.* |
Cloud Optimization AI Editor( Editor of Cloud Optimization AI resources |
cloudoptimization.* |
Cloud Optimization AI Viewer( Viewer of Cloud Optimization AI resources |
cloudoptimization. |
Cloud Quotas Admin Beta( Full access to Cloud Quotas resources. |
cloudquotas.* monitoring.timeSeries.list resourcemanager.projects.get resourcemanager.projects.list |
Cloud Quotas Viewer Beta( Read-only access to Cloud Quotas resources. |
cloudquotas.quotas.get resourcemanager.projects.get resourcemanager.projects.list |
Commerce Agreement Publishing Admin Beta( Admin of Commerce Agreement Publishing service |
commerceagreementpublishing.* resourcemanager.projects.get resourcemanager.projects.list |
Commerce Agreement Publishing Viewer Beta( Viewer of Commerce Agreement Publishing service |
commerceagreementpublishing. commerceagreementpublishing. commerceagreementpublishing. commerceagreementpublishing. resourcemanager.projects.get resourcemanager.projects.list |
Confidential Space Workload User( Grants the ability to generate an attestation token and run a workload in a VM. Intended for service accounts that run on Confidential Space VMs. |
confidentialcomputing.* logging.logEntries.create |
Contact Center AI Platform Admin( Full access to Contact Center AI Platform resources. |
contactcenteraiplatform.* resourcemanager.projects.get resourcemanager.projects.list |
Contact Center AI Platform Viewer( Read-only access to Contact Center AI Platform resources. |
contactcenteraiplatform. contactcenteraiplatform. contactcenteraiplatform. contactcenteraiplatform. contactcenteraiplatform. resourcemanager.projects.get resourcemanager.projects.list |
Contact Center AI Insights editor( Grants read and write access to all Contact Center AI Insights resources. |
contactcenterinsights.* |
Contact Center AI Insights viewer( Grants read access to all Contact Center AI Insights resources. |
contactcenterinsights. contactcenterinsights. contactcenterinsights. contactcenterinsights. contactcenterinsights. contactcenterinsights. contactcenterinsights. contactcenterinsights. contactcenterinsights. contactcenterinsights. contactcenterinsights. contactcenterinsights. contactcenterinsights. contactcenterinsights. contactcenterinsights. contactcenterinsights. contactcenterinsights. contactcenterinsights. |
GKE Security Posture Viewer Beta( Read-only access to GKE Security Posture resources. |
container.clusters.list containersecurity.* resourcemanager.projects.get resourcemanager.projects.list |
Content Warehouse Admin( Grants full access to all the resources in Content Warehouse |
contentwarehouse.corpora.* contentwarehouse. contentwarehouse. contentwarehouse.documents.* contentwarehouse.locations.* contentwarehouse. contentwarehouse. contentwarehouse.ruleSets.* contentwarehouse.synonymSets.* resourcemanager.projects.get resourcemanager.projects.list |
Content Warehouse Document Admin( Grants full access to the document resource in Content Warehouse |
contentwarehouse. contentwarehouse. contentwarehouse. contentwarehouse.documents.get contentwarehouse. contentwarehouse. contentwarehouse. contentwarehouse.links.* contentwarehouse. contentwarehouse. resourcemanager.projects.get resourcemanager.projects.list |
Content Warehouse document creator( Grants access to create documents in Content Warehouse |
contentwarehouse. contentwarehouse. contentwarehouse. contentwarehouse. resourcemanager.projects.get resourcemanager.projects.list |
Content Warehouse Document Editor( Grants access to update document resource in Content Warehouse |
contentwarehouse. contentwarehouse.documents.get contentwarehouse. contentwarehouse. contentwarehouse.links.* contentwarehouse. contentwarehouse. resourcemanager.projects.get resourcemanager.projects.list |
Content Warehouse document schema viewer( Grants access to view the document schemas in Content Warehouse |
contentwarehouse. contentwarehouse. contentwarehouse. resourcemanager.projects.get resourcemanager.projects.list |
Content Warehouse Viewer( Grants access to view all the resources in Content Warehouse |
contentwarehouse. contentwarehouse.documents.get contentwarehouse. contentwarehouse.links.get contentwarehouse. contentwarehouse. resourcemanager.projects.get resourcemanager.projects.list |
Events Service viewer Beta( Viewer role for Events Service data |
databaseinsights. databaseinsights. databaseinsights. |
Database Insights monitoring viewer Beta( Viewer role for Database Insights monitoring data |
databaseinsights. databaseinsights. databaseinsights. databaseinsights.locations.* databaseinsights. databaseinsights. resourcemanager.projects.get resourcemanager.projects.list |
Database Insights performing operations Beta( Admin role for performing Database Insights operations |
databaseinsights. |
Database Insights recommendation viewer Beta( Viewer role for Database Insights recommendation data |
databaseinsights.locations.* databaseinsights. databaseinsights. databaseinsights. resourcemanager.projects.get resourcemanager.projects.list |
Database Insights viewer Beta( Viewer role for Database Insights data |
databaseinsights. databaseinsights. databaseinsights. databaseinsights.locations.* databaseinsights. databaseinsights. databaseinsights. databaseinsights. resourcemanager.projects.get resourcemanager.projects.list |
Data Lineage Administrator( Grants full access to all resources in Data Lineage API |
datalineage.* resourcemanager.projects.get resourcemanager.projects.list |
Data Lineage Editor( Grants edit access to all resources in Data Lineage API |
datalineage.events.* datalineage. datalineage.operations.get datalineage.processes.create datalineage.processes.get datalineage.processes.list datalineage.processes.update datalineage.runs.create datalineage.runs.get datalineage.runs.list datalineage.runs.update resourcemanager.projects.get resourcemanager.projects.list |
Data Lineage Events Producer( Grants access to create all resources in Data Lineage API |
datalineage.events.create datalineage.processes.create datalineage.processes.get datalineage.processes.update datalineage.runs.create datalineage.runs.get datalineage.runs.update resourcemanager.projects.get resourcemanager.projects.list |
Data Lineage Viewer( Grants read access to all resources in Data Lineage API |
datalineage.events.get datalineage.events.list datalineage. datalineage.processes.get datalineage.processes.list datalineage.runs.get datalineage.runs.list resourcemanager.projects.get resourcemanager.projects.list |
Data Processing Controls Resource Admin( Data processing controls admin who can fully manage data processing controls settings and view all datasource data. |
billing.accounts.get billing.accounts.list dataprocessing.* |
Data Processing Controls Data Source Manager( Data processing controls data source manager who can get, list, and update the underlying data. |
dataprocessing. dataprocessing. |
Discovery Engine Admin( Grants full access to all discoveryengine resources. |
discoveryengine.* |
Discovery Engine Editor( Grants read and write access to all discovery engine resources. |
discoveryengine.analytics.* discoveryengine.branches.* discoveryengine. discoveryengine. discoveryengine. discoveryengine. discoveryengine. discoveryengine.controls.get discoveryengine.controls.list discoveryengine. discoveryengine. discoveryengine.dataStores.get discoveryengine. discoveryengine. discoveryengine. discoveryengine. discoveryengine.documents.get discoveryengine. discoveryengine.documents.list discoveryengine. discoveryengine.engines.get discoveryengine.engines.list discoveryengine.engines.pause discoveryengine.engines.resume discoveryengine.engines.tune discoveryengine.models.* discoveryengine.operations.* discoveryengine.projects.get discoveryengine.schemas.get discoveryengine.schemas.list discoveryengine. discoveryengine. discoveryengine. discoveryengine. discoveryengine. discoveryengine. discoveryengine. discoveryengine. discoveryengine. discoveryengine. discoveryengine. discoveryengine. discoveryengine. |
Discovery Engine Viewer( Grants read access to all discovery engine resources. |
discoveryengine.analytics.* discoveryengine.branches.* discoveryengine. discoveryengine. discoveryengine. discoveryengine. discoveryengine. discoveryengine.controls.get discoveryengine.controls.list discoveryengine. discoveryengine. discoveryengine. discoveryengine. discoveryengine.dataStores.get discoveryengine. discoveryengine. discoveryengine.documents.get discoveryengine.documents.list discoveryengine.engines.get discoveryengine.engines.list discoveryengine.models.get discoveryengine.models.list discoveryengine.operations.* discoveryengine.projects.get discoveryengine.schemas.get discoveryengine.schemas.list discoveryengine. discoveryengine. discoveryengine. discoveryengine. discoveryengine. discoveryengine. discoveryengine. discoveryengine. discoveryengine. discoveryengine. discoveryengine. |
Enterprise Purchasing Admin Beta( Full access to Enterprise Purchasing resources. |
enterprisepurchasing.* resourcemanager.projects.get resourcemanager.projects.list |
Enterprise Purchasing Editor Beta( Edit access to Enterprise Purchasing resources. |
enterprisepurchasing. enterprisepurchasing. enterprisepurchasing. enterprisepurchasing. enterprisepurchasing. enterprisepurchasing. resourcemanager.projects.get resourcemanager.projects.list |
Enterprise Purchasing Viewer Beta( Readonly access to Enterprise Purchasing resources. |
enterprisepurchasing. enterprisepurchasing. enterprisepurchasing. enterprisepurchasing. enterprisepurchasing. enterprisepurchasing. resourcemanager.projects.get resourcemanager.projects.list |
Essential Contacts Admin( Full access to all essential contacts |
essentialcontacts.* |
Essential Contacts Viewer( Viewer for all essential contacts |
essentialcontacts.contacts.get essentialcontacts. |
Firebase Cloud Messaging API Admin Beta( Full read/write access to Firebase Cloud Messaging API resources. |
cloudmessaging.messages.create fcmdata.deliverydata.list resourcemanager.projects.get resourcemanager.projects.list |
Firebase Crash Symbol Uploader( Full read/write access to symbol mapping file resources for Firebase Crash Reporting. |
firebase.clients.get firebase.clients.list resourcemanager.projects.get |
GDC Hardware Management Admin Beta( Full access to GDC Hardware Management resources. |
gdchardwaremanagement.* resourcemanager.projects.get resourcemanager.projects.list |
GDC Hardware Management Operator Beta( Create, read, and update access to GDC Hardware Management resources that support those operations. Also grants delete access to HardwareGroup resource. |
gdchardwaremanagement. gdchardwaremanagement. gdchardwaremanagement. gdchardwaremanagement. gdchardwaremanagement. gdchardwaremanagement. gdchardwaremanagement. gdchardwaremanagement. gdchardwaremanagement. gdchardwaremanagement. gdchardwaremanagement. gdchardwaremanagement.sites.* gdchardwaremanagement.skus.* gdchardwaremanagement.zones.* resourcemanager.projects.get resourcemanager.projects.list |
GDC Hardware Management Reader Beta( Readonly access to GDC Hardware Management resources. |
gdchardwaremanagement. gdchardwaremanagement. gdchardwaremanagement. gdchardwaremanagement. gdchardwaremanagement. gdchardwaremanagement. gdchardwaremanagement. gdchardwaremanagement. gdchardwaremanagement. gdchardwaremanagement. gdchardwaremanagement. gdchardwaremanagement. gdchardwaremanagement. gdchardwaremanagement. gdchardwaremanagement.skus.* gdchardwaremanagement. gdchardwaremanagement. resourcemanager.projects.get resourcemanager.projects.list |
Identity Platform Admin Beta( Full access to Identity Platform resources. |
firebaseauth.* identitytoolkit.* |
Identity Platform Viewer Beta( Read access to Identity Platform resources. |
firebaseauth.configs.get firebaseauth.users.get identitytoolkit.tenants.get identitytoolkit. identitytoolkit.tenants.list |
Identity Toolkit Admin( Full access to Identity Toolkit resources. |
firebaseauth.* identitytoolkit.* |
Identity Toolkit Viewer( Read access to Identity Toolkit resources. |
firebaseauth.configs.get firebaseauth.users.get identitytoolkit.tenants.get identitytoolkit. identitytoolkit.tenants.list |
Apigee Integration Admin( A user that has full access to all Apigee integrations. |
connectors.actions.* connectors. connectors.entities.* connectors.entityTypes.list integrations. integrations. integrations. integrations. integrations. integrations. integrations. integrations. integrations.authConfigs.* integrations.certificates.* integrations.executions.* integrations. integrations. integrations. integrations. integrations. integrations. integrations.integrations.* integrations.sfdcChannels.* integrations.sfdcInstances.* integrations.suspensions.* resourcemanager.projects.get resourcemanager.projects.list |
Apigee Integration Deployer( A developer that can deploy/undeploy Apigee integrations to the integration runtime. |
integrations. integrations. integrations. integrations. integrations. integrations. integrations. integrations. integrations.integrations.get integrations.integrations.list resourcemanager.projects.get resourcemanager.projects.list |
Apigee Integration Editor( A developer that can list, create and update Apigee integrations. |
connectors.actions.* connectors. connectors.entities.* connectors.entityTypes.list integrations. integrations. integrations. integrations. integrations. integrations. integrations. integrations. integrations. integrations. integrations. integrations. integrations. integrations. integrations. integrations. integrations. integrations. integrations. integrations. integrations.authConfigs.get integrations.authConfigs.list integrations. integrations.certificates.get integrations.executions.* integrations. integrations. integrations. integrations. integrations. integrations. integrations. integrations.integrations.get integrations. integrations.integrations.list integrations. integrations.sfdcChannels.* integrations.sfdcInstances.* resourcemanager.projects.get resourcemanager.projects.list |
Apigee Integration Invoker( A role that can invoke Apigee integrations. |
connectors.actions.* connectors. connectors.entities.* connectors.entityTypes.list integrations. integrations. integrations. integrations. integrations.executions.* integrations. integrations. integrations. integrations.integrations.get integrations. integrations.integrations.list resourcemanager.projects.get resourcemanager.projects.list |
Apigee Integration Viewer( A developer that can list and view Apigee integrations. |
integrations. integrations. integrations. integrations. integrations. integrations. integrations. integrations.authConfigs.get integrations.authConfigs.list integrations.certificates.get integrations.certificates.list integrations.executions.* integrations. integrations. integrations.integrations.get integrations.integrations.list integrations.sfdcChannels.list integrations. resourcemanager.projects.get resourcemanager.projects.list |
Apigee Integration Approver( A role that can approve / reject Apigee integrations that contain a suspension/wait task. |
integrations. integrations.suspensions.* resourcemanager.projects.get resourcemanager.projects.list |
Certificate Viewer( A developer that can list and view Certificates. |
integrations.certificates.get resourcemanager.projects.get resourcemanager.projects.list |
Application Integration Admin( A user that has full access (CRUD) to all integrations. |
integrations. integrations. integrations. integrations. integrations. integrations. integrations. integrations. integrations.authConfigs.* integrations.certificates.* integrations.executions.* integrations. integrations. integrations. integrations. integrations. integrations. integrations.integrations.* integrations.sfdcChannels.* integrations.sfdcInstances.* integrations.suspensions.* resourcemanager.projects.get resourcemanager.projects.list |
Application Integration Deployer( A developer that can deploy/undeploy integrations to the integration runtime. |
integrations. integrations. integrations. integrations. integrations. integrations. integrations. integrations. integrations.integrations.get integrations.integrations.list resourcemanager.projects.get resourcemanager.projects.list |
Application Integration Editor( A developer that can list, create and update integrations. |
integrations. integrations. integrations. integrations. integrations. integrations. integrations. integrations. integrations. integrations. integrations. integrations. integrations. integrations. integrations. integrations. integrations. integrations. integrations. integrations. integrations.authConfigs.get integrations.authConfigs.list integrations. integrations.certificates.get integrations.executions.* integrations. integrations. integrations. integrations. integrations. integrations. integrations. integrations.integrations.get integrations. integrations.integrations.list integrations. integrations.sfdcChannels.* integrations.sfdcInstances.* resourcemanager.projects.get resourcemanager.projects.list |
Application Integration Invoker( A role that can invoke integrations. |
integrations. integrations. integrations. integrations. integrations.executions.* integrations. integrations. integrations. integrations.integrations.get integrations. integrations.integrations.list resourcemanager.projects.get resourcemanager.projects.list |
Application Integration Viewer( A developer that can list and view integrations. |
integrations. integrations. integrations. integrations. integrations. integrations. integrations. integrations.authConfigs.get integrations.authConfigs.list integrations.certificates.get integrations.certificates.list integrations.executions.* integrations. integrations. integrations.integrations.get integrations.integrations.list integrations.sfdcChannels.list integrations. resourcemanager.projects.get resourcemanager.projects.list |
Security Integration Admin Beta( A user that has full access to all Security integrations. |
integrations. integrations. integrations. integrations. integrations. |
Application Integration SFDC Instance Admin( A user that has full access (CRUD) to all SFDC instances. |
integrations.sfdcChannels.* integrations.sfdcInstances.* resourcemanager.projects.get resourcemanager.projects.list |
Application Integration SFDC Instance Editor( A developer that can list, create and update integrations. |
integrations. integrations.sfdcChannels.get integrations.sfdcChannels.list integrations. integrations. integrations.sfdcInstances.get integrations. integrations. resourcemanager.projects.get resourcemanager.projects.list |
Application Integration SFDC Instance Viewer( A developer that can list and view SFDC instances. |
integrations.sfdcChannels.get integrations.sfdcChannels.list integrations.sfdcInstances.get integrations. resourcemanager.projects.get resourcemanager.projects.list |
Application Integration Approver( A role that can resolve suspended integrations. |
integrations. integrations.suspensions.* resourcemanager.projects.get resourcemanager.projects.list |
Issuerswitch Account Manager Admin Beta( This role can perform all account manager related operations |
issuerswitch. issuerswitch.managedAccounts.* issuerswitch.operations.get issuerswitch.operations.list resourcemanager.projects.get resourcemanager.projects.list |
Issuerswitch Account Manager Transactions Admin Beta( This role can perform all account manager transactions related operations |
issuerswitch. issuerswitch.operations.get issuerswitch.operations.list resourcemanager.projects.get resourcemanager.projects.list |
Issuerswitch Account Manager Transactions Viewer Beta( This role can view all account manager transactions |
issuerswitch. issuerswitch.operations.get issuerswitch.operations.list resourcemanager.projects.get resourcemanager.projects.list |
Issuerswitch Admin Beta( Access to all issuer switch roles |
issuerswitch.* resourcemanager.projects.get resourcemanager.projects.list |
Issuerswitch Participants Admin Beta( Full access to issuer switch participants |
issuerswitch. resourcemanager.projects.get resourcemanager.projects.list |
Issuerswitch Resolutions Admin Beta( Full access to issuer switch resolutions |
issuerswitch. issuerswitch.complaints.* issuerswitch.disputes.* issuerswitch.operations.get resourcemanager.projects.get resourcemanager.projects.list |
Issuerswitch Rules Admin Beta( Full access to issuer switch rules |
issuerswitch.ruleMetadata.list issuerswitch. issuerswitch.rules.list resourcemanager.projects.get resourcemanager.projects.list |
Issuerswitch Rules Viewer Beta( This role can view rules and related metadata. |
issuerswitch.ruleMetadata.list issuerswitch. issuerswitch.rules.list resourcemanager.projects.get resourcemanager.projects.list |
Issuerswitch Transactions Viewer Beta( This role can view all transactions |
issuerswitch. issuerswitch. issuerswitch. issuerswitch. issuerswitch.operations.get issuerswitch.operations.list resourcemanager.projects.get resourcemanager.projects.list |
Metadata Publisher Beta( Publisher of Kubernetes clusters metadata |
kubernetesmetadata.* |
Mandiant Attack Surface Management Editor Beta( Access to write Attack Surface Management |
mandiant. mandiant. mandiant. mandiant. mandiant. mandiant. resourcemanager.projects.get resourcemanager.projects.list |
Mandiant Attack Surface Management Viewer Beta( Access to read Attack Surface Management |
mandiant. mandiant.genericPlatforms.get resourcemanager.projects.get resourcemanager.projects.list |
Mandiant Digital Threat Monitoring Editor Beta( Access to write Digital Threat Monitoring |
mandiant. mandiant. mandiant. mandiant. resourcemanager.projects.get resourcemanager.projects.list |
Mandiant Digital Threat Monitoring Viewer Beta( Access to read Digital Threat Monitoring |
mandiant. mandiant.genericPlatforms.get resourcemanager.projects.get resourcemanager.projects.list |
Mandiant Expertise On Demand Editor Beta( Access to write Expertise On Demand |
mandiant. mandiant. mandiant. mandiant. mandiant. mandiant. resourcemanager.projects.get resourcemanager.projects.list |
Mandiant Expertise On Demand Viewer Beta( Access to read Expertise On Demand |
mandiant. mandiant.genericPlatforms.get resourcemanager.projects.get resourcemanager.projects.list |
Mandiant Threat Intel Editor Beta( Access to write Threat Intel |
mandiant. mandiant. mandiant. mandiant. mandiant. mandiant. resourcemanager.projects.get resourcemanager.projects.list |
Mandiant Threat Intel Viewer Beta( Access to read Threat Intel |
mandiant.genericPlatforms.get mandiant. resourcemanager.projects.get resourcemanager.projects.list |
Mandiant Validation Editor Beta( Access to write Validation |
mandiant. mandiant. mandiant. mandiant. mandiant. mandiant. resourcemanager.projects.get resourcemanager.projects.list |
Mandiant Validation Viewer Beta( Access to read Validation |
mandiant.genericPlatforms.get mandiant. resourcemanager.projects.get resourcemanager.projects.list |
Maps Analytics Viewer Beta( Grants read-only access to all of the Maps Analytics resources. |
mapsanalytics.* resourcemanager.projects.get resourcemanager.projects.list serviceusage.services.list |
Maps Platform Datasets Admin Beta( Grants read and write access to all the Maps Platform Datasets API resources |
mapsadmin.clientStyles.* mapsplatformdatasets.* resourcemanager.projects.get resourcemanager.projects.list |
Maps Platform Datasets Viewer Beta( Grants read-only access to all the Maps Platform Datasets API resources |
mapsadmin.clientStyles.get mapsadmin.clientStyles.list mapsplatformdatasets. mapsplatformdatasets. mapsplatformdatasets. resourcemanager.projects.get resourcemanager.projects.list |
Marketplace Solutions Admin Beta( Full access to Marketplace Solutions resources. |
marketplacesolutions.* resourcemanager.projects.get resourcemanager.projects.list |
Marketplace Solutions Editor Beta( Edit access to Marketplace Solutions resources. |
marketplacesolutions. marketplacesolutions. marketplacesolutions. marketplacesolutions. marketplacesolutions. marketplacesolutions. marketplacesolutions. marketplacesolutions. marketplacesolutions. marketplacesolutions. resourcemanager.projects.get resourcemanager.projects.list |
Marketplace Solutions Viewer Beta( Readonly access to Marketplace Solutions resources. |
marketplacesolutions. marketplacesolutions. marketplacesolutions. marketplacesolutions. marketplacesolutions. marketplacesolutions. marketplacesolutions. marketplacesolutions. marketplacesolutions. resourcemanager.projects.get resourcemanager.projects.list |
Google Home Developer Console Admin( Admin access to Google Home Developer Console resources |
nestconsole.* resourcemanager.projects.get resourcemanager.projects.list |
Google Home Developer Console Editor( Read-Write access to Google Home Developer Console resources |
nestconsole. nestconsole. nestconsole. nestconsole. resourcemanager.projects.get resourcemanager.projects.list |
Google Home Developer Console Reader( Read-only access to Google Home Developer Console resources |
nestconsole. nestconsole. resourcemanager.projects.get resourcemanager.projects.list |
Google Cloud NetApp Volumes Admin Beta( Full access to Google Cloud NetApp Volumes resources. |
netapp.* resourcemanager.projects.get resourcemanager.projects.list |
Google Cloud NetApp Volumes Viewer Beta( Readonly access to Google Cloud NetApp Volumes resources. |
netapp.activeDirectories.get netapp.activeDirectories.list netapp.backupPolicies.get netapp.backupPolicies.list netapp.backupVaults.get netapp.backupVaults.list netapp.backups.get netapp.backups.list netapp.kmsConfigs.get netapp.kmsConfigs.list netapp.replications.get netapp.replications.list netapp.snapshots.get netapp.snapshots.list netapp.storagePools.get netapp.storagePools.list netapp.volumes.get netapp.volumes.list resourcemanager.projects.get resourcemanager.projects.list |
OAuth Config Editor Beta( Read/write access to OAuth config resources |
clientauthconfig.* oauthconfig.* |
OAuth Config Viewer Beta( Read-only access to OAuth config resources |
clientauthconfig.brands.get clientauthconfig.brands.list clientauthconfig.clients.get clientauthconfig.clients.list oauthconfig.clientpolicy.get oauthconfig.testusers.get oauthconfig.verification.get |
Payments Reseller Admin Beta( Full access to all Payments Reseller resources, including subscriptions, products and promotions |
paymentsresellersubscription.* resourcemanager.projects.get resourcemanager.projects.list |
Payments Reseller Viewer Beta( Read access to all Payments Reseller resources, including subscriptions, products and promotions |
paymentsresellersubscription. paymentsresellersubscription. paymentsresellersubscription. resourcemanager.projects.get resourcemanager.projects.list |
Payments Reseller Products Viewer Beta( Read access to Payments Reseller Product resource |
paymentsresellersubscription. resourcemanager.projects.get resourcemanager.projects.list |
Payments Reseller Promotions Viewer Beta( Read access to Payments Reseller Promotion resource |
paymentsresellersubscription. resourcemanager.projects.get resourcemanager.projects.list |
Payments Reseller Subscriptions Editor Beta( Write access to Payments Reseller Subscription resource |
paymentsresellersubscription. resourcemanager.projects.get resourcemanager.projects.list |
Payments Reseller Subscriptions Viewer Beta( Read access to Payments Reseller Subscription resource |
paymentsresellersubscription. resourcemanager.projects.get resourcemanager.projects.list |
Activity Analysis Viewer Beta( Viewer user that can read all activity analysis. |
policyanalyzer.* |
Policy Remediator Admin Beta( Grants the ability to enable and disable the usage of the policy remediator for the organization |
policyremediatormanager.* |
Policy Remediator Reader Beta( Grants the ability to read/view the state of the policy remediator for the organization |
policyremediatormanager. policyremediatormanager. policyremediatormanager. policyremediatormanager. |
Simulator Admin Beta( Admin user that can run and access replays. |
policysimulator. policysimulator.replays.* |
OrgPolicy Simulator Admin Beta( OrgPolicy Admin that can run and access simulations. |
cloudasset. cloudasset. cloudasset.assets.listResource cloudasset. orgpolicy. orgpolicy. orgpolicy.policies.list orgpolicy.policy.get policysimulator. policysimulator. resourcemanager. |
External Account Key Creator Beta( This role can create a new externalAccountKey resource. |
publicca. resourcemanager.projects.get resourcemanager.projects.list |
Subscription Linking Admin( Full access to publication reader resources |
readerrevenuesubscriptionlinking.* resourcemanager.projects.get resourcemanager.projects.list |
Subscription Linking Entitlements Viewer( This role can view all publication reader entitlements |
readerrevenuesubscriptionlinking. |
Subscription Linking Viewer( This role can view all publication reader resources |
readerrevenuesubscriptionlinking. readerrevenuesubscriptionlinking. resourcemanager.projects.get resourcemanager.projects.list |
Recommendations Exporter( Exporter of Recommendations |
recommender.resources.export |
Remote Build Execution Action Cache Writer Beta( Remote Build Execution Action Cache Writer |
remotebuildexecution. remotebuildexecution. |
Remote Build Execution Artifact Admin Beta( Remote Build Execution Artifact Admin |
remotebuildexecution. remotebuildexecution. remotebuildexecution. remotebuildexecution.blobs.* remotebuildexecution. |
Remote Build Execution Artifact Creator Beta( Remote Build Execution Artifact Creator |
remotebuildexecution. remotebuildexecution. remotebuildexecution.blobs.* remotebuildexecution. |
Remote Build Execution Artifact Viewer Beta( Remote Build Execution Artifact Viewer |
remotebuildexecution. remotebuildexecution.blobs.get remotebuildexecution. |
Remote Build Execution Configuration Admin Beta( Remote Build Execution Configuration Admin |
remotebuildexecution. remotebuildexecution. |
Remote Build Execution Configuration Viewer Beta( Remote Build Execution Configuration Viewer |
remotebuildexecution. remotebuildexecution. remotebuildexecution. remotebuildexecution. |
Remote Build Execution Logstream Writer Beta( Remote Build Execution Logstream Writer |
remotebuildexecution. remotebuildexecution. |
Remote Build Execution Reservation Admin Beta( Remote Build Execution Reservation Admin |
remotebuildexecution. remotebuildexecution. remotebuildexecution. |
Remote Build Execution Worker Beta( Remote Build Execution Worker |
remotebuildexecution. remotebuildexecution.blobs.* remotebuildexecution. remotebuildexecution. remotebuildexecution. |
Retail Admin( Full access to Retail API resources. |
automlrecommendations. automlrecommendations. automlrecommendations. automlrecommendations. automlrecommendations. automlrecommendations. automlrecommendations. automlrecommendations. automlrecommendations. automlrecommendations. automlrecommendations. retail.* |
Retail Editor( Full access to Retail API resources except purge, rejoin, and setSponsorship. |
automlrecommendations. automlrecommendations. automlrecommendations. automlrecommendations. automlrecommendations. automlrecommendations. automlrecommendations. automlrecommendations. automlrecommendations. retail. retail. retail.attributesConfigs.get retail. retail. retail. retail.catalogs.* retail.controls.* retail.experiments.* retail.models.* retail.operations.* retail.placements.* retail.products.create retail.products.delete retail.products.export retail.products.get retail.products.import retail.products.list retail.products.update retail.retailProjects.get retail.servingConfigs.* retail.userEvents.create retail.userEvents.import |
Retail Viewer( Grants access to read all resources in Retail. |
automlrecommendations. automlrecommendations. automlrecommendations. automlrecommendations. automlrecommendations. automlrecommendations. automlrecommendations. automlrecommendations. automlrecommendations. retail. retail.attributesConfigs.get retail.catalogs.completeQuery retail. retail.catalogs.list retail.controls.export retail.controls.get retail.controls.list retail.experiments.get retail.experiments.list retail. retail. retail.models.get retail.models.list retail.operations.* retail.placements.* retail.products.export retail.products.get retail.products.list retail.retailProjects.get retail.servingConfigs.get retail.servingConfigs.list retail.servingConfigs.predict retail.servingConfigs.search |
RISC Configuration Admin Beta( Read/write access to RISC config resources. |
clientauthconfig.clients.list riscconfigurationservice.* |
RISC Configuration Viewer Beta( Read-only access to RISC config resources. |
clientauthconfig.clients.list riscconfigurationservice. |
Serverless Integrations Developer Beta( Access to create and change Serverless Integrations and their configuration. |
resourcemanager.projects.get resourcemanager.projects.list runapps.applications.* runapps.deployments.get runapps.deployments.list runapps.locations.* runapps.operations.* |
Serverless Integrations Operator Beta( Access to deploy Serverless Integrations. |
resourcemanager.projects.get resourcemanager.projects.list runapps.applications.get runapps.applications.getStatus runapps.applications.list runapps.deployments.* runapps.locations.* runapps.operations.* |
Serverless Integrations Viewer Beta( Read-only access to Serverless Integrations resources. |
resourcemanager.projects.get resourcemanager.projects.list runapps.applications.get runapps.applications.getStatus runapps.applications.list runapps.deployments.get runapps.deployments.list runapps.locations.* runapps.operations.get runapps.operations.list |
Cloud RuntimeConfig Admin( Full access to RuntimeConfig resources. |
runtimeconfig.* |
SLZ BQDW Blueprint Organization Level Remediator Beta( Access to modify (remediate) resources in SLZ BQDW Blueprint at Organization. |
accesscontextmanager. accesscontextmanager. accesscontextmanager. |
SLZ BQDW Blueprint Project Level Remediator Beta( Access to modify (remediate) resources in SLZ BQDW Blueprint at Project. |
bigquery.datasets.get bigquery.datasets.getIamPolicy bigquery.datasets.setIamPolicy bigquery.datasets.update cloudkms.cryptoKeys.get cloudkms. cloudkms.cryptoKeys.list cloudkms. cloudkms.cryptoKeys.update cloudkms.keyRings.getIamPolicy cloudkms.keyRings.setIamPolicy pubsub.topics.get pubsub.topics.getIamPolicy pubsub.topics.list pubsub.topics.setIamPolicy pubsub.topics.update resourcemanager. serviceusage.services.use storage.buckets.get storage.buckets.getIamPolicy storage.buckets.list storage.buckets.setIamPolicy storage.buckets.update |
Overwatch Activator Beta( This role can activate or suspend Overwatches |
resourcemanager.projects.get resourcemanager.projects.list securedlandingzone. securedlandingzone. |
Overwatch Admin Beta( Full access to Overwatches |
resourcemanager.projects.get resourcemanager.projects.list securedlandingzone.* |
Overwatch Viewer Beta( This role can view all properties of Overwatches |
resourcemanager.projects.get resourcemanager.projects.list securedlandingzone. securedlandingzone. securedlandingzone. |
Security Center Management Custom Modules Editor( Full access to manage Cloud Security Command Center custom modules. |
resourcemanager. resourcemanager.projects.get resourcemanager.projects.list securitycentermanagement.* |
Security Center Management Custom Modules Viewer( Readonly access to Cloud Security Command Center custom modules. |
resourcemanager. resourcemanager.projects.get resourcemanager.projects.list securitycentermanagement. securitycentermanagement. securitycentermanagement. securitycentermanagement. securitycentermanagement. securitycentermanagement. securitycentermanagement. securitycentermanagement. securitycentermanagement. securitycentermanagement. |
Security Center Management Custom ETD Modules Editor( Full access to manage Cloud Security Command Center ETD custom modules. |
resourcemanager. resourcemanager.projects.get resourcemanager.projects.list securitycentermanagement. securitycentermanagement. securitycentermanagement. |
Security Center Management ETD Custom Modules Viewer( Read-only access to Cloud Security Command Center ETD custom modules. |
resourcemanager. resourcemanager.projects.get resourcemanager.projects.list securitycentermanagement. securitycentermanagement. securitycentermanagement. securitycentermanagement. securitycentermanagement. |
Security Center Management SHA Custom Modules Editor( Full access to manage Cloud Security Command Center SHA custom modules. |
resourcemanager. resourcemanager.projects.get resourcemanager.projects.list securitycentermanagement. securitycentermanagement. securitycentermanagement. |
Security Center Management SHA Custom Modules Viewer( Read-only access to Cloud Security Command Center SHA custom modules. |
resourcemanager. resourcemanager.projects.get resourcemanager.projects.list securitycentermanagement. securitycentermanagement. securitycentermanagement. securitycentermanagement. securitycentermanagement. securitycentermanagement. |
Security Posture Admin( Full access to Security Posture service APIs. |
orgpolicy.* resourcemanager. securitycenter. securitycentermanagement. securitycentermanagement. securitycentermanagement. securitycentermanagement. securitycentermanagement. securitycentermanagement. securityposture.* |
Security Posture Deployer( Mutate and read permissions to the Posture Deployment resource. |
orgpolicy.* resourcemanager. securitycenter. securitycentermanagement. securitycentermanagement. securitycentermanagement. securityposture.operations.get securityposture. |
Security Posture Deployments Viewer( Read only access to the Posture Deployment resource. |
resourcemanager. securityposture.operations.get securityposture. securityposture. |
Security Posture Resource Editor( Mutate and read permissions to the Posture resource. |
securityposture.operations.get securityposture.postures.* |
Security Posture Resource Viewer( Read only access to the Posture resource. |
resourcemanager. securityposture.operations.get securityposture.postures.get securityposture.postures.list |
Security Posture Shift-Left Validator( Create access for Reports, e.g. IaC Validation Report. |
securityposture.operations.get securityposture.reports.create |
Security Posture Viewer( Read only access to all the SecurityPosture Service resources. |
resourcemanager. securityposture.operations.get securityposture. securityposture. securityposture. securityposture.postures.get securityposture.postures.list |
Personalized Service Health Viewer Beta( Read-only access to Personalized Service Health resources. |
resourcemanager.projects.get resourcemanager.projects.list servicehealth.* |
Security Insights Viewer Beta( Read-only access to Security Insights resources |
servicesecurityinsights.* |
Speaker ID Admin( Grants full access to all Speaker ID resources, including project settings. |
speakerid.* |
Speaker ID Editor( Grants access to read and write all Speaker ID resources. |
speakerid.phrases.* speakerid.speakers.* |
Speaker ID Verifier( Grants read access to all Speaker ID resources, and allows verification. |
speakerid.phrases.get speakerid.phrases.list speakerid.speakers.get speakerid.speakers.list speakerid.speakers.verify |
Speaker ID Viewer( Grants read access to all Speaker ID resources. |
speakerid.phrases.get speakerid.phrases.list speakerid.speakers.get speakerid.speakers.list |
Cloud Speech Administrator( Grants full access to all resources in Speech-to-text |
speech.* |
Cloud Speech Client( Grants access to the recognition APIs. |
speech.adaptations.execute speech.customClasses.get speech.customClasses.list speech.locations.* speech.operations.get speech.operations.list speech.operations.wait speech.phraseSets.get speech.phraseSets.list speech.recognizers.get speech.recognizers.list speech.recognizers.recognize |
Cloud Speech Editor( Grants access to edit resources in Speech-to-text |
speech.adaptations.execute speech.customClasses.* speech.locations.* speech.operations.* speech.phraseSets.* speech.recognizers.* |
Storage Insights Admin( Full access to Storage Insights resources. |
resourcemanager.projects.get resourcemanager.projects.list storageinsights.* |
Storage Insights Analyst( Data access to Storage Insights. |
resourcemanager.projects.get resourcemanager.projects.list storageinsights. storageinsights. storageinsights. storageinsights. storageinsights.locations.* storageinsights.operations.get storageinsights. storageinsights. storageinsights. storageinsights. |
Storage Insights Viewer( Read-only access to Storage Insights resources. |
resourcemanager.projects.get resourcemanager.projects.list storageinsights. storageinsights. storageinsights.locations.* storageinsights.operations.get storageinsights. storageinsights. storageinsights. storageinsights. |
Subscribe with Google Developer Beta( Access DevTools for Subscribe with Google |
resourcemanager.projects.get resourcemanager.projects.list subscribewithgoogledeveloper. |
Telco Automation Admin Beta( Full access to Telco Automation resources. |
logging.buckets.get logging.buckets.list logging.exclusions.get logging.exclusions.list logging.links.get logging.links.list logging.locations.* logging.logEntries.list logging.logMetrics.get logging.logMetrics.list logging.logServiceIndexes.list logging.logServices.list logging.logs.list logging.operations.get logging.operations.list logging.queries.create logging.queries.delete logging.queries.get logging.queries.list logging.queries.listShared logging.queries.update logging.sinks.get logging.sinks.list logging.usage.get logging.views.get logging.views.list monitoring.timeSeries.list resourcemanager.projects.get serviceusage.operations.* serviceusage.quotas.* serviceusage.services.* source.repos.get source.repos.list telcoautomation.* |
Telco Automation Blueprint Designer Beta( Ability to manage blueprints |
telcoautomation. telcoautomation. telcoautomation.blueprints.get telcoautomation. telcoautomation. telcoautomation. telcoautomation. telcoautomation. telcoautomation. telcoautomation. telcoautomation. telcoautomation. telcoautomation. telcoautomation. |
