IAM basic and predefined roles reference

This page lists all basic and predefined roles for Identity and Access Management (IAM). To learn more about IAM roles, see Roles and permissions.

Basic roles

Basic roles are highly permissive roles that existed prior to the introduction of IAM. You can use basic roles to grant principals broad access to Google Cloud resources.

When you grant a basic role to a principal, the principal gets all of the permissions in the basic role. They also get any permissions that services provide to principals with basic roles—for example, permissions gained through Cloud Storage convenience values and BigQuery special group membership.

The following table summarizes the permissions that the basic roles give users across all Google Cloud services:

Basic roles Permissions
(roles/viewer)

Permissions for read-only actions that don't affect state, such as viewing (but not modifying) existing resources or data.

For a list of permissions in the Viewer role, see the role details in the Google Cloud console:

Go to Viewer role

(roles/editor)

All viewer permissions, plus permissions for actions that modify state, such as changing existing resources.

The permissions in the Editor role let you create and delete resources for most Google Cloud services. However, the Editor role doesn't contain permissions to perform all actions for all services. For more information about how to check whether a role has the permissions that you need, see Role types.

For a list of permissions in the Editor role, see the role details in the Google Cloud console:

Go to Editor role

(roles/owner)

All Editor permissions, plus permissions for actions like the following:

  • Completing sensitive tasks, like creating App Engine applications
  • Managing roles and permissions for a project and all resources within the project
  • Setting up billing for a project

The Owner role doesn't contain all permissions for all Google Cloud resources. For example, it doesn't contain permissions to modify your Cloud Billing payment information or create IAM deny policies.

For a list of permissions in the Owner role, see the role details in the Google Cloud console:

Go to Owner role

Predefined roles

Predefined roles give granular access to specific Google Cloud resources. These roles are created and maintained by Google. Google automatically updates their permissions as necessary, such as when Google Cloud adds new features or services.

The following table lists all IAM predefined roles, organized by service.

For more information about predefined roles, see Roles and permissions. For help choosing the most appropriate predefined roles, see Choose predefined roles.

Permissions

(roles/accessapproval.approver)

Ability to view or act on access approval requests and view configuration.

accessapproval.requests.*

accessapproval.serviceAccounts.get

accessapproval.settings.get

resourcemanager.projects.get

resourcemanager.projects.list

(roles/accessapproval.configEditor)

Ability to update the Access Approval configuration

accessapproval.serviceAccounts.get

accessapproval.settings.*

resourcemanager.projects.get

resourcemanager.projects.list

(roles/accessapproval.invalidator)

Ability to invalidate existing approved approval requests

accessapproval.requests.invalidate

accessapproval.serviceAccounts.get

accessapproval.settings.get

resourcemanager.projects.get

resourcemanager.projects.list

(roles/accessapproval.viewer)

Ability to view access approval requests and configuration

accessapproval.requests.get

accessapproval.requests.list

accessapproval.serviceAccounts.get

accessapproval.settings.get

resourcemanager.projects.get

resourcemanager.projects.list

Permissions

(roles/accesscontextmanager.gcpAccessAdmin)

Create, edit, and change Cloud access bindings.

accesscontextmanager.gcpUserAccessBindings.*

(roles/accesscontextmanager.gcpAccessReader)

Read access to Cloud access bindings.

accesscontextmanager.gcpUserAccessBindings.get

accesscontextmanager.gcpUserAccessBindings.list

(roles/accesscontextmanager.policyAdmin)

Full access to policies, access levels, access zones and authorized orgs descs.

accesscontextmanager.accessLevels.*

accesscontextmanager.authorizedOrgsDescs.*

accesscontextmanager.policies.*

accesscontextmanager.servicePerimeters.*

cloudasset.assets.searchAllResources

resourcemanager.organizations.get

resourcemanager.projects.get

resourcemanager.projects.list

(roles/accesscontextmanager.policyEditor)

Edit access to policies. Create, edit, and change access levels, access zones and authorized orgs descs.

accesscontextmanager.accessLevels.*

accesscontextmanager.authorizedOrgsDescs.*

accesscontextmanager.policies.create

accesscontextmanager.policies.delete

accesscontextmanager.policies.get

accesscontextmanager.policies.getIamPolicy

accesscontextmanager.policies.list

accesscontextmanager.policies.update

accesscontextmanager.servicePerimeters.*

cloudasset.assets.searchAllResources

resourcemanager.organizations.get

resourcemanager.projects.get

resourcemanager.projects.list

(roles/accesscontextmanager.policyReader)

Read access to policies, access levels, access zones and authorized orgs descs.

accesscontextmanager.accessLevels.get

accesscontextmanager.accessLevels.list

accesscontextmanager.authorizedOrgsDescs.get

accesscontextmanager.authorizedOrgsDescs.list

accesscontextmanager.policies.get

accesscontextmanager.policies.getIamPolicy

accesscontextmanager.policies.list

accesscontextmanager.servicePerimeters.get

accesscontextmanager.servicePerimeters.list

resourcemanager.organizations.get

resourcemanager.projects.get

resourcemanager.projects.list

(roles/accesscontextmanager.vpcScTroubleshooterViewer)

accesscontextmanager.accessLevels.get

accesscontextmanager.accessLevels.list

accesscontextmanager.authorizedOrgsDescs.get

accesscontextmanager.authorizedOrgsDescs.list

accesscontextmanager.policies.get

accesscontextmanager.policies.getIamPolicy

accesscontextmanager.policies.list

accesscontextmanager.servicePerimeters.get

accesscontextmanager.servicePerimeters.list

logging.exclusions.get

logging.exclusions.list

logging.logEntries.list

logging.logMetrics.get

logging.logMetrics.list

logging.logServiceIndexes.list

logging.logServices.list

logging.logs.list

logging.sinks.get

logging.sinks.list

logging.usage.get

resourcemanager.organizations.get

resourcemanager.projects.get

resourcemanager.projects.list

Permissions

(roles/actions.Admin)

Access to edit and deploy an action

actions.*

firebase.projects.get

firebase.projects.update

resourcemanager.projects.get

resourcemanager.projects.list

serviceusage.services.use

(roles/actions.Viewer)

Access to view an action

actions.agent.get

actions.agentVersions.get

actions.agentVersions.list

firebase.projects.get

resourcemanager.projects.get

resourcemanager.projects.list

serviceusage.services.use

Permissions

(roles/notebooks.admin)

Full access to Notebooks, all resources.

