Binary Authorization roles and permissions
Stay organized with collections Save and categorize content based on your preferences.

This page lists the IAM roles and permissions for Binary Authorization. To search through all roles and permissions, see the role and permission index.

Binary Authorization roles

Role Permissions

Role	Permissions
Binary Authorization Attestor Admin (`roles/binaryauthorization.attestorsAdmin`) Administrator of Binary Authorization Attestors	`binaryauthorization.attestors.*` `binaryauthorization.attestors.create` `binaryauthorization.attestors.delete` `binaryauthorization.attestors.get` `binaryauthorization.attestors.getIamPolicy` `binaryauthorization.attestors.list` `binaryauthorization.attestors.setIamPolicy` `binaryauthorization.attestors.update` `binaryauthorization.attestors.verifyImageAttested` `resourcemanager.projects.get` `resourcemanager.projects.list`
Binary Authorization Attestor Editor (`roles/binaryauthorization.attestorsEditor`) Editor of Binary Authorization Attestors	`binaryauthorization.attestors.create` `binaryauthorization.attestors.delete` `binaryauthorization.attestors.get` `binaryauthorization.attestors.list` `binaryauthorization.attestors.update` `binaryauthorization.attestors.verifyImageAttested` `resourcemanager.projects.get` `resourcemanager.projects.list`
Binary Authorization Attestor Image Verifier (`roles/binaryauthorization.attestorsVerifier`) Caller of Binary Authorization Attestors VerifyImageAttested	`binaryauthorization.attestors.get` `binaryauthorization.attestors.list` `binaryauthorization.attestors.verifyImageAttested` `resourcemanager.projects.get` `resourcemanager.projects.list`
Binary Authorization Attestor Viewer (`roles/binaryauthorization.attestorsViewer`) Viewer of Binary Authorization Attestors	`binaryauthorization.attestors.get` `binaryauthorization.attestors.list` `resourcemanager.projects.get` `resourcemanager.projects.list`
Binary Authorization Policy Administrator (`roles/binaryauthorization.policyAdmin`) Administrator of Binary Authorization Policy	`binaryauthorization.continuousValidationConfig.` `binaryauthorization.continuousValidationConfig.get` `binaryauthorization.continuousValidationConfig.getIamPolicy` `binaryauthorization.continuousValidationConfig.setIamPolicy` `binaryauthorization.continuousValidationConfig.update` `binaryauthorization.platformPolicies.` `binaryauthorization.platformPolicies.create` `binaryauthorization.platformPolicies.delete` `binaryauthorization.platformPolicies.evaluatePolicy` `binaryauthorization.platformPolicies.get` `binaryauthorization.platformPolicies.list` `binaryauthorization.platformPolicies.replace` `binaryauthorization.policy.*` `binaryauthorization.policy.evaluatePolicy` `binaryauthorization.policy.get` `binaryauthorization.policy.getIamPolicy` `binaryauthorization.policy.setIamPolicy` `binaryauthorization.policy.update` `resourcemanager.projects.get` `resourcemanager.projects.list`
Binary Authorization Policy Editor (`roles/binaryauthorization.policyEditor`) Editor of Binary Authorization Policy	`binaryauthorization.continuousValidationConfig.get` `binaryauthorization.continuousValidationConfig.update` `binaryauthorization.platformPolicies.*` `binaryauthorization.platformPolicies.create` `binaryauthorization.platformPolicies.delete` `binaryauthorization.platformPolicies.evaluatePolicy` `binaryauthorization.platformPolicies.get` `binaryauthorization.platformPolicies.list` `binaryauthorization.platformPolicies.replace` `binaryauthorization.policy.evaluatePolicy` `binaryauthorization.policy.get` `binaryauthorization.policy.update` `resourcemanager.projects.get` `resourcemanager.projects.list`
Binary Authorization Policy Evaluator (`roles/binaryauthorization.policyEvaluator`) Evaluator of Binary Authorization Policy	`binaryauthorization.platformPolicies.evaluatePolicy` `binaryauthorization.platformPolicies.get` `binaryauthorization.platformPolicies.list` `binaryauthorization.policy.evaluatePolicy` `binaryauthorization.policy.get` `resourcemanager.projects.get` `resourcemanager.projects.list`
Binary Authorization Policy Viewer (`roles/binaryauthorization.policyViewer`) Viewer of Binary Authorization Policy	`binaryauthorization.continuousValidationConfig.get` `binaryauthorization.platformPolicies.get` `binaryauthorization.platformPolicies.list` `binaryauthorization.policy.get` `resourcemanager.projects.get` `resourcemanager.projects.list`
Binary Authorization Service Agent (`roles/binaryauthorization.serviceAgent`) Can read Notes and Occurrences from the Container Analysis Service to find and verify signatures. Warning: Do not grant service agent roles to any principals except service agents.	`artifactregistry.dockerimages.get` `artifactregistry.repositories.downloadArtifacts` `binaryauthorization.attestors.get` `binaryauthorization.attestors.list` `binaryauthorization.attestors.verifyImageAttested` `binaryauthorization.platformPolicies.evaluatePolicy` `binaryauthorization.policy.evaluatePolicy` `cloudasset.assets.exportResource` `cloudasset.feeds.create` `cloudasset.feeds.delete` `cloudasset.feeds.get` `cloudasset.feeds.update` `containeranalysis.notes.get` `containeranalysis.notes.list` `containeranalysis.notes.listOccurrences` `containeranalysis.occurrences.get` `containeranalysis.occurrences.list` `resourcemanager.projects.get` `resourcemanager.projects.list` `storage.objects.list`

