IAM Roles for Administering VPC Service Controls

This page describes the Identity and Access Management (IAM) roles required to configure VPC Service Controls.

Required roles

The following curated IAM roles provide the necessary permissions to view or configure service perimeters and access levels using the gcloud command-line tool:

  • Access Context Manager Admin (roles/accesscontextmanager.policyAdmin)
  • Access Context Manager Editor (roles/accesscontextmanager.policyEditor)
  • Access Context Manager Reader (roles/accesscontextmanager.policyReader)

Additionally, to let your users manage VPC Service Controls using the Google Cloud Console, the Resource Manager Organization Viewer (roles/resourcemanager.organizationViewer) role is required.

To grant one of these roles, use the Cloud Console or the gcloud command-line tool, as in the following examples:

Admin: allows read-write access

gcloud organizations add-iam-policy-binding ORGANIZATION_ID \
  --member="user:example@customer.org" \
  --role="roles/accesscontextmanager.policyAdmin"

Editor: allows read-write access

gcloud organizations add-iam-policy-binding ORGANIZATION_ID \
  --member="user:example@customer.org" \
  --role="roles/accesscontextmanager.policyEditor"

Reader: allows read-only access

gcloud organizations add-iam-policy-binding ORGANIZATION_ID \
  --member="user:example@customer.org" \
  --role="roles/accesscontextmanager.policyReader"

Organization Viewer: allows access to VPC Service Controls using the Cloud Console

gcloud organizations add-iam-policy-binding ORGANIZATION_ID \
  --member="user:example@customer.org" \
  --role="roles/resourcemanager.organizationViewer"
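After granting these roles it is worth checking who actually holds them at the organization level. The following script is an added example, not part of this page or of Google's tooling: it reads an IAM policy in the JSON shape produced by `gcloud organizations get-iam-policy ORGANIZATION_ID --format=json`, lists the members bound to the three Access Context Manager roles, flags Admin grants made directly to individual users rather than groups, and reports principals that hold an Access Context Manager role but not the Organization Viewer role this page says the Cloud Console requires. The embedded policy, its members and its etag are constructed sample data.

```python
import json
from typing import Dict, List

# Roles this page names for viewing or configuring service perimeters and
# access levels (Access Context Manager), with the access the page describes.
VPCSC_ROLES = {
    "roles/accesscontextmanager.policyAdmin": "Admin (read-write)",
    "roles/accesscontextmanager.policyEditor": "Editor (read-write)",
    "roles/accesscontextmanager.policyReader": "Reader (read-only)",
}
# Role the page says is additionally required to use VPC Service Controls
# from the Cloud Console.
CONSOLE_ROLE = "roles/resourcemanager.organizationViewer"

# Constructed sample (assumption: the shape matches
#   gcloud organizations get-iam-policy ORGANIZATION_ID --format=json).
# Every member, domain and etag below is made up for this example.
SAMPLE_POLICY_JSON = """
{
  "bindings": [
    {"role": "roles/accesscontextmanager.policyAdmin",
     "members": ["user:alice@example.com", "group:vpcsc-admins@example.com"]},
    {"role": "roles/accesscontextmanager.policyReader",
     "members": ["user:bob@example.com",
                 "serviceAccount:audit@example.iam.gserviceaccount.com"]},
    {"role": "roles/resourcemanager.organizationViewer",
     "members": ["group:vpcsc-admins@example.com", "user:bob@example.com"]},
    {"role": "roles/viewer",
     "members": ["user:carol@example.com"]}
  ],
  "etag": "BwExampleEtagValue=",
  "version": 1
}
"""


def load_policy(text: str) -> dict:
    """Parse the JSON output of gcloud ... get-iam-policy --format=json."""
    return json.loads(text)


def sample_policy() -> dict:
    """The constructed sample policy above, parsed."""
    return load_policy(SAMPLE_POLICY_JSON)


def members_by_role(policy: dict) -> Dict[str, List[str]]:
    """Map each role in the policy to all members bound to it.

    A role can appear in several bindings (for example with different
    conditions), so members are accumulated rather than overwritten.
    """
    out: Dict[str, List[str]] = {}
    for binding in policy.get("bindings", []):
        out.setdefault(binding["role"], []).extend(binding.get("members", []))
    return out


def vpcsc_grants(policy: dict) -> Dict[str, List[str]]:
    """Only the bindings for the Access Context Manager roles listed on this page."""
    return {r: m for r, m in members_by_role(policy).items() if r in VPCSC_ROLES}


def admin_grants_to_individuals(policy: dict) -> List[str]:
    """Admin (read-write) grants made directly to user: principals.

    Granting Admin to a group is easier to review and revoke than granting it
    to individuals, so these are the bindings to look at first.
    """
    admins = members_by_role(policy).get(
        "roles/accesscontextmanager.policyAdmin", [])
    return sorted(m for m in admins if m.startswith("user:"))


def missing_console_access(policy: dict) -> List[str]:
    """Principals holding an Access Context Manager role but not organizationViewer.

    Per this page, those principals can work with gcloud but not with the
    Cloud Console. Comparison is by principal string only; group membership
    is not expanded here.
    """
    by_role = members_by_role(policy)
    acm_members = {m for r, ms in by_role.items() if r in VPCSC_ROLES for m in ms}
    viewers = set(by_role.get(CONSOLE_ROLE, []))
    return sorted(acm_members - viewers)


if __name__ == "__main__":
    policy = sample_policy()
    for role, members in vpcsc_grants(policy).items():
        print(f"{VPCSC_ROLES[role]:<20} {role}")
        for m in members:
            print(f"    {m}")
    print("Admin granted directly to users:", admin_grants_to_individuals(policy))
    print("ACM role but no Organization Viewer:", missing_console_access(policy))
```

To run it against a real organization, replace the sample with the output of `gcloud organizations get-iam-policy ORGANIZATION_ID --format=json` (piped into `load_policy`). The Console check only compares the principal strings in the policy: a user who gets Organization Viewer through a group the script sees as a separate principal would still be reported, so treat its output as a list of bindings to confirm rather than a definitive finding.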