Google Distributed Cloud roles and permissions

This page lists the IAM roles and permissions for Google Distributed Cloud. To search through all roles and permissions, see the role and permission index.

Google Distributed Cloud roles

Role Permissions

Role	Permissions
GKE on-prem Admin (`roles/gkeonprem.admin`) Full access to GKE on-prem all resources.	`gkeonprem.*` `gkeonprem.bareMetalAdminClusters.connect` `gkeonprem.bareMetalAdminClusters.create` `gkeonprem.bareMetalAdminClusters.createTagBinding` `gkeonprem.bareMetalAdminClusters.deleteTagBinding` `gkeonprem.bareMetalAdminClusters.enroll` `gkeonprem.bareMetalAdminClusters.get` `gkeonprem.bareMetalAdminClusters.getIamPolicy` `gkeonprem.bareMetalAdminClusters.list` `gkeonprem.bareMetalAdminClusters.listEffectiveTags` `gkeonprem.bareMetalAdminClusters.listTagBindings` `gkeonprem.bareMetalAdminClusters.queryVersionConfig` `gkeonprem.bareMetalAdminClusters.setIamPolicy` `gkeonprem.bareMetalAdminClusters.unenroll` `gkeonprem.bareMetalAdminClusters.update` `gkeonprem.bareMetalClusters.create` `gkeonprem.bareMetalClusters.createTagBinding` `gkeonprem.bareMetalClusters.delete` `gkeonprem.bareMetalClusters.deleteTagBinding` `gkeonprem.bareMetalClusters.enroll` `gkeonprem.bareMetalClusters.get` `gkeonprem.bareMetalClusters.getIamPolicy` `gkeonprem.bareMetalClusters.list` `gkeonprem.bareMetalClusters.listEffectiveTags` `gkeonprem.bareMetalClusters.listTagBindings` `gkeonprem.bareMetalClusters.queryVersionConfig` `gkeonprem.bareMetalClusters.setIamPolicy` `gkeonprem.bareMetalClusters.unenroll` `gkeonprem.bareMetalClusters.update` `gkeonprem.bareMetalNodePools.create` `gkeonprem.bareMetalNodePools.delete` `gkeonprem.bareMetalNodePools.enroll` `gkeonprem.bareMetalNodePools.get` `gkeonprem.bareMetalNodePools.getIamPolicy` `gkeonprem.bareMetalNodePools.list` `gkeonprem.bareMetalNodePools.setIamPolicy` `gkeonprem.bareMetalNodePools.unenroll` `gkeonprem.bareMetalNodePools.update` `gkeonprem.locations.get` `gkeonprem.locations.list` `gkeonprem.operations.cancel` `gkeonprem.operations.delete` `gkeonprem.operations.get` `gkeonprem.operations.list` `gkeonprem.vmwareAdminClusters.connect` `gkeonprem.vmwareAdminClusters.createTagBinding` `gkeonprem.vmwareAdminClusters.deleteTagBinding` `gkeonprem.vmwareAdminClusters.enroll` `gkeonprem.vmwareAdminClusters.get` `gkeonprem.vmwareAdminClusters.getIamPolicy` `gkeonprem.vmwareAdminClusters.list` `gkeonprem.vmwareAdminClusters.listEffectiveTags` `gkeonprem.vmwareAdminClusters.listTagBindings` `gkeonprem.vmwareAdminClusters.setIamPolicy` `gkeonprem.vmwareAdminClusters.unenroll` `gkeonprem.vmwareAdminClusters.update` `gkeonprem.vmwareClusters.create` `gkeonprem.vmwareClusters.createTagBinding` `gkeonprem.vmwareClusters.delete` `gkeonprem.vmwareClusters.deleteTagBinding` `gkeonprem.vmwareClusters.enroll` `gkeonprem.vmwareClusters.get` `gkeonprem.vmwareClusters.getIamPolicy` `gkeonprem.vmwareClusters.list` `gkeonprem.vmwareClusters.listEffectiveTags` `gkeonprem.vmwareClusters.listTagBindings` `gkeonprem.vmwareClusters.queryVersionConfig` `gkeonprem.vmwareClusters.setIamPolicy` `gkeonprem.vmwareClusters.unenroll` `gkeonprem.vmwareClusters.update` `gkeonprem.vmwareNodePools.create` `gkeonprem.vmwareNodePools.delete` `gkeonprem.vmwareNodePools.enroll` `gkeonprem.vmwareNodePools.get` `gkeonprem.vmwareNodePools.getIamPolicy` `gkeonprem.vmwareNodePools.list` `gkeonprem.vmwareNodePools.setIamPolicy` `gkeonprem.vmwareNodePools.unenroll` `gkeonprem.vmwareNodePools.update` `resourcemanager.projects.get` `resourcemanager.projects.list`
GKE On-Prem Service Agent (`roles/gkeonprem.serviceAgent`) Gives the GKE On-Prem service agent access to Cloud Platform resources. Warning: Do not grant service agent roles to any principals except service agents.	`gkehub.memberships.delete` `gkehub.memberships.get` `gkehub.memberships.update` `gkeonprem.bareMetalAdminClusters.connect` `gkeonprem.bareMetalAdminClusters.enroll` `gkeonprem.bareMetalAdminClusters.get` `gkeonprem.bareMetalAdminClusters.unenroll` `gkeonprem.bareMetalClusters.enroll` `gkeonprem.bareMetalClusters.get` `gkeonprem.bareMetalClusters.unenroll` `gkeonprem.bareMetalNodePools.enroll` `gkeonprem.bareMetalNodePools.get` `gkeonprem.bareMetalNodePools.unenroll` `gkeonprem.operations.get` `gkeonprem.operations.list` `gkeonprem.vmwareAdminClusters.connect` `gkeonprem.vmwareAdminClusters.enroll` `gkeonprem.vmwareAdminClusters.get` `gkeonprem.vmwareAdminClusters.unenroll` `gkeonprem.vmwareClusters.enroll` `gkeonprem.vmwareClusters.get` `gkeonprem.vmwareClusters.unenroll` `gkeonprem.vmwareNodePools.enroll` `gkeonprem.vmwareNodePools.get` `gkeonprem.vmwareNodePools.unenroll`
GKE on-prem Viewer (`roles/gkeonprem.viewer`) Read-only access to GKE on-prem all resources.	`gkeonprem.bareMetalAdminClusters.connect` `gkeonprem.bareMetalAdminClusters.get` `gkeonprem.bareMetalAdminClusters.getIamPolicy` `gkeonprem.bareMetalAdminClusters.list` `gkeonprem.bareMetalAdminClusters.listEffectiveTags` `gkeonprem.bareMetalAdminClusters.listTagBindings` `gkeonprem.bareMetalAdminClusters.queryVersionConfig` `gkeonprem.bareMetalClusters.get` `gkeonprem.bareMetalClusters.getIamPolicy` `gkeonprem.bareMetalClusters.list` `gkeonprem.bareMetalClusters.listEffectiveTags` `gkeonprem.bareMetalClusters.listTagBindings` `gkeonprem.bareMetalClusters.queryVersionConfig` `gkeonprem.bareMetalNodePools.get` `gkeonprem.bareMetalNodePools.getIamPolicy` `gkeonprem.bareMetalNodePools.list` `gkeonprem.locations.*` `gkeonprem.locations.get` `gkeonprem.locations.list` `gkeonprem.operations.get` `gkeonprem.operations.list` `gkeonprem.vmwareAdminClusters.connect` `gkeonprem.vmwareAdminClusters.get` `gkeonprem.vmwareAdminClusters.getIamPolicy` `gkeonprem.vmwareAdminClusters.list` `gkeonprem.vmwareAdminClusters.listEffectiveTags` `gkeonprem.vmwareAdminClusters.listTagBindings` `gkeonprem.vmwareClusters.get` `gkeonprem.vmwareClusters.getIamPolicy` `gkeonprem.vmwareClusters.list` `gkeonprem.vmwareClusters.listEffectiveTags` `gkeonprem.vmwareClusters.listTagBindings` `gkeonprem.vmwareClusters.queryVersionConfig` `gkeonprem.vmwareNodePools.get` `gkeonprem.vmwareNodePools.getIamPolicy` `gkeonprem.vmwareNodePools.list` `resourcemanager.projects.get` `resourcemanager.projects.list`

