You can configure access control at the project level and at the queue level.
For example, you might grant a user permission to create and add tasks to a
queue, but not delete the queue. Or you might grant access to all
Cloud Tasks resources within a project to a group of users. For
more information, see
Secure queue configuration.
Every Cloud Tasks method requires the caller to have the necessary
permissions. This page describes the permissions and roles that
Cloud Tasks supports. Permissions are also checked when
queue.yaml or queue.xml
is updated or when the Google Cloud console is used.
Enable the Cloud Tasks API
To view and assign IAM roles for Cloud Tasks,
you must enable the Cloud Tasks API for your project. You won't be able
to see the Cloud Tasks roles in the Google Cloud console
until you enable the API.
Console
Enable the Cloud Tasks API.
Roles required to enable APIs
To enable APIs, you need the Service Usage Admin IAM
role (roles/serviceusage.serviceUsageAdmin), which
contains the serviceusage.services.enable permission. Learn how to grant
roles.
To enable APIs, you need the Service Usage Admin IAM
role (roles/serviceusage.serviceUsageAdmin), which contains the
serviceusage.services.enable permission. Learn how to grant
roles.
gcloudservicesenablecloudtasks.googleapis.com
Predefined roles
The following table lists the Cloud Tasks predefined
IAM roles and their corresponding permissions.
The predefined roles address most typical use cases. If your use case isn't
covered by the predefined roles, you can
create an IAM custom role.
Role
Permissions
Cloud Tasks Admin
Beta
(roles/cloudtasks.admin)
Full access to queues and tasks.
cloudtasks.*
cloudtasks.cmekConfig.get
cloudtasks.cmekConfig.update
cloudtasks.locations.get
cloudtasks.locations.list
cloudtasks.queues.create
cloudtasks.queues.delete
cloudtasks.queues.get
cloudtasks.queues.getIamPolicy
cloudtasks.queues.list
cloudtasks.queues.pause
cloudtasks.queues.purge
cloudtasks.queues.resume
cloudtasks.queues.setIamPolicy
cloudtasks.queues.update
cloudtasks.tasks.create
cloudtasks.tasks.delete
cloudtasks.tasks.fullView
cloudtasks.tasks.get
cloudtasks.tasks.list
cloudtasks.tasks.run
monitoring.timeSeries.list
resourcemanager.projects.get
resourcemanager.projects.list
Cloud Tasks Enqueuer
Beta
(roles/cloudtasks.enqueuer)
Access to create tasks.
cloudtasks.tasks.create
cloudtasks.tasks.fullView
resourcemanager.projects.get
resourcemanager.projects.list
Cloud Tasks Queue Admin
Beta
(roles/cloudtasks.queueAdmin)
Admin access to queues.
cloudtasks.locations.*
cloudtasks.locations.get
cloudtasks.locations.list
cloudtasks.queues.*
cloudtasks.queues.create
cloudtasks.queues.delete
cloudtasks.queues.get
cloudtasks.queues.getIamPolicy
cloudtasks.queues.list
cloudtasks.queues.pause
cloudtasks.queues.purge
cloudtasks.queues.resume
cloudtasks.queues.setIamPolicy
cloudtasks.queues.update
resourcemanager.projects.get
resourcemanager.projects.list
Cloud Tasks Service Agent
(roles/cloudtasks.serviceAgent)
Grants Cloud Tasks Service Account access to manage resources.
iam.serviceAccounts.getAccessToken
iam.serviceAccounts.getOpenIdToken
logging.logEntries.create
Cloud Tasks Task Deleter
Beta
(roles/cloudtasks.taskDeleter)
Access to delete tasks.
cloudtasks.tasks.delete
resourcemanager.projects.get
resourcemanager.projects.list
Cloud Tasks Task Runner
Beta
(roles/cloudtasks.taskRunner)
Access to run tasks.
cloudtasks.tasks.fullView
cloudtasks.tasks.run
resourcemanager.projects.get
resourcemanager.projects.list
Cloud Tasks Viewer
Beta
(roles/cloudtasks.viewer)
Get and list access to tasks, queues, and locations.
[[["Easy to understand","easyToUnderstand","thumb-up"],["Solved my problem","solvedMyProblem","thumb-up"],["Other","otherUp","thumb-up"]],[["Hard to understand","hardToUnderstand","thumb-down"],["Incorrect information or sample code","incorrectInformationOrSampleCode","thumb-down"],["Missing the information/samples I need","missingTheInformationSamplesINeed","thumb-down"],["Other","otherDown","thumb-down"]],["Last updated 2025-09-15 UTC."],[],[],null,[]]
