Knative serving roles and permissions

This page lists the IAM roles and permissions for Knative serving. To search through all roles and permissions, see the role and permission index.

Knative serving roles

Role Permissions

Role	Permissions
KubeRun Events Control Plane Service Agent (`roles/kuberun.eventsControlPlaneServiceAgent`) Service account role used to setup authentication for the control plane used by KubeRun Events. Warning: Do not grant service agent roles to any principals except service agents.	`cloudscheduler.jobs.create` `cloudscheduler.jobs.delete` `cloudscheduler.jobs.get` `logging.sinks.create` `logging.sinks.delete` `logging.sinks.get` `pubsub.subscriptions.create` `pubsub.subscriptions.delete` `pubsub.subscriptions.get` `pubsub.topics.attachSubscription` `pubsub.topics.create` `pubsub.topics.delete` `pubsub.topics.get` `pubsub.topics.getIamPolicy` `pubsub.topics.setIamPolicy` `resourcemanager.projects.get` `storage.buckets.get` `storage.buckets.update`
KubeRun Events Data Plane Service Agent (`roles/kuberun.eventsDataPlaneServiceAgent`) Service account role used to setup authentication for the data plane used by KubeRun Events. Warning: Do not grant service agent roles to any principals except service agents.	`cloudtrace.traces.patch` `monitoring.timeSeries.create` `pubsub.subscriptions.consume` `pubsub.subscriptions.get` `pubsub.topics.get` `pubsub.topics.publish` `resourcemanager.projects.get`

(roles/kuberun.eventsControlPlaneServiceAgent)

Service account role used to setup authentication for the control plane used by KubeRun Events.

cloudscheduler.jobs.create

cloudscheduler.jobs.delete

cloudscheduler.jobs.get

logging.sinks.create

logging.sinks.delete

logging.sinks.get

pubsub.subscriptions.create

pubsub.subscriptions.delete

pubsub.subscriptions.get

pubsub.topics.attachSubscription

pubsub.topics.create

pubsub.topics.delete

pubsub.topics.get

pubsub.topics.getIamPolicy

pubsub.topics.setIamPolicy

resourcemanager.projects.get

storage.buckets.get

storage.buckets.update

(roles/kuberun.eventsDataPlaneServiceAgent)

Service account role used to setup authentication for the data plane used by KubeRun Events.

cloudtrace.traces.patch

monitoring.timeSeries.create

pubsub.subscriptions.consume

pubsub.subscriptions.get

pubsub.topics.get

pubsub.topics.publish

resourcemanager.projects.get

There are no IAM permissions for this service.