The tables in this section describe the predefined roles and their permissions. The tables contain the following columns:
- Name: The name of the role as displayed in the user interface (UI).
- Kubernetes resource name: The name of the corresponding Kubernetes custom resource.
- Level: Whether this role is scoped to the organization or to a project.
- Type: The type of this role. For example, some possible values are `Role`, `ProjectRole`, `ClusterRole`, or `OrganizationRole`.
- Binding type: The type of binding that you must apply to this role.
- Admin or user cluster permissions: The permissions that this role has in admin or user clusters. For example, some possible values are read, write, read and write, or not applicable (N/A).
- Escalates to: Whether this role escalates to other roles.
AO persona, predefined identity, and access roles

Name | Kubernetes resource name | Initial admin | Level | Type |
---|---|---|---|---|
Project IAM Admin | project-iam-admin | True | Project | Role |
AI OCR Developer | ai-ocr-developer | False | Project | Role |
AI Platform Viewer | ai-platform-viewer | False | Project | Role |
AI Speech Developer | ai-speech-developer | False | Project | Role |
AI Translation Developer | ai-translation-developer | False | Project | Role |
Artifact Management Admin | artifact-management-admin | False | Project | Role |
Artifact Management Editor | artifact-management-editor | False | Project | Role |
Backup Creator | backup-creator | False | Project | ProjectRole |
Dashboard Editor | dashboard-editor | False | Project | Role |
Dashboard Viewer | dashboard-viewer | False | Project | Role |
K8s NetworkPolicy Admin | k8s-networkpolicy-admin | False | Project | ProjectRole |
KMS Admin | kms-admin | False | Project | Role |
KMS Creator | kms-creator | False | Project | Role |
KMS Developer | kms-developer | False | Project | Role |
KMS Key Export Admin | kms-keyexport-admin | False | Project | Role |
KMS Key Import Admin | kms-keyimport-admin | False | Project | Role |
KMS Viewer | kms-viewer | False | Project | Role |
Kubernetes Network Policy Admin | k8s-networkpolicy-admin | False | Project | ProjectRole |
Marketplace Editor | marketplace-editor | False | Project | Role |
MonitoringRule Editor | monitoringrule-editor | False | Project | Role |
MonitoringRule Viewer | monitoringrule-viewer | False | Project | Role |
MonitoringTarget Editor | monitoringtarget-editor | False | Project | Role |
MonitoringTarget Viewer | monitoringtarget-viewer | False | Project | Role |
Namespace Admin | namespace-admin | False | Project | ProjectRole |
NAT Viewer | nat-viewer | False | Project | ProjectRole |
ObservabilityPipeline Editor | observabilitypipeline-editor | False | Project | Role |
ObservabilityPipeline Viewer | observabilitypipeline-viewer | False | Project | Role |
Project Bucket Admin | project-bucket-admin | False | Project | Role |
Project Bucket Object Admin | project-bucket-object-admin | False | Project | Role |
Project Bucket Object Viewer | project-bucket-object-viewer | False | Project | Role |
Project NetworkPolicy Admin | project-networkpolicy-admin | False | Project | Role |
Project DB Admin | project-db-admin | False | Project | Role |
Project DB Editor | project-db-editor | False | Project | Role |
Project DB Viewer | project-db-viewer | False | Project | Role |
Project Viewer | project-viewer | False | Project | Role |
Project VirtualMachine Admin | project-vm-admin | False | Project | Role |
Project VirtualMachine Image Admin | project-vm-image-admin | False | Project | Role |
Secret Admin | secret-admin | False | Project | Role |
Secret Viewer | secret-viewer | False | Project | Role |
Service Configuration Admin | service-configuration-admin | False | Project | Role |
Service Configuration Viewer | service-configuration-viewer | False | Project | Role |
Vertex AI Prediction User | vertex-ai-prediction-user | False | Project | Role |
Workbench Notebooks Admin | workbench-notebooks-admin | False | Project | Role |
Workbench Notebooks Viewer | workbench-notebooks-viewer | False | Project | Role |

