Access Approval roles
Permissions
Access Approval Approver
(roles/)
Ability to view or act on access approval requests and view configuration.
accessapproval.requests.*
accessapproval.
accessapproval.settings.get
resourcemanager.projects.get
resourcemanager.projects.list
Access Approval Config Editor
(roles/)
Ability to update the Access Approval configuration
accessapproval.
accessapproval.settings.*
resourcemanager.projects.get
resourcemanager.projects.list
Access Approval Invalidator
(roles/)
Ability to invalidate existing approved approval requests
accessapproval.
accessapproval.
accessapproval.settings.get
resourcemanager.projects.get
resourcemanager.projects.list
Access Approval Viewer
(roles/)
Ability to view access approval requests and configuration
accessapproval.requests.get
accessapproval.requests.list
accessapproval.
accessapproval.settings.get
resourcemanager.projects.get
resourcemanager.projects.list
Access Context Manager roles
Permissions
Cloud Access Binding Admin
(roles/)
Create, edit, and change Cloud access bindings.
accesscontextmanager.
Cloud Access Binding Reader
(roles/)
Read access to Cloud access bindings.
accesscontextmanager.
accesscontextmanager.
Access Context Manager Admin
(roles/)
Full access to policies, access levels, access zones and authorized orgs descs.
accesscontextmanager.
accesscontextmanager.
accesscontextmanager.
accesscontextmanager.
cloudasset.
resourcemanager.
resourcemanager.projects.get
resourcemanager.projects.list
Access Context Manager Editor
(roles/)
Edit access to policies. Create, edit, and change access levels, access zones and authorized orgs descs.
accesscontextmanager.
accesscontextmanager.
accesscontextmanager.
accesscontextmanager.
accesscontextmanager.
accesscontextmanager.
accesscontextmanager.
accesscontextmanager.
accesscontextmanager.
cloudasset.
resourcemanager.
resourcemanager.projects.get
resourcemanager.projects.list
Access Context Manager Reader
(roles/)
Read access to policies, access levels, access zones and authorized orgs descs.
accesscontextmanager.
accesscontextmanager.
accesscontextmanager.
accesscontextmanager.
accesscontextmanager.
accesscontextmanager.
accesscontextmanager.
accesscontextmanager.
accesscontextmanager.
resourcemanager.
resourcemanager.projects.get
resourcemanager.projects.list
VPC Service Controls Troubleshooter Viewer
(roles/)
accesscontextmanager.
accesscontextmanager.
accesscontextmanager.
accesscontextmanager.
accesscontextmanager.
accesscontextmanager.
accesscontextmanager.
accesscontextmanager.
accesscontextmanager.
logging.exclusions.get
logging.exclusions.list
logging.logEntries.list
logging.logMetrics.get
logging.logMetrics.list
logging.logServiceIndexes.list
logging.logServices.list
logging.logs.list
logging.sinks.get
logging.sinks.list
logging.usage.get
resourcemanager.
resourcemanager.projects.get
resourcemanager.projects.list
Actions roles
Permissions
Actions Admin
(roles/)
Access to edit and deploy an action
actions.*
firebase.projects.get
firebase.projects.update
resourcemanager.projects.get
resourcemanager.projects.list
serviceusage.services.use
Actions Viewer
(roles/)
Access to view an action
actions.agent.get
actions.agentVersions.get
actions.agentVersions.list
firebase.projects.get
resourcemanager.projects.get
resourcemanager.projects.list
serviceusage.services.use
AI Notebooks roles
Permissions
Notebooks Admin
(roles/)
Full access to Notebooks, all resources.
Lowest-level resources where you can grant this role:
aiplatform.
aiplatform.operations.list
aiplatform.pipelineJobs.create
aiplatform.schedules.*
compute.acceleratorTypes.*
compute.addresses.get
compute.addresses.list
compute.
compute.
compute.autoscalers.get
compute.autoscalers.list
compute.backendBuckets.get
compute.
compute.backendBuckets.list
compute.
compute.
compute.backendServices.get
compute.
compute.backendServices.list
compute.
compute.
compute.commitments.get
compute.commitments.list
compute.diskTypes.*
compute.disks.get
compute.disks.getIamPolicy
compute.disks.list
compute.
compute.disks.listTagBindings
compute.
compute.
compute.
compute.
compute.firewallPolicies.get
compute.
compute.firewallPolicies.list
compute.
compute.
compute.firewalls.get
compute.firewalls.list
compute.
compute.
compute.forwardingRules.get
compute.forwardingRules.list
compute.
compute.
compute.futureReservations.get
compute.
compute.
compute.globalAddresses.get
compute.globalAddresses.list
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.globalOperations.get
compute.
compute.globalOperations.list
compute.
compute.
compute.healthChecks.get
compute.healthChecks.list
compute.
compute.
compute.httpHealthChecks.get
compute.httpHealthChecks.list
compute.
compute.
compute.httpsHealthChecks.get
compute.httpsHealthChecks.list
compute.
compute.
compute.images.get
compute.images.getFromFamily
compute.images.getIamPolicy
compute.images.list
compute.
compute.images.listTagBindings
compute.
compute.
compute.
compute.
compute.instanceGroups.get
compute.instanceGroups.list
compute.
compute.
compute.instanceSettings.get
compute.instanceTemplates.get
compute.
compute.instanceTemplates.list
compute.instances.get
compute.
compute.
compute.instances.getIamPolicy
compute.
compute.
compute.
compute.
compute.instances.list
compute.
compute.
compute.
compute.instantSnapshots.get
compute.
compute.instantSnapshots.list
compute.
compute.
compute.
compute.
compute.
compute.
compute.interconnects.get
compute.interconnects.list
compute.
compute.
compute.licenseCodes.get
compute.
compute.licenseCodes.list
compute.licenses.get
compute.licenses.getIamPolicy
compute.licenses.list
compute.machineImages.get
compute.
compute.machineImages.list
compute.machineTypes.*
compute.multiMig.get
compute.multiMig.list
compute.networkAttachments.get
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.networkProfiles.*
compute.networks.get
compute.
compute.
compute.networks.list
compute.
compute.
compute.
compute.nodeGroups.get
compute.
compute.nodeGroups.list
compute.nodeTemplates.get
compute.
compute.nodeTemplates.list
compute.nodeTypes.*
compute.
compute.packetMirrorings.get
compute.packetMirrorings.list
compute.
compute.
compute.projects.get
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.regionHealthChecks.get
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.regionOperations.get
compute.
compute.regionOperations.list
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.regionSslPolicies.get
compute.regionSslPolicies.list
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.regionUrlMaps.get
compute.regionUrlMaps.list
compute.
compute.
compute.regionUrlMaps.validate
compute.regions.*
compute.reservationBlocks.*
compute.reservations.get
compute.reservations.list
compute.resourcePolicies.get
compute.
compute.resourcePolicies.list
compute.routers.get
compute.routers.getRoutePolicy
compute.routers.list
compute.routers.listBgpRoutes
compute.
compute.
compute.
compute.routes.get
compute.routes.list
compute.
compute.routes.listTagBindings
compute.securityPolicies.get
compute.securityPolicies.list
compute.
compute.
compute.serviceAttachments.get
compute.
compute.
compute.
compute.
compute.snapshotSettings.get
compute.snapshots.get
compute.snapshots.getIamPolicy
compute.snapshots.list
compute.
compute.
compute.spotAssistants.get
compute.sslCertificates.get
compute.sslCertificates.list
compute.
compute.
compute.sslPolicies.get
compute.sslPolicies.list
compute.
compute.
compute.
compute.storagePools.get
compute.
compute.storagePools.list
compute.subnetworks.get
compute.
compute.subnetworks.list
compute.
compute.
compute.targetGrpcProxies.get
compute.targetGrpcProxies.list
compute.
compute.
compute.targetHttpProxies.get
compute.targetHttpProxies.list
compute.
compute.
compute.targetHttpsProxies.get
compute.
compute.
compute.
compute.targetInstances.get
compute.targetInstances.list
compute.
compute.
compute.targetPools.get
compute.targetPools.list
compute.
compute.
compute.targetSslProxies.get
compute.targetSslProxies.list
compute.
compute.
compute.targetTcpProxies.get
compute.targetTcpProxies.list
compute.
compute.
compute.targetVpnGateways.get
compute.targetVpnGateways.list
compute.
compute.
compute.urlMaps.get
compute.urlMaps.list
compute.
compute.
compute.urlMaps.validate
compute.vpnGateways.get
compute.vpnGateways.list
compute.
compute.
compute.vpnTunnels.get
compute.vpnTunnels.list
compute.
compute.
compute.zoneOperations.get
compute.
compute.zoneOperations.list
compute.zones.*
notebooks.*
resourcemanager.projects.get
resourcemanager.projects.list
serviceusage.quotas.get
serviceusage.services.get
serviceusage.services.list
Notebooks Legacy Admin
(roles/)
Full access to Notebooks all resources through compute API.
backupdr.
backupdr.
backupdr.
backupdr.
backupdr.backupPlans.get
backupdr.backupPlans.list
backupdr.
backupdr.backupVaults.get
backupdr.backupVaults.list
backupdr.locations.list
backupdr.operations.get
backupdr.operations.list
backupdr.
compute.*
notebooks.*
resourcemanager.projects.get
resourcemanager.projects.list
serviceusage.quotas.get
serviceusage.services.get
serviceusage.services.list
Notebooks Legacy Viewer
(roles/)
Read-only access to Notebooks all resources through compute API.
compute.acceleratorTypes.*
compute.addresses.get
compute.addresses.list
compute.
compute.
compute.autoscalers.get
compute.autoscalers.list
compute.backendBuckets.get
compute.
compute.backendBuckets.list
compute.
compute.
compute.backendServices.get
compute.
compute.backendServices.list
compute.
compute.
compute.commitments.get
compute.commitments.list
compute.diskTypes.*
compute.disks.get
compute.disks.getIamPolicy
compute.disks.list
compute.
compute.disks.listTagBindings
compute.
compute.
compute.
compute.
compute.firewallPolicies.get
compute.
compute.firewallPolicies.list
compute.
compute.
compute.firewalls.get
compute.firewalls.list
compute.
compute.
compute.forwardingRules.get
compute.forwardingRules.list
compute.
compute.
compute.futureReservations.get
compute.
compute.
compute.globalAddresses.get
compute.globalAddresses.list
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.globalOperations.get
compute.
compute.globalOperations.list
compute.
compute.
compute.healthChecks.get
compute.healthChecks.list
compute.
compute.
compute.httpHealthChecks.get
compute.httpHealthChecks.list
compute.
compute.
compute.httpsHealthChecks.get
compute.httpsHealthChecks.list
compute.
compute.
compute.images.get
compute.images.getFromFamily
compute.images.getIamPolicy
compute.images.list
compute.
compute.images.listTagBindings
compute.
compute.
compute.
compute.
compute.instanceGroups.get
compute.instanceGroups.list
compute.
compute.
compute.instanceSettings.get
compute.instanceTemplates.get
compute.
compute.instanceTemplates.list
compute.instances.get
compute.
compute.
compute.instances.getIamPolicy
compute.
compute.
compute.
compute.
compute.instances.list
compute.
compute.
compute.
compute.instantSnapshots.get
compute.
compute.instantSnapshots.list
compute.
compute.
compute.
compute.
compute.
compute.
compute.interconnects.get
compute.interconnects.list
compute.
compute.
compute.licenseCodes.get
compute.
compute.licenseCodes.list
compute.licenses.get
compute.licenses.getIamPolicy
compute.licenses.list
compute.machineImages.get
compute.
compute.machineImages.list
compute.machineTypes.*
compute.multiMig.get
compute.multiMig.list
compute.networkAttachments.get
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.networkProfiles.*
compute.networks.get
compute.
compute.
compute.networks.list
compute.
compute.
compute.
compute.nodeGroups.get
compute.
compute.nodeGroups.list
compute.nodeTemplates.get
compute.
compute.nodeTemplates.list
compute.nodeTypes.*
compute.
compute.packetMirrorings.get
compute.packetMirrorings.list
compute.
compute.
compute.projects.get
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.regionHealthChecks.get
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.regionOperations.get
compute.
compute.regionOperations.list
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.regionSslPolicies.get
compute.regionSslPolicies.list
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.regionUrlMaps.get
compute.regionUrlMaps.list
compute.
compute.
compute.regionUrlMaps.validate
compute.regions.*
compute.reservationBlocks.*
compute.reservations.get
compute.reservations.list
compute.resourcePolicies.get
compute.
compute.resourcePolicies.list
compute.routers.get
compute.routers.getRoutePolicy
compute.routers.list
compute.routers.listBgpRoutes
compute.
compute.
compute.
compute.routes.get
compute.routes.list
compute.
compute.routes.listTagBindings
compute.securityPolicies.get
compute.securityPolicies.list
compute.
compute.
compute.serviceAttachments.get
compute.
compute.
compute.
compute.
compute.snapshotSettings.get
compute.snapshots.get
compute.snapshots.getIamPolicy
compute.snapshots.list
compute.
compute.
compute.spotAssistants.get
compute.sslCertificates.get
compute.sslCertificates.list
compute.
compute.
compute.sslPolicies.get
compute.sslPolicies.list
compute.
compute.
compute.
compute.storagePools.get
compute.
compute.storagePools.list
compute.subnetworks.get
compute.
compute.subnetworks.list
compute.
compute.
compute.targetGrpcProxies.get
compute.targetGrpcProxies.list
compute.
compute.
compute.targetHttpProxies.get
compute.targetHttpProxies.list
compute.
compute.
compute.targetHttpsProxies.get
compute.
compute.
compute.
compute.targetInstances.get
compute.targetInstances.list
compute.
compute.
compute.targetPools.get
compute.targetPools.list
compute.
compute.
compute.targetSslProxies.get
compute.targetSslProxies.list
compute.
compute.
compute.targetTcpProxies.get
compute.targetTcpProxies.list
compute.
compute.
compute.targetVpnGateways.get
compute.targetVpnGateways.list
compute.
compute.
compute.urlMaps.get
compute.urlMaps.list
compute.
compute.
compute.urlMaps.validate
compute.vpnGateways.get
compute.vpnGateways.list
compute.
compute.
compute.vpnTunnels.get
compute.vpnTunnels.list
compute.
compute.
compute.zoneOperations.get
compute.
compute.zoneOperations.list
compute.zones.*
notebooks.environments.get
notebooks.
notebooks.environments.list
notebooks.executions.get
notebooks.
notebooks.executions.list
notebooks.
notebooks.instances.get
notebooks.instances.getHealth
notebooks.
notebooks.instances.list
notebooks.locations.*
notebooks.operations.get
notebooks.operations.list
notebooks.runtimes.get
notebooks.
notebooks.runtimes.list
notebooks.schedules.get
notebooks.
notebooks.schedules.list
resourcemanager.projects.get
resourcemanager.projects.list
serviceusage.quotas.get
serviceusage.services.get
serviceusage.services.list
Notebooks Runner
(roles/)
Restricted access for running scheduled Notebooks.
aiplatform.
aiplatform.operations.list
aiplatform.pipelineJobs.create
aiplatform.schedules.*
compute.acceleratorTypes.*
compute.addresses.get
compute.addresses.list
compute.
compute.
compute.autoscalers.get
compute.autoscalers.list
compute.backendBuckets.get
compute.
compute.backendBuckets.list
compute.
compute.
compute.backendServices.get
compute.
compute.backendServices.list
compute.
compute.
compute.commitments.get
compute.commitments.list
compute.diskTypes.*
compute.disks.get
compute.disks.getIamPolicy
compute.disks.list
compute.
compute.disks.listTagBindings
compute.
compute.
compute.
compute.
compute.firewallPolicies.get
compute.
compute.firewallPolicies.list
compute.
compute.
compute.firewalls.get
compute.firewalls.list
compute.
compute.
compute.forwardingRules.get
compute.forwardingRules.list
compute.
compute.
compute.futureReservations.get
compute.
compute.
compute.globalAddresses.get
compute.globalAddresses.list
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.globalOperations.get
compute.
compute.globalOperations.list
compute.
compute.
compute.healthChecks.get
compute.healthChecks.list
compute.
compute.
compute.httpHealthChecks.get
compute.httpHealthChecks.list
compute.
compute.
compute.httpsHealthChecks.get
compute.httpsHealthChecks.list
compute.
compute.
compute.images.get
compute.images.getFromFamily
compute.images.getIamPolicy
compute.images.list
compute.
compute.images.listTagBindings
compute.
compute.
compute.
compute.
compute.instanceGroups.get
compute.instanceGroups.list
compute.
compute.
compute.instanceSettings.get
compute.instanceTemplates.get
compute.
compute.instanceTemplates.list
compute.instances.get
compute.
compute.
compute.instances.getIamPolicy
compute.
compute.
compute.
compute.
compute.instances.list
compute.
compute.
compute.
compute.instantSnapshots.get
compute.
compute.instantSnapshots.list
compute.
compute.
compute.
compute.
compute.
compute.
compute.interconnects.get
compute.interconnects.list
compute.
compute.
compute.licenseCodes.get
compute.
compute.licenseCodes.list
compute.licenses.get
compute.licenses.getIamPolicy
compute.licenses.list
compute.machineImages.get
compute.
compute.machineImages.list
compute.machineTypes.*
compute.multiMig.get
compute.multiMig.list
compute.networkAttachments.get
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.networkProfiles.*
compute.networks.get
compute.
compute.
compute.networks.list
compute.
compute.
compute.
compute.nodeGroups.get
compute.
compute.nodeGroups.list
compute.nodeTemplates.get
compute.
compute.nodeTemplates.list
compute.nodeTypes.*
compute.
compute.packetMirrorings.get
compute.packetMirrorings.list
compute.
compute.
compute.projects.get
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.regionHealthChecks.get
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.regionOperations.get
compute.
compute.regionOperations.list
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.regionSslPolicies.get
compute.regionSslPolicies.list
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.regionUrlMaps.get
compute.regionUrlMaps.list
compute.
compute.
compute.regionUrlMaps.validate
compute.regions.*
compute.reservationBlocks.*
compute.reservations.get
compute.reservations.list
compute.resourcePolicies.get
compute.
compute.resourcePolicies.list
compute.routers.get
compute.routers.getRoutePolicy
compute.routers.list
compute.routers.listBgpRoutes
compute.
compute.
compute.
compute.routes.get
compute.routes.list
compute.
compute.routes.listTagBindings
compute.securityPolicies.get
compute.securityPolicies.list
compute.
compute.
compute.serviceAttachments.get
compute.
compute.
compute.
compute.
compute.snapshotSettings.get
compute.snapshots.get
compute.snapshots.getIamPolicy
compute.snapshots.list
compute.
compute.
compute.spotAssistants.get
compute.sslCertificates.get
compute.sslCertificates.list
compute.
compute.
compute.sslPolicies.get
compute.sslPolicies.list
compute.
compute.
compute.
compute.storagePools.get
compute.
compute.storagePools.list
compute.subnetworks.get
compute.
compute.subnetworks.list
compute.
compute.
compute.targetGrpcProxies.get
compute.targetGrpcProxies.list
compute.
compute.
compute.targetHttpProxies.get
compute.targetHttpProxies.list
compute.
compute.
compute.targetHttpsProxies.get
compute.
compute.
compute.
compute.targetInstances.get
compute.targetInstances.list
compute.
compute.
compute.targetPools.get
compute.targetPools.list
compute.
compute.
compute.targetSslProxies.get
compute.targetSslProxies.list
compute.
compute.
compute.targetTcpProxies.get
compute.targetTcpProxies.list
compute.
compute.
compute.targetVpnGateways.get
compute.targetVpnGateways.list
compute.
compute.
compute.urlMaps.get
compute.urlMaps.list
compute.
compute.
compute.urlMaps.validate
compute.vpnGateways.get
compute.vpnGateways.list
compute.
compute.
compute.vpnTunnels.get
compute.vpnTunnels.list
compute.
compute.
compute.zoneOperations.get
compute.
compute.zoneOperations.list
compute.zones.*
notebooks.environments.get
notebooks.
notebooks.environments.list
notebooks.executions.create
notebooks.executions.get
notebooks.
notebooks.executions.list
notebooks.
notebooks.instances.create
notebooks.instances.get
notebooks.instances.getHealth
notebooks.
notebooks.instances.list
notebooks.locations.*
notebooks.operations.get
notebooks.operations.list
notebooks.runtimes.create
notebooks.runtimes.get
notebooks.
notebooks.runtimes.list
notebooks.schedules.create
notebooks.schedules.get
notebooks.
notebooks.schedules.list
resourcemanager.projects.get
resourcemanager.projects.list
serviceusage.quotas.get
serviceusage.services.get
serviceusage.services.list
Notebooks Viewer
(roles/)
Read-only access to Notebooks, all resources.
Lowest-level resources where you can grant this role:
aiplatform.
aiplatform.
aiplatform.schedules.get
aiplatform.schedules.list
compute.acceleratorTypes.*
compute.addresses.get
compute.addresses.list
compute.
compute.
compute.autoscalers.get
compute.autoscalers.list
compute.backendBuckets.get
compute.
compute.backendBuckets.list
compute.
compute.
compute.backendServices.get
compute.
compute.backendServices.list
compute.
compute.
compute.commitments.get
compute.commitments.list
compute.diskTypes.*
compute.disks.get
compute.disks.getIamPolicy
compute.disks.list
compute.
compute.disks.listTagBindings
compute.
compute.
compute.
compute.
compute.firewallPolicies.get
compute.
compute.firewallPolicies.list
compute.
compute.
compute.firewalls.get
compute.firewalls.list
compute.
compute.
compute.forwardingRules.get
compute.forwardingRules.list
compute.
compute.
compute.futureReservations.get
compute.
compute.
compute.globalAddresses.get
compute.globalAddresses.list
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.globalOperations.get
compute.
compute.globalOperations.list
compute.
compute.
compute.healthChecks.get
compute.healthChecks.list
compute.
compute.
compute.httpHealthChecks.get
compute.httpHealthChecks.list
compute.
compute.
compute.httpsHealthChecks.get
compute.httpsHealthChecks.list
compute.
compute.
compute.images.get
compute.images.getFromFamily
compute.images.getIamPolicy
compute.images.list
compute.
compute.images.listTagBindings
compute.
compute.
compute.
compute.
compute.instanceGroups.get
compute.instanceGroups.list
compute.
compute.
compute.instanceSettings.get
compute.instanceTemplates.get
compute.
compute.instanceTemplates.list
compute.instances.get
compute.
compute.
compute.instances.getIamPolicy
compute.
compute.
compute.
compute.
compute.instances.list
compute.
compute.
compute.
compute.instantSnapshots.get
compute.
compute.instantSnapshots.list
compute.
compute.
compute.
compute.
compute.
compute.
compute.interconnects.get
compute.interconnects.list
compute.
compute.
compute.licenseCodes.get
compute.
compute.licenseCodes.list
compute.licenses.get
compute.licenses.getIamPolicy
compute.licenses.list
compute.machineImages.get
compute.
compute.machineImages.list
compute.machineTypes.*
compute.multiMig.get
compute.multiMig.list
compute.networkAttachments.get
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.networkProfiles.*
compute.networks.get
compute.
compute.
compute.networks.list
compute.
compute.
compute.
compute.nodeGroups.get
compute.
compute.nodeGroups.list
compute.nodeTemplates.get
compute.
compute.nodeTemplates.list
compute.nodeTypes.*
compute.
compute.packetMirrorings.get
compute.packetMirrorings.list
compute.
compute.
compute.projects.get
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.regionHealthChecks.get
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.regionOperations.get
compute.
compute.regionOperations.list
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.regionSslPolicies.get
compute.regionSslPolicies.list
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.regionUrlMaps.get
compute.regionUrlMaps.list
compute.
compute.
compute.regionUrlMaps.validate
compute.regions.*
compute.reservationBlocks.*
compute.reservations.get
compute.reservations.list
compute.resourcePolicies.get
compute.
compute.resourcePolicies.list
compute.routers.get
compute.routers.getRoutePolicy
compute.routers.list
compute.routers.listBgpRoutes
compute.
compute.
compute.
compute.routes.get
compute.routes.list
compute.
compute.routes.listTagBindings
compute.securityPolicies.get
compute.securityPolicies.list
compute.
compute.
compute.serviceAttachments.get
compute.
compute.
compute.
compute.
compute.snapshotSettings.get
compute.snapshots.get
compute.snapshots.getIamPolicy
compute.snapshots.list
compute.
compute.
compute.spotAssistants.get
compute.sslCertificates.get
compute.sslCertificates.list
compute.
compute.
compute.sslPolicies.get
compute.sslPolicies.list
compute.
compute.
compute.
compute.storagePools.get
compute.
compute.storagePools.list
compute.subnetworks.get
compute.
compute.subnetworks.list
compute.
compute.
compute.targetGrpcProxies.get
compute.targetGrpcProxies.list
compute.
compute.
compute.targetHttpProxies.get
compute.targetHttpProxies.list
compute.
compute.
compute.targetHttpsProxies.get
compute.
compute.
compute.
compute.targetInstances.get
compute.targetInstances.list
compute.
compute.
compute.targetPools.get
compute.targetPools.list
compute.
compute.
compute.targetSslProxies.get
compute.targetSslProxies.list
compute.
compute.
compute.targetTcpProxies.get
compute.targetTcpProxies.list
compute.
compute.
compute.targetVpnGateways.get
compute.targetVpnGateways.list
compute.
compute.
compute.urlMaps.get
compute.urlMaps.list
compute.
compute.
compute.urlMaps.validate
compute.vpnGateways.get
compute.vpnGateways.list
compute.
compute.
compute.vpnTunnels.get
compute.vpnTunnels.list
compute.
compute.
compute.zoneOperations.get
compute.
compute.zoneOperations.list
compute.zones.*
notebooks.environments.get
notebooks.
notebooks.environments.list
notebooks.executions.get
notebooks.
notebooks.executions.list
notebooks.
notebooks.instances.get
notebooks.instances.getHealth
notebooks.
notebooks.instances.list
notebooks.locations.*
notebooks.operations.get
notebooks.operations.list
notebooks.runtimes.get
notebooks.
notebooks.runtimes.list
notebooks.schedules.get
notebooks.
notebooks.schedules.list
resourcemanager.projects.get
resourcemanager.projects.list
serviceusage.quotas.get
serviceusage.services.get
serviceusage.services.list
Permissions
AI Platform Admin
(roles/)
Provides full access to AI Platform resources, and its jobs,
operations, models, and versions.
Lowest-level resources where you can grant this role:
ml.*
resourcemanager.projects.get
AI Platform Developer
(roles/)
Provides ability to use AI Platform resources for creating models,
versions, jobs for training and prediction, and sending online prediction
requests.
Lowest-level resources where you can grant this role:
ml.jobs.create
ml.jobs.get
ml.jobs.getIamPolicy
ml.jobs.list
ml.locations.*
ml.models.create
ml.models.get
ml.models.getIamPolicy
ml.models.list
ml.models.predict
ml.operations.get
ml.operations.list
ml.projects.getConfig
ml.studies.*
ml.trials.*
ml.versions.get
ml.versions.list
ml.versions.predict
resourcemanager.projects.get
AI Platform Job Owner
(roles/)
Provides full access to all permissions for a particular job resource. This
role is automatically granted to the user who creates the job.
Lowest-level resources where you can grant this role:
ml.jobs.*
AI Platform Model Owner
(roles/)
Provides full access to the model and its versions. This role is
automatically granted to the user who creates the model.
Lowest-level resources where you can grant this role:
ml.models.*
ml.versions.*
AI Platform Model User
(roles/)
Provides permissions to read the model and its versions, and use them for
prediction.
Lowest-level resources where you can grant this role:
ml.models.get
ml.models.predict
ml.versions.get
ml.versions.list
ml.versions.predict
AI Platform Operation Owner
(roles/)
Provides full access to all permissions for a particular operation resource.
Lowest-level resources where you can grant this role:
ml.operations.*
AI Platform Viewer
(roles/)
Provides read-only access to AI Platform resources.
Lowest-level resources where you can grant this role:
ml.jobs.get
ml.jobs.list
ml.locations.*
ml.models.get
ml.models.list
ml.operations.get
ml.operations.list
ml.projects.getConfig
ml.studies.get
ml.studies.getIamPolicy
ml.studies.list
ml.trials.get
ml.trials.list
ml.versions.get
ml.versions.list
resourcemanager.projects.get
Analytics Hub roles
Permissions
Analytics Hub Admin
(roles/)
Administer Data Exchanges and Listings
analyticshub.
analyticshub.
analyticshub.dataExchanges.get
analyticshub.
analyticshub.
analyticshub.
analyticshub.
analyticshub.
analyticshub.listings.create
analyticshub.listings.delete
analyticshub.listings.get
analyticshub.
analyticshub.listings.list
analyticshub.
analyticshub.listings.update
analyticshub.
analyticshub.subscriptions.*
resourcemanager.projects.get
resourcemanager.projects.list
Analytics Hub Listing Admin
(roles/)
Grants full control over the Listing, including updating, deleting and setting ACLs
analyticshub.dataExchanges.get
analyticshub.
analyticshub.
analyticshub.listings.delete
analyticshub.listings.get
analyticshub.
analyticshub.listings.list
analyticshub.
analyticshub.listings.update
analyticshub.
resourcemanager.projects.get
resourcemanager.projects.list
Analytics Hub Publisher
(roles/)
Can publish to Data Exchanges thus creating Listings
analyticshub.dataExchanges.get
analyticshub.
analyticshub.
analyticshub.listings.create
analyticshub.listings.get
analyticshub.
analyticshub.listings.list
resourcemanager.projects.get
resourcemanager.projects.list
Analytics Hub Subscriber
(roles/)
Can browse Data Exchanges and subscribe to Listings
analyticshub.dataExchanges.get
analyticshub.
analyticshub.
analyticshub.
analyticshub.listings.get
analyticshub.
analyticshub.listings.list
analyticshub.
resourcemanager.projects.get
resourcemanager.projects.list
Analytics Hub Subscription Owner
(roles/)
Grants full control over the Subscription, including updating and deleting
analyticshub.dataExchanges.get
analyticshub.
analyticshub.
analyticshub.listings.get
analyticshub.
analyticshub.listings.list
analyticshub.subscriptions.*
resourcemanager.projects.get
resourcemanager.projects.list
Analytics Hub Viewer
(roles/)
Can browse Data Exchanges and Listings
analyticshub.dataExchanges.get
analyticshub.
analyticshub.
analyticshub.listings.get
analyticshub.
analyticshub.listings.list
resourcemanager.projects.get
resourcemanager.projects.list
Android Management roles
Permissions
Android Management User
(roles/)
Full access to manage devices.
androidmanagement.
serviceusage.quotas.get
serviceusage.services.get
serviceusage.services.list
Anthos Multi-cloud roles
Permissions
Anthos Multi-cloud Admin
(roles/)
Admin access to Anthos Multi-cloud resources.
gkemulticloud.*
resourcemanager.projects.get
resourcemanager.projects.list
Anthos Multi-cloud Telemetry Writer
(roles/)
Grant access to write cluster telemetry data such as logs, metrics, and resource metadata.
logging.logEntries.create
logging.logEntries.route
monitoring.
monitoring.
monitoring.
monitoring.
monitoring.timeSeries.create
opsconfigmonitoring.
Anthos Multi-cloud Viewer
(roles/)
Viewer access to Anthos Multi-cloud resources.
gkemulticloud.
gkemulticloud.
gkemulticloud.
gkemulticloud.
gkemulticloud.
gkemulticloud.awsClusters.get
gkemulticloud.awsClusters.list
gkemulticloud.awsNodePools.get
gkemulticloud.
gkemulticloud.
gkemulticloud.azureClients.get
gkemulticloud.
gkemulticloud.
gkemulticloud.
gkemulticloud.
gkemulticloud.
gkemulticloud.
gkemulticloud.
gkemulticloud.operations.get
gkemulticloud.operations.list
gkemulticloud.operations.wait
resourcemanager.projects.get
resourcemanager.projects.list
API Gateway roles
Permissions
ApiGateway Admin
(roles/)
Full access to ApiGateway and related resources.
apigateway.*
monitoring.
monitoring.
monitoring.timeSeries.list
resourcemanager.projects.get
resourcemanager.projects.list
servicemanagement.services.get
serviceusage.services.get
serviceusage.services.list
ApiGateway Viewer
(roles/)
Read-only access to ApiGateway and related resources.
apigateway.apiconfigs.get
apigateway.
apigateway.apiconfigs.list
apigateway.apis.get
apigateway.apis.getIamPolicy
apigateway.apis.list
apigateway.gateways.get
apigateway.
apigateway.gateways.list
apigateway.locations.*
apigateway.operations.get
apigateway.operations.list
monitoring.
monitoring.
monitoring.timeSeries.list
resourcemanager.projects.get
resourcemanager.projects.list
servicemanagement.services.get
serviceusage.services.get
serviceusage.services.list
Apigee roles
Permissions
Apigee Organization Admin
(roles/)
Full access to all apigee resource features
apigee.*
monitoring.timeSeries.list
resourcemanager.projects.get
resourcemanager.
resourcemanager.projects.list
Apigee Analytics Agent
(roles/)
Curated set of permissions for Apigee Universal Data Collection Agent to manage analytics for an Apigee Organization
apigee.datalocation.get
apigee.
apigee.runtimeconfigs.get
Apigee Analytics Editor
(roles/)
Analytics editor for an Apigee Organization
apigee.datacollectors.*
apigee.datastores.*
apigee.entitlements.get
apigee.envgroupattachments.get
apigee.
apigee.envgroups.get
apigee.envgroups.list
apigee.environments.get
apigee.environments.getStats
apigee.environments.list
apigee.exports.*
apigee.hostqueries.*
apigee.hoststats.get
apigee.organizations.get
apigee.organizations.list
apigee.
apigee.queries.*
apigee.reports.*
resourcemanager.projects.get
resourcemanager.projects.list
Apigee Analytics Viewer
(roles/)
Analytics viewer for an Apigee Organization
apigee.datacollectors.get
apigee.datacollectors.list
apigee.datastores.get
apigee.datastores.list
apigee.entitlements.get
apigee.envgroupattachments.get
apigee.
apigee.envgroups.get
apigee.envgroups.list
apigee.environments.get
apigee.environments.getStats
apigee.environments.list
apigee.exports.get
apigee.exports.list
apigee.hostqueries.get
apigee.hostqueries.list
apigee.hoststats.get
apigee.organizations.get
apigee.organizations.list
apigee.
apigee.queries.get
apigee.queries.list
apigee.reports.get
apigee.reports.list
resourcemanager.projects.get
resourcemanager.projects.list
Apigee API Admin
(roles/)
Full read/write access to all apigee API resources
apigee.apiproductattributes.*
apigee.apiproducts.*
apigee.deployments.list
apigee.entitlements.get
apigee.envgroupattachments.get
apigee.
apigee.envgroups.get
apigee.envgroups.list
apigee.environments.get
apigee.environments.getStats
apigee.environments.list
apigee.keyvaluemapentries.*
apigee.keyvaluemaps.*
apigee.organizations.get
apigee.organizations.list
apigee.
apigee.proxies.*
apigee.proxyrevisions.*
apigee.sharedflowrevisions.*
apigee.sharedflows.*
resourcemanager.projects.get
resourcemanager.projects.list
Apigee API Reader
(roles/)
Reader of apigee resources
apigee.
apigee.
apigee.apiproducts.get
apigee.apiproducts.list
apigee.entitlements.get
apigee.envgroupattachments.get
apigee.
apigee.envgroups.get
apigee.envgroups.list
apigee.environments.get
apigee.environments.getStats
apigee.environments.list
apigee.keyvaluemapentries.get
apigee.keyvaluemapentries.list
apigee.keyvaluemaps.list
apigee.organizations.get
apigee.organizations.list
apigee.
apigee.proxies.get
apigee.proxies.list
apigee.proxyrevisions.deploy
apigee.proxyrevisions.get
apigee.proxyrevisions.list
apigee.proxyrevisions.undeploy
apigee.
apigee.sharedflowrevisions.get
apigee.
apigee.
apigee.sharedflows.get
apigee.sharedflows.list
resourcemanager.projects.get
resourcemanager.projects.list
Apigee Deployment Invoker
(roles/)
Invoker of deployments in the apigee runtime
apigee.deployments.invoke
Apigee Developer Admin
(roles/)
Developer admin of apigee resources
apigee.
apigee.
apigee.apiproducts.get
apigee.apiproducts.list
apigee.appgroupapps.*
apigee.appgroups.*
apigee.appkeys.*
apigee.apps.*
apigee.datacollectors.*
apigee.
apigee.developerapps.*
apigee.developerattributes.*
apigee.developerbalances.*
apigee.
apigee.developers.*
apigee.
apigee.entitlements.get
apigee.environments.get
apigee.environments.getStats
apigee.environments.list
apigee.hoststats.get
apigee.organizations.get
apigee.organizations.list
apigee.
apigee.rateplans.get
apigee.rateplans.list
resourcemanager.projects.get
resourcemanager.
resourcemanager.projects.list
Apigee Environment Admin
(roles/)
Full read/write access to apigee environment resources, including deployments.
apigee.addonsconfig.*
apigee.archivedeployments.*
apigee.datacollectors.get
apigee.datacollectors.list
apigee.deployments.*
apigee.entitlements.get
apigee.envgroupattachments.get
apigee.
apigee.envgroups.get
apigee.envgroups.list
apigee.environments.get
apigee.
apigee.environments.getStats
apigee.environments.list
apigee.
apigee.environments.update
apigee.flowhooks.*
apigee.ingressconfigs.get
apigee.keystorealiases.*
apigee.keystores.*
apigee.keyvaluemapentries.*
apigee.keyvaluemaps.*
apigee.maskconfigs.*
apigee.organizations.get
apigee.organizations.list
apigee.
apigee.proxies.get
apigee.proxies.list
apigee.proxyrevisions.deploy
apigee.proxyrevisions.get
apigee.proxyrevisions.list
apigee.proxyrevisions.undeploy
apigee.references.*
apigee.resourcefiles.*
apigee.
apigee.sharedflowrevisions.get
apigee.
apigee.
apigee.sharedflows.get
apigee.sharedflows.list
apigee.targetservers.*
apigee.traceconfig.*
apigee.traceconfigoverrides.*
apigee.tracesessions.*
resourcemanager.projects.get
resourcemanager.
resourcemanager.projects.list
Apigee Monetization Admin
(roles/)
All permissions related to monetization
apigee.apiproducts.get
apigee.apiproducts.list
apigee.developerbalances.*
apigee.
apigee.
apigee.entitlements.get
apigee.organizations.get
apigee.organizations.list
apigee.
apigee.rateplans.*
resourcemanager.projects.get
resourcemanager.projects.list
Apigee Portal Admin
(roles/)
Portal admin for an Apigee Organization
apigee.entitlements.get
apigee.organizations.get
apigee.organizations.list
apigee.portals.*
apigee.
resourcemanager.projects.get
resourcemanager.projects.list
Apigee Read-only Admin
(roles/)
Viewer of all apigee resources
apigee.addonsconfig.get
apigee.
apigee.
apigee.apiproducts.get
apigee.apiproducts.list
apigee.appgroupapps.get
apigee.appgroupapps.list
apigee.appgroups.get
apigee.appgroups.list
apigee.appkeys.get
apigee.apps.*
apigee.
apigee.archivedeployments.get
apigee.archivedeployments.list
apigee.caches.list
apigee.canaryevaluations.get
apigee.datacollectors.get
apigee.datacollectors.list
apigee.datalocation.get
apigee.datastores.get
apigee.datastores.list
apigee.deployments.get
apigee.deployments.list
apigee.
apigee.
apigee.developerapps.get
apigee.developerapps.list
apigee.developerattributes.get
apigee.
apigee.developerbalances.get
apigee.
apigee.developers.get
apigee.developers.list
apigee.
apigee.
apigee.endpointattachments.get
apigee.
apigee.entitlements.get
apigee.envgroupattachments.get
apigee.
apigee.envgroups.get
apigee.envgroups.list
apigee.environments.get
apigee.
apigee.
apigee.environments.getStats
apigee.environments.list
apigee.exports.get
apigee.exports.list
apigee.flowhooks.getSharedFlow
apigee.flowhooks.list
apigee.hostqueries.get
apigee.hostqueries.list
apigee.hostsecurityreports.get
apigee.
apigee.hoststats.get
apigee.ingressconfigs.get
apigee.instanceattachments.get
apigee.
apigee.instances.get
apigee.instances.list
apigee.keystorealiases.get
apigee.keystorealiases.list
apigee.keystores.get
apigee.keystores.list
apigee.keyvaluemapentries.get
apigee.keyvaluemapentries.list
apigee.keyvaluemaps.list
apigee.maskconfigs.get
apigee.nataddresses.get
apigee.nataddresses.list
apigee.operations.*
apigee.organizations.get
apigee.organizations.list
apigee.portals.get
apigee.portals.list
apigee.
apigee.proxies.get
apigee.proxies.list
apigee.proxyrevisions.get
apigee.proxyrevisions.list
apigee.queries.get
apigee.queries.list
apigee.rateplans.get
apigee.rateplans.list
apigee.references.get
apigee.references.list
apigee.reports.get
apigee.reports.list
apigee.resourcefiles.get
apigee.resourcefiles.list
apigee.runtimeconfigs.get
apigee.securityActions.get
apigee.securityActions.list
apigee.
apigee.
apigee.securityFeedback.get
apigee.securityFeedback.list
apigee.securityIncidents.get
apigee.securityIncidents.list
apigee.
apigee.securityProfiles.get
apigee.securityProfiles.list
apigee.securityProfilesV2.get
apigee.securityProfilesV2.list
apigee.securitySettings.get
apigee.securityStats.*
apigee.securityreports.get
apigee.securityreports.list
apigee.setupcontexts.get
apigee.sharedflowrevisions.get
apigee.
apigee.sharedflows.get
apigee.sharedflows.list
apigee.targetservers.get
apigee.targetservers.list
apigee.traceconfig.get
apigee.
apigee.
apigee.tracesessions.get
apigee.tracesessions.list
monitoring.timeSeries.list
resourcemanager.projects.get
resourcemanager.
resourcemanager.projects.list
Apigee Runtime Agent
(roles/)
Curated set of permissions for a runtime agent to access Apigee Organization resources
apigee.canaryevaluations.*
apigee.entitlements.get
apigee.environments.get
apigee.ingressconfigs.get
apigee.instances.reportStatus
apigee.operations.*
apigee.organizations.get
apigee.
apigee.runtimeconfigs.get
Apigee Security Admin
(roles/)
Security admin for an Apigee Organization
apigee.addonsconfig.get
apigee.entitlements.get
apigee.envgroupattachments.get
apigee.
apigee.envgroups.get
apigee.envgroups.list
apigee.environments.get
apigee.environments.list
apigee.hostsecurityreports.*
apigee.organizations.get
apigee.organizations.list
apigee.
apigee.securityActions.*
apigee.securityActionsConfig.*
apigee.
apigee.securityFeedback.*
apigee.securityIncidents.*
apigee.
apigee.securityProfiles.*
apigee.securityProfilesV2.*
apigee.securitySettings.*
apigee.securityStats.*
apigee.securityreports.*
resourcemanager.projects.get
resourcemanager.projects.list
Apigee Security Viewer
(roles/)
Security viewer for an Apigee Organization
apigee.addonsconfig.get
apigee.entitlements.get
apigee.envgroupattachments.get
apigee.
apigee.envgroups.get
apigee.envgroups.list
apigee.environments.get
apigee.environments.list
apigee.hostsecurityreports.get
apigee.
apigee.organizations.get
apigee.organizations.list
apigee.
apigee.securityActions.get
apigee.securityActions.list
apigee.
apigee.
apigee.securityFeedback.get
apigee.securityFeedback.list
apigee.securityIncidents.get
apigee.securityIncidents.list
apigee.
apigee.securityProfiles.get
apigee.securityProfiles.list
apigee.securityProfilesV2.get
apigee.securityProfilesV2.list
apigee.securitySettings.get
apigee.securityStats.*
apigee.securityreports.get
apigee.securityreports.list
resourcemanager.projects.get
resourcemanager.projects.list
Apigee Synchronizer Manager
(roles/)
Curated set of permissions for a Synchronizer to manage environments in an Apigee Organization
apigee.environments.get
apigee.
apigee.ingressconfigs.get
Apigee Connect Admin
(roles/)
Admin of Apigee Connect
apigeeconnect.connections.list
Apigee Connect Agent
(roles/)
Ability to set up Apigee Connect agent between external clusters and Google.
apigeeconnect.
Apigee Registry roles
Permissions
Cloud Apigee Registry Admin
Beta
(roles/)
Full access to Cloud Apigee Registry Registry and Runtime resources.
apigeeregistry.*
resourcemanager.projects.get
resourcemanager.projects.list
Cloud Apigee Registry Editor
Beta
(roles/)
Edit access to Cloud Apigee Registry Registry resources.
apigeeregistry.apis.create
apigeeregistry.apis.delete
apigeeregistry.apis.get
apigeeregistry.
apigeeregistry.apis.list
apigeeregistry.apis.update
apigeeregistry.
apigeeregistry.
apigeeregistry.artifacts.get
apigeeregistry.
apigeeregistry.artifacts.list
apigeeregistry.
apigeeregistry.deployments.*
apigeeregistry.specs.create
apigeeregistry.specs.delete
apigeeregistry.specs.get
apigeeregistry.
apigeeregistry.specs.list
apigeeregistry.specs.update
apigeeregistry.versions.create
apigeeregistry.versions.delete
apigeeregistry.versions.get
apigeeregistry.
apigeeregistry.versions.list
apigeeregistry.versions.update
resourcemanager.projects.get
resourcemanager.projects.list
Cloud Apigee Registry Viewer
Beta
(roles/)
Read-only access to Cloud Apigee Registry Registry resources.
apigeeregistry.apis.get
apigeeregistry.apis.list
apigeeregistry.artifacts.get
apigeeregistry.artifacts.list
apigeeregistry.deployments.get
apigeeregistry.
apigeeregistry.specs.get
apigeeregistry.specs.list
apigeeregistry.versions.get
apigeeregistry.versions.list
resourcemanager.projects.get
resourcemanager.projects.list
Cloud Apigee Registry Worker
Beta
(roles/)
The role used by Apigee Registry application workers to read and update Apigee Registry Artifacts.
apigeeregistry.apis.get
apigeeregistry.apis.list
apigeeregistry.apis.update
apigeeregistry.
apigeeregistry.
apigeeregistry.artifacts.get
apigeeregistry.artifacts.list
apigeeregistry.
apigeeregistry.deployments.get
apigeeregistry.
apigeeregistry.
apigeeregistry.specs.get
apigeeregistry.specs.list
apigeeregistry.specs.update
apigeeregistry.versions.get
apigeeregistry.versions.list
apigeeregistry.versions.update
resourcemanager.projects.get
resourcemanager.projects.list
App Engine roles
Permissions
App Engine Admin
(roles/)
Read/Write/Modify access to all application configuration and settings.
To deploy new versions, a principal must have the
Service Account User
(roles/iam.serviceAccountUser) role on the assigned App Engine
service account , and the Cloud Build Editor
(roles/cloudbuild.builds.editor), and Cloud Storage Object Admin
(roles/storage.objectAdmin) roles on the project.
Lowest-level resources where you can grant this role:
appengine.applications.get
appengine.
appengine.applications.update
appengine.instances.*
appengine.memcache.addKey
appengine.memcache.flush
appengine.memcache.get
appengine.memcache.update
appengine.operations.*
appengine.runtimes.actAsAdmin
appengine.services.*
appengine.versions.create
appengine.versions.delete
appengine.versions.get
appengine.versions.list
appengine.versions.update
artifactregistry.
resourcemanager.projects.get
resourcemanager.projects.list
App Engine Creator
(roles/)
Ability to create the App Engine resource for the project.
Lowest-level resources where you can grant this role:
appengine.applications.create
resourcemanager.projects.get
resourcemanager.projects.list
App Engine Viewer
(roles/)
Read-only access to all application configuration and settings.
Lowest-level resources where you can grant this role:
appengine.applications.get
appengine.
appengine.instances.get
appengine.instances.list
appengine.operations.*
appengine.services.get
appengine.services.list
appengine.versions.get
appengine.versions.list
artifactregistry.
resourcemanager.projects.get
resourcemanager.projects.list
App Engine Code Viewer
(roles/)
Read-only access to all application configuration, settings, and deployed
source code.
Lowest-level resources where you can grant this role:
appengine.applications.get
appengine.
appengine.instances.get
appengine.instances.list
appengine.operations.*
appengine.services.get
appengine.services.list
appengine.versions.get
appengine.
appengine.versions.list
artifactregistry.
resourcemanager.projects.get
resourcemanager.projects.list
App Engine Managed VM Debug Access
(roles/)
Ability to read or manage v2 instances.
appengine.applications.get
appengine.
appengine.instances.*
appengine.operations.*
appengine.services.get
appengine.services.list
appengine.versions.get
appengine.versions.list
resourcemanager.projects.get
resourcemanager.projects.list
App Engine Deployer
(roles/)
Read-only access to all application configuration and settings.
To deploy new versions, you must also have the
Service Account User
(roles/iam.serviceAccountUser) role on the assigned App Engine
service account , and the Cloud
Build Editor (roles/cloudbuild.builds.editor), and Cloud Storage Object Admin
(roles/storage.objectAdmin) roles on the project.
Cannot modify existing versions other than deleting versions that are not receiving traffic.
Lowest-level resources where you can grant this role:
appengine.applications.get
appengine.
appengine.instances.get
appengine.instances.list
appengine.operations.*
appengine.services.get
appengine.services.list
appengine.versions.create
appengine.versions.delete
appengine.versions.get
appengine.versions.list
artifactregistry.
artifactregistry.
artifactregistry.
artifactregistry.
resourcemanager.projects.get
resourcemanager.projects.list
App Engine Memcache Data Admin
(roles/)
Can get, set, delete, and flush App Engine Memcache items.
appengine.applications.get
appengine.memcache.addKey
appengine.memcache.flush
appengine.memcache.get
appengine.memcache.update
resourcemanager.projects.get
resourcemanager.projects.list
App Engine Service Admin
(roles/)
Read-only access to all application configuration and settings.
Write access to module-level and version-level settings. Cannot deploy a new version.
Lowest-level resources where you can grant this role:
appengine.applications.get
appengine.
appengine.instances.delete
appengine.instances.get
appengine.instances.list
appengine.operations.*
appengine.services.*
appengine.versions.delete
appengine.versions.get
appengine.versions.list
appengine.versions.update
artifactregistry.
resourcemanager.projects.get
resourcemanager.projects.list
Artifact Registry roles
Permissions
Artifact Registry Administrator
(roles/)
Administrator access to create and manage repositories.
artifactregistry.
artifactregistry.attachments.*
artifactregistry.
artifactregistry.files.*
artifactregistry.
artifactregistry.locations.*
artifactregistry.
artifactregistry.npmpackages.*
artifactregistry.packages.*
artifactregistry.
artifactregistry.
artifactregistry.
artifactregistry.
artifactregistry.
artifactregistry.
artifactregistry.
artifactregistry.
artifactregistry.
artifactregistry.
artifactregistry.
artifactregistry.
artifactregistry.
artifactregistry.
artifactregistry.
artifactregistry.
artifactregistry.
artifactregistry.rules.*
artifactregistry.tags.*
artifactregistry.versions.*
artifactregistry.
Container Registry -> Artifact Registry Migration Admin
(roles/)
Access to run migration tooling to migrate from Container Registry to Artifact Registry
artifactregistry.
artifactregistry.
artifactregistry.
artifactregistry.
artifactregistry.
artifactregistry.
artifactregistry.
artifactregistry.
cloudasset.
cloudasset.
cloudasset.
iam.roles.get
resourcemanager.projects.get
resourcemanager.
serviceusage.services.use
storage.objects.list
Artifact Registry Create-on-Push Repository Administrator
(roles/)
Access to manage artifacts in repositories, as well as create new repositories on push
artifactregistry.
artifactregistry.attachments.*
artifactregistry.
artifactregistry.files.*
artifactregistry.
artifactregistry.locations.*
artifactregistry.
artifactregistry.npmpackages.*
artifactregistry.packages.*
artifactregistry.
artifactregistry.
artifactregistry.
artifactregistry.
artifactregistry.
artifactregistry.
artifactregistry.
artifactregistry.
artifactregistry.
artifactregistry.
artifactregistry.
artifactregistry.rules.*
artifactregistry.tags.*
artifactregistry.versions.*
artifactregistry.
Artifact Registry Create-on-Push Writer
(roles/)
Access to read and write repository items, as well as create new repositories on push
artifactregistry.
artifactregistry.
artifactregistry.
artifactregistry.
artifactregistry.
artifactregistry.
artifactregistry.files.get
artifactregistry.files.list
artifactregistry.files.update
artifactregistry.files.upload
artifactregistry.
artifactregistry.locations.*
artifactregistry.
artifactregistry.npmpackages.*
artifactregistry.packages.get
artifactregistry.packages.list
artifactregistry.
artifactregistry.
artifactregistry.
artifactregistry.
artifactregistry.
artifactregistry.
artifactregistry.
artifactregistry.
artifactregistry.
artifactregistry.
artifactregistry.
artifactregistry.rules.get
artifactregistry.rules.list
artifactregistry.tags.create
artifactregistry.tags.get
artifactregistry.tags.list
artifactregistry.tags.update
artifactregistry.versions.get
artifactregistry.versions.list
artifactregistry.
Artifact Registry Reader
(roles/)
Access to read repository items.
artifactregistry.
artifactregistry.
artifactregistry.
artifactregistry.
artifactregistry.files.get
artifactregistry.files.list
artifactregistry.locations.*
artifactregistry.
artifactregistry.npmpackages.*
artifactregistry.packages.get
artifactregistry.packages.list
artifactregistry.
artifactregistry.
artifactregistry.
artifactregistry.
artifactregistry.
artifactregistry.
artifactregistry.
artifactregistry.
artifactregistry.rules.get
artifactregistry.rules.list
artifactregistry.tags.get
artifactregistry.tags.list
artifactregistry.versions.get
artifactregistry.versions.list
Artifact Registry Repository Administrator
(roles/)
Access to manage artifacts in repositories.
artifactregistry.
artifactregistry.attachments.*
artifactregistry.
artifactregistry.files.*
artifactregistry.
artifactregistry.locations.*
artifactregistry.
artifactregistry.npmpackages.*
artifactregistry.packages.*
artifactregistry.
artifactregistry.
artifactregistry.
artifactregistry.
artifactregistry.
artifactregistry.
artifactregistry.
artifactregistry.
artifactregistry.
artifactregistry.
artifactregistry.rules.*
artifactregistry.tags.*
artifactregistry.versions.*
artifactregistry.
Artifact Registry Writer
(roles/)
Access to read and write repository items.
artifactregistry.
artifactregistry.
artifactregistry.
artifactregistry.
artifactregistry.
artifactregistry.
artifactregistry.files.get
artifactregistry.files.list
artifactregistry.files.update
artifactregistry.files.upload
artifactregistry.
artifactregistry.locations.*
artifactregistry.
artifactregistry.npmpackages.*
artifactregistry.packages.get
artifactregistry.packages.list
artifactregistry.
artifactregistry.
artifactregistry.
artifactregistry.
artifactregistry.
artifactregistry.
artifactregistry.
artifactregistry.
artifactregistry.
artifactregistry.
artifactregistry.rules.get
artifactregistry.rules.list
artifactregistry.tags.create
artifactregistry.tags.get
artifactregistry.tags.list
artifactregistry.tags.update
artifactregistry.versions.get
artifactregistry.versions.list
artifactregistry.
Assured Workloads roles
Permissions
Assured Workloads Administrator
(roles/)
Grants full access to Assured Workloads resources, CRM resources - project/folder and Organization Policy administration
assuredworkloads.*
axt.labels.set
bigquery.config.update
logging.settings.update
orgpolicy.policies.*
orgpolicy.policy.*
resourcemanager.folders.create
resourcemanager.folders.get
resourcemanager.folders.list
resourcemanager.
resourcemanager.
resourcemanager.projects.get
resourcemanager.projects.list
Assured Workloads Editor
(roles/)
Grants read, write access to Assured Workloads resources, CRM resources - project/folder and Organization Policy administration
assuredworkloads.*
axt.labels.set
bigquery.config.update
logging.settings.update
orgpolicy.policies.*
orgpolicy.policy.*
resourcemanager.folders.create
resourcemanager.folders.get
resourcemanager.folders.list
resourcemanager.
resourcemanager.
resourcemanager.projects.get
resourcemanager.projects.list
Assured Workloads Reader
(roles/)
Grants read access to all Assured Workloads resources and CRM resources - project/folder
assuredworkloads.operations.*
assuredworkloads.updates.list
assuredworkloads.
assuredworkloads.
assuredworkloads.workload.get
assuredworkloads.workload.list
orgpolicy.policies.list
orgpolicy.policy.get
resourcemanager.folders.get
resourcemanager.folders.list
resourcemanager.
resourcemanager.projects.get
resourcemanager.projects.list
AutoML roles
Permissions
AutoML Admin
Beta
(roles/)
Full access to all AutoML resources
Lowest-level resources where you can grant this role:
automl.*
resourcemanager.projects.get
resourcemanager.projects.list
serviceusage.services.get
serviceusage.services.list
AutoML Editor
Beta
(roles/)
Editor of all AutoML resources
Lowest-level resources where you can grant this role:
automl.annotationSpecs.*
automl.annotations.*
automl.columnSpecs.*
automl.datasets.create
automl.datasets.delete
automl.datasets.export
automl.datasets.get
automl.datasets.import
automl.datasets.list
automl.datasets.update
automl.examples.*
automl.files.*
automl.humanAnnotationTasks.*
automl.locations.get
automl.locations.list
automl.modelEvaluations.*
automl.models.create
automl.models.delete
automl.models.deploy
automl.models.export
automl.models.get
automl.models.list
automl.models.predict
automl.models.undeploy
automl.operations.*
automl.tableSpecs.*
resourcemanager.projects.get
resourcemanager.projects.list
serviceusage.services.get
serviceusage.services.list
AutoML Predictor
Beta
(roles/)
Predict using models
Lowest-level resources where you can grant this role:
automl.models.predict
resourcemanager.projects.get
resourcemanager.projects.list
AutoML Viewer
Beta
(roles/)
Viewer of all AutoML resources
Lowest-level resources where you can grant this role:
automl.annotationSpecs.get
automl.annotationSpecs.list
automl.annotations.list
automl.columnSpecs.get
automl.columnSpecs.list
automl.datasets.get
automl.datasets.list
automl.examples.get
automl.examples.list
automl.files.list
automl.
automl.
automl.locations.get
automl.locations.list
automl.modelEvaluations.get
automl.modelEvaluations.list
automl.models.get
automl.models.list
automl.operations.get
automl.operations.list
automl.tableSpecs.get
automl.tableSpecs.list
resourcemanager.projects.get
resourcemanager.projects.list
serviceusage.services.get
serviceusage.services.list
Backup and DR roles
Permissions
Backup and DR Admin
(roles/)
Provides full access to all Backup and DR resources.
backupdr.
backupdr.backupPlans.*
backupdr.backupVaults.*
backupdr.bvbackups.*
backupdr.bvdataSources.*
backupdr.
backupdr.locations.*
backupdr.managementServers.*
backupdr.operations.*
backupdr.
resourcemanager.projects.get
resourcemanager.projects.list
Backup and DR Backup Config Viewer
Beta
(roles/)
Provides read access to resource backup config. Resource backup config has the metadata of a Google Cloud resource that can be backed up, along with its backup configurations.
backupdr.
Backup and DR Backup User
(roles/)
Allows the user to apply existing backup plans. This role cannot create backup plans or restore from a backup.
backupdr.
backupdr.backupPlans.get
backupdr.backupPlans.list
backupdr.
backupdr.backupVaults.get
backupdr.backupVaults.list
backupdr.bvbackups.get
backupdr.bvbackups.list
backupdr.bvdataSources.get
backupdr.bvdataSources.list
backupdr.locations.*
backupdr.
backupdr.
backupdr.
backupdr.
backupdr.managementServers.get
backupdr.
backupdr.
backupdr.
backupdr.
backupdr.
backupdr.
backupdr.
backupdr.
backupdr.
backupdr.
backupdr.operations.get
backupdr.operations.list
resourcemanager.projects.get
resourcemanager.projects.list
Backup and DR Backup Vault Accessor
(roles/)
Allows the Backup Appliance permissions to create and manage backups in a backup vault.
backupdr.backupVaults.get
backupdr.backupVaults.list
backupdr.bvbackups.delete
backupdr.bvbackups.get
backupdr.bvbackups.list
backupdr.bvbackups.update
backupdr.bvdataSources.*
backupdr.operations.*
Backup and DR Backup Vault Admin
(roles/)
Allows the Backup Appliance full administrative control of backup vault resources.
backupdr.backupVaults.*
backupdr.bvbackups.*
backupdr.bvdataSources.get
backupdr.bvdataSources.list
backupdr.bvdataSources.update
backupdr.
backupdr.locations.*
backupdr.operations.*
Backup and DR Backup Vault Lister
(roles/)
Allows the Backup Appliance permission to list backup vaults in a given project.
backupdr.backupVaults.list
Backup and DR Backup Vault Viewer
(roles/)
Allows read-only permissions to access backup vault resources and backups.
backupdr.backupVaults.get
backupdr.backupVaults.list
backupdr.bvbackups.get
backupdr.bvbackups.list
backupdr.bvdataSources.get
backupdr.bvdataSources.list
backupdr.operations.get
backupdr.operations.list
Backup and DR Cloud Storage Operator
(roles/)
Allows a Backup and DR service account to store and manage data (backups or metadata) in Cloud Storage.
storage.buckets.create
storage.buckets.get
storage.objects.create
storage.objects.delete
storage.objects.get
storage.objects.list
Backup and DR Compute Engine Operator
(roles/)
Allows a Backup and DR service account to discover, back up, and restore Compute Engine VM instances.
backupdr.
compute.addresses.list
compute.addresses.use
compute.addresses.useInternal
compute.diskTypes.*
compute.disks.create
compute.disks.createSnapshot
compute.disks.delete
compute.disks.get
compute.disks.setLabels
compute.disks.use
compute.firewalls.list
compute.globalOperations.get
compute.images.create
compute.images.delete
compute.images.get
compute.images.useReadOnly
compute.instances.attachDisk
compute.instances.create
compute.
compute.instances.delete
compute.instances.detachDisk
compute.instances.get
compute.instances.list
compute.
compute.
compute.
compute.instances.setLabels
compute.instances.setMetadata
compute.
compute.instances.setTags
compute.instances.start
compute.instances.stop
compute.
compute.instances.useReadOnly
compute.machineTypes.*
compute.networks.list
compute.nodeGroups.get
compute.nodeGroups.list
compute.nodeTemplates.get
compute.projects.get
compute.regionOperations.get
compute.regions.*
compute.resourcePolicies.use
compute.snapshots.create
compute.snapshots.delete
compute.snapshots.get
compute.snapshots.setLabels
compute.snapshots.useReadOnly
compute.subnetworks.list
compute.subnetworks.use
compute.
compute.zoneOperations.get
compute.zones.list
iam.serviceAccounts.actAs
iam.serviceAccounts.get
iam.serviceAccounts.list
resourcemanager.projects.get
resourcemanager.projects.list
Backup and DR Management Server Accessor
Beta
(roles/)
Grants the Backup and DR management server access role to Backup Appliances.
backupdr.
Backup and DR Mount User
(roles/)
Allows the user to mount from a backup. This role cannot create a backup plan or restore from a backup.
backupdr.locations.*
backupdr.
backupdr.managementServers.get
backupdr.
backupdr.
backupdr.
backupdr.
backupdr.
backupdr.
backupdr.
backupdr.
backupdr.
backupdr.
backupdr.
backupdr.
backupdr.
backupdr.
backupdr.
backupdr.
backupdr.
backupdr.operations.get
backupdr.operations.list
resourcemanager.projects.get
resourcemanager.projects.list
Backup and DR Restore User
(roles/)
Allows the user to restore or mount from a backup. This role cannot create a backup plan.
backupdr.backupVaults.get
backupdr.backupVaults.list
backupdr.bvbackups.get
backupdr.bvbackups.list
backupdr.bvbackups.restore
backupdr.bvdataSources.get
backupdr.bvdataSources.list
backupdr.
backupdr.locations.*
backupdr.
backupdr.managementServers.get
backupdr.
backupdr.
backupdr.
backupdr.
backupdr.
backupdr.
backupdr.
backupdr.
backupdr.
backupdr.
backupdr.
backupdr.
backupdr.
backupdr.
backupdr.
backupdr.
backupdr.
backupdr.
backupdr.
backupdr.
backupdr.operations.get
backupdr.operations.list
resourcemanager.projects.get
resourcemanager.projects.list
Backup and DR User
(roles/)
Provides access to management console. Granular Backup and DR permissions depend on ACL configuration provided by Backup and DR admin within the management console.
backupdr.
backupdr.
backupdr.
backupdr.
backupdr.managementServers.get
backupdr.
backupdr.
backupdr.
backupdr.
backupdr.
backupdr.
backupdr.
backupdr.
backupdr.
backupdr.
backupdr.operations.get
backupdr.operations.list
resourcemanager.projects.get
resourcemanager.projects.list
Backup and DR User V2
(roles/)
Provides full access to Backup and DR resources except deploying and managing backup infrastructure, expiring backups, changing data sensitivity and configuring on-premises billing.
backupdr.
backupdr.backupPlans.*
backupdr.
backupdr.backupVaults.get
backupdr.backupVaults.list
backupdr.bvbackups.get
backupdr.bvbackups.list
backupdr.bvbackups.restore
backupdr.bvdataSources.get
backupdr.bvdataSources.list
backupdr.
backupdr.locations.*
backupdr.
backupdr.
backupdr.
backupdr.
backupdr.
backupdr.managementServers.get
backupdr.
backupdr.
backupdr.
backupdr.
backupdr.
backupdr.
backupdr.
backupdr.
backupdr.
backupdr.
backupdr.
backupdr.
backupdr.
backupdr.
backupdr.
backupdr.
backupdr.
backupdr.
backupdr.
backupdr.
backupdr.
backupdr.
backupdr.
backupdr.
backupdr.
backupdr.operations.get
backupdr.operations.list
resourcemanager.projects.get
resourcemanager.projects.list
Backup and DR Viewer
(roles/)
Provides read-only access to all Backup and DR resources.
backupdr.
backupdr.
backupdr.backupPlans.get
backupdr.backupPlans.list
backupdr.backupVaults.get
backupdr.backupVaults.list
backupdr.bvbackups.get
backupdr.bvbackups.list
backupdr.bvdataSources.get
backupdr.bvdataSources.list
backupdr.locations.*
backupdr.
backupdr.
backupdr.managementServers.get
backupdr.
backupdr.
backupdr.
backupdr.
backupdr.
backupdr.
backupdr.
backupdr.
backupdr.
backupdr.
backupdr.operations.get
backupdr.operations.list
resourcemanager.projects.get
resourcemanager.projects.list
Backup for GKE roles
Permissions
Backup for GKE Admin
(roles/)
Full access to all Backup for GKE resources.
gkebackup.*
resourcemanager.projects.get
resourcemanager.projects.list
Backup for GKE Backup Admin
(roles/)
Allows administrators to manage all BackupPlan and Backup resources.
gkebackup.backupPlans.*
gkebackup.backups.*
gkebackup.locations.*
gkebackup.operations.get
gkebackup.operations.list
gkebackup.volumeBackups.*
resourcemanager.projects.get
resourcemanager.projects.list
Backup for GKE Delegated Backup Admin
(roles/)
Allows administrators to manage Backup resources for specific BackupPlans
gkebackup.backupPlans.get
gkebackup.backups.*
gkebackup.volumeBackups.*
Backup for GKE Delegated Restore Admin
(roles/)
Allows administrators to manage Restore resources for specific RestorePlans
gkebackup.restorePlans.get
gkebackup.restores.*
gkebackup.volumeRestores.*
Backup for GKE Restore Admin
(roles/)
Allows administrators to manage all RestorePlan and Restore resources.
gkebackup.backupPlans.get
gkebackup.backupPlans.list
gkebackup.backups.get
gkebackup.
gkebackup.backups.list
gkebackup.locations.*
gkebackup.operations.get
gkebackup.operations.list
gkebackup.restorePlans.*
gkebackup.restores.*
gkebackup.volumeBackups.*
gkebackup.volumeRestores.*
resourcemanager.projects.get
resourcemanager.projects.list
Backup for GKE Viewer
(roles/)
Read-only access to all Backup for GKE resources.
gkebackup.backupPlans.get
gkebackup.
gkebackup.backupPlans.list
gkebackup.backups.get
gkebackup.
gkebackup.backups.list
gkebackup.locations.*
gkebackup.operations.get
gkebackup.operations.list
gkebackup.restorePlans.get
gkebackup.
gkebackup.restorePlans.list
gkebackup.restores.get
gkebackup.restores.list
gkebackup.volumeBackups.*
gkebackup.volumeRestores.*
resourcemanager.projects.get
resourcemanager.projects.list
Permissions
(roles/)
Administrator of Bare Metal Solution resources
baremetalsolution.
baremetalsolution.instances.*
baremetalsolution.luns.*
baremetalsolution.
baremetalsolution.
baremetalsolution.networks.*
baremetalsolution.nfsshares.*
baremetalsolution.
baremetalsolution.
baremetalsolution.pods.list
baremetalsolution.
baremetalsolution.
baremetalsolution.skus.list
baremetalsolution.
baremetalsolution.sshKeys.*
baremetalsolution.
baremetalsolution.
baremetalsolution.volumes.*
baremetalsolution.
resourcemanager.projects.get
resourcemanager.projects.list
(roles/)
Editor of Bare Metal Solution resources
baremetalsolution.
baremetalsolution.instances.*
baremetalsolution.luns.*
baremetalsolution.
baremetalsolution.
baremetalsolution.networks.*
baremetalsolution.nfsshares.*
baremetalsolution.
baremetalsolution.
baremetalsolution.pods.list
baremetalsolution.
baremetalsolution.
baremetalsolution.skus.list
baremetalsolution.
baremetalsolution.sshKeys.*
baremetalsolution.
baremetalsolution.
baremetalsolution.volumes.*
baremetalsolution.
resourcemanager.projects.get
resourcemanager.projects.list
(roles/)
Admin of Bare Metal Solution Instance resources
baremetalsolution.instances.*
baremetalsolution.
baremetalsolution.
baremetalsolution.pods.list
resourcemanager.projects.get
resourcemanager.projects.list
(roles/)
Viewer of Bare Metal Solution Instance resources
baremetalsolution.
baremetalsolution.
baremetalsolution.
baremetalsolution.
resourcemanager.projects.get
resourcemanager.projects.list
(roles/)
Administrator of Bare Metal Solution Lun resources
baremetalsolution.luns.get
baremetalsolution.luns.list
baremetalsolution.
(roles/)
Viewer of Bare Metal Solution Lun resources
baremetalsolution.luns.get
baremetalsolution.luns.list
baremetalsolution.
Maintenance Events Admin
(roles/)
Administrator of Bare Metal Solution maintenance events resources
baremetalsolution.
Maintenance Events Editor
(roles/)
Editor of Bare Metal Solution maintenance events resources
baremetalsolution.
Maintenance Events Viewer
(roles/)
Viewer of Bare Metal Solution maintenance events resources
baremetalsolution.
baremetalsolution.
(roles/)
Admin of Bare Metal Solution networks resources
baremetalsolution.
baremetalsolution.networks.*
baremetalsolution.
baremetalsolution.pods.list
(roles/)
Administrator of Bare Metal Solution NFS Share resources
baremetalsolution.nfsshares.*
baremetalsolution.
baremetalsolution.pods.list
(roles/)
Editor of Bare Metal Solution NFS Share resources
baremetalsolution.nfsshares.*
baremetalsolution.
baremetalsolution.pods.list
(roles/)
Viewer of Bare Metal Solution NFS Share resources
baremetalsolution.
baremetalsolution.
baremetalsolution.
(roles/)
Viewer of Bare Metal Solution OS images resources
baremetalsolution.
(roles/)
Administrator of Bare Metal Solution Procurements
baremetalsolution.pods.list
baremetalsolution.
baremetalsolution.skus.list
(roles/)
Editor of Bare Metal Solution Procurements
baremetalsolution.pods.list
baremetalsolution.
baremetalsolution.skus.list
(roles/)
Viewer of Bare Metal Solution Procurements
baremetalsolution.
baremetalsolution.
baremetalsolution.skus.list
(roles/)
Administrator of Bare Metal Solution storage resources
baremetalsolution.luns.*
baremetalsolution.nfsshares.*
baremetalsolution.
baremetalsolution.pods.list
baremetalsolution.
baremetalsolution.
baremetalsolution.
baremetalsolution.volumes.*
baremetalsolution.
resourcemanager.projects.get
resourcemanager.projects.list
(roles/)
Viewer of Bare Metal Solution resources
baremetalsolution.
baremetalsolution.
baremetalsolution.
baremetalsolution.luns.get
baremetalsolution.luns.list
baremetalsolution.
baremetalsolution.
baremetalsolution.
baremetalsolution.networks.get
baremetalsolution.
baremetalsolution.
baremetalsolution.
baremetalsolution.
baremetalsolution.
baremetalsolution.pods.list
baremetalsolution.
baremetalsolution.
baremetalsolution.skus.list
baremetalsolution.
baremetalsolution.
baremetalsolution.sshKeys.list
baremetalsolution.
baremetalsolution.
baremetalsolution.volumes.get
baremetalsolution.volumes.list
baremetalsolution.
baremetalsolution.
resourcemanager.projects.get
resourcemanager.projects.list
(roles/)
Administrator of Bare Metal Solution volume resources
baremetalsolution.
baremetalsolution.pods.list
baremetalsolution.volumes.*
(roles/)
Editor of Bare Metal Solution volumes resources
baremetalsolution.
baremetalsolution.pods.list
baremetalsolution.
baremetalsolution.
baremetalsolution.
baremetalsolution.volumes.get
baremetalsolution.volumes.list
baremetalsolution.
baremetalsolution.
baremetalsolution.
(roles/)
Administrator of Bare Metal Solution snapshots resources
baremetalsolution.
baremetalsolution.
(roles/)
Editor of Bare Metal Solution snapshots resources
baremetalsolution.
baremetalsolution.
baremetalsolution.
baremetalsolution.
baremetalsolution.
(roles/)
Viewer of Bare Metal Solution snapshots resources
baremetalsolution.
baremetalsolution.
baremetalsolution.
(roles/)
Viewer of Bare Metal Solution volumes resources
baremetalsolution.
baremetalsolution.volumes.get
baremetalsolution.volumes.list
BeyondCorp roles
Permissions
Cloud BeyondCorp Admin
Beta
(roles/)
Full access to all Cloud BeyondCorp resources.
beyondcorp.appConnections.*
beyondcorp.appConnectors.*
beyondcorp.appGateways.*
beyondcorp.
beyondcorp.
beyondcorp.
beyondcorp.
beyondcorp.
beyondcorp.
beyondcorp.
beyondcorp.clientGateways.*
beyondcorp.locations.*
beyondcorp.operations.*
beyondcorp.subscriptions.*
resourcemanager.projects.get
resourcemanager.projects.list
Cloud BeyondCorp Client Connector Admin
Beta
(roles/)
Full access to all BeyondCorp Client Connector resources.
beyondcorp.
beyondcorp.
beyondcorp.
beyondcorp.
beyondcorp.
beyondcorp.
beyondcorp.
beyondcorp.clientGateways.*
resourcemanager.projects.get
resourcemanager.projects.list
Cloud BeyondCorp Client Connector Service User
Beta
(roles/)
Access Client Connector Service
beyondcorp.
Cloud BeyondCorp Client Connector Viewer
Beta
(roles/)
Read-only access to all BeyondCorp Client Connector resources.
beyondcorp.
beyondcorp.
beyondcorp.
beyondcorp.clientGateways.get
beyondcorp.
beyondcorp.clientGateways.list
resourcemanager.projects.get
resourcemanager.projects.list
Cloud BeyondCorp Partner Service Delegate Admin
Beta
(roles/)
Delegates access to all BeyondCorp partner service resources to a BeyondCorp Enterprise partner.
beyondcorp.operations.*
beyondcorp.partnerTenants.*
beyondcorp.proxyConfigs.*
resourcemanager.
Cloud BeyondCorp Partner Service Delegate Viewer
Beta
(roles/)
Delegates read-only access to all BeyondCorp partner service resources to a BeyondCorp Enterprise partner.
beyondcorp.partnerTenants.get
beyondcorp.partnerTenants.list
beyondcorp.proxyConfigs.get
beyondcorp.proxyConfigs.list
resourcemanager.
Cloud BeyondCorp Subscription Admin
Beta
(roles/)
Full access to all BeyondCorp Subscription resources.
beyondcorp.subscriptions.*
resourcemanager.
Cloud BeyondCorp Subscription Viewer
Beta
(roles/)
Read-only access to all BeyondCorp Subscription resources.
beyondcorp.subscriptions.get
beyondcorp.subscriptions.list
resourcemanager.
Cloud BeyondCorp Viewer
Beta
(roles/)
Read-only access to all Cloud BeyondCorp resources.
beyondcorp.appConnections.get
beyondcorp.
beyondcorp.appConnections.list
beyondcorp.appConnectors.get
beyondcorp.
beyondcorp.appConnectors.list
beyondcorp.appGateways.get
beyondcorp.
beyondcorp.appGateways.list
beyondcorp.
beyondcorp.
beyondcorp.
beyondcorp.clientGateways.get
beyondcorp.
beyondcorp.clientGateways.list
beyondcorp.locations.*
beyondcorp.operations.get
beyondcorp.operations.list
beyondcorp.subscriptions.get
beyondcorp.subscriptions.list
resourcemanager.
resourcemanager.projects.get
resourcemanager.projects.list
BigQuery roles
Permissions
BigQuery Admin
(roles/)
Provides permissions to manage all resources within the project. Can manage
all data within the project, and can cancel jobs from other users running
within the project.
Lowest-level resources where you can grant this role:
Datasets
Row access policies
Tables
Views
bigquery.bireservations.*
bigquery.capacityCommitments.*
bigquery.config.*
bigquery.connections.*
bigquery.dataPolicies.create
bigquery.dataPolicies.delete
bigquery.dataPolicies.get
bigquery.
bigquery.dataPolicies.list
bigquery.
bigquery.dataPolicies.update
bigquery.datasets.*
bigquery.jobs.*
bigquery.models.*
bigquery.readsessions.*
bigquery.
bigquery.reservations.*
bigquery.routines.*
bigquery.
bigquery.
bigquery.
bigquery.
bigquery.
bigquery.
bigquery.
bigquery.savedqueries.*
bigquery.tables.*
bigquery.transfers.*
bigquerymigration.
dataform.*
dataplex.projects.search
resourcemanager.projects.get
resourcemanager.projects.list
BigQuery Connection Admin
(roles/)
bigquery.connections.*
BigQuery Connection User
(roles/)
bigquery.connections.get
bigquery.
bigquery.connections.list
bigquery.connections.use
BigQuery Data Editor
(roles/)
When applied to a table or view, this role provides permissions to:
Read and update data and metadata for the table or view.
Delete the table or view.
This role cannot be applied to individual models or routines.
When applied to a dataset, this role provides permissions to:
Read the dataset's metadata and list tables in the dataset.
Create, update, get, and delete the dataset's tables.
When applied at the project or organization level, this role can also
create new datasets.
Lowest-level resources where you can grant this role:
bigquery.config.get
bigquery.datasets.create
bigquery.datasets.get
bigquery.datasets.getIamPolicy
bigquery.datasets.updateTag
bigquery.models.*
bigquery.routines.*
bigquery.tables.create
bigquery.tables.createIndex
bigquery.tables.createSnapshot
bigquery.tables.delete
bigquery.tables.deleteIndex
bigquery.tables.export
bigquery.tables.get
bigquery.tables.getData
bigquery.tables.getIamPolicy
bigquery.tables.list
bigquery.tables.replicateData
bigquery.
bigquery.tables.update
bigquery.tables.updateData
bigquery.tables.updateIndex
bigquery.tables.updateTag
resourcemanager.projects.get
resourcemanager.projects.list
BigQuery Data Owner
(roles/)
When applied to a table or view, this role provides permissions to:
Read and update data and metadata for the table or view.
Share the table or view.
Delete the table or view.
This role cannot be applied to individual models or routines.
When applied to a dataset, this role provides permissions to:
Read, update, and delete the dataset.
Create, update, get, and delete the dataset's tables.
When applied at the project or organization level, this role can also
create new datasets.
Lowest-level resources where you can grant this role:
bigquery.config.get
bigquery.dataPolicies.create
bigquery.dataPolicies.delete
bigquery.dataPolicies.get
bigquery.
bigquery.dataPolicies.list
bigquery.
bigquery.dataPolicies.update
bigquery.datasets.*
bigquery.models.*
bigquery.routines.*
bigquery.
bigquery.
bigquery.
bigquery.
bigquery.
bigquery.
bigquery.tables.*
resourcemanager.projects.get
resourcemanager.projects.list
BigQuery Data Viewer
(roles/)
When applied to a table or view, this role provides permissions to:
Read data and metadata from the table or view.
This role cannot be applied to individual models or routines.
When applied to a dataset, this role provides permissions to list all of the resources in the
dataset (such as tables, views, snapshots, models, and routines) and to read their data and metadata
with applicable APIs and in queries.
When applied at the project or organization level, this role can also
enumerate all datasets in the project. Additional roles, however, are
necessary to allow the running of jobs.
Lowest-level resources where you can grant this role:
bigquery.datasets.get
bigquery.datasets.getIamPolicy
bigquery.models.export
bigquery.models.getData
bigquery.models.getMetadata
bigquery.models.list
bigquery.routines.get
bigquery.routines.list
bigquery.tables.createSnapshot
bigquery.tables.export
bigquery.tables.get
bigquery.tables.getData
bigquery.tables.getIamPolicy
bigquery.tables.list
bigquery.tables.replicateData
resourcemanager.projects.get
resourcemanager.projects.list
BigQuery Filtered Data Viewer
(roles/)
Access to view filtered table data defined by a row access policy
bigquery.
BigQuery Job User
(roles/)
Provides permissions to run jobs, including queries, within the project.
Lowest-level resources where you can grant this role:
bigquery.config.get
bigquery.jobs.create
dataform.locations.*
dataform.repositories.create
dataform.repositories.list
resourcemanager.projects.get
resourcemanager.projects.list
(roles/)
When applied to a table or view, this role provides permissions to:
Read metadata from the table or view.
This role cannot be applied to individual models or routines.
When applied to a dataset, this role provides permissions to:
List tables and views in the dataset.
Read metadata from the dataset's tables and views.
When applied at the project or organization level, this role provides permissions to:
List all datasets and read metadata for all datasets in the project.
List all tables and views and read metadata for all tables and views
in the project.
Additional roles are necessary to allow the running of jobs.
Lowest-level resources where you can grant this role:
bigquery.datasets.get
bigquery.datasets.getIamPolicy
bigquery.models.getMetadata
bigquery.models.list
bigquery.routines.get
bigquery.routines.list
bigquery.tables.get
bigquery.tables.getIamPolicy
bigquery.tables.list
dataplex.projects.search
resourcemanager.projects.get
resourcemanager.projects.list
BigQuery Read Session User
(roles/)
Provides the ability to create and use read sessions.
Lowest-level resources where you can grant this role:
bigquery.readsessions.*
resourcemanager.projects.get
resourcemanager.projects.list
BigQuery Resource Admin
(roles/)
Administers BigQuery workloads, including slot assignments, commitments, and reservations.
bigquery.bireservations.*
bigquery.capacityCommitments.*
bigquery.jobs.get
bigquery.jobs.list
bigquery.jobs.listAll
bigquery.
bigquery.
bigquery.reservations.*
recommender.
recommender.
resourcemanager.projects.get
resourcemanager.projects.list
BigQuery Resource Editor
(roles/)
Manages BigQuery workloads, but is unable to create or modify slot commitments.
bigquery.bireservations.get
bigquery.
bigquery.
bigquery.jobs.get
bigquery.jobs.list
bigquery.jobs.listAll
bigquery.
bigquery.
bigquery.reservations.*
resourcemanager.projects.get
resourcemanager.projects.list
BigQuery Resource Viewer
(roles/)
Can view BigQuery workloads, but cannot create or modify slot reservations or commitments.
bigquery.bireservations.get
bigquery.
bigquery.
bigquery.jobs.get
bigquery.jobs.list
bigquery.jobs.listAll
bigquery.
bigquery.
bigquery.
bigquery.reservations.get
bigquery.reservations.list
bigquery.
resourcemanager.projects.get
resourcemanager.projects.list
BigQuery Studio Admin
(roles/)
Combination role of BigQuery Admin, Dataform Admin, Notebook Runtime Admin and Dataproc Serverless Editor.
aiplatform.
aiplatform.notebookRuntimes.*
aiplatform.operations.list
bigquery.bireservations.*
bigquery.capacityCommitments.*
bigquery.config.*
bigquery.connections.*
bigquery.dataPolicies.create
bigquery.dataPolicies.delete
bigquery.dataPolicies.get
bigquery.
bigquery.dataPolicies.list
bigquery.
bigquery.dataPolicies.update
bigquery.datasets.*
bigquery.jobs.*
bigquery.models.*
bigquery.readsessions.*
bigquery.
bigquery.reservations.*
bigquery.routines.*
bigquery.
bigquery.
bigquery.
bigquery.
bigquery.
bigquery.
bigquery.
bigquery.savedqueries.*
bigquery.tables.*
bigquery.transfers.*
bigquerymigration.
compute.projects.get
compute.regions.*
compute.reservations.get
compute.reservations.list
compute.zones.*
dataform.*
dataplex.projects.search
dataproc.batches.analyze
dataproc.batches.cancel
dataproc.batches.create
dataproc.batches.delete
dataproc.batches.get
dataproc.batches.list
dataproc.operations.cancel
dataproc.operations.delete
dataproc.operations.get
dataproc.operations.list
dataproc.sessionTemplates.*
dataproc.sessions.*
dataprocrm.nodePools.*
dataprocrm.nodes.get
dataprocrm.nodes.heartbeat
dataprocrm.nodes.list
dataprocrm.nodes.update
dataprocrm.operations.get
dataprocrm.operations.list
dataprocrm.workloads.*
resourcemanager.projects.get
resourcemanager.projects.list
BigQuery Studio User
(roles/)
Combination role of BigQuery Job User, BigQuery Read Session User, Dataform Code Creator, Notebook Runtime User and Dataproc Serverless Editor.
aiplatform.
aiplatform.
aiplatform.
aiplatform.
aiplatform.
aiplatform.
aiplatform.
aiplatform.operations.list
bigquery.config.get
bigquery.jobs.create
bigquery.readsessions.*
compute.projects.get
compute.regions.*
compute.zones.*
dataform.locations.*
dataform.repositories.create
dataform.repositories.list
dataplex.projects.search
dataproc.batches.analyze
dataproc.batches.cancel
dataproc.batches.create
dataproc.batches.delete
dataproc.batches.get
dataproc.batches.list
dataproc.operations.cancel
dataproc.operations.delete
dataproc.operations.get
dataproc.operations.list
dataproc.sessionTemplates.*
dataproc.sessions.*
dataprocrm.nodePools.*
dataprocrm.nodes.get
dataprocrm.nodes.heartbeat
dataprocrm.nodes.list
dataprocrm.nodes.update
dataprocrm.operations.get
dataprocrm.operations.list
dataprocrm.workloads.*
resourcemanager.projects.get
resourcemanager.projects.list
BigQuery User
(roles/)
When applied to a dataset, this role provides the ability to read the dataset's metadata and list
tables in the dataset.
When applied to a project, this role also provides the ability to run jobs, including queries,
within the project. A principal with this role can enumerate their own jobs, cancel their own jobs, and
enumerate datasets within a project. Additionally, allows the creation of new datasets within the
project; the creator is granted the BigQuery Data Owner role (roles/bigquery.dataOwner)
on these new datasets.
Lowest-level resources where you can grant this role:
bigquery.bireservations.get
bigquery.
bigquery.
bigquery.config.get
bigquery.datasets.create
bigquery.datasets.get
bigquery.datasets.getIamPolicy
bigquery.jobs.create
bigquery.jobs.list
bigquery.models.list
bigquery.readsessions.*
bigquery.
bigquery.
bigquery.reservations.get
bigquery.reservations.list
bigquery.
bigquery.routines.list
bigquery.savedqueries.get
bigquery.savedqueries.list
bigquery.tables.list
bigquery.transfers.get
bigquerymigration.
dataform.locations.*
dataform.repositories.create
dataform.repositories.list
dataplex.projects.search
resourcemanager.projects.get
resourcemanager.projects.list
BigQuery Data Policy Admin
(roles/)
Role for managing Data Policies in BigQuery
bigquery.dataPolicies.create
bigquery.dataPolicies.delete
bigquery.dataPolicies.get
bigquery.
bigquery.dataPolicies.list
bigquery.
bigquery.dataPolicies.update
Masked Reader
(roles/)
Masked read access to sub-resources tagged by the policy tag associated with a data policy, for example, BigQuery columns
bigquery.
Raw Data Reader
Beta
(roles/)
Raw read access to sub-resources associated with a data policy, for example, BigQuery columns
bigquery.
BigQuery Data Policy Viewer
(roles/)
Role for viewing Data Policies in BigQuery
bigquery.dataPolicies.get
bigquery.dataPolicies.list
Billing roles
Permissions
Billing Account Administrator
(roles/)
Provides access to see and manage all aspects of billing accounts.
Lowest-level resources where you can grant this role:
billing.accounts.close
billing.accounts.get
billing.
billing.accounts.getIamPolicy
billing.
billing.accounts.getPricing
billing.
billing.
billing.accounts.list
billing.accounts.move
billing.
billing.
billing.accounts.reopen
billing.accounts.setIamPolicy
billing.accounts.update
billing.
billing.
billing.anomalies.*
billing.anomaliesConfigs.*
billing.
billing.
billing.
billing.
billing.
billing.billingAccountSkus.*
billing.budgets.*
billing.credits.list
billing.
billing.
billing.resourceAssociations.*
billing.subscriptions.*
cloudasset.
cloudnotifications.
cloudsupport.properties.get
cloudsupport.techCases.*
commerceoffercatalog.*
compute.commitments.*
consumerprocurement.accounts.*
consumerprocurement.
consumerprocurement.
consumerprocurement.
consumerprocurement.
consumerprocurement.events.*
consumerprocurement.
consumerprocurement.
consumerprocurement.orders.*
dataprocessing.datasources.get
dataprocessing.
dataprocessing.
dataprocessing.
logging.logEntries.list
logging.logServiceIndexes.list
logging.logServices.list
logging.logs.list
logging.privateLogEntries.list
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.costInsights.*
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
resourcemanager.
resourcemanager.
resourcemanager.projects.get
resourcemanager.projects.list
Billing Account Costs Manager
(roles/)
Manage budgets for a billing account, and view, analyze, and export cost information of a billing
account.
Lowest-level resources where you can grant this role:
billing.accounts.get
billing.accounts.getIamPolicy
billing.
billing.
billing.accounts.list
billing.
billing.anomalies.get
billing.anomalies.list
billing.anomaliesConfigs.*
billing.budgets.*
billing.
recommender.costInsights.*
Billing Account Creator
(roles/)
Provides access to create billing accounts.
Lowest-level resources where you can grant this role:
billing.accounts.create
resourcemanager.
Project Billing Manager
(roles/)
When granted in conjunction with the Billing Account User role, provides access to assign a
project's billing account or disable its billing.
Lowest-level resources where you can grant this role:
resourcemanager.
resourcemanager.
Billing Account User
(roles/)
When granted in conjunction with the Project Owner role or Project Billing Manager role, provides
access to associate projects with billing accounts.
Lowest-level resources where you can grant this role:
billing.accounts.get
billing.accounts.getIamPolicy
billing.accounts.list
billing.
billing.credits.list
billing.
Billing Account Viewer
(roles/)
View billing account cost and pricing information, transactions, and billing and commitment
recommendations.
Lowest-level resources where you can grant this role:
billing.accounts.get
billing.
billing.accounts.getIamPolicy
billing.
billing.accounts.getPricing
billing.
billing.
billing.accounts.list
billing.anomalies.get
billing.anomalies.list
billing.anomaliesConfigs.get
billing.
billing.
billing.
billing.
billing.
billing.billingAccountSkus.*
billing.budgets.get
billing.budgets.list
billing.credits.list
billing.
billing.
billing.
billing.subscriptions.get
billing.subscriptions.list
commerceoffercatalog.*
consumerprocurement.
consumerprocurement.
consumerprocurement.
consumerprocurement.
consumerprocurement.
consumerprocurement.
consumerprocurement.orders.get
consumerprocurement.
dataprocessing.datasources.get
dataprocessing.
dataprocessing.
dataprocessing.
recommender.
recommender.
recommender.costInsights.get
recommender.costInsights.list
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
Binary Authorization roles
Permissions
Binary Authorization Attestor Admin
(roles/)
Administrator of Binary Authorization Attestors
binaryauthorization.
resourcemanager.projects.get
resourcemanager.projects.list
Binary Authorization Attestor Editor
(roles/)
Editor of Binary Authorization Attestors
binaryauthorization.
binaryauthorization.
binaryauthorization.
binaryauthorization.
binaryauthorization.
binaryauthorization.
resourcemanager.projects.get
resourcemanager.projects.list
Binary Authorization Attestor Image Verifier
(roles/)
Caller of Binary Authorization Attestors VerifyImageAttested
binaryauthorization.
binaryauthorization.
binaryauthorization.
resourcemanager.projects.get
resourcemanager.projects.list
Binary Authorization Attestor Viewer
(roles/)
Viewer of Binary Authorization Attestors
binaryauthorization.
binaryauthorization.
resourcemanager.projects.get
resourcemanager.projects.list
Binary Authorization Policy Administrator
(roles/)
Administrator of Binary Authorization Policy
binaryauthorization.
binaryauthorization.
binaryauthorization.policy.*
resourcemanager.projects.get
resourcemanager.projects.list
Binary Authorization Policy Editor
(roles/)
Editor of Binary Authorization Policy
binaryauthorization.
binaryauthorization.
binaryauthorization.
binaryauthorization.
binaryauthorization.policy.get
binaryauthorization.
resourcemanager.projects.get
resourcemanager.projects.list
Binary Authorization Policy Evaluator
(roles/)
Evaluator of Binary Authorization Policy
binaryauthorization.
binaryauthorization.
binaryauthorization.
binaryauthorization.
binaryauthorization.policy.get
resourcemanager.projects.get
resourcemanager.projects.list
Binary Authorization Policy Viewer
(roles/)
Viewer of Binary Authorization Policy
binaryauthorization.
binaryauthorization.
binaryauthorization.
binaryauthorization.policy.get
resourcemanager.projects.get
resourcemanager.projects.list
CA Service roles
Permissions
CA Service Admin
(roles/)
Full access to all CA Service resources.
privateca.*
resourcemanager.projects.get
resourcemanager.projects.list
storage.buckets.create
CA Service Auditor
(roles/)
Read-only access to all CA Service resources.
privateca.caPools.get
privateca.caPools.getIamPolicy
privateca.caPools.list
privateca.
privateca.
privateca.
privateca.
privateca.
privateca.
privateca.
privateca.
privateca.
privateca.certificates.get
privateca.
privateca.certificates.list
privateca.locations.*
privateca.operations.get
privateca.operations.list
privateca.reusableConfigs.get
privateca.
privateca.reusableConfigs.list
resourcemanager.projects.get
resourcemanager.projects.list
CA Service Operation Manager
(roles/)
Create and manage CAs, revoke certificates, create certificates templates, and read-only access for CA Service resources.
privateca.caPools.create
privateca.caPools.delete
privateca.caPools.get
privateca.caPools.getIamPolicy
privateca.caPools.list
privateca.caPools.update
privateca.
privateca.
privateca.
privateca.
privateca.
privateca.
privateca.
privateca.
privateca.
privateca.
privateca.
privateca.
privateca.
privateca.
privateca.
privateca.
privateca.certificates.get
privateca.
privateca.certificates.list
privateca.certificates.update
privateca.locations.*
privateca.operations.get
privateca.operations.list
privateca.
privateca.
privateca.reusableConfigs.get
privateca.
privateca.reusableConfigs.list
privateca.
resourcemanager.projects.get
resourcemanager.projects.list
storage.buckets.create
CA Service Certificate Manager
(roles/)
Create certificates and read-only access for CA Service resources.
privateca.caPools.get
privateca.caPools.getIamPolicy
privateca.caPools.list
privateca.
privateca.
privateca.
privateca.
privateca.
privateca.
privateca.
privateca.
privateca.
privateca.certificates.create
privateca.certificates.get
privateca.
privateca.certificates.list
privateca.locations.*
privateca.operations.get
privateca.operations.list
privateca.reusableConfigs.get
privateca.
privateca.reusableConfigs.list
resourcemanager.projects.get
resourcemanager.projects.list
CA Service Certificate Requester
(roles/)
Request certificates from CA Service.
privateca.certificates.create
CA Service Pool Reader
(roles/)
Read CA Pools in CA Service.
privateca.caPools.get
CA Service Certificate Template User
(roles/)
Read, list and use certificate templates.
privateca.
privateca.
privateca.
CA Service Workload Certificate Requester
(roles/)
Request certificates from CA Service with caller's identity.
privateca.
Certificate Manager roles
Permissions
Certificate Manager Editor
(roles/)
Edit access to Certificate Manager all resources.
certificatemanager.
certificatemanager.
certificatemanager.
certificatemanager.
certificatemanager.
certificatemanager.
certificatemanager.
certificatemanager.
certificatemanager.
certificatemanager.
certificatemanager.
certificatemanager.
certificatemanager.
certificatemanager.
certificatemanager.
certificatemanager.certs.get
certificatemanager.certs.list
certificatemanager.
certificatemanager.certs.use
certificatemanager.
certificatemanager.
certificatemanager.
certificatemanager.
certificatemanager.
certificatemanager.locations.*
certificatemanager.
certificatemanager.
certificatemanager.
certificatemanager.
certificatemanager.
certificatemanager.
certificatemanager.
resourcemanager.projects.get
resourcemanager.projects.list
Certificate Manager Owner
(roles/)
Full access to Certificate Manager all resources.
certificatemanager.*
resourcemanager.projects.get
resourcemanager.projects.list
Certificate Manager Viewer
(roles/)
Read-only access to Certificate Manager all resources.
certificatemanager.
certificatemanager.
certificatemanager.
certificatemanager.
certificatemanager.
certificatemanager.
certificatemanager.certs.get
certificatemanager.certs.list
certificatemanager.
certificatemanager.
certificatemanager.locations.*
certificatemanager.
certificatemanager.
certificatemanager.
certificatemanager.
resourcemanager.projects.get
resourcemanager.projects.list
Chat roles
Permissions
Chat Apps Owner
(roles/)
Can view and modify app configurations
chat.*
Chat Apps Viewer
(roles/)
Can view app configurations
chat.bots.get
Chronicle API roles
Permissions
Chronicle API Admin
(roles/)
Full access to the Chronicle API services, including global settings.
chronicle.ais.*
chronicle.analyticValues.list
chronicle.analytics.list
chronicle.
chronicle.
chronicle.collectors.*
chronicle.conversations.*
chronicle.
chronicle.
chronicle.curatedRuleSets.*
chronicle.curatedRules.*
chronicle.dashboardCharts.*
chronicle.dashboardQueries.*
chronicle.dashboards.*
chronicle.dataAccessLabels.*
chronicle.dataAccessScopes.*
chronicle.dataExports.*
chronicle.
chronicle.dataTableRows.*
chronicle.dataTables.*
chronicle.dataTaps.*
chronicle.enrichmentControls.*
chronicle.entities.*
chronicle.
chronicle.
chronicle.events.*
chronicle.
chronicle.
chronicle.
chronicle.feeds.*
chronicle.findingsGraphs.*
chronicle.
chronicle.
chronicle.forwarders.*
chronicle.
chronicle.ingestionLogLabels.*
chronicle.
chronicle.
chronicle.
chronicle.
chronicle.instances.get
chronicle.
chronicle.instances.report
chronicle.iocMatches.*
chronicle.iocState.*
chronicle.iocs.*
chronicle.legacies.*
chronicle.logTypeSchemas.list
chronicle.logTypes.list
chronicle.logs.*
chronicle.messages.*
chronicle.
chronicle.nativeDashboards.*
chronicle.operations.*
chronicle.parserExtensions.*
chronicle.parsers.*
chronicle.parsingErrors.list
chronicle.preferenceSets.*
chronicle.referenceLists.*
chronicle.retrohunts.*
chronicle.riskConfigs.*
chronicle.ruleDeployments.*
chronicle.
chronicle.rules.*
chronicle.searchQueries.*
chronicle.
chronicle.
chronicle.watchlists.*
resourcemanager.projects.get
resourcemanager.projects.list
Chronicle API Editor
(roles/)
Modify Access to Chronicle API resources.
chronicle.ais.*
chronicle.analyticValues.list
chronicle.analytics.list
chronicle.
chronicle.collectors.get
chronicle.collectors.list
chronicle.conversations.*
chronicle.
chronicle.
chronicle.curatedRuleSets.*
chronicle.curatedRules.*
chronicle.dashboardCharts.*
chronicle.dashboardQueries.*
chronicle.dashboards.*
chronicle.
chronicle.dataExports.*
chronicle.
chronicle.dataTableRows.*
chronicle.dataTables.*
chronicle.dataTaps.*
chronicle.
chronicle.
chronicle.entities.*
chronicle.
chronicle.
chronicle.
chronicle.events.*
chronicle.findingsGraphs.*
chronicle.
chronicle.
chronicle.forwarders.generate
chronicle.forwarders.get
chronicle.forwarders.list
chronicle.
chronicle.ingestionLogLabels.*
chronicle.
chronicle.
chronicle.
chronicle.instances.get
chronicle.
chronicle.instances.report
chronicle.iocMatches.*
chronicle.iocState.*
chronicle.iocs.*
chronicle.legacies.*
chronicle.logTypeSchemas.list
chronicle.logs.*
chronicle.messages.*
chronicle.
chronicle.nativeDashboards.*
chronicle.operations.*
chronicle.preferenceSets.*
chronicle.referenceLists.*
chronicle.retrohunts.*
chronicle.riskConfigs.*
chronicle.ruleDeployments.*
chronicle.
chronicle.rules.create
chronicle.rules.get
chronicle.rules.list
chronicle.rules.listRevisions
chronicle.rules.update
chronicle.rules.verifyRuleText
chronicle.searchQueries.*
chronicle.watchlists.*
resourcemanager.projects.get
resourcemanager.projects.list
Chronicle API Global Data Access
Beta
(roles/)
Grants global access to data i.e. all data can be accessed.
chronicle.
Chronicle API Limited Viewer
(roles/)
Grants read-only access to Chronicle API resources, excluding Rules and Retrohunts.
chronicle.analyticValues.list
chronicle.analytics.list
chronicle.
chronicle.conversations.get
chronicle.conversations.list
chronicle.dashboardCharts.*
chronicle.dashboardQueries.*
chronicle.dashboards.get
chronicle.dashboards.list
chronicle.dashboards.schedule
chronicle.
chronicle.entities.find
chronicle.
chronicle.entities.get
chronicle.
chronicle.
chronicle.entities.summarize
chronicle.
chronicle.
chronicle.
chronicle.
chronicle.events.batchGet
chronicle.
chronicle.events.get
chronicle.
chronicle.events.searchRawLogs
chronicle.events.udmSearch
chronicle.events.validateQuery
chronicle.findingsGraphs.*
chronicle.
chronicle.
chronicle.
chronicle.
chronicle.
chronicle.
chronicle.
chronicle.
chronicle.ingestionLogLabels.*
chronicle.
chronicle.instances.get
chronicle.
chronicle.
chronicle.
chronicle.
chronicle.
chronicle.
chronicle.
chronicle.
chronicle.
chronicle.
chronicle.
chronicle.
chronicle.
chronicle.
chronicle.
chronicle.
chronicle.
chronicle.
chronicle.
chronicle.
chronicle.
chronicle.
chronicle.
chronicle.logTypeSchemas.list
chronicle.logs.export
chronicle.logs.get
chronicle.logs.list
chronicle.messages.get
chronicle.messages.list
chronicle.
chronicle.nativeDashboards.get
chronicle.
chronicle.operations.get
chronicle.operations.list
chronicle.
chronicle.operations.wait
chronicle.preferenceSets.*
chronicle.searchQueries.*
resourcemanager.projects.get
resourcemanager.projects.list
Chronicle API Restricted Data Access
Beta
(roles/)
Grants access to data controlled by Data Access Scopes. Intended to be refined by IAM Conditions.
chronicle.
Chronicle API Restricted Data Access Viewer
Beta
(roles/)
Grants readonly access to Chronicle API resources without global data access scope.
chronicle.ais.*
chronicle.dashboardCharts.*
chronicle.dashboardQueries.*
chronicle.
chronicle.entities.find
chronicle.
chronicle.entities.get
chronicle.entities.list
chronicle.
chronicle.entities.summarize
chronicle.
chronicle.events.batchGet
chronicle.
chronicle.events.get
chronicle.
chronicle.events.searchRawLogs
chronicle.events.udmSearch
chronicle.events.validateQuery
chronicle.findingsGraphs.*
chronicle.
chronicle.
chronicle.instances.get
chronicle.instances.report
chronicle.
chronicle.
chronicle.
chronicle.
chronicle.
chronicle.
chronicle.
chronicle.
chronicle.
chronicle.
chronicle.
chronicle.
chronicle.
chronicle.
chronicle.
chronicle.
chronicle.
chronicle.
chronicle.
chronicle.
chronicle.
chronicle.
chronicle.
chronicle.
chronicle.
chronicle.
chronicle.
chronicle.
chronicle.logs.get
chronicle.logs.list
chronicle.
chronicle.nativeDashboards.get
chronicle.
chronicle.operations.get
chronicle.operations.list
chronicle.
chronicle.operations.wait
chronicle.preferenceSets.*
chronicle.referenceLists.get
chronicle.referenceLists.list
chronicle.
chronicle.retrohunts.get
chronicle.retrohunts.list
chronicle.ruleDeployments.get
chronicle.ruleDeployments.list
chronicle.
chronicle.rules.get
chronicle.rules.list
chronicle.rules.listRevisions
chronicle.rules.verifyRuleText
chronicle.searchQueries.*
resourcemanager.projects.get
resourcemanager.projects.list
Chronicle SOAR Admin
Beta
(roles/)
Grants admin access to Chronicle SOAR.
chronicle.instances.soarAdmin
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
resourcemanager.
resourcemanager.projects.get
resourcemanager.projects.list
securitycenter.
securitycenter.
securitycenter.
securitycenter.findings.group
securitycenter.findings.list
securitycenter.
securitycenter.
securitycenter.
securitycenter.findings.update
securitycenter.
securitycenter.simulations.get
securitycenter.
securitycenter.
Chronicle SOAR Threat Manager
Beta
(roles/)
Grants threat manager access to Chronicle SOAR.
chronicle.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
resourcemanager.
resourcemanager.projects.get
resourcemanager.projects.list
securitycenter.
securitycenter.
securitycenter.
securitycenter.findings.group
securitycenter.findings.list
securitycenter.
securitycenter.
securitycenter.
securitycenter.findings.update
securitycenter.
securitycenter.simulations.get
securitycenter.
securitycenter.
Chronicle SOAR Vulnerability Manager
Beta
(roles/)
Grants vulnerability manager access to Chronicle SOAR.
chronicle.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
resourcemanager.
resourcemanager.projects.get
resourcemanager.projects.list
securitycenter.
securitycenter.
securitycenter.
securitycenter.findings.group
securitycenter.findings.list
securitycenter.
securitycenter.
securitycenter.
securitycenter.findings.update
securitycenter.
securitycenter.simulations.get
securitycenter.
securitycenter.
Chronicle API Viewer
(roles/)
Read-only access to the Chronicle API resources.
chronicle.ais.*
chronicle.analyticValues.list
chronicle.analytics.list
chronicle.
chronicle.collectors.get
chronicle.collectors.list
chronicle.conversations.get
chronicle.conversations.list
chronicle.
chronicle.
chronicle.
chronicle.curatedRuleSets.*
chronicle.curatedRules.*
chronicle.dashboardCharts.*
chronicle.dashboardQueries.*
chronicle.dashboards.get
chronicle.dashboards.list
chronicle.dashboards.schedule
chronicle.
chronicle.
chronicle.dataExports.get
chronicle.
chronicle.dataTableRows.get
chronicle.dataTableRows.list
chronicle.dataTables.get
chronicle.dataTables.list
chronicle.dataTaps.get
chronicle.dataTaps.list
chronicle.
chronicle.
chronicle.entities.find
chronicle.
chronicle.entities.get
chronicle.entities.list
chronicle.
chronicle.
chronicle.entities.summarize
chronicle.
chronicle.
chronicle.
chronicle.
chronicle.events.batchGet
chronicle.
chronicle.events.get
chronicle.
chronicle.events.searchRawLogs
chronicle.events.udmSearch
chronicle.events.validateQuery
chronicle.findingsGraphs.*
chronicle.
chronicle.
chronicle.
chronicle.
chronicle.
chronicle.
chronicle.
chronicle.forwarders.generate
chronicle.forwarders.get
chronicle.forwarders.list
chronicle.
chronicle.ingestionLogLabels.*
chronicle.
chronicle.
chronicle.
chronicle.instances.get
chronicle.
chronicle.instances.report
chronicle.iocMatches.*
chronicle.iocState.get
chronicle.iocs.*
chronicle.
chronicle.
chronicle.
chronicle.
chronicle.
chronicle.
chronicle.
chronicle.
chronicle.
chronicle.
chronicle.
chronicle.
chronicle.
chronicle.
chronicle.
chronicle.
chronicle.
chronicle.
chronicle.
chronicle.
chronicle.
chronicle.
chronicle.
chronicle.
chronicle.
chronicle.
chronicle.
chronicle.
chronicle.
chronicle.
chronicle.
chronicle.
chronicle.
chronicle.
chronicle.
chronicle.
chronicle.
chronicle.logTypeSchemas.list
chronicle.logs.export
chronicle.logs.get
chronicle.logs.list
chronicle.messages.get
chronicle.messages.list
chronicle.
chronicle.nativeDashboards.get
chronicle.
chronicle.operations.get
chronicle.operations.list
chronicle.
chronicle.operations.wait
chronicle.preferenceSets.*
chronicle.referenceLists.get
chronicle.referenceLists.list
chronicle.
chronicle.retrohunts.get
chronicle.retrohunts.list
chronicle.riskConfigs.get
chronicle.ruleDeployments.get
chronicle.ruleDeployments.list
chronicle.
chronicle.rules.get
chronicle.rules.list
chronicle.rules.listRevisions
chronicle.rules.verifyRuleText
chronicle.searchQueries.*
chronicle.watchlists.get
chronicle.watchlists.list
resourcemanager.projects.get
resourcemanager.projects.list
Cloud AlloyDB roles
Permissions
Cloud AlloyDB Admin
Beta
(roles/)
Full access to Cloud AlloyDB all resources.
alloydb.*
cloudaicompanion.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
resourcemanager.projects.get
resourcemanager.projects.list
Cloud AlloyDB Client
Beta
(roles/)
Connectivity access to Cloud AlloyDB instances.
alloydb.
alloydb.clusters.get
alloydb.instances.connect
alloydb.instances.get
resourcemanager.projects.get
resourcemanager.projects.list
Cloud AlloyDB Database User
Beta
(roles/)
Role allowing access to login as a database user.
alloydb.clusters.get
alloydb.instances.executeSql
alloydb.instances.get
alloydb.users.login
resourcemanager.projects.get
resourcemanager.projects.list
Cloud AlloyDB Viewer
Beta
(roles/)
Read-only access to Cloud AlloyDB all resources.
alloydb.backups.get
alloydb.backups.list
alloydb.
alloydb.
alloydb.clusters.export
alloydb.clusters.get
alloydb.clusters.list
alloydb.
alloydb.
alloydb.databases.list
alloydb.instances.get
alloydb.instances.list
alloydb.locations.*
alloydb.operations.get
alloydb.operations.list
alloydb.
alloydb.users.get
alloydb.users.list
cloudaicompanion.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
resourcemanager.projects.get
resourcemanager.projects.list
Cloud Asset roles
Permissions
Cloud Asset Owner
(roles/)
Full access to cloud assets metadata
cloudasset.
cloudasset.assets.analyzeMove
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.assets.exportIapWeb
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.assets.listIamRoles
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.assets.listIapWeb
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.assets.listResource
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.assets.listTpuNodes
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.feeds.*
cloudasset.savedqueries.*
recommender.
recommender.locations.*
Cloud Asset Viewer
(roles/)
Read only access to cloud assets metadata
cloudasset.
cloudasset.assets.analyzeMove
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.assets.exportIapWeb
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.assets.listIamRoles
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.assets.listIapWeb
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.assets.listResource
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.assets.listTpuNodes
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
recommender.
recommender.
recommender.locations.*
Cloud Bigtable roles
Permissions
Bigtable Administrator
(roles/)
Administers all Bigtable instances within a project, including the data stored within
tables. Can create new instances. Intended for project administrators.
Lowest-level resources where you can grant this role:
bigtable.*
monitoring.
monitoring.
monitoring.timeSeries.*
resourcemanager.projects.get
Bigtable Reader
(roles/)
Provides read-only access to the data stored within Bigtable tables. Intended for
data scientists, dashboard generators, and other data-analysis scenarios.
Lowest-level resources where you can grant this role:
bigtable.appProfiles.get
bigtable.appProfiles.list
bigtable.authorizedViews.get
bigtable.authorizedViews.list
bigtable.
bigtable.
bigtable.backups.get
bigtable.backups.list
bigtable.clusters.get
bigtable.clusters.list
bigtable.hotTablets.list
bigtable.
bigtable.instances.get
bigtable.instances.list
bigtable.instances.ping
bigtable.keyvisualizer.*
bigtable.locations.list
bigtable.
bigtable.
bigtable.tables.get
bigtable.tables.list
bigtable.tables.readRows
bigtable.tables.sampleRowKeys
monitoring.
monitoring.
monitoring.timeSeries.*
resourcemanager.projects.get
Bigtable User
(roles/)
Provides read-write access to the data stored within Bigtable tables. Intended for
application developers or service accounts.
Lowest-level resources where you can grant this role:
bigtable.appProfiles.get
bigtable.appProfiles.list
bigtable.authorizedViews.get
bigtable.authorizedViews.list
bigtable.
bigtable.
bigtable.
bigtable.backups.get
bigtable.backups.list
bigtable.clusters.get
bigtable.clusters.list
bigtable.hotTablets.list
bigtable.
bigtable.instances.get
bigtable.instances.list
bigtable.instances.ping
bigtable.keyvisualizer.*
bigtable.locations.list
bigtable.
bigtable.
bigtable.tables.get
bigtable.tables.list
bigtable.tables.mutateRows
bigtable.tables.readRows
bigtable.tables.sampleRowKeys
monitoring.
monitoring.
monitoring.timeSeries.*
resourcemanager.projects.get
Bigtable Viewer
(roles/)
Provides no data access. Intended as a minimal set of permissions to access
the Google Cloud console for Bigtable.
Lowest-level resources where you can grant this role:
bigtable.appProfiles.get
bigtable.appProfiles.list
bigtable.authorizedViews.get
bigtable.authorizedViews.list
bigtable.backups.get
bigtable.backups.list
bigtable.clusters.get
bigtable.clusters.list
bigtable.hotTablets.list
bigtable.instances.get
bigtable.instances.list
bigtable.
bigtable.
bigtable.locations.list
bigtable.
bigtable.
bigtable.tables.get
bigtable.tables.list
monitoring.
monitoring.
monitoring.timeSeries.list
resourcemanager.projects.get
Cloud Build roles
Permissions
Cloud Build Approver
(roles/)
Can approve or reject pending builds.
cloudbuild.builds.approve
cloudbuild.builds.get
cloudbuild.builds.list
cloudbuild.operations.*
remotebuildexecution.blobs.get
resourcemanager.projects.get
resourcemanager.projects.list
Cloud Build Service Account
(roles/)
Provides access to perform builds.
artifactregistry.
artifactregistry.
artifactregistry.
artifactregistry.
artifactregistry.
artifactregistry.
artifactregistry.files.get
artifactregistry.files.list
artifactregistry.files.update
artifactregistry.files.upload
artifactregistry.
artifactregistry.locations.*
artifactregistry.
artifactregistry.npmpackages.*
artifactregistry.packages.get
artifactregistry.packages.list
artifactregistry.
artifactregistry.
artifactregistry.
artifactregistry.
artifactregistry.
artifactregistry.
artifactregistry.
artifactregistry.
artifactregistry.
artifactregistry.
artifactregistry.
artifactregistry.
artifactregistry.rules.get
artifactregistry.rules.list
artifactregistry.tags.create
artifactregistry.tags.get
artifactregistry.tags.list
artifactregistry.tags.update
artifactregistry.versions.get
artifactregistry.versions.list
artifactregistry.
cloudbuild.builds.create
cloudbuild.builds.get
cloudbuild.builds.list
cloudbuild.builds.update
cloudbuild.operations.*
cloudbuild.workerpools.use
containeranalysis.
containeranalysis.
containeranalysis.
containeranalysis.
containeranalysis.
logging.logEntries.create
logging.logEntries.list
logging.views.access
pubsub.topics.create
pubsub.topics.publish
remotebuildexecution.blobs.get
resourcemanager.projects.get
resourcemanager.projects.list
source.repos.get
source.repos.list
storage.buckets.create
storage.buckets.get
storage.buckets.list
storage.objects.create
storage.objects.delete
storage.objects.get
storage.objects.list
storage.objects.update
Cloud Build Editor
(roles/)
Provides access to create and cancel builds.
Lowest-level resources where you can grant this role:
cloudbuild.builds.create
cloudbuild.builds.get
cloudbuild.builds.list
cloudbuild.builds.update
cloudbuild.operations.*
remotebuildexecution.blobs.get
resourcemanager.projects.get
resourcemanager.projects.list
Cloud Build Viewer
(roles/)
Provides access to view builds.
Lowest-level resources where you can grant this role:
cloudbuild.builds.get
cloudbuild.builds.list
cloudbuild.operations.*
remotebuildexecution.blobs.get
resourcemanager.projects.get
resourcemanager.projects.list
Cloud Build Connection Admin
(roles/)
Can manage connections and repositories.
cloudbuild.connections.*
cloudbuild.operations.*
cloudbuild.repositories.create
cloudbuild.repositories.delete
cloudbuild.
cloudbuild.repositories.get
cloudbuild.repositories.list
resourcemanager.projects.get
resourcemanager.projects.list
Cloud Build Connection Viewer
(roles/)
Can view and list connections and repositories.
cloudbuild.
cloudbuild.connections.get
cloudbuild.
cloudbuild.connections.list
cloudbuild.
cloudbuild.repositories.get
cloudbuild.repositories.list
resourcemanager.projects.get
resourcemanager.projects.list
Cloud Build Integrations Editor
(roles/)
Can update Integrations
cloudbuild.integrations.get
cloudbuild.integrations.list
cloudbuild.integrations.update
resourcemanager.projects.get
resourcemanager.projects.list
Cloud Build Integrations Owner
(roles/)
Can create/delete Integrations
cloudbuild.integrations.*
compute.firewalls.create
compute.firewalls.get
compute.firewalls.list
compute.networks.get
compute.networks.updatePolicy
compute.regions.get
compute.subnetworks.get
compute.subnetworks.list
resourcemanager.projects.get
resourcemanager.projects.list
Cloud Build Integrations Viewer
(roles/)
Can view Integrations
cloudbuild.integrations.get
cloudbuild.integrations.list
resourcemanager.projects.get
resourcemanager.projects.list
Cloud Build Read Only Token Accessor
(roles/)
Can view the connection and access its read-only token.
cloudbuild.connections.get
cloudbuild.
cloudbuild.repositories.get
Cloud Build Token Accessor
(roles/)
Can view the connection and access its read/write and read-only tokens.
cloudbuild.connections.get
cloudbuild.
cloudbuild.
cloudbuild.repositories.get
cloudbuild.repositories.list
Cloud Build WorkerPool Editor
(roles/)
Can update and view WorkerPools
cloudbuild.workerpools.get
cloudbuild.workerpools.list
cloudbuild.workerpools.update
resourcemanager.projects.get
resourcemanager.projects.list
Cloud Build WorkerPool Owner
(roles/)
Can create, delete, update, and view WorkerPools
cloudbuild.workerpools.create
cloudbuild.workerpools.delete
cloudbuild.workerpools.get
cloudbuild.workerpools.list
cloudbuild.workerpools.update
resourcemanager.projects.get
resourcemanager.projects.list
Cloud Build WorkerPool User
(roles/)
Can run builds in the WorkerPool
cloudbuild.workerpools.use
Cloud Build WorkerPool Viewer
(roles/)
Can view WorkerPools
cloudbuild.workerpools.get
cloudbuild.workerpools.list
resourcemanager.projects.get
resourcemanager.projects.list
Cloud Composer roles
Permissions
Cloud Composer v2 API Service Agent Extension
(roles/)
Cloud Composer v2 API Service Agent Extension is a supplementary role required to manage Composer v2 environments.
iam.
iam.
