Pub/Sub roles and permissions
Stay organized with collections Save and categorize content based on your preferences.

This page lists the IAM roles and permissions for Pub/Sub. To search through all roles and permissions, see the role and permission index.

Pub/Sub roles

Role Permissions

Role	Permissions
Pub/Sub Admin (`roles/pubsub.admin`) Provides full access to topics and subscriptions. Lowest-level resources where you can grant this role: Schema Snapshot Subscription Topic	`pubsub.*` `pubsub.messageTransforms.validate` `pubsub.schemas.attach` `pubsub.schemas.commit` `pubsub.schemas.create` `pubsub.schemas.delete` `pubsub.schemas.get` `pubsub.schemas.getIamPolicy` `pubsub.schemas.list` `pubsub.schemas.listRevisions` `pubsub.schemas.rollback` `pubsub.schemas.setIamPolicy` `pubsub.schemas.validate` `pubsub.snapshots.create` `pubsub.snapshots.delete` `pubsub.snapshots.get` `pubsub.snapshots.getIamPolicy` `pubsub.snapshots.list` `pubsub.snapshots.seek` `pubsub.snapshots.setIamPolicy` `pubsub.snapshots.update` `pubsub.subscriptions.consume` `pubsub.subscriptions.create` `pubsub.subscriptions.delete` `pubsub.subscriptions.get` `pubsub.subscriptions.getIamPolicy` `pubsub.subscriptions.list` `pubsub.subscriptions.setIamPolicy` `pubsub.subscriptions.update` `pubsub.topics.attachSubscription` `pubsub.topics.create` `pubsub.topics.delete` `pubsub.topics.detachSubscription` `pubsub.topics.get` `pubsub.topics.getIamPolicy` `pubsub.topics.list` `pubsub.topics.publish` `pubsub.topics.setIamPolicy` `pubsub.topics.update` `pubsub.topics.updateTag` `resourcemanager.projects.get` `serviceusage.quotas.get` `serviceusage.services.get` `serviceusage.services.list`
Pub/Sub Editor (`roles/pubsub.editor`) Provides access to modify topics and subscriptions, and access to publish and consume messages. Lowest-level resources where you can grant this role: Schema Snapshot Subscription Topic	`pubsub.messageTransforms.validate` `pubsub.schemas.attach` `pubsub.schemas.commit` `pubsub.schemas.create` `pubsub.schemas.delete` `pubsub.schemas.get` `pubsub.schemas.list` `pubsub.schemas.listRevisions` `pubsub.schemas.rollback` `pubsub.schemas.validate` `pubsub.snapshots.create` `pubsub.snapshots.delete` `pubsub.snapshots.get` `pubsub.snapshots.list` `pubsub.snapshots.seek` `pubsub.snapshots.update` `pubsub.subscriptions.consume` `pubsub.subscriptions.create` `pubsub.subscriptions.delete` `pubsub.subscriptions.get` `pubsub.subscriptions.list` `pubsub.subscriptions.update` `pubsub.topics.attachSubscription` `pubsub.topics.create` `pubsub.topics.delete` `pubsub.topics.detachSubscription` `pubsub.topics.get` `pubsub.topics.list` `pubsub.topics.publish` `pubsub.topics.update` `pubsub.topics.updateTag` `resourcemanager.projects.get` `serviceusage.quotas.get` `serviceusage.services.get` `serviceusage.services.list`
Pub/Sub Publisher (`roles/pubsub.publisher`) Provides access to publish messages to a topic. Lowest-level resources where you can grant this role: Topic	`pubsub.topics.publish`
Cloud Pub/Sub Service Agent (`roles/pubsub.serviceAgent`) Grants Cloud Pub/Sub Service Account access to manage resources. Warning: Do not grant service agent roles to any principals except service agents.	`iam.serviceAccounts.get` `iam.serviceAccounts.getAccessToken` `iam.serviceAccounts.getOpenIdToken` `iam.serviceAccounts.implicitDelegation` `iam.serviceAccounts.list` `iam.serviceAccounts.signBlob` `iam.serviceAccounts.signJwt` `resourcemanager.projects.get` `resourcemanager.projects.list`
Pub/Sub Subscriber (`roles/pubsub.subscriber`) Provides access to consume messages from a subscription and to attach subscriptions to a topic. Lowest-level resources where you can grant this role: Snapshot Subscription Topic	`pubsub.snapshots.seek` `pubsub.subscriptions.consume` `pubsub.topics.attachSubscription`
Pub/Sub Viewer (`roles/pubsub.viewer`) Provides access to view topics and subscriptions. Lowest-level resources where you can grant this role: Schema Snapshot Subscription Topic	`pubsub.messageTransforms.validate` `pubsub.schemas.get` `pubsub.schemas.list` `pubsub.schemas.listRevisions` `pubsub.schemas.validate` `pubsub.snapshots.get` `pubsub.snapshots.list` `pubsub.subscriptions.get` `pubsub.subscriptions.list` `pubsub.topics.get` `pubsub.topics.list` `resourcemanager.projects.get` `serviceusage.quotas.get` `serviceusage.services.get` `serviceusage.services.list`

Pub/Sub Admin

(roles/pubsub.admin)

Provides full access to topics and subscriptions.

Lowest-level resources where you can grant this role:

Schema
Snapshot
Subscription
Topic

pubsub.*

pubsub.messageTransforms.validate
pubsub.schemas.attach
pubsub.schemas.commit
pubsub.schemas.create
pubsub.schemas.delete
pubsub.schemas.get
pubsub.schemas.getIamPolicy
pubsub.schemas.list
pubsub.schemas.listRevisions
pubsub.schemas.rollback
pubsub.schemas.setIamPolicy
pubsub.schemas.validate
pubsub.snapshots.create
pubsub.snapshots.delete
pubsub.snapshots.get
pubsub.snapshots.getIamPolicy
pubsub.snapshots.list
pubsub.snapshots.seek
pubsub.snapshots.setIamPolicy
pubsub.snapshots.update
pubsub.subscriptions.consume
pubsub.subscriptions.create
pubsub.subscriptions.delete
pubsub.subscriptions.get
pubsub.subscriptions.getIamPolicy
pubsub.subscriptions.list
pubsub.subscriptions.setIamPolicy
pubsub.subscriptions.update
pubsub.topics.attachSubscription
pubsub.topics.create
pubsub.topics.delete
pubsub.topics.detachSubscription
pubsub.topics.get
pubsub.topics.getIamPolicy
pubsub.topics.list
pubsub.topics.publish
pubsub.topics.setIamPolicy
pubsub.topics.update
pubsub.topics.updateTag

resourcemanager.projects.get

serviceusage.quotas.get

serviceusage.services.get

serviceusage.services.list

Pub/Sub Editor

(roles/pubsub.editor)

Provides access to modify topics and subscriptions, and access to publish and consume messages.

Lowest-level resources where you can grant this role:

Schema
Snapshot
Subscription
Topic

pubsub.messageTransforms.validate

pubsub.schemas.attach

pubsub.schemas.commit

pubsub.schemas.create

pubsub.schemas.delete

pubsub.schemas.get

pubsub.schemas.list

pubsub.schemas.listRevisions

pubsub.schemas.rollback

pubsub.schemas.validate

pubsub.snapshots.create

pubsub.snapshots.delete

pubsub.snapshots.get

pubsub.snapshots.list

pubsub.snapshots.seek

pubsub.snapshots.update

pubsub.subscriptions.consume

pubsub.subscriptions.create

pubsub.subscriptions.delete

pubsub.subscriptions.get

pubsub.subscriptions.list

pubsub.subscriptions.update

pubsub.topics.attachSubscription

pubsub.topics.create

pubsub.topics.delete

pubsub.topics.detachSubscription

pubsub.topics.get

pubsub.topics.list

pubsub.topics.publish

pubsub.topics.update

pubsub.topics.updateTag

resourcemanager.projects.get

serviceusage.quotas.get

serviceusage.services.get

serviceusage.services.list

Pub/Sub Publisher

(roles/pubsub.publisher)

Provides access to publish messages to a topic.

