Role definitions for projects

The tables of this section describe different predefined roles and their permissions. The tables contain the following columns:

  • Name: The name of a role displayed in the user interface (UI).
  • Kubernetes resource name: The name of the corresponding Kubernetes custom resource.
  • Level: The specification of whether this role is scoped by the organization or a project.
  • Type: The type of this role. For example, some possible values are Role, ProjectRole, ClusterRole, or OrganizationRole.
  • Binding type: The type of binding that you must apply to this role.
  • Admin or user cluster permissions: The permissions that this role has for admin or user clusters. For example, some possible values are read, write, read and write, or not applicable (N/A).
  • Escalates to: The specification of whether this role escalates to other roles or not.

AO persona, predefined identity, and access roles

AO persona
Name Kubernetes resource name Initial admin Level Type
Project IAM Admin project-iam-admin True Project Role
AI OCR Developer ai-ocr-developer False Project Role
AI Platform Viewer ai-platform-viewer False Project Role
AI Speech Developer ai-speech-developer False Project Role
AI Translation Developer ai-translation-developer False Project Role
Artifact Management Admin artifact-management-admin False Project Role
Artifact Management Editor artifact-management-editor False Project Role
Backup Creator backup-creator False Project ProjectRole
Dashboard Editor dashboard-editor False Project Role
Dashboard Viewer dashboard-viewer False Project Role
K8s NetworkPolicy Admin k8s-networkpolicy-admin False Project ProjectRole
KMS Admin kms-admin False Project Role
KMS Creator kms-creator False Project Role
KMS Developer kms-developer False Project Role
KMS Key Export Admin kms-keyexport-admin False Project Role
KMS Key Import Admin kms-keyimport-admin False Project Role
KMS Viewer kms-viewer False Project Role
Kubernetes Network Policy Admin k8s-networkpolicy-admin False Project ProjectRole
Marketplace Editor marketplace-editor False Project Role
MonitoringRule Editor monitoringrule-editor False Project Role
MonitoringRule Viewer monitoringrule-viewer False Project Role
MonitoringTarget Editor monitoringtarget-editor False Project Role
MonitoringTarget Viewer monitoringtarget-viewer False Project Role
Namespace Admin namespace-admin False Project ProjectRole
NAT Viewer nat-viewer False Project ProjectRole
ObservabilityPipeline Editor observabilitypipeline-editor False Project Role
ObservabilityPipeline Viewer observabilitypipeline-viewer False Project Role
Project Bucket Admin project-bucket-admin False Project Role
Project Bucket Object Admin project-bucket-object-admin False Project Role
Project Bucket Object Viewer project-bucket-object-viewer False Project Role
Project NetworkPolicy Admin project-networkpolicy-admin False Project Role
Project DB Admin project-db-admin False Project Role
Project DB Editor project-db-editor False Project Role
Project DB Viewer project-db-viewer False Project Role
Project Viewer project-viewer False Project Role
Project VirtualMachine Admin project-vm-admin False Project Role
Project VirtualMachine Image Admin project-vm-image-admin False Project Role
Secret Admin secret-admin False Project Role
Secret Viewer secret-viewer False Project Role
Service Configuration Admin service-configuration-admin False Project Role
Service Configuration Viewer service-configuration-viewer False Project Role
Vertex AI Prediction User vertex-ai-prediction-user False Project Role
Workbench Notebooks Admin workbench-notebooks-admin False Project Role
Workbench Notebooks Viewer workbench-notebooks-viewer False Project Role

