IAM roles and permissions

This document lists the roles and permissions you need on different projects to use Workload Manager evaluation and to automatically create Workload Manager service accounts for running the evaluation.

Workload Manager projects

Workload Manager evaluations scan resources across multiple projects, called target projects, but each evaluation is stored in only one project, called the consumer project.

You use the consumer project to access Workload Manager in the Google Cloud console, and to create and run evaluations. When you create an evaluation using the Google Cloud console, in the Evaluation scope section of the workflow, you specify the target projects that hold the resources you want to evaluate.

If the resources to evaluate are in the same project where you create the Workload Manager evaluation, then the consumer project is also considered one of your target projects.

Summary of required permissions to create and run an evaluation

The following table summarizes the permissions required for users in the consumer and target projects to create and run evaluations using Workload Manager. To get the permission that you need, ask your administrator to grant you a role that includes the required permission or create a custom role.

Action: Enable Workload Manager API
  Consumer project:
    Permission: serviceusage.services.enable
    Predefined role that includes the permission: roles/serviceusage.serviceUsageAdmin
  Target project:
    None

Action: Create an evaluation
  Consumer project:
    1. Permission to create a service account: resourcemanager.projects.setIamPolicy
       Predefined role that includes the permission: roles/resourcemanager.projectIamAdmin
       Required only when you create the first evaluation.
    2. Predefined role that grants permission to create an evaluation: roles/workloadmanager.admin
  Target project:
    Permission to create a service account: resourcemanager.projects.setIamPolicy
    Predefined role that includes the permission: roles/resourcemanager.projectIamAdmin
    Required only when you create the first evaluation.

Action: Run an evaluation
  Consumer project:
    Permission: workloadmanager.evaluations.run
    Predefined role that includes the permission: roles/workloadmanager.admin
  Target project:
    None

Action: View evaluation results
  Consumer project:
    Permission: workloadmanager.results.list
    Predefined role that includes the permission: roles/workloadmanager.admin or roles/workloadmanager.viewer
  Target project:
    None

Workload Manager service accounts

Workload Manager uses Google-managed service accounts to control access and communication between resources and the associated projects. Workload Manager creates all required service accounts automatically when you create an evaluation.

To get the permission that you need to automatically create a service account when you create the first evaluation, ask your administrator to grant you the Project IAM Admin (roles/resourcemanager.projectIamAdmin) IAM role on each target project in scope. For more information about granting roles, see Manage access.

This predefined role contains the resourcemanager.projects.setIamPolicy permission, which is required to automatically create a service account when you create the first evaluation.

You might also be able to get this permission with custom roles or other predefined roles.

Workload Manager service accounts are given the following roles required to run evaluations in the target projects if they don't already exist:

  • Cloud Asset Inventory Viewer (roles/cloudasset.viewer)
  • Cloud Monitoring Viewer (roles/monitoring.viewer)
  • Workload Manager Worker (roles/workloadmanager.worker)
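
The role requirements above can be checked against exported IAM policies before an evaluation is created, and afterwards to find who still holds Project IAM Admin, which is required only for the first evaluation. The following is an added example, not Google's code: the function names, the sample policy, and the placeholder service account address are assumptions made for illustration.

```python
# Added example. Policies use the JSON shape printed by
# `gcloud projects get-iam-policy PROJECT_ID --format=json`. Only direct project
# bindings of the predefined roles named on this page are checked.

IAM_ADMIN = "roles/resourcemanager.projectIamAdmin"
WLM_ADMIN = "roles/workloadmanager.admin"
# Per action: (consumer role groups, target role groups); any role in a group suffices.
REQUIRED = {
    "enable_api": ([{"roles/serviceusage.serviceUsageAdmin"}], []),
    "create_first_evaluation": ([{IAM_ADMIN}, {WLM_ADMIN}], [{IAM_ADMIN}]),
    "run_evaluation": ([{WLM_ADMIN}], []),
    "view_results": ([{WLM_ADMIN, "roles/workloadmanager.viewer"}], []),
}
# Roles the Workload Manager service accounts are given in target projects.
SERVICE_ACCOUNT_ROLES = {"roles/cloudasset.viewer", "roles/monitoring.viewer",
                         "roles/workloadmanager.worker"}
# Constructed sample policy for one target project (not real data).
SAMPLE_TARGET = {"bindings": [
    {"role": IAM_ADMIN, "members": ["user:alice@example.com"]},
    {"role": "roles/monitoring.viewer", "members": ["serviceAccount:wlm-sa@example.invalid"]},
]}

def roles_of(policy, member):
    """Roles bound directly to `member` in one project's IAM policy."""
    return {b["role"] for b in policy.get("bindings", [])
            if member in b.get("members", [])}

def missing_roles(action, member, consumer_policy, target_policies):
    """Map project label -> unmet role groups for `member` and `action`."""
    consumer_groups, target_groups = REQUIRED[action]
    checks = [("consumer", consumer_policy, consumer_groups)]
    checks += [(name, pol, target_groups) for name, pol in target_policies.items()]
    gaps = {}
    for label, policy, groups in checks:
        held = roles_of(policy, member)
        unmet = [sorted(g) for g in groups if not g & held]
        if unmet:
            gaps[label] = unmet
    return gaps

def service_account_gaps(service_account, target_policy):
    """Service-account roles from the page not yet bound in a target project."""
    return sorted(SERVICE_ACCOUNT_ROLES - roles_of(target_policy, service_account))

def iam_admin_holders(policy):
    """Members holding Project IAM Admin, needed only for the first evaluation."""
    return sorted({m for b in policy.get("bindings", [])
                   if b["role"] == IAM_ADMIN for m in b.get("members", [])})
```

A reported gap means only that the named predefined role is not bound on the project itself; the permission may still come from a custom role, another predefined role, or a binding inherited from a folder or organization.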

Additional Workload Manager roles

Users require additional Workload Manager roles to control further access to Workload Manager evaluations and resources.

For more information, see Workload Manager: Access control with IAM.
