Access control with IAM


Identity and Access Management (IAM) lets you give access to specific resources. To give access to a resource, you grant a specific role to a user, which gives the user certain permissions.

Required roles

Every Workload Manager API method requires that the caller has the necessary IAM permissions. Permissions are assigned by granting roles to a user, group, or service account. For information about how to grant access to resources, see Manage access.

The following list shows the Workload Manager IAM roles and the permissions granted by each role.

Role: (roles/workloadmanager.admin)

Full access to all Workload Manager resources.

Permissions:

  • resourcemanager.projects.get
  • resourcemanager.projects.list
  • workloadmanager.*
      • workloadmanager.evaluations.create
      • workloadmanager.evaluations.delete
      • workloadmanager.evaluations.get
      • workloadmanager.evaluations.list
      • workloadmanager.evaluations.run
      • workloadmanager.evaluations.update
      • workloadmanager.executions.delete
      • workloadmanager.executions.get
      • workloadmanager.executions.list
      • workloadmanager.locations.get
      • workloadmanager.locations.list
      • workloadmanager.operations.cancel
      • workloadmanager.operations.delete
      • workloadmanager.operations.get
      • workloadmanager.operations.list
      • workloadmanager.results.list
      • workloadmanager.rules.list

Role: (roles/workloadmanager.viewer)

Read-only access to all Workload Manager resources.

Permissions:

  • resourcemanager.projects.get
  • resourcemanager.projects.list
  • workloadmanager.evaluations.get
  • workloadmanager.evaluations.list
  • workloadmanager.executions.get
  • workloadmanager.executions.list
  • workloadmanager.results.list
  • workloadmanager.rules.list

Role: (roles/workloadmanager.worker)

The role used by Workload Manager application runners to read and update workloads.

Permissions:

  • resourcemanager.projects.get
  • resourcemanager.projects.list
  • workloadmanager.evaluations.*
      • workloadmanager.evaluations.create
      • workloadmanager.evaluations.delete
      • workloadmanager.evaluations.get
      • workloadmanager.evaluations.list
      • workloadmanager.evaluations.run
      • workloadmanager.evaluations.update
  • workloadmanager.executions.*
      • workloadmanager.executions.delete
      • workloadmanager.executions.get
      • workloadmanager.executions.list
  • workloadmanager.results.list
  • workloadmanager.rules.list

For more information about the Workload Manager API, see the Workload Manager API reference.
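The following least-privilege check is an added example, not code from Google or from this page. It expands the three roles listed above into their permissions and reports which members of a project IAM policy hold more than read-only Workload Manager access. The policy JSON uses the bindings layout of `gcloud projects get-iam-policy --format=json`; the sample policy and its principals are constructed, and treating application runners as service accounts is an assumption.

```python
import json

# Permissions per role, transcribed from the role list on this page.
# resourcemanager.projects.get/list are in all three roles and are omitted.
P = "workloadmanager."
EVAL = {P + "evaluations." + v for v in
        ("create", "delete", "get", "list", "run", "update")}
EXEC = {P + "executions." + v for v in ("delete", "get", "list")}
READ = {P + "results.list", P + "rules.list"}
ADMIN_ONLY = ({P + "locations." + v for v in ("get", "list")} |
              {P + "operations." + v for v in ("cancel", "delete", "get", "list")})
ROLES = {
    "roles/workloadmanager.admin": EVAL | EXEC | READ | ADMIN_ONLY,
    "roles/workloadmanager.worker": EVAL | EXEC | READ,
    "roles/workloadmanager.viewer": READ | {
        P + "evaluations.get", P + "evaluations.list",
        P + "executions.get", P + "executions.list"},
}

def audit(policy):
    """Map each member to findings where its access exceeds read-only."""
    perms, roles = {}, {}
    for binding in policy.get("bindings", []):
        if binding["role"] not in ROLES:
            continue  # not a Workload Manager role
        for member in binding.get("members", []):
            perms.setdefault(member, set()).update(ROLES[binding["role"]])
            roles.setdefault(member, set()).add(binding["role"])
    report = {}
    for member, granted in perms.items():
        findings = []
        mutating = [p for p in granted if p.rsplit(".", 1)[1] not in ("get", "list")]
        if mutating:
            findings.append(f"{len(mutating)} mutating permissions")
        # Assumption: application runners are service accounts.
        if ("roles/workloadmanager.worker" in roles[member]
                and not member.startswith("serviceAccount:")):
            findings.append("worker role on a non-service-account principal")
        if findings:
            report[member] = findings
    return report

# Constructed sample policy (made-up principals), not real data.
SAMPLE = json.loads("""{"bindings": [
 {"role": "roles/workloadmanager.admin", "members": ["user:alice@example.com"]},
 {"role": "roles/workloadmanager.worker", "members": ["group:devs@example.com",
   "serviceAccount:runner@example-project.iam.gserviceaccount.com"]},
 {"role": "roles/workloadmanager.viewer", "members": ["user:bob@example.com"]},
 {"role": "roles/storage.objectViewer", "members": ["user:bob@example.com"]}]}""")
```

Calling `audit(SAMPLE)` reports the admin user, the runner service account, and the group holding the worker role; the viewer-only user is not reported.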

What's next