API Gateway roles and permissions

This page lists the IAM roles and permissions for API Gateway. To search through all roles and permissions, see the role and permission index.

API Gateway roles

Role Permissions

Role	Permissions
ApiGateway Admin (`roles/apigateway.admin`) Full access to ApiGateway and related resources.	`apigateway.*` `apigateway.apiconfigs.create` `apigateway.apiconfigs.delete` `apigateway.apiconfigs.get` `apigateway.apiconfigs.getIamPolicy` `apigateway.apiconfigs.list` `apigateway.apiconfigs.setIamPolicy` `apigateway.apiconfigs.update` `apigateway.apis.create` `apigateway.apis.createTagBinding` `apigateway.apis.delete` `apigateway.apis.deleteTagBinding` `apigateway.apis.get` `apigateway.apis.getIamPolicy` `apigateway.apis.list` `apigateway.apis.listEffectiveTags` `apigateway.apis.listTagBindings` `apigateway.apis.setIamPolicy` `apigateway.apis.update` `apigateway.gateways.create` `apigateway.gateways.createTagBinding` `apigateway.gateways.delete` `apigateway.gateways.deleteTagBinding` `apigateway.gateways.get` `apigateway.gateways.getIamPolicy` `apigateway.gateways.list` `apigateway.gateways.listEffectiveTags` `apigateway.gateways.listTagBindings` `apigateway.gateways.setIamPolicy` `apigateway.gateways.update` `apigateway.locations.get` `apigateway.locations.list` `apigateway.operations.cancel` `apigateway.operations.delete` `apigateway.operations.get` `apigateway.operations.list` `monitoring.metricDescriptors.list` `monitoring.monitoredResourceDescriptors.get` `monitoring.timeSeries.list` `resourcemanager.projects.get` `resourcemanager.projects.list` `servicemanagement.services.get` `serviceusage.services.get` `serviceusage.services.list`
Cloud API Gateway Service Agent (`roles/apigateway.serviceAgent`) Gives Cloud API Gateway service account access to Service Management check and reports as well as impersonation on user-specified service accounts. Warning: Do not grant service agent roles to any principals except service agents.	`iam.serviceAccounts.getAccessToken` `iam.serviceAccounts.getOpenIdToken` `servicemanagement.services.check` `servicemanagement.services.quota` `servicemanagement.services.report`
ApiGateway Viewer (`roles/apigateway.viewer`) Read-only access to ApiGateway and related resources.	`apigateway.apiconfigs.get` `apigateway.apiconfigs.getIamPolicy` `apigateway.apiconfigs.list` `apigateway.apis.get` `apigateway.apis.getIamPolicy` `apigateway.apis.list` `apigateway.apis.listEffectiveTags` `apigateway.apis.listTagBindings` `apigateway.gateways.get` `apigateway.gateways.getIamPolicy` `apigateway.gateways.list` `apigateway.gateways.listEffectiveTags` `apigateway.gateways.listTagBindings` `apigateway.locations.*` `apigateway.locations.get` `apigateway.locations.list` `apigateway.operations.get` `apigateway.operations.list` `monitoring.metricDescriptors.list` `monitoring.monitoredResourceDescriptors.get` `monitoring.timeSeries.list` `resourcemanager.projects.get` `resourcemanager.projects.list` `servicemanagement.services.get` `serviceusage.services.get` `serviceusage.services.list`
Cloud API Gateway Management Service Agent (`roles/apigateway_management.serviceAgent`) Gives Cloud API Gateway service account access to retrieve a Service configuration. Warning: Do not grant service agent roles to any principals except service agents.	`iam.serviceAccounts.get` `servicemanagement.services.create` `servicemanagement.services.delete` `servicemanagement.services.get` `servicemanagement.services.list` `servicemanagement.services.update` `serviceusage.services.get`

ApiGateway Admin

(roles/apigateway.admin)

Full access to ApiGateway and related resources.

apigateway.*

apigateway.apiconfigs.create
apigateway.apiconfigs.delete
apigateway.apiconfigs.get
apigateway.apiconfigs.getIamPolicy
apigateway.apiconfigs.list
apigateway.apiconfigs.setIamPolicy
apigateway.apiconfigs.update
apigateway.apis.create
apigateway.apis.createTagBinding
apigateway.apis.delete
apigateway.apis.deleteTagBinding
apigateway.apis.get
apigateway.apis.getIamPolicy
apigateway.apis.list
apigateway.apis.listEffectiveTags
apigateway.apis.listTagBindings
apigateway.apis.setIamPolicy
apigateway.apis.update
apigateway.gateways.create
apigateway.gateways.createTagBinding
apigateway.gateways.delete
apigateway.gateways.deleteTagBinding
apigateway.gateways.get
apigateway.gateways.getIamPolicy
apigateway.gateways.list
apigateway.gateways.listEffectiveTags
apigateway.gateways.listTagBindings
apigateway.gateways.setIamPolicy
apigateway.gateways.update
apigateway.locations.get
apigateway.locations.list
apigateway.operations.cancel
apigateway.operations.delete
apigateway.operations.get
apigateway.operations.list

monitoring.metricDescriptors.list

monitoring.monitoredResourceDescriptors.get

monitoring.timeSeries.list

resourcemanager.projects.get

resourcemanager.projects.list

servicemanagement.services.get

serviceusage.services.get

serviceusage.services.list

Cloud API Gateway Service Agent

(roles/apigateway.serviceAgent)

