Role definitions for projects

The tables of this section describe different predefined roles and their permissions. The tables contain the following columns:

Name: The name of a role displayed in the user interface (UI).
Kubernetes resource name: The name of the corresponding Kubernetes custom resource.
Level: The specification of whether this role is scoped by the organization or a project.
Type: The type of this role. For example, some possible values are Role, ProjectRole, ClusterRole, or OrganizationRole.
Binding type: The type of binding that you must apply to this role.
Admin or user cluster permissions: The permissions that this role has for admin or user clusters. For example, some possible values are read, write, read and write, or not applicable (N/A).
Escalates to: The specification of whether this role escalates to other roles or not.

AO persona, predefined identity, and access roles

AO persona
Name	Kubernetes resource name	Initial admin	Level	Type
Project IAM Admin	`project-iam-admin`	True	Project	`Role`
AI OCR Developer	`ai-ocr-developer`	False	Project	`Role`
AI Platform Viewer	`ai-platform-viewer`	False	Project	`Role`
AI Speech Developer	`ai-speech-developer`	False	Project	`Role`
AI Translation Developer	`ai-translation-developer`	False	Project	`Role`
Artifact Management Admin	`artifact-management-admin`	False	Project	`Role`
Artifact Management Editor	`artifact-management-editor`	False	Project	`Role`
Backup Creator	`backup-creator`	False	Project	`ProjectRole`
Dashboard Editor	`dashboard-editor`	False	Project	`Role`
Dashboard Viewer	`dashboard-viewer`	False	Project	`Role`
K8s NetworkPolicy Admin	`k8s-networkpolicy-admin`	False	Project	`ProjectRole`
KMS Admin	`kms-admin`	False	Project	`Role`
KMS Creator	`kms-creator`	False	Project	`Role`
KMS Developer	`kms-developer`	False	Project	`Role`
KMS Key Export Admin	`kms-keyexport-admin`	False	Project	`Role`
KMS Key Import Admin	`kms-keyimport-admin`	False	Project	`Role`
KMS Viewer	`kms-viewer`	False	Project	`Role`
Kubernetes Network Policy Admin	`k8s-networkpolicy-admin`	False	Project	`ProjectRole`
Marketplace Editor	`marketplace-editor`	False	Project	`Role`
MonitoringRule Editor	`monitoringrule-editor`	False	Project	`Role`
MonitoringRule Viewer	`monitoringrule-viewer`	False	Project	`Role`
MonitoringTarget Editor	`monitoringtarget-editor`	False	Project	`Role`
MonitoringTarget Viewer	`monitoringtarget-viewer`	False	Project	`Role`
Namespace Admin	`namespace-admin`	False	Project	`ProjectRole`
NAT Viewer	`nat-viewer`	False	Project	`ProjectRole`
ObservabilityPipeline Editor	`observabilitypipeline-editor`	False	Project	`Role`
ObservabilityPipeline Viewer	`observabilitypipeline-viewer`	False	Project	`Role`
Project Bucket Admin	`project-bucket-admin`	False	Project	`Role`
Project Bucket Object Admin	`project-bucket-object-admin`	False	Project	`Role`
Project Bucket Object Viewer	`project-bucket-object-viewer`	False	Project	`Role`
Project NetworkPolicy Admin	`project-networkpolicy-admin`	False	Project	`Role`
Project DB Admin	`project-db-admin`	False	Project	`Role`
Project DB Editor	`project-db-editor`	False	Project	`Role`
Project DB Viewer	`project-db-viewer`	False	Project	`Role`
Project Viewer	`project-viewer`	False	Project	`Role`
Project VirtualMachine Admin	`project-vm-admin`	False	Project	`Role`
Project VirtualMachine Image Admin	`project-vm-image-admin`	False	Project	`Role`
Secret Admin	`secret-admin`	False	Project	`Role`
Secret Viewer	`secret-viewer`	False	Project	`Role`
Service Configuration Admin	`service-configuration-admin`	False	Project	`Role`
Service Configuration Viewer	`service-configuration-viewer`	False	Project	`Role`
Vertex AI Prediction User	`vertex-ai-prediction-user`	False	Project	`Role`
Workbench Notebooks Admin	`workbench-notebooks-admin`	False	Project	`Role`
Workbench Notebooks Viewer	`workbench-notebooks-viewer`	False	Project	`Role`