Telco Automation Deployment Admin Beta( Ability to manage deployments |
telcoautomation.blueprints.get telcoautomation. telcoautomation.deployments.* telcoautomation. telcoautomation. telcoautomation. |
Telco Automation Tier 1 Operations Admin Beta( Ability to get status of deployments |
logging.buckets.get logging.buckets.list logging.exclusions.get logging.exclusions.list logging.links.get logging.links.list logging.locations.* logging.logEntries.list logging.logMetrics.get logging.logMetrics.list logging.logServiceIndexes.list logging.logServices.list logging.logs.list logging.operations.get logging.operations.list logging.queries.create logging.queries.delete logging.queries.get logging.queries.list logging.queries.listShared logging.queries.update logging.sinks.get logging.sinks.list logging.usage.get logging.views.get logging.views.list resourcemanager.projects.get telcoautomation.blueprints.get telcoautomation. telcoautomation. telcoautomation. telcoautomation. telcoautomation. telcoautomation. telcoautomation. telcoautomation. |
Telco Automation Tier 4 Operations Admin Beta( Ability to manage deployments and their status |
logging.buckets.get logging.buckets.list logging.exclusions.get logging.exclusions.list logging.links.get logging.links.list logging.locations.* logging.logEntries.list logging.logMetrics.get logging.logMetrics.list logging.logServiceIndexes.list logging.logServices.list logging.logs.list logging.operations.get logging.operations.list logging.queries.create logging.queries.delete logging.queries.get logging.queries.list logging.queries.listShared logging.queries.update logging.sinks.get logging.sinks.list logging.usage.get logging.views.get logging.views.list resourcemanager.projects.get telcoautomation.blueprints.get telcoautomation. telcoautomation.deployments.* telcoautomation. telcoautomation. telcoautomation. |
Telco Automation Service Orchestrator Beta( Ability to manage deployments |
telcoautomation.blueprints.get telcoautomation. telcoautomation.deployments.* telcoautomation. telcoautomation. telcoautomation. |
Timeseries Insights DataSet Editor Beta( Edit access to DataSets. |
timeseriesinsights.* |
Timeseries Insights DataSet Owner Beta( Full access to DataSets. |
timeseriesinsights.* |
Timeseries Insights DataSet Viewer Beta( Read-only access (List and Query) to DataSets. |
timeseriesinsights. timeseriesinsights. timeseriesinsights. timeseriesinsights.locations.* |
Traffic Director Client Beta( Fetch service configurations and report metrics. |
trafficdirector.* |
Translation Hub Admin Beta( Admin of Translation Hub |
automl.models.get automl.models.list automl.models.predict cloudtranslate. cloudtranslate. cloudtranslate. cloudtranslate. cloudtranslate. cloudtranslate.glossaries.get cloudtranslate.glossaries.list cloudtranslate. resourcemanager.projects.get resourcemanager.projects.list translationhub.* |
Translation Hub Portal User Beta( Portal user of Translation Hub |
automl.models.get automl.models.list automl.models.predict cloudtranslate. cloudtranslate. cloudtranslate. cloudtranslate.glossaries.get cloudtranslate.glossaries.list cloudtranslate. resourcemanager.projects.get resourcemanager.projects.list translationhub.portals.get translationhub.portals.list |
Visual Inspection AI Solution Editor( Read and write access to all Visual Inspection AI resources except visualinspection.locations.reportUsageMetrics |
visualinspection. visualinspection. visualinspection.annotations.* visualinspection.datasets.* visualinspection.images.* visualinspection.locations.get visualinspection. visualinspection. visualinspection.models.* visualinspection.modules.* visualinspection.operations.* visualinspection. visualinspection.solutions.* |
Visual Inspection AI Usage Metrics Reporter( ReportUsageMetric access to Visual Inspection AI Service |
visualinspection. |
Visual Inspection AI Viewer( Read access to Visual Inspection AI resources |
visualinspection. visualinspection. visualinspection. visualinspection. visualinspection. visualinspection. visualinspection. visualinspection.datasets.get visualinspection.datasets.list visualinspection.images.get visualinspection.images.list visualinspection.locations.get visualinspection. visualinspection. visualinspection.models.get visualinspection.models.list visualinspection.modules.get visualinspection.modules.list visualinspection.operations.* visualinspection. visualinspection. visualinspection. visualinspection.solutions.get visualinspection. |
PAM roles |
Permissions |
Privileged Access Manager Admin Beta( Full access to Privileged Access Manager resources. |
privilegedaccessmanager.* resourcemanager.projects.get |
Privileged Access Manager Viewer Beta( Read-only access to Privileged Access Manager resources. |
privilegedaccessmanager. privilegedaccessmanager. privilegedaccessmanager. privilegedaccessmanager. privilegedaccessmanager. privilegedaccessmanager. privilegedaccessmanager. privilegedaccessmanager. resourcemanager.projects.get |
Project roles |
Permissions |
Browser( Read access to browse the hierarchy for a project, including the folder, organization, and allow policy. This role doesn't include permission to view resources in the project. Lowest-level resources where you can grant this role:
|
resourcemanager.folders.get resourcemanager.folders.list resourcemanager. resourcemanager.projects.get resourcemanager. resourcemanager.projects.list |
Proximity Beacon roles |
Permissions |
Beacon Attachment Editor( Can create and delete attachments; can list and get a project's beacons; can list a project's namespaces. |
proximitybeacon.attachments.* proximitybeacon.beacons.get proximitybeacon.beacons.list proximitybeacon. resourcemanager.projects.get resourcemanager.projects.list |
Beacon Attachment Publisher( Grants necessary permissions to use beacons to create attachments in namespaces not owned by this project. |
proximitybeacon.beacons.attach proximitybeacon.beacons.get proximitybeacon.beacons.list resourcemanager.projects.get resourcemanager.projects.list |
Beacon Attachment Viewer( Can view all attachments under a namespace; no beacon or namespace permissions. |
proximitybeacon. proximitybeacon. resourcemanager.projects.get resourcemanager.projects.list |
Beacon Editor( Necessary access to register, modify, and view beacons; no attachment or namespace permissions. |
proximitybeacon.beacons.create proximitybeacon.beacons.get proximitybeacon.beacons.list proximitybeacon.beacons.update resourcemanager.projects.get resourcemanager.projects.list |
Pub/Sub roles |
Permissions |
Pub/Sub Admin( Provides full access to topics and subscriptions. Lowest-level resources where you can grant this role:
|
pubsub.* resourcemanager.projects.get serviceusage.quotas.get serviceusage.services.get serviceusage.services.list |
Pub/Sub Editor( Provides access to modify topics and subscriptions, and access to publish and consume messages. Lowest-level resources where you can grant this role:
|
pubsub.schemas.attach pubsub.schemas.commit pubsub.schemas.create pubsub.schemas.delete pubsub.schemas.get pubsub.schemas.list pubsub.schemas.listRevisions pubsub.schemas.rollback pubsub.schemas.validate pubsub.snapshots.create pubsub.snapshots.delete pubsub.snapshots.get pubsub.snapshots.list pubsub.snapshots.seek pubsub.snapshots.update pubsub.subscriptions.consume pubsub.subscriptions.create pubsub.subscriptions.delete pubsub.subscriptions.get pubsub.subscriptions.list pubsub.subscriptions.update pubsub. pubsub.topics.create pubsub.topics.delete pubsub. pubsub.topics.get pubsub.topics.list pubsub.topics.publish pubsub.topics.update pubsub.topics.updateTag resourcemanager.projects.get serviceusage.quotas.get serviceusage.services.get serviceusage.services.list |
Pub/Sub Publisher( Provides access to publish messages to a topic. Lowest-level resources where you can grant this role:
|
pubsub.topics.publish |
Pub/Sub Subscriber( Provides access to consume messages from a subscription and to attach subscriptions to a topic. Lowest-level resources where you can grant this role:
|
pubsub.snapshots.seek pubsub.subscriptions.consume pubsub. |
Pub/Sub Viewer( Provides access to view topics and subscriptions. Lowest-level resources where you can grant this role:
|
pubsub.schemas.get pubsub.schemas.list pubsub.schemas.listRevisions pubsub.schemas.validate pubsub.snapshots.get pubsub.snapshots.list pubsub.subscriptions.get pubsub.subscriptions.list pubsub.topics.get pubsub.topics.list resourcemanager.projects.get serviceusage.quotas.get serviceusage.services.get serviceusage.services.list |
Pub/Sub Lite roles |
Permissions |
Pub/Sub Lite Admin( Full access to topics, subscriptions and reservations. |
pubsublite.* |
Pub/Sub Lite Editor( Modify topics, subscriptions and reservations, publish and consume messages. |
pubsublite.* |
Pub/Sub Lite Publisher( Publish messages to a topic. |
pubsublite. pubsublite. pubsublite.topics.publish |
Pub/Sub Lite Subscriber( Subscribe to and read messages from a topic. |
pubsublite. pubsublite.operations.get pubsublite. pubsublite.subscriptions.seek pubsublite. pubsublite. pubsublite. pubsublite. pubsublite. pubsublite. pubsublite.topics.subscribe |
Pub/Sub Lite Viewer( View topics, subscriptions and reservations. |
pubsublite.operations.* pubsublite.reservations.get pubsublite.reservations.list pubsublite. pubsublite.subscriptions.get pubsublite. pubsublite.subscriptions.list pubsublite.topics.get pubsublite. pubsublite.topics.list pubsublite. |
Rapid Migration Assessment roles |
Permissions |
Rapid Migration Assessment Admin( Full access to all Rapid Migration Assessment resources. |
resourcemanager.projects.get resourcemanager.projects.list rma.* |
Rapid Migration Assessment Runner( Update and read access to all Rapid Migration Assessment resources. |
resourcemanager.projects.get resourcemanager.projects.list rma.annotations.get rma.collectors.get rma.collectors.list rma.collectors.update rma.locations.* rma.operations.get rma.operations.list |
Rapid Migration Assessment Viewer( Read-only access to all Rapid Migration Assessment resources. |
resourcemanager.projects.get resourcemanager.projects.list rma.annotations.get rma.collectors.get rma.collectors.list rma.locations.* rma.operations.get rma.operations.list |
reCAPTCHA Enterprise roles |
Permissions |
reCAPTCHA Enterprise Admin Beta( Access to view and modify reCAPTCHA Enterprise keys |
monitoring.timeSeries.list recaptchaenterprise.keys.* recaptchaenterprise. resourcemanager.projects.get resourcemanager.projects.list |
reCAPTCHA Enterprise Agent Beta( Access to create and annotate reCAPTCHA Enterprise assessments |
recaptchaenterprise. recaptchaenterprise. recaptchaenterprise. resourcemanager.projects.get resourcemanager.projects.list |
reCAPTCHA Enterprise Viewer Beta( Access to view reCAPTCHA Enterprise keys and metrics |
monitoring.timeSeries.list recaptchaenterprise.keys.get recaptchaenterprise.keys.list recaptchaenterprise. resourcemanager.projects.get resourcemanager.projects.list |
Recommendations AI roles |
Permissions |
Recommendations AI Admin Beta( Full access to all Recommendations AI resources. |
automlrecommendations.* resourcemanager.projects.get resourcemanager.projects.list retail.catalogs.list retail.catalogs.update retail.operations.* retail.placements.* retail.products.create retail.products.delete retail.products.export retail.products.get retail.products.import retail.products.list retail.products.purge retail.products.update retail.retailProjects.get retail.userEvents.* serviceusage.services.get serviceusage.services.list |
Recommendations AI Admin Viewer Beta( Viewer of all Recommendations AI resources. |
automlrecommendations. automlrecommendations. automlrecommendations. automlrecommendations. automlrecommendations. automlrecommendations. automlrecommendations. automlrecommendations. automlrecommendations. automlrecommendations. automlrecommendations. resourcemanager.projects.get resourcemanager.projects.list retail.catalogs.list retail.operations.* retail.placements.* retail.products.export retail.products.get retail.products.list retail.retailProjects.get serviceusage.services.get serviceusage.services.list |
Recommendations AI Editor Beta( Editor of all Recommendations AI resources. |
automlrecommendations. automlrecommendations. automlrecommendations. automlrecommendations. automlrecommendations. automlrecommendations. automlrecommendations. automlrecommendations. automlrecommendations. automlrecommendations. automlrecommendations. automlrecommendations. automlrecommendations. automlrecommendations. automlrecommendations. automlrecommendations. automlrecommendations. resourcemanager.projects.get resourcemanager.projects.list retail.catalogs.list retail.catalogs.update retail.operations.* retail.placements.* retail.products.create retail.products.delete retail.products.export retail.products.get retail.products.import retail.products.list retail.products.update retail.retailProjects.get retail.userEvents.create retail.userEvents.import serviceusage.services.get serviceusage.services.list |
Recommendations AI Viewer Beta(
Viewer of all Recommendations resources except |
automlrecommendations. automlrecommendations. automlrecommendations. automlrecommendations. automlrecommendations. automlrecommendations. automlrecommendations. automlrecommendations. automlrecommendations. automlrecommendations. resourcemanager.projects.get resourcemanager.projects.list retail.catalogs.list retail.operations.* retail.placements.* retail.products.export retail.products.get retail.products.list retail.retailProjects.get serviceusage.services.get serviceusage.services.list |
Recommender roles |
Permissions |
BigQuery Slot Recommender Admin Beta( Admin of BigQuery Capacity Commitments insights and recommendations. |
recommender. recommender. recommender.locations.* resourcemanager.projects.get resourcemanager.projects.list |
BigQuery Recommender Billing Account Admin Beta( Billing Account Admin of BigQuery Capacity Commitments insights and recommendations. |
billing.accounts.get billing.accounts.list recommender. recommender. |
BigQuery Recommender Billing Account Viewer Beta( Billing Account Viewer of BigQuery Capacity Commitments insights and recommendations. |
billing.accounts.get billing.accounts.list recommender. recommender. recommender. recommender. |
BigQuery Recommender Project Admin Beta( Project Admin of BigQuery Capacity Commitments insights and recommendations. |
recommender. recommender. recommender.locations.* resourcemanager.projects.get resourcemanager.projects.list |
BigQuery Recommender Project Viewer Beta( Project Viewer of BigQuery Capacity Commitments insights and recommendations. |
recommender. recommender. recommender. recommender. recommender.locations.* resourcemanager.projects.get resourcemanager.projects.list |
BigQuery Slot Recommender Viewer Beta( Viewer of BigQuery Capacity Commitments insights and recommendations. |
recommender. recommender. recommender. recommender. recommender.locations.* resourcemanager.projects.get resourcemanager.projects.list |
BigQuery Materialized View Recommender Admin Alpha( Admin of BigQuery Materialized View Insights and Recommendations. |
recommender. recommender. recommender.locations.* resourcemanager.projects.get resourcemanager.projects.list |
BigQuery Materialized View Recommender Viewer Alpha( Viewer of BigQuery Materialized View Insights and Recommendations. |
recommender. recommender. recommender. recommender. recommender.locations.* resourcemanager.projects.get resourcemanager.projects.list |
BigQuery Partitioning Clustering Recommender Admin Beta( Admin of BigQuery Partitioning Clustering recommendations. |
recommender. recommender. resourcemanager.projects.get resourcemanager.projects.list |
BigQuery Partitioning Clustering Recommender Viewer Beta( Viewer of BigQuery Partitioning Clustering recommendations. |
recommender. recommender. recommender. recommender. resourcemanager.projects.get resourcemanager.projects.list |
Billing Account Usage Commitment Recommender Admin Beta( Admin of Billing Account Usage Commitment Recommender. |
billing.accounts.get billing.accounts.list recommender. recommender. |
Billing Account Usage Commitment Recommender Viewer Beta( Viewer of Billing Account Usage Commitment Recommender. |
billing.accounts.get billing.accounts.list recommender. recommender. recommender. recommender. |
Cloud Asset Insights Admin( Admin of all Cloud Asset insights. |
recommender. resourcemanager.projects.get resourcemanager.projects.list |
Cloud Asset Insights Viewer( Viewer of all Cloud Asset insights. |
recommender. recommender. resourcemanager.projects.get resourcemanager.projects.list |
Cloud Cost General Recommendations Recommender Admin Beta( Admin of Cloud Cost General Recommendations Insights and Recommendations. |
recommender. recommender. recommender.locations.* resourcemanager.projects.get resourcemanager.projects.list |
Cloud Cost General Recommendations Recommender Viewer Beta( Viewer of Cloud Cost General Recommendations Insights and Recommendations. |
recommender. recommender. recommender. recommender. recommender.locations.* resourcemanager.projects.get resourcemanager.projects.list |
Cloud Deprecation General Recommender Admin Beta( Admin of Cloud Deprecation General Recommender Insights and Recommendations. |
recommender. recommender. recommender.locations.* resourcemanager.projects.get resourcemanager.projects.list |
Cloud Deprecation General Recommender Viewer Beta( Viewer of Cloud Deprecation General Recommender Insights and Recommendations. |
recommender. recommender. recommender. recommender. recommender.locations.* resourcemanager.projects.get resourcemanager.projects.list |
Cloud Manageability General Recommendations Recommender Admin Beta( Admin of Cloud Manageability General Recommendations Insights and Recommendations. |
recommender. recommender. recommender.locations.* resourcemanager.projects.get resourcemanager.projects.list |
Cloud Manageability General Recommendations Recommender Viewer Beta( Viewer of Cloud Manageability General Recommendations Insights and Recommendations. |
recommender. recommender. recommender. recommender. recommender.locations.* resourcemanager.projects.get resourcemanager.projects.list |
Cloud Performance General Recommendations Recommender Admin Beta( Admin of Cloud Performance General Recommendations Insights and Recommendations. |
recommender. recommender. recommender.locations.* resourcemanager.projects.get resourcemanager.projects.list |
Cloud Performance General Recommendations Recommender Viewer Beta( Viewer of Cloud Performance General Recommendations Insights and Recommendations. |
recommender. recommender. recommender. recommender. recommender.locations.* resourcemanager.projects.get resourcemanager.projects.list |
Cloud Reliability General Recommendations Recommender Admin Beta( Admin of Cloud Reliability General Recommendations Insights and Recommendations. |
recommender. recommender. recommender.locations.* resourcemanager.projects.get resourcemanager.projects.list |
Cloud Reliability General Recommendations Recommender Viewer Beta( Viewer of Cloud Reliability General Recommendations Insights and Recommendations. |
recommender. recommender. recommender. recommender. recommender.locations.* resourcemanager.projects.get resourcemanager.projects.list |
Cloud Security General Recommendations Recommender Admin Beta( Admin of Cloud Security General Recommendations Insights and Recommendations. |
recommender. recommender. recommender.locations.* resourcemanager.projects.get resourcemanager.projects.list |
Cloud Security General Recommendations Recommender Viewer Beta( Viewer of Cloud Security General Recommendations Insights and Recommendations. |
recommender. recommender. recommender. recommender. recommender.locations.* resourcemanager.projects.get resourcemanager.projects.list |
Cloud SQL Recommender Admin Beta( Admin of Cloud SQL insights and recommendations. |
recommender. recommender. recommender. recommender. recommender. recommender. recommender. recommender. recommender. recommender. recommender. recommender. recommender. recommender. recommender. recommender. recommender. resourcemanager.projects.get resourcemanager.projects.list |
Cloud SQL Recommender Viewer Beta( Viewer of Cloud SQL insights and recommendations. |
recommender. recommender. recommender. recommender. recommender. recommender. recommender. recommender. recommender. recommender. recommender. recommender. recommender. recommender. recommender. recommender. recommender. recommender. recommender. recommender. recommender. recommender. recommender. recommender. recommender. recommender. recommender. recommender. recommender. recommender. recommender. recommender. recommender. recommender. resourcemanager.projects.get resourcemanager.projects.list |
Compute Recommender Admin( Admin of compute recommendations. |
recommender. recommender. recommender. recommender. recommender. recommender. recommender. recommender. recommender. recommender. recommender. recommender. recommender. recommender. recommender. recommender. recommender. recommender. recommender. recommender. recommender. recommender.locations.* resourcemanager.projects.get resourcemanager.projects.list |
Compute Recommender Viewer( Viewer of compute recommendations. |
recommender. recommender. recommender. recommender. recommender. recommender. recommender. recommender. recommender. recommender. recommender. recommender. recommender. recommender. recommender. recommender. recommender. recommender. recommender. recommender. recommender. recommender. recommender. recommender. recommender. recommender. recommender. recommender. recommender. recommender. recommender. recommender. recommender. recommender. recommender. recommender. recommender. recommender. recommender. recommender. recommender.locations.* resourcemanager.projects.get resourcemanager.projects.list |
GKE Diagnosis Recommender Admin( Admin of GKE Diagnosis Insights and Recommendations. |
recommender. recommender. recommender.locations.* resourcemanager.projects.get resourcemanager.projects.list |
GKE Diagnosis Recommender Viewer( Viewer of GKE Diagnosis Insights and Recommendations. |
recommender. recommender. recommender. recommender. recommender.locations.* resourcemanager.projects.get resourcemanager.projects.list |
Dataflow Diagnostics Admin( Admin of Diagnostics recommendations. |
recommender. recommender.locations.* resourcemanager.projects.get resourcemanager.projects.list |
Dataflow Diagnostics Viewer( Viewer of Diagnostics recommendations. |
recommender. recommender. recommender.locations.* resourcemanager.projects.get resourcemanager.projects.list |
Error Reporting Recommender Admin( Admin of Error Reporting Insights and Recommendations. |
recommender. recommender. recommender.locations.* resourcemanager.projects.get resourcemanager.projects.list |
Error Reporting Recommender Viewer( Viewer of Error Reporting Insights and Recommendations. |
recommender. recommender. recommender. recommender. recommender.locations.* resourcemanager.projects.get resourcemanager.projects.list |
Firewall Recommender Admin( Admin of Firewall insights and recommendations. |
monitoring.timeSeries.list recommender. recommender. recommender.locations.* resourcemanager.projects.get resourcemanager.projects.list |
Firewall Recommender Viewer( Viewer of Firewall insights and recommendations. |
monitoring.timeSeries.list recommender. recommender. recommender. recommender.locations.* resourcemanager.projects.get resourcemanager.projects.list |
Google Maps Platform Insights/Recommendations Admin( Admin of all Google Maps Platform insights and recommendations. |
recommender. recommender. recommender. recommender. recommender. recommender. recommender. recommender. resourcemanager.projects.get resourcemanager.projects.list |
Google Maps Platform Insights/Recommendations Viewer( Viewer of all Google Maps Platform insights and recommendations. |
recommender. recommender. recommender. recommender. recommender. recommender. recommender. recommender. recommender. recommender. recommender. recommender. recommender. recommender. recommender. recommender. resourcemanager.projects.get resourcemanager.projects.list |
IAM Recommender Admin( Admin of IAM recommendations. |
recommender. recommender. recommender. recommender. recommender. recommender.locations.* resourcemanager.projects.get resourcemanager.projects.list |
IAM Recommender Viewer( Viewer of IAM recommendations. |
recommender. recommender. recommender. recommender. recommender. recommender. recommender. recommender. recommender. recommender.locations.* resourcemanager.projects.get resourcemanager.projects.list |
IAM Policy Change Risk Recommender Admin Beta( Admin of IAM Policy Change Risk Insights and Recommendations. |
recommender. recommender. recommender.locations.* resourcemanager.projects.get resourcemanager.projects.list |
IAM Policy Change Risk Recommender Viewer Beta( Viewer of IAM Policy Change Risk Insights and Recommendations. |
recommender. recommender. recommender. recommender. recommender.locations.* resourcemanager.projects.get resourcemanager.projects.list |
Network Analyzer Recommender Admin( Admin of Network Analyzer Insights and Recommendations. |
recommender.locations.* recommender. recommender. recommender. recommender. recommender. recommender. recommender. recommender. resourcemanager.projects.get resourcemanager.projects.list |
Network Analyzer Cloud SQL Recommender Admin( Admin of Network Analyzer Cloud SQL Insights and Recommendations. |
recommender.locations.* recommender. resourcemanager.projects.get resourcemanager.projects.list |
Network Analyzer Cloud SQL Recommender Viewer( Viewer of Network Analyzer Cloud SQL Insights and Recommendations. |
recommender.locations.* recommender. recommender. resourcemanager.projects.get resourcemanager.projects.list |
Network Analyzer Dynamic Route Recommender Admin( Admin of Network Analyzer Dynamic Route Insights and Recommendations. |
recommender.locations.* recommender. resourcemanager.projects.get resourcemanager.projects.list |
Network Analyzer Dynamic Route Recommender Viewer( Viewer of Network Analyzer Dynamic Route Insights and Recommendations. |
recommender.locations.* recommender. recommender. resourcemanager.projects.get resourcemanager.projects.list |
Network Analyzer GKE Connectivity Recommender Admin( Admin of Network Analyzer GKE Connectivity Insights and Recommendations. |
recommender.locations.* recommender. resourcemanager.projects.get resourcemanager.projects.list |
Network Analyzer GKE Connectivity Recommender Viewer( Viewer of Network Analyzer GKE Connectivity Insights and Recommendations. |
recommender.locations.* recommender. recommender. resourcemanager.projects.get resourcemanager.projects.list |
Network Analyzer GKE IP Address Recommender Admin( Admin of Network Analyzer GKE IP Address Insights and Recommendations. |
recommender.locations.* recommender. resourcemanager.projects.get resourcemanager.projects.list |
Network Analyzer GKE IP Address Recommender Viewer( Viewer of Network Analyzer GKE IP Address Insights and Recommendations. |
recommender.locations.* recommender. recommender. resourcemanager.projects.get resourcemanager.projects.list |
Network Analyzer GKE Service Account Insights Recommender Admin( Admin of Network Analyzer GKE Service Account Insights Insights and Recommendations. |
recommender.locations.* recommender. resourcemanager.projects.get resourcemanager.projects.list |
Network Analyzer GKE Service Account Insights Recommender Viewer( Viewer of Network Analyzer GKE Service Account Insights Insights and Recommendations. |
recommender.locations.* recommender. recommender. resourcemanager.projects.get resourcemanager.projects.list |
Network Analyzer IP Address Recommender Admin( Admin of Network Analyzer IP Address Insights and Recommendations. |
recommender.locations.* recommender. resourcemanager.projects.get resourcemanager.projects.list |
Network Analyzer IP Address Recommender Viewer( Viewer of Network Analyzer IP Address Insights and Recommendations. |
recommender.locations.* recommender. recommender. resourcemanager.projects.get resourcemanager.projects.list |
Network Analyzer Load Balancer Recommender Admin( Admin of Network Analyzer Load Balancer Insights and Recommendations. |
recommender.locations.* recommender. resourcemanager.projects.get resourcemanager.projects.list |
Network Analyzer Load Balancer Recommender Viewer( Viewer of Network Analyzer Load Balancer Insights and Recommendations. |
recommender.locations.* recommender. recommender. resourcemanager.projects.get resourcemanager.projects.list |
Network Analyzer Recommender Viewer( Viewer of Network Analyzer Insights and Recommendations. |
recommender.locations.* recommender. recommender. recommender. recommender. recommender. recommender. recommender. recommender. recommender. recommender. recommender. recommender. recommender. recommender. recommender. recommender. resourcemanager.projects.get resourcemanager.projects.list |
Network Analyzer VPC Connectivity Recommender Admin( Admin of Network Analyzer VPC Connectivity Insights and Recommendations. |
recommender.locations.* recommender. resourcemanager.projects.get resourcemanager.projects.list |
Network Analyzer VPC Connectivity Recommender Viewer( Viewer of Network Analyzer VPC Connectivity Insights and Recommendations. |
recommender.locations.* recommender. recommender. resourcemanager.projects.get resourcemanager.projects.list |
Product Suggestion Recommenders Admin Beta( Admin of all Product Suggestion insights and recommendations. |
recommender.locations.* recommender. recommender. recommender. recommender. resourcemanager.projects.get resourcemanager.projects.list |
Product Suggestion Recommenders Viewer Beta( Viewer of all Product Suggestion insights and recommendations. |
recommender.locations.* recommender. recommender. recommender. recommender. recommender. recommender. recommender. recommender. resourcemanager.projects.get resourcemanager.projects.list |
Project Usage Commitment Recommender Admin Beta( Admin of Project Usage Commitment Recommender. |
recommender. recommender.locations.* recommender. recommender. resourcemanager.projects.get resourcemanager.projects.list |
Project Usage Commitment Recommender Viewer Beta( Viewer of Project Usage Commitment Recommender. |
recommender. recommender. recommender.locations.* recommender. recommender. recommender. resourcemanager.projects.get resourcemanager.projects.list |
Project Utilization Recommender Admin( Admin of Project Utilization insights and recommendations. |
recommender. recommender. recommender. recommender. resourcemanager.projects.get resourcemanager.projects.list |
Project Utilization Recommender Viewer( Viewer of Project Utilization insights and recommendations. |
recommender. recommender. recommender. recommender. recommender. recommender. resourcemanager.projects.get resourcemanager.projects.list |
RecentChange RecommenderConfig Admin( Admin of RecentChange RecommenderConfigs. |
recommender. recommender.locations.* resourcemanager.projects.get resourcemanager.projects.list |
Recent Change Risk Recommender Admin( Admin of Recent Change Risk Insights and Recommendations. |
recommender. recommender. recommender. recommender.locations.* resourcemanager.projects.get resourcemanager.projects.list |
Recent Change Risk Recommender Viewer( Viewer of Recent Change Risk Insights and Recommendations. |
recommender. recommender. recommender. recommender. recommender.locations.* resourcemanager.projects.get resourcemanager.projects.list |
Service Limit Recommender Admin Beta( Admin of Service Limit insights and recommendations. |
recommender. recommender. resourcemanager.projects.get resourcemanager.projects.list |
Service Limit Recommender Viewer Beta( Viewer of Service Limit insights and recommendations. |
recommender. recommender. recommender. recommender. resourcemanager.projects.get resourcemanager.projects.list |
Service Account Change Risk Recommender Admin Beta( Admin of Service Account Change Risk Insights and Recommendations. |
recommender. recommender. recommender.locations.* resourcemanager.projects.get resourcemanager.projects.list |
Service Account Change Risk Recommender Viewer Beta( Viewer of Service Account Change Risk Insights and Recommendations. |
recommender. recommender. recommender. recommender. recommender.locations.* resourcemanager.projects.get resourcemanager.projects.list |
Spend Based Commitment Recommender Admin Beta( Admin of Spend Based Commitment Recommender. |
billing.accounts.get billing.accounts.list recommender.locations.* recommender. recommender. recommender. |
Spend Based Commitment Recommender Viewer Beta( Viewer of Spend Based Commitment Recommender. |
billing.accounts.get billing.accounts.list recommender.locations.* recommender. recommender. recommender. recommender. recommender. |
Recommender Viewer( Enables Get and List operations. |
recommender. recommender. recommender. recommender. recommender. recommender. recommender. recommender. recommender. recommender. recommender. recommender. recommender. recommender. recommender. recommender. recommender. recommender. recommender. recommender. recommender. recommender. recommender. recommender. recommender. recommender. recommender. recommender. recommender. recommender. recommender. recommender. recommender. recommender. recommender. recommender. recommender. recommender. recommender. recommender. recommender. recommender. recommender. recommender. recommender. recommender. recommender. recommender. recommender. recommender. recommender. recommender. recommender. recommender. recommender. recommender. recommender. recommender. recommender. recommender. recommender. recommender. recommender. recommender. recommender. recommender. recommender. recommender. recommender. recommender. recommender. recommender. recommender. recommender. recommender. recommender. recommender. recommender. recommender. recommender. recommender. recommender. recommender. recommender. recommender. recommender. recommender. recommender. recommender. recommender. recommender. recommender. recommender. recommender. recommender. recommender. recommender. recommender. recommender. recommender. recommender. recommender. recommender. recommender. recommender. recommender. recommender. recommender. recommender. recommender. recommender. recommender. recommender. recommender. recommender. recommender. recommender. recommender. recommender. recommender. recommender. recommender. recommender. recommender. recommender. recommender. recommender. recommender. recommender. recommender. recommender. recommender.costInsights.get recommender.costInsights.list recommender. recommender. recommender. recommender. recommender. recommender. recommender. recommender. recommender. recommender. recommender. recommender. recommender. recommender. recommender. recommender. recommender. recommender. 
recommender. recommender. recommender. recommender. recommender. recommender. recommender. recommender. recommender. recommender. recommender. recommender. recommender. recommender. recommender. recommender. recommender. recommender. recommender. recommender. recommender. recommender.locations.* recommender. recommender. recommender. recommender. recommender. recommender. recommender. recommender. recommender. recommender. recommender. recommender. recommender. recommender. recommender. recommender. recommender. recommender. recommender. recommender. recommender. recommender. recommender. recommender. recommender. recommender. recommender. recommender. recommender. recommender. recommender. recommender. recommender. recommender. recommender. recommender. recommender. recommender. recommender. recommender. recommender. recommender. recommender. recommender. recommender. recommender. recommender. recommender. recommender. recommender. recommender. recommender. recommender. recommender. recommender. recommender. recommender. recommender. recommender. recommender. recommender. resourcemanager.projects.get |
Resource Manager roles |
Permissions |
Folder Admin( Provides all available permissions for working with folders. Lowest-level resources where you can grant this role:
|
essentialcontacts.* orgpolicy.constraints.list orgpolicy.policies.list orgpolicy.policy.get resourcemanager.folders.* resourcemanager. resourcemanager.projects.get resourcemanager. resourcemanager.projects.list resourcemanager.projects.move resourcemanager. |
Folder Creator( Provides permissions needed to browse the hierarchy and create folders. Lowest-level resources where you can grant this role:
|
essentialcontacts.contacts.get essentialcontacts. orgpolicy.constraints.list orgpolicy.policies.list orgpolicy.policy.get resourcemanager.folders.create resourcemanager.folders.get resourcemanager.folders.list resourcemanager.projects.get resourcemanager.projects.list |
Folder Editor( Provides permission to modify folders as well as to view a folder's allow policy. Lowest-level resources where you can grant this role:
|
essentialcontacts.contacts.get essentialcontacts. orgpolicy.constraints.list orgpolicy.policies.list orgpolicy.policy.get resourcemanager.folders.delete resourcemanager.folders.get resourcemanager. resourcemanager.folders.list resourcemanager. resourcemanager.folders.update resourcemanager.projects.get resourcemanager.projects.list |
Folder IAM Admin( Provides permissions to administer allow policies on folders. Lowest-level resources where you can grant this role:
|
resourcemanager.folders.get resourcemanager. resourcemanager. |
Folder Mover( Provides permission to move projects and folders into and out of a parent organization or folder. Lowest-level resources where you can grant this role:
|
resourcemanager.folders.move resourcemanager.projects.move |
Folder Viewer( Provides permission to get a folder and list the folders and projects below a resource. Lowest-level resources where you can grant this role:
|
essentialcontacts.contacts.get essentialcontacts. orgpolicy.constraints.list orgpolicy.policies.list orgpolicy.policy.get resourcemanager.folders.get resourcemanager.folders.list resourcemanager.projects.get resourcemanager.projects.list |
Project Lien Modifier( Provides access to modify Liens on projects. Lowest-level resources where you can grant this role:
|
resourcemanager. |
Organization Administrator( Access to manage IAM policies and view organization policies for organizations, folders, and projects. Lowest-level resources where you can grant this role:
|
essentialcontacts.* orgpolicy.constraints.list orgpolicy.policies.list orgpolicy.policy.get resourcemanager.folders.get resourcemanager. resourcemanager.folders.list resourcemanager. resourcemanager. resourcemanager.projects.get resourcemanager. resourcemanager.projects.list resourcemanager. |
Organization Viewer( Provides access to view an organization. Lowest-level resources where you can grant this role:
|
resourcemanager. |
Project Creator( Provides access to create new projects. Once a user creates a project, they're automatically granted the owner role for that project. Lowest-level resources where you can grant this role:
|
resourcemanager. resourcemanager. |
Project Deleter( Provides access to delete Google Cloud projects. Lowest-level resources where you can grant this role:
|
resourcemanager. |
Project IAM Admin( Provides permissions to administer allow policies on projects. Lowest-level resources where you can grant this role:
|
resourcemanager.projects.get resourcemanager. resourcemanager. |
Project Mover( Provides access to update and move projects. Lowest-level resources where you can grant this role:
|
resourcemanager.projects.get resourcemanager.projects.move resourcemanager. |
Tag Administrator( Access to create, delete, update, and manage access to Tags |
resourcemanager.tagHolds.* resourcemanager.tagKeys.* resourcemanager.tagValues.* |
Tag Hold Administrator( Access to create, delete and list TagHolds under a TagValue |
resourcemanager.tagHolds.* |
Tag User( Access to list Tags and manage their associations with resources |
alloydb. alloydb. alloydb. alloydb. alloydb. alloydb. alloydb. alloydb. artifactregistry. artifactregistry. artifactregistry. artifactregistry. bigquery. bigquery. bigquery. bigquery. bigquery. bigquery. bigtable. bigtable. bigtable. bigtable. bigtable. bigtable. bigtable. bigtable. cloudkms. cloudkms. cloudkms. cloudkms. cloudsql. cloudsql. cloudsql. cloudsql. compute. compute. compute. compute. compute. compute. compute. compute. compute.disks.createTagBinding compute.disks.deleteTagBinding compute. compute.disks.listTagBindings compute. compute. compute. compute. compute. compute. compute. compute. compute. compute. compute. compute. compute. compute. compute. compute. compute. compute. compute. compute. compute. compute. compute. compute. compute. compute. compute. compute. compute. compute. compute. compute. compute. compute. compute. compute.images.listTagBindings compute. compute. compute. compute. compute. compute. compute. compute. compute. compute. compute. compute. compute. compute. compute. compute. compute. compute. compute. compute. compute. compute. compute. compute. compute. compute. compute. compute. compute. compute. compute. compute. compute. compute. compute. compute. compute. compute. compute. compute. compute. compute. compute. compute. compute. compute. compute. compute. compute. compute. compute. compute. compute. compute. compute. compute.routes.listTagBindings compute. compute. compute. compute. compute. compute. compute. compute. compute. compute. compute. compute. compute. compute. compute. compute. compute. compute. compute. compute. compute. compute. compute. compute. compute. compute. compute. compute. compute. compute. compute. compute. compute. compute. compute. compute. compute. compute. compute. compute. compute. compute. compute. compute. compute. compute. compute. compute. container. container. container. container. datastore. datastore. datastore. datastore. datastream. datastream. datastream. datastream. datastream. 
