Access control (IAM)

Google Cloud offers Identity and Access Management (IAM), which lets you give granular access to specific Google Cloud resources and prevents unwanted access to other resources. This page describes the IAM roles for reCAPTCHA Enterprise.

To learn how to assign IAM roles to a user or service account, read Managing policies in the IAM documentation.

Permissions and roles

This section summarizes the permissions and roles reCAPTCHA Enterprise supports.

API permissions

The following table lists the permissions that the caller must have to call each method in the reCAPTCHA Enterprise API,

Method (REST/RPC) Required Permission(s) For resource type
recaptchaenterprise.assessments.annotate / AnnotateAssessmentRequest recaptchaenterprise.assessments.annotate project
recaptchaenterprise.assessments.create / CreateAssessmentRequest recaptchaenterprise.assessments.create project
recaptchaenterprise.keys.create / CreateKeyRequest recaptchaenterprise.keys.create project
recaptchaenterprise.keys.delete / DeleteKeyRequest recaptchaenterprise.keys.delete project
recaptchaenterprise.keys.get / GetKeyRequest recaptchaenterprise.keys.get project
recaptchaenterprise.keys.list / ListKeysRequest recaptchaenterprise.keys.list project
recaptchaenterprise.keys.update / UpdateKeyRequest recaptchaenterprise.keys.update project


IAM roles include permissions and can be assigned to users, groups, and service accounts. The following roles include the listed permissions for reCAPTCHA Enterprise:

Role name reCAPTCHA Enterprise permissions Description
Cloud reCAPTCHA Enterprise Agent
Access to create and annotate reCAPTCHA Enterprise assessments.
Cloud reCAPTCHA Enterprise Viewer
Access to view reCAPTCHA Enterprise keys.
Cloud reCAPTCHA Enterprise Admin
Permissions in recaptchaenterprise.viewer, plus:
Access to view and modify reCAPTCHA Enterprise keys.

Custom roles

To create a custom role that includes reCAPTCHA Enterprise permissions, do the following:

  • For a role granting permissions only for the reCAPTCHA Enterprise API, choose from the permissions in the preceding section, API permissions.
  • For a role granting permissions for the reCAPTCHA Enterprise API and console, choose permission groups in the preceding section, Console permissions.
  • To grant the ability to create and annotate assessments, include the permission(s) in the role roles/recaptchaenterprise.agent in the section Roles.

For more information on custom roles, go to Creating and managing custom roles.