Lowest-level resources where you can grant this role:

  • Instance

aiplatform.notebookExecutionJobs.*

aiplatform.operations.list

aiplatform.pipelineJobs.create

aiplatform.schedules.*

compute.acceleratorTypes.*

compute.addresses.get

compute.addresses.list

compute.addresses.listEffectiveTags

compute.addresses.listTagBindings

compute.autoscalers.get

compute.autoscalers.list

compute.backendBuckets.get

compute.backendBuckets.getIamPolicy

compute.backendBuckets.list

compute.backendBuckets.listEffectiveTags

compute.backendBuckets.listTagBindings

compute.backendServices.get

compute.backendServices.getIamPolicy

compute.backendServices.list

compute.backendServices.listEffectiveTags

compute.backendServices.listTagBindings

compute.commitments.get

compute.commitments.list

compute.diskTypes.*

compute.disks.get

compute.disks.getIamPolicy

compute.disks.list

compute.disks.listEffectiveTags

compute.disks.listTagBindings

compute.externalVpnGateways.get

compute.externalVpnGateways.list

compute.externalVpnGateways.listEffectiveTags

compute.externalVpnGateways.listTagBindings

compute.firewallPolicies.get

compute.firewallPolicies.getIamPolicy

compute.firewallPolicies.list

compute.firewallPolicies.listEffectiveTags

compute.firewallPolicies.listTagBindings

compute.firewalls.get

compute.firewalls.list

compute.firewalls.listEffectiveTags

compute.firewalls.listTagBindings

compute.forwardingRules.get

compute.forwardingRules.list

compute.forwardingRules.listEffectiveTags

compute.forwardingRules.listTagBindings

compute.futureReservations.get

compute.futureReservations.getIamPolicy

compute.futureReservations.list

compute.globalAddresses.get

compute.globalAddresses.list

compute.globalAddresses.listEffectiveTags

compute.globalAddresses.listTagBindings

compute.globalForwardingRules.get

compute.globalForwardingRules.list

compute.globalForwardingRules.listEffectiveTags

compute.globalForwardingRules.listTagBindings

compute.globalForwardingRules.pscGet

compute.globalNetworkEndpointGroups.get

compute.globalNetworkEndpointGroups.list

compute.globalNetworkEndpointGroups.listEffectiveTags

compute.globalNetworkEndpointGroups.listTagBindings

compute.globalOperations.get

compute.globalOperations.getIamPolicy

compute.globalOperations.list

compute.globalPublicDelegatedPrefixes.get

compute.globalPublicDelegatedPrefixes.list

compute.healthChecks.get

compute.healthChecks.list

compute.healthChecks.listEffectiveTags

compute.healthChecks.listTagBindings

compute.httpHealthChecks.get

compute.httpHealthChecks.list

compute.httpHealthChecks.listEffectiveTags

compute.httpHealthChecks.listTagBindings

compute.httpsHealthChecks.get

compute.httpsHealthChecks.list

compute.httpsHealthChecks.listEffectiveTags

compute.httpsHealthChecks.listTagBindings

compute.images.get

compute.images.getFromFamily

compute.images.getIamPolicy

compute.images.list

compute.images.listEffectiveTags

compute.images.listTagBindings

compute.instanceGroupManagers.get

compute.instanceGroupManagers.list

compute.instanceGroupManagers.listEffectiveTags

compute.instanceGroupManagers.listTagBindings

compute.instanceGroups.get

compute.instanceGroups.list

compute.instanceGroups.listEffectiveTags

compute.instanceGroups.listTagBindings

compute.instanceSettings.get

compute.instanceTemplates.get

compute.instanceTemplates.getIamPolicy

compute.instanceTemplates.list

compute.instances.get

compute.instances.getEffectiveFirewalls

compute.instances.getGuestAttributes

compute.instances.getIamPolicy

compute.instances.getScreenshot

compute.instances.getSerialPortOutput

compute.instances.getShieldedInstanceIdentity

compute.instances.getShieldedVmIdentity

compute.instances.list

compute.instances.listEffectiveTags

compute.instances.listReferrers

compute.instances.listTagBindings

compute.instantSnapshots.get

compute.instantSnapshots.getIamPolicy

compute.instantSnapshots.list

compute.interconnectAttachments.get

compute.interconnectAttachments.list

compute.interconnectAttachments.listEffectiveTags

compute.interconnectAttachments.listTagBindings

compute.interconnectLocations.*

compute.interconnectRemoteLocations.*

compute.interconnects.get

compute.interconnects.list

compute.interconnects.listEffectiveTags

compute.interconnects.listTagBindings

compute.licenseCodes.get

compute.licenseCodes.getIamPolicy

compute.licenseCodes.list

compute.licenses.get

compute.licenses.getIamPolicy

compute.licenses.list

compute.machineImages.get

compute.machineImages.getIamPolicy

compute.machineImages.list

compute.machineTypes.*

compute.multiMig.get

compute.multiMig.list

compute.networkAttachments.get

compute.networkAttachments.getIamPolicy

compute.networkAttachments.list

compute.networkAttachments.listEffectiveTags

compute.networkAttachments.listTagBindings

compute.networkEdgeSecurityServices.get

compute.networkEdgeSecurityServices.list

compute.networkEdgeSecurityServices.listEffectiveTags

compute.networkEdgeSecurityServices.listTagBindings

compute.networkEndpointGroups.get

compute.networkEndpointGroups.list

compute.networkEndpointGroups.listEffectiveTags

compute.networkEndpointGroups.listTagBindings

compute.networkProfiles.*

compute.networks.get

compute.networks.getEffectiveFirewalls

compute.networks.getRegionEffectiveFirewalls

compute.networks.list

compute.networks.listEffectiveTags

compute.networks.listPeeringRoutes

compute.networks.listTagBindings

compute.nodeGroups.get

compute.nodeGroups.getIamPolicy

compute.nodeGroups.list

compute.nodeTemplates.get

compute.nodeTemplates.getIamPolicy

compute.nodeTemplates.list

compute.nodeTypes.*

compute.organizations.listAssociations

compute.packetMirrorings.get

compute.packetMirrorings.list

compute.packetMirrorings.listEffectiveTags

compute.packetMirrorings.listTagBindings

compute.projects.get

compute.publicAdvertisedPrefixes.get

compute.publicAdvertisedPrefixes.list

compute.publicDelegatedPrefixes.get

compute.publicDelegatedPrefixes.list

compute.publicDelegatedPrefixes.listEffectiveTags

compute.publicDelegatedPrefixes.listTagBindings

compute.regionBackendServices.get

compute.regionBackendServices.getIamPolicy

