Cloud Tasks uses Google Cloud Identity and Access Management (IAM) for access control.
Access control can be configured at the project level and at the queue level. For example: You can grant access with limited capabilities, like to create and add tasks to a queue, but not to delete the queue. Or you can grant access to all Cloud Tasks resources within a project to a group of developers.
For a detailed description of IAM and its features, see the Google Cloud Identity and Access Management documentation. In particular, see its Granting, Changing, and Revoking Access to Project Members section.
Every Cloud Tasks method requires the caller to have the necessary permissions.
See below for a list of the permissions and roles supported. The Cloud Tasks
IAM permissions are also checked when queue.yaml/xml is updated and or when the Cloud Console
is used.
Permissions
The following table lists the permissions that the caller must have to call each method:
| Method | Required Permission(s) |
|---|---|
| ListQueues | cloudtasks.queues.list on the specified project |
| GetQueue | cloudtasks.queues.get on the specified queue |
| CreateQueue | cloudtasks.queues.create on the specified queue |
| UpdateQueue | cloudtasks.queues.update on the specified queue |
| PurgeQueue | cloudtasks.queues.purge on the specified queue |
| DeleteQueue | cloudtasks.queues.delete on the specified queue |
| PauseQueue | cloudtasks.queues.pause on the specified queue |
| ResumeQueue | cloudtasks.queues.resume on the specified queue |
| GetIamPolicy | cloudtasks.queues.getIamPolicy on the specified queue |
| SetIamPolicy | cloudtasks.queues.setIamPolicy on the specified queue |
| ListTasks | cloudtasks.tasks.list on the specified queue |
| GetTask | cloudtasks.tasks.get on the specified queue |
| CreateTask | cloudtasks.tasks.create on the specified queue |
| DeleteTask | cloudtasks.tasks.delete on the specified queue |
| RunTask | cloudtasks.tasks.run on the specified task |
| ListLocations | cloudtasks.locations.list on the specified project |
| GetLocation | cloudtasks.locations.get on the specified project |
Roles
The following table lists the Cloud Tasks IAM roles with a corresponding list of all the permissions each role includes. Note that every permission is applicable to a particular resource type.
| Role | Includes permission(s): |
|---|---|
| roles/cloudtasks.admin | cloudtasks.locations.list cloudtasks.locations.get cloudtasks.queues.list cloudtasks.queues.get cloudtasks.queues.create cloudtasks.queues.update cloudtasks.queues.purge cloudtasks.queues.delete cloudtasks.queues.pause cloudtasks.queues.resume cloudtasks.queues.getIamPolicy cloudtasks.queues.setIamPolicy cloudtasks.tasks.list cloudtasks.tasks.get cloudtasks.tasks.create cloudtasks.tasks.delete cloudtasks.tasks.run cloudtasks.tasks.fullView resourcemanager.projects.get resourcemanager.projects.list |
| roles/cloudtasks.queueAdmin | cloudtasks.locations.list cloudtasks.locations.get cloudtasks.queues.list cloudtasks.queues.get cloudtasks.queues.create cloudtasks.queues.update cloudtasks.queues.purge cloudtasks.queues.delete cloudtasks.queues.pause cloudtasks.queues.resume cloudtasks.queues.getIamPolicy cloudtasks.queues.setIamPolicy resourcemanager.projects.get resourcemanager.projects.list |
| roles/cloudtasks.viewer | cloudtasks.locations.list cloudtasks.locations.get cloudtasks.queues.list cloudtasks.queues.get cloudtasks.tasks.list cloudtasks.tasks.get cloudtasks.tasks.fullView resourcemanager.projects.get resourcemanager.projects.list |
| roles/cloudtasks.enqueuer | cloudtasks.tasks.create cloudtasks.tasks.fullView resourcemanager.projects.get resourcemanager.projects.list |
| roles/cloudtasks.taskRunner | cloudtasks.tasks.run cloudtasks.tasks.fullView resourcemanager.projects.get resourcemanager.projects.list |
| roles/cloudtasks.taskDeleter | cloudtasks.tasks.delete resourcemanager.projects.get resourcemanager.projects.list |