Composer Administrator
(roles/)
Provides full control of Cloud Composer resources.
Lowest-level resources where you can grant this role:
composer.*
serviceusage.quotas.get
serviceusage.services.get
serviceusage.services.list
Environment and Storage Object Administrator
(roles/)
Provides full control of Cloud Composer resources and of the objects in all project buckets.
Lowest-level resources where you can grant this role:
composer.*
orgpolicy.policy.get
resourcemanager.projects.get
resourcemanager.projects.list
serviceusage.quotas.get
serviceusage.services.get
serviceusage.services.list
storage.folders.*
storage.managedFolders.create
storage.managedFolders.delete
storage.managedFolders.get
storage.managedFolders.list
storage.multipartUploads.*
storage.objects.*
Environment and Storage Object User
(roles/)
Read and use access to Cloud Composer resources and read access to Cloud Storage objects.
composer.dags.*
composer.environments.get
composer.environments.list
composer.imageversions.list
composer.operations.get
composer.operations.list
composer.
composer.
composer.
composer.
resourcemanager.projects.get
resourcemanager.projects.list
serviceusage.quotas.get
serviceusage.services.get
serviceusage.services.list
storage.folders.get
storage.folders.list
storage.managedFolders.get
storage.managedFolders.list
storage.objects.get
storage.objects.list
Environment and Storage Object Viewer
(roles/)
Provides the permissions necessary to list and get Cloud Composer environments and operations.
Provides read-only access to objects in all project buckets.
Lowest-level resources where you can grant this role:
composer.dags.*
composer.environments.get
composer.environments.list
composer.imageversions.list
composer.operations.get
composer.operations.list
composer.
composer.
composer.
composer.
resourcemanager.projects.get
resourcemanager.projects.list
serviceusage.quotas.get
serviceusage.services.get
serviceusage.services.list
storage.folders.get
storage.folders.list
storage.managedFolders.get
storage.managedFolders.list
storage.objects.get
storage.objects.list
Composer Shared VPC Agent
(roles/)
Role that should be assigned to Composer Agent service account in Shared VPC host project
compute.
compute.
compute.networkAttachments.get
compute.
compute.networks.access
compute.networks.addPeering
compute.networks.get
compute.networks.list
compute.
compute.networks.removePeering
compute.networks.updatePeering
compute.networks.use
compute.networks.useExternalIp
compute.projects.get
compute.regions.*
compute.subnetworks.get
compute.subnetworks.list
compute.subnetworks.use
compute.
compute.zones.*
dns.managedZones.get
dns.managedZones.list
dns.
Composer User
(roles/)
Provides the permissions necessary to list and get Cloud Composer environments and operations.
Lowest-level resources where you can grant this role:
composer.dags.*
composer.environments.get
composer.environments.list
composer.imageversions.list
composer.operations.get
composer.operations.list
composer.
composer.
composer.
composer.
serviceusage.quotas.get
serviceusage.services.get
serviceusage.services.list
Composer Worker
(roles/)
Provides the permissions necessary to run a Cloud Composer environment VM. Intended for service accounts.
Lowest-level resources where you can grant this role:
artifactregistry.*
cloudbuild.builds.create
cloudbuild.builds.get
cloudbuild.builds.list
cloudbuild.builds.update
cloudbuild.operations.*
cloudbuild.workerpools.use
composer.environments.get
container.*
containeranalysis.
containeranalysis.
containeranalysis.
containeranalysis.
containeranalysis.
datalineage.events.create
datalineage.processes.create
datalineage.processes.get
datalineage.processes.update
datalineage.runs.create
datalineage.runs.get
datalineage.runs.update
logging.logEntries.create
logging.logEntries.list
logging.logEntries.route
logging.views.access
monitoring.
monitoring.
monitoring.
monitoring.
monitoring.timeSeries.*
orgpolicy.policy.get
pubsub.schemas.attach
pubsub.schemas.commit
pubsub.schemas.create
pubsub.schemas.delete
pubsub.schemas.get
pubsub.schemas.list
pubsub.schemas.listRevisions
pubsub.schemas.rollback
pubsub.schemas.validate
pubsub.snapshots.create
pubsub.snapshots.delete
pubsub.snapshots.get
pubsub.snapshots.list
pubsub.snapshots.seek
pubsub.snapshots.update
pubsub.subscriptions.consume
pubsub.subscriptions.create
pubsub.subscriptions.delete
pubsub.subscriptions.get
pubsub.subscriptions.list
pubsub.subscriptions.update
pubsub.
pubsub.topics.create
pubsub.topics.delete
pubsub.
pubsub.topics.get
pubsub.topics.list
pubsub.topics.publish
pubsub.topics.update
pubsub.topics.updateTag
recommender.
recommender.
recommender.locations.*
recommender.
recommender.
remotebuildexecution.blobs.get
resourcemanager.projects.get
resourcemanager.projects.list
serviceusage.quotas.get
serviceusage.services.get
serviceusage.services.list
source.repos.get
source.repos.list
storage.buckets.create
storage.buckets.get
storage.buckets.list
storage.folders.*
storage.managedFolders.create
storage.managedFolders.delete
storage.managedFolders.get
storage.managedFolders.list
storage.multipartUploads.*
storage.objects.*
Cloud Connectors roles
Permissions
Connector Admin
(roles/)
Full access to all resources of Connectors Service.
connectors.actions.*
connectors.connections.create
connectors.connections.delete
connectors.
connectors.
connectors.connections.get
connectors.
connectors.
connectors.
connectors.
connectors.connections.list
connectors.
connectors.connections.update
connectors.connectors.*
connectors.
connectors.customConnectors.*
connectors.
connectors.entities.*
connectors.entityTypes.list
connectors.
connectors.eventtypes.*
connectors.locations.*
connectors.managedZones.*
connectors.operations.*
connectors.providers.*
connectors.regionalSettings.*
connectors.runtimeconfig.get
connectors.
connectors.settings.*
connectors.versions.*
resourcemanager.projects.get
resourcemanager.projects.list
secretmanager.
Custom Connectors Admin
(roles/)
Custom Connector is a global resource which creates custom connector within the given target project. This role grants Admin access to Custom Connector resources
connectors.
connectors.customConnectors.*
connectors.locations.*
Custom Connector Viewer
(roles/)
Custom Connector is a global resource which creates custom connector within the given target project. This role grants Read-only access to Custom Connector & Custom Connector Version resources.
connectors.
connectors.
connectors.
connectors.
connectors.
connectors.
connectors.locations.*
Connectors Endpoint Attachment Admin
(roles/)
Endpoint Attachment is a regional resource which creates PSC connection endpoint for the given PSC Service Attachment. This role grants Admin access to Connectors Endpoint Attachment resources.
connectors.
connectors.locations.*
Connectors Endpoint Attachment Viewer
(roles/)
Endpoint Attachment is a regional resource which creates PSC connection endpoint for the given PSC Service Attachment. This role grants Read-only access to Connectors Endpoint Attachment resources
connectors.
connectors.
connectors.
connectors.locations.*
Connectors Event Subscriptions Admin
(roles/)
Event Subscription is a regional resource which creates subscriptions on events for a given connection within the given target project. This role grants Admin access to Connectors Subscription resources
connectors.
Connectors Event Subscriptions Viewer
(roles/)
Event Subscription is a regional resource which creates subscriptions on events for a given connection within the given target project. This role grants Read-only access to Event Subscription resources.
connectors.
connectors.
Connector Invoker
(roles/)
Full Access to invoke all operations on Connections.
connectors.actions.*
connectors.
connectors.entities.*
connectors.entityTypes.list
Connector Event Listener
(roles/)
Full Access to listen events by connections.
connectors.
Connectors Managed Zone Admin
(roles/)
Managed Zone is a global resource which creates Cloud DNS Peering Zone with the given target project. This role grants Admin access to Connectors Managed Zone resources
connectors.locations.*
connectors.managedZones.*
Connectors Managed Zone Viewer
(roles/)
Managed Zone is a global resource which creates Cloud DNS Peering Zone with the given target project. This role grants Read-only access to Connectors Managed Zone resources.
connectors.locations.*
connectors.managedZones.get
connectors.
connectors.managedZones.list
Connectors Viewer
(roles/)
Read-only access to Connectors all resources.
connectors.
connectors.connections.get
connectors.
connectors.
connectors.
connectors.
connectors.connections.list
connectors.connectors.*
connectors.
connectors.
connectors.
connectors.
connectors.
connectors.
connectors.
connectors.
connectors.
connectors.
connectors.
connectors.eventtypes.*
connectors.locations.*
connectors.managedZones.get
connectors.
connectors.managedZones.list
connectors.operations.get
connectors.operations.list
connectors.providers.*
connectors.
connectors.runtimeconfig.get
connectors.settings.get
connectors.versions.*
resourcemanager.projects.get
resourcemanager.projects.list
Cloud Data Fusion roles
Permissions
Cloud Data Fusion Accessor
Beta
(roles/)
Read-only access to Cloud Data Fusion Instances. Use it on instance level along with the namespace grants to provide access to the specific namespace.
datafusion.instances.get
datafusion.
datafusion.instances.list
datafusion.
datafusion.
resourcemanager.projects.get
resourcemanager.projects.list
Cloud Data Fusion Admin
(roles/)
Full access to Cloud Data Fusion Instances, Namespaces and related resources.
Lowest-level resources where you can grant this role:
datafusion.*
resourcemanager.projects.get
resourcemanager.projects.list
Cloud Data Fusion Developer
Beta
(roles/)
Access Cloud Data Fusion Instances, develop and run pipelines.
datafusion.artifacts.get
datafusion.artifacts.list
datafusion.instances.get
datafusion.
datafusion.instances.list
datafusion.
datafusion.
datafusion.locations.*
datafusion.namespaces.get
datafusion.
datafusion.namespaces.list
datafusion.
datafusion.
datafusion.namespaces.update
datafusion.
datafusion.operations.get
datafusion.operations.list
datafusion.
datafusion.
datafusion.
datafusion.pipelines.*
datafusion.profiles.get
datafusion.profiles.list
datafusion.secureKeys.*
resourcemanager.projects.get
resourcemanager.projects.list
Cloud Data Fusion Operator
Beta
(roles/)
Access Cloud Data Fusion Instances, operate namespaces and related resources.
datafusion.artifacts.*
datafusion.instances.get
datafusion.
datafusion.instances.list
datafusion.
datafusion.
datafusion.locations.*
datafusion.namespaces.get
datafusion.
datafusion.namespaces.list
datafusion.
datafusion.
datafusion.
datafusion.
datafusion.namespaces.update
datafusion.
datafusion.
datafusion.operations.get
datafusion.operations.list
datafusion.
datafusion.
datafusion.
datafusion.pipelines.create
datafusion.pipelines.delete
datafusion.pipelines.execute
datafusion.pipelines.get
datafusion.pipelines.list
datafusion.pipelines.update
datafusion.profiles.*
datafusion.secureKeys.*
resourcemanager.projects.get
resourcemanager.projects.list
Cloud Data Fusion Runner
(roles/)
Access to Cloud Data Fusion runtime resources.
datafusion.instances.runtime
Cloud Data Fusion Viewer
(roles/)
Read-only access to Cloud Data Fusion Instances, Namespaces and related resources.
Lowest-level resources where you can grant this role:
datafusion.artifacts.get
datafusion.artifacts.list
datafusion.instances.get
datafusion.
datafusion.instances.list
datafusion.
datafusion.
datafusion.locations.*
datafusion.namespaces.get
datafusion.
datafusion.namespaces.list
datafusion.operations.get
datafusion.operations.list
datafusion.
datafusion.
datafusion.pipelines.get
datafusion.pipelines.list
datafusion.profiles.get
datafusion.profiles.list
datafusion.secureKeys.list
resourcemanager.projects.get
resourcemanager.projects.list
Cloud Data Labeling roles
Permissions
Data Labeling Service Admin
Beta
(roles/)
Full access to all Data Labeling resources
datalabeling.*
resourcemanager.projects.get
resourcemanager.projects.list
Data Labeling Service Editor
Beta
(roles/)
Editor of all Data Labeling resources
datalabeling.*
resourcemanager.projects.get
resourcemanager.projects.list
Data Labeling Service Viewer
Beta
(roles/)
Viewer of all Data Labeling resources
datalabeling.
datalabeling.
datalabeling.
datalabeling.
datalabeling.dataitems.*
datalabeling.datasets.get
datalabeling.datasets.list
datalabeling.examples.*
datalabeling.instructions.get
datalabeling.instructions.list
datalabeling.operations.get
datalabeling.operations.list
resourcemanager.projects.get
resourcemanager.projects.list
Cloud Dataplex roles
Permissions
Dataplex Administrator
(roles/)
Full access to Dataplex resources, except Dataplex Catalog.
cloudasset.
cloudasset.
cloudasset.
dataplex.assetActions.list
dataplex.assets.create
dataplex.assets.delete
dataplex.assets.get
dataplex.assets.getIamPolicy
dataplex.assets.list
dataplex.assets.setIamPolicy
dataplex.assets.update
dataplex.content.*
dataplex.
dataplex.dataAttributes.*
dataplex.dataTaxonomies.*
dataplex.datascans.*
dataplex.encryptionConfig.*
dataplex.entities.*
dataplex.entryGroups.export
dataplex.entryGroups.import
dataplex.environments.*
dataplex.lakeActions.list
dataplex.lakes.*
dataplex.locations.*
dataplex.metadataJobs.*
dataplex.operations.*
dataplex.partitions.*
dataplex.tasks.*
dataplex.zoneActions.list
dataplex.zones.*
resourcemanager.projects.get
resourcemanager.projects.list
Dataplex Aspect Type Owner
(roles/)
Grants access to creating and managing Aspect Types. Does not give the right to create/modify Entries.
datacatalog.
dataplex.aspectTypes.*
dataplex.operations.get
dataplex.projects.search
resourcemanager.projects.get
resourcemanager.projects.list
Dataplex Aspect Type User
(roles/)
Grants access to use Aspect Types to create/modify Entries with the corresponding aspects.
datacatalog.
dataplex.aspectTypes.get
dataplex.aspectTypes.list
dataplex.aspectTypes.use
dataplex.projects.search
resourcemanager.projects.get
resourcemanager.projects.list
Dataplex Binding Administrator
(roles/)
Full access on DataAttribute Bindig resources.
dataplex.
Dataplex Catalog Admin
(roles/)
Has full access to Catalog resources: Entry Groups, Entry Types, Aspect Types and Entries.
datacatalog.
dataplex.aspectTypes.*
dataplex.entries.*
dataplex.entryGroups.*
dataplex.entryTypes.*
dataplex.operations.get
dataplex.projects.search
resourcemanager.projects.get
resourcemanager.projects.list
Dataplex Catalog Editor
(roles/)
Has write access to Catalog resources: Entry Groups, Entry Types, Aspect Types and Entries. Cannot set IAM policies on resources
datacatalog.
dataplex.aspectTypes.create
dataplex.aspectTypes.delete
dataplex.aspectTypes.get
dataplex.
dataplex.aspectTypes.list
dataplex.aspectTypes.update
dataplex.aspectTypes.use
dataplex.entries.*
dataplex.entryGroups.create
dataplex.entryGroups.delete
dataplex.entryGroups.get
dataplex.
dataplex.entryGroups.list
dataplex.entryGroups.update
dataplex.
dataplex.
dataplex.
dataplex.
dataplex.
dataplex.entryTypes.create
dataplex.entryTypes.delete
dataplex.entryTypes.get
dataplex.
dataplex.entryTypes.list
dataplex.entryTypes.update
dataplex.entryTypes.use
dataplex.operations.get
dataplex.projects.search
resourcemanager.projects.get
resourcemanager.projects.list
Dataplex Catalog Viewer
(roles/)
Has read access to Catalog resources: Entry Groups, Entry Types, Aspect Types and Entries. Can view IAM policies on Catalog resources.
datacatalog.
dataplex.aspectTypes.get
dataplex.
dataplex.aspectTypes.list
dataplex.entries.get
dataplex.entries.list
dataplex.entryGroups.get
dataplex.
dataplex.entryGroups.list
dataplex.entryTypes.get
dataplex.
dataplex.entryTypes.list
dataplex.projects.search
resourcemanager.projects.get
resourcemanager.projects.list
Dataplex Data Owner
(roles/)
Owner access to data. To be granted to Dataplex resources Lake, Zone or Asset only.
dataplex.assets.ownData
dataplex.assets.readData
dataplex.assets.writeData
Dataplex Data Reader
(roles/)
Read only access to data. To be granted to Dataplex resources Lake, Zone or Asset only.
dataplex.assets.readData
Dataplex DataScan Administrator
(roles/)
Full access to DataScan resources.
dataplex.datascans.*
dataplex.operations.get
dataplex.operations.list
Dataplex DataScan Creator
(roles/)
Access to create new DataScan resources.
dataplex.datascans.create
dataplex.datascans.get
dataplex.datascans.list
dataplex.operations.get
Dataplex DataScan DataViewer
(roles/)
Read access to DataScan resources and additional contents.
dataplex.datascans.get
dataplex.datascans.getData
dataplex.
dataplex.datascans.list
Dataplex DataScan Editor
(roles/)
Write access to DataScan resources.
dataplex.datascans.create
dataplex.datascans.delete
dataplex.datascans.get
dataplex.datascans.getData
dataplex.
dataplex.datascans.list
dataplex.datascans.run
dataplex.datascans.update
dataplex.operations.get
dataplex.operations.list
Dataplex DataScan Viewer
(roles/)
Read access to DataScan resources.
dataplex.datascans.get
dataplex.
dataplex.datascans.list
Dataplex Data Writer
(roles/)
Write access to data. To be granted to Dataplex resources Lake, Zone or Asset only.
dataplex.assets.writeData
Dataplex Developer
(roles/)
Allows running data analytics workloads in a lake.
dataplex.content.*
dataplex.environments.execute
dataplex.environments.get
dataplex.environments.list
dataplex.tasks.cancel
dataplex.tasks.create
dataplex.tasks.delete
dataplex.tasks.get
dataplex.tasks.list
dataplex.tasks.run
dataplex.tasks.update
Dataplex Editor
(roles/)
Write access to Dataplex resources.
cloudasset.
dataplex.assetActions.list
dataplex.assets.create
dataplex.assets.delete
dataplex.assets.get
dataplex.assets.getIamPolicy
dataplex.assets.list
dataplex.assets.update
dataplex.content.delete
dataplex.content.get
dataplex.content.getIamPolicy
dataplex.content.list
dataplex.
dataplex.
dataplex.
dataplex.
dataplex.
dataplex.
dataplex.dataAttributes.bind
dataplex.dataAttributes.create
dataplex.dataAttributes.delete
dataplex.dataAttributes.get
dataplex.
dataplex.dataAttributes.list
dataplex.dataAttributes.update
dataplex.
dataplex.
dataplex.dataTaxonomies.create
dataplex.dataTaxonomies.delete
dataplex.dataTaxonomies.get
dataplex.
dataplex.dataTaxonomies.list
dataplex.dataTaxonomies.update
dataplex.datascans.create
dataplex.datascans.delete
dataplex.datascans.get
dataplex.
dataplex.datascans.list
dataplex.datascans.run
dataplex.datascans.update
dataplex.environments.create
dataplex.environments.delete
dataplex.environments.get
dataplex.
dataplex.environments.list
dataplex.environments.update
dataplex.lakeActions.list
dataplex.lakes.create
dataplex.lakes.delete
dataplex.lakes.get
dataplex.lakes.getIamPolicy
dataplex.lakes.list
dataplex.lakes.update
dataplex.operations.*
dataplex.tasks.cancel
dataplex.tasks.create
dataplex.tasks.delete
dataplex.tasks.get
dataplex.tasks.getIamPolicy
dataplex.tasks.list
dataplex.tasks.run
dataplex.tasks.update
dataplex.zoneActions.list
dataplex.zones.create
dataplex.zones.delete
dataplex.zones.get
dataplex.zones.getIamPolicy
dataplex.zones.list
dataplex.zones.update
Dataplex Encryption Admin
Beta
(roles/)
Gives user permissions to manage encryption config.
dataplex.encryptionConfig.*
dataplex.operations.get
dataplex.operations.list
Dataplex Entry Group Exporter
Beta
(roles/)
Grants access to export this entry group for Metadata Job processing.
dataplex.entryGroups.export
dataplex.entryGroups.get
resourcemanager.projects.get
resourcemanager.projects.list
Dataplex Entry Group Importer
Beta
(roles/)
Grants access to import this entry group for Metadata Job processing.
dataplex.entryGroups.get
dataplex.entryGroups.import
resourcemanager.projects.get
resourcemanager.projects.list
Dataplex Entry Group Owner
(roles/)
Owns Entry Groups and Entries inside of them.
datacatalog.
dataplex.aspectTypes.get
dataplex.aspectTypes.list
dataplex.aspectTypes.use
dataplex.entries.*
dataplex.entryGroups.*
dataplex.entryTypes.get
dataplex.entryTypes.list
dataplex.entryTypes.use
dataplex.operations.get
dataplex.projects.search
resourcemanager.projects.get
resourcemanager.projects.list
Dataplex Entry Owner
(roles/)
Owns Metadata Entries.
datacatalog.
dataplex.aspectTypes.get
dataplex.aspectTypes.list
dataplex.aspectTypes.use
dataplex.entries.*
dataplex.entryGroups.get
dataplex.
dataplex.
dataplex.
dataplex.
dataplex.
dataplex.entryTypes.get
dataplex.entryTypes.list
dataplex.entryTypes.use
dataplex.projects.search
resourcemanager.projects.get
resourcemanager.projects.list
Dataplex Entry Type Owner
(roles/)
Grants access to creating and managing Entry Types. Does not give the right to create/modify Entries.
datacatalog.
dataplex.entryTypes.*
dataplex.operations.get
dataplex.projects.search
resourcemanager.projects.get
resourcemanager.projects.list
Dataplex Entry Type User
(roles/)
Grants access to use Entry Types to create/modify Entries of those types.
datacatalog.
dataplex.entryTypes.get
dataplex.entryTypes.list
dataplex.entryTypes.use
dataplex.projects.search
resourcemanager.projects.get
resourcemanager.projects.list
(roles/)
Grants access to creating and managing Metadata Jobs. Does not give the right to create/modify Entry Groups.
dataplex.metadataJobs.*
dataplex.operations.get
resourcemanager.projects.get
resourcemanager.projects.list
(roles/)
Read access to Metadata Job resources.
dataplex.metadataJobs.get
dataplex.metadataJobs.list
dataplex.operations.get
resourcemanager.projects.get
resourcemanager.projects.list
(roles/)
Read only access to metadata.
dataplex.assets.get
dataplex.assets.list
dataplex.entities.get
dataplex.entities.list
dataplex.partitions.get
dataplex.partitions.list
dataplex.zones.get
dataplex.zones.list
resourcemanager.projects.get
resourcemanager.projects.list
(roles/)
Write and Read access to metadata.
dataplex.assets.get
dataplex.assets.list
dataplex.entities.*
dataplex.partitions.*
dataplex.zones.get
dataplex.zones.list
resourcemanager.projects.get
resourcemanager.projects.list
Dataplex Security Administrator
(roles/)
Permissions configure ResourceAccess and DataAccess Specs on Data Attributes.
dataplex.
dataplex.
Dataplex Storage Data Owner
(roles/)
Owner access to data. Should not be used directly. This role is granted by Dataplex to managed resources like Cloud Storage buckets, BigQuery datasets etc.
bigquery.datasets.get
bigquery.models.create
bigquery.models.delete
bigquery.models.export
bigquery.models.getData
bigquery.models.getMetadata
bigquery.models.list
bigquery.models.updateData
bigquery.models.updateMetadata
bigquery.routines.create
bigquery.routines.delete
bigquery.routines.get
bigquery.routines.list
bigquery.routines.update
bigquery.tables.create
bigquery.tables.createSnapshot
bigquery.tables.delete
bigquery.tables.deleteSnapshot
bigquery.tables.export
bigquery.tables.get
bigquery.tables.getData
bigquery.tables.list
bigquery.
bigquery.tables.update
bigquery.tables.updateData
storage.buckets.get
storage.objects.create
storage.objects.delete
storage.objects.get
storage.objects.list
storage.objects.update
Dataplex Storage Data Reader
(roles/)
Read only access to data. Should not be used directly. This role is granted by Dataplex to managed resources like Cloud Storage buckets, BigQuery datasets etc.
bigquery.datasets.get
bigquery.models.export
bigquery.models.getData
bigquery.models.getMetadata
bigquery.models.list
bigquery.routines.get
bigquery.routines.list
bigquery.tables.export
bigquery.tables.get
bigquery.tables.getData
bigquery.tables.list
storage.buckets.get
storage.objects.get
storage.objects.list
Dataplex Storage Data Writer
(roles/)
Write access to data. Should not be used directly. This role is granted by Dataplex to managed resources like Cloud Storage buckets, BigQuery datasets etc.
bigquery.tables.updateData
storage.objects.create
storage.objects.delete
storage.objects.update
Dataplex Taxonomy Administrator
(roles/)
Full access to DataTaxonomy, DataAttribute resources.
dataplex.dataAttributes.*
dataplex.dataTaxonomies.create
dataplex.dataTaxonomies.delete
dataplex.dataTaxonomies.get
dataplex.
dataplex.dataTaxonomies.list
dataplex.
dataplex.dataTaxonomies.update
Dataplex Taxonomy Viewer
(roles/)
Read access on DataTaxonomy, DataAttribute resources.
dataplex.dataAttributes.get
dataplex.
dataplex.dataAttributes.list
dataplex.dataTaxonomies.get
dataplex.
dataplex.dataTaxonomies.list
Dataplex Viewer
(roles/)
Read access to Dataplex resources.
cloudasset.
dataplex.assetActions.list
dataplex.assets.get
dataplex.assets.getIamPolicy
dataplex.assets.list
dataplex.content.get
dataplex.content.getIamPolicy
dataplex.content.list
dataplex.
dataplex.
dataplex.
dataplex.dataAttributes.get
dataplex.
dataplex.dataAttributes.list
dataplex.dataTaxonomies.get
dataplex.
dataplex.dataTaxonomies.list
dataplex.datascans.get
dataplex.
dataplex.datascans.list
dataplex.environments.get
dataplex.
dataplex.environments.list
dataplex.lakeActions.list
dataplex.lakes.get
dataplex.lakes.getIamPolicy
dataplex.lakes.list
dataplex.operations.get
dataplex.operations.list
dataplex.tasks.get
dataplex.tasks.getIamPolicy
dataplex.tasks.list
dataplex.zoneActions.list
dataplex.zones.get
dataplex.zones.getIamPolicy
dataplex.zones.list
Cloud Debugger roles
Permissions
Cloud Debugger Agent
Beta
(roles/)
Provides permissions to register the debug target, read active breakpoints,
and report breakpoint results.
Lowest-level resources where you can grant this role:
clouddebugger.breakpoints.list
clouddebugger.
clouddebugger.
clouddebugger.debuggees.create
Cloud Debugger User
Beta
(roles/)
Provides permissions to create, view, list, and delete breakpoints
(snapshots & logpoints) as well as list debug targets (debuggees).
Lowest-level resources where you can grant this role:
clouddebugger.
clouddebugger.
clouddebugger.breakpoints.get
clouddebugger.breakpoints.list
clouddebugger.debuggees.list
Cloud Deploy roles
Permissions
Cloud Deploy Admin
(roles/)
Full control of Cloud Deploy resources.
clouddeploy.*
resourcemanager.projects.get
resourcemanager.projects.list
Cloud Deploy Approver
(roles/)
Permission to approve or reject rollouts.
clouddeploy.config.get
clouddeploy.jobRuns.get
clouddeploy.jobRuns.list
clouddeploy.locations.*
clouddeploy.operations.*
clouddeploy.rollouts.approve
clouddeploy.rollouts.get
clouddeploy.rollouts.list
resourcemanager.projects.get
resourcemanager.projects.list
Cloud Deploy Custom Target Type Admin
(roles/)
Permission to manage CustomTargetType resources
clouddeploy.config.get
clouddeploy.
resourcemanager.projects.get
resourcemanager.projects.list
Cloud Deploy Developer
(roles/)
Permission to manage deployment configuration without permission to access operational resources, such as targets.
clouddeploy.automationRuns.get
clouddeploy.
clouddeploy.automations.get
clouddeploy.automations.list
clouddeploy.config.get
clouddeploy.
clouddeploy.
clouddeploy.
clouddeploy.
clouddeploy.
clouddeploy.
clouddeploy.
clouddeploy.
clouddeploy.
clouddeploy.
clouddeploy.deployPolicies.get
clouddeploy.
clouddeploy.jobRuns.get
clouddeploy.jobRuns.list
clouddeploy.locations.*
clouddeploy.operations.*
clouddeploy.releases.*
clouddeploy.rollouts.get
clouddeploy.rollouts.list
resourcemanager.projects.get
resourcemanager.projects.list
Cloud Deploy Runner
(roles/)
Permission to execute Cloud Deploy work without permission to deliver to a target.
clouddeploy.config.get
logging.logEntries.create
storage.objects.create
storage.objects.get
storage.objects.list
Cloud Deploy Operator
(roles/)
Permission to manage deployment configuration.
clouddeploy.automationRuns.*
clouddeploy.automations.*
clouddeploy.config.get
clouddeploy.
clouddeploy.
clouddeploy.
clouddeploy.
clouddeploy.
clouddeploy.
clouddeploy.
clouddeploy.
clouddeploy.
clouddeploy.
clouddeploy.
clouddeploy.
clouddeploy.
clouddeploy.deployPolicies.get
clouddeploy.
clouddeploy.jobRuns.*
clouddeploy.locations.*
clouddeploy.operations.*
clouddeploy.releases.*
clouddeploy.rollouts.advance
clouddeploy.rollouts.cancel
clouddeploy.rollouts.create
clouddeploy.rollouts.get
clouddeploy.rollouts.ignoreJob
clouddeploy.rollouts.list
clouddeploy.rollouts.retryJob
clouddeploy.rollouts.rollback
clouddeploy.targets.create
clouddeploy.
clouddeploy.targets.delete
clouddeploy.
clouddeploy.targets.get
clouddeploy.
clouddeploy.targets.list
clouddeploy.
clouddeploy.
clouddeploy.targets.update
resourcemanager.projects.get
resourcemanager.projects.list
Cloud Deploy Policy Admin
Beta
(roles/)
Permission to manage Deploy Policies.
clouddeploy.deployPolicies.*
clouddeploy.locations.*
clouddeploy.operations.*
resourcemanager.projects.get
resourcemanager.projects.list
Cloud Deploy Policy Overrider
Beta
(roles/)
Permission to override Deploy Policies.
clouddeploy.deployPolicies.get
clouddeploy.
clouddeploy.
clouddeploy.locations.*
clouddeploy.operations.*
resourcemanager.projects.get
resourcemanager.projects.list
Cloud Deploy Releaser
(roles/)
Permission to create Cloud Deploy releases and rollouts.
clouddeploy.config.get
clouddeploy.
clouddeploy.
clouddeploy.jobRuns.get
clouddeploy.jobRuns.list
clouddeploy.locations.*
clouddeploy.operations.*
clouddeploy.releases.create
clouddeploy.releases.get
clouddeploy.releases.list
clouddeploy.rollouts.advance
clouddeploy.rollouts.cancel
clouddeploy.rollouts.create
clouddeploy.rollouts.get
clouddeploy.rollouts.list
clouddeploy.rollouts.rollback
clouddeploy.targets.get
resourcemanager.projects.get
resourcemanager.projects.list
Cloud Deploy Viewer
(roles/)
Can view Cloud Deploy resources.
clouddeploy.automationRuns.get
clouddeploy.
clouddeploy.automations.get
clouddeploy.automations.list
clouddeploy.config.get
clouddeploy.
clouddeploy.
clouddeploy.
clouddeploy.
clouddeploy.
clouddeploy.
clouddeploy.
clouddeploy.
clouddeploy.deployPolicies.get
clouddeploy.
clouddeploy.jobRuns.get
clouddeploy.jobRuns.list
clouddeploy.locations.*
clouddeploy.operations.get
clouddeploy.operations.list
clouddeploy.releases.get
clouddeploy.releases.list
clouddeploy.rollouts.get
clouddeploy.rollouts.list
clouddeploy.targets.get
clouddeploy.
clouddeploy.targets.list
clouddeploy.
clouddeploy.
resourcemanager.projects.get
resourcemanager.projects.list
Cloud DLP roles
Permissions
DLP Administrator
(roles/)
Administer DLP including jobs and templates.
dlp.*
resourcemanager.projects.get
resourcemanager.projects.list
serviceusage.services.use
DLP Analyze Risk Templates Editor
(roles/)
Edit DLP analyze risk templates.
dlp.analyzeRiskTemplates.*
DLP Analyze Risk Templates Reader
(roles/)
Read DLP analyze risk templates.
dlp.analyzeRiskTemplates.get
dlp.analyzeRiskTemplates.list
DLP Column Data Profiles Reader
(roles/)
Read DLP column profiles.
dlp.columnDataProfiles.*
DLP Connections Admin
(roles/)
Manage DLP Connections.
dlp.connections.*
resourcemanager.projects.get
resourcemanager.projects.list
DLP Connections Viewer
(roles/)
View DLP Connections.
dlp.connections.get
dlp.connections.list
dlp.connections.search
DLP Data Profiles Admin
(roles/)
Manage DLP profiles.
dlp.charts.get
dlp.columnDataProfiles.*
dlp.fileStoreProfiles.*
dlp.projectDataProfiles.*
dlp.tableDataProfiles.*
DLP Data Profiles Reader
(roles/)
Read DLP profiles.
dlp.charts.get
dlp.columnDataProfiles.*
dlp.fileStoreProfiles.get
dlp.fileStoreProfiles.list
dlp.projectDataProfiles.*
dlp.tableDataProfiles.get
dlp.tableDataProfiles.list
DLP De-identify Templates Editor
(roles/)
Edit DLP de-identify templates.
dlp.deidentifyTemplates.*
DLP De-identify Templates Reader
(roles/)
Read DLP de-identify templates.
dlp.deidentifyTemplates.get
dlp.deidentifyTemplates.list
DLP Cost Estimation
(roles/)
Manage DLP Cost Estimates.
dlp.estimates.*
DLP File Store Data Profiles Admin
(roles/)
Manage DLP file store profiles.
dlp.fileStoreProfiles.*
DLP File Store Data Profiles Reader
(roles/)
Read DLP file store profiles.
dlp.charts.get
dlp.fileStoreProfiles.get
dlp.fileStoreProfiles.list
DLP Inspect Findings Reader
(roles/)
Read DLP stored findings.
dlp.inspectFindings.list
DLP Inspect Templates Editor
(roles/)
Edit DLP inspect templates.
dlp.inspectTemplates.*
DLP Inspect Templates Reader
(roles/)
Read DLP inspect templates.
dlp.inspectTemplates.get
dlp.inspectTemplates.list
DLP Job Triggers Editor
(roles/)
Edit job triggers configurations.
dlp.jobTriggers.*
DLP Job Triggers Reader
(roles/)
Read job triggers.
dlp.jobTriggers.get
dlp.jobTriggers.list
DLP Jobs Editor
(roles/)
Edit and create jobs
dlp.jobs.*
dlp.kms.encrypt
DLP Jobs Reader
(roles/)
Read jobs
dlp.jobs.get
dlp.jobs.list
DLP Organization Data Profiles Driver
(roles/)
Permissions needed by the DLP service account to generate data profiles within an organization or folder.
Lowest-level resources where you can grant this role:
aiplatform.agentExamples.get
aiplatform.agentExamples.list
aiplatform.agents.get
aiplatform.agents.list
aiplatform.annotationSpecs.get
aiplatform.
aiplatform.annotations.get
aiplatform.annotations.list
aiplatform.apps.get
aiplatform.apps.list
aiplatform.artifacts.get
aiplatform.artifacts.list
aiplatform.
aiplatform.
aiplatform.cacheConfigs.get
aiplatform.cachedContents.get
aiplatform.cachedContents.list
aiplatform.consents.get
aiplatform.contexts.get
aiplatform.contexts.list
aiplatform.
aiplatform.customJobs.get
aiplatform.customJobs.list
aiplatform.dataItems.get
aiplatform.dataItems.list
aiplatform.
aiplatform.
aiplatform.datasetVersions.get
aiplatform.
aiplatform.datasets.get
aiplatform.datasets.list
aiplatform.
aiplatform.
aiplatform.
aiplatform.
aiplatform.
aiplatform.
aiplatform.edgeDevices.get
aiplatform.edgeDevices.list
aiplatform.endpoints.get
aiplatform.endpoints.list
aiplatform.entityTypes.get
aiplatform.entityTypes.list
aiplatform.executions.get
aiplatform.executions.list
aiplatform.
aiplatform.extensions.get
aiplatform.extensions.list
aiplatform.featureGroups.get
aiplatform.featureGroups.list
aiplatform.
aiplatform.
aiplatform.featureViewSyncs.*
aiplatform.
aiplatform.featureViews.get
aiplatform.featureViews.list
aiplatform.
aiplatform.features.get
aiplatform.features.list
aiplatform.featurestores.get
aiplatform.featurestores.list
aiplatform.humanInTheLoops.get
aiplatform.
aiplatform.
aiplatform.
aiplatform.indexEndpoints.get
aiplatform.indexEndpoints.list
aiplatform.
aiplatform.indexes.get
aiplatform.indexes.list
aiplatform.locations.get
aiplatform.locations.list
aiplatform.metadataSchemas.get
aiplatform.
aiplatform.metadataStores.get
aiplatform.metadataStores.list
aiplatform.
aiplatform.
aiplatform.
aiplatform.
aiplatform.
aiplatform.
aiplatform.
aiplatform.
aiplatform.
aiplatform.modelMonitors.get
aiplatform.modelMonitors.list
aiplatform.
aiplatform.
aiplatform.models.get
aiplatform.models.list
aiplatform.nasJobs.get
aiplatform.nasJobs.list
aiplatform.nasTrialDetails.*
aiplatform.
aiplatform.
aiplatform.
aiplatform.
aiplatform.
aiplatform.
aiplatform.operations.list
aiplatform.
aiplatform.
aiplatform.pipelineJobs.get
aiplatform.pipelineJobs.list
aiplatform.
aiplatform.ragCorpora.get
aiplatform.ragCorpora.list
aiplatform.ragCorpora.query
aiplatform.ragFiles.get
aiplatform.ragFiles.list
aiplatform.
aiplatform.
aiplatform.
aiplatform.schedules.get
aiplatform.schedules.list
aiplatform.sessions.get
aiplatform.sessions.list
aiplatform.specialistPools.get
aiplatform.
aiplatform.
aiplatform.studies.get
aiplatform.studies.list
aiplatform.
aiplatform.
aiplatform.tensorboardRuns.get
aiplatform.
aiplatform.
aiplatform.
aiplatform.
aiplatform.
aiplatform.tensorboards.get
aiplatform.tensorboards.list
aiplatform.
aiplatform.
aiplatform.trials.get
aiplatform.trials.list
aiplatform.tuningJobs.get
aiplatform.tuningJobs.list
alloydb.
alloydb.
alloydb.backups.get
alloydb.backups.list
alloydb.
alloydb.
alloydb.
alloydb.
alloydb.clusters.export
alloydb.
alloydb.clusters.get
alloydb.clusters.list
alloydb.
alloydb.
alloydb.databases.list
alloydb.instances.connect
alloydb.instances.executeSql
alloydb.instances.get
alloydb.instances.list
alloydb.locations.*
alloydb.operations.get
alloydb.operations.list
alloydb.
alloydb.users.get
alloydb.users.list
alloydb.users.login
artifactregistry.
artifactregistry.
artifactregistry.
artifactregistry.
bigquery.bireservations.get
bigquery.
bigquery.
bigquery.config.get
bigquery.connections.updateTag
bigquery.datasets.create
bigquery.
bigquery.
bigquery.datasets.get
bigquery.datasets.getIamPolicy
bigquery.
bigquery.
bigquery.datasets.updateTag
bigquery.jobs.create
bigquery.jobs.get
bigquery.jobs.list
bigquery.jobs.listAll
bigquery.
bigquery.models.*
bigquery.readsessions.*
bigquery.
bigquery.
bigquery.reservations.get
bigquery.reservations.list
bigquery.
bigquery.routines.*
bigquery.savedqueries.get
bigquery.savedqueries.list
bigquery.tables.create
bigquery.tables.createIndex
bigquery.tables.createSnapshot
bigquery.
bigquery.tables.delete
bigquery.tables.deleteIndex
bigquery.
bigquery.tables.export
bigquery.tables.get
bigquery.tables.getData
bigquery.tables.getIamPolicy
bigquery.tables.list
bigquery.
bigquery.
bigquery.tables.replicateData
bigquery.
bigquery.tables.update
bigquery.tables.updateData
bigquery.tables.updateIndex
bigquery.tables.updateTag
bigquery.transfers.get
bigquerymigration.
bigtable.
bigtable.
bigtable.
bigtable.
bigtable.
bigtable.
bigtable.
bigtable.
cloudaicompanion.
cloudasset.
cloudasset.assets.analyzeMove
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.assets.exportIapWeb
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.assets.listIamRoles
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.assets.listIapWeb
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.assets.listResource
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.assets.listTpuNodes
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
clouddeploy.
clouddeploy.
clouddeploy.
clouddeploy.
clouddeploy.
clouddeploy.
clouddeploy.
clouddeploy.
cloudkms.
cloudkms.
cloudkms.
cloudkms.
cloudsql.instances.connect
cloudsql.
cloudsql.
cloudsql.instances.get
cloudsql.
cloudsql.
cloudsql.instances.login
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.disks.createTagBinding
compute.disks.deleteTagBinding
compute.
compute.disks.listTagBindings
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.images.listTagBindings
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.routes.listTagBindings
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
container.
container.
container.
container.
datacatalog.
datacatalog.entries.updateTag
datacatalog.
datacatalog.
datacatalog.tagTemplates.get
datacatalog.
datacatalog.tagTemplates.use
dataform.locations.*
dataform.repositories.create
dataform.repositories.list
datafusion.
datafusion.
datafusion.
datafusion.
dataplex.projects.search
datastore.
datastore.
datastore.
datastore.
datastream.
datastream.
datastream.
datastream.
datastream.
datastream.
datastream.
datastream.
datastream.
datastream.
datastream.
datastream.
dlp.*
domains.
domains.
domains.
domains.
file.backups.createTagBinding
file.backups.deleteTagBinding
file.backups.listEffectiveTags
file.backups.listTagBindings
file.
file.
file.
file.instances.listTagBindings
file.
file.
file.
file.snapshots.listTagBindings
iam.
iam.
iam.
iam.
logging.
logging.
logging.
logging.
managedidentities.
managedidentities.
managedidentities.
managedidentities.
pubsub.topics.updateTag
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.locations.*
redis.
redis.
redis.
redis.
resourcemanager.
resourcemanager.projects.get
resourcemanager.projects.list
resourcemanager.tagKeys.get
resourcemanager.tagKeys.list
resourcemanager.
resourcemanager.tagValues.get
resourcemanager.tagValues.list
run.jobs.createTagBinding
run.jobs.deleteTagBinding
run.jobs.listEffectiveTags
run.jobs.listTagBindings
run.services.createTagBinding
run.services.deleteTagBinding
run.services.listEffectiveTags
run.services.listTagBindings
secretmanager.
secretmanager.
secretmanager.
secretmanager.
serviceusage.services.use
spanner.
spanner.
spanner.
spanner.
storage.
storage.
storage.buckets.getIamPolicy
storage.
storage.
storage.folders.get
storage.folders.list
storage.managedFolders.get
storage.managedFolders.list
storage.objects.get
storage.objects.getIamPolicy
storage.objects.list
workflows.
workflows.
workflows.
workflows.
DLP Project Data Profiles Reader
(roles/)
Read DLP project profiles.
dlp.projectDataProfiles.*
DLP Project Data Profiles Driver
(roles/)
Permissions needed by the DLP service account to generate data profiles within a project.
aiplatform.agentExamples.get
aiplatform.agentExamples.list
aiplatform.agents.get
aiplatform.agents.list
aiplatform.annotationSpecs.get
aiplatform.
aiplatform.annotations.get
aiplatform.annotations.list
aiplatform.apps.get
aiplatform.apps.list
aiplatform.artifacts.get
aiplatform.artifacts.list
aiplatform.
aiplatform.
aiplatform.cacheConfigs.get
aiplatform.cachedContents.get
aiplatform.cachedContents.list
aiplatform.consents.get
aiplatform.contexts.get
aiplatform.contexts.list
aiplatform.
aiplatform.customJobs.get
aiplatform.customJobs.list
aiplatform.dataItems.get
aiplatform.dataItems.list
aiplatform.
aiplatform.
aiplatform.datasetVersions.get
aiplatform.
aiplatform.datasets.get
aiplatform.datasets.list
aiplatform.
aiplatform.
aiplatform.
aiplatform.
aiplatform.
aiplatform.
aiplatform.edgeDevices.get
aiplatform.edgeDevices.list
aiplatform.endpoints.get
aiplatform.endpoints.list
aiplatform.entityTypes.get
aiplatform.entityTypes.list
aiplatform.executions.get
aiplatform.executions.list
aiplatform.
aiplatform.extensions.get
aiplatform.extensions.list
aiplatform.featureGroups.get
aiplatform.featureGroups.list
aiplatform.
aiplatform.
aiplatform.featureViewSyncs.*
aiplatform.
aiplatform.featureViews.get
aiplatform.featureViews.list
aiplatform.
aiplatform.features.get
aiplatform.features.list
aiplatform.featurestores.get
aiplatform.featurestores.list
aiplatform.humanInTheLoops.get
aiplatform.
aiplatform.
aiplatform.
aiplatform.indexEndpoints.get
aiplatform.indexEndpoints.list
aiplatform.
aiplatform.indexes.get
aiplatform.indexes.list
aiplatform.locations.get
aiplatform.locations.list
aiplatform.metadataSchemas.get
aiplatform.
aiplatform.metadataStores.get
aiplatform.metadataStores.list
aiplatform.
aiplatform.
aiplatform.
aiplatform.
aiplatform.
aiplatform.
aiplatform.
aiplatform.
aiplatform.
aiplatform.modelMonitors.get
aiplatform.modelMonitors.list
aiplatform.
aiplatform.
aiplatform.models.get
aiplatform.models.list
aiplatform.nasJobs.get
aiplatform.nasJobs.list
aiplatform.nasTrialDetails.*
aiplatform.
aiplatform.
aiplatform.
aiplatform.
aiplatform.
aiplatform.
aiplatform.operations.list
aiplatform.
aiplatform.
aiplatform.pipelineJobs.get
aiplatform.pipelineJobs.list
aiplatform.
aiplatform.ragCorpora.get
aiplatform.ragCorpora.list
aiplatform.ragCorpora.query
aiplatform.ragFiles.get
aiplatform.ragFiles.list
aiplatform.
aiplatform.
aiplatform.
aiplatform.schedules.get
aiplatform.schedules.list
aiplatform.sessions.get
aiplatform.sessions.list
aiplatform.specialistPools.get
aiplatform.
aiplatform.
aiplatform.studies.get
aiplatform.studies.list
aiplatform.
aiplatform.
aiplatform.tensorboardRuns.get
aiplatform.
aiplatform.
aiplatform.
aiplatform.
aiplatform.
aiplatform.tensorboards.get
aiplatform.tensorboards.list
aiplatform.
aiplatform.
aiplatform.trials.get
aiplatform.trials.list
aiplatform.tuningJobs.get
aiplatform.tuningJobs.list
alloydb.
alloydb.
alloydb.backups.get
alloydb.backups.list
alloydb.
alloydb.
alloydb.
alloydb.
alloydb.clusters.export
alloydb.
alloydb.clusters.get
alloydb.clusters.list
alloydb.
alloydb.
alloydb.databases.list
alloydb.instances.connect
alloydb.instances.executeSql
alloydb.instances.get
alloydb.instances.list
alloydb.locations.*
alloydb.operations.get
alloydb.operations.list
alloydb.
alloydb.users.get
alloydb.users.list
alloydb.users.login
artifactregistry.
artifactregistry.
artifactregistry.
artifactregistry.
bigquery.bireservations.get
bigquery.
bigquery.
bigquery.config.get
bigquery.connections.updateTag
bigquery.datasets.create
bigquery.
bigquery.
bigquery.datasets.get
bigquery.datasets.getIamPolicy
bigquery.
bigquery.
bigquery.datasets.updateTag
bigquery.jobs.create
bigquery.jobs.get
bigquery.jobs.list
bigquery.jobs.listAll
bigquery.
bigquery.models.*
bigquery.readsessions.*
bigquery.
bigquery.
bigquery.reservations.get
bigquery.reservations.list
bigquery.
bigquery.routines.*
bigquery.savedqueries.get
bigquery.savedqueries.list
bigquery.tables.create
bigquery.tables.createIndex
bigquery.tables.createSnapshot
bigquery.
bigquery.tables.delete
bigquery.tables.deleteIndex
bigquery.
bigquery.tables.export
bigquery.tables.get
bigquery.tables.getData
bigquery.tables.getIamPolicy
bigquery.tables.list
bigquery.
bigquery.
bigquery.tables.replicateData
bigquery.
bigquery.tables.update
bigquery.tables.updateData
bigquery.tables.updateIndex
bigquery.tables.updateTag
bigquery.transfers.get
bigquerymigration.
bigtable.
bigtable.
bigtable.
bigtable.
bigtable.
bigtable.
bigtable.
bigtable.
cloudaicompanion.
cloudasset.
cloudasset.assets.analyzeMove
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.assets.exportIapWeb
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.assets.listIamRoles
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.assets.listIapWeb
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.assets.listResource
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.assets.listTpuNodes
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
clouddeploy.
clouddeploy.
clouddeploy.
clouddeploy.
clouddeploy.
clouddeploy.
clouddeploy.
clouddeploy.
cloudkms.
cloudkms.
cloudkms.
cloudkms.
cloudsql.instances.connect
cloudsql.
cloudsql.
cloudsql.instances.get
cloudsql.
cloudsql.
cloudsql.instances.login
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.disks.createTagBinding
compute.disks.deleteTagBinding
compute.
compute.disks.listTagBindings
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.images.listTagBindings
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.routes.listTagBindings
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
container.
container.
container.
container.
datacatalog.
datacatalog.entries.updateTag
datacatalog.
datacatalog.
datacatalog.tagTemplates.get
datacatalog.
datacatalog.tagTemplates.use
dataform.locations.*
dataform.repositories.create
dataform.repositories.list
datafusion.
datafusion.
datafusion.
datafusion.
dataplex.projects.search
datastore.
datastore.
datastore.
datastore.
datastream.
datastream.
datastream.
datastream.
datastream.
datastream.
datastream.
datastream.
datastream.
datastream.
datastream.
datastream.
dlp.*
domains.
domains.
domains.
domains.
file.backups.createTagBinding
file.backups.deleteTagBinding
file.backups.listEffectiveTags
file.backups.listTagBindings
file.
file.
file.
file.instances.listTagBindings
file.
file.
file.
file.snapshots.listTagBindings
iam.
iam.
iam.
iam.
logging.
logging.
logging.
logging.
managedidentities.
managedidentities.
managedidentities.
managedidentities.
pubsub.topics.updateTag
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.locations.*
redis.
redis.
redis.
redis.
resourcemanager.
resourcemanager.projects.get
resourcemanager.projects.list
resourcemanager.tagKeys.get
resourcemanager.tagKeys.list
resourcemanager.
resourcemanager.tagValues.get
resourcemanager.tagValues.list
run.jobs.createTagBinding
run.jobs.deleteTagBinding
run.jobs.listEffectiveTags
run.jobs.listTagBindings
run.services.createTagBinding
run.services.deleteTagBinding
run.services.listEffectiveTags
run.services.listTagBindings
secretmanager.
secretmanager.
secretmanager.
secretmanager.
serviceusage.services.use
spanner.
spanner.
spanner.
spanner.
storage.
storage.
storage.buckets.getIamPolicy
storage.
storage.
storage.folders.get
storage.folders.list
storage.managedFolders.get
storage.managedFolders.list
storage.objects.get
storage.objects.getIamPolicy
storage.objects.list
workflows.
workflows.
workflows.
workflows.
DLP Reader
(roles/)
Read DLP entities, such as jobs and templates.
dlp.analyzeRiskTemplates.get
dlp.analyzeRiskTemplates.list
dlp.deidentifyTemplates.get
dlp.deidentifyTemplates.list
dlp.inspectFindings.list
dlp.inspectTemplates.get
dlp.inspectTemplates.list
dlp.jobTriggers.get
dlp.jobTriggers.list
dlp.jobs.get
dlp.jobs.list
dlp.locations.*
dlp.storedInfoTypes.get
dlp.storedInfoTypes.list
DLP Stored InfoTypes Editor
(roles/)
Edit DLP stored info types.
dlp.storedInfoTypes.*
DLP Stored InfoTypes Reader
(roles/)
Read DLP stored info types.
dlp.storedInfoTypes.get
dlp.storedInfoTypes.list
DLP Subscription Admin
(roles/)
Manage DLP subscriptions.
dlp.subscriptions.*
resourcemanager.projects.get
resourcemanager.projects.list
DLP Subscription Viewer
(roles/)
View DLP subscriptions.
dlp.subscriptions.get
dlp.subscriptions.list
DLP Table Data Profiles Admin
(roles/)
Manage DLP table profiles.
dlp.tableDataProfiles.*
DLP Table Data Profiles Reader
(roles/)
Read DLP table profiles.
dlp.tableDataProfiles.get
dlp.tableDataProfiles.list
DLP User
(roles/)
Inspect, Redact, and De-identify Content
dlp.kms.encrypt
dlp.locations.*
serviceusage.services.use
Cloud Domains roles
Permissions
Cloud Domains Admin
(roles/)
Full access to Cloud Domains Registrations and related resources.
domains.*
resourcemanager.projects.get
resourcemanager.projects.list
Cloud Domains Viewer
(roles/)
Read-only access to Cloud Domains Registrations and related resources.
domains.locations.*
domains.operations.get
domains.operations.list
domains.registrations.get
domains.
domains.registrations.list
domains.
domains.
resourcemanager.projects.get
resourcemanager.projects.list
Cloud Filestore roles
Permissions
Cloud Filestore Editor
Beta
(roles/)
Read-write access to Filestore instances and related resources.
file.*
Cloud Filestore Viewer
Beta
(roles/)
Read-only access to Filestore instances and related resources.
file.backups.get
file.backups.list
file.backups.listEffectiveTags
file.backups.listTagBindings
file.instances.get
file.instances.list
file.
file.instances.listTagBindings
file.locations.*
file.operations.get
file.operations.list
file.
file.snapshots.listTagBindings
Cloud Financial Services roles
Permissions
Financial Services Admin
(roles/)
Full access to all Financial Services API resources.
financialservices.*
resourcemanager.projects.get
resourcemanager.projects.list
Financial Services Viewer
(roles/)
View access to all Financial Services API resources.
financialservices.locations.*
financialservices.
financialservices.
financialservices.
financialservices.
financialservices.
financialservices.
financialservices.
financialservices.
financialservices.
financialservices.
financialservices.
financialservices.
financialservices.
financialservices.
financialservices.
financialservices.v1models.get
financialservices.
financialservices.
financialservices.
financialservices.
resourcemanager.projects.get
resourcemanager.projects.list
Cloud Functions roles
Permissions
Cloud Functions Admin
(roles/)
Full access to functions, operations and locations.
cloudbuild.builds.get
cloudbuild.builds.list
cloudbuild.operations.*
cloudfunctions.*
eventarc.*
recommender.
recommender.
recommender.locations.*
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
remotebuildexecution.blobs.get
resourcemanager.projects.get
resourcemanager.projects.list
run.*
serviceusage.quotas.get
serviceusage.services.get
serviceusage.services.list
Cloud Functions Developer
(roles/)
Read and write access to all functions-related resources.
cloudbuild.builds.get
cloudbuild.builds.list
cloudbuild.operations.*
cloudfunctions.functions.call
cloudfunctions.
cloudfunctions.
cloudfunctions.functions.get
cloudfunctions.
cloudfunctions.functions.list
cloudfunctions.
cloudfunctions.
cloudfunctions.
cloudfunctions.locations.list
cloudfunctions.operations.*
eventarc.
eventarc.
eventarc.
eventarc.
eventarc.
eventarc.
eventarc.channels.attach
eventarc.channels.create
eventarc.channels.delete
eventarc.channels.get
eventarc.channels.getIamPolicy
eventarc.channels.list
eventarc.channels.publish
eventarc.channels.undelete
eventarc.channels.update
eventarc.enrollments.create
eventarc.enrollments.delete
eventarc.enrollments.get
eventarc.
eventarc.enrollments.list
eventarc.enrollments.update
eventarc.
eventarc.
eventarc.googleApiSources.get
eventarc.
eventarc.googleApiSources.list
eventarc.
eventarc.
eventarc.locations.*
eventarc.operations.*
eventarc.pipelines.create
eventarc.pipelines.delete
eventarc.pipelines.get
eventarc.
eventarc.pipelines.list
eventarc.pipelines.update
eventarc.providers.*
eventarc.triggers.create
eventarc.triggers.delete
eventarc.triggers.get
eventarc.triggers.getIamPolicy
eventarc.triggers.list
eventarc.triggers.undelete
eventarc.triggers.update
recommender.
recommender.
recommender.locations.*
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
remotebuildexecution.blobs.get
resourcemanager.projects.get
resourcemanager.projects.list
run.configurations.*
run.executions.*
run.jobs.create
run.jobs.delete
run.jobs.get
run.jobs.getIamPolicy
run.jobs.list
run.jobs.listEffectiveTags
run.jobs.listTagBindings
run.jobs.run
run.jobs.runWithOverrides
run.jobs.update
run.locations.list
run.operations.*
run.revisions.*
run.routes.*
run.services.create
run.services.delete
run.services.get
run.services.getIamPolicy
run.services.list
run.services.listEffectiveTags
run.services.listTagBindings
run.services.update
run.tasks.*
serviceusage.quotas.get
serviceusage.services.get
serviceusage.services.list
Cloud Functions Invoker
(roles/)
Ability to invoke 1st gen HTTP functions with restricted access. 2nd gen functions need the Cloud Run Invoker role instead.
cloudfunctions.
Cloud Functions Viewer
(roles/)
Read-only access to functions and locations.
cloudbuild.builds.get
cloudbuild.builds.list
cloudbuild.operations.*
cloudfunctions.functions.get
cloudfunctions.
cloudfunctions.functions.list
cloudfunctions.locations.list
cloudfunctions.operations.*
eventarc.
eventarc.
eventarc.
eventarc.channels.get
eventarc.channels.getIamPolicy
eventarc.channels.list
eventarc.enrollments.get
eventarc.
eventarc.enrollments.list
eventarc.googleApiSources.get
eventarc.
eventarc.googleApiSources.list
eventarc.
eventarc.locations.*
eventarc.messageBuses.get
eventarc.
eventarc.messageBuses.list
eventarc.messageBuses.use
eventarc.operations.get
eventarc.operations.list
eventarc.pipelines.get
eventarc.
eventarc.pipelines.list
eventarc.providers.*
eventarc.triggers.get
eventarc.triggers.getIamPolicy
eventarc.triggers.list
recommender.
recommender.
recommender.
recommender.
recommender.locations.*
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
remotebuildexecution.blobs.get
resourcemanager.projects.get
resourcemanager.projects.list
run.configurations.*
run.executions.get
run.executions.list
run.jobs.get
run.jobs.getIamPolicy
run.jobs.list
run.jobs.listEffectiveTags
run.jobs.listTagBindings
run.locations.list
run.operations.get
run.operations.list
run.revisions.get
run.revisions.list
run.routes.get
run.routes.list
run.services.get
run.services.getIamPolicy
run.services.list
run.services.listEffectiveTags
run.services.listTagBindings
run.tasks.*
serviceusage.quotas.get
serviceusage.services.get
serviceusage.services.list
Cloud Healthcare roles
Permissions
Healthcare Annotation Editor
(roles/)
Create, delete, update, read and list annotations.
healthcare.
healthcare.
healthcare.annotations.*
healthcare.datasets.get
healthcare.datasets.list
healthcare.locations.*
healthcare.operations.get
resourcemanager.projects.get
resourcemanager.projects.list
Healthcare Annotation Reader
(roles/)
Read and list annotations in an Annotation store.
healthcare.
healthcare.
healthcare.annotations.get
healthcare.annotations.list
healthcare.datasets.get
healthcare.datasets.list
healthcare.locations.*
healthcare.operations.get
resourcemanager.projects.get
resourcemanager.projects.list
Healthcare Annotation Administrator
(roles/)
Administer Annotation stores.
healthcare.annotationStores.*
healthcare.datasets.get
healthcare.datasets.list
healthcare.locations.*
healthcare.operations.get
resourcemanager.projects.get
resourcemanager.projects.list
Healthcare Annotation Store Viewer
(roles/)
List Annotation Stores in a dataset.
healthcare.
healthcare.
healthcare.datasets.get
healthcare.datasets.list
healthcare.locations.*
healthcare.operations.get
resourcemanager.projects.get
resourcemanager.projects.list
Healthcare Attribute Definition Editor
(roles/)
Edit AttributeDefinition objects.
healthcare.
healthcare.
healthcare.
healthcare.consentStores.get
healthcare.consentStores.list
healthcare.
healthcare.datasets.get
healthcare.datasets.list
healthcare.locations.*
healthcare.operations.get
resourcemanager.projects.get
resourcemanager.projects.list
Healthcare Attribute Definition Reader
(roles/)
Read AttributeDefinition objects in a consent store.
healthcare.
healthcare.
healthcare.
healthcare.
healthcare.consentStores.get
healthcare.consentStores.list
healthcare.
healthcare.datasets.get
healthcare.datasets.list
healthcare.locations.*
healthcare.operations.get
resourcemanager.projects.get
resourcemanager.projects.list
Healthcare Consent Artifact Administrator
(roles/)
Administer ConsentArtifact objects.
healthcare.consentArtifacts.*
healthcare.
healthcare.
healthcare.consentStores.get
healthcare.consentStores.list
healthcare.
healthcare.datasets.get
healthcare.datasets.list
healthcare.locations.*
healthcare.operations.get
resourcemanager.projects.get
resourcemanager.projects.list
Healthcare Consent Artifact Editor
(roles/)
Edit ConsentArtifact objects.
healthcare.
healthcare.
healthcare.
healthcare.
healthcare.
healthcare.consentStores.get
healthcare.consentStores.list
healthcare.
healthcare.datasets.get
healthcare.datasets.list
healthcare.locations.*
healthcare.operations.get
resourcemanager.projects.get
resourcemanager.projects.list
Healthcare Consent Artifact Reader
(roles/)
Read ConsentArtifact objects in a consent store.
healthcare.
healthcare.
healthcare.
healthcare.
healthcare.consentStores.get
healthcare.consentStores.list
healthcare.
healthcare.datasets.get
healthcare.datasets.list
healthcare.locations.*
healthcare.operations.get
resourcemanager.projects.get
resourcemanager.projects.list
Healthcare Consent Editor
(roles/)
Edit Consent objects.
healthcare.
healthcare.
healthcare.consentStores.get
healthcare.consentStores.list
healthcare.
healthcare.consents.*
healthcare.datasets.get
healthcare.datasets.list
healthcare.locations.*
healthcare.operations.get
resourcemanager.projects.get
resourcemanager.projects.list
Healthcare Consent Reader
(roles/)
Read Consent objects in a consent store.
healthcare.
healthcare.
healthcare.consentStores.get
healthcare.consentStores.list
healthcare.
healthcare.consents.get
healthcare.consents.list
healthcare.datasets.get
healthcare.datasets.list
healthcare.locations.*
healthcare.operations.get
resourcemanager.projects.get
resourcemanager.projects.list
Healthcare Consent Store Administrator
(roles/)
Administer Consent stores.
healthcare.consentStores.*
healthcare.datasets.get
healthcare.datasets.list
healthcare.locations.*
healthcare.operations.get
resourcemanager.projects.get
resourcemanager.projects.list
Healthcare Consent Store Viewer
(roles/)
List Consent Stores in a dataset.
healthcare.
healthcare.
healthcare.consentStores.get
healthcare.consentStores.list
healthcare.
healthcare.datasets.get
healthcare.datasets.list
healthcare.locations.*
healthcare.operations.get
resourcemanager.projects.get
resourcemanager.projects.list
Healthcare Dataset Administrator
(roles/)
Administer Healthcare Datasets.
healthcare.datasets.*
healthcare.locations.*
healthcare.operations.*
resourcemanager.projects.get
resourcemanager.projects.list
Healthcare Dataset Viewer
(roles/)
List the Healthcare Datasets in a project.
healthcare.datasets.get
healthcare.datasets.list
healthcare.locations.*
healthcare.operations.get
resourcemanager.projects.get
resourcemanager.projects.list
Healthcare DICOM Editor
(roles/)
Edit DICOM images individually and in bulk.
healthcare.datasets.get
healthcare.datasets.list
healthcare.
healthcare.
healthcare.
healthcare.dicomStores.export
healthcare.dicomStores.get
healthcare.dicomStores.import
healthcare.dicomStores.list
healthcare.locations.*
healthcare.operations.cancel
healthcare.operations.get
resourcemanager.projects.get
resourcemanager.projects.list
Healthcare DICOM Store Administrator
(roles/)
Administer DICOM stores.
healthcare.datasets.get
healthcare.datasets.list
healthcare.dicomStores.create
healthcare.
healthcare.dicomStores.delete
healthcare.
healthcare.dicomStores.get
healthcare.
healthcare.dicomStores.list
healthcare.
healthcare.dicomStores.update
healthcare.locations.*
healthcare.operations.cancel
healthcare.operations.get
resourcemanager.projects.get
resourcemanager.projects.list
Healthcare DICOM Store Viewer
(roles/)
List DICOM Stores in a dataset.
healthcare.datasets.get
healthcare.datasets.list
healthcare.dicomStores.get
healthcare.dicomStores.list
healthcare.locations.*
healthcare.operations.get
resourcemanager.projects.get
resourcemanager.projects.list
Healthcare DICOM Viewer
(roles/)
Retrieve DICOM images from a DICOM store.
healthcare.datasets.get
healthcare.datasets.list
healthcare.
healthcare.dicomStores.export
healthcare.dicomStores.get
healthcare.dicomStores.list
healthcare.locations.*
healthcare.operations.get
resourcemanager.projects.get
resourcemanager.projects.list
Healthcare FHIR Resource Editor
(roles/)
Create, delete, update, read and search FHIR resources.
healthcare.datasets.get
healthcare.datasets.list
healthcare.
healthcare.
healthcare.fhirResources.get
healthcare.fhirResources.patch
healthcare.
healthcare.
healthcare.
healthcare.fhirStores.get
healthcare.fhirStores.list
healthcare.
healthcare.locations.*
healthcare.operations.cancel
healthcare.operations.get
resourcemanager.projects.get
resourcemanager.projects.list
Healthcare FHIR Resource Reader
(roles/)
Read and search FHIR resources.
healthcare.datasets.get
healthcare.datasets.list
healthcare.fhirResources.get
healthcare.
healthcare.
healthcare.fhirStores.get
healthcare.fhirStores.list
healthcare.
healthcare.locations.*
healthcare.operations.get
resourcemanager.projects.get
resourcemanager.projects.list
Healthcare FHIR Store Administrator
(roles/)
Administer FHIR resource stores.
healthcare.datasets.get
healthcare.datasets.list
healthcare.fhirResources.purge
healthcare.
healthcare.
healthcare.fhirStores.create
healthcare.
healthcare.fhirStores.delete
healthcare.
healthcare.
healthcare.fhirStores.export
healthcare.fhirStores.get
healthcare.
healthcare.
healthcare.fhirStores.import
healthcare.fhirStores.list
healthcare.fhirStores.rollback
healthcare.
healthcare.fhirStores.update
healthcare.locations.*
healthcare.operations.cancel
healthcare.operations.get
resourcemanager.projects.get
resourcemanager.projects.list
Healthcare FHIR Store Viewer
(roles/)
List FHIR Stores in a dataset.
healthcare.datasets.get
healthcare.datasets.list
healthcare.fhirStores.get
healthcare.fhirStores.list
healthcare.locations.*
healthcare.operations.get
resourcemanager.projects.get
resourcemanager.projects.list
Healthcare HL7v2 Message Consumer
(roles/)
List and read HL7v2 messages, update message labels, and publish new messages.
healthcare.datasets.get
healthcare.datasets.list
healthcare.
healthcare.hl7V2Messages.get
healthcare.hl7V2Messages.list
healthcare.
healthcare.hl7V2Stores.get
healthcare.hl7V2Stores.list
healthcare.locations.*
healthcare.operations.get
resourcemanager.projects.get
resourcemanager.projects.list
Healthcare HL7v2 Message Editor
(roles/)
Read, write, and delete access to HL7v2 messages.
healthcare.datasets.get
healthcare.datasets.list
healthcare.hl7V2Messages.*
healthcare.hl7V2Stores.get
healthcare.hl7V2Stores.list
healthcare.locations.*
healthcare.operations.cancel
healthcare.operations.get
resourcemanager.projects.get
resourcemanager.projects.list
Healthcare HL7v2 Message Ingest
(roles/)
Ingest HL7v2 messages received from a source network.
healthcare.datasets.get
healthcare.datasets.list
healthcare.
healthcare.hl7V2Stores.get
healthcare.hl7V2Stores.list
healthcare.locations.*
healthcare.operations.get
resourcemanager.projects.get
resourcemanager.projects.list
Healthcare HL7v2 Store Administrator
(roles/)
Administer HL7v2 Stores.
healthcare.datasets.get
healthcare.datasets.list
healthcare.hl7V2Stores.*
healthcare.locations.*
healthcare.operations.cancel
healthcare.operations.get
resourcemanager.projects.get
resourcemanager.projects.list
Healthcare HL7v2 Store Viewer
(roles/)
View HL7v2 Stores in a dataset.
healthcare.datasets.get
healthcare.datasets.list
healthcare.hl7V2Stores.get
healthcare.hl7V2Stores.list
healthcare.locations.*
healthcare.operations.get
resourcemanager.projects.get
resourcemanager.projects.list
Healthcare NLP Service Viewer
Beta
(roles/)
Extract and analyze medical entities from a given text.
healthcare.locations.*
healthcare.
resourcemanager.projects.get
resourcemanager.projects.list
Healthcare User Data Mapping Editor
(roles/)
Edit UserDataMapping objects.
healthcare.
healthcare.
healthcare.consentStores.get
healthcare.consentStores.list
healthcare.
healthcare.datasets.get
healthcare.datasets.list
healthcare.locations.*
healthcare.operations.get
healthcare.userDataMappings.*
resourcemanager.projects.get
resourcemanager.projects.list
Healthcare User Data Mapping Reader
(roles/)
Read UserDataMapping objects in a consent store.
healthcare.
healthcare.
healthcare.consentStores.get
healthcare.consentStores.list
healthcare.
healthcare.datasets.get
healthcare.datasets.list
healthcare.locations.*
healthcare.operations.get
healthcare.
healthcare.
resourcemanager.projects.get
resourcemanager.projects.list
Cloud IAP roles
Permissions
IAP Policy Admin
(roles/)
Provides full access to Identity-Aware Proxy resources.
iap.tunnel.*
iap.
iap.
iap.
iap.
iap.tunnelLocations.*
iap.tunnelZones.*
iap.web.getIamPolicy
iap.web.setIamPolicy
iap.
iap.
iap.webServices.getIamPolicy
iap.webServices.setIamPolicy
iap.webTypes.getIamPolicy
iap.webTypes.setIamPolicy
IAP-secured Web App User
(roles/)
Provides permission to access HTTPS resources which use Identity-Aware Proxy.
iap.
(roles/)
Remediate IAP resource
iap.tunnelDestGroups.remediate
iap.tunnelinstances.remediate
iap.
IAP Settings Admin
(roles/)
Administrator of IAP Settings.
iap.projects.*
iap.web.getSettings
iap.web.updateSettings
iap.
iap.
iap.webServices.getSettings
iap.webServices.updateSettings
iap.webTypes.getSettings
iap.webTypes.updateSettings
IAP-secured Tunnel Destination Group Editor
(roles/)
Edit Tunnel Destination Group resources which use Identity-Aware Proxy
iap.tunnelDestGroups.create
iap.tunnelDestGroups.delete
iap.tunnelDestGroups.get
iap.tunnelDestGroups.list
iap.tunnelDestGroups.update
IAP-secured Tunnel Destination Group Viewer
(roles/)
View Tunnel Destination Group resources which use Identity-Aware Proxy
iap.tunnelDestGroups.get
iap.tunnelDestGroups.list
IAP-secured Tunnel User
(roles/)
Access Tunnel resources which use Identity-Aware Proxy
iap.
iap.
Cloud IDS roles
Permissions
Cloud IDS Admin
Beta
(roles/)
Full access to Cloud IDS all resources.
ids.*
resourcemanager.projects.get
resourcemanager.projects.list
Cloud IDS Viewer
Beta
(roles/)
Read-only access to Cloud IDS all resources.
ids.endpoints.get
ids.endpoints.getIamPolicy
ids.endpoints.list
ids.locations.*
ids.operations.get
ids.operations.list
resourcemanager.projects.get
resourcemanager.projects.list
Cloud KMS roles
Permissions
Cloud KMS Admin
(roles/)
Provides access to Cloud KMS resources, except for access to restricted resource types and cryptographic operations.
Lowest-level resources where you can grant this role:
cloudkms.autokeyConfigs.*
cloudkms.
cloudkms.
cloudkms.cryptoKeyVersions.get
cloudkms.
cloudkms.
cloudkms.
cloudkms.
cloudkms.
cloudkms.cryptoKeys.*
cloudkms.ekmConfigs.*
cloudkms.ekmConnections.*
cloudkms.importJobs.*
cloudkms.keyHandles.*
cloudkms.keyRings.*
cloudkms.locations.get
cloudkms.locations.list
cloudkms.
cloudkms.operations.get
cloudkms.
resourcemanager.projects.get
Cloud KMS Autokey Admin
(roles/)
Enables management of AutokeyConfig.
cloudkms.autokeyConfigs.*
cloudkms.
Cloud KMS Autokey User
(roles/)
Grants ability to use KeyHandle resources.
cloudkms.keyHandles.*
cloudkms.operations.get
cloudkms.
Cloud KMS CryptoKey Decrypter
(roles/)
Provides ability to use Cloud KMS resources for decrypt operations
only.
Lowest-level resources where you can grant this role:
cloudkms.
cloudkms.locations.get
cloudkms.locations.list
resourcemanager.projects.get
Cloud KMS CryptoKey Decrypter Via Delegation
(roles/)
Enables Decrypt operations via other Google Cloud services
cloudkms.
cloudkms.locations.get
cloudkms.locations.list
resourcemanager.projects.get
resourcemanager.projects.list
Cloud KMS CryptoKey Encrypter
(roles/)
Provides ability to use Cloud KMS resources for encrypt operations
only.
Lowest-level resources where you can grant this role:
cloudkms.
cloudkms.locations.get
cloudkms.locations.list
resourcemanager.projects.get
Cloud KMS CryptoKey Encrypter/Decrypter
(roles/)
Provides ability to use Cloud KMS resources for encrypt and decrypt
operations only.
Lowest-level resources where you can grant this role:
cloudkms.
cloudkms.
cloudkms.locations.get
cloudkms.locations.list
resourcemanager.projects.get
Cloud KMS CryptoKey Encrypter/Decrypter Via Delegation
(roles/)
Enables Encrypt and Decrypt operations via other Google Cloud services
cloudkms.
cloudkms.
cloudkms.locations.get
cloudkms.locations.list
resourcemanager.projects.get
resourcemanager.projects.list
Cloud KMS CryptoKey Encrypter Via Delegation
(roles/)
Enables Encrypt operations via other Google Cloud services
cloudkms.
cloudkms.locations.get
cloudkms.locations.list
resourcemanager.projects.get
resourcemanager.projects.list
Cloud KMS Crypto Operator
(roles/)
Enables all Crypto Operations.
cloudkms.
cloudkms.
cloudkms.
cloudkms.
cloudkms.
cloudkms.
cloudkms.locations.get
cloudkms.locations.list
resourcemanager.projects.get
Cloud KMS EkmConnections Admin
(roles/)
Enables management of EkmConnections.
cloudkms.ekmConfigs.get
cloudkms.ekmConfigs.update
cloudkms.ekmConnections.create
cloudkms.ekmConnections.get
cloudkms.ekmConnections.list
cloudkms.ekmConnections.update
cloudkms.
resourcemanager.projects.get
resourcemanager.projects.list
Cloud KMS Expert Raw AES-CBC Key Manager
(roles/)
Enables raw AES-CBC keys management.
cloudkms.
cloudkms.locations.get
cloudkms.locations.list
resourcemanager.projects.get
resourcemanager.projects.list
Cloud KMS Expert Raw AES-CTR Key Manager
(roles/)
Enables raw AES-CTR keys management.
cloudkms.
cloudkms.locations.get
cloudkms.locations.list
resourcemanager.projects.get
resourcemanager.projects.list
Cloud KMS Expert Raw PKCS#1 Key Manager
(roles/)
Enables raw PKCS#1 keys management.
cloudkms.
cloudkms.locations.get
cloudkms.locations.list
resourcemanager.projects.get
resourcemanager.projects.list
Cloud KMS Importer
(roles/)
Enables ImportCryptoKeyVersion, CreateImportJob, ListImportJobs, and GetImportJob operations
cloudkms.importJobs.create
cloudkms.importJobs.get
cloudkms.importJobs.list
cloudkms.
cloudkms.locations.get
cloudkms.locations.list
resourcemanager.projects.get
Cloud KMS Protected Resources Viewer
(roles/)
Enables viewing protected resources.
cloudkms.
Cloud KMS CryptoKey Public Key Viewer
(roles/)
Enables GetPublicKey operations
cloudkms.
cloudkms.locations.get
cloudkms.locations.list
resourcemanager.projects.get
Cloud KMS CryptoKey Signer
(roles/)
Enables Sign operations
cloudkms.
cloudkms.locations.get
cloudkms.locations.list
resourcemanager.projects.get
Cloud KMS CryptoKey Signer/Verifier
(roles/)
Enables Sign, Verify, and GetPublicKey operations
cloudkms.
cloudkms.
cloudkms.
cloudkms.locations.get
cloudkms.locations.list
resourcemanager.projects.get
Cloud KMS CryptoKey Verifier
(roles/)
Enables Verify and GetPublicKey operations
cloudkms.
cloudkms.
cloudkms.locations.get
cloudkms.locations.list
resourcemanager.projects.get
Cloud KMS Viewer
(roles/)
Enables Get and List operations.
cloudkms.autokeyConfigs.get
cloudkms.cryptoKeyVersions.get
cloudkms.
cloudkms.cryptoKeys.get
cloudkms.cryptoKeys.list
cloudkms.ekmConfigs.get
cloudkms.ekmConnections.get
cloudkms.ekmConnections.list
cloudkms.importJobs.get
cloudkms.importJobs.list
cloudkms.keyHandles.get
cloudkms.keyHandles.list
cloudkms.keyRings.get
cloudkms.keyRings.list
cloudkms.locations.get
cloudkms.locations.list
cloudkms.operations.get
resourcemanager.projects.get
Cloud Life Sciences roles
Permissions
Cloud Life Sciences Admin
Beta
(roles/)
Full control of Cloud Life Sciences resources.
lifesciences.*
Cloud Life Sciences Editor
Beta
(roles/)
Access to read and edit Cloud Life Sciences resources.
lifesciences.*
Cloud Life Sciences Viewer
Beta
(roles/)
Access to read Cloud Life Sciences resources.
lifesciences.operations.get
lifesciences.operations.list
resourcemanager.projects.get
resourcemanager.projects.list
Cloud Life Sciences Workflows Runner
Beta
(roles/)
Full access to operate on Cloud Life Sciences workflows.
lifesciences.*
Cloud Managed Identities roles
Permissions
Google Cloud Managed Identities Admin
(roles/)
Full access to Google Cloud Managed Identities Domains and related resources. Intended to be granted on a project-level.
managedidentities.*
resourcemanager.projects.get
resourcemanager.projects.list
Google Cloud Managed Identities Backup Admin
(roles/)
Full access to Google Cloud Managed Identities Backup and related resources. Intended to be granted on a project-level
managedidentities.backups.*
managedidentities.domains.get
managedidentities.locations.*
managedidentities.operations.*
resourcemanager.projects.get
resourcemanager.projects.list
Google Cloud Managed Identities Backup Viewer
(roles/)
Read-only access to Google Cloud Managed Identities Backup and related resources.
managedidentities.backups.get
managedidentities.
managedidentities.backups.list
managedidentities.domains.get
managedidentities.locations.*
managedidentities.
managedidentities.
resourcemanager.projects.get
resourcemanager.projects.list
Google Cloud Managed Identities Domain Admin
(roles/)
Read-Update-Delete to Google Cloud Managed Identities Domains and related resources. Intended to be granted on a resource (domain) level.
managedidentities.backups.*
managedidentities.
managedidentities.
managedidentities.
managedidentities.
managedidentities.
managedidentities.
managedidentities.
managedidentities.
managedidentities.
managedidentities.
managedidentities.domains.get
managedidentities.
managedidentities.
managedidentities.
managedidentities.
managedidentities.
managedidentities.
managedidentities.
managedidentities.
managedidentities.
managedidentities.locations.*
managedidentities.
managedidentities.
managedidentities.
resourcemanager.projects.get
resourcemanager.projects.list
Google Cloud Managed Identities Domain Join
Beta
(roles/)
Access to domain join VMs with Cloud AD
managedidentities.
managedidentities.domains.get
Google Cloud Managed Identities Peering Admin
(roles/)
Full access to Google Cloud Managed Identities Domains and related resources. Intended to be granted on a project-level
managedidentities.locations.*
managedidentities.operations.*
managedidentities.peerings.*
resourcemanager.projects.get
resourcemanager.projects.list
Google Cloud Managed Identities Peering Viewer
(roles/)
Read-only access to Google Cloud Managed Identities Peering and related resources.
managedidentities.locations.*
managedidentities.
managedidentities.
managedidentities.peerings.get
managedidentities.
managedidentities.
resourcemanager.projects.get
resourcemanager.projects.list
Google Cloud Managed Identities Viewer
(roles/)
Read-only access to Google Cloud Managed Identities Domains and related resources.
managedidentities.backups.get
managedidentities.
managedidentities.backups.list
managedidentities.domains.get
managedidentities.
managedidentities.domains.list
managedidentities.
managedidentities.
managedidentities.locations.*
managedidentities.
managedidentities.
managedidentities.peerings.get
managedidentities.
managedidentities.
managedidentities.
resourcemanager.projects.get
resourcemanager.projects.list
Cloud Marketplace roles
Permissions
Commerce Business Enablement Configuration Admin
Beta
(roles/)
Admin of Various Provider Configuration resources
commercebusinessenablement.
commercebusinessenablement.
commercebusinessenablement.
commercebusinessenablement.
commercebusinessenablement.
resourcemanager.
resourcemanager.projects.get
resourcemanager.projects.list
Commerce Business Enablement PaymentConfig Admin
Beta
(roles/)
Administration of Payment Configuration resource
commercebusinessenablement.
commercebusinessenablement.
resourcemanager.projects.get
resourcemanager.projects.list
Commerce Business Enablement PaymentConfig Viewer
Beta
(roles/)
Viewer of Payment Configuration resource
commercebusinessenablement.
commercebusinessenablement.
resourcemanager.projects.get
resourcemanager.projects.list
Commerce Business Enablement Rebates Admin
Beta
(roles/)
Provides admin access to rebates
commercebusinessenablement.
commercebusinessenablement.
commercebusinessenablement.
Commerce Business Enablement Rebates Viewer
Beta
(roles/)
Provides read-only access to rebates
commercebusinessenablement.
commercebusinessenablement.
commercebusinessenablement.
commercebusinessenablement.
commercebusinessenablement.
Commerce Business Enablement Reseller Discount Admin
Beta
(roles/)
Provides admin access to reseller discount offers
commercebusinessenablement.
commercebusinessenablement.
commercebusinessenablement.
commercebusinessenablement.
commercebusinessenablement.
commercebusinessenablement.
resourcemanager.
resourcemanager.projects.get
resourcemanager.projects.list
Commerce Business Enablement Reseller Discount Viewer
Beta
(roles/)
Provides read-only access to reseller discount offers
commercebusinessenablement.
commercebusinessenablement.
commercebusinessenablement.
commercebusinessenablement.
commercebusinessenablement.
commercebusinessenablement.
commercebusinessenablement.
resourcemanager.
resourcemanager.projects.get
resourcemanager.projects.list
Commerce Business Enablement Configuration Viewer
Beta
(roles/)
Viewer of Various Provider Configuration resource
commercebusinessenablement.
commercebusinessenablement.
commercebusinessenablement.
commercebusinessenablement.
commercebusinessenablement.
resourcemanager.
resourcemanager.projects.get
resourcemanager.projects.list
Commerce Offer Catalog Offers Viewer
Beta
(roles/)
Allows viewing offers
commerceoffercatalog.*
Commerce Organization Governance Admin
Beta
(roles/)
Full access to Organization Governance APIs
commerceorggovernance.*
consumerprocurement.
resourcemanager.projects.get
resourcemanager.projects.list
Governed Marketplace User
Beta
(roles/)
Full access to Governed Marketplace features.
commerceorggovernance.
consumerprocurement.
resourcemanager.projects.get
resourcemanager.projects.list
Commerce Organization Governance Viewer
Beta
(roles/)
Full access to Organization Governance read-only APIs.
commerceorggovernance.
commerceorggovernance.
commerceorggovernance.
commerceorggovernance.
commerceorggovernance.
commerceorggovernance.
commerceorggovernance.
consumerprocurement.
resourcemanager.projects.get
resourcemanager.projects.list
Commerce Price Management Events Viewer
Beta
(roles/)
Allows viewing key events for an offer
commerceprice.events.*
resourcemanager.projects.get
resourcemanager.projects.list
Commerce Price Management Private Offers Admin
Beta
(roles/)
Allows managing private offers
commerceagreementpublishing.*
commerceprice.*
resourcemanager.projects.get
resourcemanager.projects.list
serviceusage.services.get
serviceusage.services.list
Commerce Price Management Viewer
Beta
(roles/)
Allows viewing offers, free trials, skus
commerceagreementpublishing.
commerceagreementpublishing.
commerceagreementpublishing.
commerceagreementpublishing.
commerceprice.
commerceprice.
resourcemanager.projects.get
resourcemanager.projects.list
serviceusage.services.get
serviceusage.services.list
Commerce Producer Admin
Beta
(roles/)
Grants full access to all resources in Cloud Commerce Producer API.
commercebusinessenablement.
resourcemanager.projects.get
resourcemanager.projects.list
Commerce Producer Viewer
Beta
(roles/)
Grants read access to all resources in Cloud Commerce Producer API.
commercebusinessenablement.
resourcemanager.projects.get
resourcemanager.projects.list
Consumer Procurement Entitlement Manager
(roles/)
Allows managing entitlements and enabling, disabling, and inspecting service states for a consumer
project.
commerceoffercatalog.
consumerprocurement.
consumerprocurement.
consumerprocurement.
consumerprocurement.
consumerprocurement.
consumerprocurement.
orgpolicy.policy.get
resourcemanager.projects.get
resourcemanager.projects.list
serviceusage.services.disable
serviceusage.services.enable
serviceusage.services.get
serviceusage.services.list
Consumer Procurement Entitlement Viewer
(roles/)
Allows inspecting entitlements and service states for a consumer project.
commerceoffercatalog.
consumerprocurement.
consumerprocurement.
consumerprocurement.
consumerprocurement.
consumerprocurement.
orgpolicy.policy.get
resourcemanager.projects.get
resourcemanager.projects.list
serviceusage.services.get
serviceusage.services.list
Consumer Procurement Events Viewer
(roles/)
Allows viewing key events for an offer
consumerprocurement.events.*
Consumer Procurement License Pool Editor
(roles/)
Allows managing license pools and license assignments.
consumerprocurement.
Consumer Procurement License Pool Viewer
(roles/)
Allows viewing license pools and license assignments.
consumerprocurement.
consumerprocurement.
Consumer Procurement Order Administrator
(roles/)
Allows managing purchases.
billing.accounts.get
billing.accounts.getIamPolicy
billing.accounts.list
billing.
billing.credits.list
billing.
commerceoffercatalog.*
consumerprocurement.accounts.*
consumerprocurement.
consumerprocurement.
consumerprocurement.
consumerprocurement.
consumerprocurement.events.*
consumerprocurement.
consumerprocurement.
consumerprocurement.orders.*
Consumer Procurement Order Viewer
(roles/)
Allows inspecting purchases.
billing.accounts.get
billing.accounts.getIamPolicy
billing.accounts.list
billing.credits.list
commerceoffercatalog.*
consumerprocurement.
consumerprocurement.
consumerprocurement.
consumerprocurement.
consumerprocurement.
consumerprocurement.
consumerprocurement.
consumerprocurement.
consumerprocurement.orders.get
consumerprocurement.
Consumer Procurement Administrator
(roles/)
Allows managing purchases, consents at both billing account and project level.
billing.accounts.get
billing.accounts.getIamPolicy
billing.accounts.list
billing.
billing.credits.list
billing.
commerceoffercatalog.*
consumerprocurement.*
orgpolicy.policy.get
resourcemanager.projects.get
resourcemanager.projects.list
serviceusage.services.disable
serviceusage.services.enable
serviceusage.services.get
serviceusage.services.list
Consumer Procurement Viewer
(roles/)
Allows inspecting purchases, consents and entitlements and service states for a consumer project.
billing.accounts.get
billing.accounts.getIamPolicy
billing.accounts.list
billing.credits.list
commerceoffercatalog.*
consumerprocurement.
consumerprocurement.
consumerprocurement.
consumerprocurement.
consumerprocurement.
consumerprocurement.
consumerprocurement.
consumerprocurement.
consumerprocurement.
consumerprocurement.
consumerprocurement.
consumerprocurement.orders.get
consumerprocurement.
orgpolicy.policy.get
resourcemanager.projects.get
resourcemanager.projects.list
serviceusage.services.get
serviceusage.services.list
Cloud Migration roles
Permissions
Velostrata Manager
Beta
(roles/)
Ability to create and manage Compute VMs to run Velostrata Infrastructure
cloudmigration.
compute.addresses.create
compute.
compute.addresses.delete
compute.
compute.addresses.get
compute.addresses.list
compute.addresses.setLabels
compute.addresses.use
compute.addresses.useInternal
compute.diskTypes.*
compute.disks.create
compute.disks.createSnapshot
compute.disks.delete
compute.disks.get
compute.disks.list
compute.disks.setLabels
compute.disks.update
compute.disks.use
compute.disks.useReadOnly
compute.globalOperations.get
compute.images.get
compute.images.list
compute.images.useReadOnly
compute.instances.attachDisk
compute.instances.create
compute.instances.delete
compute.instances.detachDisk
compute.instances.get
compute.
compute.instances.list
compute.instances.reset
compute.
compute.instances.setLabels
compute.
compute.instances.setMetadata
compute.
compute.
compute.
compute.instances.setTags
compute.instances.start
compute.
compute.instances.stop
compute.instances.update
compute.
compute.
compute.instances.use
compute.licenseCodes.get
compute.licenseCodes.list
compute.licenseCodes.update
compute.licenses.get
compute.licenses.list
compute.machineTypes.*
compute.networks.get
compute.networks.list
compute.networks.use
compute.networks.useExternalIp
compute.nodeGroups.get
compute.nodeGroups.list
compute.nodeTemplates.list
compute.projects.get
compute.regionOperations.get
compute.regions.*
compute.snapshots.create
compute.snapshots.delete
compute.snapshots.get
compute.snapshots.setLabels
compute.snapshots.useReadOnly
compute.subnetworks.get
compute.subnetworks.list
compute.subnetworks.use
compute.
compute.zoneOperations.get
compute.zones.*
gkehub.endpoints.connect
iam.serviceAccounts.get
iam.serviceAccounts.list
resourcemanager.projects.get
storage.buckets.create
storage.buckets.delete
storage.buckets.get
storage.buckets.list
storage.buckets.update
Velostrata Storage Access
Beta
(roles/)
Ability to access migration storage
storage.objects.create
storage.objects.delete
storage.objects.get
storage.objects.list
storage.objects.update
Velostrata Manager Connection Agent
Beta
(roles/)
Ability to set up connection between Velostrata Manager and Google
cloudmigration.
gkehub.endpoints.connect
VM Migration Administrator
Beta
(roles/)
Ability to view and edit all VM Migration objects
resourcemanager.projects.get
resourcemanager.projects.list
vmmigration.*
VM Migration Viewer
Beta
(roles/)
Ability to view all VM Migration objects
resourcemanager.projects.get
resourcemanager.projects.list
vmmigration.cloneJobs.get
vmmigration.cloneJobs.list
vmmigration.cutoverJobs.get
vmmigration.cutoverJobs.list
vmmigration.
vmmigration.
vmmigration.deployments.get
vmmigration.deployments.list
vmmigration.groups.get
vmmigration.groups.list
vmmigration.locations.*
vmmigration.migratingVms.get
vmmigration.migratingVms.list
vmmigration.operations.get
vmmigration.operations.list
vmmigration.
vmmigration.sources.get
vmmigration.sources.list
vmmigration.targets.get
vmmigration.targets.list
vmmigration.
vmmigration.
Cloud Private Catalog roles
Permissions
Catalog Consumer
Beta
(roles/)
Can browse catalogs in the target resource context.
cloudprivatecatalog.
resourcemanager.projects.get
resourcemanager.projects.list
Catalog Admin
Beta
(roles/)
Can manage catalog and view its associations.
cloudprivatecatalog.
cloudprivatecatalogproducer.
cloudprivatecatalogproducer.
cloudprivatecatalogproducer.
cloudprivatecatalogproducer.
cloudprivatecatalogproducer.
cloudprivatecatalogproducer.
resourcemanager.folders.get
resourcemanager.folders.list
resourcemanager.
resourcemanager.projects.get
resourcemanager.projects.list
Catalog Manager
Beta
(roles/)
Can manage associations between a catalog and a target resource.
cloudprivatecatalog.
cloudprivatecatalogproducer.
cloudprivatecatalogproducer.
cloudprivatecatalogproducer.
cloudprivatecatalogproducer.
cloudprivatecatalogproducer.
cloudprivatecatalogproducer.
cloudprivatecatalogproducer.
resourcemanager.folders.get
resourcemanager.folders.list
resourcemanager.
resourcemanager.projects.get
resourcemanager.projects.list
Catalog Org Admin
Beta
(roles/)
Can manage catalog org settings.
cloudprivatecatalog.
cloudprivatecatalogproducer.*
commerceorggovernance.
resourcemanager.folders.get
resourcemanager.folders.list
resourcemanager.
resourcemanager.projects.get
resourcemanager.projects.list
Cloud Profiler roles
Permissions
Cloud Profiler Agent
(roles/)
Cloud Profiler agents are allowed to register and provide the profiling data.
cloudprofiler.profiles.create
cloudprofiler.profiles.update
Cloud Profiler User
(roles/)
Cloud Profiler users are allowed to query and view the profiling data.
cloudprofiler.profiles.list
resourcemanager.projects.get
resourcemanager.projects.list
serviceusage.quotas.get
serviceusage.services.get
serviceusage.services.list
Cloud Run roles
Permissions
Cloud Run Admin
(roles/)
Full control over all Cloud Run resources.
Lowest-level resources where you can grant this role:
Cloud Run service
Cloud Run job
recommender.locations.*
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
resourcemanager.projects.get
resourcemanager.projects.list
run.*
Cloud Run Builder
Beta
(roles/)
Can build Cloud Run functions and source deployed services.
artifactregistry.
artifactregistry.
artifactregistry.
logging.logEntries.create
source.repos.get
storage.objects.get
Cloud Run Developer
(roles/)
Read and write access to all Cloud Run resources.
Lowest-level resources where you can grant this role:
Cloud Run service
Cloud Run job
recommender.locations.*
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
resourcemanager.projects.get
resourcemanager.projects.list
run.configurations.*
run.executions.*
run.jobs.create
run.jobs.delete
run.jobs.get
run.jobs.getIamPolicy
run.jobs.list
run.jobs.listEffectiveTags
run.jobs.listTagBindings
run.jobs.run
run.jobs.runWithOverrides
run.jobs.update
run.locations.list
run.operations.*
run.revisions.*
run.routes.*
run.services.create
run.services.delete
run.services.get
run.services.getIamPolicy
run.services.list
run.services.listEffectiveTags
run.services.listTagBindings
run.services.update
run.tasks.*
Cloud Run Invoker
(roles/)
Can invoke Cloud Run services and execute Cloud Run jobs.
Lowest-level resources where you can grant this role:
Cloud Run service
Cloud Run job
run.jobs.run
run.routes.invoke
Cloud Run Jobs Executor
(roles/)
Can execute and cancel Cloud Run jobs.
run.executions.cancel
run.jobs.run
Cloud Run Jobs Executor With Overrides
(roles/)
Can execute and cancel Cloud Run jobs with overrides.
run.executions.cancel
run.jobs.run
run.jobs.runWithOverrides
Cloud Run Service Invoker
(roles/)
Can invoke Cloud Run services.
run.routes.invoke
Cloud Run Source Developer
Beta
(roles/)
Deploy and manage Cloud Run source deployed resources.
artifactregistry.
artifactregistry.
artifactregistry.
artifactregistry.
artifactregistry.files.get
artifactregistry.files.list
artifactregistry.locations.*
artifactregistry.
artifactregistry.npmpackages.*
artifactregistry.packages.get
artifactregistry.packages.list
artifactregistry.
artifactregistry.
artifactregistry.
artifactregistry.
artifactregistry.
artifactregistry.
artifactregistry.
artifactregistry.
artifactregistry.
artifactregistry.rules.get
artifactregistry.rules.list
artifactregistry.tags.get
artifactregistry.tags.list
artifactregistry.versions.get
artifactregistry.versions.list
cloudbuild.builds.create
cloudbuild.builds.get
cloudbuild.builds.list
cloudbuild.builds.update
cloudbuild.operations.*
eventarc.
eventarc.
eventarc.
eventarc.
eventarc.
eventarc.
eventarc.channels.attach
eventarc.channels.create
eventarc.channels.delete
eventarc.channels.get
eventarc.channels.getIamPolicy
eventarc.channels.list
eventarc.channels.publish
eventarc.channels.undelete
eventarc.channels.update
eventarc.enrollments.create
eventarc.enrollments.delete
eventarc.enrollments.get
eventarc.
eventarc.enrollments.list
eventarc.enrollments.update
eventarc.
eventarc.
eventarc.googleApiSources.get
eventarc.
eventarc.googleApiSources.list
eventarc.
eventarc.
eventarc.locations.*
eventarc.operations.*
eventarc.pipelines.create
eventarc.pipelines.delete
eventarc.pipelines.get
eventarc.
eventarc.pipelines.list
eventarc.pipelines.update
eventarc.providers.*
eventarc.triggers.create
eventarc.triggers.delete
eventarc.triggers.get
eventarc.triggers.getIamPolicy
eventarc.triggers.list
eventarc.triggers.undelete
eventarc.triggers.update
orgpolicy.policy.get
pubsub.schemas.attach
pubsub.schemas.commit
pubsub.schemas.create
pubsub.schemas.delete
pubsub.schemas.get
pubsub.schemas.list
pubsub.schemas.listRevisions
pubsub.schemas.rollback
pubsub.schemas.validate
pubsub.snapshots.create
pubsub.snapshots.delete
pubsub.snapshots.get
pubsub.snapshots.list
pubsub.snapshots.seek
pubsub.snapshots.update
pubsub.subscriptions.consume
pubsub.subscriptions.create
pubsub.subscriptions.delete
pubsub.subscriptions.get
pubsub.subscriptions.list
pubsub.subscriptions.update
pubsub.
pubsub.topics.create
pubsub.topics.delete
pubsub.
pubsub.topics.get
pubsub.topics.list
pubsub.topics.publish
pubsub.topics.update
pubsub.topics.updateTag
recommender.locations.*
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
remotebuildexecution.blobs.get
resourcemanager.projects.get
resourcemanager.projects.list
run.configurations.*
run.executions.*
run.jobs.create
run.jobs.delete
run.jobs.get
run.jobs.getIamPolicy
run.jobs.list
run.jobs.listEffectiveTags
run.jobs.listTagBindings
run.jobs.run
run.jobs.runWithOverrides
run.jobs.update
run.locations.list
run.operations.*
run.revisions.*
run.routes.*
run.services.create
run.services.delete
run.services.get
run.services.getIamPolicy
run.services.list
run.services.listEffectiveTags
run.services.listTagBindings
run.services.update
run.tasks.*
serviceusage.quotas.get
serviceusage.services.get
serviceusage.services.list
storage.buckets.create
storage.buckets.get
storage.buckets.list
storage.folders.create
storage.folders.get
storage.folders.list
storage.managedFolders.create
storage.managedFolders.get
storage.managedFolders.list
storage.multipartUploads.abort
storage.
storage.
storage.objects.create
storage.objects.get
storage.objects.list
Cloud Run Source Viewer
Beta
(roles/)
View Cloud Run source deployed resources.
artifactregistry.
artifactregistry.
cloudbuild.builds.get
cloudbuild.builds.list
cloudbuild.operations.*
eventarc.
eventarc.
eventarc.
eventarc.channels.get
eventarc.channels.getIamPolicy
eventarc.channels.list
eventarc.enrollments.get
eventarc.
eventarc.enrollments.list
eventarc.googleApiSources.get
eventarc.
eventarc.googleApiSources.list
eventarc.
eventarc.locations.*
eventarc.messageBuses.get
eventarc.
eventarc.messageBuses.list
eventarc.messageBuses.use
eventarc.operations.get
eventarc.operations.list
eventarc.pipelines.get
eventarc.
eventarc.pipelines.list
eventarc.providers.*
eventarc.triggers.get
eventarc.triggers.getIamPolicy
eventarc.triggers.list
pubsub.schemas.get
pubsub.schemas.list
pubsub.schemas.listRevisions
pubsub.schemas.validate
pubsub.snapshots.get
pubsub.snapshots.list
pubsub.subscriptions.get
pubsub.subscriptions.list
pubsub.topics.get
pubsub.topics.list
recommender.locations.*
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
remotebuildexecution.blobs.get
resourcemanager.projects.get
resourcemanager.projects.list
run.configurations.*
run.executions.get
run.executions.list
run.jobs.get
run.jobs.getIamPolicy
run.jobs.list
run.jobs.listEffectiveTags
run.jobs.listTagBindings
run.locations.list
run.operations.get
run.operations.list
run.revisions.get
run.revisions.list
run.routes.get
run.routes.list
run.services.get
run.services.getIamPolicy
run.services.list
run.services.listEffectiveTags
run.services.listTagBindings
run.tasks.*
serviceusage.quotas.get
serviceusage.services.get
serviceusage.services.list
storage.folders.get
storage.folders.list
storage.managedFolders.get
storage.managedFolders.list
storage.objects.get
storage.objects.list
Cloud Run Viewer
(roles/)
Can view the state of all Cloud Run resources, including IAM policies.
Lowest-level resources where you can grant this role:
Cloud Run service
Cloud Run job
recommender.locations.*
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
resourcemanager.projects.get
resourcemanager.projects.list
run.configurations.*
run.executions.get
run.executions.list
run.jobs.get
run.jobs.getIamPolicy
run.jobs.list
run.jobs.listEffectiveTags
run.jobs.listTagBindings
run.locations.list
run.operations.get
run.operations.list
run.revisions.get
run.revisions.list
run.routes.get
run.routes.list
run.services.get
run.services.getIamPolicy
run.services.list
run.services.listEffectiveTags
run.services.listTagBindings
run.tasks.*
Cloud Scheduler roles
Permissions
Cloud Scheduler Admin
(roles/)
Full access to jobs and executions.
Note that a Cloud Scheduler Admin (or any custom role with the permission
cloudscheduler.jobs.create) can create jobs that publish to any Pub/Sub topics within the
project.
appengine.applications.get
cloudscheduler.*
resourcemanager.projects.get
resourcemanager.projects.list
serviceusage.services.get
serviceusage.services.list
Cloud Scheduler Job Runner
(roles/)
Access to run jobs.
appengine.applications.get
cloudscheduler.jobs.fullView
cloudscheduler.jobs.run
resourcemanager.projects.get
resourcemanager.projects.list
serviceusage.services.get
serviceusage.services.list
Cloud Scheduler Viewer
(roles/)
Get and list access to jobs, executions, and locations.
appengine.applications.get
cloudscheduler.jobs.fullView
cloudscheduler.jobs.get
cloudscheduler.jobs.list
cloudscheduler.locations.*
resourcemanager.projects.get
resourcemanager.projects.list
serviceusage.services.get
serviceusage.services.list
Cloud Security Scanner roles
Permissions
Web Security Scanner Editor
(roles/)
Full access to all Web Security Scanner resources
Lowest-level resources where you can grant this role:
appengine.applications.get
cloudsecurityscanner.*
compute.addresses.list
resourcemanager.projects.get
resourcemanager.projects.list
serviceusage.quotas.get
serviceusage.services.get
serviceusage.services.list
Web Security Scanner Runner
(roles/)
Read access to Scan and ScanRun, plus the ability to start scans
Lowest-level resources where you can grant this role:
cloudsecurityscanner.
cloudsecurityscanner.
cloudsecurityscanner.
cloudsecurityscanner.
cloudsecurityscanner.scans.get
cloudsecurityscanner.
cloudsecurityscanner.scans.run
Web Security Scanner Viewer
(roles/)
Read access to all Web Security Scanner resources
Lowest-level resources where you can grant this role:
cloudsecurityscanner.
cloudsecurityscanner.results.*
cloudsecurityscanner.
cloudsecurityscanner.
cloudsecurityscanner.
cloudsecurityscanner.scans.get
cloudsecurityscanner.
serviceusage.quotas.get
serviceusage.services.get
serviceusage.services.list
Cloud Services roles
Permissions
Service Broker Admin
(roles/)
Full access to ServiceBroker resources.
servicebroker.*
Service Broker Operator
(roles/)
Operational access to the ServiceBroker resources.
servicebroker.
servicebroker.bindings.create
servicebroker.bindings.delete
servicebroker.bindings.get
servicebroker.bindings.list
servicebroker.catalogs.create
servicebroker.catalogs.delete
servicebroker.catalogs.get
servicebroker.catalogs.list
servicebroker.
servicebroker.instances.create
servicebroker.instances.delete
servicebroker.instances.get
servicebroker.instances.list
servicebroker.instances.update
Cloud Spanner roles
Permissions
Cloud Spanner Admin
(roles/)
Has complete access to all Spanner
resources in a Google Cloud project. A principal with this role can:
Grant and revoke permissions to other principals for all Spanner resources in the project.
Allocate and delete chargeable Spanner resources.
Issue get/list/modify operations on Cloud Spanner resources.
Read from and write to all Cloud Spanner databases in the project.
Fetch project metadata.
Lowest-level resources where you can grant this role:
monitoring.timeSeries.*
resourcemanager.projects.get
resourcemanager.projects.list
spanner.*
Cloud Spanner Backup Admin
(roles/)
A principal with this role can:
Create, view, update, and delete backups.
View and manage a backup's allow policy.
This role cannot restore a database from a backup.
Lowest-level resources where you can grant this role:
monitoring.timeSeries.list
resourcemanager.projects.get
resourcemanager.projects.list
spanner.backupOperations.*
spanner.backupSchedules.create
spanner.backupSchedules.delete
spanner.backupSchedules.get
spanner.backupSchedules.list
spanner.backupSchedules.update
spanner.backups.copy
spanner.backups.create
spanner.backups.delete
spanner.backups.get
spanner.backups.getIamPolicy
spanner.backups.list
spanner.backups.setIamPolicy
spanner.backups.update
spanner.databases.createBackup
spanner.databases.get
spanner.databases.list
spanner.instancePartitions.get
spanner.
spanner.
spanner.
spanner.instances.get
spanner.instances.list
spanner.
spanner.
Cloud Spanner Backup Writer
(roles/)
This role is intended to be used by scripts that automate backup creation.
A principal with this role can create backups, but cannot update or delete them.
Lowest-level resources where you can grant this role:
spanner.backupOperations.get
spanner.backupOperations.list
spanner.backupSchedules.create
spanner.backupSchedules.get
spanner.backupSchedules.list
spanner.backups.copy
spanner.backups.create
spanner.backups.get
spanner.backups.list
spanner.databases.createBackup
spanner.databases.get
spanner.databases.list
spanner.instancePartitions.get
spanner.instances.get
Cloud Spanner Database Admin
(roles/)
A principal with this role can:
Get/list all Spanner instances in the project.
Create/list/drop databases in an instance.
Grant/revoke access to databases in the project.
Read from and write to all Cloud Spanner databases in the project.
Lowest-level resources where you can grant this role:
monitoring.timeSeries.*
resourcemanager.projects.get
resourcemanager.projects.list
spanner.databaseOperations.*
spanner.databaseRoles.*
spanner.
spanner.
spanner.
spanner.databases.changequorum
spanner.databases.create
spanner.databases.drop
spanner.databases.get
spanner.databases.getDdl
spanner.databases.getIamPolicy
spanner.databases.list
spanner.
spanner.
spanner.databases.read
spanner.databases.select
spanner.databases.setIamPolicy
spanner.databases.update
spanner.databases.updateDdl
spanner.databases.updateTag
spanner.databases.useDataBoost
spanner.
spanner.databases.write
spanner.instancePartitions.get
spanner.
spanner.
spanner.
spanner.instances.get
spanner.instances.getIamPolicy
spanner.instances.list
spanner.
spanner.
spanner.sessions.*
Cloud Spanner Database Reader
(roles/)
A principal with this role can:
Read from the Spanner database.
Execute SQL queries on the database.
View schema for the database.
Lowest-level resources where you can grant this role:
monitoring.timeSeries.create
spanner.
spanner.databases.getDdl
spanner.
spanner.
spanner.databases.read
spanner.databases.select
spanner.instancePartitions.get
spanner.instances.get
spanner.sessions.*
Cloud Spanner Database Reader with DataBoost
(roles/)
Includes all permissions in the spanner.databaseReader role enabling access to read and/or query a Cloud Spanner database using instance resources, as well as the permission to access the database with Data Boost, a fully managed serverless service that provides independent compute resources.
Lowest-level resources where you can grant this role:
monitoring.timeSeries.create
spanner.
spanner.databases.getDdl
spanner.
spanner.
spanner.databases.read
spanner.databases.select
spanner.databases.useDataBoost
spanner.instancePartitions.get
spanner.instances.get
spanner.sessions.*
Cloud Spanner Database Role User
(roles/)
In conjunction with the IAM role Cloud Spanner Fine-grained Access User, grants permissions to individual Spanner database roles. Add a condition for each desired Spanner database role that includes the resource type of `spanner.googleapis.com/DatabaseRole` and the resource name ending with `/YOUR_SPANNER_DATABASE_ROLE`.
Lowest-level resources where you can grant this role:
spanner.databaseRoles.use
Cloud Spanner Database User
(roles/)
A principal with this role can:
Read from and write to the Spanner database.
Execute SQL queries on the database, including DML and Partitioned DML.
View and update schema for the database.
Lowest-level resources where you can grant this role:
monitoring.timeSeries.create
spanner.databaseOperations.*
spanner.
spanner.
spanner.
spanner.databases.changequorum
spanner.databases.getDdl
spanner.
spanner.
spanner.databases.read
spanner.databases.select
spanner.databases.updateDdl
spanner.databases.updateTag
spanner.databases.write
spanner.instancePartitions.get
spanner.instances.get
spanner.sessions.*
Cloud Spanner Fine-grained Access User
(roles/)
Grants permissions to use Spanner's fine-grained access control framework. To grant access to specific database roles, also add the `roles/spanner.databaseRoleUser` IAM role and its necessary conditions.
Lowest-level resources where you can grant this role:
spanner.databaseRoles.list
spanner.
Cloud Spanner Restore Admin
(roles/)
A principal with this role can restore databases from backups.
If you need to restore a backup to a different instance, apply this
role at the project level or to both instances. This role cannot create backups.
Lowest-level resources where you can grant this role:
monitoring.timeSeries.list
resourcemanager.projects.get
resourcemanager.projects.list
spanner.backups.get
spanner.backups.list
spanner.
spanner.databaseOperations.*
spanner.databases.create
spanner.databases.get
spanner.databases.list
spanner.instancePartitions.get
spanner.
spanner.
spanner.
spanner.instances.get
spanner.instances.list
spanner.
spanner.
Cloud Spanner Viewer
(roles/)
A principal with this role can:
View all Spanner instances (but cannot modify instances).
View all Spanner databases (but cannot modify or read from databases).
For example, you can combine this role with the roles/spanner.databaseUser role to
grant a user with access to a specific database, but only view access to other instances and
databases.
This role is recommended at the Google Cloud project level for users interacting with Cloud
Spanner resources in the Google Cloud console.
Lowest-level resources where you can grant this role:
monitoring.timeSeries.list
resourcemanager.projects.get
resourcemanager.projects.list
spanner.databases.list
spanner.instanceConfigs.get
spanner.instanceConfigs.list
spanner.instancePartitions.get
spanner.
spanner.instances.get
spanner.instances.list
spanner.
spanner.
Cloud SQL roles
Permissions
Cloud SQL Admin
(roles/)
Provides full control of Cloud SQL resources.
Lowest-level resources where you can grant this role:
cloudaicompanion.companions.*
cloudaicompanion.
cloudaicompanion.
cloudaicompanion.
cloudsql.*
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
resourcemanager.projects.get
resourcemanager.projects.list
serviceusage.quotas.get
serviceusage.services.get
serviceusage.services.list
Cloud SQL Client
(roles/)
Provides connectivity access to Cloud SQL instances.
Lowest-level resources where you can grant this role:
cloudsql.instances.connect
cloudsql.instances.get
Cloud SQL Editor
(roles/)
Provides full control of existing Cloud SQL instances excluding
modifying users, SSL certificates or deleting resources.
Lowest-level resources where you can grant this role:
cloudaicompanion.
cloudsql.backupRuns.create
cloudsql.backupRuns.get
cloudsql.backupRuns.list
cloudsql.databases.create
cloudsql.databases.get
cloudsql.databases.list
cloudsql.databases.update
cloudsql.instances.addServerCa
cloudsql.
cloudsql.instances.connect
cloudsql.instances.export
cloudsql.instances.failover
cloudsql.instances.get
cloudsql.
cloudsql.instances.list
cloudsql.
cloudsql.
cloudsql.
cloudsql.
cloudsql.instances.migrate
cloudsql.
cloudsql.instances.reencrypt
cloudsql.
cloudsql.instances.restart
cloudsql.
cloudsql.
cloudsql.instances.truncateLog
cloudsql.instances.update
cloudsql.schemas.view
cloudsql.sslCerts.get
cloudsql.sslCerts.list
cloudsql.users.get
cloudsql.users.list
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
resourcemanager.projects.get
resourcemanager.projects.list
serviceusage.quotas.get
serviceusage.services.get
serviceusage.services.list
Cloud SQL Instance User
(roles/)
Role allowing access to a Cloud SQL instance
cloudsql.instances.get
cloudsql.instances.login
Cloud SQL Schema Viewer
(roles/)
Role allowing access to the Cloud SQL instance schema on Dataplex
cloudsql.schemas.view
Cloud SQL Studio User
(roles/)
Role allowing access to Cloud SQL Studio
cloudaicompanion.companions.*
cloudaicompanion.
cloudaicompanion.
cloudsql.databases.list
cloudsql.instances.executeSql
cloudsql.instances.get
cloudsql.instances.login
cloudsql.users.list
Cloud SQL Viewer
(roles/)
Provides read-only access to Cloud SQL resources.
Lowest-level resources where you can grant this role:
cloudaicompanion.
cloudsql.backupRuns.get
cloudsql.backupRuns.list
cloudsql.databases.get
cloudsql.databases.list
cloudsql.instances.export
cloudsql.instances.get
cloudsql.
cloudsql.instances.list
cloudsql.
cloudsql.
cloudsql.
cloudsql.
cloudsql.sslCerts.get
cloudsql.sslCerts.list
cloudsql.users.get
cloudsql.users.list
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
resourcemanager.projects.get
resourcemanager.projects.list
serviceusage.quotas.get
serviceusage.services.get
serviceusage.services.list
Cloud Storage roles
Permissions
Storage Admin
(roles/)
Grants full control of objects and buckets.
When applied to an individual bucket , control applies only to
the specified bucket and objects within the bucket.
Lowest-level resources where you can grant this role:
firebase.projects.get
orgpolicy.policy.get
recommender.
recommender.
recommender.
recommender.
resourcemanager.
resourcemanager.projects.get
resourcemanager.projects.list
storage.anywhereCaches.*
storage.bucketOperations.*
storage.buckets.*
storage.folders.*
storage.managedFolders.*
storage.managementHubs.*
storage.multipartUploads.*
storage.objects.*
Storage Folder Admin
(roles/)
Grants full control over folders and objects, including listing, creating, viewing, and deleting objects.
orgpolicy.policy.get
resourcemanager.projects.get
resourcemanager.projects.list
storage.folders.*
storage.managedFolders.*
storage.multipartUploads.*
storage.objects.*
Storage HMAC Key Admin
(roles/)
Full control of Cloud Storage HMAC keys.
firebase.projects.get
orgpolicy.policy.get
resourcemanager.projects.get
resourcemanager.projects.list
storage.hmacKeys.*
Storage Insights Collector Service
(roles/)
Read-only access to Cloud Storage Inventory metadata for Storage Insights.
resourcemanager.projects.get
resourcemanager.projects.list
storage.buckets.get
storage.
Storage Object Admin
(roles/)
Grants full control of objects, including listing, creating, viewing,
and deleting objects.
Lowest-level resources where you can grant this role:
orgpolicy.policy.get
resourcemanager.projects.get
resourcemanager.projects.list
storage.folders.*
storage.managedFolders.create
storage.managedFolders.delete
storage.managedFolders.get
storage.managedFolders.list
storage.multipartUploads.*
storage.objects.*
Storage Object Creator
(roles/)
Allows users to create objects. Does not give permission to view,
delete, or overwrite objects.
Lowest-level resources where you can grant this role:
orgpolicy.policy.get
resourcemanager.projects.get
resourcemanager.projects.list
storage.folders.create
storage.managedFolders.create
storage.multipartUploads.abort
storage.
storage.
storage.objects.create
Storage Object User
(roles/)
Access to create, read, update and delete objects and multipart uploads in GCS.
orgpolicy.policy.get
resourcemanager.projects.get
resourcemanager.projects.list
storage.folders.*
storage.managedFolders.create
storage.managedFolders.delete
storage.managedFolders.get
storage.managedFolders.list
storage.multipartUploads.*
storage.objects.create
storage.objects.delete
storage.objects.get
storage.objects.list
storage.objects.restore
storage.objects.update
Storage Object Viewer
(roles/)
Grants access to view objects and their metadata, excluding ACLs. Can
also list the objects in a bucket.
Lowest-level resources where you can grant this role:
resourcemanager.projects.get
resourcemanager.projects.list
storage.folders.get
storage.folders.list
storage.managedFolders.get
storage.managedFolders.list
storage.objects.get
storage.objects.list
Storage Transfer Admin
(roles/)
Create, update and manage transfer jobs and operations.
resourcemanager.projects.get
resourcemanager.projects.list
storagetransfer.*
Storage Transfer Agent
(roles/)
Perform transfers from an agent.
monitoring.timeSeries.create
pubsub.subscriptions.consume
pubsub.subscriptions.create
pubsub.subscriptions.delete
pubsub.subscriptions.get
pubsub.
pubsub.topics.create
pubsub.topics.get
pubsub.topics.list
pubsub.topics.publish
storagetransfer.
storagetransfer.
storagetransfer.operations.get
storagetransfer.