Lowest-level resources where you can grant this role:

Topic

pubsub.topics.publish

Cloud Pub/Sub Service Agent

(roles/pubsub.serviceAgent)

Grants Cloud Pub/Sub Service Account access to manage resources.

iam.serviceAccounts.get

iam.serviceAccounts.getAccessToken

iam.serviceAccounts.getOpenIdToken

iam.serviceAccounts.implicitDelegation

iam.serviceAccounts.list

iam.serviceAccounts.signBlob

iam.serviceAccounts.signJwt

resourcemanager.projects.get

resourcemanager.projects.list

Pub/Sub Subscriber

(roles/pubsub.subscriber)

Provides access to consume messages from a subscription and to attach subscriptions to a topic.

Lowest-level resources where you can grant this role:

Snapshot
Subscription
Topic

pubsub.snapshots.seek

pubsub.subscriptions.consume

pubsub.topics.attachSubscription

Pub/Sub Viewer

(roles/pubsub.viewer)

Provides access to view topics and subscriptions.

Lowest-level resources where you can grant this role:

Schema
Snapshot
Subscription
Topic

pubsub.messageTransforms.validate

pubsub.schemas.get

pubsub.schemas.list

pubsub.schemas.listRevisions

pubsub.schemas.validate

pubsub.snapshots.get

pubsub.snapshots.list

pubsub.subscriptions.get

pubsub.subscriptions.list

pubsub.topics.get

pubsub.topics.list

resourcemanager.projects.get

serviceusage.quotas.get

serviceusage.services.get

serviceusage.services.list

Pub/Sub permissions

Permission	Included in roles
`pubsub.messageTransforms.validate`	Owner (`roles/owner`) Editor (`roles/editor`) Viewer (`roles/viewer`) Assured OSS Admin (`roles/assuredoss.admin`) Assured OSS Project Admin (`roles/assuredoss.projectAdmin`) Assured OSS Reader (`roles/assuredoss.reader`) Composer Worker (`roles/composer.worker`) Pub/Sub Admin (`roles/pubsub.admin`) Pub/Sub Editor (`roles/pubsub.editor`) Pub/Sub Viewer (`roles/pubsub.viewer`) Cloud Run Source Developer (`roles/run.sourceDeveloper`) Cloud Run Source Viewer (`roles/run.sourceViewer`) Security Center Admin (`roles/securitycenter.admin`) Security Center Admin Editor (`roles/securitycenter.adminEditor`) Security Center Admin Viewer (`roles/securitycenter.adminViewer`) Service agent roles Warning: Don't grant service agent roles to any principals except service agents. Cloud Composer API Service Agent (`roles/composer.serviceAgent`) Container Analysis Service Agent (`roles/containeranalysis.ServiceAgent`) Cloud Dataflow Service Agent (`roles/dataflow.serviceAgent`) DLP API Service Agent (`roles/dlp.serviceAgent`) Application Integration Service Agent (`roles/integrations.serviceAgent`) Spectrum SAS Service Agent (`roles/spectrumsas.serviceAgent`) Cloud TPU V2 API Service Agent (`roles/cloudtpu.serviceAgent`)
`pubsub.schemas.attach`	Owner (`roles/owner`) Editor (`roles/editor`) Viewer (`roles/viewer`) Composer Worker (`roles/composer.worker`) Pub/Sub Admin (`roles/pubsub.admin`) Pub/Sub Editor (`roles/pubsub.editor`) Cloud Run Source Developer (`roles/run.sourceDeveloper`) Service agent roles Warning: Don't grant service agent roles to any principals except service agents. Cloud TPU V2 API Service Agent (`roles/cloudtpu.serviceAgent`) Cloud Composer API Service Agent (`roles/composer.serviceAgent`) Container Analysis Service Agent (`roles/containeranalysis.ServiceAgent`) Cloud Dataflow Service Agent (`roles/dataflow.serviceAgent`) DLP API Service Agent (`roles/dlp.serviceAgent`) Application Integration Service Agent (`roles/integrations.serviceAgent`) Spectrum SAS Service Agent (`roles/spectrumsas.serviceAgent`) Cloud Deployment Manager Service Agent (`roles/clouddeploymentmanager.serviceAgent`)
`pubsub.schemas.commit`	Owner (`roles/owner`) Editor (`roles/editor`) Composer Worker (`roles/composer.worker`) Pub/Sub Admin (`roles/pubsub.admin`) Pub/Sub Editor (`roles/pubsub.editor`) Cloud Run Source Developer (`roles/run.sourceDeveloper`) Service agent roles Warning: Don't grant service agent roles to any principals except service agents. Cloud Composer API Service Agent (`roles/composer.serviceAgent`) Container Analysis Service Agent (`roles/containeranalysis.ServiceAgent`) Cloud Dataflow Service Agent (`roles/dataflow.serviceAgent`) DLP API Service Agent (`roles/dlp.serviceAgent`) Spectrum SAS Service Agent (`roles/spectrumsas.serviceAgent`) Cloud TPU V2 API Service Agent (`roles/cloudtpu.serviceAgent`)
`pubsub.schemas.create`	Owner (`roles/owner`) Editor (`roles/editor`) Composer Worker (`roles/composer.worker`) Pub/Sub Admin (`roles/pubsub.admin`) Pub/Sub Editor (`roles/pubsub.editor`) Cloud Run Source Developer (`roles/run.sourceDeveloper`) Service agent roles Warning: Don't grant service agent roles to any principals except service agents. Cloud Composer API Service Agent (`roles/composer.serviceAgent`) Container Analysis Service Agent (`roles/containeranalysis.ServiceAgent`) Cloud Dataflow Service Agent (`roles/dataflow.serviceAgent`) DLP API Service Agent (`roles/dlp.serviceAgent`) Application Integration Service Agent (`roles/integrations.serviceAgent`) Spectrum SAS Service Agent (`roles/spectrumsas.serviceAgent`) Cloud TPU V2 API Service Agent (`roles/cloudtpu.serviceAgent`)
`pubsub.schemas.delete`	Owner (`roles/owner`) Editor (`roles/editor`) Composer Worker (`roles/composer.worker`) Pub/Sub Admin (`roles/pubsub.admin`) Pub/Sub Editor (`roles/pubsub.editor`) Cloud Run Source Developer (`roles/run.sourceDeveloper`) Service agent roles Warning: Don't grant service agent roles to any principals except service agents. Cloud Composer API Service Agent (`roles/composer.serviceAgent`) Container Analysis Service Agent (`roles/containeranalysis.ServiceAgent`) Cloud Dataflow Service Agent (`roles/dataflow.serviceAgent`) DLP API Service Agent (`roles/dlp.serviceAgent`) Application Integration Service Agent (`roles/integrations.serviceAgent`) Spectrum SAS Service Agent (`roles/spectrumsas.serviceAgent`) Cloud TPU V2 API Service Agent (`roles/cloudtpu.serviceAgent`)
`pubsub.schemas.get`	Owner (`roles/owner`) Editor (`roles/editor`) Viewer (`roles/viewer`) Assured OSS Admin (`roles/assuredoss.admin`) Assured OSS Project Admin (`roles/assuredoss.projectAdmin`) Assured OSS Reader (`roles/assuredoss.reader`) Composer Worker (`roles/composer.worker`) Pub/Sub Admin (`roles/pubsub.admin`) Pub/Sub Editor (`roles/pubsub.editor`) Pub/Sub Viewer (`roles/pubsub.viewer`) Cloud Run Source Developer (`roles/run.sourceDeveloper`) Cloud Run Source Viewer (`roles/run.sourceViewer`) Security Center Admin (`roles/securitycenter.admin`) Security Center Admin Editor (`roles/securitycenter.adminEditor`) Security Center Admin Viewer (`roles/securitycenter.adminViewer`) Service agent roles Warning: Don't grant service agent roles to any principals except service agents. Cloud Composer API Service Agent (`roles/composer.serviceAgent`) Container Analysis Service Agent (`roles/containeranalysis.ServiceAgent`) Cloud Dataflow Service Agent (`roles/dataflow.serviceAgent`) Datapipelines Service Agent (`roles/datapipelines.serviceAgent`) DLP API Service Agent (`roles/dlp.serviceAgent`) Application Integration Service Agent (`roles/integrations.serviceAgent`) Spectrum SAS Service Agent (`roles/spectrumsas.serviceAgent`) Cloud TPU V2 API Service Agent (`roles/cloudtpu.serviceAgent`)
`pubsub.schemas.getIamPolicy`	Owner (`roles/owner`) Editor (`roles/editor`) Viewer (`roles/viewer`) Security Admin (`roles/iam.securityAdmin`) Security Reviewer (`roles/iam.securityReviewer`) Pub/Sub Admin (`roles/pubsub.admin`) Service agent roles Warning: Don't grant service agent roles to any principals except service agents. Cloud Composer API Service Agent (`roles/composer.serviceAgent`) Cloud Dataflow Service Agent (`roles/dataflow.serviceAgent`) DLP API Service Agent (`roles/dlp.serviceAgent`) Cloud TPU V2 API Service Agent (`roles/cloudtpu.serviceAgent`)
