Roles and permissions

Google Cloud offers Identity and Access Management (IAM) to let you provide more granular access to specific Google Cloud resources and prevent access to other resources. This page describes the roles and permissions for Service Extensions.

IAM lets you adopt the security principle of least privilege so that you need to grant only the necessary access to your resources.

Roles are collections of IAM permissions. To make permissions available to principals, including users, groups, and service accounts, you grant roles to the principals. You can control who has what permissions to which resources by setting IAM policies. IAM policies grant specific roles to principals, thereby giving them certain permissions.

For detailed information about IAM roles, see Roles and permissions.

Predefined roles and permissions for Service Extensions

Service Extensions supports IAM permissions at the project level.

The following table lists Service Extensions IAM roles and the permissions that each role includes.

Roles Permissions

Service Extensions Admin

(roles/networkservices.serviceExtensionsAdmin)

For plugins:
networkservices.wasmPlugins.get
networkservices.wasmPlugins.list
networkservices.wasmPlugins.create
networkservices.wasmPlugins.update
networkservices.wasmPlugins.delete
networkservices.wasmPlugins.use
networkservices.wasmActions.get
networkservices.wasmActions.list
networkservices.wasmActions.create
networkservices.wasmActions.delete
networkservices.wasmPluginVersions.get
networkservices.wasmPluginVersions.list
networkservices.wasmPluginVersons.create
networkservices.wasmPluginVersions.delete

For callouts:
networkservices.authzExtensions.create
networkservices.authzExtensions.delete
networkservices.authzExtensions.get
networkservices.authzExtensions.list
networkservices.authzExtensions.update
networkservices.authzExtensions.use
networkservices.lbRouteExtensions.create
networkservices.lbRouteExtensions.delete
networkservices.lbRouteExtensions.get
networkservices.lbRouteExtensions.list
networkservices.lbRouteExtensions.update
networkservices.lbTrafficExtensions.create
networkservices.lbTrafficExtensions.delete
networkservices.lbTrafficExtensions.get
networkservices.lbTrafficExtensions.list
networkservices.lbTrafficExtensions.update

Service Extensions Viewer

(roles/networkservices.serviceExtensionsViewer)

For plugins:
networkservices.wasmPlugins.get
networkservices.wasmPlugins.list
networkservices.wasmActions.get
networkservices.wasmActions.list
networkservices.wasmPluginVersions.get
networkservices.wasmPluginVersions.list

For callouts:
networkservices.authzExtensions.get
networkservices.authzExtensions.list
networkservices.lbRouteExtensions.get
networkservices.lbRouteExtensions.list
networkservices.lbTrafficExtensions.get
networkservices.lbTrafficExtensions.list

Ensure that you have the required permissions for the other Google Cloud products that you use with Service Extensions.

Manage access control

To set access controls at the project level, follow these steps:

  1. In the Google Cloud console, go to the IAM page.

    Go to IAM

  2. Select your project.

  3. Click Add.

  4. In New principals, enter the email address of a new principal.

  5. Select the required role.

  6. Click Save.

  7. Verify that the principal is listed with the role that you granted.

Identify the permissions in a role

To determine whether one or more permissions are included in a role, you can use one of the following methods:

What's next