GKE on-prem Admin

(roles/gkeonprem.admin)

Full access to GKE on-prem all resources.

gkeonprem.*

gkeonprem.bareMetalAdminClusters.connect
gkeonprem.bareMetalAdminClusters.create
gkeonprem.bareMetalAdminClusters.createTagBinding
gkeonprem.bareMetalAdminClusters.deleteTagBinding
gkeonprem.bareMetalAdminClusters.enroll
gkeonprem.bareMetalAdminClusters.get
gkeonprem.bareMetalAdminClusters.getIamPolicy
gkeonprem.bareMetalAdminClusters.list
gkeonprem.bareMetalAdminClusters.listEffectiveTags
gkeonprem.bareMetalAdminClusters.listTagBindings
gkeonprem.bareMetalAdminClusters.queryVersionConfig
gkeonprem.bareMetalAdminClusters.setIamPolicy
gkeonprem.bareMetalAdminClusters.unenroll
gkeonprem.bareMetalAdminClusters.update
gkeonprem.bareMetalClusters.create
gkeonprem.bareMetalClusters.createTagBinding
gkeonprem.bareMetalClusters.delete
gkeonprem.bareMetalClusters.deleteTagBinding
gkeonprem.bareMetalClusters.enroll
gkeonprem.bareMetalClusters.get
gkeonprem.bareMetalClusters.getIamPolicy
gkeonprem.bareMetalClusters.list
gkeonprem.bareMetalClusters.listEffectiveTags
gkeonprem.bareMetalClusters.listTagBindings
gkeonprem.bareMetalClusters.queryVersionConfig
gkeonprem.bareMetalClusters.setIamPolicy
gkeonprem.bareMetalClusters.unenroll
gkeonprem.bareMetalClusters.update
gkeonprem.bareMetalNodePools.create
gkeonprem.bareMetalNodePools.delete
gkeonprem.bareMetalNodePools.enroll
gkeonprem.bareMetalNodePools.get
gkeonprem.bareMetalNodePools.getIamPolicy
gkeonprem.bareMetalNodePools.list
gkeonprem.bareMetalNodePools.setIamPolicy
gkeonprem.bareMetalNodePools.unenroll
gkeonprem.bareMetalNodePools.update
gkeonprem.locations.get
gkeonprem.locations.list
gkeonprem.operations.cancel
gkeonprem.operations.delete
gkeonprem.operations.get
gkeonprem.operations.list
gkeonprem.vmwareAdminClusters.connect
gkeonprem.vmwareAdminClusters.createTagBinding
gkeonprem.vmwareAdminClusters.deleteTagBinding
gkeonprem.vmwareAdminClusters.enroll
gkeonprem.vmwareAdminClusters.get
gkeonprem.vmwareAdminClusters.getIamPolicy
gkeonprem.vmwareAdminClusters.list
gkeonprem.vmwareAdminClusters.listEffectiveTags
gkeonprem.vmwareAdminClusters.listTagBindings
gkeonprem.vmwareAdminClusters.setIamPolicy
gkeonprem.vmwareAdminClusters.unenroll
gkeonprem.vmwareAdminClusters.update
gkeonprem.vmwareClusters.create
gkeonprem.vmwareClusters.createTagBinding
gkeonprem.vmwareClusters.delete
gkeonprem.vmwareClusters.deleteTagBinding
gkeonprem.vmwareClusters.enroll
gkeonprem.vmwareClusters.get
gkeonprem.vmwareClusters.getIamPolicy
gkeonprem.vmwareClusters.list
gkeonprem.vmwareClusters.listEffectiveTags
gkeonprem.vmwareClusters.listTagBindings
gkeonprem.vmwareClusters.queryVersionConfig
gkeonprem.vmwareClusters.setIamPolicy
gkeonprem.vmwareClusters.unenroll
gkeonprem.vmwareClusters.update
gkeonprem.vmwareNodePools.create
gkeonprem.vmwareNodePools.delete
gkeonprem.vmwareNodePools.enroll
gkeonprem.vmwareNodePools.get
gkeonprem.vmwareNodePools.getIamPolicy
gkeonprem.vmwareNodePools.list
gkeonprem.vmwareNodePools.setIamPolicy
gkeonprem.vmwareNodePools.unenroll
gkeonprem.vmwareNodePools.update

