Config Delivery roles and permissions

This page lists the IAM roles and permissions for Config Delivery. To search through all roles and permissions, see the role and permission index.

Config Delivery roles

Role Permissions

Role	Permissions
ConfigDelivery Admin ^Beta (`roles/configdelivery.configDeliveryAdmin`) Grants full access to all Config Delivery resources. Lets users create, remove and manage fleet packages and resource bundles.	`configdelivery.*` `configdelivery.fleetPackages.create` `configdelivery.fleetPackages.delete` `configdelivery.fleetPackages.get` `configdelivery.fleetPackages.list` `configdelivery.fleetPackages.update` `configdelivery.locations.get` `configdelivery.locations.list` `configdelivery.operations.cancel` `configdelivery.operations.delete` `configdelivery.operations.get` `configdelivery.operations.list` `configdelivery.releases.create` `configdelivery.releases.delete` `configdelivery.releases.get` `configdelivery.releases.list` `configdelivery.releases.update` `configdelivery.resourceBundles.create` `configdelivery.resourceBundles.delete` `configdelivery.resourceBundles.get` `configdelivery.resourceBundles.list` `configdelivery.resourceBundles.update` `configdelivery.rollouts.abort` `configdelivery.rollouts.get` `configdelivery.rollouts.list` `configdelivery.rollouts.resume` `configdelivery.rollouts.suspend` `resourcemanager.projects.get` `resourcemanager.projects.list`
ConfigDelivery Viewer ^Beta (`roles/configdelivery.configDeliveryViewer`) Grants read access to all Config Delivery resources. Lets users view existing fleet packages and resource bundles, but they will not be able to make any changes.	`configdelivery.fleetPackages.get` `configdelivery.fleetPackages.list` `configdelivery.locations.*` `configdelivery.locations.get` `configdelivery.locations.list` `configdelivery.operations.get` `configdelivery.operations.list` `configdelivery.releases.get` `configdelivery.releases.list` `configdelivery.resourceBundles.get` `configdelivery.resourceBundles.list` `configdelivery.rollouts.get` `configdelivery.rollouts.list` `resourcemanager.projects.get` `resourcemanager.projects.list`
Config Delivery Resource Bundle Publisher ^Beta (`roles/configdelivery.resourceBundlePublisher`) Grants read and write permissions to Config Delivery ResourceBundles and Releases.	`configdelivery.locations.*` `configdelivery.locations.get` `configdelivery.locations.list` `configdelivery.operations.get` `configdelivery.operations.list` `configdelivery.releases.create` `configdelivery.releases.get` `configdelivery.releases.list` `configdelivery.releases.update` `configdelivery.resourceBundles.create` `configdelivery.resourceBundles.get` `configdelivery.resourceBundles.list` `configdelivery.resourceBundles.update` `resourcemanager.projects.get` `resourcemanager.projects.list`
Config Delivery Service Agent (`roles/configdelivery.serviceAgent`) Gives the Config Delivery service account permission to manage resources Warning: Do not grant service agent roles to any principals except service agents.	`artifactregistry.dockerimages.` `artifactregistry.dockerimages.get` `artifactregistry.dockerimages.list` `artifactregistry.projectsettings.get` `artifactregistry.repositories.create` `artifactregistry.repositories.downloadArtifacts` `artifactregistry.repositories.get` `artifactregistry.repositories.getIamPolicy` `artifactregistry.repositories.list` `artifactregistry.repositories.listEffectiveTags` `artifactregistry.repositories.listTagBindings` `artifactregistry.repositories.setIamPolicy` `artifactregistry.repositories.uploadArtifacts` `artifactregistry.tags.` `artifactregistry.tags.create` `artifactregistry.tags.delete` `artifactregistry.tags.get` `artifactregistry.tags.list` `artifactregistry.tags.update` `artifactregistry.versions.delete` `artifactregistry.versions.get` `artifactregistry.versions.list` `cloudbuild.builds.create` `cloudbuild.builds.get` `cloudbuild.builds.list` `cloudbuild.builds.update` `cloudbuild.repositories.get` `container.customResourceDefinitions.get` `container.customResourceDefinitions.list` `container.serviceAccounts.get` `container.serviceAccounts.list` `container.thirdPartyObjects.*` `container.thirdPartyObjects.create` `container.thirdPartyObjects.delete` `container.thirdPartyObjects.get` `container.thirdPartyObjects.list` `container.thirdPartyObjects.update` `gkehub.gateway.delete` `gkehub.gateway.generateCredentials` `gkehub.gateway.get` `gkehub.gateway.patch` `gkehub.gateway.post` `gkehub.gateway.put` `gkehub.memberships.get` `iam.serviceAccounts.actAs`

