Roles and permissions

This page describes the Identity and Access Management (IAM) roles and permissions needed to use Network Connectivity Center.

At a high level, you need the following:

Be aware that if you need to work with Network Connectivity Center in a Shared VPC network, you must have all needed permissions in the host project. A hub, its spokes, and all related resources must be in the host project.

For information about how to grant permissions, see the IAM overview.

Predefined roles

The following table describes Network Connectivity Center's predefined roles.

Role / Permissions

(roles/networkconnectivity.hubAdmin)

Enables full access to hub and spoke resources.

Lowest-level resources where you can grant this role:

  • Project

networkconnectivity.hubs.*

  • networkconnectivity.hubs.create
  • networkconnectivity.hubs.delete
  • networkconnectivity.hubs.get
  • networkconnectivity.hubs.getIamPolicy
  • networkconnectivity.hubs.list
  • networkconnectivity.hubs.setIamPolicy
  • networkconnectivity.hubs.update

networkconnectivity.locations.*

  • networkconnectivity.locations.get
  • networkconnectivity.locations.list

networkconnectivity.operations.*

  • networkconnectivity.operations.cancel
  • networkconnectivity.operations.delete
  • networkconnectivity.operations.get
  • networkconnectivity.operations.list

networkconnectivity.spokes.*

  • networkconnectivity.spokes.create
  • networkconnectivity.spokes.delete
  • networkconnectivity.spokes.get
  • networkconnectivity.spokes.getIamPolicy
  • networkconnectivity.spokes.list
  • networkconnectivity.spokes.setIamPolicy
  • networkconnectivity.spokes.update

resourcemanager.projects.get

resourcemanager.projects.list

(roles/networkconnectivity.hubViewer)

Enables read-only access to hub and spoke resources.

Lowest-level resources where you can grant this role:

  • Project

networkconnectivity.hubs.get

networkconnectivity.hubs.getIamPolicy

networkconnectivity.hubs.list

networkconnectivity.locations.*

  • networkconnectivity.locations.get
  • networkconnectivity.locations.list

networkconnectivity.spokes.get

networkconnectivity.spokes.getIamPolicy

networkconnectivity.spokes.list

resourcemanager.projects.get

resourcemanager.projects.list

(roles/networkconnectivity.spokeAdmin)

Enables full access to spoke resources and read-only access to hub resources.

Lowest-level resources where you can grant this role:

  • Project

networkconnectivity.hubs.get

networkconnectivity.hubs.getIamPolicy

networkconnectivity.hubs.list

networkconnectivity.locations.*

  • networkconnectivity.locations.get
  • networkconnectivity.locations.list

networkconnectivity.operations.get

networkconnectivity.operations.list

networkconnectivity.spokes.*

  • networkconnectivity.spokes.create
  • networkconnectivity.spokes.delete
  • networkconnectivity.spokes.get
  • networkconnectivity.spokes.getIamPolicy
  • networkconnectivity.spokes.list
  • networkconnectivity.spokes.setIamPolicy
  • networkconnectivity.spokes.update

resourcemanager.projects.get

resourcemanager.projects.list

Additional required permissions

Depending on what actions you need to take in Network Connectivity Center, you might need the permissions described in the following sections.

Permission to create a spoke

To create a spoke, you must have permission to read the spoke's resource type. For example:

  • For all resource types, you need compute.routers.get.
  • To create Router appliance spokes, you need compute.instances.get. Also, before you can use a Router appliance spoke, you must set up peering between the Cloud Router and the router appliance instance. To establish peering, you need the following permissions:
    • compute.instances.use
    • compute.routers.update
  • To create VLAN attachment spokes, you need compute.interconnectAttachments.get.
  • To create VPN tunnel spokes, you need compute.vpnTunnels.get.
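The following is an added example, not part of the Network Connectivity Center documentation: it models the three predefined roles tabulated above and the per-task permissions from this section, so you can check offline which permissions a principal's NCC roles still lack for a task and which predefined role is the least privileged fit. The task names and the inclusion of networkconnectivity.spokes.create in each spoke-creation task are assumptions for the example.

```python
# Added example (not part of the Network Connectivity Center documentation):
# least-privilege check against the roles and task permissions listed on this page.
from typing import Dict, FrozenSet, Iterable, List

HUB_PERMS = frozenset(f"networkconnectivity.hubs.{p}" for p in
    ("create", "delete", "get", "getIamPolicy", "list", "setIamPolicy", "update"))
SPOKE_PERMS = frozenset(p.replace("hubs", "spokes") for p in HUB_PERMS)
LOCATION_PERMS = frozenset(("networkconnectivity.locations.get",
                            "networkconnectivity.locations.list"))
OPERATION_PERMS = frozenset(f"networkconnectivity.operations.{p}" for p in
                            ("cancel", "delete", "get", "list"))
PROJECT_PERMS = frozenset(("resourcemanager.projects.get",
                           "resourcemanager.projects.list"))
# Read-only subset of the hub and spoke permissions (get, getIamPolicy, list).
READ_ONLY = frozenset(p for p in HUB_PERMS | SPOKE_PERMS
                      if p.rsplit(".", 1)[1] in ("get", "getIamPolicy", "list"))

# Predefined roles exactly as tabulated on this page.
ROLES: Dict[str, FrozenSet[str]] = {
    "roles/networkconnectivity.hubAdmin":
        HUB_PERMS | SPOKE_PERMS | LOCATION_PERMS | OPERATION_PERMS | PROJECT_PERMS,
    "roles/networkconnectivity.hubViewer":
        READ_ONLY | LOCATION_PERMS | PROJECT_PERMS,
    "roles/networkconnectivity.spokeAdmin":
        (READ_ONLY & HUB_PERMS) | SPOKE_PERMS | LOCATION_PERMS | PROJECT_PERMS
        | {"networkconnectivity.operations.get", "networkconnectivity.operations.list"},
}

# Per-task requirements from "Permission to create a spoke" (task names assumed).
TASKS: Dict[str, FrozenSet[str]] = {
    "create_vpn_tunnel_spoke": frozenset((
        "networkconnectivity.spokes.create", "compute.routers.get",
        "compute.vpnTunnels.get")),
    "create_router_appliance_spoke_with_peering": frozenset((
        "networkconnectivity.spokes.create", "compute.routers.get",
        "compute.instances.get", "compute.instances.use", "compute.routers.update")),
}

def granted(roles: Iterable[str]) -> FrozenSet[str]:
    """Union of permissions carried by the given predefined NCC roles."""
    return frozenset().union(*(ROLES[r] for r in roles))

def missing_for(task: str, roles: Iterable[str]) -> List[str]:
    """Permissions the task needs that none of the given roles grant, sorted."""
    return sorted(TASKS[task] - granted(roles))

def least_privileged_ncc_role(task: str) -> str:
    """Smallest predefined NCC role whose networkconnectivity.* perms cover the task."""
    need = {p for p in TASKS[task] if p.startswith("networkconnectivity.")}
    fits = [r for r, perms in ROLES.items() if need <= perms]
    return min(fits, key=lambda r: len(ROLES[r]))
```

Running missing_for for the Router appliance task against spokeAdmin alone shows that every compute.* permission is absent from all three NCC roles, which is why a Compute Engine role has to be granted alongside them.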

Permission to use Network Connectivity Center in the Google Cloud console

To use Network Connectivity Center in the Google Cloud console, you need a role—such as Compute Network Viewer (roles/compute.networkViewer)—that includes the permissions described in the following table.

Task / Required permissions

Access the Network Connectivity Center page
  • compute.projects.get
Access and use the Add spokes page
  • compute.networks.list
  • compute.regions.list
  • compute.routers.list
  • compute.zones.list
Add a VLAN attachment spoke
  • compute.interconnectAttachments.list
Add a VPN spoke
  • compute.forwardingRules.list
  • compute.targetVpnGateways.list
  • compute.vpnGateways.list
  • compute.vpnTunnels.list

Protecting resources with VPC Service Controls

To further secure your Network Connectivity Center resources, use VPC Service Controls.

VPC Service Controls provides your resources with additional security to help mitigate the risk of data exfiltration. By using VPC Service Controls, you can place Network Connectivity Center resources within service perimeters. VPC Service Controls then protects these resources from requests that originate outside the perimeter.

To learn more about service perimeters, see the Service perimeter configuration page of the VPC Service Controls documentation.

What's next

For more information about project roles and Google Cloud resources, see the following documentation:

For more information about Network Connectivity Center, see the following: