Cloud Key Management Service roles and permissions

This page lists the IAM roles and permissions for Cloud Key Management Service. To search through all roles and permissions, see the role and permission index.

Cloud Key Management Service roles

Role Permissions

(roles/cloudkms.admin)

Provides access to Cloud KMS resources, except for access to restricted resource types and cryptographic operations.

Lowest-level resources where you can grant this role:

  • CryptoKey

cloudkms.autokeyConfigs.*

  • cloudkms.autokeyConfigs.get
  • cloudkms.autokeyConfigs.update

cloudkms.cryptoKeyVersions.create

cloudkms.cryptoKeyVersions.destroy

cloudkms.cryptoKeyVersions.get

cloudkms.cryptoKeyVersions.list

cloudkms.cryptoKeyVersions.restore

cloudkms.cryptoKeyVersions.update

cloudkms.cryptoKeyVersions.useToDecryptViaDelegation

cloudkms.cryptoKeyVersions.useToEncryptViaDelegation

cloudkms.cryptoKeys.*

  • cloudkms.cryptoKeys.create
  • cloudkms.cryptoKeys.get
  • cloudkms.cryptoKeys.getIamPolicy
  • cloudkms.cryptoKeys.list
  • cloudkms.cryptoKeys.setIamPolicy
  • cloudkms.cryptoKeys.update

cloudkms.ekmConfigs.*

  • cloudkms.ekmConfigs.get
  • cloudkms.ekmConfigs.getIamPolicy
  • cloudkms.ekmConfigs.setIamPolicy
  • cloudkms.ekmConfigs.update

cloudkms.ekmConnections.*

  • cloudkms.ekmConnections.create
  • cloudkms.ekmConnections.get
  • cloudkms.ekmConnections.getIamPolicy
  • cloudkms.ekmConnections.list
  • cloudkms.ekmConnections.setIamPolicy
  • cloudkms.ekmConnections.update
  • cloudkms.ekmConnections.use
  • cloudkms.ekmConnections.verifyConnectivity

cloudkms.importJobs.*

  • cloudkms.importJobs.create
  • cloudkms.importJobs.get
  • cloudkms.importJobs.getIamPolicy
  • cloudkms.importJobs.list
  • cloudkms.importJobs.setIamPolicy
  • cloudkms.importJobs.useToImport

cloudkms.keyHandles.*

  • cloudkms.keyHandles.create
  • cloudkms.keyHandles.get
  • cloudkms.keyHandles.list

cloudkms.keyRings.*

  • cloudkms.keyRings.create
  • cloudkms.keyRings.createTagBinding
  • cloudkms.keyRings.deleteTagBinding
  • cloudkms.keyRings.get
  • cloudkms.keyRings.getIamPolicy
  • cloudkms.keyRings.list
  • cloudkms.keyRings.listEffectiveTags
  • cloudkms.keyRings.listTagBindings
  • cloudkms.keyRings.setIamPolicy

cloudkms.locations.get

cloudkms.locations.list

cloudkms.locations.optOutKeyDeletionMsa

cloudkms.operations.get

cloudkms.projects.showEffectiveAutokeyConfig

resourcemanager.projects.get

(roles/cloudkms.autokeyAdmin)

Enables management of AutokeyConfig.

cloudkms.autokeyConfigs.*

  • cloudkms.autokeyConfigs.get
  • cloudkms.autokeyConfigs.update

cloudkms.projects.showEffectiveAutokeyConfig

(roles/cloudkms.autokeyUser)

Grants ability to use KeyHandle resources.

cloudkms.keyHandles.*

  • cloudkms.keyHandles.create
  • cloudkms.keyHandles.get
  • cloudkms.keyHandles.list

cloudkms.operations.get

cloudkms.projects.showEffectiveAutokeyConfig

(roles/cloudkms.cryptoKeyDecrypter)

Provides ability to use Cloud KMS resources for decrypt operations only.

Lowest-level resources where you can grant this role:

  • CryptoKey

cloudkms.cryptoKeyVersions.useToDecrypt

cloudkms.locations.get

cloudkms.locations.list

resourcemanager.projects.get

(roles/cloudkms.cryptoKeyDecrypterViaDelegation)

Enables Decrypt operations via other Google Cloud services.

Lowest-level resources where you can grant this role:

  • CryptoKey

cloudkms.cryptoKeyVersions.useToDecryptViaDelegation

cloudkms.locations.get

cloudkms.locations.list

resourcemanager.projects.get

resourcemanager.projects.list

(roles/cloudkms.cryptoKeyEncrypter)

Provides ability to use Cloud KMS resources for encrypt operations only.

Lowest-level resources where you can grant this role:

  • CryptoKey

cloudkms.cryptoKeyVersions.useToEncrypt

cloudkms.locations.get

cloudkms.locations.list

resourcemanager.projects.get

(roles/cloudkms.cryptoKeyEncrypterDecrypter)

Provides ability to use Cloud KMS resources for encrypt and decrypt operations only.

