Access Context Manager roles and permissions

This page lists the IAM roles and permissions for Access Context Manager. To search through all roles and permissions, see the role and permission index.

Access Context Manager roles

Role Permissions

Role	Permissions
Cloud Access Binding Admin (`roles/accesscontextmanager.gcpAccessAdmin`) Create, edit, and change Cloud access bindings.	`accesscontextmanager.gcpUserAccessBindings.*` `accesscontextmanager.gcpUserAccessBindings.create` `accesscontextmanager.gcpUserAccessBindings.delete` `accesscontextmanager.gcpUserAccessBindings.get` `accesscontextmanager.gcpUserAccessBindings.list` `accesscontextmanager.gcpUserAccessBindings.update`
Cloud Access Binding Reader (`roles/accesscontextmanager.gcpAccessReader`) Read access to Cloud access bindings.	`accesscontextmanager.gcpUserAccessBindings.get` `accesscontextmanager.gcpUserAccessBindings.list`
Access Context Manager Admin (`roles/accesscontextmanager.policyAdmin`) Full access to policies, access levels, access zones and authorized orgs descs.	`accesscontextmanager.accessLevels.` `accesscontextmanager.accessLevels.create` `accesscontextmanager.accessLevels.delete` `accesscontextmanager.accessLevels.get` `accesscontextmanager.accessLevels.list` `accesscontextmanager.accessLevels.replaceAll` `accesscontextmanager.accessLevels.update` `accesscontextmanager.authorizedOrgsDescs.` `accesscontextmanager.authorizedOrgsDescs.create` `accesscontextmanager.authorizedOrgsDescs.delete` `accesscontextmanager.authorizedOrgsDescs.get` `accesscontextmanager.authorizedOrgsDescs.list` `accesscontextmanager.authorizedOrgsDescs.update` `accesscontextmanager.policies.` `accesscontextmanager.policies.create` `accesscontextmanager.policies.delete` `accesscontextmanager.policies.get` `accesscontextmanager.policies.getIamPolicy` `accesscontextmanager.policies.list` `accesscontextmanager.policies.setIamPolicy` `accesscontextmanager.policies.update` `accesscontextmanager.servicePerimeters.` `accesscontextmanager.servicePerimeters.commit` `accesscontextmanager.servicePerimeters.create` `accesscontextmanager.servicePerimeters.delete` `accesscontextmanager.servicePerimeters.get` `accesscontextmanager.servicePerimeters.list` `accesscontextmanager.servicePerimeters.replaceAll` `accesscontextmanager.servicePerimeters.update` `cloudasset.assets.searchAllResources` `resourcemanager.organizations.get` `resourcemanager.projects.get` `resourcemanager.projects.list`
Access Context Manager Editor (`roles/accesscontextmanager.policyEditor`) Edit access to policies. Create, edit, and change access levels, access zones and authorized orgs descs.	`accesscontextmanager.accessLevels.` `accesscontextmanager.accessLevels.create` `accesscontextmanager.accessLevels.delete` `accesscontextmanager.accessLevels.get` `accesscontextmanager.accessLevels.list` `accesscontextmanager.accessLevels.replaceAll` `accesscontextmanager.accessLevels.update` `accesscontextmanager.authorizedOrgsDescs.` `accesscontextmanager.authorizedOrgsDescs.create` `accesscontextmanager.authorizedOrgsDescs.delete` `accesscontextmanager.authorizedOrgsDescs.get` `accesscontextmanager.authorizedOrgsDescs.list` `accesscontextmanager.authorizedOrgsDescs.update` `accesscontextmanager.policies.create` `accesscontextmanager.policies.delete` `accesscontextmanager.policies.get` `accesscontextmanager.policies.getIamPolicy` `accesscontextmanager.policies.list` `accesscontextmanager.policies.update` `accesscontextmanager.servicePerimeters.*` `accesscontextmanager.servicePerimeters.commit` `accesscontextmanager.servicePerimeters.create` `accesscontextmanager.servicePerimeters.delete` `accesscontextmanager.servicePerimeters.get` `accesscontextmanager.servicePerimeters.list` `accesscontextmanager.servicePerimeters.replaceAll` `accesscontextmanager.servicePerimeters.update` `cloudasset.assets.searchAllResources` `resourcemanager.organizations.get` `resourcemanager.projects.get` `resourcemanager.projects.list`
Access Context Manager Reader (`roles/accesscontextmanager.policyReader`) Read access to policies, access levels, access zones and authorized orgs descs.	`accesscontextmanager.accessLevels.get` `accesscontextmanager.accessLevels.list` `accesscontextmanager.authorizedOrgsDescs.get` `accesscontextmanager.authorizedOrgsDescs.list` `accesscontextmanager.policies.get` `accesscontextmanager.policies.getIamPolicy` `accesscontextmanager.policies.list` `accesscontextmanager.servicePerimeters.get` `accesscontextmanager.servicePerimeters.list` `resourcemanager.organizations.get` `resourcemanager.projects.get` `resourcemanager.projects.list`
VPC Service Controls Troubleshooter Viewer (`roles/accesscontextmanager.vpcScTroubleshooterViewer`)	`accesscontextmanager.accessLevels.get` `accesscontextmanager.accessLevels.list` `accesscontextmanager.authorizedOrgsDescs.get` `accesscontextmanager.authorizedOrgsDescs.list` `accesscontextmanager.policies.get` `accesscontextmanager.policies.getIamPolicy` `accesscontextmanager.policies.list` `accesscontextmanager.servicePerimeters.get` `accesscontextmanager.servicePerimeters.list` `logging.exclusions.get` `logging.exclusions.list` `logging.logEntries.list` `logging.logMetrics.get` `logging.logMetrics.list` `logging.logServiceIndexes.list` `logging.logServices.list` `logging.logs.list` `logging.sinks.get` `logging.sinks.list` `logging.usage.get` `resourcemanager.organizations.get` `resourcemanager.projects.get` `resourcemanager.projects.list`