Storage Transfer User
(roles/)
Create and update storage transfer jobs and operations.
resourcemanager.projects.get
resourcemanager.projects.list
storagetransfer.
storagetransfer.agentpools.get
storagetransfer.
storagetransfer.
storagetransfer.
storagetransfer.jobs.create
storagetransfer.jobs.get
storagetransfer.jobs.list
storagetransfer.jobs.run
storagetransfer.jobs.update
storagetransfer.operations.*
storagetransfer.
Storage Transfer Viewer
(roles/)
Read access to storage transfer jobs and operations.
resourcemanager.projects.get
resourcemanager.projects.list
storagetransfer.agentpools.get
storagetransfer.
storagetransfer.jobs.get
storagetransfer.jobs.list
storagetransfer.operations.get
storagetransfer.
storagetransfer.
Cloud Storage Legacy roles
Permissions
Storage Legacy Bucket Owner
(roles/)
Grants permission to create, overwrite, and delete objects; list objects
in a bucket and read object metadata, excluding allow policies, when
listing; and read and edit bucket metadata, including allow policies.
Use of this role is also reflected in the bucket's ACLs. For more
information, see
IAM relation to ACLs .
Lowest-level resources where you can grant this role:
storage.anywhereCaches.*
storage.bucketOperations.*
storage.
storage.
storage.
storage.buckets.get
storage.buckets.getIamPolicy
storage.buckets.getIpFilter
storage.
storage.
storage.buckets.restore
storage.buckets.setIamPolicy
storage.buckets.setIpFilter
storage.buckets.update
storage.folders.*
storage.managedFolders.*
storage.multipartUploads.*
storage.objects.create
storage.objects.delete
storage.objects.list
storage.objects.restore
storage.objects.setRetention
Storage Legacy Bucket Reader
(roles/)
Grants permission to list a bucket's contents and read bucket metadata,
excluding allow policies. Also grants permission to read object metadata,
excluding allow policies, when listing objects.
Use of this role is also reflected in the bucket's ACLs. For more
information, see
IAM relation to ACLs .
Lowest-level resources where you can grant this role:
storage.buckets.get
storage.folders.get
storage.folders.list
storage.managedFolders.get
storage.managedFolders.list
storage.multipartUploads.list
storage.objects.list
Storage Legacy Bucket Writer
(roles/)
Grants permission to create, overwrite, and delete objects; list objects
in a bucket and read object metadata, excluding allow policies, when
listing; and read bucket metadata, excluding allow policies.
Use of this role is also reflected in the bucket's ACLs. For more
information, see
IAM relation to ACLs .
Lowest-level resources where you can grant this role:
storage.buckets.get
storage.folders.*
storage.managedFolders.create
storage.managedFolders.delete
storage.managedFolders.get
storage.managedFolders.list
storage.multipartUploads.*
storage.objects.create
storage.objects.delete
storage.objects.list
storage.objects.restore
storage.objects.setRetention
Storage Legacy Object Owner
(roles/)
Grants permission to view and edit objects and their metadata, including
ACLs.
Lowest-level resources where you can grant this role:
storage.objects.get
storage.objects.getIamPolicy
storage.
storage.objects.setIamPolicy
storage.objects.setRetention
storage.objects.update
Storage Legacy Object Reader
(roles/)
Grants permission to view objects and their metadata, excluding ACLs.
Lowest-level resources where you can grant this role:
storage.objects.get
Cloud Talent Solution roles
Permissions
Cloud Talent Solution Admin
(roles/)
Access to Cloud Talent Solution Self-Service Tools.
cloudjobdiscovery.tools.access
iam.serviceAccounts.list
resourcemanager.projects.get
resourcemanager.projects.list
Cloud Talent Solution Job Editor
(roles/)
Write access to all job data in Cloud Talent Solution.
cloudjobdiscovery.companies.*
cloudjobdiscovery.
cloudjobdiscovery.jobs.*
cloudjobdiscovery.tenants.*
resourcemanager.projects.get
resourcemanager.projects.list
Cloud Talent Solution Job Viewer
(roles/)
Read access to all job data in Cloud Talent Solution.
cloudjobdiscovery.
cloudjobdiscovery.
cloudjobdiscovery.jobs.get
cloudjobdiscovery.jobs.search
cloudjobdiscovery.tenants.get
resourcemanager.projects.get
resourcemanager.projects.list
Cloud Talent Solution Profile Editor
(roles/)
Write access to all profile data in Cloud Talent Solution.
cloudjobdiscovery.
cloudjobdiscovery.profiles.*
cloudjobdiscovery.tenants.*
resourcemanager.projects.get
resourcemanager.projects.list
Cloud Talent Solution Profile Viewer
(roles/)
Read access to all profile data in Cloud Talent Solution.
cloudjobdiscovery.profiles.get
cloudjobdiscovery.
cloudjobdiscovery.tenants.get
resourcemanager.projects.get
resourcemanager.projects.list
Cloud Tasks roles
Permissions
Cloud Tasks Admin
Beta
(roles/)
Full access to queues and tasks.
cloudtasks.*
monitoring.timeSeries.list
resourcemanager.projects.get
resourcemanager.projects.list
Cloud Tasks Enqueuer
Beta
(roles/)
Access to create tasks.
cloudtasks.tasks.create
cloudtasks.tasks.fullView
resourcemanager.projects.get
resourcemanager.projects.list
Cloud Tasks Queue Admin
Beta
(roles/)
Admin access to queues.
cloudtasks.locations.*
cloudtasks.queues.*
resourcemanager.projects.get
resourcemanager.projects.list
Cloud Tasks Task Deleter
Beta
(roles/)
Access to delete tasks.
cloudtasks.tasks.delete
resourcemanager.projects.get
resourcemanager.projects.list
Cloud Tasks Task Runner
Beta
(roles/)
Access to run tasks.
cloudtasks.tasks.fullView
cloudtasks.tasks.run
resourcemanager.projects.get
resourcemanager.projects.list
Cloud Tasks Viewer
Beta
(roles/)
Get and list access to tasks, queues, and locations.
cloudtasks.cmekConfig.get
cloudtasks.locations.*
cloudtasks.queues.get
cloudtasks.queues.list
cloudtasks.tasks.fullView
cloudtasks.tasks.get
cloudtasks.tasks.list
monitoring.timeSeries.list
resourcemanager.projects.get
resourcemanager.projects.list
Cloud TPU roles
Permissions
TPU Admin
(roles/)
Full access to TPU nodes and related resources.
resourcemanager.projects.get
resourcemanager.projects.list
tpu.*
TPU Viewer
(roles/)
Read-only access to TPU nodes and related resources.
resourcemanager.projects.get
resourcemanager.projects.list
tpu.acceleratortypes.*
tpu.locations.*
tpu.nodes.get
tpu.nodes.list
tpu.operations.*
tpu.runtimeversions.*
tpu.tensorflowversions.*
TPU Shared VPC Agent
(roles/)
Can use shared VPC network (XPN) for the TPU VMs.
compute.
compute.
compute.addresses.get
compute.addresses.list
compute.addresses.use
compute.addresses.useInternal
compute.firewalls.create
compute.firewalls.delete
compute.firewalls.get
compute.firewalls.update
compute.globalOperations.get
compute.networks.get
compute.networks.list
compute.networks.updatePolicy
compute.networks.use
compute.networks.useExternalIp
compute.routes.list
compute.subnetworks.get
compute.subnetworks.list
compute.subnetworks.use
compute.
compute.zoneOperations.get
Cloud Trace roles
Permissions
Cloud Trace Admin
(roles/)
Provides full access to the Trace console and read-write access to traces.
Lowest-level resources where you can grant this role:
cloudtrace.*
observability.scopes.get
resourcemanager.projects.get
resourcemanager.projects.list
Cloud Trace Agent
(roles/)
For service accounts. Provides ability to write traces by sending the data
to Stackdriver Trace.
Lowest-level resources where you can grant this role:
cloudtrace.traces.patch
Cloud Trace User
(roles/)
Provides full access to the Trace console and read access to traces.
Lowest-level resources where you can grant this role:
cloudtrace.insights.*
cloudtrace.stats.get
cloudtrace.tasks.*
cloudtrace.traceScopes.*
cloudtrace.traces.get
cloudtrace.traces.list
observability.scopes.get
resourcemanager.projects.get
resourcemanager.projects.list
Cloud Translation roles
Permissions
Cloud Translation API Admin
(roles/)
Full access to all Cloud Translation resources
automl.models.get
automl.models.predict
cloudtranslate.*
resourcemanager.projects.get
resourcemanager.projects.list
Cloud Translation API Editor
(roles/)
Editor of all Cloud Translation resources
automl.models.get
automl.models.predict
cloudtranslate.*
resourcemanager.projects.get
resourcemanager.projects.list
Cloud Translation API User
(roles/)
User of Cloud Translation and AutoML models
automl.models.get
automl.models.predict
cloudtranslate.
cloudtranslate.
cloudtranslate.
cloudtranslate.
cloudtranslate.
cloudtranslate.
cloudtranslate.
cloudtranslate.
cloudtranslate.
cloudtranslate.datasets.get
cloudtranslate.datasets.list
cloudtranslate.generalModels.*
cloudtranslate.
cloudtranslate.
cloudtranslate.
cloudtranslate.glossaries.get
cloudtranslate.glossaries.list
cloudtranslate.
cloudtranslate.
cloudtranslate.
cloudtranslate.
cloudtranslate.locations.*
cloudtranslate.operations.get
cloudtranslate.operations.list
cloudtranslate.operations.wait
resourcemanager.projects.get
resourcemanager.projects.list
Cloud Translation API Viewer
(roles/)
Viewer of all Translation resources
automl.models.get
cloudtranslate.
cloudtranslate.
cloudtranslate.
cloudtranslate.
cloudtranslate.
cloudtranslate.
cloudtranslate.
cloudtranslate.datasets.get
cloudtranslate.datasets.list
cloudtranslate.
cloudtranslate.glossaries.get
cloudtranslate.glossaries.list
cloudtranslate.
cloudtranslate.
cloudtranslate.locations.*
cloudtranslate.operations.get
cloudtranslate.operations.list
cloudtranslate.operations.wait
resourcemanager.projects.get
resourcemanager.projects.list
Cloud Workstations roles
Permissions
Cloud Workstations Admin
(roles/)
Grants CRUD access to all Workstation resources.
compute.acceleratorTypes.*
compute.machineTypes.*
compute.networks.get
compute.networks.list
compute.subnetworks.get
compute.subnetworks.list
compute.zones.*
iam.serviceAccounts.get
iam.serviceAccounts.list
resourcemanager.projects.get
resourcemanager.projects.list
workstations.operations.get
workstations.
workstations.
workstations.
workstations.
workstations.workstations.get
workstations.
workstations.workstations.list
workstations.
workstations.
workstations.workstations.stop
workstations.
Cloud Workstations Network Admin
(roles/)
Grants ability to connect a Workstation Cluster to a shared VPC network.
compute.addresses.create
compute.
compute.addresses.delete
compute.
compute.addresses.get
compute.addresses.use
compute.forwardingRules.create
compute.forwardingRules.delete
compute.forwardingRules.get
compute.
compute.
compute.globalOperations.get
compute.networks.get
compute.networks.updatePolicy
compute.networks.use
compute.networks.useExternalIp
compute.regionOperations.get
compute.subnetworks.get
compute.subnetworks.use
compute.
compute.zoneOperations.get
servicedirectory.
servicedirectory.
servicedirectory.
servicedirectory.
Cloud Workstations Operation Viewer
(roles/)
Grants ability to view Cloud Workstations API operations.
workstations.operations.get
Cloud Workstations User
(roles/)
Grants runtime access to Workstation resources.
workstations.operations.get
workstations.
workstations.workstations.get
workstations.
workstations.workstations.stop
workstations.
workstations.workstations.use
Cloud Workstations Creator
(roles/)
Grants ability to create Workstation resources.
resourcemanager.projects.get
resourcemanager.projects.list
workstations.operations.get
workstations.
workstations.
workstations.
workstations.
Compute Engine roles
Permissions
Compute Admin
(roles/)
Full control of all Compute Engine resources.
If the user will be managing virtual machine instances that are configured
to run as a service account, you must also grant the
roles/iam.serviceAccountUser role.
Lowest-level resources where you can grant this role:
Disk
Image
Instance
Instance template
Node group
Node template
Snapshot
backupdr.
backupdr.
backupdr.
backupdr.
backupdr.backupPlans.get
backupdr.backupPlans.list
backupdr.
backupdr.backupVaults.get
backupdr.backupVaults.list
backupdr.locations.list
backupdr.operations.get
backupdr.operations.list
backupdr.
compute.*
resourcemanager.projects.get
resourcemanager.projects.list
serviceusage.quotas.get
serviceusage.services.get
serviceusage.services.list
Compute Future Reservation Admin
Beta
(roles/)
compute.acceleratorTypes.list
compute.
compute.
compute.
compute.futureReservations.get
compute.
compute.
compute.instanceTemplates.list
compute.machineTypes.list
compute.regions.list
compute.reservations.create
compute.zones.list
Compute Future Reservation User
Beta
(roles/)
compute.acceleratorTypes.list
compute.
compute.
compute.futureReservations.get
compute.
compute.
compute.instanceTemplates.list
compute.machineTypes.list
compute.regions.list
compute.reservations.create
compute.zones.list
Compute Future Reservation Viewer
Beta
(roles/)
compute.acceleratorTypes.list
compute.futureReservations.get
compute.
compute.instanceTemplates.list
compute.machineTypes.list
compute.regions.list
compute.zones.list
Compute Image User
(roles/)
Permission to list and read images without having other permissions on the image. Granting this role
at the project level gives users the ability to list all images in the project and create resources,
such as instances and persistent disks, based on images in the project.
Lowest-level resources where you can grant this role:
compute.images.get
compute.images.getFromFamily
compute.images.list
compute.images.useReadOnly
resourcemanager.projects.get
resourcemanager.projects.list
serviceusage.quotas.get
serviceusage.services.get
serviceusage.services.list
Compute Instance Admin (beta)
(roles/)
Permissions to create, modify, and delete virtual machine instances.
This includes permissions to create, modify, and delete disks, and also to
configure Shielded VM
settings.
If the user will be managing virtual machine instances that are configured
to run as a service account, you must also grant the
roles/iam.serviceAccountUser role.
For example, if your company has someone who manages groups of virtual
machine instances but does not manage network or security settings and
does not manage instances that run as service accounts, you can grant this
role on the organization, folder, or project that contains the instances,
or you can grant it on individual instances.
Lowest-level resources where you can grant this role:
Disk
Image
Instance
Instance template
Snapshot
backupdr.
backupdr.
backupdr.
backupdr.
backupdr.backupPlans.get
backupdr.backupPlans.list
backupdr.
backupdr.backupVaults.get
backupdr.backupVaults.list
backupdr.locations.list
backupdr.operations.get
backupdr.operations.list
backupdr.
compute.acceleratorTypes.*
compute.
compute.
compute.addresses.get
compute.addresses.list
compute.
compute.
compute.addresses.use
compute.addresses.useInternal
compute.autoscalers.*
compute.diskTypes.*
compute.disks.create
compute.disks.createSnapshot
compute.disks.delete
compute.disks.get
compute.disks.list
compute.disks.resize
compute.disks.setLabels
compute.
compute.
compute.
compute.disks.update
compute.disks.use
compute.disks.useReadOnly
compute.globalAddresses.get
compute.globalAddresses.list
compute.
compute.
compute.globalAddresses.use
compute.
compute.globalOperations.get
compute.globalOperations.list
compute.images.get
compute.images.getFromFamily
compute.images.list
compute.images.useReadOnly
compute.
compute.instanceGroups.*
compute.instanceSettings.get
compute.instanceTemplates.*
compute.instances.*
compute.licenses.get
compute.licenses.list
compute.machineImages.*
compute.machineTypes.*
compute.multiMig.*
compute.
compute.networks.get
compute.networks.list
compute.
compute.
compute.networks.use
compute.networks.useExternalIp
compute.projects.get
compute.
compute.regionOperations.get
compute.regionOperations.list
compute.regions.*
compute.reservationBlocks.*
compute.reservations.get
compute.reservations.list
compute.resourcePolicies.list
compute.
compute.storagePools.get
compute.storagePools.list
compute.storagePools.use
compute.subnetworks.get
compute.subnetworks.list
compute.
compute.
compute.subnetworks.use
compute.
compute.targetPools.get
compute.targetPools.list
compute.
compute.
compute.zoneOperations.get
compute.zoneOperations.list
compute.zones.*
resourcemanager.projects.get
resourcemanager.projects.list
serviceusage.quotas.get
serviceusage.services.get
serviceusage.services.list
Compute Instance Admin (v1)
(roles/)
Full control of Compute Engine instances, instance groups, disks, snapshots, and images.
Read access to all Compute Engine networking resources.
If you grant a user this role only at an instance level, then that user cannot create new instances.
backupdr.
backupdr.
backupdr.
backupdr.
backupdr.backupPlans.get
backupdr.backupPlans.list
backupdr.
backupdr.backupVaults.get
backupdr.backupVaults.list
backupdr.locations.list
backupdr.operations.get
backupdr.operations.list
backupdr.
compute.acceleratorTypes.*
compute.
compute.
compute.addresses.get
compute.addresses.list
compute.
compute.
compute.addresses.use
compute.addresses.useInternal
compute.autoscalers.*
compute.backendBuckets.get
compute.backendBuckets.list
compute.
compute.
compute.backendServices.get
compute.backendServices.list
compute.
compute.
compute.diskTypes.*
compute.disks.*
compute.
compute.
compute.
compute.
compute.firewalls.get
compute.firewalls.list
compute.
compute.
compute.forwardingRules.get
compute.forwardingRules.list
compute.
compute.
compute.globalAddresses.get
compute.globalAddresses.list
compute.
compute.
compute.globalAddresses.use
compute.
compute.
compute.
compute.
compute.
compute.
compute.globalOperations.get
compute.globalOperations.list
compute.healthChecks.get
compute.healthChecks.list
compute.
compute.
compute.httpHealthChecks.get
compute.httpHealthChecks.list
compute.
compute.
compute.httpsHealthChecks.get
compute.httpsHealthChecks.list
compute.
compute.
compute.images.*
compute.
compute.instanceGroups.*
compute.instanceSettings.*
compute.instanceTemplates.*
compute.instances.*
compute.instantSnapshots.*
compute.
compute.
compute.
compute.
compute.
compute.
compute.interconnects.get
compute.interconnects.list
compute.
compute.
compute.licenseCodes.*
compute.licenses.*
compute.machineImages.*
compute.machineTypes.*
compute.multiMig.*
compute.networkAttachments.get
compute.
compute.
compute.
compute.
compute.networkProfiles.*
compute.networks.get
compute.networks.list
compute.
compute.
compute.networks.use
compute.networks.useExternalIp
compute.projects.get
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.regionHealthChecks.get
compute.
compute.
compute.
compute.
compute.
compute.
compute.regionOperations.get
compute.regionOperations.list
compute.
compute.
compute.
compute.
compute.regionSslPolicies.get
compute.regionSslPolicies.list
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.regionUrlMaps.get
compute.regionUrlMaps.list
compute.
compute.
compute.regions.*
compute.reservationBlocks.*
compute.reservations.get
compute.reservations.list
compute.resourcePolicies.*
compute.routers.get
compute.routers.getRoutePolicy
compute.routers.list
compute.routers.listBgpRoutes
compute.
compute.
compute.
compute.routes.get
compute.routes.list
compute.
compute.routes.listTagBindings
compute.serviceAttachments.get
compute.
compute.
compute.
compute.snapshots.*
compute.spotAssistants.get
compute.sslCertificates.get
compute.sslCertificates.list
compute.
compute.
compute.sslPolicies.get
compute.sslPolicies.list
compute.
compute.
compute.
compute.storagePools.get
compute.storagePools.list
compute.storagePools.use
compute.subnetworks.get
compute.subnetworks.list
compute.
compute.
compute.subnetworks.use
compute.
compute.targetGrpcProxies.get
compute.targetGrpcProxies.list
compute.
compute.
compute.targetHttpProxies.get
compute.targetHttpProxies.list
compute.
compute.
compute.targetHttpsProxies.get
compute.
compute.
compute.
compute.targetInstances.get
compute.targetInstances.list
compute.
compute.
compute.targetPools.get
compute.targetPools.list
compute.
compute.
compute.targetSslProxies.get
compute.targetSslProxies.list
compute.
compute.
compute.targetTcpProxies.get
compute.targetTcpProxies.list
compute.
compute.
compute.targetVpnGateways.get
compute.targetVpnGateways.list
compute.
compute.
compute.urlMaps.get
compute.urlMaps.list
compute.
compute.
compute.vpnGateways.get
compute.vpnGateways.list
compute.
compute.
compute.vpnTunnels.get
compute.vpnTunnels.list
compute.
compute.
compute.zoneOperations.get
compute.zoneOperations.list
compute.zones.*
resourcemanager.projects.get
resourcemanager.projects.list
serviceusage.quotas.get
serviceusage.services.get
serviceusage.services.list
Compute Load Balancer Admin
(roles/)
Permissions to create, modify, and delete load balancers and associate
resources.
For example, if your company has a load balancing team that manages load
balancers, SSL certificates for load balancers, SSL policies, and other
load balancing resources, and a separate networking team that manages
the rest of the networking resources, then grant this role to the load
balancing team's group.
Lowest-level resources where you can grant this role:
certificatemanager.
certificatemanager.
certificatemanager.
compute.addresses.*
compute.backendBuckets.*
compute.backendServices.*
compute.
compute.disks.listTagBindings
compute.forwardingRules.*
compute.globalAddresses.*
compute.
compute.
compute.globalOperations.get
compute.globalOperations.list
compute.healthChecks.*
compute.httpHealthChecks.*
compute.httpsHealthChecks.*
compute.
compute.images.listTagBindings
compute.instanceGroups.*
compute.instances.get
compute.instances.list
compute.
compute.
compute.instances.use
compute.instances.useReadOnly
compute.
compute.networks.get
compute.networks.list
compute.
compute.
compute.networks.use
compute.projects.get
compute.
compute.
compute.regionHealthChecks.*
compute.
compute.
compute.regionOperations.get
compute.regionOperations.list
compute.
compute.
compute.
compute.
compute.
compute.
compute.regionSslPolicies.*
compute.
compute.
compute.
compute.regionUrlMaps.*
compute.securityPolicies.get
compute.securityPolicies.list
compute.
compute.
compute.securityPolicies.use
compute.
compute.
compute.sslCertificates.*
compute.sslPolicies.*
compute.subnetworks.get
compute.subnetworks.list
compute.
compute.
compute.subnetworks.use
compute.targetGrpcProxies.*
compute.targetHttpProxies.*
compute.targetHttpsProxies.*
compute.targetInstances.*
compute.targetPools.*
compute.targetSslProxies.*
compute.targetTcpProxies.*
compute.urlMaps.*
compute.zoneOperations.get
compute.zoneOperations.list
networksecurity.
networksecurity.
networksecurity.
networksecurity.
networksecurity.
networksecurity.
resourcemanager.projects.get
resourcemanager.projects.list
serviceusage.quotas.get
serviceusage.services.get
serviceusage.services.list
Compute Load Balancer Services User
(roles/)
Permissions to use services from a load balancer in other projects.
compute.backendBuckets.get
compute.backendBuckets.list
compute.
compute.
compute.backendBuckets.use
compute.backendServices.get
compute.backendServices.list
compute.
compute.
compute.backendServices.use
compute.projects.get
compute.
compute.
compute.
compute.
compute.
resourcemanager.projects.get
resourcemanager.projects.list
serviceusage.quotas.get
serviceusage.services.get
serviceusage.services.list
Compute Network Admin
(roles/)
Permissions to create, modify, and delete networking resources,
except for firewall rules and SSL certificates. The network admin role
allows read-only access to firewall rules, SSL certificates, and instances
(to view their ephemeral IP addresses). The network admin role does not
allow a user to create, start, stop, or delete instances.
For example, if your company has a security team that manages firewalls
and SSL certificates and a networking team that manages the rest of the
networking resources, then grant this role to the networking team's group.
Or, if you have a combined team that manages both security and networking,
then grant this role as well as the
roles/compute.securityAdmin role to the combined team's group.
Lowest-level resources where you can grant this role:
compute.acceleratorTypes.*
compute.addresses.*
compute.autoscalers.get
compute.autoscalers.list
compute.backendBuckets.*
compute.backendServices.*
compute.
compute.disks.listTagBindings
compute.externalVpnGateways.*
compute.firewallPolicies.get
compute.firewallPolicies.list
compute.
compute.
compute.firewallPolicies.use
compute.firewalls.get
compute.firewalls.list
compute.
compute.
compute.forwardingRules.*
compute.globalAddresses.*
compute.
compute.
compute.
compute.
compute.
compute.
compute.globalOperations.get
compute.globalOperations.list
compute.
compute.
compute.
compute.
compute.healthChecks.*
compute.httpHealthChecks.*
compute.httpsHealthChecks.*
compute.
compute.images.listTagBindings
compute.
compute.
compute.
compute.
compute.
compute.
compute.instanceGroups.get
compute.instanceGroups.list
compute.
compute.
compute.instanceGroups.update
compute.instanceGroups.use
compute.instanceSettings.get
compute.instances.get
compute.
compute.
compute.
compute.instances.list
compute.
compute.
compute.
compute.
compute.instances.use
compute.instances.useReadOnly
compute.
compute.
compute.
compute.interconnects.*
compute.machineTypes.*
compute.networkAttachments.*
compute.
compute.
compute.
compute.
compute.
compute.networkProfiles.*
compute.networks.*
compute.packetMirrorings.get
compute.packetMirrorings.list
compute.
compute.
compute.projects.get
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.regionHealthChecks.*
compute.
compute.
compute.
compute.
compute.
compute.
compute.regionOperations.get
compute.regionOperations.list
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.regionSslPolicies.*
compute.
compute.
compute.
compute.regionUrlMaps.*
compute.regions.*
compute.routers.*
compute.routes.*
compute.securityPolicies.get
compute.securityPolicies.list
compute.
compute.
compute.securityPolicies.use
compute.serviceAttachments.*
compute.
compute.
compute.sslCertificates.get
compute.sslCertificates.list
compute.
compute.
compute.sslPolicies.*
compute.subnetworks.*
compute.targetGrpcProxies.*
compute.targetHttpProxies.*
compute.targetHttpsProxies.*
compute.targetInstances.*
compute.targetPools.*
compute.targetSslProxies.*
compute.targetTcpProxies.*
compute.targetVpnGateways.*
compute.urlMaps.*
compute.vpnGateways.*
compute.vpnTunnels.*
compute.zoneOperations.get
compute.zoneOperations.list
compute.zones.*
networkconnectivity.
networkconnectivity.
networkconnectivity.
networkconnectivity.
networkconnectivity.
networkconnectivity.
networkconnectivity.
networkconnectivity.
networkmanagement.
networkmanagement.
networksecurity.
networksecurity.
networksecurity.
networksecurity.
networksecurity.
networksecurity.
networksecurity.
networksecurity.
networksecurity.locations.*
networksecurity.operations.*
networksecurity.
networksecurity.
networksecurity.
networksecurity.
networksecurity.urlLists.*
networkservices.*
resourcemanager.projects.get
resourcemanager.projects.list
servicedirectory.
servicedirectory.
servicedirectory.
servicedirectory.
servicenetworking.
servicenetworking.
servicenetworking.
servicenetworking.
servicenetworking.
servicenetworking.
servicenetworking.
servicenetworking.services.get
servicenetworking.
serviceusage.quotas.get
serviceusage.services.get
serviceusage.services.list
trafficdirector.*
Compute Network User
(roles/)
Provides access to a shared VPC network
Once granted, service owners can use VPC networks and subnets that belong
to the host project. For example, a network user can create a VM instance
that belongs to a host project network but they cannot delete or create
new networks in the host project.
Lowest-level resources where you can grant this role:
compute.
compute.
compute.addresses.get
compute.addresses.list
compute.
compute.
compute.addresses.useInternal
compute.
compute.
compute.
compute.
compute.
compute.firewalls.get
compute.firewalls.list
compute.
compute.
compute.instanceSettings.get
compute.
compute.
compute.
compute.
compute.
compute.
compute.interconnects.get
compute.interconnects.list
compute.
compute.
compute.interconnects.use
compute.networkAttachments.get
compute.
compute.
compute.
compute.networkProfiles.*
compute.networks.access
compute.networks.get
compute.
compute.
compute.networks.list
compute.
compute.
compute.
compute.networks.use
compute.networks.useExternalIp
compute.projects.get
compute.regions.*
compute.routers.get
compute.routers.getRoutePolicy
compute.routers.list
compute.routers.listBgpRoutes
compute.
compute.
compute.
compute.routes.get
compute.routes.list
compute.
compute.routes.listTagBindings
compute.serviceAttachments.get
compute.
compute.
compute.
compute.subnetworks.get
compute.subnetworks.list
compute.
compute.
compute.subnetworks.use
compute.
compute.targetVpnGateways.get
compute.targetVpnGateways.list
compute.
compute.
compute.vpnGateways.get
compute.vpnGateways.list
compute.
compute.
compute.vpnGateways.use
compute.vpnTunnels.get
compute.vpnTunnels.list
compute.
compute.
compute.zones.*
networkconnectivity.
networkconnectivity.
networkconnectivity.
networkconnectivity.
networkconnectivity.
networkconnectivity.
networkconnectivity.
networkmanagement.
networkmanagement.
networksecurity.
networksecurity.
networksecurity.
networksecurity.
networksecurity.
networksecurity.
networksecurity.
networksecurity.
networksecurity.
networksecurity.
networksecurity.
networksecurity.
networksecurity.
networksecurity.
networksecurity.
networksecurity.
networksecurity.
networksecurity.
networksecurity.
networksecurity.
networksecurity.
networksecurity.
networksecurity.locations.*
networksecurity.operations.get
networksecurity.
networksecurity.
networksecurity.
networksecurity.
networksecurity.
networksecurity.
networksecurity.
networksecurity.
networksecurity.
networksecurity.
networksecurity.
networksecurity.
networksecurity.
networksecurity.urlLists.get
networksecurity.urlLists.list
networksecurity.urlLists.use
networkservices.
networkservices.
networkservices.
networkservices.
networkservices.
networkservices.gateways.get
networkservices.gateways.list
networkservices.gateways.use
networkservices.grpcRoutes.get
networkservices.
networkservices.
networkservices.
networkservices.httpRoutes.get
networkservices.
networkservices.
networkservices.
networkservices.
networkservices.
networkservices.
networkservices.
networkservices.
networkservices.locations.*
networkservices.meshes.get
networkservices.meshes.list
networkservices.meshes.use
networkservices.operations.get
networkservices.
networkservices.route_views.*
networkservices.
networkservices.
networkservices.
networkservices.
networkservices.tcpRoutes.get
networkservices.tcpRoutes.list
networkservices.tlsRoutes.get
networkservices.tlsRoutes.list
networkservices.
networkservices.
networkservices.
resourcemanager.projects.get
resourcemanager.projects.list
servicenetworking.services.get
serviceusage.quotas.get
serviceusage.services.get
serviceusage.services.list
Compute Network Viewer
(roles/)
Read-only access to all networking resources
For example, if you have software that inspects your network
configuration, you could grant this role to that software's
service account.
Lowest-level resources where you can grant this role:
compute.acceleratorTypes.*
compute.addresses.get
compute.addresses.list
compute.
compute.
compute.autoscalers.get
compute.autoscalers.list
compute.backendBuckets.get
compute.backendBuckets.list
compute.
compute.
compute.backendServices.get
compute.backendServices.list
compute.
compute.
compute.
compute.disks.listTagBindings
compute.
compute.
compute.
compute.
compute.firewalls.get
compute.firewalls.list
compute.
compute.
compute.forwardingRules.get
compute.forwardingRules.list
compute.
compute.
compute.globalAddresses.get
compute.globalAddresses.list
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.healthChecks.get
compute.healthChecks.list
compute.
compute.
compute.httpHealthChecks.get
compute.httpHealthChecks.list
compute.
compute.
compute.httpsHealthChecks.get
compute.httpsHealthChecks.list
compute.
compute.
compute.
compute.images.listTagBindings
compute.
compute.
compute.
compute.
compute.instanceGroups.get
compute.instanceGroups.list
compute.
compute.
compute.instanceSettings.get
compute.instances.get
compute.
compute.
compute.
compute.instances.list
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.interconnects.get
compute.interconnects.list
compute.
compute.
compute.machineTypes.*
compute.networkAttachments.get
compute.
compute.
compute.
compute.networkProfiles.*
compute.networks.get
compute.
compute.
compute.networks.list
compute.
compute.
compute.
compute.packetMirrorings.get
compute.packetMirrorings.list
compute.
compute.
compute.projects.get
compute.
compute.
compute.
compute.
compute.
compute.
compute.regionHealthChecks.get
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.regionSslPolicies.get
compute.regionSslPolicies.list
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.regionUrlMaps.get
compute.regionUrlMaps.list
compute.
compute.
compute.regions.*
compute.routers.get
compute.routers.getRoutePolicy
compute.routers.list
compute.routers.listBgpRoutes
compute.
compute.
compute.
compute.routes.get
compute.routes.list
compute.
compute.routes.listTagBindings
compute.serviceAttachments.get
compute.
compute.
compute.
compute.
compute.
compute.sslCertificates.get
compute.sslCertificates.list
compute.
compute.
compute.sslPolicies.get
compute.sslPolicies.list
compute.
compute.
compute.
compute.subnetworks.get
compute.subnetworks.list
compute.
compute.
compute.targetGrpcProxies.get
compute.targetGrpcProxies.list
compute.
compute.
compute.targetHttpProxies.get
compute.targetHttpProxies.list
compute.
compute.
compute.targetHttpsProxies.get
compute.
compute.
compute.
compute.targetInstances.get
compute.targetInstances.list
compute.
compute.
compute.targetPools.get
compute.targetPools.list
compute.
compute.
compute.targetSslProxies.get
compute.targetSslProxies.list
compute.
compute.
compute.targetTcpProxies.get
compute.targetTcpProxies.list
compute.
compute.
compute.targetVpnGateways.get
compute.targetVpnGateways.list
compute.
compute.
compute.urlMaps.get
compute.urlMaps.list
compute.
compute.
compute.vpnGateways.get
compute.vpnGateways.list
compute.
compute.
compute.vpnTunnels.get
compute.vpnTunnels.list
compute.
compute.
compute.zones.*
networkconnectivity.
networkconnectivity.
networkconnectivity.
networkconnectivity.
networkconnectivity.
networkconnectivity.
networkconnectivity.
networkmanagement.
networkmanagement.
networksecurity.
networksecurity.
networksecurity.
networksecurity.
networksecurity.
networksecurity.
networksecurity.
networksecurity.
networksecurity.
networksecurity.
networksecurity.
networksecurity.
networksecurity.
networksecurity.
networksecurity.
networksecurity.
networksecurity.locations.*
networksecurity.operations.get
networksecurity.
networksecurity.
networksecurity.
networksecurity.
networksecurity.
networksecurity.
networksecurity.
networksecurity.
networksecurity.
networksecurity.urlLists.get
networksecurity.urlLists.list
networkservices.
networkservices.
networkservices.
networkservices.
networkservices.gateways.get
networkservices.gateways.list
networkservices.grpcRoutes.get
networkservices.
networkservices.
networkservices.
networkservices.httpRoutes.get
networkservices.
networkservices.
networkservices.
networkservices.
networkservices.
networkservices.
networkservices.
networkservices.locations.*
networkservices.meshes.get
networkservices.meshes.list
networkservices.operations.get
networkservices.
networkservices.route_views.*
networkservices.
networkservices.
networkservices.
networkservices.
networkservices.tcpRoutes.get
networkservices.tcpRoutes.list
networkservices.tlsRoutes.get
networkservices.tlsRoutes.list
networkservices.
networkservices.
resourcemanager.projects.get
resourcemanager.projects.list
servicenetworking.services.get
serviceusage.quotas.get
serviceusage.services.get
serviceusage.services.list
trafficdirector.*
Compute Organization Firewall Policy Admin
(roles/)
Full control of Compute Engine Organization Firewall Policies.
compute.firewallPolicies.*
compute.globalOperations.get
compute.
compute.globalOperations.list
compute.
compute.projects.get
compute.
compute.regionOperations.get
compute.
compute.regionOperations.list
compute.
resourcemanager.projects.get
resourcemanager.projects.list
serviceusage.quotas.get
serviceusage.services.get
serviceusage.services.list
Compute Organization Firewall Policy User
(roles/)
View or use Compute Engine Firewall Policies to associate with the organization or folders.
compute.firewallPolicies.get
compute.firewallPolicies.list
compute.
compute.
compute.firewallPolicies.use
compute.globalOperations.get
compute.
compute.globalOperations.list
compute.projects.get
compute.
compute.
compute.
compute.
compute.
compute.regionOperations.get
compute.
compute.regionOperations.list
resourcemanager.projects.get
resourcemanager.projects.list
serviceusage.quotas.get
serviceusage.services.get
serviceusage.services.list
Compute Organization Security Policy Admin
(roles/)
Full control of Compute Engine Organization Security Policies.
compute.firewallPolicies.*
compute.globalOperations.get
compute.
compute.globalOperations.list
compute.
compute.projects.get
compute.
compute.
compute.
compute.
compute.
compute.
compute.securityPolicies.get
compute.securityPolicies.list
compute.
compute.
compute.securityPolicies.move
compute.
compute.
compute.securityPolicies.use
resourcemanager.projects.get
resourcemanager.projects.list
serviceusage.quotas.get
serviceusage.services.get
serviceusage.services.list
Compute Organization Security Policy User
(roles/)
View or use Compute Engine Security Policies to associate with the organization or folders.
compute.firewallPolicies.get
compute.firewallPolicies.list
compute.
compute.
compute.firewallPolicies.use
compute.globalOperations.get
compute.
compute.globalOperations.list
compute.
compute.projects.get
compute.
compute.securityPolicies.get
compute.securityPolicies.list
compute.
compute.
compute.
compute.securityPolicies.use
resourcemanager.projects.get
resourcemanager.projects.list
serviceusage.quotas.get
serviceusage.services.get
serviceusage.services.list
Compute Organization Resource Admin
(roles/)
Full control of Compute Engine Firewall Policy associations to the organization or folders.
compute.globalOperations.get
compute.
compute.globalOperations.list
compute.
compute.
compute.
compute.
compute.projects.get
resourcemanager.projects.get
resourcemanager.projects.list
serviceusage.quotas.get
serviceusage.services.get
serviceusage.services.list
Compute OS Admin Login
(roles/)
Access to log in to a Compute Engine instance as an administrator
user.
Lowest-level resources where you can grant this role:
compute.
compute.disks.listTagBindings
compute.
compute.images.listTagBindings
compute.instanceSettings.get
compute.instances.get
compute.instances.list
compute.
compute.
compute.instances.osAdminLogin
compute.instances.osLogin
compute.projects.get
compute.
compute.
resourcemanager.projects.get
resourcemanager.projects.list
serviceusage.quotas.get
serviceusage.services.get
serviceusage.services.list
Compute OS Login
(roles/)
Access to log in to a Compute Engine instance as a standard user.
Lowest-level resources where you can grant this role:
compute.
compute.disks.listTagBindings
compute.
compute.images.listTagBindings
compute.instanceSettings.get
compute.instances.get
compute.instances.list
compute.
compute.
compute.instances.osLogin
compute.projects.get
compute.
compute.
resourcemanager.projects.get
resourcemanager.projects.list
serviceusage.quotas.get
serviceusage.services.get
serviceusage.services.list
Compute OS Login External User
(roles/)
Available only at the organization level.
Access for an external user to set OS Login information associated with
this organization. This role does not grant access to instances. External
users must be granted one of the required
OS Login roles
in order to allow access to instances using SSH.
Lowest-level resources where you can grant this role:
compute.
Compute packet mirroring admin
(roles/)
Specify resources to be mirrored.
compute.
compute.networks.mirror
compute.projects.get
compute.subnetworks.mirror
resourcemanager.projects.get
resourcemanager.projects.list
serviceusage.quotas.get
serviceusage.services.get
serviceusage.services.list
Compute packet mirroring user
(roles/)
Use Compute Engine packet mirrorings.
compute.packetMirrorings.*
compute.projects.get
resourcemanager.projects.get
resourcemanager.projects.list
serviceusage.quotas.get
serviceusage.services.get
serviceusage.services.list
Compute Public IP Admin
(roles/)
Full control of public IP address management for Compute Engine.
compute.addresses.*
compute.globalAddresses.*
compute.
compute.
compute.
resourcemanager.projects.get
resourcemanager.projects.list
Compute Security Admin
(roles/)
Permissions to create, modify, and delete firewall rules and SSL
certificates, and also to
configure Shielded VM
settings.
For example, if your company has a security team that manages firewalls
and SSL certificates and a networking team that manages the rest of the
networking resources, then grant this role to the security team's group.
Lowest-level resources where you can grant this role:
compute.backendBuckets.list
compute.backendServices.list
compute.firewallPolicies.*
compute.firewalls.*
compute.globalOperations.get
compute.globalOperations.list
compute.instanceSettings.get
compute.
compute.instances.list
compute.
compute.
compute.
compute.
compute.
compute.networks.get
compute.
compute.
compute.networks.list
compute.
compute.
compute.networks.updatePolicy
compute.packetMirrorings.*
compute.projects.get
compute.
compute.
compute.regionOperations.get
compute.regionOperations.list
compute.
compute.
compute.regionSslPolicies.*
compute.regions.*
compute.routers.get
compute.routers.getRoutePolicy
compute.routers.list
compute.routers.listBgpRoutes
compute.
compute.
compute.
compute.routes.get
compute.routes.list
compute.
compute.routes.listTagBindings
compute.securityPolicies.*
compute.sslCertificates.*
compute.sslPolicies.*
compute.subnetworks.get
compute.subnetworks.list
compute.
compute.
compute.targetInstances.list
compute.targetPools.list
compute.zoneOperations.get
compute.zoneOperations.list
compute.zones.*
resourcemanager.projects.get
resourcemanager.projects.list
serviceusage.quotas.get
serviceusage.services.get
serviceusage.services.list
Compute Sole Tenant Viewer
(roles/)
Permissions to view sole tenancy node groups
compute.nodeGroups.get
compute.
compute.nodeGroups.list
compute.nodeTemplates.get
compute.
compute.nodeTemplates.list
compute.nodeTypes.*
Compute Storage Admin
(roles/)
Permissions to create, modify, and delete disks, images, and snapshots.
For example, if your company has someone who manages project images and
you don't want them to have the editor role on the project, then grant
this role to their account on the project.
Lowest-level resources where you can grant this role:
compute.diskTypes.*
compute.disks.*
compute.globalOperations.get
compute.globalOperations.list
compute.images.*
compute.instanceSettings.get
compute.instantSnapshots.*
compute.licenseCodes.*
compute.licenses.*
compute.projects.get
compute.regionOperations.get
compute.regionOperations.list
compute.regions.*
compute.resourcePolicies.*
compute.snapshots.*
compute.storagePools.*
compute.zoneOperations.get
compute.zoneOperations.list
compute.zones.*
resourcemanager.projects.get
resourcemanager.projects.list
serviceusage.quotas.get
serviceusage.services.get
serviceusage.services.list
Compute Viewer
(roles/)
Read-only access to get and list Compute Engine resources, without
being able to read the data stored on them.
For example, an account with this role could inventory all of the disks in
a project, but it could not read any of the data on those disks.
Lowest-level resources where you can grant this role:
Disk
Image
Instance
Instance template
Node group
Node template
Snapshot
compute.acceleratorTypes.*
compute.addresses.get
compute.addresses.list
compute.
compute.
compute.autoscalers.get
compute.autoscalers.list
compute.backendBuckets.get
compute.
compute.backendBuckets.list
compute.
compute.
compute.backendServices.get
compute.
compute.backendServices.list
compute.
compute.
compute.commitments.get
compute.commitments.list
compute.diskTypes.*
compute.disks.get
compute.disks.getIamPolicy
compute.disks.list
compute.
compute.disks.listTagBindings
compute.
compute.
compute.
compute.
compute.firewallPolicies.get
compute.
compute.firewallPolicies.list
compute.
compute.
compute.firewalls.get
compute.firewalls.list
compute.
compute.
compute.forwardingRules.get
compute.forwardingRules.list
compute.
compute.
compute.futureReservations.get
compute.
compute.
compute.globalAddresses.get
compute.globalAddresses.list
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.globalOperations.get
compute.
compute.globalOperations.list
compute.
compute.
compute.healthChecks.get
compute.healthChecks.list
compute.
compute.
compute.httpHealthChecks.get
compute.httpHealthChecks.list
compute.
compute.
compute.httpsHealthChecks.get
compute.httpsHealthChecks.list
compute.
compute.
compute.images.get
compute.images.getFromFamily
compute.images.getIamPolicy
compute.images.list
compute.
compute.images.listTagBindings
compute.
compute.
compute.
compute.
compute.instanceGroups.get
compute.instanceGroups.list
compute.
compute.
compute.instanceSettings.get
compute.instanceTemplates.get
compute.
compute.instanceTemplates.list
compute.instances.get
compute.
compute.
compute.instances.getIamPolicy
compute.
compute.
compute.
compute.
compute.instances.list
compute.
compute.
compute.
compute.instantSnapshots.get
compute.
compute.instantSnapshots.list
compute.
compute.
compute.
compute.
compute.
compute.
compute.interconnects.get
compute.interconnects.list
compute.
compute.
compute.licenseCodes.get
compute.
compute.licenseCodes.list
compute.licenses.get
compute.licenses.getIamPolicy
compute.licenses.list
compute.machineImages.get
compute.
compute.machineImages.list
compute.machineTypes.*
compute.multiMig.get
compute.multiMig.list
compute.networkAttachments.get
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.networkProfiles.*
compute.networks.get
compute.
compute.
compute.networks.list
compute.
compute.
compute.
compute.nodeGroups.get
compute.
compute.nodeGroups.list
compute.nodeTemplates.get
compute.
compute.nodeTemplates.list
compute.nodeTypes.*
compute.
compute.packetMirrorings.get
compute.packetMirrorings.list
compute.
compute.
compute.projects.get
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.regionHealthChecks.get
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.regionOperations.get
compute.
compute.regionOperations.list
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.regionSslPolicies.get
compute.regionSslPolicies.list
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.regionUrlMaps.get
compute.regionUrlMaps.list
compute.
compute.
compute.regionUrlMaps.validate
compute.regions.*
compute.reservationBlocks.*
compute.reservations.get
compute.reservations.list
compute.resourcePolicies.get
compute.
compute.resourcePolicies.list
compute.routers.get
compute.routers.getRoutePolicy
compute.routers.list
compute.routers.listBgpRoutes
compute.
compute.
compute.
compute.routes.get
compute.routes.list
compute.
compute.routes.listTagBindings
compute.securityPolicies.get
compute.securityPolicies.list
compute.
compute.
compute.serviceAttachments.get
compute.
compute.
compute.
compute.
compute.snapshotSettings.get
compute.snapshots.get
compute.snapshots.getIamPolicy
compute.snapshots.list
compute.
compute.
compute.spotAssistants.get
compute.sslCertificates.get
compute.sslCertificates.list
compute.
compute.
compute.sslPolicies.get
compute.sslPolicies.list
compute.
compute.
compute.
compute.storagePools.get
compute.
compute.storagePools.list
compute.subnetworks.get
compute.
compute.subnetworks.list
compute.
compute.
compute.targetGrpcProxies.get
compute.targetGrpcProxies.list
compute.
compute.
compute.targetHttpProxies.get
compute.targetHttpProxies.list
compute.
compute.
compute.targetHttpsProxies.get
compute.
compute.
compute.
compute.targetInstances.get
compute.targetInstances.list
compute.
compute.
compute.targetPools.get
compute.targetPools.list
compute.
compute.
compute.targetSslProxies.get
compute.targetSslProxies.list
compute.
compute.
compute.targetTcpProxies.get
compute.targetTcpProxies.list
compute.
compute.
compute.targetVpnGateways.get
compute.targetVpnGateways.list
compute.
compute.
compute.urlMaps.get
compute.urlMaps.list
compute.
compute.
compute.urlMaps.validate
compute.vpnGateways.get
compute.vpnGateways.list
compute.
compute.
compute.vpnTunnels.get
compute.vpnTunnels.list
compute.
compute.
compute.zoneOperations.get
compute.
compute.zoneOperations.list
compute.zones.*
resourcemanager.projects.get
resourcemanager.projects.list
serviceusage.quotas.get
serviceusage.services.get
serviceusage.services.list
Compute Shared VPC Admin
(roles/)
Permissions to administer shared VPC host projects,
specifically enabling the host projects and associating shared VPC service projects to the host
project's network.
At the organization level, this role can only be granted by an organization admin.
Google Cloud recommends that the Shared VPC Admin be the owner of the shared VPC host project. The
Shared VPC Admin is responsible for granting the Compute Network User role
(roles/compute.networkUser) to service owners, and the shared VPC host project owner
controls the project itself. Managing the project is easier if a single principal (individual or
group) can fulfill both roles.
Lowest-level resources where you can grant this role:
compute.globalOperations.get
compute.globalOperations.list
compute.
compute.
compute.
compute.
compute.projects.get
compute.
compute.
resourcemanager.
resourcemanager.projects.get
resourcemanager.
resourcemanager.projects.list
OS Config Admin
Beta
(roles/)
Full access to OS Config resources
osconfig.*
GuestPolicy Admin
Beta
(roles/)
Full admin access to GuestPolicies
osconfig.guestPolicies.*
resourcemanager.projects.get
resourcemanager.projects.list
GuestPolicy Editor
Beta
(roles/)
Editor of GuestPolicy resources
osconfig.guestPolicies.get
osconfig.guestPolicies.list
osconfig.guestPolicies.update
resourcemanager.projects.get
resourcemanager.projects.list
GuestPolicy Viewer
Beta
(roles/)
Viewer of GuestPolicy resources
osconfig.guestPolicies.get
osconfig.guestPolicies.list
resourcemanager.projects.get
resourcemanager.projects.list
InstanceOSPoliciesCompliance Viewer
Beta
(roles/)
Viewer of OS Policies Compliance of VM instances
osconfig.
resourcemanager.projects.get
resourcemanager.projects.list
OS Inventory Viewer
(roles/)
Viewer of OS Inventories
osconfig.inventories.*
resourcemanager.projects.get
resourcemanager.projects.list
OSPolicyAssignment Admin
(roles/)
Full admin access to OS Policy Assignments
osconfig.osPolicyAssignments.*
resourcemanager.projects.get
resourcemanager.projects.list
OSPolicyAssignment Editor
(roles/)
Editor of OS Policy Assignments
osconfig.
osconfig.
osconfig.
osconfig.
resourcemanager.projects.get
resourcemanager.projects.list
OSPolicyAssignmentReport Viewer
(roles/)
Viewer of OS policy assignment reports for VM instances
osconfig.
resourcemanager.projects.get
resourcemanager.projects.list
OSPolicyAssignment Viewer
(roles/)
Viewer of OS Policy Assignments
osconfig.
osconfig.
osconfig.
resourcemanager.projects.get
resourcemanager.projects.list
PatchDeployment Admin
(roles/)
Full admin access to PatchDeployments
osconfig.patchDeployments.*
resourcemanager.projects.get
resourcemanager.projects.list
PatchDeployment Viewer
(roles/)
Viewer of PatchDeployment resources
osconfig.patchDeployments.get
osconfig.patchDeployments.list
resourcemanager.projects.get
resourcemanager.projects.list
Patch Job Executor
(roles/)
Access to execute Patch Jobs.
osconfig.patchJobs.*
resourcemanager.projects.get
resourcemanager.projects.list
Patch Job Viewer
(roles/)
Get and list Patch Jobs.
osconfig.patchJobs.get
osconfig.patchJobs.list
resourcemanager.projects.get
resourcemanager.projects.list
PolicyOrchestrator Admin
Beta
(roles/)
Admin of PolicyOrchestrator resources
osconfig.locations.*
osconfig.operations.get
osconfig.policyOrchestrators.*
PolicyOrchestrator Viewer
Beta
(roles/)
Viewer of PolicyOrchestrator resources
osconfig.locations.*
osconfig.operations.get
osconfig.
osconfig.
Project Feature Settings Editor
(roles/)
Read/write access to project feature settings
osconfig.
resourcemanager.projects.get
resourcemanager.projects.list
Project Feature Settings Viewer
(roles/)
Read access to project feature settings
osconfig.
resourcemanager.projects.get
resourcemanager.projects.list
Upgrade Report Viewer
Beta
(roles/)
Provides read-only access to VM Manager Upgrade Reports
osconfig.upgradeReports.*
resourcemanager.projects.get
resourcemanager.projects.list
OS Config Viewer
Beta
(roles/)
Readonly access to OS Config resources
osconfig.guestPolicies.get
osconfig.guestPolicies.list
osconfig.
osconfig.inventories.*
osconfig.locations.*
osconfig.operations.get
osconfig.operations.list
osconfig.
osconfig.
osconfig.
osconfig.
osconfig.patchDeployments.get
osconfig.patchDeployments.list
osconfig.patchJobs.get
osconfig.patchJobs.list
osconfig.
osconfig.
osconfig.
osconfig.upgradeReports.*
osconfig.
OS VulnerabilityReport Viewer
(roles/)
Viewer of OS VulnerabilityReports
osconfig.
resourcemanager.projects.get
resourcemanager.projects.list
Container Analysis roles
Permissions
Container Analysis Admin
(roles/)
Access to all Container Analysis resources.
containeranalysis.
containeranalysis.notes.create
containeranalysis.notes.delete
containeranalysis.notes.get
containeranalysis.
containeranalysis.notes.list
containeranalysis.
containeranalysis.notes.update
containeranalysis.
resourcemanager.projects.get
resourcemanager.projects.list
Container Analysis Notes Attacher
(roles/)
Can attach Container Analysis Occurrences to Notes.
containeranalysis.
containeranalysis.notes.get
Container Analysis Notes Editor
(roles/)
Can edit Container Analysis Notes.
containeranalysis.
containeranalysis.notes.create
containeranalysis.notes.delete
containeranalysis.notes.get
containeranalysis.notes.list
containeranalysis.notes.update
resourcemanager.projects.get
resourcemanager.projects.list
Container Analysis Occurrences for Notes Viewer
(roles/)
Can view all Container Analysis Occurrences attached to a Note.
containeranalysis.notes.get
containeranalysis.
Container Analysis Notes Viewer
(roles/)
Can view Container Analysis Notes.
containeranalysis.notes.get
containeranalysis.notes.list
resourcemanager.projects.get
resourcemanager.projects.list
Container Analysis Occurrences Editor
(roles/)
Can edit Container Analysis Occurrences.
containeranalysis.
containeranalysis.
containeranalysis.
containeranalysis.
containeranalysis.
resourcemanager.projects.get
resourcemanager.projects.list
Container Analysis Occurrences Viewer
(roles/)
Can view Container Analysis Occurrences.
containeranalysis.
containeranalysis.
resourcemanager.projects.get
resourcemanager.projects.list
Data Catalog roles
Permissions
Data Catalog Admin
(roles/)
Full access to all DataCatalog resources
bigquery.connections.get
bigquery.connections.updateTag
bigquery.datasets.get
bigquery.datasets.updateTag
bigquery.models.getMetadata
bigquery.models.updateTag
bigquery.routines.get
bigquery.routines.updateTag
bigquery.tables.get
bigquery.tables.updateTag
datacatalog.catalogs.searchAll
datacatalog.
datacatalog.
datacatalog.entries.*
datacatalog.entryGroups.*
datacatalog.migrationConfig.*
datacatalog.operations.list
datacatalog.relationships.*
datacatalog.tagTemplates.*
datacatalog.taxonomies.*
dataplex.projects.search
pubsub.topics.get
pubsub.topics.updateTag
resourcemanager.projects.get
resourcemanager.projects.list
Policy Tag Admin
(roles/)
Manage taxonomies
datacatalog.
datacatalog.
datacatalog.taxonomies.*
resourcemanager.projects.get
resourcemanager.projects.list
Fine-Grained Reader
(roles/)
Read access to sub-resources tagged by a policy tag, for example, BigQuery columns
datacatalog.
DataCatalog Data Steward
Beta
(roles/)
Can update overview and data steward fields
datacatalog.entries.get
datacatalog.entries.list
datacatalog.
datacatalog.
datacatalog.entryGroups.get
datacatalog.
datacatalog.relationships.list
dataplex.projects.search
resourcemanager.projects.get
resourcemanager.projects.list
DataCatalog EntryGroup Creator
(roles/)
Can create new entryGroups
datacatalog.entryGroups.create
datacatalog.entryGroups.get
datacatalog.entryGroups.list
dataplex.projects.search
resourcemanager.projects.get
resourcemanager.projects.list
DataCatalog EntryGroup Owner
(roles/)
Full access to entryGroups
datacatalog.entries.*
datacatalog.entryGroups.*
dataplex.projects.search
resourcemanager.projects.get
resourcemanager.projects.list
DataCatalog Entry Owner
(roles/)
Full access to entries
datacatalog.entries.*
datacatalog.entryGroups.get
dataplex.projects.search
resourcemanager.projects.get
resourcemanager.projects.list
DataCatalog Entry Viewer
(roles/)
Read access to entries
datacatalog.entries.get
datacatalog.entries.list
datacatalog.entryGroups.get
datacatalog.
datacatalog.relationships.list
dataplex.projects.search
resourcemanager.projects.get
resourcemanager.projects.list
DataCatalog Glossary Owner
Beta
(roles/)
Full access to glossaries
datacatalog.entries.*
datacatalog.relationships.*
dataplex.projects.search
DataCatalog Glossary User
Beta
(roles/)
Can view glossaries and associate terms to entries
datacatalog.entries.get
datacatalog.entries.list
datacatalog.relationships.*
dataplex.projects.search
DataCatalog Migration Config Admin
Beta
(roles/)
Full access to Migration Config
datacatalog.migrationConfig.*
resourcemanager.
resourcemanager.projects.get
resourcemanager.projects.list
DataCatalog Search Admin
Beta
(roles/)
Can search all metadata for a project/org in DataCatalog
datacatalog.catalogs.searchAll
dataplex.projects.search
resourcemanager.
resourcemanager.projects.get
resourcemanager.projects.list
Data Catalog Tag Editor
(roles/)
Access to modify metadata tags for entries, as well as BigQuery and
Pub/Sub data assets
bigquery.connections.updateTag
bigquery.datasets.updateTag
bigquery.models.updateTag
bigquery.routines.updateTag
bigquery.tables.updateTag
datacatalog.entries.updateTag
datacatalog.
pubsub.topics.updateTag
Data Catalog TagTemplate Creator
(roles/)
Access to create new tag templates
datacatalog.
datacatalog.tagTemplates.get
dataplex.projects.search
Data Catalog TagTemplate Owner
(roles/)
Full access to tag templates
datacatalog.tagTemplates.*
dataplex.projects.search
resourcemanager.projects.get
resourcemanager.projects.list
Data Catalog TagTemplate User
(roles/)
Access to apply a tag template to an entry (to modify tags, see Data Catalog Tag Editor)
datacatalog.tagTemplates.get
datacatalog.
datacatalog.tagTemplates.use
dataplex.projects.search
resourcemanager.projects.get
resourcemanager.projects.list
Data Catalog TagTemplate Viewer
(roles/)
Read access to templates and tags created using the templates
datacatalog.tagTemplates.get
datacatalog.
dataplex.projects.search
resourcemanager.projects.get
resourcemanager.projects.list
Data Catalog Viewer
(roles/)
Provides metadata read access to catalogued Google Cloud assets for BigQuery
and Pub/Sub
bigquery.connections.get
bigquery.datasets.get
bigquery.models.getMetadata
bigquery.routines.get
bigquery.tables.get
datacatalog.entries.get
datacatalog.entries.list
datacatalog.entryGroups.get
datacatalog.entryGroups.list
datacatalog.
datacatalog.operations.list
datacatalog.relationships.list
datacatalog.tagTemplates.get
datacatalog.
datacatalog.taxonomies.get
datacatalog.taxonomies.list
dataplex.projects.search
pubsub.topics.get
resourcemanager.projects.get
resourcemanager.projects.list
Data Connectors roles
Permissions
Connector Admin
Beta
(roles/)
Full access to Data Connectors.
dataconnectors.*
resourcemanager.projects.get
resourcemanager.projects.list
Connector User
Beta
(roles/)
Access to use Data Connectors.
dataconnectors.connectors.get
dataconnectors.
dataconnectors.connectors.list
dataconnectors.connectors.use
Data Migration roles
Permissions
Database Migration Admin
(roles/)
Full access to all resources of Database Migration.
cloudaicompanion.
datamigration.*
resourcemanager.projects.get
resourcemanager.projects.list
Data Pipelines roles
Permissions
Data pipelines Admin
(roles/)
Administrator of Data pipelines resources
datapipelines.*
resourcemanager.projects.get
resourcemanager.projects.list
Data pipelines Invoker
(roles/)
Invoker of Data pipelines jobs
datapipelines.pipelines.run
resourcemanager.projects.get
resourcemanager.projects.list
Data pipelines Viewer
(roles/)
Viewer of Data pipelines resources
datapipelines.jobs.list
datapipelines.pipelines.get
datapipelines.pipelines.list
resourcemanager.projects.get
resourcemanager.projects.list
Data Studio roles
Permissions
Data Studio Admin
Beta
(roles/)
Data Studio Admin
datastudio.*
resourcemanager.projects.get
resourcemanager.projects.list
Data Studio Workspace Content Manager
Beta
(roles/)
Content Manager of a Data Studio resource
datastudio.datasources.get
datastudio.
datastudio.datasources.move
datastudio.
datastudio.datasources.search
datastudio.
datastudio.datasources.share
datastudio.datasources.trash
datastudio.datasources.update
datastudio.reports.get
datastudio.
datastudio.reports.move
datastudio.
datastudio.reports.search
datastudio.
datastudio.reports.share
datastudio.reports.trash
datastudio.reports.update
datastudio.
datastudio.workspaces.get
datastudio.
datastudio.workspaces.moveIn
datastudio.workspaces.search
resourcemanager.projects.get
resourcemanager.
Data Studio Workspace Contributor
Beta
(roles/)
Contributor of a Data Studio resource
datastudio.datasources.get
datastudio.
datastudio.
datastudio.datasources.search
datastudio.
datastudio.datasources.share
datastudio.datasources.update
datastudio.reports.get
datastudio.
datastudio.
datastudio.reports.search
datastudio.
datastudio.reports.share
datastudio.reports.update
datastudio.
datastudio.workspaces.get
datastudio.
datastudio.workspaces.moveIn
datastudio.workspaces.search
resourcemanager.projects.get
resourcemanager.
Data Studio Asset Editor
Beta
(roles/)
Editor of a Data Studio resource
datastudio.datasources.get
datastudio.
datastudio.datasources.search
datastudio.datasources.update
datastudio.reports.get
datastudio.
datastudio.reports.search
datastudio.reports.update
resourcemanager.projects.get
resourcemanager.
Data Studio Workspace Manager
Beta
(roles/)
Manager of a Data Studio resource
datastudio.*
resourcemanager.projects.get
resourcemanager.
Data Studio Asset Viewer
Beta
(roles/)
Viewer of a Data Studio resource
datastudio.datasources.get
datastudio.datasources.search
datastudio.reports.get
datastudio.reports.search
resourcemanager.projects.get
Data Studio Workspace Viewer
Beta
(roles/)
Viewer of a Data Studio Workspace
datastudio.datasources.get
datastudio.datasources.search
datastudio.reports.get
datastudio.reports.search
datastudio.workspaces.get
datastudio.workspaces.search
resourcemanager.projects.get
Looker Admin
Beta
(roles/)
Admin of Looker instance mapping to a Studio subscription
datastudio.*
resourcemanager.projects.get
resourcemanager.
Looker Studio Pro Manager
Beta
(roles/)
Looker Studio Pro Manager
lookerstudio.pro.manage
resourcemanager.projects.get
resourcemanager.projects.list
resourcemanager.
Dataflow roles
Permissions
Dataflow Admin
(roles/)
Minimal role for creating and managing dataflow jobs.
cloudbuild.builds.create
cloudbuild.builds.get
cloudbuild.builds.list
cloudbuild.builds.update
cloudbuild.operations.*
compute.machineTypes.get
compute.projects.get
compute.regions.list
compute.zones.list
dataflow.jobs.*
dataflow.messages.list
dataflow.metrics.get
dataflow.snapshots.*
recommender.
remotebuildexecution.blobs.get
resourcemanager.projects.get
resourcemanager.projects.list
storage.buckets.get
storage.objects.create
storage.objects.get
storage.objects.list
Dataflow Developer
(roles/)
Provides the permissions necessary to execute and manipulate
Dataflow jobs.
Lowest-level resources where you can grant this role:
cloudbuild.builds.create
cloudbuild.builds.get
cloudbuild.builds.list
cloudbuild.builds.update
cloudbuild.operations.*
compute.projects.get
compute.regions.list
compute.zones.list
dataflow.jobs.*
dataflow.messages.list
dataflow.metrics.get
dataflow.snapshots.*
recommender.
remotebuildexecution.blobs.get
resourcemanager.projects.get
resourcemanager.projects.list
Dataflow Viewer
(roles/)
Provides read-only access to all Dataflow-related
resources.
Lowest-level resources where you can grant this role:
dataflow.jobs.get
dataflow.jobs.list
dataflow.messages.list
dataflow.metrics.get
dataflow.snapshots.get
dataflow.snapshots.list
recommender.
recommender.
resourcemanager.projects.get
resourcemanager.projects.list
Dataflow Worker
(roles/)
Provides the permissions necessary for a Compute Engine service
account to execute work units for a Dataflow pipeline.
Lowest-level resources where you can grant this role:
autoscaling.
autoscaling.sites.writeMetrics
autoscaling.sites.writeState
compute.
compute.instances.delete
compute.
dataflow.jobs.get
dataflow.shuffle.*
dataflow.streamingWorkItems.*
dataflow.workItems.*
logging.logEntries.create
logging.logEntries.route
monitoring.timeSeries.create
storage.buckets.get
storage.objects.create
storage.objects.get
Permissions
(roles/)
Full access to all Dataform resources.
dataform.*
resourcemanager.projects.get
resourcemanager.projects.list
(roles/)
Access only to private and shared code resources. The permissions in the Code Creator let you create and list code in Dataform, and access only the code that you created and code that was explicitly shared with you.
dataform.locations.*
dataform.repositories.create
dataform.repositories.list
resourcemanager.projects.get
resourcemanager.projects.list
(roles/)
Edit access code resources.
dataform.locations.*
dataform.repositories.commit
dataform.
dataform.repositories.create
dataform.
dataform.
dataform.repositories.get
dataform.
dataform.repositories.list
dataform.
dataform.repositories.readFile
dataform.workspaces.commit
dataform.workspaces.create
dataform.workspaces.delete
dataform.
dataform.
dataform.
dataform.workspaces.get
dataform.
dataform.
dataform.workspaces.list
dataform.
dataform.
dataform.workspaces.moveFile
dataform.workspaces.pull
dataform.workspaces.push
dataform.
dataform.workspaces.readFile
dataform.
dataform.workspaces.removeFile
dataform.workspaces.reset
dataform.
dataform.workspaces.writeFile
resourcemanager.projects.get
resourcemanager.projects.list
(roles/)
Full access to code resources.
dataform.locations.*
dataform.repositories.*
dataform.workspaces.*
resourcemanager.projects.get
resourcemanager.projects.list
(roles/)
Read-only access to all code resources.
dataform.locations.*
dataform.
dataform.
dataform.
dataform.repositories.get
dataform.
dataform.repositories.list
dataform.
dataform.repositories.readFile
dataform.
dataform.
dataform.
dataform.workspaces.get
dataform.
dataform.workspaces.list
dataform.
dataform.workspaces.readFile
dataform.
resourcemanager.projects.get
resourcemanager.projects.list
(roles/)
Edit access to Workspaces and Read-only access to Repositories.
dataform.compilationResults.*
dataform.config.get
dataform.locations.*
dataform.releaseConfigs.get
dataform.releaseConfigs.list
dataform.
dataform.
dataform.
dataform.repositories.get
dataform.
dataform.repositories.list
dataform.
dataform.repositories.readFile
dataform.workflowConfigs.get
dataform.workflowConfigs.list
dataform.workflowInvocations.*
dataform.workspaces.commit
dataform.workspaces.create
dataform.workspaces.delete
dataform.
dataform.
dataform.
dataform.workspaces.get
dataform.
dataform.
dataform.workspaces.list
dataform.
dataform.
dataform.workspaces.moveFile
dataform.workspaces.pull
dataform.workspaces.push
dataform.
dataform.workspaces.readFile
dataform.
dataform.workspaces.removeFile
dataform.workspaces.reset
dataform.
dataform.workspaces.writeFile
resourcemanager.projects.get
resourcemanager.projects.list
(roles/)
Read-only access to all Dataform resources.
dataform.
dataform.
dataform.
dataform.config.get
dataform.locations.*
dataform.releaseConfigs.get
dataform.releaseConfigs.list
dataform.
dataform.
dataform.
dataform.repositories.get
dataform.
dataform.repositories.list
dataform.
dataform.repositories.readFile
dataform.workflowConfigs.get
dataform.workflowConfigs.list
dataform.
dataform.
dataform.
dataform.
dataform.
dataform.
dataform.workspaces.get
dataform.
dataform.workspaces.list
dataform.
dataform.workspaces.readFile
dataform.
resourcemanager.projects.get
resourcemanager.projects.list
Dataprep roles
Permissions
Dataprep User
Beta
(roles/)
Use of Dataprep.
dataprep.projects.use
resourcemanager.projects.get
serviceusage.quotas.get
serviceusage.services.get
serviceusage.services.list
Dataproc roles
Permissions
Dataproc Administrator
(roles/)
Full control of Dataproc resources.
compute.machineTypes.*
compute.networks.get
compute.networks.list
compute.projects.get
compute.regions.*
compute.zones.*
dataproc.autoscalingPolicies.*
dataproc.batches.analyze
dataproc.batches.cancel
dataproc.batches.create
dataproc.batches.delete
dataproc.batches.get
dataproc.batches.list
dataproc.
dataproc.clusters.*
dataproc.jobs.*
dataproc.nodeGroups.*
dataproc.operations.*
dataproc.sessionTemplates.*
dataproc.sessions.create
dataproc.sessions.delete
dataproc.sessions.get
dataproc.sessions.list
dataproc.
dataproc.sessions.terminate
dataproc.workflowTemplates.*
dataprocrm.nodePools.*
dataprocrm.nodes.get
dataprocrm.nodes.heartbeat
dataprocrm.nodes.list
dataprocrm.nodes.update
dataprocrm.operations.get
dataprocrm.operations.list
dataprocrm.workloads.*
resourcemanager.projects.get
resourcemanager.projects.list
Dataproc Editor
(roles/)
Provides the permissions necessary for viewing the resources required to
manage Dataproc, including machine types, networks, projects,
and zones.
Lowest-level resources where you can grant this role:
compute.machineTypes.*
compute.networks.get
compute.networks.list
compute.projects.get
compute.regions.*
compute.zones.*
dataproc.
dataproc.
dataproc.
dataproc.
dataproc.
dataproc.
dataproc.batches.analyze
dataproc.batches.cancel
dataproc.batches.create
dataproc.batches.delete
dataproc.batches.get
dataproc.batches.list
dataproc.
dataproc.clusters.create
dataproc.clusters.delete
dataproc.clusters.get
dataproc.clusters.list
dataproc.clusters.start
dataproc.clusters.stop
dataproc.clusters.update
dataproc.clusters.use
dataproc.jobs.cancel
dataproc.jobs.create
dataproc.jobs.delete
dataproc.jobs.get
dataproc.jobs.list
dataproc.jobs.update
dataproc.nodeGroups.*
dataproc.operations.cancel
dataproc.operations.delete
dataproc.operations.get
dataproc.operations.list
dataproc.sessionTemplates.*
dataproc.sessions.create
dataproc.sessions.delete
dataproc.sessions.get
dataproc.sessions.list
dataproc.
dataproc.sessions.terminate
dataproc.
dataproc.
dataproc.workflowTemplates.get
dataproc.
dataproc.
dataproc.
dataproc.
dataprocrm.nodePools.*
dataprocrm.nodes.get
dataprocrm.nodes.heartbeat
dataprocrm.nodes.list
dataprocrm.nodes.update
dataprocrm.operations.get
dataprocrm.operations.list
dataprocrm.workloads.*
resourcemanager.projects.get
resourcemanager.projects.list
Dataproc Hub Agent
(roles/)
Allows management of Dataproc resources. Intended for service accounts running Dataproc Hub instances.
compute.instances.get
compute.instances.setMetadata
compute.instances.setTags
compute.zoneOperations.get
compute.zones.list
dataproc.
dataproc.
dataproc.
dataproc.clusters.create
dataproc.clusters.delete
dataproc.clusters.get
dataproc.clusters.list
dataproc.clusters.update
dataproc.operations.cancel
dataproc.operations.delete
dataproc.operations.get
dataproc.operations.list
iam.serviceAccounts.actAs
iam.serviceAccounts.get
iam.serviceAccounts.list
logging.buckets.get
logging.buckets.list
logging.exclusions.get
logging.exclusions.list
logging.links.get
logging.links.list
logging.locations.*
logging.logEntries.create
logging.logEntries.list
logging.logEntries.route
logging.logMetrics.get
logging.logMetrics.list
logging.logScopes.get
logging.logScopes.list
logging.logServiceIndexes.list
logging.logServices.list
logging.logs.list
logging.operations.get
logging.operations.list
logging.queries.getShared
logging.queries.listShared
logging.queries.usePrivate
logging.sinks.get
logging.sinks.list
logging.usage.get
logging.views.get
logging.views.list
observability.scopes.get
resourcemanager.projects.get
resourcemanager.projects.list
storage.buckets.get
storage.objects.get
storage.objects.list
Dataproc serverless session user permissions
(roles/)
Permissions needed to run serverless sessions as a user
compute.projects.get
compute.regions.*
compute.zones.*
dataproc.batches.analyze
dataproc.batches.cancel
dataproc.batches.create
dataproc.batches.delete
dataproc.batches.get
dataproc.batches.list
dataproc.operations.cancel
dataproc.operations.delete
dataproc.operations.get
dataproc.operations.list
dataproc.sessionTemplates.*
dataproc.sessions.*
dataprocrm.nodePools.*
dataprocrm.nodes.get
dataprocrm.nodes.heartbeat
dataprocrm.nodes.list
dataprocrm.nodes.update
dataprocrm.operations.get
dataprocrm.operations.list
dataprocrm.workloads.*
resourcemanager.projects.get
resourcemanager.projects.list
Dataproc Serverless Node.
(roles/)
Node access to Dataproc Serverless sessions. Intended for service accounts.
dataproc.
dataproc.
dataprocrm.nodePools.*
Dataproc serverless session view permissions
(roles/)
Permissions needed to view serverless sessions
compute.projects.get
compute.regions.*
compute.zones.*
dataproc.batches.get
dataproc.batches.list
dataproc.sessionTemplates.get
dataproc.sessionTemplates.list
dataproc.sessions.get
dataproc.sessions.list
resourcemanager.projects.get
resourcemanager.projects.list
Dataproc Viewer
(roles/)
Provides read-only access to Dataproc resources.
Lowest-level resources where you can grant this role:
compute.machineTypes.get
compute.regions.*
compute.zones.*
dataproc.
dataproc.
dataproc.batches.analyze
dataproc.batches.get
dataproc.batches.list
dataproc.
dataproc.clusters.get
dataproc.clusters.list
dataproc.jobs.get
dataproc.jobs.list
dataproc.nodeGroups.get
dataproc.operations.get
dataproc.operations.list
dataproc.sessionTemplates.get
dataproc.sessionTemplates.list
dataproc.sessions.get
dataproc.sessions.list
dataproc.
dataproc.workflowTemplates.get
dataproc.
resourcemanager.projects.get
resourcemanager.projects.list
Dataproc Worker
(roles/)
Provides worker access to Dataproc resources. Intended for service accounts.
cloudprofiler.profiles.create
cloudprofiler.profiles.update
dataproc.agents.*
dataproc.
dataproc.
dataproc.tasks.*
dataprocrm.
logging.logEntries.create
logging.logEntries.route
monitoring.
monitoring.
monitoring.
monitoring.
monitoring.timeSeries.create
storage.buckets.get
storage.folders.*
storage.managedFolders.create
storage.managedFolders.delete
storage.managedFolders.get
storage.managedFolders.list
storage.multipartUploads.*
storage.objects.*
Permissions
(roles/)
Full access to all Dataproc Metastore resources.
metastore.backups.*
metastore.federations.*
metastore.imports.*
metastore.locations.*
metastore.migrations.*
metastore.operations.*
metastore.services.create
metastore.services.delete
metastore.services.export
metastore.services.get
metastore.
metastore.services.list
metastore.services.restore
metastore.
metastore.services.update
resourcemanager.projects.get
resourcemanager.projects.list
(roles/)
Read and write access to all Dataproc Metastore resources.
metastore.backups.create
metastore.backups.delete
metastore.backups.get
metastore.backups.list
metastore.backups.use
metastore.federations.create
metastore.federations.delete
metastore.federations.get
metastore.federations.list
metastore.federations.update
metastore.imports.*
metastore.locations.*
metastore.migrations.*
metastore.operations.*
metastore.services.create
metastore.services.delete
metastore.services.export
metastore.services.get
metastore.
metastore.services.list
metastore.services.restore
metastore.services.update
resourcemanager.projects.get
resourcemanager.projects.list
(roles/)
Access to the Metastore Federation resource.
metastore.federations.use
(roles/)
Access to read and modify the metadata of databases and tables under those databases.
metastore.databases.create
metastore.databases.delete
metastore.databases.get
metastore.
metastore.databases.list
metastore.databases.update
metastore.services.get
metastore.services.use
metastore.tables.create
metastore.tables.delete
metastore.tables.get
metastore.tables.getIamPolicy
metastore.tables.list
metastore.tables.update
(roles/)
Access to mutate metadata from a Dataproc Metastore service's underlying metadata store.
metastore.
(roles/)
Read-only access to Dataproc Metastore resources with additional metadata operations permission.
metastore.backups.create
metastore.backups.delete
metastore.backups.get
metastore.backups.list
metastore.backups.use
metastore.imports.*
metastore.locations.*
metastore.operations.get
metastore.operations.list
metastore.services.export
metastore.services.get
metastore.
metastore.services.list
metastore.services.restore
resourcemanager.projects.get
resourcemanager.projects.list
(roles/)
Full access to the metadata of databases and tables under those databases.
metastore.databases.*
metastore.services.get
metastore.
metastore.services.list
metastore.services.use
metastore.tables.*
(roles/)
Access to query metadata from a Dataproc Metastore service's underlying metadata store.
metastore.
(roles/)
Access to the Dataproc Metastore gRPC endpoint
metastore.databases.get
metastore.databases.list
metastore.services.get
metastore.services.use
(roles/)
Access to read the metadata of databases and tables under those databases
metastore.databases.get
metastore.
metastore.databases.list
metastore.services.get
metastore.services.use
metastore.tables.get
metastore.tables.getIamPolicy
metastore.tables.list
(roles/)
Access to Dataproc Metastore Managed Migration resources and workflow.
cloudsql.instances.connect
cloudsql.instances.get
cloudsql.instances.login
compute.autoscalers.create
compute.autoscalers.delete
compute.disks.create
compute.disks.delete
compute.forwardingRules.create
compute.forwardingRules.delete
compute.forwardingRules.use
compute.
compute.
compute.
compute.instanceGroups.delete
compute.instanceGroups.use
compute.
compute.
compute.instanceTemplates.get
compute.
compute.instances.create
compute.instances.delete
compute.instances.get
compute.instances.setMetadata
compute.machineTypes.list
compute.
compute.
compute.
compute.
compute.
compute.regionHealthChecks.use
compute.
compute.
compute.
compute.subnetworks.get
compute.subnetworks.use
compute.zones.list
datastream.
datastream.
datastream.objects.*
datastream.operations.get
datastream.
datastream.
datastream.streams.create
datastream.streams.delete
datastream.streams.get
datastream.streams.update
(roles/)
Read-only access to all Dataproc Metastore resources.
metastore.backups.get
metastore.backups.list
metastore.federations.get
metastore.
metastore.federations.list
metastore.imports.get
metastore.imports.list
metastore.locations.*
metastore.operations.get
metastore.operations.list
metastore.services.export
metastore.services.get
metastore.
metastore.services.list
resourcemanager.projects.get
resourcemanager.projects.list
Datastore roles
Permissions
Cloud Datastore Backup Schedules Admin
(roles/)
Manage backup schedules in Cloud Datastore.
datastore.backupSchedules.*
datastore.
datastore.databases.list
Cloud Datastore Backup Schedules Viewer
(roles/)
Read access to backup schedules in Cloud Datastore.
datastore.backupSchedules.get
datastore.backupSchedules.list
Cloud Datastore Backups Admin
(roles/)
Read/Write access to metadata about backups in Cloud Datastore but restore is not allowed.
datastore.backups.delete
datastore.backups.get
datastore.backups.list
Cloud Datastore Backups Viewer
(roles/)
Read access to metadata about backups in Cloud Datastore.
datastore.backups.get
datastore.backups.list
Cloud Datastore Bulk Admin
(roles/)
Full access to manage bulk operations.
datastore.databases.bulkDelete
datastore.
datastore.operations.cancel
datastore.operations.get
datastore.operations.list
resourcemanager.projects.get
resourcemanager.projects.list
Cloud Datastore Import Export Admin
(roles/)
Provides full access to manage imports and exports.
Lowest-level resources where you can grant this role:
appengine.applications.get
datastore.databases.export
datastore.
datastore.databases.import
datastore.operations.cancel
datastore.operations.get
datastore.operations.list
resourcemanager.projects.get
resourcemanager.projects.list
Cloud Datastore Index Admin
(roles/)
Provides full access to manage index definitions.
Lowest-level resources where you can grant this role:
appengine.applications.get
datastore.
datastore.indexes.*
resourcemanager.projects.get
resourcemanager.projects.list
Cloud Datastore Key Visualizer Viewer
(roles/)
Full access to Key Visualizer scans.
datastore.
datastore.keyVisualizerScans.*
resourcemanager.projects.get
resourcemanager.projects.list
Cloud Datastore Owner
(roles/)
Provides full access to Datastore resources.
Lowest-level resources where you can grant this role:
appengine.applications.get
datastore.*
resourcemanager.projects.get
resourcemanager.projects.list
Cloud Datastore Restore Admin
(roles/)
Restore into Cloud Datastore Databases from Cloud Datastore Backups.
datastore.backups.get
datastore.backups.list
datastore.
datastore.databases.create
datastore.
datastore.databases.list
datastore.operations.get
datastore.operations.list
Cloud Datastore User
(roles/)
Provides read/write access to data in a Datastore database.
Lowest-level resources where you can grant this role:
appengine.applications.get
datastore.databases.get
datastore.
datastore.databases.list
datastore.entities.*
datastore.indexes.list
datastore.namespaces.*
datastore.statistics.*
resourcemanager.projects.get
resourcemanager.projects.list
Cloud Datastore Viewer
(roles/)
Provides read access to Datastore resources.
Lowest-level resources where you can grant this role:
appengine.applications.get
datastore.databases.get
datastore.
datastore.databases.list
datastore.entities.get
datastore.entities.list
datastore.indexes.get
datastore.indexes.list
datastore.namespaces.*
datastore.statistics.*
resourcemanager.projects.get
resourcemanager.projects.list
DataStream roles
Permissions
Datastream Admin
(roles/)
Full access to all Datastream resources.
datastream.*
resourcemanager.projects.get
resourcemanager.projects.list
Datastream Viewer
(roles/)
Read-only access to all Datastream resources.
datastream.
datastream.
datastream.
datastream.
datastream.
datastream.
datastream.
datastream.
datastream.
datastream.locations.*
datastream.objects.get
datastream.objects.list
datastream.operations.get
datastream.operations.list
datastream.
datastream.
datastream.
datastream.
datastream.
datastream.routes.get
datastream.routes.getIamPolicy
datastream.routes.list
datastream.streams.fetchErrors
datastream.streams.get
datastream.
datastream.streams.list
datastream.
datastream.
resourcemanager.projects.get
resourcemanager.projects.list
Deployment Manager roles
Permissions
Deployment Manager Editor
(roles/)
Provides the permissions necessary to create and manage deployments.
Lowest-level resources where you can grant this role:
deploymentmanager.
deploymentmanager.
deploymentmanager.
deploymentmanager.
deploymentmanager.
deploymentmanager.
deploymentmanager.
deploymentmanager.
deploymentmanager.manifests.*
deploymentmanager.operations.*
deploymentmanager.resources.*
deploymentmanager.
deploymentmanager.types.*
resourcemanager.projects.get
resourcemanager.projects.list
serviceusage.quotas.get
serviceusage.services.get
serviceusage.services.list
Deployment Manager Type Editor
(roles/)
Provides read and write access to all Type Registry resources.
Lowest-level resources where you can grant this role:
deploymentmanager.
deploymentmanager.
deploymentmanager.
deploymentmanager.types.*
resourcemanager.projects.get
resourcemanager.projects.list
serviceusage.quotas.get
serviceusage.services.get
Deployment Manager Type Viewer
(roles/)
Provides read-only access to all Type Registry resources.
Lowest-level resources where you can grant this role:
deploymentmanager.
deploymentmanager.
deploymentmanager.
deploymentmanager.
deploymentmanager.
deploymentmanager.
deploymentmanager.types.get
deploymentmanager.types.list
resourcemanager.projects.get
resourcemanager.projects.list
serviceusage.quotas.get
serviceusage.services.get
Deployment Manager Viewer
(roles/)
Provides read-only access to all Deployment Manager-related
resources.
Lowest-level resources where you can grant this role:
deploymentmanager.
deploymentmanager.
deploymentmanager.
deploymentmanager.
deploymentmanager.manifests.*
deploymentmanager.operations.*
deploymentmanager.resources.*
deploymentmanager.
deploymentmanager.
deploymentmanager.
deploymentmanager.
deploymentmanager.types.get
deploymentmanager.types.list
resourcemanager.projects.get
resourcemanager.projects.list
serviceusage.quotas.get
serviceusage.services.get
serviceusage.services.list
Dialogflow roles
Permissions
CX Premium Admin
(roles/)
An admin has access to all resources and can perform all administrative actions in an AAM project.
dialogflow.agents.export
dialogflow.agents.get
dialogflow.agents.list
dialogflow.agents.search
dialogflow.
dialogflow.answerrecords.get
dialogflow.answerrecords.list
dialogflow.callMatchers.list
dialogflow.changelogs.*
dialogflow.contexts.get
dialogflow.contexts.list
dialogflow.
dialogflow.
dialogflow.
dialogflow.
dialogflow.
dialogflow.
dialogflow.conversations.get
dialogflow.conversations.list
dialogflow.deployments.*
dialogflow.documents.get
dialogflow.documents.list
dialogflow.encryptionspec.get
dialogflow.entityTypes.get
dialogflow.entityTypes.list
dialogflow.environments.get
dialogflow.environments.list
dialogflow.examples.get
dialogflow.examples.list
dialogflow.experiments.get
dialogflow.experiments.list
dialogflow.flows.get
dialogflow.flows.list
dialogflow.fulfillments.get
dialogflow.generators.get
dialogflow.generators.list
dialogflow.integrations.get
dialogflow.integrations.list
dialogflow.intents.get
dialogflow.intents.list
dialogflow.knowledgeBases.get
dialogflow.knowledgeBases.list
dialogflow.messages.list
dialogflow.modelEvaluations.*
dialogflow.operations.get
dialogflow.pages.get
dialogflow.pages.list
dialogflow.participants.get
dialogflow.participants.list
dialogflow.
dialogflow.
dialogflow.phoneNumbers.list
dialogflow.playbooks.get
dialogflow.playbooks.list
dialogflow.
dialogflow.
dialogflow.
dialogflow.
dialogflow.
dialogflow.
dialogflow.testcases.get
dialogflow.testcases.list
dialogflow.tools.get
dialogflow.tools.list
dialogflow.
dialogflow.
dialogflow.versions.get
dialogflow.versions.list
dialogflow.webhooks.get
dialogflow.webhooks.list
resourcemanager.projects.get
resourcemanager.projects.list
CX Premium Conversational Architect
(roles/)
A Conversational Architect can label conversational data, approve taxonomy changes and design virtual agents for a customer's use cases.
dialogflow.agents.export
dialogflow.agents.get
dialogflow.agents.list
dialogflow.agents.search
dialogflow.
dialogflow.answerrecords.get
dialogflow.answerrecords.list
dialogflow.callMatchers.list
dialogflow.changelogs.*
dialogflow.contexts.get
dialogflow.contexts.list
dialogflow.
dialogflow.
dialogflow.
dialogflow.
dialogflow.
dialogflow.
dialogflow.conversations.get
dialogflow.conversations.list
dialogflow.deployments.*
dialogflow.documents.get
dialogflow.documents.list
dialogflow.encryptionspec.get
dialogflow.entityTypes.get
dialogflow.entityTypes.list
dialogflow.environments.get
dialogflow.environments.list
dialogflow.examples.get
dialogflow.examples.list
dialogflow.experiments.get
dialogflow.experiments.list
dialogflow.flows.get
dialogflow.flows.list
dialogflow.fulfillments.get
dialogflow.generators.get
dialogflow.generators.list
dialogflow.integrations.get
dialogflow.integrations.list
dialogflow.intents.get
dialogflow.intents.list
dialogflow.knowledgeBases.get
dialogflow.knowledgeBases.list
dialogflow.messages.list
dialogflow.modelEvaluations.*
dialogflow.operations.get
dialogflow.pages.get
dialogflow.pages.list
dialogflow.participants.get
dialogflow.participants.list
dialogflow.
dialogflow.
dialogflow.phoneNumbers.list
dialogflow.playbooks.get
dialogflow.playbooks.list
dialogflow.
dialogflow.
dialogflow.
dialogflow.
dialogflow.
dialogflow.
dialogflow.testcases.get
dialogflow.testcases.list
dialogflow.tools.get
dialogflow.tools.list
dialogflow.
dialogflow.
dialogflow.versions.get
dialogflow.versions.list
dialogflow.webhooks.get
dialogflow.webhooks.list
resourcemanager.projects.get
resourcemanager.projects.list
CX Premium Dialog Designer
(roles/)
A Dialog Designer can label conversational data and propose taxonomy changes for virtual agent modeling.
dialogflow.agents.export
dialogflow.agents.get
dialogflow.agents.list
dialogflow.agents.search
dialogflow.
dialogflow.answerrecords.get
dialogflow.answerrecords.list
dialogflow.callMatchers.list
dialogflow.changelogs.*
dialogflow.contexts.get
dialogflow.contexts.list
dialogflow.
dialogflow.
dialogflow.
dialogflow.
dialogflow.
dialogflow.
dialogflow.conversations.get
dialogflow.conversations.list
dialogflow.deployments.*
dialogflow.documents.get
dialogflow.documents.list
dialogflow.encryptionspec.get
dialogflow.entityTypes.get
dialogflow.entityTypes.list
dialogflow.environments.get
dialogflow.environments.list
dialogflow.examples.get
dialogflow.examples.list
dialogflow.experiments.get
dialogflow.experiments.list
dialogflow.flows.get
dialogflow.flows.list
dialogflow.fulfillments.get
dialogflow.generators.get
dialogflow.generators.list
dialogflow.integrations.get
dialogflow.integrations.list
dialogflow.intents.get
dialogflow.intents.list
dialogflow.knowledgeBases.get
dialogflow.knowledgeBases.list
dialogflow.messages.list
dialogflow.modelEvaluations.*
dialogflow.operations.get
dialogflow.pages.get
dialogflow.pages.list
dialogflow.participants.get
dialogflow.participants.list
dialogflow.
dialogflow.
dialogflow.phoneNumbers.list
dialogflow.playbooks.get
dialogflow.playbooks.list
dialogflow.
dialogflow.
dialogflow.
dialogflow.
dialogflow.
dialogflow.
dialogflow.testcases.get
dialogflow.testcases.list
dialogflow.tools.get
dialogflow.tools.list
dialogflow.
dialogflow.
dialogflow.versions.get
dialogflow.versions.list
dialogflow.webhooks.get
dialogflow.webhooks.list
resourcemanager.projects.get
resourcemanager.projects.list
CX Premium Lead Dialog Designer
(roles/)
A Dialog Designer Lead can label conversational data and approve taxonomy changes for virtual agent modeling.
dialogflow.agents.export
dialogflow.agents.get
dialogflow.agents.list
dialogflow.agents.search
dialogflow.
dialogflow.answerrecords.get
dialogflow.answerrecords.list
dialogflow.callMatchers.list
dialogflow.changelogs.*
dialogflow.contexts.get
dialogflow.contexts.list
dialogflow.
dialogflow.
dialogflow.
dialogflow.
dialogflow.
dialogflow.
dialogflow.conversations.get
dialogflow.conversations.list
dialogflow.deployments.*
dialogflow.documents.get
dialogflow.documents.list
dialogflow.encryptionspec.get
dialogflow.entityTypes.get
dialogflow.entityTypes.list
dialogflow.environments.get
dialogflow.environments.list
dialogflow.examples.get
dialogflow.examples.list
dialogflow.experiments.get
dialogflow.experiments.list
dialogflow.flows.get
dialogflow.flows.list
dialogflow.fulfillments.get
dialogflow.generators.get
dialogflow.generators.list
dialogflow.integrations.get
dialogflow.integrations.list
dialogflow.intents.get
dialogflow.intents.list
dialogflow.knowledgeBases.get
dialogflow.knowledgeBases.list
dialogflow.messages.list
dialogflow.modelEvaluations.*
dialogflow.operations.get
dialogflow.pages.get
dialogflow.pages.list
dialogflow.participants.get
dialogflow.participants.list
dialogflow.
dialogflow.
dialogflow.phoneNumbers.list
dialogflow.playbooks.get
dialogflow.playbooks.list
dialogflow.
dialogflow.
dialogflow.
dialogflow.
dialogflow.
dialogflow.
dialogflow.testcases.get
dialogflow.testcases.list
dialogflow.tools.get
dialogflow.tools.list
dialogflow.
dialogflow.
dialogflow.versions.get
dialogflow.versions.list
dialogflow.webhooks.get
dialogflow.webhooks.list
resourcemanager.projects.get
resourcemanager.projects.list
CX Premium Viewer
(roles/)
A user can view the taxonomy and data reports in an AAM project.
dialogflow.agents.export
dialogflow.agents.get
dialogflow.agents.list
dialogflow.agents.search
dialogflow.
dialogflow.answerrecords.get
dialogflow.answerrecords.list
dialogflow.callMatchers.list
dialogflow.changelogs.*
dialogflow.contexts.get
dialogflow.contexts.list
dialogflow.
dialogflow.
dialogflow.
dialogflow.
dialogflow.
dialogflow.
dialogflow.conversations.get
dialogflow.conversations.list
dialogflow.deployments.*
dialogflow.documents.get
dialogflow.documents.list
dialogflow.encryptionspec.get
dialogflow.entityTypes.get
dialogflow.entityTypes.list
dialogflow.environments.get
dialogflow.environments.list
dialogflow.examples.get
dialogflow.examples.list
dialogflow.experiments.get
dialogflow.experiments.list
dialogflow.flows.get
dialogflow.flows.list
dialogflow.fulfillments.get
dialogflow.generators.get
dialogflow.generators.list
dialogflow.integrations.get
dialogflow.integrations.list
dialogflow.intents.get
dialogflow.intents.list
dialogflow.knowledgeBases.get
dialogflow.knowledgeBases.list
dialogflow.messages.list
dialogflow.modelEvaluations.*
dialogflow.operations.get
dialogflow.pages.get
dialogflow.pages.list
dialogflow.participants.get
dialogflow.participants.list
dialogflow.
dialogflow.
dialogflow.phoneNumbers.list
dialogflow.playbooks.get
dialogflow.playbooks.list
dialogflow.
dialogflow.
dialogflow.
dialogflow.
dialogflow.
dialogflow.
dialogflow.testcases.get
dialogflow.testcases.list
dialogflow.tools.get
dialogflow.tools.list
dialogflow.
dialogflow.
dialogflow.versions.get
dialogflow.versions.list
dialogflow.webhooks.get
dialogflow.webhooks.list
resourcemanager.projects.get
resourcemanager.projects.list
Dialogflow API Admin
(roles/)
Grant to Dialogflow API admins
that need full access to Dialogflow-specific resources.
Also see
Dialogflow access control .
Lowest-level resources where you can grant this role:
dialogflow.*
resourcemanager.projects.get
Dialogflow Agent Assist Client
(roles/)
Can create and handle live conversations using Agent Assist features.
dialogflow.answerrecords.*
dialogflow.
dialogflow.
dialogflow.
dialogflow.
dialogflow.conversations.*
dialogflow.documents.get
dialogflow.documents.list
dialogflow.generators.get
dialogflow.knowledgeBases.get
dialogflow.knowledgeBases.list
dialogflow.messages.list
dialogflow.participants.*
dialogflow.
Dialogflow API Client
(roles/)
Grant to Dialogflow API clients
that perform Dialogflow-specific edits and detect intent calls
using the API.
Also see
Dialogflow access control .
Lowest-level resources where you can grant this role:
dialogflow.contexts.*
dialogflow.conversations.*
dialogflow.
dialogflow.messages.list
dialogflow.participants.*
dialogflow.
dialogflow.sessions.*
Dialogflow Console Agent Editor
(roles/)
Grant to Dialogflow Console editors
that edit existing agents.
Also see
Dialogflow access control .
Lowest-level resources where you can grant this role:
actions.agentVersions.create
dialogflow.*
resourcemanager.projects.get
Dialogflow Console Simulator User
(roles/)
Can perform query of dialogflow suggestions in the simulator in web console.
dialogflow.
dialogflow.
dialogflow.
dialogflow.
dialogflow.conversations.*
dialogflow.documents.get
dialogflow.documents.list
dialogflow.knowledgeBases.get
dialogflow.knowledgeBases.list
dialogflow.participants.*
dialogflow.
resourcemanager.projects.get
resourcemanager.projects.list
Dialogflow Console Smart Messaging Allowlist Editor
(roles/)
Can edit allowlist for smart messaging associated with conversation model in the agent assist console
dialogflow.
dialogflow.
dialogflow.
dialogflow.
dialogflow.
dialogflow.documents.get
dialogflow.documents.list
dialogflow.operations.get
dialogflow.
resourcemanager.projects.get
resourcemanager.projects.list
Dialogflow Conversation Manager
(roles/)
Can manage all the resources related to Dialogflow Conversations.
dialogflow.
dialogflow.conversations.*
dialogflow.participants.*
Dialogflow Entity Type Admin
(roles/)
Can read & write entity types.
dialogflow.entityTypes.*
Dialogflow Environment editor
(roles/)
Can read & update environment and its sub-resources.
dialogflow.deployments.*
dialogflow.environments.get
dialogflow.
dialogflow.environments.list
dialogflow.
dialogflow.
dialogflow.environments.update
dialogflow.experiments.*
Dialogflow Flow editor
(roles/)
Can read & update flow and its sub-resources.
dialogflow.flows.get
dialogflow.flows.list
dialogflow.flows.train
dialogflow.flows.update
dialogflow.flows.validate
dialogflow.pages.*
dialogflow.
dialogflow.versions.*
Dialogflow Integration Manager
(roles/)
Can add, remove, enable and disable Dialogflow integrations.
dialogflow.integrations.*
Dialogflow Intent Admin
(roles/)
Can read & write intents.
dialogflow.intents.*
Dialogflow API Reader
(roles/)
Grant to Dialogflow API clients
that perform Dialogflow-specific read-only calls
using the API.
Also see
Dialogflow access control .
Lowest-level resources where you can grant this role:
dialogflow.agents.export
dialogflow.agents.get
dialogflow.agents.list
dialogflow.agents.search
dialogflow.
dialogflow.answerrecords.get
dialogflow.answerrecords.list
dialogflow.callMatchers.list
dialogflow.changelogs.*
dialogflow.contexts.get
dialogflow.contexts.list
dialogflow.
dialogflow.
dialogflow.
dialogflow.
dialogflow.
dialogflow.
dialogflow.conversations.get
dialogflow.conversations.list
dialogflow.deployments.*
dialogflow.documents.get
dialogflow.documents.list
dialogflow.encryptionspec.get
dialogflow.entityTypes.get
dialogflow.entityTypes.list
dialogflow.environments.get
dialogflow.environments.list
dialogflow.examples.get
dialogflow.examples.list
dialogflow.experiments.get
dialogflow.experiments.list
dialogflow.flows.get
dialogflow.flows.list
dialogflow.fulfillments.get
dialogflow.generators.get
dialogflow.generators.list
dialogflow.integrations.get
dialogflow.integrations.list
dialogflow.intents.get
dialogflow.intents.list
dialogflow.knowledgeBases.get
dialogflow.knowledgeBases.list
dialogflow.messages.list
dialogflow.modelEvaluations.*
dialogflow.operations.get
dialogflow.pages.get
dialogflow.pages.list
dialogflow.participants.get
dialogflow.participants.list
dialogflow.
dialogflow.
dialogflow.phoneNumbers.list
dialogflow.playbooks.get
dialogflow.playbooks.list
dialogflow.
dialogflow.
dialogflow.
dialogflow.
dialogflow.
dialogflow.
dialogflow.testcases.get
dialogflow.testcases.list
dialogflow.tools.get
dialogflow.tools.list
dialogflow.
dialogflow.
dialogflow.versions.get
dialogflow.versions.list
dialogflow.webhooks.get
dialogflow.webhooks.list
resourcemanager.projects.get
Dialogflow Test Case Admin
(roles/)
Can read & write test cases.
dialogflow.testcases.*
Dialogflow Webhook Admin
(roles/)
Can read & write webhooks.
dialogflow.webhooks.*
DNS roles
Permissions
DNS Administrator
(roles/)
Provides read-write access to all Cloud DNS resources.
Lowest-level resources where you can grant this role:
compute.networks.get
compute.networks.list
dns.changes.*
dns.dnsKeys.*
dns.gkeClusters.*
dns.managedZoneOperations.*
dns.managedZones.create
dns.managedZones.delete
dns.managedZones.get
dns.managedZones.getIamPolicy
dns.managedZones.list
dns.managedZones.update
dns.networks.*
dns.policies.create
dns.policies.delete
dns.policies.get
dns.policies.getIamPolicy
dns.policies.list
dns.policies.update
dns.projects.get
dns.resourceRecordSets.*
dns.responsePolicies.*
dns.responsePolicyRules.*
resourcemanager.projects.get
resourcemanager.projects.list
DNS Peer
(roles/)
Access to target networks with DNS peering zones
dns.
DNS Reader
(roles/)
Provides read-only access to all Cloud DNS resources.
Lowest-level resources where you can grant this role:
compute.networks.get
dns.changes.get
dns.changes.list
dns.dnsKeys.*
dns.managedZoneOperations.*
dns.managedZones.get
dns.managedZones.list
dns.policies.get
dns.policies.list
dns.projects.get
dns.resourceRecordSets.get
dns.resourceRecordSets.list
dns.responsePolicies.get
dns.responsePolicies.list
dns.responsePolicyRules.get
dns.responsePolicyRules.list
resourcemanager.projects.get
resourcemanager.projects.list
Document AI roles
Permissions
Document AI Administrator
Beta
(roles/)
Grants full access to all resources in Document AI
documentai.*
resourcemanager.projects.get
resourcemanager.projects.list
Document AI API User
Beta
(roles/)
Grants access to process documents in Document AI
documentai.
documentai.
documentai.
documentai.
documentai.
documentai.
Document AI Editor
Beta
(roles/)
Grants access to use all resources in Document AI
documentai.*
resourcemanager.projects.get
resourcemanager.projects.list
Document AI Viewer
Beta
(roles/)
Grants access to view all resources and process documents in Document AI
documentai.
documentai.datasetSchemas.get
documentai.datasets.get
documentai.
documentai.
documentai.
documentai.evaluations.get
documentai.evaluations.list
documentai.
documentai.
documentai.labelerPools.get
documentai.labelerPools.list
documentai.locations.*
documentai.
documentai.
documentai.processorTypes.*
documentai.
documentai.
documentai.
documentai.
documentai.
documentai.processors.get
documentai.processors.list
documentai.
documentai.
resourcemanager.projects.get
resourcemanager.projects.list
Earth Engine roles
Permissions
Earth Engine Resource Admin
Beta
(roles/)
Full access to all Earth Engine resource features
earthengine.*
resourcemanager.projects.get
resourcemanager.projects.list
Earth Engine Apps Publisher
Beta
(roles/)
Publisher of Earth Engine Apps
iam.serviceAccounts.create
iam.serviceAccounts.disable
iam.serviceAccounts.enable
iam.serviceAccounts.get
iam.
iam.
resourcemanager.projects.get
serviceusage.services.get
Earth Engine Resource Viewer
Beta
(roles/)
Viewer of all Earth Engine resources
earthengine.assets.get
earthengine.
earthengine.assets.list
earthengine.
earthengine.config.get
earthengine.
earthengine.maps.get
earthengine.operations.get
earthengine.operations.list
earthengine.tables.get
earthengine.thumbnails.get
earthengine.
resourcemanager.projects.get
resourcemanager.projects.list
Earth Engine Resource Writer
Beta
(roles/)
Writer of all Earth Engine resources
earthengine.assets.create
earthengine.assets.delete
earthengine.assets.get
earthengine.
earthengine.assets.list
earthengine.assets.update
earthengine.
earthengine.config.*
earthengine.exports.create
earthengine.
earthengine.
earthengine.imports.create
earthengine.maps.*
earthengine.operations.*
earthengine.tables.*
earthengine.thumbnails.*
earthengine.videothumbnails.*
resourcemanager.projects.get
resourcemanager.projects.list
Edge Container roles
Permissions
Edge Container Admin
(roles/)
Full access to Edge Container all resources.
edgecontainer.*
resourcemanager.projects.get
resourcemanager.projects.list
Edge Container Machine User
(roles/)
Access to use Edge Container Machine resources.
edgecontainer.machines.get
edgecontainer.
edgecontainer.machines.list
edgecontainer.machines.use
resourcemanager.projects.get
resourcemanager.projects.list
Edge Container Cluster offline Credential User
(roles/)
Access to get Edge Container cluster offline credentials
edgecontainer.
resourcemanager.projects.get
resourcemanager.projects.list
Edge Container Viewer
(roles/)
Read-only access to Edge Container all resources.
edgecontainer.
edgecontainer.clusters.get
edgecontainer.
edgecontainer.clusters.list
edgecontainer.locations.*
edgecontainer.machines.get
edgecontainer.
edgecontainer.machines.list
edgecontainer.nodePools.get
edgecontainer.
edgecontainer.nodePools.list
edgecontainer.operations.get
edgecontainer.operations.list
edgecontainer.serverconfig.get
edgecontainer.
edgecontainer.
edgecontainer.
resourcemanager.projects.get
resourcemanager.projects.list
Edge Network roles
Permissions
Edge Network Admin
(roles/)
Full access to Edge Network all resources.
edgenetwork.*
resourcemanager.projects.get
resourcemanager.projects.list
Edge Network Viewer
(roles/)
Read-only access to Edge Network all resources.
edgenetwork.
edgenetwork.
edgenetwork.
edgenetwork.interconnects.get
edgenetwork.
edgenetwork.
edgenetwork.interconnects.list
edgenetwork.locations.*
edgenetwork.networks.get
edgenetwork.
edgenetwork.networks.getStatus
edgenetwork.networks.list
edgenetwork.operations.get
edgenetwork.operations.list
edgenetwork.routers.get
edgenetwork.
edgenetwork.
edgenetwork.routers.list
edgenetwork.routes.get
edgenetwork.routes.list
edgenetwork.subnetworks.get
edgenetwork.
edgenetwork.
edgenetwork.subnetworks.list
edgenetwork.zones.get
edgenetwork.zones.list
resourcemanager.projects.get
resourcemanager.projects.list
Enterprise Knowledge Graph roles
Permissions
Enterprise Knowledge Graph Admin
Beta
(roles/)
Administrator of Enterprise Knowledge Graph resources
enterpriseknowledgegraph.*
resourcemanager.projects.get
resourcemanager.projects.list
Enterprise Knowledge Graph Editor
Beta
(roles/)
Editor of Enterprise Knowledge Graph resources
enterpriseknowledgegraph.*
resourcemanager.projects.get
resourcemanager.projects.list
Enterprise Knowledge Graph Viewer
Beta
(roles/)
Viewer of Enterprise Knowledge Graph resources
enterpriseknowledgegraph.
enterpriseknowledgegraph.
enterpriseknowledgegraph.
enterpriseknowledgegraph.
resourcemanager.projects.get
resourcemanager.projects.list
Error Reporting roles
Permissions
Error Reporting Admin
Beta
(roles/)
Provides full access to Error Reporting data.
Lowest-level resources where you can grant this role:
cloudnotifications.
errorreporting.*
logging.notificationRules.*
resourcemanager.projects.get
resourcemanager.projects.list
stackdriver.projects.get
Error Reporting User
Beta
(roles/)
Provides the permissions to read and write Error Reporting data, except
for sending new error events.
Lowest-level resources where you can grant this role:
cloudnotifications.
errorreporting.
errorreporting.
errorreporting.
errorreporting.groupMetadata.*
errorreporting.groups.list
logging.notificationRules.*
resourcemanager.projects.get
resourcemanager.projects.list
stackdriver.projects.get
Error Reporting Viewer
Beta
(roles/)
Provides read-only access to Error Reporting data.
Lowest-level resources where you can grant this role:
cloudnotifications.
errorreporting.
errorreporting.
errorreporting.
errorreporting.groups.list
logging.notificationRules.get
logging.notificationRules.list
resourcemanager.projects.get
resourcemanager.projects.list
stackdriver.projects.get
Error Reporting Writer
Beta
(roles/)
Provides the permissions to send error events to Error Reporting.
Lowest-level resources where you can grant this role:
errorreporting.
Eventarc roles
Permissions
Eventarc Admin
(roles/)
Full control over all Eventarc resources.
Lowest-level resources where you can grant this role:
eventarc.*
resourcemanager.projects.get
resourcemanager.projects.list
Eventarc Connection Publisher
Beta
(roles/)
Can publish events to Eventarc channel connections.
Lowest-level resources where you can grant this role:
eventarc.
eventarc.
eventarc.
resourcemanager.projects.get
resourcemanager.projects.list
Eventarc Developer
(roles/)
Access to read and write Eventarc resources.
Lowest-level resources where you can grant this role:
eventarc.
eventarc.
eventarc.
eventarc.
eventarc.
eventarc.
eventarc.channels.attach
eventarc.channels.create
eventarc.channels.delete
eventarc.channels.get
eventarc.channels.getIamPolicy
eventarc.channels.list
eventarc.channels.publish
eventarc.channels.undelete
eventarc.channels.update
eventarc.enrollments.create
eventarc.enrollments.delete
eventarc.enrollments.get
eventarc.
eventarc.enrollments.list
eventarc.enrollments.update
eventarc.
eventarc.
eventarc.googleApiSources.get
eventarc.
eventarc.googleApiSources.list
eventarc.
eventarc.
eventarc.locations.*
eventarc.operations.*
eventarc.pipelines.create
eventarc.pipelines.delete
eventarc.pipelines.get
eventarc.
eventarc.pipelines.list
eventarc.pipelines.update
eventarc.providers.*
eventarc.triggers.create
eventarc.triggers.delete
eventarc.triggers.get
eventarc.triggers.getIamPolicy
eventarc.triggers.list
eventarc.triggers.undelete
eventarc.triggers.update
resourcemanager.projects.get
resourcemanager.projects.list
Eventarc Event Receiver
(roles/)
Can receive events from all event providers.
Lowest-level resources where you can grant this role:
eventarc.events.*
Eventarc Message Bus Admin
Beta
(roles/)
Full control over Message Buses resources.
eventarc.messageBuses.create
eventarc.messageBuses.delete
eventarc.messageBuses.get
eventarc.
eventarc.messageBuses.list
eventarc.messageBuses.publish
eventarc.messageBuses.update
eventarc.messageBuses.use
Eventarc Message Bus User
Beta
(roles/)
Access to publish to or bind to a Message Bus.
eventarc.messageBuses.get
eventarc.messageBuses.list
eventarc.messageBuses.publish
eventarc.messageBuses.use
Eventarc Publisher
Beta
(roles/)
Can publish events to Eventarc channels.
Lowest-level resources where you can grant this role:
eventarc.channels.get
eventarc.channels.list
eventarc.channels.publish
resourcemanager.projects.get
resourcemanager.projects.list
Eventarc Viewer
(roles/)
Can view the state of all Eventarc resources, including IAM policies.