compute.regionBackendServices.list

compute.regionBackendServices.listEffectiveTags

compute.regionBackendServices.listTagBindings

compute.regionFirewallPolicies.get

compute.regionFirewallPolicies.getIamPolicy

compute.regionFirewallPolicies.list

compute.regionFirewallPolicies.listEffectiveTags

compute.regionFirewallPolicies.listTagBindings

compute.regionHealthCheckServices.get

compute.regionHealthCheckServices.list

compute.regionHealthChecks.get

compute.regionHealthChecks.list

compute.regionHealthChecks.listEffectiveTags

compute.regionHealthChecks.listTagBindings

compute.regionNetworkEndpointGroups.get

compute.regionNetworkEndpointGroups.list

compute.regionNetworkEndpointGroups.listEffectiveTags

compute.regionNetworkEndpointGroups.listTagBindings

compute.regionNotificationEndpoints.get

compute.regionNotificationEndpoints.list

compute.regionOperations.get

compute.regionOperations.getIamPolicy

compute.regionOperations.list

compute.regionSecurityPolicies.get

compute.regionSecurityPolicies.list

compute.regionSecurityPolicies.listEffectiveTags

compute.regionSecurityPolicies.listTagBindings

compute.regionSslCertificates.get

compute.regionSslCertificates.list

compute.regionSslCertificates.listEffectiveTags

compute.regionSslCertificates.listTagBindings

compute.regionSslPolicies.get

compute.regionSslPolicies.list

compute.regionSslPolicies.listAvailableFeatures

compute.regionSslPolicies.listEffectiveTags

compute.regionSslPolicies.listTagBindings

compute.regionTargetHttpProxies.get

compute.regionTargetHttpProxies.list

compute.regionTargetHttpProxies.listEffectiveTags

compute.regionTargetHttpProxies.listTagBindings

compute.regionTargetHttpsProxies.get

compute.regionTargetHttpsProxies.list

compute.regionTargetHttpsProxies.listEffectiveTags

compute.regionTargetHttpsProxies.listTagBindings

compute.regionTargetTcpProxies.get

compute.regionTargetTcpProxies.list

compute.regionTargetTcpProxies.listEffectiveTags

compute.regionTargetTcpProxies.listTagBindings

compute.regionUrlMaps.get

compute.regionUrlMaps.list

compute.regionUrlMaps.listEffectiveTags

compute.regionUrlMaps.listTagBindings

compute.regionUrlMaps.validate

compute.regions.*

compute.reservations.get

compute.reservations.list

compute.resourcePolicies.get

compute.resourcePolicies.getIamPolicy

compute.resourcePolicies.list

compute.routers.get

compute.routers.getRoutePolicy

compute.routers.list

compute.routers.listBgpRoutes

compute.routers.listEffectiveTags

compute.routers.listRoutePolicies

compute.routers.listTagBindings

compute.routes.get

compute.routes.list

compute.routes.listEffectiveTags

compute.routes.listTagBindings

compute.securityPolicies.get

compute.securityPolicies.list

compute.securityPolicies.listEffectiveTags

compute.securityPolicies.listTagBindings

compute.serviceAttachments.get

compute.serviceAttachments.getIamPolicy

compute.serviceAttachments.list

compute.serviceAttachments.listEffectiveTags

compute.serviceAttachments.listTagBindings

compute.snapshotSettings.get

compute.snapshots.get

compute.snapshots.getIamPolicy

compute.snapshots.list

compute.snapshots.listEffectiveTags

compute.snapshots.listTagBindings

compute.spotAssistants.get

compute.sslCertificates.get

compute.sslCertificates.list

compute.sslCertificates.listEffectiveTags

compute.sslCertificates.listTagBindings

compute.sslPolicies.get

compute.sslPolicies.list

compute.sslPolicies.listAvailableFeatures

compute.sslPolicies.listEffectiveTags

compute.sslPolicies.listTagBindings

compute.storagePools.get

compute.storagePools.getIamPolicy

compute.storagePools.list

compute.subnetworks.get

compute.subnetworks.getIamPolicy

compute.subnetworks.list

compute.subnetworks.listEffectiveTags

compute.subnetworks.listTagBindings

compute.targetGrpcProxies.get

compute.targetGrpcProxies.list

compute.targetGrpcProxies.listEffectiveTags

compute.targetGrpcProxies.listTagBindings

compute.targetHttpProxies.get

compute.targetHttpProxies.list

compute.targetHttpProxies.listEffectiveTags

compute.targetHttpProxies.listTagBindings

compute.targetHttpsProxies.get

compute.targetHttpsProxies.list

compute.targetHttpsProxies.listEffectiveTags

compute.targetHttpsProxies.listTagBindings

compute.targetInstances.get

compute.targetInstances.list

compute.targetInstances.listEffectiveTags

compute.targetInstances.listTagBindings

compute.targetPools.get

compute.targetPools.list

compute.targetPools.listEffectiveTags

compute.targetPools.listTagBindings

compute.targetSslProxies.get

compute.targetSslProxies.list

compute.targetSslProxies.listEffectiveTags

compute.targetSslProxies.listTagBindings

compute.targetTcpProxies.get

compute.targetTcpProxies.list

compute.targetTcpProxies.listEffectiveTags

compute.targetTcpProxies.listTagBindings

compute.targetVpnGateways.get

compute.targetVpnGateways.list

compute.targetVpnGateways.listEffectiveTags

compute.targetVpnGateways.listTagBindings

compute.urlMaps.get

compute.urlMaps.list

compute.urlMaps.listEffectiveTags

compute.urlMaps.listTagBindings

compute.urlMaps.validate

compute.vpnGateways.get

compute.vpnGateways.list

compute.vpnGateways.listEffectiveTags

compute.vpnGateways.listTagBindings

compute.vpnTunnels.get

compute.vpnTunnels.list

compute.vpnTunnels.listEffectiveTags

compute.vpnTunnels.listTagBindings

compute.zoneOperations.get

compute.zoneOperations.getIamPolicy

compute.zoneOperations.list

compute.zones.*

notebooks.*

resourcemanager.projects.get

resourcemanager.projects.list

serviceusage.quotas.get

serviceusage.services.get

serviceusage.services.list

(roles/notebooks.legacyAdmin)

Full access to Notebooks all resources through compute API.

backupdr.backupPlanAssociations.createForComputeInstance

backupdr.backupPlanAssociations.deleteForComputeInstance

backupdr.backupPlanAssociations.list

backupdr.backupPlanAssociations.triggerBackupForComputeInstance

backupdr.backupPlans.useForComputeInstance

compute.*

notebooks.*

resourcemanager.projects.get

resourcemanager.projects.list

serviceusage.quotas.get

serviceusage.services.get

serviceusage.services.list

(roles/notebooks.legacyViewer)

Read-only access to Notebooks all resources through compute API.