Binary Authorization Attestor Admin

(roles/binaryauthorization.attestorsAdmin)

Administrator of Binary Authorization Attestors

binaryauthorization.attestors.*

binaryauthorization.attestors.create
binaryauthorization.attestors.delete
binaryauthorization.attestors.get
binaryauthorization.attestors.getIamPolicy
binaryauthorization.attestors.list
binaryauthorization.attestors.setIamPolicy
binaryauthorization.attestors.update
binaryauthorization.attestors.verifyImageAttested

resourcemanager.projects.get

resourcemanager.projects.list

Binary Authorization Attestor Editor

(roles/binaryauthorization.attestorsEditor)

Editor of Binary Authorization Attestors

binaryauthorization.attestors.create

binaryauthorization.attestors.delete

binaryauthorization.attestors.get

binaryauthorization.attestors.list

binaryauthorization.attestors.update

binaryauthorization.attestors.verifyImageAttested

resourcemanager.projects.get

resourcemanager.projects.list

Binary Authorization Attestor Image Verifier

(roles/binaryauthorization.attestorsVerifier)

Caller of Binary Authorization Attestors VerifyImageAttested

binaryauthorization.attestors.get

binaryauthorization.attestors.list

binaryauthorization.attestors.verifyImageAttested

resourcemanager.projects.get

resourcemanager.projects.list

Binary Authorization Attestor Viewer

(roles/binaryauthorization.attestorsViewer)

Viewer of Binary Authorization Attestors

binaryauthorization.attestors.get

binaryauthorization.attestors.list

resourcemanager.projects.get

resourcemanager.projects.list

Binary Authorization Policy Administrator

(roles/binaryauthorization.policyAdmin)

Administrator of Binary Authorization Policy

binaryauthorization.continuousValidationConfig.*

binaryauthorization.continuousValidationConfig.get
binaryauthorization.continuousValidationConfig.getIamPolicy
binaryauthorization.continuousValidationConfig.setIamPolicy
binaryauthorization.continuousValidationConfig.update

binaryauthorization.platformPolicies.*

binaryauthorization.platformPolicies.create
binaryauthorization.platformPolicies.delete
binaryauthorization.platformPolicies.evaluatePolicy
binaryauthorization.platformPolicies.get
binaryauthorization.platformPolicies.list
binaryauthorization.platformPolicies.replace

binaryauthorization.policy.*

binaryauthorization.policy.evaluatePolicy
binaryauthorization.policy.get
binaryauthorization.policy.getIamPolicy
binaryauthorization.policy.setIamPolicy
binaryauthorization.policy.update

resourcemanager.projects.get

resourcemanager.projects.list

Binary Authorization Policy Editor

(roles/binaryauthorization.policyEditor)

Editor of Binary Authorization Policy

binaryauthorization.continuousValidationConfig.get

binaryauthorization.continuousValidationConfig.update

binaryauthorization.platformPolicies.*

binaryauthorization.platformPolicies.create
binaryauthorization.platformPolicies.delete
binaryauthorization.platformPolicies.evaluatePolicy
binaryauthorization.platformPolicies.get
binaryauthorization.platformPolicies.list
binaryauthorization.platformPolicies.replace

binaryauthorization.policy.evaluatePolicy

binaryauthorization.policy.get

binaryauthorization.policy.update

resourcemanager.projects.get

resourcemanager.projects.list

Binary Authorization Policy Evaluator

(roles/binaryauthorization.policyEvaluator)