Lowest-level resources where you can grant this role:

  • CryptoKey

cloudkms.cryptoKeyVersions.useToDecrypt

cloudkms.cryptoKeyVersions.useToEncrypt

cloudkms.locations.get

cloudkms.locations.list

resourcemanager.projects.get

(roles/cloudkms.cryptoKeyEncrypterDecrypterViaDelegation)

Enables Encrypt and Decrypt operations via other Google Cloud services.

Lowest-level resources where you can grant this role:

  • CryptoKey

cloudkms.cryptoKeyVersions.useToDecryptViaDelegation

cloudkms.cryptoKeyVersions.useToEncryptViaDelegation

cloudkms.locations.get

cloudkms.locations.list

resourcemanager.projects.get

resourcemanager.projects.list

(roles/cloudkms.cryptoKeyEncrypterViaDelegation)

Enables Encrypt operations via other Google Cloud services.

Lowest-level resources where you can grant this role:

  • CryptoKey

cloudkms.cryptoKeyVersions.useToEncryptViaDelegation

cloudkms.locations.get

cloudkms.locations.list

resourcemanager.projects.get

resourcemanager.projects.list

(roles/cloudkms.cryptoOperator)

Enables all Crypto Operations.

Lowest-level resources where you can grant this role:

  • CryptoKey

cloudkms.cryptoKeyVersions.useToDecrypt

cloudkms.cryptoKeyVersions.useToEncrypt

cloudkms.cryptoKeyVersions.useToSign

cloudkms.cryptoKeyVersions.useToVerify

cloudkms.cryptoKeyVersions.viewPublicKey

cloudkms.locations.generateRandomBytes

cloudkms.locations.get

cloudkms.locations.list

resourcemanager.projects.get

(roles/cloudkms.ekmConnectionsAdmin)

Enables management of EkmConnections.

cloudkms.ekmConfigs.get

cloudkms.ekmConfigs.update

cloudkms.ekmConnections.create

cloudkms.ekmConnections.get

cloudkms.ekmConnections.list

cloudkms.ekmConnections.update

cloudkms.ekmConnections.verifyConnectivity

resourcemanager.projects.get

resourcemanager.projects.list

(roles/cloudkms.expertRawAesCbc)

Enables raw AES-CBC keys management.

Lowest-level resources where you can grant this role:

  • CryptoKey

cloudkms.cryptoKeyVersions.manageRawAesCbcKeys

cloudkms.locations.get

cloudkms.locations.list

resourcemanager.projects.get

resourcemanager.projects.list

(roles/cloudkms.expertRawAesCtr)

Enables raw AES-CTR keys management.

Lowest-level resources where you can grant this role:

  • CryptoKey

cloudkms.cryptoKeyVersions.manageRawAesCtrKeys

cloudkms.locations.get

cloudkms.locations.list

resourcemanager.projects.get

resourcemanager.projects.list

(roles/cloudkms.expertRawPKCS1)

Enables raw PKCS#1 keys management.

Lowest-level resources where you can grant this role:

  • CryptoKey

cloudkms.cryptoKeyVersions.manageRawPKCS1Keys

cloudkms.locations.get

cloudkms.locations.list

resourcemanager.projects.get

resourcemanager.projects.list

(roles/cloudkms.importer)

Enables ImportCryptoKeyVersion, CreateImportJob, ListImportJobs, and GetImportJob operations.

cloudkms.importJobs.create

cloudkms.importJobs.get

cloudkms.importJobs.list

cloudkms.importJobs.useToImport

cloudkms.locations.get

cloudkms.locations.list

resourcemanager.projects.get

(roles/cloudkms.orgServiceAgent)

Gives Cloud KMS organization-level service account access to managed resources.

cloudasset.assets.searchAllResources

(roles/cloudkms.protectedResourcesViewer)

Enables viewing protected resources.

cloudkms.protectedResources.search

(roles/cloudkms.publicKeyViewer)

Enables GetPublicKey operations.

Lowest-level resources where you can grant this role:

  • CryptoKey

cloudkms.cryptoKeyVersions.viewPublicKey

cloudkms.locations.get

cloudkms.locations.list

resourcemanager.projects.get

(roles/cloudkms.serviceAgent)

Gives Cloud KMS service account access to managed resources.

cloudasset.assets.listCloudkmsCryptoKeys

(roles/cloudkms.signer)

Enables Sign operations.

Lowest-level resources where you can grant this role:

  • CryptoKey

cloudkms.cryptoKeyVersions.useToSign

cloudkms.locations.get

cloudkms.locations.list

resourcemanager.projects.get

(roles/cloudkms.signerVerifier)

Enables Sign, Verify, and GetPublicKey operations.

Lowest-level resources where you can grant this role:

  • CryptoKey

cloudkms.cryptoKeyVersions.useToSign

cloudkms.cryptoKeyVersions.useToVerify

cloudkms.cryptoKeyVersions.viewPublicKey

cloudkms.locations.get

cloudkms.locations.list

resourcemanager.projects.get

(roles/cloudkms.verifier)

Enables Verify and GetPublicKey operations.