AO persona, predefined identity, and access roles

AO persona
Name	Binding type	Org admin cluster permissions	User cluster permissions	Escalates to
Project IAM Admin	`RoleBinding`	`RoleBinding`, `ClusterRoleBinding`, `Role`, `ClusterRole`, `ProjectRole`, `ProjectClusterRole`, `ProjectRoleBinding`, and `ProjectClusterRoleBinding`: Create, read, update, delete, and bind `ProjectServiceAccount`: Create, read, update, and delete List project namespace	N/A	All other AO roles
AI OCR Developer	`RoleBinding`	OCR resources: Read and write	N/A	N/A
AI Speech Developer	`RoleBinding`	Speech resources: Read and write	N/A	N/A
AI Translation Developer	`RoleBinding`	Translation resources: Read and write	N/A	N/A
Backup Creator	`ProjectRoleBinding`	N/A	Manual backups and restores: Create, read, and delete Backups, restores, backup plans, and restore plans, volume backups, volume restores, delete backup requests: Read	N/A
Dashboard Editor	`RoleBinding`	`Dashboard` custom resources: Get, read, create, update, delete, and patch	N/A	N/A
Dashboard Viewer	`RoleBinding`	`Dashboard`: Get and read	N/A	N/A
K8s NetworkPolicy Admin	`ProjectRoleBinding`	`NetworkPolicy` resources: Create, read, get, update, delete, and patch	N/A	N/A
KMS Admin	`RoleBinding`	`AEADKey`: Create, read, update, delete, patch, encrypt, and decrypt `SigningKey`: Create, read, update, delete, patch, and sign `KeyImport` and `KeyExport`: Read	N/A	N/A
KMS Creator	`RoleBinding`	`AEADKey` and `SigningKey`: Create and read	N/A	N/A
KMS Developer	`RoleBinding`	`AEADKey` in the project namespace: Read, encrypt, and decrypt `SigningKey` in the project namespace: Read and sign	N/A	N/A
KMS Key Export Admin	`RoleBinding`	`KeyExport` resource: Create, read, update, patch, and delete	N/A	N/A
KMS Key Import Admin	`RoleBinding`	`KeyImport` resource: Create, read, update, patch, and delete	N/A	N/A
KMS Viewer	`RoleBinding`	`AEADKey`, `SigningKey`, `KeyImport`, `KeyExport`: Read	N/A	N/A
Kubernetes Network Policy Admin	`ProjectRoleBinding`	N/A	Kubernetes network policies: Read and write in the user cluster	N/A
Marketplace Editor	`RoleBinding`	N/A	Service instances: Create, update, and delete	N/A
MonitoringRule Editor	`RoleBinding`	`MonitoringRule` custom resources: Create, read, update, delete, and patch	N/A	N/A
MonitoringRule Viewer	`RoleBinding`	`MonitoringRule` custom resources: Read	N/A	N/A
MonitoringTarget Editor	`RoleBinding`	`MonitoringTarget` custom resources: Create, read, update, delete, and patch	N/A	N/A
MonitoringTarget Viewer	`RoleBinding`	`MonitoringTarget` custom resources: Read	N/A	N/A
Namespace Admin	`ProjectRoleBinding`	N/A	All resources: Read and write access in the project namespace, excluding the system cluster	N/A
NAT Viewer	`ProjectRoleBinding`	N/A	Deployments: Get and read	N/A
ObservabilityPipeline Editor	`RoleBinding`	`ObservabilityPipeline` resources: Get, read, create, update, delete, and patch	N/A	N/A
ObservabilityPipeline Viewer	`RoleBinding`	`ObservabilityPipeline` resources: Get and read	N/A	N/A
Project Bucket Admin	`RoleBinding`	Bucket: Read and write in the project namespace	N/A	N/A
Project Bucket Object Admin	`RoleBinding`	Bucket: Read Objects: Read and write	N/A	N/A
Project Bucket Object Viewer	`RoleBinding`	Bucket and objects: Read	N/A	N/A
Project NetworkPolicy Admin	`RoleBinding`	Project network policies: Read and write in the project namespace	N/A	N/A
Project DB Admin	`RoleBinding`	Database versions, flags, maintenance policies, software libraries, and database project properties: Read Backup plans and database clusters: Create, read, update, and delete Imports, exports, and restores: Create, read, and delete Secrets: Create, delete, and update Migrations and external servers: Create, read, update, delete, and patch	N/A	N/A
Project DB Editor	`RoleBinding`	Database versions, flags, maintenance policies, software libraries, backup plans, and restores: Read Imports: Create, read, and delete Database clusters: Read and update Secrets: Create and delete	N/A	N/A
Project DB Viewer	`RoleBinding`	Database versions, flags, maintenance policies, software libraries, backup plans, restores, imports, exports, database clusters, and failovers: Read	N/A	N/A
Project Viewer	`RoleBinding`	All resources in the project namespace: Read	N/A	N/A
Project VirtualMachine Admin	`RoleBinding`	Virtual machines, disks, access requests, external access, backup requests, backups, restore requests, delete backup requests, restores, and password reset requests: Read, create, update, and delete Virtual machine restart: Put Virtual machine images, backup plans, and backup plan templates: Read	N/A	N/A
Project VirtualMachine Image Admin	`RoleBinding`	VM images: Read VM image imports: Read and write	N/A	N/A
Secret Admin	`RoleBinding`	Kubernetes secrets: Read, create, update, delete, and patch	N/A	N/A
Secret Viewer	`RoleBinding`	Kubernetes secrets: Read	N/A	N/A
Service Configuration Admin	`RoleBinding`	`ServiceConfigurations`: Read and write	N/A	N/A
Service Configuration Viewer	`RoleBinding`	`ServiceConfigurations`: Read	N/A	N/A
Workbench Notebooks Admin	`RoleBinding`	N/A	Notebook custom resources (CR) in the project namespace: Create, read, update, and delete `ClusterInfo` objects: Read	N/A
Workbench Notebooks Viewer	`RoleBinding`	N/A	Notebook custom resources (CR) in the project namespace: Read	N/A

