GCP Predefined Roles Finder

1003results

Role	Permissions
Access Approval Approver roles/accessapproval.approver Ability to view or act on access approval requests and view configuration	accessapproval.requests.* accessapproval.settings.get resourcemanager.projects.get resourcemanager.projects.list
Access Approval Config Editor roles/accessapproval.configEditor Ability to update the Access Approval configuration	accessapproval.settings.* resourcemanager.projects.get resourcemanager.projects.list
Access Approval Viewer roles/accessapproval.viewer Ability to view access approval requests and configuration	accessapproval.requests.get accessapproval.requests.list accessapproval.settings.get resourcemanager.projects.get resourcemanager.projects.list
Cloud Access Binding Admin roles/accesscontextmanager.gcpAccessAdmin Create, edit, and change Cloud access bindings.	accesscontextmanager.gcpUserAccessBindings.*
Cloud Access Binding Reader roles/accesscontextmanager.gcpAccessReader Read access to Cloud access bindings.	accesscontextmanager.gcpUserAccessBindings.get accesscontextmanager.gcpUserAccessBindings.list
Access Context Manager Admin roles/accesscontextmanager.policyAdmin Full access to policies, access levels, and access zones	accesscontextmanager.accessLevels.* accesscontextmanager.accessPolicies.* accesscontextmanager.accessZones.* accesscontextmanager.policies.* accesscontextmanager.servicePerimeters.* cloudasset.assets.searchAllResources resourcemanager.organizations.get resourcemanager.projects.get resourcemanager.projects.list
Access Context Manager Editor roles/accesscontextmanager.policyEditor Edit access to policies. Create, edit, and change access levels and access zones.	accesscontextmanager.accessLevels.* accesscontextmanager.accessPolicies.create accesscontextmanager.accessPolicies.delete accesscontextmanager.accessPolicies.get accesscontextmanager.accessPolicies.getIamPolicy accesscontextmanager.accessPolicies.list accesscontextmanager.accessPolicies.update accesscontextmanager.accessZones.* accesscontextmanager.policies.create accesscontextmanager.policies.delete accesscontextmanager.policies.get accesscontextmanager.policies.getIamPolicy accesscontextmanager.policies.list accesscontextmanager.policies.update accesscontextmanager.servicePerimeters.* cloudasset.assets.searchAllResources resourcemanager.organizations.get resourcemanager.projects.get resourcemanager.projects.list
Access Context Manager Reader roles/accesscontextmanager.policyReader Read access to policies, access levels, and access zones.	accesscontextmanager.accessLevels.get accesscontextmanager.accessLevels.list accesscontextmanager.accessPolicies.get accesscontextmanager.accessPolicies.getIamPolicy accesscontextmanager.accessPolicies.list accesscontextmanager.accessZones.get accesscontextmanager.accessZones.list accesscontextmanager.policies.get accesscontextmanager.policies.getIamPolicy accesscontextmanager.policies.list accesscontextmanager.servicePerimeters.get accesscontextmanager.servicePerimeters.list resourcemanager.organizations.get resourcemanager.projects.get resourcemanager.projects.list
VPC Service Controls Troubleshooter Viewer roles/accesscontextmanager.vpcScTroubleshooterViewer	accesscontextmanager.accessLevels.get accesscontextmanager.accessLevels.list accesscontextmanager.policies.get accesscontextmanager.policies.getIamPolicy accesscontextmanager.policies.list accesscontextmanager.servicePerimeters.get accesscontextmanager.servicePerimeters.list logging.exclusions.get logging.exclusions.list logging.logEntries.list logging.logMetrics.get logging.logMetrics.list logging.logServiceIndexes.* logging.logServices.* logging.logs.list logging.sinks.get logging.sinks.list logging.usage.* resourcemanager.organizations.get resourcemanager.projects.get resourcemanager.projects.list
Actions Admin roles/actions.Admin Access to edit and deploy an action	actions.* firebase.projects.get firebase.projects.update resourcemanager.projects.get resourcemanager.projects.list serviceusage.services.use
Actions Viewer roles/actions.Viewer Access to view an action	actions.agent.get actions.agentVersions.get actions.agentVersions.list firebase.projects.get resourcemanager.projects.get resourcemanager.projects.list serviceusage.services.use
Notebooks Admin roles/notebooks.admin Full access to Notebooks, all resources.	compute.acceleratorTypes.* compute.addresses.get compute.addresses.list compute.autoscalers.get compute.autoscalers.list compute.backendBuckets.get compute.backendBuckets.list compute.backendServices.get compute.backendServices.getIamPolicy compute.backendServices.list compute.commitments.get compute.commitments.list compute.diskTypes.* compute.disks.get compute.disks.getIamPolicy compute.disks.list compute.disks.listTagBindings compute.externalVpnGateways.get compute.externalVpnGateways.list compute.firewallPolicies.get compute.firewallPolicies.getIamPolicy compute.firewallPolicies.list compute.firewalls.get compute.firewalls.list compute.forwardingRules.get compute.forwardingRules.list compute.globalAddresses.get compute.globalAddresses.list compute.globalForwardingRules.get compute.globalForwardingRules.list compute.globalForwardingRules.pscGet compute.globalNetworkEndpointGroups.get compute.globalNetworkEndpointGroups.list compute.globalOperations.get compute.globalOperations.getIamPolicy compute.globalOperations.list compute.globalPublicDelegatedPrefixes.get compute.globalPublicDelegatedPrefixes.list compute.healthChecks.get compute.healthChecks.list compute.httpHealthChecks.get compute.httpHealthChecks.list compute.httpsHealthChecks.get compute.httpsHealthChecks.list compute.images.get compute.images.getFromFamily compute.images.getIamPolicy compute.images.list compute.images.listTagBindings compute.instanceGroupManagers.get compute.instanceGroupManagers.list compute.instanceGroups.get compute.instanceGroups.list compute.instanceTemplates.get compute.instanceTemplates.getIamPolicy compute.instanceTemplates.list compute.instances.get compute.instances.getEffectiveFirewalls compute.instances.getGuestAttributes compute.instances.getIamPolicy compute.instances.getScreenshot compute.instances.getSerialPortOutput compute.instances.getShieldedInstanceIdentity compute.instances.getShieldedVmIdentity compute.instances.list compute.instances.listReferrers compute.interconnectAttachments.get compute.interconnectAttachments.list compute.interconnectLocations.* compute.interconnects.get compute.interconnects.list compute.licenseCodes.get compute.licenseCodes.getIamPolicy compute.licenseCodes.list compute.licenses.get compute.licenses.getIamPolicy compute.licenses.list compute.machineImages.get compute.machineImages.getIamPolicy compute.machineImages.list compute.machineTypes.* compute.maintenancePolicies.get compute.maintenancePolicies.getIamPolicy compute.maintenancePolicies.list compute.networkEndpointGroups.get compute.networkEndpointGroups.getIamPolicy compute.networkEndpointGroups.list compute.networks.get compute.networks.getEffectiveFirewalls compute.networks.getRegionEffectiveFirewalls compute.networks.list compute.networks.listPeeringRoutes compute.nodeGroups.get compute.nodeGroups.getIamPolicy compute.nodeGroups.list compute.nodeTemplates.get compute.nodeTemplates.getIamPolicy compute.nodeTemplates.list compute.nodeTypes.* compute.organizations.listAssociations compute.packetMirrorings.get compute.packetMirrorings.list compute.projects.get compute.publicAdvertisedPrefixes.get compute.publicAdvertisedPrefixes.list compute.publicDelegatedPrefixes.get compute.publicDelegatedPrefixes.list compute.regionBackendServices.get compute.regionBackendServices.getIamPolicy compute.regionBackendServices.list compute.regionFirewallPolicies.get compute.regionFirewallPolicies.getIamPolicy compute.regionFirewallPolicies.list compute.regionHealthCheckServices.get compute.regionHealthCheckServices.list compute.regionHealthChecks.get compute.regionHealthChecks.list compute.regionNetworkEndpointGroups.get compute.regionNetworkEndpointGroups.list compute.regionNotificationEndpoints.get compute.regionNotificationEndpoints.list compute.regionOperations.get compute.regionOperations.getIamPolicy compute.regionOperations.list compute.regionSslCertificates.get compute.regionSslCertificates.list compute.regionTargetHttpProxies.get compute.regionTargetHttpProxies.list compute.regionTargetHttpsProxies.get compute.regionTargetHttpsProxies.list compute.regionUrlMaps.get compute.regionUrlMaps.list compute.regionUrlMaps.validate compute.regions.* compute.reservations.get compute.reservations.list compute.resourcePolicies.get compute.resourcePolicies.list compute.routers.get compute.routers.list compute.routes.get compute.routes.list compute.securityPolicies.get compute.securityPolicies.getIamPolicy compute.securityPolicies.list compute.serviceAttachments.get compute.serviceAttachments.list compute.snapshots.get compute.snapshots.getIamPolicy compute.snapshots.list compute.snapshots.listTagBindings compute.sslCertificates.get compute.sslCertificates.list compute.sslPolicies.get compute.sslPolicies.list compute.sslPolicies.listAvailableFeatures compute.subnetworks.get compute.subnetworks.getIamPolicy compute.subnetworks.list compute.targetGrpcProxies.get compute.targetGrpcProxies.list compute.targetHttpProxies.get compute.targetHttpProxies.list compute.targetHttpsProxies.get compute.targetHttpsProxies.list compute.targetInstances.get compute.targetInstances.list compute.targetPools.get compute.targetPools.list compute.targetSslProxies.get compute.targetSslProxies.list compute.targetTcpProxies.get compute.targetTcpProxies.list compute.targetVpnGateways.get compute.targetVpnGateways.list compute.urlMaps.get compute.urlMaps.list compute.urlMaps.validate compute.vpnGateways.get compute.vpnGateways.list compute.vpnTunnels.get compute.vpnTunnels.list compute.zoneOperations.get compute.zoneOperations.getIamPolicy compute.zoneOperations.list compute.zones.* notebooks.* resourcemanager.projects.get resourcemanager.projects.list serviceusage.quotas.get serviceusage.services.get serviceusage.services.list
Notebooks Legacy Admin roles/notebooks.legacyAdmin Full access to Notebooks all resources through compute API.	compute.* notebooks.* resourcemanager.projects.get resourcemanager.projects.list serviceusage.quotas.get serviceusage.services.get serviceusage.services.list
Notebooks Legacy Viewer roles/notebooks.legacyViewer Read-only access to Notebooks all resources through compute API.	compute.acceleratorTypes.* compute.addresses.get compute.addresses.list compute.autoscalers.get compute.autoscalers.list compute.backendBuckets.get compute.backendBuckets.list compute.backendServices.get compute.backendServices.getIamPolicy compute.backendServices.list compute.commitments.get compute.commitments.list compute.diskTypes.* compute.disks.get compute.disks.getIamPolicy compute.disks.list compute.disks.listTagBindings compute.externalVpnGateways.get compute.externalVpnGateways.list compute.firewallPolicies.get compute.firewallPolicies.getIamPolicy compute.firewallPolicies.list compute.firewalls.get compute.firewalls.list compute.forwardingRules.get compute.forwardingRules.list compute.globalAddresses.get compute.globalAddresses.list compute.globalForwardingRules.get compute.globalForwardingRules.list compute.globalForwardingRules.pscGet compute.globalNetworkEndpointGroups.get compute.globalNetworkEndpointGroups.list compute.globalOperations.get compute.globalOperations.getIamPolicy compute.globalOperations.list compute.globalPublicDelegatedPrefixes.get compute.globalPublicDelegatedPrefixes.list compute.healthChecks.get compute.healthChecks.list compute.httpHealthChecks.get compute.httpHealthChecks.list compute.httpsHealthChecks.get compute.httpsHealthChecks.list compute.images.get compute.images.getFromFamily compute.images.getIamPolicy compute.images.list compute.images.listTagBindings compute.instanceGroupManagers.get compute.instanceGroupManagers.list compute.instanceGroups.get compute.instanceGroups.list compute.instanceTemplates.get compute.instanceTemplates.getIamPolicy compute.instanceTemplates.list compute.instances.get compute.instances.getEffectiveFirewalls compute.instances.getGuestAttributes compute.instances.getIamPolicy compute.instances.getScreenshot compute.instances.getSerialPortOutput compute.instances.getShieldedInstanceIdentity compute.instances.getShieldedVmIdentity compute.instances.list compute.instances.listReferrers compute.interconnectAttachments.get compute.interconnectAttachments.list compute.interconnectLocations.* compute.interconnects.get compute.interconnects.list compute.licenseCodes.get compute.licenseCodes.getIamPolicy compute.licenseCodes.list compute.licenses.get compute.licenses.getIamPolicy compute.licenses.list compute.machineImages.get compute.machineImages.getIamPolicy compute.machineImages.list compute.machineTypes.* compute.maintenancePolicies.get compute.maintenancePolicies.getIamPolicy compute.maintenancePolicies.list compute.networkEndpointGroups.get compute.networkEndpointGroups.getIamPolicy compute.networkEndpointGroups.list compute.networks.get compute.networks.getEffectiveFirewalls compute.networks.getRegionEffectiveFirewalls compute.networks.list compute.networks.listPeeringRoutes compute.nodeGroups.get compute.nodeGroups.getIamPolicy compute.nodeGroups.list compute.nodeTemplates.get compute.nodeTemplates.getIamPolicy compute.nodeTemplates.list compute.nodeTypes.* compute.organizations.listAssociations compute.packetMirrorings.get compute.packetMirrorings.list compute.projects.get compute.publicAdvertisedPrefixes.get compute.publicAdvertisedPrefixes.list compute.publicDelegatedPrefixes.get compute.publicDelegatedPrefixes.list compute.regionBackendServices.get compute.regionBackendServices.getIamPolicy compute.regionBackendServices.list compute.regionFirewallPolicies.get compute.regionFirewallPolicies.getIamPolicy compute.regionFirewallPolicies.list compute.regionHealthCheckServices.get compute.regionHealthCheckServices.list compute.regionHealthChecks.get compute.regionHealthChecks.list compute.regionNetworkEndpointGroups.get compute.regionNetworkEndpointGroups.list compute.regionNotificationEndpoints.get compute.regionNotificationEndpoints.list compute.regionOperations.get compute.regionOperations.getIamPolicy compute.regionOperations.list compute.regionSslCertificates.get compute.regionSslCertificates.list compute.regionTargetHttpProxies.get compute.regionTargetHttpProxies.list compute.regionTargetHttpsProxies.get compute.regionTargetHttpsProxies.list compute.regionUrlMaps.get compute.regionUrlMaps.list compute.regionUrlMaps.validate compute.regions.* compute.reservations.get compute.reservations.list compute.resourcePolicies.get compute.resourcePolicies.list compute.routers.get compute.routers.list compute.routes.get compute.routes.list compute.securityPolicies.get compute.securityPolicies.getIamPolicy compute.securityPolicies.list compute.serviceAttachments.get compute.serviceAttachments.list compute.snapshots.get compute.snapshots.getIamPolicy compute.snapshots.list compute.snapshots.listTagBindings compute.sslCertificates.get compute.sslCertificates.list compute.sslPolicies.get compute.sslPolicies.list compute.sslPolicies.listAvailableFeatures compute.subnetworks.get compute.subnetworks.getIamPolicy compute.subnetworks.list compute.targetGrpcProxies.get compute.targetGrpcProxies.list compute.targetHttpProxies.get compute.targetHttpProxies.list compute.targetHttpsProxies.get compute.targetHttpsProxies.list compute.targetInstances.get compute.targetInstances.list compute.targetPools.get compute.targetPools.list compute.targetSslProxies.get compute.targetSslProxies.list compute.targetTcpProxies.get compute.targetTcpProxies.list compute.targetVpnGateways.get compute.targetVpnGateways.list compute.urlMaps.get compute.urlMaps.list compute.urlMaps.validate compute.vpnGateways.get compute.vpnGateways.list compute.vpnTunnels.get compute.vpnTunnels.list compute.zoneOperations.get compute.zoneOperations.getIamPolicy compute.zoneOperations.list compute.zones.* notebooks.environments.get notebooks.environments.getIamPolicy notebooks.environments.list notebooks.executions.get notebooks.executions.getIamPolicy notebooks.executions.list notebooks.instances.checkUpgradability notebooks.instances.get notebooks.instances.getHealth notebooks.instances.getIamPolicy notebooks.instances.list notebooks.locations.* notebooks.operations.get notebooks.operations.list notebooks.runtimes.get notebooks.runtimes.getIamPolicy notebooks.runtimes.list notebooks.schedules.get notebooks.schedules.getIamPolicy notebooks.schedules.list resourcemanager.projects.get resourcemanager.projects.list serviceusage.quotas.get serviceusage.services.get serviceusage.services.list
Notebooks Runner roles/notebooks.runner Restricted access for running scheduled Notebooks.	compute.acceleratorTypes.* compute.addresses.get compute.addresses.list compute.autoscalers.get compute.autoscalers.list compute.backendBuckets.get compute.backendBuckets.list compute.backendServices.get compute.backendServices.getIamPolicy compute.backendServices.list compute.commitments.get compute.commitments.list compute.diskTypes.* compute.disks.get compute.disks.getIamPolicy compute.disks.list compute.disks.listTagBindings compute.externalVpnGateways.get compute.externalVpnGateways.list compute.firewallPolicies.get compute.firewallPolicies.getIamPolicy compute.firewallPolicies.list compute.firewalls.get compute.firewalls.list compute.forwardingRules.get compute.forwardingRules.list compute.globalAddresses.get compute.globalAddresses.list compute.globalForwardingRules.get compute.globalForwardingRules.list compute.globalForwardingRules.pscGet compute.globalNetworkEndpointGroups.get compute.globalNetworkEndpointGroups.list compute.globalOperations.get compute.globalOperations.getIamPolicy compute.globalOperations.list compute.globalPublicDelegatedPrefixes.get compute.globalPublicDelegatedPrefixes.list compute.healthChecks.get compute.healthChecks.list compute.httpHealthChecks.get compute.httpHealthChecks.list compute.httpsHealthChecks.get compute.httpsHealthChecks.list compute.images.get compute.images.getFromFamily compute.images.getIamPolicy compute.images.list compute.images.listTagBindings compute.instanceGroupManagers.get compute.instanceGroupManagers.list compute.instanceGroups.get compute.instanceGroups.list compute.instanceTemplates.get compute.instanceTemplates.getIamPolicy compute.instanceTemplates.list compute.instances.get compute.instances.getEffectiveFirewalls compute.instances.getGuestAttributes compute.instances.getIamPolicy compute.instances.getScreenshot compute.instances.getSerialPortOutput compute.instances.getShieldedInstanceIdentity compute.instances.getShieldedVmIdentity compute.instances.list compute.instances.listReferrers compute.interconnectAttachments.get compute.interconnectAttachments.list compute.interconnectLocations.* compute.interconnects.get compute.interconnects.list compute.licenseCodes.get compute.licenseCodes.getIamPolicy compute.licenseCodes.list compute.licenses.get compute.licenses.getIamPolicy compute.licenses.list compute.machineImages.get compute.machineImages.getIamPolicy compute.machineImages.list compute.machineTypes.* compute.maintenancePolicies.get compute.maintenancePolicies.getIamPolicy compute.maintenancePolicies.list compute.networkEndpointGroups.get compute.networkEndpointGroups.getIamPolicy compute.networkEndpointGroups.list compute.networks.get compute.networks.getEffectiveFirewalls compute.networks.getRegionEffectiveFirewalls compute.networks.list compute.networks.listPeeringRoutes compute.nodeGroups.get compute.nodeGroups.getIamPolicy compute.nodeGroups.list compute.nodeTemplates.get compute.nodeTemplates.getIamPolicy compute.nodeTemplates.list compute.nodeTypes.* compute.organizations.listAssociations compute.packetMirrorings.get compute.packetMirrorings.list compute.projects.get compute.publicAdvertisedPrefixes.get compute.publicAdvertisedPrefixes.list compute.publicDelegatedPrefixes.get compute.publicDelegatedPrefixes.list compute.regionBackendServices.get compute.regionBackendServices.getIamPolicy compute.regionBackendServices.list compute.regionFirewallPolicies.get compute.regionFirewallPolicies.getIamPolicy compute.regionFirewallPolicies.list compute.regionHealthCheckServices.get compute.regionHealthCheckServices.list compute.regionHealthChecks.get compute.regionHealthChecks.list compute.regionNetworkEndpointGroups.get compute.regionNetworkEndpointGroups.list compute.regionNotificationEndpoints.get compute.regionNotificationEndpoints.list compute.regionOperations.get compute.regionOperations.getIamPolicy compute.regionOperations.list compute.regionSslCertificates.get compute.regionSslCertificates.list compute.regionTargetHttpProxies.get compute.regionTargetHttpProxies.list compute.regionTargetHttpsProxies.get compute.regionTargetHttpsProxies.list compute.regionUrlMaps.get compute.regionUrlMaps.list compute.regionUrlMaps.validate compute.regions.* compute.reservations.get compute.reservations.list compute.resourcePolicies.get compute.resourcePolicies.list compute.routers.get compute.routers.list compute.routes.get compute.routes.list compute.securityPolicies.get compute.securityPolicies.getIamPolicy compute.securityPolicies.list compute.serviceAttachments.get compute.serviceAttachments.list compute.snapshots.get compute.snapshots.getIamPolicy compute.snapshots.list compute.snapshots.listTagBindings compute.sslCertificates.get compute.sslCertificates.list compute.sslPolicies.get compute.sslPolicies.list compute.sslPolicies.listAvailableFeatures compute.subnetworks.get compute.subnetworks.getIamPolicy compute.subnetworks.list compute.targetGrpcProxies.get compute.targetGrpcProxies.list compute.targetHttpProxies.get compute.targetHttpProxies.list compute.targetHttpsProxies.get compute.targetHttpsProxies.list compute.targetInstances.get compute.targetInstances.list compute.targetPools.get compute.targetPools.list compute.targetSslProxies.get compute.targetSslProxies.list compute.targetTcpProxies.get compute.targetTcpProxies.list compute.targetVpnGateways.get compute.targetVpnGateways.list compute.urlMaps.get compute.urlMaps.list compute.urlMaps.validate compute.vpnGateways.get compute.vpnGateways.list compute.vpnTunnels.get compute.vpnTunnels.list compute.zoneOperations.get compute.zoneOperations.getIamPolicy compute.zoneOperations.list compute.zones.* notebooks.environments.get notebooks.environments.getIamPolicy notebooks.environments.list notebooks.executions.create notebooks.executions.get notebooks.executions.getIamPolicy notebooks.executions.list notebooks.instances.checkUpgradability notebooks.instances.create notebooks.instances.get notebooks.instances.getHealth notebooks.instances.getIamPolicy notebooks.instances.list notebooks.locations.* notebooks.operations.get notebooks.operations.list notebooks.runtimes.create notebooks.runtimes.get notebooks.runtimes.getIamPolicy notebooks.runtimes.list notebooks.schedules.create notebooks.schedules.get notebooks.schedules.getIamPolicy notebooks.schedules.list resourcemanager.projects.get resourcemanager.projects.list serviceusage.quotas.get serviceusage.services.get serviceusage.services.list
Notebooks Viewer roles/notebooks.viewer Read-only access to Notebooks, all resources.	compute.acceleratorTypes.* compute.addresses.get compute.addresses.list compute.autoscalers.get compute.autoscalers.list compute.backendBuckets.get compute.backendBuckets.list compute.backendServices.get compute.backendServices.getIamPolicy compute.backendServices.list compute.commitments.get compute.commitments.list compute.diskTypes.* compute.disks.get compute.disks.getIamPolicy compute.disks.list compute.disks.listTagBindings compute.externalVpnGateways.get compute.externalVpnGateways.list compute.firewallPolicies.get compute.firewallPolicies.getIamPolicy compute.firewallPolicies.list compute.firewalls.get compute.firewalls.list compute.forwardingRules.get compute.forwardingRules.list compute.globalAddresses.get compute.globalAddresses.list compute.globalForwardingRules.get compute.globalForwardingRules.list compute.globalForwardingRules.pscGet compute.globalNetworkEndpointGroups.get compute.globalNetworkEndpointGroups.list compute.globalOperations.get compute.globalOperations.getIamPolicy compute.globalOperations.list compute.globalPublicDelegatedPrefixes.get compute.globalPublicDelegatedPrefixes.list compute.healthChecks.get compute.healthChecks.list compute.httpHealthChecks.get compute.httpHealthChecks.list compute.httpsHealthChecks.get compute.httpsHealthChecks.list compute.images.get compute.images.getFromFamily compute.images.getIamPolicy compute.images.list compute.images.listTagBindings compute.instanceGroupManagers.get compute.instanceGroupManagers.list compute.instanceGroups.get compute.instanceGroups.list compute.instanceTemplates.get compute.instanceTemplates.getIamPolicy compute.instanceTemplates.list compute.instances.get compute.instances.getEffectiveFirewalls compute.instances.getGuestAttributes compute.instances.getIamPolicy compute.instances.getScreenshot compute.instances.getSerialPortOutput compute.instances.getShieldedInstanceIdentity compute.instances.getShieldedVmIdentity compute.instances.list compute.instances.listReferrers compute.interconnectAttachments.get compute.interconnectAttachments.list compute.interconnectLocations.* compute.interconnects.get compute.interconnects.list compute.licenseCodes.get compute.licenseCodes.getIamPolicy compute.licenseCodes.list compute.licenses.get compute.licenses.getIamPolicy compute.licenses.list compute.machineImages.get compute.machineImages.getIamPolicy compute.machineImages.list compute.machineTypes.* compute.maintenancePolicies.get compute.maintenancePolicies.getIamPolicy compute.maintenancePolicies.list compute.networkEndpointGroups.get compute.networkEndpointGroups.getIamPolicy compute.networkEndpointGroups.list compute.networks.get compute.networks.getEffectiveFirewalls compute.networks.getRegionEffectiveFirewalls compute.networks.list compute.networks.listPeeringRoutes compute.nodeGroups.get compute.nodeGroups.getIamPolicy compute.nodeGroups.list compute.nodeTemplates.get compute.nodeTemplates.getIamPolicy compute.nodeTemplates.list compute.nodeTypes.* compute.organizations.listAssociations compute.packetMirrorings.get compute.packetMirrorings.list compute.projects.get compute.publicAdvertisedPrefixes.get compute.publicAdvertisedPrefixes.list compute.publicDelegatedPrefixes.get compute.publicDelegatedPrefixes.list compute.regionBackendServices.get compute.regionBackendServices.getIamPolicy compute.regionBackendServices.list compute.regionFirewallPolicies.get compute.regionFirewallPolicies.getIamPolicy compute.regionFirewallPolicies.list compute.regionHealthCheckServices.get compute.regionHealthCheckServices.list compute.regionHealthChecks.get compute.regionHealthChecks.list compute.regionNetworkEndpointGroups.get compute.regionNetworkEndpointGroups.list compute.regionNotificationEndpoints.get compute.regionNotificationEndpoints.list compute.regionOperations.get compute.regionOperations.getIamPolicy compute.regionOperations.list compute.regionSslCertificates.get compute.regionSslCertificates.list compute.regionTargetHttpProxies.get compute.regionTargetHttpProxies.list compute.regionTargetHttpsProxies.get compute.regionTargetHttpsProxies.list compute.regionUrlMaps.get compute.regionUrlMaps.list compute.regionUrlMaps.validate compute.regions.* compute.reservations.get compute.reservations.list compute.resourcePolicies.get compute.resourcePolicies.list compute.routers.get compute.routers.list compute.routes.get compute.routes.list compute.securityPolicies.get compute.securityPolicies.getIamPolicy compute.securityPolicies.list compute.serviceAttachments.get compute.serviceAttachments.list compute.snapshots.get compute.snapshots.getIamPolicy compute.snapshots.list compute.snapshots.listTagBindings compute.sslCertificates.get compute.sslCertificates.list compute.sslPolicies.get compute.sslPolicies.list compute.sslPolicies.listAvailableFeatures compute.subnetworks.get compute.subnetworks.getIamPolicy compute.subnetworks.list compute.targetGrpcProxies.get compute.targetGrpcProxies.list compute.targetHttpProxies.get compute.targetHttpProxies.list compute.targetHttpsProxies.get compute.targetHttpsProxies.list compute.targetInstances.get compute.targetInstances.list compute.targetPools.get compute.targetPools.list compute.targetSslProxies.get compute.targetSslProxies.list compute.targetTcpProxies.get compute.targetTcpProxies.list compute.targetVpnGateways.get compute.targetVpnGateways.list compute.urlMaps.get compute.urlMaps.list compute.urlMaps.validate compute.vpnGateways.get compute.vpnGateways.list compute.vpnTunnels.get compute.vpnTunnels.list compute.zoneOperations.get compute.zoneOperations.getIamPolicy compute.zoneOperations.list compute.zones.* notebooks.environments.get notebooks.environments.getIamPolicy notebooks.environments.list notebooks.executions.get notebooks.executions.getIamPolicy notebooks.executions.list notebooks.instances.checkUpgradability notebooks.instances.get notebooks.instances.getHealth notebooks.instances.getIamPolicy notebooks.instances.list notebooks.locations.* notebooks.operations.get notebooks.operations.list notebooks.runtimes.get notebooks.runtimes.getIamPolicy notebooks.runtimes.list notebooks.schedules.get notebooks.schedules.getIamPolicy notebooks.schedules.list resourcemanager.projects.get resourcemanager.projects.list serviceusage.quotas.get serviceusage.services.get serviceusage.services.list
AI Platform Admin roles/ml.admin Provides full access to AI Platform resources, and its jobs, operations, models, and versions.	ml.* resourcemanager.projects.get
AI Platform Developer roles/ml.developer Provides ability to use AI Platform resources for creating models, versions, jobs for training and prediction, and sending online prediction requests.	ml.jobs.create ml.jobs.get ml.jobs.getIamPolicy ml.jobs.list ml.locations.* ml.models.create ml.models.get ml.models.getIamPolicy ml.models.list ml.models.predict ml.operations.get ml.operations.list ml.projects.* ml.studies.* ml.trials.* ml.versions.get ml.versions.list ml.versions.predict resourcemanager.projects.get
AI Platform Job Owner roles/ml.jobOwner Provides full access to all permissions for a particular job resource. This role is automatically granted to the user who creates the job.	ml.jobs.*
AI Platform Model Owner roles/ml.modelOwner Provides full access to the model and its versions. This role is automatically granted to the user who creates the model.	ml.models.* ml.versions.*
AI Platform Model User roles/ml.modelUser Provides permissions to read the model and its versions, and use them for prediction.	ml.models.get ml.models.predict ml.versions.get ml.versions.list ml.versions.predict
AI Platform Operation Owner roles/ml.operationOwner Provides full access to all permissions for a particular operation resource.	ml.operations.*
AI Platform Viewer roles/ml.viewer Provides read-only access to AI Platform resources.	ml.jobs.get ml.jobs.list ml.locations.* ml.models.get ml.models.list ml.operations.get ml.operations.list ml.projects.* ml.studies.get ml.studies.getIamPolicy ml.studies.list ml.trials.get ml.trials.list ml.versions.get ml.versions.list resourcemanager.projects.get
Analytics Hub Admin roles/analyticshub.admin Administer Data Exchanges and Listings	analyticshub.dataExchanges.* analyticshub.listings.create analyticshub.listings.delete analyticshub.listings.get analyticshub.listings.getIamPolicy analyticshub.listings.list analyticshub.listings.setIamPolicy analyticshub.listings.update resourcemanager.projects.get resourcemanager.projects.list
Analytics Hub Listing Admin roles/analyticshub.listingAdmin Grants full control over the Listing, including updating, deleting and setting ACLs	analyticshub.dataExchanges.get analyticshub.dataExchanges.getIamPolicy analyticshub.dataExchanges.list analyticshub.listings.delete analyticshub.listings.get analyticshub.listings.getIamPolicy analyticshub.listings.list analyticshub.listings.setIamPolicy analyticshub.listings.update resourcemanager.projects.get resourcemanager.projects.list
Analytics Hub Publisher roles/analyticshub.publisher Can publish to Data Exchanges thus creating Listings	analyticshub.dataExchanges.get analyticshub.dataExchanges.getIamPolicy analyticshub.dataExchanges.list analyticshub.listings.create analyticshub.listings.get analyticshub.listings.getIamPolicy analyticshub.listings.list resourcemanager.projects.get resourcemanager.projects.list
Analytics Hub Subscriber roles/analyticshub.subscriber Can browse Data Exchanges and subscribe to Listings	analyticshub.dataExchanges.get analyticshub.dataExchanges.getIamPolicy analyticshub.dataExchanges.list analyticshub.listings.get analyticshub.listings.getIamPolicy analyticshub.listings.list analyticshub.listings.subscribe resourcemanager.projects.get resourcemanager.projects.list
Analytics Hub Viewer roles/analyticshub.viewer Can browse Data Exchanges and Listings	analyticshub.dataExchanges.get analyticshub.dataExchanges.getIamPolicy analyticshub.dataExchanges.list analyticshub.listings.get analyticshub.listings.getIamPolicy analyticshub.listings.list resourcemanager.projects.get resourcemanager.projects.list
Android Management User roles/androidmanagement.user Full access to manage devices.	androidmanagement.* serviceusage.quotas.get serviceusage.services.get serviceusage.services.list
Anthos Multi-cloud Admin roles/gkemulticloud.admin Admin access to Anthos Multi-cloud resources.	gkemulticloud.* resourcemanager.projects.get resourcemanager.projects.list
Anthos Multi-cloud Telemetry Writer roles/gkemulticloud.telemetryWriter Grant access to write cluster telemetry data such as logs, metrics, and resource metadata.	logging.logEntries.create monitoring.metricDescriptors.create monitoring.metricDescriptors.get monitoring.metricDescriptors.list monitoring.monitoredResourceDescriptors.* monitoring.timeSeries.create opsconfigmonitoring.resourceMetadata.write
Anthos Multi-cloud Viewer roles/gkemulticloud.viewer Viewer access to Anthos Multi-cloud resources.	gkemulticloud.awsClusters.generateAccessToken gkemulticloud.awsClusters.get gkemulticloud.awsClusters.list gkemulticloud.awsNodePools.get gkemulticloud.awsNodePools.list gkemulticloud.awsServerConfigs.* gkemulticloud.azureClients.get gkemulticloud.azureClients.list gkemulticloud.azureClusters.generateAccessToken gkemulticloud.azureClusters.get gkemulticloud.azureClusters.list gkemulticloud.azureNodePools.get gkemulticloud.azureNodePools.list gkemulticloud.azureServerConfigs.* gkemulticloud.operations.get gkemulticloud.operations.list gkemulticloud.operations.wait resourcemanager.projects.get resourcemanager.projects.list
ApiGateway Admin roles/apigateway.admin Full access to ApiGateway and related resources.	apigateway.* monitoring.metricDescriptors.list monitoring.monitoredResourceDescriptors.get monitoring.timeSeries.list resourcemanager.projects.get resourcemanager.projects.list servicemanagement.services.get serviceusage.services.list
ApiGateway Viewer roles/apigateway.viewer Read-only access to ApiGateway and related resources.	apigateway.apiconfigs.get apigateway.apiconfigs.getIamPolicy apigateway.apiconfigs.list apigateway.apis.get apigateway.apis.getIamPolicy apigateway.apis.list apigateway.gateways.get apigateway.gateways.getIamPolicy apigateway.gateways.list apigateway.locations.* apigateway.operations.get apigateway.operations.list monitoring.metricDescriptors.list monitoring.monitoredResourceDescriptors.get monitoring.timeSeries.list resourcemanager.projects.get resourcemanager.projects.list servicemanagement.services.get serviceusage.services.list
Apigee Organization Admin roles/apigee.admin Full access to all apigee resource features	apigee.* monitoring.timeSeries.list resourcemanager.projects.get resourcemanager.projects.getIamPolicy resourcemanager.projects.list
Apigee Analytics Agent roles/apigee.analyticsAgent Curated set of permissions for Apigee Universal Data Collection Agent to manage analytics for an Apigee Organization	apigee.environments.getDataLocation apigee.runtimeconfigs.*
Apigee Analytics Editor roles/apigee.analyticsEditor Analytics editor for an Apigee Organization	apigee.datacollectors.* apigee.datastores.* apigee.envgroupattachments.get apigee.envgroupattachments.list apigee.envgroups.get apigee.envgroups.list apigee.environments.get apigee.environments.getStats apigee.environments.list apigee.exports.* apigee.hostqueries.* apigee.hoststats.* apigee.organizations.get apigee.organizations.list apigee.queries.* apigee.reports.* resourcemanager.projects.get resourcemanager.projects.list
Apigee Analytics Viewer roles/apigee.analyticsViewer Analytics viewer for an Apigee Organization	apigee.datacollectors.get apigee.datacollectors.list apigee.datastores.get apigee.datastores.list apigee.envgroupattachments.get apigee.envgroupattachments.list apigee.envgroups.get apigee.envgroups.list apigee.environments.get apigee.environments.getStats apigee.environments.list apigee.exports.get apigee.exports.list apigee.hostqueries.get apigee.hostqueries.list apigee.hoststats.* apigee.organizations.get apigee.organizations.list apigee.queries.get apigee.queries.list apigee.reports.get apigee.reports.list resourcemanager.projects.get resourcemanager.projects.list
Apigee API Admin roles/apigee.apiAdminV2 Full read/write access to all apigee API resources	apigee.apiproductattributes.* apigee.apiproducts.* apigee.envgroupattachments.get apigee.envgroupattachments.list apigee.envgroups.get apigee.envgroups.list apigee.environments.get apigee.environments.getStats apigee.environments.list apigee.keyvaluemapentries.* apigee.keyvaluemaps.list apigee.organizations.get apigee.organizations.list apigee.proxies.* apigee.proxyrevisions.* apigee.sharedflowrevisions.* apigee.sharedflows.* resourcemanager.projects.get resourcemanager.projects.list
Apigee API Reader roles/apigee.apiReaderV2 Reader of apigee resources	apigee.apiproductattributes.get apigee.apiproductattributes.list apigee.apiproducts.get apigee.apiproducts.list apigee.envgroupattachments.get apigee.envgroupattachments.list apigee.envgroups.get apigee.envgroups.list apigee.environments.get apigee.environments.getStats apigee.environments.list apigee.keyvaluemapentries.* apigee.keyvaluemaps.list apigee.organizations.get apigee.organizations.list apigee.proxies.get apigee.proxies.list apigee.proxyrevisions.deploy apigee.proxyrevisions.get apigee.proxyrevisions.list apigee.proxyrevisions.undeploy apigee.sharedflowrevisions.deploy apigee.sharedflowrevisions.get apigee.sharedflowrevisions.list apigee.sharedflowrevisions.undeploy apigee.sharedflows.get apigee.sharedflows.list resourcemanager.projects.get resourcemanager.projects.list
Apigee Developer Admin roles/apigee.developerAdmin Developer admin of apigee resources	apigee.apiproductattributes.get apigee.apiproductattributes.list apigee.apiproducts.get apigee.apiproducts.list apigee.appkeys.* apigee.apps.* apigee.datacollectors.* apigee.developerappattributes.* apigee.developerapps.* apigee.developerattributes.* apigee.developerbalances.* apigee.developermonetizationconfigs.* apigee.developers.* apigee.developersubscriptions.* apigee.environments.get apigee.environments.getStats apigee.hoststats.* apigee.organizations.get apigee.organizations.list apigee.rateplans.get apigee.rateplans.list resourcemanager.projects.get resourcemanager.projects.getIamPolicy resourcemanager.projects.list
Apigee Environment Admin roles/apigee.environmentAdmin Full read/write access to apigee environment resources, including deployments.	apigee.archivedeployments.* apigee.datacollectors.get apigee.datacollectors.list apigee.deployments.* apigee.envgroupattachments.get apigee.envgroupattachments.list apigee.envgroups.get apigee.envgroups.list apigee.environments.get apigee.environments.getIamPolicy apigee.environments.getStats apigee.environments.list apigee.environments.setIamPolicy apigee.environments.update apigee.flowhooks.* apigee.ingressconfigs.* apigee.keystorealiases.* apigee.keystores.* apigee.keyvaluemaps.* apigee.maskconfigs.* apigee.organizations.get apigee.organizations.list apigee.proxies.get apigee.proxies.list apigee.proxyrevisions.deploy apigee.proxyrevisions.get apigee.proxyrevisions.list apigee.proxyrevisions.undeploy apigee.references.* apigee.resourcefiles.* apigee.sharedflowrevisions.deploy apigee.sharedflowrevisions.get apigee.sharedflowrevisions.list apigee.sharedflowrevisions.undeploy apigee.sharedflows.get apigee.sharedflows.list apigee.targetservers.* apigee.tracesessions.* resourcemanager.projects.get resourcemanager.projects.getIamPolicy resourcemanager.projects.list
Apigee Monetization Admin roles/apigee.monetizationAdmin All permissions related to monetization	apigee.apiproducts.get apigee.apiproducts.list apigee.developerbalances.* apigee.developermonetizationconfigs.* apigee.developersubscriptions.* apigee.organizations.get apigee.organizations.list apigee.rateplans.* resourcemanager.projects.get resourcemanager.projects.list
Apigee Portal Admin roles/apigee.portalAdmin Portal admin for an Apigee Organization	apigee.organizations.get apigee.organizations.list apigee.portals.* resourcemanager.projects.get resourcemanager.projects.list
Apigee Read-only Admin roles/apigee.readOnlyAdmin Viewer of all apigee resources	apigee.apiproductattributes.get apigee.apiproductattributes.list apigee.apiproducts.get apigee.apiproducts.list apigee.appkeys.get apigee.apps.* apigee.archivedeployments.download apigee.archivedeployments.get apigee.archivedeployments.list apigee.caches.list apigee.canaryevaluations.get apigee.datacollectors.get apigee.datacollectors.list apigee.datastores.get apigee.datastores.list apigee.deployments.get apigee.deployments.list apigee.developerappattributes.get apigee.developerappattributes.list apigee.developerapps.get apigee.developerapps.list apigee.developerattributes.get apigee.developerattributes.list apigee.developerbalances.get apigee.developermonetizationconfigs.get apigee.developers.get apigee.developers.list apigee.developersubscriptions.get apigee.developersubscriptions.list apigee.envgroupattachments.get apigee.envgroupattachments.list apigee.envgroups.get apigee.envgroups.list apigee.environments.get apigee.environments.getDataLocation apigee.environments.getIamPolicy apigee.environments.getStats apigee.environments.list apigee.exports.get apigee.exports.list apigee.flowhooks.getSharedFlow apigee.flowhooks.list apigee.hostqueries.get apigee.hostqueries.list apigee.hostsecurityreports.get apigee.hostsecurityreports.list apigee.hoststats.* apigee.ingressconfigs.* apigee.instanceattachments.get apigee.instanceattachments.list apigee.instances.get apigee.instances.list apigee.keystorealiases.get apigee.keystorealiases.list apigee.keystores.get apigee.keystores.list apigee.keyvaluemapentries.* apigee.keyvaluemaps.list apigee.maskconfigs.get apigee.operations.* apigee.organizations.get apigee.organizations.list apigee.portals.get apigee.portals.list apigee.proxies.get apigee.proxies.list apigee.proxyrevisions.get apigee.proxyrevisions.list apigee.queries.get apigee.queries.list apigee.rateplans.get apigee.rateplans.list apigee.references.get apigee.references.list apigee.reports.get apigee.reports.list apigee.resourcefiles.get apigee.resourcefiles.list apigee.runtimeconfigs.* apigee.securityreports.get apigee.securityreports.list apigee.sharedflowrevisions.get apigee.sharedflowrevisions.list apigee.sharedflows.get apigee.sharedflows.list apigee.targetservers.get apigee.targetservers.list apigee.tracesessions.get apigee.tracesessions.list monitoring.timeSeries.list resourcemanager.projects.get resourcemanager.projects.getIamPolicy resourcemanager.projects.list
Apigee Runtime Agent roles/apigee.runtimeAgent Curated set of permissions for a runtime agent to access Apigee Organization resources	apigee.canaryevaluations.* apigee.ingressconfigs.* apigee.instances.reportStatus apigee.operations.* apigee.organizations.get apigee.runtimeconfigs.*
Apigee Security Admin roles/apigee.securityAdmin Security admin for an Apigee Organization	apigee.envgroupattachments.get apigee.envgroupattachments.list apigee.envgroups.get apigee.envgroups.list apigee.environments.get apigee.environments.list apigee.hostsecurityreports.* apigee.organizations.get apigee.organizations.list apigee.securityreports.* resourcemanager.projects.get resourcemanager.projects.list
Apigee Security Viewer roles/apigee.securityViewer Security viewer for an Apigee Organization	apigee.envgroupattachments.get apigee.envgroupattachments.list apigee.envgroups.get apigee.envgroups.list apigee.environments.get apigee.environments.list apigee.hostsecurityreports.get apigee.hostsecurityreports.list apigee.organizations.get apigee.organizations.list apigee.securityreports.get apigee.securityreports.list resourcemanager.projects.get resourcemanager.projects.list
Apigee Synchronizer Manager roles/apigee.synchronizerManager Curated set of permissions for a Synchronizer to manage environments in an Apigee Organization	apigee.environments.get apigee.environments.manageRuntime apigee.ingressconfigs.*
Apigee Connect Admin roles/apigeeconnect.Admin Admin of Apigee Connect	apigeeconnect.connections.*
Apigee Connect Agent roles/apigeeconnect.Agent Ability to set up Apigee Connect agent between external clusters and Google.	apigeeconnect.endpoints.*
Cloud Apigee Registry Admin roles/apigeeregistry.admin Full access to Cloud Apigee Registry Registry and Runtime resources.	apigeeregistry.* resourcemanager.projects.get resourcemanager.projects.list
Cloud Apigee Registry Editor roles/apigeeregistry.editor Edit access to Cloud Apigee Registry Registry resources.	apigeeregistry.apis.create apigeeregistry.apis.delete apigeeregistry.apis.get apigeeregistry.apis.getIamPolicy apigeeregistry.apis.list apigeeregistry.apis.update apigeeregistry.artifacts.create apigeeregistry.artifacts.delete apigeeregistry.artifacts.get apigeeregistry.artifacts.getIamPolicy apigeeregistry.artifacts.list apigeeregistry.artifacts.update apigeeregistry.deployments.* apigeeregistry.specs.create apigeeregistry.specs.delete apigeeregistry.specs.get apigeeregistry.specs.getIamPolicy apigeeregistry.specs.list apigeeregistry.specs.update apigeeregistry.versions.create apigeeregistry.versions.delete apigeeregistry.versions.get apigeeregistry.versions.getIamPolicy apigeeregistry.versions.list apigeeregistry.versions.update resourcemanager.projects.get resourcemanager.projects.list
Cloud Apigee Registry Viewer roles/apigeeregistry.viewer Read-only access to Cloud Apigee Registry Registry resources.	apigeeregistry.apis.get apigeeregistry.apis.list apigeeregistry.artifacts.get apigeeregistry.artifacts.list apigeeregistry.deployments.get apigeeregistry.deployments.list apigeeregistry.specs.get apigeeregistry.specs.list apigeeregistry.versions.get apigeeregistry.versions.list resourcemanager.projects.get resourcemanager.projects.list
Cloud Apigee Registry Worker roles/apigeeregistry.worker The role used by Apigee Registry application workers to read and update Apigee Registry Artifacts.	apigeeregistry.apis.get apigeeregistry.apis.list apigeeregistry.apis.update apigeeregistry.artifacts.create apigeeregistry.artifacts.delete apigeeregistry.artifacts.get apigeeregistry.artifacts.list apigeeregistry.artifacts.update apigeeregistry.deployments.get apigeeregistry.deployments.list apigeeregistry.deployments.update apigeeregistry.specs.get apigeeregistry.specs.list apigeeregistry.specs.update apigeeregistry.versions.get apigeeregistry.versions.list apigeeregistry.versions.update resourcemanager.projects.get resourcemanager.projects.list
App Engine Admin roles/appengine.appAdmin Read/Write/Modify access to all application configuration and settings. To deploy new versions, a principal must have the Service Account User (roles/iam.serviceAccountUser) role on the App Engine default service account, and the Cloud Build Editor (roles/cloudbuild.builds.editor) and Cloud Storage Object Admin (roles/storage.objectAdmin) roles on the project.	appengine.applications.get appengine.applications.update appengine.instances.* appengine.operations.* appengine.runtimes.* appengine.services.* appengine.versions.create appengine.versions.delete appengine.versions.get appengine.versions.list appengine.versions.update resourcemanager.projects.get resourcemanager.projects.list
App Engine Creator roles/appengine.appCreator Ability to create the App Engine resource for the project.	appengine.applications.create resourcemanager.projects.get resourcemanager.projects.list
App Engine Viewer roles/appengine.appViewer Read-only access to all application configuration and settings.	appengine.applications.get appengine.instances.get appengine.instances.list appengine.operations.* appengine.services.get appengine.services.list appengine.versions.get appengine.versions.list resourcemanager.projects.get resourcemanager.projects.list
App Engine Code Viewer roles/appengine.codeViewer Read-only access to all application configuration, settings, and deployed source code.	appengine.applications.get appengine.instances.get appengine.instances.list appengine.operations.* appengine.services.get appengine.services.list appengine.versions.get appengine.versions.getFileContents appengine.versions.list resourcemanager.projects.get resourcemanager.projects.list
App Engine Deployer roles/appengine.deployer Read-only access to all application configuration and settings. To deploy new versions, you must also have the Service Account User (roles/iam.serviceAccountUser) role on the App Engine default service account, and the Cloud Build Editor (roles/cloudbuild.builds.editor) and Cloud Storage Object Admin (roles/storage.objectAdmin) roles on the project. Cannot modify existing versions other than deleting versions that are not receiving traffic.	appengine.applications.get appengine.instances.get appengine.instances.list appengine.operations.* appengine.services.get appengine.services.list appengine.versions.create appengine.versions.delete appengine.versions.get appengine.versions.list resourcemanager.projects.get resourcemanager.projects.list
App Engine Service Admin roles/appengine.serviceAdmin Read-only access to all application configuration and settings. Write access to module-level and version-level settings. Cannot deploy a new version.	appengine.applications.get appengine.instances.* appengine.operations.* appengine.services.* appengine.versions.delete appengine.versions.get appengine.versions.list appengine.versions.update resourcemanager.projects.get resourcemanager.projects.list
Artifact Registry Administrator roles/artifactregistry.admin Administrator access to create and manage repositories.	artifactregistry.*
Artifact Registry Reader roles/artifactregistry.reader Access to read repository items.	artifactregistry.dockerimages.* artifactregistry.files.* artifactregistry.packages.get artifactregistry.packages.list artifactregistry.repositories.downloadArtifacts artifactregistry.repositories.get artifactregistry.repositories.list artifactregistry.repositories.listEffectiveTags artifactregistry.repositories.listTagBindings artifactregistry.tags.get artifactregistry.tags.list artifactregistry.versions.get artifactregistry.versions.list
Artifact Registry Repository Administrator roles/artifactregistry.repoAdmin Access to manage artifacts in repositories.	artifactregistry.aptartifacts.* artifactregistry.dockerimages.* artifactregistry.files.* artifactregistry.packages.* artifactregistry.repositories.deleteArtifacts artifactregistry.repositories.downloadArtifacts artifactregistry.repositories.get artifactregistry.repositories.list artifactregistry.repositories.listEffectiveTags artifactregistry.repositories.listTagBindings artifactregistry.repositories.uploadArtifacts artifactregistry.tags.* artifactregistry.versions.* artifactregistry.yumartifacts.*
Artifact Registry Writer roles/artifactregistry.writer Access to read and write repository items.	artifactregistry.aptartifacts.* artifactregistry.dockerimages.* artifactregistry.files.* artifactregistry.packages.get artifactregistry.packages.list artifactregistry.repositories.downloadArtifacts artifactregistry.repositories.get artifactregistry.repositories.list artifactregistry.repositories.listEffectiveTags artifactregistry.repositories.listTagBindings artifactregistry.repositories.uploadArtifacts artifactregistry.tags.create artifactregistry.tags.get artifactregistry.tags.list artifactregistry.tags.update artifactregistry.versions.get artifactregistry.versions.list artifactregistry.yumartifacts.*
Assured Workloads Administrator roles/assuredworkloads.admin Grants full access to Assured Workloads resources, CRM resources - project/folder and Organization Policy administration	assuredworkloads.* orgpolicy.policy.* resourcemanager.folders.create resourcemanager.folders.get resourcemanager.folders.list resourcemanager.organizations.get resourcemanager.projects.create resourcemanager.projects.get resourcemanager.projects.list
Assured Workloads Editor roles/assuredworkloads.editor Grants read, write access to Assured Workloads resources, CRM resources - project/folder and Organization Policy administration	assuredworkloads.* orgpolicy.policy.* resourcemanager.folders.create resourcemanager.folders.get resourcemanager.folders.list resourcemanager.organizations.get resourcemanager.projects.create resourcemanager.projects.get resourcemanager.projects.list
Assured Workloads Reader roles/assuredworkloads.reader Grants read access to all Assured Workloads resources and CRM resources - project/folder	assuredworkloads.operations.* assuredworkloads.violations.* assuredworkloads.workload.get assuredworkloads.workload.list resourcemanager.folders.get resourcemanager.folders.list resourcemanager.organizations.get resourcemanager.projects.get resourcemanager.projects.list
AutoML Admin roles/automl.admin Full access to all AutoML resources	automl.* resourcemanager.projects.get resourcemanager.projects.list serviceusage.services.list
AutoML Editor roles/automl.editor Editor of all AutoML resources	automl.annotationSpecs.* automl.annotations.* automl.columnSpecs.* automl.datasets.create automl.datasets.delete automl.datasets.export automl.datasets.get automl.datasets.import automl.datasets.list automl.datasets.update automl.examples.* automl.humanAnnotationTasks.* automl.locations.get automl.locations.list automl.modelEvaluations.* automl.models.create automl.models.delete automl.models.deploy automl.models.export automl.models.get automl.models.list automl.models.predict automl.models.undeploy automl.operations.* automl.tableSpecs.* resourcemanager.projects.get resourcemanager.projects.list serviceusage.services.list
AutoML Predictor roles/automl.predictor Predict using models	automl.models.predict resourcemanager.projects.get resourcemanager.projects.list
AutoML Viewer roles/automl.viewer Viewer of all AutoML resources	automl.annotationSpecs.get automl.annotationSpecs.list automl.annotations.list automl.columnSpecs.get automl.columnSpecs.list automl.datasets.get automl.datasets.list automl.examples.get automl.examples.list automl.humanAnnotationTasks.get automl.humanAnnotationTasks.list automl.locations.get automl.locations.list automl.modelEvaluations.get automl.modelEvaluations.list automl.models.get automl.models.list automl.operations.get automl.operations.list automl.tableSpecs.get automl.tableSpecs.list resourcemanager.projects.get resourcemanager.projects.list serviceusage.services.list
Backup for GKE Admin roles/gkebackup.admin Full access to all Backup for GKE resources.	gkebackup.* resourcemanager.projects.get resourcemanager.projects.list
Backup for GKE Backup Admin roles/gkebackup.backupAdmin Allows administrators to manage all BackupPlan and Backup resources.	gkebackup.backupPlans.* gkebackup.backups.* gkebackup.locations.* gkebackup.operations.get gkebackup.operations.list gkebackup.volumeBackups.* resourcemanager.projects.get resourcemanager.projects.list
Backup for GKE Delegated Backup Admin roles/gkebackup.delegatedBackupAdmin Allows administrators to manage Backup resources for specific BackupPlans	gkebackup.backupPlans.get gkebackup.backups.* gkebackup.volumeBackups.*
Backup for GKE Delegated Restore Admin roles/gkebackup.delegatedRestoreAdmin Allows administrators to manage Restore resources for specific RestorePlans	gkebackup.restorePlans.get gkebackup.restores.* gkebackup.volumeRestores.*
Backup for GKE Restore Admin roles/gkebackup.restoreAdmin Allows administrators to manage all RestorePlan and Restore resources.	gkebackup.backupPlans.get gkebackup.backupPlans.list gkebackup.backups.get gkebackup.backups.list gkebackup.locations.* gkebackup.operations.get gkebackup.operations.list gkebackup.restorePlans.* gkebackup.restores.* gkebackup.volumeBackups.* gkebackup.volumeRestores.* resourcemanager.projects.get resourcemanager.projects.list
Backup for GKE Viewer roles/gkebackup.viewer Read-only access to all Backup for GKE resources.	gkebackup.backupPlans.get gkebackup.backupPlans.getIamPolicy gkebackup.backupPlans.list gkebackup.backups.get gkebackup.backups.list gkebackup.locations.* gkebackup.operations.get gkebackup.operations.list gkebackup.restorePlans.get gkebackup.restorePlans.getIamPolicy gkebackup.restorePlans.list gkebackup.restores.get gkebackup.restores.list gkebackup.volumeBackups.* gkebackup.volumeRestores.* resourcemanager.projects.get resourcemanager.projects.list
BigQuery Admin roles/bigquery.admin Provides permissions to manage all resources within the project. Can manage all data within the project, and can cancel jobs from other users running within the project.	bigquery.bireservations.* bigquery.capacityCommitments.* bigquery.config.* bigquery.connections.* bigquery.dataPolicies.* bigquery.datasets.* bigquery.jobs.* bigquery.models.* bigquery.readsessions.* bigquery.reservationAssignments.* bigquery.reservations.* bigquery.routines.* bigquery.rowAccessPolicies.create bigquery.rowAccessPolicies.delete bigquery.rowAccessPolicies.getIamPolicy bigquery.rowAccessPolicies.list bigquery.rowAccessPolicies.overrideTimeTravelRestrictions bigquery.rowAccessPolicies.setIamPolicy bigquery.rowAccessPolicies.update bigquery.savedqueries.* bigquery.tables.* bigquery.transfers.* bigquerymigration.translation.* resourcemanager.projects.get resourcemanager.projects.list
BigQuery Connection Admin roles/bigquery.connectionAdmin	bigquery.connections.*
BigQuery Connection User roles/bigquery.connectionUser	bigquery.connections.get bigquery.connections.getIamPolicy bigquery.connections.list bigquery.connections.use
BigQuery Data Editor roles/bigquery.dataEditor When applied to a table or view, this role provides permissions to: Read and update data and metadata for the table or view. Delete the table or view. This role cannot be applied to individual models or routines. When applied to a dataset, this role provides permissions to: Read the dataset's metadata and list tables in the dataset. Create, update, get, and delete the dataset's tables. When applied at the project or organization level, this role can also create new datasets.	bigquery.config.get bigquery.datasets.create bigquery.datasets.get bigquery.datasets.getIamPolicy bigquery.datasets.updateTag bigquery.models.* bigquery.routines.* bigquery.tables.create bigquery.tables.createIndex bigquery.tables.createSnapshot bigquery.tables.delete bigquery.tables.deleteIndex bigquery.tables.export bigquery.tables.get bigquery.tables.getData bigquery.tables.getIamPolicy bigquery.tables.list bigquery.tables.restoreSnapshot bigquery.tables.update bigquery.tables.updateData bigquery.tables.updateTag resourcemanager.projects.get resourcemanager.projects.list
BigQuery Data Owner roles/bigquery.dataOwner When applied to a table or view, this role provides permissions to: Read and update data and metadata for the table or view. Share the table or view. Delete the table or view. This role cannot be applied to individual models or routines. When applied to a dataset, this role provides permissions to: Read, update, and delete the dataset. Create, update, get, and delete the dataset's tables. When applied at the project or organization level, this role can also create new datasets.	bigquery.config.get bigquery.dataPolicies.* bigquery.datasets.* bigquery.models.* bigquery.routines.* bigquery.rowAccessPolicies.create bigquery.rowAccessPolicies.delete bigquery.rowAccessPolicies.getIamPolicy bigquery.rowAccessPolicies.list bigquery.rowAccessPolicies.setIamPolicy bigquery.rowAccessPolicies.update bigquery.tables.* resourcemanager.projects.get resourcemanager.projects.list
BigQuery Data Viewer roles/bigquery.dataViewer When applied to a table or view, this role provides permissions to: Read data and metadata from the table or view. This role cannot be applied to individual models or routines. When applied to a dataset, this role provides permissions to: Read the dataset's metadata and list tables in the dataset. Read data and metadata from the dataset's tables. When applied at the project or organization level, this role can also enumerate all datasets in the project. Additional roles, however, are necessary to allow the running of jobs.	bigquery.datasets.get bigquery.datasets.getIamPolicy bigquery.models.export bigquery.models.getData bigquery.models.getMetadata bigquery.models.list bigquery.routines.get bigquery.routines.list bigquery.tables.createSnapshot bigquery.tables.export bigquery.tables.get bigquery.tables.getData bigquery.tables.getIamPolicy bigquery.tables.list resourcemanager.projects.get resourcemanager.projects.list
BigQuery Filtered Data Viewer roles/bigquery.filteredDataViewer Access to view filtered table data defined by a row access policy	bigquery.rowAccessPolicies.getFilteredData
BigQuery Job User roles/bigquery.jobUser Provides permissions to run jobs, including queries, within the project.	bigquery.config.get bigquery.jobs.create resourcemanager.projects.get resourcemanager.projects.list
BigQuery Metadata Viewer roles/bigquery.metadataViewer When applied to a table or view, this role provides permissions to: Read metadata from the table or view. This role cannot be applied to individual models or routines. When applied to a dataset, this role provides permissions to: List tables and views in the dataset. Read metadata from the dataset's tables and views. When applied at the project or organization level, this role provides permissions to: List all datasets and read metadata for all datasets in the project. List all tables and views and read metadata for all tables and views in the project. Additional roles are necessary to allow the running of jobs.	bigquery.datasets.get bigquery.datasets.getIamPolicy bigquery.models.getMetadata bigquery.models.list bigquery.routines.get bigquery.routines.list bigquery.tables.get bigquery.tables.getIamPolicy bigquery.tables.list resourcemanager.projects.get resourcemanager.projects.list
BigQuery Read Session User roles/bigquery.readSessionUser Access to create and use read sessions	bigquery.readsessions.* resourcemanager.projects.get resourcemanager.projects.list
BigQuery Resource Admin roles/bigquery.resourceAdmin Administer all BigQuery resources.	bigquery.bireservations.* bigquery.capacityCommitments.* bigquery.jobs.get bigquery.jobs.list bigquery.jobs.listAll bigquery.jobs.listExecutionMetadata bigquery.reservationAssignments.* bigquery.reservations.* recommender.bigqueryCapacityCommitmentsInsights.* recommender.bigqueryCapacityCommitmentsRecommendations.* resourcemanager.projects.get resourcemanager.projects.list
BigQuery Resource Editor roles/bigquery.resourceEditor Manage all BigQuery resources, but cannot make purchasing decisions.	bigquery.bireservations.get bigquery.capacityCommitments.get bigquery.capacityCommitments.list bigquery.jobs.get bigquery.jobs.list bigquery.jobs.listAll bigquery.jobs.listExecutionMetadata bigquery.reservationAssignments.* bigquery.reservations.* resourcemanager.projects.get resourcemanager.projects.list
BigQuery Resource Viewer roles/bigquery.resourceViewer View all BigQuery resources but cannot make changes or purchasing decisions.	bigquery.bireservations.get bigquery.capacityCommitments.get bigquery.capacityCommitments.list bigquery.jobs.get bigquery.jobs.list bigquery.jobs.listAll bigquery.jobs.listExecutionMetadata bigquery.reservationAssignments.list bigquery.reservationAssignments.search bigquery.reservations.get bigquery.reservations.list resourcemanager.projects.get resourcemanager.projects.list
BigQuery User roles/bigquery.user When applied to a dataset, this role provides the ability to read the dataset's metadata and list tables in the dataset. When applied to a project, this role also provides the ability to run jobs, including queries, within the project. A principal with this role can enumerate their own jobs, cancel their own jobs, and enumerate datasets within a project. Additionally, allows the creation of new datasets within the project; the creator is granted the BigQuery Data Owner role (roles/bigquery.dataOwner) on these new datasets.	bigquery.bireservations.get bigquery.capacityCommitments.get bigquery.capacityCommitments.list bigquery.config.get bigquery.datasets.create bigquery.datasets.get bigquery.datasets.getIamPolicy bigquery.jobs.create bigquery.jobs.list bigquery.models.list bigquery.readsessions.* bigquery.reservationAssignments.list bigquery.reservationAssignments.search bigquery.reservations.get bigquery.reservations.list bigquery.routines.list bigquery.savedqueries.get bigquery.savedqueries.list bigquery.tables.list bigquery.transfers.get bigquerymigration.translation.* resourcemanager.projects.get resourcemanager.projects.list
Billing Account Administrator roles/billing.admin Provides access to see and manage all aspects of billing accounts.	billing.accounts.close billing.accounts.get billing.accounts.getIamPolicy billing.accounts.getPaymentInfo billing.accounts.getPricing billing.accounts.getSpendingInformation billing.accounts.getUsageExportSpec billing.accounts.list billing.accounts.move billing.accounts.redeemPromotion billing.accounts.removeFromOrganization billing.accounts.reopen billing.accounts.setIamPolicy billing.accounts.update billing.accounts.updatePaymentInfo billing.accounts.updateUsageExportSpec billing.budgets.* billing.credits.* billing.resourceAssociations.* billing.subscriptions.* cloudnotifications.* commerceoffercatalog.* consumerprocurement.accounts.* consumerprocurement.orderAttributions.* consumerprocurement.orders.* dataprocessing.datasources.get dataprocessing.datasources.list dataprocessing.groupcontrols.get dataprocessing.groupcontrols.list logging.logEntries.list logging.logServiceIndexes.* logging.logServices.* logging.logs.list logging.privateLogEntries.* recommender.commitmentUtilizationInsights.* recommender.usageCommitmentRecommendations.* resourcemanager.projects.createBillingAssignment resourcemanager.projects.deleteBillingAssignment
Billing Account Costs Manager roles/billing.costsManager Manage budgets for a billing account, and view, analyze, and export cost information of a billing account.	billing.accounts.get billing.accounts.getIamPolicy billing.accounts.getSpendingInformation billing.accounts.getUsageExportSpec billing.accounts.list billing.accounts.updateUsageExportSpec billing.budgets.* billing.resourceAssociations.list
Billing Account Creator roles/billing.creator Provides access to create billing accounts.	billing.accounts.create resourcemanager.organizations.get
Project Billing Manager roles/billing.projectManager When granted in conjunction with the Billing Account User role, provides access to assign a project's billing account or disable its billing.	resourcemanager.projects.createBillingAssignment resourcemanager.projects.deleteBillingAssignment
Billing Account User roles/billing.user When granted in conjunction with the Project Owner role or Project Billing Manager role, provides access to associate projects with billing accounts.	billing.accounts.get billing.accounts.getIamPolicy billing.accounts.list billing.accounts.redeemPromotion billing.credits.* billing.resourceAssociations.create
Billing Account Viewer roles/billing.viewer View billing account cost and pricing information, transactions, and billing and commitment recommendations.	billing.accounts.get billing.accounts.getIamPolicy billing.accounts.getPaymentInfo billing.accounts.getPricing billing.accounts.getSpendingInformation billing.accounts.getUsageExportSpec billing.accounts.list billing.budgets.get billing.budgets.list billing.credits.* billing.resourceAssociations.list billing.subscriptions.get billing.subscriptions.list commerceoffercatalog.* consumerprocurement.accounts.get consumerprocurement.accounts.list consumerprocurement.orderAttributions.get consumerprocurement.orderAttributions.list consumerprocurement.orders.get consumerprocurement.orders.list dataprocessing.datasources.get dataprocessing.datasources.list dataprocessing.groupcontrols.get dataprocessing.groupcontrols.list recommender.commitmentUtilizationInsights.get recommender.commitmentUtilizationInsights.list recommender.usageCommitmentRecommendations.get recommender.usageCommitmentRecommendations.list
Binary Authorization Attestor Admin roles/binaryauthorization.attestorsAdmin Administrator of Binary Authorization Attestors	binaryauthorization.attestors.* resourcemanager.projects.get resourcemanager.projects.list
Binary Authorization Attestor Editor roles/binaryauthorization.attestorsEditor Editor of Binary Authorization Attestors	binaryauthorization.attestors.create binaryauthorization.attestors.delete binaryauthorization.attestors.get binaryauthorization.attestors.list binaryauthorization.attestors.update binaryauthorization.attestors.verifyImageAttested resourcemanager.projects.get resourcemanager.projects.list
Binary Authorization Attestor Image Verifier roles/binaryauthorization.attestorsVerifier Caller of Binary Authorization Attestors VerifyImageAttested	binaryauthorization.attestors.get binaryauthorization.attestors.list binaryauthorization.attestors.verifyImageAttested resourcemanager.projects.get resourcemanager.projects.list
Binary Authorization Attestor Viewer roles/binaryauthorization.attestorsViewer Viewer of Binary Authorization Attestors	binaryauthorization.attestors.get binaryauthorization.attestors.list resourcemanager.projects.get resourcemanager.projects.list
Binary Authorization Policy Administrator roles/binaryauthorization.policyAdmin Administrator of Binary Authorization Policy	binaryauthorization.continuousValidationConfig.* binaryauthorization.platformPolicies.* binaryauthorization.policy.* resourcemanager.projects.get resourcemanager.projects.list
Binary Authorization Policy Editor roles/binaryauthorization.policyEditor Editor of Binary Authorization Policy	binaryauthorization.continuousValidationConfig.get binaryauthorization.continuousValidationConfig.update binaryauthorization.platformPolicies.* binaryauthorization.policy.evaluatePolicy binaryauthorization.policy.get binaryauthorization.policy.update resourcemanager.projects.get resourcemanager.projects.list
Binary Authorization Policy Evaluator roles/binaryauthorization.policyEvaluator Evaluator of Binary Authorization Policy	binaryauthorization.platformPolicies.evaluatePolicy binaryauthorization.platformPolicies.get binaryauthorization.platformPolicies.list binaryauthorization.policy.evaluatePolicy binaryauthorization.policy.get resourcemanager.projects.get resourcemanager.projects.list
Binary Authorization Policy Viewer roles/binaryauthorization.policyViewer Viewer of Binary Authorization Policy	binaryauthorization.continuousValidationConfig.get binaryauthorization.platformPolicies.get binaryauthorization.platformPolicies.list binaryauthorization.policy.get resourcemanager.projects.get resourcemanager.projects.list
CA Service Admin roles/privateca.admin Full access to all CA Service resources.	privateca.* resourcemanager.projects.get resourcemanager.projects.list storage.buckets.create
CA Service Auditor roles/privateca.auditor Read-only access to all CA Service resources.	privateca.caPools.get privateca.caPools.getIamPolicy privateca.caPools.list privateca.certificateAuthorities.get privateca.certificateAuthorities.getIamPolicy privateca.certificateAuthorities.list privateca.certificateRevocationLists.get privateca.certificateRevocationLists.getIamPolicy privateca.certificateRevocationLists.list privateca.certificateTemplates.get privateca.certificateTemplates.getIamPolicy privateca.certificateTemplates.list privateca.certificates.get privateca.certificates.getIamPolicy privateca.certificates.list privateca.locations.* privateca.operations.get privateca.operations.list privateca.reusableConfigs.get privateca.reusableConfigs.getIamPolicy privateca.reusableConfigs.list resourcemanager.projects.get resourcemanager.projects.list
CA Service Operation Manager roles/privateca.caManager Create and manage CAs, revoke certificates, create certificates templates, and read-only access for CA Service resources.	privateca.caPools.create privateca.caPools.delete privateca.caPools.get privateca.caPools.getIamPolicy privateca.caPools.list privateca.caPools.update privateca.certificateAuthorities.create privateca.certificateAuthorities.delete privateca.certificateAuthorities.get privateca.certificateAuthorities.getIamPolicy privateca.certificateAuthorities.list privateca.certificateAuthorities.update privateca.certificateRevocationLists.get privateca.certificateRevocationLists.getIamPolicy privateca.certificateRevocationLists.list privateca.certificateRevocationLists.update privateca.certificateTemplates.create privateca.certificateTemplates.delete privateca.certificateTemplates.get privateca.certificateTemplates.getIamPolicy privateca.certificateTemplates.list privateca.certificateTemplates.update privateca.certificates.get privateca.certificates.getIamPolicy privateca.certificates.list privateca.certificates.update privateca.locations.* privateca.operations.get privateca.operations.list privateca.reusableConfigs.create privateca.reusableConfigs.delete privateca.reusableConfigs.get privateca.reusableConfigs.getIamPolicy privateca.reusableConfigs.list privateca.reusableConfigs.update resourcemanager.projects.get resourcemanager.projects.list storage.buckets.create
CA Service Certificate Manager roles/privateca.certificateManager Create certificates and read-only access for CA Service resources.	privateca.caPools.get privateca.caPools.getIamPolicy privateca.caPools.list privateca.certificateAuthorities.get privateca.certificateAuthorities.getIamPolicy privateca.certificateAuthorities.list privateca.certificateRevocationLists.get privateca.certificateRevocationLists.getIamPolicy privateca.certificateRevocationLists.list privateca.certificateTemplates.get privateca.certificateTemplates.getIamPolicy privateca.certificateTemplates.list privateca.certificates.create privateca.certificates.get privateca.certificates.getIamPolicy privateca.certificates.list privateca.locations.* privateca.operations.get privateca.operations.list privateca.reusableConfigs.get privateca.reusableConfigs.getIamPolicy privateca.reusableConfigs.list resourcemanager.projects.get resourcemanager.projects.list
CA Service Certificate Requester roles/privateca.certificateRequester Request certificates from CA Service.	privateca.certificates.create
CA Service Certificate Template User roles/privateca.templateUser Read, list and use certificate templates.	privateca.certificateTemplates.get privateca.certificateTemplates.list privateca.certificateTemplates.use
CA Service Workload Certificate Requester roles/privateca.workloadCertificateRequester Request certificates from CA Service with caller's identity.	privateca.certificates.createForSelf
Certificate Manager Editor roles/certificatemanager.editor Edit access to Certificate Manager all resources.	certificatemanager.certmapentries.create certificatemanager.certmapentries.get certificatemanager.certmapentries.getIamPolicy certificatemanager.certmapentries.list certificatemanager.certmapentries.update certificatemanager.certmaps.create certificatemanager.certmaps.get certificatemanager.certmaps.getIamPolicy certificatemanager.certmaps.list certificatemanager.certmaps.update certificatemanager.certmaps.use certificatemanager.certs.create certificatemanager.certs.get certificatemanager.certs.getIamPolicy certificatemanager.certs.list certificatemanager.certs.update certificatemanager.certs.use certificatemanager.dnsauthorizations.create certificatemanager.dnsauthorizations.get certificatemanager.dnsauthorizations.getIamPolicy certificatemanager.dnsauthorizations.list certificatemanager.dnsauthorizations.update certificatemanager.dnsauthorizations.use certificatemanager.locations.* certificatemanager.operations.get certificatemanager.operations.list resourcemanager.projects.get resourcemanager.projects.list
Certificate Manager Owner roles/certificatemanager.owner Full access to Certificate Manager all resources.	certificatemanager.* resourcemanager.projects.get resourcemanager.projects.list
Certificate Manager Viewer roles/certificatemanager.viewer Read-only access to Certificate Manager all resources.	certificatemanager.certmapentries.get certificatemanager.certmapentries.getIamPolicy certificatemanager.certmapentries.list certificatemanager.certmaps.get certificatemanager.certmaps.getIamPolicy certificatemanager.certmaps.list certificatemanager.certs.get certificatemanager.certs.getIamPolicy certificatemanager.certs.list certificatemanager.dnsauthorizations.get certificatemanager.dnsauthorizations.getIamPolicy certificatemanager.dnsauthorizations.list certificatemanager.locations.* certificatemanager.operations.get certificatemanager.operations.list resourcemanager.projects.get resourcemanager.projects.list
Cloud Asset Owner roles/cloudasset.owner Full access to cloud assets metadata	cloudasset.* recommender.cloudAssetInsights.* recommender.locations.*
Cloud Asset Viewer roles/cloudasset.viewer Read only access to cloud assets metadata	cloudasset.assets.* recommender.cloudAssetInsights.get recommender.cloudAssetInsights.list recommender.locations.*
Bigtable Administrator roles/bigtable.admin Administers all instances within a project, including the data stored within tables. Can create new instances. Intended for project administrators.	bigtable.* monitoring.metricDescriptors.get monitoring.metricDescriptors.list monitoring.timeSeries.list resourcemanager.projects.get
Bigtable Reader roles/bigtable.reader Provides read-only access to the data stored within tables. Intended for data scientists, dashboard generators, and other data-analysis scenarios.	bigtable.appProfiles.get bigtable.appProfiles.list bigtable.backups.get bigtable.backups.list bigtable.clusters.get bigtable.clusters.list bigtable.instances.get bigtable.instances.list bigtable.keyvisualizer.* bigtable.locations.* bigtable.tables.checkConsistency bigtable.tables.generateConsistencyToken bigtable.tables.get bigtable.tables.list bigtable.tables.readRows bigtable.tables.sampleRowKeys monitoring.metricDescriptors.get monitoring.metricDescriptors.list monitoring.timeSeries.list resourcemanager.projects.get
Bigtable User roles/bigtable.user Provides read-write access to the data stored within tables. Intended for application developers or service accounts.	bigtable.appProfiles.get bigtable.appProfiles.list bigtable.backups.get bigtable.backups.list bigtable.clusters.get bigtable.clusters.list bigtable.instances.get bigtable.instances.list bigtable.keyvisualizer.* bigtable.locations.* bigtable.tables.checkConsistency bigtable.tables.generateConsistencyToken bigtable.tables.get bigtable.tables.list bigtable.tables.mutateRows bigtable.tables.readRows bigtable.tables.sampleRowKeys monitoring.metricDescriptors.get monitoring.metricDescriptors.list monitoring.timeSeries.list resourcemanager.projects.get