`pubsub.schemas.list`	Owner (`roles/owner`) Editor (`roles/editor`) Viewer (`roles/viewer`) Assured OSS Admin (`roles/assuredoss.admin`) Assured OSS Project Admin (`roles/assuredoss.projectAdmin`) Assured OSS Reader (`roles/assuredoss.reader`) Composer Worker (`roles/composer.worker`) Security Admin (`roles/iam.securityAdmin`) Security Reviewer (`roles/iam.securityReviewer`) Pub/Sub Admin (`roles/pubsub.admin`) Pub/Sub Editor (`roles/pubsub.editor`) Pub/Sub Viewer (`roles/pubsub.viewer`) Cloud Run Source Developer (`roles/run.sourceDeveloper`) Cloud Run Source Viewer (`roles/run.sourceViewer`) Security Center Admin (`roles/securitycenter.admin`) Security Center Admin Editor (`roles/securitycenter.adminEditor`) Security Center Admin Viewer (`roles/securitycenter.adminViewer`) Service agent roles Warning: Don't grant service agent roles to any principals except service agents. Cloud Composer API Service Agent (`roles/composer.serviceAgent`) Container Analysis Service Agent (`roles/containeranalysis.ServiceAgent`) Cloud Dataflow Service Agent (`roles/dataflow.serviceAgent`) DLP API Service Agent (`roles/dlp.serviceAgent`) Application Integration Service Agent (`roles/integrations.serviceAgent`) Spectrum SAS Service Agent (`roles/spectrumsas.serviceAgent`) Cloud TPU V2 API Service Agent (`roles/cloudtpu.serviceAgent`)
`pubsub.schemas.listRevisions`	Owner (`roles/owner`) Editor (`roles/editor`) Viewer (`roles/viewer`) Assured OSS Admin (`roles/assuredoss.admin`) Assured OSS Project Admin (`roles/assuredoss.projectAdmin`) Assured OSS Reader (`roles/assuredoss.reader`) Composer Worker (`roles/composer.worker`) Pub/Sub Admin (`roles/pubsub.admin`) Pub/Sub Editor (`roles/pubsub.editor`) Pub/Sub Viewer (`roles/pubsub.viewer`) Cloud Run Source Developer (`roles/run.sourceDeveloper`) Cloud Run Source Viewer (`roles/run.sourceViewer`) Security Center Admin (`roles/securitycenter.admin`) Security Center Admin Editor (`roles/securitycenter.adminEditor`) Security Center Admin Viewer (`roles/securitycenter.adminViewer`) Service agent roles Warning: Don't grant service agent roles to any principals except service agents. Cloud Composer API Service Agent (`roles/composer.serviceAgent`) Container Analysis Service Agent (`roles/containeranalysis.ServiceAgent`) Cloud Dataflow Service Agent (`roles/dataflow.serviceAgent`) DLP API Service Agent (`roles/dlp.serviceAgent`) Spectrum SAS Service Agent (`roles/spectrumsas.serviceAgent`) Cloud TPU V2 API Service Agent (`roles/cloudtpu.serviceAgent`)
`pubsub.schemas.rollback`	Owner (`roles/owner`) Editor (`roles/editor`) Composer Worker (`roles/composer.worker`) Pub/Sub Admin (`roles/pubsub.admin`) Pub/Sub Editor (`roles/pubsub.editor`) Cloud Run Source Developer (`roles/run.sourceDeveloper`) Service agent roles Warning: Don't grant service agent roles to any principals except service agents. Cloud Composer API Service Agent (`roles/composer.serviceAgent`) Container Analysis Service Agent (`roles/containeranalysis.ServiceAgent`) Cloud Dataflow Service Agent (`roles/dataflow.serviceAgent`) DLP API Service Agent (`roles/dlp.serviceAgent`) Spectrum SAS Service Agent (`roles/spectrumsas.serviceAgent`) Cloud TPU V2 API Service Agent (`roles/cloudtpu.serviceAgent`)
`pubsub.schemas.setIamPolicy`	Owner (`roles/owner`) Security Admin (`roles/iam.securityAdmin`) Pub/Sub Admin (`roles/pubsub.admin`) Service agent roles Warning: Don't grant service agent roles to any principals except service agents. Cloud Composer API Service Agent (`roles/composer.serviceAgent`) Cloud Dataflow Service Agent (`roles/dataflow.serviceAgent`) DLP API Service Agent (`roles/dlp.serviceAgent`) Cloud TPU V2 API Service Agent (`roles/cloudtpu.serviceAgent`)
`pubsub.schemas.validate`	Owner (`roles/owner`) Editor (`roles/editor`) Viewer (`roles/viewer`) Assured OSS Admin (`roles/assuredoss.admin`) Assured OSS Project Admin (`roles/assuredoss.projectAdmin`) Assured OSS Reader (`roles/assuredoss.reader`) Composer Worker (`roles/composer.worker`) Pub/Sub Admin (`roles/pubsub.admin`) Pub/Sub Editor (`roles/pubsub.editor`) Pub/Sub Viewer (`roles/pubsub.viewer`) Cloud Run Source Developer (`roles/run.sourceDeveloper`) Cloud Run Source Viewer (`roles/run.sourceViewer`) Security Center Admin (`roles/securitycenter.admin`) Security Center Admin Editor (`roles/securitycenter.adminEditor`) Security Center Admin Viewer (`roles/securitycenter.adminViewer`) Service agent roles Warning: Don't grant service agent roles to any principals except service agents. Cloud Composer API Service Agent (`roles/composer.serviceAgent`) Container Analysis Service Agent (`roles/containeranalysis.ServiceAgent`) Cloud Dataflow Service Agent (`roles/dataflow.serviceAgent`) DLP API Service Agent (`roles/dlp.serviceAgent`) Application Integration Service Agent (`roles/integrations.serviceAgent`) Spectrum SAS Service Agent (`roles/spectrumsas.serviceAgent`) Cloud TPU V2 API Service Agent (`roles/cloudtpu.serviceAgent`)
`pubsub.snapshots.create`	Owner (`roles/owner`) Editor (`roles/editor`) Composer Worker (`roles/composer.worker`) Pub/Sub Admin (`roles/pubsub.admin`) Pub/Sub Editor (`roles/pubsub.editor`) Cloud Run Source Developer (`roles/run.sourceDeveloper`) Service agent roles Warning: Don't grant service agent roles to any principals except service agents. Cloud Composer API Service Agent (`roles/composer.serviceAgent`) Container Analysis Service Agent (`roles/containeranalysis.ServiceAgent`) Cloud Dataflow Service Agent (`roles/dataflow.serviceAgent`) DLP API Service Agent (`roles/dlp.serviceAgent`) Application Integration Service Agent (`roles/integrations.serviceAgent`) Spectrum SAS Service Agent (`roles/spectrumsas.serviceAgent`) Cloud TPU V2 API Service Agent (`roles/cloudtpu.serviceAgent`)
`pubsub.snapshots.delete`	Owner (`roles/owner`) Editor (`roles/editor`) Composer Worker (`roles/composer.worker`) Pub/Sub Admin (`roles/pubsub.admin`) Pub/Sub Editor (`roles/pubsub.editor`) Cloud Run Source Developer (`roles/run.sourceDeveloper`) Service agent roles Warning: Don't grant service agent roles to any principals except service agents. Cloud Composer API Service Agent (`roles/composer.serviceAgent`) Container Analysis Service Agent (`roles/containeranalysis.ServiceAgent`) Cloud Dataflow Service Agent (`roles/dataflow.serviceAgent`) DLP API Service Agent (`roles/dlp.serviceAgent`) Application Integration Service Agent (`roles/integrations.serviceAgent`) Spectrum SAS Service Agent (`roles/spectrumsas.serviceAgent`) Cloud TPU V2 API Service Agent (`roles/cloudtpu.serviceAgent`)
`pubsub.snapshots.get`	Owner (`roles/owner`) Editor (`roles/editor`) Viewer (`roles/viewer`) Assured OSS Admin (`roles/assuredoss.admin`) Assured OSS Project Admin (`roles/assuredoss.projectAdmin`) Assured OSS Reader (`roles/assuredoss.reader`) Composer Worker (`roles/composer.worker`) Pub/Sub Admin (`roles/pubsub.admin`) Pub/Sub Editor (`roles/pubsub.editor`) Pub/Sub Viewer (`roles/pubsub.viewer`) Cloud Run Source Developer (`roles/run.sourceDeveloper`) Cloud Run Source Viewer (`roles/run.sourceViewer`) Security Center Admin (`roles/securitycenter.admin`) Security Center Admin Editor (`roles/securitycenter.adminEditor`) Security Center Admin Viewer (`roles/securitycenter.adminViewer`) Service agent roles Warning: Don't grant service agent roles to any principals except service agents. Cloud Composer API Service Agent (`roles/composer.serviceAgent`) Container Analysis Service Agent (`roles/containeranalysis.ServiceAgent`) Cloud Dataflow Service Agent (`roles/dataflow.serviceAgent`) DLP API Service Agent (`roles/dlp.serviceAgent`) Application Integration Service Agent (`roles/integrations.serviceAgent`) Spectrum SAS Service Agent (`roles/spectrumsas.serviceAgent`) Cloud TPU V2 API Service Agent (`roles/cloudtpu.serviceAgent`)