Common predefined identity and access roles

Common roles
Name	Kubernetes resource name	Initial admin	Level	Type
AI Platform Viewer	`ai-platform-viewer`	False	Project	`Role`
DB UI Viewer	`db-ui-viewer`	False	Project	`ClusterRole`
DB Options Viewer	`db-options-viewer`	False	Project	`ClusterRole`
DNS Suffix Viewer	`dnssuffix-viewer`	False	Organization	`Role`
Flow Log Admin	`flowlog-admin`	False	Organization	`ClusterRole`
Flow Log Viewer	`flowlog-viewer`	False	Project	`ClusterRole`
Marketplace Viewer	`marketplace-viewer`	False	Project	`ClusterRole`
Pricing Calculator User	`pricingcalculator-user`	False	Project	`ClusterRole`
Project Discovery Viewer	`projectdiscovery-viewer`	False	Project	`ClusterRole`
Public Image Viewer	`public-image-viewer`	False	Organization	`Role`
Virtual Machine Type Viewer	`virtualmachinetype-viewer`	True	Organization	`OrganizationRole`
VM Type Viewer	`vmtype-viewer`	False	Organization	`Role`

Common predefined identity and access roles

Common roles
Name	Binding type	Admin cluster permissions	User cluster permissions	Escalates to
AI Platform Viewer	`RoleBinding`	Pre-trained services: Read	N/A	N/A
DB Options Viewer	`ClusterRoleBinding`	DBS configurations: Read	N/A	N/A
DB UI Viewer	`ClusterRoleBinding`	DBS UI configurations: Read	N/A	N/A
DNS Suffix Viewer	`RoleBinding`	DNS suffix config maps: Read	N/A	N/A
Flow Log Admin	`ClusterRoleBinding`	Flow log resources: Get and read	Flow log resources: Get and read	N/A
Flow Log Viewer	`ClusterRoleBinding`	Flow log resources: Create, get, read, patch, update, and delete	Flow log resources: Create, get, read, patch, update, and delete	N/A
Marketplace Viewer	`ClusterRoleBinding`	Service versions and service instances: Read	N/A	N/A
Pricing Calculator User	`ClusterRoleBinding`	N/A	`SkuDescriptions`: Read	N/A
Project Discovery Viewer	`ClusterRoleBinding`	Projects: Read	N/A	N/A
Public Image Viewer	`RoleBinding`	VM images: Read	N/A	N/A
VM Type Viewer	`ClusterRoleBinding`	VM types: Read	N/A	N/A