
Predefined Roles Finder

Role / Permissions

Access Approval Approver

roles/accessapproval.approver

Ability to view or act on access approval requests and view configuration

  • accessapproval.requests.*
  • accessapproval.settings.get
  • resourcemanager.projects.get
  • resourcemanager.projects.list

Access Approval Config Editor

roles/accessapproval.configEditor

Ability to update the Access Approval configuration

  • accessapproval.settings.*
  • resourcemanager.projects.get
  • resourcemanager.projects.list

Access Approval Viewer

roles/accessapproval.viewer

Ability to view access approval requests and configuration

  • accessapproval.requests.get
  • accessapproval.requests.list
  • accessapproval.settings.get
  • resourcemanager.projects.get
  • resourcemanager.projects.list

Cloud Access Binding Admin

roles/accesscontextmanager.gcpAccessAdmin

Create, edit, and change Cloud access bindings.

  • accesscontextmanager.gcpUserAccessBindings.*

Cloud Access Binding Reader

roles/accesscontextmanager.gcpAccessReader

Read access to Cloud access bindings.

  • accesscontextmanager.gcpUserAccessBindings.get
  • accesscontextmanager.gcpUserAccessBindings.list

Access Context Manager Admin

roles/accesscontextmanager.policyAdmin

Full access to policies, access levels, and access zones

  • accesscontextmanager.accessLevels.*
  • accesscontextmanager.accessPolicies.*
  • accesscontextmanager.accessZones.*
  • accesscontextmanager.policies.*
  • accesscontextmanager.servicePerimeters.*
  • cloudasset.assets.searchAllResources
  • resourcemanager.organizations.get
  • resourcemanager.projects.get
  • resourcemanager.projects.list

Access Context Manager Editor

roles/accesscontextmanager.policyEditor

Edit access to policies. Create, edit, and change access levels and access zones.

  • accesscontextmanager.accessLevels.*
  • accesscontextmanager.accessPolicies.create
  • accesscontextmanager.accessPolicies.delete
  • accesscontextmanager.accessPolicies.get
  • accesscontextmanager.accessPolicies.getIamPolicy
  • accesscontextmanager.accessPolicies.list
  • accesscontextmanager.accessPolicies.update
  • accesscontextmanager.accessZones.*
  • accesscontextmanager.policies.create
  • accesscontextmanager.policies.delete
  • accesscontextmanager.policies.get
  • accesscontextmanager.policies.getIamPolicy
  • accesscontextmanager.policies.list
  • accesscontextmanager.policies.update
  • accesscontextmanager.servicePerimeters.*
  • cloudasset.assets.searchAllResources
  • resourcemanager.organizations.get
  • resourcemanager.projects.get
  • resourcemanager.projects.list

Access Context Manager Reader

roles/accesscontextmanager.policyReader

Read access to policies, access levels, and access zones.

  • accesscontextmanager.accessLevels.get
  • accesscontextmanager.accessLevels.list
  • accesscontextmanager.accessPolicies.get
  • accesscontextmanager.accessPolicies.getIamPolicy
  • accesscontextmanager.accessPolicies.list
  • accesscontextmanager.accessZones.get
  • accesscontextmanager.accessZones.list
  • accesscontextmanager.policies.get
  • accesscontextmanager.policies.getIamPolicy
  • accesscontextmanager.policies.list
  • accesscontextmanager.servicePerimeters.get
  • accesscontextmanager.servicePerimeters.list
  • resourcemanager.organizations.get
  • resourcemanager.projects.get
  • resourcemanager.projects.list

VPC Service Controls Troubleshooter Viewer

roles/accesscontextmanager.vpcScTroubleshooterViewer

  • accesscontextmanager.accessLevels.get
  • accesscontextmanager.accessLevels.list
  • accesscontextmanager.policies.get
  • accesscontextmanager.policies.getIamPolicy
  • accesscontextmanager.policies.list
  • accesscontextmanager.servicePerimeters.get
  • accesscontextmanager.servicePerimeters.list
  • logging.exclusions.get
  • logging.exclusions.list
  • logging.logEntries.list
  • logging.logMetrics.get
  • logging.logMetrics.list
  • logging.logServiceIndexes.*
  • logging.logServices.*
  • logging.logs.list
  • logging.sinks.get
  • logging.sinks.list
  • logging.usage.*
  • resourcemanager.organizations.get
  • resourcemanager.projects.get
  • resourcemanager.projects.list

Actions Admin

roles/actions.Admin

Access to edit and deploy an action

  • actions.*
  • firebase.projects.get
  • firebase.projects.update
  • resourcemanager.projects.get
  • resourcemanager.projects.list
  • serviceusage.services.use

Actions Viewer

roles/actions.Viewer

Access to view an action

  • actions.agent.get
  • actions.agentVersions.get
  • actions.agentVersions.list
  • firebase.projects.get
  • resourcemanager.projects.get
  • resourcemanager.projects.list
  • serviceusage.services.use

Notebooks Admin

roles/notebooks.admin

Full access to Notebooks, all resources.

  • compute.acceleratorTypes.*
  • compute.addresses.get
  • compute.addresses.list
  • compute.autoscalers.get
  • compute.autoscalers.list
  • compute.backendBuckets.get
  • compute.backendBuckets.list
  • compute.backendServices.get
  • compute.backendServices.getIamPolicy
  • compute.backendServices.list
  • compute.commitments.get
  • compute.commitments.list
  • compute.diskTypes.*
  • compute.disks.get
  • compute.disks.getIamPolicy
  • compute.disks.list
  • compute.externalVpnGateways.get
  • compute.externalVpnGateways.list
  • compute.firewallPolicies.get
  • compute.firewallPolicies.getIamPolicy
  • compute.firewallPolicies.list
  • compute.firewalls.get
  • compute.firewalls.list
  • compute.forwardingRules.get
  • compute.forwardingRules.list
  • compute.globalAddresses.get
  • compute.globalAddresses.list
  • compute.globalForwardingRules.get
  • compute.globalForwardingRules.list
  • compute.globalForwardingRules.pscGet
  • compute.globalNetworkEndpointGroups.get
  • compute.globalNetworkEndpointGroups.list
  • compute.globalOperations.get
  • compute.globalOperations.getIamPolicy
  • compute.globalOperations.list
  • compute.globalPublicDelegatedPrefixes.get
  • compute.globalPublicDelegatedPrefixes.list
  • compute.healthChecks.get
  • compute.healthChecks.list
  • compute.httpHealthChecks.get
  • compute.httpHealthChecks.list
  • compute.httpsHealthChecks.get
  • compute.httpsHealthChecks.list
  • compute.images.get
  • compute.images.getFromFamily
  • compute.images.getIamPolicy
  • compute.images.list
  • compute.instanceGroupManagers.get
  • compute.instanceGroupManagers.list
  • compute.instanceGroups.get
  • compute.instanceGroups.list
  • compute.instanceTemplates.get
  • compute.instanceTemplates.getIamPolicy
  • compute.instanceTemplates.list
  • compute.instances.get
  • compute.instances.getEffectiveFirewalls
  • compute.instances.getGuestAttributes
  • compute.instances.getIamPolicy
  • compute.instances.getScreenshot
  • compute.instances.getSerialPortOutput
  • compute.instances.getShieldedInstanceIdentity
  • compute.instances.getShieldedVmIdentity
  • compute.instances.list
  • compute.instances.listReferrers
  • compute.interconnectAttachments.get
  • compute.interconnectAttachments.list
  • compute.interconnectLocations.*
  • compute.interconnects.get
  • compute.interconnects.list
  • compute.licenseCodes.get
  • compute.licenseCodes.getIamPolicy
  • compute.licenseCodes.list
  • compute.licenses.get
  • compute.licenses.getIamPolicy
  • compute.licenses.list
  • compute.machineImages.get
  • compute.machineImages.getIamPolicy
  • compute.machineImages.list
  • compute.machineTypes.*
  • compute.maintenancePolicies.get
  • compute.maintenancePolicies.getIamPolicy
  • compute.maintenancePolicies.list
  • compute.networkEndpointGroups.get
  • compute.networkEndpointGroups.getIamPolicy
  • compute.networkEndpointGroups.list
  • compute.networks.get
  • compute.networks.getEffectiveFirewalls
  • compute.networks.list
  • compute.networks.listPeeringRoutes
  • compute.nodeGroups.get
  • compute.nodeGroups.getIamPolicy
  • compute.nodeGroups.list
  • compute.nodeTemplates.get
  • compute.nodeTemplates.getIamPolicy
  • compute.nodeTemplates.list
  • compute.nodeTypes.*
  • compute.organizations.listAssociations
  • compute.projects.get
  • compute.publicAdvertisedPrefixes.get
  • compute.publicAdvertisedPrefixes.list
  • compute.publicDelegatedPrefixes.get
  • compute.publicDelegatedPrefixes.list
  • compute.regionBackendServices.get
  • compute.regionBackendServices.getIamPolicy
  • compute.regionBackendServices.list
  • compute.regionHealthCheckServices.get
  • compute.regionHealthCheckServices.list
  • compute.regionHealthChecks.get
  • compute.regionHealthChecks.list
  • compute.regionNetworkEndpointGroups.get
  • compute.regionNetworkEndpointGroups.list
  • compute.regionNotificationEndpoints.get
  • compute.regionNotificationEndpoints.list
  • compute.regionOperations.get
  • compute.regionOperations.getIamPolicy
  • compute.regionOperations.list
  • compute.regionSslCertificates.get
  • compute.regionSslCertificates.list
  • compute.regionTargetHttpProxies.get
  • compute.regionTargetHttpProxies.list
  • compute.regionTargetHttpsProxies.get
  • compute.regionTargetHttpsProxies.list
  • compute.regionUrlMaps.get
  • compute.regionUrlMaps.list
  • compute.regionUrlMaps.validate
  • compute.regions.*
  • compute.reservations.get
  • compute.reservations.list
  • compute.resourcePolicies.get
  • compute.resourcePolicies.list
  • compute.routers.get
  • compute.routers.list
  • compute.routes.get
  • compute.routes.list
  • compute.securityPolicies.get
  • compute.securityPolicies.getIamPolicy
  • compute.securityPolicies.list
  • compute.serviceAttachments.get
  • compute.serviceAttachments.list
  • compute.snapshots.get
  • compute.snapshots.getIamPolicy
  • compute.snapshots.list
  • compute.sslCertificates.get
  • compute.sslCertificates.list
  • compute.sslPolicies.get
  • compute.sslPolicies.list
  • compute.sslPolicies.listAvailableFeatures
  • compute.subnetworks.get
  • compute.subnetworks.getIamPolicy
  • compute.subnetworks.list
  • compute.targetGrpcProxies.get
  • compute.targetGrpcProxies.list
  • compute.targetHttpProxies.get
  • compute.targetHttpProxies.list
  • compute.targetHttpsProxies.get
  • compute.targetHttpsProxies.list
  • compute.targetInstances.get
  • compute.targetInstances.list
  • compute.targetPools.get
  • compute.targetPools.list
  • compute.targetSslProxies.get
  • compute.targetSslProxies.list
  • compute.targetTcpProxies.get
  • compute.targetTcpProxies.list
  • compute.targetVpnGateways.get
  • compute.targetVpnGateways.list
  • compute.urlMaps.get
  • compute.urlMaps.list
  • compute.urlMaps.validate
  • compute.vpnGateways.get
  • compute.vpnGateways.list
  • compute.vpnTunnels.get
  • compute.vpnTunnels.list
  • compute.zoneOperations.get
  • compute.zoneOperations.getIamPolicy
  • compute.zoneOperations.list
  • compute.zones.*
  • notebooks.*
  • resourcemanager.projects.get
  • resourcemanager.projects.list
  • serviceusage.quotas.get
  • serviceusage.services.get
  • serviceusage.services.list

Notebooks Legacy Admin

roles/notebooks.legacyAdmin

Full access to Notebooks, all resources, through compute API.

  • compute.*
  • notebooks.*
  • resourcemanager.projects.get
  • resourcemanager.projects.list
  • serviceusage.quotas.get
  • serviceusage.services.get
  • serviceusage.services.list

Notebooks Legacy Viewer

roles/notebooks.legacyViewer

Read-only access to Notebooks, all resources, through compute API.

  • compute.acceleratorTypes.*
  • compute.addresses.get
  • compute.addresses.list
  • compute.autoscalers.get
  • compute.autoscalers.list
  • compute.backendBuckets.get
  • compute.backendBuckets.list
  • compute.backendServices.get
  • compute.backendServices.getIamPolicy
  • compute.backendServices.list
  • compute.commitments.get
  • compute.commitments.list
  • compute.diskTypes.*
  • compute.disks.get
  • compute.disks.getIamPolicy
  • compute.disks.list
  • compute.externalVpnGateways.get
  • compute.externalVpnGateways.list
  • compute.firewallPolicies.get
  • compute.firewallPolicies.getIamPolicy
  • compute.firewallPolicies.list
  • compute.firewalls.get
  • compute.firewalls.list
  • compute.forwardingRules.get
  • compute.forwardingRules.list
  • compute.globalAddresses.get
  • compute.globalAddresses.list
  • compute.globalForwardingRules.get
  • compute.globalForwardingRules.list
  • compute.globalForwardingRules.pscGet
  • compute.globalNetworkEndpointGroups.get
  • compute.globalNetworkEndpointGroups.list
  • compute.globalOperations.get
  • compute.globalOperations.getIamPolicy
  • compute.globalOperations.list
  • compute.globalPublicDelegatedPrefixes.get
  • compute.globalPublicDelegatedPrefixes.list
  • compute.healthChecks.get
  • compute.healthChecks.list
  • compute.httpHealthChecks.get
  • compute.httpHealthChecks.list
  • compute.httpsHealthChecks.get
  • compute.httpsHealthChecks.list
  • compute.images.get
  • compute.images.getFromFamily
  • compute.images.getIamPolicy
  • compute.images.list
  • compute.instanceGroupManagers.get
  • compute.instanceGroupManagers.list
  • compute.instanceGroups.get
  • compute.instanceGroups.list
  • compute.instanceTemplates.get
  • compute.instanceTemplates.getIamPolicy
  • compute.instanceTemplates.list
  • compute.instances.get
  • compute.instances.getEffectiveFirewalls
  • compute.instances.getGuestAttributes
  • compute.instances.getIamPolicy
  • compute.instances.getScreenshot
  • compute.instances.getSerialPortOutput
  • compute.instances.getShieldedInstanceIdentity
  • compute.instances.getShieldedVmIdentity
  • compute.instances.list
  • compute.instances.listReferrers
  • compute.interconnectAttachments.get
  • compute.interconnectAttachments.list
  • compute.interconnectLocations.*
  • compute.interconnects.get
  • compute.interconnects.list
  • compute.licenseCodes.get
  • compute.licenseCodes.getIamPolicy
  • compute.licenseCodes.list
  • compute.licenses.get
  • compute.licenses.getIamPolicy
  • compute.licenses.list
  • compute.machineImages.get
  • compute.machineImages.getIamPolicy
  • compute.machineImages.list
  • compute.machineTypes.*
  • compute.maintenancePolicies.get
  • compute.maintenancePolicies.getIamPolicy
  • compute.maintenancePolicies.list
  • compute.networkEndpointGroups.get
  • compute.networkEndpointGroups.getIamPolicy
  • compute.networkEndpointGroups.list
  • compute.networks.get
  • compute.networks.getEffectiveFirewalls
  • compute.networks.list
  • compute.networks.listPeeringRoutes
  • compute.nodeGroups.get
  • compute.nodeGroups.getIamPolicy
  • compute.nodeGroups.list
  • compute.nodeTemplates.get
  • compute.nodeTemplates.getIamPolicy
  • compute.nodeTemplates.list
  • compute.nodeTypes.*
  • compute.organizations.listAssociations
  • compute.projects.get
  • compute.publicAdvertisedPrefixes.get
  • compute.publicAdvertisedPrefixes.list
  • compute.publicDelegatedPrefixes.get
  • compute.publicDelegatedPrefixes.list
  • compute.regionBackendServices.get
  • compute.regionBackendServices.getIamPolicy
  • compute.regionBackendServices.list
  • compute.regionHealthCheckServices.get
  • compute.regionHealthCheckServices.list
  • compute.regionHealthChecks.get
  • compute.regionHealthChecks.list
  • compute.regionNetworkEndpointGroups.get
  • compute.regionNetworkEndpointGroups.list
  • compute.regionNotificationEndpoints.get
  • compute.regionNotificationEndpoints.list
  • compute.regionOperations.get
  • compute.regionOperations.getIamPolicy
  • compute.regionOperations.list
  • compute.regionSslCertificates.get
  • compute.regionSslCertificates.list
  • compute.regionTargetHttpProxies.get
  • compute.regionTargetHttpProxies.list
  • compute.regionTargetHttpsProxies.get
  • compute.regionTargetHttpsProxies.list
  • compute.regionUrlMaps.get
  • compute.regionUrlMaps.list
  • compute.regionUrlMaps.validate
  • compute.regions.*
  • compute.reservations.get
  • compute.reservations.list
  • compute.resourcePolicies.get
  • compute.resourcePolicies.list
  • compute.routers.get
  • compute.routers.list
  • compute.routes.get
  • compute.routes.list
  • compute.securityPolicies.get
  • compute.securityPolicies.getIamPolicy
  • compute.securityPolicies.list
  • compute.serviceAttachments.get
  • compute.serviceAttachments.list
  • compute.snapshots.get
  • compute.snapshots.getIamPolicy
  • compute.snapshots.list
  • compute.sslCertificates.get
  • compute.sslCertificates.list
  • compute.sslPolicies.get
  • compute.sslPolicies.list
  • compute.sslPolicies.listAvailableFeatures
  • compute.subnetworks.get
  • compute.subnetworks.getIamPolicy
  • compute.subnetworks.list
  • compute.targetGrpcProxies.get
  • compute.targetGrpcProxies.list
  • compute.targetHttpProxies.get
  • compute.targetHttpProxies.list
  • compute.targetHttpsProxies.get
  • compute.targetHttpsProxies.list
  • compute.targetInstances.get
  • compute.targetInstances.list
  • compute.targetPools.get
  • compute.targetPools.list
  • compute.targetSslProxies.get
  • compute.targetSslProxies.list
  • compute.targetTcpProxies.get
  • compute.targetTcpProxies.list
  • compute.targetVpnGateways.get
  • compute.targetVpnGateways.list
  • compute.urlMaps.get
  • compute.urlMaps.list
  • compute.urlMaps.validate
  • compute.vpnGateways.get
  • compute.vpnGateways.list
  • compute.vpnTunnels.get
  • compute.vpnTunnels.list
  • compute.zoneOperations.get
  • compute.zoneOperations.getIamPolicy
  • compute.zoneOperations.list
  • compute.zones.*
  • notebooks.environments.get
  • notebooks.environments.getIamPolicy
  • notebooks.environments.list
  • notebooks.executions.get
  • notebooks.executions.getIamPolicy
  • notebooks.executions.list
  • notebooks.instances.checkUpgradability
  • notebooks.instances.get
  • notebooks.instances.getHealth
  • notebooks.instances.getIamPolicy
  • notebooks.instances.list
  • notebooks.locations.*
  • notebooks.operations.get
  • notebooks.operations.list
  • notebooks.runtimes.get
  • notebooks.runtimes.getIamPolicy
  • notebooks.runtimes.list
  • notebooks.schedules.get
  • notebooks.schedules.getIamPolicy
  • notebooks.schedules.list
  • resourcemanager.projects.get
  • resourcemanager.projects.list
  • serviceusage.quotas.get
  • serviceusage.services.get
  • serviceusage.services.list

Notebooks Runner

roles/notebooks.runner

Restricted access for running scheduled Notebooks.

  • compute.acceleratorTypes.*
  • compute.addresses.get
  • compute.addresses.list
  • compute.autoscalers.get
  • compute.autoscalers.list
  • compute.backendBuckets.get
  • compute.backendBuckets.list
  • compute.backendServices.get
  • compute.backendServices.getIamPolicy
  • compute.backendServices.list
  • compute.commitments.get
  • compute.commitments.list
  • compute.diskTypes.*
  • compute.disks.get
  • compute.disks.getIamPolicy
  • compute.disks.list
  • compute.externalVpnGateways.get
  • compute.externalVpnGateways.list
  • compute.firewallPolicies.get
  • compute.firewallPolicies.getIamPolicy
  • compute.firewallPolicies.list
  • compute.firewalls.get
  • compute.firewalls.list
  • compute.forwardingRules.get
  • compute.forwardingRules.list
  • compute.globalAddresses.get
  • compute.globalAddresses.list
  • compute.globalForwardingRules.get
  • compute.globalForwardingRules.list
  • compute.globalForwardingRules.pscGet
  • compute.globalNetworkEndpointGroups.get
  • compute.globalNetworkEndpointGroups.list
  • compute.globalOperations.get
  • compute.globalOperations.getIamPolicy
  • compute.globalOperations.list
  • compute.globalPublicDelegatedPrefixes.get
  • compute.globalPublicDelegatedPrefixes.list
  • compute.healthChecks.get
  • compute.healthChecks.list
  • compute.httpHealthChecks.get
  • compute.httpHealthChecks.list
  • compute.httpsHealthChecks.get
  • compute.httpsHealthChecks.list
  • compute.images.get
  • compute.images.getFromFamily
  • compute.images.getIamPolicy
  • compute.images.list
  • compute.instanceGroupManagers.get
  • compute.instanceGroupManagers.list
  • compute.instanceGroups.get
  • compute.instanceGroups.list
  • compute.instanceTemplates.get
  • compute.instanceTemplates.getIamPolicy
  • compute.instanceTemplates.list
  • compute.instances.get
  • compute.instances.getEffectiveFirewalls
  • compute.instances.getGuestAttributes
  • compute.instances.getIamPolicy
  • compute.instances.getScreenshot
  • compute.instances.getSerialPortOutput
  • compute.instances.getShieldedInstanceIdentity
  • compute.instances.getShieldedVmIdentity
  • compute.instances.list
  • compute.instances.listReferrers
  • compute.interconnectAttachments.get
  • compute.interconnectAttachments.list
  • compute.interconnectLocations.*
  • compute.interconnects.get
  • compute.interconnects.list
  • compute.licenseCodes.get
  • compute.licenseCodes.getIamPolicy
  • compute.licenseCodes.list
  • compute.licenses.get
  • compute.licenses.getIamPolicy
  • compute.licenses.list
  • compute.machineImages.get
  • compute.machineImages.getIamPolicy
  • compute.machineImages.list
  • compute.machineTypes.*
  • compute.maintenancePolicies.get
  • compute.maintenancePolicies.getIamPolicy
  • compute.maintenancePolicies.list
  • compute.networkEndpointGroups.get
  • compute.networkEndpointGroups.getIamPolicy
  • compute.networkEndpointGroups.list
  • compute.networks.get
  • compute.networks.getEffectiveFirewalls
  • compute.networks.list
  • compute.networks.listPeeringRoutes
  • compute.nodeGroups.get
  • compute.nodeGroups.getIamPolicy
  • compute.nodeGroups.list
  • compute.nodeTemplates.get
  • compute.nodeTemplates.getIamPolicy
  • compute.nodeTemplates.list
  • compute.nodeTypes.*
  • compute.organizations.listAssociations
  • compute.projects.get
  • compute.publicAdvertisedPrefixes.get
  • compute.publicAdvertisedPrefixes.list
  • compute.publicDelegatedPrefixes.get
  • compute.publicDelegatedPrefixes.list
  • compute.regionBackendServices.get
  • compute.regionBackendServices.getIamPolicy
  • compute.regionBackendServices.list
  • compute.regionHealthCheckServices.get
  • compute.regionHealthCheckServices.list
  • compute.regionHealthChecks.get
  • compute.regionHealthChecks.list
  • compute.regionNetworkEndpointGroups.get
  • compute.regionNetworkEndpointGroups.list
  • compute.regionNotificationEndpoints.get
  • compute.regionNotificationEndpoints.list
  • compute.regionOperations.get
  • compute.regionOperations.getIamPolicy
  • compute.regionOperations.list
  • compute.regionSslCertificates.get
  • compute.regionSslCertificates.list
  • compute.regionTargetHttpProxies.get
  • compute.regionTargetHttpProxies.list
  • compute.regionTargetHttpsProxies.get
  • compute.regionTargetHttpsProxies.list
  • compute.regionUrlMaps.get
  • compute.regionUrlMaps.list
  • compute.regionUrlMaps.validate
  • compute.regions.*
  • compute.reservations.get
  • compute.reservations.list
  • compute.resourcePolicies.get
  • compute.resourcePolicies.list
  • compute.routers.get
  • compute.routers.list
  • compute.routes.get
  • compute.routes.list
  • compute.securityPolicies.get
  • compute.securityPolicies.getIamPolicy
  • compute.securityPolicies.list
  • compute.serviceAttachments.get
  • compute.serviceAttachments.list
  • compute.snapshots.get
  • compute.snapshots.getIamPolicy
  • compute.snapshots.list
  • compute.sslCertificates.get
  • compute.sslCertificates.list
  • compute.sslPolicies.get
  • compute.sslPolicies.list
  • compute.sslPolicies.listAvailableFeatures
  • compute.subnetworks.get
  • compute.subnetworks.getIamPolicy
  • compute.subnetworks.list
  • compute.targetGrpcProxies.get
  • compute.targetGrpcProxies.list
  • compute.targetHttpProxies.get
  • compute.targetHttpProxies.list
  • compute.targetHttpsProxies.get
  • compute.targetHttpsProxies.list
  • compute.targetInstances.get
  • compute.targetInstances.list
  • compute.targetPools.get
  • compute.targetPools.list
  • compute.targetSslProxies.get
  • compute.targetSslProxies.list
  • compute.targetTcpProxies.get
  • compute.targetTcpProxies.list
  • compute.targetVpnGateways.get
  • compute.targetVpnGateways.list
  • compute.urlMaps.get
  • compute.urlMaps.list
  • compute.urlMaps.validate
  • compute.vpnGateways.get
  • compute.vpnGateways.list
  • compute.vpnTunnels.get
  • compute.vpnTunnels.list
  • compute.zoneOperations.get
  • compute.zoneOperations.getIamPolicy
  • compute.zoneOperations.list
  • compute.zones.*
  • notebooks.environments.get
  • notebooks.environments.getIamPolicy
  • notebooks.environments.list
  • notebooks.executions.create
  • notebooks.executions.get
  • notebooks.executions.getIamPolicy
  • notebooks.executions.list
  • notebooks.instances.checkUpgradability
  • notebooks.instances.create
  • notebooks.instances.get
  • notebooks.instances.getHealth
  • notebooks.instances.getIamPolicy
  • notebooks.instances.list
  • notebooks.locations.*
  • notebooks.operations.get
  • notebooks.operations.list
  • notebooks.runtimes.create
  • notebooks.runtimes.get
  • notebooks.runtimes.getIamPolicy
  • notebooks.runtimes.list
  • notebooks.schedules.create
  • notebooks.schedules.get
  • notebooks.schedules.getIamPolicy
  • notebooks.schedules.list
  • resourcemanager.projects.get
  • resourcemanager.projects.list
  • serviceusage.quotas.get
  • serviceusage.services.get
  • serviceusage.services.list

Notebooks Viewer

roles/notebooks.viewer

Read-only access to Notebooks, all resources.

  • compute.acceleratorTypes.*
  • compute.addresses.get
  • compute.addresses.list
  • compute.autoscalers.get
  • compute.autoscalers.list
  • compute.backendBuckets.get
  • compute.backendBuckets.list
  • compute.backendServices.get
  • compute.backendServices.getIamPolicy
  • compute.backendServices.list
  • compute.commitments.get
  • compute.commitments.list
  • compute.diskTypes.*
  • compute.disks.get
  • compute.disks.getIamPolicy
  • compute.disks.list
  • compute.externalVpnGateways.get
  • compute.externalVpnGateways.list
  • compute.firewallPolicies.get
  • compute.firewallPolicies.getIamPolicy
  • compute.firewallPolicies.list
  • compute.firewalls.get
  • compute.firewalls.list
  • compute.forwardingRules.get
  • compute.forwardingRules.list
  • compute.globalAddresses.get
  • compute.globalAddresses.list
  • compute.globalForwardingRules.get
  • compute.globalForwardingRules.list
  • compute.globalForwardingRules.pscGet
  • compute.globalNetworkEndpointGroups.get
  • compute.globalNetworkEndpointGroups.list
  • compute.globalOperations.get
  • compute.globalOperations.getIamPolicy
  • compute.globalOperations.list
  • compute.globalPublicDelegatedPrefixes.get
  • compute.globalPublicDelegatedPrefixes.list
  • compute.healthChecks.get
  • compute.healthChecks.list
  • compute.httpHealthChecks.get
  • compute.httpHealthChecks.list
  • compute.httpsHealthChecks.get
  • compute.httpsHealthChecks.list
  • compute.images.get
  • compute.images.getFromFamily
  • compute.images.getIamPolicy
  • compute.images.list
  • compute.instanceGroupManagers.get
  • compute.instanceGroupManagers.list
  • compute.instanceGroups.get
  • compute.instanceGroups.list
  • compute.instanceTemplates.get
  • compute.instanceTemplates.getIamPolicy
  • compute.instanceTemplates.list
  • compute.instances.get
  • compute.instances.getEffectiveFirewalls
  • compute.instances.getGuestAttributes
  • compute.instances.getIamPolicy
  • compute.instances.getScreenshot
  • compute.instances.getSerialPortOutput
  • compute.instances.getShieldedInstanceIdentity
  • compute.instances.getShieldedVmIdentity
  • compute.instances.list
  • compute.instances.listReferrers
  • compute.interconnectAttachments.get
  • compute.interconnectAttachments.list
  • compute.interconnectLocations.*
  • compute.interconnects.get
  • compute.interconnects.list
  • compute.licenseCodes.get
  • compute.licenseCodes.getIamPolicy
  • compute.licenseCodes.list
  • compute.licenses.get
  • compute.licenses.getIamPolicy
  • compute.licenses.list
  • compute.machineImages.get
  • compute.machineImages.getIamPolicy
  • compute.machineImages.list
  • compute.machineTypes.*
  • compute.maintenancePolicies.get
  • compute.maintenancePolicies.getIamPolicy
  • compute.maintenancePolicies.list
  • compute.networkEndpointGroups.get
  • compute.networkEndpointGroups.getIamPolicy
  • compute.networkEndpointGroups.list
  • compute.networks.get
  • compute.networks.getEffectiveFirewalls
  • compute.networks.list
  • compute.networks.listPeeringRoutes
  • compute.nodeGroups.get
  • compute.nodeGroups.getIamPolicy
  • compute.nodeGroups.list
  • compute.nodeTemplates.get
  • compute.nodeTemplates.getIamPolicy
  • compute.nodeTemplates.list
  • compute.nodeTypes.*
  • compute.organizations.listAssociations
  • compute.projects.get
  • compute.publicAdvertisedPrefixes.get
  • compute.publicAdvertisedPrefixes.list
  • compute.publicDelegatedPrefixes.get
  • compute.publicDelegatedPrefixes.list
  • compute.regionBackendServices.get
  • compute.regionBackendServices.getIamPolicy
  • compute.regionBackendServices.list
  • compute.regionHealthCheckServices.get
  • compute.regionHealthCheckServices.list
  • compute.regionHealthChecks.get
  • compute.regionHealthChecks.list
  • compute.regionNetworkEndpointGroups.get
  • compute.regionNetworkEndpointGroups.list
  • compute.regionNotificationEndpoints.get
  • compute.regionNotificationEndpoints.list
  • compute.regionOperations.get
  • compute.regionOperations.getIamPolicy
  • compute.regionOperations.list
  • compute.regionSslCertificates.get
  • compute.regionSslCertificates.list
  • compute.regionTargetHttpProxies.get
  • compute.regionTargetHttpProxies.list
  • compute.regionTargetHttpsProxies.get
  • compute.regionTargetHttpsProxies.list
  • compute.regionUrlMaps.get
  • compute.regionUrlMaps.list
  • compute.regionUrlMaps.validate
  • compute.regions.*
  • compute.reservations.get
  • compute.reservations.list
  • compute.resourcePolicies.get
  • compute.resourcePolicies.list
  • compute.routers.get
  • compute.routers.list
  • compute.routes.get
  • compute.routes.list
  • compute.securityPolicies.get
  • compute.securityPolicies.getIamPolicy
  • compute.securityPolicies.list
  • compute.serviceAttachments.get
  • compute.serviceAttachments.list
  • compute.snapshots.get
  • compute.snapshots.getIamPolicy
  • compute.snapshots.list
  • compute.sslCertificates.get
  • compute.sslCertificates.list
  • compute.sslPolicies.get
  • compute.sslPolicies.list
  • compute.sslPolicies.listAvailableFeatures
  • compute.subnetworks.get
  • compute.subnetworks.getIamPolicy
  • compute.subnetworks.list
  • compute.targetGrpcProxies.get
  • compute.targetGrpcProxies.list
  • compute.targetHttpProxies.get
  • compute.targetHttpProxies.list
  • compute.targetHttpsProxies.get
  • compute.targetHttpsProxies.list
  • compute.targetInstances.get
  • compute.targetInstances.list
  • compute.targetPools.get
  • compute.targetPools.list
  • compute.targetSslProxies.get
  • compute.targetSslProxies.list
  • compute.targetTcpProxies.get
  • compute.targetTcpProxies.list
  • compute.targetVpnGateways.get
  • compute.targetVpnGateways.list
  • compute.urlMaps.get
  • compute.urlMaps.list
  • compute.urlMaps.validate
  • compute.vpnGateways.get
  • compute.vpnGateways.list
  • compute.vpnTunnels.get
  • compute.vpnTunnels.list
  • compute.zoneOperations.get
  • compute.zoneOperations.getIamPolicy
  • compute.zoneOperations.list
  • compute.zones.*
  • notebooks.environments.get
  • notebooks.environments.getIamPolicy
  • notebooks.environments.list
  • notebooks.executions.get
  • notebooks.executions.getIamPolicy
  • notebooks.executions.list
  • notebooks.instances.checkUpgradability
  • notebooks.instances.get
  • notebooks.instances.getHealth
  • notebooks.instances.getIamPolicy
  • notebooks.instances.list
  • notebooks.locations.*
  • notebooks.operations.get
  • notebooks.operations.list
  • notebooks.runtimes.get
  • notebooks.runtimes.getIamPolicy
  • notebooks.runtimes.list
  • notebooks.schedules.get
  • notebooks.schedules.getIamPolicy
  • notebooks.schedules.list
  • resourcemanager.projects.get
  • resourcemanager.projects.list
  • serviceusage.quotas.get
  • serviceusage.services.get
  • serviceusage.services.list

AI Platform Admin

roles/ml.admin

Provides full access to AI Platform resources, and its jobs, operations, models, and versions.

  • ml.*
  • resourcemanager.projects.get

AI Platform Developer

roles/ml.developer

Provides ability to use AI Platform resources for creating models, versions, jobs for training and prediction, and sending online prediction requests.

  • ml.jobs.create
  • ml.jobs.get
  • ml.jobs.getIamPolicy
  • ml.jobs.list
  • ml.locations.*
  • ml.models.create
  • ml.models.get
  • ml.models.getIamPolicy
  • ml.models.list
  • ml.models.predict
  • ml.operations.get
  • ml.operations.list
  • ml.projects.*
  • ml.studies.*
  • ml.trials.*
  • ml.versions.get
  • ml.versions.list
  • ml.versions.predict
  • resourcemanager.projects.get

AI Platform Job Owner

roles/ml.jobOwner

Provides full access to all permissions for a particular job resource. This role is automatically granted to the user who creates the job.

  • ml.jobs.*

AI Platform Model Owner

roles/ml.modelOwner

Provides full access to the model and its versions. This role is automatically granted to the user who creates the model.

  • ml.models.*
  • ml.versions.*

AI Platform Model User

roles/ml.modelUser

Provides permissions to read the model and its versions, and use them for prediction.

  • ml.models.get
  • ml.models.predict
  • ml.versions.get
  • ml.versions.list
  • ml.versions.predict

AI Platform Operation Owner

roles/ml.operationOwner

Provides full access to all permissions for a particular operation resource.

  • ml.operations.*

AI Platform Viewer

roles/ml.viewer

Provides read-only access to AI Platform resources.

  • ml.jobs.get
  • ml.jobs.list
  • ml.locations.*
  • ml.models.get
  • ml.models.list
  • ml.operations.get
  • ml.operations.list
  • ml.projects.*
  • ml.studies.get
  • ml.studies.getIamPolicy
  • ml.studies.list
  • ml.trials.get
  • ml.trials.list
  • ml.versions.get
  • ml.versions.list
  • resourcemanager.projects.get

Android Management User

roles/androidmanagement.user

Full access to manage devices.

  • androidmanagement.*
  • serviceusage.quotas.get
  • serviceusage.services.get
  • serviceusage.services.list

Anthos Multi-cloud Admin

roles/gkemulticloud.admin

Administrator of Anthos Multi-cloud resources

  • gkemulticloud.*
  • resourcemanager.projects.get
  • resourcemanager.projects.list

Anthos Multi-cloud Viewer

roles/gkemulticloud.viewer

Viewer of Anthos Multi-cloud resources

  • gkemulticloud.awsClusters.get
  • gkemulticloud.awsClusters.list
  • gkemulticloud.awsNodePools.get
  • gkemulticloud.awsNodePools.list
  • gkemulticloud.awsServerConfigs.*
  • gkemulticloud.azureClients.get
  • gkemulticloud.azureClients.list
  • gkemulticloud.azureClusters.get
  • gkemulticloud.azureClusters.list
  • gkemulticloud.azureNodePools.get
  • gkemulticloud.azureNodePools.list
  • gkemulticloud.azureServerConfigs.*
  • gkemulticloud.operations.get
  • gkemulticloud.operations.list
  • gkemulticloud.operations.wait
  • resourcemanager.projects.get
  • resourcemanager.projects.list

ApiGateway Admin

roles/apigateway.admin

Full access to ApiGateway and related resources.

  • apigateway.*
  • monitoring.metricDescriptors.list
  • monitoring.monitoredResourceDescriptors.get
  • monitoring.timeSeries.list
  • resourcemanager.projects.get
  • resourcemanager.projects.list
  • servicemanagement.services.get
  • serviceusage.services.list

ApiGateway Viewer

roles/apigateway.viewer

Read-only access to ApiGateway and related resources.

  • apigateway.apiconfigs.get
  • apigateway.apiconfigs.getIamPolicy
  • apigateway.apiconfigs.list
  • apigateway.apis.get
  • apigateway.apis.getIamPolicy
  • apigateway.apis.list
  • apigateway.gateways.get
  • apigateway.gateways.getIamPolicy
  • apigateway.gateways.list
  • apigateway.locations.*
  • apigateway.operations.get
  • apigateway.operations.list
  • monitoring.metricDescriptors.list
  • monitoring.monitoredResourceDescriptors.get
  • monitoring.timeSeries.list
  • resourcemanager.projects.get
  • resourcemanager.projects.list
  • servicemanagement.services.get
  • serviceusage.services.list

Apigee Organization Admin

roles/apigee.admin

Full access to all Apigee resource features

  • apigee.*
  • resourcemanager.projects.get
  • resourcemanager.projects.getIamPolicy
  • resourcemanager.projects.list

Apigee Analytics Agent

roles/apigee.analyticsAgent

Curated set of permissions for Apigee Universal Data Collection Agent to manage analytics for an Apigee Organization

  • apigee.environments.getDataLocation
  • apigee.runtimeconfigs.*

Apigee Analytics Editor

roles/apigee.analyticsEditor

Analytics editor for an Apigee Organization

  • apigee.datacollectors.*
  • apigee.datastores.*
  • apigee.envgroupattachments.get
  • apigee.envgroupattachments.list
  • apigee.envgroups.get
  • apigee.envgroups.list
  • apigee.environments.get
  • apigee.environments.getStats
  • apigee.environments.list
  • apigee.exports.*
  • apigee.hostqueries.*
  • apigee.hoststats.*
  • apigee.organizations.get
  • apigee.organizations.list
  • apigee.queries.*
  • apigee.reports.*
  • resourcemanager.projects.get
  • resourcemanager.projects.list

Apigee Analytics Viewer

roles/apigee.analyticsViewer

Analytics viewer for an Apigee Organization

  • apigee.datacollectors.get
  • apigee.datacollectors.list
  • apigee.datastores.get
  • apigee.datastores.list
  • apigee.envgroupattachments.get
  • apigee.envgroupattachments.list
  • apigee.envgroups.get
  • apigee.envgroups.list
  • apigee.environments.get
  • apigee.environments.getStats
  • apigee.environments.list
  • apigee.exports.get
  • apigee.exports.list
  • apigee.hostqueries.get
  • apigee.hostqueries.list
  • apigee.hoststats.*
  • apigee.organizations.get
  • apigee.organizations.list
  • apigee.queries.get
  • apigee.queries.list
  • apigee.reports.get
  • apigee.reports.list
  • resourcemanager.projects.get
  • resourcemanager.projects.list

Apigee API Admin

roles/apigee.apiAdmin

Full read/write access to all Apigee API resources

  • apigee.apiproductattributes.*
  • apigee.apiproducts.*
  • apigee.envgroupattachments.get
  • apigee.envgroupattachments.list
  • apigee.envgroups.get
  • apigee.envgroups.list
  • apigee.environments.get
  • apigee.environments.getStats
  • apigee.environments.list
  • apigee.keyvaluemaps.list
  • apigee.organizations.get
  • apigee.organizations.list
  • apigee.proxies.*
  • apigee.proxyrevisions.*
  • apigee.sharedflowrevisions.*
  • apigee.sharedflows.*
  • apigee.tracesessions.*
  • resourcemanager.projects.get
  • resourcemanager.projects.list

Apigee API Reader

roles/apigee.apiReader

Reader of Apigee resources

  • apigee.apiproductattributes.get
  • apigee.apiproductattributes.list
  • apigee.apiproducts.get
  • apigee.apiproducts.list
  • apigee.envgroupattachments.get
  • apigee.envgroupattachments.list
  • apigee.envgroups.get
  • apigee.envgroups.list
  • apigee.environments.get
  • apigee.environments.getStats
  • apigee.environments.list
  • apigee.keyvaluemaps.list
  • apigee.organizations.get
  • apigee.organizations.list
  • apigee.proxies.get
  • apigee.proxies.list
  • apigee.proxyrevisions.deploy
  • apigee.proxyrevisions.get
  • apigee.proxyrevisions.list
  • apigee.proxyrevisions.undeploy
  • apigee.sharedflowrevisions.deploy
  • apigee.sharedflowrevisions.get
  • apigee.sharedflowrevisions.list
  • apigee.sharedflowrevisions.undeploy
  • apigee.sharedflows.get
  • apigee.sharedflows.list
  • apigee.tracesessions.get
  • apigee.tracesessions.list
  • resourcemanager.projects.get
  • resourcemanager.projects.list

Apigee Developer Admin

roles/apigee.developerAdmin

Developer admin of Apigee resources

  • apigee.apiproductattributes.get
  • apigee.apiproductattributes.list
  • apigee.apiproducts.get
  • apigee.apiproducts.list
  • apigee.appkeys.*
  • apigee.apps.*
  • apigee.datacollectors.*
  • apigee.developerappattributes.*
  • apigee.developerapps.*
  • apigee.developerattributes.*
  • apigee.developerbalances.*
  • apigee.developermonetizationconfigs.*
  • apigee.developers.*
  • apigee.developersubscriptions.*
  • apigee.environments.get
  • apigee.environments.getStats
  • apigee.hoststats.*
  • apigee.organizations.get
  • apigee.organizations.list
  • apigee.rateplans.get
  • apigee.rateplans.list
  • resourcemanager.projects.get
  • resourcemanager.projects.getIamPolicy
  • resourcemanager.projects.list

Apigee Environment Admin

roles/apigee.environmentAdmin

Full read/write access to Apigee environment resources, including deployments.

  • apigee.archivedeployments.*
  • apigee.datacollectors.get
  • apigee.datacollectors.list
  • apigee.deployments.*
  • apigee.envgroupattachments.get
  • apigee.envgroupattachments.list
  • apigee.envgroups.get
  • apigee.envgroups.list
  • apigee.environments.get
  • apigee.environments.getIamPolicy
  • apigee.environments.getStats
  • apigee.environments.list
  • apigee.environments.setIamPolicy
  • apigee.flowhooks.*
  • apigee.ingressconfigs.*
  • apigee.keystorealiases.*
  • apigee.keystores.*
  • apigee.keyvaluemaps.*
  • apigee.maskconfigs.*
  • apigee.organizations.get
  • apigee.organizations.list
  • apigee.proxies.get
  • apigee.proxies.list
  • apigee.proxyrevisions.deploy
  • apigee.proxyrevisions.get
  • apigee.proxyrevisions.list
  • apigee.proxyrevisions.undeploy
  • apigee.references.*
  • apigee.resourcefiles.*
  • apigee.sharedflowrevisions.deploy
  • apigee.sharedflowrevisions.get
  • apigee.sharedflowrevisions.list
  • apigee.sharedflowrevisions.undeploy
  • apigee.sharedflows.get
  • apigee.sharedflows.list
  • apigee.targetservers.*
  • apigee.tracesessions.*
  • resourcemanager.projects.get
  • resourcemanager.projects.getIamPolicy
  • resourcemanager.projects.list

Apigee Monetization Admin

roles/apigee.monetizationAdmin

All permissions related to monetization

  • apigee.apiproducts.get
  • apigee.apiproducts.list
  • apigee.developerbalances.*
  • apigee.developermonetizationconfigs.*
  • apigee.developersubscriptions.*
  • apigee.organizations.get
  • apigee.organizations.list
  • apigee.rateplans.*
  • resourcemanager.projects.get
  • resourcemanager.projects.list

Apigee Portal Admin

roles/apigee.portalAdmin

Portal admin for an Apigee Organization

  • apigee.organizations.get
  • apigee.organizations.list
  • apigee.portals.*
  • resourcemanager.projects.get
  • resourcemanager.projects.list

Apigee Read-only Admin

roles/apigee.readOnlyAdmin

Viewer of all Apigee resources

  • apigee.apiproductattributes.get
  • apigee.apiproductattributes.list
  • apigee.apiproducts.get
  • apigee.apiproducts.list
  • apigee.appkeys.get
  • apigee.apps.*
  • apigee.archivedeployments.download
  • apigee.archivedeployments.get
  • apigee.archivedeployments.list
  • apigee.caches.list
  • apigee.canaryevaluations.get
  • apigee.datacollectors.get
  • apigee.datacollectors.list
  • apigee.datastores.get
  • apigee.datastores.list
  • apigee.deployments.get
  • apigee.deployments.list
  • apigee.developerappattributes.get
  • apigee.developerappattributes.list
  • apigee.developerapps.get
  • apigee.developerapps.list
  • apigee.developerattributes.get
  • apigee.developerattributes.list
  • apigee.developerbalances.get
  • apigee.developermonetizationconfigs.get
  • apigee.developers.get
  • apigee.developers.list
  • apigee.developersubscriptions.get
  • apigee.developersubscriptions.list
  • apigee.envgroupattachments.get
  • apigee.envgroupattachments.list
  • apigee.envgroups.get
  • apigee.envgroups.list
  • apigee.environments.get
  • apigee.environments.getDataLocation
  • apigee.environments.getIamPolicy
  • apigee.environments.getStats
  • apigee.environments.list
  • apigee.exports.get
  • apigee.exports.list
  • apigee.flowhooks.getSharedFlow
  • apigee.flowhooks.list
  • apigee.hostqueries.get
  • apigee.hostqueries.list
  • apigee.hostsecurityreports.get
  • apigee.hostsecurityreports.list
  • apigee.hoststats.*
  • apigee.ingressconfigs.*
  • apigee.instanceattachments.get
  • apigee.instanceattachments.list
  • apigee.instances.get
  • apigee.instances.list
  • apigee.keystorealiases.get
  • apigee.keystorealiases.list
  • apigee.keystores.get
  • apigee.keystores.list
  • apigee.keyvaluemaps.list
  • apigee.maskconfigs.get
  • apigee.operations.*
  • apigee.organizations.get
  • apigee.organizations.list
  • apigee.portals.get
  • apigee.portals.list
  • apigee.proxies.get
  • apigee.proxies.list
  • apigee.proxyrevisions.get
  • apigee.proxyrevisions.list
  • apigee.queries.get
  • apigee.queries.list
  • apigee.rateplans.get
  • apigee.rateplans.list
  • apigee.references.get
  • apigee.references.list
  • apigee.reports.get
  • apigee.reports.list
  • apigee.resourcefiles.get
  • apigee.resourcefiles.list
  • apigee.runtimeconfigs.*
  • apigee.securityreports.get
  • apigee.securityreports.list
  • apigee.sharedflowrevisions.get
  • apigee.sharedflowrevisions.list
  • apigee.sharedflows.get
  • apigee.sharedflows.list
  • apigee.targetservers.get
  • apigee.targetservers.list
  • apigee.tracesessions.get
  • apigee.tracesessions.list
  • resourcemanager.projects.get
  • resourcemanager.projects.getIamPolicy
  • resourcemanager.projects.list

Apigee Runtime Agent

roles/apigee.runtimeAgent

Curated set of permissions for a runtime agent to access Apigee Organization resources

  • apigee.canaryevaluations.*
  • apigee.ingressconfigs.*
  • apigee.instances.reportStatus
  • apigee.operations.*
  • apigee.organizations.get
  • apigee.runtimeconfigs.*

Apigee Synchronizer Manager

roles/apigee.synchronizerManager

Curated set of permissions for a Synchronizer to manage environments in an Apigee Organization

  • apigee.environments.get
  • apigee.environments.manageRuntime
  • apigee.ingressconfigs.*

Apigee Connect Admin

roles/apigeeconnect.Admin

Admin of Apigee Connect

  • apigeeconnect.connections.*

Apigee Connect Agent

roles/apigeeconnect.Agent

Ability to set up Apigee Connect agent between external clusters and Google.

  • apigeeconnect.endpoints.*

App Engine Admin

roles/appengine.appAdmin

Read/Write/Modify access to all application configuration and settings. To deploy new versions, a principal must have the Service Account User (roles/iam.serviceAccountUser) role on the App Engine default service account, and the Cloud Build Editor (roles/cloudbuild.builds.editor) and Cloud Storage Object Admin (roles/storage.objectAdmin) roles on the project.

  • appengine.applications.get
  • appengine.applications.update
  • appengine.instances.*
  • appengine.operations.*
  • appengine.runtimes.*
  • appengine.services.*
  • appengine.versions.create
  • appengine.versions.delete
  • appengine.versions.get
  • appengine.versions.list
  • appengine.versions.update
  • resourcemanager.projects.get
  • resourcemanager.projects.list

App Engine Creator

roles/appengine.appCreator

Ability to create the App Engine resource for the project.

  • appengine.applications.create
  • resourcemanager.projects.get
  • resourcemanager.projects.list

App Engine Viewer

roles/appengine.appViewer

Read-only access to all application configuration and settings.

  • appengine.applications.get
  • appengine.instances.get
  • appengine.instances.list
  • appengine.operations.*
  • appengine.services.get
  • appengine.services.list
  • appengine.versions.get
  • appengine.versions.list
  • resourcemanager.projects.get
  • resourcemanager.projects.list

App Engine Code Viewer

roles/appengine.codeViewer

Read-only access to all application configuration, settings, and deployed source code.

  • appengine.applications.get
  • appengine.instances.get
  • appengine.instances.list
  • appengine.operations.*
  • appengine.services.get
  • appengine.services.list
  • appengine.versions.get
  • appengine.versions.getFileContents
  • appengine.versions.list
  • resourcemanager.projects.get
  • resourcemanager.projects.list

App Engine Deployer

roles/appengine.deployer

Read-only access to all application configuration and settings. To deploy new versions, you must also have the Service Account User (roles/iam.serviceAccountUser) role on the App Engine default service account, and the Cloud Build Editor (roles/cloudbuild.builds.editor) and Cloud Storage Object Admin (roles/storage.objectAdmin) roles on the project. Cannot modify existing versions other than deleting versions that are not receiving traffic.

  • appengine.applications.get
  • appengine.instances.get
  • appengine.instances.list
  • appengine.operations.*
  • appengine.services.get
  • appengine.services.list
  • appengine.versions.create
  • appengine.versions.delete
  • appengine.versions.get
  • appengine.versions.list
  • resourcemanager.projects.get
  • resourcemanager.projects.list

App Engine Service Admin

roles/appengine.serviceAdmin

Read-only access to all application configuration and settings. Write access to module-level and version-level settings. Cannot deploy a new version.

  • appengine.applications.get
  • appengine.instances.*
  • appengine.operations.*
  • appengine.services.*
  • appengine.versions.delete
  • appengine.versions.get
  • appengine.versions.list
  • appengine.versions.update
  • resourcemanager.projects.get
  • resourcemanager.projects.list

Artifact Registry Administrator

roles/artifactregistry.admin

Administrator access to create and manage repositories.

  • artifactregistry.*

Artifact Registry Reader

roles/artifactregistry.reader

Access to read repository items.

  • artifactregistry.files.*
  • artifactregistry.packages.get
  • artifactregistry.packages.list
  • artifactregistry.repositories.downloadArtifacts
  • artifactregistry.repositories.get
  • artifactregistry.repositories.list
  • artifactregistry.tags.get
  • artifactregistry.tags.list
  • artifactregistry.versions.get
  • artifactregistry.versions.list

Artifact Registry Repository Administrator

roles/artifactregistry.repoAdmin

Access to manage artifacts in repositories.

  • artifactregistry.aptartifacts.*
  • artifactregistry.files.*
  • artifactregistry.packages.*
  • artifactregistry.repositories.deleteArtifacts
  • artifactregistry.repositories.downloadArtifacts
  • artifactregistry.repositories.get
  • artifactregistry.repositories.list
  • artifactregistry.repositories.uploadArtifacts
  • artifactregistry.tags.*
  • artifactregistry.versions.*
  • artifactregistry.yumartifacts.*

Artifact Registry Writer

roles/artifactregistry.writer

Access to read and write repository items.

  • artifactregistry.aptartifacts.*
  • artifactregistry.files.*
  • artifactregistry.packages.get
  • artifactregistry.packages.list
  • artifactregistry.repositories.downloadArtifacts
  • artifactregistry.repositories.get
  • artifactregistry.repositories.list
  • artifactregistry.repositories.uploadArtifacts
  • artifactregistry.tags.create
  • artifactregistry.tags.get
  • artifactregistry.tags.list
  • artifactregistry.tags.update
  • artifactregistry.versions.get
  • artifactregistry.versions.list
  • artifactregistry.yumartifacts.*

Assured Workloads Administrator

roles/assuredworkloads.admin

Grants full access to Assured Workloads resources, CRM resources - project/folder and Organization Policy administration

  • assuredworkloads.*
  • orgpolicy.policy.*
  • resourcemanager.folders.create
  • resourcemanager.folders.get
  • resourcemanager.folders.list
  • resourcemanager.organizations.get
  • resourcemanager.projects.create
  • resourcemanager.projects.get
  • resourcemanager.projects.list

Assured Workloads Editor

roles/assuredworkloads.editor

Grants read and write access to Assured Workloads resources, CRM resources - project/folder and Organization Policy administration

  • assuredworkloads.*
  • orgpolicy.policy.*
  • resourcemanager.folders.create
  • resourcemanager.folders.get
  • resourcemanager.folders.list
  • resourcemanager.organizations.get
  • resourcemanager.projects.create
  • resourcemanager.projects.get
  • resourcemanager.projects.list

Assured Workloads Reader

roles/assuredworkloads.reader

Grants read access to all Assured Workloads resources and CRM resources - project/folder

  • assuredworkloads.operations.*
  • assuredworkloads.workload.get
  • assuredworkloads.workload.list
  • resourcemanager.folders.get
  • resourcemanager.folders.list
  • resourcemanager.organizations.get
  • resourcemanager.projects.get
  • resourcemanager.projects.list

AutoML Admin

roles/automl.admin

Full access to all AutoML resources

  • automl.*
  • resourcemanager.projects.get
  • resourcemanager.projects.list
  • serviceusage.services.list

AutoML Editor

roles/automl.editor

Editor of all AutoML resources

  • automl.annotationSpecs.*
  • automl.annotations.*
  • automl.columnSpecs.*
  • automl.datasets.create
  • automl.datasets.delete
  • automl.datasets.export
  • automl.datasets.get
  • automl.datasets.import
  • automl.datasets.list
  • automl.datasets.update
  • automl.examples.*
  • automl.humanAnnotationTasks.*
  • automl.locations.get
  • automl.locations.list
  • automl.modelEvaluations.*
  • automl.models.create
  • automl.models.delete
  • automl.models.deploy
  • automl.models.export
  • automl.models.get
  • automl.models.list
  • automl.models.predict
  • automl.models.undeploy
  • automl.operations.*
  • automl.tableSpecs.*
  • resourcemanager.projects.get
  • resourcemanager.projects.list
  • serviceusage.services.list

AutoML Predictor

roles/automl.predictor

Predict using models

  • automl.models.predict
  • resourcemanager.projects.get
  • resourcemanager.projects.list

AutoML Viewer

roles/automl.viewer

Viewer of all AutoML resources

  • automl.annotationSpecs.get
  • automl.annotationSpecs.list
  • automl.annotations.list
  • automl.columnSpecs.get
  • automl.columnSpecs.list
  • automl.datasets.get
  • automl.datasets.list
  • automl.examples.get
  • automl.examples.list
  • automl.humanAnnotationTasks.get
  • automl.humanAnnotationTasks.list
  • automl.locations.get
  • automl.locations.list
  • automl.modelEvaluations.get
  • automl.modelEvaluations.list
  • automl.models.get
  • automl.models.list
  • automl.operations.get
  • automl.operations.list
  • automl.tableSpecs.get
  • automl.tableSpecs.list
  • resourcemanager.projects.get
  • resourcemanager.projects.list
  • serviceusage.services.list

BigQuery Admin

roles/bigquery.admin

Provides permissions to manage all resources within the project. Can manage all data within the project, and can cancel jobs from other users running within the project.

  • bigquery.bireservations.*
  • bigquery.capacityCommitments.*
  • bigquery.config.*
  • bigquery.connections.*
  • bigquery.datasets.*
  • bigquery.jobs.*
  • bigquery.models.*
  • bigquery.readsessions.*
  • bigquery.reservationAssignments.*
  • bigquery.reservations.*
  • bigquery.routines.*
  • bigquery.rowAccessPolicies.create
  • bigquery.rowAccessPolicies.delete
  • bigquery.rowAccessPolicies.getIamPolicy
  • bigquery.rowAccessPolicies.list
  • bigquery.rowAccessPolicies.setIamPolicy
  • bigquery.rowAccessPolicies.update
  • bigquery.savedqueries.*
  • bigquery.tables.*
  • bigquery.transfers.*
  • resourcemanager.projects.get
  • resourcemanager.projects.list

BigQuery Connection Admin

roles/bigquery.connectionAdmin

  • bigquery.connections.*

BigQuery Connection User

roles/bigquery.connectionUser

  • bigquery.connections.get
  • bigquery.connections.getIamPolicy
  • bigquery.connections.list
  • bigquery.connections.use

BigQuery Data Editor

roles/bigquery.dataEditor

When applied to a table or view, this role provides permissions to: Read and update data and metadata for the table or view. Delete the table or view. This role cannot be applied to individual models or routines. When applied to a dataset, this role provides permissions to: Read the dataset's metadata and list tables in the dataset. Create, update, get, and delete the dataset's tables. When applied at the project or organization level, this role can also create new datasets.

  • bigquery.datasets.create
  • bigquery.datasets.get
  • bigquery.datasets.getIamPolicy
  • bigquery.datasets.updateTag
  • bigquery.models.*
  • bigquery.routines.*
  • bigquery.tables.create
  • bigquery.tables.createSnapshot
  • bigquery.tables.delete
  • bigquery.tables.export
  • bigquery.tables.get
  • bigquery.tables.getData
  • bigquery.tables.getIamPolicy
  • bigquery.tables.list
  • bigquery.tables.restoreSnapshot
  • bigquery.tables.update
  • bigquery.tables.updateData
  • bigquery.tables.updateTag
  • resourcemanager.projects.get
  • resourcemanager.projects.list

BigQuery Data Owner

roles/bigquery.dataOwner

When applied to a table or view, this role provides permissions to: Read and update data and metadata for the table or view. Share the table or view. Delete the table or view. This role cannot be applied to individual models or routines. When applied to a dataset, this role provides permissions to: Read, update, and delete the dataset. Create, update, get, and delete the dataset's tables. When applied at the project or organization level, this role can also create new datasets.

  • bigquery.datasets.*
  • bigquery.models.*
  • bigquery.routines.*
  • bigquery.rowAccessPolicies.create
  • bigquery.rowAccessPolicies.delete
  • bigquery.rowAccessPolicies.getIamPolicy
  • bigquery.rowAccessPolicies.list
  • bigquery.rowAccessPolicies.setIamPolicy
  • bigquery.rowAccessPolicies.update
  • bigquery.tables.*
  • resourcemanager.projects.get
  • resourcemanager.projects.list

BigQuery Data Viewer

roles/bigquery.dataViewer

When applied to a table or view, this role provides permissions to: Read data and metadata from the table or view. This role cannot be applied to individual models or routines. When applied to a dataset, this role provides permissions to: Read the dataset's metadata and list tables in the dataset. Read data and metadata from the dataset's tables. When applied at the project or organization level, this role can also enumerate all datasets in the project. Additional roles, however, are necessary to allow the running of jobs.

  • bigquery.datasets.get
  • bigquery.datasets.getIamPolicy
  • bigquery.models.export
  • bigquery.models.getData
  • bigquery.models.getMetadata
  • bigquery.models.list
  • bigquery.routines.get
  • bigquery.routines.list
  • bigquery.tables.createSnapshot
  • bigquery.tables.export
  • bigquery.tables.get
  • bigquery.tables.getData
  • bigquery.tables.getIamPolicy
  • bigquery.tables.list
  • resourcemanager.projects.get
  • resourcemanager.projects.list

BigQuery Filtered Data Viewer

roles/bigquery.filteredDataViewer

Access to view filtered table data defined by a row access policy

  • bigquery.rowAccessPolicies.getFilteredData

BigQuery Job User

roles/bigquery.jobUser

Provides permissions to run jobs, including queries, within the project.

  • bigquery.jobs.create
  • resourcemanager.projects.get
  • resourcemanager.projects.list

BigQuery Metadata Viewer

roles/bigquery.metadataViewer

When applied to a table or view, this role provides permissions to: Read metadata from the table or view. This role cannot be applied to individual models or routines. When applied to a dataset, this role provides permissions to: List tables and views in the dataset. Read metadata from the dataset's tables and views. When applied at the project or organization level, this role provides permissions to: List all datasets and read metadata for all datasets in the project. List all tables and views and read metadata for all tables and views in the project. Additional roles are necessary to allow the running of jobs.

  • bigquery.datasets.get
  • bigquery.datasets.getIamPolicy
  • bigquery.models.getMetadata
  • bigquery.models.list
  • bigquery.routines.get
  • bigquery.routines.list
  • bigquery.tables.get
  • bigquery.tables.getIamPolicy
  • bigquery.tables.list
  • resourcemanager.projects.get
  • resourcemanager.projects.list

BigQuery Read Session User

roles/bigquery.readSessionUser

Access to create and use read sessions

  • bigquery.readsessions.*
  • resourcemanager.projects.get
  • resourcemanager.projects.list

BigQuery Resource Admin

roles/bigquery.resourceAdmin

Administer all BigQuery resources.

  • bigquery.bireservations.*
  • bigquery.capacityCommitments.*
  • bigquery.jobs.get
  • bigquery.jobs.list
  • bigquery.jobs.listAll
  • bigquery.reservationAssignments.*
  • bigquery.reservations.*
  • recommender.bigqueryCapacityCommitmentsInsights.*
  • recommender.bigqueryCapacityCommitmentsRecommendations.*
  • resourcemanager.projects.get
  • resourcemanager.projects.list

BigQuery Resource Editor

roles/bigquery.resourceEditor

Manage all BigQuery resources, but cannot make purchasing decisions.

  • bigquery.bireservations.get
  • bigquery.capacityCommitments.get
  • bigquery.capacityCommitments.list
  • bigquery.jobs.get
  • bigquery.jobs.list
  • bigquery.jobs.listAll
  • bigquery.reservationAssignments.*
  • bigquery.reservations.*
  • resourcemanager.projects.get
  • resourcemanager.projects.list

BigQuery Resource Viewer

roles/bigquery.resourceViewer

View all BigQuery resources but cannot make changes or purchasing decisions.

  • bigquery.bireservations.get
  • bigquery.capacityCommitments.get
  • bigquery.capacityCommitments.list
  • bigquery.jobs.get
  • bigquery.jobs.list
  • bigquery.jobs.listAll
  • bigquery.reservationAssignments.list
  • bigquery.reservationAssignments.search
  • bigquery.reservations.get
  • bigquery.reservations.list
  • resourcemanager.projects.get
  • resourcemanager.projects.list

BigQuery User

roles/bigquery.user

When applied to a dataset, this role provides the ability to read the dataset's metadata and list tables in the dataset. When applied to a project, this role also provides the ability to run jobs, including queries, within the project. A principal with this role can enumerate their own jobs, cancel their own jobs, and enumerate datasets within a project. Additionally, allows the creation of new datasets within the project; the creator is granted the BigQuery Data Owner role (roles/bigquery.dataOwner) on these new datasets.

  • bigquery.bireservations.get
  • bigquery.capacityCommitments.get
  • bigquery.capacityCommitments.list
  • bigquery.config.get
  • bigquery.datasets.create
  • bigquery.datasets.get
  • bigquery.datasets.getIamPolicy
  • bigquery.jobs.create
  • bigquery.jobs.list
  • bigquery.models.list
  • bigquery.readsessions.*
  • bigquery.reservationAssignments.list
  • bigquery.reservationAssignments.search
  • bigquery.reservations.get
  • bigquery.reservations.list
  • bigquery.routines.list
  • bigquery.savedqueries.get
  • bigquery.savedqueries.list
  • bigquery.tables.list
  • bigquery.transfers.get
  • resourcemanager.projects.get
  • resourcemanager.projects.list

Billing Account Administrator

roles/billing.admin

Provides access to see and manage all aspects of billing accounts.

  • billing.accounts.close
  • billing.accounts.get
  • billing.accounts.getIamPolicy
  • billing.accounts.getPaymentInfo
  • billing.accounts.getPricing
  • billing.accounts.getSpendingInformation
  • billing.accounts.getUsageExportSpec
  • billing.accounts.list
  • billing.accounts.move
  • billing.accounts.redeemPromotion
  • billing.accounts.removeFromOrganization
  • billing.accounts.reopen
  • billing.accounts.setIamPolicy
  • billing.accounts.update
  • billing.accounts.updatePaymentInfo
  • billing.accounts.updateUsageExportSpec
  • billing.budgets.*
  • billing.credits.*
  • billing.resourceAssociations.*
  • billing.subscriptions.*
  • cloudnotifications.*
  • commerceoffercatalog.*
  • consumerprocurement.accounts.*
  • consumerprocurement.orders.*
  • dataprocessing.datasources.get
  • dataprocessing.datasources.list
  • dataprocessing.groupcontrols.get
  • dataprocessing.groupcontrols.list
  • logging.logEntries.list
  • logging.logServiceIndexes.*
  • logging.logServices.*
  • logging.logs.list
  • logging.privateLogEntries.*
  • recommender.commitmentUtilizationInsights.*
  • recommender.usageCommitmentRecommendations.*
  • resourcemanager.projects.createBillingAssignment
  • resourcemanager.projects.deleteBillingAssignment

Billing Account Costs Manager

roles/billing.costsManager

Can view and export cost information of billing accounts.

  • billing.accounts.get
  • billing.accounts.getIamPolicy
  • billing.accounts.getSpendingInformation
  • billing.accounts.getUsageExportSpec
  • billing.accounts.list
  • billing.accounts.updateUsageExportSpec
  • billing.budgets.*
  • billing.resourceAssociations.list

Billing Account Creator

roles/billing.creator

Provides access to create billing accounts.

  • billing.accounts.create
  • resourcemanager.organizations.get

Project Billing Manager

roles/billing.projectManager

Provides access to assign a project's billing account or disable its billing.

  • resourcemanager.projects.createBillingAssignment
  • resourcemanager.projects.deleteBillingAssignment

Billing Account User

roles/billing.user

Provides access to associate projects with billing accounts.

  • billing.accounts.get
  • billing.accounts.getIamPolicy
  • billing.accounts.list
  • billing.accounts.redeemPromotion
  • billing.credits.*
  • billing.resourceAssociations.create

Billing Account Viewer

roles/billing.viewer

View billing account cost information and transactions.

  • billing.accounts.get
  • billing.accounts.getIamPolicy
  • billing.accounts.getPaymentInfo
  • billing.accounts.getPricing
  • billing.accounts.getSpendingInformation
  • billing.accounts.getUsageExportSpec
  • billing.accounts.list
  • billing.budgets.get
  • billing.budgets.list
  • billing.credits.*
  • billing.resourceAssociations.list
  • billing.subscriptions.get
  • billing.subscriptions.list
  • commerceoffercatalog.*
  • consumerprocurement.accounts.get
  • consumerprocurement.accounts.list
  • consumerprocurement.orders.get
  • consumerprocurement.orders.list
  • dataprocessing.datasources.get
  • dataprocessing.datasources.list
  • dataprocessing.groupcontrols.get
  • dataprocessing.groupcontrols.list
  • recommender.commitmentUtilizationInsights.get
  • recommender.commitmentUtilizationInsights.list
  • recommender.usageCommitmentRecommendations.get
  • recommender.usageCommitmentRecommendations.list

Binary Authorization Attestor Admin

roles/binaryauthorization.attestorsAdmin

Administrator of Binary Authorization Attestors

  • binaryauthorization.attestors.*
  • resourcemanager.projects.get
  • resourcemanager.projects.list

Binary Authorization Attestor Editor

roles/binaryauthorization.attestorsEditor

Editor of Binary Authorization Attestors

  • binaryauthorization.attestors.create
  • binaryauthorization.attestors.delete
  • binaryauthorization.attestors.get
  • binaryauthorization.attestors.list
  • binaryauthorization.attestors.update
  • binaryauthorization.attestors.verifyImageAttested
  • resourcemanager.projects.get
  • resourcemanager.projects.list

Binary Authorization Attestor Image Verifier

roles/binaryauthorization.attestorsVerifier

Caller of Binary Authorization Attestors VerifyImageAttested

  • binaryauthorization.attestors.get
  • binaryauthorization.attestors.list
  • binaryauthorization.attestors.verifyImageAttested
  • resourcemanager.projects.get
  • resourcemanager.projects.list

Binary Authorization Attestor Viewer

roles/binaryauthorization.attestorsViewer

Viewer of Binary Authorization Attestors

  • binaryauthorization.attestors.get
  • binaryauthorization.attestors.list
  • resourcemanager.projects.get
  • resourcemanager.projects.list

Binary Authorization Policy Administrator

roles/binaryauthorization.policyAdmin

Administrator of Binary Authorization Policy

  • binaryauthorization.continuousValidationConfig.*
  • binaryauthorization.policy.*
  • resourcemanager.projects.get
  • resourcemanager.projects.list

Binary Authorization Policy Editor

roles/binaryauthorization.policyEditor

Editor of Binary Authorization Policy

  • binaryauthorization.continuousValidationConfig.get
  • binaryauthorization.continuousValidationConfig.update
  • binaryauthorization.policy.get
  • binaryauthorization.policy.update
  • resourcemanager.projects.get
  • resourcemanager.projects.list

Binary Authorization Policy Viewer

roles/binaryauthorization.policyViewer

Viewer of Binary Authorization Policy

  • binaryauthorization.continuousValidationConfig.get
  • binaryauthorization.policy.get
  • resourcemanager.projects.get
  • resourcemanager.projects.list

CA Service Admin

roles/privateca.admin

Full access to all CA Service resources.

  • privateca.*
  • resourcemanager.projects.get
  • resourcemanager.projects.list
  • storage.buckets.create

CA Service Auditor

roles/privateca.auditor

Read-only access to all CA Service resources.

  • privateca.caPools.get
  • privateca.caPools.getIamPolicy
  • privateca.caPools.list
  • privateca.certificateAuthorities.get
  • privateca.certificateAuthorities.getIamPolicy
  • privateca.certificateAuthorities.list
  • privateca.certificateRevocationLists.get
  • privateca.certificateRevocationLists.getIamPolicy
  • privateca.certificateRevocationLists.list
  • privateca.certificateTemplates.get
  • privateca.certificateTemplates.getIamPolicy
  • privateca.certificateTemplates.list
  • privateca.certificates.get
  • privateca.certificates.getIamPolicy
  • privateca.certificates.list
  • privateca.locations.*
  • privateca.operations.get
  • privateca.operations.list
  • privateca.reusableConfigs.get
  • privateca.reusableConfigs.getIamPolicy
  • privateca.reusableConfigs.list
  • resourcemanager.projects.get
  • resourcemanager.projects.list

CA Service Operation Manager

roles/privateca.caManager

Create and manage CAs, revoke certificates, create certificate templates, and read-only access for CA Service resources.

  • privateca.caPools.create
  • privateca.caPools.delete
  • privateca.caPools.get
  • privateca.caPools.getIamPolicy
  • privateca.caPools.list
  • privateca.caPools.update
  • privateca.certificateAuthorities.create
  • privateca.certificateAuthorities.delete
  • privateca.certificateAuthorities.get
  • privateca.certificateAuthorities.getIamPolicy
  • privateca.certificateAuthorities.list
  • privateca.certificateAuthorities.update
  • privateca.certificateRevocationLists.get
  • privateca.certificateRevocationLists.getIamPolicy
  • privateca.certificateRevocationLists.list
  • privateca.certificateRevocationLists.update
  • privateca.certificateTemplates.create
  • privateca.certificateTemplates.delete
  • privateca.certificateTemplates.get
  • privateca.certificateTemplates.getIamPolicy
  • privateca.certificateTemplates.list
  • privateca.certificateTemplates.update
  • privateca.certificates.get
  • privateca.certificates.getIamPolicy
  • privateca.certificates.list
  • privateca.certificates.update
  • privateca.locations.*
  • privateca.operations.get
  • privateca.operations.list
  • privateca.reusableConfigs.create
  • privateca.reusableConfigs.delete
  • privateca.reusableConfigs.get
  • privateca.reusableConfigs.getIamPolicy
  • privateca.reusableConfigs.list
  • privateca.reusableConfigs.update
  • resourcemanager.projects.get
  • resourcemanager.projects.list
  • storage.buckets.create

CA Service Certificate Manager

roles/privateca.certificateManager

Create certificates and read-only access for CA Service resources.

  • privateca.caPools.get
  • privateca.caPools.getIamPolicy
  • privateca.caPools.list
  • privateca.certificateAuthorities.get
  • privateca.certificateAuthorities.getIamPolicy
  • privateca.certificateAuthorities.list
  • privateca.certificateRevocationLists.get
  • privateca.certificateRevocationLists.getIamPolicy
  • privateca.certificateRevocationLists.list
  • privateca.certificateTemplates.get
  • privateca.certificateTemplates.getIamPolicy
  • privateca.certificateTemplates.list
  • privateca.certificates.create
  • privateca.certificates.get
  • privateca.certificates.getIamPolicy
  • privateca.certificates.list
  • privateca.locations.*
  • privateca.operations.get
  • privateca.operations.list
  • privateca.reusableConfigs.get
  • privateca.reusableConfigs.getIamPolicy
  • privateca.reusableConfigs.list
  • resourcemanager.projects.get
  • resourcemanager.projects.list

CA Service Certificate Requester

roles/privateca.certificateRequester

Request certificates from CA Service.

  • privateca.certificates.create

CA Service Certificate Template User

roles/privateca.templateUser

Read, list and use certificate templates.

  • privateca.certificateTemplates.get
  • privateca.certificateTemplates.list
  • privateca.certificateTemplates.use

CA Service Workload Certificate Requester

roles/privateca.workloadCertificateRequester

Request certificates from CA Service with caller's identity.

  • privateca.certificates.createForSelf

Cloud Asset Owner

roles/cloudasset.owner

Full access to cloud assets metadata

  • cloudasset.*
  • recommender.cloudAssetInsights.*
  • recommender.locations.*

Cloud Asset Viewer

roles/cloudasset.viewer

Read-only access to cloud assets metadata

  • cloudasset.assets.*
  • recommender.cloudAssetInsights.get
  • recommender.cloudAssetInsights.list
  • recommender.locations.*

Bigtable Administrator

roles/bigtable.admin

Administers all instances within a project, including the data stored within tables. Can create new instances. Intended for project administrators.

  • bigtable.*
  • monitoring.metricDescriptors.get
  • monitoring.metricDescriptors.list
  • monitoring.timeSeries.list
  • resourcemanager.projects.get

Bigtable Reader

roles/bigtable.reader

Provides read-only access to the data stored within tables. Intended for data scientists, dashboard generators, and other data-analysis scenarios.

  • bigtable.appProfiles.get
  • bigtable.appProfiles.list
  • bigtable.backups.get
  • bigtable.backups.list
  • bigtable.clusters.get
  • bigtable.clusters.list
  • bigtable.instances.get
  • bigtable.instances.list
  • bigtable.keyvisualizer.*
  • bigtable.locations.*
  • bigtable.tables.checkConsistency
  • bigtable.tables.generateConsistencyToken
  • bigtable.tables.get
  • bigtable.tables.list
  • bigtable.tables.readRows
  • bigtable.tables.sampleRowKeys
  • monitoring.metricDescriptors.get
  • monitoring.metricDescriptors.list
  • monitoring.timeSeries.list
  • resourcemanager.projects.get

Bigtable User

roles/bigtable.user

Provides read-write access to the data stored within tables. Intended for application developers or service accounts.

  • bigtable.appProfiles.get
  • bigtable.appProfiles.list
  • bigtable.backups.get
  • bigtable.backups.list
  • bigtable.clusters.get
  • bigtable.clusters.list
  • bigtable.instances.get
  • bigtable.instances.list
  • bigtable.keyvisualizer.*
  • bigtable.locations.*
  • bigtable.tables.checkConsistency
  • bigtable.tables.generateConsistencyToken
  • bigtable.tables.get
  • bigtable.tables.list
  • bigtable.tables.mutateRows
  • bigtable.tables.readRows
  • bigtable.tables.sampleRowKeys
  • monitoring.metricDescriptors.get
  • monitoring.metricDescriptors.list
  • monitoring.timeSeries.list
  • resourcemanager.projects.get

Bigtable Viewer

roles/bigtable.viewer

Provides no data access. Intended as a minimal set of permissions to access the Cloud Console for Bigtable.

  • bigtable.appProfiles.get
  • bigtable.appProfiles.list
  • bigtable.backups.get
  • bigtable.backups.list
  • bigtable.clusters.get
  • bigtable.clusters.list
  • bigtable.instances.get
  • bigtable.instances.list
  • bigtable.locations.*
  • bigtable.tables.checkConsistency
  • bigtable.tables.generateConsistencyToken
  • bigtable.tables.get
  • bigtable.tables.list
  • monitoring.metricDescriptors.get
  • monitoring.metricDescriptors.list
  • monitoring.timeSeries.list
  • resourcemanager.projects.get

Cloud Build Approver

roles/cloudbuild.builds.approver

Can approve or reject pending builds.

  • cloudbuild.builds.approve
  • cloudbuild.builds.get
  • cloudbuild.builds.list
  • remotebuildexecution.blobs.get
  • resourcemanager.projects.get
  • resourcemanager.projects.list

Cloud Build Service Account

roles/cloudbuild.builds.builder

Provides access to perform builds.

  • artifactregistry.aptartifacts.*
  • artifactregistry.files.*
  • artifactregistry.packages.get
  • artifactregistry.packages.list
  • artifactregistry.repositories.downloadArtifacts
  • artifactregistry.repositories.get
  • artifactregistry.repositories.list
  • artifactregistry.repositories.uploadArtifacts
  • artifactregistry.tags.create
  • artifactregistry.tags.get
  • artifactregistry.tags.list
  • artifactregistry.tags.update
  • artifactregistry.versions.get
  • artifactregistry.versions.list
  • artifactregistry.yumartifacts.*
  • cloudbuild.builds.create
  • cloudbuild.builds.get
  • cloudbuild.builds.list
  • cloudbuild.builds.update
  • cloudbuild.workerpools.use
  • containeranalysis.occurrences.create
  • containeranalysis.occurrences.delete
  • containeranalysis.occurrences.get
  • containeranalysis.occurrences.list
  • containeranalysis.occurrences.update
  • logging.logEntries.create
  • pubsub.topics.create
  • pubsub.topics.publish
  • remotebuildexecution.blobs.get
  • resourcemanager.projects.get
  • resourcemanager.projects.list
  • source.repos.get
  • source.repos.list
  • storage.buckets.create
  • storage.buckets.get
  • storage.buckets.list
  • storage.objects.create
  • storage.objects.delete
  • storage.objects.get
  • storage.objects.list
  • storage.objects.update

Cloud Build Editor

roles/cloudbuild.builds.editor

Provides access to create and cancel builds.

  • cloudbuild.builds.create
  • cloudbuild.builds.get
  • cloudbuild.builds.list
  • cloudbuild.builds.update
  • remotebuildexecution.blobs.get
  • resourcemanager.projects.get
  • resourcemanager.projects.list

Cloud Build Viewer

roles/cloudbuild.builds.viewer

Provides access to view builds.

  • cloudbuild.builds.get
  • cloudbuild.builds.list
  • remotebuildexecution.blobs.get
  • resourcemanager.projects.get
  • resourcemanager.projects.list

Cloud Build Integrations Editor

roles/cloudbuild.integrationsEditor

Can update Integrations

  • resourcemanager.projects.get
  • resourcemanager.projects.list

Cloud Build Integrations Owner

roles/cloudbuild.integrationsOwner

Can create/delete Integrations

  • compute.firewalls.create
  • compute.firewalls.get
  • compute.firewalls.list
  • compute.networks.get
  • compute.networks.updatePolicy
  • compute.regions.get
  • compute.subnetworks.get
  • compute.subnetworks.list
  • resourcemanager.projects.get
  • resourcemanager.projects.list

Cloud Build Integrations Viewer

roles/cloudbuild.integrationsViewer

Can view Integrations

  • resourcemanager.projects.get
  • resourcemanager.projects.list

Cloud Build WorkerPool Editor

roles/cloudbuild.workerPoolEditor

Can update and view WorkerPools

  • cloudbuild.workerpools.get
  • cloudbuild.workerpools.list
  • cloudbuild.workerpools.update
  • resourcemanager.projects.get
  • resourcemanager.projects.list

Cloud Build WorkerPool Owner

roles/cloudbuild.workerPoolOwner

Can create, delete, update, and view WorkerPools

  • cloudbuild.workerpools.create
  • cloudbuild.workerpools.delete
  • cloudbuild.workerpools.get
  • cloudbuild.workerpools.list
  • cloudbuild.workerpools.update
  • resourcemanager.projects.get
  • resourcemanager.projects.list

Cloud Build WorkerPool User

roles/cloudbuild.workerPoolUser

Can run builds in the WorkerPool

  • cloudbuild.workerpools.use

Cloud Build WorkerPool Viewer

roles/cloudbuild.workerPoolViewer

Can view WorkerPools

  • cloudbuild.workerpools.get
  • cloudbuild.workerpools.list
  • resourcemanager.projects.get
  • resourcemanager.projects.list

Cloud Composer v2 API Service Agent Extension

roles/composer.ServiceAgentV2Ext

Cloud Composer v2 API Service Agent Extension is a supplementary role required to manage Composer v2 environments.