datastream. datastream. datastream. datastream. datastream. datastream. datastream. domains. domains. domains. domains. file.backups.createTagBinding file.backups.deleteTagBinding file.backups.listEffectiveTags file.backups.listTagBindings file. file. file. file.instances.listTagBindings file. file. file. file.snapshots.listTagBindings managedidentities. managedidentities. managedidentities. managedidentities. redis. redis. redis. redis. resourcemanager. resourcemanager.projects.get resourcemanager.tagKeys.get resourcemanager.tagKeys.list resourcemanager. resourcemanager.tagValues.get resourcemanager.tagValues.list run.jobs.createTagBinding run.jobs.deleteTagBinding run.jobs.listEffectiveTags run.jobs.listTagBindings run.services.createTagBinding run.services.deleteTagBinding run.services.listEffectiveTags run.services.listTagBindings spanner. spanner. spanner. spanner. storage. storage. storage. storage. |
Tag Viewer( Access to list Tags and their associations with resources |
alloydb. alloydb. alloydb. alloydb. artifactregistry. artifactregistry. bigquery. bigquery. bigtable. bigtable. bigtable. bigtable. cloudkms. cloudkms. cloudsql. cloudsql. compute. compute. compute. compute. compute. compute.disks.listTagBindings compute. compute. compute. compute. compute. compute. compute. compute. compute. compute. compute. compute. compute. compute. compute. compute. compute. compute.images.listTagBindings compute. compute. compute. compute. compute. compute. compute. compute. compute. compute. compute. compute. compute. compute. compute. compute. compute. compute. compute. compute. compute. compute. compute. compute. compute. compute. compute. compute.routes.listTagBindings compute. compute. compute. compute. compute. compute. compute. compute. compute. compute. compute. compute. compute. compute. compute. compute. compute. compute. compute. compute. compute. compute. compute. compute. container. container. datastore. datastore. datastream. datastream. datastream. datastream. datastream. datastream. domains. domains. file.backups.listEffectiveTags file.backups.listTagBindings file. file.instances.listTagBindings file. file.snapshots.listTagBindings managedidentities. managedidentities. redis. redis. resourcemanager. resourcemanager. resourcemanager.tagHolds.list resourcemanager.tagKeys.get resourcemanager.tagKeys.list resourcemanager.tagValues.get resourcemanager.tagValues.list run.jobs.listEffectiveTags run.jobs.listTagBindings run.services.listEffectiveTags run.services.listTagBindings spanner. spanner. storage. storage. |
Resource Settings roles |
Permissions |
Resource Settings Administrator( Provides admin capabilities to set Resource Setting Values on resources. Lowest-level resources where you can grant this role:
|
resourcesettings.* |
Resource Settings Viewer( Provides capabilities to view Resource Settings and Resource Setting Values on resources. |
resourcesettings.settings.get resourcesettings.settings.list |
Risk Manager roles |
Permissions |
Risk Manager Admin Beta( Grants all Risk Manager permissions |
resourcemanager.projects.get resourcemanager.projects.list riskmanager.* |
Risk Manager Editor Beta( Access to edit Risk Manager resources |
resourcemanager.projects.get resourcemanager.projects.list riskmanager. riskmanager.operations.* riskmanager.policies.* riskmanager.reports.create riskmanager.reports.delete riskmanager.reports.get riskmanager.reports.list riskmanager. riskmanager.settings.* |
Risk Manager Report Reviewer Beta( Access to review Risk Manager reports |
resourcemanager.projects.get resourcemanager.projects.list riskmanager. riskmanager.operations.get riskmanager.operations.list riskmanager.reports.get riskmanager.reports.list riskmanager.reports.review |
Risk Manager Viewer Beta( Access to view Risk Manager resources |
resourcemanager.projects.get resourcemanager.projects.list riskmanager. riskmanager.operations.get riskmanager.operations.list riskmanager.policies.* riskmanager.reports.get riskmanager.reports.list riskmanager.settings.get |
Roles roles |
Permissions |
Organization Role Administrator( Provides access to administer all custom roles in the organization and the projects below it. Lowest-level resources where you can grant this role:
|
iam.roles.* resourcemanager. resourcemanager. resourcemanager.projects.get resourcemanager. resourcemanager.projects.list |
Organization Role Viewer( Provides read access to all custom roles in the organization and the projects below it. Lowest-level resources where you can grant this role:
|
iam.roles.get iam.roles.list resourcemanager. resourcemanager. resourcemanager.projects.get resourcemanager. resourcemanager.projects.list |
Role Administrator( Provides access to all custom roles in the project. Lowest-level resources where you can grant this role:
|
iam.roles.* resourcemanager.projects.get resourcemanager. |
Role Viewer( Provides read access to all custom roles in the project. Lowest-level resources where you can grant this role:
|
iam.roles.get iam.roles.list resourcemanager.projects.get resourcemanager. |
Secret Manager roles |
Permissions |
Secret Manager Admin( Full access to administer Secret Manager resources. Lowest-level resources where you can grant this role:
|
resourcemanager.projects.get resourcemanager.projects.list secretmanager.* |
Secret Manager Secret Accessor( Allows accessing the payload of secrets. Lowest-level resources where you can grant this role:
|
resourcemanager.projects.get resourcemanager.projects.list secretmanager.versions.access |
Secret Manager Secret Version Adder( Allows adding versions to existing secrets. Lowest-level resources where you can grant this role:
|
resourcemanager.projects.get resourcemanager.projects.list secretmanager.versions.add |
Secret Manager Secret Version Manager( Allows creating and managing versions of existing secrets. Lowest-level resources where you can grant this role:
|
resourcemanager.projects.get resourcemanager.projects.list secretmanager.versions.add secretmanager.versions.destroy secretmanager.versions.disable secretmanager.versions.enable secretmanager.versions.get secretmanager.versions.list |
Secret Manager Viewer( Allows viewing metadata of all Secret Manager resources. Lowest-level resources where you can grant this role:
|
resourcemanager.projects.get resourcemanager.projects.list secretmanager.locations.* secretmanager.secrets.get secretmanager. secretmanager.secrets.list secretmanager.versions.get secretmanager.versions.list |
Secure Source Manager roles |
Permissions |
Secure Source Manager Admin Beta( Full access to all Secure Source Manager resources. |
resourcemanager.projects.get resourcemanager.projects.list securesourcemanager.* |
Secure Source Manager Instance Accessor Beta( An instance accessor can access an instance, but not necessarily create resources in the instance. |
resourcemanager.projects.get resourcemanager.projects.list securesourcemanager. securesourcemanager. securesourcemanager. securesourcemanager. securesourcemanager. |
Secure Source Manager Instance Manager Beta( Read-write access to all Secure Source Manager resources (full control except for the ability to modify permissions). |
resourcemanager.projects.get resourcemanager.projects.list securesourcemanager. securesourcemanager. securesourcemanager. securesourcemanager. securesourcemanager. securesourcemanager. securesourcemanager. securesourcemanager.sshkeys.* |
Secure Source Manager Instance Owner Beta( Full control over Secure Source Manager instances, including listing, creating, and deleting them. Also enables instance user management. |
resourcemanager.projects.get resourcemanager.projects.list securesourcemanager. securesourcemanager. securesourcemanager. securesourcemanager.sshkeys.* |
Secure Source Manager Instance Repository Creator Beta( An instance repository creator can connect to a Cloud Git instance via IAP (HTTPS) and create repositories in the instance. |
resourcemanager.projects.get resourcemanager.projects.list securesourcemanager. securesourcemanager. securesourcemanager. securesourcemanager. securesourcemanager. securesourcemanager. |
Secure Source Manager Repository Admin Beta( A repoAdmin has the ability to CRUD a repository and its children as well as assign users to a repository. They can also set, get, or check IAM policies on the repository. |
resourcemanager.projects.get resourcemanager.projects.list securesourcemanager. |
Secure Source Manager Repository Creator Beta( A repoCreator has access to create a repository in a project; the creator then becomes the repoAdmin on this repository. |
resourcemanager.projects.get resourcemanager.projects.list securesourcemanager. |
Secure Source Manager Repository Reader Beta( A repoReader has read access to a particular repository, including its child components. They cannot create repositories, and do not manage IAM policies on the repository. |
resourcemanager.projects.get resourcemanager.projects.list securesourcemanager. securesourcemanager. securesourcemanager. securesourcemanager. securesourcemanager. |
Secure Source Manager Repository Writer Beta( A repoWriter has read/write access to a particular repository, including its child components. They cannot create repositories, and do not manage IAM policies on the repository. |
resourcemanager.projects.get resourcemanager.projects.list securesourcemanager. securesourcemanager. securesourcemanager. securesourcemanager. securesourcemanager. securesourcemanager. securesourcemanager. securesourcemanager. |
Secure Source Manager SSH Key User Beta( An sshKeyUser can create SSH keys for themselves and list/delete SSH keys they own. |
resourcemanager.projects.get resourcemanager.projects.list securesourcemanager. securesourcemanager. securesourcemanager. securesourcemanager. |
Security Center roles |
Permissions |
Security Center Admin( Admin (super user) access to security center. Lowest-level resources where you can grant this role:
|
appengine.applications.get artifactregistry. artifactregistry.files.* artifactregistry.locations.* artifactregistry. artifactregistry.npmpackages.* artifactregistry.packages.get artifactregistry.packages.list artifactregistry. artifactregistry. artifactregistry. artifactregistry. artifactregistry. artifactregistry. artifactregistry. artifactregistry. artifactregistry. artifactregistry.tags.get artifactregistry.tags.list artifactregistry.versions.get artifactregistry.versions.list assuredoss.* cloudasset. cloudasset. cloudasset. cloudasset. cloudasset. cloudasset. cloudasset. cloudasset. cloudasset. cloudsecurityscanner.* compute.addresses.list iam.serviceAccounts.create iam.serviceAccounts.get resourcemanager.folders.get resourcemanager.folders.list resourcemanager. resourcemanager.projects.get resourcemanager.projects.list resourcemanager.tagValues.get securitycenter.* securitycentermanagement.* serviceusage.quotas.get serviceusage.services.enable serviceusage.services.get serviceusage.services.list |
Security Center Admin Editor( Admin Read-write access to security center. Lowest-level resources where you can grant this role:
|
appengine.applications.get artifactregistry. artifactregistry.files.* artifactregistry.locations.* artifactregistry. artifactregistry.npmpackages.* artifactregistry.packages.get artifactregistry.packages.list artifactregistry. artifactregistry. artifactregistry. artifactregistry. artifactregistry. artifactregistry. artifactregistry. artifactregistry. artifactregistry.tags.get artifactregistry.tags.list artifactregistry.versions.get artifactregistry.versions.list assuredoss.config.get assuredoss.locations.* assuredoss.metadata.* assuredoss.operations.get assuredoss.operations.list cloudasset. cloudasset. cloudasset. cloudasset. cloudasset. cloudasset. cloudasset. cloudasset. cloudasset. cloudsecurityscanner.* compute.addresses.list resourcemanager.folders.get resourcemanager.folders.list resourcemanager. resourcemanager.projects.get resourcemanager.projects.list resourcemanager.tagValues.get securitycenter.assets.* securitycenter. securitycenter. securitycenter. securitycenter. securitycenter. securitycenter. securitycenter. securitycenter. securitycenter. securitycenter. securitycenter. securitycenter. securitycenter.findings.* securitycenter. securitycenter. securitycenter. securitycenter.muteconfigs.* securitycenter. securitycenter. securitycenter. securitycenter. securitycenter. securitycenter. securitycenter. securitycenter. securitycenter. securitycenter. securitycenter. securitycenter. securitycenter.simulations.get securitycenter.sources.get securitycenter.sources.list securitycenter.sources.update securitycenter. securitycenter. securitycenter. securitycenter. securitycenter. securitycenter. securitycenter. securitycentermanagement. securitycentermanagement. securitycentermanagement. securitycentermanagement. securitycentermanagement. securitycentermanagement. securitycentermanagement. securitycentermanagement. securitycentermanagement. securitycentermanagement. serviceusage.quotas.get serviceusage.services.get serviceusage.services.list |
Security Center Admin Viewer( Admin Read access to security center. Lowest-level resources where you can grant this role:
|
artifactregistry. artifactregistry.files.* artifactregistry.locations.* artifactregistry. artifactregistry.npmpackages.* artifactregistry.packages.get artifactregistry.packages.list artifactregistry. artifactregistry. artifactregistry. artifactregistry. artifactregistry. artifactregistry. artifactregistry. artifactregistry. artifactregistry.tags.get artifactregistry.tags.list artifactregistry.versions.get artifactregistry.versions.list assuredoss.config.get assuredoss.locations.* assuredoss.metadata.* assuredoss.operations.get assuredoss.operations.list cloudasset. cloudasset. cloudasset. cloudasset. cloudasset. cloudasset. cloudasset. cloudasset. cloudasset. cloudsecurityscanner. cloudsecurityscanner.results.* cloudsecurityscanner. cloudsecurityscanner. cloudsecurityscanner. cloudsecurityscanner.scans.get cloudsecurityscanner. resourcemanager.folders.get resourcemanager.folders.list resourcemanager. resourcemanager.projects.get resourcemanager.projects.list resourcemanager.tagValues.get securitycenter.assets.group securitycenter.assets.list securitycenter. securitycenter. securitycenter. securitycenter. securitycenter. securitycenter. securitycenter. securitycenter. securitycenter. securitycenter. securitycenter. securitycenter. securitycenter.findings.group securitycenter.findings.list securitycenter. securitycenter. securitycenter. securitycenter.muteconfigs.get securitycenter. securitycenter. securitycenter. securitycenter. securitycenter. securitycenter. securitycenter. securitycenter. securitycenter. securitycenter. securitycenter. securitycenter. securitycenter. securitycenter. securitycenter. securitycenter.simulations.get securitycenter.sources.get securitycenter.sources.list securitycenter. securitycenter. securitycenter. securitycenter. securitycenter. securitycenter. securitycenter. securitycentermanagement. securitycentermanagement. securitycentermanagement. securitycentermanagement. securitycentermanagement. securitycentermanagement. 
securitycentermanagement. securitycentermanagement. securitycentermanagement. securitycentermanagement. serviceusage.quotas.get serviceusage.services.get serviceusage.services.list |
Security Center Asset Security Marks Writer( Write access to asset security marks Lowest-level resources where you can grant this role:
|
securitycenter. securitycenter. |
Security Center Assets Discovery Runner( Run asset discovery access to assets Lowest-level resources where you can grant this role:
|
securitycenter. securitycenter. |
Security Center Assets Viewer( Read access to assets Lowest-level resources where you can grant this role:
|
cloudasset. cloudasset. cloudasset. cloudasset. cloudasset. cloudasset. cloudasset. cloudasset. cloudasset. resourcemanager.folders.get resourcemanager. resourcemanager.projects.get securitycenter.assets.group securitycenter.assets.list securitycenter. securitycenter. |
Security Center Attack Paths Reader( Read access to security center attack paths |
securitycenter. |
Security Center BigQuery Exports Editor( Read-Write access to security center BigQuery Exports |
resourcemanager.folders.get resourcemanager.folders.list resourcemanager. resourcemanager.projects.get resourcemanager.projects.list securitycenter. |
Security Center BigQuery Exports Viewer( Read access to security center BigQuery Exports |
resourcemanager.folders.get resourcemanager.folders.list resourcemanager. resourcemanager.projects.get resourcemanager.projects.list securitycenter. securitycenter. |
Security Center Compliance Snapshots Viewer Beta( Read access to security center compliance snapshots |
securitycenter. |
Security Center External Systems Editor( Write access to security center external systems |
securitycenter. |
Security Center Finding Security Marks Writer( Write access to finding security marks Lowest-level resources where you can grant this role:
|
securitycenter. securitycenter. |
Security Center Findings Bulk Mute Editor( Ability to mute findings in bulk |
securitycenter. |
Security Center Findings Editor( Read-write access to findings Lowest-level resources where you can grant this role:
|
resourcemanager.folders.get resourcemanager. resourcemanager.projects.get securitycenter. securitycenter. securitycenter. securitycenter.findings.group securitycenter.findings.list securitycenter. securitycenter. securitycenter. securitycenter.findings.update securitycenter.sources.get securitycenter.sources.list securitycenter. |
Security Center Findings Mute Setter( Set mute access to findings |
securitycenter. |
Security Center Findings State Setter( Set state access to findings Lowest-level resources where you can grant this role:
|
securitycenter. securitycenter. |
Security Center Findings Viewer( Read access to findings Lowest-level resources where you can grant this role:
|
resourcemanager.folders.get resourcemanager. resourcemanager.projects.get securitycenter. securitycenter. securitycenter.findings.group securitycenter.findings.list securitycenter. securitycenter.sources.get securitycenter.sources.list securitycenter. |
Security Center Findings Workflow State Setter Beta( Set workflow state access to findings Lowest-level resources where you can grant this role:
|
securitycenter. securitycenter. |
Security Center Mute Configurations Editor( Read-Write access to security center mute configurations |
securitycenter.muteconfigs.* |
Security Center Mute Configurations Viewer( Read access to security center mute configurations |
securitycenter.muteconfigs.get securitycenter. |
Security Center Notification Configurations Editor( Write access to notification configurations Lowest-level resources where you can grant this role:
|
securitycenter. securitycenter. |
Security Center Notification Configurations Viewer( Read access to notification configurations Lowest-level resources where you can grant this role:
|
securitycenter. securitycenter. securitycenter. |
Security Center Resource Value Configurations Editor( Read-Write access to security center resource value configurations |
resourcemanager.tagValues.get securitycenter. |
Security Center Resource Value Configurations Viewer( Read access to security center resource value configurations |
resourcemanager.tagValues.get securitycenter. securitycenter. |
Security Health Analytics Custom Modules Tester( Test access to Security Health Analytics Custom Modules |
securitycenter. securitycenter. securitycentermanagement. securitycentermanagement. |
Security Center Settings Admin( Admin (super user) access to security center settings Lowest-level resources where you can grant this role:
|
resourcemanager.folders.get resourcemanager.folders.list resourcemanager. resourcemanager.projects.get resourcemanager.projects.list securitycenter. securitycenter. securitycenter. securitycenter. securitycenter. securitycenter.muteconfigs.* securitycenter. securitycenter. securitycenter. securitycenter. securitycenter. securitycenter. securitycenter. securitycenter. securitycenter. securitycenter. securitycenter. securitycenter. securitycenter. securitycenter. securitycentermanagement.* |
Security Center Settings Editor( Read-Write access to security center settings Lowest-level resources where you can grant this role:
|
resourcemanager.folders.get resourcemanager.folders.list resourcemanager. resourcemanager.projects.get resourcemanager.projects.list securitycenter. securitycenter. securitycenter. securitycenter. securitycenter. securitycenter.muteconfigs.* securitycenter. securitycenter. securitycenter. securitycenter. securitycenter. securitycenter. securitycenter. securitycenter. securitycenter. securitycenter. securitycenter. securitycenter. securitycenter. securitycenter. securitycentermanagement.* |
Security Center Settings Viewer( Read access to security center settings Lowest-level resources where you can grant this role:
|
resourcemanager.folders.get resourcemanager.folders.list resourcemanager. resourcemanager.projects.get resourcemanager.projects.list securitycenter. securitycenter. securitycenter. securitycenter. securitycenter. securitycenter. securitycenter. securitycenter. securitycenter. securitycenter.muteconfigs.get securitycenter. securitycenter. securitycenter. securitycenter. securitycenter. securitycenter. securitycenter. securitycenter. securitycenter. securitycenter. securitycenter. securitycenter. securitycenter. securitycenter. securitycenter. securitycenter. securitycenter. securitycentermanagement. securitycentermanagement. securitycentermanagement. securitycentermanagement. securitycentermanagement. securitycentermanagement. securitycentermanagement. securitycentermanagement. securitycentermanagement. securitycentermanagement. |
Security Center Simulations Reader( Read access to security center simulations |
securitycenter.simulations.get |
Security Center Sources Admin( Admin access to sources Lowest-level resources where you can grant this role:
|
resourcemanager. securitycenter.sources.* securitycenter. |
Security Center Sources Editor( Read-write access to sources Lowest-level resources where you can grant this role:
|
resourcemanager. securitycenter.sources.get securitycenter.sources.list securitycenter.sources.update securitycenter. |
Security Center Sources Viewer( Read access to sources Lowest-level resources where you can grant this role:
|
resourcemanager. securitycenter.sources.get securitycenter.sources.list securitycenter. |
Security Center Valued Resources Reader( Read access to security center valued resources |
securitycenter. |
Serverless VPC Access roles | Permissions |
Serverless VPC Access Admin( Full access to all Serverless VPC Access resources |
resourcemanager.projects.get resourcemanager.projects.list vpcaccess.* |
Serverless VPC Access User( User of Serverless VPC Access connectors |
compute.networks.access resourcemanager.projects.get resourcemanager.projects.list vpcaccess.connectors.get vpcaccess.connectors.list vpcaccess.connectors.use vpcaccess.locations.list vpcaccess.operations.* |
Serverless VPC Access Viewer( Viewer of all Serverless VPC Access resources |
resourcemanager.projects.get resourcemanager.projects.list vpcaccess.connectors.get vpcaccess.connectors.list vpcaccess.locations.list vpcaccess.operations.* |
Service Accounts roles | Permissions |
Service Account Admin( Create and manage service accounts. Lowest-level resources where you can grant this role:
|
iam.serviceAccounts.create iam.serviceAccounts.delete iam.serviceAccounts.disable iam.serviceAccounts.enable iam.serviceAccounts.get iam. iam.serviceAccounts.list iam. iam.serviceAccounts.undelete iam.serviceAccounts.update resourcemanager.projects.get resourcemanager.projects.list |
Create Service Accounts( Access to create service accounts. |
iam.serviceAccounts.create iam.serviceAccounts.get iam.serviceAccounts.list resourcemanager.projects.get resourcemanager.projects.list |
Delete Service Accounts( Access to delete service accounts. |
iam.serviceAccounts.delete iam.serviceAccounts.get iam.serviceAccounts.list resourcemanager.projects.get resourcemanager.projects.list |
Service Account Key Admin( Create and manage (and rotate) service account keys. Lowest-level resources where you can grant this role:
|
iam.serviceAccountKeys.* iam.serviceAccounts.get iam.serviceAccounts.list resourcemanager.projects.get resourcemanager.projects.list |
Service Account OpenID Connect Identity Token Creator( Create OpenID Connect (OIDC) identity tokens |
iam. |
Service Account Token Creator( Impersonate service accounts (create OAuth2 access tokens, sign blobs or JWTs, etc.). Lowest-level resources where you can grant this role:
|
iam.serviceAccounts.get iam. iam. iam. iam.serviceAccounts.list iam.serviceAccounts.signBlob iam.serviceAccounts.signJwt resourcemanager.projects.get resourcemanager.projects.list |
Service Account User( Run operations as the service account. Lowest-level resources where you can grant this role:
|
iam.serviceAccounts.actAs iam.serviceAccounts.get iam.serviceAccounts.list resourcemanager.projects.get resourcemanager.projects.list |
View Service Accounts( Read access to service accounts, metadata, and keys. |
iam.serviceAccountKeys.get iam.serviceAccountKeys.list iam.serviceAccounts.get iam. iam.serviceAccounts.list resourcemanager.projects.get resourcemanager.projects.list |
Workload Identity User( Impersonate service accounts from federated workloads. |
iam.serviceAccounts.get iam. iam. iam.serviceAccounts.list |
Service Agents roles | Permissions |
Vertex AI Colab Service Agent( Gives Vertex AI Colab the proper permissions to function. |
compute.addresses.get compute.addresses.list compute.addresses.use compute.addresses.useInternal compute.disks.create compute.disks.createSnapshot compute.disks.createTagBinding compute.disks.delete compute.disks.get compute.disks.setLabels compute.disks.use compute.disks.useReadOnly compute.globalOperations.get compute.instances.attachDisk compute.instances.create compute. compute.instances.delete compute.instances.detachDisk compute.instances.get compute.instances.setLabels compute.instances.setMetadata compute. compute.instances.setTags compute.instances.start compute.instances.stop compute.instances.useReadOnly compute.networks.get compute.networks.use compute.networks.useExternalIp compute.snapshots.create compute.snapshots.delete compute.snapshots.useReadOnly compute.subnetworks.get compute.subnetworks.list compute.subnetworks.use compute. compute.zoneOperations.get notebooks.instances.create notebooks.instances.delete notebooks.instances.get |
Vertex AI Custom Code Service Agent( Gives Vertex AI Custom Code the proper permissions. |
aiplatform.annotationSpecs.* aiplatform.annotations.* aiplatform.artifacts.* aiplatform. aiplatform.contexts.* aiplatform.customJobs.* aiplatform.dataItems.* aiplatform.dataLabelingJobs.* aiplatform.datasetVersions.* aiplatform.datasets.* aiplatform. aiplatform. aiplatform. aiplatform.edgeDevices.* aiplatform.endpoints.create aiplatform.endpoints.delete aiplatform.endpoints.deploy aiplatform.endpoints.explain aiplatform.endpoints.get aiplatform.endpoints.list aiplatform.endpoints.predict aiplatform.endpoints.undeploy aiplatform.endpoints.update aiplatform.entityTypes.create aiplatform.entityTypes.delete aiplatform. aiplatform. aiplatform.entityTypes.get aiplatform. aiplatform.entityTypes.list aiplatform. aiplatform. aiplatform.entityTypes.update aiplatform. aiplatform.executions.* aiplatform.extensions.* aiplatform.featureGroups.* aiplatform. aiplatform.featureViewSyncs.* aiplatform.featureViews.* aiplatform.features.* aiplatform. aiplatform. aiplatform. aiplatform. aiplatform.featurestores.get aiplatform. aiplatform.featurestores.list aiplatform. aiplatform. aiplatform. aiplatform.humanInTheLoops.* aiplatform. aiplatform.indexEndpoints.* aiplatform.indexes.* aiplatform.locations.* aiplatform.metadataSchemas.* aiplatform.metadataStores.* aiplatform. aiplatform. aiplatform.modelEvaluations.* aiplatform.models.* aiplatform.nasJobs.* aiplatform.nasTrialDetails.* aiplatform. aiplatform. aiplatform. aiplatform. aiplatform. aiplatform. aiplatform.notebookRuntimes.* aiplatform.operations.list aiplatform. aiplatform. aiplatform.pipelineJobs.* aiplatform.schedules.* aiplatform.specialistPools.* aiplatform.studies.* aiplatform. aiplatform.tensorboardRuns.* aiplatform. aiplatform.tensorboards.create aiplatform.tensorboards.delete aiplatform.tensorboards.get aiplatform.tensorboards.list aiplatform.tensorboards.update aiplatform.trainingPipelines.* aiplatform.trials.* artifactregistry. artifactregistry. artifactregistry. 
artifactregistry.tags.get artifactregistry.versions.get bigquery.datasets.create bigquery.datasets.get bigquery.jobs.create bigquery.jobs.get bigquery.readsessions.create bigquery.readsessions.getData bigquery.tables.create bigquery.tables.export bigquery.tables.get bigquery.tables.getData bigquery.tables.update bigquery.tables.updateData iam.serviceAccounts.get iam. iam. iam. iam.serviceAccounts.list iam.serviceAccounts.signBlob iam.serviceAccounts.signJwt logging.logEntries.create logging.logEntries.route monitoring. monitoring. monitoring. monitoring. monitoring.timeSeries.create resourcemanager.projects.get resourcemanager.projects.list serviceusage.services.use storage.buckets.create storage.buckets.delete storage.buckets.get storage.buckets.list storage.objects.create storage.objects.delete storage.objects.get storage.objects.list storage.objects.update |
Vertex AI Extension Custom Code Service Agent Alpha( Gives Vertex AI Extension that executes custom code the permissions it needs to function. |
logging.logEntries.create logging.logEntries.route orgpolicy.policy.get resourcemanager.projects.get resourcemanager.projects.list storage.managedFolders.create storage.managedFolders.delete storage.managedFolders.get storage.managedFolders.list storage.multipartUploads.* storage.objects.* |
Vertex AI Extension Service Agent Alpha( Gives Vertex AI Extension the permissions it needs to function. |
aiplatform.endpoints.predict iam. iam. logging.logEntries.create logging.logEntries.route storage.objects.get |
Vertex AI Notebook Service Agent( Vertex AI Service Agent used to run Notebook managed resources in user project with restricted permissions. |
logging.logEntries.create logging.logEntries.route monitoring. monitoring. monitoring. monitoring. monitoring.timeSeries.create |
Vertex AI RAG Data Service Agent( Vertex AI Service Agent used by Vertex RAG to access user imported data and Vertex AI in the project |
aiplatform.endpoints.predict logging.logEntries.create logging.logEntries.route storage.buckets.get storage.buckets.list storage.objects.get storage.objects.list |
Vertex AI Rapid Eval Service Agent Alpha( Vertex AI Service Agent used by GenAI Rapid Evaluation Service to access publisher model endpoints in the user project |
aiplatform.endpoints.predict |
Vertex AI Reasoning Engine Service Agent Alpha( Gives Vertex AI Reasoning Engine the proper permissions to function. |
aiplatform.endpoints.create aiplatform.endpoints.delete aiplatform.endpoints.deploy aiplatform.endpoints.explain aiplatform.endpoints.get aiplatform.endpoints.list aiplatform.endpoints.predict aiplatform.endpoints.undeploy aiplatform.endpoints.update logging.logEntries.create logging.logEntries.route monitoring. monitoring. monitoring. monitoring. monitoring.timeSeries.create serviceusage.services.use storage.buckets.get storage.buckets.list storage.objects.get storage.objects.list |
Vertex AI Service Agent( Gives Vertex AI the permissions it needs to function. |
aiplatform.annotationSpecs.* aiplatform.annotations.* aiplatform.artifacts.* aiplatform. aiplatform.contexts.* aiplatform.customJobs.* aiplatform.dataItems.* aiplatform.dataLabelingJobs.* aiplatform.datasetVersions.* aiplatform.datasets.* aiplatform. aiplatform. aiplatform. aiplatform.edgeDevices.* aiplatform.endpoints.create aiplatform.endpoints.delete aiplatform.endpoints.deploy aiplatform.endpoints.explain aiplatform.endpoints.get aiplatform.endpoints.list aiplatform.endpoints.predict aiplatform.endpoints.undeploy aiplatform.endpoints.update aiplatform.entityTypes.create aiplatform.entityTypes.delete aiplatform. aiplatform. aiplatform.entityTypes.get aiplatform. aiplatform.entityTypes.list aiplatform. aiplatform. aiplatform.entityTypes.update aiplatform. aiplatform.executions.* aiplatform.extensions.* aiplatform.featureGroups.* aiplatform. aiplatform.featureViewSyncs.* aiplatform.featureViews.* aiplatform.features.* aiplatform. aiplatform. aiplatform. aiplatform. aiplatform.featurestores.get aiplatform. aiplatform.featurestores.list aiplatform. aiplatform. aiplatform. aiplatform.humanInTheLoops.* aiplatform. aiplatform.indexEndpoints.* aiplatform.indexes.* aiplatform.locations.* aiplatform.metadataSchemas.* aiplatform.metadataStores.* aiplatform. aiplatform. aiplatform.modelEvaluations.* aiplatform.models.* aiplatform.nasJobs.* aiplatform.nasTrialDetails.* aiplatform. aiplatform. aiplatform. aiplatform. aiplatform. aiplatform. aiplatform.notebookRuntimes.* aiplatform.operations.list aiplatform. aiplatform. aiplatform.pipelineJobs.* aiplatform.schedules.* aiplatform.specialistPools.* aiplatform.studies.* aiplatform. aiplatform.tensorboardRuns.* aiplatform. aiplatform.tensorboards.create aiplatform.tensorboards.delete aiplatform.tensorboards.get aiplatform.tensorboards.list aiplatform.tensorboards.update aiplatform.trainingPipelines.* aiplatform.trials.* artifactregistry. artifactregistry. artifactregistry. artifactregistry. artifactregistry. 
artifactregistry.tags.get artifactregistry.versions.get automl.datasets.export automl.datasets.get automl.datasets.list automl.modelEvaluations.list automl.models.get automl.models.list automl.operations.get automl.tableSpecs.get bigquery.datasets.create bigquery.datasets.get bigquery.jobs.create bigquery.jobs.get bigquery.models.create bigquery.models.export bigquery.models.getData bigquery.readsessions.create bigquery.readsessions.getData bigquery.tables.create bigquery.tables.export bigquery.tables.get bigquery.tables.getData bigquery.tables.update bigquery.tables.updateData bigtable.tables.get bigtable.tables.list bigtable.tables.readRows compute.addresses.get compute.addresses.list compute.addresses.use compute.addresses.useInternal compute.disks.create compute.disks.createSnapshot compute.disks.createTagBinding compute.disks.delete compute.disks.get compute.disks.setLabels compute.disks.use compute.disks.useReadOnly compute.globalOperations.get compute.instances.attachDisk compute.instances.create compute. compute.instances.delete compute.instances.detachDisk compute.instances.get compute.instances.setLabels compute.instances.setMetadata compute. compute.instances.setTags compute.instances.start compute.instances.stop compute.instances.useReadOnly compute.machineTypes.get compute.networks.get compute.networks.use compute.networks.useExternalIp compute.snapshots.create compute.snapshots.delete compute.snapshots.useReadOnly compute.subnetworks.get compute.subnetworks.list compute.subnetworks.use compute. compute.zoneOperations.get dataflow.jobs.* dataflow.messages.list dataflow.metrics.get dataflow.snapshots.* datalabeling. datalabeling.datasets.export datalabeling.datasets.get datalabeling.datasets.list datalabeling.operations.get iam.serviceAccounts.actAs iam. logging.logEntries.create logging.logEntries.route ml.models.list ml.operations.get ml.versions.get ml.versions.list monitoring. 
notebooks.instances.create notebooks.instances.delete notebooks.instances.get resourcemanager.projects.get resourcemanager.projects.list run.executions.delete run.executions.get run.jobs.create run.jobs.delete run.jobs.get run.jobs.run run.jobs.update run.operations.delete run.operations.get run.routes.invoke run.services.create run.services.delete run.services.get serviceusage.services.use storage.buckets.create storage.buckets.delete storage.buckets.get storage.buckets.list storage.objects.create storage.objects.delete storage.objects.get storage.objects.list storage.objects.update |
Vertex AI Tuning Service Agent Alpha( Vertex AI Service Agent used for tuning in user project. |
aiplatform.artifacts.* aiplatform. aiplatform. aiplatform. aiplatform.contexts.* aiplatform.endpoints.create aiplatform.endpoints.deploy aiplatform.endpoints.get aiplatform.metadataSchemas.* aiplatform.metadataStores.* aiplatform.models.get aiplatform.models.upload aiplatform.operations.list aiplatform. aiplatform.tensorboardRuns.* aiplatform. aiplatform.tensorboards.create aiplatform.tensorboards.delete aiplatform.tensorboards.get aiplatform.tensorboards.list aiplatform.tensorboards.update resourcemanager.projects.get storage.buckets.create storage.buckets.get storage.buckets.getIamPolicy storage.buckets.list storage.buckets.update storage.objects.create storage.objects.delete storage.objects.get storage.objects.getIamPolicy storage.objects.list storage.objects.update |
AlloyDB Service Agent( Gives the AlloyDB service account permission to manage customer resources |
alloydb.clusters.list |
Anthos Service Agent( Gives the Anthos service agent access to Google Cloud resources. |
gkehub.features.get gkehub.locations.* gkehub.memberships.get gkehub.memberships.list serviceusage.services.get serviceusage.services.list |
Anthos Audit Service Agent( Gives the Anthos Audit service agent access to Cloud Platform resources. |
gkehub.features.get gkehub.locations.* gkehub.memberships.get gkehub.memberships.list |
Anthos Config Management Service Agent( Gives the Anthos Config Management service agent access to Google Cloud resources. |
container.clusters.get gkehub.features.get gkehub.locations.* gkehub.memberships.get gkehub.memberships.list |
Anthos Identity Service Agent( Gives the Anthos Identity service agent access to Google Cloud resources. |
gkehub.features.get gkehub.locations.* gkehub.memberships.get gkehub.memberships.list |
Anthos Policy Controller Service Agent( Gives the Anthos Policy Controller service agent access to Cloud Platform resources. |
gkehub.features.get gkehub.locations.* gkehub.memberships.get gkehub.memberships.list |
Anthos Service Mesh Service Agent( Gives the Anthos Service Mesh service agent access to Cloud Platform resources. |
compute.backendServices.create compute.backendServices.delete compute.backendServices.get compute.backendServices.list compute.backendServices.update compute.backendServices.use compute.firewalls.create compute.firewalls.delete compute.firewalls.get compute.firewalls.update compute. compute. compute. compute. compute. compute. compute. compute.globalOperations.get compute.healthChecks.create compute.healthChecks.delete compute.healthChecks.get compute.healthChecks.list compute.healthChecks.update compute.healthChecks.use compute. compute. compute. compute. compute. compute. compute. compute. compute.networks.updatePolicy container.backendConfigs.* container. container.clusterRoles.* container.clusters.get container.clusters.update container.configMaps.* container. container. container. container. container.daemonSets.create container.daemonSets.delete container.daemonSets.get container.daemonSets.getStatus container.daemonSets.list container.daemonSets.update container.deployments.get container.deployments.list container.events.get container.events.list container.jobs.create container.jobs.delete container.jobs.get container.jobs.list container.jobs.update container. container. container. container. container.namespaces.create container.namespaces.get container.namespaces.list container.operations.get container.pods.get container.pods.list container.secrets.* container. container. container.serviceAccounts.get container.serviceAccounts.list container. container.services.get container.services.list container. container. container. container. container. gkehub.features.get gkehub.gateway.delete gkehub.gateway.get gkehub.gateway.patch gkehub.gateway.post gkehub.gateway.put gkehub.locations.* gkehub.memberships.get gkehub.memberships.list logging.logEntries.create meshconfig.projects.init monitoring. monitoring. monitoring. monitoring. monitoring.timeSeries.create networksecurity. networksecurity. networksecurity. networksecurity. networksecurity. networksecurity. 
networksecurity. networksecurity. networksecurity. networksecurity. networksecurity. networksecurity. networksecurity.operations.* networksecurity. networksecurity. networksecurity. networksecurity. networksecurity. networksecurity. networkservices. networkservices. networkservices. networkservices. networkservices. networkservices. networkservices.gateways.* networkservices. networkservices. networkservices.grpcRoutes.get networkservices. networkservices. networkservices.grpcRoutes.use networkservices. networkservices. networkservices. networkservices. networkservices. networkservices. networkservices. networkservices. networkservices.httpRoutes.get networkservices. networkservices. networkservices.httpRoutes.use networkservices.meshes.create networkservices.meshes.delete networkservices.meshes.get networkservices.meshes.list networkservices.meshes.update networkservices.meshes.use networkservices.operations.* networkservices. networkservices. networkservices. networkservices.tcpRoutes.get networkservices.tcpRoutes.list networkservices. networkservices.tcpRoutes.use networkservices.tlsRoutes.* serviceusage.services.get serviceusage.services.use trafficdirector.* workloadcertificate. workloadcertificate. workloadcertificate. workloadcertificate. workloadcertificate. workloadcertificate. |
Anthos Support Service Agent( Gives the Anthos Support Service Agent access to Cloud Platform resources. |
gkehub.features.get gkehub.features.getIamPolicy gkehub.features.list gkehub.fleet.get gkehub.fleet.getFreeTrial gkehub.gateway.get gkehub.locations.* gkehub.membershipbindings.get gkehub.membershipbindings.list gkehub. gkehub.memberships.get gkehub. gkehub.memberships.list gkehub.namespaces.get gkehub.namespaces.list gkehub.operations.get gkehub.operations.list gkehub.rbacrolebindings.get gkehub.rbacrolebindings.list gkehub.scopes.get gkehub.scopes.list gkehub. resourcemanager.projects.get resourcemanager.projects.list serviceusage.services.get |
Cloud API Gateway Service Agent( Gives Cloud API Gateway service account access to Service Management check and reports as well as impersonation on user-specified service accounts. |
iam. iam. servicemanagement. servicemanagement. servicemanagement. |
Cloud API Gateway Management Service Agent( Gives Cloud API Gateway service account access to retrieve a Service configuration. |
iam.serviceAccounts.get servicemanagement. servicemanagement. servicemanagement.services.get servicemanagement. servicemanagement. serviceusage.services.get |
Apigee Service Agent( Service agent that grants access to Apigee resources - API Products, Developers, Developer Apps, and App Keys. |
apigee.apiproducts.get apigee.apiproducts.list apigee.appkeys.create apigee.appkeys.delete apigee.appkeys.manage apigee.apps.get apigee.canaryevaluations.* apigee.developerapps.* apigee.developers.create apigee.developers.delete apigee.developers.get apigee.environments.get apigee. apigee. apigee.ingressconfigs.get apigee.instances.reportStatus apigee.operations.* apigee.organizations.get apigee.proxyrevisions.get apigee.runtimeconfigs.get cloudtrace.traces.patch iam. iam. logging.buckets.create logging.buckets.get logging.buckets.list logging.views.create logging.views.get logging.views.list monitoring. monitoring. monitoring. monitoring. monitoring.timeSeries.create |
App Development Experience Service Agent( Give the App Development Experience service agent access to Cloud Platform resources. |
container.clusters.get container.clusters.update gkehub.features.get gkehub.locations.* gkehub.memberships.get gkehub.memberships.list |
App Engine Standard Environment Service Agent( Give App Engine Standard Environment service account access to managed resources. Includes access to service accounts. |
appengine.versions.delete appengine.versions.get appengine.versions.list appengine.versions.update artifactregistry. artifactregistry. artifactregistry.files.* artifactregistry. artifactregistry.locations.* artifactregistry. artifactregistry.npmpackages.* artifactregistry.packages.get artifactregistry.packages.list artifactregistry. artifactregistry. artifactregistry. artifactregistry. artifactregistry. artifactregistry. artifactregistry. artifactregistry. artifactregistry. artifactregistry.tags.create artifactregistry.tags.get artifactregistry.tags.list artifactregistry.tags.update artifactregistry.versions.get artifactregistry.versions.list artifactregistry. datastore.databases.get datastore.entities.create datastore.entities.delete datastore.entities.get datastore.entities.list datastore.entities.update datastore.indexes.list datastore.namespaces.* datastore.statistics.* iam. iam. iam.serviceAccounts.signBlob serviceusage.services.enable serviceusage.services.get storage.buckets.create storage.buckets.get |
App Engine flexible environment Service Agent( Can edit and manage App Engine Flexible Environment apps. Includes access to service accounts. |
billing.accounts.get cloudbuild.builds.create cloudbuild.builds.get compute.addresses.create compute.addresses.delete compute.addresses.get compute.addresses.list compute.addresses.use compute.autoscalers.create compute.autoscalers.delete compute.autoscalers.get compute.autoscalers.update compute.backendServices.create compute.backendServices.delete compute.backendServices.get compute.backendServices.list compute.backendServices.update compute.backendServices.use compute.disks.create compute.disks.list compute.firewalls.create compute.firewalls.delete compute.firewalls.get compute.firewalls.list compute.firewalls.update compute.forwardingRules.create compute.forwardingRules.delete compute.forwardingRules.get compute.globalAddresses.create compute.globalAddresses.delete compute.globalAddresses.get compute.globalAddresses.use compute. compute. compute. compute.globalOperations.get compute.healthChecks.create compute.healthChecks.delete compute.healthChecks.get compute.healthChecks.update compute. compute. compute. compute.httpHealthChecks.get compute.httpHealthChecks.use compute. compute. compute. compute.httpsHealthChecks.get compute. compute.httpsHealthChecks.use compute. compute.images.get compute.images.useReadOnly compute. compute. compute. compute. compute. compute.instanceGroups.create compute.instanceGroups.delete compute.instanceGroups.get compute.instanceGroups.update compute.instanceGroups.use compute. compute. compute.instanceTemplates.get compute. compute.instances.attachDisk compute.instances.create compute.instances.delete compute.instances.detachDisk compute.instances.get compute. compute. 