Evaluator of Binary Authorization Policy

binaryauthorization.platformPolicies.evaluatePolicy

binaryauthorization.platformPolicies.get

binaryauthorization.platformPolicies.list

binaryauthorization.policy.evaluatePolicy

binaryauthorization.policy.get

resourcemanager.projects.get

resourcemanager.projects.list

Binary Authorization Policy Viewer

(roles/binaryauthorization.policyViewer)

Viewer of Binary Authorization Policy

binaryauthorization.continuousValidationConfig.get

binaryauthorization.platformPolicies.get

binaryauthorization.platformPolicies.list

binaryauthorization.policy.get

resourcemanager.projects.get

resourcemanager.projects.list

Binary Authorization Service Agent

(roles/binaryauthorization.serviceAgent)

Can read Notes and Occurrences from the Container Analysis Service to find and verify signatures.

artifactregistry.dockerimages.get

artifactregistry.repositories.downloadArtifacts

binaryauthorization.attestors.get

binaryauthorization.attestors.list

binaryauthorization.attestors.verifyImageAttested

binaryauthorization.platformPolicies.evaluatePolicy

binaryauthorization.policy.evaluatePolicy

cloudasset.assets.exportResource

cloudasset.feeds.create

cloudasset.feeds.delete

cloudasset.feeds.get

cloudasset.feeds.update

containeranalysis.notes.get

containeranalysis.notes.list

containeranalysis.notes.listOccurrences

containeranalysis.occurrences.get

containeranalysis.occurrences.list

resourcemanager.projects.get

resourcemanager.projects.list

storage.objects.list

Binary Authorization permissions

Permission	Included in roles
`binaryauthorization.attestors.create`	Owner (`roles/owner`) Editor (`roles/editor`) Binary Authorization Attestor Admin (`roles/binaryauthorization.attestorsAdmin`) Binary Authorization Attestor Editor (`roles/binaryauthorization.attestorsEditor`) Service agent roles Warning: Don't grant service agent roles to any principals except service agents. Cloud Build Service Agent (`roles/cloudbuild.serviceAgent`)
`binaryauthorization.attestors.delete`	Owner (`roles/owner`) Editor (`roles/editor`) Binary Authorization Attestor Admin (`roles/binaryauthorization.attestorsAdmin`) Binary Authorization Attestor Editor (`roles/binaryauthorization.attestorsEditor`) Service agent roles Warning: Don't grant service agent roles to any principals except service agents. Cloud Build Service Agent (`roles/cloudbuild.serviceAgent`)
`binaryauthorization.attestors.get`	Owner (`roles/owner`) Editor (`roles/editor`) Viewer (`roles/viewer`) Binary Authorization Attestor Admin (`roles/binaryauthorization.attestorsAdmin`) Binary Authorization Attestor Editor (`roles/binaryauthorization.attestorsEditor`) Binary Authorization Attestor Image Verifier (`roles/binaryauthorization.attestorsVerifier`) Binary Authorization Attestor Viewer (`roles/binaryauthorization.attestorsViewer`) Service agent roles Warning: Don't grant service agent roles to any principals except service agents. Cloud Build Service Agent (`roles/cloudbuild.serviceAgent`) Binary Authorization Service Agent (`roles/binaryauthorization.serviceAgent`)
`binaryauthorization.attestors.getIamPolicy`	Owner (`roles/owner`) Editor (`roles/editor`) Viewer (`roles/viewer`) Binary Authorization Attestor Admin (`roles/binaryauthorization.attestorsAdmin`) Security Admin (`roles/iam.securityAdmin`) Security Reviewer (`roles/iam.securityReviewer`)
`binaryauthorization.attestors.list`	Owner (`roles/owner`) Editor (`roles/editor`) Viewer (`roles/viewer`) Binary Authorization Attestor Admin (`roles/binaryauthorization.attestorsAdmin`) Binary Authorization Attestor Editor (`roles/binaryauthorization.attestorsEditor`) Binary Authorization Attestor Image Verifier (`roles/binaryauthorization.attestorsVerifier`) Binary Authorization Attestor Viewer (`roles/binaryauthorization.attestorsViewer`) Security Admin (`roles/iam.securityAdmin`) Security Reviewer (`roles/iam.securityReviewer`) Service agent roles Warning: Don't grant service agent roles to any principals except service agents. Cloud Build Service Agent (`roles/cloudbuild.serviceAgent`) Binary Authorization Service Agent (`roles/binaryauthorization.serviceAgent`)
