The tables of this section describe different predefined roles and their permissions. The tables contain the following columns:
- Name: The name of a role displayed in the user interface (UI).
- Kubernetes resource name: The name of the corresponding Kubernetes custom resource.
- Level: The specification of whether this role is scoped by the organization or a project.
- Type: The type of this role. For example, some possible values are
Role,ProjectRole,ClusterRole, orOrganizationRole. - Binding type: The type of binding that you must apply to this role.
- Admin or user cluster permissions: The permissions that this role has for admin or user clusters. For example, some possible values are read, write, read and write, or not applicable (N/A).
- Escalates to: The specification of whether this role escalates to other roles or not.
AO persona, predefined identity, and access roles
| AO persona | ||||
|---|---|---|---|---|
| Name | Kubernetes resource name | Initial admin | Level | Type |
| Project IAM Admin | project-iam-admin |
True | Project | Role |
| AI OCR Developer | ai-ocr-developer |
False | Project | Role |
| AI Platform Viewer | ai-platform-viewer |
False | Project | Role |
| AI Speech Developer | ai-speech-developer |
False | Project | Role |
| AI Translation Developer | ai-translation-developer |
False | Project | Role |
| Artifact Management Admin | artifact-management-admin |
False | Project | Role |
| Artifact Management Editor | artifact-management-editor |
False | Project | Role |
| Backup Creator | backup-creator |
False | Project | ProjectRole |
| Dashboard Editor | dashboard-editor |
False | Project | Role |
| Dashboard Viewer | dashboard-viewer |
False | Project | Role |
| K8s NetworkPolicy Admin | k8s-networkpolicy-admin |
False | Project | ProjectRole |
| KMS Admin | kms-admin |
False | Project | Role |
| KMS Creator | kms-creator |
False | Project | Role |
| KMS Developer | kms-developer |
False | Project | Role |
| KMS Key Export Admin | kms-keyexport-admin |
False | Project | Role |
| KMS Key Import Admin | kms-keyimport-admin |
False | Project | Role |
| KMS Viewer | kms-viewer |
False | Project | Role |
| Marketplace Editor | marketplace-editor |
False | Project | Role |
| MonitoringRule Editor | monitoringrule-editor |
False | Project | Role |
| MonitoringRule Viewer | monitoringrule-viewer |
False | Project | Role |
| MonitoringTarget Editor | monitoringtarget-editor |
False | Project | Role |
| MonitoringTarget Viewer | monitoringtarget-viewer |
False | Project | Role |
| Namespace Admin | namespace-admin |
False | Project | ProjectRole |
| NAT Viewer | nat-viewer |
False | Project | ProjectRole |
| ObservabilityPipeline Editor | observabilitypipeline-editor |
False | Project | Role |
| ObservabilityPipeline Viewer | observabilitypipeline-viewer |
False | Project | Role |
| Project Bucket Admin | project-bucket-admin |
False | Project | Role |
| Project Bucket Object Admin | project-bucket-object-admin |
False | Project | Role |
| Project Bucket Object Viewer | project-bucket-object-viewer |
False | Project | Role |
| Project NetworkPolicy Admin | project-networkpolicy-admin |
False | Project | Role |
| Project DB Admin | project-db-admin |
False | Project | Role |
| Project DB Editor | project-db-editor |
False | Project | Role |
| Project DB Viewer | project-db-viewer |
False | Project | Role |
| Project Viewer | project-viewer |
False | Project | Role |
| Project VirtualMachine Admin | project-vm-admin |
False | Project | Role |
| Project VirtualMachine Image Admin | project-vm-image-admin |
False | Project | Role |
| Secret Admin | secret-admin |
False | Project | Role |
| Secret Viewer | secret-viewer |
False | Project | Role |
| Service Configuration Admin | service-configuration-admin |
False | Project | Role |
| Service Configuration Viewer | service-configuration-viewer |
False | Project | Role |
| Vertex AI Prediction User | vertex-ai-prediction-user |
False | Project | Role |
| Workbench Notebooks Admin | workbench-notebooks-admin |
False | Project | Role |
| Workbench Notebooks Viewer | workbench-notebooks-viewer |
False | Project | Role |
AO persona, predefined identity, and access roles
| AO persona | ||||
|---|---|---|---|---|
| Name | Binding type | Org admin cluster permissions | User cluster permissions | Escalates to |
| Project IAM Admin | RoleBinding |
|
N/A | All other AO roles |
| AI OCR Developer | RoleBinding |
OCR resources: Read and write | N/A | N/A |
| AI Speech Developer | RoleBinding |
Speech resources: Read and write | N/A | N/A |
| AI Translation Developer | RoleBinding |
Translation resources: Read and write | N/A | N/A |
| Backup Creator | ProjectRoleBinding |
N/A |
|
N/A |
| Dashboard Editor | RoleBinding |
Dashboard custom resources: Get, read, create, update, delete, and patch |
N/A | N/A |
| Dashboard Viewer | RoleBinding |
Dashboard: Get and read |
N/A | N/A |
| K8s NetworkPolicy Admin | ProjectRoleBinding |
NetworkPolicy resources: Create, read, get, update, delete, and patch |
N/A | N/A |
| KMS Admin | RoleBinding |
|
N/A | N/A |
