When you use Cloud Load Balancing, you make API requests. Each API request requires that the Cloud IAM member who makes the request has appropriate permission to create, modify, or delete the associated resources.
This page provides an overview of relevant Cloud IAM roles and permissions for Cloud Load Balancing. For a detailed description of Cloud IAM, see the Cloud IAM documentation.
Roles and permissions
You assign permissions by setting policies on a project. Policies grant roles to a Cloud IAM member: a user, group, service account, or Google domain.
To follow the examples in the load balancing how-to guides, members need to create instances, firewall rules, and VPC networks. You can provide the necessary permissions in one of the following ways:
- Grant the predefined roles that are related to load balancing. To view the specific permissions included in the predefined roles, see the following sections:
- Create and grant custom roles that at least contain the permissions included in the predefined roles.
- Use primitive roles, making the members project owners or editors. Whenever possible, avoid using the primitive roles; they grant a large number of permissions, which violates the principle of least privilege.
Role change latency
Cloud Load Balancing caches Cloud IAM permissions for five minutes, so it takes up to five minutes for a role change to become effective.
Managing Access Control for Cloud Load Balancing using Cloud IAM
You can get and set Cloud IAM policies using the Google Cloud Console, the Cloud IAM API, or the gcloud command-line tool. See Granting, changing, and revoking access to project members for details.
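To act on the advice above about avoiding primitive roles, the following added example (not part of the original documentation) audits a project policy for members who are project owners or editors. It assumes the policy was exported as JSON with `gcloud projects get-iam-policy PROJECT_ID --format=json`; the sample policy, member names, and function names are constructed for illustration.

```python
import json

# Primitive roles the page advises against (project owners or editors).
PRIMITIVE_ROLES = {"roles/owner", "roles/editor"}

# Constructed sample in the JSON shape printed by
# `gcloud projects get-iam-policy PROJECT_ID --format=json`.
SAMPLE_POLICY = json.loads("""
{
  "version": 1,
  "etag": "CONSTRUCTED",
  "bindings": [
    {"role": "roles/editor",
     "members": ["user:alice@example.com",
                 "serviceAccount:lb-deployer@example-project.iam.gserviceaccount.com"]},
    {"role": "roles/compute.loadBalancerAdmin",
     "members": ["group:lb-admins@example.com"]},
    {"role": "roles/owner",
     "members": ["user:bob@example.com"]}
  ]
}
""")


def find_primitive_grants(policy):
    """Return sorted (member, role) pairs that hold a primitive role."""
    findings = []
    for binding in policy.get("bindings", []):
        role = binding.get("role", "")
        if role in PRIMITIVE_ROLES:
            for member in binding.get("members", []):
                findings.append((member, role))
    return sorted(findings)


def summarize(policy):
    """Group findings by member so each principal is reviewed once."""
    by_member = {}
    for member, role in find_primitive_grants(policy):
        by_member.setdefault(member, []).append(role)
    return by_member


if __name__ == "__main__":
    for member, roles in summarize(SAMPLE_POLICY).items():
        print(f"{member}: replace {', '.join(roles)} with a predefined or custom role")
```

After replacing a flagged binding, allow for the five-minute permission cache described under Role change latency before treating the old access as gone for load balancing requests.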
- Learn more about IAM.
- Grant IAM roles.
- Learn about Cloud IAM Conditions for forwarding rules.