VMware Engine IAM roles and permissions

Google Cloud VMware Engine has a specific set of Identity and Access Management (IAM) roles. Each role contains a set of permissions.

When you add a new member to your project, you can use an IAM policy to give that member one or more IAM roles. Each IAM role contains permissions that grant the member access to VMware Engine resources.

Managing access to VMware Engine

This guide describes how to manage access to VMware Engine using the principle of least privilege by granting access to specific parent resources, such as a Google Cloud project or an organization. You grant access to a project by setting an IAM policy on the resource. The policy binds one or more members, such as a user or a service account, to one or more roles. Each role contains a list of permissions that let the member interact with the resource.

There are three types of roles in IAM:

  • Basic roles include the Owner, Editor, and Viewer roles that existed prior to the introduction of IAM.
  • Predefined roles provide granular access for a specific service and are managed by Google Cloud. Predefined roles are designed to support common use cases and access control patterns.
  • Custom roles provide granular access according to a user-specified list of permissions.

VMware Engine permissions

Permission Description
vmwareengine.googleapis.com/services.view Read access to VMware Engine portal and resources.
vmwareengine.googleapis.com/services.use Admin access to VMware Engine portal and resources

VMware Engine roles

Role Description
VMware Engine Service Viewer Read access to VMware Engine portal and resources.
VMware Engine Service Admin Admin access to VMware Engine portal and resources

Basic roles for projects

By default, granting access to a Cloud project also grants access to VMware Engine private clouds. Any user with the project Owner role can grant, revoke, or change any project role.

Basic role Capabilities
Viewer Can view the VMware Engine console, private clouds, and all resources. This role includes the VMware Engine Service Viewer role

Same as Viewer, plus:

  • Can create, update, and delete all resources, including all network resources and external IP addresses. The Editor role can also create and add a private cloud and add or remove nodes from a private cloud. This role includes the VMware Engine Service Admin role.
Owner Same as Editor.

Granting or revoking access to VMware Engine

You grant access to the VMware Engine portal using roles, and roles are applied to VMware Engine resources at the project level. A role cannot be applied to an individual private cloud if a project contains multiple private clouds.

For steps on how to grant or revoke access to VMware Engine, see Grant or revoke access to VMware Engine.

What's next