Identity-Aware Proxy roles and permissions
Stay organized with collections Save and categorize content based on your preferences.

This page lists the IAM roles and permissions for Identity-Aware Proxy. To search through all roles and permissions, see the role and permission index.

Identity-Aware Proxy roles

Role Permissions

Role	Permissions
IAP Policy Admin (`roles/iap.admin`) Provides full access to Identity-Aware Proxy resources.	`iap.tunnel.` `iap.tunnel.getIamPolicy` `iap.tunnel.setIamPolicy` `iap.tunnelDestGroups.getIamPolicy` `iap.tunnelDestGroups.setIamPolicy` `iap.tunnelInstances.getIamPolicy` `iap.tunnelInstances.setIamPolicy` `iap.tunnelLocations.` `iap.tunnelLocations.getIamPolicy` `iap.tunnelLocations.setIamPolicy` `iap.tunnelZones.*` `iap.tunnelZones.getIamPolicy` `iap.tunnelZones.setIamPolicy` `iap.web.getIamPolicy` `iap.web.setIamPolicy` `iap.webServiceVersions.getIamPolicy` `iap.webServiceVersions.setIamPolicy` `iap.webServices.getIamPolicy` `iap.webServices.setIamPolicy` `iap.webTypes.getIamPolicy` `iap.webTypes.setIamPolicy`
IAP-secured Web App User (`roles/iap.httpsResourceAccessor`) Provides permission to access HTTPS resources which use Identity-Aware Proxy.	`iap.webServiceVersions.accessViaIAP`
IAP-secured Resource Remediator User ^Beta (`roles/iap.remediatorUser`) Remediate IAP resource	`iap.tunnelDestGroups.remediate` `iap.tunnelinstances.remediate` `iap.webServiceVersions.remediate`
IAP Settings Admin (`roles/iap.settingsAdmin`) Administrator of IAP Settings.	`iap.projects.*` `iap.projects.getSettings` `iap.projects.updateSettings` `iap.web.getSettings` `iap.web.updateSettings` `iap.webServiceVersions.getSettings` `iap.webServiceVersions.updateSettings` `iap.webServices.getSettings` `iap.webServices.updateSettings` `iap.webTypes.getSettings` `iap.webTypes.updateSettings`
IAP-secured Tunnel Destination Group Editor (`roles/iap.tunnelDestGroupEditor`) Edit Tunnel Destination Group resources which use Identity-Aware Proxy	`iap.tunnelDestGroups.create` `iap.tunnelDestGroups.delete` `iap.tunnelDestGroups.get` `iap.tunnelDestGroups.list` `iap.tunnelDestGroups.update`
IAP-secured Tunnel Destination Group Viewer (`roles/iap.tunnelDestGroupViewer`) View Tunnel Destination Group resources which use Identity-Aware Proxy	`iap.tunnelDestGroups.get` `iap.tunnelDestGroups.list`
IAP-secured Tunnel User (`roles/iap.tunnelResourceAccessor`) Access Tunnel resources which use Identity-Aware Proxy	`iap.tunnelDestGroups.accessViaIAP` `iap.tunnelInstances.accessViaIAP`

IAP Policy Admin

(roles/iap.admin)

Provides full access to Identity-Aware Proxy resources.

iap.tunnel.*

iap.tunnel.getIamPolicy
iap.tunnel.setIamPolicy

iap.tunnelDestGroups.getIamPolicy

iap.tunnelDestGroups.setIamPolicy

iap.tunnelInstances.getIamPolicy

iap.tunnelInstances.setIamPolicy

iap.tunnelLocations.*

iap.tunnelLocations.getIamPolicy
iap.tunnelLocations.setIamPolicy

iap.tunnelZones.*

iap.tunnelZones.getIamPolicy
iap.tunnelZones.setIamPolicy

iap.web.getIamPolicy

iap.web.setIamPolicy

iap.webServiceVersions.getIamPolicy

iap.webServiceVersions.setIamPolicy

iap.webServices.getIamPolicy

iap.webServices.setIamPolicy

iap.webTypes.getIamPolicy

iap.webTypes.setIamPolicy

IAP-secured Web App User

(roles/iap.httpsResourceAccessor)

Provides permission to access HTTPS resources which use Identity-Aware Proxy.

iap.webServiceVersions.accessViaIAP

IAP-secured Resource Remediator User ^Beta

(roles/iap.remediatorUser)

Remediate IAP resource

iap.tunnelDestGroups.remediate

iap.tunnelinstances.remediate

iap.webServiceVersions.remediate

IAP Settings Admin

(roles/iap.settingsAdmin)

Administrator of IAP Settings.

