Network Management API roles and permissions
Stay organized with collections Save and categorize content based on your preferences.

This page lists the IAM roles and permissions for Network Management API. To search through all roles and permissions, see the role and permission index.

Network Management API roles

Role Permissions

Role	Permissions
Network Management Admin (`roles/networkmanagement.admin`) Full access to Network Management resources. Lowest-level resources where you can grant this role: Project	`networkmanagement.*` `networkmanagement.connectivitytests.create` `networkmanagement.connectivitytests.delete` `networkmanagement.connectivitytests.get` `networkmanagement.connectivitytests.getIamPolicy` `networkmanagement.connectivitytests.list` `networkmanagement.connectivitytests.rerun` `networkmanagement.connectivitytests.setIamPolicy` `networkmanagement.connectivitytests.update` `networkmanagement.locations.get` `networkmanagement.locations.list` `networkmanagement.operations.cancel` `networkmanagement.operations.delete` `networkmanagement.operations.get` `networkmanagement.operations.list` `networkmanagement.vpcflowlogsconfigs.create` `networkmanagement.vpcflowlogsconfigs.delete` `networkmanagement.vpcflowlogsconfigs.get` `networkmanagement.vpcflowlogsconfigs.list` `networkmanagement.vpcflowlogsconfigs.update` `resourcemanager.organizations.get` `resourcemanager.projects.get` `resourcemanager.projects.list`
GCP Network Management Service Agent (`roles/networkmanagement.serviceAgent`) Grants the GCP Network Management API the authority to complete analysis based on network configurations from Compute Engine and Container Engine. Warning: Do not grant service agent roles to any principals except service agents.	`cloudsql.instances.get` `cloudsql.instances.list` `compute.addresses.get` `compute.addresses.list` `compute.backendServices.get` `compute.backendServices.list` `compute.externalVpnGateways.get` `compute.externalVpnGateways.list` `compute.firewalls.get` `compute.firewalls.list` `compute.forwardingRules.get` `compute.forwardingRules.list` `compute.globalAddresses.get` `compute.globalAddresses.list` `compute.globalForwardingRules.get` `compute.globalForwardingRules.list` `compute.globalNetworkEndpointGroups.get` `compute.globalNetworkEndpointGroups.list` `compute.healthChecks.get` `compute.healthChecks.list` `compute.httpHealthChecks.get` `compute.httpHealthChecks.list` `compute.httpsHealthChecks.get` `compute.httpsHealthChecks.list` `compute.instanceGroups.get` `compute.instanceGroups.list` `compute.instances.get` `compute.instances.list` `compute.networkEndpointGroups.get` `compute.networkEndpointGroups.list` `compute.networks.get` `compute.networks.getEffectiveFirewalls` `compute.networks.list` `compute.networks.listPeeringRoutes` `compute.packetMirrorings.get` `compute.packetMirrorings.list` `compute.regionBackendServices.get` `compute.regionBackendServices.list` `compute.regionHealthChecks.get` `compute.regionHealthChecks.list` `compute.regionNetworkEndpointGroups.get` `compute.regionNetworkEndpointGroups.list` `compute.regionTargetHttpProxies.get` `compute.regionTargetHttpProxies.list` `compute.regionTargetHttpsProxies.get` `compute.regionTargetHttpsProxies.list` `compute.regionTargetTcpProxies.get` `compute.regionTargetTcpProxies.list` `compute.regionUrlMaps.get` `compute.regionUrlMaps.list` `compute.routers.get` `compute.routers.list` `compute.routes.get` `compute.routes.list` `compute.subnetworks.get` `compute.subnetworks.list` `compute.targetGrpcProxies.get` `compute.targetGrpcProxies.list` `compute.targetHttpProxies.get` `compute.targetHttpProxies.list` `compute.targetHttpsProxies.get` `compute.targetHttpsProxies.list` `compute.targetInstances.get` `compute.targetInstances.list` `compute.targetPools.get` `compute.targetPools.list` `compute.targetSslProxies.get` `compute.targetSslProxies.list` `compute.targetTcpProxies.get` `compute.targetTcpProxies.list` `compute.targetVpnGateways.get` `compute.targetVpnGateways.list` `compute.urlMaps.get` `compute.urlMaps.list` `compute.vpnGateways.get` `compute.vpnGateways.list` `compute.vpnTunnels.get` `compute.vpnTunnels.list` `container.clusters.get` `container.clusters.list` `container.nodes.get` `container.nodes.list`
Network Management Viewer (`roles/networkmanagement.viewer`) Read-only access to Network Management resources. Lowest-level resources where you can grant this role: Project	`networkmanagement.connectivitytests.get` `networkmanagement.connectivitytests.getIamPolicy` `networkmanagement.connectivitytests.list` `networkmanagement.locations.*` `networkmanagement.locations.get` `networkmanagement.locations.list` `networkmanagement.operations.get` `networkmanagement.operations.list` `networkmanagement.vpcflowlogsconfigs.get` `networkmanagement.vpcflowlogsconfigs.list` `resourcemanager.organizations.get` `resourcemanager.projects.get` `resourcemanager.projects.list`