Lowest-level resources where you can grant this role:
eventarc.
eventarc.
eventarc.
eventarc.channels.get
eventarc.channels.getIamPolicy
eventarc.channels.list
eventarc.enrollments.get
eventarc.
eventarc.enrollments.list
eventarc.googleApiSources.get
eventarc.
eventarc.googleApiSources.list
eventarc.
eventarc.locations.*
eventarc.messageBuses.get
eventarc.
eventarc.messageBuses.list
eventarc.messageBuses.use
eventarc.operations.get
eventarc.operations.list
eventarc.pipelines.get
eventarc.
eventarc.pipelines.list
eventarc.providers.*
eventarc.triggers.get
eventarc.triggers.getIamPolicy
eventarc.triggers.list
resourcemanager.projects.get
resourcemanager.projects.list
Firebase roles
Permissions
Firebase Admin
(roles/)
Full access to Firebase products.
apikeys.keys.get
apikeys.keys.getKeyString
apikeys.keys.list
apikeys.keys.lookup
appengine.applications.get
automl.*
clientauthconfig.brands.get
clientauthconfig.brands.list
clientauthconfig.brands.update
clientauthconfig.
clientauthconfig.
clientauthconfig.clients.get
clientauthconfig.clients.list
clientauthconfig.
cloudbuild.builds.get
cloudbuild.builds.list
cloudbuild.operations.*
cloudconfig.*
cloudfunctions.*
cloudmessaging.messages.create
cloudnotifications.
cloudtestservice.
cloudtestservice.matrices.*
cloudtoolresults.*
datastore.*
errorreporting.groups.list
eventarc.*
fcmdata.deliverydata.list
firebase.*
firebaseabt.*
firebaseanalytics.*
firebaseappcheck.*
firebaseappdistro.*
firebaseauth.*
firebasecrash.*
firebasecrashlytics.*
firebasedatabase.*
firebasedataconnect.*
firebasedynamiclinks.*
firebaseextensions.*
firebaseextensionspublisher.*
firebasehosting.*
firebaseinappmessaging.*
firebasemessagingcampaigns.*
firebaseml.*
firebasenotifications.*
firebaseperformance.*
firebaserules.*
firebasestorage.*
logging.logEntries.list
monitoring.timeSeries.list
oauthconfig.verification.get
orgpolicy.policy.get
recommender.
recommender.
recommender.
recommender.
recommender.locations.*
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
remotebuildexecution.blobs.get
resourcemanager.
resourcemanager.projects.get
resourcemanager.
resourcemanager.projects.list
run.*
runtimeconfig.configs.create
runtimeconfig.configs.delete
runtimeconfig.configs.get
runtimeconfig.configs.list
runtimeconfig.configs.update
runtimeconfig.operations.*
runtimeconfig.variables.create
runtimeconfig.variables.delete
runtimeconfig.variables.get
runtimeconfig.variables.list
runtimeconfig.variables.update
runtimeconfig.variables.watch
runtimeconfig.waiters.create
runtimeconfig.waiters.delete
runtimeconfig.waiters.get
runtimeconfig.waiters.list
runtimeconfig.waiters.update
serviceusage.quotas.get
serviceusage.services.get
serviceusage.services.list
storage.anywhereCaches.*
storage.bucketOperations.*
storage.buckets.*
storage.folders.*
storage.managedFolders.*
storage.managementHubs.*
storage.multipartUploads.*
storage.objects.*
Firebase Analytics Admin
(roles/)
Full access to Google Analytics for Firebase.
cloudnotifications.
firebase.billingPlans.get
firebase.clients.get
firebase.clients.list
firebase.links.list
firebase.playLinks.get
firebase.playLinks.list
firebase.projects.get
firebaseanalytics.*
firebaseextensions.
resourcemanager.projects.get
resourcemanager.
resourcemanager.projects.list
Firebase Analytics Viewer
(roles/)
Read access to Google Analytics for Firebase.
cloudnotifications.
firebase.billingPlans.get
firebase.clients.get
firebase.clients.list
firebase.links.list
firebase.playLinks.get
firebase.playLinks.list
firebase.projects.get
firebaseanalytics.
firebaseextensions.
resourcemanager.projects.get
resourcemanager.
resourcemanager.projects.list
Firebase Develop Admin
(roles/)
Full access to Firebase Develop products and Analytics.
apikeys.keys.get
apikeys.keys.getKeyString
apikeys.keys.list
apikeys.keys.lookup
appengine.applications.get
automl.*
clientauthconfig.brands.get
clientauthconfig.brands.list
clientauthconfig.brands.update
clientauthconfig.clients.get
clientauthconfig.clients.list
cloudbuild.builds.get
cloudbuild.builds.list
cloudbuild.operations.*
cloudfunctions.*
cloudnotifications.
datastore.*
errorreporting.groups.list
eventarc.*
firebase.billingPlans.get
firebase.clients.get
firebase.clients.list
firebase.links.list
firebase.playLinks.get
firebase.playLinks.list
firebase.projects.get
firebaseanalytics.*
firebaseappcheck.*
firebaseauth.*
firebasedatabase.*
firebasedataconnect.*
firebaseextensions.
firebasehosting.*
firebaseml.*
firebaserules.*
firebasestorage.*
logging.logEntries.list
monitoring.timeSeries.list
oauthconfig.verification.get
orgpolicy.policy.get
recommender.
recommender.
recommender.
recommender.
recommender.locations.*
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
remotebuildexecution.blobs.get
resourcemanager.
resourcemanager.projects.get
resourcemanager.
resourcemanager.projects.list
run.*
runtimeconfig.configs.create
runtimeconfig.configs.delete
runtimeconfig.configs.get
runtimeconfig.configs.list
runtimeconfig.configs.update
runtimeconfig.operations.*
runtimeconfig.variables.create
runtimeconfig.variables.delete
runtimeconfig.variables.get
runtimeconfig.variables.list
runtimeconfig.variables.update
runtimeconfig.variables.watch
runtimeconfig.waiters.create
runtimeconfig.waiters.delete
runtimeconfig.waiters.get
runtimeconfig.waiters.list
runtimeconfig.waiters.update
serviceusage.quotas.get
serviceusage.services.get
serviceusage.services.list
storage.anywhereCaches.*
storage.bucketOperations.*
storage.buckets.*
storage.folders.*
storage.managedFolders.*
storage.managementHubs.*
storage.multipartUploads.*
storage.objects.*
Firebase Develop Viewer
(roles/)
Read access to Firebase Develop products and Analytics.
apikeys.keys.get
apikeys.keys.list
automl.annotationSpecs.get
automl.annotationSpecs.list
automl.annotations.list
automl.columnSpecs.get
automl.columnSpecs.list
automl.datasets.get
automl.datasets.list
automl.examples.get
automl.examples.list
automl.files.list
automl.
automl.
automl.locations.get
automl.locations.list
automl.modelEvaluations.get
automl.modelEvaluations.list
automl.models.get
automl.models.list
automl.operations.get
automl.operations.list
automl.tableSpecs.get
automl.tableSpecs.list
clientauthconfig.brands.get
clientauthconfig.brands.list
cloudbuild.builds.get
cloudbuild.builds.list
cloudbuild.operations.*
cloudfunctions.functions.get
cloudfunctions.
cloudfunctions.functions.list
cloudfunctions.locations.list
cloudfunctions.operations.*
cloudnotifications.
datastore.databases.get
datastore.
datastore.databases.list
datastore.entities.get
datastore.entities.list
datastore.indexes.get
datastore.indexes.list
datastore.namespaces.*
datastore.statistics.*
errorreporting.groups.list
eventarc.
eventarc.
eventarc.
eventarc.channels.get
eventarc.channels.getIamPolicy
eventarc.channels.list
eventarc.enrollments.get
eventarc.
eventarc.enrollments.list
eventarc.googleApiSources.get
eventarc.
eventarc.googleApiSources.list
eventarc.
eventarc.locations.*
eventarc.messageBuses.get
eventarc.
eventarc.messageBuses.list
eventarc.messageBuses.use
eventarc.operations.get
eventarc.operations.list
eventarc.pipelines.get
eventarc.
eventarc.pipelines.list
eventarc.providers.*
eventarc.triggers.get
eventarc.triggers.getIamPolicy
eventarc.triggers.list
firebase.billingPlans.get
firebase.clients.get
firebase.clients.list
firebase.links.list
firebase.playLinks.get
firebase.playLinks.list
firebase.projects.get
firebaseanalytics.
firebaseappcheck.
firebaseappcheck.
firebaseappcheck.
firebaseappcheck.
firebaseappcheck.
firebaseappcheck.
firebaseappcheck.
firebaseappcheck.
firebaseappcheck.services.get
firebaseauth.configs.get
firebaseauth.users.get
firebasedatabase.instances.get
firebasedatabase.
firebasedataconnect.
firebasedataconnect.
firebasedataconnect.
firebasedataconnect.
firebasedataconnect.
firebasedataconnect.
firebasedataconnect.
firebasedataconnect.
firebasedataconnect.
firebasedataconnect.
firebasedataconnect.
firebasedataconnect.
firebasedataconnect.
firebaseextensions.
firebasehosting.sites.get
firebasehosting.sites.list
firebaseml.models.get
firebaseml.models.list
firebaseml.modelversions.get
firebaseml.modelversions.list
firebaserules.releases.get
firebaserules.releases.list
firebaserules.rulesets.get
firebaserules.rulesets.list
firebasestorage.buckets.get
firebasestorage.buckets.list
firebasestorage.
logging.logEntries.list
monitoring.timeSeries.list
oauthconfig.verification.get
recommender.
recommender.
recommender.
recommender.
recommender.locations.*
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
remotebuildexecution.blobs.get
resourcemanager.projects.get
resourcemanager.
resourcemanager.projects.list
run.configurations.*
run.executions.get
run.executions.list
run.jobs.get
run.jobs.getIamPolicy
run.jobs.list
run.jobs.listEffectiveTags
run.jobs.listTagBindings
run.locations.list
run.operations.get
run.operations.list
run.revisions.get
run.revisions.list
run.routes.get
run.routes.list
run.services.get
run.services.getIamPolicy
run.services.list
run.services.listEffectiveTags
run.services.listTagBindings
run.tasks.*
serviceusage.quotas.get
serviceusage.services.get
serviceusage.services.list
storage.buckets.get
storage.buckets.getIamPolicy
storage.buckets.list
storage.objects.get
storage.objects.getIamPolicy
storage.objects.list
Firebase Grow Admin
(roles/)
Full access to Firebase Grow products and Analytics.
apikeys.keys.get
apikeys.keys.list
clientauthconfig.clients.get
clientauthconfig.clients.list
cloudconfig.*
cloudmessaging.messages.create
cloudnotifications.
fcmdata.deliverydata.list
firebase.billingPlans.get
firebase.clients.get
firebase.clients.list
firebase.links.list
firebase.playLinks.get
firebase.playLinks.list
firebase.projects.get
firebaseabt.*
firebaseanalytics.*
firebasedynamiclinks.*
firebaseextensions.
firebaseinappmessaging.*
firebasemessagingcampaigns.*
firebasenotifications.*
monitoring.timeSeries.list
resourcemanager.projects.get
resourcemanager.
resourcemanager.projects.list
serviceusage.quotas.get
serviceusage.services.get
serviceusage.services.list
Firebase Grow Viewer
(roles/)
Read access to Firebase Grow products and Analytics.
apikeys.keys.get
apikeys.keys.list
cloudconfig.configs.get
cloudnotifications.
fcmdata.deliverydata.list
firebase.billingPlans.get
firebase.clients.get
firebase.clients.list
firebase.links.list
firebase.playLinks.get
firebase.playLinks.list
firebase.projects.get
firebaseabt.
firebaseabt.experiments.get
firebaseabt.experiments.list
firebaseabt.
firebaseanalytics.
firebasedynamiclinks.
firebasedynamiclinks.
firebasedynamiclinks.
firebasedynamiclinks.links.get
firebasedynamiclinks.
firebasedynamiclinks.stats.get
firebaseextensions.
firebaseinappmessaging.
firebaseinappmessaging.
firebasemessagingcampaigns.
firebasemessagingcampaigns.
firebasenotifications.
firebasenotifications.
monitoring.timeSeries.list
resourcemanager.projects.get
resourcemanager.
resourcemanager.projects.list
serviceusage.quotas.get
serviceusage.services.get
serviceusage.services.list
Firebase Quality Admin
(roles/)
Full access to Firebase Quality products and Analytics.
apikeys.keys.get
apikeys.keys.list
cloudnotifications.
firebase.billingPlans.get
firebase.clients.get
firebase.clients.list
firebase.links.list
firebase.playLinks.get
firebase.playLinks.list
firebase.projects.get
firebaseanalytics.*
firebaseappdistro.*
firebasecrash.*
firebasecrashlytics.*
firebaseextensions.
firebaseperformance.*
monitoring.timeSeries.list
resourcemanager.projects.get
resourcemanager.
resourcemanager.projects.list
serviceusage.quotas.get
serviceusage.services.get
serviceusage.services.list
Firebase Quality Viewer
(roles/)
Read access to Firebase Quality products and Analytics.
apikeys.keys.get
apikeys.keys.list
cloudnotifications.
firebase.billingPlans.get
firebase.clients.get
firebase.clients.list
firebase.links.list
firebase.playLinks.get
firebase.playLinks.list
firebase.projects.get
firebaseanalytics.
firebaseappdistro.groups.list
firebaseappdistro.
firebaseappdistro.testers.list
firebasecrash.reports.get
firebasecrashlytics.config.get
firebasecrashlytics.data.get
firebasecrashlytics.issues.get
firebasecrashlytics.
firebasecrashlytics.
firebaseextensions.
firebaseperformance.data.get
monitoring.timeSeries.list
resourcemanager.projects.get
resourcemanager.
resourcemanager.projects.list
serviceusage.quotas.get
serviceusage.services.get
serviceusage.services.list
Firebase Admin SDK Administrator Service Agent
(roles/)
Read and write access to Firebase products available in the Admin SDK
appengine.applications.get
cloudconfig.*
cloudmessaging.messages.create
datastore.databases.get
datastore.
datastore.databases.list
datastore.entities.*
datastore.indexes.get
datastore.indexes.list
datastore.namespaces.*
datastore.statistics.*
firebase.clients.*
firebase.projects.get
firebase.projects.update
firebaseappcheck.*
firebaseauth.configs.create
firebaseauth.configs.get
firebaseauth.configs.getSecret
firebaseauth.configs.update
firebaseauth.users.*
firebasedatabase.*
firebasedataconnect.*
firebasehosting.*
firebaseml.*
firebasenotifications.*
firebaserules.releases.get
firebaserules.releases.list
firebaserules.releases.update
firebaserules.rulesets.create
firebaserules.rulesets.delete
firebaserules.rulesets.get
firebaserules.rulesets.list
identitytoolkit.*
orgpolicy.policy.get
resourcemanager.projects.get
resourcemanager.projects.list
resourcemanager.
storage.buckets.create
storage.buckets.delete
storage.buckets.get
storage.buckets.list
storage.buckets.update
storage.folders.*
storage.managedFolders.create
storage.managedFolders.delete
storage.managedFolders.get
storage.managedFolders.list
storage.multipartUploads.*
storage.objects.*
Firebase SDK Provisioning Service Agent
(roles/)
Access to provision apps with the Admin SDK.
apikeys.keys.list
clientauthconfig.clients.list
cloudmessaging.messages.create
firebase.clients.create
servicemanagement.
serviceusage.services.enable
serviceusage.services.get
Firebase Viewer
(roles/)
Read-only access to Firebase products.
apikeys.keys.get
apikeys.keys.list
automl.annotationSpecs.get
automl.annotationSpecs.list
automl.annotations.list
automl.columnSpecs.get
automl.columnSpecs.list
automl.datasets.get
automl.datasets.list
automl.examples.get
automl.examples.list
automl.files.list
automl.
automl.
automl.locations.get
automl.locations.list
automl.modelEvaluations.get
automl.modelEvaluations.list
automl.models.get
automl.models.list
automl.operations.get
automl.operations.list
automl.tableSpecs.get
automl.tableSpecs.list
clientauthconfig.brands.get
clientauthconfig.brands.list
cloudbuild.builds.get
cloudbuild.builds.list
cloudbuild.operations.*
cloudconfig.configs.get
cloudfunctions.functions.get
cloudfunctions.
cloudfunctions.functions.list
cloudfunctions.locations.list
cloudfunctions.operations.*
cloudnotifications.
cloudtestservice.
cloudtestservice.matrices.get
cloudtoolresults.
cloudtoolresults.
cloudtoolresults.histories.get
cloudtoolresults.
cloudtoolresults.settings.get
cloudtoolresults.steps.get
cloudtoolresults.steps.list
datastore.databases.get
datastore.
datastore.databases.list
datastore.entities.get
datastore.entities.list
datastore.indexes.get
datastore.indexes.list
datastore.namespaces.*
datastore.statistics.*
errorreporting.groups.list
eventarc.
eventarc.
eventarc.
eventarc.channels.get
eventarc.channels.getIamPolicy
eventarc.channels.list
eventarc.enrollments.get
eventarc.
eventarc.enrollments.list
eventarc.googleApiSources.get
eventarc.
eventarc.googleApiSources.list
eventarc.
eventarc.locations.*
eventarc.messageBuses.get
eventarc.
eventarc.messageBuses.list
eventarc.messageBuses.use
eventarc.operations.get
eventarc.operations.list
eventarc.pipelines.get
eventarc.
eventarc.pipelines.list
eventarc.providers.*
eventarc.triggers.get
eventarc.triggers.getIamPolicy
eventarc.triggers.list
fcmdata.deliverydata.list
firebase.billingPlans.get
firebase.clients.get
firebase.clients.list
firebase.links.list
firebase.playLinks.get
firebase.playLinks.list
firebase.projects.get
firebaseabt.
firebaseabt.experiments.get
firebaseabt.experiments.list
firebaseabt.
firebaseanalytics.
firebaseappcheck.
firebaseappcheck.
firebaseappcheck.
firebaseappcheck.
firebaseappcheck.
firebaseappcheck.
firebaseappcheck.
firebaseappcheck.
firebaseappcheck.services.get
firebaseappdistro.groups.list
firebaseappdistro.
firebaseappdistro.testers.list
firebaseauth.configs.get
firebaseauth.users.get
firebasecrash.reports.get
firebasecrashlytics.config.get
firebasecrashlytics.data.get
firebasecrashlytics.issues.get
firebasecrashlytics.
firebasecrashlytics.
firebasedatabase.instances.get
firebasedatabase.
firebasedataconnect.
firebasedataconnect.
firebasedataconnect.
firebasedataconnect.
firebasedataconnect.
firebasedataconnect.
firebasedataconnect.
firebasedataconnect.
firebasedataconnect.
firebasedataconnect.
firebasedataconnect.
firebasedataconnect.
firebasedataconnect.
firebasedynamiclinks.
firebasedynamiclinks.
firebasedynamiclinks.
firebasedynamiclinks.links.get
firebasedynamiclinks.
firebasedynamiclinks.stats.get
firebaseextensions.
firebaseextensionspublisher.
firebaseextensionspublisher.
firebasehosting.sites.get
firebasehosting.sites.list
firebaseinappmessaging.
firebaseinappmessaging.
firebasemessagingcampaigns.
firebasemessagingcampaigns.
firebaseml.models.get
firebaseml.models.list
firebaseml.modelversions.get
firebaseml.modelversions.list
firebasenotifications.
firebasenotifications.
firebaseperformance.data.get
firebaserules.releases.get
firebaserules.releases.list
firebaserules.rulesets.get
firebaserules.rulesets.list
firebasestorage.buckets.get
firebasestorage.buckets.list
firebasestorage.
logging.logEntries.list
monitoring.timeSeries.list
oauthconfig.verification.get
recommender.
recommender.
recommender.
recommender.
recommender.locations.*
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
remotebuildexecution.blobs.get
resourcemanager.projects.get
resourcemanager.
resourcemanager.projects.list
run.configurations.*
run.executions.get
run.executions.list
run.jobs.get
run.jobs.getIamPolicy
run.jobs.list
run.jobs.listEffectiveTags
run.jobs.listTagBindings
run.locations.list
run.operations.get
run.operations.list
run.revisions.get
run.revisions.list
run.routes.get
run.routes.list
run.services.get
run.services.getIamPolicy
run.services.list
run.services.listEffectiveTags
run.services.listTagBindings
run.tasks.*
serviceusage.quotas.get
serviceusage.services.get
serviceusage.services.list
storage.buckets.get
storage.buckets.getIamPolicy
storage.buckets.list
storage.objects.get
storage.objects.getIamPolicy
storage.objects.list
Firebase App Check Service Agent
(roles/)
Grants Firebase App Check Service Account access to consumer app attestation resources, such as reCAPTCHA Enterprise and Play Integrity API.
recaptchaenterprise.
serviceusage.services.use
Firebase Extensions API Service Agent
(roles/)
Grants Firebase Extensions API Service Account access to manage resources.
appengine.applications.get
artifactregistry.
cloudfunctions.
cloudfunctions.
cloudtasks.locations.*
cloudtasks.queues.*
cloudtasks.tasks.create
cloudtasks.tasks.fullView
deploymentmanager.
deploymentmanager.
deploymentmanager.
deploymentmanager.
deploymentmanager.
deploymentmanager.
deploymentmanager.
deploymentmanager.
deploymentmanager.manifests.*
deploymentmanager.operations.*
deploymentmanager.resources.*
deploymentmanager.
deploymentmanager.types.*
eventarc.channels.create
eventarc.channels.delete
eventarc.channels.get
eventarc.channels.setIamPolicy
iam.serviceAccounts.actAs
iam.serviceAccounts.create
iam.serviceAccounts.get
iam.serviceAccounts.list
resourcemanager.projects.get
resourcemanager.projects.list
resourcemanager.
run.services.getIamPolicy
run.services.setIamPolicy
serviceusage.quotas.get
serviceusage.services.enable
serviceusage.services.get
serviceusage.services.list
Firebase Products roles
Permissions
Firebase Remote Config Admin
(roles/)
Full access to Firebase Remote Config resources.
cloudconfig.*
firebase.clients.get
firebase.clients.list
firebase.projects.get
resourcemanager.projects.get
resourcemanager.projects.list
Firebase Remote Config Viewer
(roles/)
Read access to Firebase Remote Config resources.
cloudconfig.configs.get
firebase.clients.get
firebase.clients.list
firebase.projects.get
resourcemanager.projects.get
resourcemanager.projects.list
Firebase Test Lab Direct Access Admin
Beta
(roles/)
Administrator owning access to Direct Access
cloudtestservice.
cloudtestservice.
resourcemanager.projects.get
resourcemanager.projects.list
Firebase Test Lab Direct Access Viewer
Beta
(roles/)
Viewer, able to see what direct access sessions exist
cloudtestservice.
cloudtestservice.
resourcemanager.projects.get
resourcemanager.projects.list
Firebase Test Lab Admin
(roles/)
Full access to all Test Lab features
cloudtestservice.
cloudtestservice.matrices.*
cloudtoolresults.*
firebase.billingPlans.get
firebase.clients.get
firebase.clients.list
firebase.projects.get
resourcemanager.projects.get
resourcemanager.projects.list
storage.buckets.create
storage.buckets.get
storage.buckets.update
storage.objects.create
storage.objects.delete
storage.objects.get
storage.objects.list
Firebase Test Lab Viewer
(roles/)
Read access to Test Lab features
cloudtestservice.
cloudtestservice.matrices.get
cloudtoolresults.
cloudtoolresults.
cloudtoolresults.histories.get
cloudtoolresults.
cloudtoolresults.settings.get
cloudtoolresults.steps.get
cloudtoolresults.steps.list
firebase.clients.get
firebase.clients.list
firebase.projects.get
resourcemanager.projects.get
resourcemanager.projects.list
storage.objects.get
storage.objects.list
Firebase A/B Testing Admin
Beta
(roles/)
Full read/write access to Firebase A/B Testing resources.
firebase.clients.get
firebase.clients.list
firebase.projects.get
firebaseabt.*
resourcemanager.projects.get
resourcemanager.projects.list
Firebase A/B Testing Viewer
Beta
(roles/)
Read-only access to Firebase A/B Testing resources.
firebase.clients.get
firebase.clients.list
firebase.projects.get
firebaseabt.
firebaseabt.experiments.get
firebaseabt.experiments.list
firebaseabt.
resourcemanager.projects.get
resourcemanager.projects.list
Firebase App Check Admin
(roles/)
Full management of Firebase App Check.
firebaseappcheck.*
Firebase App Check Token Verifier
(roles/)
Access to token verification capabilities for Firebase App Check.
firebaseappcheck.
Firebase App Check Viewer
(roles/)
Read-only access for Firebase App Check.
firebaseappcheck.
firebaseappcheck.
firebaseappcheck.
firebaseappcheck.
firebaseappcheck.
firebaseappcheck.
firebaseappcheck.
firebaseappcheck.
firebaseappcheck.services.get
Firebase App Distribution Admin
(roles/)
Full read/write access to Firebase App Distribution resources.
firebase.clients.get
firebase.clients.list
firebase.projects.get
firebaseappdistro.*
resourcemanager.projects.get
resourcemanager.projects.list
Firebase App Distribution Viewer
(roles/)
Read-only access to Firebase App Distribution resources.
firebase.clients.get
firebase.clients.list
firebase.projects.get
firebaseappdistro.groups.list
firebaseappdistro.
firebaseappdistro.testers.list
resourcemanager.projects.get
resourcemanager.projects.list
Firebase Authentication Admin
(roles/)
Full read/write access to Firebase Authentication resources.
firebase.clients.get
firebase.clients.list
firebase.projects.get
firebaseauth.*
resourcemanager.projects.get
resourcemanager.projects.list
Firebase Authentication Viewer
(roles/)
Read-only access to Firebase Authentication resources.
firebase.clients.get
firebase.clients.list
firebase.projects.get
firebaseauth.configs.get
firebaseauth.users.get
resourcemanager.projects.get
resourcemanager.projects.list
Firebase Crashlytics Admin
(roles/)
Full read/write access to Firebase Crashlytics resources.
firebase.clients.get
firebase.clients.list
firebase.projects.get
firebasecrashlytics.*
resourcemanager.projects.get
resourcemanager.projects.list
Firebase Crashlytics Viewer
(roles/)
Read-only access to Firebase Crashlytics resources.
firebase.clients.get
firebase.clients.list
firebase.projects.get
firebasecrashlytics.config.get
firebasecrashlytics.data.get
firebasecrashlytics.issues.get
firebasecrashlytics.
firebasecrashlytics.
resourcemanager.projects.get
resourcemanager.projects.list
Firebase Realtime Database Admin
(roles/)
Full read/write access to Firebase Realtime Database resources.
firebase.clients.get
firebase.clients.list
firebase.projects.get
firebasedatabase.*
resourcemanager.projects.get
resourcemanager.projects.list
Firebase Realtime Database Viewer
(roles/)
Read-only access to Firebase Realtime Database resources.
firebase.clients.get
firebase.clients.list
firebase.projects.get
firebasedatabase.instances.get
firebasedatabase.
resourcemanager.projects.get
resourcemanager.projects.list
Firebase Dynamic Links Admin
(roles/)
Full read/write access to Firebase Dynamic Links resources.
firebase.clients.get
firebase.clients.list
firebase.projects.get
firebasedynamiclinks.*
resourcemanager.projects.get
resourcemanager.projects.list
Firebase Dynamic Links Viewer
(roles/)
Read-only access to Firebase Dynamic Links resources.
firebase.clients.get
firebase.clients.list
firebase.projects.get
firebasedynamiclinks.
firebasedynamiclinks.
firebasedynamiclinks.
firebasedynamiclinks.links.get
firebasedynamiclinks.
firebasedynamiclinks.stats.get
resourcemanager.projects.get
resourcemanager.projects.list
Firebase Extensions Developer
Beta
(roles/)
View, create, and delete Firebase Extensions Instances and Extensions Versions, and update Extensions Instances
firebase.clients.get
firebase.clients.list
firebase.projects.get
resourcemanager.projects.get
resourcemanager.projects.list
Firebase Extensions Viewer
Beta
(roles/)
Viewer of Firebase Extensions Instances
firebase.clients.get
firebase.clients.list
firebase.projects.get
resourcemanager.projects.get
resourcemanager.projects.list
Firebase Extensions Publisher - Extensions Admin
Beta
(roles/)
Fully manage Firebase Extensions
firebase.clients.get
firebase.clients.list
firebase.projects.get
firebaseextensionspublisher.*
resourcemanager.projects.get
resourcemanager.projects.list
Firebase Extensions Publisher - Extensions Viewer
Beta
(roles/)
View Firebase Extensions
firebase.clients.get
firebase.clients.list
firebase.projects.get
firebaseextensionspublisher.
firebaseextensionspublisher.
resourcemanager.projects.get
resourcemanager.projects.list
Firebase Hosting Admin
(roles/)
Full read/write access to Firebase Hosting resources.
firebase.clients.get
firebase.clients.list
firebase.projects.get
firebasehosting.*
resourcemanager.projects.get
resourcemanager.projects.list
Firebase Hosting Viewer
(roles/)
Read-only access to Firebase Hosting resources.
firebase.clients.get
firebase.clients.list
firebase.projects.get
firebasehosting.sites.get
firebasehosting.sites.list
resourcemanager.projects.get
resourcemanager.projects.list
Firebase In-App Messaging Admin
Beta
(roles/)
Full read/write access to Firebase In-App Messaging resources.
firebase.clients.get
firebase.clients.list
firebase.projects.get
firebaseinappmessaging.*
resourcemanager.projects.get
resourcemanager.projects.list
Firebase In-App Messaging Viewer
Beta
(roles/)
Read-only access to Firebase In-App Messaging resources.
firebase.clients.get
firebase.clients.list
firebase.projects.get
firebaseinappmessaging.
firebaseinappmessaging.
resourcemanager.projects.get
resourcemanager.projects.list
Firebase Messaging Campaigns Admin
Beta
(roles/)
Full management of Firebase Messaging Campaigns.
firebasemessagingcampaigns.*
Firebase Messaging Campaigns Viewer
Beta
(roles/)
Read-only access for Firebase Messaging Campaigns.
firebasemessagingcampaigns.
firebasemessagingcampaigns.
Firebase ML Kit Admin
Beta
(roles/)
Full read/write access to Firebase ML Kit resources.
firebase.clients.get
firebase.clients.list
firebase.projects.get
firebaseml.*
resourcemanager.projects.get
resourcemanager.projects.list
Firebase ML Kit Viewer
Beta
(roles/)
Read-only access to Firebase ML Kit resources.
firebase.clients.get
firebase.clients.list
firebase.projects.get
firebaseml.models.get
firebaseml.models.list
firebaseml.modelversions.get
firebaseml.modelversions.list
resourcemanager.projects.get
resourcemanager.projects.list
Firebase Cloud Messaging Admin
(roles/)
Full read/write access to Firebase Cloud Messaging resources.
fcmdata.deliverydata.list
firebase.clients.get
firebase.clients.list
firebase.projects.get
firebasenotifications.*
resourcemanager.projects.get
resourcemanager.projects.list
Firebase Cloud Messaging Viewer
(roles/)
Read-only access to Firebase Cloud Messaging resources.
fcmdata.deliverydata.list
firebase.clients.get
firebase.clients.list
firebase.projects.get
firebasenotifications.
firebasenotifications.
resourcemanager.projects.get
resourcemanager.projects.list
(roles/)
Full access to firebaseperformance resources.
firebase.clients.get
firebase.clients.list
firebase.projects.get
firebaseperformance.*
resourcemanager.projects.get
resourcemanager.projects.list
(roles/)
Read-only access to firebaseperformance resources.
firebase.clients.get
firebase.clients.list
firebase.projects.get
firebaseperformance.data.get
resourcemanager.projects.get
resourcemanager.projects.list
Firebase Rules Admin
(roles/)
Full management of Firebase Rules.
firebaserules.*
resourcemanager.projects.get
resourcemanager.projects.list
Firebase Rules System
(roles/)
Read/write/list access for Datastore entities and Cloud Storage objects, as well as get/list/publish access for PubSub topics.
datastore.databases.get
datastore.entities.*
pubsub.topics.get
pubsub.topics.list
pubsub.topics.publish
resourcemanager.projects.get
resourcemanager.projects.list
storage.objects.create
storage.objects.delete
storage.objects.get
storage.objects.list
storage.objects.update
Firebase Rules Viewer
(roles/)
Read-only access on all resources with the ability to test Rulesets.
firebaserules.releases.get
firebaserules.releases.list
firebaserules.rulesets.get
firebaserules.rulesets.list
resourcemanager.projects.get
resourcemanager.projects.list
Cloud Storage for Firebase Admin
Beta
(roles/)
Full management of Cloud Storage for Firebase.
firebase.clients.get
firebase.clients.list
firebase.projects.get
firebasestorage.*
resourcemanager.projects.get
resourcemanager.projects.list
Cloud Storage for Firebase Viewer
Beta
(roles/)
Read-only access for Cloud Storage for Firebase.
firebasestorage.buckets.get
firebasestorage.buckets.list
firebasestorage.
resourcemanager.projects.get
resourcemanager.projects.list
Fleet Engine roles
Permissions
Fleet Engine Consumer SDK User
(roles/)
Limited read access to Fleet Engine resources
fleetengine.trips.get
fleetengine.vehicles.get
fleetengine.vehicles.search
fleetengine.
Fleet Engine Delivery Admin
(roles/)
Full access to Fleet Engine Delivery resources.
fleetengine.deliveryvehicles.*
fleetengine.tasks.*
fleetengine.tasktrackinginfo.*
resourcemanager.projects.get
resourcemanager.projects.list
serviceusage.services.use
Fleet Engine Delivery Consumer User
(roles/)
Limited read access to Fleet Engine Delivery resources
fleetengine.
fleetengine.
Fleet Engine Delivery Fleet Reader User
(roles/)
Grants read access to all Fleet Engine Delivery resources
fleetengine.
fleetengine.
fleetengine.tasks.get
fleetengine.tasks.list
fleetengine.
fleetengine.
Fleet Engine Delivery Super User
(roles/)
Full access to Fleet Engine DeliveryVehicles and Tasks resources.
fleetengine.
fleetengine.
fleetengine.
fleetengine.
fleetengine.
fleetengine.
fleetengine.tasks.create
fleetengine.tasks.get
fleetengine.tasks.list
fleetengine.
fleetengine.tasks.update
fleetengine.
resourcemanager.projects.get
resourcemanager.projects.list
Fleet Engine Delivery Trusted Driver User
(roles/)
Read and write access to Fleet Engine Delivery resources
fleetengine.
fleetengine.
fleetengine.
fleetengine.
fleetengine.
fleetengine.tasks.create
fleetengine.tasks.update
Fleet Engine Delivery Untrusted Driver User
(roles/)
Limited write access to Fleet Engine Delivery Vehicle resources
fleetengine.
fleetengine.
Fleet Engine Driver SDK User
(roles/)
Read and limited update access to Fleet Engine resources
fleetengine.trips.get
fleetengine.trips.search
fleetengine.trips.update
fleetengine.vehicles.get
fleetengine.
Fleet Engine On-Demand Admin
(roles/)
Full access to Vehicle and Trip resources.
fleetengine.trips.*
fleetengine.vehicles.*
resourcemanager.projects.get
resourcemanager.projects.list
serviceusage.services.use
Fleet Engine Service Super User
(roles/)
Full access to all Fleet Engine resources.
fleetengine.trips.create
fleetengine.trips.get
fleetengine.trips.search
fleetengine.trips.update
fleetengine.trips.updateState
fleetengine.vehicles.create
fleetengine.vehicles.get
fleetengine.vehicles.list
fleetengine.vehicles.search
fleetengine.
fleetengine.vehicles.update
fleetengine.
resourcemanager.projects.get
resourcemanager.projects.list
Genomics roles
Permissions
Genomics Admin
(roles/)
Full access to genomics datasets and operations.
genomics.*
Genomics Editor
(roles/)
Access to read and edit genomics datasets and operations.
genomics.datasets.create
genomics.datasets.delete
genomics.datasets.get
genomics.datasets.list
genomics.datasets.update
genomics.operations.*
Genomics Pipelines Runner
(roles/)
Full access to operate on genomics pipelines.
genomics.operations.*
Genomics Viewer
(roles/)
Access to view genomics datasets and operations.
genomics.datasets.get
genomics.datasets.list
genomics.operations.get
genomics.operations.list
GKE Hub roles
Permissions
Fleet Admin (formerly GKE Hub Admin)
(roles/)
Full access to Fleet resources.
gkehub.features.*
gkehub.fleet.*
gkehub.locations.*
gkehub.membershipbindings.*
gkehub.membershipfeatures.*
gkehub.memberships.*
gkehub.namespaces.*
gkehub.operations.*
gkehub.rbacrolebindings.*
gkehub.scopes.*
resourcemanager.projects.get
resourcemanager.projects.list
GKE Connect Agent
(roles/)
Ability to set up GKE Connect between external clusters and Google.
gkehub.endpoints.connect
Fleet Editor (formerly GKE Hub Editor)
(roles/)
Edit access to Fleet resources.
gkehub.features.create
gkehub.features.delete
gkehub.features.get
gkehub.features.getIamPolicy
gkehub.features.list
gkehub.features.update
gkehub.fleet.*
gkehub.locations.*
gkehub.membershipbindings.*
gkehub.membershipfeatures.*
gkehub.memberships.create
gkehub.memberships.delete
gkehub.
gkehub.memberships.get
gkehub.
gkehub.memberships.list
gkehub.memberships.update
gkehub.namespaces.*
gkehub.operations.*
gkehub.rbacrolebindings.*
gkehub.scopes.create
gkehub.scopes.delete
gkehub.scopes.get
gkehub.scopes.getIamPolicy
gkehub.scopes.list
gkehub.
gkehub.scopes.update
resourcemanager.projects.get
resourcemanager.projects.list
Connect Gateway Admin
(roles/)
Full access to Connect Gateway.
gkehub.gateway.*
gkehub.memberships.get
serviceusage.services.get
Connect Gateway Editor
(roles/)
Edit access to Connect Gateway.
gkehub.gateway.delete
gkehub.
gkehub.gateway.get
gkehub.gateway.patch
gkehub.gateway.post
gkehub.gateway.put
gkehub.memberships.get
serviceusage.services.get
Connect Gateway Reader
(roles/)
Read-only access to Connect Gateway.
gkehub.
gkehub.gateway.get
gkehub.memberships.get
serviceusage.services.get
Fleet Scope Admin
(roles/)
Admin access to Fleet Scopes to set IAM Bindings and RBACRoleBindings.
gkehub.namespaces.create
gkehub.namespaces.delete
gkehub.namespaces.get
gkehub.namespaces.list
gkehub.rbacrolebindings.*
gkehub.scopes.get
gkehub.scopes.getIamPolicy
gkehub.
gkehub.scopes.setIamPolicy
Fleet Scope Editor
(roles/)
Edit access to Namespaces under Fleet Scopes.
gkehub.namespaces.create
gkehub.namespaces.delete
gkehub.namespaces.get
gkehub.namespaces.list
gkehub.rbacrolebindings.get
gkehub.rbacrolebindings.list
gkehub.scopes.get
gkehub.scopes.getIamPolicy
gkehub.
Fleet Project-level Scope Editor
(roles/)
Role for project-level permissions for editor of Fleet Scopes.
gkehub.gateway.delete
gkehub.
gkehub.gateway.get
gkehub.gateway.patch
gkehub.gateway.post
gkehub.gateway.put
gkehub.memberships.get
gkehub.operations.get
monitoring.timeSeries.list
resourcemanager.projects.get
resourcemanager.projects.list
serviceusage.services.get
Fleet Scope Viewer
(roles/)
Viewer of Fleet Scopes and associated resources.
gkehub.namespaces.get
gkehub.namespaces.list
gkehub.rbacrolebindings.get
gkehub.rbacrolebindings.list
gkehub.scopes.get
gkehub.scopes.getIamPolicy
gkehub.
Fleet Project-level Scope Viewer
(roles/)
Role for project-level permissions for viewer of Fleet Scopes.
gkehub.
gkehub.gateway.get
gkehub.memberships.get
monitoring.timeSeries.list
resourcemanager.projects.get
resourcemanager.projects.list
serviceusage.services.get
Fleet Viewer (formerly GKE Hub Viewer)
(roles/)
Read-only access to Fleets and related resources.
gkehub.features.get
gkehub.features.getIamPolicy
gkehub.features.list
gkehub.fleet.get
gkehub.fleet.getFreeTrial
gkehub.locations.*
gkehub.membershipbindings.get
gkehub.membershipbindings.list
gkehub.membershipfeatures.get
gkehub.membershipfeatures.list
gkehub.
gkehub.memberships.get
gkehub.
gkehub.memberships.list
gkehub.namespaces.get
gkehub.namespaces.list
gkehub.operations.get
gkehub.operations.list
gkehub.rbacrolebindings.get
gkehub.rbacrolebindings.list
gkehub.scopes.get
gkehub.scopes.list
gkehub.
resourcemanager.projects.get
resourcemanager.projects.list
GKE on-prem roles
Permissions
GKE on-prem Admin
(roles/)
Full access to GKE on-prem all resources.
gkeonprem.*
resourcemanager.projects.get
resourcemanager.projects.list
GKE on-prem Viewer
(roles/)
Read-only access to GKE on-prem all resources.
gkeonprem.
gkeonprem.
gkeonprem.
gkeonprem.
gkeonprem.
gkeonprem.
gkeonprem.
gkeonprem.
gkeonprem.
gkeonprem.
gkeonprem.
gkeonprem.
gkeonprem.locations.*
gkeonprem.operations.get
gkeonprem.operations.list
gkeonprem.
gkeonprem.
gkeonprem.
gkeonprem.
gkeonprem.vmwareClusters.get
gkeonprem.
gkeonprem.vmwareClusters.list
gkeonprem.
gkeonprem.vmwareNodePools.get
gkeonprem.
gkeonprem.vmwareNodePools.list
resourcemanager.projects.get
resourcemanager.projects.list
Google Workspace Add-ons roles
Permissions
Google Workspace Add-ons Developer
(roles/)
Full access to Google Workspace Add-ons resources
gsuiteaddons.*
resourcemanager.projects.get
resourcemanager.projects.list
Google Workspace Add-ons Reader
(roles/)
Read-only access to Google Workspace Add-ons resources
gsuiteaddons.
gsuiteaddons.deployments.get
gsuiteaddons.deployments.list
resourcemanager.projects.get
resourcemanager.projects.list
Google Workspace Add-ons Tester
(roles/)
Testing execution access to Google Workspace Add-ons resources
gsuiteaddons.
gsuiteaddons.
gsuiteaddons.
gsuiteaddons.
resourcemanager.projects.get
resourcemanager.projects.list
IAM roles
Permissions
Deny Admin
(roles/)
Deny admin role, with permissions to read and modify deny policies
Lowest-level resources where you can grant this role:
cloudasset.assets.listResource
iam.denypolicies.*
policyanalyzer.
policysimulator.
policysimulator.
Deny Reviewer
(roles/)
Deny Reviewer role, with permissions to read deny policies
Lowest-level resources where you can grant this role:
iam.denypolicies.get
iam.denypolicies.list
IAM Operation Viewer
Beta
(roles/)
Operation user role, with permissions to view and list operations in IAM v3
iam.operations.get
Principal Access Boundary Policy Admin
Beta
(roles/)
Principal Access Boundary admin role, with permissions to read and modify principal access boundary policies, and to bind and unbind principal access boundary policies to targets. Also includes permissions to read principal authorization activities analysis and permissions to list assets from Cloud Asset Inventory
cloudasset.assets.listResource
cloudasset.
iam.
Principal Access Boundary Policy User
Beta
(roles/)
Principal Access Boundary Policies user role, with permissions to view principal access boundary policies, and to bind and unbind principal access boundary policies to targets
iam.
iam.
iam.
iam.
Principal Access Boundary Policy Viewer
Beta
(roles/)
Principal Access Boundary Reviewer role, with permissions to read principal access boundary policies and view associated policy bindings
iam.
iam.
iam.
Security Admin
(roles/)
Security admin role, with permissions to get and set any IAM policy.
accessapproval.requests.list
accesscontextmanager.
accesscontextmanager.
accesscontextmanager.
accesscontextmanager.
accesscontextmanager.
accesscontextmanager.
accesscontextmanager.
actions.agentVersions.list
advisorynotifications.
aiplatform.agentExamples.list
aiplatform.agents.list
aiplatform.
aiplatform.annotations.list
aiplatform.apps.list
aiplatform.artifacts.list
aiplatform.
aiplatform.cachedContents.list
aiplatform.contexts.list
aiplatform.customJobs.list
aiplatform.dataItems.list
aiplatform.
aiplatform.
aiplatform.datasets.list
aiplatform.
aiplatform.
aiplatform.edgeDevices.list
aiplatform.
aiplatform.endpoints.list
aiplatform.
aiplatform.
aiplatform.entityTypes.list
aiplatform.
aiplatform.executions.list
aiplatform.extensions.list
aiplatform.featureGroups.list
aiplatform.
aiplatform.
aiplatform.
aiplatform.
aiplatform.
aiplatform.featureViews.list
aiplatform.
aiplatform.features.list
aiplatform.
aiplatform.featurestores.list
aiplatform.
aiplatform.
aiplatform.
aiplatform.indexEndpoints.list
aiplatform.indexes.list
aiplatform.locations.list
aiplatform.
aiplatform.metadataStores.list
aiplatform.
aiplatform.
aiplatform.
aiplatform.
aiplatform.modelMonitors.list
aiplatform.models.list
aiplatform.nasJobs.list
aiplatform.
aiplatform.
aiplatform.
aiplatform.
aiplatform.
aiplatform.
aiplatform.operations.list
aiplatform.
aiplatform.pipelineJobs.list
aiplatform.
aiplatform.ragCorpora.list
aiplatform.ragFiles.list
aiplatform.
aiplatform.schedules.list
aiplatform.sessions.list
aiplatform.
aiplatform.studies.list
aiplatform.
aiplatform.
aiplatform.
aiplatform.tensorboards.list
aiplatform.
aiplatform.trials.list
aiplatform.tuningJobs.list
alloydb.backups.list
alloydb.clusters.list
alloydb.databases.list
alloydb.instances.list
alloydb.locations.list
alloydb.operations.list
alloydb.
alloydb.users.list
analyticshub.
analyticshub.
analyticshub.
analyticshub.
analyticshub.listings.list
analyticshub.
analyticshub.
apigateway.
apigateway.apiconfigs.list
apigateway.
apigateway.apis.getIamPolicy
apigateway.apis.list
apigateway.apis.setIamPolicy
apigateway.
apigateway.gateways.list
apigateway.
apigateway.locations.list
apigateway.operations.list
apigee.
apigee.apiproducts.list
apigee.appgroupapps.list
apigee.appgroups.list
apigee.apps.list
apigee.archivedeployments.list
apigee.caches.list
apigee.datacollectors.list
apigee.datastores.list
apigee.
apigee.deployments.list
apigee.
apigee.
apigee.developerapps.list
apigee.
apigee.developers.list
apigee.
apigee.
apigee.
apigee.envgroups.list
apigee.
apigee.environments.list
apigee.
apigee.exports.list
apigee.flowhooks.list
apigee.hostqueries.list
apigee.
apigee.
apigee.instances.list
apigee.keystorealiases.list
apigee.keystores.list
apigee.keyvaluemapentries.list
apigee.keyvaluemaps.list
apigee.nataddresses.list
apigee.operations.list
apigee.organizations.list
apigee.portals.list
apigee.proxies.list
apigee.proxyrevisions.list
apigee.queries.list
apigee.rateplans.list
apigee.references.list
apigee.reports.list
apigee.resourcefiles.list
apigee.securityActions.list
apigee.securityFeedback.list
apigee.securityIncidents.list
apigee.securityProfiles.list
apigee.securityProfilesV2.list
apigee.securityreports.list
apigee.
apigee.sharedflows.list
apigee.targetservers.list
apigee.
apigee.tracesessions.list
apigeeconnect.connections.list
apigeeregistry.
apigeeregistry.apis.list
apigeeregistry.
apigeeregistry.
apigeeregistry.artifacts.list
apigeeregistry.
apigeeregistry.
apigeeregistry.locations.list
apigeeregistry.operations.list
apigeeregistry.
apigeeregistry.specs.list
apigeeregistry.
apigeeregistry.
apigeeregistry.versions.list
apigeeregistry.
apihub.apiHubInstances.list
apihub.apiOperations.list
apihub.apis.list
apihub.attributes.list
apihub.definitions.list
apihub.dependencies.list
apihub.deployments.list
apihub.externalApis.list
apihub.
apihub.llmEnablements.list
apihub.operations.list
apihub.plugins.list
apihub.
apihub.specs.list
apihub.versions.list
apikeys.keys.list
apim.apiObservations.list
apim.apiOperations.list
apim.locations.list
apim.observationJobs.list
apim.observationSources.list
apim.operations.list
appengine.instances.list
appengine.memcache.list
appengine.operations.list
appengine.services.list
appengine.versions.list
apphub.
apphub.applications.list
apphub.
apphub.discoveredServices.list
apphub.
apphub.locations.list
apphub.operations.list
apphub.
apphub.services.list
apphub.workloads.list
applianceactivation.
artifactregistry.
artifactregistry.
artifactregistry.files.list
artifactregistry.
artifactregistry.
artifactregistry.
artifactregistry.packages.list
artifactregistry.
artifactregistry.
artifactregistry.
artifactregistry.
artifactregistry.rules.list
artifactregistry.tags.list
artifactregistry.versions.list
assuredoss.locations.list
assuredoss.metadata.list
assuredoss.operations.list
assuredworkloads.
assuredworkloads.updates.list
assuredworkloads.
assuredworkloads.workload.list
auditmanager.auditReports.list
auditmanager.
auditmanager.controls.list
auditmanager.
auditmanager.findings.list
auditmanager.locations.list
auditmanager.operations.list
auditmanager.
automl.annotationSpecs.list
automl.annotations.list
automl.columnSpecs.list
automl.datasets.getIamPolicy
automl.datasets.list
automl.datasets.setIamPolicy
automl.examples.list
automl.files.list
automl.
automl.locations.getIamPolicy
automl.locations.list
automl.locations.setIamPolicy
automl.modelEvaluations.list
automl.models.getIamPolicy
automl.models.list
automl.models.setIamPolicy
automl.operations.list
automl.tableSpecs.list
automlrecommendations.
automlrecommendations.
automlrecommendations.
automlrecommendations.
automlrecommendations.
automlrecommendations.
automlrecommendations.
autoscaling.sites.getIamPolicy
autoscaling.sites.setIamPolicy
backupdr.
backupdr.backupPlans.list
backupdr.backupVaults.list
backupdr.bvbackups.list
backupdr.bvdataSources.list
backupdr.locations.list
backupdr.
backupdr.
backupdr.
backupdr.operations.list
backupdr.
baremetalsolution.
baremetalsolution.
baremetalsolution.luns.list
baremetalsolution.
baremetalsolution.
baremetalsolution.
baremetalsolution.
baremetalsolution.
baremetalsolution.pods.list
baremetalsolution.
baremetalsolution.skus.list
baremetalsolution.
baremetalsolution.sshKeys.list
baremetalsolution.
baremetalsolution.
baremetalsolution.volumes.list
baremetalsolution.
batch.jobs.list
batch.locations.list
batch.operations.list
batch.resourceAllowances.list
batch.tasks.list
beyondcorp.
beyondcorp.appConnections.list
beyondcorp.
beyondcorp.
beyondcorp.appConnectors.list
beyondcorp.
beyondcorp.
beyondcorp.appGateways.list
beyondcorp.
beyondcorp.
beyondcorp.
beyondcorp.
beyondcorp.
beyondcorp.clientGateways.list
beyondcorp.
beyondcorp.locations.list
beyondcorp.operations.list
beyondcorp.partnerTenants.list
beyondcorp.proxyConfigs.list
beyondcorp.subscriptions.list
biglake.catalogs.list
biglake.databases.list
biglake.locks.list
biglake.tables.list
bigquery.
bigquery.
bigquery.connections.list
bigquery.
bigquery.
bigquery.dataPolicies.list
bigquery.
bigquery.datasets.getIamPolicy
bigquery.datasets.setIamPolicy
bigquery.jobs.list
bigquery.models.list
bigquery.
bigquery.reservations.list
bigquery.routines.list
bigquery.
bigquery.
bigquery.
bigquery.savedqueries.list
bigquery.tables.getIamPolicy
bigquery.tables.list
bigquery.tables.setIamPolicy
bigquerymigration.
bigquerymigration.
bigtable.appProfiles.list
bigtable.
bigtable.authorizedViews.list
bigtable.
bigtable.backups.getIamPolicy
bigtable.backups.list
bigtable.backups.setIamPolicy
bigtable.clusters.list
bigtable.hotTablets.list
bigtable.
bigtable.instances.list
bigtable.
bigtable.keyvisualizer.list
bigtable.locations.list
bigtable.tables.getIamPolicy
bigtable.tables.list
bigtable.tables.setIamPolicy
billing.accounts.getIamPolicy
billing.accounts.list
billing.accounts.setIamPolicy
billing.anomalies.list
billing.
billing.
billing.
billing.
billing.
billing.budgets.list
billing.credits.list
billing.
billing.subscriptions.list
binaryauthorization.
binaryauthorization.
binaryauthorization.
binaryauthorization.
binaryauthorization.
binaryauthorization.
binaryauthorization.
binaryauthorization.
blockchainnodeengine.
blockchainnodeengine.
blockchainnodeengine.
blockchainvalidatormanager.
blockchainvalidatormanager.
blockchainvalidatormanager.
capacityplanner.forecasts.list
capacityplanner.
carestudio.patients.list
certificatemanager.
certificatemanager.
certificatemanager.
certificatemanager.certs.list
certificatemanager.
certificatemanager.
certificatemanager.
certificatemanager.
chronicle.analyticValues.list
chronicle.analytics.list
chronicle.collectors.list
chronicle.conversations.list
chronicle.
chronicle.
chronicle.curatedRuleSets.list
chronicle.curatedRules.list
chronicle.dashboardCharts.list
chronicle.
chronicle.dashboards.list
chronicle.
chronicle.
chronicle.dataTableRows.list
chronicle.dataTables.list
chronicle.dataTaps.list
chronicle.
chronicle.entities.list
chronicle.
chronicle.
chronicle.
chronicle.feeds.list
chronicle.
chronicle.
chronicle.forwarders.list
chronicle.
chronicle.
chronicle.iocMatches.list
chronicle.logTypeSchemas.list
chronicle.logTypes.list
chronicle.logs.list
chronicle.messages.list
chronicle.
chronicle.operations.list
chronicle.
chronicle.parsers.list
chronicle.parsingErrors.list
chronicle.referenceLists.list
chronicle.retrohunts.list
chronicle.ruleDeployments.list
chronicle.
chronicle.rules.list
chronicle.searchQueries.list
chronicle.
chronicle.watchlists.list
chroniclesm.
clientauthconfig.brands.list
clientauthconfig.clients.list
cloud.locations.list
cloudaicompanion.
cloudaicompanion.
cloudaicompanion.
cloudaicompanion.
cloudaicompanion.
cloudasset.
cloudasset.feeds.list
cloudasset.savedqueries.list
cloudbuild.builds.list
cloudbuild.
cloudbuild.connections.list
cloudbuild.
cloudbuild.integrations.list
cloudbuild.operations.list
cloudbuild.repositories.list
cloudbuild.workerpools.list
cloudcontrolspartner.
cloudcontrolspartner.
cloudcontrolspartner.
cloudcontrolspartner.
clouddebugger.breakpoints.list
clouddebugger.debuggees.list
clouddeploy.
clouddeploy.automations.list
clouddeploy.
clouddeploy.
clouddeploy.
clouddeploy.
clouddeploy.
clouddeploy.
clouddeploy.
clouddeploy.jobRuns.list
clouddeploy.locations.list
clouddeploy.operations.list
clouddeploy.releases.list
clouddeploy.rollouts.list
clouddeploy.
clouddeploy.targets.list
clouddeploy.
cloudfunctions.
cloudfunctions.functions.list
cloudfunctions.
cloudfunctions.locations.list
cloudfunctions.operations.list
cloudjobdiscovery.
cloudkms.
cloudkms.
cloudkms.cryptoKeys.list
cloudkms.
cloudkms.
cloudkms.
cloudkms.
cloudkms.ekmConnections.list
cloudkms.
cloudkms.
cloudkms.importJobs.list
cloudkms.
cloudkms.keyHandles.list
cloudkms.keyRings.getIamPolicy
cloudkms.keyRings.list
cloudkms.keyRings.setIamPolicy
cloudkms.locations.list
cloudnotifications.
cloudonefs.isiloncloud.
cloudonefs.isiloncloud.
cloudprivatecatalogproducer.
cloudprivatecatalogproducer.
cloudprivatecatalogproducer.
cloudprivatecatalogproducer.
cloudprivatecatalogproducer.
cloudprivatecatalogproducer.
cloudprivatecatalogproducer.
cloudprivatecatalogproducer.
cloudprivatecatalogproducer.
cloudprivatecatalogproducer.
cloudprivatecatalogproducer.
cloudprofiler.profiles.list
cloudscheduler.jobs.list
cloudscheduler.locations.list
cloudsecurityscanner.
cloudsecurityscanner.
cloudsecurityscanner.
cloudsecurityscanner.
cloudsql.backupRuns.list
cloudsql.databases.list
cloudsql.instances.list
cloudsql.sslCerts.list
cloudsql.users.list
cloudsupport.
cloudsupport.accounts.list
cloudsupport.
cloudsupport.techCases.list
cloudtasks.locations.list
cloudtasks.queues.getIamPolicy
cloudtasks.queues.list
cloudtasks.queues.setIamPolicy
cloudtasks.tasks.list
cloudtestservice.
cloudtoolresults.
cloudtoolresults.
cloudtoolresults.steps.list
cloudtrace.insights.list
cloudtrace.tasks.list
cloudtrace.traceScopes.list
cloudtrace.traces.list
cloudtranslate.
cloudtranslate.
cloudtranslate.
cloudtranslate.
cloudtranslate.datasets.list
cloudtranslate.glossaries.list
cloudtranslate.
cloudtranslate.locations.list
cloudtranslate.operations.list
cloudvolumesgcp-api.netapp.
cloudvolumesgcp-api.netapp.
cloudvolumesgcp-api.netapp.
cloudvolumesgcp-api.netapp.
cloudvolumesgcp-api.netapp.
cloudvolumesgcp-api.netapp.
cloudvolumesgcp-api.netapp.
cloudvolumesgcp-api.netapp.
commerceagreementpublishing.
commerceagreementpublishing.
commercebusinessenablement.
commercebusinessenablement.
commercebusinessenablement.
commercebusinessenablement.
commercebusinessenablement.
commercebusinessenablement.
commerceoffercatalog.
commerceoffercatalog.
commerceorggovernance.
commerceorggovernance.
commerceorggovernance.
commerceorggovernance.
commerceprice.events.list
commerceprice.
composer.dags.list
composer.environments.list
composer.imageversions.list
composer.operations.list
composer.
composer.
compute.acceleratorTypes.list
compute.addresses.list
compute.autoscalers.list
compute.
compute.backendBuckets.list
compute.
compute.
compute.backendServices.list
compute.
compute.commitments.list
compute.diskTypes.list
compute.disks.getIamPolicy
compute.disks.list
compute.disks.setIamPolicy
compute.
compute.
compute.firewallPolicies.list
compute.
compute.firewalls.list
compute.forwardingRules.list
compute.
compute.
compute.
compute.globalAddresses.list
compute.
compute.
compute.
compute.globalOperations.list
compute.
compute.
compute.healthChecks.list
compute.httpHealthChecks.list
compute.httpsHealthChecks.list
compute.images.getIamPolicy
compute.images.list
compute.images.setIamPolicy
compute.
compute.instanceGroups.list
compute.
compute.instanceTemplates.list
compute.
compute.instances.getIamPolicy
compute.instances.list
compute.instances.setIamPolicy
compute.
compute.instantSnapshots.list
compute.
compute.
compute.
compute.
compute.interconnects.list
compute.
compute.licenseCodes.list
compute.
compute.licenses.getIamPolicy
compute.licenses.list
compute.licenses.setIamPolicy
compute.
compute.machineImages.list
compute.
compute.machineTypes.list
compute.multiMig.list
compute.
compute.
compute.
compute.
compute.
compute.networkProfiles.list
compute.networks.list
compute.
compute.nodeGroups.list
compute.
compute.
compute.nodeTemplates.list
compute.
compute.nodeTypes.list
compute.packetMirrorings.list
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.regionOperations.list
compute.
compute.
compute.
compute.regionSslPolicies.list
compute.
compute.
compute.
compute.regionUrlMaps.list
compute.regions.list
compute.reservationBlocks.list
compute.reservations.list
compute.
compute.resourcePolicies.list
compute.
compute.routers.list
compute.routes.list
compute.securityPolicies.list
compute.
compute.
compute.
compute.snapshots.getIamPolicy
compute.snapshots.list
compute.snapshots.setIamPolicy
compute.sslCertificates.list
compute.sslPolicies.list
compute.
compute.storagePools.list
compute.
compute.
compute.subnetworks.list
compute.
compute.targetGrpcProxies.list
compute.targetHttpProxies.list
compute.
compute.targetInstances.list
compute.targetPools.list
compute.targetSslProxies.list
compute.targetTcpProxies.list
compute.targetVpnGateways.list
compute.urlMaps.list
compute.vpnGateways.list
compute.vpnTunnels.list
compute.
compute.zoneOperations.list
compute.
compute.zones.list
confidentialcomputing.
config.
config.deployments.list
config.
config.locations.list
config.operations.list
config.previews.list
config.resources.list
config.revisions.list
config.terraformversions.list
configdelivery.
configdelivery.locations.list
configdelivery.operations.list
configdelivery.releases.list
configdelivery.
configdelivery.rollouts.list
connectors.actions.list
connectors.
connectors.connections.list
connectors.
connectors.connectors.list
connectors.
connectors.
connectors.
connectors.
connectors.
connectors.
connectors.
connectors.
connectors.
connectors.entities.list
connectors.entityTypes.list
connectors.
connectors.eventtypes.list
connectors.locations.list
connectors.
connectors.managedZones.list
connectors.
connectors.operations.list
connectors.providers.list
connectors.versions.list
consumerprocurement.
consumerprocurement.
consumerprocurement.
consumerprocurement.
consumerprocurement.
consumerprocurement.
consumerprocurement.
contactcenteraiplatform.
contactcenteraiplatform.
contactcenteraiplatform.
contactcenterinsights.
contactcenterinsights.
contactcenterinsights.
contactcenterinsights.
contactcenterinsights.
contactcenterinsights.
contactcenterinsights.
contactcenterinsights.
contactcenterinsights.
contactcenterinsights.
contactcenterinsights.
contactcenterinsights.
contactcenterinsights.
contactcenterinsights.
container.apiServices.list
container.auditSinks.list
container.backendConfigs.list
container.bindings.list
container.
container.
container.clusterRoles.list
container.clusters.list
container.
container.configMaps.list
container.
container.cronJobs.list
container.csiDrivers.list
container.csiNodeInfos.list
container.csiNodes.list
container.
container.daemonSets.list
container.deployments.list
container.endpointSlices.list
container.endpoints.list
container.events.list
container.frontendConfigs.list
container.
container.ingresses.list
container.
container.jobs.list
container.leases.list
container.limitRanges.list
container.
container.
container.
container.namespaces.list
container.networkPolicies.list
container.nodes.list
container.operations.list
container.
container.
container.petSets.list
container.
container.podPresets.list
container.
container.podTemplates.list
container.pods.list
container.priorityClasses.list
container.replicaSets.list
container.
container.resourceQuotas.list
container.roleBindings.list
container.roles.list
container.runtimeClasses.list
container.scheduledJobs.list
container.
container.serviceAccounts.list
container.services.list
container.statefulSets.list
container.storageClasses.list
container.storageStates.list
container.
container.
container.
container.
container.updateInfos.list
container.
container.
container.
container.
container.volumeSnapshots.list
containeranalysis.
containeranalysis.notes.list
containeranalysis.
containeranalysis.
containeranalysis.
containeranalysis.
containersecurity.
containersecurity.
containersecurity.
contentwarehouse.corpora.list
contentwarehouse.
contentwarehouse.
contentwarehouse.
contentwarehouse.
contentwarehouse.ruleSets.list
contentwarehouse.
databasecenter.*
databaseinsights.
datacatalog.
datacatalog.
datacatalog.
datacatalog.entries.list
datacatalog.
datacatalog.
datacatalog.entryGroups.list
datacatalog.
datacatalog.operations.list
datacatalog.relationships.list
datacatalog.
datacatalog.
datacatalog.
datacatalog.taxonomies.list
datacatalog.
dataconnectors.
dataconnectors.connectors.list
dataconnectors.
dataconnectors.locations.list
dataconnectors.operations.list
dataflow.jobs.list
dataflow.messages.list
dataflow.snapshots.list
dataform.
dataform.locations.list
dataform.releaseConfigs.list
dataform.
dataform.repositories.list
dataform.
dataform.workflowConfigs.list
dataform.
dataform.
dataform.workspaces.list
dataform.
datafusion.artifacts.list
datafusion.
datafusion.instances.list
datafusion.
datafusion.locations.list
datafusion.
datafusion.namespaces.list
datafusion.
datafusion.operations.list
datafusion.
datafusion.pipelines.list
datafusion.profiles.list
datafusion.secureKeys.list
datalabeling.
datalabeling.
datalabeling.dataitems.list
datalabeling.datasets.list
datalabeling.examples.list
datalabeling.instructions.list
datalabeling.operations.list
datalineage.events.list
datalineage.processes.list
datalineage.runs.list
datamigration.
datamigration.
datamigration.
datamigration.
datamigration.
datamigration.
datamigration.locations.list
datamigration.
datamigration.
datamigration.
datamigration.
datamigration.
datamigration.objects.list
datamigration.operations.list
datamigration.
datamigration.
datamigration.
datapipelines.jobs.list
datapipelines.pipelines.list
dataplex.
dataplex.aspectTypes.list
dataplex.
dataplex.assetActions.list
dataplex.assets.getIamPolicy
dataplex.assets.list
dataplex.assets.setIamPolicy
dataplex.content.getIamPolicy
dataplex.content.list
dataplex.content.setIamPolicy
dataplex.
dataplex.
dataplex.
dataplex.
dataplex.dataAttributes.list
dataplex.
dataplex.
dataplex.dataTaxonomies.list
dataplex.
dataplex.
dataplex.datascans.list
dataplex.
dataplex.encryptionConfig.list
dataplex.entities.list
dataplex.entries.list
dataplex.
dataplex.entryGroups.list
dataplex.
dataplex.
dataplex.entryTypes.list
dataplex.
dataplex.
dataplex.environments.list
dataplex.
dataplex.lakeActions.list
dataplex.lakes.getIamPolicy
dataplex.lakes.list
dataplex.lakes.setIamPolicy
dataplex.locations.list
dataplex.metadataJobs.list
dataplex.operations.list
dataplex.partitions.list
dataplex.tasks.getIamPolicy
dataplex.tasks.list
dataplex.tasks.setIamPolicy
dataplex.zoneActions.list
dataplex.zones.getIamPolicy
dataplex.zones.list
dataplex.zones.setIamPolicy
dataproc.agents.list
dataproc.
dataproc.
dataproc.
dataproc.batches.list
dataproc.clusters.getIamPolicy
dataproc.clusters.list
dataproc.clusters.setIamPolicy
dataproc.jobs.getIamPolicy
dataproc.jobs.list
dataproc.jobs.setIamPolicy
dataproc.
dataproc.operations.list
dataproc.
dataproc.sessionTemplates.list
dataproc.sessions.list
dataproc.
dataproc.
dataproc.
dataprocessing.
dataprocessing.
dataprocessing.
dataprocrm.locations.list
dataprocrm.nodePools.list
dataprocrm.nodes.list
dataprocrm.operations.list
dataprocrm.workloads.list
datastore.backupSchedules.list
datastore.backups.list
datastore.databases.list
datastore.entities.list
datastore.indexes.list
datastore.
datastore.locations.list
datastore.namespaces.list
datastore.operations.list
datastore.statistics.list
datastream.
datastream.
datastream.
datastream.locations.list
datastream.objects.list
datastream.operations.list
datastream.
datastream.
datastream.
datastream.routes.getIamPolicy
datastream.routes.list
datastream.routes.setIamPolicy
datastream.
datastream.streams.list
datastream.
datastudio.
datastudio.
datastudio.
datastudio.
datastudio.
datastudio.
deploymentmanager.
deploymentmanager.
deploymentmanager.
deploymentmanager.
deploymentmanager.
deploymentmanager.
deploymentmanager.
deploymentmanager.
deploymentmanager.types.list
developerconnect.
developerconnect.
developerconnect.
developerconnect.
dialogflow.agents.list
dialogflow.answerrecords.list
dialogflow.callMatchers.list
dialogflow.changelogs.list
dialogflow.contexts.list
dialogflow.
dialogflow.
dialogflow.
dialogflow.conversations.list
dialogflow.deployments.list
dialogflow.documents.list
dialogflow.entityTypes.list
dialogflow.environments.list
dialogflow.examples.list
dialogflow.experiments.list
dialogflow.flows.list
dialogflow.generators.list
dialogflow.integrations.list
dialogflow.intents.list
dialogflow.knowledgeBases.list
dialogflow.messages.list
dialogflow.
dialogflow.pages.list
dialogflow.participants.list
dialogflow.
dialogflow.phoneNumbers.list
dialogflow.playbooks.list
dialogflow.
dialogflow.
dialogflow.
dialogflow.testcases.list
dialogflow.tools.list
dialogflow.
dialogflow.versions.list
dialogflow.webhooks.list
discoveryengine.branches.list
discoveryengine.
discoveryengine.
discoveryengine.controls.list
discoveryengine.
discoveryengine.
discoveryengine.documents.list
discoveryengine.engines.list
discoveryengine.
discoveryengine.models.list
discoveryengine.
discoveryengine.
discoveryengine.
discoveryengine.schemas.list
discoveryengine.
discoveryengine.sessions.list
discoveryengine.
dlp.analyzeRiskTemplates.list
dlp.columnDataProfiles.list
dlp.connections.list
dlp.deidentifyTemplates.list
dlp.estimates.list
dlp.fileStoreProfiles.list
dlp.inspectFindings.list
dlp.inspectTemplates.list
dlp.jobTriggers.list
dlp.jobs.list
dlp.locations.list
dlp.projectDataProfiles.list
dlp.storedInfoTypes.list
dlp.subscriptions.list
dlp.tableDataProfiles.list
dns.changes.list
dns.dnsKeys.list
dns.managedZoneOperations.list
dns.managedZones.getIamPolicy
dns.managedZones.list
dns.managedZones.setIamPolicy
dns.policies.getIamPolicy
dns.policies.list
dns.policies.setIamPolicy
dns.resourceRecordSets.list
dns.responsePolicies.list
dns.responsePolicyRules.list
documentai.
documentai.evaluations.list
documentai.labelerPools.list
documentai.locations.list
documentai.processorTypes.list
documentai.
documentai.processors.list
domains.locations.list
domains.operations.list
domains.
domains.registrations.list
domains.
earthengine.
earthengine.assets.list
earthengine.
earthengine.operations.list
edgecontainer.
edgecontainer.clusters.list
edgecontainer.
edgecontainer.locations.list
edgecontainer.
edgecontainer.machines.list
edgecontainer.
edgecontainer.
edgecontainer.nodePools.list
edgecontainer.
edgecontainer.operations.list
edgecontainer.
edgecontainer.
edgecontainer.
edgenetwork.
edgenetwork.
edgenetwork.
edgenetwork.
edgenetwork.interconnects.list
edgenetwork.
edgenetwork.locations.list
edgenetwork.
edgenetwork.networks.list
edgenetwork.
edgenetwork.operations.list
edgenetwork.
edgenetwork.routers.list
edgenetwork.
edgenetwork.routes.list
edgenetwork.
edgenetwork.subnetworks.list
edgenetwork.
edgenetwork.zones.list
enterpriseknowledgegraph.
enterprisepurchasing.
enterprisepurchasing.
enterprisepurchasing.
enterprisepurchasing.
errorreporting.
errorreporting.
errorreporting.groups.list
essentialcontacts.
eventarc.
eventarc.
eventarc.
eventarc.channels.getIamPolicy
eventarc.channels.list
eventarc.channels.setIamPolicy
eventarc.
eventarc.enrollments.list
eventarc.
eventarc.
eventarc.googleApiSources.list
eventarc.
eventarc.locations.list
eventarc.
eventarc.messageBuses.list
eventarc.
eventarc.operations.list
eventarc.
eventarc.pipelines.list
eventarc.
eventarc.providers.list
eventarc.triggers.getIamPolicy
eventarc.triggers.list
eventarc.triggers.setIamPolicy
fcmdata.deliverydata.list
file.backups.list
file.instances.list
file.locations.list
file.operations.list
financialservices.
financialservices.
financialservices.
financialservices.
financialservices.
financialservices.
financialservices.
financialservices.
financialservices.
firebase.clients.list
firebase.links.list
firebase.playLinks.list
firebaseabt.experiments.list
firebaseappdistro.groups.list
firebaseappdistro.
firebaseappdistro.testers.list
firebasecrashlytics.
firebasedatabase.
firebasedataconnect.
firebasedataconnect.
firebasedataconnect.
firebasedataconnect.
firebasedataconnect.
firebasedataconnect.
firebasedataconnect.
firebasedynamiclinks.
firebasedynamiclinks.
firebasedynamiclinks.
firebaseextensions.
firebaseextensionspublisher.
firebasehosting.sites.list
firebaseinappmessaging.
firebasemessagingcampaigns.
firebaseml.models.list
firebaseml.modelversions.list
firebasenotifications.
firebaserules.releases.list
firebaserules.rulesets.list
firebasestorage.buckets.list
fleetengine.
fleetengine.tasks.list
fleetengine.vehicles.list
gcp.redisenterprise.
gcp.redisenterprise.
gdchardwaremanagement.
gdchardwaremanagement.
gdchardwaremanagement.
gdchardwaremanagement.
gdchardwaremanagement.
gdchardwaremanagement.
gdchardwaremanagement.
gdchardwaremanagement.
gdchardwaremanagement.
gdchardwaremanagement.
genomics.datasets.getIamPolicy
genomics.datasets.list
genomics.datasets.setIamPolicy
genomics.operations.list
gkebackup.
gkebackup.backupPlans.list
gkebackup.
gkebackup.backups.list
gkebackup.locations.list
gkebackup.operations.list
gkebackup.
gkebackup.restorePlans.list
gkebackup.
gkebackup.restores.list
gkebackup.volumeBackups.list
gkebackup.volumeRestores.list
gkehub.features.getIamPolicy
gkehub.features.list
gkehub.features.setIamPolicy
gkehub.locations.list
gkehub.membershipbindings.list
gkehub.membershipfeatures.list
gkehub.
gkehub.memberships.list
gkehub.
gkehub.namespaces.list
gkehub.operations.list
gkehub.rbacrolebindings.list
gkehub.scopes.getIamPolicy
gkehub.scopes.list
gkehub.scopes.setIamPolicy
gkemulticloud.
gkemulticloud.awsClusters.list
gkemulticloud.
gkemulticloud.
gkemulticloud.
gkemulticloud.
gkemulticloud.operations.list
gkeonprem.
gkeonprem.
gkeonprem.
gkeonprem.
gkeonprem.
gkeonprem.
gkeonprem.
gkeonprem.
gkeonprem.
gkeonprem.locations.list
gkeonprem.operations.list
gkeonprem.
gkeonprem.
gkeonprem.
gkeonprem.
gkeonprem.vmwareClusters.list
gkeonprem.
gkeonprem.
gkeonprem.vmwareNodePools.list
gkeonprem.
gsuiteaddons.deployments.list
healthcare.
healthcare.
healthcare.
healthcare.annotations.list
healthcare.
healthcare.
healthcare.
healthcare.consentStores.list
healthcare.
healthcare.consents.list
healthcare.
healthcare.datasets.list
healthcare.
healthcare.
healthcare.dicomStores.list
healthcare.
healthcare.
healthcare.fhirStores.list
healthcare.
healthcare.hl7V2Messages.list
healthcare.
healthcare.hl7V2Stores.list
healthcare.
healthcare.locations.list
healthcare.operations.list
healthcare.
iam.denypolicies.list
iam.googleapis.
iam.googleapis.
iam.googleapis.
iam.googleapis.
iam.googleapis.
iam.googleapis.
iam.googleapis.
iam.googleapis.
iam.googleapis.
iam.googleapis.
iam.policybindings.list
iam.
iam.roles.get
iam.roles.list
iam.serviceAccountKeys.list
iam.serviceAccounts.get
iam.
iam.serviceAccounts.list
iam.
iap.tunnel.*
iap.
iap.tunnelDestGroups.list
iap.
iap.
iap.
iap.tunnelLocations.*
iap.tunnelZones.*
iap.web.getIamPolicy
iap.web.setIamPolicy
iap.
iap.
iap.webServices.getIamPolicy
iap.webServices.setIamPolicy
iap.webTypes.getIamPolicy
iap.webTypes.setIamPolicy
identitytoolkit.
identitytoolkit.tenants.list
identitytoolkit.
ids.endpoints.getIamPolicy
ids.endpoints.list
ids.endpoints.setIamPolicy
ids.locations.list
ids.operations.list
integrations.
integrations.
integrations.
integrations.
integrations.
integrations.
integrations.
integrations.
integrations.authConfigs.list
integrations.certificates.list
integrations.executions.list
integrations.
integrations.integrations.list
integrations.
integrations.
integrations.
integrations.
integrations.
integrations.sfdcChannels.list
integrations.
integrations.suspensions.list
integrations.testCases.list
issuerswitch.
issuerswitch.
issuerswitch.
issuerswitch.
issuerswitch.
issuerswitch.operations.list
issuerswitch.ruleMetadata.list
issuerswitch.
issuerswitch.rules.list
krmapihosting.
krmapihosting.krmApiHosts.list
krmapihosting.
krmapihosting.locations.list
krmapihosting.operations.list
licensemanager.
licensemanager.instances.list
licensemanager.locations.list
licensemanager.operations.list
licensemanager.products.list
lifesciences.operations.list
livestream.assets.list
livestream.channels.list
livestream.clips.list
livestream.events.list
livestream.inputs.list
livestream.locations.list
livestream.operations.list
logging.buckets.list
logging.exclusions.list
logging.links.list
logging.locations.list
logging.logEntries.list
logging.logMetrics.list
logging.logScopes.list
logging.logServiceIndexes.list
logging.logServices.list
logging.logs.list
logging.notificationRules.list
logging.operations.list
logging.privateLogEntries.list
logging.queries.usePrivate
logging.sinks.list
logging.views.getIamPolicy
logging.views.list
logging.views.setIamPolicy
looker.backups.list
looker.instances.list
looker.locations.list
looker.operations.list
managedflink.deployments.list
managedflink.jobs.list
managedflink.locations.list
managedflink.operations.list
managedflink.sessions.list
managedidentities.
managedidentities.backups.list
managedidentities.
managedidentities.
managedidentities.domains.list
managedidentities.
managedidentities.
managedidentities.
managedidentities.
managedidentities.
managedidentities.
managedidentities.
managedkafka.clusters.list
managedkafka.
managedkafka.locations.list
managedkafka.operations.list
managedkafka.topics.list
mapsadmin.clientMaps.list
mapsadmin.
mapsadmin.clientStyles.list
mapsadmin.styleSnapshots.list
mapsanalytics.
mapsplatformdatasets.
marketplacesolutions.
marketplacesolutions.
marketplacesolutions.
marketplacesolutions.
marketplacesolutions.
marketplacesolutions.
marketplacesolutions.
memcache.instances.list
memcache.locations.list
memcache.operations.list
memorystore.instances.list
memorystore.locations.list
memorystore.operations.list
metastore.backups.getIamPolicy
metastore.backups.list
metastore.backups.setIamPolicy
metastore.
metastore.databases.list
metastore.
metastore.
metastore.federations.list
metastore.
metastore.imports.list
metastore.locations.list
metastore.migrations.list
metastore.operations.list
metastore.
metastore.services.list
metastore.
metastore.tables.getIamPolicy
metastore.tables.list
metastore.tables.setIamPolicy
migrationcenter.assets.list
migrationcenter.
migrationcenter.
migrationcenter.groups.list
migrationcenter.
migrationcenter.
migrationcenter.locations.list
migrationcenter.
migrationcenter.
migrationcenter.relations.list
migrationcenter.
migrationcenter.reports.list
migrationcenter.sources.list
ml.jobs.getIamPolicy
ml.jobs.list
ml.jobs.setIamPolicy
ml.locations.list
ml.models.getIamPolicy
ml.models.list
ml.models.setIamPolicy
ml.operations.list
ml.studies.getIamPolicy
ml.studies.list
ml.studies.setIamPolicy
ml.trials.list
ml.versions.list
monitoring.alertPolicies.list
monitoring.dashboards.list
monitoring.groups.list
monitoring.
monitoring.
monitoring.
monitoring.
monitoring.services.list
monitoring.slos.list
monitoring.snoozes.list
monitoring.timeSeries.list
monitoring.
netapp.activeDirectories.list
netapp.backupPolicies.list
netapp.backupVaults.list
netapp.backups.list
netapp.kmsConfigs.list
netapp.locations.list
netapp.operations.list
netapp.quotaRules.list
netapp.replications.list
netapp.snapshots.list
netapp.storagePools.list
netapp.volumes.list
networkconnectivity.
networkconnectivity.
networkconnectivity.
networkconnectivity.
networkconnectivity.
networkconnectivity.
networkconnectivity.
networkconnectivity.
networkconnectivity.
networkconnectivity.
networkconnectivity.hubs.list
networkconnectivity.
networkconnectivity.
networkconnectivity.
networkconnectivity.
networkconnectivity.
networkconnectivity.
networkconnectivity.
networkconnectivity.
networkconnectivity.
networkconnectivity.
networkconnectivity.
networkconnectivity.
networkconnectivity.
networkconnectivity.
networkconnectivity.
networkconnectivity.
networkmanagement.
networkmanagement.
networkmanagement.
networkmanagement.
networkmanagement.
networkmanagement.
networksecurity.
networksecurity.
networksecurity.
networksecurity.
networksecurity.
networksecurity.
networksecurity.
networksecurity.
networksecurity.
networksecurity.
networksecurity.
networksecurity.
networksecurity.
networksecurity.
networksecurity.
networksecurity.
networksecurity.
networksecurity.
networksecurity.
networksecurity.
networksecurity.locations.list
networksecurity.
networksecurity.
networksecurity.
networksecurity.
networksecurity.
networksecurity.
networksecurity.
networksecurity.
networksecurity.
networksecurity.
networksecurity.
networksecurity.urlLists.list
networkservices.
networkservices.
networkservices.gateways.list
networkservices.
networkservices.
networkservices.
networkservices.
networkservices.
networkservices.
networkservices.
networkservices.
networkservices.locations.list
networkservices.meshes.list
networkservices.
networkservices.
networkservices.
networkservices.
networkservices.tcpRoutes.list
networkservices.tlsRoutes.list
networkservices.
notebooks.
notebooks.environments.list
notebooks.
notebooks.
notebooks.executions.list
notebooks.
notebooks.
notebooks.instances.list
notebooks.
notebooks.locations.list
notebooks.operations.list
notebooks.
notebooks.runtimes.list
notebooks.
notebooks.
notebooks.schedules.list
notebooks.
observability.
ondemandscanning.
opsconfigmonitoring.
oracledatabase.
oracledatabase.
oracledatabase.
oracledatabase.
oracledatabase.
oracledatabase.
oracledatabase.dbNodes.list
oracledatabase.dbServers.list
oracledatabase.
oracledatabase.
oracledatabase.giVersions.list
oracledatabase.locations.list
oracledatabase.operations.list
orgpolicy.constraints.list
orgpolicy.
orgpolicy.policies.list
osconfig.guestPolicies.list
osconfig.
osconfig.inventories.list
osconfig.locations.list
osconfig.operations.list
osconfig.
osconfig.
osconfig.patchDeployments.list
osconfig.patchJobs.list
osconfig.
osconfig.upgradeReports.list
osconfig.
parallelstore.instances.list
parallelstore.locations.list
parallelstore.operations.list
parametermanager.
parametermanager.
parametermanager.
paymentsresellersubscription.
paymentsresellersubscription.
policyremediatormanager.
policyremediatormanager.
policysimulator.
policysimulator.
policysimulator.
policysimulator.
policysimulator.
policysimulator.replays.*
privateca.caPools.getIamPolicy
privateca.caPools.list
privateca.caPools.setIamPolicy
privateca.
privateca.
privateca.
privateca.
privateca.
privateca.
privateca.
privateca.
privateca.
privateca.
privateca.certificates.list
privateca.
privateca.locations.list
privateca.operations.list
privateca.
privateca.reusableConfigs.list
privateca.
privilegedaccessmanager.
privilegedaccessmanager.
privilegedaccessmanager.
privilegedaccessmanager.
privilegedaccessmanager.
proximitybeacon.
proximitybeacon.
proximitybeacon.beacons.list
proximitybeacon.
proximitybeacon.
proximitybeacon.
proximitybeacon.
pubsub.schemas.getIamPolicy
pubsub.schemas.list
pubsub.schemas.setIamPolicy
pubsub.snapshots.getIamPolicy
pubsub.snapshots.list
pubsub.snapshots.setIamPolicy
pubsub.
pubsub.subscriptions.list
pubsub.
pubsub.topics.getIamPolicy
pubsub.topics.list
pubsub.topics.setIamPolicy
pubsublite.operations.list
pubsublite.reservations.list
pubsublite.subscriptions.list
pubsublite.topics.list
recaptchaenterprise.
recaptchaenterprise.keys.list
recaptchaenterprise.
recaptchaenterprise.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.costInsights.list
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.locations.list
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
redis.backupCollections.list
redis.backups.list
redis.clusters.list
redis.instances.list
redis.locations.list
redis.operations.list
remotebuildexecution.
remotebuildexecution.
resourcemanager.
resourcemanager.folders.list
resourcemanager.
resourcemanager.
resourcemanager.
resourcemanager.
resourcemanager.
resourcemanager.projects.list
resourcemanager.
resourcemanager.tagHolds.list
resourcemanager.
resourcemanager.tagKeys.list
resourcemanager.
resourcemanager.
resourcemanager.tagValues.list
resourcemanager.
resourcesettings.settings.list
retail.branches.list
retail.catalogs.list
retail.controls.list
retail.experiments.list
retail.models.list
retail.operations.list
retail.products.list
retail.servingConfigs.list
riskmanager.
riskmanager.operations.list
riskmanager.policies.list
riskmanager.reports.list
rma.collectors.list
rma.locations.list
rma.operations.list
run.configurations.list
run.executions.list
run.jobs.getIamPolicy
run.jobs.list
run.jobs.setIamPolicy
run.locations.list
run.operations.list
run.revisions.list
run.routes.list
run.services.getIamPolicy
run.services.list
run.services.setIamPolicy
run.tasks.list
runapps.applications.list
runapps.deployments.list
runapps.locations.list
runapps.operations.list
runtimeconfig.
runtimeconfig.configs.list
runtimeconfig.
runtimeconfig.operations.list
runtimeconfig.
runtimeconfig.variables.list
runtimeconfig.
runtimeconfig.
runtimeconfig.waiters.list
runtimeconfig.
secretmanager.locations.list
secretmanager.
secretmanager.secrets.list
secretmanager.
secretmanager.versions.list
securedlandingzone.
securesourcemanager.
securesourcemanager.
securesourcemanager.
securesourcemanager.
securesourcemanager.
securesourcemanager.
securesourcemanager.
securesourcemanager.
securesourcemanager.
securesourcemanager.
securitycenter.assets.list
securitycenter.
securitycenter.
securitycenter.
securitycenter.
securitycenter.findings.list
securitycenter.
securitycenter.
securitycenter.
securitycenter.
securitycenter.
securitycenter.sources.list
securitycenter.
securitycenter.
securitycenter.
securitycentermanagement.
securitycentermanagement.
securitycentermanagement.
securitycentermanagement.
securitycentermanagement.
securitycentermanagement.
securityposture.locations.list
securityposture.
securityposture.
securityposture.
securityposture.postures.list
securityposture.reports.list
servicebroker.
servicebroker.
servicebroker.bindings.list
servicebroker.
servicebroker.
servicebroker.catalogs.list
servicebroker.
servicebroker.
servicebroker.
servicebroker.instances.list
servicebroker.
serviceconsumermanagement.
servicedirectory.
servicedirectory.
servicedirectory.
servicedirectory.
servicedirectory.
servicedirectory.
servicedirectory.
servicedirectory.
servicedirectory.services.list
servicedirectory.
servicehealth.events.list
servicehealth.locations.list
servicehealth.
servicehealth.
servicemanagement.
servicemanagement.
servicemanagement.
servicenetworking.
servicesecurityinsights.
servicesecurityinsights.
servicesecurityinsights.
serviceusage.services.list
source.repos.getIamPolicy
source.repos.list
source.repos.setIamPolicy
spanner.backupOperations.list
spanner.
spanner.backupSchedules.list
spanner.
spanner.backups.getIamPolicy
spanner.backups.list
spanner.backups.setIamPolicy
spanner.
spanner.databaseRoles.list
spanner.databases.getIamPolicy
spanner.databases.list
spanner.databases.setIamPolicy
spanner.
spanner.instanceConfigs.list
spanner.
spanner.
spanner.
spanner.instances.getIamPolicy
spanner.instances.list
spanner.instances.setIamPolicy
spanner.sessions.list
speakerid.phrases.list
speakerid.speakers.list
speech.customClasses.list
speech.locations.list
speech.operations.list
speech.phraseSets.list
speech.recognizers.list
stackdriver.
storage.anywhereCaches.list
storage.bucketOperations.list
storage.buckets.getIamPolicy
storage.buckets.list
storage.buckets.setIamPolicy
storage.folders.list
storage.hmacKeys.list
storage.
storage.managedFolders.list
storage.
storage.multipartUploads.list
storage.objects.getIamPolicy
storage.objects.list
storage.objects.setIamPolicy
storageinsights.
storageinsights.locations.list
storageinsights.
storageinsights.
storageinsights.
storagetransfer.
storagetransfer.jobs.list
storagetransfer.
stream.locations.list
stream.operations.list
stream.streamContents.list
stream.streamInstances.list
telcoautomation.
telcoautomation.
telcoautomation.edgeSlms.list
telcoautomation.
telcoautomation.locations.list
telcoautomation.
telcoautomation.
telcoautomation.
timeseriesinsights.
timeseriesinsights.
tpu.acceleratortypes.list
tpu.locations.list
tpu.nodes.list
tpu.operations.list
tpu.runtimeversions.list
tpu.tensorflowversions.list
transcoder.jobTemplates.list
transcoder.jobs.list
transferappliance.
transferappliance.
transferappliance.
transferappliance.orders.list
transferappliance.
translationhub.portals.list
videostitcher.cdnKeys.list
videostitcher.
videostitcher.liveConfigs.list
videostitcher.operations.list
videostitcher.slates.list
videostitcher.
videostitcher.vodConfigs.list
videostitcher.
visionai.analyses.getIamPolicy
visionai.analyses.list
visionai.analyses.setIamPolicy
visionai.annotations.list
visionai.applications.list
visionai.assets.list
visionai.clusters.getIamPolicy
visionai.clusters.list
visionai.clusters.setIamPolicy
visionai.corpora.list
visionai.dataSchemas.list
visionai.drafts.list
visionai.events.getIamPolicy
visionai.events.list
visionai.events.setIamPolicy
visionai.indexEndpoints.list
visionai.indexes.list
visionai.instances.list
visionai.locations.list
visionai.operations.list
visionai.
visionai.operators.list
visionai.
visionai.processors.list
visionai.searchConfigs.list
visionai.series.getIamPolicy
visionai.series.list
visionai.series.setIamPolicy
visionai.streams.getIamPolicy
visionai.streams.list
visionai.streams.setIamPolicy
visionai.uistreams.list
visualinspection.
visualinspection.
visualinspection.
visualinspection.datasets.list
visualinspection.images.list
visualinspection.
visualinspection.
visualinspection.models.list
visualinspection.modules.list
visualinspection.
visualinspection.
visualinspection.
vmmigration.cloneJobs.list
vmmigration.cutoverJobs.list
vmmigration.
vmmigration.deployments.list
vmmigration.groups.list
vmmigration.locations.list
vmmigration.migratingVms.list
vmmigration.operations.list
vmmigration.
vmmigration.sources.list
vmmigration.targets.list
vmmigration.
vmwareengine.
vmwareengine.clusters.list
vmwareengine.
vmwareengine.
vmwareengine.
vmwareengine.
vmwareengine.
vmwareengine.
vmwareengine.locations.list
vmwareengine.
vmwareengine.
vmwareengine.
vmwareengine.
vmwareengine.nodeTypes.list
vmwareengine.nodes.list
vmwareengine.operations.list
vmwareengine.
vmwareengine.
vmwareengine.
vmwareengine.
vmwareengine.subnets.list
vmwareengine.
vpcaccess.connectors.list
vpcaccess.locations.list
vpcaccess.operations.list
workflows.callbacks.list
workflows.executions.list
workflows.locations.list
workflows.operations.list
workflows.stepEntries.list
workflows.workflows.list
workloadcertificate.
workloadcertificate.
workloadcertificate.
workloadmanager.
workloadmanager.
workloadmanager.
workloadmanager.
workloadmanager.
workloadmanager.locations.list
workloadmanager.
workloadmanager.results.list
workloadmanager.rules.list
workstations.
workstations.
workstations.
workstations.
workstations.
workstations.workstations.list
workstations.
Security Reviewer
(roles/)
Provides permissions to list all resources and allow policies on them.
accessapproval.requests.list
accesscontextmanager.
accesscontextmanager.
accesscontextmanager.
accesscontextmanager.
accesscontextmanager.
accesscontextmanager.
actions.agentVersions.list
advisorynotifications.
aiplatform.agentExamples.list
aiplatform.agents.list
aiplatform.
aiplatform.annotations.list
aiplatform.apps.list
aiplatform.artifacts.list
aiplatform.
aiplatform.cachedContents.list
aiplatform.contexts.list
aiplatform.customJobs.list
aiplatform.dataItems.list
aiplatform.
aiplatform.
aiplatform.datasets.list
aiplatform.
aiplatform.
aiplatform.edgeDevices.list
aiplatform.
aiplatform.endpoints.list
aiplatform.
aiplatform.entityTypes.list
aiplatform.executions.list
aiplatform.extensions.list
aiplatform.featureGroups.list
aiplatform.
aiplatform.
aiplatform.
aiplatform.
aiplatform.featureViews.list
aiplatform.features.list
aiplatform.
aiplatform.featurestores.list
aiplatform.
aiplatform.
aiplatform.indexEndpoints.list
aiplatform.indexes.list
aiplatform.locations.list
aiplatform.
aiplatform.metadataStores.list
aiplatform.
aiplatform.
aiplatform.
aiplatform.
aiplatform.modelMonitors.list
aiplatform.models.list
aiplatform.nasJobs.list
aiplatform.
aiplatform.
aiplatform.
aiplatform.
aiplatform.
aiplatform.operations.list
aiplatform.
aiplatform.pipelineJobs.list
aiplatform.
aiplatform.ragCorpora.list
aiplatform.ragFiles.list
aiplatform.
aiplatform.schedules.list
aiplatform.sessions.list
aiplatform.
aiplatform.studies.list
aiplatform.
aiplatform.
aiplatform.
aiplatform.tensorboards.list
aiplatform.
aiplatform.trials.list
aiplatform.tuningJobs.list
alloydb.backups.list
alloydb.clusters.list
alloydb.databases.list
alloydb.instances.list
alloydb.locations.list
alloydb.operations.list
alloydb.
alloydb.users.list
analyticshub.
analyticshub.
analyticshub.
analyticshub.listings.list
analyticshub.
apigateway.
apigateway.apiconfigs.list
apigateway.apis.getIamPolicy
apigateway.apis.list
apigateway.
apigateway.gateways.list
apigateway.locations.list
apigateway.operations.list
apigee.
apigee.apiproducts.list
apigee.appgroupapps.list
apigee.appgroups.list
apigee.apps.list
apigee.archivedeployments.list
apigee.caches.list
apigee.datacollectors.list
apigee.datastores.list
apigee.
apigee.deployments.list
apigee.
apigee.developerapps.list
apigee.
apigee.developers.list
apigee.
apigee.
apigee.
apigee.envgroups.list
apigee.
apigee.environments.list
apigee.exports.list
apigee.flowhooks.list
apigee.hostqueries.list
apigee.
apigee.
apigee.instances.list
apigee.keystorealiases.list
apigee.keystores.list
apigee.keyvaluemapentries.list
apigee.keyvaluemaps.list
apigee.nataddresses.list
apigee.operations.list
apigee.organizations.list
apigee.portals.list
apigee.proxies.list
apigee.proxyrevisions.list
apigee.queries.list
apigee.rateplans.list
apigee.references.list
apigee.reports.list
apigee.resourcefiles.list
apigee.securityActions.list
apigee.securityFeedback.list
apigee.securityIncidents.list
apigee.securityProfiles.list
apigee.securityProfilesV2.list
apigee.securityreports.list
apigee.
apigee.sharedflows.list
apigee.targetservers.list
apigee.
apigee.tracesessions.list
apigeeconnect.connections.list
apigeeregistry.
apigeeregistry.apis.list
apigeeregistry.
apigeeregistry.artifacts.list
apigeeregistry.
apigeeregistry.locations.list
apigeeregistry.operations.list
apigeeregistry.
apigeeregistry.specs.list
apigeeregistry.
apigeeregistry.versions.list
apihub.apiHubInstances.list
apihub.apiOperations.list
apihub.apis.list
apihub.attributes.list
apihub.definitions.list
apihub.dependencies.list
apihub.deployments.list
apihub.externalApis.list
apihub.
apihub.llmEnablements.list
apihub.operations.list
apihub.plugins.list
apihub.
apihub.specs.list
apihub.versions.list
apikeys.keys.list
apim.apiObservations.list
apim.apiOperations.list
apim.locations.list
apim.observationJobs.list
apim.observationSources.list
apim.operations.list
appengine.instances.list
appengine.memcache.list
appengine.operations.list
appengine.services.list
appengine.versions.list
apphub.
apphub.applications.list
apphub.discoveredServices.list
apphub.
apphub.locations.list
apphub.operations.list
apphub.
apphub.services.list
apphub.workloads.list
applianceactivation.
artifactregistry.
artifactregistry.
artifactregistry.files.list
artifactregistry.
artifactregistry.
artifactregistry.
artifactregistry.packages.list
artifactregistry.
artifactregistry.
artifactregistry.
artifactregistry.rules.list
artifactregistry.tags.list
artifactregistry.versions.list
assuredoss.locations.list
assuredoss.metadata.list
assuredoss.operations.list
assuredworkloads.
assuredworkloads.updates.list
assuredworkloads.
assuredworkloads.workload.list
auditmanager.auditReports.list
auditmanager.
auditmanager.controls.list
auditmanager.
auditmanager.findings.list
auditmanager.locations.list
auditmanager.operations.list
auditmanager.
automl.annotationSpecs.list
automl.annotations.list
automl.columnSpecs.list
automl.datasets.getIamPolicy
automl.datasets.list
automl.examples.list
automl.files.list
automl.
automl.locations.getIamPolicy
automl.locations.list
automl.modelEvaluations.list
automl.models.getIamPolicy
automl.models.list
automl.operations.list
automl.tableSpecs.list
automlrecommendations.
automlrecommendations.
automlrecommendations.
automlrecommendations.
automlrecommendations.
automlrecommendations.
automlrecommendations.
autoscaling.sites.getIamPolicy
backupdr.
backupdr.backupPlans.list
backupdr.backupVaults.list
backupdr.bvbackups.list
backupdr.bvdataSources.list
backupdr.locations.list
backupdr.
backupdr.
backupdr.operations.list
backupdr.
baremetalsolution.
baremetalsolution.
baremetalsolution.luns.list
baremetalsolution.
baremetalsolution.
baremetalsolution.
baremetalsolution.
baremetalsolution.
baremetalsolution.pods.list
baremetalsolution.
baremetalsolution.skus.list
baremetalsolution.
baremetalsolution.sshKeys.list
baremetalsolution.
baremetalsolution.
baremetalsolution.volumes.list
baremetalsolution.
batch.jobs.list
batch.locations.list
batch.operations.list
batch.resourceAllowances.list
batch.tasks.list
beyondcorp.
beyondcorp.appConnections.list
beyondcorp.
beyondcorp.appConnectors.list
beyondcorp.
beyondcorp.appGateways.list
beyondcorp.
beyondcorp.
beyondcorp.
beyondcorp.clientGateways.list
beyondcorp.locations.list
beyondcorp.operations.list
beyondcorp.partnerTenants.list
beyondcorp.proxyConfigs.list
beyondcorp.subscriptions.list
biglake.catalogs.list
biglake.databases.list
biglake.locks.list
biglake.tables.list
bigquery.
bigquery.
bigquery.connections.list
bigquery.
bigquery.dataPolicies.list
bigquery.datasets.getIamPolicy
bigquery.jobs.list
bigquery.models.list
bigquery.
bigquery.reservations.list
bigquery.routines.list
bigquery.
bigquery.
bigquery.savedqueries.list
bigquery.tables.getIamPolicy
bigquery.tables.list
bigquerymigration.
bigquerymigration.
bigtable.appProfiles.list
bigtable.
bigtable.authorizedViews.list
bigtable.backups.getIamPolicy
bigtable.backups.list
bigtable.clusters.list
bigtable.hotTablets.list
bigtable.
bigtable.instances.list
bigtable.keyvisualizer.list
bigtable.locations.list
bigtable.tables.getIamPolicy
bigtable.tables.list
billing.accounts.getIamPolicy
billing.accounts.list
billing.anomalies.list
billing.
billing.
billing.
billing.
billing.
billing.budgets.list
billing.credits.list
billing.
billing.subscriptions.list
binaryauthorization.
binaryauthorization.
binaryauthorization.
binaryauthorization.
binaryauthorization.
blockchainnodeengine.
blockchainnodeengine.
blockchainnodeengine.
blockchainvalidatormanager.
blockchainvalidatormanager.
blockchainvalidatormanager.
capacityplanner.forecasts.list
capacityplanner.
carestudio.patients.list
certificatemanager.
certificatemanager.
certificatemanager.
certificatemanager.certs.list
certificatemanager.
certificatemanager.
certificatemanager.
certificatemanager.
chronicle.analyticValues.list
chronicle.analytics.list
chronicle.collectors.list
chronicle.conversations.list
chronicle.
chronicle.
chronicle.curatedRuleSets.list
chronicle.curatedRules.list
chronicle.dashboardCharts.list
chronicle.
chronicle.dashboards.list
chronicle.
chronicle.
chronicle.dataTableRows.list
chronicle.dataTables.list
chronicle.dataTaps.list
chronicle.
chronicle.entities.list
chronicle.
chronicle.
chronicle.
chronicle.feeds.list
chronicle.
chronicle.
chronicle.forwarders.list
chronicle.
chronicle.
chronicle.iocMatches.list
chronicle.logTypeSchemas.list
chronicle.logTypes.list
chronicle.logs.list
chronicle.messages.list
chronicle.
chronicle.operations.list
chronicle.
chronicle.parsers.list
chronicle.parsingErrors.list
chronicle.referenceLists.list
chronicle.retrohunts.list
chronicle.ruleDeployments.list
chronicle.
chronicle.rules.list
chronicle.searchQueries.list
chronicle.
chronicle.watchlists.list
chroniclesm.
clientauthconfig.brands.list
clientauthconfig.clients.list
cloud.locations.list
cloudaicompanion.
cloudaicompanion.
cloudaicompanion.
cloudaicompanion.
cloudasset.feeds.list
cloudasset.savedqueries.list
cloudbuild.builds.list
cloudbuild.
cloudbuild.connections.list
cloudbuild.integrations.list
cloudbuild.operations.list
cloudbuild.repositories.list
cloudbuild.workerpools.list
cloudcontrolspartner.
cloudcontrolspartner.
cloudcontrolspartner.
cloudcontrolspartner.
clouddebugger.breakpoints.list
clouddebugger.debuggees.list
clouddeploy.
clouddeploy.automations.list
clouddeploy.
clouddeploy.
clouddeploy.
clouddeploy.
clouddeploy.
clouddeploy.jobRuns.list
clouddeploy.locations.list
clouddeploy.operations.list
clouddeploy.releases.list
clouddeploy.rollouts.list
clouddeploy.
clouddeploy.targets.list
cloudfunctions.
cloudfunctions.functions.list
cloudfunctions.locations.list
cloudfunctions.operations.list
cloudjobdiscovery.
cloudkms.
cloudkms.
cloudkms.cryptoKeys.list
cloudkms.
cloudkms.
cloudkms.ekmConnections.list
cloudkms.
cloudkms.importJobs.list
cloudkms.keyHandles.list
cloudkms.keyRings.getIamPolicy
cloudkms.keyRings.list
cloudkms.locations.list
cloudnotifications.
cloudonefs.isiloncloud.
cloudonefs.isiloncloud.
cloudprivatecatalogproducer.
cloudprivatecatalogproducer.
cloudprivatecatalogproducer.
cloudprivatecatalogproducer.
cloudprivatecatalogproducer.
cloudprivatecatalogproducer.
cloudprivatecatalogproducer.
cloudprivatecatalogproducer.
cloudprofiler.profiles.list
cloudscheduler.jobs.list
cloudscheduler.locations.list
cloudsecurityscanner.
cloudsecurityscanner.
cloudsecurityscanner.
cloudsecurityscanner.
cloudsql.backupRuns.list
cloudsql.databases.list
cloudsql.instances.list
cloudsql.sslCerts.list
cloudsql.users.list
cloudsupport.
cloudsupport.accounts.list
cloudsupport.techCases.list
cloudtasks.locations.list
cloudtasks.queues.getIamPolicy
cloudtasks.queues.list
cloudtasks.tasks.list
cloudtestservice.
cloudtoolresults.
cloudtoolresults.
cloudtoolresults.steps.list
cloudtrace.insights.list
cloudtrace.tasks.list
cloudtrace.traceScopes.list
cloudtrace.traces.list
cloudtranslate.
cloudtranslate.
cloudtranslate.
cloudtranslate.
cloudtranslate.datasets.list
cloudtranslate.glossaries.list
cloudtranslate.
cloudtranslate.locations.list
cloudtranslate.operations.list
cloudvolumesgcp-api.netapp.
cloudvolumesgcp-api.netapp.
cloudvolumesgcp-api.netapp.
cloudvolumesgcp-api.netapp.
cloudvolumesgcp-api.netapp.
cloudvolumesgcp-api.netapp.
cloudvolumesgcp-api.netapp.
cloudvolumesgcp-api.netapp.
commerceagreementpublishing.
commerceagreementpublishing.
commercebusinessenablement.
commercebusinessenablement.
commercebusinessenablement.
commercebusinessenablement.
commercebusinessenablement.
commercebusinessenablement.
commerceoffercatalog.
commerceoffercatalog.
commerceorggovernance.
commerceorggovernance.
commerceorggovernance.
commerceorggovernance.
commerceprice.events.list
commerceprice.
composer.dags.list
composer.environments.list
composer.imageversions.list
composer.operations.list
composer.
composer.
compute.acceleratorTypes.list
compute.addresses.list
compute.autoscalers.list
compute.
compute.backendBuckets.list
compute.
compute.backendServices.list
compute.commitments.list
compute.diskTypes.list
compute.disks.getIamPolicy
compute.disks.list
compute.
compute.
compute.firewallPolicies.list
compute.firewalls.list
compute.forwardingRules.list
compute.
compute.
compute.globalAddresses.list
compute.
compute.
compute.
compute.globalOperations.list
compute.
compute.healthChecks.list
compute.httpHealthChecks.list
compute.httpsHealthChecks.list
compute.images.getIamPolicy
compute.images.list
compute.
compute.instanceGroups.list
compute.
compute.instanceTemplates.list
compute.instances.getIamPolicy
compute.instances.list
compute.
compute.instantSnapshots.list
compute.
compute.
compute.
compute.interconnects.list
compute.
compute.licenseCodes.list
compute.licenses.getIamPolicy
compute.licenses.list
compute.
compute.machineImages.list
compute.machineTypes.list
compute.multiMig.list
compute.
compute.
compute.
compute.
compute.networkProfiles.list
compute.networks.list
compute.
compute.nodeGroups.list
compute.
compute.nodeTemplates.list
compute.nodeTypes.list
compute.packetMirrorings.list
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.regionOperations.list
compute.
compute.
compute.regionSslPolicies.list
compute.
compute.
compute.
compute.regionUrlMaps.list
compute.regions.list
compute.reservationBlocks.list
compute.reservations.list
compute.
compute.resourcePolicies.list
compute.routers.list
compute.routes.list
compute.securityPolicies.list
compute.
compute.
compute.snapshots.getIamPolicy
compute.snapshots.list
compute.sslCertificates.list
compute.sslPolicies.list
compute.
compute.storagePools.list
compute.
compute.subnetworks.list
compute.targetGrpcProxies.list
compute.targetHttpProxies.list
compute.
compute.targetInstances.list
compute.targetPools.list
compute.targetSslProxies.list
compute.targetTcpProxies.list
compute.targetVpnGateways.list
compute.urlMaps.list
compute.vpnGateways.list
compute.vpnTunnels.list
compute.
compute.zoneOperations.list
compute.zones.list
confidentialcomputing.
config.
config.deployments.list
config.locations.list
config.operations.list
config.previews.list
config.resources.list
config.revisions.list
config.terraformversions.list
configdelivery.
configdelivery.locations.list
configdelivery.operations.list
configdelivery.releases.list
configdelivery.
configdelivery.rollouts.list
connectors.actions.list
connectors.
connectors.connections.list
connectors.connectors.list
connectors.
connectors.
connectors.
connectors.
connectors.
connectors.
connectors.entities.list
connectors.entityTypes.list
connectors.
connectors.eventtypes.list
connectors.locations.list
connectors.
connectors.managedZones.list
connectors.operations.list
connectors.providers.list
connectors.versions.list
consumerprocurement.
consumerprocurement.
consumerprocurement.
consumerprocurement.
consumerprocurement.
consumerprocurement.
consumerprocurement.
contactcenteraiplatform.
contactcenteraiplatform.
contactcenteraiplatform.
contactcenterinsights.
contactcenterinsights.
contactcenterinsights.
contactcenterinsights.
contactcenterinsights.
contactcenterinsights.
contactcenterinsights.
contactcenterinsights.
contactcenterinsights.
contactcenterinsights.
contactcenterinsights.
contactcenterinsights.
contactcenterinsights.
contactcenterinsights.
container.apiServices.list
container.auditSinks.list
container.backendConfigs.list
container.bindings.list
container.
container.
container.clusterRoles.list
container.clusters.list
container.
container.configMaps.list
container.
container.cronJobs.list
container.csiDrivers.list
container.csiNodeInfos.list
container.csiNodes.list
container.
container.daemonSets.list
container.deployments.list
container.endpointSlices.list
container.endpoints.list
container.events.list
container.frontendConfigs.list
container.
container.ingresses.list
container.
container.jobs.list
container.leases.list
container.limitRanges.list
container.
container.
container.
container.namespaces.list
container.networkPolicies.list
container.nodes.list
container.operations.list
container.
container.
container.petSets.list
container.
container.podPresets.list
container.
container.podTemplates.list
container.pods.list
container.priorityClasses.list
container.replicaSets.list
container.
container.resourceQuotas.list
container.roleBindings.list
container.roles.list
container.runtimeClasses.list
container.scheduledJobs.list
container.
container.serviceAccounts.list
container.services.list
container.statefulSets.list
container.storageClasses.list
container.storageStates.list
container.
container.
container.
container.
container.updateInfos.list
container.
container.
container.
container.
container.volumeSnapshots.list
containeranalysis.
containeranalysis.notes.list
containeranalysis.
containeranalysis.
containersecurity.
containersecurity.
containersecurity.
contentwarehouse.corpora.list
contentwarehouse.
contentwarehouse.
contentwarehouse.
contentwarehouse.ruleSets.list
contentwarehouse.
databasecenter.*
databaseinsights.
datacatalog.
datacatalog.
datacatalog.entries.list
datacatalog.
datacatalog.entryGroups.list
datacatalog.operations.list
datacatalog.relationships.list
datacatalog.
datacatalog.
datacatalog.taxonomies.list
dataconnectors.
dataconnectors.connectors.list
dataconnectors.locations.list
dataconnectors.operations.list
dataflow.jobs.list
dataflow.messages.list
dataflow.snapshots.list
dataform.
dataform.locations.list
dataform.releaseConfigs.list
dataform.
dataform.repositories.list
dataform.workflowConfigs.list
dataform.
dataform.
dataform.workspaces.list
datafusion.artifacts.list
datafusion.
datafusion.instances.list
datafusion.locations.list
datafusion.
datafusion.namespaces.list
datafusion.operations.list
datafusion.
datafusion.pipelines.list
datafusion.profiles.list
datafusion.secureKeys.list
datalabeling.
datalabeling.
datalabeling.dataitems.list
datalabeling.datasets.list
datalabeling.examples.list
datalabeling.instructions.list
datalabeling.operations.list
datalineage.events.list
datalineage.processes.list
datalineage.runs.list
datamigration.
datamigration.
datamigration.
datamigration.
datamigration.locations.list
datamigration.
datamigration.
datamigration.
datamigration.objects.list
datamigration.operations.list
datamigration.
datamigration.
datapipelines.jobs.list
datapipelines.pipelines.list
dataplex.
dataplex.aspectTypes.list
dataplex.assetActions.list
dataplex.assets.getIamPolicy
dataplex.assets.list
dataplex.content.getIamPolicy
dataplex.content.list
dataplex.
dataplex.
dataplex.
dataplex.dataAttributes.list
dataplex.
dataplex.dataTaxonomies.list
dataplex.
dataplex.datascans.list
dataplex.encryptionConfig.list
dataplex.entities.list
dataplex.entries.list
dataplex.
dataplex.entryGroups.list
dataplex.
dataplex.entryTypes.list
dataplex.
dataplex.environments.list
dataplex.lakeActions.list
dataplex.lakes.getIamPolicy
dataplex.lakes.list
dataplex.locations.list
dataplex.metadataJobs.list
dataplex.operations.list
dataplex.partitions.list
dataplex.tasks.getIamPolicy
dataplex.tasks.list
dataplex.zoneActions.list
dataplex.zones.getIamPolicy
dataplex.zones.list
dataproc.agents.list
dataproc.
dataproc.
dataproc.batches.list
dataproc.clusters.getIamPolicy
dataproc.clusters.list
dataproc.jobs.getIamPolicy
dataproc.jobs.list
dataproc.
dataproc.operations.list
dataproc.sessionTemplates.list
dataproc.sessions.list
dataproc.
dataproc.
dataprocessing.
dataprocessing.
dataprocessing.
dataprocrm.locations.list
dataprocrm.nodePools.list
dataprocrm.nodes.list
dataprocrm.operations.list
dataprocrm.workloads.list
datastore.backupSchedules.list
datastore.backups.list
datastore.databases.list
datastore.entities.list
datastore.indexes.list
datastore.
datastore.locations.list
datastore.namespaces.list
datastore.operations.list
datastore.statistics.list
datastream.
datastream.
datastream.locations.list
datastream.objects.list
datastream.operations.list
datastream.
datastream.
datastream.routes.getIamPolicy
datastream.routes.list
datastream.
datastream.streams.list
datastudio.
datastudio.
datastudio.
deploymentmanager.
deploymentmanager.
deploymentmanager.
deploymentmanager.
deploymentmanager.
deploymentmanager.
deploymentmanager.
deploymentmanager.types.list
developerconnect.
developerconnect.
developerconnect.
developerconnect.
dialogflow.agents.list
dialogflow.answerrecords.list
dialogflow.callMatchers.list
dialogflow.changelogs.list
dialogflow.contexts.list
dialogflow.
dialogflow.
dialogflow.
dialogflow.conversations.list
dialogflow.deployments.list
dialogflow.documents.list
dialogflow.entityTypes.list
dialogflow.environments.list
dialogflow.examples.list
dialogflow.experiments.list
dialogflow.flows.list
dialogflow.generators.list
dialogflow.integrations.list
dialogflow.intents.list
dialogflow.knowledgeBases.list
dialogflow.messages.list
dialogflow.
dialogflow.pages.list
dialogflow.participants.list
dialogflow.
dialogflow.phoneNumbers.list
dialogflow.playbooks.list
dialogflow.
dialogflow.
dialogflow.
dialogflow.testcases.list
dialogflow.tools.list
dialogflow.
dialogflow.versions.list
dialogflow.webhooks.list
discoveryengine.branches.list
discoveryengine.
discoveryengine.
discoveryengine.controls.list
discoveryengine.
discoveryengine.
discoveryengine.documents.list
discoveryengine.engines.list
discoveryengine.
discoveryengine.models.list
discoveryengine.
discoveryengine.
discoveryengine.
discoveryengine.schemas.list
discoveryengine.
discoveryengine.sessions.list
discoveryengine.
dlp.analyzeRiskTemplates.list
dlp.columnDataProfiles.list
dlp.connections.list
dlp.deidentifyTemplates.list
dlp.estimates.list
dlp.fileStoreProfiles.list
dlp.inspectFindings.list
dlp.inspectTemplates.list
dlp.jobTriggers.list
dlp.jobs.list
dlp.locations.list
dlp.projectDataProfiles.list
dlp.storedInfoTypes.list
dlp.subscriptions.list
dlp.tableDataProfiles.list
dns.changes.list
dns.dnsKeys.list
dns.managedZoneOperations.list
dns.managedZones.getIamPolicy
dns.managedZones.list
dns.policies.getIamPolicy
dns.policies.list
dns.resourceRecordSets.list
dns.responsePolicies.list
dns.responsePolicyRules.list
documentai.
documentai.evaluations.list
documentai.labelerPools.list
documentai.locations.list
documentai.processorTypes.list
documentai.
documentai.processors.list
domains.locations.list
domains.operations.list
domains.
domains.registrations.list
earthengine.
earthengine.assets.list
earthengine.operations.list
edgecontainer.
edgecontainer.clusters.list
edgecontainer.locations.list
edgecontainer.
edgecontainer.machines.list
edgecontainer.
edgecontainer.nodePools.list
edgecontainer.operations.list
edgecontainer.
edgecontainer.
edgenetwork.
edgenetwork.
edgenetwork.
edgenetwork.interconnects.list
edgenetwork.locations.list
edgenetwork.
edgenetwork.networks.list
edgenetwork.operations.list
edgenetwork.
edgenetwork.routers.list
edgenetwork.routes.list
edgenetwork.
edgenetwork.subnetworks.list
edgenetwork.zones.list
enterpriseknowledgegraph.
enterprisepurchasing.
enterprisepurchasing.
enterprisepurchasing.
enterprisepurchasing.
errorreporting.
errorreporting.
errorreporting.groups.list
essentialcontacts.
eventarc.
eventarc.
eventarc.channels.getIamPolicy
eventarc.channels.list
eventarc.
eventarc.enrollments.list
eventarc.
eventarc.googleApiSources.list
eventarc.locations.list
eventarc.
eventarc.messageBuses.list
eventarc.operations.list
eventarc.
eventarc.pipelines.list
eventarc.providers.list
eventarc.triggers.getIamPolicy
eventarc.triggers.list
fcmdata.deliverydata.list
file.backups.list
file.instances.list
file.locations.list
file.operations.list
financialservices.
financialservices.
financialservices.
financialservices.
financialservices.
financialservices.
financialservices.
financialservices.
financialservices.
firebase.clients.list
firebase.links.list
firebase.playLinks.list
firebaseabt.experiments.list
firebaseappdistro.groups.list
firebaseappdistro.
firebaseappdistro.testers.list
firebasecrashlytics.
firebasedatabase.
firebasedataconnect.
firebasedataconnect.
firebasedataconnect.
firebasedataconnect.
firebasedataconnect.
firebasedataconnect.
firebasedataconnect.
firebasedynamiclinks.
firebasedynamiclinks.
firebasedynamiclinks.
firebaseextensions.
firebaseextensionspublisher.
firebasehosting.sites.list
firebaseinappmessaging.
firebasemessagingcampaigns.
firebaseml.models.list
firebaseml.modelversions.list
firebasenotifications.
firebaserules.releases.list
firebaserules.rulesets.list
firebasestorage.buckets.list
fleetengine.
fleetengine.tasks.list
fleetengine.vehicles.list
gcp.redisenterprise.
gcp.redisenterprise.
gdchardwaremanagement.
gdchardwaremanagement.
gdchardwaremanagement.
gdchardwaremanagement.
gdchardwaremanagement.
gdchardwaremanagement.
gdchardwaremanagement.
gdchardwaremanagement.
gdchardwaremanagement.
gdchardwaremanagement.
genomics.datasets.getIamPolicy
genomics.datasets.list
genomics.operations.list
gkebackup.
gkebackup.backupPlans.list
gkebackup.backups.list
gkebackup.locations.list
gkebackup.operations.list
gkebackup.
gkebackup.restorePlans.list
gkebackup.restores.list
gkebackup.volumeBackups.list
gkebackup.volumeRestores.list
gkehub.features.getIamPolicy
gkehub.features.list
gkehub.locations.list
gkehub.membershipbindings.list
gkehub.membershipfeatures.list
gkehub.
gkehub.memberships.list
gkehub.namespaces.list
gkehub.operations.list
gkehub.rbacrolebindings.list
gkehub.scopes.getIamPolicy
gkehub.scopes.list
gkemulticloud.
gkemulticloud.awsClusters.list
gkemulticloud.
gkemulticloud.
gkemulticloud.
gkemulticloud.
gkemulticloud.operations.list
gkeonprem.
gkeonprem.
gkeonprem.
gkeonprem.
gkeonprem.
gkeonprem.
gkeonprem.locations.list
gkeonprem.operations.list
gkeonprem.
gkeonprem.
gkeonprem.
gkeonprem.vmwareClusters.list
gkeonprem.
gkeonprem.vmwareNodePools.list
gsuiteaddons.deployments.list
healthcare.
healthcare.
healthcare.annotations.list
healthcare.
healthcare.
healthcare.
healthcare.consentStores.list
healthcare.consents.list
healthcare.
healthcare.datasets.list
healthcare.
healthcare.dicomStores.list
healthcare.
healthcare.fhirStores.list
healthcare.hl7V2Messages.list
healthcare.
healthcare.hl7V2Stores.list
healthcare.locations.list
healthcare.operations.list
healthcare.
iam.denypolicies.list
iam.googleapis.
iam.googleapis.
iam.googleapis.
iam.googleapis.
iam.googleapis.
iam.googleapis.
iam.googleapis.
iam.googleapis.
iam.googleapis.
iam.policybindings.list
iam.
iam.roles.get
iam.roles.list
iam.serviceAccountKeys.list
iam.serviceAccounts.get
iam.
iam.serviceAccounts.list
iap.tunnel.getIamPolicy
iap.
iap.tunnelDestGroups.list
iap.
iap.
iap.tunnelZones.getIamPolicy
iap.web.getIamPolicy
iap.
iap.webServices.getIamPolicy
iap.webTypes.getIamPolicy
identitytoolkit.
identitytoolkit.tenants.list
ids.endpoints.getIamPolicy
ids.endpoints.list
ids.locations.list
ids.operations.list
integrations.
integrations.
integrations.
integrations.
integrations.
integrations.
integrations.
integrations.
integrations.authConfigs.list
integrations.certificates.list
integrations.executions.list
integrations.
integrations.integrations.list
integrations.
integrations.
integrations.
integrations.
integrations.
integrations.sfdcChannels.list
integrations.
integrations.suspensions.list
integrations.testCases.list
issuerswitch.
issuerswitch.
issuerswitch.
issuerswitch.
issuerswitch.
issuerswitch.operations.list
issuerswitch.ruleMetadata.list
issuerswitch.
issuerswitch.rules.list
krmapihosting.
krmapihosting.krmApiHosts.list
krmapihosting.locations.list
krmapihosting.operations.list
licensemanager.
licensemanager.instances.list
licensemanager.locations.list
licensemanager.operations.list
licensemanager.products.list
lifesciences.operations.list
livestream.assets.list
livestream.channels.list
livestream.clips.list
livestream.events.list
livestream.inputs.list
livestream.locations.list
livestream.operations.list
logging.buckets.list
logging.exclusions.list
logging.links.list
logging.locations.list
logging.logEntries.list
logging.logMetrics.list
logging.logScopes.list
logging.logServiceIndexes.list
logging.logServices.list
logging.logs.list
logging.notificationRules.list
logging.operations.list
logging.privateLogEntries.list
logging.queries.usePrivate
logging.sinks.list
logging.views.getIamPolicy
logging.views.list
looker.backups.list
looker.instances.list
looker.locations.list
looker.operations.list
managedflink.deployments.list
managedflink.jobs.list
managedflink.locations.list
managedflink.operations.list
managedflink.sessions.list
managedidentities.
managedidentities.backups.list
managedidentities.
managedidentities.domains.list
managedidentities.
managedidentities.
managedidentities.
managedidentities.
managedidentities.
managedkafka.clusters.list
managedkafka.
managedkafka.locations.list
managedkafka.operations.list
managedkafka.topics.list
mapsadmin.clientMaps.list
mapsadmin.
mapsadmin.clientStyles.list
mapsadmin.styleSnapshots.list
mapsanalytics.
mapsplatformdatasets.
marketplacesolutions.
marketplacesolutions.
marketplacesolutions.
marketplacesolutions.
marketplacesolutions.
marketplacesolutions.
marketplacesolutions.
memcache.instances.list
memcache.locations.list
memcache.operations.list
memorystore.instances.list
memorystore.locations.list
memorystore.operations.list
metastore.backups.getIamPolicy
metastore.backups.list
metastore.
metastore.databases.list
metastore.
metastore.federations.list
metastore.imports.list
metastore.locations.list
metastore.migrations.list
metastore.operations.list
metastore.
metastore.services.list
metastore.tables.getIamPolicy
metastore.tables.list
migrationcenter.assets.list
migrationcenter.
migrationcenter.
migrationcenter.groups.list
migrationcenter.
migrationcenter.
migrationcenter.locations.list
migrationcenter.
migrationcenter.
migrationcenter.relations.list
migrationcenter.
migrationcenter.reports.list
migrationcenter.sources.list
ml.jobs.getIamPolicy
ml.jobs.list
ml.locations.list
ml.models.getIamPolicy
ml.models.list
ml.operations.list
ml.studies.getIamPolicy
ml.studies.list
ml.trials.list
ml.versions.list
monitoring.alertPolicies.list
monitoring.dashboards.list
monitoring.groups.list
monitoring.
monitoring.
monitoring.
monitoring.
monitoring.services.list
monitoring.slos.list
monitoring.snoozes.list
monitoring.timeSeries.list
monitoring.
netapp.activeDirectories.list
netapp.backupPolicies.list
netapp.backupVaults.list
netapp.backups.list
netapp.kmsConfigs.list
netapp.locations.list
netapp.operations.list
netapp.quotaRules.list
netapp.replications.list
netapp.snapshots.list
netapp.storagePools.list
netapp.volumes.list
networkconnectivity.
networkconnectivity.
networkconnectivity.
networkconnectivity.
networkconnectivity.
networkconnectivity.
networkconnectivity.
networkconnectivity.hubs.list
networkconnectivity.
networkconnectivity.
networkconnectivity.
networkconnectivity.
networkconnectivity.
networkconnectivity.
networkconnectivity.
networkconnectivity.
networkconnectivity.
networkconnectivity.
networkconnectivity.
networkconnectivity.
networkmanagement.
networkmanagement.
networkmanagement.
networkmanagement.
networkmanagement.
networksecurity.
networksecurity.
networksecurity.
networksecurity.
networksecurity.
networksecurity.
networksecurity.
networksecurity.
networksecurity.
networksecurity.
networksecurity.
networksecurity.
networksecurity.
networksecurity.
networksecurity.
networksecurity.
networksecurity.locations.list
networksecurity.
networksecurity.
networksecurity.
networksecurity.
networksecurity.
networksecurity.
networksecurity.
networksecurity.
networksecurity.
networksecurity.
networksecurity.urlLists.list
networkservices.
networkservices.
networkservices.gateways.list
networkservices.
networkservices.
networkservices.
networkservices.
networkservices.
networkservices.
networkservices.
networkservices.locations.list
networkservices.meshes.list
networkservices.
networkservices.
networkservices.
networkservices.
networkservices.tcpRoutes.list
networkservices.tlsRoutes.list
networkservices.
notebooks.
notebooks.environments.list
notebooks.
notebooks.executions.list
notebooks.
notebooks.instances.list
notebooks.locations.list
notebooks.operations.list
notebooks.
notebooks.runtimes.list
notebooks.
notebooks.schedules.list
observability.
ondemandscanning.
opsconfigmonitoring.
oracledatabase.
oracledatabase.
oracledatabase.
oracledatabase.
oracledatabase.
oracledatabase.
oracledatabase.dbNodes.list
oracledatabase.dbServers.list
oracledatabase.
oracledatabase.
oracledatabase.giVersions.list
oracledatabase.locations.list
oracledatabase.operations.list
orgpolicy.constraints.list
orgpolicy.
orgpolicy.policies.list
osconfig.guestPolicies.list
osconfig.
osconfig.inventories.list
osconfig.locations.list
osconfig.operations.list
osconfig.
osconfig.
osconfig.patchDeployments.list
osconfig.patchJobs.list
osconfig.
osconfig.upgradeReports.list
osconfig.
parallelstore.instances.list
parallelstore.locations.list
parallelstore.operations.list
parametermanager.
parametermanager.
parametermanager.
paymentsresellersubscription.
paymentsresellersubscription.
policyremediatormanager.
policyremediatormanager.
policysimulator.
policysimulator.
policysimulator.
policysimulator.
policysimulator.
policysimulator.replays.list
privateca.caPools.getIamPolicy
privateca.caPools.list
privateca.
privateca.
privateca.
privateca.
privateca.
privateca.
privateca.
privateca.certificates.list
privateca.locations.list
privateca.operations.list
privateca.
privateca.reusableConfigs.list
privilegedaccessmanager.
privilegedaccessmanager.
privilegedaccessmanager.
privilegedaccessmanager.
proximitybeacon.
proximitybeacon.
proximitybeacon.beacons.list
proximitybeacon.
proximitybeacon.
pubsub.schemas.getIamPolicy
pubsub.schemas.list
pubsub.snapshots.getIamPolicy
pubsub.snapshots.list
pubsub.
pubsub.subscriptions.list
pubsub.topics.getIamPolicy
pubsub.topics.list
pubsublite.operations.list
pubsublite.reservations.list
pubsublite.subscriptions.list
pubsublite.topics.list
recaptchaenterprise.
recaptchaenterprise.keys.list
recaptchaenterprise.
recaptchaenterprise.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.costInsights.list
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.locations.list
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
redis.backupCollections.list
redis.backups.list
redis.clusters.list
redis.instances.list
redis.locations.list
redis.operations.list
remotebuildexecution.
remotebuildexecution.
resourcemanager.
resourcemanager.folders.list
resourcemanager.
resourcemanager.
resourcemanager.
resourcemanager.projects.list
resourcemanager.tagHolds.list
resourcemanager.
resourcemanager.tagKeys.list
resourcemanager.
resourcemanager.tagValues.list
resourcesettings.settings.list
retail.branches.list
retail.catalogs.list
retail.controls.list
retail.experiments.list
retail.models.list
retail.operations.list
retail.products.list
retail.servingConfigs.list
riskmanager.
riskmanager.operations.list
riskmanager.policies.list
riskmanager.reports.list
rma.collectors.list
rma.locations.list
rma.operations.list
run.configurations.list
run.executions.list
run.jobs.getIamPolicy
run.jobs.list
run.locations.list
run.operations.list
run.revisions.list
run.routes.list
run.services.getIamPolicy
run.services.list
run.tasks.list
runapps.applications.list
runapps.deployments.list
runapps.locations.list
runapps.operations.list
runtimeconfig.
runtimeconfig.configs.list
runtimeconfig.operations.list
runtimeconfig.
runtimeconfig.variables.list
runtimeconfig.
runtimeconfig.waiters.list
secretmanager.locations.list
secretmanager.
secretmanager.secrets.list
secretmanager.versions.list
securedlandingzone.
securesourcemanager.
securesourcemanager.
securesourcemanager.
securesourcemanager.
securesourcemanager.
securesourcemanager.
securesourcemanager.
securesourcemanager.
securitycenter.assets.list
securitycenter.
securitycenter.
securitycenter.
securitycenter.
securitycenter.findings.list
securitycenter.
securitycenter.
securitycenter.
securitycenter.
securitycenter.
securitycenter.sources.list
securitycenter.
securitycenter.
securitycentermanagement.
securitycentermanagement.
securitycentermanagement.
securitycentermanagement.
securitycentermanagement.
securitycentermanagement.
securityposture.locations.list
securityposture.
securityposture.
securityposture.
securityposture.postures.list
securityposture.reports.list
servicebroker.
servicebroker.
servicebroker.bindings.list
servicebroker.
servicebroker.catalogs.list
servicebroker.
servicebroker.
servicebroker.instances.list
serviceconsumermanagement.
servicedirectory.
servicedirectory.
servicedirectory.
servicedirectory.
servicedirectory.
servicedirectory.
servicedirectory.services.list
servicehealth.events.list
servicehealth.locations.list
servicehealth.
servicehealth.
servicemanagement.
servicemanagement.
servicenetworking.
servicesecurityinsights.
servicesecurityinsights.
servicesecurityinsights.
serviceusage.services.list
source.repos.getIamPolicy
source.repos.list
spanner.backupOperations.list
spanner.
spanner.backupSchedules.list
spanner.backups.getIamPolicy
spanner.backups.list
spanner.
spanner.databaseRoles.list
spanner.databases.getIamPolicy
spanner.databases.list
spanner.
spanner.instanceConfigs.list
spanner.
spanner.
spanner.
spanner.instances.getIamPolicy
spanner.instances.list
spanner.sessions.list
speakerid.phrases.list
speakerid.speakers.list
speech.customClasses.list
speech.locations.list
speech.operations.list
speech.phraseSets.list
speech.recognizers.list
stackdriver.
storage.anywhereCaches.list
storage.bucketOperations.list
storage.buckets.getIamPolicy
storage.buckets.list
storage.folders.list
storage.hmacKeys.list
storage.
storage.managedFolders.list
storage.multipartUploads.list
storage.objects.getIamPolicy
storage.objects.list
storageinsights.
storageinsights.locations.list
storageinsights.
storageinsights.
storageinsights.
storagetransfer.
storagetransfer.jobs.list
storagetransfer.
stream.locations.list
stream.operations.list
stream.streamContents.list
stream.streamInstances.list
telcoautomation.
telcoautomation.
telcoautomation.edgeSlms.list
telcoautomation.
telcoautomation.locations.list
telcoautomation.
telcoautomation.
telcoautomation.
timeseriesinsights.
timeseriesinsights.
tpu.acceleratortypes.list
tpu.locations.list
tpu.nodes.list
tpu.operations.list
tpu.runtimeversions.list
tpu.tensorflowversions.list
transcoder.jobTemplates.list
transcoder.jobs.list
transferappliance.
transferappliance.
transferappliance.
transferappliance.orders.list
transferappliance.
translationhub.portals.list
videostitcher.cdnKeys.list
videostitcher.
videostitcher.liveConfigs.list
videostitcher.operations.list
videostitcher.slates.list
videostitcher.
videostitcher.vodConfigs.list
videostitcher.
visionai.analyses.getIamPolicy
visionai.analyses.list
visionai.annotations.list
visionai.applications.list
visionai.assets.list
visionai.clusters.getIamPolicy
visionai.clusters.list
visionai.corpora.list
visionai.dataSchemas.list
visionai.drafts.list
visionai.events.getIamPolicy
visionai.events.list
visionai.indexEndpoints.list
visionai.indexes.list
visionai.instances.list
visionai.locations.list
visionai.operations.list
visionai.
visionai.operators.list
visionai.processors.list
visionai.searchConfigs.list
visionai.series.getIamPolicy
visionai.series.list
visionai.streams.getIamPolicy
visionai.streams.list
visionai.uistreams.list
visualinspection.
visualinspection.
visualinspection.
visualinspection.datasets.list
visualinspection.images.list
visualinspection.
visualinspection.
visualinspection.models.list
visualinspection.modules.list
visualinspection.
visualinspection.
visualinspection.
vmmigration.cloneJobs.list
vmmigration.cutoverJobs.list
vmmigration.
vmmigration.deployments.list
vmmigration.groups.list
vmmigration.locations.list
vmmigration.migratingVms.list
vmmigration.operations.list
vmmigration.
vmmigration.sources.list
vmmigration.targets.list
vmmigration.
vmwareengine.
vmwareengine.clusters.list
vmwareengine.
vmwareengine.
vmwareengine.
vmwareengine.
vmwareengine.locations.list
vmwareengine.
vmwareengine.
vmwareengine.
vmwareengine.
vmwareengine.nodeTypes.list
vmwareengine.nodes.list
vmwareengine.operations.list
vmwareengine.
vmwareengine.
vmwareengine.
vmwareengine.subnets.list
vmwareengine.
vpcaccess.connectors.list
vpcaccess.locations.list
vpcaccess.operations.list
workflows.callbacks.list
workflows.executions.list
workflows.locations.list
workflows.operations.list
workflows.stepEntries.list
workflows.workflows.list
workloadcertificate.
workloadcertificate.
workloadcertificate.
workloadmanager.
workloadmanager.
workloadmanager.
workloadmanager.
workloadmanager.
workloadmanager.locations.list
workloadmanager.
workloadmanager.results.list
workloadmanager.rules.list
workstations.
workstations.
workstations.
workstations.
workstations.workstations.list
Workspace Pool IAM Admin
Beta
(roles/)
IAM workspace pool admin able to bind IAM policies to Dasher accounts.
iam.workspacePools.*
Infrastructure Manager roles
Permissions
Cloud Infrastructure Manager Admin
Beta
(roles/)
Full access to Cloud Infrastructure Manager resources.
config.*
resourcemanager.projects.get
resourcemanager.projects.list
Cloud Infrastructure Manager Agent
Beta
(roles/)
Required permissions to make Cloud Infrastructure Manager work with the user-specified service account
cloudbuild.connections.list
cloudbuild.
cloudbuild.repositories.list
cloudquotas.quotas.get
config.artifacts.import
config.deployments.deleteState
config.deployments.getLock
config.deployments.getState
config.deployments.updateState
config.previews.upload
config.revisions.getState
logging.logEntries.create
monitoring.timeSeries.list
storage.buckets.create
storage.buckets.delete
storage.buckets.get
storage.buckets.list
storage.buckets.update
storage.objects.create
storage.objects.delete
storage.objects.get
storage.objects.list
storage.objects.update
Cloud Infrastructure Manager Viewer
Beta
(roles/)
Read-only access to Cloud Infrastructure Manager resources.
config.deployments.get
config.
config.deployments.list
config.locations.*
config.operations.get
config.operations.list
config.previews.get
config.previews.list
config.resources.*
config.revisions.get
config.revisions.list
config.terraformversions.*
resourcemanager.projects.get
resourcemanager.projects.list
KRM API Hosting roles
Permissions
Config Controller Admin
(roles/)
Full access to all Config Controller resources.
krmapihosting.*
resourcemanager.projects.get
resourcemanager.projects.list
Config Controller Viewer
(roles/)
Read-only access to all Config Controller resources.
krmapihosting.krmApiHosts.get
krmapihosting.
krmapihosting.krmApiHosts.list
krmapihosting.locations.*
krmapihosting.operations.get
krmapihosting.operations.list
resourcemanager.projects.get
resourcemanager.projects.list
Kubernetes Engine roles
Permissions
Kubernetes Engine Admin
(roles/)
Provides access to full management of clusters and their
Kubernetes API objects.
