This page describes the Identity and Access Management (IAM) roles and permissions needed to use Network Connectivity Center.
At a high level, you need the following:
- Predefined Network Connectivity Center permissions, which are described in Predefined roles.
- Certain additional permissions, depending on what you are doing:
  - If you need to create spokes, permission to read the relevant spoke resource types, as described in Permission to create a spoke.
  - If you need to work with hubs and spokes in the Google Cloud Console, permissions to see the appropriate pages, as described in Permission to use Network Connectivity Center in the Cloud Console.
Additionally, if you work with Network Connectivity Center in a Shared VPC network, you must hold all required permissions in the host project, because a hub, its spokes, and all related resources must reside in the host project.
For information about how to grant permissions, see the IAM overview.
The following table describes Network Connectivity Center's predefined roles.

| Role | Description |
|---|---|
| Hub & Spoke Admin | Enables full access to hub and spoke resources. |
| | Enables creating spokes and attaching them to an existing hub. |
| Hub & Spoke Viewer | Enables read-only access to hub and spoke resources. |
Additional required permissions
Depending on what actions you need to take in Network Connectivity Center, you might need additional permissions, as described in the following sections.
Permission to create a spoke
To create a spoke, you must have permission to read the spoke's resource type. For example:
- For all resource types, you need
- To create VPN tunnel spokes, you need
- To create VLAN attachment spokes, you need
- To create Router appliance spokes, you need
Permission to use Network Connectivity Center in the Cloud Console
To use Network Connectivity Center in the Cloud Console, you need the permissions described in the following table.

| Task | Required permissions | Notes |
|---|---|---|
| Access the Network Connectivity Center page | | Accessing this page is a prerequisite for using the Cloud Console to take any actions with Network Connectivity Center. |
| Access and use the Add spokes page | | |
| Add a VPN spoke | | |
| Add a VLAN attachment spoke | | |
Protecting resources with VPC Service Controls
To further secure your Network Connectivity Center resources, use VPC Service Controls.
VPC Service Controls adds a layer of protection to your resources that helps mitigate the risk of data exfiltration. With VPC Service Controls, you place Network Connectivity Center resources inside a service perimeter, and VPC Service Controls then blocks requests to those resources that originate outside the perimeter.
To learn more about service perimeters, see the Service perimeter configuration page of the VPC Service Controls documentation.
For more information about project roles and Google Cloud resources, see the following documentation:
- Access control for projects using IAM (Resource Manager documentation)
- Understanding Identity and Access Management role types
- Compute Engine IAM roles and permissions
For more information about Network Connectivity Center, see the following:
- Network Connectivity Center overview
- Working with hubs and spokes
- Connecting two branch offices using Cloud VPN spokes