Permissions required to install Anthos Service Mesh

The following table describes the roles that are required to install Anthos Service Mesh.

| Role name | Role ID | Description |
| --- | --- | --- |
| GKE Hub Admin | `roles/gkehub.admin` | Full access to GKE Hubs and related resources. |
| Kubernetes Engine Admin | `roles/container.admin` | Provides access to full management of Container Clusters and their Kubernetes API objects. |
| Mesh Config Admin | `roles/meshconfig.admin` | Provides permissions required to initialize managed components of Anthos Service Mesh, such as the Google-managed control plane and the backend permission that allows workloads to talk to Stackdriver without each being individually authorized (for both Google-managed and in-cluster control planes). |
| Project IAM Admin | `roles/resourcemanager.projectIamAdmin` | Provides permissions to administer IAM policies on projects. |
| Service Account Admin | `roles/iam.serviceAccountAdmin` | Authenticate as a service account. |
| Service Management Admin | `roles/servicemanagement.admin` | Full control of Google Service Management resources. |
| Service Usage Admin | `roles/serviceusage.serviceUsageAdmin` | Ability to enable, disable, and inspect service states, inspect operations, and consume quota and billing for a consumer project. |
| CA Service Admin (Beta) | `roles/privateca.admin` | Full access to all Certificate Authority Service resources. |
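Before installing, it helps to confirm which of the roles in the table the installing principal actually holds. The following is an added example, not part of the original page or of Google's tooling: it audits a project IAM policy in the JSON shape returned by `gcloud projects get-iam-policy PROJECT_ID --format=json`. The function name, the member `user:installer@example.com` and the sample policy are constructed for illustration.

```python
# Role IDs copied from the table on this page.
REQUIRED_ROLES = {
    "roles/gkehub.admin",
    "roles/container.admin",
    "roles/meshconfig.admin",
    "roles/resourcemanager.projectIamAdmin",
    "roles/iam.serviceAccountAdmin",
    "roles/servicemanagement.admin",
    "roles/serviceusage.serviceUsageAdmin",
    "roles/privateca.admin",
}

def audit_installer(policy: dict, member: str) -> dict:
    """Classify each required role for `member` as granted, conditional or missing.

    Only direct project-level bindings are inspected. Roles inherited from a
    folder or organization, or held through group membership, are not resolved.
    """
    granted, conditional = set(), set()
    for binding in policy.get("bindings", []):
        role = binding.get("role")
        if role not in REQUIRED_ROLES or member not in binding.get("members", []):
            continue
        # A conditional binding applies only while its condition holds, so it
        # is reported separately instead of being counted as granted.
        (conditional if binding.get("condition") else granted).add(role)
    conditional -= granted
    missing = REQUIRED_ROLES - granted - conditional
    return {"granted": sorted(granted),
            "conditional": sorted(conditional),
            "missing": sorted(missing)}

# Constructed sample policy (hypothetical members, not from a real project).
SAMPLE_POLICY = {"version": 3, "bindings": [
    {"role": "roles/gkehub.admin", "members": ["user:installer@example.com"]},
    {"role": "roles/container.admin",
     "members": ["user:installer@example.com", "user:ops@example.com"]},
    {"role": "roles/meshconfig.admin", "members": ["user:installer@example.com"]},
    {"role": "roles/resourcemanager.projectIamAdmin",
     "members": ["user:installer@example.com"],
     "condition": {"title": "install-window",
                   "expression": "request.time < timestamp('2030-01-01T00:00:00Z')"}},
    {"role": "roles/serviceusage.serviceUsageAdmin", "members": ["user:ops@example.com"]},
]}

if __name__ == "__main__":
    for state, roles in audit_installer(SAMPLE_POLICY, "user:installer@example.com").items():
        print(f"{state}: {roles}")
```

Running the same audit again after installation shows which of these admin roles are still bound and can be removed from the installing principal.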
