Stay organized with collections
Save and categorize content based on your preferences.
When you use Cloud Load Balancing, you make API requests. Each API request requires
that the Identity and Access Management (IAM) principal who
makes the request has appropriate permission to create, modify, or delete the
associated resources.
In IAM, permission to access a Google Cloud resource
isn't granted directly to the end user. Instead, permissions are grouped
into roles, and roles are granted to authenticated principals. Principals can be
of the following types: a user, group, service account, or Google domain.
An IAM policy defines and enforces what roles are
granted to which principals, and this policy is then attached to a resource.
This page provides an overview of relevant IAM roles and
permissions for Cloud Load Balancing. For a detailed description of
IAM, see the IAM documentation.
Roles and permissions
To follow the examples in the load balancing how-to guides, principals
need to create instances, firewall rules, and VPC networks. You
can provide the necessary permissions in one of the following ways:
Grant the predefined roles that are related to load
balancing.
To view the specific permissions included in the predefined roles, see the
following sections:
Use basic roles, making the principals project owners
or editors. Whenever possible, avoid using the basic roles; they grant a
large number of permissions, which violates the principle of least privilege.
Role change latency
Cloud Load Balancing caches IAM permissions for five minutes,
so it takes up to five minutes for a role change to become effective.
Managing Access Control for Cloud Load Balancing using IAM
You can get and set IAM policies using the Google Cloud console, the
IAM API, or the Google Cloud CLI. See Granting,
changing, and revoking access for details.
[[["Easy to understand","easyToUnderstand","thumb-up"],["Solved my problem","solvedMyProblem","thumb-up"],["Other","otherUp","thumb-up"]],[["Hard to understand","hardToUnderstand","thumb-down"],["Incorrect information or sample code","incorrectInformationOrSampleCode","thumb-down"],["Missing the information/samples I need","missingTheInformationSamplesINeed","thumb-down"],["Other","otherDown","thumb-down"]],["Last updated 2025-08-25 UTC."],[],[],null,["# Roles and permissions\n\nWhen you use Cloud Load Balancing, you make API requests. Each API request requires\nthat the [Identity and Access Management (IAM) principal](/iam/docs/overview#how_cloud_iam_works) who\nmakes the request has appropriate permission to create, modify, or delete the\nassociated resources.\n\nIn IAM, permission to access a Google Cloud resource\nisn't granted directly to the end user. Instead, permissions are grouped\ninto roles, and roles are granted to authenticated principals. Principals can be\nof the following types: a user, group, service account, or Google domain.\nAn IAM policy defines and enforces what roles are\ngranted to which principals, and this policy is then attached to a resource.\n\nThis page provides an overview of relevant IAM roles and\npermissions for Cloud Load Balancing. For a detailed description of\nIAM, see the [IAM documentation](/iam/docs).\n\nRoles and permissions\n---------------------\n\nTo follow the examples in the load balancing [how-to guides](/load-balancing/docs/how-to), principals\nneed to create instances, firewall rules, and VPC networks. You\ncan provide the necessary permissions in one of the following ways:\n\n- Grant the [predefined roles](/compute/docs/access/iam) that are related to load\n balancing.\n To view the specific permissions included in the predefined roles, see the\n following sections:\n\n - Compute Load Balancer Admin role ([`roles/compute.loadBalancerAdmin`](/compute/docs/access/iam#compute.loadBalancerAdmin))\n - Compute Network Admin role ([`roles/compute.networkAdmin`](/compute/docs/access/iam#compute.networkAdmin))\n - Compute Security Admin role ([`roles/compute.securityAdmin`](/compute/docs/access/iam#compute.securityAdmin))\n - Compute Instance Admin role ([`roles/compute.instanceAdmin`](/compute/docs/access/iam#compute.instanceAdmin))\n- [Create and grant custom roles](/iam/docs/creating-custom-roles) that at least contain the\n permissions included in the predefined roles.\n\n- Use [basic roles](/iam/docs/understanding-roles#basic), making the principals project owners\n or editors. Whenever possible, avoid using the basic roles; they grant a\n large number of permissions, which violates the principle of least privilege.\n\nRole change latency\n-------------------\n\nCloud Load Balancing caches IAM permissions for five minutes,\nso it takes up to five minutes for a role change to become effective.\n\nManaging Access Control for Cloud Load Balancing using IAM\n----------------------------------------------------------\n\nYou can get and set IAM policies using the Google Cloud console, the\nIAM API, or the Google Cloud CLI. See [Granting,\nchanging, and revoking access](/iam/docs/granting-changing-revoking-access) for details.\n\nWhat's next\n-----------\n\n- Learn more about [IAM](/iam/docs).\n- [Grant IAM roles](/iam/docs/granting-changing-revoking-access).\n- Learn about [IAM Conditions for forwarding\n rules](/load-balancing/docs/access-control/iam-conditions).\n- Learn about [organization policy constraints for Cloud Load\n Balancing](/load-balancing/docs/org-policy-constraints)."]]