Gives Cloud API Gateway service account access to Service Management check and reports as well as impersonation on user-specified service accounts.

iam.serviceAccounts.getAccessToken

iam.serviceAccounts.getOpenIdToken

servicemanagement.services.check

servicemanagement.services.quota

servicemanagement.services.report

ApiGateway Viewer

(roles/apigateway.viewer)

Read-only access to ApiGateway and related resources.

apigateway.apiconfigs.get

apigateway.apiconfigs.getIamPolicy

apigateway.apiconfigs.list

apigateway.apis.get

apigateway.apis.getIamPolicy

apigateway.apis.list

apigateway.apis.listEffectiveTags

apigateway.apis.listTagBindings

apigateway.gateways.get

apigateway.gateways.getIamPolicy

apigateway.gateways.list

apigateway.gateways.listEffectiveTags

apigateway.gateways.listTagBindings

apigateway.locations.*

apigateway.locations.get
apigateway.locations.list

apigateway.operations.get

apigateway.operations.list

monitoring.metricDescriptors.list

monitoring.monitoredResourceDescriptors.get

monitoring.timeSeries.list

resourcemanager.projects.get

resourcemanager.projects.list

servicemanagement.services.get

serviceusage.services.get

serviceusage.services.list

Cloud API Gateway Management Service Agent

(roles/apigateway_management.serviceAgent)

Gives Cloud API Gateway service account access to retrieve a Service configuration.

