VMware Engine IAM roles and permissions

Google Cloud VMware Engine has a specific set of Identity and Access Management (IAM) roles. Each role contains a set of permissions.

When you add a new member to your project, you can use an IAM policy to give that member one or more IAM roles. Each IAM role contains permissions that grant the member access to VMware Engine resources.

Managing access to VMware Engine

This guide describes how to manage access to VMware Engine using the principle of least privilege by granting access to specific parent resources, such as a Google Cloud project or an organization. You grant access to a project by setting an IAM policy on the resource. The policy binds one or more members, such as a user or a service account, to one or more roles. Each role contains a list of permissions that let the member interact with the resource.

There are three types of roles in IAM:

  • Basic roles include the Owner, Editor, and Viewer roles that existed prior to the introduction of IAM.
  • Predefined roles provide granular access for a specific service and are managed by Google Cloud. Predefined roles are designed to support common use cases and access control patterns.
  • Custom roles provide granular access according to a user-specified list of permissions.

VMware Engine permissions

Permission Description
vmwareengine.googleapis.com/services.view Read access to VMware Engine portal and resources.
vmwareengine.googleapis.com/services.use Admin access to VMware Engine portal and resources

VMware Engine roles

Role Description
VMware Engine Service Viewer Read access to VMware Engine portal and resources.
VMware Engine Service Admin Admin access to VMware Engine portal and resources

Basic roles for projects

By default, granting access to a Cloud project also grants access to VMware Engine private clouds. Any user with the project Owner role can grant, revoke, or change any project role.

Basic role Capabilities
Viewer Can view the VMware Engine console, private clouds, and all resources. This role includes the VMware Engine Service Viewer role
Editor

Same as Viewer, plus:

  • Can create, update, and delete all resources, including all network resources and external IP addresses. The Editor role can also create and add a private cloud and add or remove nodes from a private cloud. This role includes the VMware Engine Service Admin role.
Owner Same as Editor.

Grant or revoke access to VMware Engine

You grant access to the VMware Engine portal using roles, and roles are applied to VMware Engine resources at the project level. A role cannot be applied to an individual private cloud if a project contains multiple private clouds.

Granting access

To add a team member to a project and grant them a VMware Engine role, do the following:

  1. In the Google Cloud Console, go to the IAM page.

    Go to the IAM page

  2. Click Select a project, choose a project, and click Open.

  3. Click Add.

  4. Enter an email address. You can add individuals, service accounts, or Groups as members.

  5. Select a VMware Engine Service Viewer or VMware Engine Service Admin role based on the type of access that the user or group needs. Roles give members a specific level of permission.

    For best-available security, we strongly recommend giving each user or group the least amount of privilege needed. Members with the Owner role can manage all aspects of the VMware Engine resources.

  6. Click Save.

Revoking access

To revoke VMware Engine access from a user or group, do the following:

  1. In the Google Cloud Console, go to the IAM page.

    Go to the IAM page

  2. Click Select a project, choose a project, and click Open.

  3. Locate the user or group from which you want to revoke access and click Edit.

  4. For each role you want to revoke, click Delete, and then click Save.