To set a service account on nodes, you must also have the Service Account User role
(roles/iam.serviceAccountUser) on the
user-managed
service account that your nodes will use .
Lowest-level resources where you can grant this role:
container.*
recommender.
recommender.
recommender.locations.*
recommender.
recommender.
resourcemanager.projects.get
resourcemanager.projects.list
Kubernetes Engine KMS Crypto Key User
(roles/)
Allow the Kubernetes Engine service agent in the cluster project to call KMS with user provided crypto keys to sign payloads.
cloudkms.cryptoKeyVersions.get
cloudkms.
cloudkms.
cloudkms.
cloudkms.cryptoKeys.get
cloudkms.locations.get
cloudkms.locations.list
resourcemanager.projects.get
Kubernetes Engine Cluster Admin
(roles/)
Provides access to management of clusters.
To set a service account on nodes, you must also have the Service Account User role
(roles/iam.serviceAccountUser) on the
user-managed
service account that your nodes will use .
Lowest-level resources where you can grant this role:
container.clusters.create
container.clusters.delete
container.clusters.get
container.clusters.list
container.clusters.update
container.operations.*
resourcemanager.projects.get
resourcemanager.projects.list
Kubernetes Engine Cluster Viewer
(roles/)
Provides access to get and list GKE clusters.
container.clusters.get
container.clusters.list
resourcemanager.projects.get
resourcemanager.projects.list
Kubernetes Engine Default Node Service Account
(roles/)
Least privilege role to use as the default service account for GKE Nodes.
autoscaling.sites.writeMetrics
logging.logEntries.create
monitoring.
monitoring.
monitoring.timeSeries.*
Kubernetes Engine Developer
(roles/)
Provides access to Kubernetes API objects inside clusters.
Lowest-level resources where you can grant this role:
container.apiServices.*
container.auditSinks.*
container.backendConfigs.*
container.bindings.*
container.
container.
container.
container.
container.
container.
container.
container.
container.clusterRoles.get
container.clusterRoles.list
container.clusters.connect
container.clusters.get
container.clusters.list
container.componentStatuses.*
container.configMaps.*
container.
container.
container.cronJobs.*
container.csiDrivers.*
container.csiNodeInfos.*
container.csiNodes.*
container.
container.daemonSets.*
container.deployments.*
container.endpointSlices.*
container.endpoints.*
container.events.*
container.frontendConfigs.*
container.
container.ingresses.*
container.
container.jobs.*
container.leases.*
container.limitRanges.*
container.
container.
container.
container.
container.namespaces.*
container.networkPolicies.*
container.nodes.*
container.
container.persistentVolumes.*
container.petSets.*
container.
container.podPresets.*
container.
container.
container.podTemplates.*
container.pods.*
container.priorityClasses.*
container.replicaSets.*
container.
container.resourceQuotas.*
container.roleBindings.get
container.roleBindings.list
container.roles.get
container.roles.list
container.runtimeClasses.*
container.scheduledJobs.*
container.secrets.*
container.
container.
container.serviceAccounts.*
container.services.*
container.statefulSets.*
container.storageClasses.*
container.storageStates.*
container.
container.
container.thirdPartyObjects.*
container.
container.tokenReviews.create
container.updateInfos.*
container.
container.
container.volumeAttachments.*
container.
container.
container.volumeSnapshots.*
recommender.
recommender.
recommender.locations.*
recommender.
recommender.
resourcemanager.projects.get
resourcemanager.projects.list
Kubernetes Engine Host Service Agent User
(roles/)
Allows the Kubernetes Engine service account in the host project to configure shared network
resources for cluster management. Also gives access to inspect the firewall rules in the host
project.
compute.firewalls.get
container.hostServiceAgent.use
dns.
dns.
dns.
dns.responsePolicies.*
dns.responsePolicyRules.*
Kubernetes Engine Viewer
(roles/)
Provides read-only access to resources within GKE clusters, such as nodes, pods, and GKE API objects.
Lowest-level resources where you can grant this role:
container.apiServices.get
container.
container.apiServices.list
container.auditSinks.get
container.auditSinks.list
container.backendConfigs.get
container.backendConfigs.list
container.bindings.get
container.bindings.list
container.
container.
container.
container.
container.
container.clusterRoles.get
container.clusterRoles.list
container.clusters.connect
container.clusters.get
container.clusters.list
container.componentStatuses.*
container.configMaps.get
container.configMaps.list
container.
container.
container.cronJobs.get
container.cronJobs.getStatus
container.cronJobs.list
container.csiDrivers.get
container.csiDrivers.list
container.csiNodeInfos.get
container.csiNodeInfos.list
container.csiNodes.get
container.csiNodes.list
container.
container.
container.
container.daemonSets.get
container.daemonSets.getStatus
container.daemonSets.list
container.deployments.get
container.deployments.getScale
container.
container.deployments.list
container.endpointSlices.get
container.endpointSlices.list
container.endpoints.get
container.endpoints.list
container.events.get
container.events.list
container.frontendConfigs.get
container.frontendConfigs.list
container.
container.
container.
container.ingresses.get
container.ingresses.getStatus
container.ingresses.list
container.
container.
container.jobs.get
container.jobs.getStatus
container.jobs.list
container.leases.get
container.leases.list
container.limitRanges.get
container.limitRanges.list
container.
container.
container.
container.
container.namespaces.get
container.namespaces.getStatus
container.namespaces.list
container.networkPolicies.get
container.networkPolicies.list
container.nodes.get
container.nodes.getStatus
container.nodes.list
container.operations.*
container.
container.
container.
container.
container.
container.
container.petSets.get
container.petSets.list
container.
container.
container.
container.podPresets.get
container.podPresets.list
container.
container.
container.podTemplates.get
container.podTemplates.list
container.pods.get
container.pods.getStatus
container.pods.list
container.priorityClasses.get
container.priorityClasses.list
container.replicaSets.get
container.replicaSets.getScale
container.
container.replicaSets.list
container.
container.
container.
container.
container.resourceQuotas.get
container.
container.resourceQuotas.list
container.roleBindings.get
container.roleBindings.list
container.roles.get
container.roles.list
container.runtimeClasses.get
container.runtimeClasses.list
container.scheduledJobs.get
container.scheduledJobs.list
container.serviceAccounts.get
container.serviceAccounts.list
container.services.get
container.services.getStatus
container.services.list
container.statefulSets.get
container.
container.
container.statefulSets.list
container.storageClasses.get
container.storageClasses.list
container.storageStates.get
container.
container.storageStates.list
container.
container.
container.
container.
container.
container.
container.
container.tokenReviews.create
container.updateInfos.get
container.updateInfos.list
container.
container.
container.
container.
container.
container.
container.
container.
container.
container.
container.volumeSnapshots.get
container.volumeSnapshots.list
recommender.
recommender.
recommender.
recommender.
recommender.locations.*
recommender.
recommender.
recommender.
recommender.
resourcemanager.projects.get
resourcemanager.projects.list
Live Stream roles
Permissions
Live Stream Editor
(roles/)
Full access to Live Stream resources.
livestream.*
resourcemanager.projects.get
resourcemanager.projects.list
Live Stream Viewer
(roles/)
Read access to Live Stream resources.
livestream.assets.get
livestream.assets.list
livestream.channels.get
livestream.channels.list
livestream.clips.get
livestream.clips.list
livestream.events.get
livestream.events.list
livestream.inputs.get
livestream.inputs.list
livestream.locations.*
livestream.operations.get
livestream.operations.list
livestream.pools.get
resourcemanager.projects.get
resourcemanager.projects.list
Logging roles
Permissions
Logging Admin
(roles/)
Provides all permissions necessary to use all features of Cloud Logging.
Lowest-level resources where you can grant this role:
logging.buckets.copyLogEntries
logging.buckets.create
logging.
logging.buckets.delete
logging.
logging.buckets.get
logging.buckets.list
logging.
logging.
logging.buckets.undelete
logging.buckets.update
logging.exclusions.*
logging.fields.access
logging.links.*
logging.locations.*
logging.logEntries.*
logging.logMetrics.*
logging.logScopes.*
logging.logServiceIndexes.list
logging.logServices.list
logging.logs.*
logging.notificationRules.*
logging.operations.*
logging.privateLogEntries.list
logging.queries.*
logging.settings.*
logging.sinks.*
logging.sqlAlerts.*
logging.usage.get
logging.views.*
observability.scopes.get
resourcemanager.projects.get
resourcemanager.projects.list
Logs Bucket Writer
(roles/)
Ability to write logs to a log bucket.
Lowest-level resources where you can grant this role:
logging.buckets.write
Logs Configuration Writer
(roles/)
Provides permissions to read and write the configurations of logs-based
metrics and sinks for exporting logs.
Lowest-level resources where you can grant this role:
logging.buckets.create
logging.
logging.buckets.delete
logging.
logging.buckets.get
logging.buckets.list
logging.
logging.
logging.buckets.undelete
logging.buckets.update
logging.exclusions.*
logging.links.*
logging.locations.*
logging.logMetrics.*
logging.logScopes.*
logging.logServiceIndexes.list
logging.logServices.list
logging.logs.list
logging.notificationRules.*
logging.operations.*
logging.settings.*
logging.sinks.*
logging.sqlAlerts.*
logging.views.create
logging.views.delete
logging.views.get
logging.views.getIamPolicy
logging.views.list
logging.views.update
observability.scopes.get
resourcemanager.projects.get
resourcemanager.projects.list
Log Field Accessor
(roles/)
Ability to read restricted fields in a log bucket.
Lowest-level resources where you can grant this role:
logging.fields.access
Log Link Accessor
(roles/)
Ability to see links for a bucket.
logging.links.get
logging.links.list
Logs Writer
(roles/)
Provides the permissions to write log entries.
Lowest-level resources where you can grant this role:
logging.logEntries.create
logging.logEntries.route
Private Logs Viewer
(roles/)
Provides permissions of the Logs Viewer role and in addition, provides
read-only access to log entries in private logs.
Lowest-level resources where you can grant this role:
logging.buckets.get
logging.buckets.list
logging.exclusions.get
logging.exclusions.list
logging.links.get
logging.links.list
logging.locations.*
logging.logEntries.list
logging.logMetrics.get
logging.logMetrics.list
logging.logServiceIndexes.list
logging.logServices.list
logging.logs.list
logging.privateLogEntries.list
logging.queries.getShared
logging.queries.listShared
logging.queries.usePrivate
logging.sinks.get
logging.sinks.list
logging.usage.get
logging.views.access
logging.views.get
logging.views.list
observability.scopes.get
resourcemanager.projects.get
SQL Alert Writer
Beta
(roles/)
Ability to write SQL Alerts.
logging.sqlAlerts.*
Logs View Accessor
(roles/)
Ability to read logs in a view.
Lowest-level resources where you can grant this role:
logging.logEntries.download
logging.views.access
logging.views.listLogs
logging.views.listResourceKeys
logging.
Logs Viewer
(roles/)
Provides access to view logs.
Lowest-level resources where you can grant this role:
logging.buckets.get
logging.buckets.list
logging.exclusions.get
logging.exclusions.list
logging.links.get
logging.links.list
logging.locations.*
logging.logEntries.list
logging.logMetrics.get
logging.logMetrics.list
logging.logScopes.get
logging.logScopes.list
logging.logServiceIndexes.list
logging.logServices.list
logging.logs.list
logging.operations.get
logging.operations.list
logging.queries.getShared
logging.queries.listShared
logging.queries.usePrivate
logging.sinks.get
logging.sinks.list
logging.usage.get
logging.views.get
logging.views.list
observability.scopes.get
resourcemanager.projects.get
Looker roles
Permissions
Looker Admin
(roles/)
Full access to all Looker resources.
looker.*
resourcemanager.projects.get
resourcemanager.projects.list
Looker Instance User
(roles/)
Access to log in to a Looker instance.
looker.instances.get
looker.instances.login
resourcemanager.projects.get
resourcemanager.projects.list
Looker Viewer
(roles/)
Read-only access to all Looker resources.
looker.backups.get
looker.backups.list
looker.instances.get
looker.instances.list
looker.instances.login
looker.locations.*
looker.operations.get
looker.operations.list
resourcemanager.projects.get
resourcemanager.projects.list
Maps API Admin roles
Permissions
Maps API Admin
(roles/)
Read and Write all Maps Management and Maps Styles Resources.
mapsadmin.*
resourcemanager.projects.get
resourcemanager.projects.list
Maps API Viewer
(roles/)
Read all Maps Management and Maps Styles Resources.
mapsadmin.clientMaps.get
mapsadmin.clientMaps.list
mapsadmin.
mapsadmin.clientStyles.get
mapsadmin.clientStyles.list
mapsadmin.
mapsadmin.styleSnapshots.list
resourcemanager.projects.get
resourcemanager.projects.list
Memorystore Memcache roles
Permissions
Cloud Memorystore Memcached Admin
(roles/)
Full access to Memcached instances and related resources.
compute.networks.list
memcache.*
resourcemanager.projects.get
resourcemanager.projects.list
Cloud Memorystore Memcached Editor
(roles/)
Read-Write access to Memcached instances and related resources.
memcache.
memcache.instances.get
memcache.instances.list
memcache.instances.update
memcache.
memcache.locations.*
memcache.operations.*
resourcemanager.projects.get
resourcemanager.projects.list
Cloud Memorystore Memcached Viewer
(roles/)
Read-only access to Memcached instances and related resources.
memcache.instances.get
memcache.instances.list
memcache.locations.*
memcache.operations.get
memcache.operations.list
resourcemanager.projects.get
resourcemanager.projects.list
Memorystore Redis roles
Permissions
Cloud Memorystore Redis Admin
(roles/)
Full control for all Memorystore for Redis resources.
compute.networks.list
networkconnectivity.
redis.*
resourcemanager.projects.get
resourcemanager.projects.list
serviceusage.services.use
Cloud Memorystore Redis Db Connection User
Beta
(roles/)
Access to connecting to Redis Server db.
redis.clusters.connect
Cloud Memorystore Redis Editor
(roles/)
Manage Memorystore for Redis instances. Can't create or delete instances.
compute.networks.list
redis.backupCollections.get
redis.backupCollections.list
redis.backups.get
redis.backups.list
redis.clusters.backup
redis.clusters.get
redis.clusters.list
redis.clusters.update
redis.instances.failover
redis.instances.get
redis.instances.list
redis.instances.update
redis.locations.*
redis.operations.*
resourcemanager.projects.get
resourcemanager.projects.list
serviceusage.services.use
Cloud Memorystore Redis Viewer
(roles/)
Read-only access to all Memorystore for Redis resources.
redis.backupCollections.get
redis.backupCollections.list
redis.backups.get
redis.backups.list
redis.clusters.get
redis.clusters.list
redis.instances.get
redis.instances.list
redis.
redis.
redis.locations.*
redis.operations.get
redis.operations.list
resourcemanager.projects.get
resourcemanager.projects.list
serviceusage.services.use
Mesh Management roles
Permissions
Mesh Config Admin
Beta
(roles/)
Full access to all mesh configuration resources
meshconfig.projects.init
Mesh Config Viewer
Beta
(roles/)
Read access to mesh configuration
Migration Center roles
Permissions
Migration Center Admin
Beta
(roles/)
Full access to Migration Center all resources.
migrationcenter.*
resourcemanager.projects.get
resourcemanager.projects.list
rma.*
serviceusage.quotas.get
Migration Center Discovery Client
Beta
(roles/)
Migration Center Discover Client role
migrationcenter.
migrationcenter.
migrationcenter.
Migration Center Discovery Client Registrator
Beta
(roles/)
Registrator of Migration Center Discover Clients
migrationcenter.
migrationcenter.
migrationcenter.
migrationcenter.operations.get
migrationcenter.sources.create
migrationcenter.sources.delete
resourcemanager.projects.get
resourcemanager.projects.list
Migration Center Viewer
Beta
(roles/)
Read-only access to Migration Center all resources.
migrationcenter.assets.get
migrationcenter.assets.list
migrationcenter.
migrationcenter.
migrationcenter.errorFrames.*
migrationcenter.groups.get
migrationcenter.groups.list
migrationcenter.
migrationcenter.
migrationcenter.importJobs.get
migrationcenter.
migrationcenter.locations.*
migrationcenter.operations.get
migrationcenter.
migrationcenter.
migrationcenter.
migrationcenter.relations.*
migrationcenter.
migrationcenter.
migrationcenter.reports.get
migrationcenter.reports.list
migrationcenter.settings.get
migrationcenter.sources.get
migrationcenter.sources.list
resourcemanager.projects.get
resourcemanager.projects.list
rma.annotations.get
rma.collectors.get
rma.collectors.list
rma.locations.*
rma.operations.get
rma.operations.list
serviceusage.quotas.get
Monitoring roles
Permissions
Monitoring Admin
(roles/)
Provides full access to Cloud Monitoring.
Lowest-level resources where you can grant this role:
cloudnotifications.
monitoring.*
opsconfigmonitoring.*
resourcemanager.projects.get
resourcemanager.projects.list
serviceusage.services.enable
serviceusage.services.get
stackdriver.*
Monitoring AlertPolicy Editor
(roles/)
Read/write access to alerting policies.
monitoring.alertPolicies.*
Monitoring AlertPolicy Viewer
(roles/)
Read-only access to alerting policies.
monitoring.alertPolicies.get
monitoring.alertPolicies.list
Monitoring Cloud Console Incident Editor
Beta
(roles/)
Read/write access to incidents from Cloud Console.
Monitoring Cloud Console Incident Viewer
Beta
(roles/)
Read access to incidents from Cloud Console.
Monitoring Dashboard Configuration Editor
(roles/)
Read/write access to dashboard configurations.
monitoring.dashboards.*
Monitoring Dashboard Configuration Viewer
(roles/)
Read-only access to dashboard configurations.
monitoring.dashboards.get
monitoring.dashboards.list
Monitoring Editor
(roles/)
Provides full access to information about all monitoring data and
configurations.
Lowest-level resources where you can grant this role:
cloudnotifications.
monitoring.alertPolicies.*
monitoring.dashboards.*
monitoring.groups.*
monitoring.metricDescriptors.*
monitoring.
monitoring.
monitoring.
monitoring.
monitoring.
monitoring.
monitoring.
monitoring.
monitoring.
monitoring.services.*
monitoring.slos.*
monitoring.snoozes.*
monitoring.timeSeries.*
monitoring.
opsconfigmonitoring.*
resourcemanager.projects.get
resourcemanager.projects.list
serviceusage.services.enable
serviceusage.services.get
stackdriver.*
Monitoring Metric Writer
(roles/)
Provides write-only access to metrics. This provides exactly the permissions
needed by the Cloud Monitoring agent and other systems that send metrics.
Lowest-level resources where you can grant this role:
monitoring.
monitoring.
monitoring.
monitoring.
monitoring.timeSeries.create
Monitoring Metrics Scopes Admin
Beta
(roles/)
Access to add and remove monitored projects from metrics scopes.
monitoring.metricsScopes.link
resourcemanager.projects.get
resourcemanager.projects.list
Monitoring Metrics Scopes Viewer
Beta
(roles/)
Read-only access to metrics scopes and their monitored projects.
resourcemanager.projects.get
resourcemanager.projects.list
Monitoring NotificationChannel Editor
Beta
(roles/)
Read/write access to notification channels.
monitoring.
monitoring.
monitoring.
monitoring.
monitoring.
monitoring.
monitoring.
monitoring.
Monitoring NotificationChannel Viewer
Beta
(roles/)
Read-only access to notification channels.
monitoring.
monitoring.
monitoring.
Monitoring Services Editor
(roles/)
Read/write access to services.
monitoring.services.*
monitoring.slos.*
Monitoring Services Viewer
(roles/)
Read-only access to services.
monitoring.services.get
monitoring.services.list
monitoring.slos.get
monitoring.slos.list
Monitoring Snooze Editor
(roles/)
monitoring.snoozes.*
Monitoring Snooze Viewer
(roles/)
monitoring.snoozes.get
monitoring.snoozes.list
Monitoring Uptime Check Configuration Editor
Beta
(roles/)
Read/write access to uptime check configurations.
monitoring.
Monitoring Uptime Check Configuration Viewer
Beta
(roles/)
Read-only access to uptime check configurations.
monitoring.
monitoring.
Monitoring Viewer
(roles/)
Provides read-only access to get and list information about all monitoring
data and configurations.
Lowest-level resources where you can grant this role:
cloudnotifications.
monitoring.alertPolicies.get
monitoring.alertPolicies.list
monitoring.dashboards.get
monitoring.dashboards.list
monitoring.groups.get
monitoring.groups.list
monitoring.
monitoring.
monitoring.
monitoring.
monitoring.
monitoring.
monitoring.services.get
monitoring.services.list
monitoring.slos.get
monitoring.slos.list
monitoring.snoozes.get
monitoring.snoozes.list
monitoring.timeSeries.list
monitoring.
monitoring.
opsconfigmonitoring.
resourcemanager.projects.get
resourcemanager.projects.list
stackdriver.projects.get
stackdriver.
Network Connectivity roles
Permissions
Service Automation Consumer Network Admin
(roles/)
Service Automation Consumer Network Admin is responsible for setting up ServiceConnectionPolicies.
networkconnectivity.
resourcemanager.projects.get
resourcemanager.projects.list
Group User
(roles/)
Enables use access on group resources
networkconnectivity.groups.use
Hub & Spoke Admin
(roles/)
Enables full access to hub and spoke resources.
Lowest-level resources where you can grant this role:
networkconnectivity.groups.*
networkconnectivity.
networkconnectivity.
networkconnectivity.hubs.*
networkconnectivity.
networkconnectivity.
networkconnectivity.spokes.*
resourcemanager.projects.get
resourcemanager.projects.list
Hub & Spoke Viewer
(roles/)
Enables read-only access to hub and spoke resources.
Lowest-level resources where you can grant this role:
networkconnectivity.groups.get
networkconnectivity.
networkconnectivity.
networkconnectivity.
networkconnectivity.
networkconnectivity.
networkconnectivity.
networkconnectivity.
networkconnectivity.
networkconnectivity.hubs.get
networkconnectivity.
networkconnectivity.hubs.list
networkconnectivity.
networkconnectivity.
networkconnectivity.
networkconnectivity.spokes.get
networkconnectivity.
networkconnectivity.
resourcemanager.projects.get
resourcemanager.projects.list
Regional Endpoint Admin
(roles/)
Full access to all Regional Endpoint resources.
networkconnectivity.
resourcemanager.projects.get
resourcemanager.projects.list
Regional Endpoint Viewer
(roles/)
Read-only access to all Regional Endpoint resources.
networkconnectivity.
networkconnectivity.
resourcemanager.projects.get
resourcemanager.projects.list
Service Class User
(roles/)
Service Class User uses a ServiceClass
networkconnectivity.
networkconnectivity.
networkconnectivity.
resourcemanager.projects.get
resourcemanager.projects.list
Service Automation Service Producer Admin
(roles/)
Service Automation Producer Admin uses information from a consumer request to manage ServiceClasses and ServiceConnectionMaps
networkconnectivity.
networkconnectivity.
networkconnectivity.
networkconnectivity.
resourcemanager.projects.get
resourcemanager.projects.list
Spoke Admin
(roles/)
Enables full access to spoke resources and read-only access to hub resources.
Lowest-level resources where you can grant this role:
networkconnectivity.
networkconnectivity.
networkconnectivity.
networkconnectivity.
networkconnectivity.
networkconnectivity.
networkconnectivity.hubs.get
networkconnectivity.
networkconnectivity.hubs.list
networkconnectivity.
networkconnectivity.
networkconnectivity.
networkconnectivity.spokes.*
resourcemanager.projects.get
resourcemanager.projects.list
Network Management roles
Permissions
Network Management Admin
(roles/)
Full access to Network Management resources.
Lowest-level resources where you can grant this role:
networkmanagement.*
resourcemanager.
resourcemanager.projects.get
resourcemanager.projects.list
Network Management Viewer
(roles/)
Read-only access to Network Management resources.
Lowest-level resources where you can grant this role:
networkmanagement.
networkmanagement.
networkmanagement.
networkmanagement.locations.*
networkmanagement.
networkmanagement.
networkmanagement.
networkmanagement.
resourcemanager.
resourcemanager.projects.get
resourcemanager.projects.list
Network Security roles
Permissions
Intercept Deployment Admin
Beta
(roles/)
Enables full access to intercept resources on the Producer's side.
networksecurity.
networksecurity.
resourcemanager.projects.get
resourcemanager.projects.list
Intercept Deployment User
Beta
(roles/)
Allows a consumer to connect their interceptEndpointGroup to the Producer's interceptDeploymentGroup.
networksecurity.
networksecurity.
networksecurity.
Intercept Deployment Viewer
Beta
(roles/)
Enables read-only access to intercept resources on the Producer's side.
networksecurity.
networksecurity.
networksecurity.
networksecurity.
resourcemanager.projects.get
resourcemanager.projects.list
Intercept Endpoint Admin
Beta
(roles/)
Enables full access to intercept resources on the consumer's side.
networksecurity.
networksecurity.
resourcemanager.projects.get
resourcemanager.projects.list
Intercept Endpoint User
Beta
(roles/)
Allows a consumer to connect their networks to a interceptEndpointGroup.
networksecurity.
networksecurity.
networksecurity.
Intercept Endpoint Viewer
Beta
(roles/)
Enables read-only access to intercept resources on the Consumer's side.
networksecurity.
networksecurity.
networksecurity.
networksecurity.
resourcemanager.projects.get
resourcemanager.projects.list
Mirroring Deployment Admin
Beta
(roles/)
Enables full access to mirroring resources on the Producer's side.
networksecurity.
networksecurity.
resourcemanager.projects.get
resourcemanager.projects.list
Mirroring Deployment User
Beta
(roles/)
Allows a consumer to connect their mirroringEndpointGroup to the Producer's mirroringDeploymentGroup.
networksecurity.
networksecurity.
networksecurity.
Mirroring Deployment Viewer
Beta
(roles/)
Enables read-only access to mirroring resources on the Producer's side.
networksecurity.
networksecurity.
networksecurity.
networksecurity.
resourcemanager.projects.get
resourcemanager.projects.list
Mirroring Endpoint Admin
Beta
(roles/)
Enables full access to mirroring resources on the consumer's side.
networksecurity.
networksecurity.
resourcemanager.projects.get
resourcemanager.projects.list
Mirroring Endpoint User
Beta
(roles/)
Allows a consumer to connect their networks to a mirroringEndpointGroup.
networksecurity.
networksecurity.
networksecurity.
Mirroring Endpoint Viewer
Beta
(roles/)
Enables read-only access to mirroring resources on the Consumer's side.
networksecurity.
networksecurity.
networksecurity.
networksecurity.
resourcemanager.projects.get
resourcemanager.projects.list
Network Services roles
Permissions
Service Extensions Admin
Beta
(roles/)
Provides full access to Service Extensions resources.
networkservices.
networkservices.
networkservices.
networkservices.wasmPlugins.*
resourcemanager.projects.get
resourcemanager.projects.list
Service Extensions Viewer
Beta
(roles/)
Provides read-only access to Service Extensions resources.
networkservices.
networkservices.
networkservices.
networkservices.
networkservices.
networkservices.
networkservices.
networkservices.
resourcemanager.projects.get
resourcemanager.projects.list
Observability roles
Permissions
Observability Admin
Beta
(roles/)
Full access to Observability resources.
observability.*
Observability Analytics User
Beta
(roles/)
Grants permissions to use Cloud Observability Analytics.
observability.analyticsViews.*
observability.scopes.get
Observability Editor
Beta
(roles/)
Edit access to Observability resources.
observability.*
Observability Viewer
Beta
(roles/)
Read only access to Observability resources.
observability.
observability.
observability.scopes.get
On-Demand Scanning roles
Permissions
On-Demand Scanning Admin
Beta
(roles/)
All permissions for On-Demand Scanning
ondemandscanning.*
Ops Config Monitoring roles
Permissions
(roles/)
Read-only access to resource metadata.
opsconfigmonitoring.
(roles/)
Write-only access to resource metadata. This provides exactly the permissions needed by the Ops Config Monitoring metadata agent and other systems that send metadata.
opsconfigmonitoring.
Organization Policy roles
Permissions
Access Transparency Admin
(roles/)
Enable Access Transparency for Organization
Lowest-level resources where you can grant this role:
axt.*
resourcemanager.
resourcemanager.projects.get
resourcemanager.projects.list
Organization Policy Administrator
(roles/)
Provides access to define what restrictions an organization wants to place
on the configuration of cloud resources by setting Organization Policies.
Lowest-level resources where you can grant this role:
orgpolicy.*
policysimulator.
policysimulator.
recommender.
recommender.
Organization Policy Viewer
(roles/)
Provides access to view Organization Policies on resources.
Lowest-level resources where you can grant this role:
orgpolicy.constraints.list
orgpolicy.
orgpolicy.
orgpolicy.policies.list
orgpolicy.policy.get
Other roles
Permissions
Advisory Notifications Admin
(roles/)
Grants write access to settings in Advisory Notifications
advisorynotifications.*
resourcemanager.
resourcemanager.projects.get
Advisory Notifications Viewer
(roles/)
Grants view access in Advisory Notifications
advisorynotifications.
advisorynotifications.
resourcemanager.
resourcemanager.projects.get
Cloud API Hub Admin
Beta
(roles/)
Full access to all API hub resources.
apihub.*
resourcemanager.projects.get
resourcemanager.projects.list
Cloud API hub Attributes Admin
Beta
(roles/)
Full access to all Cloud API hub attribute's resources.
apihub.attributes.*
resourcemanager.projects.get
resourcemanager.projects.list
Cloud API Hub Editor
Beta
(roles/)
Edit access to most of Cloud API Hub resources.
apihub.apiHubInstances.get
apihub.apiHubInstances.list
apihub.apiOperations.*
apihub.apis.*
apihub.attributes.get
apihub.attributes.list
apihub.definitions.*
apihub.dependencies.*
apihub.deployments.*
apihub.externalApis.*
apihub.
apihub.
apihub.llmEnablements.*
apihub.
apihub.operations.get
apihub.operations.list
apihub.plugins.get
apihub.plugins.list
apihub.
apihub.
apihub.specs.*
apihub.styleGuides.get
apihub.versions.*
resourcemanager.projects.get
resourcemanager.projects.list
Cloud API hub Plugins Admin
Beta
(roles/)
Full access to all Cloud API hub plugin's resources.
apihub.plugins.*
apihub.specs.lint
apihub.styleGuides.*
resourcemanager.projects.get
resourcemanager.projects.list
Cloud API hub Provisioning Admin
Beta
(roles/)
Full access to Cloud API hub provisioning related resources.
apihub.apiHubInstances.*
apihub.
apihub.operations.*
apihub.
resourcemanager.projects.get
resourcemanager.projects.list
Cloud API hub Viewer
Beta
(roles/)
View access to all Cloud API hub resources.
apihub.apiHubInstances.get
apihub.apiHubInstances.list
apihub.apiOperations.get
apihub.apiOperations.list
apihub.apis.get
apihub.apis.list
apihub.attributes.get
apihub.attributes.list
apihub.definitions.get
apihub.definitions.list
apihub.dependencies.get
apihub.dependencies.list
apihub.deployments.get
apihub.deployments.list
apihub.externalApis.get
apihub.externalApis.list
apihub.
apihub.
apihub.llmEnablements.get
apihub.llmEnablements.list
apihub.
apihub.operations.get
apihub.operations.list
apihub.plugins.get
apihub.plugins.list
apihub.
apihub.
apihub.specs.get
apihub.specs.list
apihub.styleGuides.get
apihub.versions.get
apihub.versions.list
resourcemanager.projects.get
resourcemanager.projects.list
API Management Admin
Beta
(roles/)
Full access to API Management resources.
apim.*
resourcemanager.projects.get
resourcemanager.projects.list
API Management Viewer
Beta
(roles/)
Readonly access to API Management resources.
apim.apiObservations.get
apim.apiObservations.list
apim.apiOperations.*
apim.locations.*
apim.observationJobs.get
apim.observationJobs.list
apim.observationSources.get
apim.observationSources.list
apim.operations.get
apim.operations.list
resourcemanager.projects.get
resourcemanager.projects.list
App Hub Admin
(roles/)
Full access to App Hub resources.
apphub.*
resourcemanager.projects.get
resourcemanager.projects.list
App Hub Editor
(roles/)
Edit access to App Hub resources.
apphub.applications.create
apphub.applications.delete
apphub.applications.get
apphub.applications.list
apphub.applications.update
apphub.discoveredServices.*
apphub.discoveredWorkloads.*
apphub.locations.*
apphub.operations.*
apphub.
apphub.services.*
apphub.workloads.*
resourcemanager.projects.get
resourcemanager.projects.list
App Hub Viewer
(roles/)
View access to App Hub resources.
apphub.applications.get
apphub.applications.list
apphub.discoveredServices.get
apphub.discoveredServices.list
apphub.discoveredWorkloads.get
apphub.
apphub.locations.*
apphub.operations.get
apphub.operations.list
apphub.
apphub.services.get
apphub.services.list
apphub.workloads.get
apphub.workloads.list
resourcemanager.projects.get
resourcemanager.projects.list
Appliance troubleshooting commands approver
Beta
(roles/)
Grants access to approve commands to run on appliances
applianceactivation.
applianceactivation.
resourcemanager.projects.get
resourcemanager.projects.list
On-appliance troubleshooting client
Beta
(roles/)
Grants access to read commands for an appliance and send its result.
applianceactivation.
applianceactivation.
Appliance troubleshooter
Beta
(roles/)
Grants access to send new commands to run on appliances and view the outputs
applianceactivation.
applianceactivation.
applianceactivation.
resourcemanager.projects.get
resourcemanager.projects.list
Assured OSS Admin
(roles/)
Access to use Assured OSS and manage configuration.
artifactregistry.
artifactregistry.
artifactregistry.
artifactregistry.
artifactregistry.files.get
artifactregistry.files.list
artifactregistry.locations.*
artifactregistry.
artifactregistry.npmpackages.*
artifactregistry.packages.get
artifactregistry.packages.list
artifactregistry.
artifactregistry.
artifactregistry.
artifactregistry.
artifactregistry.
artifactregistry.
artifactregistry.
artifactregistry.
artifactregistry.
artifactregistry.rules.get
artifactregistry.rules.list
artifactregistry.tags.get
artifactregistry.tags.list
artifactregistry.versions.get
artifactregistry.versions.list
assuredoss.*
iam.serviceAccountKeys.create
iam.serviceAccounts.create
iam.serviceAccounts.get
pubsub.schemas.get
pubsub.schemas.list
pubsub.schemas.listRevisions
pubsub.schemas.validate
pubsub.snapshots.get
pubsub.snapshots.list
pubsub.subscriptions.create
pubsub.subscriptions.get
pubsub.subscriptions.list
pubsub.subscriptions.update
pubsub.topics.get
pubsub.topics.list
resourcemanager.
resourcemanager.projects.get
resourcemanager.projects.list
serviceusage.quotas.get
serviceusage.services.enable
serviceusage.services.get
serviceusage.services.list
Assured OSS Project Admin
Beta
(roles/)
Access to use Assured OSS and manage configuration.
artifactregistry.
artifactregistry.
artifactregistry.
artifactregistry.
artifactregistry.files.get
artifactregistry.files.list
artifactregistry.locations.*
artifactregistry.
artifactregistry.npmpackages.*
artifactregistry.packages.get
artifactregistry.packages.list
artifactregistry.
artifactregistry.
artifactregistry.
artifactregistry.
artifactregistry.
artifactregistry.
artifactregistry.
artifactregistry.
artifactregistry.
artifactregistry.rules.get
artifactregistry.rules.list
artifactregistry.tags.get
artifactregistry.tags.list
artifactregistry.versions.get
artifactregistry.versions.list
assuredoss.*
iam.serviceAccounts.create
iam.serviceAccounts.get
pubsub.schemas.get
pubsub.schemas.list
pubsub.schemas.listRevisions
pubsub.schemas.validate
pubsub.snapshots.get
pubsub.snapshots.list
pubsub.subscriptions.get
pubsub.subscriptions.list
pubsub.topics.get
pubsub.topics.list
resourcemanager.
resourcemanager.projects.get
resourcemanager.projects.list
serviceusage.quotas.get
serviceusage.services.enable
serviceusage.services.get
serviceusage.services.list
Assured OSS Reader
(roles/)
Access to use Assured OSS and view Assured OSS configuration.
artifactregistry.
artifactregistry.
artifactregistry.
artifactregistry.
artifactregistry.files.get
artifactregistry.files.list
artifactregistry.locations.*
artifactregistry.
artifactregistry.npmpackages.*
artifactregistry.packages.get
artifactregistry.packages.list
artifactregistry.
artifactregistry.
artifactregistry.
artifactregistry.
artifactregistry.
artifactregistry.
artifactregistry.
artifactregistry.
artifactregistry.rules.get
artifactregistry.rules.list
artifactregistry.tags.get
artifactregistry.tags.list
artifactregistry.versions.get
artifactregistry.versions.list
assuredoss.config.get
assuredoss.locations.*
assuredoss.metadata.*
assuredoss.operations.get
assuredoss.operations.list
pubsub.schemas.get
pubsub.schemas.list
pubsub.schemas.listRevisions
pubsub.schemas.validate
pubsub.snapshots.get
pubsub.snapshots.list
pubsub.subscriptions.get
pubsub.subscriptions.list
pubsub.topics.get
pubsub.topics.list
resourcemanager.
resourcemanager.projects.get
resourcemanager.projects.list
serviceusage.quotas.get
serviceusage.services.get
serviceusage.services.list
Assured OSS User
(roles/)
Access to use Assured OSS.
artifactregistry.
artifactregistry.
artifactregistry.
artifactregistry.
artifactregistry.files.get
artifactregistry.files.list
artifactregistry.locations.*
artifactregistry.
artifactregistry.npmpackages.*
artifactregistry.packages.get
artifactregistry.packages.list
artifactregistry.
artifactregistry.
artifactregistry.
artifactregistry.
artifactregistry.
artifactregistry.
artifactregistry.
artifactregistry.
artifactregistry.rules.get
artifactregistry.rules.list
artifactregistry.tags.get
artifactregistry.tags.list
artifactregistry.versions.get
artifactregistry.versions.list
assuredoss.locations.*
assuredoss.metadata.*
assuredoss.operations.get
assuredoss.operations.list
resourcemanager.
resourcemanager.projects.get
resourcemanager.projects.list
Audit Manager Admin
Beta
(roles/)
Full access to Audit Manager resources.
auditmanager.auditReports.*
auditmanager.
auditmanager.
auditmanager.controlReports.*
auditmanager.controls.list
auditmanager.findings.*
auditmanager.locations.*
auditmanager.operations.*
auditmanager.
cloudasset.
resourcemanager.folders.get
resourcemanager.folders.list
resourcemanager.
resourcemanager.projects.get
resourcemanager.projects.list
Audit Manager Auditor
Beta
(roles/)
Allows creating and viewing an audit report.
auditmanager.auditReports.*
auditmanager.
auditmanager.
auditmanager.controlReports.*
auditmanager.controls.list
auditmanager.findings.*
auditmanager.locations.get
auditmanager.locations.list
auditmanager.operations.*
auditmanager.
cloudasset.
resourcemanager.folders.get
resourcemanager.folders.list
resourcemanager.
resourcemanager.projects.get
resourcemanager.projects.list
Custom Compliance Framework Admin
Beta
(roles/)
Full access to Custom Compliance Framework resources.
auditmanager.
auditmanager.
auditmanager.locations.get
auditmanager.locations.list
auditmanager.operations.*
resourcemanager.
Custom Compliance Framework Viewer
Beta
(roles/)
Allows viewing Custom Compliance Framework resources.
auditmanager.
auditmanager.
auditmanager.
auditmanager.locations.get
auditmanager.locations.list
auditmanager.operations.*
resourcemanager.
Autoscaling Metrics Writer
Beta
(roles/)
Access to write metrics for autoscaling site
autoscaling.sites.writeMetrics
Autoscaling Recommendations Reader
Beta
(roles/)
Access to read recommendations from autoscaling site
autoscaling.
Autoscaling Site Admin
Beta
(roles/)
Full access to all autoscaling site features
autoscaling.*
resourcemanager.projects.get
resourcemanager.projects.list
Autoscaling State Writer
Beta
(roles/)
Access to write state for autoscaling site
autoscaling.sites.writeState
Batch Administrator
(roles/)
Administrator of Batch resources
batch.jobs.*
batch.locations.*
batch.operations.*
batch.resourceAllowances.*
batch.tasks.*
resourcemanager.projects.get
resourcemanager.projects.list
Batch Agent Reporter
(roles/)
Reporter of Batch agent states.
batch.states.report
Batch Job Editor
(roles/)
Editor of Batch Jobs
batch.jobs.*
batch.locations.*
batch.operations.*
batch.tasks.*
resourcemanager.projects.get
resourcemanager.projects.list
Batch Job Viewer
(roles/)
Viewer of Batch Jobs, Task Groups and Tasks
batch.jobs.get
batch.jobs.list
batch.locations.*
batch.operations.*
batch.tasks.*
resourcemanager.projects.get
resourcemanager.projects.list
Batch ResourceAllowance Editor
(roles/)
Editor of Batch ResourceAllowances
batch.locations.*
batch.operations.*
batch.resourceAllowances.*
resourcemanager.projects.get
resourcemanager.projects.list
Batch ResourceAllowance Viewer
(roles/)
Viewer of Batch ResourceAllowances
batch.locations.*
batch.operations.*
batch.resourceAllowances.get
batch.resourceAllowances.list
resourcemanager.projects.get
resourcemanager.projects.list
BigLake Admin
(roles/)
Provides full access to all BigLake resources.
biglake.*
resourcemanager.projects.get
resourcemanager.projects.list
BigLake Viewer
(roles/)
Provides read-only access to all BigLake resources.
biglake.catalogs.get
biglake.catalogs.list
biglake.databases.get
biglake.databases.list
biglake.locks.list
biglake.tables.get
biglake.tables.list
resourcemanager.projects.get
resourcemanager.projects.list
MigrationWorkflow Editor
(roles/)
Editor of EDW migration workflows.
bigquerymigration.subtasks.*
bigquerymigration.
bigquerymigration.
bigquerymigration.
bigquerymigration.
bigquerymigration.
bigquerymigration.
bigquerymigration.
bigquerymigration.
Task Orchestrator
(roles/)
Orchestrator of EDW migration tasks.
bigquerymigration.
storage.objects.list
Migration Translation User
(roles/)
User of EDW migration interactive SQL translation service.
bigquerymigration.
MigrationWorkflow Viewer
(roles/)
Viewer of EDW migration MigrationWorkflow.
bigquerymigration.subtasks.*
bigquerymigration.
bigquerymigration.
Task Worker
(roles/)
Worker that executes EDW migration subtasks.
storage.objects.create
storage.objects.get
storage.objects.list
Carbon Footprint Viewer
(roles/)
billing.accounts.get
billing.
billing.accounts.list
Blockchain Node Engine Admin
(roles/)
Full access to Blockchain Node Engine resources.
blockchainnodeengine.*
resourcemanager.projects.get
resourcemanager.projects.list
Blockchain Node Engine Viewer
(roles/)
Read-only access to Blockchain Node Engine resources.
blockchainnodeengine.
blockchainnodeengine.
blockchainnodeengine.
blockchainnodeengine.
blockchainnodeengine.
resourcemanager.projects.get
resourcemanager.projects.list
Blockchain Validator Manager Admin
Beta
(roles/)
Full access to Blockchain Validator Manager resources.
blockchainvalidatormanager.*
resourcemanager.projects.get
resourcemanager.projects.list
Blockchain Validator Viewer
Beta
(roles/)
Readonly access to Blockchain Validator Manager resources.
blockchainvalidatormanager.
blockchainvalidatormanager.
blockchainvalidatormanager.
blockchainvalidatormanager.
blockchainvalidatormanager.
resourcemanager.projects.get
resourcemanager.projects.list
Capacity Planner Usage Viewer
Beta
(roles/)
Read-only access to Capacity Planner usage resources
capacityplanner.*
cloudquotas.quotas.get
compute.futureReservations.get
compute.
compute.reservations.get
compute.reservations.list
monitoring.timeSeries.list
resourcemanager.folders.get
resourcemanager.
resourcemanager.projects.get
resourcemanager.projects.list
serviceusage.quotas.get
serviceusage.services.get
Care Studio Patients Viewer
(roles/)
This role can view all properties of Patients.
carestudio.*
resourcemanager.projects.get
resourcemanager.projects.list
Chronicle Service Admin
(roles/)
Admins can view and modify Chronicle service details.
chroniclesm.*
Chronicle Service Viewer
(roles/)
Viewers can see Chronicle service details but not change them.
chroniclesm.
chroniclesm.
chroniclesm.
chroniclesm.gcpSettings.get
Location reader
Beta
(roles/)
Read and enumerate locations available for resource creation.
cloud.*
Code Repository Indexes Admin
Beta
(roles/)
Grants full access to Code Repository Indexes resources.
cloudaicompanion.
cloudaicompanion.operations.*
cloudaicompanion.
cloudaicompanion.
cloudaicompanion.
cloudaicompanion.
cloudaicompanion.
cloudaicompanion.
cloudaicompanion.
resourcemanager.projects.get
resourcemanager.projects.list
Code Repository Indexes Viewer
Beta
(roles/)
Grants readonly access to Code Repository Indexes resources.
cloudaicompanion.
cloudaicompanion.
cloudaicompanion.
cloudaicompanion.
cloudaicompanion.
cloudaicompanion.
cloudaicompanion.
resourcemanager.projects.get
resourcemanager.projects.list
Repository Groups User
Beta
(roles/)
Grants Read/Use access to the Code Repository Indexes Repository Group.
cloudaicompanion.
cloudaicompanion.
cloudaicompanion.
cloudaicompanion.
Gemini for Google Cloud User
Beta
(roles/)
A user who can use Gemini for Google Cloud
cloudaicompanion.companions.*
cloudaicompanion.
cloudaicompanion.instances.*
cloudaicompanion.
resourcemanager.projects.get
resourcemanager.projects.list
Cloud Controls Partner Admin
(roles/)
Full access to Cloud Controls Partner resources.
cloudcontrolspartner.
cloudcontrolspartner.
cloudcontrolspartner.
cloudcontrolspartner.
cloudcontrolspartner.
cloudcontrolspartner.
cloudcontrolspartner.
cloudcontrolspartner.
cloudcontrolspartner.
Cloud Controls Partner Editor
(roles/)
Editor access to Cloud Controls Partner resources.
cloudcontrolspartner.*
Cloud Controls Partner Inspectability Reader
(roles/)
Readonly access to Cloud Controls Partner inspectability resources.
cloudcontrolspartner.
cloudcontrolspartner.
cloudcontrolspartner.
cloudcontrolspartner.
Cloud Controls Partner Monitoring Reader
(roles/)
Read-only access to Cloud Controls Partner monitoring resources.
cloudcontrolspartner.
cloudcontrolspartner.
cloudcontrolspartner.
cloudcontrolspartner.
Cloud Controls Partner Reader
(roles/)
Read-only access to Cloud Controls Partner resources.
cloudcontrolspartner.
cloudcontrolspartner.
cloudcontrolspartner.
cloudcontrolspartner.
cloudcontrolspartner.
cloudcontrolspartner.
cloudcontrolspartner.
cloudcontrolspartner.
cloudcontrolspartner.
cloudcontrolspartner.
Cloud Optimization AI Admin
(roles/)
Administrator of Cloud Optimization AI resources
cloudoptimization.*
Cloud Optimization AI Editor
(roles/)
Editor of Cloud Optimization AI resources
cloudoptimization.*
Cloud Optimization AI Viewer
(roles/)
Viewer of Cloud Optimization AI resources
cloudoptimization.
Cloud Quotas Admin
Beta
(roles/)
Full access to Cloud Quotas resources.
cloudquotas.*
monitoring.timeSeries.list
resourcemanager.projects.get
resourcemanager.projects.list
Cloud Quotas Viewer
Beta
(roles/)
Readonly access to Cloud Quotas resources.
cloudquotas.quotas.get
resourcemanager.projects.get
resourcemanager.projects.list
Commerce Agreement Publishing Admin
Beta
(roles/)
Admin of Commerce Agreement Publishing service
commerceagreementpublishing.*
resourcemanager.projects.get
resourcemanager.projects.list
Commerce Agreement Publishing Viewer
Beta
(roles/)
Viewer of Commerce Agreement Publishing service
commerceagreementpublishing.
commerceagreementpublishing.
commerceagreementpublishing.
commerceagreementpublishing.
resourcemanager.projects.get
resourcemanager.projects.list
Confidential Space Workload User
(roles/)
Grants the ability to generate an attestation token and run a workload in a VM. Intended for service accounts that run on Confidential Space VMs.
confidentialcomputing.*
logging.logEntries.create
ConfigDelivery Admin
Beta
(roles/)
Grants full access to all Config Delivery resources. Lets users create, remove and manage fleet packages and resource bundles.
configdelivery.*
resourcemanager.projects.get
resourcemanager.projects.list
ConfigDelivery Viewer
Beta
(roles/)
Grants read access to all Config Delivery resources. Lets users view existing fleet packages and resource bundles, but they will not be able to make any changes.
configdelivery.
configdelivery.
configdelivery.locations.*
configdelivery.operations.get
configdelivery.operations.list
configdelivery.releases.get
configdelivery.releases.list
configdelivery.
configdelivery.
configdelivery.rollouts.get
configdelivery.rollouts.list
resourcemanager.projects.get
resourcemanager.projects.list
Config Delivery Resource Bundle Publisher
Beta
(roles/)
Grants read and write permissions to Config Delivery ResourceBundles and Releases.
configdelivery.locations.*
configdelivery.operations.get
configdelivery.operations.list
configdelivery.releases.create
configdelivery.releases.get
configdelivery.releases.list
configdelivery.releases.update
configdelivery.
configdelivery.
configdelivery.
configdelivery.
resourcemanager.projects.get
resourcemanager.projects.list
(roles/)
Full access to Contact Center AI Platform resources.
contactcenteraiplatform.*
resourcemanager.projects.get
resourcemanager.projects.list
(roles/)
Read-only access to Contact Center AI Platform resources.
contactcenteraiplatform.
contactcenteraiplatform.
contactcenteraiplatform.
contactcenteraiplatform.
contactcenteraiplatform.
resourcemanager.projects.get
resourcemanager.projects.list
(roles/)
Grants read and write access to all Contact Center AI Insights resources.
contactcenterinsights.*
(roles/)
Grants read access to all Contact Center AI Insights resources.
contactcenterinsights.
contactcenterinsights.
contactcenterinsights.
contactcenterinsights.
contactcenterinsights.
contactcenterinsights.
contactcenterinsights.
contactcenterinsights.
contactcenterinsights.
contactcenterinsights.
contactcenterinsights.
contactcenterinsights.
contactcenterinsights.
contactcenterinsights.
contactcenterinsights.
contactcenterinsights.
contactcenterinsights.
contactcenterinsights.
contactcenterinsights.
contactcenterinsights.
contactcenterinsights.
contactcenterinsights.
contactcenterinsights.
contactcenterinsights.
contactcenterinsights.
contactcenterinsights.
contactcenterinsights.
contactcenterinsights.
contactcenterinsights.
contactcenterinsights.
GKE Security Posture Viewer
Beta
(roles/)
Read-only access to GKE Security Posture resources.
container.clusters.list
containersecurity.*
resourcemanager.projects.get
resourcemanager.projects.list
Content Warehouse Admin
(roles/)
Grants full access to all the resources in Content Warehouse
contentwarehouse.corpora.*
contentwarehouse.
contentwarehouse.
contentwarehouse.documents.*
contentwarehouse.locations.*
contentwarehouse.
contentwarehouse.
contentwarehouse.ruleSets.*
contentwarehouse.synonymSets.*
resourcemanager.projects.get
resourcemanager.projects.list
Content Warehouse Document Admin
(roles/)
Grants full access to the document resource in Content Warehouse
contentwarehouse.
contentwarehouse.
contentwarehouse.
contentwarehouse.documents.get
contentwarehouse.
contentwarehouse.
contentwarehouse.
contentwarehouse.links.*
contentwarehouse.
contentwarehouse.
resourcemanager.projects.get
resourcemanager.projects.list
Content Warehouse document creator
(roles/)
Grants access to create document in Content Warehouse
contentwarehouse.
contentwarehouse.
contentwarehouse.
contentwarehouse.
resourcemanager.projects.get
resourcemanager.projects.list
Content Warehouse Document Editor
(roles/)
Grants access to update document resource in Content Warehouse
contentwarehouse.
contentwarehouse.documents.get
contentwarehouse.
contentwarehouse.
contentwarehouse.links.*
contentwarehouse.
contentwarehouse.
resourcemanager.projects.get
resourcemanager.projects.list
Content Warehouse document schema viewer
(roles/)
Grants access to view the document schemas in Content Warehouse
contentwarehouse.
contentwarehouse.
contentwarehouse.
resourcemanager.projects.get
resourcemanager.projects.list
Content Warehouse Viewer
(roles/)
Grants access to view all the resources in Content Warehouse
contentwarehouse.
contentwarehouse.documents.get
contentwarehouse.
contentwarehouse.links.get
contentwarehouse.
contentwarehouse.
resourcemanager.projects.get
resourcemanager.projects.list
Database center viewer
Beta
(roles/)
Viewer role for Database Center resource data
cloudaicompanion.
databasecenter.*
resourcemanager.projects.get
resourcemanager.projects.list
Events Service viewer
Beta
(roles/)
Viewer role for Events Service data
databaseinsights.
databaseinsights.
databaseinsights.
Database Insights monitoring viewer
Beta
(roles/)
Viewer role for Database Insights monitoring data
databaseinsights.
databaseinsights.
databaseinsights.
databaseinsights.locations.*
databaseinsights.
databaseinsights.
resourcemanager.projects.get
resourcemanager.projects.list
Database Insights performing operations
Beta
(roles/)
Admin role for performing Database Insights operations
databaseinsights.
Database Insights recommendation viewer
Beta
(roles/)
Viewer role for Database Insights recommendation data
databaseinsights.locations.*
databaseinsights.
databaseinsights.
databaseinsights.
resourcemanager.projects.get
resourcemanager.projects.list
Database Insights viewer
Beta
(roles/)
Viewer role for Database Insights data
databaseinsights.
databaseinsights.
databaseinsights.
databaseinsights.locations.*
databaseinsights.
databaseinsights.
databaseinsights.
databaseinsights.
resourcemanager.projects.get
resourcemanager.projects.list
Data Lineage Administrator
(roles/)
Grants full access to all resources in Data Lineage API
datalineage.*
resourcemanager.projects.get
resourcemanager.projects.list
Data Lineage Editor
(roles/)
Grants edit access to all resources in Data Lineage API
datalineage.events.*
datalineage.
datalineage.operations.get
datalineage.processes.create
datalineage.processes.get
datalineage.processes.list
datalineage.processes.update
datalineage.runs.create
datalineage.runs.get
datalineage.runs.list
datalineage.runs.update
resourcemanager.projects.get
resourcemanager.projects.list
Data Lineage Events Producer
(roles/)
Grants access to creating all resources in Data Lineage API
datalineage.events.create
datalineage.processes.create
datalineage.processes.get
datalineage.processes.update
datalineage.runs.create
datalineage.runs.get
datalineage.runs.update
resourcemanager.projects.get
resourcemanager.projects.list
Data Lineage Viewer
(roles/)
Grants read access to all resources in Data Lineage API
datalineage.events.get
datalineage.events.list
datalineage.
datalineage.processes.get
datalineage.processes.list
datalineage.runs.get
datalineage.runs.list
resourcemanager.projects.get
resourcemanager.projects.list
Data Processing Controls Resource Admin
(roles/)
Data processing controls admin who can fully manage data processing controls settings and view all datasource data.
billing.accounts.get
billing.accounts.list
dataprocessing.*
Data Processing Controls Data Source Manager
(roles/)
Data processing controls data source manager who can get, list, and update the underlying data.
dataprocessing.
dataprocessing.
Dataproc Resource Manager Admin
Beta
(roles/)
Grants full access to all Dataproc Resource Manager resources. Intended for users that need to create and delete any Dataproc Resource Manager resources.
dataprocrm.*
resourcemanager.projects.get
resourcemanager.projects.list
Dataproc Resource Manager Viewer
Beta
(roles/)
Grants read access to all Dataproc Resource Manager resources. Intended for users that need read-only access to Dataproc Resource Manager resources.
dataprocrm.locations.*
dataprocrm.nodePools.get
dataprocrm.nodePools.list
dataprocrm.nodes.get
dataprocrm.nodes.list
dataprocrm.
dataprocrm.operations.get
dataprocrm.operations.list
dataprocrm.workloads.get
dataprocrm.workloads.list
resourcemanager.projects.get
resourcemanager.projects.list
Developer Connect Admin
Beta
(roles/)
Full access to Developer Connect resources.
developerconnect.connections.*
developerconnect.
developerconnect.
developerconnect.
developerconnect.
developerconnect.
developerconnect.locations.*
developerconnect.operations.*
resourcemanager.projects.get
resourcemanager.projects.list
Developer Connect Read Token Accessor
Beta
(roles/)
Grants access to Read-Only tokens (both PAT and short-lived). Also grants access to view the git repository link.
developerconnect.
developerconnect.
developerconnect.
Developer Connect Token Accessor
Beta
(roles/)
Grants access to Read/Write and Read-Only tokens (both PAT and short-lived). Also grants access to view the git repository link.
developerconnect.
developerconnect.
developerconnect.
developerconnect.
Developer Connect User
Beta
(roles/)
Grants access to view the connection and to the features that interact with the actual repository such as reading content from the repository
developerconnect.
developerconnect.
developerconnect.
developerconnect.
developerconnect.
developerconnect.
developerconnect.
developerconnect.locations.*
developerconnect.
developerconnect.
resourcemanager.projects.get
resourcemanager.projects.list
Developer Connect Viewer
Beta
(roles/)
Readonly access to Developer Connect resources.
developerconnect.
developerconnect.
developerconnect.
developerconnect.
developerconnect.locations.*
developerconnect.
developerconnect.
resourcemanager.projects.get
resourcemanager.projects.list
Discovery Engine Admin
(roles/)
Grants full access to all discoveryengine resources.
discoveryengine.*
resourcemanager.projects.get
resourcemanager.projects.list
Discovery Engine Editor
(roles/)
Grants read and write access to all discovery engine resources.
discoveryengine.aclConfigs.get
discoveryengine.analytics.*
discoveryengine.answers.get
discoveryengine.branches.*
discoveryengine.
discoveryengine.
discoveryengine.
discoveryengine.
discoveryengine.
discoveryengine.
discoveryengine.controls.get
discoveryengine.controls.list
discoveryengine.
discoveryengine.
discoveryengine.dataStores.get
discoveryengine.
discoveryengine.
discoveryengine.
discoveryengine.
discoveryengine.
discoveryengine.documents.get
discoveryengine.
discoveryengine.documents.list
discoveryengine.
discoveryengine.engines.get
discoveryengine.engines.list
discoveryengine.engines.pause
discoveryengine.engines.resume
discoveryengine.engines.tune
discoveryengine.
discoveryengine.
discoveryengine.
discoveryengine.models.*
discoveryengine.operations.*
discoveryengine.projects.get
discoveryengine.
discoveryengine.
discoveryengine.
discoveryengine.schemas.get
discoveryengine.schemas.list
discoveryengine.
discoveryengine.
discoveryengine.
discoveryengine.
discoveryengine.
discoveryengine.
discoveryengine.
discoveryengine.sessions.*
discoveryengine.
discoveryengine.
discoveryengine.
discoveryengine.
discoveryengine.
discoveryengine.
discoveryengine.
resourcemanager.projects.get
resourcemanager.projects.list
Discovery Engine User
Beta
(roles/)
Grants user-level access to Discovery Engine resources.
discoveryengine.answers.get
discoveryengine.
discoveryengine.
discoveryengine.
discoveryengine.
discoveryengine.sessions.get
discoveryengine.sessions.list
discoveryengine.
Discovery Engine Viewer
(roles/)
Grants read access to all discovery engine resources.
discoveryengine.aclConfigs.get
discoveryengine.analytics.*
discoveryengine.answers.get
discoveryengine.branches.*
discoveryengine.
discoveryengine.
discoveryengine.
discoveryengine.
discoveryengine.
discoveryengine.
discoveryengine.controls.get
discoveryengine.controls.list
discoveryengine.
discoveryengine.
discoveryengine.
discoveryengine.
discoveryengine.dataStores.get
discoveryengine.
discoveryengine.
discoveryengine.
discoveryengine.documents.get
discoveryengine.documents.list
discoveryengine.engines.get
discoveryengine.engines.list
discoveryengine.
discoveryengine.
discoveryengine.
discoveryengine.models.get
discoveryengine.models.list
discoveryengine.operations.*
discoveryengine.projects.get
discoveryengine.
discoveryengine.
discoveryengine.
discoveryengine.
discoveryengine.
discoveryengine.schemas.get
discoveryengine.schemas.list
discoveryengine.
discoveryengine.
discoveryengine.
discoveryengine.
discoveryengine.
discoveryengine.
discoveryengine.
discoveryengine.sessions.get
discoveryengine.sessions.list
discoveryengine.
discoveryengine.
discoveryengine.
discoveryengine.
discoveryengine.
resourcemanager.projects.get
resourcemanager.projects.list
Enterprise Purchasing Admin
Beta
(roles/)
Full access to Enterprise Purchasing resources.
enterprisepurchasing.*
resourcemanager.projects.get
resourcemanager.projects.list
Enterprise Purchasing Editor
Beta
(roles/)
Edit access to Enterprise Purchasing resources.
enterprisepurchasing.
enterprisepurchasing.
enterprisepurchasing.
enterprisepurchasing.
enterprisepurchasing.
enterprisepurchasing.
resourcemanager.projects.get
resourcemanager.projects.list
Enterprise Purchasing Viewer
Beta
(roles/)
Readonly access to Enterprise Purchasing resources.
enterprisepurchasing.
enterprisepurchasing.
enterprisepurchasing.
enterprisepurchasing.
enterprisepurchasing.
enterprisepurchasing.
resourcemanager.projects.get
resourcemanager.projects.list
(roles/)
Full access to all essential contacts
essentialcontacts.*
(roles/)
Viewer for all essential contacts
essentialcontacts.contacts.get
essentialcontacts.
Firebase Cloud Messaging API Admin
Beta
(roles/)
Full read/write access to Firebase Cloud Messaging API resources.
cloudmessaging.messages.create
fcmdata.deliverydata.list
resourcemanager.projects.get
resourcemanager.projects.list
Firebase Crash Symbol Uploader
(roles/)
Full read/write access to symbol mapping file resources for Firebase Crash Reporting.
firebase.clients.get
firebase.clients.list
resourcemanager.projects.get
Firebase Data Connect API Admin
Beta
(roles/)
Full access to Firebase Data Connect API resources, including data.
firebasedataconnect.*
resourcemanager.projects.get
resourcemanager.projects.list
Firebase Data Connect API Data Admin
Beta
(roles/)
Full access to data sources.
firebasedataconnect.
firebasedataconnect.
Firebase Data Connect API Data Viewer
Beta
(roles/)
Readonly access to data sources.
firebasedataconnect.
Firebase Data Connect API Viewer
Beta
(roles/)
Readonly access to Firebase Data Connect API resources. Role does not grant access to data.
firebasedataconnect.
firebasedataconnect.
firebasedataconnect.
firebasedataconnect.
firebasedataconnect.
firebasedataconnect.
firebasedataconnect.
firebasedataconnect.
firebasedataconnect.
firebasedataconnect.
firebasedataconnect.
firebasedataconnect.
firebasedataconnect.
resourcemanager.projects.get
resourcemanager.projects.list
GDC Hardware Management Admin
Beta
(roles/)
Full access to GDC Hardware Management resources.
gdchardwaremanagement.*
resourcemanager.projects.get
resourcemanager.projects.list
GDC Hardware Management Operator
Beta
(roles/)
Create, read, and update access to GDC Hardware Management resources that support those operations. Also grants delete access to HardwareGroup resource.
gdchardwaremanagement.
gdchardwaremanagement.
gdchardwaremanagement.
gdchardwaremanagement.
gdchardwaremanagement.
gdchardwaremanagement.
gdchardwaremanagement.
gdchardwaremanagement.
gdchardwaremanagement.
gdchardwaremanagement.
gdchardwaremanagement.
gdchardwaremanagement.sites.*
gdchardwaremanagement.skus.*
gdchardwaremanagement.zones.*
resourcemanager.projects.get
resourcemanager.projects.list
GDC Hardware Management Reader
Beta
(roles/)
Readonly access to GDC Hardware Management resources.
gdchardwaremanagement.
gdchardwaremanagement.
gdchardwaremanagement.
gdchardwaremanagement.
gdchardwaremanagement.
gdchardwaremanagement.
gdchardwaremanagement.
gdchardwaremanagement.
gdchardwaremanagement.
gdchardwaremanagement.
gdchardwaremanagement.
gdchardwaremanagement.
gdchardwaremanagement.
gdchardwaremanagement.
gdchardwaremanagement.skus.*
gdchardwaremanagement.
gdchardwaremanagement.
resourcemanager.projects.get
resourcemanager.projects.list
(roles/)
Full access to Identity Platform resources.
firebaseauth.*
identitytoolkit.*
(roles/)
Read access to Identity Platform resources.
firebaseauth.configs.get
firebaseauth.users.get
identitytoolkit.tenants.get
identitytoolkit.
identitytoolkit.tenants.list
(roles/)
Full access to Identity Toolkit resources.
firebaseauth.*
identitytoolkit.*
(roles/)
Read access to Identity Toolkit resources.
firebaseauth.configs.get
firebaseauth.users.get
identitytoolkit.tenants.get
identitytoolkit.
identitytoolkit.tenants.list
Apigee Integration Admin
(roles/)
A user that has full access to all Apigee integrations.
connectors.actions.*
connectors.
connectors.entities.*
connectors.entityTypes.list
integrations.
integrations.
integrations.
integrations.
integrations.
integrations.
integrations.
integrations.
integrations.authConfigs.*
integrations.certificates.*
integrations.executions.get
integrations.executions.list
integrations.
integrations.
integrations.
integrations.
integrations.
integrations.
integrations.
integrations.
integrations.
integrations.integrations.get
integrations.
integrations.integrations.list
integrations.
integrations.sfdcChannels.*
integrations.sfdcInstances.*
integrations.suspensions.*
resourcemanager.projects.get
resourcemanager.projects.list
Apigee Integration Deployer
(roles/)
A developer that can deploy/undeploy Apigee integrations to the integration runtime.
integrations.
integrations.
integrations.
integrations.
integrations.
integrations.
integrations.
integrations.
integrations.integrations.get
integrations.integrations.list
resourcemanager.projects.get
resourcemanager.projects.list
Apigee Integration Editor
(roles/)
A developer that can list, create and update Apigee integrations.
connectors.actions.*
connectors.
connectors.entities.*
connectors.entityTypes.list
integrations.
integrations.
integrations.
integrations.
integrations.
integrations.
integrations.
integrations.
integrations.
integrations.
integrations.
integrations.
integrations.
integrations.
integrations.
integrations.
integrations.
integrations.
integrations.
integrations.
integrations.authConfigs.get
integrations.authConfigs.list
integrations.
integrations.certificates.get
integrations.executions.get
integrations.executions.list
integrations.
integrations.
integrations.
integrations.
integrations.
integrations.
integrations.
integrations.integrations.get
integrations.
integrations.integrations.list
integrations.
integrations.sfdcChannels.*
integrations.sfdcInstances.*
resourcemanager.projects.get
resourcemanager.projects.list
Apigee Integration Invoker
(roles/)
A role that can invoke Apigee integrations.
connectors.actions.*
connectors.
connectors.entities.*
connectors.entityTypes.list
integrations.
integrations.
integrations.
integrations.
integrations.executions.get
integrations.executions.list
integrations.
integrations.
integrations.
integrations.integrations.get
integrations.
integrations.integrations.list
resourcemanager.projects.get
resourcemanager.projects.list
Apigee Integration Viewer
(roles/)
A developer that can list and view Apigee integrations.
integrations.
integrations.
integrations.
integrations.
integrations.
integrations.
integrations.
integrations.authConfigs.get
integrations.authConfigs.list
integrations.certificates.get
integrations.certificates.list
integrations.executions.get
integrations.executions.list
integrations.
integrations.
integrations.integrations.get
integrations.integrations.list
integrations.sfdcChannels.list
integrations.
resourcemanager.projects.get
resourcemanager.projects.list
Apigee Integration Approver
(roles/)
A role that can approve / reject Apigee integrations that contain a suspension/wait task.
integrations.
integrations.suspensions.*
resourcemanager.projects.get
resourcemanager.projects.list
Certificate Viewer
(roles/)
A developer that can list and view Certificates.
integrations.certificates.get
resourcemanager.projects.get
resourcemanager.projects.list
Application Integration Admin
(roles/)
A user that has full access (CRUD) to all integrations.
integrations.
integrations.
integrations.
integrations.
integrations.
integrations.
integrations.
integrations.
integrations.authConfigs.*
integrations.certificates.*
integrations.executions.*
integrations.
integrations.
integrations.
integrations.
integrations.
integrations.
integrations.integrations.*
integrations.sfdcChannels.*
integrations.sfdcInstances.*
integrations.suspensions.*
integrations.testCases.*
resourcemanager.projects.get
resourcemanager.projects.list
Application Integration Deployer
(roles/)
A developer that can deploy/undeploy integrations to the integration runtime.
integrations.
integrations.
integrations.
integrations.
integrations.
integrations.
integrations.
integrations.
integrations.integrations.get
integrations.integrations.list
resourcemanager.projects.get
resourcemanager.projects.list
Application Integration Editor
(roles/)
A developer that can list, create and update integrations.
integrations.
integrations.
integrations.
integrations.
integrations.
integrations.
integrations.
integrations.
integrations.
integrations.
integrations.
integrations.
integrations.
integrations.
integrations.
integrations.
integrations.
integrations.
integrations.
integrations.
integrations.authConfigs.get
integrations.authConfigs.list
integrations.
integrations.certificates.get
integrations.executions.*
integrations.
integrations.
integrations.
integrations.
integrations.
integrations.
integrations.
integrations.
integrations.integrations.get
integrations.
integrations.integrations.list
integrations.
integrations.sfdcChannels.*
integrations.sfdcInstances.*
integrations.testCases.*
resourcemanager.projects.get
resourcemanager.projects.list
Application Integration Invoker
(roles/)
A role that can invoke integrations.
integrations.
integrations.
integrations.
integrations.
integrations.executions.*
integrations.
integrations.
integrations.
integrations.integrations.get
integrations.
integrations.integrations.list
integrations.testCases.get
integrations.testCases.invoke
integrations.testCases.list
resourcemanager.projects.get
resourcemanager.projects.list
Application Integration Viewer
(roles/)
A developer that can list and view integrations.
integrations.
integrations.
integrations.
integrations.
integrations.
integrations.
integrations.
integrations.authConfigs.get
integrations.authConfigs.list
integrations.certificates.get
integrations.certificates.list
integrations.executions.get
integrations.executions.list
integrations.
integrations.
integrations.
integrations.integrations.get
integrations.integrations.list
integrations.sfdcChannels.list
integrations.
integrations.testCases.get
integrations.testCases.list
resourcemanager.projects.get
resourcemanager.projects.list
Security Integration Admin
Beta
(roles/)
A user that has full access to all Security integrations.
integrations.
integrations.
integrations.
integrations.
integrations.
Application Integration SFDC Instance Admin
(roles/)
A user that has full access (CRUD) to all SFDC instances.
integrations.sfdcChannels.*
integrations.sfdcInstances.*
resourcemanager.projects.get
resourcemanager.projects.list
Application Integration SFDC Instance Editor
(roles/)
A developer that can list, create and update integrations.
integrations.
integrations.sfdcChannels.get
integrations.sfdcChannels.list
integrations.
integrations.
integrations.sfdcInstances.get
integrations.
integrations.
resourcemanager.projects.get
resourcemanager.projects.list
Application Integration SFDC Instance Viewer
(roles/)
A developer that can list and view SFDC instances.
integrations.sfdcChannels.get
integrations.sfdcChannels.list
integrations.sfdcInstances.get
integrations.
resourcemanager.projects.get
resourcemanager.projects.list
Application Integration Approver
(roles/)
A role that can resolve suspended integrations.
integrations.
integrations.suspensions.*
resourcemanager.projects.get
resourcemanager.projects.list
Issuerswitch Account Manager Admin
Beta
(roles/)
This role can perform all account manager related operations
issuerswitch.
issuerswitch.managedAccounts.*
issuerswitch.operations.get
issuerswitch.operations.list
resourcemanager.projects.get
resourcemanager.projects.list
Issuerswitch Account Manager Transactions Admin
Beta
(roles/)
This role can perform all account manager transactions related operations
issuerswitch.
issuerswitch.operations.get
issuerswitch.operations.list
resourcemanager.projects.get
resourcemanager.projects.list
Issuerswitch Account Manager Transactions Viewer
Beta
(roles/)
This role can view all account manager transactions
issuerswitch.
issuerswitch.operations.get
issuerswitch.operations.list
resourcemanager.projects.get
resourcemanager.projects.list
Issuerswitch Admin
Beta
(roles/)
Access to all issuer switch roles
issuerswitch.*
resourcemanager.projects.get
resourcemanager.projects.list
Issuerswitch Participants Admin
Beta
(roles/)
Full access to issuer switch participants
issuerswitch.
resourcemanager.projects.get
resourcemanager.projects.list
Issuerswitch Resolutions Admin
Beta
(roles/)
Full access to issuer switch resolutions
issuerswitch.
issuerswitch.complaints.*
issuerswitch.disputes.*
issuerswitch.operations.get
resourcemanager.projects.get
resourcemanager.projects.list
Issuerswitch Rules Admin
Beta
(roles/)
Full access to issuer switch rules
issuerswitch.ruleMetadata.list
issuerswitch.
issuerswitch.rules.list
resourcemanager.projects.get
resourcemanager.projects.list
Issuerswitch Rules Viewer
Beta
(roles/)
This role can view rules and related metadata.
issuerswitch.ruleMetadata.list
issuerswitch.
issuerswitch.rules.list
resourcemanager.projects.get
resourcemanager.projects.list
Issuerswitch Transactions Viewer
Beta
(roles/)
This role can view all transactions
issuerswitch.
issuerswitch.
issuerswitch.
issuerswitch.
issuerswitch.operations.get
issuerswitch.operations.list
resourcemanager.projects.get
resourcemanager.projects.list
(roles/)
Publisher of Kubernetes clusters metadata
kubernetesmetadata.*
Cloud License Manager Admin
(roles/)
Full access to Cloud License Manager resources.
licensemanager.*
resourcemanager.projects.get
resourcemanager.projects.list
Cloud License Manager Viewer
(roles/)
Readonly access to Cloud License Manager resources.
licensemanager.
licensemanager.
licensemanager.instances.*
licensemanager.locations.*
licensemanager.operations.get
licensemanager.operations.list
licensemanager.products.*
resourcemanager.projects.get
resourcemanager.projects.list
Managed Flink Admin
Beta
(roles/)
Full access to Managed Flink resources.
managedflink.*
resourcemanager.projects.get
resourcemanager.projects.list
Managed Flink Developer
Beta
(roles/)
Full access to Managed Flink Jobs and Sessions and read access to Deployments.
managedflink.deployments.get
managedflink.deployments.list
managedflink.jobs.*
managedflink.locations.*
managedflink.operations.get
managedflink.operations.list
managedflink.sessions.*
resourcemanager.projects.get
resourcemanager.projects.list
Managed Flink Viewer
Beta
(roles/)
Readonly access to Managed Flink resources.
managedflink.deployments.get
managedflink.deployments.list
managedflink.jobs.get
managedflink.jobs.list
managedflink.locations.*
managedflink.operations.get
managedflink.operations.list
managedflink.sessions.get
managedflink.sessions.list
resourcemanager.projects.get
resourcemanager.projects.list
Managed Kafka Admin
Beta
(roles/)
Full access to Managed Kafka resources.
managedkafka.*
resourcemanager.projects.get
resourcemanager.projects.list
serviceusage.quotas.get
serviceusage.services.get
serviceusage.services.list
Managed Kafka Client
Beta
(roles/)
Provides access to connect to the Kafka servers in a cluster, i.e. provides Kafka data plane access. Intended for, e.g., producers and consumers.
managedkafka.clusters.connect
managedkafka.clusters.get
managedkafka.clusters.list
managedkafka.consumerGroups.*
managedkafka.locations.*
managedkafka.operations.get
managedkafka.operations.list
managedkafka.topics.*
resourcemanager.projects.get
resourcemanager.projects.list
serviceusage.quotas.get
serviceusage.services.get
serviceusage.services.list
Managed Kafka Cluster Editor
Beta
(roles/)
Provides read and write access to Kafka clusters. Intended for, e.g., IT Departments that provision Kafka clusters, but need not be able to read or modify topics or consumer groups.
managedkafka.clusters.create
managedkafka.clusters.delete
managedkafka.clusters.get
managedkafka.clusters.list
managedkafka.clusters.update
managedkafka.
managedkafka.
managedkafka.locations.*
managedkafka.operations.get
managedkafka.operations.list
managedkafka.topics.get
managedkafka.topics.list
resourcemanager.projects.get
resourcemanager.projects.list
serviceusage.quotas.get
serviceusage.services.get
serviceusage.services.list
Managed Kafka Consumer Group Editor
Beta
(roles/)
Provides read and write access to consumer group metadata. Intended for, e.g., developers who configure consumer groups.
managedkafka.clusters.get
managedkafka.clusters.list
managedkafka.consumerGroups.*
managedkafka.locations.*
managedkafka.operations.get
managedkafka.operations.list
managedkafka.topics.get
managedkafka.topics.list
resourcemanager.projects.get
resourcemanager.projects.list
serviceusage.quotas.get
serviceusage.services.get
serviceusage.services.list
Managed Kafka Topic Editor
Beta
(roles/)
Provides read and write access to topic metadata. Intended for, e.g., developers who configure topics.
managedkafka.clusters.get
managedkafka.clusters.list
managedkafka.
managedkafka.
managedkafka.locations.*
managedkafka.operations.get
managedkafka.operations.list
managedkafka.topics.*
resourcemanager.projects.get
resourcemanager.projects.list
serviceusage.quotas.get
serviceusage.services.get
serviceusage.services.list
Managed Kafka Viewer
Beta
(roles/)
Readonly access to Managed Kafka resources.
managedkafka.clusters.get
managedkafka.clusters.list
managedkafka.
managedkafka.
managedkafka.locations.*
managedkafka.operations.get
managedkafka.operations.list
managedkafka.topics.get
managedkafka.topics.list
resourcemanager.projects.get
resourcemanager.projects.list
serviceusage.quotas.get
serviceusage.services.get
serviceusage.services.list
Mandiant Attack Surface Management Editor
Beta
(roles/)
Access to write Attack Surface Management
mandiant.
mandiant.
mandiant.
mandiant.
mandiant.
mandiant.
resourcemanager.projects.get
resourcemanager.projects.list
Mandiant Attack Surface Management Viewer
Beta
(roles/)
Access to read Attack Surface Management
mandiant.
mandiant.genericPlatforms.get
resourcemanager.projects.get
resourcemanager.projects.list
Mandiant Digital Threat Monitoring Editor
Beta
(roles/)
Access to write Digital Threat Monitoring
mandiant.
mandiant.
mandiant.
mandiant.
resourcemanager.projects.get
resourcemanager.projects.list
Mandiant Digital Threat Monitoring Viewer
Beta
(roles/)
Access to read Digital Threat Monitoring
mandiant.
mandiant.genericPlatforms.get
resourcemanager.projects.get
resourcemanager.projects.list
Mandiant Expertise On Demand Editor
Beta
(roles/)
Access to write Expertise On Demand
mandiant.
mandiant.
mandiant.
mandiant.
mandiant.
mandiant.
resourcemanager.projects.get
resourcemanager.projects.list
Mandiant Expertise On Demand Viewer
Beta
(roles/)
Access to read Expertise On Demand
mandiant.
mandiant.genericPlatforms.get
resourcemanager.projects.get
resourcemanager.projects.list
Mandiant Threat Intel Editor
Beta
(roles/)
Access to write Threat Intel
mandiant.
mandiant.
mandiant.
mandiant.
mandiant.
mandiant.
resourcemanager.projects.get
resourcemanager.projects.list
Mandiant Threat Intel Viewer
Beta
(roles/)
Access to read Threat Intel
mandiant.genericPlatforms.get
mandiant.
resourcemanager.projects.get
resourcemanager.projects.list
Mandiant Validation Editor
Beta
(roles/)
Access to write Validation
mandiant.
mandiant.
mandiant.
mandiant.
mandiant.
mandiant.
resourcemanager.projects.get
resourcemanager.projects.list
Mandiant Validation Viewer
Beta
(roles/)
Access to read Validation
mandiant.genericPlatforms.get
mandiant.
resourcemanager.projects.get
resourcemanager.projects.list
Mobility Solutions Overages Viewer
Beta
(roles/)
Grants read-only access to Mobility Solutions Overages metric data.
mapsanalytics.
resourcemanager.projects.get
resourcemanager.projects.list
serviceusage.services.list
Maps Analytics Viewer
Beta
(roles/)
Grants read-only access to all of the Maps Analytics resources.
mapsanalytics.metricData.query
mapsanalytics.
resourcemanager.projects.get
resourcemanager.projects.list
serviceusage.services.list
(roles/)
Grants read and write access to all the Maps Platform Datasets API resources
mapsadmin.clientStyles.*
mapsplatformdatasets.*
resourcemanager.projects.get
resourcemanager.projects.list
(roles/)
Grants read-only access to all the Maps Platform Datasets API resources
mapsadmin.clientStyles.get
mapsadmin.clientStyles.list
mapsplatformdatasets.
mapsplatformdatasets.
mapsplatformdatasets.
resourcemanager.projects.get
resourcemanager.projects.list
Marketplace Solutions Admin
Beta
(roles/)
Full access to Marketplace Solutions resources.
marketplacesolutions.*
resourcemanager.projects.get
resourcemanager.projects.list
Marketplace Solutions Editor
Beta
(roles/)
Edit access to Marketplace Solutions resources.
marketplacesolutions.
marketplacesolutions.
marketplacesolutions.
marketplacesolutions.
marketplacesolutions.
marketplacesolutions.
marketplacesolutions.
marketplacesolutions.
marketplacesolutions.
marketplacesolutions.
resourcemanager.projects.get
resourcemanager.projects.list
Marketplace Solutions Viewer
Beta
(roles/)
Readonly access to Marketplace Solutions resources.
marketplacesolutions.
marketplacesolutions.
marketplacesolutions.
marketplacesolutions.
marketplacesolutions.
marketplacesolutions.
marketplacesolutions.
marketplacesolutions.
marketplacesolutions.
resourcemanager.projects.get
resourcemanager.projects.list
Memorystore Admin
Beta
(roles/)
Full access to Memorystore resources.
memorystore.instances.create
memorystore.instances.delete
memorystore.instances.get
memorystore.instances.list
memorystore.instances.update
memorystore.locations.*
memorystore.operations.*
resourcemanager.projects.get
resourcemanager.projects.list
Memorystore DB Connector User
Beta
(roles/)
Access to connecting to Memorystore Server db.
memorystore.instances.connect
Memorystore Viewer
Beta
(roles/)
Readonly access to Memorystore resources.
memorystore.instances.get
memorystore.instances.list
memorystore.locations.*
memorystore.operations.get
memorystore.operations.list
resourcemanager.projects.get
resourcemanager.projects.list
Google Home Developer Console Admin
(roles/)
Admin access to Google Home Developer Console resources
nestconsole.*
resourcemanager.projects.get
resourcemanager.projects.list
Google Home Developer Console Editor
(roles/)
Read-Write access to Google Home Developer Console resources
nestconsole.
nestconsole.
nestconsole.
nestconsole.
resourcemanager.projects.get
resourcemanager.projects.list
Google Home Developer Console Reader
(roles/)
Read-only access to Google Home Developer Console resources
nestconsole.
nestconsole.
resourcemanager.projects.get
resourcemanager.projects.list
Google Cloud NetApp Volumes Admin
Beta
(roles/)
Full access to Google Cloud NetApp Volumes resources.
netapp.*
resourcemanager.projects.get
resourcemanager.projects.list
Google Cloud NetApp Volumes Viewer
Beta
(roles/)
Readonly access to Google Cloud NetApp Volumes resources.
netapp.activeDirectories.get
netapp.activeDirectories.list
netapp.backupPolicies.get
netapp.backupPolicies.list
netapp.backupVaults.get
netapp.backupVaults.list
netapp.backups.get
netapp.backups.list
netapp.kmsConfigs.get
netapp.kmsConfigs.list
netapp.locations.*
netapp.operations.get
netapp.operations.list
netapp.quotaRules.get
netapp.quotaRules.list
netapp.replications.get
netapp.replications.list
netapp.snapshots.get
netapp.snapshots.list
netapp.storagePools.get
netapp.storagePools.list
netapp.volumes.get
netapp.volumes.list
resourcemanager.projects.get
resourcemanager.projects.list
OAuth Config Editor
Beta
(roles/)
Read/write access to OAuth config resources
clientauthconfig.*
oauthconfig.*
OAuth Config Viewer
Beta
(roles/)
Read-only access to OAuth config resources
clientauthconfig.brands.get
clientauthconfig.brands.list
clientauthconfig.clients.get
clientauthconfig.clients.list
oauthconfig.clientpolicy.get
oauthconfig.testusers.get
oauthconfig.verification.get
Oracle Database@Google Cloud admin
(roles/)
Grants full access to manage all Oracle Database resources.
oracledatabase.*
resourcemanager.projects.get
resourcemanager.projects.list
Oracle Database@Google Cloud Autonomous Database Admin
(roles/)
Grants full access to manage all Autonomous Database resources.
oracledatabase.
oracledatabase.
oracledatabase.
oracledatabase.
oracledatabase.
oracledatabase.locations.*
oracledatabase.operations.*
resourcemanager.projects.get
resourcemanager.projects.list
Oracle Database@Google Cloud Autonomous Database Viewer
(roles/)
Grants read access to see all Autonomous Database resources.
oracledatabase.
oracledatabase.
oracledatabase.
oracledatabase.
oracledatabase.
oracledatabase.
oracledatabase.
oracledatabase.locations.*
oracledatabase.operations.get
oracledatabase.operations.list
resourcemanager.projects.get
resourcemanager.projects.list
Oracle Database@Google Cloud Exadata Infrastructure Admin
(roles/)
Grants full access to manage all Exadata Infrastructure resources.
oracledatabase.
oracledatabase.
oracledatabase.
oracledatabase.
oracledatabase.
oracledatabase.dbServers.list
oracledatabase.
oracledatabase.
oracledatabase.giVersions.list
oracledatabase.locations.*
oracledatabase.operations.*
resourcemanager.projects.get
resourcemanager.projects.list
Oracle Database@Google Cloud Exadata Infrastructure Viewer
(roles/)
Grants read access to see all Exadata Infrastructure resources.
oracledatabase.
oracledatabase.
oracledatabase.dbServers.list
oracledatabase.
oracledatabase.
oracledatabase.giVersions.list
oracledatabase.locations.*
oracledatabase.operations.get
oracledatabase.operations.list
resourcemanager.projects.get
resourcemanager.projects.list
Oracle Database@Google Cloud VM Cluster Admin
(roles/)
Grants full access to manage all VM Cluster resources.
oracledatabase.
oracledatabase.
oracledatabase.
oracledatabase.dbNodes.list
oracledatabase.dbServers.list
oracledatabase.
oracledatabase.giVersions.list
oracledatabase.locations.*
oracledatabase.operations.*
resourcemanager.projects.get
resourcemanager.projects.list
Oracle Database@Google Cloud VM Cluster Viewer
(roles/)
Grants read access to see all VM Cluster resources.
oracledatabase.
oracledatabase.
oracledatabase.dbNodes.list
oracledatabase.
oracledatabase.locations.*
oracledatabase.operations.get
oracledatabase.operations.list
resourcemanager.projects.get
resourcemanager.projects.list
Oracle Database@Google Cloud viewer
(roles/)
Grants view access to all Oracle Database resources.
oracledatabase.
oracledatabase.
oracledatabase.
oracledatabase.
oracledatabase.
oracledatabase.
oracledatabase.
oracledatabase.
oracledatabase.
oracledatabase.
oracledatabase.dbNodes.list
oracledatabase.dbServers.list
oracledatabase.
oracledatabase.
oracledatabase.giVersions.list
oracledatabase.locations.*
oracledatabase.operations.get
oracledatabase.operations.list
resourcemanager.projects.get
resourcemanager.projects.list
Parallelstore Admin
(roles/)
Full access to Parallelstore resources.
parallelstore.*
resourcemanager.projects.get
resourcemanager.projects.list
Parallelstore Viewer
(roles/)
Readonly access to Parallelstore resources.
parallelstore.instances.get
parallelstore.instances.list
parallelstore.locations.*
parallelstore.operations.get
parallelstore.operations.list
resourcemanager.projects.get
resourcemanager.projects.list
Parameter Manager Admin
Beta
(roles/)
Grants full access to all Parameter Manager resources. Intended for project admins & owners who need to perform all administrative tasks.
parametermanager.*
resourcemanager.projects.get
resourcemanager.projects.list
Parameter Manager Parameter Accessor
Beta
(roles/)
Grants read access to ParameterManager ParameterVersion resources. Intended for users & applications that need to perform read operations on ParameterVersion only.
parametermanager.locations.*
parametermanager.
resourcemanager.projects.get
resourcemanager.projects.list
Parameter Manager Parameter Version Adder
Beta
(roles/)
Grants create access to Parameter Manager ParameterVersion resources. Intended for users & applications that need to perform create operations on ParameterVersions only.
parametermanager.locations.*
parametermanager.
parametermanager.
parametermanager.
resourcemanager.projects.get
resourcemanager.projects.list
Parameter Manager Parameter Version Manager
Beta
(roles/)
Grants read & write access to all Parameter Manager ParameterVersion resources. Intended for users & applications that need to view Parameters & perform create/read/update/delete/list operations on ParameterVersions only.
parametermanager.locations.*
parametermanager.
parametermanager.
parametermanager.
parametermanager.
parametermanager.
parametermanager.
parametermanager.
resourcemanager.projects.get
resourcemanager.projects.list
Parameter Manager Parameter Viewer
Beta
(roles/)
Grants read access to Parameter Manager Parameter & ParameterVersion resources. Intended for users & applications that need to perform read/list operations on Parameters & ParameterVersions only.
parametermanager.locations.*
parametermanager.
parametermanager.
parametermanager.
parametermanager.
resourcemanager.projects.get
resourcemanager.projects.list
Payments Reseller Admin
Beta
(roles/)
Full access to all Payments Reseller resources, including subscriptions, products and promotions
paymentsresellersubscription.*
resourcemanager.projects.get
resourcemanager.projects.list
Payments Reseller Viewer
Beta
(roles/)
Read access to all Payments Reseller resources, including subscriptions, products and promotions
paymentsresellersubscription.
paymentsresellersubscription.
paymentsresellersubscription.
resourcemanager.projects.get
resourcemanager.projects.list
Payments Reseller Products Viewer
Beta
(roles/)
Read access to Payments Reseller Product resource
paymentsresellersubscription.
resourcemanager.projects.get
resourcemanager.projects.list
(roles/)
Read access to Payments Reseller Promotion resource
paymentsresellersubscription.
resourcemanager.projects.get
resourcemanager.projects.list
Payments Reseller Subscriptions Editor
Beta
(roles/)
Write access to Payments Reseller Subscription resource
paymentsresellersubscription.
resourcemanager.projects.get
resourcemanager.projects.list
Payments Reseller Subscriptions Viewer
Beta
(roles/)
Read access to Payments Reseller Subscription resource
paymentsresellersubscription.
resourcemanager.projects.get
resourcemanager.projects.list
Payments Partner UserSessions Editor
Beta
(roles/)
Editor of UserSessions for a Payments Partner
paymentsresellersubscription.
Activity Analysis Viewer
Beta
(roles/)
Viewer user that can read all activity analysis.
policyanalyzer.*
(roles/)
Grants the ability to enable and disable the usage of the policy remediator for the organization
policyremediatormanager.*
(roles/)
Grants the ability to read/view the state of the policy remediator for the organization
policyremediatormanager.
policyremediatormanager.
policyremediatormanager.
policyremediatormanager.
Simulator Admin
Beta
(roles/)
Admin user that can run and access replays.
policysimulator.
policysimulator.
policysimulator.
policysimulator.replays.*
OrgPolicy Simulator Admin
Beta
(roles/)
OrgPolicy Admin that can run and access simulations.
cloudasset.
cloudasset.
cloudasset.assets.listResource
cloudasset.
orgpolicy.
orgpolicy.
orgpolicy.policies.list
orgpolicy.policy.get
policysimulator.
policysimulator.
resourcemanager.
External Account Key Creator
Beta
(roles/)
This role can create a new externalAccountKey resource.
publicca.
resourcemanager.projects.get
resourcemanager.projects.list
Subscription Linking Admin
(roles/)
Full access to publication reader resources
readerrevenuesubscriptionlinking.*
resourcemanager.projects.get
resourcemanager.projects.list
Subscription Linking Entitlements Viewer
(roles/)
This role can view all publication reader entitlements
readerrevenuesubscriptionlinking.
Subscription Linking Viewer
(roles/)
This role can view all publication reader resources
readerrevenuesubscriptionlinking.
readerrevenuesubscriptionlinking.
resourcemanager.projects.get
resourcemanager.projects.list
Recommendations Exporter
(roles/)
Exporter of Recommendations
recommender.resources.export
Remote Build Execution Action Cache Writer
Beta
(roles/)
Remote Build Execution Action Cache Writer
remotebuildexecution.
remotebuildexecution.
Remote Build Execution Artifact Admin
Beta
(roles/)
Remote Build Execution Artifact Admin
remotebuildexecution.
remotebuildexecution.
remotebuildexecution.
remotebuildexecution.blobs.*
remotebuildexecution.
Remote Build Execution Artifact Creator
Beta
(roles/)
Remote Build Execution Artifact Creator
remotebuildexecution.
remotebuildexecution.
remotebuildexecution.blobs.*
remotebuildexecution.
Remote Build Execution Artifact Viewer
Beta
(roles/)
Remote Build Execution Artifact Viewer
remotebuildexecution.
remotebuildexecution.blobs.get
remotebuildexecution.
Remote Build Execution Configuration Admin
Beta
(roles/)
Remote Build Execution Configuration Admin
remotebuildexecution.
remotebuildexecution.
Remote Build Execution Configuration Viewer
Beta
(roles/)
Remote Build Execution Configuration Viewer
remotebuildexecution.
remotebuildexecution.
remotebuildexecution.
remotebuildexecution.
Remote Build Execution Logstream Writer
Beta
(roles/)
Remote Build Execution Logstream Writer
remotebuildexecution.
remotebuildexecution.
Remote Build Execution Reservation Admin
Beta
(roles/)
Remote Build Execution Reservation Admin
remotebuildexecution.
remotebuildexecution.
remotebuildexecution.
Remote Build Execution Worker
Beta
(roles/)
Remote Build Execution Worker
remotebuildexecution.
remotebuildexecution.blobs.*
remotebuildexecution.
remotebuildexecution.
remotebuildexecution.
Retail Admin
(roles/)
Full access to Retail api resources.
automlrecommendations.
automlrecommendations.
automlrecommendations.
automlrecommendations.
automlrecommendations.
automlrecommendations.
automlrecommendations.
automlrecommendations.
automlrecommendations.
automlrecommendations.
automlrecommendations.
retail.*
Retail Editor
(roles/)
Full access to Retail api resources except purge, rejoin, and setSponsorship.
automlrecommendations.
automlrecommendations.
automlrecommendations.
automlrecommendations.
automlrecommendations.
automlrecommendations.
automlrecommendations.
automlrecommendations.
automlrecommendations.
retail.alertConfigs.*
retail.
retail.
retail.attributesConfigs.get
retail.
retail.
retail.
retail.branches.*
retail.catalogs.*
retail.controls.*
retail.experiments.*
retail.models.*
retail.operations.*
retail.placements.*
retail.products.create
retail.products.delete
retail.products.export
retail.products.get
retail.products.import
retail.products.list
retail.products.update
retail.retailProjects.get
retail.servingConfigs.*
retail.userEvents.create
retail.userEvents.import
Retail Viewer
(roles/)
Grants access to read all resources in Retail.
automlrecommendations.
automlrecommendations.
automlrecommendations.
automlrecommendations.
automlrecommendations.
automlrecommendations.
automlrecommendations.
automlrecommendations.
automlrecommendations.
retail.alertConfigs.get
retail.
retail.attributesConfigs.get
retail.branches.*
retail.catalogs.completeQuery
retail.
retail.catalogs.get
retail.catalogs.list
retail.controls.export
retail.controls.get
retail.controls.list
retail.experiments.get
retail.experiments.list
retail.
retail.
retail.models.get
retail.models.list
retail.operations.*
retail.placements.*
retail.products.export
retail.products.get
retail.products.list
retail.retailProjects.get
retail.servingConfigs.get
retail.servingConfigs.list
retail.servingConfigs.predict
retail.servingConfigs.search
RISC Configuration Admin
Beta
(roles/)
Read/write access to RISC config resources.
clientauthconfig.clients.list
riscconfigurationservice.*
RISC Configuration Viewer
Beta
(roles/)
Read-only access to RISC config resources.
clientauthconfig.clients.list
riscconfigurationservice.
Route Optimization Editor
(roles/)
This role can create long-running operations via BatchOptimizeTours.
resourcemanager.projects.get
resourcemanager.projects.list
routeoptimization.*
Route Optimization Viewer
(roles/)
This role can view any long-running Operations.
resourcemanager.projects.get
resourcemanager.projects.list
routeoptimization.
Serverless Integrations Developer
Beta
(roles/)
Access to create and change Serverless Integrations and their configuration.
resourcemanager.projects.get
resourcemanager.projects.list
runapps.applications.*
runapps.deployments.get
runapps.deployments.list
runapps.locations.*
runapps.operations.*
Serverless Integrations Operator
Beta
(roles/)
Access to deploy Serverless Integrations.
resourcemanager.projects.get
resourcemanager.projects.list
runapps.applications.get
runapps.applications.getStatus
runapps.applications.list
runapps.deployments.*
runapps.locations.*
runapps.operations.*
Serverless Integrations Viewer
Beta
(roles/)
Read-only access to Serverless Integrations resources.
resourcemanager.projects.get
resourcemanager.projects.list
runapps.applications.get
runapps.applications.getStatus
runapps.applications.list
runapps.deployments.get
runapps.deployments.list
runapps.locations.*
runapps.operations.get
runapps.operations.list
Cloud RuntimeConfig Admin
(roles/)
Full access to RuntimeConfig resources.
runtimeconfig.*
(roles/)
Access to modify (remediate) resources in SLZ BQDW Blueprint at Organization.
accesscontextmanager.
accesscontextmanager.
accesscontextmanager.
(roles/)
Access to modify (remediate) resources in SLZ BQDW Blueprint at Project.
bigquery.datasets.get
bigquery.datasets.getIamPolicy
bigquery.datasets.setIamPolicy
bigquery.datasets.update
cloudkms.cryptoKeys.get
cloudkms.
cloudkms.cryptoKeys.list
cloudkms.
cloudkms.cryptoKeys.update
cloudkms.keyRings.getIamPolicy
cloudkms.keyRings.setIamPolicy
pubsub.topics.get
pubsub.topics.getIamPolicy
pubsub.topics.list
pubsub.topics.setIamPolicy
pubsub.topics.update
resourcemanager.
serviceusage.services.use
storage.buckets.get
storage.buckets.getIamPolicy
storage.buckets.list
storage.buckets.setIamPolicy
storage.buckets.update
Overwatch Activator
Beta
(roles/)
This role can activate or suspend Overwatches
resourcemanager.projects.get
resourcemanager.projects.list
securedlandingzone.
securedlandingzone.
Overwatch Admin
Beta
(roles/)
Full access to Overwatches
resourcemanager.projects.get
resourcemanager.projects.list
securedlandingzone.*
Overwatch Viewer
Beta
(roles/)
This role can view all properties of Overwatches
resourcemanager.projects.get
resourcemanager.projects.list
securedlandingzone.
securedlandingzone.
securedlandingzone.
Security Posture Admin
(roles/)
Full access to Security Posture service APIs.
orgpolicy.*
resourcemanager.
securitycenter.
securitycentermanagement.
securitycentermanagement.
securitycentermanagement.
securitycentermanagement.
securitycentermanagement.
securitycentermanagement.
securityposture.*
Security Posture Deployer
(roles/)
Mutate and read permissions to the Posture Deployment resource.
orgpolicy.*
resourcemanager.
securitycenter.
securitycentermanagement.
securitycentermanagement.
securitycentermanagement.
securityposture.operations.get
securityposture.
Security Posture Deployments Viewer
(roles/)
Read only access to the Posture Deployment resource.
resourcemanager.
securityposture.operations.get
securityposture.
securityposture.
Security Posture Resource Editor
(roles/)
Mutate and read permissions to the Posture resource.
securityposture.operations.get
securityposture.postures.*
Security Posture Resource Viewer
(roles/)
Read only access to the Posture resource.
resourcemanager.
securityposture.operations.get
securityposture.postures.get
securityposture.postures.list
Security Posture Shift-Left Validator
(roles/)
Create access for Reports, e.g. IaC Validation Report.
securityposture.operations.get
securityposture.reports.*
Security Posture Viewer
(roles/)
Read only access to all the SecurityPosture Service resources.
resourcemanager.
securityposture.operations.get
securityposture.
securityposture.
securityposture.
securityposture.postures.get
securityposture.postures.list
Personalized Service Health Viewer
(roles/)
Readonly access to Personalized Service Health resources.
resourcemanager.projects.get
resourcemanager.projects.list
servicehealth.*
Security Insights Viewer
Beta
(roles/)
Read-only access to Security Insights resources
servicesecurityinsights.*
Speaker ID Admin
(roles/)
Grants full access to all Speaker ID resources, including project settings.
speakerid.*
Speaker ID Editor
(roles/)
Grants access to read and write all Speaker ID resources.
speakerid.phrases.*
speakerid.speakers.*
Speaker ID Verifier
(roles/)
Grants read access to all Speaker ID resources, and allows verification.
speakerid.phrases.get
speakerid.phrases.list
speakerid.speakers.get
speakerid.speakers.list
speakerid.speakers.verify
Speaker ID Viewer
(roles/)
Grants read access to all Speaker ID resources.
speakerid.phrases.get
speakerid.phrases.list
speakerid.speakers.get
speakerid.speakers.list
Cloud Speech Administrator
(roles/)
Grants full access to all resources in Speech-to-text
speech.*
Cloud Speech Client
(roles/)
Grants access to the recognition APIs.
speech.adaptations.execute
speech.customClasses.get
speech.customClasses.list
speech.locations.*
speech.operations.get
speech.operations.list
speech.operations.wait
speech.phraseSets.get
speech.phraseSets.list
speech.recognizers.get
speech.recognizers.list
speech.recognizers.recognize
Cloud Speech Editor
(roles/)
Grants access to edit resources in Speech-to-text
speech.adaptations.execute
speech.customClasses.*
speech.locations.*
speech.operations.*
speech.phraseSets.*
speech.recognizers.*
Storage Insights Admin
(roles/)
Full access to Storage Insights resources.
resourcemanager.projects.get
resourcemanager.projects.list
storageinsights.*
Storage Insights Analyst
(roles/)
Data access to Storage Insights.
resourcemanager.projects.get
resourcemanager.projects.list
storageinsights.
storageinsights.
storageinsights.
storageinsights.
storageinsights.locations.*
storageinsights.operations.get
storageinsights.
storageinsights.
storageinsights.
storageinsights.
Storage Insights Viewer
(roles/)
Read-only access to Storage Insights resources.
resourcemanager.projects.get
resourcemanager.projects.list
storageinsights.
storageinsights.
storageinsights.locations.*
storageinsights.operations.get
storageinsights.
storageinsights.
storageinsights.
storageinsights.
Subscribe with Google Developer
Beta
(roles/)
Access DevTools for Subscribe with Google
resourcemanager.projects.get
resourcemanager.projects.list
subscribewithgoogledeveloper.
Telco Automation Admin
Beta
(roles/)
Full access to Telco Automation resources.
logging.buckets.get
logging.buckets.list
logging.exclusions.get
logging.exclusions.list
logging.links.get
logging.links.list
logging.locations.*
logging.logEntries.list
logging.logMetrics.get
logging.logMetrics.list
logging.logScopes.get
logging.logScopes.list
logging.logServiceIndexes.list
logging.logServices.list
logging.logs.list
logging.operations.get
logging.operations.list
logging.queries.getShared
logging.queries.listShared
logging.queries.usePrivate
logging.sinks.get
logging.sinks.list
logging.usage.get
logging.views.get
logging.views.list
monitoring.timeSeries.list
observability.scopes.get
resourcemanager.projects.get
serviceusage.quotas.*
serviceusage.services.*
source.repos.get
source.repos.list
telcoautomation.*
Telco Automation Blueprint Designer
Beta
(roles/)
Ability to manage blueprints
telcoautomation.
telcoautomation.
telcoautomation.blueprints.get
telcoautomation.
telcoautomation.
telcoautomation.
telcoautomation.
telcoautomation.
telcoautomation.
telcoautomation.
telcoautomation.
telcoautomation.
telcoautomation.
telcoautomation.
Telco Automation Deployment Admin
Beta
(roles/)
Ability to manage deployments
telcoautomation.blueprints.get
telcoautomation.
telcoautomation.deployments.*
telcoautomation.
telcoautomation.
telcoautomation.
Telco Automation Tier 1 Operations Admin
Beta
(roles/)
Ability to get status of deployments
logging.buckets.get
logging.buckets.list
logging.exclusions.get
logging.exclusions.list
logging.links.get
logging.links.list
logging.locations.*
logging.logEntries.list
logging.logMetrics.get
logging.logMetrics.list
logging.logScopes.get
logging.logScopes.list
logging.logServiceIndexes.list
logging.logServices.list
logging.logs.list
logging.operations.get
logging.operations.list
logging.queries.getShared
logging.queries.listShared
logging.queries.usePrivate
logging.sinks.get
logging.sinks.list
logging.usage.get
logging.views.get
logging.views.list
observability.scopes.get
resourcemanager.projects.get
telcoautomation.blueprints.get
telcoautomation.
telcoautomation.
telcoautomation.
telcoautomation.
telcoautomation.
telcoautomation.
telcoautomation.
telcoautomation.
Telco Automation Tier 4 Operations Admin
Beta
(roles/)
Ability to manage deployments and their status
logging.buckets.get
logging.buckets.list
logging.exclusions.get
logging.exclusions.list
logging.links.get
logging.links.list
logging.locations.*
logging.logEntries.list
logging.logMetrics.get
logging.logMetrics.list
logging.logScopes.get
logging.logScopes.list
logging.logServiceIndexes.list
logging.logServices.list
logging.logs.list
logging.operations.get
logging.operations.list
logging.queries.getShared
logging.queries.listShared
logging.queries.usePrivate
logging.sinks.get
logging.sinks.list
logging.usage.get
logging.views.get
logging.views.list
observability.scopes.get
resourcemanager.projects.get
telcoautomation.blueprints.get
telcoautomation.
telcoautomation.deployments.*
telcoautomation.
telcoautomation.
telcoautomation.
Telco Automation Service Orchestrator
Beta
(roles/)
Ability to manage deployments
telcoautomation.blueprints.get
telcoautomation.
telcoautomation.deployments.*
telcoautomation.
telcoautomation.
telcoautomation.
Timeseries Insights DataSet Editor
Beta
(roles/)
Edit access to DataSets.
timeseriesinsights.*
Timeseries Insights DataSet Owner
Beta
(roles/)
Full access to DataSets.
timeseriesinsights.*
Timeseries Insights DataSet Viewer
Beta
(roles/)
Read-only access (List and Query) to DataSets.
timeseriesinsights.
timeseriesinsights.
timeseriesinsights.
timeseriesinsights.locations.*
Traffic Director Client
Beta
(roles/)
Fetch service configurations and report metrics.
trafficdirector.*
Translation Hub Admin
Beta
(roles/)
Admin of Translation Hub
automl.models.get
automl.models.list
automl.models.predict
cloudtranslate.
cloudtranslate.
cloudtranslate.
cloudtranslate.
cloudtranslate.
cloudtranslate.glossaries.get
cloudtranslate.glossaries.list
cloudtranslate.
resourcemanager.projects.get
resourcemanager.projects.list
translationhub.*
Translation Hub Portal User
Beta
(roles/)
Portal user of Translation Hub
automl.models.get
automl.models.list
automl.models.predict
cloudtranslate.
cloudtranslate.
cloudtranslate.
cloudtranslate.glossaries.get
cloudtranslate.glossaries.list
cloudtranslate.
resourcemanager.projects.get
resourcemanager.projects.list
translationhub.portals.get
translationhub.portals.list
Visual Inspection AI Solution Editor
(roles/)
Read and write access to all Visual Inspection AI resources except visualinspection.locations.reportUsageMetrics
visualinspection.
visualinspection.
visualinspection.annotations.*
visualinspection.datasets.*
visualinspection.images.*
visualinspection.locations.get
visualinspection.
visualinspection.
visualinspection.models.*
visualinspection.modules.*
visualinspection.operations.*
visualinspection.
visualinspection.solutions.*
Visual Inspection AI Usage Metrics Reporter
(roles/)
ReportUsageMetric access to Visual Inspection AI Service
visualinspection.