  • iam.serviceAccounts.getIamPolicy
  • iam.serviceAccounts.setIamPolicy

Composer Administrator

roles/composer.admin

Provides full control of Cloud Composer resources.

  • composer.*
  • serviceusage.quotas.get
  • serviceusage.services.get
  • serviceusage.services.list

Environment and Storage Object Administrator

roles/composer.environmentAndStorageObjectAdmin

Provides full control of Cloud Composer resources and of the objects in all project buckets.

  • composer.*
  • resourcemanager.projects.get
  • resourcemanager.projects.list
  • serviceusage.quotas.get
  • serviceusage.services.get
  • serviceusage.services.list
  • storage.objects.*

Environment User and Storage Object Viewer

roles/composer.environmentAndStorageObjectViewer

Provides the permissions necessary to list and get Cloud Composer environments and operations. Provides read-only access to objects in all project buckets.

  • composer.environments.get
  • composer.environments.list
  • composer.imageversions.*
  • composer.operations.get
  • composer.operations.list
  • resourcemanager.projects.get
  • resourcemanager.projects.list
  • serviceusage.quotas.get
  • serviceusage.services.get
  • serviceusage.services.list
  • storage.objects.get
  • storage.objects.list

Composer Shared VPC Agent

roles/composer.sharedVpcAgent

Role that should be assigned to the Composer Agent service account in the Shared VPC host project

  • compute.networks.access
  • compute.networks.addPeering
  • compute.networks.get
  • compute.networks.list
  • compute.networks.listPeeringRoutes
  • compute.networks.removePeering
  • compute.networks.updatePeering
  • compute.networks.use
  • compute.networks.useExternalIp
  • compute.projects.get
  • compute.regions.*
  • compute.subnetworks.get
  • compute.subnetworks.list
  • compute.subnetworks.use
  • compute.subnetworks.useExternalIp
  • compute.zones.*

Composer User

roles/composer.user

Provides the permissions necessary to list and get Cloud Composer environments and operations.

  • composer.environments.get
  • composer.environments.list
  • composer.imageversions.*
  • composer.operations.get
  • composer.operations.list
  • serviceusage.quotas.get
  • serviceusage.services.get
  • serviceusage.services.list

Composer Worker

roles/composer.worker

Provides the permissions necessary to run a Cloud Composer environment VM. Intended for service accounts.

  • artifactregistry.*
  • cloudbuild.builds.create
  • cloudbuild.builds.get
  • cloudbuild.builds.list
  • cloudbuild.builds.update
  • cloudbuild.workerpools.use
  • container.*
  • containeranalysis.occurrences.create
  • containeranalysis.occurrences.delete
  • containeranalysis.occurrences.get
  • containeranalysis.occurrences.list
  • containeranalysis.occurrences.update
  • logging.logEntries.create
  • monitoring.metricDescriptors.create
  • monitoring.metricDescriptors.get
  • monitoring.metricDescriptors.list
  • monitoring.monitoredResourceDescriptors.*
  • monitoring.timeSeries.*
  • pubsub.schemas.attach
  • pubsub.schemas.create
  • pubsub.schemas.delete
  • pubsub.schemas.get
  • pubsub.schemas.list
  • pubsub.schemas.validate
  • pubsub.snapshots.create
  • pubsub.snapshots.delete
  • pubsub.snapshots.get
  • pubsub.snapshots.list
  • pubsub.snapshots.seek
  • pubsub.snapshots.update
  • pubsub.subscriptions.consume
  • pubsub.subscriptions.create
  • pubsub.subscriptions.delete
  • pubsub.subscriptions.get
  • pubsub.subscriptions.list
  • pubsub.subscriptions.update
  • pubsub.topics.attachSubscription
  • pubsub.topics.create
  • pubsub.topics.delete
  • pubsub.topics.detachSubscription
  • pubsub.topics.get
  • pubsub.topics.list
  • pubsub.topics.publish
  • pubsub.topics.update
  • pubsub.topics.updateTag
  • remotebuildexecution.blobs.get
  • resourcemanager.projects.get
  • resourcemanager.projects.list
  • serviceusage.quotas.get
  • serviceusage.services.get
  • serviceusage.services.list
  • source.repos.get
  • source.repos.list
  • storage.buckets.create
  • storage.buckets.get
  • storage.buckets.list
  • storage.objects.*

Connector Admin

roles/connectors.admin

Full access to all resources of Connectors Service.

  • connectors.*
  • resourcemanager.projects.get
  • resourcemanager.projects.list

Connectors Viewer

roles/connectors.viewer

Read-only access to all Connectors resources.

  • connectors.connections.get
  • connectors.connections.getConnectionSchemaMetadata
  • connectors.connections.getIamPolicy
  • connectors.connections.getRuntimeActionSchema
  • connectors.connections.getRuntimeEntitySchema
  • connectors.connections.list
  • connectors.connectors.*
  • connectors.locations.*
  • connectors.operations.get
  • connectors.operations.list
  • connectors.providers.*
  • connectors.runtimeconfig.*
  • connectors.versions.*
  • resourcemanager.projects.get
  • resourcemanager.projects.list

Cloud Data Fusion Admin

roles/datafusion.admin

Full access to Cloud Data Fusion Instances, Namespaces and related resources.

  • datafusion.*
  • resourcemanager.projects.get
  • resourcemanager.projects.list

Cloud Data Fusion Runner

roles/datafusion.runner

Access to Cloud Data Fusion runtime resources.

  • datafusion.instances.runtime

Cloud Data Fusion Viewer

roles/datafusion.viewer

Read-only access to Cloud Data Fusion Instances, Namespaces and related resources.

  • datafusion.instances.get
  • datafusion.instances.getIamPolicy
  • datafusion.instances.list
  • datafusion.instances.runtime
  • datafusion.locations.*
  • datafusion.operations.get
  • datafusion.operations.list
  • resourcemanager.projects.get
  • resourcemanager.projects.list

Data Labeling Service Admin

roles/datalabeling.admin

Full access to all Data Labeling resources

  • datalabeling.*
  • resourcemanager.projects.get
  • resourcemanager.projects.list

Data Labeling Service Editor

roles/datalabeling.editor

Editor of all Data Labeling resources

  • datalabeling.*
  • resourcemanager.projects.get
  • resourcemanager.projects.list

Data Labeling Service Viewer

roles/datalabeling.viewer

Viewer of all Data Labeling resources

  • datalabeling.annotateddatasets.get
  • datalabeling.annotateddatasets.list
  • datalabeling.annotationspecsets.get
  • datalabeling.annotationspecsets.list
  • datalabeling.dataitems.*
  • datalabeling.datasets.get
  • datalabeling.datasets.list
  • datalabeling.examples.*
  • datalabeling.instructions.get
  • datalabeling.instructions.list
  • datalabeling.operations.get
  • datalabeling.operations.list
  • resourcemanager.projects.get
  • resourcemanager.projects.list

Cloud Debugger Agent

roles/clouddebugger.agent

Provides permissions to register the debug target, read active breakpoints, and report breakpoint results.

  • clouddebugger.breakpoints.list
  • clouddebugger.breakpoints.listActive
  • clouddebugger.breakpoints.update
  • clouddebugger.debuggees.create

Cloud Debugger User

roles/clouddebugger.user

Provides permissions to create, view, list, and delete breakpoints (snapshots & logpoints) as well as list debug targets (debuggees).

  • clouddebugger.breakpoints.create
  • clouddebugger.breakpoints.delete
  • clouddebugger.breakpoints.get
  • clouddebugger.breakpoints.list
  • clouddebugger.debuggees.list

Cloud Deploy Admin

roles/clouddeploy.admin

Full control of Cloud Deploy resources.

  • clouddeploy.*
  • resourcemanager.projects.get
  • resourcemanager.projects.list

Cloud Deploy Approver

roles/clouddeploy.approver

Permission to approve or reject rollouts.

  • clouddeploy.locations.*
  • clouddeploy.operations.*
  • clouddeploy.rollouts.approve
  • clouddeploy.rollouts.get
  • clouddeploy.rollouts.list
  • resourcemanager.projects.get
  • resourcemanager.projects.list

Cloud Deploy Developer

roles/clouddeploy.developer

Permission to manage deployment configuration without permission to access operational resources, such as targets.

  • clouddeploy.deliveryPipelines.create
  • clouddeploy.deliveryPipelines.get
  • clouddeploy.deliveryPipelines.getIamPolicy
  • clouddeploy.deliveryPipelines.list
  • clouddeploy.deliveryPipelines.update
  • clouddeploy.locations.*
  • clouddeploy.operations.*
  • clouddeploy.releases.*
  • clouddeploy.rollouts.get
  • clouddeploy.rollouts.list
  • resourcemanager.projects.get
  • resourcemanager.projects.list

Cloud Deploy Runner

roles/clouddeploy.jobRunner

Permission to execute Cloud Deploy work without permission to deliver to a target.

  • logging.logEntries.create
  • storage.objects.create
  • storage.objects.get
  • storage.objects.list

Cloud Deploy Operator

roles/clouddeploy.operator

Permission to manage deployment configuration.

  • clouddeploy.deliveryPipelines.create
  • clouddeploy.deliveryPipelines.get
  • clouddeploy.deliveryPipelines.getIamPolicy
  • clouddeploy.deliveryPipelines.list
  • clouddeploy.deliveryPipelines.update
  • clouddeploy.locations.*
  • clouddeploy.operations.*
  • clouddeploy.releases.*
  • clouddeploy.rollouts.create
  • clouddeploy.rollouts.get
  • clouddeploy.rollouts.list
  • clouddeploy.targets.create
  • clouddeploy.targets.get
  • clouddeploy.targets.getIamPolicy
  • clouddeploy.targets.list
  • clouddeploy.targets.update
  • resourcemanager.projects.get
  • resourcemanager.projects.list

Cloud Deploy Releaser

roles/clouddeploy.releaser

Permission to create Cloud Deploy releases and rollouts.

  • clouddeploy.deliveryPipelines.get
  • clouddeploy.locations.*
  • clouddeploy.operations.*
  • clouddeploy.releases.create
  • clouddeploy.releases.get
  • clouddeploy.releases.list
  • clouddeploy.rollouts.create
  • clouddeploy.rollouts.get
  • clouddeploy.rollouts.list
  • clouddeploy.targets.get
  • resourcemanager.projects.get
  • resourcemanager.projects.list

Cloud Deploy Viewer

roles/clouddeploy.viewer

Can view Cloud Deploy resources.

  • clouddeploy.config.*
  • clouddeploy.deliveryPipelines.get
  • clouddeploy.deliveryPipelines.getIamPolicy
  • clouddeploy.deliveryPipelines.list
  • clouddeploy.locations.*
  • clouddeploy.operations.get
  • clouddeploy.operations.list
  • clouddeploy.releases.get
  • clouddeploy.releases.list
  • clouddeploy.rollouts.get
  • clouddeploy.rollouts.list
  • clouddeploy.targets.get
  • clouddeploy.targets.getIamPolicy
  • clouddeploy.targets.list
  • resourcemanager.projects.get
  • resourcemanager.projects.list

DLP Administrator

roles/dlp.admin

Administer DLP including jobs and templates.

  • dlp.*
  • serviceusage.services.use

DLP Analyze Risk Templates Editor

roles/dlp.analyzeRiskTemplatesEditor

Edit DLP analyze risk templates.

  • dlp.analyzeRiskTemplates.*

DLP Analyze Risk Templates Reader

roles/dlp.analyzeRiskTemplatesReader

Read DLP analyze risk templates.

  • dlp.analyzeRiskTemplates.get
  • dlp.analyzeRiskTemplates.list

DLP Column Data Profiles Reader

roles/dlp.columnDataProfilesReader

Read DLP column profiles.

  • dlp.columnDataProfiles.*

DLP Data Profiles Reader

roles/dlp.dataProfilesReader

Read DLP profiles.

  • dlp.columnDataProfiles.*
  • dlp.projectDataProfiles.*
  • dlp.tableDataProfiles.*

DLP De-identify Templates Editor

roles/dlp.deidentifyTemplatesEditor

Edit DLP de-identify templates.

  • dlp.deidentifyTemplates.*

DLP De-identify Templates Reader

roles/dlp.deidentifyTemplatesReader

Read DLP de-identify templates.

  • dlp.deidentifyTemplates.get
  • dlp.deidentifyTemplates.list

DLP Cost Estimation

roles/dlp.estimatesAdmin

Manage DLP Cost Estimates.

  • dlp.estimates.*

DLP Inspect Findings Reader

roles/dlp.inspectFindingsReader

Read DLP stored findings.

  • dlp.inspectFindings.*

DLP Inspect Templates Editor

roles/dlp.inspectTemplatesEditor

Edit DLP inspect templates.

  • dlp.inspectTemplates.*

DLP Inspect Templates Reader

roles/dlp.inspectTemplatesReader

Read DLP inspect templates.

  • dlp.inspectTemplates.get
  • dlp.inspectTemplates.list

DLP Job Triggers Editor

roles/dlp.jobTriggersEditor

Edit job triggers configurations.

  • dlp.jobTriggers.*

DLP Job Triggers Reader

roles/dlp.jobTriggersReader

Read job triggers.

  • dlp.jobTriggers.get
  • dlp.jobTriggers.list

DLP Jobs Editor

roles/dlp.jobsEditor

Edit and create jobs

  • dlp.jobs.*
  • dlp.kms.*

DLP Jobs Reader

roles/dlp.jobsReader

Read jobs

  • dlp.jobs.get
  • dlp.jobs.list

DLP Organization Data Profiles Driver

roles/dlp.orgdriver

Permissions needed by the DLP service account to generate data profiles within an organization or folder.

  • bigquery.bireservations.get
  • bigquery.capacityCommitments.get
  • bigquery.capacityCommitments.list
  • bigquery.config.get
  • bigquery.connections.updateTag
  • bigquery.datasets.create
  • bigquery.datasets.get
  • bigquery.datasets.getIamPolicy
  • bigquery.datasets.updateTag
  • bigquery.jobs.create
  • bigquery.jobs.get
  • bigquery.jobs.list
  • bigquery.jobs.listAll
  • bigquery.models.*
  • bigquery.readsessions.*
  • bigquery.reservationAssignments.list
  • bigquery.reservationAssignments.search
  • bigquery.reservations.get
  • bigquery.reservations.list
  • bigquery.routines.*
  • bigquery.savedqueries.get
  • bigquery.savedqueries.list
  • bigquery.tables.create
  • bigquery.tables.createSnapshot
  • bigquery.tables.delete
  • bigquery.tables.export
  • bigquery.tables.get
  • bigquery.tables.getData
  • bigquery.tables.getIamPolicy
  • bigquery.tables.list
  • bigquery.tables.restoreSnapshot
  • bigquery.tables.update
  • bigquery.tables.updateData
  • bigquery.tables.updateTag
  • bigquery.transfers.get
  • cloudasset.assets.*
  • datacatalog.categories.fineGrainedGet
  • datacatalog.entries.updateTag
  • datacatalog.tagTemplates.create
  • datacatalog.tagTemplates.get
  • datacatalog.tagTemplates.getTag
  • datacatalog.tagTemplates.use
  • dlp.*
  • pubsub.topics.updateTag
  • recommender.cloudAssetInsights.get
  • recommender.cloudAssetInsights.list
  • recommender.locations.*
  • resourcemanager.projects.get
  • resourcemanager.projects.list
  • serviceusage.services.use

DLP Project Data Profiles Reader

roles/dlp.projectDataProfilesReader

Read DLP project profiles.

  • dlp.projectDataProfiles.*

DLP Project Data Profiles Driver

roles/dlp.projectdriver

Permissions needed by the DLP service account to generate data profiles within a project.

  • bigquery.bireservations.get
  • bigquery.capacityCommitments.get
  • bigquery.capacityCommitments.list
  • bigquery.config.get
  • bigquery.connections.updateTag
  • bigquery.datasets.create
  • bigquery.datasets.get
  • bigquery.datasets.getIamPolicy
  • bigquery.datasets.updateTag
  • bigquery.jobs.create
  • bigquery.jobs.get
  • bigquery.jobs.list
  • bigquery.jobs.listAll
  • bigquery.models.*
  • bigquery.readsessions.*
  • bigquery.reservationAssignments.list
  • bigquery.reservationAssignments.search
  • bigquery.reservations.get
  • bigquery.reservations.list
  • bigquery.routines.*
  • bigquery.savedqueries.get
  • bigquery.savedqueries.list
  • bigquery.tables.create
  • bigquery.tables.createSnapshot
  • bigquery.tables.delete
  • bigquery.tables.export
  • bigquery.tables.get
  • bigquery.tables.getData
  • bigquery.tables.getIamPolicy
  • bigquery.tables.list
  • bigquery.tables.restoreSnapshot
  • bigquery.tables.update
  • bigquery.tables.updateData
  • bigquery.tables.updateTag
  • bigquery.transfers.get
  • cloudasset.assets.*
  • datacatalog.categories.fineGrainedGet
  • datacatalog.entries.updateTag
  • datacatalog.tagTemplates.create
  • datacatalog.tagTemplates.get
  • datacatalog.tagTemplates.getTag
  • datacatalog.tagTemplates.use
  • dlp.*
  • pubsub.topics.updateTag
  • recommender.cloudAssetInsights.get
  • recommender.cloudAssetInsights.list
  • recommender.locations.*
  • resourcemanager.projects.get
  • resourcemanager.projects.list
  • serviceusage.services.use

DLP Reader

roles/dlp.reader

Read DLP entities, such as jobs and templates.

  • dlp.analyzeRiskTemplates.get
  • dlp.analyzeRiskTemplates.list
  • dlp.deidentifyTemplates.get
  • dlp.deidentifyTemplates.list
  • dlp.inspectFindings.*
  • dlp.inspectTemplates.get
  • dlp.inspectTemplates.list
  • dlp.jobTriggers.get
  • dlp.jobTriggers.list
  • dlp.jobs.get
  • dlp.jobs.list
  • dlp.storedInfoTypes.get
  • dlp.storedInfoTypes.list

DLP Stored InfoTypes Editor

roles/dlp.storedInfoTypesEditor

Edit DLP stored info types.

  • dlp.storedInfoTypes.*

DLP Stored InfoTypes Reader

roles/dlp.storedInfoTypesReader

Read DLP stored info types.

  • dlp.storedInfoTypes.get
  • dlp.storedInfoTypes.list

DLP Table Data Profiles Reader

roles/dlp.tableDataProfilesReader

Read DLP table profiles.

  • dlp.tableDataProfiles.*

DLP User

roles/dlp.user

Inspect, Redact, and De-identify Content

  • dlp.kms.*
  • serviceusage.services.use

Cloud Domains Admin

roles/domains.admin

Full access to Cloud Domains Registrations and related resources.

  • domains.*
  • resourcemanager.projects.get
  • resourcemanager.projects.list

Cloud Domains Viewer

roles/domains.viewer

Read-only access to Cloud Domains Registrations and related resources.

  • domains.locations.*
  • domains.operations.get
  • domains.operations.list
  • domains.registrations.get
  • domains.registrations.getIamPolicy
  • domains.registrations.list
  • resourcemanager.projects.get
  • resourcemanager.projects.list

Cloud Filestore Editor

roles/file.editor

Read-write access to Filestore instances and related resources.

  • file.*

Cloud Filestore Viewer

roles/file.viewer

Read-only access to Filestore instances and related resources.

  • file.backups.get
  • file.backups.list
  • file.instances.get
  • file.instances.list
  • file.locations.*
  • file.operations.get
  • file.operations.list

Cloud Functions Admin

roles/cloudfunctions.admin

Full access to functions, operations and locations.

  • cloudbuild.builds.get
  • cloudbuild.builds.list
  • cloudfunctions.*
  • eventarc.*
  • recommender.locations.*
  • remotebuildexecution.blobs.get
  • resourcemanager.projects.get
  • resourcemanager.projects.list
  • run.*
  • serviceusage.quotas.get
  • serviceusage.services.get
  • serviceusage.services.list

Cloud Functions Developer

roles/cloudfunctions.developer

Read and write access to all functions-related resources.

  • cloudbuild.builds.get
  • cloudbuild.builds.list
  • cloudfunctions.functions.call
  • cloudfunctions.functions.create
  • cloudfunctions.functions.delete
  • cloudfunctions.functions.get
  • cloudfunctions.functions.invoke
  • cloudfunctions.functions.list
  • cloudfunctions.functions.sourceCodeGet
  • cloudfunctions.functions.sourceCodeSet
  • cloudfunctions.functions.update
  • cloudfunctions.locations.*
  • cloudfunctions.operations.*
  • eventarc.locations.*
  • eventarc.operations.*
  • eventarc.triggers.create
  • eventarc.triggers.delete
  • eventarc.triggers.get
  • eventarc.triggers.getIamPolicy
  • eventarc.triggers.list
  • eventarc.triggers.undelete
  • eventarc.triggers.update
  • recommender.locations.*
  • remotebuildexecution.blobs.get
  • resourcemanager.projects.get
  • resourcemanager.projects.list
  • run.configurations.*
  • run.locations.*
  • run.revisions.*
  • run.routes.*
  • run.services.create
  • run.services.delete
  • run.services.get
  • run.services.getIamPolicy
  • run.services.list
  • run.services.update
  • serviceusage.quotas.get
  • serviceusage.services.get
  • serviceusage.services.list

Cloud Functions Invoker

roles/cloudfunctions.invoker

Ability to invoke HTTP functions with restricted access.

  • cloudfunctions.functions.invoke

Cloud Functions Viewer

roles/cloudfunctions.viewer

Read-only access to functions and locations.

  • cloudbuild.builds.get
  • cloudbuild.builds.list
  • cloudfunctions.functions.get
  • cloudfunctions.functions.list
  • cloudfunctions.locations.*
  • cloudfunctions.operations.*
  • eventarc.locations.*
  • eventarc.operations.get
  • eventarc.operations.list
  • eventarc.triggers.get
  • eventarc.triggers.getIamPolicy
  • eventarc.triggers.list
  • recommender.locations.*
  • remotebuildexecution.blobs.get
  • resourcemanager.projects.get
  • resourcemanager.projects.list
  • run.configurations.*
  • run.locations.*
  • run.revisions.get
  • run.revisions.list
  • run.routes.get
  • run.routes.list
  • run.services.get
  • run.services.getIamPolicy
  • run.services.list
  • serviceusage.quotas.get
  • serviceusage.services.get
  • serviceusage.services.list

Game Services API Admin

roles/gameservices.admin

Full access to Game Services API and related resources.

  • gameservices.*
  • resourcemanager.projects.get
  • resourcemanager.projects.list

Game Services API Viewer

roles/gameservices.viewer

Read-only access to Game Services API and related resources.

  • gameservices.gameServerClusters.get
  • gameservices.gameServerClusters.list
  • gameservices.gameServerConfigs.get
  • gameservices.gameServerConfigs.list
  • gameservices.gameServerDeployments.get
  • gameservices.gameServerDeployments.list
  • gameservices.locations.*
  • gameservices.operations.get
  • gameservices.operations.list
  • gameservices.realms.get
  • gameservices.realms.list
  • resourcemanager.projects.get
  • resourcemanager.projects.list

Healthcare Annotation Editor

roles/healthcare.annotationEditor

Create, delete, update, read and list annotations.

  • healthcare.annotationStores.get
  • healthcare.annotationStores.list
  • healthcare.annotations.*
  • healthcare.datasets.get
  • healthcare.datasets.list
  • healthcare.locations.*
  • healthcare.operations.get
  • resourcemanager.projects.get
  • resourcemanager.projects.list

Healthcare Annotation Reader

roles/healthcare.annotationReader

Read and list annotations in an Annotation store.

  • healthcare.annotationStores.get
  • healthcare.annotationStores.list
  • healthcare.annotations.get
  • healthcare.annotations.list
  • healthcare.datasets.get
  • healthcare.datasets.list
  • healthcare.locations.*
  • healthcare.operations.get
  • resourcemanager.projects.get
  • resourcemanager.projects.list

Healthcare Annotation Administrator

roles/healthcare.annotationStoreAdmin

Administer Annotation stores.

  • healthcare.annotationStores.*
  • healthcare.datasets.get
  • healthcare.datasets.list
  • healthcare.locations.*
  • healthcare.operations.get
  • resourcemanager.projects.get
  • resourcemanager.projects.list

Healthcare Annotation Store Viewer

roles/healthcare.annotationStoreViewer

List Annotation Stores in a dataset.

  • healthcare.annotationStores.get
  • healthcare.annotationStores.list
  • healthcare.datasets.get
  • healthcare.datasets.list
  • healthcare.locations.*
  • healthcare.operations.get
  • resourcemanager.projects.get
  • resourcemanager.projects.list

Healthcare Attribute Definition Editor

roles/healthcare.attributeDefinitionEditor

Edit AttributeDefinition objects.

  • healthcare.attributeDefinitions.*
  • healthcare.consentStores.checkDataAccess
  • healthcare.consentStores.evaluateUserConsents
  • healthcare.consentStores.get
  • healthcare.consentStores.list
  • healthcare.consentStores.queryAccessibleData
  • healthcare.datasets.get
  • healthcare.datasets.list
  • healthcare.locations.*
  • healthcare.operations.get
  • resourcemanager.projects.get
  • resourcemanager.projects.list

Healthcare Attribute Definition Reader

roles/healthcare.attributeDefinitionReader

Read AttributeDefinition objects in a consent store.

  • healthcare.attributeDefinitions.get
  • healthcare.attributeDefinitions.list
  • healthcare.consentStores.checkDataAccess
  • healthcare.consentStores.evaluateUserConsents
  • healthcare.consentStores.get
  • healthcare.consentStores.list
  • healthcare.consentStores.queryAccessibleData
  • healthcare.datasets.get
  • healthcare.datasets.list
  • healthcare.locations.*
  • healthcare.operations.get
  • resourcemanager.projects.get
  • resourcemanager.projects.list

Healthcare Consent Artifact Administrator

roles/healthcare.consentArtifactAdmin

Administer ConsentArtifact objects.

  • healthcare.consentArtifacts.*
  • healthcare.consentStores.checkDataAccess
  • healthcare.consentStores.evaluateUserConsents
  • healthcare.consentStores.get
  • healthcare.consentStores.list
  • healthcare.consentStores.queryAccessibleData
  • healthcare.datasets.get
  • healthcare.datasets.list
  • healthcare.locations.*
  • healthcare.operations.get
  • resourcemanager.projects.get
  • resourcemanager.projects.list

Healthcare Consent Artifact Editor

roles/healthcare.consentArtifactEditor

Edit ConsentArtifact objects.

  • healthcare.consentArtifacts.create
  • healthcare.consentArtifacts.get
  • healthcare.consentArtifacts.list
  • healthcare.consentStores.checkDataAccess
  • healthcare.consentStores.evaluateUserConsents
  • healthcare.consentStores.get
  • healthcare.consentStores.list
  • healthcare.consentStores.queryAccessibleData
  • healthcare.datasets.get
  • healthcare.datasets.list
  • healthcare.locations.*
  • healthcare.operations.get
  • resourcemanager.projects.get
  • resourcemanager.projects.list

Healthcare Consent Artifact Reader

roles/healthcare.consentArtifactReader

Read ConsentArtifact objects in a consent store.

  • healthcare.consentArtifacts.get
  • healthcare.consentArtifacts.list
  • healthcare.consentStores.checkDataAccess
  • healthcare.consentStores.evaluateUserConsents
  • healthcare.consentStores.get
  • healthcare.consentStores.list
  • healthcare.consentStores.queryAccessibleData
  • healthcare.datasets.get
  • healthcare.datasets.list
  • healthcare.locations.*
  • healthcare.operations.get
  • resourcemanager.projects.get
  • resourcemanager.projects.list

Healthcare Consent Editor

roles/healthcare.consentEditor

Edit Consent objects.

  • healthcare.consentStores.checkDataAccess
  • healthcare.consentStores.evaluateUserConsents
  • healthcare.consentStores.get
  • healthcare.consentStores.list
  • healthcare.consentStores.queryAccessibleData
  • healthcare.consents.*
  • healthcare.datasets.get
  • healthcare.datasets.list
  • healthcare.locations.*
  • healthcare.operations.get
  • resourcemanager.projects.get
  • resourcemanager.projects.list

Healthcare Consent Reader

roles/healthcare.consentReader

Read Consent objects in a consent store.

  • healthcare.consentStores.checkDataAccess
  • healthcare.consentStores.evaluateUserConsents
  • healthcare.consentStores.get
  • healthcare.consentStores.list
  • healthcare.consentStores.queryAccessibleData
  • healthcare.consents.get
  • healthcare.consents.list
  • healthcare.datasets.get
  • healthcare.datasets.list
  • healthcare.locations.*
  • healthcare.operations.get
  • resourcemanager.projects.get
  • resourcemanager.projects.list

Healthcare Consent Store Administrator

roles/healthcare.consentStoreAdmin

Administer Consent stores.

  • healthcare.consentStores.*
  • healthcare.datasets.get
  • healthcare.datasets.list
  • healthcare.locations.*
  • healthcare.operations.get
  • resourcemanager.projects.get
  • resourcemanager.projects.list

Healthcare Consent Store Viewer

roles/healthcare.consentStoreViewer

List Consent Stores in a dataset.

  • healthcare.consentStores.checkDataAccess
  • healthcare.consentStores.evaluateUserConsents
  • healthcare.consentStores.get
  • healthcare.consentStores.list
  • healthcare.consentStores.queryAccessibleData
  • healthcare.datasets.get
  • healthcare.datasets.list
  • healthcare.locations.*
  • healthcare.operations.get
  • resourcemanager.projects.get
  • resourcemanager.projects.list

Healthcare Dataset Administrator

roles/healthcare.datasetAdmin

Administer Healthcare Datasets.

  • healthcare.datasets.*
  • healthcare.locations.*
  • healthcare.operations.*
  • resourcemanager.projects.get
  • resourcemanager.projects.list

Healthcare Dataset Viewer

roles/healthcare.datasetViewer

List the Healthcare Datasets in a project.

  • healthcare.datasets.get
  • healthcare.datasets.list
  • healthcare.locations.*
  • healthcare.operations.get
  • resourcemanager.projects.get
  • resourcemanager.projects.list

Healthcare DICOM Editor

roles/healthcare.dicomEditor

Edit DICOM images individually and in bulk.

  • healthcare.datasets.get
  • healthcare.datasets.list
  • healthcare.dicomStores.dicomWebDelete
  • healthcare.dicomStores.dicomWebRead
  • healthcare.dicomStores.dicomWebWrite
  • healthcare.dicomStores.export
  • healthcare.dicomStores.get
  • healthcare.dicomStores.import
  • healthcare.dicomStores.list
  • healthcare.locations.*
  • healthcare.operations.cancel
  • healthcare.operations.get
  • resourcemanager.projects.get
  • resourcemanager.projects.list

Healthcare DICOM Store Administrator

roles/healthcare.dicomStoreAdmin

Administer DICOM stores.

  • healthcare.datasets.get
  • healthcare.datasets.list
  • healthcare.dicomStores.create
  • healthcare.dicomStores.deidentify
  • healthcare.dicomStores.delete
  • healthcare.dicomStores.dicomWebDelete
  • healthcare.dicomStores.get
  • healthcare.dicomStores.getIamPolicy
  • healthcare.dicomStores.list
  • healthcare.dicomStores.setIamPolicy
  • healthcare.dicomStores.update
  • healthcare.locations.*
  • healthcare.operations.cancel
  • healthcare.operations.get
  • resourcemanager.projects.get
  • resourcemanager.projects.list

Healthcare DICOM Store Viewer

roles/healthcare.dicomStoreViewer

List DICOM Stores in a dataset.

  • healthcare.datasets.get
  • healthcare.datasets.list
  • healthcare.dicomStores.get
  • healthcare.dicomStores.list
  • healthcare.locations.*
  • healthcare.operations.get
  • resourcemanager.projects.get
  • resourcemanager.projects.list

Healthcare DICOM Viewer

roles/healthcare.dicomViewer

Retrieve DICOM images from a DICOM store.

  • healthcare.datasets.get
  • healthcare.datasets.list
  • healthcare.dicomStores.dicomWebRead
  • healthcare.dicomStores.export
  • healthcare.dicomStores.get
  • healthcare.dicomStores.list
  • healthcare.locations.*
  • healthcare.operations.get
  • resourcemanager.projects.get
  • resourcemanager.projects.list

Healthcare FHIR Resource Editor

roles/healthcare.fhirResourceEditor

Create, delete, update, read and search FHIR resources.

  • healthcare.datasets.get
  • healthcare.datasets.list
  • healthcare.fhirResources.create
  • healthcare.fhirResources.delete
  • healthcare.fhirResources.get
  • healthcare.fhirResources.patch
  • healthcare.fhirResources.translateConceptMap
  • healthcare.fhirResources.update
  • healthcare.fhirStores.executeBundle
  • healthcare.fhirStores.get
  • healthcare.fhirStores.list
  • healthcare.fhirStores.searchResources
  • healthcare.locations.*
  • healthcare.operations.cancel
  • healthcare.operations.get
  • resourcemanager.projects.get
  • resourcemanager.projects.list

Healthcare FHIR Resource Reader

roles/healthcare.fhirResourceReader

Read and search FHIR resources.

  • healthcare.datasets.get
  • healthcare.datasets.list
  • healthcare.fhirResources.get
  • healthcare.fhirResources.translateConceptMap
  • healthcare.fhirStores.executeBundle
  • healthcare.fhirStores.get
  • healthcare.fhirStores.list
  • healthcare.fhirStores.searchResources
  • healthcare.locations.*
  • healthcare.operations.get
  • resourcemanager.projects.get
  • resourcemanager.projects.list

Healthcare FHIR Store Administrator

roles/healthcare.fhirStoreAdmin

Administer FHIR resource stores.

  • healthcare.datasets.get
  • healthcare.datasets.list
  • healthcare.fhirResources.purge
  • healthcare.fhirStores.configureSearch
  • healthcare.fhirStores.create
  • healthcare.fhirStores.deidentify
  • healthcare.fhirStores.delete
  • healthcare.fhirStores.export
  • healthcare.fhirStores.get
  • healthcare.fhirStores.getIamPolicy
  • healthcare.fhirStores.import
  • healthcare.fhirStores.list
  • healthcare.fhirStores.setIamPolicy
  • healthcare.fhirStores.update
  • healthcare.locations.*
  • healthcare.operations.cancel
  • healthcare.operations.get
  • resourcemanager.projects.get
  • resourcemanager.projects.list

Healthcare FHIR Store Viewer

roles/healthcare.fhirStoreViewer

List FHIR Stores in a dataset.

  • healthcare.datasets.get
  • healthcare.datasets.list
  • healthcare.fhirStores.get
  • healthcare.fhirStores.list
  • healthcare.locations.*
  • healthcare.operations.get
  • resourcemanager.projects.get
  • resourcemanager.projects.list

Healthcare HL7v2 Message Consumer

roles/healthcare.hl7V2Consumer

List and read HL7v2 messages, update message labels, and publish new messages.

  • healthcare.datasets.get
  • healthcare.datasets.list
  • healthcare.hl7V2Messages.create
  • healthcare.hl7V2Messages.get
  • healthcare.hl7V2Messages.list
  • healthcare.hl7V2Messages.update
  • healthcare.hl7V2Stores.get
  • healthcare.hl7V2Stores.list
  • healthcare.locations.*
  • healthcare.operations.get
  • resourcemanager.projects.get
  • resourcemanager.projects.list

Healthcare HL7v2 Message Editor

roles/healthcare.hl7V2Editor

Read, write, and delete access to HL7v2 messages.

  • healthcare.datasets.get
  • healthcare.datasets.list
  • healthcare.hl7V2Messages.*
  • healthcare.hl7V2Stores.get
  • healthcare.hl7V2Stores.list
  • healthcare.locations.*
  • healthcare.operations.cancel
  • healthcare.operations.get
  • resourcemanager.projects.get
  • resourcemanager.projects.list

Healthcare HL7v2 Message Ingest

roles/healthcare.hl7V2Ingest

Ingest HL7v2 messages received from a source network.

  • healthcare.datasets.get
  • healthcare.datasets.list
  • healthcare.hl7V2Messages.ingest
  • healthcare.hl7V2Stores.get
  • healthcare.hl7V2Stores.list
  • healthcare.locations.*
  • healthcare.operations.get
  • resourcemanager.projects.get
  • resourcemanager.projects.list

Healthcare HL7v2 Store Administrator

roles/healthcare.hl7V2StoreAdmin

Administer HL7v2 Stores.

  • healthcare.datasets.get
  • healthcare.datasets.list
  • healthcare.hl7V2Stores.*
  • healthcare.locations.*
  • healthcare.operations.cancel
  • healthcare.operations.get
  • resourcemanager.projects.get
  • resourcemanager.projects.list

Healthcare HL7v2 Store Viewer

roles/healthcare.hl7V2StoreViewer

View HL7v2 Stores in a dataset.

  • healthcare.datasets.get
  • healthcare.datasets.list
  • healthcare.hl7V2Stores.get
  • healthcare.hl7V2Stores.list
  • healthcare.locations.*
  • healthcare.operations.get
  • resourcemanager.projects.get
  • resourcemanager.projects.list

Healthcare NLP Service Viewer

roles/healthcare.nlpServiceViewer

Extract and analyze medical entities from a given text.

  • healthcare.locations.*
  • resourcemanager.projects.get
  • resourcemanager.projects.list

Healthcare User Data Mapping Editor

roles/healthcare.userDataMappingEditor

Edit UserDataMapping objects.

  • healthcare.consentStores.checkDataAccess
  • healthcare.consentStores.evaluateUserConsents
  • healthcare.consentStores.get
  • healthcare.consentStores.list
  • healthcare.consentStores.queryAccessibleData
  • healthcare.datasets.get
  • healthcare.datasets.list
  • healthcare.locations.*
  • healthcare.operations.get
  • healthcare.userDataMappings.*
  • resourcemanager.projects.get
  • resourcemanager.projects.list

Healthcare User Data Mapping Reader

roles/healthcare.userDataMappingReader

Read UserDataMapping objects in a consent store.

  • healthcare.consentStores.checkDataAccess
  • healthcare.consentStores.evaluateUserConsents
  • healthcare.consentStores.get
  • healthcare.consentStores.list
  • healthcare.consentStores.queryAccessibleData
  • healthcare.datasets.get
  • healthcare.datasets.list
  • healthcare.locations.*
  • healthcare.operations.get
  • healthcare.userDataMappings.get
  • healthcare.userDataMappings.list
  • resourcemanager.projects.get
  • resourcemanager.projects.list

IAP Policy Admin

roles/iap.admin

Provides full access to Identity-Aware Proxy resources.

  • iap.tunnel.*
  • iap.tunnelInstances.getIamPolicy
  • iap.tunnelInstances.setIamPolicy
  • iap.tunnelZones.*
  • iap.web.getIamPolicy
  • iap.web.setIamPolicy
  • iap.webServiceVersions.getIamPolicy
  • iap.webServiceVersions.setIamPolicy
  • iap.webServices.getIamPolicy
  • iap.webServices.setIamPolicy
  • iap.webTypes.getIamPolicy
  • iap.webTypes.setIamPolicy

IAP-secured Web App User

roles/iap.httpsResourceAccessor

Provides permission to access HTTPS resources which use Identity-Aware Proxy.

  • iap.webServiceVersions.accessViaIAP

IAP Settings Admin

roles/iap.settingsAdmin

Administrator of IAP Settings.

  • iap.projects.*
  • iap.web.getSettings
  • iap.web.updateSettings
  • iap.webServiceVersions.getSettings
  • iap.webServiceVersions.updateSettings
  • iap.webServices.getSettings
  • iap.webServices.updateSettings
  • iap.webTypes.getSettings
  • iap.webTypes.updateSettings

IAP-secured Tunnel User

roles/iap.tunnelResourceAccessor

Access Tunnel resources which use Identity-Aware Proxy

  • iap.tunnelInstances.accessViaIAP

Cloud IoT Admin

roles/cloudiot.admin

Full control of all Cloud IoT resources and permissions.

  • cloudiot.*
  • cloudiottoken.*

Cloud IoT Device Controller

roles/cloudiot.deviceController

Access to update the device configuration, but not to create or delete devices.

  • cloudiot.devices.get
  • cloudiot.devices.list
  • cloudiot.devices.sendCommand
  • cloudiot.devices.updateConfig
  • cloudiot.registries.get
  • cloudiot.registries.list
  • cloudiottoken.tokensettings.get

Cloud IoT Editor

roles/cloudiot.editor

Read-write access to all Cloud IoT resources.

  • cloudiot.devices.*
  • cloudiot.registries.create
  • cloudiot.registries.delete
  • cloudiot.registries.get
  • cloudiot.registries.list
  • cloudiot.registries.update
  • cloudiottoken.*

Cloud IoT Provisioner

roles/cloudiot.provisioner

Access to create and delete devices from registries, but not to modify the registries, and to enable devices to publish to topics associated with the IoT registry.

  • cloudiot.devices.*
  • cloudiot.registries.get
  • cloudiot.registries.list
  • cloudiottoken.tokensettings.get

Cloud IoT Viewer

roles/cloudiot.viewer

Read-only access to all Cloud IoT resources.

  • cloudiot.devices.get
  • cloudiot.devices.list
  • cloudiot.registries.get
  • cloudiot.registries.list
  • cloudiottoken.tokensettings.get

Cloud KMS Admin

roles/cloudkms.admin

Provides full access to Cloud KMS resources, except encrypt and decrypt operations.

  • cloudkms.cryptoKeyVersions.create
  • cloudkms.cryptoKeyVersions.destroy
  • cloudkms.cryptoKeyVersions.get
  • cloudkms.cryptoKeyVersions.list
  • cloudkms.cryptoKeyVersions.restore
  • cloudkms.cryptoKeyVersions.update
  • cloudkms.cryptoKeys.*
  • cloudkms.importJobs.*
  • cloudkms.keyRings.*
  • cloudkms.locations.get
  • cloudkms.locations.list
  • resourcemanager.projects.get

Cloud KMS CryptoKey Decrypter

roles/cloudkms.cryptoKeyDecrypter

Provides ability to use Cloud KMS resources for decrypt operations only.

  • cloudkms.cryptoKeyVersions.useToDecrypt
  • cloudkms.locations.get
  • cloudkms.locations.list
  • resourcemanager.projects.get

Cloud KMS CryptoKey Encrypter

roles/cloudkms.cryptoKeyEncrypter

Provides ability to use Cloud KMS resources for encrypt operations only.

  • cloudkms.cryptoKeyVersions.useToEncrypt
  • cloudkms.locations.get
  • cloudkms.locations.list
  • resourcemanager.projects.get

Cloud KMS CryptoKey Encrypter/Decrypter

roles/cloudkms.cryptoKeyEncrypterDecrypter

Provides ability to use Cloud KMS resources for encrypt and decrypt operations only.

  • cloudkms.cryptoKeyVersions.useToDecrypt
  • cloudkms.cryptoKeyVersions.useToEncrypt
  • cloudkms.locations.get
  • cloudkms.locations.list
  • resourcemanager.projects.get

Cloud KMS Crypto Operator

roles/cloudkms.cryptoOperator

Enables all Crypto Operations.

  • cloudkms.cryptoKeyVersions.useToDecrypt
  • cloudkms.cryptoKeyVersions.useToEncrypt
  • cloudkms.cryptoKeyVersions.useToSign
  • cloudkms.cryptoKeyVersions.useToVerify
  • cloudkms.cryptoKeyVersions.viewPublicKey
  • cloudkms.locations.*
  • resourcemanager.projects.get

Cloud KMS Importer

roles/cloudkms.importer

Enables ImportCryptoKeyVersion, CreateImportJob, ListImportJobs, and GetImportJob operations

  • cloudkms.importJobs.create
  • cloudkms.importJobs.get
  • cloudkms.importJobs.list
  • cloudkms.importJobs.useToImport
  • cloudkms.locations.get
  • cloudkms.locations.list
  • resourcemanager.projects.get

Cloud KMS CryptoKey Public Key Viewer

roles/cloudkms.publicKeyViewer

Enables GetPublicKey operations

  • cloudkms.cryptoKeyVersions.viewPublicKey
  • cloudkms.locations.get
  • cloudkms.locations.list
  • resourcemanager.projects.get

Cloud KMS CryptoKey Signer

roles/cloudkms.signer

Enables Sign operations

  • cloudkms.cryptoKeyVersions.useToSign
  • cloudkms.locations.get
  • cloudkms.locations.list
  • resourcemanager.projects.get

Cloud KMS CryptoKey Signer/Verifier

roles/cloudkms.signerVerifier

Enables Sign, Verify, and GetPublicKey operations

  • cloudkms.cryptoKeyVersions.useToSign
  • cloudkms.cryptoKeyVersions.useToVerify
  • cloudkms.cryptoKeyVersions.viewPublicKey
  • cloudkms.locations.get
  • cloudkms.locations.list
  • resourcemanager.projects.get

Cloud KMS CryptoKey Verifier

roles/cloudkms.verifier

Enables Verify and GetPublicKey operations

  • cloudkms.cryptoKeyVersions.useToVerify
  • cloudkms.cryptoKeyVersions.viewPublicKey
  • cloudkms.locations.get
  • cloudkms.locations.list
  • resourcemanager.projects.get

Cloud Life Sciences Admin

roles/lifesciences.admin

Full control of Cloud Life Sciences resources.

  • lifesciences.*

Cloud Life Sciences Editor

roles/lifesciences.editor

Access to read and edit Cloud Life Sciences resources.

  • lifesciences.*

Cloud Life Sciences Viewer

roles/lifesciences.viewer

Access to read Cloud Life Sciences resources.

  • lifesciences.operations.get
  • lifesciences.operations.list
  • resourcemanager.projects.get
  • resourcemanager.projects.list

Cloud Life Sciences Workflows Runner

roles/lifesciences.workflowsRunner

Full access to operate on Cloud Life Sciences workflows.

  • lifesciences.*

Google Cloud Managed Identities Admin

roles/managedidentities.admin

Full access to Google Cloud Managed Identities Domains and related resources. Intended to be granted at the project level.

  • managedidentities.*
  • resourcemanager.projects.get
  • resourcemanager.projects.list

Google Cloud Managed Identities Domain Admin

roles/managedidentities.domainAdmin

Read, update, and delete access to Google Cloud Managed Identities Domains and related resources. Intended to be granted at the resource (domain) level.

  • managedidentities.domains.attachTrust
  • managedidentities.domains.delete
  • managedidentities.domains.detachTrust
  • managedidentities.domains.get
  • managedidentities.domains.getIamPolicy
  • managedidentities.domains.reconfigureTrust
  • managedidentities.domains.resetpassword
  • managedidentities.domains.update
  • managedidentities.domains.updateLDAPSSettings
  • managedidentities.domains.validateTrust
  • managedidentities.locations.*
  • managedidentities.operations.get
  • managedidentities.operations.list
  • managedidentities.sqlintegrations.*
  • resourcemanager.projects.get
  • resourcemanager.projects.list

Google Cloud Managed Identities Peering Admin

roles/managedidentities.peeringAdmin

Full access to Google Cloud Managed Identities Domains and related resources. Intended to be granted at the project level.

  • managedidentities.locations.*
  • managedidentities.operations.*
  • managedidentities.peerings.*
  • resourcemanager.projects.get
  • resourcemanager.projects.list

Google Cloud Managed Identities Peering Viewer

roles/managedidentities.peeringViewer

Read-only access to Google Cloud Managed Identities Peering and related resources.

  • managedidentities.locations.*
  • managedidentities.operations.get
  • managedidentities.operations.list
  • managedidentities.peerings.get
  • managedidentities.peerings.getIamPolicy
  • managedidentities.peerings.list
  • resourcemanager.projects.get
  • resourcemanager.projects.list

Google Cloud Managed Identities Viewer

roles/managedidentities.viewer

Read-only access to Google Cloud Managed Identities Domains and related resources.

  • managedidentities.domains.get
  • managedidentities.domains.getIamPolicy
  • managedidentities.domains.list
  • managedidentities.locations.*
  • managedidentities.operations.get
  • managedidentities.operations.list
  • managedidentities.peerings.get
  • managedidentities.peerings.getIamPolicy
  • managedidentities.peerings.list
  • managedidentities.sqlintegrations.*
  • resourcemanager.projects.get
  • resourcemanager.projects.list

Commerce Offer Catalog Offers Viewer

roles/commerceoffercatalog.offersViewer

Allows viewing offers

  • commerceoffercatalog.*

Commerce Price Management Private Offers Admin

roles/commercepricemanagement.privateOffersAdmin

Allows managing private offers

  • commerceprice.*
  • resourcemanager.projects.get
  • resourcemanager.projects.list
  • serviceusage.services.get
  • serviceusage.services.list

Commerce Price Management Viewer

roles/commercepricemanagement.viewer

Allows viewing offers, free trials, and SKUs

  • commerceprice.privateoffers.get
  • commerceprice.privateoffers.list
  • resourcemanager.projects.get
  • resourcemanager.projects.list
  • serviceusage.services.get
  • serviceusage.services.list

Consumer Procurement Entitlement Manager

roles/consumerprocurement.entitlementManager

Allows managing entitlements and enabling, disabling, and inspecting service states for a consumer project.

  • consumerprocurement.entitlements.*
  • consumerprocurement.freeTrials.*
  • resourcemanager.projects.get
  • resourcemanager.projects.list
  • serviceusage.operations.get
  • serviceusage.services.disable
  • serviceusage.services.enable
  • serviceusage.services.get
  • serviceusage.services.list

Consumer Procurement Entitlement Viewer

roles/consumerprocurement.entitlementViewer

Allows inspecting entitlements and service states for a consumer project.

  • consumerprocurement.entitlements.*
  • consumerprocurement.freeTrials.get
  • consumerprocurement.freeTrials.list
  • resourcemanager.projects.get
  • resourcemanager.projects.list
  • serviceusage.services.get
  • serviceusage.services.list

Consumer Procurement Order Administrator

roles/consumerprocurement.orderAdmin

Allows managing purchases.

  • commerceoffercatalog.*
  • consumerprocurement.accounts.*
  • consumerprocurement.orders.*

Consumer Procurement Order Viewer

roles/consumerprocurement.orderViewer

Allows inspecting purchases.

  • commerceoffercatalog.*
  • consumerprocurement.accounts.get
  • consumerprocurement.accounts.list
  • consumerprocurement.orders.get
  • consumerprocurement.orders.list

Velostrata Manager

roles/cloudmigration.inframanager

Ability to create and manage Compute VMs to run Velostrata Infrastructure

  • cloudmigration.*
  • compute.addresses.*
  • compute.diskTypes.*
  • compute.disks.create
  • compute.disks.createSnapshot
  • compute.disks.delete
  • compute.disks.get
  • compute.disks.list
  • compute.disks.setLabels
  • compute.disks.update
  • compute.disks.use
  • compute.disks.useReadOnly
  • compute.globalOperations.get
  • compute.images.get
  • compute.images.list
  • compute.images.useReadOnly
  • compute.instances.attachDisk
  • compute.instances.create
  • compute.instances.delete
  • compute.instances.detachDisk
  • compute.instances.get
  • compute.instances.getSerialPortOutput
  • compute.instances.list
  • compute.instances.reset
  • compute.instances.setDiskAutoDelete
  • compute.instances.setLabels
  • compute.instances.setMachineType
  • compute.instances.setMetadata
  • compute.instances.setMinCpuPlatform
  • compute.instances.setScheduling
  • compute.instances.setServiceAccount
  • compute.instances.setTags
  • compute.instances.start
  • compute.instances.startWithEncryptionKey
  • compute.instances.stop
  • compute.instances.update
  • compute.instances.updateNetworkInterface
  • compute.instances.updateShieldedInstanceConfig
  • compute.instances.use
  • compute.licenseCodes.get
  • compute.licenseCodes.list
  • compute.licenseCodes.update
  • compute.licenseCodes.use
  • compute.licenses.get
  • compute.licenses.list
  • compute.machineTypes.*
  • compute.networks.get
  • compute.networks.list
  • compute.networks.use
  • compute.networks.useExternalIp
  • compute.nodeGroups.get
  • compute.nodeGroups.list
  • compute.nodeTemplates.list
  • compute.projects.get
  • compute.regionOperations.get
  • compute.regions.*
  • compute.snapshots.create
  • compute.snapshots.delete
  • compute.snapshots.get
  • compute.snapshots.setLabels
  • compute.snapshots.useReadOnly
  • compute.subnetworks.get
  • compute.subnetworks.list
  • compute.subnetworks.use
  • compute.subnetworks.useExternalIp
  • compute.zoneOperations.get
  • compute.zones.*
  • gkehub.endpoints.*
  • iam.serviceAccounts.get
  • iam.serviceAccounts.list
  • resourcemanager.projects.get
  • storage.buckets.create
  • storage.buckets.delete
  • storage.buckets.get
  • storage.buckets.list
  • storage.buckets.update

Velostrata Storage Access

roles/cloudmigration.storageaccess

Ability to access migration storage

  • storage.objects.create
  • storage.objects.delete
  • storage.objects.get
  • storage.objects.list
  • storage.objects.update

Velostrata Manager Connection Agent

roles/cloudmigration.velostrataconnect

Ability to set up a connection between Velostrata Manager and Google

  • cloudmigration.*
  • gkehub.endpoints.*

VM Migration Administrator

roles/vmmigration.admin

Ability to view and edit all VM Migration objects

  • vmmigration.*

VM Migration Viewer

roles/vmmigration.viewer

Ability to view all VM Migration objects

  • vmmigration.cloneJobs.get
  • vmmigration.cloneJobs.list
  • vmmigration.cutoverJobs.get
  • vmmigration.cutoverJobs.list
  • vmmigration.datacenterConnectors.get
  • vmmigration.datacenterConnectors.list
  • vmmigration.deployments.get
  • vmmigration.deployments.list
  • vmmigration.groups.get
  • vmmigration.groups.list
  • vmmigration.locations.*
  • vmmigration.migratingVms.get
  • vmmigration.migratingVms.list
  • vmmigration.operations.get
  • vmmigration.operations.list
  • vmmigration.sources.get
  • vmmigration.sources.list
  • vmmigration.targets.get
  • vmmigration.targets.list
  • vmmigration.utilizationReports.get
  • vmmigration.utilizationReports.list

Catalog Consumer

roles/cloudprivatecatalog.consumer

Can browse catalogs in the target resource context.

  • cloudprivatecatalog.*
  • resourcemanager.projects.get
  • resourcemanager.projects.list

Catalog Admin

roles/cloudprivatecatalogproducer.admin

Can manage catalog and view its associations.

  • cloudprivatecatalog.*
  • cloudprivatecatalogproducer.associations.*
  • cloudprivatecatalogproducer.catalogAssociations.*
  • cloudprivatecatalogproducer.catalogs.*
  • cloudprivatecatalogproducer.producerCatalogs.*
  • cloudprivatecatalogproducer.products.*
  • cloudprivatecatalogproducer.targets.*
  • resourcemanager.folders.get
  • resourcemanager.folders.list
  • resourcemanager.organizations.get
  • resourcemanager.projects.get
  • resourcemanager.projects.list

Catalog Manager

roles/cloudprivatecatalogproducer.manager

Can manage associations between a catalog and a target resource.

  • cloudprivatecatalog.*
  • cloudprivatecatalogproducer.associations.*
  • cloudprivatecatalogproducer.catalogAssociations.*
  • cloudprivatecatalogproducer.catalogs.get
  • cloudprivatecatalogproducer.catalogs.list
  • cloudprivatecatalogproducer.producerCatalogs.get
  • cloudprivatecatalogproducer.producerCatalogs.list
  • cloudprivatecatalogproducer.targets.*
  • resourcemanager.folders.get
  • resourcemanager.folders.list
  • resourcemanager.organizations.get
  • resourcemanager.projects.get
  • resourcemanager.projects.list

Catalog Org Admin

roles/cloudprivatecatalogproducer.orgAdmin

Can manage catalog org settings.

  • cloudprivatecatalog.*
  • cloudprivatecatalogproducer.*
  • resourcemanager.folders.get
  • resourcemanager.folders.list
  • resourcemanager.organizations.get
  • resourcemanager.projects.get
  • resourcemanager.projects.list

Cloud Profiler Agent

roles/cloudprofiler.agent

Cloud Profiler agents are allowed to register and provide the profiling data.

  • cloudprofiler.profiles.create
  • cloudprofiler.profiles.update

Cloud Profiler User

roles/cloudprofiler.user

Cloud Profiler users are allowed to query and view the profiling data.

  • cloudprofiler.profiles.list
  • resourcemanager.projects.get
  • resourcemanager.projects.list
  • serviceusage.quotas.get
  • serviceusage.services.get
  • serviceusage.services.list

Cloud Run Admin

roles/run.admin

Full control over all Cloud Run resources.

  • recommender.locations.*
  • resourcemanager.projects.get
  • resourcemanager.projects.list
  • run.*

Cloud Run Developer

roles/run.developer

Read and write access to all Cloud Run resources.

  • recommender.locations.*
  • resourcemanager.projects.get
  • resourcemanager.projects.list
  • run.configurations.*
  • run.locations.*
  • run.revisions.*
  • run.routes.*
  • run.services.create
  • run.services.delete
  • run.services.get
  • run.services.getIamPolicy
  • run.services.list
  • run.services.update

Cloud Run Invoker

roles/run.invoker

Can invoke a Cloud Run service.

  • run.routes.invoke

Cloud Run Viewer

roles/run.viewer

Can view the state of all Cloud Run resources, including IAM policies.

  • recommender.locations.*
  • resourcemanager.projects.get
  • resourcemanager.projects.list
  • run.configurations.*
  • run.locations.*
  • run.revisions.get
  • run.revisions.list
  • run.routes.get
  • run.routes.list
  • run.services.get
  • run.services.getIamPolicy
  • run.services.list

Cloud Scheduler Admin

roles/cloudscheduler.admin

Full access to jobs and executions. Note that a Cloud Scheduler Admin (or any custom role with the permission cloudscheduler.jobs.create) can create jobs that publish to any Pub/Sub topics within the project.

  • appengine.applications.get
  • cloudscheduler.*
  • resourcemanager.projects.get
  • resourcemanager.projects.list
  • serviceusage.services.get
  • serviceusage.services.list

Cloud Scheduler Job Runner

roles/cloudscheduler.jobRunner

Access to run jobs.

  • appengine.applications.get
  • cloudscheduler.jobs.fullView
  • cloudscheduler.jobs.run
  • resourcemanager.projects.get
  • resourcemanager.projects.list
  • serviceusage.services.get
  • serviceusage.services.list

Cloud Scheduler Viewer

roles/cloudscheduler.viewer

Get and list access to jobs, executions, and locations.

  • appengine.applications.get
  • cloudscheduler.jobs.fullView
  • cloudscheduler.jobs.get
  • cloudscheduler.jobs.list
  • cloudscheduler.locations.*
  • resourcemanager.projects.get
  • resourcemanager.projects.list
  • serviceusage.services.get
  • serviceusage.services.list

Web Security Scanner Editor

roles/cloudsecurityscanner.editor

Full access to all Web Security Scanner resources

  • appengine.applications.get
  • cloudsecurityscanner.*
  • compute.addresses.list
  • resourcemanager.projects.get
  • resourcemanager.projects.list
  • serviceusage.quotas.get
  • serviceusage.services.get
  • serviceusage.services.list

Web Security Scanner Runner

roles/cloudsecurityscanner.runner

Read access to Scan and ScanRun, plus the ability to start scans

  • cloudsecurityscanner.crawledurls.*
  • cloudsecurityscanner.scanruns.get
  • cloudsecurityscanner.scanruns.list
  • cloudsecurityscanner.scanruns.stop
  • cloudsecurityscanner.scans.get
  • cloudsecurityscanner.scans.list
  • cloudsecurityscanner.scans.run

Web Security Scanner Viewer

roles/cloudsecurityscanner.viewer

Read access to all Web Security Scanner resources

  • cloudsecurityscanner.crawledurls.*
  • cloudsecurityscanner.results.*
  • cloudsecurityscanner.scanruns.get
  • cloudsecurityscanner.scanruns.getSummary
  • cloudsecurityscanner.scanruns.list
  • cloudsecurityscanner.scans.get
  • cloudsecurityscanner.scans.list
  • serviceusage.quotas.get
  • serviceusage.services.get
  • serviceusage.services.list

Service Broker Admin

roles/servicebroker.admin

Full access to ServiceBroker resources.

  • servicebroker.*

Service Broker Operator

roles/servicebroker.operator

Operational access to the ServiceBroker resources.

  • servicebroker.bindingoperations.*
  • servicebroker.bindings.create
  • servicebroker.bindings.delete
  • servicebroker.bindings.get
  • servicebroker.bindings.list
  • servicebroker.catalogs.create
  • servicebroker.catalogs.delete
  • servicebroker.catalogs.get
  • servicebroker.catalogs.list
  • servicebroker.instanceoperations.*
  • servicebroker.instances.create
  • servicebroker.instances.delete
  • servicebroker.instances.get
  • servicebroker.instances.list
  • servicebroker.instances.update

Cloud Spanner Admin

roles/spanner.admin

Has complete access to all Cloud Spanner resources in a Google Cloud project. A principal with this role can: Grant and revoke permissions to other principals for all Cloud Spanner resources in the project. Allocate and delete chargeable Cloud Spanner resources. Issue get/list/modify operations on Cloud Spanner resources. Read from and write to all Cloud Spanner databases in the project. Fetch project metadata.

  • monitoring.timeSeries.list
  • resourcemanager.projects.get
  • resourcemanager.projects.list
  • spanner.*

Cloud Spanner Backup Admin

roles/spanner.backupAdmin

A principal with this role can: Create, view, update, and delete backups. View and manage a backup's IAM policy. This role cannot restore a database from a backup.

  • monitoring.timeSeries.list
  • resourcemanager.projects.get
  • resourcemanager.projects.list
  • spanner.backupOperations.*
  • spanner.backups.create
  • spanner.backups.delete
  • spanner.backups.get
  • spanner.backups.getIamPolicy
  • spanner.backups.list
  • spanner.backups.setIamPolicy
  • spanner.backups.update
  • spanner.databases.createBackup
  • spanner.databases.get
  • spanner.databases.list
  • spanner.instances.get
  • spanner.instances.list

Cloud Spanner Backup Writer

roles/spanner.backupWriter

This role is intended to be used by scripts that automate backup creation. A principal with this role can create backups, but cannot update or delete them.

  • spanner.backupOperations.get
  • spanner.backupOperations.list
  • spanner.backups.create
  • spanner.backups.get
  • spanner.backups.list
  • spanner.databases.createBackup
  • spanner.databases.get
  • spanner.databases.list
  • spanner.instances.get

Cloud Spanner Database Admin

roles/spanner.databaseAdmin

A principal with this role can: Get/list all Cloud Spanner instances in the project. Create/list/drop databases in an instance. Grant/revoke access to databases in the project. Read from and write to all Cloud Spanner databases in the project.

  • monitoring.timeSeries.list
  • resourcemanager.projects.get
  • resourcemanager.projects.list
  • spanner.databaseOperations.*
  • spanner.databases.beginOrRollbackReadWriteTransaction
  • spanner.databases.beginPartitionedDmlTransaction
  • spanner.databases.beginReadOnlyTransaction
  • spanner.databases.create
  • spanner.databases.drop
  • spanner.databases.get
  • spanner.databases.getDdl
  • spanner.databases.getIamPolicy
  • spanner.databases.list
  • spanner.databases.partitionQuery
  • spanner.databases.partitionRead
  • spanner.databases.read
  • spanner.databases.select
  • spanner.databases.setIamPolicy
  • spanner.databases.update
  • spanner.databases.updateDdl
  • spanner.databases.write
  • spanner.instances.get
  • spanner.instances.getIamPolicy
  • spanner.instances.list
  • spanner.sessions.*

Cloud Spanner Database Reader

roles/spanner.databaseReader

A principal with this role can: Read from the Cloud Spanner database. Execute SQL queries on the database. View schema for the database.

  • spanner.databases.beginReadOnlyTransaction
  • spanner.databases.getDdl
  • spanner.databases.partitionQuery
  • spanner.databases.partitionRead
  • spanner.databases.read
  • spanner.databases.select
  • spanner.instances.get
  • spanner.sessions.*

Cloud Spanner Database User

roles/spanner.databaseUser

A principal with this role can: Read from and write to the Cloud Spanner database. Execute SQL queries on the database, including DML and Partitioned DML. View and update schema for the database.

  • spanner.databaseOperations.*
  • spanner.databases.beginOrRollbackReadWriteTransaction
  • spanner.databases.beginPartitionedDmlTransaction
  • spanner.databases.beginReadOnlyTransaction
  • spanner.databases.getDdl
  • spanner.databases.partitionQuery
  • spanner.databases.partitionRead
  • spanner.databases.read
  • spanner.databases.select
  • spanner.databases.updateDdl
  • spanner.databases.write
  • spanner.instances.get
  • spanner.sessions.*

Cloud Spanner Restore Admin

roles/spanner.restoreAdmin

A principal with this role can restore databases from backups. If you need to restore a backup to a different instance, apply this role at the project level or to both instances. This role cannot create backups.

  • monitoring.timeSeries.list
  • resourcemanager.projects.get
  • resourcemanager.projects.list
  • spanner.backups.get
  • spanner.backups.list
  • spanner.backups.restoreDatabase
  • spanner.databaseOperations.cancel
  • spanner.databaseOperations.get
  • spanner.databaseOperations.list
  • spanner.databases.create
  • spanner.databases.get
  • spanner.databases.list
  • spanner.instances.get
  • spanner.instances.list

Cloud Spanner Viewer

roles/spanner.viewer

A principal with this role can: View all Cloud Spanner instances (but cannot modify instances). View all Cloud Spanner databases (but cannot modify or read from databases). For example, you can combine this role with the roles/spanner.databaseUser role to grant a user access to a specific database, but only view access to other instances and databases. This role is recommended at the Google Cloud project level for users interacting with Cloud Spanner resources in the Google Cloud Console.

  • monitoring.timeSeries.list
  • resourcemanager.projects.get
  • resourcemanager.projects.list
  • spanner.databases.list
  • spanner.instanceConfigs.*
  • spanner.instances.get
  • spanner.instances.list

Cloud SQL Admin

roles/cloudsql.admin

Provides full control of Cloud SQL resources.

  • cloudsql.*
  • recommender.cloudsqlIdleInstanceRecommendations.*
  • recommender.cloudsqlInstanceActivityInsights.*
  • recommender.cloudsqlInstanceCpuUsageInsights.*
  • recommender.cloudsqlInstanceDiskUsageTrendInsights.*
  • recommender.cloudsqlInstanceMemoryUsageInsights.*
  • recommender.cloudsqlInstanceOutOfDiskRecommendations.*
  • recommender.cloudsqlOverprovisionedInstanceRecommendations.*
  • resourcemanager.projects.get
  • resourcemanager.projects.list
  • serviceusage.quotas.get
  • serviceusage.services.get
  • serviceusage.services.list

Cloud SQL Client

roles/cloudsql.client

Provides connectivity access to Cloud SQL instances.

  • cloudsql.instances.connect
  • cloudsql.instances.get

Cloud SQL Editor

roles/cloudsql.editor

Provides full control of existing Cloud SQL instances excluding modifying users, SSL certificates or deleting resources.

  • cloudsql.backupRuns.create
  • cloudsql.backupRuns.get
  • cloudsql.backupRuns.list
  • cloudsql.databases.create
  • cloudsql.databases.get
  • cloudsql.databases.list
  • cloudsql.databases.update
  • cloudsql.instances.addServerCa
  • cloudsql.instances.connect
  • cloudsql.instances.export
  • cloudsql.instances.failover
  • cloudsql.instances.get
  • cloudsql.instances.list
  • cloudsql.instances.listServerCas
  • cloudsql.instances.listTagBindings
  • cloudsql.instances.restart
  • cloudsql.instances.rotateServerCa
  • cloudsql.instances.truncateLog
  • cloudsql.instances.update
  • cloudsql.sslCerts.get
  • cloudsql.sslCerts.list
  • cloudsql.users.list
  • recommender.cloudsqlIdleInstanceRecommendations.*
  • recommender.cloudsqlInstanceActivityInsights.*
  • recommender.cloudsqlInstanceCpuUsageInsights.*
  • recommender.cloudsqlInstanceDiskUsageTrendInsights.*
  • recommender.cloudsqlInstanceMemoryUsageInsights.*
  • recommender.cloudsqlInstanceOutOfDiskRecommendations.*
  • recommender.cloudsqlOverprovisionedInstanceRecommendations.*
  • resourcemanager.projects.get
  • resourcemanager.projects.list
  • serviceusage.quotas.get
  • serviceusage.services.get
  • serviceusage.services.list

Cloud SQL Instance User

roles/cloudsql.instanceUser

Role allowing access to a Cloud SQL instance

  • cloudsql.instances.get
  • cloudsql.instances.login

Cloud SQL Viewer

roles/cloudsql.viewer

Provides read-only access to Cloud SQL resources.

  • cloudsql.backupRuns.get
  • cloudsql.backupRuns.list
  • cloudsql.databases.get
  • cloudsql.databases.list
  • cloudsql.instances.export
  • cloudsql.instances.get
  • cloudsql.instances.list
  • cloudsql.instances.listServerCas
  • cloudsql.instances.listTagBindings
  • cloudsql.sslCerts.get
  • cloudsql.sslCerts.list
  • cloudsql.users.list
  • recommender.cloudsqlIdleInstanceRecommendations.get
  • recommender.cloudsqlIdleInstanceRecommendations.list
  • recommender.cloudsqlInstanceActivityInsights.get
  • recommender.cloudsqlInstanceActivityInsights.list
  • recommender.cloudsqlInstanceCpuUsageInsights.get
  • recommender.cloudsqlInstanceCpuUsageInsights.list
  • recommender.cloudsqlInstanceDiskUsageTrendInsights.get
  • recommender.cloudsqlInstanceDiskUsageTrendInsights.list
  • recommender.cloudsqlInstanceMemoryUsageInsights.get
  • recommender.cloudsqlInstanceMemoryUsageInsights.list
  • recommender.cloudsqlInstanceOutOfDiskRecommendations.get
  • recommender.cloudsqlInstanceOutOfDiskRecommendations.list
  • recommender.cloudsqlOverprovisionedInstanceRecommendations.get
  • recommender.cloudsqlOverprovisionedInstanceRecommendations.list
  • resourcemanager.projects.get
  • resourcemanager.projects.list
  • serviceusage.quotas.get
  • serviceusage.services.get
  • serviceusage.services.list

Storage Admin

roles/storage.admin

Grants full control of objects and buckets. When applied to an individual bucket, control applies only to the specified bucket and objects within the bucket.

  • firebase.projects.get
  • resourcemanager.projects.get
  • resourcemanager.projects.list
  • storage.buckets.*
  • storage.multipartUploads.*
  • storage.objects.*

Storage HMAC Key Admin

roles/storage.hmacKeyAdmin

Full control of Cloud Storage HMAC keys.

  • firebase.projects.get
  • resourcemanager.projects.get
  • resourcemanager.projects.list
  • storage.hmacKeys.*

Storage Object Admin

roles/storage.objectAdmin

Grants full control of objects, including listing, creating, viewing, and deleting objects.

  • resourcemanager.projects.get
  • resourcemanager.projects.list
  • storage.objects.*

Storage Object Creator

roles/storage.objectCreator

Allows users to create objects. Does not give permission to view, delete, or overwrite objects.

  • resourcemanager.projects.get
  • resourcemanager.projects.list
  • storage.multipartUploads.abort
  • storage.multipartUploads.create
  • storage.multipartUploads.listParts
  • storage.objects.create

Storage Object Viewer

roles/storage.objectViewer

Grants access to view objects and their metadata, excluding ACLs. Can also list the objects in a bucket.

  • resourcemanager.projects.get
  • resourcemanager.projects.list
  • storage.objects.get
  • storage.objects.list

Storage Transfer Admin

roles/storagetransfer.admin

Create, update and manage transfer jobs and operations.

  • resourcemanager.projects.get
  • resourcemanager.projects.list
  • storagetransfer.*

Storage Transfer User

roles/storagetransfer.user

Create and update storage transfer jobs and operations.

  • resourcemanager.projects.get
  • resourcemanager.projects.list
  • storagetransfer.agentpools.create
  • storagetransfer.agentpools.get
  • storagetransfer.agentpools.list
  • storagetransfer.agentpools.update
  • storagetransfer.jobs.create
  • storagetransfer.jobs.get
  • storagetransfer.jobs.list
  • storagetransfer.jobs.run
  • storagetransfer.jobs.update
  • storagetransfer.operations.*
  • storagetransfer.projects.*

Storage Transfer Viewer

roles/storagetransfer.viewer

Read access to storage transfer jobs and operations.

  • resourcemanager.projects.get
  • resourcemanager.projects.list
  • storagetransfer.agentpools.get
  • storagetransfer.agentpools.list
  • storagetransfer.jobs.get
  • storagetransfer.jobs.list
  • storagetransfer.operations.get
  • storagetransfer.operations.list
  • storagetransfer.projects.*

Storage Legacy Bucket Owner

roles/storage.legacyBucketOwner

Grants permission to create, overwrite, and delete objects; list objects in a bucket and read object metadata, excluding IAM policies, when listing; and read and edit bucket metadata, including IAM policies. Use of this role is also reflected in the bucket's ACLs. For more information, see IAM relation to ACLs.

  • storage.buckets.createTagBinding
  • storage.buckets.deleteTagBinding
  • storage.buckets.get
  • storage.buckets.getIamPolicy
  • storage.buckets.listTagBindings
  • storage.buckets.setIamPolicy
  • storage.buckets.update
  • storage.multipartUploads.*
  • storage.objects.create
  • storage.objects.delete
  • storage.objects.list

Storage Legacy Bucket Reader

roles/storage.legacyBucketReader

Grants permission to list a bucket's contents and read bucket metadata, excluding IAM policies. Also grants permission to read object metadata, excluding IAM policies, when listing objects. Use of this role is also reflected in the bucket's ACLs. For more information, see IAM relation to ACLs.

  • storage.buckets.get
  • storage.multipartUploads.list
  • storage.objects.list

Storage Legacy Bucket Writer

roles/storage.legacyBucketWriter

Grants permission to create, overwrite, and delete objects; list objects in a bucket and read object metadata, excluding IAM policies, when listing; and read bucket metadata, excluding IAM policies. Use of this role is also reflected in the bucket's ACLs. For more information, see IAM relation to ACLs.

  • storage.buckets.get
  • storage.multipartUploads.*
  • storage.objects.create
  • storage.objects.delete
  • storage.objects.list

Storage Legacy Object Owner

roles/storage.legacyObjectOwner

Grants permission to view and edit objects and their metadata, including ACLs.

  • storage.objects.get
  • storage.objects.getIamPolicy
  • storage.objects.setIamPolicy
  • storage.objects.update

Storage Legacy Object Reader

roles/storage.legacyObjectReader

Grants permission to view objects and their metadata, excluding ACLs.

  • storage.objects.get

Admin

roles/cloudjobdiscovery.admin

Access to Cloud Talent Solution Self-Service Tools.

  • cloudjobdiscovery.tools.*
  • iam.serviceAccounts.list
  • resourcemanager.projects.get
  • resourcemanager.projects.list

Job Editor

roles/cloudjobdiscovery.jobsEditor

Write access to all job data in Cloud Talent Solution.

  • cloudjobdiscovery.companies.*
  • cloudjobdiscovery.events.*
  • cloudjobdiscovery.jobs.*
  • cloudjobdiscovery.tenants.*
  • resourcemanager.projects.get
  • resourcemanager.projects.list

Job Viewer

roles/cloudjobdiscovery.jobsViewer

Read access to all job data in Cloud Talent Solution.

  • cloudjobdiscovery.companies.get
  • cloudjobdiscovery.companies.list
  • cloudjobdiscovery.jobs.get
  • cloudjobdiscovery.jobs.search
  • cloudjobdiscovery.tenants.get
  • resourcemanager.projects.get
  • resourcemanager.projects.list

Profile Editor

roles/cloudjobdiscovery.profilesEditor

Write access to all profile data in Cloud Talent Solution.

  • cloudjobdiscovery.events.*
  • cloudjobdiscovery.profiles.*
  • cloudjobdiscovery.tenants.*
  • resourcemanager.projects.get
  • resourcemanager.projects.list

Profile Viewer

roles/cloudjobdiscovery.profilesViewer

Read access to all profile data in Cloud Talent Solution.

  • cloudjobdiscovery.profiles.get
  • cloudjobdiscovery.profiles.search
  • cloudjobdiscovery.tenants.get
  • resourcemanager.projects.get
  • resourcemanager.projects.list

Cloud Tasks Admin

roles/cloudtasks.admin

Full access to queues and tasks.

  • cloudtasks.*
  • monitoring.timeSeries.list
  • resourcemanager.projects.get
  • resourcemanager.projects.list

Cloud Tasks Enqueuer

roles/cloudtasks.enqueuer

Access to create tasks.

  • cloudtasks.tasks.create
  • cloudtasks.tasks.fullView
  • resourcemanager.projects.get
  • resourcemanager.projects.list

Cloud Tasks Queue Admin

roles/cloudtasks.queueAdmin

Admin access to queues.

  • cloudtasks.locations.*
  • cloudtasks.queues.*
  • resourcemanager.projects.get
  • resourcemanager.projects.list

Cloud Tasks Task Deleter

roles/cloudtasks.taskDeleter

Access to delete tasks.

  • cloudtasks.tasks.delete
  • resourcemanager.projects.get
  • resourcemanager.projects.list

Cloud Tasks Task Runner

roles/cloudtasks.taskRunner

Access to run tasks.

  • cloudtasks.tasks.fullView
  • cloudtasks.tasks.run
  • resourcemanager.projects.get
  • resourcemanager.projects.list

Cloud Tasks Viewer

roles/cloudtasks.viewer

Get and list access to tasks, queues, and locations.

  • cloudtasks.locations.*
  • cloudtasks.queues.get
  • cloudtasks.queues.list
  • cloudtasks.tasks.fullView
  • cloudtasks.tasks.get
  • cloudtasks.tasks.list
  • monitoring.timeSeries.list
  • resourcemanager.projects.get
  • resourcemanager.projects.list

Threat Detection Settings Editor

roles/threatdetection.editor

Read-write access to all Threat Detection settings

  • threatdetection.*

Threat Detection Settings Viewer

roles/threatdetection.viewer

Read access to all Threat Detection settings

  • threatdetection.detectorSettings.get
  • threatdetection.sinkSettings.get
  • threatdetection.sourceSettings.get

TPU Admin

roles/tpu.admin

Full access to TPU nodes and related resources.

  • resourcemanager.projects.get
  • resourcemanager.projects.list
  • tpu.*

TPU Viewer

roles/tpu.viewer

Read-only access to TPU nodes and related resources.

  • resourcemanager.projects.get
  • resourcemanager.projects.list
  • tpu.acceleratortypes.*
  • tpu.locations.*
  • tpu.nodes.get
  • tpu.nodes.list
  • tpu.operations.*
  • tpu.tensorflowversions.*

Cloud Trace Admin

roles/cloudtrace.admin

Provides full access to the Trace console and read-write access to traces.

  • cloudtrace.*
  • resourcemanager.projects.get
  • resourcemanager.projects.list

Cloud Trace Agent

roles/cloudtrace.agent

For service accounts. Provides ability to write traces by sending the data to Stackdriver Trace.

  • cloudtrace.traces.patch

Cloud Trace User

roles/cloudtrace.user

Provides full access to the Trace console and read access to traces.

  • cloudtrace.insights.*
  • cloudtrace.stats.*
  • cloudtrace.tasks.*
  • cloudtrace.traces.get
  • cloudtrace.traces.list
  • resourcemanager.projects.get
  • resourcemanager.projects.list

Cloud Translation API Admin

roles/cloudtranslate.admin

Full access to all Cloud Translation resources

  • automl.models.get
  • automl.models.predict
  • cloudtranslate.*
  • resourcemanager.projects.get
  • resourcemanager.projects.list

Cloud Translation API Editor

roles/cloudtranslate.editor

Editor of all Cloud Translation resources

  • automl.models.get
  • automl.models.predict
  • cloudtranslate.*
  • resourcemanager.projects.get
  • resourcemanager.projects.list

Cloud Translation API User

roles/cloudtranslate.user

User of Cloud Translation and AutoML models

  • automl.models.get
  • automl.models.predict
  • cloudtranslate.generalModels.*
  • cloudtranslate.glossaries.batchDocPredict
  • cloudtranslate.glossaries.batchPredict
  • cloudtranslate.glossaries.docPredict
  • cloudtranslate.glossaries.get
  • cloudtranslate.glossaries.list
  • cloudtranslate.glossaries.predict
  • cloudtranslate.languageDetectionModels.*
  • cloudtranslate.locations.*
  • cloudtranslate.operations.get
  • cloudtranslate.operations.list
  • cloudtranslate.operations.wait
  • resourcemanager.projects.get
  • resourcemanager.projects.list

Cloud Translation API Viewer

roles/cloudtranslate.viewer

Viewer of all Translation resources

  • automl.models.get
  • cloudtranslate.generalModels.get
  • cloudtranslate.glossaries.get
  • cloudtranslate.glossaries.list
  • cloudtranslate.locations.*
  • cloudtranslate.operations.get
  • cloudtranslate.operations.list
  • cloudtranslate.operations.wait
  • resourcemanager.projects.get
  • resourcemanager.projects.list

Codelab ApiKeys Admin

roles/codelabapikeys.admin

Full access to API keys

  • resourcemanager.projects.get
  • resourcemanager.projects.list

Codelab API Keys Editor

roles/codelabapikeys.editor

This role can view and edit all properties of API keys.

  • resourcemanager.projects.get
  • resourcemanager.projects.list

Codelab API Keys Viewer

roles/codelabapikeys.viewer

This role can view all properties except change history of API keys.

  • resourcemanager.projects.get
  • resourcemanager.projects.list

Compute Admin

roles/compute.admin

Full control of all Compute Engine resources. If the user will be managing virtual machine instances that are configured to run as a service account, you must also grant the roles/iam.serviceAccountUser role.

  • compute.*
  • resourcemanager.projects.get
  • resourcemanager.projects.list
  • serviceusage.quotas.get
  • serviceusage.services.get
  • serviceusage.services.list

Compute Image User

roles/compute.imageUser

Permission to list and read images without having other permissions on the image. Granting this role at the project level gives users the ability to list all images in the project and create resources, such as instances and persistent disks, based on images in the project.

  • compute.images.get
  • compute.images.getFromFamily
  • compute.images.list
  • compute.images.useReadOnly
  • resourcemanager.projects.get
  • resourcemanager.projects.list
  • serviceusage.quotas.get
  • serviceusage.services.get
  • serviceusage.services.list

Compute Instance Admin (beta)

roles/compute.instanceAdmin

Permissions to create, modify, and delete virtual machine instances. This includes permissions to create, modify, and delete disks, and also to configure Shielded VM (beta) settings. If the user will be managing virtual machine instances that are configured to run as a service account, you must also grant the roles/iam.serviceAccountUser role. For example, if your company has someone who manages groups of virtual machine instances but does not manage network or security settings and does not manage instances that run as service accounts, you can grant this role on the organization, folder, or project that contains the instances, or you can grant it on individual instances.