Bigtable Viewer roles/bigtable.viewer Provides no data access. Intended as a minimal set of permissions to access the Cloud Console for Bigtable.	bigtable.appProfiles.get bigtable.appProfiles.list bigtable.backups.get bigtable.backups.list bigtable.clusters.get bigtable.clusters.list bigtable.instances.get bigtable.instances.list bigtable.locations.* bigtable.tables.checkConsistency bigtable.tables.generateConsistencyToken bigtable.tables.get bigtable.tables.list monitoring.metricDescriptors.get monitoring.metricDescriptors.list monitoring.timeSeries.list resourcemanager.projects.get
Cloud Build Approver roles/cloudbuild.builds.approver Can approve or reject pending builds.	cloudbuild.builds.approve cloudbuild.builds.get cloudbuild.builds.list remotebuildexecution.blobs.get resourcemanager.projects.get resourcemanager.projects.list
Cloud Build Service Account roles/cloudbuild.builds.builder Provides access to perform builds.	artifactregistry.aptartifacts.* artifactregistry.dockerimages.* artifactregistry.files.* artifactregistry.packages.get artifactregistry.packages.list artifactregistry.repositories.downloadArtifacts artifactregistry.repositories.get artifactregistry.repositories.list artifactregistry.repositories.listEffectiveTags artifactregistry.repositories.listTagBindings artifactregistry.repositories.uploadArtifacts artifactregistry.tags.create artifactregistry.tags.get artifactregistry.tags.list artifactregistry.tags.update artifactregistry.versions.get artifactregistry.versions.list artifactregistry.yumartifacts.* cloudbuild.builds.create cloudbuild.builds.get cloudbuild.builds.list cloudbuild.builds.update cloudbuild.workerpools.use containeranalysis.occurrences.create containeranalysis.occurrences.delete containeranalysis.occurrences.get containeranalysis.occurrences.list containeranalysis.occurrences.update logging.logEntries.create logging.logEntries.list logging.privateLogEntries.* logging.views.access pubsub.topics.create pubsub.topics.publish remotebuildexecution.blobs.get resourcemanager.projects.get resourcemanager.projects.list source.repos.get source.repos.list storage.buckets.create storage.buckets.get storage.buckets.list storage.objects.create storage.objects.delete storage.objects.get storage.objects.list storage.objects.update
Cloud Build Editor roles/cloudbuild.builds.editor Provides access to create and cancel builds.	cloudbuild.builds.create cloudbuild.builds.get cloudbuild.builds.list cloudbuild.builds.update remotebuildexecution.blobs.get resourcemanager.projects.get resourcemanager.projects.list
Cloud Build Viewer roles/cloudbuild.builds.viewer Provides access to view builds.	cloudbuild.builds.get cloudbuild.builds.list remotebuildexecution.blobs.get resourcemanager.projects.get resourcemanager.projects.list
Cloud Build Integrations Editor roles/cloudbuild.integrationsEditor Can update Integrations	cloudbuild.integrations.get cloudbuild.integrations.list cloudbuild.integrations.update resourcemanager.projects.get resourcemanager.projects.list
Cloud Build Integrations Owner roles/cloudbuild.integrationsOwner Can create/delete Integrations	cloudbuild.integrations.* compute.firewalls.create compute.firewalls.get compute.firewalls.list compute.networks.get compute.networks.updatePolicy compute.regions.get compute.subnetworks.get compute.subnetworks.list resourcemanager.projects.get resourcemanager.projects.list
Cloud Build Integrations Viewer roles/cloudbuild.integrationsViewer Can view Integrations	cloudbuild.integrations.get cloudbuild.integrations.list resourcemanager.projects.get resourcemanager.projects.list
Cloud Build WorkerPool Editor roles/cloudbuild.workerPoolEditor Can update and view WorkerPools	cloudbuild.workerpools.get cloudbuild.workerpools.list cloudbuild.workerpools.update resourcemanager.projects.get resourcemanager.projects.list
Cloud Build WorkerPool Owner roles/cloudbuild.workerPoolOwner Can create, delete, update, and view WorkerPools	cloudbuild.workerpools.create cloudbuild.workerpools.delete cloudbuild.workerpools.get cloudbuild.workerpools.list cloudbuild.workerpools.update resourcemanager.projects.get resourcemanager.projects.list
Cloud Build WorkerPool User roles/cloudbuild.workerPoolUser Can run builds in the WorkerPool	cloudbuild.workerpools.use
Cloud Build WorkerPool Viewer roles/cloudbuild.workerPoolViewer Can view WorkerPools	cloudbuild.workerpools.get cloudbuild.workerpools.list resourcemanager.projects.get resourcemanager.projects.list
Cloud Composer v2 API Service Agent Extension roles/composer.ServiceAgentV2Ext Cloud Composer v2 API Service Agent Extension is a supplementary role required to manage Composer v2 environments.	iam.serviceAccounts.getIamPolicy iam.serviceAccounts.setIamPolicy
Composer Administrator roles/composer.admin Provides full control of Cloud Composer resources.	composer.* serviceusage.quotas.get serviceusage.services.get serviceusage.services.list
Environment and Storage Object Administrator roles/composer.environmentAndStorageObjectAdmin Provides full control of Cloud Composer resources and of the objects in all project buckets.	composer.* orgpolicy.policy.get resourcemanager.projects.get resourcemanager.projects.list serviceusage.quotas.get serviceusage.services.get serviceusage.services.list storage.multipartUploads.* storage.objects.*
Environment User and Storage Object Viewer roles/composer.environmentAndStorageObjectViewer Provides the permissions necessary to list and get Cloud Composer environments and operations. Provides read-only access to objects in all project buckets.	composer.dags.* composer.environments.get composer.environments.list composer.imageversions.* composer.operations.get composer.operations.list resourcemanager.projects.get resourcemanager.projects.list serviceusage.quotas.get serviceusage.services.get serviceusage.services.list storage.objects.get storage.objects.list
Composer Shared VPC Agent roles/composer.sharedVpcAgent Role that should be assigned to Composer Agent service account in Shared VPC host project	compute.networks.access compute.networks.addPeering compute.networks.get compute.networks.list compute.networks.listPeeringRoutes compute.networks.removePeering compute.networks.updatePeering compute.networks.use compute.networks.useExternalIp compute.projects.get compute.regions.* compute.subnetworks.get compute.subnetworks.list compute.subnetworks.use compute.subnetworks.useExternalIp compute.zones.*
Composer User roles/composer.user Provides the permissions necessary to list and get Cloud Composer environments and operations.	composer.dags.* composer.environments.get composer.environments.list composer.imageversions.* composer.operations.get composer.operations.list serviceusage.quotas.get serviceusage.services.get serviceusage.services.list
Composer Worker roles/composer.worker Provides the permissions necessary to run a Cloud Composer environment VM. Intended for service accounts.	artifactregistry.* cloudbuild.builds.create cloudbuild.builds.get cloudbuild.builds.list cloudbuild.builds.update cloudbuild.workerpools.use composer.environments.get container.* containeranalysis.occurrences.create containeranalysis.occurrences.delete containeranalysis.occurrences.get containeranalysis.occurrences.list containeranalysis.occurrences.update logging.logEntries.create logging.logEntries.list logging.privateLogEntries.* logging.views.access monitoring.metricDescriptors.create monitoring.metricDescriptors.get monitoring.metricDescriptors.list monitoring.monitoredResourceDescriptors.* monitoring.timeSeries.* orgpolicy.policy.get pubsub.schemas.attach pubsub.schemas.create pubsub.schemas.delete pubsub.schemas.get pubsub.schemas.list pubsub.schemas.validate pubsub.snapshots.create pubsub.snapshots.delete pubsub.snapshots.get pubsub.snapshots.list pubsub.snapshots.seek pubsub.snapshots.update pubsub.subscriptions.consume pubsub.subscriptions.create pubsub.subscriptions.delete pubsub.subscriptions.get pubsub.subscriptions.list pubsub.subscriptions.update pubsub.topics.attachSubscription pubsub.topics.create pubsub.topics.delete pubsub.topics.detachSubscription pubsub.topics.get pubsub.topics.list pubsub.topics.publish pubsub.topics.update pubsub.topics.updateTag remotebuildexecution.blobs.get resourcemanager.projects.get resourcemanager.projects.list serviceusage.quotas.get serviceusage.services.get serviceusage.services.list source.repos.get source.repos.list storage.buckets.create storage.buckets.get storage.buckets.list storage.multipartUploads.* storage.objects.*
Connector Admin roles/connectors.admin Full access to all resources of Connectors Service.	connectors.* resourcemanager.projects.get resourcemanager.projects.list
Connectors Viewer roles/connectors.viewer Read-only access to Connectors all resources.	connectors.connections.get connectors.connections.getConnectionSchemaMetadata connectors.connections.getIamPolicy connectors.connections.getRuntimeActionSchema connectors.connections.getRuntimeEntitySchema connectors.connections.list connectors.connectors.* connectors.locations.* connectors.operations.get connectors.operations.list connectors.providers.* connectors.runtimeconfig.* connectors.versions.* resourcemanager.projects.get resourcemanager.projects.list
Cloud Data Fusion Admin roles/datafusion.admin Full access to Cloud Data Fusion Instances, Namespaces and related resources.	datafusion.* resourcemanager.projects.get resourcemanager.projects.list
Cloud Data Fusion Runner roles/datafusion.runner Access to Cloud Data Fusion runtime resources.	datafusion.instances.runtime
Cloud Data Fusion Viewer roles/datafusion.viewer Read-only access to Cloud Data Fusion Instances, Namespaces and related resources.	datafusion.instances.get datafusion.instances.getIamPolicy datafusion.instances.list datafusion.instances.runtime datafusion.locations.* datafusion.operations.get datafusion.operations.list resourcemanager.projects.get resourcemanager.projects.list
Data Labeling Service Admin roles/datalabeling.admin Full access to all Data Labeling resources	datalabeling.* resourcemanager.projects.get resourcemanager.projects.list
Data Labeling Service Editor roles/datalabeling.editor Editor of all Data Labeling resources	datalabeling.* resourcemanager.projects.get resourcemanager.projects.list
Data Labeling Service Viewer roles/datalabeling.viewer Viewer of all Data Labeling resources	datalabeling.annotateddatasets.get datalabeling.annotateddatasets.list datalabeling.annotationspecsets.get datalabeling.annotationspecsets.list datalabeling.dataitems.* datalabeling.datasets.get datalabeling.datasets.list datalabeling.examples.* datalabeling.instructions.get datalabeling.instructions.list datalabeling.operations.get datalabeling.operations.list resourcemanager.projects.get resourcemanager.projects.list
Dataplex Administrator roles/dataplex.admin Full access to all Dataplex resources.	dataplex.assetActions.* dataplex.assets.create dataplex.assets.delete dataplex.assets.get dataplex.assets.getIamPolicy dataplex.assets.list dataplex.assets.setIamPolicy dataplex.assets.update dataplex.content.* dataplex.entities.* dataplex.environments.* dataplex.lakeActions.* dataplex.lakes.* dataplex.locations.* dataplex.operations.* dataplex.partitions.* dataplex.tasks.* dataplex.zoneActions.* dataplex.zones.* resourcemanager.projects.get resourcemanager.projects.list
Dataplex Data Owner roles/dataplex.dataOwner Owner access to data. To be granted to Dataplex resources Lake, Zone or Asset only.	dataplex.assets.ownData dataplex.assets.readData dataplex.assets.writeData
Dataplex Data Reader roles/dataplex.dataReader Read only access to data. To be granted to Dataplex resources Lake, Zone or Asset only.	dataplex.assets.readData
Dataplex Data Writer roles/dataplex.dataWriter Write access to data. To be granted to Dataplex resources Lake, Zone or Asset only.	dataplex.assets.writeData
Dataplex Developer roles/dataplex.developer Allows running data analytics workloads in a lake.	dataplex.content.* dataplex.environments.execute dataplex.environments.get dataplex.environments.list dataplex.tasks.cancel dataplex.tasks.create dataplex.tasks.delete dataplex.tasks.get dataplex.tasks.list dataplex.tasks.update
Dataplex Editor roles/dataplex.editor Write access to Dataplex resources.	dataplex.assetActions.* dataplex.assets.create dataplex.assets.delete dataplex.assets.get dataplex.assets.getIamPolicy dataplex.assets.list dataplex.assets.update dataplex.content.delete dataplex.content.get dataplex.content.getIamPolicy dataplex.content.list dataplex.environments.create dataplex.environments.delete dataplex.environments.get dataplex.environments.getIamPolicy dataplex.environments.list dataplex.environments.update dataplex.lakeActions.* dataplex.lakes.create dataplex.lakes.delete dataplex.lakes.get dataplex.lakes.getIamPolicy dataplex.lakes.list dataplex.lakes.update dataplex.operations.* dataplex.tasks.cancel dataplex.tasks.create dataplex.tasks.delete dataplex.tasks.get dataplex.tasks.getIamPolicy dataplex.tasks.list dataplex.tasks.update dataplex.zoneActions.* dataplex.zones.create dataplex.zones.delete dataplex.zones.get dataplex.zones.getIamPolicy dataplex.zones.list dataplex.zones.update
Dataplex Metadata Reader roles/dataplex.metadataReader Read only access to metadata.	dataplex.assets.get dataplex.assets.list dataplex.entities.get dataplex.entities.list dataplex.partitions.get dataplex.partitions.list dataplex.zones.get dataplex.zones.list
Dataplex Metadata Writer roles/dataplex.metadataWriter Read and write access to metadata.	dataplex.assets.get dataplex.assets.list dataplex.entities.* dataplex.partitions.* dataplex.zones.get dataplex.zones.list
Dataplex Storage Data Owner roles/dataplex.storageDataOwner Owner access to data. Should not be used directly. This role is granted by Dataplex to managed resources like Cloud Storage buckets, BigQuery datasets etc.	bigquery.datasets.get bigquery.models.create bigquery.models.delete bigquery.models.export bigquery.models.getData bigquery.models.getMetadata bigquery.models.list bigquery.models.updateData bigquery.models.updateMetadata bigquery.routines.create bigquery.routines.delete bigquery.routines.get bigquery.routines.list bigquery.routines.update bigquery.tables.create bigquery.tables.createSnapshot bigquery.tables.delete bigquery.tables.deleteSnapshot bigquery.tables.export bigquery.tables.get bigquery.tables.getData bigquery.tables.list bigquery.tables.restoreSnapshot bigquery.tables.update bigquery.tables.updateData storage.buckets.get storage.objects.create storage.objects.delete storage.objects.get storage.objects.list storage.objects.update
Dataplex Storage Data Reader roles/dataplex.storageDataReader Read only access to data. Should not be used directly. This role is granted by Dataplex to managed resources like Cloud Storage buckets, BigQuery datasets etc.	bigquery.datasets.get bigquery.models.export bigquery.models.getData bigquery.models.getMetadata bigquery.models.list bigquery.routines.get bigquery.routines.list bigquery.tables.export bigquery.tables.get bigquery.tables.getData bigquery.tables.list storage.buckets.get storage.objects.get storage.objects.list
Dataplex Storage Data Writer roles/dataplex.storageDataWriter Write access to data. Should not be used directly. This role is granted by Dataplex to managed resources like Cloud Storage buckets, BigQuery datasets etc.	bigquery.tables.updateData storage.objects.create storage.objects.delete storage.objects.update
Dataplex Viewer roles/dataplex.viewer Read access to Dataplex resources.	dataplex.assetActions.* dataplex.assets.get dataplex.assets.getIamPolicy dataplex.assets.list dataplex.content.get dataplex.content.getIamPolicy dataplex.content.list dataplex.environments.get dataplex.environments.getIamPolicy dataplex.environments.list dataplex.lakeActions.* dataplex.lakes.get dataplex.lakes.getIamPolicy dataplex.lakes.list dataplex.operations.get dataplex.operations.list dataplex.tasks.get dataplex.tasks.getIamPolicy dataplex.tasks.list dataplex.zoneActions.* dataplex.zones.get dataplex.zones.getIamPolicy dataplex.zones.list
Cloud Debugger Agent roles/clouddebugger.agent Provides permissions to register the debug target, read active breakpoints, and report breakpoint results.	clouddebugger.breakpoints.list clouddebugger.breakpoints.listActive clouddebugger.breakpoints.update clouddebugger.debuggees.create
Cloud Debugger User roles/clouddebugger.user Provides permissions to create, view, list, and delete breakpoints (snapshots & logpoints) as well as list debug targets (debuggees).	clouddebugger.breakpoints.create clouddebugger.breakpoints.delete clouddebugger.breakpoints.get clouddebugger.breakpoints.list clouddebugger.debuggees.list
Cloud Deploy Admin roles/clouddeploy.admin Full control of Cloud Deploy resources.	clouddeploy.* resourcemanager.projects.get resourcemanager.projects.list
Cloud Deploy Approver roles/clouddeploy.approver Permission to approve or reject rollouts.	clouddeploy.locations.* clouddeploy.operations.* clouddeploy.rollouts.approve clouddeploy.rollouts.get clouddeploy.rollouts.list resourcemanager.projects.get resourcemanager.projects.list
Cloud Deploy Developer roles/clouddeploy.developer Permission to manage deployment configuration without permission to access operational resources, such as targets.	clouddeploy.deliveryPipelines.create clouddeploy.deliveryPipelines.get clouddeploy.deliveryPipelines.getIamPolicy clouddeploy.deliveryPipelines.list clouddeploy.deliveryPipelines.update clouddeploy.locations.* clouddeploy.operations.* clouddeploy.releases.* clouddeploy.rollouts.get clouddeploy.rollouts.list resourcemanager.projects.get resourcemanager.projects.list
Cloud Deploy Runner roles/clouddeploy.jobRunner Permission to execute Cloud Deploy work without permission to deliver to a target.	logging.logEntries.create storage.objects.create storage.objects.get storage.objects.list
Cloud Deploy Operator roles/clouddeploy.operator Permission to manage deployment configuration.	clouddeploy.deliveryPipelines.create clouddeploy.deliveryPipelines.get clouddeploy.deliveryPipelines.getIamPolicy clouddeploy.deliveryPipelines.list clouddeploy.deliveryPipelines.update clouddeploy.locations.* clouddeploy.operations.* clouddeploy.releases.* clouddeploy.rollouts.create clouddeploy.rollouts.get clouddeploy.rollouts.list clouddeploy.targets.create clouddeploy.targets.get clouddeploy.targets.getIamPolicy clouddeploy.targets.list clouddeploy.targets.update resourcemanager.projects.get resourcemanager.projects.list
Cloud Deploy Releaser roles/clouddeploy.releaser Permission to create Cloud Deploy releases and rollouts.	clouddeploy.deliveryPipelines.get clouddeploy.locations.* clouddeploy.operations.* clouddeploy.releases.create clouddeploy.releases.get clouddeploy.releases.list clouddeploy.rollouts.create clouddeploy.rollouts.get clouddeploy.rollouts.list clouddeploy.targets.get resourcemanager.projects.get resourcemanager.projects.list
Cloud Deploy Viewer roles/clouddeploy.viewer Can view Cloud Deploy resources.	clouddeploy.config.* clouddeploy.deliveryPipelines.get clouddeploy.deliveryPipelines.getIamPolicy clouddeploy.deliveryPipelines.list clouddeploy.locations.* clouddeploy.operations.get clouddeploy.operations.list clouddeploy.releases.get clouddeploy.releases.list clouddeploy.rollouts.get clouddeploy.rollouts.list clouddeploy.targets.get clouddeploy.targets.getIamPolicy clouddeploy.targets.list resourcemanager.projects.get resourcemanager.projects.list
DLP Administrator roles/dlp.admin Administer DLP including jobs and templates.	dlp.* serviceusage.services.use
DLP Analyze Risk Templates Editor roles/dlp.analyzeRiskTemplatesEditor Edit DLP analyze risk templates.	dlp.analyzeRiskTemplates.*
DLP Analyze Risk Templates Reader roles/dlp.analyzeRiskTemplatesReader Read DLP analyze risk templates.	dlp.analyzeRiskTemplates.get dlp.analyzeRiskTemplates.list
DLP Column Data Profiles Reader roles/dlp.columnDataProfilesReader Read DLP column profiles.	dlp.columnDataProfiles.*
DLP Data Profiles Reader roles/dlp.dataProfilesReader Read DLP profiles.	dlp.columnDataProfiles.* dlp.projectDataProfiles.* dlp.tableDataProfiles.*
DLP De-identify Templates Editor roles/dlp.deidentifyTemplatesEditor Edit DLP de-identify templates.	dlp.deidentifyTemplates.*
DLP De-identify Templates Reader roles/dlp.deidentifyTemplatesReader Read DLP de-identify templates.	dlp.deidentifyTemplates.get dlp.deidentifyTemplates.list
DLP Cost Estimation roles/dlp.estimatesAdmin Manage DLP Cost Estimates.	dlp.estimates.*
DLP Inspect Findings Reader roles/dlp.inspectFindingsReader Read DLP stored findings.	dlp.inspectFindings.*
DLP Inspect Templates Editor roles/dlp.inspectTemplatesEditor Edit DLP inspect templates.	dlp.inspectTemplates.*
DLP Inspect Templates Reader roles/dlp.inspectTemplatesReader Read DLP inspect templates.	dlp.inspectTemplates.get dlp.inspectTemplates.list
DLP Job Triggers Editor roles/dlp.jobTriggersEditor Edit job triggers configurations.	dlp.jobTriggers.*
DLP Job Triggers Reader roles/dlp.jobTriggersReader Read job triggers.	dlp.jobTriggers.get dlp.jobTriggers.list
DLP Jobs Editor roles/dlp.jobsEditor Edit and create jobs	dlp.jobs.* dlp.kms.*
DLP Jobs Reader roles/dlp.jobsReader Read jobs	dlp.jobs.get dlp.jobs.list
DLP Organization Data Profiles Driver roles/dlp.orgdriver Permissions needed by the DLP service account to generate data profiles within an organization or folder.	bigquery.bireservations.get bigquery.capacityCommitments.get bigquery.capacityCommitments.list bigquery.config.get bigquery.connections.updateTag bigquery.datasets.create bigquery.datasets.get bigquery.datasets.getIamPolicy bigquery.datasets.updateTag bigquery.jobs.create bigquery.jobs.get bigquery.jobs.list bigquery.jobs.listAll bigquery.jobs.listExecutionMetadata bigquery.models.* bigquery.readsessions.* bigquery.reservationAssignments.list bigquery.reservationAssignments.search bigquery.reservations.get bigquery.reservations.list bigquery.routines.* bigquery.savedqueries.get bigquery.savedqueries.list bigquery.tables.create bigquery.tables.createIndex bigquery.tables.createSnapshot bigquery.tables.delete bigquery.tables.deleteIndex bigquery.tables.export bigquery.tables.get bigquery.tables.getData bigquery.tables.getIamPolicy bigquery.tables.list bigquery.tables.restoreSnapshot bigquery.tables.update bigquery.tables.updateData bigquery.tables.updateTag bigquery.transfers.get bigquerymigration.translation.* cloudasset.assets.* datacatalog.categories.fineGrainedGet datacatalog.entries.updateTag datacatalog.tagTemplates.create datacatalog.tagTemplates.get datacatalog.tagTemplates.getTag datacatalog.tagTemplates.use dlp.* pubsub.topics.updateTag recommender.cloudAssetInsights.get recommender.cloudAssetInsights.list recommender.locations.* resourcemanager.projects.get resourcemanager.projects.list serviceusage.services.use
DLP Project Data Profiles Reader roles/dlp.projectDataProfilesReader Read DLP project profiles.	dlp.projectDataProfiles.*
DLP Project Data Profiles Driver roles/dlp.projectdriver Permissions needed by the DLP service account to generate data profiles within a project.	bigquery.bireservations.get bigquery.capacityCommitments.get bigquery.capacityCommitments.list bigquery.config.get bigquery.connections.updateTag bigquery.datasets.create bigquery.datasets.get bigquery.datasets.getIamPolicy bigquery.datasets.updateTag bigquery.jobs.create bigquery.jobs.get bigquery.jobs.list bigquery.jobs.listAll bigquery.jobs.listExecutionMetadata bigquery.models.* bigquery.readsessions.* bigquery.reservationAssignments.list bigquery.reservationAssignments.search bigquery.reservations.get bigquery.reservations.list bigquery.routines.* bigquery.savedqueries.get bigquery.savedqueries.list bigquery.tables.create bigquery.tables.createIndex bigquery.tables.createSnapshot bigquery.tables.delete bigquery.tables.deleteIndex bigquery.tables.export bigquery.tables.get bigquery.tables.getData bigquery.tables.getIamPolicy bigquery.tables.list bigquery.tables.restoreSnapshot bigquery.tables.update bigquery.tables.updateData bigquery.tables.updateTag bigquery.transfers.get bigquerymigration.translation.* cloudasset.assets.* datacatalog.categories.fineGrainedGet datacatalog.entries.updateTag datacatalog.tagTemplates.create datacatalog.tagTemplates.get datacatalog.tagTemplates.getTag datacatalog.tagTemplates.use dlp.* pubsub.topics.updateTag recommender.cloudAssetInsights.get recommender.cloudAssetInsights.list recommender.locations.* resourcemanager.projects.get resourcemanager.projects.list serviceusage.services.use
DLP Reader roles/dlp.reader Read DLP entities, such as jobs and templates.	dlp.analyzeRiskTemplates.get dlp.analyzeRiskTemplates.list dlp.deidentifyTemplates.get dlp.deidentifyTemplates.list dlp.inspectFindings.* dlp.inspectTemplates.get dlp.inspectTemplates.list dlp.jobTriggers.get dlp.jobTriggers.list dlp.jobs.get dlp.jobs.list dlp.locations.* dlp.storedInfoTypes.get dlp.storedInfoTypes.list
DLP Stored InfoTypes Editor roles/dlp.storedInfoTypesEditor Edit DLP stored info types.	dlp.storedInfoTypes.*
DLP Stored InfoTypes Reader roles/dlp.storedInfoTypesReader Read DLP stored info types.	dlp.storedInfoTypes.get dlp.storedInfoTypes.list
DLP Table Data Profiles Reader roles/dlp.tableDataProfilesReader Read DLP table profiles.	dlp.tableDataProfiles.*
DLP User roles/dlp.user Inspect, Redact, and De-identify Content	dlp.kms.* dlp.locations.* serviceusage.services.use
Cloud Domains Admin roles/domains.admin Full access to Cloud Domains Registrations and related resources.	domains.* resourcemanager.projects.get resourcemanager.projects.list
Cloud Domains Viewer roles/domains.viewer Read-only access to Cloud Domains Registrations and related resources.	domains.locations.* domains.operations.get domains.operations.list domains.registrations.get domains.registrations.getIamPolicy domains.registrations.list domains.registrations.listTagBindings resourcemanager.projects.get resourcemanager.projects.list
Cloud Filestore Editor roles/file.editor Read-write access to Filestore instances and related resources.	file.*
Cloud Filestore Viewer roles/file.viewer Read-only access to Filestore instances and related resources.	file.backups.get file.backups.list file.backups.listTagBindings file.instances.get file.instances.list file.instances.listTagBindings file.locations.* file.operations.get file.operations.list file.snapshots.listTagBindings
Cloud Functions Admin roles/cloudfunctions.admin Full access to functions, operations and locations.	cloudbuild.builds.get cloudbuild.builds.list cloudfunctions.* eventarc.* recommender.locations.* remotebuildexecution.blobs.get resourcemanager.projects.get resourcemanager.projects.list run.* serviceusage.quotas.get serviceusage.services.get serviceusage.services.list
Cloud Functions Developer roles/cloudfunctions.developer Read and write access to all functions-related resources.	cloudbuild.builds.get cloudbuild.builds.list cloudfunctions.functions.call cloudfunctions.functions.create cloudfunctions.functions.delete cloudfunctions.functions.get cloudfunctions.functions.invoke cloudfunctions.functions.list cloudfunctions.functions.sourceCodeGet cloudfunctions.functions.sourceCodeSet cloudfunctions.functions.update cloudfunctions.locations.* cloudfunctions.operations.* cloudfunctions.runtimes.* eventarc.locations.* eventarc.operations.* eventarc.triggers.create eventarc.triggers.delete eventarc.triggers.get eventarc.triggers.getIamPolicy eventarc.triggers.list eventarc.triggers.undelete eventarc.triggers.update recommender.locations.* remotebuildexecution.blobs.get resourcemanager.projects.get resourcemanager.projects.list run.configurations.* run.locations.* run.revisions.* run.routes.* run.services.create run.services.delete run.services.get run.services.getIamPolicy run.services.list run.services.listEffectiveTags run.services.listTagBindings run.services.update serviceusage.quotas.get serviceusage.services.get serviceusage.services.list
Cloud Functions Invoker roles/cloudfunctions.invoker Ability to invoke HTTP functions with restricted access.	cloudfunctions.functions.invoke
Cloud Functions Viewer roles/cloudfunctions.viewer Read-only access to functions and locations.	cloudbuild.builds.get cloudbuild.builds.list cloudfunctions.functions.get cloudfunctions.functions.list cloudfunctions.locations.* cloudfunctions.operations.* cloudfunctions.runtimes.* eventarc.locations.* eventarc.operations.get eventarc.operations.list eventarc.providers.* eventarc.triggers.get eventarc.triggers.getIamPolicy eventarc.triggers.list recommender.locations.* remotebuildexecution.blobs.get resourcemanager.projects.get resourcemanager.projects.list run.configurations.* run.locations.* run.operations.get run.operations.list run.revisions.get run.revisions.list run.routes.get run.routes.list run.services.get run.services.getIamPolicy run.services.list run.services.listEffectiveTags run.services.listTagBindings serviceusage.quotas.get serviceusage.services.get serviceusage.services.list
Game Services API Admin roles/gameservices.admin Full access to Game Services API and related resources.	gameservices.* resourcemanager.projects.get resourcemanager.projects.list
Game Services API Viewer roles/gameservices.viewer Read-only access to Game Services API and related resources.	gameservices.gameServerClusters.get gameservices.gameServerClusters.list gameservices.gameServerConfigs.get gameservices.gameServerConfigs.list gameservices.gameServerDeployments.get gameservices.gameServerDeployments.list gameservices.locations.* gameservices.operations.get gameservices.operations.list gameservices.realms.get gameservices.realms.list resourcemanager.projects.get resourcemanager.projects.list
Healthcare Annotation Editor roles/healthcare.annotationEditor Create, delete, update, read and list annotations.	healthcare.annotationStores.get healthcare.annotationStores.list healthcare.annotations.* healthcare.datasets.get healthcare.datasets.list healthcare.locations.* healthcare.operations.get resourcemanager.projects.get resourcemanager.projects.list
Healthcare Annotation Reader roles/healthcare.annotationReader Read and list annotations in an Annotation store.	healthcare.annotationStores.get healthcare.annotationStores.list healthcare.annotations.get healthcare.annotations.list healthcare.datasets.get healthcare.datasets.list healthcare.locations.* healthcare.operations.get resourcemanager.projects.get resourcemanager.projects.list
Healthcare Annotation Administrator roles/healthcare.annotationStoreAdmin Administer Annotation stores.	healthcare.annotationStores.* healthcare.datasets.get healthcare.datasets.list healthcare.locations.* healthcare.operations.get resourcemanager.projects.get resourcemanager.projects.list
Healthcare Annotation Store Viewer roles/healthcare.annotationStoreViewer List Annotation Stores in a dataset.	healthcare.annotationStores.get healthcare.annotationStores.list healthcare.datasets.get healthcare.datasets.list healthcare.locations.* healthcare.operations.get resourcemanager.projects.get resourcemanager.projects.list
Healthcare Attribute Definition Editor roles/healthcare.attributeDefinitionEditor Edit AttributeDefinition objects.	healthcare.attributeDefinitions.* healthcare.consentStores.checkDataAccess healthcare.consentStores.evaluateUserConsents healthcare.consentStores.get healthcare.consentStores.list healthcare.consentStores.queryAccessibleData healthcare.datasets.get healthcare.datasets.list healthcare.locations.* healthcare.operations.get resourcemanager.projects.get resourcemanager.projects.list
Healthcare Attribute Definition Reader roles/healthcare.attributeDefinitionReader Read AttributeDefinition objects in a consent store.	healthcare.attributeDefinitions.get healthcare.attributeDefinitions.list healthcare.consentStores.checkDataAccess healthcare.consentStores.evaluateUserConsents healthcare.consentStores.get healthcare.consentStores.list healthcare.consentStores.queryAccessibleData healthcare.datasets.get healthcare.datasets.list healthcare.locations.* healthcare.operations.get resourcemanager.projects.get resourcemanager.projects.list
Healthcare Consent Artifact Administrator roles/healthcare.consentArtifactAdmin Administer ConsentArtifact objects.	healthcare.consentArtifacts.* healthcare.consentStores.checkDataAccess healthcare.consentStores.evaluateUserConsents healthcare.consentStores.get healthcare.consentStores.list healthcare.consentStores.queryAccessibleData healthcare.datasets.get healthcare.datasets.list healthcare.locations.* healthcare.operations.get resourcemanager.projects.get resourcemanager.projects.list
Healthcare Consent Artifact Editor roles/healthcare.consentArtifactEditor Edit ConsentArtifact objects.	healthcare.consentArtifacts.create healthcare.consentArtifacts.get healthcare.consentArtifacts.list healthcare.consentStores.checkDataAccess healthcare.consentStores.evaluateUserConsents healthcare.consentStores.get healthcare.consentStores.list healthcare.consentStores.queryAccessibleData healthcare.datasets.get healthcare.datasets.list healthcare.locations.* healthcare.operations.get resourcemanager.projects.get resourcemanager.projects.list
Healthcare Consent Artifact Reader roles/healthcare.consentArtifactReader Read ConsentArtifact objects in a consent store.	healthcare.consentArtifacts.get healthcare.consentArtifacts.list healthcare.consentStores.checkDataAccess healthcare.consentStores.evaluateUserConsents healthcare.consentStores.get healthcare.consentStores.list healthcare.consentStores.queryAccessibleData healthcare.datasets.get healthcare.datasets.list healthcare.locations.* healthcare.operations.get resourcemanager.projects.get resourcemanager.projects.list
Healthcare Consent Editor roles/healthcare.consentEditor Edit Consent objects.	healthcare.consentStores.checkDataAccess healthcare.consentStores.evaluateUserConsents healthcare.consentStores.get healthcare.consentStores.list healthcare.consentStores.queryAccessibleData healthcare.consents.* healthcare.datasets.get healthcare.datasets.list healthcare.locations.* healthcare.operations.get resourcemanager.projects.get resourcemanager.projects.list
Healthcare Consent Reader roles/healthcare.consentReader Read Consent objects in a consent store.	healthcare.consentStores.checkDataAccess healthcare.consentStores.evaluateUserConsents healthcare.consentStores.get healthcare.consentStores.list healthcare.consentStores.queryAccessibleData healthcare.consents.get healthcare.consents.list healthcare.datasets.get healthcare.datasets.list healthcare.locations.* healthcare.operations.get resourcemanager.projects.get resourcemanager.projects.list
Healthcare Consent Store Administrator roles/healthcare.consentStoreAdmin Administer Consent stores.	healthcare.consentStores.* healthcare.datasets.get healthcare.datasets.list healthcare.locations.* healthcare.operations.get resourcemanager.projects.get resourcemanager.projects.list
Healthcare Consent Store Viewer roles/healthcare.consentStoreViewer List Consent Stores in a dataset.	healthcare.consentStores.checkDataAccess healthcare.consentStores.evaluateUserConsents healthcare.consentStores.get healthcare.consentStores.list healthcare.consentStores.queryAccessibleData healthcare.datasets.get healthcare.datasets.list healthcare.locations.* healthcare.operations.get resourcemanager.projects.get resourcemanager.projects.list
Healthcare Dataset Administrator roles/healthcare.datasetAdmin Administer Healthcare Datasets.	healthcare.datasets.* healthcare.locations.* healthcare.operations.* resourcemanager.projects.get resourcemanager.projects.list
Healthcare Dataset Viewer roles/healthcare.datasetViewer List the Healthcare Datasets in a project.	healthcare.datasets.get healthcare.datasets.list healthcare.locations.* healthcare.operations.get resourcemanager.projects.get resourcemanager.projects.list
Healthcare DICOM Editor roles/healthcare.dicomEditor Edit DICOM images individually and in bulk.	healthcare.datasets.get healthcare.datasets.list healthcare.dicomStores.dicomWebDelete healthcare.dicomStores.dicomWebRead healthcare.dicomStores.dicomWebWrite healthcare.dicomStores.export healthcare.dicomStores.get healthcare.dicomStores.import healthcare.dicomStores.list healthcare.locations.* healthcare.operations.cancel healthcare.operations.get resourcemanager.projects.get resourcemanager.projects.list
Healthcare DICOM Store Administrator roles/healthcare.dicomStoreAdmin Administer DICOM stores.	healthcare.datasets.get healthcare.datasets.list healthcare.dicomStores.create healthcare.dicomStores.deidentify healthcare.dicomStores.delete healthcare.dicomStores.dicomWebDelete healthcare.dicomStores.get healthcare.dicomStores.getIamPolicy healthcare.dicomStores.list healthcare.dicomStores.setIamPolicy healthcare.dicomStores.update healthcare.locations.* healthcare.operations.cancel healthcare.operations.get resourcemanager.projects.get resourcemanager.projects.list
Healthcare DICOM Store Viewer roles/healthcare.dicomStoreViewer List DICOM Stores in a dataset.	healthcare.datasets.get healthcare.datasets.list healthcare.dicomStores.get healthcare.dicomStores.list healthcare.locations.* healthcare.operations.get resourcemanager.projects.get resourcemanager.projects.list
Healthcare DICOM Viewer roles/healthcare.dicomViewer Retrieve DICOM images from a DICOM store.	healthcare.datasets.get healthcare.datasets.list healthcare.dicomStores.dicomWebRead healthcare.dicomStores.export healthcare.dicomStores.get healthcare.dicomStores.list healthcare.locations.* healthcare.operations.get resourcemanager.projects.get resourcemanager.projects.list
Healthcare FHIR Resource Editor roles/healthcare.fhirResourceEditor Create, delete, update, read and search FHIR resources.	healthcare.datasets.get healthcare.datasets.list healthcare.fhirResources.create healthcare.fhirResources.delete healthcare.fhirResources.get healthcare.fhirResources.patch healthcare.fhirResources.translateConceptMap healthcare.fhirResources.update healthcare.fhirStores.executeBundle healthcare.fhirStores.get healthcare.fhirStores.list healthcare.fhirStores.searchResources healthcare.locations.* healthcare.operations.cancel healthcare.operations.get resourcemanager.projects.get resourcemanager.projects.list
Healthcare FHIR Resource Reader roles/healthcare.fhirResourceReader Read and search FHIR resources.	healthcare.datasets.get healthcare.datasets.list healthcare.fhirResources.get healthcare.fhirResources.translateConceptMap healthcare.fhirStores.executeBundle healthcare.fhirStores.get healthcare.fhirStores.list healthcare.fhirStores.searchResources healthcare.locations.* healthcare.operations.get resourcemanager.projects.get resourcemanager.projects.list
Healthcare FHIR Store Administrator roles/healthcare.fhirStoreAdmin Administer FHIR resource stores.	healthcare.datasets.get healthcare.datasets.list healthcare.fhirResources.purge healthcare.fhirStores.configureSearch healthcare.fhirStores.create healthcare.fhirStores.deidentify healthcare.fhirStores.delete healthcare.fhirStores.export healthcare.fhirStores.get healthcare.fhirStores.getIamPolicy healthcare.fhirStores.import healthcare.fhirStores.list healthcare.fhirStores.setIamPolicy healthcare.fhirStores.update healthcare.locations.* healthcare.operations.cancel healthcare.operations.get resourcemanager.projects.get resourcemanager.projects.list
Healthcare FHIR Store Viewer roles/healthcare.fhirStoreViewer List FHIR Stores in a dataset.	healthcare.datasets.get healthcare.datasets.list healthcare.fhirStores.get healthcare.fhirStores.list healthcare.locations.* healthcare.operations.get resourcemanager.projects.get resourcemanager.projects.list
Healthcare HL7v2 Message Consumer roles/healthcare.hl7V2Consumer List and read HL7v2 messages, update message labels, and publish new messages.	healthcare.datasets.get healthcare.datasets.list healthcare.hl7V2Messages.create healthcare.hl7V2Messages.get healthcare.hl7V2Messages.list healthcare.hl7V2Messages.update healthcare.hl7V2Stores.get healthcare.hl7V2Stores.list healthcare.locations.* healthcare.operations.get resourcemanager.projects.get resourcemanager.projects.list
Healthcare HL7v2 Message Editor roles/healthcare.hl7V2Editor Read, write, and delete access to HL7v2 messages.	healthcare.datasets.get healthcare.datasets.list healthcare.hl7V2Messages.* healthcare.hl7V2Stores.get healthcare.hl7V2Stores.list healthcare.locations.* healthcare.operations.cancel healthcare.operations.get resourcemanager.projects.get resourcemanager.projects.list
Healthcare HL7v2 Message Ingest roles/healthcare.hl7V2Ingest Ingest HL7v2 messages received from a source network.	healthcare.datasets.get healthcare.datasets.list healthcare.hl7V2Messages.ingest healthcare.hl7V2Stores.get healthcare.hl7V2Stores.list healthcare.locations.* healthcare.operations.get resourcemanager.projects.get resourcemanager.projects.list
Healthcare HL7v2 Store Administrator roles/healthcare.hl7V2StoreAdmin Administer HL7v2 Stores.	healthcare.datasets.get healthcare.datasets.list healthcare.hl7V2Stores.* healthcare.locations.* healthcare.operations.cancel healthcare.operations.get resourcemanager.projects.get resourcemanager.projects.list
Healthcare HL7v2 Store Viewer roles/healthcare.hl7V2StoreViewer View HL7v2 Stores in a dataset.	healthcare.datasets.get healthcare.datasets.list healthcare.hl7V2Stores.get healthcare.hl7V2Stores.list healthcare.locations.* healthcare.operations.get resourcemanager.projects.get resourcemanager.projects.list
Healthcare NLP Service Viewer roles/healthcare.nlpServiceViewer Extract and analyze medical entities from a given text.	healthcare.locations.* healthcare.nlpservice.* resourcemanager.projects.get resourcemanager.projects.list
Healthcare User Data Mapping Editor roles/healthcare.userDataMappingEditor Edit UserDataMapping objects.	healthcare.consentStores.checkDataAccess healthcare.consentStores.evaluateUserConsents healthcare.consentStores.get healthcare.consentStores.list healthcare.consentStores.queryAccessibleData healthcare.datasets.get healthcare.datasets.list healthcare.locations.* healthcare.operations.get healthcare.userDataMappings.* resourcemanager.projects.get resourcemanager.projects.list
Healthcare User Data Mapping Reader roles/healthcare.userDataMappingReader Read UserDataMapping objects in a consent store.	healthcare.consentStores.checkDataAccess healthcare.consentStores.evaluateUserConsents healthcare.consentStores.get healthcare.consentStores.list healthcare.consentStores.queryAccessibleData healthcare.datasets.get healthcare.datasets.list healthcare.locations.* healthcare.operations.get healthcare.userDataMappings.get healthcare.userDataMappings.list resourcemanager.projects.get resourcemanager.projects.list
IAP Policy Admin roles/iap.admin Provides full access to Identity-Aware Proxy resources.	iap.tunnel.* iap.tunnelInstances.getIamPolicy iap.tunnelInstances.setIamPolicy iap.tunnelZones.* iap.web.getIamPolicy iap.web.setIamPolicy iap.webServiceVersions.getIamPolicy iap.webServiceVersions.setIamPolicy iap.webServices.getIamPolicy iap.webServices.setIamPolicy iap.webTypes.getIamPolicy iap.webTypes.setIamPolicy
IAP-secured Web App User roles/iap.httpsResourceAccessor Provides permission to access HTTPS resources which use Identity-Aware Proxy.	iap.webServiceVersions.accessViaIAP
IAP Settings Admin roles/iap.settingsAdmin Administrator of IAP Settings.	iap.projects.* iap.web.getSettings iap.web.updateSettings iap.webServiceVersions.getSettings iap.webServiceVersions.updateSettings iap.webServices.getSettings iap.webServices.updateSettings iap.webTypes.getSettings iap.webTypes.updateSettings
IAP-secured Tunnel User roles/iap.tunnelResourceAccessor Access Tunnel resources which use Identity-Aware Proxy	iap.tunnelInstances.accessViaIAP
Cloud IDS Admin roles/ids.admin Full access to Cloud IDS all resources.	ids.* resourcemanager.projects.get resourcemanager.projects.list
Cloud IDS Viewer roles/ids.viewer Read-only access to Cloud IDS all resources.	ids.endpoints.get ids.endpoints.getIamPolicy ids.endpoints.list ids.locations.* ids.operations.get ids.operations.list resourcemanager.projects.get resourcemanager.projects.list
Cloud IoT Admin roles/cloudiot.admin Full control of all Cloud IoT resources and permissions.	cloudiot.* cloudiottoken.*
Cloud IoT Device Controller roles/cloudiot.deviceController Access to update the device configuration, but not to create or delete devices.	cloudiot.devices.get cloudiot.devices.list cloudiot.devices.sendCommand cloudiot.devices.updateConfig cloudiot.registries.get cloudiot.registries.list cloudiottoken.tokensettings.get
Cloud IoT Editor roles/cloudiot.editor Read-write access to all Cloud IoT resources.	cloudiot.devices.* cloudiot.registries.create cloudiot.registries.delete cloudiot.registries.get cloudiot.registries.list cloudiot.registries.update cloudiottoken.*
Cloud IoT Provisioner roles/cloudiot.provisioner Access to create and delete devices from registries, but not to modify the registries, and enable devices to publish to topics associated with IoT registry.	cloudiot.devices.* cloudiot.registries.get cloudiot.registries.list cloudiottoken.tokensettings.get
Cloud IoT Viewer roles/cloudiot.viewer Read-only access to all Cloud IoT resources.	cloudiot.devices.get cloudiot.devices.list cloudiot.registries.get cloudiot.registries.list cloudiottoken.tokensettings.get
Cloud KMS Admin roles/cloudkms.admin Provides full access to Cloud KMS resources, except encrypt and decrypt operations.	cloudkms.cryptoKeyVersions.create cloudkms.cryptoKeyVersions.destroy cloudkms.cryptoKeyVersions.get cloudkms.cryptoKeyVersions.list cloudkms.cryptoKeyVersions.restore cloudkms.cryptoKeyVersions.update cloudkms.cryptoKeyVersions.useToDecryptViaDelegation cloudkms.cryptoKeyVersions.useToEncryptViaDelegation cloudkms.cryptoKeys.* cloudkms.ekmConnections.* cloudkms.importJobs.* cloudkms.keyRings.* cloudkms.locations.get cloudkms.locations.list resourcemanager.projects.get
Cloud KMS CryptoKey Decrypter roles/cloudkms.cryptoKeyDecrypter Provides ability to use Cloud KMS resources for decrypt operations only.	cloudkms.cryptoKeyVersions.useToDecrypt cloudkms.locations.get cloudkms.locations.list resourcemanager.projects.get
Cloud KMS CryptoKey Decrypter Via Delegation roles/cloudkms.cryptoKeyDecrypterViaDelegation Enables Decrypt operations via other GCP services	cloudkms.cryptoKeyVersions.useToDecryptViaDelegation cloudkms.locations.get cloudkms.locations.list resourcemanager.projects.get resourcemanager.projects.list
Cloud KMS CryptoKey Encrypter roles/cloudkms.cryptoKeyEncrypter Provides ability to use Cloud KMS resources for encrypt operations only.	cloudkms.cryptoKeyVersions.useToEncrypt cloudkms.locations.get cloudkms.locations.list resourcemanager.projects.get
Cloud KMS CryptoKey Encrypter/Decrypter roles/cloudkms.cryptoKeyEncrypterDecrypter Provides ability to use Cloud KMS resources for encrypt and decrypt operations only.	cloudkms.cryptoKeyVersions.useToDecrypt cloudkms.cryptoKeyVersions.useToEncrypt cloudkms.locations.get cloudkms.locations.list resourcemanager.projects.get
Cloud KMS CryptoKey Encrypter/Decrypter Via Delegation roles/cloudkms.cryptoKeyEncrypterDecrypterViaDelegation Enables Encrypt and Decrypt operations via other GCP services	cloudkms.cryptoKeyVersions.useToDecryptViaDelegation cloudkms.cryptoKeyVersions.useToEncryptViaDelegation cloudkms.locations.get cloudkms.locations.list resourcemanager.projects.get resourcemanager.projects.list
Cloud KMS CryptoKey Encrypter Via Delegation roles/cloudkms.cryptoKeyEncrypterViaDelegation Enables Encrypt operations via other GCP services	cloudkms.cryptoKeyVersions.useToEncryptViaDelegation cloudkms.locations.get cloudkms.locations.list resourcemanager.projects.get resourcemanager.projects.list
Cloud KMS Crypto Operator roles/cloudkms.cryptoOperator Enables all Crypto Operations.	cloudkms.cryptoKeyVersions.useToDecrypt cloudkms.cryptoKeyVersions.useToEncrypt cloudkms.cryptoKeyVersions.useToSign cloudkms.cryptoKeyVersions.useToVerify cloudkms.cryptoKeyVersions.viewPublicKey cloudkms.locations.* resourcemanager.projects.get
Cloud KMS Expert Raw PKCS#1 Key Manager roles/cloudkms.expertRawPKCS1 Enables raw PKCS#1 keys management.	cloudkms.cryptoKeyVersions.manageRawPKCS1Keys cloudkms.locations.get cloudkms.locations.list resourcemanager.projects.get resourcemanager.projects.list
Cloud KMS Importer roles/cloudkms.importer Enables ImportCryptoKeyVersion, CreateImportJob, ListImportJobs, and GetImportJob operations	cloudkms.importJobs.create cloudkms.importJobs.get cloudkms.importJobs.list cloudkms.importJobs.useToImport cloudkms.locations.get cloudkms.locations.list resourcemanager.projects.get
Cloud KMS CryptoKey Public Key Viewer roles/cloudkms.publicKeyViewer Enables GetPublicKey operations	cloudkms.cryptoKeyVersions.viewPublicKey cloudkms.locations.get cloudkms.locations.list resourcemanager.projects.get
Cloud KMS CryptoKey Signer roles/cloudkms.signer Enables Sign operations	cloudkms.cryptoKeyVersions.useToSign cloudkms.locations.get cloudkms.locations.list resourcemanager.projects.get
Cloud KMS CryptoKey Signer/Verifier roles/cloudkms.signerVerifier Enables Sign, Verify, and GetPublicKey operations	cloudkms.cryptoKeyVersions.useToSign cloudkms.cryptoKeyVersions.useToVerify cloudkms.cryptoKeyVersions.viewPublicKey cloudkms.locations.get cloudkms.locations.list resourcemanager.projects.get
Cloud KMS CryptoKey Verifier roles/cloudkms.verifier Enables Verify and GetPublicKey operations	cloudkms.cryptoKeyVersions.useToVerify cloudkms.cryptoKeyVersions.viewPublicKey cloudkms.locations.get cloudkms.locations.list resourcemanager.projects.get
Cloud KMS Viewer roles/cloudkms.viewer Enables Get and List operations.	cloudkms.cryptoKeyVersions.get cloudkms.cryptoKeyVersions.list cloudkms.cryptoKeys.get cloudkms.cryptoKeys.list cloudkms.ekmConnections.get cloudkms.ekmConnections.list cloudkms.importJobs.get cloudkms.importJobs.list cloudkms.keyRings.get cloudkms.keyRings.list cloudkms.locations.get cloudkms.locations.list resourcemanager.projects.get
Cloud Life Sciences Admin roles/lifesciences.admin Full control of Cloud Life Sciences resources.	lifesciences.*
Cloud Life Sciences Editor roles/lifesciences.editor Access to read and edit Cloud Life Sciences resources.	lifesciences.*
Cloud Life Sciences Viewer roles/lifesciences.viewer Access to read Cloud Life Sciences resources.	lifesciences.operations.get lifesciences.operations.list resourcemanager.projects.get resourcemanager.projects.list
Cloud Life Sciences Workflows Runner roles/lifesciences.workflowsRunner Full access to operate on Cloud Life Sciences workflows.	lifesciences.*
Google Cloud Managed Identities Admin roles/managedidentities.admin Full access to Google Cloud Managed Identities Domains and related resources. Intended to be granted on a project-level.	managedidentities.* resourcemanager.projects.get resourcemanager.projects.list
Google Cloud Managed Identities Backup Admin roles/managedidentities.backupAdmin Full access to Google Cloud Managed Identities Backup and related resources. Intended to be granted on a project-level	managedidentities.backups.* managedidentities.domains.get managedidentities.locations.* managedidentities.operations.* resourcemanager.projects.get resourcemanager.projects.list
Google Cloud Managed Identities Backup Viewer roles/managedidentities.backupViewer Read-only access to Google Cloud Managed Identities Backup and related resources.	managedidentities.backups.get managedidentities.backups.getIamPolicy managedidentities.backups.list managedidentities.domains.get managedidentities.locations.* managedidentities.operations.get managedidentities.operations.list resourcemanager.projects.get resourcemanager.projects.list
Google Cloud Managed Identities Domain Admin roles/managedidentities.domainAdmin Read-Update-Delete to Google Cloud Managed Identities Domains and related resources. Intended to be granted on a resource (domain) level.	managedidentities.backups.* managedidentities.domains.attachTrust managedidentities.domains.createTagBinding managedidentities.domains.delete managedidentities.domains.deleteTagBinding managedidentities.domains.detachTrust managedidentities.domains.get managedidentities.domains.getIamPolicy managedidentities.domains.listTagBindings managedidentities.domains.reconfigureTrust managedidentities.domains.resetpassword managedidentities.domains.restore managedidentities.domains.update managedidentities.domains.updateLDAPSSettings managedidentities.domains.validateTrust managedidentities.locations.* managedidentities.operations.get managedidentities.operations.list managedidentities.sqlintegrations.* resourcemanager.projects.get resourcemanager.projects.list
Google Cloud Managed Identities Domain Controller Operator roles/managedidentities.domaincontrollerOperator Operator access for Managed AD Domain Controllers	pubsub.schemas.attach pubsub.schemas.create pubsub.schemas.delete pubsub.schemas.get pubsub.schemas.list pubsub.schemas.validate pubsub.snapshots.create pubsub.snapshots.delete pubsub.snapshots.get pubsub.snapshots.list pubsub.snapshots.seek pubsub.snapshots.update pubsub.subscriptions.consume pubsub.subscriptions.create pubsub.subscriptions.delete pubsub.subscriptions.get pubsub.subscriptions.list pubsub.subscriptions.update pubsub.topics.attachSubscription pubsub.topics.create pubsub.topics.delete pubsub.topics.detachSubscription pubsub.topics.get pubsub.topics.list pubsub.topics.publish pubsub.topics.update pubsub.topics.updateTag resourcemanager.projects.get resourcemanager.projects.list serviceusage.quotas.get serviceusage.services.get serviceusage.services.list storage.objects.get storage.objects.list
Google Cloud Managed Identities Peering Admin roles/managedidentities.peeringAdmin Full access to Google Cloud Managed Identities Domains and related resources. Intended to be granted on a project-level	managedidentities.locations.* managedidentities.operations.* managedidentities.peerings.* resourcemanager.projects.get resourcemanager.projects.list
Google Cloud Managed Identities Peering Viewer roles/managedidentities.peeringViewer Read-only access to Google Cloud Managed Identities Peering and related resources.	managedidentities.locations.* managedidentities.operations.get managedidentities.operations.list managedidentities.peerings.get managedidentities.peerings.getIamPolicy managedidentities.peerings.list resourcemanager.projects.get resourcemanager.projects.list
Google Cloud Managed Identities Viewer roles/managedidentities.viewer Read-only access to Google Cloud Managed Identities Domains and related resources.	managedidentities.backups.get managedidentities.backups.getIamPolicy managedidentities.backups.list managedidentities.domains.get managedidentities.domains.getIamPolicy managedidentities.domains.list managedidentities.domains.listTagBindings managedidentities.locations.* managedidentities.operations.get managedidentities.operations.list managedidentities.peerings.get managedidentities.peerings.getIamPolicy managedidentities.peerings.list managedidentities.sqlintegrations.* resourcemanager.projects.get resourcemanager.projects.list
Commerce Offer Catalog Offers Viewer roles/commerceoffercatalog.offersViewer Allows viewing offers	commerceoffercatalog.*
Commerce Price Management Private Offers Admin roles/commercepricemanagement.privateOffersAdmin Allows managing private offers	commerceprice.* resourcemanager.projects.get resourcemanager.projects.list serviceusage.services.get serviceusage.services.list
Commerce Price Management Viewer roles/commercepricemanagement.viewer Allows viewing offers, free trials, skus	commerceprice.privateoffers.get commerceprice.privateoffers.list resourcemanager.projects.get resourcemanager.projects.list serviceusage.services.get serviceusage.services.list
Consumer Procurement Entitlement Manager roles/consumerprocurement.entitlementManager Allows managing entitlements and enabling, disabling, and inspecting service states for a consumer project.	consumerprocurement.entitlements.* consumerprocurement.freeTrials.* resourcemanager.projects.get resourcemanager.projects.list serviceusage.operations.get serviceusage.services.disable serviceusage.services.enable serviceusage.services.get serviceusage.services.list
Consumer Procurement Entitlement Viewer roles/consumerprocurement.entitlementViewer Allows inspecting entitlements and service states for a consumer project.	consumerprocurement.entitlements.* consumerprocurement.freeTrials.get consumerprocurement.freeTrials.list resourcemanager.projects.get resourcemanager.projects.list serviceusage.services.get serviceusage.services.list
Consumer Procurement Order Administrator roles/consumerprocurement.orderAdmin Allows managing purchases.	commerceoffercatalog.* consumerprocurement.accounts.* consumerprocurement.orderAttributions.* consumerprocurement.orders.*
Consumer Procurement Order Viewer roles/consumerprocurement.orderViewer Allows inspecting purchases.	commerceoffercatalog.* consumerprocurement.accounts.get consumerprocurement.accounts.list consumerprocurement.orderAttributions.get consumerprocurement.orderAttributions.list consumerprocurement.orders.get consumerprocurement.orders.list
Velostrata Manager roles/cloudmigration.inframanager Ability to create and manage Compute VMs to run Velostrata Infrastructure	cloudmigration.* compute.addresses.* compute.diskTypes.* compute.disks.create compute.disks.createSnapshot compute.disks.delete compute.disks.get compute.disks.list compute.disks.setLabels compute.disks.update compute.disks.use compute.disks.useReadOnly compute.globalOperations.get compute.images.get compute.images.list compute.images.useReadOnly compute.instances.attachDisk compute.instances.create compute.instances.delete compute.instances.detachDisk compute.instances.get compute.instances.getSerialPortOutput compute.instances.list compute.instances.reset compute.instances.setDiskAutoDelete compute.instances.setLabels compute.instances.setMachineType compute.instances.setMetadata compute.instances.setMinCpuPlatform compute.instances.setScheduling compute.instances.setServiceAccount compute.instances.setTags compute.instances.start compute.instances.startWithEncryptionKey compute.instances.stop compute.instances.update compute.instances.updateNetworkInterface compute.instances.updateShieldedInstanceConfig compute.instances.use compute.licenseCodes.get compute.licenseCodes.list compute.licenseCodes.update compute.licenseCodes.use compute.licenses.get compute.licenses.list compute.machineTypes.* compute.networks.get compute.networks.list compute.networks.use compute.networks.useExternalIp compute.nodeGroups.get compute.nodeGroups.list compute.nodeTemplates.list compute.projects.get compute.regionOperations.get compute.regions.* compute.snapshots.create compute.snapshots.delete compute.snapshots.get compute.snapshots.setLabels compute.snapshots.useReadOnly compute.subnetworks.get compute.subnetworks.list compute.subnetworks.use compute.subnetworks.useExternalIp compute.zoneOperations.get compute.zones.* gkehub.endpoints.* iam.serviceAccounts.get iam.serviceAccounts.list resourcemanager.projects.get storage.buckets.create storage.buckets.delete storage.buckets.get storage.buckets.list storage.buckets.update
Velostrata Storage Access roles/cloudmigration.storageaccess Ability to access migration storage	storage.objects.create storage.objects.delete storage.objects.get storage.objects.list storage.objects.update
Velostrata Manager Connection Agent roles/cloudmigration.velostrataconnect Ability to set up connection between Velostrata Manager and Google	cloudmigration.* gkehub.endpoints.*
VM Migration Administrator roles/vmmigration.admin Ability to view and edit all VM Migration objects	vmmigration.*
VM Migration Viewer roles/vmmigration.viewer Ability to view all VM Migration objects	vmmigration.cloneJobs.get vmmigration.cloneJobs.list vmmigration.cutoverJobs.get vmmigration.cutoverJobs.list vmmigration.datacenterConnectors.get vmmigration.datacenterConnectors.list vmmigration.deployments.get vmmigration.deployments.list vmmigration.groups.get vmmigration.groups.list vmmigration.locations.* vmmigration.migratingVms.get vmmigration.migratingVms.list vmmigration.operations.get vmmigration.operations.list vmmigration.sources.get vmmigration.sources.list vmmigration.targets.get vmmigration.targets.list vmmigration.utilizationReports.get vmmigration.utilizationReports.list
Catalog Consumer roles/cloudprivatecatalog.consumer Can browse catalogs in the target resource context.	cloudprivatecatalog.* resourcemanager.projects.get resourcemanager.projects.list
Catalog Admin roles/cloudprivatecatalogproducer.admin Can manage catalog and view its associations.	cloudprivatecatalog.* cloudprivatecatalogproducer.associations.* cloudprivatecatalogproducer.catalogAssociations.* cloudprivatecatalogproducer.catalogs.* cloudprivatecatalogproducer.producerCatalogs.* cloudprivatecatalogproducer.products.* cloudprivatecatalogproducer.targets.* resourcemanager.folders.get resourcemanager.folders.list resourcemanager.organizations.get resourcemanager.projects.get resourcemanager.projects.list
Catalog Manager roles/cloudprivatecatalogproducer.manager Can manage associations between a catalog and a target resource.	cloudprivatecatalog.* cloudprivatecatalogproducer.associations.* cloudprivatecatalogproducer.catalogAssociations.* cloudprivatecatalogproducer.catalogs.get cloudprivatecatalogproducer.catalogs.list cloudprivatecatalogproducer.producerCatalogs.get cloudprivatecatalogproducer.producerCatalogs.list cloudprivatecatalogproducer.targets.* resourcemanager.folders.get resourcemanager.folders.list resourcemanager.organizations.get resourcemanager.projects.get resourcemanager.projects.list
Catalog Org Admin roles/cloudprivatecatalogproducer.orgAdmin Can manage catalog org settings.	cloudprivatecatalog.* cloudprivatecatalogproducer.* resourcemanager.folders.get resourcemanager.folders.list resourcemanager.organizations.get resourcemanager.projects.get resourcemanager.projects.list
Cloud Profiler Agent roles/cloudprofiler.agent Cloud Profiler agents are allowed to register and provide the profiling data.	cloudprofiler.profiles.create cloudprofiler.profiles.update
Cloud Profiler User roles/cloudprofiler.user Cloud Profiler users are allowed to query and view the profiling data.	cloudprofiler.profiles.list resourcemanager.projects.get resourcemanager.projects.list serviceusage.quotas.get serviceusage.services.get serviceusage.services.list
Cloud Run Admin roles/run.admin Full control over all Cloud Run resources.	recommender.locations.* resourcemanager.projects.get resourcemanager.projects.list run.*
Cloud Run Developer roles/run.developer Read and write access to all Cloud Run resources.	recommender.locations.* resourcemanager.projects.get resourcemanager.projects.list run.configurations.* run.locations.* run.revisions.* run.routes.* run.services.create run.services.delete run.services.get run.services.getIamPolicy run.services.list run.services.listEffectiveTags run.services.listTagBindings run.services.update
Cloud Run Invoker roles/run.invoker Can invoke a Cloud Run service.	run.routes.invoke
Cloud Run Viewer roles/run.viewer Can view the state of all Cloud Run resources, including IAM policies.	recommender.locations.* resourcemanager.projects.get resourcemanager.projects.list run.configurations.* run.locations.* run.operations.get run.operations.list run.revisions.get run.revisions.list run.routes.get run.routes.list run.services.get run.services.getIamPolicy run.services.list run.services.listEffectiveTags run.services.listTagBindings
Cloud Scheduler Admin roles/cloudscheduler.admin Full access to jobs and executions. Note that a Cloud Scheduler Admin (or any custom role with the permission cloudscheduler.jobs.create) can create jobs that publish to any Pub/Sub topics within the project.	appengine.applications.get cloudscheduler.* resourcemanager.projects.get resourcemanager.projects.list serviceusage.services.get serviceusage.services.list
Cloud Scheduler Job Runner roles/cloudscheduler.jobRunner Access to run jobs.	appengine.applications.get cloudscheduler.jobs.fullView cloudscheduler.jobs.run resourcemanager.projects.get resourcemanager.projects.list serviceusage.services.get serviceusage.services.list
Cloud Scheduler Viewer roles/cloudscheduler.viewer Get and list access to jobs, executions, and locations.	appengine.applications.get cloudscheduler.jobs.fullView cloudscheduler.jobs.get cloudscheduler.jobs.list cloudscheduler.locations.* resourcemanager.projects.get resourcemanager.projects.list serviceusage.services.get serviceusage.services.list
Web Security Scanner Editor roles/cloudsecurityscanner.editor Full access to all Web Security Scanner resources	appengine.applications.get cloudsecurityscanner.* compute.addresses.list resourcemanager.projects.get resourcemanager.projects.list serviceusage.quotas.get serviceusage.services.get serviceusage.services.list
Web Security Scanner Runner roles/cloudsecurityscanner.runner Read access to Scan and ScanRun, plus the ability to start scans	cloudsecurityscanner.crawledurls.* cloudsecurityscanner.scanruns.get cloudsecurityscanner.scanruns.list cloudsecurityscanner.scanruns.stop cloudsecurityscanner.scans.get cloudsecurityscanner.scans.list cloudsecurityscanner.scans.run
Web Security Scanner Viewer roles/cloudsecurityscanner.viewer Read access to all Web Security Scanner resources	cloudsecurityscanner.crawledurls.* cloudsecurityscanner.results.* cloudsecurityscanner.scanruns.get cloudsecurityscanner.scanruns.getSummary cloudsecurityscanner.scanruns.list cloudsecurityscanner.scans.get cloudsecurityscanner.scans.list serviceusage.quotas.get serviceusage.services.get serviceusage.services.list
Service Broker Admin roles/servicebroker.admin Full access to ServiceBroker resources.	servicebroker.*
Service Broker Operator roles/servicebroker.operator Operational access to the ServiceBroker resources.	servicebroker.bindingoperations.* servicebroker.bindings.create servicebroker.bindings.delete servicebroker.bindings.get servicebroker.bindings.list servicebroker.catalogs.create servicebroker.catalogs.delete servicebroker.catalogs.get servicebroker.catalogs.list servicebroker.instanceoperations.* servicebroker.instances.create servicebroker.instances.delete servicebroker.instances.get servicebroker.instances.list servicebroker.instances.update
Cloud Spanner Admin roles/spanner.admin Has complete access to all Cloud Spanner resources in a Google Cloud project. A principal with this role can: Grant and revoke permissions to other principals for all Cloud Spanner resources in the project. Allocate and delete chargeable Cloud Spanner resources. Issue get/list/modify operations on Cloud Spanner resources. Read from and write to all Cloud Spanner databases in the project. Fetch project metadata.	monitoring.timeSeries.list resourcemanager.projects.get resourcemanager.projects.list spanner.*
Cloud Spanner Backup Admin roles/spanner.backupAdmin A principal with this role can: Create, view, update, and delete backups. View and manage a backup's IAM policy. This role cannot restore a database from a backup.	monitoring.timeSeries.list resourcemanager.projects.get resourcemanager.projects.list spanner.backupOperations.* spanner.backups.create spanner.backups.delete spanner.backups.get spanner.backups.getIamPolicy spanner.backups.list spanner.backups.setIamPolicy spanner.backups.update spanner.databases.createBackup spanner.databases.get spanner.databases.list spanner.instances.get spanner.instances.list
Cloud Spanner Backup Writer roles/spanner.backupWriter This role is intended to be used by scripts that automate backup creation. A principal with this role can create backups, but cannot update or delete them.	spanner.backupOperations.get spanner.backupOperations.list spanner.backups.create spanner.backups.get spanner.backups.list spanner.databases.createBackup spanner.databases.get spanner.databases.list spanner.instances.get
Cloud Spanner Database Admin roles/spanner.databaseAdmin A principal with this role can: Get/list all Cloud Spanner instances in the project. Create/list/drop databases in an instance. Grant/revoke access to databases in the project. Read from and write to all Cloud Spanner databases in the project.	monitoring.timeSeries.list resourcemanager.projects.get resourcemanager.projects.list spanner.databaseOperations.* spanner.databases.beginOrRollbackReadWriteTransaction spanner.databases.beginPartitionedDmlTransaction spanner.databases.beginReadOnlyTransaction spanner.databases.create spanner.databases.drop spanner.databases.get spanner.databases.getDdl spanner.databases.getIamPolicy spanner.databases.list spanner.databases.partitionQuery spanner.databases.partitionRead spanner.databases.read spanner.databases.select spanner.databases.setIamPolicy spanner.databases.update spanner.databases.updateDdl spanner.databases.write spanner.instances.get spanner.instances.getIamPolicy spanner.instances.list spanner.sessions.*
Cloud Spanner Database Reader roles/spanner.databaseReader A principal with this role can: Read from the Cloud Spanner database. Execute SQL queries on the database. View schema for the database.	spanner.databases.beginReadOnlyTransaction spanner.databases.getDdl spanner.databases.partitionQuery spanner.databases.partitionRead spanner.databases.read spanner.databases.select spanner.instances.get spanner.sessions.*
Cloud Spanner Database User roles/spanner.databaseUser A principal with this role can: Read from and write to the Cloud Spanner database. Execute SQL queries on the database, including DML and Partitioned DML. View and update schema for the database.	spanner.databaseOperations.* spanner.databases.beginOrRollbackReadWriteTransaction spanner.databases.beginPartitionedDmlTransaction spanner.databases.beginReadOnlyTransaction spanner.databases.getDdl spanner.databases.partitionQuery spanner.databases.partitionRead spanner.databases.read spanner.databases.select spanner.databases.updateDdl spanner.databases.write spanner.instances.get spanner.sessions.*
Cloud Spanner Restore Admin roles/spanner.restoreAdmin A principal with this role can restore databases from backups. If you need to restore a backup to a different instance, apply this role at the project level or to both instances. This role cannot create backups.	monitoring.timeSeries.list resourcemanager.projects.get resourcemanager.projects.list spanner.backups.get spanner.backups.list spanner.backups.restoreDatabase spanner.databaseOperations.cancel spanner.databaseOperations.get spanner.databaseOperations.list spanner.databases.create spanner.databases.get spanner.databases.list spanner.instances.get spanner.instances.list
Cloud Spanner Viewer roles/spanner.viewer A principal with this role can: View all Cloud Spanner instances (but cannot modify instances). View all Cloud Spanner databases (but cannot modify or read from databases). For example, you can combine this role with the roles/spanner.databaseUser role to grant a user with access to a specific database, but only view access to other instances and databases. This role is recommended at the Google Cloud project level for users interacting with Cloud Spanner resources in the Google Cloud Console.	monitoring.timeSeries.list resourcemanager.projects.get resourcemanager.projects.list spanner.databases.list spanner.instanceConfigs.* spanner.instances.get spanner.instances.list
Cloud SQL Admin roles/cloudsql.admin Provides full control of Cloud SQL resources.	cloudsql.* recommender.cloudsqlIdleInstanceRecommendations.* recommender.cloudsqlInstanceActivityInsights.* recommender.cloudsqlInstanceCpuUsageInsights.* recommender.cloudsqlInstanceDiskUsageTrendInsights.* recommender.cloudsqlInstanceMemoryUsageInsights.* recommender.cloudsqlInstanceOutOfDiskRecommendations.* recommender.cloudsqlOverprovisionedInstanceRecommendations.* resourcemanager.projects.get resourcemanager.projects.list serviceusage.quotas.get serviceusage.services.get serviceusage.services.list
Cloud SQL Client roles/cloudsql.client Provides connectivity access to Cloud SQL instances.	cloudsql.instances.connect cloudsql.instances.get
Cloud SQL Editor roles/cloudsql.editor Provides full control of existing Cloud SQL instances excluding modifying users, SSL certificates or deleting resources.	cloudsql.backupRuns.create cloudsql.backupRuns.get cloudsql.backupRuns.list cloudsql.databases.create cloudsql.databases.get cloudsql.databases.list cloudsql.databases.update cloudsql.instances.addServerCa cloudsql.instances.connect cloudsql.instances.export cloudsql.instances.failover cloudsql.instances.get cloudsql.instances.list cloudsql.instances.listServerCas cloudsql.instances.listTagBindings cloudsql.instances.restart cloudsql.instances.rotateServerCa cloudsql.instances.truncateLog cloudsql.instances.update cloudsql.sslCerts.get cloudsql.sslCerts.list cloudsql.users.list recommender.cloudsqlIdleInstanceRecommendations.* recommender.cloudsqlInstanceActivityInsights.* recommender.cloudsqlInstanceCpuUsageInsights.* recommender.cloudsqlInstanceDiskUsageTrendInsights.* recommender.cloudsqlInstanceMemoryUsageInsights.* recommender.cloudsqlInstanceOutOfDiskRecommendations.* recommender.cloudsqlOverprovisionedInstanceRecommendations.* resourcemanager.projects.get resourcemanager.projects.list serviceusage.quotas.get serviceusage.services.get serviceusage.services.list
Cloud SQL Instance User roles/cloudsql.instanceUser Role allowing access to a Cloud SQL instance	cloudsql.instances.get cloudsql.instances.login
Cloud SQL Viewer roles/cloudsql.viewer Provides read-only access to Cloud SQL resources.	cloudsql.backupRuns.get cloudsql.backupRuns.list cloudsql.databases.get cloudsql.databases.list cloudsql.instances.export cloudsql.instances.get cloudsql.instances.list cloudsql.instances.listServerCas cloudsql.instances.listTagBindings cloudsql.sslCerts.get cloudsql.sslCerts.list cloudsql.users.list recommender.cloudsqlIdleInstanceRecommendations.get recommender.cloudsqlIdleInstanceRecommendations.list recommender.cloudsqlInstanceActivityInsights.get recommender.cloudsqlInstanceActivityInsights.list recommender.cloudsqlInstanceCpuUsageInsights.get recommender.cloudsqlInstanceCpuUsageInsights.list recommender.cloudsqlInstanceDiskUsageTrendInsights.get recommender.cloudsqlInstanceDiskUsageTrendInsights.list recommender.cloudsqlInstanceMemoryUsageInsights.get recommender.cloudsqlInstanceMemoryUsageInsights.list recommender.cloudsqlInstanceOutOfDiskRecommendations.get recommender.cloudsqlInstanceOutOfDiskRecommendations.list recommender.cloudsqlOverprovisionedInstanceRecommendations.get recommender.cloudsqlOverprovisionedInstanceRecommendations.list resourcemanager.projects.get resourcemanager.projects.list serviceusage.quotas.get serviceusage.services.get serviceusage.services.list
Storage Admin roles/storage.admin Grants full control of objects and buckets. When applied to an individual bucket, control applies only to the specified bucket and objects within the bucket.	firebase.projects.get orgpolicy.policy.get resourcemanager.projects.get resourcemanager.projects.list storage.buckets.* storage.multipartUploads.* storage.objects.*
Storage HMAC Key Admin roles/storage.hmacKeyAdmin Full control of Cloud Storage HMAC keys.	firebase.projects.get orgpolicy.policy.get resourcemanager.projects.get resourcemanager.projects.list storage.hmacKeys.*
Storage Object Admin roles/storage.objectAdmin Grants full control of objects, including listing, creating, viewing, and deleting objects.	orgpolicy.policy.get resourcemanager.projects.get resourcemanager.projects.list storage.multipartUploads.* storage.objects.*
Storage Object Creator roles/storage.objectCreator Allows users to create objects. Does not give permission to view, delete, or overwrite objects.	orgpolicy.policy.get resourcemanager.projects.get resourcemanager.projects.list storage.multipartUploads.abort storage.multipartUploads.create storage.multipartUploads.listParts storage.objects.create
Storage Object Viewer roles/storage.objectViewer Grants access to view objects and their metadata, excluding ACLs. Can also list the objects in a bucket.	resourcemanager.projects.get resourcemanager.projects.list storage.objects.get storage.objects.list
Storage Transfer Admin roles/storagetransfer.admin Create, update and manage transfer jobs and operations.	resourcemanager.projects.get resourcemanager.projects.list storagetransfer.*
Storage Transfer Agent roles/storagetransfer.transferAgent Perform transfers from an agent.	pubsub.snapshots.seek pubsub.subscriptions.consume pubsub.subscriptions.create pubsub.subscriptions.delete pubsub.subscriptions.get pubsub.topics.attachSubscription pubsub.topics.create pubsub.topics.get pubsub.topics.list pubsub.topics.publish storagetransfer.agentpools.report storagetransfer.operations.assign storagetransfer.operations.get storagetransfer.operations.report
Storage Transfer User roles/storagetransfer.user Create and update storage transfer jobs and operations.	resourcemanager.projects.get resourcemanager.projects.list storagetransfer.agentpools.create storagetransfer.agentpools.get storagetransfer.agentpools.list storagetransfer.agentpools.report storagetransfer.agentpools.update storagetransfer.jobs.create storagetransfer.jobs.get storagetransfer.jobs.list storagetransfer.jobs.run storagetransfer.jobs.update storagetransfer.operations.* storagetransfer.projects.*
Storage Transfer Viewer roles/storagetransfer.viewer Read access to storage transfer jobs and operations.	resourcemanager.projects.get resourcemanager.projects.list storagetransfer.agentpools.get storagetransfer.agentpools.list storagetransfer.jobs.get storagetransfer.jobs.list storagetransfer.operations.get storagetransfer.operations.list storagetransfer.projects.*
Storage Legacy Bucket Owner roles/storage.legacyBucketOwner Grants permission to create, overwrite, and delete objects; list objects in a bucket and read object metadata, excluding IAM policies, when listing; and read and edit bucket metadata, including IAM policies. Use of this role is also reflected in the bucket's ACLs. For more information, see IAM relation to ACLs.	storage.buckets.createTagBinding storage.buckets.deleteTagBinding storage.buckets.get storage.buckets.getIamPolicy storage.buckets.listTagBindings storage.buckets.setIamPolicy storage.buckets.update storage.multipartUploads.* storage.objects.create storage.objects.delete storage.objects.list
Storage Legacy Bucket Reader roles/storage.legacyBucketReader Grants permission to list a bucket's contents and read bucket metadata, excluding IAM policies. Also grants permission to read object metadata, excluding IAM policies, when listing objects. Use of this role is also reflected in the bucket's ACLs. For more information, see IAM relation to ACLs.	storage.buckets.get storage.multipartUploads.list storage.objects.list
Storage Legacy Bucket Writer roles/storage.legacyBucketWriter Grants permission to create, overwrite, and delete objects; list objects in a bucket and read object metadata, excluding IAM policies, when listing; and read bucket metadata, excluding IAM policies. Use of this role is also reflected in the bucket's ACLs. For more information, see IAM relation to ACLs.	storage.buckets.get storage.multipartUploads.* storage.objects.create storage.objects.delete storage.objects.list
Storage Legacy Object Owner roles/storage.legacyObjectOwner Grants permission to view and edit objects and their metadata, including ACLs.	storage.objects.get storage.objects.getIamPolicy storage.objects.setIamPolicy storage.objects.update
Storage Legacy Object Reader roles/storage.legacyObjectReader Grants permission to view objects and their metadata, excluding ACLs.	storage.objects.get
Admin roles/cloudjobdiscovery.admin Access to Cloud Talent Solution Self-Service Tools.	cloudjobdiscovery.tools.* iam.serviceAccounts.list resourcemanager.projects.get resourcemanager.projects.list
Job Editor roles/cloudjobdiscovery.jobsEditor Write access to all job data in Cloud Talent Solution.	cloudjobdiscovery.companies.* cloudjobdiscovery.events.* cloudjobdiscovery.jobs.* cloudjobdiscovery.tenants.* resourcemanager.projects.get resourcemanager.projects.list