`binaryauthorization.attestors.setIamPolicy`	Owner (`roles/owner`) Binary Authorization Attestor Admin (`roles/binaryauthorization.attestorsAdmin`) Security Admin (`roles/iam.securityAdmin`)
`binaryauthorization.attestors.update`	Owner (`roles/owner`) Editor (`roles/editor`) Binary Authorization Attestor Admin (`roles/binaryauthorization.attestorsAdmin`) Binary Authorization Attestor Editor (`roles/binaryauthorization.attestorsEditor`) Service agent roles Warning: Don't grant service agent roles to any principals except service agents. Cloud Build Service Agent (`roles/cloudbuild.serviceAgent`)
`binaryauthorization.attestors.verifyImageAttested`	Owner (`roles/owner`) Editor (`roles/editor`) Viewer (`roles/viewer`) Binary Authorization Attestor Admin (`roles/binaryauthorization.attestorsAdmin`) Binary Authorization Attestor Editor (`roles/binaryauthorization.attestorsEditor`) Binary Authorization Attestor Image Verifier (`roles/binaryauthorization.attestorsVerifier`) Service agent roles Warning: Don't grant service agent roles to any principals except service agents. Cloud Build Service Agent (`roles/cloudbuild.serviceAgent`) Binary Authorization Service Agent (`roles/binaryauthorization.serviceAgent`)
`binaryauthorization.continuousValidationConfig.get`	Owner (`roles/owner`) Editor (`roles/editor`) Viewer (`roles/viewer`) Binary Authorization Policy Administrator (`roles/binaryauthorization.policyAdmin`) Binary Authorization Policy Editor (`roles/binaryauthorization.policyEditor`) Binary Authorization Policy Viewer (`roles/binaryauthorization.policyViewer`)
`binaryauthorization.continuousValidationConfig.getIamPolicy`	Owner (`roles/owner`) Editor (`roles/editor`) Viewer (`roles/viewer`) Binary Authorization Policy Administrator (`roles/binaryauthorization.policyAdmin`) Security Admin (`roles/iam.securityAdmin`) Security Reviewer (`roles/iam.securityReviewer`)
`binaryauthorization.continuousValidationConfig.setIamPolicy`	Owner (`roles/owner`) Binary Authorization Policy Administrator (`roles/binaryauthorization.policyAdmin`) Security Admin (`roles/iam.securityAdmin`)
`binaryauthorization.continuousValidationConfig.update`	Owner (`roles/owner`) Editor (`roles/editor`) Binary Authorization Policy Administrator (`roles/binaryauthorization.policyAdmin`) Binary Authorization Policy Editor (`roles/binaryauthorization.policyEditor`)
`binaryauthorization.platformPolicies.create`	Owner (`roles/owner`) Editor (`roles/editor`) Binary Authorization Policy Administrator (`roles/binaryauthorization.policyAdmin`) Binary Authorization Policy Editor (`roles/binaryauthorization.policyEditor`)
`binaryauthorization.platformPolicies.delete`	Owner (`roles/owner`) Editor (`roles/editor`) Binary Authorization Policy Administrator (`roles/binaryauthorization.policyAdmin`) Binary Authorization Policy Editor (`roles/binaryauthorization.policyEditor`)
`binaryauthorization.platformPolicies.evaluatePolicy`	Owner (`roles/owner`) Editor (`roles/editor`) Viewer (`roles/viewer`) Binary Authorization Policy Administrator (`roles/binaryauthorization.policyAdmin`) Binary Authorization Policy Editor (`roles/binaryauthorization.policyEditor`) Binary Authorization Policy Evaluator (`roles/binaryauthorization.policyEvaluator`) Cloud Run Service Agent (`roles/serverless.serviceAgent`) Service agent roles Warning: Don't grant service agent roles to any principals except service agents. Anthos Multi-Cloud Container Service Agent (`roles/gkemulticloud.containerServiceAgent`) Cloud Run Service Agent (`roles/run.serviceAgent`) Binary Authorization Service Agent (`roles/binaryauthorization.serviceAgent`)