`pubsub.snapshots.getIamPolicy`	Owner (`roles/owner`) Security Admin (`roles/iam.securityAdmin`) Security Reviewer (`roles/iam.securityReviewer`) Pub/Sub Admin (`roles/pubsub.admin`) Service agent roles Warning: Don't grant service agent roles to any principals except service agents. Cloud Composer API Service Agent (`roles/composer.serviceAgent`) Cloud Dataflow Service Agent (`roles/dataflow.serviceAgent`) DLP API Service Agent (`roles/dlp.serviceAgent`) Cloud TPU V2 API Service Agent (`roles/cloudtpu.serviceAgent`)
`pubsub.snapshots.list`	Owner (`roles/owner`) Editor (`roles/editor`) Viewer (`roles/viewer`) Assured OSS Admin (`roles/assuredoss.admin`) Assured OSS Project Admin (`roles/assuredoss.projectAdmin`) Assured OSS Reader (`roles/assuredoss.reader`) Composer Worker (`roles/composer.worker`) Security Admin (`roles/iam.securityAdmin`) Security Reviewer (`roles/iam.securityReviewer`) Pub/Sub Admin (`roles/pubsub.admin`) Pub/Sub Editor (`roles/pubsub.editor`) Pub/Sub Viewer (`roles/pubsub.viewer`) Cloud Run Source Developer (`roles/run.sourceDeveloper`) Cloud Run Source Viewer (`roles/run.sourceViewer`) Security Center Admin (`roles/securitycenter.admin`) Security Center Admin Editor (`roles/securitycenter.adminEditor`) Security Center Admin Viewer (`roles/securitycenter.adminViewer`) Service agent roles Warning: Don't grant service agent roles to any principals except service agents. Cloud Composer API Service Agent (`roles/composer.serviceAgent`) Container Analysis Service Agent (`roles/containeranalysis.ServiceAgent`) Cloud Dataflow Service Agent (`roles/dataflow.serviceAgent`) DLP API Service Agent (`roles/dlp.serviceAgent`) Application Integration Service Agent (`roles/integrations.serviceAgent`) Spectrum SAS Service Agent (`roles/spectrumsas.serviceAgent`) Cloud TPU V2 API Service Agent (`roles/cloudtpu.serviceAgent`)
`pubsub.snapshots.seek`	Owner (`roles/owner`) Editor (`roles/editor`) Viewer (`roles/viewer`) Composer Worker (`roles/composer.worker`) Pub/Sub Admin (`roles/pubsub.admin`) Pub/Sub Editor (`roles/pubsub.editor`) Pub/Sub Subscriber (`roles/pubsub.subscriber`) Cloud Run Source Developer (`roles/run.sourceDeveloper`) Service agent roles Warning: Don't grant service agent roles to any principals except service agents. Cloud Composer API Service Agent (`roles/composer.serviceAgent`) Container Analysis Service Agent (`roles/containeranalysis.ServiceAgent`) Cloud Dataflow Service Agent (`roles/dataflow.serviceAgent`) Dialogflow Service Agent (`roles/dialogflow.serviceAgent`) DLP API Service Agent (`roles/dlp.serviceAgent`) Healthcare Service Agent (`roles/healthcare.serviceAgent`) Application Integration Service Agent (`roles/integrations.serviceAgent`) Spectrum SAS Service Agent (`roles/spectrumsas.serviceAgent`) Cloud TPU V2 API Service Agent (`roles/cloudtpu.serviceAgent`)
`pubsub.snapshots.setIamPolicy`	Owner (`roles/owner`) Security Admin (`roles/iam.securityAdmin`) Pub/Sub Admin (`roles/pubsub.admin`) Service agent roles Warning: Don't grant service agent roles to any principals except service agents. Cloud Composer API Service Agent (`roles/composer.serviceAgent`) Cloud Dataflow Service Agent (`roles/dataflow.serviceAgent`) DLP API Service Agent (`roles/dlp.serviceAgent`) Cloud TPU V2 API Service Agent (`roles/cloudtpu.serviceAgent`)
`pubsub.snapshots.update`	Owner (`roles/owner`) Editor (`roles/editor`) Composer Worker (`roles/composer.worker`) Pub/Sub Admin (`roles/pubsub.admin`) Pub/Sub Editor (`roles/pubsub.editor`) Cloud Run Source Developer (`roles/run.sourceDeveloper`) Service agent roles Warning: Don't grant service agent roles to any principals except service agents. Cloud Composer API Service Agent (`roles/composer.serviceAgent`) Container Analysis Service Agent (`roles/containeranalysis.ServiceAgent`) Cloud Dataflow Service Agent (`roles/dataflow.serviceAgent`) DLP API Service Agent (`roles/dlp.serviceAgent`) Application Integration Service Agent (`roles/integrations.serviceAgent`) Spectrum SAS Service Agent (`roles/spectrumsas.serviceAgent`) Cloud TPU V2 API Service Agent (`roles/cloudtpu.serviceAgent`)
`pubsub.subscriptions.consume`	Owner (`roles/owner`) Editor (`roles/editor`) Composer Worker (`roles/composer.worker`) Pub/Sub Admin (`roles/pubsub.admin`) Pub/Sub Editor (`roles/pubsub.editor`) Pub/Sub Subscriber (`roles/pubsub.subscriber`) Cloud Run Source Developer (`roles/run.sourceDeveloper`) Storage Transfer Agent (`roles/storagetransfer.transferAgent`) Service agent roles Warning: Don't grant service agent roles to any principals except service agents. Cloud TPU V2 API Service Agent (`roles/cloudtpu.serviceAgent`) Cloud Composer API Service Agent (`roles/composer.serviceAgent`) Container Analysis Service Agent (`roles/containeranalysis.ServiceAgent`) Cloud Dataflow Service Agent (`roles/dataflow.serviceAgent`) Dialogflow Service Agent (`roles/dialogflow.serviceAgent`) DLP API Service Agent (`roles/dlp.serviceAgent`) Eventarc Service Agent (`roles/eventarc.serviceAgent`) Healthcare Service Agent (`roles/healthcare.serviceAgent`) Application Integration Service Agent (`roles/integrations.serviceAgent`) KubeRun Events Data Plane Service Agent (`roles/kuberun.eventsDataPlaneServiceAgent`) Secured Landing Zone Service Agent (`roles/securedlandingzone.serviceAgent`) Spectrum SAS Service Agent (`roles/spectrumsas.serviceAgent`) Storage Transfer Service Agent (`roles/storagetransfer.serviceAgent`) Cloud Vision AI Service Agent (`roles/visionai.serviceAgent`) Cloud Functions Service Agent (`roles/cloudfunctions.serviceAgent`)
`pubsub.subscriptions.create`	Owner (`roles/owner`) Editor (`roles/editor`) Assured OSS Admin (`roles/assuredoss.admin`) Composer Worker (`roles/composer.worker`) Pub/Sub Admin (`roles/pubsub.admin`) Pub/Sub Editor (`roles/pubsub.editor`) Cloud Run Source Developer (`roles/run.sourceDeveloper`) Security Center Admin (`roles/securitycenter.admin`) Cloud Run Service Agent (`roles/serverless.serviceAgent`) Storage Transfer Agent (`roles/storagetransfer.transferAgent`) Service agent roles Warning: Don't grant service agent roles to any principals except service agents. Cloud Deployment Manager Service Agent (`roles/clouddeploymentmanager.serviceAgent`) Cloud Functions Service Agent (`roles/cloudfunctions.serviceAgent`) Cloud TPU V2 API Service Agent (`roles/cloudtpu.serviceAgent`) Cloud Composer API Service Agent (`roles/composer.serviceAgent`) Container Analysis Service Agent (`roles/containeranalysis.ServiceAgent`) Cloud Dataflow Service Agent (`roles/dataflow.serviceAgent`) DLP API Service Agent (`roles/dlp.serviceAgent`) Eventarc Service Agent (`roles/eventarc.serviceAgent`) Application Integration Service Agent (`roles/integrations.serviceAgent`) KubeRun Events Control Plane Service Agent (`roles/kuberun.eventsControlPlaneServiceAgent`) Secured Landing Zone Service Agent (`roles/securedlandingzone.serviceAgent`) Spectrum SAS Service Agent (`roles/spectrumsas.serviceAgent`) Storage Transfer Service Agent (`roles/storagetransfer.serviceAgent`) Cloud Vision AI Service Agent (`roles/visionai.serviceAgent`) Cloud Build Service Agent (`roles/cloudbuild.serviceAgent`)