iap.projects.*

iap.projects.getSettings
iap.projects.updateSettings

iap.web.getSettings

iap.web.updateSettings

iap.webServiceVersions.getSettings

iap.webServiceVersions.updateSettings

iap.webServices.getSettings

iap.webServices.updateSettings

iap.webTypes.getSettings

iap.webTypes.updateSettings

IAP-secured Tunnel Destination Group Editor

(roles/iap.tunnelDestGroupEditor)

Edit Tunnel Destination Group resources which use Identity-Aware Proxy

iap.tunnelDestGroups.create

iap.tunnelDestGroups.delete

iap.tunnelDestGroups.get

iap.tunnelDestGroups.list

iap.tunnelDestGroups.update

IAP-secured Tunnel Destination Group Viewer

(roles/iap.tunnelDestGroupViewer)

View Tunnel Destination Group resources which use Identity-Aware Proxy

iap.tunnelDestGroups.get

iap.tunnelDestGroups.list

IAP-secured Tunnel User

(roles/iap.tunnelResourceAccessor)

Access Tunnel resources which use Identity-Aware Proxy

iap.tunnelDestGroups.accessViaIAP

iap.tunnelInstances.accessViaIAP

Identity-Aware Proxy permissions

Permission	Included in roles
`iap.projects.getSettings`	Owner (`roles/owner`) Editor (`roles/editor`) Viewer (`roles/viewer`) IAP Settings Admin (`roles/iap.settingsAdmin`)
`iap.projects.updateSettings`	Owner (`roles/owner`) Editor (`roles/editor`) IAP Settings Admin (`roles/iap.settingsAdmin`)
`iap.tunnel.getIamPolicy`	Owner (`roles/owner`) Security Admin (`roles/iam.securityAdmin`) Security Reviewer (`roles/iam.securityReviewer`) IAP Policy Admin (`roles/iap.admin`)
`iap.tunnel.setIamPolicy`	Owner (`roles/owner`) Security Admin (`roles/iam.securityAdmin`) IAP Policy Admin (`roles/iap.admin`)
`iap.tunnelDestGroups.accessViaIAP`	Owner (`roles/owner`) IAP-secured Tunnel User (`roles/iap.tunnelResourceAccessor`)
`iap.tunnelDestGroups.create`	Owner (`roles/owner`) Editor (`roles/editor`) IAP-secured Tunnel Destination Group Editor (`roles/iap.tunnelDestGroupEditor`)
`iap.tunnelDestGroups.delete`	Owner (`roles/owner`) Editor (`roles/editor`) IAP-secured Tunnel Destination Group Editor (`roles/iap.tunnelDestGroupEditor`)
`iap.tunnelDestGroups.get`	Owner (`roles/owner`) Editor (`roles/editor`) Viewer (`roles/viewer`) IAP-secured Tunnel Destination Group Editor (`roles/iap.tunnelDestGroupEditor`) IAP-secured Tunnel Destination Group Viewer (`roles/iap.tunnelDestGroupViewer`)
`iap.tunnelDestGroups.getIamPolicy`	Owner (`roles/owner`) Security Admin (`roles/iam.securityAdmin`) Security Reviewer (`roles/iam.securityReviewer`) IAP Policy Admin (`roles/iap.admin`)
`iap.tunnelDestGroups.list`	Owner (`roles/owner`) Editor (`roles/editor`) Viewer (`roles/viewer`) Security Admin (`roles/iam.securityAdmin`) Security Reviewer (`roles/iam.securityReviewer`) IAP-secured Tunnel Destination Group Editor (`roles/iap.tunnelDestGroupEditor`) IAP-secured Tunnel Destination Group Viewer (`roles/iap.tunnelDestGroupViewer`)
`iap.tunnelDestGroups.remediate`	Owner (`roles/owner`) IAP-secured Resource Remediator User (`roles/iap.remediatorUser`)
`iap.tunnelDestGroups.setIamPolicy`	Owner (`roles/owner`) Security Admin (`roles/iam.securityAdmin`) IAP Policy Admin (`roles/iap.admin`)
`iap.tunnelDestGroups.update`	Owner (`roles/owner`) Editor (`roles/editor`) IAP-secured Tunnel Destination Group Editor (`roles/iap.tunnelDestGroupEditor`)
`iap.tunnelInstances.accessViaIAP`	Owner (`roles/owner`) IAP-secured Tunnel User (`roles/iap.tunnelResourceAccessor`)
`iap.tunnelInstances.getIamPolicy`	Owner (`roles/owner`) Security Admin (`roles/iam.securityAdmin`) Security Reviewer (`roles/iam.securityReviewer`) IAP Policy Admin (`roles/iap.admin`)