Network Management Admin

(roles/networkmanagement.admin)

Full access to Network Management resources.

Lowest-level resources where you can grant this role:

Project

networkmanagement.*

networkmanagement.connectivitytests.create
networkmanagement.connectivitytests.delete
networkmanagement.connectivitytests.get
networkmanagement.connectivitytests.getIamPolicy
networkmanagement.connectivitytests.list
networkmanagement.connectivitytests.rerun
networkmanagement.connectivitytests.setIamPolicy
networkmanagement.connectivitytests.update
networkmanagement.locations.get
networkmanagement.locations.list
networkmanagement.operations.cancel
networkmanagement.operations.delete
networkmanagement.operations.get
networkmanagement.operations.list
networkmanagement.vpcflowlogsconfigs.create
networkmanagement.vpcflowlogsconfigs.delete
networkmanagement.vpcflowlogsconfigs.get
networkmanagement.vpcflowlogsconfigs.list
networkmanagement.vpcflowlogsconfigs.update

resourcemanager.organizations.get

resourcemanager.projects.get

resourcemanager.projects.list

GCP Network Management Service Agent

(roles/networkmanagement.serviceAgent)

Grants the GCP Network Management API the authority to complete analysis based on network configurations from Compute Engine and Container Engine.

cloudsql.instances.get

cloudsql.instances.list

compute.addresses.get

compute.addresses.list

compute.backendServices.get

compute.backendServices.list

compute.externalVpnGateways.get

compute.externalVpnGateways.list

compute.firewalls.get

compute.firewalls.list

compute.forwardingRules.get

compute.forwardingRules.list

compute.globalAddresses.get

compute.globalAddresses.list

compute.globalForwardingRules.get

compute.globalForwardingRules.list

compute.globalNetworkEndpointGroups.get

compute.globalNetworkEndpointGroups.list

compute.healthChecks.get

compute.healthChecks.list

compute.httpHealthChecks.get

compute.httpHealthChecks.list

compute.httpsHealthChecks.get

compute.httpsHealthChecks.list

compute.instanceGroups.get

compute.instanceGroups.list

compute.instances.get

compute.instances.list

compute.networkEndpointGroups.get

compute.networkEndpointGroups.list

compute.networks.get

compute.networks.getEffectiveFirewalls

compute.networks.list

compute.networks.listPeeringRoutes

compute.packetMirrorings.get

compute.packetMirrorings.list

compute.regionBackendServices.get

compute.regionBackendServices.list

compute.regionHealthChecks.get

compute.regionHealthChecks.list

compute.regionNetworkEndpointGroups.get

compute.regionNetworkEndpointGroups.list

compute.regionTargetHttpProxies.get

compute.regionTargetHttpProxies.list

compute.regionTargetHttpsProxies.get

compute.regionTargetHttpsProxies.list

compute.regionTargetTcpProxies.get

compute.regionTargetTcpProxies.list

compute.regionUrlMaps.get

compute.regionUrlMaps.list

compute.routers.get

compute.routers.list

compute.routes.get

compute.routes.list

compute.subnetworks.get

compute.subnetworks.list

compute.targetGrpcProxies.get

compute.targetGrpcProxies.list

compute.targetHttpProxies.get

compute.targetHttpProxies.list

compute.targetHttpsProxies.get

compute.targetHttpsProxies.list

compute.targetInstances.get

compute.targetInstances.list

compute.targetPools.get

compute.targetPools.list

compute.targetSslProxies.get

compute.targetSslProxies.list

compute.targetTcpProxies.get

compute.targetTcpProxies.list

compute.targetVpnGateways.get

compute.targetVpnGateways.list

compute.urlMaps.get

compute.urlMaps.list

compute.vpnGateways.get

compute.vpnGateways.list

compute.vpnTunnels.get

compute.vpnTunnels.list

container.clusters.get

container.clusters.list

container.nodes.get

container.nodes.list

Network Management Viewer

(roles/networkmanagement.viewer)

Read-only access to Network Management resources.

Lowest-level resources where you can grant this role:

