Cloud Workstations roles and permissions

This page lists the IAM roles and permissions for Cloud Workstations. To search through all roles and permissions, see the role and permission index.

Cloud Workstations roles

Role / Permissions

(roles/workstations.admin)

Grants CRUD access to all Workstation resources.

compute.acceleratorTypes.*

  • compute.acceleratorTypes.get
  • compute.acceleratorTypes.list

compute.machineTypes.*

  • compute.machineTypes.get
  • compute.machineTypes.list

compute.networks.get

compute.networks.list

compute.subnetworks.get

compute.subnetworks.list

compute.zones.*

  • compute.zones.get
  • compute.zones.list

iam.serviceAccounts.get

iam.serviceAccounts.list

resourcemanager.projects.get

resourcemanager.projects.list

workstations.operations.get

workstations.workstationClusters.*

  • workstations.workstationClusters.create
  • workstations.workstationClusters.createTagBinding
  • workstations.workstationClusters.delete
  • workstations.workstationClusters.deleteTagBinding
  • workstations.workstationClusters.get
  • workstations.workstationClusters.list
  • workstations.workstationClusters.listEffectiveTags
  • workstations.workstationClusters.listTagBindings
  • workstations.workstationClusters.update

workstations.workstationConfigs.*

  • workstations.workstationConfigs.create
  • workstations.workstationConfigs.delete
  • workstations.workstationConfigs.get
  • workstations.workstationConfigs.getIamPolicy
  • workstations.workstationConfigs.list
  • workstations.workstationConfigs.setIamPolicy
  • workstations.workstationConfigs.update

workstations.workstations.create

workstations.workstations.delete

workstations.workstations.get

workstations.workstations.getIamPolicy

workstations.workstations.list

workstations.workstations.setIamPolicy

workstations.workstations.start

workstations.workstations.stop

workstations.workstations.update

(roles/workstations.networkAdmin)

Grants ability to connect a Workstation Cluster to a shared VPC network.

compute.addresses.create

compute.addresses.createInternal

compute.addresses.delete

compute.addresses.deleteInternal

compute.addresses.get

compute.addresses.use

compute.forwardingRules.create

compute.forwardingRules.delete

compute.forwardingRules.get

compute.forwardingRules.pscCreate

compute.forwardingRules.pscDelete

compute.globalOperations.get

compute.networks.get

compute.networks.updatePolicy

compute.networks.use

compute.networks.useExternalIp

compute.regionOperations.get

compute.subnetworks.get

compute.subnetworks.use

compute.subnetworks.useExternalIp

compute.zoneOperations.get

servicedirectory.namespaces.create

servicedirectory.namespaces.delete

servicedirectory.services.create

servicedirectory.services.delete

(roles/workstations.operationViewer)

Grants ability to view Cloud Workstations API operations.

workstations.operations.get

(roles/workstations.policyAdmin)

Grants permission to get and set the IAM policy on a workstation.

workstations.workstations.getIamPolicy

workstations.workstations.setIamPolicy

(roles/workstations.serviceAgent)

Grants the Workstations Service Account access to manage resources in the consumer project.

compute.addresses.create

compute.addresses.createInternal

compute.addresses.delete

compute.addresses.deleteInternal

compute.addresses.get

compute.addresses.use

compute.disks.create

compute.disks.createSnapshot

compute.disks.createTagBinding

compute.disks.delete

compute.disks.deleteTagBinding

compute.disks.get

compute.disks.list

compute.disks.setLabels

compute.disks.use

compute.disks.useReadOnly

compute.firewalls.create

compute.firewalls.delete

compute.firewalls.get

compute.firewalls.update

compute.forwardingRules.create

compute.forwardingRules.delete

compute.forwardingRules.get

compute.forwardingRules.pscCreate

compute.forwardingRules.pscDelete

compute.globalOperations.get

compute.instances.attachDisk

compute.instances.create

compute.instances.createTagBinding

compute.instances.delete

compute.instances.deleteTagBinding

compute.instances.detachDisk

compute.instances.get

compute.instances.getGuestAttributes

compute.instances.setLabels

compute.instances.setMetadata

compute.instances.setServiceAccount

compute.instances.setTags

compute.networks.addPeering

compute.networks.get

compute.networks.removePeering

compute.networks.updatePolicy

compute.networks.use

compute.networks.useExternalIp

compute.regionOperations.get

compute.regions.get

compute.snapshots.create

compute.snapshots.createTagBinding

compute.snapshots.delete

compute.snapshots.deleteTagBinding

compute.snapshots.get

compute.snapshots.listTagBindings

compute.snapshots.setLabels

compute.snapshots.useReadOnly

compute.subnetworks.get

compute.subnetworks.use

compute.subnetworks.useExternalIp

compute.zoneOperations.get

dns.networks.bindPrivateDNSZone

dns.networks.targetWithPeeringZone

iam.serviceAccounts.actAs

iam.serviceAccounts.get

iam.serviceAccounts.list

resourcemanager.tagValueBindings.*

  • resourcemanager.tagValueBindings.create
  • resourcemanager.tagValueBindings.delete

