Control access using IAM

Cloud Tasks uses Identity and Access Management (IAM) for access control.

Access control can be configured at the project level and at the queue level. For example: You can grant access with limited capabilities, like to create and add tasks to a queue, but not to delete the queue. Or you can grant access to all Cloud Tasks resources within a project to a group of developers.

For a detailed description of IAM and its features, see the IAM documentation. In particular, see its Manage access to projects, folders, and organizations section.

Every Cloud Tasks method requires the caller to have the necessary permissions. See below for a list of the permissions and roles supported. The Cloud Tasks IAM permissions are also checked when queue.yaml/xml is updated or when the Google Cloud console is used.

Roles

The following table lists the Cloud Tasks IAM roles with a corresponding list of all the permissions each role includes. Note that every permission is applicable to a particular resource type.

Cloud Tasks roles

Role Permissions

Role	Permissions
Cloud Tasks Admin ^Beta (`roles/cloudtasks.admin`) Full access to queues and tasks.	`cloudtasks.*` `cloudtasks.cmekConfig.get` `cloudtasks.cmekConfig.update` `cloudtasks.locations.get` `cloudtasks.locations.list` `cloudtasks.queues.create` `cloudtasks.queues.delete` `cloudtasks.queues.get` `cloudtasks.queues.getIamPolicy` `cloudtasks.queues.list` `cloudtasks.queues.pause` `cloudtasks.queues.purge` `cloudtasks.queues.resume` `cloudtasks.queues.setIamPolicy` `cloudtasks.queues.update` `cloudtasks.tasks.create` `cloudtasks.tasks.delete` `cloudtasks.tasks.fullView` `cloudtasks.tasks.get` `cloudtasks.tasks.list` `cloudtasks.tasks.run` `monitoring.timeSeries.list` `resourcemanager.projects.get` `resourcemanager.projects.list`
Cloud Tasks Enqueuer ^Beta (`roles/cloudtasks.enqueuer`) Access to create tasks.	`cloudtasks.tasks.create` `cloudtasks.tasks.fullView` `resourcemanager.projects.get` `resourcemanager.projects.list`
Cloud Tasks Queue Admin ^Beta (`roles/cloudtasks.queueAdmin`) Admin access to queues.	`cloudtasks.locations.` `cloudtasks.locations.get` `cloudtasks.locations.list` `cloudtasks.queues.` `cloudtasks.queues.create` `cloudtasks.queues.delete` `cloudtasks.queues.get` `cloudtasks.queues.getIamPolicy` `cloudtasks.queues.list` `cloudtasks.queues.pause` `cloudtasks.queues.purge` `cloudtasks.queues.resume` `cloudtasks.queues.setIamPolicy` `cloudtasks.queues.update` `resourcemanager.projects.get` `resourcemanager.projects.list`
Cloud Tasks Task Deleter ^Beta (`roles/cloudtasks.taskDeleter`) Access to delete tasks.	`cloudtasks.tasks.delete` `resourcemanager.projects.get` `resourcemanager.projects.list`
Cloud Tasks Task Runner ^Beta (`roles/cloudtasks.taskRunner`) Access to run tasks.	`cloudtasks.tasks.fullView` `cloudtasks.tasks.run` `resourcemanager.projects.get` `resourcemanager.projects.list`
Cloud Tasks Viewer ^Beta (`roles/cloudtasks.viewer`) Get and list access to tasks, queues, and locations.	`cloudtasks.cmekConfig.get` `cloudtasks.locations.*` `cloudtasks.locations.get` `cloudtasks.locations.list` `cloudtasks.queues.get` `cloudtasks.queues.list` `cloudtasks.tasks.fullView` `cloudtasks.tasks.get` `cloudtasks.tasks.list` `monitoring.timeSeries.list` `resourcemanager.projects.get` `resourcemanager.projects.list`

Cloud Tasks Admin ^Beta

(roles/cloudtasks.admin)

Full access to queues and tasks.

cloudtasks.*

cloudtasks.cmekConfig.get
cloudtasks.cmekConfig.update
cloudtasks.locations.get
cloudtasks.locations.list
cloudtasks.queues.create
cloudtasks.queues.delete
cloudtasks.queues.get
cloudtasks.queues.getIamPolicy
cloudtasks.queues.list
cloudtasks.queues.pause
cloudtasks.queues.purge
cloudtasks.queues.resume
cloudtasks.queues.setIamPolicy
cloudtasks.queues.update
cloudtasks.tasks.create
cloudtasks.tasks.delete
cloudtasks.tasks.fullView
cloudtasks.tasks.get
cloudtasks.tasks.list
cloudtasks.tasks.run

monitoring.timeSeries.list

resourcemanager.projects.get

resourcemanager.projects.list

Cloud Tasks Enqueuer ^Beta

(roles/cloudtasks.enqueuer)

Access to create tasks.

cloudtasks.tasks.create

cloudtasks.tasks.fullView

resourcemanager.projects.get

resourcemanager.projects.list

Cloud Tasks Queue Admin ^Beta

(roles/cloudtasks.queueAdmin)

Admin access to queues.

cloudtasks.locations.*

cloudtasks.locations.get
cloudtasks.locations.list

cloudtasks.queues.*

cloudtasks.queues.create
cloudtasks.queues.delete
cloudtasks.queues.get
cloudtasks.queues.getIamPolicy
cloudtasks.queues.list
cloudtasks.queues.pause
cloudtasks.queues.purge
cloudtasks.queues.resume
cloudtasks.queues.setIamPolicy
cloudtasks.queues.update

resourcemanager.projects.get

resourcemanager.projects.list

Cloud Tasks Task Deleter ^Beta

(roles/cloudtasks.taskDeleter)

Access to delete tasks.

cloudtasks.tasks.delete

resourcemanager.projects.get

resourcemanager.projects.list

Cloud Tasks Task Runner ^Beta

(roles/cloudtasks.taskRunner)

Access to run tasks.

cloudtasks.tasks.fullView

cloudtasks.tasks.run

resourcemanager.projects.get

resourcemanager.projects.list

Cloud Tasks Viewer ^Beta

(roles/cloudtasks.viewer)

Get and list access to tasks, queues, and locations.

cloudtasks.cmekConfig.get

cloudtasks.locations.*

cloudtasks.locations.get
cloudtasks.locations.list

cloudtasks.queues.get

cloudtasks.queues.list

cloudtasks.tasks.fullView

cloudtasks.tasks.get

cloudtasks.tasks.list

monitoring.timeSeries.list

resourcemanager.projects.get

resourcemanager.projects.list

Control access using IAM

Roles

Cloud Tasks Admin Beta

Cloud Tasks Enqueuer Beta

Cloud Tasks Queue Admin Beta

Cloud Tasks Task Deleter Beta

Cloud Tasks Task Runner Beta

Cloud Tasks Viewer Beta

Cloud Tasks Admin ^Beta

Cloud Tasks Enqueuer ^Beta

Cloud Tasks Queue Admin ^Beta

Cloud Tasks Task Deleter ^Beta

Cloud Tasks Task Runner ^Beta

Cloud Tasks Viewer ^Beta