compute.acceleratorTypes.*

compute.addresses.get

compute.addresses.list

compute.addresses.listEffectiveTags

compute.addresses.listTagBindings

compute.autoscalers.get

compute.autoscalers.list

compute.backendBuckets.get

compute.backendBuckets.getIamPolicy

compute.backendBuckets.list

compute.backendBuckets.listEffectiveTags

compute.backendBuckets.listTagBindings

compute.backendServices.get

compute.backendServices.getIamPolicy

compute.backendServices.list

compute.backendServices.listEffectiveTags

compute.backendServices.listTagBindings

compute.commitments.get

compute.commitments.list

compute.diskTypes.*

compute.disks.get

compute.disks.getIamPolicy

compute.disks.list

compute.disks.listEffectiveTags

compute.disks.listTagBindings

compute.externalVpnGateways.get

compute.externalVpnGateways.list

compute.externalVpnGateways.listEffectiveTags

compute.externalVpnGateways.listTagBindings

compute.firewallPolicies.get

compute.firewallPolicies.getIamPolicy

compute.firewallPolicies.list

compute.firewallPolicies.listEffectiveTags

compute.firewallPolicies.listTagBindings

compute.firewalls.get

compute.firewalls.list

compute.firewalls.listEffectiveTags

compute.firewalls.listTagBindings

compute.forwardingRules.get

compute.forwardingRules.list

compute.forwardingRules.listEffectiveTags

compute.forwardingRules.listTagBindings

compute.futureReservations.get

compute.futureReservations.getIamPolicy

compute.futureReservations.list

compute.globalAddresses.get

compute.globalAddresses.list

compute.globalAddresses.listEffectiveTags

compute.globalAddresses.listTagBindings

compute.globalForwardingRules.get

compute.globalForwardingRules.list

compute.globalForwardingRules.listEffectiveTags

compute.globalForwardingRules.listTagBindings

compute.globalForwardingRules.pscGet

compute.globalNetworkEndpointGroups.get

compute.globalNetworkEndpointGroups.list

compute.globalNetworkEndpointGroups.listEffectiveTags

compute.globalNetworkEndpointGroups.listTagBindings

compute.globalOperations.get

compute.globalOperations.getIamPolicy

compute.globalOperations.list

compute.globalPublicDelegatedPrefixes.get

compute.globalPublicDelegatedPrefixes.list

compute.healthChecks.get

compute.healthChecks.list

compute.healthChecks.listEffectiveTags

compute.healthChecks.listTagBindings

compute.httpHealthChecks.get

compute.httpHealthChecks.list

compute.httpHealthChecks.listEffectiveTags

compute.httpHealthChecks.listTagBindings

compute.httpsHealthChecks.get

compute.httpsHealthChecks.list

compute.httpsHealthChecks.listEffectiveTags

compute.httpsHealthChecks.listTagBindings

compute.images.get

compute.images.getFromFamily

compute.images.getIamPolicy

compute.images.list

compute.images.listEffectiveTags

compute.images.listTagBindings

compute.instanceGroupManagers.get

compute.instanceGroupManagers.list

compute.instanceGroupManagers.listEffectiveTags

compute.instanceGroupManagers.listTagBindings

compute.instanceGroups.get

compute.instanceGroups.list

compute.instanceGroups.listEffectiveTags

compute.instanceGroups.listTagBindings

compute.instanceSettings.get

compute.instanceTemplates.get

compute.instanceTemplates.getIamPolicy

compute.instanceTemplates.list

compute.instances.get

compute.instances.getEffectiveFirewalls

compute.instances.getGuestAttributes

compute.instances.getIamPolicy

compute.instances.getScreenshot

compute.instances.getSerialPortOutput

compute.instances.getShieldedInstanceIdentity

compute.instances.getShieldedVmIdentity

compute.instances.list

compute.instances.listEffectiveTags

compute.instances.listReferrers

compute.instances.listTagBindings

compute.instantSnapshots.get

compute.instantSnapshots.getIamPolicy

compute.instantSnapshots.list

compute.interconnectAttachments.get

compute.interconnectAttachments.list

compute.interconnectAttachments.listEffectiveTags

compute.interconnectAttachments.listTagBindings

compute.interconnectLocations.*

compute.interconnectRemoteLocations.*

compute.interconnects.get

compute.interconnects.list

compute.interconnects.listEffectiveTags

compute.interconnects.listTagBindings

compute.licenseCodes.get

compute.licenseCodes.getIamPolicy

compute.licenseCodes.list

compute.licenses.get

compute.licenses.getIamPolicy

compute.licenses.list

compute.machineImages.get

compute.machineImages.getIamPolicy

compute.machineImages.list

compute.machineTypes.*

compute.multiMig.get

compute.multiMig.list

compute.networkAttachments.get

compute.networkAttachments.getIamPolicy

compute.networkAttachments.list

compute.networkAttachments.listEffectiveTags

compute.networkAttachments.listTagBindings

compute.networkEdgeSecurityServices.get

compute.networkEdgeSecurityServices.list

compute.networkEdgeSecurityServices.listEffectiveTags

compute.networkEdgeSecurityServices.listTagBindings

compute.networkEndpointGroups.get

compute.networkEndpointGroups.list

compute.networkEndpointGroups.listEffectiveTags

compute.networkEndpointGroups.listTagBindings

compute.networkProfiles.*

compute.networks.get

compute.networks.getEffectiveFirewalls

compute.networks.getRegionEffectiveFirewalls

compute.networks.list

compute.networks.listEffectiveTags

compute.networks.listPeeringRoutes

compute.networks.listTagBindings

compute.nodeGroups.get

compute.nodeGroups.getIamPolicy

compute.nodeGroups.list

compute.nodeTemplates.get

compute.nodeTemplates.getIamPolicy

compute.nodeTemplates.list

compute.nodeTypes.*

compute.organizations.listAssociations

compute.packetMirrorings.get

compute.packetMirrorings.list

compute.packetMirrorings.listEffectiveTags

compute.packetMirrorings.listTagBindings

compute.projects.get

compute.publicAdvertisedPrefixes.get

compute.publicAdvertisedPrefixes.list

compute.publicDelegatedPrefixes.get

compute.publicDelegatedPrefixes.list

compute.publicDelegatedPrefixes.listEffectiveTags

compute.publicDelegatedPrefixes.listTagBindings

compute.regionBackendServices.get

compute.regionBackendServices.getIamPolicy

compute.regionBackendServices.list

compute.regionBackendServices.listEffectiveTags

compute.regionBackendServices.listTagBindings

