Network Connectivity Center roles and permissions

This page lists the IAM roles and permissions for Network Connectivity Center. To search through all roles and permissions, see the role and permission index.

Network Connectivity Center roles

Role Permissions

Role	Permissions
Service Automation Consumer Network Admin (`roles/networkconnectivity.consumerNetworkAdmin`) Service Automation Consumer Network Admin is responsible for setting up ServiceConnectionPolicies.	`networkconnectivity.serviceConnectionPolicies.*` `networkconnectivity.serviceConnectionPolicies.create` `networkconnectivity.serviceConnectionPolicies.delete` `networkconnectivity.serviceConnectionPolicies.get` `networkconnectivity.serviceConnectionPolicies.list` `networkconnectivity.serviceConnectionPolicies.update` `resourcemanager.projects.get` `resourcemanager.projects.list`
Group Admin (`roles/networkconnectivity.groupAdmin`) Enables full access to group resources and read-only access to hub and spoke resources	`networkconnectivity.gatewayAdvertisedRoutes.get` `networkconnectivity.gatewayAdvertisedRoutes.list` `networkconnectivity.groups.` `networkconnectivity.groups.acceptSpoke` `networkconnectivity.groups.acceptSpokeUpdate` `networkconnectivity.groups.get` `networkconnectivity.groups.getIamPolicy` `networkconnectivity.groups.list` `networkconnectivity.groups.rejectSpoke` `networkconnectivity.groups.rejectSpokeUpdate` `networkconnectivity.groups.setIamPolicy` `networkconnectivity.groups.use` `networkconnectivity.hubRouteTables.get` `networkconnectivity.hubRouteTables.getIamPolicy` `networkconnectivity.hubRouteTables.list` `networkconnectivity.hubRoutes.get` `networkconnectivity.hubRoutes.getIamPolicy` `networkconnectivity.hubRoutes.list` `networkconnectivity.hubs.get` `networkconnectivity.hubs.getIamPolicy` `networkconnectivity.hubs.list` `networkconnectivity.locations.` `networkconnectivity.locations.get` `networkconnectivity.locations.list` `networkconnectivity.operations.get` `networkconnectivity.operations.list` `networkconnectivity.spokes.get` `networkconnectivity.spokes.getIamPolicy` `networkconnectivity.spokes.list` `resourcemanager.projects.get` `resourcemanager.projects.list`
Group User (`roles/networkconnectivity.groupUser`) Enables use access on group resources	`networkconnectivity.groups.use`
Hub & Spoke Admin (`roles/networkconnectivity.hubAdmin`) Enables full access to hub and spoke resources. Lowest-level resources where you can grant this role: Project	`networkconnectivity.gatewayAdvertisedRoutes.` `networkconnectivity.gatewayAdvertisedRoutes.create` `networkconnectivity.gatewayAdvertisedRoutes.delete` `networkconnectivity.gatewayAdvertisedRoutes.get` `networkconnectivity.gatewayAdvertisedRoutes.list` `networkconnectivity.gatewayAdvertisedRoutes.update` `networkconnectivity.groups.` `networkconnectivity.groups.acceptSpoke` `networkconnectivity.groups.acceptSpokeUpdate` `networkconnectivity.groups.get` `networkconnectivity.groups.getIamPolicy` `networkconnectivity.groups.list` `networkconnectivity.groups.rejectSpoke` `networkconnectivity.groups.rejectSpokeUpdate` `networkconnectivity.groups.setIamPolicy` `networkconnectivity.groups.use` `networkconnectivity.hubRouteTables.` `networkconnectivity.hubRouteTables.get` `networkconnectivity.hubRouteTables.getIamPolicy` `networkconnectivity.hubRouteTables.list` `networkconnectivity.hubRouteTables.setIamPolicy` `networkconnectivity.hubRoutes.` `networkconnectivity.hubRoutes.get` `networkconnectivity.hubRoutes.getIamPolicy` `networkconnectivity.hubRoutes.list` `networkconnectivity.hubRoutes.setIamPolicy` `networkconnectivity.hubs.` `networkconnectivity.hubs.create` `networkconnectivity.hubs.delete` `networkconnectivity.hubs.get` `networkconnectivity.hubs.getIamPolicy` `networkconnectivity.hubs.list` `networkconnectivity.hubs.listSpokes` `networkconnectivity.hubs.queryStatus` `networkconnectivity.hubs.setIamPolicy` `networkconnectivity.hubs.update` `networkconnectivity.locations.` `networkconnectivity.locations.get` `networkconnectivity.locations.list` `networkconnectivity.operations.` `networkconnectivity.operations.cancel` `networkconnectivity.operations.delete` `networkconnectivity.operations.get` `networkconnectivity.operations.list` `networkconnectivity.spokes.` `networkconnectivity.spokes.create` `networkconnectivity.spokes.delete` `networkconnectivity.spokes.get` `networkconnectivity.spokes.getIamPolicy` `networkconnectivity.spokes.list` `networkconnectivity.spokes.setIamPolicy` `networkconnectivity.spokes.update` `resourcemanager.projects.get` `resourcemanager.projects.list`
Hub & Spoke Viewer (`roles/networkconnectivity.hubViewer`) Enables read-only access to hub and spoke resources. Lowest-level resources where you can grant this role: Project	`networkconnectivity.gatewayAdvertisedRoutes.get` `networkconnectivity.gatewayAdvertisedRoutes.list` `networkconnectivity.groups.get` `networkconnectivity.groups.getIamPolicy` `networkconnectivity.groups.list` `networkconnectivity.hubRouteTables.get` `networkconnectivity.hubRouteTables.getIamPolicy` `networkconnectivity.hubRouteTables.list` `networkconnectivity.hubRoutes.get` `networkconnectivity.hubRoutes.getIamPolicy` `networkconnectivity.hubRoutes.list` `networkconnectivity.hubs.get` `networkconnectivity.hubs.getIamPolicy` `networkconnectivity.hubs.list` `networkconnectivity.hubs.listSpokes` `networkconnectivity.hubs.queryStatus` `networkconnectivity.locations.*` `networkconnectivity.locations.get` `networkconnectivity.locations.list` `networkconnectivity.spokes.get` `networkconnectivity.spokes.getIamPolicy` `networkconnectivity.spokes.list` `resourcemanager.projects.get` `resourcemanager.projects.list`
Multicloud Data Transfer Config Admin (`roles/networkconnectivity.multicloudDataTransferConfigAdmin`) Full access to all Multicloud Data Transfer Config resources.	`networkconnectivity.multicloudDataTransferConfigs.` `networkconnectivity.multicloudDataTransferConfigs.create` `networkconnectivity.multicloudDataTransferConfigs.delete` `networkconnectivity.multicloudDataTransferConfigs.get` `networkconnectivity.multicloudDataTransferConfigs.list` `networkconnectivity.multicloudDataTransferConfigs.update` `networkconnectivity.multicloudDataTransferDestinations.` `networkconnectivity.multicloudDataTransferDestinations.create` `networkconnectivity.multicloudDataTransferDestinations.delete` `networkconnectivity.multicloudDataTransferDestinations.get` `networkconnectivity.multicloudDataTransferDestinations.list` `networkconnectivity.multicloudDataTransferDestinations.update` `networkconnectivity.multicloudDataTransferSupportedServices.*` `networkconnectivity.multicloudDataTransferSupportedServices.get` `networkconnectivity.multicloudDataTransferSupportedServices.list` `resourcemanager.projects.get` `resourcemanager.projects.list`
Multicloud Data Transfer Config Viewer (`roles/networkconnectivity.multicloudDataTransferConfigViewer`) Read-only access to all Multicloud Data Transfer Config resources.	`networkconnectivity.multicloudDataTransferConfigs.get` `networkconnectivity.multicloudDataTransferConfigs.list` `networkconnectivity.multicloudDataTransferDestinations.get` `networkconnectivity.multicloudDataTransferDestinations.list` `networkconnectivity.multicloudDataTransferSupportedServices.*` `networkconnectivity.multicloudDataTransferSupportedServices.get` `networkconnectivity.multicloudDataTransferSupportedServices.list` `resourcemanager.projects.get` `resourcemanager.projects.list`
Destination Admin (`roles/networkconnectivity.multicloudDataTransferDestinationAdmin`) Access to all Destination resources.	`networkconnectivity.multicloudDataTransferDestinations.` `networkconnectivity.multicloudDataTransferDestinations.create` `networkconnectivity.multicloudDataTransferDestinations.delete` `networkconnectivity.multicloudDataTransferDestinations.get` `networkconnectivity.multicloudDataTransferDestinations.list` `networkconnectivity.multicloudDataTransferDestinations.update` `networkconnectivity.multicloudDataTransferSupportedServices.` `networkconnectivity.multicloudDataTransferSupportedServices.get` `networkconnectivity.multicloudDataTransferSupportedServices.list` `resourcemanager.projects.get` `resourcemanager.projects.list`
Destination Viewer (`roles/networkconnectivity.multicloudDataTransferDestinationViewer`) Read-only access to all Destination resources.	`networkconnectivity.multicloudDataTransferDestinations.get` `networkconnectivity.multicloudDataTransferDestinations.list` `networkconnectivity.multicloudDataTransferSupportedServices.*` `networkconnectivity.multicloudDataTransferSupportedServices.get` `networkconnectivity.multicloudDataTransferSupportedServices.list` `resourcemanager.projects.get` `resourcemanager.projects.list`
Regional Endpoint Admin (`roles/networkconnectivity.regionalEndpointAdmin`) Full access to all Regional Endpoint resources.	`networkconnectivity.regionalEndpoints.*` `networkconnectivity.regionalEndpoints.create` `networkconnectivity.regionalEndpoints.delete` `networkconnectivity.regionalEndpoints.get` `networkconnectivity.regionalEndpoints.list` `resourcemanager.projects.get` `resourcemanager.projects.list`
Regional Endpoint Viewer (`roles/networkconnectivity.regionalEndpointViewer`) Read-only access to all Regional Endpoint resources.	`networkconnectivity.regionalEndpoints.get` `networkconnectivity.regionalEndpoints.list` `resourcemanager.projects.get` `resourcemanager.projects.list`
Network Connectivity Service Agent (`roles/networkconnectivity.serviceAgent`) Grants the Network Connectivity API authority to read some networking resources. It does not mutate these resources. Warning: Do not grant service agent roles to any principals except service agents.	`compute.addresses.create` `compute.addresses.createInternal` `compute.addresses.delete` `compute.addresses.deleteInternal` `compute.addresses.get` `compute.addresses.setLabels` `compute.addresses.use` `compute.forwardingRules.create` `compute.forwardingRules.delete` `compute.forwardingRules.get` `compute.forwardingRules.pscCreate` `compute.forwardingRules.pscDelete` `compute.forwardingRules.pscSetLabels` `compute.forwardingRules.pscUpdate` `compute.forwardingRules.setLabels` `compute.instances.get` `compute.interconnectAttachments.get` `compute.networks.get` `compute.networks.use` `compute.projects.get` `compute.regionOperations.get` `compute.routers.get` `compute.subnetworks.create` `compute.subnetworks.delete` `compute.subnetworks.get` `compute.subnetworks.getIamPolicy` `compute.subnetworks.list` `compute.subnetworks.setIamPolicy` `compute.subnetworks.use` `compute.vpnTunnels.get` `dns.managedZones.create` `dns.networks.bindPrivateDNSZone` `networkconnectivity.hubRouteTables.get` `networkconnectivity.hubRouteTables.list` `networkconnectivity.hubRoutes.get` `networkconnectivity.hubRoutes.list` `networkconnectivity.internalRanges.create` `networkconnectivity.internalRanges.delete` `networkconnectivity.internalRanges.get` `networkconnectivity.internalRanges.list` `networkconnectivity.operations.get` `servicedirectory.namespaces.associatePrivateZone` `servicedirectory.namespaces.create` `servicedirectory.namespaces.delete` `servicedirectory.services.create` `servicedirectory.services.delete`
Service Class User (`roles/networkconnectivity.serviceClassUser`) Service Class User uses a ServiceClass	`networkconnectivity.serviceClasses.get` `networkconnectivity.serviceClasses.list` `networkconnectivity.serviceClasses.use` `resourcemanager.projects.get` `resourcemanager.projects.list`
Service Automation Service Producer Admin (`roles/networkconnectivity.serviceProducerAdmin`) Service Automation Producer Admin uses information from a consumer request to manage ServiceClasses and ServiceConnectionMaps	`networkconnectivity.operations.get` `networkconnectivity.operations.list` `networkconnectivity.serviceClasses.` `networkconnectivity.serviceClasses.create` `networkconnectivity.serviceClasses.delete` `networkconnectivity.serviceClasses.get` `networkconnectivity.serviceClasses.list` `networkconnectivity.serviceClasses.update` `networkconnectivity.serviceClasses.use` `networkconnectivity.serviceConnectionMaps.` `networkconnectivity.serviceConnectionMaps.create` `networkconnectivity.serviceConnectionMaps.delete` `networkconnectivity.serviceConnectionMaps.get` `networkconnectivity.serviceConnectionMaps.list` `networkconnectivity.serviceConnectionMaps.update` `resourcemanager.projects.get` `resourcemanager.projects.list`
Spoke Admin (`roles/networkconnectivity.spokeAdmin`) Enables full access to spoke resources and read-only access to hub resources. Lowest-level resources where you can grant this role: Project	`networkconnectivity.gatewayAdvertisedRoutes.` `networkconnectivity.gatewayAdvertisedRoutes.create` `networkconnectivity.gatewayAdvertisedRoutes.delete` `networkconnectivity.gatewayAdvertisedRoutes.get` `networkconnectivity.gatewayAdvertisedRoutes.list` `networkconnectivity.gatewayAdvertisedRoutes.update` `networkconnectivity.hubRouteTables.get` `networkconnectivity.hubRouteTables.getIamPolicy` `networkconnectivity.hubRouteTables.list` `networkconnectivity.hubRoutes.get` `networkconnectivity.hubRoutes.getIamPolicy` `networkconnectivity.hubRoutes.list` `networkconnectivity.hubs.get` `networkconnectivity.hubs.getIamPolicy` `networkconnectivity.hubs.list` `networkconnectivity.locations.` `networkconnectivity.locations.get` `networkconnectivity.locations.list` `networkconnectivity.operations.get` `networkconnectivity.operations.list` `networkconnectivity.spokes.*` `networkconnectivity.spokes.create` `networkconnectivity.spokes.delete` `networkconnectivity.spokes.get` `networkconnectivity.spokes.getIamPolicy` `networkconnectivity.spokes.list` `networkconnectivity.spokes.setIamPolicy` `networkconnectivity.spokes.update` `resourcemanager.projects.get` `resourcemanager.projects.list`