Visual Inspection AI Viewer
(roles/)
Read access to Visual Inspection AI resources
visualinspection.
visualinspection.
visualinspection.
visualinspection.
visualinspection.
visualinspection.
visualinspection.
visualinspection.datasets.get
visualinspection.datasets.list
visualinspection.images.get
visualinspection.images.list
visualinspection.locations.get
visualinspection.
visualinspection.
visualinspection.models.get
visualinspection.models.list
visualinspection.modules.get
visualinspection.modules.list
visualinspection.operations.*
visualinspection.
visualinspection.
visualinspection.
visualinspection.solutions.get
visualinspection.
PAM roles
Permissions
Privileged Access Manager Admin
(roles/)
Full access to Privileged Access Manager resources.
privilegedaccessmanager.*
resourcemanager.projects.get
Privileged Access Manager Viewer
(roles/)
Readonly access to Privileged Access Manager resources.
privilegedaccessmanager.
privilegedaccessmanager.
privilegedaccessmanager.
privilegedaccessmanager.
privilegedaccessmanager.
privilegedaccessmanager.
privilegedaccessmanager.
privilegedaccessmanager.
resourcemanager.projects.get
Project roles
Permissions
Browser
(roles/)
Read access to browse the hierarchy for a project, including the folder, organization, and allow
policy. This role doesn't include permission to view resources in the project.
Lowest-level resources where you can grant this role:
resourcemanager.folders.get
resourcemanager.folders.list
resourcemanager.
resourcemanager.projects.get
resourcemanager.
resourcemanager.projects.list
Proximity Beacon roles
Permissions
Beacon Attachment Editor
(roles/)
Can create and delete attachments; can list and get a project's beacons; can list a project's namespaces.
proximitybeacon.attachments.*
proximitybeacon.beacons.get
proximitybeacon.beacons.list
proximitybeacon.
resourcemanager.projects.get
resourcemanager.projects.list
Beacon Attachment Publisher
(roles/)
Grants necessary permissions to use beacons to create attachments in namespaces not owned by this project.
proximitybeacon.beacons.attach
proximitybeacon.beacons.get
proximitybeacon.beacons.list
resourcemanager.projects.get
resourcemanager.projects.list
Beacon Attachment Viewer
(roles/)
Can view all attachments under a namespace; no beacon or namespace permissions.
proximitybeacon.
proximitybeacon.
resourcemanager.projects.get
resourcemanager.projects.list
Beacon Editor
(roles/)
Necessary access to register, modify, and view beacons; no attachment or namespace permissions.
proximitybeacon.beacons.create
proximitybeacon.beacons.get
proximitybeacon.beacons.list
proximitybeacon.beacons.update
resourcemanager.projects.get
resourcemanager.projects.list
Pub/Sub roles
Permissions
Pub/Sub Admin
(roles/)
Provides full access to topics and subscriptions.
Lowest-level resources where you can grant this role:
Schema
Snapshot
Subscription
Topic
pubsub.*
resourcemanager.projects.get
serviceusage.quotas.get
serviceusage.services.get
serviceusage.services.list
Pub/Sub Editor
(roles/)
Provides access to modify topics and subscriptions, and access to publish
and consume messages.
Lowest-level resources where you can grant this role:
Schema
Snapshot
Subscription
Topic
pubsub.schemas.attach
pubsub.schemas.commit
pubsub.schemas.create
pubsub.schemas.delete
pubsub.schemas.get
pubsub.schemas.list
pubsub.schemas.listRevisions
pubsub.schemas.rollback
pubsub.schemas.validate
pubsub.snapshots.create
pubsub.snapshots.delete
pubsub.snapshots.get
pubsub.snapshots.list
pubsub.snapshots.seek
pubsub.snapshots.update
pubsub.subscriptions.consume
pubsub.subscriptions.create
pubsub.subscriptions.delete
pubsub.subscriptions.get
pubsub.subscriptions.list
pubsub.subscriptions.update
pubsub.
pubsub.topics.create
pubsub.topics.delete
pubsub.
pubsub.topics.get
pubsub.topics.list
pubsub.topics.publish
pubsub.topics.update
pubsub.topics.updateTag
resourcemanager.projects.get
serviceusage.quotas.get
serviceusage.services.get
serviceusage.services.list
Pub/Sub Publisher
(roles/)
Provides access to publish messages to a topic.
Lowest-level resources where you can grant this role:
pubsub.topics.publish
Pub/Sub Subscriber
(roles/)
Provides access to consume messages from a subscription and to attach
subscriptions to a topic.
Lowest-level resources where you can grant this role:
Snapshot
Subscription
Topic
pubsub.snapshots.seek
pubsub.subscriptions.consume
pubsub.
Pub/Sub Viewer
(roles/)
Provides access to view topics and subscriptions.
Lowest-level resources where you can grant this role:
Schema
Snapshot
Subscription
Topic
pubsub.schemas.get
pubsub.schemas.list
pubsub.schemas.listRevisions
pubsub.schemas.validate
pubsub.snapshots.get
pubsub.snapshots.list
pubsub.subscriptions.get
pubsub.subscriptions.list
pubsub.topics.get
pubsub.topics.list
resourcemanager.projects.get
serviceusage.quotas.get
serviceusage.services.get
serviceusage.services.list
Pub/Sub Lite roles
Permissions
Pub/Sub Lite Admin
(roles/)
Full access to topics, subscriptions and reservations.
pubsublite.*
Pub/Sub Lite Editor
(roles/)
Modify topics, subscriptions and reservations, publish and consume messages.
pubsublite.*
Pub/Sub Lite Publisher
(roles/)
Publish messages to a topic.
pubsublite.
pubsublite.
pubsublite.topics.publish
Pub/Sub Lite Subscriber
(roles/)
Subscribe to and read messages from a topic.
pubsublite.
pubsublite.operations.get
pubsublite.
pubsublite.subscriptions.seek
pubsublite.
pubsublite.
pubsublite.
pubsublite.
pubsublite.
pubsublite.
pubsublite.topics.subscribe
Pub/Sub Lite Viewer
(roles/)
View topics, subscriptions and reservations.
pubsublite.operations.*
pubsublite.reservations.get
pubsublite.reservations.list
pubsublite.
pubsublite.subscriptions.get
pubsublite.
pubsublite.subscriptions.list
pubsublite.topics.get
pubsublite.
pubsublite.topics.list
pubsublite.
Rapid Migration Assessment roles
Permissions
Rapid Migration Assessment Admin
(roles/)
Full access to Rapid Migration Assessment all resources.
resourcemanager.projects.get
resourcemanager.projects.list
rma.*
Rapid Migration Assessment Runner
(roles/)
Update and Read access to Rapid Migration Assessment all resources.
resourcemanager.projects.get
resourcemanager.projects.list
rma.annotations.get
rma.collectors.get
rma.collectors.list
rma.collectors.update
rma.locations.*
rma.operations.get
rma.operations.list
Rapid Migration Assessment Viewer
(roles/)
Read-only access to Rapid Migration Assessment all resources.
resourcemanager.projects.get
resourcemanager.projects.list
rma.annotations.get
rma.collectors.get
rma.collectors.list
rma.locations.*
rma.operations.get
rma.operations.list
reCAPTCHA Enterprise roles
Permissions
reCAPTCHA Enterprise Admin
Beta
(roles/)
Access to view and modify reCAPTCHA Enterprise keys
monitoring.timeSeries.list
recaptchaenterprise.
recaptchaenterprise.keys.*
recaptchaenterprise.
recaptchaenterprise.
resourcemanager.projects.get
resourcemanager.projects.list
reCAPTCHA Enterprise Agent
Beta
(roles/)
Access to create and annotate reCAPTCHA Enterprise assessments
recaptchaenterprise.
recaptchaenterprise.
recaptchaenterprise.
recaptchaenterprise.
resourcemanager.projects.get
resourcemanager.projects.list
reCAPTCHA Enterprise Viewer
Beta
(roles/)
Access to view reCAPTCHA Enterprise keys and metrics
monitoring.timeSeries.list
recaptchaenterprise.
recaptchaenterprise.
recaptchaenterprise.keys.get
recaptchaenterprise.keys.list
recaptchaenterprise.
recaptchaenterprise.
resourcemanager.projects.get
resourcemanager.projects.list
Recommendations AI roles
Permissions
Recommendations AI Admin
Beta
(roles/)
Full access to all Recommendations AI resources.
automlrecommendations.*
resourcemanager.projects.get
resourcemanager.projects.list
retail.catalogs.list
retail.catalogs.update
retail.operations.*
retail.placements.*
retail.products.create
retail.products.delete
retail.products.export
retail.products.get
retail.products.import
retail.products.list
retail.products.purge
retail.products.update
retail.retailProjects.*
retail.userEvents.*
serviceusage.services.get
serviceusage.services.list
Recommendations AI Admin Viewer
Beta
(roles/)
Viewer of all Recommendations AI resources.
automlrecommendations.
automlrecommendations.
automlrecommendations.
automlrecommendations.
automlrecommendations.
automlrecommendations.
automlrecommendations.
automlrecommendations.
automlrecommendations.
automlrecommendations.
automlrecommendations.
resourcemanager.projects.get
resourcemanager.projects.list
retail.catalogs.list
retail.operations.*
retail.placements.*
retail.products.export
retail.products.get
retail.products.list
retail.retailProjects.get
serviceusage.services.get
serviceusage.services.list
Recommendations AI Editor
Beta
(roles/)
Editor of all Recommendations AI resources.
automlrecommendations.
automlrecommendations.
automlrecommendations.
automlrecommendations.
automlrecommendations.
automlrecommendations.
automlrecommendations.
automlrecommendations.
automlrecommendations.
automlrecommendations.
automlrecommendations.
automlrecommendations.
automlrecommendations.
automlrecommendations.
automlrecommendations.
automlrecommendations.
automlrecommendations.
resourcemanager.projects.get
resourcemanager.projects.list
retail.catalogs.list
retail.catalogs.update
retail.operations.*
retail.placements.*
retail.products.create
retail.products.delete
retail.products.export
retail.products.get
retail.products.import
retail.products.list
retail.products.update
retail.retailProjects.get
retail.userEvents.create
retail.userEvents.import
serviceusage.services.get
serviceusage.services.list
Recommendations AI Viewer
Beta
(roles/)
Viewer of all Recommendations resources except apiKeys. To view all resources,
including apiKeys, grant the Recommendations AI Admin Viewer role
(roles/automlrecommendations.adminViewer).
automlrecommendations.
automlrecommendations.
automlrecommendations.
automlrecommendations.
automlrecommendations.
automlrecommendations.
automlrecommendations.
automlrecommendations.
automlrecommendations.
automlrecommendations.
resourcemanager.projects.get
resourcemanager.projects.list
retail.catalogs.list
retail.operations.*
retail.placements.*
retail.products.export
retail.products.get
retail.products.list
retail.retailProjects.get
serviceusage.services.get
serviceusage.services.list
Recommender roles
Permissions
AlloyDB Recommender Admin
Beta
(roles/)
Admin of AlloyDB insights and recommendations.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
resourcemanager.projects.get
resourcemanager.projects.list
AlloyDB Recommender Viewer
Beta
(roles/)
Viewer of AlloyDB insights and recommendations.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
resourcemanager.projects.get
resourcemanager.projects.list
BigQuery Slot Recommender Admin
Beta
(roles/)
Admin of BigQuery Capacity Commitments insights and recommendations.
recommender.
recommender.
recommender.locations.*
resourcemanager.projects.get
resourcemanager.projects.list
BigQuery Recommender Billing Account Admin
Beta
(roles/)
Billing Account Admin of BigQuery Capacity Commitments insights and recommendations.
billing.accounts.get
billing.accounts.list
recommender.
recommender.
BigQuery Recommender Billing Account Viewer
Beta
(roles/)
Billing Account Viewer of BigQuery Capacity Commitments insights and recommendations.
billing.accounts.get
billing.accounts.list
recommender.
recommender.
recommender.
recommender.
BigQuery Recommender Project Admin
Beta
(roles/)
Project Admin of BigQuery Capacity Commitments insights and recommendations.
recommender.
recommender.
recommender.locations.*
resourcemanager.projects.get
resourcemanager.projects.list
BigQuery Recommender Project Viewer
Beta
(roles/)
Project Viewer of BigQuery Capacity Commitments insights and recommendations.
recommender.
recommender.
recommender.
recommender.
recommender.locations.*
resourcemanager.projects.get
resourcemanager.projects.list
BigQuery Slot Recommender Viewer
Beta
(roles/)
Viewer of BigQuery Capacity Commitments insights and recommendations.
recommender.
recommender.
recommender.
recommender.
recommender.locations.*
resourcemanager.projects.get
resourcemanager.projects.list
BigQuery Materialized View Recommender Admin
(roles/)
Admin of BigQuery Materialized View Insights and Recommendations.
recommender.
recommender.
recommender.locations.*
resourcemanager.projects.get
resourcemanager.projects.list
BigQuery Materialized View Recommender Viewer
(roles/)
Viewer of BigQuery Materialized View Insights and Recommendations.
recommender.
recommender.
recommender.
recommender.
recommender.locations.*
resourcemanager.projects.get
resourcemanager.projects.list
BigQuery Partitioning Clustering Recommender Admin
Beta
(roles/)
Admin of BigQuery Partitioning Clustering recommendations.
recommender.
recommender.
resourcemanager.projects.get
resourcemanager.projects.list
BigQuery Partitioning Clustering Recommender Viewer
Beta
(roles/)
Viewer of BigQuery Partitioning Clustering recommendations.
recommender.
recommender.
recommender.
recommender.
resourcemanager.projects.get
resourcemanager.projects.list
Billing Account Usage Commitment Recommender Admin
Beta
(roles/)
Admin of Billing Account Usage Commitment Recommender.
billing.accounts.get
billing.accounts.list
recommender.
recommender.
Billing Account Usage Commitment Recommender Viewer
Beta
(roles/)
Viewer of Billing Account Usage Commitment Recommender.
billing.accounts.get
billing.accounts.list
recommender.
recommender.
recommender.
recommender.
Cloud Asset Insights Admin
(roles/)
Admin of all Cloud Asset insights.
recommender.
resourcemanager.projects.get
resourcemanager.projects.list
Cloud Asset Insights Viewer
(roles/)
Viewer of all Cloud Asset insights.
recommender.
recommender.
resourcemanager.projects.get
resourcemanager.projects.list
Cloud Cost General Recommendations Recommender Admin
Beta
(roles/)
Admin of Cloud Cost General Recommendations Insights and Recommendations.
recommender.
recommender.
recommender.locations.*
resourcemanager.projects.get
resourcemanager.projects.list
Cloud Cost General Recommendations Recommender Viewer
Beta
(roles/)
Viewer of Cloud Cost General Recommendations Insights and Recommendations.
recommender.
recommender.
recommender.
recommender.
recommender.locations.*
resourcemanager.projects.get
resourcemanager.projects.list
Cloud Deprecation General Recommender Admin
Beta
(roles/)
Admin of Cloud Deprecation General Recommender Insights and Recommendations.
recommender.
recommender.
recommender.locations.*
resourcemanager.projects.get
resourcemanager.projects.list
Cloud Deprecation General Recommender Viewer
Beta
(roles/)
Viewer of Cloud Deprecation General Recommender Insights and Recommendations.
recommender.
recommender.
recommender.
recommender.
recommender.locations.*
resourcemanager.projects.get
resourcemanager.projects.list
Cloud Manageability General Recommendations Recommender Admin
Beta
(roles/)
Admin of Cloud Manageability General Recommendations Insights and Recommendations.
recommender.
recommender.
recommender.locations.*
resourcemanager.projects.get
resourcemanager.projects.list
Cloud Manageability General Recommendations Recommender Viewer
Beta
(roles/)
Viewer of Cloud Manageability General Recommendations Insights and Recommendations.
recommender.
recommender.
recommender.
recommender.
recommender.locations.*
resourcemanager.projects.get
resourcemanager.projects.list
(roles/)
Admin of Cloud Performance General Recommendations Insights and Recommendations.
recommender.
recommender.
recommender.locations.*
resourcemanager.projects.get
resourcemanager.projects.list
(roles/)
Viewer of Cloud Performance General Recommendations Insights and Recommendations.
recommender.
recommender.
recommender.
recommender.
recommender.locations.*
resourcemanager.projects.get
resourcemanager.projects.list
Cloud Reliability General Recommendations Recommender Admin
Beta
(roles/)
Admin of Cloud Reliability General Recommendations Insights and Recommendations.
recommender.
recommender.
recommender.locations.*
resourcemanager.projects.get
resourcemanager.projects.list
Cloud Reliability General Recommendations Recommender Viewer
Beta
(roles/)
Viewer of Cloud Reliability General Recommendations Insights and Recommendations.
recommender.
recommender.
recommender.
recommender.
recommender.locations.*
resourcemanager.projects.get
resourcemanager.projects.list
Cloud Security General Recommendations Recommender Admin
Beta
(roles/)
Admin of Cloud Security General Recommendations Insights and Recommendations.
recommender.
recommender.
recommender.locations.*
resourcemanager.projects.get
resourcemanager.projects.list
Cloud Security General Recommendations Recommender Viewer
Beta
(roles/)
Viewer of Cloud Security General Recommendations Insights and Recommendations.
recommender.
recommender.
recommender.
recommender.
recommender.locations.*
resourcemanager.projects.get
resourcemanager.projects.list
Cloud SQL Recommender Admin
Beta
(roles/)
Admin of Cloud SQL insights and recommendations.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
resourcemanager.projects.get
resourcemanager.projects.list
Cloud SQL Recommender Viewer
Beta
(roles/)
Viewer of Cloud SQL insights and recommendations.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
resourcemanager.projects.get
resourcemanager.projects.list
Compute Recommender Admin
(roles/)
Admin of compute recommendations.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.locations.*
resourcemanager.projects.get
resourcemanager.projects.list
Compute Recommender Viewer
(roles/)
Viewer of compute recommendations.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.locations.*
resourcemanager.projects.get
resourcemanager.projects.list
GKE Diagnosis Recommender Admin
(roles/)
Admin of GKE Diagnosis Insights and Recommendations.
recommender.
recommender.
recommender.locations.*
resourcemanager.projects.get
resourcemanager.projects.list
GKE Diagnosis Recommender Viewer
(roles/)
Viewer of GKE Diagnosis Insights and Recommendations.
recommender.
recommender.
recommender.
recommender.
recommender.locations.*
resourcemanager.projects.get
resourcemanager.projects.list
Dataflow Diagnostics Admin
(roles/)
Admin of Diagnostics recommendations.
recommender.
recommender.locations.*
resourcemanager.projects.get
resourcemanager.projects.list
Dataflow Diagnostics Viewer
(roles/)
Viewer of Diagnostics recommendations.
recommender.
recommender.
recommender.locations.*
resourcemanager.projects.get
resourcemanager.projects.list
Error Reporting Recommender Admin
(roles/)
Admin of Error Reporting Insights and Recommendations.
recommender.
recommender.
recommender.locations.*
resourcemanager.projects.get
resourcemanager.projects.list
Error Reporting Recommender Viewer
(roles/)
Viewer of Error Reporting Insights and Recommendations.
recommender.
recommender.
recommender.
recommender.
recommender.locations.*
resourcemanager.projects.get
resourcemanager.projects.list
Firestore Database Reliability Recommender Admin
(roles/)
Admin of Firestore Database Reliability Insights and Recommendations.
recommender.
recommender.
recommender.locations.*
resourcemanager.projects.get
resourcemanager.projects.list
Firestore Database Reliability Recommender Viewer
(roles/)
Viewer of Firestore Database Reliability Insights and Recommendations.
recommender.
recommender.
recommender.
recommender.
recommender.locations.*
resourcemanager.projects.get
resourcemanager.projects.list
Firewall Recommender Admin
(roles/)
Admin of Firewall insights and recommendations.
monitoring.timeSeries.list
recommender.
recommender.
recommender.locations.*
resourcemanager.projects.get
resourcemanager.projects.list
Firewall Recommender Viewer
(roles/)
Viewer of Firewall insights and recommendations.
monitoring.timeSeries.list
recommender.
recommender.
recommender.
recommender.locations.*
resourcemanager.projects.get
resourcemanager.projects.list
Google Maps Platform Insights/Recommendations Admin
(roles/)
Admin of all Google Maps Platform insights and recommendations.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
resourcemanager.projects.get
resourcemanager.projects.list
Google Maps Platform Insights/Recommendations Viewer
(roles/)
Viewer of all Google Maps Platform insights and recommendations.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
resourcemanager.projects.get
resourcemanager.projects.list
IAM Recommender Admin
(roles/)
Admin of IAM recommendations.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.locations.*
resourcemanager.projects.get
resourcemanager.projects.list
IAM Recommender Viewer
(roles/)
Viewer of IAM recommendations.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.locations.*
resourcemanager.projects.get
resourcemanager.projects.list
IAM Policy Change Risk Recommender Admin
Beta
(roles/)
Admin of IAM Policy Change Risk Insights and Recommendations.
recommender.
recommender.
recommender.locations.*
resourcemanager.projects.get
resourcemanager.projects.list
IAM Policy Change Risk Recommender Viewer
Beta
(roles/)
Viewer of IAM Policy Change Risk Insights and Recommendations.
recommender.
recommender.
recommender.
recommender.
recommender.locations.*
resourcemanager.projects.get
resourcemanager.projects.list
Network Analyzer Recommender Admin
(roles/)
Admin of Network Analyzer Insights and Recommendations.
recommender.locations.*
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
resourcemanager.projects.get
resourcemanager.projects.list
Network Analyzer Cloud SQL Recommender Admin
(roles/)
Admin of Network Analyzer Cloud SQL Insights and Recommendations.
recommender.locations.*
recommender.
resourcemanager.projects.get
resourcemanager.projects.list
Network Analyzer Cloud SQL Recommender Viewer
(roles/)
Viewer of Network Analyzer Cloud SQL Insights and Recommendations.
recommender.locations.*
recommender.
recommender.
resourcemanager.projects.get
resourcemanager.projects.list
Network Analyzer Dynamic Route Recommender Admin
(roles/)
Admin of Network Analyzer Dynamic Route Insights and Recommendations.
recommender.locations.*
recommender.
resourcemanager.projects.get
resourcemanager.projects.list
Network Analyzer Dynamic Route Recommender Viewer
(roles/)
Viewer of Network Analyzer Dynamic Route Insights and Recommendations.
recommender.locations.*
recommender.
recommender.
resourcemanager.projects.get
resourcemanager.projects.list
Network Analyzer GKE Connectivity Recommender Admin
(roles/)
Admin of Network Analyzer GKE Connectivity Insights and Recommendations.
recommender.locations.*
recommender.
resourcemanager.projects.get
resourcemanager.projects.list
Network Analyzer GKE Connectivity Recommender Viewer
(roles/)
Viewer of Network Analyzer GKE Connectivity Insights and Recommendations.
recommender.locations.*
recommender.
recommender.
resourcemanager.projects.get
resourcemanager.projects.list
Network Analyzer GKE IP Address Recommender Admin
(roles/)
Admin of Network Analyzer GKE IP Address Insights and Recommendations.
recommender.locations.*
recommender.
resourcemanager.projects.get
resourcemanager.projects.list
Network Analyzer GKE IP Address Recommender Viewer
(roles/)
Viewer of Network Analyzer GKE IP Address Insights and Recommendations.
recommender.locations.*
recommender.
recommender.
resourcemanager.projects.get
resourcemanager.projects.list
Network Analyzer GKE Service Account Insights Recommender Admin
(roles/)
Admin of Network Analyzer GKE Service Account Insights Insights and Recommendations.
recommender.locations.*
recommender.
resourcemanager.projects.get
resourcemanager.projects.list
Network Analyzer GKE Service Account Insights Recommender Viewer
(roles/)
Viewer of Network Analyzer GKE Service Account Insights Insights and Recommendations.
recommender.locations.*
recommender.
recommender.
resourcemanager.projects.get
resourcemanager.projects.list
Network Analyzer IP Address Recommender Admin
(roles/)
Admin of Network Analyzer IP Address Insights and Recommendations.
recommender.locations.*
recommender.
resourcemanager.projects.get
resourcemanager.projects.list
Network Analyzer IP Address Recommender Viewer
(roles/)
Viewer of Network Analyzer IP Address Insights and Recommendations.
recommender.locations.*
recommender.
recommender.
resourcemanager.projects.get
resourcemanager.projects.list
Network Analyzer Load Balancer Recommender Admin
(roles/)
Admin of Network Analyzer Load Balancer Insights and Recommendations.
recommender.locations.*
recommender.
resourcemanager.projects.get
resourcemanager.projects.list
Network Analyzer Load Balancer Recommender Viewer
(roles/)
Viewer of Network Analyzer Load Balancer Insights and Recommendations.
recommender.locations.*
recommender.
recommender.
resourcemanager.projects.get
resourcemanager.projects.list
Network Analyzer Recommender Viewer
(roles/)
Viewer of Network Analyzer Insights and Recommendations.
recommender.locations.*
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
resourcemanager.projects.get
resourcemanager.projects.list
Network Analyzer VPC Connectivity Recommender Admin
(roles/)
Admin of Network Analyzer VPC Connectivity Insights and Recommendations.
recommender.locations.*
recommender.
resourcemanager.projects.get
resourcemanager.projects.list
Network Analyzer VPC Connectivity Recommender Viewer
(roles/)
Viewer of Network Analyzer VPC Connectivity Insights and Recommendations.
recommender.locations.*
recommender.
recommender.
resourcemanager.projects.get
resourcemanager.projects.list
Org Policy Recommender Admin
Beta
(roles/)
Admin of Org Policy Insights and Recommendations.
recommender.locations.*
recommender.
recommender.
resourcemanager.projects.get
resourcemanager.projects.list
Org Policy Recommender Viewer
Beta
(roles/)
Viewer of Org Policy Insights and Recommendations.
recommender.locations.*
recommender.
recommender.
recommender.
recommender.
resourcemanager.projects.get
resourcemanager.projects.list
Product Suggestion Recommenders Admin
Beta
(roles/)
Admin of all Product Suggestion insights and recommendations.
recommender.locations.*
recommender.
recommender.
recommender.
recommender.
resourcemanager.projects.get
resourcemanager.projects.list
Product Suggestion Recommenders Viewer
Beta
(roles/)
Viewer of all Product Suggestion insights and recommendations.
recommender.locations.*
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
resourcemanager.projects.get
resourcemanager.projects.list
Project Usage Commitment Recommender Admin
Beta
(roles/)
Admin of Project Usage Commitment Recommender.
recommender.
recommender.locations.*
recommender.
recommender.
resourcemanager.projects.get
resourcemanager.projects.list
Project Usage Commitment Recommender Viewer
Beta
(roles/)
Viewer of Project Usage Commitment Recommender.
recommender.
recommender.
recommender.locations.*
recommender.
recommender.
recommender.
resourcemanager.projects.get
resourcemanager.projects.list
Project Utilization Recommender Admin
(roles/)
Admin of Project Utilization insights and recommendations.
recommender.
recommender.
recommender.
recommender.
resourcemanager.projects.get
resourcemanager.projects.list
Project Utilization Recommender Viewer
(roles/)
Viewer of Project Utilization insights and recommendations.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
resourcemanager.projects.get
resourcemanager.projects.list
RecentChange RecommenderConfig Admin
(roles/)
Admin of RecentChange RecommenderConfigs.
recommender.
recommender.locations.*
resourcemanager.projects.get
resourcemanager.projects.list
Recent Change Risk Recommender Admin
(roles/)
Admin of Recent Change Risk Insights and Recommendations.
recommender.
recommender.
recommender.
recommender.locations.*
resourcemanager.projects.get
resourcemanager.projects.list
Recent Change Risk Recommender Viewer
(roles/)
Viewer of Recent Change Risk Insights and Recommendations.
recommender.
recommender.
recommender.
recommender.
recommender.locations.*
resourcemanager.projects.get
resourcemanager.projects.list
Service Limit Recommender Admin
Beta
(roles/)
Admin of Service Limit insights and recommendations.
recommender.
recommender.
resourcemanager.projects.get
resourcemanager.projects.list
Service Limit Recommender Viewer
Beta
(roles/)
Viewer of Service Limit insights and recommendations.
recommender.
recommender.
recommender.
recommender.
resourcemanager.projects.get
resourcemanager.projects.list
Service Account Change Risk Recommender Admin
Beta
(roles/)
Admin of Service Account Change Risk Insights and Recommendations.
recommender.
recommender.
recommender.locations.*
resourcemanager.projects.get
resourcemanager.projects.list
Service Account Change Risk Recommender Viewer
Beta
(roles/)
Viewer of Service Account Change Risk Insights and Recommendations.
recommender.
recommender.
recommender.
recommender.
recommender.locations.*
resourcemanager.projects.get
resourcemanager.projects.list
Spanner Project Reliability Recommender Admin
Beta
(roles/)
Admin of Spanner Project Reliability Insights and Recommendations.
recommender.locations.*
recommender.
recommender.
resourcemanager.projects.get
resourcemanager.projects.list
Spanner Project Reliability Recommender Viewer
Beta
(roles/)
Viewer of Spanner Project Reliability Insights and Recommendations.
recommender.locations.*
recommender.
recommender.
recommender.
recommender.
resourcemanager.projects.get
resourcemanager.projects.list
Spend Based Commitment Recommender Admin
Beta
(roles/)
Admin of Spend Based Commitment Recommender.
billing.accounts.get
billing.accounts.list
recommender.locations.*
recommender.
recommender.
recommender.
Spend Based Commitment Recommender Viewer
Beta
(roles/)
Viewer of Spend Based Commitment Recommender.
billing.accounts.get
billing.accounts.list
recommender.locations.*
recommender.
recommender.
recommender.
recommender.
recommender.
Recommender Viewer
(roles/)
Enables Get and List operations.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.costInsights.get
recommender.costInsights.list
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.locations.*
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
resourcemanager.projects.get
Resource Manager roles
Permissions
Folder Admin
(roles/)
Provides all available permissions for working with folders.
Lowest-level resources where you can grant this role:
essentialcontacts.*
iam.policybindings.*
orgpolicy.constraints.list
orgpolicy.policies.list
orgpolicy.policy.get
resourcemanager.folders.*
resourcemanager.
resourcemanager.
resourcemanager.
resourcemanager.projects.get
resourcemanager.
resourcemanager.projects.list
resourcemanager.projects.move
resourcemanager.
resourcemanager.
resourcemanager.
Folder Creator
(roles/)
Provides permissions needed to browse the hierarchy and create folders.
Lowest-level resources where you can grant this role:
essentialcontacts.contacts.get
essentialcontacts.
orgpolicy.constraints.list
orgpolicy.policies.list
orgpolicy.policy.get
resourcemanager.folders.create
resourcemanager.folders.get
resourcemanager.folders.list
resourcemanager.projects.get
resourcemanager.projects.list
Folder Editor
(roles/)
Provides permission to modify folders as well as to view a folder's allow policy.
Lowest-level resources where you can grant this role:
essentialcontacts.contacts.get
essentialcontacts.
orgpolicy.constraints.list
orgpolicy.policies.list
orgpolicy.policy.get
resourcemanager.folders.delete
resourcemanager.folders.get
resourcemanager.
resourcemanager.folders.list
resourcemanager.
resourcemanager.
resourcemanager.folders.update
resourcemanager.projects.get
resourcemanager.projects.list
Folder IAM Admin
(roles/)
Provides permissions to administer allow policies on folders.
Lowest-level resources where you can grant this role:
iam.policybindings.*
resourcemanager.
resourcemanager.
resourcemanager.folders.get
resourcemanager.
resourcemanager.
resourcemanager.
resourcemanager.
Folder Mover
(roles/)
Provides permission to move projects and folders into and out of a parent
organization or folder.
Lowest-level resources where you can grant this role:
resourcemanager.folders.move
resourcemanager.projects.move
Folder Viewer
(roles/)
Provides permission to get a folder and list the folders and projects below
a resource.
Lowest-level resources where you can grant this role:
essentialcontacts.contacts.get
essentialcontacts.
orgpolicy.constraints.list
orgpolicy.policies.list
orgpolicy.policy.get
resourcemanager.folders.get
resourcemanager.folders.list
resourcemanager.projects.get
resourcemanager.projects.list
Project Lien Modifier
(roles/)
Provides access to modify Liens on projects.
Lowest-level resources where you can grant this role:
resourcemanager.
Organization Administrator
(roles/)
Access to manage IAM policies and view organization policies for organizations, folders, and projects.
Lowest-level resources where you can grant this role:
essentialcontacts.*
iam.policybindings.*
orgpolicy.constraints.list
orgpolicy.policies.list
orgpolicy.policy.get
resourcemanager.
resourcemanager.
resourcemanager.folders.get
resourcemanager.
resourcemanager.folders.list
resourcemanager.
resourcemanager.
resourcemanager.
resourcemanager.
resourcemanager.
resourcemanager.
resourcemanager.projects.get
resourcemanager.
resourcemanager.projects.list
resourcemanager.
resourcemanager.
resourcemanager.
Organization Viewer
(roles/)
Provides access to view an organization.
Lowest-level resources where you can grant this role:
resourcemanager.
Project Creator
(roles/)
Provides access to create new projects. Once a user creates a project,
they're automatically granted the owner role for that project.
Lowest-level resources where you can grant this role:
resourcemanager.
resourcemanager.
Project Deleter
(roles/)
Provides access to delete Google Cloud projects.
Lowest-level resources where you can grant this role:
resourcemanager.
Project IAM Admin
(roles/)
Provides permissions to administer allow policies on projects.
Lowest-level resources where you can grant this role:
iam.policybindings.*
resourcemanager.
resourcemanager.
resourcemanager.projects.get
resourcemanager.
resourcemanager.
resourcemanager.
resourcemanager.
Project Mover
(roles/)
Provides access to update and move projects.
Lowest-level resources where you can grant this role:
resourcemanager.projects.get
resourcemanager.projects.move
resourcemanager.
Tag Administrator
(roles/)
Access to create, delete, update, and manage access to Tags
resourcemanager.tagHolds.*
resourcemanager.tagKeys.*
resourcemanager.tagValues.*
Tag Hold Administrator
(roles/)
Access to create, delete and list TagHolds under a TagValue
resourcemanager.tagHolds.*
Tag User
(roles/)
Access to list Tags and manage their associations with resources
alloydb.
alloydb.
alloydb.
alloydb.
alloydb.
alloydb.
alloydb.
alloydb.
artifactregistry.
artifactregistry.
artifactregistry.
artifactregistry.
bigquery.
bigquery.
bigquery.
bigquery.
bigquery.
bigquery.
bigquery.
bigquery.
bigtable.
bigtable.
bigtable.
bigtable.
bigtable.
bigtable.
bigtable.
bigtable.
clouddeploy.
clouddeploy.
clouddeploy.
clouddeploy.
clouddeploy.
clouddeploy.
clouddeploy.
clouddeploy.
cloudkms.
cloudkms.
cloudkms.
cloudkms.
cloudsql.
cloudsql.
cloudsql.
cloudsql.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.disks.createTagBinding
compute.disks.deleteTagBinding
compute.
compute.disks.listTagBindings
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.images.listTagBindings
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.routes.listTagBindings
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
container.
container.
container.
container.
datafusion.
datafusion.
datafusion.
datafusion.
datastore.
datastore.
datastore.
datastore.
datastream.
datastream.
datastream.
datastream.
datastream.
datastream.
datastream.
datastream.
datastream.
datastream.
datastream.
datastream.
domains.
domains.
domains.
domains.
file.backups.createTagBinding
file.backups.deleteTagBinding
file.backups.listEffectiveTags
file.backups.listTagBindings
file.
file.
file.
file.instances.listTagBindings
file.
file.
file.
file.snapshots.listTagBindings
iam.
iam.
iam.
iam.
logging.
logging.
logging.
logging.
managedidentities.
managedidentities.
managedidentities.
managedidentities.
redis.
redis.
redis.
redis.
resourcemanager.
resourcemanager.projects.get
resourcemanager.tagKeys.get
resourcemanager.tagKeys.list
resourcemanager.
resourcemanager.tagValues.get
resourcemanager.tagValues.list
run.jobs.createTagBinding
run.jobs.deleteTagBinding
run.jobs.listEffectiveTags
run.jobs.listTagBindings
run.services.createTagBinding
run.services.deleteTagBinding
run.services.listEffectiveTags
run.services.listTagBindings
secretmanager.
secretmanager.
secretmanager.
secretmanager.
spanner.
spanner.
spanner.
spanner.
storage.
storage.
storage.
storage.
workflows.
workflows.
workflows.
workflows.
Tag Viewer
(roles/)
Access to list Tags and their associations with resources
alloydb.
alloydb.
alloydb.
alloydb.
artifactregistry.
artifactregistry.
bigquery.
bigquery.
bigquery.
bigquery.
bigtable.
bigtable.
bigtable.
bigtable.
clouddeploy.
clouddeploy.
clouddeploy.
clouddeploy.
cloudkms.
cloudkms.
cloudsql.
cloudsql.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.disks.listTagBindings
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.images.listTagBindings
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.routes.listTagBindings
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
container.
container.
datafusion.
datafusion.
datastore.
datastore.
datastream.
datastream.
datastream.
datastream.
datastream.
datastream.
domains.
domains.
file.backups.listEffectiveTags
file.backups.listTagBindings
file.
file.instances.listTagBindings
file.
file.snapshots.listTagBindings
iam.
iam.
logging.
logging.
managedidentities.
managedidentities.
redis.
redis.
resourcemanager.
resourcemanager.
resourcemanager.tagHolds.list
resourcemanager.tagKeys.get
resourcemanager.tagKeys.list
resourcemanager.tagValues.get
resourcemanager.tagValues.list
run.jobs.listEffectiveTags
run.jobs.listTagBindings
run.services.listEffectiveTags
run.services.listTagBindings
secretmanager.
secretmanager.
spanner.
spanner.
storage.
storage.
workflows.
workflows.
Resource Settings roles
Permissions
Resource Settings Administrator
(roles/)
Provides admin capabilities to set Resource Setting Values on resources.
Lowest-level resources where you can grant this role:
resourcesettings.*
Resource Settings Viewer
(roles/)
Provides capabilities to view Resource Settings and Resource Setting Values on resources.
resourcesettings.settings.get
resourcesettings.settings.list
Risk Manager roles
Permissions
Risk Manager Admin
Beta
(roles/)
Grants all Risk Manager permissions
resourcemanager.projects.get
resourcemanager.projects.list
riskmanager.*
Risk Manager Editor
Beta
(roles/)
Access to edit Risk Manager resources
resourcemanager.projects.get
resourcemanager.projects.list
riskmanager.
riskmanager.operations.*
riskmanager.policies.*
riskmanager.reports.create
riskmanager.reports.delete
riskmanager.reports.get
riskmanager.reports.list
riskmanager.
riskmanager.settings.*
Risk Manager Report Reviewer
Beta
(roles/)
Access to review Risk Manager reports
resourcemanager.projects.get
resourcemanager.projects.list
riskmanager.
riskmanager.operations.get
riskmanager.operations.list
riskmanager.reports.get
riskmanager.reports.list
riskmanager.reports.review
Risk Manager Viewer
Beta
(roles/)
Access to view Risk Manager resources
resourcemanager.projects.get
resourcemanager.projects.list
riskmanager.
riskmanager.operations.get
riskmanager.operations.list
riskmanager.policies.*
riskmanager.reports.get
riskmanager.reports.list
riskmanager.settings.get
Roles roles
Permissions
Organization Role Administrator
(roles/)
Provides access to administer all custom roles in the organization and the
projects below it.
Lowest-level resources where you can grant this role:
iam.roles.*
resourcemanager.
resourcemanager.
resourcemanager.projects.get
resourcemanager.
resourcemanager.projects.list
Organization Role Viewer
(roles/)
Provides read access to all custom roles in the organization and the
projects below it.
Lowest-level resources where you can grant this role:
iam.roles.get
iam.roles.list
resourcemanager.
resourcemanager.
resourcemanager.projects.get
resourcemanager.
resourcemanager.projects.list
Role Administrator
(roles/)
Provides access to all custom roles in the project.
Lowest-level resources where you can grant this role:
iam.roles.*
resourcemanager.projects.get
resourcemanager.
Role Viewer
(roles/)
Provides read access to all custom roles in the project.
Lowest-level resources where you can grant this role:
iam.roles.get
iam.roles.list
resourcemanager.projects.get
resourcemanager.
Secret Manager roles
Permissions
Secret Manager Admin
(roles/)
Full access to administer Secret Manager resources.
Lowest-level resources where you can grant this role:
resourcemanager.projects.get
resourcemanager.projects.list
secretmanager.*
Secret Manager Secret Accessor
(roles/)
Allows accessing the payload of secrets.
Lowest-level resources where you can grant this role:
resourcemanager.projects.get
resourcemanager.projects.list
secretmanager.versions.access
Secret Manager Secret Version Adder
(roles/)
Allows adding versions to existing secrets.
Lowest-level resources where you can grant this role:
resourcemanager.projects.get
resourcemanager.projects.list
secretmanager.versions.add
Secret Manager Secret Version Manager
(roles/)
Allows creating and managing versions of existing secrets.
Lowest-level resources where you can grant this role:
resourcemanager.projects.get
resourcemanager.projects.list
secretmanager.versions.add
secretmanager.versions.destroy
secretmanager.versions.disable
secretmanager.versions.enable
secretmanager.versions.get
secretmanager.versions.list
Secret Manager Viewer
(roles/)
Allows viewing metadata of all Secret Manager resources
Lowest-level resources where you can grant this role:
resourcemanager.projects.get
resourcemanager.projects.list
secretmanager.locations.*
secretmanager.secrets.get
secretmanager.
secretmanager.secrets.list
secretmanager.
secretmanager.
secretmanager.versions.get
secretmanager.versions.list
Secure Source Manager roles
Permissions
Secure Source Manager Admin
Beta
(roles/)
Full access to all Secure Source Manager resources.
resourcemanager.projects.get
resourcemanager.projects.list
securesourcemanager.*
Secure Source Manager Instance Accessor
Beta
(roles/)
An instance accessor can access an instance, but not necessarily create resources in the instance.
resourcemanager.projects.get
resourcemanager.projects.list
securesourcemanager.
securesourcemanager.
securesourcemanager.
securesourcemanager.
securesourcemanager.
Secure Source Manager Instance Manager
Beta
(roles/)
Read-write access to all Secure Source Manager resources (full control except for the ability to modify permissions).
resourcemanager.projects.get
resourcemanager.projects.list
securesourcemanager.
securesourcemanager.
securesourcemanager.
securesourcemanager.
securesourcemanager.
securesourcemanager.
securesourcemanager.
securesourcemanager.sshkeys.*
Secure Source Manager Instance Owner
Beta
(roles/)
Full control over Secure Source Manager instances, including listing, creating, and deleting them. Also enables instance user management.
resourcemanager.projects.get
resourcemanager.projects.list
securesourcemanager.
securesourcemanager.
securesourcemanager.
securesourcemanager.sshkeys.*
Secure Source Manager Instance Repository Creator
Beta
(roles/)
An instance repository creator can connect to a Cloud Git instance via IAP (HTTPS) and create repositories in the instance.
resourcemanager.projects.get
resourcemanager.projects.list
securesourcemanager.
securesourcemanager.
securesourcemanager.
securesourcemanager.
securesourcemanager.
securesourcemanager.
Secure Source Manager Repository Admin
Beta
(roles/)
A repoAdmin has the ability to CRUD a repository and its children as well as assign users to a repository. They can also set, get, or check IAM policies on the repository.
resourcemanager.projects.get
resourcemanager.projects.list
securesourcemanager.
securesourcemanager.
Secure Source Manager Repository Creator
Beta
(roles/)
A repoCreator has access to create repostiory in a project, the creator will then become the repoAdmin on this repository.
resourcemanager.projects.get
resourcemanager.projects.list
securesourcemanager.
Secure Source Manager Repository Pull Request Approver
Beta
(roles/)
A pull request approver can approve pull requests in a repository.
resourcemanager.projects.get
resourcemanager.projects.list
securesourcemanager.
Secure Source Manager Repository Reader
Beta
(roles/)
A repoReader has read access to a particular repository, including its child components. They cannot create repositories, and do not manage IAM policies on the repository.
resourcemanager.projects.get
resourcemanager.projects.list
securesourcemanager.
securesourcemanager.
securesourcemanager.
securesourcemanager.
securesourcemanager.
securesourcemanager.
securesourcemanager.
Secure Source Manager Repository Writer
Beta
(roles/)
A repoWriter has read/write access to a particular repository, including its child components. They cannot create repositories, and do not manage IAM policies on the repository.
resourcemanager.projects.get
resourcemanager.projects.list
securesourcemanager.
securesourcemanager.
securesourcemanager.
securesourcemanager.
securesourcemanager.
securesourcemanager.
securesourcemanager.
securesourcemanager.
securesourcemanager.
securesourcemanager.
Secure Source Manager SSH Key User
Beta
(roles/)
An sshKeyUser can create SSH keys for themselves and list/delete SSH keys they own.
resourcemanager.projects.get
resourcemanager.projects.list
securesourcemanager.
securesourcemanager.
securesourcemanager.
securesourcemanager.
Security Center roles
Permissions
Security Center Admin
(roles/)
Admin(super user) access to security center
Lowest-level resources where you can grant this role:
appengine.applications.get
artifactregistry.
artifactregistry.
artifactregistry.
artifactregistry.
artifactregistry.files.get
artifactregistry.files.list
artifactregistry.locations.*
artifactregistry.
artifactregistry.npmpackages.*
artifactregistry.packages.get
artifactregistry.packages.list
artifactregistry.
artifactregistry.
artifactregistry.
artifactregistry.
artifactregistry.
artifactregistry.
artifactregistry.
artifactregistry.
artifactregistry.
artifactregistry.rules.get
artifactregistry.rules.list
artifactregistry.tags.get
artifactregistry.tags.list
artifactregistry.versions.get
artifactregistry.versions.list
assuredoss.*
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudsecurityscanner.*
compute.addresses.list
iam.serviceAccountKeys.create
iam.serviceAccounts.create
iam.serviceAccounts.get
pubsub.schemas.get
pubsub.schemas.list
pubsub.schemas.listRevisions
pubsub.schemas.validate
pubsub.snapshots.get
pubsub.snapshots.list
pubsub.subscriptions.create
pubsub.subscriptions.get
pubsub.subscriptions.list
pubsub.subscriptions.update
pubsub.topics.get
pubsub.topics.list
resourcemanager.folders.get
resourcemanager.folders.list
resourcemanager.
resourcemanager.projects.get
resourcemanager.projects.list
resourcemanager.tagValues.get
securitycenter.*
securitycentermanagement.*
serviceusage.quotas.get
serviceusage.services.enable
serviceusage.services.get
serviceusage.services.list
Security Center Admin Editor
(roles/)
Admin Read-write access to security center
Lowest-level resources where you can grant this role:
appengine.applications.get
artifactregistry.
artifactregistry.
artifactregistry.
artifactregistry.
artifactregistry.files.get
artifactregistry.files.list
artifactregistry.locations.*
artifactregistry.
artifactregistry.npmpackages.*
artifactregistry.packages.get
artifactregistry.packages.list
artifactregistry.
artifactregistry.
artifactregistry.
artifactregistry.
artifactregistry.
artifactregistry.
artifactregistry.
artifactregistry.
artifactregistry.rules.get
artifactregistry.rules.list
artifactregistry.tags.get
artifactregistry.tags.list
artifactregistry.versions.get
artifactregistry.versions.list
assuredoss.config.get
assuredoss.locations.*
assuredoss.metadata.*
assuredoss.operations.get
assuredoss.operations.list
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudsecurityscanner.*
compute.addresses.list
pubsub.schemas.get
pubsub.schemas.list
pubsub.schemas.listRevisions
pubsub.schemas.validate
pubsub.snapshots.get
pubsub.snapshots.list
pubsub.subscriptions.get
pubsub.subscriptions.list
pubsub.topics.get
pubsub.topics.list
resourcemanager.folders.get
resourcemanager.folders.list
resourcemanager.
resourcemanager.projects.get
resourcemanager.projects.list
resourcemanager.tagValues.get
securitycenter.assets.*
securitycenter.
securitycenter.
securitycenter.
securitycenter.
securitycenter.
securitycenter.
securitycenter.
securitycenter.
securitycenter.
securitycenter.
securitycenter.
securitycenter.
securitycenter.
securitycenter.findings.*
securitycenter.
securitycenter.
securitycenter.
securitycenter.muteconfigs.*
securitycenter.
securitycenter.
securitycenter.
securitycenter.
securitycenter.
securitycenter.
securitycenter.
securitycenter.
securitycenter.
securitycenter.
securitycenter.
securitycenter.
securitycenter.simulations.get
securitycenter.sources.get
securitycenter.sources.list
securitycenter.sources.update
securitycenter.
securitycenter.
securitycenter.
securitycenter.
securitycenter.
securitycenter.
securitycenter.
securitycenter.
securitycentermanagement.
securitycentermanagement.
securitycentermanagement.
securitycentermanagement.
securitycentermanagement.
securitycentermanagement.
securitycentermanagement.
securitycentermanagement.
securitycentermanagement.
securitycentermanagement.
securitycentermanagement.
securitycentermanagement.
securitycentermanagement.
securitycentermanagement.
securitycentermanagement.
securitycentermanagement.
serviceusage.quotas.get
serviceusage.services.get
serviceusage.services.list
Security Center Admin Viewer
(roles/)
Admin Read access to security center
Lowest-level resources where you can grant this role:
artifactregistry.
artifactregistry.
artifactregistry.
artifactregistry.
artifactregistry.files.get
artifactregistry.files.list
artifactregistry.locations.*
artifactregistry.
artifactregistry.npmpackages.*
artifactregistry.packages.get
artifactregistry.packages.list
artifactregistry.
artifactregistry.
artifactregistry.
artifactregistry.
artifactregistry.
artifactregistry.
artifactregistry.
artifactregistry.
artifactregistry.rules.get
artifactregistry.rules.list
artifactregistry.tags.get
artifactregistry.tags.list
artifactregistry.versions.get
artifactregistry.versions.list
assuredoss.config.get
assuredoss.locations.*
assuredoss.metadata.*
assuredoss.operations.get
assuredoss.operations.list
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudsecurityscanner.
cloudsecurityscanner.results.*
cloudsecurityscanner.
cloudsecurityscanner.
cloudsecurityscanner.
cloudsecurityscanner.scans.get
cloudsecurityscanner.
pubsub.schemas.get
pubsub.schemas.list
pubsub.schemas.listRevisions
pubsub.schemas.validate
pubsub.snapshots.get
pubsub.snapshots.list
pubsub.subscriptions.get
pubsub.subscriptions.list
pubsub.topics.get
pubsub.topics.list
resourcemanager.folders.get
resourcemanager.folders.list
resourcemanager.
resourcemanager.projects.get
resourcemanager.projects.list
resourcemanager.tagValues.get
securitycenter.assets.group
securitycenter.assets.list
securitycenter.
securitycenter.
securitycenter.
securitycenter.
securitycenter.
securitycenter.
securitycenter.
securitycenter.
securitycenter.
securitycenter.
securitycenter.
securitycenter.
securitycenter.
securitycenter.findings.group
securitycenter.findings.list
securitycenter.
securitycenter.
securitycenter.
securitycenter.muteconfigs.get
securitycenter.
securitycenter.
securitycenter.
securitycenter.
securitycenter.
securitycenter.
securitycenter.
securitycenter.
securitycenter.
securitycenter.
securitycenter.
securitycenter.
securitycenter.
securitycenter.
securitycenter.
securitycenter.simulations.get
securitycenter.sources.get
securitycenter.sources.list
securitycenter.
securitycenter.
securitycenter.
securitycenter.
securitycenter.
securitycenter.
securitycenter.
securitycenter.
securitycentermanagement.
securitycentermanagement.
securitycentermanagement.
securitycentermanagement.
securitycentermanagement.
securitycentermanagement.
securitycentermanagement.
securitycentermanagement.
securitycentermanagement.
securitycentermanagement.
securitycentermanagement.
securitycentermanagement.
securitycentermanagement.
securitycentermanagement.
serviceusage.quotas.get
serviceusage.services.get
serviceusage.services.list
Security Center Asset Security Marks Writer
(roles/)
Write access to asset security marks
Lowest-level resources where you can grant this role:
securitycenter.
securitycenter.
Security Center Assets Discovery Runner
(roles/)
Run asset discovery access to assets
Lowest-level resources where you can grant this role:
securitycenter.
securitycenter.
Security Center Assets Viewer
(roles/)
Read access to assets
Lowest-level resources where you can grant this role:
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
resourcemanager.folders.get
resourcemanager.
resourcemanager.projects.get
securitycenter.assets.group
securitycenter.assets.list
securitycenter.
securitycenter.
Security Center Attack Paths Reader
(roles/)
Read access to security center attack paths
securitycenter.
securitycenter.
Security Center BigQuery Exports Editor
(roles/)
Read-Write access to security center BigQuery Exports
resourcemanager.folders.get
resourcemanager.folders.list
resourcemanager.
resourcemanager.projects.get
resourcemanager.projects.list
securitycenter.
Security Center BigQuery Exports Viewer
(roles/)
Read access to security center BigQuery Exports
resourcemanager.folders.get
resourcemanager.folders.list
resourcemanager.
resourcemanager.projects.get
resourcemanager.projects.list
securitycenter.
securitycenter.
Security Center Compliance Reports Viewer
Beta
(roles/)
Read access to security center compliance reports
securitycenter.
Security Center Compliance Snapshots Viewer
Beta
(roles/)
Read access to security center compliance snapshots
securitycenter.
securitycenter.
Security Center External Systems Editor
(roles/)
Write access to security center external systems
securitycenter.
Security Center Finding Security Marks Writer
(roles/)
Write access to finding security marks
Lowest-level resources where you can grant this role:
securitycenter.
securitycenter.
Security Center Findings Bulk Mute Editor
(roles/)
Ability to mute findings in bulk
securitycenter.
Security Center Findings Editor
(roles/)
Read-write access to findings
Lowest-level resources where you can grant this role:
resourcemanager.folders.get
resourcemanager.
resourcemanager.projects.get
securitycenter.
securitycenter.
securitycenter.
securitycenter.
securitycenter.findings.group
securitycenter.findings.list
securitycenter.
securitycenter.
securitycenter.
securitycenter.findings.update
securitycenter.sources.get
securitycenter.sources.list
securitycenter.
securitycenter.
Security Center Findings Mute Setter
(roles/)
Set mute access to findings
securitycenter.
Security Center Findings State Setter
(roles/)
Set state access to findings
Lowest-level resources where you can grant this role:
securitycenter.
securitycenter.
Security Center Findings Viewer
(roles/)
Read access to findings
Lowest-level resources where you can grant this role:
resourcemanager.folders.get
resourcemanager.
resourcemanager.projects.get
securitycenter.
securitycenter.
securitycenter.
securitycenter.findings.group
securitycenter.findings.list
securitycenter.
securitycenter.sources.get
securitycenter.sources.list
securitycenter.
securitycenter.
Security Center Findings Workflow State Setter
Beta
(roles/)
Set workflow state access to findings
Lowest-level resources where you can grant this role:
securitycenter.
securitycenter.
Security Center Mute Configurations Editor
(roles/)
Read-Write access to security center mute configurations
securitycenter.muteconfigs.*
Security Center Mute Configurations Viewer
(roles/)
Read access to security center mute configurations
securitycenter.muteconfigs.get
securitycenter.
Security Center Notification Configurations Editor
(roles/)
Write access to notification configurations
Lowest-level resources where you can grant this role:
securitycenter.
securitycenter.
Security Center Notification Configurations Viewer
(roles/)
Read access to notification configurations
Lowest-level resources where you can grant this role:
securitycenter.
securitycenter.
securitycenter.
Security Center Resource Value Configurations Editor
(roles/)
Read-Write access to security center resource value configurations
resourcemanager.tagValues.get
securitycenter.
Security Center Resource Value Configurations Viewer
(roles/)
Read access to security center resource value configurations
resourcemanager.tagValues.get
securitycenter.
securitycenter.
Security Health Analytics Custom Modules Tester
(roles/)
Test access to Security Health Analytics Custom Modules
securitycenter.
securitycenter.
securitycentermanagement.
securitycentermanagement.
Security Center Settings Admin
(roles/)
Admin(super user) access to security center settings
Lowest-level resources where you can grant this role:
resourcemanager.folders.get
resourcemanager.folders.list
resourcemanager.
resourcemanager.projects.get
resourcemanager.projects.list
securitycenter.
securitycenter.
securitycenter.
securitycenter.
securitycenter.
securitycenter.
securitycenter.muteconfigs.*
securitycenter.
securitycenter.
securitycenter.
securitycenter.
securitycenter.
securitycenter.
securitycenter.
securitycenter.
securitycenter.
securitycenter.
securitycenter.
securitycenter.
securitycenter.
securitycenter.
securitycentermanagement.*
Security Center Settings Editor
(roles/)
Read-Write access to security center settings
Lowest-level resources where you can grant this role:
resourcemanager.folders.get
resourcemanager.folders.list
resourcemanager.
resourcemanager.projects.get
resourcemanager.projects.list
securitycenter.
securitycenter.
securitycenter.
securitycenter.
securitycenter.
securitycenter.
securitycenter.muteconfigs.*
securitycenter.
securitycenter.
securitycenter.
securitycenter.
securitycenter.
securitycenter.
securitycenter.
securitycenter.
securitycenter.
securitycenter.
securitycenter.
securitycenter.
securitycenter.
securitycenter.
securitycentermanagement.*
Security Center Settings Viewer
(roles/)
Read access to security center settings
Lowest-level resources where you can grant this role:
resourcemanager.folders.get
resourcemanager.folders.list
resourcemanager.
resourcemanager.projects.get
resourcemanager.projects.list
securitycenter.
securitycenter.
securitycenter.
securitycenter.
securitycenter.
securitycenter.
securitycenter.
securitycenter.
securitycenter.
securitycenter.muteconfigs.get
securitycenter.
securitycenter.
securitycenter.
securitycenter.
securitycenter.
securitycenter.
securitycenter.
securitycenter.
securitycenter.
securitycenter.
securitycenter.
securitycenter.
securitycenter.
securitycenter.
securitycenter.
securitycenter.
securitycenter.
securitycentermanagement.
securitycentermanagement.
securitycentermanagement.
securitycentermanagement.
securitycentermanagement.
securitycentermanagement.
securitycentermanagement.
securitycentermanagement.
securitycentermanagement.
securitycentermanagement.
securitycentermanagement.
securitycentermanagement.
securitycentermanagement.
securitycentermanagement.
Security Center Simulations Reader
(roles/)
Read access to security center simulations
securitycenter.simulations.get
Security Center Sources Admin
(roles/)
Admin access to sources
Lowest-level resources where you can grant this role:
resourcemanager.
securitycenter.sources.*
securitycenter.
Security Center Sources Editor
(roles/)
Read-write access to sources
Lowest-level resources where you can grant this role:
resourcemanager.
securitycenter.sources.get
securitycenter.sources.list
securitycenter.sources.update
securitycenter.
Security Center Sources Viewer
(roles/)
Read access to sources
Lowest-level resources where you can grant this role:
resourcemanager.
securitycenter.sources.get
securitycenter.sources.list
securitycenter.
Security Center Valued Resources Reader
(roles/)
Read access to security center valued resources
securitycenter.
Security Center Management Admin
(roles/)
Full access to manage Cloud Security Command Center services and custom modules configuration.
resourcemanager.
resourcemanager.projects.get
resourcemanager.projects.list
securitycenter.
securitycenter.
securitycentermanagement.*
Security Center Management Custom Modules Editor
(roles/)
Full access to manage Cloud Security Command Center custom modules.
resourcemanager.
resourcemanager.projects.get
resourcemanager.projects.list
securitycentermanagement.
securitycentermanagement.
securitycentermanagement.
securitycentermanagement.
securitycentermanagement.
Security Center Management Custom Modules Viewer
(roles/)
Readonly access to Cloud Security Command Center custom modules.
resourcemanager.
resourcemanager.projects.get
resourcemanager.projects.list
securitycentermanagement.
securitycentermanagement.
securitycentermanagement.
securitycentermanagement.
securitycentermanagement.
securitycentermanagement.
securitycentermanagement.
securitycentermanagement.
securitycentermanagement.
securitycentermanagement.
Security Center Management Custom ETD Modules Editor
(roles/)
Full access to manage Cloud Security Command Center ETD custom modules.
resourcemanager.
resourcemanager.projects.get
resourcemanager.projects.list
securitycentermanagement.
securitycentermanagement.
securitycentermanagement.
Security Center Management ETD Custom Modules Viewer
(roles/)
Readonly access to Cloud Security Command Center ETD custom modules.
resourcemanager.
resourcemanager.projects.get
resourcemanager.projects.list
securitycentermanagement.
securitycentermanagement.
securitycentermanagement.
securitycentermanagement.
securitycentermanagement.
Security Center Management Services Editor
(roles/)
Full access to manage Cloud Security Command Center services configuration.
securitycentermanagement.
Security Center Management Services Viewer
(roles/)
Readonly access to Cloud Security Command Center services configuration.
securitycentermanagement.
securitycentermanagement.
Security Center Management Settings Editor
(roles/)
Full access to manage Cloud Security Command Center settings
resourcemanager.
resourcemanager.projects.get
resourcemanager.projects.list
securitycenter.
securitycenter.
securitycentermanagement.*
Security Center Management Settings Viewer
(roles/)
Readonly access to Cloud Security Command Center settings
resourcemanager.
resourcemanager.projects.get
resourcemanager.projects.list
securitycenter.
securitycenter.
securitycentermanagement.
securitycentermanagement.
securitycentermanagement.
securitycentermanagement.
securitycentermanagement.
securitycentermanagement.
securitycentermanagement.
securitycentermanagement.
securitycentermanagement.
securitycentermanagement.
securitycentermanagement.
securitycentermanagement.
securitycentermanagement.
securitycentermanagement.
Security Center Management SHA Custom Modules Editor
(roles/)
Full access to manage Cloud Security Command Center SHA custom modules.
resourcemanager.
resourcemanager.projects.get
resourcemanager.projects.list
securitycentermanagement.
securitycentermanagement.
securitycentermanagement.
Security Center Management SHA Custom Modules Viewer
(roles/)
Readonly access to Cloud Security Command Center SHA custom modules.
resourcemanager.
resourcemanager.projects.get
resourcemanager.projects.list
securitycentermanagement.
securitycentermanagement.
securitycentermanagement.
securitycentermanagement.
securitycentermanagement.
securitycentermanagement.
Security Center Management Viewer
(roles/)
Readonly access to Cloud Security Command Center services and custom modules configuration.
resourcemanager.
resourcemanager.projects.get
resourcemanager.projects.list
securitycenter.
securitycenter.
securitycentermanagement.
securitycentermanagement.
securitycentermanagement.
securitycentermanagement.
securitycentermanagement.
securitycentermanagement.
securitycentermanagement.
securitycentermanagement.
securitycentermanagement.
securitycentermanagement.
securitycentermanagement.
securitycentermanagement.
securitycentermanagement.
securitycentermanagement.
Serverless VPC Access roles
Permissions
Serverless VPC Access Admin
(roles/)
Full access to all Serverless VPC Access resources
resourcemanager.projects.get
resourcemanager.projects.list
vpcaccess.*
Serverless VPC Access User
(roles/)
User of Serverless VPC Access connectors
compute.networks.access
resourcemanager.projects.get
resourcemanager.projects.list
vpcaccess.connectors.get
vpcaccess.connectors.list
vpcaccess.connectors.use
vpcaccess.locations.list
vpcaccess.operations.*
Serverless VPC Access Viewer
(roles/)
Viewer of all Serverless VPC Access resources
resourcemanager.projects.get
resourcemanager.projects.list
vpcaccess.connectors.get
vpcaccess.connectors.list
vpcaccess.locations.list
vpcaccess.operations.*
Service Accounts roles
Permissions
Service Account Admin
(roles/)
Create and manage service accounts.
Lowest-level resources where you can grant this role:
iam.serviceAccounts.create
iam.
iam.serviceAccounts.delete
iam.
iam.serviceAccounts.disable
iam.serviceAccounts.enable
iam.serviceAccounts.get
iam.
iam.serviceAccounts.list
iam.
iam.
iam.
iam.serviceAccounts.undelete
iam.serviceAccounts.update
resourcemanager.projects.get
resourcemanager.projects.list
Create Service Accounts
(roles/)
Access to create service accounts.
iam.serviceAccounts.create
iam.serviceAccounts.get
iam.serviceAccounts.list
resourcemanager.projects.get
resourcemanager.projects.list
Delete Service Accounts
(roles/)
Access to delete service accounts.
iam.serviceAccounts.delete
iam.serviceAccounts.get
iam.serviceAccounts.list
resourcemanager.projects.get
resourcemanager.projects.list
Service Account Key Admin
(roles/)
Create and manage (and rotate) service account keys.
Lowest-level resources where you can grant this role:
iam.serviceAccountKeys.*
iam.serviceAccounts.get
iam.serviceAccounts.list
resourcemanager.projects.get
resourcemanager.projects.list
Service Account OpenID Connect Identity Token Creator
(roles/)
Create OpenID Connect (OIDC) identity tokens
iam.
Service Account Token Creator
(roles/)
Impersonate service accounts (create OAuth2 access tokens, sign blobs or JWTs, etc).
Lowest-level resources where you can grant this role:
iam.serviceAccounts.get
iam.
iam.
iam.
iam.serviceAccounts.list
iam.serviceAccounts.signBlob
iam.serviceAccounts.signJwt
resourcemanager.projects.get
resourcemanager.projects.list
Service Account User
(roles/)
Run operations as the service account.
Lowest-level resources where you can grant this role:
iam.serviceAccounts.actAs
iam.serviceAccounts.get
iam.serviceAccounts.list
resourcemanager.projects.get
resourcemanager.projects.list
View Service Accounts
(roles/)
Read access to service accounts, metadata, and keys.
iam.serviceAccountKeys.get
iam.serviceAccountKeys.list
iam.serviceAccounts.get
iam.
iam.serviceAccounts.list
iam.
iam.
resourcemanager.projects.get
resourcemanager.projects.list
Workload Identity User
(roles/)
Impersonate service accounts from federated workloads.
iam.serviceAccounts.get
iam.
iam.
iam.serviceAccounts.list
Service Agents roles
Permissions
Warning: Do not grant service agent roles to any principals except
service agents . Some
service agent roles contain very powerful permissions, and the permissions within these roles
can change without notice. Instead, choose a different
predefined role , or create a
custom role with the permissions you need.
(roles/)
Vertex AI Batch Prediction Service Agent for serving batch prediction requests.
Warning: Do not grant service agent roles to any principals except
service agents .
bigquery.datasets.create
bigquery.datasets.get
bigquery.jobs.create
bigquery.jobs.get
bigquery.models.create
bigquery.models.export
bigquery.models.getData
bigquery.readsessions.create
bigquery.readsessions.getData
bigquery.tables.create
bigquery.tables.createSnapshot
bigquery.tables.deleteSnapshot
bigquery.tables.export
bigquery.tables.get
bigquery.tables.getData
bigquery.
bigquery.tables.update
bigquery.tables.updateData
storage.buckets.create
storage.buckets.delete
storage.buckets.get
storage.buckets.list
storage.buckets.update
storage.objects.create
storage.objects.delete
storage.objects.get
storage.objects.list
storage.objects.update
(roles/)
Gives Vertex AI Colab the proper permissions to function.
Warning: Do not grant service agent roles to any principals except
service agents .
compute.addresses.get
compute.addresses.list
compute.addresses.use
compute.addresses.useInternal
compute.disks.create
compute.disks.createSnapshot
compute.disks.createTagBinding
compute.disks.delete
compute.disks.get
compute.disks.setLabels
compute.disks.use
compute.disks.useReadOnly
compute.globalOperations.get
compute.instances.attachDisk
compute.instances.create
compute.
compute.instances.delete
compute.instances.detachDisk
compute.instances.get
compute.
compute.instances.setLabels
compute.instances.setMetadata
compute.
compute.instances.setTags
compute.instances.start
compute.instances.stop
compute.instances.useReadOnly
compute.networks.get
compute.networks.use
compute.networks.useExternalIp
compute.snapshots.create
compute.snapshots.delete
compute.snapshots.useReadOnly
compute.subnetworks.get
compute.subnetworks.list
compute.subnetworks.use
compute.
compute.zoneOperations.get
iam.serviceAccounts.actAs
notebooks.instances.create
notebooks.instances.delete
notebooks.instances.get
(roles/)
Gives Vertex AI Custom Code the proper permissions.
Warning: Do not grant service agent roles to any principals except
service agents .
aiplatform.agentExamples.*
aiplatform.agents.*
aiplatform.annotationSpecs.*
aiplatform.annotations.*
aiplatform.apps.*
aiplatform.artifacts.*
aiplatform.
aiplatform.cacheConfigs.get
aiplatform.cachedContents.*
aiplatform.consents.get
aiplatform.contexts.*
aiplatform.customJobs.*
aiplatform.dataItems.*
aiplatform.dataLabelingJobs.*
aiplatform.datasetVersions.*
aiplatform.datasets.*
aiplatform.
aiplatform.
aiplatform.
aiplatform.edgeDevices.*
aiplatform.endpoints.create
aiplatform.endpoints.delete
aiplatform.endpoints.deploy
aiplatform.endpoints.explain
aiplatform.endpoints.get
aiplatform.endpoints.list
aiplatform.endpoints.predict
aiplatform.endpoints.undeploy
aiplatform.endpoints.update
aiplatform.entityTypes.create
aiplatform.entityTypes.delete
aiplatform.
aiplatform.
aiplatform.entityTypes.get
aiplatform.
aiplatform.entityTypes.list
aiplatform.
aiplatform.
aiplatform.entityTypes.update
aiplatform.
aiplatform.executions.*
aiplatform.extensions.*
aiplatform.featureGroups.*
aiplatform.
aiplatform.
aiplatform.
aiplatform.
aiplatform.
aiplatform.featureViewSyncs.*
aiplatform.featureViews.create
aiplatform.featureViews.delete
aiplatform.
aiplatform.featureViews.get
aiplatform.featureViews.list
aiplatform.
aiplatform.featureViews.sync
aiplatform.featureViews.update
aiplatform.features.*
aiplatform.
aiplatform.
aiplatform.
aiplatform.
aiplatform.featurestores.get
aiplatform.
aiplatform.featurestores.list
aiplatform.
aiplatform.
aiplatform.
aiplatform.humanInTheLoops.*
aiplatform.
aiplatform.indexEndpoints.*
aiplatform.indexes.*
aiplatform.locations.*
aiplatform.metadataSchemas.*
aiplatform.metadataStores.*
aiplatform.
aiplatform.
aiplatform.modelEvaluations.*
aiplatform.
aiplatform.modelMonitors.*
aiplatform.models.*
aiplatform.nasJobs.*
aiplatform.nasTrialDetails.*
aiplatform.
aiplatform.
aiplatform.
aiplatform.
aiplatform.
aiplatform.
aiplatform.
aiplatform.notebookRuntimes.*
aiplatform.operations.list
aiplatform.
aiplatform.
aiplatform.pipelineJobs.*
aiplatform.
aiplatform.ragCorpora.*
aiplatform.ragFiles.*
aiplatform.reasoningEngines.*
aiplatform.schedules.*
aiplatform.sessions.*
aiplatform.specialistPools.*
aiplatform.studies.*
aiplatform.
aiplatform.tensorboardRuns.*
aiplatform.
aiplatform.tensorboards.create
aiplatform.tensorboards.delete
aiplatform.tensorboards.get
aiplatform.tensorboards.list
aiplatform.tensorboards.update
aiplatform.trainingPipelines.*
aiplatform.trials.*
aiplatform.tuningJobs.*
artifactregistry.
artifactregistry.
artifactregistry.
artifactregistry.tags.get
artifactregistry.versions.get
bigquery.datasets.create
bigquery.datasets.get
bigquery.jobs.create
bigquery.jobs.get
bigquery.readsessions.create
bigquery.readsessions.getData
bigquery.tables.create
bigquery.tables.export
bigquery.tables.get
bigquery.tables.getData
bigquery.tables.update
bigquery.tables.updateData
iam.serviceAccounts.get
iam.
iam.
iam.
iam.serviceAccounts.list
iam.serviceAccounts.signBlob
iam.serviceAccounts.signJwt
logging.logEntries.create
logging.logEntries.route
monitoring.
monitoring.
monitoring.
monitoring.
monitoring.timeSeries.create
resourcemanager.projects.get
resourcemanager.projects.list
serviceusage.services.use
storage.buckets.create
storage.buckets.delete
storage.buckets.get
storage.buckets.list
storage.objects.create
storage.objects.delete
storage.objects.get
storage.objects.list
storage.objects.update
(roles/)
Gives Vertex AI Extension that executes custom code the permissions it needs to function.
Warning: Do not grant service agent roles to any principals except
service agents .
logging.logEntries.create
logging.logEntries.route
orgpolicy.policy.get
resourcemanager.projects.get
resourcemanager.projects.list
storage.folders.*
storage.managedFolders.create
storage.managedFolders.delete
storage.managedFolders.get
storage.managedFolders.list
storage.multipartUploads.*
storage.objects.*
(roles/)
Gives Vertex AI Extension the permissions it needs to function.
Warning: Do not grant service agent roles to any principals except
service agents .
aiplatform.endpoints.predict
aiplatform.locations.get
aiplatform.ragCorpora.query
discoveryengine.
iam.
iam.
logging.logEntries.create
logging.logEntries.route
serviceusage.services.use
storage.objects.get
(roles/)
Gives Vertex AI Model Monitoring the permissions it needs to function.
Warning: Do not grant service agent roles to any principals except
service agents .
aiplatform.
aiplatform.
aiplatform.
aiplatform.
bigquery.datasets.create
bigquery.datasets.get
bigquery.jobs.create
bigquery.jobs.get
bigquery.tables.create
bigquery.tables.export
bigquery.tables.get
bigquery.tables.getData
bigquery.tables.update
bigquery.tables.updateData
monitoring.
serviceusage.services.use
storage.buckets.create
storage.buckets.delete
storage.buckets.get
storage.buckets.list
storage.buckets.update
storage.objects.create
storage.objects.delete
storage.objects.get
storage.objects.list
storage.objects.update
(roles/)
Vertex AI Service Agent used to run Notebook managed resources in user project with restricted permissions.
Warning: Do not grant service agent roles to any principals except
service agents .
logging.logEntries.create
logging.logEntries.route
monitoring.
monitoring.
monitoring.
monitoring.
monitoring.timeSeries.create
(roles/)
Gives Vertex AI Online Prediction the permissions it needs to function.
Warning: Do not grant service agent roles to any principals except
service agents .
gkehub.features.get
gkehub.features.getIamPolicy
gkehub.features.list
gkehub.fleet.get
gkehub.gateway.delete
gkehub.
gkehub.gateway.get
gkehub.gateway.patch
gkehub.gateway.post
gkehub.gateway.put
gkehub.locations.*
gkehub.memberships.get
gkehub.
gkehub.memberships.list
serviceusage.services.get
(roles/)
Vertex AI Service Agent used by Vertex RAG to access user imported data, Vertex AI, Document AI processors in the project
Warning: Do not grant service agent roles to any principals except
service agents .
aiplatform.endpoints.get
aiplatform.endpoints.predict
aiplatform.featureViews.get
aiplatform.featureViews.list
aiplatform.featureViews.sync
aiplatform.featureViews.update
aiplatform.indexEndpoints.*
aiplatform.indexes.*
aiplatform.models.get
bigquery.datasets.create
bigquery.datasets.get
bigquery.jobs.create
bigquery.jobs.get
bigquery.readsessions.create
bigquery.readsessions.getData
bigquery.tables.create
bigquery.tables.createSnapshot
bigquery.tables.deleteSnapshot
bigquery.tables.export
bigquery.tables.get
bigquery.tables.getData
bigquery.
bigquery.tables.update
bigquery.tables.updateData
documentai.
documentai.processors.get
documentai.
logging.logEntries.create
logging.logEntries.route
storage.buckets.get
storage.buckets.list
storage.objects.get
storage.objects.list
(roles/)
Vertex AI Service Agent used by GenAI Rapid Evaluation Service to access publisher model endpoints in the user project
Warning: Do not grant service agent roles to any principals except
service agents .
aiplatform.endpoints.predict
(roles/)
Gives Vertex AI Reasoning Engine the proper permissions to function.
Warning: Do not grant service agent roles to any principals except
service agents .
aiplatform.endpoints.create
aiplatform.endpoints.delete
aiplatform.endpoints.deploy
aiplatform.endpoints.explain
aiplatform.endpoints.get
aiplatform.endpoints.list
aiplatform.endpoints.predict
aiplatform.endpoints.undeploy
aiplatform.endpoints.update
cloudtrace.traces.patch
logging.logEntries.create
logging.logEntries.route
monitoring.
monitoring.
monitoring.
monitoring.
monitoring.timeSeries.create
serviceusage.services.use
storage.buckets.get
storage.buckets.list
storage.objects.get
storage.objects.list
(roles/)
Gives Vertex AI the permissions it needs to function.
Warning: Do not grant service agent roles to any principals except
service agents .
aiplatform.agentExamples.*
aiplatform.agents.*
aiplatform.annotationSpecs.*
aiplatform.annotations.*
aiplatform.apps.*
aiplatform.artifacts.*
aiplatform.
aiplatform.cacheConfigs.get
aiplatform.cachedContents.*
aiplatform.consents.get
aiplatform.contexts.*
aiplatform.customJobs.*
aiplatform.dataItems.*
aiplatform.dataLabelingJobs.*
aiplatform.datasetVersions.*
aiplatform.datasets.*
aiplatform.
aiplatform.
aiplatform.
aiplatform.edgeDevices.*
aiplatform.endpoints.create
aiplatform.endpoints.delete
aiplatform.endpoints.deploy
aiplatform.endpoints.explain
aiplatform.endpoints.get
aiplatform.endpoints.list
aiplatform.endpoints.predict
aiplatform.endpoints.undeploy
aiplatform.endpoints.update
aiplatform.entityTypes.create
aiplatform.entityTypes.delete
aiplatform.
aiplatform.
aiplatform.entityTypes.get
aiplatform.
aiplatform.entityTypes.list
aiplatform.
aiplatform.
aiplatform.entityTypes.update
aiplatform.
aiplatform.executions.*
aiplatform.extensions.*
aiplatform.featureGroups.*
aiplatform.
aiplatform.
aiplatform.
aiplatform.
aiplatform.
aiplatform.featureViewSyncs.*
aiplatform.featureViews.create
aiplatform.featureViews.delete
aiplatform.
aiplatform.featureViews.get
aiplatform.featureViews.list
aiplatform.
aiplatform.featureViews.sync
aiplatform.featureViews.update
aiplatform.features.*
aiplatform.
aiplatform.
aiplatform.
aiplatform.
aiplatform.featurestores.get
aiplatform.
aiplatform.featurestores.list
aiplatform.
aiplatform.
aiplatform.
aiplatform.humanInTheLoops.*
aiplatform.
aiplatform.indexEndpoints.*
aiplatform.indexes.*
aiplatform.locations.*
aiplatform.metadataSchemas.*
aiplatform.metadataStores.*
aiplatform.
aiplatform.
aiplatform.modelEvaluations.*
aiplatform.
aiplatform.modelMonitors.*
aiplatform.models.*
aiplatform.nasJobs.*
aiplatform.nasTrialDetails.*
aiplatform.
aiplatform.
aiplatform.
aiplatform.
aiplatform.
aiplatform.
aiplatform.
aiplatform.notebookRuntimes.*
aiplatform.operations.list
aiplatform.
aiplatform.
aiplatform.pipelineJobs.*
aiplatform.
aiplatform.ragCorpora.*
aiplatform.ragFiles.*
aiplatform.reasoningEngines.*
aiplatform.schedules.*
aiplatform.sessions.*
aiplatform.specialistPools.*
aiplatform.studies.*
aiplatform.
aiplatform.tensorboardRuns.*
aiplatform.
aiplatform.tensorboards.create
aiplatform.tensorboards.delete
aiplatform.tensorboards.get
aiplatform.tensorboards.list
aiplatform.tensorboards.update
aiplatform.trainingPipelines.*
aiplatform.trials.*
aiplatform.tuningJobs.*
artifactregistry.
artifactregistry.
artifactregistry.
artifactregistry.
artifactregistry.
artifactregistry.tags.get
artifactregistry.versions.get
automl.datasets.export
automl.datasets.get
automl.datasets.list
automl.modelEvaluations.list
automl.models.get
automl.models.list
automl.operations.get
automl.tableSpecs.get
bigquery.datasets.create
bigquery.datasets.get
bigquery.jobs.create
bigquery.jobs.get
bigquery.models.create
bigquery.models.export
bigquery.models.getData
bigquery.readsessions.create
bigquery.readsessions.getData
bigquery.tables.create
bigquery.tables.export
bigquery.tables.get
bigquery.tables.getData
bigquery.tables.update
bigquery.tables.updateData
bigtable.tables.get
bigtable.tables.list
bigtable.tables.readRows
compute.addresses.get
compute.addresses.list
compute.addresses.use
compute.addresses.useInternal
compute.disks.create
compute.disks.createSnapshot
compute.disks.createTagBinding
compute.disks.delete
compute.disks.get
compute.disks.setLabels
compute.disks.use
compute.disks.useReadOnly
compute.globalOperations.get
compute.instances.attachDisk
compute.instances.create
compute.
compute.instances.delete
compute.instances.detachDisk
compute.instances.get
compute.
compute.instances.setLabels
compute.instances.setMetadata
compute.
compute.instances.setTags
compute.instances.start
compute.instances.stop
compute.instances.useReadOnly
compute.machineTypes.get
compute.networks.get
compute.networks.use
compute.networks.useExternalIp
compute.snapshots.create
compute.snapshots.delete
compute.snapshots.useReadOnly
compute.subnetworks.get
compute.subnetworks.list
compute.subnetworks.use
compute.
compute.zoneOperations.get
dataflow.jobs.*
dataflow.messages.list
dataflow.metrics.get
dataflow.snapshots.*
datalabeling.
datalabeling.datasets.export
datalabeling.datasets.get
datalabeling.datasets.list
datalabeling.operations.get
iam.serviceAccounts.actAs
iam.
iam.
logging.logEntries.create
logging.logEntries.route
ml.models.list
ml.operations.get
ml.versions.get
ml.versions.list
monitoring.
notebooks.instances.create
notebooks.instances.delete
notebooks.instances.get
resourcemanager.projects.get
resourcemanager.projects.list
run.executions.delete
run.executions.get
run.jobs.create
run.jobs.delete
run.jobs.get
run.jobs.run
run.jobs.update
run.operations.delete
run.operations.get
run.routes.invoke
run.services.create
run.services.delete
run.services.get
serviceusage.services.list
serviceusage.services.use
storage.buckets.create
storage.buckets.delete
storage.buckets.get
storage.buckets.list
storage.objects.create
storage.objects.delete
storage.objects.get
storage.objects.list
storage.objects.update
(roles/)
Vertex AI Service Agent used for tuning in user project.
Warning: Do not grant service agent roles to any principals except
service agents .
aiplatform.artifacts.*
aiplatform.
aiplatform.
aiplatform.
aiplatform.contexts.*
aiplatform.endpoints.create
aiplatform.endpoints.deploy
aiplatform.endpoints.get
aiplatform.locations.get
aiplatform.metadataSchemas.*
aiplatform.metadataStores.*
aiplatform.models.get
aiplatform.models.update
aiplatform.models.upload
aiplatform.operations.list
aiplatform.pipelineJobs.get
aiplatform.pipelineJobs.list
aiplatform.
aiplatform.tensorboardRuns.*
aiplatform.
aiplatform.tensorboards.create
aiplatform.tensorboards.delete
aiplatform.tensorboards.get
aiplatform.tensorboards.list
aiplatform.tensorboards.update
aiplatform.tuningJobs.*
resourcemanager.projects.get
storage.buckets.create
storage.buckets.get
storage.buckets.getIamPolicy
storage.buckets.list
storage.buckets.update
storage.objects.create
storage.objects.delete
storage.objects.get
storage.objects.getIamPolicy
storage.objects.list
storage.objects.update
AlloyDB Service Agent
(roles/)
Gives the AlloyDB service account permission to manage customer resources
Warning: Do not grant service agent roles to any principals except
service agents .
alloydb.clusters.list
Anthos Service Agent
(roles/)
Gives the Anthos service agent access to Google Cloud resources.
Warning: Do not grant service agent roles to any principals except
service agents .
gkehub.features.get
gkehub.locations.*
gkehub.memberships.get
gkehub.memberships.list
serviceusage.services.get
serviceusage.services.list
Anthos Audit Service Agent
(roles/)
Gives the Anthos Audit service agent access to Cloud Platform resources.
Warning: Do not grant service agent roles to any principals except
service agents .
gkehub.features.get
gkehub.locations.*
gkehub.memberships.get
gkehub.memberships.list
Anthos Config Management Service Agent
(roles/)
Gives the Anthos Config Management service agent access to Google Cloud resources.
Warning: Do not grant service agent roles to any principals except
service agents .
container.clusters.get
gkehub.features.get
gkehub.gateway.delete
gkehub.
gkehub.gateway.get
gkehub.gateway.patch
gkehub.gateway.post
gkehub.gateway.put
gkehub.locations.*
gkehub.memberships.get
gkehub.memberships.list
Anthos Identity Service Agent
(roles/)
Gives the Anthos Identity service agent access to Google Cloud resources.
Warning: Do not grant service agent roles to any principals except
service agents .
gkehub.features.get
gkehub.gateway.delete
gkehub.
gkehub.gateway.get
gkehub.gateway.patch
gkehub.gateway.post
gkehub.gateway.put
gkehub.locations.*
gkehub.memberships.get
gkehub.memberships.list
Anthos Policy Controller Service Agent
(roles/)
Gives the Anthos Policy Controller service agent access toCloud Platform resources.
Warning: Do not grant service agent roles to any principals except
service agents .
gkehub.features.get
gkehub.gateway.delete
gkehub.
gkehub.gateway.get
gkehub.gateway.patch
gkehub.gateway.post
gkehub.gateway.put
gkehub.locations.*
gkehub.memberships.get
gkehub.memberships.list
Anthos Service Mesh Service Agent
(roles/)
Gives the Anthos Service Mesh service agent access to Cloud Platform resources.
Warning: Do not grant service agent roles to any principals except
service agents .
compute.backendServices.create
compute.backendServices.delete
compute.backendServices.get
compute.backendServices.list
compute.backendServices.update
compute.backendServices.use
compute.firewalls.create
compute.firewalls.delete
compute.firewalls.get
compute.firewalls.update
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.globalOperations.get
compute.healthChecks.create
compute.healthChecks.delete
compute.healthChecks.get
compute.healthChecks.list
compute.healthChecks.update
compute.healthChecks.use
compute.
compute.instances.use
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.networks.updatePolicy
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.regions.list
compute.zones.list
container.backendConfigs.*
container.
container.clusterRoles.*
container.clusters.get
container.clusters.update
container.configMaps.*
container.
container.
container.
container.
container.daemonSets.create
container.daemonSets.delete
container.daemonSets.get
container.daemonSets.getStatus
container.daemonSets.list
container.daemonSets.update
container.deployments.get
container.deployments.list
container.events.get
container.events.list
container.jobs.create
container.jobs.delete
container.jobs.get
container.jobs.list
container.jobs.update
container.
container.
container.
container.
container.namespaces.create
container.namespaces.get
container.namespaces.list
container.operations.get
container.pods.get
container.pods.list
container.secrets.*
container.
container.
container.serviceAccounts.get
container.serviceAccounts.list
container.
container.services.get
container.services.list
container.
container.
container.
container.
container.
gkehub.features.get
gkehub.gateway.delete
gkehub.
gkehub.gateway.get
gkehub.gateway.patch
gkehub.gateway.post
gkehub.gateway.put
gkehub.locations.*
gkehub.memberships.get
gkehub.memberships.list
logging.logEntries.create
meshconfig.projects.init
monitoring.
monitoring.
monitoring.
monitoring.
monitoring.timeSeries.create
networksecurity.
networksecurity.
networksecurity.
networksecurity.
networksecurity.
networksecurity.
networksecurity.
networksecurity.
networksecurity.
networksecurity.
networksecurity.
networksecurity.
networksecurity.operations.*
networksecurity.
networksecurity.
networksecurity.
networksecurity.
networksecurity.
networksecurity.
networkservices.
networkservices.gateways.*
networkservices.grpcRoutes.*
networkservices.httpFilters.*
networkservices.httpRoutes.*
networkservices.meshes.*
networkservices.operations.*
networkservices.
networkservices.tcpRoutes.*
networkservices.tlsRoutes.*
serviceusage.services.get
serviceusage.services.use
trafficdirector.*
workloadcertificate.
workloadcertificate.
workloadcertificate.
workloadcertificate.
workloadcertificate.
workloadcertificate.
Anthos Support Service Agent
(roles/)
Gives the Anthos Support Service Agent access to Cloud Platform resource.
Warning: Do not grant service agent roles to any principals except
service agents .
gkehub.features.get
gkehub.features.getIamPolicy
gkehub.features.list
gkehub.fleet.get
gkehub.fleet.getFreeTrial
gkehub.
gkehub.gateway.get
gkehub.locations.*
gkehub.membershipbindings.get
gkehub.membershipbindings.list
gkehub.membershipfeatures.get
gkehub.membershipfeatures.list
gkehub.
gkehub.memberships.get
gkehub.
gkehub.memberships.list
gkehub.namespaces.get
gkehub.namespaces.list
gkehub.operations.get
gkehub.operations.list
gkehub.rbacrolebindings.get
gkehub.rbacrolebindings.list
gkehub.scopes.get
gkehub.scopes.list
gkehub.
resourcemanager.projects.get
resourcemanager.projects.list
serviceusage.services.get
Cloud API Gateway Service Agent
(roles/)
Gives Cloud API Gateway service account access to Service Management check and reports as well as impersonation on user-specified service accounts.
Warning: Do not grant service agent roles to any principals except
service agents .
iam.
iam.
servicemanagement.
servicemanagement.
servicemanagement.
Cloud API Gateway Management Service Agent
(roles/)
Gives Cloud API Gateway service account access to retrieve a Service configuration.
Warning: Do not grant service agent roles to any principals except
service agents .
iam.serviceAccounts.get
servicemanagement.
servicemanagement.
servicemanagement.services.get
servicemanagement.
servicemanagement.
serviceusage.services.get
Apigee Service Agent
(roles/)
Service agent that grants access to Apigee resources - API Products, Developers, Developer Apps, and App Keys.
Warning: Do not grant service agent roles to any principals except
service agents .
apigee.apiproducts.get
apigee.apiproducts.list
apigee.appkeys.create
apigee.appkeys.delete
apigee.appkeys.manage
apigee.apps.get
apigee.canaryevaluations.*
apigee.developerapps.*
apigee.developers.create
apigee.developers.delete
apigee.developers.get
apigee.environments.get
apigee.
apigee.
apigee.ingressconfigs.get
apigee.instances.reportStatus
apigee.operations.*
apigee.organizations.get
apigee.proxyrevisions.get
apigee.runtimeconfigs.get
cloudtrace.traces.patch
iam.
iam.
logging.buckets.create
logging.buckets.get
logging.buckets.list
logging.views.create
logging.views.get
logging.views.list
monitoring.
monitoring.
monitoring.
monitoring.
monitoring.timeSeries.create
API-Hub Runtime Project Service Agent
(roles/)
Gives API-Hub Service Account access to runtime project resources.
Warning: Do not grant service agent roles to any principals except
service agents .
apigee.deployments.list
apigee.
apigee.envgroups.list
apigee.environments.get
apigee.organizations.get
apigee.proxyrevisions.get
APIM API Discovery Service Agent
(roles/)
Gives APIM the ability to manage resources in consumer project
Warning: Do not grant service agent roles to any principals except
service agents .
compute.backendServices.create
compute.backendServices.delete
compute.backendServices.get
compute.backendServices.list
compute.backendServices.update
compute.backendServices.use
compute.globalOperations.get
compute.networks.use
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.regionOperations.get
compute.subnetworks.use
networkservices.operations.*
App Development Experience Service Agent
(roles/)
Give the App Development Experience service agent access to Cloud Platform resources.
Warning: Do not grant service agent roles to any principals except
service agents .
container.clusters.get
container.clusters.update
gkehub.features.get
gkehub.gateway.delete
gkehub.
gkehub.gateway.get
gkehub.gateway.patch
gkehub.gateway.post
gkehub.gateway.put
gkehub.locations.*
gkehub.memberships.get
gkehub.memberships.list
App Engine Standard Environment Service Agent
(roles/)
Give App Engine Standard Envirnoment service account access to managed resources. Includes access to service accounts.
Warning: Do not grant service agent roles to any principals except
service agents .
appengine.versions.delete
appengine.versions.get
appengine.versions.list
appengine.versions.update
artifactregistry.
artifactregistry.
artifactregistry.
artifactregistry.files.get
artifactregistry.files.list
artifactregistry.
artifactregistry.locations.*
artifactregistry.
artifactregistry.npmpackages.*
artifactregistry.packages.get
artifactregistry.packages.list
artifactregistry.
artifactregistry.
artifactregistry.
artifactregistry.
artifactregistry.
artifactregistry.
artifactregistry.
artifactregistry.
artifactregistry.
artifactregistry.tags.create
artifactregistry.tags.get
artifactregistry.tags.list
artifactregistry.tags.update
artifactregistry.versions.get
artifactregistry.versions.list
artifactregistry.
datastore.databases.get
datastore.entities.create
datastore.entities.delete
datastore.entities.get
datastore.entities.list
datastore.entities.update
datastore.indexes.list
datastore.namespaces.*
datastore.statistics.*
iam.
iam.
iam.serviceAccounts.signBlob
serviceusage.services.enable
serviceusage.services.get
storage.buckets.create
storage.buckets.get
App Engine flexible environment Service Agent
(roles/)
Can edit and manage App Engine Flexible Environment apps. Includes access to service accounts.
Warning: Do not grant service agent roles to any principals except
service agents .
artifactregistry.
artifactregistry.
artifactregistry.
artifactregistry.
billing.accounts.get
cloudbuild.builds.create
cloudbuild.builds.get
compute.addresses.create
compute.addresses.delete
compute.addresses.get
compute.addresses.list
compute.addresses.use
compute.autoscalers.create
compute.autoscalers.delete
compute.autoscalers.get
compute.autoscalers.update
compute.backendServices.create
compute.backendServices.delete
compute.backendServices.get
compute.backendServices.list
compute.backendServices.update
compute.backendServices.use
compute.disks.create
compute.disks.list
compute.firewalls.create
compute.firewalls.delete
compute.firewalls.get
compute.firewalls.list
compute.firewalls.update
compute.forwardingRules.create
compute.forwardingRules.delete
compute.forwardingRules.get
compute.globalAddresses.create
compute.globalAddresses.delete
compute.globalAddresses.get
compute.globalAddresses.use
compute.
compute.
compute.
compute.globalOperations.get
compute.healthChecks.create
compute.healthChecks.delete
compute.healthChecks.get
compute.healthChecks.update
compute.
compute.
compute.
compute.httpHealthChecks.get
compute.httpHealthChecks.use
compute.
compute.
compute.
compute.httpsHealthChecks.get
compute.
compute.httpsHealthChecks.use
compute.
compute.images.get
compute.images.useReadOnly
compute.
compute.
compute.
compute.
compute.
compute.instanceGroups.create
compute.instanceGroups.delete
compute.instanceGroups.get
compute.instanceGroups.update
compute.instanceGroups.use
compute.
compute.
compute.instanceTemplates.get
compute.
compute.instances.attachDisk
compute.instances.create
compute.instances.delete
compute.instances.detachDisk
compute.instances.get
compute.
compute.
compute.instances.list
compute.instances.reset
compute.instances.setLabels
compute.instances.setMetadata
compute.instances.setTags
compute.instances.start
compute.instances.stop
compute.instances.use
compute.machineTypes.get
compute.networks.create
compute.networks.delete
compute.networks.get
compute.networks.updatePolicy
compute.networks.use
compute.networks.useExternalIp
compute.projects.get
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.regionOperations.get
compute.regions.get
compute.routes.create
compute.routes.delete
compute.routes.get
compute.routes.list
compute.subnetworks.delete
compute.subnetworks.get
compute.subnetworks.use
compute.
compute.
compute.
compute.targetHttpProxies.get
compute.targetHttpProxies.use
compute.
compute.
compute.targetHttpsProxies.get
compute.
compute.targetHttpsProxies.use
compute.urlMaps.create
compute.urlMaps.delete
compute.urlMaps.get
compute.urlMaps.update
compute.urlMaps.use
compute.zoneOperations.get
compute.zoneOperations.list
compute.zones.*
deploymentmanager.
deploymentmanager.
deploymentmanager.
deploymentmanager.
deploymentmanager.
deploymentmanager.
deploymentmanager.manifests.*
deploymentmanager.operations.*
deploymentmanager.
deploymentmanager.
iam.serviceAccounts.actAs
iam.serviceAccounts.get
iam.
iam.serviceAccounts.signBlob
iam.serviceAccounts.signJwt
logging.logEntries.create
logging.logMetrics.create
logging.logMetrics.delete
logging.logMetrics.get
logging.logMetrics.update
resourcemanager.
resourcemanager.projects.get
resourcemanager.
resourcemanager.
serviceusage.services.enable
storage.buckets.create
storage.buckets.delete
storage.buckets.get
storage.buckets.getIamPolicy
storage.buckets.setIamPolicy
storage.buckets.update
storage.objects.create
storage.objects.delete
storage.objects.get
storage.objects.getIamPolicy
storage.objects.list
Artifact Registry Service Agent
(roles/)
Gives the Artifact Registry service account access to managed resources.
Warning: Do not grant service agent roles to any principals except
service agents .
artifactregistry.
artifactregistry.
artifactregistry.
artifactregistry.
pubsub.topics.publish
Assured Workloads Monitoring Service Agent
(roles/)
Gives the Assured Workloads service account access to create CAIS feed and monitor Assured Workloads.
Warning: Do not grant service agent roles to any principals except
service agents .
cloudasset.
cloudasset.assets.listResource
cloudasset.feeds.create
cloudasset.feeds.delete
cloudasset.feeds.get
Assured Workloads Service Agent
(roles/)
Gives the Assured Workloads service account access to create KMS keyrings and keys, monitor Assured Workloads and read Organization Policies.
Warning: Do not grant service agent roles to any principals except
service agents .
cloudkms.cryptoKeys.create
cloudkms.keyRings.create
orgpolicy.policies.list
orgpolicy.policy.get
serviceusage.services.enable
serviceusage.services.get
serviceusage.services.use
Audit Manager Auditing Service Agent
(roles/)
Grants Audit Manager Service Agent access to various list/get rpcs of products to perform an audit.
Warning: Do not grant service agent roles to any principals except
service agents .
accessapproval.settings.get
artifactregistry.
bigquery.datasets.get
certificatemanager.certs.list
certificatemanager.
cloudasset.
cloudasset.assets.analyzeMove
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.assets.exportIapWeb
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.assets.listIamRoles
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.assets.listIapWeb
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.assets.listResource
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.assets.listTpuNodes
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudkms.cryptoKeys.get
cloudkms.cryptoKeys.list
cloudkms.keyRings.list
cloudsecurityscanner.scans.get
cloudsql.instances.get
cloudsql.instances.list
compute.autoscalers.list
compute.backendServices.list
compute.disks.list
compute.firewallPolicies.list
compute.firewalls.list
compute.forwardingRules.list
compute.
compute.
compute.instanceGroups.list
compute.instances.get
compute.instances.list
compute.regionSslPolicies.list
compute.
compute.regionUrlMaps.list
compute.routers.list
compute.securityPolicies.list
compute.sslCertificates.list
compute.sslPolicies.list
compute.subnetworks.list
compute.targetHttpProxies.list
compute.targetSslProxies.list
compute.urlMaps.list
compute.vpnGateways.list
compute.zones.list
container.clusters.get
container.clusters.list
dlp.inspectTemplates.list
dlp.jobTriggers.list
dns.managedZones.list
iam.serviceAccounts.get
iam.
logging.buckets.list
monitoring.timeSeries.list
orgpolicy.constraints.list
orgpolicy.policy.get
privateca.certificates.list
recommender.
recommender.
recommender.locations.*
resourcemanager.folders.get
resourcemanager.
resourcemanager.folders.list
resourcemanager.
resourcemanager.
resourcemanager.
resourcemanager.
resourcemanager.projects.get
resourcemanager.
resourcemanager.projects.list
resourcemanager.tagHolds.list
resourcemanager.tagKeys.get
resourcemanager.tagKeys.list
resourcemanager.tagValues.get
resourcemanager.tagValues.list
secretmanager.secrets.list
serviceusage.quotas.get
serviceusage.services.get
serviceusage.services.list
storage.buckets.get
storage.buckets.getIamPolicy
storage.buckets.list
AutoML Service Agent
(roles/)
AutoML service agent can act as Cloud Storage admin and export BigQuery tables, which can be backed by Cloud Storage and Cloud Bigtable.
Warning: Do not grant service agent roles to any principals except
service agents .
bigquery.datasets.create
bigquery.datasets.get
bigquery.jobs.create
bigquery.tables.create
bigquery.tables.export
bigquery.tables.get
bigquery.tables.getData
bigquery.tables.update
bigquery.tables.updateData
bigtable.tables.get
bigtable.tables.list
bigtable.tables.readRows
serviceusage.services.use
storage.buckets.get
storage.objects.create
storage.objects.delete
storage.objects.get
storage.objects.list
storage.objects.update
Recommendations AI Service Agent
(roles/)
Recommendations AI service uploads catalog feeds from Cloud Storage, reports results to the customer Cloud Storage bucket, writes logs to customer projects, and writes and reads Stackdriver metrics for customer projects.
Warning: Do not grant service agent roles to any principals except
service agents .
bigquery.datasets.create
bigquery.datasets.get
bigquery.jobs.create
bigquery.jobs.get
bigquery.jobs.list
bigquery.jobs.update
bigquery.tables.create
bigquery.tables.export
bigquery.tables.get
bigquery.tables.getData
bigquery.tables.list
bigquery.tables.update
bigquery.tables.updateData
cloudnotifications.
dataflow.jobs.*
dataflow.messages.list
dataflow.metrics.get
logging.logEntries.create
logging.logEntries.route
monitoring.alertPolicies.get
monitoring.alertPolicies.list
monitoring.dashboards.get
monitoring.dashboards.list
monitoring.groups.get
monitoring.groups.list
monitoring.
monitoring.
monitoring.
monitoring.
monitoring.
monitoring.
monitoring.
monitoring.services.get
monitoring.services.list
monitoring.slos.get
monitoring.slos.list
monitoring.snoozes.get
monitoring.snoozes.list
monitoring.timeSeries.*
monitoring.
monitoring.
opsconfigmonitoring.
resourcemanager.projects.get
resourcemanager.projects.list
stackdriver.projects.get
stackdriver.
storage.buckets.create
storage.buckets.get
storage.objects.create
storage.objects.delete
storage.objects.get
storage.objects.list
storage.objects.update
Backup and DR Service Agent
(roles/)
Grants the Backup and DR Service access to protect Compute Engine instances.
Warning: Do not grant service agent roles to any principals except
service agents .
compute.addresses.list
compute.addresses.use
compute.addresses.useInternal
compute.diskTypes.*
compute.disks.create
compute.disks.createSnapshot
compute.disks.delete
compute.disks.get
compute.disks.setLabels
compute.disks.use
compute.firewalls.list
compute.globalOperations.get
compute.images.create
compute.images.delete
compute.images.get
compute.images.useReadOnly
compute.instances.attachDisk
compute.instances.create
compute.instances.delete
compute.instances.detachDisk
compute.instances.get
compute.instances.list
compute.instances.setLabels
compute.instances.setMetadata
compute.
compute.instances.setTags
compute.instances.start
compute.instances.stop
compute.instances.useReadOnly
compute.machineTypes.*
compute.networks.list
compute.nodeGroups.get
compute.nodeGroups.list
compute.nodeTemplates.get
compute.projects.get
compute.regionOperations.get
compute.regions.*
compute.snapshots.create
compute.snapshots.delete
compute.snapshots.get
compute.snapshots.setLabels
compute.snapshots.useReadOnly
compute.subnetworks.list
compute.subnetworks.use
compute.
compute.zoneOperations.get
compute.zones.list
iam.serviceAccounts.actAs
iam.serviceAccounts.get
iam.serviceAccounts.list
resourcemanager.projects.get
resourcemanager.projects.list
(roles/)
Gives permission to manage network resources such as interconnect pairing keys, required for Bare Metal Solution.
Warning: Do not grant service agent roles to any principals except
service agents .
compute.
compute.
compute.interconnects.get
compute.interconnects.list
compute.networks.get
compute.networks.list
compute.projects.get
resourcemanager.projects.get
Google Batch Service Agent
(roles/)
Gives Google Batch account access to manage customer resources.
Warning: Do not grant service agent roles to any principals except
service agents .
backupdr.
backupdr.
backupdr.
backupdr.
backupdr.backupPlans.get
backupdr.backupPlans.list
backupdr.
backupdr.backupVaults.get
backupdr.backupVaults.list
backupdr.locations.list
backupdr.operations.get
backupdr.operations.list
backupdr.
compute.acceleratorTypes.*
compute.
compute.
compute.addresses.get
compute.addresses.list
compute.
compute.
compute.addresses.use
compute.addresses.useInternal
compute.autoscalers.*
compute.backendBuckets.get
compute.backendBuckets.list
compute.
compute.
compute.backendServices.get
compute.backendServices.list
compute.
compute.
compute.diskTypes.*
compute.
compute.disks.create
compute.disks.createSnapshot
compute.disks.createTagBinding
compute.disks.delete
compute.disks.deleteTagBinding
compute.disks.get
compute.disks.getIamPolicy
compute.disks.list
compute.
compute.disks.listTagBindings
compute.
compute.disks.resize
compute.disks.setLabels
compute.
compute.
compute.
compute.disks.update
compute.disks.use
compute.disks.useReadOnly
compute.
compute.
compute.
compute.
compute.firewalls.get
compute.firewalls.list
compute.
compute.
compute.forwardingRules.get
compute.forwardingRules.list
compute.
compute.
compute.globalAddresses.get
compute.globalAddresses.list
compute.
compute.
compute.globalAddresses.use
compute.
compute.
compute.
compute.
compute.
compute.
compute.globalOperations.get
compute.globalOperations.list
compute.healthChecks.get
compute.healthChecks.list
compute.
compute.
compute.httpHealthChecks.get
compute.httpHealthChecks.list
compute.
compute.
compute.httpsHealthChecks.get
compute.httpsHealthChecks.list
compute.
compute.
compute.images.create
compute.
compute.images.delete
compute.
compute.images.deprecate
compute.images.get
compute.images.getFromFamily
compute.images.getIamPolicy
compute.images.list
compute.
compute.images.listTagBindings
compute.images.setLabels
compute.images.update
compute.images.useReadOnly
compute.
compute.instanceGroups.*
compute.instanceSettings.*
compute.
compute.
compute.instanceTemplates.get
compute.
compute.instanceTemplates.list
compute.
compute.
compute.
compute.instances.attachDisk
compute.instances.create
compute.
compute.instances.delete
compute.
compute.
compute.instances.detachDisk
compute.instances.get
compute.
compute.
compute.instances.getIamPolicy
compute.
compute.
compute.
compute.
compute.instances.list
compute.
compute.
compute.
compute.instances.osAdminLogin
compute.instances.osLogin
compute.
compute.
compute.instances.reset
compute.instances.resume
compute.
compute.
compute.
compute.instances.setLabels
compute.
compute.
compute.instances.setMetadata
compute.
compute.instances.setName
compute.
compute.
compute.
compute.
compute.
compute.instances.setTags
compute.
compute.instances.start
compute.
compute.instances.stop
compute.instances.suspend
compute.instances.update
compute.
compute.
compute.
compute.
compute.
compute.
compute.instances.use
compute.instances.useReadOnly
compute.
compute.
compute.
compute.instantSnapshots.get
compute.
compute.instantSnapshots.list
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.interconnects.get
compute.interconnects.list
compute.
compute.
compute.licenseCodes.get
compute.
compute.licenseCodes.list
compute.licenseCodes.update
compute.licenses.create
compute.licenses.delete
compute.licenses.get
compute.licenses.getIamPolicy
compute.licenses.list
compute.machineImages.create
compute.machineImages.delete
compute.machineImages.get
compute.
compute.machineImages.list
compute.
compute.machineTypes.*
compute.multiMig.*
compute.networkAttachments.get
compute.
compute.
compute.
compute.
compute.networkProfiles.*
compute.networks.get
compute.networks.list
compute.
compute.
compute.networks.use
compute.networks.useExternalIp
compute.projects.get
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.regionHealthChecks.get
compute.
compute.
compute.
compute.
compute.
compute.
compute.regionOperations.get
compute.regionOperations.list
compute.
compute.
compute.
compute.
compute.regionSslPolicies.get
compute.regionSslPolicies.list
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.regionUrlMaps.get
compute.regionUrlMaps.list
compute.
compute.
compute.regions.*
compute.reservationBlocks.*
compute.reservations.get
compute.reservations.list
compute.
compute.
compute.resourcePolicies.get
compute.
compute.resourcePolicies.list
compute.
compute.resourcePolicies.use
compute.
compute.routers.get
compute.routers.getRoutePolicy
compute.routers.list
compute.routers.listBgpRoutes
compute.
compute.
compute.
compute.routes.get
compute.routes.list
compute.
compute.routes.listTagBindings
compute.serviceAttachments.get
compute.
compute.
compute.
compute.snapshots.create
compute.
compute.snapshots.delete
compute.
compute.snapshots.get
compute.snapshots.getIamPolicy
compute.snapshots.list
compute.
compute.
compute.snapshots.setLabels
compute.snapshots.useReadOnly
compute.spotAssistants.get
compute.sslCertificates.get
compute.sslCertificates.list
compute.
compute.
compute.sslPolicies.get
compute.sslPolicies.list
compute.
compute.
compute.
compute.storagePools.get
compute.storagePools.list
compute.storagePools.use
compute.subnetworks.get
compute.subnetworks.list
compute.
compute.
compute.subnetworks.use
compute.
compute.targetGrpcProxies.get
compute.targetGrpcProxies.list
compute.
compute.
compute.targetHttpProxies.get
compute.targetHttpProxies.list
compute.
compute.
compute.targetHttpsProxies.get
compute.
compute.
compute.
compute.targetInstances.get
compute.targetInstances.list
compute.
compute.
compute.targetPools.get
compute.targetPools.list
compute.
compute.
compute.targetSslProxies.get
compute.targetSslProxies.list
compute.
compute.
compute.targetTcpProxies.get
compute.targetTcpProxies.list
compute.
compute.
compute.targetVpnGateways.get
compute.targetVpnGateways.list
compute.
compute.
compute.urlMaps.get
compute.urlMaps.list
compute.
compute.
compute.vpnGateways.get
compute.vpnGateways.list
compute.
compute.
compute.vpnTunnels.get
compute.vpnTunnels.list
compute.
compute.
compute.zoneOperations.get
compute.zoneOperations.list
compute.zones.*
iam.serviceAccounts.actAs
pubsub.topics.publish
resourcemanager.projects.get
resourcemanager.projects.list
serviceusage.quotas.get
serviceusage.services.get
serviceusage.services.list
serviceusage.services.use
BigQuery Connection Service Agent
(roles/)
Gives BigQuery Connection Service access to Cloud SQL instances in user projects.
Warning: Do not grant service agent roles to any principals except
service agents .
cloudsql.instances.connect
cloudsql.instances.get
logging.logEntries.create
logging.logEntries.route
monitoring.
monitoring.
monitoring.
monitoring.
monitoring.timeSeries.create
BigQuery Continuous Query Service Agent
(roles/)
Gives BigQuery Continuous Query access to the service accounts in the user project.
Warning: Do not grant service agent roles to any principals except
service agents .
iam.
BigQuery Data Transfer Service Agent
(roles/)
Gives BigQuery Data Transfer Service access to start BigQuery jobs in consumer project.
Warning: Do not grant service agent roles to any principals except
service agents .
bigquery.config.get
bigquery.jobs.create
compute.networkAttachments.get
compute.
compute.regionOperations.get
compute.subnetworks.use
dataform.locations.*
dataform.repositories.create
dataform.repositories.list
iam.
logging.logEntries.create
logging.logEntries.route
resourcemanager.projects.get
resourcemanager.projects.list
BigQuery Omni Service Agent
(roles/)
Gives BigQuery Omni access to tables in user projects.
Warning: Do not grant service agent roles to any principals except
service agents .
bigquery.jobs.create
bigquery.tables.updateData
BigQuery Spark Service Agent
(roles/)
Gives BigQuery Spark access to the service accounts in the user project.
Warning: Do not grant service agent roles to any principals except
service agents .
iam.
Binary Authorization Service Agent
(roles/)
Can read Notes and Occurrences from the Container Analysis Service to find and verify signatures.
Warning: Do not grant service agent roles to any principals except
service agents .
artifactregistry.
artifactregistry.
binaryauthorization.
binaryauthorization.
binaryauthorization.
binaryauthorization.
binaryauthorization.
cloudasset.
cloudasset.feeds.create
cloudasset.feeds.delete
cloudasset.feeds.get
cloudasset.feeds.update
containeranalysis.notes.get
containeranalysis.notes.list
containeranalysis.
containeranalysis.
containeranalysis.
resourcemanager.projects.get
resourcemanager.projects.list
storage.objects.list
Blockchain Node Engine Service Agent
(roles/)
Grants Blockchain Node Engine access to metrics in user project
Warning: Do not grant service agent roles to any principals except
service agents .
monitoring.timeSeries.list
Certificate Manager Service Agent
(roles/)
Grants Certificate Manager access to services and APIs in the user project.
Warning: Do not grant service agent roles to any principals except
service agents .
certificatemanager.
Chronicle Service Agent
(roles/)
Grants Chronicle scoped access to customer project
Warning: Do not grant service agent roles to any principals except
service agents .
bigquery.connections.create
bigquery.connections.delegate
bigquery.connections.delete
bigquery.connections.get
bigquery.
bigquery.connections.list
bigquery.connections.update
bigquery.connections.updateTag
bigquery.connections.use
bigquery.datasets.create
bigquery.jobs.create
bigquery.jobs.get
bigquery.tables.create
bigquery.tables.delete
bigquery.tables.get
bigquery.tables.update
bigquery.tables.updateData
chronicle.instances.get
monitoring.alertPolicies.*
serviceusage.quotas.get
serviceusage.services.enable
serviceusage.services.get
serviceusage.services.list
storage.buckets.create
storage.buckets.get
storage.buckets.getIamPolicy
storage.buckets.setIamPolicy
storage.objects.create
storage.objects.delete
storage.objects.get
Chronicle SOAR Service Agent
(roles/)
Gives Chronicle SOAR the ability to perform remediation on Cloud Platform resources.
Warning: Do not grant service agent roles to any principals except
service agents .
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
compute.firewalls.get
compute.firewalls.update
compute.
compute.instances.get
compute.instances.list
compute.instances.stop
compute.
compute.networks.updatePolicy
compute.zones.list
iam.serviceAccounts.disable
iam.serviceAccounts.list
recommender.
resourcemanager.
securitycenter.
securitycenter.findings.list
securitycenter.
securitycenter.
securitycenter.findings.update
securitycenter.
securitycenter.
securitycenter.
securitycenter.
securitycenter.sources.list
storage.buckets.get
storage.buckets.getIamPolicy
storage.buckets.list
storage.buckets.update
CIEM Service Agent
(roles/)
Gives CIEM Service Account permission to access GCP resources
Warning: Do not grant service agent roles to any principals except
service agents .
cloudasset.
cloudasset.
resourcemanager.
Gemini for Google Cloud Service Agent
(roles/)
Gives Gemini for Google Cloud components the proper permissions to function.
Warning: Do not grant service agent roles to any principals except
service agents .
cloudaicompanion.
cloudaicompanion.
cloudaicompanion.
cloudaicompanion.
cloudaicompanion.
cloudbuild.connections.get
cloudbuild.
cloudbuild.
cloudbuild.repositories.get
cloudbuild.repositories.list
developerconnect.
developerconnect.
developerconnect.
developerconnect.
developerconnect.
logging.logEntries.create
logging.logEntries.route
monitoring.
monitoring.
monitoring.
monitoring.
monitoring.timeSeries.create
serviceusage.services.use
Effective Policies Service Agent
(roles/)
Give effective policy service account access to search all resources and IAM policies.
Warning: Do not grant service agent roles to any principals except
service agents .
cloudasset.
cloudasset.
Cloud Asset Service Agent
(roles/)
Gives Cloud Asset service agent permissions to Cloud Storage and BigQuery for exporting Assets, and permission to publish to Cloud Pub/Sub topics for Asset Real Time Feed.
Warning: Do not grant service agent roles to any principals except
service agents .
bigquery.datasets.get
bigquery.jobs.create
bigquery.jobs.get
bigquery.tables.create
bigquery.tables.delete
bigquery.tables.get
bigquery.tables.update
bigquery.tables.updateData
pubsub.topics.publish
storage.buckets.create
storage.buckets.get
storage.buckets.getIamPolicy
storage.objects.create
storage.objects.delete
storage.objects.get
Cloud Build Logging Service Agent
(roles/)
Gives the Cloud Build logging-specific service account access to write logs.
Warning: Do not grant service agent roles to any principals except
service agents .
logging.buckets.write
Cloud Build Service Agent
(roles/)
Gives Cloud Build service account access to managed resources.
Warning: Do not grant service agent roles to any principals except
service agents .
artifactregistry.
artifactregistry.
artifactregistry.
artifactregistry.
artifactregistry.
artifactregistry.
artifactregistry.files.get
artifactregistry.files.list
artifactregistry.files.update
artifactregistry.files.upload
artifactregistry.
artifactregistry.locations.*
artifactregistry.
artifactregistry.npmpackages.*
artifactregistry.packages.get
artifactregistry.packages.list
artifactregistry.
artifactregistry.
artifactregistry.
artifactregistry.
artifactregistry.
artifactregistry.
artifactregistry.
artifactregistry.
artifactregistry.
artifactregistry.
artifactregistry.
artifactregistry.
artifactregistry.rules.get
artifactregistry.rules.list
artifactregistry.tags.create
artifactregistry.tags.get
artifactregistry.tags.list
artifactregistry.tags.update
artifactregistry.versions.get
artifactregistry.versions.list
artifactregistry.
binaryauthorization.
binaryauthorization.
binaryauthorization.
binaryauthorization.
binaryauthorization.
binaryauthorization.
cloudbuild.builds.create
cloudbuild.builds.get
cloudbuild.builds.list
cloudbuild.builds.update
cloudbuild.connections.get
cloudbuild.operations.*
cloudbuild.
cloudbuild.
cloudbuild.repositories.get
cloudbuild.repositories.list
cloudbuild.workerpools.use
compute.firewalls.get
compute.firewalls.list
compute.networkAttachments.get
compute.
compute.networks.get
compute.regionOperations.get
compute.subnetworks.get
containeranalysis.
containeranalysis.notes.create
containeranalysis.notes.delete
containeranalysis.notes.get
containeranalysis.notes.list
containeranalysis.notes.update
containeranalysis.
containeranalysis.
containeranalysis.
containeranalysis.
containeranalysis.
developerconnect.
iam.serviceAccounts.get
iam.
iam.
logging.buckets.create
logging.buckets.get
logging.buckets.list
logging.logEntries.create
logging.logEntries.list
logging.views.access
pubsub.subscriptions.create
pubsub.subscriptions.delete
pubsub.subscriptions.get
pubsub.subscriptions.update
pubsub.
pubsub.topics.create
pubsub.topics.get
pubsub.topics.publish
remotebuildexecution.blobs.get
resourcemanager.projects.get
resourcemanager.projects.list
servicedirectory.endpoints.get
servicedirectory.
servicedirectory.
servicedirectory.locations.*
servicedirectory.
servicedirectory.
servicedirectory.
servicedirectory.
servicedirectory.services.get
servicedirectory.
servicedirectory.services.list
servicedirectory.
serviceusage.services.use
source.repos.get
source.repos.list
storage.buckets.create
storage.buckets.get
storage.buckets.list
storage.objects.create
storage.objects.delete
storage.objects.get
storage.objects.list
storage.objects.update
Infrastructure Manager Service Agent
(roles/)
Gives Infrastructure Manager service agent access to managed resources
Warning: Do not grant service agent roles to any principals except
service agents .
cloudbuild.builds.create
cloudbuild.builds.get
cloudbuild.builds.list
cloudbuild.builds.update
cloudbuild.workerpools.use
iam.serviceAccounts.actAs
iam.
logging.logEntries.create
logging.logEntries.route
serviceusage.services.use
storage.buckets.create
storage.buckets.delete
storage.buckets.get
storage.buckets.list
storage.buckets.update
storage.objects.create
storage.objects.delete
storage.objects.get
storage.objects.list
storage.objects.update
Cloud Controls Partner Access Approval Service Agent
(roles/)
Gives the Partner Console service account access to read Access Approval Requests for workloads associated with a partner.