resourcemanager.projects.get

resourcemanager.projects.list

GKE On-Prem Service Agent

(roles/gkeonprem.serviceAgent)

Gives the GKE On-Prem service agent access to Cloud Platform resources.

gkehub.memberships.delete

gkehub.memberships.get

gkehub.memberships.update

gkeonprem.bareMetalAdminClusters.connect

gkeonprem.bareMetalAdminClusters.enroll

gkeonprem.bareMetalAdminClusters.get

gkeonprem.bareMetalAdminClusters.unenroll

gkeonprem.bareMetalClusters.enroll

gkeonprem.bareMetalClusters.get

gkeonprem.bareMetalClusters.unenroll

gkeonprem.bareMetalNodePools.enroll

gkeonprem.bareMetalNodePools.get

gkeonprem.bareMetalNodePools.unenroll

gkeonprem.operations.get

gkeonprem.operations.list

gkeonprem.vmwareAdminClusters.connect

gkeonprem.vmwareAdminClusters.enroll

gkeonprem.vmwareAdminClusters.get

gkeonprem.vmwareAdminClusters.unenroll

gkeonprem.vmwareClusters.enroll

gkeonprem.vmwareClusters.get

gkeonprem.vmwareClusters.unenroll

gkeonprem.vmwareNodePools.enroll

gkeonprem.vmwareNodePools.get

gkeonprem.vmwareNodePools.unenroll

GKE on-prem Viewer

(roles/gkeonprem.viewer)

Read-only access to GKE on-prem all resources.