ConfigDelivery Admin ^Beta

(roles/configdelivery.configDeliveryAdmin)

Grants full access to all Config Delivery resources. Lets users create, remove and manage fleet packages and resource bundles.

configdelivery.*

configdelivery.fleetPackages.create
configdelivery.fleetPackages.delete
configdelivery.fleetPackages.get
configdelivery.fleetPackages.list
configdelivery.fleetPackages.update
configdelivery.locations.get
configdelivery.locations.list
configdelivery.operations.cancel
configdelivery.operations.delete
configdelivery.operations.get
configdelivery.operations.list
configdelivery.releases.create
configdelivery.releases.delete
configdelivery.releases.get
configdelivery.releases.list
configdelivery.releases.update
configdelivery.resourceBundles.create
configdelivery.resourceBundles.delete
configdelivery.resourceBundles.get
configdelivery.resourceBundles.list
configdelivery.resourceBundles.update
configdelivery.rollouts.abort
configdelivery.rollouts.get
configdelivery.rollouts.list
configdelivery.rollouts.resume
configdelivery.rollouts.suspend

resourcemanager.projects.get

resourcemanager.projects.list

ConfigDelivery Viewer ^Beta

(roles/configdelivery.configDeliveryViewer)

Grants read access to all Config Delivery resources. Lets users view existing fleet packages and resource bundles, but they will not be able to make any changes.

configdelivery.fleetPackages.get

configdelivery.fleetPackages.list

configdelivery.locations.*

configdelivery.locations.get
configdelivery.locations.list

configdelivery.operations.get

configdelivery.operations.list

configdelivery.releases.get

configdelivery.releases.list

configdelivery.resourceBundles.get

configdelivery.resourceBundles.list

configdelivery.rollouts.get

configdelivery.rollouts.list

resourcemanager.projects.get

resourcemanager.projects.list

Config Delivery Resource Bundle Publisher ^Beta

(roles/configdelivery.resourceBundlePublisher)

Grants read and write permissions to Config Delivery ResourceBundles and Releases.

configdelivery.locations.*

configdelivery.locations.get
configdelivery.locations.list

configdelivery.operations.get

configdelivery.operations.list

configdelivery.releases.create

configdelivery.releases.get

configdelivery.releases.list

configdelivery.releases.update

configdelivery.resourceBundles.create

configdelivery.resourceBundles.get

configdelivery.resourceBundles.list

configdelivery.resourceBundles.update

resourcemanager.projects.get

resourcemanager.projects.list

Config Delivery Service Agent

(roles/configdelivery.serviceAgent)

Gives the Config Delivery service account permission to manage resources

artifactregistry.dockerimages.*

artifactregistry.dockerimages.get
artifactregistry.dockerimages.list

artifactregistry.projectsettings.get

artifactregistry.repositories.create

artifactregistry.repositories.downloadArtifacts

artifactregistry.repositories.get

artifactregistry.repositories.getIamPolicy

artifactregistry.repositories.list

artifactregistry.repositories.listEffectiveTags

artifactregistry.repositories.listTagBindings

artifactregistry.repositories.setIamPolicy

artifactregistry.repositories.uploadArtifacts

artifactregistry.tags.*

artifactregistry.tags.create
artifactregistry.tags.delete
artifactregistry.tags.get
artifactregistry.tags.list
artifactregistry.tags.update

artifactregistry.versions.delete

artifactregistry.versions.get

artifactregistry.versions.list

cloudbuild.builds.create

cloudbuild.builds.get

cloudbuild.builds.list

cloudbuild.builds.update

cloudbuild.repositories.get

container.customResourceDefinitions.get

container.customResourceDefinitions.list

container.serviceAccounts.get

container.serviceAccounts.list

container.thirdPartyObjects.*

container.thirdPartyObjects.create
container.thirdPartyObjects.delete
container.thirdPartyObjects.get
container.thirdPartyObjects.list
container.thirdPartyObjects.update