compute.instances.list compute.instances.reset compute.instances.setLabels compute.instances.setMetadata compute.instances.setTags compute.instances.start compute.instances.stop compute.instances.use compute.machineTypes.get compute.networks.create compute.networks.delete compute.networks.get compute.networks.updatePolicy compute.networks.use compute.networks.useExternalIp compute.projects.get compute. compute. compute. compute. compute. compute. compute. compute.regionOperations.get compute.regions.get compute.routes.create compute.routes.delete compute.routes.get compute.routes.list compute.subnetworks.delete compute.subnetworks.get compute.subnetworks.use compute. compute. compute. compute.targetHttpProxies.get compute.targetHttpProxies.use compute. compute. compute.targetHttpsProxies.get compute. compute.targetHttpsProxies.use compute.urlMaps.create compute.urlMaps.delete compute.urlMaps.get compute.urlMaps.update compute.urlMaps.use compute.zoneOperations.get compute.zoneOperations.list compute.zones.* deploymentmanager. deploymentmanager. deploymentmanager. deploymentmanager. deploymentmanager. deploymentmanager. deploymentmanager.manifests.* deploymentmanager.operations.* deploymentmanager. deploymentmanager. iam.serviceAccounts.actAs iam.serviceAccounts.get iam. iam.serviceAccounts.signBlob iam.serviceAccounts.signJwt logging.logEntries.create logging.logMetrics.create logging.logMetrics.delete logging.logMetrics.get logging.logMetrics.update resourcemanager. resourcemanager.projects.get resourcemanager. resourcemanager. storage.buckets.create storage.buckets.delete storage.buckets.get storage.buckets.getIamPolicy storage.buckets.setIamPolicy storage.buckets.update storage.objects.create storage.objects.delete storage.objects.get storage.objects.getIamPolicy storage.objects.list |
Artifact Registry Service Agent( Gives the Artifact Registry service account access to managed resources. |
artifactregistry. artifactregistry. artifactregistry. artifactregistry. pubsub.topics.publish |
Assured Workloads Monitoring Service Agent( Gives the Assured Workloads service account access to create a CAIS feed and monitor Assured Workloads. |
cloudasset. cloudasset.assets.listResource cloudasset.feeds.create cloudasset.feeds.delete cloudasset.feeds.get |
Assured Workloads Service Agent( Gives the Assured Workloads service account access to create KMS keyrings and keys, and to monitor Assured Workloads. |
cloudkms.cryptoKeys.create cloudkms.keyRings.create serviceusage.services.enable serviceusage.services.get serviceusage.services.use |
Audit Manager Auditing Service Agent( Grants the Audit Manager service agent access to various list and get RPCs of products so that it can perform an audit. |
cloudasset.assets.* cloudsql.instances.list compute.autoscalers.list compute.backendServices.list compute.disks.list compute.firewalls.list compute.forwardingRules.list compute. compute. compute.instanceGroups.list compute.instances.list compute.regionSslPolicies.list compute. compute.regionUrlMaps.list compute.routers.list compute.securityPolicies.list compute.sslCertificates.list compute.sslPolicies.list compute.subnetworks.list compute.targetHttpProxies.list compute.targetSslProxies.list compute.urlMaps.list compute.vpnGateways.list compute.zones.list container.clusters.list logging.buckets.list monitoring.timeSeries.list orgpolicy.policy.get recommender. recommender. recommender.locations.* resourcemanager.folders.get resourcemanager. resourcemanager.folders.list resourcemanager. resourcemanager. resourcemanager.projects.get resourcemanager. resourcemanager.projects.list serviceusage.operations.get serviceusage.operations.list serviceusage.quotas.get serviceusage.services.get serviceusage.services.list storage.buckets.get storage.buckets.getIamPolicy storage.buckets.list |
AutoML Service Agent( AutoML service agent can act as Cloud Storage admin and export BigQuery tables, which can be backed by Cloud Storage and Cloud Bigtable. |
bigquery.datasets.create bigquery.datasets.get bigquery.jobs.create bigquery.tables.create bigquery.tables.export bigquery.tables.get bigquery.tables.getData bigquery.tables.update bigquery.tables.updateData bigtable.tables.get bigtable.tables.list bigtable.tables.readRows serviceusage.services.use storage.buckets.get storage.objects.create storage.objects.delete storage.objects.get storage.objects.list storage.objects.update |
Recommendations AI Service Agent( Recommendations AI service uploads catalog feeds from Cloud Storage, reports results to the customer Cloud Storage bucket, writes logs to customer projects, and writes and reads Stackdriver metrics for customer projects. |
bigquery.datasets.create bigquery.datasets.get bigquery.jobs.create bigquery.jobs.get bigquery.jobs.list bigquery.jobs.update bigquery.tables.create bigquery.tables.export bigquery.tables.get bigquery.tables.getData bigquery.tables.list bigquery.tables.update bigquery.tables.updateData cloudnotifications. dataflow.jobs.* dataflow.messages.list dataflow.metrics.get logging.logEntries.create logging.logEntries.route monitoring.alertPolicies.get monitoring.alertPolicies.list monitoring.dashboards.get monitoring.dashboards.list monitoring.groups.get monitoring.groups.list monitoring. monitoring. monitoring. monitoring. monitoring. monitoring. monitoring. monitoring.publicWidgets.get monitoring.publicWidgets.list monitoring.services.get monitoring.services.list monitoring.slos.get monitoring.slos.list monitoring.snoozes.get monitoring.snoozes.list monitoring.timeSeries.* monitoring. monitoring. opsconfigmonitoring. resourcemanager.projects.get resourcemanager.projects.list stackdriver.projects.get stackdriver. storage.buckets.create storage.buckets.get storage.objects.create storage.objects.delete storage.objects.get storage.objects.list storage.objects.update |
Backup and DR Service Agent( Grants the Backup and DR Service access to protect Compute Engine instances. |
compute.addresses.list compute.addresses.use compute.diskTypes.* compute.disks.create compute.disks.createSnapshot compute.disks.delete compute.disks.get compute.disks.setLabels compute.disks.use compute.firewalls.list compute.globalOperations.get compute.images.create compute.images.delete compute.images.get compute.images.useReadOnly compute.instances.attachDisk compute.instances.create compute.instances.delete compute.instances.detachDisk compute.instances.get compute.instances.list compute.instances.setLabels compute.instances.setMetadata compute. compute.instances.setTags compute.instances.start compute.instances.stop compute.machineTypes.* compute.networks.list compute.nodeGroups.get compute.nodeGroups.list compute.nodeTemplates.get compute.projects.get compute.regionOperations.get compute.regions.* compute.snapshots.create compute.snapshots.delete compute.snapshots.get compute.snapshots.setLabels compute.snapshots.useReadOnly compute.subnetworks.list compute.subnetworks.use compute. compute.zoneOperations.get compute.zones.list iam.serviceAccounts.actAs iam.serviceAccounts.get iam.serviceAccounts.list resourcemanager.projects.get resourcemanager.projects.list |
Bare Metal Solution Service Agent( Gives permission to manage network resources such as interconnect pairing keys, required for Bare Metal Solution. |
compute. compute. compute.interconnects.get compute.interconnects.list compute.networks.get compute.networks.list compute.projects.get resourcemanager.projects.get |
Google Batch Service Agent( Gives Google Batch account access to manage customer resources. |
compute.acceleratorTypes.* compute. compute. compute.addresses.get compute.addresses.list compute.addresses.use compute.addresses.useInternal compute.autoscalers.* compute.backendBuckets.get compute.backendBuckets.list compute. compute. compute.backendServices.get compute.backendServices.list compute. compute. compute.diskTypes.* compute. compute.disks.create compute.disks.createSnapshot compute.disks.createTagBinding compute.disks.delete compute.disks.deleteTagBinding compute.disks.get compute.disks.getIamPolicy compute.disks.list compute. compute.disks.listTagBindings compute. compute.disks.resize compute.disks.setLabels compute. compute. compute. compute.disks.update compute.disks.use compute.disks.useReadOnly compute. compute. compute.firewalls.get compute.firewalls.list compute. compute. compute.forwardingRules.get compute.forwardingRules.list compute. compute. compute.globalAddresses.get compute.globalAddresses.list compute.globalAddresses.use compute. compute. compute. compute. compute. compute. compute.globalOperations.get compute.globalOperations.list compute.healthChecks.get compute.healthChecks.list compute. compute. compute.httpHealthChecks.get compute.httpHealthChecks.list compute. compute. compute.httpsHealthChecks.get compute.httpsHealthChecks.list compute. compute. compute.images.create compute. compute.images.delete compute. compute.images.deprecate compute.images.get compute.images.getFromFamily compute.images.getIamPolicy compute.images.list compute. compute.images.listTagBindings compute.images.setLabels compute.images.update compute.images.useReadOnly compute. compute.instanceGroups.* compute.instanceSettings.* compute. compute. compute.instanceTemplates.get compute. compute.instanceTemplates.list compute. compute. compute. compute. compute.instances.attachDisk compute.instances.create compute. compute.instances.delete compute. compute. compute.instances.detachDisk compute.instances.get compute. compute. compute.instances.getIamPolicy compute. 
compute. compute. compute. compute.instances.list compute. compute. compute. compute.instances.osAdminLogin compute.instances.osLogin compute. compute. compute. compute.instances.reset compute.instances.resume compute. compute. compute. compute.instances.setLabels compute. compute. compute.instances.setMetadata compute. compute.instances.setName compute. compute. compute. compute. compute. compute.instances.setTags compute. compute.instances.start compute. compute.instances.stop compute.instances.suspend compute.instances.update compute. compute. compute. compute. compute. compute. compute.instances.use compute.instances.useReadOnly compute. compute. compute. compute.instantSnapshots.get compute. compute.instantSnapshots.list compute. compute. compute. compute. compute. compute. compute.interconnects.get compute.interconnects.list compute.licenseCodes.get compute. compute.licenseCodes.list compute.licenseCodes.update compute.licenseCodes.use compute.licenses.create compute.licenses.delete compute.licenses.get compute.licenses.getIamPolicy compute.licenses.list compute.machineImages.create compute.machineImages.delete compute.machineImages.get compute. compute.machineImages.list compute. compute.machineTypes.* compute.networkAttachments.get compute. compute. compute. compute. compute. compute. compute. compute. compute. compute. compute. compute. compute. compute.networks.get compute.networks.list compute. compute. compute.networks.use compute.networks.useExternalIp compute.projects.get compute. compute. compute. compute. compute. compute. compute. compute.regionHealthChecks.get compute. compute. compute. compute. compute. compute. compute.regionOperations.get compute.regionOperations.list compute. compute. compute. compute. compute.regionSslPolicies.get compute.regionSslPolicies.list compute. compute. compute. compute. compute. compute. compute. compute. compute. compute. compute. compute.regionUrlMaps.get compute.regionUrlMaps.list compute. compute. 
compute.regions.* compute.reservations.get compute.reservations.list compute. compute. compute.resourcePolicies.get compute. compute.resourcePolicies.list compute. compute.resourcePolicies.use compute. compute.routers.get compute.routers.getRoutePolicy compute.routers.list compute.routers.listBgpRoutes compute. compute.routes.get compute.routes.list compute. compute.routes.listTagBindings compute.serviceAttachments.get compute. compute.snapshots.create compute. compute.snapshots.delete compute. compute.snapshots.get compute.snapshots.getIamPolicy compute.snapshots.list compute. compute. compute.snapshots.setLabels compute.snapshots.useReadOnly compute.sslCertificates.get compute.sslCertificates.list compute. compute. compute.sslPolicies.get compute.sslPolicies.list compute. compute. compute. compute.storagePools.get compute.storagePools.list compute.storagePools.use compute.subnetworks.get compute.subnetworks.list compute. compute. compute.subnetworks.use compute. compute.targetGrpcProxies.get compute.targetGrpcProxies.list compute.targetHttpProxies.get compute.targetHttpProxies.list compute. compute. compute.targetHttpsProxies.get compute. compute. compute. compute.targetInstances.get compute.targetInstances.list compute. compute. compute.targetPools.get compute.targetPools.list compute. compute. compute.targetSslProxies.get compute.targetSslProxies.list compute. compute. compute.targetTcpProxies.get compute.targetTcpProxies.list compute. compute. compute.targetVpnGateways.get compute.targetVpnGateways.list compute.urlMaps.get compute.urlMaps.list compute. compute. compute.vpnGateways.get compute.vpnGateways.list compute.vpnTunnels.get compute.vpnTunnels.list compute.zoneOperations.get compute.zoneOperations.list compute.zones.* iam.serviceAccounts.actAs pubsub.topics.publish resourcemanager.projects.get resourcemanager.projects.list serviceusage.quotas.get serviceusage.services.get serviceusage.services.list serviceusage.services.use |
BigQuery Connection Service Agent( Gives BigQuery Connection Service access to Cloud SQL instances in user projects. |
cloudsql.instances.connect cloudsql.instances.get logging.logEntries.create logging.logEntries.route monitoring. monitoring. monitoring. monitoring. monitoring.timeSeries.create |
BigQuery Continuous Query Service Agent( Gives BigQuery Continuous Query access to the service accounts in the user project. |
iam. |
BigQuery Data Transfer Service Agent( Gives BigQuery Data Transfer Service access to start BigQuery jobs in the consumer project. |
bigquery.config.get bigquery.jobs.create compute.networkAttachments.get compute. compute.regionOperations.get compute.subnetworks.use dataform.locations.* dataform.repositories.create dataform.repositories.list iam. logging.logEntries.create logging.logEntries.route resourcemanager.projects.get resourcemanager.projects.list |
BigQuery Omni Service Agent( Gives BigQuery Omni access to tables in user projects. |
bigquery.jobs.create bigquery.tables.updateData |
BigQuery Spark Service Agent( Gives BigQuery Spark access to the service accounts in the user project. |
iam. |
Binary Authorization Service Agent( Can read Notes and Occurrences from the Container Analysis Service to find and verify signatures. |
artifactregistry. artifactregistry. binaryauthorization. binaryauthorization. binaryauthorization. binaryauthorization. binaryauthorization. cloudasset. cloudasset.feeds.create cloudasset.feeds.delete cloudasset.feeds.get cloudasset.feeds.update containeranalysis.notes.get containeranalysis.notes.list containeranalysis. containeranalysis. containeranalysis. resourcemanager.projects.get resourcemanager.projects.list storage.objects.list |
Certificate Manager Service Agent( Grants Certificate Manager access to services and APIs in the user project. |
certificatemanager. |
Chronicle Service Agent( Grants Chronicle scoped access to the customer project. |
chronicle.instances.get monitoring.alertPolicies.* |
Chronicle SOAR Service Agent Alpha( Gives Chronicle SOAR the ability to perform remediation on Cloud Platform resources. |
cloudasset. cloudasset. cloudasset. compute.instances.get compute.instances.list compute.instances.stop compute.zones.list iam.serviceAccounts.disable iam.serviceAccounts.list recommender. resourcemanager. securitycenter. securitycenter.findings.list securitycenter. securitycenter. securitycenter. securitycenter. |
Effective Policies Service Agent( Gives the effective policy service account access to search all resources and IAM policies. |
cloudasset. cloudasset. |
Cloud Asset Service Agent( Gives Cloud Asset service agent permissions to Cloud Storage and BigQuery for exporting Assets, and permission to publish to Cloud Pub/Sub topics for Asset Real Time Feed. |
bigquery.datasets.get bigquery.jobs.create bigquery.jobs.get bigquery.tables.create bigquery.tables.delete bigquery.tables.get bigquery.tables.update bigquery.tables.updateData pubsub.topics.publish storage.buckets.create storage.buckets.get storage.buckets.getIamPolicy storage.objects.create storage.objects.delete storage.objects.get |
Cloud Build Logging Service Agent( Gives the Cloud Build logging-specific service account access to write logs. |
logging.buckets.write |
Cloud Build Service Agent( Gives Cloud Build service account access to managed resources. |
artifactregistry. artifactregistry. artifactregistry.files.* artifactregistry. artifactregistry.locations.* artifactregistry. artifactregistry.npmpackages.* artifactregistry.packages.get artifactregistry.packages.list artifactregistry. artifactregistry. artifactregistry. artifactregistry. artifactregistry. artifactregistry. artifactregistry. artifactregistry. artifactregistry. artifactregistry. artifactregistry. artifactregistry.tags.create artifactregistry.tags.get artifactregistry.tags.list artifactregistry.tags.update artifactregistry.versions.get artifactregistry.versions.list artifactregistry. binaryauthorization. binaryauthorization. binaryauthorization. binaryauthorization. binaryauthorization. binaryauthorization. cloudbuild.builds.create cloudbuild.builds.get cloudbuild.builds.list cloudbuild.builds.update cloudbuild.connections.get cloudbuild.operations.* cloudbuild. cloudbuild. cloudbuild.repositories.get cloudbuild.repositories.list cloudbuild.workerpools.use compute.firewalls.get compute.firewalls.list compute.networks.get compute.subnetworks.get containeranalysis. containeranalysis.notes.create containeranalysis.notes.delete containeranalysis.notes.get containeranalysis.notes.list containeranalysis.notes.update containeranalysis. containeranalysis. containeranalysis. containeranalysis. containeranalysis. iam.serviceAccounts.get iam. iam. logging.buckets.create logging.buckets.get logging.buckets.list logging.logEntries.create logging.logEntries.list logging.views.access pubsub.subscriptions.create pubsub.subscriptions.delete pubsub.subscriptions.get pubsub.subscriptions.update pubsub. pubsub.topics.create pubsub.topics.get pubsub.topics.publish remotebuildexecution.blobs.get resourcemanager.projects.get resourcemanager.projects.list servicedirectory.endpoints.get servicedirectory. servicedirectory. servicedirectory.locations.* servicedirectory. servicedirectory. servicedirectory. servicedirectory. servicedirectory.services.get servicedirectory. 
servicedirectory.services.list servicedirectory. serviceusage.services.use source.repos.get source.repos.list storage.buckets.create storage.buckets.get storage.buckets.list storage.objects.create storage.objects.delete storage.objects.get storage.objects.list storage.objects.update |
Infrastructure Manager Service Agent( Gives the Infrastructure Manager service agent access to managed resources. |
cloudbuild.builds.create cloudbuild.builds.get cloudbuild.builds.list cloudbuild.builds.update cloudbuild.workerpools.use iam.serviceAccounts.actAs iam. logging.logEntries.create logging.logEntries.route serviceusage.services.use storage.buckets.create storage.buckets.delete storage.buckets.get storage.buckets.list storage.buckets.update storage.objects.create storage.objects.delete storage.objects.get storage.objects.list storage.objects.update |
Cloud Controls Partner Access Approval Service Agent( Gives the Partner Console service account access to read Access Approval Requests for workloads associated with a partner. |
accessapproval.requests.get accessapproval.requests.list |
Cloud Controls Partner EKM Service Agent( Gives Cloud Controls Partner service agent permission to list EKM connections, get EKM connection status, and provide EKM diagnostic information. |
cloudkms.ekmConnections.get cloudkms. cloudkms.ekmConnections.list cloudkms. |
Cloud Controls Partner Monitoring Service Agent( Gives Cloud Controls Partner monitoring service agent permission to view and list Assured Workload violations. The role is assigned to enable partner monitoring capability. |
assuredworkloads. assuredworkloads. |
Cloud Deploy Service Agent( Gives Cloud Deploy Service Account access to managed resources. |
cloudbuild.builds.create cloudbuild.builds.get cloudbuild.builds.list cloudbuild.builds.update cloudbuild.workerpools.use iam.serviceAccounts.actAs iam. logging.logEntries.create pubsub.topics.get pubsub.topics.publish servicemanagement. serviceusage.services.use storage.buckets.create storage.buckets.get storage.objects.get |
Cloud Deployment Manager Service Agent( Allows the Deployment Manager service to actuate resources across DM projects and folders. |
accesscontextmanager. accesscontextmanager. accesscontextmanager. accesscontextmanager. accesscontextmanager. accesscontextmanager. accesscontextmanager. accesscontextmanager. accesscontextmanager. appengine.applications.get appengine.operations.get appengine.services.update appengine.versions.create appengine.versions.delete appengine.versions.get appengine.versions.list artifactregistry. artifactregistry. artifactregistry. artifactregistry. bigquery.connections.get bigquery.datasets.create bigquery.datasets.delete bigquery.datasets.get bigquery.datasets.getIamPolicy bigquery.datasets.update bigquery.jobs.create bigquery.routines.create bigquery.routines.get bigquery.routines.update bigquery.tables.create bigquery.tables.delete bigquery.tables.get bigquery.tables.getData bigquery.tables.setCategory bigquery.tables.update bigquery.tables.updateData bigtable.instances.create bigtable.instances.delete bigtable.instances.get bigtable.instances.update bigtable.tables.create bigtable.tables.delete bigtable.tables.get bigtable.tables.update billing. billing.resourcebudgets.write cloudbuild.builds.create cloudbuild.builds.get cloudfunctions.functions.call cloudfunctions. cloudfunctions. cloudfunctions.functions.get cloudfunctions. cloudfunctions.functions.list cloudfunctions. cloudfunctions.operations.get cloudprivatecatalog. 
cloudscheduler.jobs.create cloudscheduler.jobs.delete cloudscheduler.jobs.get cloudscheduler.jobs.update cloudsql.backupRuns.create cloudsql.databases.* cloudsql.instances.create cloudsql.instances.delete cloudsql.instances.get cloudsql.instances.import cloudsql.instances.restart cloudsql.instances.update cloudsql.sslCerts.create cloudsql.sslCerts.delete cloudsql.sslCerts.get cloudsql.users.create cloudsql.users.delete cloudtasks.queues.create cloudtasks.queues.delete cloudtasks.queues.get compute.addresses.* compute.autoscalers.create compute.autoscalers.delete compute.autoscalers.get compute.autoscalers.update compute.backendBuckets.create compute.backendBuckets.delete compute.backendBuckets.get compute.backendBuckets.update compute.backendBuckets.use compute.backendServices.create compute.backendServices.delete compute.backendServices.get compute. compute.backendServices.update compute.backendServices.use compute. compute.disks.create compute.disks.delete compute.disks.get compute. compute.disks.resize compute.disks.setLabels compute.disks.update compute.disks.use compute.disks.useReadOnly compute. compute. compute. compute. compute. compute. compute. compute.firewallPolicies.get compute.firewalls.create compute.firewalls.delete compute.firewalls.get compute.firewalls.list compute.firewalls.update compute.forwardingRules.create compute.forwardingRules.delete compute.forwardingRules.get compute. compute. compute. compute. compute.forwardingRules.update compute.forwardingRules.use compute.globalAddresses.create compute. compute.globalAddresses.delete compute. compute.globalAddresses.get compute. compute.globalAddresses.use compute. compute. compute. compute. compute. compute. compute. compute. compute. compute. compute. compute. compute.globalOperations.get compute.healthChecks.create compute.healthChecks.delete compute.healthChecks.get compute.healthChecks.update compute.healthChecks.use compute. compute. compute. compute.httpHealthChecks.get compute. 
compute.httpHealthChecks.use compute. compute. compute. compute.httpsHealthChecks.get compute. compute.httpsHealthChecks.use compute. compute.images.create compute.images.delete compute.images.deprecate compute.images.get compute.images.setLabels compute.images.useReadOnly compute. compute. compute. compute. compute. compute.instanceGroups.create compute.instanceGroups.delete compute.instanceGroups.get compute.instanceGroups.update compute.instanceGroups.use compute. compute. compute.instanceTemplates.get compute. compute. compute.instances.create compute.instances.delete compute. compute.instances.get compute. compute.instances.resume compute. compute. compute.instances.setLabels compute.instances.setMetadata compute. compute.instances.setTags compute.instances.start compute.instances.stop compute.instances.suspend compute.instances.update compute. compute.instances.use compute. compute. compute. compute. compute. compute.interconnects.create compute.interconnects.delete compute.interconnects.get compute. compute.interconnects.use compute. compute.machineTypes.get compute. compute. compute. compute. compute. compute.networks.addPeering compute.networks.create compute.networks.delete compute.networks.get compute. compute.networks.removePeering compute. compute.networks.update compute.networks.updatePolicy compute.networks.use compute.networks.useExternalIp compute. compute. compute. compute. compute. compute.packetMirrorings.get compute.projects.get compute. compute. compute. compute. compute. compute. compute. compute. compute.regionHealthChecks.get compute. compute.regionHealthChecks.use compute. compute. compute. compute. compute. compute.regionOperations.get compute. compute. compute. compute. compute. compute. compute. compute. compute. compute. compute. compute.regionUrlMaps.create compute.regionUrlMaps.delete compute.regionUrlMaps.get compute.regionUrlMaps.use compute.regions.get compute.reservations.list compute. compute. 
compute.resourcePolicies.get compute.resourcePolicies.use compute.routers.create compute.routers.delete compute.routers.get compute.routers.update compute.routers.use compute.routes.create compute.routes.delete compute.routes.get compute. compute. compute.securityPolicies.get compute. compute. compute.securityPolicies.use compute. compute.serviceAttachments.get compute.snapshots.useReadOnly compute.sslCertificates.create compute.sslCertificates.delete compute.sslCertificates.get compute.sslPolicies.create compute.sslPolicies.delete compute.sslPolicies.get compute.sslPolicies.use compute.subnetworks.create compute.subnetworks.delete compute. compute.subnetworks.get compute.subnetworks.list compute.subnetworks.mirror compute.subnetworks.update compute.subnetworks.use compute. compute. compute. compute.targetHttpProxies.get compute.targetHttpProxies.use compute. compute. compute.targetHttpsProxies.get compute. compute. compute.targetHttpsProxies.use compute.targetInstances.create compute.targetInstances.delete compute.targetInstances.get compute.targetInstances.use compute. compute. compute.targetPools.create compute.targetPools.delete compute.targetPools.get compute. compute. compute.targetPools.use compute. compute. compute.targetSslProxies.get compute. compute.targetSslProxies.use compute. compute. compute.targetTcpProxies.get compute.targetTcpProxies.use compute. compute. compute.targetVpnGateways.get compute. compute.targetVpnGateways.use compute.urlMaps.create compute.urlMaps.delete compute.urlMaps.get compute.urlMaps.update compute.urlMaps.use compute.vpnGateways.create compute.vpnGateways.delete compute.vpnGateways.get compute.vpnGateways.setLabels compute.vpnGateways.use compute.vpnTunnels.create compute.vpnTunnels.delete compute.vpnTunnels.get compute.vpnTunnels.setLabels compute.zoneOperations.get compute.zoneOperations.list compute.zones.get container. container. container.backendConfigs.get container. container. container. 
container.clusterRoles.bind container.clusterRoles.create container.clusterRoles.delete container. container.clusterRoles.get container.clusters.create container.clusters.delete container.clusters.get container. container.clusters.update container.configMaps.create container.configMaps.delete container.configMaps.get container.configMaps.update container.cronJobs.create container.cronJobs.delete container.cronJobs.get container.cronJobs.update container.daemonSets.create container.daemonSets.delete container.daemonSets.get container.daemonSets.update container.deployments.create container.deployments.delete container.deployments.get container.deployments.update container. container. container.frontendConfigs.get container. container. container. container.ingresses.create container.ingresses.delete container.ingresses.get container.jobs.create container.jobs.delete container.jobs.get container. container. container. container. container. container.namespaces.create container.namespaces.delete container.namespaces.get container. container. container.networkPolicies.get container.operations.get container. container. container. container. container. container. container. container.priorityClasses.get container. container. container. container.roleBindings.create container.roleBindings.delete container.roleBindings.get container.roles.bind container.roles.create container.roles.delete container.roles.escalate container.roles.get container.roles.update container.secrets.create container.secrets.delete container.secrets.get container.secrets.update container. container. container.serviceAccounts.get container. container.services.create container.services.delete container.services.get container.statefulSets.create container.statefulSets.delete container.statefulSets.get container.statefulSets.update container. container. container.storageClasses.get container. container. container. container. container. container. datacatalog.taxonomies.get dataproc. dataproc. dataproc. 
dataproc. dataproc.clusters.create dataproc.clusters.delete dataproc.clusters.get dataproc.nodeGroups.create dataproc.operations.get dataproc. dataproc. dataproc.workflowTemplates.get deploymentmanager. deploymentmanager. deploymentmanager. deploymentmanager. deploymentmanager. deploymentmanager. deploymentmanager. deploymentmanager. deploymentmanager. deploymentmanager. dns.changes.* dns.managedZones.create dns.managedZones.delete dns.managedZones.get dns.managedZones.list dns.managedZones.update dns. dns. dns.policies.delete dns.policies.get dns.resourceRecordSets.create dns.resourceRecordSets.delete dns.resourceRecordSets.list dns.resourceRecordSets.update file.instances.create file.instances.delete file.instances.get file.instances.update file.operations.get firebase.projects.get firebase.projects.update firebaseanalytics. iam.roles.create iam.roles.delete iam.roles.get iam.roles.list iam.roles.update iam.serviceAccountKeys.delete iam.serviceAccountKeys.get iam.serviceAccounts.actAs iam.serviceAccounts.create iam.serviceAccounts.delete iam.serviceAccounts.get iam.serviceAccounts.list iam.serviceAccounts.update logging.buckets.update logging.exclusions.create logging.exclusions.delete logging.exclusions.get logging.exclusions.update logging.logEntries.create logging.logMetrics.create logging.logMetrics.delete logging.logMetrics.get logging.logMetrics.update logging. logging.sinks.create logging.sinks.delete logging.sinks.get logging.sinks.update monitoring.alertPolicies.* monitoring.dashboards.create monitoring.dashboards.delete monitoring.dashboards.get monitoring.dashboards.update monitoring.groups.create monitoring.groups.delete monitoring.groups.get monitoring.groups.update monitoring. monitoring. monitoring. monitoring. monitoring. monitoring. monitoring. monitoring. monitoring. monitoring. monitoring. networksecurity. pubsub.schemas.attach pubsub.subscriptions.create pubsub.subscriptions.delete pubsub.subscriptions.get pubsub.subscriptions.update pubsub. 
pubsub.topics.create pubsub.topics.delete pubsub.topics.get pubsub.topics.getIamPolicy pubsub.topics.publish pubsub.topics.update redis.instances.create redis.instances.delete redis.instances.get redis.instances.update redis.instances.updateAuth redis.operations.get resourcemanager.folders.create resourcemanager.folders.delete resourcemanager.folders.get resourcemanager. resourcemanager.folders.list resourcemanager.folders.update resourcemanager. resourcemanager. resourcemanager. resourcemanager. resourcemanager. resourcemanager.projects.get resourcemanager. resourcemanager.projects.list resourcemanager.projects.move resourcemanager. resourcemanager. resourcemanager. resourcemanager. resourcemanager. resourcemanager.tagValues.get runtimeconfig.configs.create runtimeconfig.configs.delete runtimeconfig.configs.get runtimeconfig.configs.list runtimeconfig.configs.update runtimeconfig.variables.create runtimeconfig.variables.delete runtimeconfig.variables.get runtimeconfig.variables.list runtimeconfig.variables.update runtimeconfig.waiters.create runtimeconfig.waiters.delete runtimeconfig.waiters.get runtimeconfig.waiters.list servicedirectory. servicedirectory. servicedirectory. servicedirectory. servicemanagement. servicenetworking. servicenetworking. 
servicenetworking.services.get serviceusage.operations.get serviceusage.services.disable serviceusage.services.enable serviceusage.services.get serviceusage.services.use source.repos.create spanner.databaseOperations.get spanner.databases.create spanner.databases.drop spanner.databases.get spanner.databases.updateDdl spanner.instanceOperations.get spanner.instances.create spanner.instances.delete spanner.instances.get spanner.instances.update storage.buckets.create storage.buckets.delete storage.buckets.get storage.buckets.getIamPolicy storage.buckets.update storage.hmacKeys.create storage.objects.create storage.objects.delete storage.objects.get storage.objects.getIamPolicy storage.objects.list vpcaccess.connectors.create vpcaccess.connectors.delete vpcaccess.operations.get workflows.operations.get workflows.workflows.create workflows.workflows.delete workflows.workflows.get |
Cloud Functions Service Agent( Gives Cloud Functions service account access to managed resources. |
artifactregistry. artifactregistry. artifactregistry.files.* artifactregistry. artifactregistry.locations.* artifactregistry. artifactregistry.npmpackages.* artifactregistry.packages.* artifactregistry. artifactregistry. artifactregistry. artifactregistry. artifactregistry. artifactregistry. artifactregistry. artifactregistry. artifactregistry. artifactregistry. artifactregistry. artifactregistry. artifactregistry. artifactregistry. artifactregistry. artifactregistry. artifactregistry. artifactregistry.tags.* artifactregistry.versions.* artifactregistry. clientauthconfig.clients.list cloudbuild.builds.create cloudbuild.builds.get cloudbuild.builds.list cloudbuild.builds.update cloudbuild.operations.* cloudbuild.workerpools.use cloudfunctions.functions.get cloudfunctions. cloudfunctions.functions.list cloudfunctions.operations.* compute.globalOperations.get compute.networks.access eventarc. eventarc. eventarc. eventarc. eventarc. eventarc. eventarc.channels.attach eventarc.channels.create eventarc.channels.delete eventarc.channels.get eventarc.channels.getIamPolicy eventarc.channels.list eventarc.channels.publish eventarc.channels.undelete eventarc.channels.update eventarc. eventarc.locations.* eventarc.operations.* eventarc.providers.* eventarc.triggers.create eventarc.triggers.delete eventarc.triggers.get eventarc.triggers.getIamPolicy eventarc.triggers.list eventarc.triggers.undelete eventarc.triggers.update firebasedatabase.instances.get firebasedatabase. iam.serviceAccounts.actAs iam. iam. iam.serviceAccounts.signBlob pubsub.subscriptions.* pubsub. pubsub.topics.create pubsub.topics.get pubsub.topics.list recommender.locations.* recommender. recommender. recommender. recommender. recommender. recommender. recommender. recommender. remotebuildexecution.blobs.get resourcemanager.projects.get resourcemanager. 
resourcemanager.projects.list run.configurations.* run.executions.* run.jobs.create run.jobs.delete run.jobs.get run.jobs.getIamPolicy run.jobs.list run.jobs.listEffectiveTags run.jobs.listTagBindings run.jobs.run run.jobs.runWithOverrides run.jobs.update run.locations.list run.operations.* run.revisions.* run.routes.* run.services.create run.services.delete run.services.get run.services.getIamPolicy run.services.list run.services.listEffectiveTags run.services.listTagBindings run.services.update run.tasks.* serviceusage.quotas.get serviceusage.services.disable serviceusage.services.enable serviceusage.services.get serviceusage.services.use source.repos.get source.repos.list storage.buckets.create storage.buckets.delete storage.buckets.get storage.buckets.update storage.objects.create storage.objects.delete storage.objects.get storage.objects.list vpcaccess.connectors.get vpcaccess.connectors.use |
Cloud IoT Core Service Agent( Grants the ability to manage Cloud IoT Core resources, including publishing data to Cloud Pub/Sub and writing device activity logs to Stackdriver. Warning: If this role is removed from the Cloud IoT service account, Cloud IoT Core will be unable to publish data or write device activity logs. |
logging.logEntries.create logging.logEntries.route pubsub.topics.publish |
Cloud KMS Organization Service Agent( Gives Cloud KMS organization-level service account access to managed resources. |
cloudasset. |
Cloud KMS Service Agent( Gives Cloud KMS service account access to managed resources. |
cloudasset. |
Cloud KMS KACLS Service Agent( Grants Cloud KMS KACLS Service Agent access to KMS resource permissions to perform DEK encryption/decryption. |
cloudkms. cloudkms. cloudkms.cryptoKeys.get |
Cloud Optimization Service Agent( Grants Cloud Optimization Service Account access to read and write data in the user project. |
storage.buckets.get storage.objects.create storage.objects.delete storage.objects.get storage.objects.list storage.objects.update |
Cloud Scheduler Service Agent( Grants Cloud Scheduler Service Account access to manage resources. |
iam. iam. logging.logEntries.create logging.logEntries.route pubsub.topics.publish |
Cloud SQL Service Agent( Grants Cloud SQL access to services and APIs in the user project |
cloudsql.instances.get |
Cloud Tasks Service Agent( Grants Cloud Tasks Service Account access to manage resources. |
iam. iam. logging.logEntries.create |
Cloud TPU V2 API Service Agent( Gives Cloud TPUs service account access to managed resources. |
compute.acceleratorTypes.* compute.addresses.* compute.autoscalers.* compute.backendBuckets.* compute.backendServices.* compute.diskTypes.* compute.disks.* compute.externalVpnGateways.* compute.firewallPolicies.get compute.firewallPolicies.list compute. compute. compute.firewallPolicies.use compute.firewalls.create compute.firewalls.delete compute.firewalls.get compute.firewalls.list compute. compute. compute.firewalls.update compute.forwardingRules.* compute.globalAddresses.* compute. compute. compute.globalOperations.get compute.globalOperations.list compute. compute. compute. compute. compute. compute.healthChecks.* compute.httpHealthChecks.* compute.httpsHealthChecks.* compute.images.* compute. compute.instanceGroups.* compute.instanceSettings.* compute.instanceTemplates.* compute.instances.* compute.instantSnapshots.* compute. compute. compute. compute.interconnects.* compute.licenseCodes.* compute.licenses.* compute.machineImages.* compute.machineTypes.* compute.networkAttachments.* compute. compute.networks.* compute.packetMirrorings.get compute.packetMirrorings.list compute.projects.get compute. compute. compute. compute. compute. compute. compute. compute. compute. compute. compute. compute. compute. compute.regionHealthChecks.* compute. compute. compute.regionOperations.get compute.regionOperations.list compute. compute. compute. compute. compute. compute. compute. compute. compute. compute.regionSslPolicies.* compute. compute. compute. compute.regionUrlMaps.* compute.regions.* compute.reservations.get compute.reservations.list compute.resourcePolicies.* compute.routers.* compute.routes.* compute.securityPolicies.get compute.securityPolicies.list compute. compute. compute.securityPolicies.use compute.serviceAttachments.* compute.snapshots.* compute.sslCertificates.get compute.sslCertificates.list compute. compute. 
compute.sslPolicies.* compute.storagePools.get compute.storagePools.list compute.storagePools.use compute.subnetworks.* compute.targetGrpcProxies.* compute.targetHttpProxies.* compute.targetHttpsProxies.* compute.targetInstances.* compute.targetPools.* compute.targetSslProxies.* compute.targetTcpProxies.* compute.targetVpnGateways.* compute.urlMaps.* compute.vpnGateways.* compute.vpnTunnels.* compute.zoneOperations.get compute.zoneOperations.list compute.zones.* iam.serviceAccounts.actAs iam.serviceAccounts.get iam.serviceAccounts.list logging.logEntries.create logging.logEntries.route monitoring. monitoring. monitoring. monitoring. monitoring.timeSeries.create networkconnectivity. networkconnectivity. networkconnectivity. networkconnectivity. networkconnectivity. networkconnectivity. networkconnectivity. networkconnectivity. networksecurity.* networkservices.* pubsub.* resourcemanager.projects.get resourcemanager.projects.list servicedirectory. servicedirectory. servicedirectory. servicedirectory. servicenetworking. servicenetworking. servicenetworking. servicenetworking. servicenetworking. servicenetworking. servicenetworking. servicenetworking.services.get servicenetworking. serviceusage.quotas.get serviceusage.services.get serviceusage.services.list trafficdirector.* |
Cloud Translation API Service Agent( Gives Cloud Translation Service Account access to consumer resources. |
automl.datasets.export automl.datasets.get automl.datasets.list automl.models.get automl.models.list automl.operations.get storage.buckets.get storage.objects.create storage.objects.get storage.objects.list |
Cloud Composer API Service Agent( Cloud Composer API service agent can manage environments. |
appengine.applications.get appengine. appengine.applications.update appengine.instances.* appengine.memcache.addKey appengine.memcache.flush appengine.memcache.get appengine.memcache.update appengine.operations.* appengine.runtimes.actAsAdmin appengine.services.* appengine.versions.create appengine.versions.delete appengine.versions.get appengine.versions.list appengine.versions.update artifactregistry. artifactregistry. artifactregistry. artifactregistry. artifactregistry. cloudaicompanion. cloudnotifications. cloudsql.* composer.dags.get composer.environments.get compute.acceleratorTypes.* compute.addresses.* compute.autoscalers.* compute.backendBuckets.* compute.backendServices.* compute.diskTypes.* compute.disks.* compute.externalVpnGateways.* compute.firewallPolicies.get compute.firewallPolicies.list compute. compute. compute.firewallPolicies.use compute.firewalls.get compute.firewalls.list compute. compute. compute.forwardingRules.* compute.globalAddresses.* compute. compute. compute.globalOperations.get compute.globalOperations.list compute. compute. compute. compute. compute. compute.healthChecks.* compute.httpHealthChecks.* compute.httpsHealthChecks.* compute.images.* compute. compute.instanceGroups.* compute.instanceSettings.* compute.instanceTemplates.* compute.instances.* compute.instantSnapshots.* compute. compute. compute. compute.interconnects.* compute.licenseCodes.* compute.licenses.* compute.machineImages.* compute.machineTypes.* compute.networkAttachments.* compute. compute.networks.* compute.packetMirrorings.get compute.packetMirrorings.list compute.projects.get compute. compute. compute. compute. compute. compute. compute. compute. compute. compute. compute. compute. compute. compute.regionHealthChecks.* compute. compute. compute.regionOperations.get compute.regionOperations.list compute. compute. compute. compute. compute. compute. compute. compute. compute. compute.regionSslPolicies.* compute. compute. compute. 