Job Viewer roles/cloudjobdiscovery.jobsViewer Read access to all job data in Cloud Talent Solution.	cloudjobdiscovery.companies.get cloudjobdiscovery.companies.list cloudjobdiscovery.jobs.get cloudjobdiscovery.jobs.search cloudjobdiscovery.tenants.get resourcemanager.projects.get resourcemanager.projects.list
Profile Editor roles/cloudjobdiscovery.profilesEditor Write access to all profile data in Cloud Talent Solution.	cloudjobdiscovery.events.* cloudjobdiscovery.profiles.* cloudjobdiscovery.tenants.* resourcemanager.projects.get resourcemanager.projects.list
Profile Viewer roles/cloudjobdiscovery.profilesViewer Read access to all profile data in Cloud Talent Solution.	cloudjobdiscovery.profiles.get cloudjobdiscovery.profiles.search cloudjobdiscovery.tenants.get resourcemanager.projects.get resourcemanager.projects.list
Cloud Tasks Admin roles/cloudtasks.admin Full access to queues and tasks.	cloudtasks.* monitoring.timeSeries.list resourcemanager.projects.get resourcemanager.projects.list
Cloud Tasks Enqueuer roles/cloudtasks.enqueuer Access to create tasks.	cloudtasks.tasks.create cloudtasks.tasks.fullView resourcemanager.projects.get resourcemanager.projects.list
Cloud Tasks Queue Admin roles/cloudtasks.queueAdmin Admin access to queues.	cloudtasks.locations.* cloudtasks.queues.* resourcemanager.projects.get resourcemanager.projects.list
Cloud Tasks Task Deleter roles/cloudtasks.taskDeleter Access to delete tasks.	cloudtasks.tasks.delete resourcemanager.projects.get resourcemanager.projects.list
Cloud Tasks Task Runner roles/cloudtasks.taskRunner Access to run tasks.	cloudtasks.tasks.fullView cloudtasks.tasks.run resourcemanager.projects.get resourcemanager.projects.list
Cloud Tasks Viewer roles/cloudtasks.viewer Get and list access to tasks, queues, and locations.	cloudtasks.locations.* cloudtasks.queues.get cloudtasks.queues.list cloudtasks.tasks.fullView cloudtasks.tasks.get cloudtasks.tasks.list monitoring.timeSeries.list resourcemanager.projects.get resourcemanager.projects.list
TPU Admin roles/tpu.admin Full access to TPU nodes and related resources.	resourcemanager.projects.get resourcemanager.projects.list tpu.*
TPU Viewer roles/tpu.viewer Read-only access to TPU nodes and related resources.	resourcemanager.projects.get resourcemanager.projects.list tpu.acceleratortypes.* tpu.locations.* tpu.nodes.get tpu.nodes.list tpu.operations.* tpu.tensorflowversions.*
TPU Shared VPC Agent roles/tpu.xpnAgent Can use shared VPC network (XPN) for the TPU VMs.	compute.addresses.use compute.firewalls.create compute.firewalls.delete compute.firewalls.get compute.firewalls.update compute.globalOperations.get compute.networks.get compute.networks.list compute.networks.updatePolicy compute.networks.use compute.networks.useExternalIp compute.routes.list compute.subnetworks.get compute.subnetworks.list compute.subnetworks.use compute.subnetworks.useExternalIp compute.zoneOperations.get
Cloud Trace Admin roles/cloudtrace.admin Provides full access to the Trace console and read-write access to traces.	cloudtrace.* resourcemanager.projects.get resourcemanager.projects.list
Cloud Trace Agent roles/cloudtrace.agent For service accounts. Provides ability to write traces by sending the data to Stackdriver Trace.	cloudtrace.traces.patch
Cloud Trace User roles/cloudtrace.user Provides full access to the Trace console and read access to traces.	cloudtrace.insights.* cloudtrace.stats.* cloudtrace.tasks.* cloudtrace.traces.get cloudtrace.traces.list resourcemanager.projects.get resourcemanager.projects.list
Cloud Translation API Admin roles/cloudtranslate.admin Full access to all Cloud Translation resources	automl.models.get automl.models.predict cloudtranslate.* resourcemanager.projects.get resourcemanager.projects.list
Cloud Translation API Editor roles/cloudtranslate.editor Editor of all Cloud Translation resources	automl.models.get automl.models.predict cloudtranslate.* resourcemanager.projects.get resourcemanager.projects.list
Cloud Translation API User roles/cloudtranslate.user User of Cloud Translation and AutoML models	automl.models.get automl.models.predict cloudtranslate.generalModels.* cloudtranslate.glossaries.batchDocPredict cloudtranslate.glossaries.batchPredict cloudtranslate.glossaries.docPredict cloudtranslate.glossaries.get cloudtranslate.glossaries.list cloudtranslate.glossaries.predict cloudtranslate.languageDetectionModels.* cloudtranslate.locations.* cloudtranslate.operations.get cloudtranslate.operations.list cloudtranslate.operations.wait resourcemanager.projects.get resourcemanager.projects.list
Cloud Translation API Viewer roles/cloudtranslate.viewer Viewer of all Translation resources	automl.models.get cloudtranslate.generalModels.get cloudtranslate.glossaries.get cloudtranslate.glossaries.list cloudtranslate.locations.* cloudtranslate.operations.get cloudtranslate.operations.list cloudtranslate.operations.wait resourcemanager.projects.get resourcemanager.projects.list
Compute Admin roles/compute.admin Full control of all Compute Engine resources. If the user will be managing virtual machine instances that are configured to run as a service account, you must also grant the roles/iam.serviceAccountUser role.	compute.* resourcemanager.projects.get resourcemanager.projects.list serviceusage.quotas.get serviceusage.services.get serviceusage.services.list
Compute Image User roles/compute.imageUser Permission to list and read images without having other permissions on the image. Granting this role at the project level gives users the ability to list all images in the project and create resources, such as instances and persistent disks, based on images in the project.	compute.images.get compute.images.getFromFamily compute.images.list compute.images.useReadOnly resourcemanager.projects.get resourcemanager.projects.list serviceusage.quotas.get serviceusage.services.get serviceusage.services.list
Compute Instance Admin (beta) roles/compute.instanceAdmin Permissions to create, modify, and delete virtual machine instances. This includes permissions to create, modify, and delete disks, and also to configure Shielded VM settings. If the user will be managing virtual machine instances that are configured to run as a service account, you must also grant the roles/iam.serviceAccountUser role. For example, if your company has someone who manages groups of virtual machine instances but does not manage network or security settings and does not manage instances that run as service accounts, you can grant this role on the organization, folder, or project that contains the instances, or you can grant it on individual instances.	compute.acceleratorTypes.* compute.addresses.createInternal compute.addresses.deleteInternal compute.addresses.get compute.addresses.list compute.addresses.use compute.addresses.useInternal compute.autoscalers.* compute.diskTypes.* compute.disks.create compute.disks.createSnapshot compute.disks.delete compute.disks.get compute.disks.list compute.disks.resize compute.disks.setLabels compute.disks.update compute.disks.use compute.disks.useReadOnly compute.globalAddresses.get compute.globalAddresses.list compute.globalAddresses.use compute.globalNetworkEndpointGroups.* compute.globalOperations.get compute.globalOperations.list compute.images.get compute.images.getFromFamily compute.images.list compute.images.useReadOnly compute.instanceGroupManagers.* compute.instanceGroups.* compute.instanceTemplates.* compute.instances.* compute.licenses.get compute.licenses.list compute.machineImages.* compute.machineTypes.* compute.networkEndpointGroups.* compute.networks.get compute.networks.list compute.networks.use compute.networks.useExternalIp compute.projects.get compute.regionNetworkEndpointGroups.* compute.regionOperations.get compute.regionOperations.list compute.regions.* compute.reservations.get compute.reservations.list compute.subnetworks.get compute.subnetworks.list compute.subnetworks.use compute.subnetworks.useExternalIp compute.targetPools.get compute.targetPools.list compute.zoneOperations.get compute.zoneOperations.list compute.zones.* resourcemanager.projects.get resourcemanager.projects.list serviceusage.quotas.get serviceusage.services.get serviceusage.services.list
Compute Instance Admin (v1) roles/compute.instanceAdmin.v1 Full control of Compute Engine instances, instance groups, disks, snapshots, and images. Read access to all Compute Engine networking resources. If you grant a user this role only at an instance level, then that user cannot create new instances.	compute.acceleratorTypes.* compute.addresses.createInternal compute.addresses.deleteInternal compute.addresses.get compute.addresses.list compute.addresses.use compute.addresses.useInternal compute.autoscalers.* compute.backendBuckets.get compute.backendBuckets.list compute.backendServices.get compute.backendServices.list compute.diskTypes.* compute.disks.* compute.externalVpnGateways.get compute.externalVpnGateways.list compute.firewalls.get compute.firewalls.list compute.forwardingRules.get compute.forwardingRules.list compute.globalAddresses.get compute.globalAddresses.list compute.globalAddresses.use compute.globalForwardingRules.get compute.globalForwardingRules.list compute.globalForwardingRules.pscGet compute.globalNetworkEndpointGroups.* compute.globalOperations.get compute.globalOperations.list compute.healthChecks.get compute.healthChecks.list compute.httpHealthChecks.get compute.httpHealthChecks.list compute.httpsHealthChecks.get compute.httpsHealthChecks.list compute.images.* compute.instanceGroupManagers.* compute.instanceGroups.* compute.instanceTemplates.* compute.instances.* compute.interconnectAttachments.get compute.interconnectAttachments.list compute.interconnectLocations.* compute.interconnects.get compute.interconnects.list compute.licenseCodes.* compute.licenses.* compute.machineImages.* compute.machineTypes.* compute.networkEndpointGroups.* compute.networks.get compute.networks.list compute.networks.use compute.networks.useExternalIp compute.projects.get compute.projects.setCommonInstanceMetadata compute.regionBackendServices.get compute.regionBackendServices.list compute.regionHealthCheckServices.get compute.regionHealthCheckServices.list compute.regionHealthChecks.get compute.regionHealthChecks.list compute.regionNetworkEndpointGroups.* compute.regionNotificationEndpoints.get compute.regionNotificationEndpoints.list compute.regionOperations.get compute.regionOperations.list compute.regionSslCertificates.get compute.regionSslCertificates.list compute.regionTargetHttpProxies.get compute.regionTargetHttpProxies.list compute.regionTargetHttpsProxies.get compute.regionTargetHttpsProxies.list compute.regionUrlMaps.get compute.regionUrlMaps.list compute.regions.* compute.reservations.get compute.reservations.list compute.resourcePolicies.* compute.routers.get compute.routers.list compute.routes.get compute.routes.list compute.serviceAttachments.get compute.serviceAttachments.list compute.snapshots.* compute.sslCertificates.get compute.sslCertificates.list compute.sslPolicies.get compute.sslPolicies.list compute.sslPolicies.listAvailableFeatures compute.subnetworks.get compute.subnetworks.list compute.subnetworks.use compute.subnetworks.useExternalIp compute.targetGrpcProxies.get compute.targetGrpcProxies.list compute.targetHttpProxies.get compute.targetHttpProxies.list compute.targetHttpsProxies.get compute.targetHttpsProxies.list compute.targetInstances.get compute.targetInstances.list compute.targetPools.get compute.targetPools.list compute.targetSslProxies.get compute.targetSslProxies.list compute.targetTcpProxies.get compute.targetTcpProxies.list compute.targetVpnGateways.get compute.targetVpnGateways.list compute.urlMaps.get compute.urlMaps.list compute.vpnGateways.get compute.vpnGateways.list compute.vpnTunnels.get compute.vpnTunnels.list compute.zoneOperations.get compute.zoneOperations.list compute.zones.* resourcemanager.projects.get resourcemanager.projects.list serviceusage.quotas.get serviceusage.services.get serviceusage.services.list
Compute Load Balancer Admin roles/compute.loadBalancerAdmin Permissions to create, modify, and delete load balancers and associate resources. For example, if your company has a load balancing team that manages load balancers, SSL certificates for load balancers, SSL policies, and other load balancing resources, and a separate networking team that manages the rest of the networking resources, then grant this role to the load balancing team's group.	certificatemanager.certmaps.get certificatemanager.certmaps.list certificatemanager.certmaps.use compute.addresses.* compute.backendBuckets.* compute.backendServices.* compute.disks.listTagBindings compute.forwardingRules.* compute.globalAddresses.* compute.globalForwardingRules.* compute.globalNetworkEndpointGroups.* compute.healthChecks.* compute.httpHealthChecks.* compute.httpsHealthChecks.* compute.images.listTagBindings compute.instanceGroups.* compute.instances.get compute.instances.list compute.instances.use compute.instances.useReadOnly compute.networkEndpointGroups.* compute.networks.get compute.networks.list compute.networks.use compute.projects.get compute.regionBackendServices.* compute.regionHealthCheckServices.* compute.regionHealthChecks.* compute.regionNetworkEndpointGroups.* compute.regionNotificationEndpoints.* compute.regionSslCertificates.* compute.regionTargetHttpProxies.* compute.regionTargetHttpsProxies.* compute.regionUrlMaps.* compute.securityPolicies.get compute.securityPolicies.list compute.securityPolicies.use compute.snapshots.listTagBindings compute.sslCertificates.* compute.sslPolicies.* compute.subnetworks.get compute.subnetworks.list compute.subnetworks.use compute.targetGrpcProxies.* compute.targetHttpProxies.* compute.targetHttpsProxies.* compute.targetInstances.* compute.targetPools.* compute.targetSslProxies.* compute.targetTcpProxies.* compute.urlMaps.* networksecurity.clientTlsPolicies.get networksecurity.clientTlsPolicies.list networksecurity.clientTlsPolicies.use networksecurity.serverTlsPolicies.get networksecurity.serverTlsPolicies.list networksecurity.serverTlsPolicies.use resourcemanager.projects.get resourcemanager.projects.list serviceusage.quotas.get serviceusage.services.get serviceusage.services.list
Compute Load Balancer Services User roles/compute.loadBalancerServiceUser Permissions to use services from a load balancer in other projects.	compute.backendServices.get compute.backendServices.list compute.backendServices.use compute.projects.get compute.regionBackendServices.get compute.regionBackendServices.list compute.regionBackendServices.use resourcemanager.projects.get resourcemanager.projects.list serviceusage.quotas.get serviceusage.services.get serviceusage.services.list
Compute Network Admin roles/compute.networkAdmin Permissions to create, modify, and delete networking resources, except for firewall rules and SSL certificates. The network admin role allows read-only access to firewall rules, SSL certificates, and instances (to view their ephemeral IP addresses). The network admin role does not allow a user to create, start, stop, or delete instances. For example, if your company has a security team that manages firewalls and SSL certificates and a networking team that manages the rest of the networking resources, then grant this role to the networking team's group. Or, if you have a combined team that manages both security and networking, then grant this role as well as the roles/compute.securityAdmin role to the combined team's group.	compute.acceleratorTypes.* compute.addresses.* compute.autoscalers.get compute.autoscalers.list compute.backendBuckets.* compute.backendServices.* compute.disks.listTagBindings compute.externalVpnGateways.* compute.firewallPolicies.get compute.firewallPolicies.list compute.firewallPolicies.use compute.firewalls.get compute.firewalls.list compute.forwardingRules.* compute.globalAddresses.* compute.globalForwardingRules.* compute.globalNetworkEndpointGroups.get compute.globalNetworkEndpointGroups.list compute.globalNetworkEndpointGroups.use compute.globalOperations.get compute.globalOperations.list compute.globalPublicDelegatedPrefixes.delete compute.globalPublicDelegatedPrefixes.get compute.globalPublicDelegatedPrefixes.list compute.globalPublicDelegatedPrefixes.update compute.globalPublicDelegatedPrefixes.updatePolicy compute.healthChecks.* compute.httpHealthChecks.* compute.httpsHealthChecks.* compute.images.listTagBindings compute.instanceGroupManagers.get compute.instanceGroupManagers.list compute.instanceGroupManagers.update compute.instanceGroupManagers.use compute.instanceGroups.get compute.instanceGroups.list compute.instanceGroups.update compute.instanceGroups.use compute.instances.get compute.instances.getGuestAttributes compute.instances.getScreenshot compute.instances.getSerialPortOutput compute.instances.list compute.instances.listReferrers compute.instances.updateSecurity compute.instances.use compute.instances.useReadOnly compute.interconnectAttachments.* compute.interconnectLocations.* compute.interconnects.* compute.machineTypes.* compute.networkEndpointGroups.get compute.networkEndpointGroups.list compute.networkEndpointGroups.use compute.networks.* compute.packetMirrorings.get compute.packetMirrorings.list compute.projects.get compute.publicDelegatedPrefixes.delete compute.publicDelegatedPrefixes.get compute.publicDelegatedPrefixes.list compute.publicDelegatedPrefixes.update compute.publicDelegatedPrefixes.updatePolicy compute.regionBackendServices.* compute.regionFirewallPolicies.get compute.regionFirewallPolicies.list compute.regionFirewallPolicies.use compute.regionHealthCheckServices.* compute.regionHealthChecks.* compute.regionNetworkEndpointGroups.get compute.regionNetworkEndpointGroups.list compute.regionNetworkEndpointGroups.use compute.regionNotificationEndpoints.* compute.regionOperations.get compute.regionOperations.list compute.regionSslCertificates.get compute.regionSslCertificates.list compute.regionTargetHttpProxies.* compute.regionTargetHttpsProxies.* compute.regionUrlMaps.* compute.regions.* compute.routers.* compute.routes.* compute.securityPolicies.get compute.securityPolicies.list compute.securityPolicies.use compute.serviceAttachments.* compute.snapshots.listTagBindings compute.sslCertificates.get compute.sslCertificates.list compute.sslPolicies.* compute.subnetworks.* compute.targetGrpcProxies.* compute.targetHttpProxies.* compute.targetHttpsProxies.* compute.targetInstances.* compute.targetPools.* compute.targetSslProxies.* compute.targetTcpProxies.* compute.targetVpnGateways.* compute.urlMaps.* compute.vpnGateways.* compute.vpnTunnels.* compute.zoneOperations.get compute.zoneOperations.list compute.zones.* networkconnectivity.locations.* networkconnectivity.operations.* networksecurity.* networkservices.* resourcemanager.projects.get resourcemanager.projects.list servicedirectory.namespaces.create servicedirectory.namespaces.delete servicedirectory.services.create servicedirectory.services.delete servicenetworking.operations.get servicenetworking.services.addPeering servicenetworking.services.get serviceusage.quotas.get serviceusage.services.get serviceusage.services.list trafficdirector.*
Compute Network User roles/compute.networkUser Provides access to a shared VPC network Once granted, service owners can use VPC networks and subnets that belong to the host project. For example, a network user can create a VM instance that belongs to a host project network but they cannot delete or create new networks in the host project.	compute.addresses.createInternal compute.addresses.deleteInternal compute.addresses.get compute.addresses.list compute.addresses.useInternal compute.externalVpnGateways.get compute.externalVpnGateways.list compute.externalVpnGateways.use compute.firewalls.get compute.firewalls.list compute.interconnectAttachments.get compute.interconnectAttachments.list compute.interconnectLocations.* compute.interconnects.get compute.interconnects.list compute.interconnects.use compute.networks.access compute.networks.get compute.networks.getEffectiveFirewalls compute.networks.getRegionEffectiveFirewalls compute.networks.list compute.networks.listPeeringRoutes compute.networks.use compute.networks.useExternalIp compute.projects.get compute.regions.* compute.routers.get compute.routers.list compute.routes.get compute.routes.list compute.serviceAttachments.get compute.serviceAttachments.list compute.subnetworks.get compute.subnetworks.list compute.subnetworks.use compute.subnetworks.useExternalIp compute.targetVpnGateways.get compute.targetVpnGateways.list compute.vpnGateways.get compute.vpnGateways.list compute.vpnGateways.use compute.vpnTunnels.get compute.vpnTunnels.list compute.zones.* networkconnectivity.locations.* networkconnectivity.operations.get networkconnectivity.operations.list networksecurity.authorizationPolicies.get networksecurity.authorizationPolicies.list networksecurity.authorizationPolicies.use networksecurity.clientTlsPolicies.get networksecurity.clientTlsPolicies.list networksecurity.clientTlsPolicies.use networksecurity.locations.* networksecurity.operations.get networksecurity.operations.list networksecurity.serverTlsPolicies.get networksecurity.serverTlsPolicies.list networksecurity.serverTlsPolicies.use networkservices.endpointConfigSelectors.get networkservices.endpointConfigSelectors.list networkservices.endpointConfigSelectors.use networkservices.endpointPolicies.get networkservices.endpointPolicies.list networkservices.endpointPolicies.use networkservices.gateways.get networkservices.gateways.list networkservices.gateways.use networkservices.grpcRoutes.get networkservices.grpcRoutes.list networkservices.grpcRoutes.use networkservices.httpFilters.get networkservices.httpFilters.list networkservices.httpFilters.use networkservices.httpRoutes.get networkservices.httpRoutes.list networkservices.httpRoutes.use networkservices.httpfilters.get networkservices.httpfilters.list networkservices.httpfilters.use networkservices.locations.* networkservices.meshes.get networkservices.meshes.list networkservices.meshes.use networkservices.operations.get networkservices.operations.list networkservices.serviceBindings.get networkservices.serviceBindings.list networkservices.tcpRoutes.get networkservices.tcpRoutes.list networkservices.tcpRoutes.use resourcemanager.projects.get resourcemanager.projects.list servicenetworking.services.get serviceusage.quotas.get serviceusage.services.get serviceusage.services.list
Compute Network Viewer roles/compute.networkViewer Read-only access to all networking resources For example, if you have software that inspects your network configuration, you could grant this role to that software's service account.	compute.acceleratorTypes.* compute.addresses.get compute.addresses.list compute.autoscalers.get compute.autoscalers.list compute.backendBuckets.get compute.backendBuckets.list compute.backendServices.get compute.backendServices.list compute.disks.listTagBindings compute.externalVpnGateways.get compute.externalVpnGateways.list compute.firewalls.get compute.firewalls.list compute.forwardingRules.get compute.forwardingRules.list compute.globalAddresses.get compute.globalAddresses.list compute.globalForwardingRules.get compute.globalForwardingRules.list compute.globalForwardingRules.pscGet compute.healthChecks.get compute.healthChecks.list compute.httpHealthChecks.get compute.httpHealthChecks.list compute.httpsHealthChecks.get compute.httpsHealthChecks.list compute.images.listTagBindings compute.instanceGroupManagers.get compute.instanceGroupManagers.list compute.instanceGroups.get compute.instanceGroups.list compute.instances.get compute.instances.getGuestAttributes compute.instances.getScreenshot compute.instances.getSerialPortOutput compute.instances.list compute.instances.listReferrers compute.interconnectAttachments.get compute.interconnectAttachments.list compute.interconnectLocations.* compute.interconnects.get compute.interconnects.list compute.machineTypes.* compute.networks.get compute.networks.getEffectiveFirewalls compute.networks.getRegionEffectiveFirewalls compute.networks.list compute.networks.listPeeringRoutes compute.packetMirrorings.get compute.packetMirrorings.list compute.projects.get compute.regionBackendServices.get compute.regionBackendServices.list compute.regionHealthCheckServices.get compute.regionHealthCheckServices.list compute.regionHealthChecks.get compute.regionHealthChecks.list compute.regionNotificationEndpoints.get compute.regionNotificationEndpoints.list compute.regionSslCertificates.get compute.regionSslCertificates.list compute.regionTargetHttpProxies.get compute.regionTargetHttpProxies.list compute.regionTargetHttpsProxies.get compute.regionTargetHttpsProxies.list compute.regionUrlMaps.get compute.regionUrlMaps.list compute.regions.* compute.routers.get compute.routers.list compute.routes.get compute.routes.list compute.serviceAttachments.get compute.serviceAttachments.list compute.snapshots.listTagBindings compute.sslCertificates.get compute.sslCertificates.list compute.sslPolicies.get compute.sslPolicies.list compute.sslPolicies.listAvailableFeatures compute.subnetworks.get compute.subnetworks.list compute.targetGrpcProxies.get compute.targetGrpcProxies.list compute.targetHttpProxies.get compute.targetHttpProxies.list compute.targetHttpsProxies.get compute.targetHttpsProxies.list compute.targetInstances.get compute.targetInstances.list compute.targetPools.get compute.targetPools.list compute.targetSslProxies.get compute.targetSslProxies.list compute.targetTcpProxies.get compute.targetTcpProxies.list compute.targetVpnGateways.get compute.targetVpnGateways.list compute.urlMaps.get compute.urlMaps.list compute.vpnGateways.get compute.vpnGateways.list compute.vpnTunnels.get compute.vpnTunnels.list compute.zones.* networkconnectivity.locations.* networkconnectivity.operations.get networkconnectivity.operations.list networksecurity.authorizationPolicies.get networksecurity.authorizationPolicies.list networksecurity.clientTlsPolicies.get networksecurity.clientTlsPolicies.list networksecurity.locations.* networksecurity.operations.get networksecurity.operations.list networksecurity.serverTlsPolicies.get networksecurity.serverTlsPolicies.list networkservices.endpointConfigSelectors.get networkservices.endpointConfigSelectors.list networkservices.endpointPolicies.get networkservices.endpointPolicies.list networkservices.gateways.get networkservices.gateways.list networkservices.grpcRoutes.get networkservices.grpcRoutes.list networkservices.httpFilters.get networkservices.httpFilters.list networkservices.httpRoutes.get networkservices.httpRoutes.list networkservices.httpfilters.get networkservices.httpfilters.list networkservices.locations.* networkservices.meshes.get networkservices.meshes.list networkservices.operations.get networkservices.operations.list networkservices.serviceBindings.get networkservices.serviceBindings.list networkservices.tcpRoutes.get networkservices.tcpRoutes.list resourcemanager.projects.get resourcemanager.projects.list servicenetworking.services.get serviceusage.quotas.get serviceusage.services.get serviceusage.services.list trafficdirector.*
Compute Organization Firewall Policy Admin roles/compute.orgFirewallPolicyAdmin Full control of Compute Engine Organization Firewall Policies.	compute.firewallPolicies.cloneRules compute.firewallPolicies.create compute.firewallPolicies.delete compute.firewallPolicies.get compute.firewallPolicies.getIamPolicy compute.firewallPolicies.list compute.firewallPolicies.move compute.firewallPolicies.setIamPolicy compute.firewallPolicies.update compute.firewallPolicies.use compute.globalOperations.get compute.globalOperations.getIamPolicy compute.globalOperations.list compute.globalOperations.setIamPolicy compute.projects.get compute.regionFirewallPolicies.* compute.regionOperations.get compute.regionOperations.getIamPolicy compute.regionOperations.list compute.regionOperations.setIamPolicy resourcemanager.projects.get resourcemanager.projects.list serviceusage.quotas.get serviceusage.services.get serviceusage.services.list
Compute Organization Firewall Policy User roles/compute.orgFirewallPolicyUser View or use Compute Engine Firewall Policies to associate with the organization or folders.	compute.firewallPolicies.get compute.firewallPolicies.list compute.firewallPolicies.use compute.globalOperations.get compute.globalOperations.getIamPolicy compute.globalOperations.list compute.projects.get compute.regionFirewallPolicies.get compute.regionFirewallPolicies.list compute.regionFirewallPolicies.use compute.regionOperations.get compute.regionOperations.getIamPolicy compute.regionOperations.list resourcemanager.projects.get resourcemanager.projects.list serviceusage.quotas.get serviceusage.services.get serviceusage.services.list
Compute Organization Security Policy Admin roles/compute.orgSecurityPolicyAdmin Full control of Compute Engine Organization Security Policies.	compute.firewallPolicies.* compute.globalOperations.get compute.globalOperations.getIamPolicy compute.globalOperations.list compute.globalOperations.setIamPolicy compute.projects.get compute.securityPolicies.* resourcemanager.projects.get resourcemanager.projects.list serviceusage.quotas.get serviceusage.services.get serviceusage.services.list
Compute Organization Security Policy User roles/compute.orgSecurityPolicyUser View or use Compute Engine Security Policies to associate with the organization or folders.	compute.firewallPolicies.addAssociation compute.firewallPolicies.get compute.firewallPolicies.list compute.firewallPolicies.removeAssociation compute.firewallPolicies.use compute.globalOperations.get compute.globalOperations.getIamPolicy compute.globalOperations.list compute.globalOperations.setIamPolicy compute.projects.get compute.securityPolicies.addAssociation compute.securityPolicies.get compute.securityPolicies.list compute.securityPolicies.removeAssociation compute.securityPolicies.use resourcemanager.projects.get resourcemanager.projects.list serviceusage.quotas.get serviceusage.services.get serviceusage.services.list
Compute Organization Resource Admin roles/compute.orgSecurityResourceAdmin Full control of Compute Engine Firewall Policy associations to the organization or folders.	compute.globalOperations.get compute.globalOperations.getIamPolicy compute.globalOperations.list compute.globalOperations.setIamPolicy compute.organizations.listAssociations compute.organizations.setFirewallPolicy compute.organizations.setSecurityPolicy compute.projects.get resourcemanager.projects.get resourcemanager.projects.list serviceusage.quotas.get serviceusage.services.get serviceusage.services.list
Compute OS Admin Login roles/compute.osAdminLogin Access to log in to a Compute Engine instance as an administrator user.	compute.disks.listTagBindings compute.images.listTagBindings compute.instances.get compute.instances.list compute.instances.osAdminLogin compute.instances.osLogin compute.projects.get compute.snapshots.listTagBindings resourcemanager.projects.get resourcemanager.projects.list serviceusage.quotas.get serviceusage.services.get serviceusage.services.list
Compute OS Login roles/compute.osLogin Access to log in to a Compute Engine instance as a standard user.	compute.disks.listTagBindings compute.images.listTagBindings compute.instances.get compute.instances.list compute.instances.osLogin compute.projects.get compute.snapshots.listTagBindings resourcemanager.projects.get resourcemanager.projects.list serviceusage.quotas.get serviceusage.services.get serviceusage.services.list
Compute OS Login External User roles/compute.osLoginExternalUser Available only at the organization level. Access for an external user to set OS Login information associated with this organization. This role does not grant access to instances. External users must be granted one of the required OS Login roles in order to allow access to instances using SSH.	compute.oslogin.*
Compute packet mirroring admin roles/compute.packetMirroringAdmin Specify resources to be mirrored.	compute.instances.updateSecurity compute.networks.mirror compute.projects.get compute.subnetworks.mirror resourcemanager.projects.get resourcemanager.projects.list serviceusage.quotas.get serviceusage.services.get serviceusage.services.list
Compute packet mirroring user roles/compute.packetMirroringUser Use Compute Engine packet mirrorings.	compute.packetMirrorings.* compute.projects.get resourcemanager.projects.get resourcemanager.projects.list serviceusage.quotas.get serviceusage.services.get serviceusage.services.list
Compute Public IP Admin roles/compute.publicIpAdmin Full control of public IP address management for Compute Engine.	compute.addresses.* compute.globalAddresses.* compute.globalPublicDelegatedPrefixes.* compute.publicAdvertisedPrefixes.* compute.publicDelegatedPrefixes.* resourcemanager.projects.get resourcemanager.projects.list
Compute Security Admin roles/compute.securityAdmin Permissions to create, modify, and delete firewall rules and SSL certificates, and also to configure Shielded VM settings. For example, if your company has a security team that manages firewalls and SSL certificates and a networking team that manages the rest of the networking resources, then grant this role to the security team's group.	compute.firewallPolicies.* compute.firewalls.* compute.globalOperations.get compute.globalOperations.list compute.instances.getEffectiveFirewalls compute.instances.setShieldedInstanceIntegrityPolicy compute.instances.setShieldedVmIntegrityPolicy compute.instances.updateSecurity compute.instances.updateShieldedInstanceConfig compute.instances.updateShieldedVmConfig compute.networks.get compute.networks.getEffectiveFirewalls compute.networks.getRegionEffectiveFirewalls compute.networks.list compute.networks.updatePolicy compute.packetMirrorings.* compute.projects.get compute.regionFirewallPolicies.* compute.regionOperations.get compute.regionOperations.list compute.regionSslCertificates.* compute.regions.* compute.routes.get compute.routes.list compute.securityPolicies.* compute.sslCertificates.* compute.sslPolicies.* compute.subnetworks.get compute.subnetworks.list compute.zoneOperations.get compute.zoneOperations.list compute.zones.* resourcemanager.projects.get resourcemanager.projects.list serviceusage.quotas.get serviceusage.services.get serviceusage.services.list
Compute Sole Tenant Viewer roles/compute.soleTenantViewer Permissions to view sole tenancy node groups	compute.nodeGroups.get compute.nodeGroups.getIamPolicy compute.nodeGroups.list compute.nodeTemplates.get compute.nodeTemplates.getIamPolicy compute.nodeTemplates.list compute.nodeTypes.*
Compute Storage Admin roles/compute.storageAdmin Permissions to create, modify, and delete disks, images, and snapshots. For example, if your company has someone who manages project images and you don't want them to have the editor role on the project, then grant this role to their account on the project.	compute.diskTypes.* compute.disks.* compute.globalOperations.get compute.globalOperations.list compute.images.* compute.licenseCodes.* compute.licenses.* compute.projects.get compute.regionOperations.get compute.regionOperations.list compute.regions.* compute.resourcePolicies.* compute.snapshots.* compute.zoneOperations.get compute.zoneOperations.list compute.zones.* resourcemanager.projects.get resourcemanager.projects.list serviceusage.quotas.get serviceusage.services.get serviceusage.services.list
Compute Viewer roles/compute.viewer Read-only access to get and list Compute Engine resources, without being able to read the data stored on them. For example, an account with this role could inventory all of the disks in a project, but it could not read any of the data on those disks.	compute.acceleratorTypes.* compute.addresses.get compute.addresses.list compute.autoscalers.get compute.autoscalers.list compute.backendBuckets.get compute.backendBuckets.list compute.backendServices.get compute.backendServices.getIamPolicy compute.backendServices.list compute.commitments.get compute.commitments.list compute.diskTypes.* compute.disks.get compute.disks.getIamPolicy compute.disks.list compute.disks.listTagBindings compute.externalVpnGateways.get compute.externalVpnGateways.list compute.firewallPolicies.get compute.firewallPolicies.getIamPolicy compute.firewallPolicies.list compute.firewalls.get compute.firewalls.list compute.forwardingRules.get compute.forwardingRules.list compute.globalAddresses.get compute.globalAddresses.list compute.globalForwardingRules.get compute.globalForwardingRules.list compute.globalForwardingRules.pscGet compute.globalNetworkEndpointGroups.get compute.globalNetworkEndpointGroups.list compute.globalOperations.get compute.globalOperations.getIamPolicy compute.globalOperations.list compute.globalPublicDelegatedPrefixes.get compute.globalPublicDelegatedPrefixes.list compute.healthChecks.get compute.healthChecks.list compute.httpHealthChecks.get compute.httpHealthChecks.list compute.httpsHealthChecks.get compute.httpsHealthChecks.list compute.images.get compute.images.getFromFamily compute.images.getIamPolicy compute.images.list compute.images.listTagBindings compute.instanceGroupManagers.get compute.instanceGroupManagers.list compute.instanceGroups.get compute.instanceGroups.list compute.instanceTemplates.get compute.instanceTemplates.getIamPolicy compute.instanceTemplates.list compute.instances.get compute.instances.getEffectiveFirewalls compute.instances.getGuestAttributes compute.instances.getIamPolicy compute.instances.getScreenshot compute.instances.getSerialPortOutput compute.instances.getShieldedInstanceIdentity compute.instances.getShieldedVmIdentity compute.instances.list compute.instances.listReferrers compute.interconnectAttachments.get compute.interconnectAttachments.list compute.interconnectLocations.* compute.interconnects.get compute.interconnects.list compute.licenseCodes.get compute.licenseCodes.getIamPolicy compute.licenseCodes.list compute.licenses.get compute.licenses.getIamPolicy compute.licenses.list compute.machineImages.get compute.machineImages.getIamPolicy compute.machineImages.list compute.machineTypes.* compute.maintenancePolicies.get compute.maintenancePolicies.getIamPolicy compute.maintenancePolicies.list compute.networkEndpointGroups.get compute.networkEndpointGroups.getIamPolicy compute.networkEndpointGroups.list compute.networks.get compute.networks.getEffectiveFirewalls compute.networks.getRegionEffectiveFirewalls compute.networks.list compute.networks.listPeeringRoutes compute.nodeGroups.get compute.nodeGroups.getIamPolicy compute.nodeGroups.list compute.nodeTemplates.get compute.nodeTemplates.getIamPolicy compute.nodeTemplates.list compute.nodeTypes.* compute.organizations.listAssociations compute.packetMirrorings.get compute.packetMirrorings.list compute.projects.get compute.publicAdvertisedPrefixes.get compute.publicAdvertisedPrefixes.list compute.publicDelegatedPrefixes.get compute.publicDelegatedPrefixes.list compute.regionBackendServices.get compute.regionBackendServices.getIamPolicy compute.regionBackendServices.list compute.regionFirewallPolicies.get compute.regionFirewallPolicies.getIamPolicy compute.regionFirewallPolicies.list compute.regionHealthCheckServices.get compute.regionHealthCheckServices.list compute.regionHealthChecks.get compute.regionHealthChecks.list compute.regionNetworkEndpointGroups.get compute.regionNetworkEndpointGroups.list compute.regionNotificationEndpoints.get compute.regionNotificationEndpoints.list compute.regionOperations.get compute.regionOperations.getIamPolicy compute.regionOperations.list compute.regionSslCertificates.get compute.regionSslCertificates.list compute.regionTargetHttpProxies.get compute.regionTargetHttpProxies.list compute.regionTargetHttpsProxies.get compute.regionTargetHttpsProxies.list compute.regionUrlMaps.get compute.regionUrlMaps.list compute.regionUrlMaps.validate compute.regions.* compute.reservations.get compute.reservations.list compute.resourcePolicies.get compute.resourcePolicies.list compute.routers.get compute.routers.list compute.routes.get compute.routes.list compute.securityPolicies.get compute.securityPolicies.getIamPolicy compute.securityPolicies.list compute.serviceAttachments.get compute.serviceAttachments.list compute.snapshots.get compute.snapshots.getIamPolicy compute.snapshots.list compute.snapshots.listTagBindings compute.sslCertificates.get compute.sslCertificates.list compute.sslPolicies.get compute.sslPolicies.list compute.sslPolicies.listAvailableFeatures compute.subnetworks.get compute.subnetworks.getIamPolicy compute.subnetworks.list compute.targetGrpcProxies.get compute.targetGrpcProxies.list compute.targetHttpProxies.get compute.targetHttpProxies.list compute.targetHttpsProxies.get compute.targetHttpsProxies.list compute.targetInstances.get compute.targetInstances.list compute.targetPools.get compute.targetPools.list compute.targetSslProxies.get compute.targetSslProxies.list compute.targetTcpProxies.get compute.targetTcpProxies.list compute.targetVpnGateways.get compute.targetVpnGateways.list compute.urlMaps.get compute.urlMaps.list compute.urlMaps.validate compute.vpnGateways.get compute.vpnGateways.list compute.vpnTunnels.get compute.vpnTunnels.list compute.zoneOperations.get compute.zoneOperations.getIamPolicy compute.zoneOperations.list compute.zones.* resourcemanager.projects.get resourcemanager.projects.list serviceusage.quotas.get serviceusage.services.get serviceusage.services.list
Compute Shared VPC Admin roles/compute.xpnAdmin Permissions to administer shared VPC host projects, specifically enabling the host projects and associating shared VPC service projects to the host project's network. At the organization level, this role can only be granted by an organization admin. Google Cloud recommends that the Shared VPC Admin be the owner of the shared VPC host project. The Shared VPC Admin is responsible for granting the Compute Network User role (roles/compute.networkUser) to service owners, and the shared VPC host project owner controls the project itself. Managing the project is easier if a single principal (individual or group) can fulfill both roles.	compute.globalOperations.get compute.globalOperations.list compute.organizations.administerXpn compute.organizations.disableXpnHost compute.organizations.disableXpnResource compute.organizations.enableXpnHost compute.organizations.enableXpnResource compute.projects.get compute.subnetworks.getIamPolicy compute.subnetworks.setIamPolicy resourcemanager.organizations.get resourcemanager.projects.get resourcemanager.projects.getIamPolicy resourcemanager.projects.list
GuestPolicy Admin roles/osconfig.guestPolicyAdmin Full admin access to GuestPolicies	osconfig.guestPolicies.* resourcemanager.projects.get resourcemanager.projects.list
GuestPolicy Editor roles/osconfig.guestPolicyEditor Editor of GuestPolicy resources	osconfig.guestPolicies.get osconfig.guestPolicies.list osconfig.guestPolicies.update resourcemanager.projects.get resourcemanager.projects.list
GuestPolicy Viewer roles/osconfig.guestPolicyViewer Viewer of GuestPolicy resources	osconfig.guestPolicies.get osconfig.guestPolicies.list resourcemanager.projects.get resourcemanager.projects.list
InstanceOSPoliciesCompliance Viewer roles/osconfig.instanceOSPoliciesComplianceViewer Viewer of OS Policies Compliance of VM instances	osconfig.instanceOSPoliciesCompliances.* resourcemanager.projects.get resourcemanager.projects.list
OS Inventory Viewer roles/osconfig.inventoryViewer Viewer of OS Inventories	osconfig.inventories.* resourcemanager.projects.get resourcemanager.projects.list
OSPolicyAssignment Admin roles/osconfig.osPolicyAssignmentAdmin Full admin access to OS Policy Assignments	osconfig.osPolicyAssignments.* resourcemanager.projects.get resourcemanager.projects.list
OSPolicyAssignment Editor roles/osconfig.osPolicyAssignmentEditor Editor of OS Policy Assignments	osconfig.osPolicyAssignments.get osconfig.osPolicyAssignments.list osconfig.osPolicyAssignments.update resourcemanager.projects.get resourcemanager.projects.list
OSPolicyAssignmentReport Viewer roles/osconfig.osPolicyAssignmentReportViewer Viewer of OS policy assignment reports for VM instances	osconfig.osPolicyAssignmentReports.* resourcemanager.projects.get resourcemanager.projects.list
OSPolicyAssignment Viewer roles/osconfig.osPolicyAssignmentViewer Viewer of OS Policy Assignments	osconfig.osPolicyAssignments.get osconfig.osPolicyAssignments.list resourcemanager.projects.get resourcemanager.projects.list
PatchDeployment Admin roles/osconfig.patchDeploymentAdmin Full admin access to PatchDeployments	osconfig.patchDeployments.* resourcemanager.projects.get resourcemanager.projects.list
PatchDeployment Viewer roles/osconfig.patchDeploymentViewer Viewer of PatchDeployment resources	osconfig.patchDeployments.get osconfig.patchDeployments.list resourcemanager.projects.get resourcemanager.projects.list
Patch Job Executor roles/osconfig.patchJobExecutor Access to execute Patch Jobs.	osconfig.patchJobs.* resourcemanager.projects.get resourcemanager.projects.list
Patch Job Viewer roles/osconfig.patchJobViewer Get and list Patch Jobs.	osconfig.patchJobs.get osconfig.patchJobs.list resourcemanager.projects.get resourcemanager.projects.list
OS VulnerabilityReport Viewer roles/osconfig.vulnerabilityReportViewer Viewer of OS VulnerabilityReports	osconfig.vulnerabilityReports.* resourcemanager.projects.get resourcemanager.projects.list
Container Analysis Admin roles/containeranalysis.admin Access to all Container Analysis resources.	containeranalysis.notes.attachOccurrence containeranalysis.notes.create containeranalysis.notes.delete containeranalysis.notes.get containeranalysis.notes.getIamPolicy containeranalysis.notes.list containeranalysis.notes.setIamPolicy containeranalysis.notes.update containeranalysis.occurrences.* resourcemanager.projects.get resourcemanager.projects.list
Container Analysis Notes Attacher roles/containeranalysis.notes.attacher Can attach Container Analysis Occurrences to Notes.	containeranalysis.notes.attachOccurrence containeranalysis.notes.get
Container Analysis Notes Editor roles/containeranalysis.notes.editor Can edit Container Analysis Notes.	containeranalysis.notes.attachOccurrence containeranalysis.notes.create containeranalysis.notes.delete containeranalysis.notes.get containeranalysis.notes.list containeranalysis.notes.update resourcemanager.projects.get resourcemanager.projects.list
Container Analysis Occurrences for Notes Viewer roles/containeranalysis.notes.occurrences.viewer Can view all Container Analysis Occurrences attached to a Note.	containeranalysis.notes.get containeranalysis.notes.listOccurrences
Container Analysis Notes Viewer roles/containeranalysis.notes.viewer Can view Container Analysis Notes.	containeranalysis.notes.get containeranalysis.notes.list resourcemanager.projects.get resourcemanager.projects.list
Container Analysis Occurrences Editor roles/containeranalysis.occurrences.editor Can edit Container Analysis Occurrences.	containeranalysis.occurrences.create containeranalysis.occurrences.delete containeranalysis.occurrences.get containeranalysis.occurrences.list containeranalysis.occurrences.update resourcemanager.projects.get resourcemanager.projects.list
Container Analysis Occurrences Viewer roles/containeranalysis.occurrences.viewer Can view Container Analysis Occurrences.	containeranalysis.occurrences.get containeranalysis.occurrences.list resourcemanager.projects.get resourcemanager.projects.list
Data Catalog Admin roles/datacatalog.admin Full access to all DataCatalog resources	bigquery.connections.get bigquery.connections.updateTag bigquery.datasets.get bigquery.datasets.updateTag bigquery.models.getMetadata bigquery.models.updateTag bigquery.routines.get bigquery.routines.updateTag bigquery.tables.get bigquery.tables.updateTag datacatalog.categories.getIamPolicy datacatalog.categories.setIamPolicy datacatalog.entries.* datacatalog.entryGroups.* datacatalog.tagTemplates.* datacatalog.taxonomies.* pubsub.topics.get pubsub.topics.updateTag resourcemanager.projects.get resourcemanager.projects.list
Policy Tag Admin roles/datacatalog.categoryAdmin Manage taxonomies	datacatalog.categories.getIamPolicy datacatalog.categories.setIamPolicy datacatalog.taxonomies.* resourcemanager.projects.get resourcemanager.projects.list
Fine-Grained Reader roles/datacatalog.categoryFineGrainedReader Read access to sub-resources tagged by a policy tag, for example, BigQuery columns	datacatalog.categories.fineGrainedGet
DataCatalog EntryGroup Creator roles/datacatalog.entryGroupCreator Can create new entryGroups	datacatalog.entryGroups.create datacatalog.entryGroups.get datacatalog.entryGroups.list resourcemanager.projects.get resourcemanager.projects.list
DataCatalog entryGroup Owner roles/datacatalog.entryGroupOwner Full access to entryGroups	datacatalog.entries.* datacatalog.entryGroups.* resourcemanager.projects.get resourcemanager.projects.list
DataCatalog entry Owner roles/datacatalog.entryOwner Full access to entries	datacatalog.entries.* datacatalog.entryGroups.get resourcemanager.projects.get resourcemanager.projects.list
DataCatalog Entry Viewer roles/datacatalog.entryViewer Read access to entries	datacatalog.entries.get datacatalog.entries.list datacatalog.entryGroups.get resourcemanager.projects.get resourcemanager.projects.list
Data Catalog Tag Editor roles/datacatalog.tagEditor Provides access to modify tags on Google Cloud assets for BigQuery and Pub/Sub	bigquery.connections.updateTag bigquery.datasets.updateTag bigquery.models.updateTag bigquery.routines.updateTag bigquery.tables.updateTag datacatalog.entries.updateTag pubsub.topics.updateTag
Data Catalog TagTemplate Creator roles/datacatalog.tagTemplateCreator Access to create new tag templates	datacatalog.tagTemplates.create datacatalog.tagTemplates.get
Data Catalog TagTemplate Owner roles/datacatalog.tagTemplateOwner Full access to tag templates	datacatalog.tagTemplates.* resourcemanager.projects.get resourcemanager.projects.list
Data Catalog TagTemplate User roles/datacatalog.tagTemplateUser Access to use templates to tag resources	datacatalog.tagTemplates.get datacatalog.tagTemplates.getTag datacatalog.tagTemplates.use resourcemanager.projects.get resourcemanager.projects.list
Data Catalog TagTemplate Viewer roles/datacatalog.tagTemplateViewer Read access to templates and tags created using the templates	datacatalog.tagTemplates.get datacatalog.tagTemplates.getTag resourcemanager.projects.get resourcemanager.projects.list
Data Catalog Viewer roles/datacatalog.viewer Provides metadata read access to catalogued Google Cloud assets for BigQuery and Pub/Sub	bigquery.connections.get bigquery.datasets.get bigquery.models.getMetadata bigquery.routines.get bigquery.tables.get datacatalog.entries.get datacatalog.entries.list datacatalog.entryGroups.get datacatalog.entryGroups.list datacatalog.tagTemplates.get datacatalog.tagTemplates.getTag datacatalog.taxonomies.get datacatalog.taxonomies.list pubsub.topics.get resourcemanager.projects.get resourcemanager.projects.list
Connector Admin roles/dataconnectors.connectorAdmin Full access to Data Connectors.	dataconnectors.* resourcemanager.projects.get resourcemanager.projects.list
Connector User roles/dataconnectors.connectorUser Access to use Data Connectors.	dataconnectors.connectors.get dataconnectors.connectors.getIamPolicy dataconnectors.connectors.list dataconnectors.connectors.use
Database Migration Admin roles/datamigration.admin Full access to all resources of Database Migration.	datamigration.* resourcemanager.projects.get resourcemanager.projects.list
Data pipelines Admin roles/datapipelines.admin Administrator of Data pipelines resources	datapipelines.* resourcemanager.projects.get resourcemanager.projects.list
Data pipelines Invoker roles/datapipelines.invoker Invoker of Data pipelines jobs	datapipelines.pipelines.run resourcemanager.projects.get resourcemanager.projects.list
Data pipelines Viewer roles/datapipelines.viewer Viewer of Data pipelines resources	datapipelines.jobs.* datapipelines.pipelines.get datapipelines.pipelines.list resourcemanager.projects.get resourcemanager.projects.list
Dataflow Admin roles/dataflow.admin Minimal role for creating and managing dataflow jobs.	compute.machineTypes.get compute.projects.get compute.regions.list compute.zones.list dataflow.jobs.* dataflow.messages.* dataflow.metrics.* dataflow.snapshots.* recommender.dataflowDiagnosticsInsights.* resourcemanager.projects.get resourcemanager.projects.list storage.buckets.get storage.objects.create storage.objects.get storage.objects.list
Dataflow Developer roles/dataflow.developer Provides the permissions necessary to execute and manipulate Dataflow jobs.	compute.projects.get compute.regions.list compute.zones.list dataflow.jobs.* dataflow.messages.* dataflow.metrics.* dataflow.snapshots.* recommender.dataflowDiagnosticsInsights.* resourcemanager.projects.get resourcemanager.projects.list
Dataflow Viewer roles/dataflow.viewer Provides read-only access to all Dataflow-related resources.	dataflow.jobs.get dataflow.jobs.list dataflow.messages.* dataflow.metrics.* dataflow.snapshots.get dataflow.snapshots.list recommender.dataflowDiagnosticsInsights.get recommender.dataflowDiagnosticsInsights.list resourcemanager.projects.get resourcemanager.projects.list
Dataflow Worker roles/dataflow.worker Provides the permissions necessary for a Compute Engine service account to execute work units for a Dataflow pipeline.	autoscaling.sites.readRecommendations autoscaling.sites.writeMetrics autoscaling.sites.writeState compute.instanceGroupManagers.update compute.instances.delete compute.instances.setDiskAutoDelete dataflow.jobs.get dataflow.shuffle.* dataflow.streamingWorkItems.* dataflow.workItems.* logging.logEntries.create storage.buckets.get storage.objects.create storage.objects.get
Dataprep User roles/dataprep.projects.user Use of Dataprep.	dataprep.* resourcemanager.projects.get serviceusage.quotas.get serviceusage.services.get serviceusage.services.list
Dataproc Administrator roles/dataproc.admin Full control of Dataproc resources.	compute.machineTypes.* compute.networks.get compute.networks.list compute.projects.get compute.regions.* compute.zones.* dataproc.autoscalingPolicies.* dataproc.batches.* dataproc.clusters.* dataproc.jobs.* dataproc.operations.* dataproc.workflowTemplates.* resourcemanager.projects.get resourcemanager.projects.list
Dataproc Editor roles/dataproc.editor Provides the permissions necessary for viewing the resources required to manage Dataproc, including machine types, networks, projects, and zones.	compute.machineTypes.* compute.networks.get compute.networks.list compute.projects.get compute.regions.* compute.zones.* dataproc.autoscalingPolicies.create dataproc.autoscalingPolicies.delete dataproc.autoscalingPolicies.get dataproc.autoscalingPolicies.list dataproc.autoscalingPolicies.update dataproc.autoscalingPolicies.use dataproc.batches.* dataproc.clusters.create dataproc.clusters.delete dataproc.clusters.get dataproc.clusters.list dataproc.clusters.start dataproc.clusters.stop dataproc.clusters.update dataproc.clusters.use dataproc.jobs.cancel dataproc.jobs.create dataproc.jobs.delete dataproc.jobs.get dataproc.jobs.list dataproc.jobs.update dataproc.operations.cancel dataproc.operations.delete dataproc.operations.get dataproc.operations.list dataproc.workflowTemplates.create dataproc.workflowTemplates.delete dataproc.workflowTemplates.get dataproc.workflowTemplates.instantiate dataproc.workflowTemplates.instantiateInline dataproc.workflowTemplates.list dataproc.workflowTemplates.update resourcemanager.projects.get resourcemanager.projects.list
Dataproc Hub Agent roles/dataproc.hubAgent Allows management of Dataproc resources. Intended for service accounts running Dataproc Hub instances.	compute.instances.get compute.instances.setMetadata compute.instances.setTags compute.zoneOperations.get compute.zones.list dataproc.autoscalingPolicies.get dataproc.autoscalingPolicies.list dataproc.autoscalingPolicies.use dataproc.clusters.create dataproc.clusters.delete dataproc.clusters.get dataproc.clusters.list dataproc.clusters.update dataproc.operations.cancel dataproc.operations.delete dataproc.operations.get dataproc.operations.list iam.serviceAccounts.actAs iam.serviceAccounts.get iam.serviceAccounts.list logging.buckets.get logging.buckets.list logging.exclusions.get logging.exclusions.list logging.locations.* logging.logEntries.create logging.logEntries.list logging.logMetrics.get logging.logMetrics.list logging.logServiceIndexes.* logging.logServices.* logging.logs.list logging.operations.get logging.operations.list logging.queries.create logging.queries.delete logging.queries.get logging.queries.list logging.queries.listShared logging.queries.update logging.sinks.get logging.sinks.list logging.usage.* logging.views.get logging.views.list resourcemanager.projects.get resourcemanager.projects.list storage.buckets.get storage.objects.get storage.objects.list
Dataproc Viewer roles/dataproc.viewer Provides read-only access to Dataproc resources.	compute.machineTypes.get compute.regions.* compute.zones.* dataproc.autoscalingPolicies.get dataproc.autoscalingPolicies.list dataproc.batches.get dataproc.batches.list dataproc.clusters.get dataproc.clusters.list dataproc.jobs.get dataproc.jobs.list dataproc.operations.get dataproc.operations.list dataproc.workflowTemplates.get dataproc.workflowTemplates.list resourcemanager.projects.get resourcemanager.projects.list
Dataproc Worker roles/dataproc.worker Provides worker access to Dataproc resources. Intended for service accounts.	dataproc.agents.* dataproc.tasks.* logging.logEntries.create monitoring.metricDescriptors.create monitoring.metricDescriptors.get monitoring.metricDescriptors.list monitoring.monitoredResourceDescriptors.* monitoring.timeSeries.create storage.buckets.get storage.multipartUploads.* storage.objects.*
Dataproc Metastore Admin roles/metastore.admin Full access to all Dataproc Metastore resources.	metastore.backups.* metastore.imports.* metastore.locations.* metastore.operations.* metastore.services.create metastore.services.delete metastore.services.export metastore.services.get metastore.services.getIamPolicy metastore.services.list metastore.services.restore metastore.services.setIamPolicy metastore.services.update resourcemanager.projects.get resourcemanager.projects.list
Dataproc Metastore Editor roles/metastore.editor Read and write access to all Dataproc Metastore resources.	metastore.backups.* metastore.imports.* metastore.locations.* metastore.operations.* metastore.services.create metastore.services.delete metastore.services.export metastore.services.get metastore.services.getIamPolicy metastore.services.list metastore.services.restore metastore.services.update resourcemanager.projects.get resourcemanager.projects.list
Dataproc Metastore Metadata Editor roles/metastore.metadataEditor Access to read and modify the metadata of databases and tables under those databases.	metastore.databases.create metastore.databases.delete metastore.databases.get metastore.databases.getIamPolicy metastore.databases.list metastore.databases.update metastore.services.get metastore.services.use metastore.tables.create metastore.tables.delete metastore.tables.get metastore.tables.getIamPolicy metastore.tables.list metastore.tables.update
Dataproc Metastore Metadata Operator roles/metastore.metadataOperator Read-only access to Dataproc Metastore resources with additional metadata operations permission.	metastore.backups.* metastore.imports.* metastore.locations.* metastore.operations.get metastore.operations.list metastore.services.export metastore.services.get metastore.services.getIamPolicy metastore.services.list metastore.services.restore resourcemanager.projects.get resourcemanager.projects.list
Dataproc Metastore Data Owner roles/metastore.metadataOwner Full access to the metadata of databases and tables under those databases.	metastore.databases.* metastore.services.get metastore.services.getIamPolicy metastore.services.list metastore.services.use metastore.tables.*
Dataproc Metastore Metadata User roles/metastore.metadataUser Access to the Dataproc Metastore gRPC endpoint	metastore.databases.get metastore.databases.list metastore.services.get metastore.services.use
Dataproc Metastore Metadata Viewer roles/metastore.metadataViewer Access to read the metadata of databases and tables under those databases	metastore.databases.get metastore.databases.getIamPolicy metastore.databases.list metastore.services.get metastore.services.use metastore.tables.get metastore.tables.getIamPolicy metastore.tables.list
Dataproc Metastore Viewer roles/metastore.user Read-only access to all Dataproc Metastore resources.	metastore.backups.get metastore.backups.list metastore.imports.get metastore.imports.list metastore.locations.* metastore.operations.get metastore.operations.list metastore.services.export metastore.services.get metastore.services.getIamPolicy metastore.services.list resourcemanager.projects.get resourcemanager.projects.list
Cloud Datastore Import Export Admin roles/datastore.importExportAdmin Provides full access to manage imports and exports.	appengine.applications.get datastore.databases.export datastore.databases.getMetadata datastore.databases.import datastore.operations.cancel datastore.operations.get datastore.operations.list resourcemanager.projects.get resourcemanager.projects.list
Cloud Datastore Index Admin roles/datastore.indexAdmin Provides full access to manage index definitions.	appengine.applications.get datastore.databases.getMetadata datastore.indexes.* resourcemanager.projects.get resourcemanager.projects.list
Cloud Datastore Key Visualizer Viewer roles/datastore.keyVisualizerViewer Full access to Key Visualizer scans.	datastore.databases.getMetadata datastore.keyVisualizerScans.* resourcemanager.projects.get resourcemanager.projects.list
Cloud Datastore Owner roles/datastore.owner Provides full access to Datastore resources.	appengine.applications.get datastore.* resourcemanager.projects.get resourcemanager.projects.list
Cloud Datastore User roles/datastore.user Provides read/write access to data in a Datastore database.	appengine.applications.get datastore.databases.get datastore.databases.getMetadata datastore.entities.* datastore.indexes.list datastore.namespaces.get datastore.namespaces.list datastore.statistics.* resourcemanager.projects.get resourcemanager.projects.list
Cloud Datastore Viewer roles/datastore.viewer Provides read access to Datastore resources.	appengine.applications.get datastore.databases.get datastore.databases.getMetadata datastore.databases.list datastore.entities.get datastore.entities.list datastore.indexes.get datastore.indexes.list datastore.namespaces.get datastore.namespaces.list datastore.statistics.* resourcemanager.projects.get resourcemanager.projects.list
Datastream Admin roles/datastream.admin Full access to all Datastream resources.	datastream.* resourcemanager.projects.get resourcemanager.projects.list
Datastream Viewer roles/datastream.viewer Read-only access to all Datastream resources.	datastream.connectionProfiles.destinationTypes datastream.connectionProfiles.discover datastream.connectionProfiles.get datastream.connectionProfiles.getIamPolicy datastream.connectionProfiles.list datastream.connectionProfiles.listStaticServiceIps datastream.connectionProfiles.sourceTypes datastream.locations.* datastream.objects.get datastream.objects.list datastream.operations.get datastream.operations.list datastream.privateConnections.get datastream.privateConnections.getIamPolicy datastream.privateConnections.list datastream.routes.get datastream.routes.getIamPolicy datastream.routes.list datastream.streams.fetchErrors datastream.streams.get datastream.streams.getIamPolicy datastream.streams.list resourcemanager.projects.get resourcemanager.projects.list
Deployment Manager Editor roles/deploymentmanager.editor Provides the permissions necessary to create and manage deployments.	deploymentmanager.compositeTypes.* deploymentmanager.deployments.cancelPreview deploymentmanager.deployments.create deploymentmanager.deployments.delete deploymentmanager.deployments.get deploymentmanager.deployments.list deploymentmanager.deployments.stop deploymentmanager.deployments.update deploymentmanager.manifests.* deploymentmanager.operations.* deploymentmanager.resources.* deploymentmanager.typeProviders.* deploymentmanager.types.* resourcemanager.projects.get resourcemanager.projects.list serviceusage.quotas.get serviceusage.services.get serviceusage.services.list
Deployment Manager Type Editor roles/deploymentmanager.typeEditor Provides read and write access to all Type Registry resources.	deploymentmanager.compositeTypes.* deploymentmanager.operations.get deploymentmanager.typeProviders.* deploymentmanager.types.* resourcemanager.projects.get resourcemanager.projects.list serviceusage.quotas.get serviceusage.services.get
Deployment Manager Type Viewer roles/deploymentmanager.typeViewer Provides read-only access to all Type Registry resources.	deploymentmanager.compositeTypes.get deploymentmanager.compositeTypes.list deploymentmanager.typeProviders.get deploymentmanager.typeProviders.getType deploymentmanager.typeProviders.list deploymentmanager.typeProviders.listTypes deploymentmanager.types.get deploymentmanager.types.list resourcemanager.projects.get resourcemanager.projects.list serviceusage.quotas.get serviceusage.services.get
Deployment Manager Viewer roles/deploymentmanager.viewer Provides read-only access to all Deployment Manager-related resources.	deploymentmanager.compositeTypes.get deploymentmanager.compositeTypes.list deploymentmanager.deployments.get deploymentmanager.deployments.list deploymentmanager.manifests.* deploymentmanager.operations.* deploymentmanager.resources.* deploymentmanager.typeProviders.get deploymentmanager.typeProviders.getType deploymentmanager.typeProviders.list deploymentmanager.typeProviders.listTypes deploymentmanager.types.get deploymentmanager.types.list resourcemanager.projects.get resourcemanager.projects.list serviceusage.quotas.get serviceusage.services.get serviceusage.services.list
AAM Admin roles/dialogflow.aamAdmin An admin has access to all resources and can perform all administrative actions in an AAM project.	dialogflow.agents.export dialogflow.agents.get dialogflow.agents.list dialogflow.agents.search dialogflow.agents.searchResources dialogflow.answerrecords.get dialogflow.answerrecords.list dialogflow.callMatchers.list dialogflow.changelogs.* dialogflow.contexts.get dialogflow.contexts.list dialogflow.conversationDatasets.get dialogflow.conversationDatasets.list dialogflow.conversationModels.get dialogflow.conversationModels.list dialogflow.conversationProfiles.get dialogflow.conversationProfiles.list dialogflow.conversations.get dialogflow.conversations.list dialogflow.documents.get dialogflow.documents.list dialogflow.entityTypes.get dialogflow.entityTypes.list dialogflow.environments.get dialogflow.environments.list dialogflow.flows.get dialogflow.flows.list dialogflow.fulfillments.get dialogflow.integrations.get dialogflow.integrations.list dialogflow.intents.get dialogflow.intents.list dialogflow.knowledgeBases.get dialogflow.knowledgeBases.list dialogflow.messages.* dialogflow.modelEvaluations.* dialogflow.operations.* dialogflow.pages.get dialogflow.pages.list dialogflow.participants.get dialogflow.participants.list dialogflow.phoneNumberOrders.get dialogflow.phoneNumberOrders.list dialogflow.phoneNumbers.list dialogflow.securitySettings.get dialogflow.securitySettings.list dialogflow.sessionEntityTypes.get dialogflow.sessionEntityTypes.list dialogflow.smartMessagingEntries.get dialogflow.smartMessagingEntries.list dialogflow.transitionRouteGroups.get dialogflow.transitionRouteGroups.list dialogflow.versions.get dialogflow.versions.list dialogflow.webhooks.get dialogflow.webhooks.list resourcemanager.projects.get resourcemanager.projects.list
AAM Conversational Architect roles/dialogflow.aamConversationalArchitect A Conversational Architect can label conversational data, approve taxonomy changes and design virtual agents for a customer's use cases.	dialogflow.agents.export dialogflow.agents.get dialogflow.agents.list dialogflow.agents.search dialogflow.agents.searchResources dialogflow.answerrecords.get dialogflow.answerrecords.list dialogflow.callMatchers.list dialogflow.changelogs.* dialogflow.contexts.get dialogflow.contexts.list dialogflow.conversationDatasets.get dialogflow.conversationDatasets.list dialogflow.conversationModels.get dialogflow.conversationModels.list dialogflow.conversationProfiles.get dialogflow.conversationProfiles.list dialogflow.conversations.get dialogflow.conversations.list dialogflow.documents.get dialogflow.documents.list dialogflow.entityTypes.get dialogflow.entityTypes.list dialogflow.environments.get dialogflow.environments.list dialogflow.flows.get dialogflow.flows.list dialogflow.fulfillments.get dialogflow.integrations.get dialogflow.integrations.list dialogflow.intents.get dialogflow.intents.list dialogflow.knowledgeBases.get dialogflow.knowledgeBases.list dialogflow.messages.* dialogflow.modelEvaluations.* dialogflow.operations.* dialogflow.pages.get dialogflow.pages.list dialogflow.participants.get dialogflow.participants.list dialogflow.phoneNumberOrders.get dialogflow.phoneNumberOrders.list dialogflow.phoneNumbers.list dialogflow.securitySettings.get dialogflow.securitySettings.list dialogflow.sessionEntityTypes.get dialogflow.sessionEntityTypes.list dialogflow.smartMessagingEntries.get dialogflow.smartMessagingEntries.list dialogflow.transitionRouteGroups.get dialogflow.transitionRouteGroups.list dialogflow.versions.get dialogflow.versions.list dialogflow.webhooks.get dialogflow.webhooks.list resourcemanager.projects.get resourcemanager.projects.list
AAM Dialog Designer roles/dialogflow.aamDialogDesigner A Dialog Designer can label conversational data and propose taxonomy changes for virtual agent modeling.	dialogflow.agents.export dialogflow.agents.get dialogflow.agents.list dialogflow.agents.search dialogflow.agents.searchResources dialogflow.answerrecords.get dialogflow.answerrecords.list dialogflow.callMatchers.list dialogflow.changelogs.* dialogflow.contexts.get dialogflow.contexts.list dialogflow.conversationDatasets.get dialogflow.conversationDatasets.list dialogflow.conversationModels.get dialogflow.conversationModels.list dialogflow.conversationProfiles.get dialogflow.conversationProfiles.list dialogflow.conversations.get dialogflow.conversations.list dialogflow.documents.get dialogflow.documents.list dialogflow.entityTypes.get dialogflow.entityTypes.list dialogflow.environments.get dialogflow.environments.list dialogflow.flows.get dialogflow.flows.list dialogflow.fulfillments.get dialogflow.integrations.get dialogflow.integrations.list dialogflow.intents.get dialogflow.intents.list dialogflow.knowledgeBases.get dialogflow.knowledgeBases.list dialogflow.messages.* dialogflow.modelEvaluations.* dialogflow.operations.* dialogflow.pages.get dialogflow.pages.list dialogflow.participants.get dialogflow.participants.list dialogflow.phoneNumberOrders.get dialogflow.phoneNumberOrders.list dialogflow.phoneNumbers.list dialogflow.securitySettings.get dialogflow.securitySettings.list dialogflow.sessionEntityTypes.get dialogflow.sessionEntityTypes.list dialogflow.smartMessagingEntries.get dialogflow.smartMessagingEntries.list dialogflow.transitionRouteGroups.get dialogflow.transitionRouteGroups.list dialogflow.versions.get dialogflow.versions.list dialogflow.webhooks.get dialogflow.webhooks.list resourcemanager.projects.get resourcemanager.projects.list
AAM Lead Dialog Designer roles/dialogflow.aamLeadDialogDesigner A Dialog Designer Lead can label conversational data and approve taxonomy changes for virtual agent modeling.	dialogflow.agents.export dialogflow.agents.get dialogflow.agents.list dialogflow.agents.search dialogflow.agents.searchResources dialogflow.answerrecords.get dialogflow.answerrecords.list dialogflow.callMatchers.list dialogflow.changelogs.* dialogflow.contexts.get dialogflow.contexts.list dialogflow.conversationDatasets.get dialogflow.conversationDatasets.list dialogflow.conversationModels.get dialogflow.conversationModels.list dialogflow.conversationProfiles.get dialogflow.conversationProfiles.list dialogflow.conversations.get dialogflow.conversations.list dialogflow.documents.get dialogflow.documents.list dialogflow.entityTypes.get dialogflow.entityTypes.list dialogflow.environments.get dialogflow.environments.list dialogflow.flows.get dialogflow.flows.list dialogflow.fulfillments.get dialogflow.integrations.get dialogflow.integrations.list dialogflow.intents.get dialogflow.intents.list dialogflow.knowledgeBases.get dialogflow.knowledgeBases.list dialogflow.messages.* dialogflow.modelEvaluations.* dialogflow.operations.* dialogflow.pages.get dialogflow.pages.list dialogflow.participants.get dialogflow.participants.list dialogflow.phoneNumberOrders.get dialogflow.phoneNumberOrders.list dialogflow.phoneNumbers.list dialogflow.securitySettings.get dialogflow.securitySettings.list dialogflow.sessionEntityTypes.get dialogflow.sessionEntityTypes.list dialogflow.smartMessagingEntries.get dialogflow.smartMessagingEntries.list dialogflow.transitionRouteGroups.get dialogflow.transitionRouteGroups.list dialogflow.versions.get dialogflow.versions.list dialogflow.webhooks.get dialogflow.webhooks.list resourcemanager.projects.get resourcemanager.projects.list
AAM Viewer roles/dialogflow.aamViewer A user can view the taxonomy and data reports in an AAM project.	dialogflow.agents.export dialogflow.agents.get dialogflow.agents.list dialogflow.agents.search dialogflow.agents.searchResources dialogflow.answerrecords.get dialogflow.answerrecords.list dialogflow.callMatchers.list dialogflow.changelogs.* dialogflow.contexts.get dialogflow.contexts.list dialogflow.conversationDatasets.get dialogflow.conversationDatasets.list dialogflow.conversationModels.get dialogflow.conversationModels.list dialogflow.conversationProfiles.get dialogflow.conversationProfiles.list dialogflow.conversations.get dialogflow.conversations.list dialogflow.documents.get dialogflow.documents.list dialogflow.entityTypes.get dialogflow.entityTypes.list dialogflow.environments.get dialogflow.environments.list dialogflow.flows.get dialogflow.flows.list dialogflow.fulfillments.get dialogflow.integrations.get dialogflow.integrations.list dialogflow.intents.get dialogflow.intents.list dialogflow.knowledgeBases.get dialogflow.knowledgeBases.list dialogflow.messages.* dialogflow.modelEvaluations.* dialogflow.operations.* dialogflow.pages.get dialogflow.pages.list dialogflow.participants.get dialogflow.participants.list dialogflow.phoneNumberOrders.get dialogflow.phoneNumberOrders.list dialogflow.phoneNumbers.list dialogflow.securitySettings.get dialogflow.securitySettings.list dialogflow.sessionEntityTypes.get dialogflow.sessionEntityTypes.list dialogflow.smartMessagingEntries.get dialogflow.smartMessagingEntries.list dialogflow.transitionRouteGroups.get dialogflow.transitionRouteGroups.list dialogflow.versions.get dialogflow.versions.list dialogflow.webhooks.get dialogflow.webhooks.list resourcemanager.projects.get resourcemanager.projects.list
Dialogflow API Admin roles/dialogflow.admin Grant to Dialogflow API admins that need full access to Dialogflow-specific resources. Also see Dialogflow access control.	dialogflow.* resourcemanager.projects.get
Dialogflow API Client roles/dialogflow.client Grant to Dialogflow API clients that perform Dialogflow-specific edits and detect intent calls using the API. Also see Dialogflow access control.	dialogflow.contexts.* dialogflow.conversations.* dialogflow.messages.* dialogflow.participants.* dialogflow.sessionEntityTypes.* dialogflow.sessions.*
Dialogflow Console Agent Editor roles/dialogflow.consoleAgentEditor Grant to Dialogflow Console editors that edit existing agents. Also see Dialogflow access control.	actions.agentVersions.create dialogflow.* resourcemanager.projects.get
Dialogflow Console Simulator User roles/dialogflow.consoleSimulatorUser Can perform query of dialogflow suggestions in the simulator in web console.	dialogflow.conversationModels.get dialogflow.conversationModels.list dialogflow.conversationProfiles.get dialogflow.conversationProfiles.list dialogflow.conversations.* dialogflow.documents.get dialogflow.documents.list dialogflow.knowledgeBases.get dialogflow.knowledgeBases.list dialogflow.participants.* dialogflow.sessions.detectIntent resourcemanager.projects.get resourcemanager.projects.list
Dialogflow Console Smart Messaging Allowlist Editor roles/dialogflow.consoleSmartMessagingAllowlistEditor Can edit allowlist for smart messaging associated with conversation model in the agent assist console	dialogflow.conversationDatasets.get dialogflow.conversationDatasets.list dialogflow.conversationModels.get dialogflow.conversationModels.list dialogflow.conversationProfiles.list dialogflow.documents.get dialogflow.documents.list dialogflow.operations.* dialogflow.smartMessagingEntries.* resourcemanager.projects.get resourcemanager.projects.list
Dialogflow Conversation Manager roles/dialogflow.conversationManager Can manage all the resources related to Dialogflow Conversations.	dialogflow.conversationProfiles.* dialogflow.conversations.* dialogflow.participants.*
Dialogflow Entity Type Admin roles/dialogflow.entityTypeAdmin Can read & write entity types.	dialogflow.entityTypes.*
Dialogflow Environment editor roles/dialogflow.environmentEditor Can read & update environment and its sub-resources.	dialogflow.environments.get dialogflow.environments.getHistory dialogflow.environments.list dialogflow.environments.lookupHistory dialogflow.environments.update
Dialogflow Flow editor roles/dialogflow.flowEditor Can read & update flow and its sub-resources.	dialogflow.flows.get dialogflow.flows.list dialogflow.flows.train dialogflow.flows.update dialogflow.flows.validate dialogflow.pages.* dialogflow.transitionRouteGroups.* dialogflow.versions.*
Dialogflow Integration Manager roles/dialogflow.integrationManager Can add, remove, enable and disable Dialogflow integrations.	dialogflow.integrations.*
Dialogflow Intent Admin roles/dialogflow.intentAdmin Can read & write intents.	dialogflow.intents.*
Dialogflow API Reader roles/dialogflow.reader Grant to Dialogflow API clients that perform Dialogflow-specific read-only calls using the API. Also see Dialogflow access control.	dialogflow.agents.export dialogflow.agents.get dialogflow.agents.list dialogflow.agents.search dialogflow.agents.searchResources dialogflow.answerrecords.get dialogflow.answerrecords.list dialogflow.callMatchers.list dialogflow.changelogs.* dialogflow.contexts.get dialogflow.contexts.list dialogflow.conversationDatasets.get dialogflow.conversationDatasets.list dialogflow.conversationModels.get dialogflow.conversationModels.list dialogflow.conversationProfiles.get dialogflow.conversationProfiles.list dialogflow.conversations.get dialogflow.conversations.list dialogflow.documents.get dialogflow.documents.list dialogflow.entityTypes.get dialogflow.entityTypes.list dialogflow.environments.get dialogflow.environments.list dialogflow.flows.get dialogflow.flows.list dialogflow.fulfillments.get dialogflow.integrations.get dialogflow.integrations.list dialogflow.intents.get dialogflow.intents.list dialogflow.knowledgeBases.get dialogflow.knowledgeBases.list dialogflow.messages.* dialogflow.modelEvaluations.* dialogflow.operations.* dialogflow.pages.get dialogflow.pages.list dialogflow.participants.get dialogflow.participants.list dialogflow.phoneNumberOrders.get dialogflow.phoneNumberOrders.list dialogflow.phoneNumbers.list dialogflow.securitySettings.get dialogflow.securitySettings.list dialogflow.sessionEntityTypes.get dialogflow.sessionEntityTypes.list dialogflow.smartMessagingEntries.get dialogflow.smartMessagingEntries.list dialogflow.transitionRouteGroups.get dialogflow.transitionRouteGroups.list dialogflow.versions.get dialogflow.versions.list dialogflow.webhooks.get dialogflow.webhooks.list resourcemanager.projects.get
Dialogflow Test Case Admin roles/dialogflow.testCaseAdmin Can read & write test cases.