Cloud Access Binding Admin

(roles/accesscontextmanager.gcpAccessAdmin)

Create, edit, and change Cloud access bindings.

accesscontextmanager.gcpUserAccessBindings.*

accesscontextmanager.gcpUserAccessBindings.create
accesscontextmanager.gcpUserAccessBindings.delete
accesscontextmanager.gcpUserAccessBindings.get
accesscontextmanager.gcpUserAccessBindings.list
accesscontextmanager.gcpUserAccessBindings.update

Cloud Access Binding Reader

(roles/accesscontextmanager.gcpAccessReader)

Read access to Cloud access bindings.

accesscontextmanager.gcpUserAccessBindings.get

accesscontextmanager.gcpUserAccessBindings.list

Access Context Manager Admin

(roles/accesscontextmanager.policyAdmin)

Full access to policies, access levels, access zones and authorized orgs descs.

accesscontextmanager.accessLevels.*

accesscontextmanager.accessLevels.create
accesscontextmanager.accessLevels.delete
accesscontextmanager.accessLevels.get
accesscontextmanager.accessLevels.list
accesscontextmanager.accessLevels.replaceAll
accesscontextmanager.accessLevels.update

accesscontextmanager.authorizedOrgsDescs.*

accesscontextmanager.authorizedOrgsDescs.create
accesscontextmanager.authorizedOrgsDescs.delete
accesscontextmanager.authorizedOrgsDescs.get
accesscontextmanager.authorizedOrgsDescs.list
accesscontextmanager.authorizedOrgsDescs.update

accesscontextmanager.policies.*

accesscontextmanager.policies.create
accesscontextmanager.policies.delete
accesscontextmanager.policies.get
accesscontextmanager.policies.getIamPolicy
accesscontextmanager.policies.list
accesscontextmanager.policies.setIamPolicy
accesscontextmanager.policies.update

accesscontextmanager.servicePerimeters.*

accesscontextmanager.servicePerimeters.commit
accesscontextmanager.servicePerimeters.create
accesscontextmanager.servicePerimeters.delete
accesscontextmanager.servicePerimeters.get
accesscontextmanager.servicePerimeters.list
accesscontextmanager.servicePerimeters.replaceAll
accesscontextmanager.servicePerimeters.update

cloudasset.assets.searchAllResources

resourcemanager.organizations.get

resourcemanager.projects.get

resourcemanager.projects.list

Access Context Manager Editor

(roles/accesscontextmanager.policyEditor)

Edit access to policies. Create, edit, and change access levels, access zones and authorized orgs descs.