`pubsub.subscriptions.delete`	Owner (`roles/owner`) Editor (`roles/editor`) Composer Worker (`roles/composer.worker`) Pub/Sub Admin (`roles/pubsub.admin`) Pub/Sub Editor (`roles/pubsub.editor`) Cloud Run Source Developer (`roles/run.sourceDeveloper`) Cloud Run Service Agent (`roles/serverless.serviceAgent`) Storage Transfer Agent (`roles/storagetransfer.transferAgent`) Service agent roles Warning: Don't grant service agent roles to any principals except service agents. Cloud Deployment Manager Service Agent (`roles/clouddeploymentmanager.serviceAgent`) Cloud Functions Service Agent (`roles/cloudfunctions.serviceAgent`) Cloud TPU V2 API Service Agent (`roles/cloudtpu.serviceAgent`) Cloud Composer API Service Agent (`roles/composer.serviceAgent`) Container Analysis Service Agent (`roles/containeranalysis.ServiceAgent`) Cloud Dataflow Service Agent (`roles/dataflow.serviceAgent`) DLP API Service Agent (`roles/dlp.serviceAgent`) Eventarc Service Agent (`roles/eventarc.serviceAgent`) Application Integration Service Agent (`roles/integrations.serviceAgent`) KubeRun Events Control Plane Service Agent (`roles/kuberun.eventsControlPlaneServiceAgent`) Secured Landing Zone Service Agent (`roles/securedlandingzone.serviceAgent`) Spectrum SAS Service Agent (`roles/spectrumsas.serviceAgent`) Storage Transfer Service Agent (`roles/storagetransfer.serviceAgent`) Cloud Vision AI Service Agent (`roles/visionai.serviceAgent`) Cloud Build Service Agent (`roles/cloudbuild.serviceAgent`)
`pubsub.subscriptions.get`	Owner (`roles/owner`) Editor (`roles/editor`) Viewer (`roles/viewer`) Assured OSS Admin (`roles/assuredoss.admin`) Assured OSS Project Admin (`roles/assuredoss.projectAdmin`) Assured OSS Reader (`roles/assuredoss.reader`) Composer Worker (`roles/composer.worker`) Pub/Sub Admin (`roles/pubsub.admin`) Pub/Sub Editor (`roles/pubsub.editor`) Pub/Sub Viewer (`roles/pubsub.viewer`) Cloud Run Source Developer (`roles/run.sourceDeveloper`) Cloud Run Source Viewer (`roles/run.sourceViewer`) Security Center Admin (`roles/securitycenter.admin`) Security Center Admin Editor (`roles/securitycenter.adminEditor`) Security Center Admin Viewer (`roles/securitycenter.adminViewer`) Cloud Run Service Agent (`roles/serverless.serviceAgent`) Storage Transfer Agent (`roles/storagetransfer.transferAgent`) Service agent roles Warning: Don't grant service agent roles to any principals except service agents. Cloud Deployment Manager Service Agent (`roles/clouddeploymentmanager.serviceAgent`) Cloud Functions Service Agent (`roles/cloudfunctions.serviceAgent`) Cloud TPU V2 API Service Agent (`roles/cloudtpu.serviceAgent`) Cloud Composer API Service Agent (`roles/composer.serviceAgent`) Container Analysis Service Agent (`roles/containeranalysis.ServiceAgent`) Cloud Dataflow Service Agent (`roles/dataflow.serviceAgent`) DLP API Service Agent (`roles/dlp.serviceAgent`) Eventarc Service Agent (`roles/eventarc.serviceAgent`) Application Integration Service Agent (`roles/integrations.serviceAgent`) KubeRun Events Control Plane Service Agent (`roles/kuberun.eventsControlPlaneServiceAgent`) KubeRun Events Data Plane Service Agent (`roles/kuberun.eventsDataPlaneServiceAgent`) Spectrum SAS Service Agent (`roles/spectrumsas.serviceAgent`) Storage Transfer Service Agent (`roles/storagetransfer.serviceAgent`) Cloud Vision AI Service Agent (`roles/visionai.serviceAgent`) Cloud Build Service Agent (`roles/cloudbuild.serviceAgent`)
`pubsub.subscriptions.getIamPolicy`	Owner (`roles/owner`) Security Admin (`roles/iam.securityAdmin`) Security Reviewer (`roles/iam.securityReviewer`) Pub/Sub Admin (`roles/pubsub.admin`) Service agent roles Warning: Don't grant service agent roles to any principals except service agents. Cloud TPU V2 API Service Agent (`roles/cloudtpu.serviceAgent`) Cloud Composer API Service Agent (`roles/composer.serviceAgent`) Cloud Dataflow Service Agent (`roles/dataflow.serviceAgent`) DLP API Service Agent (`roles/dlp.serviceAgent`) Cloud Functions Service Agent (`roles/cloudfunctions.serviceAgent`)
`pubsub.subscriptions.list`	Owner (`roles/owner`) Editor (`roles/editor`) Viewer (`roles/viewer`) Assured OSS Admin (`roles/assuredoss.admin`) Assured OSS Project Admin (`roles/assuredoss.projectAdmin`) Assured OSS Reader (`roles/assuredoss.reader`) Composer Worker (`roles/composer.worker`) Security Admin (`roles/iam.securityAdmin`) Security Reviewer (`roles/iam.securityReviewer`) Pub/Sub Admin (`roles/pubsub.admin`) Pub/Sub Editor (`roles/pubsub.editor`) Pub/Sub Viewer (`roles/pubsub.viewer`) Cloud Run Source Developer (`roles/run.sourceDeveloper`) Cloud Run Source Viewer (`roles/run.sourceViewer`) Security Center Admin (`roles/securitycenter.admin`) Security Center Admin Editor (`roles/securitycenter.adminEditor`) Security Center Admin Viewer (`roles/securitycenter.adminViewer`) Cloud Run Service Agent (`roles/serverless.serviceAgent`) Service agent roles Warning: Don't grant service agent roles to any principals except service agents. Cloud TPU V2 API Service Agent (`roles/cloudtpu.serviceAgent`) Cloud Composer API Service Agent (`roles/composer.serviceAgent`) Container Analysis Service Agent (`roles/containeranalysis.ServiceAgent`) Cloud Dataflow Service Agent (`roles/dataflow.serviceAgent`) DLP API Service Agent (`roles/dlp.serviceAgent`) Eventarc Service Agent (`roles/eventarc.serviceAgent`) Application Integration Service Agent (`roles/integrations.serviceAgent`) Spectrum SAS Service Agent (`roles/spectrumsas.serviceAgent`) Cloud Vision AI Service Agent (`roles/visionai.serviceAgent`) Cloud Functions Service Agent (`roles/cloudfunctions.serviceAgent`)
`pubsub.subscriptions.setIamPolicy`	Owner (`roles/owner`) Security Admin (`roles/iam.securityAdmin`) Pub/Sub Admin (`roles/pubsub.admin`) Service agent roles Warning: Don't grant service agent roles to any principals except service agents. Cloud TPU V2 API Service Agent (`roles/cloudtpu.serviceAgent`) Cloud Composer API Service Agent (`roles/composer.serviceAgent`) Cloud Dataflow Service Agent (`roles/dataflow.serviceAgent`) DLP API Service Agent (`roles/dlp.serviceAgent`) Cloud Functions Service Agent (`roles/cloudfunctions.serviceAgent`)
`pubsub.subscriptions.update`	Owner (`roles/owner`) Editor (`roles/editor`) Assured OSS Admin (`roles/assuredoss.admin`) Composer Worker (`roles/composer.worker`) Pub/Sub Admin (`roles/pubsub.admin`) Pub/Sub Editor (`roles/pubsub.editor`) Cloud Run Source Developer (`roles/run.sourceDeveloper`) Security Center Admin (`roles/securitycenter.admin`) Service agent roles Warning: Don't grant service agent roles to any principals except service agents. Cloud Deployment Manager Service Agent (`roles/clouddeploymentmanager.serviceAgent`) Cloud Functions Service Agent (`roles/cloudfunctions.serviceAgent`) Cloud TPU V2 API Service Agent (`roles/cloudtpu.serviceAgent`) Cloud Composer API Service Agent (`roles/composer.serviceAgent`) Container Analysis Service Agent (`roles/containeranalysis.ServiceAgent`) Cloud Dataflow Service Agent (`roles/dataflow.serviceAgent`) DLP API Service Agent (`roles/dlp.serviceAgent`) Eventarc Service Agent (`roles/eventarc.serviceAgent`) Application Integration Service Agent (`roles/integrations.serviceAgent`) Spectrum SAS Service Agent (`roles/spectrumsas.serviceAgent`) Storage Transfer Service Agent (`roles/storagetransfer.serviceAgent`) Cloud Vision AI Service Agent (`roles/visionai.serviceAgent`) Cloud Build Service Agent (`roles/cloudbuild.serviceAgent`)
`pubsub.topics.attachSubscription`	Owner (`roles/owner`) Editor (`roles/editor`) Composer Worker (`roles/composer.worker`) Pub/Sub Admin (`roles/pubsub.admin`) Pub/Sub Editor (`roles/pubsub.editor`) Pub/Sub Subscriber (`roles/pubsub.subscriber`) Cloud Run Source Developer (`roles/run.sourceDeveloper`) Cloud Run Service Agent (`roles/serverless.serviceAgent`) Storage Transfer Agent (`roles/storagetransfer.transferAgent`) Service agent roles Warning: Don't grant service agent roles to any principals except service agents. Cloud Deployment Manager Service Agent (`roles/clouddeploymentmanager.serviceAgent`) Cloud Functions Service Agent (`roles/cloudfunctions.serviceAgent`) Cloud TPU V2 API Service Agent (`roles/cloudtpu.serviceAgent`) Cloud Composer API Service Agent (`roles/composer.serviceAgent`) Container Analysis Service Agent (`roles/containeranalysis.ServiceAgent`) Cloud Dataflow Service Agent (`roles/dataflow.serviceAgent`) Dialogflow Service Agent (`roles/dialogflow.serviceAgent`) DLP API Service Agent (`roles/dlp.serviceAgent`) Eventarc Service Agent (`roles/eventarc.serviceAgent`) Healthcare Service Agent (`roles/healthcare.serviceAgent`) Application Integration Service Agent (`roles/integrations.serviceAgent`) KubeRun Events Control Plane Service Agent (`roles/kuberun.eventsControlPlaneServiceAgent`) Secured Landing Zone Service Agent (`roles/securedlandingzone.serviceAgent`) Spectrum SAS Service Agent (`roles/spectrumsas.serviceAgent`) Storage Transfer Service Agent (`roles/storagetransfer.serviceAgent`) Cloud Vision AI Service Agent (`roles/visionai.serviceAgent`) Cloud Build Service Agent (`roles/cloudbuild.serviceAgent`)
