Access control for Connectivity Tests

This page describes the Identity and Access Management (IAM) roles and permissions needed for running Connectivity Tests.

You can grant users or service accounts permissions or predefined roles, or you can create a custom role that uses permissions that you specify.

The IAM permissions use a prefix of networkmanagement.

To get or set IAM policies, or to test IAM permissions with the Network Management API, see Managing access control.

Roles

This section describes how to use predefined and custom roles when granting permissions for Connectivity Tests.

For an explanation of each permission, see the permissions table.

For more information about project roles and Google Cloud resources, see the following documentation:

Predefined roles

Connectivity Tests has the following predefined roles:

  • networkmanagement.admin: has permission to perform all operations on a test resource.
  • networkmanagement.viewer: has permission to list or get a specific test resource.

The following table lists the predefined roles and the permissions that apply to each role.

Role: roles/networkmanagement.admin
Title: Network Management Admin
Description: Full access to Network Management resources.
Permissions:
  • networkmanagement.*
  • resourcemanager.projects.get
  • resourcemanager.projects.list

Role: roles/networkmanagement.viewer
Title: Network Management Viewer
Description: Read-only access to Network Management resources.
Permissions:
  • networkmanagement.connectivitytests.get
  • networkmanagement.connectivitytests.getIamPolicy
  • networkmanagement.connectivitytests.list
  • networkmanagement.locations.*
  • networkmanagement.operations.*
  • resourcemanager.projects.get
  • resourcemanager.projects.list

Custom roles

You can create custom roles by selecting a list of permissions from the permissions table for Connectivity Tests.

For example, you can create a role called reachabilityUsers, and grant the list, get, and rerun permissions to this role. A user with this role can rerun existing Connectivity Tests and view updated test results based on the latest network configuration.
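The following is an added example, not code from the Connectivity Tests documentation or from Google Cloud. It models the two predefined roles from the table above and the reachabilityUsers custom role from the text as plain Python, so you can check offline which permissions a given set of roles grants before binding them. The custom role definition uses the title, description, stage and includedPermissions keys that gcloud iam roles create --file reads; the role ID reachabilityUsers and the project ID my-project are placeholders, and nothing here calls Google Cloud.

```python
"""Offline model of the Connectivity Tests IAM roles described on this page.

Added example: nothing here calls Google Cloud. Role and permission names come
from the page's tables; the custom role ID `reachabilityUsers` and the project
ID `my-project` are placeholders.
"""
from fnmatch import fnmatchcase

# Permissions granted by the two predefined roles (from the roles table above).
PREDEFINED_ROLES = {
    "roles/networkmanagement.admin": {
        "networkmanagement.*",
        "resourcemanager.projects.get",
        "resourcemanager.projects.list",
    },
    "roles/networkmanagement.viewer": {
        "networkmanagement.connectivitytests.get",
        "networkmanagement.connectivitytests.getIamPolicy",
        "networkmanagement.connectivitytests.list",
        "networkmanagement.locations.*",
        "networkmanagement.operations.*",
        "resourcemanager.projects.get",
        "resourcemanager.projects.list",
    },
}

# The custom role from the text: list, get and rerun, and nothing else.
# The keys are the ones `gcloud iam roles create ROLE_ID --project=... --file=role.yaml`
# reads from its YAML file.
REACHABILITY_USERS = {
    "title": "Reachability Users",
    "description": "Rerun existing Connectivity Tests and view the results",
    "stage": "GA",
    "includedPermissions": [
        "networkmanagement.connectivitytests.list",
        "networkmanagement.connectivitytests.get",
        "networkmanagement.connectivitytests.rerun",
    ],
}

# Fully qualified name a project-level custom role gets once created (placeholder project).
CUSTOM_ROLES = {
    "projects/my-project/roles/reachabilityUsers": set(REACHABILITY_USERS["includedPermissions"]),
}


def granted_permissions(role):
    """Permission patterns a role grants; unknown roles grant nothing."""
    return PREDEFINED_ROLES.get(role) or CUSTOM_ROLES.get(role) or set()


def has_permission(roles, permission):
    """True if any of `roles` grants `permission`. A `*` in a role entry is a
    wildcard, so networkmanagement.* covers every networkmanagement permission."""
    return any(
        fnmatchcase(permission, pattern)
        for role in roles
        for pattern in granted_permissions(role)
    )


def missing_permissions(roles, needed):
    """Permissions in `needed` that none of `roles` grants, in the order given."""
    return [p for p in needed if not has_permission(roles, p)]


def role_yaml(role):
    """Render a custom role definition as the YAML that gcloud's --file flag reads."""
    lines = [
        f"title: {role['title']}",
        f"description: {role['description']}",
        f"stage: {role['stage']}",
        "includedPermissions:",
    ]
    lines += [f"- {p}" for p in role["includedPermissions"]]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    # What a user needs to rerun a test and read its updated results.
    RERUN_WORKFLOW = [
        "networkmanagement.connectivitytests.list",
        "networkmanagement.connectivitytests.get",
        "networkmanagement.connectivitytests.rerun",
    ]
    for roles in (["roles/networkmanagement.viewer"],
                  ["projects/my-project/roles/reachabilityUsers"],
                  ["roles/networkmanagement.admin"]):
        print(roles, "missing:", missing_permissions(roles, RERUN_WORKFLOW))
    print(role_yaml(REACHABILITY_USERS))
```

Running the script shows the point of the custom role: the viewer role is missing only rerun, the admin role grants far more than the workflow needs, and reachabilityUsers grants exactly the three permissions. Write the output of role_yaml to a file and pass it to gcloud iam roles create to create the role.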

Using project roles to set permissions to Google Cloud resources

Because Connectivity Tests must have read access to the Google Cloud resource configurations in your Virtual Private Cloud (VPC) network to run a test, you must grant at least the compute.networkViewer role to users or service accounts running a test against those resources. You can also create a custom role or temporarily authorize permissions associated with the preceding role for a specific user.

Alternatively, you can grant a user or service account one of the following predefined roles for Google Cloud projects:

Permissions

This section describes permissions for Connectivity Tests and how to use them when testing different types of network configurations.

Connectivity Tests permissions

Connectivity Tests has the following IAM permissions.

  • networkmanagement.connectivitytests.list: Lists all tests configured in the specified project.
  • networkmanagement.connectivitytests.get: Gets the details of a specific test.
  • networkmanagement.connectivitytests.create: Creates a new test object in the specified project with the data that you specify for the test. This permission includes permission to update, rerun, or delete tests.
  • networkmanagement.connectivitytests.update: Updates one or more fields in an existing test.
  • networkmanagement.connectivitytests.delete: Deletes the specified test.
  • networkmanagement.connectivitytests.rerun: Reruns a one-time reachability verification for a specified test.

Permissions for running and viewing tests

If you don't have permission to create or update a test, you see a permission denied message.

If you don't have permission to view the Compute Engine resources in the network path that you are testing, you can still see the overall test result, but details for the tested resources are hidden. The test results show a permission denied message for each resource that you don't have permissions to.

Even if you receive a final state of Deliver for your test, the test results show permission denied if you don't have permissions to the configurations that you're testing.

You can find out which project you need permissions for to see the resource details, but you can't see which resource types are hidden.

Permissions across multiple projects

If the network configuration that you test uses VPC Network Peering or Shared VPC, Connectivity Tests must have sufficient permissions to access configurations in the multiple projects that these networks use.

These permissions enable Connectivity Tests to run one or more full traces of the packet path across different networks and projects. Without them, Connectivity Tests can access configurations only in the project that contains the test.

Permissions for Shared VPC networks

When you run a test from a service project in a Shared VPC network, you must have the read permission to the network's configuration in the host project. This is because the firewall and route configurations for the network are located in the host project. This is true even if the resources that you are testing exist entirely within a single service project.

When you run a test from a Shared VPC host project to virtual machine (VM) instances in a service project, you must have permission to read the VM configurations in the service project.

If you have permissions to only the host project and you don't provide the service project ID to the Connectivity Test, the test result shows an overall reachability result of Unreachable with an unknown IP address message.

Permissions for VPC Network Peering, Cloud VPN, and Cloud Interconnect

To trace a packet across a VPC Network Peering connection, Connectivity Tests must have read permission in each project that contains one of the peered networks.

If you have access to only one network in a VPC Network Peering connection, the test results show that the packet was sent to a VPC Network Peering network. However, Connectivity Tests can't provide any additional information for that network.
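The following is an added example, not code from the Connectivity Tests documentation or from Google Cloud. It turns the Shared VPC and VPC Network Peering rules from the two sections above into an offline pre-check: given the roles a principal holds in each project and the projects on the packet path, it predicts which configurations will be hidden or which failure message the result will show. The role names are the ones this page names (roles/compute.networkViewer for reading network configuration, roles/networkmanagement.admin for creating or rerunning the test); NETWORK_READ_ROLES is an assumption you should extend with any other role you use that carries the same permissions, and the project IDs in the demo are placeholders. Nothing here calls Google Cloud.

```python
"""Pre-check for a Connectivity Test that spans projects (added example, runs offline).

Which project needs which access is taken from the page's Shared VPC and
VPC Network Peering sections. Role names are the ones the page names;
project IDs in the demo are placeholders.
"""

# Roles that give read access to VPC, firewall, route and VM configuration.
# Assumption: the page names only compute.networkViewer; add any broader or
# custom role you use that carries the same permissions.
NETWORK_READ_ROLES = {"roles/compute.networkViewer"}
# Roles that can create or rerun the test resource itself.
TEST_RUN_ROLES = {"roles/networkmanagement.admin"}


def can_read_network(grants, project):
    """True if the principal holds a network-read role in `project`."""
    return bool(grants.get(project, set()) & NETWORK_READ_ROLES)


def precheck(test, grants, extra_run_roles=()):
    """Return (project, finding) pairs predicting what the test result will show.

    test keys:
      project          project that owns the test resource
      host_project     Shared VPC host project, or None
      service_project  service project holding the tested VMs, or None if not supplied
      peered_projects  projects of networks reached over VPC Network Peering
    grants: {project_id: set of role names the principal holds there}
    extra_run_roles: custom roles (e.g. a rerun-only role) that may run the test.
    An empty list means every configuration on the packet path is readable.
    """
    findings = []
    run_roles = TEST_RUN_ROLES | set(extra_run_roles)
    if not grants.get(test["project"], set()) & run_roles:
        findings.append((test["project"],
                         "permission denied: cannot create, update or rerun the test"))

    host = test.get("host_project")
    if host:
        # Firewall and route configuration lives in the host project, even when
        # every tested resource sits in a single service project.
        if not can_read_network(grants, host):
            findings.append((host, "host project firewall and route configuration hidden"))
        service = test.get("service_project")
        if service is None:
            # Host-only permissions and no service project ID: the page says the
            # overall result is Unreachable with an unknown IP address message.
            if not any(can_read_network(grants, p) for p in grants if p != host):
                findings.append((host, "no service project ID supplied: result is "
                                       "Unreachable (unknown IP address)"))
        elif not can_read_network(grants, service):
            findings.append((service, "VM configuration hidden; overall result still shown"))

    for peer in test.get("peered_projects", []):
        # Without read access to the peer project the trace only reports that the
        # packet was sent to a VPC Network Peering network.
        if not can_read_network(grants, peer):
            findings.append((peer, "trace stops at 'sent to VPC Network Peering network'"))
    return findings


if __name__ == "__main__":
    # A user in service project svc-a tests two VMs that both live in svc-a,
    # but has no role in the Shared VPC host project.
    grants = {"svc-a": {"roles/networkmanagement.admin", "roles/compute.networkViewer"}}
    test = {"project": "svc-a", "host_project": "shared-host", "service_project": "svc-a"}
    for project, finding in precheck(test, grants) or [("-", "all configurations readable")]:
        print(f"{project}: {finding}")
```

The demo reproduces the case the Shared VPC section warns about: the user can create and run the test, and can read the VMs, but the firewall and route configuration in the host project stays hidden until compute.networkViewer is granted there as well.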

What's next