Lowest-level resources where you can grant this role:

  • CryptoKey

cloudkms.cryptoKeyVersions.useToVerify

cloudkms.cryptoKeyVersions.viewPublicKey

cloudkms.locations.get

cloudkms.locations.list

resourcemanager.projects.get

(roles/cloudkms.viewer)

Enables Get and List operations.

Lowest-level resources where you can grant this role:

  • CryptoKey

cloudkms.autokeyConfigs.get

cloudkms.cryptoKeyVersions.get

cloudkms.cryptoKeyVersions.list

cloudkms.cryptoKeys.get

cloudkms.cryptoKeys.list

cloudkms.ekmConfigs.get

cloudkms.ekmConnections.get

cloudkms.ekmConnections.list

cloudkms.importJobs.get

cloudkms.importJobs.list

cloudkms.keyHandles.get

cloudkms.keyHandles.list

cloudkms.keyRings.get

cloudkms.keyRings.list

cloudkms.locations.get

cloudkms.locations.list

cloudkms.operations.get

resourcemanager.projects.get

(roles/cloudkmskacls.serviceAgent)

Grants Cloud KMS KACLS Service Agent access to KMS resource permissions to perform DEK encryption/decryption.

cloudkms.cryptoKeyVersions.useToDecrypt

cloudkms.cryptoKeyVersions.useToEncrypt

cloudkms.cryptoKeys.get

Cloud Key Management Service permissions

Permission Included in roles

Owner (roles/owner)

Editor (roles/editor)

Viewer (roles/viewer)

Cloud KMS Admin (roles/cloudkms.admin)

Cloud KMS Autokey Admin (roles/cloudkms.autokeyAdmin)

Cloud KMS Viewer (roles/cloudkms.viewer)

Owner (roles/owner)

Editor (roles/editor)

Cloud KMS Admin (roles/cloudkms.admin)

Cloud KMS Autokey Admin (roles/cloudkms.autokeyAdmin)

Owner (roles/owner)

Editor (roles/editor)

Cloud KMS Admin (roles/cloudkms.admin)

Owner (roles/owner)

Cloud KMS Admin (roles/cloudkms.admin)

Owner (roles/owner)

Editor (roles/editor)

Viewer (roles/viewer)

Cloud KMS Admin (roles/cloudkms.admin)

Cloud KMS Viewer (roles/cloudkms.viewer)

Kubernetes Engine KMS Crypto Key User (roles/container.cloudKmsKeyUser)

Owner (roles/owner)

Editor (roles/editor)

Viewer (roles/viewer)

Cloud KMS Admin (roles/cloudkms.admin)

Cloud KMS Viewer (roles/cloudkms.viewer)

Security Admin (roles/iam.securityAdmin)

Security Reviewer (roles/iam.securityReviewer)

Owner (roles/owner)

Cloud KMS Expert Raw AES-CBC Key Manager (roles/cloudkms.expertRawAesCbc)

Owner (roles/owner)

Cloud KMS Expert Raw AES-CTR Key Manager (roles/cloudkms.expertRawAesCtr)

Owner (roles/owner)

Cloud KMS Expert Raw PKCS#1 Key Manager (roles/cloudkms.expertRawPKCS1)

Owner (roles/owner)

Cloud KMS Admin (roles/cloudkms.admin)

Owner (roles/owner)

Editor (roles/editor)

Cloud KMS Admin (roles/cloudkms.admin)

Owner (roles/owner)

Cloud KMS CryptoKey Decrypter (roles/cloudkms.cryptoKeyDecrypter)

Cloud KMS CryptoKey Encrypter/Decrypter (roles/cloudkms.cryptoKeyEncrypterDecrypter)

Cloud KMS Crypto Operator (roles/cloudkms.cryptoOperator)

Service agent roles

Owner (roles/owner)

Cloud KMS Admin (roles/cloudkms.admin)

Cloud KMS CryptoKey Decrypter Via Delegation (roles/cloudkms.cryptoKeyDecrypterViaDelegation)

Cloud KMS CryptoKey Encrypter/Decrypter Via Delegation (roles/cloudkms.cryptoKeyEncrypterDecrypterViaDelegation)

Owner (roles/owner)

Cloud KMS CryptoKey Encrypter (roles/cloudkms.cryptoKeyEncrypter)

Cloud KMS CryptoKey Encrypter/Decrypter (roles/cloudkms.cryptoKeyEncrypterDecrypter)

Cloud KMS Crypto Operator (roles/cloudkms.cryptoOperator)

Service agent roles

Owner (roles/owner)

Cloud KMS Admin (roles/cloudkms.admin)

Cloud KMS CryptoKey Encrypter/Decrypter Via Delegation (roles/cloudkms.cryptoKeyEncrypterDecrypterViaDelegation)