Warning: Do not grant service agent roles to any principals except
service agents .
accessapproval.requests.get
accessapproval.requests.list
Cloud Controls Partner EKM Service Agent
(roles/)
Gives Cloud Controls Partner service agent permission to list EKM connections, get EKM connection status, and provide EKM diagnostic information.
Warning: Do not grant service agent roles to any principals except
service agents .
cloudkms.ekmConnections.get
cloudkms.
cloudkms.ekmConnections.list
cloudkms.
Cloud Controls Partner Monitoring Service Agent
(roles/)
Gives Cloud Controls Partner monitoring service agent permission to view and list Assured Workload violations. The role is assigned to enable partner monitoring capability.
Warning: Do not grant service agent roles to any principals except
service agents .
assuredworkloads.
assuredworkloads.
Cloud Controls Partner Support Case Service Agent
(roles/)
Gives the Partner Console service account access to support cases for workloads associated with a partner.
Warning: Do not grant service agent roles to any principals except
service agents .
cloudsupport.techCases.get
Cloud Deploy Service Agent
(roles/)
Gives Cloud Deploy Service Account access to managed resources.
Warning: Do not grant service agent roles to any principals except
service agents .
cloudbuild.builds.create
cloudbuild.builds.get
cloudbuild.builds.list
cloudbuild.builds.update
cloudbuild.workerpools.use
iam.serviceAccounts.actAs
iam.
logging.logEntries.create
pubsub.topics.get
pubsub.topics.publish
servicemanagement.
serviceusage.services.use
storage.buckets.create
storage.buckets.get
storage.objects.get
Cloud Deployment Manager Service Agent
(roles/)
Allows Deployment Manager service to actuate resources across DM projects and folders
Warning: Do not grant service agent roles to any principals except
service agents .
accesscontextmanager.
accesscontextmanager.
accesscontextmanager.
accesscontextmanager.
accesscontextmanager.
accesscontextmanager.
accesscontextmanager.
accesscontextmanager.
accesscontextmanager.
appengine.applications.get
appengine.operations.get
appengine.services.update
appengine.versions.create
appengine.versions.delete
appengine.versions.get
appengine.versions.list
artifactregistry.
artifactregistry.
artifactregistry.
artifactregistry.
bigquery.connections.get
bigquery.datasets.create
bigquery.datasets.delete
bigquery.datasets.get
bigquery.datasets.getIamPolicy
bigquery.datasets.update
bigquery.jobs.create
bigquery.routines.create
bigquery.routines.get
bigquery.routines.update
bigquery.tables.create
bigquery.tables.delete
bigquery.tables.get
bigquery.tables.getData
bigquery.tables.setCategory
bigquery.tables.update
bigquery.tables.updateData
bigtable.instances.create
bigtable.instances.delete
bigtable.instances.get
bigtable.instances.update
bigtable.tables.create
bigtable.tables.delete
bigtable.tables.get
bigtable.tables.update
billing.
billing.resourcebudgets.write
cloudbuild.builds.create
cloudbuild.builds.get
cloudfunctions.functions.call
cloudfunctions.
cloudfunctions.
cloudfunctions.functions.get
cloudfunctions.
cloudfunctions.functions.list
cloudfunctions.
cloudfunctions.operations.get
cloudprivatecatalog.
cloudscheduler.jobs.create
cloudscheduler.jobs.delete
cloudscheduler.jobs.get
cloudscheduler.jobs.update
cloudsql.backupRuns.create
cloudsql.databases.*
cloudsql.instances.create
cloudsql.instances.delete
cloudsql.instances.get
cloudsql.instances.import
cloudsql.instances.restart
cloudsql.instances.update
cloudsql.sslCerts.create
cloudsql.sslCerts.delete
cloudsql.sslCerts.get
cloudsql.users.create
cloudsql.users.delete
cloudtasks.queues.create
cloudtasks.queues.delete
cloudtasks.queues.get
compute.addresses.create
compute.
compute.addresses.delete
compute.
compute.addresses.get
compute.addresses.list
compute.addresses.setLabels
compute.addresses.use
compute.addresses.useInternal
compute.autoscalers.create
compute.autoscalers.delete
compute.autoscalers.get
compute.autoscalers.update
compute.backendBuckets.create
compute.backendBuckets.delete
compute.backendBuckets.get
compute.backendBuckets.update
compute.backendBuckets.use
compute.backendServices.create
compute.backendServices.delete
compute.backendServices.get
compute.
compute.backendServices.update
compute.backendServices.use
compute.
compute.disks.create
compute.disks.delete
compute.disks.get
compute.
compute.disks.resize
compute.disks.setLabels
compute.disks.update
compute.disks.use
compute.disks.useReadOnly
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.firewallPolicies.get
compute.firewalls.create
compute.firewalls.delete
compute.firewalls.get
compute.firewalls.list
compute.firewalls.update
compute.forwardingRules.create
compute.forwardingRules.delete
compute.forwardingRules.get
compute.
compute.
compute.
compute.
compute.forwardingRules.update
compute.forwardingRules.use
compute.globalAddresses.create
compute.
compute.globalAddresses.delete
compute.
compute.globalAddresses.get
compute.
compute.globalAddresses.use
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.globalOperations.get
compute.healthChecks.create
compute.healthChecks.delete
compute.healthChecks.get
compute.healthChecks.update
compute.healthChecks.use
compute.
compute.
compute.
compute.httpHealthChecks.get
compute.
compute.httpHealthChecks.use
compute.
compute.
compute.
compute.httpsHealthChecks.get
compute.
compute.httpsHealthChecks.use
compute.
compute.images.create
compute.images.delete
compute.images.deprecate
compute.images.get
compute.images.setLabels
compute.images.useReadOnly
compute.
compute.
compute.
compute.
compute.
compute.instanceGroups.create
compute.instanceGroups.delete
compute.instanceGroups.get
compute.instanceGroups.update
compute.instanceGroups.use
compute.
compute.
compute.instanceTemplates.get
compute.
compute.
compute.instances.create
compute.instances.delete
compute.
compute.instances.get
compute.
compute.instances.resume
compute.
compute.
compute.instances.setLabels
compute.instances.setMetadata
compute.
compute.instances.setTags
compute.instances.start
compute.instances.stop
compute.instances.suspend
compute.instances.update
compute.
compute.instances.use
compute.
compute.
compute.
compute.
compute.
compute.interconnects.create
compute.interconnects.delete
compute.interconnects.get
compute.
compute.interconnects.use
compute.
compute.machineTypes.get
compute.
compute.
compute.
compute.
compute.
compute.networks.addPeering
compute.networks.create
compute.networks.delete
compute.networks.get
compute.
compute.networks.removePeering
compute.
compute.networks.update
compute.networks.updatePolicy
compute.networks.use
compute.networks.useExternalIp
compute.
compute.
compute.
compute.
compute.
compute.packetMirrorings.get
compute.projects.get
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.regionHealthChecks.get
compute.
compute.regionHealthChecks.use
compute.
compute.
compute.
compute.
compute.
compute.regionOperations.get
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.regionUrlMaps.create
compute.regionUrlMaps.delete
compute.regionUrlMaps.get
compute.regionUrlMaps.use
compute.regions.get
compute.reservations.list
compute.
compute.
compute.resourcePolicies.get
compute.resourcePolicies.use
compute.routers.create
compute.routers.delete
compute.routers.get
compute.routers.update
compute.routers.use
compute.routes.create
compute.routes.delete
compute.routes.get
compute.
compute.
compute.securityPolicies.get
compute.
compute.
compute.securityPolicies.use
compute.
compute.serviceAttachments.get
compute.snapshots.useReadOnly
compute.sslCertificates.create
compute.sslCertificates.delete
compute.sslCertificates.get
compute.sslPolicies.create
compute.sslPolicies.delete
compute.sslPolicies.get
compute.sslPolicies.use
compute.subnetworks.create
compute.subnetworks.delete
compute.
compute.subnetworks.get
compute.subnetworks.list
compute.subnetworks.mirror
compute.subnetworks.update
compute.subnetworks.use
compute.
compute.
compute.
compute.targetHttpProxies.get
compute.targetHttpProxies.use
compute.
compute.
compute.targetHttpsProxies.get
compute.
compute.
compute.targetHttpsProxies.use
compute.targetInstances.create
compute.targetInstances.delete
compute.targetInstances.get
compute.targetInstances.use
compute.
compute.
compute.targetPools.create
compute.targetPools.delete
compute.targetPools.get
compute.
compute.
compute.targetPools.use
compute.
compute.
compute.targetSslProxies.get
compute.
compute.targetSslProxies.use
compute.
compute.
compute.targetTcpProxies.get
compute.targetTcpProxies.use
compute.
compute.
compute.targetVpnGateways.get
compute.
compute.targetVpnGateways.use
compute.urlMaps.create
compute.urlMaps.delete
compute.urlMaps.get
compute.urlMaps.update
compute.urlMaps.use
compute.vpnGateways.create
compute.vpnGateways.delete
compute.vpnGateways.get
compute.vpnGateways.setLabels
compute.vpnGateways.use
compute.vpnTunnels.create
compute.vpnTunnels.delete
compute.vpnTunnels.get
compute.vpnTunnels.setLabels
compute.zoneOperations.get
compute.zoneOperations.list
compute.zones.get
container.
container.
container.backendConfigs.get
container.
container.
container.
container.clusterRoles.bind
container.clusterRoles.create
container.clusterRoles.delete
container.
container.clusterRoles.get
container.clusters.create
container.clusters.delete
container.clusters.get
container.
container.clusters.update
container.configMaps.create
container.configMaps.delete
container.configMaps.get
container.configMaps.update
container.cronJobs.create
container.cronJobs.delete
container.cronJobs.get
container.cronJobs.update
container.daemonSets.create
container.daemonSets.delete
container.daemonSets.get
container.daemonSets.update
container.deployments.create
container.deployments.delete
container.deployments.get
container.deployments.update
container.
container.
container.frontendConfigs.get
container.
container.
container.
container.ingresses.create
container.ingresses.delete
container.ingresses.get
container.jobs.create
container.jobs.delete
container.jobs.get
container.
container.
container.
container.
container.
container.namespaces.create
container.namespaces.delete
container.namespaces.get
container.
container.
container.networkPolicies.get
container.operations.get
container.
container.
container.
container.
container.
container.
container.
container.priorityClasses.get
container.
container.
container.
container.roleBindings.create
container.roleBindings.delete
container.roleBindings.get
container.roles.bind
container.roles.create
container.roles.delete
container.roles.escalate
container.roles.get
container.roles.update
container.secrets.create
container.secrets.delete
container.secrets.get
container.secrets.update
container.
container.
container.serviceAccounts.get
container.
container.services.create
container.services.delete
container.services.get
container.statefulSets.create
container.statefulSets.delete
container.statefulSets.get
container.statefulSets.update
container.
container.
container.storageClasses.get
container.
container.
container.
container.
container.
container.
datacatalog.taxonomies.get
dataproc.
dataproc.
dataproc.
dataproc.
dataproc.clusters.create
dataproc.clusters.delete
dataproc.clusters.get
dataproc.nodeGroups.create
dataproc.operations.get
dataproc.
dataproc.
dataproc.workflowTemplates.get
deploymentmanager.
deploymentmanager.
deploymentmanager.
deploymentmanager.
deploymentmanager.
deploymentmanager.
deploymentmanager.
deploymentmanager.
deploymentmanager.
deploymentmanager.
dns.changes.*
dns.managedZones.create
dns.managedZones.delete
dns.managedZones.get
dns.managedZones.list
dns.managedZones.update
dns.
dns.
dns.policies.delete
dns.policies.get
dns.resourceRecordSets.create
dns.resourceRecordSets.delete
dns.resourceRecordSets.list
dns.resourceRecordSets.update
file.instances.create
file.instances.delete
file.instances.get
file.instances.update
file.operations.get
firebase.projects.get
firebase.projects.update
firebaseanalytics.
iam.roles.create
iam.roles.delete
iam.roles.get
iam.roles.list
iam.roles.update
iam.serviceAccountKeys.delete
iam.serviceAccountKeys.get
iam.serviceAccounts.actAs
iam.serviceAccounts.create
iam.serviceAccounts.delete
iam.serviceAccounts.get
iam.serviceAccounts.list
iam.serviceAccounts.update
logging.buckets.update
logging.exclusions.create
logging.exclusions.delete
logging.exclusions.get
logging.exclusions.update
logging.logEntries.create
logging.logMetrics.create
logging.logMetrics.delete
logging.logMetrics.get
logging.logMetrics.update
logging.
logging.sinks.create
logging.sinks.delete
logging.sinks.get
logging.sinks.update
monitoring.alertPolicies.*
monitoring.dashboards.create
monitoring.dashboards.delete
monitoring.dashboards.get
monitoring.dashboards.update
monitoring.groups.create
monitoring.groups.delete
monitoring.groups.get
monitoring.groups.update
monitoring.
monitoring.
monitoring.
monitoring.
monitoring.
monitoring.
monitoring.
monitoring.
monitoring.
monitoring.
monitoring.
networksecurity.
pubsub.schemas.attach
pubsub.subscriptions.create
pubsub.subscriptions.delete
pubsub.subscriptions.get
pubsub.subscriptions.update
pubsub.
pubsub.topics.create
pubsub.topics.delete
pubsub.topics.get
pubsub.topics.getIamPolicy
pubsub.topics.publish
pubsub.topics.update
redis.instances.create
redis.instances.delete
redis.instances.get
redis.instances.update
redis.instances.updateAuth
redis.operations.get
resourcemanager.folders.create
resourcemanager.folders.delete
resourcemanager.folders.get
resourcemanager.
resourcemanager.folders.list
resourcemanager.folders.update
resourcemanager.
resourcemanager.
resourcemanager.
resourcemanager.
resourcemanager.
resourcemanager.projects.get
resourcemanager.
resourcemanager.projects.list
resourcemanager.projects.move
resourcemanager.
resourcemanager.
resourcemanager.
resourcemanager.
resourcemanager.
resourcemanager.tagValues.get
runtimeconfig.configs.create
runtimeconfig.configs.delete
runtimeconfig.configs.get
runtimeconfig.configs.list
runtimeconfig.configs.update
runtimeconfig.variables.create
runtimeconfig.variables.delete
runtimeconfig.variables.get
runtimeconfig.variables.list
runtimeconfig.variables.update
runtimeconfig.waiters.create
runtimeconfig.waiters.delete
runtimeconfig.waiters.get
runtimeconfig.waiters.list
servicedirectory.
servicedirectory.
servicedirectory.
servicedirectory.
servicemanagement.
servicenetworking.
servicenetworking.
servicenetworking.services.get
serviceusage.services.disable
serviceusage.services.enable
serviceusage.services.get
serviceusage.services.use
source.repos.create
spanner.databaseOperations.get
spanner.databases.create
spanner.databases.drop
spanner.databases.get
spanner.databases.updateDdl
spanner.instanceOperations.get
spanner.instances.create
spanner.instances.delete
spanner.instances.get
spanner.instances.update
storage.buckets.create
storage.buckets.delete
storage.buckets.get
storage.buckets.getIamPolicy
storage.buckets.update
storage.hmacKeys.create
storage.objects.create
storage.objects.delete
storage.objects.get
storage.objects.getIamPolicy
storage.objects.list
vpcaccess.connectors.create
vpcaccess.connectors.delete
vpcaccess.operations.get
workflows.operations.get
workflows.workflows.create
workflows.workflows.delete
workflows.workflows.get
Cloud Functions Service Agent
(roles/)
Gives Cloud Functions service account access to managed resources.
Warning: Do not grant service agent roles to any principals except
service agents .
artifactregistry.
artifactregistry.attachments.*
artifactregistry.
artifactregistry.files.*
artifactregistry.
artifactregistry.locations.*
artifactregistry.
artifactregistry.npmpackages.*
artifactregistry.packages.*
artifactregistry.
artifactregistry.
artifactregistry.
artifactregistry.
artifactregistry.
artifactregistry.
artifactregistry.
artifactregistry.
artifactregistry.
artifactregistry.
artifactregistry.
artifactregistry.
artifactregistry.
artifactregistry.
artifactregistry.
artifactregistry.
artifactregistry.
artifactregistry.rules.*
artifactregistry.tags.*
artifactregistry.versions.*
artifactregistry.
clientauthconfig.clients.list
cloudbuild.builds.create
cloudbuild.builds.get
cloudbuild.builds.list
cloudbuild.builds.update
cloudbuild.operations.*
cloudbuild.workerpools.use
cloudfunctions.functions.get
cloudfunctions.
cloudfunctions.functions.list
cloudfunctions.operations.*
compute.globalOperations.get
compute.networks.access
eventarc.
eventarc.
eventarc.
eventarc.
eventarc.
eventarc.
eventarc.channels.attach
eventarc.channels.create
eventarc.channels.delete
eventarc.channels.get
eventarc.channels.getIamPolicy
eventarc.channels.list
eventarc.channels.publish
eventarc.channels.undelete
eventarc.channels.update
eventarc.enrollments.create
eventarc.enrollments.delete
eventarc.enrollments.get
eventarc.
eventarc.enrollments.list
eventarc.enrollments.update
eventarc.
eventarc.
eventarc.googleApiSources.get
eventarc.
eventarc.googleApiSources.list
eventarc.
eventarc.
eventarc.locations.*
eventarc.operations.*
eventarc.pipelines.create
eventarc.pipelines.delete
eventarc.pipelines.get
eventarc.
eventarc.pipelines.list
eventarc.pipelines.update
eventarc.providers.*
eventarc.triggers.create
eventarc.triggers.delete
eventarc.triggers.get
eventarc.triggers.getIamPolicy
eventarc.triggers.list
eventarc.triggers.undelete
eventarc.triggers.update
firebasedatabase.instances.get
firebasedatabase.
iam.serviceAccounts.actAs
iam.
iam.
iam.serviceAccounts.signBlob
pubsub.subscriptions.*
pubsub.
pubsub.topics.create
pubsub.topics.get
pubsub.topics.list
recommender.locations.*
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
remotebuildexecution.blobs.get
resourcemanager.projects.get
resourcemanager.
resourcemanager.projects.list
run.configurations.*
run.executions.*
run.jobs.create
run.jobs.delete
run.jobs.get
run.jobs.getIamPolicy
run.jobs.list
run.jobs.listEffectiveTags
run.jobs.listTagBindings
run.jobs.run
run.jobs.runWithOverrides
run.jobs.update
run.locations.list
run.operations.*
run.revisions.*
run.routes.*
run.services.create
run.services.delete
run.services.get
run.services.getIamPolicy
run.services.list
run.services.listEffectiveTags
run.services.listTagBindings
run.services.update
run.tasks.*
serviceusage.quotas.get
serviceusage.services.disable
serviceusage.services.enable
serviceusage.services.get
serviceusage.services.use
source.repos.get
source.repos.list
storage.buckets.create
storage.buckets.delete
storage.buckets.get
storage.buckets.update
storage.objects.create
storage.objects.delete
storage.objects.get
storage.objects.list
vpcaccess.connectors.get
vpcaccess.connectors.use
Cloud IoT Core Service Agent
(roles/)
Grants the ability to manage Cloud IoT Core resources, including publishing data to Cloud Pub/Sub and writing device activity logs to Stackdriver. Warning: If this role is removed from the Cloud IoT service account, Cloud IoT Core will be unable to publish data or write device activity logs.
Warning: Do not grant service agent roles to any principals except
service agents .
logging.logEntries.create
logging.logEntries.route
pubsub.topics.publish
Cloud KMS Organization Service Agent
(roles/)
Gives Cloud KMS organization-level service account access to managed resources.
Warning: Do not grant service agent roles to any principals except
service agents .
cloudasset.
Cloud KMS Service Agent
(roles/)
Gives Cloud KMS service account access to managed resources.
Warning: Do not grant service agent roles to any principals except
service agents .
cloudasset.
Cloud KMS KACLS Service Agent
(roles/)
Grants Cloud KMS KACLS Service Agent access to KMS resource permissions to perform DEK encryption/decryption.
Warning: Do not grant service agent roles to any principals except
service agents .
cloudkms.
cloudkms.
cloudkms.cryptoKeys.get
Cloud Optimization Service Agent
(roles/)
Grants Cloud Optimization Service Account access to read and write data in the user project.
Warning: Do not grant service agent roles to any principals except
service agents .
storage.buckets.get
storage.objects.create
storage.objects.delete
storage.objects.get
storage.objects.list
storage.objects.update
Cloud Scheduler Service Agent
(roles/)
Grants Cloud Scheduler Service Account access to manage resources.
Warning: Do not grant service agent roles to any principals except
service agents .
iam.
iam.
logging.logEntries.create
logging.logEntries.route
pubsub.topics.publish
Cloud SQL Service Agent
(roles/)
Grants Cloud SQL access to services and APIs in the user project
Warning: Do not grant service agent roles to any principals except
service agents .
cloudsql.instances.get
Cloud Tasks Service Agent
(roles/)
Grants Cloud Tasks Service Account access to manage resources.
Warning: Do not grant service agent roles to any principals except
service agents .
iam.
iam.
logging.logEntries.create
Cloud TPU V2 API Service Agent
(roles/)
Give Cloud TPUs service account access to managed resources
Warning: Do not grant service agent roles to any principals except
service agents .
backupdr.
backupdr.
backupdr.
backupdr.
backupdr.backupPlans.get
backupdr.backupPlans.list
backupdr.
backupdr.backupVaults.get
backupdr.backupVaults.list
backupdr.locations.list
backupdr.operations.get
backupdr.operations.list
backupdr.
compute.acceleratorTypes.*
compute.addresses.*
compute.autoscalers.*
compute.backendBuckets.*
compute.backendServices.*
compute.diskTypes.*
compute.disks.*
compute.externalVpnGateways.*
compute.firewallPolicies.get
compute.firewallPolicies.list
compute.
compute.
compute.firewallPolicies.use
compute.firewalls.create
compute.firewalls.delete
compute.firewalls.get
compute.firewalls.list
compute.
compute.
compute.firewalls.update
compute.forwardingRules.*
compute.globalAddresses.*
compute.
compute.
compute.globalOperations.get
compute.globalOperations.list
compute.
compute.
compute.
compute.
compute.healthChecks.*
compute.httpHealthChecks.*
compute.httpsHealthChecks.*
compute.images.*
compute.
compute.instanceGroups.*
compute.instanceSettings.*
compute.instanceTemplates.*
compute.instances.*
compute.instantSnapshots.*
compute.
compute.
compute.
compute.interconnects.*
compute.licenseCodes.*
compute.licenses.*
compute.machineImages.*
compute.machineTypes.*
compute.multiMig.*
compute.networkAttachments.*
compute.
compute.networkProfiles.*
compute.networks.*
compute.packetMirrorings.get
compute.packetMirrorings.list
compute.
compute.
compute.projects.get
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.regionHealthChecks.*
compute.
compute.
compute.regionOperations.get
compute.regionOperations.list
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.regionSslPolicies.*
compute.
compute.
compute.
compute.regionUrlMaps.*
compute.regions.*
compute.reservationBlocks.*
compute.reservations.get
compute.reservations.list
compute.resourcePolicies.*
compute.routers.*
compute.routes.*
compute.securityPolicies.get
compute.securityPolicies.list
compute.
compute.
compute.securityPolicies.use
compute.serviceAttachments.*
compute.snapshots.*
compute.spotAssistants.get
compute.sslCertificates.get
compute.sslCertificates.list
compute.
compute.
compute.sslPolicies.*
compute.storagePools.get
compute.storagePools.list
compute.storagePools.use
compute.subnetworks.*
compute.targetGrpcProxies.*
compute.targetHttpProxies.*
compute.targetHttpsProxies.*
compute.targetInstances.*
compute.targetPools.*
compute.targetSslProxies.*
compute.targetTcpProxies.*
compute.targetVpnGateways.*
compute.urlMaps.*
compute.vpnGateways.*
compute.vpnTunnels.*
compute.zoneOperations.get
compute.zoneOperations.list
compute.zones.*
iam.serviceAccounts.actAs
iam.serviceAccounts.get
iam.serviceAccounts.list
logging.logEntries.create
logging.logEntries.route
monitoring.
monitoring.
monitoring.
monitoring.
monitoring.timeSeries.create
networkconnectivity.
networkconnectivity.
networkconnectivity.
networkconnectivity.
networkconnectivity.
networkconnectivity.
networkconnectivity.
networkconnectivity.
networkmanagement.
networkmanagement.
networksecurity.
networksecurity.
networksecurity.
networksecurity.
networksecurity.
networksecurity.
networksecurity.
networksecurity.
networksecurity.locations.*
networksecurity.operations.*
networksecurity.
networksecurity.
networksecurity.
networksecurity.
networksecurity.urlLists.*
networkservices.*
pubsub.*
resourcemanager.projects.get
resourcemanager.projects.list
servicedirectory.
servicedirectory.
servicedirectory.
servicedirectory.
servicenetworking.
servicenetworking.
servicenetworking.
servicenetworking.
servicenetworking.
servicenetworking.
servicenetworking.
servicenetworking.services.get
servicenetworking.
serviceusage.quotas.get
serviceusage.services.get
serviceusage.services.list
trafficdirector.*
Cloud Translation API Service Agent
(roles/)
Gives Cloud Translation Service Account access to consumer resources.
Warning: Do not grant service agent roles to any principals except
service agents .
automl.datasets.export
automl.datasets.get
automl.datasets.list
automl.models.get
automl.models.list
automl.operations.get
storage.buckets.get
storage.objects.create
storage.objects.get
storage.objects.list
Compliance Scanning Service Agent
(roles/)
Gives Compliance Scanning the access it needs to analyze containers and VMs for compliance and create occurrences using the Container Analysis API
Warning: Do not grant service agent roles to any principals except
service agents .
artifactregistry.
artifactregistry.
artifactregistry.files.get
artifactregistry.files.list
artifactregistry.locations.*
artifactregistry.
artifactregistry.npmpackages.*
artifactregistry.packages.get
artifactregistry.packages.list
artifactregistry.
artifactregistry.
artifactregistry.
artifactregistry.
artifactregistry.
artifactregistry.
artifactregistry.
artifactregistry.
artifactregistry.tags.get
artifactregistry.tags.list
artifactregistry.versions.get
artifactregistry.versions.list
compute.images.get
compute.images.list
compute.images.useReadOnly
compute.instances.get
compute.
compute.instances.list
compute.zones.*
containeranalysis.
containeranalysis.notes.create
containeranalysis.notes.delete
containeranalysis.notes.get
containeranalysis.notes.list
containeranalysis.notes.update
containeranalysis.
containeranalysis.
containeranalysis.
containeranalysis.
containeranalysis.
resourcemanager.projects.get
resourcemanager.projects.list
storage.objects.get
storage.objects.list
Cloud Composer API Service Agent
(roles/)
Cloud Composer API service agent can manage environments.
Warning: Do not grant service agent roles to any principals except
service agents .
appengine.applications.get
appengine.
appengine.applications.update
appengine.instances.*
appengine.memcache.addKey
appengine.memcache.flush
appengine.memcache.get
appengine.memcache.update
appengine.operations.*
appengine.runtimes.actAsAdmin
appengine.services.*
appengine.versions.create
appengine.versions.delete
appengine.versions.get
appengine.versions.list
appengine.versions.update
artifactregistry.
artifactregistry.
artifactregistry.
artifactregistry.
artifactregistry.
artifactregistry.
backupdr.
backupdr.
backupdr.
backupdr.
backupdr.backupPlans.get
backupdr.backupPlans.list
backupdr.
backupdr.backupVaults.get
backupdr.backupVaults.list
backupdr.locations.list
backupdr.operations.get
backupdr.operations.list
backupdr.
cloudaicompanion.companions.*
cloudaicompanion.
cloudaicompanion.
cloudaicompanion.
cloudnotifications.
cloudsql.*
composer.dags.get
composer.environments.get
compute.acceleratorTypes.*
compute.addresses.*
compute.autoscalers.*
compute.backendBuckets.*
compute.backendServices.*
compute.diskTypes.*
compute.disks.*
compute.externalVpnGateways.*
compute.firewallPolicies.get
compute.firewallPolicies.list
compute.
compute.
compute.firewallPolicies.use
compute.firewalls.get
compute.firewalls.list
compute.
compute.
compute.forwardingRules.*
compute.globalAddresses.*
compute.
compute.
compute.globalOperations.get
compute.globalOperations.list
compute.
compute.
compute.
compute.
compute.healthChecks.*
compute.httpHealthChecks.*
compute.httpsHealthChecks.*
compute.images.*
compute.
compute.instanceGroups.*
compute.instanceSettings.*
compute.instanceTemplates.*
compute.instances.*
compute.instantSnapshots.*
compute.
compute.
compute.
compute.interconnects.*
compute.licenseCodes.*
compute.licenses.*
compute.machineImages.*
compute.machineTypes.*
compute.multiMig.*
compute.networkAttachments.*
compute.
compute.networkProfiles.*
compute.networks.*
compute.packetMirrorings.get
compute.packetMirrorings.list
compute.
compute.
compute.projects.get
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.regionHealthChecks.*
compute.
compute.
compute.regionOperations.get
compute.regionOperations.list
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.regionSslPolicies.*
compute.
compute.
compute.
compute.regionUrlMaps.*
compute.regions.*
compute.reservationBlocks.*
compute.reservations.get
compute.reservations.list
compute.resourcePolicies.*
compute.routers.*
compute.routes.*
compute.securityPolicies.get
compute.securityPolicies.list
compute.
compute.
compute.securityPolicies.use
compute.serviceAttachments.*
compute.snapshots.*
compute.spotAssistants.get
compute.sslCertificates.get
compute.sslCertificates.list
compute.
compute.
compute.sslPolicies.*
compute.storagePools.get
compute.storagePools.list
compute.storagePools.use
compute.subnetworks.*
compute.targetGrpcProxies.*
compute.targetHttpProxies.*
compute.targetHttpsProxies.*
compute.targetInstances.*
compute.targetPools.*
compute.targetSslProxies.*
compute.targetTcpProxies.*
compute.targetVpnGateways.*
compute.urlMaps.*
compute.vpnGateways.*
compute.vpnTunnels.*
compute.zoneOperations.get
compute.zoneOperations.list
compute.zones.*
container.*
deploymentmanager.
deploymentmanager.
deploymentmanager.
deploymentmanager.
deploymentmanager.
deploymentmanager.
deploymentmanager.
deploymentmanager.
deploymentmanager.manifests.*
deploymentmanager.operations.*
deploymentmanager.resources.*
deploymentmanager.
deploymentmanager.types.*
dns.managedZones.get
dns.managedZones.list
dns.
firebase.projects.get
iam.serviceAccounts.actAs
iam.serviceAccounts.get
iam.
iam.
iam.serviceAccounts.list
logging.buckets.create
logging.
logging.buckets.delete
logging.
logging.buckets.get
logging.buckets.list
logging.
logging.
logging.buckets.undelete
logging.buckets.update
logging.exclusions.*
logging.links.*
logging.locations.*
logging.logEntries.create
logging.logEntries.route
logging.logMetrics.*
logging.logScopes.*
logging.logServiceIndexes.list
logging.logServices.list
logging.logs.list
logging.notificationRules.*
logging.operations.*
logging.settings.*
logging.sinks.*
logging.sqlAlerts.*
logging.views.create
logging.views.delete
logging.views.get
logging.views.getIamPolicy
logging.views.list
logging.views.update
monitoring.alertPolicies.get
monitoring.alertPolicies.list
monitoring.dashboards.get
monitoring.dashboards.list
monitoring.groups.get
monitoring.groups.list
monitoring.
monitoring.
monitoring.
monitoring.
monitoring.
monitoring.
monitoring.
monitoring.services.get
monitoring.services.list
monitoring.slos.get
monitoring.slos.list
monitoring.snoozes.get
monitoring.snoozes.list
monitoring.timeSeries.*
monitoring.
monitoring.
networkconnectivity.
networkconnectivity.
networkconnectivity.
networkconnectivity.
networkconnectivity.
networkconnectivity.
networkconnectivity.
networkconnectivity.
networkmanagement.
networkmanagement.
networksecurity.
networksecurity.
networksecurity.
networksecurity.
networksecurity.
networksecurity.
networksecurity.
networksecurity.
networksecurity.locations.*
networksecurity.operations.*
networksecurity.
networksecurity.
networksecurity.
networksecurity.
networksecurity.urlLists.*
networkservices.*
observability.scopes.get
opsconfigmonitoring.
orgpolicy.policy.get
pubsub.*
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.
recommender.locations.*
recommender.
recommender.
recommender.
recommender.
resourcemanager.
resourcemanager.projects.get
resourcemanager.
resourcemanager.projects.list
servicedirectory.
servicedirectory.
servicedirectory.
servicedirectory.
servicenetworking.
servicenetworking.
servicenetworking.
servicenetworking.
servicenetworking.
servicenetworking.
servicenetworking.
servicenetworking.services.get
servicenetworking.
serviceusage.quotas.get
serviceusage.services.get
serviceusage.services.list
stackdriver.projects.get
stackdriver.
storage.anywhereCaches.*
storage.bucketOperations.*
storage.buckets.*
storage.folders.*
storage.managedFolders.*
storage.managementHubs.*
storage.multipartUploads.*
storage.objects.*
trafficdirector.*
Instance Group Manager Service Agent
(roles/)
Role containing all permissions required by Managed Instance Groups to create and manage instances.
Warning: Do not grant service agent roles to any principals except
service agents .
compute.addresses.*
compute.
compute.disks.create
compute.disks.createSnapshot
compute.disks.createTagBinding
compute.disks.delete
compute.disks.deleteTagBinding
compute.disks.get
compute.disks.getIamPolicy
compute.disks.list
compute.
compute.disks.listTagBindings
compute.
compute.disks.resize
compute.disks.setLabels
compute.
compute.
compute.
compute.disks.update
compute.disks.use
compute.disks.useReadOnly
compute.globalAddresses.get
compute.globalOperations.get
compute.healthChecks.get
compute.httpHealthChecks.get
compute.httpsHealthChecks.get
compute.images.useReadOnly
compute.instanceGroups.update
compute.
compute.
compute.
compute.instances.attachDisk
compute.instances.create
compute.
compute.instances.delete
compute.
compute.
compute.instances.detachDisk
compute.instances.get
compute.
compute.
compute.instances.getIamPolicy
compute.
compute.
compute.
compute.
compute.instances.list
compute.
compute.
compute.
compute.instances.osAdminLogin
compute.instances.osLogin
compute.
compute.
compute.instances.reset
compute.instances.resume
compute.
compute.
compute.
compute.instances.setLabels
compute.
compute.
compute.instances.setMetadata
compute.
compute.instances.setName
compute.
compute.
compute.
compute.
compute.
compute.instances.setTags
compute.
compute.instances.start
compute.
compute.instances.stop
compute.instances.suspend
compute.instances.update
compute.
compute.
compute.
compute.
compute.
compute.
compute.instances.use
compute.instances.useReadOnly
compute.networks.use
compute.networks.useExternalIp
compute.regionOperations.get
compute.resourcePolicies.use
compute.snapshots.useReadOnly
compute.subnetworks.use
compute.
compute.
compute.
compute.zoneOperations.get
iam.serviceAccounts.actAs
Compute Engine Service Agent
(roles/)
Gives Compute Engine Service Account access to assert service account authority. Includes access to service accounts.
Warning: Do not grant service agent roles to any principals except
service agents .
cloudnotifications.
compute.addresses.use
compute.addresses.useInternal
compute.disks.create
compute.disks.createTagBinding
compute.disks.setLabels
compute.disks.use
compute.disks.useReadOnly
compute.images.useReadOnly
compute.
compute.
compute.instances.create
compute.
compute.
compute.instances.setLabels
compute.instances.setMetadata
compute.
compute.instances.setTags
compute.
compute.
compute.networks.use
compute.networks.useExternalIp
compute.resourcePolicies.use
compute.snapshots.useReadOnly
compute.subnetworks.use
compute.
iam.serviceAccounts.actAs
iam.
iam.
iam.
iam.serviceAccounts.signJwt
logging.logEntries.create
monitoring.alertPolicies.get
monitoring.alertPolicies.list
monitoring.dashboards.get
monitoring.dashboards.list
monitoring.groups.get
monitoring.groups.list
monitoring.
monitoring.
monitoring.
monitoring.
monitoring.
monitoring.
monitoring.services.get
monitoring.services.list
monitoring.slos.get
monitoring.slos.list
monitoring.snoozes.get
monitoring.snoozes.list
monitoring.timeSeries.list
monitoring.
monitoring.
opsconfigmonitoring.
resourcemanager.projects.get
resourcemanager.projects.list
stackdriver.projects.get
stackdriver.
storage.objects.create
storage.objects.get
storage.objects.list
storage.objects.update
Config Delivery Service Agent
(roles/)
Gives the Config Delivery service account permission to manage resources
Warning: Do not grant service agent roles to any principals except
service agents .
artifactregistry.
artifactregistry.
artifactregistry.
artifactregistry.
artifactregistry.
artifactregistry.
artifactregistry.
artifactregistry.
artifactregistry.
artifactregistry.
artifactregistry.
artifactregistry.tags.*
artifactregistry.
artifactregistry.versions.get
artifactregistry.versions.list
cloudbuild.builds.create
cloudbuild.builds.get
cloudbuild.builds.list
cloudbuild.builds.update
cloudbuild.repositories.get
container.
container.
container.serviceAccounts.get
container.serviceAccounts.list
container.thirdPartyObjects.*
gkehub.gateway.delete
gkehub.
gkehub.gateway.get
gkehub.gateway.patch
gkehub.gateway.post
gkehub.gateway.put
gkehub.memberships.get
iam.serviceAccounts.actAs
Connectors Platform Service Agent
(roles/)
Grants Connectors Platform service account to manage customer resources
Warning: Do not grant service agent roles to any principals except
service agents .
connectors.actions.*
connectors.connections.get
connectors.
connectors.connections.list
connectors.connectors.*
connectors.
connectors.
connectors.
connectors.
connectors.
connectors.
connectors.entities.get
connectors.entityTypes.list
connectors.
connectors.
connectors.eventtypes.*
connectors.locations.*
connectors.managedZones.get
connectors.managedZones.list
connectors.providers.*
connectors.runtimeconfig.get
iam.
iam.
iam.
monitoring.
monitoring.
monitoring.
monitoring.
monitoring.timeSeries.create
(roles/)
Allows Contact Center AI to read and write APIs including BigQuery, Dialogflow, and Storage.
Warning: Do not grant service agent roles to any principals except
service agents .
bigquery.datasets.create
bigquery.datasets.get
bigquery.jobs.create
bigquery.jobs.get
bigquery.tables.create
bigquery.tables.get
bigquery.tables.update
bigquery.tables.updateData
datalabeling.dataitems.*
datalabeling.datasets.create
datalabeling.datasets.delete
datalabeling.datasets.export
datalabeling.datasets.get
datalabeling.datasets.import
datalabeling.operations.get
datalabeling.operations.list
dialogflow.
dialogflow.
dialogflow.
dialogflow.documents.*
dialogflow.operations.get
dialogflow.
dialogflow.
dlp.deidentifyTemplates.get
dlp.deidentifyTemplates.list
dlp.inspectTemplates.get
dlp.inspectTemplates.list
dlp.kms.encrypt
dlp.locations.*
pubsub.topics.get
pubsub.topics.publish
serviceusage.services.use
speech.customClasses.get
speech.operations.get
speech.phraseSets.get
speech.recognizers.create
speech.recognizers.get
speech.recognizers.recognize
speech.recognizers.update
storage.objects.create
storage.objects.get
storage.objects.list
storage.objects.update
Kubernetes Engine Node Service Agent
(roles/)
Minimal set of permission required by a GKE node to support standard capabilities such as logging and monitoring export, and image pulls.
Warning: Do not grant service agent roles to any principals except
service agents .
autoscaling.sites.writeMetrics
logging.logEntries.create
monitoring.
monitoring.
monitoring.timeSeries.*
resourcemanager.projects.get
resourcemanager.projects.list
serviceusage.services.use
storage.objects.get
storage.objects.list
Kubernetes Engine Service Agent
(roles/)
Gives Kubernetes Engine account access to manage cluster resources. Includes access to service accounts.
Warning: Do not grant service agent roles to any principals except
service agents .
autoscaling.
autoscaling.sites.writeMetrics
autoscaling.sites.writeState
backupdr.
backupdr.
backupdr.
backupdr.
backupdr.backupPlans.get
backupdr.backupPlans.list
backupdr.
backupdr.backupVaults.get
backupdr.backupVaults.list
backupdr.locations.list
backupdr.operations.get
backupdr.operations.list
backupdr.
bigquery.datasets.create
bigquery.datasets.get
bigquery.tables.create
bigquery.tables.get
bigquery.tables.update
bigquery.tables.updateData
binaryauthorization.
certificatemanager.
certificatemanager.
certificatemanager.certmaps.*
certificatemanager.certs.*
certificatemanager.
compute.acceleratorTypes.*
compute.addresses.*
compute.autoscalers.*
compute.backendBuckets.*
compute.backendServices.*
compute.diskTypes.*
compute.disks.*
compute.externalVpnGateways.*
compute.firewallPolicies.*
compute.firewalls.*
compute.forwardingRules.*
compute.globalAddresses.*
compute.
compute.
compute.globalOperations.get
compute.globalOperations.list
compute.
compute.
compute.
compute.
compute.healthChecks.*
compute.httpHealthChecks.*
compute.httpsHealthChecks.*
compute.images.*
compute.
compute.instanceGroups.*
compute.instanceSettings.*
compute.instanceTemplates.*
compute.instances.*
compute.instantSnapshots.*
compute.
compute.
compute.
compute.interconnects.*
compute.licenseCodes.*
compute.licenses.*
compute.machineImages.*
compute.machineTypes.*
compute.multiMig.*
compute.networkAttachments.*
compute.
compute.networkProfiles.*
compute.networks.*
compute.nodeGroups.get
compute.packetMirrorings.*
compute.projects.get
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.regionHealthChecks.*
compute.
compute.
compute.regionOperations.get
compute.regionOperations.list
compute.
compute.
compute.regionSslPolicies.*
compute.
compute.
compute.
compute.regionUrlMaps.*
compute.regions.*
compute.reservationBlocks.*
compute.reservations.get
compute.reservations.list
compute.resourcePolicies.*
compute.routers.*
compute.routes.*
compute.securityPolicies.*
compute.serviceAttachments.*
compute.snapshots.*
compute.spotAssistants.get
compute.sslCertificates.*
compute.sslPolicies.*
compute.storagePools.*
compute.subnetworks.*
compute.targetGrpcProxies.*
compute.targetHttpProxies.*
compute.targetHttpsProxies.*
compute.targetInstances.*
compute.targetPools.*
compute.targetSslProxies.*
compute.targetTcpProxies.*
compute.targetVpnGateways.*
compute.urlMaps.*
compute.vpnGateways.*
compute.vpnTunnels.*
compute.zoneOperations.get
compute.zoneOperations.list
compute.zones.*
container.*
dns.changes.*
dns.dnsKeys.*
dns.gkeClusters.*
dns.managedZoneOperations.*
dns.managedZones.create
dns.managedZones.delete
dns.managedZones.get
dns.managedZones.getIamPolicy
dns.managedZones.list
dns.managedZones.update
dns.networks.*
dns.policies.create
dns.policies.delete
dns.policies.get
dns.policies.getIamPolicy
dns.policies.list
dns.policies.update
dns.projects.get
dns.resourceRecordSets.*
dns.responsePolicies.*
dns.responsePolicyRules.*
file.*
iam.serviceAccounts.actAs
iam.serviceAccounts.get
logging.logEntries.create
monitoring.
monitoring.
monitoring.
monitoring.timeSeries.*
networkconnectivity.
networkconnectivity.
networkconnectivity.
networkconnectivity.
networkconnectivity.
networkconnectivity.
networkconnectivity.
networkconnectivity.
networkmanagement.
networkmanagement.
networksecurity.
networksecurity.
networksecurity.
networksecurity.
networksecurity.
networksecurity.
networksecurity.
networksecurity.
networksecurity.locations.*
networksecurity.operations.*
networksecurity.
networksecurity.
networksecurity.
networksecurity.
networksecurity.urlLists.*
networkservices.*
parallelstore.instances.create
parallelstore.instances.delete
parallelstore.instances.get
parallelstore.
parallelstore.instances.list
parallelstore.instances.update
parallelstore.locations.*
parallelstore.operations.*
pubsub.topics.create
pubsub.topics.get
pubsub.topics.publish
recommender.
recommender.
recommender.locations.*
recommender.
recommender.
resourcemanager.projects.get
resourcemanager.projects.list
servicedirectory.
servicedirectory.
servicedirectory.
servicedirectory.
servicenetworking.
servicenetworking.
servicenetworking.
servicenetworking.
servicenetworking.
servicenetworking.
servicenetworking.
servicenetworking.services.get
servicenetworking.
serviceusage.quotas.get
serviceusage.services.get
serviceusage.services.list
serviceusage.services.use
tpu.locations.*
tpu.nodes.create
tpu.nodes.delete
tpu.nodes.get
tpu.nodes.list
tpu.operations.*
trafficdirector.*
Container Analysis Service Agent
(roles/)
Gives Container Analysis API the access it needs to function
Warning: Do not grant service agent roles to any principals except
service agents .
artifactregistry.
artifactregistry.
artifactregistry.
artifactregistry.
artifactregistry.files.get
artifactregistry.files.list
artifactregistry.locations.*
artifactregistry.
artifactregistry.npmpackages.*
artifactregistry.packages.get
artifactregistry.packages.list
artifactregistry.
artifactregistry.
artifactregistry.
artifactregistry.
artifactregistry.
artifactregistry.
artifactregistry.
artifactregistry.
artifactregistry.rules.get
artifactregistry.rules.list
artifactregistry.tags.get
artifactregistry.tags.list
artifactregistry.versions.get
artifactregistry.versions.list
containeranalysis.notes.list
containeranalysis.
containeranalysis.
containeranalysis.
containeranalysis.
containeranalysis.
pubsub.schemas.attach
pubsub.schemas.commit
pubsub.schemas.create
pubsub.schemas.delete
pubsub.schemas.get
pubsub.schemas.list
pubsub.schemas.listRevisions
pubsub.schemas.rollback
pubsub.schemas.validate
pubsub.snapshots.create
pubsub.snapshots.delete
pubsub.snapshots.get
pubsub.snapshots.list
pubsub.snapshots.seek
pubsub.snapshots.update
pubsub.subscriptions.consume
pubsub.subscriptions.create
pubsub.subscriptions.delete
pubsub.subscriptions.get
pubsub.subscriptions.list
pubsub.subscriptions.update
pubsub.
pubsub.topics.create
pubsub.topics.delete
pubsub.
pubsub.topics.get
pubsub.topics.list
pubsub.topics.publish
pubsub.topics.update
pubsub.topics.updateTag
resourcemanager.projects.get
resourcemanager.projects.list
serviceusage.quotas.get
serviceusage.services.get
serviceusage.services.list
storage.objects.get
storage.objects.list
Container Registry Service Agent
(roles/)
Access for Container Registry
Warning: Do not grant service agent roles to any principals except
service agents .
pubsub.topics.publish
storage.objects.get
storage.objects.getIamPolicy
storage.objects.list
Container Scanner Service Agent
(roles/)
Gives Container Scanner the access it needs to analyze containers for vulnerabilities and create occurrences using the Container Analysis API
Warning: Do not grant service agent roles to any principals except
service agents .
artifactregistry.
artifactregistry.
artifactregistry.
artifactregistry.
artifactregistry.files.get
artifactregistry.files.list
artifactregistry.locations.*
artifactregistry.
artifactregistry.npmpackages.*
artifactregistry.packages.get
artifactregistry.packages.list
artifactregistry.
artifactregistry.
artifactregistry.
artifactregistry.
artifactregistry.
artifactregistry.
artifactregistry.
artifactregistry.
artifactregistry.rules.get
artifactregistry.rules.list
artifactregistry.tags.get
artifactregistry.tags.list
artifactregistry.versions.get
artifactregistry.versions.list
containeranalysis.notes.list
containeranalysis.
containeranalysis.
containeranalysis.
containeranalysis.
containeranalysis.
resourcemanager.projects.get
resourcemanager.projects.list
storage.objects.get
storage.objects.list
Container Threat Detection Service Agent
(roles/)
Gives Container Threat Detection service account access to enable/disable Container Threat Detection and manage the Container Threat Detection Agent on Google Kubernetes Engine clusters.
Warning: Do not grant service agent roles to any principals except
service agents .
container.apiServices.get
container.
container.apiServices.list
container.auditSinks.get
container.auditSinks.list
container.backendConfigs.get
container.backendConfigs.list
container.bindings.get
container.bindings.list
container.
container.
container.
container.
container.clusterRoles.*
container.clusters.connect
container.clusters.get
container.clusters.list
container.componentStatuses.*
container.configMaps.get
container.configMaps.list
container.
container.
container.cronJobs.get
container.cronJobs.getStatus
container.cronJobs.list
container.csiDrivers.get
container.csiDrivers.list
container.csiNodeInfos.get
container.csiNodeInfos.list
container.csiNodes.get
container.csiNodes.list
container.
container.
container.
container.
container.
container.
container.daemonSets.*
container.deployments.get
container.deployments.getScale
container.
container.deployments.list
container.endpointSlices.get
container.endpointSlices.list
container.endpoints.get
container.endpoints.list
container.events.get
container.events.list
container.frontendConfigs.get
container.frontendConfigs.list
container.
container.
container.
container.ingresses.get
container.ingresses.getStatus
container.ingresses.list
container.
container.
container.jobs.get
container.jobs.getStatus
container.jobs.list
container.leases.get
container.leases.list
container.limitRanges.get
container.limitRanges.list
container.
container.
container.
container.
container.namespaces.get
container.namespaces.getStatus
container.namespaces.list
container.networkPolicies.get
container.networkPolicies.list
container.
container.nodes.get
container.nodes.getStatus
container.nodes.list
container.operations.*
container.
container.
container.
container.
container.
container.
container.petSets.get
container.petSets.list
container.
container.
container.
container.podPresets.get
container.podPresets.list
container.
container.
container.podTemplates.get
container.podTemplates.list
container.pods.attach
container.pods.create
container.pods.delete
container.pods.exec
container.pods.get
container.pods.getLogs
container.pods.getStatus
container.pods.list
container.pods.portForward
container.pods.update
container.priorityClasses.get
container.priorityClasses.list
container.replicaSets.get
container.replicaSets.getScale
container.
container.replicaSets.list
container.
container.
container.
container.
container.resourceQuotas.get
container.
container.resourceQuotas.list
container.roleBindings.*
container.roles.*
container.runtimeClasses.get
container.runtimeClasses.list
container.scheduledJobs.get
container.scheduledJobs.list
container.secrets.create
container.secrets.delete
container.secrets.list
container.secrets.update
container.
container.
container.serviceAccounts.get
container.serviceAccounts.list
container.
container.services.get
container.services.getStatus
container.services.list
container.statefulSets.get
container.
container.
container.statefulSets.list
container.storageClasses.get
container.storageClasses.list
container.storageStates.get
container.
container.storageStates.list
container.
container.
container.
container.
container.
container.
container.
container.tokenReviews.create
container.updateInfos.get
container.updateInfos.list
container.
container.
container.
container.
container.
container.
container.
container.
container.
container.
container.volumeSnapshots.get
container.volumeSnapshots.list
recommender.
recommender.
recommender.
recommender.
recommender.locations.*
recommender.
recommender.
recommender.
recommender.
resourcemanager.projects.get
resourcemanager.projects.list
Content Warehouse Service Agent
(roles/)
Gives the Content Warehouse service account to manage customer resources
Warning: Do not grant service agent roles to any principals except
service agents .
cloudfunctions.
documentai.
documentai.processors.get
documentai.
pubsub.topics.publish
pubsublite.topics.publish
storage.buckets.get
storage.buckets.list
storage.objects.create
storage.objects.delete
storage.objects.get
storage.objects.list
storage.objects.update
Data Connectors Service Agent
(roles/)
Gives Data Connectors service agent permission to access the virtual private cloud
Warning: Do not grant service agent roles to any principals except
service agents .
compute.globalOperations.get
compute.networks.access
vpcaccess.connectors.get
vpcaccess.connectors.use
Cloud Dataflow Service Agent
(roles/)
Gives Cloud Dataflow service account access to managed resources. Includes access to service accounts.
Warning: Do not grant service agent roles to any principals except
service agents .
backupdr.
backupdr.
backupdr.
backupdr.
backupdr.backupPlans.get
backupdr.backupPlans.list
backupdr.
backupdr.backupVaults.get
backupdr.backupVaults.list
backupdr.locations.list
backupdr.operations.get
backupdr.operations.list
backupdr.
bigquery.bireservations.*
bigquery.capacityCommitments.*
bigquery.config.*
bigquery.connections.*
bigquery.dataPolicies.create
bigquery.dataPolicies.delete
bigquery.dataPolicies.get
bigquery.
bigquery.dataPolicies.list
bigquery.
bigquery.dataPolicies.update
bigquery.datasets.*
bigquery.jobs.*
bigquery.models.*
bigquery.readsessions.*
bigquery.
bigquery.reservations.*
bigquery.routines.*
bigquery.
bigquery.
bigquery.
bigquery.
bigquery.
bigquery.
bigquery.
bigquery.savedqueries.*
bigquery.tables.*
bigquery.transfers.*
bigquerymigration.
clouddebugger.breakpoints.list
clouddebugger.
clouddebugger.
clouddebugger.debuggees.create
cloudnotifications.
compute.acceleratorTypes.*
compute.addresses.*
compute.autoscalers.*
compute.backendBuckets.*
compute.backendServices.*
compute.diskTypes.*
compute.disks.*
compute.externalVpnGateways.*
compute.firewallPolicies.get
compute.firewallPolicies.list
compute.
compute.
compute.firewallPolicies.use
compute.firewalls.get
compute.firewalls.list
compute.
compute.
compute.forwardingRules.*
compute.globalAddresses.*
compute.
compute.
compute.globalOperations.get
compute.globalOperations.list
compute.
compute.
compute.
compute.
compute.healthChecks.*
compute.httpHealthChecks.*
compute.httpsHealthChecks.*
compute.images.*
compute.
compute.instanceGroups.*
compute.instanceSettings.get
compute.instanceTemplates.*
compute.instances.*
compute.instantSnapshots.*
compute.
compute.
compute.
compute.interconnects.*
compute.licenseCodes.*
compute.licenses.*
compute.machineImages.*
compute.machineTypes.*
compute.multiMig.*
compute.networkAttachments.*
compute.
compute.networkProfiles.*
compute.networks.*
compute.packetMirrorings.get
compute.packetMirrorings.list
compute.
compute.
compute.projects.get
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.regionHealthChecks.*
compute.
compute.
compute.regionOperations.get
compute.regionOperations.list
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.regionSslPolicies.*
compute.
compute.
compute.
compute.regionUrlMaps.*
compute.regions.*
compute.reservationBlocks.*
compute.reservations.get
compute.reservations.list
compute.resourcePolicies.*
compute.routers.*
compute.routes.*
compute.securityPolicies.get
compute.securityPolicies.list
compute.
compute.
compute.securityPolicies.use
compute.serviceAttachments.*
compute.snapshots.*
compute.sslCertificates.get
compute.sslCertificates.list
compute.
compute.
compute.sslPolicies.*
compute.storagePools.*
compute.subnetworks.*
compute.targetGrpcProxies.*
compute.targetHttpProxies.*
compute.targetHttpsProxies.*
compute.targetInstances.*
compute.targetPools.*
compute.targetSslProxies.*
compute.targetTcpProxies.*
compute.targetVpnGateways.*
compute.urlMaps.*
compute.vpnGateways.*
compute.vpnTunnels.*
compute.zoneOperations.get
compute.zoneOperations.list
compute.zones.*
dataflow.jobs.*
dataflow.messages.list
dataflow.metrics.get
dataflow.snapshots.*
dataform.*
dataplex.projects.search
dns.
firebase.projects.get
iam.serviceAccounts.actAs
iam.serviceAccounts.get
iam.
iam.
iam.serviceAccounts.list
iam.serviceAccounts.signBlob
iam.serviceAccounts.signJwt
logging.buckets.create
logging.
logging.buckets.delete
logging.
logging.buckets.get
logging.buckets.list
logging.
logging.
logging.buckets.undelete
logging.buckets.update
logging.exclusions.*
logging.links.*
logging.locations.*
logging.logEntries.create
logging.logEntries.route
logging.logMetrics.*
logging.logScopes.*
logging.logServiceIndexes.list
logging.logServices.list
logging.logs.list
logging.notificationRules.*
logging.operations.*
logging.settings.*
logging.sinks.*
logging.sqlAlerts.*
logging.views.create
logging.views.delete
logging.views.get
logging.views.getIamPolicy
logging.views.list
logging.views.update
monitoring.alertPolicies.get
monitoring.alertPolicies.list
monitoring.dashboards.get
monitoring.dashboards.list
monitoring.groups.get
monitoring.groups.list
monitoring.
monitoring.
monitoring.
monitoring.
monitoring.
monitoring.
monitoring.
monitoring.services.get
monitoring.services.list
monitoring.slos.get
monitoring.slos.list
monitoring.snoozes.get
monitoring.snoozes.list
monitoring.timeSeries.*
monitoring.
monitoring.
networkconnectivity.
networkconnectivity.
networkconnectivity.
networkconnectivity.
networkconnectivity.
networkconnectivity.
networkconnectivity.
networkconnectivity.
networkmanagement.
networkmanagement.
networksecurity.
networksecurity.
networksecurity.
networksecurity.
networksecurity.
networksecurity.
networksecurity.
networksecurity.
networksecurity.locations.*
networksecurity.operations.*
networksecurity.
networksecurity.
networksecurity.
networksecurity.
networksecurity.urlLists.*
networkservices.*
observability.scopes.get
opsconfigmonitoring.
orgpolicy.policy.get
pubsub.*
recommender.
recommender.
recommender.
recommender.
recommender.
resourcemanager.
resourcemanager.projects.get
resourcemanager.projects.list
servicedirectory.
servicedirectory.
servicedirectory.
servicedirectory.
servicenetworking.
servicenetworking.
servicenetworking.
servicenetworking.
servicenetworking.
servicenetworking.
servicenetworking.
servicenetworking.services.get
servicenetworking.
serviceusage.quotas.get
serviceusage.services.get
serviceusage.services.list
serviceusage.services.use
stackdriver.projects.get
stackdriver.
storage.anywhereCaches.*
storage.bucketOperations.*
storage.buckets.*
storage.folders.*
storage.managedFolders.*
storage.managementHubs.*
storage.multipartUploads.*
storage.objects.*
trafficdirector.*
(roles/)
Gives permission for the Dataform API to access a secret from Secret Manager
Warning: Do not grant service agent roles to any principals except
service agents .
dataform.
dataform.
resourcemanager.projects.get
resourcemanager.projects.list
Cloud Data Fusion API Service Agent
(roles/)
Gives Cloud Data Fusion service account access to Service Networking, Cloud Dataproc, Cloud Storage, BigQuery, Cloud Spanner, and Cloud Bigtable resources.
Warning: Do not grant service agent roles to any principals except
service agents .
bigquery.config.get
bigquery.dataPolicies.create
bigquery.dataPolicies.delete
bigquery.dataPolicies.get
bigquery.
bigquery.dataPolicies.list
bigquery.
bigquery.dataPolicies.update
bigquery.datasets.*
bigquery.jobs.create
bigquery.models.*
bigquery.routines.*
bigquery.
bigquery.
bigquery.
bigquery.
bigquery.
bigquery.
bigquery.tables.*
bigtable.*
compute.acceleratorTypes.*
compute.addresses.get
compute.addresses.list
compute.
compute.
compute.autoscalers.get
compute.autoscalers.list
compute.backendBuckets.get
compute.backendBuckets.list
compute.
compute.
compute.backendServices.get
compute.backendServices.list
compute.
compute.
compute.
compute.disks.listTagBindings
compute.
compute.
compute.
compute.
compute.firewalls.get
compute.firewalls.list
compute.
compute.
compute.forwardingRules.get
compute.forwardingRules.list
compute.
compute.
compute.globalAddresses.get
compute.globalAddresses.list
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.globalOperations.get
compute.healthChecks.get
compute.healthChecks.list
compute.
compute.
compute.httpHealthChecks.get
compute.httpHealthChecks.list
compute.
compute.
compute.httpsHealthChecks.get
compute.httpsHealthChecks.list
compute.
compute.
compute.
compute.images.listTagBindings
compute.
compute.
compute.
compute.
compute.instanceGroups.get
compute.instanceGroups.list
compute.
compute.
compute.instanceSettings.get
compute.instances.get
compute.
compute.
compute.
compute.instances.list
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.interconnects.get
compute.interconnects.list
compute.
compute.
compute.machineTypes.*
compute.networkAttachments.get
compute.
compute.
compute.
compute.
compute.networkProfiles.*
compute.networks.addPeering
compute.networks.get
compute.
compute.
compute.networks.list
compute.
compute.
compute.
compute.networks.removePeering
compute.networks.update
compute.packetMirrorings.get
compute.packetMirrorings.list
compute.
compute.
compute.projects.get
compute.
compute.
compute.
compute.
compute.
compute.
compute.regionHealthChecks.get
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.regionSslPolicies.get
compute.regionSslPolicies.list
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.regionUrlMaps.get
compute.regionUrlMaps.list
compute.
compute.
compute.regions.*
compute.routers.get
compute.routers.getRoutePolicy
compute.routers.list
compute.routers.listBgpRoutes
compute.
compute.
compute.
compute.routes.get
compute.routes.list
compute.
compute.routes.listTagBindings
compute.serviceAttachments.get
compute.
compute.
compute.
compute.
compute.
compute.sslCertificates.get
compute.sslCertificates.list
compute.
compute.
compute.sslPolicies.get
compute.sslPolicies.list
compute.
compute.
compute.
compute.subnetworks.get
compute.subnetworks.list
compute.
compute.
compute.targetGrpcProxies.get
compute.targetGrpcProxies.list
compute.
compute.
compute.targetHttpProxies.get
compute.targetHttpProxies.list
compute.
compute.
compute.targetHttpsProxies.get
compute.
compute.
compute.
compute.targetInstances.get
compute.targetInstances.list
compute.
compute.
compute.targetPools.get
compute.targetPools.list
compute.
compute.
compute.targetSslProxies.get
compute.targetSslProxies.list
compute.
compute.
compute.targetTcpProxies.get
compute.targetTcpProxies.list
compute.
compute.
compute.targetVpnGateways.get
compute.targetVpnGateways.list
compute.
compute.
compute.urlMaps.get
compute.urlMaps.list
compute.
compute.
compute.vpnGateways.get
compute.vpnGateways.list
compute.
compute.
compute.vpnTunnels.get
compute.vpnTunnels.list
compute.
compute.
compute.zones.*
dataform.locations.*
dataform.repositories.create
dataform.repositories.list
dataproc.
dataproc.
dataproc.
dataproc.
dataproc.
dataproc.
dataproc.batches.analyze
dataproc.batches.cancel
dataproc.batches.create
dataproc.batches.delete
dataproc.batches.get
dataproc.batches.list
dataproc.
dataproc.clusters.create
dataproc.clusters.delete
dataproc.clusters.get
dataproc.clusters.list
dataproc.clusters.start
dataproc.clusters.stop
dataproc.clusters.update
dataproc.clusters.use
dataproc.jobs.cancel
dataproc.jobs.create
dataproc.jobs.delete
dataproc.jobs.get
dataproc.jobs.list
dataproc.jobs.update
dataproc.nodeGroups.*
dataproc.operations.cancel
dataproc.operations.delete
dataproc.operations.get
dataproc.operations.list
dataproc.sessionTemplates.*
dataproc.sessions.create
dataproc.sessions.delete
dataproc.sessions.get
dataproc.sessions.list
dataproc.
dataproc.sessions.terminate
dataproc.
dataproc.
dataproc.workflowTemplates.get
dataproc.
dataproc.
dataproc.
dataproc.
dataprocrm.nodePools.*
dataprocrm.nodes.get
dataprocrm.nodes.heartbeat
dataprocrm.nodes.list
dataprocrm.nodes.update
dataprocrm.operations.get
dataprocrm.operations.list
dataprocrm.workloads.*
dns.managedZones.create
dns.managedZones.delete
dns.managedZones.get
dns.managedZones.list
dns.
dns.
firebase.projects.get
monitoring.
monitoring.
monitoring.
monitoring.
monitoring.timeSeries.*
networkconnectivity.
networkconnectivity.
networkconnectivity.
networkconnectivity.
networkconnectivity.
networkconnectivity.
networkconnectivity.
networkmanagement.
networkmanagement.
networksecurity.
networksecurity.
networksecurity.
networksecurity.
networksecurity.
networksecurity.
networksecurity.
networksecurity.
networksecurity.
networksecurity.
networksecurity.
networksecurity.
networksecurity.
networksecurity.
networksecurity.
networksecurity.
networksecurity.locations.*
networksecurity.operations.get
networksecurity.
networksecurity.
networksecurity.
networksecurity.
networksecurity.
networksecurity.
networksecurity.
networksecurity.
networksecurity.
networksecurity.urlLists.get
networksecurity.urlLists.list
networkservices.
networkservices.
networkservices.
networkservices.
networkservices.gateways.get
networkservices.gateways.list
networkservices.grpcRoutes.get
networkservices.
networkservices.
networkservices.
networkservices.httpRoutes.get
networkservices.
networkservices.
networkservices.
networkservices.
networkservices.
networkservices.
networkservices.
networkservices.locations.*
networkservices.meshes.get
networkservices.meshes.list
networkservices.operations.get
networkservices.
networkservices.route_views.*
networkservices.
networkservices.
networkservices.
networkservices.
networkservices.tcpRoutes.get
networkservices.tcpRoutes.list
networkservices.tlsRoutes.get
networkservices.tlsRoutes.list
networkservices.
networkservices.
orgpolicy.policy.get
recommender.
recommender.
recommender.
recommender.
resourcemanager.
resourcemanager.projects.get
resourcemanager.projects.list
servicenetworking.services.get
serviceusage.quotas.get
serviceusage.services.get
serviceusage.services.list
spanner.databaseOperations.*
spanner.
spanner.
spanner.
spanner.databases.changequorum
spanner.databases.getDdl
spanner.databases.list
spanner.
spanner.
spanner.databases.read
spanner.databases.select
spanner.databases.updateDdl
spanner.databases.updateTag
spanner.databases.write
spanner.instanceConfigs.get
spanner.instanceConfigs.list
spanner.instancePartitions.get
spanner.
spanner.instances.get
spanner.instances.list
spanner.
spanner.
spanner.sessions.*
storage.anywhereCaches.*
storage.bucketOperations.*
storage.buckets.*
storage.folders.*
storage.managedFolders.*
storage.managementHubs.*
storage.multipartUploads.*
storage.objects.*
trafficdirector.*
Data Labeling Service Agent
(roles/)
Gives Data Labeling service account read/write access to Cloud Storage, read/write BigQuery, update CMLE model versions, editor access to Annotation service and AutoML service.
Warning: Do not grant service agent roles to any principals except
service agents .
automl.annotationSpecs.*
automl.annotations.*
automl.columnSpecs.*
automl.datasets.create
automl.datasets.delete
automl.datasets.export
automl.datasets.get
automl.datasets.import
automl.datasets.list
automl.datasets.update
automl.examples.*
automl.files.*
automl.humanAnnotationTasks.*
automl.locations.get
automl.locations.list
automl.modelEvaluations.*
automl.models.create
automl.models.delete
automl.models.deploy
automl.models.export
automl.models.get
automl.models.list
automl.models.predict
automl.models.undeploy
automl.operations.*
automl.tableSpecs.*
bigquery.datasets.create
bigquery.datasets.get
bigquery.jobs.create
bigquery.jobs.get
bigquery.tables.create
bigquery.tables.get
bigquery.tables.getData
ml.jobs.create
ml.jobs.get
ml.jobs.getIamPolicy
ml.jobs.list
ml.locations.*
ml.models.*
ml.operations.get
ml.operations.list
ml.projects.getConfig
ml.studies.*
ml.trials.*
ml.versions.*
resourcemanager.projects.get
resourcemanager.projects.list
serviceusage.services.get
serviceusage.services.list
storage.objects.create
storage.objects.delete
storage.objects.get
storage.objects.list
storage.objects.update
Database Migration Service Agent
(roles/)
Gives Cloud Database Migration service account access to Cloud SQL resources.
Warning: Do not grant service agent roles to any principals except
service agents .
alloydb.clusters.create
alloydb.clusters.delete
alloydb.
alloydb.clusters.get
alloydb.clusters.list
alloydb.clusters.update
alloydb.instances.connect
alloydb.instances.create
alloydb.instances.delete
alloydb.instances.get
alloydb.instances.list
alloydb.instances.update
alloydb.operations.get
alloydb.operations.list
cloudsql.databases.delete
cloudsql.databases.get
cloudsql.databases.list
cloudsql.instances.connect
cloudsql.instances.create
cloudsql.instances.delete
cloudsql.
cloudsql.instances.executeSql
cloudsql.instances.export
cloudsql.instances.get
cloudsql.instances.import
cloudsql.instances.list
cloudsql.instances.migrate
cloudsql.
cloudsql.instances.restart
cloudsql.
cloudsql.instances.stopReplica
cloudsql.instances.update
compute.forwardingRules.use
compute.globalAddresses.create
compute.
compute.globalAddresses.delete
compute.
compute.globalAddresses.get
compute.globalOperations.get
compute.networks.addPeering
compute.networks.get
compute.networks.list
compute.
compute.networks.removePeering
compute.networks.use
compute.regionOperations.get
compute.regionOperations.list
compute.routers.list
compute.routes.get
compute.routes.list
compute.serviceAttachments.get
compute.
compute.
compute.subnetworks.get
compute.subnetworks.list
compute.subnetworks.use
networkmanagement.
serviceusage.services.use
storage.objects.get
storage.objects.list
Datapipelines Service Agent
(roles/)
Gives Datapipelines service permissions to create Dataflow & Cloud Scheduler jobs in the user project.
Warning: Do not grant service agent roles to any principals except
service agents .
appengine.applications.get
bigquery.tables.get
bigtable.tables.get
cloudbuild.builds.create
cloudbuild.builds.get
cloudbuild.builds.list
cloudbuild.builds.update
cloudbuild.operations.*
cloudscheduler.*
compute.machineTypes.get
compute.projects.get
compute.regions.list
compute.zones.list
dataflow.jobs.*
dataflow.messages.list
dataflow.metrics.get
dataflow.snapshots.*
firebase.projects.get
iam.serviceAccounts.actAs
iam.serviceAccounts.get
iam.serviceAccounts.list
orgpolicy.policy.get
pubsub.schemas.get
pubsub.topics.get
recommender.
recommender.
recommender.
recommender.
recommender.
remotebuildexecution.blobs.get
resourcemanager.
resourcemanager.projects.get
resourcemanager.projects.list
serviceusage.services.get
serviceusage.services.list
storage.anywhereCaches.*
storage.bucketOperations.*
storage.buckets.*
storage.folders.*
storage.managedFolders.*
storage.managementHubs.*
storage.multipartUploads.*
storage.objects.*
Dataplex Discovery BigLake Publishing Service Agent
(roles/)
Gives the Dataplex Discovery Service Agent permissions to use bigquery connection.
Warning: Do not grant service agent roles to any principals except
service agents .
bigquery.connections.delegate
bigquery.connections.use
Dataplex Discovery Publishing Service Agent
(roles/)
Gives the Dataplex Discovery Service Agent dataset create and get permissions.
Warning: Do not grant service agent roles to any principals except
service agents .
bigquery.datasets.create
bigquery.datasets.get
Dataplex Discovery Service Agent
(roles/)
Gives the Dataplex Discovery Service Agent bucket read permissions.
Warning: Do not grant service agent roles to any principals except
service agents .
storage.buckets.get
storage.objects.get
storage.objects.list
Cloud Dataplex Service Agent
(roles/)
Gives the Dataplex service account access to project resources. This access will be used in data discovery, data management and data workload management.
Warning: Do not grant service agent roles to any principals except
service agents .
bigquery.bireservations.*
bigquery.capacityCommitments.*
bigquery.config.*
bigquery.connections.*
bigquery.dataPolicies.create
bigquery.dataPolicies.delete
bigquery.dataPolicies.get
bigquery.
bigquery.dataPolicies.list
bigquery.
bigquery.dataPolicies.update
bigquery.datasets.*
bigquery.jobs.*
bigquery.models.*
bigquery.readsessions.*
bigquery.
bigquery.reservations.*
bigquery.routines.*
bigquery.
bigquery.
bigquery.
bigquery.
bigquery.
bigquery.
bigquery.
bigquery.savedqueries.*
bigquery.tables.*
bigquery.transfers.*
bigquerymigration.
datacatalog.catalogs.searchAll
datacatalog.
datacatalog.
datacatalog.entries.get
datacatalog.taxonomies.create
datacatalog.taxonomies.delete
datacatalog.taxonomies.get
datacatalog.taxonomies.list
datacatalog.taxonomies.update
dataform.*
dataplex.assets.getIamPolicy
dataplex.environments.execute
dataplex.environments.get
dataplex.environments.list
dataplex.lakes.get
dataplex.lakes.getIamPolicy
dataplex.projects.search
dataplex.zones.getIamPolicy
dataproc.batches.cancel
dataproc.batches.create
dataproc.batches.get
dataproc.operations.cancel
dataproc.operations.get
dataproc.operations.list
firebase.projects.get
iam.serviceAccounts.actAs
logging.logEntries.create
logging.logEntries.route
metastore.services.get
monitoring.
monitoring.
monitoring.
monitoring.
monitoring.timeSeries.create
orgpolicy.policy.get
recommender.
recommender.
recommender.
recommender.
resourcemanager.
resourcemanager.projects.get
resourcemanager.projects.list
servicemanagement.
serviceusage.services.use
storage.anywhereCaches.*
storage.bucketOperations.*
storage.buckets.*
storage.folders.*
storage.managedFolders.*
storage.managementHubs.*
storage.multipartUploads.*
storage.objects.*
Dataprep Service Agent
(roles/)
Dataprep service identity. Includes access to service accounts.
Warning: Do not grant service agent roles to any principals except
service agents .
bigquery.bireservations.get
bigquery.
bigquery.
bigquery.config.get
bigquery.datasets.create
bigquery.datasets.get
bigquery.datasets.getIamPolicy
bigquery.datasets.updateTag
bigquery.jobs.create
bigquery.jobs.list
bigquery.models.*
bigquery.readsessions.*
bigquery.
bigquery.
bigquery.reservations.get
bigquery.reservations.list
bigquery.
bigquery.routines.*
bigquery.savedqueries.get
bigquery.savedqueries.list
bigquery.tables.create
bigquery.tables.createIndex
bigquery.tables.createSnapshot
bigquery.tables.delete
bigquery.tables.deleteIndex
bigquery.tables.export
bigquery.tables.get
bigquery.tables.getData
bigquery.tables.getIamPolicy
bigquery.tables.list
bigquery.tables.replicateData
bigquery.
bigquery.tables.update
bigquery.tables.updateData
bigquery.tables.updateIndex
bigquery.tables.updateTag
bigquery.transfers.get
bigquerymigration.
cloudbuild.builds.create
cloudbuild.builds.get
cloudbuild.builds.list
cloudbuild.builds.update
cloudbuild.operations.*
compute.acceleratorTypes.*
compute.addresses.get
compute.addresses.list
compute.
compute.
compute.autoscalers.get
compute.autoscalers.list
compute.backendBuckets.get
compute.
compute.backendBuckets.list
compute.
compute.
compute.backendServices.get
compute.
compute.backendServices.list
compute.
compute.
compute.commitments.get
compute.commitments.list
compute.diskTypes.*
compute.disks.get
compute.disks.getIamPolicy
compute.disks.list
compute.
compute.disks.listTagBindings
compute.
compute.
compute.
compute.
compute.firewallPolicies.get
compute.
compute.firewallPolicies.list
compute.
compute.
compute.firewalls.get
compute.firewalls.list
compute.
compute.
compute.forwardingRules.get
compute.forwardingRules.list
compute.
compute.
compute.futureReservations.get
compute.
compute.
compute.globalAddresses.get
compute.globalAddresses.list
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.globalOperations.get
compute.
compute.globalOperations.list
compute.
compute.
compute.healthChecks.get
compute.healthChecks.list
compute.
compute.
compute.httpHealthChecks.get
compute.httpHealthChecks.list
compute.
compute.
compute.httpsHealthChecks.get
compute.httpsHealthChecks.list
compute.
compute.
compute.images.get
compute.images.getFromFamily
compute.images.getIamPolicy
compute.images.list
compute.
compute.images.listTagBindings
compute.
compute.
compute.
compute.
compute.instanceGroups.get
compute.instanceGroups.list
compute.
compute.
compute.instanceSettings.get
compute.instanceTemplates.get
compute.
compute.instanceTemplates.list
compute.instances.get
compute.
compute.
compute.instances.getIamPolicy
compute.
compute.
compute.
compute.
compute.instances.list
compute.
compute.
compute.
compute.instantSnapshots.get
compute.
compute.instantSnapshots.list
compute.
compute.
compute.
compute.
compute.
compute.
compute.interconnects.get
compute.interconnects.list
compute.
compute.
compute.licenseCodes.get
compute.
compute.licenseCodes.list
compute.licenses.get
compute.licenses.getIamPolicy
compute.licenses.list
compute.machineImages.get
compute.
compute.machineImages.list
compute.machineTypes.*
compute.multiMig.get
compute.multiMig.list
compute.networkAttachments.get
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.networkProfiles.*
compute.networks.get
compute.
compute.
compute.networks.list
compute.
compute.
compute.
compute.nodeGroups.get
compute.
compute.nodeGroups.list
compute.nodeTemplates.get
compute.
compute.nodeTemplates.list
compute.nodeTypes.*
compute.
compute.packetMirrorings.get
compute.packetMirrorings.list
compute.
compute.
compute.projects.get
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.regionHealthChecks.get
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.regionOperations.get
compute.
compute.regionOperations.list
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.regionSslPolicies.get
compute.regionSslPolicies.list
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.regionUrlMaps.get
compute.regionUrlMaps.list
compute.
compute.
compute.regionUrlMaps.validate
compute.regions.*
compute.reservationBlocks.*
compute.reservations.get
compute.reservations.list
compute.resourcePolicies.get
compute.
compute.resourcePolicies.list
compute.routers.get
compute.routers.getRoutePolicy
compute.routers.list
compute.routers.listBgpRoutes
compute.
compute.
compute.
compute.routes.get
compute.routes.list
compute.
compute.routes.listTagBindings
compute.securityPolicies.get
compute.securityPolicies.list
compute.
compute.
compute.serviceAttachments.get
compute.
compute.
compute.
compute.
compute.snapshotSettings.get
compute.snapshots.get
compute.snapshots.getIamPolicy
compute.snapshots.list
compute.
compute.
compute.spotAssistants.get
compute.sslCertificates.get
compute.sslCertificates.list
compute.
compute.
compute.sslPolicies.get
compute.sslPolicies.list
compute.
compute.
compute.
compute.storagePools.get
compute.
compute.storagePools.list
compute.subnetworks.get
compute.
compute.subnetworks.list
compute.
compute.
compute.targetGrpcProxies.get
compute.targetGrpcProxies.list
compute.
compute.
compute.targetHttpProxies.get
compute.targetHttpProxies.list
compute.
compute.
compute.targetHttpsProxies.get
compute.
compute.
compute.
compute.targetInstances.get
compute.targetInstances.list
compute.
compute.
compute.targetPools.get
compute.targetPools.list
compute.
compute.
compute.targetSslProxies.get
compute.targetSslProxies.list
compute.
compute.
compute.targetTcpProxies.get
compute.targetTcpProxies.list
compute.
compute.
compute.targetVpnGateways.get
compute.targetVpnGateways.list
compute.
compute.
compute.urlMaps.get
compute.urlMaps.list
compute.
compute.
compute.urlMaps.validate
compute.vpnGateways.get
compute.vpnGateways.list
compute.
compute.
compute.vpnTunnels.get
compute.vpnTunnels.list
compute.
compute.
compute.zoneOperations.get
compute.
compute.zoneOperations.list
compute.zones.*
dataflow.jobs.*
dataflow.messages.list
dataflow.metrics.get
dataflow.snapshots.*
dataform.locations.*
dataform.repositories.create
dataform.repositories.list
dataplex.projects.search
iam.serviceAccounts.actAs
iam.serviceAccounts.get
iam.serviceAccounts.list
orgpolicy.policy.get
recommender.
remotebuildexecution.blobs.get
resourcemanager.projects.get
resourcemanager.projects.list
serviceusage.quotas.get
serviceusage.services.get
serviceusage.services.list
storage.buckets.get
storage.buckets.list
storage.folders.*
storage.managedFolders.create
storage.managedFolders.delete
storage.managedFolders.get
storage.managedFolders.list
storage.multipartUploads.*
storage.objects.*
Dataproc Service Agent
(roles/)
Gives Dataproc Service Account access to service accounts, compute resources, storage resources, and kubernetes resources. Includes access to service accounts.
Warning: Do not grant service agent roles to any principals except
service agents .
backupdr.
backupdr.
backupdr.
backupdr.
backupdr.backupPlans.get
backupdr.backupPlans.list
backupdr.
backupdr.backupVaults.get
backupdr.backupVaults.list
backupdr.locations.list
backupdr.operations.get
backupdr.operations.list
backupdr.
compute.acceleratorTypes.*
compute.
compute.
compute.addresses.get
compute.addresses.list
compute.
compute.
compute.addresses.use
compute.addresses.useInternal
compute.autoscalers.*
compute.diskTypes.*
compute.disks.create
compute.disks.createSnapshot
compute.disks.createTagBinding
compute.disks.delete
compute.disks.get
compute.disks.list
compute.disks.resize
compute.disks.setLabels
compute.
compute.
compute.
compute.disks.update
compute.disks.use
compute.disks.useReadOnly
compute.firewalls.get
compute.firewalls.list
compute.globalAddresses.get
compute.globalAddresses.list
compute.
compute.
compute.globalAddresses.use
compute.
compute.globalOperations.get
compute.globalOperations.list
compute.images.get
compute.images.getFromFamily
compute.images.list
compute.images.useReadOnly
compute.
compute.instanceGroups.*
compute.instanceSettings.get
compute.instanceTemplates.*
compute.instances.*
compute.licenses.get
compute.licenses.list
compute.machineImages.*
compute.machineTypes.*
compute.multiMig.*
compute.
compute.networks.get
compute.
compute.networks.list
compute.
compute.
compute.networks.use
compute.networks.useExternalIp
compute.nodeGroups.get
compute.nodeTypes.get
compute.projects.get
compute.
compute.regionOperations.get
compute.regionOperations.list
compute.regions.*
compute.reservationBlocks.*
compute.reservations.get
compute.reservations.list
compute.resourcePolicies.list
compute.
compute.storagePools.get
compute.storagePools.list
compute.storagePools.use
compute.subnetworks.get
compute.subnetworks.list
compute.
compute.
compute.
compute.subnetworks.use
compute.
compute.targetPools.get
compute.targetPools.list
compute.
compute.
compute.zoneOperations.get
compute.zoneOperations.list
compute.zones.*
container.
container.clusterRoles.*
container.clusters.get
container.clusters.update
container.
container.
container.
container.
container.
container.namespaces.create
container.namespaces.delete
container.namespaces.get
container.namespaces.list
container.namespaces.update
container.operations.get
container.roleBindings.*
container.roles.bind
container.roles.escalate
dataproc.
dataproc.
dataproc.
dataproc.
dataproc.
dataproc.
dataproc.
dataproc.clusters.*
dataproc.jobs.*
dataproc.nodeGroups.*
dataproc.operations.cancel
dataproc.sessionTemplates.get
dataproc.sessions.*
dataprocrm.nodePools.*
dataprocrm.nodes.*
dataprocrm.operations.cancel
dataprocrm.operations.get
dataprocrm.operations.list
dataprocrm.workloads.*
firebase.projects.get
iam.serviceAccounts.actAs
iam.
metastore.services.get
orgpolicy.policy.get
recommender.
recommender.
recommender.
recommender.
resourcemanager.
resourcemanager.projects.get
resourcemanager.projects.list
servicemanagement.
serviceusage.quotas.get
serviceusage.services.enable
serviceusage.services.get
serviceusage.services.list
serviceusage.services.use
storage.anywhereCaches.*
storage.bucketOperations.*
storage.buckets.*
storage.folders.*
storage.managedFolders.*
storage.managementHubs.*
storage.multipartUploads.*
storage.objects.*
Dataproc Resource Manager Node Service Agent
(roles/)
Dataproc Resource Manager Node Service Agent used to run managed resources in user project with restricted permissions.
Warning: Do not grant service agent roles to any principals except
service agents .
dataprocrm.nodes.get
dataprocrm.nodes.heartbeat
dataprocrm.
logging.logEntries.create
logging.logEntries.route
monitoring.
monitoring.
monitoring.
monitoring.
monitoring.timeSeries.create
Datastream Service Agent
(roles/)
Grants Cloud Datastream permissions to write data in the user project.
Warning: Do not grant service agent roles to any principals except
service agents .
bigquery.connections.delegate
bigquery.datasets.create
bigquery.datasets.get
bigquery.jobs.create
bigquery.jobs.delete
bigquery.jobs.get
bigquery.jobs.list
bigquery.jobs.update
bigquery.tables.create
bigquery.tables.get
bigquery.tables.getData
bigquery.tables.list
bigquery.tables.update
bigquery.tables.updateData
compute.globalAddresses.create
compute.
compute.globalAddresses.delete
compute.
compute.globalAddresses.get
compute.globalOperations.get
compute.networks.addPeering
compute.networks.get
compute.
compute.networks.removePeering
compute.networks.use
compute.routes.get
compute.routes.list
compute.subnetworks.get
compute.subnetworks.list
pubsub.topics.publish
storage.buckets.get
storage.objects.create
storage.objects.get
storage.objects.list
Data Studio Service Agent
(roles/)
Grants Data Studio Service Account access to manage resources.
Warning: Do not grant service agent roles to any principals except
service agents .
bigquery.jobs.create
DesignCenter Service Agent
(roles/)
Gives the DesignCenter API Service Account access to necessary GCP resources.
Warning: Do not grant service agent roles to any principals except
service agents .
apphub.applications.create
apphub.applications.delete
apphub.applications.get
apphub.applications.list
apphub.applications.update
apphub.operations.get
apphub.operations.list
apphub.
apphub.
apphub.
config.deployments.create
config.deployments.delete
config.deployments.get
config.deployments.list
config.deployments.update
config.locations.*
config.operations.*
config.previews.create
config.previews.delete
config.previews.get
config.previews.list
config.resources.*
config.revisions.*
config.terraformversions.*
storage.buckets.create
storage.buckets.delete
storage.buckets.get
storage.buckets.list
storage.buckets.update
storage.managedFolders.create
storage.managedFolders.delete
storage.managedFolders.get
storage.
storage.managedFolders.list
storage.objects.create
storage.objects.delete
storage.objects.get
storage.objects.list
storage.objects.update
Dialogflow Service Agent
(roles/)
Gives Dialogflow Service Account access to resources on behalf of user project for Integrations (Facebook Messenger, Slack, Telephony, etc.), BigQuery, Discovery Engine, Integration Connectors, and Vertex.
Warning: Do not grant service agent roles to any principals except
service agents .
aiplatform.endpoints.get
aiplatform.endpoints.predict
aiplatform.extensions.execute
aiplatform.extensions.get
aiplatform.models.get
bigquery.jobs.create
bigquery.tables.get
bigquery.tables.getData
bigquery.tables.updateData
cloudfunctions.
connectors.actions.*
connectors.
connectors.
connectors.connections.get
connectors.entities.*
connectors.entityTypes.list
connectors.operations.get
connectors.versions.get
dialogflow.agents.export
dialogflow.agents.get
dialogflow.agents.list
dialogflow.agents.search
dialogflow.
dialogflow.answerrecords.get
dialogflow.answerrecords.list
dialogflow.callMatchers.list
dialogflow.changelogs.*
dialogflow.contexts.*
dialogflow.
dialogflow.
dialogflow.
dialogflow.
dialogflow.
dialogflow.conversations.*
dialogflow.deployments.*
dialogflow.documents.get
dialogflow.documents.list
dialogflow.encryptionspec.get
dialogflow.entityTypes.get
dialogflow.entityTypes.list
dialogflow.environments.get
dialogflow.environments.list
dialogflow.
dialogflow.examples.get
dialogflow.examples.list
dialogflow.experiments.get
dialogflow.experiments.list
dialogflow.flows.get
dialogflow.flows.list
dialogflow.fulfillments.get
dialogflow.generators.get
dialogflow.generators.list
dialogflow.integrations.get
dialogflow.integrations.list
dialogflow.intents.get
dialogflow.intents.list
dialogflow.knowledgeBases.get
dialogflow.knowledgeBases.list
dialogflow.messages.list
dialogflow.modelEvaluations.*
dialogflow.operations.get
dialogflow.pages.get
dialogflow.pages.list
dialogflow.participants.*
dialogflow.
dialogflow.
dialogflow.phoneNumbers.list
dialogflow.playbooks.get
dialogflow.playbooks.list
dialogflow.
dialogflow.
dialogflow.
dialogflow.sessions.*
dialogflow.
dialogflow.
dialogflow.testcases.get
dialogflow.testcases.list
dialogflow.tools.get
dialogflow.tools.list
dialogflow.
dialogflow.
dialogflow.versions.get
dialogflow.versions.list
dialogflow.webhooks.get
dialogflow.webhooks.list
discoveryengine.
discoveryengine.
discoveryengine.
discoveryengine.engines.create
discoveryengine.engines.delete
discoveryengine.engines.get
discoveryengine.engines.update
discoveryengine.
dlp.deidentifyTemplates.get
dlp.deidentifyTemplates.list
dlp.inspectTemplates.get
dlp.inspectTemplates.list
logging.logEntries.create
logging.logEntries.route
pubsub.snapshots.seek
pubsub.subscriptions.consume
pubsub.
pubsub.topics.publish
resourcemanager.projects.get
resourcemanager.projects.list
run.jobs.run
run.routes.invoke
serviceusage.services.use
speakerid.phrases.*
speakerid.speakers.*
speech.adaptations.execute
speech.customClasses.get
speech.customClasses.list
speech.phraseSets.get
speech.phraseSets.list
speech.recognizers.get
speech.recognizers.list
storage.folders.get
storage.folders.list
storage.managedFolders.get
storage.managedFolders.list
storage.objects.create
storage.objects.get
storage.objects.list
Discovery Engine Service Agent
(roles/)
Discovery Engine service uploads documents and user events from Cloud Storage and BigQuery, reports results to the customer Cloud Storage bucket, writes logs to customer projects using Cloud Logging, and writes and reads metrics for customer using Cloud Monitoring.
Warning: Do not grant service agent roles to any principals except
service agents .
alloydb.clusters.export
alloydb.databases.list
alloydb.instances.get
alloydb.operations.get
bigquery.datasets.create
bigquery.datasets.get
bigquery.jobs.create
bigquery.jobs.get
bigquery.jobs.list
bigquery.jobs.update
bigquery.tables.create
bigquery.tables.export
bigquery.tables.get
bigquery.tables.getData
bigquery.tables.list
bigquery.tables.update
bigquery.tables.updateData
bigtable.tables.readRows
bigtable.tables.sampleRowKeys
cloudsql.databases.get
cloudsql.instances.export
cloudsql.instances.get
datastore.databases.export
datastore.databases.get
datastore.
datastore.operations.get
discoveryengine.
discoveryengine.
discoveryengine.
discoveryengine.
discoveryengine.
discoveryengine.
discoveryengine.
logging.logEntries.create
monitoring.
monitoring.
monitoring.
monitoring.
monitoring.timeSeries.*
spanner.
spanner.
spanner.databases.select
spanner.databases.useDataBoost
spanner.sessions.create
storage.buckets.create
storage.buckets.get
storage.buckets.getIamPolicy
storage.buckets.setIamPolicy
storage.managedFolders.*
storage.objects.create
storage.objects.delete
storage.objects.get
storage.objects.list
storage.objects.update
DLP API Service Agent
(roles/)
Gives the Cloud DLP API service agent permissions for BigQuery, Cloud Storage, Datastore, Pub/Sub, and Cloud KMS.
Warning: Do not grant service agent roles to any principals except
service agents .
appengine.applications.get
bigquery.config.get
bigquery.dataPolicies.create
bigquery.dataPolicies.delete
bigquery.dataPolicies.get
bigquery.
bigquery.dataPolicies.list
bigquery.
bigquery.dataPolicies.update
bigquery.datasets.*
bigquery.jobs.create
bigquery.jobs.get
bigquery.jobs.update
bigquery.models.*
bigquery.readsessions.*
bigquery.routines.*
bigquery.
bigquery.
bigquery.
bigquery.
bigquery.
bigquery.
bigquery.tables.*
cloudasset.
cloudasset.
cloudasset.
cloudkms.
cloudkms.locations.get
cloudkms.locations.list
datacatalog.
datacatalog.tagTemplates.*
dataform.locations.*
dataform.repositories.create
dataform.repositories.list
dataplex.projects.search
datastore.databases.get
datastore.
datastore.databases.list
datastore.entities.*
datastore.indexes.list
datastore.namespaces.*
datastore.statistics.*
dlp.analyzeRiskTemplates.get
dlp.analyzeRiskTemplates.list
dlp.deidentifyTemplates.get
dlp.deidentifyTemplates.list
dlp.inspectTemplates.get
dlp.inspectTemplates.list
dlp.jobs.*
dlp.kms.encrypt
firebase.projects.get
orgpolicy.policy.get
pubsub.*
recommender.
recommender.
recommender.
recommender.
resourcemanager.
resourcemanager.projects.get
resourcemanager.projects.list
serviceusage.quotas.get
serviceusage.services.get
serviceusage.services.list
serviceusage.services.use
storage.anywhereCaches.*
storage.bucketOperations.*
storage.buckets.*
storage.folders.*
storage.managedFolders.*
storage.managementHubs.*
storage.multipartUploads.*
storage.objects.*
Cloud DNS Service Agent
(roles/)
Gives Cloud DNS Service Agent access to Cloud Platform resources.
Warning: Do not grant service agent roles to any principals except
service agents .
compute.
compute.
compute.
compute.
compute.
compute.globalOperations.get
compute.healthChecks.get
DocumentAI Core Service Agent
(roles/)
Gives DocumentAI Core Service Account access to consumer resources.
Warning: Do not grant service agent roles to any principals except
service agents .
automl.models.predict
documentai.
storage.buckets.get
storage.objects.create
storage.objects.delete
storage.objects.get
storage.objects.list
storage.objects.update
DSPM Service Agent
(roles/)
Gives DSPM Service Account access to consumer resources.
Warning: Do not grant service agent roles to any principals except
service agents .
bigquery.
bigquery.
bigquery.
bigquery.
bigquery.
bigquery.
bigquery.
bigquery.
cloudasset.
cloudasset.assets.listResource
cloudasset.
cloudasset.
cloudasset.feeds.create
cloudasset.feeds.delete
cloudasset.feeds.update
resourcemanager.
resourcemanager.tagKeys.create
resourcemanager.tagKeys.delete
resourcemanager.tagKeys.get
resourcemanager.
resourcemanager.tagKeys.list
resourcemanager.tagKeys.update
resourcemanager.
resourcemanager.
resourcemanager.
resourcemanager.tagValues.get
resourcemanager.
resourcemanager.tagValues.list
resourcemanager.
securitycenter.
securitycentermanagement.
securitycentermanagement.
securitycentermanagement.
securityposture.operations.get
securityposture.
securityposture.
securityposture.
securityposture.postures.get
storage.
storage.
storage.
storage.
Edge Container Cluster Service Agent
(roles/)
Grants the Edge Container Cluster Service Account access to manage resources.
Warning: Do not grant service agent roles to any principals except
service agents .
cloudnotifications.
gkehub.endpoints.connect
gkehub.features.create
gkehub.features.get
gkehub.features.list
gkehub.features.update
gkehub.fleet.create
gkehub.fleet.delete
gkehub.fleet.get
gkehub.locations.*
gkehub.memberships.create
gkehub.memberships.delete
gkehub.
gkehub.memberships.get
gkehub.memberships.list
gkehub.memberships.update
gkehub.operations.*
kubernetesmetadata.*
logging.logEntries.create
monitoring.alertPolicies.get
monitoring.alertPolicies.list
monitoring.dashboards.*
monitoring.groups.get
monitoring.groups.list
monitoring.
monitoring.
monitoring.
monitoring.
monitoring.
monitoring.
monitoring.
monitoring.services.get
monitoring.services.list
monitoring.slos.get
monitoring.slos.list
monitoring.snoozes.get
monitoring.snoozes.list
monitoring.timeSeries.*
monitoring.
monitoring.
opsconfigmonitoring.*
resourcemanager.projects.get
resourcemanager.projects.list
serviceusage.quotas.get
serviceusage.services.enable
serviceusage.services.get
serviceusage.services.list
stackdriver.projects.get
stackdriver.resourceMetadata.*
storage.buckets.create
storage.buckets.get
storage.buckets.list
storage.buckets.update
storage.objects.create
storage.objects.delete
storage.objects.get
storage.objects.list
storage.objects.update
Edge Container Service Agent
(roles/)
Grants the Edge Container Service Account access to manage resources.
Warning: Do not grant service agent roles to any principals except
service agents .
compute.
compute.
compute.
compute.
compute.globalOperations.get
compute.networks.get
compute.networks.updatePolicy
compute.regionOperations.get
compute.routers.create
compute.routers.delete
compute.routers.get
compute.routers.list
compute.routers.update
compute.routers.use
compute.vpnGateways.create
compute.vpnGateways.delete
compute.vpnGateways.get
compute.vpnGateways.use
compute.vpnTunnels.create
compute.vpnTunnels.delete
compute.vpnTunnels.get
gkehub.memberships.create
gkehub.memberships.delete
gkehub.
gkehub.memberships.get
gkehub.memberships.list
gkehub.memberships.update
gkehub.operations.cancel
gkehub.operations.get
serviceusage.services.list
Cloud Endpoints Service Agent
(roles/)
Gives the Cloud Endpoints service account access to Endpoints services and the ability to act as a service controller.
Warning: Do not grant service agent roles to any principals except
service agents .
servicemanagement.
servicemanagement.services.get
servicemanagement.
servicemanagement.
Endpoints Portal Service Agent
(roles/)
Can access information about Endpoints services for consumer portal management, and can read Source Repositories for consumer portal custom content.
Warning: Do not grant service agent roles to any principals except
service agents .
servicemanagement.services.get
servicemanagement.
source.repos.get
Enterprise Knowledge Graph Service Agent
(roles/)
Gives Enterprise Knowledge Graph Service Account access to consumer resources.
Warning: Do not grant service agent roles to any principals except
service agents .
bigquery.config.get
bigquery.datasets.create
bigquery.datasets.get
bigquery.jobs.create
bigquery.readsessions.create
bigquery.readsessions.getData
bigquery.tables.create
bigquery.tables.get
bigquery.tables.getData
bigquery.tables.list
bigquery.tables.update
bigquery.tables.updateData
dataform.locations.*
dataform.repositories.create
dataform.repositories.list
resourcemanager.projects.get
resourcemanager.projects.list
storage.objects.get
storage.objects.list
Eventarc Service Agent
(roles/)
Gives Eventarc service account access to managed resources.
Warning: Do not grant service agent roles to any principals except
service agents .
cloudfunctions.functions.get
compute.
compute.networkAttachments.get
compute.
compute.regionOperations.get
container.clusters.connect
container.clusters.get
container.deployments.create
container.deployments.delete
container.deployments.get
container.deployments.list
container.deployments.update
container.namespaces.create
container.namespaces.delete
container.namespaces.get
container.namespaces.list
container.
container.
container.serviceAccounts.get
container.serviceAccounts.list
container.services.get
container.services.list
dns.
eventarc.channels.publish
eventarc.messageBuses.publish
eventarc.operations.get
iam.serviceAccounts.actAs
iam.
iam.
monitoring.timeSeries.create
pubsub.subscriptions.consume
pubsub.subscriptions.create
pubsub.subscriptions.delete
pubsub.subscriptions.get
pubsub.subscriptions.list
pubsub.subscriptions.update
pubsub.
pubsub.topics.create
pubsub.topics.delete
pubsub.topics.get
pubsub.topics.list
pubsub.topics.publish
pubsub.topics.update
run.jobs.get
run.services.get
serviceusage.services.use
storage.buckets.get
storage.buckets.update
workflows.workflows.get
Cloud Filestore Service Agent
(roles/)
Gives Cloud Filestore service account access to managed resources.
Warning: Do not grant service agent roles to any principals except
service agents .
compute.globalOperations.get
compute.networks.addPeering
compute.networks.get
compute.networks.removePeering
compute.networks.update
compute.networks.updatePeering
compute.routes.list
monitoring.
monitoring.
monitoring.
monitoring.
monitoring.timeSeries.create
resourcemanager.projects.get
resourcemanager.projects.list
Firebase App Distribution Admin SDK Service Agent
(roles/)
Read and write access to Firebase App Distribution with the Admin SDK
Warning: Do not grant service agent roles to any principals except
service agents .
firebaseappdistro.*
Firebase Service Management Service Agent
(roles/)
Access to create new service agents for Firebase projects; assign roles to service agents; provision GCP resources as required by Firebase services.
Warning: Do not grant service agent roles to any principals except
service agents .
apikeys.keys.create
apikeys.keys.get
apikeys.keys.list
apikeys.keys.update
appengine.applications.create
appengine.applications.get
appengine.applications.update
appengine.operations.get
appengine.services.list
bigquery.datasets.create
bigquery.datasets.get
bigquery.datasets.update
bigquery.transfers.*
clientauthconfig.brands.create
clientauthconfig.brands.get
clientauthconfig.brands.list
clientauthconfig.brands.update
clientauthconfig.
clientauthconfig.
clientauthconfig.clients.get
clientauthconfig.
clientauthconfig.clients.list
clientauthconfig.
firebase.clients.create
firebase.clients.delete
firebase.clients.get
firebase.clients.undelete
firebase.projects.*
firebaseabt.experiments.delete
firebaseauth.configs.create
firebaseauth.configs.get
firebaseauth.configs.update
firebaserules.releases.create
firebaserules.releases.delete
firebaserules.releases.get
firebaserules.rulesets.create
firebasestorage.
iam.roles.get
iam.serviceAccounts.create
iam.serviceAccounts.get
iam.serviceAccounts.list
resourcemanager.
resourcemanager.projects.get
resourcemanager.
resourcemanager.
resourcemanager.
servicemanagement.
serviceusage.services.enable
serviceusage.services.get
serviceusage.services.list
serviceusage.services.use
storage.buckets.create
storage.buckets.get
storage.buckets.getIamPolicy
storage.buckets.list
storage.buckets.setIamPolicy
Firebase App Hosting Service Agent
(roles/)
Gives Firebase App Hosting access to resource for Building & Deploying Backends.
Warning: Do not grant service agent roles to any principals except
service agents .
artifactregistry.
artifactregistry.
artifactregistry.
artifactregistry.
artifactregistry.
artifactregistry.
artifactregistry.
cloudbuild.builds.create
cloudbuild.builds.get
cloudbuild.builds.update
cloudbuild.connections.get
cloudbuild.operations.get
cloudbuild.
cloudbuild.
cloudbuild.repositories.get
developerconnect.
developerconnect.
developerconnect.
developerconnect.
iam.serviceAccounts.actAs
run.operations.delete
run.operations.get
run.revisions.delete
run.revisions.get
run.routes.get
run.routes.invoke
run.services.create
run.services.delete
run.services.get
run.services.update
serviceusage.services.use
Firebase Crashlytics Service Agent
(roles/)
Access to BigQuery export for Crashlytics
Warning: Do not grant service agent roles to any principals except
service agents .
bigquery.datasets.create
bigquery.datasets.get
bigquery.tables.create
bigquery.tables.get
bigquery.tables.getData
bigquery.tables.update
bigquery.tables.updateData
serviceusage.services.use
Firebase Realtime Database Service Agent
(roles/)
Access to publish triggers
Warning: Do not grant service agent roles to any principals except
service agents .
pubsub.topics.publish
serviceusage.services.use
Firebase Data Connect Service Agent
(roles/)
Gives Firebase Data Connect access to administer Cloud SQL instances.
Warning: Do not grant service agent roles to any principals except
service agents .
cloudsql.databases.create
cloudsql.databases.get
cloudsql.instances.connect
cloudsql.instances.get
cloudsql.instances.login
cloudsql.users.create
cloudsql.users.get
Firebase Machine Learning Service Agent
(roles/)
Access to Cloud ML and AI resources used by Firebase ML
Warning: Do not grant service agent roles to any principals except
service agents .
aiplatform.endpoints.predict
Firebase Rules Firestore Service Agent
(roles/)
Grants Firebase Security Rules access to Firestore for providing cross-service Rules.
Warning: Do not grant service agent roles to any principals except
service agents .
datastore.entities.get
Cloud Storage for Firebase Service Agent
(roles/)
Access to Cloud Storage for Firebase through API and SDK.
Warning: Do not grant service agent roles to any principals except
service agents .
storage.buckets.get
storage.buckets.getIamPolicy
storage.objects.create
storage.objects.delete
storage.objects.get
storage.objects.getIamPolicy
storage.objects.list
storage.objects.update
Firestore Service Agent
(roles/)
Gives Firestore service account access to managed resources.
Warning: Do not grant service agent roles to any principals except
service agents .
storage.buckets.get
storage.objects.create
storage.objects.delete
storage.objects.get
storage.objects.list
Cloud Firewall Insights Service Agent
(roles/)
Gives Cloud Firewall Insights service agent permissions to retrieve Firewall, VM and route resources on user behalf.
Warning: Do not grant service agent roles to any principals except
service agents .
compute.backendServices.list
compute.firewalls.get
compute.firewalls.list
compute.forwardingRules.list
compute.healthChecks.list
compute.httpHealthChecks.list
compute.httpsHealthChecks.list
compute.instanceGroups.list
compute.instances.get
compute.instances.list
compute.
compute.networks.list
compute.projects.get
compute.
compute.routers.list
compute.routes.get
compute.routes.list
compute.subnetworks.list
compute.targetHttpProxies.list
compute.
compute.targetPools.list
compute.targetSslProxies.list
compute.targetTcpProxies.list
compute.targetVpnGateways.list
compute.urlMaps.list
compute.vpnGateways.list
compute.vpnTunnels.list
FleetEngine Service Agent
(roles/)
Grants the FleetEngine Service Account access to manage resources.
Warning: Do not grant service agent roles to any principals except
service agents .
bigquery.config.get
bigquery.datasets.create
bigquery.datasets.get
bigquery.jobs.create
bigquery.tables.getData
dataform.locations.*
dataform.repositories.create
dataform.repositories.list
resourcemanager.projects.get
resourcemanager.projects.list
serviceusage.services.enable
Game Services Service Agent
(roles/)
Gives Game Services Service Account access to GCP resources.
Warning: Do not grant service agent roles to any principals except
service agents .
container.apiServices.*
container.auditSinks.*
container.backendConfigs.*
container.bindings.*
container.
container.
container.
container.
container.
container.
container.
container.
container.
container.
container.clusterRoles.bind
container.clusterRoles.create
container.
container.clusterRoles.get
container.clusterRoles.list
container.clusterRoles.update
container.clusters.connect
container.clusters.create
container.clusters.delete
container.clusters.get
container.clusters.list
container.clusters.update
container.componentStatuses.*
container.configMaps.*
container.
container.
container.cronJobs.*
container.csiDrivers.*
container.csiNodeInfos.*
container.csiNodes.*
container.
container.daemonSets.*
container.deployments.*
container.endpointSlices.*
container.endpoints.*
container.events.*
container.frontendConfigs.*
container.
container.ingresses.*
container.
container.jobs.*
container.leases.*
container.limitRanges.*
container.
container.
container.
container.namespaces.*
container.networkPolicies.*
container.nodes.*
container.operations.*
container.
container.persistentVolumes.*
container.petSets.*
container.
container.podPresets.*
container.
container.
container.podTemplates.*
container.pods.*
container.priorityClasses.*
container.replicaSets.*
container.
container.resourceQuotas.*
container.roleBindings.create
container.roleBindings.get
container.roleBindings.list
container.roles.bind
container.roles.create
container.roles.escalate
container.roles.get
container.roles.list
container.runtimeClasses.*
container.scheduledJobs.*
container.secrets.*
container.
container.
container.serviceAccounts.*
container.services.*
container.statefulSets.*
container.storageClasses.*
container.storageStates.*
container.
container.
container.thirdPartyObjects.*
container.
container.tokenReviews.create
container.updateInfos.*
container.
container.volumeAttachments.*
container.
container.
container.volumeSnapshots.*
gkehub.features.get
gkehub.features.getIamPolicy
gkehub.features.list
gkehub.fleet.get
gkehub.fleet.getFreeTrial
gkehub.locations.*
gkehub.membershipbindings.get
gkehub.membershipbindings.list
gkehub.membershipfeatures.get
gkehub.membershipfeatures.list
gkehub.
gkehub.memberships.get
gkehub.
gkehub.memberships.list
gkehub.namespaces.get
gkehub.namespaces.list
gkehub.operations.get
gkehub.operations.list
gkehub.rbacrolebindings.get
gkehub.rbacrolebindings.list
gkehub.scopes.get
gkehub.scopes.list
gkehub.
iam.serviceAccounts.actAs
recommender.
recommender.
recommender.locations.*
recommender.
recommender.
resourcemanager.projects.get
resourcemanager.projects.list
Genomics Service Agent
(roles/)
Gives Genomics Service Account access to compute resources. Includes access to service accounts.
Warning: Do not grant service agent roles to any principals except
service agents .
backupdr.
backupdr.
backupdr.
backupdr.
backupdr.backupPlans.get
backupdr.backupPlans.list
backupdr.
backupdr.backupVaults.get
backupdr.backupVaults.list
backupdr.locations.list
backupdr.operations.get
backupdr.operations.list
backupdr.
compute.acceleratorTypes.*
compute.
compute.
compute.addresses.get
compute.addresses.list
compute.
compute.
compute.addresses.use
compute.addresses.useInternal
compute.autoscalers.*
compute.backendBuckets.get
compute.backendBuckets.list
compute.
compute.
compute.backendServices.get
compute.backendServices.list
compute.
compute.
compute.diskTypes.*
compute.disks.*
compute.
compute.
compute.
compute.
compute.firewalls.get
compute.firewalls.list
compute.
compute.
compute.forwardingRules.get
compute.forwardingRules.list
compute.
compute.
compute.globalAddresses.get
compute.globalAddresses.list
compute.
compute.
compute.globalAddresses.use
compute.
compute.
compute.
compute.
compute.
compute.
compute.globalOperations.get
compute.globalOperations.list
compute.healthChecks.get
compute.healthChecks.list
compute.
compute.
compute.httpHealthChecks.get
compute.httpHealthChecks.list
compute.
compute.
compute.httpsHealthChecks.get
compute.httpsHealthChecks.list
compute.
compute.
compute.images.*
compute.
compute.instanceGroups.*
compute.instanceSettings.*
compute.instanceTemplates.*
compute.instances.*
compute.instantSnapshots.*
compute.
compute.
compute.
compute.
compute.
compute.
compute.interconnects.get
compute.interconnects.list
compute.
compute.
compute.licenseCodes.*
compute.licenses.*
compute.machineImages.*
compute.machineTypes.*
compute.multiMig.*
compute.networkAttachments.get
compute.
compute.
compute.
compute.
compute.networkProfiles.*
compute.networks.get
compute.networks.list
compute.
compute.
compute.networks.use
compute.networks.useExternalIp
compute.projects.get
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.regionHealthChecks.get
compute.
compute.
compute.
compute.
compute.
compute.
compute.regionOperations.get
compute.regionOperations.list
compute.
compute.
compute.
compute.
compute.regionSslPolicies.get
compute.regionSslPolicies.list
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.regionUrlMaps.get
compute.regionUrlMaps.list
compute.
compute.
compute.regions.*
compute.reservationBlocks.*
compute.reservations.get
compute.reservations.list
compute.resourcePolicies.*
compute.routers.get
compute.routers.getRoutePolicy
compute.routers.list
compute.routers.listBgpRoutes
compute.
compute.
compute.
compute.routes.get
compute.routes.list
compute.
compute.routes.listTagBindings
compute.serviceAttachments.get
compute.
compute.
compute.
compute.snapshots.*
compute.spotAssistants.get
compute.sslCertificates.get
compute.sslCertificates.list
compute.
compute.
compute.sslPolicies.get
compute.sslPolicies.list
compute.
compute.
compute.
compute.storagePools.get
compute.storagePools.list
compute.storagePools.use
compute.subnetworks.get
compute.subnetworks.list
compute.
compute.
compute.subnetworks.use
compute.
compute.targetGrpcProxies.get
compute.targetGrpcProxies.list
compute.
compute.
compute.targetHttpProxies.get
compute.targetHttpProxies.list
compute.
compute.
compute.targetHttpsProxies.get
compute.
compute.
compute.
compute.targetInstances.get
compute.targetInstances.list
compute.
compute.
compute.targetPools.get
compute.targetPools.list
compute.
compute.
compute.targetSslProxies.get
compute.targetSslProxies.list
compute.
compute.
compute.targetTcpProxies.get
compute.targetTcpProxies.list
compute.
compute.
compute.targetVpnGateways.get
compute.targetVpnGateways.list
compute.
compute.
compute.urlMaps.get
compute.urlMaps.list
compute.
compute.
compute.vpnGateways.get
compute.vpnGateways.list
compute.
compute.
compute.vpnTunnels.get
compute.vpnTunnels.list
compute.
compute.
compute.zoneOperations.get
compute.zoneOperations.list
compute.zones.*
iam.serviceAccounts.actAs
pubsub.topics.publish
resourcemanager.projects.get
resourcemanager.projects.list
serviceusage.quotas.get
serviceusage.services.get
serviceusage.services.list
serviceusage.services.use
Backup for GKE Service Agent
(roles/)
Grants the Backup for GKE Service Account access to managed resources.
Warning: Do not grant service agent roles to any principals except
service agents .
compute.disks.create
compute.disks.createSnapshot
compute.disks.get
compute.disks.list
compute.disks.setLabels
compute.disks.useReadOnly
compute.globalOperations.get
compute.regionOperations.get
compute.snapshots.delete
compute.snapshots.get
compute.zoneOperations.get
container.apiServices.*
container.auditSinks.*
container.backendConfigs.*
container.bindings.*
container.
container.
container.
container.
container.
container.
container.
container.
container.clusterRoles.get
container.clusterRoles.list
container.clusters.connect
container.clusters.get
container.clusters.list
container.clusters.update
container.componentStatuses.*
container.configMaps.*
container.
container.
container.cronJobs.*
container.csiDrivers.*
container.csiNodeInfos.*
container.csiNodes.*
container.
container.daemonSets.*
container.deployments.*
container.endpointSlices.*
container.endpoints.*
container.events.*
container.frontendConfigs.*
container.
container.ingresses.*
container.
container.jobs.*
container.leases.*
container.limitRanges.*
container.
container.
container.
container.
container.namespaces.*
container.networkPolicies.*
container.nodes.*
container.operations.*
container.
container.persistentVolumes.*
container.petSets.*
container.
container.podPresets.*
container.
container.
container.podTemplates.*
container.pods.*
container.priorityClasses.*
container.replicaSets.*
container.
container.resourceQuotas.*
container.roleBindings.get
container.roleBindings.list
container.roles.get
container.roles.list
container.runtimeClasses.*
container.scheduledJobs.*
container.secrets.*
container.
container.
container.serviceAccounts.*
container.services.*
container.statefulSets.*
container.storageClasses.*
container.storageStates.*
container.
container.
container.thirdPartyObjects.*
container.
container.tokenReviews.create
container.updateInfos.*
container.
container.
container.volumeAttachments.*
container.
container.
container.volumeSnapshots.*
gkebackup.operations.get
recommender.
recommender.
recommender.locations.*
recommender.
recommender.
resourcemanager.projects.get
resourcemanager.projects.list
resourcemanager.
Warp Run Service Agent
(roles/)
Gives the Warp Run service agent access to Cloud Platform resources.
Warning: Do not grant service agent roles to any principals except
service agents .
resourcemanager.projects.get
resourcemanager.projects.list
GKE Hub Cross Project Service Agent
(roles/)
Gives the GKE Hub service agent permission to manage the project for cross-project fleet registration.
Warning: Do not grant service agent roles to any principals except
service agents .
resourcemanager.
resourcemanager.
GKE Hub Service Agent
(roles/)
Gives the GKE Hub service agent access to Cloud Platform resources.
Warning: Do not grant service agent roles to any principals except
service agents .
container.
container.clusterRoles.*
container.clusters.connect
container.clusters.get
container.clusters.list
container.clusters.update
container.
container.
container.
container.
container.
container.namespaces.get
container.operations.get
container.thirdPartyObjects.*
gkehub.features.create
gkehub.features.get
gkehub.features.list
gkehub.fleet.create
gkehub.fleet.get
gkehub.gateway.delete
gkehub.
gkehub.gateway.get
gkehub.gateway.patch
gkehub.gateway.post
gkehub.gateway.put
gkehub.locations.*
gkehub.memberships.create
gkehub.
gkehub.memberships.get
gkehub.memberships.list
gkehub.operations.get
gkemulticloud.awsClusters.get
gkemulticloud.
gkeonprem.
gkeonprem.vmwareClusters.get
logging.buckets.create
logging.buckets.get
logging.buckets.list
logging.buckets.update
logging.exclusions.*
logging.sinks.*
logging.views.create
logging.views.get
logging.views.list
logging.views.update
monitoring.metricsScopes.link
resourcemanager.projects.get
resourcemanager.projects.list
serviceusage.services.get
serviceusage.services.list
Anthos Multi-Cloud Container Service Agent
(roles/)
Grants the Anthos Multi-Cloud Container Service Account access to manage resources.
Warning: Do not grant service agent roles to any principals except
service agents .
binaryauthorization.
binaryauthorization.
binaryauthorization.
binaryauthorization.
binaryauthorization.policy.get
cloudnotifications.
kubernetesmetadata.*
logging.logEntries.create
logging.logEntries.route
monitoring.alertPolicies.get
monitoring.alertPolicies.list
monitoring.dashboards.get
monitoring.dashboards.list
monitoring.groups.get
monitoring.groups.list
monitoring.
monitoring.
monitoring.
monitoring.
monitoring.
monitoring.
monitoring.
monitoring.services.get
monitoring.services.list
monitoring.slos.get
monitoring.slos.list
monitoring.snoozes.get
monitoring.snoozes.list
monitoring.timeSeries.*
monitoring.
monitoring.
opsconfigmonitoring.*
resourcemanager.projects.get
resourcemanager.projects.list
serviceusage.services.use
stackdriver.projects.get
stackdriver.
Anthos Multi-Cloud Control Plane Machine Service Agent
(roles/)
Grants the Anthos Multi-Cloud Control Plane Machine Service Account access to manage resources.
Warning: Do not grant service agent roles to any principals except
service agents .
artifactregistry.
artifactregistry.
artifactregistry.
serviceusage.services.use
Anthos Multi-Cloud Node Pool Machine Service Agent
(roles/)
Grants the Anthos Multi-Cloud Node Pool Machine Service Account access to manage resources.
Warning: Do not grant service agent roles to any principals except
service agents .
artifactregistry.
artifactregistry.
artifactregistry.
serviceusage.services.use
Anthos Multi-Cloud Service Agent
(roles/)
Grants the Anthos Multi-Cloud Service Account access to manage resources.
Warning: Do not grant service agent roles to any principals except
service agents .
gkehub.features.*
gkehub.fleet.*
gkehub.locations.*
gkehub.membershipbindings.*
gkehub.membershipfeatures.*
gkehub.memberships.*
gkehub.namespaces.*
gkehub.operations.*
gkehub.rbacrolebindings.*
gkehub.scopes.create
gkehub.scopes.delete
gkehub.scopes.get
gkehub.scopes.getIamPolicy
gkehub.scopes.list
gkehub.
gkehub.scopes.update
gkemulticloud.
gkemulticloud.
gkemulticloud.
gkemulticloud.
gkemulticloud.
resourcemanager.projects.get
resourcemanager.projects.list
GKE On-Prem Service Agent
(roles/)
Gives the GKE On-Prem service agent access to Cloud Platform resources.