Service Automation Consumer Network Admin

(roles/networkconnectivity.consumerNetworkAdmin)

Service Automation Consumer Network Admin is responsible for setting up ServiceConnectionPolicies.

networkconnectivity.serviceConnectionPolicies.*

networkconnectivity.serviceConnectionPolicies.create
networkconnectivity.serviceConnectionPolicies.delete
networkconnectivity.serviceConnectionPolicies.get
networkconnectivity.serviceConnectionPolicies.list
networkconnectivity.serviceConnectionPolicies.update

resourcemanager.projects.get

resourcemanager.projects.list

Group Admin

(roles/networkconnectivity.groupAdmin)

Enables full access to group resources and read-only access to hub and spoke resources

networkconnectivity.gatewayAdvertisedRoutes.get

networkconnectivity.gatewayAdvertisedRoutes.list

networkconnectivity.groups.*

networkconnectivity.groups.acceptSpoke
networkconnectivity.groups.acceptSpokeUpdate
networkconnectivity.groups.get
networkconnectivity.groups.getIamPolicy
networkconnectivity.groups.list
networkconnectivity.groups.rejectSpoke
networkconnectivity.groups.rejectSpokeUpdate
networkconnectivity.groups.setIamPolicy
networkconnectivity.groups.use

networkconnectivity.hubRouteTables.get

networkconnectivity.hubRouteTables.getIamPolicy

networkconnectivity.hubRouteTables.list

networkconnectivity.hubRoutes.get

networkconnectivity.hubRoutes.getIamPolicy

networkconnectivity.hubRoutes.list

networkconnectivity.hubs.get

networkconnectivity.hubs.getIamPolicy

networkconnectivity.hubs.list

networkconnectivity.locations.*

networkconnectivity.locations.get
networkconnectivity.locations.list

networkconnectivity.operations.get

networkconnectivity.operations.list

networkconnectivity.spokes.get

networkconnectivity.spokes.getIamPolicy

networkconnectivity.spokes.list

resourcemanager.projects.get

resourcemanager.projects.list

Group User

(roles/networkconnectivity.groupUser)

Enables use access on group resources

networkconnectivity.groups.use

Hub & Spoke Admin

(roles/networkconnectivity.hubAdmin)

Enables full access to hub and spoke resources.

Lowest-level resources where you can grant this role:

Project

networkconnectivity.gatewayAdvertisedRoutes.*

networkconnectivity.gatewayAdvertisedRoutes.create
networkconnectivity.gatewayAdvertisedRoutes.delete
networkconnectivity.gatewayAdvertisedRoutes.get
networkconnectivity.gatewayAdvertisedRoutes.list
networkconnectivity.gatewayAdvertisedRoutes.update

networkconnectivity.groups.*

networkconnectivity.groups.acceptSpoke
networkconnectivity.groups.acceptSpokeUpdate
networkconnectivity.groups.get
networkconnectivity.groups.getIamPolicy
networkconnectivity.groups.list
networkconnectivity.groups.rejectSpoke
networkconnectivity.groups.rejectSpokeUpdate
networkconnectivity.groups.setIamPolicy
networkconnectivity.groups.use

networkconnectivity.hubRouteTables.*

networkconnectivity.hubRouteTables.get
networkconnectivity.hubRouteTables.getIamPolicy
networkconnectivity.hubRouteTables.list
networkconnectivity.hubRouteTables.setIamPolicy

networkconnectivity.hubRoutes.*

networkconnectivity.hubRoutes.get
networkconnectivity.hubRoutes.getIamPolicy
networkconnectivity.hubRoutes.list
networkconnectivity.hubRoutes.setIamPolicy

networkconnectivity.hubs.*

networkconnectivity.hubs.create
networkconnectivity.hubs.delete
networkconnectivity.hubs.get
networkconnectivity.hubs.getIamPolicy
networkconnectivity.hubs.list
networkconnectivity.hubs.listSpokes
networkconnectivity.hubs.queryStatus
networkconnectivity.hubs.setIamPolicy
networkconnectivity.hubs.update

networkconnectivity.locations.*

networkconnectivity.locations.get
networkconnectivity.locations.list

networkconnectivity.operations.*

networkconnectivity.operations.cancel
networkconnectivity.operations.delete
networkconnectivity.operations.get
networkconnectivity.operations.list

networkconnectivity.spokes.*

networkconnectivity.spokes.create
networkconnectivity.spokes.delete
networkconnectivity.spokes.get
networkconnectivity.spokes.getIamPolicy
networkconnectivity.spokes.list
networkconnectivity.spokes.setIamPolicy
networkconnectivity.spokes.update

resourcemanager.projects.get

resourcemanager.projects.list

Hub & Spoke Viewer

(roles/networkconnectivity.hubViewer)

Enables read-only access to hub and spoke resources.

Lowest-level resources where you can grant this role:

Project

networkconnectivity.gatewayAdvertisedRoutes.get

networkconnectivity.gatewayAdvertisedRoutes.list

networkconnectivity.groups.get

networkconnectivity.groups.getIamPolicy

networkconnectivity.groups.list

networkconnectivity.hubRouteTables.get

networkconnectivity.hubRouteTables.getIamPolicy

networkconnectivity.hubRouteTables.list

networkconnectivity.hubRoutes.get

networkconnectivity.hubRoutes.getIamPolicy

networkconnectivity.hubRoutes.list

networkconnectivity.hubs.get

networkconnectivity.hubs.getIamPolicy

networkconnectivity.hubs.list

networkconnectivity.hubs.listSpokes

networkconnectivity.hubs.queryStatus

networkconnectivity.locations.*

networkconnectivity.locations.get
networkconnectivity.locations.list

networkconnectivity.spokes.get

networkconnectivity.spokes.getIamPolicy

networkconnectivity.spokes.list

resourcemanager.projects.get

resourcemanager.projects.list

Multicloud Data Transfer Config Admin

(roles/networkconnectivity.multicloudDataTransferConfigAdmin)

Full access to all Multicloud Data Transfer Config resources.

networkconnectivity.multicloudDataTransferConfigs.*

networkconnectivity.multicloudDataTransferConfigs.create
networkconnectivity.multicloudDataTransferConfigs.delete
networkconnectivity.multicloudDataTransferConfigs.get
networkconnectivity.multicloudDataTransferConfigs.list
networkconnectivity.multicloudDataTransferConfigs.update

networkconnectivity.multicloudDataTransferDestinations.*

networkconnectivity.multicloudDataTransferDestinations.create
networkconnectivity.multicloudDataTransferDestinations.delete
networkconnectivity.multicloudDataTransferDestinations.get
networkconnectivity.multicloudDataTransferDestinations.list
networkconnectivity.multicloudDataTransferDestinations.update

networkconnectivity.multicloudDataTransferSupportedServices.*

networkconnectivity.multicloudDataTransferSupportedServices.get
networkconnectivity.multicloudDataTransferSupportedServices.list

resourcemanager.projects.get

resourcemanager.projects.list

Multicloud Data Transfer Config Viewer

(roles/networkconnectivity.multicloudDataTransferConfigViewer)

Read-only access to all Multicloud Data Transfer Config resources.