Name | Binding type | Org admin cluster permissions | User cluster permissions | Escalates to |
---|---|---|---|---|
Project IAM Admin | RoleBinding | | N/A | All other AO roles |
AI OCR Developer | RoleBinding | OCR resources: Read and write | N/A | N/A |
AI Speech Developer | RoleBinding | Speech resources: Read and write | N/A | N/A |
AI Translation Developer | RoleBinding | Translation resources: Read and write | N/A | N/A |
Backup Creator | ProjectRoleBinding | N/A | | N/A |
Dashboard Editor | RoleBinding | Dashboard custom resources: Get, read, create, update, delete, and patch | N/A | N/A |
Dashboard Viewer | RoleBinding | `Dashboard`: Get and read | N/A | N/A |
K8s NetworkPolicy Admin | ProjectRoleBinding | NetworkPolicy resources: Create, read, get, update, delete, and patch | N/A | N/A |
KMS Admin | RoleBinding | | N/A | N/A |
KMS Creator | RoleBinding | `AEADKey` and `SigningKey`: Create and read | N/A | N/A |
KMS Developer | RoleBinding | | N/A | N/A |
KMS Key Export Admin | RoleBinding | KeyExport resource: Create, read, update, patch, and delete | N/A | N/A |
KMS Key Import Admin | RoleBinding | KeyImport resource: Create, read, update, patch, and delete | N/A | N/A |
KMS Viewer | RoleBinding | `AEADKey`, `SigningKey`, `KeyImport`, `KeyExport`: Read | N/A | N/A |
Kubernetes Network Policy Admin | ProjectRoleBinding | N/A | Kubernetes network policies: Read and write in the user cluster | N/A |
Marketplace Editor | RoleBinding | N/A | Service instances: Create, update, and delete | N/A |
MonitoringRule Editor | RoleBinding | MonitoringRule custom resources: Create, read, update, delete, and patch | N/A | N/A |
MonitoringRule Viewer | RoleBinding | MonitoringRule custom resources: Read | N/A | N/A |
MonitoringTarget Editor | RoleBinding | MonitoringTarget custom resources: Create, read, update, delete, and patch | N/A | N/A |
MonitoringTarget Viewer | RoleBinding | MonitoringTarget custom resources: Read | N/A | N/A |
Namespace Admin | ProjectRoleBinding | N/A | All resources: Read and write access in the project namespace, excluding the system cluster | N/A |
NAT Viewer | ProjectRoleBinding | N/A | Deployments: Get and read | N/A |
ObservabilityPipeline Editor | RoleBinding | ObservabilityPipeline resources: Get, read, create, update, delete, and patch | N/A | N/A |
ObservabilityPipeline Viewer | RoleBinding | ObservabilityPipeline resources: Get and read | N/A | N/A |
Project Bucket Admin | RoleBinding | Bucket: Read and write in the project namespace | N/A | N/A |
Project Bucket Object Admin | RoleBinding | | N/A | N/A |
Project Bucket Object Viewer | RoleBinding | Bucket and objects: Read | N/A | N/A |
Project NetworkPolicy Admin | RoleBinding | Project network policies: Read and write in the project namespace | N/A | N/A |
Project DB Admin | RoleBinding | | N/A | N/A |
Project DB Editor | RoleBinding | | N/A | N/A |
Project DB Viewer | RoleBinding | Database versions, flags, maintenance policies, software libraries, backup plans, restores, imports, exports, database clusters, and failovers: Read | N/A | N/A |
Project Viewer | RoleBinding | All resources in the project namespace: Read | N/A | N/A |
Project VirtualMachine Admin | RoleBinding | | N/A | N/A |
Project VirtualMachine Image Admin | RoleBinding | | N/A | N/A |
Secret Admin | RoleBinding | Kubernetes secrets: Read, create, update, delete, and patch | N/A | N/A |
Secret Viewer | RoleBinding | Kubernetes secrets: Read | N/A | N/A |
Service Configuration Admin | RoleBinding | `ServiceConfigurations`: Read and write | N/A | N/A |
Service Configuration Viewer | RoleBinding | `ServiceConfigurations`: Read | N/A | N/A |
Workbench Notebooks Admin | RoleBinding | N/A | | N/A |
Workbench Notebooks Viewer | RoleBinding | N/A | | N/A |
Common predefined identity and access roles

Name | Kubernetes resource name | Initial admin | Level | Type |
---|---|---|---|---|
AI Platform Viewer | ai-platform-viewer | False | Project | Role |
DB UI Viewer | db-ui-viewer | False | Project | ClusterRole |
DB Options Viewer | db-options-viewer | False | Project | ClusterRole |
DNS Suffix Viewer | dnssuffix-viewer | False | Organization | Role |
Flow Log Admin | flowlog-admin | False | Organization | ClusterRole |
Flow Log Viewer | flowlog-viewer | False | Project | ClusterRole |
Marketplace Viewer | marketplace-viewer | False | Project | ClusterRole |
Pricing Calculator User | pricingcalculator-user | False | Project | ClusterRole |
Project Discovery Viewer | projectdiscovery-viewer | False | Project | ClusterRole |
Public Image Viewer | public-image-viewer | False | Organization | Role |
Virtual Machine Type Viewer | virtualmachinetype-viewer | True | Organization | OrganizationRole |
VM Type Viewer | vmtype-viewer | False | Organization | Role |

Name | Binding type | Admin cluster permissions | User cluster permissions | Escalates to |
---|---|---|---|---|
AI Platform Viewer | RoleBinding | Pre-trained services: Read | N/A | N/A |
DB Options Viewer | ClusterRoleBinding | DBS configurations: Read | N/A | N/A |
DB UI Viewer | ClusterRoleBinding | DBS UI configurations: Read | N/A | N/A |
DNS Suffix Viewer | RoleBinding | DNS suffix config maps: Read | N/A | N/A |
Flow Log Admin | ClusterRoleBinding | Flow log resources: Get and read | Flow log resources: Get and read | N/A |
Flow Log Viewer | ClusterRoleBinding | Flow log resources: Create, get, read, patch, update, and delete | Flow log resources: Create, get, read, patch, update, and delete | N/A |
Marketplace Viewer | ClusterRoleBinding | Service versions and service instances: Read | N/A | N/A |
Pricing Calculator User | ClusterRoleBinding | N/A | `SkuDescriptions`: Read | N/A |
Project Discovery Viewer | ClusterRoleBinding | Projects: Read | N/A | N/A |
Public Image Viewer | RoleBinding | VM images: Read | N/A | N/A |
VM Type Viewer | ClusterRoleBinding | VM types: Read | N/A | N/A |