  • compute.acceleratorTypes.*
  • compute.addresses.get
  • compute.addresses.list
  • compute.addresses.use
  • compute.autoscalers.*
  • compute.diskTypes.*
  • compute.disks.create
  • compute.disks.createSnapshot
  • compute.disks.delete
  • compute.disks.get
  • compute.disks.list
  • compute.disks.resize
  • compute.disks.setLabels
  • compute.disks.update
  • compute.disks.use
  • compute.disks.useReadOnly
  • compute.globalAddresses.get
  • compute.globalAddresses.list
  • compute.globalAddresses.use
  • compute.globalNetworkEndpointGroups.*
  • compute.globalOperations.get
  • compute.globalOperations.list
  • compute.images.get
  • compute.images.getFromFamily
  • compute.images.list
  • compute.images.useReadOnly
  • compute.instanceGroupManagers.*
  • compute.instanceGroups.*
  • compute.instanceTemplates.*
  • compute.instances.*
  • compute.licenses.get
  • compute.licenses.list
  • compute.machineImages.*
  • compute.machineTypes.*
  • compute.networkEndpointGroups.*
  • compute.networks.get
  • compute.networks.list
  • compute.networks.use
  • compute.networks.useExternalIp
  • compute.projects.get
  • compute.regionNetworkEndpointGroups.*
  • compute.regionOperations.get
  • compute.regionOperations.list
  • compute.regions.*
  • compute.reservations.get
  • compute.reservations.list
  • compute.subnetworks.get
  • compute.subnetworks.list
  • compute.subnetworks.use
  • compute.subnetworks.useExternalIp
  • compute.targetPools.get
  • compute.targetPools.list
  • compute.zoneOperations.get
  • compute.zoneOperations.list
  • compute.zones.*
  • resourcemanager.projects.get
  • resourcemanager.projects.list
  • serviceusage.quotas.get
  • serviceusage.services.get
  • serviceusage.services.list

Compute Instance Admin (v1)

roles/compute.instanceAdmin.v1

Full control of Compute Engine instances, instance groups, disks, snapshots, and images. Read access to all Compute Engine networking resources. If you grant a user this role only at an instance level, then that user cannot create new instances.

  • compute.acceleratorTypes.*
  • compute.addresses.get
  • compute.addresses.list
  • compute.addresses.use
  • compute.autoscalers.*
  • compute.backendBuckets.get
  • compute.backendBuckets.list
  • compute.backendServices.get
  • compute.backendServices.list
  • compute.diskTypes.*
  • compute.disks.*
  • compute.externalVpnGateways.get
  • compute.externalVpnGateways.list
  • compute.firewalls.get
  • compute.firewalls.list
  • compute.forwardingRules.get
  • compute.forwardingRules.list
  • compute.globalAddresses.get
  • compute.globalAddresses.list
  • compute.globalAddresses.use
  • compute.globalForwardingRules.get
  • compute.globalForwardingRules.list
  • compute.globalForwardingRules.pscGet
  • compute.globalNetworkEndpointGroups.*
  • compute.globalOperations.get
  • compute.globalOperations.list
  • compute.healthChecks.get
  • compute.healthChecks.list
  • compute.httpHealthChecks.get
  • compute.httpHealthChecks.list
  • compute.httpsHealthChecks.get
  • compute.httpsHealthChecks.list
  • compute.images.*
  • compute.instanceGroupManagers.*
  • compute.instanceGroups.*
  • compute.instanceTemplates.*
  • compute.instances.*
  • compute.interconnectAttachments.get
  • compute.interconnectAttachments.list
  • compute.interconnectLocations.*
  • compute.interconnects.get
  • compute.interconnects.list
  • compute.licenseCodes.*
  • compute.licenses.*
  • compute.machineImages.*
  • compute.machineTypes.*
  • compute.networkEndpointGroups.*
  • compute.networks.get
  • compute.networks.list
  • compute.networks.use
  • compute.networks.useExternalIp
  • compute.projects.get
  • compute.projects.setCommonInstanceMetadata
  • compute.regionBackendServices.get
  • compute.regionBackendServices.list
  • compute.regionHealthCheckServices.get
  • compute.regionHealthCheckServices.list
  • compute.regionHealthChecks.get
  • compute.regionHealthChecks.list
  • compute.regionNetworkEndpointGroups.*
  • compute.regionNotificationEndpoints.get
  • compute.regionNotificationEndpoints.list
  • compute.regionOperations.get
  • compute.regionOperations.list
  • compute.regionSslCertificates.get
  • compute.regionSslCertificates.list
  • compute.regionTargetHttpProxies.get
  • compute.regionTargetHttpProxies.list
  • compute.regionTargetHttpsProxies.get
  • compute.regionTargetHttpsProxies.list
  • compute.regionUrlMaps.get
  • compute.regionUrlMaps.list
  • compute.regions.*
  • compute.reservations.get
  • compute.reservations.list
  • compute.resourcePolicies.*
  • compute.routers.get
  • compute.routers.list
  • compute.routes.get
  • compute.routes.list
  • compute.serviceAttachments.get
  • compute.serviceAttachments.list
  • compute.snapshots.*
  • compute.sslCertificates.get
  • compute.sslCertificates.list
  • compute.sslPolicies.get
  • compute.sslPolicies.list
  • compute.sslPolicies.listAvailableFeatures
  • compute.subnetworks.get
  • compute.subnetworks.list
  • compute.subnetworks.use
  • compute.subnetworks.useExternalIp
  • compute.targetGrpcProxies.get
  • compute.targetGrpcProxies.list
  • compute.targetHttpProxies.get
  • compute.targetHttpProxies.list
  • compute.targetHttpsProxies.get
  • compute.targetHttpsProxies.list
  • compute.targetInstances.get
  • compute.targetInstances.list
  • compute.targetPools.get
  • compute.targetPools.list
  • compute.targetSslProxies.get
  • compute.targetSslProxies.list
  • compute.targetTcpProxies.get
  • compute.targetTcpProxies.list
  • compute.targetVpnGateways.get
  • compute.targetVpnGateways.list
  • compute.urlMaps.get
  • compute.urlMaps.list
  • compute.vpnGateways.get
  • compute.vpnGateways.list
  • compute.vpnTunnels.get
  • compute.vpnTunnels.list
  • compute.zoneOperations.get
  • compute.zoneOperations.list
  • compute.zones.*
  • resourcemanager.projects.get
  • resourcemanager.projects.list
  • serviceusage.quotas.get
  • serviceusage.services.get
  • serviceusage.services.list

Compute Load Balancer Admin

roles/compute.loadBalancerAdmin

Permissions to create, modify, and delete load balancers and associate resources. For example, if your company has a load balancing team that manages load balancers, SSL certificates for load balancers, SSL policies, and other load balancing resources, and a separate networking team that manages the rest of the networking resources, then grant this role to the load balancing team's group.

  • compute.addresses.*
  • compute.backendBuckets.*
  • compute.backendServices.*
  • compute.forwardingRules.*
  • compute.globalAddresses.*
  • compute.globalForwardingRules.*
  • compute.globalNetworkEndpointGroups.*
  • compute.healthChecks.*
  • compute.httpHealthChecks.*
  • compute.httpsHealthChecks.*
  • compute.instanceGroups.*
  • compute.instances.get
  • compute.instances.list
  • compute.instances.use
  • compute.instances.useReadOnly
  • compute.networkEndpointGroups.*
  • compute.networks.get
  • compute.networks.list
  • compute.networks.use
  • compute.projects.get
  • compute.regionBackendServices.*
  • compute.regionHealthCheckServices.*
  • compute.regionHealthChecks.*
  • compute.regionNetworkEndpointGroups.*
  • compute.regionNotificationEndpoints.*
  • compute.regionSslCertificates.*
  • compute.regionTargetHttpProxies.*
  • compute.regionTargetHttpsProxies.*
  • compute.regionUrlMaps.*
  • compute.securityPolicies.get
  • compute.securityPolicies.list
  • compute.securityPolicies.use
  • compute.sslCertificates.*
  • compute.sslPolicies.*
  • compute.subnetworks.get
  • compute.subnetworks.list
  • compute.subnetworks.use
  • compute.targetGrpcProxies.*
  • compute.targetHttpProxies.*
  • compute.targetHttpsProxies.*
  • compute.targetInstances.*
  • compute.targetPools.*
  • compute.targetSslProxies.*
  • compute.targetTcpProxies.*
  • compute.urlMaps.*
  • resourcemanager.projects.get
  • resourcemanager.projects.list
  • serviceusage.quotas.get
  • serviceusage.services.get
  • serviceusage.services.list

Compute Load Balancer Services User

roles/compute.loadBalancerServiceUser

Permissions to use services from a load balancer in other projects.

  • compute.backendServices.get
  • compute.backendServices.list
  • compute.backendServices.use
  • compute.projects.get
  • compute.regionBackendServices.get
  • compute.regionBackendServices.list
  • compute.regionBackendServices.use
  • resourcemanager.projects.get
  • resourcemanager.projects.list
  • serviceusage.quotas.get
  • serviceusage.services.get
  • serviceusage.services.list

Compute Network Admin

roles/compute.networkAdmin

Permissions to create, modify, and delete networking resources, except for firewall rules and SSL certificates. The network admin role allows read-only access to firewall rules, SSL certificates, and instances (to view their ephemeral IP addresses). The network admin role does not allow a user to create, start, stop, or delete instances. For example, if your company has a security team that manages firewalls and SSL certificates and a networking team that manages the rest of the networking resources, then grant this role to the networking team's group.

  • compute.acceleratorTypes.*
  • compute.addresses.*
  • compute.autoscalers.get
  • compute.autoscalers.list
  • compute.backendBuckets.*
  • compute.backendServices.*
  • compute.externalVpnGateways.*
  • compute.firewallPolicies.get
  • compute.firewallPolicies.list
  • compute.firewallPolicies.use
  • compute.firewalls.get
  • compute.firewalls.list
  • compute.forwardingRules.*
  • compute.globalAddresses.*
  • compute.globalForwardingRules.*
  • compute.globalNetworkEndpointGroups.get
  • compute.globalNetworkEndpointGroups.list
  • compute.globalNetworkEndpointGroups.use
  • compute.globalOperations.get
  • compute.globalOperations.list
  • compute.globalPublicDelegatedPrefixes.delete
  • compute.globalPublicDelegatedPrefixes.get
  • compute.globalPublicDelegatedPrefixes.list
  • compute.globalPublicDelegatedPrefixes.update
  • compute.globalPublicDelegatedPrefixes.updatePolicy
  • compute.healthChecks.*
  • compute.httpHealthChecks.*
  • compute.httpsHealthChecks.*
  • compute.instanceGroupManagers.get
  • compute.instanceGroupManagers.list
  • compute.instanceGroupManagers.update
  • compute.instanceGroupManagers.use
  • compute.instanceGroups.get
  • compute.instanceGroups.list
  • compute.instanceGroups.update
  • compute.instanceGroups.use
  • compute.instances.get
  • compute.instances.getGuestAttributes
  • compute.instances.getScreenshot
  • compute.instances.getSerialPortOutput
  • compute.instances.list
  • compute.instances.listReferrers
  • compute.instances.updateSecurity
  • compute.instances.use
  • compute.instances.useReadOnly
  • compute.interconnectAttachments.*
  • compute.interconnectLocations.*
  • compute.interconnects.*
  • compute.machineTypes.*
  • compute.networkEndpointGroups.get
  • compute.networkEndpointGroups.list
  • compute.networkEndpointGroups.use
  • compute.networks.*
  • compute.projects.get
  • compute.publicDelegatedPrefixes.delete
  • compute.publicDelegatedPrefixes.get
  • compute.publicDelegatedPrefixes.list
  • compute.publicDelegatedPrefixes.update
  • compute.publicDelegatedPrefixes.updatePolicy
  • compute.regionBackendServices.*
  • compute.regionHealthCheckServices.*
  • compute.regionHealthChecks.*
  • compute.regionNetworkEndpointGroups.get
  • compute.regionNetworkEndpointGroups.list
  • compute.regionNetworkEndpointGroups.use
  • compute.regionNotificationEndpoints.*
  • compute.regionOperations.get
  • compute.regionOperations.list
  • compute.regionSslCertificates.get
  • compute.regionSslCertificates.list
  • compute.regionTargetHttpProxies.*
  • compute.regionTargetHttpsProxies.*
  • compute.regionUrlMaps.*
  • compute.regions.*
  • compute.routers.*
  • compute.routes.*
  • compute.securityPolicies.get
  • compute.securityPolicies.list
  • compute.securityPolicies.use
  • compute.serviceAttachments.*
  • compute.sslCertificates.get
  • compute.sslCertificates.list
  • compute.sslPolicies.*
  • compute.subnetworks.*
  • compute.targetGrpcProxies.*
  • compute.targetHttpProxies.*
  • compute.targetHttpsProxies.*
  • compute.targetInstances.*
  • compute.targetPools.*
  • compute.targetSslProxies.*
  • compute.targetTcpProxies.*
  • compute.targetVpnGateways.*
  • compute.urlMaps.*
  • compute.vpnGateways.*
  • compute.vpnTunnels.*
  • compute.zoneOperations.get
  • compute.zoneOperations.list
  • compute.zones.*
  • networkconnectivity.locations.*
  • networkconnectivity.operations.*
  • networksecurity.*
  • networkservices.*
  • resourcemanager.projects.get
  • resourcemanager.projects.list
  • servicedirectory.namespaces.create
  • servicedirectory.namespaces.delete
  • servicedirectory.services.create
  • servicedirectory.services.delete
  • servicenetworking.operations.get
  • servicenetworking.services.addPeering
  • servicenetworking.services.get
  • serviceusage.quotas.get
  • serviceusage.services.get
  • serviceusage.services.list
  • trafficdirector.*

Compute Network User

roles/compute.networkUser

Provides access to a shared VPC network. Once granted, service owners can use VPC networks and subnets that belong to the host project. For example, a network user can create a VM instance that belongs to a host project network but they cannot delete or create new networks in the host project.

  • compute.addresses.createInternal
  • compute.addresses.deleteInternal
  • compute.addresses.get
  • compute.addresses.list
  • compute.addresses.useInternal
  • compute.externalVpnGateways.get
  • compute.externalVpnGateways.list
  • compute.externalVpnGateways.use
  • compute.firewalls.get
  • compute.firewalls.list
  • compute.interconnectAttachments.get
  • compute.interconnectAttachments.list
  • compute.interconnectLocations.*
  • compute.interconnects.get
  • compute.interconnects.list
  • compute.interconnects.use
  • compute.networks.access
  • compute.networks.get
  • compute.networks.getEffectiveFirewalls
  • compute.networks.list
  • compute.networks.listPeeringRoutes
  • compute.networks.use
  • compute.networks.useExternalIp
  • compute.projects.get
  • compute.regions.*
  • compute.routers.get
  • compute.routers.list
  • compute.routes.get
  • compute.routes.list
  • compute.serviceAttachments.get
  • compute.serviceAttachments.list
  • compute.subnetworks.get
  • compute.subnetworks.list
  • compute.subnetworks.use
  • compute.subnetworks.useExternalIp
  • compute.targetVpnGateways.get
  • compute.targetVpnGateways.list
  • compute.vpnGateways.get
  • compute.vpnGateways.list
  • compute.vpnGateways.use
  • compute.vpnTunnels.get
  • compute.vpnTunnels.list
  • compute.zones.*
  • networkconnectivity.locations.*
  • networkconnectivity.operations.get
  • networkconnectivity.operations.list
  • networksecurity.authorizationPolicies.get
  • networksecurity.authorizationPolicies.list
  • networksecurity.authorizationPolicies.use
  • networksecurity.clientTlsPolicies.get
  • networksecurity.clientTlsPolicies.list
  • networksecurity.clientTlsPolicies.use
  • networksecurity.locations.*
  • networksecurity.operations.get
  • networksecurity.operations.list
  • networksecurity.serverTlsPolicies.get
  • networksecurity.serverTlsPolicies.list
  • networksecurity.serverTlsPolicies.use
  • networkservices.endpointConfigSelectors.get
  • networkservices.endpointConfigSelectors.list
  • networkservices.endpointConfigSelectors.use
  • networkservices.endpointPolicies.get
  • networkservices.endpointPolicies.list
  • networkservices.endpointPolicies.use
  • networkservices.httpFilters.get
  • networkservices.httpFilters.list
  • networkservices.httpFilters.use
  • networkservices.httpfilters.get
  • networkservices.httpfilters.list
  • networkservices.httpfilters.use
  • networkservices.locations.*
  • networkservices.operations.get
  • networkservices.operations.list
  • resourcemanager.projects.get
  • resourcemanager.projects.list
  • servicenetworking.services.get
  • serviceusage.quotas.get
  • serviceusage.services.get
  • serviceusage.services.list

Compute Network Viewer

roles/compute.networkViewer

Read-only access to all networking resources. For example, if you have software that inspects your network configuration, you could grant this role to that software's service account.

  • compute.acceleratorTypes.*
  • compute.addresses.get
  • compute.addresses.list
  • compute.autoscalers.get
  • compute.autoscalers.list
  • compute.backendBuckets.get
  • compute.backendBuckets.list
  • compute.backendServices.get
  • compute.backendServices.list
  • compute.externalVpnGateways.get
  • compute.externalVpnGateways.list
  • compute.firewalls.get
  • compute.firewalls.list
  • compute.forwardingRules.get
  • compute.forwardingRules.list
  • compute.globalAddresses.get
  • compute.globalAddresses.list
  • compute.globalForwardingRules.get
  • compute.globalForwardingRules.list
  • compute.globalForwardingRules.pscGet
  • compute.healthChecks.get
  • compute.healthChecks.list
  • compute.httpHealthChecks.get
  • compute.httpHealthChecks.list
  • compute.httpsHealthChecks.get
  • compute.httpsHealthChecks.list
  • compute.instanceGroupManagers.get
  • compute.instanceGroupManagers.list
  • compute.instanceGroups.get
  • compute.instanceGroups.list
  • compute.instances.get
  • compute.instances.getGuestAttributes
  • compute.instances.getScreenshot
  • compute.instances.getSerialPortOutput
  • compute.instances.list
  • compute.instances.listReferrers
  • compute.interconnectAttachments.get
  • compute.interconnectAttachments.list
  • compute.interconnectLocations.*
  • compute.interconnects.get
  • compute.interconnects.list
  • compute.machineTypes.*
  • compute.networks.get
  • compute.networks.getEffectiveFirewalls
  • compute.networks.list
  • compute.networks.listPeeringRoutes
  • compute.projects.get
  • compute.regionBackendServices.get
  • compute.regionBackendServices.list
  • compute.regionHealthCheckServices.get
  • compute.regionHealthCheckServices.list
  • compute.regionHealthChecks.get
  • compute.regionHealthChecks.list
  • compute.regionNotificationEndpoints.get
  • compute.regionNotificationEndpoints.list
  • compute.regionSslCertificates.get
  • compute.regionSslCertificates.list
  • compute.regionTargetHttpProxies.get
  • compute.regionTargetHttpProxies.list
  • compute.regionTargetHttpsProxies.get
  • compute.regionTargetHttpsProxies.list
  • compute.regionUrlMaps.get
  • compute.regionUrlMaps.list
  • compute.regions.*
  • compute.routers.get
  • compute.routers.list
  • compute.routes.get
  • compute.routes.list
  • compute.serviceAttachments.get
  • compute.serviceAttachments.list
  • compute.sslCertificates.get
  • compute.sslCertificates.list
  • compute.sslPolicies.get
  • compute.sslPolicies.list
  • compute.sslPolicies.listAvailableFeatures
  • compute.subnetworks.get
  • compute.subnetworks.list
  • compute.targetGrpcProxies.get
  • compute.targetGrpcProxies.list
  • compute.targetHttpProxies.get
  • compute.targetHttpProxies.list
  • compute.targetHttpsProxies.get
  • compute.targetHttpsProxies.list
  • compute.targetInstances.get
  • compute.targetInstances.list
  • compute.targetPools.get
  • compute.targetPools.list
  • compute.targetSslProxies.get
  • compute.targetSslProxies.list
  • compute.targetTcpProxies.get
  • compute.targetTcpProxies.list
  • compute.targetVpnGateways.get
  • compute.targetVpnGateways.list
  • compute.urlMaps.get
  • compute.urlMaps.list
  • compute.vpnGateways.get
  • compute.vpnGateways.list
  • compute.vpnTunnels.get
  • compute.vpnTunnels.list
  • compute.zones.*
  • networkconnectivity.locations.*
  • networkconnectivity.operations.get
  • networkconnectivity.operations.list
  • networksecurity.authorizationPolicies.get
  • networksecurity.authorizationPolicies.list
  • networksecurity.clientTlsPolicies.get
  • networksecurity.clientTlsPolicies.list
  • networksecurity.locations.*
  • networksecurity.operations.get
  • networksecurity.operations.list
  • networksecurity.serverTlsPolicies.get
  • networksecurity.serverTlsPolicies.list
  • networkservices.endpointConfigSelectors.get
  • networkservices.endpointConfigSelectors.list
  • networkservices.endpointPolicies.get
  • networkservices.endpointPolicies.list
  • networkservices.httpFilters.get
  • networkservices.httpFilters.list
  • networkservices.httpfilters.get
  • networkservices.httpfilters.list
  • networkservices.locations.*
  • networkservices.operations.get
  • networkservices.operations.list
  • resourcemanager.projects.get
  • resourcemanager.projects.list
  • servicenetworking.services.get
  • serviceusage.quotas.get
  • serviceusage.services.get
  • serviceusage.services.list
  • trafficdirector.*

Compute Organization Firewall Policy Admin

roles/compute.orgFirewallPolicyAdmin

Full control of Compute Engine Organization Firewall Policies.

  • compute.firewallPolicies.cloneRules
  • compute.firewallPolicies.create
  • compute.firewallPolicies.delete
  • compute.firewallPolicies.get
  • compute.firewallPolicies.getIamPolicy
  • compute.firewallPolicies.list
  • compute.firewallPolicies.move
  • compute.firewallPolicies.setIamPolicy
  • compute.firewallPolicies.update
  • compute.firewallPolicies.use
  • compute.globalOperations.get
  • compute.globalOperations.getIamPolicy
  • compute.globalOperations.list
  • compute.globalOperations.setIamPolicy
  • compute.projects.get
  • compute.regionOperations.get
  • compute.regionOperations.getIamPolicy
  • compute.regionOperations.list
  • compute.regionOperations.setIamPolicy
  • resourcemanager.projects.get
  • resourcemanager.projects.list
  • serviceusage.quotas.get
  • serviceusage.services.get
  • serviceusage.services.list

Compute Organization Firewall Policy User

roles/compute.orgFirewallPolicyUser

View or use Compute Engine Firewall Policies to associate with the organization or folders.

  • compute.firewallPolicies.get
  • compute.firewallPolicies.list
  • compute.firewallPolicies.use
  • compute.globalOperations.get
  • compute.globalOperations.getIamPolicy
  • compute.globalOperations.list
  • compute.projects.get
  • compute.regionOperations.get
  • compute.regionOperations.getIamPolicy
  • compute.regionOperations.list
  • resourcemanager.projects.get
  • resourcemanager.projects.list
  • serviceusage.quotas.get
  • serviceusage.services.get
  • serviceusage.services.list

Compute Organization Security Policy Admin

roles/compute.orgSecurityPolicyAdmin

Full control of Compute Engine Organization Security Policies.

  • compute.firewallPolicies.*
  • compute.globalOperations.get
  • compute.globalOperations.getIamPolicy
  • compute.globalOperations.list
  • compute.globalOperations.setIamPolicy
  • compute.projects.get
  • compute.securityPolicies.*
  • resourcemanager.projects.get
  • resourcemanager.projects.list
  • serviceusage.quotas.get
  • serviceusage.services.get
  • serviceusage.services.list

Compute Organization Security Policy User

roles/compute.orgSecurityPolicyUser

View or use Compute Engine Security Policies to associate with the organization or folders.

  • compute.firewallPolicies.addAssociation
  • compute.firewallPolicies.get
  • compute.firewallPolicies.list
  • compute.firewallPolicies.removeAssociation
  • compute.firewallPolicies.use
  • compute.globalOperations.get
  • compute.globalOperations.getIamPolicy
  • compute.globalOperations.list
  • compute.globalOperations.setIamPolicy
  • compute.projects.get
  • compute.securityPolicies.addAssociation
  • compute.securityPolicies.get
  • compute.securityPolicies.list
  • compute.securityPolicies.removeAssociation
  • compute.securityPolicies.use
  • resourcemanager.projects.get
  • resourcemanager.projects.list
  • serviceusage.quotas.get
  • serviceusage.services.get
  • serviceusage.services.list

Compute Organization Resource Admin

roles/compute.orgSecurityResourceAdmin

Full control of Compute Engine Firewall Policy associations to the organization or folders.

  • compute.globalOperations.get
  • compute.globalOperations.getIamPolicy
  • compute.globalOperations.list
  • compute.globalOperations.setIamPolicy
  • compute.organizations.listAssociations
  • compute.organizations.setFirewallPolicy
  • compute.organizations.setSecurityPolicy
  • compute.projects.get
  • resourcemanager.projects.get
  • resourcemanager.projects.list
  • serviceusage.quotas.get
  • serviceusage.services.get
  • serviceusage.services.list

Compute OS Admin Login

roles/compute.osAdminLogin

Access to log in to a Compute Engine instance as an administrator user.

  • compute.instances.get
  • compute.instances.list
  • compute.instances.osAdminLogin
  • compute.instances.osLogin
  • compute.projects.get
  • resourcemanager.projects.get
  • resourcemanager.projects.list
  • serviceusage.quotas.get
  • serviceusage.services.get
  • serviceusage.services.list

Compute OS Login

roles/compute.osLogin

Access to log in to a Compute Engine instance as a standard user.

  • compute.instances.get
  • compute.instances.list
  • compute.instances.osLogin
  • compute.projects.get
  • resourcemanager.projects.get
  • resourcemanager.projects.list
  • serviceusage.quotas.get
  • serviceusage.services.get
  • serviceusage.services.list

Compute OS Login External User

roles/compute.osLoginExternalUser

Available only at the organization level. Access for an external user to set OS Login information associated with this organization. This role does not grant access to instances. External users must be granted one of the required OS Login roles in order to allow access to instances using SSH.

  • compute.oslogin.*

Compute packet mirroring admin

roles/compute.packetMirroringAdmin

Specify resources to be mirrored.

  • compute.instances.updateSecurity
  • compute.networks.mirror
  • compute.projects.get
  • compute.subnetworks.mirror
  • resourcemanager.projects.get
  • resourcemanager.projects.list
  • serviceusage.quotas.get
  • serviceusage.services.get
  • serviceusage.services.list

Compute packet mirroring user

roles/compute.packetMirroringUser

Use Compute Engine packet mirrorings.

  • compute.packetMirrorings.*
  • compute.projects.get
  • resourcemanager.projects.get
  • resourcemanager.projects.list
  • serviceusage.quotas.get
  • serviceusage.services.get
  • serviceusage.services.list

Compute Public IP Admin

roles/compute.publicIpAdmin

Full control of public IP address management for Compute Engine.

  • compute.addresses.*
  • compute.globalAddresses.*
  • compute.globalPublicDelegatedPrefixes.*
  • compute.publicAdvertisedPrefixes.*
  • compute.publicDelegatedPrefixes.*
  • resourcemanager.projects.get
  • resourcemanager.projects.list

Compute Security Admin

roles/compute.securityAdmin

Permissions to create, modify, and delete firewall rules and SSL certificates, and also to configure Shielded VM (beta) settings. For example, if your company has a security team that manages firewalls and SSL certificates and a networking team that manages the rest of the networking resources, then grant this role to the security team's group.

  • compute.firewallPolicies.*
  • compute.firewalls.*
  • compute.globalOperations.get
  • compute.globalOperations.list
  • compute.instances.getEffectiveFirewalls
  • compute.instances.setShieldedInstanceIntegrityPolicy
  • compute.instances.setShieldedVmIntegrityPolicy
  • compute.instances.updateSecurity
  • compute.instances.updateShieldedInstanceConfig
  • compute.instances.updateShieldedVmConfig
  • compute.networks.get
  • compute.networks.getEffectiveFirewalls
  • compute.networks.list
  • compute.networks.updatePolicy
  • compute.packetMirrorings.*
  • compute.projects.get
  • compute.regionOperations.get
  • compute.regionOperations.list
  • compute.regionSslCertificates.*
  • compute.regions.*
  • compute.routes.get
  • compute.routes.list
  • compute.securityPolicies.*
  • compute.sslCertificates.*
  • compute.sslPolicies.*
  • compute.subnetworks.get
  • compute.subnetworks.list
  • compute.zoneOperations.get
  • compute.zoneOperations.list
  • compute.zones.*
  • resourcemanager.projects.get
  • resourcemanager.projects.list
  • serviceusage.quotas.get
  • serviceusage.services.get
  • serviceusage.services.list

Compute Storage Admin

roles/compute.storageAdmin

Permissions to create, modify, and delete disks, images, and snapshots. For example, if your company has someone who manages project images and you don't want them to have the editor role on the project, then grant this role to their account on the project.

  • compute.diskTypes.*
  • compute.disks.*
  • compute.globalOperations.get
  • compute.globalOperations.list
  • compute.images.*
  • compute.licenseCodes.*
  • compute.licenses.*
  • compute.projects.get
  • compute.regionOperations.get
  • compute.regionOperations.list
  • compute.regions.*
  • compute.resourcePolicies.*
  • compute.snapshots.*
  • compute.zoneOperations.get
  • compute.zoneOperations.list
  • compute.zones.*
  • resourcemanager.projects.get
  • resourcemanager.projects.list
  • serviceusage.quotas.get
  • serviceusage.services.get
  • serviceusage.services.list

Compute Viewer

roles/compute.viewer

Read-only access to get and list Compute Engine resources, without being able to read the data stored on them. For example, an account with this role could inventory all of the disks in a project, but it could not read any of the data on those disks.

  • compute.acceleratorTypes.*
  • compute.addresses.get
  • compute.addresses.list
  • compute.autoscalers.get
  • compute.autoscalers.list
  • compute.backendBuckets.get
  • compute.backendBuckets.list
  • compute.backendServices.get
  • compute.backendServices.getIamPolicy
  • compute.backendServices.list
  • compute.commitments.get
  • compute.commitments.list
  • compute.diskTypes.*
  • compute.disks.get
  • compute.disks.getIamPolicy
  • compute.disks.list
  • compute.externalVpnGateways.get
  • compute.externalVpnGateways.list
  • compute.firewallPolicies.get
  • compute.firewallPolicies.getIamPolicy
  • compute.firewallPolicies.list
  • compute.firewalls.get
  • compute.firewalls.list
  • compute.forwardingRules.get
  • compute.forwardingRules.list
  • compute.globalAddresses.get
  • compute.globalAddresses.list
  • compute.globalForwardingRules.get
  • compute.globalForwardingRules.list
  • compute.globalForwardingRules.pscGet
  • compute.globalNetworkEndpointGroups.get
  • compute.globalNetworkEndpointGroups.list
  • compute.globalOperations.get
  • compute.globalOperations.getIamPolicy
  • compute.globalOperations.list
  • compute.globalPublicDelegatedPrefixes.get
  • compute.globalPublicDelegatedPrefixes.list
  • compute.healthChecks.get
  • compute.healthChecks.list
  • compute.httpHealthChecks.get
  • compute.httpHealthChecks.list
  • compute.httpsHealthChecks.get
  • compute.httpsHealthChecks.list
  • compute.images.get
  • compute.images.getFromFamily
  • compute.images.getIamPolicy
  • compute.images.list
  • compute.instanceGroupManagers.get
  • compute.instanceGroupManagers.list
  • compute.instanceGroups.get
  • compute.instanceGroups.list
  • compute.instanceTemplates.get
  • compute.instanceTemplates.getIamPolicy
  • compute.instanceTemplates.list
  • compute.instances.get
  • compute.instances.getEffectiveFirewalls
  • compute.instances.getGuestAttributes
  • compute.instances.getIamPolicy
  • compute.instances.getScreenshot
  • compute.instances.getSerialPortOutput
  • compute.instances.getShieldedInstanceIdentity
  • compute.instances.getShieldedVmIdentity
  • compute.instances.list
  • compute.instances.listReferrers
  • compute.interconnectAttachments.get
  • compute.interconnectAttachments.list
  • compute.interconnectLocations.*
  • compute.interconnects.get
  • compute.interconnects.list
  • compute.licenseCodes.get
  • compute.licenseCodes.getIamPolicy
  • compute.licenseCodes.list
  • compute.licenses.get
  • compute.licenses.getIamPolicy
  • compute.licenses.list
  • compute.machineImages.get
  • compute.machineImages.getIamPolicy
  • compute.machineImages.list
  • compute.machineTypes.*
  • compute.maintenancePolicies.get
  • compute.maintenancePolicies.getIamPolicy
  • compute.maintenancePolicies.list
  • compute.networkEndpointGroups.get
  • compute.networkEndpointGroups.getIamPolicy
  • compute.networkEndpointGroups.list
  • compute.networks.get
  • compute.networks.getEffectiveFirewalls
  • compute.networks.list
  • compute.networks.listPeeringRoutes
  • compute.nodeGroups.get
  • compute.nodeGroups.getIamPolicy
  • compute.nodeGroups.list
  • compute.nodeTemplates.get
  • compute.nodeTemplates.getIamPolicy
  • compute.nodeTemplates.list
  • compute.nodeTypes.*
  • compute.organizations.listAssociations
  • compute.projects.get
  • compute.publicAdvertisedPrefixes.get
  • compute.publicAdvertisedPrefixes.list
  • compute.publicDelegatedPrefixes.get
  • compute.publicDelegatedPrefixes.list
  • compute.regionBackendServices.get
  • compute.regionBackendServices.getIamPolicy
  • compute.regionBackendServices.list
  • compute.regionHealthCheckServices.get
  • compute.regionHealthCheckServices.list
  • compute.regionHealthChecks.get
  • compute.regionHealthChecks.list
  • compute.regionNetworkEndpointGroups.get
  • compute.regionNetworkEndpointGroups.list
  • compute.regionNotificationEndpoints.get
  • compute.regionNotificationEndpoints.list
  • compute.regionOperations.get
  • compute.regionOperations.getIamPolicy
  • compute.regionOperations.list
  • compute.regionSslCertificates.get
  • compute.regionSslCertificates.list
  • compute.regionTargetHttpProxies.get
  • compute.regionTargetHttpProxies.list
  • compute.regionTargetHttpsProxies.get
  • compute.regionTargetHttpsProxies.list
  • compute.regionUrlMaps.get
  • compute.regionUrlMaps.list
  • compute.regionUrlMaps.validate
  • compute.regions.*
  • compute.reservations.get
  • compute.reservations.list
  • compute.resourcePolicies.get
  • compute.resourcePolicies.list
  • compute.routers.get
  • compute.routers.list
  • compute.routes.get
  • compute.routes.list
  • compute.securityPolicies.get
  • compute.securityPolicies.getIamPolicy
  • compute.securityPolicies.list
  • compute.serviceAttachments.get
  • compute.serviceAttachments.list
  • compute.snapshots.get
  • compute.snapshots.getIamPolicy
  • compute.snapshots.list
  • compute.sslCertificates.get
  • compute.sslCertificates.list
  • compute.sslPolicies.get
  • compute.sslPolicies.list
  • compute.sslPolicies.listAvailableFeatures
  • compute.subnetworks.get
  • compute.subnetworks.getIamPolicy
  • compute.subnetworks.list
  • compute.targetGrpcProxies.get
  • compute.targetGrpcProxies.list
  • compute.targetHttpProxies.get
  • compute.targetHttpProxies.list
  • compute.targetHttpsProxies.get
  • compute.targetHttpsProxies.list
  • compute.targetInstances.get
  • compute.targetInstances.list
  • compute.targetPools.get
  • compute.targetPools.list
  • compute.targetSslProxies.get
  • compute.targetSslProxies.list
  • compute.targetTcpProxies.get
  • compute.targetTcpProxies.list
  • compute.targetVpnGateways.get
  • compute.targetVpnGateways.list
  • compute.urlMaps.get
  • compute.urlMaps.list
  • compute.urlMaps.validate
  • compute.vpnGateways.get
  • compute.vpnGateways.list
  • compute.vpnTunnels.get
  • compute.vpnTunnels.list
  • compute.zoneOperations.get
  • compute.zoneOperations.getIamPolicy
  • compute.zoneOperations.list
  • compute.zones.*
  • resourcemanager.projects.get
  • resourcemanager.projects.list
  • serviceusage.quotas.get
  • serviceusage.services.get
  • serviceusage.services.list

Compute Shared VPC Admin

roles/compute.xpnAdmin

Permissions to administer Shared VPC host projects, specifically enabling the host projects and associating Shared VPC service projects to the host project's network. At the organization level, this role can only be granted by an organization admin. Google Cloud recommends that the Shared VPC Admin be the owner of the Shared VPC host project. The Shared VPC Admin is responsible for granting the Compute Network User role (roles/compute.networkUser) to service owners, and the Shared VPC host project owner controls the project itself. Managing the project is easier if a single principal (individual or group) can fulfill both roles.

  • compute.globalOperations.get
  • compute.globalOperations.list
  • compute.organizations.administerXpn
  • compute.organizations.disableXpnHost
  • compute.organizations.disableXpnResource
  • compute.organizations.enableXpnHost
  • compute.organizations.enableXpnResource
  • compute.projects.get
  • compute.subnetworks.getIamPolicy
  • compute.subnetworks.setIamPolicy
  • resourcemanager.organizations.get
  • resourcemanager.projects.get
  • resourcemanager.projects.getIamPolicy
  • resourcemanager.projects.list

GuestPolicy Admin

roles/osconfig.guestPolicyAdmin

Full admin access to GuestPolicies

  • osconfig.guestPolicies.*
  • resourcemanager.projects.get
  • resourcemanager.projects.list

GuestPolicy Editor

roles/osconfig.guestPolicyEditor

Editor of GuestPolicy resources

  • osconfig.guestPolicies.get
  • osconfig.guestPolicies.list
  • osconfig.guestPolicies.update
  • resourcemanager.projects.get
  • resourcemanager.projects.list

GuestPolicy Viewer

roles/osconfig.guestPolicyViewer

Viewer of GuestPolicy resources

  • osconfig.guestPolicies.get
  • osconfig.guestPolicies.list
  • resourcemanager.projects.get
  • resourcemanager.projects.list

InstanceOSPoliciesCompliance Viewer

roles/osconfig.instanceOSPoliciesComplianceViewer

Viewer of OS Policies Compliance of VM instances

  • osconfig.instanceOSPoliciesCompliances.*
  • resourcemanager.projects.get
  • resourcemanager.projects.list

OS Inventory Viewer

roles/osconfig.inventoryViewer

Viewer of OS Inventories

  • osconfig.inventories.*
  • resourcemanager.projects.get
  • resourcemanager.projects.list

OSPolicyAssignment Admin

roles/osconfig.osPolicyAssignmentAdmin

Full admin access to OS Policy Assignments

  • osconfig.osPolicyAssignments.*
  • resourcemanager.projects.get
  • resourcemanager.projects.list

OSPolicyAssignment Editor

roles/osconfig.osPolicyAssignmentEditor

Editor of OS Policy Assignments

  • osconfig.osPolicyAssignments.get
  • osconfig.osPolicyAssignments.list
  • osconfig.osPolicyAssignments.update
  • resourcemanager.projects.get
  • resourcemanager.projects.list

OSPolicyAssignmentReport Viewer

roles/osconfig.osPolicyAssignmentReportViewer

Viewer of OS policy assignment reports for VM instances

  • osconfig.osPolicyAssignmentReports.*
  • resourcemanager.projects.get
  • resourcemanager.projects.list

OSPolicyAssignment Viewer

roles/osconfig.osPolicyAssignmentViewer

Viewer of OS Policy Assignments

  • osconfig.osPolicyAssignments.get
  • osconfig.osPolicyAssignments.list
  • resourcemanager.projects.get
  • resourcemanager.projects.list

PatchDeployment Admin

roles/osconfig.patchDeploymentAdmin

Full admin access to PatchDeployments

  • osconfig.patchDeployments.*
  • resourcemanager.projects.get
  • resourcemanager.projects.list

PatchDeployment Viewer

roles/osconfig.patchDeploymentViewer

Viewer of PatchDeployment resources

  • osconfig.patchDeployments.get
  • osconfig.patchDeployments.list
  • resourcemanager.projects.get
  • resourcemanager.projects.list

Patch Job Executor

roles/osconfig.patchJobExecutor

Access to execute Patch Jobs.

  • osconfig.patchJobs.*
  • resourcemanager.projects.get
  • resourcemanager.projects.list

Patch Job Viewer

roles/osconfig.patchJobViewer

Get and list Patch Jobs.

  • osconfig.patchJobs.get
  • osconfig.patchJobs.list
  • resourcemanager.projects.get
  • resourcemanager.projects.list

OS VulnerabilityReport Viewer

roles/osconfig.vulnerabilityReportViewer

Viewer of OS VulnerabilityReports

  • osconfig.vulnerabilityReports.*
  • resourcemanager.projects.get
  • resourcemanager.projects.list

Container Analysis Admin

roles/containeranalysis.admin

Access to all Container Analysis resources.

  • containeranalysis.notes.attachOccurrence
  • containeranalysis.notes.create
  • containeranalysis.notes.delete
  • containeranalysis.notes.get
  • containeranalysis.notes.getIamPolicy
  • containeranalysis.notes.list
  • containeranalysis.notes.setIamPolicy
  • containeranalysis.notes.update
  • containeranalysis.occurrences.*
  • resourcemanager.projects.get
  • resourcemanager.projects.list

Container Analysis Notes Attacher

roles/containeranalysis.notes.attacher

Can attach Container Analysis Occurrences to Notes.

  • containeranalysis.notes.attachOccurrence
  • containeranalysis.notes.get

Container Analysis Notes Editor

roles/containeranalysis.notes.editor

Can edit Container Analysis Notes.

  • containeranalysis.notes.attachOccurrence
  • containeranalysis.notes.create
  • containeranalysis.notes.delete
  • containeranalysis.notes.get
  • containeranalysis.notes.list
  • containeranalysis.notes.update
  • resourcemanager.projects.get
  • resourcemanager.projects.list

Container Analysis Occurrences for Notes Viewer

roles/containeranalysis.notes.occurrences.viewer

Can view all Container Analysis Occurrences attached to a Note.

  • containeranalysis.notes.get
  • containeranalysis.notes.listOccurrences

Container Analysis Notes Viewer

roles/containeranalysis.notes.viewer

Can view Container Analysis Notes.

  • containeranalysis.notes.get
  • containeranalysis.notes.list
  • resourcemanager.projects.get
  • resourcemanager.projects.list

Container Analysis Occurrences Editor

roles/containeranalysis.occurrences.editor

Can edit Container Analysis Occurrences.

  • containeranalysis.occurrences.create
  • containeranalysis.occurrences.delete
  • containeranalysis.occurrences.get
  • containeranalysis.occurrences.list
  • containeranalysis.occurrences.update
  • resourcemanager.projects.get
  • resourcemanager.projects.list

Container Analysis Occurrences Viewer

roles/containeranalysis.occurrences.viewer

Can view Container Analysis Occurrences.

  • containeranalysis.occurrences.get
  • containeranalysis.occurrences.list
  • resourcemanager.projects.get
  • resourcemanager.projects.list

Data Catalog Admin

roles/datacatalog.admin

Full access to all DataCatalog resources

  • bigquery.connections.get
  • bigquery.connections.updateTag
  • bigquery.datasets.get
  • bigquery.datasets.updateTag
  • bigquery.models.getMetadata
  • bigquery.models.updateTag
  • bigquery.routines.get
  • bigquery.routines.updateTag
  • bigquery.tables.get
  • bigquery.tables.updateTag
  • datacatalog.categories.getIamPolicy
  • datacatalog.categories.setIamPolicy
  • datacatalog.entries.*
  • datacatalog.entryGroups.*
  • datacatalog.tagTemplates.*
  • datacatalog.taxonomies.*
  • pubsub.topics.get
  • pubsub.topics.updateTag
  • resourcemanager.projects.get
  • resourcemanager.projects.list

Policy Tag Admin

roles/datacatalog.categoryAdmin

Manage taxonomies

  • datacatalog.categories.getIamPolicy
  • datacatalog.categories.setIamPolicy
  • datacatalog.taxonomies.*
  • resourcemanager.projects.get
  • resourcemanager.projects.list

Fine-Grained Reader

roles/datacatalog.categoryFineGrainedReader

Read access to sub-resources tagged by a policy tag, for example, BigQuery columns

  • datacatalog.categories.fineGrainedGet

DataCatalog EntryGroup Creator

roles/datacatalog.entryGroupCreator

Can create new entryGroups

  • datacatalog.entryGroups.create
  • datacatalog.entryGroups.get
  • datacatalog.entryGroups.list
  • resourcemanager.projects.get
  • resourcemanager.projects.list

DataCatalog entryGroup Owner

roles/datacatalog.entryGroupOwner

Full access to entryGroups

  • datacatalog.entries.*
  • datacatalog.entryGroups.*
  • resourcemanager.projects.get
  • resourcemanager.projects.list

DataCatalog entry Owner

roles/datacatalog.entryOwner

Full access to entries

  • datacatalog.entries.*
  • datacatalog.entryGroups.get
  • resourcemanager.projects.get
  • resourcemanager.projects.list

DataCatalog Entry Viewer

roles/datacatalog.entryViewer

Read access to entries

  • datacatalog.entries.get
  • datacatalog.entries.list
  • datacatalog.entryGroups.get
  • resourcemanager.projects.get
  • resourcemanager.projects.list

Data Catalog Tag Editor

roles/datacatalog.tagEditor

Provides access to modify tags on Google Cloud assets for BigQuery and Pub/Sub

  • bigquery.connections.updateTag
  • bigquery.datasets.updateTag
  • bigquery.models.updateTag
  • bigquery.routines.updateTag
  • bigquery.tables.updateTag
  • datacatalog.entries.updateTag
  • pubsub.topics.updateTag

Data Catalog TagTemplate Creator

roles/datacatalog.tagTemplateCreator

Access to create new tag templates

  • datacatalog.tagTemplates.create
  • datacatalog.tagTemplates.get

Data Catalog TagTemplate Owner

roles/datacatalog.tagTemplateOwner

Full access to tag templates

  • datacatalog.tagTemplates.*
  • resourcemanager.projects.get
  • resourcemanager.projects.list

Data Catalog TagTemplate User

roles/datacatalog.tagTemplateUser

Access to use templates to tag resources

  • datacatalog.tagTemplates.get
  • datacatalog.tagTemplates.getTag
  • datacatalog.tagTemplates.use
  • resourcemanager.projects.get
  • resourcemanager.projects.list

Data Catalog TagTemplate Viewer

roles/datacatalog.tagTemplateViewer

Read access to templates and tags created using the templates

  • datacatalog.tagTemplates.get
  • datacatalog.tagTemplates.getTag
  • resourcemanager.projects.get
  • resourcemanager.projects.list

Data Catalog Viewer

roles/datacatalog.viewer

Provides metadata read access to catalogued Google Cloud assets for BigQuery and Pub/Sub

  • bigquery.connections.get
  • bigquery.datasets.get
  • bigquery.models.getMetadata
  • bigquery.routines.get
  • bigquery.tables.get
  • datacatalog.entries.get
  • datacatalog.entries.list
  • datacatalog.entryGroups.get
  • datacatalog.entryGroups.list
  • datacatalog.tagTemplates.get
  • datacatalog.tagTemplates.getTag
  • datacatalog.taxonomies.get
  • datacatalog.taxonomies.list
  • pubsub.topics.get
  • resourcemanager.projects.get
  • resourcemanager.projects.list

Database Migration Admin

roles/datamigration.admin

Full access to all resources of Database Migration.

  • datamigration.*
  • resourcemanager.projects.get
  • resourcemanager.projects.list

Data pipelines Admin

roles/datapipelines.admin

Administrator of datapipelines resources

  • datapipelines.*
  • resourcemanager.projects.get
  • resourcemanager.projects.list

Data pipelines Invoker

roles/datapipelines.invoker

Invoker of datapipelines jobs

  • datapipelines.pipelines.run
  • resourcemanager.projects.get
  • resourcemanager.projects.list

Data pipelines Viewer

roles/datapipelines.viewer

Viewer of datapipelines resources

  • datapipelines.pipelines.get
  • datapipelines.pipelines.list
  • resourcemanager.projects.get
  • resourcemanager.projects.list

Dataflow Admin

roles/dataflow.admin

Minimal role for creating and managing dataflow jobs.

  • compute.machineTypes.get
  • dataflow.*
  • resourcemanager.projects.get
  • resourcemanager.projects.list
  • storage.buckets.get
  • storage.objects.create
  • storage.objects.get
  • storage.objects.list

Dataflow Developer

roles/dataflow.developer

Provides the permissions necessary to execute and manipulate Dataflow jobs.

  • dataflow.*
  • resourcemanager.projects.get
  • resourcemanager.projects.list

Dataflow Viewer

roles/dataflow.viewer

Provides read-only access to all Dataflow-related resources.

  • dataflow.jobs.get
  • dataflow.jobs.list
  • dataflow.messages.*
  • dataflow.metrics.*
  • dataflow.snapshots.get
  • dataflow.snapshots.list
  • resourcemanager.projects.get
  • resourcemanager.projects.list

Dataflow Worker

roles/dataflow.worker

Provides the permissions necessary for a Compute Engine service account to execute work units for a Dataflow pipeline.

  • autoscaling.sites.readRecommendations
  • autoscaling.sites.writeMetrics
  • autoscaling.sites.writeState
  • compute.instanceGroupManagers.update
  • compute.instances.delete
  • compute.instances.setDiskAutoDelete
  • dataflow.jobs.get
  • logging.logEntries.create
  • storage.buckets.get
  • storage.objects.create
  • storage.objects.get

Dataprep User

roles/dataprep.projects.user

Use of Dataprep.

  • dataprep.*
  • resourcemanager.projects.get
  • serviceusage.quotas.get
  • serviceusage.services.get
  • serviceusage.services.list

Dataproc Administrator

roles/dataproc.admin

Full control of Dataproc resources.

  • compute.machineTypes.*
  • compute.networks.get
  • compute.networks.list
  • compute.projects.get
  • compute.regions.*
  • compute.zones.*
  • dataproc.autoscalingPolicies.*
  • dataproc.clusters.*
  • dataproc.jobs.*
  • dataproc.operations.*
  • dataproc.workflowTemplates.*
  • resourcemanager.projects.get
  • resourcemanager.projects.list

Dataproc Editor

roles/dataproc.editor

Provides the permissions necessary for viewing the resources required to manage Dataproc, including machine types, networks, projects, and zones.

  • compute.machineTypes.*
  • compute.networks.get
  • compute.networks.list
  • compute.projects.get
  • compute.regions.*
  • compute.zones.*
  • dataproc.autoscalingPolicies.create
  • dataproc.autoscalingPolicies.delete
  • dataproc.autoscalingPolicies.get
  • dataproc.autoscalingPolicies.list
  • dataproc.autoscalingPolicies.update
  • dataproc.autoscalingPolicies.use
  • dataproc.clusters.create
  • dataproc.clusters.delete
  • dataproc.clusters.get
  • dataproc.clusters.list
  • dataproc.clusters.start
  • dataproc.clusters.stop
  • dataproc.clusters.update
  • dataproc.clusters.use
  • dataproc.jobs.cancel
  • dataproc.jobs.create
  • dataproc.jobs.delete
  • dataproc.jobs.get
  • dataproc.jobs.list
  • dataproc.jobs.update
  • dataproc.operations.delete
  • dataproc.operations.get
  • dataproc.operations.list
  • dataproc.workflowTemplates.create
  • dataproc.workflowTemplates.delete
  • dataproc.workflowTemplates.get
  • dataproc.workflowTemplates.instantiate
  • dataproc.workflowTemplates.instantiateInline
  • dataproc.workflowTemplates.list
  • dataproc.workflowTemplates.update
  • resourcemanager.projects.get
  • resourcemanager.projects.list

Dataproc Hub Agent

roles/dataproc.hubAgent

Allows management of Dataproc resources. Intended for service accounts running Dataproc Hub instances.

  • compute.instances.get
  • compute.instances.setMetadata
  • compute.instances.setTags
  • compute.zoneOperations.get
  • compute.zones.list
  • dataproc.autoscalingPolicies.get
  • dataproc.autoscalingPolicies.list
  • dataproc.autoscalingPolicies.use
  • dataproc.clusters.create
  • dataproc.clusters.delete
  • dataproc.clusters.get
  • dataproc.clusters.list
  • dataproc.clusters.update
  • dataproc.operations.cancel
  • dataproc.operations.delete
  • dataproc.operations.get
  • dataproc.operations.list
  • iam.serviceAccounts.actAs
  • iam.serviceAccounts.get
  • iam.serviceAccounts.list
  • logging.buckets.get
  • logging.buckets.list
  • logging.exclusions.get
  • logging.exclusions.list
  • logging.locations.*
  • logging.logEntries.create
  • logging.logEntries.list
  • logging.logMetrics.get
  • logging.logMetrics.list
  • logging.logServiceIndexes.*
  • logging.logServices.*
  • logging.logs.list
  • logging.operations.get
  • logging.operations.list
  • logging.queries.create
  • logging.queries.delete
  • logging.queries.get
  • logging.queries.list
  • logging.queries.listShared
  • logging.queries.update
  • logging.sinks.get
  • logging.sinks.list
  • logging.usage.*
  • logging.views.get
  • logging.views.list
  • resourcemanager.projects.get
  • resourcemanager.projects.list
  • storage.buckets.get
  • storage.objects.get
  • storage.objects.list

Dataproc Viewer

roles/dataproc.viewer

Provides read-only access to Dataproc resources.

  • compute.machineTypes.get
  • compute.regions.*
  • compute.zones.*
  • dataproc.autoscalingPolicies.get
  • dataproc.autoscalingPolicies.list
  • dataproc.clusters.get
  • dataproc.clusters.list
  • dataproc.jobs.get
  • dataproc.jobs.list
  • dataproc.operations.get
  • dataproc.operations.list
  • dataproc.workflowTemplates.get
  • dataproc.workflowTemplates.list
  • resourcemanager.projects.get
  • resourcemanager.projects.list

Dataproc Worker

roles/dataproc.worker

Provides worker access to Dataproc resources. Intended for service accounts.

  • dataproc.agents.*
  • dataproc.tasks.*
  • logging.logEntries.create
  • monitoring.metricDescriptors.create
  • monitoring.metricDescriptors.get
  • monitoring.metricDescriptors.list
  • monitoring.monitoredResourceDescriptors.*
  • monitoring.timeSeries.create
  • storage.buckets.get
  • storage.multipartUploads.*
  • storage.objects.*

Dataproc Metastore Admin

roles/metastore.admin

Full access to all Dataproc Metastore resources.

  • metastore.*
  • resourcemanager.projects.get
  • resourcemanager.projects.list

Dataproc Metastore Editor

roles/metastore.editor

Read and write access to all Dataproc Metastore resources.

  • metastore.backups.*
  • metastore.imports.*
  • metastore.locations.*
  • metastore.operations.*
  • metastore.services.create
  • metastore.services.delete
  • metastore.services.export
  • metastore.services.get
  • metastore.services.getIamPolicy
  • metastore.services.list
  • metastore.services.restore
  • metastore.services.update
  • resourcemanager.projects.get
  • resourcemanager.projects.list

Dataproc Metastore Metadata Operator

roles/metastore.metadataOperator

Read-only access to Dataproc Metastore resources with additional metadata operations permission.

  • metastore.backups.*
  • metastore.imports.*
  • metastore.locations.*
  • metastore.operations.get
  • metastore.operations.list
  • metastore.services.export
  • metastore.services.get
  • metastore.services.getIamPolicy
  • metastore.services.list
  • metastore.services.restore
  • resourcemanager.projects.get
  • resourcemanager.projects.list

Dataproc Metastore Viewer

roles/metastore.user

Read-only access to all Dataproc Metastore resources.

  • metastore.backups.get
  • metastore.backups.list
  • metastore.imports.get
  • metastore.imports.list
  • metastore.locations.*
  • metastore.operations.get
  • metastore.operations.list
  • metastore.services.export
  • metastore.services.get
  • metastore.services.getIamPolicy
  • metastore.services.list
  • resourcemanager.projects.get
  • resourcemanager.projects.list

Cloud Datastore Import Export Admin

roles/datastore.importExportAdmin

Provides full access to manage imports and exports.

  • appengine.applications.get
  • datastore.databases.export
  • datastore.databases.import
  • datastore.operations.cancel
  • datastore.operations.get
  • datastore.operations.list
  • resourcemanager.projects.get
  • resourcemanager.projects.list

Cloud Datastore Index Admin

roles/datastore.indexAdmin

Provides full access to manage index definitions.

  • appengine.applications.get
  • datastore.indexes.*
  • resourcemanager.projects.get
  • resourcemanager.projects.list

Cloud Datastore Owner

roles/datastore.owner

Provides full access to Datastore resources.

  • appengine.applications.get
  • datastore.*
  • resourcemanager.projects.get
  • resourcemanager.projects.list

Cloud Datastore User

roles/datastore.user

Provides read/write access to data in a Datastore database.

  • appengine.applications.get
  • datastore.databases.get
  • datastore.databases.getMetadata
  • datastore.entities.*
  • datastore.indexes.list
  • datastore.namespaces.get
  • datastore.namespaces.list
  • datastore.statistics.*
  • resourcemanager.projects.get
  • resourcemanager.projects.list

Cloud Datastore Viewer

roles/datastore.viewer

Provides read access to Datastore resources.

  • appengine.applications.get
  • datastore.databases.get
  • datastore.databases.getMetadata
  • datastore.databases.list
  • datastore.entities.get
  • datastore.entities.list
  • datastore.indexes.get
  • datastore.indexes.list
  • datastore.namespaces.get
  • datastore.namespaces.list
  • datastore.statistics.*
  • resourcemanager.projects.get
  • resourcemanager.projects.list

Datastream Admin

roles/datastream.admin

Full access to all Datastream resources.

  • datastream.*
  • resourcemanager.projects.get
  • resourcemanager.projects.list

Datastream Viewer

roles/datastream.viewer

Read-only access to all Datastream resources.

  • datastream.connectionProfiles.destinationTypes
  • datastream.connectionProfiles.discover
  • datastream.connectionProfiles.get
  • datastream.connectionProfiles.getIamPolicy
  • datastream.connectionProfiles.list
  • datastream.connectionProfiles.listStaticServiceIps
  • datastream.connectionProfiles.sourceTypes
  • datastream.locations.*
  • datastream.operations.get
  • datastream.operations.list
  • datastream.privateConnections.get
  • datastream.privateConnections.getIamPolicy
  • datastream.privateConnections.list
  • datastream.routes.get
  • datastream.routes.getIamPolicy
  • datastream.routes.list
  • datastream.streams.fetchErrors
  • datastream.streams.get
  • datastream.streams.getIamPolicy
  • datastream.streams.list
  • resourcemanager.projects.get
  • resourcemanager.projects.list

Deployment Manager Editor

roles/deploymentmanager.editor

Provides the permissions necessary to create and manage deployments.

  • deploymentmanager.compositeTypes.*
  • deploymentmanager.deployments.cancelPreview
  • deploymentmanager.deployments.create
  • deploymentmanager.deployments.delete
  • deploymentmanager.deployments.get
  • deploymentmanager.deployments.list
  • deploymentmanager.deployments.stop
  • deploymentmanager.deployments.update
  • deploymentmanager.manifests.*
  • deploymentmanager.operations.*
  • deploymentmanager.resources.*
  • deploymentmanager.typeProviders.*
  • deploymentmanager.types.*
  • resourcemanager.projects.get
  • resourcemanager.projects.list
  • serviceusage.quotas.get
  • serviceusage.services.get
  • serviceusage.services.list

Deployment Manager Type Editor

roles/deploymentmanager.typeEditor

Provides read and write access to all Type Registry resources.

  • deploymentmanager.compositeTypes.*
  • deploymentmanager.operations.get
  • deploymentmanager.typeProviders.*
  • deploymentmanager.types.*
  • resourcemanager.projects.get
  • resourcemanager.projects.list
  • serviceusage.quotas.get
  • serviceusage.services.get

Deployment Manager Type Viewer

roles/deploymentmanager.typeViewer

Provides read-only access to all Type Registry resources.

  • deploymentmanager.compositeTypes.get
  • deploymentmanager.compositeTypes.list
  • deploymentmanager.typeProviders.get
  • deploymentmanager.typeProviders.getType
  • deploymentmanager.typeProviders.list
  • deploymentmanager.typeProviders.listTypes
  • deploymentmanager.types.get
  • deploymentmanager.types.list
  • resourcemanager.projects.get
  • resourcemanager.projects.list
  • serviceusage.quotas.get
  • serviceusage.services.get

Deployment Manager Viewer

roles/deploymentmanager.viewer

Provides read-only access to all Deployment Manager-related resources.

  • deploymentmanager.compositeTypes.get
  • deploymentmanager.compositeTypes.list
  • deploymentmanager.deployments.get
  • deploymentmanager.deployments.list
  • deploymentmanager.manifests.*
  • deploymentmanager.operations.*
  • deploymentmanager.resources.*
  • deploymentmanager.typeProviders.get
  • deploymentmanager.typeProviders.getType
  • deploymentmanager.typeProviders.list
  • deploymentmanager.typeProviders.listTypes
  • deploymentmanager.types.get
  • deploymentmanager.types.list
  • resourcemanager.projects.get
  • resourcemanager.projects.list
  • serviceusage.quotas.get
  • serviceusage.services.get
  • serviceusage.services.list

AAM Admin

roles/dialogflow.aamAdmin

An admin has access to all resources and can perform all administrative actions in an AAM project.

  • dialogflow.agents.export
  • dialogflow.agents.get
  • dialogflow.agents.list
  • dialogflow.agents.search
  • dialogflow.agents.searchResources
  • dialogflow.answerrecords.get
  • dialogflow.answerrecords.list
  • dialogflow.callMatchers.list
  • dialogflow.changelogs.*
  • dialogflow.contexts.get
  • dialogflow.contexts.list
  • dialogflow.conversationDatasets.get
  • dialogflow.conversationDatasets.list
  • dialogflow.conversationModels.get
  • dialogflow.conversationModels.list
  • dialogflow.conversationProfiles.get
  • dialogflow.conversationProfiles.list
  • dialogflow.conversations.get
  • dialogflow.conversations.list
  • dialogflow.documents.get
  • dialogflow.documents.list
  • dialogflow.entityTypes.get
  • dialogflow.entityTypes.list
  • dialogflow.environments.get
  • dialogflow.environments.list
  • dialogflow.flows.get
  • dialogflow.flows.list
  • dialogflow.fulfillments.get
  • dialogflow.intents.get
  • dialogflow.intents.list
  • dialogflow.knowledgeBases.get
  • dialogflow.knowledgeBases.list
  • dialogflow.messages.*
  • dialogflow.modelEvaluations.*
  • dialogflow.operations.*
  • dialogflow.pages.get
  • dialogflow.pages.list
  • dialogflow.participants.get
  • dialogflow.participants.list
  • dialogflow.phoneNumberOrders.get
  • dialogflow.phoneNumberOrders.list
  • dialogflow.phoneNumbers.list
  • dialogflow.securitySettings.get
  • dialogflow.securitySettings.list
  • dialogflow.sessionEntityTypes.get
  • dialogflow.sessionEntityTypes.list
  • dialogflow.smartMessagingEntries.get
  • dialogflow.smartMessagingEntries.list
  • dialogflow.transitionRouteGroups.get
  • dialogflow.transitionRouteGroups.list
  • dialogflow.versions.get
  • dialogflow.versions.list
  • dialogflow.webhooks.get
  • dialogflow.webhooks.list
  • resourcemanager.projects.get
  • resourcemanager.projects.list

AAM Conversational Architect

roles/dialogflow.aamConversationalArchitect

A Conversational Architect can label conversational data, approve taxonomy changes and design virtual agents for a customer's use cases.

  • dialogflow.agents.export
  • dialogflow.agents.get
  • dialogflow.agents.list
  • dialogflow.agents.search
  • dialogflow.agents.searchResources
  • dialogflow.answerrecords.get
  • dialogflow.answerrecords.list
  • dialogflow.callMatchers.list
  • dialogflow.changelogs.*
  • dialogflow.contexts.get
  • dialogflow.contexts.list
  • dialogflow.conversationDatasets.get
  • dialogflow.conversationDatasets.list
  • dialogflow.conversationModels.get
  • dialogflow.conversationModels.list
  • dialogflow.conversationProfiles.get
  • dialogflow.conversationProfiles.list
  • dialogflow.conversations.get
  • dialogflow.conversations.list
  • dialogflow.documents.get
  • dialogflow.documents.list
  • dialogflow.entityTypes.get
  • dialogflow.entityTypes.list
  • dialogflow.environments.get
  • dialogflow.environments.list
  • dialogflow.flows.get
  • dialogflow.flows.list
  • dialogflow.fulfillments.get
  • dialogflow.intents.get
  • dialogflow.intents.list
  • dialogflow.knowledgeBases.get
  • dialogflow.knowledgeBases.list
  • dialogflow.messages.*
  • dialogflow.modelEvaluations.*
  • dialogflow.operations.*
  • dialogflow.pages.get
  • dialogflow.pages.list
  • dialogflow.participants.get
  • dialogflow.participants.list
  • dialogflow.phoneNumberOrders.get
  • dialogflow.phoneNumberOrders.list
  • dialogflow.phoneNumbers.list
  • dialogflow.securitySettings.get
  • dialogflow.securitySettings.list
  • dialogflow.sessionEntityTypes.get
  • dialogflow.sessionEntityTypes.list
  • dialogflow.smartMessagingEntries.get
  • dialogflow.smartMessagingEntries.list
  • dialogflow.transitionRouteGroups.get
  • dialogflow.transitionRouteGroups.list
  • dialogflow.versions.get
  • dialogflow.versions.list
  • dialogflow.webhooks.get
  • dialogflow.webhooks.list
  • resourcemanager.projects.get
  • resourcemanager.projects.list

AAM Dialog Designer

roles/dialogflow.aamDialogDesigner

A Dialog Designer can label conversational data and propose taxonomy changes for virtual agent modeling.

  • dialogflow.agents.export
  • dialogflow.agents.get
  • dialogflow.agents.list
  • dialogflow.agents.search
  • dialogflow.agents.searchResources
  • dialogflow.answerrecords.get
  • dialogflow.answerrecords.list
  • dialogflow.callMatchers.list
  • dialogflow.changelogs.*
  • dialogflow.contexts.get
  • dialogflow.contexts.list
  • dialogflow.conversationDatasets.get
  • dialogflow.conversationDatasets.list
  • dialogflow.conversationModels.get
  • dialogflow.conversationModels.list
  • dialogflow.conversationProfiles.get
  • dialogflow.conversationProfiles.list
  • dialogflow.conversations.get
  • dialogflow.conversations.list
  • dialogflow.documents.get
  • dialogflow.documents.list
  • dialogflow.entityTypes.get
  • dialogflow.entityTypes.list
  • dialogflow.environments.get
  • dialogflow.environments.list
  • dialogflow.flows.get
  • dialogflow.flows.list
  • dialogflow.fulfillments.get
  • dialogflow.intents.get
  • dialogflow.intents.list
  • dialogflow.knowledgeBases.get
  • dialogflow.knowledgeBases.list
  • dialogflow.messages.*
  • dialogflow.modelEvaluations.*
  • dialogflow.operations.*
  • dialogflow.pages.get
  • dialogflow.pages.list
  • dialogflow.participants.get
  • dialogflow.participants.list
  • dialogflow.phoneNumberOrders.get
  • dialogflow.phoneNumberOrders.list
  • dialogflow.phoneNumbers.list
  • dialogflow.securitySettings.get
  • dialogflow.securitySettings.list
  • dialogflow.sessionEntityTypes.get
  • dialogflow.sessionEntityTypes.list
  • dialogflow.smartMessagingEntries.get
  • dialogflow.smartMessagingEntries.list
  • dialogflow.transitionRouteGroups.get
  • dialogflow.transitionRouteGroups.list
  • dialogflow.versions.get
  • dialogflow.versions.list
  • dialogflow.webhooks.get
  • dialogflow.webhooks.list
  • resourcemanager.projects.get
  • resourcemanager.projects.list

AAM Lead Dialog Designer

roles/dialogflow.aamLeadDialogDesigner

A Dialog Designer Lead can label conversational data and approve taxonomy changes for virtual agent modeling.

  • dialogflow.agents.export
  • dialogflow.agents.get
  • dialogflow.agents.list
  • dialogflow.agents.search
  • dialogflow.agents.searchResources
  • dialogflow.answerrecords.get
  • dialogflow.answerrecords.list
  • dialogflow.callMatchers.list
  • dialogflow.changelogs.*
  • dialogflow.contexts.get
  • dialogflow.contexts.list
  • dialogflow.conversationDatasets.get
  • dialogflow.conversationDatasets.list
  • dialogflow.conversationModels.get
  • dialogflow.conversationModels.list
  • dialogflow.conversationProfiles.get
  • dialogflow.conversationProfiles.list
  • dialogflow.conversations.get
  • dialogflow.conversations.list
  • dialogflow.documents.get
  • dialogflow.documents.list
  • dialogflow.entityTypes.get
  • dialogflow.entityTypes.list
  • dialogflow.environments.get
  • dialogflow.environments.list
  • dialogflow.flows.get
  • dialogflow.flows.list
  • dialogflow.fulfillments.get
  • dialogflow.intents.get
  • dialogflow.intents.list
  • dialogflow.knowledgeBases.get
  • dialogflow.knowledgeBases.list
  • dialogflow.messages.*
  • dialogflow.modelEvaluations.*
  • dialogflow.operations.*
  • dialogflow.pages.get
  • dialogflow.pages.list
  • dialogflow.participants.get
  • dialogflow.participants.list
  • dialogflow.phoneNumberOrders.get
  • dialogflow.phoneNumberOrders.list
  • dialogflow.phoneNumbers.list
  • dialogflow.securitySettings.get
  • dialogflow.securitySettings.list
  • dialogflow.sessionEntityTypes.get
  • dialogflow.sessionEntityTypes.list
  • dialogflow.smartMessagingEntries.get
  • dialogflow.smartMessagingEntries.list
  • dialogflow.transitionRouteGroups.get
  • dialogflow.transitionRouteGroups.list
  • dialogflow.versions.get
  • dialogflow.versions.list
  • dialogflow.webhooks.get
  • dialogflow.webhooks.list
  • resourcemanager.projects.get
  • resourcemanager.projects.list

AAM Viewer

roles/dialogflow.aamViewer

A user can view the taxonomy and data reports in an AAM project.

  • dialogflow.agents.export
  • dialogflow.agents.get
  • dialogflow.agents.list
  • dialogflow.agents.search
  • dialogflow.agents.searchResources
  • dialogflow.answerrecords.get
  • dialogflow.answerrecords.list
  • dialogflow.callMatchers.list
  • dialogflow.changelogs.*
  • dialogflow.contexts.get
  • dialogflow.contexts.list
  • dialogflow.conversationDatasets.get
  • dialogflow.conversationDatasets.list
  • dialogflow.conversationModels.get
  • dialogflow.conversationModels.list
  • dialogflow.conversationProfiles.get
  • dialogflow.conversationProfiles.list
  • dialogflow.conversations.get
  • dialogflow.conversations.list
  • dialogflow.documents.get
  • dialogflow.documents.list
  • dialogflow.entityTypes.get
  • dialogflow.entityTypes.list
  • dialogflow.environments.get
  • dialogflow.environments.list
  • dialogflow.flows.get
  • dialogflow.flows.list
  • dialogflow.fulfillments.get
  • dialogflow.intents.get
  • dialogflow.intents.list
  • dialogflow.knowledgeBases.get
  • dialogflow.knowledgeBases.list
  • dialogflow.messages.*
  • dialogflow.modelEvaluations.*
  • dialogflow.operations.*
  • dialogflow.pages.get
  • dialogflow.pages.list
  • dialogflow.participants.get
  • dialogflow.participants.list
  • dialogflow.phoneNumberOrders.get
  • dialogflow.phoneNumberOrders.list
  • dialogflow.phoneNumbers.list
  • dialogflow.securitySettings.get
  • dialogflow.securitySettings.list
  • dialogflow.sessionEntityTypes.get
  • dialogflow.sessionEntityTypes.list
  • dialogflow.smartMessagingEntries.get
  • dialogflow.smartMessagingEntries.list
  • dialogflow.transitionRouteGroups.get
  • dialogflow.transitionRouteGroups.list
  • dialogflow.versions.get
  • dialogflow.versions.list
  • dialogflow.webhooks.get
  • dialogflow.webhooks.list
  • resourcemanager.projects.get
  • resourcemanager.projects.list

Dialogflow API Admin

roles/dialogflow.admin

Grant to Dialogflow API admins that need full access to Dialogflow-specific resources. Also see Dialogflow access control.

  • dialogflow.*
  • resourcemanager.projects.get

Dialogflow API Client

roles/dialogflow.client

Grant to Dialogflow API clients that perform Dialogflow-specific edits and detect intent calls using the API. Also see Dialogflow access control.

  • dialogflow.contexts.*
  • dialogflow.conversations.*
  • dialogflow.messages.*
  • dialogflow.participants.*
  • dialogflow.sessionEntityTypes.*
  • dialogflow.sessions.*

Dialogflow Console Agent Editor

roles/dialogflow.consoleAgentEditor

Grant to Dialogflow Console editors that edit existing agents. Also see Dialogflow access control.

  • actions.agentVersions.create
  • dialogflow.*
  • resourcemanager.projects.get

Dialogflow Console Simulator User

roles/dialogflow.consoleSimulatorUser

Can query Dialogflow suggestions in the simulator in the web console.

  • dialogflow.conversationModels.get
  • dialogflow.conversationModels.list
  • dialogflow.conversationProfiles.get
  • dialogflow.conversationProfiles.list
  • dialogflow.conversations.*
  • dialogflow.documents.get
  • dialogflow.documents.list
  • dialogflow.knowledgeBases.get
  • dialogflow.knowledgeBases.list
  • dialogflow.participants.*
  • dialogflow.sessions.detectIntent
  • resourcemanager.projects.get
  • resourcemanager.projects.list

Dialogflow Console Smart Messaging Allowlist Editor

roles/dialogflow.consoleSmartMessagingAllowlistEditor

Can edit the allowlist for smart messaging associated with a conversation model in the Agent Assist console.

  • dialogflow.conversationDatasets.get
  • dialogflow.conversationDatasets.list
  • dialogflow.conversationModels.get
  • dialogflow.conversationModels.list
  • dialogflow.conversationProfiles.list
  • dialogflow.documents.get
  • dialogflow.documents.list
  • dialogflow.operations.*
  • dialogflow.smartMessagingEntries.*
  • resourcemanager.projects.get
  • resourcemanager.projects.list

Dialogflow Conversation Manager

roles/dialogflow.conversationManager

Can manage all the resources related to Dialogflow Conversations.

  • dialogflow.conversationProfiles.*
  • dialogflow.conversations.*
  • dialogflow.participants.*

Dialogflow Entity Type Admin

roles/dialogflow.entityTypeAdmin

Can read & write entity types.

  • dialogflow.entityTypes.*

Dialogflow Environment editor

roles/dialogflow.environmentEditor

Can read & update environment and its sub-resources.

  • dialogflow.environments.get
  • dialogflow.environments.getHistory
  • dialogflow.environments.list
  • dialogflow.environments.lookupHistory
  • dialogflow.environments.update

Dialogflow Flow editor

roles/dialogflow.flowEditor

Can read & update flow and its sub-resources.

  • dialogflow.flows.get
  • dialogflow.flows.list
  • dialogflow.flows.train
  • dialogflow.flows.update
  • dialogflow.flows.validate
  • dialogflow.pages.*
  • dialogflow.transitionRouteGroups.*
  • dialogflow.versions.*

Dialogflow Integration Manager

roles/dialogflow.integrationManager

Can add, remove, enable and disable Dialogflow integrations.

Dialogflow Intent Admin

roles/dialogflow.intentAdmin

Can read & write intents.

  • dialogflow.intents.*

Dialogflow API Reader

roles/dialogflow.reader

Grant to Dialogflow API clients that perform Dialogflow-specific read-only calls using the API. Also see Dialogflow access control.

  • dialogflow.agents.export
  • dialogflow.agents.get
  • dialogflow.agents.list
  • dialogflow.agents.search
  • dialogflow.agents.searchResources
  • dialogflow.answerrecords.get
  • dialogflow.answerrecords.list
  • dialogflow.callMatchers.list
  • dialogflow.changelogs.*
  • dialogflow.contexts.get
  • dialogflow.contexts.list
  • dialogflow.conversationDatasets.get
  • dialogflow.conversationDatasets.list
  • dialogflow.conversationModels.get
  • dialogflow.conversationModels.list
  • dialogflow.conversationProfiles.get
  • dialogflow.conversationProfiles.list
  • dialogflow.conversations.get
  • dialogflow.conversations.list
  • dialogflow.documents.get
  • dialogflow.documents.list
  • dialogflow.entityTypes.get
  • dialogflow.entityTypes.list
  • dialogflow.environments.get
  • dialogflow.environments.list
  • dialogflow.flows.get
  • dialogflow.flows.list
  • dialogflow.fulfillments.get
  • dialogflow.intents.get
  • dialogflow.intents.list
  • dialogflow.knowledgeBases.get
  • dialogflow.knowledgeBases.list
  • dialogflow.messages.*
  • dialogflow.modelEvaluations.*
  • dialogflow.operations.*
  • dialogflow.pages.get
  • dialogflow.pages.list
  • dialogflow.participants.get
  • dialogflow.participants.list
  • dialogflow.phoneNumberOrders.get
  • dialogflow.phoneNumberOrders.list
  • dialogflow.phoneNumbers.list
  • dialogflow.securitySettings.get
  • dialogflow.securitySettings.list
  • dialogflow.sessionEntityTypes.get
  • dialogflow.sessionEntityTypes.list
  • dialogflow.smartMessagingEntries.get
  • dialogflow.smartMessagingEntries.list
  • dialogflow.transitionRouteGroups.get
  • dialogflow.transitionRouteGroups.list
  • dialogflow.versions.get
  • dialogflow.versions.list
  • dialogflow.webhooks.get
  • dialogflow.webhooks.list
  • resourcemanager.projects.get

Dialogflow Test Case Admin

roles/dialogflow.testCaseAdmin

Can read & write test cases.

Dialogflow Webhook Admin

roles/dialogflow.webhookAdmin

Can read & write webhooks.

  • dialogflow.webhooks.*

DNS Administrator

roles/dns.admin

Provides read-write access to all Cloud DNS resources.

  • compute.networks.get
  • compute.networks.list
  • dns.changes.*
  • dns.dnsKeys.*
  • dns.managedZoneOperations.*
  • dns.managedZones.*
  • dns.networks.*
  • dns.policies.create
  • dns.policies.delete
  • dns.policies.get
  • dns.policies.list
  • dns.policies.update
  • dns.projects.*
  • dns.resourceRecordSets.*
  • dns.responsePolicies.*
  • dns.responsePolicyRules.*
  • resourcemanager.projects.get
  • resourcemanager.projects.list

DNS Peer

roles/dns.peer

Access to target networks with DNS peering zones

  • dns.networks.targetWithPeeringZone

DNS Reader

roles/dns.reader

Provides read-only access to all Cloud DNS resources.

  • compute.networks.get
  • dns.changes.get
  • dns.changes.list
  • dns.dnsKeys.*
  • dns.managedZoneOperations.*
  • dns.managedZones.get
  • dns.managedZones.list
  • dns.policies.get
  • dns.policies.list
  • dns.projects.*
  • dns.resourceRecordSets.get
  • dns.resourceRecordSets.list
  • dns.responsePolicies.get
  • dns.responsePolicies.list
  • dns.responsePolicyRules.get
  • dns.responsePolicyRules.list
  • resourcemanager.projects.get
  • resourcemanager.projects.list

Cloud DocumentAI Administrator.

roles/documentai.admin

Grants full access to all resources in Cloud DocumentAI

  • documentai.*
  • resourcemanager.projects.get
  • resourcemanager.projects.list

Cloud DocumentAI API User

roles/documentai.apiUser

Grants access to process documents in Cloud DocumentAI

  • documentai.humanReviewConfigs.review
  • documentai.operations.*
  • documentai.processorVersions.processBatch
  • documentai.processorVersions.processOnline
  • documentai.processors.processBatch
  • documentai.processors.processOnline

Cloud DocumentAI Editor

roles/documentai.editor

Grants access to use all resources in Cloud DocumentAI

  • documentai.*
  • resourcemanager.projects.get
  • resourcemanager.projects.list

Cloud DocumentAI Viewer

roles/documentai.viewer

Grants access to view all resources and process documents in Cloud DocumentAI

  • documentai.evaluations.get
  • documentai.evaluations.list
  • documentai.humanReviewConfigs.get
  • documentai.humanReviewConfigs.review
  • documentai.labelerPools.get
  • documentai.labelerPools.list
  • documentai.locations.*
  • documentai.operations.*
  • documentai.processorTypes.*
  • documentai.processorVersions.get
  • documentai.processorVersions.list
  • documentai.processorVersions.processBatch
  • documentai.processorVersions.processOnline
  • documentai.processors.fetchHumanReviewDetails
  • documentai.processors.get
  • documentai.processors.list
  • documentai.processors.processBatch
  • documentai.processors.processOnline
  • resourcemanager.projects.get
  • resourcemanager.projects.list

Earth Engine Resource Admin

roles/earthengine.admin

Full access to all Earth Engine resource features

  • earthengine.*
  • resourcemanager.projects.get
  • resourcemanager.projects.list

Earth Engine Apps Publisher

roles/earthengine.appsPublisher

Publisher of Earth Engine Apps

  • iam.serviceAccounts.create
  • iam.serviceAccounts.disable
  • iam.serviceAccounts.enable
  • iam.serviceAccounts.get
  • iam.serviceAccounts.getIamPolicy
  • iam.serviceAccounts.setIamPolicy
  • resourcemanager.projects.get

Earth Engine Resource Viewer

roles/earthengine.viewer

Viewer of all Earth Engine resources

  • earthengine.assets.get
  • earthengine.assets.getIamPolicy
  • earthengine.assets.list
  • earthengine.computations.*
  • earthengine.filmstripthumbnails.get
  • earthengine.maps.get
  • earthengine.operations.get
  • earthengine.operations.list
  • earthengine.tables.get
  • earthengine.thumbnails.get
  • earthengine.videothumbnails.get
  • resourcemanager.projects.get
  • resourcemanager.projects.list

Earth Engine Resource Writer

roles/earthengine.writer

Writer of all Earth Engine resources

  • earthengine.assets.create
  • earthengine.assets.delete
  • earthengine.assets.get
  • earthengine.assets.getIamPolicy
  • earthengine.assets.list
  • earthengine.assets.update
  • earthengine.computations.*
  • earthengine.exports.*
  • earthengine.filmstripthumbnails.*
  • earthengine.imports.*
  • earthengine.maps.*
  • earthengine.operations.*
  • earthengine.tables.*
  • earthengine.thumbnails.*
  • earthengine.videothumbnails.*
  • resourcemanager.projects.get
  • resourcemanager.projects.list

Endpoints Portal Admin

roles/endpoints.portalAdmin

Provides all permissions needed to add, view, and delete custom domains on the Endpoints > Developer Portal page in the Cloud Console. On a portal created for an API, provides the permission to change settings on the Site Wide tab on the Settings page.

