Identity-Aware Proxy roles and permissions

This page lists the IAM roles and permissions for Identity-Aware Proxy. To search through all roles and permissions, see the role and permission index.

Identity-Aware Proxy roles

Role Permissions

IAP Policy Admin (roles/iap.admin)

Provides full access to Identity-Aware Proxy resources.

iap.tunnel.*

  • iap.tunnel.getIamPolicy
  • iap.tunnel.setIamPolicy

iap.tunnelDestGroups.getIamPolicy

iap.tunnelDestGroups.setIamPolicy

iap.tunnelInstances.getIamPolicy

iap.tunnelInstances.setIamPolicy

iap.tunnelLocations.*

  • iap.tunnelLocations.getIamPolicy
  • iap.tunnelLocations.setIamPolicy

iap.tunnelZones.*

  • iap.tunnelZones.getIamPolicy
  • iap.tunnelZones.setIamPolicy

iap.web.getIamPolicy

iap.web.setIamPolicy

iap.webServiceVersions.getIamPolicy

iap.webServiceVersions.setIamPolicy

iap.webServices.getIamPolicy

iap.webServices.setIamPolicy

iap.webTypes.getIamPolicy

iap.webTypes.setIamPolicy

IAP-secured Web App User (roles/iap.httpsResourceAccessor)

Provides permission to access HTTPS resources which use Identity-Aware Proxy.

iap.webServiceVersions.accessViaIAP

IAP-secured Resource Remediator User (roles/iap.remediatorUser)

Remediate IAP resource

iap.tunnelDestGroups.remediate

iap.tunnelinstances.remediate

iap.webServiceVersions.remediate

IAP Settings Admin (roles/iap.settingsAdmin)

Administrator of IAP Settings.

iap.projects.*

  • iap.projects.getSettings
  • iap.projects.updateSettings

iap.web.getSettings

iap.web.updateSettings

iap.webServiceVersions.getSettings

iap.webServiceVersions.updateSettings

iap.webServices.getSettings

iap.webServices.updateSettings

iap.webTypes.getSettings

iap.webTypes.updateSettings

IAP-secured Tunnel Destination Group Editor (roles/iap.tunnelDestGroupEditor)

Edit Tunnel Destination Group resources which use Identity-Aware Proxy

iap.tunnelDestGroups.create

iap.tunnelDestGroups.delete

iap.tunnelDestGroups.get

iap.tunnelDestGroups.list

iap.tunnelDestGroups.update

IAP-secured Tunnel Destination Group Viewer (roles/iap.tunnelDestGroupViewer)

View Tunnel Destination Group resources which use Identity-Aware Proxy

iap.tunnelDestGroups.get

iap.tunnelDestGroups.list

IAP-secured Tunnel User (roles/iap.tunnelResourceAccessor)

Access Tunnel resources which use Identity-Aware Proxy

iap.tunnelDestGroups.accessViaIAP

iap.tunnelInstances.accessViaIAP

Identity-Aware Proxy permissions

Permission Included in roles

Owner (roles/owner)

Editor (roles/editor)

Viewer (roles/viewer)

IAP Settings Admin (roles/iap.settingsAdmin)

Owner (roles/owner)

Editor (roles/editor)

IAP Settings Admin (roles/iap.settingsAdmin)

Owner (roles/owner)

Security Admin (roles/iam.securityAdmin)

Security Reviewer (roles/iam.securityReviewer)

IAP Policy Admin (roles/iap.admin)

Owner (roles/owner)

Security Admin (roles/iam.securityAdmin)

IAP Policy Admin (roles/iap.admin)

Owner (roles/owner)

IAP-secured Tunnel User (roles/iap.tunnelResourceAccessor)

Owner (roles/owner)

Editor (roles/editor)

IAP-secured Tunnel Destination Group Editor (roles/iap.tunnelDestGroupEditor)

Owner (roles/owner)

Editor (roles/editor)

IAP-secured Tunnel Destination Group Editor (roles/iap.tunnelDestGroupEditor)

Owner (roles/owner)

Editor (roles/editor)

Viewer (roles/viewer)

IAP-secured Tunnel Destination Group Editor (roles/iap.tunnelDestGroupEditor)

IAP-secured Tunnel Destination Group Viewer (roles/iap.tunnelDestGroupViewer)

Owner (roles/owner)

Security Admin (roles/iam.securityAdmin)

Security Reviewer (roles/iam.securityReviewer)

IAP Policy Admin (roles/iap.admin)