gkehub.gateway.delete

gkehub.gateway.generateCredentials

gkehub.gateway.get

gkehub.gateway.patch

gkehub.gateway.post

gkehub.gateway.put

gkehub.memberships.get

iam.serviceAccounts.actAs

Config Delivery permissions

Permission	Included in roles
`configdelivery.fleetPackages.create`	Owner (`roles/owner`) Editor (`roles/editor`) ConfigDelivery Admin (`roles/configdelivery.configDeliveryAdmin`)
`configdelivery.fleetPackages.delete`	Owner (`roles/owner`) Editor (`roles/editor`) ConfigDelivery Admin (`roles/configdelivery.configDeliveryAdmin`)
`configdelivery.fleetPackages.get`	Owner (`roles/owner`) Editor (`roles/editor`) Viewer (`roles/viewer`) ConfigDelivery Admin (`roles/configdelivery.configDeliveryAdmin`) ConfigDelivery Viewer (`roles/configdelivery.configDeliveryViewer`) Support User (`roles/iam.supportUser`)
`configdelivery.fleetPackages.list`	Owner (`roles/owner`) Editor (`roles/editor`) Viewer (`roles/viewer`) ConfigDelivery Admin (`roles/configdelivery.configDeliveryAdmin`) ConfigDelivery Viewer (`roles/configdelivery.configDeliveryViewer`) Security Admin (`roles/iam.securityAdmin`) Security Auditor (`roles/iam.securityAuditor`) Security Reviewer (`roles/iam.securityReviewer`) Support User (`roles/iam.supportUser`)
`configdelivery.fleetPackages.update`	Owner (`roles/owner`) Editor (`roles/editor`) ConfigDelivery Admin (`roles/configdelivery.configDeliveryAdmin`)
`configdelivery.locations.get`	Owner (`roles/owner`) Editor (`roles/editor`) Viewer (`roles/viewer`) ConfigDelivery Admin (`roles/configdelivery.configDeliveryAdmin`) ConfigDelivery Viewer (`roles/configdelivery.configDeliveryViewer`) Config Delivery Resource Bundle Publisher (`roles/configdelivery.resourceBundlePublisher`) Support User (`roles/iam.supportUser`)
`configdelivery.locations.list`	Owner (`roles/owner`) Editor (`roles/editor`) Viewer (`roles/viewer`) ConfigDelivery Admin (`roles/configdelivery.configDeliveryAdmin`) ConfigDelivery Viewer (`roles/configdelivery.configDeliveryViewer`) Config Delivery Resource Bundle Publisher (`roles/configdelivery.resourceBundlePublisher`) Security Admin (`roles/iam.securityAdmin`) Security Auditor (`roles/iam.securityAuditor`) Security Reviewer (`roles/iam.securityReviewer`) Support User (`roles/iam.supportUser`)
`configdelivery.operations.cancel`	Owner (`roles/owner`) Editor (`roles/editor`) ConfigDelivery Admin (`roles/configdelivery.configDeliveryAdmin`)
`configdelivery.operations.delete`	Owner (`roles/owner`) Editor (`roles/editor`) ConfigDelivery Admin (`roles/configdelivery.configDeliveryAdmin`)
`configdelivery.operations.get`	Owner (`roles/owner`) Editor (`roles/editor`) Viewer (`roles/viewer`) ConfigDelivery Admin (`roles/configdelivery.configDeliveryAdmin`) ConfigDelivery Viewer (`roles/configdelivery.configDeliveryViewer`) Config Delivery Resource Bundle Publisher (`roles/configdelivery.resourceBundlePublisher`) Support User (`roles/iam.supportUser`)
`configdelivery.operations.list`	Owner (`roles/owner`) Editor (`roles/editor`) Viewer (`roles/viewer`) ConfigDelivery Admin (`roles/configdelivery.configDeliveryAdmin`) ConfigDelivery Viewer (`roles/configdelivery.configDeliveryViewer`) Config Delivery Resource Bundle Publisher (`roles/configdelivery.resourceBundlePublisher`) Security Admin (`roles/iam.securityAdmin`) Security Auditor (`roles/iam.securityAuditor`) Security Reviewer (`roles/iam.securityReviewer`) Support User (`roles/iam.supportUser`)
`configdelivery.releases.create`	Owner (`roles/owner`) Editor (`roles/editor`) ConfigDelivery Admin (`roles/configdelivery.configDeliveryAdmin`) Config Delivery Resource Bundle Publisher (`roles/configdelivery.resourceBundlePublisher`)
`configdelivery.releases.delete`	Owner (`roles/owner`) Editor (`roles/editor`) ConfigDelivery Admin (`roles/configdelivery.configDeliveryAdmin`)