  • endpoints.*
  • resourcemanager.projects.get
  • resourcemanager.projects.list
  • servicemanagement.services.get

Error Reporting Admin

roles/errorreporting.admin

Provides full access to Error Reporting data.

  • cloudnotifications.*
  • errorreporting.*
  • logging.notificationRules.*
  • resourcemanager.projects.get
  • resourcemanager.projects.list
  • stackdriver.projects.get

Error Reporting User

roles/errorreporting.user

Provides the permissions to read and write Error Reporting data, except for sending new error events.

  • cloudnotifications.*
  • errorreporting.applications.*
  • errorreporting.errorEvents.delete
  • errorreporting.errorEvents.list
  • errorreporting.groupMetadata.*
  • errorreporting.groups.*
  • logging.notificationRules.*
  • resourcemanager.projects.get
  • resourcemanager.projects.list
  • stackdriver.projects.get

Error Reporting Viewer

roles/errorreporting.viewer

Provides read-only access to Error Reporting data.

  • cloudnotifications.*
  • errorreporting.applications.*
  • errorreporting.errorEvents.list
  • errorreporting.groupMetadata.get
  • errorreporting.groups.*
  • logging.notificationRules.get
  • logging.notificationRules.list
  • resourcemanager.projects.get
  • resourcemanager.projects.list
  • stackdriver.projects.get

Error Reporting Writer

roles/errorreporting.writer

Provides the permissions to send error events to Error Reporting.

  • errorreporting.errorEvents.create

Eventarc Admin

roles/eventarc.admin

Full control over all Eventarc resources.

  • eventarc.*
  • resourcemanager.projects.get
  • resourcemanager.projects.list

Eventarc Developer

roles/eventarc.developer

Access to read and write Eventarc resources.

  • eventarc.locations.*
  • eventarc.operations.*
  • eventarc.triggers.create
  • eventarc.triggers.delete
  • eventarc.triggers.get
  • eventarc.triggers.getIamPolicy
  • eventarc.triggers.list
  • eventarc.triggers.undelete
  • eventarc.triggers.update
  • resourcemanager.projects.get
  • resourcemanager.projects.list

Eventarc Event Receiver

roles/eventarc.eventReceiver

Can receive events from all event providers.

  • eventarc.events.*

Eventarc Viewer

roles/eventarc.viewer

Can view the state of all Eventarc resources, including IAM policies.

  • eventarc.locations.*
  • eventarc.operations.get
  • eventarc.operations.list
  • eventarc.triggers.get
  • eventarc.triggers.getIamPolicy
  • eventarc.triggers.list
  • resourcemanager.projects.get
  • resourcemanager.projects.list

Firebase Admin

roles/firebase.admin

Full access to Firebase products.

  • apikeys.keys.get
  • apikeys.keys.list
  • apikeys.keys.lookup
  • appengine.applications.get
  • automl.*
  • clientauthconfig.brands.get
  • clientauthconfig.brands.list
  • clientauthconfig.brands.update
  • clientauthconfig.clients.create
  • clientauthconfig.clients.delete
  • clientauthconfig.clients.get
  • clientauthconfig.clients.list
  • clientauthconfig.clients.update
  • cloudbuild.builds.get
  • cloudbuild.builds.list
  • cloudconfig.*
  • cloudfunctions.*
  • cloudmessaging.*
  • cloudnotifications.*
  • cloudtestservice.*
  • cloudtoolresults.*
  • datastore.*
  • errorreporting.groups.*
  • eventarc.*
  • fcmdata.*
  • firebase.*
  • firebaseabt.*
  • firebaseanalytics.*
  • firebaseappcheck.*
  • firebaseappdistro.*
  • firebaseauth.*
  • firebasecrash.*
  • firebasecrashlytics.*
  • firebasedatabase.*
  • firebasedynamiclinks.*
  • firebaseextensions.*
  • firebasehosting.*
  • firebaseinappmessaging.*
  • firebaseml.*
  • firebasenotifications.*
  • firebaseperformance.*
  • firebasepredictions.*
  • firebaserules.*
  • firebasestorage.*
  • logging.logEntries.list
  • monitoring.timeSeries.list
  • recommender.locations.*
  • remotebuildexecution.blobs.get
  • resourcemanager.projects.get
  • resourcemanager.projects.getIamPolicy
  • resourcemanager.projects.list
  • run.*
  • runtimeconfig.configs.create
  • runtimeconfig.configs.delete
  • runtimeconfig.configs.get
  • runtimeconfig.configs.list
  • runtimeconfig.configs.update
  • runtimeconfig.operations.*
  • runtimeconfig.variables.create
  • runtimeconfig.variables.delete
  • runtimeconfig.variables.get
  • runtimeconfig.variables.list
  • runtimeconfig.variables.update
  • runtimeconfig.variables.watch
  • runtimeconfig.waiters.create
  • runtimeconfig.waiters.delete
  • runtimeconfig.waiters.get
  • runtimeconfig.waiters.list
  • runtimeconfig.waiters.update
  • serviceusage.operations.get
  • serviceusage.operations.list
  • serviceusage.quotas.get
  • serviceusage.services.get
  • serviceusage.services.list
  • storage.buckets.*
  • storage.multipartUploads.*
  • storage.objects.*

Firebase Analytics Admin

roles/firebase.analyticsAdmin

Full access to Google Analytics for Firebase.

  • cloudnotifications.*
  • firebase.billingPlans.get
  • firebase.clients.get
  • firebase.clients.list
  • firebase.links.list
  • firebase.playLinks.get
  • firebase.playLinks.list
  • firebase.projects.get
  • firebaseanalytics.*
  • firebaseextensions.configs.list
  • resourcemanager.projects.get
  • resourcemanager.projects.getIamPolicy
  • resourcemanager.projects.list

Firebase Analytics Viewer

roles/firebase.analyticsViewer

Read access to Google Analytics for Firebase.

  • cloudnotifications.*
  • firebase.billingPlans.get
  • firebase.clients.get
  • firebase.clients.list
  • firebase.links.list
  • firebase.playLinks.get
  • firebase.playLinks.list
  • firebase.projects.get
  • firebaseanalytics.resources.googleAnalyticsReadAndAnalyze
  • firebaseextensions.configs.list
  • resourcemanager.projects.get
  • resourcemanager.projects.getIamPolicy
  • resourcemanager.projects.list

Firebase Develop Admin

roles/firebase.developAdmin

Full access to Firebase Develop products and Analytics.

  • apikeys.keys.get
  • apikeys.keys.list
  • apikeys.keys.lookup
  • appengine.applications.get
  • automl.*
  • clientauthconfig.brands.get
  • clientauthconfig.brands.list
  • clientauthconfig.brands.update
  • clientauthconfig.clients.get
  • clientauthconfig.clients.list
  • cloudbuild.builds.get
  • cloudbuild.builds.list
  • cloudfunctions.*
  • cloudnotifications.*
  • datastore.*
  • errorreporting.groups.*
  • eventarc.*
  • firebase.billingPlans.get
  • firebase.clients.get
  • firebase.clients.list
  • firebase.links.list
  • firebase.playLinks.get
  • firebase.playLinks.list
  • firebase.projects.get
  • firebaseanalytics.*
  • firebaseappcheck.*
  • firebaseauth.*
  • firebasedatabase.*
  • firebaseextensions.configs.list
  • firebasehosting.*
  • firebaseml.*
  • firebaserules.*
  • firebasestorage.*
  • logging.logEntries.list
  • monitoring.timeSeries.list
  • recommender.locations.*
  • remotebuildexecution.blobs.get
  • resourcemanager.projects.get
  • resourcemanager.projects.getIamPolicy
  • resourcemanager.projects.list
  • run.*
  • runtimeconfig.configs.create
  • runtimeconfig.configs.delete
  • runtimeconfig.configs.get
  • runtimeconfig.configs.list
  • runtimeconfig.configs.update
  • runtimeconfig.operations.*
  • runtimeconfig.variables.create
  • runtimeconfig.variables.delete
  • runtimeconfig.variables.get
  • runtimeconfig.variables.list
  • runtimeconfig.variables.update
  • runtimeconfig.variables.watch
  • runtimeconfig.waiters.create
  • runtimeconfig.waiters.delete
  • runtimeconfig.waiters.get
  • runtimeconfig.waiters.list
  • runtimeconfig.waiters.update
  • serviceusage.operations.get
  • serviceusage.operations.list
  • serviceusage.quotas.get
  • serviceusage.services.get
  • serviceusage.services.list
  • storage.buckets.*
  • storage.multipartUploads.*
  • storage.objects.*

Firebase Develop Viewer

roles/firebase.developViewer

Read access to Firebase Develop products and Analytics.

  • automl.annotationSpecs.get
  • automl.annotationSpecs.list
  • automl.annotations.list
  • automl.columnSpecs.get
  • automl.columnSpecs.list
  • automl.datasets.get
  • automl.datasets.list
  • automl.examples.get
  • automl.examples.list
  • automl.humanAnnotationTasks.get
  • automl.humanAnnotationTasks.list
  • automl.locations.get
  • automl.locations.list
  • automl.modelEvaluations.get
  • automl.modelEvaluations.list
  • automl.models.get
  • automl.models.list
  • automl.operations.get
  • automl.operations.list
  • automl.tableSpecs.get
  • automl.tableSpecs.list
  • clientauthconfig.brands.get
  • clientauthconfig.brands.list
  • cloudbuild.builds.get
  • cloudbuild.builds.list
  • cloudfunctions.functions.get
  • cloudfunctions.functions.list
  • cloudfunctions.locations.*
  • cloudfunctions.operations.*
  • cloudnotifications.*
  • datastore.databases.get
  • datastore.databases.getIamPolicy
  • datastore.databases.list
  • datastore.entities.get
  • datastore.entities.list
  • datastore.indexes.get
  • datastore.indexes.list
  • datastore.namespaces.get
  • datastore.namespaces.getIamPolicy
  • datastore.namespaces.list
  • datastore.statistics.*
  • errorreporting.groups.*
  • eventarc.locations.*
  • eventarc.operations.get
  • eventarc.operations.list
  • eventarc.triggers.get
  • eventarc.triggers.getIamPolicy
  • eventarc.triggers.list
  • firebase.billingPlans.get
  • firebase.clients.get
  • firebase.clients.list
  • firebase.links.list
  • firebase.playLinks.get
  • firebase.playLinks.list
  • firebase.projects.get
  • firebaseanalytics.resources.googleAnalyticsReadAndAnalyze
  • firebaseappcheck.appAttestConfig.get
  • firebaseappcheck.debugTokens.get
  • firebaseappcheck.deviceCheckConfig.get
  • firebaseappcheck.recaptchaConfig.get
  • firebaseappcheck.safetyNetConfig.get
  • firebaseappcheck.services.get
  • firebaseauth.configs.get
  • firebaseauth.users.get
  • firebasedatabase.instances.get
  • firebasedatabase.instances.list
  • firebaseextensions.configs.list
  • firebasehosting.sites.get
  • firebasehosting.sites.list
  • firebaseml.compressionjobs.get
  • firebaseml.compressionjobs.list
  • firebaseml.models.get
  • firebaseml.models.list
  • firebaseml.modelversions.get
  • firebaseml.modelversions.list
  • firebaserules.releases.get
  • firebaserules.releases.list
  • firebaserules.rulesets.get
  • firebaserules.rulesets.list
  • firebasestorage.buckets.get
  • firebasestorage.buckets.list
  • logging.logEntries.list
  • monitoring.timeSeries.list
  • recommender.locations.*
  • remotebuildexecution.blobs.get
  • resourcemanager.projects.get
  • resourcemanager.projects.getIamPolicy
  • resourcemanager.projects.list
  • run.configurations.*
  • run.locations.*
  • run.revisions.get
  • run.revisions.list
  • run.routes.get
  • run.routes.list
  • run.services.get
  • run.services.getIamPolicy
  • run.services.list
  • serviceusage.operations.get
  • serviceusage.operations.list
  • serviceusage.quotas.get
  • serviceusage.services.get
  • serviceusage.services.list
  • storage.buckets.get
  • storage.buckets.getIamPolicy
  • storage.buckets.list
  • storage.objects.get
  • storage.objects.getIamPolicy
  • storage.objects.list

Firebase Grow Admin

roles/firebase.growthAdmin

Full access to Firebase Grow products and Analytics.

  • clientauthconfig.clients.get
  • clientauthconfig.clients.list
  • cloudconfig.*
  • cloudmessaging.*
  • cloudnotifications.*
  • fcmdata.*
  • firebase.billingPlans.get
  • firebase.clients.get
  • firebase.clients.list
  • firebase.links.list
  • firebase.playLinks.get
  • firebase.playLinks.list
  • firebase.projects.get
  • firebaseabt.*
  • firebaseanalytics.*
  • firebasedynamiclinks.*
  • firebaseextensions.configs.list
  • firebaseinappmessaging.*
  • firebasenotifications.*
  • firebasepredictions.*
  • monitoring.timeSeries.list
  • resourcemanager.projects.get
  • resourcemanager.projects.getIamPolicy
  • resourcemanager.projects.list
  • serviceusage.operations.get
  • serviceusage.operations.list
  • serviceusage.quotas.get
  • serviceusage.services.get
  • serviceusage.services.list

Firebase Grow Viewer

roles/firebase.growthViewer

Read access to Firebase Grow products and Analytics.

  • cloudconfig.configs.get
  • cloudnotifications.*
  • fcmdata.*
  • firebase.billingPlans.get
  • firebase.clients.get
  • firebase.clients.list
  • firebase.links.list
  • firebase.playLinks.get
  • firebase.playLinks.list
  • firebase.projects.get
  • firebaseabt.experimentresults.*
  • firebaseabt.experiments.get
  • firebaseabt.experiments.list
  • firebaseabt.projectmetadata.*
  • firebaseanalytics.resources.googleAnalyticsReadAndAnalyze
  • firebasedynamiclinks.destinations.list
  • firebasedynamiclinks.domains.get
  • firebasedynamiclinks.domains.list
  • firebasedynamiclinks.links.get
  • firebasedynamiclinks.links.list
  • firebasedynamiclinks.stats.*
  • firebaseextensions.configs.list
  • firebaseinappmessaging.campaigns.get
  • firebaseinappmessaging.campaigns.list
  • firebasenotifications.messages.get
  • firebasenotifications.messages.list
  • firebasepredictions.predictions.list
  • monitoring.timeSeries.list
  • resourcemanager.projects.get
  • resourcemanager.projects.getIamPolicy
  • resourcemanager.projects.list
  • serviceusage.operations.get
  • serviceusage.operations.list
  • serviceusage.quotas.get
  • serviceusage.services.get
  • serviceusage.services.list

Firebase Quality Admin

roles/firebase.qualityAdmin

Full access to Firebase Quality products and Analytics.

  • cloudnotifications.*
  • firebase.billingPlans.get
  • firebase.clients.get
  • firebase.clients.list
  • firebase.links.list
  • firebase.playLinks.get
  • firebase.playLinks.list
  • firebase.projects.get
  • firebaseanalytics.*
  • firebaseappdistro.*
  • firebasecrash.*
  • firebasecrashlytics.*
  • firebaseextensions.configs.list
  • firebaseperformance.*
  • monitoring.timeSeries.list
  • resourcemanager.projects.get
  • resourcemanager.projects.getIamPolicy
  • resourcemanager.projects.list
  • serviceusage.operations.get
  • serviceusage.operations.list
  • serviceusage.quotas.get
  • serviceusage.services.get
  • serviceusage.services.list

Firebase Quality Viewer

roles/firebase.qualityViewer

Read access to Firebase Quality products and Analytics.

  • cloudnotifications.*
  • firebase.billingPlans.get
  • firebase.clients.get
  • firebase.clients.list
  • firebase.links.list
  • firebase.playLinks.get
  • firebase.playLinks.list
  • firebase.projects.get
  • firebaseanalytics.resources.googleAnalyticsReadAndAnalyze
  • firebaseappdistro.groups.list
  • firebaseappdistro.releases.list
  • firebaseappdistro.testers.list
  • firebasecrash.reports.*
  • firebasecrashlytics.config.get
  • firebasecrashlytics.data.*
  • firebasecrashlytics.issues.get
  • firebasecrashlytics.issues.list
  • firebasecrashlytics.sessions.*
  • firebaseextensions.configs.list
  • firebaseperformance.data.*
  • monitoring.timeSeries.list
  • resourcemanager.projects.get
  • resourcemanager.projects.getIamPolicy
  • resourcemanager.projects.list
  • serviceusage.operations.get
  • serviceusage.operations.list
  • serviceusage.quotas.get
  • serviceusage.services.get
  • serviceusage.services.list

Firebase Viewer

roles/firebase.viewer

Read-only access to Firebase products.

  • automl.annotationSpecs.get
  • automl.annotationSpecs.list
  • automl.annotations.list
  • automl.columnSpecs.get
  • automl.columnSpecs.list
  • automl.datasets.get
  • automl.datasets.list
  • automl.examples.get
  • automl.examples.list
  • automl.humanAnnotationTasks.get
  • automl.humanAnnotationTasks.list
  • automl.locations.get
  • automl.locations.list
  • automl.modelEvaluations.get
  • automl.modelEvaluations.list
  • automl.models.get
  • automl.models.list
  • automl.operations.get
  • automl.operations.list
  • automl.tableSpecs.get
  • automl.tableSpecs.list
  • clientauthconfig.brands.get
  • clientauthconfig.brands.list
  • cloudbuild.builds.get
  • cloudbuild.builds.list
  • cloudconfig.configs.get
  • cloudfunctions.functions.get
  • cloudfunctions.functions.list
  • cloudfunctions.locations.*
  • cloudfunctions.operations.*
  • cloudnotifications.*
  • cloudtestservice.environmentcatalog.*
  • cloudtestservice.matrices.get
  • cloudtoolresults.executions.get
  • cloudtoolresults.executions.list
  • cloudtoolresults.histories.get
  • cloudtoolresults.histories.list
  • cloudtoolresults.settings.get
  • cloudtoolresults.steps.get
  • cloudtoolresults.steps.list
  • datastore.databases.get
  • datastore.databases.getIamPolicy
  • datastore.databases.list
  • datastore.entities.get
  • datastore.entities.list
  • datastore.indexes.get
  • datastore.indexes.list
  • datastore.namespaces.get
  • datastore.namespaces.getIamPolicy
  • datastore.namespaces.list
  • datastore.statistics.*
  • errorreporting.groups.*
  • eventarc.locations.*
  • eventarc.operations.get
  • eventarc.operations.list
  • eventarc.triggers.get
  • eventarc.triggers.getIamPolicy
  • eventarc.triggers.list
  • fcmdata.*
  • firebase.billingPlans.get
  • firebase.clients.get
  • firebase.clients.list
  • firebase.links.list
  • firebase.playLinks.get
  • firebase.playLinks.list
  • firebase.projects.get
  • firebaseabt.experimentresults.*
  • firebaseabt.experiments.get
  • firebaseabt.experiments.list
  • firebaseabt.projectmetadata.*
  • firebaseanalytics.resources.googleAnalyticsReadAndAnalyze
  • firebaseappcheck.appAttestConfig.get
  • firebaseappcheck.debugTokens.get
  • firebaseappcheck.deviceCheckConfig.get
  • firebaseappcheck.recaptchaConfig.get
  • firebaseappcheck.safetyNetConfig.get
  • firebaseappcheck.services.get
  • firebaseappdistro.groups.list
  • firebaseappdistro.releases.list
  • firebaseappdistro.testers.list
  • firebaseauth.configs.get
  • firebaseauth.users.get
  • firebasecrash.reports.*
  • firebasecrashlytics.config.get
  • firebasecrashlytics.data.*
  • firebasecrashlytics.issues.get
  • firebasecrashlytics.issues.list
  • firebasecrashlytics.sessions.*
  • firebasedatabase.instances.get
  • firebasedatabase.instances.list
  • firebasedynamiclinks.destinations.list
  • firebasedynamiclinks.domains.get
  • firebasedynamiclinks.domains.list
  • firebasedynamiclinks.links.get
  • firebasedynamiclinks.links.list
  • firebasedynamiclinks.stats.*
  • firebaseextensions.configs.list
  • firebasehosting.sites.get
  • firebasehosting.sites.list
  • firebaseinappmessaging.campaigns.get
  • firebaseinappmessaging.campaigns.list
  • firebaseml.compressionjobs.get
  • firebaseml.compressionjobs.list
  • firebaseml.models.get
  • firebaseml.models.list
  • firebaseml.modelversions.get
  • firebaseml.modelversions.list
  • firebasenotifications.messages.get
  • firebasenotifications.messages.list
  • firebaseperformance.data.*
  • firebasepredictions.predictions.list
  • firebaserules.releases.get
  • firebaserules.releases.list
  • firebaserules.rulesets.get
  • firebaserules.rulesets.list
  • firebasestorage.buckets.get
  • firebasestorage.buckets.list
  • logging.logEntries.list
  • monitoring.timeSeries.list
  • recommender.locations.*
  • remotebuildexecution.blobs.get
  • resourcemanager.projects.get
  • resourcemanager.projects.getIamPolicy
  • resourcemanager.projects.list
  • run.configurations.*
  • run.locations.*
  • run.revisions.get
  • run.revisions.list
  • run.routes.get
  • run.routes.list
  • run.services.get
  • run.services.getIamPolicy
  • run.services.list
  • serviceusage.operations.get
  • serviceusage.operations.list
  • serviceusage.quotas.get
  • serviceusage.services.get
  • serviceusage.services.list
  • storage.buckets.get
  • storage.buckets.getIamPolicy
  • storage.buckets.list
  • storage.objects.get
  • storage.objects.getIamPolicy
  • storage.objects.list

Firebase Remote Config Admin

roles/cloudconfig.admin

Full access to Firebase Remote Config resources.

  • cloudconfig.*
  • firebase.clients.get
  • firebase.clients.list
  • firebase.projects.get
  • resourcemanager.projects.get
  • resourcemanager.projects.list

Firebase Remote Config Viewer

roles/cloudconfig.viewer

Read access to Firebase Remote Config resources.

  • cloudconfig.configs.get
  • firebase.clients.get
  • firebase.clients.list
  • firebase.projects.get
  • resourcemanager.projects.get
  • resourcemanager.projects.list

Firebase Test Lab Admin

roles/cloudtestservice.testAdmin

Full access to all Test Lab features

  • cloudtestservice.*
  • cloudtoolresults.*
  • firebase.billingPlans.get
  • firebase.clients.get
  • firebase.clients.list
  • firebase.projects.get
  • resourcemanager.projects.get
  • resourcemanager.projects.list
  • storage.buckets.create
  • storage.buckets.get
  • storage.buckets.update
  • storage.objects.create
  • storage.objects.get
  • storage.objects.list

Firebase Test Lab Viewer

roles/cloudtestservice.testViewer

Read access to Test Lab features

  • cloudtestservice.environmentcatalog.*
  • cloudtestservice.matrices.get
  • cloudtoolresults.executions.get
  • cloudtoolresults.executions.list
  • cloudtoolresults.histories.get
  • cloudtoolresults.histories.list
  • cloudtoolresults.settings.get
  • cloudtoolresults.steps.get
  • cloudtoolresults.steps.list
  • firebase.clients.get
  • firebase.clients.list
  • firebase.projects.get
  • resourcemanager.projects.get
  • resourcemanager.projects.list
  • storage.objects.get
  • storage.objects.list

Firebase A/B Testing Admin

roles/firebaseabt.admin

Full read/write access to Firebase A/B Testing resources.

  • firebase.clients.get
  • firebase.clients.list
  • firebase.projects.get
  • firebaseabt.*
  • resourcemanager.projects.get
  • resourcemanager.projects.list

Firebase A/B Testing Viewer

roles/firebaseabt.viewer

Read-only access to Firebase A/B Testing resources.

  • firebase.clients.get
  • firebase.clients.list
  • firebase.projects.get
  • firebaseabt.experimentresults.*
  • firebaseabt.experiments.get
  • firebaseabt.experiments.list
  • firebaseabt.projectmetadata.*
  • resourcemanager.projects.get
  • resourcemanager.projects.list

Firebase App Check Admin

roles/firebaseappcheck.admin

Full management of Firebase App Check.

  • firebaseappcheck.*

Firebase App Check Viewer

roles/firebaseappcheck.viewer

Read-only access for Firebase App Check.

  • firebaseappcheck.appAttestConfig.get
  • firebaseappcheck.debugTokens.get
  • firebaseappcheck.deviceCheckConfig.get
  • firebaseappcheck.recaptchaConfig.get
  • firebaseappcheck.safetyNetConfig.get
  • firebaseappcheck.services.get

Firebase App Distribution Admin

roles/firebaseappdistro.admin

Full read/write access to Firebase App Distribution resources.

  • firebase.clients.get
  • firebase.clients.list
  • firebase.projects.get
  • firebaseappdistro.*
  • resourcemanager.projects.get
  • resourcemanager.projects.list

Firebase App Distribution Viewer

roles/firebaseappdistro.viewer

Read-only access to Firebase App Distribution resources.

  • firebase.clients.get
  • firebase.clients.list
  • firebase.projects.get
  • firebaseappdistro.groups.list
  • firebaseappdistro.releases.list
  • firebaseappdistro.testers.list
  • resourcemanager.projects.get
  • resourcemanager.projects.list

Firebase Authentication Admin

roles/firebaseauth.admin

Full read/write access to Firebase Authentication resources.

  • firebase.clients.get
  • firebase.clients.list
  • firebase.projects.get
  • firebaseauth.*
  • resourcemanager.projects.get
  • resourcemanager.projects.list

Firebase Authentication Viewer

roles/firebaseauth.viewer

Read-only access to Firebase Authentication resources.

  • firebase.clients.get
  • firebase.clients.list
  • firebase.projects.get
  • firebaseauth.configs.get
  • firebaseauth.users.get
  • resourcemanager.projects.get
  • resourcemanager.projects.list

Firebase Crashlytics Admin

roles/firebasecrashlytics.admin

Full read/write access to Firebase Crashlytics resources.

  • firebase.clients.get
  • firebase.clients.list
  • firebase.projects.get
  • firebasecrashlytics.*
  • resourcemanager.projects.get
  • resourcemanager.projects.list

Firebase Crashlytics Viewer

roles/firebasecrashlytics.viewer

Read-only access to Firebase Crashlytics resources.

  • firebase.clients.get
  • firebase.clients.list
  • firebase.projects.get
  • firebasecrashlytics.config.get
  • firebasecrashlytics.data.*
  • firebasecrashlytics.issues.get
  • firebasecrashlytics.issues.list
  • firebasecrashlytics.sessions.*
  • resourcemanager.projects.get
  • resourcemanager.projects.list

Firebase Realtime Database Admin

roles/firebasedatabase.admin

Full read/write access to Firebase Realtime Database resources.

  • firebase.clients.get
  • firebase.clients.list
  • firebase.projects.get
  • firebasedatabase.*
  • resourcemanager.projects.get
  • resourcemanager.projects.list

Firebase Realtime Database Viewer

roles/firebasedatabase.viewer

Read-only access to Firebase Realtime Database resources.

  • firebase.clients.get
  • firebase.clients.list
  • firebase.projects.get
  • firebasedatabase.instances.get
  • firebasedatabase.instances.list
  • resourcemanager.projects.get
  • resourcemanager.projects.list

Firebase Dynamic Links Admin

roles/firebasedynamiclinks.admin

Full read/write access to Firebase Dynamic Links resources.

  • firebase.clients.get
  • firebase.clients.list
  • firebase.projects.get
  • firebasedynamiclinks.*
  • resourcemanager.projects.get
  • resourcemanager.projects.list

Firebase Dynamic Links Viewer

roles/firebasedynamiclinks.viewer

Read-only access to Firebase Dynamic Links resources.

  • firebase.clients.get
  • firebase.clients.list
  • firebase.projects.get
  • firebasedynamiclinks.destinations.list
  • firebasedynamiclinks.domains.get
  • firebasedynamiclinks.domains.list
  • firebasedynamiclinks.links.get
  • firebasedynamiclinks.links.list
  • firebasedynamiclinks.stats.*
  • resourcemanager.projects.get
  • resourcemanager.projects.list

Firebase Hosting Admin

roles/firebasehosting.admin

Full read/write access to Firebase Hosting resources.

  • firebase.clients.get
  • firebase.clients.list
  • firebase.projects.get
  • firebasehosting.*
  • resourcemanager.projects.get
  • resourcemanager.projects.list

Firebase Hosting Viewer

roles/firebasehosting.viewer

Read-only access to Firebase Hosting resources.

  • firebase.clients.get
  • firebase.clients.list
  • firebase.projects.get
  • firebasehosting.sites.get
  • firebasehosting.sites.list
  • resourcemanager.projects.get
  • resourcemanager.projects.list

Firebase In-App Messaging Admin

roles/firebaseinappmessaging.admin

Full read/write access to Firebase In-App Messaging resources.

  • firebase.clients.get
  • firebase.clients.list
  • firebase.projects.get
  • firebaseinappmessaging.*
  • resourcemanager.projects.get
  • resourcemanager.projects.list

Firebase In-App Messaging Viewer

roles/firebaseinappmessaging.viewer

Read-only access to Firebase In-App Messaging resources.

  • firebase.clients.get
  • firebase.clients.list
  • firebase.projects.get
  • firebaseinappmessaging.campaigns.get
  • firebaseinappmessaging.campaigns.list
  • resourcemanager.projects.get
  • resourcemanager.projects.list

Firebase ML Kit Admin

roles/firebaseml.admin

Full read/write access to Firebase ML Kit resources.

  • firebase.clients.get
  • firebase.clients.list
  • firebase.projects.get
  • firebaseml.*
  • resourcemanager.projects.get
  • resourcemanager.projects.list

Firebase ML Kit Viewer

roles/firebaseml.viewer

Read-only access to Firebase ML Kit resources.

  • firebase.clients.get
  • firebase.clients.list
  • firebase.projects.get
  • firebaseml.compressionjobs.get
  • firebaseml.compressionjobs.list
  • firebaseml.models.get
  • firebaseml.models.list
  • firebaseml.modelversions.get
  • firebaseml.modelversions.list
  • resourcemanager.projects.get
  • resourcemanager.projects.list

Firebase Cloud Messaging Admin

roles/firebasenotifications.admin

Full read/write access to Firebase Cloud Messaging resources.

  • fcmdata.*
  • firebase.clients.get
  • firebase.clients.list
  • firebase.projects.get
  • firebasenotifications.*
  • resourcemanager.projects.get
  • resourcemanager.projects.list

Firebase Cloud Messaging Viewer

roles/firebasenotifications.viewer

Read-only access to Firebase Cloud Messaging resources.

  • fcmdata.*
  • firebase.clients.get
  • firebase.clients.list
  • firebase.projects.get
  • firebasenotifications.messages.get
  • firebasenotifications.messages.list
  • resourcemanager.projects.get
  • resourcemanager.projects.list

Firebase Performance Reporting Admin

roles/firebaseperformance.admin

Full access to firebaseperformance resources.

  • firebase.clients.get
  • firebase.clients.list
  • firebase.projects.get
  • firebaseperformance.*
  • resourcemanager.projects.get
  • resourcemanager.projects.list

Firebase Performance Reporting Viewer

roles/firebaseperformance.viewer

Read-only access to firebaseperformance resources.

  • firebase.clients.get
  • firebase.clients.list
  • firebase.projects.get
  • firebaseperformance.data.*
  • resourcemanager.projects.get
  • resourcemanager.projects.list

Firebase Predictions Admin

roles/firebasepredictions.admin

Full read/write access to Firebase Predictions resources.

  • firebase.clients.get
  • firebase.clients.list
  • firebase.projects.get
  • firebasepredictions.*
  • resourcemanager.projects.get
  • resourcemanager.projects.list

Firebase Predictions Viewer

roles/firebasepredictions.viewer

Read-only access to Firebase Predictions resources.

  • firebase.clients.get
  • firebase.clients.list
  • firebase.projects.get
  • firebasepredictions.predictions.list
  • resourcemanager.projects.get
  • resourcemanager.projects.list

Firebase Rules Admin

roles/firebaserules.admin

Full management of Firebase Rules.

  • firebaserules.*
  • resourcemanager.projects.get
  • resourcemanager.projects.list

Firebase Rules Viewer

roles/firebaserules.viewer

Read-only access on all resources with the ability to test Rulesets.

  • firebaserules.releases.get
  • firebaserules.releases.list
  • firebaserules.rulesets.get
  • firebaserules.rulesets.list
  • resourcemanager.projects.get
  • resourcemanager.projects.list

Cloud Storage for Firebase Admin

roles/firebasestorage.admin

Full management of Cloud Storage for Firebase.

  • firebase.clients.get
  • firebase.clients.list
  • firebase.projects.get
  • firebasestorage.*
  • resourcemanager.projects.get
  • resourcemanager.projects.list

Cloud Storage for Firebase Viewer

roles/firebasestorage.viewer

Read-only access for Cloud Storage for Firebase.

  • firebasestorage.buckets.get
  • firebasestorage.buckets.list
  • resourcemanager.projects.get
  • resourcemanager.projects.list

Fleet Engine Consumer SDK User

roles/fleetengine.consumerSdkUser

Limited read access to Fleet Engine resources

  • fleetengine.trips.get
  • fleetengine.vehicles.get
  • fleetengine.vehicles.search
  • fleetengine.vehicles.searchFuzzed

Fleet Engine Driver SDK User

roles/fleetengine.driverSdkUser

Read and limited update access to Fleet Engine resources

  • fleetengine.trips.get
  • fleetengine.trips.search
  • fleetengine.trips.update
  • fleetengine.vehicles.get
  • fleetengine.vehicles.updateLocation

Fleet Engine Service Super User

roles/fleetengine.serviceSuperUser

Full access to all Fleet Engine resources.

  • fleetengine.*
  • resourcemanager.projects.get
  • resourcemanager.projects.list

Genomics Admin

roles/genomics.admin

Full access to genomics datasets and operations.

  • genomics.*

Genomics Editor

roles/genomics.editor

Access to read and edit genomics datasets and operations.

  • genomics.datasets.create
  • genomics.datasets.delete
  • genomics.datasets.get
  • genomics.datasets.list
  • genomics.datasets.update
  • genomics.operations.*

Genomics Pipelines Runner

roles/genomics.pipelinesRunner

Full access to operate on genomics pipelines.

  • genomics.operations.*

Genomics Viewer

roles/genomics.viewer

Access to view genomics datasets and operations.

  • genomics.datasets.get
  • genomics.datasets.list
  • genomics.operations.get
  • genomics.operations.list

GKE Hub Admin

roles/gkehub.admin

Full access to GKE Hub resources.

  • gkehub.features.*
  • gkehub.locations.*
  • gkehub.memberships.*
  • gkehub.operations.*
  • resourcemanager.projects.get
  • resourcemanager.projects.list

GKE Connect Agent

roles/gkehub.connect

Ability to set up GKE Connect between external clusters and Google.

  • gkehub.endpoints.*

GKE Hub Editor

roles/gkehub.editor

Edit access to GKE Hub resources.

  • gkehub.features.create
  • gkehub.features.delete
  • gkehub.features.get
  • gkehub.features.getIamPolicy
  • gkehub.features.list
  • gkehub.features.update
  • gkehub.locations.*
  • gkehub.memberships.create
  • gkehub.memberships.delete
  • gkehub.memberships.generateConnectManifest
  • gkehub.memberships.get
  • gkehub.memberships.getIamPolicy
  • gkehub.memberships.list
  • gkehub.memberships.update
  • gkehub.operations.*
  • resourcemanager.projects.get
  • resourcemanager.projects.list

Connect Gateway Admin

roles/gkehub.gatewayAdmin

Full access to Connect Gateway.

  • gkehub.gateway.*
  • serviceusage.services.get

Connect Gateway Reader

roles/gkehub.gatewayReader

Read-only access to Connect Gateway.

  • gkehub.gateway.get
  • serviceusage.services.get

GKE Hub Viewer

roles/gkehub.viewer

Read-only access to GKE Hubs and related resources.

  • gkehub.features.get
  • gkehub.features.getIamPolicy
  • gkehub.features.list
  • gkehub.locations.*
  • gkehub.memberships.generateConnectManifest
  • gkehub.memberships.get
  • gkehub.memberships.getIamPolicy
  • gkehub.memberships.list
  • gkehub.operations.get
  • gkehub.operations.list
  • resourcemanager.projects.get
  • resourcemanager.projects.list

Google Workspace Add-ons Developer

roles/gsuiteaddons.developer

Full access to Google Workspace Add-ons resources

  • gsuiteaddons.*
  • resourcemanager.projects.get
  • resourcemanager.projects.list

Google Workspace Add-ons Reader

roles/gsuiteaddons.reader

Read-only access to Google Workspace Add-ons resources

  • gsuiteaddons.authorizations.*
  • gsuiteaddons.deployments.get
  • gsuiteaddons.deployments.list
  • resourcemanager.projects.get
  • resourcemanager.projects.list

Google Workspace Add-ons Tester

roles/gsuiteaddons.tester

Testing execution access to Google Workspace Add-ons resources

  • gsuiteaddons.deployments.execute
  • gsuiteaddons.deployments.install
  • gsuiteaddons.deployments.installStatus
  • gsuiteaddons.deployments.uninstall
  • resourcemanager.projects.get
  • resourcemanager.projects.list

Chat Bots Owner

roles/chat.owner

Can view and modify bot configurations

  • chat.*

Chat Bots Viewer

roles/chat.reader

Can view bot configurations

  • chat.bots.get

Security Admin

roles/iam.securityAdmin

Security admin role, with permissions to get and set any IAM policy.

  • accessapproval.requests.list
  • accesscontextmanager.accessLevels.list
  • accesscontextmanager.accessPolicies.getIamPolicy
  • accesscontextmanager.accessPolicies.list
  • accesscontextmanager.accessPolicies.setIamPolicy
  • accesscontextmanager.accessZones.list
  • accesscontextmanager.gcpUserAccessBindings.list
  • accesscontextmanager.policies.getIamPolicy
  • accesscontextmanager.policies.list
  • accesscontextmanager.policies.setIamPolicy
  • accesscontextmanager.servicePerimeters.list
  • actions.agentVersions.list
  • aiplatform.annotationSpecs.list
  • aiplatform.annotations.list
  • aiplatform.artifacts.list
  • aiplatform.batchPredictionJobs.list
  • aiplatform.contexts.list
  • aiplatform.customJobs.list
  • aiplatform.dataItems.list
  • aiplatform.dataLabelingJobs.list
  • aiplatform.datasets.list
  • aiplatform.edgeDeploymentJobs.list
  • aiplatform.edgeDevices.list
  • aiplatform.endpoints.list
  • aiplatform.entityTypes.list
  • aiplatform.executions.list
  • aiplatform.features.list
  • aiplatform.featurestores.list
  • aiplatform.humanInTheLoops.list
  • aiplatform.hyperparameterTuningJobs.list
  • aiplatform.indexEndpoints.list
  • aiplatform.indexes.list
  • aiplatform.locations.list
  • aiplatform.metadataSchemas.list
  • aiplatform.metadataStores.list
  • aiplatform.modelDeploymentMonitoringJobs.list
  • aiplatform.modelEvaluationSlices.list
  • aiplatform.modelEvaluations.list
  • aiplatform.models.list
  • aiplatform.nasJobs.list
  • aiplatform.operations.*
  • aiplatform.pipelineJobs.list
  • aiplatform.specialistPools.list
  • aiplatform.studies.list
  • aiplatform.tensorboardExperiments.list
  • aiplatform.tensorboardRuns.list
  • aiplatform.tensorboardTimeSeries.list
  • aiplatform.tensorboards.list
  • aiplatform.trainingPipelines.list
  • aiplatform.trials.list
  • apigateway.apiconfigs.getIamPolicy
  • apigateway.apiconfigs.list
  • apigateway.apiconfigs.setIamPolicy
  • apigateway.apis.getIamPolicy
  • apigateway.apis.list
  • apigateway.apis.setIamPolicy
  • apigateway.gateways.getIamPolicy
  • apigateway.gateways.list
  • apigateway.gateways.setIamPolicy
  • apigateway.locations.list
  • apigateway.operations.list
  • apigee.apiproductattributes.list
  • apigee.apiproducts.list
  • apigee.apps.list
  • apigee.archivedeployments.list
  • apigee.caches.list
  • apigee.datacollectors.list
  • apigee.datastores.list
  • apigee.deployments.list
  • apigee.developerappattributes.list
  • apigee.developerapps.list
  • apigee.developerattributes.list
  • apigee.developers.list
  • apigee.developersubscriptions.list
  • apigee.envgroupattachments.list
  • apigee.envgroups.list
  • apigee.environments.getIamPolicy
  • apigee.environments.list
  • apigee.environments.setIamPolicy
  • apigee.exports.list
  • apigee.flowhooks.list
  • apigee.hostqueries.list
  • apigee.hostsecurityreports.list
  • apigee.instanceattachments.list
  • apigee.instances.list
  • apigee.keystorealiases.list
  • apigee.keystores.list
  • apigee.keyvaluemaps.list
  • apigee.operations.list
  • apigee.organizations.list
  • apigee.portals.list
  • apigee.proxies.list
  • apigee.proxyrevisions.list
  • apigee.queries.list
  • apigee.rateplans.list
  • apigee.references.list
  • apigee.reports.list
  • apigee.resourcefiles.list
  • apigee.securityreports.list
  • apigee.sharedflowrevisions.list
  • apigee.sharedflows.list
  • apigee.targetservers.list
  • apigee.tracesessions.list
  • apigeeconnect.connections.*
  • apikeys.keys.list
  • appengine.instances.list
  • appengine.memcache.list
  • appengine.operations.list
  • appengine.services.list
  • appengine.versions.list
  • artifactregistry.files.list
  • artifactregistry.packages.list
  • artifactregistry.repositories.getIamPolicy
  • artifactregistry.repositories.list
  • artifactregistry.repositories.setIamPolicy
  • artifactregistry.tags.list
  • artifactregistry.versions.list
  • assuredworkloads.operations.list
  • assuredworkloads.workload.list
  • automl.annotationSpecs.list
  • automl.annotations.list
  • automl.columnSpecs.list
  • automl.datasets.getIamPolicy
  • automl.datasets.list
  • automl.datasets.setIamPolicy
  • automl.examples.list
  • automl.humanAnnotationTasks.list
  • automl.locations.getIamPolicy
  • automl.locations.list
  • automl.locations.setIamPolicy
  • automl.modelEvaluations.list
  • automl.models.getIamPolicy
  • automl.models.list
  • automl.models.setIamPolicy
  • automl.operations.list
  • automl.tableSpecs.list
  • automlrecommendations.apiKeys.list
  • automlrecommendations.catalogItems.list
  • automlrecommendations.catalogs.list
  • automlrecommendations.events.list
  • automlrecommendations.placements.list
  • automlrecommendations.recommendations.list
  • autoscaling.sites.getIamPolicy
  • autoscaling.sites.setIamPolicy
  • baremetalsolution.instances.list
  • bigquery.capacityCommitments.list
  • bigquery.connections.getIamPolicy
  • bigquery.connections.list
  • bigquery.connections.setIamPolicy
  • bigquery.datasets.getIamPolicy
  • bigquery.datasets.setIamPolicy
  • bigquery.jobs.list
  • bigquery.models.list
  • bigquery.reservationAssignments.list
  • bigquery.reservations.list
  • bigquery.routines.list
  • bigquery.rowAccessPolicies.getIamPolicy
  • bigquery.rowAccessPolicies.list
  • bigquery.rowAccessPolicies.setIamPolicy
  • bigquery.savedqueries.list
  • bigquery.tables.getIamPolicy
  • bigquery.tables.list
  • bigquery.tables.setIamPolicy
  • bigtable.appProfiles.list
  • bigtable.backups.getIamPolicy
  • bigtable.backups.list
  • bigtable.backups.setIamPolicy
  • bigtable.clusters.list
  • bigtable.instances.getIamPolicy
  • bigtable.instances.list
  • bigtable.instances.setIamPolicy
  • bigtable.keyvisualizer.list
  • bigtable.locations.*
  • bigtable.tables.getIamPolicy
  • bigtable.tables.list
  • bigtable.tables.setIamPolicy
  • billing.accounts.getIamPolicy
  • billing.accounts.list
  • billing.accounts.setIamPolicy
  • billing.budgets.list
  • billing.credits.*
  • billing.resourceAssociations.list
  • billing.subscriptions.list
  • binaryauthorization.attestors.getIamPolicy
  • binaryauthorization.attestors.list
  • binaryauthorization.attestors.setIamPolicy
  • binaryauthorization.continuousValidationConfig.getIamPolicy
  • binaryauthorization.continuousValidationConfig.setIamPolicy
  • binaryauthorization.policy.getIamPolicy
  • binaryauthorization.policy.setIamPolicy
  • clientauthconfig.brands.list
  • clientauthconfig.clients.list
  • cloudasset.assets.searchAllResources
  • cloudasset.feeds.list
  • cloudbuild.builds.list
  • cloudbuild.workerpools.list
  • clouddebugger.breakpoints.list
  • clouddebugger.debuggees.list
  • clouddeploy.deliveryPipelines.getIamPolicy
  • clouddeploy.deliveryPipelines.list
  • clouddeploy.deliveryPipelines.setIamPolicy
  • clouddeploy.locations.list
  • clouddeploy.operations.list
  • clouddeploy.releases.list
  • clouddeploy.rollouts.list
  • clouddeploy.targets.getIamPolicy
  • clouddeploy.targets.list
  • clouddeploy.targets.setIamPolicy
  • cloudfunctions.functions.getIamPolicy
  • cloudfunctions.functions.list
  • cloudfunctions.functions.setIamPolicy
  • cloudfunctions.locations.list
  • cloudfunctions.operations.list
  • cloudiot.devices.list
  • cloudiot.registries.getIamPolicy
  • cloudiot.registries.list
  • cloudiot.registries.setIamPolicy
  • cloudjobdiscovery.companies.list
  • cloudkms.cryptoKeyVersions.list
  • cloudkms.cryptoKeys.getIamPolicy
  • cloudkms.cryptoKeys.list
  • cloudkms.cryptoKeys.setIamPolicy
  • cloudkms.importJobs.getIamPolicy
  • cloudkms.importJobs.list
  • cloudkms.importJobs.setIamPolicy
  • cloudkms.keyRings.getIamPolicy
  • cloudkms.keyRings.list
  • cloudkms.keyRings.setIamPolicy
  • cloudkms.locations.list
  • cloudnotifications.*
  • cloudonefs.isiloncloud.com/clusters.list
  • cloudonefs.isiloncloud.com/fileshares.list
  • cloudprivatecatalogproducer.associations.list
  • cloudprivatecatalogproducer.catalogAssociations.list
  • cloudprivatecatalogproducer.catalogs.getIamPolicy
  • cloudprivatecatalogproducer.catalogs.list
  • cloudprivatecatalogproducer.catalogs.setIamPolicy
  • cloudprivatecatalogproducer.producerCatalogs.getIamPolicy
  • cloudprivatecatalogproducer.producerCatalogs.list
  • cloudprivatecatalogproducer.producerCatalogs.setIamPolicy
  • cloudprivatecatalogproducer.products.getIamPolicy
  • cloudprivatecatalogproducer.products.list
  • cloudprivatecatalogproducer.products.setIamPolicy
  • cloudprofiler.profiles.list
  • cloudscheduler.jobs.list
  • cloudscheduler.locations.list
  • cloudsecurityscanner.crawledurls.*
  • cloudsecurityscanner.results.list
  • cloudsecurityscanner.scanruns.list
  • cloudsecurityscanner.scans.list
  • cloudsql.backupRuns.list
  • cloudsql.databases.list
  • cloudsql.instances.list
  • cloudsql.sslCerts.list
  • cloudsql.users.list
  • cloudsupport.accounts.getIamPolicy
  • cloudsupport.accounts.list
  • cloudsupport.accounts.setIamPolicy
  • cloudsupport.techCases.list
  • cloudtasks.locations.list
  • cloudtasks.queues.getIamPolicy
  • cloudtasks.queues.list
  • cloudtasks.queues.setIamPolicy
  • cloudtasks.tasks.list
  • cloudtoolresults.executions.list
  • cloudtoolresults.histories.list
  • cloudtoolresults.steps.list
  • cloudtrace.insights.list
  • cloudtrace.tasks.list
  • cloudtrace.traces.list
  • cloudtranslate.glossaries.list
  • cloudtranslate.locations.list
  • cloudtranslate.operations.list
  • cloudvolumesgcp-api.netapp.com/activeDirectories.list
  • cloudvolumesgcp-api.netapp.com/ipRanges.*
  • cloudvolumesgcp-api.netapp.com/jobs.list
  • cloudvolumesgcp-api.netapp.com/regions.*
  • cloudvolumesgcp-api.netapp.com/serviceLevels.*
  • cloudvolumesgcp-api.netapp.com/snapshots.list
  • cloudvolumesgcp-api.netapp.com/volumes.list
  • commerceprice.privateoffers.list
  • composer.environments.list
  • composer.imageversions.*
  • composer.operations.list
  • compute.acceleratorTypes.list
  • compute.addresses.list
  • compute.autoscalers.list
  • compute.backendBuckets.list
  • compute.backendServices.getIamPolicy
  • compute.backendServices.list
  • compute.backendServices.setIamPolicy
  • compute.commitments.list
  • compute.diskTypes.list
  • compute.disks.getIamPolicy
  • compute.disks.list
  • compute.disks.setIamPolicy
  • compute.externalVpnGateways.list
  • compute.firewallPolicies.getIamPolicy
  • compute.firewallPolicies.list
  • compute.firewallPolicies.setIamPolicy
  • compute.firewalls.list
  • compute.forwardingRules.list
  • compute.globalAddresses.list
  • compute.globalForwardingRules.list
  • compute.globalNetworkEndpointGroups.list
  • compute.globalOperations.getIamPolicy
  • compute.globalOperations.list
  • compute.globalOperations.setIamPolicy
  • compute.globalPublicDelegatedPrefixes.list
  • compute.healthChecks.list
  • compute.httpHealthChecks.list
  • compute.httpsHealthChecks.list
  • compute.images.getIamPolicy
  • compute.images.list
  • compute.images.setIamPolicy
  • compute.instanceGroupManagers.list
  • compute.instanceGroups.list
  • compute.instanceTemplates.getIamPolicy
  • compute.instanceTemplates.list
  • compute.instanceTemplates.setIamPolicy
  • compute.instances.getIamPolicy
  • compute.instances.list
  • compute.instances.setIamPolicy
  • compute.interconnectAttachments.list
  • compute.interconnectLocations.list
  • compute.interconnects.list
  • compute.licenseCodes.getIamPolicy
  • compute.licenseCodes.list
  • compute.licenseCodes.setIamPolicy
  • compute.licenses.getIamPolicy
  • compute.licenses.list
  • compute.licenses.setIamPolicy
  • compute.machineImages.getIamPolicy
  • compute.machineImages.list
  • compute.machineImages.setIamPolicy
  • compute.machineTypes.list
  • compute.maintenancePolicies.getIamPolicy
  • compute.maintenancePolicies.list
  • compute.maintenancePolicies.setIamPolicy
  • compute.networkEndpointGroups.getIamPolicy
  • compute.networkEndpointGroups.list
  • compute.networkEndpointGroups.setIamPolicy
  • compute.networks.list
  • compute.nodeGroups.getIamPolicy
  • compute.nodeGroups.list
  • compute.nodeGroups.setIamPolicy
  • compute.nodeTemplates.getIamPolicy
  • compute.nodeTemplates.list
  • compute.nodeTemplates.setIamPolicy
  • compute.nodeTypes.list
  • compute.publicAdvertisedPrefixes.list
  • compute.publicDelegatedPrefixes.list
  • compute.regionBackendServices.getIamPolicy
  • compute.regionBackendServices.list
  • compute.regionBackendServices.setIamPolicy
  • compute.regionHealthCheckServices.list
  • compute.regionHealthChecks.list
  • compute.regionNetworkEndpointGroups.list
  • compute.regionNotificationEndpoints.list
  • compute.regionOperations.getIamPolicy
  • compute.regionOperations.list
  • compute.regionOperations.setIamPolicy
  • compute.regionSslCertificates.list
  • compute.regionTargetHttpProxies.list
  • compute.regionTargetHttpsProxies.list
  • compute.regionUrlMaps.list
  • compute.regions.list
  • compute.reservations.list
  • compute.resourcePolicies.list
  • compute.routers.list
  • compute.routes.list
  • compute.securityPolicies.getIamPolicy
  • compute.securityPolicies.list
  • compute.securityPolicies.setIamPolicy
  • compute.serviceAttachments.list
  • compute.snapshots.getIamPolicy
  • compute.snapshots.list
  • compute.snapshots.setIamPolicy
  • compute.sslCertificates.list
  • compute.sslPolicies.list
  • compute.subnetworks.getIamPolicy
  • compute.subnetworks.list
  • compute.subnetworks.setIamPolicy
  • compute.targetGrpcProxies.list
  • compute.targetHttpProxies.list
  • compute.targetHttpsProxies.list
  • compute.targetInstances.list
  • compute.targetPools.list
  • compute.targetSslProxies.list
  • compute.targetTcpProxies.list
  • compute.targetVpnGateways.list
  • compute.urlMaps.list
  • compute.vpnGateways.list
  • compute.vpnTunnels.list
  • compute.zoneOperations.getIamPolicy
  • compute.zoneOperations.list
  • compute.zoneOperations.setIamPolicy
  • compute.zones.list
  • connectors.connections.getIamPolicy
  • connectors.connections.list
  • connectors.connections.setIamPolicy
  • connectors.connectors.list
  • connectors.locations.list
  • connectors.operations.list
  • connectors.providers.list
  • connectors.versions.list
  • consumerprocurement.accounts.list
  • consumerprocurement.entitlements.list
  • consumerprocurement.freeTrials.list
  • consumerprocurement.orders.list
  • contactcenterinsights.analyses.list
  • contactcenterinsights.conversations.list
  • contactcenterinsights.issueModels.list
  • contactcenterinsights.issues.list
  • contactcenterinsights.operations.list
  • contactcenterinsights.phraseMatchers.list
  • container.apiServices.list
  • container.auditSinks.list
  • container.backendConfigs.list
  • container.bindings.list
  • container.certificateSigningRequests.list
  • container.clusterRoleBindings.list
  • container.clusterRoles.list
  • container.clusters.list
  • container.componentStatuses.list
  • container.configMaps.list
  • container.controllerRevisions.list
  • container.cronJobs.list
  • container.csiDrivers.list
  • container.csiNodeInfos.list
  • container.csiNodes.list
  • container.customResourceDefinitions.list
  • container.daemonSets.list
  • container.deployments.list
  • container.endpointSlices.list
  • container.endpoints.list
  • container.events.list
  • container.frontendConfigs.list
  • container.horizontalPodAutoscalers.list
  • container.ingresses.list
  • container.initializerConfigurations.list
  • container.jobs.list
  • container.leases.list
  • container.limitRanges.list
  • container.localSubjectAccessReviews.list
  • container.managedCertificates.list
  • container.mutatingWebhookConfigurations.list
  • container.namespaces.list
  • container.networkPolicies.list
  • container.nodes.list
  • container.operations.list
  • container.persistentVolumeClaims.list
  • container.persistentVolumes.list
  • container.petSets.list
  • container.podDisruptionBudgets.list
  • container.podPresets.list
  • container.podSecurityPolicies.list
  • container.podTemplates.list
  • container.pods.list
  • container.priorityClasses.list
  • container.replicaSets.list
  • container.replicationControllers.list
  • container.resourceQuotas.list
  • container.roleBindings.list
  • container.roles.list
  • container.runtimeClasses.list
  • container.scheduledJobs.list
  • container.selfSubjectAccessReviews.list
  • container.serviceAccounts.list
  • container.services.list
  • container.statefulSets.list
  • container.storageClasses.list
  • container.storageStates.list
  • container.storageVersionMigrations.list
  • container.subjectAccessReviews.list
  • container.thirdPartyObjects.list
  • container.thirdPartyResources.list
  • container.updateInfos.list
  • container.validatingWebhookConfigurations.list
  • container.volumeAttachments.list
  • container.volumeSnapshotClasses.list
  • container.volumeSnapshotContents.list
  • container.volumeSnapshots.list
  • containeranalysis.notes.getIamPolicy
  • containeranalysis.notes.list
  • containeranalysis.notes.setIamPolicy
  • containeranalysis.occurrences.getIamPolicy
  • containeranalysis.occurrences.list
  • containeranalysis.occurrences.setIamPolicy
  • datacatalog.categories.getIamPolicy
  • datacatalog.categories.setIamPolicy
  • datacatalog.entries.getIamPolicy
  • datacatalog.entries.list
  • datacatalog.entries.setIamPolicy
  • datacatalog.entryGroups.getIamPolicy
  • datacatalog.entryGroups.list
  • datacatalog.entryGroups.setIamPolicy
  • datacatalog.tagTemplates.getIamPolicy
  • datacatalog.tagTemplates.setIamPolicy
  • datacatalog.taxonomies.getIamPolicy
  • datacatalog.taxonomies.list
  • datacatalog.taxonomies.setIamPolicy
  • dataflow.jobs.list
  • dataflow.messages.*
  • dataflow.snapshots.list
  • datafusion.instances.getIamPolicy
  • datafusion.instances.list
  • datafusion.instances.setIamPolicy
  • datafusion.locations.list
  • datafusion.operations.list
  • datalabeling.annotateddatasets.list
  • datalabeling.annotationspecsets.list
  • datalabeling.dataitems.list
  • datalabeling.datasets.list
  • datalabeling.examples.list
  • datalabeling.instructions.list
  • datalabeling.operations.list
  • datamigration.connectionprofiles.getIamPolicy
  • datamigration.connectionprofiles.list
  • datamigration.connectionprofiles.setIamPolicy
  • datamigration.locations.list
  • datamigration.migrationjobs.getIamPolicy
  • datamigration.migrationjobs.list
  • datamigration.migrationjobs.setIamPolicy
  • datamigration.operations.list
  • datapipelines.pipelines.list
  • dataproc.agents.list
  • dataproc.autoscalingPolicies.getIamPolicy
  • dataproc.autoscalingPolicies.list
  • dataproc.autoscalingPolicies.setIamPolicy
  • dataproc.clusters.getIamPolicy
  • dataproc.clusters.list
  • dataproc.clusters.setIamPolicy
  • dataproc.jobs.getIamPolicy
  • dataproc.jobs.list
  • dataproc.jobs.setIamPolicy
  • dataproc.operations.getIamPolicy
  • dataproc.operations.list
  • dataproc.operations.setIamPolicy
  • dataproc.workflowTemplates.getIamPolicy
  • dataproc.workflowTemplates.list
  • dataproc.workflowTemplates.setIamPolicy
  • dataprocessing.datasources.list
  • dataprocessing.featurecontrols.list
  • dataprocessing.groupcontrols.list
  • datastore.databases.getIamPolicy
  • datastore.databases.list
  • datastore.databases.setIamPolicy
  • datastore.entities.list
  • datastore.indexes.list
  • datastore.locations.list
  • datastore.namespaces.getIamPolicy
  • datastore.namespaces.list
  • datastore.namespaces.setIamPolicy
  • datastore.operations.list
  • datastore.statistics.list
  • datastream.connectionProfiles.getIamPolicy
  • datastream.connectionProfiles.list
  • datastream.connectionProfiles.setIamPolicy
  • datastream.locations.list
  • datastream.operations.list
  • datastream.privateConnections.getIamPolicy
  • datastream.privateConnections.list
  • datastream.privateConnections.setIamPolicy
  • datastream.routes.getIamPolicy
  • datastream.routes.list
  • datastream.routes.setIamPolicy
  • datastream.streams.getIamPolicy
  • datastream.streams.list
  • datastream.streams.setIamPolicy
  • deploymentmanager.compositeTypes.list
  • deploymentmanager.deployments.getIamPolicy
  • deploymentmanager.deployments.list
  • deploymentmanager.deployments.setIamPolicy
  • deploymentmanager.manifests.list
  • deploymentmanager.operations.list
  • deploymentmanager.resources.list
  • deploymentmanager.typeProviders.list
  • deploymentmanager.types.list
  • dialogflow.agents.list
  • dialogflow.answerrecords.list
  • dialogflow.callMatchers.list
  • dialogflow.changelogs.list
  • dialogflow.contexts.list
  • dialogflow.conversationDatasets.list
  • dialogflow.conversationModels.list
  • dialogflow.conversationProfiles.list
  • dialogflow.conversations.list
  • dialogflow.documents.list
  • dialogflow.entityTypes.list
  • dialogflow.environments.list
  • dialogflow.flows.list
  • dialogflow.intents.list
  • dialogflow.knowledgeBases.list
  • dialogflow.messages.*
  • dialogflow.modelEvaluations.list
  • dialogflow.pages.list
  • dialogflow.participants.list
  • dialogflow.phoneNumberOrders.list
  • dialogflow.phoneNumbers.list
  • dialogflow.securitySettings.list
  • dialogflow.sessionEntityTypes.list
  • dialogflow.smartMessagingEntries.list
  • dialogflow.transitionRouteGroups.list
  • dialogflow.versions.list
  • dialogflow.webhooks.list
  • dlp.analyzeRiskTemplates.list
  • dlp.columnDataProfiles.list
  • dlp.deidentifyTemplates.list
  • dlp.estimates.list
  • dlp.inspectFindings.*
  • dlp.inspectTemplates.list
  • dlp.jobTriggers.list
  • dlp.jobs.list
  • dlp.projectDataProfiles.list
  • dlp.storedInfoTypes.list
  • dlp.tableDataProfiles.list
  • dns.changes.list
  • dns.dnsKeys.list
  • dns.managedZoneOperations.list
  • dns.managedZones.list
  • dns.policies.getIamPolicy
  • dns.policies.list
  • dns.policies.setIamPolicy
  • dns.resourceRecordSets.list
  • dns.responsePolicies.list
  • dns.responsePolicyRules.list
  • documentai.evaluations.list
  • documentai.labelerPools.list
  • documentai.locations.list
  • documentai.processorTypes.*
  • documentai.processorVersions.list
  • documentai.processors.list
  • domains.locations.list
  • domains.operations.list
  • domains.registrations.getIamPolicy
  • domains.registrations.list
  • domains.registrations.setIamPolicy
  • earlyaccesscenter.campaigns.list
  • earlyaccesscenter.customerAllowlists.list
  • earthengine.assets.getIamPolicy
  • earthengine.assets.list
  • earthengine.assets.setIamPolicy
  • earthengine.operations.list
  • errorreporting.applications.*
  • errorreporting.errorEvents.list
  • errorreporting.groups.*
  • essentialcontacts.contacts.list
  • eventarc.locations.list
  • eventarc.operations.list
  • eventarc.triggers.getIamPolicy
  • eventarc.triggers.list
  • eventarc.triggers.setIamPolicy
  • fcmdata.*
  • file.backups.list
  • file.instances.list
  • file.locations.list
  • file.operations.list
  • firebase.clients.list
  • firebase.links.list
  • firebase.playLinks.list
  • firebaseabt.experiments.list
  • firebaseappdistro.groups.list
  • firebaseappdistro.releases.list
  • firebaseappdistro.testers.list
  • firebasecrashlytics.issues.list
  • firebasedatabase.instances.list
  • firebasedynamiclinks.destinations.list
  • firebasedynamiclinks.domains.list
  • firebasedynamiclinks.links.list
  • firebaseextensions.configs.list
  • firebasehosting.sites.list
  • firebaseinappmessaging.campaigns.list
  • firebaseml.compressionjobs.list
  • firebaseml.models.list
  • firebaseml.modelversions.list
  • firebasenotifications.messages.list
  • firebasepredictions.predictions.list
  • firebaserules.releases.list
  • firebaserules.rulesets.list
  • firebasestorage.buckets.list
  • fleetengine.vehicles.list
  • gameservices.gameServerClusters.list
  • gameservices.gameServerConfigs.list
  • gameservices.gameServerDeployments.list
  • gameservices.locations.list
  • gameservices.operations.list
  • gameservices.realms.list
  • gcp.redisenterprise.com/databases.list
  • gcp.redisenterprise.com/subscriptions.list
  • genomics.datasets.getIamPolicy
  • genomics.datasets.list
  • genomics.datasets.setIamPolicy
  • genomics.operations.list
  • gkehub.features.getIamPolicy
  • gkehub.features.list
  • gkehub.features.setIamPolicy
  • gkehub.gateway.getIamPolicy
  • gkehub.gateway.setIamPolicy
  • gkehub.locations.list
  • gkehub.memberships.getIamPolicy
  • gkehub.memberships.list
  • gkehub.memberships.setIamPolicy
  • gkehub.operations.list
  • gkemulticloud.awsClusters.list
  • gkemulticloud.awsNodePools.list
  • gkemulticloud.azureClients.list
  • gkemulticloud.azureClusters.list
  • gkemulticloud.azureNodePools.list
  • gkemulticloud.operations.list
  • gsuiteaddons.deployments.list
  • healthcare.annotationStores.getIamPolicy
  • healthcare.annotationStores.list
  • healthcare.annotationStores.setIamPolicy
  • healthcare.annotations.list
  • healthcare.attributeDefinitions.list
  • healthcare.consentArtifacts.list
  • healthcare.consentStores.getIamPolicy
  • healthcare.consentStores.list
  • healthcare.consentStores.setIamPolicy
  • healthcare.consents.list
  • healthcare.datasets.getIamPolicy
  • healthcare.datasets.list
  • healthcare.datasets.setIamPolicy
  • healthcare.dicomStores.getIamPolicy
  • healthcare.dicomStores.list
  • healthcare.dicomStores.setIamPolicy
  • healthcare.fhirStores.getIamPolicy
  • healthcare.fhirStores.list
  • healthcare.fhirStores.setIamPolicy
  • healthcare.hl7V2Messages.list
  • healthcare.hl7V2Stores.getIamPolicy
  • healthcare.hl7V2Stores.list
  • healthcare.hl7V2Stores.setIamPolicy
  • healthcare.locations.list
  • healthcare.operations.list
  • healthcare.userDataMappings.list
  • iam.googleapis.com/workloadIdentityPoolProviders.list
  • iam.googleapis.com/workloadIdentityPools.list
  • iam.roles.get
  • iam.roles.list
  • iam.serviceAccountKeys.list
  • iam.serviceAccounts.get
  • iam.serviceAccounts.getIamPolicy
  • iam.serviceAccounts.list
  • iam.serviceAccounts.setIamPolicy
  • iap.tunnel.*
  • iap.tunnelInstances.getIamPolicy
  • iap.tunnelInstances.setIamPolicy
  • iap.tunnelZones.*
  • iap.web.getIamPolicy
  • iap.web.setIamPolicy
  • iap.webServiceVersions.getIamPolicy
  • iap.webServiceVersions.setIamPolicy
  • iap.webServices.getIamPolicy
  • iap.webServices.setIamPolicy
  • iap.webTypes.getIamPolicy
  • iap.webTypes.setIamPolicy
  • integrations.apigeeAuthConfigs.list
  • integrations.apigeeCertificates.list
  • integrations.apigeeExecutions.*
  • integrations.apigeeIntegrationVers.list
  • integrations.apigeeIntegrations.list
  • integrations.apigeeSfdcChannels.list
  • integrations.apigeeSfdcInstances.list
  • integrations.apigeeSuspensions.list
  • integrations.securityAuthConfigs.list
  • integrations.securityExecutions.list
  • integrations.securityIntegTempVers.list
  • integrations.securityIntegrationVers.list
  • integrations.securityIntegrations.list
  • lifesciences.operations.list
  • livestream.channels.list
  • livestream.events.list
  • livestream.inputs.list
  • livestream.locations.list
  • livestream.operations.list
  • logging.buckets.list
  • logging.exclusions.list
  • logging.locations.list
  • logging.logEntries.list
  • logging.logMetrics.list
  • logging.logServiceIndexes.*
  • logging.logServices.*
  • logging.logs.list
  • logging.notificationRules.list
  • logging.operations.list
  • logging.privateLogEntries.*
  • logging.queries.list
  • logging.sinks.list
  • logging.views.list
  • managedidentities.domains.getIamPolicy
  • managedidentities.domains.list
  • managedidentities.domains.setIamPolicy
  • managedidentities.locations.list
  • managedidentities.operations.list
  • managedidentities.peerings.getIamPolicy
  • managedidentities.peerings.list
  • managedidentities.peerings.setIamPolicy
  • managedidentities.sqlintegrations.list
  • memcache.instances.list
  • memcache.locations.list
  • memcache.operations.list
  • metastore.backups.list
  • metastore.imports.list
  • metastore.locations.list
  • metastore.operations.list
  • metastore.services.getIamPolicy
  • metastore.services.list
  • metastore.services.setIamPolicy
  • ml.jobs.getIamPolicy
  • ml.jobs.list
  • ml.jobs.setIamPolicy
  • ml.locations.list
  • ml.models.getIamPolicy
  • ml.models.list
  • ml.models.setIamPolicy
  • ml.operations.list
  • ml.studies.getIamPolicy
  • ml.studies.list
  • ml.studies.setIamPolicy
  • ml.trials.list
  • ml.versions.list
  • monitoring.alertPolicies.list
  • monitoring.dashboards.list
  • monitoring.groups.list
  • monitoring.metricDescriptors.list
  • monitoring.monitoredResourceDescriptors.list
  • monitoring.notificationChannelDescriptors.list
  • monitoring.notificationChannels.list
  • monitoring.publicWidgets.list
  • monitoring.services.list
  • monitoring.slos.list
  • monitoring.timeSeries.list
  • monitoring.uptimeCheckConfigs.list
  • networkconnectivity.hubs.getIamPolicy
  • networkconnectivity.hubs.list
  • networkconnectivity.hubs.setIamPolicy
  • networkconnectivity.locations.list
  • networkconnectivity.operations.list
  • networkconnectivity.spokes.getIamPolicy
  • networkconnectivity.spokes.list
  • networkconnectivity.spokes.setIamPolicy
  • networkmanagement.connectivitytests.getIamPolicy
  • networkmanagement.connectivitytests.list
  • networkmanagement.connectivitytests.setIamPolicy
  • networkmanagement.locations.list
  • networkmanagement.operations.list
  • networksecurity.authorizationPolicies.getIamPolicy
  • networksecurity.authorizationPolicies.list
  • networksecurity.authorizationPolicies.setIamPolicy
  • networksecurity.clientTlsPolicies.getIamPolicy
  • networksecurity.clientTlsPolicies.list
  • networksecurity.clientTlsPolicies.setIamPolicy
  • networksecurity.locations.list
  • networksecurity.operations.list
  • networksecurity.serverTlsPolicies.getIamPolicy
  • networksecurity.serverTlsPolicies.list
  • networksecurity.serverTlsPolicies.setIamPolicy
  • networkservices.endpointConfigSelectors.getIamPolicy
  • networkservices.endpointConfigSelectors.list
  • networkservices.endpointConfigSelectors.setIamPolicy
  • networkservices.endpointPolicies.getIamPolicy
  • networkservices.endpointPolicies.list
  • networkservices.endpointPolicies.setIamPolicy
  • networkservices.httpFilters.getIamPolicy
  • networkservices.httpFilters.list
  • networkservices.httpFilters.setIamPolicy
  • networkservices.httpfilters.getIamPolicy
  • networkservices.httpfilters.list
  • networkservices.httpfilters.setIamPolicy
  • networkservices.locations.list
  • networkservices.operations.list
  • notebooks.environments.getIamPolicy
  • notebooks.environments.list
  • notebooks.environments.setIamPolicy
  • notebooks.executions.getIamPolicy
  • notebooks.executions.list
  • notebooks.executions.setIamPolicy
  • notebooks.instances.getIamPolicy
  • notebooks.instances.list
  • notebooks.instances.setIamPolicy
  • notebooks.locations.list
  • notebooks.operations.list
  • notebooks.runtimes.getIamPolicy
  • notebooks.runtimes.list
  • notebooks.runtimes.setIamPolicy
  • notebooks.schedules.getIamPolicy
  • notebooks.schedules.list
  • notebooks.schedules.setIamPolicy
  • ondemandscanning.operations.list
  • opsconfigmonitoring.resourceMetadata.list
  • orgpolicy.constraints.*
  • orgpolicy.policies.list
  • osconfig.guestPolicies.list
  • osconfig.instanceOSPoliciesCompliances.list
  • osconfig.inventories.list
  • osconfig.osPolicyAssignmentReports.list
  • osconfig.osPolicyAssignments.list
  • osconfig.patchDeployments.list
  • osconfig.patchJobs.list
  • osconfig.vulnerabilityReports.list
  • paymentsresellersubscription.products.*
  • paymentsresellersubscription.promotions.*
  • policysimulator.*
  • privateca.caPools.getIamPolicy
  • privateca.caPools.list
  • privateca.caPools.setIamPolicy
  • privateca.certificateAuthorities.getIamPolicy
  • privateca.certificateAuthorities.list
  • privateca.certificateAuthorities.setIamPolicy
  • privateca.certificateRevocationLists.getIamPolicy
  • privateca.certificateRevocationLists.list
  • privateca.certificateRevocationLists.setIamPolicy
  • privateca.certificateTemplates.getIamPolicy
  • privateca.certificateTemplates.list
  • privateca.certificateTemplates.setIamPolicy
  • privateca.certificates.getIamPolicy
  • privateca.certificates.list
  • privateca.certificates.setIamPolicy
  • privateca.locations.list
  • privateca.operations.list
  • privateca.reusableConfigs.getIamPolicy
  • privateca.reusableConfigs.list
  • privateca.reusableConfigs.setIamPolicy
  • proximitybeacon.attachments.list
  • proximitybeacon.beacons.getIamPolicy
  • proximitybeacon.beacons.list
  • proximitybeacon.beacons.setIamPolicy
  • proximitybeacon.namespaces.getIamPolicy
  • proximitybeacon.namespaces.list
  • proximitybeacon.namespaces.setIamPolicy
  • pubsub.schemas.getIamPolicy
  • pubsub.schemas.list
  • pubsub.schemas.setIamPolicy
  • pubsub.snapshots.getIamPolicy
  • pubsub.snapshots.list
  • pubsub.snapshots.setIamPolicy
  • pubsub.subscriptions.getIamPolicy
  • pubsub.subscriptions.list
  • pubsub.subscriptions.setIamPolicy
  • pubsub.topics.getIamPolicy
  • pubsub.topics.list
  • pubsub.topics.setIamPolicy
  • pubsublite.operations.list
  • pubsublite.reservations.list
  • pubsublite.subscriptions.list
  • pubsublite.topics.list
  • recaptchaenterprise.keys.list
  • recommender.bigqueryCapacityCommitmentsInsights.list
  • recommender.bigqueryCapacityCommitmentsRecommendations.list
  • recommender.cloudAssetInsights.list
  • recommender.cloudsqlIdleInstanceRecommendations.list
  • recommender.cloudsqlInstanceActivityInsights.list
  • recommender.cloudsqlInstanceCpuUsageInsights.list
  • recommender.cloudsqlInstanceDiskUsageTrendInsights.list
  • recommender.cloudsqlInstanceMemoryUsageInsights.list
  • recommender.cloudsqlInstanceOutOfDiskRecommendations.list
  • recommender.cloudsqlOverprovisionedInstanceRecommendations.list
  • recommender.commitmentUtilizationInsights.list
  • recommender.computeAddressIdleResourceInsights.list
  • recommender.computeAddressIdleResourceRecommendations.list
  • recommender.computeDiskIdleResourceInsights.list
  • recommender.computeDiskIdleResourceRecommendations.list
  • recommender.computeFirewallInsights.list
  • recommender.computeImageIdleResourceInsights.list
  • recommender.computeImageIdleResourceRecommendations.list
  • recommender.computeInstanceGroupManagerMachineTypeRecommendations.list
  • recommender.computeInstanceIdleResourceRecommendations.list
  • recommender.computeInstanceMachineTypeRecommendations.list
  • recommender.iamPolicyInsights.list
  • recommender.iamPolicyLateralMovementInsights.list
  • recommender.iamPolicyRecommendations.list
  • recommender.iamServiceAccountInsights.list
  • recommender.locations.list
  • recommender.loggingProductSuggestionContainerInsights.list
  • recommender.loggingProductSuggestionContainerRecommendations.list
  • recommender.monitoringProductSuggestionComputeInsights.list
  • recommender.monitoringProductSuggestionComputeRecommendations.list
  • recommender.resourcemanagerProjectUtilizationInsights.list
  • recommender.resourcemanagerProjectUtilizationRecommendations.list
  • recommender.usageCommitmentRecommendations.list
  • redis.instances.list
  • redis.locations.list
  • redis.operations.list
  • remotebuildexecution.instances.list
  • remotebuildexecution.workerpools.list
  • resourcemanager.folders.getIamPolicy
  • resourcemanager.folders.list
  • resourcemanager.folders.setIamPolicy
  • resourcemanager.hierarchyNodes.listTagBindings
  • resourcemanager.organizations.getIamPolicy
  • resourcemanager.organizations.setIamPolicy
  • resourcemanager.projects.getIamPolicy
  • resourcemanager.projects.list
  • resourcemanager.projects.setIamPolicy
  • resourcemanager.tagKeys.getIamPolicy
  • resourcemanager.tagKeys.list
  • resourcemanager.tagKeys.setIamPolicy
  • resourcemanager.tagValues.getIamPolicy
  • resourcemanager.tagValues.list
  • resourcemanager.tagValues.setIamPolicy
  • resourcesettings.settings.list
  • retail.catalogs.list
  • retail.operations.list
  • retail.products.list
  • riskmanager.operations.list
  • riskmanager.policies.list
  • riskmanager.reports.list
  • run.configurations.list
  • run.locations.*
  • run.revisions.list
  • run.routes.list
  • run.services.getIamPolicy
  • run.services.list
  • run.services.setIamPolicy
  • runtimeconfig.configs.getIamPolicy
  • runtimeconfig.configs.list
  • runtimeconfig.configs.setIamPolicy
  • runtimeconfig.operations.list
  • runtimeconfig.variables.getIamPolicy
  • runtimeconfig.variables.list
  • runtimeconfig.variables.setIamPolicy
  • runtimeconfig.waiters.getIamPolicy
  • runtimeconfig.waiters.list
  • runtimeconfig.waiters.setIamPolicy
  • secretmanager.locations.list
  • secretmanager.secrets.getIamPolicy
  • secretmanager.secrets.list
  • secretmanager.secrets.setIamPolicy
  • secretmanager.versions.list
  • securitycenter.assets.list
  • securitycenter.findings.list
  • securitycenter.notificationconfig.list
  • securitycenter.sources.getIamPolicy
  • securitycenter.sources.list
  • securitycenter.sources.setIamPolicy
  • servicebroker.bindingoperations.list
  • servicebroker.bindings.getIamPolicy
  • servicebroker.bindings.list
  • servicebroker.bindings.setIamPolicy
  • servicebroker.catalogs.getIamPolicy
  • servicebroker.catalogs.list
  • servicebroker.catalogs.setIamPolicy
  • servicebroker.instanceoperations.list
  • servicebroker.instances.getIamPolicy
  • servicebroker.instances.list
  • servicebroker.instances.setIamPolicy
  • serviceconsumermanagement.tenancyu.list
  • servicedirectory.endpoints.getIamPolicy
  • servicedirectory.endpoints.list
  • servicedirectory.endpoints.setIamPolicy
  • servicedirectory.locations.list
  • servicedirectory.namespaces.getIamPolicy
  • servicedirectory.namespaces.list
  • servicedirectory.namespaces.setIamPolicy
  • servicedirectory.services.getIamPolicy
  • servicedirectory.services.list
  • servicedirectory.services.setIamPolicy
  • servicemanagement.services.getIamPolicy
  • servicemanagement.services.list
  • servicemanagement.services.setIamPolicy
  • servicenetworking.operations.list
  • serviceusage.operations.list
  • serviceusage.services.list
  • source.repos.getIamPolicy
  • source.repos.list
  • source.repos.setIamPolicy
  • spanner.backupOperations.list
  • spanner.backups.getIamPolicy
  • spanner.backups.list
  • spanner.backups.setIamPolicy
  • spanner.databaseOperations.list
  • spanner.databases.getIamPolicy
  • spanner.databases.list
  • spanner.databases.setIamPolicy
  • spanner.instanceConfigs.list
  • spanner.instanceOperations.list
  • spanner.instances.getIamPolicy
  • spanner.instances.list
  • spanner.instances.setIamPolicy
  • spanner.sessions.list
  • speech.customClasses.list
  • speech.phraseSets.list
  • storage.buckets.getIamPolicy
  • storage.buckets.list
  • storage.buckets.setIamPolicy
  • storage.hmacKeys.list
  • storage.multipartUploads.list
  • storage.objects.getIamPolicy
  • storage.objects.list
  • storage.objects.setIamPolicy
  • storagetransfer.agentpools.list
  • storagetransfer.jobs.list
  • storagetransfer.operations.list
  • tpu.acceleratortypes.list
  • tpu.locations.list
  • tpu.nodes.list
  • tpu.operations.list
  • tpu.tensorflowversions.list
  • transcoder.jobTemplates.list
  • transcoder.jobs.list
  • translationhub.portals.list
  • visualinspection.annotationSets.list
  • visualinspection.annotationSpecs.list
  • visualinspection.annotations.list
  • visualinspection.datasets.list
  • visualinspection.images.list
  • visualinspection.locations.list
  • visualinspection.modelEvaluations.list
  • visualinspection.models.list
  • visualinspection.modules.list
  • visualinspection.operations.list
  • visualinspection.solutionArtifacts.list
  • visualinspection.solutions.list
  • vmmigration.cloneJobs.list
  • vmmigration.cutoverJobs.list
  • vmmigration.datacenterConnectors.list
  • vmmigration.deployments.list
  • vmmigration.groups.list
  • vmmigration.locations.list
  • vmmigration.migratingVms.list
  • vmmigration.operations.list
  • vmmigration.sources.list
  • vmmigration.targets.list
  • vmmigration.utilizationReports.list
  • vpcaccess.connectors.list
  • vpcaccess.locations.*
  • vpcaccess.operations.list
  • workflows.executions.list
  • workflows.locations.list
  • workflows.operations.list
  • workflows.workflows.getIamPolicy
  • workflows.workflows.list
  • workflows.workflows.setIamPolicy

Security Reviewer

roles/iam.securityReviewer

Provides permissions to list all resources and IAM policies on them.