accesscontextmanager.accessLevels.*

accesscontextmanager.accessLevels.create
accesscontextmanager.accessLevels.delete
accesscontextmanager.accessLevels.get
accesscontextmanager.accessLevels.list
accesscontextmanager.accessLevels.replaceAll
accesscontextmanager.accessLevels.update

accesscontextmanager.authorizedOrgsDescs.*

accesscontextmanager.authorizedOrgsDescs.create
accesscontextmanager.authorizedOrgsDescs.delete
accesscontextmanager.authorizedOrgsDescs.get
accesscontextmanager.authorizedOrgsDescs.list
accesscontextmanager.authorizedOrgsDescs.update

accesscontextmanager.policies.create

accesscontextmanager.policies.delete

accesscontextmanager.policies.get

accesscontextmanager.policies.getIamPolicy

accesscontextmanager.policies.list

accesscontextmanager.policies.update

accesscontextmanager.servicePerimeters.*

accesscontextmanager.servicePerimeters.commit
accesscontextmanager.servicePerimeters.create
accesscontextmanager.servicePerimeters.delete
accesscontextmanager.servicePerimeters.get
accesscontextmanager.servicePerimeters.list
accesscontextmanager.servicePerimeters.replaceAll
accesscontextmanager.servicePerimeters.update

cloudasset.assets.searchAllResources

resourcemanager.organizations.get

resourcemanager.projects.get

resourcemanager.projects.list

Access Context Manager Reader

(roles/accesscontextmanager.policyReader)

Read access to policies, access levels, access zones and authorized orgs descs.

accesscontextmanager.accessLevels.get

accesscontextmanager.accessLevels.list

accesscontextmanager.authorizedOrgsDescs.get

accesscontextmanager.authorizedOrgsDescs.list

accesscontextmanager.policies.get

accesscontextmanager.policies.getIamPolicy

accesscontextmanager.policies.list

accesscontextmanager.servicePerimeters.get

accesscontextmanager.servicePerimeters.list

resourcemanager.organizations.get

resourcemanager.projects.get

resourcemanager.projects.list

VPC Service Controls Troubleshooter Viewer

(roles/accesscontextmanager.vpcScTroubleshooterViewer)