`configdelivery.releases.get`	Owner (`roles/owner`) Editor (`roles/editor`) Viewer (`roles/viewer`) ConfigDelivery Admin (`roles/configdelivery.configDeliveryAdmin`) ConfigDelivery Viewer (`roles/configdelivery.configDeliveryViewer`) Config Delivery Resource Bundle Publisher (`roles/configdelivery.resourceBundlePublisher`) Support User (`roles/iam.supportUser`)
`configdelivery.releases.list`	Owner (`roles/owner`) Editor (`roles/editor`) Viewer (`roles/viewer`) ConfigDelivery Admin (`roles/configdelivery.configDeliveryAdmin`) ConfigDelivery Viewer (`roles/configdelivery.configDeliveryViewer`) Config Delivery Resource Bundle Publisher (`roles/configdelivery.resourceBundlePublisher`) Security Admin (`roles/iam.securityAdmin`) Security Auditor (`roles/iam.securityAuditor`) Security Reviewer (`roles/iam.securityReviewer`) Support User (`roles/iam.supportUser`)
`configdelivery.releases.update`	Owner (`roles/owner`) Editor (`roles/editor`) ConfigDelivery Admin (`roles/configdelivery.configDeliveryAdmin`) Config Delivery Resource Bundle Publisher (`roles/configdelivery.resourceBundlePublisher`)
`configdelivery.resourceBundles.create`	Owner (`roles/owner`) Editor (`roles/editor`) ConfigDelivery Admin (`roles/configdelivery.configDeliveryAdmin`) Config Delivery Resource Bundle Publisher (`roles/configdelivery.resourceBundlePublisher`)
`configdelivery.resourceBundles.delete`	Owner (`roles/owner`) Editor (`roles/editor`) ConfigDelivery Admin (`roles/configdelivery.configDeliveryAdmin`)
`configdelivery.resourceBundles.get`	Owner (`roles/owner`) Editor (`roles/editor`) Viewer (`roles/viewer`) ConfigDelivery Admin (`roles/configdelivery.configDeliveryAdmin`) ConfigDelivery Viewer (`roles/configdelivery.configDeliveryViewer`) Config Delivery Resource Bundle Publisher (`roles/configdelivery.resourceBundlePublisher`) Support User (`roles/iam.supportUser`)
`configdelivery.resourceBundles.list`	Owner (`roles/owner`) Editor (`roles/editor`) Viewer (`roles/viewer`) ConfigDelivery Admin (`roles/configdelivery.configDeliveryAdmin`) ConfigDelivery Viewer (`roles/configdelivery.configDeliveryViewer`) Config Delivery Resource Bundle Publisher (`roles/configdelivery.resourceBundlePublisher`) Security Admin (`roles/iam.securityAdmin`) Security Auditor (`roles/iam.securityAuditor`) Security Reviewer (`roles/iam.securityReviewer`) Support User (`roles/iam.supportUser`)
`configdelivery.resourceBundles.update`	Owner (`roles/owner`) Editor (`roles/editor`) ConfigDelivery Admin (`roles/configdelivery.configDeliveryAdmin`) Config Delivery Resource Bundle Publisher (`roles/configdelivery.resourceBundlePublisher`)
`configdelivery.rollouts.abort`	Owner (`roles/owner`) Editor (`roles/editor`) ConfigDelivery Admin (`roles/configdelivery.configDeliveryAdmin`)
`configdelivery.rollouts.get`	Owner (`roles/owner`) Editor (`roles/editor`) Viewer (`roles/viewer`) ConfigDelivery Admin (`roles/configdelivery.configDeliveryAdmin`) ConfigDelivery Viewer (`roles/configdelivery.configDeliveryViewer`) Support User (`roles/iam.supportUser`)
`configdelivery.rollouts.list`	Owner (`roles/owner`) Editor (`roles/editor`) Viewer (`roles/viewer`) ConfigDelivery Admin (`roles/configdelivery.configDeliveryAdmin`) ConfigDelivery Viewer (`roles/configdelivery.configDeliveryViewer`) Security Admin (`roles/iam.securityAdmin`) Security Auditor (`roles/iam.securityAuditor`) Security Reviewer (`roles/iam.securityReviewer`) Support User (`roles/iam.supportUser`)
`configdelivery.rollouts.resume`	Owner (`roles/owner`) Editor (`roles/editor`) ConfigDelivery Admin (`roles/configdelivery.configDeliveryAdmin`)
`configdelivery.rollouts.suspend`	Owner (`roles/owner`) Editor (`roles/editor`) ConfigDelivery Admin (`roles/configdelivery.configDeliveryAdmin`)

Config Delivery roles and permissions