| Name | Management API server permissions | Kubernetes cluster permissions | Escalates to |
| --- | --- | --- | --- |
| AI OCR Developer | OCR resources: Read and write | N/A | N/A |
| AI Speech Chirp Developer | Speech Chirp resources: Read and write | N/A | N/A |
| AI Speech Developer | Speech resources: Read and write | N/A | N/A |
| AI Text Embedding Developer | Text Embedding resources: Read and write | N/A | N/A |
| AI Text Embedding Multilingual Developer | Text Embedding Multilingual resources: Read and write | N/A | N/A |
| AI Translation Developer | Translation resources: Read and write | N/A | N/A |
| Backup Creator | N/A | Manual backups and restores: Create, read, and delete<br>Backups, restores, backup plans, and restore plans, volume backups, volume restores, delete backup requests: Read | N/A |
| Certificate Authority Service Admin | Certificate authorities and certificate requests: Get, list, watch, update, create, delete, and patch | N/A | N/A |
| Custom Role Project Admin | RoleBinding: Create, read, update, and delete<br>List project namespace | N/A | All other AO roles |
| Dashboard Editor | Dashboard custom resources: Get, read, create, update, delete, and patch | N/A | N/A |
| Dashboard Viewer | Dashboard: Get and read | N/A | N/A |
| Discovery Engine Admin | Discovery Engine: Get, read, create, update, delete, and patch | N/A | N/A |
| Discovery Engine Developer | Discovery Engine: Get and read | N/A | N/A |
| Discovery Engine Reader | Discovery Engine: Read | N/A | N/A |
| Global Load Balancer Admin | N/A | HealthCheck: Get, watch, list, create, patch, update, and delete<br>BackendService: Get, watch, list, create, patch, update, and delete<br>ForwardingRuleExternal: Get, watch, list, create, patch, update, and delete<br>ForwardingRuleInternal: Get, watch, list, create, patch, update, and delete | N/A |
| Harbor Instance Admin | Harbor instances: Create, read, update, delete, and patch | N/A | N/A |
| Harbor Instance Viewer | Harbor instances: Read | N/A | N/A |
| Harbor Project Creator | Harbor instance projects: Create, get, and watch | N/A | N/A |
| K8s NetworkPolicy Admin | NetworkPolicy resources: Create, read, get, update, delete, and patch | N/A | N/A |
| KMS Admin | AEADKey: Create, read, update, delete, patch, encrypt, and decrypt<br>SigningKey: Create, read, update, delete, patch, and sign<br>KeyImport and KeyExport: Read | N/A | N/A |
| KMS Creator | AEADKey and SigningKey: Create and read | N/A | N/A |
| KMS Developer | AEADKey in the project namespace: Read, encrypt, and decrypt<br>SigningKey in the project namespace: Read and sign | N/A | N/A |
| KMS Key Export Admin | KeyExport resource: Create, read, update, patch, and delete | N/A | N/A |
| KMS Key Import Admin | KeyImport resource: Create, read, update, patch, and delete | N/A | N/A |
| KMS Viewer | AEADKey, SigningKey, KeyImport, KeyExport: Read | N/A | N/A |
| Load Balancer Admin | N/A | Backend: Get, watch, list, create, patch, update, and delete<br>HealthCheck: Get, watch, list, create, patch, update, and delete<br>BackendService: Get, watch, list, create, patch, update, and delete<br>ForwardingRuleExternal: Get, watch, list, create, patch, update, and delete<br>ForwardingRuleInternal: Get, watch, list, create, patch, update, and delete | N/A |
| LoggingRule Creator | LoggingRule custom resources: Create, read, update, delete, and patch | N/A | N/A |
| LoggingRule Editor | LoggingRule custom resources: Create, read, update, delete, and patch | N/A | N/A |
| LoggingRule Viewer | LoggingRule custom resources: Read | N/A | N/A |
| LoggingTarget Creator | LoggingTarget custom resources: Create, read, update, delete, and patch | N/A | N/A |
| LoggingTarget Editor | LoggingTarget custom resources: Create, read, update, delete, and patch | N/A | N/A |
| LoggingTarget Viewer | LoggingTarget custom resources: Read | N/A | N/A |