Warning: Do not grant service agent roles to any principals except
service agents .
gkehub.memberships.delete
gkehub.memberships.get
gkehub.memberships.update
gkeonprem.
gkeonprem.
gkeonprem.
gkeonprem.
gkeonprem.
gkeonprem.
gkeonprem.
gkeonprem.
gkeonprem.
gkeonprem.
gkeonprem.operations.get
gkeonprem.operations.list
gkeonprem.
gkeonprem.
gkeonprem.
gkeonprem.
gkeonprem.
gkeonprem.vmwareClusters.get
gkeonprem.
gkeonprem.
gkeonprem.vmwareNodePools.get
gkeonprem.
Healthcare Service Agent
(roles/)
Gives the Healthcare Service Account access to networks, Kubernetes engine, and Pub/Sub resources.
Warning: Do not grant service agent roles to any principals except
service agents .
cloudnotifications.
monitoring.alertPolicies.get
monitoring.alertPolicies.list
monitoring.dashboards.get
monitoring.dashboards.list
monitoring.groups.get
monitoring.groups.list
monitoring.
monitoring.
monitoring.
monitoring.
monitoring.
monitoring.
monitoring.
monitoring.services.get
monitoring.services.list
monitoring.slos.get
monitoring.slos.list
monitoring.snoozes.get
monitoring.snoozes.list
monitoring.timeSeries.*
monitoring.
monitoring.
opsconfigmonitoring.
pubsub.snapshots.seek
pubsub.subscriptions.consume
pubsub.
pubsub.topics.publish
resourcemanager.projects.get
resourcemanager.projects.list
stackdriver.projects.get
stackdriver.
(roles/)
Gives Identity Platform service account access to customer project resources.
Warning: Do not grant service agent roles to any principals except
service agents .
recaptchaenterprise.
recaptchaenterprise.
recaptchaenterprise.
recaptchaenterprise.keys.get
Application Integration Service Agent
(roles/)
Service agent that grants access to execute an integration.
Warning: Do not grant service agent roles to any principals except
service agents .
cloudfunctions.
cloudscheduler.jobs.create
cloudscheduler.jobs.delete
cloudscheduler.jobs.enable
cloudscheduler.jobs.fullView
cloudscheduler.jobs.get
cloudscheduler.jobs.pause
cloudscheduler.jobs.run
cloudscheduler.jobs.update
cloudscheduler.locations.*
connectors.actions.*
connectors.
connectors.connections.get
connectors.entities.*
connectors.entityTypes.list
iam.
iam.
integrations.
integrations.
integrations.
integrations.
integrations.
integrations.
integrations.
integrations.
integrations.authConfigs.*
integrations.certificates.*
integrations.executions.list
integrations.
integrations.
integrations.
integrations.
integrations.
integrations.
integrations.
integrations.
integrations.
integrations.integrations.get
integrations.
integrations.integrations.list
integrations.
integrations.sfdcChannels.*
integrations.sfdcInstances.*
integrations.suspensions.*
pubsub.schemas.attach
pubsub.schemas.create
pubsub.schemas.delete
pubsub.schemas.get
pubsub.schemas.list
pubsub.schemas.validate
pubsub.snapshots.create
pubsub.snapshots.delete
pubsub.snapshots.get
pubsub.snapshots.list
pubsub.snapshots.seek
pubsub.snapshots.update
pubsub.subscriptions.consume
pubsub.subscriptions.create
pubsub.subscriptions.delete
pubsub.subscriptions.get
pubsub.subscriptions.list
pubsub.subscriptions.update
pubsub.
pubsub.topics.create
pubsub.topics.delete
pubsub.
pubsub.topics.get
pubsub.topics.list
pubsub.topics.publish
pubsub.topics.update
pubsub.topics.updateTag
resourcemanager.projects.get
resourcemanager.projects.list
run.jobs.run
run.routes.invoke
serviceusage.quotas.get
serviceusage.services.get
serviceusage.services.list
storage.buckets.create
storage.buckets.get
storage.buckets.list
storage.buckets.update
storage.objects.create
storage.objects.get
storage.objects.list
storage.objects.update
KRM API Hosting AnthosApiEndpoint Service Agent
(roles/)
Grants permissions to resources managed by AnthosApiEndpoint.
Warning: Do not grant service agent roles to any principals except
service agents .
compute.
container.*
gkehub.features.*
gkehub.fleet.*
gkehub.gateway.*
gkehub.locations.*
gkehub.membershipbindings.*
gkehub.membershipfeatures.*
gkehub.memberships.*
gkehub.namespaces.*
gkehub.operations.*
gkehub.rbacrolebindings.*
gkehub.scopes.create
gkehub.scopes.delete
gkehub.scopes.get
gkehub.scopes.getIamPolicy
gkehub.scopes.list
gkehub.
gkehub.scopes.update
iam.serviceAccounts.actAs
meshconfig.projects.init
recommender.
recommender.
recommender.locations.*
recommender.
recommender.
resourcemanager.projects.get
resourcemanager.
resourcemanager.projects.list
resourcemanager.
serviceusage.services.enable
serviceusage.services.get
serviceusage.services.list
serviceusage.services.use
KRM API Hosting Service Agent
(roles/)
Gives KRM API Hosting service account access to managed resource.
Warning: Do not grant service agent roles to any principals except
service agents .
compute.
compute.regions.get
container.*
iam.serviceAccounts.actAs
recommender.
recommender.
recommender.locations.*
recommender.
recommender.
resourcemanager.projects.get
resourcemanager.projects.list
serviceusage.services.use
KubeRun Events Control Plane Service Agent
(roles/)
Service account role used to setup authentication for the control plane used by KubeRun Events.
Warning: Do not grant service agent roles to any principals except
service agents .
cloudscheduler.jobs.create
cloudscheduler.jobs.delete
cloudscheduler.jobs.get
logging.sinks.create
logging.sinks.delete
logging.sinks.get
pubsub.subscriptions.create
pubsub.subscriptions.delete
pubsub.subscriptions.get
pubsub.
pubsub.topics.create
pubsub.topics.delete
pubsub.topics.get
pubsub.topics.getIamPolicy
pubsub.topics.setIamPolicy
resourcemanager.projects.get
storage.buckets.get
storage.buckets.update
KubeRun Events Data Plane Service Agent
(roles/)
Service account role used to setup authentication for the data plane used by KubeRun Events.
Warning: Do not grant service agent roles to any principals except
service agents .
cloudtrace.traces.patch
monitoring.timeSeries.create
pubsub.subscriptions.consume
pubsub.subscriptions.get
pubsub.topics.get
pubsub.topics.publish
resourcemanager.projects.get
Cloud Life Sciences Service Agent
(roles/)
Gives Cloud Life Sciences Service Account access to compute resources. Includes access to service accounts.
Warning: Do not grant service agent roles to any principals except
service agents .
backupdr.
backupdr.
backupdr.
backupdr.
backupdr.backupPlans.get
backupdr.backupPlans.list
backupdr.
backupdr.backupVaults.get
backupdr.backupVaults.list
backupdr.locations.list
backupdr.operations.get
backupdr.operations.list
backupdr.
compute.acceleratorTypes.*
compute.
compute.
compute.addresses.get
compute.addresses.list
compute.
compute.
compute.addresses.use
compute.addresses.useInternal
compute.autoscalers.*
compute.backendBuckets.get
compute.backendBuckets.list
compute.
compute.
compute.backendServices.get
compute.backendServices.list
compute.
compute.
compute.diskTypes.*
compute.disks.*
compute.
compute.
compute.
compute.
compute.firewalls.get
compute.firewalls.list
compute.
compute.
compute.forwardingRules.get
compute.forwardingRules.list
compute.
compute.
compute.globalAddresses.get
compute.globalAddresses.list
compute.
compute.
compute.globalAddresses.use
compute.
compute.
compute.
compute.
compute.
compute.
compute.globalOperations.get
compute.globalOperations.list
compute.healthChecks.get
compute.healthChecks.list
compute.
compute.
compute.httpHealthChecks.get
compute.httpHealthChecks.list
compute.
compute.
compute.httpsHealthChecks.get
compute.httpsHealthChecks.list
compute.
compute.
compute.images.*
compute.
compute.instanceGroups.*
compute.instanceSettings.*
compute.instanceTemplates.*
compute.instances.*
compute.instantSnapshots.*
compute.
compute.
compute.
compute.
compute.
compute.
compute.interconnects.get
compute.interconnects.list
compute.
compute.
compute.licenseCodes.*
compute.licenses.*
compute.machineImages.*
compute.machineTypes.*
compute.multiMig.*
compute.networkAttachments.get
compute.
compute.
compute.
compute.
compute.networkProfiles.*
compute.networks.get
compute.networks.list
compute.
compute.
compute.networks.use
compute.networks.useExternalIp
compute.projects.get
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.regionHealthChecks.get
compute.
compute.
compute.
compute.
compute.
compute.
compute.regionOperations.get
compute.regionOperations.list
compute.
compute.
compute.
compute.
compute.regionSslPolicies.get
compute.regionSslPolicies.list
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.regionUrlMaps.get
compute.regionUrlMaps.list
compute.
compute.
compute.regions.*
compute.reservationBlocks.*
compute.reservations.get
compute.reservations.list
compute.resourcePolicies.*
compute.routers.get
compute.routers.getRoutePolicy
compute.routers.list
compute.routers.listBgpRoutes
compute.
compute.
compute.
compute.routes.get
compute.routes.list
compute.
compute.routes.listTagBindings
compute.serviceAttachments.get
compute.
compute.
compute.
compute.snapshots.*
compute.spotAssistants.get
compute.sslCertificates.get
compute.sslCertificates.list
compute.
compute.
compute.sslPolicies.get
compute.sslPolicies.list
compute.
compute.
compute.
compute.storagePools.get
compute.storagePools.list
compute.storagePools.use
compute.subnetworks.get
compute.subnetworks.list
compute.
compute.
compute.subnetworks.use
compute.
compute.targetGrpcProxies.get
compute.targetGrpcProxies.list
compute.
compute.
compute.targetHttpProxies.get
compute.targetHttpProxies.list
compute.
compute.
compute.targetHttpsProxies.get
compute.
compute.
compute.
compute.targetInstances.get
compute.targetInstances.list
compute.
compute.
compute.targetPools.get
compute.targetPools.list
compute.
compute.
compute.targetSslProxies.get
compute.targetSslProxies.list
compute.
compute.
compute.targetTcpProxies.get
compute.targetTcpProxies.list
compute.
compute.
compute.targetVpnGateways.get
compute.targetVpnGateways.list
compute.
compute.
compute.urlMaps.get
compute.urlMaps.list
compute.
compute.
compute.vpnGateways.get
compute.vpnGateways.list
compute.
compute.
compute.vpnTunnels.get
compute.vpnTunnels.list
compute.
compute.
compute.zoneOperations.get
compute.zoneOperations.list
compute.zones.*
iam.serviceAccounts.actAs
pubsub.topics.publish
resourcemanager.projects.get
resourcemanager.projects.list
serviceusage.quotas.get
serviceusage.services.get
serviceusage.services.list
serviceusage.services.use
Live Stream Service Agent
(roles/)
Uploads media files to customer Cloud Storage buckets.
Warning: Do not grant service agent roles to any principals except
service agents .
storage.objects.create
storage.objects.delete
storage.objects.get
storage.objects.list
storage.objects.update
Cloud Logging Service Agent
(roles/)
Grants a Cloud Logging Service Account the ability to create and link datasets.
Warning: Do not grant service agent roles to any principals except
service agents .
bigquery.datasets.create
bigquery.datasets.get
bigquery.datasets.link
Looker Service Agent
(roles/)
Gives the Looker service account permission to manage customer resources
Warning: Do not grant service agent roles to any principals except
service agents .
bigquery.config.get
bigquery.datasets.get
bigquery.jobs.create
bigquery.models.export
bigquery.models.getData
bigquery.models.getMetadata
bigquery.models.list
bigquery.tables.create
bigquery.tables.createSnapshot
bigquery.tables.export
bigquery.tables.get
bigquery.tables.getData
bigquery.tables.list
compute.globalAddresses.get
looker.backups.create
resourcemanager.projects.get
serviceusage.services.use
Managed Flink Service Agent
(roles/)
Gives Managed Flink Service Agent access to Cloud Platform resources.
Warning: Do not grant service agent roles to any principals except
service agents .
compute.
compute.
compute.networkAttachments.get
compute.
compute.
compute.networks.get
compute.networks.list
compute.regionOperations.get
compute.subnetworks.get
compute.subnetworks.list
compute.subnetworks.use
dns.
managedkafka.clusters.get
managedkafka.clusters.list
managedkafka.clusters.update
monitoring.
monitoring.
monitoring.
monitoring.
monitoring.timeSeries.create
serviceusage.services.use
storage.objects.get
Cloud Managed Identities Service Agent
(roles/)
Gives Managed Identities service account access to managed resources.
Warning: Do not grant service agent roles to any principals except
service agents .
compute.globalOperations.get
compute.networks.addPeering
compute.networks.get
compute.networks.removePeering
compute.networks.update
compute.routes.list
dns.changes.*
dns.dnsKeys.*
dns.managedZoneOperations.*
dns.managedZones.create
dns.managedZones.delete
dns.managedZones.get
dns.managedZones.list
dns.managedZones.update
dns.
dns.
dns.policies.create
dns.policies.delete
dns.policies.get
dns.policies.list
dns.policies.update
dns.projects.get
dns.resourceRecordSets.*
dns.responsePolicies.*
dns.responsePolicyRules.*
monitoring.
monitoring.
monitoring.
monitoring.
monitoring.timeSeries.create
resourcemanager.projects.get
resourcemanager.projects.list
Managed Kafka Service Agent
(roles/)
Gives Managed Kafka Service Agent access to Cloud Platform resources.
Warning: Do not grant service agent roles to any principals except
service agents .
compute.addresses.create
compute.
compute.addresses.delete
compute.
compute.addresses.list
compute.addresses.use
compute.addresses.useInternal
compute.forwardingRules.create
compute.forwardingRules.delete
compute.forwardingRules.list
compute.
compute.
compute.networks.get
compute.networks.use
compute.regionOperations.get
compute.subnetworks.get
compute.subnetworks.use
dns.changes.create
dns.managedZones.create
dns.managedZones.delete
dns.managedZones.list
dns.
dns.
dns.resourceRecordSets.create
dns.resourceRecordSets.delete
dns.resourceRecordSets.list
dns.resourceRecordSets.update
managedkafka.clusters.connect
privateca.caPools.get
servicedirectory.
servicedirectory.
servicedirectory.
(roles/)
Downloads and uploads media files from and to customer Cloud Storage buckets.
Warning: Do not grant service agent roles to any principals except
service agents .
pubsub.topics.get
pubsub.topics.publish
storage.objects.create
storage.objects.delete
storage.objects.get
transcoder.jobs.create
transcoder.jobs.delete
transcoder.jobs.get
Cloud Memorystore Memcached Service Agent
(roles/)
Gives Cloud Memorystore Memcached service account access to managed resource
Warning: Do not grant service agent roles to any principals except
service agents .
compute.globalOperations.get
compute.networks.addPeering
compute.networks.get
compute.networks.removePeering
compute.networks.update
compute.routes.get
compute.routes.list
compute.subnetworks.get
compute.subnetworks.list
monitoring.
monitoring.
monitoring.
monitoring.
monitoring.timeSeries.create
resourcemanager.projects.get
resourcemanager.projects.list
Cloud Memorystore Service Agent
(roles/)
Gives Cloud Memorystore service account access to managed resource
Warning: Do not grant service agent roles to any principals except
service agents .
compute.globalOperations.get
compute.networks.addPeering
compute.networks.get
compute.networks.removePeering
compute.projects.get
compute.routes.get
compute.routes.list
compute.subnetworks.get
compute.subnetworks.list
monitoring.
monitoring.
monitoring.
monitoring.
monitoring.timeSeries.create
resourcemanager.projects.get
resourcemanager.projects.list
Mesh Config Service Agent
(roles/)
Apply mesh configuration
Warning: Do not grant service agent roles to any principals except
service agents .
compute.backendServices.create
compute.backendServices.delete
compute.backendServices.get
compute.backendServices.list
compute.
compute.backendServices.update
compute.backendServices.use
compute.firewalls.create
compute.firewalls.delete
compute.firewalls.get
compute.firewalls.list
compute.firewalls.update
compute.
compute.
compute.
compute.
compute.
compute.
compute.globalOperations.get
compute.globalOperations.list
compute.healthChecks.create
compute.healthChecks.delete
compute.healthChecks.get
compute.healthChecks.list
compute.healthChecks.update
compute.healthChecks.use
compute.
compute.
compute.
compute.
compute.networks.get
compute.networks.updatePolicy
compute.networks.use
compute.
compute.
compute.
compute.
compute.
compute.subnetworks.use
compute.
compute.
compute.targetHttpProxies.get
compute.targetHttpProxies.list
compute.
compute.targetHttpProxies.use
compute.
compute.
compute.targetHttpsProxies.get
compute.
compute.
compute.
compute.
compute.targetHttpsProxies.use
compute.
compute.
compute.targetSslProxies.get
compute.targetSslProxies.list
compute.
compute.
compute.
compute.targetSslProxies.use
compute.
compute.
compute.targetTcpProxies.get
compute.targetTcpProxies.list
compute.
compute.targetTcpProxies.use
compute.urlMaps.create
compute.urlMaps.delete
compute.urlMaps.get
compute.
compute.urlMaps.list
compute.urlMaps.update
compute.urlMaps.use
compute.urlMaps.validate
networksecurity.
networksecurity.
networksecurity.
networksecurity.
networksecurity.
networksecurity.
networksecurity.
networksecurity.
networksecurity.
networksecurity.
networkservices.httpFilters.*
networkservices.
networkservices.
networkservices.
networkservices.
networkservices.
Mesh Managed Control Plane Service Agent
(roles/)
Anthos Service Mesh Managed Control Plane Agent
Warning: Do not grant service agent roles to any principals except
service agents .
container.apiServices.*
container.auditSinks.*
container.backendConfigs.*
container.bindings.*
container.
container.
container.clusterRoles.*
container.clusters.get
container.
container.clusters.list
container.clusters.update
container.componentStatuses.*
container.configMaps.*
container.
container.cronJobs.*
container.csiDrivers.*
container.csiNodeInfos.*
container.csiNodes.*
container.
container.daemonSets.*
container.deployments.*
container.endpointSlices.*
container.endpoints.*
container.events.*
container.frontendConfigs.*
container.
container.hostServiceAgent.use
container.ingresses.*
container.
container.jobs.*
container.leases.*
container.limitRanges.*
container.
container.
container.
container.namespaces.*
container.networkPolicies.*
container.nodes.*
container.operations.*
container.
container.persistentVolumes.*
container.petSets.*
container.
container.podPresets.*
container.
container.podTemplates.*
container.pods.*
container.priorityClasses.*
container.replicaSets.*
container.
container.resourceQuotas.*
container.roleBindings.*
container.roles.*
container.runtimeClasses.*
container.scheduledJobs.*
container.secrets.*
container.
container.
container.serviceAccounts.*
container.services.*
container.statefulSets.*
container.storageClasses.*
container.storageStates.*
container.
container.
container.thirdPartyObjects.*
container.
container.tokenReviews.create
container.updateInfos.*
container.
container.volumeAttachments.*
container.
container.
container.volumeSnapshots.*
gkehub.features.get
gkehub.features.getIamPolicy
gkehub.features.list
gkehub.fleet.get
gkehub.fleet.getFreeTrial
gkehub.gateway.*
gkehub.locations.*
gkehub.membershipbindings.get
gkehub.membershipbindings.list
gkehub.membershipfeatures.get
gkehub.membershipfeatures.list
gkehub.
gkehub.memberships.get
gkehub.
gkehub.memberships.list
gkehub.namespaces.get
gkehub.namespaces.list
gkehub.operations.get
gkehub.operations.list
gkehub.rbacrolebindings.get
gkehub.rbacrolebindings.list
gkehub.scopes.get
gkehub.scopes.list
gkehub.
logging.logEntries.create
logging.logEntries.route
monitoring.
monitoring.
monitoring.
monitoring.
monitoring.timeSeries.create
resourcemanager.projects.get
resourcemanager.projects.list
serviceusage.services.get
serviceusage.services.use
trafficdirector.*
Mesh Data Plane Service Agent
(roles/)
Run user-space Istio components
Warning: Do not grant service agent roles to any principals except
service agents .
cloudtrace.traces.patch
compute.forwardingRules.get
compute.
logging.logEntries.create
logging.logEntries.route
monitoring.
monitoring.
monitoring.
monitoring.
monitoring.timeSeries.create
serviceusage.services.use
(roles/)
Gives the Dataproc Metastore service account access to managed resources.
Warning: Do not grant service agent roles to any principals except
service agents .
compute.
compute.
compute.addresses.get
compute.addresses.use
compute.forwardingRules.create
compute.forwardingRules.delete
compute.forwardingRules.get
compute.
compute.
compute.
compute.
compute.globalAddresses.get
compute.globalAddresses.list
compute.globalOperations.get
compute.globalOperations.list
compute.networks.addPeering
compute.networks.get
compute.networks.removePeering
compute.networks.updatePeering
compute.networks.use
compute.regionOperations.get
compute.subnetworks.get
compute.subnetworks.use
dns.changes.create
dns.changes.get
dns.managedZones.create
dns.managedZones.delete
dns.managedZones.get
dns.managedZones.list
dns.
dns.
dns.resourceRecordSets.*
metastore.databases.get
metastore.
metastore.databases.update
metastore.federations.use
metastore.services.get
metastore.tables.get
metastore.tables.setIamPolicy
metastore.tables.update
servicedirectory.
servicedirectory.
servicedirectory.
servicedirectory.
storage.buckets.create
storage.buckets.delete
storage.buckets.get
storage.buckets.update
storage.objects.create
storage.objects.delete
storage.objects.get
storage.objects.list
storage.objects.update
Migration Center Service Agent
(roles/)
Gives Migration Center Service Account access to objects storedin object store and Cloud Migration products.
Warning: Do not grant service agent roles to any principals except
service agents .
storage.objects.get
vmmigration.
AI Platform Service Agent
(roles/)
AI Platform service agent can act as log writer, Cloud Storage admin, Artifact Registry Reader, BigQuery writer, and service account access token creator.
Warning: Do not grant service agent roles to any principals except
service agents .
artifactregistry.
artifactregistry.
artifactregistry.
artifactregistry.
artifactregistry.files.get
artifactregistry.files.list
artifactregistry.locations.*
artifactregistry.
artifactregistry.npmpackages.*
artifactregistry.packages.get
artifactregistry.packages.list
artifactregistry.
artifactregistry.
artifactregistry.
artifactregistry.
artifactregistry.
artifactregistry.
artifactregistry.
artifactregistry.
artifactregistry.rules.get
artifactregistry.rules.list
artifactregistry.tags.get
artifactregistry.tags.list
artifactregistry.versions.get
artifactregistry.versions.list
bigquery.datasets.create
bigquery.datasets.get
bigquery.jobs.create
bigquery.jobs.get
bigquery.jobs.list
bigquery.jobs.update
bigquery.tables.create
bigquery.tables.get
bigquery.tables.getData
bigquery.tables.list
bigquery.tables.updateData
firebase.projects.get
iam.serviceAccounts.get
iam.
iam.
iam.
iam.serviceAccounts.list
iam.serviceAccounts.signBlob
iam.serviceAccounts.signJwt
logging.logEntries.create
logging.logEntries.route
orgpolicy.policy.get
recommender.
recommender.
recommender.
recommender.
resourcemanager.
resourcemanager.projects.get
resourcemanager.projects.list
storage.anywhereCaches.*
storage.bucketOperations.*
storage.buckets.*
storage.folders.*
storage.managedFolders.*
storage.managementHubs.*
storage.multipartUploads.*
storage.objects.*
Monitoring Service Agent
(roles/)
Grants permissions to deliver notifications directly to resources within the target project, such as delivering to Pub/Sub topics within the project.
Warning: Do not grant service agent roles to any principals except
service agents .
bigquery.jobs.create
cloudfunctions.functions.get
cloudtrace.traces.patch
logging.links.list
monitoring.
monitoring.
monitoring.
monitoring.timeSeries.list
run.routes.invoke
servicedirectory.
servicedirectory.
serviceusage.services.use
Multi Cluster Ingress Service Agent
(roles/)
Gives the Multi Cluster Ingress service agent access to CloudPlatform resources.
Warning: Do not grant service agent roles to any principals except
service agents .
certificatemanager.
certificatemanager.
certificatemanager.certmaps.*
certificatemanager.certs.*
certificatemanager.
compute.addresses.create
compute.
compute.addresses.delete
compute.
compute.addresses.get
compute.addresses.list
compute.addresses.use
compute.addresses.useInternal
compute.backendServices.*
compute.firewalls.*
compute.forwardingRules.*
compute.globalAddresses.create
compute.globalAddresses.delete
compute.globalAddresses.get
compute.globalAddresses.list
compute.globalAddresses.use
compute.
compute.healthChecks.*
compute.
compute.
compute.
compute.networks.updatePolicy
compute.networks.use
compute.
compute.regionHealthChecks.*
compute.
compute.regionSslPolicies.use
compute.
compute.
compute.regionUrlMaps.*
compute.securityPolicies.use
compute.sslCertificates.*
compute.sslPolicies.use
compute.subnetworks.list
compute.subnetworks.use
compute.targetHttpProxies.*
compute.targetHttpsProxies.*
compute.urlMaps.*
container.backendConfigs.*
container.clusters.get
container.
container.
container.
container.
container.
container.deployments.*
container.events.create
container.events.update
container.frontendConfigs.*
container.namespaces.list
container.secrets.get
container.secrets.list
container.services.*
container.thirdPartyObjects.*
gkehub.features.get
gkehub.gateway.delete
gkehub.
gkehub.gateway.get
gkehub.gateway.patch
gkehub.gateway.post
gkehub.gateway.put
gkehub.locations.*
gkehub.memberships.get
gkehub.memberships.list
serviceusage.services.get
serviceusage.services.list
serviceusage.services.use
Multi-cluster metering Service Agent
(roles/)
Gives the Multi-cluster metering service agent access to CloudPlatform resources.
Warning: Do not grant service agent roles to any principals except
service agents .
gkehub.features.get
gkehub.gateway.delete
gkehub.
gkehub.gateway.get
gkehub.gateway.patch
gkehub.gateway.post
gkehub.gateway.put
gkehub.locations.*
gkehub.memberships.get
gkehub.memberships.list
Multi-Cluster Service Discovery Service Agent
(roles/)
Gives the Multi-Cluster Service Discovery service access to Cloud Platform resources.
Warning: Do not grant service agent roles to any principals except
service agents .
compute.backendServices.*
compute.firewalls.*
compute.forwardingRules.*
compute.
compute.globalOperations.get
compute.healthChecks.*
compute.httpHealthChecks.*
compute.httpsHealthChecks.*
compute.
compute.networks.get
compute.networks.list
compute.networks.updatePolicy
compute.networks.use
compute.
compute.regions.*
compute.targetHttpProxies.*
compute.targetHttpsProxies.*
compute.targetTcpProxies.*
compute.urlMaps.*
container.clusters.get
container.clusters.list
container.
dns.changes.*
dns.dnsKeys.*
dns.gkeClusters.*
dns.managedZoneOperations.*
dns.managedZones.create
dns.managedZones.delete
dns.managedZones.get
dns.managedZones.getIamPolicy
dns.managedZones.list
dns.managedZones.update
dns.networks.*
dns.policies.create
dns.policies.delete
dns.policies.get
dns.policies.getIamPolicy
dns.policies.list
dns.policies.update
dns.projects.get
dns.resourceRecordSets.*
dns.responsePolicies.*
dns.responsePolicyRules.*
gkehub.features.get
gkehub.gateway.delete
gkehub.
gkehub.gateway.get
gkehub.gateway.patch
gkehub.gateway.post
gkehub.gateway.put
gkehub.locations.*
gkehub.memberships.get
gkehub.memberships.list
resourcemanager.projects.get
resourcemanager.projects.list
Network Actions Service Agent
(roles/)
Gives Network Actions service account access to read required resources.
Warning: Do not grant service agent roles to any principals except
service agents .
artifactregistry.
Network Connectivity Service Agent
(roles/)
Grants the Network Connectivity API authority to read some networking resources. It does not mutate these resources.
Warning: Do not grant service agent roles to any principals except
service agents .
compute.addresses.create
compute.
compute.addresses.delete
compute.
compute.addresses.get
compute.addresses.setLabels
compute.addresses.use
compute.forwardingRules.create
compute.forwardingRules.delete
compute.forwardingRules.get
compute.
compute.
compute.
compute.
compute.
compute.
compute.instances.get
compute.
compute.networks.get
compute.networks.use
compute.projects.get
compute.regionOperations.get
compute.routers.get
compute.subnetworks.get
compute.
compute.subnetworks.list
compute.
compute.subnetworks.use
compute.vpnTunnels.get
dns.managedZones.create
dns.
networkconnectivity.
servicedirectory.
servicedirectory.
servicedirectory.
servicedirectory.
servicedirectory.
GCP Network Management Service Agent
(roles/)
Grants the GCP Network Management API the authority to complete analysis based on network configurations from Compute Engine and Container Engine.
Warning: Do not grant service agent roles to any principals except
service agents .
cloudsql.instances.get
cloudsql.instances.list
compute.addresses.get
compute.addresses.list
compute.backendServices.get
compute.backendServices.list
compute.
compute.
compute.firewalls.get
compute.firewalls.list
compute.forwardingRules.get
compute.forwardingRules.list
compute.globalAddresses.get
compute.globalAddresses.list
compute.
compute.
compute.
compute.
compute.healthChecks.get
compute.healthChecks.list
compute.httpHealthChecks.get
compute.httpHealthChecks.list
compute.httpsHealthChecks.get
compute.httpsHealthChecks.list
compute.instanceGroups.get
compute.instanceGroups.list
compute.instances.get
compute.instances.list
compute.
compute.
compute.networks.get
compute.
compute.networks.list
compute.
compute.packetMirrorings.get
compute.packetMirrorings.list
compute.
compute.
compute.regionHealthChecks.get
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.regionUrlMaps.get
compute.regionUrlMaps.list
compute.routers.get
compute.routers.list
compute.routes.get
compute.routes.list
compute.subnetworks.get
compute.subnetworks.list
compute.targetGrpcProxies.get
compute.targetGrpcProxies.list
compute.targetHttpProxies.get
compute.targetHttpProxies.list
compute.targetHttpsProxies.get
compute.
compute.targetInstances.get
compute.targetInstances.list
compute.targetPools.get
compute.targetPools.list
compute.targetSslProxies.get
compute.targetSslProxies.list
compute.targetTcpProxies.get
compute.targetTcpProxies.list
compute.targetVpnGateways.get
compute.targetVpnGateways.list
compute.urlMaps.get
compute.urlMaps.list
compute.vpnGateways.get
compute.vpnGateways.list
compute.vpnTunnels.get
compute.vpnTunnels.list
container.clusters.get
container.clusters.list
container.nodes.get
container.nodes.list
AI Platform Notebooks Service Agent
(roles/)
Provide access for notebooks service agent to manage notebook instances in user projects
Warning: Do not grant service agent roles to any principals except
service agents .
aiplatform.customJobs.cancel
aiplatform.customJobs.create
aiplatform.customJobs.get
aiplatform.customJobs.list
aiplatform.
aiplatform.operations.list
aiplatform.pipelineJobs.create
aiplatform.schedules.*
backupdr.
backupdr.
backupdr.
backupdr.
backupdr.backupPlans.get
backupdr.backupPlans.list
backupdr.
backupdr.backupVaults.get
backupdr.backupVaults.list
backupdr.locations.list
backupdr.operations.get
backupdr.operations.list
backupdr.
compute.acceleratorTypes.*
compute.
compute.
compute.addresses.get
compute.addresses.list
compute.
compute.
compute.addresses.use
compute.addresses.useInternal
compute.autoscalers.*
compute.backendBuckets.get
compute.
compute.backendBuckets.list
compute.
compute.
compute.backendServices.get
compute.
compute.backendServices.list
compute.
compute.
compute.commitments.get
compute.commitments.list
compute.diskTypes.*
compute.disks.*
compute.
compute.
compute.
compute.
compute.firewallPolicies.get
compute.
compute.firewallPolicies.list
compute.
compute.
compute.firewalls.get
compute.firewalls.list
compute.
compute.
compute.forwardingRules.get
compute.forwardingRules.list
compute.
compute.
compute.futureReservations.get
compute.
compute.
compute.globalAddresses.get
compute.globalAddresses.list
compute.
compute.
compute.globalAddresses.use
compute.
compute.
compute.
compute.
compute.
compute.
compute.globalOperations.get
compute.
compute.globalOperations.list
compute.
compute.
compute.healthChecks.get
compute.healthChecks.list
compute.
compute.
compute.httpHealthChecks.get
compute.httpHealthChecks.list
compute.
compute.
compute.httpsHealthChecks.get
compute.httpsHealthChecks.list
compute.
compute.
compute.images.*
compute.
compute.instanceGroups.*
compute.instanceSettings.*
compute.instanceTemplates.*
compute.instances.*
compute.instantSnapshots.*
compute.
compute.
compute.
compute.
compute.
compute.
compute.interconnects.get
compute.interconnects.list
compute.
compute.
compute.licenseCodes.*
compute.licenses.*
compute.machineImages.*
compute.machineTypes.*
compute.multiMig.*
compute.networkAttachments.get
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.networkProfiles.*
compute.networks.get
compute.
compute.
compute.networks.list
compute.
compute.
compute.
compute.networks.use
compute.networks.useExternalIp
compute.nodeGroups.get
compute.
compute.nodeGroups.list
compute.nodeTemplates.get
compute.
compute.nodeTemplates.list
compute.nodeTypes.*
compute.
compute.packetMirrorings.get
compute.packetMirrorings.list
compute.
compute.
compute.projects.get
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.regionHealthChecks.get
compute.
compute.
compute.
compute.
compute.
compute.
compute.regionOperations.get
compute.
compute.regionOperations.list
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.regionSslPolicies.get
compute.regionSslPolicies.list
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.regionUrlMaps.get
compute.regionUrlMaps.list
compute.
compute.
compute.regionUrlMaps.validate
compute.regions.*
compute.reservationBlocks.*
compute.reservations.get
compute.reservations.list
compute.resourcePolicies.*
compute.routers.get
compute.routers.getRoutePolicy
compute.routers.list
compute.routers.listBgpRoutes
compute.
compute.
compute.
compute.routes.get
compute.routes.list
compute.
compute.routes.listTagBindings
compute.securityPolicies.get
compute.securityPolicies.list
compute.
compute.
compute.serviceAttachments.get
compute.
compute.
compute.
compute.
compute.snapshotSettings.get
compute.snapshots.*
compute.spotAssistants.get
compute.sslCertificates.get
compute.sslCertificates.list
compute.
compute.
compute.sslPolicies.get
compute.sslPolicies.list
compute.
compute.
compute.
compute.storagePools.get
compute.
compute.storagePools.list
compute.storagePools.use
compute.subnetworks.get
compute.
compute.subnetworks.list
compute.
compute.
compute.subnetworks.use
compute.
compute.targetGrpcProxies.get
compute.targetGrpcProxies.list
compute.
compute.
compute.targetHttpProxies.get
compute.targetHttpProxies.list
compute.
compute.
compute.targetHttpsProxies.get
compute.
compute.
compute.
compute.targetInstances.get
compute.targetInstances.list
compute.
compute.
compute.targetPools.get
compute.targetPools.list
compute.
compute.
compute.targetSslProxies.get
compute.targetSslProxies.list
compute.
compute.
compute.targetTcpProxies.get
compute.targetTcpProxies.list
compute.
compute.
compute.targetVpnGateways.get
compute.targetVpnGateways.list
compute.
compute.
compute.urlMaps.get
compute.urlMaps.list
compute.
compute.
compute.urlMaps.validate
compute.vpnGateways.get
compute.vpnGateways.list
compute.
compute.
compute.vpnTunnels.get
compute.vpnTunnels.list
compute.
compute.
compute.zoneOperations.get
compute.
compute.zoneOperations.list
compute.zones.*
dataproc.clusters.get
dataproc.clusters.use
dataproc.jobs.cancel
dataproc.jobs.create
dataproc.jobs.delete
dataproc.jobs.get
dataproc.jobs.list
dataproc.jobs.update
iam.serviceAccounts.actAs
iam.serviceAccounts.get
iam.
iam.serviceAccounts.list
ml.jobs.create
ml.jobs.get
ml.jobs.list
notebooks.*
resourcemanager.projects.get
resourcemanager.projects.list
serviceusage.quotas.get
serviceusage.services.get
serviceusage.services.list
Oracle Database@Google Cloud Service Agent
(roles/)
Grants Oracle Database@Google Cloud access to services and APIs in the user project
Warning: Do not grant service agent roles to any principals except
service agents .
compute.addresses.get
compute.addresses.list
compute.globalAddresses.get
compute.globalAddresses.list
compute.globalOperations.get
compute.globalOperations.list
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.
compute.interconnects.create
compute.interconnects.delete
compute.interconnects.get
compute.
compute.interconnects.list
compute.
compute.interconnects.update
compute.interconnects.use
compute.networks.get
compute.networks.list
compute.networks.updatePolicy
compute.projects.get
compute.regionOperations.get
compute.regionOperations.list
compute.regions.*
compute.routers.create
compute.routers.delete
compute.routers.get
compute.routers.list
compute.routers.update
compute.routers.use
compute.routes.get
compute.routes.list
compute.subnetworks.get
compute.subnetworks.list
compute.zones.*
dns.changes.*
dns.dnsKeys.*
dns.managedZoneOperations.*
dns.managedZones.create
dns.managedZones.delete
dns.managedZones.get
dns.managedZones.getIamPolicy
dns.managedZones.list
dns.managedZones.update
dns.networks.*
dns.policies.create
dns.policies.delete
dns.policies.get
dns.policies.getIamPolicy
dns.policies.list
dns.policies.update
dns.projects.get
dns.resourceRecordSets.*
dns.responsePolicies.*
dns.responsePolicyRules.*
networkconnectivity.
networkconnectivity.
networkconnectivity.
networkconnectivity.
networkconnectivity.
networkconnectivity.
resourcemanager.projects.get
resourcemanager.
On-Demand Scanning Service Agent
(roles/)
Gives the On-Demand Scanning API the access it needs to function.
Warning: Do not grant service agent roles to any principals except
service agents .
artifactregistry.
artifactregistry.
artifactregistry.files.get
artifactregistry.files.list
artifactregistry.locations.*
artifactregistry.
artifactregistry.npmpackages.*
artifactregistry.packages.get
artifactregistry.packages.list
artifactregistry.
artifactregistry.
artifactregistry.
artifactregistry.
artifactregistry.
artifactregistry.
artifactregistry.
artifactregistry.
artifactregistry.tags.get
artifactregistry.tags.list
artifactregistry.versions.get
artifactregistry.versions.list
resourcemanager.projects.get
resourcemanager.projects.list
storage.objects.get
storage.objects.list
Cloud OS Config Service Agent
(roles/)
Grants OS Config Service Account access to Google Compute Engine instances.
Warning: Do not grant service agent roles to any principals except
service agents .
cloudasset.
cloudasset.
compute.globalOperations.get
compute.instances.get
compute.
compute.instances.list
compute.instances.setMetadata
compute.projects.get
compute.
compute.zones.*
containeranalysis.
containeranalysis.notes.create
containeranalysis.notes.delete
containeranalysis.notes.get
containeranalysis.notes.list
containeranalysis.notes.update
containeranalysis.
containeranalysis.
containeranalysis.
containeranalysis.
containeranalysis.
iam.serviceAccounts.actAs
osconfig.
resourcemanager.projects.get
resourcemanager.projects.list
Parallelstore Service Agent
(roles/)
Gives the Parallelstore service agent ability to access customer resources.
Warning: Do not grant service agent roles to any principals except
service agents .
resourcemanager.projects.get
resourcemanager.projects.list
Privileged Access Manager Folder Service Agent
(roles/)
Gives privileged access manager service account access to modify IAM policies on GCP folders
Warning: Do not grant service agent roles to any principals except
service agents .
resourcemanager.folders.get
resourcemanager.
resourcemanager.
Privileged Access Manager Organization Service Agent
(roles/)
Gives privileged access manager service account access to modify IAM policies on GCP organizations
Warning: Do not grant service agent roles to any principals except
service agents .
resourcemanager.
resourcemanager.
resourcemanager.
Privileged Access Manager Project Service Agent
(roles/)
Gives privileged access manager service account access to modify IAM policies on GCP projects
Warning: Do not grant service agent roles to any principals except
service agents .
resourcemanager.projects.get
resourcemanager.
resourcemanager.
Privileged Access Manager Service Agent
(roles/)
Gives privileged access manager service account access to modify IAM policies on GCP resources
Warning: Do not grant service agent roles to any principals except
service agents .
resourcemanager.folders.get
resourcemanager.
resourcemanager.
resourcemanager.
resourcemanager.
resourcemanager.
resourcemanager.projects.get
resourcemanager.
resourcemanager.
Progressive Rollout Service Agent
(roles/)
Gives Progressive Rollout the ability to roll out a customer change.
Warning: Do not grant service agent roles to any principals except
service agents .
cloudasset.
Cloud Pub/Sub Service Agent
(roles/)
Grants Cloud Pub/Sub Service Account access to manage resources.
Warning: Do not grant service agent roles to any principals except
service agents .
iam.serviceAccounts.get
iam.
iam.
iam.
iam.serviceAccounts.list
iam.serviceAccounts.signBlob
iam.serviceAccounts.signJwt
resourcemanager.projects.get
resourcemanager.projects.list
Pub/Sub Lite Service Agent
(roles/)
Grants Pub/Sub Lite Service Agent access to project resources.
Warning: Do not grant service agent roles to any principals except
service agents .
pubsub.topics.publish
pubsublite.subscriptions.get
pubsublite.
pubsublite.
pubsublite.
pubsublite.
pubsublite.
pubsublite.topics.publish
pubsublite.topics.subscribe
RMA Service Agent
(roles/)
Gives RMA service account access to MC resources.
Warning: Do not grant service agent roles to any principals except
service agents .
autoscaling.sites.writeMetrics
cloudasset.
cloudasset.feeds.create
logging.logEntries.create
migrationcenter.assets.list
migrationcenter.
migrationcenter.importJobs.get
migrationcenter.
migrationcenter.sources.*
monitoring.
monitoring.
monitoring.timeSeries.create
resourcemanager.projects.get
Cloud Memorystore Redis Service Agent
(roles/)
Gives Cloud Memorystore Redis service account access to managed resource
Warning: Do not grant service agent roles to any principals except
service agents .
compute.globalOperations.get
compute.networks.addPeering
compute.networks.get
compute.networks.removePeering
compute.networks.update
compute.projects.get
compute.routes.get
compute.routes.list
compute.subnetworks.get
compute.subnetworks.list
monitoring.
monitoring.
monitoring.
monitoring.
monitoring.timeSeries.create
resourcemanager.projects.get
resourcemanager.projects.list
Remote Build Execution Service Agent
(roles/)
Gives Remote Build Execution service account access to managed resources.
Warning: Do not grant service agent roles to any principals except
service agents .
remotebuildexecution.
remotebuildexecution.blobs.*
remotebuildexecution.
remotebuildexecution.
remotebuildexecution.
Remoting Cloud Service Agent
(roles/)
Grants Chrome Remote Desktop Service Agent access to Google Compute Engine metadata.
Warning: Do not grant service agent roles to any principals except
service agents .
compute.projects.get
Retail Service Agent
(roles/)
Retail service uploads product feeds and user events from Cloud Storage and BigQuery, reports results to the customer Cloud Storage bucket, writes logs to customer projects, and writes and reads Google Cloud Observability metrics for customer projects.
Warning: Do not grant service agent roles to any principals except
service agents .
bigquery.datasets.create
bigquery.datasets.get
bigquery.jobs.create
bigquery.jobs.get
bigquery.jobs.list
bigquery.jobs.update
bigquery.tables.create
bigquery.tables.export
bigquery.tables.get
bigquery.tables.getData
bigquery.tables.list
bigquery.tables.update
bigquery.tables.updateData
cloudnotifications.
dataflow.jobs.*
dataflow.messages.list
dataflow.metrics.get
logging.logEntries.create
logging.logEntries.route
monitoring.alertPolicies.get
monitoring.alertPolicies.list
monitoring.dashboards.get
monitoring.dashboards.list
monitoring.groups.get
monitoring.groups.list
monitoring.
monitoring.
monitoring.
monitoring.
monitoring.
monitoring.
monitoring.
monitoring.services.get
monitoring.services.list
monitoring.slos.get
monitoring.slos.list
monitoring.snoozes.get
monitoring.snoozes.list
monitoring.timeSeries.*
monitoring.
monitoring.
opsconfigmonitoring.
resourcemanager.projects.get
resourcemanager.projects.list
stackdriver.projects.get
stackdriver.
storage.buckets.create
storage.buckets.get
storage.objects.create
storage.objects.delete
storage.objects.get
storage.objects.list
storage.objects.update
Risk Manager Service Agent
(roles/)
Service agent that grants Risk Manager service access to fetch findings for generating Reports
Warning: Do not grant service agent roles to any principals except
service agents .
cloudasset.assets.*
recommender.
recommender.
recommender.locations.*
resourcemanager.folders.get
resourcemanager.folders.list
resourcemanager.
resourcemanager.projects.get
resourcemanager.projects.list
securitycenter.assets.group
securitycenter.assets.list
securitycenter.
securitycenter.
securitycenter.
securitycenter.
securitycenter.
securitycenter.
securitycenter.
securitycenter.
securitycenter.
securitycenter.
securitycenter.
securitycenter.findings.group
securitycenter.findings.list
securitycenter.
securitycenter.
securitycenter.
securitycenter.muteconfigs.get
securitycenter.
securitycenter.
securitycenter.
securitycenter.
securitycenter.
securitycenter.
securitycenter.
securitycenter.
securitycenter.
securitycenter.
securitycenter.
securitycenter.sources.get
securitycenter.sources.list
securitycenter.
securitycenter.
securitycenter.
securitycenter.
securitycenter.
securitycenter.
securitycenter.
securitycentermanagement.
securitycentermanagement.
securitycentermanagement.
securitycentermanagement.
securitycentermanagement.
securitycentermanagement.
securitycentermanagement.
securitycentermanagement.
securitycentermanagement.
securitycentermanagement.
securitycentermanagement.
securitycentermanagement.
securitycentermanagement.
securitycentermanagement.
Route Optimization Service Agent
(roles/)
Grants Route Optimization Service Account access to read and write GCS objects in the host project.
Warning: Do not grant service agent roles to any principals except
service agents .
storage.buckets.get
storage.objects.create
storage.objects.get
storage.objects.list
storage.objects.update
Cloud Run Service Agent
(roles/)
Gives Cloud Run service account access to managed resources.
Warning: Do not grant service agent roles to any principals except
service agents .
artifactregistry.
artifactregistry.
artifactregistry.
artifactregistry.
artifactregistry.files.get
artifactregistry.files.list
artifactregistry.locations.*
artifactregistry.
artifactregistry.npmpackages.*
artifactregistry.packages.get
artifactregistry.packages.list
artifactregistry.
artifactregistry.
artifactregistry.
artifactregistry.
artifactregistry.
artifactregistry.
artifactregistry.
artifactregistry.
artifactregistry.
artifactregistry.rules.get
artifactregistry.rules.list
artifactregistry.tags.get
artifactregistry.tags.list
artifactregistry.versions.get
artifactregistry.versions.list
binaryauthorization.
binaryauthorization.
clientauthconfig.clients.list
cloudbuild.builds.create
cloudbuild.builds.get
compute.
compute.
compute.addresses.get
compute.addresses.list
compute.globalOperations.get
compute.networks.access
compute.networks.get
compute.subnetworks.get
compute.subnetworks.use
iam.serviceAccounts.actAs
iam.
iam.
iam.serviceAccounts.signBlob
networkservices.meshes.get
resourcemanager.projects.get
resourcemanager.
resourcemanager.projects.list
run.routes.invoke
serviceusage.services.use
storage.folders.get
storage.folders.list
storage.managedFolders.get
storage.managedFolders.list
storage.objects.get
storage.objects.list
vpcaccess.connectors.get
vpcaccess.connectors.use
Serverless Integrations Service Agent
(roles/)
Gives Serverless Integrations Service Account access to customer project resources.
Warning: Do not grant service agent roles to any principals except
service agents .
cloudbuild.builds.create
cloudbuild.builds.get
cloudsql.databases.get
cloudsql.instances.get
cloudsql.users.get
compute.backendServices.get
compute.backendServices.list
compute.globalAddresses.get
compute.globalAddresses.list
compute.
compute.
compute.networks.get
compute.networks.list
compute.
compute.
compute.sslCertificates.get
compute.sslCertificates.list
compute.targetHttpProxies.get
compute.targetHttpProxies.list
compute.targetHttpsProxies.get
compute.
compute.urlMaps.get
compute.urlMaps.list
firebasehosting.sites.get
iam.serviceAccounts.actAs
redis.instances.get
redis.instances.list
run.jobs.get
run.jobs.list
run.services.get
run.services.list
serviceusage.services.use
storage.buckets.create
storage.buckets.delete
storage.buckets.get
storage.objects.create
storage.objects.delete
storage.objects.get
storage.objects.list
vpcaccess.connectors.get
vpcaccess.connectors.list
SecLM Service Agent
(roles/)
Service agent used by SecLM to access resources used by SecLM Workbenches.
Warning: Do not grant service agent roles to any principals except
service agents .
aiplatform.endpoints.predict
aiplatform.locations.get
aiplatform.ragCorpora.get
aiplatform.ragCorpora.list
aiplatform.ragCorpora.query
discoveryengine.
discoveryengine.dataStores.get
discoveryengine.
discoveryengine.
Secured Landing Zone Service Agent
(roles/)
Grants Secured Landing Zone service account permissions to manage resources in the customer project
Warning: Do not grant service agent roles to any principals except
service agents .
cloudasset.
cloudasset.
cloudasset.feeds.create
cloudasset.feeds.delete
cloudasset.feeds.update
logging.logEntries.list
pubsub.subscriptions.consume
pubsub.subscriptions.create
pubsub.subscriptions.delete
pubsub.
pubsub.topics.create
pubsub.topics.delete
pubsub.
pubsub.topics.getIamPolicy
pubsub.topics.setIamPolicy
resourcemanager.projects.get
securitycenter.
securitycenter.findings.list
securitycenter.findings.update
securitycenter.sources.list
securitycenter.sources.update
serviceusage.services.use
Secure Source Manager Service Agent
(roles/)
Gives Secure Source Manager service account access to managed resources.
Warning: Do not grant service agent roles to any principals except
service agents .
iam.serviceAccounts.signJwt
securesourcemanager.
serviceusage.services.use
Attack Surface Management Scanner Service Agent
(roles/)
Gives Mandiant Attack Surface Management the ability to scan Cloud Platform resources.
Warning: Do not grant service agent roles to any principals except
service agents .
apigateway.apiconfigs.get
cloudasset.assets.listResource
dns.managedZones.list
dns.resourceRecordSets.list
resourcemanager.projects.get
Security Center Automation Service Agent
(roles/)
Security Center automation service agent can configure GCP resources to enable security scanning.
Warning: Do not grant service agent roles to any principals except
service agents .
cloudasset.feeds.*
resourcemanager.folders.get
resourcemanager.folders.list
resourcemanager.
resourcemanager.projects.get
resourcemanager.
resourcemanager.projects.list
serviceusage.services.enable
serviceusage.services.get
Security Center Control Service Agent
(roles/)
Security Center Control service agent can monitor and configure GCP resources and import security findings.
Warning: Do not grant service agent roles to any principals except
service agents .
bigquery.datasets.get
binaryauthorization.policy.get
cloudasset.
cloudasset.assets.analyzeMove
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.assets.exportIapWeb
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.assets.listIamRoles
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.assets.listIapWeb
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.assets.listResource
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.assets.listTpuNodes
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.feeds.*
cloudsql.instances.connect
cloudsql.users.list
compute.disks.useReadOnly
compute.globalOperations.get
compute.instances.get
compute.instances.list
compute.
compute.projects.get
container.clusters.get
iam.denypolicies.get
iam.denypolicies.list
iam.googleapis.
iam.googleapis.
logging.logEntries.list
monitoring.alertPolicies.list
monitoring.timeSeries.list
orgpolicy.policies.list
orgpolicy.policy.get
recommender.
recommender.
recommender.locations.*
resourcemanager.folders.get
resourcemanager.folders.list
resourcemanager.
resourcemanager.projects.get
resourcemanager.
resourcemanager.projects.list
resourcemanager.tagValues.get
securitycenter.assets.list
securitycenter.
securitycenter.findings.list
securitycenter.
securitycenter.
securitycenter.
securitycenter.
securitycenter.
securitycenter.
securitycenter.sources.list
securitycentermanagement.
securitycentermanagement.
securitycentermanagement.
securitycentermanagement.
securitycentermanagement.
securitycentermanagement.
securitycentermanagement.
serviceusage.quotas.get
serviceusage.services.disable
serviceusage.services.enable
serviceusage.services.get
serviceusage.services.list
stackdriver.projects.get
storage.buckets.get
storage.buckets.getIamPolicy
storage.buckets.list
Security Center Integration Executor Service Agent
(roles/)
Gives Security Center access to execute Integrations.
Warning: Do not grant service agent roles to any principals except
service agents .
integrations.
integrations.
integrations.
Security Center Notification Service Agent
(roles/)
Security Center service agent can publish notifications to Pub/Sub topics.
Warning: Do not grant service agent roles to any principals except
service agents .
pubsub.topics.publish
Security Health Analytics Service Agent
(roles/)
Security Health Analytics service agent can scan GCP resource metadata to find security vulnerabilities.
Warning: Do not grant service agent roles to any principals except
service agents .
bigquery.datasets.get
binaryauthorization.policy.get
cloudasset.
cloudasset.assets.analyzeMove
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.assets.exportIapWeb
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.assets.listIamRoles
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.assets.listIapWeb
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.assets.listResource
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.assets.listTpuNodes
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.feeds.*
cloudsql.instances.connect
cloudsql.users.list
compute.globalOperations.get
compute.instances.get
compute.instances.list
compute.
compute.projects.get
container.clusters.get
monitoring.alertPolicies.list
orgpolicy.policy.get
recommender.
recommender.
recommender.locations.*
resourcemanager.projects.get
resourcemanager.projects.list
securitycenter.
serviceusage.quotas.get
serviceusage.services.get
serviceusage.services.list
stackdriver.projects.get
Google Cloud Security Response Service Agent
(roles/)
Gives Playbook Runner permissions to execute all Google authored Playbooks. This role will keep evolving as we add more playbooks
Warning: Do not grant service agent roles to any principals except
service agents .
compute.
compute.instances.get
compute.instances.setMetadata
iam.serviceAccounts.actAs
pubsub.topics.publish
securitycenter.findings.list
storage.buckets.get
storage.buckets.update
Security Center Service Agent
(roles/)
Security Center service agent can scan GCP resources and import security scans.
Warning: Do not grant service agent roles to any principals except
service agents .
bigquery.datasets.get
binaryauthorization.policy.get
cloudasset.
cloudasset.assets.analyzeMove
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.assets.exportIapWeb
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.assets.listIamRoles
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.assets.listIapWeb
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.assets.listResource
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.assets.listTpuNodes
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.feeds.*
cloudsql.instances.connect
cloudsql.users.list
compute.disks.useReadOnly
compute.globalOperations.get
compute.instances.get
compute.instances.list
compute.
compute.projects.get
container.clusters.get
iam.denypolicies.get
iam.denypolicies.list
iam.googleapis.
iam.googleapis.
logging.logEntries.list
monitoring.alertPolicies.list
monitoring.timeSeries.list
orgpolicy.policies.list
orgpolicy.policy.get
recommender.
recommender.
recommender.locations.*
resourcemanager.folders.get
resourcemanager.folders.list
resourcemanager.
resourcemanager.projects.get
resourcemanager.
resourcemanager.projects.list
resourcemanager.tagValues.get
securitycenter.assets.list
securitycenter.
securitycenter.findings.list
securitycenter.
securitycenter.
securitycenter.
securitycenter.
securitycenter.
securitycenter.
securitycenter.sources.list
securitycentermanagement.
securitycentermanagement.
securitycentermanagement.
securitycentermanagement.
securitycentermanagement.
securitycentermanagement.
securitycentermanagement.
serviceusage.quotas.get
serviceusage.services.disable
serviceusage.services.enable
serviceusage.services.get
serviceusage.services.list
stackdriver.projects.get
storage.buckets.get
storage.buckets.getIamPolicy
storage.buckets.list
Service Directory Service Agent
(roles/)
Give the Service Directory service agent access to Cloud Platform resources.
Warning: Do not grant service agent roles to any principals except
service agents .
container.clusters.get
gkehub.features.get
gkehub.gateway.delete
gkehub.
gkehub.gateway.get
gkehub.gateway.patch
gkehub.gateway.post
gkehub.gateway.put
gkehub.locations.*
gkehub.memberships.get
gkehub.memberships.list
resourcemanager.projects.get
resourcemanager.projects.list
servicedirectory.
servicedirectory.
servicedirectory.endpoints.get
servicedirectory.
servicedirectory.
servicedirectory.
servicedirectory.locations.*
servicedirectory.
servicedirectory.
servicedirectory.
servicedirectory.
servicedirectory.
servicedirectory.
servicedirectory.
servicedirectory.
servicedirectory.services.bind
servicedirectory.
servicedirectory.
servicedirectory.services.get
servicedirectory.
servicedirectory.services.list
servicedirectory.
servicedirectory.
Service Networking Service Agent
(roles/)
Gives permission to manage network configuration, such as establishing network peering, necessary for service producers
Warning: Do not grant service agent roles to any principals except
service agents .
compute.globalAddresses.get
compute.globalAddresses.list
compute.globalOperations.get
compute.networks.addPeering
compute.networks.create
compute.networks.delete
compute.networks.get
compute.networks.list
compute.
compute.networks.removePeering
compute.networks.update
compute.networks.updatePeering
compute.networks.updatePolicy
compute.projects.get
compute.regionOperations.get
compute.routers.get
compute.routers.list
compute.routes.list
compute.subnetworks.create
compute.subnetworks.delete
compute.subnetworks.get
compute.subnetworks.list
dns.changes.*
dns.dnsKeys.*
dns.gkeClusters.*
dns.managedZoneOperations.*
dns.managedZones.create
dns.managedZones.delete
dns.managedZones.get
dns.managedZones.getIamPolicy
dns.managedZones.list
dns.managedZones.update
dns.networks.*
dns.policies.create
dns.policies.delete
dns.policies.get
dns.policies.getIamPolicy
dns.policies.list
dns.policies.update
dns.projects.get
dns.resourceRecordSets.*
dns.responsePolicies.*
dns.responsePolicyRules.*
networkconnectivity.
resourcemanager.projects.get
resourcemanager.projects.list
Cloud Source Repositories Service Agent
(roles/)
Allow Cloud Source Repositories to integrate with other Cloud services.
Warning: Do not grant service agent roles to any principals except
service agents .
iam.
pubsub.topics.publish
Cloud Spanner API Service Agent
(roles/)
Cloud Spanner API Service Agent
Warning: Do not grant service agent roles to any principals except
service agents .
aiplatform.endpoints.get
aiplatform.endpoints.list
aiplatform.endpoints.predict
aiplatform.models.get
aiplatform.models.list
Spectrum SAS Service Agent
(roles/)
Gives Spectrum SAS Service Account access to enable analytics on behalf of users.
Warning: Do not grant service agent roles to any principals except
service agents .
bigquery.datasets.create
bigquery.jobs.create
bigquery.tables.create
bigquery.tables.updateData
pubsub.schemas.attach
pubsub.schemas.commit
pubsub.schemas.create
pubsub.schemas.delete
pubsub.schemas.get
pubsub.schemas.list
pubsub.schemas.listRevisions
pubsub.schemas.rollback
pubsub.schemas.validate
pubsub.snapshots.create
pubsub.snapshots.delete
pubsub.snapshots.get
pubsub.snapshots.list
pubsub.snapshots.seek
pubsub.snapshots.update
pubsub.subscriptions.consume
pubsub.subscriptions.create
pubsub.subscriptions.delete
pubsub.subscriptions.get
pubsub.subscriptions.list
pubsub.subscriptions.update
pubsub.
pubsub.topics.create
pubsub.topics.delete
pubsub.
pubsub.topics.get
pubsub.topics.list
pubsub.topics.publish
pubsub.topics.update
pubsub.topics.updateTag
resourcemanager.projects.get
serviceusage.quotas.get
serviceusage.services.get
serviceusage.services.list
Cloud Speech-to-Text Service Agent
(roles/)
Gives Speech-to-Text service account access to Cloud Storage resources.
Warning: Do not grant service agent roles to any principals except
service agents .
storage.buckets.get
storage.buckets.list
storage.objects.create
storage.objects.get
storage.objects.list
storage.objects.update
StorageInsights Service Agent
(roles/)
Permissions for Insights to write reports into customer project
Warning: Do not grant service agent roles to any principals except
service agents .
bigquery.datasets.create
serviceusage.services.use
storageinsights.
Storage Transfer Service Agent
(roles/)
Grants Storage Transfer Service Agent permissions required to run transfers
Warning: Do not grant service agent roles to any principals except
service agents .
pubsub.subscriptions.consume
pubsub.subscriptions.create
pubsub.subscriptions.delete
pubsub.subscriptions.get
pubsub.subscriptions.update
pubsub.
pubsub.topics.create
pubsub.topics.delete
pubsub.topics.get
pubsub.topics.publish
pubsub.topics.update
Stream Service Agent
(roles/)
Gives Immersive Stream for XR access to the required resources.
Warning: Do not grant service agent roles to any principals except
service agents .
resourcemanager.projects.get
resourcemanager.projects.list
storage.buckets.create
storage.buckets.get
storage.objects.create
storage.objects.get
storage.objects.list
Cloud TPU API Service Agent
(roles/)
Give Cloud TPUs service account access to managed resources
Warning: Do not grant service agent roles to any principals except
service agents .
compute.globalOperations.get
compute.networks.addPeering
compute.networks.get
compute.networks.removePeering
compute.networks.update
compute.routes.get
compute.routes.list
compute.subnetworks.get
compute.subnetworks.list
compute.zones.*
monitoring.
monitoring.
monitoring.
monitoring.
monitoring.timeSeries.create
resourcemanager.projects.get
resourcemanager.projects.list
Transcoder Service Agent
(roles/)
Downloads and uploads media files from and to customer Cloud Storage buckets. Publishes status updates to customer Pub/Sub.
Warning: Do not grant service agent roles to any principals except
service agents .
pubsub.topics.publish
storage.objects.create
storage.objects.delete
storage.objects.get
transcoder.jobs.delete
Cloud Vision AI Service Agent
(roles/)
Grants Cloud Vision AI service account permissions to manage resources in consumer project
Warning: Do not grant service agent roles to any principals except
service agents .
aiplatform.endpoints.predict
aiplatform.models.export
aiplatform.models.get
bigquery.datasets.create
bigquery.datasets.get
bigquery.jobs.create
bigquery.jobs.get
bigquery.models.export
bigquery.readsessions.create
bigquery.tables.create
bigquery.tables.export
bigquery.tables.get
bigquery.tables.getData
bigquery.tables.update
bigquery.tables.updateData
bigtable.tables.get
bigtable.tables.list
bigtable.tables.readRows
cloudfunctions.functions.get
cloudfunctions.
cloudfunctions.functions.list
compute.machineTypes.get
logging.logEntries.create
monitoring.
monitoring.
monitoring.
monitoring.
monitoring.timeSeries.create
pubsub.subscriptions.consume
pubsub.subscriptions.create
pubsub.subscriptions.delete
pubsub.subscriptions.get
pubsub.subscriptions.list
pubsub.subscriptions.update
pubsub.
pubsub.topics.create
pubsub.topics.delete
pubsub.topics.get
pubsub.topics.list
pubsub.topics.publish
pubsub.topics.update
run.jobs.run
run.routes.invoke
serviceusage.services.use
storage.buckets.create
storage.buckets.delete
storage.buckets.get
storage.buckets.list
storage.objects.create
storage.objects.delete
storage.objects.get
storage.objects.list
storage.objects.update
visionai.analyses.create
visionai.analyses.delete
visionai.analyses.get
visionai.analyses.list
visionai.analyses.update
visionai.annotations.*
visionai.applications.*
visionai.assets.*
visionai.clusters.create
visionai.clusters.delete
visionai.clusters.get
visionai.clusters.list
visionai.clusters.update
visionai.clusters.watch
visionai.corpora.*
visionai.dataSchemas.*
visionai.drafts.*
visionai.events.create
visionai.events.delete
visionai.events.get
visionai.events.list
visionai.events.update
visionai.indexEndpoints.*
visionai.indexes.*
visionai.instances.*
visionai.operations.get
visionai.operations.list
visionai.operators.create
visionai.operators.delete
visionai.operators.get
visionai.operators.list
visionai.operators.update
visionai.processors.create
visionai.processors.delete
visionai.processors.get
visionai.processors.list
visionai.processors.update
visionai.searchConfigs.*
visionai.series.acquireLease
visionai.series.create
visionai.series.delete
visionai.series.get
visionai.series.list
visionai.series.receive
visionai.series.releaseLease
visionai.series.renewLease
visionai.series.send
visionai.series.update
visionai.streams.create
visionai.streams.delete
visionai.streams.get
visionai.streams.list
visionai.streams.receive
visionai.streams.send
visionai.streams.update
visionai.uistreams.*
Visual Inspection AI Service Agent
(roles/)
Grants Visual Inspection AI Service Agent admin roles for accessing/exporting training data, pushing containers artifacts to GCR and ArtifactsRegistry, and Vertex AI for storing data and running training jobs.
Warning: Do not grant service agent roles to any principals except
service agents .
aiplatform.*
artifactregistry.
artifactregistry.attachments.*
artifactregistry.
artifactregistry.files.*
artifactregistry.
artifactregistry.locations.*
artifactregistry.
artifactregistry.npmpackages.*
artifactregistry.packages.*
artifactregistry.
artifactregistry.
artifactregistry.
artifactregistry.
artifactregistry.
artifactregistry.
artifactregistry.
artifactregistry.
artifactregistry.
artifactregistry.
artifactregistry.
artifactregistry.
artifactregistry.
artifactregistry.
artifactregistry.
artifactregistry.
artifactregistry.
artifactregistry.rules.*
artifactregistry.tags.*
artifactregistry.versions.*
artifactregistry.
firebase.projects.get
orgpolicy.policy.get
recommender.
recommender.
recommender.
recommender.
resourcemanager.
resourcemanager.projects.get
resourcemanager.projects.list
storage.anywhereCaches.*
storage.bucketOperations.*
storage.buckets.*
storage.folders.*
storage.managedFolders.*
storage.managementHubs.*
storage.multipartUploads.*
storage.objects.*
VM Migration Service Agent
(roles/)
Grants VM Migration Service Account access to create migrated VMs, disks and images in the user project.
Warning: Do not grant service agent roles to any principals except
service agents .
compute.addresses.get
compute.addresses.list
compute.addresses.use
compute.addresses.useInternal
compute.disks.create
compute.disks.createSnapshot
compute.disks.delete
compute.disks.get
compute.disks.setLabels
compute.disks.use
compute.disks.useReadOnly
compute.globalOperations.get
compute.globalOperations.list
compute.images.create
compute.images.get
compute.images.setLabels
compute.images.useReadOnly
compute.instances.create
compute.instances.delete
compute.instances.get
compute.instances.setLabels
compute.instances.setMetadata
compute.
compute.instances.setTags
compute.instances.stop
compute.instances.update
compute.instances.useReadOnly
compute.machineImages.create
compute.machineImages.get
compute.machineTypes.list
compute.networks.use
compute.networks.useExternalIp
compute.subnetworks.use
compute.
compute.zoneOperations.get
compute.zoneOperations.list
compute.zones.list
VMware Engine Service Agent
(roles/)
Gives permission to manage network configuration, such as establishing network peering, necessary for GCVE
Warning: Do not grant service agent roles to any principals except
service agents .
compute.globalAddresses.get
compute.globalAddresses.list
compute.globalOperations.get
compute.networks.addPeering
compute.networks.get
compute.networks.list
compute.
compute.networks.removePeering
compute.networks.update
compute.networks.updatePeering
compute.networks.updatePolicy
compute.projects.get
compute.regionOperations.get
compute.routers.get
compute.routers.list
compute.routes.list
compute.subnetworks.get
compute.subnetworks.list
dns.changes.*
dns.dnsKeys.*
dns.gkeClusters.*
dns.managedZoneOperations.*
dns.managedZones.create
dns.managedZones.delete
dns.managedZones.get
dns.managedZones.getIamPolicy
dns.managedZones.list
dns.managedZones.update
dns.networks.*
dns.policies.create
dns.policies.delete
dns.policies.get
dns.policies.getIamPolicy
dns.policies.list
dns.policies.update
dns.projects.get
dns.resourceRecordSets.*
dns.responsePolicies.*
dns.responsePolicyRules.*
resourcemanager.projects.get
resourcemanager.projects.list
vmwareengine.
vmwareengine.
vmwareengine.nodes.*
Serverless VPC Access Service Agent
(roles/)
Can create and manage resources to support serverless application to connect to virtual private cloud.
Warning: Do not grant service agent roles to any principals except
service agents .
billing.accounts.get
compute.autoscalers.*
compute.disks.create
compute.firewalls.create
compute.firewalls.delete
compute.firewalls.get
compute.firewalls.list
compute.firewalls.update
compute.healthChecks.create
compute.healthChecks.delete
compute.healthChecks.get
compute.healthChecks.list
compute.healthChecks.update
compute.healthChecks.use
compute.
compute.
compute.
compute.httpHealthChecks.get
compute.httpHealthChecks.list
compute.httpHealthChecks.use
compute.
compute.
compute.
compute.httpsHealthChecks.get
compute.
compute.httpsHealthChecks.use
compute.
compute.images.get
compute.images.useReadOnly
compute.
compute.
compute.
compute.
compute.
compute.instanceGroups.create
compute.instanceGroups.delete
compute.instanceGroups.get
compute.instanceGroups.update
compute.
compute.
compute.instanceTemplates.get
compute.
compute.instances.create
compute.instances.delete
compute.instances.get
compute.
compute.instances.list
compute.instances.reset
compute.instances.setLabels
compute.instances.setMetadata
compute.instances.setTags
compute.instances.start
compute.instances.stop
compute.instances.use
compute.machineTypes.get
compute.networks.get
compute.networks.use
compute.projects.get
compute.
compute.regionOperations.get
compute.regionOperations.list
compute.regions.*
compute.subnetworks.create
compute.subnetworks.delete
compute.subnetworks.get
compute.subnetworks.list
compute.subnetworks.use
compute.zoneOperations.get
compute.zoneOperations.list
compute.zones.*
deploymentmanager.
deploymentmanager.
deploymentmanager.
deploymentmanager.
deploymentmanager.
deploymentmanager.
deploymentmanager.manifests.*
deploymentmanager.operations.*
deploymentmanager.
deploymentmanager.
logging.logEntries.create
logging.logMetrics.create
logging.logMetrics.delete
logging.logMetrics.get
logging.logMetrics.update
resourcemanager.projects.get
Cloud Web Security Scanner Service Agent
(roles/)
Gives the Cloud Web Security Scanner service account access to compute engine details and app engine details.
Warning: Do not grant service agent roles to any principals except
service agents .
appengine.applications.get
cloudasset.assets.listResource
compute.addresses.list
compute.backendServices.get
compute.forwardingRules.get
compute.
compute.sslCertificates.list
compute.targetHttpProxies.get
compute.targetHttpsProxies.get
compute.urlMaps.get
Cloud Workflows Service Agent
(roles/)
Gives Cloud Workflows service account access to managed resources.
Warning: Do not grant service agent roles to any principals except
service agents .
iam.serviceAccounts.get
iam.
iam.
serviceusage.services.use
Workload Certificate Service Agent
(roles/)
Gives the Workload Certificate service agent access to Cloud Platform resources.
Warning: Do not grant service agent roles to any principals except
service agents .
container.
container.
container.clusters.get
container.clusters.update
container.
container.
container.
container.operations.get
container.
gkehub.features.get
gkehub.fleet.create
gkehub.fleet.get
gkehub.locations.*
gkehub.memberships.get
gkehub.memberships.list
gkehub.operations.get
serviceconsumermanagement.
serviceconsumermanagement.
serviceconsumermanagement.
serviceconsumermanagement.
serviceusage.services.use
workloadcertificate.
workloadcertificate.
Workload Manager Service Agent
(roles/)
Gives Workload Manager Service Agent access to CAI export functions and Cloud Monitoring.
Warning: Do not grant service agent roles to any principals except
service agents .
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.
cloudasset.assets.listResource
cloudasset.
config.deployments.create
config.deployments.delete
config.deployments.get
config.deployments.list
config.deployments.update
config.locations.*
config.operations.*
config.resources.list
config.revisions.get
config.revisions.list
monitoring.
monitoring.
monitoring.
monitoring.timeSeries.list
serviceusage.services.use
workloadmanager.
workloadmanager.
Workstations Service Agent
(roles/)
Grants the Workstations Service Account access to manage resources in consumer project.
Warning: Do not grant service agent roles to any principals except
service agents .
compute.addresses.create
compute.
compute.addresses.delete
compute.
compute.addresses.get
compute.addresses.use
compute.disks.create
compute.disks.createSnapshot
compute.disks.createTagBinding
compute.disks.delete
compute.disks.deleteTagBinding
compute.disks.get
compute.disks.list
compute.disks.setLabels
compute.disks.use
compute.disks.useReadOnly
compute.firewalls.create
compute.firewalls.delete
compute.firewalls.get
compute.firewalls.update
compute.forwardingRules.create
compute.forwardingRules.delete
compute.forwardingRules.get
compute.
compute.
compute.globalOperations.get
compute.instances.attachDisk
compute.instances.create
compute.
compute.instances.delete
compute.
compute.instances.detachDisk
compute.instances.get
compute.
compute.instances.setLabels
compute.instances.setMetadata
compute.
compute.instances.setTags
compute.networks.addPeering
compute.networks.get
compute.networks.removePeering
compute.networks.updatePolicy
compute.networks.use
compute.networks.useExternalIp
compute.regionOperations.get
compute.regions.get
compute.snapshots.create
compute.
compute.snapshots.delete
compute.
compute.snapshots.get
compute.
compute.snapshots.setLabels
compute.snapshots.useReadOnly
compute.subnetworks.get
compute.subnetworks.use
compute.
compute.zoneOperations.get
dns.
dns.
iam.serviceAccounts.actAs
iam.serviceAccounts.get
iam.serviceAccounts.list
resourcemanager.
servicedirectory.
servicedirectory.
servicedirectory.
servicedirectory.
serviceusage.services.get
Service Consumer Management roles
Permissions
Admin of Tenancy Units
Beta
(roles/)
Administrate tenancy units
serviceconsumermanagement.
Viewer of Tenancy Units
Beta
(roles/)
View tenancy units
serviceconsumermanagement.
Service Directory roles
Permissions
Service Directory Admin
(roles/)
Full control of all Service Directory resources and permissions.
resourcemanager.projects.get
resourcemanager.projects.list
servicedirectory.endpoints.*
servicedirectory.locations.*
servicedirectory.namespaces.*
servicedirectory.
servicedirectory.services.*
Service Directory Editor
(roles/)
Edit Service Directory resources.
resourcemanager.projects.get
resourcemanager.projects.list
servicedirectory.
servicedirectory.
servicedirectory.endpoints.get
servicedirectory.
servicedirectory.
servicedirectory.
servicedirectory.locations.*
servicedirectory.
servicedirectory.
servicedirectory.
servicedirectory.
servicedirectory.
servicedirectory.
servicedirectory.
servicedirectory.
servicedirectory.services.bind
servicedirectory.
servicedirectory.
servicedirectory.services.get
servicedirectory.
servicedirectory.services.list
servicedirectory.
servicedirectory.
Service Directory Network Attacher
(roles/)
Gives access to attach VPC Networks to Service Directory Endpoints
resourcemanager.projects.get
resourcemanager.projects.list
servicedirectory.
Private Service Connect Authorized Service
(roles/)
Gives access to VPC Networks via Service Directory
resourcemanager.projects.get
resourcemanager.projects.list
servicedirectory.
Service Directory Viewer
(roles/)
View Service Directory resources.
resourcemanager.projects.get
resourcemanager.projects.list
servicedirectory.endpoints.get
servicedirectory.
servicedirectory.
servicedirectory.locations.*
servicedirectory.
servicedirectory.
servicedirectory.
servicedirectory.services.get
servicedirectory.
servicedirectory.services.list
servicedirectory.
Service Management roles
Permissions
Cloud Run Service Agent
(roles/)
Gives Cloud Run service account access to managed resources.
artifactregistry.
artifactregistry.
artifactregistry.
artifactregistry.
artifactregistry.files.get
artifactregistry.files.list
artifactregistry.locations.*
artifactregistry.
artifactregistry.npmpackages.*
artifactregistry.packages.get
artifactregistry.packages.list
artifactregistry.
artifactregistry.
artifactregistry.
artifactregistry.
artifactregistry.
artifactregistry.
artifactregistry.
artifactregistry.
artifactregistry.rules.get
artifactregistry.rules.list
artifactregistry.tags.get
artifactregistry.tags.list
artifactregistry.versions.get
artifactregistry.versions.list
binaryauthorization.
binaryauthorization.
clientauthconfig.clients.list
cloudbuild.builds.create
cloudbuild.builds.get
compute.
compute.
compute.addresses.get
compute.addresses.list
compute.globalOperations.get
compute.networks.access
compute.networks.get
compute.subnetworks.get
compute.subnetworks.use
iam.serviceAccounts.actAs
iam.
iam.
iam.serviceAccounts.signBlob
pubsub.subscriptions.create
pubsub.subscriptions.delete
pubsub.subscriptions.get
pubsub.subscriptions.list
pubsub.
pubsub.topics.create
pubsub.topics.delete
pubsub.topics.get
pubsub.topics.list
pubsub.topics.publish
resourcemanager.projects.get
resourcemanager.
resourcemanager.projects.list
run.routes.invoke
serviceusage.services.use
storage.folders.get
storage.folders.list
storage.managedFolders.get
storage.managedFolders.list
storage.objects.get
storage.objects.list
vpcaccess.connectors.get
vpcaccess.connectors.use
Service Management Administrator
(roles/)
Full control of Google Service Management resources.
monitoring.timeSeries.list
resourcemanager.folders.get
resourcemanager.folders.list
resourcemanager.
resourcemanager.projects.get
resourcemanager.projects.list
serviceconsumermanagement.*
servicemanagement.*
serviceusage.quotas.get
serviceusage.services.get
Service Config Editor
(roles/)
Access to update the service config and create rollouts.
servicemanagement.services.get
servicemanagement.
Quota Administrator
Beta
(roles/)
Provides access to administer service quotas.
Lowest-level resources where you can grant this role:
cloudquotas.*
monitoring.alertPolicies.*
monitoring.timeSeries.list
resourcemanager.
resourcemanager.projects.get
resourcemanager.projects.list
serviceusage.quotas.*
serviceusage.services.disable
serviceusage.services.enable
serviceusage.services.get
serviceusage.services.list
Quota Viewer
Beta
(roles/)
Provides access to view service quotas.
Lowest-level resources where you can grant this role:
cloudquotas.quotas.get
monitoring.timeSeries.list
serviceusage.quotas.get
serviceusage.services.get
serviceusage.services.list
Service Reporter
(roles/)
Can report usage of a service during runtime.
servicemanagement.
Service Consumer
(roles/)
Can enable the service.
servicemanagement.
Service Controller
(roles/)
Can check preconditions and report usage of a service during runtime.
Lowest-level resources where you can grant this role:
servicemanagement.
servicemanagement.services.get
servicemanagement.
servicemanagement.
Service Networking roles
Permissions
Service Networking Admin
Beta
(roles/)
Full control of service networking with projects.
servicenetworking.*
Service Usage roles
Permissions
API Keys Admin
(roles/)
Ability to create, delete, update, get and list API keys for a project.
apikeys.*
orgpolicy.policy.get
serviceusage.apiKeys.*
API Keys Viewer
(roles/)
Ability to get and list API keys for a project.
apikeys.keys.get
apikeys.keys.getKeyString
apikeys.keys.list
apikeys.keys.lookup
Service Usage Admin
(roles/)
Ability to enable, disable, and inspect service states, inspect operations, and consume quota and billing for a consumer project.
monitoring.timeSeries.list
serviceusage.quotas.*
serviceusage.services.*
Service Usage Consumer
(roles/)
Ability to inspect service states and operations, and consume quota and billing for a consumer project.
monitoring.timeSeries.list
serviceusage.quotas.get
serviceusage.services.get
serviceusage.services.list
serviceusage.services.use
Service Usage Viewer
(roles/)
Ability to inspect service states and operations for a consumer project.
monitoring.timeSeries.list
serviceusage.quotas.get
serviceusage.services.get
serviceusage.services.list
Source roles
Permissions
Source Repository Administrator
(roles/)
Provides permissions to create, update, delete, list, clone, fetch, and
browse repositories. Also provides permissions to read and change IAM
policies.
Lowest-level resources where you can grant this role:
source.*
Source Repository Reader
(roles/)
Provides permissions to list, clone, fetch, and browse repositories.
Lowest-level resources where you can grant this role:
source.repos.get
source.repos.list
Source Repository Writer
(roles/)
Provides permissions to list, clone, fetch, browse, and update
repositories.
Lowest-level resources where you can grant this role:
source.repos.get
source.repos.list
source.repos.update
Stackdriver roles
Permissions
Stackdriver Accounts Editor
(roles/)
Read/write access to manage Stackdriver account structure.
resourcemanager.projects.get
resourcemanager.projects.list
serviceusage.services.enable
serviceusage.services.get
stackdriver.projects.*
Stackdriver Accounts Viewer
(roles/)
Read-only access to get and list information about Stackdriver account structure.
resourcemanager.projects.get
resourcemanager.projects.list
stackdriver.projects.get
(roles/)
Write-only access to resource metadata. This provides exactly the permissions needed by the Stackdriver metadata agent and other systems that send metadata.
stackdriver.
Stream roles
Permissions
Stream Admin
(roles/)
Full access to Stream all resources.
resourcemanager.projects.get
resourcemanager.projects.list
stream.*
Stream Content Admin
(roles/)
Full access to all StreamContent resources.
resourcemanager.projects.get
resourcemanager.projects.list
stream.streamContents.*
Stream Content Builder
(roles/)
Read and build access to StreamContent resources.
resourcemanager.projects.get
resourcemanager.projects.list
stream.streamContents.build
stream.streamContents.get
stream.streamContents.list
Stream Instance Admin
(roles/)
Full access to all StreamInstance resources and Read access to all StreamContent resources.
resourcemanager.projects.get
resourcemanager.projects.list
stream.streamContents.get
stream.streamContents.list
stream.streamInstances.*
Stream Viewer
(roles/)
Read-only access to Stream all resources.
resourcemanager.projects.get
resourcemanager.projects.list
stream.locations.*
stream.operations.get
stream.operations.list
stream.streamContents.get
stream.streamContents.list
stream.streamInstances.get
stream.streamInstances.list
Support roles
Permissions
Support Account Administrator
(roles/)
Allows management of a support account without giving access to support cases.
See the
Cloud Support documentation
for more information.
Lowest-level resources where you can grant this role:
cloudsupport.accounts.*
cloudsupport.operations.get
cloudsupport.properties.get
resourcemanager.
Tech Support Editor
(roles/)
Full read-write access to technical support cases (applicable for GCP Customer Care and Maps
support). See the
Cloud Support documentation
for more information.
billing.
cloudasset.
cloudsupport.properties.get
cloudsupport.techCases.*
resourcemanager.projects.get
resourcemanager.projects.list
Tech Support Viewer
(roles/)
Read-only access to technical support cases (applicable for GCP Customer Care and Maps support).
See the
Cloud Support documentation
for more information.
cloudsupport.properties.get
cloudsupport.techCases.get
cloudsupport.techCases.list
resourcemanager.projects.get
resourcemanager.projects.list
Support Account Viewer
(roles/)
Read-only access to details of a support account. This does not allow viewing cases.
See the
Cloud Support documentation
for more information.
Lowest-level resources where you can grant this role:
cloudsupport.accounts.get
cloudsupport.
cloudsupport.accounts.list
cloudsupport.properties.get
Third-party Partner roles
Permissions
Dell EMC Cloud OneFS Admin
Beta
(roles/)
This role is managed by Dell EMC, not Google.
cloudonefs.isiloncloud.com/*
resourcemanager.projects.get
resourcemanager.projects.list
Dell EMC Cloud OneFS User
Beta
(roles/)
This role is managed by Dell EMC, not Google.
cloudonefs.isiloncloud.
cloudonefs.isiloncloud.
cloudonefs.isiloncloud.
cloudonefs.isiloncloud.
cloudonefs.isiloncloud.
cloudonefs.isiloncloud.
resourcemanager.projects.get
resourcemanager.projects.list
Dell EMC Cloud OneFS Viewer
Beta
(roles/)
This role is managed by Dell EMC, not Google.
cloudonefs.isiloncloud.
cloudonefs.isiloncloud.
cloudonefs.isiloncloud.
cloudonefs.isiloncloud.
resourcemanager.projects.get
resourcemanager.projects.list
NetApp Cloud Volumes Admin
Beta
(roles/)
This role is managed by NetApp, not Google.
cloudvolumesgcp-api.
resourcemanager.projects.get
resourcemanager.projects.list
NetApp Cloud Volumes Viewer
Beta
(roles/)
This role is managed by NetApp, not Google.
cloudvolumesgcp-api.netapp.
cloudvolumesgcp-api.netapp.
cloudvolumesgcp-api.netapp.
cloudvolumesgcp-api.netapp.
cloudvolumesgcp-api.netapp.
cloudvolumesgcp-api.netapp.
cloudvolumesgcp-api.netapp.
cloudvolumesgcp-api.netapp.
cloudvolumesgcp-api.netapp.
cloudvolumesgcp-api.netapp.
resourcemanager.projects.get
resourcemanager.projects.list
Redis Enterprise Cloud Admin
Beta
(roles/)
This role is managed by Redis Labs, not Google.
gcp.redisenterprise.com/*
resourcemanager.projects.get
resourcemanager.projects.list
Redis Enterprise Cloud Viewer
Beta
(roles/)
This role is managed by Redis Labs, not Google.
gcp.redisenterprise.
gcp.redisenterprise.
gcp.redisenterprise.
gcp.redisenterprise.
resourcemanager.projects.get
resourcemanager.projects.list
Transcoder roles
Permissions
Transcoder Admin
(roles/)
Full access to all transcoder resources.
resourcemanager.projects.get
resourcemanager.projects.list
transcoder.*
Transcoder Viewer
(roles/)
Viewer of all transcoder resources.
resourcemanager.projects.get
resourcemanager.projects.list
transcoder.jobTemplates.get
transcoder.jobTemplates.list
transcoder.jobs.get
transcoder.jobs.list
Transfer Appliance roles
Permissions
Transfer Appliance Admin
Beta
(roles/)
Full access to Transfer Appliance all resources.
resourcemanager.projects.get
resourcemanager.projects.list
transferappliance.*
Transfer Appliance Viewer
Beta
(roles/)
Read-only access to Transfer Appliance all resources.
resourcemanager.projects.get
resourcemanager.projects.list
transferappliance.
transferappliance.
transferappliance.locations.*
transferappliance.
transferappliance.
transferappliance.orders.get
transferappliance.orders.list
transferappliance.
transferappliance.
Vertex AI roles
Permissions
(roles/)
Grants full access to all resources in Vertex AI
aiplatform.*
resourcemanager.projects.get
resourcemanager.projects.list
(roles/)
Admin role of using colab enterprise.
aiplatform.
aiplatform.
aiplatform.notebookRuntimes.*
aiplatform.operations.list
aiplatform.pipelineJobs.create
aiplatform.schedules.*
compute.reservations.get
compute.reservations.list
dataform.*
resourcemanager.projects.get
resourcemanager.projects.list
(roles/)
User role of using colab enterprise.
aiplatform.
aiplatform.
aiplatform.
aiplatform.
aiplatform.
aiplatform.
aiplatform.
aiplatform.
aiplatform.operations.list
aiplatform.pipelineJobs.create
aiplatform.schedules.*
dataform.locations.*
dataform.repositories.create
dataform.repositories.list
resourcemanager.projects.get
resourcemanager.projects.list
(roles/)
Provides full access to all permissions for a particular entity type resource.
Lowest-level resources where you can grant this role:
aiplatform.entityTypes.delete
aiplatform.
aiplatform.
aiplatform.entityTypes.get
aiplatform.
aiplatform.
aiplatform.
aiplatform.
aiplatform.
aiplatform.entityTypes.update
aiplatform.
aiplatform.featureGroups.get
aiplatform.featureGroups.list
aiplatform.
aiplatform.
aiplatform.featureViewSyncs.*
aiplatform.
aiplatform.featureViews.get
aiplatform.featureViews.list
aiplatform.
aiplatform.features.*
aiplatform.
resourcemanager.projects.get
resourcemanager.projects.list
(roles/)
Grants admin access to Vertex AI Express
aiplatform.datasetVersions.*
aiplatform.datasets.create
aiplatform.datasets.delete
aiplatform.datasets.get
aiplatform.datasets.list
aiplatform.datasets.update
aiplatform.endpoints.predict
aiplatform.
(roles/)
Grants user access to Vertex AI Express
aiplatform.endpoints.predict
(roles/)
Grants full access to all resources in Vertex AI Feature Store
Lowest-level resources where you can grant this role:
aiplatform.entityTypes.*
aiplatform.featureGroups.*
aiplatform.
aiplatform.featureViewSyncs.*
aiplatform.featureViews.*
aiplatform.features.*
aiplatform.featurestores.*
aiplatform.operations.list
resourcemanager.projects.get
resourcemanager.projects.list
(roles/)
This role provides permissions to read Feature data.
Lowest-level resources where you can grant this role:
aiplatform.
aiplatform.entityTypes.get
aiplatform.
aiplatform.
aiplatform.featureGroups.get
aiplatform.featureGroups.list
aiplatform.
aiplatform.
aiplatform.featureViewSyncs.*
aiplatform.
aiplatform.featureViews.get
aiplatform.featureViews.list
aiplatform.
aiplatform.features.get
aiplatform.features.list
aiplatform.
resourcemanager.projects.get
resourcemanager.projects.list
(roles/)
This role provides permissions to read and write Feature data.
Lowest-level resources where you can grant this role:
aiplatform.
aiplatform.
aiplatform.entityTypes.get
aiplatform.
aiplatform.
aiplatform.
aiplatform.
aiplatform.featureGroups.get
aiplatform.featureGroups.list
aiplatform.
aiplatform.
aiplatform.featureViewSyncs.*
aiplatform.
aiplatform.featureViews.get
aiplatform.featureViews.list
aiplatform.
aiplatform.features.get
aiplatform.features.list
aiplatform.
resourcemanager.projects.get
resourcemanager.projects.list
(roles/)
Administrator of Featurestore resources, but not the child resources under Featurestores.
Lowest-level resources where you can grant this role:
aiplatform.
aiplatform.
aiplatform.featurestores.get
aiplatform.featurestores.list
aiplatform.
(roles/)
Viewer of all resources in Vertex AI Feature Store but cannot make changes.
Lowest-level resources where you can grant this role:
aiplatform.entityTypes.get
aiplatform.entityTypes.list
aiplatform.featureGroups.get
aiplatform.featureGroups.list
aiplatform.
aiplatform.
aiplatform.featureViewSyncs.*
aiplatform.featureViews.get
aiplatform.featureViews.list
aiplatform.features.get
aiplatform.features.list
aiplatform.featurestores.get
aiplatform.featurestores.list
aiplatform.operations.list
resourcemanager.projects.get
resourcemanager.projects.list
(roles/)
Deprecated. Use featurestoreAdmin instead.
aiplatform.entityTypes.*
aiplatform.features.*
aiplatform.featurestores.*
aiplatform.operations.list
resourcemanager.projects.get
resourcemanager.projects.list
(roles/)
Grants access to use migration service in Vertex AI
aiplatform.
(roles/)
Grants users full access to schedules and notebook execution jobs.
aiplatform.
aiplatform.operations.list
aiplatform.pipelineJobs.create
aiplatform.schedules.*
(roles/)
Grants full access to all runtime templates and runtimes in Notebook Service.
aiplatform.
aiplatform.notebookRuntimes.*
aiplatform.operations.list
compute.reservations.get
compute.reservations.list
(roles/)
Grants users permissions to create runtime resources using a runtime template and manage the runtime resources they created.
aiplatform.
aiplatform.
aiplatform.
aiplatform.
aiplatform.
aiplatform.
aiplatform.
aiplatform.operations.list
(roles/)
Grants access to use all resources related to Vertex AI Provisioned Throughput
aiplatform.
(roles/)
Grants access to the Vertex AI TensorBoard web app.
aiplatform.
(roles/)
Grants access to use all resource in Vertex AI
aiplatform.agentExamples.*
aiplatform.agents.*
aiplatform.annotationSpecs.*
aiplatform.annotations.*
aiplatform.apps.*
aiplatform.artifacts.*
aiplatform.
aiplatform.cacheConfigs.get
aiplatform.cachedContents.*
aiplatform.consents.get
aiplatform.contexts.*
aiplatform.customJobs.*
aiplatform.dataItems.*
aiplatform.dataLabelingJobs.*
aiplatform.datasetVersions.*
aiplatform.datasets.*
aiplatform.
aiplatform.
aiplatform.
aiplatform.edgeDevices.*
aiplatform.endpoints.create
aiplatform.endpoints.delete
aiplatform.endpoints.deploy
aiplatform.endpoints.explain
aiplatform.endpoints.get
aiplatform.endpoints.list
aiplatform.endpoints.predict
aiplatform.endpoints.undeploy
aiplatform.endpoints.update
aiplatform.entityTypes.create
aiplatform.entityTypes.delete
aiplatform.
aiplatform.
aiplatform.entityTypes.get
aiplatform.
aiplatform.entityTypes.list
aiplatform.
aiplatform.
aiplatform.entityTypes.update
aiplatform.
aiplatform.executions.*
aiplatform.extensions.*
aiplatform.featureGroups.*
aiplatform.
aiplatform.
aiplatform.
aiplatform.
aiplatform.
aiplatform.featureViewSyncs.*
aiplatform.featureViews.create
aiplatform.featureViews.delete
aiplatform.
aiplatform.featureViews.get
aiplatform.featureViews.list
aiplatform.
aiplatform.featureViews.sync
aiplatform.featureViews.update
aiplatform.features.*
aiplatform.
aiplatform.
aiplatform.
aiplatform.
aiplatform.featurestores.get
aiplatform.
aiplatform.featurestores.list
aiplatform.
aiplatform.
aiplatform.
aiplatform.humanInTheLoops.*
aiplatform.
aiplatform.indexEndpoints.*
aiplatform.indexes.*
aiplatform.locations.*
aiplatform.metadataSchemas.*
aiplatform.metadataStores.*
aiplatform.
aiplatform.
aiplatform.modelEvaluations.*
aiplatform.
aiplatform.modelMonitors.*
aiplatform.models.*
aiplatform.nasJobs.*
aiplatform.nasTrialDetails.*
aiplatform.
aiplatform.
aiplatform.
aiplatform.
aiplatform.
aiplatform.
aiplatform.
aiplatform.notebookRuntimes.*
aiplatform.operations.list
aiplatform.
aiplatform.
aiplatform.pipelineJobs.*
aiplatform.
aiplatform.ragCorpora.*
aiplatform.ragFiles.*
aiplatform.reasoningEngines.*
aiplatform.schedules.*
aiplatform.sessions.*
aiplatform.specialistPools.*
aiplatform.studies.*
aiplatform.
aiplatform.tensorboardRuns.*
aiplatform.
aiplatform.tensorboards.create
aiplatform.tensorboards.delete
aiplatform.tensorboards.get
aiplatform.tensorboards.list
aiplatform.tensorboards.update
aiplatform.trainingPipelines.*
aiplatform.trials.*
aiplatform.tuningJobs.*
resourcemanager.projects.get
resourcemanager.projects.list
(roles/)
Grants access to view all resource in Vertex AI
aiplatform.agentExamples.get
aiplatform.agentExamples.list
aiplatform.agents.get
aiplatform.agents.list
aiplatform.annotationSpecs.get
aiplatform.
aiplatform.annotations.get
aiplatform.annotations.list
aiplatform.apps.get
aiplatform.apps.list
aiplatform.artifacts.get
aiplatform.artifacts.list
aiplatform.
aiplatform.
aiplatform.cacheConfigs.get
aiplatform.cachedContents.get
aiplatform.cachedContents.list
aiplatform.consents.get
aiplatform.contexts.get
aiplatform.contexts.list
aiplatform.
aiplatform.customJobs.get
aiplatform.customJobs.list
aiplatform.dataItems.get
aiplatform.dataItems.list
aiplatform.
aiplatform.
aiplatform.datasetVersions.get
aiplatform.
aiplatform.datasets.get
aiplatform.datasets.list
aiplatform.
aiplatform.
aiplatform.
aiplatform.
aiplatform.
aiplatform.
aiplatform.edgeDevices.get
aiplatform.edgeDevices.list
aiplatform.endpoints.get
aiplatform.endpoints.list
aiplatform.entityTypes.get
aiplatform.entityTypes.list
aiplatform.executions.get
aiplatform.executions.list
aiplatform.
aiplatform.extensions.get
aiplatform.extensions.list
aiplatform.featureGroups.get
aiplatform.featureGroups.list
aiplatform.
aiplatform.
aiplatform.featureViewSyncs.*
aiplatform.
aiplatform.featureViews.get
aiplatform.featureViews.list
aiplatform.
aiplatform.features.get
aiplatform.features.list
aiplatform.featurestores.get
aiplatform.featurestores.list
aiplatform.humanInTheLoops.get
aiplatform.
aiplatform.
aiplatform.
aiplatform.indexEndpoints.get
aiplatform.indexEndpoints.list
aiplatform.
aiplatform.indexes.get
aiplatform.indexes.list
aiplatform.locations.get
aiplatform.locations.list
aiplatform.metadataSchemas.get
aiplatform.
aiplatform.metadataStores.get
aiplatform.metadataStores.list
aiplatform.
aiplatform.
aiplatform.
aiplatform.
aiplatform.
aiplatform.
aiplatform.
aiplatform.
aiplatform.
aiplatform.modelMonitors.get
aiplatform.modelMonitors.list
aiplatform.
aiplatform.
aiplatform.models.get
aiplatform.models.list
aiplatform.nasJobs.get
aiplatform.nasJobs.list
aiplatform.nasTrialDetails.*
aiplatform.
aiplatform.
aiplatform.
aiplatform.
aiplatform.
aiplatform.
aiplatform.operations.list
aiplatform.
aiplatform.
aiplatform.pipelineJobs.get
aiplatform.pipelineJobs.list
aiplatform.
aiplatform.ragCorpora.get
aiplatform.ragCorpora.list
aiplatform.ragCorpora.query
aiplatform.ragFiles.get
aiplatform.ragFiles.list
aiplatform.
aiplatform.
aiplatform.
aiplatform.schedules.get
aiplatform.schedules.list
aiplatform.sessions.get
aiplatform.sessions.list
aiplatform.specialistPools.get
aiplatform.
aiplatform.
aiplatform.studies.get
aiplatform.studies.list
aiplatform.
aiplatform.
aiplatform.tensorboardRuns.get
aiplatform.
aiplatform.
aiplatform.
aiplatform.
aiplatform.
aiplatform.tensorboards.get
aiplatform.tensorboards.list
aiplatform.
aiplatform.
aiplatform.trials.get
aiplatform.trials.list
aiplatform.tuningJobs.get
aiplatform.tuningJobs.list
resourcemanager.projects.get
resourcemanager.projects.list
Video Stitcher roles
Permissions
Video Stitcher Admin
(roles/)
Full access to all video stitcher resources.
resourcemanager.projects.get
resourcemanager.projects.list
videostitcher.*
Video Stitcher User
(roles/)
Full access to video stitcher sessions.
resourcemanager.projects.get
resourcemanager.projects.list
videostitcher.liveSessions.*
videostitcher.vodSessions.*
Video Stitcher Viewer
(roles/)
Read-only access to video stitcher resources.
resourcemanager.projects.get
resourcemanager.projects.list
videostitcher.cdnKeys.get
videostitcher.cdnKeys.list
videostitcher.
videostitcher.liveConfigs.get
videostitcher.liveConfigs.list
videostitcher.liveSessions.get
videostitcher.operations.get
videostitcher.operations.list
videostitcher.slates.get
videostitcher.slates.list
videostitcher.
videostitcher.vodConfigs.get
videostitcher.vodConfigs.list
videostitcher.vodSessions.get
videostitcher.
Vision AI roles
Permissions
VisionAI Admin
Beta
(roles/)
Full access to Vision AI all resources.
resourcemanager.projects.get
resourcemanager.projects.list
visionai.*
Vision AI Analysis Editor
Beta
(roles/)
Access to read and write Vision AI Analyses.
visionai.analyses.create
visionai.analyses.delete
visionai.analyses.get
visionai.analyses.list
visionai.analyses.update
Vision AI Analysis Viewer
Beta
(roles/)
Access to read Vision AI Analyses.
visionai.analyses.get
visionai.analyses.list
VisionAI Warehouse Annotation Editor
Beta
(roles/)
Grants access to edit media asset annotations into the Warehouse.
visionai.annotations.*
VisionAI Warehouse Annotation Viewer
Beta
(roles/)
Grants access to view media asset annotations into the Warehouse.
visionai.annotations.get
visionai.annotations.list
Vision AI Application Editor
Beta
(roles/)
Access to read and write Vision AI Applications.
visionai.applications.*
visionai.drafts.*
visionai.instances.*
Vision AI Application Viewer
Beta
(roles/)
Access to read Vision AI Applications.
visionai.applications.get
visionai.applications.list
visionai.drafts.get
visionai.drafts.list
visionai.instances.*
VisionAI Warehouse Asset Creator
Beta
(roles/)
Grants access to ingest media assets into the Warehouse.
visionai.assets.create
visionai.assets.ingest
VisionAI Warehouse Asset Editor
Beta
(roles/)
Grants access to edit media assets into the Warehouse.
visionai.assets.*
VisionAI Warehouse Asset Viewer
Beta
(roles/)
Grants access to view media assets into the Warehouse.
visionai.assets.get
visionai.assets.list
visionai.assets.search
Vision AI Cluster Editor
Beta
(roles/)
Access to read and write Vision AI Cluster.
visionai.clusters.create
visionai.clusters.delete
visionai.clusters.get
visionai.clusters.list
visionai.clusters.update
visionai.clusters.watch
Vision AI Cluster Viewer
Beta
(roles/)
Access to read Vision AI Clusters.
visionai.clusters.get
visionai.clusters.list
VisionAI Warehouse Corpus Administrator
Beta
(roles/)
Full control to everything in a corpus including corpus access control.
visionai.annotations.*
visionai.assets.*
visionai.corpora.*
visionai.dataSchemas.*
visionai.indexes.*
visionai.operations.get
visionai.operations.list
visionai.searchConfigs.*
VisionAI Warehouse Corpus Editor
Beta
(roles/)
Read-write access to everything in a corpus.
visionai.annotations.*
visionai.assets.*
visionai.corpora.*
visionai.dataSchemas.*
visionai.indexes.*
visionai.operations.get
visionai.operations.list
visionai.searchConfigs.*
VisionAI Warehouse Corpus Viewer
Beta
(roles/)
Grants access to view everything in a corpus.
visionai.annotations.get
visionai.annotations.list
visionai.assets.clip
visionai.assets.generateHlsUri
visionai.assets.get
visionai.assets.list
visionai.assets.search
visionai.corpora.get
visionai.corpora.list
visionai.corpora.suggest
visionai.dataSchemas.get
visionai.dataSchemas.list
visionai.dataSchemas.validate
visionai.indexes.get
visionai.indexes.list
visionai.indexes.viewAssets
visionai.operations.get
visionai.operations.list
visionai.searchConfigs.get
visionai.searchConfigs.list
VisionAI Warehouse Corpus Writer
Beta
(roles/)
Grants access to create/update/delete everything in a corpus.
visionai.annotations.*
visionai.assets.*
visionai.corpora.analyze
visionai.corpora.delete
visionai.corpora.import
visionai.corpora.update
visionai.dataSchemas.create
visionai.dataSchemas.delete
visionai.dataSchemas.update
visionai.indexes.create
visionai.indexes.delete
visionai.indexes.update
visionai.operations.get
visionai.operations.list
visionai.searchConfigs.create
visionai.searchConfigs.delete
visionai.searchConfigs.update
VisionAI Editor
Beta
(roles/)
Edit access to Vision AI all resources.
resourcemanager.projects.get
resourcemanager.projects.list
visionai.analyses.create
visionai.analyses.delete
visionai.analyses.get
visionai.analyses.getIamPolicy
visionai.analyses.list
visionai.analyses.update
visionai.annotations.*
visionai.applications.*
visionai.assets.*
visionai.clusters.create
visionai.clusters.delete
visionai.clusters.get
visionai.clusters.getIamPolicy
visionai.clusters.list
visionai.clusters.update
visionai.clusters.watch
visionai.corpora.*
visionai.dataSchemas.*
visionai.drafts.*
visionai.events.create
visionai.events.delete
visionai.events.get
visionai.events.getIamPolicy
visionai.events.list
visionai.events.update
visionai.indexEndpoints.*
visionai.indexes.*
visionai.instances.*
visionai.locations.*
visionai.operations.*
visionai.operators.create
visionai.operators.delete
visionai.operators.get
visionai.
visionai.operators.list
visionai.operators.update
visionai.processors.*
visionai.searchConfigs.*
visionai.series.acquireLease
visionai.series.create
visionai.series.delete
visionai.series.get
visionai.series.getIamPolicy
visionai.series.list
visionai.series.receive
visionai.series.releaseLease
visionai.series.renewLease
visionai.series.send
visionai.series.update
visionai.streams.create
visionai.streams.delete
visionai.streams.get
visionai.streams.getIamPolicy
visionai.streams.list
visionai.streams.receive
visionai.streams.send
visionai.streams.update
visionai.uistreams.*
Vision AI Event Editor
Beta
(roles/)
Access to read and write Vision AI Events.
visionai.events.create
visionai.events.delete
visionai.events.get
visionai.events.list
visionai.events.update
Vision AI Event Viewer
Beta
(roles/)
Access to read Vision AI Events.
visionai.events.get
visionai.events.list
VisionAI Warehouse IndexEndpoint Administrator
Beta
(roles/)
Full control of all Media Warehouse resources and permissions.
visionai.indexEndpoints.*
VisionAI Warehouse IndexEndpoint Editor
Beta
(roles/)
Read, write and create access to all index endpoints level resources.
visionai.indexEndpoints.*
VisionAI Warehouse IndexEndpoint Viewer
Beta
(roles/)
Grants access to view all index endpoint resources and be able to search on them. (ReadOnly)
visionai.indexEndpoints.get
visionai.indexEndpoints.list
visionai.indexEndpoints.search
VisionAI Warehouse IndexEndpoint Writer
Beta
(roles/)
Grants access to perform update, delete, deploy and undeploy operations on the index endpoint.
visionai.indexEndpoints.delete
visionai.indexEndpoints.deploy
visionai.
visionai.indexEndpoints.update
Vision AI Operator Editor
Beta
(roles/)
Access to read and write Vision AI Operators.
visionai.operators.create
visionai.operators.delete
visionai.operators.get
visionai.operators.list
visionai.operators.update
Vision AI Operator Viewer
Beta
(roles/)
Access to read Vision AI Operators.
visionai.operators.get
visionai.operators.list
Vision AI Packet Receiver
Beta
(roles/)
Access to read Vision AI Series.
visionai.clusters.watch
visionai.series.acquireLease
visionai.series.receive
visionai.series.releaseLease
visionai.series.renewLease
visionai.streams.receive
Vision AI Packet Sender
Beta
(roles/)
Packet sender to the series.
visionai.series.acquireLease
visionai.series.releaseLease
visionai.series.renewLease
visionai.series.send
visionai.streams.send
Vision AI Processor Editor
Beta
(roles/)
Access to read and write Vision AI Processors.
visionai.processors.*
Vision AI Processor Viewer
Beta
(roles/)
Access to read Vision AI Processors.
visionai.processors.get
visionai.processors.list
visionai.
Vision AI RetailCatalog Editor
Beta
(roles/)
Access to read and write Vision AI RetailCatalogs.
Vision AI RetailCatalog Viewer
Beta
(roles/)
Access to read Vision AI RetailCatalogs.
Vision AI RetailEndpoint Editor
Beta
(roles/)
Access to read and write Vision AI RetailEndpoints.
Vision AI RetailEndpoint Viewer
Beta
(roles/)
Access to read Vision AI RetailEndpoints.
Vision AI Series Editor
Beta
(roles/)
Access to read and write Vision AI Series.
visionai.clusters.watch
visionai.series.acquireLease
visionai.series.create
visionai.series.delete
visionai.series.get
visionai.series.list
visionai.series.receive
visionai.series.releaseLease
visionai.series.renewLease
visionai.series.send
visionai.series.update
visionai.streams.receive
visionai.streams.send
Vision AI Series Viewer
Beta
(roles/)
Access to read Vision AI Series.
visionai.series.get
visionai.series.list
Vision AI Stream Editor
Beta
(roles/)
Access to read and write Vision AI Streams.
visionai.clusters.watch
visionai.series.acquireLease
visionai.series.receive
visionai.series.releaseLease
visionai.series.renewLease
visionai.series.send
visionai.streams.create
visionai.streams.delete
visionai.streams.get
visionai.streams.list
visionai.streams.receive
visionai.streams.send
visionai.streams.update
Vision AI Stream Viewer
Beta
(roles/)
Access to read Vision AI Streams.
visionai.streams.get
visionai.streams.list
Vision AI UI Stream Editor
Beta
(roles/)
Access to read & write Vision AI UI Streams.
visionai.uistreams.*
Vision AI UI Stream Viewer
Beta
(roles/)
Access to read Vision AI UI Streams.
visionai.uistreams.get
visionai.uistreams.list
VisionAI Viewer
Beta
(roles/)
View access to Vision AI all resources.
resourcemanager.projects.get
resourcemanager.projects.list
visionai.analyses.get
visionai.analyses.getIamPolicy
visionai.analyses.list
visionai.annotations.get
visionai.annotations.list
visionai.applications.get
visionai.applications.list
visionai.assets.clip
visionai.assets.generateHlsUri
visionai.assets.get
visionai.assets.list
visionai.assets.search
visionai.clusters.get
visionai.clusters.getIamPolicy
visionai.clusters.list
visionai.corpora.get
visionai.corpora.list
visionai.corpora.suggest
visionai.dataSchemas.get
visionai.dataSchemas.list
visionai.dataSchemas.validate
visionai.drafts.get
visionai.drafts.list
visionai.events.get
visionai.events.getIamPolicy
visionai.events.list
visionai.indexEndpoints.get
visionai.indexEndpoints.list
visionai.indexEndpoints.search
visionai.indexes.get
visionai.indexes.list
visionai.indexes.viewAssets
visionai.instances.*
visionai.locations.*
visionai.operations.get
visionai.operations.list
visionai.operators.get
visionai.
visionai.operators.list
visionai.processors.get
visionai.processors.list
visionai.
visionai.searchConfigs.get
visionai.searchConfigs.list
visionai.series.get
visionai.series.getIamPolicy
visionai.series.list
visionai.streams.get
visionai.streams.getIamPolicy
visionai.streams.list
visionai.uistreams.get
visionai.uistreams.list
VMwareEngine roles
Permissions
VMware Engine Service Admin
(roles/)
Admin has full access to VMware Engine Service
resourcemanager.projects.get
resourcemanager.projects.list
vmwareengine.*
VMware Engine Service Viewer
(roles/)
Viewer has read-only access to VMware Engine Service
resourcemanager.projects.get
resourcemanager.projects.list
vmwareengine.clusters.get
vmwareengine.
vmwareengine.clusters.list
vmwareengine.
vmwareengine.dnsForwarding.get
vmwareengine.
vmwareengine.
vmwareengine.
vmwareengine.
vmwareengine.
vmwareengine.
vmwareengine.
vmwareengine.locations.*
vmwareengine.
vmwareengine.
vmwareengine.
vmwareengine.
vmwareengine.
vmwareengine.
vmwareengine.
vmwareengine.
vmwareengine.
vmwareengine.
vmwareengine.nodeTypes.*
vmwareengine.nodes.*
vmwareengine.operations.get
vmwareengine.operations.list
vmwareengine.privateClouds.get
vmwareengine.
vmwareengine.
vmwareengine.
vmwareengine.
vmwareengine.
vmwareengine.projectState.get
vmwareengine.services.view
vmwareengine.subnets.get
vmwareengine.subnets.list
vmwareengine.
vmwareengine.
Workflows roles
Permissions
Workflows Admin
(roles/)
Full access to workflows and related resources.
Lowest-level resources where you can grant this role:
resourcemanager.projects.get
resourcemanager.projects.list
workflows.*
Workflows Editor
(roles/)
Read and write access to workflows and related resources, including development and debugging of workflows.
Lowest-level resources where you can grant this role:
resourcemanager.projects.get
resourcemanager.projects.list
workflows.*
Workflows Invoker
(roles/)
Access to execute workflows and manage the executions using the API. Does not provide access to develop and debug workflows.
Lowest-level resources where you can grant this role:
resourcemanager.projects.get
resourcemanager.projects.list
workflows.callbacks.*
workflows.executions.*
workflows.stepEntries.*
Workflows Viewer
(roles/)
Read-only access to workflows and related resources.
Lowest-level resources where you can grant this role:
resourcemanager.projects.get
resourcemanager.projects.list
workflows.callbacks.list
workflows.executions.get
workflows.executions.list
workflows.locations.*
workflows.operations.get
workflows.operations.list
workflows.stepEntries.*
workflows.workflows.get
workflows.workflows.list
workflows.
workflows.
workflows.
Workforce Pools roles
Permissions
IAM OAuth Client Admin
Beta
(roles/)
Full rights to create and manage OAuth clients.
iam.oauthClientCredentials.*
iam.oauthClients.*
resourcemanager.projects.get
resourcemanager.projects.list
IAM OAuth Client Viewer
Beta
(roles/)
Read access to a particular instance of an OAuth client.
iam.googleapis.
iam.googleapis.
iam.googleapis.
iam.googleapis.
resourcemanager.projects.get
resourcemanager.projects.list
IAM Workforce Pool Admin
(roles/)
Full rights to create and manage all workforce pools in the org, along with the ability to delegate permissions to other admins.
iam.
iam.workforcePoolProviders.*
iam.workforcePoolSubjects.*
iam.workforcePools.*
IAM Workforce Pool Editor
(roles/)
Rights to edit a particular instance of a workforce pool.
iam.googleapis.
iam.googleapis.
iam.googleapis.
iam.googleapis.
iam.googleapis.
iam.workforcePoolProviders.*
IAM Workforce Pool Viewer
(roles/)
Rights to read workforce pool.
iam.googleapis.
iam.googleapis.
iam.googleapis.
iam.googleapis.
iam.googleapis.
iam.googleapis.
Workload Certificate roles
Permissions
Workload Certificate Admin
Beta
(roles/)
Full access to all Workload Certificate API resources.
resourcemanager.projects.get
resourcemanager.projects.list
workloadcertificate.*
Workload Certificate Registration Admin
Beta
(roles/)
Full access to WorkloadRegistration resources.
resourcemanager.projects.get
resourcemanager.projects.list
workloadcertificate.
workloadcertificate.
workloadcertificate.
Workload Certificate Registration Viewer
Beta
(roles/)
Read-only access to WorkloadRegistration resources.
resourcemanager.projects.get
resourcemanager.projects.list
workloadcertificate.
workloadcertificate.
workloadcertificate.
workloadcertificate.
workloadcertificate.
Workload Certificate Viewer
Beta
(roles/)
Read-only access to Workload Certificate all resources.
resourcemanager.projects.get
resourcemanager.projects.list
workloadcertificate.
workloadcertificate.
workloadcertificate.
workloadcertificate.
workloadcertificate.
workloadcertificate.
Workload Identity Pools roles
Permissions
IAM Workload Identity Pool Admin
Beta
(roles/)
Full rights to create and manage workload identity pools.
iam.
iam.
iam.workloadIdentityPools.*
resourcemanager.projects.get
resourcemanager.projects.list
IAM Workload Identity Pool Viewer
Beta
(roles/)
Read access to workload identity pools.
iam.googleapis.
iam.googleapis.
iam.googleapis.
iam.googleapis.
iam.googleapis.
iam.googleapis.
resourcemanager.projects.get
resourcemanager.projects.list
Workload Manager roles
Permissions
Workload Manager Admin
Beta
(roles/)
Full access to Workload Manager all resources.
compute.acceleratorTypes.list
compute.diskTypes.list
compute.machineTypes.list
compute.networks.list
compute.projects.get
compute.regions.list
compute.subnetworks.list
compute.zones.list
dns.managedZones.list
iam.serviceAccounts.list
monitoring.timeSeries.list
orgpolicy.policy.get
resourcemanager.projects.get
resourcemanager.
resourcemanager.projects.list
serviceusage.quotas.get
serviceusage.services.get
storage.buckets.list
storage.objects.list
workloadmanager.*
Workload Manager Deployment Admin
Beta
(roles/)
Full access to Workload Manager deployment resources.
compute.acceleratorTypes.list
compute.diskTypes.list
compute.machineTypes.list
compute.networks.list
compute.projects.get
compute.regions.list
compute.subnetworks.list
compute.zones.list
dns.managedZones.list
iam.serviceAccounts.list
monitoring.timeSeries.list
resourcemanager.projects.get
resourcemanager.
resourcemanager.projects.list
serviceusage.quotas.get
serviceusage.services.get
storage.buckets.list
storage.objects.list
workloadmanager.actuations.*
workloadmanager.deployments.*
workloadmanager.locations.*
workloadmanager.operations.*
Workload Manager Deployment Viewer
Beta
(roles/)
Read-only access to Workload Manager deployment resources.
resourcemanager.projects.get
resourcemanager.projects.list
workloadmanager.actuations.get
workloadmanager.
workloadmanager.
workloadmanager.
Workload Manager Evaluation Admin
Beta
(roles/)
Full access to Workload Manager evaluation resources.
orgpolicy.policy.get
resourcemanager.projects.get
resourcemanager.projects.list
workloadmanager.evaluations.*
workloadmanager.executions.*
workloadmanager.locations.*
workloadmanager.operations.*
workloadmanager.results.list
workloadmanager.rules.list
Workload Manager Evaluation Viewer
Beta
(roles/)
Read-only access to Workload Manager evaluation resources.
orgpolicy.policy.get
resourcemanager.projects.get
resourcemanager.projects.list
workloadmanager.
workloadmanager.
workloadmanager.executions.get
workloadmanager.
workloadmanager.results.list
workloadmanager.rules.list
Workload Manager Insights Writer
Beta
(roles/)
The role used to write data to WLM data warehouse.
workloadmanager.insights.write
Workload Manager Viewer
Beta
(roles/)
Read-only access to Workload Manager all resources.
orgpolicy.policy.get
resourcemanager.projects.get
resourcemanager.projects.list
workloadmanager.actuations.get
workloadmanager.
workloadmanager.
workloadmanager.
workloadmanager.
workloadmanager.
workloadmanager.
workloadmanager.executions.get
workloadmanager.
workloadmanager.results.list
workloadmanager.rules.list
Workload Manager Worker
Beta
(roles/)
The role used by Workload Manager application runners to read and update workloads.
orgpolicy.policy.get
resourcemanager.projects.get
resourcemanager.projects.list
workloadmanager.actuations.*
workloadmanager.deployments.*
workloadmanager.
workloadmanager.evaluations.*
workloadmanager.executions.*
workloadmanager.insights.write
workloadmanager.results.list
workloadmanager.rules.list
Workload Manager Workload Viewer
Beta
(roles/)
The role used to view the workload related data.
resourcemanager.projects.get
resourcemanager.projects.list
workloadmanager.
