IAM roles and permissions

This document lists the roles and permissions you need on the consumer and target projects to use Workload Manager evaluations, and the roles that the Workload Manager service agent that runs the evaluation must hold.

Workload Manager projects

A Workload Manager evaluation scans resources in one or more projects, called target projects, but the evaluation itself is stored in a single project, called the consumer project.

You use the consumer project to access Workload Manager in the Google Cloud console, and to create and run evaluations. When you create an evaluation using the Google Cloud console, in the Evaluation scope section of the workflow, you specify the target projects that hold the resources you want to evaluate.

If the resources to evaluate are in the same project where you create the Workload Manager evaluation, then the consumer project is also one of your target projects.

Summary of required permissions to create and run an evaluation

The following table summarizes the permissions required for users in the consumer and target projects to create and run evaluations using Workload Manager. To get the permission that you need, ask your administrator to grant you a role that includes the required permission or create a custom role.

Action: Enable Workload Manager API
  • Consumer project: permission serviceusage.services.enable. Predefined role that includes the permission: roles/serviceusage.serviceUsageAdmin.
  • Target project: none.

Action: Create an evaluation
  • Consumer project:
    1. Permission to create the Workload Manager service agent: resourcemanager.projects.setIamPolicy. Predefined role that includes the permission: roles/resourcemanager.projectIamAdmin. Required only when you create the first evaluation.
    2. Predefined role that grants permission to create an evaluation: roles/workloadmanager.evaluationAdmin.
  • Target project: permission to create the Workload Manager service agent: resourcemanager.projects.setIamPolicy. Predefined role that includes the permission: roles/resourcemanager.projectIamAdmin. Required only when you create the first evaluation.

Action: Run an evaluation
  • Consumer project: permission workloadmanager.evaluations.run. Predefined role that includes the permission: roles/workloadmanager.evaluationAdmin.
  • Target project: none.

Action: View evaluation results
  • Consumer project: permission workloadmanager.results.list. Predefined role that includes the permission: roles/workloadmanager.evaluationAdmin or roles/workloadmanager.evaluationViewer.
  • Target project: none.

Workload Manager service agents

Workload Manager uses service agents (Google-managed service accounts) to access the resources in the associated projects on your behalf, so the roles granted to the service agent define what an evaluation can read.

You can use the Google Cloud console or the Workload Manager API to evaluate workloads. If you use the Google Cloud console, Workload Manager creates all required service agents automatically. If you use the Workload Manager API, you must manually create the service agents.

Required roles

To get the permission that you need to create a service agent, ask your administrator to grant you the Project IAM Admin (roles/resourcemanager.projectIamAdmin) IAM role on the consumer project and on each target project in scope. For more information about granting roles, see Manage access to projects, folders, and organizations.

This predefined role contains the resourcemanager.projects.setIamPolicy permission, which is required to create the service agent and grant it roles.

You might also be able to get this permission with custom roles or other predefined roles.

Create and grant roles to service agents

Google Cloud console

If you use the Google Cloud console to evaluate workloads, then Workload Manager creates the service agent in the consumer project automatically.

The email address for this service agent is service-PROJECT_NUMBER@gcp-sa-workloadmanager.iam.gserviceaccount.com, and it is called Workload Manager Service Account.

Workload Manager service agents require the following roles to run evaluations. If prompted, grant these roles to the service agents.

  • Workload Manager Service Agent (roles/workloadmanager.serviceAgent): required in the target projects.
  • Workload Manager Worker (roles/workloadmanager.worker): required in the consumer project only if you set a frequency for the evaluation.

Workload Manager API

If you use the Workload Manager API to evaluate workloads, then you must manually create the Workload Manager service agent in the consumer project before you create an evaluation. To create a service agent, use the gcloud beta services identity create command:

  gcloud beta services identity create --service=workloadmanager.googleapis.com  \
      --project=PROJECT_NUMBER

Replace PROJECT_NUMBER with the numeric ID of the consumer project in which you want to create the service agent.

After creating the service agent, you must grant the following roles to the service agent:

  • Workload Manager Service Agent (roles/workloadmanager.serviceAgent): required in the target projects.
  • Workload Manager Worker (roles/workloadmanager.worker): required in the consumer project only if you set a frequency for the evaluation.

For more information, see Grant a role to the service agent.
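The steps above (create the service agent in the consumer project, grant roles/workloadmanager.serviceAgent on each target project, grant roles/workloadmanager.worker on the consumer project only for scheduled evaluations) wired together as one script. This is an added example, not part of the Workload Manager documentation or product; the function names, the DRY_RUN switch, and the project values 123456789012, target-a and target-b used in the usage note are assumptions for illustration. It uses only documented gcloud commands: the identity create command from this page, gcloud projects add-iam-policy-binding, and gcloud projects get-iam-policy with --flatten and --filter to list what the agent actually holds afterwards.

```shell
#!/usr/bin/env bash
# Added example (not from the Workload Manager documentation): create the
# Workload Manager service agent in the consumer project, grant it the roles
# the page lists on each in-scope target project, and list what it holds.
# Set DRY_RUN=1 to print the gcloud commands instead of running them.
set -eu

# Service agent email as documented on the page: derived from the consumer
# project NUMBER, not the project ID.
wlm_service_agent() {
  printf 'service-%s@gcp-sa-workloadmanager.iam.gserviceaccount.com\n' "$1"
}

# Run a command, or just print it when DRY_RUN=1 (assumed helper).
run() {
  if [ "${DRY_RUN:-0}" = 1 ]; then
    printf '%s\n' "$*"
  else
    "$@"
  fi
}

# Usage: setup_wlm_service_agent CONSUMER_PROJECT_NUMBER SCHEDULED TARGET_PROJECT...
#   SCHEDULED is 1 if the evaluation has a frequency (needs roles/workloadmanager.worker
#   on the consumer project), else 0. If the consumer project also holds resources
#   to evaluate, pass it in the target list too; it then gets serviceAgent there as well.
setup_wlm_service_agent() {
  local consumer_number=$1 scheduled=$2
  shift 2
  local agent
  agent=$(wlm_service_agent "$consumer_number")

  # 1. Create the service agent in the consumer project (safe to repeat).
  run gcloud beta services identity create \
      --service=workloadmanager.googleapis.com --project="$consumer_number"

  # 2. Grant roles/workloadmanager.serviceAgent on each target project only.
  #    This is a cross-project grant, so keep the list to projects in scope.
  local target
  for target in "$@"; do
    run gcloud projects add-iam-policy-binding "$target" \
        --member="serviceAccount:$agent" \
        --role=roles/workloadmanager.serviceAgent --condition=None
  done

  # 3. roles/workloadmanager.worker is needed on the consumer project only for
  #    scheduled evaluations; skip it otherwise (least privilege).
  if [ "$scheduled" = 1 ]; then
    run gcloud projects add-iam-policy-binding "$consumer_number" \
        --member="serviceAccount:$agent" \
        --role=roles/workloadmanager.worker --condition=None
  fi
}

# Usage: wlm_agent_roles CONSUMER_PROJECT_NUMBER PROJECT
# Prints the roles the service agent holds in PROJECT, one per line, so you can
# confirm nothing beyond serviceAgent (and worker on the consumer) was granted.
wlm_agent_roles() {
  local agent
  agent=$(wlm_service_agent "$1")
  run gcloud projects get-iam-policy "$2" \
      --flatten='bindings[].members' \
      --filter="bindings.members:$agent" \
      --format='value(bindings.role)'
}
```

Source the file and call the functions, for example `DRY_RUN=1 setup_wlm_service_agent 123456789012 1 target-a target-b` to review the four commands before running them for real, then `wlm_agent_roles 123456789012 target-a` to check that the agent holds only roles/workloadmanager.serviceAgent in that target project. The --condition=None flag makes add-iam-policy-binding non-interactive when the project's policy already contains conditional bindings.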

Additional Workload Manager roles

Users require additional Workload Manager roles to control further access to Workload Manager evaluations and resources.

For more information, see Workload Manager: Access control with IAM.

What's next