Access control with IAM

Identity and Access Management (IAM) lets you give access to specific resources. To give access to a resource, you grant a specific role to a user, which gives the user certain permissions.

Required roles

Every Workload Manager API method requires the necessary IAM permissions. Permissions are assigned by granting roles to a user, group, or service account. For information about how to grant access to resources, see Manage access.

The following table shows the Workload Manager IAM roles and the permissions granted by those roles.

Permissions

(roles/workloadmanager.admin)

Full access to Workload Manager all resources.

compute.acceleratorTypes.list

compute.diskTypes.list

compute.machineTypes.list

compute.networks.list

compute.projects.get

compute.regions.list

compute.subnetworks.list

compute.zones.list

dns.managedZones.list

iam.serviceAccounts.list

monitoring.timeSeries.list

orgpolicy.policy.get

resourcemanager.projects.get

resourcemanager.projects.getIamPolicy

resourcemanager.projects.list

serviceusage.quotas.get

serviceusage.services.get

storage.buckets.list

storage.objects.list

workloadmanager.*

(roles/workloadmanager.deploymentAdmin)

Full access to Workload Manager deployment resources.

compute.acceleratorTypes.list

compute.diskTypes.list

compute.machineTypes.list

compute.networks.list

compute.projects.get

compute.regions.list

compute.subnetworks.list

compute.zones.list

dns.managedZones.list

iam.serviceAccounts.list

monitoring.timeSeries.list

resourcemanager.projects.get

resourcemanager.projects.getIamPolicy

resourcemanager.projects.list

serviceusage.quotas.get

serviceusage.services.get

storage.buckets.list

storage.objects.list

workloadmanager.actuations.*

workloadmanager.deployments.*

workloadmanager.locations.*

workloadmanager.operations.*

(roles/workloadmanager.deploymentViewer)

Read-only access to Workload Manager deployment resources.

resourcemanager.projects.get

resourcemanager.projects.list

workloadmanager.actuations.get

workloadmanager.actuations.list

workloadmanager.deployments.get

workloadmanager.deployments.list

(roles/workloadmanager.evaluationAdmin)

Full access to Workload Manager evaluation resources.

orgpolicy.policy.get

resourcemanager.projects.get

resourcemanager.projects.list

workloadmanager.evaluations.*

workloadmanager.executions.*

workloadmanager.locations.*

workloadmanager.operations.*

workloadmanager.results.list

workloadmanager.rules.list

(roles/workloadmanager.evaluationViewer)

Read-only access to Workload Manager evaluation resources.

orgpolicy.policy.get

resourcemanager.projects.get

resourcemanager.projects.list

workloadmanager.evaluations.get

workloadmanager.evaluations.list

workloadmanager.executions.get

workloadmanager.executions.list

workloadmanager.results.list

workloadmanager.rules.list

(roles/workloadmanager.insightWriter)

The role used to write data to WLM data warehouse.

workloadmanager.insights.write

(roles/workloadmanager.viewer)

Read-only access to Workload Manager all resources.

orgpolicy.policy.get

resourcemanager.projects.get

resourcemanager.projects.list

workloadmanager.actuations.get

workloadmanager.actuations.list

workloadmanager.deployments.get

workloadmanager.deployments.list

workloadmanager.discoveredprofiles.*

workloadmanager.evaluations.get

workloadmanager.evaluations.list

workloadmanager.executions.get

workloadmanager.executions.list

workloadmanager.results.list

workloadmanager.rules.list

(roles/workloadmanager.worker)

The role used by Workload Manager application runners to read and update workloads.

orgpolicy.policy.get

resourcemanager.projects.get

resourcemanager.projects.list

workloadmanager.actuations.*

workloadmanager.deployments.*

workloadmanager.discoveredprofiles.*

workloadmanager.evaluations.*

workloadmanager.executions.*

workloadmanager.insights.write

workloadmanager.results.list

workloadmanager.rules.list

(roles/workloadmanager.workloadViewer)

The role used to view the workload related data.

resourcemanager.projects.get

resourcemanager.projects.list

workloadmanager.discoveredprofiles.*

(roles/workloadmanager.serviceAgent)

Gives Workload Manager Service Agent access to CAI export functions and Cloud Monitoring.

cloudasset.assets.exportAccessPolicy

cloudasset.assets.exportIamPolicy

cloudasset.assets.exportOSInventories

cloudasset.assets.exportOrgPolicy

cloudasset.assets.exportResource

cloudasset.assets.listAccessPolicy

cloudasset.assets.listIamPolicy

cloudasset.assets.listOSInventories

cloudasset.assets.listOrgPolicy

cloudasset.assets.listResource

cloudasset.assets.searchAllResources

config.deployments.create

config.deployments.delete

config.deployments.get

config.deployments.list

config.deployments.update

config.locations.*

  • config.locations.get
  • config.locations.list

config.operations.*

  • config.operations.cancel
  • config.operations.delete
  • config.operations.get
  • config.operations.list

config.resources.list

config.revisions.get

config.revisions.list

monitoring.metricDescriptors.get

monitoring.metricDescriptors.list

monitoring.monitoredResourceDescriptors.*

  • monitoring.monitoredResourceDescriptors.get
  • monitoring.monitoredResourceDescriptors.list

monitoring.timeSeries.list

serviceusage.services.use

workloadmanager.insights.export

workloadmanager.insights.listSapSystems

For more information about the Workload Manager API, see the Workload Manager API reference.

What's next