`iap.tunnelInstances.setIamPolicy`	Owner (`roles/owner`) Security Admin (`roles/iam.securityAdmin`) IAP Policy Admin (`roles/iap.admin`)
`iap.tunnelLocations.getIamPolicy`	Owner (`roles/owner`) Security Admin (`roles/iam.securityAdmin`) Security Reviewer (`roles/iam.securityReviewer`) IAP Policy Admin (`roles/iap.admin`)
`iap.tunnelLocations.setIamPolicy`	Owner (`roles/owner`) Security Admin (`roles/iam.securityAdmin`) IAP Policy Admin (`roles/iap.admin`)
`iap.tunnelZones.getIamPolicy`	Owner (`roles/owner`) Security Admin (`roles/iam.securityAdmin`) Security Reviewer (`roles/iam.securityReviewer`) IAP Policy Admin (`roles/iap.admin`)
`iap.tunnelZones.setIamPolicy`	Owner (`roles/owner`) Security Admin (`roles/iam.securityAdmin`) IAP Policy Admin (`roles/iap.admin`)
`iap.tunnelinstances.remediate`	Owner (`roles/owner`) IAP-secured Resource Remediator User (`roles/iap.remediatorUser`)
`iap.web.getIamPolicy`	Owner (`roles/owner`) Security Admin (`roles/iam.securityAdmin`) Security Reviewer (`roles/iam.securityReviewer`) IAP Policy Admin (`roles/iap.admin`)
`iap.web.getSettings`	Owner (`roles/owner`) Editor (`roles/editor`) Viewer (`roles/viewer`) IAP Settings Admin (`roles/iap.settingsAdmin`)
`iap.web.setIamPolicy`	Owner (`roles/owner`) Security Admin (`roles/iam.securityAdmin`) IAP Policy Admin (`roles/iap.admin`)
`iap.web.updateSettings`	Owner (`roles/owner`) Editor (`roles/editor`) IAP Settings Admin (`roles/iap.settingsAdmin`)
`iap.webServiceVersions.accessViaIAP`	IAP-secured Web App User (`roles/iap.httpsResourceAccessor`)
`iap.webServiceVersions.getIamPolicy`	Owner (`roles/owner`) Security Admin (`roles/iam.securityAdmin`) Security Reviewer (`roles/iam.securityReviewer`) IAP Policy Admin (`roles/iap.admin`)
`iap.webServiceVersions.getSettings`	Owner (`roles/owner`) Editor (`roles/editor`) Viewer (`roles/viewer`) IAP Settings Admin (`roles/iap.settingsAdmin`)
`iap.webServiceVersions.remediate`	Owner (`roles/owner`) IAP-secured Resource Remediator User (`roles/iap.remediatorUser`)
`iap.webServiceVersions.setIamPolicy`	Owner (`roles/owner`) Security Admin (`roles/iam.securityAdmin`) IAP Policy Admin (`roles/iap.admin`)
`iap.webServiceVersions.updateSettings`	Owner (`roles/owner`) Editor (`roles/editor`) IAP Settings Admin (`roles/iap.settingsAdmin`)
`iap.webServices.getIamPolicy`	Owner (`roles/owner`) Security Admin (`roles/iam.securityAdmin`) Security Reviewer (`roles/iam.securityReviewer`) IAP Policy Admin (`roles/iap.admin`)
`iap.webServices.getSettings`	Owner (`roles/owner`) Editor (`roles/editor`) Viewer (`roles/viewer`) IAP Settings Admin (`roles/iap.settingsAdmin`)
`iap.webServices.setIamPolicy`	Owner (`roles/owner`) Security Admin (`roles/iam.securityAdmin`) IAP Policy Admin (`roles/iap.admin`)
`iap.webServices.updateSettings`	Owner (`roles/owner`) Editor (`roles/editor`) IAP Settings Admin (`roles/iap.settingsAdmin`)
`iap.webTypes.getIamPolicy`	Owner (`roles/owner`) Security Admin (`roles/iam.securityAdmin`) Security Reviewer (`roles/iam.securityReviewer`) IAP Policy Admin (`roles/iap.admin`)
`iap.webTypes.getSettings`	Owner (`roles/owner`) Editor (`roles/editor`) Viewer (`roles/viewer`) IAP Settings Admin (`roles/iap.settingsAdmin`)
`iap.webTypes.setIamPolicy`	Owner (`roles/owner`) Security Admin (`roles/iam.securityAdmin`) IAP Policy Admin (`roles/iap.admin`)
`iap.webTypes.updateSettings`	Owner (`roles/owner`) Editor (`roles/editor`) IAP Settings Admin (`roles/iap.settingsAdmin`)

Identity-Aware Proxy roles and permissions Stay organized with collections Save and categorize content based on your preferences.