networkconnectivity.multicloudDataTransferConfigs.get

networkconnectivity.multicloudDataTransferConfigs.list

networkconnectivity.multicloudDataTransferDestinations.get

networkconnectivity.multicloudDataTransferDestinations.list

networkconnectivity.multicloudDataTransferSupportedServices.*

networkconnectivity.multicloudDataTransferSupportedServices.get
networkconnectivity.multicloudDataTransferSupportedServices.list

resourcemanager.projects.get

resourcemanager.projects.list

Destination Admin

(roles/networkconnectivity.multicloudDataTransferDestinationAdmin)

Access to all Destination resources.

networkconnectivity.multicloudDataTransferDestinations.*

networkconnectivity.multicloudDataTransferDestinations.create
networkconnectivity.multicloudDataTransferDestinations.delete
networkconnectivity.multicloudDataTransferDestinations.get
networkconnectivity.multicloudDataTransferDestinations.list
networkconnectivity.multicloudDataTransferDestinations.update

networkconnectivity.multicloudDataTransferSupportedServices.*

networkconnectivity.multicloudDataTransferSupportedServices.get
networkconnectivity.multicloudDataTransferSupportedServices.list

resourcemanager.projects.get

resourcemanager.projects.list

Destination Viewer

(roles/networkconnectivity.multicloudDataTransferDestinationViewer)

Read-only access to all Destination resources.

networkconnectivity.multicloudDataTransferDestinations.get

networkconnectivity.multicloudDataTransferDestinations.list

networkconnectivity.multicloudDataTransferSupportedServices.*

networkconnectivity.multicloudDataTransferSupportedServices.get
networkconnectivity.multicloudDataTransferSupportedServices.list

resourcemanager.projects.get

resourcemanager.projects.list

Regional Endpoint Admin

(roles/networkconnectivity.regionalEndpointAdmin)

Full access to all Regional Endpoint resources.

networkconnectivity.regionalEndpoints.*

networkconnectivity.regionalEndpoints.create
networkconnectivity.regionalEndpoints.delete
networkconnectivity.regionalEndpoints.get
networkconnectivity.regionalEndpoints.list

resourcemanager.projects.get

resourcemanager.projects.list

Regional Endpoint Viewer

(roles/networkconnectivity.regionalEndpointViewer)

Read-only access to all Regional Endpoint resources.

networkconnectivity.regionalEndpoints.get

networkconnectivity.regionalEndpoints.list

resourcemanager.projects.get

resourcemanager.projects.list

Network Connectivity Service Agent

(roles/networkconnectivity.serviceAgent)

Grants the Network Connectivity API authority to read some networking resources. It does not mutate these resources.

compute.addresses.create

compute.addresses.createInternal

compute.addresses.delete

compute.addresses.deleteInternal

compute.addresses.get

compute.addresses.setLabels

compute.addresses.use

compute.forwardingRules.create

compute.forwardingRules.delete

compute.forwardingRules.get

compute.forwardingRules.pscCreate

compute.forwardingRules.pscDelete

compute.forwardingRules.pscSetLabels

compute.forwardingRules.pscUpdate

compute.forwardingRules.setLabels

compute.instances.get

compute.interconnectAttachments.get

compute.networks.get

compute.networks.use

compute.projects.get

compute.regionOperations.get

compute.routers.get

compute.subnetworks.create

compute.subnetworks.delete

compute.subnetworks.get

compute.subnetworks.getIamPolicy

compute.subnetworks.list

compute.subnetworks.setIamPolicy

compute.subnetworks.use

compute.vpnTunnels.get

dns.managedZones.create

dns.networks.bindPrivateDNSZone

networkconnectivity.hubRouteTables.get

networkconnectivity.hubRouteTables.list

networkconnectivity.hubRoutes.get

networkconnectivity.hubRoutes.list

networkconnectivity.internalRanges.create

networkconnectivity.internalRanges.delete

networkconnectivity.internalRanges.get

networkconnectivity.internalRanges.list

networkconnectivity.operations.get

servicedirectory.namespaces.associatePrivateZone

servicedirectory.namespaces.create

servicedirectory.namespaces.delete

servicedirectory.services.create

servicedirectory.services.delete

Service Class User

(roles/networkconnectivity.serviceClassUser)

Service Class User uses a ServiceClass

networkconnectivity.serviceClasses.get

networkconnectivity.serviceClasses.list

networkconnectivity.serviceClasses.use

resourcemanager.projects.get

resourcemanager.projects.list

Service Automation Service Producer Admin

(roles/networkconnectivity.serviceProducerAdmin)

Service Automation Producer Admin uses information from a consumer request to manage ServiceClasses and ServiceConnectionMaps

networkconnectivity.operations.get

networkconnectivity.operations.list

networkconnectivity.serviceClasses.*

networkconnectivity.serviceClasses.create
networkconnectivity.serviceClasses.delete
networkconnectivity.serviceClasses.get
networkconnectivity.serviceClasses.list
networkconnectivity.serviceClasses.update
networkconnectivity.serviceClasses.use

networkconnectivity.serviceConnectionMaps.*

networkconnectivity.serviceConnectionMaps.create
networkconnectivity.serviceConnectionMaps.delete
networkconnectivity.serviceConnectionMaps.get
networkconnectivity.serviceConnectionMaps.list
networkconnectivity.serviceConnectionMaps.update

resourcemanager.projects.get

resourcemanager.projects.list

Spoke Admin

(roles/networkconnectivity.spokeAdmin)

Enables full access to spoke resources and read-only access to hub resources.

Lowest-level resources where you can grant this role:

Project

networkconnectivity.gatewayAdvertisedRoutes.*

networkconnectivity.gatewayAdvertisedRoutes.create
networkconnectivity.gatewayAdvertisedRoutes.delete
networkconnectivity.gatewayAdvertisedRoutes.get
networkconnectivity.gatewayAdvertisedRoutes.list
networkconnectivity.gatewayAdvertisedRoutes.update

networkconnectivity.hubRouteTables.get

networkconnectivity.hubRouteTables.getIamPolicy

networkconnectivity.hubRouteTables.list

networkconnectivity.hubRoutes.get

networkconnectivity.hubRoutes.getIamPolicy

networkconnectivity.hubRoutes.list

networkconnectivity.hubs.get

networkconnectivity.hubs.getIamPolicy

networkconnectivity.hubs.list

networkconnectivity.locations.*

networkconnectivity.locations.get
networkconnectivity.locations.list

networkconnectivity.operations.get

networkconnectivity.operations.list

networkconnectivity.spokes.*

networkconnectivity.spokes.create
networkconnectivity.spokes.delete
networkconnectivity.spokes.get
networkconnectivity.spokes.getIamPolicy
networkconnectivity.spokes.list
networkconnectivity.spokes.setIamPolicy
networkconnectivity.spokes.update

