VMware Engine IAM roles and permissions
Google Cloud VMware Engine has a specific set of Identity and Access Management (IAM) roles. Each role contains a set of permissions.
When you add a new member to your project, you can use an IAM policy to give that member one or more IAM roles. Each IAM role contains permissions that grant the member access to VMware Engine resources.
Managing access to VMware Engine
This guide describes how to manage access to VMware Engine using the principle of least privilege by granting access to specific parent resources, such as a Google Cloud project or an organization. You grant access to a project by setting an IAM policy on the resource. The policy binds one or more members, such as a user or a service account, to one or more roles. Each role contains a list of permissions that let the member interact with the resource.
There are three types of roles in IAM:
- Basic roles include the Owner, Editor, and Viewer roles that existed prior to the introduction of IAM.
- Predefined roles provide granular access for a specific service and are managed by Google Cloud. Predefined roles are designed to support common use cases and access control patterns.
- Custom roles provide granular access according to a user-specified list of permissions.
VMware Engine permissions
The following table lists VMware Engine permissions and descriptions:
Permission | Description
---|---
vmwareengine.googleapis.com/services.view | Read access to VMware Engine portal and resources.*
vmwareengine.googleapis.com/services.use | Admin access to VMware Engine portal and resources
*A role with this permission can also view the sign-in credentials for vCenter and NSX-T.
VMware Engine roles
The following table lists VMware Engine roles and descriptions:
Role | Description
---|---
VMware Engine Service Viewer | Read access to VMware Engine portal and resources.*
VMware Engine Service Admin | Admin access to VMware Engine portal and resources
*A member with this role can also view the sign-in credentials for vCenter and NSX-T.
Basic roles for projects
By default, granting access to a Google Cloud project also grants access to VMware Engine private clouds. Any user with the project Owner role can grant, revoke, or change any project role.
Basic role | Capabilities
---|---
Viewer | Can view the VMware Engine console, private clouds, and all resources. This role includes the VMware Engine Service Viewer role.
Editor | Same as Viewer, plus:
Owner | Same as Editor.
Grant or revoke access to VMware Engine
You grant access to the VMware Engine portal using roles, and roles are applied to VMware Engine resources at the project level. A role cannot be scoped to an individual private cloud: if a project contains multiple private clouds, a role granted on the project applies to all of them.
Granting access
To add a team member to a project and grant them a VMware Engine role, do the following:
1. In the Google Cloud console, go to the IAM page.
2. Click Select a project, choose a project, and click Open.
3. Click Add.
4. Enter an email address. You can add individuals, service accounts, or Google Groups as members.
5. Select a VMware Engine Service Viewer or VMware Engine Service Admin role based on the type of access that the user or group needs. Roles give members a specific level of permission. For best-available security, we strongly recommend giving each user or group the least amount of privilege needed. Members with the Owner role can manage all aspects of the VMware Engine resources.
6. Click Save.
Revoking access
To revoke VMware Engine access from a user or group, do the following:
1. In the Google Cloud console, go to the IAM page.
2. Click Select a project, choose a project, and click Open.
3. Locate the user or group from which you want to revoke access and click Edit.
4. For each role you want to revoke, click Delete, and then click Save.
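Because basic roles also reach VMware Engine private clouds (and Owner can see the vCenter and NSX-T credentials), a least-privilege review of a project should list every member who gets VMware Engine access and whether it comes from a basic role or from one of the two predefined roles. The following audit script is an added example, not part of the VMware Engine documentation; it reads the JSON shape produced by `gcloud projects get-iam-policy PROJECT --format=json`, and the predefined role IDs `roles/vmwareengine.vmwareengineAdmin` and `roles/vmwareengine.vmwareengineViewer` are assumed, since this page names the roles only by display name.

```python
import json

# Assumed IDs of the predefined roles described on the page (not named there).
PREDEFINED = {
    "roles/vmwareengine.vmwareengineAdmin": "admin",
    "roles/vmwareengine.vmwareengineViewer": "view",
}
# Basic roles and the VMware Engine access the page attributes to them.
BASIC = {
    "roles/owner": "admin",   # manages all aspects; can also see vCenter/NSX-T credentials
    "roles/editor": "view+",  # "same as Viewer, plus" further capabilities
    "roles/viewer": "view",   # includes VMware Engine Service Viewer
}
RANK = {"view": 0, "view+": 1, "admin": 2}  # ordering used to keep the strongest level

def audit_vmware_access(policy: dict) -> dict:
    """Map each member to its strongest VMware Engine access level, the roles
    granting it, and whether any of those roles is a basic (over-broad) role."""
    findings = {}
    for binding in policy.get("bindings", []):
        role = binding["role"]
        if role in PREDEFINED:
            level, broad = PREDEFINED[role], False
        elif role in BASIC:
            level, broad = BASIC[role], True
        else:
            continue  # unrelated role, e.g. roles/compute.viewer
        for member in binding.get("members", []):
            entry = findings.setdefault(member, {"access": level, "via": [], "overbroad": False})
            entry["via"].append(role)
            entry["overbroad"] = entry["overbroad"] or broad
            if RANK[level] > RANK[entry["access"]]:
                entry["access"] = level
    return findings

# Constructed sample policy in the shape of `gcloud projects get-iam-policy --format=json`.
SAMPLE_POLICY = json.loads("""{
  "version": 3,
  "bindings": [
    {"role": "roles/owner", "members": ["user:alice@example.com"]},
    {"role": "roles/vmwareengine.vmwareengineViewer",
     "members": ["group:noc@example.com", "user:alice@example.com"]},
    {"role": "roles/vmwareengine.vmwareengineAdmin",
     "members": ["serviceAccount:vmw-ops@example.iam.gserviceaccount.com"]},
    {"role": "roles/compute.viewer", "members": ["user:bob@example.com"]}
  ]
}""")

if __name__ == "__main__":
    for member, f in audit_vmware_access(SAMPLE_POLICY).items():
        flag = "OVER-BROAD (basic role)" if f["overbroad"] else "least-privilege"
        print(f"{member}: {f['access']} via {', '.join(f['via'])} -> {flag}")
```

Conditional bindings are reported as if unconditional, and grants inherited from a folder or organization policy do not appear in a project-level policy, so audit those parents separately.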