gkeonprem.bareMetalAdminClusters.connect

gkeonprem.bareMetalAdminClusters.get

gkeonprem.bareMetalAdminClusters.getIamPolicy

gkeonprem.bareMetalAdminClusters.list

gkeonprem.bareMetalAdminClusters.listEffectiveTags

gkeonprem.bareMetalAdminClusters.listTagBindings

gkeonprem.bareMetalAdminClusters.queryVersionConfig

gkeonprem.bareMetalClusters.get

gkeonprem.bareMetalClusters.getIamPolicy

gkeonprem.bareMetalClusters.list

gkeonprem.bareMetalClusters.listEffectiveTags

gkeonprem.bareMetalClusters.listTagBindings

gkeonprem.bareMetalClusters.queryVersionConfig

gkeonprem.bareMetalNodePools.get

gkeonprem.bareMetalNodePools.getIamPolicy

gkeonprem.bareMetalNodePools.list

gkeonprem.locations.*

gkeonprem.locations.get
gkeonprem.locations.list

gkeonprem.operations.get

gkeonprem.operations.list

gkeonprem.vmwareAdminClusters.connect

gkeonprem.vmwareAdminClusters.get

gkeonprem.vmwareAdminClusters.getIamPolicy

gkeonprem.vmwareAdminClusters.list

gkeonprem.vmwareAdminClusters.listEffectiveTags

gkeonprem.vmwareAdminClusters.listTagBindings

gkeonprem.vmwareClusters.get

gkeonprem.vmwareClusters.getIamPolicy

gkeonprem.vmwareClusters.list

gkeonprem.vmwareClusters.listEffectiveTags

gkeonprem.vmwareClusters.listTagBindings

gkeonprem.vmwareClusters.queryVersionConfig

gkeonprem.vmwareNodePools.get

gkeonprem.vmwareNodePools.getIamPolicy

gkeonprem.vmwareNodePools.list

resourcemanager.projects.get

resourcemanager.projects.list

Google Distributed Cloud permissions

Permission	Included in roles
`gkeonprem.bareMetalAdminClusters.connect`	Owner (`roles/owner`) Editor (`roles/editor`) Viewer (`roles/viewer`) GKE on-prem Admin (`roles/gkeonprem.admin`) GKE on-prem Viewer (`roles/gkeonprem.viewer`) Service agent roles Warning: Don't grant service agent roles to any principals except service agents. GKE On-Prem Service Agent (`roles/gkeonprem.serviceAgent`)
`gkeonprem.bareMetalAdminClusters.create`	Owner (`roles/owner`) Editor (`roles/editor`) GKE on-prem Admin (`roles/gkeonprem.admin`)
`gkeonprem.bareMetalAdminClusters.createTagBinding`	Owner (`roles/owner`) DLP Organization Data Profiles Driver (`roles/dlp.orgdriver`) DLP Project Data Profiles Driver (`roles/dlp.projectdriver`) GKE on-prem Admin (`roles/gkeonprem.admin`) Tag User (`roles/resourcemanager.tagUser`)
`gkeonprem.bareMetalAdminClusters.deleteTagBinding`	Owner (`roles/owner`) DLP Organization Data Profiles Driver (`roles/dlp.orgdriver`) DLP Project Data Profiles Driver (`roles/dlp.projectdriver`) GKE on-prem Admin (`roles/gkeonprem.admin`) Tag User (`roles/resourcemanager.tagUser`)
`gkeonprem.bareMetalAdminClusters.enroll`	Owner (`roles/owner`) Editor (`roles/editor`) GKE on-prem Admin (`roles/gkeonprem.admin`) Service agent roles Warning: Don't grant service agent roles to any principals except service agents. GKE On-Prem Service Agent (`roles/gkeonprem.serviceAgent`)
`gkeonprem.bareMetalAdminClusters.get`	Owner (`roles/owner`) Editor (`roles/editor`) Viewer (`roles/viewer`) GKE on-prem Admin (`roles/gkeonprem.admin`) GKE on-prem Viewer (`roles/gkeonprem.viewer`) Service agent roles Warning: Don't grant service agent roles to any principals except service agents. GKE On-Prem Service Agent (`roles/gkeonprem.serviceAgent`)
`gkeonprem.bareMetalAdminClusters.getIamPolicy`	Owner (`roles/owner`) Editor (`roles/editor`) Viewer (`roles/viewer`) GKE on-prem Admin (`roles/gkeonprem.admin`) GKE on-prem Viewer (`roles/gkeonprem.viewer`) Security Admin (`roles/iam.securityAdmin`) Security Reviewer (`roles/iam.securityReviewer`)
`gkeonprem.bareMetalAdminClusters.list`	Owner (`roles/owner`) Editor (`roles/editor`) Viewer (`roles/viewer`) GKE on-prem Admin (`roles/gkeonprem.admin`) GKE on-prem Viewer (`roles/gkeonprem.viewer`) Security Admin (`roles/iam.securityAdmin`) Security Reviewer (`roles/iam.securityReviewer`)
`gkeonprem.bareMetalAdminClusters.listEffectiveTags`	Owner (`roles/owner`) Editor (`roles/editor`) Viewer (`roles/viewer`) DLP Organization Data Profiles Driver (`roles/dlp.orgdriver`) DLP Project Data Profiles Driver (`roles/dlp.projectdriver`) GKE on-prem Admin (`roles/gkeonprem.admin`) GKE on-prem Viewer (`roles/gkeonprem.viewer`) Tag User (`roles/resourcemanager.tagUser`) Tag Viewer (`roles/resourcemanager.tagViewer`)