compute.regionFirewallPolicies.get

compute.regionFirewallPolicies.getIamPolicy

compute.regionFirewallPolicies.list

compute.regionFirewallPolicies.listEffectiveTags

compute.regionFirewallPolicies.listTagBindings

compute.regionHealthCheckServices.get

compute.regionHealthCheckServices.list

compute.regionHealthChecks.get

compute.regionHealthChecks.list

compute.regionHealthChecks.listEffectiveTags

compute.regionHealthChecks.listTagBindings

compute.regionNetworkEndpointGroups.get

compute.regionNetworkEndpointGroups.list

compute.regionNetworkEndpointGroups.listEffectiveTags

compute.regionNetworkEndpointGroups.listTagBindings

compute.regionNotificationEndpoints.get

compute.regionNotificationEndpoints.list

compute.regionOperations.get

compute.regionOperations.getIamPolicy

compute.regionOperations.list

compute.regionSecurityPolicies.get

compute.regionSecurityPolicies.list

compute.regionSecurityPolicies.listEffectiveTags

compute.regionSecurityPolicies.listTagBindings

compute.regionSslCertificates.get

compute.regionSslCertificates.list

compute.regionSslCertificates.listEffectiveTags

compute.regionSslCertificates.listTagBindings

compute.regionSslPolicies.get

compute.regionSslPolicies.list

compute.regionSslPolicies.listAvailableFeatures

compute.regionSslPolicies.listEffectiveTags

compute.regionSslPolicies.listTagBindings

compute.regionTargetHttpProxies.get

compute.regionTargetHttpProxies.list

compute.regionTargetHttpProxies.listEffectiveTags

compute.regionTargetHttpProxies.listTagBindings

compute.regionTargetHttpsProxies.get

compute.regionTargetHttpsProxies.list

compute.regionTargetHttpsProxies.listEffectiveTags

compute.regionTargetHttpsProxies.listTagBindings

compute.regionTargetTcpProxies.get

compute.regionTargetTcpProxies.list

compute.regionTargetTcpProxies.listEffectiveTags

compute.regionTargetTcpProxies.listTagBindings

compute.regionUrlMaps.get

compute.regionUrlMaps.list

compute.regionUrlMaps.listEffectiveTags

compute.regionUrlMaps.listTagBindings

compute.regionUrlMaps.validate

compute.regions.*

compute.reservations.get

compute.reservations.list

compute.resourcePolicies.get

compute.resourcePolicies.getIamPolicy

compute.resourcePolicies.list

compute.routers.get

compute.routers.getRoutePolicy

compute.routers.list

compute.routers.listBgpRoutes

compute.routers.listEffectiveTags

compute.routers.listRoutePolicies

compute.routers.listTagBindings

compute.routes.get

compute.routes.list

compute.routes.listEffectiveTags

compute.routes.listTagBindings

compute.securityPolicies.get

compute.securityPolicies.list

compute.securityPolicies.listEffectiveTags

compute.securityPolicies.listTagBindings

compute.serviceAttachments.get

compute.serviceAttachments.getIamPolicy

compute.serviceAttachments.list

compute.serviceAttachments.listEffectiveTags

compute.serviceAttachments.listTagBindings

compute.snapshotSettings.get

compute.snapshots.get

compute.snapshots.getIamPolicy

compute.snapshots.list

compute.snapshots.listEffectiveTags

compute.snapshots.listTagBindings

compute.spotAssistants.get

compute.sslCertificates.get

compute.sslCertificates.list

compute.sslCertificates.listEffectiveTags

compute.sslCertificates.listTagBindings

compute.sslPolicies.get

compute.sslPolicies.list

compute.sslPolicies.listAvailableFeatures

compute.sslPolicies.listEffectiveTags

compute.sslPolicies.listTagBindings

compute.storagePools.get

compute.storagePools.getIamPolicy

compute.storagePools.list

compute.subnetworks.get

compute.subnetworks.getIamPolicy

compute.subnetworks.list

compute.subnetworks.listEffectiveTags

compute.subnetworks.listTagBindings

compute.targetGrpcProxies.get

compute.targetGrpcProxies.list

compute.targetGrpcProxies.listEffectiveTags

compute.targetGrpcProxies.listTagBindings

compute.targetHttpProxies.get

compute.targetHttpProxies.list

compute.targetHttpProxies.listEffectiveTags

compute.targetHttpProxies.listTagBindings

compute.targetHttpsProxies.get

compute.targetHttpsProxies.list

compute.targetHttpsProxies.listEffectiveTags

compute.targetHttpsProxies.listTagBindings

compute.targetInstances.get

compute.targetInstances.list

compute.targetInstances.listEffectiveTags

compute.targetInstances.listTagBindings

compute.targetPools.get

compute.targetPools.list

compute.targetPools.listEffectiveTags

compute.targetPools.listTagBindings

compute.targetSslProxies.get

compute.targetSslProxies.list

compute.targetSslProxies.listEffectiveTags

compute.targetSslProxies.listTagBindings

compute.targetTcpProxies.get

compute.targetTcpProxies.list

compute.targetTcpProxies.listEffectiveTags

compute.targetTcpProxies.listTagBindings

compute.targetVpnGateways.get

compute.targetVpnGateways.list

compute.targetVpnGateways.listEffectiveTags

compute.targetVpnGateways.listTagBindings

compute.urlMaps.get

compute.urlMaps.list

compute.urlMaps.listEffectiveTags

compute.urlMaps.listTagBindings

compute.urlMaps.validate

compute.vpnGateways.get

compute.vpnGateways.list

compute.vpnGateways.listEffectiveTags

compute.vpnGateways.listTagBindings

compute.vpnTunnels.get

compute.vpnTunnels.list

compute.vpnTunnels.listEffectiveTags

compute.vpnTunnels.listTagBindings

compute.zoneOperations.get

compute.zoneOperations.getIamPolicy

compute.zoneOperations.list

compute.zones.*

notebooks.environments.get

notebooks.environments.getIamPolicy

notebooks.environments.list

notebooks.executions.get

notebooks.executions.getIamPolicy

notebooks.executions.list

notebooks.instances.checkUpgradability

notebooks.instances.get

notebooks.instances.getHealth

notebooks.instances.getIamPolicy

notebooks.instances.list

notebooks.locations.*

notebooks.operations.get

notebooks.operations.list

notebooks.runtimes.get

notebooks.runtimes.getIamPolicy

notebooks.runtimes.list

notebooks.schedules.get

notebooks.schedules.getIamPolicy

notebooks.schedules.list

resourcemanager.projects.get

resourcemanager.projects.list

serviceusage.quotas.get

serviceusage.services.get

serviceusage.services.list

(roles/notebooks.runner)

Restricted access for running scheduled Notebooks.

