This page describes the Identity and Access Management (IAM) roles required to configure VPC Service Controls.
Required roles
The following predefined IAM roles provide the necessary permissions to view or configure service perimeters and access levels:
- Access Context Manager Admin (
roles/accesscontextmanager.policyAdmin) - Access Context Manager Editor (
roles/accesscontextmanager.policyEditor) - Access Context Manager Reader (
roles/accesscontextmanager.policyReader)
To grant one of these roles, use the Cloud Console or run
one of the following commands in the gcloud tool. Replace
ORGANIZATION_ID with the ID of your Google Cloud
organization.
Grant Manager Admin role to allow read-write access
gcloud organizations add-iam-policy-binding ORGANIZATION_ID \
--member="user:example@customer.org" \
--role="roles/accesscontextmanager.policyAdmin"
Grant Manager Editor role to allow read-write access
gcloud organizations add-iam-policy-binding ORGANIZATION_ID \
--member="user:example@customer.org" \
--role="roles/accesscontextmanager.policyEditor"
Grant Manager Reader role to allow read-only access
gcloud organizations add-iam-policy-binding ORGANIZATION_ID \
--member="user:example@customer.org" \
--role="roles/accesscontextmanager.policyReader"