VMware Engine IAM roles and permissions

When you add a new member to your project, you can use an Identity and Access Management (IAM) policy to give that member one or more IAM roles. Each IAM role contains permissions that grant the member access to VMware Engine resources.

This document focuses on the IAM permissions relevant to VMware Engine and the IAM roles that grant those permissions. For a detailed description of IAM and its features, see the Identity and Access Management Overview and Granting, changing, and revoking access to resources.

Role types

You grant access to a resource by setting an IAM policy on the resource. The policy binds one or more members, such as a user or a service account, to one or more roles. Each role contains a list of permissions that let the member interact with the resource.

There are three types of roles in IAM:

  • Predefined roles provide granular access for a specific service and are managed by Google Cloud. Predefined roles are designed to support common use cases and access control patterns.
  • Custom roles provide granular access according to a user-specified list of permissions.
  • Basic roles are project-level roles that include broad permissions applying to all of your Google Cloud resources. Basic roles include the Owner, Editor, and Viewer roles that existed prior to the introduction of IAM.

We recommend using a predefined role or a custom role whenever possible, as they include more fine-grained permissions that apply only to VMware Engine.

Predefined roles

A predefined role contains a set of permissions that's suitable for a specific task. To view a comprehensive list of predefined roles for VMware Engine, go to the VMware Engine roles reference in the IAM documentation.

Custom roles

If the predefined roles for VMware Engine don't meet your needs, then you can create a custom role that contains only the permissions that you specify. Identify the tasks that you need to perform, then add the permissions that are required for each task to the custom role.

To view a comprehensive list of permissions for VMware Engine, go to the Permissions reference and search for the prefix vmwareengine.

For more details on creating a custom role, see Creating and managing custom roles.

Grant or revoke access to VMware Engine

Roles apply to VMware Engine resources at the project level. A role cannot be scoped to an individual private cloud: if a project contains multiple private clouds, a role granted on the project applies to all of them.

Grant access

To add a team member to a project and grant them a VMware Engine role, do the following:

  1. In the Google Cloud console, go to IAM & Admin > IAM.

  2. Click Add.

  3. Enter an email address. You can add individuals, service accounts, or Google Groups as members.

  4. Select the VMware Engine Service Viewer or VMware Engine Service Admin role based on the type of access that the user or group needs.

  5. Click Save.

Revoke access

To remove a role and its corresponding permissions from a user or group, do the following:

  1. In the Google Cloud console, go to IAM & Admin > IAM.

  2. Locate the user or group from which you want to revoke access and click Edit member.

  3. For each role you want to revoke, click Delete.

  4. Click Save.
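The grant and revoke procedures above, expressed as edits to a project IAM policy document in the JSON shape that `gcloud projects get-iam-policy` returns, as an added example that is not code from this page or from Google's tooling. The role IDs, the sample policy and its principals are assumptions; the last function flags members holding basic roles, which this page advises against in favour of predefined or custom roles.

```python
import copy

# Assumed IAM role IDs for the two roles the page names (not quoted on the page).
VMWARE_ENGINE_ADMIN = "roles/vmwareengine.vmwareengineAdmin"
VMWARE_ENGINE_VIEWER = "roles/vmwareengine.vmwareengineViewer"
BASIC_ROLES = {"roles/owner", "roles/editor", "roles/viewer"}


def grant_role(policy: dict, role: str, member: str) -> dict:
    """Return a copy of the policy with member bound to role at project level.
    Reuses an existing unconditional binding for the role; idempotent."""
    new = copy.deepcopy(policy)
    for binding in new.setdefault("bindings", []):
        if binding["role"] == role and "condition" not in binding:
            if member not in binding["members"]:
                binding["members"].append(member)
            return new
    new["bindings"].append({"role": role, "members": [member]})
    return new


def revoke_role(policy: dict, role: str, member: str) -> dict:
    """Return a copy with member removed from role; empty bindings are dropped."""
    new = copy.deepcopy(policy)
    for binding in new.get("bindings", []):
        if binding["role"] == role:
            binding["members"] = [m for m in binding["members"] if m != member]
    new["bindings"] = [b for b in new.get("bindings", []) if b["members"]]
    return new


def members_with_basic_roles(policy: dict) -> dict:
    """Map each member holding a basic role (Owner/Editor/Viewer) to those roles,
    so project-wide grants can be replaced with VMware Engine roles."""
    found = {}
    for binding in policy.get("bindings", []):
        if binding["role"] in BASIC_ROLES:
            for member in binding["members"]:
                found.setdefault(member, set()).add(binding["role"])
    return found


# Constructed sample policy in the get-iam-policy JSON shape (no real principals).
SAMPLE_POLICY = {
    "version": 3, "etag": "BwX-constructed",
    "bindings": [
        {"role": "roles/editor", "members": ["user:legacy-admin@example.com"]},
        {"role": VMWARE_ENGINE_VIEWER, "members": ["group:vmware-ops@example.com"]},
    ],
}
```

The returned policy, etag included, is what you would pass back to `gcloud projects set-iam-policy`; the functions never mutate the input, so the original policy is available for a diff before applying.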

VMware Engine permissions

To view a comprehensive list of permissions for VMware Engine, go to the Permissions reference and search for the prefix vmwareengine.

Permissions let users perform specific actions on VMware Engine resources. You don't give users permissions directly; instead, you grant them predefined roles or custom roles, each of which carries one or more permissions.