| Marketplace Editor | N/A | Service instances: Create, update, and delete | N/A |
| MonitoringRule Editor | MonitoringRule custom resources: Create, read, update, delete, and patch | N/A | N/A |
| MonitoringRule Viewer | MonitoringRule custom resources: Read | N/A | N/A |
| MonitoringTarget Editor | MonitoringTarget custom resources: Create, read, update, delete, and patch | N/A | N/A |
| MonitoringTarget Viewer | MonitoringTarget custom resources: Read | N/A | N/A |
| Namespace Admin | N/A | All resources: Read and write access in the project namespace | N/A |
| NAT Viewer | N/A | Deployments: Get and read | N/A |
| ObservabilityPipeline Editor | ObservabilityPipeline resources: Get, read, create, update, delete, and patch | N/A | N/A |
| ObservabilityPipeline Viewer | ObservabilityPipeline resources: Get and read | N/A | N/A |
| Project Bucket Admin | Bucket: Read and write in the project namespace | N/A | N/A |
| Project Bucket Object Admin | Bucket: Read<br>Objects: Read and write | N/A | N/A |
| Project Bucket Object Viewer | Bucket and objects: Read | N/A | N/A |
| Project IAM Admin | IAMRoleBinding and IAMRole: Create, read, update, delete, and bind<br>ProjectServiceAccount: Create, read, update, and delete<br>List project namespace | N/A | All other AO roles |
| Project NetworkPolicy Admin | Project network policies: Read and write in the project namespace | N/A | N/A |
| Project DB Admin | Database versions, flags, maintenance policies, software libraries, and database project properties: Read<br>Backup plans and database clusters: Create, read, update, and delete<br>Imports, exports, and restores: Create, read, and delete<br>Secrets: Create, delete, and update<br>Migrations and external servers: Create, read, update, delete, and patch | N/A | N/A |
| Project DB Editor | Database versions, flags, maintenance policies, software libraries, backup plans, and restores: Read<br>Imports: Create, read, and delete<br>Database clusters: Read and update<br>Secrets: Create and delete | N/A | N/A |
| Project DB Viewer | Database versions, flags, maintenance policies, software libraries, backup plans, restores, imports, exports, database clusters, and failovers: Read | N/A | N/A |
| Project Viewer | All resources in the project namespace: Read | N/A | N/A |
| Project VirtualMachine Admin | Virtual machines, disks, access requests, external access, backup requests, backups, restore requests, delete backup requests, restores, and password reset requests: Read, create, update, and delete<br>Virtual machine restart: Put<br>Virtual machine images, backup plans, and backup plan templates: Read | N/A | N/A |
| Project VirtualMachine Image Admin | VM images: Read<br>VM image imports: Read and write<br>Buckets: Create<br>"vm-images-bucket" Bucket: Read and write | N/A | N/A |
| Secret Admin | Kubernetes secrets: Read, create, update, delete, and patch | N/A | N/A |
| Secret Viewer | Kubernetes secrets: Read | N/A | N/A |
| Service Configuration Admin | ServiceConfigurations: Read and write | N/A | N/A |
| Service Configuration Viewer | ServiceConfigurations: Read | N/A | N/A |
| Subnet Project Admin | Subnets: Create, read, update, and delete | N/A | N/A |
| Subnet Project Operator | Subnets: Create, read, update, and delete | N/A | N/A |
| Vertex AI Prediction User | Online Predictions: Read and write | N/A | N/A |
| Volume Replication Admin | Volume failovers, volume relationship replicas: Create, get, list, watch, delete | N/A | N/A |
| Workbench Notebooks Admin | N/A | Notebook custom resources (CR) in the project namespace: Create, read, update, and delete<br>ClusterInfo objects: Read | N/A |
| Workbench Notebooks Viewer | N/A | Notebook custom resources (CR) in the project namespace: Read | N/A |
| Workload Viewer | N/A | Pod custom resources in the project namespace: Read<br>Deployment custom resources in the project namespace: Read | N/A |