servicedirectory.namespaces.create

servicedirectory.namespaces.delete

servicedirectory.services.create

servicedirectory.services.delete

serviceusage.services.get

(roles/workstations.user)

Grants runtime access to Workstation resources.

workstations.operations.get

workstations.workstations.delete

workstations.workstations.get

workstations.workstations.start

workstations.workstations.stop

workstations.workstations.update

workstations.workstations.use

(roles/workstations.workstationCreator)

Grants ability to create Workstation resources.

resourcemanager.projects.get

resourcemanager.projects.list

workstations.operations.get

workstations.workstationClusters.get

workstations.workstationClusters.list

workstations.workstationConfigs.get

workstations.workstations.create

(roles/workstations.workstationLimitExemptedCreator)

Grants ability to create workstations exempt from the max_usable_workstations limit.

resourcemanager.projects.get

resourcemanager.projects.list

workstations.operations.get

workstations.workstationConfigs.get

workstations.workstations.create

Cloud Workstations permissions

Permission / Included in roles

workstations.operations.get

  • Owner (roles/owner)
  • Editor (roles/editor)
  • Viewer (roles/viewer)
  • Cloud Workstations Admin (roles/workstations.admin)
  • Cloud Workstations Operation Viewer (roles/workstations.operationViewer)
  • Cloud Workstations User (roles/workstations.user)
  • Cloud Workstations Creator (roles/workstations.workstationCreator)
  • Cloud Workstations Limit Exempted Creator (roles/workstations.workstationLimitExemptedCreator)

workstations.workstationClusters.create

  • Owner (roles/owner)
  • Editor (roles/editor)
  • Cloud Workstations Admin (roles/workstations.admin)

workstations.workstationClusters.createTagBinding

  • Owner (roles/owner)
  • DLP Organization Data Profiles Driver (roles/dlp.orgdriver)
  • DLP Project Data Profiles Driver (roles/dlp.projectdriver)
  • Tag User (roles/resourcemanager.tagUser)
  • Cloud Workstations Admin (roles/workstations.admin)

workstations.workstationClusters.delete

  • Owner (roles/owner)
  • Editor (roles/editor)
  • Cloud Workstations Admin (roles/workstations.admin)

workstations.workstationClusters.deleteTagBinding

  • Owner (roles/owner)
  • DLP Organization Data Profiles Driver (roles/dlp.orgdriver)
  • DLP Project Data Profiles Driver (roles/dlp.projectdriver)
  • Tag User (roles/resourcemanager.tagUser)
  • Cloud Workstations Admin (roles/workstations.admin)

workstations.workstationClusters.get

  • Owner (roles/owner)
  • Editor (roles/editor)
  • Viewer (roles/viewer)
  • Cloud Workstations Admin (roles/workstations.admin)
  • Cloud Workstations Creator (roles/workstations.workstationCreator)

workstations.workstationClusters.list

  • Owner (roles/owner)
  • Editor (roles/editor)
  • Viewer (roles/viewer)
  • Security Admin (roles/iam.securityAdmin)
  • Security Reviewer (roles/iam.securityReviewer)
  • Cloud Workstations Admin (roles/workstations.admin)
  • Cloud Workstations Creator (roles/workstations.workstationCreator)

workstations.workstationClusters.listEffectiveTags

  • Owner (roles/owner)
  • Editor (roles/editor)
  • Viewer (roles/viewer)
  • DLP Organization Data Profiles Driver (roles/dlp.orgdriver)
  • DLP Project Data Profiles Driver (roles/dlp.projectdriver)
  • Tag User (roles/resourcemanager.tagUser)
  • Tag Viewer (roles/resourcemanager.tagViewer)
  • Cloud Workstations Admin (roles/workstations.admin)

workstations.workstationClusters.listTagBindings

  • Owner (roles/owner)
  • Editor (roles/editor)
  • Viewer (roles/viewer)
  • DLP Organization Data Profiles Driver (roles/dlp.orgdriver)
  • DLP Project Data Profiles Driver (roles/dlp.projectdriver)
  • Tag User (roles/resourcemanager.tagUser)
  • Tag Viewer (roles/resourcemanager.tagViewer)
  • Cloud Workstations Admin (roles/workstations.admin)