iam.serviceAccounts.get

servicemanagement.services.create

servicemanagement.services.delete

servicemanagement.services.get

servicemanagement.services.list

servicemanagement.services.update

serviceusage.services.get

API Gateway permissions

Permission	Included in roles
`apigateway.apiconfigs.create`	Owner (`roles/owner`) Editor (`roles/editor`) ApiGateway Admin (`roles/apigateway.admin`)
`apigateway.apiconfigs.delete`	Owner (`roles/owner`) Editor (`roles/editor`) ApiGateway Admin (`roles/apigateway.admin`)
`apigateway.apiconfigs.get`	Owner (`roles/owner`) Editor (`roles/editor`) Viewer (`roles/viewer`) ApiGateway Admin (`roles/apigateway.admin`) ApiGateway Viewer (`roles/apigateway.viewer`) Security Auditor (`roles/iam.securityAuditor`) Support User (`roles/iam.supportUser`) Service agent roles Warning: Don't grant service agent roles to any principals except service agents. Attack Surface Management Scanner Service Agent (`roles/securitycenter.attackSurfaceManagementScannerServiceAgent`)
`apigateway.apiconfigs.getIamPolicy`	Owner (`roles/owner`) Editor (`roles/editor`) Viewer (`roles/viewer`) ApiGateway Admin (`roles/apigateway.admin`) ApiGateway Viewer (`roles/apigateway.viewer`) Security Admin (`roles/iam.securityAdmin`) Security Auditor (`roles/iam.securityAuditor`) Security Reviewer (`roles/iam.securityReviewer`) Support User (`roles/iam.supportUser`)
`apigateway.apiconfigs.list`	Owner (`roles/owner`) Editor (`roles/editor`) Viewer (`roles/viewer`) ApiGateway Admin (`roles/apigateway.admin`) ApiGateway Viewer (`roles/apigateway.viewer`) Security Admin (`roles/iam.securityAdmin`) Security Auditor (`roles/iam.securityAuditor`) Security Reviewer (`roles/iam.securityReviewer`) Support User (`roles/iam.supportUser`)
`apigateway.apiconfigs.setIamPolicy`	Owner (`roles/owner`) ApiGateway Admin (`roles/apigateway.admin`) Security Admin (`roles/iam.securityAdmin`)
`apigateway.apiconfigs.update`	Owner (`roles/owner`) Editor (`roles/editor`) ApiGateway Admin (`roles/apigateway.admin`)
`apigateway.apis.create`	Owner (`roles/owner`) Editor (`roles/editor`) ApiGateway Admin (`roles/apigateway.admin`)
`apigateway.apis.createTagBinding`	Owner (`roles/owner`) ApiGateway Admin (`roles/apigateway.admin`) DLP Organization Data Profiles Driver (`roles/dlp.orgdriver`) DLP Project Data Profiles Driver (`roles/dlp.projectdriver`) Tag User (`roles/resourcemanager.tagUser`)
`apigateway.apis.delete`	Owner (`roles/owner`) Editor (`roles/editor`) ApiGateway Admin (`roles/apigateway.admin`)
`apigateway.apis.deleteTagBinding`	Owner (`roles/owner`) ApiGateway Admin (`roles/apigateway.admin`) DLP Organization Data Profiles Driver (`roles/dlp.orgdriver`) DLP Project Data Profiles Driver (`roles/dlp.projectdriver`) Tag User (`roles/resourcemanager.tagUser`)
`apigateway.apis.get`	Owner (`roles/owner`) Editor (`roles/editor`) Viewer (`roles/viewer`) ApiGateway Admin (`roles/apigateway.admin`) ApiGateway Viewer (`roles/apigateway.viewer`) Security Auditor (`roles/iam.securityAuditor`) Support User (`roles/iam.supportUser`)
`apigateway.apis.getIamPolicy`	Owner (`roles/owner`) Editor (`roles/editor`) Viewer (`roles/viewer`) ApiGateway Admin (`roles/apigateway.admin`) ApiGateway Viewer (`roles/apigateway.viewer`) Security Admin (`roles/iam.securityAdmin`) Security Auditor (`roles/iam.securityAuditor`) Security Reviewer (`roles/iam.securityReviewer`) Support User (`roles/iam.supportUser`)
`apigateway.apis.list`	Owner (`roles/owner`) Editor (`roles/editor`) Viewer (`roles/viewer`) ApiGateway Admin (`roles/apigateway.admin`) ApiGateway Viewer (`roles/apigateway.viewer`) Security Admin (`roles/iam.securityAdmin`) Security Auditor (`roles/iam.securityAuditor`) Security Reviewer (`roles/iam.securityReviewer`) Support User (`roles/iam.supportUser`)
`apigateway.apis.listEffectiveTags`	Owner (`roles/owner`) Editor (`roles/editor`) Viewer (`roles/viewer`) ApiGateway Admin (`roles/apigateway.admin`) ApiGateway Viewer (`roles/apigateway.viewer`) DLP Organization Data Profiles Driver (`roles/dlp.orgdriver`) DLP Project Data Profiles Driver (`roles/dlp.projectdriver`) Security Auditor (`roles/iam.securityAuditor`) Support User (`roles/iam.supportUser`) Tag User (`roles/resourcemanager.tagUser`) Tag Viewer (`roles/resourcemanager.tagViewer`)
`apigateway.apis.listTagBindings`	Owner (`roles/owner`) Editor (`roles/editor`) Viewer (`roles/viewer`) ApiGateway Admin (`roles/apigateway.admin`) ApiGateway Viewer (`roles/apigateway.viewer`) DLP Organization Data Profiles Driver (`roles/dlp.orgdriver`) DLP Project Data Profiles Driver (`roles/dlp.projectdriver`) Security Auditor (`roles/iam.securityAuditor`) Support User (`roles/iam.supportUser`) Tag User (`roles/resourcemanager.tagUser`) Tag Viewer (`roles/resourcemanager.tagViewer`)