AO persona, predefined identity, and access roles

AO persona
Name Binding type Org admin cluster permissions User cluster permissions Escalates to
Project IAM Admin RoleBinding
  • RoleBinding, ClusterRoleBinding, Role, ClusterRole, ProjectRole, ProjectClusterRole, ProjectRoleBinding, and ProjectClusterRoleBinding: Create, read, update, delete, and bind
  • ProjectServiceAccount: Create, read, update, and delete
  • List project namespace
N/A All other AO roles
AI OCR Developer RoleBinding OCR resources: Read and write N/A N/A
AI Speech Developer RoleBinding Speech resources: Read and write N/A N/A
AI Translation Developer RoleBinding Translation resources: Read and write N/A N/A
Backup Creator ProjectRoleBinding N/A
  • Manual backups and restores: Create, read, and delete
  • Backups, restores, backup plans, and restore plans, volume backups, volume restores, delete backup requests: Read
N/A
Dashboard Editor RoleBinding Dashboard custom resources: Get, read, create, update, delete, and patch N/A N/A
Dashboard Viewer RoleBinding Dashboard: Get and read N/A N/A
K8s NetworkPolicy Admin ProjectRoleBinding NetworkPolicy resources: Create, read, get, update, delete, and patch N/A N/A
KMS Admin RoleBinding
  • AEADKey: Create, read, update, delete, patch, encrypt, and decrypt
  • SigningKey: Create, read, update, delete, patch, and sign
  • KeyImport and KeyExport: Read
N/A N/A
KMS Creator RoleBinding AEADKey and SigningKey: Create and read N/A N/A
KMS Developer RoleBinding
  • AEADKey in the project namespace: Read, encrypt, and decrypt
  • SigningKey in the project namespace: Read and sign
N/A N/A
KMS Key Export Admin RoleBinding KeyExport resource: Create, read, update, patch, and delete N/A N/A
KMS Key Import Admin RoleBinding KeyImport resource: Create, read, update, patch, and delete N/A N/A
KMS Viewer RoleBinding AEADKey, SigningKey, KeyImport, KeyExport: Read N/A N/A
Kubernetes Network Policy Admin ProjectRoleBinding N/A Kubernetes network policies: Read and write in the user cluster N/A
Marketplace Editor RoleBinding N/A Service instances: Create, update, and delete N/A
MonitoringRule Editor RoleBinding MonitoringRule custom resources: Create, read, update, delete, and patch N/A N/A
MonitoringRule Viewer RoleBinding MonitoringRule custom resources: Read N/A N/A
MonitoringTarget Editor RoleBinding MonitoringTarget custom resources: Create, read, update, delete, and patch N/A N/A
MonitoringTarget Viewer RoleBinding MonitoringTarget custom resources: Read N/A N/A
Namespace Admin ProjectRoleBinding N/A All resources: Read and write access in the project namespace, excluding the system cluster N/A
NAT Viewer ProjectRoleBinding N/A Deployments: Get and read N/A
ObservabilityPipeline Editor RoleBinding ObservabilityPipeline resources: Get, read, create, update, delete, and patch N/A N/A
ObservabilityPipeline Viewer RoleBinding ObservabilityPipeline resources: Get and read N/A N/A
Project Bucket Admin RoleBinding Bucket: Read and write in the project namespace N/A N/A
Project Bucket Object Admin RoleBinding
  • Bucket: Read
  • Objects: Read and write
N/A N/A
Project Bucket Object Viewer RoleBinding Bucket and objects: Read N/A N/A
Project NetworkPolicy Admin RoleBinding Project network policies: Read and write in the project namespace N/A N/A
Project DB Admin RoleBinding
  • Database versions, flags, maintenance policies, software libraries, and database project properties: Read
  • Backup plans and database clusters: Create, read, update, and delete
  • Imports, exports, and restores: Create, read, and delete
  • Secrets: Create, delete, and update
  • Migrations and external servers: Create, read, update, delete, and patch
N/A N/A
Project DB Editor RoleBinding
  • Database versions, flags, maintenance policies, software libraries, backup plans, and restores: Read
  • Imports: Create, read, and delete
  • Database clusters: Read and update
  • Secrets: Create and delete
N/A N/A
Project DB Viewer RoleBinding Database versions, flags, maintenance policies, software libraries, backup plans, restores, imports, exports, database clusters, and failovers: Read N/A N/A
Project Viewer RoleBinding All resources in the project namespace: Read N/A N/A
Project VirtualMachine Admin RoleBinding
  • Virtual machines, disks, access requests, external access, backup requests, backups, restore requests, delete backup requests, restores, and password reset requests: Read, create, update, and delete
  • Virtual machine restart: Put
  • Virtual machine images, backup plans, and backup plan templates: Read
N/A N/A
Project VirtualMachine Image Admin RoleBinding
  • VM images: Read
  • VM image imports: Read and write
N/A N/A
Secret Admin RoleBinding Kubernetes secrets: Read, create, update, delete, and patch N/A N/A
Secret Viewer RoleBinding Kubernetes secrets: Read N/A N/A
Service Configuration Admin RoleBinding ServiceConfigurations: Read and write N/A N/A
Service Configuration Viewer RoleBinding ServiceConfigurations: Read N/A N/A
Workbench Notebooks Admin RoleBinding N/A
  • Notebook custom resources (CR) in the project namespace: Create, read, update, and delete
  • ClusterInfo objects: Read
N/A
Workbench Notebooks Viewer RoleBinding N/A
  • Notebook custom resources (CR) in the project namespace: Read
N/A

Common predefined identity and access roles

Common roles
Name Kubernetes resource name Initial admin Level Type
AI Platform Viewer ai-platform-viewer False Project Role
DB UI Viewer db-ui-viewer False Project ClusterRole
DB Options Viewer db-options-viewer False Project ClusterRole
DNS Suffix Viewer dnssuffix-viewer False Organization Role
Flow Log Admin flowlog-admin False Organization ClusterRole
Flow Log Viewer flowlog-viewer False Project ClusterRole
Marketplace Viewer marketplace-viewer False Project ClusterRole
Pricing Calculator User pricingcalculator-user False Project ClusterRole
Project Discovery Viewer projectdiscovery-viewer False Project ClusterRole
Public Image Viewer public-image-viewer False Organization Role
Virtual Machine Type Viewer virtualmachinetype-viewer True Organization OrganizationRole
VM Type Viewer vmtype-viewer False Organization Role

Common predefined identity and access roles

Common roles
Name Binding type Admin cluster permissions User cluster permissions Escalates to
AI Platform Viewer RoleBinding Pre-trained services: Read N/A N/A
DB Options Viewer ClusterRoleBinding DBS configurations: Read N/A N/A
DB UI Viewer ClusterRoleBinding DBS UI configurations: Read N/A N/A
DNS Suffix Viewer RoleBinding DNS suffix config maps: Read N/A N/A
Flow Log Admin ClusterRoleBinding Flow log resources: Get and read Flow log resources: Get and read N/A
Flow Log Viewer ClusterRoleBinding Flow log resources: Create, get, read, patch, update, and delete Flow log resources: Create, get, read, patch, update, and delete N/A
Marketplace Viewer ClusterRoleBinding Service versions and service instances: Read N/A N/A
Pricing Calculator User ClusterRoleBinding N/A SkuDescriptions: Read N/A
Project Discovery Viewer ClusterRoleBinding Projects: Read N/A N/A
Public Image Viewer RoleBinding VM images: Read N/A N/A
VM Type Viewer ClusterRoleBinding VM types: Read N/A N/A