workstations.workstationClusters.update

  • Owner (roles/owner)
  • Editor (roles/editor)
  • Cloud Workstations Admin (roles/workstations.admin)

workstations.workstationConfigs.create

  • Owner (roles/owner)
  • Editor (roles/editor)
  • Cloud Workstations Admin (roles/workstations.admin)

workstations.workstationConfigs.delete

  • Owner (roles/owner)
  • Editor (roles/editor)
  • Cloud Workstations Admin (roles/workstations.admin)

workstations.workstationConfigs.get

  • Owner (roles/owner)
  • Editor (roles/editor)
  • Viewer (roles/viewer)
  • Cloud Workstations Admin (roles/workstations.admin)
  • Cloud Workstations Creator (roles/workstations.workstationCreator)
  • Cloud Workstations Limit Exempted Creator (roles/workstations.workstationLimitExemptedCreator)

workstations.workstationConfigs.getIamPolicy

  • Owner (roles/owner)
  • Editor (roles/editor)
  • Viewer (roles/viewer)
  • Security Admin (roles/iam.securityAdmin)
  • Security Reviewer (roles/iam.securityReviewer)
  • Cloud Workstations Admin (roles/workstations.admin)

workstations.workstationConfigs.list

  • Owner (roles/owner)
  • Editor (roles/editor)
  • Viewer (roles/viewer)
  • Security Admin (roles/iam.securityAdmin)
  • Security Reviewer (roles/iam.securityReviewer)
  • Cloud Workstations Admin (roles/workstations.admin)

workstations.workstationConfigs.setIamPolicy

  • Owner (roles/owner)
  • Security Admin (roles/iam.securityAdmin)
  • Cloud Workstations Admin (roles/workstations.admin)

workstations.workstationConfigs.update

  • Owner (roles/owner)
  • Editor (roles/editor)
  • Cloud Workstations Admin (roles/workstations.admin)

workstations.workstations.create

  • Owner (roles/owner)
  • Editor (roles/editor)
  • Cloud Workstations Admin (roles/workstations.admin)
  • Cloud Workstations Creator (roles/workstations.workstationCreator)
  • Cloud Workstations Limit Exempted Creator (roles/workstations.workstationLimitExemptedCreator)

workstations.workstations.delete

  • Owner (roles/owner)
  • Editor (roles/editor)
  • Cloud Workstations Admin (roles/workstations.admin)
  • Cloud Workstations User (roles/workstations.user)

workstations.workstations.get

  • Owner (roles/owner)
  • Editor (roles/editor)
  • Viewer (roles/viewer)
  • Cloud Workstations Admin (roles/workstations.admin)
  • Cloud Workstations User (roles/workstations.user)

workstations.workstations.getIamPolicy

  • Owner (roles/owner)
  • Editor (roles/editor)
  • Viewer (roles/viewer)
  • Security Admin (roles/iam.securityAdmin)
  • Security Reviewer (roles/iam.securityReviewer)
  • Cloud Workstations Admin (roles/workstations.admin)
  • Cloud Workstations Policy Admin (roles/workstations.policyAdmin)

workstations.workstations.list

  • Owner (roles/owner)
  • Editor (roles/editor)
  • Viewer (roles/viewer)
  • Security Admin (roles/iam.securityAdmin)
  • Security Reviewer (roles/iam.securityReviewer)
  • Cloud Workstations Admin (roles/workstations.admin)

workstations.workstations.setIamPolicy

  • Owner (roles/owner)
  • Security Admin (roles/iam.securityAdmin)
  • Cloud Workstations Admin (roles/workstations.admin)
  • Cloud Workstations Policy Admin (roles/workstations.policyAdmin)

workstations.workstations.start

  • Owner (roles/owner)
  • Editor (roles/editor)
  • Cloud Workstations Admin (roles/workstations.admin)
  • Cloud Workstations User (roles/workstations.user)

workstations.workstations.stop

  • Owner (roles/owner)
  • Editor (roles/editor)
  • Cloud Workstations Admin (roles/workstations.admin)
  • Cloud Workstations User (roles/workstations.user)

workstations.workstations.update

  • Owner (roles/owner)
  • Editor (roles/editor)
  • Cloud Workstations Admin (roles/workstations.admin)
  • Cloud Workstations User (roles/workstations.user)

workstations.workstations.use

  • Cloud Workstations User (roles/workstations.user)