Dialogflow Webhook Admin roles/dialogflow.webhookAdmin Can read & write webhooks.	dialogflow.webhooks.*
DNS Administrator roles/dns.admin Provides read-write access to all Cloud DNS resources.	compute.networks.get compute.networks.list dns.changes.* dns.dnsKeys.* dns.managedZoneOperations.* dns.managedZones.* dns.networks.* dns.policies.create dns.policies.delete dns.policies.get dns.policies.list dns.policies.update dns.projects.* dns.resourceRecordSets.* dns.responsePolicies.* dns.responsePolicyRules.* resourcemanager.projects.get resourcemanager.projects.list
DNS Peer roles/dns.peer Access to target networks with DNS peering zones	dns.networks.targetWithPeeringZone
DNS Reader roles/dns.reader Provides read-only access to all Cloud DNS resources.	compute.networks.get dns.changes.get dns.changes.list dns.dnsKeys.* dns.managedZoneOperations.* dns.managedZones.get dns.managedZones.list dns.policies.get dns.policies.list dns.projects.* dns.resourceRecordSets.get dns.resourceRecordSets.list dns.responsePolicies.get dns.responsePolicies.list dns.responsePolicyRules.get dns.responsePolicyRules.list resourcemanager.projects.get resourcemanager.projects.list
Document AI Administrator. roles/documentai.admin Grants full access to all resources in Document AI	documentai.* resourcemanager.projects.get resourcemanager.projects.list
Document AI API User roles/documentai.apiUser Grants access to process documents in Document AI	documentai.humanReviewConfigs.review documentai.operations.* documentai.processorVersions.processBatch documentai.processorVersions.processOnline documentai.processors.processBatch documentai.processors.processOnline
Document AI Editor roles/documentai.editor Grants access to use all resources in Document AI	documentai.* resourcemanager.projects.get resourcemanager.projects.list
Document AI Viewer roles/documentai.viewer Grants access to view all resources and process documents in Document AI	documentai.datasetSchemas.get documentai.datasets.get documentai.evaluations.get documentai.evaluations.list documentai.humanReviewConfigs.get documentai.humanReviewConfigs.review documentai.labelerPools.get documentai.labelerPools.list documentai.locations.* documentai.operations.* documentai.processorTypes.* documentai.processorVersions.get documentai.processorVersions.list documentai.processorVersions.processBatch documentai.processorVersions.processOnline documentai.processors.fetchHumanReviewDetails documentai.processors.get documentai.processors.list documentai.processors.processBatch documentai.processors.processOnline resourcemanager.projects.get resourcemanager.projects.list
Earth Engine Resource Admin roles/earthengine.admin Full access to all Earth Engine resource features	earthengine.* resourcemanager.projects.get resourcemanager.projects.list
Earth Engine Apps Publisher roles/earthengine.appsPublisher Publisher of Earth Engine Apps	iam.serviceAccounts.create iam.serviceAccounts.disable iam.serviceAccounts.enable iam.serviceAccounts.get iam.serviceAccounts.getIamPolicy iam.serviceAccounts.setIamPolicy resourcemanager.projects.get serviceusage.services.get
Earth Engine Resource Viewer roles/earthengine.viewer Viewer of all Earth Engine resources	earthengine.assets.get earthengine.assets.getIamPolicy earthengine.assets.list earthengine.computations.* earthengine.filmstripthumbnails.get earthengine.maps.get earthengine.operations.get earthengine.operations.list earthengine.tables.get earthengine.thumbnails.get earthengine.videothumbnails.get resourcemanager.projects.get resourcemanager.projects.list
Earth Engine Resource Writer roles/earthengine.writer Writer of all Earth Engine resources	earthengine.assets.create earthengine.assets.delete earthengine.assets.get earthengine.assets.getIamPolicy earthengine.assets.list earthengine.assets.update earthengine.computations.* earthengine.exports.* earthengine.filmstripthumbnails.* earthengine.imports.* earthengine.maps.* earthengine.operations.* earthengine.tables.* earthengine.thumbnails.* earthengine.videothumbnails.* resourcemanager.projects.get resourcemanager.projects.list
Edge Container Admin roles/edgecontainer.admin Full access to Edge Container all resources.	edgecontainer.* resourcemanager.projects.get resourcemanager.projects.list
Edge Container Machine User roles/edgecontainer.machineUser Access to use Edge Container Machine resources.	edgecontainer.machines.get edgecontainer.machines.getIamPolicy edgecontainer.machines.list edgecontainer.machines.use resourcemanager.projects.get resourcemanager.projects.list
Edge Container Viewer roles/edgecontainer.viewer Read-only access to Edge Container all resources.	edgecontainer.clusters.generateAccessToken edgecontainer.clusters.get edgecontainer.clusters.getIamPolicy edgecontainer.clusters.list edgecontainer.locations.* edgecontainer.machines.get edgecontainer.machines.getIamPolicy edgecontainer.machines.list edgecontainer.nodePools.get edgecontainer.nodePools.getIamPolicy edgecontainer.nodePools.list edgecontainer.operations.get edgecontainer.operations.list edgecontainer.vpnConnections.get edgecontainer.vpnConnections.getIamPolicy edgecontainer.vpnConnections.list resourcemanager.projects.get resourcemanager.projects.list
Endpoints Portal Admin roles/endpoints.portalAdmin Provides all permissions needed to add, view, and delete custom domains on the Endpoints > Developer Portal page in the Cloud Console. On a portal created for an API, provides the permission to change settings on the Site Wide tab on the Settings page.	endpoints.* resourcemanager.projects.get resourcemanager.projects.list servicemanagement.services.get
Error Reporting Admin roles/errorreporting.admin Provides full access to Error Reporting data.	cloudnotifications.* errorreporting.* logging.notificationRules.* resourcemanager.projects.get resourcemanager.projects.list stackdriver.projects.get
Error Reporting User roles/errorreporting.user Provides the permissions to read and write Error Reporting data, except for sending new error events.	cloudnotifications.* errorreporting.applications.* errorreporting.errorEvents.delete errorreporting.errorEvents.list errorreporting.groupMetadata.* errorreporting.groups.* logging.notificationRules.* resourcemanager.projects.get resourcemanager.projects.list stackdriver.projects.get
Error Reporting Viewer roles/errorreporting.viewer Provides read-only access to Error Reporting data.	cloudnotifications.* errorreporting.applications.* errorreporting.errorEvents.list errorreporting.groupMetadata.get errorreporting.groups.* logging.notificationRules.get logging.notificationRules.list resourcemanager.projects.get resourcemanager.projects.list stackdriver.projects.get
Error Reporting Writer roles/errorreporting.writer Provides the permissions to send error events to Error Reporting.	errorreporting.errorEvents.create
Eventarc Admin roles/eventarc.admin Full control over all Eventarc resources.	eventarc.* resourcemanager.projects.get resourcemanager.projects.list
Eventarc Developer roles/eventarc.developer Access to read and write Eventarc resources.	eventarc.locations.* eventarc.operations.* eventarc.triggers.create eventarc.triggers.delete eventarc.triggers.get eventarc.triggers.getIamPolicy eventarc.triggers.list eventarc.triggers.undelete eventarc.triggers.update resourcemanager.projects.get resourcemanager.projects.list
Eventarc Event Receiver roles/eventarc.eventReceiver Can receive events from all event providers.	eventarc.events.*
Eventarc Viewer roles/eventarc.viewer Can view the state of all Eventarc resources, including IAM policies.	eventarc.locations.* eventarc.operations.get eventarc.operations.list eventarc.providers.* eventarc.triggers.get eventarc.triggers.getIamPolicy eventarc.triggers.list resourcemanager.projects.get resourcemanager.projects.list
Firebase Admin roles/firebase.admin Full access to Firebase products.	apikeys.keys.get apikeys.keys.list apikeys.keys.lookup appengine.applications.get automl.* clientauthconfig.brands.get clientauthconfig.brands.list clientauthconfig.brands.update clientauthconfig.clients.create clientauthconfig.clients.delete clientauthconfig.clients.get clientauthconfig.clients.list clientauthconfig.clients.update cloudbuild.builds.get cloudbuild.builds.list cloudconfig.* cloudfunctions.* cloudmessaging.* cloudnotifications.* cloudtestservice.* cloudtoolresults.* datastore.* errorreporting.groups.* eventarc.* fcmdata.* firebase.* firebaseabt.* firebaseanalytics.* firebaseappcheck.* firebaseappdistro.* firebaseauth.* firebasecrash.* firebasecrashlytics.* firebasedatabase.* firebasedynamiclinks.* firebaseextensions.* firebasehosting.* firebaseinappmessaging.* firebaseml.* firebasenotifications.* firebaseperformance.* firebasepredictions.* firebaserules.* firebasestorage.* logging.logEntries.list monitoring.timeSeries.list orgpolicy.policy.get recommender.locations.* remotebuildexecution.blobs.get resourcemanager.projects.get resourcemanager.projects.getIamPolicy resourcemanager.projects.list run.* runtimeconfig.configs.create runtimeconfig.configs.delete runtimeconfig.configs.get runtimeconfig.configs.list runtimeconfig.configs.update runtimeconfig.operations.* runtimeconfig.variables.create runtimeconfig.variables.delete runtimeconfig.variables.get runtimeconfig.variables.list runtimeconfig.variables.update runtimeconfig.variables.watch runtimeconfig.waiters.create runtimeconfig.waiters.delete runtimeconfig.waiters.get runtimeconfig.waiters.list runtimeconfig.waiters.update serviceusage.operations.get serviceusage.operations.list serviceusage.quotas.get serviceusage.services.get serviceusage.services.list storage.buckets.* storage.multipartUploads.* storage.objects.*
Firebase Analytics Admin roles/firebase.analyticsAdmin Full access to Google Analytics for Firebase.	cloudnotifications.* firebase.billingPlans.get firebase.clients.get firebase.clients.list firebase.links.list firebase.playLinks.get firebase.playLinks.list firebase.projects.get firebaseanalytics.* firebaseextensions.configs.list resourcemanager.projects.get resourcemanager.projects.getIamPolicy resourcemanager.projects.list
Firebase Analytics Viewer roles/firebase.analyticsViewer Read access to Google Analytics for Firebase.	cloudnotifications.* firebase.billingPlans.get firebase.clients.get firebase.clients.list firebase.links.list firebase.playLinks.get firebase.playLinks.list firebase.projects.get firebaseanalytics.resources.googleAnalyticsReadAndAnalyze firebaseextensions.configs.list resourcemanager.projects.get resourcemanager.projects.getIamPolicy resourcemanager.projects.list
Firebase Develop Admin roles/firebase.developAdmin Full access to Firebase Develop products and Analytics.	apikeys.keys.get apikeys.keys.list apikeys.keys.lookup appengine.applications.get automl.* clientauthconfig.brands.get clientauthconfig.brands.list clientauthconfig.brands.update clientauthconfig.clients.get clientauthconfig.clients.list cloudbuild.builds.get cloudbuild.builds.list cloudfunctions.* cloudnotifications.* datastore.* errorreporting.groups.* eventarc.* firebase.billingPlans.get firebase.clients.get firebase.clients.list firebase.links.list firebase.playLinks.get firebase.playLinks.list firebase.projects.get firebaseanalytics.* firebaseappcheck.* firebaseauth.* firebasedatabase.* firebaseextensions.configs.list firebasehosting.* firebaseml.* firebaserules.* firebasestorage.* logging.logEntries.list monitoring.timeSeries.list orgpolicy.policy.get recommender.locations.* remotebuildexecution.blobs.get resourcemanager.projects.get resourcemanager.projects.getIamPolicy resourcemanager.projects.list run.* runtimeconfig.configs.create runtimeconfig.configs.delete runtimeconfig.configs.get runtimeconfig.configs.list runtimeconfig.configs.update runtimeconfig.operations.* runtimeconfig.variables.create runtimeconfig.variables.delete runtimeconfig.variables.get runtimeconfig.variables.list runtimeconfig.variables.update runtimeconfig.variables.watch runtimeconfig.waiters.create runtimeconfig.waiters.delete runtimeconfig.waiters.get runtimeconfig.waiters.list runtimeconfig.waiters.update serviceusage.operations.get serviceusage.operations.list serviceusage.quotas.get serviceusage.services.get serviceusage.services.list storage.buckets.* storage.multipartUploads.* storage.objects.*
Firebase Develop Viewer roles/firebase.developViewer Read access to Firebase Develop products and Analytics.	automl.annotationSpecs.get automl.annotationSpecs.list automl.annotations.list automl.columnSpecs.get automl.columnSpecs.list automl.datasets.get automl.datasets.list automl.examples.get automl.examples.list automl.humanAnnotationTasks.get automl.humanAnnotationTasks.list automl.locations.get automl.locations.list automl.modelEvaluations.get automl.modelEvaluations.list automl.models.get automl.models.list automl.operations.get automl.operations.list automl.tableSpecs.get automl.tableSpecs.list clientauthconfig.brands.get clientauthconfig.brands.list cloudbuild.builds.get cloudbuild.builds.list cloudfunctions.functions.get cloudfunctions.functions.list cloudfunctions.locations.* cloudfunctions.operations.* cloudfunctions.runtimes.* cloudnotifications.* datastore.databases.get datastore.databases.getIamPolicy datastore.databases.getMetadata datastore.databases.list datastore.entities.get datastore.entities.list datastore.indexes.get datastore.indexes.list datastore.namespaces.get datastore.namespaces.getIamPolicy datastore.namespaces.list datastore.statistics.* errorreporting.groups.* eventarc.locations.* eventarc.operations.get eventarc.operations.list eventarc.providers.* eventarc.triggers.get eventarc.triggers.getIamPolicy eventarc.triggers.list firebase.billingPlans.get firebase.clients.get firebase.clients.list firebase.links.list firebase.playLinks.get firebase.playLinks.list firebase.projects.get firebaseanalytics.resources.googleAnalyticsReadAndAnalyze firebaseappcheck.appAttestConfig.get firebaseappcheck.debugTokens.get firebaseappcheck.deviceCheckConfig.get firebaseappcheck.recaptchaConfig.get firebaseappcheck.recaptchaEnterpriseConfig.get firebaseappcheck.safetyNetConfig.get firebaseappcheck.services.get firebaseauth.configs.get firebaseauth.users.get firebasedatabase.instances.get firebasedatabase.instances.list firebaseextensions.configs.list firebasehosting.sites.get firebasehosting.sites.list firebaseml.compressionjobs.get firebaseml.compressionjobs.list firebaseml.models.get firebaseml.models.list firebaseml.modelversions.get firebaseml.modelversions.list firebaserules.releases.get firebaserules.releases.list firebaserules.rulesets.get firebaserules.rulesets.list firebasestorage.buckets.get firebasestorage.buckets.list logging.logEntries.list monitoring.timeSeries.list recommender.locations.* remotebuildexecution.blobs.get resourcemanager.projects.get resourcemanager.projects.getIamPolicy resourcemanager.projects.list run.configurations.* run.locations.* run.operations.get run.operations.list run.revisions.get run.revisions.list run.routes.get run.routes.list run.services.get run.services.getIamPolicy run.services.list run.services.listEffectiveTags run.services.listTagBindings serviceusage.operations.get serviceusage.operations.list serviceusage.quotas.get serviceusage.services.get serviceusage.services.list storage.buckets.get storage.buckets.getIamPolicy storage.buckets.list storage.objects.get storage.objects.getIamPolicy storage.objects.list
Firebase Grow Admin roles/firebase.growthAdmin Full access to Firebase Grow products and Analytics.	clientauthconfig.clients.get clientauthconfig.clients.list cloudconfig.* cloudmessaging.* cloudnotifications.* fcmdata.* firebase.billingPlans.get firebase.clients.get firebase.clients.list firebase.links.list firebase.playLinks.get firebase.playLinks.list firebase.projects.get firebaseabt.* firebaseanalytics.* firebasedynamiclinks.* firebaseextensions.configs.list firebaseinappmessaging.* firebasenotifications.* firebasepredictions.* monitoring.timeSeries.list resourcemanager.projects.get resourcemanager.projects.getIamPolicy resourcemanager.projects.list serviceusage.operations.get serviceusage.operations.list serviceusage.quotas.get serviceusage.services.get serviceusage.services.list
Firebase Grow Viewer roles/firebase.growthViewer Read access to Firebase Grow products and Analytics.	cloudconfig.configs.get cloudnotifications.* fcmdata.* firebase.billingPlans.get firebase.clients.get firebase.clients.list firebase.links.list firebase.playLinks.get firebase.playLinks.list firebase.projects.get firebaseabt.experimentresults.* firebaseabt.experiments.get firebaseabt.experiments.list firebaseabt.projectmetadata.* firebaseanalytics.resources.googleAnalyticsReadAndAnalyze firebasedynamiclinks.destinations.list firebasedynamiclinks.domains.get firebasedynamiclinks.domains.list firebasedynamiclinks.links.get firebasedynamiclinks.links.list firebasedynamiclinks.stats.* firebaseextensions.configs.list firebaseinappmessaging.campaigns.get firebaseinappmessaging.campaigns.list firebasenotifications.messages.get firebasenotifications.messages.list firebasepredictions.predictions.list monitoring.timeSeries.list resourcemanager.projects.get resourcemanager.projects.getIamPolicy resourcemanager.projects.list serviceusage.operations.get serviceusage.operations.list serviceusage.quotas.get serviceusage.services.get serviceusage.services.list
Firebase Quality Admin roles/firebase.qualityAdmin Full access to Firebase Quality products and Analytics.	cloudnotifications.* firebase.billingPlans.get firebase.clients.get firebase.clients.list firebase.links.list firebase.playLinks.get firebase.playLinks.list firebase.projects.get firebaseanalytics.* firebaseappdistro.* firebasecrash.* firebasecrashlytics.* firebaseextensions.configs.list firebaseperformance.* monitoring.timeSeries.list resourcemanager.projects.get resourcemanager.projects.getIamPolicy resourcemanager.projects.list serviceusage.operations.get serviceusage.operations.list serviceusage.quotas.get serviceusage.services.get serviceusage.services.list
Firebase Quality Viewer roles/firebase.qualityViewer Read access to Firebase Quality products and Analytics.	cloudnotifications.* firebase.billingPlans.get firebase.clients.get firebase.clients.list firebase.links.list firebase.playLinks.get firebase.playLinks.list firebase.projects.get firebaseanalytics.resources.googleAnalyticsReadAndAnalyze firebaseappdistro.groups.list firebaseappdistro.releases.list firebaseappdistro.testers.list firebasecrash.reports.* firebasecrashlytics.config.get firebasecrashlytics.data.* firebasecrashlytics.issues.get firebasecrashlytics.issues.list firebasecrashlytics.sessions.* firebaseextensions.configs.list firebaseperformance.data.* monitoring.timeSeries.list resourcemanager.projects.get resourcemanager.projects.getIamPolicy resourcemanager.projects.list serviceusage.operations.get serviceusage.operations.list serviceusage.quotas.get serviceusage.services.get serviceusage.services.list
Firebase Viewer roles/firebase.viewer Read-only access to Firebase products.	automl.annotationSpecs.get automl.annotationSpecs.list automl.annotations.list automl.columnSpecs.get automl.columnSpecs.list automl.datasets.get automl.datasets.list automl.examples.get automl.examples.list automl.humanAnnotationTasks.get automl.humanAnnotationTasks.list automl.locations.get automl.locations.list automl.modelEvaluations.get automl.modelEvaluations.list automl.models.get automl.models.list automl.operations.get automl.operations.list automl.tableSpecs.get automl.tableSpecs.list clientauthconfig.brands.get clientauthconfig.brands.list cloudbuild.builds.get cloudbuild.builds.list cloudconfig.configs.get cloudfunctions.functions.get cloudfunctions.functions.list cloudfunctions.locations.* cloudfunctions.operations.* cloudfunctions.runtimes.* cloudnotifications.* cloudtestservice.environmentcatalog.* cloudtestservice.matrices.get cloudtoolresults.executions.get cloudtoolresults.executions.list cloudtoolresults.histories.get cloudtoolresults.histories.list cloudtoolresults.settings.get cloudtoolresults.steps.get cloudtoolresults.steps.list datastore.databases.get datastore.databases.getIamPolicy datastore.databases.getMetadata datastore.databases.list datastore.entities.get datastore.entities.list datastore.indexes.get datastore.indexes.list datastore.namespaces.get datastore.namespaces.getIamPolicy datastore.namespaces.list datastore.statistics.* errorreporting.groups.* eventarc.locations.* eventarc.operations.get eventarc.operations.list eventarc.providers.* eventarc.triggers.get eventarc.triggers.getIamPolicy eventarc.triggers.list fcmdata.* firebase.billingPlans.get firebase.clients.get firebase.clients.list firebase.links.list firebase.playLinks.get firebase.playLinks.list firebase.projects.get firebaseabt.experimentresults.* firebaseabt.experiments.get firebaseabt.experiments.list firebaseabt.projectmetadata.* firebaseanalytics.resources.googleAnalyticsReadAndAnalyze firebaseappcheck.appAttestConfig.get firebaseappcheck.debugTokens.get firebaseappcheck.deviceCheckConfig.get firebaseappcheck.recaptchaConfig.get firebaseappcheck.recaptchaEnterpriseConfig.get firebaseappcheck.safetyNetConfig.get firebaseappcheck.services.get firebaseappdistro.groups.list firebaseappdistro.releases.list firebaseappdistro.testers.list firebaseauth.configs.get firebaseauth.users.get firebasecrash.reports.* firebasecrashlytics.config.get firebasecrashlytics.data.* firebasecrashlytics.issues.get firebasecrashlytics.issues.list firebasecrashlytics.sessions.* firebasedatabase.instances.get firebasedatabase.instances.list firebasedynamiclinks.destinations.list firebasedynamiclinks.domains.get firebasedynamiclinks.domains.list firebasedynamiclinks.links.get firebasedynamiclinks.links.list firebasedynamiclinks.stats.* firebaseextensions.configs.list firebasehosting.sites.get firebasehosting.sites.list firebaseinappmessaging.campaigns.get firebaseinappmessaging.campaigns.list firebaseml.compressionjobs.get firebaseml.compressionjobs.list firebaseml.models.get firebaseml.models.list firebaseml.modelversions.get firebaseml.modelversions.list firebasenotifications.messages.get firebasenotifications.messages.list firebaseperformance.data.* firebasepredictions.predictions.list firebaserules.releases.get firebaserules.releases.list firebaserules.rulesets.get firebaserules.rulesets.list firebasestorage.buckets.get firebasestorage.buckets.list logging.logEntries.list monitoring.timeSeries.list recommender.locations.* remotebuildexecution.blobs.get resourcemanager.projects.get resourcemanager.projects.getIamPolicy resourcemanager.projects.list run.configurations.* run.locations.* run.operations.get run.operations.list run.revisions.get run.revisions.list run.routes.get run.routes.list run.services.get run.services.getIamPolicy run.services.list run.services.listEffectiveTags run.services.listTagBindings serviceusage.operations.get serviceusage.operations.list serviceusage.quotas.get serviceusage.services.get serviceusage.services.list storage.buckets.get storage.buckets.getIamPolicy storage.buckets.list storage.objects.get storage.objects.getIamPolicy storage.objects.list
Firebase Remote Config Admin roles/cloudconfig.admin Full access to Firebase Remote Config resources.	cloudconfig.* firebase.clients.get firebase.clients.list firebase.projects.get resourcemanager.projects.get resourcemanager.projects.list
Firebase Remote Config Viewer roles/cloudconfig.viewer Read access to Firebase Remote Config resources.	cloudconfig.configs.get firebase.clients.get firebase.clients.list firebase.projects.get resourcemanager.projects.get resourcemanager.projects.list
Firebase Test Lab Admin roles/cloudtestservice.testAdmin Full access to all Test Lab features	cloudtestservice.* cloudtoolresults.* firebase.billingPlans.get firebase.clients.get firebase.clients.list firebase.projects.get resourcemanager.projects.get resourcemanager.projects.list storage.buckets.create storage.buckets.get storage.buckets.update storage.objects.create storage.objects.get storage.objects.list
Firebase Test Lab Viewer roles/cloudtestservice.testViewer Read access to Test Lab features	cloudtestservice.environmentcatalog.* cloudtestservice.matrices.get cloudtoolresults.executions.get cloudtoolresults.executions.list cloudtoolresults.histories.get cloudtoolresults.histories.list cloudtoolresults.settings.get cloudtoolresults.steps.get cloudtoolresults.steps.list firebase.clients.get firebase.clients.list firebase.projects.get resourcemanager.projects.get resourcemanager.projects.list storage.objects.get storage.objects.list
Firebase A/B Testing Admin roles/firebaseabt.admin Full read/write access to Firebase A/B Testing resources.	firebase.clients.get firebase.clients.list firebase.projects.get firebaseabt.* resourcemanager.projects.get resourcemanager.projects.list
Firebase A/B Testing Viewer roles/firebaseabt.viewer Read-only access to Firebase A/B Testing resources.	firebase.clients.get firebase.clients.list firebase.projects.get firebaseabt.experimentresults.* firebaseabt.experiments.get firebaseabt.experiments.list firebaseabt.projectmetadata.* resourcemanager.projects.get resourcemanager.projects.list
Firebase App Check Admin roles/firebaseappcheck.admin Full management of Firebase App Check.	firebaseappcheck.*
Firebase App Check Viewer roles/firebaseappcheck.viewer Read-only access for Firebase App Check.	firebaseappcheck.appAttestConfig.get firebaseappcheck.debugTokens.get firebaseappcheck.deviceCheckConfig.get firebaseappcheck.recaptchaConfig.get firebaseappcheck.recaptchaEnterpriseConfig.get firebaseappcheck.safetyNetConfig.get firebaseappcheck.services.get
Firebase App Distribution Admin roles/firebaseappdistro.admin Full read/write access to Firebase App Distribution resources.	firebase.clients.get firebase.clients.list firebase.projects.get firebaseappdistro.* resourcemanager.projects.get resourcemanager.projects.list
Firebase App Distribution Viewer roles/firebaseappdistro.viewer Read-only access to Firebase App Distribution resources.	firebase.clients.get firebase.clients.list firebase.projects.get firebaseappdistro.groups.list firebaseappdistro.releases.list firebaseappdistro.testers.list resourcemanager.projects.get resourcemanager.projects.list
Firebase Authentication Admin roles/firebaseauth.admin Full read/write access to Firebase Authentication resources.	firebase.clients.get firebase.clients.list firebase.projects.get firebaseauth.* resourcemanager.projects.get resourcemanager.projects.list
Firebase Authentication Viewer roles/firebaseauth.viewer Read-only access to Firebase Authentication resources.	firebase.clients.get firebase.clients.list firebase.projects.get firebaseauth.configs.get firebaseauth.users.get resourcemanager.projects.get resourcemanager.projects.list
Firebase Crashlytics Admin roles/firebasecrashlytics.admin Full read/write access to Firebase Crashlytics resources.	firebase.clients.get firebase.clients.list firebase.projects.get firebasecrashlytics.* resourcemanager.projects.get resourcemanager.projects.list
Firebase Crashlytics Viewer roles/firebasecrashlytics.viewer Read-only access to Firebase Crashlytics resources.	firebase.clients.get firebase.clients.list firebase.projects.get firebasecrashlytics.config.get firebasecrashlytics.data.* firebasecrashlytics.issues.get firebasecrashlytics.issues.list firebasecrashlytics.sessions.* resourcemanager.projects.get resourcemanager.projects.list
Firebase Realtime Database Admin roles/firebasedatabase.admin Full read/write access to Firebase Realtime Database resources.	firebase.clients.get firebase.clients.list firebase.projects.get firebasedatabase.* resourcemanager.projects.get resourcemanager.projects.list
Firebase Realtime Database Viewer roles/firebasedatabase.viewer Read-only access to Firebase Realtime Database resources.	firebase.clients.get firebase.clients.list firebase.projects.get firebasedatabase.instances.get firebasedatabase.instances.list resourcemanager.projects.get resourcemanager.projects.list
Firebase Dynamic Links Admin roles/firebasedynamiclinks.admin Full read/write access to Firebase Dynamic Links resources.	firebase.clients.get firebase.clients.list firebase.projects.get firebasedynamiclinks.* resourcemanager.projects.get resourcemanager.projects.list
Firebase Dynamic Links Viewer roles/firebasedynamiclinks.viewer Read-only access to Firebase Dynamic Links resources.	firebase.clients.get firebase.clients.list firebase.projects.get firebasedynamiclinks.destinations.list firebasedynamiclinks.domains.get firebasedynamiclinks.domains.list firebasedynamiclinks.links.get firebasedynamiclinks.links.list firebasedynamiclinks.stats.* resourcemanager.projects.get resourcemanager.projects.list
Firebase Hosting Admin roles/firebasehosting.admin Full read/write access to Firebase Hosting resources.	firebase.clients.get firebase.clients.list firebase.projects.get firebasehosting.* resourcemanager.projects.get resourcemanager.projects.list
Firebase Hosting Viewer roles/firebasehosting.viewer Read-only access to Firebase Hosting resources.	firebase.clients.get firebase.clients.list firebase.projects.get firebasehosting.sites.get firebasehosting.sites.list resourcemanager.projects.get resourcemanager.projects.list
Firebase In-App Messaging Admin roles/firebaseinappmessaging.admin Full read/write access to Firebase In-App Messaging resources.	firebase.clients.get firebase.clients.list firebase.projects.get firebaseinappmessaging.* resourcemanager.projects.get resourcemanager.projects.list
Firebase In-App Messaging Viewer roles/firebaseinappmessaging.viewer Read-only access to Firebase In-App Messaging resources.	firebase.clients.get firebase.clients.list firebase.projects.get firebaseinappmessaging.campaigns.get firebaseinappmessaging.campaigns.list resourcemanager.projects.get resourcemanager.projects.list
Firebase ML Kit Admin roles/firebaseml.admin Full read/write access to Firebase ML Kit resources.	firebase.clients.get firebase.clients.list firebase.projects.get firebaseml.* resourcemanager.projects.get resourcemanager.projects.list
Firebase ML Kit Viewer roles/firebaseml.viewer Read-only access to Firebase ML Kit resources.	firebase.clients.get firebase.clients.list firebase.projects.get firebaseml.compressionjobs.get firebaseml.compressionjobs.list firebaseml.models.get firebaseml.models.list firebaseml.modelversions.get firebaseml.modelversions.list resourcemanager.projects.get resourcemanager.projects.list
Firebase Cloud Messaging Admin roles/firebasenotifications.admin Full read/write access to Firebase Cloud Messaging resources.	fcmdata.* firebase.clients.get firebase.clients.list firebase.projects.get firebasenotifications.* resourcemanager.projects.get resourcemanager.projects.list
Firebase Cloud Messaging Viewer roles/firebasenotifications.viewer Read-only access to Firebase Cloud Messaging resources.	fcmdata.* firebase.clients.get firebase.clients.list firebase.projects.get firebasenotifications.messages.get firebasenotifications.messages.list resourcemanager.projects.get resourcemanager.projects.list
Firebase Performance Reporting Admin roles/firebaseperformance.admin Full access to firebaseperformance resources.	firebase.clients.get firebase.clients.list firebase.projects.get firebaseperformance.* resourcemanager.projects.get resourcemanager.projects.list
Firebase Performance Reporting Viewer roles/firebaseperformance.viewer Read-only access to firebaseperformance resources.	firebase.clients.get firebase.clients.list firebase.projects.get firebaseperformance.data.* resourcemanager.projects.get resourcemanager.projects.list
Firebase Predictions Admin roles/firebasepredictions.admin Full read/write access to Firebase Predictions resources.	firebase.clients.get firebase.clients.list firebase.projects.get firebasepredictions.* resourcemanager.projects.get resourcemanager.projects.list
Firebase Predictions Viewer roles/firebasepredictions.viewer Read-only access to Firebase Predictions resources.	firebase.clients.get firebase.clients.list firebase.projects.get firebasepredictions.predictions.list resourcemanager.projects.get resourcemanager.projects.list
Firebase Rules Admin roles/firebaserules.admin Full management of Firebase Rules.	firebaserules.* resourcemanager.projects.get resourcemanager.projects.list
Firebase Rules Viewer roles/firebaserules.viewer Read-only access on all resources with the ability to test Rulesets.	firebaserules.releases.get firebaserules.releases.list firebaserules.rulesets.get firebaserules.rulesets.list resourcemanager.projects.get resourcemanager.projects.list
Cloud Storage for Firebase Admin roles/firebasestorage.admin Full management of Cloud Storage for Firebase.	firebase.clients.get firebase.clients.list firebase.projects.get firebasestorage.* resourcemanager.projects.get resourcemanager.projects.list
Cloud Storage for Firebase Viewer roles/firebasestorage.viewer Read-only access for Cloud Storage for Firebase.	firebasestorage.buckets.get firebasestorage.buckets.list resourcemanager.projects.get resourcemanager.projects.list
Fleet Engine Consumer SDK User roles/fleetengine.consumerSdkUser Limited read access to Fleet Engine resources	fleetengine.trips.get fleetengine.vehicles.get fleetengine.vehicles.search fleetengine.vehicles.searchFuzzed
Fleet Engine Delivery Consumer User roles/fleetengine.deliveryConsumer Limited read access to Fleet Engine Delivery resources	fleetengine.tasks.searchWithTrackingId
Fleet Engine Delivery Fleet Reader User roles/fleetengine.deliveryFleetReader Grants read access to all Fleet Engine Delivery resources	fleetengine.deliveryvehicles.get fleetengine.deliveryvehicles.list fleetengine.tasks.get fleetengine.tasks.list fleetengine.tasks.searchWithTrackingId
Fleet Engine Delivery Super User roles/fleetengine.deliverySuperUser Full access to Fleet Engine DeliveryVehicles and Tasks resources.	fleetengine.deliveryvehicles.* fleetengine.tasks.* resourcemanager.projects.get resourcemanager.projects.list
Fleet Engine Delivery Trusted Driver User roles/fleetengine.deliveryTrustedDriver Read and write access to Fleet Engine Delivery resources	fleetengine.deliveryvehicles.create fleetengine.deliveryvehicles.get fleetengine.deliveryvehicles.update fleetengine.deliveryvehicles.updateLocation fleetengine.deliveryvehicles.updateVehicleStops fleetengine.tasks.create fleetengine.tasks.update
Fleet Engine Delivery Untrusted Driver User roles/fleetengine.deliveryUntrustedDriver Limited write access to Fleet Engine Delivery Vehicle resources	fleetengine.deliveryvehicles.get fleetengine.deliveryvehicles.updateLocation
Fleet Engine Driver SDK User roles/fleetengine.driverSdkUser Read and limited update access to Fleet Engine resources	fleetengine.trips.get fleetengine.trips.search fleetengine.trips.update fleetengine.vehicles.get fleetengine.vehicles.updateLocation
Fleet Engine Service Super User roles/fleetengine.serviceSuperUser Full access to all Fleet Engine resources.	fleetengine.* resourcemanager.projects.get resourcemanager.projects.list
Genomics Admin roles/genomics.admin Full access to genomics datasets and operations.	genomics.*
Genomics Editor roles/genomics.editor Access to read and edit genomics datasets and operations.	genomics.datasets.create genomics.datasets.delete genomics.datasets.get genomics.datasets.list genomics.datasets.update genomics.operations.*
Genomics Pipelines Runner roles/genomics.pipelinesRunner Full access to operate on genomics pipelines.	genomics.operations.*
Genomics Viewer roles/genomics.viewer Access to view genomics datasets and operations.	genomics.datasets.get genomics.datasets.list genomics.operations.get genomics.operations.list
GKE Hub Admin roles/gkehub.admin Full access to GKE Hub resources.	gkehub.features.* gkehub.fleet.* gkehub.locations.* gkehub.memberships.* gkehub.operations.* resourcemanager.projects.get resourcemanager.projects.list
GKE Connect Agent roles/gkehub.connect Ability to set up GKE Connect between external clusters and Google.	gkehub.endpoints.*
GKE Hub Editor roles/gkehub.editor Edit access to GKE Hub resources.	gkehub.features.create gkehub.features.delete gkehub.features.get gkehub.features.getIamPolicy gkehub.features.list gkehub.features.update gkehub.fleet.* gkehub.locations.* gkehub.memberships.create gkehub.memberships.delete gkehub.memberships.generateConnectManifest gkehub.memberships.get gkehub.memberships.getIamPolicy gkehub.memberships.list gkehub.memberships.update gkehub.operations.* resourcemanager.projects.get resourcemanager.projects.list
Connect Gateway Admin roles/gkehub.gatewayAdmin Full access to Connect Gateway.	gkehub.gateway.* serviceusage.services.get
Connect Gateway Reader roles/gkehub.gatewayReader Read-only access to Connect Gateway.	gkehub.gateway.get serviceusage.services.get
GKE Hub Viewer roles/gkehub.viewer Read-only access to GKE Hubs and related resources.	gkehub.features.get gkehub.features.getIamPolicy gkehub.features.list gkehub.fleet.get gkehub.locations.* gkehub.memberships.generateConnectManifest gkehub.memberships.get gkehub.memberships.getIamPolicy gkehub.memberships.list gkehub.operations.get gkehub.operations.list resourcemanager.projects.get resourcemanager.projects.list
GKE on-prem Admin roles/gkeonprem.admin Full access to GKE on-prem all resources.	gkeonprem.* resourcemanager.projects.get resourcemanager.projects.list
GKE on-prem Viewer roles/gkeonprem.viewer Read-only access to GKE on-prem all resources.	gkeonprem.locations.* gkeonprem.operations.get gkeonprem.operations.list gkeonprem.vmwareClusters.get gkeonprem.vmwareClusters.getIamPolicy gkeonprem.vmwareClusters.list gkeonprem.vmwareNodePools.get gkeonprem.vmwareNodePools.getIamPolicy gkeonprem.vmwareNodePools.list resourcemanager.projects.get resourcemanager.projects.list
Google Workspace Add-ons Developer roles/gsuiteaddons.developer Full access to Google Workspace Add-ons resources	gsuiteaddons.* resourcemanager.projects.get resourcemanager.projects.list
Google Workspace Add-ons Reader roles/gsuiteaddons.reader Read-only access to Google Workspace Add-ons resources	gsuiteaddons.authorizations.* gsuiteaddons.deployments.get gsuiteaddons.deployments.list resourcemanager.projects.get resourcemanager.projects.list
Google Workspace Add-ons Tester roles/gsuiteaddons.tester Testing execution access to Google Workspace Add-ons resources	gsuiteaddons.deployments.execute gsuiteaddons.deployments.install gsuiteaddons.deployments.installStatus gsuiteaddons.deployments.uninstall resourcemanager.projects.get resourcemanager.projects.list
Chat Bots Owner roles/chat.owner Can view and modify bot configurations	chat.*
Chat Bots Viewer roles/chat.reader Can view bot configurations	chat.bots.get
Deny Admin roles/iam.denyAdmin Deny admin role, with permissions to read and modify deny policies	iam.denypolicies.*
Deny Reviewer roles/iam.denyReviewer Deny Reviewer role, with permissions to read deny policies	iam.denypolicies.get iam.denypolicies.list
Security Admin roles/iam.securityAdmin Security admin role, with permissions to get and set any IAM policy.	accessapproval.requests.list accesscontextmanager.accessLevels.list accesscontextmanager.accessPolicies.getIamPolicy accesscontextmanager.accessPolicies.list accesscontextmanager.accessPolicies.setIamPolicy accesscontextmanager.accessZones.list accesscontextmanager.gcpUserAccessBindings.list accesscontextmanager.policies.getIamPolicy accesscontextmanager.policies.list accesscontextmanager.policies.setIamPolicy accesscontextmanager.servicePerimeters.list actions.agentVersions.list advisorynotifications.notifications.list aiplatform.annotationSpecs.list aiplatform.annotations.list aiplatform.artifacts.list aiplatform.batchPredictionJobs.list aiplatform.contexts.list aiplatform.customJobs.list aiplatform.dataItems.list aiplatform.dataLabelingJobs.list aiplatform.datasets.list aiplatform.deploymentResourcePools.list aiplatform.edgeDeploymentJobs.list aiplatform.edgeDevices.list aiplatform.endpoints.list aiplatform.entityTypes.list aiplatform.executions.list aiplatform.features.list aiplatform.featurestores.list aiplatform.humanInTheLoops.list aiplatform.hyperparameterTuningJobs.list aiplatform.indexEndpoints.list aiplatform.indexes.list aiplatform.locations.list aiplatform.metadataSchemas.list aiplatform.metadataStores.list aiplatform.modelDeploymentMonitoringJobs.list aiplatform.modelEvaluationSlices.list aiplatform.modelEvaluations.list aiplatform.models.list aiplatform.nasJobs.list aiplatform.operations.* aiplatform.pipelineJobs.list aiplatform.specialistPools.list aiplatform.studies.list aiplatform.tensorboardExperiments.list aiplatform.tensorboardRuns.list aiplatform.tensorboardTimeSeries.list aiplatform.tensorboards.list aiplatform.trainingPipelines.list aiplatform.trials.list analyticshub.dataExchanges.getIamPolicy analyticshub.dataExchanges.list analyticshub.dataExchanges.setIamPolicy analyticshub.listings.getIamPolicy analyticshub.listings.list analyticshub.listings.setIamPolicy apigateway.apiconfigs.getIamPolicy apigateway.apiconfigs.list apigateway.apiconfigs.setIamPolicy apigateway.apis.getIamPolicy apigateway.apis.list apigateway.apis.setIamPolicy apigateway.gateways.getIamPolicy apigateway.gateways.list apigateway.gateways.setIamPolicy apigateway.locations.list apigateway.operations.list apigee.apiproductattributes.list apigee.apiproducts.list apigee.apps.list apigee.archivedeployments.list apigee.caches.list apigee.datacollectors.list apigee.datastores.list apigee.deployments.list apigee.developerappattributes.list apigee.developerapps.list apigee.developerattributes.list apigee.developers.list apigee.developersubscriptions.list apigee.envgroupattachments.list apigee.envgroups.list apigee.environments.getIamPolicy apigee.environments.list apigee.environments.setIamPolicy apigee.exports.list apigee.flowhooks.list apigee.hostqueries.list apigee.hostsecurityreports.list apigee.instanceattachments.list apigee.instances.list apigee.keystorealiases.list apigee.keystores.list apigee.keyvaluemapentries.* apigee.keyvaluemaps.list apigee.operations.list apigee.organizations.list apigee.portals.list apigee.proxies.list apigee.proxyrevisions.list apigee.queries.list apigee.rateplans.list apigee.references.list apigee.reports.list apigee.resourcefiles.list apigee.securityreports.list apigee.sharedflowrevisions.list apigee.sharedflows.list apigee.targetservers.list apigee.tracesessions.list apigeeconnect.connections.* apigeeregistry.apis.getIamPolicy apigeeregistry.apis.list apigeeregistry.apis.setIamPolicy apigeeregistry.artifacts.getIamPolicy apigeeregistry.artifacts.list apigeeregistry.artifacts.setIamPolicy apigeeregistry.deployments.list apigeeregistry.locations.list apigeeregistry.operations.list apigeeregistry.specs.getIamPolicy apigeeregistry.specs.list apigeeregistry.specs.setIamPolicy apigeeregistry.versions.getIamPolicy apigeeregistry.versions.list apigeeregistry.versions.setIamPolicy apikeys.keys.list appengine.instances.list appengine.memcache.list appengine.operations.list appengine.services.list appengine.versions.list artifactregistry.dockerimages.list artifactregistry.files.list artifactregistry.packages.list artifactregistry.repositories.getIamPolicy artifactregistry.repositories.list artifactregistry.repositories.setIamPolicy artifactregistry.tags.list artifactregistry.versions.list assuredworkloads.operations.list assuredworkloads.violations.list assuredworkloads.workload.list automl.annotationSpecs.list automl.annotations.list automl.columnSpecs.list automl.datasets.getIamPolicy automl.datasets.list automl.datasets.setIamPolicy automl.examples.list automl.humanAnnotationTasks.list automl.locations.getIamPolicy automl.locations.list automl.locations.setIamPolicy automl.modelEvaluations.list automl.models.getIamPolicy automl.models.list automl.models.setIamPolicy automl.operations.list automl.tableSpecs.list automlrecommendations.apiKeys.list automlrecommendations.catalogItems.list automlrecommendations.catalogs.list automlrecommendations.events.list automlrecommendations.placements.list automlrecommendations.recommendations.list autoscaling.sites.getIamPolicy autoscaling.sites.setIamPolicy baremetalsolution.instances.list baremetalsolution.luns.list baremetalsolution.networks.list baremetalsolution.nfsshares.list baremetalsolution.snapshotschedulepolicies.list baremetalsolution.volumes.list baremetalsolution.volumesnapshots.list bigquery.capacityCommitments.list bigquery.connections.getIamPolicy bigquery.connections.list bigquery.connections.setIamPolicy bigquery.dataPolicies.getIamPolicy bigquery.dataPolicies.list bigquery.dataPolicies.setIamPolicy bigquery.datasets.getIamPolicy bigquery.datasets.setIamPolicy bigquery.jobs.list bigquery.models.list bigquery.reservationAssignments.list bigquery.reservations.list bigquery.routines.list bigquery.rowAccessPolicies.getIamPolicy bigquery.rowAccessPolicies.list bigquery.rowAccessPolicies.setIamPolicy bigquery.savedqueries.list bigquery.tables.getIamPolicy bigquery.tables.list bigquery.tables.setIamPolicy bigquerymigration.locations.list bigquerymigration.subtasks.list bigquerymigration.workflows.list bigtable.appProfiles.list bigtable.backups.getIamPolicy bigtable.backups.list bigtable.backups.setIamPolicy bigtable.clusters.list bigtable.instances.getIamPolicy bigtable.instances.list bigtable.instances.setIamPolicy bigtable.keyvisualizer.list bigtable.locations.* bigtable.tables.getIamPolicy bigtable.tables.list bigtable.tables.setIamPolicy billing.accounts.getIamPolicy billing.accounts.list billing.accounts.setIamPolicy billing.budgets.list billing.credits.* billing.resourceAssociations.list billing.subscriptions.list binaryauthorization.attestors.getIamPolicy binaryauthorization.attestors.list binaryauthorization.attestors.setIamPolicy binaryauthorization.continuousValidationConfig.getIamPolicy binaryauthorization.continuousValidationConfig.setIamPolicy binaryauthorization.platformPolicies.list binaryauthorization.policy.getIamPolicy binaryauthorization.policy.setIamPolicy certificatemanager.certmapentries.getIamPolicy certificatemanager.certmapentries.list certificatemanager.certmapentries.setIamPolicy certificatemanager.certmaps.getIamPolicy certificatemanager.certmaps.list certificatemanager.certmaps.setIamPolicy certificatemanager.certs.getIamPolicy certificatemanager.certs.list certificatemanager.certs.setIamPolicy certificatemanager.dnsauthorizations.getIamPolicy certificatemanager.dnsauthorizations.list certificatemanager.dnsauthorizations.setIamPolicy certificatemanager.locations.list certificatemanager.operations.list clientauthconfig.brands.list clientauthconfig.clients.list cloudasset.assets.searchAllResources cloudasset.feeds.list cloudasset.savedqueries.list cloudbuild.builds.list cloudbuild.integrations.list cloudbuild.workerpools.list clouddebugger.breakpoints.list clouddebugger.debuggees.list clouddeploy.deliveryPipelines.getIamPolicy clouddeploy.deliveryPipelines.list clouddeploy.deliveryPipelines.setIamPolicy clouddeploy.locations.list clouddeploy.operations.list clouddeploy.releases.list clouddeploy.rollouts.list clouddeploy.targets.getIamPolicy clouddeploy.targets.list clouddeploy.targets.setIamPolicy cloudfunctions.functions.getIamPolicy cloudfunctions.functions.list cloudfunctions.functions.setIamPolicy cloudfunctions.locations.list cloudfunctions.operations.list cloudfunctions.runtimes.* cloudiot.devices.list cloudiot.registries.getIamPolicy cloudiot.registries.list cloudiot.registries.setIamPolicy cloudjobdiscovery.companies.list cloudkms.cryptoKeyVersions.list cloudkms.cryptoKeys.getIamPolicy cloudkms.cryptoKeys.list cloudkms.cryptoKeys.setIamPolicy cloudkms.ekmConnections.getIamPolicy cloudkms.ekmConnections.list cloudkms.ekmConnections.setIamPolicy cloudkms.importJobs.getIamPolicy cloudkms.importJobs.list cloudkms.importJobs.setIamPolicy cloudkms.keyRings.getIamPolicy cloudkms.keyRings.list cloudkms.keyRings.setIamPolicy cloudkms.locations.list cloudnotifications.* cloudonefs.isiloncloud.com/clusters.list cloudonefs.isiloncloud.com/fileshares.list cloudprivatecatalogproducer.associations.list cloudprivatecatalogproducer.catalogAssociations.list cloudprivatecatalogproducer.catalogs.getIamPolicy cloudprivatecatalogproducer.catalogs.list cloudprivatecatalogproducer.catalogs.setIamPolicy cloudprivatecatalogproducer.producerCatalogs.getIamPolicy cloudprivatecatalogproducer.producerCatalogs.list cloudprivatecatalogproducer.producerCatalogs.setIamPolicy cloudprivatecatalogproducer.products.getIamPolicy cloudprivatecatalogproducer.products.list cloudprivatecatalogproducer.products.setIamPolicy cloudprofiler.profiles.list cloudscheduler.jobs.list cloudscheduler.locations.list cloudsecurityscanner.crawledurls.* cloudsecurityscanner.results.list cloudsecurityscanner.scanruns.list cloudsecurityscanner.scans.list cloudsql.backupRuns.list cloudsql.databases.list cloudsql.instances.list cloudsql.sslCerts.list cloudsql.users.list cloudsupport.accounts.getIamPolicy cloudsupport.accounts.list cloudsupport.accounts.setIamPolicy cloudsupport.techCases.list cloudtasks.locations.list cloudtasks.queues.getIamPolicy cloudtasks.queues.list cloudtasks.queues.setIamPolicy cloudtasks.tasks.list cloudtoolresults.executions.list cloudtoolresults.histories.list cloudtoolresults.steps.list cloudtrace.insights.list cloudtrace.tasks.list cloudtrace.traces.list cloudtranslate.glossaries.list cloudtranslate.locations.list cloudtranslate.operations.list cloudvolumesgcp-api.netapp.com/activeDirectories.list cloudvolumesgcp-api.netapp.com/ipRanges.* cloudvolumesgcp-api.netapp.com/jobs.list cloudvolumesgcp-api.netapp.com/regions.* cloudvolumesgcp-api.netapp.com/serviceLevels.* cloudvolumesgcp-api.netapp.com/snapshots.list cloudvolumesgcp-api.netapp.com/volumes.list commerceprice.privateoffers.list composer.dags.list composer.environments.list composer.imageversions.* composer.operations.list compute.acceleratorTypes.list compute.addresses.list compute.autoscalers.list compute.backendBuckets.list compute.backendServices.getIamPolicy compute.backendServices.list compute.backendServices.setIamPolicy compute.commitments.list compute.diskTypes.list compute.disks.getIamPolicy compute.disks.list compute.disks.setIamPolicy compute.externalVpnGateways.list compute.firewallPolicies.getIamPolicy compute.firewallPolicies.list compute.firewallPolicies.setIamPolicy compute.firewalls.list compute.forwardingRules.list compute.globalAddresses.list compute.globalForwardingRules.list compute.globalNetworkEndpointGroups.list compute.globalOperations.getIamPolicy compute.globalOperations.list compute.globalOperations.setIamPolicy compute.globalPublicDelegatedPrefixes.list compute.healthChecks.list compute.httpHealthChecks.list compute.httpsHealthChecks.list compute.images.getIamPolicy compute.images.list compute.images.setIamPolicy compute.instanceGroupManagers.list compute.instanceGroups.list compute.instanceTemplates.getIamPolicy compute.instanceTemplates.list compute.instanceTemplates.setIamPolicy compute.instances.getIamPolicy compute.instances.list compute.instances.setIamPolicy compute.interconnectAttachments.list compute.interconnectLocations.list compute.interconnects.list compute.licenseCodes.getIamPolicy compute.licenseCodes.list compute.licenseCodes.setIamPolicy compute.licenses.getIamPolicy compute.licenses.list compute.licenses.setIamPolicy compute.machineImages.getIamPolicy compute.machineImages.list compute.machineImages.setIamPolicy compute.machineTypes.list compute.maintenancePolicies.getIamPolicy compute.maintenancePolicies.list compute.maintenancePolicies.setIamPolicy compute.networkEndpointGroups.getIamPolicy compute.networkEndpointGroups.list compute.networkEndpointGroups.setIamPolicy compute.networks.list compute.nodeGroups.getIamPolicy compute.nodeGroups.list compute.nodeGroups.setIamPolicy compute.nodeTemplates.getIamPolicy compute.nodeTemplates.list compute.nodeTemplates.setIamPolicy compute.nodeTypes.list compute.packetMirrorings.list compute.publicAdvertisedPrefixes.list compute.publicDelegatedPrefixes.list compute.regionBackendServices.getIamPolicy compute.regionBackendServices.list compute.regionBackendServices.setIamPolicy compute.regionFirewallPolicies.getIamPolicy compute.regionFirewallPolicies.list compute.regionFirewallPolicies.setIamPolicy compute.regionHealthCheckServices.list compute.regionHealthChecks.list compute.regionNetworkEndpointGroups.list compute.regionNotificationEndpoints.list compute.regionOperations.getIamPolicy compute.regionOperations.list compute.regionOperations.setIamPolicy compute.regionSslCertificates.list compute.regionTargetHttpProxies.list compute.regionTargetHttpsProxies.list compute.regionUrlMaps.list compute.regions.list compute.reservations.list compute.resourcePolicies.list compute.routers.list compute.routes.list compute.securityPolicies.getIamPolicy compute.securityPolicies.list compute.securityPolicies.setIamPolicy compute.serviceAttachments.list compute.snapshots.getIamPolicy compute.snapshots.list compute.snapshots.setIamPolicy compute.sslCertificates.list compute.sslPolicies.list compute.subnetworks.getIamPolicy compute.subnetworks.list compute.subnetworks.setIamPolicy compute.targetGrpcProxies.list compute.targetHttpProxies.list compute.targetHttpsProxies.list compute.targetInstances.list compute.targetPools.list compute.targetSslProxies.list compute.targetTcpProxies.list compute.targetVpnGateways.list compute.urlMaps.list compute.vpnGateways.list compute.vpnTunnels.list compute.zoneOperations.getIamPolicy compute.zoneOperations.list compute.zoneOperations.setIamPolicy compute.zones.list connectors.connections.getIamPolicy connectors.connections.list connectors.connections.setIamPolicy connectors.connectors.list connectors.locations.list connectors.operations.list connectors.providers.list connectors.versions.list consumerprocurement.accounts.list consumerprocurement.entitlements.list consumerprocurement.freeTrials.list consumerprocurement.orderAttributions.list consumerprocurement.orders.list contactcenterinsights.analyses.list contactcenterinsights.conversations.list contactcenterinsights.issueModels.list contactcenterinsights.issues.list contactcenterinsights.operations.list contactcenterinsights.phraseMatchers.list container.apiServices.list container.auditSinks.list container.backendConfigs.list container.bindings.list container.certificateSigningRequests.list container.clusterRoleBindings.list container.clusterRoles.list container.clusters.list container.componentStatuses.list container.configMaps.list container.controllerRevisions.list container.cronJobs.list container.csiDrivers.list container.csiNodeInfos.list container.csiNodes.list container.customResourceDefinitions.list container.daemonSets.list container.deployments.list container.endpointSlices.list container.endpoints.list container.events.list container.frontendConfigs.list container.horizontalPodAutoscalers.list container.ingresses.list container.initializerConfigurations.list container.jobs.list container.leases.list container.limitRanges.list container.localSubjectAccessReviews.list container.managedCertificates.list container.mutatingWebhookConfigurations.list container.namespaces.list container.networkPolicies.list container.nodes.list container.operations.list container.persistentVolumeClaims.list container.persistentVolumes.list container.petSets.list container.podDisruptionBudgets.list container.podPresets.list container.podSecurityPolicies.list container.podTemplates.list container.pods.list container.priorityClasses.list container.replicaSets.list container.replicationControllers.list container.resourceQuotas.list container.roleBindings.list container.roles.list container.runtimeClasses.list container.scheduledJobs.list container.selfSubjectAccessReviews.list container.serviceAccounts.list container.services.list container.statefulSets.list container.storageClasses.list container.storageStates.list container.storageVersionMigrations.list container.subjectAccessReviews.list container.thirdPartyObjects.list container.thirdPartyResources.list container.updateInfos.list container.validatingWebhookConfigurations.list container.volumeAttachments.list container.volumeSnapshotClasses.list container.volumeSnapshotContents.list container.volumeSnapshots.list containeranalysis.notes.getIamPolicy containeranalysis.notes.list containeranalysis.notes.setIamPolicy containeranalysis.occurrences.getIamPolicy containeranalysis.occurrences.list containeranalysis.occurrences.setIamPolicy contentwarehouse.documentSchemas.list contentwarehouse.documents.getIamPolicy contentwarehouse.documents.setIamPolicy contentwarehouse.ruleSets.list contentwarehouse.synonymSets.list datacatalog.categories.getIamPolicy datacatalog.categories.setIamPolicy datacatalog.entries.getIamPolicy datacatalog.entries.list datacatalog.entries.setIamPolicy datacatalog.entryGroups.getIamPolicy datacatalog.entryGroups.list datacatalog.entryGroups.setIamPolicy datacatalog.tagTemplates.getIamPolicy datacatalog.tagTemplates.setIamPolicy datacatalog.taxonomies.getIamPolicy datacatalog.taxonomies.list datacatalog.taxonomies.setIamPolicy dataconnectors.connectors.getIamPolicy dataconnectors.connectors.list dataconnectors.connectors.setIamPolicy dataconnectors.locations.list dataconnectors.operations.list dataflow.jobs.list dataflow.messages.* dataflow.snapshots.list datafusion.instances.getIamPolicy datafusion.instances.list datafusion.instances.setIamPolicy datafusion.locations.list datafusion.operations.list datalabeling.annotateddatasets.list datalabeling.annotationspecsets.list datalabeling.dataitems.list datalabeling.datasets.list datalabeling.examples.list datalabeling.instructions.list datalabeling.operations.list datamigration.connectionprofiles.getIamPolicy datamigration.connectionprofiles.list datamigration.connectionprofiles.setIamPolicy datamigration.locations.list datamigration.migrationjobs.getIamPolicy datamigration.migrationjobs.list datamigration.migrationjobs.setIamPolicy datamigration.operations.list datapipelines.jobs.* datapipelines.pipelines.list dataplex.assetActions.* dataplex.assets.getIamPolicy dataplex.assets.list dataplex.assets.setIamPolicy dataplex.content.getIamPolicy dataplex.content.list dataplex.content.setIamPolicy dataplex.entities.list dataplex.environments.getIamPolicy dataplex.environments.list dataplex.environments.setIamPolicy dataplex.lakeActions.* dataplex.lakes.getIamPolicy dataplex.lakes.list dataplex.lakes.setIamPolicy dataplex.locations.list dataplex.operations.list dataplex.partitions.list dataplex.tasks.getIamPolicy dataplex.tasks.list dataplex.tasks.setIamPolicy dataplex.zoneActions.* dataplex.zones.getIamPolicy dataplex.zones.list dataplex.zones.setIamPolicy dataproc.agents.list dataproc.autoscalingPolicies.getIamPolicy dataproc.autoscalingPolicies.list dataproc.autoscalingPolicies.setIamPolicy dataproc.batches.list dataproc.clusters.getIamPolicy dataproc.clusters.list dataproc.clusters.setIamPolicy dataproc.jobs.getIamPolicy dataproc.jobs.list dataproc.jobs.setIamPolicy dataproc.operations.getIamPolicy dataproc.operations.list dataproc.operations.setIamPolicy dataproc.workflowTemplates.getIamPolicy dataproc.workflowTemplates.list dataproc.workflowTemplates.setIamPolicy dataprocessing.datasources.list dataprocessing.featurecontrols.list dataprocessing.groupcontrols.list datastore.databases.getIamPolicy datastore.databases.list datastore.databases.setIamPolicy datastore.entities.list datastore.indexes.list datastore.keyVisualizerScans.list datastore.locations.list datastore.namespaces.getIamPolicy datastore.namespaces.list datastore.namespaces.setIamPolicy datastore.operations.list datastore.statistics.list datastream.connectionProfiles.getIamPolicy datastream.connectionProfiles.list datastream.connectionProfiles.setIamPolicy datastream.locations.list datastream.objects.list datastream.operations.list datastream.privateConnections.getIamPolicy datastream.privateConnections.list datastream.privateConnections.setIamPolicy datastream.routes.getIamPolicy datastream.routes.list datastream.routes.setIamPolicy datastream.streams.getIamPolicy datastream.streams.list datastream.streams.setIamPolicy deploymentmanager.compositeTypes.list deploymentmanager.deployments.getIamPolicy deploymentmanager.deployments.list deploymentmanager.deployments.setIamPolicy deploymentmanager.manifests.list deploymentmanager.operations.list deploymentmanager.resources.list deploymentmanager.typeProviders.list deploymentmanager.types.list dialogflow.agents.list dialogflow.answerrecords.list dialogflow.callMatchers.list dialogflow.changelogs.list dialogflow.contexts.list dialogflow.conversationDatasets.list dialogflow.conversationModels.list dialogflow.conversationProfiles.list dialogflow.conversations.list dialogflow.documents.list dialogflow.entityTypes.list dialogflow.environments.list dialogflow.flows.list dialogflow.integrations.list dialogflow.intents.list dialogflow.knowledgeBases.list dialogflow.messages.* dialogflow.modelEvaluations.list dialogflow.pages.list dialogflow.participants.list dialogflow.phoneNumberOrders.list dialogflow.phoneNumbers.list dialogflow.securitySettings.list dialogflow.sessionEntityTypes.list dialogflow.smartMessagingEntries.list dialogflow.transitionRouteGroups.list dialogflow.versions.list dialogflow.webhooks.list dlp.analyzeRiskTemplates.list dlp.columnDataProfiles.list dlp.deidentifyTemplates.list dlp.estimates.list dlp.inspectFindings.* dlp.inspectTemplates.list dlp.jobTriggers.list dlp.jobs.list dlp.locations.list dlp.projectDataProfiles.list dlp.storedInfoTypes.list dlp.tableDataProfiles.list dns.changes.list dns.dnsKeys.list dns.managedZoneOperations.list dns.managedZones.list dns.policies.getIamPolicy dns.policies.list dns.policies.setIamPolicy dns.resourceRecordSets.list dns.responsePolicies.list dns.responsePolicyRules.list documentai.evaluations.list documentai.labelerPools.list documentai.locations.list documentai.processorTypes.list documentai.processorVersions.list documentai.processors.list domains.locations.list domains.operations.list domains.registrations.getIamPolicy domains.registrations.list domains.registrations.setIamPolicy earlyaccesscenter.campaigns.list earlyaccesscenter.customerAllowlists.list earthengine.assets.getIamPolicy earthengine.assets.list earthengine.assets.setIamPolicy earthengine.operations.list edgecontainer.clusters.getIamPolicy edgecontainer.clusters.list edgecontainer.clusters.setIamPolicy edgecontainer.locations.list edgecontainer.machines.getIamPolicy edgecontainer.machines.list edgecontainer.machines.setIamPolicy edgecontainer.nodePools.getIamPolicy edgecontainer.nodePools.list edgecontainer.nodePools.setIamPolicy edgecontainer.operations.list edgecontainer.vpnConnections.getIamPolicy edgecontainer.vpnConnections.list edgecontainer.vpnConnections.setIamPolicy errorreporting.applications.* errorreporting.errorEvents.list errorreporting.groups.* essentialcontacts.contacts.list eventarc.locations.list eventarc.operations.list eventarc.providers.list eventarc.triggers.getIamPolicy eventarc.triggers.list eventarc.triggers.setIamPolicy fcmdata.* file.backups.list file.instances.list file.locations.list file.operations.list firebase.clients.list firebase.links.list firebase.playLinks.list firebaseabt.experiments.list firebaseappdistro.groups.list firebaseappdistro.releases.list firebaseappdistro.testers.list firebasecrashlytics.issues.list firebasedatabase.instances.list firebasedynamiclinks.destinations.list firebasedynamiclinks.domains.list firebasedynamiclinks.links.list firebaseextensions.configs.list firebasehosting.sites.list firebaseinappmessaging.campaigns.list firebaseml.compressionjobs.list firebaseml.models.list firebaseml.modelversions.list firebasenotifications.messages.list firebasepredictions.predictions.list firebaserules.releases.list firebaserules.rulesets.list firebasestorage.buckets.list fleetengine.deliveryvehicles.list fleetengine.tasks.list fleetengine.vehicles.list gameservices.gameServerClusters.list gameservices.gameServerConfigs.list gameservices.gameServerDeployments.list gameservices.locations.list gameservices.operations.list gameservices.realms.list gcp.redisenterprise.com/databases.list gcp.redisenterprise.com/subscriptions.list genomics.datasets.getIamPolicy genomics.datasets.list genomics.datasets.setIamPolicy genomics.operations.list gkebackup.backupPlans.getIamPolicy gkebackup.backupPlans.list gkebackup.backupPlans.setIamPolicy gkebackup.backups.list gkebackup.locations.list gkebackup.operations.list gkebackup.restorePlans.getIamPolicy gkebackup.restorePlans.list gkebackup.restorePlans.setIamPolicy gkebackup.restores.list gkebackup.volumeBackups.list gkebackup.volumeRestores.list gkehub.features.getIamPolicy gkehub.features.list gkehub.features.setIamPolicy gkehub.gateway.getIamPolicy gkehub.gateway.setIamPolicy gkehub.locations.list gkehub.memberships.getIamPolicy gkehub.memberships.list gkehub.memberships.setIamPolicy gkehub.operations.list gkemulticloud.awsClusters.list gkemulticloud.awsNodePools.list gkemulticloud.azureClients.list gkemulticloud.azureClusters.list gkemulticloud.azureNodePools.list gkemulticloud.operations.list gkeonprem.locations.list gkeonprem.operations.list gkeonprem.vmwareClusters.getIamPolicy gkeonprem.vmwareClusters.list gkeonprem.vmwareClusters.setIamPolicy gkeonprem.vmwareNodePools.getIamPolicy gkeonprem.vmwareNodePools.list gkeonprem.vmwareNodePools.setIamPolicy gsuiteaddons.deployments.list healthcare.annotationStores.getIamPolicy healthcare.annotationStores.list healthcare.annotationStores.setIamPolicy healthcare.annotations.list healthcare.attributeDefinitions.list healthcare.consentArtifacts.list healthcare.consentStores.getIamPolicy healthcare.consentStores.list healthcare.consentStores.setIamPolicy healthcare.consents.list healthcare.datasets.getIamPolicy healthcare.datasets.list healthcare.datasets.setIamPolicy healthcare.dicomStores.getIamPolicy healthcare.dicomStores.list healthcare.dicomStores.setIamPolicy healthcare.fhirStores.getIamPolicy healthcare.fhirStores.list healthcare.fhirStores.setIamPolicy healthcare.hl7V2Messages.list healthcare.hl7V2Stores.getIamPolicy healthcare.hl7V2Stores.list healthcare.hl7V2Stores.setIamPolicy healthcare.locations.list healthcare.operations.list healthcare.userDataMappings.list iam.denypolicies.list iam.googleapis.com/workloadIdentityPoolProviders.list iam.googleapis.com/workloadIdentityPools.list iam.roles.get iam.roles.list iam.serviceAccountKeys.list iam.serviceAccounts.get iam.serviceAccounts.getIamPolicy iam.serviceAccounts.list iam.serviceAccounts.setIamPolicy iap.tunnel.* iap.tunnelInstances.getIamPolicy iap.tunnelInstances.setIamPolicy iap.tunnelZones.* iap.web.getIamPolicy iap.web.setIamPolicy iap.webServiceVersions.getIamPolicy iap.webServiceVersions.setIamPolicy iap.webServices.getIamPolicy iap.webServices.setIamPolicy iap.webTypes.getIamPolicy iap.webTypes.setIamPolicy ids.endpoints.getIamPolicy ids.endpoints.list ids.endpoints.setIamPolicy ids.locations.list ids.operations.list integrations.apigeeAuthConfigs.list integrations.apigeeCertificates.list integrations.apigeeExecutions.* integrations.apigeeIntegrationVers.list integrations.apigeeIntegrations.list integrations.apigeeSfdcChannels.list integrations.apigeeSfdcInstances.list integrations.apigeeSuspensions.list integrations.securityAuthConfigs.list integrations.securityExecutions.list integrations.securityIntegTempVers.list integrations.securityIntegrationVers.list integrations.securityIntegrations.list krmapihosting.krmApiHosts.getIamPolicy krmapihosting.krmApiHosts.list krmapihosting.krmApiHosts.setIamPolicy krmapihosting.locations.list krmapihosting.operations.list lifesciences.operations.list livestream.channels.list livestream.events.list livestream.inputs.list livestream.locations.list livestream.operations.list logging.buckets.list logging.exclusions.list logging.locations.list logging.logEntries.list logging.logMetrics.list logging.logServiceIndexes.* logging.logServices.* logging.logs.list logging.notificationRules.list logging.operations.list logging.privateLogEntries.* logging.queries.list logging.sinks.list logging.views.list managedidentities.backups.getIamPolicy managedidentities.backups.list managedidentities.backups.setIamPolicy managedidentities.domains.getIamPolicy managedidentities.domains.list managedidentities.domains.setIamPolicy managedidentities.locations.list managedidentities.operations.list managedidentities.peerings.getIamPolicy managedidentities.peerings.list managedidentities.peerings.setIamPolicy managedidentities.sqlintegrations.list memcache.instances.list memcache.locations.list memcache.operations.list metastore.backups.list metastore.databases.getIamPolicy metastore.databases.list metastore.databases.setIamPolicy metastore.imports.list metastore.locations.list metastore.operations.list metastore.services.getIamPolicy metastore.services.list metastore.services.setIamPolicy metastore.tables.getIamPolicy metastore.tables.list metastore.tables.setIamPolicy ml.jobs.getIamPolicy ml.jobs.list ml.jobs.setIamPolicy ml.locations.list ml.models.getIamPolicy ml.models.list ml.models.setIamPolicy ml.operations.list ml.studies.getIamPolicy ml.studies.list ml.studies.setIamPolicy ml.trials.list ml.versions.list monitoring.alertPolicies.list monitoring.dashboards.list monitoring.groups.list monitoring.metricDescriptors.list monitoring.monitoredResourceDescriptors.list monitoring.notificationChannelDescriptors.list monitoring.notificationChannels.list monitoring.publicWidgets.list monitoring.services.list monitoring.slos.list monitoring.timeSeries.list monitoring.uptimeCheckConfigs.list networkconnectivity.hubs.getIamPolicy networkconnectivity.hubs.list networkconnectivity.hubs.setIamPolicy networkconnectivity.locations.list networkconnectivity.operations.list networkconnectivity.spokes.getIamPolicy networkconnectivity.spokes.list networkconnectivity.spokes.setIamPolicy networkmanagement.connectivitytests.getIamPolicy networkmanagement.connectivitytests.list networkmanagement.connectivitytests.setIamPolicy networkmanagement.locations.list networkmanagement.operations.list networksecurity.authorizationPolicies.getIamPolicy networksecurity.authorizationPolicies.list networksecurity.authorizationPolicies.setIamPolicy networksecurity.clientTlsPolicies.getIamPolicy networksecurity.clientTlsPolicies.list networksecurity.clientTlsPolicies.setIamPolicy networksecurity.locations.list networksecurity.operations.list networksecurity.serverTlsPolicies.getIamPolicy networksecurity.serverTlsPolicies.list networksecurity.serverTlsPolicies.setIamPolicy networkservices.endpointConfigSelectors.getIamPolicy networkservices.endpointConfigSelectors.list networkservices.endpointConfigSelectors.setIamPolicy networkservices.endpointPolicies.getIamPolicy networkservices.endpointPolicies.list networkservices.endpointPolicies.setIamPolicy networkservices.gateways.list networkservices.grpcRoutes.getIamPolicy networkservices.grpcRoutes.list networkservices.grpcRoutes.setIamPolicy networkservices.httpFilters.getIamPolicy networkservices.httpFilters.list networkservices.httpFilters.setIamPolicy networkservices.httpRoutes.getIamPolicy networkservices.httpRoutes.list networkservices.httpRoutes.setIamPolicy networkservices.httpfilters.getIamPolicy networkservices.httpfilters.list networkservices.httpfilters.setIamPolicy networkservices.locations.list networkservices.meshes.getIamPolicy networkservices.meshes.list networkservices.meshes.setIamPolicy networkservices.operations.list networkservices.serviceBindings.list networkservices.tcpRoutes.getIamPolicy networkservices.tcpRoutes.list networkservices.tcpRoutes.setIamPolicy notebooks.environments.getIamPolicy notebooks.environments.list notebooks.environments.setIamPolicy notebooks.executions.getIamPolicy notebooks.executions.list notebooks.executions.setIamPolicy notebooks.instances.getIamPolicy notebooks.instances.list notebooks.instances.setIamPolicy notebooks.locations.list notebooks.operations.list notebooks.runtimes.getIamPolicy notebooks.runtimes.list notebooks.runtimes.setIamPolicy notebooks.schedules.getIamPolicy notebooks.schedules.list notebooks.schedules.setIamPolicy ondemandscanning.operations.list opsconfigmonitoring.resourceMetadata.list orgpolicy.constraints.* orgpolicy.policies.list osconfig.guestPolicies.list osconfig.instanceOSPoliciesCompliances.list osconfig.inventories.list osconfig.osPolicyAssignmentReports.list osconfig.osPolicyAssignments.list osconfig.patchDeployments.list osconfig.patchJobs.list osconfig.vulnerabilityReports.list paymentsresellersubscription.products.* paymentsresellersubscription.promotions.* policysimulator.* privateca.caPools.getIamPolicy privateca.caPools.list privateca.caPools.setIamPolicy privateca.certificateAuthorities.getIamPolicy privateca.certificateAuthorities.list privateca.certificateAuthorities.setIamPolicy privateca.certificateRevocationLists.getIamPolicy privateca.certificateRevocationLists.list privateca.certificateRevocationLists.setIamPolicy privateca.certificateTemplates.getIamPolicy privateca.certificateTemplates.list privateca.certificateTemplates.setIamPolicy privateca.certificates.getIamPolicy privateca.certificates.list privateca.certificates.setIamPolicy privateca.locations.list privateca.operations.list privateca.reusableConfigs.getIamPolicy privateca.reusableConfigs.list privateca.reusableConfigs.setIamPolicy proximitybeacon.attachments.list proximitybeacon.beacons.getIamPolicy proximitybeacon.beacons.list proximitybeacon.beacons.setIamPolicy proximitybeacon.namespaces.getIamPolicy proximitybeacon.namespaces.list proximitybeacon.namespaces.setIamPolicy pubsub.schemas.getIamPolicy pubsub.schemas.list pubsub.schemas.setIamPolicy pubsub.snapshots.getIamPolicy pubsub.snapshots.list pubsub.snapshots.setIamPolicy pubsub.subscriptions.getIamPolicy pubsub.subscriptions.list pubsub.subscriptions.setIamPolicy pubsub.topics.getIamPolicy pubsub.topics.list pubsub.topics.setIamPolicy pubsublite.operations.list pubsublite.reservations.list pubsublite.subscriptions.list pubsublite.topics.list recaptchaenterprise.keys.list recaptchaenterprise.relatedaccountgroupmemberships.* recaptchaenterprise.relatedaccountgroups.* recommender.bigqueryCapacityCommitmentsInsights.list recommender.bigqueryCapacityCommitmentsRecommendations.list recommender.cloudAssetInsights.list recommender.cloudsqlIdleInstanceRecommendations.list recommender.cloudsqlInstanceActivityInsights.list recommender.cloudsqlInstanceCpuUsageInsights.list recommender.cloudsqlInstanceDiskUsageTrendInsights.list recommender.cloudsqlInstanceMemoryUsageInsights.list recommender.cloudsqlInstanceOutOfDiskRecommendations.list recommender.cloudsqlOverprovisionedInstanceRecommendations.list recommender.commitmentUtilizationInsights.list recommender.computeAddressIdleResourceInsights.list recommender.computeAddressIdleResourceRecommendations.list recommender.computeDiskIdleResourceInsights.list recommender.computeDiskIdleResourceRecommendations.list recommender.computeFirewallInsights.list recommender.computeImageIdleResourceInsights.list recommender.computeImageIdleResourceRecommendations.list recommender.computeInstanceGroupManagerMachineTypeRecommendations.list recommender.computeInstanceIdleResourceRecommendations.list recommender.computeInstanceMachineTypeRecommendations.list recommender.dataflowDiagnosticsInsights.list recommender.errorReportingInsights.list recommender.errorReportingRecommendations.list recommender.iamPolicyInsights.list recommender.iamPolicyLateralMovementInsights.list recommender.iamPolicyRecommendations.list recommender.iamServiceAccountInsights.list recommender.locations.list recommender.loggingProductSuggestionContainerInsights.list recommender.loggingProductSuggestionContainerRecommendations.list recommender.monitoringProductSuggestionComputeInsights.list recommender.monitoringProductSuggestionComputeRecommendations.list recommender.resourcemanagerProjectUtilizationInsights.list recommender.resourcemanagerProjectUtilizationRecommendations.list recommender.usageCommitmentRecommendations.list redis.instances.list redis.locations.list redis.operations.list remotebuildexecution.instances.list remotebuildexecution.workerpools.list resourcemanager.folders.getIamPolicy resourcemanager.folders.list resourcemanager.folders.setIamPolicy resourcemanager.hierarchyNodes.listTagBindings resourcemanager.organizations.getIamPolicy resourcemanager.organizations.setIamPolicy resourcemanager.projects.getIamPolicy resourcemanager.projects.list resourcemanager.projects.setIamPolicy resourcemanager.tagHolds.list resourcemanager.tagKeys.getIamPolicy resourcemanager.tagKeys.list resourcemanager.tagKeys.setIamPolicy resourcemanager.tagValues.getIamPolicy resourcemanager.tagValues.list resourcemanager.tagValues.setIamPolicy resourcesettings.settings.list retail.catalogs.list retail.controls.list retail.models.list retail.operations.list retail.products.list retail.servingConfigs.list riskmanager.operations.list riskmanager.policies.list riskmanager.reports.list run.configurations.list run.locations.* run.operations.list run.revisions.list run.routes.list run.services.getIamPolicy run.services.list run.services.setIamPolicy runtimeconfig.configs.getIamPolicy runtimeconfig.configs.list runtimeconfig.configs.setIamPolicy runtimeconfig.operations.list runtimeconfig.variables.getIamPolicy runtimeconfig.variables.list runtimeconfig.variables.setIamPolicy runtimeconfig.waiters.getIamPolicy runtimeconfig.waiters.list runtimeconfig.waiters.setIamPolicy secretmanager.locations.list secretmanager.secrets.getIamPolicy secretmanager.secrets.list secretmanager.secrets.setIamPolicy secretmanager.versions.list securitycenter.assets.list securitycenter.bigQueryExports.list securitycenter.findings.list securitycenter.muteconfigs.list securitycenter.notificationconfig.list securitycenter.sources.getIamPolicy securitycenter.sources.list securitycenter.sources.setIamPolicy servicebroker.bindingoperations.list servicebroker.bindings.getIamPolicy servicebroker.bindings.list servicebroker.bindings.setIamPolicy servicebroker.catalogs.getIamPolicy servicebroker.catalogs.list servicebroker.catalogs.setIamPolicy servicebroker.instanceoperations.list servicebroker.instances.getIamPolicy servicebroker.instances.list servicebroker.instances.setIamPolicy serviceconsumermanagement.tenancyu.list servicedirectory.endpoints.getIamPolicy servicedirectory.endpoints.list servicedirectory.endpoints.setIamPolicy servicedirectory.locations.list servicedirectory.namespaces.getIamPolicy servicedirectory.namespaces.list servicedirectory.namespaces.setIamPolicy servicedirectory.services.getIamPolicy servicedirectory.services.list servicedirectory.services.setIamPolicy servicemanagement.services.getIamPolicy servicemanagement.services.list servicemanagement.services.setIamPolicy servicenetworking.operations.list serviceusage.operations.list serviceusage.services.list source.repos.getIamPolicy source.repos.list source.repos.setIamPolicy spanner.backupOperations.list spanner.backups.getIamPolicy spanner.backups.list spanner.backups.setIamPolicy spanner.databaseOperations.list spanner.databases.getIamPolicy spanner.databases.list spanner.databases.setIamPolicy spanner.instanceConfigs.list spanner.instanceOperations.list spanner.instances.getIamPolicy spanner.instances.list spanner.instances.setIamPolicy spanner.sessions.list speech.customClasses.list speech.phraseSets.list storage.buckets.getIamPolicy storage.buckets.list storage.buckets.setIamPolicy storage.hmacKeys.list storage.multipartUploads.list storage.objects.getIamPolicy storage.objects.list storage.objects.setIamPolicy storagetransfer.agentpools.list storagetransfer.jobs.list storagetransfer.operations.list tpu.acceleratortypes.list tpu.locations.list tpu.nodes.list tpu.operations.list tpu.tensorflowversions.list transcoder.jobTemplates.list transcoder.jobs.list translationhub.portals.list videostitcher.cdnKeys.list videostitcher.liveAdTagDetails.list videostitcher.slates.list videostitcher.vodAdTagDetails.list videostitcher.vodStitchDetails.list visualinspection.annotationSets.list visualinspection.annotationSpecs.list visualinspection.annotations.list visualinspection.datasets.list visualinspection.images.list visualinspection.locations.list visualinspection.modelEvaluations.list visualinspection.models.list visualinspection.modules.list visualinspection.operations.list visualinspection.solutionArtifacts.list visualinspection.solutions.list vmmigration.cloneJobs.list vmmigration.cutoverJobs.list vmmigration.datacenterConnectors.list vmmigration.deployments.list vmmigration.groups.list vmmigration.locations.list vmmigration.migratingVms.list vmmigration.operations.list vmmigration.sources.list vmmigration.targets.list vmmigration.utilizationReports.list vpcaccess.connectors.list vpcaccess.locations.* vpcaccess.operations.list workflows.executions.list workflows.locations.list workflows.operations.list workflows.workflows.list