  • accessapproval.requests.list
  • accesscontextmanager.accessLevels.list
  • accesscontextmanager.accessPolicies.getIamPolicy
  • accesscontextmanager.accessPolicies.list
  • accesscontextmanager.accessZones.list
  • accesscontextmanager.gcpUserAccessBindings.list
  • accesscontextmanager.policies.getIamPolicy
  • accesscontextmanager.policies.list
  • accesscontextmanager.servicePerimeters.list
  • actions.agentVersions.list
  • aiplatform.annotationSpecs.list
  • aiplatform.annotations.list
  • aiplatform.artifacts.list
  • aiplatform.batchPredictionJobs.list
  • aiplatform.contexts.list
  • aiplatform.customJobs.list
  • aiplatform.dataItems.list
  • aiplatform.dataLabelingJobs.list
  • aiplatform.datasets.list
  • aiplatform.edgeDeploymentJobs.list
  • aiplatform.edgeDevices.list
  • aiplatform.endpoints.list
  • aiplatform.entityTypes.list
  • aiplatform.executions.list
  • aiplatform.features.list
  • aiplatform.featurestores.list
  • aiplatform.humanInTheLoops.list
  • aiplatform.hyperparameterTuningJobs.list
  • aiplatform.indexEndpoints.list
  • aiplatform.indexes.list
  • aiplatform.locations.list
  • aiplatform.metadataSchemas.list
  • aiplatform.metadataStores.list
  • aiplatform.modelDeploymentMonitoringJobs.list
  • aiplatform.modelEvaluationSlices.list
  • aiplatform.modelEvaluations.list
  • aiplatform.models.list
  • aiplatform.nasJobs.list
  • aiplatform.operations.*
  • aiplatform.pipelineJobs.list
  • aiplatform.specialistPools.list
  • aiplatform.studies.list
  • aiplatform.tensorboardExperiments.list
  • aiplatform.tensorboardRuns.list
  • aiplatform.tensorboardTimeSeries.list
  • aiplatform.tensorboards.list
  • aiplatform.trainingPipelines.list
  • aiplatform.trials.list
  • apigateway.apiconfigs.getIamPolicy
  • apigateway.apiconfigs.list
  • apigateway.apis.getIamPolicy
  • apigateway.apis.list
  • apigateway.gateways.getIamPolicy
  • apigateway.gateways.list
  • apigateway.locations.list
  • apigateway.operations.list
  • apigee.apiproductattributes.list
  • apigee.apiproducts.list
  • apigee.apps.list
  • apigee.archivedeployments.list
  • apigee.caches.list
  • apigee.datacollectors.list
  • apigee.datastores.list
  • apigee.deployments.list
  • apigee.developerappattributes.list
  • apigee.developerapps.list
  • apigee.developerattributes.list
  • apigee.developers.list
  • apigee.developersubscriptions.list
  • apigee.envgroupattachments.list
  • apigee.envgroups.list
  • apigee.environments.getIamPolicy
  • apigee.environments.list
  • apigee.exports.list
  • apigee.flowhooks.list
  • apigee.hostqueries.list
  • apigee.hostsecurityreports.list
  • apigee.instanceattachments.list
  • apigee.instances.list
  • apigee.keystorealiases.list
  • apigee.keystores.list
  • apigee.keyvaluemaps.list
  • apigee.operations.list
  • apigee.organizations.list
  • apigee.portals.list
  • apigee.proxies.list
  • apigee.proxyrevisions.list
  • apigee.queries.list
  • apigee.rateplans.list
  • apigee.references.list
  • apigee.reports.list
  • apigee.resourcefiles.list
  • apigee.securityreports.list
  • apigee.sharedflowrevisions.list
  • apigee.sharedflows.list
  • apigee.targetservers.list
  • apigee.tracesessions.list
  • apigeeconnect.connections.*
  • apikeys.keys.list
  • appengine.instances.list
  • appengine.memcache.list
  • appengine.operations.list
  • appengine.services.list
  • appengine.versions.list
  • artifactregistry.files.list
  • artifactregistry.packages.list
  • artifactregistry.repositories.getIamPolicy
  • artifactregistry.repositories.list
  • artifactregistry.tags.list
  • artifactregistry.versions.list
  • assuredworkloads.operations.list
  • assuredworkloads.workload.list
  • automl.annotationSpecs.list
  • automl.annotations.list
  • automl.columnSpecs.list
  • automl.datasets.getIamPolicy
  • automl.datasets.list
  • automl.examples.list
  • automl.humanAnnotationTasks.list
  • automl.locations.getIamPolicy
  • automl.locations.list
  • automl.modelEvaluations.list
  • automl.models.getIamPolicy
  • automl.models.list
  • automl.operations.list
  • automl.tableSpecs.list
  • automlrecommendations.apiKeys.list
  • automlrecommendations.catalogItems.list
  • automlrecommendations.catalogs.list
  • automlrecommendations.events.list
  • automlrecommendations.placements.list
  • automlrecommendations.recommendations.list
  • autoscaling.sites.getIamPolicy
  • baremetalsolution.instances.list
  • bigquery.capacityCommitments.list
  • bigquery.connections.getIamPolicy
  • bigquery.connections.list
  • bigquery.datasets.getIamPolicy
  • bigquery.jobs.list
  • bigquery.models.list
  • bigquery.reservationAssignments.list
  • bigquery.reservations.list
  • bigquery.routines.list
  • bigquery.rowAccessPolicies.getIamPolicy
  • bigquery.rowAccessPolicies.list
  • bigquery.savedqueries.list
  • bigquery.tables.getIamPolicy
  • bigquery.tables.list
  • bigtable.appProfiles.list
  • bigtable.backups.getIamPolicy
  • bigtable.backups.list
  • bigtable.clusters.list
  • bigtable.instances.getIamPolicy
  • bigtable.instances.list
  • bigtable.keyvisualizer.list
  • bigtable.locations.*
  • bigtable.tables.getIamPolicy
  • bigtable.tables.list
  • billing.accounts.getIamPolicy
  • billing.accounts.list
  • billing.budgets.list
  • billing.credits.*
  • billing.resourceAssociations.list
  • billing.subscriptions.list
  • binaryauthorization.attestors.getIamPolicy
  • binaryauthorization.attestors.list
  • binaryauthorization.continuousValidationConfig.getIamPolicy
  • binaryauthorization.policy.getIamPolicy
  • clientauthconfig.brands.list
  • clientauthconfig.clients.list
  • cloudasset.feeds.list
  • cloudbuild.builds.list
  • cloudbuild.workerpools.list
  • clouddebugger.breakpoints.list
  • clouddebugger.debuggees.list
  • clouddeploy.deliveryPipelines.getIamPolicy
  • clouddeploy.deliveryPipelines.list
  • clouddeploy.locations.list
  • clouddeploy.operations.list
  • clouddeploy.releases.list
  • clouddeploy.rollouts.list
  • clouddeploy.targets.getIamPolicy
  • clouddeploy.targets.list
  • cloudfunctions.functions.getIamPolicy
  • cloudfunctions.functions.list
  • cloudfunctions.locations.list
  • cloudfunctions.operations.list
  • cloudiot.devices.list
  • cloudiot.registries.getIamPolicy
  • cloudiot.registries.list
  • cloudjobdiscovery.companies.list
  • cloudkms.cryptoKeyVersions.list
  • cloudkms.cryptoKeys.getIamPolicy
  • cloudkms.cryptoKeys.list
  • cloudkms.importJobs.getIamPolicy
  • cloudkms.importJobs.list
  • cloudkms.keyRings.getIamPolicy
  • cloudkms.keyRings.list
  • cloudkms.locations.list
  • cloudnotifications.*
  • cloudonefs.isiloncloud.com/clusters.list
  • cloudonefs.isiloncloud.com/fileshares.list
  • cloudprivatecatalogproducer.associations.list
  • cloudprivatecatalogproducer.catalogAssociations.list
  • cloudprivatecatalogproducer.catalogs.getIamPolicy
  • cloudprivatecatalogproducer.catalogs.list
  • cloudprivatecatalogproducer.producerCatalogs.getIamPolicy
  • cloudprivatecatalogproducer.producerCatalogs.list
  • cloudprivatecatalogproducer.products.getIamPolicy
  • cloudprivatecatalogproducer.products.list
  • cloudprofiler.profiles.list
  • cloudscheduler.jobs.list
  • cloudscheduler.locations.list
  • cloudsecurityscanner.crawledurls.*
  • cloudsecurityscanner.results.list
  • cloudsecurityscanner.scanruns.list
  • cloudsecurityscanner.scans.list
  • cloudsql.backupRuns.list
  • cloudsql.databases.list
  • cloudsql.instances.list
  • cloudsql.sslCerts.list
  • cloudsql.users.list
  • cloudsupport.accounts.getIamPolicy
  • cloudsupport.accounts.list
  • cloudsupport.techCases.list
  • cloudtasks.locations.list
  • cloudtasks.queues.getIamPolicy
  • cloudtasks.queues.list
  • cloudtasks.tasks.list
  • cloudtoolresults.executions.list
  • cloudtoolresults.histories.list
  • cloudtoolresults.steps.list
  • cloudtrace.insights.list
  • cloudtrace.tasks.list
  • cloudtrace.traces.list
  • cloudtranslate.glossaries.list
  • cloudtranslate.locations.list
  • cloudtranslate.operations.list
  • cloudvolumesgcp-api.netapp.com/activeDirectories.list
  • cloudvolumesgcp-api.netapp.com/ipRanges.*
  • cloudvolumesgcp-api.netapp.com/jobs.list
  • cloudvolumesgcp-api.netapp.com/regions.*
  • cloudvolumesgcp-api.netapp.com/serviceLevels.*
  • cloudvolumesgcp-api.netapp.com/snapshots.list
  • cloudvolumesgcp-api.netapp.com/volumes.list
  • commerceprice.privateoffers.list
  • composer.environments.list
  • composer.imageversions.*
  • composer.operations.list
  • compute.acceleratorTypes.list
  • compute.addresses.list
  • compute.autoscalers.list
  • compute.backendBuckets.list
  • compute.backendServices.getIamPolicy
  • compute.backendServices.list
  • compute.commitments.list
  • compute.diskTypes.list
  • compute.disks.getIamPolicy
  • compute.disks.list
  • compute.externalVpnGateways.list
  • compute.firewallPolicies.getIamPolicy
  • compute.firewallPolicies.list
  • compute.firewalls.list
  • compute.forwardingRules.list
  • compute.globalAddresses.list
  • compute.globalForwardingRules.list
  • compute.globalNetworkEndpointGroups.list
  • compute.globalOperations.getIamPolicy
  • compute.globalOperations.list
  • compute.globalPublicDelegatedPrefixes.list
  • compute.healthChecks.list
  • compute.httpHealthChecks.list
  • compute.httpsHealthChecks.list
  • compute.images.getIamPolicy
  • compute.images.list
  • compute.instanceGroupManagers.list
  • compute.instanceGroups.list
  • compute.instanceTemplates.getIamPolicy
  • compute.instanceTemplates.list
  • compute.instances.getIamPolicy
  • compute.instances.list
  • compute.interconnectAttachments.list
  • compute.interconnectLocations.list
  • compute.interconnects.list
  • compute.licenseCodes.getIamPolicy
  • compute.licenseCodes.list
  • compute.licenses.getIamPolicy
  • compute.licenses.list
  • compute.machineImages.getIamPolicy
  • compute.machineImages.list
  • compute.machineTypes.list
  • compute.maintenancePolicies.getIamPolicy
  • compute.maintenancePolicies.list
  • compute.networkEndpointGroups.getIamPolicy
  • compute.networkEndpointGroups.list
  • compute.networks.list
  • compute.nodeGroups.getIamPolicy
  • compute.nodeGroups.list
  • compute.nodeTemplates.getIamPolicy
  • compute.nodeTemplates.list
  • compute.nodeTypes.list
  • compute.publicAdvertisedPrefixes.list
  • compute.publicDelegatedPrefixes.list
  • compute.regionBackendServices.getIamPolicy
  • compute.regionBackendServices.list
  • compute.regionHealthCheckServices.list
  • compute.regionHealthChecks.list
  • compute.regionNetworkEndpointGroups.list
  • compute.regionNotificationEndpoints.list
  • compute.regionOperations.getIamPolicy
  • compute.regionOperations.list
  • compute.regionSslCertificates.list
  • compute.regionTargetHttpProxies.list
  • compute.regionTargetHttpsProxies.list
  • compute.regionUrlMaps.list
  • compute.regions.list
  • compute.reservations.list
  • compute.resourcePolicies.list
  • compute.routers.list
  • compute.routes.list
  • compute.securityPolicies.getIamPolicy
  • compute.securityPolicies.list
  • compute.serviceAttachments.list
  • compute.snapshots.getIamPolicy
  • compute.snapshots.list
  • compute.sslCertificates.list
  • compute.sslPolicies.list
  • compute.subnetworks.getIamPolicy
  • compute.subnetworks.list
  • compute.targetGrpcProxies.list
  • compute.targetHttpProxies.list
  • compute.targetHttpsProxies.list
  • compute.targetInstances.list
  • compute.targetPools.list
  • compute.targetSslProxies.list
  • compute.targetTcpProxies.list
  • compute.targetVpnGateways.list
  • compute.urlMaps.list
  • compute.vpnGateways.list
  • compute.vpnTunnels.list
  • compute.zoneOperations.getIamPolicy
  • compute.zoneOperations.list
  • compute.zones.list
  • connectors.connections.getIamPolicy
  • connectors.connections.list
  • connectors.connectors.list
  • connectors.locations.list
  • connectors.operations.list
  • connectors.providers.list
  • connectors.versions.list
  • consumerprocurement.accounts.list
  • consumerprocurement.entitlements.list
  • consumerprocurement.freeTrials.list
  • consumerprocurement.orders.list
  • contactcenterinsights.analyses.list
  • contactcenterinsights.conversations.list
  • contactcenterinsights.issueModels.list
  • contactcenterinsights.issues.list
  • contactcenterinsights.operations.list
  • contactcenterinsights.phraseMatchers.list
  • container.apiServices.list
  • container.auditSinks.list
  • container.backendConfigs.list
  • container.bindings.list
  • container.certificateSigningRequests.list
  • container.clusterRoleBindings.list
  • container.clusterRoles.list
  • container.clusters.list
  • container.componentStatuses.list
  • container.configMaps.list
  • container.controllerRevisions.list
  • container.cronJobs.list
  • container.csiDrivers.list
  • container.csiNodeInfos.list
  • container.csiNodes.list
  • container.customResourceDefinitions.list
  • container.daemonSets.list
  • container.deployments.list
  • container.endpointSlices.list
  • container.endpoints.list
  • container.events.list
  • container.frontendConfigs.list
  • container.horizontalPodAutoscalers.list
  • container.ingresses.list
  • container.initializerConfigurations.list
  • container.jobs.list
  • container.leases.list
  • container.limitRanges.list
  • container.localSubjectAccessReviews.list
  • container.managedCertificates.list
  • container.mutatingWebhookConfigurations.list
  • container.namespaces.list
  • container.networkPolicies.list
  • container.nodes.list
  • container.operations.list
  • container.persistentVolumeClaims.list
  • container.persistentVolumes.list
  • container.petSets.list
  • container.podDisruptionBudgets.list
  • container.podPresets.list
  • container.podSecurityPolicies.list
  • container.podTemplates.list
  • container.pods.list
  • container.priorityClasses.list
  • container.replicaSets.list
  • container.replicationControllers.list
  • container.resourceQuotas.list
  • container.roleBindings.list
  • container.roles.list
  • container.runtimeClasses.list
  • container.scheduledJobs.list
  • container.selfSubjectAccessReviews.list
  • container.serviceAccounts.list
  • container.services.list
  • container.statefulSets.list
  • container.storageClasses.list
  • container.storageStates.list
  • container.storageVersionMigrations.list
  • container.subjectAccessReviews.list
  • container.thirdPartyObjects.list
  • container.thirdPartyResources.list
  • container.updateInfos.list
  • container.validatingWebhookConfigurations.list
  • container.volumeAttachments.list
  • container.volumeSnapshotClasses.list
  • container.volumeSnapshotContents.list
  • container.volumeSnapshots.list
  • containeranalysis.notes.getIamPolicy
  • containeranalysis.notes.list
  • containeranalysis.occurrences.getIamPolicy
  • containeranalysis.occurrences.list
  • datacatalog.categories.getIamPolicy
  • datacatalog.entries.getIamPolicy
  • datacatalog.entries.list
  • datacatalog.entryGroups.getIamPolicy
  • datacatalog.entryGroups.list
  • datacatalog.tagTemplates.getIamPolicy
  • datacatalog.taxonomies.getIamPolicy
  • datacatalog.taxonomies.list
  • dataflow.jobs.list
  • dataflow.messages.*
  • dataflow.snapshots.list
  • datafusion.instances.getIamPolicy
  • datafusion.instances.list
  • datafusion.locations.list
  • datafusion.operations.list
  • datalabeling.annotateddatasets.list
  • datalabeling.annotationspecsets.list
  • datalabeling.dataitems.list
  • datalabeling.datasets.list
  • datalabeling.examples.list
  • datalabeling.instructions.list
  • datalabeling.operations.list
  • datamigration.connectionprofiles.getIamPolicy
  • datamigration.connectionprofiles.list
  • datamigration.locations.list
  • datamigration.migrationjobs.getIamPolicy
  • datamigration.migrationjobs.list
  • datamigration.operations.list
  • datapipelines.pipelines.list
  • dataproc.agents.list
  • dataproc.autoscalingPolicies.getIamPolicy
  • dataproc.autoscalingPolicies.list
  • dataproc.clusters.getIamPolicy
  • dataproc.clusters.list
  • dataproc.jobs.getIamPolicy
  • dataproc.jobs.list
  • dataproc.operations.getIamPolicy
  • dataproc.operations.list
  • dataproc.workflowTemplates.getIamPolicy
  • dataproc.workflowTemplates.list
  • dataprocessing.datasources.list
  • dataprocessing.featurecontrols.list
  • dataprocessing.groupcontrols.list
  • datastore.databases.getIamPolicy
  • datastore.databases.list
  • datastore.entities.list
  • datastore.indexes.list
  • datastore.locations.list
  • datastore.namespaces.getIamPolicy
  • datastore.namespaces.list
  • datastore.operations.list
  • datastore.statistics.list
  • datastream.connectionProfiles.getIamPolicy
  • datastream.connectionProfiles.list
  • datastream.locations.list
  • datastream.operations.list
  • datastream.privateConnections.getIamPolicy
  • datastream.privateConnections.list
  • datastream.routes.getIamPolicy
  • datastream.routes.list
  • datastream.streams.getIamPolicy
  • datastream.streams.list
  • deploymentmanager.compositeTypes.list
  • deploymentmanager.deployments.getIamPolicy
  • deploymentmanager.deployments.list
  • deploymentmanager.manifests.list
  • deploymentmanager.operations.list
  • deploymentmanager.resources.list
  • deploymentmanager.typeProviders.list
  • deploymentmanager.types.list
  • dialogflow.agents.list
  • dialogflow.answerrecords.list
  • dialogflow.callMatchers.list
  • dialogflow.changelogs.list
  • dialogflow.contexts.list
  • dialogflow.conversationDatasets.list
  • dialogflow.conversationModels.list
  • dialogflow.conversationProfiles.list
  • dialogflow.conversations.list
  • dialogflow.documents.list
  • dialogflow.entityTypes.list
  • dialogflow.environments.list
  • dialogflow.flows.list
  • dialogflow.intents.list
  • dialogflow.knowledgeBases.list
  • dialogflow.messages.*
  • dialogflow.modelEvaluations.list
  • dialogflow.pages.list
  • dialogflow.participants.list
  • dialogflow.phoneNumberOrders.list
  • dialogflow.phoneNumbers.list
  • dialogflow.securitySettings.list
  • dialogflow.sessionEntityTypes.list
  • dialogflow.smartMessagingEntries.list
  • dialogflow.transitionRouteGroups.list
  • dialogflow.versions.list
  • dialogflow.webhooks.list
  • dlp.analyzeRiskTemplates.list
  • dlp.columnDataProfiles.list
  • dlp.deidentifyTemplates.list
  • dlp.estimates.list
  • dlp.inspectFindings.*
  • dlp.inspectTemplates.list
  • dlp.jobTriggers.list
  • dlp.jobs.list
  • dlp.projectDataProfiles.list
  • dlp.storedInfoTypes.list
  • dlp.tableDataProfiles.list
  • dns.changes.list
  • dns.dnsKeys.list
  • dns.managedZoneOperations.list
  • dns.managedZones.list
  • dns.policies.getIamPolicy
  • dns.policies.list
  • dns.resourceRecordSets.list
  • dns.responsePolicies.list
  • dns.responsePolicyRules.list
  • documentai.evaluations.list
  • documentai.labelerPools.list
  • documentai.locations.list
  • documentai.processorTypes.*
  • documentai.processorVersions.list
  • documentai.processors.list
  • domains.locations.list
  • domains.operations.list
  • domains.registrations.getIamPolicy
  • domains.registrations.list
  • earlyaccesscenter.campaigns.list
  • earlyaccesscenter.customerAllowlists.list
  • earthengine.assets.getIamPolicy
  • earthengine.assets.list
  • earthengine.operations.list
  • errorreporting.applications.*
  • errorreporting.errorEvents.list
  • errorreporting.groups.*
  • essentialcontacts.contacts.list
  • eventarc.locations.list
  • eventarc.operations.list
  • eventarc.triggers.getIamPolicy
  • eventarc.triggers.list
  • fcmdata.*
  • file.backups.list
  • file.instances.list
  • file.locations.list
  • file.operations.list
  • firebase.clients.list
  • firebase.links.list
  • firebase.playLinks.list
  • firebaseabt.experiments.list
  • firebaseappdistro.groups.list
  • firebaseappdistro.releases.list
  • firebaseappdistro.testers.list
  • firebasecrashlytics.issues.list
  • firebasedatabase.instances.list
  • firebasedynamiclinks.destinations.list
  • firebasedynamiclinks.domains.list
  • firebasedynamiclinks.links.list
  • firebaseextensions.configs.list
  • firebasehosting.sites.list
  • firebaseinappmessaging.campaigns.list
  • firebaseml.compressionjobs.list
  • firebaseml.models.list
  • firebaseml.modelversions.list
  • firebasenotifications.messages.list
  • firebasepredictions.predictions.list
  • firebaserules.releases.list
  • firebaserules.rulesets.list
  • firebasestorage.buckets.list
  • fleetengine.vehicles.list
  • gameservices.gameServerClusters.list
  • gameservices.gameServerConfigs.list
  • gameservices.gameServerDeployments.list
  • gameservices.locations.list
  • gameservices.operations.list
  • gameservices.realms.list
  • gcp.redisenterprise.com/databases.list
  • gcp.redisenterprise.com/subscriptions.list
  • genomics.datasets.getIamPolicy
  • genomics.datasets.list
  • genomics.operations.list
  • gkehub.features.getIamPolicy
  • gkehub.features.list
  • gkehub.gateway.getIamPolicy
  • gkehub.locations.list
  • gkehub.memberships.getIamPolicy
  • gkehub.memberships.list
  • gkehub.operations.list
  • gkemulticloud.awsClusters.list
  • gkemulticloud.awsNodePools.list
  • gkemulticloud.azureClients.list
  • gkemulticloud.azureClusters.list
  • gkemulticloud.azureNodePools.list
  • gkemulticloud.operations.list
  • gsuiteaddons.deployments.list
  • healthcare.annotationStores.getIamPolicy
  • healthcare.annotationStores.list
  • healthcare.annotations.list
  • healthcare.attributeDefinitions.list
  • healthcare.consentArtifacts.list
  • healthcare.consentStores.getIamPolicy
  • healthcare.consentStores.list
  • healthcare.consents.list
  • healthcare.datasets.getIamPolicy
  • healthcare.datasets.list
  • healthcare.dicomStores.getIamPolicy
  • healthcare.dicomStores.list
  • healthcare.fhirStores.getIamPolicy
  • healthcare.fhirStores.list
  • healthcare.hl7V2Messages.list
  • healthcare.hl7V2Stores.getIamPolicy
  • healthcare.hl7V2Stores.list
  • healthcare.locations.list
  • healthcare.operations.list
  • healthcare.userDataMappings.list
  • iam.googleapis.com/workloadIdentityPoolProviders.list
  • iam.googleapis.com/workloadIdentityPools.list
  • iam.roles.get
  • iam.roles.list
  • iam.serviceAccountKeys.list
  • iam.serviceAccounts.get
  • iam.serviceAccounts.getIamPolicy
  • iam.serviceAccounts.list
  • iap.tunnel.getIamPolicy
  • iap.tunnelInstances.getIamPolicy
  • iap.tunnelZones.getIamPolicy
  • iap.web.getIamPolicy
  • iap.webServiceVersions.getIamPolicy
  • iap.webServices.getIamPolicy
  • iap.webTypes.getIamPolicy
  • integrations.apigeeAuthConfigs.list
  • integrations.apigeeCertificates.list
  • integrations.apigeeExecutions.*
  • integrations.apigeeIntegrationVers.list
  • integrations.apigeeIntegrations.list
  • integrations.apigeeSfdcChannels.list
  • integrations.apigeeSfdcInstances.list
  • integrations.apigeeSuspensions.list
  • integrations.securityAuthConfigs.list
  • integrations.securityExecutions.list
  • integrations.securityIntegTempVers.list
  • integrations.securityIntegrationVers.list
  • integrations.securityIntegrations.list
  • lifesciences.operations.list
  • livestream.channels.list
  • livestream.events.list
  • livestream.inputs.list
  • livestream.locations.list
  • livestream.operations.list
  • logging.buckets.list
  • logging.exclusions.list
  • logging.locations.list
  • logging.logEntries.list
  • logging.logMetrics.list
  • logging.logServiceIndexes.*
  • logging.logServices.*
  • logging.logs.list
  • logging.notificationRules.list
  • logging.operations.list
  • logging.privateLogEntries.*
  • logging.queries.list
  • logging.sinks.list
  • logging.views.list
  • managedidentities.domains.getIamPolicy
  • managedidentities.domains.list
  • managedidentities.locations.list
  • managedidentities.operations.list
  • managedidentities.peerings.getIamPolicy
  • managedidentities.peerings.list
  • managedidentities.sqlintegrations.list
  • memcache.instances.list
  • memcache.locations.list
  • memcache.operations.list
  • metastore.backups.list
  • metastore.imports.list
  • metastore.locations.list
  • metastore.operations.list
  • metastore.services.getIamPolicy
  • metastore.services.list
  • ml.jobs.getIamPolicy
  • ml.jobs.list
  • ml.locations.list
  • ml.models.getIamPolicy
  • ml.models.list
  • ml.operations.list
  • ml.studies.getIamPolicy
  • ml.studies.list
  • ml.trials.list
  • ml.versions.list
  • monitoring.alertPolicies.list
  • monitoring.dashboards.list
  • monitoring.groups.list
  • monitoring.metricDescriptors.list
  • monitoring.monitoredResourceDescriptors.list
  • monitoring.notificationChannelDescriptors.list
  • monitoring.notificationChannels.list
  • monitoring.publicWidgets.list
  • monitoring.services.list
  • monitoring.slos.list
  • monitoring.timeSeries.list
  • monitoring.uptimeCheckConfigs.list
  • networkconnectivity.hubs.getIamPolicy
  • networkconnectivity.hubs.list
  • networkconnectivity.locations.list
  • networkconnectivity.operations.list
  • networkconnectivity.spokes.getIamPolicy
  • networkconnectivity.spokes.list
  • networkmanagement.connectivitytests.getIamPolicy
  • networkmanagement.connectivitytests.list
  • networkmanagement.locations.list
  • networkmanagement.operations.list
  • networksecurity.authorizationPolicies.getIamPolicy
  • networksecurity.authorizationPolicies.list
  • networksecurity.clientTlsPolicies.getIamPolicy
  • networksecurity.clientTlsPolicies.list
  • networksecurity.locations.list
  • networksecurity.operations.list
  • networksecurity.serverTlsPolicies.getIamPolicy
  • networksecurity.serverTlsPolicies.list
  • networkservices.endpointConfigSelectors.getIamPolicy
  • networkservices.endpointConfigSelectors.list
  • networkservices.endpointPolicies.getIamPolicy
  • networkservices.endpointPolicies.list
  • networkservices.httpFilters.getIamPolicy
  • networkservices.httpFilters.list
  • networkservices.httpfilters.getIamPolicy
  • networkservices.httpfilters.list
  • networkservices.locations.list
  • networkservices.operations.list
  • notebooks.environments.getIamPolicy
  • notebooks.environments.list
  • notebooks.executions.getIamPolicy
  • notebooks.executions.list
  • notebooks.instances.getIamPolicy
  • notebooks.instances.list
  • notebooks.locations.list
  • notebooks.operations.list
  • notebooks.runtimes.getIamPolicy
  • notebooks.runtimes.list
  • notebooks.schedules.getIamPolicy
  • notebooks.schedules.list
  • ondemandscanning.operations.list
  • opsconfigmonitoring.resourceMetadata.list
  • orgpolicy.constraints.*
  • orgpolicy.policies.list
  • osconfig.guestPolicies.list
  • osconfig.instanceOSPoliciesCompliances.list
  • osconfig.inventories.list
  • osconfig.osPolicyAssignmentReports.list
  • osconfig.osPolicyAssignments.list
  • osconfig.patchDeployments.list
  • osconfig.patchJobs.list
  • osconfig.vulnerabilityReports.list
  • paymentsresellersubscription.products.*
  • paymentsresellersubscription.promotions.*
  • policysimulator.replayResults.*
  • policysimulator.replays.list
  • privateca.caPools.getIamPolicy
  • privateca.caPools.list
  • privateca.certificateAuthorities.getIamPolicy
  • privateca.certificateAuthorities.list
  • privateca.certificateRevocationLists.getIamPolicy
  • privateca.certificateRevocationLists.list
  • privateca.certificateTemplates.getIamPolicy
  • privateca.certificateTemplates.list
  • privateca.certificates.getIamPolicy
  • privateca.certificates.list
  • privateca.locations.list
  • privateca.operations.list
  • privateca.reusableConfigs.getIamPolicy
  • privateca.reusableConfigs.list
  • proximitybeacon.attachments.list
  • proximitybeacon.beacons.getIamPolicy
  • proximitybeacon.beacons.list
  • proximitybeacon.namespaces.getIamPolicy
  • proximitybeacon.namespaces.list
  • pubsub.schemas.getIamPolicy
  • pubsub.schemas.list
  • pubsub.snapshots.getIamPolicy
  • pubsub.snapshots.list
  • pubsub.subscriptions.getIamPolicy
  • pubsub.subscriptions.list
  • pubsub.topics.getIamPolicy
  • pubsub.topics.list
  • pubsublite.operations.list
  • pubsublite.reservations.list
  • pubsublite.subscriptions.list
  • pubsublite.topics.list
  • recaptchaenterprise.keys.list
  • recommender.bigqueryCapacityCommitmentsInsights.list
  • recommender.bigqueryCapacityCommitmentsRecommendations.list
  • recommender.cloudAssetInsights.list
  • recommender.cloudsqlIdleInstanceRecommendations.list
  • recommender.cloudsqlInstanceActivityInsights.list
  • recommender.cloudsqlInstanceCpuUsageInsights.list
  • recommender.cloudsqlInstanceDiskUsageTrendInsights.list
  • recommender.cloudsqlInstanceMemoryUsageInsights.list
  • recommender.cloudsqlInstanceOutOfDiskRecommendations.list
  • recommender.cloudsqlOverprovisionedInstanceRecommendations.list
  • recommender.commitmentUtilizationInsights.list
  • recommender.computeAddressIdleResourceInsights.list
  • recommender.computeAddressIdleResourceRecommendations.list
  • recommender.computeDiskIdleResourceInsights.list
  • recommender.computeDiskIdleResourceRecommendations.list
  • recommender.computeFirewallInsights.list
  • recommender.computeImageIdleResourceInsights.list
  • recommender.computeImageIdleResourceRecommendations.list
  • recommender.computeInstanceGroupManagerMachineTypeRecommendations.list
  • recommender.computeInstanceIdleResourceRecommendations.list
  • recommender.computeInstanceMachineTypeRecommendations.list
  • recommender.iamPolicyInsights.list
  • recommender.iamPolicyLateralMovementInsights.list
  • recommender.iamPolicyRecommendations.list
  • recommender.iamServiceAccountInsights.list
  • recommender.locations.list
  • recommender.loggingProductSuggestionContainerInsights.list
  • recommender.loggingProductSuggestionContainerRecommendations.list
  • recommender.monitoringProductSuggestionComputeInsights.list
  • recommender.monitoringProductSuggestionComputeRecommendations.list
  • recommender.resourcemanagerProjectUtilizationInsights.list
  • recommender.resourcemanagerProjectUtilizationRecommendations.list
  • recommender.usageCommitmentRecommendations.list
  • redis.instances.list
  • redis.locations.list
  • redis.operations.list
  • remotebuildexecution.instances.list
  • remotebuildexecution.workerpools.list
  • resourcemanager.folders.getIamPolicy
  • resourcemanager.folders.list
  • resourcemanager.hierarchyNodes.listTagBindings
  • resourcemanager.organizations.getIamPolicy
  • resourcemanager.projects.getIamPolicy
  • resourcemanager.projects.list
  • resourcemanager.tagKeys.getIamPolicy
  • resourcemanager.tagKeys.list
  • resourcemanager.tagValues.getIamPolicy
  • resourcemanager.tagValues.list
  • resourcesettings.settings.list
  • retail.catalogs.list
  • retail.operations.list
  • retail.products.list
  • riskmanager.operations.list
  • riskmanager.policies.list
  • riskmanager.reports.list
  • run.configurations.list
  • run.locations.*
  • run.revisions.list
  • run.routes.list
  • run.services.getIamPolicy
  • run.services.list
  • runtimeconfig.configs.getIamPolicy
  • runtimeconfig.configs.list
  • runtimeconfig.operations.list
  • runtimeconfig.variables.getIamPolicy
  • runtimeconfig.variables.list
  • runtimeconfig.waiters.getIamPolicy
  • runtimeconfig.waiters.list
  • secretmanager.locations.list
  • secretmanager.secrets.getIamPolicy
  • secretmanager.secrets.list
  • secretmanager.versions.list
  • securitycenter.assets.list
  • securitycenter.findings.list
  • securitycenter.notificationconfig.list
  • securitycenter.sources.getIamPolicy
  • securitycenter.sources.list
  • servicebroker.bindingoperations.list
  • servicebroker.bindings.getIamPolicy
  • servicebroker.bindings.list
  • servicebroker.catalogs.getIamPolicy
  • servicebroker.catalogs.list
  • servicebroker.instanceoperations.list
  • servicebroker.instances.getIamPolicy
  • servicebroker.instances.list
  • serviceconsumermanagement.tenancyu.list
  • servicedirectory.endpoints.getIamPolicy
  • servicedirectory.endpoints.list
  • servicedirectory.locations.list
  • servicedirectory.namespaces.getIamPolicy
  • servicedirectory.namespaces.list
  • servicedirectory.services.getIamPolicy
  • servicedirectory.services.list
  • servicemanagement.services.getIamPolicy
  • servicemanagement.services.list
  • servicenetworking.operations.list
  • serviceusage.operations.list
  • serviceusage.services.list
  • source.repos.getIamPolicy
  • source.repos.list
  • spanner.backupOperations.list
  • spanner.backups.getIamPolicy
  • spanner.backups.list
  • spanner.databaseOperations.list
  • spanner.databases.getIamPolicy
  • spanner.databases.list
  • spanner.instanceConfigs.list
  • spanner.instanceOperations.list
  • spanner.instances.getIamPolicy
  • spanner.instances.list
  • spanner.sessions.list
  • speech.customClasses.list
  • speech.phraseSets.list
  • storage.buckets.getIamPolicy
  • storage.buckets.list
  • storage.hmacKeys.list
  • storage.multipartUploads.list
  • storage.objects.getIamPolicy
  • storage.objects.list
  • storagetransfer.agentpools.list
  • storagetransfer.jobs.list
  • storagetransfer.operations.list
  • tpu.acceleratortypes.list
  • tpu.locations.list
  • tpu.nodes.list
  • tpu.operations.list
  • tpu.tensorflowversions.list
  • transcoder.jobTemplates.list
  • transcoder.jobs.list
  • translationhub.portals.list
  • visualinspection.annotationSets.list
  • visualinspection.annotationSpecs.list
  • visualinspection.annotations.list
  • visualinspection.datasets.list
  • visualinspection.images.list
  • visualinspection.locations.list
  • visualinspection.modelEvaluations.list
  • visualinspection.models.list
  • visualinspection.modules.list
  • visualinspection.operations.list
  • visualinspection.solutionArtifacts.list
  • visualinspection.solutions.list
  • vmmigration.cloneJobs.list
  • vmmigration.cutoverJobs.list
  • vmmigration.datacenterConnectors.list
  • vmmigration.deployments.list
  • vmmigration.groups.list
  • vmmigration.locations.list
  • vmmigration.migratingVms.list
  • vmmigration.operations.list
  • vmmigration.sources.list
  • vmmigration.targets.list
  • vmmigration.utilizationReports.list
  • vpcaccess.connectors.list
  • vpcaccess.locations.*
  • vpcaccess.operations.list
  • workflows.executions.list
  • workflows.locations.list
  • workflows.operations.list
  • workflows.workflows.getIamPolicy
  • workflows.workflows.list

Kubernetes Engine Admin

roles/container.admin

Provides access to full management of clusters and their Kubernetes API objects. To set a service account on nodes, you must also have the Service Account User role (roles/iam.serviceAccountUser) on the Compute Engine default service account.

  • container.*
  • resourcemanager.projects.get
  • resourcemanager.projects.list

Kubernetes Engine Cluster Admin

roles/container.clusterAdmin

Provides access to management of clusters. To set a service account on nodes, you must also have the Service Account User role (roles/iam.serviceAccountUser) on the Compute Engine default service account.

  • container.clusters.create
  • container.clusters.delete
  • container.clusters.get
  • container.clusters.list
  • container.clusters.update
  • container.operations.*
  • resourcemanager.projects.get
  • resourcemanager.projects.list

Kubernetes Engine Cluster Viewer

roles/container.clusterViewer

Get and list access to GKE Clusters.

  • container.clusters.get
  • container.clusters.list
  • resourcemanager.projects.get
  • resourcemanager.projects.list

Kubernetes Engine Developer

roles/container.developer

Provides access to Kubernetes API objects inside clusters.

  • container.apiServices.*
  • container.auditSinks.*
  • container.backendConfigs.*
  • container.bindings.*
  • container.certificateSigningRequests.create
  • container.certificateSigningRequests.delete
  • container.certificateSigningRequests.get
  • container.certificateSigningRequests.list
  • container.certificateSigningRequests.update
  • container.certificateSigningRequests.updateStatus
  • container.clusterRoleBindings.get
  • container.clusterRoleBindings.list
  • container.clusterRoles.get
  • container.clusterRoles.list
  • container.clusters.get
  • container.clusters.list
  • container.componentStatuses.*
  • container.configMaps.*
  • container.controllerRevisions.get
  • container.controllerRevisions.list
  • container.cronJobs.*
  • container.csiDrivers.*
  • container.csiNodeInfos.*
  • container.csiNodes.*
  • container.customResourceDefinitions.*
  • container.daemonSets.*
  • container.deployments.*
  • container.endpointSlices.*
  • container.endpoints.*
  • container.events.*
  • container.frontendConfigs.*
  • container.horizontalPodAutoscalers.*
  • container.ingresses.*
  • container.initializerConfigurations.*
  • container.jobs.*
  • container.leases.*
  • container.limitRanges.*
  • container.localSubjectAccessReviews.*
  • container.managedCertificates.*
  • container.mutatingWebhookConfigurations.get
  • container.mutatingWebhookConfigurations.list
  • container.namespaces.*
  • container.networkPolicies.*
  • container.nodes.*
  • container.persistentVolumeClaims.*
  • container.persistentVolumes.*
  • container.petSets.*
  • container.podDisruptionBudgets.*
  • container.podPresets.*
  • container.podSecurityPolicies.get
  • container.podSecurityPolicies.list
  • container.podTemplates.*
  • container.pods.*
  • container.priorityClasses.*
  • container.replicaSets.*
  • container.replicationControllers.*
  • container.resourceQuotas.*
  • container.roleBindings.get
  • container.roleBindings.list
  • container.roles.get
  • container.roles.list
  • container.runtimeClasses.*
  • container.scheduledJobs.*
  • container.secrets.*
  • container.selfSubjectAccessReviews.*
  • container.selfSubjectRulesReviews.*
  • container.serviceAccounts.*
  • container.services.*
  • container.statefulSets.*
  • container.storageClasses.*
  • container.storageStates.*
  • container.storageVersionMigrations.*
  • container.subjectAccessReviews.*
  • container.thirdPartyObjects.*
  • container.thirdPartyResources.*
  • container.tokenReviews.*
  • container.updateInfos.*
  • container.validatingWebhookConfigurations.get
  • container.validatingWebhookConfigurations.list
  • container.volumeAttachments.*
  • container.volumeSnapshotClasses.*
  • container.volumeSnapshotContents.*
  • container.volumeSnapshots.*
  • resourcemanager.projects.get
  • resourcemanager.projects.list

Kubernetes Engine Host Service Agent User

roles/container.hostServiceAgentUser

Allows the Kubernetes Engine service account in the host project to configure shared network resources for cluster management. Also gives access to inspect the firewall rules in the host project.

  • compute.firewalls.get
  • container.hostServiceAgent.*
  • dns.networks.bindDNSResponsePolicy
  • dns.networks.bindPrivateDNSPolicy
  • dns.networks.bindPrivateDNSZone
  • dns.responsePolicies.*
  • dns.responsePolicyRules.*

Kubernetes Engine Viewer

roles/container.viewer

Provides read-only access to GKE resources.

  • container.apiServices.get
  • container.apiServices.getStatus
  • container.apiServices.list
  • container.auditSinks.get
  • container.auditSinks.list
  • container.backendConfigs.get
  • container.backendConfigs.list
  • container.bindings.get
  • container.bindings.list
  • container.certificateSigningRequests.get
  • container.certificateSigningRequests.getStatus
  • container.certificateSigningRequests.list
  • container.clusterRoleBindings.get
  • container.clusterRoleBindings.list
  • container.clusterRoles.get
  • container.clusterRoles.list
  • container.clusters.get
  • container.clusters.list
  • container.componentStatuses.*
  • container.configMaps.get
  • container.configMaps.list
  • container.controllerRevisions.get
  • container.controllerRevisions.list
  • container.cronJobs.get
  • container.cronJobs.getStatus
  • container.cronJobs.list
  • container.csiDrivers.get
  • container.csiDrivers.list
  • container.csiNodeInfos.get
  • container.csiNodeInfos.list
  • container.csiNodes.get
  • container.csiNodes.list
  • container.customResourceDefinitions.get
  • container.customResourceDefinitions.getStatus
  • container.customResourceDefinitions.list
  • container.daemonSets.get
  • container.daemonSets.getStatus
  • container.daemonSets.list
  • container.deployments.get
  • container.deployments.getScale
  • container.deployments.getStatus
  • container.deployments.list
  • container.endpointSlices.get
  • container.endpointSlices.list
  • container.endpoints.get
  • container.endpoints.list
  • container.events.get
  • container.events.list
  • container.frontendConfigs.get
  • container.frontendConfigs.list
  • container.horizontalPodAutoscalers.get
  • container.horizontalPodAutoscalers.getStatus
  • container.horizontalPodAutoscalers.list
  • container.ingresses.get
  • container.ingresses.getStatus
  • container.ingresses.list
  • container.initializerConfigurations.get
  • container.initializerConfigurations.list
  • container.jobs.get
  • container.jobs.getStatus
  • container.jobs.list
  • container.leases.get
  • container.leases.list
  • container.limitRanges.get
  • container.limitRanges.list
  • container.managedCertificates.get
  • container.managedCertificates.list
  • container.mutatingWebhookConfigurations.get
  • container.mutatingWebhookConfigurations.list
  • container.namespaces.get
  • container.namespaces.getStatus
  • container.namespaces.list
  • container.networkPolicies.get
  • container.networkPolicies.list
  • container.nodes.get
  • container.nodes.getStatus
  • container.nodes.list
  • container.operations.*
  • container.persistentVolumeClaims.get
  • container.persistentVolumeClaims.getStatus
  • container.persistentVolumeClaims.list
  • container.persistentVolumes.get
  • container.persistentVolumes.getStatus
  • container.persistentVolumes.list
  • container.petSets.get
  • container.petSets.list
  • container.podDisruptionBudgets.get
  • container.podDisruptionBudgets.getStatus
  • container.podDisruptionBudgets.list
  • container.podPresets.get
  • container.podPresets.list
  • container.podSecurityPolicies.get
  • container.podSecurityPolicies.list
  • container.podTemplates.get
  • container.podTemplates.list
  • container.pods.get
  • container.pods.getStatus
  • container.pods.list
  • container.priorityClasses.get
  • container.priorityClasses.list
  • container.replicaSets.get
  • container.replicaSets.getScale
  • container.replicaSets.getStatus
  • container.replicaSets.list
  • container.replicationControllers.get
  • container.replicationControllers.getScale
  • container.replicationControllers.getStatus
  • container.replicationControllers.list
  • container.resourceQuotas.get
  • container.resourceQuotas.getStatus
  • container.resourceQuotas.list
  • container.roleBindings.get
  • container.roleBindings.list
  • container.roles.get
  • container.roles.list
  • container.runtimeClasses.get
  • container.runtimeClasses.list
  • container.scheduledJobs.get
  • container.scheduledJobs.list
  • container.serviceAccounts.get
  • container.serviceAccounts.list
  • container.services.get
  • container.services.getStatus
  • container.services.list
  • container.statefulSets.get
  • container.statefulSets.getScale
  • container.statefulSets.getStatus
  • container.statefulSets.list
  • container.storageClasses.get
  • container.storageClasses.list
  • container.storageStates.get
  • container.storageStates.getStatus
  • container.storageStates.list
  • container.storageVersionMigrations.get
  • container.storageVersionMigrations.getStatus
  • container.storageVersionMigrations.list
  • container.thirdPartyObjects.get
  • container.thirdPartyObjects.list
  • container.thirdPartyResources.get
  • container.thirdPartyResources.list
  • container.tokenReviews.*
  • container.updateInfos.get
  • container.updateInfos.list
  • container.validatingWebhookConfigurations.get
  • container.validatingWebhookConfigurations.list
  • container.volumeAttachments.get
  • container.volumeAttachments.getStatus
  • container.volumeAttachments.list
  • container.volumeSnapshotClasses.get
  • container.volumeSnapshotClasses.list
  • container.volumeSnapshotContents.get
  • container.volumeSnapshotContents.getStatus
  • container.volumeSnapshotContents.list
  • container.volumeSnapshots.get
  • container.volumeSnapshots.list
  • resourcemanager.projects.get
  • resourcemanager.projects.list

Live Stream Editor

roles/livestream.editor

Full access to Live Stream resources.

  • livestream.*
  • resourcemanager.projects.get
  • resourcemanager.projects.list

Live Stream Viewer

roles/livestream.viewer

Read access to Live Stream resources.

  • livestream.channels.get
  • livestream.channels.list
  • livestream.events.get
  • livestream.events.list
  • livestream.inputs.get
  • livestream.inputs.list
  • livestream.locations.*
  • livestream.operations.get
  • livestream.operations.list
  • resourcemanager.projects.get
  • resourcemanager.projects.list

Logging Admin

roles/logging.admin

Provides all permissions necessary to use all features of Cloud Logging.

  • logging.buckets.copyLogEntries
  • logging.buckets.create
  • logging.buckets.delete
  • logging.buckets.get
  • logging.buckets.list
  • logging.buckets.undelete
  • logging.buckets.update
  • logging.cmekSettings.*
  • logging.exclusions.*
  • logging.fields.*
  • logging.locations.*
  • logging.logEntries.*
  • logging.logMetrics.*
  • logging.logServiceIndexes.*
  • logging.logServices.*
  • logging.logs.*
  • logging.notificationRules.*
  • logging.operations.*
  • logging.privateLogEntries.*
  • logging.queries.*
  • logging.sinks.*
  • logging.usage.*
  • logging.views.*
  • resourcemanager.projects.get
  • resourcemanager.projects.list

Logs Bucket Writer

roles/logging.bucketWriter

Ability to write logs to a log bucket.

  • logging.buckets.write

Logs Configuration Writer

roles/logging.configWriter

Provides permissions to read and write the configurations of logs-based metrics and sinks for exporting logs.

  • logging.buckets.create
  • logging.buckets.delete
  • logging.buckets.get
  • logging.buckets.list
  • logging.buckets.undelete
  • logging.buckets.update
  • logging.cmekSettings.*
  • logging.exclusions.*
  • logging.locations.*
  • logging.logMetrics.*
  • logging.logServiceIndexes.*
  • logging.logServices.*
  • logging.logs.list
  • logging.notificationRules.*
  • logging.operations.*
  • logging.sinks.*
  • logging.views.create
  • logging.views.delete
  • logging.views.get
  • logging.views.list
  • logging.views.update
  • resourcemanager.projects.get
  • resourcemanager.projects.list

Log Field Accessor

roles/logging.fieldAccessor

Ability to read restricted fields in a log bucket.

  • logging.fields.*

Logs Writer

roles/logging.logWriter

Provides the permissions to write log entries.

  • logging.logEntries.create

Private Logs Viewer

roles/logging.privateLogViewer

Provides the permissions of the Logs Viewer role and, in addition, read-only access to log entries in private logs.

  • logging.buckets.get
  • logging.buckets.list
  • logging.exclusions.get
  • logging.exclusions.list
  • logging.locations.*
  • logging.logEntries.list
  • logging.logMetrics.get
  • logging.logMetrics.list
  • logging.logServiceIndexes.*
  • logging.logServices.*
  • logging.logs.list
  • logging.privateLogEntries.*
  • logging.queries.create
  • logging.queries.delete
  • logging.queries.get
  • logging.queries.list
  • logging.queries.listShared
  • logging.queries.update
  • logging.sinks.get
  • logging.sinks.list
  • logging.usage.*
  • logging.views.access
  • logging.views.get
  • logging.views.list
  • resourcemanager.projects.get

Logs View Accessor

roles/logging.viewAccessor

Ability to read logs in a view.

  • logging.logEntries.download
  • logging.views.access
  • logging.views.listLogs
  • logging.views.listResourceKeys
  • logging.views.listResourceValues

Logs Viewer

roles/logging.viewer

Provides access to view logs.

  • logging.buckets.get
  • logging.buckets.list
  • logging.exclusions.get
  • logging.exclusions.list
  • logging.locations.*
  • logging.logEntries.list
  • logging.logMetrics.get
  • logging.logMetrics.list
  • logging.logServiceIndexes.*
  • logging.logServices.*
  • logging.logs.list
  • logging.operations.get
  • logging.operations.list
  • logging.queries.create
  • logging.queries.delete
  • logging.queries.get
  • logging.queries.list
  • logging.queries.listShared
  • logging.queries.update
  • logging.sinks.get
  • logging.sinks.list
  • logging.usage.*
  • logging.views.get
  • logging.views.list
  • resourcemanager.projects.get

Cloud Memorystore Memcached Admin

roles/memcache.admin

Full access to Memcached instances and related resources.

  • compute.networks.list
  • memcache.*
  • resourcemanager.projects.get
  • resourcemanager.projects.list

Cloud Memorystore Memcached Editor

roles/memcache.editor

Read-write access to Memcached instances and related resources.

  • memcache.instances.applyParameters
  • memcache.instances.get
  • memcache.instances.list
  • memcache.instances.update
  • memcache.instances.updateParameters
  • memcache.locations.*
  • memcache.operations.*
  • resourcemanager.projects.get
  • resourcemanager.projects.list

Cloud Memorystore Memcached Viewer

roles/memcache.viewer

Read-only access to Memcached instances and related resources.

  • memcache.instances.get
  • memcache.instances.list
  • memcache.locations.*
  • memcache.operations.get
  • memcache.operations.list
  • resourcemanager.projects.get
  • resourcemanager.projects.list

Cloud Memorystore Redis Admin

roles/redis.admin

Full control for all Memorystore for Redis resources.

  • compute.networks.list
  • redis.*
  • resourcemanager.projects.get
  • resourcemanager.projects.list
  • serviceusage.services.use

Cloud Memorystore Redis Editor

roles/redis.editor

Manage Memorystore for Redis instances. Can't create or delete instances.

  • compute.networks.list
  • redis.instances.failover
  • redis.instances.get
  • redis.instances.list
  • redis.instances.update
  • redis.locations.*
  • redis.operations.*
  • resourcemanager.projects.get
  • resourcemanager.projects.list
  • serviceusage.services.use

Cloud Memorystore Redis Viewer

roles/redis.viewer

Read-only access to all Memorystore for Redis resources.

  • redis.instances.get
  • redis.instances.list
  • redis.locations.*
  • redis.operations.get
  • redis.operations.list
  • resourcemanager.projects.get
  • resourcemanager.projects.list
  • serviceusage.services.use

Monitoring Admin

roles/monitoring.admin

Provides the same access as the Monitoring Editor role (roles/monitoring.editor).

  • cloudnotifications.*
  • monitoring.*
  • opsconfigmonitoring.*
  • resourcemanager.projects.get
  • resourcemanager.projects.list
  • serviceusage.services.enable
  • stackdriver.*

Monitoring AlertPolicy Editor

roles/monitoring.alertPolicyEditor

Read/write access to alerting policies.

  • monitoring.alertPolicies.*

Monitoring AlertPolicy Viewer

roles/monitoring.alertPolicyViewer

Read-only access to alerting policies.

  • monitoring.alertPolicies.get
  • monitoring.alertPolicies.list

Monitoring Dashboard Configuration Editor

roles/monitoring.dashboardEditor

Read/write access to dashboard configurations.

  • monitoring.dashboards.*

Monitoring Dashboard Configuration Viewer

roles/monitoring.dashboardViewer

Read-only access to dashboard configurations.

  • monitoring.dashboards.get
  • monitoring.dashboards.list

Monitoring Editor

roles/monitoring.editor

Provides full access to information about all monitoring data and configurations.

  • cloudnotifications.*
  • monitoring.alertPolicies.*
  • monitoring.dashboards.*
  • monitoring.groups.*
  • monitoring.metricDescriptors.*
  • monitoring.monitoredResourceDescriptors.*
  • monitoring.notificationChannelDescriptors.*
  • monitoring.notificationChannels.create
  • monitoring.notificationChannels.delete
  • monitoring.notificationChannels.get
  • monitoring.notificationChannels.list
  • monitoring.notificationChannels.sendVerificationCode
  • monitoring.notificationChannels.update
  • monitoring.notificationChannels.verify
  • monitoring.publicWidgets.*
  • monitoring.services.*
  • monitoring.slos.*
  • monitoring.timeSeries.*
  • monitoring.uptimeCheckConfigs.*
  • opsconfigmonitoring.*
  • resourcemanager.projects.get
  • resourcemanager.projects.list
  • serviceusage.services.enable
  • stackdriver.*

Monitoring Metric Writer

roles/monitoring.metricWriter

Provides write-only access to metrics. This provides exactly the permissions needed by the Cloud Monitoring agent and other systems that send metrics.

  • monitoring.metricDescriptors.create
  • monitoring.metricDescriptors.get
  • monitoring.metricDescriptors.list
  • monitoring.monitoredResourceDescriptors.*
  • monitoring.timeSeries.create

Monitoring Metrics Scopes Admin

roles/monitoring.metricsScopesAdmin

Access to add and remove monitored projects from metrics scopes.

  • monitoring.metricsScopes.*
  • resourcemanager.projects.get
  • resourcemanager.projects.list

Monitoring Metrics Scopes Viewer

roles/monitoring.metricsScopesViewer

Read-only access to metrics scopes and their monitored projects.

  • resourcemanager.projects.get
  • resourcemanager.projects.list

Monitoring NotificationChannel Editor

roles/monitoring.notificationChannelEditor

Read/write access to notification channels.

  • monitoring.notificationChannelDescriptors.*
  • monitoring.notificationChannels.create
  • monitoring.notificationChannels.delete
  • monitoring.notificationChannels.get
  • monitoring.notificationChannels.list
  • monitoring.notificationChannels.sendVerificationCode
  • monitoring.notificationChannels.update
  • monitoring.notificationChannels.verify

Monitoring NotificationChannel Viewer

roles/monitoring.notificationChannelViewer

Read-only access to notification channels.

  • monitoring.notificationChannelDescriptors.*
  • monitoring.notificationChannels.get
  • monitoring.notificationChannels.list

Monitoring Services Editor

roles/monitoring.servicesEditor

Read/write access to services.

  • monitoring.services.*
  • monitoring.slos.*

Monitoring Services Viewer

roles/monitoring.servicesViewer

Read-only access to services.

  • monitoring.services.get
  • monitoring.services.list
  • monitoring.slos.get
  • monitoring.slos.list

Monitoring Uptime Check Configuration Editor

roles/monitoring.uptimeCheckConfigEditor

Read/write access to uptime check configurations.

  • monitoring.uptimeCheckConfigs.*

Monitoring Uptime Check Configuration Viewer

roles/monitoring.uptimeCheckConfigViewer

Read-only access to uptime check configurations.

  • monitoring.uptimeCheckConfigs.get
  • monitoring.uptimeCheckConfigs.list

Monitoring Viewer

roles/monitoring.viewer

Provides read-only access to get and list information about all monitoring data and configurations.

  • cloudnotifications.*
  • monitoring.alertPolicies.get
  • monitoring.alertPolicies.list
  • monitoring.dashboards.get
  • monitoring.dashboards.list
  • monitoring.groups.get
  • monitoring.groups.list
  • monitoring.metricDescriptors.get
  • monitoring.metricDescriptors.list
  • monitoring.monitoredResourceDescriptors.*
  • monitoring.notificationChannelDescriptors.*
  • monitoring.notificationChannels.get
  • monitoring.notificationChannels.list
  • monitoring.publicWidgets.get
  • monitoring.publicWidgets.list
  • monitoring.services.get
  • monitoring.services.list
  • monitoring.slos.get
  • monitoring.slos.list
  • monitoring.timeSeries.list
  • monitoring.uptimeCheckConfigs.get
  • monitoring.uptimeCheckConfigs.list
  • opsconfigmonitoring.resourceMetadata.list
  • resourcemanager.projects.get
  • resourcemanager.projects.list
  • stackdriver.projects.get

Hub & Spoke Admin

roles/networkconnectivity.hubAdmin

Enables full access to hub and spoke resources.

  • networkconnectivity.*
  • resourcemanager.projects.get
  • resourcemanager.projects.list

Hub & Spoke Viewer

roles/networkconnectivity.hubViewer

Enables read-only access to hub and spoke resources.

  • networkconnectivity.hubs.get
  • networkconnectivity.hubs.getIamPolicy
  • networkconnectivity.hubs.list
  • networkconnectivity.locations.*
  • networkconnectivity.spokes.get
  • networkconnectivity.spokes.getIamPolicy
  • networkconnectivity.spokes.list
  • resourcemanager.projects.get
  • resourcemanager.projects.list

Spoke Admin

roles/networkconnectivity.spokeAdmin

Enables full access to spoke resources and read-only access to hub resources.

  • networkconnectivity.hubs.get
  • networkconnectivity.hubs.getIamPolicy
  • networkconnectivity.hubs.list
  • networkconnectivity.locations.*
  • networkconnectivity.spokes.*
  • resourcemanager.projects.get
  • resourcemanager.projects.list

Network Management Admin

roles/networkmanagement.admin

Full access to Network Management resources.

  • networkmanagement.*
  • resourcemanager.projects.get
  • resourcemanager.projects.list

Network Management Viewer

roles/networkmanagement.viewer

Read-only access to Network Management resources.

  • networkmanagement.connectivitytests.get
  • networkmanagement.connectivitytests.getIamPolicy
  • networkmanagement.connectivitytests.list
  • networkmanagement.locations.*
  • networkmanagement.operations.*
  • resourcemanager.projects.get
  • resourcemanager.projects.list

On-Demand Scanning Admin

roles/ondemandscanning.admin

All permissions for On-Demand Scanning

  • ondemandscanning.*

Ops Config Monitoring Resource Metadata Viewer

roles/opsconfigmonitoring.resourceMetadata.viewer

Read-only access to resource metadata.

  • opsconfigmonitoring.resourceMetadata.list

Ops Config Monitoring Resource Metadata Writer

roles/opsconfigmonitoring.resourceMetadata.writer

Write-only access to resource metadata. This provides exactly the permissions needed by the Ops Config Monitoring metadata agent and other systems that send metadata.

  • opsconfigmonitoring.resourceMetadata.write

Access Transparency Admin

roles/axt.admin

Enable Access Transparency for Organization

  • axt.*
  • resourcemanager.organizations.get
  • resourcemanager.projects.get
  • resourcemanager.projects.list

Organization Policy Administrator

roles/orgpolicy.policyAdmin

Provides access to define what restrictions an organization wants to place on the configuration of cloud resources by setting Organization Policies.

  • orgpolicy.*

Organization Policy Viewer

roles/orgpolicy.policyViewer

Provides access to view Organization Policies on resources.

  • orgpolicy.constraints.*
  • orgpolicy.policies.list
  • orgpolicy.policy.get

Autoscaling Metrics Writer

roles/autoscaling.metricsWriter

Access to write metrics for autoscaling site

  • autoscaling.sites.writeMetrics

Autoscaling Recommendations Reader

roles/autoscaling.recommendationsReader

Access to read recommendations from autoscaling site

  • autoscaling.sites.readRecommendations

Autoscaling Site Admin

roles/autoscaling.sitesAdmin

Full access to all autoscaling site features

  • autoscaling.*
  • resourcemanager.projects.get
  • resourcemanager.projects.list

Autoscaling State Writer

roles/autoscaling.stateWriter

Access to write state for autoscaling site

  • autoscaling.sites.writeState

Bare Metal Solution Admin

roles/baremetalsolution.admin

Administrator of Bare Metal Solution resources

  • baremetalsolution.*
  • resourcemanager.projects.get
  • resourcemanager.projects.list

Bare Metal Solution Editor

roles/baremetalsolution.editor

Editor of Bare Metal Solution resources

  • baremetalsolution.*
  • resourcemanager.projects.get
  • resourcemanager.projects.list

Bare Metal Solution Instances Admin

roles/baremetalsolution.instancesadmin

Admin of Bare Metal Solution Instance resources

  • baremetalsolution.*
  • resourcemanager.projects.get
  • resourcemanager.projects.list

Bare Metal Solution Instances Viewer

roles/baremetalsolution.instancesviewer

Viewer of Bare Metal Solution Instance resources

  • baremetalsolution.instances.get
  • baremetalsolution.instances.list
  • resourcemanager.projects.get
  • resourcemanager.projects.list

Bare Metal Solution Viewer

roles/baremetalsolution.viewer

Viewer of Bare Metal Solution resources

  • baremetalsolution.instances.get
  • baremetalsolution.instances.list
  • resourcemanager.projects.get
  • resourcemanager.projects.list

Chronicle Service Admin

roles/chroniclesm.admin

Admins can view and modify Chronicle service details.

  • chroniclesm.*

Chronicle Service Viewer

roles/chroniclesm.viewer

Viewers can see Chronicle service details but not change them.

  • chroniclesm.gcpAssociations.get
  • chroniclesm.gcpSettings.get

Contact Center AI Insights editor

roles/contactcenterinsights.editor

Grants read and write access to all Contact Center AI Insights resources.

  • contactcenterinsights.*

Contact Center AI Insights viewer

roles/contactcenterinsights.viewer

Grants read access to all Contact Center AI Insights resources.

  • contactcenterinsights.analyses.get
  • contactcenterinsights.analyses.list
  • contactcenterinsights.conversations.get
  • contactcenterinsights.conversations.list
  • contactcenterinsights.issueModels.get
  • contactcenterinsights.issueModels.list
  • contactcenterinsights.issues.get
  • contactcenterinsights.issues.list
  • contactcenterinsights.operations.*
  • contactcenterinsights.phraseMatchers.get
  • contactcenterinsights.phraseMatchers.list
  • contactcenterinsights.settings.get

Data Processing Controls Resource Admin

roles/dataprocessing.admin

Data processing controls admin who can fully manage data processing controls settings and view all datasource data.

  • billing.accounts.get
  • billing.accounts.list
  • dataprocessing.*

Early Access Center Administrator

roles/earlyaccesscenter.admin

Grants full access to the Early Access Center, including access to all DATA_READ and DATA_WRITE permissions and the ability to enroll into Early Access Campaigns.

  • earlyaccesscenter.*

Early Access Center Viewer

roles/earlyaccesscenter.viewer

Grants view access to the Early Access Center, including access to all DATA_READ but no DATA_WRITE permissions.

  • earlyaccesscenter.campaigns.get
  • earlyaccesscenter.campaigns.list
  • earlyaccesscenter.customerAllowlists.*

Essential Contacts Admin

roles/essentialcontacts.admin

Full access to all essential contacts

  • essentialcontacts.*

Essential Contacts Viewer

roles/essentialcontacts.viewer

Viewer for all essential contacts

  • essentialcontacts.contacts.get
  • essentialcontacts.contacts.list

Firebase Crash Symbol Uploader

roles/firebasecrash.symbolMappingsAdmin

Full read/write access to symbol mapping file resources for Firebase Crash Reporting.

  • firebase.clients.get
  • firebase.clients.list
  • resourcemanager.projects.get

Identity Platform Admin

roles/identityplatform.admin

Full access to Identity Platform resources.

  • firebaseauth.*

Identity Platform Viewer

roles/identityplatform.viewer

Read access to Identity Platform resources.

  • firebaseauth.configs.get
  • firebaseauth.users.get

Identity Toolkit Admin

roles/identitytoolkit.admin

Full access to Identity Toolkit resources.

  • firebaseauth.*

Identity Toolkit Viewer

roles/identitytoolkit.viewer

Read access to Identity Toolkit resources.

  • firebaseauth.configs.get
  • firebaseauth.users.get

Apigee Integration Admin

roles/integrations.apigeeIntegrationAdminRole

A user that has full access to all Apigee integrations.

  • integrations.apigeeAuthConfigs.*
  • integrations.apigeeCertificates.*
  • integrations.apigeeExecutions.*
  • integrations.apigeeIntegrationVers.*
  • integrations.apigeeIntegrations.*
  • integrations.apigeeSfdcChannels.*
  • integrations.apigeeSfdcInstances.*
  • integrations.apigeeSuspensions.*
  • resourcemanager.projects.get
  • resourcemanager.projects.list

Apigee Integration Deployer

roles/integrations.apigeeIntegrationDeployerRole

A developer that can deploy/undeploy Apigee integrations to the integration runtime.

  • integrations.apigeeIntegrationVers.deploy
  • integrations.apigeeIntegrationVers.get
  • integrations.apigeeIntegrationVers.list
  • integrations.apigeeIntegrations.list
  • resourcemanager.projects.get
  • resourcemanager.projects.list

Apigee Integration Editor

roles/integrations.apigeeIntegrationEditorRole

A developer that can list, create and update Apigee integrations.

  • integrations.apigeeAuthConfigs.create
  • integrations.apigeeAuthConfigs.get
  • integrations.apigeeAuthConfigs.list
  • integrations.apigeeAuthConfigs.update
  • integrations.apigeeCertificates.create
  • integrations.apigeeCertificates.get
  • integrations.apigeeCertificates.list
  • integrations.apigeeCertificates.update
  • integrations.apigeeExecutions.*
  • integrations.apigeeIntegrationVers.*
  • integrations.apigeeIntegrations.*
  • integrations.apigeeSfdcChannels.create
  • integrations.apigeeSfdcChannels.get
  • integrations.apigeeSfdcChannels.list
  • integrations.apigeeSfdcChannels.update
  • integrations.apigeeSfdcInstances.create
  • integrations.apigeeSfdcInstances.get
  • integrations.apigeeSfdcInstances.list
  • integrations.apigeeSfdcInstances.update
  • resourcemanager.projects.get
  • resourcemanager.projects.list

Apigee Integration Invoker

roles/integrations.apigeeIntegrationInvokerRole

A role that can invoke Apigee integrations.

  • integrations.apigeeExecutions.*
  • integrations.apigeeIntegrationVers.get
  • integrations.apigeeIntegrationVers.list
  • integrations.apigeeIntegrations.*
  • resourcemanager.projects.get
  • resourcemanager.projects.list

Apigee Integration Viewer

roles/integrations.apigeeIntegrationsViewer

A developer that can list and view Apigee integrations.

  • integrations.apigeeAuthConfigs.list
  • integrations.apigeeCertificates.list
  • integrations.apigeeIntegrationVers.get
  • integrations.apigeeIntegrationVers.list
  • integrations.apigeeIntegrations.list
  • integrations.apigeeSfdcChannels.list
  • integrations.apigeeSfdcInstances.list
  • resourcemanager.projects.get
  • resourcemanager.projects.list

Apigee Integration Approver

roles/integrations.apigeeSuspensionResolver

A role that can approve / reject Apigee integrations that contain a suspension/wait task.

  • integrations.apigeeSuspensions.*
  • resourcemanager.projects.get
  • resourcemanager.projects.list

Security Integration Admin

roles/integrations.securityIntegrationAdmin

A user that has full access to all Security integrations.

  • integrations.securityAuthConfigs.*
  • integrations.securityExecutions.*
  • integrations.securityIntegTempVers.*
  • integrations.securityIntegrationVers.*
  • integrations.securityIntegrations.*

OAuth Config Editor

roles/oauthconfig.editor

Read/write access to OAuth config resources

  • clientauthconfig.*
  • oauthconfig.*

OAuth Config Viewer

roles/oauthconfig.viewer

Read-only access to OAuth config resources

  • clientauthconfig.brands.get
  • clientauthconfig.brands.list
  • clientauthconfig.clients.get
  • clientauthconfig.clients.list
  • oauthconfig.clientpolicy.*
  • oauthconfig.testusers.get
  • oauthconfig.verification.get

Payments Reseller Admin

roles/paymentsresellersubscription.partnerAdmin

Full access to all Payments Reseller resources, including subscriptions, products and promotions

  • paymentsresellersubscription.*
  • resourcemanager.projects.get
  • resourcemanager.projects.list

Payments Reseller Viewer

roles/paymentsresellersubscription.partnerViewer

Read access to all Payments Reseller resources, including subscriptions, products and promotions

  • paymentsresellersubscription.products.*
  • paymentsresellersubscription.promotions.*
  • paymentsresellersubscription.subscriptions.get
  • resourcemanager.projects.get
  • resourcemanager.projects.list

Payments Reseller Products Viewer

roles/paymentsresellersubscription.productViewer

Read access to Payments Reseller Product resource

  • paymentsresellersubscription.products.*
  • resourcemanager.projects.get
  • resourcemanager.projects.list

Payments Reseller Promotions Viewer

roles/paymentsresellersubscription.promotionViewer

Read access to Payments Reseller Promotion resource

  • paymentsresellersubscription.promotions.*
  • resourcemanager.projects.get
  • resourcemanager.projects.list

Payments Reseller Subscriptions Editor

roles/paymentsresellersubscription.subscriptionEditor

Write access to Payments Reseller Subscription resource

  • paymentsresellersubscription.subscriptions.*
  • resourcemanager.projects.get
  • resourcemanager.projects.list

Payments Reseller Subscriptions Viewer

roles/paymentsresellersubscription.subscriptionViewer

Read access to Payments Reseller Subscription resource

  • paymentsresellersubscription.subscriptions.get
  • resourcemanager.projects.get
  • resourcemanager.projects.list

Activity Analysis Viewer

roles/policyanalyzer.activityAnalysisViewer

Viewer user that can read all activity analysis.

  • policyanalyzer.*

Simulator Admin

roles/policysimulator.admin

Admin user that can run and access replays.

  • policysimulator.*

Recommendations Exporter

roles/recommender.exporter

Exporter of Recommendations

  • recommender.resources.*

Remote Build Execution Action Cache Writer

roles/remotebuildexecution.actionCacheWriter

Remote Build Execution Action Cache Writer

  • remotebuildexecution.actions.set
  • remotebuildexecution.blobs.create

Remote Build Execution Artifact Admin

roles/remotebuildexecution.artifactAdmin

Remote Build Execution Artifact Admin

  • remotebuildexecution.actions.create
  • remotebuildexecution.actions.delete
  • remotebuildexecution.actions.get
  • remotebuildexecution.blobs.*
  • remotebuildexecution.logstreams.*

Remote Build Execution Artifact Creator

roles/remotebuildexecution.artifactCreator

Remote Build Execution Artifact Creator

  • remotebuildexecution.actions.create
  • remotebuildexecution.actions.get
  • remotebuildexecution.blobs.*
  • remotebuildexecution.logstreams.*

Remote Build Execution Artifact Viewer

roles/remotebuildexecution.artifactViewer

Remote Build Execution Artifact Viewer

  • remotebuildexecution.actions.get
  • remotebuildexecution.blobs.get
  • remotebuildexecution.logstreams.get

Remote Build Execution Configuration Admin

roles/remotebuildexecution.configurationAdmin

Remote Build Execution Configuration Admin

  • remotebuildexecution.instances.*
  • remotebuildexecution.workerpools.*

Remote Build Execution Configuration Viewer

roles/remotebuildexecution.configurationViewer

Remote Build Execution Configuration Viewer

  • remotebuildexecution.instances.get
  • remotebuildexecution.instances.list
  • remotebuildexecution.workerpools.get
  • remotebuildexecution.workerpools.list

Remote Build Execution Logstream Writer

roles/remotebuildexecution.logstreamWriter

Remote Build Execution Logstream Writer

  • remotebuildexecution.logstreams.create
  • remotebuildexecution.logstreams.update

Remote Build Execution Reservation Admin

roles/remotebuildexecution.reservationAdmin

Remote Build Execution Reservation Admin

  • remotebuildexecution.actions.create
  • remotebuildexecution.actions.delete
  • remotebuildexecution.actions.get

Remote Build Execution Worker

roles/remotebuildexecution.worker

Remote Build Execution Worker

  • remotebuildexecution.actions.update
  • remotebuildexecution.blobs.*
  • remotebuildexecution.botsessions.*
  • remotebuildexecution.logstreams.create
  • remotebuildexecution.logstreams.update

Retail Admin

roles/retail.admin

Full access to Retail API resources.

  • automlrecommendations.apiKeys.create
  • automlrecommendations.apiKeys.delete
  • automlrecommendations.catalogItems.*
  • automlrecommendations.catalogs.*
  • automlrecommendations.eventStores.*
  • automlrecommendations.events.*
  • automlrecommendations.placements.*
  • automlrecommendations.recommendations.*
  • retail.*

Retail Editor

roles/retail.editor

Full access to Retail API resources except purge, rejoin, and setSponsorship.

  • automlrecommendations.apiKeys.create
  • automlrecommendations.apiKeys.delete
  • automlrecommendations.catalogItems.*
  • automlrecommendations.catalogs.*
  • automlrecommendations.eventStores.*
  • automlrecommendations.events.create
  • automlrecommendations.events.list
  • automlrecommendations.placements.*
  • automlrecommendations.recommendations.*
  • retail.catalogs.*
  • retail.operations.*
  • retail.placements.*
  • retail.products.create
  • retail.products.delete
  • retail.products.export
  • retail.products.get
  • retail.products.import
  • retail.products.list
  • retail.products.update
  • retail.userEvents.create
  • retail.userEvents.import

Retail Viewer

roles/retail.viewer

Grants access to read all resources in Retail.

  • automlrecommendations.catalogItems.get
  • automlrecommendations.catalogItems.list
  • automlrecommendations.catalogs.getStats
  • automlrecommendations.catalogs.list
  • automlrecommendations.eventStores.*
  • automlrecommendations.events.list
  • automlrecommendations.placements.getStats
  • automlrecommendations.placements.list
  • automlrecommendations.recommendations.list
  • retail.catalogs.completeQuery
  • retail.catalogs.list
  • retail.operations.*
  • retail.placements.*
  • retail.products.export
  • retail.products.get
  • retail.products.list

Cloud RuntimeConfig Admin

roles/runtimeconfig.admin

Full access to RuntimeConfig resources.

  • runtimeconfig.*

Cloud Speech Administrator

roles/speech.admin

Grants full access to all resources in Speech-to-text

  • speech.*

Cloud Speech Client

roles/speech.client

Grants access to the recognition APIs.

  • speech.adaptations.*

Cloud Speech Editor

roles/speech.editor

Grants access to edit resources in Speech-to-text

  • speech.*

Subscribe with Google Developer

roles/subscribewithgoogledeveloper.developer

Access DevTools for Subscribe with Google

  • resourcemanager.projects.get
  • resourcemanager.projects.list
  • subscribewithgoogledeveloper.*

Traffic Director Client

roles/trafficdirector.client

Fetch service configurations and report metrics.

  • trafficdirector.*

Translation Hub Admin

roles/translationhub.admin

Admin of Translation Hub

  • automl.models.get
  • automl.models.list
  • automl.models.predict
  • cloudtranslate.glossaries.create
  • cloudtranslate.glossaries.delete
  • cloudtranslate.glossaries.get
  • cloudtranslate.glossaries.list
  • cloudtranslate.glossaries.predict
  • resourcemanager.projects.get
  • resourcemanager.projects.list
  • translationhub.*

Translation Hub Portal User

roles/translationhub.portalUser

Portal user of Translation Hub

  • automl.models.get
  • automl.models.list
  • automl.models.predict
  • cloudtranslate.glossaries.get
  • cloudtranslate.glossaries.list
  • cloudtranslate.glossaries.predict
  • resourcemanager.projects.get
  • resourcemanager.projects.list
  • translationhub.portals.get
  • translationhub.portals.list

Visual Inspection AI Solution Editor

roles/visualinspection.editor

Read and write access to all Visual Inspection AI resources except visualinspection.locations.reportUsageMetrics

  • visualinspection.annotationSets.*
  • visualinspection.annotationSpecs.*
  • visualinspection.annotations.*
  • visualinspection.datasets.*
  • visualinspection.images.*
  • visualinspection.locations.get
  • visualinspection.locations.list
  • visualinspection.modelEvaluations.*
  • visualinspection.models.*
  • visualinspection.modules.*
  • visualinspection.operations.*
  • visualinspection.solutionArtifacts.*
  • visualinspection.solutions.*

Visual Inspection AI Usage Metrics Reporter

roles/visualinspection.usageMetricsReporter

ReportUsageMetric access to Visual Inspection AI Service

  • visualinspection.locations.reportUsageMetrics

Visual Inspection AI Viewer

roles/visualinspection.viewer

Read access to Visual Inspection AI resources

  • visualinspection.annotationSets.get
  • visualinspection.annotationSets.list
  • visualinspection.annotationSpecs.get
  • visualinspection.annotationSpecs.list
  • visualinspection.annotations.get
  • visualinspection.annotations.list
  • visualinspection.datasets.export
  • visualinspection.datasets.get
  • visualinspection.datasets.list
  • visualinspection.images.get
  • visualinspection.images.list
  • visualinspection.locations.get
  • visualinspection.locations.list
  • visualinspection.modelEvaluations.*
  • visualinspection.models.get
  • visualinspection.models.list
  • visualinspection.modules.get
  • visualinspection.modules.list
  • visualinspection.operations.*
  • visualinspection.solutionArtifacts.get
  • visualinspection.solutionArtifacts.list
  • visualinspection.solutionArtifacts.predict
  • visualinspection.solutions.get
  • visualinspection.solutions.list

Browser

roles/browser

Read access to browse the hierarchy for a project, including the folder, organization, and IAM policy. This role doesn't include permission to view resources in the project.

  • resourcemanager.folders.get
  • resourcemanager.folders.list
  • resourcemanager.organizations.get
  • resourcemanager.projects.get
  • resourcemanager.projects.getIamPolicy
  • resourcemanager.projects.list

Beacon Attachment Editor

roles/proximitybeacon.attachmentEditor

Can create and delete attachments; can list and get a project's beacons; can list a project's namespaces.

  • proximitybeacon.attachments.*
  • proximitybeacon.beacons.get
  • proximitybeacon.beacons.list
  • proximitybeacon.namespaces.list
  • resourcemanager.projects.get
  • resourcemanager.projects.list

Beacon Attachment Publisher

roles/proximitybeacon.attachmentPublisher

Grants necessary permissions to use beacons to create attachments in namespaces not owned by this project.

  • proximitybeacon.beacons.attach
  • proximitybeacon.beacons.get
  • proximitybeacon.beacons.list
  • resourcemanager.projects.get
  • resourcemanager.projects.list

Beacon Attachment Viewer

roles/proximitybeacon.attachmentViewer

Can view all attachments under a namespace; no beacon or namespace permissions.

  • proximitybeacon.attachments.get
  • proximitybeacon.attachments.list
  • resourcemanager.projects.get
  • resourcemanager.projects.list

Beacon Editor

roles/proximitybeacon.beaconEditor

Necessary access to register, modify, and view beacons; no attachment or namespace permissions.

  • proximitybeacon.beacons.create
  • proximitybeacon.beacons.get
  • proximitybeacon.beacons.list
  • proximitybeacon.beacons.update
  • resourcemanager.projects.get
  • resourcemanager.projects.list

Pub/Sub Admin

roles/pubsub.admin

Provides full access to topics and subscriptions.

  • pubsub.*
  • resourcemanager.projects.get
  • serviceusage.quotas.get
  • serviceusage.services.get
  • serviceusage.services.list

Pub/Sub Editor

roles/pubsub.editor

Provides access to modify topics and subscriptions, and access to publish and consume messages.

  • pubsub.schemas.attach
  • pubsub.schemas.create
  • pubsub.schemas.delete
  • pubsub.schemas.get
  • pubsub.schemas.list
  • pubsub.schemas.validate
  • pubsub.snapshots.create
  • pubsub.snapshots.delete
  • pubsub.snapshots.get
  • pubsub.snapshots.list
  • pubsub.snapshots.seek
  • pubsub.snapshots.update
  • pubsub.subscriptions.consume
  • pubsub.subscriptions.create
  • pubsub.subscriptions.delete
  • pubsub.subscriptions.get
  • pubsub.subscriptions.list
  • pubsub.subscriptions.update
  • pubsub.topics.attachSubscription
  • pubsub.topics.create
  • pubsub.topics.delete
  • pubsub.topics.detachSubscription
  • pubsub.topics.get
  • pubsub.topics.list
  • pubsub.topics.publish
  • pubsub.topics.update
  • pubsub.topics.updateTag
  • resourcemanager.projects.get
  • serviceusage.quotas.get
  • serviceusage.services.get
  • serviceusage.services.list

Pub/Sub Publisher

roles/pubsub.publisher

Provides access to publish messages to a topic.

  • pubsub.topics.publish

Pub/Sub Subscriber

roles/pubsub.subscriber

Provides access to consume messages from a subscription and to attach subscriptions to a topic.

  • pubsub.snapshots.seek
  • pubsub.subscriptions.consume
  • pubsub.topics.attachSubscription

Pub/Sub Viewer

roles/pubsub.viewer

Provides access to view topics and subscriptions.

  • pubsub.schemas.get
  • pubsub.schemas.list
  • pubsub.schemas.validate
  • pubsub.snapshots.get
  • pubsub.snapshots.list
  • pubsub.subscriptions.get
  • pubsub.subscriptions.list
  • pubsub.topics.get
  • pubsub.topics.list
  • resourcemanager.projects.get
  • serviceusage.quotas.get
  • serviceusage.services.get
  • serviceusage.services.list

Pub/Sub Lite Admin

roles/pubsublite.admin

Full access to topics, subscriptions and reservations.

  • pubsublite.*

Pub/Sub Lite Editor

roles/pubsublite.editor

Modify topics, subscriptions and reservations, publish and consume messages.

  • pubsublite.*

Pub/Sub Lite Publisher

roles/pubsublite.publisher

Publish messages to a topic.

  • pubsublite.topics.getPartitions
  • pubsublite.topics.publish

Pub/Sub Lite Subscriber

roles/pubsublite.subscriber

Subscribe to and read messages from a topic.

