Access control for projects using IAM

Google Cloud offers Identity and Access Management (IAM), which lets you give more granular access to specific Google Cloud resources and prevents unwanted access to other resources. IAM lets you adopt the security principle of least privilege, so you grant only the necessary access to your resources.

IAM lets you control who (users) has what access (roles) to which resources by setting IAM policies, which grant specific roles that contain certain permissions.

This page explains the IAM permissions and roles that you can use to manage access to projects. For a detailed description of IAM, read the IAM documentation. In particular, see Granting, changing, and revoking access.

Permissions and roles

To control access to resources, Google Cloud requires that accounts making API requests have appropriate IAM roles. IAM roles include permissions that allow users to perform specific actions on Google Cloud resources. For example, the resourcemanager.organizations.list permission allows a user to list the organizations they own, while resourcemanager.projects.delete allows a user to delete a project.

You don't directly give users permissions; instead, you grant them roles, which have one or more permissions bundled within them. You grant these roles on a particular resource, but they also apply to all of that resource's descendants in the resource hierarchy.

Permissions

To manage projects, the caller must have a role that includes the following permissions. The role is granted on the organization or folder that contains the projects:

Method Required permission(s)
resourcemanager.projects.create resourcemanager.projects.create
resourcemanager.projects.delete resourcemanager.projects.delete
resourcemanager.projects.get resourcemanager.projects.get
    Note: granting this permission also grants access to retrieve the name of the billing account associated with the project through the Billing API method billing.projects.getBillingInfo.
resourcemanager.projects.getIamPolicy resourcemanager.projects.getIamPolicy
resourcemanager.projects.list resourcemanager.projects.list
resourcemanager.projects.search resourcemanager.projects.search
resourcemanager.projects.setIamPolicy resourcemanager.projects.setIamPolicy
resourcemanager.projects.testIamPermissions Does not require any permission.
resourcemanager.projects.undelete resourcemanager.projects.undelete
resourcemanager.projects.patch Updating a project's metadata requires the resourcemanager.projects.update permission. Updating a project's parent to move the project into an organization requires the resourcemanager.projects.create permission on the organization.
projects.move projects.move

Using predefined roles

IAM predefined roles allow you to carefully manage the set of permissions that your users have access to. For a full list of the roles that can be granted at the project level, see Understanding Roles.

The following table lists the predefined roles that you can use to grant access to a project. Each role includes a description of what the role does, and the permissions included in that role.

Role Role name Description Permissions
roles/resourcemanager.projectCreator Project Creator

Provides access to create new projects. Once a user creates a project, they're automatically granted the owner role for that project.

  • resourcemanager.organizations.get
  • resourcemanager.projects.create
roles/resourcemanager.projectDeleter Project Deleter

Provides access to delete Google Cloud projects.

  • resourcemanager.projects.delete
roles/resourcemanager.projectMover Project Mover

Provides access to update and move projects.

  • resourcemanager.projects.get
  • resourcemanager.projects.move
  • resourcemanager.projects.update
roles/resourcemanager.projectIamAdmin Project IAM Admin

Provides permissions to administer IAM policies on projects.

  • resourcemanager.projects.get
  • resourcemanager.projects.getIamPolicy
  • resourcemanager.projects.setIamPolicy
roles/browser Browser

Read access to browse the hierarchy for a project, including the folder, organization, and IAM policy. This role doesn't include permission to view resources in the project.

  • resourcemanager.folders.get
  • resourcemanager.folders.list
  • resourcemanager.organizations.get
  • resourcemanager.projects.get
  • resourcemanager.projects.getIamPolicy
  • resourcemanager.projects.list

Basic roles

Avoid using basic roles except when absolutely necessary. These roles are very powerful, and include a large number of permissions across all Google Cloud services. For more details on when you should use basic roles, see the Identity and Access Management FAQ.

Role Description Permissions
roles/owner Full access to all resources. All permissions for all resources.
roles/editor Edit access to all resources. Create and update access for all resources.
roles/viewer Read access to all resources. Get and list access for all resources.
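The two cautions in the tables above, that basic roles are too broad and that roles carrying setIamPolicy let the holder grant everything else, are easy to turn into a routine check over an exported policy. The following is an added example, not Google's code: it reads a policy in the JSON shape that `gcloud projects get-iam-policy PROJECT_ID --format=json` returns and reports basic roles, public principals, and every principal who can rewrite the policy through roles/owner or roles/resourcemanager.projectIamAdmin. The policy document and the member names are constructed for the example.

```python
"""Audit a project IAM policy for the risks this page calls out (added example)."""
import json

# Constructed sample policy, not from a real project; members are placeholders.
# Shape: what `gcloud projects get-iam-policy PROJECT_ID --format=json` prints.
SAMPLE_POLICY_JSON = """
{
  "bindings": [
    {"role": "roles/owner",
     "members": ["user:alice@example.com"]},
    {"role": "roles/editor",
     "members": ["serviceAccount:ci@example-project.iam.gserviceaccount.com"]},
    {"role": "roles/resourcemanager.projectIamAdmin",
     "members": ["group:platform-admins@example.com"]},
    {"role": "roles/viewer",
     "members": ["allAuthenticatedUsers"]},
    {"role": "roles/browser",
     "members": ["user:bob@example.com"]}
  ],
  "etag": "BwXexampleEtag=",
  "version": 1
}
"""

# Basic roles: avoid except when absolutely necessary.
BASIC_ROLES = {"roles/owner", "roles/editor", "roles/viewer"}
# Roles from this page that carry resourcemanager.projects.setIamPolicy
# (roles/owner has every permission); holders can grant any other permission.
IAM_ADMIN_ROLES = {"roles/owner", "roles/resourcemanager.projectIamAdmin"}
# Principals that mean "everyone" or "every Google account".
PUBLIC_MEMBERS = {"allUsers", "allAuthenticatedUsers"}


def load_policy(text):
    """Parse the exported JSON policy into a dict."""
    return json.loads(text)


def audit_policy(policy):
    """Return (severity, role, member, reason) tuples, one per issue found."""
    findings = []
    for binding in policy.get("bindings", []):
        role = binding["role"]
        for member in binding.get("members", []):
            if member in PUBLIC_MEMBERS:
                findings.append(("HIGH", role, member,
                                 "role granted to a public principal"))
            if role in IAM_ADMIN_ROLES:
                findings.append(("HIGH", role, member,
                                 "holds setIamPolicy and can grant any other permission"))
            if role in BASIC_ROLES:
                findings.append(("MEDIUM", role, member,
                                 "basic role; prefer a predefined or custom role"))
    return findings


def members_who_can_set_iam_policy(policy):
    """Sorted list of principals able to rewrite the project's IAM policy."""
    members = set()
    for binding in policy.get("bindings", []):
        if binding["role"] in IAM_ADMIN_ROLES:
            members.update(binding.get("members", []))
    return sorted(members)


def summarize(findings):
    """Count findings per severity, e.g. {'HIGH': 3, 'MEDIUM': 3}."""
    counts = {}
    for severity, *_ in findings:
        counts[severity] = counts.get(severity, 0) + 1
    return counts


if __name__ == "__main__":
    policy = load_policy(SAMPLE_POLICY_JSON)
    for severity, role, member, reason in audit_policy(policy):
        print(f"[{severity}] {role} -> {member}: {reason}")
    print("Can set IAM policy:", members_who_can_set_iam_policy(policy))
    print(summarize(audit_policy(policy)))
```

Running it against a real export is a matter of piping the gcloud output into `load_policy`; roles/browser produces no finding because it grants only read access to the hierarchy, which is exactly the kind of narrow predefined role the page recommends over the basic ones.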

Creating Custom Roles

In addition to the predefined roles described in this topic, you can also create Custom Roles that are collections of permissions that you tailor to your needs. When creating a Custom Role for use with Resource Manager, be aware of the following points:
  • List and get permissions, such as resourcemanager.projects.get/list, should always be granted as a pair.
  • When your Custom Role includes the folders.list and folders.get permissions, it should also include projects.list and projects.get.
  • Be aware that the setIamPolicy permission for organizations, folders, and projects allows the holder to grant themselves or anyone else every other permission on that resource, so it should be assigned with care.
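The three points above can be enforced before a custom role is created rather than discovered afterwards. The following is an added example, not Google's tooling: it lints a permission list shaped like the includedPermissions entry of the YAML file given to `gcloud iam roles create ROLE_ID --file=role.yaml`, reports unpaired get/list permissions, folder get/list without project get/list, and any setIamPolicy, and can fill in the missing pairs. The sample role is constructed for the example.

```python
"""Lint a custom role's permission list against the guidance above (added example)."""
import re

# Constructed custom role: has folders.get/list but lacks projects.list,
# and carries setIamPolicy on the organization.
SAMPLE_ROLE = {
    "title": "Hierarchy Reader (constructed example)",
    "includedPermissions": [
        "resourcemanager.folders.get",
        "resourcemanager.folders.list",
        "resourcemanager.projects.get",
        "resourcemanager.organizations.setIamPolicy",
    ],
}

# get/list permissions that the page says must be granted as a pair.
GET_LIST_RE = re.compile(r"^(resourcemanager\.\w+)\.(get|list)$")
SET_IAM_POLICY_RE = re.compile(
    r"^resourcemanager\.(organizations|folders|projects)\.setIamPolicy$")
FOLDER_PAIR = {"resourcemanager.folders.get", "resourcemanager.folders.list"}
PROJECT_PAIR = ("resourcemanager.projects.get", "resourcemanager.projects.list")


def _partner(permission):
    """For a get/list permission return the other half of the pair, else None."""
    m = GET_LIST_RE.match(permission)
    if not m:
        return None
    prefix, verb = m.groups()
    return f"{prefix}.{'list' if verb == 'get' else 'get'}"


def lint_custom_role(permissions):
    """Return human-readable problems; an empty list means the role is clean."""
    perms = set(permissions)
    problems = []
    # Point 1: get and list on the same resource type travel together.
    for p in sorted(perms):
        partner = _partner(p)
        if partner and partner not in perms:
            problems.append(f"{p} is granted without its pair {partner}")
    # Point 2: folders.get/list must be accompanied by projects.get/list.
    if FOLDER_PAIR <= perms:
        for p in PROJECT_PAIR:
            if p not in perms:
                problems.append(f"folders.get/list present but {p} is missing")
    # Point 3: setIamPolicy is effectively full control of the resource.
    for p in sorted(perms):
        if SET_IAM_POLICY_RE.match(p):
            problems.append(
                f"{p} lets the holder grant every other permission; assign with care")
    return problems


def complete_pairs(permissions):
    """Return a sorted permission list with the missing get/list pairs added
    (points 1 and 2). setIamPolicy is left for a human to decide."""
    perms = set(permissions)
    for p in list(perms):
        partner = _partner(p)
        if partner:
            perms.add(partner)
    if FOLDER_PAIR <= perms:
        perms.update(PROJECT_PAIR)
    return sorted(perms)


if __name__ == "__main__":
    for problem in lint_custom_role(SAMPLE_ROLE["includedPermissions"]):
        print("-", problem)
    print("completed:", complete_pairs(SAMPLE_ROLE["includedPermissions"]))
```

After `complete_pairs` the only remaining finding is the setIamPolicy warning, which is deliberately not auto-resolved: whether a role may carry that permission is a decision, not a lint fix.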

Access control at the project level

You can grant roles to users at the project level using the Google Cloud Console, the Resource Manager API, and the gcloud command-line tool. For instructions, see Granting, Changing, and Revoking Access to Project Members.
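Granting and revoking at the project level is a read-modify-write of the policy document: export it, edit the bindings, write it back. The following is an added example, not Google's code, operating on the dict shape returned by `gcloud projects get-iam-policy PROJECT_ID --format=json`; the edited policy would be written back with `gcloud projects set-iam-policy PROJECT_ID policy.json`, which carries the etag so a write based on a stale read is rejected. The refusal to remove the last roles/owner is this example's own guard against locking everyone out, not a platform rule; the starting policy and member names are constructed.

```python
"""Add or remove a project-level binding without clobbering the policy (added example)."""
import copy

# Constructed starting policy; member names are placeholders.
SAMPLE_POLICY = {
    "bindings": [
        {"role": "roles/owner", "members": ["user:creator@example.com"]},
        {"role": "roles/browser", "members": ["user:auditor@example.com"]},
    ],
    "etag": "BwXexampleEtag=",
    "version": 1,
}


def add_member(policy, role, member):
    """Return a copy of policy with member added to role (idempotent).

    The etag is kept unchanged so set-iam-policy can detect a stale read.
    """
    new = copy.deepcopy(policy)
    bindings = new.setdefault("bindings", [])
    for binding in bindings:
        # Only merge into an unconditional binding for this role.
        if binding["role"] == role and "condition" not in binding:
            if member not in binding["members"]:
                binding["members"].append(member)
            return new
    bindings.append({"role": role, "members": [member]})
    return new


def remove_member(policy, role, member):
    """Return a copy with member removed from role.

    Empty bindings are dropped, and removing the last roles/owner is refused
    (this guard is the example's choice, to avoid orphaning the project).
    """
    new = copy.deepcopy(policy)
    kept = []
    for binding in new.get("bindings", []):
        if binding["role"] == role:
            binding["members"] = [m for m in binding["members"] if m != member]
            if role == "roles/owner" and not binding["members"]:
                raise ValueError("refusing to remove the last owner of the project")
        if binding["members"]:
            kept.append(binding)
    new["bindings"] = kept
    return new


def members_of(policy, role):
    """Sorted principals holding role through unconditional bindings."""
    out = set()
    for binding in policy.get("bindings", []):
        if binding["role"] == role and "condition" not in binding:
            out.update(binding["members"])
    return sorted(out)


if __name__ == "__main__":
    updated = add_member(SAMPLE_POLICY, "roles/resourcemanager.projectIamAdmin",
                         "group:iam-admins@example.com")
    updated = remove_member(updated, "roles/browser", "user:auditor@example.com")
    for binding in updated["bindings"]:
        print(binding["role"], binding["members"])
```

Prefer the narrow predefined roles from the tables above (here roles/resourcemanager.projectIamAdmin for a group that only manages policy) over roles/editor or roles/owner when adding a binding, and inspect the result with `members_of` before writing it back.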

Default roles

When you create a project, you are granted the roles/owner role for the project, which gives you full control as its creator. This default grant can be changed like any other binding in the project's IAM policy.

VPC Service Controls

VPC Service Controls can provide additional security when using the Resource Manager API. To learn more about VPC Service Controls, see the VPC Service Controls overview.

To learn about the current limitations in using Resource Manager with VPC Service Controls, see the supported products and limitations page.