When you use Cloud Load Balancing, you make API requests. Each API request requires that the Identity and Access Management (IAM) member who makes the request has appropriate permission to create, modify, or delete the associated resources.
In IAM, permission to access a Google Cloud resource isn't granted directly to the end user. Instead, permissions are grouped into roles, and roles are granted to authenticated members. Members can be of the following types: a user, group, service account, or Google domain. An IAM policy defines and enforces what roles are granted to which members, and this policy is then attached to a resource.
This page provides an overview of relevant IAM roles and permissions for Cloud Load Balancing. For a detailed description of IAM, see the IAM documentation.
Roles and permissions
To follow the examples in the load balancing how-to guides, members need to create instances, firewall rules, and VPC networks. You can provide the necessary permissions in one of the following ways:
Grant the predefined roles that are related to load balancing. To view the specific permissions included in the predefined roles, see the following sections:
Create and grant custom roles that at least contain the permissions included in the predefined roles.
Use basic roles, making the members project owners or editors. Whenever possible, avoid using the basic roles; they grant a large number of permissions, which violates the principle of least privilege.
Role change latency
Cloud Load Balancing caches IAM permissions for five minutes, so it takes up to five minutes for a role change to become effective.
Managing Access Control for Cloud Load Balancing using IAM
You can get and set IAM policies using the Google Cloud Console, the
IAM API, or the
gcloud command-line tool. See Granting,
changing, and revoking access to project members for details.
- Learn more about IAM.
- Grant IAM roles.
- Learn about IAM Conditions for forwarding rules.
- Learn about organization policy constraints for Cloud Load Balancing.