  • pubsublite.operations.get
  • pubsublite.subscriptions.getCursor
  • pubsublite.subscriptions.seek
  • pubsublite.subscriptions.setCursor
  • pubsublite.subscriptions.subscribe
  • pubsublite.topics.computeHeadCursor
  • pubsublite.topics.computeMessageStats
  • pubsublite.topics.computeTimeCursor
  • pubsublite.topics.getPartitions
  • pubsublite.topics.subscribe

Pub/Sub Lite Viewer

roles/pubsublite.viewer

View topics, subscriptions and reservations.

  • pubsublite.operations.*
  • pubsublite.reservations.get
  • pubsublite.reservations.list
  • pubsublite.reservations.listTopics
  • pubsublite.subscriptions.get
  • pubsublite.subscriptions.getCursor
  • pubsublite.subscriptions.list
  • pubsublite.topics.get
  • pubsublite.topics.getPartitions
  • pubsublite.topics.list
  • pubsublite.topics.listSubscriptions

reCAPTCHA Enterprise Admin

roles/recaptchaenterprise.admin

Access to view and modify reCAPTCHA Enterprise keys

  • monitoring.timeSeries.list
  • recaptchaenterprise.keys.*
  • recaptchaenterprise.metrics.*
  • recaptchaenterprise.projectmetadata.*
  • resourcemanager.projects.get
  • resourcemanager.projects.list

reCAPTCHA Enterprise Agent

roles/recaptchaenterprise.agent

Access to create and annotate reCAPTCHA Enterprise assessments

  • recaptchaenterprise.assessments.*
  • resourcemanager.projects.get
  • resourcemanager.projects.list

reCAPTCHA Enterprise Viewer

roles/recaptchaenterprise.viewer

Access to view reCAPTCHA Enterprise keys and metrics

  • monitoring.timeSeries.list
  • recaptchaenterprise.keys.get
  • recaptchaenterprise.keys.list
  • recaptchaenterprise.metrics.*
  • recaptchaenterprise.projectmetadata.*
  • resourcemanager.projects.get
  • resourcemanager.projects.list

Recommendations AI Admin

roles/automlrecommendations.admin

Full access to all Recommendations AI resources.

  • automlrecommendations.*
  • resourcemanager.projects.get
  • resourcemanager.projects.list
  • retail.catalogs.list
  • retail.catalogs.update
  • retail.operations.*
  • retail.placements.*
  • retail.products.create
  • retail.products.delete
  • retail.products.export
  • retail.products.get
  • retail.products.import
  • retail.products.list
  • retail.products.update
  • retail.userEvents.*
  • serviceusage.services.get
  • serviceusage.services.list

Recommendations AI Admin Viewer

roles/automlrecommendations.adminViewer

Viewer of all Recommendations AI resources.

  • automlrecommendations.apiKeys.list
  • automlrecommendations.catalogItems.get
  • automlrecommendations.catalogItems.list
  • automlrecommendations.catalogs.getStats
  • automlrecommendations.catalogs.list
  • automlrecommendations.eventStores.*
  • automlrecommendations.events.list
  • automlrecommendations.placements.getStats
  • automlrecommendations.placements.list
  • automlrecommendations.recommendations.list
  • resourcemanager.projects.get
  • resourcemanager.projects.list
  • retail.catalogs.list
  • retail.operations.*
  • retail.placements.*
  • retail.products.export
  • retail.products.get
  • retail.products.list
  • serviceusage.services.get
  • serviceusage.services.list

Recommendations AI Editor

roles/automlrecommendations.editor

Editor of all Recommendations AI resources.

  • automlrecommendations.apiKeys.create
  • automlrecommendations.apiKeys.list
  • automlrecommendations.catalogItems.*
  • automlrecommendations.catalogs.getStats
  • automlrecommendations.catalogs.list
  • automlrecommendations.eventStores.*
  • automlrecommendations.events.create
  • automlrecommendations.events.list
  • automlrecommendations.placements.create
  • automlrecommendations.placements.getStats
  • automlrecommendations.placements.list
  • automlrecommendations.recommendations.create
  • automlrecommendations.recommendations.list
  • automlrecommendations.recommendations.pause
  • automlrecommendations.recommendations.resume
  • automlrecommendations.recommendations.update
  • resourcemanager.projects.get
  • resourcemanager.projects.list
  • retail.catalogs.list
  • retail.catalogs.update
  • retail.operations.*
  • retail.placements.*
  • retail.products.create
  • retail.products.delete
  • retail.products.export
  • retail.products.get
  • retail.products.import
  • retail.products.list
  • retail.products.update
  • retail.userEvents.create
  • retail.userEvents.import
  • serviceusage.services.get
  • serviceusage.services.list

Recommendations AI Viewer

roles/automlrecommendations.viewer

Viewer of all Recommendations AI resources except apiKeys. To view all resources, including apiKeys, grant the Recommendations AI Admin Viewer role (roles/automlrecommendations.adminViewer).

  • automlrecommendations.catalogItems.get
  • automlrecommendations.catalogItems.list
  • automlrecommendations.catalogs.getStats
  • automlrecommendations.catalogs.list
  • automlrecommendations.eventStores.*
  • automlrecommendations.events.list
  • automlrecommendations.placements.getStats
  • automlrecommendations.placements.list
  • automlrecommendations.recommendations.list
  • resourcemanager.projects.get
  • resourcemanager.projects.list
  • retail.catalogs.list
  • retail.operations.*
  • retail.placements.*
  • retail.products.export
  • retail.products.get
  • retail.products.list
  • serviceusage.services.get
  • serviceusage.services.list

Bigquery Slot Recommender Admin

roles/recommender.bigQueryCapacityCommitmentsAdmin

Admin of Bigquery Capacity Commitments insights and recommendations.

  • recommender.bigqueryCapacityCommitmentsInsights.*
  • recommender.bigqueryCapacityCommitmentsRecommendations.*
  • recommender.locations.*
  • resourcemanager.projects.get
  • resourcemanager.projects.list

Bigquery Recommender Billing Account Admin

roles/recommender.bigQueryCapacityCommitmentsBillingAccountAdmin

Billing Account Admin of Bigquery Capacity Commitments insights and recommendations.

  • billing.accounts.get
  • billing.accounts.list
  • recommender.bigqueryCapacityCommitmentsInsights.*
  • recommender.bigqueryCapacityCommitmentsRecommendations.*

Bigquery Recommender Billing Account Viewer

roles/recommender.bigQueryCapacityCommitmentsBillingAccountViewer

Billing Account Viewer of Bigquery Capacity Commitments insights and recommendations.

  • billing.accounts.get
  • billing.accounts.list
  • recommender.bigqueryCapacityCommitmentsInsights.get
  • recommender.bigqueryCapacityCommitmentsInsights.list
  • recommender.bigqueryCapacityCommitmentsRecommendations.get
  • recommender.bigqueryCapacityCommitmentsRecommendations.list

Bigquery Recommender Project Admin

roles/recommender.bigQueryCapacityCommitmentsProjectAdmin

Project Admin of Bigquery Capacity Commitments insights and recommendations.

  • recommender.bigqueryCapacityCommitmentsInsights.*
  • recommender.bigqueryCapacityCommitmentsRecommendations.*
  • recommender.locations.*
  • resourcemanager.projects.get
  • resourcemanager.projects.list

Bigquery Recommender Project Viewer

roles/recommender.bigQueryCapacityCommitmentsProjectViewer

Project Viewer of Bigquery Capacity Commitments insights and recommendations.

  • recommender.bigqueryCapacityCommitmentsInsights.get
  • recommender.bigqueryCapacityCommitmentsInsights.list
  • recommender.bigqueryCapacityCommitmentsRecommendations.get
  • recommender.bigqueryCapacityCommitmentsRecommendations.list
  • recommender.locations.*
  • resourcemanager.projects.get
  • resourcemanager.projects.list

Bigquery Slot Recommender Viewer

roles/recommender.bigQueryCapacityCommitmentsViewer

Viewer of Bigquery Capacity Commitments insights and recommendations.

  • recommender.bigqueryCapacityCommitmentsInsights.get
  • recommender.bigqueryCapacityCommitmentsInsights.list
  • recommender.bigqueryCapacityCommitmentsRecommendations.get
  • recommender.bigqueryCapacityCommitmentsRecommendations.list
  • recommender.locations.*
  • resourcemanager.projects.get
  • resourcemanager.projects.list

Billing Account Usage Commitment Recommender Admin

roles/recommender.billingAccountCudAdmin

Admin of Billing Account Usage Commitment Recommender.

  • billing.accounts.get
  • billing.accounts.list
  • recommender.commitmentUtilizationInsights.*
  • recommender.usageCommitmentRecommendations.*

Billing Account Usage Commitment Recommender Viewer

roles/recommender.billingAccountCudViewer

Viewer of Billing Account Usage Commitment Recommender.

  • billing.accounts.get
  • billing.accounts.list
  • recommender.commitmentUtilizationInsights.get
  • recommender.commitmentUtilizationInsights.list
  • recommender.usageCommitmentRecommendations.get
  • recommender.usageCommitmentRecommendations.list

Cloud Asset Insights Admin

roles/recommender.cloudAssetInsightsAdmin

Admin of all Cloud Asset insights.

  • recommender.cloudAssetInsights.*
  • resourcemanager.projects.get
  • resourcemanager.projects.list

Cloud Asset Insights Viewer

roles/recommender.cloudAssetInsightsViewer

Viewer of all Cloud Asset insights.

  • recommender.cloudAssetInsights.get
  • recommender.cloudAssetInsights.list
  • resourcemanager.projects.get
  • resourcemanager.projects.list

Cloud SQL Recommender Admin

roles/recommender.cloudsqlAdmin

Admin of Cloud SQL insights and recommendations.

  • recommender.cloudsqlIdleInstanceRecommendations.*
  • recommender.cloudsqlInstanceActivityInsights.*
  • recommender.cloudsqlInstanceCpuUsageInsights.*
  • recommender.cloudsqlInstanceDiskUsageTrendInsights.*
  • recommender.cloudsqlInstanceMemoryUsageInsights.*
  • recommender.cloudsqlInstanceOutOfDiskRecommendations.*
  • recommender.cloudsqlOverprovisionedInstanceRecommendations.*
  • resourcemanager.projects.get
  • resourcemanager.projects.list

Cloud SQL Recommender Viewer

roles/recommender.cloudsqlViewer

Viewer of Cloud SQL insights and recommendations.

  • recommender.cloudsqlIdleInstanceRecommendations.get
  • recommender.cloudsqlIdleInstanceRecommendations.list
  • recommender.cloudsqlInstanceActivityInsights.get
  • recommender.cloudsqlInstanceActivityInsights.list
  • recommender.cloudsqlInstanceCpuUsageInsights.get
  • recommender.cloudsqlInstanceCpuUsageInsights.list
  • recommender.cloudsqlInstanceDiskUsageTrendInsights.get
  • recommender.cloudsqlInstanceDiskUsageTrendInsights.list
  • recommender.cloudsqlInstanceMemoryUsageInsights.get
  • recommender.cloudsqlInstanceMemoryUsageInsights.list
  • recommender.cloudsqlInstanceOutOfDiskRecommendations.get
  • recommender.cloudsqlInstanceOutOfDiskRecommendations.list
  • recommender.cloudsqlOverprovisionedInstanceRecommendations.get
  • recommender.cloudsqlOverprovisionedInstanceRecommendations.list
  • resourcemanager.projects.get
  • resourcemanager.projects.list

Compute Recommender Admin

roles/recommender.computeAdmin

Admin of compute recommendations.

  • recommender.computeAddressIdleResourceInsights.*
  • recommender.computeAddressIdleResourceRecommendations.*
  • recommender.computeDiskIdleResourceInsights.*
  • recommender.computeDiskIdleResourceRecommendations.*
  • recommender.computeImageIdleResourceInsights.*
  • recommender.computeImageIdleResourceRecommendations.*
  • recommender.computeInstanceGroupManagerMachineTypeRecommendations.*
  • recommender.computeInstanceIdleResourceRecommendations.*
  • recommender.computeInstanceMachineTypeRecommendations.*
  • recommender.locations.*
  • resourcemanager.projects.get
  • resourcemanager.projects.list

Compute Recommender Viewer

roles/recommender.computeViewer

Viewer of compute recommendations.

  • recommender.computeAddressIdleResourceInsights.get
  • recommender.computeAddressIdleResourceInsights.list
  • recommender.computeAddressIdleResourceRecommendations.get
  • recommender.computeAddressIdleResourceRecommendations.list
  • recommender.computeDiskIdleResourceInsights.get
  • recommender.computeDiskIdleResourceInsights.list
  • recommender.computeDiskIdleResourceRecommendations.get
  • recommender.computeDiskIdleResourceRecommendations.list
  • recommender.computeImageIdleResourceInsights.get
  • recommender.computeImageIdleResourceInsights.list
  • recommender.computeImageIdleResourceRecommendations.get
  • recommender.computeImageIdleResourceRecommendations.list
  • recommender.computeInstanceGroupManagerMachineTypeRecommendations.get
  • recommender.computeInstanceGroupManagerMachineTypeRecommendations.list
  • recommender.computeInstanceIdleResourceRecommendations.get
  • recommender.computeInstanceIdleResourceRecommendations.list
  • recommender.computeInstanceMachineTypeRecommendations.get
  • recommender.computeInstanceMachineTypeRecommendations.list
  • recommender.locations.*
  • resourcemanager.projects.get
  • resourcemanager.projects.list

Firewall Recommender Admin

roles/recommender.firewallAdmin

Admin of Firewall insights and recommendations.

  • recommender.computeFirewallInsights.*
  • recommender.locations.*
  • resourcemanager.projects.get
  • resourcemanager.projects.list

Firewall Recommender Viewer

roles/recommender.firewallViewer

Viewer of Firewall insights and recommendations.

  • recommender.computeFirewallInsights.get
  • recommender.computeFirewallInsights.list
  • recommender.locations.*
  • resourcemanager.projects.get
  • resourcemanager.projects.list

IAM Recommender Admin

roles/recommender.iamAdmin

Admin of IAM recommendations.

  • recommender.iamPolicyInsights.*
  • recommender.iamPolicyLateralMovementInsights.*
  • recommender.iamPolicyRecommendations.*
  • recommender.iamServiceAccountInsights.*
  • recommender.locations.*
  • resourcemanager.projects.get
  • resourcemanager.projects.list

IAM Recommender Viewer

roles/recommender.iamViewer

Viewer of IAM recommendations.

  • recommender.iamPolicyInsights.get
  • recommender.iamPolicyInsights.list
  • recommender.iamPolicyLateralMovementInsights.get
  • recommender.iamPolicyLateralMovementInsights.list
  • recommender.iamPolicyRecommendations.get
  • recommender.iamPolicyRecommendations.list
  • recommender.iamServiceAccountInsights.get
  • recommender.iamServiceAccountInsights.list
  • recommender.locations.*
  • resourcemanager.projects.get
  • resourcemanager.projects.list

Product Suggestion Recommenders Admin

roles/recommender.productSuggestionAdmin

Admin of all Product Suggestion insights and recommendations.

  • recommender.locations.*
  • recommender.loggingProductSuggestionContainerInsights.*
  • recommender.loggingProductSuggestionContainerRecommendations.*
  • recommender.monitoringProductSuggestionComputeInsights.*
  • recommender.monitoringProductSuggestionComputeRecommendations.*
  • resourcemanager.projects.get
  • resourcemanager.projects.list

Product Suggestion Recommenders Viewer

roles/recommender.productSuggestionViewer

Viewer of all Product Suggestion insights and recommendations.

  • recommender.locations.*
  • recommender.loggingProductSuggestionContainerInsights.get
  • recommender.loggingProductSuggestionContainerInsights.list
  • recommender.loggingProductSuggestionContainerRecommendations.get
  • recommender.loggingProductSuggestionContainerRecommendations.list
  • recommender.monitoringProductSuggestionComputeInsights.get
  • recommender.monitoringProductSuggestionComputeInsights.list
  • recommender.monitoringProductSuggestionComputeRecommendations.get
  • recommender.monitoringProductSuggestionComputeRecommendations.list
  • resourcemanager.projects.get
  • resourcemanager.projects.list

Project Usage Commitment Recommender Admin

roles/recommender.projectCudAdmin

Admin of Project Usage Commitment Recommender.

  • recommender.commitmentUtilizationInsights.*
  • recommender.locations.*
  • recommender.usageCommitmentRecommendations.*
  • resourcemanager.projects.get
  • resourcemanager.projects.list

Project Usage Commitment Recommender Viewer

roles/recommender.projectCudViewer

Viewer of Project Usage Commitment Recommender.

  • recommender.commitmentUtilizationInsights.get
  • recommender.commitmentUtilizationInsights.list
  • recommender.locations.*
  • recommender.usageCommitmentRecommendations.get
  • recommender.usageCommitmentRecommendations.list
  • resourcemanager.projects.get
  • resourcemanager.projects.list

Project Utilization Recommender Admin

roles/recommender.projectUtilAdmin

Admin of Project Utilization insights and recommendations.

  • recommender.resourcemanagerProjectUtilizationInsights.*
  • recommender.resourcemanagerProjectUtilizationRecommendations.*
  • resourcemanager.projects.get
  • resourcemanager.projects.list

Project Utilization Recommender Viewer

roles/recommender.projectUtilViewer

Viewer of Project Utilization insights and recommendations.

  • recommender.resourcemanagerProjectUtilizationInsights.get
  • recommender.resourcemanagerProjectUtilizationInsights.list
  • recommender.resourcemanagerProjectUtilizationRecommendations.get
  • recommender.resourcemanagerProjectUtilizationRecommendations.list
  • resourcemanager.projects.get
  • resourcemanager.projects.list

Folder Admin

roles/resourcemanager.folderAdmin

Provides all available permissions for working with folders.

  • orgpolicy.constraints.*
  • orgpolicy.policies.list
  • orgpolicy.policy.get
  • resourcemanager.folders.*
  • resourcemanager.projects.get
  • resourcemanager.projects.getIamPolicy
  • resourcemanager.projects.list
  • resourcemanager.projects.move
  • resourcemanager.projects.setIamPolicy

Folder Creator

roles/resourcemanager.folderCreator

Provides permissions needed to browse the hierarchy and create folders.

  • orgpolicy.constraints.*
  • orgpolicy.policies.list
  • orgpolicy.policy.get
  • resourcemanager.folders.create
  • resourcemanager.folders.get
  • resourcemanager.folders.list
  • resourcemanager.projects.get
  • resourcemanager.projects.list

Folder Editor

roles/resourcemanager.folderEditor

Provides permission to modify folders as well as to view a folder's IAM policy.

  • orgpolicy.constraints.*
  • orgpolicy.policies.list
  • orgpolicy.policy.get
  • resourcemanager.folders.delete
  • resourcemanager.folders.get
  • resourcemanager.folders.getIamPolicy
  • resourcemanager.folders.list
  • resourcemanager.folders.undelete
  • resourcemanager.folders.update
  • resourcemanager.projects.get
  • resourcemanager.projects.list

Folder IAM Admin

roles/resourcemanager.folderIamAdmin

Provides permissions to administer IAM policies on folders.

  • resourcemanager.folders.get
  • resourcemanager.folders.getIamPolicy
  • resourcemanager.folders.setIamPolicy

Folder Mover

roles/resourcemanager.folderMover

Provides permission to move projects and folders into and out of a parent organization or folder.

  • resourcemanager.folders.move
  • resourcemanager.projects.move

Folder Viewer

roles/resourcemanager.folderViewer

Provides permission to get a folder and list the folders and projects below a resource.

  • orgpolicy.constraints.*
  • orgpolicy.policies.list
  • orgpolicy.policy.get
  • resourcemanager.folders.get
  • resourcemanager.folders.list
  • resourcemanager.projects.get
  • resourcemanager.projects.list

Project Lien Modifier

roles/resourcemanager.lienModifier

Provides access to modify Liens on projects.

  • resourcemanager.projects.updateLiens

Organization Administrator

roles/resourcemanager.organizationAdmin

Access to administer all resources belonging to the organization.

  • orgpolicy.constraints.*
  • orgpolicy.policies.list
  • orgpolicy.policy.get
  • resourcemanager.folders.get
  • resourcemanager.folders.getIamPolicy
  • resourcemanager.folders.list
  • resourcemanager.folders.setIamPolicy
  • resourcemanager.organizations.*
  • resourcemanager.projects.get
  • resourcemanager.projects.getIamPolicy
  • resourcemanager.projects.list
  • resourcemanager.projects.setIamPolicy

Organization Viewer

roles/resourcemanager.organizationViewer

Provides access to view an organization.

  • resourcemanager.organizations.get

Project Creator

roles/resourcemanager.projectCreator

Provides access to create new projects. Once a user creates a project, they're automatically granted the owner role for that project.

  • resourcemanager.organizations.get
  • resourcemanager.projects.create

Project Deleter

roles/resourcemanager.projectDeleter

Provides access to delete Google Cloud projects.

  • resourcemanager.projects.delete

Project IAM Admin

roles/resourcemanager.projectIamAdmin

Provides permissions to administer IAM policies on projects.

  • resourcemanager.projects.get
  • resourcemanager.projects.getIamPolicy
  • resourcemanager.projects.setIamPolicy

Project Mover

roles/resourcemanager.projectMover

Provides access to update and move projects.

  • resourcemanager.projects.get
  • resourcemanager.projects.move
  • resourcemanager.projects.update

Tag Administrator

roles/resourcemanager.tagAdmin

Access to create, delete, update, and manage access to Tags

  • resourcemanager.tagKeys.*
  • resourcemanager.tagValues.*

Tag User

roles/resourcemanager.tagUser

Access to list Tags and manage their associations with resources

  • cloudkms.keyRings.createTagBinding
  • cloudkms.keyRings.deleteTagBinding
  • cloudkms.keyRings.listTagBindings
  • cloudsql.instances.createTagBinding
  • cloudsql.instances.deleteTagBinding
  • cloudsql.instances.listTagBindings
  • resourcemanager.hierarchyNodes.*
  • resourcemanager.projects.get
  • resourcemanager.tagKeys.get
  • resourcemanager.tagKeys.list
  • resourcemanager.tagValueBindings.*
  • resourcemanager.tagValues.get
  • resourcemanager.tagValues.list
  • storage.buckets.createTagBinding
  • storage.buckets.deleteTagBinding
  • storage.buckets.listTagBindings

Tag Viewer

roles/resourcemanager.tagViewer

Access to list Tags and their associations with resources

  • cloudkms.keyRings.listTagBindings
  • cloudsql.instances.listTagBindings
  • resourcemanager.hierarchyNodes.listTagBindings
  • resourcemanager.tagKeys.get
  • resourcemanager.tagKeys.list
  • resourcemanager.tagValues.get
  • resourcemanager.tagValues.list
  • storage.buckets.listTagBindings

Resource Settings Administrator

roles/resourcesettings.admin

Provides admin capabilities to set Resource Setting Values on resources.

  • resourcesettings.*

Resource Settings Viewer

roles/resourcesettings.viewer

Provides capabilities to view Resource Settings and Resource Setting Values on resources.

  • resourcesettings.settings.get
  • resourcesettings.settings.list

Risk Manager Admin

roles/riskmanager.admin

Grants all Risk Manager permissions

  • resourcemanager.projects.get
  • resourcemanager.projects.list
  • riskmanager.*

Risk Manager Editor

roles/riskmanager.editor

Access to edit Risk Manager resources

  • resourcemanager.projects.get
  • resourcemanager.projects.list
  • riskmanager.operations.*
  • riskmanager.policies.*
  • riskmanager.reports.create
  • riskmanager.reports.delete
  • riskmanager.reports.get
  • riskmanager.reports.list
  • riskmanager.serviceAccount.*
  • riskmanager.settings.*

Risk Manager Report Reviewer

roles/riskmanager.reviewer

Access to review Risk Manager reports

  • resourcemanager.projects.get
  • resourcemanager.projects.list
  • riskmanager.operations.get
  • riskmanager.operations.list
  • riskmanager.reports.get
  • riskmanager.reports.list
  • riskmanager.reports.review

Risk Manager Viewer

roles/riskmanager.viewer

Access to view Risk Manager resources

  • resourcemanager.projects.get
  • resourcemanager.projects.list
  • riskmanager.operations.get
  • riskmanager.operations.list
  • riskmanager.policies.*
  • riskmanager.reports.get
  • riskmanager.reports.list
  • riskmanager.settings.get

Organization Role Administrator

roles/iam.organizationRoleAdmin

Provides access to administer all custom roles in the organization and the projects below it.

  • iam.roles.*
  • resourcemanager.organizations.get
  • resourcemanager.organizations.getIamPolicy
  • resourcemanager.projects.get
  • resourcemanager.projects.getIamPolicy
  • resourcemanager.projects.list

Organization Role Viewer

roles/iam.organizationRoleViewer

Provides read access to all custom roles in the organization and the projects below it.

  • iam.roles.get
  • iam.roles.list
  • resourcemanager.organizations.get
  • resourcemanager.organizations.getIamPolicy
  • resourcemanager.projects.get
  • resourcemanager.projects.getIamPolicy
  • resourcemanager.projects.list

Role Administrator

roles/iam.roleAdmin

Provides access to all custom roles in the project.

  • iam.roles.*
  • resourcemanager.projects.get
  • resourcemanager.projects.getIamPolicy

Role Viewer

roles/iam.roleViewer

Provides read access to all custom roles in the project.

  • iam.roles.get
  • iam.roles.list
  • resourcemanager.projects.get
  • resourcemanager.projects.getIamPolicy

Secret Manager Admin

roles/secretmanager.admin

Full access to administer Secret Manager resources.

  • resourcemanager.projects.get
  • resourcemanager.projects.list
  • secretmanager.*

Secret Manager Secret Accessor

roles/secretmanager.secretAccessor

Allows accessing the payload of secrets.

  • resourcemanager.projects.get
  • resourcemanager.projects.list
  • secretmanager.versions.access

Secret Manager Secret Version Adder

roles/secretmanager.secretVersionAdder

Allows adding versions to existing secrets.

  • resourcemanager.projects.get
  • resourcemanager.projects.list
  • secretmanager.versions.add

Secret Manager Secret Version Manager

roles/secretmanager.secretVersionManager

Allows creating and managing versions of existing secrets.

  • resourcemanager.projects.get
  • resourcemanager.projects.list
  • secretmanager.versions.add
  • secretmanager.versions.destroy
  • secretmanager.versions.disable
  • secretmanager.versions.enable
  • secretmanager.versions.get
  • secretmanager.versions.list

Secret Manager Viewer

roles/secretmanager.viewer

Allows viewing metadata of all Secret Manager resources

  • resourcemanager.projects.get
  • resourcemanager.projects.list
  • secretmanager.locations.*
  • secretmanager.secrets.get
  • secretmanager.secrets.getIamPolicy
  • secretmanager.secrets.list
  • secretmanager.versions.get
  • secretmanager.versions.list

Security Center Admin

roles/securitycenter.admin

Admin (super user) access to security center

  • appengine.applications.get
  • cloudsecurityscanner.*
  • compute.addresses.list
  • resourcemanager.folders.get
  • resourcemanager.organizations.get
  • resourcemanager.projects.get
  • resourcemanager.projects.list
  • securitycenter.*
  • serviceusage.quotas.get
  • serviceusage.services.get
  • serviceusage.services.list

Security Center Admin Editor

roles/securitycenter.adminEditor

Admin Read-write access to security center

  • appengine.applications.get
  • cloudsecurityscanner.*
  • compute.addresses.list
  • resourcemanager.folders.get
  • resourcemanager.organizations.get
  • resourcemanager.projects.get
  • resourcemanager.projects.list
  • securitycenter.assets.*
  • securitycenter.assetsecuritymarks.*
  • securitycenter.containerthreatdetectionsettings.calculate
  • securitycenter.containerthreatdetectionsettings.get
  • securitycenter.eventthreatdetectionsettings.calculate
  • securitycenter.eventthreatdetectionsettings.get
  • securitycenter.findings.*
  • securitycenter.findingsecuritymarks.*
  • securitycenter.notificationconfig.*
  • securitycenter.organizationsettings.get
  • securitycenter.securitycentersettings.get
  • securitycenter.securityhealthanalyticssettings.calculate
  • securitycenter.securityhealthanalyticssettings.get
  • securitycenter.sources.get
  • securitycenter.sources.list
  • securitycenter.sources.update
  • securitycenter.subscription.*
  • securitycenter.userinterfacemetadata.*
  • securitycenter.websecurityscannersettings.calculate
  • securitycenter.websecurityscannersettings.get
  • serviceusage.quotas.get
  • serviceusage.services.get
  • serviceusage.services.list

Security Center Admin Viewer

roles/securitycenter.adminViewer

Admin Read access to security center

  • cloudsecurityscanner.crawledurls.*
  • cloudsecurityscanner.results.*
  • cloudsecurityscanner.scanruns.get
  • cloudsecurityscanner.scanruns.getSummary
  • cloudsecurityscanner.scanruns.list
  • cloudsecurityscanner.scans.get
  • cloudsecurityscanner.scans.list
  • resourcemanager.folders.get
  • resourcemanager.organizations.get
  • resourcemanager.projects.get
  • securitycenter.assets.group
  • securitycenter.assets.list
  • securitycenter.assets.listAssetPropertyNames
  • securitycenter.containerthreatdetectionsettings.calculate
  • securitycenter.containerthreatdetectionsettings.get
  • securitycenter.eventthreatdetectionsettings.calculate
  • securitycenter.eventthreatdetectionsettings.get
  • securitycenter.findings.group
  • securitycenter.findings.list
  • securitycenter.findings.listFindingPropertyNames
  • securitycenter.notificationconfig.get
  • securitycenter.notificationconfig.list
  • securitycenter.organizationsettings.get
  • securitycenter.securitycentersettings.get
  • securitycenter.securityhealthanalyticssettings.calculate
  • securitycenter.securityhealthanalyticssettings.get
  • securitycenter.sources.get
  • securitycenter.sources.list
  • securitycenter.subscription.*
  • securitycenter.userinterfacemetadata.*
  • securitycenter.websecurityscannersettings.calculate
  • securitycenter.websecurityscannersettings.get
  • serviceusage.quotas.get
  • serviceusage.services.get
  • serviceusage.services.list

Security Center Asset Security Marks Writer

roles/securitycenter.assetSecurityMarksWriter

Write access to asset security marks

  • securitycenter.assetsecuritymarks.*
  • securitycenter.userinterfacemetadata.*

Security Center Assets Discovery Runner

roles/securitycenter.assetsDiscoveryRunner

Run asset discovery access to assets

  • securitycenter.assets.runDiscovery
  • securitycenter.userinterfacemetadata.*

Security Center Assets Viewer

roles/securitycenter.assetsViewer

Read access to assets

  • resourcemanager.folders.get
  • resourcemanager.organizations.get
  • resourcemanager.projects.get
  • securitycenter.assets.group
  • securitycenter.assets.list
  • securitycenter.assets.listAssetPropertyNames
  • securitycenter.userinterfacemetadata.*

Security Center Finding Security Marks Writer

roles/securitycenter.findingSecurityMarksWriter

Write access to finding security marks

  • securitycenter.findingsecuritymarks.*
  • securitycenter.userinterfacemetadata.*

Security Center Findings Editor

roles/securitycenter.findingsEditor

Read-write access to findings

  • resourcemanager.folders.get
  • resourcemanager.organizations.get
  • resourcemanager.projects.get
  • securitycenter.findings.group
  • securitycenter.findings.list
  • securitycenter.findings.listFindingPropertyNames
  • securitycenter.findings.setState
  • securitycenter.findings.update
  • securitycenter.sources.get
  • securitycenter.sources.list
  • securitycenter.userinterfacemetadata.*

Security Center Findings State Setter

roles/securitycenter.findingsStateSetter

Set state access to findings

  • securitycenter.findings.setState
  • securitycenter.userinterfacemetadata.*

Security Center Findings Viewer

roles/securitycenter.findingsViewer

Read access to findings

  • resourcemanager.folders.get
  • resourcemanager.organizations.get
  • resourcemanager.projects.get
  • securitycenter.findings.group
  • securitycenter.findings.list
  • securitycenter.findings.listFindingPropertyNames
  • securitycenter.sources.get
  • securitycenter.sources.list
  • securitycenter.userinterfacemetadata.*

Security Center Findings Workflow State Setter

roles/securitycenter.findingsWorkflowStateSetter

Set workflow state access to findings

  • securitycenter.findings.setWorkflowState
  • securitycenter.userinterfacemetadata.*

Security Center Notification Configurations Editor

roles/securitycenter.notificationConfigEditor

Write access to notification configurations

  • securitycenter.notificationconfig.*
  • securitycenter.userinterfacemetadata.*

Security Center Notification Configurations Viewer

roles/securitycenter.notificationConfigViewer

Read access to notification configurations

  • securitycenter.notificationconfig.get
  • securitycenter.notificationconfig.list
  • securitycenter.userinterfacemetadata.*

Security Center Settings Admin

roles/securitycenter.settingsAdmin

Admin (super user) access to security center settings

  • securitycenter.containerthreatdetectionsettings.*
  • securitycenter.eventthreatdetectionsettings.*
  • securitycenter.notificationconfig.*
  • securitycenter.organizationsettings.*
  • securitycenter.securitycentersettings.*
  • securitycenter.securityhealthanalyticssettings.*
  • securitycenter.subscription.*
  • securitycenter.userinterfacemetadata.*
  • securitycenter.websecurityscannersettings.*

Security Center Settings Editor

roles/securitycenter.settingsEditor

Read-Write access to security center settings

  • securitycenter.containerthreatdetectionsettings.*
  • securitycenter.eventthreatdetectionsettings.*
  • securitycenter.notificationconfig.*
  • securitycenter.organizationsettings.*
  • securitycenter.securitycentersettings.*
  • securitycenter.securityhealthanalyticssettings.*
  • securitycenter.subscription.*
  • securitycenter.userinterfacemetadata.*
  • securitycenter.websecurityscannersettings.*

Security Center Settings Viewer

roles/securitycenter.settingsViewer

Read access to security center settings

  • securitycenter.containerthreatdetectionsettings.calculate
  • securitycenter.containerthreatdetectionsettings.get
  • securitycenter.eventthreatdetectionsettings.calculate
  • securitycenter.eventthreatdetectionsettings.get
  • securitycenter.notificationconfig.get
  • securitycenter.notificationconfig.list
  • securitycenter.organizationsettings.get
  • securitycenter.securitycentersettings.get
  • securitycenter.securityhealthanalyticssettings.calculate
  • securitycenter.securityhealthanalyticssettings.get
  • securitycenter.subscription.*
  • securitycenter.userinterfacemetadata.*
  • securitycenter.websecurityscannersettings.calculate
  • securitycenter.websecurityscannersettings.get

Security Center Sources Admin

roles/securitycenter.sourcesAdmin

Admin access to sources

  • resourcemanager.organizations.get
  • securitycenter.sources.*
  • securitycenter.userinterfacemetadata.*

Security Center Sources Editor

roles/securitycenter.sourcesEditor

Read-write access to sources

  • resourcemanager.organizations.get
  • securitycenter.sources.get
  • securitycenter.sources.list
  • securitycenter.sources.update
  • securitycenter.userinterfacemetadata.*

Security Center Sources Viewer

roles/securitycenter.sourcesViewer

Read access to sources

  • resourcemanager.organizations.get
  • securitycenter.sources.get
  • securitycenter.sources.list
  • securitycenter.userinterfacemetadata.*

Serverless VPC Access Admin

roles/vpcaccess.admin

Full access to all Serverless VPC Access resources

  • resourcemanager.projects.get
  • resourcemanager.projects.list
  • vpcaccess.*

Serverless VPC Access User

roles/vpcaccess.user

User of Serverless VPC Access connectors

  • compute.networks.access
  • resourcemanager.projects.get
  • resourcemanager.projects.list
  • vpcaccess.connectors.get
  • vpcaccess.connectors.list
  • vpcaccess.connectors.use
  • vpcaccess.locations.*
  • vpcaccess.operations.*

Serverless VPC Access Viewer

roles/vpcaccess.viewer

Viewer of all Serverless VPC Access resources

  • resourcemanager.projects.get
  • resourcemanager.projects.list
  • vpcaccess.connectors.get
  • vpcaccess.connectors.list
  • vpcaccess.locations.*
  • vpcaccess.operations.*

Service Account Admin

roles/iam.serviceAccountAdmin

Create and manage service accounts.

  • iam.serviceAccounts.create
  • iam.serviceAccounts.delete
  • iam.serviceAccounts.disable
  • iam.serviceAccounts.enable
  • iam.serviceAccounts.get
  • iam.serviceAccounts.getIamPolicy
  • iam.serviceAccounts.list
  • iam.serviceAccounts.setIamPolicy
  • iam.serviceAccounts.undelete
  • iam.serviceAccounts.update
  • resourcemanager.projects.get
  • resourcemanager.projects.list

Create Service Accounts

roles/iam.serviceAccountCreator

Access to create service accounts.

  • iam.serviceAccounts.create
  • iam.serviceAccounts.get
  • iam.serviceAccounts.list
  • resourcemanager.projects.get
  • resourcemanager.projects.list

Delete Service Accounts

roles/iam.serviceAccountDeleter

Access to delete service accounts.

  • iam.serviceAccounts.delete
  • iam.serviceAccounts.get
  • iam.serviceAccounts.list
  • resourcemanager.projects.get
  • resourcemanager.projects.list

Service Account Key Admin

roles/iam.serviceAccountKeyAdmin

Create and manage (and rotate) service account keys.

  • iam.serviceAccountKeys.*
  • iam.serviceAccounts.get
  • iam.serviceAccounts.list
  • resourcemanager.projects.get
  • resourcemanager.projects.list

Service Account Token Creator

roles/iam.serviceAccountTokenCreator

Impersonate service accounts (create OAuth2 access tokens, sign blobs or JWTs, etc.).

  • iam.serviceAccounts.get
  • iam.serviceAccounts.getAccessToken
  • iam.serviceAccounts.getOpenIdToken
  • iam.serviceAccounts.implicitDelegation
  • iam.serviceAccounts.list
  • iam.serviceAccounts.signBlob
  • iam.serviceAccounts.signJwt
  • resourcemanager.projects.get
  • resourcemanager.projects.list

Service Account User

roles/iam.serviceAccountUser

Run operations as the service account.

  • iam.serviceAccounts.actAs
  • iam.serviceAccounts.get
  • iam.serviceAccounts.list
  • resourcemanager.projects.get
  • resourcemanager.projects.list

Workload Identity User

roles/iam.workloadIdentityUser

Impersonate service accounts from GKE Workloads

  • iam.serviceAccounts.get
  • iam.serviceAccounts.getAccessToken
  • iam.serviceAccounts.getOpenIdToken
  • iam.serviceAccounts.list

Vertex AI Custom Code Service Agent

roles/aiplatform.customCodeServiceAgent

Gives Vertex AI Custom Code the proper permissions.

  • aiplatform.annotationSpecs.*
  • aiplatform.annotations.*
  • aiplatform.artifacts.*
  • aiplatform.batchPredictionJobs.*
  • aiplatform.contexts.*
  • aiplatform.customJobs.*
  • aiplatform.dataItems.*
  • aiplatform.dataLabelingJobs.*
  • aiplatform.datasets.*
  • aiplatform.edgeDeploymentJobs.*
  • aiplatform.edgeDeviceDebugInfo.*
  • aiplatform.edgeDevices.*
  • aiplatform.endpoints.*
  • aiplatform.entityTypes.*
  • aiplatform.executions.*
  • aiplatform.features.*
  • aiplatform.featurestores.*
  • aiplatform.humanInTheLoops.*
  • aiplatform.hyperparameterTuningJobs.*
  • aiplatform.indexEndpoints.*
  • aiplatform.indexes.*
  • aiplatform.locations.*
  • aiplatform.metadataSchemas.*
  • aiplatform.metadataStores.*
  • aiplatform.modelDeploymentMonitoringJobs.*
  • aiplatform.modelEvaluationSlices.*
  • aiplatform.modelEvaluations.*
  • aiplatform.models.*
  • aiplatform.nasJobs.*
  • aiplatform.operations.*
  • aiplatform.pipelineJobs.*
  • aiplatform.specialistPools.*
  • aiplatform.studies.*
  • aiplatform.tensorboardExperiments.*
  • aiplatform.tensorboardRuns.*
  • aiplatform.tensorboardTimeSeries.*
  • aiplatform.tensorboards.*
  • aiplatform.trainingPipelines.*
  • aiplatform.trials.*
  • artifactregistry.repositories.downloadArtifacts
  • artifactregistry.repositories.get
  • artifactregistry.repositories.list
  • artifactregistry.tags.get
  • artifactregistry.versions.get
  • bigquery.datasets.create
  • bigquery.datasets.get
  • bigquery.jobs.create
  • bigquery.jobs.get
  • bigquery.readsessions.create
  • bigquery.readsessions.getData
  • bigquery.tables.create
  • bigquery.tables.export
  • bigquery.tables.get
  • bigquery.tables.getData
  • bigquery.tables.update
  • bigquery.tables.updateData
  • iam.serviceAccounts.get
  • iam.serviceAccounts.getAccessToken
  • iam.serviceAccounts.getOpenIdToken
  • iam.serviceAccounts.implicitDelegation
  • iam.serviceAccounts.list
  • iam.serviceAccounts.signBlob
  • iam.serviceAccounts.signJwt
  • logging.logEntries.create
  • resourcemanager.projects.get
  • resourcemanager.projects.list
  • serviceusage.services.use
  • storage.buckets.create
  • storage.buckets.delete
  • storage.buckets.get
  • storage.buckets.list
  • storage.objects.create
  • storage.objects.delete
  • storage.objects.get
  • storage.objects.list
  • storage.objects.update

Vertex AI Service Agent

roles/aiplatform.serviceAgent

Gives Vertex AI the permissions it needs to function.

  • aiplatform.annotationSpecs.*
  • aiplatform.annotations.*
  • aiplatform.artifacts.*
  • aiplatform.batchPredictionJobs.*
  • aiplatform.contexts.*
  • aiplatform.customJobs.*
  • aiplatform.dataItems.*
  • aiplatform.dataLabelingJobs.*
  • aiplatform.datasets.*
  • aiplatform.edgeDeploymentJobs.*
  • aiplatform.edgeDeviceDebugInfo.*
  • aiplatform.edgeDevices.*
  • aiplatform.endpoints.*
  • aiplatform.entityTypes.*
  • aiplatform.executions.*
  • aiplatform.features.*
  • aiplatform.featurestores.*
  • aiplatform.humanInTheLoops.*
  • aiplatform.hyperparameterTuningJobs.*
  • aiplatform.indexEndpoints.*
  • aiplatform.indexes.*
  • aiplatform.locations.*
  • aiplatform.metadataSchemas.*
  • aiplatform.metadataStores.*
  • aiplatform.modelDeploymentMonitoringJobs.*
  • aiplatform.modelEvaluationSlices.*
  • aiplatform.modelEvaluations.*
  • aiplatform.models.*
  • aiplatform.nasJobs.*
  • aiplatform.operations.*
  • aiplatform.pipelineJobs.*
  • aiplatform.specialistPools.*
  • aiplatform.studies.*
  • aiplatform.tensorboardExperiments.*
  • aiplatform.tensorboardRuns.*
  • aiplatform.tensorboardTimeSeries.*
  • aiplatform.tensorboards.*
  • aiplatform.trainingPipelines.*
  • aiplatform.trials.*
  • artifactregistry.repositories.create
  • artifactregistry.repositories.downloadArtifacts
  • artifactregistry.repositories.get
  • artifactregistry.repositories.list
  • artifactregistry.repositories.uploadArtifacts
  • artifactregistry.tags.get
  • artifactregistry.versions.get
  • automl.datasets.export
  • automl.datasets.get
  • automl.datasets.list
  • automl.modelEvaluations.list
  • automl.models.get
  • automl.models.list
  • automl.operations.get
  • automl.tableSpecs.get
  • bigquery.datasets.create
  • bigquery.datasets.get
  • bigquery.jobs.create
  • bigquery.jobs.get
  • bigquery.readsessions.create
  • bigquery.tables.create
  • bigquery.tables.export
  • bigquery.tables.get
  • bigquery.tables.getData
  • bigquery.tables.update
  • bigquery.tables.updateData
  • bigtable.tables.get
  • bigtable.tables.list
  • bigtable.tables.readRows
  • compute.machineTypes.get
  • dataflow.*
  • datalabeling.annotateddatasets.get
  • datalabeling.datasets.export
  • datalabeling.datasets.get
  • datalabeling.datasets.list
  • datalabeling.operations.get
  • iam.serviceAccounts.actAs
  • iam.serviceAccounts.getAccessToken
  • logging.logEntries.create
  • ml.models.list
  • ml.operations.get
  • ml.versions.get
  • ml.versions.list
  • resourcemanager.projects.get
  • resourcemanager.projects.list
  • serviceusage.services.use
  • storage.buckets.create
  • storage.buckets.delete
  • storage.buckets.get
  • storage.buckets.list
  • storage.objects.create
  • storage.objects.delete
  • storage.objects.get
  • storage.objects.list
  • storage.objects.update

Anthos Service Agent

roles/anthos.serviceAgent

Gives the Anthos service agent access to Google Cloud resources.

  • gkehub.features.get
  • gkehub.locations.*
  • gkehub.memberships.get
  • gkehub.memberships.list
  • serviceusage.services.get
  • serviceusage.services.list

Anthos Audit Service Agent

roles/anthosaudit.serviceAgent

Gives the Anthos Audit service agent access to Cloud Platform resources.

  • gkehub.features.get
  • gkehub.locations.*
  • gkehub.memberships.get
  • gkehub.memberships.list

Anthos Config Management Service Agent

roles/anthosconfigmanagement.serviceAgent

Gives the Anthos Config Management service agent access to Google Cloud resources.

  • gkehub.features.get
  • gkehub.locations.*
  • gkehub.memberships.get
  • gkehub.memberships.list

Anthos Identity Service Agent

roles/anthosidentityservice.serviceAgent

Gives the Anthos Identity service agent access to Google Cloud resources.

  • gkehub.features.get
  • gkehub.locations.*
  • gkehub.memberships.get
  • gkehub.memberships.list

Anthos Service Mesh Service Agent

roles/anthosservicemesh.serviceAgent

Gives the Anthos Service Mesh service agent access to Cloud Platform resources.

  • container.clusterRoleBindings.*
  • container.clusterRoles.bind
  • container.clusterRoles.create
  • container.clusterRoles.delete
  • container.clusterRoles.escalate
  • container.clusterRoles.get
  • container.clusterRoles.list
  • container.clusters.get
  • container.configMaps.*
  • container.customResourceDefinitions.create
  • container.customResourceDefinitions.get
  • container.customResourceDefinitions.list
  • container.customResourceDefinitions.update
  • container.daemonSets.create
  • container.daemonSets.delete
  • container.daemonSets.get
  • container.daemonSets.getStatus
  • container.daemonSets.list
  • container.daemonSets.update
  • container.deployments.get
  • container.deployments.list
  • container.events.get
  • container.events.list
  • container.mutatingWebhookConfigurations.create
  • container.mutatingWebhookConfigurations.get
  • container.mutatingWebhookConfigurations.list
  • container.mutatingWebhookConfigurations.update
  • container.namespaces.get
  • container.namespaces.list
  • container.pods.get
  • container.pods.list
  • container.serviceAccounts.create
  • container.serviceAccounts.delete
  • container.serviceAccounts.get
  • container.serviceAccounts.list
  • container.serviceAccounts.update
  • container.services.get
  • container.services.list
  • container.thirdPartyObjects.create
  • container.thirdPartyObjects.get
  • container.thirdPartyObjects.list
  • container.thirdPartyObjects.update
  • container.validatingWebhookConfigurations.create
  • container.validatingWebhookConfigurations.get
  • container.validatingWebhookConfigurations.list
  • container.validatingWebhookConfigurations.update
  • gkehub.features.get
  • gkehub.locations.*
  • gkehub.memberships.get
  • gkehub.memberships.list

Cloud API Gateway Service Agent

roles/apigateway.serviceAgent

Gives Cloud API Gateway service account access to Service Management check and reports as well as impersonation on user-specified service accounts.

  • iam.serviceAccounts.getAccessToken
  • iam.serviceAccounts.getOpenIdToken
  • servicemanagement.services.check
  • servicemanagement.services.quota
  • servicemanagement.services.report

Cloud API Gateway Management Service Agent

roles/apigateway_management.serviceAgent

Gives Cloud API Gateway service account access to retrieve a Service configuration.

  • iam.serviceAccounts.get
  • servicemanagement.services.create
  • servicemanagement.services.delete
  • servicemanagement.services.get
  • servicemanagement.services.list
  • servicemanagement.services.update
  • serviceusage.services.get

Apigee Service Agent

roles/apigee.serviceAgent

Service agent that grants access to Apigee resources - API Products, Developers, Developer Apps, and App Keys.

  • apigee.apiproducts.get
  • apigee.apiproducts.list
  • apigee.appkeys.create
  • apigee.appkeys.delete
  • apigee.appkeys.manage
  • apigee.apps.get
  • apigee.canaryevaluations.*
  • apigee.developerapps.*
  • apigee.developers.create
  • apigee.developers.get
  • apigee.environments.get
  • apigee.environments.getDataLocation
  • apigee.environments.manageRuntime
  • apigee.ingressconfigs.*
  • apigee.instances.reportStatus
  • apigee.operations.*
  • apigee.organizations.get
  • apigee.proxyrevisions.get
  • apigee.runtimeconfigs.*
  • cloudtrace.traces.patch
  • iam.serviceAccounts.getAccessToken
  • iam.serviceAccounts.getOpenIdToken
  • logging.buckets.create
  • logging.buckets.get
  • logging.buckets.list
  • logging.views.create
  • logging.views.get
  • logging.views.list
  • monitoring.metricDescriptors.create
  • monitoring.metricDescriptors.get
  • monitoring.metricDescriptors.list
  • monitoring.monitoredResourceDescriptors.*
  • monitoring.timeSeries.create

App Development Experience Service Agent

roles/appdevelopmentexperience.serviceAgent

Gives the App Development Experience service agent access to Cloud Platform resources.

  • container.clusters.get
  • container.clusters.update
  • gkehub.features.get
  • gkehub.locations.*
  • gkehub.memberships.get
  • gkehub.memberships.list

App Engine flexible environment Service Agent

roles/appengineflex.serviceAgent

Can edit and manage App Engine Flexible Environment apps. Includes access to service accounts.

  • billing.accounts.get
  • cloudbuild.builds.create
  • cloudbuild.builds.get
  • compute.addresses.create
  • compute.addresses.delete
  • compute.addresses.get
  • compute.addresses.list
  • compute.addresses.use
  • compute.autoscalers.create
  • compute.autoscalers.delete
  • compute.autoscalers.get
  • compute.autoscalers.update
  • compute.backendServices.create
  • compute.backendServices.delete
  • compute.backendServices.get
  • compute.backendServices.list
  • compute.backendServices.update
  • compute.backendServices.use
  • compute.disks.list
  • compute.firewalls.*
  • compute.forwardingRules.create
  • compute.forwardingRules.delete
  • compute.forwardingRules.get
  • compute.globalAddresses.create
  • compute.globalAddresses.delete
  • compute.globalAddresses.get
  • compute.globalAddresses.use
  • compute.globalForwardingRules.create
  • compute.globalForwardingRules.delete
  • compute.globalForwardingRules.get
  • compute.globalOperations.get
  • compute.healthChecks.create
  • compute.healthChecks.delete
  • compute.healthChecks.get
  • compute.healthChecks.update
  • compute.healthChecks.useReadOnly
  • compute.httpHealthChecks.create
  • compute.httpHealthChecks.delete
  • compute.httpHealthChecks.get
  • compute.httpHealthChecks.use
  • compute.httpHealthChecks.useReadOnly
  • compute.httpsHealthChecks.create
  • compute.httpsHealthChecks.delete
  • compute.httpsHealthChecks.get
  • compute.httpsHealthChecks.update
  • compute.httpsHealthChecks.use
  • compute.httpsHealthChecks.useReadOnly
  • compute.images.get
  • compute.images.useReadOnly
  • compute.instanceGroupManagers.create
  • compute.instanceGroupManagers.delete
  • compute.instanceGroupManagers.get
  • compute.instanceGroupManagers.update
  • compute.instanceGroupManagers.use
  • compute.instanceGroups.create
  • compute.instanceGroups.delete
  • compute.instanceGroups.get
  • compute.instanceGroups.update
  • compute.instanceTemplates.create
  • compute.instanceTemplates.delete
  • compute.instanceTemplates.get
  • compute.instanceTemplates.useReadOnly
  • compute.instances.attachDisk
  • compute.instances.create
  • compute.instances.delete
  • compute.instances.detachDisk
  • compute.instances.get
  • compute.instances.getGuestAttributes
  • compute.instances.getSerialPortOutput
  • compute.instances.list
  • compute.instances.reset
  • compute.instances.setLabels
  • compute.instances.setMetadata
  • compute.instances.setTags
  • compute.instances.start
  • compute.instances.stop
  • compute.instances.use
  • compute.machineTypes.get
  • compute.networks.create
  • compute.networks.delete
  • compute.networks.get
  • compute.networks.updatePolicy
  • compute.networks.use
  • compute.networks.useExternalIp
  • compute.projects.get
  • compute.projects.setCommonInstanceMetadata
  • compute.regionBackendServices.create
  • compute.regionBackendServices.delete
  • compute.regionBackendServices.get
  • compute.regionBackendServices.list
  • compute.regionBackendServices.update
  • compute.regionBackendServices.use
  • compute.regionOperations.get
  • compute.regions.get
  • compute.subnetworks.delete
  • compute.targetHttpProxies.create
  • compute.targetHttpProxies.delete
  • compute.targetHttpProxies.get
  • compute.targetHttpProxies.use
  • compute.targetHttpsProxies.create
  • compute.targetHttpsProxies.delete
  • compute.targetHttpsProxies.get
  • compute.targetHttpsProxies.setSslCertificates
  • compute.targetHttpsProxies.use
  • compute.urlMaps.create
  • compute.urlMaps.delete
  • compute.urlMaps.get
  • compute.urlMaps.update
  • compute.urlMaps.use
  • compute.zoneOperations.get
  • compute.zoneOperations.list
  • compute.zones.*
  • deploymentmanager.compositeTypes.get
  • deploymentmanager.deployments.create
  • deploymentmanager.deployments.delete
  • deploymentmanager.deployments.get
  • deploymentmanager.deployments.list
  • deploymentmanager.deployments.update
  • deploymentmanager.manifests.*
  • deploymentmanager.operations.*
  • deploymentmanager.typeProviders.create
  • deploymentmanager.typeProviders.get
  • iam.serviceAccounts.actAs
  • iam.serviceAccounts.get
  • iam.serviceAccounts.getAccessToken
  • iam.serviceAccounts.signBlob
  • iam.serviceAccounts.signJwt
  • logging.logEntries.create
  • logging.logMetrics.create
  • logging.logMetrics.delete
  • logging.logMetrics.get
  • logging.logMetrics.update
  • resourcemanager.organizations.get
  • resourcemanager.projects.get
  • resourcemanager.projects.getIamPolicy
  • resourcemanager.projects.setIamPolicy
  • storage.buckets.create
  • storage.buckets.delete
  • storage.buckets.get
  • storage.buckets.getIamPolicy
  • storage.buckets.setIamPolicy
  • storage.buckets.update
  • storage.objects.create
  • storage.objects.delete
  • storage.objects.get
  • storage.objects.getIamPolicy
  • storage.objects.list

Artifact Registry Service Agent

roles/artifactregistry.serviceAgent

Gives the Artifact Registry service account access to managed resources.

  • artifactregistry.repositories.downloadArtifacts
  • pubsub.topics.publish

Assured Workloads Service Agent

roles/assuredworkloads.serviceAgent

Gives the Assured Workloads service account access to create KMS keyrings and keys, and to monitor Assured Workloads.

  • cloudasset.assets.exportResource
  • cloudasset.feeds.create
  • cloudasset.feeds.delete
  • cloudasset.feeds.get
  • cloudasset.feeds.update
  • cloudkms.cryptoKeys.create
  • cloudkms.keyRings.create
  • serviceusage.services.enable
  • serviceusage.services.use

AutoML Service Agent

roles/automl.serviceAgent

AutoML service agent can act as Cloud Storage admin and export BigQuery tables, which can be backed by Cloud Storage and Cloud Bigtable.

  • bigquery.datasets.create
  • bigquery.datasets.get
  • bigquery.jobs.create
  • bigquery.tables.create
  • bigquery.tables.export
  • bigquery.tables.get
  • bigquery.tables.getData
  • bigquery.tables.update
  • bigquery.tables.updateData
  • bigtable.tables.get
  • bigtable.tables.list
  • bigtable.tables.readRows
  • serviceusage.services.use
  • storage.buckets.get
  • storage.objects.create
  • storage.objects.delete
  • storage.objects.get
  • storage.objects.list
  • storage.objects.update

Recommendations AI Service Agent

roles/automlrecommendations.serviceAgent

Recommendations AI service uploads catalog feeds from Cloud Storage, reports results to the customer Cloud Storage bucket, writes logs to customer projects, and writes and reads Stackdriver metrics for customer projects.

  • bigquery.datasets.create
  • bigquery.datasets.get
  • bigquery.jobs.create
  • bigquery.jobs.get
  • bigquery.jobs.list
  • bigquery.jobs.update
  • bigquery.tables.create
  • bigquery.tables.export
  • bigquery.tables.get
  • bigquery.tables.getData
  • bigquery.tables.list
  • bigquery.tables.updateData
  • cloudnotifications.*
  • logging.logEntries.create
  • monitoring.alertPolicies.get
  • monitoring.alertPolicies.list
  • monitoring.dashboards.get
  • monitoring.dashboards.list
  • monitoring.groups.get
  • monitoring.groups.list
  • monitoring.metricDescriptors.create
  • monitoring.metricDescriptors.get
  • monitoring.metricDescriptors.list
  • monitoring.monitoredResourceDescriptors.*
  • monitoring.notificationChannelDescriptors.*
  • monitoring.notificationChannels.get
  • monitoring.notificationChannels.list
  • monitoring.publicWidgets.get
  • monitoring.publicWidgets.list
  • monitoring.services.get
  • monitoring.services.list
  • monitoring.slos.get
  • monitoring.slos.list
  • monitoring.timeSeries.*
  • monitoring.uptimeCheckConfigs.get
  • monitoring.uptimeCheckConfigs.list
  • opsconfigmonitoring.resourceMetadata.list
  • resourcemanager.projects.get
  • resourcemanager.projects.list
  • stackdriver.projects.get
  • storage.buckets.create
  • storage.buckets.get
  • storage.objects.create
  • storage.objects.delete
  • storage.objects.get
  • storage.objects.list
  • storage.objects.update

BigQuery Connection Service Agent

roles/bigqueryconnection.serviceAgent

Gives BigQuery Connection Service access to Cloud SQL instances in user projects.

  • cloudsql.instances.connect
  • cloudsql.instances.get
  • logging.logEntries.create
  • monitoring.metricDescriptors.create
  • monitoring.metricDescriptors.get
  • monitoring.metricDescriptors.list
  • monitoring.monitoredResourceDescriptors.*
  • monitoring.timeSeries.create

BigQuery Data Transfer Service Agent

roles/bigquerydatatransfer.serviceAgent

Gives BigQuery Data Transfer Service access to start BigQuery jobs in the consumer project.

  • bigquery.jobs.create
  • iam.serviceAccounts.getAccessToken
  • logging.logEntries.create
  • resourcemanager.projects.get
  • resourcemanager.projects.list

Binary Authorization Service Agent

roles/binaryauthorization.serviceAgent

Can read Notes and Occurrences from the Container Analysis Service to find and verify signatures.

  • binaryauthorization.attestors.get
  • binaryauthorization.attestors.list
  • binaryauthorization.attestors.verifyImageAttested
  • containeranalysis.notes.get
  • containeranalysis.notes.list
  • containeranalysis.notes.listOccurrences
  • containeranalysis.occurrences.get
  • containeranalysis.occurrences.list
  • resourcemanager.projects.get
  • resourcemanager.projects.list

Cloud Asset Service Agent

roles/cloudasset.serviceAgent

Gives Cloud Asset service agent permissions to Cloud Storage and BigQuery for exporting Assets, and permission to publish to Cloud Pub/Sub topics for Asset Real Time Feed.

  • bigquery.datasets.get
  • bigquery.jobs.create
  • bigquery.jobs.get
  • bigquery.tables.create
  • bigquery.tables.delete
  • bigquery.tables.get
  • bigquery.tables.update
  • bigquery.tables.updateData
  • pubsub.topics.publish
  • storage.buckets.create
  • storage.buckets.get
  • storage.buckets.getIamPolicy
  • storage.objects.create
  • storage.objects.delete
  • storage.objects.get

Cloud Build Service Agent

roles/cloudbuild.serviceAgent

Gives Cloud Build service account access to managed resources.

  • artifactregistry.aptartifacts.*
  • artifactregistry.files.*
  • artifactregistry.packages.get
  • artifactregistry.packages.list
  • artifactregistry.repositories.downloadArtifacts
  • artifactregistry.repositories.get
  • artifactregistry.repositories.list
  • artifactregistry.repositories.uploadArtifacts
  • artifactregistry.tags.create
  • artifactregistry.tags.get
  • artifactregistry.tags.list
  • artifactregistry.tags.update
  • artifactregistry.versions.get
  • artifactregistry.versions.list
  • artifactregistry.yumartifacts.*
  • binaryauthorization.attestors.create
  • binaryauthorization.attestors.delete
  • binaryauthorization.attestors.get
  • binaryauthorization.attestors.list
  • binaryauthorization.attestors.update
  • binaryauthorization.attestors.verifyImageAttested
  • cloudbuild.builds.create
  • cloudbuild.builds.get
  • cloudbuild.builds.list
  • cloudbuild.builds.update
  • cloudbuild.workerpools.use
  • compute.firewalls.get
  • compute.firewalls.list
  • compute.networks.get
  • compute.subnetworks.get
  • containeranalysis.notes.attachOccurrence
  • containeranalysis.notes.create
  • containeranalysis.notes.delete
  • containeranalysis.notes.get
  • containeranalysis.notes.list
  • containeranalysis.notes.update
  • containeranalysis.occurrences.create
  • containeranalysis.occurrences.delete
  • containeranalysis.occurrences.get
  • containeranalysis.occurrences.list
  • containeranalysis.occurrences.update
  • iam.serviceAccounts.get
  • iam.serviceAccounts.getAccessToken
  • logging.logEntries.create
  • pubsub.subscriptions.create
  • pubsub.subscriptions.delete
  • pubsub.subscriptions.get
  • pubsub.subscriptions.update
  • pubsub.topics.attachSubscription
  • pubsub.topics.create
  • pubsub.topics.publish
  • remotebuildexecution.blobs.get
  • resourcemanager.projects.get
  • resourcemanager.projects.list
  • serviceusage.services.use
  • source.repos.get
  • source.repos.list
  • storage.buckets.create
  • storage.buckets.get
  • storage.buckets.list
  • storage.objects.create
  • storage.objects.delete
  • storage.objects.get
  • storage.objects.list
  • storage.objects.update

Cloud Deploy Service Agent

roles/clouddeploy.serviceAgent

Gives Cloud Deploy Service Account access to managed resources.

  • cloudbuild.builds.create
  • cloudbuild.builds.get
  • cloudbuild.builds.list
  • cloudbuild.workerpools.use
  • iam.serviceAccounts.actAs
  • logging.logEntries.create
  • pubsub.topics.get
  • pubsub.topics.publish
  • servicemanagement.services.report
  • serviceusage.services.use
  • storage.buckets.create
  • storage.buckets.get

Cloud Functions Service Agent

roles/cloudfunctions.serviceAgent

Gives Cloud Functions service account access to managed resources.

  • artifactregistry.*
  • clientauthconfig.clients.list
  • cloudbuild.builds.create
  • cloudbuild.builds.get
  • cloudbuild.builds.list
  • cloudbuild.builds.update
  • cloudbuild.workerpools.use
  • cloudfunctions.functions.invoke
  • compute.globalOperations.get
  • compute.networks.access
  • eventarc.locations.*
  • eventarc.operations.*
  • eventarc.triggers.create
  • eventarc.triggers.delete
  • eventarc.triggers.get
  • eventarc.triggers.getIamPolicy
  • eventarc.triggers.list
  • eventarc.triggers.undelete
  • eventarc.triggers.update
  • firebasedatabase.instances.get
  • firebasedatabase.instances.update
  • iam.serviceAccounts.actAs
  • iam.serviceAccounts.getAccessToken
  • iam.serviceAccounts.getOpenIdToken
  • iam.serviceAccounts.signBlob
  • pubsub.subscriptions.*
  • pubsub.topics.attachSubscription
  • pubsub.topics.create
  • pubsub.topics.get
  • pubsub.topics.list
  • recommender.locations.*
  • remotebuildexecution.blobs.get
  • resourcemanager.projects.get
  • resourcemanager.projects.getIamPolicy
  • resourcemanager.projects.list
  • run.configurations.*
  • run.locations.*
  • run.revisions.*
  • run.routes.*
  • run.services.create
  • run.services.delete
  • run.services.get
  • run.services.getIamPolicy
  • run.services.list
  • run.services.update
  • serviceusage.quotas.get
  • serviceusage.services.disable
  • serviceusage.services.enable
  • serviceusage.services.use
  • storage.buckets.create
  • storage.buckets.delete
  • storage.buckets.get
  • storage.buckets.update
  • storage.objects.create
  • storage.objects.delete
  • storage.objects.get
  • storage.objects.list
  • vpcaccess.connectors.get
  • vpcaccess.connectors.use

Cloud IoT Core Service Agent

roles/cloudiot.serviceAgent

Grants the ability to manage Cloud IoT Core resources, including publishing data to Cloud Pub/Sub and writing device activity logs to Stackdriver. Warning: If this role is removed from the Cloud IoT service account, Cloud IoT Core will be unable to publish data or write device activity logs.

  • logging.logEntries.create
  • pubsub.topics.publish

Cloud KMS Service Agent

roles/cloudkms.serviceAgent

Gives Cloud KMS service account access to managed resources.

  • cloudasset.assets.listCloudkmsCryptoKeys

Cloud Optimization Service Agent

roles/cloudoptimization.serviceAgent

Grants Cloud Optimization Service Account access to read and write data in the user project.

  • storage.buckets.get
  • storage.objects.create
  • storage.objects.delete
  • storage.objects.get
  • storage.objects.list
  • storage.objects.update

Cloud Scheduler Service Agent

roles/cloudscheduler.serviceAgent

Grants Cloud Scheduler Service Account access to manage resources.

  • iam.serviceAccounts.getAccessToken
  • iam.serviceAccounts.getOpenIdToken
  • logging.logEntries.create
  • pubsub.topics.publish

Cloud SQL Service Agent

roles/cloudsql.serviceAgent

Grants Cloud SQL access to services and APIs in the user project

  • cloudsql.instances.get

Cloud Tasks Service Agent

roles/cloudtasks.serviceAgent

Grants Cloud Tasks Service Account access to manage resources.

  • iam.serviceAccounts.getAccessToken
  • iam.serviceAccounts.getOpenIdToken
  • logging.logEntries.create

Cloud TPU V2 API Service Agent

roles/cloudtpu.serviceAgent

Gives Cloud TPUs service account access to managed resources

  • compute.acceleratorTypes.*
  • compute.addresses.*
  • compute.autoscalers.*
  • compute.backendBuckets.*
  • compute.backendServices.*
  • compute.diskTypes.*
  • compute.disks.*
  • compute.externalVpnGateways.*
  • compute.firewallPolicies.get
  • compute.firewallPolicies.list
  • compute.firewallPolicies.use
  • compute.firewalls.*
  • compute.forwardingRules.*
  • compute.globalAddresses.*
  • compute.globalForwardingRules.*
  • compute.globalNetworkEndpointGroups.*
  • compute.globalOperations.get
  • compute.globalOperations.list
  • compute.globalPublicDelegatedPrefixes.delete
  • compute.globalPublicDelegatedPrefixes.get
  • compute.globalPublicDelegatedPrefixes.list
  • compute.globalPublicDelegatedPrefixes.update
  • compute.globalPublicDelegatedPrefixes.updatePolicy
  • compute.healthChecks.*
  • compute.httpHealthChecks.*
  • compute.httpsHealthChecks.*
  • compute.images.*
  • compute.instanceGroupManagers.*
  • compute.instanceGroups.*
  • compute.instanceTemplates.*
  • compute.instances.*
  • compute.interconnectAttachments.*
  • compute.interconnectLocations.*
  • compute.interconnects.*
  • compute.licenseCodes.*
  • compute.licenses.*
  • compute.machineImages.*
  • compute.machineTypes.*
  • compute.networkEndpointGroups.*
  • compute.networks.*
  • compute.projects.get
  • compute.projects.setCommonInstanceMetadata
  • compute.publicDelegatedPrefixes.delete
  • compute.publicDelegatedPrefixes.get
  • compute.publicDelegatedPrefixes.list
  • compute.publicDelegatedPrefixes.update
  • compute.publicDelegatedPrefixes.updatePolicy
  • compute.regionBackendServices.*
  • compute.regionHealthCheckServices.*
  • compute.regionHealthChecks.*
  • compute.regionNetworkEndpointGroups.*
  • compute.regionNotificationEndpoints.*
  • compute.regionOperations.get
  • compute.regionOperations.list
  • compute.regionSslCertificates.get
  • compute.regionSslCertificates.list
  • compute.regionTargetHttpProxies.*
  • compute.regionTargetHttpsProxies.*
  • compute.regionUrlMaps.*
  • compute.regions.*
  • compute.reservations.get
  • compute.reservations.list
  • compute.resourcePolicies.*
  • compute.routers.*
  • compute.routes.*
  • compute.securityPolicies.get
  • compute.securityPolicies.list
  • compute.securityPolicies.use
  • compute.serviceAttachments.*
  • compute.snapshots.*
  • compute.sslCertificates.get
  • compute.sslCertificates.list
  • compute.sslPolicies.*
  • compute.subnetworks.*
  • compute.targetGrpcProxies.*
  • compute.targetHttpProxies.*
  • compute.targetHttpsProxies.*
  • compute.targetInstances.*
  • compute.targetPools.*
  • compute.targetSslProxies.*
  • compute.targetTcpProxies.*
  • compute.targetVpnGateways.*
  • compute.urlMaps.*
  • compute.vpnGateways.*
  • compute.vpnTunnels.*
  • compute.zoneOperations.get
  • compute.zoneOperations.list
  • compute.zones.*
  • iam.serviceAccounts.actAs
  • iam.serviceAccounts.get
  • iam.serviceAccounts.list
  • logging.logEntries.create
  • monitoring.metricDescriptors.create
  • monitoring.metricDescriptors.get
  • monitoring.metricDescriptors.list
  • monitoring.monitoredResourceDescriptors.*
  • monitoring.timeSeries.create
  • networkconnectivity.locations.*
  • networkconnectivity.operations.*
  • networksecurity.*
  • networkservices.*
  • pubsub.*
  • resourcemanager.projects.get
  • resourcemanager.projects.list
  • servicedirectory.namespaces.create
  • servicedirectory.namespaces.delete
  • servicedirectory.services.create
  • servicedirectory.services.delete
  • servicenetworking.operations.get
  • servicenetworking.services.addPeering
  • servicenetworking.services.get
  • serviceusage.quotas.get
  • serviceusage.services.get
  • serviceusage.services.list
  • trafficdirector.*

Cloud Translation API Service Agent

roles/cloudtranslate.serviceAgent

Gives Cloud Translation Service Account access to consumer resources.

  • storage.buckets.get
  • storage.objects.create
  • storage.objects.get
  • storage.objects.list

Compliance Scanning Service Agent

roles/compliancescanning.ServiceAgent

Gives Compliance Scanning the access it needs to analyze containers and VMs for compliance and create occurrences using the Container Analysis API

  • artifactregistry.files.*
  • artifactregistry.packages.get
  • artifactregistry.packages.list
  • artifactregistry.repositories.downloadArtifacts
  • artifactregistry.repositories.get
  • artifactregistry.repositories.list
  • artifactregistry.tags.get
  • artifactregistry.tags.list
  • artifactregistry.versions.get
  • artifactregistry.versions.list
  • compute.images.get
  • compute.images.list
  • compute.images.useReadOnly
  • compute.instances.get
  • compute.instances.getGuestAttributes
  • compute.instances.list
  • compute.zones.*
  • containeranalysis.notes.attachOccurrence
  • containeranalysis.notes.create
  • containeranalysis.notes.delete
  • containeranalysis.notes.get
  • containeranalysis.notes.list
  • containeranalysis.notes.update
  • containeranalysis.occurrences.create
  • containeranalysis.occurrences.delete
  • containeranalysis.occurrences.get
  • containeranalysis.occurrences.list
  • containeranalysis.occurrences.update
  • resourcemanager.projects.get
  • resourcemanager.projects.list
  • storage.objects.get
  • storage.objects.list

Cloud Composer API Service Agent

roles/composer.serviceAgent

Cloud Composer API service agent can manage environments.

  • appengine.applications.get
  • appengine.applications.update
  • appengine.instances.*
  • appengine.operations.*
  • appengine.runtimes.*
  • appengine.services.*
  • appengine.versions.create
  • appengine.versions.delete
  • appengine.versions.get
  • appengine.versions.list
  • appengine.versions.update
  • artifactregistry.repositories.create
  • artifactregistry.repositories.delete
  • artifactregistry.repositories.get
  • artifactregistry.repositories.list
  • artifactregistry.repositories.update
  • cloudnotifications.*
  • cloudsql.*
  • compute.acceleratorTypes.*
  • compute.addresses.*
  • compute.autoscalers.*
  • compute.backendBuckets.*
  • compute.backendServices.*
  • compute.diskTypes.*
  • compute.disks.*
  • compute.externalVpnGateways.*
  • compute.firewallPolicies.get
  • compute.firewallPolicies.list
  • compute.firewallPolicies.use
  • compute.firewalls.get
  • compute.firewalls.list
  • compute.forwardingRules.*
  • compute.globalAddresses.*
  • compute.globalForwardingRules.*
  • compute.globalNetworkEndpointGroups.*
  • compute.globalOperations.get
  • compute.globalOperations.list
  • compute.globalPublicDelegatedPrefixes.delete
  • compute.globalPublicDelegatedPrefixes.get
  • compute.globalPublicDelegatedPrefixes.list
  • compute.globalPublicDelegatedPrefixes.update
  • compute.globalPublicDelegatedPrefixes.updatePolicy
  • compute.healthChecks.*
  • compute.httpHealthChecks.*
  • compute.httpsHealthChecks.*
  • compute.images.*
  • compute.instanceGroupManagers.*
  • compute.instanceGroups.*
  • compute.instanceTemplates.*
  • compute.instances.*
  • compute.interconnectAttachments.*
  • compute.interconnectLocations.*
  • compute.interconnects.*
  • compute.licenseCodes.*
  • compute.licenses.*
  • compute.machineImages.*
  • compute.machineTypes.*
  • compute.networkEndpointGroups.*
  • compute.networks.*
  • compute.projects.get
  • compute.projects.setCommonInstanceMetadata
  • compute.publicDelegatedPrefixes.delete
  • compute.publicDelegatedPrefixes.get
  • compute.publicDelegatedPrefixes.list
  • compute.publicDelegatedPrefixes.update
  • compute.publicDelegatedPrefixes.updatePolicy
  • compute.regionBackendServices.*
  • compute.regionHealthCheckServices.*
  • compute.regionHealthChecks.*
  • compute.regionNetworkEndpointGroups.*
  • compute.regionNotificationEndpoints.*
  • compute.regionOperations.get
  • compute.regionOperations.list
  • compute.regionSslCertificates.get
  • compute.regionSslCertificates.list
  • compute.regionTargetHttpProxies.*
  • compute.regionTargetHttpsProxies.*
  • compute.regionUrlMaps.*
  • compute.regions.*
  • compute.reservations.get
  • compute.reservations.list
  • compute.resourcePolicies.*
  • compute.routers.*
  • compute.routes.*
  • compute.securityPolicies.get
  • compute.securityPolicies.list
  • compute.securityPolicies.use
  • compute.serviceAttachments.*
  • compute.snapshots.*
  • compute.sslCertificates.get
  • compute.sslCertificates.list
  • compute.sslPolicies.*
  • compute.subnetworks.*
  • compute.targetGrpcProxies.*
  • compute.targetHttpProxies.*
  • compute.targetHttpsProxies.*
  • compute.targetInstances.*
  • compute.targetPools.*
  • compute.targetSslProxies.*
  • compute.targetTcpProxies.*
  • compute.targetVpnGateways.*
  • compute.urlMaps.*
  • compute.vpnGateways.*
  • compute.vpnTunnels.*
  • compute.zoneOperations.get
  • compute.zoneOperations.list
  • compute.zones.*
  • container.*
  • deploymentmanager.compositeTypes.*
  • deploymentmanager.deployments.cancelPreview
  • deploymentmanager.deployments.create
  • deploymentmanager.deployments.delete
  • deploymentmanager.deployments.get
  • deploymentmanager.deployments.list
  • deploymentmanager.deployments.stop
  • deploymentmanager.deployments.update
  • deploymentmanager.manifests.*
  • deploymentmanager.operations.*
  • deploymentmanager.resources.*
  • deploymentmanager.typeProviders.*
  • deploymentmanager.types.*
  • firebase.projects.get
  • iam.serviceAccounts.actAs
  • iam.serviceAccounts.get
  • iam.serviceAccounts.list
  • logging.buckets.create
  • logging.buckets.delete
  • logging.buckets.get
  • logging.buckets.list
  • logging.buckets.undelete
  • logging.buckets.update
  • logging.cmekSettings.*
  • logging.exclusions.*
  • logging.locations.*
  • logging.logEntries.create
  • logging.logMetrics.*
  • logging.logServiceIndexes.*
  • logging.logServices.*
  • logging.logs.list
  • logging.notificationRules.*
  • logging.operations.*
  • logging.sinks.*
  • logging.views.create
  • logging.views.delete
  • logging.views.get
  • logging.views.list
  • logging.views.update
  • monitoring.alertPolicies.get
  • monitoring.alertPolicies.list
  • monitoring.dashboards.get
  • monitoring.dashboards.list
  • monitoring.groups.get
  • monitoring.groups.list
  • monitoring.metricDescriptors.create
  • monitoring.metricDescriptors.get
  • monitoring.metricDescriptors.list
  • monitoring.monitoredResourceDescriptors.*
  • monitoring.notificationChannelDescriptors.*
  • monitoring.notificationChannels.get
  • monitoring.notificationChannels.list
  • monitoring.publicWidgets.get
  • monitoring.publicWidgets.list
  • monitoring.services.get
  • monitoring.services.list
  • monitoring.slos.get
  • monitoring.slos.list
  • monitoring.timeSeries.*
  • monitoring.uptimeCheckConfigs.get
  • monitoring.uptimeCheckConfigs.list
  • networkconnectivity.locations.*
  • networkconnectivity.operations.*
  • networksecurity.*
  • networkservices.*
  • opsconfigmonitoring.resourceMetadata.list
  • orgpolicy.policy.get
  • pubsub.*
  • recommender.cloudsqlIdleInstanceRecommendations.*
  • recommender.cloudsqlInstanceActivityInsights.*
  • recommender.cloudsqlInstanceCpuUsageInsights.*
  • recommender.cloudsqlInstanceDiskUsageTrendInsights.*
  • recommender.cloudsqlInstanceMemoryUsageInsights.*
  • recommender.cloudsqlInstanceOutOfDiskRecommendations.*
  • recommender.cloudsqlOverprovisionedInstanceRecommendations.*
  • resourcemanager.projects.get
  • resourcemanager.projects.list
  • servicedirectory.namespaces.create
  • servicedirectory.namespaces.delete
  • servicedirectory.services.create
  • servicedirectory.services.delete
  • servicenetworking.operations.get
  • servicenetworking.services.addPeering
  • servicenetworking.services.get
  • serviceusage.quotas.get
  • serviceusage.services.get
  • serviceusage.services.list
  • stackdriver.projects.get
  • storage.buckets.*
  • storage.multipartUploads.*
  • storage.objects.*
  • trafficdirector.*

Compute Engine Service Agent

roles/compute.serviceAgent

Gives Compute Engine Service Account access to assert service account authority. Includes access to service accounts.

  • cloudnotifications.*
  • compute.instanceGroupManagers.get
  • iam.serviceAccounts.getAccessToken
  • iam.serviceAccounts.getOpenIdToken
  • iam.serviceAccounts.signJwt
  • logging.logEntries.create
  • monitoring.alertPolicies.get
  • monitoring.alertPolicies.list
  • monitoring.dashboards.get
  • monitoring.dashboards.list
  • monitoring.groups.get
  • monitoring.groups.list
  • monitoring.metricDescriptors.get
  • monitoring.metricDescriptors.list
  • monitoring.monitoredResourceDescriptors.*
  • monitoring.notificationChannelDescriptors.*
  • monitoring.notificationChannels.get
  • monitoring.notificationChannels.list
  • monitoring.publicWidgets.get
  • monitoring.publicWidgets.list
  • monitoring.services.get
  • monitoring.services.list
  • monitoring.slos.get
  • monitoring.slos.list
  • monitoring.timeSeries.list
  • monitoring.uptimeCheckConfigs.get
  • monitoring.uptimeCheckConfigs.list
  • opsconfigmonitoring.resourceMetadata.list
  • resourcemanager.projects.get
  • resourcemanager.projects.list
  • stackdriver.projects.get

Contact Center AI Insights Service Agent

roles/contactcenterinsights.serviceAgent

Allows Contact Center AI to read and write APIs including BigQuery, Dialogflow, and Storage.

  • bigquery.datasets.create
  • bigquery.datasets.get
  • bigquery.jobs.create
  • bigquery.jobs.get
  • bigquery.tables.create
  • bigquery.tables.get
  • bigquery.tables.update
  • bigquery.tables.updateData
  • datalabeling.dataitems.*
  • datalabeling.datasets.create
  • datalabeling.datasets.delete
  • datalabeling.datasets.export
  • datalabeling.datasets.get
  • datalabeling.datasets.import
  • datalabeling.operations.get
  • datalabeling.operations.list
  • dialogflow.conversationDatasets.*
  • dialogflow.conversationModels.*
  • dialogflow.documents.*
  • dialogflow.operations.*
  • dialogflow.participants.suggest
  • dialogflow.sessions.detectIntent
  • pubsub.topics.get
  • pubsub.topics.publish
  • storage.objects.get
  • storage.objects.list

Kubernetes Engine Service Agent

roles/container.serviceAgent

Gives Kubernetes Engine account access to manage cluster resources. Includes access to service accounts.