`gkeonprem.bareMetalAdminClusters.listTagBindings`	Owner (`roles/owner`) Editor (`roles/editor`) Viewer (`roles/viewer`) DLP Organization Data Profiles Driver (`roles/dlp.orgdriver`) DLP Project Data Profiles Driver (`roles/dlp.projectdriver`) GKE on-prem Admin (`roles/gkeonprem.admin`) GKE on-prem Viewer (`roles/gkeonprem.viewer`) Tag User (`roles/resourcemanager.tagUser`) Tag Viewer (`roles/resourcemanager.tagViewer`)
`gkeonprem.bareMetalAdminClusters.queryVersionConfig`	Owner (`roles/owner`) Editor (`roles/editor`) Viewer (`roles/viewer`) GKE on-prem Admin (`roles/gkeonprem.admin`) GKE on-prem Viewer (`roles/gkeonprem.viewer`)
`gkeonprem.bareMetalAdminClusters.setIamPolicy`	Owner (`roles/owner`) GKE on-prem Admin (`roles/gkeonprem.admin`) Security Admin (`roles/iam.securityAdmin`)
`gkeonprem.bareMetalAdminClusters.unenroll`	Owner (`roles/owner`) Editor (`roles/editor`) GKE on-prem Admin (`roles/gkeonprem.admin`) Service agent roles Warning: Don't grant service agent roles to any principals except service agents. GKE On-Prem Service Agent (`roles/gkeonprem.serviceAgent`)
`gkeonprem.bareMetalAdminClusters.update`	Owner (`roles/owner`) Editor (`roles/editor`) GKE on-prem Admin (`roles/gkeonprem.admin`)
`gkeonprem.bareMetalClusters.create`	Owner (`roles/owner`) Editor (`roles/editor`) GKE on-prem Admin (`roles/gkeonprem.admin`)
`gkeonprem.bareMetalClusters.createTagBinding`	Owner (`roles/owner`) DLP Organization Data Profiles Driver (`roles/dlp.orgdriver`) DLP Project Data Profiles Driver (`roles/dlp.projectdriver`) GKE on-prem Admin (`roles/gkeonprem.admin`) Tag User (`roles/resourcemanager.tagUser`)
`gkeonprem.bareMetalClusters.delete`	Owner (`roles/owner`) Editor (`roles/editor`) GKE on-prem Admin (`roles/gkeonprem.admin`)
`gkeonprem.bareMetalClusters.deleteTagBinding`	Owner (`roles/owner`) DLP Organization Data Profiles Driver (`roles/dlp.orgdriver`) DLP Project Data Profiles Driver (`roles/dlp.projectdriver`) GKE on-prem Admin (`roles/gkeonprem.admin`) Tag User (`roles/resourcemanager.tagUser`)
`gkeonprem.bareMetalClusters.enroll`	Owner (`roles/owner`) Editor (`roles/editor`) GKE on-prem Admin (`roles/gkeonprem.admin`) Service agent roles Warning: Don't grant service agent roles to any principals except service agents. GKE On-Prem Service Agent (`roles/gkeonprem.serviceAgent`)
`gkeonprem.bareMetalClusters.get`	Owner (`roles/owner`) Editor (`roles/editor`) Viewer (`roles/viewer`) GKE on-prem Admin (`roles/gkeonprem.admin`) GKE on-prem Viewer (`roles/gkeonprem.viewer`) Service agent roles Warning: Don't grant service agent roles to any principals except service agents. GKE On-Prem Service Agent (`roles/gkeonprem.serviceAgent`) GKE Hub Service Agent (`roles/gkehub.serviceAgent`)
`gkeonprem.bareMetalClusters.getIamPolicy`	Owner (`roles/owner`) Editor (`roles/editor`) Viewer (`roles/viewer`) GKE on-prem Admin (`roles/gkeonprem.admin`) GKE on-prem Viewer (`roles/gkeonprem.viewer`) Security Admin (`roles/iam.securityAdmin`) Security Reviewer (`roles/iam.securityReviewer`)
`gkeonprem.bareMetalClusters.list`	Owner (`roles/owner`) Editor (`roles/editor`) Viewer (`roles/viewer`) GKE on-prem Admin (`roles/gkeonprem.admin`) GKE on-prem Viewer (`roles/gkeonprem.viewer`) Security Admin (`roles/iam.securityAdmin`) Security Reviewer (`roles/iam.securityReviewer`)
`gkeonprem.bareMetalClusters.listEffectiveTags`	Owner (`roles/owner`) Editor (`roles/editor`) Viewer (`roles/viewer`) DLP Organization Data Profiles Driver (`roles/dlp.orgdriver`) DLP Project Data Profiles Driver (`roles/dlp.projectdriver`) GKE on-prem Admin (`roles/gkeonprem.admin`) GKE on-prem Viewer (`roles/gkeonprem.viewer`) Tag User (`roles/resourcemanager.tagUser`) Tag Viewer (`roles/resourcemanager.tagViewer`)
`gkeonprem.bareMetalClusters.listTagBindings`	Owner (`roles/owner`) Editor (`roles/editor`) Viewer (`roles/viewer`) DLP Organization Data Profiles Driver (`roles/dlp.orgdriver`) DLP Project Data Profiles Driver (`roles/dlp.projectdriver`) GKE on-prem Admin (`roles/gkeonprem.admin`) GKE on-prem Viewer (`roles/gkeonprem.viewer`) Tag User (`roles/resourcemanager.tagUser`) Tag Viewer (`roles/resourcemanager.tagViewer`)
`gkeonprem.bareMetalClusters.queryVersionConfig`	Owner (`roles/owner`) Editor (`roles/editor`) Viewer (`roles/viewer`) GKE on-prem Admin (`roles/gkeonprem.admin`) GKE on-prem Viewer (`roles/gkeonprem.viewer`)
`gkeonprem.bareMetalClusters.setIamPolicy`	Owner (`roles/owner`) GKE on-prem Admin (`roles/gkeonprem.admin`) Security Admin (`roles/iam.securityAdmin`)