Security Reviewer roles/iam.securityReviewer Provides permissions to list all resources and IAM policies on them.	accessapproval.requests.list accesscontextmanager.accessLevels.list accesscontextmanager.accessPolicies.getIamPolicy accesscontextmanager.accessPolicies.list accesscontextmanager.accessZones.list accesscontextmanager.gcpUserAccessBindings.list accesscontextmanager.policies.getIamPolicy accesscontextmanager.policies.list accesscontextmanager.servicePerimeters.list actions.agentVersions.list advisorynotifications.notifications.list aiplatform.annotationSpecs.list aiplatform.annotations.list aiplatform.artifacts.list aiplatform.batchPredictionJobs.list aiplatform.contexts.list aiplatform.customJobs.list aiplatform.dataItems.list aiplatform.dataLabelingJobs.list aiplatform.datasets.list aiplatform.deploymentResourcePools.list aiplatform.edgeDeploymentJobs.list aiplatform.edgeDevices.list aiplatform.endpoints.list aiplatform.entityTypes.list aiplatform.executions.list aiplatform.features.list aiplatform.featurestores.list aiplatform.humanInTheLoops.list aiplatform.hyperparameterTuningJobs.list aiplatform.indexEndpoints.list aiplatform.indexes.list aiplatform.locations.list aiplatform.metadataSchemas.list aiplatform.metadataStores.list aiplatform.modelDeploymentMonitoringJobs.list aiplatform.modelEvaluationSlices.list aiplatform.modelEvaluations.list aiplatform.models.list aiplatform.nasJobs.list aiplatform.operations.* aiplatform.pipelineJobs.list aiplatform.specialistPools.list aiplatform.studies.list aiplatform.tensorboardExperiments.list aiplatform.tensorboardRuns.list aiplatform.tensorboardTimeSeries.list aiplatform.tensorboards.list aiplatform.trainingPipelines.list aiplatform.trials.list analyticshub.dataExchanges.getIamPolicy analyticshub.dataExchanges.list analyticshub.listings.getIamPolicy analyticshub.listings.list apigateway.apiconfigs.getIamPolicy apigateway.apiconfigs.list apigateway.apis.getIamPolicy apigateway.apis.list apigateway.gateways.getIamPolicy apigateway.gateways.list apigateway.locations.list apigateway.operations.list apigee.apiproductattributes.list apigee.apiproducts.list apigee.apps.list apigee.archivedeployments.list apigee.caches.list apigee.datacollectors.list apigee.datastores.list apigee.deployments.list apigee.developerappattributes.list apigee.developerapps.list apigee.developerattributes.list apigee.developers.list apigee.developersubscriptions.list apigee.envgroupattachments.list apigee.envgroups.list apigee.environments.getIamPolicy apigee.environments.list apigee.exports.list apigee.flowhooks.list apigee.hostqueries.list apigee.hostsecurityreports.list apigee.instanceattachments.list apigee.instances.list apigee.keystorealiases.list apigee.keystores.list apigee.keyvaluemapentries.* apigee.keyvaluemaps.list apigee.operations.list apigee.organizations.list apigee.portals.list apigee.proxies.list apigee.proxyrevisions.list apigee.queries.list apigee.rateplans.list apigee.references.list apigee.reports.list apigee.resourcefiles.list apigee.securityreports.list apigee.sharedflowrevisions.list apigee.sharedflows.list apigee.targetservers.list apigee.tracesessions.list apigeeconnect.connections.* apigeeregistry.apis.getIamPolicy apigeeregistry.apis.list apigeeregistry.artifacts.getIamPolicy apigeeregistry.artifacts.list apigeeregistry.deployments.list apigeeregistry.locations.list apigeeregistry.operations.list apigeeregistry.specs.getIamPolicy apigeeregistry.specs.list apigeeregistry.versions.getIamPolicy apigeeregistry.versions.list apikeys.keys.list appengine.instances.list appengine.memcache.list appengine.operations.list appengine.services.list appengine.versions.list artifactregistry.dockerimages.list artifactregistry.files.list artifactregistry.packages.list artifactregistry.repositories.getIamPolicy artifactregistry.repositories.list artifactregistry.tags.list artifactregistry.versions.list assuredworkloads.operations.list assuredworkloads.violations.list assuredworkloads.workload.list automl.annotationSpecs.list automl.annotations.list automl.columnSpecs.list automl.datasets.getIamPolicy automl.datasets.list automl.examples.list automl.humanAnnotationTasks.list automl.locations.getIamPolicy automl.locations.list automl.modelEvaluations.list automl.models.getIamPolicy automl.models.list automl.operations.list automl.tableSpecs.list automlrecommendations.apiKeys.list automlrecommendations.catalogItems.list automlrecommendations.catalogs.list automlrecommendations.events.list automlrecommendations.placements.list automlrecommendations.recommendations.list autoscaling.sites.getIamPolicy baremetalsolution.instances.list baremetalsolution.luns.list baremetalsolution.networks.list baremetalsolution.nfsshares.list baremetalsolution.snapshotschedulepolicies.list baremetalsolution.volumes.list baremetalsolution.volumesnapshots.list bigquery.capacityCommitments.list bigquery.connections.getIamPolicy bigquery.connections.list bigquery.dataPolicies.getIamPolicy bigquery.dataPolicies.list bigquery.datasets.getIamPolicy bigquery.jobs.list bigquery.models.list bigquery.reservationAssignments.list bigquery.reservations.list bigquery.routines.list bigquery.rowAccessPolicies.getIamPolicy bigquery.rowAccessPolicies.list bigquery.savedqueries.list bigquery.tables.getIamPolicy bigquery.tables.list bigquerymigration.locations.list bigquerymigration.subtasks.list bigquerymigration.workflows.list bigtable.appProfiles.list bigtable.backups.getIamPolicy bigtable.backups.list bigtable.clusters.list bigtable.instances.getIamPolicy bigtable.instances.list bigtable.keyvisualizer.list bigtable.locations.* bigtable.tables.getIamPolicy bigtable.tables.list billing.accounts.getIamPolicy billing.accounts.list billing.budgets.list billing.credits.* billing.resourceAssociations.list billing.subscriptions.list binaryauthorization.attestors.getIamPolicy binaryauthorization.attestors.list binaryauthorization.continuousValidationConfig.getIamPolicy binaryauthorization.platformPolicies.list binaryauthorization.policy.getIamPolicy certificatemanager.certmapentries.getIamPolicy certificatemanager.certmapentries.list certificatemanager.certmaps.getIamPolicy certificatemanager.certmaps.list certificatemanager.certs.getIamPolicy certificatemanager.certs.list certificatemanager.dnsauthorizations.getIamPolicy certificatemanager.dnsauthorizations.list certificatemanager.locations.list certificatemanager.operations.list clientauthconfig.brands.list clientauthconfig.clients.list cloudasset.feeds.list cloudasset.savedqueries.list cloudbuild.builds.list cloudbuild.integrations.list cloudbuild.workerpools.list clouddebugger.breakpoints.list clouddebugger.debuggees.list clouddeploy.deliveryPipelines.getIamPolicy clouddeploy.deliveryPipelines.list clouddeploy.locations.list clouddeploy.operations.list clouddeploy.releases.list clouddeploy.rollouts.list clouddeploy.targets.getIamPolicy clouddeploy.targets.list cloudfunctions.functions.getIamPolicy cloudfunctions.functions.list cloudfunctions.locations.list cloudfunctions.operations.list cloudfunctions.runtimes.* cloudiot.devices.list cloudiot.registries.getIamPolicy cloudiot.registries.list cloudjobdiscovery.companies.list cloudkms.cryptoKeyVersions.list cloudkms.cryptoKeys.getIamPolicy cloudkms.cryptoKeys.list cloudkms.ekmConnections.getIamPolicy cloudkms.ekmConnections.list cloudkms.importJobs.getIamPolicy cloudkms.importJobs.list cloudkms.keyRings.getIamPolicy cloudkms.keyRings.list cloudkms.locations.list cloudnotifications.* cloudonefs.isiloncloud.com/clusters.list cloudonefs.isiloncloud.com/fileshares.list cloudprivatecatalogproducer.associations.list cloudprivatecatalogproducer.catalogAssociations.list cloudprivatecatalogproducer.catalogs.getIamPolicy cloudprivatecatalogproducer.catalogs.list cloudprivatecatalogproducer.producerCatalogs.getIamPolicy cloudprivatecatalogproducer.producerCatalogs.list cloudprivatecatalogproducer.products.getIamPolicy cloudprivatecatalogproducer.products.list cloudprofiler.profiles.list cloudscheduler.jobs.list cloudscheduler.locations.list cloudsecurityscanner.crawledurls.* cloudsecurityscanner.results.list cloudsecurityscanner.scanruns.list cloudsecurityscanner.scans.list cloudsql.backupRuns.list cloudsql.databases.list cloudsql.instances.list cloudsql.sslCerts.list cloudsql.users.list cloudsupport.accounts.getIamPolicy cloudsupport.accounts.list cloudsupport.techCases.list cloudtasks.locations.list cloudtasks.queues.getIamPolicy cloudtasks.queues.list cloudtasks.tasks.list cloudtoolresults.executions.list cloudtoolresults.histories.list cloudtoolresults.steps.list cloudtrace.insights.list cloudtrace.tasks.list cloudtrace.traces.list cloudtranslate.glossaries.list cloudtranslate.locations.list cloudtranslate.operations.list cloudvolumesgcp-api.netapp.com/activeDirectories.list cloudvolumesgcp-api.netapp.com/ipRanges.* cloudvolumesgcp-api.netapp.com/jobs.list cloudvolumesgcp-api.netapp.com/regions.* cloudvolumesgcp-api.netapp.com/serviceLevels.* cloudvolumesgcp-api.netapp.com/snapshots.list cloudvolumesgcp-api.netapp.com/volumes.list commerceprice.privateoffers.list composer.dags.list composer.environments.list composer.imageversions.* composer.operations.list compute.acceleratorTypes.list compute.addresses.list compute.autoscalers.list compute.backendBuckets.list compute.backendServices.getIamPolicy compute.backendServices.list compute.commitments.list compute.diskTypes.list compute.disks.getIamPolicy compute.disks.list compute.externalVpnGateways.list compute.firewallPolicies.getIamPolicy compute.firewallPolicies.list compute.firewalls.list compute.forwardingRules.list compute.globalAddresses.list compute.globalForwardingRules.list compute.globalNetworkEndpointGroups.list compute.globalOperations.getIamPolicy compute.globalOperations.list compute.globalPublicDelegatedPrefixes.list compute.healthChecks.list compute.httpHealthChecks.list compute.httpsHealthChecks.list compute.images.getIamPolicy compute.images.list compute.instanceGroupManagers.list compute.instanceGroups.list compute.instanceTemplates.getIamPolicy compute.instanceTemplates.list compute.instances.getIamPolicy compute.instances.list compute.interconnectAttachments.list compute.interconnectLocations.list compute.interconnects.list compute.licenseCodes.getIamPolicy compute.licenseCodes.list compute.licenses.getIamPolicy compute.licenses.list compute.machineImages.getIamPolicy compute.machineImages.list compute.machineTypes.list compute.maintenancePolicies.getIamPolicy compute.maintenancePolicies.list compute.networkEndpointGroups.getIamPolicy compute.networkEndpointGroups.list compute.networks.list compute.nodeGroups.getIamPolicy compute.nodeGroups.list compute.nodeTemplates.getIamPolicy compute.nodeTemplates.list compute.nodeTypes.list compute.packetMirrorings.list compute.publicAdvertisedPrefixes.list compute.publicDelegatedPrefixes.list compute.regionBackendServices.getIamPolicy compute.regionBackendServices.list compute.regionFirewallPolicies.getIamPolicy compute.regionFirewallPolicies.list compute.regionHealthCheckServices.list compute.regionHealthChecks.list compute.regionNetworkEndpointGroups.list compute.regionNotificationEndpoints.list compute.regionOperations.getIamPolicy compute.regionOperations.list compute.regionSslCertificates.list compute.regionTargetHttpProxies.list compute.regionTargetHttpsProxies.list compute.regionUrlMaps.list compute.regions.list compute.reservations.list compute.resourcePolicies.list compute.routers.list compute.routes.list compute.securityPolicies.getIamPolicy compute.securityPolicies.list compute.serviceAttachments.list compute.snapshots.getIamPolicy compute.snapshots.list compute.sslCertificates.list compute.sslPolicies.list compute.subnetworks.getIamPolicy compute.subnetworks.list compute.targetGrpcProxies.list compute.targetHttpProxies.list compute.targetHttpsProxies.list compute.targetInstances.list compute.targetPools.list compute.targetSslProxies.list compute.targetTcpProxies.list compute.targetVpnGateways.list compute.urlMaps.list compute.vpnGateways.list compute.vpnTunnels.list compute.zoneOperations.getIamPolicy compute.zoneOperations.list compute.zones.list connectors.connections.getIamPolicy connectors.connections.list connectors.connectors.list connectors.locations.list connectors.operations.list connectors.providers.list connectors.versions.list consumerprocurement.accounts.list consumerprocurement.entitlements.list consumerprocurement.freeTrials.list consumerprocurement.orderAttributions.list consumerprocurement.orders.list contactcenterinsights.analyses.list contactcenterinsights.conversations.list contactcenterinsights.issueModels.list contactcenterinsights.issues.list contactcenterinsights.operations.list contactcenterinsights.phraseMatchers.list container.apiServices.list container.auditSinks.list container.backendConfigs.list container.bindings.list container.certificateSigningRequests.list container.clusterRoleBindings.list container.clusterRoles.list container.clusters.list container.componentStatuses.list container.configMaps.list container.controllerRevisions.list container.cronJobs.list container.csiDrivers.list container.csiNodeInfos.list container.csiNodes.list container.customResourceDefinitions.list container.daemonSets.list container.deployments.list container.endpointSlices.list container.endpoints.list container.events.list container.frontendConfigs.list container.horizontalPodAutoscalers.list container.ingresses.list container.initializerConfigurations.list container.jobs.list container.leases.list container.limitRanges.list container.localSubjectAccessReviews.list container.managedCertificates.list container.mutatingWebhookConfigurations.list container.namespaces.list container.networkPolicies.list container.nodes.list container.operations.list container.persistentVolumeClaims.list container.persistentVolumes.list container.petSets.list container.podDisruptionBudgets.list container.podPresets.list container.podSecurityPolicies.list container.podTemplates.list container.pods.list container.priorityClasses.list container.replicaSets.list container.replicationControllers.list container.resourceQuotas.list container.roleBindings.list container.roles.list container.runtimeClasses.list container.scheduledJobs.list container.selfSubjectAccessReviews.list container.serviceAccounts.list container.services.list container.statefulSets.list container.storageClasses.list container.storageStates.list container.storageVersionMigrations.list container.subjectAccessReviews.list container.thirdPartyObjects.list container.thirdPartyResources.list container.updateInfos.list container.validatingWebhookConfigurations.list container.volumeAttachments.list container.volumeSnapshotClasses.list container.volumeSnapshotContents.list container.volumeSnapshots.list containeranalysis.notes.getIamPolicy containeranalysis.notes.list containeranalysis.occurrences.getIamPolicy containeranalysis.occurrences.list contentwarehouse.documentSchemas.list contentwarehouse.documents.getIamPolicy contentwarehouse.ruleSets.list contentwarehouse.synonymSets.list datacatalog.categories.getIamPolicy datacatalog.entries.getIamPolicy datacatalog.entries.list datacatalog.entryGroups.getIamPolicy datacatalog.entryGroups.list datacatalog.tagTemplates.getIamPolicy datacatalog.taxonomies.getIamPolicy datacatalog.taxonomies.list dataconnectors.connectors.getIamPolicy dataconnectors.connectors.list dataconnectors.locations.list dataconnectors.operations.list dataflow.jobs.list dataflow.messages.* dataflow.snapshots.list datafusion.instances.getIamPolicy datafusion.instances.list datafusion.locations.list datafusion.operations.list datalabeling.annotateddatasets.list datalabeling.annotationspecsets.list datalabeling.dataitems.list datalabeling.datasets.list datalabeling.examples.list datalabeling.instructions.list datalabeling.operations.list datamigration.connectionprofiles.getIamPolicy datamigration.connectionprofiles.list datamigration.locations.list datamigration.migrationjobs.getIamPolicy datamigration.migrationjobs.list datamigration.operations.list datapipelines.jobs.* datapipelines.pipelines.list dataplex.assetActions.* dataplex.assets.getIamPolicy dataplex.assets.list dataplex.content.getIamPolicy dataplex.content.list dataplex.entities.list dataplex.environments.getIamPolicy dataplex.environments.list dataplex.lakeActions.* dataplex.lakes.getIamPolicy dataplex.lakes.list dataplex.locations.list dataplex.operations.list dataplex.partitions.list dataplex.tasks.getIamPolicy dataplex.tasks.list dataplex.zoneActions.* dataplex.zones.getIamPolicy dataplex.zones.list dataproc.agents.list dataproc.autoscalingPolicies.getIamPolicy dataproc.autoscalingPolicies.list dataproc.batches.list dataproc.clusters.getIamPolicy dataproc.clusters.list dataproc.jobs.getIamPolicy dataproc.jobs.list dataproc.operations.getIamPolicy dataproc.operations.list dataproc.workflowTemplates.getIamPolicy dataproc.workflowTemplates.list dataprocessing.datasources.list dataprocessing.featurecontrols.list dataprocessing.groupcontrols.list datastore.databases.getIamPolicy datastore.databases.list datastore.entities.list datastore.indexes.list datastore.keyVisualizerScans.list datastore.locations.list datastore.namespaces.getIamPolicy datastore.namespaces.list datastore.operations.list datastore.statistics.list datastream.connectionProfiles.getIamPolicy datastream.connectionProfiles.list datastream.locations.list datastream.objects.list datastream.operations.list datastream.privateConnections.getIamPolicy datastream.privateConnections.list datastream.routes.getIamPolicy datastream.routes.list datastream.streams.getIamPolicy datastream.streams.list deploymentmanager.compositeTypes.list deploymentmanager.deployments.getIamPolicy deploymentmanager.deployments.list deploymentmanager.manifests.list deploymentmanager.operations.list deploymentmanager.resources.list deploymentmanager.typeProviders.list deploymentmanager.types.list dialogflow.agents.list dialogflow.answerrecords.list dialogflow.callMatchers.list dialogflow.changelogs.list dialogflow.contexts.list dialogflow.conversationDatasets.list dialogflow.conversationModels.list dialogflow.conversationProfiles.list dialogflow.conversations.list dialogflow.documents.list dialogflow.entityTypes.list dialogflow.environments.list dialogflow.flows.list dialogflow.integrations.list dialogflow.intents.list dialogflow.knowledgeBases.list dialogflow.messages.* dialogflow.modelEvaluations.list dialogflow.pages.list dialogflow.participants.list dialogflow.phoneNumberOrders.list dialogflow.phoneNumbers.list dialogflow.securitySettings.list dialogflow.sessionEntityTypes.list dialogflow.smartMessagingEntries.list dialogflow.transitionRouteGroups.list dialogflow.versions.list dialogflow.webhooks.list dlp.analyzeRiskTemplates.list dlp.columnDataProfiles.list dlp.deidentifyTemplates.list dlp.estimates.list dlp.inspectFindings.* dlp.inspectTemplates.list dlp.jobTriggers.list dlp.jobs.list dlp.locations.list dlp.projectDataProfiles.list dlp.storedInfoTypes.list dlp.tableDataProfiles.list dns.changes.list dns.dnsKeys.list dns.managedZoneOperations.list dns.managedZones.list dns.policies.getIamPolicy dns.policies.list dns.resourceRecordSets.list dns.responsePolicies.list dns.responsePolicyRules.list documentai.evaluations.list documentai.labelerPools.list documentai.locations.list documentai.processorTypes.list documentai.processorVersions.list documentai.processors.list domains.locations.list domains.operations.list domains.registrations.getIamPolicy domains.registrations.list earlyaccesscenter.campaigns.list earlyaccesscenter.customerAllowlists.list earthengine.assets.getIamPolicy earthengine.assets.list earthengine.operations.list edgecontainer.clusters.getIamPolicy edgecontainer.clusters.list edgecontainer.locations.list edgecontainer.machines.getIamPolicy edgecontainer.machines.list edgecontainer.nodePools.getIamPolicy edgecontainer.nodePools.list edgecontainer.operations.list edgecontainer.vpnConnections.getIamPolicy edgecontainer.vpnConnections.list errorreporting.applications.* errorreporting.errorEvents.list errorreporting.groups.* essentialcontacts.contacts.list eventarc.locations.list eventarc.operations.list eventarc.providers.list eventarc.triggers.getIamPolicy eventarc.triggers.list fcmdata.* file.backups.list file.instances.list file.locations.list file.operations.list firebase.clients.list firebase.links.list firebase.playLinks.list firebaseabt.experiments.list firebaseappdistro.groups.list firebaseappdistro.releases.list firebaseappdistro.testers.list firebasecrashlytics.issues.list firebasedatabase.instances.list firebasedynamiclinks.destinations.list firebasedynamiclinks.domains.list firebasedynamiclinks.links.list firebaseextensions.configs.list firebasehosting.sites.list firebaseinappmessaging.campaigns.list firebaseml.compressionjobs.list firebaseml.models.list firebaseml.modelversions.list firebasenotifications.messages.list firebasepredictions.predictions.list firebaserules.releases.list firebaserules.rulesets.list firebasestorage.buckets.list fleetengine.deliveryvehicles.list fleetengine.tasks.list fleetengine.vehicles.list gameservices.gameServerClusters.list gameservices.gameServerConfigs.list gameservices.gameServerDeployments.list gameservices.locations.list gameservices.operations.list gameservices.realms.list gcp.redisenterprise.com/databases.list gcp.redisenterprise.com/subscriptions.list genomics.datasets.getIamPolicy genomics.datasets.list genomics.operations.list gkebackup.backupPlans.getIamPolicy gkebackup.backupPlans.list gkebackup.backups.list gkebackup.locations.list gkebackup.operations.list gkebackup.restorePlans.getIamPolicy gkebackup.restorePlans.list gkebackup.restores.list gkebackup.volumeBackups.list gkebackup.volumeRestores.list gkehub.features.getIamPolicy gkehub.features.list gkehub.gateway.getIamPolicy gkehub.locations.list gkehub.memberships.getIamPolicy gkehub.memberships.list gkehub.operations.list gkemulticloud.awsClusters.list gkemulticloud.awsNodePools.list gkemulticloud.azureClients.list gkemulticloud.azureClusters.list gkemulticloud.azureNodePools.list gkemulticloud.operations.list gkeonprem.locations.list gkeonprem.operations.list gkeonprem.vmwareClusters.getIamPolicy gkeonprem.vmwareClusters.list gkeonprem.vmwareNodePools.getIamPolicy gkeonprem.vmwareNodePools.list gsuiteaddons.deployments.list healthcare.annotationStores.getIamPolicy healthcare.annotationStores.list healthcare.annotations.list healthcare.attributeDefinitions.list healthcare.consentArtifacts.list healthcare.consentStores.getIamPolicy healthcare.consentStores.list healthcare.consents.list healthcare.datasets.getIamPolicy healthcare.datasets.list healthcare.dicomStores.getIamPolicy healthcare.dicomStores.list healthcare.fhirStores.getIamPolicy healthcare.fhirStores.list healthcare.hl7V2Messages.list healthcare.hl7V2Stores.getIamPolicy healthcare.hl7V2Stores.list healthcare.locations.list healthcare.operations.list healthcare.userDataMappings.list iam.denypolicies.list iam.googleapis.com/workloadIdentityPoolProviders.list iam.googleapis.com/workloadIdentityPools.list iam.roles.get iam.roles.list iam.serviceAccountKeys.list iam.serviceAccounts.get iam.serviceAccounts.getIamPolicy iam.serviceAccounts.list iap.tunnel.getIamPolicy iap.tunnelInstances.getIamPolicy iap.tunnelZones.getIamPolicy iap.web.getIamPolicy iap.webServiceVersions.getIamPolicy iap.webServices.getIamPolicy iap.webTypes.getIamPolicy ids.endpoints.getIamPolicy ids.endpoints.list ids.locations.list ids.operations.list integrations.apigeeAuthConfigs.list integrations.apigeeCertificates.list integrations.apigeeExecutions.* integrations.apigeeIntegrationVers.list integrations.apigeeIntegrations.list integrations.apigeeSfdcChannels.list integrations.apigeeSfdcInstances.list integrations.apigeeSuspensions.list integrations.securityAuthConfigs.list integrations.securityExecutions.list integrations.securityIntegTempVers.list integrations.securityIntegrationVers.list integrations.securityIntegrations.list krmapihosting.krmApiHosts.getIamPolicy krmapihosting.krmApiHosts.list krmapihosting.locations.list krmapihosting.operations.list lifesciences.operations.list livestream.channels.list livestream.events.list livestream.inputs.list livestream.locations.list livestream.operations.list logging.buckets.list logging.exclusions.list logging.locations.list logging.logEntries.list logging.logMetrics.list logging.logServiceIndexes.* logging.logServices.* logging.logs.list logging.notificationRules.list logging.operations.list logging.privateLogEntries.* logging.queries.list logging.sinks.list logging.views.list managedidentities.backups.getIamPolicy managedidentities.backups.list managedidentities.domains.getIamPolicy managedidentities.domains.list managedidentities.locations.list managedidentities.operations.list managedidentities.peerings.getIamPolicy managedidentities.peerings.list managedidentities.sqlintegrations.list memcache.instances.list memcache.locations.list memcache.operations.list metastore.backups.list metastore.databases.getIamPolicy metastore.databases.list metastore.imports.list metastore.locations.list metastore.operations.list metastore.services.getIamPolicy metastore.services.list metastore.tables.getIamPolicy metastore.tables.list ml.jobs.getIamPolicy ml.jobs.list ml.locations.list ml.models.getIamPolicy ml.models.list ml.operations.list ml.studies.getIamPolicy ml.studies.list ml.trials.list ml.versions.list monitoring.alertPolicies.list monitoring.dashboards.list monitoring.groups.list monitoring.metricDescriptors.list monitoring.monitoredResourceDescriptors.list monitoring.notificationChannelDescriptors.list monitoring.notificationChannels.list monitoring.publicWidgets.list monitoring.services.list monitoring.slos.list monitoring.timeSeries.list monitoring.uptimeCheckConfigs.list networkconnectivity.hubs.getIamPolicy networkconnectivity.hubs.list networkconnectivity.locations.list networkconnectivity.operations.list networkconnectivity.spokes.getIamPolicy networkconnectivity.spokes.list networkmanagement.connectivitytests.getIamPolicy networkmanagement.connectivitytests.list networkmanagement.locations.list networkmanagement.operations.list networksecurity.authorizationPolicies.getIamPolicy networksecurity.authorizationPolicies.list networksecurity.clientTlsPolicies.getIamPolicy networksecurity.clientTlsPolicies.list networksecurity.locations.list networksecurity.operations.list networksecurity.serverTlsPolicies.getIamPolicy networksecurity.serverTlsPolicies.list networkservices.endpointConfigSelectors.getIamPolicy networkservices.endpointConfigSelectors.list networkservices.endpointPolicies.getIamPolicy networkservices.endpointPolicies.list networkservices.gateways.list networkservices.grpcRoutes.getIamPolicy networkservices.grpcRoutes.list networkservices.httpFilters.getIamPolicy networkservices.httpFilters.list networkservices.httpRoutes.getIamPolicy networkservices.httpRoutes.list networkservices.httpfilters.getIamPolicy networkservices.httpfilters.list networkservices.locations.list networkservices.meshes.getIamPolicy networkservices.meshes.list networkservices.operations.list networkservices.serviceBindings.list networkservices.tcpRoutes.getIamPolicy networkservices.tcpRoutes.list notebooks.environments.getIamPolicy notebooks.environments.list notebooks.executions.getIamPolicy notebooks.executions.list notebooks.instances.getIamPolicy notebooks.instances.list notebooks.locations.list notebooks.operations.list notebooks.runtimes.getIamPolicy notebooks.runtimes.list notebooks.schedules.getIamPolicy notebooks.schedules.list ondemandscanning.operations.list opsconfigmonitoring.resourceMetadata.list orgpolicy.constraints.* orgpolicy.policies.list osconfig.guestPolicies.list osconfig.instanceOSPoliciesCompliances.list osconfig.inventories.list osconfig.osPolicyAssignmentReports.list osconfig.osPolicyAssignments.list osconfig.patchDeployments.list osconfig.patchJobs.list osconfig.vulnerabilityReports.list paymentsresellersubscription.products.* paymentsresellersubscription.promotions.* policysimulator.replayResults.* policysimulator.replays.list privateca.caPools.getIamPolicy privateca.caPools.list privateca.certificateAuthorities.getIamPolicy privateca.certificateAuthorities.list privateca.certificateRevocationLists.getIamPolicy privateca.certificateRevocationLists.list privateca.certificateTemplates.getIamPolicy privateca.certificateTemplates.list privateca.certificates.getIamPolicy privateca.certificates.list privateca.locations.list privateca.operations.list privateca.reusableConfigs.getIamPolicy privateca.reusableConfigs.list proximitybeacon.attachments.list proximitybeacon.beacons.getIamPolicy proximitybeacon.beacons.list proximitybeacon.namespaces.getIamPolicy proximitybeacon.namespaces.list pubsub.schemas.getIamPolicy pubsub.schemas.list pubsub.snapshots.getIamPolicy pubsub.snapshots.list pubsub.subscriptions.getIamPolicy pubsub.subscriptions.list pubsub.topics.getIamPolicy pubsub.topics.list pubsublite.operations.list pubsublite.reservations.list pubsublite.subscriptions.list pubsublite.topics.list recaptchaenterprise.keys.list recaptchaenterprise.relatedaccountgroupmemberships.* recaptchaenterprise.relatedaccountgroups.* recommender.bigqueryCapacityCommitmentsInsights.list recommender.bigqueryCapacityCommitmentsRecommendations.list recommender.cloudAssetInsights.list recommender.cloudsqlIdleInstanceRecommendations.list recommender.cloudsqlInstanceActivityInsights.list recommender.cloudsqlInstanceCpuUsageInsights.list recommender.cloudsqlInstanceDiskUsageTrendInsights.list recommender.cloudsqlInstanceMemoryUsageInsights.list recommender.cloudsqlInstanceOutOfDiskRecommendations.list recommender.cloudsqlOverprovisionedInstanceRecommendations.list recommender.commitmentUtilizationInsights.list recommender.computeAddressIdleResourceInsights.list recommender.computeAddressIdleResourceRecommendations.list recommender.computeDiskIdleResourceInsights.list recommender.computeDiskIdleResourceRecommendations.list recommender.computeFirewallInsights.list recommender.computeImageIdleResourceInsights.list recommender.computeImageIdleResourceRecommendations.list recommender.computeInstanceGroupManagerMachineTypeRecommendations.list recommender.computeInstanceIdleResourceRecommendations.list recommender.computeInstanceMachineTypeRecommendations.list recommender.dataflowDiagnosticsInsights.list recommender.errorReportingInsights.list recommender.errorReportingRecommendations.list recommender.iamPolicyInsights.list recommender.iamPolicyLateralMovementInsights.list recommender.iamPolicyRecommendations.list recommender.iamServiceAccountInsights.list recommender.locations.list recommender.loggingProductSuggestionContainerInsights.list recommender.loggingProductSuggestionContainerRecommendations.list recommender.monitoringProductSuggestionComputeInsights.list recommender.monitoringProductSuggestionComputeRecommendations.list recommender.resourcemanagerProjectUtilizationInsights.list recommender.resourcemanagerProjectUtilizationRecommendations.list recommender.usageCommitmentRecommendations.list redis.instances.list redis.locations.list redis.operations.list remotebuildexecution.instances.list remotebuildexecution.workerpools.list resourcemanager.folders.getIamPolicy resourcemanager.folders.list resourcemanager.hierarchyNodes.listTagBindings resourcemanager.organizations.getIamPolicy resourcemanager.projects.getIamPolicy resourcemanager.projects.list resourcemanager.tagHolds.list resourcemanager.tagKeys.getIamPolicy resourcemanager.tagKeys.list resourcemanager.tagValues.getIamPolicy resourcemanager.tagValues.list resourcesettings.settings.list retail.catalogs.list retail.controls.list retail.models.list retail.operations.list retail.products.list retail.servingConfigs.list riskmanager.operations.list riskmanager.policies.list riskmanager.reports.list run.configurations.list run.locations.* run.operations.list run.revisions.list run.routes.list run.services.getIamPolicy run.services.list runtimeconfig.configs.getIamPolicy runtimeconfig.configs.list runtimeconfig.operations.list runtimeconfig.variables.getIamPolicy runtimeconfig.variables.list runtimeconfig.waiters.getIamPolicy runtimeconfig.waiters.list secretmanager.locations.list secretmanager.secrets.getIamPolicy secretmanager.secrets.list secretmanager.versions.list securitycenter.assets.list securitycenter.bigQueryExports.list securitycenter.findings.list securitycenter.muteconfigs.list securitycenter.notificationconfig.list securitycenter.sources.getIamPolicy securitycenter.sources.list servicebroker.bindingoperations.list servicebroker.bindings.getIamPolicy servicebroker.bindings.list servicebroker.catalogs.getIamPolicy servicebroker.catalogs.list servicebroker.instanceoperations.list servicebroker.instances.getIamPolicy servicebroker.instances.list serviceconsumermanagement.tenancyu.list servicedirectory.endpoints.getIamPolicy servicedirectory.endpoints.list servicedirectory.locations.list servicedirectory.namespaces.getIamPolicy servicedirectory.namespaces.list servicedirectory.services.getIamPolicy servicedirectory.services.list servicemanagement.services.getIamPolicy servicemanagement.services.list servicenetworking.operations.list serviceusage.operations.list serviceusage.services.list source.repos.getIamPolicy source.repos.list spanner.backupOperations.list spanner.backups.getIamPolicy spanner.backups.list spanner.databaseOperations.list spanner.databases.getIamPolicy spanner.databases.list spanner.instanceConfigs.list spanner.instanceOperations.list spanner.instances.getIamPolicy spanner.instances.list spanner.sessions.list speech.customClasses.list speech.phraseSets.list storage.buckets.getIamPolicy storage.buckets.list storage.hmacKeys.list storage.multipartUploads.list storage.objects.getIamPolicy storage.objects.list storagetransfer.agentpools.list storagetransfer.jobs.list storagetransfer.operations.list tpu.acceleratortypes.list tpu.locations.list tpu.nodes.list tpu.operations.list tpu.tensorflowversions.list transcoder.jobTemplates.list transcoder.jobs.list translationhub.portals.list videostitcher.cdnKeys.list videostitcher.liveAdTagDetails.list videostitcher.slates.list videostitcher.vodAdTagDetails.list videostitcher.vodStitchDetails.list visualinspection.annotationSets.list visualinspection.annotationSpecs.list visualinspection.annotations.list visualinspection.datasets.list visualinspection.images.list visualinspection.locations.list visualinspection.modelEvaluations.list visualinspection.models.list visualinspection.modules.list visualinspection.operations.list visualinspection.solutionArtifacts.list visualinspection.solutions.list vmmigration.cloneJobs.list vmmigration.cutoverJobs.list vmmigration.datacenterConnectors.list vmmigration.deployments.list vmmigration.groups.list vmmigration.locations.list vmmigration.migratingVms.list vmmigration.operations.list vmmigration.sources.list vmmigration.targets.list vmmigration.utilizationReports.list vpcaccess.connectors.list vpcaccess.locations.* vpcaccess.operations.list workflows.executions.list workflows.locations.list workflows.operations.list workflows.workflows.list
Config Controller Admin roles/krmapihosting.admin Full access to all Config Controller resources.	krmapihosting.* resourcemanager.projects.get resourcemanager.projects.list
Config Controller Viewer roles/krmapihosting.viewer Read-only access to all Config Controller resources.	krmapihosting.krmApiHosts.get krmapihosting.krmApiHosts.getIamPolicy krmapihosting.krmApiHosts.list krmapihosting.locations.* krmapihosting.operations.get krmapihosting.operations.list resourcemanager.projects.get resourcemanager.projects.list
Kubernetes Engine Admin roles/container.admin Provides access to full management of clusters and their Kubernetes API objects. To set a service account on nodes, you must also have the Service Account User role (roles/iam.serviceAccountUser) on the user-managed service account that your nodes will use.	container.* resourcemanager.projects.get resourcemanager.projects.list
Kubernetes Engine Cluster Admin roles/container.clusterAdmin Provides access to management of clusters. To set a service account on nodes, you must also have the Service Account User role (roles/iam.serviceAccountUser) on the user-managed service account that your nodes will use.	container.clusters.create container.clusters.delete container.clusters.get container.clusters.list container.clusters.update container.operations.* resourcemanager.projects.get resourcemanager.projects.list
Kubernetes Engine Cluster Viewer roles/container.clusterViewer Provides access to get and list GKE clusters.	container.clusters.get container.clusters.list resourcemanager.projects.get resourcemanager.projects.list
Kubernetes Engine Developer roles/container.developer Provides access to Kubernetes API objects inside clusters.	container.apiServices.* container.auditSinks.* container.backendConfigs.* container.bindings.* container.certificateSigningRequests.create container.certificateSigningRequests.delete container.certificateSigningRequests.get container.certificateSigningRequests.list container.certificateSigningRequests.update container.certificateSigningRequests.updateStatus container.clusterRoleBindings.get container.clusterRoleBindings.list container.clusterRoles.get container.clusterRoles.list container.clusters.get container.clusters.list container.componentStatuses.* container.configMaps.* container.controllerRevisions.get container.controllerRevisions.list container.cronJobs.* container.csiDrivers.* container.csiNodeInfos.* container.csiNodes.* container.customResourceDefinitions.* container.daemonSets.* container.deployments.* container.endpointSlices.* container.endpoints.* container.events.* container.frontendConfigs.* container.horizontalPodAutoscalers.* container.ingresses.* container.initializerConfigurations.* container.jobs.* container.leases.* container.limitRanges.* container.localSubjectAccessReviews.* container.managedCertificates.* container.mutatingWebhookConfigurations.get container.mutatingWebhookConfigurations.list container.namespaces.* container.networkPolicies.* container.nodes.* container.persistentVolumeClaims.* container.persistentVolumes.* container.petSets.* container.podDisruptionBudgets.* container.podPresets.* container.podSecurityPolicies.get container.podSecurityPolicies.list container.podTemplates.* container.pods.* container.priorityClasses.* container.replicaSets.* container.replicationControllers.* container.resourceQuotas.* container.roleBindings.get container.roleBindings.list container.roles.get container.roles.list container.runtimeClasses.* container.scheduledJobs.* container.secrets.* container.selfSubjectAccessReviews.* container.selfSubjectRulesReviews.* container.serviceAccounts.* container.services.* container.statefulSets.* container.storageClasses.* container.storageStates.* container.storageVersionMigrations.* container.subjectAccessReviews.* container.thirdPartyObjects.* container.thirdPartyResources.* container.tokenReviews.* container.updateInfos.* container.validatingWebhookConfigurations.get container.validatingWebhookConfigurations.list container.volumeAttachments.* container.volumeSnapshotClasses.* container.volumeSnapshotContents.* container.volumeSnapshots.* resourcemanager.projects.get resourcemanager.projects.list
Kubernetes Engine Host Service Agent User roles/container.hostServiceAgentUser Allows the Kubernetes Engine service account in the host project to configure shared network resources for cluster management. Also gives access to inspect the firewall rules in the host project.	compute.firewalls.get container.hostServiceAgent.* dns.networks.bindDNSResponsePolicy dns.networks.bindPrivateDNSPolicy dns.networks.bindPrivateDNSZone dns.responsePolicies.* dns.responsePolicyRules.*
Kubernetes Engine Viewer roles/container.viewer Provides read-only access to resources within GKE clusters, such as nodes, pods, and GKE API objects.	container.apiServices.get container.apiServices.getStatus container.apiServices.list container.auditSinks.get container.auditSinks.list container.backendConfigs.get container.backendConfigs.list container.bindings.get container.bindings.list container.certificateSigningRequests.get container.certificateSigningRequests.getStatus container.certificateSigningRequests.list container.clusterRoleBindings.get container.clusterRoleBindings.list container.clusterRoles.get container.clusterRoles.list container.clusters.get container.clusters.list container.componentStatuses.* container.configMaps.get container.configMaps.list container.controllerRevisions.get container.controllerRevisions.list container.cronJobs.get container.cronJobs.getStatus container.cronJobs.list container.csiDrivers.get container.csiDrivers.list container.csiNodeInfos.get container.csiNodeInfos.list container.csiNodes.get container.csiNodes.list container.customResourceDefinitions.get container.customResourceDefinitions.getStatus container.customResourceDefinitions.list container.daemonSets.get container.daemonSets.getStatus container.daemonSets.list container.deployments.get container.deployments.getScale container.deployments.getStatus container.deployments.list container.endpointSlices.get container.endpointSlices.list container.endpoints.get container.endpoints.list container.events.get container.events.list container.frontendConfigs.get container.frontendConfigs.list container.horizontalPodAutoscalers.get container.horizontalPodAutoscalers.getStatus container.horizontalPodAutoscalers.list container.ingresses.get container.ingresses.getStatus container.ingresses.list container.initializerConfigurations.get container.initializerConfigurations.list container.jobs.get container.jobs.getStatus container.jobs.list container.leases.get container.leases.list container.limitRanges.get container.limitRanges.list container.managedCertificates.get container.managedCertificates.list container.mutatingWebhookConfigurations.get container.mutatingWebhookConfigurations.list container.namespaces.get container.namespaces.getStatus container.namespaces.list container.networkPolicies.get container.networkPolicies.list container.nodes.get container.nodes.getStatus container.nodes.list container.operations.* container.persistentVolumeClaims.get container.persistentVolumeClaims.getStatus container.persistentVolumeClaims.list container.persistentVolumes.get container.persistentVolumes.getStatus container.persistentVolumes.list container.petSets.get container.petSets.list container.podDisruptionBudgets.get container.podDisruptionBudgets.getStatus container.podDisruptionBudgets.list container.podPresets.get container.podPresets.list container.podSecurityPolicies.get container.podSecurityPolicies.list container.podTemplates.get container.podTemplates.list container.pods.get container.pods.getStatus container.pods.list container.priorityClasses.get container.priorityClasses.list container.replicaSets.get container.replicaSets.getScale container.replicaSets.getStatus container.replicaSets.list container.replicationControllers.get container.replicationControllers.getScale container.replicationControllers.getStatus container.replicationControllers.list container.resourceQuotas.get container.resourceQuotas.getStatus container.resourceQuotas.list container.roleBindings.get container.roleBindings.list container.roles.get container.roles.list container.runtimeClasses.get container.runtimeClasses.list container.scheduledJobs.get container.scheduledJobs.list container.serviceAccounts.get container.serviceAccounts.list container.services.get container.services.getStatus container.services.list container.statefulSets.get container.statefulSets.getScale container.statefulSets.getStatus container.statefulSets.list container.storageClasses.get container.storageClasses.list container.storageStates.get container.storageStates.getStatus container.storageStates.list container.storageVersionMigrations.get container.storageVersionMigrations.getStatus container.storageVersionMigrations.list container.thirdPartyObjects.get container.thirdPartyObjects.list container.thirdPartyResources.get container.thirdPartyResources.list container.tokenReviews.* container.updateInfos.get container.updateInfos.list container.validatingWebhookConfigurations.get container.validatingWebhookConfigurations.list container.volumeAttachments.get container.volumeAttachments.getStatus container.volumeAttachments.list container.volumeSnapshotClasses.get container.volumeSnapshotClasses.list container.volumeSnapshotContents.get container.volumeSnapshotContents.getStatus container.volumeSnapshotContents.list container.volumeSnapshots.get container.volumeSnapshots.list resourcemanager.projects.get resourcemanager.projects.list
Live Stream Editor roles/livestream.editor Full access to Live Stream resources.	livestream.* resourcemanager.projects.get resourcemanager.projects.list
Live Stream Viewer roles/livestream.viewer Read access to Live Stream resources.	livestream.channels.get livestream.channels.list livestream.events.get livestream.events.list livestream.inputs.get livestream.inputs.list livestream.locations.* livestream.operations.get livestream.operations.list resourcemanager.projects.get resourcemanager.projects.list
Logging Admin roles/logging.admin Provides all permissions necessary to use all features of Cloud Logging.	logging.buckets.copyLogEntries logging.buckets.create logging.buckets.delete logging.buckets.get logging.buckets.list logging.buckets.undelete logging.buckets.update logging.cmekSettings.* logging.exclusions.* logging.fields.* logging.locations.* logging.logEntries.* logging.logMetrics.* logging.logServiceIndexes.* logging.logServices.* logging.logs.* logging.notificationRules.* logging.operations.* logging.privateLogEntries.* logging.queries.* logging.sinks.* logging.usage.* logging.views.* resourcemanager.projects.get resourcemanager.projects.list
Logs Bucket Writer roles/logging.bucketWriter Ability to write logs to a log bucket.	logging.buckets.write
Logs Configuration Writer roles/logging.configWriter Provides permissions to read and write the configurations of logs-based metrics and sinks for exporting logs.	logging.buckets.create logging.buckets.delete logging.buckets.get logging.buckets.list logging.buckets.undelete logging.buckets.update logging.cmekSettings.* logging.exclusions.* logging.locations.* logging.logMetrics.* logging.logServiceIndexes.* logging.logServices.* logging.logs.list logging.notificationRules.* logging.operations.* logging.sinks.* logging.views.create logging.views.delete logging.views.get logging.views.list logging.views.update resourcemanager.projects.get resourcemanager.projects.list
Log Field Accessor roles/logging.fieldAccessor Ability to read restricted fields in a log bucket.	logging.fields.*
Logs Writer roles/logging.logWriter Provides the permissions to write log entries.	logging.logEntries.create
Private Logs Viewer roles/logging.privateLogViewer Provides permissions of the Logs Viewer role and in addition, provides read-only access to log entries in private logs.	logging.buckets.get logging.buckets.list logging.exclusions.get logging.exclusions.list logging.locations.* logging.logEntries.list logging.logMetrics.get logging.logMetrics.list logging.logServiceIndexes.* logging.logServices.* logging.logs.list logging.privateLogEntries.* logging.queries.create logging.queries.delete logging.queries.get logging.queries.list logging.queries.listShared logging.queries.update logging.sinks.get logging.sinks.list logging.usage.* logging.views.access logging.views.get logging.views.list resourcemanager.projects.get
Logs View Accessor roles/logging.viewAccessor Ability to read logs in a view.	logging.logEntries.download logging.views.access logging.views.listLogs logging.views.listResourceKeys logging.views.listResourceValues
Logs Viewer roles/logging.viewer Provides access to view logs.	logging.buckets.get logging.buckets.list logging.exclusions.get logging.exclusions.list logging.locations.* logging.logEntries.list logging.logMetrics.get logging.logMetrics.list logging.logServiceIndexes.* logging.logServices.* logging.logs.list logging.operations.get logging.operations.list logging.queries.create logging.queries.delete logging.queries.get logging.queries.list logging.queries.listShared logging.queries.update logging.sinks.get logging.sinks.list logging.usage.* logging.views.get logging.views.list resourcemanager.projects.get
Cloud Memorystore Memcached Admin roles/memcache.admin Full access to Memcached instances and related resources.	compute.networks.list memcache.* resourcemanager.projects.get resourcemanager.projects.list
Cloud Memorystore Memcached Editor roles/memcache.editor Read-Write access to Memcached instances and related resources.	memcache.instances.applyParameters memcache.instances.get memcache.instances.list memcache.instances.update memcache.instances.updateParameters memcache.locations.* memcache.operations.* resourcemanager.projects.get resourcemanager.projects.list
Cloud Memorystore Memcached Viewer roles/memcache.viewer Read-only access to Memcached instances and related resources.	memcache.instances.get memcache.instances.list memcache.locations.* memcache.operations.get memcache.operations.list resourcemanager.projects.get resourcemanager.projects.list
Cloud Memorystore Redis Admin roles/redis.admin Full control for all Memorystore for Redis resources.	compute.networks.list redis.* resourcemanager.projects.get resourcemanager.projects.list serviceusage.services.use
Cloud Memorystore Redis Editor roles/redis.editor Manage Memorystore for Redis instances. Can't create or delete instances.	compute.networks.list redis.instances.failover redis.instances.get redis.instances.list redis.instances.update redis.locations.* redis.operations.* resourcemanager.projects.get resourcemanager.projects.list serviceusage.services.use
Cloud Memorystore Redis Viewer roles/redis.viewer Read-only access to all Memorystore for Redis resources.	redis.instances.get redis.instances.list redis.locations.* redis.operations.get redis.operations.list resourcemanager.projects.get resourcemanager.projects.list serviceusage.services.use
Mesh Config Admin roles/meshconfig.admin Full access to all mesh configuration resources	meshconfig.*
Mesh Config Viewer roles/meshconfig.viewer Read access to mesh configuration	meshconfig.projects.get
Monitoring Admin roles/monitoring.admin Provides the same access as the Monitoring Editor role (roles/monitoring.editor).	cloudnotifications.* monitoring.* opsconfigmonitoring.* resourcemanager.projects.get resourcemanager.projects.list serviceusage.services.enable stackdriver.*
Monitoring AlertPolicy Editor roles/monitoring.alertPolicyEditor Read/write access to alerting policies.	monitoring.alertPolicies.*
Monitoring AlertPolicy Viewer roles/monitoring.alertPolicyViewer Read-only access to alerting policies.	monitoring.alertPolicies.get monitoring.alertPolicies.list
Monitoring Dashboard Configuration Editor roles/monitoring.dashboardEditor Read/write access to dashboard configurations.	monitoring.dashboards.*
Monitoring Dashboard Configuration Viewer roles/monitoring.dashboardViewer Read-only access to dashboard configurations.	monitoring.dashboards.get monitoring.dashboards.list
Monitoring Editor roles/monitoring.editor Provides full access to information about all monitoring data and configurations.	cloudnotifications.* monitoring.alertPolicies.* monitoring.dashboards.* monitoring.groups.* monitoring.metricDescriptors.* monitoring.monitoredResourceDescriptors.* monitoring.notificationChannelDescriptors.* monitoring.notificationChannels.create monitoring.notificationChannels.delete monitoring.notificationChannels.get monitoring.notificationChannels.list monitoring.notificationChannels.sendVerificationCode monitoring.notificationChannels.update monitoring.notificationChannels.verify monitoring.publicWidgets.* monitoring.services.* monitoring.slos.* monitoring.timeSeries.* monitoring.uptimeCheckConfigs.* opsconfigmonitoring.* resourcemanager.projects.get resourcemanager.projects.list serviceusage.services.enable stackdriver.*
Monitoring Metric Writer roles/monitoring.metricWriter Provides write-only access to metrics. This provides exactly the permissions needed by the Cloud Monitoring agent and other systems that send metrics.	monitoring.metricDescriptors.create monitoring.metricDescriptors.get monitoring.metricDescriptors.list monitoring.monitoredResourceDescriptors.* monitoring.timeSeries.create
Monitoring Metrics Scopes Admin roles/monitoring.metricsScopesAdmin Access to add and remove monitored projects from metrics scopes.	monitoring.metricsScopes.* resourcemanager.projects.get resourcemanager.projects.list
Monitoring Metrics Scopes Viewer roles/monitoring.metricsScopesViewer Read-only access to metrics scopes and their monitored projects.	resourcemanager.projects.get resourcemanager.projects.list
Monitoring NotificationChannel Editor roles/monitoring.notificationChannelEditor Read/write access to notification channels.	monitoring.notificationChannelDescriptors.* monitoring.notificationChannels.create monitoring.notificationChannels.delete monitoring.notificationChannels.get monitoring.notificationChannels.list monitoring.notificationChannels.sendVerificationCode monitoring.notificationChannels.update monitoring.notificationChannels.verify
Monitoring NotificationChannel Viewer roles/monitoring.notificationChannelViewer Read-only access to notification channels.	monitoring.notificationChannelDescriptors.* monitoring.notificationChannels.get monitoring.notificationChannels.list
Monitoring Services Editor roles/monitoring.servicesEditor Read/write access to services.	monitoring.services.* monitoring.slos.*
Monitoring Services Viewer roles/monitoring.servicesViewer Read-only access to services.	monitoring.services.get monitoring.services.list monitoring.slos.get monitoring.slos.list
Monitoring Uptime Check Configuration Editor roles/monitoring.uptimeCheckConfigEditor Read/write access to uptime check configurations.	monitoring.uptimeCheckConfigs.*
Monitoring Uptime Check Configuration Viewer roles/monitoring.uptimeCheckConfigViewer Read-only access to uptime check configurations.	monitoring.uptimeCheckConfigs.get monitoring.uptimeCheckConfigs.list
Monitoring Viewer roles/monitoring.viewer Provides read-only access to get and list information about all monitoring data and configurations.	cloudnotifications.* monitoring.alertPolicies.get monitoring.alertPolicies.list monitoring.dashboards.get monitoring.dashboards.list monitoring.groups.get monitoring.groups.list monitoring.metricDescriptors.get monitoring.metricDescriptors.list monitoring.monitoredResourceDescriptors.* monitoring.notificationChannelDescriptors.* monitoring.notificationChannels.get monitoring.notificationChannels.list monitoring.publicWidgets.get monitoring.publicWidgets.list monitoring.services.get monitoring.services.list monitoring.slos.get monitoring.slos.list monitoring.timeSeries.list monitoring.uptimeCheckConfigs.get monitoring.uptimeCheckConfigs.list opsconfigmonitoring.resourceMetadata.list resourcemanager.projects.get resourcemanager.projects.list stackdriver.projects.get
Hub & Spoke Admin roles/networkconnectivity.hubAdmin Enables full access to hub and spoke resources.	networkconnectivity.* resourcemanager.projects.get resourcemanager.projects.list
Hub & Spoke Viewer roles/networkconnectivity.hubViewer Enables read-only access to hub and spoke resources.	networkconnectivity.hubs.get networkconnectivity.hubs.getIamPolicy networkconnectivity.hubs.list networkconnectivity.locations.* networkconnectivity.spokes.get networkconnectivity.spokes.getIamPolicy networkconnectivity.spokes.list resourcemanager.projects.get resourcemanager.projects.list
Spoke Admin roles/networkconnectivity.spokeAdmin Enables full access to spoke resources and read-only access to hub resources.	networkconnectivity.hubs.get networkconnectivity.hubs.getIamPolicy networkconnectivity.hubs.list networkconnectivity.locations.* networkconnectivity.operations.get networkconnectivity.operations.list networkconnectivity.spokes.* resourcemanager.projects.get resourcemanager.projects.list
Network Management Admin roles/networkmanagement.admin Full access to Network Management resources.	networkmanagement.* resourcemanager.projects.get resourcemanager.projects.list
Network Management Viewer roles/networkmanagement.viewer Read-only access to Network Management resources.	networkmanagement.connectivitytests.get networkmanagement.connectivitytests.getIamPolicy networkmanagement.connectivitytests.list networkmanagement.locations.* networkmanagement.operations.* resourcemanager.projects.get resourcemanager.projects.list
On-Demand Scanning Admin roles/ondemandscanning.admin All permissions for On-Demand Scanning	ondemandscanning.*
Ops Config Monitoring Resource Metadata Viewer roles/opsconfigmonitoring.resourceMetadata.viewer Read-only access to resource metadata.	opsconfigmonitoring.resourceMetadata.list
Ops Config Monitoring Resource Metadata Writer roles/opsconfigmonitoring.resourceMetadata.writer Write-only access to resource metadata. This provides exactly the permissions needed by the Ops Config Monitoring metadata agent and other systems that send metadata.	opsconfigmonitoring.resourceMetadata.write
Access Transparency Admin roles/axt.admin Enable Access Transparency for Organization	axt.* resourcemanager.organizations.get resourcemanager.projects.get resourcemanager.projects.list
Organization Policy Administrator roles/orgpolicy.policyAdmin Provides access to define what restrictions an organization wants to place on the configuration of cloud resources by setting Organization Policies.	orgpolicy.*
Organization Policy Viewer roles/orgpolicy.policyViewer Provides access to view Organization Policies on resources.	orgpolicy.constraints.* orgpolicy.policies.list orgpolicy.policy.get
Advisory Notifications Viewer roles/advisorynotifications.viewer Grants view access in Advisory Notifications	advisorynotifications.* resourcemanager.organizations.get
Anthos Policy Controller Service Agent roles/anthospolicycontroller.serviceAgent Gives the Anthos Policy Controller service agent access toCloud Platform resources.	gkehub.features.get gkehub.locations.* gkehub.memberships.get gkehub.memberships.list
Autoscaling Metrics Writer roles/autoscaling.metricsWriter Access to write metrics for autoscaling site	autoscaling.sites.writeMetrics
Autoscaling Recommendations Reader roles/autoscaling.recommendationsReader Access to read recommendations from autoscaling site	autoscaling.sites.readRecommendations
Autoscaling Site Admin roles/autoscaling.sitesAdmin Full access to all autoscaling site features	autoscaling.* resourcemanager.projects.get resourcemanager.projects.list
Autoscaling State Writer roles/autoscaling.stateWriter Access to write state for autoscaling site	autoscaling.sites.writeState
Bare Metal Solution Admin roles/baremetalsolution.admin Administrator of Bare Metal Solution resources	baremetalsolution.* resourcemanager.projects.get resourcemanager.projects.list
Bare Metal Solution Editor roles/baremetalsolution.editor Editor of Bare Metal Solution resources	baremetalsolution.* resourcemanager.projects.get resourcemanager.projects.list
Bare Metal Solution Instances Admin roles/baremetalsolution.instancesadmin Admin of Bare Metal Solution Instance resources	baremetalsolution.instances.* resourcemanager.projects.get resourcemanager.projects.list
Bare Metal Solution Instances Viewer roles/baremetalsolution.instancesviewer Viewer of Bare Metal Solution Instance resources	baremetalsolution.instances.get baremetalsolution.instances.list resourcemanager.projects.get resourcemanager.projects.list
Luns Admin roles/baremetalsolution.lunsadmin Administrator of Bare Metal Solution Lun resources	baremetalsolution.luns.*
Luns Viewer roles/baremetalsolution.lunsviewer Viewer of Bare Metal Solution Lun resources	baremetalsolution.luns.*
Networks Admin roles/baremetalsolution.networksadmin Admin of Bare Metal Solution networks resources	baremetalsolution.networks.*
NFS Shares Admin roles/baremetalsolution.nfssharesadmin Administrator of Bare Metal Solution NFS Share resources	baremetalsolution.nfsshares.*
NFS Shares Editor roles/baremetalsolution.nfsshareseditor Editor of Bare Metal Solution NFS Share resources	baremetalsolution.nfsshares.*
NFS Shares Viewer roles/baremetalsolution.nfssharesviewer Viewer of Bare Metal Solution NFS Share resources	baremetalsolution.nfsshares.get baremetalsolution.nfsshares.list
Bare Metal Solution Storage Admin roles/baremetalsolution.storageadmin Administrator of Bare Metal Solution storage resources	baremetalsolution.luns.* baremetalsolution.nfsshares.* baremetalsolution.snapshotschedulepolicies.* baremetalsolution.volumes.* baremetalsolution.volumesnapshots.* resourcemanager.projects.get resourcemanager.projects.list
Bare Metal Solution Viewer roles/baremetalsolution.viewer Viewer of Bare Metal Solution resources	baremetalsolution.instances.get baremetalsolution.instances.list baremetalsolution.luns.* baremetalsolution.networks.get baremetalsolution.networks.list baremetalsolution.nfsshares.get baremetalsolution.nfsshares.list baremetalsolution.snapshotschedulepolicies.get baremetalsolution.snapshotschedulepolicies.list baremetalsolution.volumes.get baremetalsolution.volumes.list baremetalsolution.volumesnapshots.get baremetalsolution.volumesnapshots.list resourcemanager.projects.get resourcemanager.projects.list
Volume Admin roles/baremetalsolution.volumesadmin Administrator of Bare Metal Solution volume resources	baremetalsolution.volumes.*
Volumes Editor roles/baremetalsolution.volumeseditor Editor of Bare Metal Solution volumes resources	baremetalsolution.volumes.*
Volumes Viewer roles/baremetalsolution.volumessviewer Viewer of Bare Metal Solution volumes resources	baremetalsolution.volumes.get baremetalsolution.volumes.list
MigrationWorkflow Editor roles/bigquerymigration.editor Editor of EDW migration workflows.	bigquerymigration.locations.* bigquerymigration.subtasks.get bigquerymigration.subtasks.list bigquerymigration.workflows.create bigquerymigration.workflows.delete bigquerymigration.workflows.get bigquerymigration.workflows.list bigquerymigration.workflows.update
Task Orchestrator roles/bigquerymigration.orchestrator Orchestrator of EDW migration tasks.	bigquerymigration.subtasks.create bigquerymigration.taskTypes.* bigquerymigration.workflows.orchestrateTask bigquerymigration.workflows.writeLogs storage.objects.list
Migration Translation User roles/bigquerymigration.translationUser User of EDW migration SQL translation service.	bigquerymigration.translation.*
MigrationWorkflow Viewer roles/bigquerymigration.viewer Viewer of EDW migration MigrationWorkflow.	bigquerymigration.locations.* bigquerymigration.subtasks.get bigquerymigration.subtasks.list bigquerymigration.workflows.get bigquerymigration.workflows.list
Task Worker roles/bigquerymigration.worker Worker that executes EDW migration subtasks.	bigquerymigration.subtaskTypes.* bigquerymigration.subtasks.executeTask bigquerymigration.workflows.writeLogs storage.objects.create storage.objects.get storage.objects.list
Chronicle Service Admin roles/chroniclesm.admin Admins can view and modify Chronicle service details.	chroniclesm.*
Chronicle Service Viewer roles/chroniclesm.viewer Viewers can see Chronicle service details but not change them.	chroniclesm.gcpAssociations.get chroniclesm.gcpSettings.get
Contact Center AI Insights editor roles/contactcenterinsights.editor Grants read and write access to all Contact Center AI Insights resources.	contactcenterinsights.*
Contact Center AI Insights viewer roles/contactcenterinsights.viewer Grants read access to all Contact Center AI Insights resources.	contactcenterinsights.analyses.get contactcenterinsights.analyses.list contactcenterinsights.conversations.get contactcenterinsights.conversations.list contactcenterinsights.issueModels.get contactcenterinsights.issueModels.list contactcenterinsights.issues.get contactcenterinsights.issues.list contactcenterinsights.operations.* contactcenterinsights.phraseMatchers.get contactcenterinsights.phraseMatchers.list contactcenterinsights.settings.get
Content Warehouse Admin roles/contentwarehouse.admin Grants full access to all the resources in Content Warehouse	contentwarehouse.documentSchemas.* contentwarehouse.documents.create contentwarehouse.documents.delete contentwarehouse.documents.get contentwarehouse.documents.getIamPolicy contentwarehouse.documents.setIamPolicy contentwarehouse.documents.update contentwarehouse.locations.* contentwarehouse.rawDocuments.* contentwarehouse.ruleSets.* contentwarehouse.synonymSets.* resourcemanager.projects.get resourcemanager.projects.list
Content Warehouse document creator roles/contentwarehouse.documentCreator Grants access to create document in Content Warehouse	contentwarehouse.documentSchemas.get contentwarehouse.documentSchemas.list contentwarehouse.documents.create resourcemanager.projects.get resourcemanager.projects.list
Content Warehouse Document Editor roles/contentwarehouse.documentEditor Grants edit access to document resource in Content Warehouse	contentwarehouse.documentSchemas.get contentwarehouse.documents.create contentwarehouse.documents.delete contentwarehouse.documents.get contentwarehouse.documents.getIamPolicy contentwarehouse.documents.setIamPolicy contentwarehouse.documents.update contentwarehouse.rawDocuments.* resourcemanager.projects.get resourcemanager.projects.list
Content Warehouse document owner roles/contentwarehouse.documentOwner Grants editor access to all owned documents in Content Warehouse	contentwarehouse.documents.enableOwnership resourcemanager.projects.get resourcemanager.projects.list
Content Warehouse document schema viewer roles/contentwarehouse.documentSchemaViewer Grants access to view the document schemas in Content Warehouse	contentwarehouse.documentSchemas.get contentwarehouse.documentSchemas.list resourcemanager.projects.get resourcemanager.projects.list
Content Warehouse Viewer roles/contentwarehouse.documentViewer Grants access to view all the resources in Content Warehouse	contentwarehouse.documentSchemas.get contentwarehouse.documents.get contentwarehouse.documents.getIamPolicy contentwarehouse.rawDocuments.download resourcemanager.projects.get resourcemanager.projects.list
Data Processing Controls Resource Admin roles/dataprocessing.admin Data processing controls admin who can fully manage data processing controls settings and view all datasource data.	billing.accounts.get billing.accounts.list dataprocessing.*
Data Processing Controls Data Source Manager roles/dataprocessing.dataSourceManager Data processing controls data source manager who can get, list, and update the underlying data.	dataprocessing.datasources.list dataprocessing.datasources.update
Early Access Center Administrator roles/earlyaccesscenter.admin Grants full access to the Early Access Center, including access to all DATA_READ and DATA_WRITE permissions. Including the ability to enroll into Early Access Campaigns.	earlyaccesscenter.*
Early Access Center Viewer roles/earlyaccesscenter.viewer Grants view access to the Early Access Center, including access to all DATA_READ but no DATA_WRITE permissions.	earlyaccesscenter.campaigns.get earlyaccesscenter.campaigns.list earlyaccesscenter.customerAllowlists.*
Essential Contacts Admin roles/essentialcontacts.admin Full access to all essential contacts	essentialcontacts.*
Essential Contacts Viewer roles/essentialcontacts.viewer Viewer for all essential contacts	essentialcontacts.contacts.get essentialcontacts.contacts.list
Firebase Cloud Messaging API Admin roles/firebasecloudmessaging.admin Full read/write access to Firebase Cloud Messaging API resources.	cloudmessaging.* fcmdata.* resourcemanager.projects.get resourcemanager.projects.list
Firebase Crash Symbol Uploader roles/firebasecrash.symbolMappingsAdmin Full read/write access to symbol mapping file resources for Firebase Crash Reporting.	firebase.clients.get firebase.clients.list resourcemanager.projects.get
Identity Platform Admin roles/identityplatform.admin Full access to Identity Platform resources.	firebaseauth.*
Identity Platform Viewer roles/identityplatform.viewer Read access to Identity Platform resources.	firebaseauth.configs.get firebaseauth.users.get
Identity Toolkit Admin roles/identitytoolkit.admin Full access to Identity Toolkit resources.	firebaseauth.*
Identity Toolkit Viewer roles/identitytoolkit.viewer Read access to Identity Toolkit resources.	firebaseauth.configs.get firebaseauth.users.get
Apigee Integration Admin roles/integrations.apigeeIntegrationAdminRole A user that has full access to all Apigee integrations.	integrations.apigeeAuthConfigs.* integrations.apigeeCertificates.* integrations.apigeeExecutions.* integrations.apigeeIntegrationVers.* integrations.apigeeIntegrations.* integrations.apigeeSfdcChannels.* integrations.apigeeSfdcInstances.* integrations.apigeeSuspensions.* resourcemanager.projects.get resourcemanager.projects.list
Apigee Integration Deployer roles/integrations.apigeeIntegrationDeployerRole A developer that can deploy/undeploy Apigee integrations to the integration runtime.	integrations.apigeeIntegrationVers.deploy integrations.apigeeIntegrationVers.get integrations.apigeeIntegrationVers.list integrations.apigeeIntegrations.list resourcemanager.projects.get resourcemanager.projects.list
Apigee Integration Editor roles/integrations.apigeeIntegrationEditorRole A developer that can list, create and update Apigee integrations.	integrations.apigeeAuthConfigs.create integrations.apigeeAuthConfigs.get integrations.apigeeAuthConfigs.list integrations.apigeeAuthConfigs.update integrations.apigeeCertificates.create integrations.apigeeCertificates.get integrations.apigeeCertificates.list integrations.apigeeCertificates.update integrations.apigeeExecutions.* integrations.apigeeIntegrationVers.* integrations.apigeeIntegrations.* integrations.apigeeSfdcChannels.create integrations.apigeeSfdcChannels.get integrations.apigeeSfdcChannels.list integrations.apigeeSfdcChannels.update integrations.apigeeSfdcInstances.create integrations.apigeeSfdcInstances.get integrations.apigeeSfdcInstances.list integrations.apigeeSfdcInstances.update resourcemanager.projects.get resourcemanager.projects.list
Apigee Integration Invoker roles/integrations.apigeeIntegrationInvokerRole A role that can invoke Apigee integrations.	integrations.apigeeExecutions.* integrations.apigeeIntegrationVers.get integrations.apigeeIntegrationVers.list integrations.apigeeIntegrations.* resourcemanager.projects.get resourcemanager.projects.list
Apigee Integration Viewer roles/integrations.apigeeIntegrationsViewer A developer that can list and view Apigee integrations.	integrations.apigeeAuthConfigs.list integrations.apigeeCertificates.list integrations.apigeeIntegrationVers.get integrations.apigeeIntegrationVers.list integrations.apigeeIntegrations.list integrations.apigeeSfdcChannels.list integrations.apigeeSfdcInstances.list resourcemanager.projects.get resourcemanager.projects.list
Apigee Integration Approver roles/integrations.apigeeSuspensionResolver A role that can approve / reject Apigee integrations that contain a suspension/wait task.	integrations.apigeeSuspensions.* resourcemanager.projects.get resourcemanager.projects.list
Security Integration Admin roles/integrations.securityIntegrationAdmin A user that has full access to all Security integrations.	integrations.securityAuthConfigs.* integrations.securityExecutions.* integrations.securityIntegTempVers.* integrations.securityIntegrationVers.* integrations.securityIntegrations.*
OAuth Config Editor roles/oauthconfig.editor Read/write access to OAuth config resources	clientauthconfig.* oauthconfig.*
OAuth Config Viewer roles/oauthconfig.viewer Read-only access to OAuth config resources	clientauthconfig.brands.get clientauthconfig.brands.list clientauthconfig.clients.get clientauthconfig.clients.list oauthconfig.clientpolicy.* oauthconfig.testusers.get oauthconfig.verification.get
Payments Reseller Admin roles/paymentsresellersubscription.partnerAdmin Full access to all Payments Reseller resources, including subscriptions, products and promotions	paymentsresellersubscription.* resourcemanager.projects.get resourcemanager.projects.list
Payments Reseller Viewer roles/paymentsresellersubscription.partnerViewer Read access to all Payments Reseller resources, including subscriptions, products and promotions	paymentsresellersubscription.products.* paymentsresellersubscription.promotions.* paymentsresellersubscription.subscriptions.get resourcemanager.projects.get resourcemanager.projects.list
Payments Reseller Products Viewer roles/paymentsresellersubscription.productViewer Read access to Payments Reseller Product resource	paymentsresellersubscription.products.* resourcemanager.projects.get resourcemanager.projects.list
Payments Reseller Promotions Viewer roles/paymentsresellersubscription.promotionViewer Read access to Payments Reseller Promotion resource	paymentsresellersubscription.promotions.* resourcemanager.projects.get resourcemanager.projects.list
Payments Reseller Subscriptions Editor roles/paymentsresellersubscription.subscriptionEditor Write access to Payments Reseller Subscription resource	paymentsresellersubscription.subscriptions.* resourcemanager.projects.get resourcemanager.projects.list
Payments Reseller Subscriptions Viewer roles/paymentsresellersubscription.subscriptionViewer Read access to Payments Reseller Subscription resource	paymentsresellersubscription.subscriptions.get resourcemanager.projects.get resourcemanager.projects.list
Activity Analysis Viewer roles/policyanalyzer.activityAnalysisViewer Viewer user that can read all activity analysis.	policyanalyzer.*
Simulator Admin roles/policysimulator.admin Admin user that can run and access replays.	policysimulator.*
Recommendations Exporter roles/recommender.exporter Exporter of Recommendations	recommender.resources.*
Remote Build Execution Action Cache Writer roles/remotebuildexecution.actionCacheWriter Remote Build Execution Action Cache Writer	remotebuildexecution.actions.set remotebuildexecution.blobs.create
Remote Build Execution Artifact Admin roles/remotebuildexecution.artifactAdmin Remote Build Execution Artifact Admin	remotebuildexecution.actions.create remotebuildexecution.actions.delete remotebuildexecution.actions.get remotebuildexecution.blobs.* remotebuildexecution.logstreams.*
Remote Build Execution Artifact Creator roles/remotebuildexecution.artifactCreator Remote Build Execution Artifact Creator	remotebuildexecution.actions.create remotebuildexecution.actions.get remotebuildexecution.blobs.* remotebuildexecution.logstreams.*
Remote Build Execution Artifact Viewer roles/remotebuildexecution.artifactViewer Remote Build Execution Artifact Viewer	remotebuildexecution.actions.get remotebuildexecution.blobs.get remotebuildexecution.logstreams.get
Remote Build Execution Configuration Admin roles/remotebuildexecution.configurationAdmin Remote Build Execution Configuration Admin	remotebuildexecution.instances.* remotebuildexecution.workerpools.*
Remote Build Execution Configuration Viewer roles/remotebuildexecution.configurationViewer Remote Build Execution Configuration Viewer	remotebuildexecution.instances.get remotebuildexecution.instances.list remotebuildexecution.workerpools.get remotebuildexecution.workerpools.list
Remote Build Execution Logstream Writer roles/remotebuildexecution.logstreamWriter Remote Build Execution Logstream Writer	remotebuildexecution.logstreams.create remotebuildexecution.logstreams.update
Remote Build Execution Reservation Admin roles/remotebuildexecution.reservationAdmin Remote Build Execution Reservation Admin	remotebuildexecution.actions.create remotebuildexecution.actions.delete remotebuildexecution.actions.get
Remote Build Execution Worker roles/remotebuildexecution.worker Remote Build Execution Worker	remotebuildexecution.actions.update remotebuildexecution.blobs.* remotebuildexecution.botsessions.* remotebuildexecution.logstreams.create remotebuildexecution.logstreams.update
Retail Admin roles/retail.admin Full access to Retail api resources.	automlrecommendations.apiKeys.create automlrecommendations.apiKeys.delete automlrecommendations.catalogItems.* automlrecommendations.catalogs.* automlrecommendations.eventStores.* automlrecommendations.events.* automlrecommendations.placements.* automlrecommendations.recommendations.* retail.*
Retail Editor roles/retail.editor Full access to Retail api resources except purge, rejoin, and setSponsorship.	automlrecommendations.apiKeys.create automlrecommendations.apiKeys.delete automlrecommendations.catalogItems.* automlrecommendations.catalogs.* automlrecommendations.eventStores.* automlrecommendations.events.create automlrecommendations.events.list automlrecommendations.placements.* automlrecommendations.recommendations.* retail.attributesConfigs.addCatalogAttribute retail.attributesConfigs.exportCatalogAttributes retail.attributesConfigs.get retail.attributesConfigs.importCatalogAttributes retail.attributesConfigs.replaceCatalogAttribute retail.attributesConfigs.update retail.catalogs.* retail.controls.* retail.models.* retail.operations.* retail.placements.* retail.products.create retail.products.delete retail.products.export retail.products.get retail.products.import retail.products.list retail.products.update retail.retailProjects.* retail.servingConfigs.* retail.userEvents.create retail.userEvents.import
Retail Viewer roles/retail.viewer Grants access to read all resources in Retail.	automlrecommendations.catalogItems.get automlrecommendations.catalogItems.list automlrecommendations.catalogs.getStats automlrecommendations.catalogs.list automlrecommendations.eventStores.* automlrecommendations.events.list automlrecommendations.placements.getStats automlrecommendations.placements.list automlrecommendations.recommendations.list retail.attributesConfigs.exportCatalogAttributes retail.attributesConfigs.get retail.catalogs.completeQuery retail.catalogs.list retail.controls.export retail.controls.get retail.controls.list retail.models.list retail.operations.* retail.placements.* retail.products.export retail.products.get retail.products.list retail.retailProjects.* retail.servingConfigs.get retail.servingConfigs.list
Cloud RuntimeConfig Admin roles/runtimeconfig.admin Full access to RuntimeConfig resources.	runtimeconfig.*
Cloud Speech Administrator roles/speech.admin Grants full access to all resources in Speech-to-text	speech.*
Cloud Speech Client roles/speech.client Grants access to the recognition APIs.	speech.adaptations.*
Cloud Speech Editor roles/speech.editor Grants access to edit resources in Speech-to-text	speech.*
Subscribe with Google Developer roles/subscribewithgoogledeveloper.developer Access DevTools for Subscribe with Google	resourcemanager.projects.get resourcemanager.projects.list subscribewithgoogledeveloper.*
Traffic Director Client roles/trafficdirector.client Fetch service configurations and report metrics.	trafficdirector.*
Translation Hub Admin roles/translationhub.admin Admin of Translation Hub	automl.models.get automl.models.list automl.models.predict cloudtranslate.glossaries.create cloudtranslate.glossaries.delete cloudtranslate.glossaries.get cloudtranslate.glossaries.list cloudtranslate.glossaries.predict resourcemanager.projects.get resourcemanager.projects.list translationhub.*
Translation Hub Portal User roles/translationhub.portalUser Portal user of Translation Hub	automl.models.get automl.models.list automl.models.predict cloudtranslate.glossaries.get cloudtranslate.glossaries.list cloudtranslate.glossaries.predict resourcemanager.projects.get resourcemanager.projects.list translationhub.portals.get translationhub.portals.list
Visual Inspection AI Solution Editor roles/visualinspection.editor Read and write access to all Visual Inspection AI resources except visualinspection.locations.reportUsageMetrics	visualinspection.annotationSets.* visualinspection.annotationSpecs.* visualinspection.annotations.* visualinspection.datasets.* visualinspection.images.* visualinspection.locations.get visualinspection.locations.list visualinspection.modelEvaluations.* visualinspection.models.* visualinspection.modules.* visualinspection.operations.* visualinspection.solutionArtifacts.* visualinspection.solutions.*
Visual Inspection AI Usage Metrics Reporter roles/visualinspection.usageMetricsReporter ReportUsageMetric access to Visual Inspection AI Service	visualinspection.locations.reportUsageMetrics
Visual Inspection AI Viewer roles/visualinspection.viewer Read access to Visual Inspection AI resources	visualinspection.annotationSets.get visualinspection.annotationSets.list visualinspection.annotationSpecs.get visualinspection.annotationSpecs.list visualinspection.annotations.get visualinspection.annotations.list visualinspection.datasets.export visualinspection.datasets.get visualinspection.datasets.list visualinspection.images.get visualinspection.images.list visualinspection.locations.get visualinspection.locations.list visualinspection.modelEvaluations.* visualinspection.models.get visualinspection.models.list visualinspection.modules.get visualinspection.modules.list visualinspection.operations.* visualinspection.solutionArtifacts.get visualinspection.solutionArtifacts.list visualinspection.solutionArtifacts.predict visualinspection.solutions.get visualinspection.solutions.list
Browser roles/browser Read access to browse the hierarchy for a project, including the folder, organization, and IAM policy. This role doesn't include permission to view resources in the project.	resourcemanager.folders.get resourcemanager.folders.list resourcemanager.organizations.get resourcemanager.projects.get resourcemanager.projects.getIamPolicy resourcemanager.projects.list
Beacon Attachment Editor roles/proximitybeacon.attachmentEditor Can create and delete attachments; can list and get a project's beacons; can list a project's namespaces.	proximitybeacon.attachments.* proximitybeacon.beacons.get proximitybeacon.beacons.list proximitybeacon.namespaces.list resourcemanager.projects.get resourcemanager.projects.list
