This page describes the Identity and Access Management (IAM) roles for Parameter Manager users. Each IAM role has associated permissions. These permissions define the level of access that the member receives for resources. Grant the minimum set of permissions that are required to perform a given task.
You can control access to parameters by granting permissions at either the project level for broad access or at the individual resource level for granular control. These permissions allow users or service accounts to create, manage, list, or access parameters. You can't grant IAM roles at a version level.
To learn how to assign IAM roles to a user or service account, read Granting, changing, and revoking access to resources in the IAM documentation.
Roles and permissions
The following table lists the necessary IAM roles and their permissions for Parameter Manager:
Role Name | Role Description | Permissions |
---|---|---|
Parameter Manager Admin (roles/parametermanager.admin) | Full access to all Parameter Manager resources. | resourcemanager.projects.get, resourcemanager.projects.list, parametermanager.* |
Parameter Manager Parameter Accessor (roles/parametermanager.parameterAccessor) | Read access to parameter versions. | resourcemanager.projects.get, resourcemanager.projects.list, parametermanager.parameterversions.render |
Parameter Manager Parameter Version Adder (roles/parametermanager.parameterVersionAdder) | Create access to parameter versions. | resourcemanager.projects.get, resourcemanager.projects.list, parametermanager.parameters.get, parametermanager.parameters.list, parametermanager.parameterversions.create |
Parameter Manager Parameter Version Manager (roles/parametermanager.parameterVersionManager) | Read and write access to parameter versions. Lets users view parameters, and create, update, and delete parameter versions. | resourcemanager.projects.get, resourcemanager.projects.list, parametermanager.parameters.get, parametermanager.parameters.list, parametermanager.parameterversions.get, parametermanager.parameterversions.list, parametermanager.parameterversions.create, parametermanager.parameterversions.update, parametermanager.parameterversions.delete |
Parameter Manager Parameter Viewer (roles/parametermanager.parameterViewer) | Read access to parameters and parameter versions. | resourcemanager.projects.get, resourcemanager.projects.list, parametermanager.parameters.get, parametermanager.parameters.list, parametermanager.parameterversions.get, parametermanager.parameterversions.list |
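The following Python script is an added example, not part of the Parameter Manager documentation. It uses the role table above to find the narrowest predefined role (or combination of roles) that covers a set of required permissions, and flags members of an IAM policy who hold a broader grant. The sample policy, the member names, the `needs` mapping, and the choice to measure breadth by the number of listed permissions are assumptions of this example.

```python
from fnmatch import fnmatchcase
from itertools import combinations

BASE = {"resourcemanager.projects.get", "resourcemanager.projects.list"}
PM, R = "parametermanager.", "roles/parametermanager."
VIEW = {PM + "parameters.get", PM + "parameters.list",
        PM + "parameterversions.get", PM + "parameterversions.list"}
# Role -> permissions, transcribed from the table on this page.
ROLES = {
    R + "admin": BASE | {PM + "*"},
    R + "parameterAccessor": BASE | {PM + "parameterversions.render"},
    R + "parameterVersionAdder": BASE | {
        PM + "parameters.get", PM + "parameters.list", PM + "parameterversions.create"},
    R + "parameterVersionManager": BASE | VIEW | {
        PM + "parameterversions." + verb for verb in ("create", "update", "delete")},
    R + "parameterViewer": BASE | VIEW,
}

def granted(roles):
    """Union of the permission patterns carried by the given roles."""
    return set().union(*(ROLES[r] for r in roles))

def cost(roles):
    """Breadth of a grant; a wildcard is open-ended, so it ranks as broadest."""
    pats = granted(roles)
    return float("inf") if any("*" in p for p in pats) else len(pats)

def least_privileged(needed):
    """Narrowest set of predefined roles covering `needed`; None if none does."""
    ok = [c for k in range(len(ROLES) + 1) for c in combinations(sorted(ROLES), k)
          if all(any(fnmatchcase(n, p) for p in granted(c)) for n in needed)]
    return min(ok, key=lambda c: (cost(c), len(c)), default=None)

def audit(policy, needs):
    """(member, held, suggested) for each member holding more than `needs` requires."""
    held = {}
    for b in policy.get("bindings", []):
        for m in b["members"] if b["role"] in ROLES else []:
            held.setdefault(m, set()).add(b["role"])
    plan = {m: least_privileged(needs.get(m, set())) for m in held}
    return [(m, sorted(held[m]), list(plan[m])) for m in sorted(held)
            if plan[m] is not None and cost(held[m]) > cost(plan[m])]

# Constructed sample in the shape of `gcloud projects get-iam-policy --format=json`.
APP = "serviceAccount:app@example-project.iam.gserviceaccount.com"
POLICY = {"bindings": [{"role": R + "admin", "members": [APP]},
                       {"role": R + "parameterViewer", "members": ["user:auditor@example.com"]}]}
NEEDS = {APP: {PM + "parameterversions.render"},
         "user:auditor@example.com": {PM + "parameterversions.list"}}
if __name__ == "__main__": print(audit(POLICY, NEEDS))
```

No single non-admin role in the table carries both parameterversions.get and parameterversions.render, so a workload that needs both is matched to Parameter Accessor plus Parameter Viewer rather than to Admin.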
Resources with built-in identities
Some types of IAM resources have built-in identities. Resources with built-in identities can do the following:
- Be granted IAM roles using the resource's principal identifier
- Access other resources without using service agents
The following IAM resource types have built-in identities:
Resource type | Resource principal identifier |
---|---|
Parameters | principal://parametermanager.googleapis.com/projects/PROJECT_NUMBER/uid/locations/global/parameters/PARAMETER_UID |