Project

networkmanagement.connectivitytests.get

networkmanagement.connectivitytests.getIamPolicy

networkmanagement.connectivitytests.list

networkmanagement.locations.*

networkmanagement.locations.get
networkmanagement.locations.list

networkmanagement.operations.get

networkmanagement.operations.list

networkmanagement.vpcflowlogsconfigs.get

networkmanagement.vpcflowlogsconfigs.list

resourcemanager.organizations.get

resourcemanager.projects.get

resourcemanager.projects.list

Network Management API permissions

Permission	Included in roles
`networkmanagement.connectivitytests.create`	Owner (`roles/owner`) Editor (`roles/editor`) Network Management Admin (`roles/networkmanagement.admin`)
`networkmanagement.connectivitytests.delete`	Owner (`roles/owner`) Editor (`roles/editor`) Network Management Admin (`roles/networkmanagement.admin`)
`networkmanagement.connectivitytests.get`	Owner (`roles/owner`) Editor (`roles/editor`) Viewer (`roles/viewer`) Compute Network Admin (`roles/compute.networkAdmin`) Compute Network User (`roles/compute.networkUser`) Compute Network Viewer (`roles/compute.networkViewer`) Network Management Admin (`roles/networkmanagement.admin`) Network Management Viewer (`roles/networkmanagement.viewer`) Service agent roles Warning: Don't grant service agent roles to any principals except service agents. Cloud Composer API Service Agent (`roles/composer.serviceAgent`) Kubernetes Engine Service Agent (`roles/container.serviceAgent`) Cloud Dataflow Service Agent (`roles/dataflow.serviceAgent`) Cloud Data Fusion API Service Agent (`roles/datafusion.serviceAgent`) Cloud TPU V2 API Service Agent (`roles/cloudtpu.serviceAgent`)
`networkmanagement.connectivitytests.getIamPolicy`	Owner (`roles/owner`) Editor (`roles/editor`) Viewer (`roles/viewer`) Security Admin (`roles/iam.securityAdmin`) Security Reviewer (`roles/iam.securityReviewer`) Network Management Admin (`roles/networkmanagement.admin`) Network Management Viewer (`roles/networkmanagement.viewer`)
`networkmanagement.connectivitytests.list`	Owner (`roles/owner`) Editor (`roles/editor`) Viewer (`roles/viewer`) Compute Network Admin (`roles/compute.networkAdmin`) Compute Network User (`roles/compute.networkUser`) Compute Network Viewer (`roles/compute.networkViewer`) Security Admin (`roles/iam.securityAdmin`) Security Reviewer (`roles/iam.securityReviewer`) Network Management Admin (`roles/networkmanagement.admin`) Network Management Viewer (`roles/networkmanagement.viewer`) Service agent roles Warning: Don't grant service agent roles to any principals except service agents. Cloud Composer API Service Agent (`roles/composer.serviceAgent`) Kubernetes Engine Service Agent (`roles/container.serviceAgent`) Cloud Dataflow Service Agent (`roles/dataflow.serviceAgent`) Cloud Data Fusion API Service Agent (`roles/datafusion.serviceAgent`) Database Migration Service Agent (`roles/datamigration.serviceAgent`) Cloud TPU V2 API Service Agent (`roles/cloudtpu.serviceAgent`)
