Access control

This page describes how to control access to Workflows resources.

Overview

Workflows uses Identity and Access Management (IAM) for access control.

For a detailed description of IAM and its features, see the IAM overview page. To learn more about using IAM for access control, see Granting, changing, and revoking access to resources.

Every Workflows method requires the caller to have the necessary permissions. For a list of the permissions and roles Workflows supports, see the Roles section.

Workflows permissions

This table describes the permissions available in Workflows.

Permission                        Definition
workflows.workflows.create        Create and deploy a new workflow.
workflows.workflows.delete        Delete an existing workflow.
workflows.workflows.list          List the workflows in a project.
workflows.workflows.get           Get a workflow's settings, including source code, labels, and description.
workflows.workflows.update        Update a workflow's settings, including its source code, labels, and description.
workflows.workflows.getIamPolicy  Get a workflow's IAM policy.
workflows.workflows.setIamPolicy  Set a workflow's IAM policy.
workflows.locations.list          List the locations where the service is available.
workflows.locations.get           Get the location of a workflow.
workflows.executions.get          Get the latest state of workflow execution operations.
workflows.executions.create       Trigger a workflow execution.
workflows.executions.list         List the workflow's execution operations.
workflows.executions.cancel       Cancel a workflow execution, without deleting traces.
workflows.operations.list         Get a list of long running operations.
workflows.operations.get          Get details of long running operations.

Roles

The following table lists the Workflows predefined IAM roles with a corresponding list of all the permissions each role includes.

The available roles address most typical use cases. If your use case isn't covered by the available roles, you can create an IAM custom role.

Role: roles/workflows.viewer
Permissions:
    workflows.workflows.list
    workflows.workflows.get
    workflows.locations.list
    workflows.locations.get
    workflows.operations.get
    workflows.operations.list
    workflows.executions.get
    workflows.executions.list
    workflows.workflows.getIamPolicy
Description: View workflows, including the source code, without any write permissions.

Role: roles/workflows.editor
Permissions:
    workflows.workflows.create
    workflows.workflows.delete
    workflows.workflows.list
    workflows.workflows.get
    workflows.workflows.update
    workflows.locations.list
    workflows.locations.get
    workflows.executions.create
    workflows.executions.get
    workflows.executions.list
    workflows.executions.cancel
    workflows.executions.delete
    workflows.operations.get
    workflows.operations.list
    workflows.operations.cancel
    workflows.workflows.getIamPolicy
Description: Create and update a workflow definition, including changing the source code.

Role: roles/workflows.invoker
Permissions:
    workflows.executions.create
    workflows.executions.cancel
    workflows.executions.get
    workflows.executions.list
    workflows.operations.get
    workflows.operations.list
    workflows.operations.cancel
Description: Trigger workflow execution and see results in the logs.

Role: roles/workflows.admin
Permissions:
    workflows.*
Description: Administers all workflows within a project. Can create new workflows and set IAM policies. Intended for project administrators.
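
The role and permission tables above can drive a least-privilege review. The following is an added example, not part of the original page or of Google's tooling: it expands each predefined Workflows role to the permissions listed on this page and reports which members of an IAM policy can change workflow definitions or IAM policies. The function names, the choice of "sensitive" permissions, and the sample policy are assumptions made for illustration.

```python
import fnmatch

# Permission table from this page, used to expand the workflows.* wildcard.
ALL_PERMS = {f"workflows.{p}" for p in """workflows.create workflows.delete workflows.list
    workflows.get workflows.update workflows.getIamPolicy workflows.setIamPolicy
    locations.list locations.get executions.get executions.create executions.list
    executions.cancel operations.list operations.get""".split()}

# Predefined roles as listed in the roles table on this page ("workflows." prefix omitted).
ROLES = {
    "roles/workflows.viewer": """workflows.list workflows.get locations.list locations.get
        operations.get operations.list executions.get executions.list
        workflows.getIamPolicy""",
    "roles/workflows.editor": """workflows.create workflows.delete workflows.list workflows.get
        workflows.update locations.list locations.get executions.create executions.get executions.list
        executions.cancel executions.delete operations.get operations.list operations.cancel workflows.getIamPolicy""",
    "roles/workflows.invoker": """executions.create executions.cancel executions.get
        executions.list operations.get operations.list operations.cancel""",
    "roles/workflows.admin": "*",
}

# Assumption: permissions this audit treats as sensitive (they change code or access).
SENSITIVE = {"workflows.workflows.create", "workflows.workflows.update",
             "workflows.workflows.delete", "workflows.workflows.setIamPolicy"}

def expand(role):
    """Return the full permission names a predefined Workflows role grants."""
    out = set()
    for pat in ROLES.get(role, "").split():
        full = f"workflows.{pat}"
        out |= set(fnmatch.filter(ALL_PERMS, full)) if "*" in pat else {full}
    return out

def audit(policy):
    """Map each member to the sensitive permissions its bindings grant."""
    findings = {}
    for binding in policy.get("bindings", []):
        hits = expand(binding["role"]) & SENSITIVE
        for member in binding.get("members", []):
            if hits:
                findings.setdefault(member, set()).update(hits)
    return findings

# Constructed sample in the IAM policy JSON shape (bindings of role to members).
SAMPLE_POLICY = {"bindings": [
    {"role": "roles/workflows.invoker", "members": ["serviceAccount:scheduler@example.iam.gserviceaccount.com"]},
    {"role": "roles/workflows.editor", "members": ["user:dev@example.com"]},
    {"role": "roles/workflows.admin", "members": ["group:platform@example.com"]},
]}
```

Calling `audit(SAMPLE_POLICY)` reports the editor and admin members only; the invoker service account is absent because that role grants none of the permissions treated as sensitive here.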

What's next