IAM Roles for Administering VPC Service Controls

This page describes the Identity and Access Management (IAM) roles required to configure VPC Service Controls.

Required roles

The following predefined IAM roles provide the necessary permissions to view or configure service perimeters and access levels:

  • Access Context Manager Admin (roles/accesscontextmanager.policyAdmin)
  • Access Context Manager Editor (roles/accesscontextmanager.policyEditor)
  • Access Context Manager Reader (roles/accesscontextmanager.policyReader)

To grant one of these roles, use the Cloud Console or run one of the following commands in the gcloud tool. Replace ORGANIZATION_ID with the ID of your Google Cloud organization, and replace the --member value with the principal that should receive the role.

Grant the Access Context Manager Admin role to allow read-write access

gcloud organizations add-iam-policy-binding ORGANIZATION_ID \
    --member="user:example@customer.org" \
    --role="roles/accesscontextmanager.policyAdmin"

Grant the Access Context Manager Editor role to allow read-write access

gcloud organizations add-iam-policy-binding ORGANIZATION_ID \
    --member="user:example@customer.org" \
    --role="roles/accesscontextmanager.policyEditor"

Grant the Access Context Manager Reader role to allow read-only access

gcloud organizations add-iam-policy-binding ORGANIZATION_ID \
    --member="user:example@customer.org" \
    --role="roles/accesscontextmanager.policyReader"
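Because these three roles decide who can view or change service perimeters, the complementary task is checking who currently holds them. The following Python script is an added example, not part of this page or of Google's tooling. It parses an IAM policy in the JSON shape returned by `gcloud organizations get-iam-policy ORGANIZATION_ID --format=json`, lists which principals have read-write versus read-only access to Access Context Manager, and flags two patterns a reviewer usually wants to see: a read-write role bound directly to a user account rather than a group, and any of these roles bound to allUsers or allAuthenticatedUsers. The policy document, principal names and project name inside it are constructed sample data.

```python
"""Audit who can view or change VPC Service Controls configuration.

Added example, not part of the original page. Parses an IAM policy in the
JSON shape produced by
`gcloud organizations get-iam-policy ORGANIZATION_ID --format=json`
and reports the holders of the three Access Context Manager roles.
All principals and identifiers below are constructed sample data.
"""
import json

# The three predefined roles named on the page, with the access they confer.
ACM_ROLES = {
    "roles/accesscontextmanager.policyAdmin": "read-write",
    "roles/accesscontextmanager.policyEditor": "read-write",
    "roles/accesscontextmanager.policyReader": "read-only",
}

# Constructed sample policy (not a real organization).
SAMPLE_POLICY_JSON = """
{
  "bindings": [
    {"role": "roles/accesscontextmanager.policyAdmin",
     "members": ["user:example@customer.org",
                 "group:vpc-sc-admins@customer.org"]},
    {"role": "roles/accesscontextmanager.policyReader",
     "members": ["group:security-auditors@customer.org",
                 "serviceAccount:audit-bot@example-project.iam.gserviceaccount.com"]},
    {"role": "roles/resourcemanager.organizationViewer",
     "members": ["group:everyone@customer.org"]}
  ],
  "etag": "BwX-constructed=",
  "version": 1
}
"""


def load_policy(text):
    """Parse the JSON text of an IAM policy into a dict."""
    return json.loads(text)


def acm_grants(policy):
    """Map each principal to the Access Context Manager roles it holds.

    Bindings for unrelated roles are skipped; a principal appearing in
    several ACM bindings gets all of them collected into one set.
    """
    grants = {}
    for binding in policy.get("bindings", []):
        role = binding.get("role")
        if role not in ACM_ROLES:
            continue
        for member in binding.get("members", []):
            grants.setdefault(member, set()).add(role)
    return grants


def summarize(policy):
    """Return (read_write_members, read_only_members) as sorted lists."""
    read_write, read_only = set(), set()
    for member, roles in acm_grants(policy).items():
        for role in roles:
            target = read_write if ACM_ROLES[role] == "read-write" else read_only
            target.add(member)
    return sorted(read_write), sorted(read_only)


def review_findings(policy):
    """Return review notes about how the ACM roles are bound.

    PUBLIC: any ACM role bound to allUsers / allAuthenticatedUsers.
    DIRECT-USER: a read-write ACM role bound to an individual user account
    instead of a group, which is harder to review and to offboard.
    """
    findings = []
    for member, roles in sorted(acm_grants(policy).items()):
        for role in sorted(roles):
            if member in ("allUsers", "allAuthenticatedUsers"):
                findings.append(f"PUBLIC: {role} granted to {member}")
            elif ACM_ROLES[role] == "read-write" and member.startswith("user:"):
                findings.append(
                    f"DIRECT-USER: {role} granted to {member}; prefer a group")
    return findings


if __name__ == "__main__":
    policy = load_policy(SAMPLE_POLICY_JSON)
    read_write, read_only = summarize(policy)
    print("Can change VPC Service Controls:", read_write)
    print("Can only view:", read_only)
    for note in review_findings(policy):
        print(note)
```

To run it against a real organization, replace SAMPLE_POLICY_JSON with the output of the gcloud command named above; the role names are exactly the three listed in the Required roles section, so the script needs no other changes.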