compute.regionUrlMaps.* compute.regions.* compute.reservations.get compute.reservations.list compute.resourcePolicies.* compute.routers.* compute.routes.* compute.securityPolicies.get compute.securityPolicies.list compute. compute. compute.securityPolicies.use compute.serviceAttachments.* compute.snapshots.* compute.sslCertificates.get compute.sslCertificates.list compute. compute. compute.sslPolicies.* compute.storagePools.get compute.storagePools.list compute.storagePools.use compute.subnetworks.* compute.targetGrpcProxies.* compute.targetHttpProxies.* compute.targetHttpsProxies.* compute.targetInstances.* compute.targetPools.* compute.targetSslProxies.* compute.targetTcpProxies.* compute.targetVpnGateways.* compute.urlMaps.* compute.vpnGateways.* compute.vpnTunnels.* compute.zoneOperations.get compute.zoneOperations.list compute.zones.* container.* deploymentmanager. deploymentmanager. deploymentmanager. deploymentmanager. deploymentmanager. deploymentmanager. deploymentmanager. deploymentmanager. deploymentmanager.manifests.* deploymentmanager.operations.* deploymentmanager.resources.* deploymentmanager. deploymentmanager.types.* dns.managedZones.get dns.managedZones.list dns. firebase.projects.get iam.serviceAccounts.actAs iam.serviceAccounts.get iam. iam.serviceAccounts.list logging.buckets.create logging.buckets.delete logging.buckets.get logging.buckets.list logging.buckets.undelete logging.buckets.update logging.exclusions.* logging.links.* logging.locations.* logging.logEntries.create logging.logEntries.route logging.logMetrics.* logging.logServiceIndexes.list logging.logServices.list logging.logs.list logging.notificationRules.* logging.operations.* logging.settings.* logging.sinks.* logging.views.create logging.views.delete logging.views.get logging.views.list logging.views.update monitoring.alertPolicies.get monitoring.alertPolicies.list monitoring.dashboards.get monitoring.dashboards.list monitoring.groups.get monitoring.groups.list monitoring. 
monitoring. monitoring. monitoring. monitoring. monitoring. monitoring. monitoring.publicWidgets.get monitoring.publicWidgets.list monitoring.services.get monitoring.services.list monitoring.slos.get monitoring.slos.list monitoring.snoozes.get monitoring.snoozes.list monitoring.timeSeries.* monitoring. monitoring. networkconnectivity. networkconnectivity. networkconnectivity. networkconnectivity. networkconnectivity. networkconnectivity. networkconnectivity. networkconnectivity. networksecurity.* networkservices.* opsconfigmonitoring. orgpolicy.policy.get pubsub.* recommender. recommender. recommender. recommender. recommender. recommender. recommender. recommender. recommender. recommender. recommender. recommender. recommender. recommender. recommender. recommender. recommender. recommender. recommender. recommender. recommender. recommender.locations.* recommender. recommender. resourcemanager.projects.get resourcemanager. resourcemanager.projects.list servicedirectory. servicedirectory. servicedirectory. servicedirectory. servicenetworking. servicenetworking. servicenetworking. servicenetworking. servicenetworking. servicenetworking. servicenetworking. servicenetworking.services.get servicenetworking. serviceusage.quotas.get serviceusage.services.get serviceusage.services.list stackdriver.projects.get stackdriver. storage.anywhereCaches.* storage.bucketOperations.* storage.buckets.* storage.managedFolders.* storage.multipartUploads.* storage.objects.* trafficdirector.* |
Instance Group Manager Service Agent( Role containing all permissions required by Managed Instance Groups to create and manage instances. |
compute.addresses.* compute. compute.disks.create compute.disks.createSnapshot compute.disks.createTagBinding compute.disks.delete compute.disks.deleteTagBinding compute.disks.get compute.disks.getIamPolicy compute.disks.list compute. compute.disks.listTagBindings compute. compute.disks.resize compute.disks.setLabels compute. compute. compute. compute.disks.update compute.disks.use compute.disks.useReadOnly compute.globalAddresses.get compute.globalOperations.get compute.healthChecks.get compute.httpHealthChecks.get compute.httpsHealthChecks.get compute.images.useReadOnly compute.instanceGroups.update compute. compute. compute. compute. compute.instances.attachDisk compute.instances.create compute. compute.instances.delete compute. compute. compute.instances.detachDisk compute.instances.get compute. compute. compute.instances.getIamPolicy compute. compute. compute. compute. compute.instances.list compute. compute. compute. compute.instances.osAdminLogin compute.instances.osLogin compute. compute. compute. compute.instances.reset compute.instances.resume compute. compute. compute. compute.instances.setLabels compute. compute. compute.instances.setMetadata compute. compute.instances.setName compute. compute. compute. compute. compute. compute.instances.setTags compute. compute.instances.start compute. compute.instances.stop compute.instances.suspend compute.instances.update compute. compute. compute. compute. compute. compute. compute.instances.use compute.instances.useReadOnly compute.networks.use compute.networks.useExternalIp compute.regionOperations.get compute.resourcePolicies.use compute.snapshots.useReadOnly compute.subnetworks.use compute. compute. compute. compute.zoneOperations.get iam.serviceAccounts.actAs |
Compute Engine Service Agent( Gives Compute Engine Service Account access to assert service account authority. Includes access to service accounts. |
cloudnotifications. compute.addresses.use compute.addresses.useInternal compute.disks.create compute.disks.createTagBinding compute.disks.setLabels compute.disks.use compute.disks.useReadOnly compute.images.useReadOnly compute. compute. compute.instances.create compute. compute. compute.instances.setLabels compute.instances.setMetadata compute. compute.instances.setTags compute. compute. compute.networks.use compute.networks.useExternalIp compute.resourcePolicies.use compute.snapshots.useReadOnly compute.subnetworks.use compute. iam.serviceAccounts.actAs iam. iam. iam. iam.serviceAccounts.signJwt logging.logEntries.create monitoring.alertPolicies.get monitoring.alertPolicies.list monitoring.dashboards.get monitoring.dashboards.list monitoring.groups.get monitoring.groups.list monitoring. monitoring. monitoring. monitoring. monitoring. monitoring. monitoring.publicWidgets.get monitoring.publicWidgets.list monitoring.services.get monitoring.services.list monitoring.slos.get monitoring.slos.list monitoring.snoozes.get monitoring.snoozes.list monitoring.timeSeries.list monitoring. monitoring. opsconfigmonitoring. resourcemanager.projects.get resourcemanager.projects.list stackdriver.projects.get stackdriver. storage.objects.create storage.objects.get storage.objects.list storage.objects.update |
Connectors Platform Service Agent( Grants the Connectors Platform service account access to manage customer resources. |
connectors.actions.list connectors.connections.get connectors. connectors.connections.list connectors.connectors.* connectors. connectors. connectors. connectors. connectors. connectors. connectors.entityTypes.list connectors. connectors. connectors.eventtypes.* connectors.locations.* connectors.managedZones.get connectors.managedZones.list connectors.providers.* connectors.runtimeconfig.get iam. iam. iam. monitoring. monitoring. monitoring. monitoring. monitoring.timeSeries.create |
Contact Center AI Insights Service Agent( Allows Contact Center AI to read and write APIs including BigQuery, Dialogflow, and Storage. |
bigquery.datasets.create bigquery.datasets.get bigquery.jobs.create bigquery.jobs.get bigquery.tables.create bigquery.tables.get bigquery.tables.update bigquery.tables.updateData datalabeling.dataitems.* datalabeling.datasets.create datalabeling.datasets.delete datalabeling.datasets.export datalabeling.datasets.get datalabeling.datasets.import datalabeling.operations.get datalabeling.operations.list dialogflow. dialogflow. dialogflow. dialogflow.documents.* dialogflow.operations.get dialogflow. dialogflow. dlp.deidentifyTemplates.get dlp.deidentifyTemplates.list dlp.inspectTemplates.get dlp.inspectTemplates.list dlp.kms.encrypt dlp.locations.* pubsub.topics.get pubsub.topics.publish serviceusage.services.use speech.customClasses.get speech.operations.get speech.phraseSets.get speech.recognizers.create speech.recognizers.get speech.recognizers.recognize speech.recognizers.update storage.objects.create storage.objects.get storage.objects.list storage.objects.update |
Kubernetes Engine Node Service Agent( Minimal set of permissions required by a GKE node to support standard capabilities such as logging and monitoring export, and image pulls. |
autoscaling.sites.writeMetrics logging.logEntries.create monitoring. monitoring. monitoring.timeSeries.* resourcemanager.projects.get resourcemanager.projects.list serviceusage.services.use storage.objects.get storage.objects.list |
Kubernetes Engine Service Agent( Gives Kubernetes Engine account access to manage cluster resources. Includes access to service accounts. |
bigquery.datasets.create bigquery.datasets.get bigquery.tables.create bigquery.tables.get bigquery.tables.update bigquery.tables.updateData binaryauthorization. certificatemanager. certificatemanager. certificatemanager. certificatemanager. certificatemanager. certificatemanager. certificatemanager. certificatemanager. certificatemanager. certificatemanager. certificatemanager. certificatemanager. certificatemanager. certificatemanager. certificatemanager. certificatemanager.certs.get certificatemanager. certificatemanager.certs.list certificatemanager. certificatemanager.certs.use certificatemanager. certificatemanager. certificatemanager. certificatemanager. certificatemanager. certificatemanager. certificatemanager. compute.acceleratorTypes.* compute.addresses.* compute.autoscalers.* compute.backendBuckets.* compute.backendServices.* compute.diskTypes.* compute.disks.* compute.externalVpnGateways.* compute.firewallPolicies.* compute.firewalls.* compute.forwardingRules.* compute.globalAddresses.* compute. compute. compute.globalOperations.get compute.globalOperations.list compute. compute. compute. compute. compute. compute.healthChecks.* compute.httpHealthChecks.* compute.httpsHealthChecks.* compute.images.* compute. compute.instanceGroups.* compute.instanceSettings.* compute.instanceTemplates.* compute.instances.* compute.instantSnapshots.* compute. compute. compute. compute.interconnects.* compute.licenseCodes.* compute.licenses.* compute.machineImages.* compute.machineTypes.* compute.networkAttachments.* compute. compute.networks.* compute.nodeGroups.get compute.packetMirrorings.* compute.projects.get compute. compute. compute. compute. compute. compute. compute. compute. compute. compute.regionHealthChecks.* compute. compute. compute.regionOperations.get compute.regionOperations.list compute. compute. compute.regionSslPolicies.* compute. compute. compute. 
compute.regionUrlMaps.* compute.regions.* compute.reservations.get compute.reservations.list compute.resourcePolicies.* compute.routers.* compute.routes.* compute.securityPolicies.* compute.serviceAttachments.* compute.snapshots.* compute.sslCertificates.* compute.sslPolicies.* compute.storagePools.* compute.subnetworks.* compute.targetGrpcProxies.* compute.targetHttpProxies.* compute.targetHttpsProxies.* compute.targetInstances.* compute.targetPools.* compute.targetSslProxies.* compute.targetTcpProxies.* compute.targetVpnGateways.* compute.urlMaps.* compute.vpnGateways.* compute.vpnTunnels.* compute.zoneOperations.get compute.zoneOperations.list compute.zones.* container.* dns.changes.* dns.dnsKeys.* dns.gkeClusters.* dns.managedZoneOperations.* dns.managedZones.create dns.managedZones.delete dns.managedZones.get dns.managedZones.getIamPolicy dns.managedZones.list dns.managedZones.update dns.networks.* dns.policies.create dns.policies.delete dns.policies.get dns.policies.getIamPolicy dns.policies.list dns.policies.update dns.projects.get dns.resourceRecordSets.* dns.responsePolicies.* dns.responsePolicyRules.* file.* iam.serviceAccounts.actAs iam.serviceAccounts.get logging.logEntries.create monitoring. monitoring. monitoring. monitoring.timeSeries.* networkconnectivity. networkconnectivity. networkconnectivity. networkconnectivity. networkconnectivity. networkconnectivity. networkconnectivity. networkconnectivity. networksecurity.* networkservices.* pubsub.topics.create pubsub.topics.get pubsub.topics.publish recommender. recommender. recommender.locations.* recommender. recommender. resourcemanager.projects.get resourcemanager.projects.list servicedirectory. servicedirectory. servicedirectory. servicedirectory. servicenetworking. servicenetworking. servicenetworking. servicenetworking. servicenetworking. servicenetworking. servicenetworking. servicenetworking.services.get servicenetworking. 
serviceusage.quotas.get serviceusage.services.get serviceusage.services.list serviceusage.services.use tpu.locations.* tpu.nodes.create tpu.nodes.delete tpu.nodes.get tpu.nodes.list tpu.operations.* trafficdirector.* |
Container Analysis Service Agent( Gives Container Analysis API the access it needs to function |
artifactregistry. artifactregistry.files.* artifactregistry.locations.* artifactregistry. artifactregistry.npmpackages.* artifactregistry.packages.get artifactregistry.packages.list artifactregistry. artifactregistry. artifactregistry. artifactregistry. artifactregistry. artifactregistry. artifactregistry. artifactregistry. artifactregistry.tags.get artifactregistry.tags.list artifactregistry.versions.get artifactregistry.versions.list containeranalysis.notes.list containeranalysis. containeranalysis. containeranalysis. containeranalysis. containeranalysis. pubsub.schemas.attach pubsub.schemas.commit pubsub.schemas.create pubsub.schemas.delete pubsub.schemas.get pubsub.schemas.list pubsub.schemas.listRevisions pubsub.schemas.rollback pubsub.schemas.validate pubsub.snapshots.create pubsub.snapshots.delete pubsub.snapshots.get pubsub.snapshots.list pubsub.snapshots.seek pubsub.snapshots.update pubsub.subscriptions.consume pubsub.subscriptions.create pubsub.subscriptions.delete pubsub.subscriptions.get pubsub.subscriptions.list pubsub.subscriptions.update pubsub. pubsub.topics.create pubsub.topics.delete pubsub. pubsub.topics.get pubsub.topics.list pubsub.topics.publish pubsub.topics.update pubsub.topics.updateTag resourcemanager.projects.get resourcemanager.projects.list serviceusage.quotas.get serviceusage.services.get serviceusage.services.list storage.objects.get storage.objects.list |
Container Registry Service Agent( Access for Container Registry |
pubsub.topics.publish storage.objects.get storage.objects.getIamPolicy storage.objects.list |
Container Scanner Service Agent( Gives Container Scanner the access it needs to analyze containers for vulnerabilities and create occurrences using the Container Analysis API |
artifactregistry. artifactregistry.files.* artifactregistry.locations.* artifactregistry. artifactregistry.npmpackages.* artifactregistry.packages.get artifactregistry.packages.list artifactregistry. artifactregistry. artifactregistry. artifactregistry. artifactregistry. artifactregistry. artifactregistry. artifactregistry. artifactregistry.tags.get artifactregistry.tags.list artifactregistry.versions.get artifactregistry.versions.list containeranalysis.notes.list containeranalysis. containeranalysis. containeranalysis. containeranalysis. containeranalysis. resourcemanager.projects.get resourcemanager.projects.list storage.objects.get storage.objects.list |
Container Threat Detection Service Agent( Gives Container Threat Detection service account access to enable/disable Container Threat Detection and manage the Container Threat Detection Agent on Google Kubernetes Engine clusters. |
container.apiServices.get container. container.apiServices.list container.auditSinks.get container.auditSinks.list container.backendConfigs.get container.backendConfigs.list container.bindings.get container.bindings.list container. container. container. container. container.clusterRoles.* container.clusters.get container.clusters.list container.componentStatuses.* container.configMaps.get container.configMaps.list container. container. container.cronJobs.get container.cronJobs.getStatus container.cronJobs.list container.csiDrivers.get container.csiDrivers.list container.csiNodeInfos.get container.csiNodeInfos.list container.csiNodes.get container.csiNodes.list container. container. container. container. container. container. container.daemonSets.* container.deployments.get container.deployments.getScale container. container.deployments.list container.endpointSlices.get container.endpointSlices.list container.endpoints.get container.endpoints.list container.events.get container.events.list container.frontendConfigs.get container.frontendConfigs.list container. container. container. container.ingresses.get container.ingresses.getStatus container.ingresses.list container. container. container.jobs.get container.jobs.getStatus container.jobs.list container.leases.get container.leases.list container.limitRanges.get container.limitRanges.list container. container. container. container. container.namespaces.get container.namespaces.getStatus container.namespaces.list container.networkPolicies.get container.networkPolicies.list container. container.nodes.get container.nodes.getStatus container.nodes.list container.operations.* container. container. container. container. container. container. container.petSets.get container.petSets.list container. container. container. container.podPresets.get container.podPresets.list container. container. 
container.podTemplates.get container.podTemplates.list container.pods.attach container.pods.create container.pods.delete container.pods.exec container.pods.get container.pods.getLogs container.pods.getStatus container.pods.list container.pods.portForward container.pods.update container.priorityClasses.get container.priorityClasses.list container.replicaSets.get container.replicaSets.getScale container. container.replicaSets.list container. container. container. container. container.resourceQuotas.get container. container.resourceQuotas.list container.roleBindings.* container.roles.* container.runtimeClasses.get container.runtimeClasses.list container.scheduledJobs.get container.scheduledJobs.list container.secrets.create container.secrets.delete container.secrets.list container.secrets.update container. container. container.serviceAccounts.get container.serviceAccounts.list container. container.services.get container.services.getStatus container.services.list container.statefulSets.get container. container. container.statefulSets.list container.storageClasses.get container.storageClasses.list container.storageStates.get container. container.storageStates.list container. container. container. container. container. container. container. container.tokenReviews.create container.updateInfos.get container.updateInfos.list container. container. container. container. container. container. container. container. container. container. container.volumeSnapshots.get container.volumeSnapshots.list recommender. recommender. recommender. recommender. recommender.locations.* recommender. recommender. recommender. recommender. resourcemanager.projects.get resourcemanager.projects.list |
Content Warehouse Service Agent( Gives the Content Warehouse service account access to manage customer resources. |
cloudfunctions. documentai. documentai.processors.get documentai. pubsub.topics.publish pubsublite.topics.publish storage.buckets.get storage.buckets.list storage.objects.create storage.objects.delete storage.objects.get storage.objects.list storage.objects.update |
Data Connectors Service Agent( Gives Data Connectors service agent permission to access the virtual private cloud |
compute.globalOperations.get compute.networks.access vpcaccess.connectors.get vpcaccess.connectors.use |
Cloud Dataflow Service Agent( Gives Cloud Dataflow service account access to managed resources. Includes access to service accounts. |
bigquery.bireservations.* bigquery.capacityCommitments.* bigquery.config.* bigquery.connections.* bigquery.dataPolicies.create bigquery.dataPolicies.delete bigquery.dataPolicies.get bigquery. bigquery.dataPolicies.list bigquery. bigquery.dataPolicies.update bigquery.datasets.* bigquery.jobs.* bigquery.models.* bigquery.readsessions.* bigquery. bigquery.reservations.* bigquery.routines.* bigquery. bigquery. bigquery. bigquery. bigquery. bigquery. bigquery. bigquery.savedqueries.* bigquery.tables.* bigquery.transfers.* bigquerymigration. clouddebugger.breakpoints.list clouddebugger. clouddebugger. clouddebugger.debuggees.create cloudnotifications. compute.acceleratorTypes.* compute.addresses.* compute.autoscalers.* compute.backendBuckets.* compute.backendServices.* compute.diskTypes.* compute.disks.* compute.externalVpnGateways.* compute.firewallPolicies.get compute.firewallPolicies.list compute. compute. compute.firewallPolicies.use compute.firewalls.get compute.firewalls.list compute. compute. compute.forwardingRules.* compute.globalAddresses.* compute. compute. compute.globalOperations.get compute.globalOperations.list compute. compute. compute. compute. compute. compute.healthChecks.* compute.httpHealthChecks.* compute.httpsHealthChecks.* compute.images.* compute. compute.instanceGroups.* compute.instanceSettings.get compute.instanceTemplates.* compute.instances.* compute.instantSnapshots.* compute. compute. compute. compute.interconnects.* compute.licenseCodes.* compute.licenses.* compute.machineImages.* compute.machineTypes.* compute.networkAttachments.* compute. compute.networks.* compute.packetMirrorings.get compute.packetMirrorings.list compute.projects.get compute. compute. compute. compute. compute. compute. compute. compute. compute. compute. compute. compute. compute.regionHealthChecks.* compute. compute. compute.regionOperations.get compute.regionOperations.list compute. compute. compute. compute. compute. compute. compute. compute. compute. 
compute.regionSslPolicies.* compute. compute. compute. compute.regionUrlMaps.* compute.regions.* compute.reservations.get compute.reservations.list compute.resourcePolicies.* compute.routers.* compute.routes.* compute.securityPolicies.get compute.securityPolicies.list compute. compute. compute.securityPolicies.use compute.serviceAttachments.* compute.snapshots.* compute.sslCertificates.get compute.sslCertificates.list compute. compute. compute.sslPolicies.* compute.storagePools.* compute.subnetworks.* compute.targetGrpcProxies.* compute.targetHttpProxies.* compute.targetHttpsProxies.* compute.targetInstances.* compute.targetPools.* compute.targetSslProxies.* compute.targetTcpProxies.* compute.targetVpnGateways.* compute.urlMaps.* compute.vpnGateways.* compute.vpnTunnels.* compute.zoneOperations.get compute.zoneOperations.list compute.zones.* dataflow.jobs.* dataflow.messages.list dataflow.metrics.get dataflow.snapshots.* dataform.* firebase.projects.get iam.serviceAccounts.actAs iam.serviceAccounts.get iam. iam. iam.serviceAccounts.list iam.serviceAccounts.signBlob iam.serviceAccounts.signJwt logging.buckets.create logging.buckets.delete logging.buckets.get logging.buckets.list logging.buckets.undelete logging.buckets.update logging.exclusions.* logging.links.* logging.locations.* logging.logEntries.create logging.logEntries.route logging.logMetrics.* logging.logServiceIndexes.list logging.logServices.list logging.logs.list logging.notificationRules.* logging.operations.* logging.settings.* logging.sinks.* logging.views.create logging.views.delete logging.views.get logging.views.list logging.views.update monitoring.alertPolicies.get monitoring.alertPolicies.list monitoring.dashboards.get monitoring.dashboards.list monitoring.groups.get monitoring.groups.list monitoring. monitoring. monitoring. monitoring. monitoring. monitoring. monitoring. 
monitoring.publicWidgets.get monitoring.publicWidgets.list monitoring.services.get monitoring.services.list monitoring.slos.get monitoring.slos.list monitoring.snoozes.get monitoring.snoozes.list monitoring.timeSeries.* monitoring. monitoring. networkconnectivity. networkconnectivity. networkconnectivity. networkconnectivity. networkconnectivity. networkconnectivity. networkconnectivity. networkconnectivity. networksecurity.* networkservices.* opsconfigmonitoring. orgpolicy.policy.get pubsub.* recommender. recommender. recommender. resourcemanager.projects.get resourcemanager.projects.list servicedirectory. servicedirectory. servicedirectory. servicedirectory. servicenetworking. servicenetworking. servicenetworking. servicenetworking. servicenetworking. servicenetworking. servicenetworking. servicenetworking.services.get servicenetworking. serviceusage.quotas.get serviceusage.services.get serviceusage.services.list serviceusage.services.use stackdriver.projects.get stackdriver. storage.anywhereCaches.* storage.bucketOperations.* storage.buckets.* storage.managedFolders.* storage.multipartUploads.* storage.objects.* trafficdirector.* |
Dataform Service Agent: Gives permission for the Dataform API to access a secret from Secret Manager |
dataform. dataform. resourcemanager.projects.get resourcemanager.projects.list |
Cloud Data Fusion API Service Agent: Gives Cloud Data Fusion service account access to Service Networking, Cloud Dataproc, Cloud Storage, BigQuery, Cloud Spanner, and Cloud Bigtable resources. |
bigquery.config.get bigquery.dataPolicies.create bigquery.dataPolicies.delete bigquery.dataPolicies.get bigquery. bigquery.dataPolicies.list bigquery. bigquery.dataPolicies.update bigquery.datasets.* bigquery.jobs.create bigquery.models.* bigquery.routines.* bigquery. bigquery. bigquery. bigquery. bigquery. bigquery. bigquery.tables.* bigtable.* compute.acceleratorTypes.* compute.addresses.get compute.addresses.list compute.autoscalers.get compute.autoscalers.list compute.backendBuckets.get compute.backendBuckets.list compute. compute. compute.backendServices.get compute.backendServices.list compute. compute. compute. compute.disks.listTagBindings compute. compute. compute.firewalls.get compute.firewalls.list compute. compute. compute.forwardingRules.get compute.forwardingRules.list compute. compute. compute.globalAddresses.get compute.globalAddresses.list compute. compute. compute. compute. compute. compute.globalOperations.get compute.healthChecks.get compute.healthChecks.list compute. compute. compute.httpHealthChecks.get compute.httpHealthChecks.list compute. compute. compute.httpsHealthChecks.get compute.httpsHealthChecks.list compute. compute. compute. compute.images.listTagBindings compute. compute. compute. compute. compute.instanceGroups.get compute.instanceGroups.list compute.instanceSettings.get compute.instances.get compute. compute. compute. compute.instances.list compute. compute. compute. compute. compute. compute. compute. compute.interconnects.get compute.interconnects.list compute.machineTypes.* compute.networkAttachments.get compute. compute. compute.networks.addPeering compute.networks.get compute. compute. compute.networks.list compute. compute. compute. compute.networks.removePeering compute.networks.update compute.packetMirrorings.get compute.packetMirrorings.list compute.projects.get compute. compute. compute. compute. compute. compute. compute.regionHealthChecks.get compute. compute. compute. compute. compute. compute. compute. compute. 
compute. compute.regionSslPolicies.get compute.regionSslPolicies.list compute. compute. compute. compute. compute. compute. compute. compute. compute. compute. compute. compute.regionUrlMaps.get compute.regionUrlMaps.list compute. compute. compute.regions.* compute.routers.get compute.routers.getRoutePolicy compute.routers.list compute.routers.listBgpRoutes compute. compute.routes.get compute.routes.list compute. compute.routes.listTagBindings compute.serviceAttachments.get compute. compute. compute. compute.sslCertificates.get compute.sslCertificates.list compute. compute. compute.sslPolicies.get compute.sslPolicies.list compute. compute. compute. compute.subnetworks.get compute.subnetworks.list compute. compute. compute.targetGrpcProxies.get compute.targetGrpcProxies.list compute.targetHttpProxies.get compute.targetHttpProxies.list compute. compute. compute.targetHttpsProxies.get compute. compute. compute. compute.targetInstances.get compute.targetInstances.list compute. compute. compute.targetPools.get compute.targetPools.list compute. compute. compute.targetSslProxies.get compute.targetSslProxies.list compute. compute. compute.targetTcpProxies.get compute.targetTcpProxies.list compute. compute. compute.targetVpnGateways.get compute.targetVpnGateways.list compute.urlMaps.get compute.urlMaps.list compute. compute. compute.vpnGateways.get compute.vpnGateways.list compute.vpnTunnels.get compute.vpnTunnels.list compute.zones.* dataform.locations.* dataform.repositories.create dataform.repositories.list dataproc. dataproc. dataproc. dataproc. dataproc. dataproc. 
dataproc.batches.* dataproc.clusters.create dataproc.clusters.delete dataproc.clusters.get dataproc.clusters.list dataproc.clusters.start dataproc.clusters.stop dataproc.clusters.update dataproc.clusters.use dataproc.jobs.cancel dataproc.jobs.create dataproc.jobs.delete dataproc.jobs.get dataproc.jobs.list dataproc.jobs.update dataproc.nodeGroups.* dataproc.operations.cancel dataproc.operations.delete dataproc.operations.get dataproc.operations.list dataproc.sessionTemplates.* dataproc.sessions.* dataproc. dataproc. dataproc.workflowTemplates.get dataproc. dataproc. dataproc. dataproc. dns.managedZones.create dns.managedZones.delete dns.managedZones.get dns.managedZones.list dns. dns. firebase.projects.get monitoring. monitoring. monitoring. monitoring. monitoring.timeSeries.* networkconnectivity. networkconnectivity. networkconnectivity. networkconnectivity. networkconnectivity. networkconnectivity. networkconnectivity. networksecurity. networksecurity. networksecurity. networksecurity. networksecurity. networksecurity. networksecurity. networksecurity. networksecurity. networksecurity. networksecurity. networksecurity. networksecurity. networksecurity. networksecurity.locations.* networksecurity.operations.get networksecurity. networksecurity. networksecurity. networksecurity. networksecurity. networksecurity. networksecurity. networksecurity. networksecurity. networksecurity.urlLists.get networksecurity.urlLists.list networkservices. networkservices. networkservices. networkservices. networkservices.gateways.get networkservices.gateways.list networkservices.grpcRoutes.get networkservices. networkservices. networkservices. networkservices.httpRoutes.get networkservices. networkservices. networkservices. networkservices. networkservices. networkservices. networkservices. networkservices.locations.* networkservices.meshes.get networkservices.meshes.list networkservices.operations.get networkservices. networkservices. networkservices. networkservices. 
networkservices. networkservices.tcpRoutes.get networkservices.tcpRoutes.list networkservices.tlsRoutes.get networkservices.tlsRoutes.list orgpolicy.policy.get recommender. recommender. resourcemanager.projects.get resourcemanager.projects.list servicenetworking.services.get serviceusage.quotas.get serviceusage.services.get serviceusage.services.list spanner.databaseOperations.* spanner. spanner. spanner. spanner.databases.getDdl spanner.databases.list spanner. spanner. spanner.databases.read spanner.databases.select spanner.databases.updateDdl spanner.databases.updateTag spanner.databases.write spanner.instanceConfigs.get spanner.instanceConfigs.list spanner.instances.get spanner.instances.list spanner. spanner. spanner.sessions.* storage.anywhereCaches.* storage.bucketOperations.* storage.buckets.* storage.managedFolders.* storage.multipartUploads.* storage.objects.* trafficdirector.* |
Data Labeling Service Agent: Gives Data Labeling service account read/write access to Cloud Storage and BigQuery, permission to update CMLE model versions, and editor access to the Annotation service and AutoML service. |
automl.annotationSpecs.* automl.annotations.* automl.columnSpecs.* automl.datasets.create automl.datasets.delete automl.datasets.export automl.datasets.get automl.datasets.import automl.datasets.list automl.datasets.update automl.examples.* automl.files.* automl.humanAnnotationTasks.* automl.locations.get automl.locations.list automl.modelEvaluations.* automl.models.create automl.models.delete automl.models.deploy automl.models.export automl.models.get automl.models.list automl.models.predict automl.models.undeploy automl.operations.* automl.tableSpecs.* bigquery.datasets.create bigquery.datasets.get bigquery.jobs.create bigquery.jobs.get bigquery.tables.create bigquery.tables.get bigquery.tables.getData ml.jobs.create ml.jobs.get ml.jobs.getIamPolicy ml.jobs.list ml.locations.* ml.models.* ml.operations.get ml.operations.list ml.projects.getConfig ml.studies.* ml.trials.* ml.versions.* resourcemanager.projects.get resourcemanager.projects.list serviceusage.services.get serviceusage.services.list storage.objects.create storage.objects.delete storage.objects.get storage.objects.list storage.objects.update |
Database Migration Service Agent: Gives Cloud Database Migration service account access to Cloud SQL resources. |
alloydb.clusters.create alloydb.clusters.delete alloydb. alloydb.clusters.get alloydb.clusters.list alloydb.clusters.update alloydb.instances.connect alloydb.instances.create alloydb.instances.delete alloydb.instances.get alloydb.instances.list alloydb.instances.update alloydb.operations.get alloydb.operations.list cloudsql.instances.connect cloudsql.instances.create cloudsql.instances.delete cloudsql. cloudsql.instances.get cloudsql.instances.import cloudsql.instances.list cloudsql.instances.migrate cloudsql. cloudsql.instances.restart cloudsql. cloudsql.instances.stopReplica cloudsql.instances.update compute.forwardingRules.use compute.globalAddresses.create compute. compute.globalAddresses.delete compute. compute.globalAddresses.get compute.globalOperations.get compute.networks.addPeering compute.networks.get compute.networks.list compute. compute.networks.removePeering compute.networks.use compute.regionOperations.get compute.regionOperations.list compute.routers.list compute.routes.get compute.routes.list compute.serviceAttachments.get compute. compute. compute.subnetworks.get compute.subnetworks.list compute.subnetworks.use storage.objects.get storage.objects.list |
Datapipelines Service Agent: Gives Datapipelines service permissions to create Dataflow & Cloud Scheduler jobs in the user project. |
appengine.applications.get bigquery.tables.get bigtable.tables.get cloudbuild.builds.create cloudbuild.builds.get cloudbuild.builds.list cloudbuild.builds.update cloudbuild.operations.* cloudscheduler.* compute.machineTypes.get compute.projects.get compute.regions.list compute.zones.list dataflow.jobs.* dataflow.messages.list dataflow.metrics.get dataflow.snapshots.* firebase.projects.get iam.serviceAccounts.actAs iam.serviceAccounts.get iam.serviceAccounts.list orgpolicy.policy.get pubsub.schemas.get pubsub.topics.get recommender. recommender. recommender. remotebuildexecution.blobs.get resourcemanager.projects.get resourcemanager.projects.list serviceusage.services.get serviceusage.services.list storage.anywhereCaches.* storage.bucketOperations.* storage.buckets.* storage.managedFolders.* storage.multipartUploads.* storage.objects.* |
Cloud Dataplex Service Agent: Gives the Dataplex service account access to project resources. This access will be used in data discovery, data management and data workload management. |
bigquery.bireservations.* bigquery.capacityCommitments.* bigquery.config.* bigquery.connections.* bigquery.dataPolicies.create bigquery.dataPolicies.delete bigquery.dataPolicies.get bigquery. bigquery.dataPolicies.list bigquery. bigquery.dataPolicies.update bigquery.datasets.* bigquery.jobs.* bigquery.models.* bigquery.readsessions.* bigquery. bigquery.reservations.* bigquery.routines.* bigquery. bigquery. bigquery. bigquery. bigquery. bigquery. bigquery. bigquery.savedqueries.* bigquery.tables.* bigquery.transfers.* bigquerymigration. datacatalog.catalogs.searchAll datacatalog. datacatalog. datacatalog.entries.get datacatalog.taxonomies.create datacatalog.taxonomies.delete datacatalog.taxonomies.get datacatalog.taxonomies.list datacatalog.taxonomies.update dataform.* dataplex.assets.getIamPolicy dataplex.environments.execute dataplex.environments.get dataplex.environments.list dataplex.lakes.get dataplex.lakes.getIamPolicy dataplex.zones.getIamPolicy dataproc.batches.cancel dataproc.batches.create dataproc.batches.get dataproc.operations.cancel dataproc.operations.get dataproc.operations.list firebase.projects.get iam.serviceAccounts.actAs logging.logEntries.create logging.logEntries.route metastore.services.get monitoring. monitoring. monitoring. monitoring. monitoring.timeSeries.create orgpolicy.policy.get recommender. recommender. resourcemanager.projects.get resourcemanager.projects.list servicemanagement. serviceusage.services.use storage.anywhereCaches.* storage.bucketOperations.* storage.buckets.* storage.managedFolders.* storage.multipartUploads.* storage.objects.* |
Dataprep Service Agent: Dataprep service identity. Includes access to service accounts. |
bigquery.bireservations.get bigquery. bigquery. bigquery.config.get bigquery.datasets.create bigquery.datasets.get bigquery.datasets.getIamPolicy bigquery.datasets.updateTag bigquery.jobs.create bigquery.jobs.list bigquery.models.* bigquery.readsessions.* bigquery. bigquery. bigquery.reservations.get bigquery.reservations.list bigquery.routines.* bigquery.savedqueries.get bigquery.savedqueries.list bigquery.tables.create bigquery.tables.createIndex bigquery.tables.createSnapshot bigquery.tables.delete bigquery.tables.deleteIndex bigquery.tables.export bigquery.tables.get bigquery.tables.getData bigquery.tables.getIamPolicy bigquery.tables.list bigquery.tables.replicateData bigquery. bigquery.tables.update bigquery.tables.updateData bigquery.tables.updateTag bigquery.transfers.get bigquerymigration. cloudbuild.builds.create cloudbuild.builds.get cloudbuild.builds.list cloudbuild.builds.update cloudbuild.operations.* compute.acceleratorTypes.* compute.addresses.get compute.addresses.list compute.autoscalers.get compute.autoscalers.list compute.backendBuckets.get compute. compute.backendBuckets.list compute. compute. compute.backendServices.get compute. compute.backendServices.list compute. compute. compute.commitments.get compute.commitments.list compute.diskTypes.* compute.disks.get compute.disks.getIamPolicy compute.disks.list compute. compute.disks.listTagBindings compute. compute. compute.firewallPolicies.get compute. compute.firewallPolicies.list compute. compute. compute.firewalls.get compute.firewalls.list compute. compute. compute.forwardingRules.get compute.forwardingRules.list compute. compute. compute.futureReservations.get compute. compute. compute.globalAddresses.get compute.globalAddresses.list compute. compute. compute. compute. compute. compute. compute. compute. compute. compute.globalOperations.get compute. compute.globalOperations.list compute. compute. compute.healthChecks.get compute.healthChecks.list compute. compute. 
compute.httpHealthChecks.get compute.httpHealthChecks.list compute. compute. compute.httpsHealthChecks.get compute.httpsHealthChecks.list compute. compute. compute.images.get compute.images.getFromFamily compute.images.getIamPolicy compute.images.list compute. compute.images.listTagBindings compute. compute. compute. compute. compute.instanceGroups.get compute.instanceGroups.list compute.instanceSettings.get compute.instanceTemplates.get compute. compute.instanceTemplates.list compute.instances.get compute. compute. compute.instances.getIamPolicy compute. compute. compute. compute. compute.instances.list compute. compute. compute. compute.instantSnapshots.get compute. compute.instantSnapshots.list compute. compute. compute. compute. compute.interconnects.get compute.interconnects.list compute.licenseCodes.get compute. compute.licenseCodes.list compute.licenses.get compute.licenses.getIamPolicy compute.licenses.list compute.machineImages.get compute. compute.machineImages.list compute.machineTypes.* compute. compute. compute. compute.networkAttachments.get compute. compute. compute. compute. compute. compute. compute. compute. compute. compute.networks.get compute. compute. compute.networks.list compute. compute. compute. compute.nodeGroups.get compute. compute.nodeGroups.list compute.nodeTemplates.get compute. compute.nodeTemplates.list compute.nodeTypes.* compute. compute.packetMirrorings.get compute.packetMirrorings.list compute.projects.get compute. compute. compute. compute. compute. compute. compute. compute. compute. compute. compute. compute. compute. compute. compute. compute. compute.regionHealthChecks.get compute. compute. compute. compute. compute. compute. compute. compute. compute. compute.regionOperations.get compute. compute.regionOperations.list compute. compute. compute. compute. compute. compute. compute. compute. compute.regionSslPolicies.get compute.regionSslPolicies.list compute. compute. compute. compute. compute. compute. compute. compute. 
compute. compute. compute. compute.regionUrlMaps.get compute.regionUrlMaps.list compute. compute. compute.regionUrlMaps.validate compute.regions.* compute.reservations.get compute.reservations.list compute.resourcePolicies.get compute. compute.resourcePolicies.list compute.routers.get compute.routers.getRoutePolicy compute.routers.list compute.routers.listBgpRoutes compute. compute.routes.get compute.routes.list compute. compute.routes.listTagBindings compute.securityPolicies.get compute. compute.securityPolicies.list compute. compute. compute.serviceAttachments.get compute. compute. compute.snapshotSettings.get compute.snapshots.get compute.snapshots.getIamPolicy compute.snapshots.list compute. compute. compute.sslCertificates.get compute.sslCertificates.list compute. compute. compute.sslPolicies.get compute.sslPolicies.list compute. compute. compute. compute.storagePools.get compute. compute.storagePools.list compute.subnetworks.get compute. compute.subnetworks.list compute. compute. compute.targetGrpcProxies.get compute.targetGrpcProxies.list compute.targetHttpProxies.get compute.targetHttpProxies.list compute. compute. compute.targetHttpsProxies.get compute. compute. compute. compute.targetInstances.get compute.targetInstances.list compute. compute. compute.targetPools.get compute.targetPools.list compute. compute. compute.targetSslProxies.get compute.targetSslProxies.list compute. compute. compute.targetTcpProxies.get compute.targetTcpProxies.list compute. compute. compute.targetVpnGateways.get compute.targetVpnGateways.list compute.urlMaps.get compute.urlMaps.list compute. compute. compute.urlMaps.validate compute.vpnGateways.get compute.vpnGateways.list compute.vpnTunnels.get compute.vpnTunnels.list compute.zoneOperations.get compute. 