resourcemanager.projects.get

resourcemanager.projects.list

Network Connectivity Center permissions

Permission	Included in roles
`networkconnectivity.gatewayAdvertisedRoutes.create`	Owner (`roles/owner`) Editor (`roles/editor`) Network Administrator (`roles/iam.networkAdmin`) Hub & Spoke Admin (`roles/networkconnectivity.hubAdmin`) Spoke Admin (`roles/networkconnectivity.spokeAdmin`)
`networkconnectivity.gatewayAdvertisedRoutes.delete`	Owner (`roles/owner`) Editor (`roles/editor`) Network Administrator (`roles/iam.networkAdmin`) Hub & Spoke Admin (`roles/networkconnectivity.hubAdmin`) Spoke Admin (`roles/networkconnectivity.spokeAdmin`)
`networkconnectivity.gatewayAdvertisedRoutes.get`	Owner (`roles/owner`) Editor (`roles/editor`) Viewer (`roles/viewer`) Network Administrator (`roles/iam.networkAdmin`) Support User (`roles/iam.supportUser`) Group Admin (`roles/networkconnectivity.groupAdmin`) Hub & Spoke Admin (`roles/networkconnectivity.hubAdmin`) Hub & Spoke Viewer (`roles/networkconnectivity.hubViewer`) Spoke Admin (`roles/networkconnectivity.spokeAdmin`)
`networkconnectivity.gatewayAdvertisedRoutes.list`	Owner (`roles/owner`) Editor (`roles/editor`) Viewer (`roles/viewer`) Network Administrator (`roles/iam.networkAdmin`) Security Admin (`roles/iam.securityAdmin`) Security Auditor (`roles/iam.securityAuditor`) Security Reviewer (`roles/iam.securityReviewer`) Support User (`roles/iam.supportUser`) Group Admin (`roles/networkconnectivity.groupAdmin`) Hub & Spoke Admin (`roles/networkconnectivity.hubAdmin`) Hub & Spoke Viewer (`roles/networkconnectivity.hubViewer`) Spoke Admin (`roles/networkconnectivity.spokeAdmin`)
`networkconnectivity.gatewayAdvertisedRoutes.update`	Owner (`roles/owner`) Editor (`roles/editor`) Network Administrator (`roles/iam.networkAdmin`) Hub & Spoke Admin (`roles/networkconnectivity.hubAdmin`) Spoke Admin (`roles/networkconnectivity.spokeAdmin`)
`networkconnectivity.groups.acceptSpoke`	Owner (`roles/owner`) Editor (`roles/editor`) Network Administrator (`roles/iam.networkAdmin`) Group Admin (`roles/networkconnectivity.groupAdmin`) Hub & Spoke Admin (`roles/networkconnectivity.hubAdmin`)
`networkconnectivity.groups.acceptSpokeUpdate`	Owner (`roles/owner`) Editor (`roles/editor`) Network Administrator (`roles/iam.networkAdmin`) Group Admin (`roles/networkconnectivity.groupAdmin`) Hub & Spoke Admin (`roles/networkconnectivity.hubAdmin`)
`networkconnectivity.groups.get`	Owner (`roles/owner`) Editor (`roles/editor`) Viewer (`roles/viewer`) Network Administrator (`roles/iam.networkAdmin`) Support User (`roles/iam.supportUser`) Group Admin (`roles/networkconnectivity.groupAdmin`) Hub & Spoke Admin (`roles/networkconnectivity.hubAdmin`) Hub & Spoke Viewer (`roles/networkconnectivity.hubViewer`)
`networkconnectivity.groups.getIamPolicy`	Owner (`roles/owner`) Editor (`roles/editor`) Viewer (`roles/viewer`) Network Administrator (`roles/iam.networkAdmin`) Security Admin (`roles/iam.securityAdmin`) Security Auditor (`roles/iam.securityAuditor`) Security Reviewer (`roles/iam.securityReviewer`) Support User (`roles/iam.supportUser`) Group Admin (`roles/networkconnectivity.groupAdmin`) Hub & Spoke Admin (`roles/networkconnectivity.hubAdmin`) Hub & Spoke Viewer (`roles/networkconnectivity.hubViewer`)
`networkconnectivity.groups.list`	Owner (`roles/owner`) Editor (`roles/editor`) Viewer (`roles/viewer`) Network Administrator (`roles/iam.networkAdmin`) Security Admin (`roles/iam.securityAdmin`) Security Auditor (`roles/iam.securityAuditor`) Security Reviewer (`roles/iam.securityReviewer`) Support User (`roles/iam.supportUser`) Group Admin (`roles/networkconnectivity.groupAdmin`) Hub & Spoke Admin (`roles/networkconnectivity.hubAdmin`) Hub & Spoke Viewer (`roles/networkconnectivity.hubViewer`)
`networkconnectivity.groups.rejectSpoke`	Owner (`roles/owner`) Editor (`roles/editor`) Network Administrator (`roles/iam.networkAdmin`) Group Admin (`roles/networkconnectivity.groupAdmin`) Hub & Spoke Admin (`roles/networkconnectivity.hubAdmin`)
`networkconnectivity.groups.rejectSpokeUpdate`	Owner (`roles/owner`) Editor (`roles/editor`) Network Administrator (`roles/iam.networkAdmin`) Group Admin (`roles/networkconnectivity.groupAdmin`) Hub & Spoke Admin (`roles/networkconnectivity.hubAdmin`)
`networkconnectivity.groups.setIamPolicy`	Owner (`roles/owner`) Network Administrator (`roles/iam.networkAdmin`) Security Admin (`roles/iam.securityAdmin`) Group Admin (`roles/networkconnectivity.groupAdmin`) Hub & Spoke Admin (`roles/networkconnectivity.hubAdmin`)
`networkconnectivity.groups.use`	Owner (`roles/owner`) Editor (`roles/editor`) Network Administrator (`roles/iam.networkAdmin`) Group Admin (`roles/networkconnectivity.groupAdmin`) Group User (`roles/networkconnectivity.groupUser`) Hub & Spoke Admin (`roles/networkconnectivity.hubAdmin`)
`networkconnectivity.hubRouteTables.get`	Owner (`roles/owner`) Editor (`roles/editor`) Viewer (`roles/viewer`) Network Administrator (`roles/iam.networkAdmin`) Support User (`roles/iam.supportUser`) Group Admin (`roles/networkconnectivity.groupAdmin`) Hub & Spoke Admin (`roles/networkconnectivity.hubAdmin`) Hub & Spoke Viewer (`roles/networkconnectivity.hubViewer`) Spoke Admin (`roles/networkconnectivity.spokeAdmin`) Service agent roles Warning: Don't grant service agent roles to any principals except service agents. Network Connectivity Service Agent (`roles/networkconnectivity.serviceAgent`)
`networkconnectivity.hubRouteTables.getIamPolicy`	Owner (`roles/owner`) Editor (`roles/editor`) Viewer (`roles/viewer`) Network Administrator (`roles/iam.networkAdmin`) Security Admin (`roles/iam.securityAdmin`) Security Auditor (`roles/iam.securityAuditor`) Security Reviewer (`roles/iam.securityReviewer`) Support User (`roles/iam.supportUser`) Group Admin (`roles/networkconnectivity.groupAdmin`) Hub & Spoke Admin (`roles/networkconnectivity.hubAdmin`) Hub & Spoke Viewer (`roles/networkconnectivity.hubViewer`) Spoke Admin (`roles/networkconnectivity.spokeAdmin`)
`networkconnectivity.hubRouteTables.list`	Owner (`roles/owner`) Editor (`roles/editor`) Viewer (`roles/viewer`) Network Administrator (`roles/iam.networkAdmin`) Security Admin (`roles/iam.securityAdmin`) Security Auditor (`roles/iam.securityAuditor`) Security Reviewer (`roles/iam.securityReviewer`) Support User (`roles/iam.supportUser`) Group Admin (`roles/networkconnectivity.groupAdmin`) Hub & Spoke Admin (`roles/networkconnectivity.hubAdmin`) Hub & Spoke Viewer (`roles/networkconnectivity.hubViewer`) Spoke Admin (`roles/networkconnectivity.spokeAdmin`) Service agent roles Warning: Don't grant service agent roles to any principals except service agents. Network Connectivity Service Agent (`roles/networkconnectivity.serviceAgent`)
`networkconnectivity.hubRouteTables.setIamPolicy`	Owner (`roles/owner`) Network Administrator (`roles/iam.networkAdmin`) Security Admin (`roles/iam.securityAdmin`) Hub & Spoke Admin (`roles/networkconnectivity.hubAdmin`)
`networkconnectivity.hubRoutes.get`	Owner (`roles/owner`) Editor (`roles/editor`) Viewer (`roles/viewer`) Network Administrator (`roles/iam.networkAdmin`) Support User (`roles/iam.supportUser`) Group Admin (`roles/networkconnectivity.groupAdmin`) Hub & Spoke Admin (`roles/networkconnectivity.hubAdmin`) Hub & Spoke Viewer (`roles/networkconnectivity.hubViewer`) Spoke Admin (`roles/networkconnectivity.spokeAdmin`) Service agent roles Warning: Don't grant service agent roles to any principals except service agents. Network Connectivity Service Agent (`roles/networkconnectivity.serviceAgent`)
`networkconnectivity.hubRoutes.getIamPolicy`	Owner (`roles/owner`) Editor (`roles/editor`) Viewer (`roles/viewer`) Network Administrator (`roles/iam.networkAdmin`) Security Admin (`roles/iam.securityAdmin`) Security Auditor (`roles/iam.securityAuditor`) Security Reviewer (`roles/iam.securityReviewer`) Support User (`roles/iam.supportUser`) Group Admin (`roles/networkconnectivity.groupAdmin`) Hub & Spoke Admin (`roles/networkconnectivity.hubAdmin`) Hub & Spoke Viewer (`roles/networkconnectivity.hubViewer`) Spoke Admin (`roles/networkconnectivity.spokeAdmin`)
`networkconnectivity.hubRoutes.list`	Owner (`roles/owner`) Editor (`roles/editor`) Viewer (`roles/viewer`) Network Administrator (`roles/iam.networkAdmin`) Security Admin (`roles/iam.securityAdmin`) Security Auditor (`roles/iam.securityAuditor`) Security Reviewer (`roles/iam.securityReviewer`) Support User (`roles/iam.supportUser`) Group Admin (`roles/networkconnectivity.groupAdmin`) Hub & Spoke Admin (`roles/networkconnectivity.hubAdmin`) Hub & Spoke Viewer (`roles/networkconnectivity.hubViewer`) Spoke Admin (`roles/networkconnectivity.spokeAdmin`) Service agent roles Warning: Don't grant service agent roles to any principals except service agents. Network Connectivity Service Agent (`roles/networkconnectivity.serviceAgent`)
`networkconnectivity.hubRoutes.setIamPolicy`	Owner (`roles/owner`) Network Administrator (`roles/iam.networkAdmin`) Security Admin (`roles/iam.securityAdmin`) Hub & Spoke Admin (`roles/networkconnectivity.hubAdmin`)
`networkconnectivity.hubs.create`	Owner (`roles/owner`) Editor (`roles/editor`) Network Administrator (`roles/iam.networkAdmin`) Hub & Spoke Admin (`roles/networkconnectivity.hubAdmin`)
`networkconnectivity.hubs.delete`	Owner (`roles/owner`) Editor (`roles/editor`) Network Administrator (`roles/iam.networkAdmin`) Hub & Spoke Admin (`roles/networkconnectivity.hubAdmin`)
`networkconnectivity.hubs.get`	Owner (`roles/owner`) Editor (`roles/editor`) Viewer (`roles/viewer`) Network Administrator (`roles/iam.networkAdmin`) Support User (`roles/iam.supportUser`) Group Admin (`roles/networkconnectivity.groupAdmin`) Hub & Spoke Admin (`roles/networkconnectivity.hubAdmin`) Hub & Spoke Viewer (`roles/networkconnectivity.hubViewer`) Spoke Admin (`roles/networkconnectivity.spokeAdmin`)
`networkconnectivity.hubs.getIamPolicy`	Owner (`roles/owner`) Editor (`roles/editor`) Viewer (`roles/viewer`) Network Administrator (`roles/iam.networkAdmin`) Security Admin (`roles/iam.securityAdmin`) Security Auditor (`roles/iam.securityAuditor`) Security Reviewer (`roles/iam.securityReviewer`) Support User (`roles/iam.supportUser`) Group Admin (`roles/networkconnectivity.groupAdmin`) Hub & Spoke Admin (`roles/networkconnectivity.hubAdmin`) Hub & Spoke Viewer (`roles/networkconnectivity.hubViewer`) Spoke Admin (`roles/networkconnectivity.spokeAdmin`)
