Cloud Fleet Routing service is under specific service terms. See Service specific terms.

Cloud Optimization IAM Roles

Cloud Optimization API uses Identity and Access Management (IAM) to manage access to resources. To grant access to a resource, assign one or more roles to a user, group, or service account.

There are different types of IAM roles that can be used in Cloud Optimization:

  • Predefined roles allow you to grant a set of related permissions to your Cloud Optimization resources at the project level.

  • Basic roles (Owner, Editor, and Viewer) provide access control to your Cloud Optimization resources at the project level, and are common to all Google Cloud services.

  • Custom roles enable you to choose a specific set of permissions, create your own role with those permissions, and grant the role to users in your organization.

To add, update, or remove these roles in your Cloud Optimization project, see the documentation on granting, changing, and revoking access.

Predefined roles for Cloud Optimization

Role Permissions

Cloud Optimization AI Admin
(roles/cloudoptimization.admin)

Administrator of Cloud Optimization AI resources.

  • cloudoptimization.*

Cloud Optimization AI Editor
(roles/cloudoptimization.editor)

Editor of Cloud Optimization AI resources.

  • cloudoptimization.operations.create
  • cloudoptimization.operations.get

Cloud Optimization AI Viewer
(roles/cloudoptimization.viewer)

Viewer of Cloud Optimization AI resources.

  • cloudoptimization.operations.get

Basic roles

The older Google Cloud basic roles are common to all Google Cloud services. These roles are Owner, Editor, and Viewer.

The basic roles provide permissions across Google Cloud, not just for Cloud Optimization. For this reason, you should use Cloud Optimization roles whenever possible.

Custom roles

If the predefined IAM roles for Cloud Optimization don't meet your needs, you can define custom roles. Custom roles enable you to choose a specific set of permissions, create your own role with those permissions, and grant the role to users in your organization. For more information, see Understanding IAM custom roles.

About service accounts and service agents

Service accounts

A service account is a special kind of account used by an application or a virtual machine (VM) instance, not a person. You can create and assign permissions to service accounts to provide specific permissions to a resource or application.

Service accounts are identified by an email address.

Service agents

Service agents are Google-managed service accounts that are automatically provided; they enable a service to access resources on your behalf. Cloud Optimization uses these service agents:

Name Used for Email address
Cloud Optimization Service Agent Cloud Optimization API functionality service-PROJECT_NUMBER@gcp-sa-cloudoptim.iam.gserviceaccount.com

When created, each service agent is granted one of the following predefined roles for your project. Each service agent is granted the role that matches its name.

Role Title Description Permissions
roles/cloudoptimization.serviceAgent Cloud Optimization Service Agent

Grants Cloud Optimization Service Account access to read and write data in the user project.

  • storage.buckets.get
  • storage.objects.create
  • storage.objects.delete
  • storage.objects.get
  • storage.objects.list
  • storage.objects.update

Grant access to Cloud Optimization to resources in your home project

To grant additional roles to a service agent for Cloud Optimization in your home project:

  1. Go to the IAM page of the Google Cloud console for your home project.

    Go to the IAM page

  2. Select the Include Google-provided role grants checkbox.

  3. Determine the service agent you want to grant the permissions to and click the pencil icon.

    You can filter for Principal:@gcp-sa-aiplatform-cc.iam.gserviceaccount.com to find the Cloud Optimization service agents.

  4. Grant the required roles to the service account and save your changes.