aiplatform.notebookExecutionJobs.*

aiplatform.operations.list

aiplatform.pipelineJobs.create

aiplatform.schedules.*

compute.acceleratorTypes.*

compute.addresses.get

compute.addresses.list

compute.addresses.listEffectiveTags

compute.addresses.listTagBindings

compute.autoscalers.get

compute.autoscalers.list

compute.backendBuckets.get

compute.backendBuckets.getIamPolicy

compute.backendBuckets.list

compute.backendBuckets.listEffectiveTags

compute.backendBuckets.listTagBindings

compute.backendServices.get

compute.backendServices.getIamPolicy

compute.backendServices.list

compute.backendServices.listEffectiveTags

compute.backendServices.listTagBindings

compute.commitments.get

compute.commitments.list

compute.diskTypes.*

compute.disks.get

compute.disks.getIamPolicy

compute.disks.list

compute.disks.listEffectiveTags

compute.disks.listTagBindings

compute.externalVpnGateways.get

compute.externalVpnGateways.list

compute.externalVpnGateways.listEffectiveTags

compute.externalVpnGateways.listTagBindings

compute.firewallPolicies.get

compute.firewallPolicies.getIamPolicy

compute.firewallPolicies.list

compute.firewallPolicies.listEffectiveTags

compute.firewallPolicies.listTagBindings

compute.firewalls.get

compute.firewalls.list

compute.firewalls.listEffectiveTags

compute.firewalls.listTagBindings

compute.forwardingRules.get

compute.forwardingRules.list

compute.forwardingRules.listEffectiveTags

compute.forwardingRules.listTagBindings

compute.futureReservations.get

compute.futureReservations.getIamPolicy

compute.futureReservations.list

compute.globalAddresses.get

compute.globalAddresses.list

compute.globalAddresses.listEffectiveTags

compute.globalAddresses.listTagBindings

compute.globalForwardingRules.get

compute.globalForwardingRules.list

compute.globalForwardingRules.listEffectiveTags

compute.globalForwardingRules.listTagBindings

compute.globalForwardingRules.pscGet

compute.globalNetworkEndpointGroups.get

compute.globalNetworkEndpointGroups.list

compute.globalNetworkEndpointGroups.listEffectiveTags

compute.globalNetworkEndpointGroups.listTagBindings

compute.globalOperations.get

compute.globalOperations.getIamPolicy

compute.globalOperations.list

compute.globalPublicDelegatedPrefixes.get

compute.globalPublicDelegatedPrefixes.list

compute.healthChecks.get

compute.healthChecks.list

compute.healthChecks.listEffectiveTags

compute.healthChecks.listTagBindings

compute.httpHealthChecks.get

compute.httpHealthChecks.list

compute.httpHealthChecks.listEffectiveTags

compute.httpHealthChecks.listTagBindings

compute.httpsHealthChecks.get

compute.httpsHealthChecks.list

compute.httpsHealthChecks.listEffectiveTags

compute.httpsHealthChecks.listTagBindings

compute.images.get

compute.images.getFromFamily

compute.images.getIamPolicy

compute.images.list

compute.images.listEffectiveTags

compute.images.listTagBindings

compute.instanceGroupManagers.get

compute.instanceGroupManagers.list

compute.instanceGroupManagers.listEffectiveTags

compute.instanceGroupManagers.listTagBindings

compute.instanceGroups.get

compute.instanceGroups.list

compute.instanceGroups.listEffectiveTags

compute.instanceGroups.listTagBindings

compute.instanceSettings.get

compute.instanceTemplates.get

compute.instanceTemplates.getIamPolicy

compute.instanceTemplates.list

compute.instances.get

compute.instances.getEffectiveFirewalls

compute.instances.getGuestAttributes

compute.instances.getIamPolicy

compute.instances.getScreenshot

compute.instances.getSerialPortOutput

compute.instances.getShieldedInstanceIdentity

compute.instances.getShieldedVmIdentity

compute.instances.list

compute.instances.listEffectiveTags

compute.instances.listReferrers

compute.instances.listTagBindings

compute.instantSnapshots.get

compute.instantSnapshots.getIamPolicy

compute.instantSnapshots.list

compute.interconnectAttachments.get

compute.interconnectAttachments.list

compute.interconnectAttachments.listEffectiveTags

compute.interconnectAttachments.listTagBindings

compute.interconnectLocations.*

compute.interconnectRemoteLocations.*

compute.interconnects.get

compute.interconnects.list

compute.interconnects.listEffectiveTags

compute.interconnects.listTagBindings

compute.licenseCodes.get

compute.licenseCodes.getIamPolicy

compute.licenseCodes.list

compute.licenses.get

compute.licenses.getIamPolicy

compute.licenses.list

compute.machineImages.get

compute.machineImages.getIamPolicy

compute.machineImages.list

compute.machineTypes.*

compute.multiMig.get

compute.multiMig.list

compute.networkAttachments.get

compute.networkAttachments.getIamPolicy

compute.networkAttachments.list

compute.networkAttachments.listEffectiveTags

compute.networkAttachments.listTagBindings

compute.networkEdgeSecurityServices.get

compute.networkEdgeSecurityServices.list

compute.networkEdgeSecurityServices.listEffectiveTags

compute.networkEdgeSecurityServices.listTagBindings

compute.networkEndpointGroups.get

compute.networkEndpointGroups.list

compute.networkEndpointGroups.listEffectiveTags

compute.networkEndpointGroups.listTagBindings

compute.networkProfiles.*

compute.networks.get

compute.networks.getEffectiveFirewalls

compute.networks.getRegionEffectiveFirewalls

compute.networks.list

compute.networks.listEffectiveTags

compute.networks.listPeeringRoutes

compute.networks.listTagBindings

compute.nodeGroups.get

compute.nodeGroups.getIamPolicy

compute.nodeGroups.list

compute.nodeTemplates.get

compute.nodeTemplates.getIamPolicy

compute.nodeTemplates.list

compute.nodeTypes.*

compute.organizations.listAssociations

compute.packetMirrorings.get

compute.packetMirrorings.list

compute.packetMirrorings.listEffectiveTags

compute.packetMirrorings.listTagBindings

compute.projects.get

compute.publicAdvertisedPrefixes.get

compute.publicAdvertisedPrefixes.list

compute.publicDelegatedPrefixes.get

compute.publicDelegatedPrefixes.list

compute.publicDelegatedPrefixes.listEffectiveTags

compute.publicDelegatedPrefixes.listTagBindings

compute.regionBackendServices.get

compute.regionBackendServices.getIamPolicy

compute.regionBackendServices.list

compute.regionBackendServices.listEffectiveTags

compute.regionBackendServices.listTagBindings