Cloud KMS CryptoKey Encrypter Via Delegation (roles/cloudkms.cryptoKeyEncrypterViaDelegation)

Owner (roles/owner)

Cloud KMS Crypto Operator (roles/cloudkms.cryptoOperator)

Cloud KMS CryptoKey Signer (roles/cloudkms.signer)

Cloud KMS CryptoKey Signer/Verifier (roles/cloudkms.signerVerifier)

Kubernetes Engine KMS Crypto Key User (roles/container.cloudKmsKeyUser)

Owner (roles/owner)

Cloud KMS Crypto Operator (roles/cloudkms.cryptoOperator)

Cloud KMS CryptoKey Signer/Verifier (roles/cloudkms.signerVerifier)

Cloud KMS CryptoKey Verifier (roles/cloudkms.verifier)

Kubernetes Engine KMS Crypto Key User (roles/container.cloudKmsKeyUser)

Owner (roles/owner)

Cloud KMS Crypto Operator (roles/cloudkms.cryptoOperator)

Cloud KMS CryptoKey Public Key Viewer (roles/cloudkms.publicKeyViewer)

Cloud KMS CryptoKey Signer/Verifier (roles/cloudkms.signerVerifier)

Cloud KMS CryptoKey Verifier (roles/cloudkms.verifier)

Kubernetes Engine KMS Crypto Key User (roles/container.cloudKmsKeyUser)

Owner (roles/owner)

Editor (roles/editor)

Cloud KMS Admin (roles/cloudkms.admin)

Service agent roles

Owner (roles/owner)

Editor (roles/editor)

Viewer (roles/viewer)

Cloud KMS Admin (roles/cloudkms.admin)

Cloud KMS Viewer (roles/cloudkms.viewer)

Kubernetes Engine KMS Crypto Key User (roles/container.cloudKmsKeyUser)

SLZ BQDW Blueprint Project Level Remediator (roles/securedlandingzone.bqdwProjectRemediator)

Service agent roles

Owner (roles/owner)

Editor (roles/editor)

Viewer (roles/viewer)

Cloud KMS Admin (roles/cloudkms.admin)

Security Admin (roles/iam.securityAdmin)

Security Reviewer (roles/iam.securityReviewer)

SLZ BQDW Blueprint Project Level Remediator (roles/securedlandingzone.bqdwProjectRemediator)

Owner (roles/owner)

Editor (roles/editor)

Viewer (roles/viewer)

Cloud KMS Admin (roles/cloudkms.admin)

Cloud KMS Viewer (roles/cloudkms.viewer)

Security Admin (roles/iam.securityAdmin)

Security Reviewer (roles/iam.securityReviewer)

SLZ BQDW Blueprint Project Level Remediator (roles/securedlandingzone.bqdwProjectRemediator)

Service agent roles

Owner (roles/owner)

Cloud KMS Admin (roles/cloudkms.admin)

Security Admin (roles/iam.securityAdmin)

SLZ BQDW Blueprint Project Level Remediator (roles/securedlandingzone.bqdwProjectRemediator)

Owner (roles/owner)

Editor (roles/editor)

Cloud KMS Admin (roles/cloudkms.admin)

SLZ BQDW Blueprint Project Level Remediator (roles/securedlandingzone.bqdwProjectRemediator)

Owner (roles/owner)

Editor (roles/editor)

Viewer (roles/viewer)

Cloud KMS Admin (roles/cloudkms.admin)

Cloud KMS EkmConnections Admin (roles/cloudkms.ekmConnectionsAdmin)

Cloud KMS Viewer (roles/cloudkms.viewer)

Owner (roles/owner)

Editor (roles/editor)

Viewer (roles/viewer)

Cloud KMS Admin (roles/cloudkms.admin)

Security Admin (roles/iam.securityAdmin)

Security Reviewer (roles/iam.securityReviewer)

Owner (roles/owner)

Cloud KMS Admin (roles/cloudkms.admin)

Security Admin (roles/iam.securityAdmin)

Owner (roles/owner)

Editor (roles/editor)

Cloud KMS Admin (roles/cloudkms.admin)

Cloud KMS EkmConnections Admin (roles/cloudkms.ekmConnectionsAdmin)

Owner (roles/owner)

Editor (roles/editor)

Cloud KMS Admin (roles/cloudkms.admin)

Cloud KMS EkmConnections Admin (roles/cloudkms.ekmConnectionsAdmin)

Owner (roles/owner)

Editor (roles/editor)

Viewer (roles/viewer)

Cloud KMS Admin (roles/cloudkms.admin)

Cloud KMS EkmConnections Admin (roles/cloudkms.ekmConnectionsAdmin)

Cloud KMS Viewer (roles/cloudkms.viewer)

Service agent roles

Owner (roles/owner)

Editor (roles/editor)

Viewer (roles/viewer)

Cloud KMS Admin (roles/cloudkms.admin)

Security Admin (roles/iam.securityAdmin)

Security Reviewer (roles/iam.securityReviewer)