`binaryauthorization.platformPolicies.get`	Owner (`roles/owner`) Editor (`roles/editor`) Viewer (`roles/viewer`) Binary Authorization Policy Administrator (`roles/binaryauthorization.policyAdmin`) Binary Authorization Policy Editor (`roles/binaryauthorization.policyEditor`) Binary Authorization Policy Evaluator (`roles/binaryauthorization.policyEvaluator`) Binary Authorization Policy Viewer (`roles/binaryauthorization.policyViewer`) Service agent roles Warning: Don't grant service agent roles to any principals except service agents. Anthos Multi-Cloud Container Service Agent (`roles/gkemulticloud.containerServiceAgent`)
`binaryauthorization.platformPolicies.list`	Owner (`roles/owner`) Editor (`roles/editor`) Viewer (`roles/viewer`) Binary Authorization Policy Administrator (`roles/binaryauthorization.policyAdmin`) Binary Authorization Policy Editor (`roles/binaryauthorization.policyEditor`) Binary Authorization Policy Evaluator (`roles/binaryauthorization.policyEvaluator`) Binary Authorization Policy Viewer (`roles/binaryauthorization.policyViewer`) Security Admin (`roles/iam.securityAdmin`) Security Reviewer (`roles/iam.securityReviewer`) Service agent roles Warning: Don't grant service agent roles to any principals except service agents. Anthos Multi-Cloud Container Service Agent (`roles/gkemulticloud.containerServiceAgent`)
`binaryauthorization.platformPolicies.replace`	Owner (`roles/owner`) Editor (`roles/editor`) Binary Authorization Policy Administrator (`roles/binaryauthorization.policyAdmin`) Binary Authorization Policy Editor (`roles/binaryauthorization.policyEditor`)
`binaryauthorization.policy.evaluatePolicy`	Owner (`roles/owner`) Editor (`roles/editor`) Viewer (`roles/viewer`) Binary Authorization Policy Administrator (`roles/binaryauthorization.policyAdmin`) Binary Authorization Policy Editor (`roles/binaryauthorization.policyEditor`) Binary Authorization Policy Evaluator (`roles/binaryauthorization.policyEvaluator`) Cloud Run Service Agent (`roles/serverless.serviceAgent`) Service agent roles Warning: Don't grant service agent roles to any principals except service agents. Kubernetes Engine Service Agent (`roles/container.serviceAgent`) Anthos Multi-Cloud Container Service Agent (`roles/gkemulticloud.containerServiceAgent`) Cloud Run Service Agent (`roles/run.serviceAgent`) Binary Authorization Service Agent (`roles/binaryauthorization.serviceAgent`)
`binaryauthorization.policy.get`	Owner (`roles/owner`) Editor (`roles/editor`) Viewer (`roles/viewer`) Binary Authorization Policy Administrator (`roles/binaryauthorization.policyAdmin`) Binary Authorization Policy Editor (`roles/binaryauthorization.policyEditor`) Binary Authorization Policy Evaluator (`roles/binaryauthorization.policyEvaluator`) Binary Authorization Policy Viewer (`roles/binaryauthorization.policyViewer`) Service agent roles Warning: Don't grant service agent roles to any principals except service agents. Security Center Control Service Agent (`roles/securitycenter.controlServiceAgent`) Security Health Analytics Service Agent (`roles/securitycenter.securityHealthAnalyticsServiceAgent`) Security Center Service Agent (`roles/securitycenter.serviceAgent`) Anthos Multi-Cloud Container Service Agent (`roles/gkemulticloud.containerServiceAgent`)
`binaryauthorization.policy.getIamPolicy`	Owner (`roles/owner`) Editor (`roles/editor`) Viewer (`roles/viewer`) Binary Authorization Policy Administrator (`roles/binaryauthorization.policyAdmin`) Security Admin (`roles/iam.securityAdmin`) Security Reviewer (`roles/iam.securityReviewer`)
`binaryauthorization.policy.setIamPolicy`	Owner (`roles/owner`) Binary Authorization Policy Administrator (`roles/binaryauthorization.policyAdmin`) Security Admin (`roles/iam.securityAdmin`)
`binaryauthorization.policy.update`	Owner (`roles/owner`) Editor (`roles/editor`) Binary Authorization Policy Administrator (`roles/binaryauthorization.policyAdmin`) Binary Authorization Policy Editor (`roles/binaryauthorization.policyEditor`)

Binary Authorization roles and permissions
Stay organized with collections Save and categorize content based on your preferences.