compute.zoneOperations.list compute.zones.* dataflow.jobs.* dataflow.messages.list dataflow.metrics.get dataflow.snapshots.* dataform.locations.* dataform.repositories.create dataform.repositories.list iam.serviceAccounts.actAs iam.serviceAccounts.get iam.serviceAccounts.list orgpolicy.policy.get recommender. remotebuildexecution.blobs.get resourcemanager.projects.get resourcemanager.projects.list serviceusage.quotas.get serviceusage.services.get serviceusage.services.list storage.buckets.get storage.buckets.list storage.managedFolders.create storage.managedFolders.delete storage.managedFolders.get storage.managedFolders.list storage.multipartUploads.* storage.objects.* |
Dataproc Service Agent: Gives Dataproc Service Account access to service accounts, compute resources, storage resources, and Kubernetes resources. Includes access to service accounts. |
compute.acceleratorTypes.* compute. compute. compute.addresses.get compute.addresses.list compute.addresses.use compute.addresses.useInternal compute.autoscalers.* compute.diskTypes.* compute.disks.create compute.disks.createSnapshot compute.disks.createTagBinding compute.disks.delete compute.disks.get compute.disks.list compute.disks.resize compute.disks.setLabels compute. compute. compute. compute.disks.update compute.disks.use compute.disks.useReadOnly compute.firewalls.get compute.firewalls.list compute.globalAddresses.get compute.globalAddresses.list compute.globalAddresses.use compute. compute.globalOperations.get compute.globalOperations.list compute.images.get compute.images.getFromFamily compute.images.list compute.images.useReadOnly compute. compute.instanceGroups.* compute.instanceSettings.get compute.instanceTemplates.* compute.instances.* compute.licenses.get compute.licenses.list compute.machineImages.* compute.machineTypes.* compute. compute.networks.get compute. compute.networks.list compute. compute. compute.networks.use compute.networks.useExternalIp compute.nodeGroups.get compute.nodeTypes.get compute.projects.get compute. compute.regionOperations.get compute.regionOperations.list compute.regions.* compute.reservations.get compute.reservations.list compute. compute.storagePools.get compute.storagePools.list compute.storagePools.use compute.subnetworks.get compute.subnetworks.list compute. compute. compute.subnetworks.use compute. compute.targetPools.get compute.targetPools.list compute. compute. compute.zoneOperations.get compute.zoneOperations.list compute.zones.* container. container.clusterRoles.* container.clusters.get container.clusters.update container. container. container. container. container. container.namespaces.create container.namespaces.delete container.namespaces.get container.namespaces.list container.namespaces.update container.operations.get container.roleBindings.* container.roles.bind container.roles.escalate dataproc. 
dataproc. dataproc. dataproc. dataproc. dataproc. dataproc. dataproc.clusters.* dataproc.jobs.* dataproc.nodeGroups.* dataproc.operations.cancel dataproc.sessions.* firebase.projects.get iam.serviceAccounts.actAs iam. metastore.services.get orgpolicy.policy.get recommender. recommender. resourcemanager.projects.get resourcemanager.projects.list serviceusage.quotas.get serviceusage.services.get serviceusage.services.list serviceusage.services.use storage.anywhereCaches.* storage.bucketOperations.* storage.buckets.* storage.managedFolders.* storage.multipartUploads.* storage.objects.* |
Datastream Service Agent: Grants Cloud Datastream permissions to write data in the user project. |
bigquery.datasets.create bigquery.datasets.get bigquery.jobs.create bigquery.jobs.delete bigquery.jobs.get bigquery.jobs.list bigquery.jobs.update bigquery.tables.create bigquery.tables.get bigquery.tables.getData bigquery.tables.list bigquery.tables.update bigquery.tables.updateData compute.globalAddresses.create compute. compute.globalAddresses.delete compute. compute.globalAddresses.get compute.globalOperations.get compute.networks.addPeering compute.networks.get compute. compute.networks.removePeering compute.networks.use compute.routes.get compute.routes.list compute.subnetworks.get compute.subnetworks.list pubsub.topics.publish storage.buckets.get storage.objects.create storage.objects.get storage.objects.list |
Data Studio Service Agent: Grants Data Studio Service Account access to manage resources. |
bigquery.jobs.create |
Dialogflow Service Agent: Gives Dialogflow Service Account access to resources on behalf of user project for Integrations (Facebook Messenger, Slack, Telephony, etc.), BigQuery, Discovery Engine, and Vertex. |
aiplatform.endpoints.get aiplatform.endpoints.predict aiplatform.models.get bigquery.jobs.create bigquery.tables.get bigquery.tables.getData bigquery.tables.updateData cloudfunctions. dialogflow.agents.export dialogflow.agents.get dialogflow.agents.list dialogflow.agents.search dialogflow. dialogflow.answerrecords.get dialogflow.answerrecords.list dialogflow.callMatchers.list dialogflow.changelogs.* dialogflow.contexts.* dialogflow. dialogflow. dialogflow. dialogflow. dialogflow. dialogflow. dialogflow.conversations.* dialogflow.deployments.* dialogflow.documents.get dialogflow.documents.list dialogflow.encryptionspec.get dialogflow.entityTypes.get dialogflow.entityTypes.list dialogflow.environments.get dialogflow.environments.list dialogflow. dialogflow.examples.get dialogflow.examples.list dialogflow.experiments.get dialogflow.experiments.list dialogflow.flows.get dialogflow.flows.list dialogflow.fulfillments.get dialogflow.generators.get dialogflow.generators.list dialogflow.integrations.get dialogflow.integrations.list dialogflow.intents.get dialogflow.intents.list dialogflow.knowledgeBases.get dialogflow.knowledgeBases.list dialogflow.messages.list dialogflow.modelEvaluations.* dialogflow.operations.get dialogflow.pages.get dialogflow.pages.list dialogflow.participants.* dialogflow. dialogflow. dialogflow.phoneNumbers.list dialogflow.playbooks.get dialogflow.playbooks.list dialogflow. dialogflow. dialogflow. dialogflow.sessions.* dialogflow. dialogflow. dialogflow.testcases.get dialogflow.testcases.list dialogflow.tools.get dialogflow.tools.list dialogflow. dialogflow. dialogflow.versions.get dialogflow.versions.list dialogflow.webhooks.get dialogflow.webhooks.list discoveryengine.engines.delete discoveryengine.engines.get discoveryengine. dlp.deidentifyTemplates.get dlp.deidentifyTemplates.list dlp.inspectTemplates.get dlp.inspectTemplates.list logging.logEntries.create logging.logEntries.route pubsub.snapshots.seek pubsub.subscriptions.consume pubsub. 
pubsub.topics.publish resourcemanager.projects.get resourcemanager.projects.list run.jobs.run run.routes.invoke serviceusage.services.use speakerid.phrases.* speakerid.speakers.* speech.adaptations.execute speech.customClasses.get speech.customClasses.list speech.phraseSets.get speech.phraseSets.list speech.recognizers.get speech.recognizers.list storage.managedFolders.get storage.managedFolders.list storage.objects.create storage.objects.get storage.objects.list |
Discovery Engine Service Agent: Discovery Engine service uploads documents and user events from Cloud Storage and BigQuery, reports results to the customer Cloud Storage bucket, writes logs to customer projects using Cloud Logging, and writes and reads metrics for the customer using Cloud Monitoring. |
alloydb.instances.get alloydb.operations.get bigquery.datasets.create bigquery.datasets.get bigquery.jobs.create bigquery.jobs.get bigquery.jobs.list bigquery.jobs.update bigquery.tables.create bigquery.tables.export bigquery.tables.get bigquery.tables.getData bigquery.tables.list bigquery.tables.update bigquery.tables.updateData bigtable.tables.readRows bigtable.tables.sampleRowKeys cloudsql.databases.get cloudsql.instances.export cloudsql.instances.get datastore.databases.export datastore.databases.get datastore. datastore.operations.get discoveryengine. discoveryengine. discoveryengine. discoveryengine. discoveryengine. logging.logEntries.create monitoring. monitoring. monitoring. monitoring. monitoring.timeSeries.* spanner. spanner. spanner.databases.select spanner.sessions.create storage.buckets.create storage.buckets.get storage.objects.create storage.objects.delete storage.objects.get storage.objects.list storage.objects.update |
DLP API Service Agent: Gives the Cloud DLP API service agent permissions for BigQuery, Cloud Storage, Datastore, Pub/Sub, and Cloud KMS. |
appengine.applications.get bigquery.config.get bigquery.dataPolicies.create bigquery.dataPolicies.delete bigquery.dataPolicies.get bigquery. bigquery.dataPolicies.list bigquery. bigquery.dataPolicies.update bigquery.datasets.* bigquery.jobs.create bigquery.jobs.get bigquery.jobs.update bigquery.models.* bigquery.readsessions.* bigquery.routines.* bigquery. bigquery. bigquery. bigquery. bigquery. bigquery. bigquery.tables.* cloudasset. cloudasset. cloudkms. cloudkms.locations.get cloudkms.locations.list datacatalog. datacatalog.tagTemplates.* dataform.locations.* dataform.repositories.create dataform.repositories.list datastore.databases.get datastore. datastore.databases.list datastore.entities.* datastore.indexes.list datastore.namespaces.* datastore.statistics.* dlp.analyzeRiskTemplates.get dlp.analyzeRiskTemplates.list dlp.deidentifyTemplates.get dlp.deidentifyTemplates.list dlp.inspectTemplates.get dlp.inspectTemplates.list dlp.jobs.* dlp.kms.encrypt firebase.projects.get orgpolicy.policy.get pubsub.* recommender. recommender. resourcemanager.projects.get resourcemanager.projects.list serviceusage.quotas.get serviceusage.services.get serviceusage.services.list serviceusage.services.use storage.anywhereCaches.* storage.bucketOperations.* storage.buckets.* storage.managedFolders.* storage.multipartUploads.* storage.objects.* |
DocumentAI Core Service Agent: Gives DocumentAI Core Service Account access to consumer resources. |
automl.models.predict documentai. storage.buckets.get storage.objects.create storage.objects.delete storage.objects.get storage.objects.list storage.objects.update |
Edge Container Cluster Service Agent: Grants the Edge Container Cluster Service Account access to manage resources. |
gkehub.endpoints.connect gkehub.features.create gkehub.features.get gkehub.features.list gkehub.features.update gkehub.fleet.create gkehub.fleet.delete gkehub.fleet.get gkehub.locations.* gkehub.memberships.create gkehub.memberships.delete gkehub. gkehub.memberships.get gkehub.memberships.list gkehub.memberships.update gkehub.operations.* logging.logEntries.create monitoring.dashboards.* monitoring. monitoring. monitoring. monitoring. monitoring. monitoring. monitoring. monitoring.publicWidgets.get monitoring.publicWidgets.list monitoring.services.get monitoring.services.list monitoring.slos.get monitoring.slos.list monitoring.snoozes.get monitoring.snoozes.list monitoring.timeSeries.* monitoring. opsconfigmonitoring. resourcemanager.projects.get resourcemanager.projects.list serviceusage.operations.get serviceusage.operations.list serviceusage.quotas.get serviceusage.services.get serviceusage.services.list stackdriver. storage.buckets.create storage.buckets.get storage.buckets.list storage.buckets.update storage.objects.create storage.objects.delete storage.objects.get storage.objects.list storage.objects.update |
Edge Container Service Agent( Grants the Edge Container Service Account access to manage resources. |
compute. compute. compute. compute. compute.globalOperations.get compute.networks.get compute.networks.updatePolicy compute.regionOperations.get compute.routers.create compute.routers.delete compute.routers.get compute.routers.list compute.routers.update compute.routers.use compute.vpnGateways.create compute.vpnGateways.delete compute.vpnGateways.get compute.vpnGateways.use compute.vpnTunnels.create compute.vpnTunnels.delete compute.vpnTunnels.get gkehub.memberships.create gkehub.memberships.delete gkehub. gkehub.memberships.get gkehub.memberships.update gkehub.operations.cancel gkehub.operations.get |
Cloud Endpoints Service Agent( Gives the Cloud Endpoints service account access to Endpoints services and the ability to act as a service controller. |
servicemanagement. servicemanagement.services.get servicemanagement. servicemanagement. |
Endpoints Portal Service Agent( Can access information about Endpoints services for consumer portal management, and can read Source Repositories for consumer portal custom content. |
servicemanagement.services.get servicemanagement. source.repos.get |
Enterprise Knowledge Graph Service Agent( Gives Enterprise Knowledge Graph Service Account access to consumer resources. |
bigquery.config.get bigquery.datasets.create bigquery.datasets.get bigquery.jobs.create bigquery.readsessions.create bigquery.readsessions.getData bigquery.tables.create bigquery.tables.get bigquery.tables.getData bigquery.tables.list bigquery.tables.update bigquery.tables.updateData dataform.locations.* dataform.repositories.create dataform.repositories.list resourcemanager.projects.get resourcemanager.projects.list storage.objects.get storage.objects.list |
Eventarc Service Agent( Gives Eventarc service account access to managed resources. |
cloudfunctions.functions.get compute. compute.networkAttachments.get compute. compute.regionOperations.get container.clusters.get container.deployments.create container.deployments.delete container.deployments.get container.deployments.list container.deployments.update container.namespaces.create container.namespaces.delete container.namespaces.get container.namespaces.list container. container. container.serviceAccounts.get container.serviceAccounts.list container.services.get container.services.list dns. eventarc.channels.publish iam.serviceAccounts.actAs iam. iam. monitoring.timeSeries.create pubsub.subscriptions.consume pubsub.subscriptions.create pubsub.subscriptions.delete pubsub.subscriptions.get pubsub.subscriptions.list pubsub.subscriptions.update pubsub. pubsub.topics.create pubsub.topics.delete pubsub.topics.get pubsub.topics.list pubsub.topics.publish pubsub.topics.update run.jobs.get run.services.get serviceusage.services.use storage.buckets.get storage.buckets.update workflows.workflows.get |
Cloud Filestore Service Agent( Gives Cloud Filestore service account access to managed resources. |
compute.globalOperations.get compute.networks.addPeering compute.networks.get compute.networks.removePeering compute.networks.update compute.networks.updatePeering compute.routes.list monitoring. monitoring. monitoring. monitoring. monitoring.timeSeries.create resourcemanager.projects.get resourcemanager.projects.list |
Firebase App Distribution Admin SDK Service Agent( Read and write access to Firebase App Distribution with the Admin SDK |
firebaseappdistro.* |
Firebase Service Management Service Agent( Access to create new service agents for Firebase projects; assign roles to service agents; provision GCP resources as required by Firebase services. |
apikeys.keys.create apikeys.keys.get apikeys.keys.list apikeys.keys.update appengine.applications.create appengine.applications.get appengine.applications.update appengine.operations.get appengine.services.list bigquery.datasets.create bigquery.datasets.get bigquery.datasets.update bigquery.transfers.* clientauthconfig.brands.create clientauthconfig.brands.update clientauthconfig. clientauthconfig. clientauthconfig.clients.list clientauthconfig. firebase.clients.create firebase.clients.delete firebase.clients.get firebase.clients.undelete firebase.projects.* firebaseabt.experiments.delete firebaseauth.configs.create firebaseauth.configs.get firebaseauth.configs.update firebaserules.releases.create firebaserules.releases.delete firebaserules.releases.get firebaserules.rulesets.create firebasestorage. iam.roles.get iam.serviceAccounts.create iam.serviceAccounts.get iam.serviceAccounts.list resourcemanager. resourcemanager.projects.get resourcemanager. resourcemanager. resourcemanager. servicemanagement. serviceusage.services.enable serviceusage.services.get serviceusage.services.use storage.buckets.create storage.buckets.get storage.buckets.getIamPolicy storage.buckets.list storage.buckets.setIamPolicy |
Firebase Realtime Database Service Agent( Access to publish triggers |
pubsub.topics.publish serviceusage.services.use |
Firebase Rules Firestore Service Agent( Grants Firebase Security Rules access to Firestore for providing cross-service Rules. |
datastore.entities.get |
Cloud Storage for Firebase Service Agent( Access to Cloud Storage for Firebase through API and SDK. |
storage.buckets.get storage.buckets.getIamPolicy storage.objects.create storage.objects.delete storage.objects.get storage.objects.getIamPolicy storage.objects.list storage.objects.update |
Firestore Service Agent( Gives Firestore service account access to managed resources. |
storage.buckets.get storage.objects.create storage.objects.delete storage.objects.get storage.objects.list |
Cloud Firewall Insights Service Agent( Gives Cloud Firewall Insights service agent permissions to retrieve Firewall, VM and route resources on user behalf. |
compute.backendServices.list compute.firewalls.get compute.firewalls.list compute.forwardingRules.list compute.healthChecks.list compute.httpHealthChecks.list compute.httpsHealthChecks.list compute.instanceGroups.list compute.instances.get compute.instances.list compute. compute.networks.list compute.projects.get compute. compute.routers.list compute.routes.get compute.routes.list compute.subnetworks.list compute.targetHttpProxies.list compute. compute.targetPools.list compute.targetSslProxies.list compute.targetTcpProxies.list compute.targetVpnGateways.list compute.urlMaps.list compute.vpnGateways.list compute.vpnTunnels.list |
FleetEngine Service Agent( Grants the FleetEngine Service Account access to manage resources. |
bigquery.config.get bigquery.datasets.get bigquery.jobs.create bigquery.tables.getData dataform.locations.* dataform.repositories.create dataform.repositories.list resourcemanager.projects.get resourcemanager.projects.list |
Game Services Service Agent( Gives Game Services Service Account access to GCP resources. |
container.apiServices.* container.auditSinks.* container.backendConfigs.* container.bindings.* container. container. container. container. container. container. container. container. container. container. container.clusterRoles.bind container.clusterRoles.create container. container.clusterRoles.get container.clusterRoles.list container.clusterRoles.update container.clusters.create container.clusters.delete container.clusters.get container.clusters.list container.clusters.update container.componentStatuses.* container.configMaps.* container. container. container.cronJobs.* container.csiDrivers.* container.csiNodeInfos.* container.csiNodes.* container. container.daemonSets.* container.deployments.* container.endpointSlices.* container.endpoints.* container.events.* container.frontendConfigs.* container. container.ingresses.* container. container.jobs.* container.leases.* container.limitRanges.* container. container. container. container.namespaces.* container.networkPolicies.* container.nodes.* container.operations.* container. container.persistentVolumes.* container.petSets.* container. container.podPresets.* container. container. container.podTemplates.* container.pods.* container.priorityClasses.* container.replicaSets.* container. container.resourceQuotas.* container.roleBindings.create container.roleBindings.get container.roleBindings.list container.roles.bind container.roles.create container.roles.escalate container.roles.get container.roles.list container.runtimeClasses.* container.scheduledJobs.* container.secrets.* container. container. container.serviceAccounts.* container.services.* container.statefulSets.* container.storageClasses.* container.storageStates.* container. container. container.thirdPartyObjects.* container. container.tokenReviews.create container.updateInfos.* container. container.volumeAttachments.* container. container. 
container.volumeSnapshots.* gkehub.features.get gkehub.features.getIamPolicy gkehub.features.list gkehub.fleet.get gkehub.fleet.getFreeTrial gkehub.locations.* gkehub.membershipbindings.get gkehub.membershipbindings.list gkehub. gkehub.memberships.get gkehub. gkehub.memberships.list gkehub.namespaces.get gkehub.namespaces.list gkehub.operations.get gkehub.operations.list gkehub.rbacrolebindings.get gkehub.rbacrolebindings.list gkehub.scopes.get gkehub.scopes.list gkehub. iam.serviceAccounts.actAs recommender. recommender. recommender.locations.* recommender. recommender. resourcemanager.projects.get resourcemanager.projects.list |
Genomics Service Agent( Gives Genomics Service Account access to compute resources. Includes access to service accounts. |
compute.acceleratorTypes.* compute. compute. compute.addresses.get compute.addresses.list compute.addresses.use compute.addresses.useInternal compute.autoscalers.* compute.backendBuckets.get compute.backendBuckets.list compute. compute. compute.backendServices.get compute.backendServices.list compute. compute. compute.diskTypes.* compute.disks.* compute. compute. compute.firewalls.get compute.firewalls.list compute. compute. compute.forwardingRules.get compute.forwardingRules.list compute. compute. compute.globalAddresses.get compute.globalAddresses.list compute.globalAddresses.use compute. compute. compute. compute. compute. compute. compute.globalOperations.get compute.globalOperations.list compute.healthChecks.get compute.healthChecks.list compute. compute. compute.httpHealthChecks.get compute.httpHealthChecks.list compute. compute. compute.httpsHealthChecks.get compute.httpsHealthChecks.list compute. compute. compute.images.* compute. compute.instanceGroups.* compute.instanceSettings.* compute.instanceTemplates.* compute.instances.* compute.instantSnapshots.* compute. compute. compute. compute. compute.interconnects.get compute.interconnects.list compute.licenseCodes.* compute.licenses.* compute.machineImages.* compute.machineTypes.* compute.networkAttachments.get compute. compute. compute.networks.get compute.networks.list compute. compute. compute.networks.use compute.networks.useExternalIp compute.projects.get compute. compute. compute. compute. compute. compute. compute. compute.regionHealthChecks.get compute. compute. compute. compute. compute. compute. compute.regionOperations.get compute.regionOperations.list compute. compute. compute. compute. compute.regionSslPolicies.get compute.regionSslPolicies.list compute. compute. compute. compute. compute. compute. compute. compute. compute. compute. compute. compute.regionUrlMaps.get compute.regionUrlMaps.list compute. compute. 
compute.regions.* compute.reservations.get compute.reservations.list compute.resourcePolicies.* compute.routers.get compute.routers.getRoutePolicy compute.routers.list compute.routers.listBgpRoutes compute. compute.routes.get compute.routes.list compute. compute.routes.listTagBindings compute.serviceAttachments.get compute. compute.snapshots.* compute.sslCertificates.get compute.sslCertificates.list compute. compute. compute.sslPolicies.get compute.sslPolicies.list compute. compute. compute. compute.storagePools.get compute.storagePools.list compute.storagePools.use compute.subnetworks.get compute.subnetworks.list compute. compute. compute.subnetworks.use compute. compute.targetGrpcProxies.get compute.targetGrpcProxies.list compute.targetHttpProxies.get compute.targetHttpProxies.list compute. compute. compute.targetHttpsProxies.get compute. compute. compute. compute.targetInstances.get compute.targetInstances.list compute. compute. compute.targetPools.get compute.targetPools.list compute. compute. compute.targetSslProxies.get compute.targetSslProxies.list compute. compute. compute.targetTcpProxies.get compute.targetTcpProxies.list compute. compute. compute.targetVpnGateways.get compute.targetVpnGateways.list compute.urlMaps.get compute.urlMaps.list compute. compute. compute.vpnGateways.get compute.vpnGateways.list compute.vpnTunnels.get compute.vpnTunnels.list compute.zoneOperations.get compute.zoneOperations.list compute.zones.* iam.serviceAccounts.actAs pubsub.topics.publish resourcemanager.projects.get resourcemanager.projects.list serviceusage.quotas.get serviceusage.services.get serviceusage.services.list serviceusage.services.use |
Backup for GKE Service Agent( Grants the Backup for GKE Service Account access to managed resources. |
compute.disks.create compute.disks.createSnapshot compute.disks.get compute.disks.list compute.disks.setLabels compute.disks.useReadOnly compute.globalOperations.get compute.regionOperations.get compute.snapshots.delete compute.snapshots.get compute.zoneOperations.get container.apiServices.* container.auditSinks.* container.backendConfigs.* container.bindings.* container. container. container. container. container. container. container. container. container.clusterRoles.get container.clusterRoles.list container.clusters.get container.clusters.list container.clusters.update container.componentStatuses.* container.configMaps.* container. container. container.cronJobs.* container.csiDrivers.* container.csiNodeInfos.* container.csiNodes.* container. container.daemonSets.* container.deployments.* container.endpointSlices.* container.endpoints.* container.events.* container.frontendConfigs.* container. container.ingresses.* container. container.jobs.* container.leases.* container.limitRanges.* container. container. container. container. container.namespaces.* container.networkPolicies.* container.nodes.* container.operations.* container. container.persistentVolumes.* container.petSets.* container. container.podPresets.* container. container. container.podTemplates.* container.pods.* container.priorityClasses.* container.replicaSets.* container. container.resourceQuotas.* container.roleBindings.get container.roleBindings.list container.roles.get container.roles.list container.runtimeClasses.* container.scheduledJobs.* container.secrets.* container. container. container.serviceAccounts.* container.services.* container.statefulSets.* container.storageClasses.* container.storageStates.* container. container. container.thirdPartyObjects.* container. container.tokenReviews.create container.updateInfos.* container. container. container.volumeAttachments.* container. container. container.volumeSnapshots.* gkebackup.operations.get recommender. recommender. 
recommender.locations.* recommender. recommender. resourcemanager.projects.get resourcemanager.projects.list resourcemanager. |
Warp Run Service Agent( Gives the Warp Run service agent access to Cloud Platform resources. |
resourcemanager.projects.get resourcemanager.projects.list |
GKE Hub Cross Project Service Agent( Gives the GKE Hub service agent permission to manage the project for cross-project fleet registration. |
resourcemanager. resourcemanager. |
GKE Hub Service Agent( Gives the GKE Hub service agent access to Cloud Platform resources. |
container. container.clusterRoles.* container.clusters.get container.clusters.update container. container. container. container. container. container.namespaces.get container.operations.get container.thirdPartyObjects.* gkehub.features.create gkehub.features.get gkehub.features.list gkehub.fleet.create gkehub.fleet.get gkehub.locations.* gkehub.memberships.create gkehub. gkehub.memberships.get gkehub.memberships.list gkehub.operations.get gkemulticloud.awsClusters.get gkemulticloud. gkeonprem. gkeonprem.vmwareClusters.get logging.buckets.create logging.buckets.get logging.buckets.list logging.buckets.update logging.exclusions.* logging.sinks.* logging.views.create logging.views.get logging.views.list logging.views.update monitoring.metricsScopes.link resourcemanager.projects.get resourcemanager.projects.list serviceusage.services.get serviceusage.services.list |
Anthos Multi-Cloud Container Service Agent( Grants the Anthos Multi-Cloud Container Service Account access to manage resources. |
binaryauthorization. binaryauthorization. binaryauthorization. binaryauthorization. binaryauthorization.policy.get cloudnotifications. kubernetesmetadata.* logging.logEntries.create logging.logEntries.route monitoring.alertPolicies.get monitoring.alertPolicies.list monitoring.dashboards.get monitoring.dashboards.list monitoring.groups.get monitoring.groups.list monitoring. monitoring. monitoring. monitoring. monitoring. monitoring. monitoring. monitoring.publicWidgets.get monitoring.publicWidgets.list monitoring.services.get monitoring.services.list monitoring.slos.get monitoring.slos.list monitoring.snoozes.get monitoring.snoozes.list monitoring.timeSeries.* monitoring. monitoring. opsconfigmonitoring.* resourcemanager.projects.get resourcemanager.projects.list serviceusage.services.use stackdriver.projects.get stackdriver. |
Anthos Multi-Cloud Control Plane Machine Service Agent( Grants the Anthos Multi-Cloud Control Plane Machine Service Account access to manage resources. |
artifactregistry. artifactregistry. artifactregistry. serviceusage.services.use |
Anthos Multi-Cloud Node Pool Machine Service Agent( Grants the Anthos Multi-Cloud Node Pool Machine Service Account access to manage resources. |
artifactregistry. artifactregistry. artifactregistry. serviceusage.services.use |
Anthos Multi-Cloud Service Agent( Grants the Anthos Multi-Cloud Service Account access to manage resources. |
gkehub.features.* gkehub.fleet.* gkehub.locations.* gkehub.membershipbindings.* gkehub.memberships.* gkehub.namespaces.* gkehub.operations.* gkehub.rbacrolebindings.* gkehub.scopes.create gkehub.scopes.delete gkehub.scopes.get gkehub.scopes.getIamPolicy gkehub.scopes.list gkehub. gkehub.scopes.update gkemulticloud. gkemulticloud. gkemulticloud. gkemulticloud. gkemulticloud. resourcemanager.projects.get resourcemanager.projects.list |
GKE On-Prem Service Agent( Gives the GKE On-Prem service agent access to Cloud Platform resources. |
gkehub.memberships.delete gkehub.memberships.get gkehub.memberships.update gkeonprem. gkeonprem. gkeonprem. gkeonprem. gkeonprem. gkeonprem. gkeonprem. gkeonprem. gkeonprem. gkeonprem. gkeonprem.operations.get gkeonprem.operations.list gkeonprem. gkeonprem. gkeonprem. gkeonprem. gkeonprem. gkeonprem.vmwareClusters.get gkeonprem. gkeonprem. gkeonprem.vmwareNodePools.get gkeonprem. |
Healthcare Service Agent( Gives the Healthcare Service Account access to networks, Kubernetes engine, and pubsub resources. |
cloudnotifications. monitoring.alertPolicies.get monitoring.alertPolicies.list monitoring.dashboards.get monitoring.dashboards.list monitoring.groups.get monitoring.groups.list monitoring. monitoring. monitoring. monitoring. monitoring. monitoring. monitoring. monitoring.publicWidgets.get monitoring.publicWidgets.list monitoring.services.get monitoring.services.list monitoring.slos.get monitoring.slos.list monitoring.snoozes.get monitoring.snoozes.list monitoring.timeSeries.* monitoring. monitoring. opsconfigmonitoring. pubsub.snapshots.seek pubsub.subscriptions.consume pubsub. pubsub.topics.publish resourcemanager.projects.get resourcemanager.projects.list stackdriver.projects.get stackdriver. |
Identity Platform Service Agent( Gives Identity Platform service account access to customer project resources. |
recaptchaenterprise. recaptchaenterprise. recaptchaenterprise. recaptchaenterprise.keys.get |
Application Integration Service Agent( Service agent that grants access to execute an integration. |
cloudfunctions. cloudscheduler.jobs.create cloudscheduler.jobs.delete cloudscheduler.jobs.enable cloudscheduler.jobs.fullView cloudscheduler.jobs.get cloudscheduler.jobs.pause cloudscheduler.jobs.run cloudscheduler.jobs.update cloudscheduler.locations.* connectors.actions.* connectors. connectors.connections.get connectors.entities.* connectors.entityTypes.list iam. iam. integrations. integrations. integrations. integrations. integrations. integrations. integrations. integrations. integrations.authConfigs.* integrations.certificates.* integrations.executions.list integrations. integrations. integrations. integrations. integrations. integrations. integrations.integrations.* integrations.sfdcChannels.* integrations.sfdcInstances.* integrations.suspensions.* pubsub.schemas.attach pubsub.schemas.create pubsub.schemas.delete pubsub.schemas.get pubsub.schemas.list pubsub.schemas.validate pubsub.snapshots.create pubsub.snapshots.delete pubsub.snapshots.get pubsub.snapshots.list pubsub.snapshots.seek pubsub.snapshots.update pubsub.subscriptions.consume pubsub.subscriptions.create pubsub.subscriptions.delete pubsub.subscriptions.get pubsub.subscriptions.list pubsub.subscriptions.update pubsub. pubsub.topics.create pubsub.topics.delete pubsub. pubsub.topics.get pubsub.topics.list pubsub.topics.publish pubsub.topics.update pubsub.topics.updateTag resourcemanager.projects.get resourcemanager.projects.list run.jobs.run run.routes.invoke serviceusage.quotas.get serviceusage.services.get serviceusage.services.list storage.buckets.create storage.buckets.get storage.buckets.list storage.buckets.update storage.objects.create storage.objects.get storage.objects.list storage.objects.update |
KRM API Hosting AnthosApiEndpoint Service Agent( Grants permissions to resources managed by AnthosApiEndpoint. |
compute. container.* gkehub.features.* gkehub.fleet.* gkehub.gateway.* gkehub.locations.* gkehub.membershipbindings.* gkehub.memberships.* gkehub.namespaces.* gkehub.operations.* gkehub.rbacrolebindings.* gkehub.scopes.create gkehub.scopes.delete gkehub.scopes.get gkehub.scopes.getIamPolicy gkehub.scopes.list gkehub. gkehub.scopes.update iam.serviceAccounts.actAs meshconfig.projects.init recommender. recommender. recommender.locations.* recommender. recommender. resourcemanager.projects.get resourcemanager. resourcemanager.projects.list resourcemanager. serviceusage.services.enable serviceusage.services.get serviceusage.services.list serviceusage.services.use |
KRM API Hosting Service Agent( Gives KRM API Hosting service account access to managed resource. |
compute. compute.regions.get container.* iam.serviceAccounts.actAs recommender. recommender. recommender.locations.* recommender. recommender. resourcemanager.projects.get resourcemanager.projects.list serviceusage.services.use |
KubeRun Events Control Plane Service Agent( Service account role used to set up authentication for the control plane used by KubeRun Events. |
cloudscheduler.jobs.create cloudscheduler.jobs.delete cloudscheduler.jobs.get logging.sinks.create logging.sinks.delete logging.sinks.get pubsub.subscriptions.create pubsub.subscriptions.delete pubsub.subscriptions.get pubsub. pubsub.topics.create pubsub.topics.delete pubsub.topics.get pubsub.topics.getIamPolicy pubsub.topics.setIamPolicy resourcemanager.projects.get storage.buckets.get storage.buckets.update |
KubeRun Events Data Plane Service Agent( Service account role used to set up authentication for the data plane used by KubeRun Events. |
cloudtrace.traces.patch monitoring.timeSeries.create pubsub.subscriptions.consume pubsub.subscriptions.get pubsub.topics.get pubsub.topics.publish resourcemanager.projects.get |
Cloud Life Sciences Service Agent( Gives Cloud Life Sciences Service Account access to compute resources. Includes access to service accounts. |
compute.acceleratorTypes.* compute. compute. compute.addresses.get compute.addresses.list compute.addresses.use compute.addresses.useInternal compute.autoscalers.* compute.backendBuckets.get compute.backendBuckets.list compute. compute. compute.backendServices.get compute.backendServices.list compute. compute. compute.diskTypes.* compute.disks.* compute. compute. compute.firewalls.get compute.firewalls.list compute. compute. compute.forwardingRules.get compute.forwardingRules.list compute. compute. compute.globalAddresses.get compute.globalAddresses.list compute.globalAddresses.use compute. compute. compute. compute. compute. compute. compute.globalOperations.get compute.globalOperations.list compute.healthChecks.get compute.healthChecks.list compute. compute. compute.httpHealthChecks.get compute.httpHealthChecks.list compute. compute. compute.httpsHealthChecks.get compute.httpsHealthChecks.list compute. compute. compute.images.* compute. compute.instanceGroups.* compute.instanceSettings.* compute.instanceTemplates.* compute.instances.* compute.instantSnapshots.* compute. compute. compute. compute. compute.interconnects.get compute.interconnects.list compute.licenseCodes.* compute.licenses.* compute.machineImages.* compute.machineTypes.* compute.networkAttachments.get compute. compute. compute.networks.get compute.networks.list compute. compute. compute.networks.use compute.networks.useExternalIp compute.projects.get compute. compute. compute. compute. compute. compute. compute. compute.regionHealthChecks.get compute. compute. compute. compute. compute. compute. compute.regionOperations.get compute.regionOperations.list compute. compute. compute. compute. compute.regionSslPolicies.get compute.regionSslPolicies.list compute. compute. compute. compute. compute. compute. compute. compute. compute. compute. compute. compute.regionUrlMaps.get compute.regionUrlMaps.list compute. compute. 
compute.regions.* compute.reservations.get compute.reservations.list compute.resourcePolicies.* compute.routers.get compute.routers.getRoutePolicy compute.routers.list compute.routers.listBgpRoutes compute. compute.routes.get compute.routes.list compute. compute.routes.listTagBindings compute.serviceAttachments.get compute. compute.snapshots.* compute.sslCertificates.get compute.sslCertificates.list compute. compute. compute.sslPolicies.get compute.sslPolicies.list compute. compute. compute. compute.storagePools.get compute.storagePools.list compute.storagePools.use compute.subnetworks.get compute.subnetworks.list compute. compute. compute.subnetworks.use compute. compute.targetGrpcProxies.get compute.targetGrpcProxies.list compute.targetHttpProxies.get compute.targetHttpProxies.list compute. compute. compute.targetHttpsProxies.get compute. compute. compute. compute.targetInstances.get compute.targetInstances.list compute. compute. compute.targetPools.get compute.targetPools.list compute. compute. compute.targetSslProxies.get compute.targetSslProxies.list compute. compute. compute.targetTcpProxies.get compute.targetTcpProxies.list compute. compute. compute.targetVpnGateways.get compute.targetVpnGateways.list compute.urlMaps.get compute.urlMaps.list compute. compute. compute.vpnGateways.get compute.vpnGateways.list compute.vpnTunnels.get compute.vpnTunnels.list compute.zoneOperations.get compute.zoneOperations.list compute.zones.* iam.serviceAccounts.actAs pubsub.topics.publish resourcemanager.projects.get resourcemanager.projects.list serviceusage.quotas.get serviceusage.services.get serviceusage.services.list serviceusage.services.use |
Live Stream Service Agent( Uploads media files to customer Cloud Storage buckets. |
storage.objects.create storage.objects.delete storage.objects.get storage.objects.list storage.objects.update |
Cloud Logging Service Agent( Grants a Cloud Logging Service Account the ability to create and link datasets. |
bigquery.datasets.create bigquery.datasets.get bigquery.datasets.link |
Looker Service Agent( Gives the Looker service account permission to manage customer resources |
bigquery.config.get bigquery.datasets.get bigquery.jobs.create bigquery.models.export bigquery.models.getData bigquery.models.getMetadata bigquery.models.list bigquery.tables.create bigquery.tables.createSnapshot bigquery.tables.export bigquery.tables.get bigquery.tables.getData bigquery.tables.list compute.globalAddresses.get looker.backups.create resourcemanager.projects.get serviceusage.services.use |
Cloud Managed Identities Service Agent( Gives Managed Identities service account access to managed resources. |
compute.globalOperations.get compute.networks.addPeering compute.networks.get compute.networks.removePeering compute.networks.update compute.routes.list dns.changes.* dns.dnsKeys.* dns.managedZoneOperations.* dns.managedZones.create dns.managedZones.delete dns.managedZones.get dns.managedZones.list dns.managedZones.update dns. dns. dns.policies.create dns.policies.delete dns.policies.get dns.policies.list dns.policies.update dns.projects.get dns.resourceRecordSets.* dns.responsePolicies.* dns.responsePolicyRules.* monitoring. monitoring. monitoring. monitoring. monitoring.timeSeries.create resourcemanager.projects.get resourcemanager.projects.list |
Media Asset Service Agent( Downloads and uploads media files from and to customer Cloud Storage buckets. |
pubsub.topics.get pubsub.topics.publish storage.objects.create storage.objects.delete storage.objects.get transcoder.jobs.create transcoder.jobs.delete transcoder.jobs.get |
Cloud Memorystore Memcached Service Agent( Gives Cloud Memorystore Memcached service account access to managed resource |
compute.globalOperations.get compute.networks.addPeering compute.networks.get compute.networks.removePeering compute.networks.update compute.routes.get compute.routes.list compute.subnetworks.get compute.subnetworks.list monitoring. monitoring. monitoring. monitoring. monitoring.timeSeries.create resourcemanager.projects.get resourcemanager.projects.list |
Mesh Config Service Agent( Apply mesh configuration |
compute.backendServices.create compute.backendServices.delete compute.backendServices.get compute.backendServices.list compute. compute.backendServices.update compute.backendServices.use compute.firewalls.create compute.firewalls.delete compute.firewalls.get compute.firewalls.list compute.firewalls.update compute. compute. compute. compute. compute. compute. compute.globalOperations.get compute.globalOperations.list compute.healthChecks.create compute.healthChecks.delete compute.healthChecks.get compute.healthChecks.list compute.healthChecks.update compute.healthChecks.use compute. compute. compute. compute. compute.networks.get compute.networks.updatePolicy compute.networks.use compute. compute.subnetworks.use compute. compute. compute.targetHttpProxies.get compute.targetHttpProxies.list compute. compute.targetHttpProxies.use compute. compute. compute.targetHttpsProxies.get compute. compute. compute. compute. compute.targetHttpsProxies.use compute. compute. compute.targetSslProxies.get compute.targetSslProxies.list compute. compute. compute. compute.targetSslProxies.use compute. compute. compute.targetTcpProxies.get compute.targetTcpProxies.list compute. compute.targetTcpProxies.use compute.urlMaps.create compute.urlMaps.delete compute.urlMaps.get compute. compute.urlMaps.list compute.urlMaps.update compute.urlMaps.use compute.urlMaps.validate networksecurity. networksecurity. networksecurity. networksecurity. networksecurity. networksecurity. networksecurity. networksecurity. networksecurity. networksecurity. networkservices. networkservices. networkservices. networkservices. networkservices. networkservices. networkservices. networkservices. networkservices. networkservices. networkservices. networkservices. networkservices. networkservices. networkservices. |
Mesh Managed Control Plane Service Agent( Anthos Service Mesh Managed Control Plane Agent |
container.apiServices.* container.auditSinks.* container.backendConfigs.* container.bindings.* container. container. container.clusterRoles.* container.clusters.get container. container.clusters.list container.clusters.update container.componentStatuses.* container.configMaps.* container. container.cronJobs.* container.csiDrivers.* container.csiNodeInfos.* container.csiNodes.* container. container.daemonSets.* container.deployments.* container.endpointSlices.* container.endpoints.* container.events.* container.frontendConfigs.* container. container.hostServiceAgent.use container.ingresses.* container. container.jobs.* container.leases.* container.limitRanges.* container. container. container. container.namespaces.* container.networkPolicies.* container.nodes.* container.operations.* container. container.persistentVolumes.* container.petSets.* container. container.podPresets.* container. container.podTemplates.* container.pods.* container.priorityClasses.* container.replicaSets.* container. container.resourceQuotas.* container.roleBindings.* container.roles.* container.runtimeClasses.* container.scheduledJobs.* container.secrets.* container. container. container.serviceAccounts.* container.services.* container.statefulSets.* container.storageClasses.* container.storageStates.* container. container. container.thirdPartyObjects.* container. container.tokenReviews.create container.updateInfos.* container. container.volumeAttachments.* container. container. container.volumeSnapshots.* gkehub.features.get gkehub.features.getIamPolicy gkehub.features.list gkehub.fleet.get gkehub.fleet.getFreeTrial gkehub.gateway.* gkehub.locations.* gkehub.membershipbindings.get gkehub.membershipbindings.list gkehub. gkehub.memberships.get gkehub. gkehub.memberships.list gkehub.namespaces.get gkehub.namespaces.list gkehub.operations.get gkehub.operations.list gkehub.rbacrolebindings.get gkehub.rbacrolebindings.list gkehub.scopes.get gkehub.scopes.list gkehub. 