Service agent roles

Owner (roles/owner)

Editor (roles/editor)

Viewer (roles/viewer)

Cloud KMS Admin (roles/cloudkms.admin)

Cloud KMS EkmConnections Admin (roles/cloudkms.ekmConnectionsAdmin)

Cloud KMS Viewer (roles/cloudkms.viewer)

Security Admin (roles/iam.securityAdmin)

Security Reviewer (roles/iam.securityReviewer)

Service agent roles

Owner (roles/owner)

Cloud KMS Admin (roles/cloudkms.admin)

Security Admin (roles/iam.securityAdmin)

Owner (roles/owner)

Editor (roles/editor)

Cloud KMS Admin (roles/cloudkms.admin)

Cloud KMS EkmConnections Admin (roles/cloudkms.ekmConnectionsAdmin)

Owner (roles/owner)

Editor (roles/editor)

Cloud KMS Admin (roles/cloudkms.admin)

Owner (roles/owner)

Editor (roles/editor)

Viewer (roles/viewer)

Cloud KMS Admin (roles/cloudkms.admin)

Cloud KMS EkmConnections Admin (roles/cloudkms.ekmConnectionsAdmin)

Service agent roles

Owner (roles/owner)

Editor (roles/editor)

Cloud KMS Admin (roles/cloudkms.admin)

Cloud KMS Importer (roles/cloudkms.importer)

Owner (roles/owner)

Editor (roles/editor)

Viewer (roles/viewer)

Cloud KMS Admin (roles/cloudkms.admin)

Cloud KMS Importer (roles/cloudkms.importer)

Cloud KMS Viewer (roles/cloudkms.viewer)

Owner (roles/owner)

Editor (roles/editor)

Viewer (roles/viewer)

Cloud KMS Admin (roles/cloudkms.admin)

Security Admin (roles/iam.securityAdmin)

Security Reviewer (roles/iam.securityReviewer)

Owner (roles/owner)

Editor (roles/editor)

Viewer (roles/viewer)

Cloud KMS Admin (roles/cloudkms.admin)

Cloud KMS Importer (roles/cloudkms.importer)

Cloud KMS Viewer (roles/cloudkms.viewer)

Security Admin (roles/iam.securityAdmin)

Security Reviewer (roles/iam.securityReviewer)

Owner (roles/owner)

Cloud KMS Admin (roles/cloudkms.admin)

Security Admin (roles/iam.securityAdmin)

Owner (roles/owner)

Editor (roles/editor)

Cloud KMS Admin (roles/cloudkms.admin)

Cloud KMS Importer (roles/cloudkms.importer)

Owner (roles/owner)

Editor (roles/editor)

Cloud AlloyDB Admin (roles/alloydb.admin)

Artifact Registry Administrator (roles/artifactregistry.admin)

BigQuery Admin (roles/bigquery.admin)

BigQuery Data Editor (roles/bigquery.dataEditor)

BigQuery Data Owner (roles/bigquery.dataOwner)

BigQuery Studio Admin (roles/bigquery.studioAdmin)

BigQuery User (roles/bigquery.user)

Bigtable Administrator (roles/bigtable.admin)

Cloud KMS Admin (roles/cloudkms.admin)

Cloud KMS Autokey User (roles/cloudkms.autokeyUser)

Cloud SQL Admin (roles/cloudsql.admin)

Composer Administrator (roles/composer.admin)

Environment and Storage Object Administrator (roles/composer.environmentAndStorageObjectAdmin)

Composer Worker (roles/composer.worker)

Compute Admin (roles/compute.admin)

Compute Instance Admin (beta) (roles/compute.instanceAdmin)

Compute Instance Admin (v1) (roles/compute.instanceAdmin.v1)

Compute Storage Admin (roles/compute.storageAdmin)

Dataflow Admin (roles/dataflow.admin)

Dataflow Developer (roles/dataflow.developer)

DLP Organization Data Profiles Driver (roles/dlp.orgdriver)

DLP Project Data Profiles Driver (roles/dlp.projectdriver)

Firebase Admin (roles/firebase.admin)

Firebase Develop Admin (roles/firebase.developAdmin)

Notebooks Legacy Admin (roles/notebooks.legacyAdmin)

Cloud Memorystore Redis Admin (roles/redis.admin)

Secret Manager Admin (roles/secretmanager.admin)

Cloud Spanner Admin (roles/spanner.admin)

Cloud Spanner Database Admin (roles/spanner.databaseAdmin)

Storage Admin (roles/storage.admin)

Owner (roles/owner)

Editor (roles/editor)

Viewer (roles/viewer)

Cloud AlloyDB Admin (roles/alloydb.admin)

Artifact Registry Administrator (roles/artifactregistry.admin)

BigQuery Admin (roles/bigquery.admin)

BigQuery Data Editor (roles/bigquery.dataEditor)

BigQuery Data Owner (roles/bigquery.dataOwner)

BigQuery Studio Admin (roles/bigquery.studioAdmin)

