Workflows roles and permissions

This page describes the Identity and Access Management (IAM) roles and permissions available to control access to Workflows resources.

Overview

Workflows uses IAM for access control.

To learn more about using IAM for access control, see Manage access to projects, folders, and organizations.

Every Workflows method requires the caller to have the necessary permissions. For a list of the roles that Workflows supports and their corresponding permissions, see the Workflows roles section in this document.

Workflows permissions

This table describes the permissions available in Workflows.

Permission                        Definition
workflows.callbacks.list          List callbacks for a workflow execution.
workflows.callbacks.send          Trigger a workflow execution callback.
workflows.executions.cancel       Cancel a workflow execution, without deleting traces.
workflows.executions.create       Trigger a workflow execution.
workflows.executions.get          Get the latest state of workflow execution operations.
workflows.executions.list         List the workflow's execution operations.
workflows.locations.get           Get the location of a workflow.
workflows.locations.list          List the locations where the service is available.
workflows.operations.cancel       Cancel long-running operations.
workflows.operations.get          Get details of long-running operations.
workflows.operations.list         Get a list of long-running operations.
workflows.stepEntries.get         Get a step entry for a workflow execution.
workflows.stepEntries.list        List step entries for a workflow execution.
workflows.workflows.create        Create and deploy a new workflow.
workflows.workflows.delete        Delete an existing workflow.
workflows.workflows.get           Get a workflow's settings, including source code, labels, and description.
workflows.workflows.list          List the workflows in a project.
workflows.workflows.listRevision  List a workflow's revisions.
workflows.workflows.update        Update a workflow's settings, including its source code, labels, and description.

Workflows roles

The following table lists the Workflows predefined IAM roles with a corresponding list of all the permissions each role includes.

The available roles address most typical use cases. If your use case isn't covered by the available roles, you can create an IAM custom role.

Role Permissions

(roles/workflows.admin)

Full access to workflows and related resources.

Lowest-level resources where you can grant this role:

  • Project

resourcemanager.projects.get
resourcemanager.projects.list
workflows.*
  • workflows.callbacks.list
  • workflows.callbacks.send
  • workflows.executions.cancel
  • workflows.executions.create
  • workflows.executions.get
  • workflows.executions.list
  • workflows.locations.get
  • workflows.locations.list
  • workflows.operations.cancel
  • workflows.operations.get
  • workflows.operations.list
  • workflows.stepEntries.get
  • workflows.stepEntries.list
  • workflows.workflows.create
  • workflows.workflows.createTagBinding
  • workflows.workflows.delete
  • workflows.workflows.deleteTagBinding
  • workflows.workflows.get
  • workflows.workflows.list
  • workflows.workflows.listEffectiveTags
  • workflows.workflows.listRevision
  • workflows.workflows.listTagBindings
  • workflows.workflows.update

(roles/workflows.editor)

Read and write access to workflows and related resources, including development and debugging of workflows.

Lowest-level resources where you can grant this role:

  • Project

resourcemanager.projects.get
resourcemanager.projects.list
workflows.*
  • workflows.callbacks.list
  • workflows.callbacks.send
  • workflows.executions.cancel
  • workflows.executions.create
  • workflows.executions.get
  • workflows.executions.list
  • workflows.locations.get
  • workflows.locations.list
  • workflows.operations.cancel
  • workflows.operations.get
  • workflows.operations.list
  • workflows.stepEntries.get
  • workflows.stepEntries.list
  • workflows.workflows.create
  • workflows.workflows.createTagBinding
  • workflows.workflows.delete
  • workflows.workflows.deleteTagBinding
  • workflows.workflows.get
  • workflows.workflows.list
  • workflows.workflows.listEffectiveTags
  • workflows.workflows.listRevision
  • workflows.workflows.listTagBindings
  • workflows.workflows.update

(roles/workflows.invoker)

Access to execute workflows and manage the executions using the API. Does not provide access to develop and debug workflows.

Lowest-level resources where you can grant this role:

  • Project

resourcemanager.projects.get
resourcemanager.projects.list
workflows.callbacks.*
  • workflows.callbacks.list
  • workflows.callbacks.send
workflows.executions.*
  • workflows.executions.cancel
  • workflows.executions.create
  • workflows.executions.get
  • workflows.executions.list
workflows.stepEntries.*
  • workflows.stepEntries.get
  • workflows.stepEntries.list

(roles/workflows.viewer)

Read-only access to workflows and related resources.

Lowest-level resources where you can grant this role:

  • Project

resourcemanager.projects.get
resourcemanager.projects.list
workflows.callbacks.list
workflows.executions.get
workflows.executions.list
workflows.locations.*
  • workflows.locations.get
  • workflows.locations.list
workflows.operations.get
workflows.operations.list
workflows.stepEntries.*
  • workflows.stepEntries.get
  • workflows.stepEntries.list
workflows.workflows.get
workflows.workflows.list
workflows.workflows.listEffectiveTags
workflows.workflows.listRevision
workflows.workflows.listTagBindings
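
The role tables above can be used as data for a least-privilege check. The following Python code is an added example, not part of the Workflows documentation: it picks the predefined role that covers a required permission set with the fewest unneeded state-changing permissions, and builds a custom role definition for cases where that role is still too broad. The function names, the get/list rule for read-only permissions and the CI_NEEDS sample are assumptions of this example.

```python
import json

def perms(resource, *verbs):
    return {f"workflows.{resource}.{v}" for v in verbs}

# Permission sets transcribed from the role tables on this page.
PROJECT = {"resourcemanager.projects.get", "resourcemanager.projects.list"}
INVOKE = (perms("callbacks", "list", "send") | perms("stepEntries", "get", "list")
          | perms("executions", "cancel", "create", "get", "list"))
ALL = (PROJECT | INVOKE | perms("locations", "get", "list")
       | perms("operations", "cancel", "get", "list")
       | perms("workflows", "create", "createTagBinding", "delete",
               "deleteTagBinding", "get", "list", "listEffectiveTags",
               "listRevision", "listTagBindings", "update"))

def mutating(permission):
    """Assumed rule: any verb that does not start with get or list changes state."""
    return not permission.rsplit(".", 1)[1].startswith(("get", "list"))

ROLES = {  # least to most privileged; min() keeps the earlier entry on ties
    "roles/workflows.viewer": {p for p in ALL if not mutating(p)},  # matches the viewer list
    "roles/workflows.invoker": PROJECT | INVOKE,
    "roles/workflows.editor": ALL,  # this page lists the same permissions as admin
    "roles/workflows.admin": ALL,
}

def recommend(needed):
    """Return (role, surplus): the predefined role covering `needed` that grants
    the fewest unneeded state-changing permissions, then the fewest overall."""
    needed = set(needed)
    if needed - ALL:
        raise ValueError(f"not listed on this page: {sorted(needed - ALL)}")
    def cost(role):
        surplus = ROLES[role] - needed
        return (sum(map(mutating, surplus)), len(surplus))
    role = min((r for r, p in ROLES.items() if needed <= p), key=cost)
    return role, ROLES[role] - needed

def custom_role(title, needed):
    """Custom role definition using the IAM fields title, stage, includedPermissions."""
    return {"title": title, "stage": "GA", "includedPermissions": sorted(needed)}

# Constructed case: a CI job that reads a workflow's source and then runs it.
CI_NEEDS = perms("workflows", "get") | perms("executions", "create", "get")

if __name__ == "__main__":
    role, surplus = recommend(CI_NEEDS)
    print(role, "unneeded state-changing:", sorted(filter(mutating, surplus)))
    print(json.dumps(custom_role("CI workflow runner", CI_NEEDS), indent=2))
```

For the constructed CI job, neither the viewer nor the invoker role covers the three permissions, so the smallest predefined fit is roles/workflows.editor, which also grants eight unneeded state-changing permissions such as workflows.workflows.update and workflows.workflows.delete.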

What's next

Create and manage custom roles