`networkconnectivity.hubs.list`	Owner (`roles/owner`) Editor (`roles/editor`) Viewer (`roles/viewer`) Network Administrator (`roles/iam.networkAdmin`) Security Admin (`roles/iam.securityAdmin`) Security Auditor (`roles/iam.securityAuditor`) Security Reviewer (`roles/iam.securityReviewer`) Support User (`roles/iam.supportUser`) Group Admin (`roles/networkconnectivity.groupAdmin`) Hub & Spoke Admin (`roles/networkconnectivity.hubAdmin`) Hub & Spoke Viewer (`roles/networkconnectivity.hubViewer`) Spoke Admin (`roles/networkconnectivity.spokeAdmin`)
`networkconnectivity.hubs.listSpokes`	Owner (`roles/owner`) Editor (`roles/editor`) Viewer (`roles/viewer`) Network Administrator (`roles/iam.networkAdmin`) Support User (`roles/iam.supportUser`) Hub & Spoke Admin (`roles/networkconnectivity.hubAdmin`) Hub & Spoke Viewer (`roles/networkconnectivity.hubViewer`)
`networkconnectivity.hubs.queryStatus`	Owner (`roles/owner`) Editor (`roles/editor`) Viewer (`roles/viewer`) Network Administrator (`roles/iam.networkAdmin`) Support User (`roles/iam.supportUser`) Hub & Spoke Admin (`roles/networkconnectivity.hubAdmin`) Hub & Spoke Viewer (`roles/networkconnectivity.hubViewer`)
`networkconnectivity.hubs.setIamPolicy`	Owner (`roles/owner`) Network Administrator (`roles/iam.networkAdmin`) Security Admin (`roles/iam.securityAdmin`) Hub & Spoke Admin (`roles/networkconnectivity.hubAdmin`)
`networkconnectivity.hubs.update`	Owner (`roles/owner`) Editor (`roles/editor`) Network Administrator (`roles/iam.networkAdmin`) Hub & Spoke Admin (`roles/networkconnectivity.hubAdmin`)
`networkconnectivity.internalRanges.create`	Owner (`roles/owner`) Editor (`roles/editor`) Compute Network Admin (`roles/compute.networkAdmin`) Infrastructure Administrator (`roles/iam.infrastructureAdmin`) Network Administrator (`roles/iam.networkAdmin`) Service agent roles Warning: Don't grant service agent roles to any principals except service agents. Cloud Composer API Service Agent (`roles/composer.serviceAgent`) Kubernetes Engine Service Agent (`roles/container.serviceAgent`) Cloud Dataflow Service Agent (`roles/dataflow.serviceAgent`) Network Connectivity Service Agent (`roles/networkconnectivity.serviceAgent`) Oracle Database@Google Cloud Service Agent (`roles/oci.serviceAgent`) Cloud TPU V2 API Service Agent (`roles/cloudtpu.serviceAgent`)
`networkconnectivity.internalRanges.delete`	Owner (`roles/owner`) Editor (`roles/editor`) Compute Network Admin (`roles/compute.networkAdmin`) Infrastructure Administrator (`roles/iam.infrastructureAdmin`) Network Administrator (`roles/iam.networkAdmin`) Service agent roles Warning: Don't grant service agent roles to any principals except service agents. Cloud Composer API Service Agent (`roles/composer.serviceAgent`) Kubernetes Engine Service Agent (`roles/container.serviceAgent`) Cloud Dataflow Service Agent (`roles/dataflow.serviceAgent`) Network Connectivity Service Agent (`roles/networkconnectivity.serviceAgent`) Oracle Database@Google Cloud Service Agent (`roles/oci.serviceAgent`) Cloud TPU V2 API Service Agent (`roles/cloudtpu.serviceAgent`)
`networkconnectivity.internalRanges.get`	Owner (`roles/owner`) Editor (`roles/editor`) Viewer (`roles/viewer`) Compute Network Admin (`roles/compute.networkAdmin`) Compute Network User (`roles/compute.networkUser`) Compute Network Viewer (`roles/compute.networkViewer`) Infrastructure Administrator (`roles/iam.infrastructureAdmin`) Network Administrator (`roles/iam.networkAdmin`) Security Auditor (`roles/iam.securityAuditor`) Support User (`roles/iam.supportUser`) Service agent roles Warning: Don't grant service agent roles to any principals except service agents. Cloud Composer API Service Agent (`roles/composer.serviceAgent`) Kubernetes Engine Service Agent (`roles/container.serviceAgent`) Cloud Dataflow Service Agent (`roles/dataflow.serviceAgent`) Cloud Data Fusion API Service Agent (`roles/datafusion.serviceAgent`) Network Connectivity Service Agent (`roles/networkconnectivity.serviceAgent`) Oracle Database@Google Cloud Service Agent (`roles/oci.serviceAgent`) Cloud TPU V2 API Service Agent (`roles/cloudtpu.serviceAgent`)
`networkconnectivity.internalRanges.getIamPolicy`	Owner (`roles/owner`) Editor (`roles/editor`) Viewer (`roles/viewer`) Compute Network Admin (`roles/compute.networkAdmin`) Infrastructure Administrator (`roles/iam.infrastructureAdmin`) Network Administrator (`roles/iam.networkAdmin`) Security Admin (`roles/iam.securityAdmin`) Security Auditor (`roles/iam.securityAuditor`) Security Reviewer (`roles/iam.securityReviewer`) Support User (`roles/iam.supportUser`) Service agent roles Warning: Don't grant service agent roles to any principals except service agents. Cloud Composer API Service Agent (`roles/composer.serviceAgent`) Kubernetes Engine Service Agent (`roles/container.serviceAgent`) Cloud Dataflow Service Agent (`roles/dataflow.serviceAgent`) Cloud TPU V2 API Service Agent (`roles/cloudtpu.serviceAgent`)
`networkconnectivity.internalRanges.list`	Owner (`roles/owner`) Editor (`roles/editor`) Viewer (`roles/viewer`) Compute Network Admin (`roles/compute.networkAdmin`) Compute Network User (`roles/compute.networkUser`) Compute Network Viewer (`roles/compute.networkViewer`) Infrastructure Administrator (`roles/iam.infrastructureAdmin`) Network Administrator (`roles/iam.networkAdmin`) Security Admin (`roles/iam.securityAdmin`) Security Auditor (`roles/iam.securityAuditor`) Security Reviewer (`roles/iam.securityReviewer`) Support User (`roles/iam.supportUser`) Service agent roles Warning: Don't grant service agent roles to any principals except service agents. Cloud Composer API Service Agent (`roles/composer.serviceAgent`) Kubernetes Engine Service Agent (`roles/container.serviceAgent`) Cloud Dataflow Service Agent (`roles/dataflow.serviceAgent`) Cloud Data Fusion API Service Agent (`roles/datafusion.serviceAgent`) Network Connectivity Service Agent (`roles/networkconnectivity.serviceAgent`) Oracle Database@Google Cloud Service Agent (`roles/oci.serviceAgent`) Service Networking Service Agent (`roles/servicenetworking.serviceAgent`) Cloud TPU V2 API Service Agent (`roles/cloudtpu.serviceAgent`)
`networkconnectivity.internalRanges.setIamPolicy`	Owner (`roles/owner`) Compute Network Admin (`roles/compute.networkAdmin`) Infrastructure Administrator (`roles/iam.infrastructureAdmin`) Network Administrator (`roles/iam.networkAdmin`) Security Admin (`roles/iam.securityAdmin`) Service agent roles Warning: Don't grant service agent roles to any principals except service agents. Cloud Composer API Service Agent (`roles/composer.serviceAgent`) Kubernetes Engine Service Agent (`roles/container.serviceAgent`) Cloud Dataflow Service Agent (`roles/dataflow.serviceAgent`) Cloud TPU V2 API Service Agent (`roles/cloudtpu.serviceAgent`)
`networkconnectivity.internalRanges.update`	Owner (`roles/owner`) Editor (`roles/editor`) Compute Network Admin (`roles/compute.networkAdmin`) Infrastructure Administrator (`roles/iam.infrastructureAdmin`) Network Administrator (`roles/iam.networkAdmin`) Service agent roles Warning: Don't grant service agent roles to any principals except service agents. Cloud Composer API Service Agent (`roles/composer.serviceAgent`) Kubernetes Engine Service Agent (`roles/container.serviceAgent`) Cloud Dataflow Service Agent (`roles/dataflow.serviceAgent`) Cloud TPU V2 API Service Agent (`roles/cloudtpu.serviceAgent`)
`networkconnectivity.locations.get`	Owner (`roles/owner`) Editor (`roles/editor`) Viewer (`roles/viewer`) Compute Network Admin (`roles/compute.networkAdmin`) Compute Network User (`roles/compute.networkUser`) Compute Network Viewer (`roles/compute.networkViewer`) Infrastructure Administrator (`roles/iam.infrastructureAdmin`) Network Administrator (`roles/iam.networkAdmin`) Security Auditor (`roles/iam.securityAuditor`) Support User (`roles/iam.supportUser`) Group Admin (`roles/networkconnectivity.groupAdmin`) Hub & Spoke Admin (`roles/networkconnectivity.hubAdmin`) Hub & Spoke Viewer (`roles/networkconnectivity.hubViewer`) Spoke Admin (`roles/networkconnectivity.spokeAdmin`) Service agent roles Warning: Don't grant service agent roles to any principals except service agents. Cloud Composer API Service Agent (`roles/composer.serviceAgent`) Kubernetes Engine Service Agent (`roles/container.serviceAgent`) Cloud Dataflow Service Agent (`roles/dataflow.serviceAgent`) Cloud Data Fusion API Service Agent (`roles/datafusion.serviceAgent`) Cloud TPU V2 API Service Agent (`roles/cloudtpu.serviceAgent`)
`networkconnectivity.locations.list`	Owner (`roles/owner`) Editor (`roles/editor`) Viewer (`roles/viewer`) Compute Network Admin (`roles/compute.networkAdmin`) Compute Network User (`roles/compute.networkUser`) Compute Network Viewer (`roles/compute.networkViewer`) Infrastructure Administrator (`roles/iam.infrastructureAdmin`) Network Administrator (`roles/iam.networkAdmin`) Security Admin (`roles/iam.securityAdmin`) Security Auditor (`roles/iam.securityAuditor`) Security Reviewer (`roles/iam.securityReviewer`) Support User (`roles/iam.supportUser`) Group Admin (`roles/networkconnectivity.groupAdmin`) Hub & Spoke Admin (`roles/networkconnectivity.hubAdmin`) Hub & Spoke Viewer (`roles/networkconnectivity.hubViewer`) Spoke Admin (`roles/networkconnectivity.spokeAdmin`) Service agent roles Warning: Don't grant service agent roles to any principals except service agents. Cloud Composer API Service Agent (`roles/composer.serviceAgent`) Kubernetes Engine Service Agent (`roles/container.serviceAgent`) Cloud Dataflow Service Agent (`roles/dataflow.serviceAgent`) Cloud Data Fusion API Service Agent (`roles/datafusion.serviceAgent`) Cloud TPU V2 API Service Agent (`roles/cloudtpu.serviceAgent`)
`networkconnectivity.multicloudDataTransferConfigs.create`	Owner (`roles/owner`) Editor (`roles/editor`) Multicloud Data Transfer Config Admin (`roles/networkconnectivity.multicloudDataTransferConfigAdmin`)
`networkconnectivity.multicloudDataTransferConfigs.delete`	Owner (`roles/owner`) Editor (`roles/editor`) Multicloud Data Transfer Config Admin (`roles/networkconnectivity.multicloudDataTransferConfigAdmin`)