BigQuery User (roles/bigquery.user)

Bigtable Administrator (roles/bigtable.admin)

Cloud KMS Admin (roles/cloudkms.admin)

Cloud KMS Autokey User (roles/cloudkms.autokeyUser)

Cloud KMS Viewer (roles/cloudkms.viewer)

Cloud SQL Admin (roles/cloudsql.admin)

Composer Administrator (roles/composer.admin)

Environment and Storage Object Administrator (roles/composer.environmentAndStorageObjectAdmin)

Composer Worker (roles/composer.worker)

Compute Admin (roles/compute.admin)

Compute Instance Admin (beta) (roles/compute.instanceAdmin)

Compute Instance Admin (v1) (roles/compute.instanceAdmin.v1)

Compute Storage Admin (roles/compute.storageAdmin)

Dataflow Admin (roles/dataflow.admin)

Dataflow Developer (roles/dataflow.developer)

DLP Organization Data Profiles Driver (roles/dlp.orgdriver)

DLP Project Data Profiles Driver (roles/dlp.projectdriver)

Firebase Admin (roles/firebase.admin)

Firebase Develop Admin (roles/firebase.developAdmin)

Notebooks Legacy Admin (roles/notebooks.legacyAdmin)

Cloud Memorystore Redis Admin (roles/redis.admin)

Secret Manager Admin (roles/secretmanager.admin)

Cloud Spanner Admin (roles/spanner.admin)

Cloud Spanner Database Admin (roles/spanner.databaseAdmin)

Storage Admin (roles/storage.admin)

Owner (roles/owner)

Editor (roles/editor)

Viewer (roles/viewer)

Cloud AlloyDB Admin (roles/alloydb.admin)

Artifact Registry Administrator (roles/artifactregistry.admin)

BigQuery Admin (roles/bigquery.admin)

BigQuery Data Editor (roles/bigquery.dataEditor)

BigQuery Data Owner (roles/bigquery.dataOwner)

BigQuery Studio Admin (roles/bigquery.studioAdmin)

BigQuery User (roles/bigquery.user)

Bigtable Administrator (roles/bigtable.admin)

Cloud KMS Admin (roles/cloudkms.admin)

Cloud KMS Autokey User (roles/cloudkms.autokeyUser)

Cloud KMS Viewer (roles/cloudkms.viewer)

Cloud SQL Admin (roles/cloudsql.admin)

Composer Administrator (roles/composer.admin)

Environment and Storage Object Administrator (roles/composer.environmentAndStorageObjectAdmin)

Composer Worker (roles/composer.worker)

Compute Admin (roles/compute.admin)

Compute Instance Admin (beta) (roles/compute.instanceAdmin)

Compute Instance Admin (v1) (roles/compute.instanceAdmin.v1)

Compute Storage Admin (roles/compute.storageAdmin)

Dataflow Admin (roles/dataflow.admin)

Dataflow Developer (roles/dataflow.developer)

DLP Organization Data Profiles Driver (roles/dlp.orgdriver)

DLP Project Data Profiles Driver (roles/dlp.projectdriver)

Firebase Admin (roles/firebase.admin)

Firebase Develop Admin (roles/firebase.developAdmin)

Security Admin (roles/iam.securityAdmin)

Security Reviewer (roles/iam.securityReviewer)

Notebooks Legacy Admin (roles/notebooks.legacyAdmin)

Cloud Memorystore Redis Admin (roles/redis.admin)

Secret Manager Admin (roles/secretmanager.admin)

Cloud Spanner Admin (roles/spanner.admin)

Cloud Spanner Database Admin (roles/spanner.databaseAdmin)

Storage Admin (roles/storage.admin)

Owner (roles/owner)

Editor (roles/editor)

Cloud KMS Admin (roles/cloudkms.admin)

Service agent roles

Owner (roles/owner)

Cloud KMS Admin (roles/cloudkms.admin)

DLP Organization Data Profiles Driver (roles/dlp.orgdriver)

DLP Project Data Profiles Driver (roles/dlp.projectdriver)

Tag User (roles/resourcemanager.tagUser)

Owner (roles/owner)

Cloud KMS Admin (roles/cloudkms.admin)

DLP Organization Data Profiles Driver (roles/dlp.orgdriver)

DLP Project Data Profiles Driver (roles/dlp.projectdriver)

Tag User (roles/resourcemanager.tagUser)

Owner (roles/owner)

Editor (roles/editor)

Viewer (roles/viewer)

Cloud KMS Admin (roles/cloudkms.admin)

Cloud KMS Viewer (roles/cloudkms.viewer)

Owner (roles/owner)

Editor (roles/editor)

Viewer (roles/viewer)

Cloud KMS Admin (roles/cloudkms.admin)

Security Admin (roles/iam.securityAdmin)

Security Reviewer (roles/iam.securityReviewer)

SLZ BQDW Blueprint Project Level Remediator (roles/securedlandingzone.bqdwProjectRemediator)