| KMS Creator | RoleBinding |
AEADKey and SigningKey: Create and read
|
N/A | N/A |
| KMS Developer | RoleBinding |
|
N/A | N/A |
| KMS Key Export Admin | RoleBinding |
KeyExport resource: Create, read, update, patch, and delete
|
N/A | N/A |
| KMS Key Import Admin | RoleBinding |
KeyImport resource: Create, read, update, patch, and delete
|
N/A | N/A |
| KMS Viewer | RoleBinding |
AEADKey, SigningKey, KeyImport, KeyExport: Read
|
N/A | N/A |
| Marketplace Editor | RoleBinding |
N/A | Service instances: Create, update, and delete | N/A |
| MonitoringRule Editor | RoleBinding |
MonitoringRule custom resources: Create, read, update, delete, and patch |
N/A | N/A |
| MonitoringRule Viewer | RoleBinding |
MonitoringRule custom resources: Read |
N/A | N/A |
| MonitoringTarget Editor | RoleBinding |
MonitoringTarget custom resources: Create, read, update, delete, and patch |
N/A | N/A |
| MonitoringTarget Viewer | RoleBinding |
MonitoringTarget custom resources: Read |
N/A | N/A |
| Namespace Admin | ProjectRoleBinding |
N/A | All resources: Read and write access in the project namespace, excluding the system cluster | N/A |
| NAT Viewer | ProjectRoleBinding |
N/A | Deployments: Get and read | N/A |
| ObservabilityPipeline Editor | RoleBinding |
ObservabilityPipeline resources: Get, read, create, update, delete, and patch |
N/A | N/A |
| ObservabilityPipeline Viewer | RoleBinding |
ObservabilityPipeline resources: Get and read |
N/A | N/A |
| Project Bucket Admin | RoleBinding |
Bucket: Read and write in the project namespace | N/A | N/A |
| Project Bucket Object Admin | RoleBinding |
|
N/A | N/A |
| Project Bucket Object Viewer | RoleBinding |
Bucket and objects: Read | N/A | N/A |
| Project NetworkPolicy Admin | RoleBinding |
Project network policies: Read and write in the project namespace | N/A | N/A |
| Project DB Admin | RoleBinding |
|
N/A | N/A |
| Project DB Editor | RoleBinding |
|
N/A | N/A |
| Project DB Viewer | RoleBinding |
Database versions, flags, maintenance policies, software libraries, backup plans, restores, imports, exports, database clusters, and failovers: Read | N/A | N/A |
| Project Viewer | RoleBinding |
All resources in the project namespace: Read | N/A | N/A |
| Project VirtualMachine Admin | RoleBinding |
|
N/A | N/A |
| Project VirtualMachine Image Admin | RoleBinding |
|
N/A | N/A |
| Secret Admin | RoleBinding |
Kubernetes secrets: Read, create, update, delete, and patch | N/A | N/A |
| Secret Viewer | RoleBinding |
Kubernetes secrets: Read | N/A | N/A |
| Service Configuration Admin | RoleBinding |
ServiceConfigurations: Read and write
|
N/A | N/A |
| Service Configuration Viewer | RoleBinding |
ServiceConfigurations: Read
|
N/A | N/A |
| Workbench Notebooks Admin | RoleBinding |
N/A |
|
N/A |
| Workbench Notebooks Viewer | RoleBinding |
N/A |
|
N/A |
Common predefined identity and access roles
| Common roles | ||||
|---|---|---|---|---|
| Name | Kubernetes resource name | Initial admin | Level | Type |
| AI Platform Viewer | ai-platform-viewer |
False | Project | Role |
| DB UI Viewer | db-ui-viewer |
False | Project | ClusterRole |
| DB Options Viewer | db-options-viewer |
False | Project | ClusterRole |
| DNS Suffix Viewer | dnssuffix-viewer |
False | Organization | Role |
| Flow Log Admin | flowlog-admin |
False | Organization | ClusterRole |
| Flow Log Viewer | flowlog-viewer |
False | Project | ClusterRole |
| Marketplace Viewer | marketplace-viewer |
False | Project | ClusterRole |
| Pricing Calculator User | pricingcalculator-user |
False | Project | ClusterRole |
| Project Discovery Viewer | projectdiscovery-viewer |
False | Project | ClusterRole |
| Public Image Viewer | public-image-viewer |
False | Organization | Role |
| Virtual Machine Type Viewer | virtualmachinetype-viewer |
True | Organization | OrganizationRole |
| VM Type Viewer | vmtype-viewer |
False | Organization | Role |
Common predefined identity and access roles
| Common roles | ||||
|---|---|---|---|---|
| Name | Binding type | Admin cluster permissions | User cluster permissions | Escalates to |
| AI Platform Viewer | RoleBinding |
Pre-trained services: Read | N/A | N/A |
| DB Options Viewer | ClusterRoleBinding |
DBS configurations: Read | N/A | N/A |
| DB UI Viewer | ClusterRoleBinding |
DBS UI configurations: Read | N/A | N/A |
| DNS Suffix Viewer | RoleBinding |
DNS suffix config maps: Read | N/A | N/A |
| Flow Log Admin | ClusterRoleBinding |
Flow log resources: Get and read | Flow log resources: Get and read | N/A |
| Flow Log Viewer | ClusterRoleBinding |
Flow log resources: Create, get, read, patch, update, and delete | Flow log resources: Create, get, read, patch, update, and delete | N/A |
| Marketplace Viewer | ClusterRoleBinding |
Service versions and service instances: Read | N/A | N/A |
| Pricing Calculator User | ClusterRoleBinding |
N/A | SkuDescriptions: Read |
N/A |
| Project Discovery Viewer | ClusterRoleBinding |
Projects: Read | N/A | N/A |
| Public Image Viewer | RoleBinding |
VM images: Read | N/A | N/A |
| VM Type Viewer | ClusterRoleBinding |
VM types: Read | N/A | N/A |