`networkconnectivity.multicloudDataTransferConfigs.get`	Owner (`roles/owner`) Editor (`roles/editor`) Viewer (`roles/viewer`) Support User (`roles/iam.supportUser`) Multicloud Data Transfer Config Admin (`roles/networkconnectivity.multicloudDataTransferConfigAdmin`) Multicloud Data Transfer Config Viewer (`roles/networkconnectivity.multicloudDataTransferConfigViewer`)
`networkconnectivity.multicloudDataTransferConfigs.list`	Owner (`roles/owner`) Editor (`roles/editor`) Viewer (`roles/viewer`) Security Admin (`roles/iam.securityAdmin`) Security Auditor (`roles/iam.securityAuditor`) Security Reviewer (`roles/iam.securityReviewer`) Support User (`roles/iam.supportUser`) Multicloud Data Transfer Config Admin (`roles/networkconnectivity.multicloudDataTransferConfigAdmin`) Multicloud Data Transfer Config Viewer (`roles/networkconnectivity.multicloudDataTransferConfigViewer`)
`networkconnectivity.multicloudDataTransferConfigs.update`	Owner (`roles/owner`) Editor (`roles/editor`) Multicloud Data Transfer Config Admin (`roles/networkconnectivity.multicloudDataTransferConfigAdmin`)
`networkconnectivity.multicloudDataTransferDestinations.create`	Owner (`roles/owner`) Editor (`roles/editor`) Multicloud Data Transfer Config Admin (`roles/networkconnectivity.multicloudDataTransferConfigAdmin`) Destination Admin (`roles/networkconnectivity.multicloudDataTransferDestinationAdmin`)
`networkconnectivity.multicloudDataTransferDestinations.delete`	Owner (`roles/owner`) Editor (`roles/editor`) Multicloud Data Transfer Config Admin (`roles/networkconnectivity.multicloudDataTransferConfigAdmin`) Destination Admin (`roles/networkconnectivity.multicloudDataTransferDestinationAdmin`)
`networkconnectivity.multicloudDataTransferDestinations.get`	Owner (`roles/owner`) Editor (`roles/editor`) Viewer (`roles/viewer`) Support User (`roles/iam.supportUser`) Multicloud Data Transfer Config Admin (`roles/networkconnectivity.multicloudDataTransferConfigAdmin`) Multicloud Data Transfer Config Viewer (`roles/networkconnectivity.multicloudDataTransferConfigViewer`) Destination Admin (`roles/networkconnectivity.multicloudDataTransferDestinationAdmin`) Destination Viewer (`roles/networkconnectivity.multicloudDataTransferDestinationViewer`)
`networkconnectivity.multicloudDataTransferDestinations.list`	Owner (`roles/owner`) Editor (`roles/editor`) Viewer (`roles/viewer`) Security Admin (`roles/iam.securityAdmin`) Security Auditor (`roles/iam.securityAuditor`) Security Reviewer (`roles/iam.securityReviewer`) Support User (`roles/iam.supportUser`) Multicloud Data Transfer Config Admin (`roles/networkconnectivity.multicloudDataTransferConfigAdmin`) Multicloud Data Transfer Config Viewer (`roles/networkconnectivity.multicloudDataTransferConfigViewer`) Destination Admin (`roles/networkconnectivity.multicloudDataTransferDestinationAdmin`) Destination Viewer (`roles/networkconnectivity.multicloudDataTransferDestinationViewer`)
`networkconnectivity.multicloudDataTransferDestinations.update`	Owner (`roles/owner`) Editor (`roles/editor`) Multicloud Data Transfer Config Admin (`roles/networkconnectivity.multicloudDataTransferConfigAdmin`) Destination Admin (`roles/networkconnectivity.multicloudDataTransferDestinationAdmin`)
`networkconnectivity.multicloudDataTransferSupportedServices.get`	Owner (`roles/owner`) Editor (`roles/editor`) Viewer (`roles/viewer`) Support User (`roles/iam.supportUser`) Multicloud Data Transfer Config Admin (`roles/networkconnectivity.multicloudDataTransferConfigAdmin`) Multicloud Data Transfer Config Viewer (`roles/networkconnectivity.multicloudDataTransferConfigViewer`) Destination Admin (`roles/networkconnectivity.multicloudDataTransferDestinationAdmin`) Destination Viewer (`roles/networkconnectivity.multicloudDataTransferDestinationViewer`)
`networkconnectivity.multicloudDataTransferSupportedServices.list`	Owner (`roles/owner`) Editor (`roles/editor`) Viewer (`roles/viewer`) Security Admin (`roles/iam.securityAdmin`) Security Auditor (`roles/iam.securityAuditor`) Security Reviewer (`roles/iam.securityReviewer`) Support User (`roles/iam.supportUser`) Multicloud Data Transfer Config Admin (`roles/networkconnectivity.multicloudDataTransferConfigAdmin`) Multicloud Data Transfer Config Viewer (`roles/networkconnectivity.multicloudDataTransferConfigViewer`) Destination Admin (`roles/networkconnectivity.multicloudDataTransferDestinationAdmin`) Destination Viewer (`roles/networkconnectivity.multicloudDataTransferDestinationViewer`)
`networkconnectivity.operations.cancel`	Owner (`roles/owner`) Editor (`roles/editor`) Compute Network Admin (`roles/compute.networkAdmin`) Infrastructure Administrator (`roles/iam.infrastructureAdmin`) Network Administrator (`roles/iam.networkAdmin`) Hub & Spoke Admin (`roles/networkconnectivity.hubAdmin`) Service agent roles Warning: Don't grant service agent roles to any principals except service agents. Cloud Composer API Service Agent (`roles/composer.serviceAgent`) Kubernetes Engine Service Agent (`roles/container.serviceAgent`) Cloud Dataflow Service Agent (`roles/dataflow.serviceAgent`) Cloud TPU V2 API Service Agent (`roles/cloudtpu.serviceAgent`)
`networkconnectivity.operations.delete`	Owner (`roles/owner`) Editor (`roles/editor`) Compute Network Admin (`roles/compute.networkAdmin`) Infrastructure Administrator (`roles/iam.infrastructureAdmin`) Network Administrator (`roles/iam.networkAdmin`) Hub & Spoke Admin (`roles/networkconnectivity.hubAdmin`) Service agent roles Warning: Don't grant service agent roles to any principals except service agents. Cloud Composer API Service Agent (`roles/composer.serviceAgent`) Kubernetes Engine Service Agent (`roles/container.serviceAgent`) Cloud Dataflow Service Agent (`roles/dataflow.serviceAgent`) Cloud TPU V2 API Service Agent (`roles/cloudtpu.serviceAgent`)
`networkconnectivity.operations.get`	Owner (`roles/owner`) Editor (`roles/editor`) Viewer (`roles/viewer`) Compute Network Admin (`roles/compute.networkAdmin`) Compute Network User (`roles/compute.networkUser`) Compute Network Viewer (`roles/compute.networkViewer`) Infrastructure Administrator (`roles/iam.infrastructureAdmin`) Network Administrator (`roles/iam.networkAdmin`) Security Auditor (`roles/iam.securityAuditor`) Support User (`roles/iam.supportUser`) Group Admin (`roles/networkconnectivity.groupAdmin`) Hub & Spoke Admin (`roles/networkconnectivity.hubAdmin`) Service Automation Service Producer Admin (`roles/networkconnectivity.serviceProducerAdmin`) Spoke Admin (`roles/networkconnectivity.spokeAdmin`) Service agent roles Warning: Don't grant service agent roles to any principals except service agents. Cloud Composer API Service Agent (`roles/composer.serviceAgent`) Kubernetes Engine Service Agent (`roles/container.serviceAgent`) Cloud Dataflow Service Agent (`roles/dataflow.serviceAgent`) Cloud Data Fusion API Service Agent (`roles/datafusion.serviceAgent`) Network Connectivity Service Agent (`roles/networkconnectivity.serviceAgent`) Oracle Database@Google Cloud Service Agent (`roles/oci.serviceAgent`) Cloud TPU V2 API Service Agent (`roles/cloudtpu.serviceAgent`)
`networkconnectivity.operations.list`	Owner (`roles/owner`) Editor (`roles/editor`) Viewer (`roles/viewer`) Compute Network Admin (`roles/compute.networkAdmin`) Compute Network User (`roles/compute.networkUser`) Compute Network Viewer (`roles/compute.networkViewer`) Infrastructure Administrator (`roles/iam.infrastructureAdmin`) Network Administrator (`roles/iam.networkAdmin`) Security Admin (`roles/iam.securityAdmin`) Security Auditor (`roles/iam.securityAuditor`) Security Reviewer (`roles/iam.securityReviewer`) Support User (`roles/iam.supportUser`) Group Admin (`roles/networkconnectivity.groupAdmin`) Hub & Spoke Admin (`roles/networkconnectivity.hubAdmin`) Service Automation Service Producer Admin (`roles/networkconnectivity.serviceProducerAdmin`) Spoke Admin (`roles/networkconnectivity.spokeAdmin`) Service agent roles Warning: Don't grant service agent roles to any principals except service agents. Cloud Composer API Service Agent (`roles/composer.serviceAgent`) Kubernetes Engine Service Agent (`roles/container.serviceAgent`) Cloud Dataflow Service Agent (`roles/dataflow.serviceAgent`) Cloud Data Fusion API Service Agent (`roles/datafusion.serviceAgent`) Oracle Database@Google Cloud Service Agent (`roles/oci.serviceAgent`) Cloud TPU V2 API Service Agent (`roles/cloudtpu.serviceAgent`)
`networkconnectivity.policyBasedRoutes.create`	Owner (`roles/owner`) Editor (`roles/editor`) Compute Network Admin (`roles/compute.networkAdmin`) Infrastructure Administrator (`roles/iam.infrastructureAdmin`) Network Administrator (`roles/iam.networkAdmin`) Service agent roles Warning: Don't grant service agent roles to any principals except service agents. Cloud Composer API Service Agent (`roles/composer.serviceAgent`) Kubernetes Engine Service Agent (`roles/container.serviceAgent`) Cloud Dataflow Service Agent (`roles/dataflow.serviceAgent`) Cloud TPU V2 API Service Agent (`roles/cloudtpu.serviceAgent`)
`networkconnectivity.policyBasedRoutes.delete`	Owner (`roles/owner`) Editor (`roles/editor`) Compute Network Admin (`roles/compute.networkAdmin`) Infrastructure Administrator (`roles/iam.infrastructureAdmin`) Network Administrator (`roles/iam.networkAdmin`) Service agent roles Warning: Don't grant service agent roles to any principals except service agents. Cloud Composer API Service Agent (`roles/composer.serviceAgent`) Kubernetes Engine Service Agent (`roles/container.serviceAgent`) Cloud Dataflow Service Agent (`roles/dataflow.serviceAgent`) Cloud TPU V2 API Service Agent (`roles/cloudtpu.serviceAgent`)
`networkconnectivity.policyBasedRoutes.get`	Owner (`roles/owner`) Editor (`roles/editor`) Viewer (`roles/viewer`) Compute Network Admin (`roles/compute.networkAdmin`) Compute Network User (`roles/compute.networkUser`) Compute Network Viewer (`roles/compute.networkViewer`) Infrastructure Administrator (`roles/iam.infrastructureAdmin`) Network Administrator (`roles/iam.networkAdmin`) Security Auditor (`roles/iam.securityAuditor`) Support User (`roles/iam.supportUser`) Service agent roles Warning: Don't grant service agent roles to any principals except service agents. Cloud Composer API Service Agent (`roles/composer.serviceAgent`) Kubernetes Engine Service Agent (`roles/container.serviceAgent`) Cloud Dataflow Service Agent (`roles/dataflow.serviceAgent`) Cloud Data Fusion API Service Agent (`roles/datafusion.serviceAgent`) Cloud TPU V2 API Service Agent (`roles/cloudtpu.serviceAgent`)