Beacon Attachment Publisher roles/proximitybeacon.attachmentPublisher Grants necessary permissions to use beacons to create attachments in namespaces not owned by this project.	proximitybeacon.beacons.attach proximitybeacon.beacons.get proximitybeacon.beacons.list resourcemanager.projects.get resourcemanager.projects.list
Beacon Attachment Viewer roles/proximitybeacon.attachmentViewer Can view all attachments under a namespace; no beacon or namespace permissions.	proximitybeacon.attachments.get proximitybeacon.attachments.list resourcemanager.projects.get resourcemanager.projects.list
Beacon Editor roles/proximitybeacon.beaconEditor Necessary access to register, modify, and view beacons; no attachment or namespace permissions.	proximitybeacon.beacons.create proximitybeacon.beacons.get proximitybeacon.beacons.list proximitybeacon.beacons.update resourcemanager.projects.get resourcemanager.projects.list
Pub/Sub Admin roles/pubsub.admin Provides full access to topics and subscriptions.	pubsub.* resourcemanager.projects.get serviceusage.quotas.get serviceusage.services.get serviceusage.services.list
Pub/Sub Editor roles/pubsub.editor Provides access to modify topics and subscriptions, and access to publish and consume messages.	pubsub.schemas.attach pubsub.schemas.create pubsub.schemas.delete pubsub.schemas.get pubsub.schemas.list pubsub.schemas.validate pubsub.snapshots.create pubsub.snapshots.delete pubsub.snapshots.get pubsub.snapshots.list pubsub.snapshots.seek pubsub.snapshots.update pubsub.subscriptions.consume pubsub.subscriptions.create pubsub.subscriptions.delete pubsub.subscriptions.get pubsub.subscriptions.list pubsub.subscriptions.update pubsub.topics.attachSubscription pubsub.topics.create pubsub.topics.delete pubsub.topics.detachSubscription pubsub.topics.get pubsub.topics.list pubsub.topics.publish pubsub.topics.update pubsub.topics.updateTag resourcemanager.projects.get serviceusage.quotas.get serviceusage.services.get serviceusage.services.list
Pub/Sub Publisher roles/pubsub.publisher Provides access to publish messages to a topic.	pubsub.topics.publish
Pub/Sub Subscriber roles/pubsub.subscriber Provides access to consume messages from a subscription and to attach subscriptions to a topic.	pubsub.snapshots.seek pubsub.subscriptions.consume pubsub.topics.attachSubscription
Pub/Sub Viewer roles/pubsub.viewer Provides access to view topics and subscriptions.	pubsub.schemas.get pubsub.schemas.list pubsub.schemas.validate pubsub.snapshots.get pubsub.snapshots.list pubsub.subscriptions.get pubsub.subscriptions.list pubsub.topics.get pubsub.topics.list resourcemanager.projects.get serviceusage.quotas.get serviceusage.services.get serviceusage.services.list
Pub/Sub Lite Admin roles/pubsublite.admin Full access to topics, subscriptions and reservations.	pubsublite.*
Pub/Sub Lite Editor roles/pubsublite.editor Modify topics, subscriptions and reservations, publish and consume messages.	pubsublite.*
Pub/Sub Lite Publisher roles/pubsublite.publisher Publish messages to a topic.	pubsublite.topics.getPartitions pubsublite.topics.publish
Pub/Sub Lite Subscriber roles/pubsublite.subscriber Subscribe to and read messages from a topic.	pubsublite.operations.get pubsublite.subscriptions.getCursor pubsublite.subscriptions.seek pubsublite.subscriptions.setCursor pubsublite.subscriptions.subscribe pubsublite.topics.computeHeadCursor pubsublite.topics.computeMessageStats pubsublite.topics.computeTimeCursor pubsublite.topics.getPartitions pubsublite.topics.subscribe
Pub/Sub Lite Viewer roles/pubsublite.viewer View topics, subscriptions and reservations.	pubsublite.operations.* pubsublite.reservations.get pubsublite.reservations.list pubsublite.reservations.listTopics pubsublite.subscriptions.get pubsublite.subscriptions.getCursor pubsublite.subscriptions.list pubsublite.topics.get pubsublite.topics.getPartitions pubsublite.topics.list pubsublite.topics.listSubscriptions
reCAPTCHA Enterprise Admin roles/recaptchaenterprise.admin Access to view and modify reCAPTCHA Enterprise keys	monitoring.timeSeries.list recaptchaenterprise.keys.* recaptchaenterprise.metrics.* recaptchaenterprise.projectmetadata.* resourcemanager.projects.get resourcemanager.projects.list
reCAPTCHA Enterprise Agent roles/recaptchaenterprise.agent Access to create and annotate reCAPTCHA Enterprise assessments	recaptchaenterprise.assessments.* recaptchaenterprise.relatedaccountgroupmemberships.* recaptchaenterprise.relatedaccountgroups.* resourcemanager.projects.get resourcemanager.projects.list
reCAPTCHA Enterprise Viewer roles/recaptchaenterprise.viewer Access to view reCAPTCHA Enterprise keys and metrics	monitoring.timeSeries.list recaptchaenterprise.keys.get recaptchaenterprise.keys.list recaptchaenterprise.metrics.* recaptchaenterprise.projectmetadata.get resourcemanager.projects.get resourcemanager.projects.list
Recommendations AI Admin roles/automlrecommendations.admin Full access to all Recommendations AI resources.	automlrecommendations.* resourcemanager.projects.get resourcemanager.projects.list retail.catalogs.list retail.catalogs.update retail.operations.* retail.placements.* retail.products.create retail.products.delete retail.products.export retail.products.get retail.products.import retail.products.list retail.products.update retail.retailProjects.* retail.userEvents.* serviceusage.services.get serviceusage.services.list
Recommendations AI Admin Viewer roles/automlrecommendations.adminViewer Viewer of all Recommendations AI resources.	automlrecommendations.apiKeys.list automlrecommendations.catalogItems.get automlrecommendations.catalogItems.list automlrecommendations.catalogs.getStats automlrecommendations.catalogs.list automlrecommendations.eventStores.* automlrecommendations.events.list automlrecommendations.placements.getStats automlrecommendations.placements.list automlrecommendations.recommendations.list resourcemanager.projects.get resourcemanager.projects.list retail.catalogs.list retail.operations.* retail.placements.* retail.products.export retail.products.get retail.products.list retail.retailProjects.* serviceusage.services.get serviceusage.services.list
Recommendations AI Editor roles/automlrecommendations.editor Editor of all Recommendations AI resources.	automlrecommendations.apiKeys.create automlrecommendations.apiKeys.list automlrecommendations.catalogItems.* automlrecommendations.catalogs.getStats automlrecommendations.catalogs.list automlrecommendations.eventStores.* automlrecommendations.events.create automlrecommendations.events.list automlrecommendations.placements.create automlrecommendations.placements.getStats automlrecommendations.placements.list automlrecommendations.recommendations.create automlrecommendations.recommendations.list automlrecommendations.recommendations.pause automlrecommendations.recommendations.resume automlrecommendations.recommendations.update resourcemanager.projects.get resourcemanager.projects.list retail.catalogs.list retail.catalogs.update retail.operations.* retail.placements.* retail.products.create retail.products.delete retail.products.export retail.products.get retail.products.import retail.products.list retail.products.update retail.retailProjects.* retail.userEvents.create retail.userEvents.import serviceusage.services.get serviceusage.services.list
Recommendations AI Viewer roles/automlrecommendations.viewer Viewer of all Recommendations AI resources except apiKeys. To view all resources, including apiKeys, grant the Recommendations AI Admin Viewer role (roles/automlrecommendations.adminViewer).	automlrecommendations.catalogItems.get automlrecommendations.catalogItems.list automlrecommendations.catalogs.getStats automlrecommendations.catalogs.list automlrecommendations.eventStores.* automlrecommendations.events.list automlrecommendations.placements.getStats automlrecommendations.placements.list automlrecommendations.recommendations.list resourcemanager.projects.get resourcemanager.projects.list retail.catalogs.list retail.operations.* retail.placements.* retail.products.export retail.products.get retail.products.list retail.retailProjects.* serviceusage.services.get serviceusage.services.list
BigQuery Slot Recommender Admin roles/recommender.bigQueryCapacityCommitmentsAdmin Admin of BigQuery Capacity Commitments insights and recommendations.	recommender.bigqueryCapacityCommitmentsInsights.* recommender.bigqueryCapacityCommitmentsRecommendations.* recommender.locations.* resourcemanager.projects.get resourcemanager.projects.list
BigQuery Recommender Billing Account Admin roles/recommender.bigQueryCapacityCommitmentsBillingAccountAdmin Billing Account Admin of BigQuery Capacity Commitments insights and recommendations.	billing.accounts.get billing.accounts.list recommender.bigqueryCapacityCommitmentsInsights.* recommender.bigqueryCapacityCommitmentsRecommendations.*
BigQuery Recommender Billing Account Viewer roles/recommender.bigQueryCapacityCommitmentsBillingAccountViewer Billing Account Viewer of BigQuery Capacity Commitments insights and recommendations.	billing.accounts.get billing.accounts.list recommender.bigqueryCapacityCommitmentsInsights.get recommender.bigqueryCapacityCommitmentsInsights.list recommender.bigqueryCapacityCommitmentsRecommendations.get recommender.bigqueryCapacityCommitmentsRecommendations.list
BigQuery Recommender Project Admin roles/recommender.bigQueryCapacityCommitmentsProjectAdmin Project Admin of BigQuery Capacity Commitments insights and recommendations.	recommender.bigqueryCapacityCommitmentsInsights.* recommender.bigqueryCapacityCommitmentsRecommendations.* recommender.locations.* resourcemanager.projects.get resourcemanager.projects.list
BigQuery Recommender Project Viewer roles/recommender.bigQueryCapacityCommitmentsProjectViewer Project Viewer of BigQuery Capacity Commitments insights and recommendations.	recommender.bigqueryCapacityCommitmentsInsights.get recommender.bigqueryCapacityCommitmentsInsights.list recommender.bigqueryCapacityCommitmentsRecommendations.get recommender.bigqueryCapacityCommitmentsRecommendations.list recommender.locations.* resourcemanager.projects.get resourcemanager.projects.list
BigQuery Slot Recommender Viewer roles/recommender.bigQueryCapacityCommitmentsViewer Viewer of BigQuery Capacity Commitments insights and recommendations.	recommender.bigqueryCapacityCommitmentsInsights.get recommender.bigqueryCapacityCommitmentsInsights.list recommender.bigqueryCapacityCommitmentsRecommendations.get recommender.bigqueryCapacityCommitmentsRecommendations.list recommender.locations.* resourcemanager.projects.get resourcemanager.projects.list
Billing Account Usage Commitment Recommender Admin roles/recommender.billingAccountCudAdmin Admin of Billing Account Usage Commitment Recommender.	billing.accounts.get billing.accounts.list recommender.commitmentUtilizationInsights.* recommender.usageCommitmentRecommendations.*
Billing Account Usage Commitment Recommender Viewer roles/recommender.billingAccountCudViewer Viewer of Billing Account Usage Commitment Recommender.	billing.accounts.get billing.accounts.list recommender.commitmentUtilizationInsights.get recommender.commitmentUtilizationInsights.list recommender.usageCommitmentRecommendations.get recommender.usageCommitmentRecommendations.list
Cloud Asset Insights Admin roles/recommender.cloudAssetInsightsAdmin Admin of all Cloud Asset insights.	recommender.cloudAssetInsights.* resourcemanager.projects.get resourcemanager.projects.list
Cloud Asset Insights Viewer roles/recommender.cloudAssetInsightsViewer Viewer of all Cloud Asset insights.	recommender.cloudAssetInsights.get recommender.cloudAssetInsights.list resourcemanager.projects.get resourcemanager.projects.list
Cloud SQL Recommender Admin roles/recommender.cloudsqlAdmin Admin of Cloud SQL insights and recommendations.	recommender.cloudsqlIdleInstanceRecommendations.* recommender.cloudsqlInstanceActivityInsights.* recommender.cloudsqlInstanceCpuUsageInsights.* recommender.cloudsqlInstanceDiskUsageTrendInsights.* recommender.cloudsqlInstanceMemoryUsageInsights.* recommender.cloudsqlInstanceOutOfDiskRecommendations.* recommender.cloudsqlOverprovisionedInstanceRecommendations.* resourcemanager.projects.get resourcemanager.projects.list
Cloud SQL Recommender Viewer roles/recommender.cloudsqlViewer Viewer of Cloud SQL insights and recommendations.	recommender.cloudsqlIdleInstanceRecommendations.get recommender.cloudsqlIdleInstanceRecommendations.list recommender.cloudsqlInstanceActivityInsights.get recommender.cloudsqlInstanceActivityInsights.list recommender.cloudsqlInstanceCpuUsageInsights.get recommender.cloudsqlInstanceCpuUsageInsights.list recommender.cloudsqlInstanceDiskUsageTrendInsights.get recommender.cloudsqlInstanceDiskUsageTrendInsights.list recommender.cloudsqlInstanceMemoryUsageInsights.get recommender.cloudsqlInstanceMemoryUsageInsights.list recommender.cloudsqlInstanceOutOfDiskRecommendations.get recommender.cloudsqlInstanceOutOfDiskRecommendations.list recommender.cloudsqlOverprovisionedInstanceRecommendations.get recommender.cloudsqlOverprovisionedInstanceRecommendations.list resourcemanager.projects.get resourcemanager.projects.list
Compute Recommender Admin roles/recommender.computeAdmin Admin of compute recommendations.	recommender.computeAddressIdleResourceInsights.* recommender.computeAddressIdleResourceRecommendations.* recommender.computeDiskIdleResourceInsights.* recommender.computeDiskIdleResourceRecommendations.* recommender.computeImageIdleResourceInsights.* recommender.computeImageIdleResourceRecommendations.* recommender.computeInstanceGroupManagerMachineTypeRecommendations.* recommender.computeInstanceIdleResourceRecommendations.* recommender.computeInstanceMachineTypeRecommendations.* recommender.locations.* resourcemanager.projects.get resourcemanager.projects.list
Compute Recommender Viewer roles/recommender.computeViewer Viewer of compute recommendations.	recommender.computeAddressIdleResourceInsights.get recommender.computeAddressIdleResourceInsights.list recommender.computeAddressIdleResourceRecommendations.get recommender.computeAddressIdleResourceRecommendations.list recommender.computeDiskIdleResourceInsights.get recommender.computeDiskIdleResourceInsights.list recommender.computeDiskIdleResourceRecommendations.get recommender.computeDiskIdleResourceRecommendations.list recommender.computeImageIdleResourceInsights.get recommender.computeImageIdleResourceInsights.list recommender.computeImageIdleResourceRecommendations.get recommender.computeImageIdleResourceRecommendations.list recommender.computeInstanceGroupManagerMachineTypeRecommendations.get recommender.computeInstanceGroupManagerMachineTypeRecommendations.list recommender.computeInstanceIdleResourceRecommendations.get recommender.computeInstanceIdleResourceRecommendations.list recommender.computeInstanceMachineTypeRecommendations.get recommender.computeInstanceMachineTypeRecommendations.list recommender.locations.* resourcemanager.projects.get resourcemanager.projects.list
Dataflow Diagnostics Admin roles/recommender.dataflowDiagnosticsAdmin Admin of Diagnostics recommendations.	recommender.dataflowDiagnosticsInsights.* recommender.locations.* resourcemanager.projects.get resourcemanager.projects.list
Dataflow Diagnostics Viewer roles/recommender.dataflowDiagnosticsViewer Viewer of Diagnostics recommendations.	recommender.dataflowDiagnosticsInsights.get recommender.dataflowDiagnosticsInsights.list recommender.locations.* resourcemanager.projects.get resourcemanager.projects.list
Error Reporting Recommender Admin roles/recommender.errorReportingAdmin Admin of Error Reporting Insights and Recommendations.	recommender.errorReportingInsights.* recommender.errorReportingRecommendations.* recommender.locations.* resourcemanager.projects.get resourcemanager.projects.list
Error Reporting Recommender Viewer roles/recommender.errorReportingViewer Viewer of Error Reporting Insights and Recommendations.	recommender.errorReportingInsights.get recommender.errorReportingInsights.list recommender.errorReportingRecommendations.get recommender.errorReportingRecommendations.list recommender.locations.* resourcemanager.projects.get resourcemanager.projects.list
Firewall Recommender Admin roles/recommender.firewallAdmin Admin of Firewall insights and recommendations.	monitoring.timeSeries.list recommender.computeFirewallInsights.* recommender.locations.* resourcemanager.projects.get resourcemanager.projects.list
Firewall Recommender Viewer roles/recommender.firewallViewer Viewer of Firewall insights and recommendations.	monitoring.timeSeries.list recommender.computeFirewallInsights.get recommender.computeFirewallInsights.list recommender.locations.* resourcemanager.projects.get resourcemanager.projects.list
IAM Recommender Admin roles/recommender.iamAdmin Admin of IAM recommendations.	recommender.iamPolicyInsights.* recommender.iamPolicyLateralMovementInsights.* recommender.iamPolicyRecommendations.* recommender.iamServiceAccountInsights.* recommender.locations.* resourcemanager.projects.get resourcemanager.projects.list
IAM Recommender Viewer roles/recommender.iamViewer Viewer of IAM recommendations.	recommender.iamPolicyInsights.get recommender.iamPolicyInsights.list recommender.iamPolicyLateralMovementInsights.get recommender.iamPolicyLateralMovementInsights.list recommender.iamPolicyRecommendations.get recommender.iamPolicyRecommendations.list recommender.iamServiceAccountInsights.get recommender.iamServiceAccountInsights.list recommender.locations.* resourcemanager.projects.get resourcemanager.projects.list
Product Suggestion Recommenders Admin roles/recommender.productSuggestionAdmin Admin of all Product Suggestion insights and recommendations.	recommender.locations.* recommender.loggingProductSuggestionContainerInsights.* recommender.loggingProductSuggestionContainerRecommendations.* recommender.monitoringProductSuggestionComputeInsights.* recommender.monitoringProductSuggestionComputeRecommendations.* resourcemanager.projects.get resourcemanager.projects.list
Product Suggestion Recommenders Viewer roles/recommender.productSuggestionViewer Viewer of all Product Suggestion insights and recommendations.	recommender.locations.* recommender.loggingProductSuggestionContainerInsights.get recommender.loggingProductSuggestionContainerInsights.list recommender.loggingProductSuggestionContainerRecommendations.get recommender.loggingProductSuggestionContainerRecommendations.list recommender.monitoringProductSuggestionComputeInsights.get recommender.monitoringProductSuggestionComputeInsights.list recommender.monitoringProductSuggestionComputeRecommendations.get recommender.monitoringProductSuggestionComputeRecommendations.list resourcemanager.projects.get resourcemanager.projects.list
Project Usage Commitment Recommender Admin roles/recommender.projectCudAdmin Admin of Project Usage Commitment Recommender.	recommender.commitmentUtilizationInsights.* recommender.locations.* recommender.usageCommitmentRecommendations.* resourcemanager.projects.get resourcemanager.projects.list
Project Usage Commitment Recommender Viewer roles/recommender.projectCudViewer Viewer of Project Usage Commitment Recommender.	recommender.commitmentUtilizationInsights.get recommender.commitmentUtilizationInsights.list recommender.locations.* recommender.usageCommitmentRecommendations.get recommender.usageCommitmentRecommendations.list resourcemanager.projects.get resourcemanager.projects.list
Project Utilization Recommender Admin roles/recommender.projectUtilAdmin Admin of Project Utilization insights and recommendations.	recommender.resourcemanagerProjectUtilizationInsights.* recommender.resourcemanagerProjectUtilizationRecommendations.* resourcemanager.projects.get resourcemanager.projects.list
Project Utilization Recommender Viewer roles/recommender.projectUtilViewer Viewer of Project Utilization insights and recommendations.	recommender.resourcemanagerProjectUtilizationInsights.get recommender.resourcemanagerProjectUtilizationInsights.list recommender.resourcemanagerProjectUtilizationRecommendations.get recommender.resourcemanagerProjectUtilizationRecommendations.list resourcemanager.projects.get resourcemanager.projects.list
Folder Admin roles/resourcemanager.folderAdmin Provides all available permissions for working with folders.	orgpolicy.constraints.* orgpolicy.policies.list orgpolicy.policy.get resourcemanager.folders.* resourcemanager.projects.get resourcemanager.projects.getIamPolicy resourcemanager.projects.list resourcemanager.projects.move resourcemanager.projects.setIamPolicy
Folder Creator roles/resourcemanager.folderCreator Provides permissions needed to browse the hierarchy and create folders.	orgpolicy.constraints.* orgpolicy.policies.list orgpolicy.policy.get resourcemanager.folders.create resourcemanager.folders.get resourcemanager.folders.list resourcemanager.projects.get resourcemanager.projects.list
Folder Editor roles/resourcemanager.folderEditor Provides permission to modify folders as well as to view a folder's IAM policy.	orgpolicy.constraints.* orgpolicy.policies.list orgpolicy.policy.get resourcemanager.folders.delete resourcemanager.folders.get resourcemanager.folders.getIamPolicy resourcemanager.folders.list resourcemanager.folders.undelete resourcemanager.folders.update resourcemanager.projects.get resourcemanager.projects.list
Folder IAM Admin roles/resourcemanager.folderIamAdmin Provides permissions to administer IAM policies on folders.	resourcemanager.folders.get resourcemanager.folders.getIamPolicy resourcemanager.folders.setIamPolicy
Folder Mover roles/resourcemanager.folderMover Provides permission to move projects and folders into and out of a parent organization or folder.	resourcemanager.folders.move resourcemanager.projects.move
Folder Viewer roles/resourcemanager.folderViewer Provides permission to get a folder and list the folders and projects below a resource.	orgpolicy.constraints.* orgpolicy.policies.list orgpolicy.policy.get resourcemanager.folders.get resourcemanager.folders.list resourcemanager.projects.get resourcemanager.projects.list
Project Lien Modifier roles/resourcemanager.lienModifier Provides access to modify Liens on projects.	resourcemanager.projects.updateLiens
Organization Administrator roles/resourcemanager.organizationAdmin Access to manage IAM policies and view organization policies for organizations, folders, and projects.	orgpolicy.constraints.* orgpolicy.policies.list orgpolicy.policy.get resourcemanager.folders.get resourcemanager.folders.getIamPolicy resourcemanager.folders.list resourcemanager.folders.setIamPolicy resourcemanager.organizations.* resourcemanager.projects.get resourcemanager.projects.getIamPolicy resourcemanager.projects.list resourcemanager.projects.setIamPolicy
Organization Viewer roles/resourcemanager.organizationViewer Provides access to view an organization.	resourcemanager.organizations.get
Project Creator roles/resourcemanager.projectCreator Provides access to create new projects. Once a user creates a project, they're automatically granted the owner role for that project.	resourcemanager.organizations.get resourcemanager.projects.create
Project Deleter roles/resourcemanager.projectDeleter Provides access to delete Google Cloud projects.	resourcemanager.projects.delete
Project IAM Admin roles/resourcemanager.projectIamAdmin Provides permissions to administer IAM policies on projects.	resourcemanager.projects.get resourcemanager.projects.getIamPolicy resourcemanager.projects.setIamPolicy
Project Mover roles/resourcemanager.projectMover Provides access to update and move projects.	resourcemanager.projects.get resourcemanager.projects.move resourcemanager.projects.update
Tag Administrator roles/resourcemanager.tagAdmin Access to create, delete, update, and manage access to Tags	resourcemanager.tagHolds.* resourcemanager.tagKeys.* resourcemanager.tagValues.*
Tag Hold Administrator roles/resourcemanager.tagHoldAdmin Access to create, delete and list TagHolds under a TagValue	resourcemanager.tagHolds.*
Tag User roles/resourcemanager.tagUser Access to list Tags and manage their associations with resources	artifactregistry.repositories.createTagBinding artifactregistry.repositories.deleteTagBinding artifactregistry.repositories.listEffectiveTags artifactregistry.repositories.listTagBindings cloudkms.keyRings.createTagBinding cloudkms.keyRings.deleteTagBinding cloudkms.keyRings.listTagBindings cloudsql.instances.createTagBinding cloudsql.instances.deleteTagBinding cloudsql.instances.listTagBindings compute.disks.createTagBinding compute.disks.deleteTagBinding compute.disks.listTagBindings compute.images.createTagBinding compute.images.deleteTagBinding compute.images.listTagBindings compute.snapshots.createTagBinding compute.snapshots.deleteTagBinding compute.snapshots.listTagBindings domains.registrations.createTagBinding domains.registrations.deleteTagBinding domains.registrations.listTagBindings file.backups.createTagBinding file.backups.deleteTagBinding file.backups.listTagBindings file.instances.createTagBinding file.instances.deleteTagBinding file.instances.listTagBindings file.snapshots.createTagBinding file.snapshots.deleteTagBinding file.snapshots.listTagBindings managedidentities.domains.createTagBinding managedidentities.domains.deleteTagBinding managedidentities.domains.listTagBindings resourcemanager.hierarchyNodes.* resourcemanager.projects.get resourcemanager.tagKeys.get resourcemanager.tagKeys.list resourcemanager.tagValueBindings.* resourcemanager.tagValues.get resourcemanager.tagValues.list run.services.createTagBinding run.services.deleteTagBinding run.services.listEffectiveTags run.services.listTagBindings storage.buckets.createTagBinding storage.buckets.deleteTagBinding storage.buckets.listTagBindings
Tag Viewer roles/resourcemanager.tagViewer Access to list Tags and their associations with resources	artifactregistry.repositories.listEffectiveTags artifactregistry.repositories.listTagBindings cloudkms.keyRings.listTagBindings cloudsql.instances.listTagBindings compute.disks.listTagBindings compute.images.listTagBindings compute.snapshots.listTagBindings domains.registrations.listTagBindings file.backups.listTagBindings file.instances.listTagBindings file.snapshots.listTagBindings managedidentities.domains.listTagBindings resourcemanager.hierarchyNodes.listTagBindings resourcemanager.tagHolds.list resourcemanager.tagKeys.get resourcemanager.tagKeys.list resourcemanager.tagValues.get resourcemanager.tagValues.list run.services.listEffectiveTags run.services.listTagBindings storage.buckets.listTagBindings
Resource Settings Administrator roles/resourcesettings.admin Provides admin capabilities to set Resource Setting Values on resources.	resourcesettings.*
Resource Settings Viewer roles/resourcesettings.viewer Provides capabilities to view Resource Settings and Resource Setting Values on resources.	resourcesettings.settings.get resourcesettings.settings.list
Risk Manager Admin roles/riskmanager.admin Grants all Risk Manager permissions	resourcemanager.projects.get resourcemanager.projects.list riskmanager.*
Risk Manager Editor roles/riskmanager.editor Access to edit Risk Manager resources	resourcemanager.projects.get resourcemanager.projects.list riskmanager.operations.* riskmanager.policies.* riskmanager.reports.create riskmanager.reports.delete riskmanager.reports.get riskmanager.reports.list riskmanager.serviceAccount.* riskmanager.settings.*
Risk Manager Report Reviewer roles/riskmanager.reviewer Access to review Risk Manager reports	resourcemanager.projects.get resourcemanager.projects.list riskmanager.operations.get riskmanager.operations.list riskmanager.reports.get riskmanager.reports.list riskmanager.reports.review
Risk Manager Viewer roles/riskmanager.viewer Access to view Risk Manager resources	resourcemanager.projects.get resourcemanager.projects.list riskmanager.operations.get riskmanager.operations.list riskmanager.policies.* riskmanager.reports.get riskmanager.reports.list riskmanager.settings.get
Organization Role Administrator roles/iam.organizationRoleAdmin Provides access to administer all custom roles in the organization and the projects below it.	iam.roles.* resourcemanager.organizations.get resourcemanager.organizations.getIamPolicy resourcemanager.projects.get resourcemanager.projects.getIamPolicy resourcemanager.projects.list
Organization Role Viewer roles/iam.organizationRoleViewer Provides read access to all custom roles in the organization and the projects below it.	iam.roles.get iam.roles.list resourcemanager.organizations.get resourcemanager.organizations.getIamPolicy resourcemanager.projects.get resourcemanager.projects.getIamPolicy resourcemanager.projects.list
Role Administrator roles/iam.roleAdmin Provides access to all custom roles in the project.	iam.roles.* resourcemanager.projects.get resourcemanager.projects.getIamPolicy
Role Viewer roles/iam.roleViewer Provides read access to all custom roles in the project.	iam.roles.get iam.roles.list resourcemanager.projects.get resourcemanager.projects.getIamPolicy
Secret Manager Admin roles/secretmanager.admin Full access to administer Secret Manager resources.	resourcemanager.projects.get resourcemanager.projects.list secretmanager.*
Secret Manager Secret Accessor roles/secretmanager.secretAccessor Allows accessing the payload of secrets.	resourcemanager.projects.get resourcemanager.projects.list secretmanager.versions.access
Secret Manager Secret Version Adder roles/secretmanager.secretVersionAdder Allows adding versions to existing secrets.	resourcemanager.projects.get resourcemanager.projects.list secretmanager.versions.add
Secret Manager Secret Version Manager roles/secretmanager.secretVersionManager Allows creating and managing versions of existing secrets.	resourcemanager.projects.get resourcemanager.projects.list secretmanager.versions.add secretmanager.versions.destroy secretmanager.versions.disable secretmanager.versions.enable secretmanager.versions.get secretmanager.versions.list
Secret Manager Viewer roles/secretmanager.viewer Allows viewing metadata of all Secret Manager resources	resourcemanager.projects.get resourcemanager.projects.list secretmanager.locations.* secretmanager.secrets.get secretmanager.secrets.getIamPolicy secretmanager.secrets.list secretmanager.versions.get secretmanager.versions.list
Security Center Admin roles/securitycenter.admin Admin(super user) access to security center	appengine.applications.get cloudsecurityscanner.* compute.addresses.list resourcemanager.folders.get resourcemanager.folders.list resourcemanager.organizations.get resourcemanager.projects.get resourcemanager.projects.list securitycenter.* serviceusage.quotas.get serviceusage.services.get serviceusage.services.list
Security Center Admin Editor roles/securitycenter.adminEditor Admin Read-write access to security center	appengine.applications.get cloudsecurityscanner.* compute.addresses.list resourcemanager.folders.get resourcemanager.folders.list resourcemanager.organizations.get resourcemanager.projects.get resourcemanager.projects.list securitycenter.assets.* securitycenter.assetsecuritymarks.* securitycenter.bigQueryExports.* securitycenter.containerthreatdetectionsettings.calculate securitycenter.containerthreatdetectionsettings.get securitycenter.eventthreatdetectionsettings.calculate securitycenter.eventthreatdetectionsettings.get securitycenter.findingexternalsystems.* securitycenter.findings.* securitycenter.findingsecuritymarks.* securitycenter.muteconfigs.* securitycenter.notificationconfig.* securitycenter.organizationsettings.get securitycenter.securitycentersettings.get securitycenter.securityhealthanalyticssettings.calculate securitycenter.securityhealthanalyticssettings.get securitycenter.sources.get securitycenter.sources.list securitycenter.sources.update securitycenter.subscription.* securitycenter.userinterfacemetadata.* securitycenter.virtualmachinethreatdetectionsettings.calculate securitycenter.virtualmachinethreatdetectionsettings.get securitycenter.websecurityscannersettings.calculate securitycenter.websecurityscannersettings.get serviceusage.quotas.get serviceusage.services.get serviceusage.services.list
Security Center Admin Viewer roles/securitycenter.adminViewer Admin Read access to security center	cloudsecurityscanner.crawledurls.* cloudsecurityscanner.results.* cloudsecurityscanner.scanruns.get cloudsecurityscanner.scanruns.getSummary cloudsecurityscanner.scanruns.list cloudsecurityscanner.scans.get cloudsecurityscanner.scans.list resourcemanager.folders.get resourcemanager.folders.list resourcemanager.organizations.get resourcemanager.projects.get resourcemanager.projects.list securitycenter.assets.group securitycenter.assets.list securitycenter.assets.listAssetPropertyNames securitycenter.bigQueryExports.get securitycenter.bigQueryExports.list securitycenter.containerthreatdetectionsettings.calculate securitycenter.containerthreatdetectionsettings.get securitycenter.eventthreatdetectionsettings.calculate securitycenter.eventthreatdetectionsettings.get securitycenter.findings.group securitycenter.findings.list securitycenter.findings.listFindingPropertyNames securitycenter.muteconfigs.get securitycenter.muteconfigs.list securitycenter.notificationconfig.get securitycenter.notificationconfig.list securitycenter.organizationsettings.get securitycenter.securitycentersettings.get securitycenter.securityhealthanalyticssettings.calculate securitycenter.securityhealthanalyticssettings.get securitycenter.sources.get securitycenter.sources.list securitycenter.subscription.* securitycenter.userinterfacemetadata.* securitycenter.virtualmachinethreatdetectionsettings.calculate securitycenter.virtualmachinethreatdetectionsettings.get securitycenter.websecurityscannersettings.calculate securitycenter.websecurityscannersettings.get serviceusage.quotas.get serviceusage.services.get serviceusage.services.list
Security Center Asset Security Marks Writer roles/securitycenter.assetSecurityMarksWriter Write access to asset security marks	securitycenter.assetsecuritymarks.* securitycenter.userinterfacemetadata.*
Security Center Assets Discovery Runner roles/securitycenter.assetsDiscoveryRunner Run asset discovery access to assets	securitycenter.assets.runDiscovery securitycenter.userinterfacemetadata.*
Security Center Assets Viewer roles/securitycenter.assetsViewer Read access to assets	resourcemanager.folders.get resourcemanager.organizations.get resourcemanager.projects.get securitycenter.assets.group securitycenter.assets.list securitycenter.assets.listAssetPropertyNames securitycenter.userinterfacemetadata.*
Security Center BigQuery Exports Editor roles/securitycenter.bigQueryExportsEditor Read-Write access to security center BigQuery Exports	resourcemanager.folders.get resourcemanager.folders.list resourcemanager.organizations.get resourcemanager.projects.get resourcemanager.projects.list securitycenter.bigQueryExports.*
Security Center BigQuery Exports Viewer roles/securitycenter.bigQueryExportsViewer Read access to security center BigQuery Exports	resourcemanager.folders.get resourcemanager.folders.list resourcemanager.organizations.get resourcemanager.projects.get resourcemanager.projects.list securitycenter.bigQueryExports.get securitycenter.bigQueryExports.list
Security Center External Systems Editor roles/securitycenter.externalSystemsEditor Write access to security center external systems	securitycenter.findingexternalsystems.*
Security Center Finding Security Marks Writer roles/securitycenter.findingSecurityMarksWriter Write access to finding security marks	securitycenter.findingsecuritymarks.* securitycenter.userinterfacemetadata.*
Security Center Findings Bulk Mute Editor roles/securitycenter.findingsBulkMuteEditor Ability to mute findings in bulk	securitycenter.findings.bulkMuteUpdate
Security Center Findings Editor roles/securitycenter.findingsEditor Read-write access to findings	resourcemanager.folders.get resourcemanager.organizations.get resourcemanager.projects.get securitycenter.findings.bulkMuteUpdate securitycenter.findings.group securitycenter.findings.list securitycenter.findings.listFindingPropertyNames securitycenter.findings.setMute securitycenter.findings.setState securitycenter.findings.update securitycenter.sources.get securitycenter.sources.list securitycenter.userinterfacemetadata.*
Security Center Findings Mute Setter roles/securitycenter.findingsMuteSetter Set mute access to findings	securitycenter.findings.setMute
Security Center Findings State Setter roles/securitycenter.findingsStateSetter Set state access to findings	securitycenter.findings.setState securitycenter.userinterfacemetadata.*
Security Center Findings Viewer roles/securitycenter.findingsViewer Read access to findings	resourcemanager.folders.get resourcemanager.organizations.get resourcemanager.projects.get securitycenter.findings.group securitycenter.findings.list securitycenter.findings.listFindingPropertyNames securitycenter.sources.get securitycenter.sources.list securitycenter.userinterfacemetadata.*
Security Center Findings Workflow State Setter roles/securitycenter.findingsWorkflowStateSetter Set workflow state access to findings	securitycenter.findings.setWorkflowState securitycenter.userinterfacemetadata.*
Security Center Mute Configurations Editor roles/securitycenter.muteConfigsEditor Read-Write access to security center mute configurations	securitycenter.muteconfigs.*
Security Center Mute Configurations Viewer roles/securitycenter.muteConfigsViewer Read access to security center mute configurations	securitycenter.muteconfigs.get securitycenter.muteconfigs.list
Security Center Notification Configurations Editor roles/securitycenter.notificationConfigEditor Write access to notification configurations	securitycenter.notificationconfig.* securitycenter.userinterfacemetadata.*
Security Center Notification Configurations Viewer roles/securitycenter.notificationConfigViewer Read access to notification configurations	securitycenter.notificationconfig.get securitycenter.notificationconfig.list securitycenter.userinterfacemetadata.*
Security Center Settings Admin roles/securitycenter.settingsAdmin Admin(super user) access to security center settings	resourcemanager.folders.get resourcemanager.folders.list resourcemanager.organizations.get resourcemanager.projects.get resourcemanager.projects.list securitycenter.bigQueryExports.* securitycenter.containerthreatdetectionsettings.* securitycenter.eventthreatdetectionsettings.* securitycenter.muteconfigs.* securitycenter.notificationconfig.* securitycenter.organizationsettings.* securitycenter.securitycentersettings.* securitycenter.securityhealthanalyticssettings.* securitycenter.subscription.* securitycenter.userinterfacemetadata.* securitycenter.virtualmachinethreatdetectionsettings.* securitycenter.websecurityscannersettings.*
Security Center Settings Editor roles/securitycenter.settingsEditor Read-Write access to security center settings	resourcemanager.folders.get resourcemanager.folders.list resourcemanager.organizations.get resourcemanager.projects.get resourcemanager.projects.list securitycenter.bigQueryExports.* securitycenter.containerthreatdetectionsettings.* securitycenter.eventthreatdetectionsettings.* securitycenter.muteconfigs.* securitycenter.notificationconfig.* securitycenter.organizationsettings.* securitycenter.securitycentersettings.* securitycenter.securityhealthanalyticssettings.* securitycenter.subscription.* securitycenter.userinterfacemetadata.* securitycenter.virtualmachinethreatdetectionsettings.* securitycenter.websecurityscannersettings.*
Security Center Settings Viewer roles/securitycenter.settingsViewer Read access to security center settings	resourcemanager.folders.get resourcemanager.folders.list resourcemanager.organizations.get resourcemanager.projects.get resourcemanager.projects.list securitycenter.bigQueryExports.get securitycenter.bigQueryExports.list securitycenter.containerthreatdetectionsettings.calculate securitycenter.containerthreatdetectionsettings.get securitycenter.eventthreatdetectionsettings.calculate securitycenter.eventthreatdetectionsettings.get securitycenter.muteconfigs.get securitycenter.muteconfigs.list securitycenter.notificationconfig.get securitycenter.notificationconfig.list securitycenter.organizationsettings.get securitycenter.securitycentersettings.get securitycenter.securityhealthanalyticssettings.calculate securitycenter.securityhealthanalyticssettings.get securitycenter.subscription.* securitycenter.userinterfacemetadata.* securitycenter.virtualmachinethreatdetectionsettings.calculate securitycenter.virtualmachinethreatdetectionsettings.get securitycenter.websecurityscannersettings.calculate securitycenter.websecurityscannersettings.get
Security Center Sources Admin roles/securitycenter.sourcesAdmin Admin access to sources	resourcemanager.organizations.get securitycenter.sources.* securitycenter.userinterfacemetadata.*
Security Center Sources Editor roles/securitycenter.sourcesEditor Read-write access to sources	resourcemanager.organizations.get securitycenter.sources.get securitycenter.sources.list securitycenter.sources.update securitycenter.userinterfacemetadata.*
Security Center Sources Viewer roles/securitycenter.sourcesViewer Read access to sources	resourcemanager.organizations.get securitycenter.sources.get securitycenter.sources.list securitycenter.userinterfacemetadata.*
Serverless VPC Access Admin roles/vpcaccess.admin Full access to all Serverless VPC Access resources	resourcemanager.projects.get resourcemanager.projects.list vpcaccess.*
Serverless VPC Access User roles/vpcaccess.user User of Serverless VPC Access connectors	compute.networks.access resourcemanager.projects.get resourcemanager.projects.list vpcaccess.connectors.get vpcaccess.connectors.list vpcaccess.connectors.use vpcaccess.locations.* vpcaccess.operations.*
Serverless VPC Access Viewer roles/vpcaccess.viewer Viewer of all Serverless VPC Access resources	resourcemanager.projects.get resourcemanager.projects.list vpcaccess.connectors.get vpcaccess.connectors.list vpcaccess.locations.* vpcaccess.operations.*
Service Account Admin roles/iam.serviceAccountAdmin Create and manage service accounts.	iam.serviceAccounts.create iam.serviceAccounts.delete iam.serviceAccounts.disable iam.serviceAccounts.enable iam.serviceAccounts.get iam.serviceAccounts.getIamPolicy iam.serviceAccounts.list iam.serviceAccounts.setIamPolicy iam.serviceAccounts.undelete iam.serviceAccounts.update resourcemanager.projects.get resourcemanager.projects.list
Create Service Accounts roles/iam.serviceAccountCreator Access to create service accounts.	iam.serviceAccounts.create iam.serviceAccounts.get iam.serviceAccounts.list resourcemanager.projects.get resourcemanager.projects.list
Delete Service Accounts roles/iam.serviceAccountDeleter Access to delete service accounts.	iam.serviceAccounts.delete iam.serviceAccounts.get iam.serviceAccounts.list resourcemanager.projects.get resourcemanager.projects.list
Service Account Key Admin roles/iam.serviceAccountKeyAdmin Create and manage (and rotate) service account keys.	iam.serviceAccountKeys.* iam.serviceAccounts.get iam.serviceAccounts.list resourcemanager.projects.get resourcemanager.projects.list
Service Account Token Creator roles/iam.serviceAccountTokenCreator Impersonate service accounts (create OAuth2 access tokens, sign blobs or JWTs, etc).	iam.serviceAccounts.get iam.serviceAccounts.getAccessToken iam.serviceAccounts.getOpenIdToken iam.serviceAccounts.implicitDelegation iam.serviceAccounts.list iam.serviceAccounts.signBlob iam.serviceAccounts.signJwt resourcemanager.projects.get resourcemanager.projects.list
Service Account User roles/iam.serviceAccountUser Run operations as the service account.	iam.serviceAccounts.actAs iam.serviceAccounts.get iam.serviceAccounts.list resourcemanager.projects.get resourcemanager.projects.list
View Service Accounts roles/iam.serviceAccountViewer Read access to service accounts, metadata, and keys.	iam.serviceAccountKeys.get iam.serviceAccountKeys.list iam.serviceAccounts.get iam.serviceAccounts.getIamPolicy iam.serviceAccounts.list resourcemanager.projects.get resourcemanager.projects.list
Workload Identity User roles/iam.workloadIdentityUser Impersonate service accounts from GKE Workloads	iam.serviceAccounts.get iam.serviceAccounts.getAccessToken iam.serviceAccounts.getOpenIdToken iam.serviceAccounts.list
Vertex AI Custom Code Service Agent roles/aiplatform.customCodeServiceAgent Gives Vertex AI Custom Code the proper permissions.	aiplatform.annotationSpecs.* aiplatform.annotations.* aiplatform.artifacts.* aiplatform.batchPredictionJobs.* aiplatform.contexts.* aiplatform.customJobs.* aiplatform.dataItems.* aiplatform.dataLabelingJobs.* aiplatform.datasets.* aiplatform.deploymentResourcePools.* aiplatform.edgeDeploymentJobs.* aiplatform.edgeDeviceDebugInfo.* aiplatform.edgeDevices.* aiplatform.endpoints.* aiplatform.entityTypes.* aiplatform.executions.* aiplatform.features.* aiplatform.featurestores.* aiplatform.humanInTheLoops.* aiplatform.hyperparameterTuningJobs.* aiplatform.indexEndpoints.* aiplatform.indexes.* aiplatform.locations.* aiplatform.metadataSchemas.* aiplatform.metadataStores.* aiplatform.modelDeploymentMonitoringJobs.* aiplatform.modelEvaluationSlices.* aiplatform.modelEvaluations.* aiplatform.models.* aiplatform.nasJobs.* aiplatform.operations.* aiplatform.pipelineJobs.* aiplatform.specialistPools.* aiplatform.studies.* aiplatform.tensorboardExperiments.* aiplatform.tensorboardRuns.* aiplatform.tensorboardTimeSeries.* aiplatform.tensorboards.create aiplatform.tensorboards.delete aiplatform.tensorboards.get aiplatform.tensorboards.list aiplatform.tensorboards.update aiplatform.trainingPipelines.* aiplatform.trials.* artifactregistry.repositories.downloadArtifacts artifactregistry.repositories.get artifactregistry.repositories.list artifactregistry.tags.get artifactregistry.versions.get bigquery.datasets.create bigquery.datasets.get bigquery.jobs.create bigquery.jobs.get bigquery.readsessions.create bigquery.readsessions.getData bigquery.tables.create bigquery.tables.export bigquery.tables.get bigquery.tables.getData bigquery.tables.update bigquery.tables.updateData iam.serviceAccounts.get iam.serviceAccounts.getAccessToken iam.serviceAccounts.getOpenIdToken iam.serviceAccounts.implicitDelegation iam.serviceAccounts.list iam.serviceAccounts.signBlob iam.serviceAccounts.signJwt logging.logEntries.create resourcemanager.projects.get resourcemanager.projects.list serviceusage.services.use storage.buckets.create storage.buckets.delete storage.buckets.get storage.buckets.list storage.objects.create storage.objects.delete storage.objects.get storage.objects.list storage.objects.update
Vertex AI Service Agent roles/aiplatform.serviceAgent Gives Vertex AI the permissions it needs to function.	aiplatform.annotationSpecs.* aiplatform.annotations.* aiplatform.artifacts.* aiplatform.batchPredictionJobs.* aiplatform.contexts.* aiplatform.customJobs.* aiplatform.dataItems.* aiplatform.dataLabelingJobs.* aiplatform.datasets.* aiplatform.deploymentResourcePools.* aiplatform.edgeDeploymentJobs.* aiplatform.edgeDeviceDebugInfo.* aiplatform.edgeDevices.* aiplatform.endpoints.* aiplatform.entityTypes.* aiplatform.executions.* aiplatform.features.* aiplatform.featurestores.* aiplatform.humanInTheLoops.* aiplatform.hyperparameterTuningJobs.* aiplatform.indexEndpoints.* aiplatform.indexes.* aiplatform.locations.* aiplatform.metadataSchemas.* aiplatform.metadataStores.* aiplatform.modelDeploymentMonitoringJobs.* aiplatform.modelEvaluationSlices.* aiplatform.modelEvaluations.* aiplatform.models.* aiplatform.nasJobs.* aiplatform.operations.* aiplatform.pipelineJobs.* aiplatform.specialistPools.* aiplatform.studies.* aiplatform.tensorboardExperiments.* aiplatform.tensorboardRuns.* aiplatform.tensorboardTimeSeries.* aiplatform.tensorboards.create aiplatform.tensorboards.delete aiplatform.tensorboards.get aiplatform.tensorboards.list aiplatform.tensorboards.update aiplatform.trainingPipelines.* aiplatform.trials.* artifactregistry.repositories.create artifactregistry.repositories.downloadArtifacts artifactregistry.repositories.get artifactregistry.repositories.list artifactregistry.repositories.uploadArtifacts artifactregistry.tags.get artifactregistry.versions.get automl.datasets.export automl.datasets.get automl.datasets.list automl.modelEvaluations.list automl.models.get automl.models.list automl.operations.get automl.tableSpecs.get bigquery.datasets.create bigquery.datasets.get bigquery.jobs.create bigquery.jobs.get bigquery.models.export bigquery.readsessions.create bigquery.tables.create bigquery.tables.export bigquery.tables.get bigquery.tables.getData bigquery.tables.update bigquery.tables.updateData bigtable.tables.get bigtable.tables.list bigtable.tables.readRows compute.machineTypes.get dataflow.jobs.* dataflow.messages.* dataflow.metrics.* dataflow.snapshots.* datalabeling.annotateddatasets.get datalabeling.datasets.export datalabeling.datasets.get datalabeling.datasets.list datalabeling.operations.get iam.serviceAccounts.actAs iam.serviceAccounts.getAccessToken logging.logEntries.create ml.models.list ml.operations.get ml.versions.get ml.versions.list resourcemanager.projects.get resourcemanager.projects.list serviceusage.services.use storage.buckets.create storage.buckets.delete storage.buckets.get storage.buckets.list storage.objects.create storage.objects.delete storage.objects.get storage.objects.list storage.objects.update
Anthos Service Agent roles/anthos.serviceAgent Gives the Anthos service agent access to Google Cloud resources.	gkehub.features.get gkehub.locations.* gkehub.memberships.get gkehub.memberships.list serviceusage.services.get serviceusage.services.list
Anthos Audit Service Agent roles/anthosaudit.serviceAgent Gives the Anthos Audit service agent access to Cloud Platform resources.	gkehub.features.get gkehub.locations.* gkehub.memberships.get gkehub.memberships.list
Anthos Config Management Service Agent roles/anthosconfigmanagement.serviceAgent Gives the Anthos Config Management service agent access to Google Cloud resources.	gkehub.features.get gkehub.locations.* gkehub.memberships.get gkehub.memberships.list
Anthos Identity Service Agent roles/anthosidentityservice.serviceAgent Gives the Anthos Identity service agent access to Google Cloud resources.	gkehub.features.get gkehub.locations.* gkehub.memberships.get gkehub.memberships.list
Anthos Service Mesh Service Agent roles/anthosservicemesh.serviceAgent Gives the Anthos Service Mesh service agent access to Cloud Platform resources.	container.backendConfigs.* container.clusterRoleBindings.* container.clusterRoles.* container.clusters.get container.configMaps.* container.customResourceDefinitions.create container.customResourceDefinitions.get container.customResourceDefinitions.list container.customResourceDefinitions.update container.daemonSets.create container.daemonSets.delete container.daemonSets.get container.daemonSets.getStatus container.daemonSets.list container.daemonSets.update container.deployments.get container.deployments.list container.events.get container.events.list container.mutatingWebhookConfigurations.create container.mutatingWebhookConfigurations.get container.mutatingWebhookConfigurations.list container.mutatingWebhookConfigurations.update container.namespaces.create container.namespaces.get container.namespaces.list container.pods.get container.pods.list container.secrets.* container.serviceAccounts.create container.serviceAccounts.delete container.serviceAccounts.get container.serviceAccounts.list container.serviceAccounts.update container.services.get container.services.list container.thirdPartyObjects.create container.thirdPartyObjects.get container.thirdPartyObjects.list container.thirdPartyObjects.update container.validatingWebhookConfigurations.create container.validatingWebhookConfigurations.get container.validatingWebhookConfigurations.list container.validatingWebhookConfigurations.update gkehub.features.get gkehub.locations.* gkehub.memberships.get gkehub.memberships.list meshconfig.projects.init
Anthos Support Service Agent roles/anthossupport.serviceAgent Gives the Anthos Support Service Agent access to Cloud Platform resource.	gkehub.features.get gkehub.features.getIamPolicy gkehub.features.list gkehub.fleet.get gkehub.gateway.get gkehub.locations.* gkehub.memberships.generateConnectManifest gkehub.memberships.get gkehub.memberships.getIamPolicy gkehub.memberships.list gkehub.operations.get gkehub.operations.list resourcemanager.projects.get resourcemanager.projects.list serviceusage.services.get
Cloud API Gateway Service Agent roles/apigateway.serviceAgent Gives Cloud API Gateway service account access to Service Management check and reports as well as impersonation on user-specified service accounts.	iam.serviceAccounts.getAccessToken iam.serviceAccounts.getOpenIdToken servicemanagement.services.check servicemanagement.services.quota servicemanagement.services.report
Cloud API Gateway Management Service Agent roles/apigateway_management.serviceAgent Gives Cloud API Gateway service account access to retrieve a Service configuration.	iam.serviceAccounts.get servicemanagement.services.create servicemanagement.services.delete servicemanagement.services.get servicemanagement.services.list servicemanagement.services.update serviceusage.services.get
Apigee Service Agent roles/apigee.serviceAgent Service agent that grants access to Apigee resources - API Products, Developers, Developer Apps, and App Keys.	apigee.apiproducts.get apigee.apiproducts.list apigee.appkeys.create apigee.appkeys.delete apigee.appkeys.manage apigee.apps.get apigee.canaryevaluations.* apigee.developerapps.* apigee.developers.create apigee.developers.get apigee.environments.get apigee.environments.getDataLocation apigee.environments.manageRuntime apigee.ingressconfigs.* apigee.instances.reportStatus apigee.operations.* apigee.organizations.get apigee.proxyrevisions.get apigee.runtimeconfigs.* cloudtrace.traces.patch iam.serviceAccounts.getAccessToken iam.serviceAccounts.getOpenIdToken logging.buckets.create logging.buckets.get logging.buckets.list logging.views.create logging.views.get logging.views.list monitoring.metricDescriptors.create monitoring.metricDescriptors.get monitoring.metricDescriptors.list monitoring.monitoredResourceDescriptors.* monitoring.timeSeries.create
App Development Experience Service Agent roles/appdevelopmentexperience.serviceAgent Give the App Development Experience service agent access to Cloud Platform resources.	container.clusters.get container.clusters.update gkehub.features.get gkehub.locations.* gkehub.memberships.get gkehub.memberships.list
App Engine flexible environment Service Agent roles/appengineflex.serviceAgent Can edit and manage App Engine Flexible Environment apps. Includes access to service accounts.	billing.accounts.get cloudbuild.builds.create cloudbuild.builds.get compute.addresses.create compute.addresses.delete compute.addresses.get compute.addresses.list compute.addresses.use compute.autoscalers.create compute.autoscalers.delete compute.autoscalers.get compute.autoscalers.update compute.backendServices.create compute.backendServices.delete compute.backendServices.get compute.backendServices.list compute.backendServices.update compute.backendServices.use compute.disks.list compute.firewalls.* compute.forwardingRules.create compute.forwardingRules.delete compute.forwardingRules.get compute.globalAddresses.create compute.globalAddresses.delete compute.globalAddresses.get compute.globalAddresses.use compute.globalForwardingRules.create compute.globalForwardingRules.delete compute.globalForwardingRules.get compute.globalOperations.get compute.healthChecks.create compute.healthChecks.delete compute.healthChecks.get compute.healthChecks.update compute.healthChecks.useReadOnly compute.httpHealthChecks.create compute.httpHealthChecks.delete compute.httpHealthChecks.get compute.httpHealthChecks.use compute.httpHealthChecks.useReadOnly compute.httpsHealthChecks.create compute.httpsHealthChecks.delete compute.httpsHealthChecks.get compute.httpsHealthChecks.update compute.httpsHealthChecks.use compute.httpsHealthChecks.useReadOnly compute.images.get compute.images.useReadOnly compute.instanceGroupManagers.create compute.instanceGroupManagers.delete compute.instanceGroupManagers.get compute.instanceGroupManagers.update compute.instanceGroupManagers.use compute.instanceGroups.create compute.instanceGroups.delete compute.instanceGroups.get compute.instanceGroups.update compute.instanceTemplates.create compute.instanceTemplates.delete compute.instanceTemplates.get compute.instanceTemplates.useReadOnly compute.instances.attachDisk compute.instances.create compute.instances.delete compute.instances.detachDisk compute.instances.get compute.instances.getGuestAttributes compute.instances.getSerialPortOutput compute.instances.list compute.instances.reset compute.instances.setLabels compute.instances.setMetadata compute.instances.setTags compute.instances.start compute.instances.stop compute.instances.use compute.machineTypes.get compute.networks.create compute.networks.delete compute.networks.get compute.networks.updatePolicy compute.networks.use compute.networks.useExternalIp compute.projects.get compute.projects.setCommonInstanceMetadata compute.regionBackendServices.create compute.regionBackendServices.delete compute.regionBackendServices.get compute.regionBackendServices.list compute.regionBackendServices.update compute.regionBackendServices.use compute.regionOperations.get compute.regions.get compute.routes.get compute.routes.list compute.subnetworks.delete compute.subnetworks.get compute.targetHttpProxies.create compute.targetHttpProxies.delete compute.targetHttpProxies.get compute.targetHttpProxies.use compute.targetHttpsProxies.create compute.targetHttpsProxies.delete compute.targetHttpsProxies.get compute.targetHttpsProxies.setSslCertificates compute.targetHttpsProxies.use compute.urlMaps.create compute.urlMaps.delete compute.urlMaps.get compute.urlMaps.update compute.urlMaps.use compute.zoneOperations.get compute.zoneOperations.list compute.zones.* deploymentmanager.compositeTypes.get deploymentmanager.deployments.create deploymentmanager.deployments.delete deploymentmanager.deployments.get deploymentmanager.deployments.list deploymentmanager.deployments.update deploymentmanager.manifests.* deploymentmanager.operations.* deploymentmanager.typeProviders.create deploymentmanager.typeProviders.get iam.serviceAccounts.actAs iam.serviceAccounts.get iam.serviceAccounts.getAccessToken iam.serviceAccounts.signBlob iam.serviceAccounts.signJwt logging.logEntries.create logging.logMetrics.create logging.logMetrics.delete logging.logMetrics.get logging.logMetrics.update resourcemanager.organizations.get resourcemanager.projects.get resourcemanager.projects.getIamPolicy resourcemanager.projects.setIamPolicy storage.buckets.create storage.buckets.delete storage.buckets.get storage.buckets.getIamPolicy storage.buckets.setIamPolicy storage.buckets.update storage.objects.create storage.objects.delete storage.objects.get storage.objects.getIamPolicy storage.objects.list
Artifact Registry Service Agent roles/artifactregistry.serviceAgent Gives the Artifact Registry service account access to managed resources.	artifactregistry.repositories.downloadArtifacts pubsub.topics.publish
Assured Workloads Service Agent roles/assuredworkloads.serviceAgent Gives the Assured Workloads service account access to create KMS keyrings and keys, and to monitor Assured Workloads.	cloudkms.cryptoKeys.create cloudkms.keyRings.create serviceusage.services.enable serviceusage.services.use
AutoML Service Agent roles/automl.serviceAgent AutoML service agent can act as Cloud Storage admin and export BigQuery tables, which can be backed by Cloud Storage and Cloud Bigtable.	bigquery.datasets.create bigquery.datasets.get bigquery.jobs.create bigquery.tables.create bigquery.tables.export bigquery.tables.get bigquery.tables.getData bigquery.tables.update bigquery.tables.updateData bigtable.tables.get bigtable.tables.list bigtable.tables.readRows serviceusage.services.use storage.buckets.get storage.objects.create storage.objects.delete storage.objects.get storage.objects.list storage.objects.update
Recommendations AI Service Agent roles/automlrecommendations.serviceAgent Recommendations AI service uploads catalog feeds from Cloud Storage, reports results to the customer Cloud Storage bucket, writes logs to customer projects, and writes and reads Stackdriver metrics for customer projects.	bigquery.datasets.create bigquery.datasets.get bigquery.jobs.create bigquery.jobs.get bigquery.jobs.list bigquery.jobs.update bigquery.tables.create bigquery.tables.export bigquery.tables.get bigquery.tables.getData bigquery.tables.list bigquery.tables.updateData cloudnotifications.* dataflow.jobs.* dataflow.messages.* dataflow.metrics.* logging.logEntries.create monitoring.alertPolicies.get monitoring.alertPolicies.list monitoring.dashboards.get monitoring.dashboards.list monitoring.groups.get monitoring.groups.list monitoring.metricDescriptors.create monitoring.metricDescriptors.get monitoring.metricDescriptors.list monitoring.monitoredResourceDescriptors.* monitoring.notificationChannelDescriptors.* monitoring.notificationChannels.get monitoring.notificationChannels.list monitoring.publicWidgets.get monitoring.publicWidgets.list monitoring.services.get monitoring.services.list monitoring.slos.get monitoring.slos.list monitoring.timeSeries.* monitoring.uptimeCheckConfigs.get monitoring.uptimeCheckConfigs.list opsconfigmonitoring.resourceMetadata.list resourcemanager.projects.get resourcemanager.projects.list stackdriver.projects.get storage.buckets.create storage.buckets.get storage.objects.create storage.objects.delete storage.objects.get storage.objects.list storage.objects.update
BigQuery Connection Service Agent roles/bigqueryconnection.serviceAgent Gives BigQuery Connection Service access to Cloud SQL instances in user projects.	cloudsql.instances.connect cloudsql.instances.get logging.logEntries.create monitoring.metricDescriptors.create monitoring.metricDescriptors.get monitoring.metricDescriptors.list monitoring.monitoredResourceDescriptors.* monitoring.timeSeries.create
BigQuery Data Transfer Service Agent roles/bigquerydatatransfer.serviceAgent Gives BigQuery Data Transfer Service access to start BigQuery jobs in consumer project.	bigquery.config.get bigquery.jobs.create iam.serviceAccounts.getAccessToken logging.logEntries.create resourcemanager.projects.get resourcemanager.projects.list
Binary Authorization Service Agent roles/binaryauthorization.serviceAgent Can read Notes and Occurrences from the Container Analysis Service to find and verify signatures.	binaryauthorization.attestors.get binaryauthorization.attestors.list binaryauthorization.attestors.verifyImageAttested cloudasset.assets.exportResource cloudasset.feeds.create cloudasset.feeds.delete cloudasset.feeds.get cloudasset.feeds.update containeranalysis.notes.get containeranalysis.notes.list containeranalysis.notes.listOccurrences containeranalysis.occurrences.get containeranalysis.occurrences.list resourcemanager.projects.get resourcemanager.projects.list
Cloud Asset Service Agent roles/cloudasset.serviceAgent Gives Cloud Asset service agent permissions to Cloud Storage and BigQuery for exporting Assets, and permission to publish to Cloud Pub/Sub topics for Asset Real Time Feed.	bigquery.datasets.get bigquery.jobs.create bigquery.jobs.get bigquery.tables.create bigquery.tables.delete bigquery.tables.get bigquery.tables.update bigquery.tables.updateData pubsub.topics.publish storage.buckets.create storage.buckets.get storage.buckets.getIamPolicy storage.objects.create storage.objects.delete storage.objects.get
Cloud Build Service Agent roles/cloudbuild.serviceAgent Gives Cloud Build service account access to managed resources.	artifactregistry.aptartifacts.* artifactregistry.dockerimages.* artifactregistry.files.* artifactregistry.packages.get artifactregistry.packages.list artifactregistry.repositories.downloadArtifacts artifactregistry.repositories.get artifactregistry.repositories.list artifactregistry.repositories.listEffectiveTags artifactregistry.repositories.listTagBindings artifactregistry.repositories.uploadArtifacts artifactregistry.tags.create artifactregistry.tags.get artifactregistry.tags.list artifactregistry.tags.update artifactregistry.versions.get artifactregistry.versions.list artifactregistry.yumartifacts.* binaryauthorization.attestors.create binaryauthorization.attestors.delete binaryauthorization.attestors.get binaryauthorization.attestors.list binaryauthorization.attestors.update binaryauthorization.attestors.verifyImageAttested cloudbuild.builds.create cloudbuild.builds.get cloudbuild.builds.list cloudbuild.builds.update cloudbuild.workerpools.use compute.firewalls.get compute.firewalls.list compute.networks.get compute.subnetworks.get containeranalysis.notes.attachOccurrence containeranalysis.notes.create containeranalysis.notes.delete containeranalysis.notes.get containeranalysis.notes.list containeranalysis.notes.update containeranalysis.occurrences.create containeranalysis.occurrences.delete containeranalysis.occurrences.get containeranalysis.occurrences.list containeranalysis.occurrences.update iam.serviceAccounts.get iam.serviceAccounts.getAccessToken logging.logEntries.create logging.logEntries.list logging.privateLogEntries.* logging.views.access pubsub.subscriptions.create pubsub.subscriptions.delete pubsub.subscriptions.get pubsub.subscriptions.update pubsub.topics.attachSubscription pubsub.topics.create pubsub.topics.publish remotebuildexecution.blobs.get resourcemanager.projects.get resourcemanager.projects.list serviceusage.services.use source.repos.get source.repos.list storage.buckets.create storage.buckets.get storage.buckets.list storage.objects.create storage.objects.delete storage.objects.get storage.objects.list storage.objects.update
Cloud Deploy Service Agent roles/clouddeploy.serviceAgent Gives Cloud Deploy Service Account access to managed resources.	cloudbuild.builds.create cloudbuild.builds.get cloudbuild.builds.list cloudbuild.workerpools.use iam.serviceAccounts.actAs logging.logEntries.create pubsub.topics.get pubsub.topics.publish servicemanagement.services.report serviceusage.services.use storage.buckets.create storage.buckets.get
Cloud Functions Service Agent roles/cloudfunctions.serviceAgent Gives Cloud Functions service account access to managed resources.	artifactregistry.* clientauthconfig.clients.list cloudbuild.builds.create cloudbuild.builds.get cloudbuild.builds.list cloudbuild.builds.update cloudbuild.workerpools.use cloudfunctions.functions.invoke compute.globalOperations.get compute.networks.access eventarc.locations.* eventarc.operations.* eventarc.triggers.create eventarc.triggers.delete eventarc.triggers.get eventarc.triggers.getIamPolicy eventarc.triggers.list eventarc.triggers.undelete eventarc.triggers.update firebasedatabase.instances.get firebasedatabase.instances.update iam.serviceAccounts.actAs iam.serviceAccounts.getAccessToken iam.serviceAccounts.getOpenIdToken iam.serviceAccounts.signBlob pubsub.subscriptions.* pubsub.topics.attachSubscription pubsub.topics.create pubsub.topics.get pubsub.topics.list recommender.locations.* remotebuildexecution.blobs.get resourcemanager.projects.get resourcemanager.projects.getIamPolicy resourcemanager.projects.list run.configurations.* run.locations.* run.revisions.* run.routes.* run.services.create run.services.delete run.services.get run.services.getIamPolicy run.services.list run.services.listEffectiveTags run.services.listTagBindings run.services.update serviceusage.quotas.get serviceusage.services.disable serviceusage.services.enable serviceusage.services.use source.repos.get source.repos.list storage.buckets.create storage.buckets.delete storage.buckets.get storage.buckets.update storage.objects.create storage.objects.delete storage.objects.get storage.objects.list vpcaccess.connectors.get vpcaccess.connectors.use
Cloud IoT Core Service Agent roles/cloudiot.serviceAgent Grants the ability to manage Cloud IoT Core resources, including publishing data to Cloud Pub/Sub and writing device activity logs to Stackdriver. Warning: If this role is removed from the Cloud IoT service account, Cloud IoT Core will be unable to publish data or write device activity logs.	logging.logEntries.create pubsub.topics.publish
Cloud KMS Service Agent roles/cloudkms.serviceAgent Gives Cloud KMS service account access to managed resources.	cloudasset.assets.listCloudkmsCryptoKeys
Cloud Optimization Service Agent roles/cloudoptimization.serviceAgent Grants Cloud Optimization Service Account access to read and write data in the user project.	storage.buckets.get storage.objects.create storage.objects.delete storage.objects.get storage.objects.list storage.objects.update
Cloud Scheduler Service Agent roles/cloudscheduler.serviceAgent Grants Cloud Scheduler Service Account access to manage resources.	iam.serviceAccounts.getAccessToken iam.serviceAccounts.getOpenIdToken logging.logEntries.create pubsub.topics.publish
Cloud SQL Service Agent roles/cloudsql.serviceAgent Grants Cloud SQL access to services and APIs in the user project	cloudsql.instances.get
Cloud Tasks Service Agent roles/cloudtasks.serviceAgent Grants Cloud Tasks Service Account access to manage resources.	iam.serviceAccounts.getAccessToken iam.serviceAccounts.getOpenIdToken logging.logEntries.create
Cloud TPU V2 API Service Agent roles/cloudtpu.serviceAgent Give Cloud TPUs service account access to managed resources	compute.acceleratorTypes.* compute.addresses.* compute.autoscalers.* compute.backendBuckets.* compute.backendServices.* compute.diskTypes.* compute.disks.* compute.externalVpnGateways.* compute.firewallPolicies.get compute.firewallPolicies.list compute.firewallPolicies.use compute.firewalls.* compute.forwardingRules.* compute.globalAddresses.* compute.globalForwardingRules.* compute.globalNetworkEndpointGroups.* compute.globalOperations.get compute.globalOperations.list compute.globalPublicDelegatedPrefixes.delete compute.globalPublicDelegatedPrefixes.get compute.globalPublicDelegatedPrefixes.list compute.globalPublicDelegatedPrefixes.update compute.globalPublicDelegatedPrefixes.updatePolicy compute.healthChecks.* compute.httpHealthChecks.* compute.httpsHealthChecks.* compute.images.* compute.instanceGroupManagers.* compute.instanceGroups.* compute.instanceTemplates.* compute.instances.* compute.interconnectAttachments.* compute.interconnectLocations.* compute.interconnects.* compute.licenseCodes.* compute.licenses.* compute.machineImages.* compute.machineTypes.* compute.networkEndpointGroups.* compute.networks.* compute.packetMirrorings.get compute.packetMirrorings.list compute.projects.get compute.projects.setCommonInstanceMetadata compute.publicDelegatedPrefixes.delete compute.publicDelegatedPrefixes.get compute.publicDelegatedPrefixes.list compute.publicDelegatedPrefixes.update compute.publicDelegatedPrefixes.updatePolicy compute.regionBackendServices.* compute.regionFirewallPolicies.get compute.regionFirewallPolicies.list compute.regionFirewallPolicies.use compute.regionHealthCheckServices.* compute.regionHealthChecks.* compute.regionNetworkEndpointGroups.* compute.regionNotificationEndpoints.* compute.regionOperations.get compute.regionOperations.list compute.regionSslCertificates.get compute.regionSslCertificates.list compute.regionTargetHttpProxies.* compute.regionTargetHttpsProxies.* compute.regionUrlMaps.* compute.regions.* compute.reservations.get compute.reservations.list compute.resourcePolicies.* compute.routers.* compute.routes.* compute.securityPolicies.get compute.securityPolicies.list compute.securityPolicies.use compute.serviceAttachments.* compute.snapshots.* compute.sslCertificates.get compute.sslCertificates.list compute.sslPolicies.* compute.subnetworks.* compute.targetGrpcProxies.* compute.targetHttpProxies.* compute.targetHttpsProxies.* compute.targetInstances.* compute.targetPools.* compute.targetSslProxies.* compute.targetTcpProxies.* compute.targetVpnGateways.* compute.urlMaps.* compute.vpnGateways.* compute.vpnTunnels.* compute.zoneOperations.get compute.zoneOperations.list compute.zones.* iam.serviceAccounts.actAs iam.serviceAccounts.get iam.serviceAccounts.list logging.logEntries.create monitoring.metricDescriptors.create monitoring.metricDescriptors.get monitoring.metricDescriptors.list monitoring.monitoredResourceDescriptors.* monitoring.timeSeries.create networkconnectivity.locations.* networkconnectivity.operations.* networksecurity.* networkservices.* pubsub.* resourcemanager.projects.get resourcemanager.projects.list servicedirectory.namespaces.create servicedirectory.namespaces.delete servicedirectory.services.create servicedirectory.services.delete servicenetworking.operations.get servicenetworking.services.addPeering servicenetworking.services.get serviceusage.quotas.get serviceusage.services.get serviceusage.services.list trafficdirector.*
Cloud Translation API Service Agent roles/cloudtranslate.serviceAgent Gives Cloud Translation Service Account access to consumer resources.	storage.buckets.get storage.objects.create storage.objects.get storage.objects.list
Compliance Scanning Service Agent roles/compliancescanning.ServiceAgent Gives Compliance Scanning the access it needs to analyze containers and VMs for compliance and create occurrences using the Container Analysis API	artifactregistry.dockerimages.* artifactregistry.files.* artifactregistry.packages.get artifactregistry.packages.list artifactregistry.repositories.downloadArtifacts artifactregistry.repositories.get artifactregistry.repositories.list artifactregistry.repositories.listEffectiveTags artifactregistry.repositories.listTagBindings artifactregistry.tags.get artifactregistry.tags.list artifactregistry.versions.get artifactregistry.versions.list compute.images.get compute.images.list compute.images.useReadOnly compute.instances.get compute.instances.getGuestAttributes compute.instances.list compute.zones.* containeranalysis.notes.attachOccurrence containeranalysis.notes.create containeranalysis.notes.delete containeranalysis.notes.get containeranalysis.notes.list containeranalysis.notes.update containeranalysis.occurrences.create containeranalysis.occurrences.delete containeranalysis.occurrences.get containeranalysis.occurrences.list containeranalysis.occurrences.update resourcemanager.projects.get resourcemanager.projects.list storage.objects.get storage.objects.list
Cloud Composer API Service Agent roles/composer.serviceAgent Cloud Composer API service agent can manage environments.	appengine.applications.get appengine.applications.update appengine.instances.* appengine.operations.* appengine.runtimes.* appengine.services.* appengine.versions.create appengine.versions.delete appengine.versions.get appengine.versions.list appengine.versions.update artifactregistry.repositories.create artifactregistry.repositories.delete artifactregistry.repositories.get artifactregistry.repositories.list artifactregistry.repositories.update cloudnotifications.* cloudsql.* compute.acceleratorTypes.* compute.addresses.* compute.autoscalers.* compute.backendBuckets.* compute.backendServices.* compute.diskTypes.* compute.disks.* compute.externalVpnGateways.* compute.firewallPolicies.get compute.firewallPolicies.list compute.firewallPolicies.use compute.firewalls.get compute.firewalls.list compute.forwardingRules.* compute.globalAddresses.* compute.globalForwardingRules.* compute.globalNetworkEndpointGroups.* compute.globalOperations.get compute.globalOperations.list compute.globalPublicDelegatedPrefixes.delete compute.globalPublicDelegatedPrefixes.get compute.globalPublicDelegatedPrefixes.list compute.globalPublicDelegatedPrefixes.update compute.globalPublicDelegatedPrefixes.updatePolicy compute.healthChecks.* compute.httpHealthChecks.* compute.httpsHealthChecks.* compute.images.* compute.instanceGroupManagers.* compute.instanceGroups.* compute.instanceTemplates.* compute.instances.* compute.interconnectAttachments.* compute.interconnectLocations.* compute.interconnects.* compute.licenseCodes.* compute.licenses.* compute.machineImages.* compute.machineTypes.* compute.networkEndpointGroups.* compute.networks.* compute.packetMirrorings.get compute.packetMirrorings.list compute.projects.get compute.projects.setCommonInstanceMetadata compute.publicDelegatedPrefixes.delete compute.publicDelegatedPrefixes.get compute.publicDelegatedPrefixes.list compute.publicDelegatedPrefixes.update compute.publicDelegatedPrefixes.updatePolicy compute.regionBackendServices.* compute.regionFirewallPolicies.get compute.regionFirewallPolicies.list compute.regionFirewallPolicies.use compute.regionHealthCheckServices.* compute.regionHealthChecks.* compute.regionNetworkEndpointGroups.* compute.regionNotificationEndpoints.* compute.regionOperations.get compute.regionOperations.list compute.regionSslCertificates.get compute.regionSslCertificates.list compute.regionTargetHttpProxies.* compute.regionTargetHttpsProxies.* compute.regionUrlMaps.* compute.regions.* compute.reservations.get compute.reservations.list compute.resourcePolicies.* compute.routers.* compute.routes.* compute.securityPolicies.get compute.securityPolicies.list compute.securityPolicies.use compute.serviceAttachments.* compute.snapshots.* compute.sslCertificates.get compute.sslCertificates.list compute.sslPolicies.* compute.subnetworks.* compute.targetGrpcProxies.* compute.targetHttpProxies.* compute.targetHttpsProxies.* compute.targetInstances.* compute.targetPools.* compute.targetSslProxies.* compute.targetTcpProxies.* compute.targetVpnGateways.* compute.urlMaps.* compute.vpnGateways.* compute.vpnTunnels.* compute.zoneOperations.get compute.zoneOperations.list compute.zones.* container.* deploymentmanager.compositeTypes.* deploymentmanager.deployments.cancelPreview deploymentmanager.deployments.create deploymentmanager.deployments.delete deploymentmanager.deployments.get deploymentmanager.deployments.list deploymentmanager.deployments.stop deploymentmanager.deployments.update deploymentmanager.manifests.* deploymentmanager.operations.* deploymentmanager.resources.* deploymentmanager.typeProviders.* deploymentmanager.types.* firebase.projects.get iam.serviceAccounts.actAs iam.serviceAccounts.get iam.serviceAccounts.list logging.buckets.create logging.buckets.delete logging.buckets.get logging.buckets.list logging.buckets.undelete logging.buckets.update logging.cmekSettings.* logging.exclusions.* logging.locations.* logging.logEntries.create logging.logMetrics.* logging.logServiceIndexes.* logging.logServices.* logging.logs.list logging.notificationRules.* logging.operations.* logging.sinks.* logging.views.create logging.views.delete logging.views.get logging.views.list logging.views.update monitoring.alertPolicies.get monitoring.alertPolicies.list monitoring.dashboards.get monitoring.dashboards.list monitoring.groups.get monitoring.groups.list monitoring.metricDescriptors.create monitoring.metricDescriptors.get monitoring.metricDescriptors.list monitoring.monitoredResourceDescriptors.* monitoring.notificationChannelDescriptors.* monitoring.notificationChannels.get monitoring.notificationChannels.list monitoring.publicWidgets.get monitoring.publicWidgets.list monitoring.services.get monitoring.services.list monitoring.slos.get monitoring.slos.list monitoring.timeSeries.* monitoring.uptimeCheckConfigs.get monitoring.uptimeCheckConfigs.list networkconnectivity.locations.* networkconnectivity.operations.* networksecurity.* networkservices.* opsconfigmonitoring.resourceMetadata.list orgpolicy.policy.get pubsub.* recommender.cloudsqlIdleInstanceRecommendations.* recommender.cloudsqlInstanceActivityInsights.* recommender.cloudsqlInstanceCpuUsageInsights.* recommender.cloudsqlInstanceDiskUsageTrendInsights.* recommender.cloudsqlInstanceMemoryUsageInsights.* recommender.cloudsqlInstanceOutOfDiskRecommendations.* recommender.cloudsqlOverprovisionedInstanceRecommendations.* resourcemanager.projects.get resourcemanager.projects.list servicedirectory.namespaces.create servicedirectory.namespaces.delete servicedirectory.services.create servicedirectory.services.delete servicenetworking.operations.get servicenetworking.services.addPeering servicenetworking.services.get serviceusage.quotas.get serviceusage.services.get serviceusage.services.list stackdriver.projects.get storage.buckets.* storage.multipartUploads.* storage.objects.* trafficdirector.*
Compute Engine Service Agent roles/compute.serviceAgent Gives Compute Engine Service Account access to assert service account authority. Includes access to service accounts.	cloudnotifications.* compute.instanceGroupManagers.get iam.serviceAccounts.getAccessToken iam.serviceAccounts.getOpenIdToken iam.serviceAccounts.signJwt logging.logEntries.create monitoring.alertPolicies.get monitoring.alertPolicies.list monitoring.dashboards.get monitoring.dashboards.list monitoring.groups.get monitoring.groups.list monitoring.metricDescriptors.get monitoring.metricDescriptors.list monitoring.monitoredResourceDescriptors.* monitoring.notificationChannelDescriptors.* monitoring.notificationChannels.get monitoring.notificationChannels.list monitoring.publicWidgets.get monitoring.publicWidgets.list monitoring.services.get monitoring.services.list monitoring.slos.get monitoring.slos.list monitoring.timeSeries.list monitoring.uptimeCheckConfigs.get monitoring.uptimeCheckConfigs.list opsconfigmonitoring.resourceMetadata.list resourcemanager.projects.get resourcemanager.projects.list stackdriver.projects.get
