This page describes the Identity and Access Management (IAM) roles and permissions needed to run Network Connectivity Center.
You can grant users or service accounts permissions in the following ways:
- Assign them individual permissions.
- Assign them predefined roles.
- Create and assign them a custom role that uses permissions that you specify.
IAM permissions for Network Connectivity Center use a prefix of
The following table lists predefined roles for Network Connectivity Center and the permissions that apply to each role.
- Enables full access to hub and spoke resources.
- Enables creating spokes and attaching them to an existing hub. In Shared VPC networks, a user must have permissions in the host project to create a spoke. A spoke and its related resources must reside in the host project.
- Enables read-only access to hub and spoke resources.
For more information about project roles and Google Cloud resources, see the following documentation:
- Access control for projects using IAM (Resource Manager documentation)
- Understanding Identity and Access Management role types
- Compute Engine IAM roles and permissions
- To learn more about Network Connectivity Center, see the Network Connectivity Center overview.
- To create hubs and spokes, see Working with hubs and spokes.
- To work through a tutorial, see Connecting two branch offices using Cloud VPN spokes.