`pubsub.topics.create`	Owner (`roles/owner`) Editor (`roles/editor`) Cloud Build Service Account (`roles/cloudbuild.builds.builder`) Composer Worker (`roles/composer.worker`) Pub/Sub Admin (`roles/pubsub.admin`) Pub/Sub Editor (`roles/pubsub.editor`) Cloud Run Source Developer (`roles/run.sourceDeveloper`) Cloud Run Service Agent (`roles/serverless.serviceAgent`) Storage Transfer Agent (`roles/storagetransfer.transferAgent`) Service agent roles Warning: Don't grant service agent roles to any principals except service agents. Cloud Deployment Manager Service Agent (`roles/clouddeploymentmanager.serviceAgent`) Cloud Functions Service Agent (`roles/cloudfunctions.serviceAgent`) Cloud TPU V2 API Service Agent (`roles/cloudtpu.serviceAgent`) Cloud Composer API Service Agent (`roles/composer.serviceAgent`) Kubernetes Engine Service Agent (`roles/container.serviceAgent`) Container Analysis Service Agent (`roles/containeranalysis.ServiceAgent`) Cloud Dataflow Service Agent (`roles/dataflow.serviceAgent`) DLP API Service Agent (`roles/dlp.serviceAgent`) Eventarc Service Agent (`roles/eventarc.serviceAgent`) Application Integration Service Agent (`roles/integrations.serviceAgent`) KubeRun Events Control Plane Service Agent (`roles/kuberun.eventsControlPlaneServiceAgent`) Secured Landing Zone Service Agent (`roles/securedlandingzone.serviceAgent`) Spectrum SAS Service Agent (`roles/spectrumsas.serviceAgent`) Storage Transfer Service Agent (`roles/storagetransfer.serviceAgent`) Cloud Vision AI Service Agent (`roles/visionai.serviceAgent`) Cloud Build Service Agent (`roles/cloudbuild.serviceAgent`)
`pubsub.topics.delete`	Owner (`roles/owner`) Editor (`roles/editor`) Composer Worker (`roles/composer.worker`) Pub/Sub Admin (`roles/pubsub.admin`) Pub/Sub Editor (`roles/pubsub.editor`) Cloud Run Source Developer (`roles/run.sourceDeveloper`) Cloud Run Service Agent (`roles/serverless.serviceAgent`) Service agent roles Warning: Don't grant service agent roles to any principals except service agents. Cloud TPU V2 API Service Agent (`roles/cloudtpu.serviceAgent`) Cloud Composer API Service Agent (`roles/composer.serviceAgent`) Container Analysis Service Agent (`roles/containeranalysis.ServiceAgent`) Cloud Dataflow Service Agent (`roles/dataflow.serviceAgent`) DLP API Service Agent (`roles/dlp.serviceAgent`) Eventarc Service Agent (`roles/eventarc.serviceAgent`) Application Integration Service Agent (`roles/integrations.serviceAgent`) KubeRun Events Control Plane Service Agent (`roles/kuberun.eventsControlPlaneServiceAgent`) Secured Landing Zone Service Agent (`roles/securedlandingzone.serviceAgent`) Spectrum SAS Service Agent (`roles/spectrumsas.serviceAgent`) Storage Transfer Service Agent (`roles/storagetransfer.serviceAgent`) Cloud Vision AI Service Agent (`roles/visionai.serviceAgent`) Cloud Deployment Manager Service Agent (`roles/clouddeploymentmanager.serviceAgent`)
`pubsub.topics.detachSubscription`	Owner (`roles/owner`) Editor (`roles/editor`) Composer Worker (`roles/composer.worker`) Pub/Sub Admin (`roles/pubsub.admin`) Pub/Sub Editor (`roles/pubsub.editor`) Cloud Run Source Developer (`roles/run.sourceDeveloper`) Service agent roles Warning: Don't grant service agent roles to any principals except service agents. Cloud Composer API Service Agent (`roles/composer.serviceAgent`) Container Analysis Service Agent (`roles/containeranalysis.ServiceAgent`) Cloud Dataflow Service Agent (`roles/dataflow.serviceAgent`) DLP API Service Agent (`roles/dlp.serviceAgent`) Application Integration Service Agent (`roles/integrations.serviceAgent`) Secured Landing Zone Service Agent (`roles/securedlandingzone.serviceAgent`) Spectrum SAS Service Agent (`roles/spectrumsas.serviceAgent`) Cloud TPU V2 API Service Agent (`roles/cloudtpu.serviceAgent`)
`pubsub.topics.get`	Owner (`roles/owner`) Editor (`roles/editor`) Viewer (`roles/viewer`) Assured OSS Admin (`roles/assuredoss.admin`) Assured OSS Project Admin (`roles/assuredoss.projectAdmin`) Assured OSS Reader (`roles/assuredoss.reader`) Composer Worker (`roles/composer.worker`) Data Catalog Admin (`roles/datacatalog.admin`) Data Catalog Viewer (`roles/datacatalog.viewer`) Firebase Rules System (`roles/firebaserules.system`) Pub/Sub Admin (`roles/pubsub.admin`) Pub/Sub Editor (`roles/pubsub.editor`) Pub/Sub Viewer (`roles/pubsub.viewer`) Cloud Run Source Developer (`roles/run.sourceDeveloper`) Cloud Run Source Viewer (`roles/run.sourceViewer`) SLZ BQDW Blueprint Project Level Remediator (`roles/securedlandingzone.bqdwProjectRemediator`) Security Center Admin (`roles/securitycenter.admin`) Security Center Admin Editor (`roles/securitycenter.adminEditor`) Security Center Admin Viewer (`roles/securitycenter.adminViewer`) Cloud Run Service Agent (`roles/serverless.serviceAgent`) Storage Transfer Agent (`roles/storagetransfer.transferAgent`) Service agent roles Warning: Don't grant service agent roles to any principals except service agents. Cloud Deploy Service Agent (`roles/clouddeploy.serviceAgent`) Cloud Deployment Manager Service Agent (`roles/clouddeploymentmanager.serviceAgent`) Cloud Functions Service Agent (`roles/cloudfunctions.serviceAgent`) Cloud TPU V2 API Service Agent (`roles/cloudtpu.serviceAgent`) Cloud Composer API Service Agent (`roles/composer.serviceAgent`) Contact Center AI Insights Service Agent (`roles/contactcenterinsights.serviceAgent`) Kubernetes Engine Service Agent (`roles/container.serviceAgent`) Container Analysis Service Agent (`roles/containeranalysis.ServiceAgent`) Cloud Dataflow Service Agent (`roles/dataflow.serviceAgent`) Datapipelines Service Agent (`roles/datapipelines.serviceAgent`) DLP API Service Agent (`roles/dlp.serviceAgent`) Eventarc Service Agent (`roles/eventarc.serviceAgent`) Application Integration Service Agent (`roles/integrations.serviceAgent`) KubeRun Events Control Plane Service Agent (`roles/kuberun.eventsControlPlaneServiceAgent`) KubeRun Events Data Plane Service Agent (`roles/kuberun.eventsDataPlaneServiceAgent`) Media Asset Service Agent (`roles/mediaasset.serviceAgent`) Spectrum SAS Service Agent (`roles/spectrumsas.serviceAgent`) Storage Transfer Service Agent (`roles/storagetransfer.serviceAgent`) Cloud Vision AI Service Agent (`roles/visionai.serviceAgent`) Cloud Build Service Agent (`roles/cloudbuild.serviceAgent`)
`pubsub.topics.getIamPolicy`	Owner (`roles/owner`) Security Admin (`roles/iam.securityAdmin`) Security Reviewer (`roles/iam.securityReviewer`) Pub/Sub Admin (`roles/pubsub.admin`) SLZ BQDW Blueprint Project Level Remediator (`roles/securedlandingzone.bqdwProjectRemediator`) Service agent roles Warning: Don't grant service agent roles to any principals except service agents. Cloud TPU V2 API Service Agent (`roles/cloudtpu.serviceAgent`) Cloud Composer API Service Agent (`roles/composer.serviceAgent`) Cloud Dataflow Service Agent (`roles/dataflow.serviceAgent`) DLP API Service Agent (`roles/dlp.serviceAgent`) KubeRun Events Control Plane Service Agent (`roles/kuberun.eventsControlPlaneServiceAgent`) Secured Landing Zone Service Agent (`roles/securedlandingzone.serviceAgent`) Cloud Deployment Manager Service Agent (`roles/clouddeploymentmanager.serviceAgent`)