Contact Center AI Insights Service Agent roles/contactcenterinsights.serviceAgent Allows Contact Center AI to read and write APIs including BigQuery, Dialogflow, and Storage.	bigquery.datasets.create bigquery.datasets.get bigquery.jobs.create bigquery.jobs.get bigquery.tables.create bigquery.tables.get bigquery.tables.update bigquery.tables.updateData datalabeling.dataitems.* datalabeling.datasets.create datalabeling.datasets.delete datalabeling.datasets.export datalabeling.datasets.get datalabeling.datasets.import datalabeling.operations.get datalabeling.operations.list dialogflow.conversationDatasets.* dialogflow.conversationModels.* dialogflow.documents.* dialogflow.operations.* dialogflow.participants.suggest dialogflow.sessions.detectIntent pubsub.topics.get pubsub.topics.publish storage.objects.get storage.objects.list
Kubernetes Engine Service Agent roles/container.serviceAgent Gives Kubernetes Engine account access to manage cluster resources. Includes access to service accounts.	bigquery.datasets.create bigquery.datasets.get bigquery.tables.create bigquery.tables.get bigquery.tables.update bigquery.tables.updateData binaryauthorization.policy.evaluatePolicy certificatemanager.certmapentries.create certificatemanager.certmapentries.delete certificatemanager.certmapentries.get certificatemanager.certmapentries.getIamPolicy certificatemanager.certmapentries.list certificatemanager.certmapentries.update certificatemanager.certmaps.create certificatemanager.certmaps.delete certificatemanager.certmaps.get certificatemanager.certmaps.getIamPolicy certificatemanager.certmaps.list certificatemanager.certmaps.update certificatemanager.certmaps.use certificatemanager.certs.create certificatemanager.certs.delete certificatemanager.certs.get certificatemanager.certs.getIamPolicy certificatemanager.certs.list certificatemanager.certs.update certificatemanager.certs.use certificatemanager.dnsauthorizations.create certificatemanager.dnsauthorizations.delete certificatemanager.dnsauthorizations.get certificatemanager.dnsauthorizations.getIamPolicy certificatemanager.dnsauthorizations.list certificatemanager.dnsauthorizations.update certificatemanager.dnsauthorizations.use compute.acceleratorTypes.* compute.addresses.* compute.autoscalers.* compute.backendBuckets.* compute.backendServices.* compute.diskTypes.* compute.disks.* compute.externalVpnGateways.* compute.firewallPolicies.* compute.firewalls.* compute.forwardingRules.* compute.globalAddresses.* compute.globalForwardingRules.* compute.globalNetworkEndpointGroups.* compute.globalOperations.get compute.globalOperations.list compute.globalPublicDelegatedPrefixes.delete compute.globalPublicDelegatedPrefixes.get compute.globalPublicDelegatedPrefixes.list compute.globalPublicDelegatedPrefixes.update compute.globalPublicDelegatedPrefixes.updatePolicy compute.healthChecks.* compute.httpHealthChecks.* compute.httpsHealthChecks.* compute.images.* compute.instanceGroupManagers.* compute.instanceGroups.* compute.instanceTemplates.* compute.instances.* compute.interconnectAttachments.* compute.interconnectLocations.* compute.interconnects.* compute.licenseCodes.* compute.licenses.* compute.machineImages.* compute.machineTypes.* compute.networkEndpointGroups.* compute.networks.* compute.nodeGroups.get compute.packetMirrorings.* compute.projects.get compute.projects.setCommonInstanceMetadata compute.publicDelegatedPrefixes.delete compute.publicDelegatedPrefixes.get compute.publicDelegatedPrefixes.list compute.publicDelegatedPrefixes.update compute.publicDelegatedPrefixes.updatePolicy compute.regionBackendServices.* compute.regionFirewallPolicies.* compute.regionHealthCheckServices.* compute.regionHealthChecks.* compute.regionNetworkEndpointGroups.* compute.regionNotificationEndpoints.* compute.regionOperations.get compute.regionOperations.list compute.regionSslCertificates.* compute.regionTargetHttpProxies.* compute.regionTargetHttpsProxies.* compute.regionUrlMaps.* compute.regions.* compute.reservations.get compute.reservations.list compute.resourcePolicies.* compute.routers.* compute.routes.* compute.securityPolicies.* compute.serviceAttachments.* compute.snapshots.* compute.sslCertificates.* compute.sslPolicies.* compute.subnetworks.* compute.targetGrpcProxies.* compute.targetHttpProxies.* compute.targetHttpsProxies.* compute.targetInstances.* compute.targetPools.* compute.targetSslProxies.* compute.targetTcpProxies.* compute.targetVpnGateways.* compute.urlMaps.* compute.vpnGateways.* compute.vpnTunnels.* compute.zoneOperations.get compute.zoneOperations.list compute.zones.* container.* dns.changes.* dns.dnsKeys.* dns.managedZoneOperations.* dns.managedZones.* dns.networks.* dns.policies.create dns.policies.delete dns.policies.get dns.policies.list dns.policies.update dns.projects.* dns.resourceRecordSets.* dns.responsePolicies.* dns.responsePolicyRules.* file.* iam.serviceAccounts.actAs iam.serviceAccounts.get logging.logEntries.create meshconfig.projects.get monitoring.metricDescriptors.create monitoring.metricDescriptors.get monitoring.metricDescriptors.list monitoring.timeSeries.* networkconnectivity.locations.* networkconnectivity.operations.* networksecurity.* networkservices.* pubsub.topics.create pubsub.topics.get pubsub.topics.publish resourcemanager.projects.get resourcemanager.projects.list servicedirectory.namespaces.create servicedirectory.namespaces.delete servicedirectory.services.create servicedirectory.services.delete servicenetworking.operations.get servicenetworking.services.addPeering servicenetworking.services.get serviceusage.quotas.get serviceusage.services.get serviceusage.services.list tpu.locations.* tpu.nodes.create tpu.nodes.delete tpu.nodes.get tpu.nodes.list tpu.operations.* trafficdirector.*
Container Analysis Service Agent roles/containeranalysis.ServiceAgent Gives Container Analysis API the access it needs to function	artifactregistry.dockerimages.* artifactregistry.files.* artifactregistry.packages.get artifactregistry.packages.list artifactregistry.repositories.downloadArtifacts artifactregistry.repositories.get artifactregistry.repositories.list artifactregistry.repositories.listEffectiveTags artifactregistry.repositories.listTagBindings artifactregistry.tags.get artifactregistry.tags.list artifactregistry.versions.get artifactregistry.versions.list containeranalysis.occurrences.create containeranalysis.occurrences.delete containeranalysis.occurrences.get containeranalysis.occurrences.list containeranalysis.occurrences.update pubsub.schemas.attach pubsub.schemas.create pubsub.schemas.delete pubsub.schemas.get pubsub.schemas.list pubsub.schemas.validate pubsub.snapshots.create pubsub.snapshots.delete pubsub.snapshots.get pubsub.snapshots.list pubsub.snapshots.seek pubsub.snapshots.update pubsub.subscriptions.consume pubsub.subscriptions.create pubsub.subscriptions.delete pubsub.subscriptions.get pubsub.subscriptions.list pubsub.subscriptions.update pubsub.topics.attachSubscription pubsub.topics.create pubsub.topics.delete pubsub.topics.detachSubscription pubsub.topics.get pubsub.topics.list pubsub.topics.publish pubsub.topics.update pubsub.topics.updateTag resourcemanager.projects.get resourcemanager.projects.list serviceusage.quotas.get serviceusage.services.get serviceusage.services.list storage.objects.get storage.objects.list
Container Registry Service Agent roles/containerregistry.ServiceAgent Access for Container Registry	pubsub.topics.publish storage.objects.get storage.objects.getIamPolicy storage.objects.list
Container Scanner Service Agent roles/containerscanning.ServiceAgent Gives Container Scanner the access it needs to analyze containers for vulnerabilities and create occurrences using the Container Analysis API	artifactregistry.dockerimages.* artifactregistry.files.* artifactregistry.packages.get artifactregistry.packages.list artifactregistry.repositories.downloadArtifacts artifactregistry.repositories.get artifactregistry.repositories.list artifactregistry.repositories.listEffectiveTags artifactregistry.repositories.listTagBindings artifactregistry.tags.get artifactregistry.tags.list artifactregistry.versions.get artifactregistry.versions.list containeranalysis.occurrences.create containeranalysis.occurrences.delete containeranalysis.occurrences.get containeranalysis.occurrences.list containeranalysis.occurrences.update resourcemanager.projects.get resourcemanager.projects.list storage.objects.get storage.objects.list
Container Threat Detection Service Agent roles/containerthreatdetection.serviceAgent Gives Container Threat Detection service account access to enable/disable Container Threat Detection and manage the Container Threat Detection Agent on Google Kubernetes Engine clusters.	container.apiServices.get container.apiServices.getStatus container.apiServices.list container.auditSinks.get container.auditSinks.list container.backendConfigs.get container.backendConfigs.list container.bindings.get container.bindings.list container.certificateSigningRequests.get container.certificateSigningRequests.getStatus container.certificateSigningRequests.list container.clusterRoleBindings.* container.clusterRoles.bind container.clusterRoles.create container.clusterRoles.delete container.clusterRoles.get container.clusterRoles.list container.clusterRoles.update container.clusters.get container.clusters.list container.componentStatuses.* container.configMaps.get container.configMaps.list container.controllerRevisions.get container.controllerRevisions.list container.cronJobs.get container.cronJobs.getStatus container.cronJobs.list container.csiDrivers.get container.csiDrivers.list container.csiNodeInfos.get container.csiNodeInfos.list container.csiNodes.get container.csiNodes.list container.customResourceDefinitions.get container.customResourceDefinitions.getStatus container.customResourceDefinitions.list container.daemonSets.* container.deployments.get container.deployments.getScale container.deployments.getStatus container.deployments.list container.endpointSlices.get container.endpointSlices.list container.endpoints.get container.endpoints.list container.events.get container.events.list container.frontendConfigs.get container.frontendConfigs.list container.horizontalPodAutoscalers.get container.horizontalPodAutoscalers.getStatus container.horizontalPodAutoscalers.list container.ingresses.get container.ingresses.getStatus container.ingresses.list container.initializerConfigurations.get container.initializerConfigurations.list container.jobs.get container.jobs.getStatus container.jobs.list container.leases.get container.leases.list container.limitRanges.get container.limitRanges.list container.managedCertificates.get container.managedCertificates.list container.mutatingWebhookConfigurations.get container.mutatingWebhookConfigurations.list container.namespaces.get container.namespaces.getStatus container.namespaces.list container.networkPolicies.get container.networkPolicies.list container.networkPolicies.update container.nodes.get container.nodes.getStatus container.nodes.list container.operations.* container.persistentVolumeClaims.get container.persistentVolumeClaims.getStatus container.persistentVolumeClaims.list container.persistentVolumes.get container.persistentVolumes.getStatus container.persistentVolumes.list container.petSets.get container.petSets.list container.podDisruptionBudgets.get container.podDisruptionBudgets.getStatus container.podDisruptionBudgets.list container.podPresets.get container.podPresets.list container.podSecurityPolicies.get container.podSecurityPolicies.list container.podTemplates.get container.podTemplates.list container.pods.attach container.pods.create container.pods.delete container.pods.exec container.pods.get container.pods.getLogs container.pods.getStatus container.pods.list container.pods.portForward container.pods.update container.priorityClasses.get container.priorityClasses.list container.replicaSets.get container.replicaSets.getScale container.replicaSets.getStatus container.replicaSets.list container.replicationControllers.get container.replicationControllers.getScale container.replicationControllers.getStatus container.replicationControllers.list container.resourceQuotas.get container.resourceQuotas.getStatus container.resourceQuotas.list container.roleBindings.* container.roles.get container.roles.list container.runtimeClasses.get container.runtimeClasses.list container.scheduledJobs.get container.scheduledJobs.list container.secrets.create container.secrets.delete container.secrets.list container.secrets.update container.serviceAccounts.create container.serviceAccounts.delete container.serviceAccounts.get container.serviceAccounts.list container.serviceAccounts.update container.services.get container.services.getStatus container.services.list container.statefulSets.get container.statefulSets.getScale container.statefulSets.getStatus container.statefulSets.list container.storageClasses.get container.storageClasses.list container.storageStates.get container.storageStates.getStatus container.storageStates.list container.storageVersionMigrations.get container.storageVersionMigrations.getStatus container.storageVersionMigrations.list container.thirdPartyObjects.get container.thirdPartyObjects.list container.thirdPartyResources.get container.thirdPartyResources.list container.tokenReviews.* container.updateInfos.get container.updateInfos.list container.validatingWebhookConfigurations.get container.validatingWebhookConfigurations.list container.volumeAttachments.get container.volumeAttachments.getStatus container.volumeAttachments.list container.volumeSnapshotClasses.get container.volumeSnapshotClasses.list container.volumeSnapshotContents.get container.volumeSnapshotContents.getStatus container.volumeSnapshotContents.list container.volumeSnapshots.get container.volumeSnapshots.list resourcemanager.projects.get resourcemanager.projects.list
Content Warehouse Service Agent roles/contentwarehouse.serviceAgent Gives the Content Warehouse service account to manage customer resources	cloudfunctions.functions.invoke pubsub.topics.publish pubsublite.topics.publish storage.objects.get storage.objects.list
Data Connectors Service Agent roles/dataconnectors.serviceAgent Gives Data Connectors service agent permission to access the virtual private cloud	compute.globalOperations.get compute.networks.access vpcaccess.connectors.get vpcaccess.connectors.use
Cloud Dataflow Service Agent roles/dataflow.serviceAgent Gives Cloud Dataflow service account access to managed resources. Includes access to service accounts.	bigquery.bireservations.* bigquery.capacityCommitments.* bigquery.config.* bigquery.connections.* bigquery.dataPolicies.* bigquery.datasets.* bigquery.jobs.* bigquery.models.* bigquery.readsessions.* bigquery.reservationAssignments.* bigquery.reservations.* bigquery.routines.* bigquery.rowAccessPolicies.create bigquery.rowAccessPolicies.delete bigquery.rowAccessPolicies.getIamPolicy bigquery.rowAccessPolicies.list bigquery.rowAccessPolicies.overrideTimeTravelRestrictions bigquery.rowAccessPolicies.setIamPolicy bigquery.rowAccessPolicies.update bigquery.savedqueries.* bigquery.tables.* bigquery.transfers.* bigquerymigration.translation.* clouddebugger.breakpoints.list clouddebugger.breakpoints.listActive clouddebugger.breakpoints.update clouddebugger.debuggees.create cloudnotifications.* compute.acceleratorTypes.* compute.addresses.* compute.autoscalers.* compute.backendBuckets.* compute.backendServices.* compute.diskTypes.* compute.disks.* compute.externalVpnGateways.* compute.firewallPolicies.get compute.firewallPolicies.list compute.firewallPolicies.use compute.firewalls.get compute.firewalls.list compute.forwardingRules.* compute.globalAddresses.* compute.globalForwardingRules.* compute.globalNetworkEndpointGroups.* compute.globalOperations.get compute.globalOperations.list compute.globalPublicDelegatedPrefixes.delete compute.globalPublicDelegatedPrefixes.get compute.globalPublicDelegatedPrefixes.list compute.globalPublicDelegatedPrefixes.update compute.globalPublicDelegatedPrefixes.updatePolicy compute.healthChecks.* compute.httpHealthChecks.* compute.httpsHealthChecks.* compute.images.* compute.instanceGroupManagers.* compute.instanceGroups.* compute.instanceTemplates.* compute.instances.* compute.interconnectAttachments.* compute.interconnectLocations.* compute.interconnects.* compute.licenseCodes.* compute.licenses.* compute.machineImages.* compute.machineTypes.* compute.networkEndpointGroups.* compute.networks.* compute.packetMirrorings.get compute.packetMirrorings.list compute.projects.get compute.publicDelegatedPrefixes.delete compute.publicDelegatedPrefixes.get compute.publicDelegatedPrefixes.list compute.publicDelegatedPrefixes.update compute.publicDelegatedPrefixes.updatePolicy compute.regionBackendServices.* compute.regionFirewallPolicies.get compute.regionFirewallPolicies.list compute.regionFirewallPolicies.use compute.regionHealthCheckServices.* compute.regionHealthChecks.* compute.regionNetworkEndpointGroups.* compute.regionNotificationEndpoints.* compute.regionOperations.get compute.regionOperations.list compute.regionSslCertificates.get compute.regionSslCertificates.list compute.regionTargetHttpProxies.* compute.regionTargetHttpsProxies.* compute.regionUrlMaps.* compute.regions.* compute.reservations.get compute.reservations.list compute.resourcePolicies.* compute.routers.* compute.routes.* compute.securityPolicies.get compute.securityPolicies.list compute.securityPolicies.use compute.serviceAttachments.* compute.snapshots.* compute.sslCertificates.get compute.sslCertificates.list compute.sslPolicies.* compute.subnetworks.* compute.targetGrpcProxies.* compute.targetHttpProxies.* compute.targetHttpsProxies.* compute.targetInstances.* compute.targetPools.* compute.targetSslProxies.* compute.targetTcpProxies.* compute.targetVpnGateways.* compute.urlMaps.* compute.vpnGateways.* compute.vpnTunnels.* compute.zoneOperations.get compute.zoneOperations.list compute.zones.* firebase.projects.get iam.serviceAccounts.actAs iam.serviceAccounts.get iam.serviceAccounts.getAccessToken iam.serviceAccounts.implicitDelegation iam.serviceAccounts.list iam.serviceAccounts.signBlob iam.serviceAccounts.signJwt logging.buckets.create logging.buckets.delete logging.buckets.get logging.buckets.list logging.buckets.undelete logging.buckets.update logging.cmekSettings.* logging.exclusions.* logging.locations.* logging.logEntries.create logging.logMetrics.* logging.logServiceIndexes.* logging.logServices.* logging.logs.list logging.notificationRules.* logging.operations.* logging.sinks.* logging.views.create logging.views.delete logging.views.get logging.views.list logging.views.update monitoring.alertPolicies.get monitoring.alertPolicies.list monitoring.dashboards.get monitoring.dashboards.list monitoring.groups.get monitoring.groups.list monitoring.metricDescriptors.create monitoring.metricDescriptors.get monitoring.metricDescriptors.list monitoring.monitoredResourceDescriptors.* monitoring.notificationChannelDescriptors.* monitoring.notificationChannels.get monitoring.notificationChannels.list monitoring.publicWidgets.get monitoring.publicWidgets.list monitoring.services.get monitoring.services.list monitoring.slos.get monitoring.slos.list monitoring.timeSeries.* monitoring.uptimeCheckConfigs.get monitoring.uptimeCheckConfigs.list networkconnectivity.locations.* networkconnectivity.operations.* networksecurity.* networkservices.* opsconfigmonitoring.resourceMetadata.list orgpolicy.policy.get pubsub.* resourcemanager.projects.get resourcemanager.projects.list servicedirectory.namespaces.create servicedirectory.namespaces.delete servicedirectory.services.create servicedirectory.services.delete servicenetworking.operations.get servicenetworking.services.addPeering servicenetworking.services.get serviceusage.quotas.get serviceusage.services.get serviceusage.services.list stackdriver.projects.get storage.buckets.* storage.multipartUploads.* storage.objects.* trafficdirector.*
Dataform Service Agent roles/dataform.serviceAgent Gives permission for the Dataform API to access a secret from Secret Manager	resourcemanager.projects.get resourcemanager.projects.list
Cloud Data Fusion API Service Agent roles/datafusion.serviceAgent Gives Cloud Data Fusion service account access to Service Networking, Cloud Dataproc, Cloud Storage, BigQuery, Cloud Spanner, and Cloud Bigtable resources.	bigquery.config.get bigquery.dataPolicies.* bigquery.datasets.* bigquery.jobs.create bigquery.models.* bigquery.routines.* bigquery.rowAccessPolicies.create bigquery.rowAccessPolicies.delete bigquery.rowAccessPolicies.getIamPolicy bigquery.rowAccessPolicies.list bigquery.rowAccessPolicies.setIamPolicy bigquery.rowAccessPolicies.update bigquery.tables.* bigtable.* compute.acceleratorTypes.* compute.addresses.get compute.addresses.list compute.autoscalers.get compute.autoscalers.list compute.backendBuckets.get compute.backendBuckets.list compute.backendServices.get compute.backendServices.list compute.disks.listTagBindings compute.externalVpnGateways.get compute.externalVpnGateways.list compute.firewalls.get compute.firewalls.list compute.forwardingRules.get compute.forwardingRules.list compute.globalAddresses.get compute.globalAddresses.list compute.globalForwardingRules.get compute.globalForwardingRules.list compute.globalForwardingRules.pscGet compute.globalOperations.get compute.healthChecks.get compute.healthChecks.list compute.httpHealthChecks.get compute.httpHealthChecks.list compute.httpsHealthChecks.get compute.httpsHealthChecks.list compute.images.listTagBindings compute.instanceGroupManagers.get compute.instanceGroupManagers.list compute.instanceGroups.get compute.instanceGroups.list compute.instances.get compute.instances.getGuestAttributes compute.instances.getScreenshot compute.instances.getSerialPortOutput compute.instances.list compute.instances.listReferrers compute.interconnectAttachments.get compute.interconnectAttachments.list compute.interconnectLocations.* compute.interconnects.get compute.interconnects.list compute.machineTypes.* compute.networks.addPeering compute.networks.get compute.networks.getEffectiveFirewalls compute.networks.getRegionEffectiveFirewalls compute.networks.list compute.networks.listPeeringRoutes compute.networks.removePeering compute.networks.update compute.packetMirrorings.get compute.packetMirrorings.list compute.projects.get compute.regionBackendServices.get compute.regionBackendServices.list compute.regionHealthCheckServices.get compute.regionHealthCheckServices.list compute.regionHealthChecks.get compute.regionHealthChecks.list compute.regionNotificationEndpoints.get compute.regionNotificationEndpoints.list compute.regionSslCertificates.get compute.regionSslCertificates.list compute.regionTargetHttpProxies.get compute.regionTargetHttpProxies.list compute.regionTargetHttpsProxies.get compute.regionTargetHttpsProxies.list compute.regionUrlMaps.get compute.regionUrlMaps.list compute.regions.* compute.routers.get compute.routers.list compute.routes.get compute.routes.list compute.serviceAttachments.get compute.serviceAttachments.list compute.snapshots.listTagBindings compute.sslCertificates.get compute.sslCertificates.list compute.sslPolicies.get compute.sslPolicies.list compute.sslPolicies.listAvailableFeatures compute.subnetworks.get compute.subnetworks.list compute.targetGrpcProxies.get compute.targetGrpcProxies.list compute.targetHttpProxies.get compute.targetHttpProxies.list compute.targetHttpsProxies.get compute.targetHttpsProxies.list compute.targetInstances.get compute.targetInstances.list compute.targetPools.get compute.targetPools.list compute.targetSslProxies.get compute.targetSslProxies.list compute.targetTcpProxies.get compute.targetTcpProxies.list compute.targetVpnGateways.get compute.targetVpnGateways.list compute.urlMaps.get compute.urlMaps.list compute.vpnGateways.get compute.vpnGateways.list compute.vpnTunnels.get compute.vpnTunnels.list compute.zones.* dataproc.autoscalingPolicies.create dataproc.autoscalingPolicies.delete dataproc.autoscalingPolicies.get dataproc.autoscalingPolicies.list dataproc.autoscalingPolicies.update dataproc.autoscalingPolicies.use dataproc.batches.* dataproc.clusters.create dataproc.clusters.delete dataproc.clusters.get dataproc.clusters.list dataproc.clusters.start dataproc.clusters.stop dataproc.clusters.update dataproc.clusters.use dataproc.jobs.cancel dataproc.jobs.create dataproc.jobs.delete dataproc.jobs.get dataproc.jobs.list dataproc.jobs.update dataproc.operations.cancel dataproc.operations.delete dataproc.operations.get dataproc.operations.list dataproc.workflowTemplates.create dataproc.workflowTemplates.delete dataproc.workflowTemplates.get dataproc.workflowTemplates.instantiate dataproc.workflowTemplates.instantiateInline dataproc.workflowTemplates.list dataproc.workflowTemplates.update dns.managedZones.create dns.managedZones.delete dns.managedZones.get dns.managedZones.list dns.networks.bindPrivateDNSZone dns.networks.targetWithPeeringZone firebase.projects.get monitoring.metricDescriptors.create monitoring.metricDescriptors.get monitoring.metricDescriptors.list monitoring.monitoredResourceDescriptors.* monitoring.timeSeries.* networkconnectivity.locations.* networkconnectivity.operations.get networkconnectivity.operations.list networksecurity.authorizationPolicies.get networksecurity.authorizationPolicies.list networksecurity.clientTlsPolicies.get networksecurity.clientTlsPolicies.list networksecurity.locations.* networksecurity.operations.get networksecurity.operations.list networksecurity.serverTlsPolicies.get networksecurity.serverTlsPolicies.list networkservices.endpointConfigSelectors.get networkservices.endpointConfigSelectors.list networkservices.endpointPolicies.get networkservices.endpointPolicies.list networkservices.gateways.get networkservices.gateways.list networkservices.grpcRoutes.get networkservices.grpcRoutes.list networkservices.httpFilters.get networkservices.httpFilters.list networkservices.httpRoutes.get networkservices.httpRoutes.list networkservices.httpfilters.get networkservices.httpfilters.list networkservices.locations.* networkservices.meshes.get networkservices.meshes.list networkservices.operations.get networkservices.operations.list networkservices.serviceBindings.get networkservices.serviceBindings.list networkservices.tcpRoutes.get networkservices.tcpRoutes.list orgpolicy.policy.get resourcemanager.projects.get resourcemanager.projects.list servicenetworking.services.get serviceusage.quotas.get serviceusage.services.get serviceusage.services.list spanner.databaseOperations.* spanner.databases.beginOrRollbackReadWriteTransaction spanner.databases.beginPartitionedDmlTransaction spanner.databases.beginReadOnlyTransaction spanner.databases.getDdl spanner.databases.list spanner.databases.partitionQuery spanner.databases.partitionRead spanner.databases.read spanner.databases.select spanner.databases.updateDdl spanner.databases.write spanner.instanceConfigs.* spanner.instances.get spanner.instances.list spanner.sessions.* storage.buckets.* storage.multipartUploads.* storage.objects.* trafficdirector.*
Data Labeling Service Agent roles/datalabeling.serviceAgent Gives Data Labeling service account read/write access to Cloud Storage, read/write BigQuery, update CMLE model versions, editor access to Annotation service and AutoML service.	automl.annotationSpecs.* automl.annotations.* automl.columnSpecs.* automl.datasets.create automl.datasets.delete automl.datasets.export automl.datasets.get automl.datasets.import automl.datasets.list automl.datasets.update automl.examples.* automl.humanAnnotationTasks.* automl.locations.get automl.locations.list automl.modelEvaluations.* automl.models.create automl.models.delete automl.models.deploy automl.models.export automl.models.get automl.models.list automl.models.predict automl.models.undeploy automl.operations.* automl.tableSpecs.* bigquery.datasets.create bigquery.datasets.get bigquery.jobs.create bigquery.jobs.get bigquery.tables.create bigquery.tables.get bigquery.tables.getData ml.jobs.create ml.jobs.get ml.jobs.getIamPolicy ml.jobs.list ml.locations.* ml.models.* ml.operations.get ml.operations.list ml.projects.* ml.studies.* ml.trials.* ml.versions.* resourcemanager.projects.get resourcemanager.projects.list serviceusage.services.list storage.objects.create storage.objects.delete storage.objects.get storage.objects.list storage.objects.update
Datapipelines Service Agent roles/datapipelines.serviceAgent Gives Datapipelines service permissions to create Dataflow & Cloud Scheduler jobs in the user project.	appengine.applications.get cloudscheduler.* compute.machineTypes.get compute.projects.get compute.regions.list compute.zones.list dataflow.jobs.* dataflow.messages.* dataflow.metrics.* dataflow.snapshots.* firebase.projects.get iam.serviceAccounts.actAs iam.serviceAccounts.get iam.serviceAccounts.list orgpolicy.policy.get recommender.dataflowDiagnosticsInsights.* resourcemanager.projects.get resourcemanager.projects.list serviceusage.services.get serviceusage.services.list storage.buckets.* storage.multipartUploads.* storage.objects.*
Cloud Dataplex Service Agent roles/dataplex.serviceAgent Gives the Dataplex service account access to project resources. This access will be used in data discovery, data management and data workload management.	bigquery.bireservations.* bigquery.capacityCommitments.* bigquery.config.* bigquery.connections.* bigquery.dataPolicies.* bigquery.datasets.* bigquery.jobs.* bigquery.models.* bigquery.readsessions.* bigquery.reservationAssignments.* bigquery.reservations.* bigquery.routines.* bigquery.rowAccessPolicies.create bigquery.rowAccessPolicies.delete bigquery.rowAccessPolicies.getIamPolicy bigquery.rowAccessPolicies.list bigquery.rowAccessPolicies.overrideTimeTravelRestrictions bigquery.rowAccessPolicies.setIamPolicy bigquery.rowAccessPolicies.update bigquery.savedqueries.* bigquery.tables.* bigquery.transfers.* bigquerymigration.translation.* dataplex.assets.getIamPolicy dataplex.environments.get dataplex.lakes.get dataplex.lakes.getIamPolicy dataplex.zones.getIamPolicy dataproc.autoscalingPolicies.create dataproc.batches.cancel dataproc.batches.create dataproc.batches.get dataproc.jobs.delete dataproc.jobs.get dataproc.operations.cancel dataproc.operations.get dataproc.operations.list dataproc.workflowTemplates.instantiateInline firebase.projects.get iam.serviceAccounts.actAs logging.logEntries.create metastore.services.get monitoring.metricDescriptors.create monitoring.metricDescriptors.get monitoring.metricDescriptors.list monitoring.monitoredResourceDescriptors.* monitoring.timeSeries.create orgpolicy.policy.get resourcemanager.projects.get resourcemanager.projects.list servicemanagement.services.report serviceusage.services.use storage.buckets.* storage.multipartUploads.* storage.objects.*
Dataprep Service Agent roles/dataprep.serviceAgent Dataprep service identity. Includes access to service accounts.	bigquery.bireservations.get bigquery.capacityCommitments.get bigquery.capacityCommitments.list bigquery.config.get bigquery.datasets.create bigquery.datasets.get bigquery.datasets.getIamPolicy bigquery.datasets.updateTag bigquery.jobs.create bigquery.jobs.list bigquery.models.* bigquery.readsessions.* bigquery.reservationAssignments.list bigquery.reservationAssignments.search bigquery.reservations.get bigquery.reservations.list bigquery.routines.* bigquery.savedqueries.get bigquery.savedqueries.list bigquery.tables.create bigquery.tables.createIndex bigquery.tables.createSnapshot bigquery.tables.delete bigquery.tables.deleteIndex bigquery.tables.export bigquery.tables.get bigquery.tables.getData bigquery.tables.getIamPolicy bigquery.tables.list bigquery.tables.restoreSnapshot bigquery.tables.update bigquery.tables.updateData bigquery.tables.updateTag bigquery.transfers.get bigquerymigration.translation.* compute.acceleratorTypes.* compute.addresses.get compute.addresses.list compute.autoscalers.get compute.autoscalers.list compute.backendBuckets.get compute.backendBuckets.list compute.backendServices.get compute.backendServices.getIamPolicy compute.backendServices.list compute.commitments.get compute.commitments.list compute.diskTypes.* compute.disks.get compute.disks.getIamPolicy compute.disks.list compute.disks.listTagBindings compute.externalVpnGateways.get compute.externalVpnGateways.list compute.firewallPolicies.get compute.firewallPolicies.getIamPolicy compute.firewallPolicies.list compute.firewalls.get compute.firewalls.list compute.forwardingRules.get compute.forwardingRules.list compute.globalAddresses.get compute.globalAddresses.list compute.globalForwardingRules.get compute.globalForwardingRules.list compute.globalForwardingRules.pscGet compute.globalNetworkEndpointGroups.get compute.globalNetworkEndpointGroups.list compute.globalOperations.get compute.globalOperations.getIamPolicy compute.globalOperations.list compute.globalPublicDelegatedPrefixes.get compute.globalPublicDelegatedPrefixes.list compute.healthChecks.get compute.healthChecks.list compute.httpHealthChecks.get compute.httpHealthChecks.list compute.httpsHealthChecks.get compute.httpsHealthChecks.list compute.images.get compute.images.getFromFamily compute.images.getIamPolicy compute.images.list compute.images.listTagBindings compute.instanceGroupManagers.get compute.instanceGroupManagers.list compute.instanceGroups.get compute.instanceGroups.list compute.instanceTemplates.get compute.instanceTemplates.getIamPolicy compute.instanceTemplates.list compute.instances.get compute.instances.getEffectiveFirewalls compute.instances.getGuestAttributes compute.instances.getIamPolicy compute.instances.getScreenshot compute.instances.getSerialPortOutput compute.instances.getShieldedInstanceIdentity compute.instances.getShieldedVmIdentity compute.instances.list compute.instances.listReferrers compute.interconnectAttachments.get compute.interconnectAttachments.list compute.interconnectLocations.* compute.interconnects.get compute.interconnects.list compute.licenseCodes.get compute.licenseCodes.getIamPolicy compute.licenseCodes.list compute.licenses.get compute.licenses.getIamPolicy compute.licenses.list compute.machineImages.get compute.machineImages.getIamPolicy compute.machineImages.list compute.machineTypes.* compute.maintenancePolicies.get compute.maintenancePolicies.getIamPolicy compute.maintenancePolicies.list compute.networkEndpointGroups.get compute.networkEndpointGroups.getIamPolicy compute.networkEndpointGroups.list compute.networks.get compute.networks.getEffectiveFirewalls compute.networks.getRegionEffectiveFirewalls compute.networks.list compute.networks.listPeeringRoutes compute.nodeGroups.get compute.nodeGroups.getIamPolicy compute.nodeGroups.list compute.nodeTemplates.get compute.nodeTemplates.getIamPolicy compute.nodeTemplates.list compute.nodeTypes.* compute.organizations.listAssociations compute.packetMirrorings.get compute.packetMirrorings.list compute.projects.get compute.publicAdvertisedPrefixes.get compute.publicAdvertisedPrefixes.list compute.publicDelegatedPrefixes.get compute.publicDelegatedPrefixes.list compute.regionBackendServices.get compute.regionBackendServices.getIamPolicy compute.regionBackendServices.list compute.regionFirewallPolicies.get compute.regionFirewallPolicies.getIamPolicy compute.regionFirewallPolicies.list compute.regionHealthCheckServices.get compute.regionHealthCheckServices.list compute.regionHealthChecks.get compute.regionHealthChecks.list compute.regionNetworkEndpointGroups.get compute.regionNetworkEndpointGroups.list compute.regionNotificationEndpoints.get compute.regionNotificationEndpoints.list compute.regionOperations.get compute.regionOperations.getIamPolicy compute.regionOperations.list compute.regionSslCertificates.get compute.regionSslCertificates.list compute.regionTargetHttpProxies.get compute.regionTargetHttpProxies.list compute.regionTargetHttpsProxies.get compute.regionTargetHttpsProxies.list compute.regionUrlMaps.get compute.regionUrlMaps.list compute.regionUrlMaps.validate compute.regions.* compute.reservations.get compute.reservations.list compute.resourcePolicies.get compute.resourcePolicies.list compute.routers.get compute.routers.list compute.routes.get compute.routes.list compute.securityPolicies.get compute.securityPolicies.getIamPolicy compute.securityPolicies.list compute.serviceAttachments.get compute.serviceAttachments.list compute.snapshots.get compute.snapshots.getIamPolicy compute.snapshots.list compute.snapshots.listTagBindings compute.sslCertificates.get compute.sslCertificates.list compute.sslPolicies.get compute.sslPolicies.list compute.sslPolicies.listAvailableFeatures compute.subnetworks.get compute.subnetworks.getIamPolicy compute.subnetworks.list compute.targetGrpcProxies.get compute.targetGrpcProxies.list compute.targetHttpProxies.get compute.targetHttpProxies.list compute.targetHttpsProxies.get compute.targetHttpsProxies.list compute.targetInstances.get compute.targetInstances.list compute.targetPools.get compute.targetPools.list compute.targetSslProxies.get compute.targetSslProxies.list compute.targetTcpProxies.get compute.targetTcpProxies.list compute.targetVpnGateways.get compute.targetVpnGateways.list compute.urlMaps.get compute.urlMaps.list compute.urlMaps.validate compute.vpnGateways.get compute.vpnGateways.list compute.vpnTunnels.get compute.vpnTunnels.list compute.zoneOperations.get compute.zoneOperations.getIamPolicy compute.zoneOperations.list compute.zones.* dataflow.jobs.* dataflow.messages.* dataflow.metrics.* dataflow.snapshots.* iam.serviceAccounts.actAs iam.serviceAccounts.get iam.serviceAccounts.list orgpolicy.policy.get recommender.dataflowDiagnosticsInsights.* resourcemanager.projects.get resourcemanager.projects.list serviceusage.quotas.get serviceusage.services.get serviceusage.services.list storage.buckets.get storage.buckets.list storage.multipartUploads.* storage.objects.*
Dataproc Service Agent roles/dataproc.serviceAgent Gives Dataproc Service Account access to service accounts, compute resources, storage resources, and kubernetes resources. Includes access to service accounts.	compute.acceleratorTypes.* compute.addresses.createInternal compute.addresses.deleteInternal compute.addresses.get compute.addresses.list compute.addresses.use compute.addresses.useInternal compute.autoscalers.* compute.diskTypes.* compute.disks.create compute.disks.createSnapshot compute.disks.delete compute.disks.get compute.disks.list compute.disks.resize compute.disks.setLabels compute.disks.update compute.disks.use compute.disks.useReadOnly compute.firewalls.get compute.firewalls.list compute.globalAddresses.get compute.globalAddresses.list compute.globalAddresses.use compute.globalNetworkEndpointGroups.* compute.globalOperations.get compute.globalOperations.list compute.images.get compute.images.getFromFamily compute.images.list compute.images.useReadOnly compute.instanceGroupManagers.* compute.instanceGroups.* compute.instanceTemplates.* compute.instances.* compute.licenses.get compute.licenses.list compute.machineImages.* compute.machineTypes.* compute.networkEndpointGroups.* compute.networks.get compute.networks.list compute.networks.use compute.networks.useExternalIp compute.nodeGroups.get compute.nodeTypes.get compute.projects.get compute.regionNetworkEndpointGroups.* compute.regionOperations.get compute.regionOperations.list compute.regions.* compute.reservations.get compute.reservations.list compute.subnetworks.get compute.subnetworks.list compute.subnetworks.use compute.subnetworks.useExternalIp compute.targetPools.get compute.targetPools.list compute.zoneOperations.get compute.zoneOperations.list compute.zones.* container.clusterRoleBindings.* container.clusterRoles.* container.clusters.get container.clusters.update container.customResourceDefinitions.create container.customResourceDefinitions.delete container.customResourceDefinitions.get container.customResourceDefinitions.list container.customResourceDefinitions.update container.namespaces.create container.namespaces.delete container.namespaces.get container.namespaces.list container.namespaces.update container.operations.get container.roleBindings.* container.roles.bind container.roles.escalate dataproc.autoscalingPolicies.create dataproc.autoscalingPolicies.delete dataproc.autoscalingPolicies.get dataproc.autoscalingPolicies.getIamPolicy dataproc.autoscalingPolicies.list dataproc.autoscalingPolicies.update dataproc.autoscalingPolicies.use dataproc.clusters.* dataproc.jobs.* firebase.projects.get iam.serviceAccounts.actAs metastore.services.get orgpolicy.policy.get resourcemanager.projects.get resourcemanager.projects.list serviceusage.quotas.get serviceusage.services.get serviceusage.services.list storage.buckets.* storage.multipartUploads.* storage.objects.*
Data Studio Service Agent roles/datastudio.serviceAgent Grants Data Studio Service Account access to manage resources.	bigquery.jobs.create
Dialogflow Service Agent roles/dialogflow.serviceAgent Gives Dialogflow Service Account access to resources on behalf of user project for intent detection in integrations (Facebook Messenger, Slack, Telephony, etc.).	cloudfunctions.functions.invoke dialogflow.agents.export dialogflow.agents.get dialogflow.agents.list dialogflow.agents.search dialogflow.agents.searchResources dialogflow.answerrecords.get dialogflow.answerrecords.list dialogflow.callMatchers.list dialogflow.changelogs.* dialogflow.contexts.* dialogflow.conversationDatasets.get dialogflow.conversationDatasets.list dialogflow.conversationModels.get dialogflow.conversationModels.list dialogflow.conversationProfiles.get dialogflow.conversationProfiles.list dialogflow.conversations.* dialogflow.documents.get dialogflow.documents.list dialogflow.entityTypes.get dialogflow.entityTypes.list dialogflow.environments.get dialogflow.environments.list dialogflow.flows.get dialogflow.flows.list dialogflow.fulfillments.get dialogflow.integrations.get dialogflow.integrations.list dialogflow.intents.get dialogflow.intents.list dialogflow.knowledgeBases.get dialogflow.knowledgeBases.list dialogflow.messages.* dialogflow.modelEvaluations.* dialogflow.operations.* dialogflow.pages.get dialogflow.pages.list dialogflow.participants.* dialogflow.phoneNumberOrders.get dialogflow.phoneNumberOrders.list dialogflow.phoneNumbers.list dialogflow.securitySettings.get dialogflow.securitySettings.list dialogflow.sessionEntityTypes.* dialogflow.sessions.* dialogflow.smartMessagingEntries.get dialogflow.smartMessagingEntries.list dialogflow.transitionRouteGroups.get dialogflow.transitionRouteGroups.list dialogflow.versions.get dialogflow.versions.list dialogflow.webhooks.get dialogflow.webhooks.list dlp.deidentifyTemplates.get dlp.deidentifyTemplates.list dlp.inspectTemplates.get dlp.inspectTemplates.list logging.logEntries.create pubsub.topics.publish resourcemanager.projects.get resourcemanager.projects.list serviceusage.services.use speech.adaptations.* speech.customClasses.get speech.customClasses.list speech.phraseSets.get speech.phraseSets.list storage.objects.create storage.objects.get storage.objects.list
DLP API Service Agent roles/dlp.serviceAgent Gives the Cloud DLP API service agent permissions for BigQuery, Cloud Storage, Datastore, Pub/Sub, and Cloud KMS.	appengine.applications.get bigquery.config.get bigquery.dataPolicies.* bigquery.datasets.* bigquery.jobs.create bigquery.jobs.get bigquery.jobs.update bigquery.models.* bigquery.readsessions.* bigquery.routines.* bigquery.rowAccessPolicies.create bigquery.rowAccessPolicies.delete bigquery.rowAccessPolicies.getIamPolicy bigquery.rowAccessPolicies.list bigquery.rowAccessPolicies.setIamPolicy bigquery.rowAccessPolicies.update bigquery.tables.* cloudasset.assets.analyzeIamPolicy cloudasset.assets.exportResource cloudkms.cryptoKeyVersions.useToDecrypt cloudkms.locations.get cloudkms.locations.list datacatalog.categories.fineGrainedGet datacatalog.tagTemplates.* datastore.databases.get datastore.databases.getMetadata datastore.entities.* datastore.indexes.list datastore.namespaces.get datastore.namespaces.list datastore.statistics.* dlp.analyzeRiskTemplates.get dlp.analyzeRiskTemplates.list dlp.deidentifyTemplates.get dlp.deidentifyTemplates.list dlp.inspectTemplates.get dlp.inspectTemplates.list dlp.jobs.* dlp.kms.* firebase.projects.get orgpolicy.policy.get pubsub.* resourcemanager.projects.get resourcemanager.projects.list serviceusage.quotas.get serviceusage.services.get serviceusage.services.list serviceusage.services.use storage.buckets.* storage.multipartUploads.* storage.objects.*
DocumentAI Core Service Agent roles/documentaicore.serviceAgent Gives DocumentAI Core Service Account access to consumer resources.	automl.models.predict storage.buckets.get storage.objects.create storage.objects.delete storage.objects.get storage.objects.list storage.objects.update
Cloud Endpoints Service Agent roles/endpoints.serviceAgent Gives the Cloud Endpoints service account access to Endpoints services and the ability to act as a service controller.	servicemanagement.services.check servicemanagement.services.get servicemanagement.services.quota servicemanagement.services.report
Endpoints Portal Service Agent roles/endpointsportal.serviceAgent Can access information about Endpoints services for consumer portal management, and can read Source Repositories for consumer portal custom content.	servicemanagement.services.get servicemanagement.services.list source.repos.get
Enterprise Knowledge Graph Service Agent roles/enterpriseknowledgegraph.serviceAgent Gives Enterprise Knowledge Graph Service Account access to consumer resources.	bigquery.config.get bigquery.datasets.create bigquery.datasets.get bigquery.jobs.create bigquery.readsessions.create bigquery.readsessions.getData bigquery.tables.create bigquery.tables.get bigquery.tables.getData bigquery.tables.list bigquery.tables.update bigquery.tables.updateData resourcemanager.projects.get resourcemanager.projects.list storage.objects.get storage.objects.list
Eventarc Service Agent roles/eventarc.serviceAgent Gives Eventarc service account access to managed resources.	compute.instanceGroupManagers.get container.clusters.get container.deployments.create container.deployments.delete container.deployments.get container.deployments.list container.deployments.update container.namespaces.create container.namespaces.delete container.namespaces.get container.namespaces.list container.serviceAccounts.create container.serviceAccounts.delete container.serviceAccounts.get container.serviceAccounts.list container.services.get container.services.list iam.serviceAccounts.actAs iam.serviceAccounts.getAccessToken monitoring.timeSeries.create pubsub.subscriptions.consume pubsub.subscriptions.create pubsub.subscriptions.delete pubsub.subscriptions.get pubsub.subscriptions.list pubsub.subscriptions.update pubsub.topics.attachSubscription pubsub.topics.create pubsub.topics.delete pubsub.topics.get pubsub.topics.list pubsub.topics.publish pubsub.topics.update run.services.get serviceusage.services.use storage.buckets.get storage.buckets.update workflows.workflows.get
Cloud Filestore Service Agent roles/file.serviceAgent Gives Cloud Filestore service account access to managed resources.	compute.globalOperations.get compute.networks.addPeering compute.networks.get compute.networks.removePeering compute.networks.update compute.networks.updatePeering compute.routes.list monitoring.metricDescriptors.create monitoring.metricDescriptors.get monitoring.metricDescriptors.list monitoring.monitoredResourceDescriptors.* monitoring.timeSeries.create resourcemanager.projects.get resourcemanager.projects.list
Firebase App Distribution Admin SDK Service Agent roles/firebase.appDistributionSdkServiceAgent Read and write access to Firebase App Distribution with the Admin SDK	firebaseappdistro.*
Firebase Service Management Service Agent roles/firebase.managementServiceAgent Access to create new service agents for Firebase projects; assign roles to service agents; provision GCP resources as required by Firebase services.	apikeys.keys.create apikeys.keys.get apikeys.keys.list apikeys.keys.update appengine.applications.* appengine.operations.get appengine.services.list clientauthconfig.brands.create clientauthconfig.brands.update clientauthconfig.clients.create clientauthconfig.clients.getWithSecret clientauthconfig.clients.list clientauthconfig.clients.update firebase.clients.create firebase.clients.delete firebase.clients.get firebase.projects.* firebaseauth.configs.create firebaseauth.configs.get firebaseauth.configs.update firebaserules.releases.create firebaserules.releases.delete firebaserules.releases.get firebaserules.rulesets.create iam.roles.get iam.serviceAccounts.create iam.serviceAccounts.get iam.serviceAccounts.list resourcemanager.organizations.get resourcemanager.projects.get resourcemanager.projects.getIamPolicy resourcemanager.projects.setIamPolicy resourcemanager.projects.update servicemanagement.services.bind serviceusage.services.enable serviceusage.services.get serviceusage.services.use storage.buckets.create storage.buckets.get storage.buckets.getIamPolicy storage.buckets.list storage.buckets.setIamPolicy
Firebase Admin SDK Administrator Service Agent roles/firebase.sdkAdminServiceAgent Read and write access to Firebase products available in the Admin SDK	appengine.applications.get cloudconfig.* cloudmessaging.* datastore.databases.get datastore.databases.getMetadata datastore.databases.list datastore.entities.* datastore.indexes.get datastore.indexes.list datastore.namespaces.get datastore.namespaces.list datastore.statistics.* firebase.clients.* firebase.projects.get firebase.projects.update firebaseappcheck.* firebaseauth.configs.create firebaseauth.configs.get firebaseauth.configs.update firebaseauth.users.* firebasedatabase.* firebasehosting.* firebaseml.* firebasenotifications.* firebaserules.releases.get firebaserules.releases.list firebaserules.releases.update firebaserules.rulesets.create firebaserules.rulesets.delete firebaserules.rulesets.get firebaserules.rulesets.list orgpolicy.policy.get resourcemanager.projects.get resourcemanager.projects.list resourcemanager.projects.update storage.buckets.create storage.buckets.delete storage.buckets.get storage.buckets.list storage.buckets.update storage.multipartUploads.* storage.objects.*
Firebase SDK Provisioning Service Agent roles/firebase.sdkProvisioningServiceAgent Access to provision apps with the Admin SDK.	apikeys.keys.list clientauthconfig.clients.list cloudmessaging.* firebase.clients.create servicemanagement.services.bind serviceusage.services.enable
Firebase App Check Service Agent roles/firebaseappcheck.serviceAgent Grants Firebase App Check Service Account access to consumer app attestation resources, such as reCAPTCHA Enterprise.	recaptchaenterprise.assessments.*
Firebase Extensions API Service Agent roles/firebasemods.serviceAgent Grants Firebase Extensions API Service Account access to manage resources.	appengine.applications.get artifactregistry.packages.delete cloudfunctions.functions.getIamPolicy cloudfunctions.functions.setIamPolicy cloudtasks.locations.* cloudtasks.queues.* cloudtasks.tasks.create cloudtasks.tasks.fullView deploymentmanager.compositeTypes.* deploymentmanager.deployments.cancelPreview deploymentmanager.deployments.create deploymentmanager.deployments.delete deploymentmanager.deployments.get deploymentmanager.deployments.list deploymentmanager.deployments.stop deploymentmanager.deployments.update deploymentmanager.manifests.* deploymentmanager.operations.* deploymentmanager.resources.* deploymentmanager.typeProviders.* deploymentmanager.types.* iam.serviceAccounts.create iam.serviceAccounts.get iam.serviceAccounts.list resourcemanager.projects.get resourcemanager.projects.list resourcemanager.projects.updateLiens run.services.getIamPolicy run.services.setIamPolicy serviceusage.quotas.get serviceusage.services.enable serviceusage.services.get serviceusage.services.list
Cloud Storage for Firebase Service Agent roles/firebasestorage.serviceAgent Access to Cloud Storage for Firebase through API and SDK.	storage.buckets.get storage.buckets.getIamPolicy storage.objects.create storage.objects.delete storage.objects.get storage.objects.getIamPolicy storage.objects.list storage.objects.update
Firestore Service Agent roles/firestore.serviceAgent Gives Firestore service account access to managed resources.	storage.buckets.get storage.objects.create storage.objects.delete storage.objects.get storage.objects.list
Cloud Firewall Insights Service Agent roles/firewallinsights.serviceAgent Gives Cloud Firewall Insights service agent permissions to retrieve Firewall, VM and route resources on user behalf.	compute.backendServices.list compute.firewalls.get compute.firewalls.list compute.forwardingRules.list compute.healthChecks.list compute.httpHealthChecks.list compute.httpsHealthChecks.list compute.instanceGroups.list compute.instances.get compute.instances.list compute.networks.getEffectiveFirewalls compute.networks.list compute.projects.get compute.routers.list compute.routes.get compute.routes.list compute.subnetworks.list compute.targetHttpProxies.list compute.targetHttpsProxies.list compute.targetPools.list compute.targetSslProxies.list compute.targetTcpProxies.list compute.targetVpnGateways.list compute.urlMaps.list compute.vpnGateways.list compute.vpnTunnels.list
FleetEngine Service Agent roles/fleetengine.serviceAgent Grants the FleetEngine Service Account access to manage resources.	bigquery.config.get bigquery.datasets.get bigquery.jobs.create bigquery.tables.getData resourcemanager.projects.get resourcemanager.projects.list
Game Services Service Agent roles/gameservices.serviceAgent Gives Game Services Service Account access to GCP resources.	container.apiServices.* container.auditSinks.* container.backendConfigs.* container.bindings.* container.certificateSigningRequests.create container.certificateSigningRequests.delete container.certificateSigningRequests.get container.certificateSigningRequests.list container.certificateSigningRequests.update container.certificateSigningRequests.updateStatus container.clusterRoleBindings.create container.clusterRoleBindings.get container.clusterRoleBindings.list container.clusterRoleBindings.update container.clusterRoles.bind container.clusterRoles.create container.clusterRoles.escalate container.clusterRoles.get container.clusterRoles.list container.clusterRoles.update container.clusters.create container.clusters.delete container.clusters.get container.clusters.list container.clusters.update container.componentStatuses.* container.configMaps.* container.controllerRevisions.get container.controllerRevisions.list container.cronJobs.* container.csiDrivers.* container.csiNodeInfos.* container.csiNodes.* container.customResourceDefinitions.* container.daemonSets.* container.deployments.* container.endpointSlices.* container.endpoints.* container.events.* container.frontendConfigs.* container.horizontalPodAutoscalers.* container.ingresses.* container.initializerConfigurations.* container.jobs.* container.leases.* container.limitRanges.* container.localSubjectAccessReviews.* container.managedCertificates.* container.mutatingWebhookConfigurations.* container.namespaces.* container.networkPolicies.* container.nodes.* container.operations.* container.persistentVolumeClaims.* container.persistentVolumes.* container.petSets.* container.podDisruptionBudgets.* container.podPresets.* container.podSecurityPolicies.get container.podSecurityPolicies.list container.podTemplates.* container.pods.* container.priorityClasses.* container.replicaSets.* container.replicationControllers.* container.resourceQuotas.* container.roleBindings.create container.roleBindings.get container.roleBindings.list container.roles.bind container.roles.create container.roles.escalate container.roles.get container.roles.list container.runtimeClasses.* container.scheduledJobs.* container.secrets.* container.selfSubjectAccessReviews.* container.selfSubjectRulesReviews.* container.serviceAccounts.* container.services.* container.statefulSets.* container.storageClasses.* container.storageStates.* container.storageVersionMigrations.* container.subjectAccessReviews.* container.thirdPartyObjects.* container.thirdPartyResources.* container.tokenReviews.* container.updateInfos.* container.validatingWebhookConfigurations.* container.volumeAttachments.* container.volumeSnapshotClasses.* container.volumeSnapshotContents.* container.volumeSnapshots.* gkehub.features.get gkehub.features.getIamPolicy gkehub.features.list gkehub.fleet.get gkehub.locations.* gkehub.memberships.generateConnectManifest gkehub.memberships.get gkehub.memberships.getIamPolicy gkehub.memberships.list gkehub.operations.get gkehub.operations.list iam.serviceAccounts.actAs resourcemanager.projects.get resourcemanager.projects.list
Genomics Service Agent roles/genomics.serviceAgent Gives Genomics Service Account access to compute resources. Includes access to service accounts.	compute.acceleratorTypes.* compute.addresses.createInternal compute.addresses.deleteInternal compute.addresses.get compute.addresses.list compute.addresses.use compute.addresses.useInternal compute.autoscalers.* compute.backendBuckets.get compute.backendBuckets.list compute.backendServices.get compute.backendServices.list compute.diskTypes.* compute.disks.* compute.externalVpnGateways.get compute.externalVpnGateways.list compute.firewalls.get compute.firewalls.list compute.forwardingRules.get compute.forwardingRules.list compute.globalAddresses.get compute.globalAddresses.list compute.globalAddresses.use compute.globalForwardingRules.get compute.globalForwardingRules.list compute.globalForwardingRules.pscGet compute.globalNetworkEndpointGroups.* compute.globalOperations.get compute.globalOperations.list compute.healthChecks.get compute.healthChecks.list compute.httpHealthChecks.get compute.httpHealthChecks.list compute.httpsHealthChecks.get compute.httpsHealthChecks.list compute.images.* compute.instanceGroupManagers.* compute.instanceGroups.* compute.instanceTemplates.* compute.instances.* compute.interconnectAttachments.get compute.interconnectAttachments.list compute.interconnectLocations.* compute.interconnects.get compute.interconnects.list compute.licenseCodes.* compute.licenses.* compute.machineImages.* compute.machineTypes.* compute.networkEndpointGroups.* compute.networks.get compute.networks.list compute.networks.use compute.networks.useExternalIp compute.projects.get compute.projects.setCommonInstanceMetadata compute.regionBackendServices.get compute.regionBackendServices.list compute.regionHealthCheckServices.get compute.regionHealthCheckServices.list compute.regionHealthChecks.get compute.regionHealthChecks.list compute.regionNetworkEndpointGroups.* compute.regionNotificationEndpoints.get compute.regionNotificationEndpoints.list compute.regionOperations.get compute.regionOperations.list compute.regionSslCertificates.get compute.regionSslCertificates.list compute.regionTargetHttpProxies.get compute.regionTargetHttpProxies.list compute.regionTargetHttpsProxies.get compute.regionTargetHttpsProxies.list compute.regionUrlMaps.get compute.regionUrlMaps.list compute.regions.* compute.reservations.get compute.reservations.list compute.resourcePolicies.* compute.routers.get compute.routers.list compute.routes.get compute.routes.list compute.serviceAttachments.get compute.serviceAttachments.list compute.snapshots.* compute.sslCertificates.get compute.sslCertificates.list compute.sslPolicies.get compute.sslPolicies.list compute.sslPolicies.listAvailableFeatures compute.subnetworks.get compute.subnetworks.list compute.subnetworks.use compute.subnetworks.useExternalIp compute.targetGrpcProxies.get compute.targetGrpcProxies.list compute.targetHttpProxies.get compute.targetHttpProxies.list compute.targetHttpsProxies.get compute.targetHttpsProxies.list compute.targetInstances.get compute.targetInstances.list compute.targetPools.get compute.targetPools.list compute.targetSslProxies.get compute.targetSslProxies.list compute.targetTcpProxies.get compute.targetTcpProxies.list compute.targetVpnGateways.get compute.targetVpnGateways.list compute.urlMaps.get compute.urlMaps.list compute.vpnGateways.get compute.vpnGateways.list compute.vpnTunnels.get compute.vpnTunnels.list compute.zoneOperations.get compute.zoneOperations.list compute.zones.* iam.serviceAccounts.actAs pubsub.topics.publish resourcemanager.projects.get resourcemanager.projects.list serviceusage.quotas.get serviceusage.services.get serviceusage.services.list serviceusage.services.use
Backup for GKE Service Agent roles/gkebackup.serviceAgent Grants the Backup for GKE Service Account access to managed resources.	compute.disks.create compute.disks.createSnapshot compute.disks.get compute.disks.useReadOnly compute.globalOperations.get compute.regionOperations.get compute.snapshots.delete compute.snapshots.get compute.zoneOperations.get container.apiServices.* container.auditSinks.* container.backendConfigs.* container.bindings.* container.certificateSigningRequests.create container.certificateSigningRequests.delete container.certificateSigningRequests.get container.certificateSigningRequests.list container.certificateSigningRequests.update container.certificateSigningRequests.updateStatus container.clusterRoleBindings.get container.clusterRoleBindings.list container.clusterRoles.get container.clusterRoles.list container.clusters.get container.clusters.list container.componentStatuses.* container.configMaps.* container.controllerRevisions.get container.controllerRevisions.list container.cronJobs.* container.csiDrivers.* container.csiNodeInfos.* container.csiNodes.* container.customResourceDefinitions.* container.daemonSets.* container.deployments.* container.endpointSlices.* container.endpoints.* container.events.* container.frontendConfigs.* container.horizontalPodAutoscalers.* container.ingresses.* container.initializerConfigurations.* container.jobs.* container.leases.* container.limitRanges.* container.localSubjectAccessReviews.* container.managedCertificates.* container.mutatingWebhookConfigurations.get container.mutatingWebhookConfigurations.list container.namespaces.* container.networkPolicies.* container.nodes.* container.persistentVolumeClaims.* container.persistentVolumes.* container.petSets.* container.podDisruptionBudgets.* container.podPresets.* container.podSecurityPolicies.get container.podSecurityPolicies.list container.podTemplates.* container.pods.* container.priorityClasses.* container.replicaSets.* container.replicationControllers.* container.resourceQuotas.* container.roleBindings.get container.roleBindings.list container.roles.get container.roles.list container.runtimeClasses.* container.scheduledJobs.* container.secrets.* container.selfSubjectAccessReviews.* container.selfSubjectRulesReviews.* container.serviceAccounts.* container.services.* container.statefulSets.* container.storageClasses.* container.storageStates.* container.storageVersionMigrations.* container.subjectAccessReviews.* container.thirdPartyObjects.* container.thirdPartyResources.* container.tokenReviews.* container.updateInfos.* container.validatingWebhookConfigurations.get container.validatingWebhookConfigurations.list container.volumeAttachments.* container.volumeSnapshotClasses.* container.volumeSnapshotContents.* container.volumeSnapshots.* gkebackup.operations.get resourcemanager.projects.get resourcemanager.projects.list resourcemanager.projects.updateLiens
GKE Hub Service Agent roles/gkehub.serviceAgent Gives the GKE Hub service agent access to Cloud Platform resources.	container.clusterRoleBindings.* container.clusterRoles.* container.clusters.get container.customResourceDefinitions.create container.customResourceDefinitions.delete container.customResourceDefinitions.get container.customResourceDefinitions.list container.customResourceDefinitions.update container.namespaces.get container.thirdPartyObjects.* gkehub.features.create gkehub.features.get gkehub.features.list gkehub.fleet.create gkehub.fleet.get gkehub.locations.* gkehub.memberships.create gkehub.memberships.generateConnectManifest gkehub.memberships.get gkehub.memberships.list gkehub.operations.get gkemulticloud.awsClusters.get gkemulticloud.azureClusters.get gkeonprem.vmwareClusters.get serviceusage.services.get serviceusage.services.list
Anthos Multi-Cloud Service Agent roles/gkemulticloud.serviceAgent Grants the Anthos Multi-Cloud Service Account access to manage resources.	gkehub.features.* gkehub.fleet.* gkehub.locations.* gkehub.memberships.* gkehub.operations.* gkemulticloud.awsClusters.delete gkemulticloud.awsNodePools.delete gkemulticloud.azureClients.delete gkemulticloud.azureClusters.delete gkemulticloud.azureNodePools.delete resourcemanager.projects.get resourcemanager.projects.list
Healthcare Service Agent roles/healthcare.serviceAgent Gives the Healthcare Service Account access to networks,Kubernetes engine, and pubsub resources.	cloudnotifications.* monitoring.alertPolicies.get monitoring.alertPolicies.list monitoring.dashboards.get monitoring.dashboards.list monitoring.groups.get monitoring.groups.list monitoring.metricDescriptors.create monitoring.metricDescriptors.get monitoring.metricDescriptors.list monitoring.monitoredResourceDescriptors.* monitoring.notificationChannelDescriptors.* monitoring.notificationChannels.get monitoring.notificationChannels.list monitoring.publicWidgets.get monitoring.publicWidgets.list monitoring.services.get monitoring.services.list monitoring.slos.get monitoring.slos.list monitoring.timeSeries.* monitoring.uptimeCheckConfigs.get monitoring.uptimeCheckConfigs.list opsconfigmonitoring.resourceMetadata.list pubsub.snapshots.seek pubsub.subscriptions.consume pubsub.topics.attachSubscription pubsub.topics.publish resourcemanager.projects.get resourcemanager.projects.list stackdriver.projects.get
KubeRun Events Control Plane Service Agent roles/kuberun.eventsControlPlaneServiceAgent Service account role used to setup authentication for the control plane used by KubeRun Events.	cloudscheduler.jobs.create cloudscheduler.jobs.delete cloudscheduler.jobs.get logging.sinks.create logging.sinks.delete logging.sinks.get pubsub.subscriptions.create pubsub.subscriptions.delete pubsub.subscriptions.get pubsub.topics.attachSubscription pubsub.topics.create pubsub.topics.delete pubsub.topics.get pubsub.topics.getIamPolicy pubsub.topics.setIamPolicy resourcemanager.projects.get storage.buckets.get storage.buckets.update
KubeRun Events Data Plane Service Agent roles/kuberun.eventsDataPlaneServiceAgent Service account role used to setup authentication for the data plane used by KubeRun Events.	cloudtrace.traces.patch monitoring.timeSeries.create pubsub.subscriptions.consume pubsub.subscriptions.get pubsub.topics.get pubsub.topics.publish resourcemanager.projects.get
Cloud Life Sciences Service Agent roles/lifesciences.serviceAgent Gives Cloud Life Sciences Service Account access to compute resources. Includes access to service accounts.	compute.acceleratorTypes.* compute.addresses.createInternal compute.addresses.deleteInternal compute.addresses.get compute.addresses.list compute.addresses.use compute.addresses.useInternal compute.autoscalers.* compute.backendBuckets.get compute.backendBuckets.list compute.backendServices.get compute.backendServices.list compute.diskTypes.* compute.disks.* compute.externalVpnGateways.get compute.externalVpnGateways.list compute.firewalls.get compute.firewalls.list compute.forwardingRules.get compute.forwardingRules.list compute.globalAddresses.get compute.globalAddresses.list compute.globalAddresses.use compute.globalForwardingRules.get compute.globalForwardingRules.list compute.globalForwardingRules.pscGet compute.globalNetworkEndpointGroups.* compute.globalOperations.get compute.globalOperations.list compute.healthChecks.get compute.healthChecks.list compute.httpHealthChecks.get compute.httpHealthChecks.list compute.httpsHealthChecks.get compute.httpsHealthChecks.list compute.images.* compute.instanceGroupManagers.* compute.instanceGroups.* compute.instanceTemplates.* compute.instances.* compute.interconnectAttachments.get compute.interconnectAttachments.list compute.interconnectLocations.* compute.interconnects.get compute.interconnects.list compute.licenseCodes.* compute.licenses.* compute.machineImages.* compute.machineTypes.* compute.networkEndpointGroups.* compute.networks.get compute.networks.list compute.networks.use compute.networks.useExternalIp compute.projects.get compute.projects.setCommonInstanceMetadata compute.regionBackendServices.get compute.regionBackendServices.list compute.regionHealthCheckServices.get compute.regionHealthCheckServices.list compute.regionHealthChecks.get compute.regionHealthChecks.list compute.regionNetworkEndpointGroups.* compute.regionNotificationEndpoints.get compute.regionNotificationEndpoints.list compute.regionOperations.get compute.regionOperations.list compute.regionSslCertificates.get compute.regionSslCertificates.list compute.regionTargetHttpProxies.get compute.regionTargetHttpProxies.list compute.regionTargetHttpsProxies.get compute.regionTargetHttpsProxies.list compute.regionUrlMaps.get compute.regionUrlMaps.list compute.regions.* compute.reservations.get compute.reservations.list compute.resourcePolicies.* compute.routers.get compute.routers.list compute.routes.get compute.routes.list compute.serviceAttachments.get compute.serviceAttachments.list compute.snapshots.* compute.sslCertificates.get compute.sslCertificates.list compute.sslPolicies.get compute.sslPolicies.list compute.sslPolicies.listAvailableFeatures compute.subnetworks.get compute.subnetworks.list compute.subnetworks.use compute.subnetworks.useExternalIp compute.targetGrpcProxies.get compute.targetGrpcProxies.list compute.targetHttpProxies.get compute.targetHttpProxies.list compute.targetHttpsProxies.get compute.targetHttpsProxies.list compute.targetInstances.get compute.targetInstances.list compute.targetPools.get compute.targetPools.list compute.targetSslProxies.get compute.targetSslProxies.list compute.targetTcpProxies.get compute.targetTcpProxies.list compute.targetVpnGateways.get compute.targetVpnGateways.list compute.urlMaps.get compute.urlMaps.list compute.vpnGateways.get compute.vpnGateways.list compute.vpnTunnels.get compute.vpnTunnels.list compute.zoneOperations.get compute.zoneOperations.list compute.zones.* iam.serviceAccounts.actAs pubsub.topics.publish resourcemanager.projects.get resourcemanager.projects.list serviceusage.quotas.get serviceusage.services.get serviceusage.services.list serviceusage.services.use
Live Stream Service Agent roles/livestream.serviceAgent Uploads media files to customer Cloud Storage buckets.	storage.objects.create storage.objects.delete storage.objects.update
Cloud Logging Service Agent roles/logging.serviceAgent Grants a Cloud Logging Service Account the ability to create and link datasets.	bigquery.datasets.create
Cloud Managed Identities Service Agent roles/managedidentities.serviceAgent Gives Managed Identities service account access to managed resources.	compute.globalOperations.get compute.networks.addPeering compute.networks.get compute.networks.removePeering compute.networks.update compute.routes.list dns.changes.* dns.dnsKeys.* dns.managedZoneOperations.* dns.managedZones.* dns.networks.bindPrivateDNSPolicy dns.networks.bindPrivateDNSZone dns.policies.create dns.policies.delete dns.policies.get dns.policies.list dns.policies.update dns.projects.* dns.resourceRecordSets.* dns.responsePolicies.* dns.responsePolicyRules.* monitoring.metricDescriptors.create monitoring.metricDescriptors.get monitoring.metricDescriptors.list monitoring.monitoredResourceDescriptors.* monitoring.timeSeries.create resourcemanager.projects.get resourcemanager.projects.list
Media Asset Service Agent roles/mediaasset.serviceAgent Downloads and uploads media files from and to customer Cloud Storage buckets.	pubsub.topics.get pubsub.topics.publish storage.objects.create storage.objects.delete storage.objects.get transcoder.jobs.create transcoder.jobs.delete transcoder.jobs.get
Cloud Memorystore Memcached Service Agent roles/memcache.serviceAgent Gives Cloud Memorystore Memcached service account access to managed resource	compute.globalOperations.get compute.networks.addPeering compute.networks.get compute.networks.removePeering compute.networks.update compute.routes.get compute.routes.list compute.subnetworks.get compute.subnetworks.list monitoring.metricDescriptors.create monitoring.metricDescriptors.get monitoring.metricDescriptors.list monitoring.monitoredResourceDescriptors.* monitoring.timeSeries.create resourcemanager.projects.get resourcemanager.projects.list
Mesh Config Service Agent roles/meshconfig.serviceAgent Apply mesh configuration	compute.backendServices.create compute.backendServices.delete compute.backendServices.get compute.backendServices.list compute.backendServices.setSecurityPolicy compute.backendServices.update compute.backendServices.use compute.firewalls.* compute.globalForwardingRules.create compute.globalForwardingRules.delete compute.globalForwardingRules.get compute.globalForwardingRules.list compute.globalForwardingRules.setLabels compute.globalForwardingRules.setTarget compute.globalOperations.get compute.globalOperations.list compute.healthChecks.* compute.networkEndpointGroups.get compute.networkEndpointGroups.list compute.networkEndpointGroups.use compute.networks.get compute.networks.updatePolicy compute.networks.use compute.subnetworks.use compute.targetHttpProxies.* compute.targetHttpsProxies.* compute.targetSslProxies.* compute.targetTcpProxies.* compute.urlMaps.* networksecurity.clientTlsPolicies.create networksecurity.clientTlsPolicies.delete networksecurity.clientTlsPolicies.get networksecurity.clientTlsPolicies.list networksecurity.clientTlsPolicies.update networksecurity.serverTlsPolicies.create networksecurity.serverTlsPolicies.delete networksecurity.serverTlsPolicies.get networksecurity.serverTlsPolicies.list networksecurity.serverTlsPolicies.update networkservices.endpointConfigSelectors.create networkservices.endpointConfigSelectors.delete networkservices.endpointConfigSelectors.get networkservices.endpointConfigSelectors.list networkservices.endpointConfigSelectors.update networkservices.httpFilters.create networkservices.httpFilters.delete networkservices.httpFilters.get networkservices.httpFilters.list networkservices.httpFilters.update networkservices.httpfilters.create networkservices.httpfilters.delete networkservices.httpfilters.get networkservices.httpfilters.list networkservices.httpfilters.update
Mesh Managed Control Plane Service Agent roles/meshcontrolplane.serviceAgent Anthos Service Mesh Managed Control Plane Agent	container.apiServices.* container.auditSinks.* container.backendConfigs.* container.bindings.* container.certificateSigningRequests.* container.clusterRoleBindings.* container.clusterRoles.* container.clusters.get container.clusters.getCredentials container.clusters.list container.componentStatuses.* container.configMaps.* container.controllerRevisions.* container.cronJobs.* container.csiDrivers.* container.csiNodeInfos.* container.csiNodes.* container.customResourceDefinitions.* container.daemonSets.* container.deployments.* container.endpointSlices.* container.endpoints.* container.events.* container.frontendConfigs.* container.horizontalPodAutoscalers.* container.hostServiceAgent.* container.ingresses.* container.initializerConfigurations.* container.jobs.* container.leases.* container.limitRanges.* container.localSubjectAccessReviews.* container.managedCertificates.* container.mutatingWebhookConfigurations.* container.namespaces.* container.networkPolicies.* container.nodes.* container.operations.* container.persistentVolumeClaims.* container.persistentVolumes.* container.petSets.* container.podDisruptionBudgets.* container.podPresets.* container.podSecurityPolicies.* container.podTemplates.* container.pods.* container.priorityClasses.* container.replicaSets.* container.replicationControllers.* container.resourceQuotas.* container.roleBindings.* container.roles.* container.runtimeClasses.* container.scheduledJobs.* container.secrets.* container.selfSubjectAccessReviews.* container.selfSubjectRulesReviews.* container.serviceAccounts.* container.services.* container.statefulSets.* container.storageClasses.* container.storageStates.* container.storageVersionMigrations.* container.subjectAccessReviews.* container.thirdPartyObjects.* container.thirdPartyResources.* container.tokenReviews.* container.updateInfos.* container.validatingWebhookConfigurations.* container.volumeAttachments.* container.volumeSnapshotClasses.* container.volumeSnapshotContents.* container.volumeSnapshots.* gkehub.features.get gkehub.features.getIamPolicy gkehub.features.list gkehub.fleet.get gkehub.gateway.* gkehub.locations.* gkehub.memberships.generateConnectManifest gkehub.memberships.get gkehub.memberships.getIamPolicy gkehub.memberships.list gkehub.operations.get gkehub.operations.list logging.logEntries.create monitoring.metricDescriptors.create monitoring.metricDescriptors.get monitoring.metricDescriptors.list monitoring.monitoredResourceDescriptors.* monitoring.timeSeries.create resourcemanager.projects.get resourcemanager.projects.list serviceusage.services.get serviceusage.services.use
Mesh Data Plane Service Agent roles/meshdataplane.serviceAgent Run user-space Istio components	cloudtrace.traces.patch compute.forwardingRules.get compute.globalForwardingRules.get logging.logEntries.create meshconfig.projects.get monitoring.metricDescriptors.create monitoring.metricDescriptors.get monitoring.metricDescriptors.list monitoring.monitoredResourceDescriptors.* monitoring.timeSeries.create serviceusage.services.use
Dataproc Metastore Service Agent roles/metastore.serviceAgent Gives the Dataproc Metastore service account access to managed resources.	compute.addresses.createInternal compute.addresses.deleteInternal compute.addresses.get compute.addresses.use compute.forwardingRules.create compute.forwardingRules.delete compute.forwardingRules.get compute.forwardingRules.pscCreate compute.forwardingRules.pscDelete compute.globalAddresses.createInternal compute.globalAddresses.deleteInternal compute.globalAddresses.get compute.globalAddresses.list compute.globalOperations.get compute.globalOperations.list compute.networks.addPeering compute.networks.get compute.networks.removePeering compute.networks.updatePeering compute.networks.use compute.regionOperations.get compute.subnetworks.get compute.subnetworks.use metastore.databases.setIamPolicy metastore.services.get metastore.tables.setIamPolicy servicedirectory.namespaces.create servicedirectory.namespaces.delete servicedirectory.services.create servicedirectory.services.delete storage.buckets.create storage.buckets.delete storage.buckets.get storage.buckets.update storage.objects.create storage.objects.delete storage.objects.get storage.objects.list storage.objects.update
AI Platform Service Agent roles/ml.serviceAgent AI Platform service agent can act as log writer, Cloud Storage admin, Artifact Registry Reader, BigQuery writer, and service account access token creator.	artifactregistry.dockerimages.* artifactregistry.files.* artifactregistry.packages.get artifactregistry.packages.list artifactregistry.repositories.downloadArtifacts artifactregistry.repositories.get artifactregistry.repositories.list artifactregistry.repositories.listEffectiveTags artifactregistry.repositories.listTagBindings artifactregistry.tags.get artifactregistry.tags.list artifactregistry.versions.get artifactregistry.versions.list bigquery.datasets.create bigquery.datasets.get bigquery.jobs.create bigquery.jobs.get bigquery.jobs.list bigquery.jobs.update bigquery.tables.create bigquery.tables.get bigquery.tables.getData bigquery.tables.list bigquery.tables.updateData firebase.projects.get iam.serviceAccounts.get iam.serviceAccounts.getAccessToken iam.serviceAccounts.getOpenIdToken iam.serviceAccounts.implicitDelegation iam.serviceAccounts.list iam.serviceAccounts.signBlob iam.serviceAccounts.signJwt logging.logEntries.create orgpolicy.policy.get resourcemanager.projects.get resourcemanager.projects.list storage.buckets.* storage.multipartUploads.* storage.objects.*
Monitoring Service Agent roles/monitoring.notificationServiceAgent Grants permissions to deliver notifications directly to resources within the target project, such as delivering to Pub/Sub topics within the project.	servicedirectory.networks.access servicedirectory.services.resolve serviceusage.services.use
