Workflows roles and permissions

This page describes the Identity and Access Management (IAM) roles and permissions available to control access to Workflows resources.

Overview

Workflows uses IAM for access control.

To learn more about using IAM for access control, see Manage access to projects, folders, and organizations.

Every Workflows method requires the caller to have the necessary permissions. For a list of the roles Workflows supports and their corresponding permissions, in this document, see the Workflows Roles section.

Workflows permissions

This table describes the permissions available in Workflows.

Permission Definition
workflows.callbacks.send Trigger an execution callback.
workflows.executions.cancel Cancel a workflow execution, without deleting traces.
workflows.executions.create Trigger a workflow execution.
workflows.executions.delete Delete a workflow execution.
workflows.executions.get Get the latest state of workflow execution operations.
workflows.executions.list List the workflow's execution operations.
workflows.locations.get Get the location of a workflow.
workflows.locations.list List the locations where the service is available.
workflows.operations.cancel Cancel long-running operations.
workflows.operations.get Get details of long-running operations.
workflows.operations.list Get a list of long-running operations.
workflows.workflows.create Create and deploy a new workflow.
workflows.workflows.delete Delete an existing workflow.
workflows.workflows.get Get a workflow's settings, including source code, labels, and description.
workflows.workflows.getIamPolicy Get a workflow's IAM policy.
workflows.workflows.list List the workflows in a project.
workflows.workflows.update Update a workflow's settings, including its source code, labels, and description.

Workflows roles

The following table lists the Workflows predefined IAM roles with a corresponding list of all the permissions each role includes.

The available roles address most typical use cases. If your use case isn't covered by the available roles, you can create an IAM custom role.

Role Permissions

Workflows Admin
(roles/workflows.admin)

Full access to workflows and related resources.

  • resourcemanager.projects.get
  • resourcemanager.projects.list
  • workflows.*

Workflows Editor
(roles/workflows.editor)

Read and write access to workflows and related resources.

  • resourcemanager.projects.get
  • resourcemanager.projects.list
  • workflows.*

Workflows Invoker
(roles/workflows.invoker)

Access to execute workflows and manage the executions.

  • resourcemanager.projects.get
  • resourcemanager.projects.list
  • workflows.callbacks.send
  • workflows.executions.*

Workflows Viewer
(roles/workflows.viewer)

Read-only access to workflows and related resources.

  • resourcemanager.projects.get
  • resourcemanager.projects.list
  • workflows.executions.get
  • workflows.executions.list
  • workflows.locations.*
  • workflows.operations.get
  • workflows.operations.list
  • workflows.workflows.get
  • workflows.workflows.list

What's next

Create and manage custom roles