logging.logEntries.create logging.logEntries.route monitoring. monitoring. monitoring. monitoring. monitoring.timeSeries.create resourcemanager.projects.get resourcemanager.projects.list serviceusage.services.get serviceusage.services.use trafficdirector.* |
Mesh Data Plane Service Agent( Run user-space Istio components |
cloudtrace.traces.patch compute.forwardingRules.get compute. logging.logEntries.create logging.logEntries.route monitoring. monitoring. monitoring. monitoring. monitoring.timeSeries.create serviceusage.services.use |
Dataproc Metastore Service Agent( Gives the Dataproc Metastore service account access to managed resources. |
compute. compute. compute.addresses.get compute.addresses.use compute.forwardingRules.create compute.forwardingRules.delete compute.forwardingRules.get compute. compute. compute. compute. compute.globalAddresses.get compute.globalAddresses.list compute.globalOperations.get compute.globalOperations.list compute.networks.addPeering compute.networks.get compute.networks.removePeering compute.networks.updatePeering compute.networks.use compute.regionOperations.get compute.subnetworks.get compute.subnetworks.use dns.changes.create dns.changes.get dns.managedZones.create dns.managedZones.delete dns.managedZones.get dns.managedZones.list dns. dns. dns.resourceRecordSets.* metastore.databases.get metastore. metastore.databases.update metastore.services.get metastore.tables.get metastore.tables.setIamPolicy metastore.tables.update servicedirectory. servicedirectory. servicedirectory. servicedirectory. storage.buckets.create storage.buckets.delete storage.buckets.get storage.buckets.update storage.objects.create storage.objects.delete storage.objects.get storage.objects.list storage.objects.update |
Migration Center Service Agent( Gives Migration Center Service Account access to objects stored in object store and Cloud Migration products. |
storage.objects.get vmmigration. |
AI Platform Service Agent( AI Platform service agent can act as log writer, Cloud Storage admin, Artifact Registry Reader, BigQuery writer, and service account access token creator. |
artifactregistry. artifactregistry.files.* artifactregistry.locations.* artifactregistry. artifactregistry.npmpackages.* artifactregistry.packages.get artifactregistry.packages.list artifactregistry. artifactregistry. artifactregistry. artifactregistry. artifactregistry. artifactregistry. artifactregistry. artifactregistry. artifactregistry.tags.get artifactregistry.tags.list artifactregistry.versions.get artifactregistry.versions.list bigquery.datasets.create bigquery.datasets.get bigquery.jobs.create bigquery.jobs.get bigquery.jobs.list bigquery.jobs.update bigquery.tables.create bigquery.tables.get bigquery.tables.getData bigquery.tables.list bigquery.tables.updateData firebase.projects.get iam.serviceAccounts.get iam. iam. iam. iam.serviceAccounts.list iam.serviceAccounts.signBlob iam.serviceAccounts.signJwt logging.logEntries.create logging.logEntries.route orgpolicy.policy.get recommender. recommender. resourcemanager.projects.get resourcemanager.projects.list storage.anywhereCaches.* storage.bucketOperations.* storage.buckets.* storage.managedFolders.* storage.multipartUploads.* storage.objects.* |
Monitoring Service Agent( Grants permissions to deliver notifications directly to resources within the target project, such as delivering to Pub/Sub topics within the project. |
cloudfunctions.functions.get cloudtrace.traces.patch monitoring. monitoring. monitoring. monitoring.timeSeries.list run.routes.invoke servicedirectory. servicedirectory. serviceusage.services.use |
Multi Cluster Ingress Service Agent( Gives the Multi Cluster Ingress service agent access to Cloud Platform resources. |
certificatemanager. certificatemanager. certificatemanager. certificatemanager. certificatemanager. certificatemanager. certificatemanager. certificatemanager. certificatemanager. certificatemanager. certificatemanager. certificatemanager. certificatemanager. certificatemanager. certificatemanager. certificatemanager.certs.get certificatemanager. certificatemanager.certs.list certificatemanager. certificatemanager.certs.use certificatemanager. certificatemanager. certificatemanager. certificatemanager. certificatemanager. certificatemanager. certificatemanager. compute.addresses.create compute. compute.addresses.delete compute. compute.addresses.get compute.addresses.list compute.addresses.use compute.addresses.useInternal compute.backendServices.* compute.firewalls.* compute.forwardingRules.* compute.globalAddresses.create compute.globalAddresses.delete compute.globalAddresses.get compute.globalAddresses.list compute.globalAddresses.use compute. compute.healthChecks.* compute. compute. compute. compute.networks.updatePolicy compute.networks.use compute. compute.regionHealthChecks.* compute. compute. compute. compute.regionUrlMaps.* compute.securityPolicies.use compute.sslCertificates.* compute.sslPolicies.use compute.subnetworks.list compute.subnetworks.use compute.targetHttpProxies.* compute.targetHttpsProxies.* compute.urlMaps.* container.backendConfigs.* container.clusters.get container. container. container. container. container. container.deployments.* container.events.create container.events.update container.frontendConfigs.* container.namespaces.list container.secrets.get container.secrets.list container.services.* container.thirdPartyObjects.* gkehub.features.get gkehub.locations.* gkehub.memberships.get gkehub.memberships.list serviceusage.services.get serviceusage.services.list serviceusage.services.use |
Multi-cluster metering Service Agent( Gives the Multi-cluster metering service agent access to Cloud Platform resources. |
gkehub.features.get gkehub.locations.* gkehub.memberships.get gkehub.memberships.list |
Multi-Cluster Service Discovery Service Agent( Gives the Multi-Cluster Service Discovery service access to Cloud Platform resources. |
compute.backendServices.* compute.firewalls.* compute.forwardingRules.* compute. compute.globalOperations.get compute.healthChecks.* compute.httpHealthChecks.* compute.httpsHealthChecks.* compute. compute.networks.get compute.networks.list compute.networks.updatePolicy compute.networks.use compute. compute.regions.* compute.targetHttpProxies.* compute.targetHttpsProxies.* compute.targetTcpProxies.* compute.urlMaps.* container.clusters.get container.clusters.list container. dns.changes.* dns.dnsKeys.* dns.gkeClusters.* dns.managedZoneOperations.* dns.managedZones.create dns.managedZones.delete dns.managedZones.get dns.managedZones.getIamPolicy dns.managedZones.list dns.managedZones.update dns.networks.* dns.policies.create dns.policies.delete dns.policies.get dns.policies.getIamPolicy dns.policies.list dns.policies.update dns.projects.get dns.resourceRecordSets.* dns.responsePolicies.* dns.responsePolicyRules.* gkehub.features.get gkehub.locations.* gkehub.memberships.get gkehub.memberships.list resourcemanager.projects.get resourcemanager.projects.list |
Network Actions Service Agent( Gives Network Actions service account access to read required resources. |
artifactregistry. |
Network Connectivity Service Agent( Grants the Network Connectivity API authority to read some networking resources. It does not mutate these resources. |
compute.addresses.create compute. compute.addresses.delete compute. compute.addresses.get compute.addresses.use compute.forwardingRules.create compute.forwardingRules.delete compute.forwardingRules.get compute. compute. compute. compute. compute. compute.instances.get compute. compute.networks.get compute.networks.use compute.projects.get compute.regionOperations.get compute.routers.get compute.subnetworks.get compute. compute.subnetworks.list compute. compute.subnetworks.use compute.vpnTunnels.get dns.managedZones.create dns. networkconnectivity. servicedirectory. servicedirectory. servicedirectory. servicedirectory. servicedirectory. |
GCP Network Management Service Agent( Grants the GCP Network Management API the authority to complete analysis based on network configurations from Compute Engine and Container Engine. |
cloudsql.instances.get cloudsql.instances.list compute.addresses.get compute.addresses.list compute.backendServices.get compute.backendServices.list compute. compute. compute.firewalls.get compute.firewalls.list compute.forwardingRules.get compute.forwardingRules.list compute.globalAddresses.get compute.globalAddresses.list compute. compute. compute. compute. compute.healthChecks.get compute.healthChecks.list compute.httpHealthChecks.get compute.httpHealthChecks.list compute.httpsHealthChecks.get compute.httpsHealthChecks.list compute.instanceGroups.get compute.instanceGroups.list compute.instances.get compute.instances.list compute. compute. compute.networks.get compute. compute.networks.list compute. compute.packetMirrorings.get compute.packetMirrorings.list compute. compute. compute.regionHealthChecks.get compute. compute. compute. compute. compute. compute. compute. compute. compute. compute.regionUrlMaps.get compute.regionUrlMaps.list compute.routers.get compute.routers.list compute.routes.get compute.routes.list compute.subnetworks.get compute.subnetworks.list compute.targetGrpcProxies.get compute.targetGrpcProxies.list compute.targetHttpProxies.get compute.targetHttpProxies.list compute.targetHttpsProxies.get compute. compute.targetInstances.get compute.targetInstances.list compute.targetPools.get compute.targetPools.list compute.targetSslProxies.get compute.targetSslProxies.list compute.targetTcpProxies.get compute.targetTcpProxies.list compute.targetVpnGateways.get compute.targetVpnGateways.list compute.urlMaps.get compute.urlMaps.list compute.vpnGateways.get compute.vpnGateways.list compute.vpnTunnels.get compute.vpnTunnels.list container.clusters.get container.clusters.list container.nodes.get container.nodes.list |
AI Platform Notebooks Service Agent( Provide access for notebooks service agent to manage notebook instances in user projects |
aiplatform.customJobs.cancel aiplatform.customJobs.create aiplatform.customJobs.get aiplatform.customJobs.list compute.acceleratorTypes.* compute. compute. compute.addresses.get compute.addresses.list compute.addresses.use compute.addresses.useInternal compute.autoscalers.* compute.backendBuckets.get compute. compute.backendBuckets.list compute. compute. compute.backendServices.get compute. compute.backendServices.list compute. compute. compute.commitments.get compute.commitments.list compute.diskTypes.* compute.disks.* compute. compute. compute.firewallPolicies.get compute. compute.firewallPolicies.list compute. compute. compute.firewalls.get compute.firewalls.list compute. compute. compute.forwardingRules.get compute.forwardingRules.list compute. compute. compute.futureReservations.get compute. compute. compute.globalAddresses.get compute.globalAddresses.list compute.globalAddresses.use compute. compute. compute. compute. compute. compute. compute.globalOperations.get compute. compute.globalOperations.list compute. compute. compute.healthChecks.get compute.healthChecks.list compute. compute. compute.httpHealthChecks.get compute.httpHealthChecks.list compute. compute. compute.httpsHealthChecks.get compute.httpsHealthChecks.list compute. compute. compute.images.* compute. compute.instanceGroups.* compute.instanceSettings.* compute.instanceTemplates.* compute.instances.* compute.instantSnapshots.* compute. compute. compute. compute. compute.interconnects.get compute.interconnects.list compute.licenseCodes.* compute.licenses.* compute.machineImages.* compute.machineTypes.* compute. compute. compute. compute.networkAttachments.get compute. compute. compute. compute. compute. compute.networks.get compute. compute. compute.networks.list compute. compute. compute. compute.networks.use compute.networks.useExternalIp compute.nodeGroups.get compute. compute.nodeGroups.list compute.nodeTemplates.get compute. compute.nodeTemplates.list compute.nodeTypes.* compute. 
compute.packetMirrorings.get compute.packetMirrorings.list compute.projects.get compute. compute. compute. compute. compute. compute. compute. compute. compute. compute. compute. compute. compute. compute. compute. compute. compute. compute.regionHealthChecks.get compute. compute. compute. compute. compute. compute. compute.regionOperations.get compute. compute.regionOperations.list compute. compute. compute. compute. compute. compute. compute. compute. compute.regionSslPolicies.get compute.regionSslPolicies.list compute. compute. compute. compute. compute. compute. compute. compute. compute. compute. compute. compute.regionUrlMaps.get compute.regionUrlMaps.list compute. compute. compute.regionUrlMaps.validate compute.regions.* compute.reservations.get compute.reservations.list compute.resourcePolicies.* compute.routers.get compute.routers.getRoutePolicy compute.routers.list compute.routers.listBgpRoutes compute. compute.routes.get compute.routes.list compute. compute.routes.listTagBindings compute.securityPolicies.get compute. compute.securityPolicies.list compute. compute. compute.serviceAttachments.get compute. compute. compute.snapshotSettings.get compute.snapshots.* compute.sslCertificates.get compute.sslCertificates.list compute. compute. compute.sslPolicies.get compute.sslPolicies.list compute. compute. compute. compute.storagePools.get compute. compute.storagePools.list compute.storagePools.use compute.subnetworks.get compute. compute.subnetworks.list compute. compute. compute.subnetworks.use compute. compute.targetGrpcProxies.get compute.targetGrpcProxies.list compute.targetHttpProxies.get compute.targetHttpProxies.list compute. compute. compute.targetHttpsProxies.get compute. compute. compute. compute.targetInstances.get compute.targetInstances.list compute. compute. compute.targetPools.get compute.targetPools.list compute. compute. compute.targetSslProxies.get compute.targetSslProxies.list compute. compute. 
compute.targetTcpProxies.get compute.targetTcpProxies.list compute. compute. compute.targetVpnGateways.get compute.targetVpnGateways.list compute.urlMaps.get compute.urlMaps.list compute. compute. compute.urlMaps.validate compute.vpnGateways.get compute.vpnGateways.list compute.vpnTunnels.get compute.vpnTunnels.list compute.zoneOperations.get compute. compute.zoneOperations.list compute.zones.* dataproc.clusters.get dataproc.clusters.use dataproc.jobs.cancel dataproc.jobs.create dataproc.jobs.delete dataproc.jobs.get dataproc.jobs.list dataproc.jobs.update iam.serviceAccounts.actAs iam.serviceAccounts.get iam. iam.serviceAccounts.list ml.jobs.create ml.jobs.get ml.jobs.list notebooks.* resourcemanager.projects.get resourcemanager.projects.list serviceusage.quotas.get serviceusage.services.get serviceusage.services.list |
On-Demand Scanning Service Agent( Gives the On-Demand Scanning API the access it needs to function. |
artifactregistry. artifactregistry.files.* artifactregistry.locations.* artifactregistry. artifactregistry.npmpackages.* artifactregistry.packages.get artifactregistry.packages.list artifactregistry. artifactregistry. artifactregistry. artifactregistry. artifactregistry. artifactregistry. artifactregistry. artifactregistry. artifactregistry.tags.get artifactregistry.tags.list artifactregistry.versions.get artifactregistry.versions.list resourcemanager.projects.get resourcemanager.projects.list storage.objects.get storage.objects.list |
Cloud OS Config Service Agent( Grants OS Config Service Account access to Google Compute Engine instances. |
compute.instances.get compute. compute.instances.list compute.instances.setMetadata compute.zones.* containeranalysis. containeranalysis.notes.create containeranalysis.notes.delete containeranalysis.notes.get containeranalysis.notes.list containeranalysis.notes.update containeranalysis. containeranalysis. containeranalysis. containeranalysis. containeranalysis. iam.serviceAccounts.actAs resourcemanager.projects.get resourcemanager.projects.list |
Parallelstore Service Agent( Gives the Parallelstore service agent ability to access customer resources. |
resourcemanager.projects.get resourcemanager.projects.list |
Privileged Access Manager Folder Service Agent( Gives privileged access manager service account access to modify IAM policies on GCP folders |
resourcemanager.folders.get resourcemanager. resourcemanager. |
Privileged Access Manager Organization Service Agent( Gives privileged access manager service account access to modify IAM policies on GCP organizations |
resourcemanager. |
Privileged Access Manager Project Service Agent( Gives privileged access manager service account access to modify IAM policies on GCP projects |
resourcemanager.projects.get resourcemanager. resourcemanager. |
Privileged Access Manager Service Agent Alpha( Gives privileged access manager service account access to modify IAM policies on GCP resources |
resourcemanager.folders.get resourcemanager. resourcemanager. resourcemanager. resourcemanager.projects.get resourcemanager. resourcemanager. |
Cloud Pub/Sub Service Agent( Grants Cloud Pub/Sub Service Account access to manage resources. |
iam.serviceAccounts.get iam. iam. iam. iam.serviceAccounts.list iam.serviceAccounts.signBlob iam.serviceAccounts.signJwt resourcemanager.projects.get resourcemanager.projects.list |
Pub/Sub Lite Service Agent( Grants Pub/Sub Lite Service Agent access to project resources. |
pubsub.topics.publish pubsublite.subscriptions.get pubsublite. pubsublite. pubsublite. pubsublite. pubsublite. pubsublite.topics.publish pubsublite.topics.subscribe |
RMA Service Agent( Gives RMA service account access to MC resources. |
autoscaling.sites.writeMetrics cloudasset. cloudasset.feeds.create logging.logEntries.create migrationcenter.assets.list migrationcenter. migrationcenter.importJobs.get migrationcenter. migrationcenter.sources.* monitoring. monitoring. monitoring.timeSeries.create resourcemanager.projects.get |
Cloud Memorystore Redis Service Agent( Gives Cloud Memorystore Redis service account access to managed resource |
compute.globalOperations.get compute.networks.addPeering compute.networks.get compute.networks.removePeering compute.networks.update compute.projects.get compute.routes.get compute.routes.list compute.subnetworks.get compute.subnetworks.list monitoring. monitoring. monitoring. monitoring. monitoring.timeSeries.create resourcemanager.projects.get resourcemanager.projects.list |
Remote Build Execution Service Agent( Gives Remote Build Execution service account access to managed resources. |
remotebuildexecution. remotebuildexecution.blobs.* remotebuildexecution. remotebuildexecution. remotebuildexecution. |
Retail Service Agent( Retail service uploads product feeds and user events from Cloud Storage and BigQuery, reports results to the customer Cloud Storage bucket, writes logs to customer projects, and writes and reads Google Cloud Observability metrics for customer projects. |
bigquery.datasets.create bigquery.datasets.get bigquery.jobs.create bigquery.jobs.get bigquery.jobs.list bigquery.jobs.update bigquery.tables.create bigquery.tables.export bigquery.tables.get bigquery.tables.getData bigquery.tables.list bigquery.tables.update bigquery.tables.updateData cloudnotifications. dataflow.jobs.* dataflow.messages.list dataflow.metrics.get logging.logEntries.create logging.logEntries.route monitoring.alertPolicies.get monitoring.alertPolicies.list monitoring.dashboards.get monitoring.dashboards.list monitoring.groups.get monitoring.groups.list monitoring. monitoring. monitoring. monitoring. monitoring. monitoring. monitoring. monitoring.publicWidgets.get monitoring.publicWidgets.list monitoring.services.get monitoring.services.list monitoring.slos.get monitoring.slos.list monitoring.snoozes.get monitoring.snoozes.list monitoring.timeSeries.* monitoring. monitoring. opsconfigmonitoring. resourcemanager.projects.get resourcemanager.projects.list stackdriver.projects.get stackdriver. storage.buckets.create storage.buckets.get storage.objects.create storage.objects.delete storage.objects.get storage.objects.list storage.objects.update |
Risk Manager Service Agent( Service agent that grants Risk Manager service access to fetch findings for generating Reports |
cloudasset.assets.* recommender. recommender. recommender.locations.* resourcemanager.folders.get resourcemanager.folders.list resourcemanager. resourcemanager.projects.get resourcemanager.projects.list securitycenter.assets.group securitycenter.assets.list securitycenter. securitycenter. securitycenter. securitycenter. securitycenter. securitycenter. securitycenter. securitycenter. securitycenter. securitycenter. securitycenter.findings.group securitycenter.findings.list securitycenter. securitycenter. securitycenter. securitycenter.muteconfigs.get securitycenter. securitycenter. securitycenter. securitycenter. securitycenter. securitycenter. securitycenter. securitycenter. securitycenter. securitycenter. securitycenter. securitycenter.sources.get securitycenter.sources.list securitycenter. securitycenter. securitycenter. securitycenter. securitycenter. securitycenter. securitycentermanagement. securitycentermanagement. securitycentermanagement. securitycentermanagement. securitycentermanagement. securitycentermanagement. securitycentermanagement. securitycentermanagement. securitycentermanagement. securitycentermanagement. |
Route Optimization Service Agent( Grants Route Optimization Service Account access to read and write GCS objects in the host project. |
storage.buckets.get storage.objects.create storage.objects.get storage.objects.list storage.objects.update |
Cloud Run Service Agent( Gives Cloud Run service account access to managed resources. |
artifactregistry. artifactregistry.files.* artifactregistry.locations.* artifactregistry. artifactregistry.npmpackages.* artifactregistry.packages.get artifactregistry.packages.list artifactregistry. artifactregistry. artifactregistry. artifactregistry. artifactregistry. artifactregistry. artifactregistry. artifactregistry. artifactregistry. artifactregistry.tags.get artifactregistry.tags.list artifactregistry.versions.get artifactregistry.versions.list binaryauthorization. binaryauthorization. clientauthconfig.clients.list cloudbuild.builds.create cloudbuild.builds.get compute. compute. compute.addresses.get compute.addresses.list compute.globalOperations.get compute.networks.access compute.networks.get compute.subnetworks.get compute.subnetworks.use iam.serviceAccounts.actAs iam. iam. iam.serviceAccounts.signBlob resourcemanager.projects.get resourcemanager. resourcemanager.projects.list run.routes.invoke serviceusage.services.use storage.managedFolders.get storage.managedFolders.list storage.objects.get storage.objects.list vpcaccess.connectors.get vpcaccess.connectors.use |
Serverless Integrations Service Agent( Gives Serverless Integrations Service Account access to customer project resources. |
cloudbuild.builds.create cloudbuild.builds.get cloudsql.databases.get cloudsql.instances.get cloudsql.users.get compute.backendServices.get compute.backendServices.list compute.globalAddresses.get compute.globalAddresses.list compute. compute. compute.networks.get compute.networks.list compute. compute. compute.sslCertificates.get compute.sslCertificates.list compute.targetHttpProxies.get compute.targetHttpProxies.list compute.targetHttpsProxies.get compute. compute.urlMaps.get compute.urlMaps.list firebasehosting.sites.get iam.serviceAccounts.actAs redis.instances.get redis.instances.list run.jobs.get run.jobs.list run.services.get run.services.list serviceusage.services.use storage.buckets.create storage.buckets.delete storage.buckets.get storage.objects.create storage.objects.delete storage.objects.get storage.objects.list vpcaccess.connectors.get vpcaccess.connectors.list |
Secured Landing Zone Service Agent( Grants Secured Landing Zone service account permissions to manage resources in the customer project |
cloudasset. cloudasset. cloudasset.feeds.create cloudasset.feeds.delete cloudasset.feeds.update logging.logEntries.list pubsub.subscriptions.consume pubsub.subscriptions.create pubsub.subscriptions.delete pubsub. pubsub.topics.create pubsub.topics.delete pubsub. pubsub.topics.getIamPolicy pubsub.topics.setIamPolicy resourcemanager.projects.get securitycenter. securitycenter.findings.list securitycenter.findings.update securitycenter.sources.list securitycenter.sources.update serviceusage.services.use |
Attack Surface Management Scanner Service Agent( Gives Mandiant Attack Surface Management the ability to scan Cloud Platform resources. |
apigateway.apiconfigs.get cloudasset.assets.listResource dns.managedZones.list dns.resourceRecordSets.list resourcemanager.projects.get |
Security Center Automation Service Agent( Security Center automation service agent can configure GCP resources to enable security scanning. |
cloudasset.feeds.* resourcemanager.folders.get resourcemanager.folders.list resourcemanager. resourcemanager.projects.get resourcemanager. resourcemanager.projects.list serviceusage.services.enable serviceusage.services.get |
Security Center Control Service Agent( Security Center Control service agent can monitor and configure GCP resources and import security findings. |
bigquery.datasets.get binaryauthorization.policy.get cloudasset.assets.* cloudasset.feeds.* cloudsql.instances.connect cloudsql.users.list compute.disks.useReadOnly compute.globalOperations.get compute.instances.get compute.instances.list compute. compute.projects.get container.clusters.get iam.denypolicies.get iam.denypolicies.list iam.googleapis. iam.googleapis. logging.logEntries.list monitoring.alertPolicies.list monitoring.timeSeries.list orgpolicy.policies.list orgpolicy.policy.get recommender. recommender. recommender.locations.* resourcemanager.folders.get resourcemanager.folders.list resourcemanager. resourcemanager.projects.get resourcemanager. resourcemanager.projects.list resourcemanager.tagValues.get securitycenter.assets.list securitycenter. securitycenter.findings.list securitycenter. securitycenter. securitycenter. securitycenter. securitycenter. securitycenter. securitycenter.sources.list securitycentermanagement. securitycentermanagement. securitycentermanagement. securitycentermanagement. securitycentermanagement. securitycentermanagement. securitycentermanagement. serviceusage.operations.* serviceusage.quotas.get serviceusage.services.disable serviceusage.services.enable serviceusage.services.get serviceusage.services.list stackdriver.projects.get storage.buckets.get storage.buckets.getIamPolicy storage.buckets.list |
Security Center Integration Executor Service Agent( Gives Security Center access to execute Integrations. |
integrations. integrations. integrations. |
Security Center Notification Service Agent( Security Center service agent can publish notifications to Pub/Sub topics. |
pubsub.topics.publish |
Security Health Analytics Service Agent( Security Health Analytics service agent can scan GCP resource metadata to find security vulnerabilities. |
bigquery.datasets.get binaryauthorization.policy.get cloudasset.assets.* cloudasset.feeds.* cloudsql.instances.connect cloudsql.users.list compute.globalOperations.get compute.instances.get compute.instances.list compute. compute.projects.get container.clusters.get monitoring.alertPolicies.list orgpolicy.policy.get recommender. recommender. recommender.locations.* resourcemanager.projects.get resourcemanager.projects.list securitycenter. serviceusage.quotas.get serviceusage.services.get serviceusage.services.list stackdriver.projects.get |
Google Cloud Security Response Service Agent( Gives Playbook Runner permissions to execute all Google authored Playbooks. This role will keep evolving as we add more playbooks |
compute. compute.instances.get compute.instances.setMetadata iam.serviceAccounts.actAs pubsub.topics.publish securitycenter.findings.list storage.buckets.get storage.buckets.update |
Security Center Service Agent( Security Center service agent can scan GCP resources and import security scans. |
bigquery.datasets.get binaryauthorization.policy.get cloudasset.assets.* cloudasset.feeds.* cloudsql.instances.connect cloudsql.users.list compute.disks.useReadOnly compute.globalOperations.get compute.instances.get compute.instances.list compute. compute.projects.get container.clusters.get iam.denypolicies.get iam.denypolicies.list iam.googleapis. iam.googleapis. logging.logEntries.list monitoring.alertPolicies.list monitoring.timeSeries.list orgpolicy.policies.list orgpolicy.policy.get recommender. recommender. recommender.locations.* resourcemanager.folders.get resourcemanager.folders.list resourcemanager. resourcemanager.projects.get resourcemanager. resourcemanager.projects.list resourcemanager.tagValues.get securitycenter.assets.list securitycenter. securitycenter.findings.list securitycenter. securitycenter. securitycenter. securitycenter. securitycenter. securitycenter. securitycenter.sources.list securitycentermanagement. securitycentermanagement. securitycentermanagement. securitycentermanagement. securitycentermanagement. securitycentermanagement. securitycentermanagement. serviceusage.operations.* serviceusage.quotas.get serviceusage.services.disable serviceusage.services.enable serviceusage.services.get serviceusage.services.list stackdriver.projects.get storage.buckets.get storage.buckets.getIamPolicy storage.buckets.list |
Service Directory Service Agent( Give the Service Directory service agent access to Cloud Platform resources. |
container.clusters.get gkehub.features.get gkehub.locations.* gkehub.memberships.get gkehub.memberships.list resourcemanager.projects.get resourcemanager.projects.list servicedirectory. servicedirectory. servicedirectory.endpoints.get servicedirectory. servicedirectory. servicedirectory. servicedirectory.locations.* servicedirectory. servicedirectory. servicedirectory. servicedirectory. servicedirectory. servicedirectory. servicedirectory. servicedirectory. servicedirectory.services.bind servicedirectory. servicedirectory. servicedirectory.services.get servicedirectory. servicedirectory.services.list servicedirectory. servicedirectory. |
Service Networking Service Agent( Gives permission to manage network configuration, such as establishing network peering, necessary for service producers |
compute.globalAddresses.get compute.globalAddresses.list compute.globalOperations.get compute.networks.addPeering compute.networks.create compute.networks.delete compute.networks.get compute.networks.list compute. compute.networks.removePeering compute.networks.update compute.networks.updatePeering compute.networks.updatePolicy compute.projects.get compute.regionOperations.get compute.routers.get compute.routers.list compute.routes.list compute.subnetworks.create compute.subnetworks.delete compute.subnetworks.get compute.subnetworks.list dns.changes.* dns.dnsKeys.* dns.gkeClusters.* dns.managedZoneOperations.* dns.managedZones.create dns.managedZones.delete dns.managedZones.get dns.managedZones.getIamPolicy dns.managedZones.list dns.managedZones.update dns.networks.* dns.policies.create dns.policies.delete dns.policies.get dns.policies.getIamPolicy dns.policies.list dns.policies.update dns.projects.get dns.resourceRecordSets.* dns.responsePolicies.* dns.responsePolicyRules.* resourcemanager.projects.get resourcemanager.projects.list |
Cloud Source Repositories Service Agent( Allow Cloud Source Repositories to integrate with other Cloud services. |
iam. pubsub.topics.publish |
Cloud Spanner API Service Agent( Cloud Spanner API Service Agent |
aiplatform.endpoints.get aiplatform.endpoints.list aiplatform.endpoints.predict aiplatform.models.get aiplatform.models.list |
Cloud Speech-to-Text Service Agent( Gives Speech-to-Text service account access to Cloud Storage resources. |
storage.buckets.get storage.buckets.list storage.objects.create storage.objects.get storage.objects.list storage.objects.update |
StorageInsights Service Agent( Permissions for Insights to write reports into customer project |
bigquery.datasets.create serviceusage.services.use storageinsights. |
Storage Transfer Service Agent( Grants Storage Transfer Service Agent permissions required to run transfers |
pubsub.subscriptions.consume pubsub.subscriptions.create pubsub.subscriptions.delete pubsub.subscriptions.get pubsub.subscriptions.update pubsub. pubsub.topics.create pubsub.topics.delete pubsub.topics.get pubsub.topics.publish pubsub.topics.update |
Stream Service Agent( Gives Immersive Stream for XR access to the required resources. |
resourcemanager.projects.get resourcemanager.projects.list storage.buckets.create storage.buckets.get storage.objects.create storage.objects.get storage.objects.list |
Cloud TPU API Service Agent( Gives the Cloud TPU service account access to managed resources |
compute.globalOperations.get compute.networks.addPeering compute.networks.get compute.networks.removePeering compute.networks.update compute.routes.get compute.routes.list compute.subnetworks.get compute.subnetworks.list compute.zones.* monitoring. monitoring. monitoring. monitoring. monitoring.timeSeries.create resourcemanager.projects.get resourcemanager.projects.list |
Transcoder Service Agent( Downloads and uploads media files from and to customer Cloud Storage buckets. Publishes status updates to customer Pub/Sub. |
pubsub.topics.publish storage.objects.create storage.objects.delete storage.objects.get transcoder.jobs.delete |
Cloud Vision AI Service Agent( Grants the Cloud Vision AI service account permissions to manage resources in the consumer project |
aiplatform.models.export aiplatform.models.get bigquery.datasets.create bigquery.datasets.get bigquery.jobs.create bigquery.jobs.get bigquery.models.export bigquery.readsessions.create bigquery.tables.create bigquery.tables.export bigquery.tables.get bigquery.tables.getData bigquery.tables.update bigquery.tables.updateData bigtable.tables.get bigtable.tables.list bigtable.tables.readRows cloudfunctions.functions.get cloudfunctions. cloudfunctions.functions.list compute.machineTypes.get logging.logEntries.create monitoring. monitoring. monitoring. monitoring. monitoring.timeSeries.create pubsub.subscriptions.consume pubsub.subscriptions.create pubsub.subscriptions.delete pubsub.subscriptions.get pubsub.subscriptions.list pubsub.subscriptions.update pubsub. pubsub.topics.create pubsub.topics.delete pubsub.topics.get pubsub.topics.list pubsub.topics.publish pubsub.topics.update run.jobs.run run.routes.invoke serviceusage.services.use storage.buckets.create storage.buckets.delete storage.buckets.get storage.buckets.list storage.objects.create storage.objects.delete storage.objects.get storage.objects.list storage.objects.update visionai.analyses.create visionai.analyses.delete visionai.analyses.get visionai.analyses.list visionai.analyses.update visionai.annotations.* visionai.applications.* visionai.assets.* visionai.clusters.create visionai.clusters.delete visionai.clusters.get visionai.clusters.list visionai.clusters.update visionai.clusters.watch visionai.corpora.* visionai.dataSchemas.* visionai.drafts.* visionai.events.create visionai.events.delete visionai.events.get visionai.events.list visionai.events.update visionai.indexEndpoints.* visionai.indexes.* visionai.instances.* visionai.operations.get visionai.operations.list visionai.operators.create visionai.operators.delete visionai.operators.get visionai.operators.list visionai.operators.update visionai.processors.create visionai.processors.delete visionai.processors.get visionai.processors.list 
visionai.processors.update visionai.searchConfigs.* visionai.series.acquireLease visionai.series.create visionai.series.delete visionai.series.get visionai.series.list visionai.series.receive visionai.series.releaseLease visionai.series.renewLease visionai.series.send visionai.series.update visionai.streams.create visionai.streams.delete visionai.streams.get visionai.streams.list visionai.streams.receive visionai.streams.send visionai.streams.update visionai.uistreams.* |
Visual Inspection AI Service Agent( Grants the Visual Inspection AI Service Agent admin roles for accessing and exporting training data, pushing container artifacts to GCR and Artifact Registry, and using Vertex AI for storing data and running training jobs. |
aiplatform.* artifactregistry. artifactregistry. artifactregistry.files.* artifactregistry. artifactregistry.locations.* artifactregistry. artifactregistry.npmpackages.* artifactregistry.packages.* artifactregistry. artifactregistry. artifactregistry. artifactregistry. artifactregistry. artifactregistry. artifactregistry. artifactregistry. artifactregistry. artifactregistry. artifactregistry. artifactregistry. artifactregistry. artifactregistry. artifactregistry. artifactregistry. artifactregistry. artifactregistry.tags.* artifactregistry.versions.* artifactregistry. firebase.projects.get orgpolicy.policy.get recommender. recommender. resourcemanager.projects.get resourcemanager.projects.list storage.anywhereCaches.* storage.bucketOperations.* storage.buckets.* storage.managedFolders.* storage.multipartUploads.* storage.objects.* |
VM Migration Service Agent( Grants VM Migration Service Account access to create migrated VMs, disks and images in the user project. |
compute.addresses.get compute.addresses.list compute.addresses.use compute.addresses.useInternal compute.disks.create compute.disks.delete compute.disks.get compute.disks.setLabels compute.disks.use compute.disks.useReadOnly compute.globalOperations.get compute.globalOperations.list compute.images.create compute.images.get compute.images.setLabels compute.images.useReadOnly compute.instances.create compute.instances.delete compute.instances.get compute.instances.setLabels compute.instances.setMetadata compute. compute.instances.setTags compute.subnetworks.use compute. compute.zoneOperations.get compute.zoneOperations.list |
VMware Engine Service Agent( Gives permission to manage network configuration, such as establishing network peering, necessary for GCVE |
compute.globalAddresses.get compute.globalAddresses.list compute.globalOperations.get compute.networks.addPeering compute.networks.get compute.networks.list compute. compute.networks.removePeering compute.networks.update compute.networks.updatePeering compute.networks.updatePolicy compute.projects.get compute.regionOperations.get compute.routers.get compute.routers.list compute.routes.list compute.subnetworks.get compute.subnetworks.list dns.changes.* dns.dnsKeys.* dns.gkeClusters.* dns.managedZoneOperations.* dns.managedZones.create dns.managedZones.delete dns.managedZones.get dns.managedZones.getIamPolicy dns.managedZones.list dns.managedZones.update dns.networks.* dns.policies.create dns.policies.delete dns.policies.get dns.policies.getIamPolicy dns.policies.list dns.policies.update dns.projects.get dns.resourceRecordSets.* dns.responsePolicies.* dns.responsePolicyRules.* resourcemanager.projects.get resourcemanager.projects.list vmwareengine. vmwareengine. vmwareengine.nodes.* |
Serverless VPC Access Service Agent( Can create and manage resources that let serverless applications connect to a virtual private cloud. |
billing.accounts.get compute.autoscalers.* compute.disks.create compute.firewalls.create compute.firewalls.delete compute.firewalls.get compute.firewalls.list compute.firewalls.update compute.healthChecks.create compute.healthChecks.delete compute.healthChecks.get compute.healthChecks.list compute.healthChecks.update compute.healthChecks.use compute. compute. compute. compute.httpHealthChecks.get compute.httpHealthChecks.list compute.httpHealthChecks.use compute. compute. compute. compute.httpsHealthChecks.get compute. compute.httpsHealthChecks.use compute. compute.images.get compute.images.useReadOnly compute. compute. compute. compute. compute. compute.instanceGroups.create compute.instanceGroups.delete compute.instanceGroups.get compute.instanceGroups.update compute. compute. compute.instanceTemplates.get compute. compute.instances.create compute.instances.delete compute.instances.get compute. compute.instances.list compute.instances.reset compute.instances.setLabels compute.instances.setMetadata compute.instances.setTags compute.instances.start compute.instances.stop compute.instances.use compute.machineTypes.get compute.networks.get compute.networks.use compute.projects.get compute. compute.regionOperations.get compute.regionOperations.list compute.regions.* compute.subnetworks.create compute.subnetworks.delete compute.subnetworks.get compute.subnetworks.list compute.subnetworks.use compute.zoneOperations.get compute.zoneOperations.list compute.zones.* deploymentmanager. deploymentmanager. deploymentmanager. deploymentmanager. deploymentmanager. deploymentmanager. deploymentmanager.manifests.* deploymentmanager.operations.* deploymentmanager. deploymentmanager. logging.logEntries.create logging.logMetrics.create logging.logMetrics.delete logging.logMetrics.get logging.logMetrics.update resourcemanager.projects.get |
Cloud Web Security Scanner Service Agent( Gives the Cloud Web Security Scanner service account access to compute engine details and app engine details. |
appengine.applications.get cloudasset.assets.listResource compute.addresses.list compute.backendServices.get compute.forwardingRules.get compute. compute.sslCertificates.list compute.targetHttpProxies.get compute.targetHttpsProxies.get compute.urlMaps.get |
Cloud Workflows Service Agent( Gives Cloud Workflows service account access to managed resources. |
iam.serviceAccounts.get iam. iam. serviceusage.services.use |
Workload Certificate Service Agent( Gives the Workload Certificate service agent access to Cloud Platform resources. |
container. container. container.clusters.get container.clusters.update container. container. container. container.operations.get container. gkehub.features.get gkehub.fleet.create gkehub.fleet.get gkehub.locations.* gkehub.memberships.get gkehub.memberships.list gkehub.operations.get serviceconsumermanagement. serviceconsumermanagement. serviceconsumermanagement. serviceconsumermanagement. serviceusage.services.use workloadcertificate. workloadcertificate. |
Workload Manager Service Agent( Gives Workload Manager Service Agent access to CAI export functions and Cloud Monitoring. |