Multi Cluster Ingress Service Agent roles/multiclusteringress.serviceAgent Gives the Multi Cluster Ingress service agent access to CloudPlatform resources.	certificatemanager.certmapentries.create certificatemanager.certmapentries.delete certificatemanager.certmapentries.get certificatemanager.certmapentries.getIamPolicy certificatemanager.certmapentries.list certificatemanager.certmapentries.update certificatemanager.certmaps.create certificatemanager.certmaps.delete certificatemanager.certmaps.get certificatemanager.certmaps.getIamPolicy certificatemanager.certmaps.list certificatemanager.certmaps.update certificatemanager.certmaps.use certificatemanager.certs.create certificatemanager.certs.delete certificatemanager.certs.get certificatemanager.certs.getIamPolicy certificatemanager.certs.list certificatemanager.certs.update certificatemanager.certs.use certificatemanager.dnsauthorizations.create certificatemanager.dnsauthorizations.delete certificatemanager.dnsauthorizations.get certificatemanager.dnsauthorizations.getIamPolicy certificatemanager.dnsauthorizations.list certificatemanager.dnsauthorizations.update certificatemanager.dnsauthorizations.use compute.addresses.create compute.addresses.createInternal compute.addresses.delete compute.addresses.deleteInternal compute.addresses.get compute.addresses.list compute.addresses.use compute.addresses.useInternal compute.backendServices.* compute.firewalls.* compute.forwardingRules.* compute.globalAddresses.create compute.globalAddresses.delete compute.globalAddresses.get compute.globalAddresses.list compute.globalAddresses.use compute.globalForwardingRules.* compute.healthChecks.* compute.networkEndpointGroups.get compute.networkEndpointGroups.use compute.networks.updatePolicy compute.networks.use compute.regionBackendServices.* compute.regionHealthChecks.* compute.regionSslCertificates.* compute.regionTargetHttpProxies.* compute.regionTargetHttpsProxies.* compute.regionUrlMaps.* compute.securityPolicies.use compute.sslCertificates.* compute.sslPolicies.use compute.subnetworks.list compute.subnetworks.use compute.targetHttpProxies.* compute.targetHttpsProxies.* compute.urlMaps.* container.backendConfigs.* container.clusters.get container.customResourceDefinitions.create container.customResourceDefinitions.delete container.customResourceDefinitions.get container.customResourceDefinitions.update container.deployments.* container.events.create container.events.update container.frontendConfigs.* container.namespaces.list container.secrets.get container.secrets.list container.services.* container.thirdPartyObjects.* gkehub.features.get gkehub.locations.* gkehub.memberships.get gkehub.memberships.list serviceusage.services.get serviceusage.services.list
Multi-cluster metering Service Agent roles/multiclustermetering.serviceAgent Gives the Multi-cluster metering service agent access to CloudPlatform resources.	gkehub.features.get gkehub.locations.* gkehub.memberships.get gkehub.memberships.list
GCP Network Management Service Agent roles/networkmanagement.serviceAgent Grants the GCP Network Management API the authority to complete analysis based on network configurations from Compute Engine and Container Engine.	cloudsql.instances.get cloudsql.instances.list compute.addresses.get compute.addresses.list compute.backendServices.get compute.backendServices.list compute.externalVpnGateways.get compute.externalVpnGateways.list compute.firewalls.get compute.firewalls.list compute.forwardingRules.get compute.forwardingRules.list compute.globalAddresses.get compute.globalAddresses.list compute.globalForwardingRules.get compute.globalForwardingRules.list compute.globalNetworkEndpointGroups.get compute.globalNetworkEndpointGroups.list compute.healthChecks.get compute.healthChecks.list compute.httpHealthChecks.get compute.httpHealthChecks.list compute.httpsHealthChecks.get compute.httpsHealthChecks.list compute.instanceGroups.get compute.instanceGroups.list compute.instances.get compute.instances.list compute.networkEndpointGroups.get compute.networkEndpointGroups.list compute.networks.get compute.networks.getEffectiveFirewalls compute.networks.list compute.networks.listPeeringRoutes compute.packetMirrorings.get compute.packetMirrorings.list compute.regionBackendServices.get compute.regionBackendServices.list compute.regionHealthChecks.get compute.regionHealthChecks.list compute.regionNetworkEndpointGroups.get compute.regionNetworkEndpointGroups.list compute.regionTargetHttpProxies.get compute.regionTargetHttpProxies.list compute.regionTargetHttpsProxies.get compute.regionTargetHttpsProxies.list compute.regionUrlMaps.get compute.regionUrlMaps.list compute.routers.get compute.routers.list compute.routes.get compute.routes.list compute.subnetworks.get compute.subnetworks.list compute.targetGrpcProxies.get compute.targetGrpcProxies.list compute.targetHttpProxies.get compute.targetHttpProxies.list compute.targetHttpsProxies.get compute.targetHttpsProxies.list compute.targetInstances.get compute.targetInstances.list compute.targetPools.get compute.targetPools.list compute.targetSslProxies.get compute.targetSslProxies.list compute.targetTcpProxies.get compute.targetTcpProxies.list compute.targetVpnGateways.get compute.targetVpnGateways.list compute.urlMaps.get compute.urlMaps.list compute.vpnGateways.get compute.vpnGateways.list compute.vpnTunnels.get compute.vpnTunnels.list container.clusters.get container.clusters.list container.nodes.get container.nodes.list
AI Platform Notebooks Service Agent roles/notebooks.serviceAgent Provide access for notebooks service agent to manage notebook instances in user projects	aiplatform.customJobs.cancel aiplatform.customJobs.create aiplatform.customJobs.get aiplatform.customJobs.list compute.acceleratorTypes.* compute.addresses.createInternal compute.addresses.deleteInternal compute.addresses.get compute.addresses.list compute.addresses.use compute.addresses.useInternal compute.autoscalers.* compute.backendBuckets.get compute.backendBuckets.list compute.backendServices.get compute.backendServices.getIamPolicy compute.backendServices.list compute.commitments.get compute.commitments.list compute.diskTypes.* compute.disks.* compute.externalVpnGateways.get compute.externalVpnGateways.list compute.firewallPolicies.get compute.firewallPolicies.getIamPolicy compute.firewallPolicies.list compute.firewalls.get compute.firewalls.list compute.forwardingRules.get compute.forwardingRules.list compute.globalAddresses.get compute.globalAddresses.list compute.globalAddresses.use compute.globalForwardingRules.get compute.globalForwardingRules.list compute.globalForwardingRules.pscGet compute.globalNetworkEndpointGroups.* compute.globalOperations.get compute.globalOperations.getIamPolicy compute.globalOperations.list compute.globalPublicDelegatedPrefixes.get compute.globalPublicDelegatedPrefixes.list compute.healthChecks.get compute.healthChecks.list compute.httpHealthChecks.get compute.httpHealthChecks.list compute.httpsHealthChecks.get compute.httpsHealthChecks.list compute.images.* compute.instanceGroupManagers.* compute.instanceGroups.* compute.instanceTemplates.* compute.instances.* compute.interconnectAttachments.get compute.interconnectAttachments.list compute.interconnectLocations.* compute.interconnects.get compute.interconnects.list compute.licenseCodes.* compute.licenses.* compute.machineImages.* compute.machineTypes.* compute.maintenancePolicies.get compute.maintenancePolicies.getIamPolicy compute.maintenancePolicies.list compute.networkEndpointGroups.* compute.networks.get compute.networks.getEffectiveFirewalls compute.networks.getRegionEffectiveFirewalls compute.networks.list compute.networks.listPeeringRoutes compute.networks.use compute.networks.useExternalIp compute.nodeGroups.get compute.nodeGroups.getIamPolicy compute.nodeGroups.list compute.nodeTemplates.get compute.nodeTemplates.getIamPolicy compute.nodeTemplates.list compute.nodeTypes.* compute.organizations.listAssociations compute.packetMirrorings.get compute.packetMirrorings.list compute.projects.get compute.projects.setCommonInstanceMetadata compute.publicAdvertisedPrefixes.get compute.publicAdvertisedPrefixes.list compute.publicDelegatedPrefixes.get compute.publicDelegatedPrefixes.list compute.regionBackendServices.get compute.regionBackendServices.getIamPolicy compute.regionBackendServices.list compute.regionFirewallPolicies.get compute.regionFirewallPolicies.getIamPolicy compute.regionFirewallPolicies.list compute.regionHealthCheckServices.get compute.regionHealthCheckServices.list compute.regionHealthChecks.get compute.regionHealthChecks.list compute.regionNetworkEndpointGroups.* compute.regionNotificationEndpoints.get compute.regionNotificationEndpoints.list compute.regionOperations.get compute.regionOperations.getIamPolicy compute.regionOperations.list compute.regionSslCertificates.get compute.regionSslCertificates.list compute.regionTargetHttpProxies.get compute.regionTargetHttpProxies.list compute.regionTargetHttpsProxies.get compute.regionTargetHttpsProxies.list compute.regionUrlMaps.get compute.regionUrlMaps.list compute.regionUrlMaps.validate compute.regions.* compute.reservations.get compute.reservations.list compute.resourcePolicies.* compute.routers.get compute.routers.list compute.routes.get compute.routes.list compute.securityPolicies.get compute.securityPolicies.getIamPolicy compute.securityPolicies.list compute.serviceAttachments.get compute.serviceAttachments.list compute.snapshots.* compute.sslCertificates.get compute.sslCertificates.list compute.sslPolicies.get compute.sslPolicies.list compute.sslPolicies.listAvailableFeatures compute.subnetworks.get compute.subnetworks.getIamPolicy compute.subnetworks.list compute.subnetworks.use compute.subnetworks.useExternalIp compute.targetGrpcProxies.get compute.targetGrpcProxies.list compute.targetHttpProxies.get compute.targetHttpProxies.list compute.targetHttpsProxies.get compute.targetHttpsProxies.list compute.targetInstances.get compute.targetInstances.list compute.targetPools.get compute.targetPools.list compute.targetSslProxies.get compute.targetSslProxies.list compute.targetTcpProxies.get compute.targetTcpProxies.list compute.targetVpnGateways.get compute.targetVpnGateways.list compute.urlMaps.get compute.urlMaps.list compute.urlMaps.validate compute.vpnGateways.get compute.vpnGateways.list compute.vpnTunnels.get compute.vpnTunnels.list compute.zoneOperations.get compute.zoneOperations.getIamPolicy compute.zoneOperations.list compute.zones.* dataproc.clusters.get dataproc.clusters.use dataproc.jobs.cancel dataproc.jobs.create dataproc.jobs.delete dataproc.jobs.get dataproc.jobs.list dataproc.jobs.update iam.serviceAccounts.actAs iam.serviceAccounts.get iam.serviceAccounts.getAccessToken iam.serviceAccounts.list ml.jobs.create ml.jobs.get ml.jobs.list notebooks.* resourcemanager.projects.get resourcemanager.projects.list serviceusage.quotas.get serviceusage.services.get serviceusage.services.list
Cloud OS Config Service Agent roles/osconfig.serviceAgent Grants OS Config Service Account access to Google Compute Engine instances.	compute.instances.get compute.instances.getGuestAttributes compute.instances.list compute.instances.setMetadata compute.zones.* containeranalysis.notes.attachOccurrence containeranalysis.notes.create containeranalysis.notes.delete containeranalysis.notes.get containeranalysis.notes.list containeranalysis.notes.update containeranalysis.occurrences.create containeranalysis.occurrences.delete containeranalysis.occurrences.get containeranalysis.occurrences.list containeranalysis.occurrences.update iam.serviceAccounts.actAs resourcemanager.projects.get resourcemanager.projects.list
Cloud Pub/Sub Service Agent roles/pubsub.serviceAgent Grants Cloud Pub/Sub Service Account access to manage resources.	iam.serviceAccounts.get iam.serviceAccounts.getAccessToken iam.serviceAccounts.getOpenIdToken iam.serviceAccounts.implicitDelegation iam.serviceAccounts.list iam.serviceAccounts.signBlob iam.serviceAccounts.signJwt resourcemanager.projects.get resourcemanager.projects.list
Cloud Memorystore Redis Service Agent roles/redis.serviceAgent Gives Cloud Memorystore Redis service account access to managed resource	compute.globalOperations.get compute.networks.addPeering compute.networks.get compute.networks.removePeering compute.networks.update compute.projects.get compute.routes.get compute.routes.list compute.subnetworks.get compute.subnetworks.list monitoring.metricDescriptors.create monitoring.metricDescriptors.get monitoring.metricDescriptors.list monitoring.monitoredResourceDescriptors.* monitoring.timeSeries.create resourcemanager.projects.get resourcemanager.projects.list
Remote Build Execution Service Agent roles/remotebuildexecution.serviceAgent Gives Remote Build Execution service account access to managed resources.	remotebuildexecution.actions.update remotebuildexecution.blobs.* remotebuildexecution.botsessions.* remotebuildexecution.logstreams.create remotebuildexecution.logstreams.update
Retail Service Agent roles/retail.serviceAgent Retail service uploads product feeds and user events from Cloud Storage and BigQuery, reports results to the customer Cloud Storage bucket, writes logs to customer projects, and writes and reads Google Cloud's operations suite metrics for customer projects.	bigquery.datasets.create bigquery.datasets.get bigquery.jobs.create bigquery.jobs.get bigquery.jobs.list bigquery.jobs.update bigquery.tables.create bigquery.tables.export bigquery.tables.get bigquery.tables.getData bigquery.tables.list bigquery.tables.updateData cloudnotifications.* dataflow.jobs.* dataflow.messages.* dataflow.metrics.* logging.logEntries.create monitoring.alertPolicies.get monitoring.alertPolicies.list monitoring.dashboards.get monitoring.dashboards.list monitoring.groups.get monitoring.groups.list monitoring.metricDescriptors.create monitoring.metricDescriptors.get monitoring.metricDescriptors.list monitoring.monitoredResourceDescriptors.* monitoring.notificationChannelDescriptors.* monitoring.notificationChannels.get monitoring.notificationChannels.list monitoring.publicWidgets.get monitoring.publicWidgets.list monitoring.services.get monitoring.services.list monitoring.slos.get monitoring.slos.list monitoring.timeSeries.* monitoring.uptimeCheckConfigs.get monitoring.uptimeCheckConfigs.list opsconfigmonitoring.resourceMetadata.list resourcemanager.projects.get resourcemanager.projects.list stackdriver.projects.get storage.buckets.create storage.buckets.get storage.objects.create storage.objects.delete storage.objects.get storage.objects.list storage.objects.update
Risk Manager Service Agent roles/riskmanager.serviceAgent Service agent that grants Risk Manager service access to fetch findings for generating Reports	cloudasset.assets.* recommender.cloudAssetInsights.get recommender.cloudAssetInsights.list recommender.locations.* resourcemanager.folders.get resourcemanager.folders.list resourcemanager.organizations.get resourcemanager.projects.get resourcemanager.projects.list securitycenter.assets.group securitycenter.assets.list securitycenter.assets.listAssetPropertyNames securitycenter.bigQueryExports.get securitycenter.bigQueryExports.list securitycenter.containerthreatdetectionsettings.calculate securitycenter.containerthreatdetectionsettings.get securitycenter.eventthreatdetectionsettings.calculate securitycenter.eventthreatdetectionsettings.get securitycenter.findings.group securitycenter.findings.list securitycenter.findings.listFindingPropertyNames securitycenter.muteconfigs.get securitycenter.muteconfigs.list securitycenter.notificationconfig.get securitycenter.notificationconfig.list securitycenter.organizationsettings.get securitycenter.securitycentersettings.get securitycenter.securityhealthanalyticssettings.calculate securitycenter.securityhealthanalyticssettings.get securitycenter.sources.get securitycenter.sources.list securitycenter.subscription.* securitycenter.userinterfacemetadata.* securitycenter.virtualmachinethreatdetectionsettings.calculate securitycenter.virtualmachinethreatdetectionsettings.get securitycenter.websecurityscannersettings.calculate securitycenter.websecurityscannersettings.get
Cloud Run Service Agent roles/run.serviceAgent Gives Cloud Run service account access to managed resources.	artifactregistry.dockerimages.* artifactregistry.files.* artifactregistry.packages.get artifactregistry.packages.list artifactregistry.repositories.downloadArtifacts artifactregistry.repositories.get artifactregistry.repositories.list artifactregistry.repositories.listEffectiveTags artifactregistry.repositories.listTagBindings artifactregistry.tags.get artifactregistry.tags.list artifactregistry.versions.get artifactregistry.versions.list binaryauthorization.platformPolicies.evaluatePolicy binaryauthorization.policy.evaluatePolicy clientauthconfig.clients.list cloudbuild.builds.create cloudbuild.builds.get compute.globalOperations.get compute.networks.access iam.serviceAccounts.actAs iam.serviceAccounts.getAccessToken iam.serviceAccounts.getOpenIdToken iam.serviceAccounts.signBlob resourcemanager.projects.get resourcemanager.projects.getIamPolicy resourcemanager.projects.list run.routes.invoke serviceusage.services.use storage.objects.get storage.objects.list vpcaccess.connectors.get vpcaccess.connectors.use
Secured Landing Zone Service Agent roles/securedlandingzone.serviceAgent Grants Secured Landing Zone service account permissions to manage resources in the customer project	cloudasset.assets.exportOrgPolicy cloudasset.assets.exportResource cloudasset.feeds.create cloudasset.feeds.delete cloudasset.feeds.update logging.logEntries.list pubsub.subscriptions.consume pubsub.subscriptions.create pubsub.subscriptions.delete pubsub.topics.attachSubscription pubsub.topics.create pubsub.topics.delete pubsub.topics.detachSubscription pubsub.topics.getIamPolicy pubsub.topics.setIamPolicy resourcemanager.projects.get securitycenter.assetsecuritymarks.* securitycenter.findings.list securitycenter.findings.update securitycenter.sources.list securitycenter.sources.update serviceusage.services.use
Security Center Automation Service Agent roles/securitycenter.automationServiceAgent Security Center automation service agent can configure GCP resources to enable security scanning.	cloudasset.feeds.* resourcemanager.folders.get resourcemanager.folders.list resourcemanager.organizations.get resourcemanager.projects.get resourcemanager.projects.getIamPolicy resourcemanager.projects.list serviceusage.services.enable
Security Center Control Service Agent roles/securitycenter.controlServiceAgent Security Center Control service agent can monitor and configure GCP resources and import security findings.	apikeys.keys.get apikeys.keys.list apikeys.keys.lookup appengine.applications.get appengine.instances.get appengine.instances.list appengine.operations.* appengine.services.get appengine.services.list appengine.versions.get appengine.versions.list bigquery.datasets.get binaryauthorization.policy.get cloudasset.assets.* cloudasset.feeds.* cloudsecurityscanner.* cloudsql.instances.connect cloudsql.instances.get cloudsql.users.list compute.acceleratorTypes.* compute.addresses.get compute.addresses.list compute.autoscalers.get compute.autoscalers.list compute.backendBuckets.get compute.backendBuckets.list compute.backendServices.get compute.backendServices.getIamPolicy compute.backendServices.list compute.commitments.get compute.commitments.list compute.diskTypes.* compute.disks.get compute.disks.getIamPolicy compute.disks.list compute.disks.listTagBindings compute.externalVpnGateways.get compute.externalVpnGateways.list compute.firewallPolicies.get compute.firewallPolicies.getIamPolicy compute.firewallPolicies.list compute.firewalls.get compute.firewalls.list compute.forwardingRules.get compute.forwardingRules.list compute.globalAddresses.get compute.globalAddresses.list compute.globalForwardingRules.get compute.globalForwardingRules.list compute.globalForwardingRules.pscGet compute.globalNetworkEndpointGroups.get compute.globalNetworkEndpointGroups.list compute.globalOperations.get compute.globalOperations.getIamPolicy compute.globalOperations.list compute.globalPublicDelegatedPrefixes.get compute.globalPublicDelegatedPrefixes.list compute.healthChecks.get compute.healthChecks.list compute.httpHealthChecks.get compute.httpHealthChecks.list compute.httpsHealthChecks.get compute.httpsHealthChecks.list compute.images.get compute.images.getFromFamily compute.images.getIamPolicy compute.images.list compute.images.listTagBindings compute.instanceGroupManagers.get compute.instanceGroupManagers.list compute.instanceGroups.get compute.instanceGroups.list compute.instanceTemplates.get compute.instanceTemplates.getIamPolicy compute.instanceTemplates.list compute.instances.get compute.instances.getEffectiveFirewalls compute.instances.getGuestAttributes compute.instances.getIamPolicy compute.instances.getScreenshot compute.instances.getSerialPortOutput compute.instances.getShieldedInstanceIdentity compute.instances.getShieldedVmIdentity compute.instances.list compute.instances.listReferrers compute.interconnectAttachments.get compute.interconnectAttachments.list compute.interconnectLocations.* compute.interconnects.get compute.interconnects.list compute.licenseCodes.get compute.licenseCodes.getIamPolicy compute.licenseCodes.list compute.licenses.get compute.licenses.getIamPolicy compute.licenses.list compute.machineImages.get compute.machineImages.getIamPolicy compute.machineImages.list compute.machineTypes.* compute.maintenancePolicies.get compute.maintenancePolicies.getIamPolicy compute.maintenancePolicies.list compute.networkEndpointGroups.get compute.networkEndpointGroups.getIamPolicy compute.networkEndpointGroups.list compute.networks.get compute.networks.getEffectiveFirewalls compute.networks.getRegionEffectiveFirewalls compute.networks.list compute.networks.listPeeringRoutes compute.nodeGroups.get compute.nodeGroups.getIamPolicy compute.nodeGroups.list compute.nodeTemplates.get compute.nodeTemplates.getIamPolicy compute.nodeTemplates.list compute.nodeTypes.* compute.organizations.listAssociations compute.packetMirrorings.get compute.packetMirrorings.list compute.projects.get compute.publicAdvertisedPrefixes.get compute.publicAdvertisedPrefixes.list compute.publicDelegatedPrefixes.get compute.publicDelegatedPrefixes.list compute.regionBackendServices.get compute.regionBackendServices.getIamPolicy compute.regionBackendServices.list compute.regionFirewallPolicies.get compute.regionFirewallPolicies.getIamPolicy compute.regionFirewallPolicies.list compute.regionHealthCheckServices.get compute.regionHealthCheckServices.list compute.regionHealthChecks.get compute.regionHealthChecks.list compute.regionNetworkEndpointGroups.get compute.regionNetworkEndpointGroups.list compute.regionNotificationEndpoints.get compute.regionNotificationEndpoints.list compute.regionOperations.get compute.regionOperations.getIamPolicy compute.regionOperations.list compute.regionSslCertificates.get compute.regionSslCertificates.list compute.regionTargetHttpProxies.get compute.regionTargetHttpProxies.list compute.regionTargetHttpsProxies.get compute.regionTargetHttpsProxies.list compute.regionUrlMaps.get compute.regionUrlMaps.list compute.regionUrlMaps.validate compute.regions.* compute.reservations.get compute.reservations.list compute.resourcePolicies.get compute.resourcePolicies.list compute.routers.get compute.routers.list compute.routes.get compute.routes.list compute.securityPolicies.get compute.securityPolicies.getIamPolicy compute.securityPolicies.list compute.serviceAttachments.get compute.serviceAttachments.list compute.snapshots.get compute.snapshots.getIamPolicy compute.snapshots.list compute.snapshots.listTagBindings compute.sslCertificates.get compute.sslCertificates.list compute.sslPolicies.get compute.sslPolicies.list compute.sslPolicies.listAvailableFeatures compute.subnetworks.get compute.subnetworks.getIamPolicy compute.subnetworks.list compute.targetGrpcProxies.get compute.targetGrpcProxies.list compute.targetHttpProxies.get compute.targetHttpProxies.list compute.targetHttpsProxies.get compute.targetHttpsProxies.list compute.targetInstances.get compute.targetInstances.list compute.targetPools.get compute.targetPools.list compute.targetSslProxies.get compute.targetSslProxies.list compute.targetTcpProxies.get compute.targetTcpProxies.list compute.targetVpnGateways.get compute.targetVpnGateways.list compute.urlMaps.get compute.urlMaps.list compute.urlMaps.validate compute.vpnGateways.get compute.vpnGateways.list compute.vpnTunnels.get compute.vpnTunnels.list compute.zoneOperations.get compute.zoneOperations.getIamPolicy compute.zoneOperations.list compute.zones.* container.apiServices.get container.apiServices.getStatus container.apiServices.list container.auditSinks.get container.auditSinks.list container.backendConfigs.get container.backendConfigs.list container.bindings.get container.bindings.list container.certificateSigningRequests.get container.certificateSigningRequests.getStatus container.certificateSigningRequests.list container.clusterRoleBindings.get container.clusterRoleBindings.list container.clusterRoles.get container.clusterRoles.list container.clusters.get container.clusters.list container.componentStatuses.* container.configMaps.get container.configMaps.list container.controllerRevisions.get container.controllerRevisions.list container.cronJobs.get container.cronJobs.getStatus container.cronJobs.list container.csiDrivers.get container.csiDrivers.list container.csiNodeInfos.get container.csiNodeInfos.list container.csiNodes.get container.csiNodes.list container.customResourceDefinitions.get container.customResourceDefinitions.getStatus container.customResourceDefinitions.list container.daemonSets.get container.daemonSets.getStatus container.daemonSets.list container.deployments.get container.deployments.getScale container.deployments.getStatus container.deployments.list container.endpointSlices.get container.endpointSlices.list container.endpoints.get container.endpoints.list container.events.get container.events.list container.frontendConfigs.get container.frontendConfigs.list container.horizontalPodAutoscalers.get container.horizontalPodAutoscalers.getStatus container.horizontalPodAutoscalers.list container.ingresses.get container.ingresses.getStatus container.ingresses.list container.initializerConfigurations.get container.initializerConfigurations.list container.jobs.get container.jobs.getStatus container.jobs.list container.leases.get container.leases.list container.limitRanges.get container.limitRanges.list container.managedCertificates.get container.managedCertificates.list container.mutatingWebhookConfigurations.get container.mutatingWebhookConfigurations.list container.namespaces.get container.namespaces.getStatus container.namespaces.list container.networkPolicies.get container.networkPolicies.list container.nodes.get container.nodes.getStatus container.nodes.list container.operations.* container.persistentVolumeClaims.get container.persistentVolumeClaims.getStatus container.persistentVolumeClaims.list container.persistentVolumes.get container.persistentVolumes.getStatus container.persistentVolumes.list container.petSets.get container.petSets.list container.podDisruptionBudgets.get container.podDisruptionBudgets.getStatus container.podDisruptionBudgets.list container.podPresets.get container.podPresets.list container.podSecurityPolicies.get container.podSecurityPolicies.list container.podTemplates.get container.podTemplates.list container.pods.get container.pods.getStatus container.pods.list container.priorityClasses.get container.priorityClasses.list container.replicaSets.get container.replicaSets.getScale container.replicaSets.getStatus container.replicaSets.list container.replicationControllers.get container.replicationControllers.getScale container.replicationControllers.getStatus container.replicationControllers.list container.resourceQuotas.get container.resourceQuotas.getStatus container.resourceQuotas.list container.roleBindings.get container.roleBindings.list container.roles.get container.roles.list container.runtimeClasses.get container.runtimeClasses.list container.scheduledJobs.get container.scheduledJobs.list container.serviceAccounts.get container.serviceAccounts.list container.services.get container.services.getStatus container.services.list container.statefulSets.get container.statefulSets.getScale container.statefulSets.getStatus container.statefulSets.list container.storageClasses.get container.storageClasses.list container.storageStates.get container.storageStates.getStatus container.storageStates.list container.storageVersionMigrations.get container.storageVersionMigrations.getStatus container.storageVersionMigrations.list container.thirdPartyObjects.get container.thirdPartyObjects.list container.thirdPartyResources.get container.thirdPartyResources.list container.tokenReviews.* container.updateInfos.get container.updateInfos.list container.validatingWebhookConfigurations.get container.validatingWebhookConfigurations.list container.volumeAttachments.get container.volumeAttachments.getStatus container.volumeAttachments.list container.volumeSnapshotClasses.get container.volumeSnapshotClasses.list container.volumeSnapshotContents.get container.volumeSnapshotContents.getStatus container.volumeSnapshotContents.list container.volumeSnapshots.get container.volumeSnapshots.list dlp.jobs.get dlp.jobs.list logging.buckets.get logging.buckets.list logging.exclusions.get logging.exclusions.list logging.locations.* logging.logEntries.list logging.logMetrics.get logging.logMetrics.list logging.logServiceIndexes.* logging.logServices.* logging.logs.list logging.operations.get logging.operations.list logging.queries.create logging.queries.delete logging.queries.get logging.queries.list logging.queries.listShared logging.queries.update logging.sinks.get logging.sinks.list logging.usage.* logging.views.get logging.views.list monitoring.alertPolicies.get monitoring.alertPolicies.list orgpolicy.policy.get recommender.cloudAssetInsights.get recommender.cloudAssetInsights.list recommender.locations.* resourcemanager.folders.get resourcemanager.folders.list resourcemanager.organizations.get resourcemanager.projects.get resourcemanager.projects.getIamPolicy resourcemanager.projects.list securitycenter.assets.* securitycenter.assetsecuritymarks.* securitycenter.bigQueryExports.* securitycenter.containerthreatdetectionsettings.calculate securitycenter.containerthreatdetectionsettings.get securitycenter.eventthreatdetectionsettings.calculate securitycenter.eventthreatdetectionsettings.get securitycenter.findingexternalsystems.* securitycenter.findings.* securitycenter.findingsecuritymarks.* securitycenter.muteconfigs.* securitycenter.notificationconfig.* securitycenter.organizationsettings.get securitycenter.securitycentersettings.get securitycenter.securityhealthanalyticssettings.calculate securitycenter.securityhealthanalyticssettings.get securitycenter.sources.get securitycenter.sources.list securitycenter.sources.update securitycenter.subscription.* securitycenter.userinterfacemetadata.* securitycenter.virtualmachinethreatdetectionsettings.calculate securitycenter.virtualmachinethreatdetectionsettings.get securitycenter.websecurityscannersettings.calculate securitycenter.websecurityscannersettings.get serviceusage.quotas.get serviceusage.services.enable serviceusage.services.get serviceusage.services.list stackdriver.projects.get storage.buckets.get storage.buckets.getIamPolicy storage.buckets.list
Security Center Integration Executor Service Agent roles/securitycenter.integrationExecutorServiceAgent Gives Security Center access to execute Integrations.	integrations.securityExecutions.cancel integrations.securityExecutions.list integrations.securityIntegrations.invoke
Security Center Notification Service Agent roles/securitycenter.notificationServiceAgent Security Center service agent can publish notifications to Pub/Sub topics.	pubsub.topics.publish
Security Health Analytics Service Agent roles/securitycenter.securityHealthAnalyticsServiceAgent Security Health Analytics service agent can scan GCP resource metadata to find security vulnerabilities.	apikeys.keys.get apikeys.keys.list apikeys.keys.lookup appengine.applications.get bigquery.datasets.get binaryauthorization.policy.get cloudasset.assets.* cloudasset.feeds.* cloudsecurityscanner.* cloudsql.instances.connect cloudsql.instances.get cloudsql.users.list compute.acceleratorTypes.* compute.addresses.get compute.addresses.list compute.autoscalers.get compute.autoscalers.list compute.backendBuckets.get compute.backendBuckets.list compute.backendServices.get compute.backendServices.getIamPolicy compute.backendServices.list compute.commitments.get compute.commitments.list compute.diskTypes.* compute.disks.get compute.disks.getIamPolicy compute.disks.list compute.disks.listTagBindings compute.externalVpnGateways.get compute.externalVpnGateways.list compute.firewallPolicies.get compute.firewallPolicies.getIamPolicy compute.firewallPolicies.list compute.firewalls.get compute.firewalls.list compute.forwardingRules.get compute.forwardingRules.list compute.globalAddresses.get compute.globalAddresses.list compute.globalForwardingRules.get compute.globalForwardingRules.list compute.globalForwardingRules.pscGet compute.globalNetworkEndpointGroups.get compute.globalNetworkEndpointGroups.list compute.globalOperations.get compute.globalOperations.getIamPolicy compute.globalOperations.list compute.globalPublicDelegatedPrefixes.get compute.globalPublicDelegatedPrefixes.list compute.healthChecks.get compute.healthChecks.list compute.httpHealthChecks.get compute.httpHealthChecks.list compute.httpsHealthChecks.get compute.httpsHealthChecks.list compute.images.get compute.images.getFromFamily compute.images.getIamPolicy compute.images.list compute.images.listTagBindings compute.instanceGroupManagers.get compute.instanceGroupManagers.list compute.instanceGroups.get compute.instanceGroups.list compute.instanceTemplates.get compute.instanceTemplates.getIamPolicy compute.instanceTemplates.list compute.instances.get compute.instances.getEffectiveFirewalls compute.instances.getGuestAttributes compute.instances.getIamPolicy compute.instances.getScreenshot compute.instances.getSerialPortOutput compute.instances.getShieldedInstanceIdentity compute.instances.getShieldedVmIdentity compute.instances.list compute.instances.listReferrers compute.interconnectAttachments.get compute.interconnectAttachments.list compute.interconnectLocations.* compute.interconnects.get compute.interconnects.list compute.licenseCodes.get compute.licenseCodes.getIamPolicy compute.licenseCodes.list compute.licenses.get compute.licenses.getIamPolicy compute.licenses.list compute.machineImages.get compute.machineImages.getIamPolicy compute.machineImages.list compute.machineTypes.* compute.maintenancePolicies.get compute.maintenancePolicies.getIamPolicy compute.maintenancePolicies.list compute.networkEndpointGroups.get compute.networkEndpointGroups.getIamPolicy compute.networkEndpointGroups.list compute.networks.get compute.networks.getEffectiveFirewalls compute.networks.getRegionEffectiveFirewalls compute.networks.list compute.networks.listPeeringRoutes compute.nodeGroups.get compute.nodeGroups.getIamPolicy compute.nodeGroups.list compute.nodeTemplates.get compute.nodeTemplates.getIamPolicy compute.nodeTemplates.list compute.nodeTypes.* compute.organizations.listAssociations compute.packetMirrorings.get compute.packetMirrorings.list compute.projects.get compute.publicAdvertisedPrefixes.get compute.publicAdvertisedPrefixes.list compute.publicDelegatedPrefixes.get compute.publicDelegatedPrefixes.list compute.regionBackendServices.get compute.regionBackendServices.getIamPolicy compute.regionBackendServices.list compute.regionFirewallPolicies.get compute.regionFirewallPolicies.getIamPolicy compute.regionFirewallPolicies.list compute.regionHealthCheckServices.get compute.regionHealthCheckServices.list compute.regionHealthChecks.get compute.regionHealthChecks.list compute.regionNetworkEndpointGroups.get compute.regionNetworkEndpointGroups.list compute.regionNotificationEndpoints.get compute.regionNotificationEndpoints.list compute.regionOperations.get compute.regionOperations.getIamPolicy compute.regionOperations.list compute.regionSslCertificates.get compute.regionSslCertificates.list compute.regionTargetHttpProxies.get compute.regionTargetHttpProxies.list compute.regionTargetHttpsProxies.get compute.regionTargetHttpsProxies.list compute.regionUrlMaps.get compute.regionUrlMaps.list compute.regionUrlMaps.validate compute.regions.* compute.reservations.get compute.reservations.list compute.resourcePolicies.get compute.resourcePolicies.list compute.routers.get compute.routers.list compute.routes.get compute.routes.list compute.securityPolicies.get compute.securityPolicies.getIamPolicy compute.securityPolicies.list compute.serviceAttachments.get compute.serviceAttachments.list compute.snapshots.get compute.snapshots.getIamPolicy compute.snapshots.list compute.snapshots.listTagBindings compute.sslCertificates.get compute.sslCertificates.list compute.sslPolicies.get compute.sslPolicies.list compute.sslPolicies.listAvailableFeatures compute.subnetworks.get compute.subnetworks.getIamPolicy compute.subnetworks.list compute.targetGrpcProxies.get compute.targetGrpcProxies.list compute.targetHttpProxies.get compute.targetHttpProxies.list compute.targetHttpsProxies.get compute.targetHttpsProxies.list compute.targetInstances.get compute.targetInstances.list compute.targetPools.get compute.targetPools.list compute.targetSslProxies.get compute.targetSslProxies.list compute.targetTcpProxies.get compute.targetTcpProxies.list compute.targetVpnGateways.get compute.targetVpnGateways.list compute.urlMaps.get compute.urlMaps.list compute.urlMaps.validate compute.vpnGateways.get compute.vpnGateways.list compute.vpnTunnels.get compute.vpnTunnels.list compute.zoneOperations.get compute.zoneOperations.getIamPolicy compute.zoneOperations.list compute.zones.* container.clusters.get container.clusters.list logging.buckets.get logging.buckets.list logging.exclusions.get logging.exclusions.list logging.locations.* logging.logEntries.list logging.logMetrics.get logging.logMetrics.list logging.logServiceIndexes.* logging.logServices.* logging.logs.list logging.operations.get logging.operations.list logging.queries.create logging.queries.delete logging.queries.get logging.queries.list logging.queries.listShared logging.queries.update logging.sinks.get logging.sinks.list logging.usage.* logging.views.get logging.views.list monitoring.alertPolicies.get monitoring.alertPolicies.list orgpolicy.policy.get recommender.cloudAssetInsights.get recommender.cloudAssetInsights.list recommender.locations.* resourcemanager.folders.get resourcemanager.folders.list resourcemanager.organizations.get resourcemanager.projects.get resourcemanager.projects.list securitycenter.assets.* securitycenter.assetsecuritymarks.* securitycenter.bigQueryExports.* securitycenter.containerthreatdetectionsettings.calculate securitycenter.containerthreatdetectionsettings.get securitycenter.eventthreatdetectionsettings.calculate securitycenter.eventthreatdetectionsettings.get securitycenter.findingexternalsystems.* securitycenter.findings.* securitycenter.findingsecuritymarks.* securitycenter.muteconfigs.* securitycenter.notificationconfig.* securitycenter.organizationsettings.get securitycenter.securitycentersettings.get securitycenter.securityhealthanalyticssettings.calculate securitycenter.securityhealthanalyticssettings.get securitycenter.sources.get securitycenter.sources.list securitycenter.sources.update securitycenter.subscription.* securitycenter.userinterfacemetadata.* securitycenter.virtualmachinethreatdetectionsettings.calculate securitycenter.virtualmachinethreatdetectionsettings.get securitycenter.websecurityscannersettings.calculate securitycenter.websecurityscannersettings.get serviceusage.quotas.get serviceusage.services.get serviceusage.services.list stackdriver.projects.get
Google Cloud Security Response Service Agent roles/securitycenter.securityResponseServiceAgent Gives Playbook Runner permissions to execute all Google authored Playbooks. This role will keep evolving as we add more playbooks	compute.instances.deleteAccessConfig compute.instances.get compute.instances.setMetadata iam.serviceAccounts.actAs pubsub.topics.publish securitycenter.findings.list storage.buckets.get storage.buckets.update
Security Center Service Agent roles/securitycenter.serviceAgent Security Center service agent can scan GCP resources and import security scans.	apikeys.keys.get apikeys.keys.list apikeys.keys.lookup appengine.applications.get appengine.instances.get appengine.instances.list appengine.operations.* appengine.services.get appengine.services.list appengine.versions.get appengine.versions.list bigquery.datasets.get binaryauthorization.policy.get cloudasset.assets.* cloudasset.feeds.* cloudsecurityscanner.* cloudsql.instances.connect cloudsql.instances.get cloudsql.users.list compute.acceleratorTypes.* compute.addresses.get compute.addresses.list compute.autoscalers.get compute.autoscalers.list compute.backendBuckets.get compute.backendBuckets.list compute.backendServices.get compute.backendServices.getIamPolicy compute.backendServices.list compute.commitments.get compute.commitments.list compute.diskTypes.* compute.disks.get compute.disks.getIamPolicy compute.disks.list compute.disks.listTagBindings compute.externalVpnGateways.get compute.externalVpnGateways.list compute.firewallPolicies.get compute.firewallPolicies.getIamPolicy compute.firewallPolicies.list compute.firewalls.get compute.firewalls.list compute.forwardingRules.get compute.forwardingRules.list compute.globalAddresses.get compute.globalAddresses.list compute.globalForwardingRules.get compute.globalForwardingRules.list compute.globalForwardingRules.pscGet compute.globalNetworkEndpointGroups.get compute.globalNetworkEndpointGroups.list compute.globalOperations.get compute.globalOperations.getIamPolicy compute.globalOperations.list compute.globalPublicDelegatedPrefixes.get compute.globalPublicDelegatedPrefixes.list compute.healthChecks.get compute.healthChecks.list compute.httpHealthChecks.get compute.httpHealthChecks.list compute.httpsHealthChecks.get compute.httpsHealthChecks.list compute.images.get compute.images.getFromFamily compute.images.getIamPolicy compute.images.list compute.images.listTagBindings compute.instanceGroupManagers.get compute.instanceGroupManagers.list compute.instanceGroups.get compute.instanceGroups.list compute.instanceTemplates.get compute.instanceTemplates.getIamPolicy compute.instanceTemplates.list compute.instances.get compute.instances.getEffectiveFirewalls compute.instances.getGuestAttributes compute.instances.getIamPolicy compute.instances.getScreenshot compute.instances.getSerialPortOutput compute.instances.getShieldedInstanceIdentity compute.instances.getShieldedVmIdentity compute.instances.list compute.instances.listReferrers compute.interconnectAttachments.get compute.interconnectAttachments.list compute.interconnectLocations.* compute.interconnects.get compute.interconnects.list compute.licenseCodes.get compute.licenseCodes.getIamPolicy compute.licenseCodes.list compute.licenses.get compute.licenses.getIamPolicy compute.licenses.list compute.machineImages.get compute.machineImages.getIamPolicy compute.machineImages.list compute.machineTypes.* compute.maintenancePolicies.get compute.maintenancePolicies.getIamPolicy compute.maintenancePolicies.list compute.networkEndpointGroups.get compute.networkEndpointGroups.getIamPolicy compute.networkEndpointGroups.list compute.networks.get compute.networks.getEffectiveFirewalls compute.networks.getRegionEffectiveFirewalls compute.networks.list compute.networks.listPeeringRoutes compute.nodeGroups.get compute.nodeGroups.getIamPolicy compute.nodeGroups.list compute.nodeTemplates.get compute.nodeTemplates.getIamPolicy compute.nodeTemplates.list compute.nodeTypes.* compute.organizations.listAssociations compute.packetMirrorings.get compute.packetMirrorings.list compute.projects.get compute.publicAdvertisedPrefixes.get compute.publicAdvertisedPrefixes.list compute.publicDelegatedPrefixes.get compute.publicDelegatedPrefixes.list compute.regionBackendServices.get compute.regionBackendServices.getIamPolicy compute.regionBackendServices.list compute.regionFirewallPolicies.get compute.regionFirewallPolicies.getIamPolicy compute.regionFirewallPolicies.list compute.regionHealthCheckServices.get compute.regionHealthCheckServices.list compute.regionHealthChecks.get compute.regionHealthChecks.list compute.regionNetworkEndpointGroups.get compute.regionNetworkEndpointGroups.list compute.regionNotificationEndpoints.get compute.regionNotificationEndpoints.list compute.regionOperations.get compute.regionOperations.getIamPolicy compute.regionOperations.list compute.regionSslCertificates.get compute.regionSslCertificates.list compute.regionTargetHttpProxies.get compute.regionTargetHttpProxies.list compute.regionTargetHttpsProxies.get compute.regionTargetHttpsProxies.list compute.regionUrlMaps.get compute.regionUrlMaps.list compute.regionUrlMaps.validate compute.regions.* compute.reservations.get compute.reservations.list compute.resourcePolicies.get compute.resourcePolicies.list compute.routers.get compute.routers.list compute.routes.get compute.routes.list compute.securityPolicies.get compute.securityPolicies.getIamPolicy compute.securityPolicies.list compute.serviceAttachments.get compute.serviceAttachments.list compute.snapshots.get compute.snapshots.getIamPolicy compute.snapshots.list compute.snapshots.listTagBindings compute.sslCertificates.get compute.sslCertificates.list compute.sslPolicies.get compute.sslPolicies.list compute.sslPolicies.listAvailableFeatures compute.subnetworks.get compute.subnetworks.getIamPolicy compute.subnetworks.list compute.targetGrpcProxies.get compute.targetGrpcProxies.list compute.targetHttpProxies.get compute.targetHttpProxies.list compute.targetHttpsProxies.get compute.targetHttpsProxies.list compute.targetInstances.get compute.targetInstances.list compute.targetPools.get compute.targetPools.list compute.targetSslProxies.get compute.targetSslProxies.list compute.targetTcpProxies.get compute.targetTcpProxies.list compute.targetVpnGateways.get compute.targetVpnGateways.list compute.urlMaps.get compute.urlMaps.list compute.urlMaps.validate compute.vpnGateways.get compute.vpnGateways.list compute.vpnTunnels.get compute.vpnTunnels.list compute.zoneOperations.get compute.zoneOperations.getIamPolicy compute.zoneOperations.list compute.zones.* container.apiServices.get container.apiServices.getStatus container.apiServices.list container.auditSinks.get container.auditSinks.list container.backendConfigs.get container.backendConfigs.list container.bindings.get container.bindings.list container.certificateSigningRequests.get container.certificateSigningRequests.getStatus container.certificateSigningRequests.list container.clusterRoleBindings.get container.clusterRoleBindings.list container.clusterRoles.get container.clusterRoles.list container.clusters.get container.clusters.list container.componentStatuses.* container.configMaps.get container.configMaps.list container.controllerRevisions.get container.controllerRevisions.list container.cronJobs.get container.cronJobs.getStatus container.cronJobs.list container.csiDrivers.get container.csiDrivers.list container.csiNodeInfos.get container.csiNodeInfos.list container.csiNodes.get container.csiNodes.list container.customResourceDefinitions.get container.customResourceDefinitions.getStatus container.customResourceDefinitions.list container.daemonSets.get container.daemonSets.getStatus container.daemonSets.list container.deployments.get container.deployments.getScale container.deployments.getStatus container.deployments.list container.endpointSlices.get container.endpointSlices.list container.endpoints.get container.endpoints.list container.events.get container.events.list container.frontendConfigs.get container.frontendConfigs.list container.horizontalPodAutoscalers.get container.horizontalPodAutoscalers.getStatus container.horizontalPodAutoscalers.list container.ingresses.get container.ingresses.getStatus container.ingresses.list container.initializerConfigurations.get container.initializerConfigurations.list container.jobs.get container.jobs.getStatus container.jobs.list container.leases.get container.leases.list container.limitRanges.get container.limitRanges.list container.managedCertificates.get container.managedCertificates.list container.mutatingWebhookConfigurations.get container.mutatingWebhookConfigurations.list container.namespaces.get container.namespaces.getStatus container.namespaces.list container.networkPolicies.get container.networkPolicies.list container.nodes.get container.nodes.getStatus container.nodes.list container.operations.* container.persistentVolumeClaims.get container.persistentVolumeClaims.getStatus container.persistentVolumeClaims.list container.persistentVolumes.get container.persistentVolumes.getStatus container.persistentVolumes.list container.petSets.get container.petSets.list container.podDisruptionBudgets.get container.podDisruptionBudgets.getStatus container.podDisruptionBudgets.list container.podPresets.get container.podPresets.list container.podSecurityPolicies.get container.podSecurityPolicies.list container.podTemplates.get container.podTemplates.list container.pods.get container.pods.getStatus container.pods.list container.priorityClasses.get container.priorityClasses.list container.replicaSets.get container.replicaSets.getScale container.replicaSets.getStatus container.replicaSets.list container.replicationControllers.get container.replicationControllers.getScale container.replicationControllers.getStatus container.replicationControllers.list container.resourceQuotas.get container.resourceQuotas.getStatus container.resourceQuotas.list container.roleBindings.get container.roleBindings.list container.roles.get container.roles.list container.runtimeClasses.get container.runtimeClasses.list container.scheduledJobs.get container.scheduledJobs.list container.serviceAccounts.get container.serviceAccounts.list container.services.get container.services.getStatus container.services.list container.statefulSets.get container.statefulSets.getScale container.statefulSets.getStatus container.statefulSets.list container.storageClasses.get container.storageClasses.list container.storageStates.get container.storageStates.getStatus container.storageStates.list container.storageVersionMigrations.get container.storageVersionMigrations.getStatus container.storageVersionMigrations.list container.thirdPartyObjects.get container.thirdPartyObjects.list container.thirdPartyResources.get container.thirdPartyResources.list container.tokenReviews.* container.updateInfos.get container.updateInfos.list container.validatingWebhookConfigurations.get container.validatingWebhookConfigurations.list container.volumeAttachments.get container.volumeAttachments.getStatus container.volumeAttachments.list container.volumeSnapshotClasses.get container.volumeSnapshotClasses.list container.volumeSnapshotContents.get container.volumeSnapshotContents.getStatus container.volumeSnapshotContents.list container.volumeSnapshots.get container.volumeSnapshots.list dlp.jobs.get dlp.jobs.list logging.buckets.get logging.buckets.list logging.exclusions.get logging.exclusions.list logging.locations.* logging.logEntries.list logging.logMetrics.get logging.logMetrics.list logging.logServiceIndexes.* logging.logServices.* logging.logs.list logging.operations.get logging.operations.list logging.queries.create logging.queries.delete logging.queries.get logging.queries.list logging.queries.listShared logging.queries.update logging.sinks.get logging.sinks.list logging.usage.* logging.views.get logging.views.list monitoring.alertPolicies.get monitoring.alertPolicies.list orgpolicy.policy.get recommender.cloudAssetInsights.get recommender.cloudAssetInsights.list recommender.locations.* resourcemanager.folders.get resourcemanager.folders.list resourcemanager.organizations.get resourcemanager.projects.get resourcemanager.projects.getIamPolicy resourcemanager.projects.list securitycenter.assets.* securitycenter.assetsecuritymarks.* securitycenter.bigQueryExports.* securitycenter.containerthreatdetectionsettings.calculate securitycenter.containerthreatdetectionsettings.get securitycenter.eventthreatdetectionsettings.calculate securitycenter.eventthreatdetectionsettings.get securitycenter.findingexternalsystems.* securitycenter.findings.* securitycenter.findingsecuritymarks.* securitycenter.muteconfigs.* securitycenter.notificationconfig.* securitycenter.organizationsettings.get securitycenter.securitycentersettings.get securitycenter.securityhealthanalyticssettings.calculate securitycenter.securityhealthanalyticssettings.get securitycenter.sources.get securitycenter.sources.list securitycenter.sources.update securitycenter.subscription.* securitycenter.userinterfacemetadata.* securitycenter.virtualmachinethreatdetectionsettings.calculate securitycenter.virtualmachinethreatdetectionsettings.get securitycenter.websecurityscannersettings.calculate securitycenter.websecurityscannersettings.get serviceusage.quotas.get serviceusage.services.get serviceusage.services.list stackdriver.projects.get storage.buckets.get storage.buckets.getIamPolicy storage.buckets.list
Service Directory Service Agent roles/servicedirectory.serviceAgent Give the Service Directory service agent access to Cloud Platform resources.	container.clusters.get gkehub.features.get gkehub.locations.* gkehub.memberships.get gkehub.memberships.list resourcemanager.projects.get resourcemanager.projects.list servicedirectory.endpoints.create servicedirectory.endpoints.delete servicedirectory.endpoints.get servicedirectory.endpoints.getIamPolicy servicedirectory.endpoints.list servicedirectory.endpoints.update servicedirectory.locations.* servicedirectory.namespaces.associatePrivateZone servicedirectory.namespaces.create servicedirectory.namespaces.delete servicedirectory.namespaces.get servicedirectory.namespaces.getIamPolicy servicedirectory.namespaces.list servicedirectory.namespaces.update servicedirectory.networks.attach servicedirectory.services.bind servicedirectory.services.create servicedirectory.services.delete servicedirectory.services.get servicedirectory.services.getIamPolicy servicedirectory.services.list servicedirectory.services.resolve servicedirectory.services.update
Service Networking Service Agent roles/servicenetworking.serviceAgent Gives permission to manage network configuration, such as establishing network peering, necessary for service producers	compute.globalAddresses.get compute.globalAddresses.list compute.globalOperations.get compute.networks.addPeering compute.networks.create compute.networks.delete compute.networks.get compute.networks.list compute.networks.listPeeringRoutes compute.networks.removePeering compute.networks.update compute.networks.updatePeering compute.networks.updatePolicy compute.projects.get compute.regionOperations.get compute.routers.get compute.routers.list compute.routes.list compute.subnetworks.create compute.subnetworks.delete compute.subnetworks.get compute.subnetworks.list dns.changes.* dns.dnsKeys.* dns.managedZoneOperations.* dns.managedZones.* dns.networks.* dns.policies.create dns.policies.delete dns.policies.get dns.policies.list dns.policies.update dns.projects.* dns.resourceRecordSets.* dns.responsePolicies.* dns.responsePolicyRules.* resourcemanager.projects.get resourcemanager.projects.list
Cloud Source Repositories Service Agent roles/sourcerepo.serviceAgent Allow Cloud Source Repositories to integrate with other Cloud services.	iam.serviceAccounts.getAccessToken pubsub.topics.publish
Cloud Speech-to-Text Service Agent roles/speech.serviceAgent Gives Speech-to-Text service account access to Cloud Storage resources.	storage.objects.create storage.objects.get storage.objects.list storage.objects.update
Dataform Service Agent roles/sqlx.serviceAgent Gives permission for the Dataform API to access a secret from Secret Manager	resourcemanager.projects.get resourcemanager.projects.list
Cloud TPU API Service Agent roles/tpu.serviceAgent Give Cloud TPUs service account access to managed resources	compute.globalOperations.get compute.networks.addPeering compute.networks.get compute.networks.removePeering compute.networks.update compute.routes.get compute.routes.list compute.subnetworks.get compute.subnetworks.list compute.zones.* monitoring.metricDescriptors.create monitoring.metricDescriptors.get monitoring.metricDescriptors.list monitoring.monitoredResourceDescriptors.* monitoring.timeSeries.create resourcemanager.projects.get resourcemanager.projects.list
Transcoder Service Agent roles/transcoder.serviceAgent Downloads and uploads media files from and to customer Cloud Storage buckets. Publishes status updates to customer Pub/Sub.	pubsub.topics.publish storage.objects.create storage.objects.delete storage.objects.get transcoder.jobs.delete
Visual Inspection AI Service Agent roles/visualinspection.serviceAgent Grants Visual Inspection AI Service Agent admin roles for accessing/exporting training data, pushing containers artifacts to GCR and ArtifactsRegistry, and Vertex AI for storing data and running training jobs.	aiplatform.* artifactregistry.* firebase.projects.get orgpolicy.policy.get resourcemanager.projects.get resourcemanager.projects.list storage.buckets.* storage.multipartUploads.* storage.objects.*
Serverless VPC Access Service Agent roles/vpcaccess.serviceAgent Can create and manage resources to support serverless application to connect to virtual private cloud.	billing.accounts.get compute.autoscalers.* compute.disks.create compute.firewalls.* compute.healthChecks.* compute.httpHealthChecks.create compute.httpHealthChecks.delete compute.httpHealthChecks.get compute.httpHealthChecks.list compute.httpHealthChecks.use compute.httpHealthChecks.useReadOnly compute.httpsHealthChecks.create compute.httpsHealthChecks.delete compute.httpsHealthChecks.get compute.httpsHealthChecks.update compute.httpsHealthChecks.use compute.httpsHealthChecks.useReadOnly compute.images.get compute.images.useReadOnly compute.instanceGroupManagers.create compute.instanceGroupManagers.delete compute.instanceGroupManagers.get compute.instanceGroupManagers.update compute.instanceGroupManagers.use compute.instanceGroups.create compute.instanceGroups.delete compute.instanceGroups.get compute.instanceGroups.update compute.instanceTemplates.create compute.instanceTemplates.delete compute.instanceTemplates.get compute.instanceTemplates.useReadOnly compute.instances.create compute.instances.delete compute.instances.get compute.instances.getGuestAttributes compute.instances.list compute.instances.reset compute.instances.setLabels compute.instances.setMetadata compute.instances.setTags compute.instances.start compute.instances.stop compute.instances.use compute.machineTypes.get compute.networks.get compute.networks.use compute.projects.get compute.projects.setCommonInstanceMetadata compute.regionOperations.get compute.regionOperations.list compute.regions.* compute.subnetworks.create compute.subnetworks.delete compute.subnetworks.get compute.subnetworks.list compute.subnetworks.use compute.zoneOperations.get compute.zoneOperations.list compute.zones.* deploymentmanager.compositeTypes.get deploymentmanager.deployments.create deploymentmanager.deployments.delete deploymentmanager.deployments.get deploymentmanager.deployments.list deploymentmanager.deployments.update deploymentmanager.manifests.* deploymentmanager.operations.* deploymentmanager.typeProviders.create deploymentmanager.typeProviders.get logging.logEntries.create logging.logMetrics.create logging.logMetrics.delete logging.logMetrics.get logging.logMetrics.update resourcemanager.projects.get
Cloud Web Security Scanner Service Agent roles/websecurityscanner.serviceAgent Gives the Cloud Web Security Scanner service account access to compute engine details and app engine details.	appengine.applications.get cloudasset.assets.listResource compute.addresses.list compute.backendServices.get compute.forwardingRules.get compute.globalForwardingRules.get compute.sslCertificates.list compute.targetHttpProxies.get compute.targetHttpsProxies.get compute.urlMaps.get
Cloud Workflows Service Agent roles/workflows.serviceAgent Gives Cloud Workflows service account access to managed resources.	iam.serviceAccounts.get iam.serviceAccounts.getAccessToken iam.serviceAccounts.getOpenIdToken
Workload Certificate Service Agent roles/workloadcertificate.serviceAgent Gives the Workload Certificate service agent access to Cloud Platform resources.	container.clusters.get container.clusters.update gkehub.features.get gkehub.locations.* gkehub.memberships.get gkehub.memberships.list serviceconsumermanagement.tenancyu.addResource serviceconsumermanagement.tenancyu.create serviceconsumermanagement.tenancyu.delete serviceconsumermanagement.tenancyu.removeResource
Admin of Tenancy Units roles/serviceconsumermanagement.tenancyUnitsAdmin Administrate tenancy units	serviceconsumermanagement.tenancyu.*
Viewer of Tenancy Units roles/serviceconsumermanagement.tenancyUnitsViewer View tenancy units	serviceconsumermanagement.tenancyu.list
Service Directory Admin roles/servicedirectory.admin Full control of all Service Directory resources and permissions.	resourcemanager.projects.get resourcemanager.projects.list servicedirectory.endpoints.* servicedirectory.locations.* servicedirectory.namespaces.* servicedirectory.networks.attach servicedirectory.services.*
Service Directory Editor roles/servicedirectory.editor Edit Service Directory resources.	resourcemanager.projects.get resourcemanager.projects.list servicedirectory.endpoints.create servicedirectory.endpoints.delete servicedirectory.endpoints.get servicedirectory.endpoints.getIamPolicy servicedirectory.endpoints.list servicedirectory.endpoints.update servicedirectory.locations.* servicedirectory.namespaces.associatePrivateZone servicedirectory.namespaces.create servicedirectory.namespaces.delete servicedirectory.namespaces.get servicedirectory.namespaces.getIamPolicy servicedirectory.namespaces.list servicedirectory.namespaces.update servicedirectory.networks.attach servicedirectory.services.bind servicedirectory.services.create servicedirectory.services.delete servicedirectory.services.get servicedirectory.services.getIamPolicy servicedirectory.services.list servicedirectory.services.resolve servicedirectory.services.update
Service Directory Network Attacher roles/servicedirectory.networkAttacher Gives access to attach VPC Networks to Service Directory Endpoints	resourcemanager.projects.get resourcemanager.projects.list servicedirectory.networks.attach
Private Service Connect Authorized Service roles/servicedirectory.pscAuthorizedService Gives access to VPC Networks via Service Directory	resourcemanager.projects.get resourcemanager.projects.list servicedirectory.networks.access
Service Directory Viewer roles/servicedirectory.viewer View Service Directory resources.	resourcemanager.projects.get resourcemanager.projects.list servicedirectory.endpoints.get servicedirectory.endpoints.getIamPolicy servicedirectory.endpoints.list servicedirectory.locations.* servicedirectory.namespaces.get servicedirectory.namespaces.getIamPolicy servicedirectory.namespaces.list servicedirectory.services.get servicedirectory.services.getIamPolicy servicedirectory.services.list servicedirectory.services.resolve
Cloud Run Service Agent roles/serverless.serviceAgent Gives Cloud Run service account access to managed resources.	artifactregistry.dockerimages.* artifactregistry.files.* artifactregistry.packages.get artifactregistry.packages.list artifactregistry.repositories.downloadArtifacts artifactregistry.repositories.get artifactregistry.repositories.list artifactregistry.repositories.listEffectiveTags artifactregistry.repositories.listTagBindings artifactregistry.tags.get artifactregistry.tags.list artifactregistry.versions.get artifactregistry.versions.list binaryauthorization.platformPolicies.evaluatePolicy binaryauthorization.policy.evaluatePolicy clientauthconfig.clients.list cloudbuild.builds.create cloudbuild.builds.get compute.globalOperations.get compute.networks.access iam.serviceAccounts.actAs iam.serviceAccounts.getAccessToken iam.serviceAccounts.getOpenIdToken iam.serviceAccounts.signBlob pubsub.subscriptions.create pubsub.subscriptions.delete pubsub.subscriptions.get pubsub.subscriptions.list pubsub.topics.attachSubscription pubsub.topics.create pubsub.topics.delete pubsub.topics.get pubsub.topics.list pubsub.topics.publish resourcemanager.projects.get resourcemanager.projects.getIamPolicy resourcemanager.projects.list run.routes.invoke serviceusage.services.use storage.objects.get storage.objects.list vpcaccess.connectors.get vpcaccess.connectors.use
Service Management Administrator roles/servicemanagement.admin Full control of Google Service Management resources.	monitoring.timeSeries.list resourcemanager.folders.get resourcemanager.folders.list resourcemanager.organizations.get resourcemanager.projects.get resourcemanager.projects.list serviceconsumermanagement.* servicemanagement.* serviceusage.quotas.get serviceusage.services.get
Service Config Editor roles/servicemanagement.configEditor Access to update the service config and create rollouts.	servicemanagement.services.get servicemanagement.services.update
Quota Administrator roles/servicemanagement.quotaAdmin Provides access to administer service quotas.	monitoring.timeSeries.list resourcemanager.organizations.get resourcemanager.projects.get resourcemanager.projects.list serviceusage.quotas.* serviceusage.services.disable serviceusage.services.enable serviceusage.services.get serviceusage.services.list
Quota Viewer roles/servicemanagement.quotaViewer Provides access to view service quotas.	monitoring.timeSeries.list serviceusage.quotas.get serviceusage.services.get serviceusage.services.list
Service Reporter roles/servicemanagement.reporter Can report usage of a service during runtime.	servicemanagement.services.report
Service Consumer roles/servicemanagement.serviceConsumer Can enable the service.	servicemanagement.services.bind
Service Controller roles/servicemanagement.serviceController Can check preconditions and report usage of a service during runtime.	servicemanagement.services.check servicemanagement.services.get servicemanagement.services.quota servicemanagement.services.report
Service Networking Admin roles/servicenetworking.networksAdmin Full control of service networking with projects.	servicenetworking.*
API Keys Admin roles/serviceusage.apiKeysAdmin Ability to create, delete, update, get and list API keys for a project.	apikeys.* serviceusage.apiKeys.* serviceusage.operations.get
API Keys Viewer roles/serviceusage.apiKeysViewer Ability to get and list API keys for a project.	apikeys.keys.get apikeys.keys.list apikeys.keys.lookup
Service Usage Admin roles/serviceusage.serviceUsageAdmin Ability to enable, disable, and inspect service states, inspect operations, and consume quota and billing for a consumer project.	monitoring.timeSeries.list serviceusage.operations.* serviceusage.quotas.* serviceusage.services.*
Service Usage Consumer roles/serviceusage.serviceUsageConsumer Ability to inspect service states and operations, and consume quota and billing for a consumer project.	monitoring.timeSeries.list serviceusage.operations.get serviceusage.operations.list serviceusage.quotas.get serviceusage.services.get serviceusage.services.list serviceusage.services.use
Service Usage Viewer roles/serviceusage.serviceUsageViewer Ability to inspect service states and operations for a consumer project.	monitoring.timeSeries.list serviceusage.operations.get serviceusage.operations.list serviceusage.quotas.get serviceusage.services.get serviceusage.services.list
Source Repository Administrator roles/source.admin Provides permissions to create, update, delete, list, clone, fetch, and browse repositories. Also provides permissions to read and change IAM policies.	source.*
Source Repository Reader roles/source.reader Provides permissions to list, clone, fetch, and browse repositories.	source.repos.get source.repos.list
Source Repository Writer roles/source.writer Provides permissions to list, clone, fetch, browse, and update repositories.	source.repos.get source.repos.list source.repos.update
Stackdriver Accounts Editor roles/stackdriver.accounts.editor Read/write access to manage Stackdriver account structure.	resourcemanager.projects.get resourcemanager.projects.list serviceusage.services.enable stackdriver.projects.*
Stackdriver Accounts Viewer roles/stackdriver.accounts.viewer Read-only access to get and list information about Stackdriver account structure.	resourcemanager.projects.get resourcemanager.projects.list stackdriver.projects.get
Stackdriver Resource Metadata Writer roles/stackdriver.resourceMetadata.writer Write-only access to resource metadata. This provides exactly the permissions needed by the Stackdriver metadata agent and other systems that send metadata.	stackdriver.resourceMetadata.*
Support Account Administrator roles/cloudsupport.admin Allows management of a support account without giving access to support cases. See the Cloud Support documentation for more information.	cloudsupport.accounts.* cloudsupport.operations.* cloudsupport.properties.* resourcemanager.organizations.get
Tech Support Editor roles/cloudsupport.techSupportEditor Full read-write access to technical support cases (applicable for GCP Customer Care and Maps support).	cloudsupport.properties.* cloudsupport.techCases.* resourcemanager.projects.get resourcemanager.projects.list
Tech Support Viewer roles/cloudsupport.techSupportViewer Read-only access to technical support cases (applicable for GCP Customer Care and Maps support).	cloudsupport.properties.* cloudsupport.techCases.get cloudsupport.techCases.list resourcemanager.projects.get resourcemanager.projects.list
Support Account Viewer roles/cloudsupport.viewer Read-only access to details of a support account. This does not allow viewing cases.	cloudsupport.accounts.get cloudsupport.accounts.getUserRoles cloudsupport.accounts.list cloudsupport.properties.*
Dell EMC Cloud OneFS Admin roles/dellemccloudonefs.admin This role is managed by Dell EMC, not Google.	cloudonefs.isiloncloud.com/* resourcemanager.projects.get resourcemanager.projects.list
Dell EMC Cloud OneFS User roles/dellemccloudonefs.user This role is managed by Dell EMC, not Google.	cloudonefs.isiloncloud.com/clusters.create cloudonefs.isiloncloud.com/clusters.delete cloudonefs.isiloncloud.com/clusters.get cloudonefs.isiloncloud.com/clusters.list cloudonefs.isiloncloud.com/clusters.update cloudonefs.isiloncloud.com/fileshares.* resourcemanager.projects.get resourcemanager.projects.list
Dell EMC Cloud OneFS Viewer roles/dellemccloudonefs.viewer This role is managed by Dell EMC, not Google.	cloudonefs.isiloncloud.com/clusters.get cloudonefs.isiloncloud.com/clusters.list cloudonefs.isiloncloud.com/fileshares.get cloudonefs.isiloncloud.com/fileshares.list resourcemanager.projects.get resourcemanager.projects.list
NetApp Cloud Volumes Admin roles/netappcloudvolumes.admin This role is managed by NetApp, not Google.	cloudvolumesgcp-api.netapp.com/* resourcemanager.projects.get resourcemanager.projects.list
NetApp Cloud Volumes Viewer roles/netappcloudvolumes.viewer This role is managed by NetApp, not Google.	cloudvolumesgcp-api.netapp.com/activeDirectories.get cloudvolumesgcp-api.netapp.com/activeDirectories.list cloudvolumesgcp-api.netapp.com/ipRanges.* cloudvolumesgcp-api.netapp.com/jobs.* cloudvolumesgcp-api.netapp.com/regions.* cloudvolumesgcp-api.netapp.com/serviceLevels.* cloudvolumesgcp-api.netapp.com/snapshots.get cloudvolumesgcp-api.netapp.com/snapshots.list cloudvolumesgcp-api.netapp.com/volumes.get cloudvolumesgcp-api.netapp.com/volumes.list resourcemanager.projects.get resourcemanager.projects.list
Redis Enterprise Cloud Admin roles/redisenterprisecloud.admin This role is managed by Redis Labs, not Google.	gcp.redisenterprise.com/* resourcemanager.projects.get resourcemanager.projects.list
Redis Enterprise Cloud Viewer roles/redisenterprisecloud.viewer This role is managed by Redis Labs, not Google.	gcp.redisenterprise.com/databases.get gcp.redisenterprise.com/databases.list gcp.redisenterprise.com/subscriptions.get gcp.redisenterprise.com/subscriptions.list resourcemanager.projects.get resourcemanager.projects.list
Transcoder Admin roles/transcoder.admin Full access to all transcoder resources.	resourcemanager.projects.get resourcemanager.projects.list transcoder.*
Transcoder Viewer roles/transcoder.viewer Viewer of all transcoder resources.	resourcemanager.projects.get resourcemanager.projects.list transcoder.jobTemplates.get transcoder.jobTemplates.list transcoder.jobs.get transcoder.jobs.list
Vertex AI Administrator roles/aiplatform.admin Grants full access to all resources in Vertex AI	aiplatform.* resourcemanager.projects.get resourcemanager.projects.list
Vertex AI Feature Store Admin roles/aiplatform.featurestoreAdmin Grants full access to all resources in Vertex AI Feature Store	aiplatform.entityTypes.* aiplatform.features.* aiplatform.featurestores.* aiplatform.operations.* resourcemanager.projects.get resourcemanager.projects.list
Vertex AI Feature Store Data Viewer roles/aiplatform.featurestoreDataViewer This role provides permissions to read Feature data.	aiplatform.entityTypes.exportFeatureValues aiplatform.entityTypes.get aiplatform.entityTypes.readFeatureValues aiplatform.entityTypes.streamingReadFeatureValues aiplatform.features.get aiplatform.features.list aiplatform.featurestores.batchReadFeatureValues resourcemanager.projects.get resourcemanager.projects.list
Vertex AI Feature Store Data Writer roles/aiplatform.featurestoreDataWriter This role provides permissions to read and write Feature data.	aiplatform.entityTypes.exportFeatureValues aiplatform.entityTypes.get aiplatform.entityTypes.importFeatureValues aiplatform.entityTypes.readFeatureValues aiplatform.entityTypes.streamingReadFeatureValues aiplatform.entityTypes.writeFeatureValues aiplatform.features.get aiplatform.features.list aiplatform.featurestores.batchReadFeatureValues resourcemanager.projects.get resourcemanager.projects.list
Vertex AI Feature Store Instance Creator roles/aiplatform.featurestoreInstanceCreator Administrator of Featurestore resources, but not the child resources under Featurestores.	aiplatform.featurestores.create aiplatform.featurestores.delete aiplatform.featurestores.get aiplatform.featurestores.list aiplatform.featurestores.update
Vertex AI Feature Store Resource Viewer roles/aiplatform.featurestoreResourceViewer Viewer of all resources in Vertex AI Feature Store but cannot make changes.	aiplatform.entityTypes.get aiplatform.entityTypes.list aiplatform.features.get aiplatform.features.list aiplatform.featurestores.get aiplatform.featurestores.list aiplatform.operations.* resourcemanager.projects.get resourcemanager.projects.list
Vertex AI Feature Store User roles/aiplatform.featurestoreUser Deprecated. Use featurestoreAdmin instead.	aiplatform.entityTypes.* aiplatform.features.* aiplatform.featurestores.* aiplatform.operations.* resourcemanager.projects.get resourcemanager.projects.list
Vertex AI Migration Service User roles/aiplatform.migrator Grants access to use migration service in Vertex AI	aiplatform.migratableResources.*
Vertex AI Tensorboard Web App User roles/aiplatform.tensorboardWebAppUser Grants access to the Vertex AI Tensorboard web app. Using the web app will incur charges.	aiplatform.tensorboards.recordAccess
Vertex AI User roles/aiplatform.user Grants access to use all resource in Vertex AI	aiplatform.annotationSpecs.* aiplatform.annotations.* aiplatform.artifacts.* aiplatform.batchPredictionJobs.* aiplatform.contexts.* aiplatform.customJobs.* aiplatform.dataItems.* aiplatform.dataLabelingJobs.* aiplatform.datasets.* aiplatform.deploymentResourcePools.* aiplatform.edgeDeploymentJobs.* aiplatform.edgeDeviceDebugInfo.* aiplatform.edgeDevices.* aiplatform.endpoints.* aiplatform.entityTypes.* aiplatform.executions.* aiplatform.features.* aiplatform.featurestores.* aiplatform.humanInTheLoops.* aiplatform.hyperparameterTuningJobs.* aiplatform.indexEndpoints.* aiplatform.indexes.* aiplatform.locations.* aiplatform.metadataSchemas.* aiplatform.metadataStores.* aiplatform.modelDeploymentMonitoringJobs.* aiplatform.modelEvaluationSlices.* aiplatform.modelEvaluations.* aiplatform.models.* aiplatform.nasJobs.* aiplatform.operations.* aiplatform.pipelineJobs.* aiplatform.specialistPools.* aiplatform.studies.* aiplatform.tensorboardExperiments.* aiplatform.tensorboardRuns.* aiplatform.tensorboardTimeSeries.* aiplatform.tensorboards.create aiplatform.tensorboards.delete aiplatform.tensorboards.get aiplatform.tensorboards.list aiplatform.tensorboards.update aiplatform.trainingPipelines.* aiplatform.trials.* resourcemanager.projects.get resourcemanager.projects.list
Vertex AI Viewer roles/aiplatform.viewer Grants access to view all resource in Vertex AI	aiplatform.annotationSpecs.get aiplatform.annotationSpecs.list aiplatform.annotations.get aiplatform.annotations.list aiplatform.artifacts.get aiplatform.artifacts.list aiplatform.batchPredictionJobs.get aiplatform.batchPredictionJobs.list aiplatform.contexts.get aiplatform.contexts.list aiplatform.contexts.queryContextLineageSubgraph aiplatform.customJobs.get aiplatform.customJobs.list aiplatform.dataItems.get aiplatform.dataItems.list aiplatform.dataLabelingJobs.get aiplatform.dataLabelingJobs.list aiplatform.datasets.get aiplatform.datasets.list aiplatform.deploymentResourcePools.get aiplatform.deploymentResourcePools.list aiplatform.deploymentResourcePools.queryDeployedModels aiplatform.edgeDeploymentJobs.get aiplatform.edgeDeploymentJobs.list aiplatform.edgeDeviceDebugInfo.* aiplatform.edgeDevices.get aiplatform.edgeDevices.list aiplatform.endpoints.get aiplatform.endpoints.list aiplatform.entityTypes.get aiplatform.entityTypes.list aiplatform.executions.get aiplatform.executions.list aiplatform.executions.queryExecutionInputsAndOutputs aiplatform.features.get aiplatform.features.list aiplatform.featurestores.get aiplatform.featurestores.list aiplatform.humanInTheLoops.get aiplatform.humanInTheLoops.list aiplatform.hyperparameterTuningJobs.get aiplatform.hyperparameterTuningJobs.list aiplatform.indexEndpoints.get aiplatform.indexEndpoints.list aiplatform.indexes.get aiplatform.indexes.list aiplatform.locations.* aiplatform.metadataSchemas.get aiplatform.metadataSchemas.list aiplatform.metadataStores.get aiplatform.metadataStores.list aiplatform.modelDeploymentMonitoringJobs.get aiplatform.modelDeploymentMonitoringJobs.list aiplatform.modelDeploymentMonitoringJobs.searchStatsAnomalies aiplatform.modelEvaluationSlices.* aiplatform.modelEvaluations.get aiplatform.modelEvaluations.list aiplatform.models.get aiplatform.models.list aiplatform.nasJobs.get aiplatform.nasJobs.list aiplatform.operations.* aiplatform.pipelineJobs.get aiplatform.pipelineJobs.list aiplatform.specialistPools.get aiplatform.specialistPools.list aiplatform.specialistPools.update aiplatform.studies.get aiplatform.studies.list aiplatform.tensorboardExperiments.get aiplatform.tensorboardExperiments.list aiplatform.tensorboardRuns.get aiplatform.tensorboardRuns.list aiplatform.tensorboardTimeSeries.batchRead aiplatform.tensorboardTimeSeries.get aiplatform.tensorboardTimeSeries.list aiplatform.tensorboardTimeSeries.read aiplatform.tensorboards.get aiplatform.tensorboards.list aiplatform.trainingPipelines.get aiplatform.trainingPipelines.list aiplatform.trials.get aiplatform.trials.list resourcemanager.projects.get resourcemanager.projects.list
Video Stitcher Admin roles/videostitcher.admin Full access to all video stitcher resources.	resourcemanager.projects.get resourcemanager.projects.list videostitcher.*
Video Stitcher User roles/videostitcher.user Full access to video stitcher sessions.	resourcemanager.projects.get resourcemanager.projects.list videostitcher.liveSessions.* videostitcher.vodSessions.*
Video Stitcher Viewer roles/videostitcher.viewer Read-only access to video stitcher resources.	resourcemanager.projects.get resourcemanager.projects.list videostitcher.cdnKeys.get videostitcher.cdnKeys.list videostitcher.liveAdTagDetails.* videostitcher.liveSessions.get videostitcher.slates.get videostitcher.slates.list videostitcher.vodAdTagDetails.* videostitcher.vodSessions.get videostitcher.vodStitchDetails.*
VMware Engine Service Admin roles/vmwareengine.vmwareengineAdmin Admin has full access to VMware Engine Service	resourcemanager.projects.get resourcemanager.projects.list vmwareengine.*
VMware Engine Service Viewer roles/vmwareengine.vmwareengineViewer Viewer has read-only access to VMware Engine Service	resourcemanager.projects.get resourcemanager.projects.list vmwareengine.services.view
Workflows Admin roles/workflows.admin Full access to workflows and related resources.	resourcemanager.projects.get resourcemanager.projects.list workflows.*
Workflows Editor roles/workflows.editor Read and write access to workflows and related resources.	resourcemanager.projects.get resourcemanager.projects.list workflows.*
Workflows Invoker roles/workflows.invoker Access to execute workflows and manage the executions.	resourcemanager.projects.get resourcemanager.projects.list workflows.callbacks.* workflows.executions.*
Workflows Viewer roles/workflows.viewer Read-only access to workflows and related resources.	resourcemanager.projects.get resourcemanager.projects.list workflows.executions.get workflows.executions.list workflows.locations.* workflows.operations.get workflows.operations.list workflows.workflows.get workflows.workflows.list
IAM Workload Identity Pool Admin roles/iam.workloadIdentityPoolAdmin Full rights to create and manage workload identity pools.	iam.workloadIdentityPoolProviders.* iam.workloadIdentityPools.* resourcemanager.projects.get resourcemanager.projects.list
IAM Workload Identity Pool Viewer roles/iam.workloadIdentityPoolViewer Read access to workload identity pools.	iam.googleapis.com/workloadIdentityPoolProviders.get iam.googleapis.com/workloadIdentityPoolProviders.list iam.googleapis.com/workloadIdentityPools.get iam.googleapis.com/workloadIdentityPools.list resourcemanager.projects.get resourcemanager.projects.list