`pubsub.topics.list`	Owner (`roles/owner`) Editor (`roles/editor`) Viewer (`roles/viewer`) Assured OSS Admin (`roles/assuredoss.admin`) Assured OSS Project Admin (`roles/assuredoss.projectAdmin`) Assured OSS Reader (`roles/assuredoss.reader`) Composer Worker (`roles/composer.worker`) Firebase Rules System (`roles/firebaserules.system`) Security Admin (`roles/iam.securityAdmin`) Security Reviewer (`roles/iam.securityReviewer`) Pub/Sub Admin (`roles/pubsub.admin`) Pub/Sub Editor (`roles/pubsub.editor`) Pub/Sub Viewer (`roles/pubsub.viewer`) Cloud Run Source Developer (`roles/run.sourceDeveloper`) Cloud Run Source Viewer (`roles/run.sourceViewer`) SLZ BQDW Blueprint Project Level Remediator (`roles/securedlandingzone.bqdwProjectRemediator`) Security Center Admin (`roles/securitycenter.admin`) Security Center Admin Editor (`roles/securitycenter.adminEditor`) Security Center Admin Viewer (`roles/securitycenter.adminViewer`) Cloud Run Service Agent (`roles/serverless.serviceAgent`) Storage Transfer Agent (`roles/storagetransfer.transferAgent`) Service agent roles Warning: Don't grant service agent roles to any principals except service agents. Cloud TPU V2 API Service Agent (`roles/cloudtpu.serviceAgent`) Cloud Composer API Service Agent (`roles/composer.serviceAgent`) Container Analysis Service Agent (`roles/containeranalysis.ServiceAgent`) Cloud Dataflow Service Agent (`roles/dataflow.serviceAgent`) DLP API Service Agent (`roles/dlp.serviceAgent`) Eventarc Service Agent (`roles/eventarc.serviceAgent`) Application Integration Service Agent (`roles/integrations.serviceAgent`) Spectrum SAS Service Agent (`roles/spectrumsas.serviceAgent`) Cloud Vision AI Service Agent (`roles/visionai.serviceAgent`) Cloud Functions Service Agent (`roles/cloudfunctions.serviceAgent`)
`pubsub.topics.publish`	Owner (`roles/owner`) Editor (`roles/editor`) Cloud Build Service Account (`roles/cloudbuild.builds.builder`) Composer Worker (`roles/composer.worker`) Firebase Rules System (`roles/firebaserules.system`) Pub/Sub Admin (`roles/pubsub.admin`) Pub/Sub Editor (`roles/pubsub.editor`) Pub/Sub Publisher (`roles/pubsub.publisher`) Cloud Run Source Developer (`roles/run.sourceDeveloper`) Cloud Run Service Agent (`roles/serverless.serviceAgent`) Storage Transfer Agent (`roles/storagetransfer.transferAgent`) Service agent roles Warning: Don't grant service agent roles to any principals except service agents. Google Batch Service Agent (`roles/batch.serviceAgent`) Cloud Asset Service Agent (`roles/cloudasset.serviceAgent`) Cloud Build Service Agent (`roles/cloudbuild.serviceAgent`) Cloud Deploy Service Agent (`roles/clouddeploy.serviceAgent`) Cloud Deployment Manager Service Agent (`roles/clouddeploymentmanager.serviceAgent`) Cloud IoT Core Service Agent (`roles/cloudiot.serviceAgent`) Cloud Scheduler Service Agent (`roles/cloudscheduler.serviceAgent`) Cloud TPU V2 API Service Agent (`roles/cloudtpu.serviceAgent`) Cloud Composer API Service Agent (`roles/composer.serviceAgent`) Contact Center AI Insights Service Agent (`roles/contactcenterinsights.serviceAgent`) Kubernetes Engine Service Agent (`roles/container.serviceAgent`) Container Analysis Service Agent (`roles/containeranalysis.ServiceAgent`) Container Registry Service Agent (`roles/containerregistry.ServiceAgent`) Content Warehouse Service Agent (`roles/contentwarehouse.serviceAgent`) Cloud Dataflow Service Agent (`roles/dataflow.serviceAgent`) Datastream Service Agent (`roles/datastream.serviceAgent`) Dialogflow Service Agent (`roles/dialogflow.serviceAgent`) DLP API Service Agent (`roles/dlp.serviceAgent`) Eventarc Service Agent (`roles/eventarc.serviceAgent`) Firebase Realtime Database Service Agent (`roles/firebasedatabase.serviceAgent`) Genomics Service Agent (`roles/genomics.serviceAgent`) Healthcare Service Agent (`roles/healthcare.serviceAgent`) Application Integration Service Agent (`roles/integrations.serviceAgent`) KubeRun Events Data Plane Service Agent (`roles/kuberun.eventsDataPlaneServiceAgent`) Cloud Life Sciences Service Agent (`roles/lifesciences.serviceAgent`) Media Asset Service Agent (`roles/mediaasset.serviceAgent`) Pub/Sub Lite Service Agent (`roles/pubsublite.serviceAgent`) Security Center Notification Service Agent (`roles/securitycenter.notificationServiceAgent`) Google Cloud Security Response Service Agent (`roles/securitycenter.securityResponseServiceAgent`) Cloud Source Repositories Service Agent (`roles/sourcerepo.serviceAgent`) Spectrum SAS Service Agent (`roles/spectrumsas.serviceAgent`) Storage Transfer Service Agent (`roles/storagetransfer.serviceAgent`) Transcoder Service Agent (`roles/transcoder.serviceAgent`) Cloud Vision AI Service Agent (`roles/visionai.serviceAgent`) Artifact Registry Service Agent (`roles/artifactregistry.serviceAgent`)
`pubsub.topics.setIamPolicy`	Owner (`roles/owner`) Security Admin (`roles/iam.securityAdmin`) Pub/Sub Admin (`roles/pubsub.admin`) SLZ BQDW Blueprint Project Level Remediator (`roles/securedlandingzone.bqdwProjectRemediator`) Service agent roles Warning: Don't grant service agent roles to any principals except service agents. Cloud Composer API Service Agent (`roles/composer.serviceAgent`) Cloud Dataflow Service Agent (`roles/dataflow.serviceAgent`) DLP API Service Agent (`roles/dlp.serviceAgent`) KubeRun Events Control Plane Service Agent (`roles/kuberun.eventsControlPlaneServiceAgent`) Secured Landing Zone Service Agent (`roles/securedlandingzone.serviceAgent`) Cloud TPU V2 API Service Agent (`roles/cloudtpu.serviceAgent`)
`pubsub.topics.update`	Owner (`roles/owner`) Editor (`roles/editor`) Composer Worker (`roles/composer.worker`) Pub/Sub Admin (`roles/pubsub.admin`) Pub/Sub Editor (`roles/pubsub.editor`) Cloud Run Source Developer (`roles/run.sourceDeveloper`) SLZ BQDW Blueprint Project Level Remediator (`roles/securedlandingzone.bqdwProjectRemediator`) Service agent roles Warning: Don't grant service agent roles to any principals except service agents. Cloud TPU V2 API Service Agent (`roles/cloudtpu.serviceAgent`) Cloud Composer API Service Agent (`roles/composer.serviceAgent`) Container Analysis Service Agent (`roles/containeranalysis.ServiceAgent`) Cloud Dataflow Service Agent (`roles/dataflow.serviceAgent`) DLP API Service Agent (`roles/dlp.serviceAgent`) Eventarc Service Agent (`roles/eventarc.serviceAgent`) Application Integration Service Agent (`roles/integrations.serviceAgent`) Spectrum SAS Service Agent (`roles/spectrumsas.serviceAgent`) Storage Transfer Service Agent (`roles/storagetransfer.serviceAgent`) Cloud Vision AI Service Agent (`roles/visionai.serviceAgent`) Cloud Deployment Manager Service Agent (`roles/clouddeploymentmanager.serviceAgent`)
`pubsub.topics.updateTag`	Owner (`roles/owner`) Editor (`roles/editor`) Composer Worker (`roles/composer.worker`) Data Catalog Admin (`roles/datacatalog.admin`) Data Catalog Tag Editor (`roles/datacatalog.tagEditor`) DLP Organization Data Profiles Driver (`roles/dlp.orgdriver`) DLP Project Data Profiles Driver (`roles/dlp.projectdriver`) Pub/Sub Admin (`roles/pubsub.admin`) Pub/Sub Editor (`roles/pubsub.editor`) Cloud Run Source Developer (`roles/run.sourceDeveloper`) Service agent roles Warning: Don't grant service agent roles to any principals except service agents. Cloud Composer API Service Agent (`roles/composer.serviceAgent`) Container Analysis Service Agent (`roles/containeranalysis.ServiceAgent`) Cloud Dataflow Service Agent (`roles/dataflow.serviceAgent`) DLP API Service Agent (`roles/dlp.serviceAgent`) Application Integration Service Agent (`roles/integrations.serviceAgent`) Spectrum SAS Service Agent (`roles/spectrumsas.serviceAgent`) Cloud TPU V2 API Service Agent (`roles/cloudtpu.serviceAgent`)