cloudasset. cloudasset. cloudasset. cloudasset. cloudasset. cloudasset. config.deployments.create config.deployments.delete config.deployments.get config.deployments.list config.deployments.update config.locations.* config.operations.* config.resources.list config.revisions.get config.revisions.list monitoring. monitoring. monitoring. monitoring.timeSeries.list workloadmanager. |
Workstations Service Agent( Grants the Workstations Service Account access to manage resources in the consumer project. |
compute.addresses.create compute. compute.addresses.delete compute. compute.addresses.get compute.addresses.use compute.disks.create compute.disks.createSnapshot compute.disks.createTagBinding compute.disks.delete compute.disks.deleteTagBinding compute.disks.get compute.disks.list compute.disks.setLabels compute.disks.use compute.disks.useReadOnly compute.firewalls.create compute.firewalls.delete compute.firewalls.get compute.firewalls.update compute.forwardingRules.create compute.forwardingRules.delete compute.forwardingRules.get compute. compute. compute.globalOperations.get compute.instances.attachDisk compute.instances.create compute. compute.instances.delete compute. compute.instances.detachDisk compute.instances.get compute. compute.instances.setLabels compute.instances.setMetadata compute. compute.instances.setTags compute.networks.addPeering compute.networks.get compute.networks.removePeering compute.networks.updatePolicy compute.networks.use compute.networks.useExternalIp compute.regionOperations.get compute.regions.get compute.snapshots.create compute.snapshots.delete compute.snapshots.get compute.snapshots.setLabels compute.snapshots.useReadOnly compute.subnetworks.get compute.subnetworks.use compute. compute.zoneOperations.get dns. dns. iam.serviceAccounts.actAs iam.serviceAccounts.get iam.serviceAccounts.list resourcemanager. servicedirectory. servicedirectory. servicedirectory. servicedirectory. |
Service Consumer Management roles |
Permissions |
Admin of Tenancy Units Beta( Administrate tenancy units |
serviceconsumermanagement. |
Viewer of Tenancy Units Beta( View tenancy units |
serviceconsumermanagement. |
Service Directory roles |
Permissions |
Service Directory Admin( Full control of all Service Directory resources and permissions. |
resourcemanager.projects.get resourcemanager.projects.list servicedirectory.endpoints.* servicedirectory.locations.* servicedirectory.namespaces.* servicedirectory. servicedirectory.services.* |
Service Directory Editor( Edit Service Directory resources. |
resourcemanager.projects.get resourcemanager.projects.list servicedirectory. servicedirectory. servicedirectory.endpoints.get servicedirectory. servicedirectory. servicedirectory. servicedirectory.locations.* servicedirectory. servicedirectory. servicedirectory. servicedirectory. servicedirectory. servicedirectory. servicedirectory. servicedirectory. servicedirectory.services.bind servicedirectory. servicedirectory. servicedirectory.services.get servicedirectory. servicedirectory.services.list servicedirectory. servicedirectory. |
Service Directory Network Attacher( Gives access to attach VPC Networks to Service Directory Endpoints |
resourcemanager.projects.get resourcemanager.projects.list servicedirectory. |
Private Service Connect Authorized Service( Gives access to VPC Networks via Service Directory |
resourcemanager.projects.get resourcemanager.projects.list servicedirectory. |
Service Directory Viewer( View Service Directory resources. |
resourcemanager.projects.get resourcemanager.projects.list servicedirectory.endpoints.get servicedirectory. servicedirectory. servicedirectory.locations.* servicedirectory. servicedirectory. servicedirectory. servicedirectory.services.get servicedirectory. servicedirectory.services.list servicedirectory. |
Service Management roles |
Permissions |
Cloud Run Service Agent( Gives Cloud Run service account access to managed resources. |
artifactregistry. artifactregistry.files.* artifactregistry.locations.* artifactregistry. artifactregistry.npmpackages.* artifactregistry.packages.get artifactregistry.packages.list artifactregistry. artifactregistry. artifactregistry. artifactregistry. artifactregistry. artifactregistry. artifactregistry. artifactregistry. artifactregistry.tags.get artifactregistry.tags.list artifactregistry.versions.get artifactregistry.versions.list binaryauthorization. binaryauthorization. clientauthconfig.clients.list cloudbuild.builds.create cloudbuild.builds.get compute. compute. compute.addresses.get compute.addresses.list compute.globalOperations.get compute.networks.access compute.networks.get compute.subnetworks.get compute.subnetworks.use iam.serviceAccounts.actAs iam. iam. iam.serviceAccounts.signBlob pubsub.subscriptions.create pubsub.subscriptions.delete pubsub.subscriptions.get pubsub.subscriptions.list pubsub. pubsub.topics.create pubsub.topics.delete pubsub.topics.get pubsub.topics.list pubsub.topics.publish resourcemanager.projects.get resourcemanager. resourcemanager.projects.list run.routes.invoke serviceusage.services.use storage.managedFolders.get storage.managedFolders.list storage.objects.get storage.objects.list vpcaccess.connectors.get vpcaccess.connectors.use |
Service Management Administrator( Full control of Google Service Management resources. |
monitoring.timeSeries.list resourcemanager.folders.get resourcemanager.folders.list resourcemanager. resourcemanager.projects.get resourcemanager.projects.list serviceconsumermanagement.* servicemanagement.* serviceusage.quotas.get serviceusage.services.get |
Service Config Editor( Access to update the service config and create rollouts. |
servicemanagement.services.get servicemanagement. |
Quota Administrator Beta( Provides access to administer service quotas. Lowest-level resources where you can grant this role:
|
cloudquotas.* monitoring.alertPolicies.* monitoring.timeSeries.list resourcemanager. resourcemanager.projects.get resourcemanager.projects.list serviceusage.quotas.* serviceusage.services.disable serviceusage.services.enable serviceusage.services.get serviceusage.services.list |
Quota Viewer Beta( Provides access to view service quotas. Lowest-level resources where you can grant this role:
|
cloudquotas.quotas.get monitoring.timeSeries.list serviceusage.quotas.get serviceusage.services.get serviceusage.services.list |
Service Reporter( Can report usage of a service during runtime. |
servicemanagement. |
Service Consumer( Can enable the service. |
servicemanagement. |
Service Controller( Can check preconditions and report usage of a service during runtime. Lowest-level resources where you can grant this role:
|
servicemanagement. servicemanagement.services.get servicemanagement. servicemanagement. |
Service Networking roles |
Permissions |
Service Networking Admin Beta( Full control of service networking with projects. |
servicenetworking.* |
Service Usage roles |
Permissions |
API Keys Admin( Ability to create, delete, update, get and list API keys for a project. |
apikeys.* serviceusage.apiKeys.* serviceusage.operations.get |
API Keys Viewer( Ability to get and list API keys for a project. |
apikeys.keys.get apikeys.keys.getKeyString apikeys.keys.list apikeys.keys.lookup |
Service Usage Admin( Ability to enable, disable, and inspect service states, inspect operations, and consume quota and billing for a consumer project. |
monitoring.timeSeries.list serviceusage.operations.* serviceusage.quotas.* serviceusage.services.* |
Service Usage Consumer( Ability to inspect service states and operations, and consume quota and billing for a consumer project. |
monitoring.timeSeries.list serviceusage.operations.get serviceusage.operations.list serviceusage.quotas.get serviceusage.services.get serviceusage.services.list serviceusage.services.use |
Service Usage Viewer( Ability to inspect service states and operations for a consumer project. |
monitoring.timeSeries.list serviceusage.operations.get serviceusage.operations.list serviceusage.quotas.get serviceusage.services.get serviceusage.services.list |
Source roles |
Permissions |
Source Repository Administrator( Provides permissions to create, update, delete, list, clone, fetch, and browse repositories. Also provides permissions to read and change IAM policies. Lowest-level resources where you can grant this role:
|
source.* |
Source Repository Reader( Provides permissions to list, clone, fetch, and browse repositories. Lowest-level resources where you can grant this role:
|
source.repos.get source.repos.list |
Source Repository Writer( Provides permissions to list, clone, fetch, browse, and update repositories. Lowest-level resources where you can grant this role:
|
source.repos.get source.repos.list source.repos.update |
Stackdriver roles |
Permissions |
Stackdriver Accounts Editor( Read/write access to manage Stackdriver account structure. |
resourcemanager.projects.get resourcemanager.projects.list serviceusage.services.enable serviceusage.services.get stackdriver.projects.* |
Stackdriver Accounts Viewer( Read-only access to get and list information about Stackdriver account structure. |
resourcemanager.projects.get resourcemanager.projects.list stackdriver.projects.get |
Stackdriver Resource Metadata Writer Beta( Write-only access to resource metadata. This provides exactly the permissions needed by the Stackdriver metadata agent and other systems that send metadata. |
stackdriver. |
Stream roles |
Permissions |
Stream Admin( Full access to all Stream resources. |
resourcemanager.projects.get resourcemanager.projects.list stream.* |
Stream Content Admin( Full access to all StreamContent resources. |
resourcemanager.projects.get resourcemanager.projects.list stream.streamContents.* |
Stream Content Builder( Read and build access to StreamContent resources. |
resourcemanager.projects.get resourcemanager.projects.list stream.streamContents.build stream.streamContents.get stream.streamContents.list |
Stream Instance Admin( Full access to all StreamInstance resources and Read access to all StreamContent resources. |
resourcemanager.projects.get resourcemanager.projects.list stream.streamContents.get stream.streamContents.list stream.streamInstances.* |
Stream Viewer( Read-only access to all Stream resources. |
resourcemanager.projects.get resourcemanager.projects.list stream.locations.* stream.operations.get stream.operations.list stream.streamContents.get stream.streamContents.list stream.streamInstances.get stream.streamInstances.list |
Support roles |
Permissions |
Support Account Administrator( Allows management of a support account without giving access to support cases. See the Cloud Support documentation for more information. Lowest-level resources where you can grant this role:
|
cloudsupport.accounts.* cloudsupport.operations.get cloudsupport.properties.get resourcemanager. |
Tech Support Editor( Full read-write access to technical support cases (applicable for GCP Customer Care and Maps support). See the Cloud Support documentation for more information. |
cloudasset. cloudsupport.properties.get cloudsupport.techCases.* resourcemanager.projects.get resourcemanager.projects.list |
Tech Support Viewer( Read-only access to technical support cases (applicable for GCP Customer Care and Maps support). See the Cloud Support documentation for more information. |
cloudsupport.properties.get cloudsupport.techCases.get cloudsupport.techCases.list resourcemanager.projects.get resourcemanager.projects.list |
Support Account Viewer( Read-only access to details of a support account. This does not allow viewing cases. See the Cloud Support documentation for more information. Lowest-level resources where you can grant this role:
|
cloudsupport.accounts.get cloudsupport. cloudsupport.accounts.list cloudsupport.properties.get |
Third-party Partner roles |
Permissions |
Dell EMC Cloud OneFS Admin Beta( This role is managed by Dell EMC, not Google. |
cloudonefs.isiloncloud.com/* resourcemanager.projects.get resourcemanager.projects.list |
Dell EMC Cloud OneFS User Beta( This role is managed by Dell EMC, not Google. |
cloudonefs.isiloncloud. cloudonefs.isiloncloud. cloudonefs.isiloncloud. cloudonefs.isiloncloud. cloudonefs.isiloncloud. cloudonefs.isiloncloud. resourcemanager.projects.get resourcemanager.projects.list |
Dell EMC Cloud OneFS Viewer Beta( This role is managed by Dell EMC, not Google. |
cloudonefs.isiloncloud. cloudonefs.isiloncloud. cloudonefs.isiloncloud. cloudonefs.isiloncloud. resourcemanager.projects.get resourcemanager.projects.list |
NetApp Cloud Volumes Admin Beta( This role is managed by NetApp, not Google. |
cloudvolumesgcp-api. resourcemanager.projects.get resourcemanager.projects.list |
NetApp Cloud Volumes Viewer Beta( This role is managed by NetApp, not Google. |
cloudvolumesgcp-api.netapp. cloudvolumesgcp-api.netapp. cloudvolumesgcp-api.netapp. cloudvolumesgcp-api.netapp. cloudvolumesgcp-api.netapp. cloudvolumesgcp-api.netapp. cloudvolumesgcp-api.netapp. cloudvolumesgcp-api.netapp. cloudvolumesgcp-api.netapp. cloudvolumesgcp-api.netapp. resourcemanager.projects.get resourcemanager.projects.list |
Redis Enterprise Cloud Admin Beta( This role is managed by Redis Labs, not Google. |
gcp.redisenterprise.com/* resourcemanager.projects.get resourcemanager.projects.list |
Redis Enterprise Cloud Viewer Beta( This role is managed by Redis Labs, not Google. |
gcp.redisenterprise. gcp.redisenterprise. gcp.redisenterprise. gcp.redisenterprise. resourcemanager.projects.get resourcemanager.projects.list |
Transcoder roles |
Permissions |
Transcoder Admin( Full access to all transcoder resources. |
resourcemanager.projects.get resourcemanager.projects.list transcoder.* |
Transcoder Viewer( Viewer of all transcoder resources. |
resourcemanager.projects.get resourcemanager.projects.list transcoder.jobTemplates.get transcoder.jobTemplates.list transcoder.jobs.get transcoder.jobs.list |
Transfer Appliance roles |
Permissions |
Transfer Appliance Admin Beta( Full access to all Transfer Appliance resources. |
resourcemanager.projects.get resourcemanager.projects.list transferappliance.* |
Transfer Appliance Viewer Beta( Read-only access to all Transfer Appliance resources. |
resourcemanager.projects.get resourcemanager.projects.list transferappliance. transferappliance. transferappliance.locations.* transferappliance. transferappliance. transferappliance.orders.get transferappliance.orders.list transferappliance. transferappliance. |
Vertex AI roles |
Permissions |
Vertex AI Administrator( Grants full access to all resources in Vertex AI |
aiplatform.* resourcemanager.projects.get resourcemanager.projects.list |
Colab Enterprise Admin( Admin role for using Colab Enterprise. |
aiplatform. aiplatform. aiplatform. aiplatform. aiplatform. aiplatform. aiplatform. aiplatform.notebookRuntimes.* aiplatform.operations.list aiplatform.pipelineJobs.create aiplatform.schedules.* compute.reservations.get compute.reservations.list dataform.* resourcemanager.projects.get resourcemanager.projects.list |
Colab Enterprise User( User role for using Colab Enterprise. |
aiplatform. aiplatform. aiplatform. aiplatform. aiplatform. aiplatform. aiplatform. aiplatform.operations.list aiplatform.pipelineJobs.create aiplatform.schedules.* dataform.locations.* dataform.repositories.create dataform.repositories.list resourcemanager.projects.get resourcemanager.projects.list |
Vertex AI Feature Store EntityType owner( Provides full access to all permissions for a particular entity type resource. Lowest-level resources where you can grant this role:
|
aiplatform.entityTypes.delete aiplatform. aiplatform. aiplatform.entityTypes.get aiplatform. aiplatform. aiplatform. aiplatform. aiplatform. aiplatform.entityTypes.update aiplatform. aiplatform.featureGroups.get aiplatform.featureGroups.list aiplatform. aiplatform. aiplatform.featureViewSyncs.* aiplatform. aiplatform.featureViews.get aiplatform.featureViews.list aiplatform. aiplatform.features.* aiplatform. resourcemanager.projects.get resourcemanager.projects.list |
Vertex AI Feature Store Admin( Grants full access to all resources in Vertex AI Feature Store Lowest-level resources where you can grant this role:
|
aiplatform.entityTypes.* aiplatform.featureGroups.* aiplatform. aiplatform.featureViewSyncs.* aiplatform.featureViews.* aiplatform.features.* aiplatform.featurestores.* aiplatform.operations.list resourcemanager.projects.get resourcemanager.projects.list |
Vertex AI Feature Store Data Viewer( This role provides permissions to read Feature data. Lowest-level resources where you can grant this role:
|
aiplatform. aiplatform.entityTypes.get aiplatform. aiplatform. aiplatform.featureGroups.get aiplatform.featureGroups.list aiplatform. aiplatform. aiplatform.featureViewSyncs.* aiplatform. aiplatform.featureViews.get aiplatform.featureViews.list aiplatform. aiplatform.features.get aiplatform.features.list aiplatform. resourcemanager.projects.get resourcemanager.projects.list |
Vertex AI Feature Store Data Writer( This role provides permissions to read and write Feature data. Lowest-level resources where you can grant this role:
|
aiplatform. aiplatform. aiplatform.entityTypes.get aiplatform. aiplatform. aiplatform. aiplatform. aiplatform.featureGroups.get aiplatform.featureGroups.list aiplatform. aiplatform. aiplatform.featureViewSyncs.* aiplatform. aiplatform.featureViews.get aiplatform.featureViews.list aiplatform. aiplatform.features.get aiplatform.features.list aiplatform. resourcemanager.projects.get resourcemanager.projects.list |
Vertex AI Feature Store Instance Creator( Administrator of Featurestore resources, but not the child resources under Featurestores. Lowest-level resources where you can grant this role:
|
aiplatform. aiplatform. aiplatform.featurestores.get aiplatform.featurestores.list aiplatform. |
Vertex AI Feature Store Resource Viewer( Viewer of all resources in Vertex AI Feature Store but cannot make changes. Lowest-level resources where you can grant this role:
|
aiplatform.entityTypes.get aiplatform.entityTypes.list aiplatform.featureGroups.get aiplatform.featureGroups.list aiplatform. aiplatform. aiplatform.featureViewSyncs.* aiplatform.featureViews.get aiplatform.featureViews.list aiplatform.features.get aiplatform.features.list aiplatform.featurestores.get aiplatform.featurestores.list aiplatform.operations.list resourcemanager.projects.get resourcemanager.projects.list |
Vertex AI Feature Store User Beta( Deprecated. Use featurestoreAdmin instead. |
aiplatform.entityTypes.* aiplatform.features.* aiplatform.featurestores.* aiplatform.operations.list resourcemanager.projects.get resourcemanager.projects.list |
Vertex AI Migration Service User( Grants access to use migration service in Vertex AI |
aiplatform. |
Notebook Executor User Beta( Grants users full access to schedules and notebook execution jobs. |
aiplatform.operations.list aiplatform.pipelineJobs.create aiplatform.schedules.* |
Notebook Runtime Admin( Grants full access to all runtime templates and runtimes in Notebook Service. |
aiplatform. aiplatform. aiplatform. aiplatform. aiplatform. aiplatform. aiplatform. aiplatform.notebookRuntimes.* aiplatform.operations.list compute.reservations.get compute.reservations.list |
Notebook Runtime User( Grants users permissions to create runtime resources using a runtime template and manage the runtime resources they created. |
aiplatform. aiplatform. aiplatform. aiplatform. aiplatform. aiplatform. aiplatform. aiplatform.operations.list |
Vertex AI Tensorboard Web App User Beta( Grants access to the Vertex AI TensorBoard web app. |
aiplatform. |
Vertex AI User( Grants access to use all resources in Vertex AI |
aiplatform.annotationSpecs.* aiplatform.annotations.* aiplatform.artifacts.* aiplatform. aiplatform.contexts.* aiplatform.customJobs.* aiplatform.dataItems.* aiplatform.dataLabelingJobs.* aiplatform.datasetVersions.* aiplatform.datasets.* aiplatform. aiplatform. aiplatform. aiplatform.edgeDevices.* aiplatform.endpoints.create aiplatform.endpoints.delete aiplatform.endpoints.deploy aiplatform.endpoints.explain aiplatform.endpoints.get aiplatform.endpoints.list aiplatform.endpoints.predict aiplatform.endpoints.undeploy aiplatform.endpoints.update aiplatform.entityTypes.create aiplatform.entityTypes.delete aiplatform. aiplatform. aiplatform.entityTypes.get aiplatform. aiplatform.entityTypes.list aiplatform. aiplatform. aiplatform.entityTypes.update aiplatform. aiplatform.executions.* aiplatform.extensions.* aiplatform.featureGroups.* aiplatform. aiplatform.featureViewSyncs.* aiplatform.featureViews.* aiplatform.features.* aiplatform. aiplatform. aiplatform. aiplatform. aiplatform.featurestores.get aiplatform. aiplatform.featurestores.list aiplatform. aiplatform. aiplatform. aiplatform.humanInTheLoops.* aiplatform. aiplatform.indexEndpoints.* aiplatform.indexes.* aiplatform.locations.* aiplatform.metadataSchemas.* aiplatform.metadataStores.* aiplatform. aiplatform. aiplatform.modelEvaluations.* aiplatform.models.* aiplatform.nasJobs.* aiplatform.nasTrialDetails.* aiplatform. aiplatform. aiplatform. aiplatform. aiplatform. aiplatform. aiplatform.notebookRuntimes.* aiplatform.operations.list aiplatform. aiplatform. aiplatform.pipelineJobs.* aiplatform.schedules.* aiplatform.specialistPools.* aiplatform.studies.* aiplatform. aiplatform.tensorboardRuns.* aiplatform. aiplatform.tensorboards.create aiplatform.tensorboards.delete aiplatform.tensorboards.get aiplatform.tensorboards.list aiplatform.tensorboards.update aiplatform.trainingPipelines.* aiplatform.trials.* resourcemanager.projects.get resourcemanager.projects.list |
Vertex AI Viewer( Grants access to view all resources in Vertex AI |
aiplatform.annotationSpecs.get aiplatform. aiplatform.annotations.get aiplatform.annotations.list aiplatform.artifacts.get aiplatform.artifacts.list aiplatform. aiplatform. aiplatform.contexts.get aiplatform.contexts.list aiplatform. aiplatform.customJobs.get aiplatform.customJobs.list aiplatform.dataItems.get aiplatform.dataItems.list aiplatform. aiplatform. aiplatform.datasetVersions.get aiplatform. aiplatform.datasets.get aiplatform.datasets.list aiplatform. aiplatform. aiplatform. aiplatform. aiplatform. aiplatform. aiplatform.edgeDevices.get aiplatform.edgeDevices.list aiplatform.endpoints.get aiplatform.endpoints.list aiplatform.entityTypes.get aiplatform.entityTypes.list aiplatform.executions.get aiplatform.executions.list aiplatform. aiplatform.extensions.get aiplatform.extensions.list aiplatform.featureGroups.get aiplatform.featureGroups.list aiplatform. aiplatform. aiplatform.featureViewSyncs.* aiplatform. aiplatform.featureViews.get aiplatform.featureViews.list aiplatform. aiplatform.features.get aiplatform.features.list aiplatform.featurestores.get aiplatform.featurestores.list aiplatform.humanInTheLoops.get aiplatform. aiplatform. aiplatform. aiplatform.indexEndpoints.get aiplatform.indexEndpoints.list aiplatform. aiplatform.indexes.get aiplatform.indexes.list aiplatform.locations.* aiplatform.metadataSchemas.get aiplatform. aiplatform.metadataStores.get aiplatform.metadataStores.list aiplatform. aiplatform. aiplatform. aiplatform. aiplatform. aiplatform. aiplatform. aiplatform.models.get aiplatform.models.list aiplatform.nasJobs.get aiplatform.nasJobs.list aiplatform.nasTrialDetails.* aiplatform. aiplatform. aiplatform. aiplatform. aiplatform.operations.list aiplatform. aiplatform. aiplatform.pipelineJobs.get aiplatform.pipelineJobs.list aiplatform.schedules.get aiplatform.schedules.list aiplatform.specialistPools.get aiplatform. aiplatform. aiplatform.studies.get aiplatform.studies.list aiplatform. aiplatform. 
aiplatform.tensorboardRuns.get aiplatform. aiplatform. aiplatform. aiplatform. aiplatform. aiplatform.tensorboards.get aiplatform.tensorboards.list aiplatform. aiplatform. aiplatform.trials.get aiplatform.trials.list resourcemanager.projects.get resourcemanager.projects.list |
Video Stitcher roles |
Permissions |
Video Stitcher Admin( Full access to all video stitcher resources. |
resourcemanager.projects.get resourcemanager.projects.list videostitcher.* |
Video Stitcher User( Full access to video stitcher sessions. |
resourcemanager.projects.get resourcemanager.projects.list videostitcher.liveSessions.* videostitcher.vodSessions.* |
Video Stitcher Viewer( Read-only access to video stitcher resources. |
resourcemanager.projects.get resourcemanager.projects.list videostitcher.cdnKeys.get videostitcher.cdnKeys.list videostitcher. videostitcher.liveConfigs.get videostitcher.liveConfigs.list videostitcher.liveSessions.get videostitcher.slates.get videostitcher.slates.list videostitcher. videostitcher.vodSessions.get videostitcher. |
Vision AI roles |
Permissions |
VisionAI Admin Beta( Full access to all Vision AI resources. |
resourcemanager.projects.get resourcemanager.projects.list visionai.* |
Vision AI Analysis Editor Beta( Access to read and write Vision AI Analyses. |
visionai.analyses.create visionai.analyses.delete visionai.analyses.get visionai.analyses.list visionai.analyses.update |
Vision AI Analysis Viewer Beta( Access to read Vision AI Analyses. |
visionai.analyses.get visionai.analyses.list |
VisionAI Warehouse Annotation Editor Beta( Grants access to edit media asset annotations in the Warehouse. |
visionai.annotations.* |
VisionAI Warehouse Annotation Viewer Beta( Grants access to view media asset annotations in the Warehouse. |
visionai.annotations.get visionai.annotations.list |
Vision AI Application Editor Beta( Access to read and write Vision AI Applications. |
visionai.applications.* visionai.drafts.* visionai.instances.* |
Vision AI Application Viewer Beta( Access to read Vision AI Applications. |
visionai.applications.get visionai.applications.list visionai.drafts.get visionai.drafts.list visionai.instances.* |
VisionAI Warehouse Asset Creator Beta( Grants access to ingest media assets into the Warehouse. |
visionai.assets.create visionai.assets.ingest |
VisionAI Warehouse Asset Editor Beta( Grants access to edit media assets in the Warehouse. |
visionai.assets.* |
VisionAI Warehouse Asset Viewer Beta( Grants access to view media assets in the Warehouse. |
visionai.assets.get visionai.assets.list visionai.assets.search |
Vision AI Cluster Editor Beta( Access to read and write Vision AI Clusters. |
visionai.clusters.create visionai.clusters.delete visionai.clusters.get visionai.clusters.list visionai.clusters.update visionai.clusters.watch |
Vision AI Cluster Viewer Beta( Access to read Vision AI Clusters. |
visionai.clusters.get visionai.clusters.list |
VisionAI Warehouse Corpus Administrator Beta( Full control of everything in a corpus, including corpus access control. |
visionai.annotations.* visionai.assets.* visionai.corpora.* visionai.dataSchemas.* visionai.indexes.* visionai.operations.get visionai.operations.list visionai.searchConfigs.* |
VisionAI Warehouse Corpus Editor Beta( Read-write access to everything in a corpus. |
visionai.annotations.* visionai.assets.* visionai.corpora.* visionai.dataSchemas.* visionai.indexes.* visionai.operations.get visionai.operations.list visionai.searchConfigs.* |
VisionAI Warehouse Corpus Viewer Beta( Grants access to view everything in a corpus. |
visionai.annotations.get visionai.annotations.list visionai.assets.clip visionai.assets.generateHlsUri visionai.assets.get visionai.assets.list visionai.assets.search visionai.corpora.get visionai.corpora.list visionai.corpora.suggest visionai.dataSchemas.get visionai.dataSchemas.list visionai.dataSchemas.validate visionai.indexes.get visionai.indexes.list visionai.indexes.viewAssets visionai.operations.get visionai.operations.list visionai.searchConfigs.get visionai.searchConfigs.list |
VisionAI Warehouse Corpus Writer Beta( Grants access to create/update/delete everything in a corpus. |
visionai.annotations.* visionai.assets.* visionai.corpora.analyze visionai.corpora.delete visionai.corpora.import visionai.corpora.update visionai.dataSchemas.create visionai.dataSchemas.delete visionai.dataSchemas.update visionai.indexes.create visionai.indexes.delete visionai.indexes.update visionai.operations.get visionai.operations.list visionai.searchConfigs.create visionai.searchConfigs.delete visionai.searchConfigs.update |
VisionAI Editor Beta( Edit access to all Vision AI resources. |
resourcemanager.projects.get resourcemanager.projects.list visionai.analyses.create visionai.analyses.delete visionai.analyses.get visionai.analyses.getIamPolicy visionai.analyses.list visionai.analyses.update visionai.annotations.* visionai.applications.* visionai.assets.* visionai.clusters.create visionai.clusters.delete visionai.clusters.get visionai.clusters.getIamPolicy visionai.clusters.list visionai.clusters.update visionai.clusters.watch visionai.corpora.* visionai.dataSchemas.* visionai.drafts.* visionai.events.create visionai.events.delete visionai.events.get visionai.events.getIamPolicy visionai.events.list visionai.events.update visionai.indexEndpoints.* visionai.indexes.* visionai.instances.* visionai.locations.* visionai.operations.* visionai.operators.create visionai.operators.delete visionai.operators.get visionai. visionai.operators.list visionai.operators.update visionai.processors.* visionai.searchConfigs.* visionai.series.acquireLease visionai.series.create visionai.series.delete visionai.series.get visionai.series.getIamPolicy visionai.series.list visionai.series.receive visionai.series.releaseLease visionai.series.renewLease visionai.series.send visionai.series.update visionai.streams.create visionai.streams.delete visionai.streams.get visionai.streams.getIamPolicy visionai.streams.list visionai.streams.receive visionai.streams.send visionai.streams.update visionai.uistreams.* |
Vision AI Event Editor Beta( Access to read and write Vision AI Events. |
visionai.events.create visionai.events.delete visionai.events.get visionai.events.list visionai.events.update |
Vision AI Event Viewer Beta( Access to read Vision AI Events. |
visionai.events.get visionai.events.list |
VisionAI Warehouse IndexEndpoint Administrator Beta( Full control of all Media Warehouse resources and permissions. |
visionai.indexEndpoints.* |
VisionAI Warehouse IndexEndpoint Editor Beta( Read, write and create access to all index-endpoint-level resources. |
visionai.indexEndpoints.* |
VisionAI Warehouse IndexEndpoint Viewer Beta( Grants access to view all index endpoint resources and to search on them. (ReadOnly) |
visionai.indexEndpoints.get visionai.indexEndpoints.list visionai.indexEndpoints.search |
VisionAI Warehouse IndexEndpoint Writer Beta( Grants access to perform update, delete, deploy and undeploy operations on the index endpoint. |
visionai.indexEndpoints.delete visionai.indexEndpoints.deploy visionai. visionai.indexEndpoints.update |
Vision AI Operator Editor Beta( Access to read and write Vision AI Operators. |
visionai.operators.create visionai.operators.delete visionai.operators.get visionai.operators.list visionai.operators.update |
Vision AI Operator Viewer Beta( Access to read Vision AI Operators. |
visionai.operators.get visionai.operators.list |
Vision AI Packet Receiver Beta( Access to read Vision AI Series. |
visionai.clusters.watch visionai.series.acquireLease visionai.series.receive visionai.series.releaseLease visionai.series.renewLease visionai.streams.receive |
Vision AI Packet Sender Beta( Packet sender to the series. |
visionai.series.acquireLease visionai.series.releaseLease visionai.series.renewLease visionai.series.send visionai.streams.send |
Vision AI Processor Editor Beta( Access to read and write Vision AI Processors. |
visionai.processors.* |
Vision AI Processor Viewer Beta( Access to read Vision AI Processors. |
visionai.processors.get visionai.processors.list visionai. |
Vision AI RetailCatalog Editor Beta( Access to read and write Vision AI RetailCatalogs. |
|
Vision AI RetailCatalog Viewer Beta( Access to read Vision AI RetailCatalogs. |
|
Vision AI RetailEndpoint Editor Beta( Access to read and write Vision AI RetailEndpoints. |
|
Vision AI RetailEndpoint Viewer Beta( Access to read Vision AI RetailEndpoints. |
|
Vision AI Series Editor Beta( Access to read and write Vision AI Series. |
visionai.clusters.watch visionai.series.acquireLease visionai.series.create visionai.series.delete visionai.series.get visionai.series.list visionai.series.receive visionai.series.releaseLease visionai.series.renewLease visionai.series.send visionai.series.update visionai.streams.receive visionai.streams.send |
Vision AI Series Viewer Beta( Access to read Vision AI Series. |
visionai.series.get visionai.series.list |
Vision AI Stream Editor Beta( Access to read and write Vision AI Streams. |
visionai.clusters.watch visionai.series.acquireLease visionai.series.receive visionai.series.releaseLease visionai.series.renewLease visionai.series.send visionai.streams.create visionai.streams.delete visionai.streams.get visionai.streams.list visionai.streams.receive visionai.streams.send visionai.streams.update |
Vision AI Stream Viewer Beta( Access to read Vision AI Streams. |
visionai.streams.get visionai.streams.list |
Vision AI UI Stream Editor Beta( Access to read and write Vision AI UI Streams. |
visionai.uistreams.* |
Vision AI UI Stream Viewer Beta( Access to read Vision AI UI Streams. |
visionai.uistreams.get visionai.uistreams.list |
VisionAI Viewer Beta( View access to all Vision AI resources. |
resourcemanager.projects.get resourcemanager.projects.list visionai.analyses.get visionai.analyses.getIamPolicy visionai.analyses.list visionai.annotations.get visionai.annotations.list visionai.applications.get visionai.applications.list visionai.assets.clip visionai.assets.generateHlsUri visionai.assets.get visionai.assets.list visionai.assets.search visionai.clusters.get visionai.clusters.getIamPolicy visionai.clusters.list visionai.corpora.get visionai.corpora.list visionai.corpora.suggest visionai.dataSchemas.get visionai.dataSchemas.list visionai.dataSchemas.validate visionai.drafts.get visionai.drafts.list visionai.events.get visionai.events.getIamPolicy visionai.events.list visionai.indexEndpoints.get visionai.indexEndpoints.list visionai.indexEndpoints.search visionai.indexes.get visionai.indexes.list visionai.indexes.viewAssets visionai.instances.* visionai.locations.* visionai.operations.get visionai.operations.list visionai.operators.get visionai. visionai.operators.list visionai.processors.get visionai.processors.list visionai. visionai.searchConfigs.get visionai.searchConfigs.list visionai.series.get visionai.series.getIamPolicy visionai.series.list visionai.streams.get visionai.streams.getIamPolicy visionai.streams.list visionai.uistreams.get visionai.uistreams.list |
VMwareEngine roles |
Permissions |
VMware Engine Service Admin( Admin has full access to VMware Engine Service |
resourcemanager.projects.get resourcemanager.projects.list vmwareengine.* |
VMware Engine Service Viewer( Viewer has read-only access to VMware Engine Service |
resourcemanager.projects.get resourcemanager.projects.list vmwareengine.clusters.get vmwareengine. vmwareengine.clusters.list vmwareengine. vmwareengine.dnsForwarding.get vmwareengine. vmwareengine. vmwareengine. vmwareengine. vmwareengine. vmwareengine. vmwareengine. vmwareengine.locations.* vmwareengine. vmwareengine. vmwareengine. vmwareengine. vmwareengine. vmwareengine. vmwareengine. vmwareengine. vmwareengine. vmwareengine. vmwareengine.nodeTypes.* vmwareengine.nodes.* vmwareengine.operations.get vmwareengine.operations.list vmwareengine.privateClouds.get vmwareengine. vmwareengine. vmwareengine. vmwareengine. vmwareengine. vmwareengine.services.view vmwareengine.subnets.get vmwareengine.subnets.list vmwareengine. vmwareengine. |
Workflows roles |
Permissions |
Workflows Admin( Full access to workflows and related resources. Lowest-level resources where you can grant this role:
|
resourcemanager.projects.get resourcemanager.projects.list workflows.* |
Workflows Editor( Read and write access to workflows and related resources, including development and debugging of workflows. Lowest-level resources where you can grant this role:
|
resourcemanager.projects.get resourcemanager.projects.list workflows.* |
Workflows Invoker( Access to execute workflows and manage the executions using the API. Does not provide access to develop and debug workflows. Lowest-level resources where you can grant this role:
|
resourcemanager.projects.get resourcemanager.projects.list workflows.callbacks.* workflows.executions.* workflows.stepEntries.* |
Workflows Viewer( Read-only access to workflows and related resources. Lowest-level resources where you can grant this role:
|
resourcemanager.projects.get resourcemanager.projects.list workflows.callbacks.list workflows.executions.get workflows.executions.list workflows.locations.* workflows.operations.get workflows.operations.list workflows.stepEntries.* workflows.workflows.get workflows.workflows.list workflows. |
Workforce Pools roles |
Permissions |
IAM Workforce Pool Admin( Full rights to create and manage all workforce pools in the org, along with the ability to delegate permissions to other admins. |
iam. iam.workforcePoolProviders.* iam.workforcePoolSubjects.* iam.workforcePools.* |
IAM Workforce Pool Editor( Rights to edit a particular instance of a workforce pool. |
iam.googleapis. iam.googleapis. iam.googleapis. iam.googleapis. iam.googleapis. iam.workforcePoolProviders.* |
IAM Workforce Pool Viewer( Rights to read workforce pool. |
iam.googleapis. iam.googleapis. iam.googleapis. iam.googleapis. iam.googleapis. iam.googleapis. |
Workload Certificate roles |
Permissions |
Workload Certificate Admin Beta( Full access to all Workload Certificate API resources. |
resourcemanager.projects.get resourcemanager.projects.list workloadcertificate.* |
Workload Certificate Registration Admin Beta( Full access to WorkloadRegistration resources. |
resourcemanager.projects.get resourcemanager.projects.list workloadcertificate. workloadcertificate. workloadcertificate. |
Workload Certificate Registration Viewer Beta( Read-only access to WorkloadRegistration resources. |
resourcemanager.projects.get resourcemanager.projects.list workloadcertificate. workloadcertificate. workloadcertificate. workloadcertificate. workloadcertificate. |
Workload Certificate Viewer Beta( Read-only access to all Workload Certificate resources. |
resourcemanager.projects.get resourcemanager.projects.list workloadcertificate. workloadcertificate. workloadcertificate. workloadcertificate. workloadcertificate. workloadcertificate. |
Workload Identity Pools roles |
Permissions |
IAM Workload Identity Pool Admin Beta( Full rights to create and manage workload identity pools. |
iam. iam. iam.workloadIdentityPools.* resourcemanager.projects.get resourcemanager.projects.list |
IAM Workload Identity Pool Viewer Beta( Read access to workload identity pools. |
iam.googleapis. iam.googleapis. iam.googleapis. iam.googleapis. iam.googleapis. iam.googleapis. resourcemanager.projects.get resourcemanager.projects.list |
Workload Manager roles |
Permissions |
Workload Manager Admin Beta( Full access to all Workload Manager resources. |
compute.acceleratorTypes.list compute.diskTypes.list compute.machineTypes.list compute.networks.list compute.projects.get compute.regions.list compute.subnetworks.list compute.zones.list dns.managedZones.list iam.serviceAccounts.list monitoring.timeSeries.list orgpolicy.policy.get resourcemanager.projects.get resourcemanager. resourcemanager.projects.list serviceusage.quotas.get serviceusage.services.get storage.buckets.list storage.objects.list workloadmanager.* |
Workload Manager Deployment Admin Beta( Full access to Workload Manager deployment resources. |
compute.acceleratorTypes.list compute.diskTypes.list compute.machineTypes.list compute.networks.list compute.projects.get compute.regions.list compute.subnetworks.list compute.zones.list dns.managedZones.list iam.serviceAccounts.list monitoring.timeSeries.list resourcemanager.projects.get resourcemanager. resourcemanager.projects.list serviceusage.quotas.get serviceusage.services.get storage.buckets.list storage.objects.list workloadmanager.actuations.* workloadmanager.deployments.* workloadmanager.locations.* workloadmanager.operations.* |
Workload Manager Deployment Viewer Beta( Read-only access to Workload Manager deployment resources. |
resourcemanager.projects.get resourcemanager.projects.list workloadmanager.actuations.get workloadmanager. workloadmanager. workloadmanager. |
Workload Manager Evaluation Admin Beta( Full access to Workload Manager evaluation resources. |
orgpolicy.policy.get resourcemanager.projects.get resourcemanager.projects.list workloadmanager.evaluations.* workloadmanager.executions.* workloadmanager.locations.* workloadmanager.operations.* workloadmanager.results.list workloadmanager.rules.list |
Workload Manager Evaluation Viewer Beta( Read-only access to Workload Manager evaluation resources. |
orgpolicy.policy.get resourcemanager.projects.get resourcemanager.projects.list workloadmanager. workloadmanager. workloadmanager.executions.get workloadmanager. workloadmanager.results.list workloadmanager.rules.list |
Workload Manager Evaluation Worker Beta( The role used by Workload Manager application runners to read and update workloads. |
workloadmanager.evaluations.* workloadmanager.executions.* |
Workload Manager Insights Writer Beta( The role used to write data to the WLM data warehouse. |
workloadmanager.insights.write |
Workload Manager Viewer Beta( Read-only access to all Workload Manager resources. |
orgpolicy.policy.get resourcemanager.projects.get resourcemanager.projects.list workloadmanager.actuations.get workloadmanager. workloadmanager. workloadmanager. workloadmanager. workloadmanager. workloadmanager.executions.get workloadmanager. workloadmanager.results.list workloadmanager.rules.list |
Workload Manager Worker Beta( The role used by Workload Manager application runners to read and update workloads. |
orgpolicy.policy.get resourcemanager.projects.get resourcemanager.projects.list workloadmanager.actuations.* workloadmanager.deployments.* workloadmanager.evaluations.* workloadmanager.executions.* workloadmanager.insights.write workloadmanager.results.list workloadmanager.rules.list |