`gkeonprem.bareMetalClusters.unenroll`	Owner (`roles/owner`) Editor (`roles/editor`) GKE on-prem Admin (`roles/gkeonprem.admin`) Service agent roles Warning: Don't grant service agent roles to any principals except service agents. GKE On-Prem Service Agent (`roles/gkeonprem.serviceAgent`)
`gkeonprem.bareMetalClusters.update`	Owner (`roles/owner`) Editor (`roles/editor`) GKE on-prem Admin (`roles/gkeonprem.admin`)
`gkeonprem.bareMetalNodePools.create`	Owner (`roles/owner`) Editor (`roles/editor`) GKE on-prem Admin (`roles/gkeonprem.admin`)
`gkeonprem.bareMetalNodePools.delete`	Owner (`roles/owner`) Editor (`roles/editor`) GKE on-prem Admin (`roles/gkeonprem.admin`)
`gkeonprem.bareMetalNodePools.enroll`	Owner (`roles/owner`) Editor (`roles/editor`) GKE on-prem Admin (`roles/gkeonprem.admin`) Service agent roles Warning: Don't grant service agent roles to any principals except service agents. GKE On-Prem Service Agent (`roles/gkeonprem.serviceAgent`)
`gkeonprem.bareMetalNodePools.get`	Owner (`roles/owner`) Editor (`roles/editor`) Viewer (`roles/viewer`) GKE on-prem Admin (`roles/gkeonprem.admin`) GKE on-prem Viewer (`roles/gkeonprem.viewer`) Service agent roles Warning: Don't grant service agent roles to any principals except service agents. GKE On-Prem Service Agent (`roles/gkeonprem.serviceAgent`)
`gkeonprem.bareMetalNodePools.getIamPolicy`	Owner (`roles/owner`) Editor (`roles/editor`) Viewer (`roles/viewer`) GKE on-prem Admin (`roles/gkeonprem.admin`) GKE on-prem Viewer (`roles/gkeonprem.viewer`) Security Admin (`roles/iam.securityAdmin`) Security Reviewer (`roles/iam.securityReviewer`)
`gkeonprem.bareMetalNodePools.list`	Owner (`roles/owner`) Editor (`roles/editor`) Viewer (`roles/viewer`) GKE on-prem Admin (`roles/gkeonprem.admin`) GKE on-prem Viewer (`roles/gkeonprem.viewer`) Security Admin (`roles/iam.securityAdmin`) Security Reviewer (`roles/iam.securityReviewer`)
`gkeonprem.bareMetalNodePools.setIamPolicy`	Owner (`roles/owner`) GKE on-prem Admin (`roles/gkeonprem.admin`) Security Admin (`roles/iam.securityAdmin`)
`gkeonprem.bareMetalNodePools.unenroll`	Owner (`roles/owner`) Editor (`roles/editor`) GKE on-prem Admin (`roles/gkeonprem.admin`) Service agent roles Warning: Don't grant service agent roles to any principals except service agents. GKE On-Prem Service Agent (`roles/gkeonprem.serviceAgent`)
`gkeonprem.bareMetalNodePools.update`	Owner (`roles/owner`) Editor (`roles/editor`) GKE on-prem Admin (`roles/gkeonprem.admin`)
`gkeonprem.locations.get`	Owner (`roles/owner`) Editor (`roles/editor`) Viewer (`roles/viewer`) GKE on-prem Admin (`roles/gkeonprem.admin`) GKE on-prem Viewer (`roles/gkeonprem.viewer`)
`gkeonprem.locations.list`	Owner (`roles/owner`) Editor (`roles/editor`) Viewer (`roles/viewer`) GKE on-prem Admin (`roles/gkeonprem.admin`) GKE on-prem Viewer (`roles/gkeonprem.viewer`) Security Admin (`roles/iam.securityAdmin`) Security Reviewer (`roles/iam.securityReviewer`)
`gkeonprem.operations.cancel`	Owner (`roles/owner`) Editor (`roles/editor`) GKE on-prem Admin (`roles/gkeonprem.admin`)
`gkeonprem.operations.delete`	Owner (`roles/owner`) Editor (`roles/editor`) GKE on-prem Admin (`roles/gkeonprem.admin`)
`gkeonprem.operations.get`	Owner (`roles/owner`) Editor (`roles/editor`) Viewer (`roles/viewer`) GKE on-prem Admin (`roles/gkeonprem.admin`) GKE on-prem Viewer (`roles/gkeonprem.viewer`) Service agent roles Warning: Don't grant service agent roles to any principals except service agents. GKE On-Prem Service Agent (`roles/gkeonprem.serviceAgent`)
`gkeonprem.operations.list`	Owner (`roles/owner`) Editor (`roles/editor`) Viewer (`roles/viewer`) GKE on-prem Admin (`roles/gkeonprem.admin`) GKE on-prem Viewer (`roles/gkeonprem.viewer`) Security Admin (`roles/iam.securityAdmin`) Security Reviewer (`roles/iam.securityReviewer`) Service agent roles Warning: Don't grant service agent roles to any principals except service agents. GKE On-Prem Service Agent (`roles/gkeonprem.serviceAgent`)
`gkeonprem.vmwareAdminClusters.connect`	Owner (`roles/owner`) Editor (`roles/editor`) Viewer (`roles/viewer`) GKE on-prem Admin (`roles/gkeonprem.admin`) GKE on-prem Viewer (`roles/gkeonprem.viewer`) Service agent roles Warning: Don't grant service agent roles to any principals except service agents. GKE On-Prem Service Agent (`roles/gkeonprem.serviceAgent`)
`gkeonprem.vmwareAdminClusters.createTagBinding`	Owner (`roles/owner`) DLP Organization Data Profiles Driver (`roles/dlp.orgdriver`) DLP Project Data Profiles Driver (`roles/dlp.projectdriver`) GKE on-prem Admin (`roles/gkeonprem.admin`) Tag User (`roles/resourcemanager.tagUser`)