Owner (roles/owner)

Editor (roles/editor)

Viewer (roles/viewer)

Cloud KMS Admin (roles/cloudkms.admin)

Cloud KMS Viewer (roles/cloudkms.viewer)

Security Admin (roles/iam.securityAdmin)

Security Reviewer (roles/iam.securityReviewer)

Service agent roles

Owner (roles/owner)

Editor (roles/editor)

Viewer (roles/viewer)

Cloud KMS Admin (roles/cloudkms.admin)

DLP Organization Data Profiles Driver (roles/dlp.orgdriver)

DLP Project Data Profiles Driver (roles/dlp.projectdriver)

Tag User (roles/resourcemanager.tagUser)

Tag Viewer (roles/resourcemanager.tagViewer)

Owner (roles/owner)

Editor (roles/editor)

Viewer (roles/viewer)

Cloud KMS Admin (roles/cloudkms.admin)

DLP Organization Data Profiles Driver (roles/dlp.orgdriver)

DLP Project Data Profiles Driver (roles/dlp.projectdriver)

Tag User (roles/resourcemanager.tagUser)

Tag Viewer (roles/resourcemanager.tagViewer)

Owner (roles/owner)

Cloud KMS Admin (roles/cloudkms.admin)

Security Admin (roles/iam.securityAdmin)

SLZ BQDW Blueprint Project Level Remediator (roles/securedlandingzone.bqdwProjectRemediator)

Owner (roles/owner)

Editor (roles/editor)

Viewer (roles/viewer)

Cloud KMS Crypto Operator (roles/cloudkms.cryptoOperator)

Owner (roles/owner)

Editor (roles/editor)

Viewer (roles/viewer)

Cloud KMS Admin (roles/cloudkms.admin)

Cloud KMS CryptoKey Decrypter (roles/cloudkms.cryptoKeyDecrypter)

Cloud KMS CryptoKey Decrypter Via Delegation (roles/cloudkms.cryptoKeyDecrypterViaDelegation)

Cloud KMS CryptoKey Encrypter (roles/cloudkms.cryptoKeyEncrypter)

Cloud KMS CryptoKey Encrypter/Decrypter (roles/cloudkms.cryptoKeyEncrypterDecrypter)

Cloud KMS CryptoKey Encrypter/Decrypter Via Delegation (roles/cloudkms.cryptoKeyEncrypterDecrypterViaDelegation)

Cloud KMS CryptoKey Encrypter Via Delegation (roles/cloudkms.cryptoKeyEncrypterViaDelegation)

Cloud KMS Crypto Operator (roles/cloudkms.cryptoOperator)

Cloud KMS Expert Raw AES-CBC Key Manager (roles/cloudkms.expertRawAesCbc)

Cloud KMS Expert Raw AES-CTR Key Manager (roles/cloudkms.expertRawAesCtr)

Cloud KMS Expert Raw PKCS#1 Key Manager (roles/cloudkms.expertRawPKCS1)

Cloud KMS Importer (roles/cloudkms.importer)

Cloud KMS CryptoKey Public Key Viewer (roles/cloudkms.publicKeyViewer)

Cloud KMS CryptoKey Signer (roles/cloudkms.signer)

Cloud KMS CryptoKey Signer/Verifier (roles/cloudkms.signerVerifier)

Cloud KMS CryptoKey Verifier (roles/cloudkms.verifier)

Cloud KMS Viewer (roles/cloudkms.viewer)

Kubernetes Engine KMS Crypto Key User (roles/container.cloudKmsKeyUser)

Service agent roles

Owner (roles/owner)

Editor (roles/editor)

Viewer (roles/viewer)

Cloud KMS Admin (roles/cloudkms.admin)

Cloud KMS CryptoKey Decrypter (roles/cloudkms.cryptoKeyDecrypter)

Cloud KMS CryptoKey Decrypter Via Delegation (roles/cloudkms.cryptoKeyDecrypterViaDelegation)

Cloud KMS CryptoKey Encrypter (roles/cloudkms.cryptoKeyEncrypter)

Cloud KMS CryptoKey Encrypter/Decrypter (roles/cloudkms.cryptoKeyEncrypterDecrypter)

Cloud KMS CryptoKey Encrypter/Decrypter Via Delegation (roles/cloudkms.cryptoKeyEncrypterDecrypterViaDelegation)

Cloud KMS CryptoKey Encrypter Via Delegation (roles/cloudkms.cryptoKeyEncrypterViaDelegation)

Cloud KMS Crypto Operator (roles/cloudkms.cryptoOperator)

Cloud KMS Expert Raw AES-CBC Key Manager (roles/cloudkms.expertRawAesCbc)

Cloud KMS Expert Raw AES-CTR Key Manager (roles/cloudkms.expertRawAesCtr)

Cloud KMS Expert Raw PKCS#1 Key Manager (roles/cloudkms.expertRawPKCS1)

Cloud KMS Importer (roles/cloudkms.importer)