`apigateway.apis.setIamPolicy`	Owner (`roles/owner`) ApiGateway Admin (`roles/apigateway.admin`) Security Admin (`roles/iam.securityAdmin`)
`apigateway.apis.update`	Owner (`roles/owner`) Editor (`roles/editor`) ApiGateway Admin (`roles/apigateway.admin`)
`apigateway.gateways.create`	Owner (`roles/owner`) Editor (`roles/editor`) ApiGateway Admin (`roles/apigateway.admin`)
`apigateway.gateways.createTagBinding`	Owner (`roles/owner`) ApiGateway Admin (`roles/apigateway.admin`) DLP Organization Data Profiles Driver (`roles/dlp.orgdriver`) DLP Project Data Profiles Driver (`roles/dlp.projectdriver`) Tag User (`roles/resourcemanager.tagUser`)
`apigateway.gateways.delete`	Owner (`roles/owner`) Editor (`roles/editor`) ApiGateway Admin (`roles/apigateway.admin`)
`apigateway.gateways.deleteTagBinding`	Owner (`roles/owner`) ApiGateway Admin (`roles/apigateway.admin`) DLP Organization Data Profiles Driver (`roles/dlp.orgdriver`) DLP Project Data Profiles Driver (`roles/dlp.projectdriver`) Tag User (`roles/resourcemanager.tagUser`)
`apigateway.gateways.get`	Owner (`roles/owner`) Editor (`roles/editor`) Viewer (`roles/viewer`) ApiGateway Admin (`roles/apigateway.admin`) ApiGateway Viewer (`roles/apigateway.viewer`) Security Auditor (`roles/iam.securityAuditor`) Support User (`roles/iam.supportUser`)
`apigateway.gateways.getIamPolicy`	Owner (`roles/owner`) Editor (`roles/editor`) Viewer (`roles/viewer`) ApiGateway Admin (`roles/apigateway.admin`) ApiGateway Viewer (`roles/apigateway.viewer`) Security Admin (`roles/iam.securityAdmin`) Security Auditor (`roles/iam.securityAuditor`) Security Reviewer (`roles/iam.securityReviewer`) Support User (`roles/iam.supportUser`)
`apigateway.gateways.list`	Owner (`roles/owner`) Editor (`roles/editor`) Viewer (`roles/viewer`) ApiGateway Admin (`roles/apigateway.admin`) ApiGateway Viewer (`roles/apigateway.viewer`) Security Admin (`roles/iam.securityAdmin`) Security Auditor (`roles/iam.securityAuditor`) Security Reviewer (`roles/iam.securityReviewer`) Support User (`roles/iam.supportUser`)
`apigateway.gateways.listEffectiveTags`	Owner (`roles/owner`) Editor (`roles/editor`) Viewer (`roles/viewer`) ApiGateway Admin (`roles/apigateway.admin`) ApiGateway Viewer (`roles/apigateway.viewer`) DLP Organization Data Profiles Driver (`roles/dlp.orgdriver`) DLP Project Data Profiles Driver (`roles/dlp.projectdriver`) Security Auditor (`roles/iam.securityAuditor`) Support User (`roles/iam.supportUser`) Tag User (`roles/resourcemanager.tagUser`) Tag Viewer (`roles/resourcemanager.tagViewer`)
`apigateway.gateways.listTagBindings`	Owner (`roles/owner`) Editor (`roles/editor`) Viewer (`roles/viewer`) ApiGateway Admin (`roles/apigateway.admin`) ApiGateway Viewer (`roles/apigateway.viewer`) DLP Organization Data Profiles Driver (`roles/dlp.orgdriver`) DLP Project Data Profiles Driver (`roles/dlp.projectdriver`) Security Auditor (`roles/iam.securityAuditor`) Support User (`roles/iam.supportUser`) Tag User (`roles/resourcemanager.tagUser`) Tag Viewer (`roles/resourcemanager.tagViewer`)
`apigateway.gateways.setIamPolicy`	Owner (`roles/owner`) ApiGateway Admin (`roles/apigateway.admin`) Security Admin (`roles/iam.securityAdmin`)
`apigateway.gateways.update`	Owner (`roles/owner`) Editor (`roles/editor`) ApiGateway Admin (`roles/apigateway.admin`)
`apigateway.locations.get`	Owner (`roles/owner`) Editor (`roles/editor`) Viewer (`roles/viewer`) ApiGateway Admin (`roles/apigateway.admin`) ApiGateway Viewer (`roles/apigateway.viewer`) Security Auditor (`roles/iam.securityAuditor`) Support User (`roles/iam.supportUser`)
`apigateway.locations.list`	Owner (`roles/owner`) Editor (`roles/editor`) Viewer (`roles/viewer`) ApiGateway Admin (`roles/apigateway.admin`) ApiGateway Viewer (`roles/apigateway.viewer`) Security Admin (`roles/iam.securityAdmin`) Security Auditor (`roles/iam.securityAuditor`) Security Reviewer (`roles/iam.securityReviewer`) Support User (`roles/iam.supportUser`)
`apigateway.operations.cancel`	Owner (`roles/owner`) Editor (`roles/editor`) ApiGateway Admin (`roles/apigateway.admin`)
`apigateway.operations.delete`	Owner (`roles/owner`) Editor (`roles/editor`) ApiGateway Admin (`roles/apigateway.admin`)
`apigateway.operations.get`	Owner (`roles/owner`) Editor (`roles/editor`) Viewer (`roles/viewer`) ApiGateway Admin (`roles/apigateway.admin`) ApiGateway Viewer (`roles/apigateway.viewer`) Security Auditor (`roles/iam.securityAuditor`) Support User (`roles/iam.supportUser`)
`apigateway.operations.list`	Owner (`roles/owner`) Editor (`roles/editor`) Viewer (`roles/viewer`) ApiGateway Admin (`roles/apigateway.admin`) ApiGateway Viewer (`roles/apigateway.viewer`) Security Admin (`roles/iam.securityAdmin`) Security Auditor (`roles/iam.securityAuditor`) Security Reviewer (`roles/iam.securityReviewer`) Support User (`roles/iam.supportUser`)

API Gateway roles and permissions