`networkmanagement.connectivitytests.rerun`	Owner (`roles/owner`) Editor (`roles/editor`) Network Management Admin (`roles/networkmanagement.admin`)
`networkmanagement.connectivitytests.setIamPolicy`	Owner (`roles/owner`) Security Admin (`roles/iam.securityAdmin`) Network Management Admin (`roles/networkmanagement.admin`)
`networkmanagement.connectivitytests.update`	Owner (`roles/owner`) Editor (`roles/editor`) Network Management Admin (`roles/networkmanagement.admin`)
`networkmanagement.locations.get`	Owner (`roles/owner`) Editor (`roles/editor`) Viewer (`roles/viewer`) Network Management Admin (`roles/networkmanagement.admin`) Network Management Viewer (`roles/networkmanagement.viewer`)
`networkmanagement.locations.list`	Owner (`roles/owner`) Editor (`roles/editor`) Viewer (`roles/viewer`) Security Admin (`roles/iam.securityAdmin`) Security Reviewer (`roles/iam.securityReviewer`) Network Management Admin (`roles/networkmanagement.admin`) Network Management Viewer (`roles/networkmanagement.viewer`)
`networkmanagement.operations.cancel`	Owner (`roles/owner`) Editor (`roles/editor`) Network Management Admin (`roles/networkmanagement.admin`)
`networkmanagement.operations.delete`	Owner (`roles/owner`) Editor (`roles/editor`) Network Management Admin (`roles/networkmanagement.admin`)
`networkmanagement.operations.get`	Owner (`roles/owner`) Editor (`roles/editor`) Viewer (`roles/viewer`) Network Management Admin (`roles/networkmanagement.admin`) Network Management Viewer (`roles/networkmanagement.viewer`)
`networkmanagement.operations.list`	Owner (`roles/owner`) Editor (`roles/editor`) Viewer (`roles/viewer`) Security Admin (`roles/iam.securityAdmin`) Security Reviewer (`roles/iam.securityReviewer`) Network Management Admin (`roles/networkmanagement.admin`) Network Management Viewer (`roles/networkmanagement.viewer`)
`networkmanagement.vpcflowlogsconfigs.create`	Owner (`roles/owner`) Editor (`roles/editor`) Network Management Admin (`roles/networkmanagement.admin`)
`networkmanagement.vpcflowlogsconfigs.delete`	Owner (`roles/owner`) Editor (`roles/editor`) Network Management Admin (`roles/networkmanagement.admin`)
`networkmanagement.vpcflowlogsconfigs.get`	Owner (`roles/owner`) Editor (`roles/editor`) Viewer (`roles/viewer`) Network Management Admin (`roles/networkmanagement.admin`) Network Management Viewer (`roles/networkmanagement.viewer`)
`networkmanagement.vpcflowlogsconfigs.list`	Owner (`roles/owner`) Editor (`roles/editor`) Viewer (`roles/viewer`) Security Admin (`roles/iam.securityAdmin`) Security Reviewer (`roles/iam.securityReviewer`) Network Management Admin (`roles/networkmanagement.admin`) Network Management Viewer (`roles/networkmanagement.viewer`)
`networkmanagement.vpcflowlogsconfigs.update`	Owner (`roles/owner`) Editor (`roles/editor`) Network Management Admin (`roles/networkmanagement.admin`)

Network Management API roles and permissions
Stay organized with collections Save and categorize content based on your preferences.