Cloud Optimization IAM Roles

Cloud Optimization API uses Identity and Access Management (IAM) to manage access to resources. To grant access to a resource, assign one or more roles to a user, group, or service account.

There are different types of IAM roles that can be used in Cloud Optimization:

  • Predefined roles allow you to grant a set of related permissions to your Cloud Optimization resources at the project level.

  • Basic roles (Owner, Editor, and Viewer) provide access control to your Cloud Optimization resources at the project level, and are common to all Google Cloud services.

  • Custom roles enable you to choose a specific set of permissions, create your own role with those permissions, and grant the role to users in your organization.

To add, update, or remove these roles in your Cloud Optimization project, see the documentation on granting, changing, and revoking access.

Predefined roles for Cloud Optimization

Role / Permissions

Cloud Optimization AI Admin
(roles/cloudoptimization.admin)

Administrator of Cloud Optimization AI resources.

  • cloudoptimization.*

Cloud Optimization AI Editor
(roles/cloudoptimization.editor)

Editor of Cloud Optimization AI resources.

  • cloudoptimization.operations.create
  • cloudoptimization.operations.get

Cloud Optimization AI Viewer
(roles/cloudoptimization.viewer)

Viewer of Cloud Optimization AI resources.

  • cloudoptimization.operations.get

Basic roles

The older Google Cloud basic roles are common to all Google Cloud services. These roles are Owner, Editor, and Viewer.

The basic roles provide permissions across Google Cloud, not just for Cloud Optimization. For this reason, you should use Cloud Optimization roles whenever possible.

Custom roles

If the predefined IAM roles for Cloud Optimization don't meet your needs, you can define custom roles. Custom roles enable you to choose a specific set of permissions, create your own role with those permissions, and grant the role to users in your organization. For more information, see Understanding IAM custom roles.
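The two recommendations above (prefer the Cloud Optimization roles over basic roles, and reach for a custom role only when no predefined role fits) can be checked mechanically against a project's IAM policy. The following is an added example, not code from this page or from Google; it works on a constructed policy document in the shape that `gcloud projects get-iam-policy PROJECT_ID --format=json` returns, and the mapping from each basic role to a Cloud Optimization role is an assumption made for the example, not something the page states.

```python
import fnmatch

# Predefined Cloud Optimization roles and their permissions, as listed on this page,
# in ascending order of privilege.
PREDEFINED_ROLES = {
    "roles/cloudoptimization.viewer": {"cloudoptimization.operations.get"},
    "roles/cloudoptimization.editor": {
        "cloudoptimization.operations.create",
        "cloudoptimization.operations.get",
    },
    "roles/cloudoptimization.admin": {"cloudoptimization.*"},
}

# Basic roles are project-wide and common to every service. The replacement suggested for
# each one is an assumption for this example (service-scoped role of comparable intent).
BASIC_ROLE_REPLACEMENTS = {
    "roles/viewer": "roles/cloudoptimization.viewer",
    "roles/editor": "roles/cloudoptimization.editor",
    "roles/owner": "roles/cloudoptimization.admin",
}


def find_basic_role_bindings(policy):
    """Return (member, basic_role, suggested_role) for every principal holding a basic role."""
    findings = []
    for binding in policy.get("bindings", []):
        role = binding.get("role")
        if role in BASIC_ROLE_REPLACEMENTS:
            for member in binding.get("members", []):
                findings.append((member, role, BASIC_ROLE_REPLACEMENTS[role]))
    return findings


def permission_covered(permission, granted):
    """True if `permission` matches any entry in `granted` (wildcards such as cloudoptimization.* allowed)."""
    return any(fnmatch.fnmatchcase(permission, pattern) for pattern in granted)


def smallest_predefined_role(permissions):
    """Return the least-privileged predefined role that covers every requested permission,
    or None when no predefined role fits and a custom role (or a different service's role) is needed."""
    for role, granted in PREDEFINED_ROLES.items():
        if all(permission_covered(p, granted) for p in permissions):
            return role
    return None


# Constructed sample policy (members and etag are made up for this example).
SAMPLE_POLICY = {
    "bindings": [
        {"role": "roles/editor", "members": ["user:alice@example.com"]},
        {"role": "roles/cloudoptimization.viewer", "members": ["group:optim-readers@example.com"]},
        {"role": "roles/owner", "members": ["user:bob@example.com"]},
    ],
    "etag": "BwXconstructed=",
    "version": 1,
}

if __name__ == "__main__":
    for member, role, suggestion in find_basic_role_bindings(SAMPLE_POLICY):
        print(f"{member} holds {role}; consider {suggestion} if Cloud Optimization is all they need")
    # A request for only operations.get needs no custom role: the viewer role already covers it.
    print(smallest_predefined_role({"cloudoptimization.operations.get"}))
```

Run `smallest_predefined_role` on the permission set you were about to put into a custom role: if it returns a predefined role, grant that instead; if it returns None, the set reaches outside `cloudoptimization.*` and a custom role is the right tool.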

About service accounts and service agents

Service accounts

A service account is a special kind of account used by an application or a virtual machine (VM) instance, not a person. You can create service accounts and assign permissions to them, giving a resource or application exactly the access it needs.

Service accounts are identified by an email address.

Service agents

Service agents are Google-managed service accounts that are automatically provided; they enable a service to access resources on your behalf. Cloud Optimization uses these service agents:

Name: Cloud Optimization Service Agent
Used for: Cloud Optimization API functionality
Email address: service-PROJECT_NUMBER@gcp-sa-cloudoptim.iam.gserviceaccount.com

When created, each service agent is granted one of the following predefined roles for your project. Each service agent is granted the role that matches its name.

Role / Permissions

Cloud Optimization Service Agent
(roles/cloudoptimization.serviceAgent)

Grants Cloud Optimization Service Account access to read and write data in the user project.

  • storage.buckets.get
  • storage.objects.create
  • storage.objects.delete
  • storage.objects.get
  • storage.objects.list
  • storage.objects.update

Grant Cloud Optimization access to resources in your home project

To grant additional roles to a service agent for Cloud Optimization in your home project:

  1. Go to the IAM page of the Google Cloud console for your home project.

  2. Select the Include Google-provided role grants checkbox.

  3. Determine the service agent you want to grant the permissions to and click the pencil icon.

    You can filter for Principal:@gcp-sa-aiplatform-cc.iam.gserviceaccount.com to find the Cloud Optimization service agents.

  4. Grant the required roles to the service account and save your changes.
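The console steps above are a read-modify-write on the project's IAM policy, and the same change can be reviewed before it is saved. The following is an added example, not code from this page or from Google: it builds the service agent principal from the email pattern in the service agents table, adds one extra role binding idempotently, and reports whether a Cloud Optimization service agent has ended up with a project-wide basic role. The project number, the policy contents and the `roles/storage.objectViewer` grant are constructed for the illustration; keeping the `etag` unchanged assumes the usual `get-iam-policy` / `set-iam-policy` pattern, where the etag lets the service reject a write based on a stale read.

```python
import copy
import re

# Service agent identity pattern from this page's service agents table:
# service-PROJECT_NUMBER@gcp-sa-cloudoptim.iam.gserviceaccount.com
SERVICE_AGENT_DOMAIN = "gcp-sa-cloudoptim.iam.gserviceaccount.com"
SERVICE_AGENT_ROLE = "roles/cloudoptimization.serviceAgent"
BASIC_ROLES = {"roles/owner", "roles/editor", "roles/viewer"}

_SERVICE_AGENT_RE = re.compile(
    r"^serviceAccount:service-(\d+)@" + re.escape(SERVICE_AGENT_DOMAIN) + r"$"
)


def service_agent_member(project_number):
    """IAM member string for the Cloud Optimization service agent of a project."""
    return f"serviceAccount:service-{int(project_number)}@{SERVICE_AGENT_DOMAIN}"


def is_service_agent(member):
    """True if `member` is a Cloud Optimization service agent (any project number)."""
    return _SERVICE_AGENT_RE.match(member) is not None


def add_binding(policy, member, role):
    """Return a copy of `policy` with `member` granted `role`.

    Idempotent: an existing unconditional binding for the role is reused, and a member
    already present is not duplicated. The etag is carried over unchanged so the caller
    can submit the result with set-iam-policy and have a stale read rejected.
    """
    new_policy = copy.deepcopy(policy)
    for binding in new_policy.setdefault("bindings", []):
        if binding.get("role") == role and "condition" not in binding:
            members = binding.setdefault("members", [])
            if member not in members:
                members.append(member)
            return new_policy
    new_policy["bindings"].append({"role": role, "members": [member]})
    return new_policy


def review_service_agent_grants(policy, project_number):
    """Check that this project's service agent still holds its own role, and list any
    Cloud Optimization service agent that holds a basic role (far more than it needs)."""
    expected = service_agent_member(project_number)
    holds_own_role = False
    basic_grants = []
    for binding in policy.get("bindings", []):
        role = binding.get("role")
        for member in binding.get("members", []):
            if not is_service_agent(member):
                continue
            if member == expected and role == SERVICE_AGENT_ROLE:
                holds_own_role = True
            if role in BASIC_ROLES:
                basic_grants.append((member, role))
    return {"holds_service_agent_role": holds_own_role, "basic_role_grants": basic_grants}


# Constructed sample: the project number and etag are placeholders, not real values.
PROJECT_NUMBER = 123456789012
SAMPLE_POLICY = {
    "bindings": [
        {"role": SERVICE_AGENT_ROLE, "members": [service_agent_member(PROJECT_NUMBER)]},
    ],
    "etag": "BwXconstructed=",
    "version": 1,
}

if __name__ == "__main__":
    member = service_agent_member(PROJECT_NUMBER)
    # Step 4 as a policy edit: grant one specific extra role, then review before saving.
    updated = add_binding(SAMPLE_POLICY, member, "roles/storage.objectViewer")
    print(review_service_agent_grants(updated, PROJECT_NUMBER))
```

Filtering the policy with `is_service_agent` is the programmatic counterpart of the principal filter in step 3: it picks out the service agent by its email domain, so a typo in the project number shows up as `holds_service_agent_role: False` rather than as a silent grant to the wrong principal.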