  • bigquery.datasets.create
  • bigquery.datasets.get
  • bigquery.tables.create
  • bigquery.tables.get
  • bigquery.tables.update
  • bigquery.tables.updateData
  • compute.acceleratorTypes.*
  • compute.addresses.*
  • compute.autoscalers.*
  • compute.backendBuckets.*
  • compute.backendServices.*
  • compute.diskTypes.*
  • compute.disks.*
  • compute.externalVpnGateways.*
  • compute.firewallPolicies.*
  • compute.firewalls.*
  • compute.forwardingRules.*
  • compute.globalAddresses.*
  • compute.globalForwardingRules.*
  • compute.globalNetworkEndpointGroups.*
  • compute.globalOperations.get
  • compute.globalOperations.list
  • compute.globalPublicDelegatedPrefixes.delete
  • compute.globalPublicDelegatedPrefixes.get
  • compute.globalPublicDelegatedPrefixes.list
  • compute.globalPublicDelegatedPrefixes.update
  • compute.globalPublicDelegatedPrefixes.updatePolicy
  • compute.healthChecks.*
  • compute.httpHealthChecks.*
  • compute.httpsHealthChecks.*
  • compute.images.*
  • compute.instanceGroupManagers.*
  • compute.instanceGroups.*
  • compute.instanceTemplates.*
  • compute.instances.*
  • compute.interconnectAttachments.*
  • compute.interconnectLocations.*
  • compute.interconnects.*
  • compute.licenseCodes.*
  • compute.licenses.*
  • compute.machineImages.*
  • compute.machineTypes.*
  • compute.networkEndpointGroups.*
  • compute.networks.*
  • compute.nodeGroups.get
  • compute.packetMirrorings.*
  • compute.projects.get
  • compute.projects.setCommonInstanceMetadata
  • compute.publicDelegatedPrefixes.delete
  • compute.publicDelegatedPrefixes.get
  • compute.publicDelegatedPrefixes.list
  • compute.publicDelegatedPrefixes.update
  • compute.publicDelegatedPrefixes.updatePolicy
  • compute.regionBackendServices.*
  • compute.regionHealthCheckServices.*
  • compute.regionHealthChecks.*
  • compute.regionNetworkEndpointGroups.*
  • compute.regionNotificationEndpoints.*
  • compute.regionOperations.get
  • compute.regionOperations.list
  • compute.regionSslCertificates.*
  • compute.regionTargetHttpProxies.*
  • compute.regionTargetHttpsProxies.*
  • compute.regionUrlMaps.*
  • compute.regions.*
  • compute.reservations.get
  • compute.reservations.list
  • compute.resourcePolicies.*
  • compute.routers.*
  • compute.routes.*
  • compute.securityPolicies.*
  • compute.serviceAttachments.*
  • compute.snapshots.*
  • compute.sslCertificates.*
  • compute.sslPolicies.*
  • compute.subnetworks.*
  • compute.targetGrpcProxies.*
  • compute.targetHttpProxies.*
  • compute.targetHttpsProxies.*
  • compute.targetInstances.*
  • compute.targetPools.*
  • compute.targetSslProxies.*
  • compute.targetTcpProxies.*
  • compute.targetVpnGateways.*
  • compute.urlMaps.*
  • compute.vpnGateways.*
  • compute.vpnTunnels.*
  • compute.zoneOperations.get
  • compute.zoneOperations.list
  • compute.zones.*
  • container.*
  • dns.changes.*
  • dns.dnsKeys.*
  • dns.managedZoneOperations.*
  • dns.managedZones.*
  • dns.networks.*
  • dns.policies.create
  • dns.policies.delete
  • dns.policies.get
  • dns.policies.list
  • dns.policies.update
  • dns.projects.*
  • dns.resourceRecordSets.*
  • dns.responsePolicies.*
  • dns.responsePolicyRules.*
  • file.*
  • iam.serviceAccounts.actAs
  • iam.serviceAccounts.get
  • logging.logEntries.create
  • monitoring.metricDescriptors.create
  • monitoring.metricDescriptors.get
  • monitoring.metricDescriptors.list
  • monitoring.timeSeries.*
  • networkconnectivity.locations.*
  • networkconnectivity.operations.*
  • networksecurity.*
  • networkservices.*
  • pubsub.topics.create
  • pubsub.topics.get
  • pubsub.topics.publish
  • resourcemanager.projects.get
  • resourcemanager.projects.list
  • servicedirectory.namespaces.create
  • servicedirectory.namespaces.delete
  • servicedirectory.services.create
  • servicedirectory.services.delete
  • servicenetworking.operations.get
  • servicenetworking.services.addPeering
  • servicenetworking.services.get
  • serviceusage.quotas.get
  • serviceusage.services.get
  • serviceusage.services.list
  • tpu.locations.*
  • tpu.nodes.create
  • tpu.nodes.delete
  • tpu.nodes.get
  • tpu.nodes.list
  • tpu.operations.*
  • trafficdirector.*

Container Analysis Service Agent

roles/containeranalysis.ServiceAgent

Gives Container Analysis API the access it needs to function

  • artifactregistry.files.*
  • artifactregistry.packages.get
  • artifactregistry.packages.list
  • artifactregistry.repositories.downloadArtifacts
  • artifactregistry.repositories.get
  • artifactregistry.repositories.list
  • artifactregistry.tags.get
  • artifactregistry.tags.list
  • artifactregistry.versions.get
  • artifactregistry.versions.list
  • containeranalysis.occurrences.create
  • containeranalysis.occurrences.delete
  • containeranalysis.occurrences.get
  • containeranalysis.occurrences.list
  • containeranalysis.occurrences.update
  • pubsub.schemas.attach
  • pubsub.schemas.create
  • pubsub.schemas.delete
  • pubsub.schemas.get
  • pubsub.schemas.list
  • pubsub.schemas.validate
  • pubsub.snapshots.create
  • pubsub.snapshots.delete
  • pubsub.snapshots.get
  • pubsub.snapshots.list
  • pubsub.snapshots.seek
  • pubsub.snapshots.update
  • pubsub.subscriptions.consume
  • pubsub.subscriptions.create
  • pubsub.subscriptions.delete
  • pubsub.subscriptions.get
  • pubsub.subscriptions.list
  • pubsub.subscriptions.update
  • pubsub.topics.attachSubscription
  • pubsub.topics.create
  • pubsub.topics.delete
  • pubsub.topics.detachSubscription
  • pubsub.topics.get
  • pubsub.topics.list
  • pubsub.topics.publish
  • pubsub.topics.update
  • pubsub.topics.updateTag
  • resourcemanager.projects.get
  • resourcemanager.projects.list
  • serviceusage.quotas.get
  • serviceusage.services.get
  • serviceusage.services.list
  • storage.objects.get
  • storage.objects.list

Container Registry Service Agent

roles/containerregistry.ServiceAgent

Access for Container Registry

  • pubsub.topics.publish
  • storage.objects.get
  • storage.objects.getIamPolicy
  • storage.objects.list

Container Scanner Service Agent

roles/containerscanning.ServiceAgent

Gives Container Scanner the access it needs to analyze containers for vulnerabilities and create occurrences using the Container Analysis API

  • artifactregistry.files.*
  • artifactregistry.packages.get
  • artifactregistry.packages.list
  • artifactregistry.repositories.downloadArtifacts
  • artifactregistry.repositories.get
  • artifactregistry.repositories.list
  • artifactregistry.tags.get
  • artifactregistry.tags.list
  • artifactregistry.versions.get
  • artifactregistry.versions.list
  • containeranalysis.occurrences.create
  • containeranalysis.occurrences.delete
  • containeranalysis.occurrences.get
  • containeranalysis.occurrences.list
  • containeranalysis.occurrences.update
  • resourcemanager.projects.get
  • resourcemanager.projects.list
  • storage.objects.get
  • storage.objects.list

Container Threat Detection Service Agent

roles/containerthreatdetection.serviceAgent

Gives Container Threat Detection service account access to enable/disable Container Threat Detection and manage the Container Threat Detection Agent on Google Kubernetes Engine clusters.

  • container.apiServices.get
  • container.apiServices.getStatus
  • container.apiServices.list
  • container.auditSinks.get
  • container.auditSinks.list
  • container.backendConfigs.get
  • container.backendConfigs.list
  • container.bindings.get
  • container.bindings.list
  • container.certificateSigningRequests.get
  • container.certificateSigningRequests.getStatus
  • container.certificateSigningRequests.list
  • container.clusterRoleBindings.*
  • container.clusterRoles.bind
  • container.clusterRoles.create
  • container.clusterRoles.delete
  • container.clusterRoles.get
  • container.clusterRoles.list
  • container.clusterRoles.update
  • container.clusters.get
  • container.clusters.list
  • container.componentStatuses.*
  • container.configMaps.get
  • container.configMaps.list
  • container.controllerRevisions.get
  • container.controllerRevisions.list
  • container.cronJobs.get
  • container.cronJobs.getStatus
  • container.cronJobs.list
  • container.csiDrivers.get
  • container.csiDrivers.list
  • container.csiNodeInfos.get
  • container.csiNodeInfos.list
  • container.csiNodes.get
  • container.csiNodes.list
  • container.customResourceDefinitions.get
  • container.customResourceDefinitions.getStatus
  • container.customResourceDefinitions.list
  • container.daemonSets.*
  • container.deployments.get
  • container.deployments.getScale
  • container.deployments.getStatus
  • container.deployments.list
  • container.endpointSlices.get
  • container.endpointSlices.list
  • container.endpoints.get
  • container.endpoints.list
  • container.events.get
  • container.events.list
  • container.frontendConfigs.get
  • container.frontendConfigs.list
  • container.horizontalPodAutoscalers.get
  • container.horizontalPodAutoscalers.getStatus
  • container.horizontalPodAutoscalers.list
  • container.ingresses.get
  • container.ingresses.getStatus
  • container.ingresses.list
  • container.initializerConfigurations.get
  • container.initializerConfigurations.list
  • container.jobs.get
  • container.jobs.getStatus
  • container.jobs.list
  • container.leases.get
  • container.leases.list
  • container.limitRanges.get
  • container.limitRanges.list
  • container.managedCertificates.get
  • container.managedCertificates.list
  • container.mutatingWebhookConfigurations.get
  • container.mutatingWebhookConfigurations.list
  • container.namespaces.get
  • container.namespaces.getStatus
  • container.namespaces.list
  • container.networkPolicies.get
  • container.networkPolicies.list
  • container.networkPolicies.update
  • container.nodes.get
  • container.nodes.getStatus
  • container.nodes.list
  • container.operations.*
  • container.persistentVolumeClaims.get
  • container.persistentVolumeClaims.getStatus
  • container.persistentVolumeClaims.list
  • container.persistentVolumes.get
  • container.persistentVolumes.getStatus
  • container.persistentVolumes.list
  • container.petSets.get
  • container.petSets.list
  • container.podDisruptionBudgets.get
  • container.podDisruptionBudgets.getStatus
  • container.podDisruptionBudgets.list
  • container.podPresets.get
  • container.podPresets.list
  • container.podSecurityPolicies.get
  • container.podSecurityPolicies.list
  • container.podTemplates.get
  • container.podTemplates.list
  • container.pods.attach
  • container.pods.create
  • container.pods.delete
  • container.pods.exec
  • container.pods.get
  • container.pods.getLogs
  • container.pods.getStatus
  • container.pods.list
  • container.pods.portForward
  • container.pods.update
  • container.priorityClasses.get
  • container.priorityClasses.list
  • container.replicaSets.get
  • container.replicaSets.getScale
  • container.replicaSets.getStatus
  • container.replicaSets.list
  • container.replicationControllers.get
  • container.replicationControllers.getScale
  • container.replicationControllers.getStatus
  • container.replicationControllers.list
  • container.resourceQuotas.get
  • container.resourceQuotas.getStatus
  • container.resourceQuotas.list
  • container.roleBindings.*
  • container.roles.get
  • container.roles.list
  • container.runtimeClasses.get
  • container.runtimeClasses.list
  • container.scheduledJobs.get
  • container.scheduledJobs.list
  • container.secrets.create
  • container.secrets.delete
  • container.secrets.list
  • container.secrets.update
  • container.serviceAccounts.create
  • container.serviceAccounts.delete
  • container.serviceAccounts.get
  • container.serviceAccounts.list
  • container.serviceAccounts.update
  • container.services.get
  • container.services.getStatus
  • container.services.list
  • container.statefulSets.get
  • container.statefulSets.getScale
  • container.statefulSets.getStatus
  • container.statefulSets.list
  • container.storageClasses.get
  • container.storageClasses.list
  • container.storageStates.get
  • container.storageStates.getStatus
  • container.storageStates.list
  • container.storageVersionMigrations.get
  • container.storageVersionMigrations.getStatus
  • container.storageVersionMigrations.list
  • container.thirdPartyObjects.get
  • container.thirdPartyObjects.list
  • container.thirdPartyResources.get
  • container.thirdPartyResources.list
  • container.tokenReviews.*
  • container.updateInfos.get
  • container.updateInfos.list
  • container.validatingWebhookConfigurations.get
  • container.validatingWebhookConfigurations.list
  • container.volumeAttachments.get
  • container.volumeAttachments.getStatus
  • container.volumeAttachments.list
  • container.volumeSnapshotClasses.get
  • container.volumeSnapshotClasses.list
  • container.volumeSnapshotContents.get
  • container.volumeSnapshotContents.getStatus
  • container.volumeSnapshotContents.list
  • container.volumeSnapshots.get
  • container.volumeSnapshots.list
  • resourcemanager.projects.get
  • resourcemanager.projects.list

Content Warehouse Service Agent

roles/contentwarehouse.serviceAgent

Gives the Content Warehouse service account access to manage customer resources

  • cloudfunctions.functions.invoke
  • pubsub.topics.publish
  • pubsublite.topics.publish
  • storage.objects.get
  • storage.objects.list

Cloud Dataflow Service Agent

roles/dataflow.serviceAgent

Gives Cloud Dataflow service account access to managed resources. Includes access to service accounts.

  • bigquery.bireservations.*
  • bigquery.capacityCommitments.*
  • bigquery.config.*
  • bigquery.connections.*
  • bigquery.datasets.*
  • bigquery.jobs.*
  • bigquery.models.*
  • bigquery.readsessions.*
  • bigquery.reservationAssignments.*
  • bigquery.reservations.*
  • bigquery.routines.*
  • bigquery.rowAccessPolicies.create
  • bigquery.rowAccessPolicies.delete
  • bigquery.rowAccessPolicies.getIamPolicy
  • bigquery.rowAccessPolicies.list
  • bigquery.rowAccessPolicies.setIamPolicy
  • bigquery.rowAccessPolicies.update
  • bigquery.savedqueries.*
  • bigquery.tables.*
  • bigquery.transfers.*
  • clouddebugger.breakpoints.list
  • clouddebugger.breakpoints.listActive
  • clouddebugger.breakpoints.update
  • clouddebugger.debuggees.create
  • cloudnotifications.*
  • compute.acceleratorTypes.*
  • compute.addresses.*
  • compute.autoscalers.*
  • compute.backendBuckets.*
  • compute.backendServices.*
  • compute.diskTypes.*
  • compute.disks.*
  • compute.externalVpnGateways.*
  • compute.firewallPolicies.get
  • compute.firewallPolicies.list
  • compute.firewallPolicies.use
  • compute.firewalls.get
  • compute.firewalls.list
  • compute.forwardingRules.*
  • compute.globalAddresses.*
  • compute.globalForwardingRules.*
  • compute.globalNetworkEndpointGroups.*
  • compute.globalOperations.get
  • compute.globalOperations.list
  • compute.globalPublicDelegatedPrefixes.delete
  • compute.globalPublicDelegatedPrefixes.get
  • compute.globalPublicDelegatedPrefixes.list
  • compute.globalPublicDelegatedPrefixes.update
  • compute.globalPublicDelegatedPrefixes.updatePolicy
  • compute.healthChecks.*
  • compute.httpHealthChecks.*
  • compute.httpsHealthChecks.*
  • compute.images.*
  • compute.instanceGroupManagers.*
  • compute.instanceGroups.*
  • compute.instanceTemplates.*
  • compute.instances.*
  • compute.interconnectAttachments.*
  • compute.interconnectLocations.*
  • compute.interconnects.*
  • compute.licenseCodes.*
  • compute.licenses.*
  • compute.machineImages.*
  • compute.machineTypes.*
  • compute.networkEndpointGroups.*
  • compute.networks.*
  • compute.projects.get
  • compute.publicDelegatedPrefixes.delete
  • compute.publicDelegatedPrefixes.get
  • compute.publicDelegatedPrefixes.list
  • compute.publicDelegatedPrefixes.update
  • compute.publicDelegatedPrefixes.updatePolicy
  • compute.regionBackendServices.*
  • compute.regionHealthCheckServices.*
  • compute.regionHealthChecks.*
  • compute.regionNetworkEndpointGroups.*
  • compute.regionNotificationEndpoints.*
  • compute.regionOperations.get
  • compute.regionOperations.list
  • compute.regionSslCertificates.get
  • compute.regionSslCertificates.list
  • compute.regionTargetHttpProxies.*
  • compute.regionTargetHttpsProxies.*
  • compute.regionUrlMaps.*
  • compute.regions.*
  • compute.reservations.get
  • compute.reservations.list
  • compute.resourcePolicies.*
  • compute.routers.*
  • compute.routes.*
  • compute.securityPolicies.get
  • compute.securityPolicies.list
  • compute.securityPolicies.use
  • compute.serviceAttachments.*
  • compute.snapshots.*
  • compute.sslCertificates.get
  • compute.sslCertificates.list
  • compute.sslPolicies.*
  • compute.subnetworks.*
  • compute.targetGrpcProxies.*
  • compute.targetHttpProxies.*
  • compute.targetHttpsProxies.*
  • compute.targetInstances.*
  • compute.targetPools.*
  • compute.targetSslProxies.*
  • compute.targetTcpProxies.*
  • compute.targetVpnGateways.*
  • compute.urlMaps.*
  • compute.vpnGateways.*
  • compute.vpnTunnels.*
  • compute.zoneOperations.get
  • compute.zoneOperations.list
  • compute.zones.*
  • firebase.projects.get
  • iam.serviceAccounts.actAs
  • iam.serviceAccounts.get
  • iam.serviceAccounts.getAccessToken
  • iam.serviceAccounts.implicitDelegation
  • iam.serviceAccounts.list
  • iam.serviceAccounts.signBlob
  • iam.serviceAccounts.signJwt
  • logging.buckets.create
  • logging.buckets.delete
  • logging.buckets.get
  • logging.buckets.list
  • logging.buckets.undelete
  • logging.buckets.update
  • logging.cmekSettings.*
  • logging.exclusions.*
  • logging.locations.*
  • logging.logEntries.create
  • logging.logMetrics.*
  • logging.logServiceIndexes.*
  • logging.logServices.*
  • logging.logs.list
  • logging.notificationRules.*
  • logging.operations.*
  • logging.sinks.*
  • logging.views.create
  • logging.views.delete
  • logging.views.get
  • logging.views.list
  • logging.views.update
  • monitoring.alertPolicies.get
  • monitoring.alertPolicies.list
  • monitoring.dashboards.get
  • monitoring.dashboards.list
  • monitoring.groups.get
  • monitoring.groups.list
  • monitoring.metricDescriptors.create
  • monitoring.metricDescriptors.get
  • monitoring.metricDescriptors.list
  • monitoring.monitoredResourceDescriptors.*
  • monitoring.notificationChannelDescriptors.*
  • monitoring.notificationChannels.get
  • monitoring.notificationChannels.list
  • monitoring.publicWidgets.get
  • monitoring.publicWidgets.list
  • monitoring.services.get
  • monitoring.services.list
  • monitoring.slos.get
  • monitoring.slos.list
  • monitoring.timeSeries.*
  • monitoring.uptimeCheckConfigs.get
  • monitoring.uptimeCheckConfigs.list
  • networkconnectivity.locations.*
  • networkconnectivity.operations.*
  • networksecurity.*
  • networkservices.*
  • opsconfigmonitoring.resourceMetadata.list
  • pubsub.*
  • resourcemanager.projects.get
  • resourcemanager.projects.list
  • servicedirectory.namespaces.create
  • servicedirectory.namespaces.delete
  • servicedirectory.services.create
  • servicedirectory.services.delete
  • servicenetworking.operations.get
  • servicenetworking.services.addPeering
  • servicenetworking.services.get
  • serviceusage.quotas.get
  • serviceusage.services.get
  • serviceusage.services.list
  • stackdriver.projects.get
  • storage.buckets.*
  • storage.multipartUploads.*
  • storage.objects.*
  • trafficdirector.*

Cloud Data Fusion API Service Agent

roles/datafusion.serviceAgent

Gives Cloud Data Fusion service account access to Service Networking, Cloud Dataproc, Cloud Storage, BigQuery, Cloud Spanner, and Cloud Bigtable resources.

  • bigquery.datasets.*
  • bigquery.jobs.create
  • bigquery.models.*
  • bigquery.routines.*
  • bigquery.rowAccessPolicies.create
  • bigquery.rowAccessPolicies.delete
  • bigquery.rowAccessPolicies.getIamPolicy
  • bigquery.rowAccessPolicies.list
  • bigquery.rowAccessPolicies.setIamPolicy
  • bigquery.rowAccessPolicies.update
  • bigquery.tables.*
  • bigtable.*
  • compute.acceleratorTypes.*
  • compute.addresses.get
  • compute.addresses.list
  • compute.autoscalers.get
  • compute.autoscalers.list
  • compute.backendBuckets.get
  • compute.backendBuckets.list
  • compute.backendServices.get
  • compute.backendServices.list
  • compute.externalVpnGateways.get
  • compute.externalVpnGateways.list
  • compute.firewalls.get
  • compute.firewalls.list
  • compute.forwardingRules.get
  • compute.forwardingRules.list
  • compute.globalAddresses.get
  • compute.globalAddresses.list
  • compute.globalForwardingRules.get
  • compute.globalForwardingRules.list
  • compute.globalForwardingRules.pscGet
  • compute.globalOperations.get
  • compute.healthChecks.get
  • compute.healthChecks.list
  • compute.httpHealthChecks.get
  • compute.httpHealthChecks.list
  • compute.httpsHealthChecks.get
  • compute.httpsHealthChecks.list
  • compute.instanceGroupManagers.get
  • compute.instanceGroupManagers.list
  • compute.instanceGroups.get
  • compute.instanceGroups.list
  • compute.instances.get
  • compute.instances.getGuestAttributes
  • compute.instances.getScreenshot
  • compute.instances.getSerialPortOutput
  • compute.instances.list
  • compute.instances.listReferrers
  • compute.interconnectAttachments.get
  • compute.interconnectAttachments.list
  • compute.interconnectLocations.*
  • compute.interconnects.get
  • compute.interconnects.list
  • compute.machineTypes.*
  • compute.networks.addPeering
  • compute.networks.get
  • compute.networks.getEffectiveFirewalls
  • compute.networks.list
  • compute.networks.listPeeringRoutes
  • compute.networks.removePeering
  • compute.networks.update
  • compute.projects.get
  • compute.regionBackendServices.get
  • compute.regionBackendServices.list
  • compute.regionHealthCheckServices.get
  • compute.regionHealthCheckServices.list
  • compute.regionHealthChecks.get
  • compute.regionHealthChecks.list
  • compute.regionNotificationEndpoints.get
  • compute.regionNotificationEndpoints.list
  • compute.regionSslCertificates.get
  • compute.regionSslCertificates.list
  • compute.regionTargetHttpProxies.get
  • compute.regionTargetHttpProxies.list
  • compute.regionTargetHttpsProxies.get
  • compute.regionTargetHttpsProxies.list
  • compute.regionUrlMaps.get
  • compute.regionUrlMaps.list
  • compute.regions.*
  • compute.routers.get
  • compute.routers.list
  • compute.routes.get
  • compute.routes.list
  • compute.serviceAttachments.get
  • compute.serviceAttachments.list
  • compute.sslCertificates.get
  • compute.sslCertificates.list
  • compute.sslPolicies.get
  • compute.sslPolicies.list
  • compute.sslPolicies.listAvailableFeatures
  • compute.subnetworks.get
  • compute.subnetworks.list
  • compute.targetGrpcProxies.get
  • compute.targetGrpcProxies.list
  • compute.targetHttpProxies.get
  • compute.targetHttpProxies.list
  • compute.targetHttpsProxies.get
  • compute.targetHttpsProxies.list
  • compute.targetInstances.get
  • compute.targetInstances.list
  • compute.targetPools.get
  • compute.targetPools.list
  • compute.targetSslProxies.get
  • compute.targetSslProxies.list
  • compute.targetTcpProxies.get
  • compute.targetTcpProxies.list
  • compute.targetVpnGateways.get
  • compute.targetVpnGateways.list
  • compute.urlMaps.get
  • compute.urlMaps.list
  • compute.vpnGateways.get
  • compute.vpnGateways.list
  • compute.vpnTunnels.get
  • compute.vpnTunnels.list
  • compute.zones.*
  • dataproc.autoscalingPolicies.create
  • dataproc.autoscalingPolicies.delete
  • dataproc.autoscalingPolicies.get
  • dataproc.autoscalingPolicies.list
  • dataproc.autoscalingPolicies.update
  • dataproc.autoscalingPolicies.use
  • dataproc.clusters.create
  • dataproc.clusters.delete
  • dataproc.clusters.get
  • dataproc.clusters.list
  • dataproc.clusters.start
  • dataproc.clusters.stop
  • dataproc.clusters.update
  • dataproc.clusters.use
  • dataproc.jobs.cancel
  • dataproc.jobs.create
  • dataproc.jobs.delete
  • dataproc.jobs.get
  • dataproc.jobs.list
  • dataproc.jobs.update
  • dataproc.operations.delete
  • dataproc.operations.get
  • dataproc.operations.list
  • dataproc.workflowTemplates.create
  • dataproc.workflowTemplates.delete
  • dataproc.workflowTemplates.get
  • dataproc.workflowTemplates.instantiate
  • dataproc.workflowTemplates.instantiateInline
  • dataproc.workflowTemplates.list
  • dataproc.workflowTemplates.update
  • firebase.projects.get
  • monitoring.metricDescriptors.create
  • monitoring.metricDescriptors.get
  • monitoring.metricDescriptors.list
  • monitoring.monitoredResourceDescriptors.*
  • monitoring.timeSeries.*
  • networkconnectivity.locations.*
  • networkconnectivity.operations.get
  • networkconnectivity.operations.list
  • networksecurity.authorizationPolicies.get
  • networksecurity.authorizationPolicies.list
  • networksecurity.clientTlsPolicies.get
  • networksecurity.clientTlsPolicies.list
  • networksecurity.locations.*
  • networksecurity.operations.get
  • networksecurity.operations.list
  • networksecurity.serverTlsPolicies.get
  • networksecurity.serverTlsPolicies.list
  • networkservices.endpointConfigSelectors.get
  • networkservices.endpointConfigSelectors.list
  • networkservices.endpointPolicies.get
  • networkservices.endpointPolicies.list
  • networkservices.httpFilters.get
  • networkservices.httpFilters.list
  • networkservices.httpfilters.get
  • networkservices.httpfilters.list
  • networkservices.locations.*
  • networkservices.operations.get
  • networkservices.operations.list
  • resourcemanager.projects.get
  • resourcemanager.projects.list
  • servicenetworking.services.get
  • serviceusage.quotas.get
  • serviceusage.services.get
  • serviceusage.services.list
  • spanner.databaseOperations.*
  • spanner.databases.beginOrRollbackReadWriteTransaction
  • spanner.databases.beginPartitionedDmlTransaction
  • spanner.databases.beginReadOnlyTransaction
  • spanner.databases.getDdl
  • spanner.databases.list
  • spanner.databases.partitionQuery
  • spanner.databases.partitionRead
  • spanner.databases.read
  • spanner.databases.select
  • spanner.databases.updateDdl
  • spanner.databases.write
  • spanner.instanceConfigs.*
  • spanner.instances.get
  • spanner.instances.list
  • spanner.sessions.*
  • storage.buckets.*
  • storage.multipartUploads.*
  • storage.objects.*
  • trafficdirector.*

Data Labeling Service Agent

roles/datalabeling.serviceAgent

Gives Data Labeling service account read/write access to Cloud Storage and BigQuery, permission to update CMLE model versions, and editor access to Annotation service and AutoML service.

  • automl.annotationSpecs.*
  • automl.annotations.*
  • automl.columnSpecs.*
  • automl.datasets.create
  • automl.datasets.delete
  • automl.datasets.export
  • automl.datasets.get
  • automl.datasets.import
  • automl.datasets.list
  • automl.datasets.update
  • automl.examples.*
  • automl.humanAnnotationTasks.*
  • automl.locations.get
  • automl.locations.list
  • automl.modelEvaluations.*
  • automl.models.create
  • automl.models.delete
  • automl.models.deploy
  • automl.models.export
  • automl.models.get
  • automl.models.list
  • automl.models.predict
  • automl.models.undeploy
  • automl.operations.*
  • automl.tableSpecs.*
  • bigquery.datasets.create
  • bigquery.datasets.get
  • bigquery.jobs.create
  • bigquery.jobs.get
  • bigquery.tables.create
  • bigquery.tables.get
  • bigquery.tables.getData
  • ml.jobs.create
  • ml.jobs.get
  • ml.jobs.getIamPolicy
  • ml.jobs.list
  • ml.locations.*
  • ml.models.*
  • ml.operations.get
  • ml.operations.list
  • ml.projects.*
  • ml.studies.*
  • ml.trials.*
  • ml.versions.*
  • resourcemanager.projects.get
  • resourcemanager.projects.list
  • serviceusage.services.list
  • storage.objects.create
  • storage.objects.delete
  • storage.objects.get
  • storage.objects.list
  • storage.objects.update

Datapipelines Service Agent

roles/datapipelines.serviceAgent

Gives Datapipelines service permissions to create Dataflow & Cloud Scheduler jobs in the user project.

  • appengine.applications.get
  • cloudscheduler.*
  • compute.machineTypes.get
  • dataflow.*
  • firebase.projects.get
  • iam.serviceAccounts.actAs
  • iam.serviceAccounts.get
  • iam.serviceAccounts.list
  • resourcemanager.projects.get
  • resourcemanager.projects.list
  • serviceusage.services.get
  • serviceusage.services.list
  • storage.buckets.*
  • storage.multipartUploads.*
  • storage.objects.*

Dataprep Service Agent

roles/dataprep.serviceAgent

Dataprep service identity. Includes access to service accounts.

  • bigquery.bireservations.get
  • bigquery.capacityCommitments.get
  • bigquery.capacityCommitments.list
  • bigquery.config.get
  • bigquery.datasets.create
  • bigquery.datasets.get
  • bigquery.datasets.getIamPolicy
  • bigquery.datasets.updateTag
  • bigquery.jobs.create
  • bigquery.jobs.list
  • bigquery.models.*
  • bigquery.readsessions.*
  • bigquery.reservationAssignments.list
  • bigquery.reservationAssignments.search
  • bigquery.reservations.get
  • bigquery.reservations.list
  • bigquery.routines.*
  • bigquery.savedqueries.get
  • bigquery.savedqueries.list
  • bigquery.tables.create
  • bigquery.tables.createSnapshot
  • bigquery.tables.delete
  • bigquery.tables.export
  • bigquery.tables.get
  • bigquery.tables.getData
  • bigquery.tables.getIamPolicy
  • bigquery.tables.list
  • bigquery.tables.restoreSnapshot
  • bigquery.tables.update
  • bigquery.tables.updateData
  • bigquery.tables.updateTag
  • bigquery.transfers.get
  • compute.acceleratorTypes.*
  • compute.addresses.get
  • compute.addresses.list
  • compute.autoscalers.get
  • compute.autoscalers.list
  • compute.backendBuckets.get
  • compute.backendBuckets.list
  • compute.backendServices.get
  • compute.backendServices.getIamPolicy
  • compute.backendServices.list
  • compute.commitments.get
  • compute.commitments.list
  • compute.diskTypes.*
  • compute.disks.get
  • compute.disks.getIamPolicy
  • compute.disks.list
  • compute.externalVpnGateways.get
  • compute.externalVpnGateways.list
  • compute.firewallPolicies.get
  • compute.firewallPolicies.getIamPolicy
  • compute.firewallPolicies.list
  • compute.firewalls.get
  • compute.firewalls.list
  • compute.forwardingRules.get
  • compute.forwardingRules.list
  • compute.globalAddresses.get
  • compute.globalAddresses.list
  • compute.globalForwardingRules.get
  • compute.globalForwardingRules.list
  • compute.globalForwardingRules.pscGet
  • compute.globalNetworkEndpointGroups.get
  • compute.globalNetworkEndpointGroups.list
  • compute.globalOperations.get
  • compute.globalOperations.getIamPolicy
  • compute.globalOperations.list
  • compute.globalPublicDelegatedPrefixes.get
  • compute.globalPublicDelegatedPrefixes.list
  • compute.healthChecks.get
  • compute.healthChecks.list
  • compute.httpHealthChecks.get
  • compute.httpHealthChecks.list
  • compute.httpsHealthChecks.get
  • compute.httpsHealthChecks.list
  • compute.images.get
  • compute.images.getFromFamily
  • compute.images.getIamPolicy
  • compute.images.list
  • compute.instanceGroupManagers.get
  • compute.instanceGroupManagers.list
  • compute.instanceGroups.get
  • compute.instanceGroups.list
  • compute.instanceTemplates.get
  • compute.instanceTemplates.getIamPolicy
  • compute.instanceTemplates.list
  • compute.instances.get
  • compute.instances.getEffectiveFirewalls
  • compute.instances.getGuestAttributes
  • compute.instances.getIamPolicy
  • compute.instances.getScreenshot
  • compute.instances.getSerialPortOutput
  • compute.instances.getShieldedInstanceIdentity
  • compute.instances.getShieldedVmIdentity
  • compute.instances.list
  • compute.instances.listReferrers
  • compute.interconnectAttachments.get
  • compute.interconnectAttachments.list
  • compute.interconnectLocations.*
  • compute.interconnects.get
  • compute.interconnects.list
  • compute.licenseCodes.get
  • compute.licenseCodes.getIamPolicy
  • compute.licenseCodes.list
  • compute.licenses.get
  • compute.licenses.getIamPolicy
  • compute.licenses.list
  • compute.machineImages.get
  • compute.machineImages.getIamPolicy
  • compute.machineImages.list
  • compute.machineTypes.*
  • compute.maintenancePolicies.get
  • compute.maintenancePolicies.getIamPolicy
  • compute.maintenancePolicies.list
  • compute.networkEndpointGroups.get
  • compute.networkEndpointGroups.getIamPolicy
  • compute.networkEndpointGroups.list
  • compute.networks.get
  • compute.networks.getEffectiveFirewalls
  • compute.networks.list
  • compute.networks.listPeeringRoutes
  • compute.nodeGroups.get
  • compute.nodeGroups.getIamPolicy
  • compute.nodeGroups.list
  • compute.nodeTemplates.get
  • compute.nodeTemplates.getIamPolicy
  • compute.nodeTemplates.list
  • compute.nodeTypes.*
  • compute.organizations.listAssociations
  • compute.projects.get
  • compute.publicAdvertisedPrefixes.get
  • compute.publicAdvertisedPrefixes.list
  • compute.publicDelegatedPrefixes.get
  • compute.publicDelegatedPrefixes.list
  • compute.regionBackendServices.get
  • compute.regionBackendServices.getIamPolicy
  • compute.regionBackendServices.list
  • compute.regionHealthCheckServices.get
  • compute.regionHealthCheckServices.list
  • compute.regionHealthChecks.get
  • compute.regionHealthChecks.list
  • compute.regionNetworkEndpointGroups.get
  • compute.regionNetworkEndpointGroups.list
  • compute.regionNotificationEndpoints.get
  • compute.regionNotificationEndpoints.list
  • compute.regionOperations.get
  • compute.regionOperations.getIamPolicy
  • compute.regionOperations.list
  • compute.regionSslCertificates.get
  • compute.regionSslCertificates.list
  • compute.regionTargetHttpProxies.get
  • compute.regionTargetHttpProxies.list
  • compute.regionTargetHttpsProxies.get
  • compute.regionTargetHttpsProxies.list
  • compute.regionUrlMaps.get
  • compute.regionUrlMaps.list
  • compute.regionUrlMaps.validate
  • compute.regions.*
  • compute.reservations.get
  • compute.reservations.list
  • compute.resourcePolicies.get
  • compute.resourcePolicies.list
  • compute.routers.get
  • compute.routers.list
  • compute.routes.get
  • compute.routes.list
  • compute.securityPolicies.get
  • compute.securityPolicies.getIamPolicy
  • compute.securityPolicies.list
  • compute.serviceAttachments.get
  • compute.serviceAttachments.list
  • compute.snapshots.get
  • compute.snapshots.getIamPolicy
  • compute.snapshots.list
  • compute.sslCertificates.get
  • compute.sslCertificates.list
  • compute.sslPolicies.get
  • compute.sslPolicies.list
  • compute.sslPolicies.listAvailableFeatures
  • compute.subnetworks.get
  • compute.subnetworks.getIamPolicy
  • compute.subnetworks.list
  • compute.targetGrpcProxies.get
  • compute.targetGrpcProxies.list
  • compute.targetHttpProxies.get
  • compute.targetHttpProxies.list
  • compute.targetHttpsProxies.get
  • compute.targetHttpsProxies.list
  • compute.targetInstances.get
  • compute.targetInstances.list
  • compute.targetPools.get
  • compute.targetPools.list
  • compute.targetSslProxies.get
  • compute.targetSslProxies.list
  • compute.targetTcpProxies.get
  • compute.targetTcpProxies.list
  • compute.targetVpnGateways.get
  • compute.targetVpnGateways.list
  • compute.urlMaps.get
  • compute.urlMaps.list
  • compute.urlMaps.validate
  • compute.vpnGateways.get
  • compute.vpnGateways.list
  • compute.vpnTunnels.get
  • compute.vpnTunnels.list
  • compute.zoneOperations.get
  • compute.zoneOperations.getIamPolicy
  • compute.zoneOperations.list
  • compute.zones.*
  • dataflow.*
  • iam.serviceAccounts.actAs
  • iam.serviceAccounts.get
  • iam.serviceAccounts.list
  • resourcemanager.projects.get
  • resourcemanager.projects.list
  • serviceusage.quotas.get
  • serviceusage.services.get
  • serviceusage.services.list
  • storage.buckets.get
  • storage.buckets.list
  • storage.objects.*

Dataproc Service Agent

roles/dataproc.serviceAgent

Gives Cloud Dataproc service account access to Compute and Storage resources and Service Accounts.

  • compute.acceleratorTypes.*
  • compute.addresses.get
  • compute.addresses.list
  • compute.addresses.use
  • compute.autoscalers.*
  • compute.diskTypes.*
  • compute.disks.create
  • compute.disks.createSnapshot
  • compute.disks.delete
  • compute.disks.get
  • compute.disks.list
  • compute.disks.resize
  • compute.disks.setLabels
  • compute.disks.update
  • compute.disks.use
  • compute.disks.useReadOnly
  • compute.firewalls.get
  • compute.firewalls.list
  • compute.globalAddresses.get
  • compute.globalAddresses.list
  • compute.globalAddresses.use
  • compute.globalNetworkEndpointGroups.*
  • compute.globalOperations.get
  • compute.globalOperations.list
  • compute.images.get
  • compute.images.getFromFamily
  • compute.images.list
  • compute.images.useReadOnly
  • compute.instanceGroupManagers.*
  • compute.instanceGroups.*
  • compute.instanceTemplates.*
  • compute.instances.*
  • compute.licenses.get
  • compute.licenses.list
  • compute.machineImages.*
  • compute.machineTypes.*
  • compute.networkEndpointGroups.*
  • compute.networks.get
  • compute.networks.list
  • compute.networks.use
  • compute.networks.useExternalIp
  • compute.nodeGroups.get
  • compute.nodeTypes.get
  • compute.projects.get
  • compute.regionNetworkEndpointGroups.*
  • compute.regionOperations.get
  • compute.regionOperations.list
  • compute.regions.*
  • compute.reservations.get
  • compute.reservations.list
  • compute.subnetworks.get
  • compute.subnetworks.list
  • compute.subnetworks.use
  • compute.subnetworks.useExternalIp
  • compute.targetPools.get
  • compute.targetPools.list
  • compute.zoneOperations.get
  • compute.zoneOperations.list
  • compute.zones.*
  • dataproc.autoscalingPolicies.get
  • dataproc.autoscalingPolicies.list
  • dataproc.autoscalingPolicies.use
  • dataproc.clusters.*
  • dataproc.jobs.*
  • firebase.projects.get
  • iam.serviceAccounts.actAs
  • metastore.services.get
  • resourcemanager.projects.get
  • resourcemanager.projects.list
  • serviceusage.quotas.get
  • serviceusage.services.get
  • serviceusage.services.list
  • storage.buckets.*
  • storage.multipartUploads.*
  • storage.objects.*

Data Studio Service Agent

roles/datastudio.serviceAgent

Grants Data Studio Service Account access to manage resources.

  • bigquery.jobs.create

Dialogflow Service Agent

roles/dialogflow.serviceAgent

Gives Dialogflow Service Account access to resources on behalf of user project for intent detection in integrations (Facebook Messenger, Slack, Telephony, etc.).

  • cloudfunctions.functions.invoke
  • dialogflow.agents.export
  • dialogflow.agents.get
  • dialogflow.agents.list
  • dialogflow.agents.search
  • dialogflow.agents.searchResources
  • dialogflow.answerrecords.get
  • dialogflow.answerrecords.list
  • dialogflow.callMatchers.list
  • dialogflow.changelogs.*
  • dialogflow.contexts.*
  • dialogflow.conversationDatasets.get
  • dialogflow.conversationDatasets.list
  • dialogflow.conversationModels.get
  • dialogflow.conversationModels.list
  • dialogflow.conversationProfiles.get
  • dialogflow.conversationProfiles.list
  • dialogflow.conversations.*
  • dialogflow.documents.get
  • dialogflow.documents.list
  • dialogflow.entityTypes.get
  • dialogflow.entityTypes.list
  • dialogflow.environments.get
  • dialogflow.environments.list
  • dialogflow.flows.get
  • dialogflow.flows.list
  • dialogflow.fulfillments.get
  • dialogflow.intents.get
  • dialogflow.intents.list
  • dialogflow.knowledgeBases.get
  • dialogflow.knowledgeBases.list
  • dialogflow.messages.*
  • dialogflow.modelEvaluations.*
  • dialogflow.operations.*
  • dialogflow.pages.get
  • dialogflow.pages.list
  • dialogflow.participants.*
  • dialogflow.phoneNumberOrders.get
  • dialogflow.phoneNumberOrders.list
  • dialogflow.phoneNumbers.list
  • dialogflow.securitySettings.get
  • dialogflow.securitySettings.list
  • dialogflow.sessionEntityTypes.*
  • dialogflow.sessions.*
  • dialogflow.smartMessagingEntries.get
  • dialogflow.smartMessagingEntries.list
  • dialogflow.transitionRouteGroups.get
  • dialogflow.transitionRouteGroups.list
  • dialogflow.versions.get
  • dialogflow.versions.list
  • dialogflow.webhooks.get
  • dialogflow.webhooks.list
  • dlp.inspectTemplates.get
  • dlp.inspectTemplates.list
  • logging.logEntries.create
  • pubsub.topics.publish
  • resourcemanager.projects.get
  • resourcemanager.projects.list
  • serviceusage.services.use
  • storage.objects.get
  • storage.objects.list

DLP API Service Agent

roles/dlp.serviceAgent

Gives the Cloud DLP API service agent permissions for BigQuery, Cloud Storage, Datastore, Pub/Sub, and Cloud KMS.

  • appengine.applications.get
  • bigquery.datasets.*
  • bigquery.jobs.create
  • bigquery.jobs.get
  • bigquery.jobs.update
  • bigquery.models.*
  • bigquery.readsessions.*
  • bigquery.routines.*
  • bigquery.rowAccessPolicies.create
  • bigquery.rowAccessPolicies.delete
  • bigquery.rowAccessPolicies.getIamPolicy
  • bigquery.rowAccessPolicies.list
  • bigquery.rowAccessPolicies.setIamPolicy
  • bigquery.rowAccessPolicies.update
  • bigquery.tables.*
  • cloudasset.assets.analyzeIamPolicy
  • cloudasset.assets.exportResource
  • cloudkms.cryptoKeyVersions.useToDecrypt
  • cloudkms.locations.get
  • cloudkms.locations.list
  • datacatalog.categories.fineGrainedGet
  • datacatalog.tagTemplates.*
  • datastore.databases.get
  • datastore.databases.getMetadata
  • datastore.entities.*
  • datastore.indexes.list
  • datastore.namespaces.get
  • datastore.namespaces.list
  • datastore.statistics.*
  • dlp.analyzeRiskTemplates.get
  • dlp.analyzeRiskTemplates.list
  • dlp.inspectTemplates.get
  • dlp.inspectTemplates.list
  • dlp.jobs.*
  • dlp.kms.*
  • firebase.projects.get
  • pubsub.*
  • resourcemanager.projects.get
  • resourcemanager.projects.list
  • serviceusage.quotas.get
  • serviceusage.services.get
  • serviceusage.services.list
  • serviceusage.services.use
  • storage.buckets.*
  • storage.multipartUploads.*
  • storage.objects.*

DocumentAI Core Service Agent

roles/documentaicore.serviceAgent

Gives DocumentAI Core Service Account access to consumer resources.

  • automl.models.predict
  • storage.buckets.get
  • storage.objects.create
  • storage.objects.delete
  • storage.objects.get
  • storage.objects.list
  • storage.objects.update

Cloud Endpoints Service Agent

roles/endpoints.serviceAgent

Gives the Cloud Endpoints service account access to Endpoints services and the ability to act as a service controller.

  • servicemanagement.services.check
  • servicemanagement.services.get
  • servicemanagement.services.quota
  • servicemanagement.services.report

Endpoints Portal Service Agent

roles/endpointsportal.serviceAgent

Can access information about Endpoints services for consumer portal management, and can read Source Repositories for consumer portal custom content.

  • servicemanagement.services.get
  • servicemanagement.services.list
  • source.repos.get

Enterprise Knowledge Graph Service Agent

roles/enterpriseknowledgegraph.serviceAgent

Gives Enterprise Knowledge Graph Service Account access to consumer resources.

  • bigquery.datasets.create
  • bigquery.datasets.get
  • bigquery.jobs.create
  • bigquery.readsessions.create
  • bigquery.tables.create
  • bigquery.tables.get
  • bigquery.tables.getData
  • bigquery.tables.list
  • bigquery.tables.update
  • bigquery.tables.updateData
  • resourcemanager.projects.get
  • resourcemanager.projects.list
  • storage.objects.get
  • storage.objects.list

Eventarc Service Agent

roles/eventarc.serviceAgent

Gives Eventarc service account access to managed resources.

  • iam.serviceAccounts.actAs
  • iam.serviceAccounts.getAccessToken
  • pubsub.subscriptions.create
  • pubsub.subscriptions.delete
  • pubsub.subscriptions.get
  • pubsub.subscriptions.list
  • pubsub.subscriptions.update
  • pubsub.topics.attachSubscription
  • pubsub.topics.create
  • pubsub.topics.delete
  • pubsub.topics.get
  • pubsub.topics.list
  • pubsub.topics.publish
  • pubsub.topics.update
  • run.services.get
  • serviceusage.services.use
  • storage.buckets.get
  • storage.buckets.update
  • workflows.workflows.get

Cloud Filestore Service Agent

roles/file.serviceAgent

Gives Cloud Filestore service account access to managed resources.

  • compute.globalOperations.get
  • compute.networks.addPeering
  • compute.networks.get
  • compute.networks.removePeering
  • compute.networks.update
  • compute.networks.updatePeering
  • compute.routes.list
  • monitoring.metricDescriptors.create
  • monitoring.metricDescriptors.get
  • monitoring.metricDescriptors.list
  • monitoring.monitoredResourceDescriptors.*
  • monitoring.timeSeries.create
  • resourcemanager.projects.get
  • resourcemanager.projects.list

Firebase App Distribution Admin SDK Service Agent

roles/firebase.appDistributionSdkServiceAgent

Read and write access to Firebase App Distribution with the Admin SDK

  • firebaseappdistro.*

Firebase Service Management Service Agent

roles/firebase.managementServiceAgent

Access to create new service agents for Firebase projects; assign roles to service agents; provision GCP resources as required by Firebase services.

  • apikeys.keys.create
  • apikeys.keys.get
  • apikeys.keys.list
  • apikeys.keys.update
  • appengine.applications.*
  • appengine.operations.get
  • appengine.services.list
  • clientauthconfig.brands.create
  • clientauthconfig.brands.update
  • clientauthconfig.clients.create
  • clientauthconfig.clients.getWithSecret
  • clientauthconfig.clients.list
  • clientauthconfig.clients.update
  • firebase.clients.create
  • firebase.clients.delete
  • firebase.clients.get
  • firebase.projects.*
  • firebaseauth.configs.create
  • firebaseauth.configs.get
  • firebaseauth.configs.update
  • firebaserules.releases.create
  • firebaserules.releases.delete
  • firebaserules.releases.get
  • firebaserules.rulesets.create
  • iam.roles.get
  • iam.serviceAccounts.create
  • iam.serviceAccounts.get
  • iam.serviceAccounts.list
  • resourcemanager.organizations.get
  • resourcemanager.projects.get
  • resourcemanager.projects.getIamPolicy
  • resourcemanager.projects.setIamPolicy
  • resourcemanager.projects.update
  • servicemanagement.services.bind
  • serviceusage.services.enable
  • serviceusage.services.get
  • storage.buckets.create
  • storage.buckets.get
  • storage.buckets.getIamPolicy
  • storage.buckets.setIamPolicy

Firebase Admin SDK Administrator Service Agent

roles/firebase.sdkAdminServiceAgent

Read and write access to Firebase products available in the Admin SDK

  • appengine.applications.get
  • cloudconfig.*
  • cloudmessaging.*
  • datastore.databases.get
  • datastore.databases.getMetadata
  • datastore.databases.list
  • datastore.entities.*
  • datastore.indexes.get
  • datastore.indexes.list
  • datastore.namespaces.get
  • datastore.namespaces.list
  • datastore.statistics.*
  • firebase.clients.*
  • firebase.projects.get
  • firebase.projects.update
  • firebaseappcheck.*
  • firebaseauth.configs.create
  • firebaseauth.configs.get
  • firebaseauth.configs.update
  • firebaseauth.users.*
  • firebasedatabase.*
  • firebasehosting.*
  • firebaseml.*
  • firebasenotifications.*
  • firebaserules.releases.get
  • firebaserules.releases.list
  • firebaserules.releases.update
  • firebaserules.rulesets.create
  • firebaserules.rulesets.delete
  • firebaserules.rulesets.get
  • firebaserules.rulesets.list
  • resourcemanager.projects.get
  • resourcemanager.projects.list
  • resourcemanager.projects.update
  • storage.buckets.create
  • storage.buckets.delete
  • storage.buckets.get
  • storage.buckets.list
  • storage.buckets.update
  • storage.objects.*

Firebase SDK Provisioning Service Agent

roles/firebase.sdkProvisioningServiceAgent

Access to provision apps with the Admin SDK.

  • apikeys.keys.list
  • clientauthconfig.clients.list
  • cloudmessaging.*
  • firebase.clients.create
  • servicemanagement.services.bind
  • serviceusage.services.enable

Firebase Extensions API Service Agent

roles/firebasemods.serviceAgent

Grants Firebase Extensions API Service Account access to manage resources.

  • cloudfunctions.functions.getIamPolicy
  • cloudfunctions.functions.setIamPolicy
  • deploymentmanager.compositeTypes.*
  • deploymentmanager.deployments.cancelPreview
  • deploymentmanager.deployments.create
  • deploymentmanager.deployments.delete
  • deploymentmanager.deployments.get
  • deploymentmanager.deployments.list
  • deploymentmanager.deployments.stop
  • deploymentmanager.deployments.update
  • deploymentmanager.manifests.*
  • deploymentmanager.operations.*
  • deploymentmanager.resources.*
  • deploymentmanager.typeProviders.*
  • deploymentmanager.types.*
  • iam.serviceAccounts.create
  • iam.serviceAccounts.get
  • iam.serviceAccounts.list
  • resourcemanager.projects.get
  • resourcemanager.projects.list
  • resourcemanager.projects.updateLiens
  • run.services.getIamPolicy
  • run.services.setIamPolicy
  • serviceusage.quotas.get
  • serviceusage.services.enable
  • serviceusage.services.get
  • serviceusage.services.list

Cloud Storage for Firebase Service Agent

roles/firebasestorage.serviceAgent

Access to Cloud Storage for Firebase through API and SDK.

  • storage.buckets.get
  • storage.buckets.getIamPolicy
  • storage.objects.create
  • storage.objects.delete
  • storage.objects.get
  • storage.objects.getIamPolicy
  • storage.objects.list
  • storage.objects.update

Firestore Service Agent

roles/firestore.serviceAgent

Gives Firestore service account access to managed resources.

  • storage.buckets.get
  • storage.objects.create
  • storage.objects.get
  • storage.objects.list

Cloud Firewall Insights Service Agent

roles/firewallinsights.serviceAgent

Gives Cloud Firewall Insights service agent permissions to retrieve Firewall, VM and route resources on the user's behalf.

  • compute.backendServices.list
  • compute.firewalls.get
  • compute.firewalls.list
  • compute.forwardingRules.list
  • compute.healthChecks.list
  • compute.httpHealthChecks.list
  • compute.httpsHealthChecks.list
  • compute.instanceGroups.list
  • compute.instances.get
  • compute.instances.list
  • compute.networks.list
  • compute.projects.get
  • compute.routers.list
  • compute.routes.get
  • compute.routes.list
  • compute.subnetworks.list
  • compute.targetHttpProxies.list
  • compute.targetHttpsProxies.list
  • compute.targetPools.list
  • compute.targetSslProxies.list
  • compute.targetTcpProxies.list
  • compute.targetVpnGateways.list
  • compute.urlMaps.list
  • compute.vpnGateways.list
  • compute.vpnTunnels.list

FleetEngine Service Agent

roles/fleetengine.serviceAgent

Grants the FleetEngine Service Account access to manage resources.

  • bigquery.jobs.create
  • resourcemanager.projects.get
  • resourcemanager.projects.list

Game Services Service Agent

roles/gameservices.serviceAgent

Gives Game Services Service Account access to GCP resources.

  • container.apiServices.*
  • container.auditSinks.*
  • container.backendConfigs.*
  • container.bindings.*
  • container.certificateSigningRequests.create
  • container.certificateSigningRequests.delete
  • container.certificateSigningRequests.get
  • container.certificateSigningRequests.list
  • container.certificateSigningRequests.update
  • container.certificateSigningRequests.updateStatus
  • container.clusterRoleBindings.create
  • container.clusterRoleBindings.get
  • container.clusterRoleBindings.list
  • container.clusterRoleBindings.update
  • container.clusterRoles.bind
  • container.clusterRoles.create
  • container.clusterRoles.escalate
  • container.clusterRoles.get
  • container.clusterRoles.list
  • container.clusterRoles.update
  • container.clusters.create
  • container.clusters.delete
  • container.clusters.get
  • container.clusters.list
  • container.clusters.update
  • container.componentStatuses.*
  • container.configMaps.*
  • container.controllerRevisions.get
  • container.controllerRevisions.list
  • container.cronJobs.*
  • container.csiDrivers.*
  • container.csiNodeInfos.*
  • container.csiNodes.*
  • container.customResourceDefinitions.*
  • container.daemonSets.*
  • container.deployments.*
  • container.endpointSlices.*
  • container.endpoints.*
  • container.events.*
  • container.frontendConfigs.*
  • container.horizontalPodAutoscalers.*
  • container.ingresses.*
  • container.initializerConfigurations.*
  • container.jobs.*
  • container.leases.*
  • container.limitRanges.*
  • container.localSubjectAccessReviews.*
  • container.managedCertificates.*
  • container.mutatingWebhookConfigurations.*
  • container.namespaces.*
  • container.networkPolicies.*
  • container.nodes.*
  • container.persistentVolumeClaims.*
  • container.persistentVolumes.*
  • container.petSets.*
  • container.podDisruptionBudgets.*
  • container.podPresets.*
  • container.podSecurityPolicies.get
  • container.podSecurityPolicies.list
  • container.podTemplates.*
  • container.pods.*
  • container.priorityClasses.*
  • container.replicaSets.*
  • container.replicationControllers.*
  • container.resourceQuotas.*
  • container.roleBindings.create
  • container.roleBindings.get
  • container.roleBindings.list
  • container.roles.bind
  • container.roles.create
  • container.roles.escalate
  • container.roles.get
  • container.roles.list
  • container.runtimeClasses.*
  • container.scheduledJobs.*
  • container.secrets.*
  • container.selfSubjectAccessReviews.*
  • container.selfSubjectRulesReviews.*
  • container.serviceAccounts.*
  • container.services.*
  • container.statefulSets.*
  • container.storageClasses.*
  • container.storageStates.*
  • container.storageVersionMigrations.*
  • container.subjectAccessReviews.*
  • container.thirdPartyObjects.*
  • container.thirdPartyResources.*
  • container.tokenReviews.*
  • container.updateInfos.*
  • container.validatingWebhookConfigurations.get
  • container.validatingWebhookConfigurations.list
  • container.volumeAttachments.*
  • container.volumeSnapshotClasses.*
  • container.volumeSnapshotContents.*
  • container.volumeSnapshots.*
  • gkehub.features.get
  • gkehub.features.getIamPolicy
  • gkehub.features.list
  • gkehub.locations.*
  • gkehub.memberships.generateConnectManifest
  • gkehub.memberships.get
  • gkehub.memberships.getIamPolicy
  • gkehub.memberships.list
  • gkehub.operations.get
  • gkehub.operations.list
  • resourcemanager.projects.get
  • resourcemanager.projects.list

Genomics Service Agent

roles/genomics.serviceAgent

Gives Genomics Service Account access to compute resources. Includes access to service accounts.

  • compute.acceleratorTypes.*
  • compute.addresses.get
  • compute.addresses.list
  • compute.addresses.use
  • compute.autoscalers.*
  • compute.backendBuckets.get
  • compute.backendBuckets.list
  • compute.backendServices.get
  • compute.backendServices.list
  • compute.diskTypes.*
  • compute.disks.*
  • compute.externalVpnGateways.get
  • compute.externalVpnGateways.list
  • compute.firewalls.get
  • compute.firewalls.list
  • compute.forwardingRules.get
  • compute.forwardingRules.list
  • compute.globalAddresses.get
  • compute.globalAddresses.list
  • compute.globalAddresses.use
  • compute.globalForwardingRules.get
  • compute.globalForwardingRules.list
  • compute.globalForwardingRules.pscGet
  • compute.globalNetworkEndpointGroups.*
  • compute.globalOperations.get
  • compute.globalOperations.list
  • compute.healthChecks.get
  • compute.healthChecks.list
  • compute.httpHealthChecks.get
  • compute.httpHealthChecks.list
  • compute.httpsHealthChecks.get
  • compute.httpsHealthChecks.list
  • compute.images.*
  • compute.instanceGroupManagers.*
  • compute.instanceGroups.*
  • compute.instanceTemplates.*
  • compute.instances.*
  • compute.interconnectAttachments.get
  • compute.interconnectAttachments.list
  • compute.interconnectLocations.*
  • compute.interconnects.get
  • compute.interconnects.list
  • compute.licenseCodes.*
  • compute.licenses.*
  • compute.machineImages.*
  • compute.machineTypes.*
  • compute.networkEndpointGroups.*
  • compute.networks.get
  • compute.networks.list
  • compute.networks.use
  • compute.networks.useExternalIp
  • compute.projects.get
  • compute.projects.setCommonInstanceMetadata
  • compute.regionBackendServices.get
  • compute.regionBackendServices.list
  • compute.regionHealthCheckServices.get
  • compute.regionHealthCheckServices.list
  • compute.regionHealthChecks.get
  • compute.regionHealthChecks.list
  • compute.regionNetworkEndpointGroups.*
  • compute.regionNotificationEndpoints.get
  • compute.regionNotificationEndpoints.list
  • compute.regionOperations.get
  • compute.regionOperations.list
  • compute.regionSslCertificates.get
  • compute.regionSslCertificates.list
  • compute.regionTargetHttpProxies.get
  • compute.regionTargetHttpProxies.list
  • compute.regionTargetHttpsProxies.get
  • compute.regionTargetHttpsProxies.list
  • compute.regionUrlMaps.get
  • compute.regionUrlMaps.list
  • compute.regions.*
  • compute.reservations.get
  • compute.reservations.list
  • compute.resourcePolicies.*
  • compute.routers.get
  • compute.routers.list
  • compute.routes.get
  • compute.routes.list
  • compute.serviceAttachments.get
  • compute.serviceAttachments.list
  • compute.snapshots.*
  • compute.sslCertificates.get
  • compute.sslCertificates.list
  • compute.sslPolicies.get
  • compute.sslPolicies.list
  • compute.sslPolicies.listAvailableFeatures
  • compute.subnetworks.get
  • compute.subnetworks.list
  • compute.subnetworks.use
  • compute.subnetworks.useExternalIp
  • compute.targetGrpcProxies.get
  • compute.targetGrpcProxies.list
  • compute.targetHttpProxies.get
  • compute.targetHttpProxies.list
  • compute.targetHttpsProxies.get
  • compute.targetHttpsProxies.list
  • compute.targetInstances.get
  • compute.targetInstances.list
  • compute.targetPools.get
  • compute.targetPools.list
  • compute.targetSslProxies.get
  • compute.targetSslProxies.list
  • compute.targetTcpProxies.get
  • compute.targetTcpProxies.list
  • compute.targetVpnGateways.get
  • compute.targetVpnGateways.list
  • compute.urlMaps.get
  • compute.urlMaps.list
  • compute.vpnGateways.get
  • compute.vpnGateways.list
  • compute.vpnTunnels.get
  • compute.vpnTunnels.list
  • compute.zoneOperations.get
  • compute.zoneOperations.list
  • compute.zones.*
  • iam.serviceAccounts.actAs
  • pubsub.topics.publish
  • resourcemanager.projects.get
  • resourcemanager.projects.list
  • serviceusage.quotas.get
  • serviceusage.services.get
  • serviceusage.services.list
  • serviceusage.services.use

GKE Hub Service Agent

roles/gkehub.serviceAgent

Gives the GKE Hub service agent access to Cloud Platform resources.

  • container.clusterRoleBindings.*
  • container.clusterRoles.*
  • container.clusters.get
  • container.customResourceDefinitions.create
  • container.customResourceDefinitions.delete
  • container.customResourceDefinitions.get
  • container.customResourceDefinitions.list
  • container.customResourceDefinitions.update
  • container.namespaces.get
  • container.thirdPartyObjects.*
  • gkehub.features.create
  • gkehub.features.get
  • gkehub.features.list
  • gkehub.locations.*
  • gkehub.memberships.generateConnectManifest
  • gkehub.memberships.get
  • gkehub.memberships.list
  • gkehub.operations.get
  • gkemulticloud.awsClusters.get
  • gkemulticloud.azureClusters.get
  • serviceusage.services.get
  • serviceusage.services.list

Anthos Multi-Cloud Service Agent

roles/gkemulticloud.serviceAgent

Grants the Anthos Multi-Cloud Service Account access to manage resources.

  • gkehub.features.*
  • gkehub.locations.*
  • gkehub.memberships.*
  • gkehub.operations.*
  • gkemulticloud.awsClusters.delete
  • gkemulticloud.awsNodePools.delete
  • gkemulticloud.azureClients.delete
  • gkemulticloud.azureClusters.delete
  • gkemulticloud.azureNodePools.delete
  • resourcemanager.projects.get
  • resourcemanager.projects.list

Healthcare Service Agent

roles/healthcare.serviceAgent

Gives the Healthcare Service Account access to networks, Kubernetes engine, and pubsub resources.

  • cloudnotifications.*
  • monitoring.alertPolicies.get
  • monitoring.alertPolicies.list
  • monitoring.dashboards.get
  • monitoring.dashboards.list
  • monitoring.groups.get
  • monitoring.groups.list
  • monitoring.metricDescriptors.create
  • monitoring.metricDescriptors.get
  • monitoring.metricDescriptors.list
  • monitoring.monitoredResourceDescriptors.*
  • monitoring.notificationChannelDescriptors.*
  • monitoring.notificationChannels.get
  • monitoring.notificationChannels.list
  • monitoring.publicWidgets.get
  • monitoring.publicWidgets.list
  • monitoring.services.get
  • monitoring.services.list
  • monitoring.slos.get
  • monitoring.slos.list
  • monitoring.timeSeries.*
  • monitoring.uptimeCheckConfigs.get
  • monitoring.uptimeCheckConfigs.list
  • opsconfigmonitoring.resourceMetadata.list
  • pubsub.snapshots.seek
  • pubsub.subscriptions.consume
  • pubsub.topics.attachSubscription
  • pubsub.topics.publish
  • resourcemanager.projects.get
  • resourcemanager.projects.list
  • stackdriver.projects.get

KubeRun Events Control Plane Service Agent

roles/kuberun.eventsControlPlaneServiceAgent

Service account role used to set up authentication for the control plane used by KubeRun Events.

  • cloudscheduler.jobs.create
  • cloudscheduler.jobs.delete
  • cloudscheduler.jobs.get
  • logging.sinks.create
  • logging.sinks.delete
  • logging.sinks.get
  • pubsub.subscriptions.create
  • pubsub.subscriptions.delete
  • pubsub.subscriptions.get
  • pubsub.topics.attachSubscription
  • pubsub.topics.create
  • pubsub.topics.delete
  • pubsub.topics.get
  • pubsub.topics.getIamPolicy
  • pubsub.topics.setIamPolicy
  • resourcemanager.projects.get
  • storage.buckets.get
  • storage.buckets.update

KubeRun Events Data Plane Service Agent

roles/kuberun.eventsDataPlaneServiceAgent

Service account role used to set up authentication for the data plane used by KubeRun Events.

  • cloudtrace.traces.patch
  • monitoring.timeSeries.create
  • pubsub.subscriptions.consume
  • pubsub.subscriptions.get
  • pubsub.topics.get
  • pubsub.topics.publish
  • resourcemanager.projects.get

Cloud Life Sciences Service Agent

roles/lifesciences.serviceAgent

Gives Cloud Life Sciences Service Account access to compute resources. Includes access to service accounts.

  • compute.acceleratorTypes.*
  • compute.addresses.get
  • compute.addresses.list
  • compute.addresses.use
  • compute.autoscalers.*
  • compute.backendBuckets.get
  • compute.backendBuckets.list
  • compute.backendServices.get
  • compute.backendServices.list
  • compute.diskTypes.*
  • compute.disks.*
  • compute.externalVpnGateways.get
  • compute.externalVpnGateways.list
  • compute.firewalls.get
  • compute.firewalls.list
  • compute.forwardingRules.get
  • compute.forwardingRules.list
  • compute.globalAddresses.get
  • compute.globalAddresses.list
  • compute.globalAddresses.use
  • compute.globalForwardingRules.get
  • compute.globalForwardingRules.list
  • compute.globalForwardingRules.pscGet
  • compute.globalNetworkEndpointGroups.*
  • compute.globalOperations.get
  • compute.globalOperations.list
  • compute.healthChecks.get
  • compute.healthChecks.list
  • compute.httpHealthChecks.get
  • compute.httpHealthChecks.list
  • compute.httpsHealthChecks.get
  • compute.httpsHealthChecks.list
  • compute.images.*
  • compute.instanceGroupManagers.*
  • compute.instanceGroups.*
  • compute.instanceTemplates.*
  • compute.instances.*
  • compute.interconnectAttachments.get
  • compute.interconnectAttachments.list
  • compute.interconnectLocations.*
  • compute.interconnects.get
  • compute.interconnects.list
  • compute.licenseCodes.*
  • compute.licenses.*
  • compute.machineImages.*
  • compute.machineTypes.*
  • compute.networkEndpointGroups.*
  • compute.networks.get
  • compute.networks.list
  • compute.networks.use
  • compute.networks.useExternalIp
  • compute.projects.get
  • compute.projects.setCommonInstanceMetadata
  • compute.regionBackendServices.get
  • compute.regionBackendServices.list
  • compute.regionHealthCheckServices.get
  • compute.regionHealthCheckServices.list
  • compute.regionHealthChecks.get
  • compute.regionHealthChecks.list
  • compute.regionNetworkEndpointGroups.*
  • compute.regionNotificationEndpoints.get
  • compute.regionNotificationEndpoints.list
  • compute.regionOperations.get
  • compute.regionOperations.list
  • compute.regionSslCertificates.get
  • compute.regionSslCertificates.list
  • compute.regionTargetHttpProxies.get
  • compute.regionTargetHttpProxies.list
  • compute.regionTargetHttpsProxies.get
  • compute.regionTargetHttpsProxies.list
  • compute.regionUrlMaps.get
  • compute.regionUrlMaps.list
  • compute.regions.*
  • compute.reservations.get
  • compute.reservations.list
  • compute.resourcePolicies.*
  • compute.routers.get
  • compute.routers.list
  • compute.routes.get
  • compute.routes.list
  • compute.serviceAttachments.get
  • compute.serviceAttachments.list
  • compute.snapshots.*
  • compute.sslCertificates.get
  • compute.sslCertificates.list
  • compute.sslPolicies.get
  • compute.sslPolicies.list
  • compute.sslPolicies.listAvailableFeatures
  • compute.subnetworks.get
  • compute.subnetworks.list
  • compute.subnetworks.use
  • compute.subnetworks.useExternalIp
  • compute.targetGrpcProxies.get
  • compute.targetGrpcProxies.list
  • compute.targetHttpProxies.get
  • compute.targetHttpProxies.list
  • compute.targetHttpsProxies.get
  • compute.targetHttpsProxies.list
  • compute.targetInstances.get
  • compute.targetInstances.list
  • compute.targetPools.get
  • compute.targetPools.list
  • compute.targetSslProxies.get
  • compute.targetSslProxies.list
  • compute.targetTcpProxies.get
  • compute.targetTcpProxies.list
  • compute.targetVpnGateways.get
  • compute.targetVpnGateways.list
  • compute.urlMaps.get
  • compute.urlMaps.list
  • compute.vpnGateways.get
  • compute.vpnGateways.list
  • compute.vpnTunnels.get
  • compute.vpnTunnels.list
  • compute.zoneOperations.get
  • compute.zoneOperations.list
  • compute.zones.*
  • iam.serviceAccounts.actAs
  • pubsub.topics.publish
  • resourcemanager.projects.get
  • resourcemanager.projects.list
  • serviceusage.quotas.get
  • serviceusage.services.get
  • serviceusage.services.list
  • serviceusage.services.use

Live Stream Service Agent

roles/livestream.serviceAgent

Uploads media files to customer Cloud Storage buckets.

  • storage.objects.create
  • storage.objects.delete
  • storage.objects.update

Cloud Logging Service Agent

roles/logging.serviceAgent

Grants a Cloud Logging Service Account the ability to create Datasets and manage BigQuery Authorized Views inside those Datasets.

  • bigquery.datasets.create

Cloud Managed Identities Service Agent

roles/managedidentities.serviceAgent

Gives Managed Identities service account access to managed resources.

  • compute.globalOperations.get
  • compute.networks.addPeering
  • compute.networks.get
  • compute.networks.removePeering
  • compute.networks.update
  • compute.routes.list
  • dns.changes.*
  • dns.dnsKeys.*
  • dns.managedZoneOperations.*
  • dns.managedZones.*
  • dns.networks.bindPrivateDNSPolicy
  • dns.networks.bindPrivateDNSZone
  • dns.policies.create
  • dns.policies.delete
  • dns.policies.get
  • dns.policies.list
  • dns.policies.update
  • dns.projects.*
  • dns.resourceRecordSets.*
  • dns.responsePolicies.*
  • dns.responsePolicyRules.*
  • monitoring.metricDescriptors.create
  • monitoring.metricDescriptors.get
  • monitoring.metricDescriptors.list
  • monitoring.monitoredResourceDescriptors.*
  • monitoring.timeSeries.create
  • resourcemanager.projects.get
  • resourcemanager.projects.list

Media Asset Service Agent

roles/mediaasset.serviceAgent

Downloads and uploads media files from and to customer Cloud Storage buckets.

  • pubsub.topics.get
  • pubsub.topics.publish
  • storage.objects.create
  • storage.objects.delete
  • storage.objects.get
  • transcoder.jobs.create
  • transcoder.jobs.delete
  • transcoder.jobs.get

Cloud Memorystore Memcached Service Agent

roles/memcache.serviceAgent

Gives Cloud Memorystore Memcached service account access to managed resources.

  • compute.globalOperations.get
  • compute.networks.addPeering
  • compute.networks.get
  • compute.networks.removePeering
  • compute.networks.update
  • compute.routes.get
  • compute.routes.list
  • compute.subnetworks.get
  • compute.subnetworks.list
  • monitoring.metricDescriptors.create
  • monitoring.metricDescriptors.get
  • monitoring.metricDescriptors.list
  • monitoring.monitoredResourceDescriptors.*
  • monitoring.timeSeries.create
  • resourcemanager.projects.get
  • resourcemanager.projects.list

Mesh Config Service Agent

roles/meshconfig.serviceAgent

Apply mesh configuration

  • compute.backendServices.create
  • compute.backendServices.delete
  • compute.backendServices.get
  • compute.backendServices.list
  • compute.backendServices.setSecurityPolicy
  • compute.backendServices.update
  • compute.backendServices.use
  • compute.firewalls.*
  • compute.globalForwardingRules.create
  • compute.globalForwardingRules.delete
  • compute.globalForwardingRules.get
  • compute.globalForwardingRules.list
  • compute.globalForwardingRules.setLabels
  • compute.globalForwardingRules.setTarget
  • compute.globalOperations.get
  • compute.globalOperations.list
  • compute.healthChecks.*
  • compute.networkEndpointGroups.get
  • compute.networkEndpointGroups.list
  • compute.networkEndpointGroups.use
  • compute.networks.get
  • compute.networks.updatePolicy
  • compute.networks.use
  • compute.subnetworks.use
  • compute.targetHttpProxies.*
  • compute.targetHttpsProxies.*
  • compute.targetSslProxies.*
  • compute.targetTcpProxies.*
  • compute.urlMaps.*
  • networksecurity.clientTlsPolicies.create
  • networksecurity.clientTlsPolicies.delete
  • networksecurity.clientTlsPolicies.get
  • networksecurity.clientTlsPolicies.list
  • networksecurity.clientTlsPolicies.update
  • networksecurity.serverTlsPolicies.create
  • networksecurity.serverTlsPolicies.delete
  • networksecurity.serverTlsPolicies.get
  • networksecurity.serverTlsPolicies.list
  • networksecurity.serverTlsPolicies.update
  • networkservices.endpointConfigSelectors.create
  • networkservices.endpointConfigSelectors.delete
  • networkservices.endpointConfigSelectors.get
  • networkservices.endpointConfigSelectors.list
  • networkservices.endpointConfigSelectors.update
  • networkservices.httpFilters.create
  • networkservices.httpFilters.delete
  • networkservices.httpFilters.get
  • networkservices.httpFilters.list
  • networkservices.httpFilters.update
  • networkservices.httpfilters.create
  • networkservices.httpfilters.delete
  • networkservices.httpfilters.get
  • networkservices.httpfilters.list
  • networkservices.httpfilters.update

Mesh Data Plane Service Agent

roles/meshdataplane.serviceAgent

Run user-space Istio components

  • cloudtrace.traces.patch
  • compute.forwardingRules.get
  • compute.globalForwardingRules.get
  • logging.logEntries.create
  • monitoring.metricDescriptors.create
  • monitoring.metricDescriptors.get
  • monitoring.metricDescriptors.list
  • monitoring.monitoredResourceDescriptors.*
  • monitoring.timeSeries.create
  • serviceusage.services.use

Dataproc Metastore Service Agent

roles/metastore.serviceAgent

Gives the Dataproc Metastore service account access to managed resources.

  • compute.addresses.createInternal
  • compute.addresses.deleteInternal
  • compute.addresses.get
  • compute.addresses.use
  • compute.forwardingRules.create
  • compute.forwardingRules.delete
  • compute.forwardingRules.get
  • compute.forwardingRules.pscCreate
  • compute.forwardingRules.pscDelete
  • compute.globalAddresses.createInternal
  • compute.globalAddresses.deleteInternal
  • compute.globalAddresses.get
  • compute.globalAddresses.list
  • compute.globalOperations.get
  • compute.globalOperations.list
  • compute.networks.addPeering
  • compute.networks.get
  • compute.networks.removePeering
  • compute.networks.updatePeering
  • compute.networks.use
  • compute.regionOperations.get
  • compute.subnetworks.get
  • compute.subnetworks.use
  • metastore.services.get
  • storage.buckets.create
  • storage.buckets.delete
  • storage.buckets.get
  • storage.buckets.update
  • storage.objects.create
  • storage.objects.delete
  • storage.objects.get
  • storage.objects.list
  • storage.objects.update

AI Platform Service Agent

roles/ml.serviceAgent

AI Platform service agent can act as log writer, Cloud Storage admin, Artifact Registry Reader, BigQuery writer, and service account access token creator.

  • artifactregistry.files.*
  • artifactregistry.packages.get
  • artifactregistry.packages.list
  • artifactregistry.repositories.downloadArtifacts
  • artifactregistry.repositories.get
  • artifactregistry.repositories.list
  • artifactregistry.tags.get
  • artifactregistry.tags.list
  • artifactregistry.versions.get
  • artifactregistry.versions.list
  • bigquery.datasets.create
  • bigquery.datasets.get
  • bigquery.jobs.create
  • bigquery.jobs.get
  • bigquery.jobs.list
  • bigquery.jobs.update
  • bigquery.tables.create
  • bigquery.tables.get
  • bigquery.tables.getData
  • bigquery.tables.list
  • bigquery.tables.updateData
  • firebase.projects.get
  • iam.serviceAccounts.get
  • iam.serviceAccounts.getAccessToken
  • iam.serviceAccounts.getOpenIdToken
  • iam.serviceAccounts.implicitDelegation
  • iam.serviceAccounts.list
  • iam.serviceAccounts.signBlob
  • iam.serviceAccounts.signJwt
  • logging.logEntries.create
  • resourcemanager.projects.get
  • resourcemanager.projects.list
  • storage.buckets.*
  • storage.multipartUploads.*
  • storage.objects.*

Monitoring Notification Service Agent

roles/monitoring.notificationServiceAgent

Grants permissions to deliver notifications directly to resources within the target project, such as delivering to Pub/Sub topics within the project.

  • serviceusage.services.use

Multi Cluster Ingress Service Agent

roles/multiclusteringress.serviceAgent

Gives the Multi Cluster Ingress service agent access to Cloud Platform resources.

  • compute.addresses.get
  • compute.addresses.list
  • compute.addresses.use
  • compute.backendServices.*
  • compute.firewalls.*
  • compute.forwardingRules.*
  • compute.globalAddresses.list
  • compute.globalAddresses.use
  • compute.globalForwardingRules.*
  • compute.healthChecks.*
  • compute.networkEndpointGroups.get
  • compute.networkEndpointGroups.use
  • compute.networks.updatePolicy
  • compute.networks.use
  • compute.regionBackendServices.*
  • compute.regionHealthChecks.*
  • compute.regionSslCertificates.*
  • compute.regionTargetHttpProxies.*
  • compute.regionTargetHttpsProxies.*
  • compute.regionUrlMaps.*
  • compute.securityPolicies.use
  • compute.sslCertificates.*
  • compute.sslPolicies.use
  • compute.subnetworks.list
  • compute.targetHttpProxies.*
  • compute.targetHttpsProxies.*
  • compute.urlMaps.*
  • container.backendConfigs.*
  • container.clusters.get
  • container.customResourceDefinitions.create
  • container.customResourceDefinitions.delete
  • container.customResourceDefinitions.get
  • container.customResourceDefinitions.update
  • container.deployments.*
  • container.events.create
  • container.events.update
  • container.frontendConfigs.*
  • container.namespaces.list
  • container.secrets.get
  • container.secrets.list
  • container.services.*
  • container.thirdPartyObjects.*
  • gkehub.features.get
  • gkehub.locations.*
  • gkehub.memberships.get
  • gkehub.memberships.list
  • serviceusage.services.get
  • serviceusage.services.list

Multi-cluster metering Service Agent

roles/multiclustermetering.serviceAgent

Gives the Multi-cluster metering service agent access to Cloud Platform resources.

  • gkehub.features.get
  • gkehub.locations.*
  • gkehub.memberships.get
  • gkehub.memberships.list

GCP Network Management Service Agent

roles/networkmanagement.serviceAgent

Grants the GCP Network Management API the authority to complete analysis based on network configurations from Compute Engine and Container Engine.

