Stay organized with collections
Save and categorize content based on your preferences.
Identity and Access Management (IAM) lets you give access to specific resources.
To give access to a resource, you grant a specific role to a user, which gives
the user certain permissions.
Required roles
Every Workload Manager API method requires the necessary
IAM permissions. Permissions are assigned by granting roles to
a user, group, or service account. For information about how to grant access to
resources, see Manage access.
The following table shows the Workload Manager
IAM roles and the permissions granted by those roles.
Workload Manager roles
Permissions
Workload Manager Admin
Beta
(roles/workloadmanager.admin)
Full access to Workload Manager all resources.
compute.acceleratorTypes.list
compute.diskTypes.list
compute.machineTypes.list
compute.networks.list
compute.projects.get
compute.regions.list
compute.subnetworks.list
compute.zones.list
dns.managedZones.list
iam.serviceAccounts.list
monitoring.timeSeries.list
orgpolicy.policy.get
resourcemanager.projects.get
resourcemanager.projects.getIamPolicy
resourcemanager.projects.list
serviceusage.quotas.get
serviceusage.services.get
storage.buckets.list
storage.objects.list
workloadmanager.*
Workload Manager Deployment Admin
Beta
(roles/workloadmanager.deploymentAdmin)
Full access to Workload Manager deployment resources.
compute.acceleratorTypes.list
compute.diskTypes.list
compute.machineTypes.list
compute.networks.list
compute.projects.get
compute.regions.list
compute.subnetworks.list
compute.zones.list
dns.managedZones.list
iam.serviceAccounts.list
monitoring.timeSeries.list
resourcemanager.projects.get
resourcemanager.projects.getIamPolicy
resourcemanager.projects.list
serviceusage.quotas.get
serviceusage.services.get
storage.buckets.list
storage.objects.list
workloadmanager.actuations.*
workloadmanager.deployments.*
workloadmanager.locations.*
workloadmanager.operations.*
Workload Manager Deployment Viewer
Beta
(roles/workloadmanager.deploymentViewer)
Read-only access to Workload Manager deployment resources.
resourcemanager.projects.get
resourcemanager.projects.list
workloadmanager.actuations.get
workloadmanager.actuations.list
workloadmanager.deployments.get
workloadmanager.deployments.list
Workload Manager Evaluation Admin
Beta
(roles/workloadmanager.evaluationAdmin)
Full access to Workload Manager evaluation resources.
orgpolicy.policy.get
resourcemanager.projects.get
resourcemanager.projects.list
workloadmanager.evaluations.*
workloadmanager.executions.*
workloadmanager.locations.*
workloadmanager.operations.*
workloadmanager.results.list
workloadmanager.rules.list
Workload Manager Evaluation Viewer
Beta
(roles/workloadmanager.evaluationViewer)
Read-only access to Workload Manager evaluation resources.
orgpolicy.policy.get
resourcemanager.projects.get
resourcemanager.projects.list
workloadmanager.evaluations.get
workloadmanager.evaluations.list
workloadmanager.executions.get
workloadmanager.executions.list
workloadmanager.results.list
workloadmanager.rules.list
Workload Manager Evaluation Worker
Beta
(roles/workloadmanager.evaluationWorker)
The role used by Workload Manager application runners to read and update workloads.
workloadmanager.evaluations.*
workloadmanager.executions.*
Workload Manager Insights Writer
Beta
(roles/workloadmanager.insightWriter)
The role used to write data to WLM data warehouse.
workloadmanager.insights.write
Workload Manager Viewer
Beta
(roles/workloadmanager.viewer)
Read-only access to Workload Manager all resources.
orgpolicy.policy.get
resourcemanager.projects.get
resourcemanager.projects.list
workloadmanager.actuations.get
workloadmanager.actuations.list
workloadmanager.deployments.get
workloadmanager.deployments.list
workloadmanager.evaluations.get
workloadmanager.evaluations.list
workloadmanager.executions.get
workloadmanager.executions.list
workloadmanager.results.list
workloadmanager.rules.list
Workload Manager Worker
Beta
(roles/workloadmanager.worker)
The role used by Workload Manager application runners to read and update workloads.
orgpolicy.policy.get
resourcemanager.projects.get
resourcemanager.projects.list
workloadmanager.actuations.*
workloadmanager.deployments.*
workloadmanager.evaluations.*
workloadmanager.executions.*
workloadmanager.insights.write
workloadmanager.results.list
workloadmanager.rules.list
Workload Manager Service Agent
(roles/workloadmanager.serviceAgent)
Gives Workload Manager Service Agent access to CAI export functions and Cloud Monitoring.