accesscontextmanager.accessLevels.get

accesscontextmanager.accessLevels.list

accesscontextmanager.authorizedOrgsDescs.get

accesscontextmanager.authorizedOrgsDescs.list

accesscontextmanager.policies.get

accesscontextmanager.policies.getIamPolicy

accesscontextmanager.policies.list

accesscontextmanager.servicePerimeters.get

accesscontextmanager.servicePerimeters.list

logging.exclusions.get

logging.exclusions.list

logging.logEntries.list

logging.logMetrics.get

logging.logMetrics.list

logging.logServiceIndexes.list

logging.logServices.list

logging.logs.list

logging.sinks.get

logging.sinks.list

logging.usage.get

resourcemanager.organizations.get

resourcemanager.projects.get

resourcemanager.projects.list

Access Context Manager permissions

Permission	Included in roles
`accesscontextmanager.accessLevels.create`	Owner (`roles/owner`) Editor (`roles/editor`) Access Context Manager Admin (`roles/accesscontextmanager.policyAdmin`) Access Context Manager Editor (`roles/accesscontextmanager.policyEditor`) Service agent roles Warning: Don't grant service agent roles to any principals except service agents. Cloud Deployment Manager Service Agent (`roles/clouddeploymentmanager.serviceAgent`)
`accesscontextmanager.accessLevels.delete`	Owner (`roles/owner`) Editor (`roles/editor`) Access Context Manager Admin (`roles/accesscontextmanager.policyAdmin`) Access Context Manager Editor (`roles/accesscontextmanager.policyEditor`) Service agent roles Warning: Don't grant service agent roles to any principals except service agents. Cloud Deployment Manager Service Agent (`roles/clouddeploymentmanager.serviceAgent`)
`accesscontextmanager.accessLevels.get`	Owner (`roles/owner`) Editor (`roles/editor`) Viewer (`roles/viewer`) Access Context Manager Admin (`roles/accesscontextmanager.policyAdmin`) Access Context Manager Editor (`roles/accesscontextmanager.policyEditor`) Access Context Manager Reader (`roles/accesscontextmanager.policyReader`) VPC Service Controls Troubleshooter Viewer (`roles/accesscontextmanager.vpcScTroubleshooterViewer`) Security Auditor (`roles/iam.securityAuditor`) Support User (`roles/iam.supportUser`) Service agent roles Warning: Don't grant service agent roles to any principals except service agents. Cloud Deployment Manager Service Agent (`roles/clouddeploymentmanager.serviceAgent`)
`accesscontextmanager.accessLevels.list`	Owner (`roles/owner`) Editor (`roles/editor`) Viewer (`roles/viewer`) Access Context Manager Admin (`roles/accesscontextmanager.policyAdmin`) Access Context Manager Editor (`roles/accesscontextmanager.policyEditor`) Access Context Manager Reader (`roles/accesscontextmanager.policyReader`) VPC Service Controls Troubleshooter Viewer (`roles/accesscontextmanager.vpcScTroubleshooterViewer`) Security Admin (`roles/iam.securityAdmin`) Security Auditor (`roles/iam.securityAuditor`) Security Reviewer (`roles/iam.securityReviewer`) Support User (`roles/iam.supportUser`)
`accesscontextmanager.accessLevels.replaceAll`	Owner (`roles/owner`) Editor (`roles/editor`) Access Context Manager Admin (`roles/accesscontextmanager.policyAdmin`) Access Context Manager Editor (`roles/accesscontextmanager.policyEditor`)
`accesscontextmanager.accessLevels.update`	Owner (`roles/owner`) Editor (`roles/editor`) Access Context Manager Admin (`roles/accesscontextmanager.policyAdmin`) Access Context Manager Editor (`roles/accesscontextmanager.policyEditor`) Service agent roles Warning: Don't grant service agent roles to any principals except service agents. Cloud Deployment Manager Service Agent (`roles/clouddeploymentmanager.serviceAgent`)
`accesscontextmanager.authorizedOrgsDescs.create`	Owner (`roles/owner`) Editor (`roles/editor`) Access Context Manager Admin (`roles/accesscontextmanager.policyAdmin`) Access Context Manager Editor (`roles/accesscontextmanager.policyEditor`)
`accesscontextmanager.authorizedOrgsDescs.delete`	Owner (`roles/owner`) Editor (`roles/editor`) Access Context Manager Admin (`roles/accesscontextmanager.policyAdmin`) Access Context Manager Editor (`roles/accesscontextmanager.policyEditor`)
`accesscontextmanager.authorizedOrgsDescs.get`	Owner (`roles/owner`) Editor (`roles/editor`) Viewer (`roles/viewer`) Access Context Manager Admin (`roles/accesscontextmanager.policyAdmin`) Access Context Manager Editor (`roles/accesscontextmanager.policyEditor`) Access Context Manager Reader (`roles/accesscontextmanager.policyReader`) VPC Service Controls Troubleshooter Viewer (`roles/accesscontextmanager.vpcScTroubleshooterViewer`) Security Auditor (`roles/iam.securityAuditor`) Support User (`roles/iam.supportUser`)