Cloud KMS CryptoKey Public Key Viewer (roles/cloudkms.publicKeyViewer)

Cloud KMS CryptoKey Signer (roles/cloudkms.signer)

Cloud KMS CryptoKey Signer/Verifier (roles/cloudkms.signerVerifier)

Cloud KMS CryptoKey Verifier (roles/cloudkms.verifier)

Cloud KMS Viewer (roles/cloudkms.viewer)

Kubernetes Engine KMS Crypto Key User (roles/container.cloudKmsKeyUser)

Security Admin (roles/iam.securityAdmin)

Security Reviewer (roles/iam.securityReviewer)

Service agent roles

Owner (roles/owner)

Cloud KMS Admin (roles/cloudkms.admin)

Owner (roles/owner)

Editor (roles/editor)

Viewer (roles/viewer)

Cloud AlloyDB Admin (roles/alloydb.admin)

Artifact Registry Administrator (roles/artifactregistry.admin)

BigQuery Admin (roles/bigquery.admin)

BigQuery Data Editor (roles/bigquery.dataEditor)

BigQuery Data Owner (roles/bigquery.dataOwner)

BigQuery Studio Admin (roles/bigquery.studioAdmin)

BigQuery User (roles/bigquery.user)

Bigtable Administrator (roles/bigtable.admin)

Cloud KMS Admin (roles/cloudkms.admin)

Cloud KMS Autokey User (roles/cloudkms.autokeyUser)

Cloud KMS Viewer (roles/cloudkms.viewer)

Cloud SQL Admin (roles/cloudsql.admin)

Composer Administrator (roles/composer.admin)

Environment and Storage Object Administrator (roles/composer.environmentAndStorageObjectAdmin)

Composer Worker (roles/composer.worker)

Compute Admin (roles/compute.admin)

Compute Instance Admin (beta) (roles/compute.instanceAdmin)

Compute Instance Admin (v1) (roles/compute.instanceAdmin.v1)

Compute Storage Admin (roles/compute.storageAdmin)

Dataflow Admin (roles/dataflow.admin)

Dataflow Developer (roles/dataflow.developer)

DLP Organization Data Profiles Driver (roles/dlp.orgdriver)

DLP Project Data Profiles Driver (roles/dlp.projectdriver)

Firebase Admin (roles/firebase.admin)

Firebase Develop Admin (roles/firebase.developAdmin)

Notebooks Legacy Admin (roles/notebooks.legacyAdmin)

Cloud Memorystore Redis Admin (roles/redis.admin)

Secret Manager Admin (roles/secretmanager.admin)

Cloud Spanner Admin (roles/spanner.admin)

Cloud Spanner Database Admin (roles/spanner.databaseAdmin)

Storage Admin (roles/storage.admin)

Owner (roles/owner)

Editor (roles/editor)

Viewer (roles/viewer)

Cloud AlloyDB Admin (roles/alloydb.admin)

Artifact Registry Administrator (roles/artifactregistry.admin)

BigQuery Admin (roles/bigquery.admin)

BigQuery Data Editor (roles/bigquery.dataEditor)

BigQuery Data Owner (roles/bigquery.dataOwner)

BigQuery Studio Admin (roles/bigquery.studioAdmin)

BigQuery User (roles/bigquery.user)

Bigtable Administrator (roles/bigtable.admin)

Cloud KMS Admin (roles/cloudkms.admin)

Cloud KMS Autokey Admin (roles/cloudkms.autokeyAdmin)

Cloud KMS Autokey User (roles/cloudkms.autokeyUser)

Cloud SQL Admin (roles/cloudsql.admin)

Composer Administrator (roles/composer.admin)

Environment and Storage Object Administrator (roles/composer.environmentAndStorageObjectAdmin)

Composer Worker (roles/composer.worker)

Compute Admin (roles/compute.admin)

Compute Instance Admin (beta) (roles/compute.instanceAdmin)

Compute Instance Admin (v1) (roles/compute.instanceAdmin.v1)

Compute Storage Admin (roles/compute.storageAdmin)

Dataflow Admin (roles/dataflow.admin)

Dataflow Developer (roles/dataflow.developer)

DLP Organization Data Profiles Driver (roles/dlp.orgdriver)

DLP Project Data Profiles Driver (roles/dlp.projectdriver)

Firebase Admin (roles/firebase.admin)

Firebase Develop Admin (roles/firebase.developAdmin)

Notebooks Legacy Admin (roles/notebooks.legacyAdmin)

Cloud Memorystore Redis Admin (roles/redis.admin)

Secret Manager Admin (roles/secretmanager.admin)

Cloud Spanner Admin (roles/spanner.admin)

Cloud Spanner Database Admin (roles/spanner.databaseAdmin)

Storage Admin (roles/storage.admin)

Owner (roles/owner)

Editor (roles/editor)

Viewer (roles/viewer)

Cloud KMS Protected Resources Viewer (roles/cloudkms.protectedResourcesViewer)