Workflows roles and permissions

This page describes the Identity and Access Management (IAM) roles and permissions available to control access to Workflows resources.

Overview

Workflows uses IAM for access control.

To learn more about using IAM for access control, see Manage access to projects, folders, and organizations.

Every Workflows method requires the caller to have the necessary permissions. For a list of the roles Workflows supports and their corresponding permissions, in this document, see the Workflows roles section.

Workflows permissions

This table describes the permissions available in Workflows.

Permission	Definition
`workflows.callbacks.list`	List callbacks for a workflow execution.
`workflows.callbacks.send`	Trigger a workflow execution callback.
`workflows.executions.cancel`	Cancel a workflow execution, without deleting traces.
`workflows.executions.create`	Trigger a workflow execution.
`workflows.executions.get`	Get the latest state of workflow execution operations.
`workflows.executions.list`	List the workflow's execution operations.
`workflows.locations.get`	Get the location of a workflow.
`workflows.locations.list`	List the locations where the service is available.
`workflows.operations.cancel`	Cancel long-running operations.
`workflows.operations.get`	Get details of long-running operations.
`workflows.operations.list`	Get a list of long-running operations.
`workflows.stepEntries.get`	Get a step entry for a workflow execution.
`workflows.stepEntries.list`	List step entries for a workflow execution.
`workflows.workflows.create`	Create and deploy a new workflow.
`workflows.workflows.delete`	Delete an existing workflow.
`workflows.workflows.get`	Get a workflow's settings, including source code, labels, and description.
`workflows.workflows.list`	List the workflows in a project.
`workflows.workflows.listRevision`	List a workflow's revisions.
`workflows.workflows.update`	Update a workflow's settings, including its source code, labels, and description.

Workflows roles

The following table lists the Workflows predefined IAM roles with a corresponding list of all the permissions each role includes.

The available roles address most typical use cases. If your use case isn't covered by the available roles, you can create an IAM custom role.

Role Permissions

Role	Permissions
Workflows Admin (`roles/workflows.admin`) Full access to workflows and related resources. Lowest-level resources where you can grant this role: Project	`resourcemanager.projects.get` `resourcemanager.projects.list` `workflows.*` `workflows.callbacks.list` `workflows.callbacks.send` `workflows.executions.cancel` `workflows.executions.create` `workflows.executions.get` `workflows.executions.list` `workflows.locations.get` `workflows.locations.list` `workflows.operations.cancel` `workflows.operations.get` `workflows.operations.list` `workflows.stepEntries.get` `workflows.stepEntries.list` `workflows.workflows.create` `workflows.workflows.delete` `workflows.workflows.get` `workflows.workflows.list` `workflows.workflows.listRevision` `workflows.workflows.update`
Workflows Editor (`roles/workflows.editor`) Read and write access to workflows and related resources, including development and debugging of workflows. Lowest-level resources where you can grant this role: Project	`resourcemanager.projects.get` `resourcemanager.projects.list` `workflows.*` `workflows.callbacks.list` `workflows.callbacks.send` `workflows.executions.cancel` `workflows.executions.create` `workflows.executions.get` `workflows.executions.list` `workflows.locations.get` `workflows.locations.list` `workflows.operations.cancel` `workflows.operations.get` `workflows.operations.list` `workflows.stepEntries.get` `workflows.stepEntries.list` `workflows.workflows.create` `workflows.workflows.delete` `workflows.workflows.get` `workflows.workflows.list` `workflows.workflows.listRevision` `workflows.workflows.update`
Workflows Invoker (`roles/workflows.invoker`) Access to execute workflows and manage the executions using the API. Does not provide access to develop and debug workflows. Lowest-level resources where you can grant this role: Project	`resourcemanager.projects.get` `resourcemanager.projects.list` `workflows.callbacks.` `workflows.callbacks.list` `workflows.callbacks.send` `workflows.executions.` `workflows.executions.cancel` `workflows.executions.create` `workflows.executions.get` `workflows.executions.list` `workflows.stepEntries.*` `workflows.stepEntries.get` `workflows.stepEntries.list`
Workflows Viewer (`roles/workflows.viewer`) Read-only access to workflows and related resources. Lowest-level resources where you can grant this role: Project	`resourcemanager.projects.get` `resourcemanager.projects.list` `workflows.callbacks.list` `workflows.executions.get` `workflows.executions.list` `workflows.locations.` `workflows.locations.get` `workflows.locations.list` `workflows.operations.get` `workflows.operations.list` `workflows.stepEntries.` `workflows.stepEntries.get` `workflows.stepEntries.list` `workflows.workflows.get` `workflows.workflows.list` `workflows.workflows.listRevision`

Workflows Admin

(roles/workflows.admin)

Full access to workflows and related resources.

Lowest-level resources where you can grant this role:

Project

resourcemanager.projects.get

resourcemanager.projects.list

workflows.*

workflows.callbacks.list
workflows.callbacks.send
workflows.executions.cancel
workflows.executions.create
workflows.executions.get
workflows.executions.list
workflows.locations.get
workflows.locations.list
workflows.operations.cancel
workflows.operations.get
workflows.operations.list
workflows.stepEntries.get
workflows.stepEntries.list
workflows.workflows.create
workflows.workflows.delete
workflows.workflows.get
workflows.workflows.list
workflows.workflows.listRevision
workflows.workflows.update

Workflows Editor

(roles/workflows.editor)

Read and write access to workflows and related resources, including development and debugging of workflows.

Lowest-level resources where you can grant this role:

Project

resourcemanager.projects.get

resourcemanager.projects.list

workflows.*

workflows.callbacks.list
workflows.callbacks.send
workflows.executions.cancel
workflows.executions.create
workflows.executions.get
workflows.executions.list
workflows.locations.get
workflows.locations.list
workflows.operations.cancel
workflows.operations.get
workflows.operations.list
workflows.stepEntries.get
workflows.stepEntries.list
workflows.workflows.create
workflows.workflows.delete
workflows.workflows.get
workflows.workflows.list
workflows.workflows.listRevision
workflows.workflows.update

Workflows Invoker

(roles/workflows.invoker)

Access to execute workflows and manage the executions using the API. Does not provide access to develop and debug workflows.

Lowest-level resources where you can grant this role:

Project

resourcemanager.projects.get

resourcemanager.projects.list

workflows.callbacks.*

workflows.callbacks.list
workflows.callbacks.send

workflows.executions.*

workflows.executions.cancel
workflows.executions.create
workflows.executions.get
workflows.executions.list

workflows.stepEntries.*

workflows.stepEntries.get
workflows.stepEntries.list

Workflows Viewer

(roles/workflows.viewer)

Read-only access to workflows and related resources.

Lowest-level resources where you can grant this role:

Project

resourcemanager.projects.get

resourcemanager.projects.list

workflows.callbacks.list

workflows.executions.get

workflows.executions.list

workflows.locations.*

workflows.locations.get
workflows.locations.list

workflows.operations.get

workflows.operations.list

workflows.stepEntries.*

workflows.stepEntries.get
workflows.stepEntries.list

workflows.workflows.get

workflows.workflows.list

workflows.workflows.listRevision

What's next

Create and manage custom roles