`accesscontextmanager.authorizedOrgsDescs.list`	Owner (`roles/owner`) Editor (`roles/editor`) Viewer (`roles/viewer`) Access Context Manager Admin (`roles/accesscontextmanager.policyAdmin`) Access Context Manager Editor (`roles/accesscontextmanager.policyEditor`) Access Context Manager Reader (`roles/accesscontextmanager.policyReader`) VPC Service Controls Troubleshooter Viewer (`roles/accesscontextmanager.vpcScTroubleshooterViewer`) Security Admin (`roles/iam.securityAdmin`) Security Auditor (`roles/iam.securityAuditor`) Security Reviewer (`roles/iam.securityReviewer`) Support User (`roles/iam.supportUser`)
`accesscontextmanager.authorizedOrgsDescs.update`	Owner (`roles/owner`) Editor (`roles/editor`) Access Context Manager Admin (`roles/accesscontextmanager.policyAdmin`) Access Context Manager Editor (`roles/accesscontextmanager.policyEditor`)
`accesscontextmanager.gcpUserAccessBindings.create`	Owner (`roles/owner`) Editor (`roles/editor`) Cloud Access Binding Admin (`roles/accesscontextmanager.gcpAccessAdmin`)
`accesscontextmanager.gcpUserAccessBindings.delete`	Owner (`roles/owner`) Editor (`roles/editor`) Cloud Access Binding Admin (`roles/accesscontextmanager.gcpAccessAdmin`)
`accesscontextmanager.gcpUserAccessBindings.get`	Owner (`roles/owner`) Editor (`roles/editor`) Viewer (`roles/viewer`) Cloud Access Binding Admin (`roles/accesscontextmanager.gcpAccessAdmin`) Cloud Access Binding Reader (`roles/accesscontextmanager.gcpAccessReader`) Support User (`roles/iam.supportUser`) Service agent roles Warning: Don't grant service agent roles to any principals except service agents. Security Center Service Agent (`roles/securitycenter.serviceAgent`) Security Center Control Service Agent (`roles/securitycenter.controlServiceAgent`)
`accesscontextmanager.gcpUserAccessBindings.list`	Owner (`roles/owner`) Editor (`roles/editor`) Viewer (`roles/viewer`) Cloud Access Binding Admin (`roles/accesscontextmanager.gcpAccessAdmin`) Cloud Access Binding Reader (`roles/accesscontextmanager.gcpAccessReader`) Security Admin (`roles/iam.securityAdmin`) Security Auditor (`roles/iam.securityAuditor`) Security Reviewer (`roles/iam.securityReviewer`) Support User (`roles/iam.supportUser`) Service agent roles Warning: Don't grant service agent roles to any principals except service agents. Security Center Service Agent (`roles/securitycenter.serviceAgent`) Security Center Control Service Agent (`roles/securitycenter.controlServiceAgent`)
`accesscontextmanager.gcpUserAccessBindings.update`	Owner (`roles/owner`) Editor (`roles/editor`) Cloud Access Binding Admin (`roles/accesscontextmanager.gcpAccessAdmin`)
`accesscontextmanager.policies.create`	Owner (`roles/owner`) Editor (`roles/editor`) Access Context Manager Admin (`roles/accesscontextmanager.policyAdmin`) Access Context Manager Editor (`roles/accesscontextmanager.policyEditor`)
`accesscontextmanager.policies.delete`	Owner (`roles/owner`) Editor (`roles/editor`) Access Context Manager Admin (`roles/accesscontextmanager.policyAdmin`) Access Context Manager Editor (`roles/accesscontextmanager.policyEditor`)
`accesscontextmanager.policies.get`	Owner (`roles/owner`) Editor (`roles/editor`) Viewer (`roles/viewer`) Access Context Manager Admin (`roles/accesscontextmanager.policyAdmin`) Access Context Manager Editor (`roles/accesscontextmanager.policyEditor`) Access Context Manager Reader (`roles/accesscontextmanager.policyReader`) VPC Service Controls Troubleshooter Viewer (`roles/accesscontextmanager.vpcScTroubleshooterViewer`) Security Auditor (`roles/iam.securityAuditor`) Support User (`roles/iam.supportUser`)
`accesscontextmanager.policies.getIamPolicy`	Owner (`roles/owner`) Editor (`roles/editor`) Viewer (`roles/viewer`) Access Context Manager Admin (`roles/accesscontextmanager.policyAdmin`) Access Context Manager Editor (`roles/accesscontextmanager.policyEditor`) Access Context Manager Reader (`roles/accesscontextmanager.policyReader`) VPC Service Controls Troubleshooter Viewer (`roles/accesscontextmanager.vpcScTroubleshooterViewer`) Security Admin (`roles/iam.securityAdmin`) Security Auditor (`roles/iam.securityAuditor`) Security Reviewer (`roles/iam.securityReviewer`) Support User (`roles/iam.supportUser`)