compute.regionFirewallPolicies.get

compute.regionFirewallPolicies.getIamPolicy

compute.regionFirewallPolicies.list

compute.regionFirewallPolicies.listEffectiveTags

compute.regionFirewallPolicies.listTagBindings

compute.regionHealthCheckServices.get

compute.regionHealthCheckServices.list

compute.regionHealthChecks.get

compute.regionHealthChecks.list

compute.regionHealthChecks.listEffectiveTags

compute.regionHealthChecks.listTagBindings

compute.regionNetworkEndpointGroups.get

compute.regionNetworkEndpointGroups.list

compute.regionNetworkEndpointGroups.listEffectiveTags

compute.regionNetworkEndpointGroups.listTagBindings

compute.regionNotificationEndpoints.get

compute.regionNotificationEndpoints.list

compute.regionOperations.get

compute.regionOperations.getIamPolicy

compute.regionOperations.list

compute.regionSecurityPolicies.get

compute.regionSecurityPolicies.list

compute.regionSecurityPolicies.listEffectiveTags

compute.regionSecurityPolicies.listTagBindings

compute.regionSslCertificates.get

compute.regionSslCertificates.list

compute.regionSslCertificates.listEffectiveTags

compute.regionSslCertificates.listTagBindings

compute.regionSslPolicies.get

compute.regionSslPolicies.list

compute.regionSslPolicies.listAvailableFeatures

compute.regionSslPolicies.listEffectiveTags

compute.regionSslPolicies.listTagBindings

compute.regionTargetHttpProxies.get

compute.regionTargetHttpProxies.list

compute.regionTargetHttpProxies.listEffectiveTags

compute.regionTargetHttpProxies.listTagBindings

compute.regionTargetHttpsProxies.get

compute.regionTargetHttpsProxies.list

compute.regionTargetHttpsProxies.listEffectiveTags

compute.regionTargetHttpsProxies.listTagBindings

compute.regionTargetTcpProxies.get

compute.regionTargetTcpProxies.list

compute.regionTargetTcpProxies.listEffectiveTags

compute.regionTargetTcpProxies.listTagBindings

compute.regionUrlMaps.get

compute.regionUrlMaps.list

compute.regionUrlMaps.listEffectiveTags

compute.regionUrlMaps.listTagBindings

compute.regionUrlMaps.validate

compute.regions.*

compute.reservations.get

compute.reservations.list

compute.resourcePolicies.get

compute.resourcePolicies.getIamPolicy

compute.resourcePolicies.list

compute.routers.get

compute.routers.getRoutePolicy

compute.routers.list

compute.routers.listBgpRoutes

compute.routers.listEffectiveTags

compute.routers.listRoutePolicies

compute.routers.listTagBindings

compute.routes.get

compute.routes.list

compute.routes.listEffectiveTags

compute.routes.listTagBindings

compute.securityPolicies.get

compute.securityPolicies.list

compute.securityPolicies.listEffectiveTags

compute.securityPolicies.listTagBindings

compute.serviceAttachments.get

compute.serviceAttachments.getIamPolicy

compute.serviceAttachments.list

compute.serviceAttachments.listEffectiveTags

compute.serviceAttachments.listTagBindings

compute.snapshotSettings.get

compute.snapshots.get

compute.snapshots.getIamPolicy

compute.snapshots.list

compute.snapshots.listEffectiveTags

compute.snapshots.listTagBindings

compute.spotAssistants.get

compute.sslCertificates.get

compute.sslCertificates.list

compute.sslCertificates.listEffectiveTags

compute.sslCertificates.listTagBindings

compute.sslPolicies.get

compute.sslPolicies.list

compute.sslPolicies.listAvailableFeatures

compute.sslPolicies.listEffectiveTags

compute.sslPolicies.listTagBindings

compute.storagePools.get

compute.storagePools.getIamPolicy

compute.storagePools.list

compute.subnetworks.get

compute.subnetworks.getIamPolicy

compute.subnetworks.list

compute.subnetworks.listEffectiveTags

compute.subnetworks.listTagBindings

compute.targetGrpcProxies.get

compute.targetGrpcProxies.list

compute.targetGrpcProxies.listEffectiveTags

compute.targetGrpcProxies.listTagBindings

compute.targetHttpProxies.get

compute.targetHttpProxies.list

compute.targetHttpProxies.listEffectiveTags

compute.targetHttpProxies.listTagBindings

compute.targetHttpsProxies.get

compute.targetHttpsProxies.list

compute.targetHttpsProxies.listEffectiveTags

compute.targetHttpsProxies.listTagBindings

compute.targetInstances.get

compute.targetInstances.list

compute.targetInstances.listEffectiveTags

compute.targetInstances.listTagBindings

compute.targetPools.get

compute.targetPools.list

compute.targetPools.listEffectiveTags

compute.targetPools.listTagBindings

compute.targetSslProxies.get

compute.targetSslProxies.list

compute.targetSslProxies.listEffectiveTags

compute.targetSslProxies.listTagBindings

compute.targetTcpProxies.get

compute.targetTcpProxies.list

compute.targetTcpProxies.listEffectiveTags

compute.targetTcpProxies.listTagBindings

compute.targetVpnGateways.get

compute.targetVpnGateways.list

compute.targetVpnGateways.listEffectiveTags

compute.targetVpnGateways.listTagBindings

compute.urlMaps.get

compute.urlMaps.list

compute.urlMaps.listEffectiveTags

compute.urlMaps.listTagBindings

compute.urlMaps.validate

compute.vpnGateways.get

compute.vpnGateways.list

compute.vpnGateways.listEffectiveTags

compute.vpnGateways.listTagBindings

compute.vpnTunnels.get

compute.vpnTunnels.list

compute.vpnTunnels.listEffectiveTags

compute.vpnTunnels.listTagBindings

compute.zoneOperations.get

compute.zoneOperations.getIamPolicy

compute.zoneOperations.list

compute.zones.*

notebooks.environments.get

notebooks.environments.getIamPolicy

notebooks.environments.list

notebooks.executions.create

notebooks.executions.get

notebooks.executions.getIamPolicy

notebooks.executions.list

notebooks.instances.checkUpgradability

notebooks.instances.create

notebooks.instances.get

notebooks.instances.getHealth

notebooks.instances.getIamPolicy

notebooks.instances.list

notebooks.locations.*

notebooks.operations.get

notebooks.operations.list

notebooks.runtimes.create

notebooks.runtimes.get

notebooks.runtimes.getIamPolicy

notebooks.runtimes.list

notebooks.schedules.create

notebooks.schedules.get

notebooks.schedules.getIamPolicy

notebooks.schedules.list

resourcemanager.projects.get

resourcemanager.projects.list

serviceusage.quotas.get

serviceusage.services.get

serviceusage.services.list

(roles/notebooks.viewer)

Read-only access to Notebooks, all resources.

Lowest-level resources where you can grant this role:

