Access control

This page describes the Identity and Access Management (IAM) roles and permissions needed to use Network Connectivity Center.

At a high level, you need the following:

Additionally, be aware that if you need to work with Network Connectivity Center in a Shared VPC network, you must have all needed permissions in the host project. A hub, its spokes, and all related resources must reside in the host project.

For information about how to grant permissions, see the IAM overview.

Predefined roles

The following table describes Network Connectivity Center's predefined roles.

Role title: Hub & Spoke Admin
Description: Enables full access to hub and spoke resources.
Permissions:
  • networkconnectivity.spokes.*

Role title: Spoke Admin
Description: Enables creating spokes and attaching them to an existing hub.
Permissions:
  • networkconnectivity.spokes.*

Role title: Hub & Spoke Viewer
Description: Enables read-only access to hub and spoke resources.

Additional required permissions

Depending on what actions you need to take in Network Connectivity Center, you might need additional permissions, as described in the following sections.

Permission to create a spoke

To create a spoke, you must have permission to read the spoke's resource type. For example:

  • For all resource types, you need compute.routers.get.
  • To create VPN tunnel spokes, you need compute.vpnTunnels.get.
  • To create VLAN attachment spokes, you need compute.interconnectAttachments.get.
  • To create Router appliance spokes, you need compute.instances.get.

Permission to use Network Connectivity Center in the Cloud Console

To use Network Connectivity Center in the Cloud Console, you need the permissions described in the following table.


Access the Network Connectivity Center page
Required permissions:
  • networkconnectivity.hubs.get
  • networkconnectivity.hubs.list
  • networkconnectivity.spokes.list
  • compute.projects.get
Accessing this page is a prerequisite for using the Cloud Console to take any actions with Network Connectivity Center.

Access and use the Add spokes page
Required permissions:
  • networkconnectivity.spokes.create
  • networkconnectivity.spokes.delete
  • compute.networks.list
  • compute.regions.list
  • compute.routers.list
  • compute.zones.list

Add a VPN spoke
Required permissions:
  • compute.forwardingRules.list
  • compute.targetVpnGateways.list
  • compute.vpnGateways.list
  • compute.vpnTunnels.list

Add a VLAN attachment spoke
Required permissions:
  • compute.interconnectAttachments.list
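
The following check is an added example, not part of the original page or of Google's tooling: it combines the Cloud Console permissions above with the read permissions from "Permission to create a spoke" and reports which permissions a principal still lacks for each task. The task names, the chaining of each spoke task onto the Add spokes page, and the sample grant set are assumptions constructed for illustration.

```python
from fnmatch import fnmatchcase

# Task -> (prerequisite task, permissions), copied from the sections above.
# Chaining each spoke task onto the Add spokes page is an assumption.
TASKS = {
    "access_ncc_page": (None, {
        "networkconnectivity.hubs.get", "networkconnectivity.hubs.list",
        "networkconnectivity.spokes.list", "compute.projects.get"}),
    "use_add_spokes_page": ("access_ncc_page", {
        "networkconnectivity.spokes.create", "networkconnectivity.spokes.delete",
        "compute.networks.list", "compute.regions.list",
        "compute.routers.list", "compute.zones.list"}),
    "add_vpn_spoke": ("use_add_spokes_page", {
        "compute.forwardingRules.list", "compute.targetVpnGateways.list",
        "compute.vpnGateways.list", "compute.vpnTunnels.list",
        # Read access to the spoke's resource type (spoke creation section).
        "compute.routers.get", "compute.vpnTunnels.get"}),
    "add_vlan_attachment_spoke": ("use_add_spokes_page", {
        "compute.interconnectAttachments.list",
        "compute.routers.get", "compute.interconnectAttachments.get"}),
}

def required_permissions(task):
    """All permissions for a task, including those of its prerequisites."""
    prerequisite, permissions = TASKS[task]
    inherited = required_permissions(prerequisite) if prerequisite else set()
    return inherited | permissions

def is_granted(permission, granted):
    """True if any granted entry covers the permission; entries may use the
    trailing-wildcard notation from the roles table (spokes.*)."""
    return any(fnmatchcase(permission, entry) for entry in granted)

def missing_permissions(task, granted):
    """Sorted permissions the principal still lacks for the task."""
    return sorted(p for p in required_permissions(task)
                  if not is_granted(p, granted))

# Constructed sample: a principal holding the Spoke Admin wildcard plus a
# hand-picked set of hub and Compute Engine read permissions.
SAMPLE_GRANTED = {
    "networkconnectivity.spokes.*", "networkconnectivity.hubs.get",
    "networkconnectivity.hubs.list", "compute.projects.get",
    "compute.networks.list", "compute.regions.list", "compute.routers.list",
    "compute.zones.list", "compute.routers.get",
}

if __name__ == "__main__":
    for task in TASKS:
        gaps = missing_permissions(task, SAMPLE_GRANTED)
        print(f"{task}: {'OK' if not gaps else 'missing ' + ', '.join(gaps)}")
```

An empty result for a task means the grant set covers it; anything listed is the exact gap to close without granting a broader role.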

Protecting resources with VPC Service Controls

To further secure your Network Connectivity Center resources, use VPC Service Controls.

VPC Service Controls provides your resources with additional security to help mitigate the risk of data exfiltration. By using VPC Service Controls, you can place Network Connectivity Center resources within service perimeters. VPC Service Controls then protects these resources from requests that originate outside the perimeter.

To learn more about service perimeters, see the Service perimeter configuration page of the VPC Service Controls documentation.