Owner (roles/owner)

Editor (roles/editor)

Viewer (roles/viewer)

Security Admin (roles/iam.securityAdmin)

Security Reviewer (roles/iam.securityReviewer)

IAP-secured Tunnel Destination Group Editor (roles/iap.tunnelDestGroupEditor)

IAP-secured Tunnel Destination Group Viewer (roles/iap.tunnelDestGroupViewer)

Owner (roles/owner)

IAP-secured Resource Remediator User (roles/iap.remediatorUser)

Owner (roles/owner)

Security Admin (roles/iam.securityAdmin)

IAP Policy Admin (roles/iap.admin)

Owner (roles/owner)

Editor (roles/editor)

IAP-secured Tunnel Destination Group Editor (roles/iap.tunnelDestGroupEditor)

Owner (roles/owner)

IAP-secured Tunnel User (roles/iap.tunnelResourceAccessor)

Owner (roles/owner)

Security Admin (roles/iam.securityAdmin)

Security Reviewer (roles/iam.securityReviewer)

IAP Policy Admin (roles/iap.admin)

Owner (roles/owner)

Security Admin (roles/iam.securityAdmin)

IAP Policy Admin (roles/iap.admin)

Owner (roles/owner)

Security Admin (roles/iam.securityAdmin)

Security Reviewer (roles/iam.securityReviewer)

IAP Policy Admin (roles/iap.admin)

Owner (roles/owner)

Security Admin (roles/iam.securityAdmin)

IAP Policy Admin (roles/iap.admin)

Owner (roles/owner)

Security Admin (roles/iam.securityAdmin)

Security Reviewer (roles/iam.securityReviewer)

IAP Policy Admin (roles/iap.admin)

Owner (roles/owner)

Security Admin (roles/iam.securityAdmin)

IAP Policy Admin (roles/iap.admin)

Owner (roles/owner)

IAP-secured Resource Remediator User (roles/iap.remediatorUser)

Owner (roles/owner)

Security Admin (roles/iam.securityAdmin)

Security Reviewer (roles/iam.securityReviewer)

IAP Policy Admin (roles/iap.admin)

Owner (roles/owner)

Editor (roles/editor)

Viewer (roles/viewer)

IAP Settings Admin (roles/iap.settingsAdmin)

Owner (roles/owner)

Security Admin (roles/iam.securityAdmin)

IAP Policy Admin (roles/iap.admin)

Owner (roles/owner)

Editor (roles/editor)

IAP Settings Admin (roles/iap.settingsAdmin)

IAP-secured Web App User (roles/iap.httpsResourceAccessor)

Owner (roles/owner)

Security Admin (roles/iam.securityAdmin)

Security Reviewer (roles/iam.securityReviewer)

IAP Policy Admin (roles/iap.admin)

Owner (roles/owner)

Editor (roles/editor)

Viewer (roles/viewer)

IAP Settings Admin (roles/iap.settingsAdmin)

Owner (roles/owner)

IAP-secured Resource Remediator User (roles/iap.remediatorUser)

Owner (roles/owner)

Security Admin (roles/iam.securityAdmin)

IAP Policy Admin (roles/iap.admin)

Owner (roles/owner)

Editor (roles/editor)

IAP Settings Admin (roles/iap.settingsAdmin)

Owner (roles/owner)

Security Admin (roles/iam.securityAdmin)

Security Reviewer (roles/iam.securityReviewer)

IAP Policy Admin (roles/iap.admin)

Owner (roles/owner)

Editor (roles/editor)

Viewer (roles/viewer)

IAP Settings Admin (roles/iap.settingsAdmin)

Owner (roles/owner)

Security Admin (roles/iam.securityAdmin)

IAP Policy Admin (roles/iap.admin)

Owner (roles/owner)

Editor (roles/editor)

IAP Settings Admin (roles/iap.settingsAdmin)

Owner (roles/owner)

Security Admin (roles/iam.securityAdmin)

Security Reviewer (roles/iam.securityReviewer)

IAP Policy Admin (roles/iap.admin)

Owner (roles/owner)

Editor (roles/editor)

Viewer (roles/viewer)

IAP Settings Admin (roles/iap.settingsAdmin)

Owner (roles/owner)

Security Admin (roles/iam.securityAdmin)

IAP Policy Admin (roles/iap.admin)

Owner (roles/owner)

Editor (roles/editor)

IAP Settings Admin (roles/iap.settingsAdmin)