This page describes the Identity and Access Management (IAM) roles and permissions needed for running Connectivity Tests.
You can grant users or service accounts permissions or predefined roles, or you can create a custom role that uses permissions that you specify.
The IAM permissions use a prefix of networkmanagement.
To get or set IAM policies, or to test IAM permissions with the Network Management API, see Managing access control.
Roles
This section describes how to use predefined and custom roles when granting permissions for Connectivity Tests.
For an explanation of each permission, see the permissions table.
For more information about project roles and Google Cloud resources, see the following documentation:
- Resource Manager documentation
- Identity and Access Management documentation
- Compute Engine documentation describing access control
Predefined roles
Connectivity Tests has the following predefined roles:
networkmanagement.admin: has permission to perform all operations on a test resource.networkmanagement.viewer: has permission to list or get a specific test resource.
The following table lists the predefined roles and the permissions that apply to each role.
| Role | Title | Description | Permissions | Lowest resource |
|---|---|---|---|---|
roles/ |
Network Management Admin | Full access to Network Management resources. |
|
|
roles/ |
Network Management Viewer | Read-only access to Network Management resources. |
|
Custom roles
You can create custom roles by selecting a list of permissions from the permissions table for Connectivity Tests.
For example, you can create a role called reachabilityUsers, and
grant the list, get, and rerun permissions
to this role. A user with this role can rerun existing Connectivity Tests
and view updated test results based on the latest network configuration.
Using project roles to set permissions to Google Cloud resources
Because Connectivity Tests must have read access to the
Google Cloud resource configurations in your Virtual Private Cloud (VPC)
network to run a test, you must grant at least the
compute.networkViewer
role to users or service accounts running a test against those resources.
You can also create a custom role or temporarily authorize permissions associated
with the preceding role for a specific user.
Alternatively, you can grant a user or service account one of the following predefined roles for Google Cloud projects:
project.viewer: has all the permissions of anetworkmanagement.viewerrole.project.editororproject.owner: has all the permissions of thenetworkmanagement.adminrole.
Permissions
This section describes permissions for Connectivity Tests and how to use them when testing different types of network configurations.
Connectivity Tests permissions
Connectivity Tests has the following IAM permissions.
| Permission | Description |
|---|---|
networkmanagement.connectivitytests.list |
Lists all tests configured in the specified project. |
networkmanagement.connectivitytests.get |
Gets the details of a specific test. |
networkmanagement.connectivitytests.create |
Creates a new test object in the specified project with the data that you specify for the test. This permission includes permission to update, rerun, or delete tests. |
networkmanagement.connectivitytests.update |
Updates one or more fields in an existing test. |
networkmanagement.connectivitytests.delete |
Deletes the specified test. |
networkmanagement.connectivitytests.rerun |
Reruns a one-time reachability verification for a specified test. |
Permissions for running and viewing tests
If you don't have permission to create or update a test, you see a
permission denied message.
If you don't have permission to view the Compute Engine resources in the
network path that you are testing, you can still see the overall test result,
but details for the tested resources are hidden. The test results show a
permission denied message for each resource that you don't have
permissions to.
Even if you receive a final state of
Deliver
for your test, the test results show permission denied if you don't
have permissions to the configurations that you're testing.
You can find out which project you need permissions for to see the resource details, but you can't see which resource types are hidden.
Permissions across multiple projects
If the network configuration that you test uses VPC Network Peering or Shared VPC, Connectivity Tests must have sufficient permissions to access configurations in the multiple projects that these networks use.
These permissions enable Connectivity Tests to run one or more full traces of the packet path across different networks and projects. Otherwise, Connectivity Tests can access configurations within only that project.
Permissions for Shared VPC networks
When you run a test from a service project in a Shared VPC network, you
must have the read permission to the network's configuration in
the host project. This is because the firewall and route configurations for the
network are located in the host project. This is true even if the resources
that you are testing exist entirely within a single service project.
When you run a test from a Shared VPC host project to virtual machine (VM) instances in a service project, you must have permission to read the VM configurations in the service project.
If you have permissions to only the host project and you don't provide the
service project ID to the Connectivity Test, the test
result shows an overall reachability result of Unreachable with an
unknown IP address message.
Permissions for VPC Network Peering, Cloud VPN, and Cloud Interconnect
Connectivity Tests must have the read permission to
run a test for VPC Network Peering networks in projects that contain them.
If you have access to only one network in a VPC Network Peering connection, the test results show that the packet was sent to a VPC Network Peering network. However, Connectivity Tests can't provide any additional information for that network.