Control access using IAM

Cloud Tasks uses Identity and Access Management (IAM) for access control.

Access control can be configured at the project level and at the queue level. For example: You can grant access with limited capabilities, like to create and add tasks to a queue, but not to delete the queue. Or you can grant access to all Cloud Tasks resources within a project to a group of developers.

For a detailed description of IAM and its features, see the IAM documentation. In particular, see its Manage access to projects, folders, and organizations section.

Every Cloud Tasks method requires the caller to have the necessary permissions. See below for a list of the permissions and roles supported. The Cloud Tasks IAM permissions are also checked when queue.yaml/xml is updated or when the Cloud console is used.

Permissions

The following table lists the permissions that the caller must have to call each method:

Method Required Permission(s)
ListQueues cloudtasks.queues.list on the specified project
GetQueue cloudtasks.queues.get on the specified queue
CreateQueue cloudtasks.queues.create on the specified queue
UpdateQueue cloudtasks.queues.update on the specified queue
PurgeQueue cloudtasks.queues.purge on the specified queue
DeleteQueue cloudtasks.queues.delete on the specified queue
PauseQueue cloudtasks.queues.pause on the specified queue
ResumeQueue cloudtasks.queues.resume on the specified queue
GetIamPolicy cloudtasks.queues.getIamPolicy on the specified queue
SetIamPolicy cloudtasks.queues.setIamPolicy on the specified queue
ListTasks cloudtasks.tasks.list on the specified queue
GetTask cloudtasks.tasks.get on the specified queue
CreateTask cloudtasks.tasks.create on the specified queue
DeleteTask cloudtasks.tasks.delete on the specified queue
RunTask cloudtasks.tasks.run on the specified task
ListLocations cloudtasks.locations.list on the specified project
GetLocation cloudtasks.locations.get on the specified project

Roles

The following table lists the Cloud Tasks IAM roles with a corresponding list of all the permissions each role includes. Note that every permission is applicable to a particular resource type.

Role Includes permission(s):
roles/cloudtasks.admin cloudtasks.locations.list
cloudtasks.locations.get

cloudtasks.queues.list
cloudtasks.queues.get
cloudtasks.queues.create
cloudtasks.queues.update
cloudtasks.queues.purge
cloudtasks.queues.delete
cloudtasks.queues.pause
cloudtasks.queues.resume
cloudtasks.queues.getIamPolicy
cloudtasks.queues.setIamPolicy

cloudtasks.tasks.list
cloudtasks.tasks.get
cloudtasks.tasks.create
cloudtasks.tasks.delete
cloudtasks.tasks.run
cloudtasks.tasks.fullView

resourcemanager.projects.get
resourcemanager.projects.list
roles/cloudtasks.queueAdmin cloudtasks.locations.list
cloudtasks.locations.get

cloudtasks.queues.list
cloudtasks.queues.get
cloudtasks.queues.create
cloudtasks.queues.update
cloudtasks.queues.purge
cloudtasks.queues.delete
cloudtasks.queues.pause
cloudtasks.queues.resume
cloudtasks.queues.getIamPolicy
cloudtasks.queues.setIamPolicy

resourcemanager.projects.get
resourcemanager.projects.list
roles/cloudtasks.viewer cloudtasks.locations.list
cloudtasks.locations.get

cloudtasks.queues.list
cloudtasks.queues.get

cloudtasks.tasks.list
cloudtasks.tasks.get
cloudtasks.tasks.fullView

resourcemanager.projects.get
resourcemanager.projects.list
roles/cloudtasks.enqueuer cloudtasks.tasks.create
cloudtasks.tasks.fullView

resourcemanager.projects.get
resourcemanager.projects.list
roles/cloudtasks.taskRunner cloudtasks.tasks.run
cloudtasks.tasks.fullView

resourcemanager.projects.get
resourcemanager.projects.list
roles/cloudtasks.taskDeleter cloudtasks.tasks.delete

resourcemanager.projects.get
resourcemanager.projects.list