Pub/Sub roles and permissions Stay organized with collections Save and categorize content based on your preferences.

Pub/Sub roles

Pub/Sub Admin

Pub/Sub Editor

Pub/Sub Publisher

Cloud Pub/Sub Service Agent

Pub/Sub Subscriber

Pub/Sub Viewer

Pub/Sub permissions

pubsub.messageTransforms.validate

pubsub.schemas.attach

pubsub.schemas.commit

pubsub.schemas.create

pubsub.schemas.delete

pubsub.schemas.get

pubsub.schemas.getIamPolicy

pubsub.schemas.list

pubsub.schemas.listRevisions

pubsub.schemas.rollback

pubsub.schemas.setIamPolicy

pubsub.schemas.validate

pubsub.snapshots.create

pubsub.snapshots.delete

pubsub.snapshots.get

pubsub.snapshots.getIamPolicy

pubsub.snapshots.list

pubsub.snapshots.seek

pubsub.snapshots.setIamPolicy

pubsub.snapshots.update

pubsub.subscriptions.consume

pubsub.subscriptions.create

pubsub.subscriptions.delete

pubsub.subscriptions.get

pubsub.subscriptions.getIamPolicy

pubsub.subscriptions.list

pubsub.subscriptions.setIamPolicy

pubsub.subscriptions.update

pubsub.topics.attachSubscription

pubsub.topics.create

pubsub.topics.delete

pubsub.topics.detachSubscription

pubsub.topics.get

pubsub.topics.getIamPolicy

pubsub.topics.list

pubsub.topics.publish

pubsub.topics.setIamPolicy

pubsub.topics.update

pubsub.topics.updateTag

Pub/Sub roles and permissions
Stay organized with collections Save and categorize content based on your preferences.

`pubsub.messageTransforms.validate`

`pubsub.schemas.attach`

`pubsub.schemas.commit`

`pubsub.schemas.create`

`pubsub.schemas.delete`

`pubsub.schemas.get`

`pubsub.schemas.getIamPolicy`

`pubsub.schemas.list`

`pubsub.schemas.listRevisions`

`pubsub.schemas.rollback`

`pubsub.schemas.setIamPolicy`

`pubsub.schemas.validate`

`pubsub.snapshots.create`

`pubsub.snapshots.delete`

`pubsub.snapshots.get`

`pubsub.snapshots.getIamPolicy`

`pubsub.snapshots.list`

`pubsub.snapshots.seek`

`pubsub.snapshots.setIamPolicy`

`pubsub.snapshots.update`

`pubsub.subscriptions.consume`

`pubsub.subscriptions.create`

`pubsub.subscriptions.delete`

`pubsub.subscriptions.get`

`pubsub.subscriptions.getIamPolicy`

`pubsub.subscriptions.list`

`pubsub.subscriptions.setIamPolicy`

`pubsub.subscriptions.update`

`pubsub.topics.attachSubscription`

`pubsub.topics.create`

`pubsub.topics.delete`

`pubsub.topics.detachSubscription`

`pubsub.topics.get`

`pubsub.topics.getIamPolicy`

`pubsub.topics.list`

`pubsub.topics.publish`

`pubsub.topics.setIamPolicy`

`pubsub.topics.update`

`pubsub.topics.updateTag`