`networkconnectivity.policyBasedRoutes.getIamPolicy`	Owner (`roles/owner`) Editor (`roles/editor`) Viewer (`roles/viewer`) Compute Network Admin (`roles/compute.networkAdmin`) Infrastructure Administrator (`roles/iam.infrastructureAdmin`) Network Administrator (`roles/iam.networkAdmin`) Security Admin (`roles/iam.securityAdmin`) Security Auditor (`roles/iam.securityAuditor`) Security Reviewer (`roles/iam.securityReviewer`) Support User (`roles/iam.supportUser`) Service agent roles Warning: Don't grant service agent roles to any principals except service agents. Cloud Composer API Service Agent (`roles/composer.serviceAgent`) Kubernetes Engine Service Agent (`roles/container.serviceAgent`) Cloud Dataflow Service Agent (`roles/dataflow.serviceAgent`) Cloud TPU V2 API Service Agent (`roles/cloudtpu.serviceAgent`)
`networkconnectivity.policyBasedRoutes.list`	Owner (`roles/owner`) Editor (`roles/editor`) Viewer (`roles/viewer`) Compute Network Admin (`roles/compute.networkAdmin`) Compute Network User (`roles/compute.networkUser`) Compute Network Viewer (`roles/compute.networkViewer`) Infrastructure Administrator (`roles/iam.infrastructureAdmin`) Network Administrator (`roles/iam.networkAdmin`) Security Admin (`roles/iam.securityAdmin`) Security Auditor (`roles/iam.securityAuditor`) Security Reviewer (`roles/iam.securityReviewer`) Support User (`roles/iam.supportUser`) Service agent roles Warning: Don't grant service agent roles to any principals except service agents. Cloud Composer API Service Agent (`roles/composer.serviceAgent`) Kubernetes Engine Service Agent (`roles/container.serviceAgent`) Cloud Dataflow Service Agent (`roles/dataflow.serviceAgent`) Cloud Data Fusion API Service Agent (`roles/datafusion.serviceAgent`) Cloud TPU V2 API Service Agent (`roles/cloudtpu.serviceAgent`)
`networkconnectivity.policyBasedRoutes.setIamPolicy`	Owner (`roles/owner`) Compute Network Admin (`roles/compute.networkAdmin`) Infrastructure Administrator (`roles/iam.infrastructureAdmin`) Network Administrator (`roles/iam.networkAdmin`) Security Admin (`roles/iam.securityAdmin`) Service agent roles Warning: Don't grant service agent roles to any principals except service agents. Cloud Composer API Service Agent (`roles/composer.serviceAgent`) Kubernetes Engine Service Agent (`roles/container.serviceAgent`) Cloud Dataflow Service Agent (`roles/dataflow.serviceAgent`) Cloud TPU V2 API Service Agent (`roles/cloudtpu.serviceAgent`)
`networkconnectivity.regionalEndpoints.create`	Owner (`roles/owner`) Editor (`roles/editor`) Compute Network Admin (`roles/compute.networkAdmin`) Infrastructure Administrator (`roles/iam.infrastructureAdmin`) Network Administrator (`roles/iam.networkAdmin`) Regional Endpoint Admin (`roles/networkconnectivity.regionalEndpointAdmin`) Service agent roles Warning: Don't grant service agent roles to any principals except service agents. Cloud Composer API Service Agent (`roles/composer.serviceAgent`) Kubernetes Engine Service Agent (`roles/container.serviceAgent`) Cloud Dataflow Service Agent (`roles/dataflow.serviceAgent`) Cloud TPU V2 API Service Agent (`roles/cloudtpu.serviceAgent`)
`networkconnectivity.regionalEndpoints.delete`	Owner (`roles/owner`) Editor (`roles/editor`) Compute Network Admin (`roles/compute.networkAdmin`) Infrastructure Administrator (`roles/iam.infrastructureAdmin`) Network Administrator (`roles/iam.networkAdmin`) Regional Endpoint Admin (`roles/networkconnectivity.regionalEndpointAdmin`) Service agent roles Warning: Don't grant service agent roles to any principals except service agents. Cloud Composer API Service Agent (`roles/composer.serviceAgent`) Kubernetes Engine Service Agent (`roles/container.serviceAgent`) Cloud Dataflow Service Agent (`roles/dataflow.serviceAgent`) Cloud TPU V2 API Service Agent (`roles/cloudtpu.serviceAgent`)
`networkconnectivity.regionalEndpoints.get`	Owner (`roles/owner`) Editor (`roles/editor`) Viewer (`roles/viewer`) Compute Network Admin (`roles/compute.networkAdmin`) Infrastructure Administrator (`roles/iam.infrastructureAdmin`) Network Administrator (`roles/iam.networkAdmin`) Support User (`roles/iam.supportUser`) Regional Endpoint Admin (`roles/networkconnectivity.regionalEndpointAdmin`) Regional Endpoint Viewer (`roles/networkconnectivity.regionalEndpointViewer`) Service agent roles Warning: Don't grant service agent roles to any principals except service agents. Cloud Composer API Service Agent (`roles/composer.serviceAgent`) Kubernetes Engine Service Agent (`roles/container.serviceAgent`) Cloud Dataflow Service Agent (`roles/dataflow.serviceAgent`) Cloud TPU V2 API Service Agent (`roles/cloudtpu.serviceAgent`)
`networkconnectivity.regionalEndpoints.list`	Owner (`roles/owner`) Editor (`roles/editor`) Viewer (`roles/viewer`) Compute Network Admin (`roles/compute.networkAdmin`) Infrastructure Administrator (`roles/iam.infrastructureAdmin`) Network Administrator (`roles/iam.networkAdmin`) Security Admin (`roles/iam.securityAdmin`) Security Auditor (`roles/iam.securityAuditor`) Security Reviewer (`roles/iam.securityReviewer`) Support User (`roles/iam.supportUser`) Regional Endpoint Admin (`roles/networkconnectivity.regionalEndpointAdmin`) Regional Endpoint Viewer (`roles/networkconnectivity.regionalEndpointViewer`) Service agent roles Warning: Don't grant service agent roles to any principals except service agents. Cloud Composer API Service Agent (`roles/composer.serviceAgent`) Kubernetes Engine Service Agent (`roles/container.serviceAgent`) Cloud Dataflow Service Agent (`roles/dataflow.serviceAgent`) Cloud TPU V2 API Service Agent (`roles/cloudtpu.serviceAgent`)
`networkconnectivity.serviceClasses.create`	Owner (`roles/owner`) Editor (`roles/editor`) Compute Network Admin (`roles/compute.networkAdmin`) Infrastructure Administrator (`roles/iam.infrastructureAdmin`) Network Administrator (`roles/iam.networkAdmin`) Service Automation Service Producer Admin (`roles/networkconnectivity.serviceProducerAdmin`) Service agent roles Warning: Don't grant service agent roles to any principals except service agents. Cloud Composer API Service Agent (`roles/composer.serviceAgent`) Kubernetes Engine Service Agent (`roles/container.serviceAgent`) Cloud Dataflow Service Agent (`roles/dataflow.serviceAgent`) Cloud TPU V2 API Service Agent (`roles/cloudtpu.serviceAgent`)
`networkconnectivity.serviceClasses.delete`	Owner (`roles/owner`) Editor (`roles/editor`) Compute Network Admin (`roles/compute.networkAdmin`) Infrastructure Administrator (`roles/iam.infrastructureAdmin`) Network Administrator (`roles/iam.networkAdmin`) Service Automation Service Producer Admin (`roles/networkconnectivity.serviceProducerAdmin`) Service agent roles Warning: Don't grant service agent roles to any principals except service agents. Cloud Composer API Service Agent (`roles/composer.serviceAgent`) Kubernetes Engine Service Agent (`roles/container.serviceAgent`) Cloud Dataflow Service Agent (`roles/dataflow.serviceAgent`) Cloud TPU V2 API Service Agent (`roles/cloudtpu.serviceAgent`)
`networkconnectivity.serviceClasses.get`	Owner (`roles/owner`) Editor (`roles/editor`) Viewer (`roles/viewer`) Compute Network Admin (`roles/compute.networkAdmin`) Infrastructure Administrator (`roles/iam.infrastructureAdmin`) Network Administrator (`roles/iam.networkAdmin`) Support User (`roles/iam.supportUser`) Service Class User (`roles/networkconnectivity.serviceClassUser`) Service Automation Service Producer Admin (`roles/networkconnectivity.serviceProducerAdmin`) Service agent roles Warning: Don't grant service agent roles to any principals except service agents. Cloud Composer API Service Agent (`roles/composer.serviceAgent`) Kubernetes Engine Service Agent (`roles/container.serviceAgent`) Cloud Dataflow Service Agent (`roles/dataflow.serviceAgent`) Cloud TPU V2 API Service Agent (`roles/cloudtpu.serviceAgent`)
`networkconnectivity.serviceClasses.list`	Owner (`roles/owner`) Editor (`roles/editor`) Viewer (`roles/viewer`) Compute Network Admin (`roles/compute.networkAdmin`) Infrastructure Administrator (`roles/iam.infrastructureAdmin`) Network Administrator (`roles/iam.networkAdmin`) Security Admin (`roles/iam.securityAdmin`) Security Auditor (`roles/iam.securityAuditor`) Security Reviewer (`roles/iam.securityReviewer`) Support User (`roles/iam.supportUser`) Service Class User (`roles/networkconnectivity.serviceClassUser`) Service Automation Service Producer Admin (`roles/networkconnectivity.serviceProducerAdmin`) Service agent roles Warning: Don't grant service agent roles to any principals except service agents. Cloud Composer API Service Agent (`roles/composer.serviceAgent`) Kubernetes Engine Service Agent (`roles/container.serviceAgent`) Cloud Dataflow Service Agent (`roles/dataflow.serviceAgent`) Cloud TPU V2 API Service Agent (`roles/cloudtpu.serviceAgent`)
`networkconnectivity.serviceClasses.update`	Owner (`roles/owner`) Editor (`roles/editor`) Compute Network Admin (`roles/compute.networkAdmin`) Infrastructure Administrator (`roles/iam.infrastructureAdmin`) Network Administrator (`roles/iam.networkAdmin`) Service Automation Service Producer Admin (`roles/networkconnectivity.serviceProducerAdmin`) Service agent roles Warning: Don't grant service agent roles to any principals except service agents. Cloud Composer API Service Agent (`roles/composer.serviceAgent`) Kubernetes Engine Service Agent (`roles/container.serviceAgent`) Cloud Dataflow Service Agent (`roles/dataflow.serviceAgent`) Cloud TPU V2 API Service Agent (`roles/cloudtpu.serviceAgent`)
`networkconnectivity.serviceClasses.use`	Owner (`roles/owner`) Editor (`roles/editor`) Compute Network Admin (`roles/compute.networkAdmin`) Infrastructure Administrator (`roles/iam.infrastructureAdmin`) Network Administrator (`roles/iam.networkAdmin`) Service Class User (`roles/networkconnectivity.serviceClassUser`) Service Automation Service Producer Admin (`roles/networkconnectivity.serviceProducerAdmin`) Service agent roles Warning: Don't grant service agent roles to any principals except service agents. Cloud Composer API Service Agent (`roles/composer.serviceAgent`) Kubernetes Engine Service Agent (`roles/container.serviceAgent`) Cloud Dataflow Service Agent (`roles/dataflow.serviceAgent`) Cloud TPU V2 API Service Agent (`roles/cloudtpu.serviceAgent`)
