Viewing the Grantable Roles on Resources

Before you grant an IAM role to a user for a resource, you might want to know what roles are available to grant on a particular resource. This page describes how to list all grantable roles for a resource using the gcloud command-line tool.

Listing the roles that are grantable on a resource

Use the list-grantable-roles command to list all the roles that you can grant on a resource. This command lists only roles for the services that you have enabled in the project. A role appearing in this list means it is applicable to that resource type; actually granting it still requires permission to set the resource's IAM policy.

In the following example, the project has Google Compute Engine, Google App Engine, Cloud Storage, Cloud Logging, and Cloud Dataflow enabled.

gcloud iam list-grantable-roles //cloudresourcemanager.googleapis.com/projects/[PROJECT_ID]

where:

  • [PROJECT_ID] is the ID of the project to return information about. The argument is the project's full resource name, in the form: //cloudresourcemanager.googleapis.com/projects/[PROJECT_ID].

The command outputs all the roles that you can grant on the project specified by [PROJECT_ID]. Review the output before granting: the basic roles (owner, editor, viewer) span every service in the project, and a role that hands out service account credentials lets the grantee act with that service account's permissions.

    ---
    description: Ability to view App Engine app status.
    name: roles/appengine.appViewer
    title: App Engine Viewer
    ---
    description: Read and use image resources.
    name: roles/compute.imageUser
    title: Compute Image User
    ---
    description: Full control of Compute Engine instance resources.
    name: roles/compute.instanceAdmin.v1
    title: Compute Instance Admin
    ---
    description: Read and Write access to all Deployment Manager resources.
    name: roles/deploymentmanager.editor
    title: Deployment Manager Editor
    ---
    description: Edit access to all resources.
    name: roles/editor
    title: Editor
    ---
    description: Access to obtain credentials for a service account.
    name: roles/iam.serviceAccountActor
    title: Service Account Actor
    ---
    description: Full access to all resources.
    name: roles/owner
    title: Owner
    ---
    description: Full control of Google Cloud Storage objects.
    name: roles/storage.objectAdmin
    title: Storage Object Admin
    ---
    description: Read access to all resources.
    name: roles/viewer
    title: Viewer
    ---
    description: Full management of App Engine apps (but not storage).
    name: roles/appengine.appAdmin
    title: App Engine Admin
    ---
    description: Necessary permissions to deploy new code to App Engine, and remove old
    versions.
    name: roles/appengine.deployer
    title: App Engine Deployer
    ---
    description: Can view and change traffic splits, scaling settings, and delete old
    versions; cannot create new versions.
    name: roles/appengine.serviceAdmin
    title: App Engine Service Admin
    ---
    description: Authorized to see and manage all aspects of billing accounts.
    name: roles/billing.admin
    title: Billing Account Administrator
    ---
    description: Read access to browse the hierarchy for a project, including
    the folder, organization, and IAM policy. This role doesn't include
    permission to view resources in the project.
    name: roles/browser
    title: Browser
    ---
    description: Full control of Compute Engine networking resources.
    name: roles/compute.networkAdmin
    title: Compute Network Admin
    ---
    description: Read-only access to Compute Engine networking resources.
    name: roles/compute.networkViewer
    title: Compute Network Viewer
    ---
    description: Full control of Compute Engine security resources.
    name: roles/compute.securityAdmin
    title: Compute Security Admin
    ---
    description: Full control of Compute Engine storage resources.
    name: roles/compute.storageAdmin
    title: Compute Storage Admin
    ---
    description: Full operational access to Dataflow jobs.
    name: roles/dataflow.developer
    title: Dataflow Developer
    ---
    description: Read only access to Dataflow jobs.
    name: roles/dataflow.viewer
    title: Dataflow Viewer
    ---
    description: Worker access to Dataflow.  Intended for service accounts.
    name: roles/dataflow.worker
    title: Dataflow Worker
    ---
    description: Security reviewer role, with permissions to get any IAM policy.
    name: roles/iam.securityReviewer
    title: Security Reviewer
    ---
    description: Access to configure log exporting and metrics.
    name: roles/logging.configWriter
    title: Logs Configuration Writer
    ---
    description: Access to write logs.
    name: roles/logging.logWriter
    title: Logs Writer
    ---
    description: Access to view all logs, including logs with private contents.
    name: roles/logging.privateLogViewer
    title: Private Logs Viewer
    ---
    description: Access to view logs, except for logs with private contents.
    name: roles/logging.viewer
    title: Logs Viewer
    ---
    description: Full access to topics and subscriptions.
    name: roles/pubsub.admin
    title: Pub/Sub Admin
    ---
    description: Modify topics and subscriptions, publish and consume messages.
    name: roles/pubsub.editor
    title: Pub/Sub Editor
    ---
    description: Access to publish messages to a topic.
    name: roles/pubsub.publisher
    title: Pub/Sub Publisher
    ---
    description: Access to consume messages from a subscription and to attach subscriptions
    to a topic.
    name: roles/pubsub.subscriber
    title: Pub/Sub Subscriber
    ---
    description: Can view topics and subscriptions.
    name: roles/pubsub.viewer
    title: Pub/Sub Viewer
    ---
    description: Runtime control of checking and reporting usage of a service.
    name: roles/servicemanagement.runtimeController
    title: Service Runtime Controller
    ---
    description: Admin access to all repos in a project
    name: roles/source.admin
    title: Source Repository Administrator
    ---
    description: Read access to all repos in a project
    name: roles/source.reader
    title: Source Repository Reader
    ---
    description: Read / Write access to all repos in a project
    name: roles/source.writer
    title: Source Repository Writer
    ---
    description: Full control of Google Cloud Storage resources.
    name: roles/storage.admin
    title: Storage Admin
    ---
    description: Access to create objects in Google Cloud Storage.
    name: roles/storage.objectCreator
    title: Storage Object Creator
    ---
    description: Read-Only access to Google Cloud Storage objects.
    name: roles/storage.objectViewer
    title: Storage Object Viewer
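As an added example that is not part of this page or of the gcloud tool, the following Python script parses the "---"-separated output shown above (a constructed subset of it is embedded as SAMPLE_OUTPUT) and sorts the roles into buckets a reviewer should look at first: the basic roles that span every service, roles whose description says they hand out service account credentials (the grantee can then act with that account's permissions), and admin roles. The bucket names, the keyword heuristic, and the function names parse_roles/classify/audit are this example's own assumptions, not gcloud's.

```python
"""Parse `gcloud iam list-grantable-roles` output and bucket the roles by
how much review a grant deserves.  Added example: the sample output is
constructed from the page's listing; the heuristics are this example's own."""
import re

# Constructed sample: a subset of the page's listing, in the same
# '---'-separated YAML-stream shape that gcloud prints by default.
SAMPLE_OUTPUT = """\
---
description: Ability to view App Engine app status.
name: roles/appengine.appViewer
title: App Engine Viewer
---
description: Edit access to all resources.
name: roles/editor
title: Editor
---
description: Access to obtain credentials for a service account.
name: roles/iam.serviceAccountActor
title: Service Account Actor
---
description: Full access to all resources.
name: roles/owner
title: Owner
---
description: Necessary permissions to deploy new code to App Engine, and remove old
versions.
name: roles/appengine.deployer
title: App Engine Deployer
---
description: Security reviewer role, with permissions to get any IAM policy.
name: roles/iam.securityReviewer
title: Security Reviewer
---
description: Full control of Google Cloud Storage resources.
name: roles/storage.admin
title: Storage Admin
"""

KEY_RE = re.compile(r"^(description|name|title): ?(.*)$")


def parse_roles(text):
    """Turn the '---'-separated stream into a list of {description,name,title}.
    A line that does not start with a known key continues the previous value,
    which is how wrapped descriptions appear in the listing."""
    roles, current, last_key = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if line == "---":
            if current:
                roles.append(current)
            current, last_key = {}, None
            continue
        if current is None or not line:
            continue
        m = KEY_RE.match(line)
        if m:
            last_key = m.group(1)
            current[last_key] = m.group(2).strip()
        elif last_key:
            current[last_key] += " " + line
    if current:
        roles.append(current)
    return roles


# Heuristics (assumptions of this example, not gcloud's): basic roles cover
# every service in the project; a role that hands out service account
# credentials lets the grantee act with that account's permissions.
BASIC_ROLES = {"roles/owner", "roles/editor", "roles/viewer"}
IMPERSONATION_PHRASES = ("credentials for a service account",)


def classify(role):
    """Return 'basic', 'impersonation', 'admin' or 'scoped' for one role."""
    name = role.get("name", "")
    desc = role.get("description", "").lower()
    if name in BASIC_ROLES:
        return "basic"
    if any(phrase in desc for phrase in IMPERSONATION_PHRASES):
        return "impersonation"
    if "admin" in name.lower():
        return "admin"
    return "scoped"


def audit(text):
    """Map role name -> bucket so a review can start at the risky end."""
    return {r["name"]: classify(r) for r in parse_roles(text)}


if __name__ == "__main__":
    for name, bucket in sorted(audit(SAMPLE_OUTPUT).items(), key=lambda kv: kv[1]):
        print(f"{bucket:14} {name}")
```

With a real project, pipe the command's output into parse_roles, or run the command with `--format=json` and feed json.loads instead of the hand-rolled parser; the bucketing is the same either way.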