  • cloudsql.instances.get
  • cloudsql.instances.list
  • compute.addresses.get
  • compute.addresses.list
  • compute.backendServices.get
  • compute.backendServices.list
  • compute.externalVpnGateways.get
  • compute.externalVpnGateways.list
  • compute.firewalls.get
  • compute.firewalls.list
  • compute.forwardingRules.get
  • compute.forwardingRules.list
  • compute.globalAddresses.get
  • compute.globalAddresses.list
  • compute.globalForwardingRules.get
  • compute.globalForwardingRules.list
  • compute.globalNetworkEndpointGroups.get
  • compute.globalNetworkEndpointGroups.list
  • compute.healthChecks.get
  • compute.healthChecks.list
  • compute.httpHealthChecks.get
  • compute.httpHealthChecks.list
  • compute.httpsHealthChecks.get
  • compute.httpsHealthChecks.list
  • compute.instanceGroups.get
  • compute.instanceGroups.list
  • compute.instances.get
  • compute.instances.list
  • compute.networkEndpointGroups.get
  • compute.networkEndpointGroups.list
  • compute.networks.get
  • compute.networks.getEffectiveFirewalls
  • compute.networks.list
  • compute.networks.listPeeringRoutes
  • compute.regionBackendServices.get
  • compute.regionBackendServices.list
  • compute.regionHealthChecks.get
  • compute.regionHealthChecks.list
  • compute.regionNetworkEndpointGroups.get
  • compute.regionNetworkEndpointGroups.list
  • compute.regionTargetHttpProxies.get
  • compute.regionTargetHttpProxies.list
  • compute.regionTargetHttpsProxies.get
  • compute.regionTargetHttpsProxies.list
  • compute.regionUrlMaps.get
  • compute.regionUrlMaps.list
  • compute.routers.get
  • compute.routers.list
  • compute.routes.get
  • compute.routes.list
  • compute.subnetworks.get
  • compute.subnetworks.list
  • compute.targetGrpcProxies.get
  • compute.targetGrpcProxies.list
  • compute.targetHttpProxies.get
  • compute.targetHttpProxies.list
  • compute.targetHttpsProxies.get
  • compute.targetHttpsProxies.list
  • compute.targetInstances.get
  • compute.targetInstances.list
  • compute.targetPools.get
  • compute.targetPools.list
  • compute.targetSslProxies.get
  • compute.targetSslProxies.list
  • compute.targetTcpProxies.get
  • compute.targetTcpProxies.list
  • compute.targetVpnGateways.get
  • compute.targetVpnGateways.list
  • compute.urlMaps.get
  • compute.urlMaps.list
  • compute.vpnGateways.get
  • compute.vpnGateways.list
  • compute.vpnTunnels.get
  • compute.vpnTunnels.list
  • container.clusters.get
  • container.clusters.list
  • container.nodes.get
  • container.nodes.list

AI Platform Notebooks Service Agent

roles/notebooks.serviceAgent

Provides access for the notebooks service agent to manage notebook instances in user projects

  • aiplatform.customJobs.cancel
  • aiplatform.customJobs.create
  • aiplatform.customJobs.get
  • aiplatform.customJobs.list
  • compute.acceleratorTypes.*
  • compute.addresses.get
  • compute.addresses.list
  • compute.addresses.use
  • compute.autoscalers.*
  • compute.backendBuckets.get
  • compute.backendBuckets.list
  • compute.backendServices.get
  • compute.backendServices.getIamPolicy
  • compute.backendServices.list
  • compute.commitments.get
  • compute.commitments.list
  • compute.diskTypes.*
  • compute.disks.*
  • compute.externalVpnGateways.get
  • compute.externalVpnGateways.list
  • compute.firewallPolicies.get
  • compute.firewallPolicies.getIamPolicy
  • compute.firewallPolicies.list
  • compute.firewalls.get
  • compute.firewalls.list
  • compute.forwardingRules.get
  • compute.forwardingRules.list
  • compute.globalAddresses.get
  • compute.globalAddresses.list
  • compute.globalAddresses.use
  • compute.globalForwardingRules.get
  • compute.globalForwardingRules.list
  • compute.globalForwardingRules.pscGet
  • compute.globalNetworkEndpointGroups.*
  • compute.globalOperations.get
  • compute.globalOperations.getIamPolicy
  • compute.globalOperations.list
  • compute.globalPublicDelegatedPrefixes.get
  • compute.globalPublicDelegatedPrefixes.list
  • compute.healthChecks.get
  • compute.healthChecks.list
  • compute.httpHealthChecks.get
  • compute.httpHealthChecks.list
  • compute.httpsHealthChecks.get
  • compute.httpsHealthChecks.list
  • compute.images.*
  • compute.instanceGroupManagers.*
  • compute.instanceGroups.*
  • compute.instanceTemplates.*
  • compute.instances.*
  • compute.interconnectAttachments.get
  • compute.interconnectAttachments.list
  • compute.interconnectLocations.*
  • compute.interconnects.get
  • compute.interconnects.list
  • compute.licenseCodes.*
  • compute.licenses.*
  • compute.machineImages.*
  • compute.machineTypes.*
  • compute.maintenancePolicies.get
  • compute.maintenancePolicies.getIamPolicy
  • compute.maintenancePolicies.list
  • compute.networkEndpointGroups.*
  • compute.networks.get
  • compute.networks.getEffectiveFirewalls
  • compute.networks.list
  • compute.networks.listPeeringRoutes
  • compute.networks.use
  • compute.networks.useExternalIp
  • compute.nodeGroups.get
  • compute.nodeGroups.getIamPolicy
  • compute.nodeGroups.list
  • compute.nodeTemplates.get
  • compute.nodeTemplates.getIamPolicy
  • compute.nodeTemplates.list
  • compute.nodeTypes.*
  • compute.organizations.listAssociations
  • compute.projects.get
  • compute.projects.setCommonInstanceMetadata
  • compute.publicAdvertisedPrefixes.get
  • compute.publicAdvertisedPrefixes.list
  • compute.publicDelegatedPrefixes.get
  • compute.publicDelegatedPrefixes.list
  • compute.regionBackendServices.get
  • compute.regionBackendServices.getIamPolicy
  • compute.regionBackendServices.list
  • compute.regionHealthCheckServices.get
  • compute.regionHealthCheckServices.list
  • compute.regionHealthChecks.get
  • compute.regionHealthChecks.list
  • compute.regionNetworkEndpointGroups.*
  • compute.regionNotificationEndpoints.get
  • compute.regionNotificationEndpoints.list
  • compute.regionOperations.get
  • compute.regionOperations.getIamPolicy
  • compute.regionOperations.list
  • compute.regionSslCertificates.get
  • compute.regionSslCertificates.list
  • compute.regionTargetHttpProxies.get
  • compute.regionTargetHttpProxies.list
  • compute.regionTargetHttpsProxies.get
  • compute.regionTargetHttpsProxies.list
  • compute.regionUrlMaps.get
  • compute.regionUrlMaps.list
  • compute.regionUrlMaps.validate
  • compute.regions.*
  • compute.reservations.get
  • compute.reservations.list
  • compute.resourcePolicies.*
  • compute.routers.get
  • compute.routers.list
  • compute.routes.get
  • compute.routes.list
  • compute.securityPolicies.get
  • compute.securityPolicies.getIamPolicy
  • compute.securityPolicies.list
  • compute.serviceAttachments.get
  • compute.serviceAttachments.list
  • compute.snapshots.*
  • compute.sslCertificates.get
  • compute.sslCertificates.list
  • compute.sslPolicies.get
  • compute.sslPolicies.list
  • compute.sslPolicies.listAvailableFeatures
  • compute.subnetworks.get
  • compute.subnetworks.getIamPolicy
  • compute.subnetworks.list
  • compute.subnetworks.use
  • compute.subnetworks.useExternalIp
  • compute.targetGrpcProxies.get
  • compute.targetGrpcProxies.list
  • compute.targetHttpProxies.get
  • compute.targetHttpProxies.list
  • compute.targetHttpsProxies.get
  • compute.targetHttpsProxies.list
  • compute.targetInstances.get
  • compute.targetInstances.list
  • compute.targetPools.get
  • compute.targetPools.list
  • compute.targetSslProxies.get
  • compute.targetSslProxies.list
  • compute.targetTcpProxies.get
  • compute.targetTcpProxies.list
  • compute.targetVpnGateways.get
  • compute.targetVpnGateways.list
  • compute.urlMaps.get
  • compute.urlMaps.list
  • compute.urlMaps.validate
  • compute.vpnGateways.get
  • compute.vpnGateways.list
  • compute.vpnTunnels.get
  • compute.vpnTunnels.list
  • compute.zoneOperations.get
  • compute.zoneOperations.getIamPolicy
  • compute.zoneOperations.list
  • compute.zones.*
  • iam.serviceAccounts.actAs
  • iam.serviceAccounts.get
  • iam.serviceAccounts.list
  • ml.jobs.create
  • ml.jobs.get
  • ml.jobs.list
  • notebooks.*
  • resourcemanager.projects.get
  • resourcemanager.projects.list
  • serviceusage.quotas.get
  • serviceusage.services.get
  • serviceusage.services.list

Cloud OS Config Service Agent

roles/osconfig.serviceAgent

Grants OS Config Service Account access to Google Compute Engine instances.

  • compute.instances.get
  • compute.instances.getGuestAttributes
  • compute.instances.list
  • compute.instances.setMetadata
  • compute.zones.*
  • containeranalysis.notes.attachOccurrence
  • containeranalysis.notes.create
  • containeranalysis.notes.delete
  • containeranalysis.notes.get
  • containeranalysis.notes.list
  • containeranalysis.notes.update
  • containeranalysis.occurrences.create
  • containeranalysis.occurrences.delete
  • containeranalysis.occurrences.get
  • containeranalysis.occurrences.list
  • containeranalysis.occurrences.update
  • iam.serviceAccounts.actAs
  • resourcemanager.projects.get
  • resourcemanager.projects.list

Cloud Pub/Sub Service Agent

roles/pubsub.serviceAgent

Grants Cloud Pub/Sub Service Account access to manage resources.

  • iam.serviceAccounts.get
  • iam.serviceAccounts.getAccessToken
  • iam.serviceAccounts.getOpenIdToken
  • iam.serviceAccounts.implicitDelegation
  • iam.serviceAccounts.list
  • iam.serviceAccounts.signBlob
  • iam.serviceAccounts.signJwt
  • resourcemanager.projects.get
  • resourcemanager.projects.list

Cloud Memorystore Redis Service Agent

roles/redis.serviceAgent

Gives the Cloud Memorystore Redis service account access to managed resources

  • compute.globalOperations.get
  • compute.networks.addPeering
  • compute.networks.get
  • compute.networks.removePeering
  • compute.networks.update
  • compute.projects.get
  • compute.routes.get
  • compute.routes.list
  • compute.subnetworks.get
  • compute.subnetworks.list
  • monitoring.metricDescriptors.create
  • monitoring.metricDescriptors.get
  • monitoring.metricDescriptors.list
  • monitoring.monitoredResourceDescriptors.*
  • monitoring.timeSeries.create
  • resourcemanager.projects.get
  • resourcemanager.projects.list

Remote Build Execution Service Agent

roles/remotebuildexecution.serviceAgent

Gives Remote Build Execution service account access to managed resources.

  • remotebuildexecution.actions.update
  • remotebuildexecution.blobs.*
  • remotebuildexecution.botsessions.*
  • remotebuildexecution.logstreams.create
  • remotebuildexecution.logstreams.update

Retail Service Agent

roles/retail.serviceAgent

Retail service uploads product feeds and user events from Cloud Storage and BigQuery, reports results to the customer Cloud Storage bucket, writes logs to customer projects, and writes and reads Google Cloud's operations suite metrics for customer projects.

  • bigquery.datasets.create
  • bigquery.datasets.get
  • bigquery.jobs.create
  • bigquery.jobs.get
  • bigquery.jobs.list
  • bigquery.jobs.update
  • bigquery.tables.create
  • bigquery.tables.export
  • bigquery.tables.get
  • bigquery.tables.getData
  • bigquery.tables.list
  • bigquery.tables.updateData
  • cloudnotifications.*
  • logging.logEntries.create
  • monitoring.alertPolicies.get
  • monitoring.alertPolicies.list
  • monitoring.dashboards.get
  • monitoring.dashboards.list
  • monitoring.groups.get
  • monitoring.groups.list
  • monitoring.metricDescriptors.create
  • monitoring.metricDescriptors.get
  • monitoring.metricDescriptors.list
  • monitoring.monitoredResourceDescriptors.*
  • monitoring.notificationChannelDescriptors.*
  • monitoring.notificationChannels.get
  • monitoring.notificationChannels.list
  • monitoring.publicWidgets.get
  • monitoring.publicWidgets.list
  • monitoring.services.get
  • monitoring.services.list
  • monitoring.slos.get
  • monitoring.slos.list
  • monitoring.timeSeries.*
  • monitoring.uptimeCheckConfigs.get
  • monitoring.uptimeCheckConfigs.list
  • opsconfigmonitoring.resourceMetadata.list
  • resourcemanager.projects.get
  • resourcemanager.projects.list
  • stackdriver.projects.get
  • storage.buckets.create
  • storage.buckets.get
  • storage.objects.create
  • storage.objects.delete
  • storage.objects.get
  • storage.objects.list
  • storage.objects.update

Risk Manager Service Agent

roles/riskmanager.serviceAgent

Service agent that grants the Risk Manager service access to fetch findings for generating reports

  • cloudasset.assets.*
  • recommender.cloudAssetInsights.get
  • recommender.cloudAssetInsights.list
  • recommender.locations.*
  • resourcemanager.folders.get
  • resourcemanager.organizations.get
  • resourcemanager.projects.get
  • securitycenter.assets.group
  • securitycenter.assets.list
  • securitycenter.assets.listAssetPropertyNames
  • securitycenter.containerthreatdetectionsettings.calculate
  • securitycenter.containerthreatdetectionsettings.get
  • securitycenter.eventthreatdetectionsettings.calculate
  • securitycenter.eventthreatdetectionsettings.get
  • securitycenter.findings.group
  • securitycenter.findings.list
  • securitycenter.findings.listFindingPropertyNames
  • securitycenter.notificationconfig.get
  • securitycenter.notificationconfig.list
  • securitycenter.organizationsettings.get
  • securitycenter.securitycentersettings.get
  • securitycenter.securityhealthanalyticssettings.calculate
  • securitycenter.securityhealthanalyticssettings.get
  • securitycenter.sources.get
  • securitycenter.sources.list
  • securitycenter.subscription.*
  • securitycenter.userinterfacemetadata.*
  • securitycenter.websecurityscannersettings.calculate
  • securitycenter.websecurityscannersettings.get

Cloud Run Service Agent

roles/run.serviceAgent

Gives Cloud Run service account access to managed resources.

  • artifactregistry.files.*
  • artifactregistry.packages.get
  • artifactregistry.packages.list
  • artifactregistry.repositories.downloadArtifacts
  • artifactregistry.repositories.get
  • artifactregistry.repositories.list
  • artifactregistry.tags.get
  • artifactregistry.tags.list
  • artifactregistry.versions.get
  • artifactregistry.versions.list
  • clientauthconfig.clients.list
  • cloudbuild.builds.create
  • cloudbuild.builds.get
  • compute.globalOperations.get
  • compute.networks.access
  • iam.serviceAccounts.actAs
  • iam.serviceAccounts.getAccessToken
  • iam.serviceAccounts.getOpenIdToken
  • iam.serviceAccounts.signBlob
  • resourcemanager.projects.get
  • resourcemanager.projects.getIamPolicy
  • resourcemanager.projects.list
  • run.routes.invoke
  • serviceusage.services.use
  • storage.objects.get
  • storage.objects.list
  • vpcaccess.connectors.get
  • vpcaccess.connectors.use

Secured Landing Zone Service Agent

roles/securedlandingzone.serviceAgent

Grants Secured Landing Zone service account permissions to manage resources in the customer project

  • cloudasset.assets.exportOrgPolicy
  • cloudasset.assets.exportResource
  • cloudasset.feeds.create
  • cloudasset.feeds.delete
  • cloudasset.feeds.update
  • logging.logEntries.list
  • pubsub.subscriptions.consume
  • pubsub.subscriptions.create
  • pubsub.subscriptions.delete
  • pubsub.topics.attachSubscription
  • pubsub.topics.create
  • pubsub.topics.delete
  • pubsub.topics.detachSubscription
  • pubsub.topics.getIamPolicy
  • pubsub.topics.setIamPolicy
  • resourcemanager.projects.get
  • securitycenter.assetsecuritymarks.*
  • securitycenter.findings.list
  • securitycenter.findings.update
  • securitycenter.sources.list
  • securitycenter.sources.update
  • serviceusage.services.use

Security Center Automation Service Agent

roles/securitycenter.automationServiceAgent

Security Center automation service agent can configure GCP resources to enable security scanning.

  • cloudasset.feeds.*
  • resourcemanager.folders.get
  • resourcemanager.folders.list
  • resourcemanager.organizations.get
  • resourcemanager.projects.get
  • resourcemanager.projects.getIamPolicy
  • resourcemanager.projects.list
  • serviceusage.services.enable

Security Center Control Service Agent

roles/securitycenter.controlServiceAgent

Security Center Control service agent can monitor and configure GCP resources and import security findings.

  • apikeys.keys.get
  • apikeys.keys.list
  • apikeys.keys.lookup
  • appengine.applications.get
  • appengine.instances.get
  • appengine.instances.list
  • appengine.operations.*
  • appengine.services.get
  • appengine.services.list
  • appengine.versions.get
  • appengine.versions.list
  • bigquery.datasets.get
  • binaryauthorization.policy.get
  • cloudasset.*
  • cloudsecurityscanner.*
  • cloudsql.instances.connect
  • cloudsql.instances.get
  • cloudsql.users.list
  • compute.acceleratorTypes.*
  • compute.addresses.get
  • compute.addresses.list
  • compute.autoscalers.get
  • compute.autoscalers.list
  • compute.backendBuckets.get
  • compute.backendBuckets.list
  • compute.backendServices.get
  • compute.backendServices.getIamPolicy
  • compute.backendServices.list
  • compute.commitments.get
  • compute.commitments.list
  • compute.diskTypes.*
  • compute.disks.get
  • compute.disks.getIamPolicy
  • compute.disks.list
  • compute.externalVpnGateways.get
  • compute.externalVpnGateways.list
  • compute.firewallPolicies.get
  • compute.firewallPolicies.getIamPolicy
  • compute.firewallPolicies.list
  • compute.firewalls.get
  • compute.firewalls.list
  • compute.forwardingRules.get
  • compute.forwardingRules.list
  • compute.globalAddresses.get
  • compute.globalAddresses.list
  • compute.globalForwardingRules.get
  • compute.globalForwardingRules.list
  • compute.globalForwardingRules.pscGet
  • compute.globalNetworkEndpointGroups.get
  • compute.globalNetworkEndpointGroups.list
  • compute.globalOperations.get
  • compute.globalOperations.getIamPolicy
  • compute.globalOperations.list
  • compute.globalPublicDelegatedPrefixes.get
  • compute.globalPublicDelegatedPrefixes.list
  • compute.healthChecks.get
  • compute.healthChecks.list
  • compute.httpHealthChecks.get
  • compute.httpHealthChecks.list
  • compute.httpsHealthChecks.get
  • compute.httpsHealthChecks.list
  • compute.images.get
  • compute.images.getFromFamily
  • compute.images.getIamPolicy
  • compute.images.list
  • compute.instanceGroupManagers.get
  • compute.instanceGroupManagers.list
  • compute.instanceGroups.get
  • compute.instanceGroups.list
  • compute.instanceTemplates.get
  • compute.instanceTemplates.getIamPolicy
  • compute.instanceTemplates.list
  • compute.instances.get
  • compute.instances.getEffectiveFirewalls
  • compute.instances.getGuestAttributes
  • compute.instances.getIamPolicy
  • compute.instances.getScreenshot
  • compute.instances.getSerialPortOutput
  • compute.instances.getShieldedInstanceIdentity
  • compute.instances.getShieldedVmIdentity
  • compute.instances.list
  • compute.instances.listReferrers
  • compute.interconnectAttachments.get
  • compute.interconnectAttachments.list
  • compute.interconnectLocations.*
  • compute.interconnects.get
  • compute.interconnects.list
  • compute.licenseCodes.get
  • compute.licenseCodes.getIamPolicy
  • compute.licenseCodes.list
  • compute.licenses.get
  • compute.licenses.getIamPolicy
  • compute.licenses.list
  • compute.machineImages.get
  • compute.machineImages.getIamPolicy
  • compute.machineImages.list
  • compute.machineTypes.*
  • compute.maintenancePolicies.get
  • compute.maintenancePolicies.getIamPolicy
  • compute.maintenancePolicies.list
  • compute.networkEndpointGroups.get
  • compute.networkEndpointGroups.getIamPolicy
  • compute.networkEndpointGroups.list
  • compute.networks.get
  • compute.networks.getEffectiveFirewalls
  • compute.networks.list
  • compute.networks.listPeeringRoutes
  • compute.nodeGroups.get
  • compute.nodeGroups.getIamPolicy
  • compute.nodeGroups.list
  • compute.nodeTemplates.get
  • compute.nodeTemplates.getIamPolicy
  • compute.nodeTemplates.list
  • compute.nodeTypes.*
  • compute.organizations.listAssociations
  • compute.projects.get
  • compute.publicAdvertisedPrefixes.get
  • compute.publicAdvertisedPrefixes.list
  • compute.publicDelegatedPrefixes.get
  • compute.publicDelegatedPrefixes.list
  • compute.regionBackendServices.get
  • compute.regionBackendServices.getIamPolicy
  • compute.regionBackendServices.list
  • compute.regionHealthCheckServices.get
  • compute.regionHealthCheckServices.list
  • compute.regionHealthChecks.get
  • compute.regionHealthChecks.list
  • compute.regionNetworkEndpointGroups.get
  • compute.regionNetworkEndpointGroups.list
  • compute.regionNotificationEndpoints.get
  • compute.regionNotificationEndpoints.list
  • compute.regionOperations.get
  • compute.regionOperations.getIamPolicy
  • compute.regionOperations.list
  • compute.regionSslCertificates.get
  • compute.regionSslCertificates.list
  • compute.regionTargetHttpProxies.get
  • compute.regionTargetHttpProxies.list
  • compute.regionTargetHttpsProxies.get
  • compute.regionTargetHttpsProxies.list
  • compute.regionUrlMaps.get
  • compute.regionUrlMaps.list
  • compute.regionUrlMaps.validate
  • compute.regions.*
  • compute.reservations.get
  • compute.reservations.list
  • compute.resourcePolicies.get
  • compute.resourcePolicies.list
  • compute.routers.get
  • compute.routers.list
  • compute.routes.get
  • compute.routes.list
  • compute.securityPolicies.get
  • compute.securityPolicies.getIamPolicy
  • compute.securityPolicies.list
  • compute.serviceAttachments.get
  • compute.serviceAttachments.list
  • compute.snapshots.get
  • compute.snapshots.getIamPolicy
  • compute.snapshots.list
  • compute.sslCertificates.get
  • compute.sslCertificates.list
  • compute.sslPolicies.get
  • compute.sslPolicies.list
  • compute.sslPolicies.listAvailableFeatures
  • compute.subnetworks.get
  • compute.subnetworks.getIamPolicy
  • compute.subnetworks.list
  • compute.targetGrpcProxies.get
  • compute.targetGrpcProxies.list
  • compute.targetHttpProxies.get
  • compute.targetHttpProxies.list
  • compute.targetHttpsProxies.get
  • compute.targetHttpsProxies.list
  • compute.targetInstances.get
  • compute.targetInstances.list
  • compute.targetPools.get
  • compute.targetPools.list
  • compute.targetSslProxies.get
  • compute.targetSslProxies.list
  • compute.targetTcpProxies.get
  • compute.targetTcpProxies.list
  • compute.targetVpnGateways.get
  • compute.targetVpnGateways.list
  • compute.urlMaps.get
  • compute.urlMaps.list
  • compute.urlMaps.validate
  • compute.vpnGateways.get
  • compute.vpnGateways.list
  • compute.vpnTunnels.get
  • compute.vpnTunnels.list
  • compute.zoneOperations.get
  • compute.zoneOperations.getIamPolicy
  • compute.zoneOperations.list
  • compute.zones.*
  • container.apiServices.get
  • container.apiServices.getStatus
  • container.apiServices.list
  • container.auditSinks.get
  • container.auditSinks.list
  • container.backendConfigs.get
  • container.backendConfigs.list
  • container.bindings.get
  • container.bindings.list
  • container.certificateSigningRequests.get
  • container.certificateSigningRequests.getStatus
  • container.certificateSigningRequests.list
  • container.clusterRoleBindings.get
  • container.clusterRoleBindings.list
  • container.clusterRoles.get
  • container.clusterRoles.list
  • container.clusters.get
  • container.clusters.list
  • container.componentStatuses.*
  • container.configMaps.get
  • container.configMaps.list
  • container.controllerRevisions.get
  • container.controllerRevisions.list
  • container.cronJobs.get
  • container.cronJobs.getStatus
  • container.cronJobs.list
  • container.csiDrivers.get
  • container.csiDrivers.list
  • container.csiNodeInfos.get
  • container.csiNodeInfos.list
  • container.csiNodes.get
  • container.csiNodes.list
  • container.customResourceDefinitions.get
  • container.customResourceDefinitions.getStatus
  • container.customResourceDefinitions.list
  • container.daemonSets.get
  • container.daemonSets.getStatus
  • container.daemonSets.list
  • container.deployments.get
  • container.deployments.getScale
  • container.deployments.getStatus
  • container.deployments.list
  • container.endpointSlices.get
  • container.endpointSlices.list
  • container.endpoints.get
  • container.endpoints.list
  • container.events.get
  • container.events.list
  • container.frontendConfigs.get
  • container.frontendConfigs.list
  • container.horizontalPodAutoscalers.get
  • container.horizontalPodAutoscalers.getStatus
  • container.horizontalPodAutoscalers.list
  • container.ingresses.get
  • container.ingresses.getStatus
  • container.ingresses.list
  • container.initializerConfigurations.get
  • container.initializerConfigurations.list
  • container.jobs.get
  • container.jobs.getStatus
  • container.jobs.list
  • container.leases.get
  • container.leases.list
  • container.limitRanges.get
  • container.limitRanges.list
  • container.managedCertificates.get
  • container.managedCertificates.list
  • container.mutatingWebhookConfigurations.get
  • container.mutatingWebhookConfigurations.list
  • container.namespaces.get
  • container.namespaces.getStatus
  • container.namespaces.list
  • container.networkPolicies.get
  • container.networkPolicies.list
  • container.nodes.get
  • container.nodes.getStatus
  • container.nodes.list
  • container.operations.*
  • container.persistentVolumeClaims.get
  • container.persistentVolumeClaims.getStatus
  • container.persistentVolumeClaims.list
  • container.persistentVolumes.get
  • container.persistentVolumes.getStatus
  • container.persistentVolumes.list
  • container.petSets.get
  • container.petSets.list
  • container.podDisruptionBudgets.get
  • container.podDisruptionBudgets.getStatus
  • container.podDisruptionBudgets.list
  • container.podPresets.get
  • container.podPresets.list
  • container.podSecurityPolicies.get
  • container.podSecurityPolicies.list
  • container.podTemplates.get
  • container.podTemplates.list
  • container.pods.get
  • container.pods.getStatus
  • container.pods.list
  • container.priorityClasses.get
  • container.priorityClasses.list
  • container.replicaSets.get
  • container.replicaSets.getScale
  • container.replicaSets.getStatus
  • container.replicaSets.list
  • container.replicationControllers.get
  • container.replicationControllers.getScale
  • container.replicationControllers.getStatus
  • container.replicationControllers.list
  • container.resourceQuotas.get
  • container.resourceQuotas.getStatus
  • container.resourceQuotas.list
  • container.roleBindings.get
  • container.roleBindings.list
  • container.roles.get
  • container.roles.list
  • container.runtimeClasses.get
  • container.runtimeClasses.list
  • container.scheduledJobs.get
  • container.scheduledJobs.list
  • container.serviceAccounts.get
  • container.serviceAccounts.list
  • container.services.get
  • container.services.getStatus
  • container.services.list
  • container.statefulSets.get
  • container.statefulSets.getScale
  • container.statefulSets.getStatus
  • container.statefulSets.list
  • container.storageClasses.get
  • container.storageClasses.list
  • container.storageStates.get
  • container.storageStates.getStatus
  • container.storageStates.list
  • container.storageVersionMigrations.get
  • container.storageVersionMigrations.getStatus
  • container.storageVersionMigrations.list
  • container.thirdPartyObjects.get
  • container.thirdPartyObjects.list
  • container.thirdPartyResources.get
  • container.thirdPartyResources.list
  • container.tokenReviews.*
  • container.updateInfos.get
  • container.updateInfos.list
  • container.validatingWebhookConfigurations.get
  • container.validatingWebhookConfigurations.list
  • container.volumeAttachments.get
  • container.volumeAttachments.getStatus
  • container.volumeAttachments.list
  • container.volumeSnapshotClasses.get
  • container.volumeSnapshotClasses.list
  • container.volumeSnapshotContents.get
  • container.volumeSnapshotContents.getStatus
  • container.volumeSnapshotContents.list
  • container.volumeSnapshots.get
  • container.volumeSnapshots.list
  • dlp.jobs.get
  • dlp.jobs.list
  • logging.buckets.get
  • logging.buckets.list
  • logging.exclusions.get
  • logging.exclusions.list
  • logging.locations.*
  • logging.logEntries.list
  • logging.logMetrics.get
  • logging.logMetrics.list
  • logging.logServiceIndexes.*
  • logging.logServices.*
  • logging.logs.list
  • logging.operations.get
  • logging.operations.list
  • logging.queries.create
  • logging.queries.delete
  • logging.queries.get
  • logging.queries.list
  • logging.queries.listShared
  • logging.queries.update
  • logging.sinks.get
  • logging.sinks.list
  • logging.usage.*
  • logging.views.get
  • logging.views.list
  • monitoring.alertPolicies.get
  • monitoring.alertPolicies.list
  • orgpolicy.policy.get
  • recommender.cloudAssetInsights.get
  • recommender.cloudAssetInsights.list
  • recommender.locations.*
  • resourcemanager.folders.get
  • resourcemanager.folders.list
  • resourcemanager.organizations.get
  • resourcemanager.projects.get
  • resourcemanager.projects.getIamPolicy
  • resourcemanager.projects.list
  • securitycenter.assets.*
  • securitycenter.assetsecuritymarks.*
  • securitycenter.containerthreatdetectionsettings.calculate
  • securitycenter.containerthreatdetectionsettings.get
  • securitycenter.eventthreatdetectionsettings.calculate
  • securitycenter.eventthreatdetectionsettings.get
  • securitycenter.findings.*
  • securitycenter.findingsecuritymarks.*
  • securitycenter.notificationconfig.*
  • securitycenter.organizationsettings.get
  • securitycenter.securitycentersettings.get
  • securitycenter.securityhealthanalyticssettings.calculate
  • securitycenter.securityhealthanalyticssettings.get
  • securitycenter.sources.get
  • securitycenter.sources.list
  • securitycenter.sources.update
  • securitycenter.subscription.*
  • securitycenter.userinterfacemetadata.*
  • securitycenter.websecurityscannersettings.calculate
  • securitycenter.websecurityscannersettings.get
  • serviceusage.quotas.get
  • serviceusage.services.enable
  • serviceusage.services.get
  • serviceusage.services.list
  • stackdriver.projects.get
  • storage.buckets.get
  • storage.buckets.getIamPolicy
  • storage.buckets.list

Security Center Integration Executor Service Agent

roles/securitycenter.integrationExecutorServiceAgent

Gives Security Center access to execute Integrations.

  • integrations.securityExecutions.cancel
  • integrations.securityExecutions.list
  • integrations.securityIntegrations.invoke

Security Center Notification Service Agent

roles/securitycenter.notificationServiceAgent

Security Center service agent can publish notifications to Pub/Sub topics.

  • pubsub.topics.publish

Security Health Analytics Service Agent

roles/securitycenter.securityHealthAnalyticsServiceAgent

Security Health Analytics service agent can scan GCP resource metadata to find security vulnerabilities.

  • apikeys.keys.get
  • apikeys.keys.list
  • apikeys.keys.lookup
  • appengine.applications.get
  • bigquery.datasets.get
  • binaryauthorization.policy.get
  • cloudasset.*
  • cloudsecurityscanner.*
  • cloudsql.instances.connect
  • cloudsql.instances.get
  • cloudsql.users.list
  • compute.acceleratorTypes.*
  • compute.addresses.get
  • compute.addresses.list
  • compute.autoscalers.get
  • compute.autoscalers.list
  • compute.backendBuckets.get
  • compute.backendBuckets.list
  • compute.backendServices.get
  • compute.backendServices.getIamPolicy
  • compute.backendServices.list
  • compute.commitments.get
  • compute.commitments.list
  • compute.diskTypes.*
  • compute.disks.get
  • compute.disks.getIamPolicy
  • compute.disks.list
  • compute.externalVpnGateways.get
  • compute.externalVpnGateways.list
  • compute.firewallPolicies.get
  • compute.firewallPolicies.getIamPolicy
  • compute.firewallPolicies.list
  • compute.firewalls.get
  • compute.firewalls.list
  • compute.forwardingRules.get
  • compute.forwardingRules.list
  • compute.globalAddresses.get
  • compute.globalAddresses.list
  • compute.globalForwardingRules.get
  • compute.globalForwardingRules.list
  • compute.globalForwardingRules.pscGet
  • compute.globalNetworkEndpointGroups.get
  • compute.globalNetworkEndpointGroups.list
  • compute.globalOperations.get
  • compute.globalOperations.getIamPolicy
  • compute.globalOperations.list
  • compute.globalPublicDelegatedPrefixes.get
  • compute.globalPublicDelegatedPrefixes.list
  • compute.healthChecks.get
  • compute.healthChecks.list
  • compute.httpHealthChecks.get
  • compute.httpHealthChecks.list
  • compute.httpsHealthChecks.get
  • compute.httpsHealthChecks.list
  • compute.images.get
  • compute.images.getFromFamily
  • compute.images.getIamPolicy
  • compute.images.list
  • compute.instanceGroupManagers.get
  • compute.instanceGroupManagers.list
  • compute.instanceGroups.get
  • compute.instanceGroups.list
  • compute.instanceTemplates.get
  • compute.instanceTemplates.getIamPolicy
  • compute.instanceTemplates.list
  • compute.instances.get
  • compute.instances.getEffectiveFirewalls
  • compute.instances.getGuestAttributes
  • compute.instances.getIamPolicy
  • compute.instances.getScreenshot
  • compute.instances.getSerialPortOutput
  • compute.instances.getShieldedInstanceIdentity
  • compute.instances.getShieldedVmIdentity
  • compute.instances.list
  • compute.instances.listReferrers
  • compute.interconnectAttachments.get
  • compute.interconnectAttachments.list
  • compute.interconnectLocations.*
  • compute.interconnects.get
  • compute.interconnects.list
  • compute.licenseCodes.get
  • compute.licenseCodes.getIamPolicy
  • compute.licenseCodes.list
  • compute.licenses.get
  • compute.licenses.getIamPolicy
  • compute.licenses.list
  • compute.machineImages.get
  • compute.machineImages.getIamPolicy
  • compute.machineImages.list
  • compute.machineTypes.*
  • compute.maintenancePolicies.get
  • compute.maintenancePolicies.getIamPolicy
  • compute.maintenancePolicies.list
  • compute.networkEndpointGroups.get
  • compute.networkEndpointGroups.getIamPolicy
  • compute.networkEndpointGroups.list
  • compute.networks.get
  • compute.networks.getEffectiveFirewalls
  • compute.networks.list
  • compute.networks.listPeeringRoutes
  • compute.nodeGroups.get
  • compute.nodeGroups.getIamPolicy
  • compute.nodeGroups.list
  • compute.nodeTemplates.get
  • compute.nodeTemplates.getIamPolicy
  • compute.nodeTemplates.list
  • compute.nodeTypes.*
  • compute.organizations.listAssociations
  • compute.projects.get
  • compute.publicAdvertisedPrefixes.get
  • compute.publicAdvertisedPrefixes.list
  • compute.publicDelegatedPrefixes.get
  • compute.publicDelegatedPrefixes.list
  • compute.regionBackendServices.get
  • compute.regionBackendServices.getIamPolicy
  • compute.regionBackendServices.list
  • compute.regionHealthCheckServices.get
  • compute.regionHealthCheckServices.list
  • compute.regionHealthChecks.get
  • compute.regionHealthChecks.list
  • compute.regionNetworkEndpointGroups.get
  • compute.regionNetworkEndpointGroups.list
  • compute.regionNotificationEndpoints.get
  • compute.regionNotificationEndpoints.list
  • compute.regionOperations.get
  • compute.regionOperations.getIamPolicy
  • compute.regionOperations.list
  • compute.regionSslCertificates.get
  • compute.regionSslCertificates.list
  • compute.regionTargetHttpProxies.get
  • compute.regionTargetHttpProxies.list
  • compute.regionTargetHttpsProxies.get
  • compute.regionTargetHttpsProxies.list
  • compute.regionUrlMaps.get
  • compute.regionUrlMaps.list
  • compute.regionUrlMaps.validate
  • compute.regions.*
  • compute.reservations.get
  • compute.reservations.list
  • compute.resourcePolicies.get
  • compute.resourcePolicies.list
  • compute.routers.get
  • compute.routers.list
  • compute.routes.get
  • compute.routes.list
  • compute.securityPolicies.get
  • compute.securityPolicies.getIamPolicy
  • compute.securityPolicies.list
  • compute.serviceAttachments.get
  • compute.serviceAttachments.list
  • compute.snapshots.get
  • compute.snapshots.getIamPolicy
  • compute.snapshots.list
  • compute.sslCertificates.get
  • compute.sslCertificates.list
  • compute.sslPolicies.get
  • compute.sslPolicies.list
  • compute.sslPolicies.listAvailableFeatures
  • compute.subnetworks.get
  • compute.subnetworks.getIamPolicy
  • compute.subnetworks.list
  • compute.targetGrpcProxies.get
  • compute.targetGrpcProxies.list
  • compute.targetHttpProxies.get
  • compute.targetHttpProxies.list
  • compute.targetHttpsProxies.get
  • compute.targetHttpsProxies.list
  • compute.targetInstances.get
  • compute.targetInstances.list
  • compute.targetPools.get
  • compute.targetPools.list
  • compute.targetSslProxies.get
  • compute.targetSslProxies.list
  • compute.targetTcpProxies.get
  • compute.targetTcpProxies.list
  • compute.targetVpnGateways.get
  • compute.targetVpnGateways.list
  • compute.urlMaps.get
  • compute.urlMaps.list
  • compute.urlMaps.validate
  • compute.vpnGateways.get
  • compute.vpnGateways.list
  • compute.vpnTunnels.get
  • compute.vpnTunnels.list
  • compute.zoneOperations.get
  • compute.zoneOperations.getIamPolicy
  • compute.zoneOperations.list
  • compute.zones.*
  • container.clusters.get
  • container.clusters.list
  • logging.buckets.get
  • logging.buckets.list
  • logging.exclusions.get
  • logging.exclusions.list
  • logging.locations.*
  • logging.logEntries.list
  • logging.logMetrics.get
  • logging.logMetrics.list
  • logging.logServiceIndexes.*
  • logging.logServices.*
  • logging.logs.list
  • logging.operations.get
  • logging.operations.list
  • logging.queries.create
  • logging.queries.delete
  • logging.queries.get
  • logging.queries.list
  • logging.queries.listShared
  • logging.queries.update
  • logging.sinks.get
  • logging.sinks.list
  • logging.usage.*
  • logging.views.get
  • logging.views.list
  • monitoring.alertPolicies.get
  • monitoring.alertPolicies.list
  • orgpolicy.policy.get
  • recommender.cloudAssetInsights.get
  • recommender.cloudAssetInsights.list
  • recommender.locations.*
  • resourcemanager.folders.get
  • resourcemanager.organizations.get
  • resourcemanager.projects.get
  • resourcemanager.projects.list
  • securitycenter.assets.*
  • securitycenter.assetsecuritymarks.*
  • securitycenter.containerthreatdetectionsettings.calculate
  • securitycenter.containerthreatdetectionsettings.get
  • securitycenter.eventthreatdetectionsettings.calculate
  • securitycenter.eventthreatdetectionsettings.get
  • securitycenter.findings.*
  • securitycenter.findingsecuritymarks.*
  • securitycenter.notificationconfig.*
  • securitycenter.organizationsettings.get
  • securitycenter.securitycentersettings.get
  • securitycenter.securityhealthanalyticssettings.calculate
  • securitycenter.securityhealthanalyticssettings.get
  • securitycenter.sources.get
  • securitycenter.sources.list
  • securitycenter.sources.update
  • securitycenter.subscription.*
  • securitycenter.userinterfacemetadata.*
  • securitycenter.websecurityscannersettings.calculate
  • securitycenter.websecurityscannersettings.get
  • serviceusage.quotas.get
  • serviceusage.services.get
  • serviceusage.services.list
  • stackdriver.projects.get

Security Center Service Agent

roles/securitycenter.serviceAgent

Security Center service agent can scan GCP resources and import security scans.

  • apikeys.keys.get
  • apikeys.keys.list
  • apikeys.keys.lookup
  • appengine.applications.get
  • appengine.instances.get
  • appengine.instances.list
  • appengine.operations.*
  • appengine.services.get
  • appengine.services.list
  • appengine.versions.get
  • appengine.versions.list
  • bigquery.datasets.get
  • binaryauthorization.policy.get
  • cloudasset.*
  • cloudsecurityscanner.*
  • cloudsql.instances.connect
  • cloudsql.instances.get
  • cloudsql.users.list
  • compute.acceleratorTypes.*
  • compute.addresses.get
  • compute.addresses.list
  • compute.autoscalers.get
  • compute.autoscalers.list
  • compute.backendBuckets.get
  • compute.backendBuckets.list
  • compute.backendServices.get
  • compute.backendServices.getIamPolicy
  • compute.backendServices.list
  • compute.commitments.get
  • compute.commitments.list
  • compute.diskTypes.*
  • compute.disks.get
  • compute.disks.getIamPolicy
  • compute.disks.list
  • compute.externalVpnGateways.get
  • compute.externalVpnGateways.list
  • compute.firewallPolicies.get
  • compute.firewallPolicies.getIamPolicy
  • compute.firewallPolicies.list
  • compute.firewalls.get
  • compute.firewalls.list
  • compute.forwardingRules.get
  • compute.forwardingRules.list
  • compute.globalAddresses.get
  • compute.globalAddresses.list
  • compute.globalForwardingRules.get
  • compute.globalForwardingRules.list
  • compute.globalForwardingRules.pscGet
  • compute.globalNetworkEndpointGroups.get
  • compute.globalNetworkEndpointGroups.list
  • compute.globalOperations.get
  • compute.globalOperations.getIamPolicy
  • compute.globalOperations.list
  • compute.globalPublicDelegatedPrefixes.get
  • compute.globalPublicDelegatedPrefixes.list
  • compute.healthChecks.get
  • compute.healthChecks.list
  • compute.httpHealthChecks.get
  • compute.httpHealthChecks.list
  • compute.httpsHealthChecks.get
  • compute.httpsHealthChecks.list
  • compute.images.get
  • compute.images.getFromFamily
  • compute.images.getIamPolicy
  • compute.images.list
  • compute.instanceGroupManagers.get
  • compute.instanceGroupManagers.list
  • compute.instanceGroups.get
  • compute.instanceGroups.list
  • compute.instanceTemplates.get
  • compute.instanceTemplates.getIamPolicy
  • compute.instanceTemplates.list
  • compute.instances.get
  • compute.instances.getEffectiveFirewalls
  • compute.instances.getGuestAttributes
  • compute.instances.getIamPolicy
  • compute.instances.getScreenshot
  • compute.instances.getSerialPortOutput
  • compute.instances.getShieldedInstanceIdentity
  • compute.instances.getShieldedVmIdentity
  • compute.instances.list
  • compute.instances.listReferrers
  • compute.interconnectAttachments.get
  • compute.interconnectAttachments.list
  • compute.interconnectLocations.*
  • compute.interconnects.get
  • compute.interconnects.list
  • compute.licenseCodes.get
  • compute.licenseCodes.getIamPolicy
  • compute.licenseCodes.list
  • compute.licenses.get
  • compute.licenses.getIamPolicy
  • compute.licenses.list
  • compute.machineImages.get
  • compute.machineImages.getIamPolicy
  • compute.machineImages.list
  • compute.machineTypes.*
  • compute.maintenancePolicies.get
  • compute.maintenancePolicies.getIamPolicy
  • compute.maintenancePolicies.list
  • compute.networkEndpointGroups.get
  • compute.networkEndpointGroups.getIamPolicy
  • compute.networkEndpointGroups.list
  • compute.networks.get
  • compute.networks.getEffectiveFirewalls
  • compute.networks.list
  • compute.networks.listPeeringRoutes
  • compute.nodeGroups.get
  • compute.nodeGroups.getIamPolicy
  • compute.nodeGroups.list
  • compute.nodeTemplates.get
  • compute.nodeTemplates.getIamPolicy
  • compute.nodeTemplates.list
  • compute.nodeTypes.*
  • compute.organizations.listAssociations
  • compute.projects.get
  • compute.publicAdvertisedPrefixes.get
  • compute.publicAdvertisedPrefixes.list
  • compute.publicDelegatedPrefixes.get
  • compute.publicDelegatedPrefixes.list
  • compute.regionBackendServices.get
  • compute.regionBackendServices.getIamPolicy
  • compute.regionBackendServices.list
  • compute.regionHealthCheckServices.get
  • compute.regionHealthCheckServices.list
  • compute.regionHealthChecks.get
  • compute.regionHealthChecks.list
  • compute.regionNetworkEndpointGroups.get
  • compute.regionNetworkEndpointGroups.list
  • compute.regionNotificationEndpoints.get
  • compute.regionNotificationEndpoints.list
  • compute.regionOperations.get
  • compute.regionOperations.getIamPolicy
  • compute.regionOperations.list
  • compute.regionSslCertificates.get
  • compute.regionSslCertificates.list
  • compute.regionTargetHttpProxies.get
  • compute.regionTargetHttpProxies.list
  • compute.regionTargetHttpsProxies.get
  • compute.regionTargetHttpsProxies.list
  • compute.regionUrlMaps.get
  • compute.regionUrlMaps.list
  • compute.regionUrlMaps.validate
  • compute.regions.*
  • compute.reservations.get
  • compute.reservations.list
  • compute.resourcePolicies.get
  • compute.resourcePolicies.list
  • compute.routers.get
  • compute.routers.list
  • compute.routes.get
  • compute.routes.list
  • compute.securityPolicies.get
  • compute.securityPolicies.getIamPolicy
  • compute.securityPolicies.list
  • compute.serviceAttachments.get
  • compute.serviceAttachments.list
  • compute.snapshots.get
  • compute.snapshots.getIamPolicy
  • compute.snapshots.list
  • compute.sslCertificates.get
  • compute.sslCertificates.list
  • compute.sslPolicies.get
  • compute.sslPolicies.list
  • compute.sslPolicies.listAvailableFeatures
  • compute.subnetworks.get
  • compute.subnetworks.getIamPolicy
  • compute.subnetworks.list
  • compute.targetGrpcProxies.get
  • compute.targetGrpcProxies.list
  • compute.targetHttpProxies.get
  • compute.targetHttpProxies.list
  • compute.targetHttpsProxies.get
  • compute.targetHttpsProxies.list
  • compute.targetInstances.get
  • compute.targetInstances.list
  • compute.targetPools.get
  • compute.targetPools.list
  • compute.targetSslProxies.get
  • compute.targetSslProxies.list
  • compute.targetTcpProxies.get
  • compute.targetTcpProxies.list
  • compute.targetVpnGateways.get
  • compute.targetVpnGateways.list
  • compute.urlMaps.get
  • compute.urlMaps.list
  • compute.urlMaps.validate
  • compute.vpnGateways.get
  • compute.vpnGateways.list
  • compute.vpnTunnels.get
  • compute.vpnTunnels.list
  • compute.zoneOperations.get
  • compute.zoneOperations.getIamPolicy
  • compute.zoneOperations.list
  • compute.zones.*
  • container.apiServices.get
  • container.apiServices.getStatus
  • container.apiServices.list
  • container.auditSinks.get
  • container.auditSinks.list
  • container.backendConfigs.get
  • container.backendConfigs.list
  • container.bindings.get
  • container.bindings.list
  • container.certificateSigningRequests.get
  • container.certificateSigningRequests.getStatus
  • container.certificateSigningRequests.list
  • container.clusterRoleBindings.get
  • container.clusterRoleBindings.list
  • container.clusterRoles.get
  • container.clusterRoles.list
  • container.clusters.get
  • container.clusters.list
  • container.componentStatuses.*
  • container.configMaps.get
  • container.configMaps.list
  • container.controllerRevisions.get
  • container.controllerRevisions.list
  • container.cronJobs.get
  • container.cronJobs.getStatus
  • container.cronJobs.list
  • container.csiDrivers.get
  • container.csiDrivers.list
  • container.csiNodeInfos.get
  • container.csiNodeInfos.list
  • container.csiNodes.get
  • container.csiNodes.list
  • container.customResourceDefinitions.get
  • container.customResourceDefinitions.getStatus
  • container.customResourceDefinitions.list
  • container.daemonSets.get
  • container.daemonSets.getStatus
  • container.daemonSets.list
  • container.deployments.get
  • container.deployments.getScale
  • container.deployments.getStatus
  • container.deployments.list
  • container.endpointSlices.get
  • container.endpointSlices.list
  • container.endpoints.get
  • container.endpoints.list
  • container.events.get
  • container.events.list
  • container.frontendConfigs.get
  • container.frontendConfigs.list
  • container.horizontalPodAutoscalers.get
  • container.horizontalPodAutoscalers.getStatus
  • container.horizontalPodAutoscalers.list
  • container.ingresses.get
  • container.ingresses.getStatus
  • container.ingresses.list
  • container.initializerConfigurations.get
  • container.initializerConfigurations.list
  • container.jobs.get
  • container.jobs.getStatus
  • container.jobs.list
  • container.leases.get
  • container.leases.list
  • container.limitRanges.get
  • container.limitRanges.list
  • container.managedCertificates.get
  • container.managedCertificates.list
  • container.mutatingWebhookConfigurations.get
  • container.mutatingWebhookConfigurations.list
  • container.namespaces.get
  • container.namespaces.getStatus
  • container.namespaces.list
  • container.networkPolicies.get
  • container.networkPolicies.list
  • container.nodes.get
  • container.nodes.getStatus
  • container.nodes.list
  • container.operations.*
  • container.persistentVolumeClaims.get
  • container.persistentVolumeClaims.getStatus
  • container.persistentVolumeClaims.list
  • container.persistentVolumes.get
  • container.persistentVolumes.getStatus
  • container.persistentVolumes.list
  • container.petSets.get
  • container.petSets.list
  • container.podDisruptionBudgets.get
  • container.podDisruptionBudgets.getStatus
  • container.podDisruptionBudgets.list
  • container.podPresets.get
  • container.podPresets.list
  • container.podSecurityPolicies.get
  • container.podSecurityPolicies.list
  • container.podTemplates.get
  • container.podTemplates.list
  • container.pods.get
  • container.pods.getStatus
  • container.pods.list
  • container.priorityClasses.get
  • container.priorityClasses.list
  • container.replicaSets.get
  • container.replicaSets.getScale
  • container.replicaSets.getStatus
  • container.replicaSets.list
  • container.replicationControllers.get
  • container.replicationControllers.getScale
  • container.replicationControllers.getStatus
  • container.replicationControllers.list
  • container.resourceQuotas.get
  • container.resourceQuotas.getStatus
  • container.resourceQuotas.list
  • container.roleBindings.get
  • container.roleBindings.list
  • container.roles.get
  • container.roles.list
  • container.runtimeClasses.get
  • container.runtimeClasses.list
  • container.scheduledJobs.get
  • container.scheduledJobs.list
  • container.serviceAccounts.get
  • container.serviceAccounts.list
  • container.services.get
  • container.services.getStatus
  • container.services.list
  • container.statefulSets.get
  • container.statefulSets.getScale
  • container.statefulSets.getStatus
  • container.statefulSets.list
  • container.storageClasses.get
  • container.storageClasses.list
  • container.storageStates.get
  • container.storageStates.getStatus
  • container.storageStates.list
  • container.storageVersionMigrations.get
  • container.storageVersionMigrations.getStatus
  • container.storageVersionMigrations.list
  • container.thirdPartyObjects.get
  • container.thirdPartyObjects.list
  • container.thirdPartyResources.get
  • container.thirdPartyResources.list
  • container.tokenReviews.*
  • container.updateInfos.get
  • container.updateInfos.list
  • container.validatingWebhookConfigurations.get
  • container.validatingWebhookConfigurations.list
  • container.volumeAttachments.get
  • container.volumeAttachments.getStatus
  • container.volumeAttachments.list
  • container.volumeSnapshotClasses.get
  • container.volumeSnapshotClasses.list
  • container.volumeSnapshotContents.get
  • container.volumeSnapshotContents.getStatus
  • container.volumeSnapshotContents.list
  • container.volumeSnapshots.get
  • container.volumeSnapshots.list
  • dlp.jobs.get
  • dlp.jobs.list
  • logging.buckets.get
  • logging.buckets.list
  • logging.exclusions.get
  • logging.exclusions.list
  • logging.locations.*
  • logging.logEntries.list
  • logging.logMetrics.get
  • logging.logMetrics.list
  • logging.logServiceIndexes.*
  • logging.logServices.*
  • logging.logs.list
  • logging.operations.get
  • logging.operations.list
  • logging.queries.create
  • logging.queries.delete
  • logging.queries.get
  • logging.queries.list
  • logging.queries.listShared
  • logging.queries.update
  • logging.sinks.get
  • logging.sinks.list
  • logging.usage.*
  • logging.views.get
  • logging.views.list
  • monitoring.alertPolicies.get
  • monitoring.alertPolicies.list
  • orgpolicy.policy.get
  • recommender.cloudAssetInsights.get
  • recommender.cloudAssetInsights.list
  • recommender.locations.*
  • resourcemanager.folders.get
  • resourcemanager.folders.list
  • resourcemanager.organizations.get
  • resourcemanager.projects.get
  • resourcemanager.projects.getIamPolicy
  • resourcemanager.projects.list
  • securitycenter.assets.*
  • securitycenter.assetsecuritymarks.*
  • securitycenter.containerthreatdetectionsettings.calculate
  • securitycenter.containerthreatdetectionsettings.get
  • securitycenter.eventthreatdetectionsettings.calculate
  • securitycenter.eventthreatdetectionsettings.get
  • securitycenter.findings.*
  • securitycenter.findingsecuritymarks.*
  • securitycenter.notificationconfig.*
  • securitycenter.organizationsettings.get
  • securitycenter.securitycentersettings.get
  • securitycenter.securityhealthanalyticssettings.calculate
  • securitycenter.securityhealthanalyticssettings.get
  • securitycenter.sources.get
  • securitycenter.sources.list
  • securitycenter.sources.update
  • securitycenter.subscription.*
  • securitycenter.userinterfacemetadata.*
  • securitycenter.websecurityscannersettings.calculate
  • securitycenter.websecurityscannersettings.get
  • serviceusage.quotas.get
  • serviceusage.services.get
  • serviceusage.services.list
  • stackdriver.projects.get
  • storage.buckets.get
  • storage.buckets.getIamPolicy
  • storage.buckets.list

Service Directory Service Agent

roles/servicedirectory.serviceAgent

Give the Service Directory service agent access to Cloud Platform resources.

  • container.clusters.get
  • gkehub.features.get
  • gkehub.locations.*
  • gkehub.memberships.get
  • gkehub.memberships.list
  • resourcemanager.projects.get
  • resourcemanager.projects.list
  • servicedirectory.endpoints.create
  • servicedirectory.endpoints.delete
  • servicedirectory.endpoints.get
  • servicedirectory.endpoints.getIamPolicy
  • servicedirectory.endpoints.list
  • servicedirectory.endpoints.update
  • servicedirectory.locations.*
  • servicedirectory.namespaces.associatePrivateZone
  • servicedirectory.namespaces.create
  • servicedirectory.namespaces.delete
  • servicedirectory.namespaces.get
  • servicedirectory.namespaces.getIamPolicy
  • servicedirectory.namespaces.list
  • servicedirectory.namespaces.update
  • servicedirectory.services.create
  • servicedirectory.services.delete
  • servicedirectory.services.get
  • servicedirectory.services.getIamPolicy
  • servicedirectory.services.list
  • servicedirectory.services.resolve
  • servicedirectory.services.update

Service Networking Service Agent

roles/servicenetworking.serviceAgent

Gives permission to manage network configuration, such as establishing network peering, necessary for service producers.

  • compute.globalAddresses.get
  • compute.globalAddresses.list
  • compute.globalOperations.get
  • compute.networks.addPeering
  • compute.networks.create
  • compute.networks.delete
  • compute.networks.get
  • compute.networks.list
  • compute.networks.listPeeringRoutes
  • compute.networks.removePeering
  • compute.networks.update
  • compute.networks.updatePeering
  • compute.networks.updatePolicy
  • compute.projects.get
  • compute.regionOperations.get
  • compute.routers.get
  • compute.routers.list
  • compute.routes.list
  • compute.subnetworks.create
  • compute.subnetworks.delete
  • compute.subnetworks.get
  • compute.subnetworks.list
  • dns.changes.*
  • dns.dnsKeys.*
  • dns.managedZoneOperations.*
  • dns.managedZones.*
  • dns.networks.*
  • dns.policies.create
  • dns.policies.delete
  • dns.policies.get
  • dns.policies.list
  • dns.policies.update
  • dns.projects.*
  • dns.resourceRecordSets.*
  • dns.responsePolicies.*
  • dns.responsePolicyRules.*
  • resourcemanager.projects.get
  • resourcemanager.projects.list

Cloud Source Repositories Service Agent

roles/sourcerepo.serviceAgent

Allow Cloud Source Repositories to integrate with other Cloud services.

  • iam.serviceAccounts.getAccessToken
  • pubsub.topics.publish

Cloud TPU API Service Agent

roles/tpu.serviceAgent

Give the Cloud TPU service account access to managed resources.

  • compute.globalOperations.get
  • compute.networks.addPeering
  • compute.networks.get
  • compute.networks.removePeering
  • compute.networks.update
  • compute.routes.get
  • compute.routes.list
  • compute.subnetworks.get
  • compute.subnetworks.list
  • compute.zones.*
  • monitoring.metricDescriptors.create
  • monitoring.metricDescriptors.get
  • monitoring.metricDescriptors.list
  • monitoring.monitoredResourceDescriptors.*
  • monitoring.timeSeries.create
  • resourcemanager.projects.get
  • resourcemanager.projects.list

Transcoder Service Agent

roles/transcoder.serviceAgent

Downloads and uploads media files from and to customer Cloud Storage buckets. Publishes status updates to customer Pub/Sub.

  • pubsub.topics.publish
  • storage.objects.create
  • storage.objects.delete
  • storage.objects.get
  • transcoder.jobs.delete

Visual Inspection AI Service Agent

roles/visualinspection.serviceAgent

Grants the Visual Inspection AI Service Agent admin roles for accessing/exporting training data, pushing container artifacts to GCR and Artifact Registry, and Vertex AI for storing data and running training jobs.

  • aiplatform.*
  • artifactregistry.*
  • firebase.projects.get
  • resourcemanager.projects.get
  • resourcemanager.projects.list
  • storage.buckets.*
  • storage.multipartUploads.*
  • storage.objects.*

Serverless VPC Access Service Agent

roles/vpcaccess.serviceAgent

Can create and manage resources that let serverless applications connect to a virtual private cloud.

  • billing.accounts.get
  • compute.autoscalers.*
  • compute.disks.create
  • compute.firewalls.*
  • compute.healthChecks.*
  • compute.httpHealthChecks.create
  • compute.httpHealthChecks.delete
  • compute.httpHealthChecks.get
  • compute.httpHealthChecks.list
  • compute.httpHealthChecks.use
  • compute.httpHealthChecks.useReadOnly
  • compute.httpsHealthChecks.create
  • compute.httpsHealthChecks.delete
  • compute.httpsHealthChecks.get
  • compute.httpsHealthChecks.update
  • compute.httpsHealthChecks.use
  • compute.httpsHealthChecks.useReadOnly
  • compute.images.get
  • compute.images.useReadOnly
  • compute.instanceGroupManagers.create
  • compute.instanceGroupManagers.delete
  • compute.instanceGroupManagers.get
  • compute.instanceGroupManagers.update
  • compute.instanceGroupManagers.use
  • compute.instanceGroups.create
  • compute.instanceGroups.delete
  • compute.instanceGroups.get
  • compute.instanceGroups.update
  • compute.instanceTemplates.create
  • compute.instanceTemplates.delete
  • compute.instanceTemplates.get
  • compute.instanceTemplates.useReadOnly
  • compute.instances.create
  • compute.instances.delete
  • compute.instances.get
  • compute.instances.getGuestAttributes
  • compute.instances.list
  • compute.instances.reset
  • compute.instances.setLabels
  • compute.instances.setMetadata
  • compute.instances.setTags
  • compute.instances.start
  • compute.instances.stop
  • compute.instances.use
  • compute.machineTypes.get
  • compute.networks.get
  • compute.networks.use
  • compute.projects.get
  • compute.projects.setCommonInstanceMetadata
  • compute.regionOperations.get
  • compute.regionOperations.list
  • compute.regions.*
  • compute.subnetworks.create
  • compute.subnetworks.delete
  • compute.subnetworks.get
  • compute.subnetworks.list
  • compute.subnetworks.use
  • compute.zoneOperations.get
  • compute.zoneOperations.list
  • compute.zones.*
  • deploymentmanager.compositeTypes.get
  • deploymentmanager.deployments.create
  • deploymentmanager.deployments.delete
  • deploymentmanager.deployments.get
  • deploymentmanager.deployments.list
  • deploymentmanager.deployments.update
  • deploymentmanager.manifests.*
  • deploymentmanager.operations.*
  • deploymentmanager.typeProviders.create
  • deploymentmanager.typeProviders.get
  • logging.logEntries.create
  • logging.logMetrics.create
  • logging.logMetrics.delete
  • logging.logMetrics.get
  • logging.logMetrics.update
  • resourcemanager.projects.get

Cloud Web Security Scanner Service Agent

roles/websecurityscanner.serviceAgent

Gives the Cloud Web Security Scanner service account access to Compute Engine and App Engine details.

  • appengine.applications.get
  • compute.addresses.list
  • compute.backendServices.get
  • compute.forwardingRules.get
  • compute.globalForwardingRules.get
  • compute.sslCertificates.list
  • compute.targetHttpProxies.get
  • compute.targetHttpsProxies.get
  • compute.urlMaps.get

Cloud Workflows Service Agent

roles/workflows.serviceAgent

Gives Cloud Workflows service account access to managed resources.

  • iam.serviceAccounts.get
  • iam.serviceAccounts.getAccessToken
  • iam.serviceAccounts.getOpenIdToken

Admin of Tenancy Units

roles/serviceconsumermanagement.tenancyUnitsAdmin

Administrate tenancy units

  • serviceconsumermanagement.tenancyu.*

Viewer of Tenancy Units

roles/serviceconsumermanagement.tenancyUnitsViewer

View tenancy units

  • serviceconsumermanagement.tenancyu.list

Service Directory Admin

roles/servicedirectory.admin

Full control of all Service Directory resources and permissions.

  • resourcemanager.projects.get
  • resourcemanager.projects.list
  • servicedirectory.endpoints.*
  • servicedirectory.locations.*
  • servicedirectory.namespaces.*
  • servicedirectory.services.*

Service Directory Editor

roles/servicedirectory.editor

Edit Service Directory resources.

  • resourcemanager.projects.get
  • resourcemanager.projects.list
  • servicedirectory.endpoints.create
  • servicedirectory.endpoints.delete
  • servicedirectory.endpoints.get
  • servicedirectory.endpoints.getIamPolicy
  • servicedirectory.endpoints.list
  • servicedirectory.endpoints.update
  • servicedirectory.locations.*
  • servicedirectory.namespaces.associatePrivateZone
  • servicedirectory.namespaces.create
  • servicedirectory.namespaces.delete
  • servicedirectory.namespaces.get
  • servicedirectory.namespaces.getIamPolicy
  • servicedirectory.namespaces.list
  • servicedirectory.namespaces.update
  • servicedirectory.services.create
  • servicedirectory.services.delete
  • servicedirectory.services.get
  • servicedirectory.services.getIamPolicy
  • servicedirectory.services.list
  • servicedirectory.services.resolve
  • servicedirectory.services.update

Private Service Connect Authorized Service

roles/servicedirectory.pscAuthorizedService

Gives access to VPC Networks via Service Directory

  • resourcemanager.projects.get
  • resourcemanager.projects.list
  • servicedirectory.networks.*

Service Directory Viewer

roles/servicedirectory.viewer

View Service Directory resources.

  • resourcemanager.projects.get
  • resourcemanager.projects.list
  • servicedirectory.endpoints.get
  • servicedirectory.endpoints.getIamPolicy
  • servicedirectory.endpoints.list
  • servicedirectory.locations.*
  • servicedirectory.namespaces.get
  • servicedirectory.namespaces.getIamPolicy
  • servicedirectory.namespaces.list
  • servicedirectory.services.get
  • servicedirectory.services.getIamPolicy
  • servicedirectory.services.list
  • servicedirectory.services.resolve

Cloud Run Service Agent

roles/serverless.serviceAgent

Gives Cloud Run service account access to managed resources.

  • artifactregistry.files.*
  • artifactregistry.packages.get
  • artifactregistry.packages.list
  • artifactregistry.repositories.downloadArtifacts
  • artifactregistry.repositories.get
  • artifactregistry.repositories.list
  • artifactregistry.tags.get
  • artifactregistry.tags.list
  • artifactregistry.versions.get
  • artifactregistry.versions.list
  • clientauthconfig.clients.list
  • cloudbuild.builds.create
  • cloudbuild.builds.get
  • compute.globalOperations.get
  • compute.networks.access
  • iam.serviceAccounts.actAs
  • iam.serviceAccounts.getAccessToken
  • iam.serviceAccounts.getOpenIdToken
  • iam.serviceAccounts.signBlob
  • pubsub.subscriptions.create
  • pubsub.subscriptions.delete
  • pubsub.subscriptions.get
  • pubsub.subscriptions.list
  • pubsub.topics.attachSubscription
  • pubsub.topics.create
  • pubsub.topics.delete
  • pubsub.topics.get
  • pubsub.topics.list
  • pubsub.topics.publish
  • resourcemanager.projects.get
  • resourcemanager.projects.getIamPolicy
  • resourcemanager.projects.list
  • run.routes.invoke
  • serviceusage.services.use
  • storage.objects.get
  • storage.objects.list
  • vpcaccess.connectors.get
  • vpcaccess.connectors.use

Service Management Administrator

roles/servicemanagement.admin

Full control of Google Service Management resources.

  • monitoring.timeSeries.list
  • resourcemanager.folders.get
  • resourcemanager.folders.list
  • resourcemanager.organizations.get
  • resourcemanager.projects.get
  • resourcemanager.projects.list
  • serviceconsumermanagement.*
  • servicemanagement.*
  • serviceusage.quotas.get
  • serviceusage.services.get

Service Config Editor

roles/servicemanagement.configEditor

Access to update the service config and create rollouts.

  • servicemanagement.services.get
  • servicemanagement.services.update

Quota Administrator

roles/servicemanagement.quotaAdmin

Provides access to administer service quotas.

  • monitoring.timeSeries.list
  • resourcemanager.organizations.get
  • resourcemanager.projects.get
  • resourcemanager.projects.list
  • serviceusage.quotas.*
  • serviceusage.services.disable
  • serviceusage.services.enable
  • serviceusage.services.get
  • serviceusage.services.list

Quota Viewer

roles/servicemanagement.quotaViewer

Provides access to view service quotas.

  • monitoring.timeSeries.list
  • serviceusage.quotas.get
  • serviceusage.services.get
  • serviceusage.services.list

Service Reporter

roles/servicemanagement.reporter

Can report usage of a service during runtime.

  • servicemanagement.services.report

Service Consumer

roles/servicemanagement.serviceConsumer

Can enable the service.

  • servicemanagement.services.bind

Service Controller

roles/servicemanagement.serviceController

Can check preconditions and report usage of a service during runtime.

  • servicemanagement.services.check
  • servicemanagement.services.get
  • servicemanagement.services.quota
  • servicemanagement.services.report

Service Networking Admin

roles/servicenetworking.networksAdmin

Full control of service networking with projects.

  • servicenetworking.*

API Keys Admin

roles/serviceusage.apiKeysAdmin

Ability to create, delete, update, get and list API keys for a project.

  • apikeys.*
  • serviceusage.apiKeys.*
  • serviceusage.operations.get

API Keys Viewer

roles/serviceusage.apiKeysViewer

Ability to get and list API keys for a project.

  • apikeys.keys.get
  • apikeys.keys.list
  • apikeys.keys.lookup

Service Usage Admin

roles/serviceusage.serviceUsageAdmin

Ability to enable, disable, and inspect service states, inspect operations, and consume quota and billing for a consumer project.

  • monitoring.timeSeries.list
  • serviceusage.operations.*
  • serviceusage.quotas.*
  • serviceusage.services.*

Service Usage Consumer

roles/serviceusage.serviceUsageConsumer

Ability to inspect service states and operations, and consume quota and billing for a consumer project.

  • monitoring.timeSeries.list
  • serviceusage.operations.get
  • serviceusage.operations.list
  • serviceusage.quotas.get
  • serviceusage.services.get
  • serviceusage.services.list
  • serviceusage.services.use

Service Usage Viewer

roles/serviceusage.serviceUsageViewer

Ability to inspect service states and operations for a consumer project.

  • monitoring.timeSeries.list
  • serviceusage.operations.get
  • serviceusage.operations.list
  • serviceusage.quotas.get
  • serviceusage.services.get
  • serviceusage.services.list

Source Repository Administrator

roles/source.admin

Provides permissions to create, update, delete, list, clone, fetch, and browse repositories. Also provides permissions to read and change IAM policies.

  • source.*

Source Repository Reader

roles/source.reader

Provides permissions to list, clone, fetch, and browse repositories.

  • source.repos.get
  • source.repos.list

Source Repository Writer

roles/source.writer

Provides permissions to list, clone, fetch, browse, and update repositories.

  • source.repos.get
  • source.repos.list
  • source.repos.update

Stackdriver Accounts Editor

roles/stackdriver.accounts.editor

Read/write access to manage Stackdriver account structure.

  • resourcemanager.projects.get
  • resourcemanager.projects.list
  • serviceusage.services.enable
  • stackdriver.projects.*

Stackdriver Accounts Viewer

roles/stackdriver.accounts.viewer

Read-only access to get and list information about Stackdriver account structure.

  • resourcemanager.projects.get
  • resourcemanager.projects.list
  • stackdriver.projects.get

Stackdriver Resource Metadata Writer

roles/stackdriver.resourceMetadata.writer

Write-only access to resource metadata. This provides exactly the permissions needed by the Stackdriver metadata agent and other systems that send metadata.

  • stackdriver.resourceMetadata.*

Support Account Administrator

roles/cloudsupport.admin

Allows management of a support account without giving access to support cases. See the Cloud Support documentation for more information.

  • cloudsupport.accounts.*
  • cloudsupport.operations.*
  • cloudsupport.properties.*
  • resourcemanager.organizations.get

Tech Support Editor

roles/cloudsupport.techSupportEditor

Full read-write access to technical support cases (applicable for GCP Customer Care and Maps support).

  • cloudsupport.properties.*
  • cloudsupport.techCases.*
  • resourcemanager.projects.get
  • resourcemanager.projects.list

Tech Support Viewer

roles/cloudsupport.techSupportViewer

Read-only access to technical support cases (applicable for GCP Customer Care and Maps support).

  • cloudsupport.properties.*
  • cloudsupport.techCases.get
  • cloudsupport.techCases.list
  • resourcemanager.projects.get
  • resourcemanager.projects.list

Support Account Viewer

roles/cloudsupport.viewer

Read-only access to details of a support account. This does not allow viewing cases.

  • cloudsupport.accounts.get
  • cloudsupport.accounts.getUserRoles
  • cloudsupport.accounts.list
  • cloudsupport.properties.*

Dell EMC Cloud OneFS Admin

roles/dellemccloudonefs.admin

This role is managed by Dell EMC, not Google.

  • cloudonefs.isiloncloud.com/*
  • resourcemanager.projects.get
  • resourcemanager.projects.list

Dell EMC Cloud OneFS User

roles/dellemccloudonefs.user

This role is managed by Dell EMC, not Google.

  • cloudonefs.isiloncloud.com/clusters.create
  • cloudonefs.isiloncloud.com/clusters.delete
  • cloudonefs.isiloncloud.com/clusters.get
  • cloudonefs.isiloncloud.com/clusters.list
  • cloudonefs.isiloncloud.com/clusters.update
  • cloudonefs.isiloncloud.com/fileshares.*
  • resourcemanager.projects.get
  • resourcemanager.projects.list

Dell EMC Cloud OneFS Viewer

roles/dellemccloudonefs.viewer

This role is managed by Dell EMC, not Google.

  • cloudonefs.isiloncloud.com/clusters.get
  • cloudonefs.isiloncloud.com/clusters.list
  • cloudonefs.isiloncloud.com/fileshares.get
  • cloudonefs.isiloncloud.com/fileshares.list
  • resourcemanager.projects.get
  • resourcemanager.projects.list

NetApp Cloud Volumes Admin

roles/netappcloudvolumes.admin

This role is managed by NetApp, not Google.

  • cloudvolumesgcp-api.netapp.com/*
  • resourcemanager.projects.get
  • resourcemanager.projects.list

NetApp Cloud Volumes Viewer

roles/netappcloudvolumes.viewer

This role is managed by NetApp, not Google.

  • cloudvolumesgcp-api.netapp.com/activeDirectories.get
  • cloudvolumesgcp-api.netapp.com/activeDirectories.list
  • cloudvolumesgcp-api.netapp.com/ipRanges.*
  • cloudvolumesgcp-api.netapp.com/jobs.*
  • cloudvolumesgcp-api.netapp.com/regions.*
  • cloudvolumesgcp-api.netapp.com/serviceLevels.*
  • cloudvolumesgcp-api.netapp.com/snapshots.get
  • cloudvolumesgcp-api.netapp.com/snapshots.list
  • cloudvolumesgcp-api.netapp.com/volumes.get
  • cloudvolumesgcp-api.netapp.com/volumes.list
  • resourcemanager.projects.get
  • resourcemanager.projects.list

Redis Enterprise Cloud Admin

roles/redisenterprisecloud.admin

This role is managed by Redis Labs, not Google.

  • gcp.redisenterprise.com/*
  • resourcemanager.projects.get
  • resourcemanager.projects.list

Redis Enterprise Cloud Viewer

roles/redisenterprisecloud.viewer

This role is managed by Redis Labs, not Google.

  • gcp.redisenterprise.com/databases.get
  • gcp.redisenterprise.com/databases.list
  • gcp.redisenterprise.com/subscriptions.get
  • gcp.redisenterprise.com/subscriptions.list
  • resourcemanager.projects.get
  • resourcemanager.projects.list

Transcoder Admin

roles/transcoder.admin

Full access to all transcoder resources.

  • resourcemanager.projects.get
  • resourcemanager.projects.list
  • transcoder.*

Transcoder Viewer

roles/transcoder.viewer

Viewer of all transcoder resources.

  • resourcemanager.projects.get
  • resourcemanager.projects.list
  • transcoder.jobTemplates.get
  • transcoder.jobTemplates.list
  • transcoder.jobs.get
  • transcoder.jobs.list

Vertex AI Administrator

roles/aiplatform.admin

Grants full access to all resources in Vertex AI

  • aiplatform.*
  • resourcemanager.projects.get
  • resourcemanager.projects.list

Vertex AI Feature Store Admin

roles/aiplatform.featurestoreAdmin

Grants full access to all resources in Vertex AI Feature Store

  • aiplatform.entityTypes.*
  • aiplatform.features.*
  • aiplatform.featurestores.*
  • aiplatform.operations.*
  • resourcemanager.projects.get
  • resourcemanager.projects.list

Vertex AI Feature Store Data Viewer

roles/aiplatform.featurestoreDataViewer

This role provides permissions to read Feature data.

  • aiplatform.entityTypes.get
  • aiplatform.entityTypes.readFeatureValues
  • aiplatform.entityTypes.streamingReadFeatureValues
  • aiplatform.features.get
  • aiplatform.features.list
  • aiplatform.featurestores.batchReadFeatureValues

Vertex AI Feature Store Data Writer

roles/aiplatform.featurestoreDataWriter

This role provides permissions to read and write Feature data.

  • aiplatform.entityTypes.get
  • aiplatform.entityTypes.importFeatureValues
  • aiplatform.entityTypes.readFeatureValues
  • aiplatform.entityTypes.streamingReadFeatureValues
  • aiplatform.entityTypes.writeFeatureValues
  • aiplatform.features.get
  • aiplatform.features.list
  • aiplatform.featurestores.batchReadFeatureValues

Vertex AI Feature Store Instance Creator

roles/aiplatform.featurestoreInstanceCreator

Administrator of Featurestore resources, but not the child resources under Featurestores.

  • aiplatform.featurestores.create
  • aiplatform.featurestores.delete
  • aiplatform.featurestores.get
  • aiplatform.featurestores.list
  • aiplatform.featurestores.update

Vertex AI Feature Store Resource Editor

roles/aiplatform.featurestoreResourceEditor

Manage all resources within Featurestores, but cannot create or update the Featurestores.

  • aiplatform.entityTypes.create
  • aiplatform.entityTypes.delete
  • aiplatform.entityTypes.get
  • aiplatform.entityTypes.list
  • aiplatform.entityTypes.update
  • aiplatform.features.*
  • aiplatform.featurestores.get
  • aiplatform.featurestores.list
  • aiplatform.operations.*

Vertex AI Feature Store Resource Viewer

roles/aiplatform.featurestoreResourceViewer

Viewer of all resources in Vertex AI Feature Store but cannot make changes.

  • aiplatform.entityTypes.get
  • aiplatform.entityTypes.list
  • aiplatform.features.get
  • aiplatform.features.list
  • aiplatform.featurestores.get
  • aiplatform.featurestores.list
  • aiplatform.operations.*

Vertex AI Feature Store User

roles/aiplatform.featurestoreUser

Deprecated. Use featurestoreAdmin instead.

  • aiplatform.entityTypes.*
  • aiplatform.features.*
  • aiplatform.featurestores.*
  • aiplatform.operations.*
  • resourcemanager.projects.get
  • resourcemanager.projects.list

Vertex AI Migration Service User

roles/aiplatform.migrator

Grants access to use migration service in Vertex AI

  • aiplatform.migratableResources.*

Vertex AI User

roles/aiplatform.user

Grants access to use all resources in Vertex AI

  • aiplatform.annotationSpecs.*
  • aiplatform.annotations.*
  • aiplatform.artifacts.*
  • aiplatform.batchPredictionJobs.*
  • aiplatform.contexts.*
  • aiplatform.customJobs.*
  • aiplatform.dataItems.*
  • aiplatform.dataLabelingJobs.*
  • aiplatform.datasets.*
  • aiplatform.edgeDeploymentJobs.*
  • aiplatform.edgeDeviceDebugInfo.*
  • aiplatform.edgeDevices.*
  • aiplatform.endpoints.*
  • aiplatform.entityTypes.*
  • aiplatform.executions.*
  • aiplatform.features.*
  • aiplatform.featurestores.*
  • aiplatform.humanInTheLoops.*
  • aiplatform.hyperparameterTuningJobs.*
  • aiplatform.indexEndpoints.*
  • aiplatform.indexes.*
  • aiplatform.locations.*
  • aiplatform.metadataSchemas.*
  • aiplatform.metadataStores.*
  • aiplatform.modelDeploymentMonitoringJobs.*
  • aiplatform.modelEvaluationSlices.*
  • aiplatform.modelEvaluations.*
  • aiplatform.models.*
  • aiplatform.nasJobs.*
  • aiplatform.operations.*
  • aiplatform.pipelineJobs.*
  • aiplatform.specialistPools.*
  • aiplatform.studies.*
  • aiplatform.tensorboardExperiments.*
  • aiplatform.tensorboardRuns.*
  • aiplatform.tensorboardTimeSeries.*
  • aiplatform.tensorboards.*
  • aiplatform.trainingPipelines.*
  • aiplatform.trials.*
  • resourcemanager.projects.get
  • resourcemanager.projects.list

Vertex AI Viewer

roles/aiplatform.viewer

Grants access to view all resources in Vertex AI

  • aiplatform.annotationSpecs.get
  • aiplatform.annotationSpecs.list
  • aiplatform.annotations.get
  • aiplatform.annotations.list
  • aiplatform.artifacts.get
  • aiplatform.artifacts.list
  • aiplatform.batchPredictionJobs.get
  • aiplatform.batchPredictionJobs.list
  • aiplatform.contexts.get
  • aiplatform.contexts.list
  • aiplatform.contexts.queryContextLineageSubgraph
  • aiplatform.customJobs.get
  • aiplatform.customJobs.list
  • aiplatform.dataItems.get
  • aiplatform.dataItems.list
  • aiplatform.dataLabelingJobs.get
  • aiplatform.dataLabelingJobs.list
  • aiplatform.datasets.get
  • aiplatform.datasets.list
  • aiplatform.edgeDeploymentJobs.get
  • aiplatform.edgeDeploymentJobs.list
  • aiplatform.edgeDeviceDebugInfo.*
  • aiplatform.edgeDevices.get
  • aiplatform.edgeDevices.list
  • aiplatform.endpoints.get
  • aiplatform.endpoints.list
  • aiplatform.entityTypes.get
  • aiplatform.entityTypes.list
  • aiplatform.executions.get
  • aiplatform.executions.list
  • aiplatform.executions.queryExecutionInputsAndOutputs
  • aiplatform.features.get
  • aiplatform.features.list
  • aiplatform.featurestores.get
  • aiplatform.featurestores.list
  • aiplatform.humanInTheLoops.get
  • aiplatform.humanInTheLoops.list
  • aiplatform.hyperparameterTuningJobs.get
  • aiplatform.hyperparameterTuningJobs.list
  • aiplatform.indexEndpoints.get
  • aiplatform.indexEndpoints.list
  • aiplatform.indexes.get
  • aiplatform.indexes.list
  • aiplatform.locations.*
  • aiplatform.metadataSchemas.get
  • aiplatform.metadataSchemas.list
  • aiplatform.metadataStores.get
  • aiplatform.metadataStores.list
  • aiplatform.modelDeploymentMonitoringJobs.get
  • aiplatform.modelDeploymentMonitoringJobs.list
  • aiplatform.modelDeploymentMonitoringJobs.searchStatsAnomalies
  • aiplatform.modelEvaluationSlices.*
  • aiplatform.modelEvaluations.get
  • aiplatform.modelEvaluations.list
  • aiplatform.models.get
  • aiplatform.models.list
  • aiplatform.nasJobs.get
  • aiplatform.nasJobs.list
  • aiplatform.operations.*
  • aiplatform.pipelineJobs.get
  • aiplatform.pipelineJobs.list
  • aiplatform.specialistPools.get
  • aiplatform.specialistPools.list
  • aiplatform.specialistPools.update
  • aiplatform.studies.get
  • aiplatform.studies.list
  • aiplatform.tensorboardExperiments.get
  • aiplatform.tensorboardExperiments.list
  • aiplatform.tensorboardRuns.get
  • aiplatform.tensorboardRuns.list
  • aiplatform.tensorboardTimeSeries.get
  • aiplatform.tensorboardTimeSeries.list
  • aiplatform.tensorboardTimeSeries.read
  • aiplatform.tensorboards.get
  • aiplatform.tensorboards.list
  • aiplatform.trainingPipelines.get
  • aiplatform.trainingPipelines.list
  • aiplatform.trials.get
  • aiplatform.trials.list
  • resourcemanager.projects.get
  • resourcemanager.projects.list

VMware Engine Service Admin

roles/vmwareengine.vmwareengineAdmin

Admin has full access to VMware Engine Service

  • resourcemanager.projects.get
  • resourcemanager.projects.list
  • vmwareengine.*

VMware Engine Service Viewer

roles/vmwareengine.vmwareengineViewer

Viewer has read-only access to VMware Engine Service

  • resourcemanager.projects.get
  • resourcemanager.projects.list
  • vmwareengine.services.view

Workflows Admin

roles/workflows.admin

Full access to workflows and related resources.

  • resourcemanager.projects.get
  • resourcemanager.projects.list
  • workflows.*

Workflows Editor

roles/workflows.editor

Read and write access to workflows and related resources.

  • resourcemanager.projects.get
  • resourcemanager.projects.list
  • workflows.executions.*
  • workflows.locations.*
  • workflows.operations.*
  • workflows.workflows.create
  • workflows.workflows.delete
  • workflows.workflows.get
  • workflows.workflows.getIamPolicy
  • workflows.workflows.list
  • workflows.workflows.update

Workflows Invoker

roles/workflows.invoker

Access to execute workflows and manage the executions.

  • resourcemanager.projects.get
  • resourcemanager.projects.list
  • workflows.executions.*

Workflows Viewer

roles/workflows.viewer

Read-only access to workflows and related resources.

  • resourcemanager.projects.get
  • resourcemanager.projects.list
  • workflows.executions.get
  • workflows.executions.list
  • workflows.locations.*
  • workflows.operations.get
  • workflows.operations.list
  • workflows.workflows.get
  • workflows.workflows.getIamPolicy
  • workflows.workflows.list

IAM Workload Identity Pool Admin

roles/iam.workloadIdentityPoolAdmin

Full rights to create and manage workload identity pools.

  • iam.workloadIdentityPoolProviders.*
  • iam.workloadIdentityPools.*
  • resourcemanager.projects.get
  • resourcemanager.projects.list

IAM Workload Identity Pool Viewer

roles/iam.workloadIdentityPoolViewer

Read access to workload identity pools.

  • iam.googleapis.com/workloadIdentityPoolProviders.get
  • iam.googleapis.com/workloadIdentityPoolProviders.list
  • iam.googleapis.com/workloadIdentityPools.get
  • iam.googleapis.com/workloadIdentityPools.list
  • resourcemanager.projects.get
  • resourcemanager.projects.list