`gkeonprem.vmwareAdminClusters.deleteTagBinding`	Owner (`roles/owner`) DLP Organization Data Profiles Driver (`roles/dlp.orgdriver`) DLP Project Data Profiles Driver (`roles/dlp.projectdriver`) GKE on-prem Admin (`roles/gkeonprem.admin`) Tag User (`roles/resourcemanager.tagUser`)
`gkeonprem.vmwareAdminClusters.enroll`	Owner (`roles/owner`) Editor (`roles/editor`) GKE on-prem Admin (`roles/gkeonprem.admin`) Service agent roles Warning: Don't grant service agent roles to any principals except service agents. GKE On-Prem Service Agent (`roles/gkeonprem.serviceAgent`)
`gkeonprem.vmwareAdminClusters.get`	Owner (`roles/owner`) Editor (`roles/editor`) Viewer (`roles/viewer`) GKE on-prem Admin (`roles/gkeonprem.admin`) GKE on-prem Viewer (`roles/gkeonprem.viewer`) Service agent roles Warning: Don't grant service agent roles to any principals except service agents. GKE On-Prem Service Agent (`roles/gkeonprem.serviceAgent`)
`gkeonprem.vmwareAdminClusters.getIamPolicy`	Owner (`roles/owner`) Editor (`roles/editor`) Viewer (`roles/viewer`) GKE on-prem Admin (`roles/gkeonprem.admin`) GKE on-prem Viewer (`roles/gkeonprem.viewer`) Security Admin (`roles/iam.securityAdmin`) Security Reviewer (`roles/iam.securityReviewer`)
`gkeonprem.vmwareAdminClusters.list`	Owner (`roles/owner`) Editor (`roles/editor`) Viewer (`roles/viewer`) GKE on-prem Admin (`roles/gkeonprem.admin`) GKE on-prem Viewer (`roles/gkeonprem.viewer`) Security Admin (`roles/iam.securityAdmin`) Security Reviewer (`roles/iam.securityReviewer`)
`gkeonprem.vmwareAdminClusters.listEffectiveTags`	Owner (`roles/owner`) Editor (`roles/editor`) Viewer (`roles/viewer`) DLP Organization Data Profiles Driver (`roles/dlp.orgdriver`) DLP Project Data Profiles Driver (`roles/dlp.projectdriver`) GKE on-prem Admin (`roles/gkeonprem.admin`) GKE on-prem Viewer (`roles/gkeonprem.viewer`) Tag User (`roles/resourcemanager.tagUser`) Tag Viewer (`roles/resourcemanager.tagViewer`)
`gkeonprem.vmwareAdminClusters.listTagBindings`	Owner (`roles/owner`) Editor (`roles/editor`) Viewer (`roles/viewer`) DLP Organization Data Profiles Driver (`roles/dlp.orgdriver`) DLP Project Data Profiles Driver (`roles/dlp.projectdriver`) GKE on-prem Admin (`roles/gkeonprem.admin`) GKE on-prem Viewer (`roles/gkeonprem.viewer`) Tag User (`roles/resourcemanager.tagUser`) Tag Viewer (`roles/resourcemanager.tagViewer`)
`gkeonprem.vmwareAdminClusters.setIamPolicy`	Owner (`roles/owner`) GKE on-prem Admin (`roles/gkeonprem.admin`) Security Admin (`roles/iam.securityAdmin`)
`gkeonprem.vmwareAdminClusters.unenroll`	Owner (`roles/owner`) Editor (`roles/editor`) GKE on-prem Admin (`roles/gkeonprem.admin`) Service agent roles Warning: Don't grant service agent roles to any principals except service agents. GKE On-Prem Service Agent (`roles/gkeonprem.serviceAgent`)
`gkeonprem.vmwareAdminClusters.update`	Owner (`roles/owner`) Editor (`roles/editor`) GKE on-prem Admin (`roles/gkeonprem.admin`)
`gkeonprem.vmwareClusters.create`	Owner (`roles/owner`) Editor (`roles/editor`) GKE on-prem Admin (`roles/gkeonprem.admin`)
`gkeonprem.vmwareClusters.createTagBinding`	Owner (`roles/owner`) DLP Organization Data Profiles Driver (`roles/dlp.orgdriver`) DLP Project Data Profiles Driver (`roles/dlp.projectdriver`) GKE on-prem Admin (`roles/gkeonprem.admin`) Tag User (`roles/resourcemanager.tagUser`)
`gkeonprem.vmwareClusters.delete`	Owner (`roles/owner`) Editor (`roles/editor`) GKE on-prem Admin (`roles/gkeonprem.admin`)
`gkeonprem.vmwareClusters.deleteTagBinding`	Owner (`roles/owner`) DLP Organization Data Profiles Driver (`roles/dlp.orgdriver`) DLP Project Data Profiles Driver (`roles/dlp.projectdriver`) GKE on-prem Admin (`roles/gkeonprem.admin`) Tag User (`roles/resourcemanager.tagUser`)
`gkeonprem.vmwareClusters.enroll`	Owner (`roles/owner`) Editor (`roles/editor`) GKE on-prem Admin (`roles/gkeonprem.admin`) Service agent roles Warning: Don't grant service agent roles to any principals except service agents. GKE On-Prem Service Agent (`roles/gkeonprem.serviceAgent`)
`gkeonprem.vmwareClusters.get`	Owner (`roles/owner`) Editor (`roles/editor`) Viewer (`roles/viewer`) GKE on-prem Admin (`roles/gkeonprem.admin`) GKE on-prem Viewer (`roles/gkeonprem.viewer`) Service agent roles Warning: Don't grant service agent roles to any principals except service agents. GKE On-Prem Service Agent (`roles/gkeonprem.serviceAgent`) GKE Hub Service Agent (`roles/gkehub.serviceAgent`)
