Viewing the Grantable Roles on Resources

Before you grant an IAM role to a user for a resource, you might want to know what roles are available to grant on a particular resource. This page describes how to list all grantable roles for a resource using the gcloud command-line tool.

Listing the roles that are grantable on a resource

Use the list-grantable-roles command to list all the roles that you can grant on a resource. This command only lists roles for the services that you have enabled in a project.

In the following example, the project has Google Compute Engine, Google App Engine, Cloud Storage, Cloud Logging, and Cloud Dataflow enabled.

gcloud iam list-grantable-roles [PROJECT_ID]

where:

  • [PROJECT_ID] is the ID of the project to return information about, in the form: //cloudresourcemanager.googleapis.com/projects/PROJECT_ID.

The command outputs all the roles that you can grant on the project specified by [PROJECT_ID].

    ---
    description: Ability to view App Engine app status.
    name: roles/appengine.appViewer
    title: App Engine Viewer
    ---
    description: Read and use image resources.
    name: roles/compute.imageUser
    title: Compute Image User
    ---
    description: Full control of Compute Engine instance resources.
    name: roles/compute.instanceAdmin.v1
    title: Compute Instance Admin
    ---
    description: Read and Write access to all Deployment Manager resources.
    name: roles/deploymentmanager.editor
    title: Deployment Manager Editor
    ---
    description: Edit access to all resources.
    name: roles/editor
    title: Editor
    ---
    description: Access to obtain credentials for a service account.
    name: roles/iam.serviceAccountActor
    title: Service Account Actor
    ---
    description: Full access to all resources.
    name: roles/owner
    title: Owner
    ---
    description: Full control of Google Cloud Storage objects.
    name: roles/storage.objectAdmin
    title: Storage Object Admin
    ---
    description: Read access to all resources.
    name: roles/viewer
    title: Viewer
    ---
    description: Full management of App Engine apps (but not storage).
    name: roles/appengine.appAdmin
    title: App Engine Admin
    ---
    description: Necessary permissions to deploy new code to App Engine, and remove old
    versions.
    name: roles/appengine.deployer
    title: App Engine Deployer
    ---
    description: Can view and change traffic splits, scaling settings, and delete old
    versions; cannot create new versions.
    name: roles/appengine.serviceAdmin
    title: App Engine Service Admin
    ---
    description: Authorized to see and manage all aspects of billing accounts.
    name: roles/billing.admin
    title: Billing Account Administrator
    ---
    description: Read access to browse the hierarchy for a project, including
    the folder, organization, and IAM policy. This role doesn't include
    permission to view resources in the project.
    name: roles/browser
    title: Browser
    ---
    description: Full control of Compute Engine networking resources.
    name: roles/compute.networkAdmin
    title: Compute Network Admin
    ---
    description: Read-only access to Compute Engine networking resources.
    name: roles/compute.networkViewer
    title: Compute Network Viewer
    ---
    description: Full control of Compute Engine security resources.
    name: roles/compute.securityAdmin
    title: Compute Security Admin
    ---
    description: Full control of Compute Engine storage resources.
    name: roles/compute.storageAdmin
    title: Compute Storage Admin
    ---
    description: Full operational access to Dataflow jobs.
    name: roles/dataflow.developer
    title: Dataflow Developer
    ---
    description: Read only access to Dataflow jobs.
    name: roles/dataflow.viewer
    title: Dataflow Viewer
    ---
    description: Worker access to Dataflow.  Intended for service accounts.
    name: roles/dataflow.worker
    title: Dataflow Worker
    ---
    description: Security reviewer role, with permissions to get any IAM policy.
    name: roles/iam.securityReviewer
    title: Security Reviewer
    ---
    description: Access to configure log exporting and metrics.
    name: roles/logging.configWriter
    title: Logs Configuration Writer
    ---
    description: Access to write logs.
    name: roles/logging.logWriter
    title: Logs Writer
    ---
    description: Access to view all logs, including logs with private contents.
    name: roles/logging.privateLogViewer
    title: Private Logs Viewer
    ---
    description: Access to view logs, except for logs with private contents.
    name: roles/logging.viewer
    title: Logs Viewer
    ---
    description: Full access to topics and subscriptions.
    name: roles/pubsub.admin
    title: Pub/Sub Admin
    ---
    description: Modify topics and subscriptions, publish and consume messages.
    name: roles/pubsub.editor
    title: Pub/Sub Editor
    ---
    description: Access to publish messages to a topic.
    name: roles/pubsub.publisher
    title: Pub/Sub Publisher
    ---
    description: Access to consume messages from a subscription and to attach subscriptions
    to a topic.
    name: roles/pubsub.subscriber
    title: Pub/Sub Subscriber
    ---
    description: Can view topics and subscriptions.
    name: roles/pubsub.viewer
    title: Pub/Sub Viewer
    ---
    description: Runtime control of checking and reporting usage of a service.
    name: roles/servicemanagement.runtimeController
    title: Service Runtime Controller
    ---
    description: Admin access to all repos in a project
    name: roles/source.admin
    title: Source Repository Administrator
    ---
    description: Read access to all repos in a project
    name: roles/source.reader
    title: Source Repository Reader
    ---
    description: Read / Write access to all repos in a project
    name: roles/source.writer
    title: Source Repository Writer
    ---
    description: Full control of Google Cloud Storage resources.
    name: roles/storage.admin
    title: Storage Admin
    ---
    description: Access to create objects in Google Cloud Storage.
    name: roles/storage.objectCreator
    title: Storage Object Creator
    ---
    description: Read-Only access to Google Cloud Storage objects.
    name: roles/storage.objectViewer
    title: Storage Object Viewer
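To turn this output into something reviewable before granting anything, the following added example (not part of the original page or of gcloud) builds the project resource name the command expects, parses the '---'-separated records shown above (including wrapped description lines), groups the roles by service and flags the broad ones. The sample output is constructed from the records on this page, and the choice of roles to flag is the author's assumption.

```python
from collections import defaultdict

def project_resource_name(project_id: str) -> str:
    """Full resource name that list-grantable-roles expects for a project."""
    return f"//cloudresourcemanager.googleapis.com/projects/{project_id}"

def parse_grantable_roles(output: str) -> list:
    """Split gcloud's '---'-separated records into dicts (description/name/title)."""
    roles, current, last_key = [], {}, None
    for raw in (output + "\n---").splitlines():  # sentinel flushes the last record
        line = raw.strip()
        if line == "---":
            if current:
                roles.append(current)
            current, last_key = {}, None
        elif line.split(":", 1)[0] in ("description", "name", "title"):
            key, value = line.split(":", 1)
            current[key] = value.strip()
            last_key = key
        elif line and last_key:
            current[last_key] += " " + line  # gcloud wraps long descriptions
    return roles

# Assumed set worth a second look before granting: primitive roles are broad,
# and serviceAccountActor lets the grantee obtain service account credentials.
BROAD_ROLES = {"roles/owner", "roles/editor", "roles/iam.serviceAccountActor"}

def summarize(roles: list) -> tuple:
    """Group role names by service prefix and list the broad ones to review."""
    by_service = defaultdict(list)
    for r in roles:
        short = r["name"].removeprefix("roles/")
        service = short.split(".", 1)[0] if "." in short else "primitive"
        by_service[service].append(r["name"])
    flagged = sorted(r["name"] for r in roles if r["name"] in BROAD_ROLES)
    return dict(by_service), flagged

# Constructed sample in the output format shown on this page (not a real run).
SAMPLE = """\
---
description: Full access to all resources.
name: roles/owner
title: Owner
---
description: Necessary permissions to deploy new code to App Engine, and remove old
versions.
name: roles/appengine.deployer
title: App Engine Deployer
"""
```

Feed the real command's output to parse_grantable_roles, for example via `gcloud iam list-grantable-roles "$(...)"` captured with subprocess, and summarize the result before deciding which role to grant.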