`accesscontextmanager.policies.list`	Owner (`roles/owner`) Editor (`roles/editor`) Viewer (`roles/viewer`) Access Context Manager Admin (`roles/accesscontextmanager.policyAdmin`) Access Context Manager Editor (`roles/accesscontextmanager.policyEditor`) Access Context Manager Reader (`roles/accesscontextmanager.policyReader`) VPC Service Controls Troubleshooter Viewer (`roles/accesscontextmanager.vpcScTroubleshooterViewer`) Security Admin (`roles/iam.securityAdmin`) Security Auditor (`roles/iam.securityAuditor`) Security Reviewer (`roles/iam.securityReviewer`) Support User (`roles/iam.supportUser`) Service agent roles Warning: Don't grant service agent roles to any principals except service agents. Cloud Deployment Manager Service Agent (`roles/clouddeploymentmanager.serviceAgent`)
`accesscontextmanager.policies.setIamPolicy`	Owner (`roles/owner`) Access Context Manager Admin (`roles/accesscontextmanager.policyAdmin`) Security Admin (`roles/iam.securityAdmin`)
`accesscontextmanager.policies.update`	Owner (`roles/owner`) Editor (`roles/editor`) Access Context Manager Admin (`roles/accesscontextmanager.policyAdmin`) Access Context Manager Editor (`roles/accesscontextmanager.policyEditor`)
`accesscontextmanager.servicePerimeters.commit`	Owner (`roles/owner`) Editor (`roles/editor`) Access Context Manager Admin (`roles/accesscontextmanager.policyAdmin`) Access Context Manager Editor (`roles/accesscontextmanager.policyEditor`)
`accesscontextmanager.servicePerimeters.create`	Owner (`roles/owner`) Editor (`roles/editor`) Access Context Manager Admin (`roles/accesscontextmanager.policyAdmin`) Access Context Manager Editor (`roles/accesscontextmanager.policyEditor`) Service agent roles Warning: Don't grant service agent roles to any principals except service agents. Cloud Deployment Manager Service Agent (`roles/clouddeploymentmanager.serviceAgent`)
`accesscontextmanager.servicePerimeters.delete`	Owner (`roles/owner`) Editor (`roles/editor`) Access Context Manager Admin (`roles/accesscontextmanager.policyAdmin`) Access Context Manager Editor (`roles/accesscontextmanager.policyEditor`) Service agent roles Warning: Don't grant service agent roles to any principals except service agents. Cloud Deployment Manager Service Agent (`roles/clouddeploymentmanager.serviceAgent`)
`accesscontextmanager.servicePerimeters.get`	Owner (`roles/owner`) Editor (`roles/editor`) Viewer (`roles/viewer`) Access Context Manager Admin (`roles/accesscontextmanager.policyAdmin`) Access Context Manager Editor (`roles/accesscontextmanager.policyEditor`) Access Context Manager Reader (`roles/accesscontextmanager.policyReader`) VPC Service Controls Troubleshooter Viewer (`roles/accesscontextmanager.vpcScTroubleshooterViewer`) Security Auditor (`roles/iam.securityAuditor`) Support User (`roles/iam.supportUser`) SLZ BQDW Blueprint Organization Level Remediator (`roles/securedlandingzone.bqdwOrgRemediator`) Service agent roles Warning: Don't grant service agent roles to any principals except service agents. Cloud Deployment Manager Service Agent (`roles/clouddeploymentmanager.serviceAgent`)
`accesscontextmanager.servicePerimeters.list`	Owner (`roles/owner`) Editor (`roles/editor`) Viewer (`roles/viewer`) Access Context Manager Admin (`roles/accesscontextmanager.policyAdmin`) Access Context Manager Editor (`roles/accesscontextmanager.policyEditor`) Access Context Manager Reader (`roles/accesscontextmanager.policyReader`) VPC Service Controls Troubleshooter Viewer (`roles/accesscontextmanager.vpcScTroubleshooterViewer`) Security Admin (`roles/iam.securityAdmin`) Security Auditor (`roles/iam.securityAuditor`) Security Reviewer (`roles/iam.securityReviewer`) Support User (`roles/iam.supportUser`) SLZ BQDW Blueprint Organization Level Remediator (`roles/securedlandingzone.bqdwOrgRemediator`)
`accesscontextmanager.servicePerimeters.replaceAll`	Owner (`roles/owner`) Editor (`roles/editor`) Access Context Manager Admin (`roles/accesscontextmanager.policyAdmin`) Access Context Manager Editor (`roles/accesscontextmanager.policyEditor`)
`accesscontextmanager.servicePerimeters.update`	Owner (`roles/owner`) Editor (`roles/editor`) Access Context Manager Admin (`roles/accesscontextmanager.policyAdmin`) Access Context Manager Editor (`roles/accesscontextmanager.policyEditor`) SLZ BQDW Blueprint Organization Level Remediator (`roles/securedlandingzone.bqdwOrgRemediator`) Service agent roles Warning: Don't grant service agent roles to any principals except service agents. Cloud Deployment Manager Service Agent (`roles/clouddeploymentmanager.serviceAgent`)

Access Context Manager roles and permissions