`gkeonprem.vmwareClusters.getIamPolicy`	Owner (`roles/owner`) Editor (`roles/editor`) Viewer (`roles/viewer`) GKE on-prem Admin (`roles/gkeonprem.admin`) GKE on-prem Viewer (`roles/gkeonprem.viewer`) Security Admin (`roles/iam.securityAdmin`) Security Reviewer (`roles/iam.securityReviewer`)
`gkeonprem.vmwareClusters.list`	Owner (`roles/owner`) Editor (`roles/editor`) Viewer (`roles/viewer`) GKE on-prem Admin (`roles/gkeonprem.admin`) GKE on-prem Viewer (`roles/gkeonprem.viewer`) Security Admin (`roles/iam.securityAdmin`) Security Reviewer (`roles/iam.securityReviewer`)
`gkeonprem.vmwareClusters.listEffectiveTags`	Owner (`roles/owner`) Editor (`roles/editor`) Viewer (`roles/viewer`) DLP Organization Data Profiles Driver (`roles/dlp.orgdriver`) DLP Project Data Profiles Driver (`roles/dlp.projectdriver`) GKE on-prem Admin (`roles/gkeonprem.admin`) GKE on-prem Viewer (`roles/gkeonprem.viewer`) Tag User (`roles/resourcemanager.tagUser`) Tag Viewer (`roles/resourcemanager.tagViewer`)
`gkeonprem.vmwareClusters.listTagBindings`	Owner (`roles/owner`) Editor (`roles/editor`) Viewer (`roles/viewer`) DLP Organization Data Profiles Driver (`roles/dlp.orgdriver`) DLP Project Data Profiles Driver (`roles/dlp.projectdriver`) GKE on-prem Admin (`roles/gkeonprem.admin`) GKE on-prem Viewer (`roles/gkeonprem.viewer`) Tag User (`roles/resourcemanager.tagUser`) Tag Viewer (`roles/resourcemanager.tagViewer`)
`gkeonprem.vmwareClusters.queryVersionConfig`	Owner (`roles/owner`) Editor (`roles/editor`) Viewer (`roles/viewer`) GKE on-prem Admin (`roles/gkeonprem.admin`) GKE on-prem Viewer (`roles/gkeonprem.viewer`)
`gkeonprem.vmwareClusters.setIamPolicy`	Owner (`roles/owner`) GKE on-prem Admin (`roles/gkeonprem.admin`) Security Admin (`roles/iam.securityAdmin`)
`gkeonprem.vmwareClusters.unenroll`	Owner (`roles/owner`) Editor (`roles/editor`) GKE on-prem Admin (`roles/gkeonprem.admin`) Service agent roles Warning: Don't grant service agent roles to any principals except service agents. GKE On-Prem Service Agent (`roles/gkeonprem.serviceAgent`)
`gkeonprem.vmwareClusters.update`	Owner (`roles/owner`) Editor (`roles/editor`) GKE on-prem Admin (`roles/gkeonprem.admin`)
`gkeonprem.vmwareNodePools.create`	Owner (`roles/owner`) Editor (`roles/editor`) GKE on-prem Admin (`roles/gkeonprem.admin`)
`gkeonprem.vmwareNodePools.delete`	Owner (`roles/owner`) Editor (`roles/editor`) GKE on-prem Admin (`roles/gkeonprem.admin`)
`gkeonprem.vmwareNodePools.enroll`	Owner (`roles/owner`) Editor (`roles/editor`) GKE on-prem Admin (`roles/gkeonprem.admin`) Service agent roles Warning: Don't grant service agent roles to any principals except service agents. GKE On-Prem Service Agent (`roles/gkeonprem.serviceAgent`)
`gkeonprem.vmwareNodePools.get`	Owner (`roles/owner`) Editor (`roles/editor`) Viewer (`roles/viewer`) GKE on-prem Admin (`roles/gkeonprem.admin`) GKE on-prem Viewer (`roles/gkeonprem.viewer`) Service agent roles Warning: Don't grant service agent roles to any principals except service agents. GKE On-Prem Service Agent (`roles/gkeonprem.serviceAgent`)
`gkeonprem.vmwareNodePools.getIamPolicy`	Owner (`roles/owner`) Editor (`roles/editor`) Viewer (`roles/viewer`) GKE on-prem Admin (`roles/gkeonprem.admin`) GKE on-prem Viewer (`roles/gkeonprem.viewer`) Security Admin (`roles/iam.securityAdmin`) Security Reviewer (`roles/iam.securityReviewer`)
`gkeonprem.vmwareNodePools.list`	Owner (`roles/owner`) Editor (`roles/editor`) Viewer (`roles/viewer`) GKE on-prem Admin (`roles/gkeonprem.admin`) GKE on-prem Viewer (`roles/gkeonprem.viewer`) Security Admin (`roles/iam.securityAdmin`) Security Reviewer (`roles/iam.securityReviewer`)
`gkeonprem.vmwareNodePools.setIamPolicy`	Owner (`roles/owner`) GKE on-prem Admin (`roles/gkeonprem.admin`) Security Admin (`roles/iam.securityAdmin`)
`gkeonprem.vmwareNodePools.unenroll`	Owner (`roles/owner`) Editor (`roles/editor`) GKE on-prem Admin (`roles/gkeonprem.admin`) Service agent roles Warning: Don't grant service agent roles to any principals except service agents. GKE On-Prem Service Agent (`roles/gkeonprem.serviceAgent`)
`gkeonprem.vmwareNodePools.update`	Owner (`roles/owner`) Editor (`roles/editor`) GKE on-prem Admin (`roles/gkeonprem.admin`)

Google Distributed Cloud roles and permissions Stay organized with collections Save and categorize content based on your preferences.