This page describes the Identity and Access Management (IAM) roles required to configure VPC Service Controls.
Required roles
The following curated IAM roles provide the necessary permissions to view or configure service perimeters and access levels using the gcloud command-line tool:
- Access Context Manager Admin (roles/accesscontextmanager.policyAdmin)
- Access Context Manager Editor (roles/accesscontextmanager.policyEditor)
- Access Context Manager Reader (roles/accesscontextmanager.policyReader)
Additionally, to let your users manage VPC Service Controls using the Google Cloud Console, the Resource Manager Organization Viewer (roles/resourcemanager.organizationViewer) role is required.
To grant one of these roles, use the Cloud Console or the gcloud command-line tool:
# Admin allows read-write access
gcloud organizations add-iam-policy-binding ORGANIZATION_ID \
  --member="user:example@customer.org" \
  --role="roles/accesscontextmanager.policyAdmin"

# Editor allows read-write access
gcloud organizations add-iam-policy-binding ORGANIZATION_ID \
  --member="user:example@customer.org" \
  --role="roles/accesscontextmanager.policyEditor"

# Reader allows read-only access
gcloud organizations add-iam-policy-binding ORGANIZATION_ID \
  --member="user:example@customer.org" \
  --role="roles/accesscontextmanager.policyReader"

# Organization Viewer allows access to VPC Service Controls using the Cloud Console
gcloud organizations add-iam-policy-binding ORGANIZATION_ID \
  --member="user:example@customer.org" \
  --role="roles/resourcemanager.organizationViewer"
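Once the bindings above exist, the reverse question matters just as much: who currently holds these roles, and which of them can change perimeters rather than only read them. The following script is an added example, not part of the Google Cloud documentation. It assumes the organization policy was exported with `gcloud organizations get-iam-policy ORGANIZATION_ID --format=json` (which yields a `bindings` list of `role`/`members` pairs) and uses a constructed sample policy in place of a real export.

```python
"""Audit an organization IAM policy for the VPC Service Controls roles.

Added example, not from the Google Cloud documentation. Assumes the policy
came from:  gcloud organizations get-iam-policy ORGANIZATION_ID --format=json
so it has the shape {"bindings": [{"role": ..., "members": [...]}, ...]}.
"""
import json
from collections import defaultdict

# The four roles named on the page, with the kind of access each grants.
VPC_SC_ROLES = {
    "roles/accesscontextmanager.policyAdmin": "read-write",
    "roles/accesscontextmanager.policyEditor": "read-write",
    "roles/accesscontextmanager.policyReader": "read-only",
    "roles/resourcemanager.organizationViewer": "console-access",
}

# Principals that make a binding public or workspace-wide rather than
# granted to a specific user, group or service account.
BROAD_PRINCIPALS = ("allUsers", "allAuthenticatedUsers")


def members_by_role(policy: dict) -> dict:
    """Return {role: sorted members} restricted to the VPC Service Controls roles."""
    result = defaultdict(set)
    for binding in policy.get("bindings", []):
        role = binding.get("role")
        if role in VPC_SC_ROLES:
            result[role].update(binding.get("members", []))
    return {role: sorted(members) for role, members in result.items()}


def write_capable_members(policy: dict) -> list:
    """Members who can modify perimeters or access levels (Admin or Editor)."""
    writers = set()
    for role, members in members_by_role(policy).items():
        if VPC_SC_ROLES[role] == "read-write":
            writers.update(members)
    return sorted(writers)


def findings(policy: dict) -> list:
    """Least-privilege findings: VPC SC roles bound to broad principals."""
    out = []
    for role, members in members_by_role(policy).items():
        for member in members:
            if member in BROAD_PRINCIPALS or member.startswith("domain:"):
                out.append(f"{role} granted to broad principal {member}")
    return out


# Constructed sample policy (not a real export) so the script runs offline.
SAMPLE_POLICY = json.loads("""
{
  "bindings": [
    {"role": "roles/accesscontextmanager.policyAdmin",
     "members": ["user:example@customer.org"]},
    {"role": "roles/accesscontextmanager.policyEditor",
     "members": ["group:perimeter-editors@customer.org", "domain:customer.org"]},
    {"role": "roles/accesscontextmanager.policyReader",
     "members": ["user:auditor@customer.org"]},
    {"role": "roles/resourcemanager.organizationViewer",
     "members": ["user:example@customer.org", "user:auditor@customer.org"]},
    {"role": "roles/viewer", "members": ["allUsers"]}
  ],
  "etag": "BwXexample",
  "version": 1
}
""")

if __name__ == "__main__":
    for role, members in members_by_role(SAMPLE_POLICY).items():
        print(f"{role} ({VPC_SC_ROLES[role]}): {', '.join(members)}")
    print("Can modify VPC Service Controls:", write_capable_members(SAMPLE_POLICY))
    for finding in findings(SAMPLE_POLICY):
        print("FINDING:", finding)
```

Run it against a real export by replacing `SAMPLE_POLICY` with `json.load(open("policy.json"))`. The `roles/viewer` binding to `allUsers` in the sample is deliberately ignored: the script only reports on the roles this page covers, so unrelated bindings do not clutter the output, and the one finding it raises is the Editor role granted to an entire domain.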