`networkconnectivity.serviceConnectionMaps.create`	Owner (`roles/owner`) Editor (`roles/editor`) Compute Network Admin (`roles/compute.networkAdmin`) Infrastructure Administrator (`roles/iam.infrastructureAdmin`) Network Administrator (`roles/iam.networkAdmin`) Service Automation Service Producer Admin (`roles/networkconnectivity.serviceProducerAdmin`) Service agent roles Warning: Don't grant service agent roles to any principals except service agents. Cloud Composer API Service Agent (`roles/composer.serviceAgent`) Kubernetes Engine Service Agent (`roles/container.serviceAgent`) Cloud Dataflow Service Agent (`roles/dataflow.serviceAgent`) Cloud TPU V2 API Service Agent (`roles/cloudtpu.serviceAgent`)
`networkconnectivity.serviceConnectionMaps.delete`	Owner (`roles/owner`) Editor (`roles/editor`) Compute Network Admin (`roles/compute.networkAdmin`) Infrastructure Administrator (`roles/iam.infrastructureAdmin`) Network Administrator (`roles/iam.networkAdmin`) Service Automation Service Producer Admin (`roles/networkconnectivity.serviceProducerAdmin`) Service agent roles Warning: Don't grant service agent roles to any principals except service agents. Cloud Composer API Service Agent (`roles/composer.serviceAgent`) Kubernetes Engine Service Agent (`roles/container.serviceAgent`) Cloud Dataflow Service Agent (`roles/dataflow.serviceAgent`) Cloud TPU V2 API Service Agent (`roles/cloudtpu.serviceAgent`)
`networkconnectivity.serviceConnectionMaps.get`	Owner (`roles/owner`) Editor (`roles/editor`) Viewer (`roles/viewer`) Compute Network Admin (`roles/compute.networkAdmin`) Infrastructure Administrator (`roles/iam.infrastructureAdmin`) Network Administrator (`roles/iam.networkAdmin`) Support User (`roles/iam.supportUser`) Service Automation Service Producer Admin (`roles/networkconnectivity.serviceProducerAdmin`) Service agent roles Warning: Don't grant service agent roles to any principals except service agents. Cloud Composer API Service Agent (`roles/composer.serviceAgent`) Kubernetes Engine Service Agent (`roles/container.serviceAgent`) Cloud Dataflow Service Agent (`roles/dataflow.serviceAgent`) Cloud TPU V2 API Service Agent (`roles/cloudtpu.serviceAgent`)
`networkconnectivity.serviceConnectionMaps.list`	Owner (`roles/owner`) Editor (`roles/editor`) Viewer (`roles/viewer`) Compute Network Admin (`roles/compute.networkAdmin`) Infrastructure Administrator (`roles/iam.infrastructureAdmin`) Network Administrator (`roles/iam.networkAdmin`) Security Admin (`roles/iam.securityAdmin`) Security Auditor (`roles/iam.securityAuditor`) Security Reviewer (`roles/iam.securityReviewer`) Support User (`roles/iam.supportUser`) Service Automation Service Producer Admin (`roles/networkconnectivity.serviceProducerAdmin`) Service agent roles Warning: Don't grant service agent roles to any principals except service agents. Cloud Composer API Service Agent (`roles/composer.serviceAgent`) Kubernetes Engine Service Agent (`roles/container.serviceAgent`) Cloud Dataflow Service Agent (`roles/dataflow.serviceAgent`) Cloud TPU V2 API Service Agent (`roles/cloudtpu.serviceAgent`)
`networkconnectivity.serviceConnectionMaps.update`	Owner (`roles/owner`) Editor (`roles/editor`) Compute Network Admin (`roles/compute.networkAdmin`) Infrastructure Administrator (`roles/iam.infrastructureAdmin`) Network Administrator (`roles/iam.networkAdmin`) Service Automation Service Producer Admin (`roles/networkconnectivity.serviceProducerAdmin`) Service agent roles Warning: Don't grant service agent roles to any principals except service agents. Cloud Composer API Service Agent (`roles/composer.serviceAgent`) Kubernetes Engine Service Agent (`roles/container.serviceAgent`) Cloud Dataflow Service Agent (`roles/dataflow.serviceAgent`) Cloud TPU V2 API Service Agent (`roles/cloudtpu.serviceAgent`)
`networkconnectivity.serviceConnectionPolicies.create`	Owner (`roles/owner`) Editor (`roles/editor`) Compute Network Admin (`roles/compute.networkAdmin`) Infrastructure Administrator (`roles/iam.infrastructureAdmin`) Network Administrator (`roles/iam.networkAdmin`) Service Automation Consumer Network Admin (`roles/networkconnectivity.consumerNetworkAdmin`) Service agent roles Warning: Don't grant service agent roles to any principals except service agents. Cloud Composer API Service Agent (`roles/composer.serviceAgent`) Kubernetes Engine Service Agent (`roles/container.serviceAgent`) Cloud Dataflow Service Agent (`roles/dataflow.serviceAgent`) Cloud TPU V2 API Service Agent (`roles/cloudtpu.serviceAgent`)
`networkconnectivity.serviceConnectionPolicies.delete`	Owner (`roles/owner`) Editor (`roles/editor`) Compute Network Admin (`roles/compute.networkAdmin`) Infrastructure Administrator (`roles/iam.infrastructureAdmin`) Network Administrator (`roles/iam.networkAdmin`) Service Automation Consumer Network Admin (`roles/networkconnectivity.consumerNetworkAdmin`) Service agent roles Warning: Don't grant service agent roles to any principals except service agents. Cloud Composer API Service Agent (`roles/composer.serviceAgent`) Kubernetes Engine Service Agent (`roles/container.serviceAgent`) Cloud Dataflow Service Agent (`roles/dataflow.serviceAgent`) Cloud TPU V2 API Service Agent (`roles/cloudtpu.serviceAgent`)
`networkconnectivity.serviceConnectionPolicies.get`	Owner (`roles/owner`) Editor (`roles/editor`) Viewer (`roles/viewer`) Compute Network Admin (`roles/compute.networkAdmin`) Infrastructure Administrator (`roles/iam.infrastructureAdmin`) Network Administrator (`roles/iam.networkAdmin`) Support User (`roles/iam.supportUser`) Service Automation Consumer Network Admin (`roles/networkconnectivity.consumerNetworkAdmin`) Service agent roles Warning: Don't grant service agent roles to any principals except service agents. Cloud Composer API Service Agent (`roles/composer.serviceAgent`) Kubernetes Engine Service Agent (`roles/container.serviceAgent`) Cloud Dataflow Service Agent (`roles/dataflow.serviceAgent`) Cloud TPU V2 API Service Agent (`roles/cloudtpu.serviceAgent`)
`networkconnectivity.serviceConnectionPolicies.list`	Owner (`roles/owner`) Editor (`roles/editor`) Viewer (`roles/viewer`) Compute Network Admin (`roles/compute.networkAdmin`) Databases Admin (`roles/iam.databasesAdmin`) Infrastructure Administrator (`roles/iam.infrastructureAdmin`) Network Administrator (`roles/iam.networkAdmin`) Security Admin (`roles/iam.securityAdmin`) Security Auditor (`roles/iam.securityAuditor`) Security Reviewer (`roles/iam.securityReviewer`) Support User (`roles/iam.supportUser`) Service Automation Consumer Network Admin (`roles/networkconnectivity.consumerNetworkAdmin`) Cloud Memorystore Redis Admin (`roles/redis.admin`) Service agent roles Warning: Don't grant service agent roles to any principals except service agents. Cloud Composer API Service Agent (`roles/composer.serviceAgent`) Kubernetes Engine Service Agent (`roles/container.serviceAgent`) Cloud Dataflow Service Agent (`roles/dataflow.serviceAgent`) Cloud TPU V2 API Service Agent (`roles/cloudtpu.serviceAgent`)
`networkconnectivity.serviceConnectionPolicies.update`	Owner (`roles/owner`) Editor (`roles/editor`) Compute Network Admin (`roles/compute.networkAdmin`) Infrastructure Administrator (`roles/iam.infrastructureAdmin`) Network Administrator (`roles/iam.networkAdmin`) Service Automation Consumer Network Admin (`roles/networkconnectivity.consumerNetworkAdmin`) Service agent roles Warning: Don't grant service agent roles to any principals except service agents. Cloud Composer API Service Agent (`roles/composer.serviceAgent`) Kubernetes Engine Service Agent (`roles/container.serviceAgent`) Cloud Dataflow Service Agent (`roles/dataflow.serviceAgent`) Cloud TPU V2 API Service Agent (`roles/cloudtpu.serviceAgent`)
`networkconnectivity.spokes.create`	Owner (`roles/owner`) Editor (`roles/editor`) Network Administrator (`roles/iam.networkAdmin`) Hub & Spoke Admin (`roles/networkconnectivity.hubAdmin`) Spoke Admin (`roles/networkconnectivity.spokeAdmin`)
`networkconnectivity.spokes.delete`	Owner (`roles/owner`) Editor (`roles/editor`) Network Administrator (`roles/iam.networkAdmin`) Hub & Spoke Admin (`roles/networkconnectivity.hubAdmin`) Spoke Admin (`roles/networkconnectivity.spokeAdmin`)
`networkconnectivity.spokes.get`	Owner (`roles/owner`) Editor (`roles/editor`) Viewer (`roles/viewer`) Network Administrator (`roles/iam.networkAdmin`) Support User (`roles/iam.supportUser`) Group Admin (`roles/networkconnectivity.groupAdmin`) Hub & Spoke Admin (`roles/networkconnectivity.hubAdmin`) Hub & Spoke Viewer (`roles/networkconnectivity.hubViewer`) Spoke Admin (`roles/networkconnectivity.spokeAdmin`)
`networkconnectivity.spokes.getIamPolicy`	Owner (`roles/owner`) Editor (`roles/editor`) Viewer (`roles/viewer`) Network Administrator (`roles/iam.networkAdmin`) Security Admin (`roles/iam.securityAdmin`) Security Auditor (`roles/iam.securityAuditor`) Security Reviewer (`roles/iam.securityReviewer`) Support User (`roles/iam.supportUser`) Group Admin (`roles/networkconnectivity.groupAdmin`) Hub & Spoke Admin (`roles/networkconnectivity.hubAdmin`) Hub & Spoke Viewer (`roles/networkconnectivity.hubViewer`) Spoke Admin (`roles/networkconnectivity.spokeAdmin`)
`networkconnectivity.spokes.list`	Owner (`roles/owner`) Editor (`roles/editor`) Viewer (`roles/viewer`) Network Administrator (`roles/iam.networkAdmin`) Security Admin (`roles/iam.securityAdmin`) Security Auditor (`roles/iam.securityAuditor`) Security Reviewer (`roles/iam.securityReviewer`) Support User (`roles/iam.supportUser`) Group Admin (`roles/networkconnectivity.groupAdmin`) Hub & Spoke Admin (`roles/networkconnectivity.hubAdmin`) Hub & Spoke Viewer (`roles/networkconnectivity.hubViewer`) Spoke Admin (`roles/networkconnectivity.spokeAdmin`)
`networkconnectivity.spokes.setIamPolicy`	Owner (`roles/owner`) Network Administrator (`roles/iam.networkAdmin`) Security Admin (`roles/iam.securityAdmin`) Hub & Spoke Admin (`roles/networkconnectivity.hubAdmin`) Spoke Admin (`roles/networkconnectivity.spokeAdmin`)
`networkconnectivity.spokes.update`	Owner (`roles/owner`) Editor (`roles/editor`) Network Administrator (`roles/iam.networkAdmin`) Hub & Spoke Admin (`roles/networkconnectivity.hubAdmin`) Spoke Admin (`roles/networkconnectivity.spokeAdmin`)

Network Connectivity Center roles and permissions