  • Instance

aiplatform.notebookExecutionJobs.get

aiplatform.notebookExecutionJobs.list

aiplatform.schedules.get

aiplatform.schedules.list

compute.acceleratorTypes.*

compute.addresses.get

compute.addresses.list

compute.addresses.listEffectiveTags

compute.addresses.listTagBindings

compute.autoscalers.get

compute.autoscalers.list

compute.backendBuckets.get

compute.backendBuckets.getIamPolicy

compute.backendBuckets.list

compute.backendBuckets.listEffectiveTags

compute.backendBuckets.listTagBindings

compute.backendServices.get

compute.backendServices.getIamPolicy

compute.backendServices.list

compute.backendServices.listEffectiveTags

compute.backendServices.listTagBindings

compute.commitments.get

compute.commitments.list

compute.diskTypes.*

compute.disks.get

compute.disks.getIamPolicy

compute.disks.list

compute.disks.listEffectiveTags

compute.disks.listTagBindings

compute.externalVpnGateways.get

compute.externalVpnGateways.list

compute.externalVpnGateways.listEffectiveTags

compute.externalVpnGateways.listTagBindings

compute.firewallPolicies.get

compute.firewallPolicies.getIamPolicy

compute.firewallPolicies.list

compute.firewallPolicies.listEffectiveTags

compute.firewallPolicies.listTagBindings

compute.firewalls.get

compute.firewalls.list

compute.firewalls.listEffectiveTags

compute.firewalls.listTagBindings

compute.forwardingRules.get

compute.forwardingRules.list

compute.forwardingRules.listEffectiveTags

compute.forwardingRules.listTagBindings

compute.futureReservations.get

compute.futureReservations.getIamPolicy

compute.futureReservations.list

compute.globalAddresses.get

compute.globalAddresses.list

compute.globalAddresses.listEffectiveTags

compute.globalAddresses.listTagBindings

compute.globalForwardingRules.get

compute.globalForwardingRules.list

compute.globalForwardingRules.listEffectiveTags

compute.globalForwardingRules.listTagBindings

compute.globalForwardingRules.pscGet

compute.globalNetworkEndpointGroups.get

compute.globalNetworkEndpointGroups.list

compute.globalNetworkEndpointGroups.listEffectiveTags

compute.globalNetworkEndpointGroups.listTagBindings

compute.globalOperations.get

compute.globalOperations.getIamPolicy

compute.globalOperations.list

compute.globalPublicDelegatedPrefixes.get

compute.globalPublicDelegatedPrefixes.list

compute.healthChecks.get

compute.healthChecks.list

compute.healthChecks.listEffectiveTags

compute.healthChecks.listTagBindings

compute.httpHealthChecks.get

compute.httpHealthChecks.list

compute.httpHealthChecks.listEffectiveTags

compute.httpHealthChecks.listTagBindings

compute.httpsHealthChecks.get

compute.httpsHealthChecks.list

compute.httpsHealthChecks.listEffectiveTags

compute.httpsHealthChecks.listTagBindings

compute.images.get

compute.images.getFromFamily

compute.images.getIamPolicy

compute.images.list

compute.images.listEffectiveTags

compute.images.listTagBindings

compute.instanceGroupManagers.get

compute.instanceGroupManagers.list

compute.instanceGroupManagers.listEffectiveTags

compute.instanceGroupManagers.listTagBindings

compute.instanceGroups.get

compute.instanceGroups.list

compute.instanceGroups.listEffectiveTags

compute.instanceGroups.listTagBindings

compute.instanceSettings.get

compute.instanceTemplates.get

compute.instanceTemplates.getIamPolicy

compute.instanceTemplates.list

compute.instances.get

compute.instances.getEffectiveFirewalls

compute.instances.getGuestAttributes

compute.instances.getIamPolicy

compute.instances.getScreenshot

compute.instances.getSerialPortOutput

compute.instances.getShieldedInstanceIdentity

compute.instances.getShieldedVmIdentity

compute.instances.list

compute.instances.listEffectiveTags

compute.instances.listReferrers

compute.instances.listTagBindings

compute.instantSnapshots.get

compute.instantSnapshots.getIamPolicy

compute.instantSnapshots.list

compute.interconnectAttachments.get

compute.interconnectAttachments.list

compute.interconnectAttachments.listEffectiveTags

compute.interconnectAttachments.listTagBindings

compute.interconnectLocations.*

compute.interconnectRemoteLocations.*

compute.interconnects.get

compute.interconnects.list

compute.interconnects.listEffectiveTags

compute.interconnects.listTagBindings

compute.licenseCodes.get

compute.licenseCodes.getIamPolicy

compute.licenseCodes.list

compute.licenses.get

compute.licenses.getIamPolicy

compute.licenses.list

compute.machineImages.get

compute.machineImages.getIamPolicy

compute.machineImages.list

compute.machineTypes.*

compute.multiMig.get

compute.multiMig.list

compute.networkAttachments.get

compute.networkAttachments.getIamPolicy

compute.networkAttachments.list

compute.networkAttachments.listEffectiveTags

compute.networkAttachments.listTagBindings

compute.networkEdgeSecurityServices.get

compute.networkEdgeSecurityServices.list

compute.networkEdgeSecurityServices.listEffectiveTags

compute.networkEdgeSecurityServices.listTagBindings

compute.networkEndpointGroups.get

compute.networkEndpointGroups.list

compute.networkEndpointGroups.listEffectiveTags

compute.networkEndpointGroups.listTagBindings

compute.networkProfiles.*

compute.networks.get

compute.networks.getEffectiveFirewalls

compute.networks.getRegionEffectiveFirewalls

compute.networks.list

compute.networks.listEffectiveTags

compute.networks.listPeeringRoutes

compute.networks.listTagBindings

compute.nodeGroups.get

compute.nodeGroups.getIamPolicy

compute.nodeGroups.list

compute.nodeTemplates.get

compute.nodeTemplates.getIamPolicy

compute.nodeTemplates.list

compute.nodeTypes.*

compute.organizations.listAssociations

compute.packetMirrorings.get

compute.packetMirrorings.list

compute.packetMirrorings.listEffectiveTags

compute.packetMirrorings.listTagBindings

compute.projects.get

compute.publicAdvertisedPrefixes.get

compute.publicAdvertisedPrefixes.list

compute.publicDelegatedPrefixes.get

compute.publicDelegatedPrefixes.list

compute.publicDelegatedPrefixes.listEffectiveTags

compute.publicDelegatedPrefixes.listTagBindings

compute.regionBackendServices.get

compute.regionBackendServices.getIamPolicy

compute.regionBackendServices.list

compute.regionBackendServices.listEffectiveTags

compute.regionBackendServices.listTagBindings

compute.regionFirewallPolicies.get

compute.regionFirewallPolicies.getIamPolicy

compute.regionFirewallPolicies.list

compute.regionFirewallPolicies.listEffectiveTags

compute.regionFirewallPolicies.listTagBindings

compute.regionHealthCheckServices.get

compute.regionHealthCheckServices.list

compute.regionHealthChecks.get

compute.regionHealthChecks.list

compute.regionHealthChecks.listEffectiveTags

compute.regionHealthChecks.listTagBindings

compute.regionNetworkEndpointGroups.get

compute.regionNetworkEndpointGroups.list

compute.regionNetworkEndpointGroups.listEffectiveTags

compute.regionNetworkEndpointGroups.listTagBindings

compute.regionNotificationEndpoints.get

compute.regionNotificationEndpoints.list

compute.regionOperations.get

compute.regionOperations.getIamPolicy

compute.regionOperations.list

compute.regionSecurityPolicies.get

compute.regionSecurityPolicies.list

compute.regionSecurityPolicies.listEffectiveTags

compute.regionSecurityPolicies.listTagBindings

compute.regionSslCertificates.get

compute.regionSslCertificates.list

compute.regionSslCertificates.listEffectiveTags

compute.regionSslCertificates.listTagBindings

compute.regionSslPolicies.get

compute.regionSslPolicies.list

compute.regionSslPolicies.listAvailableFeatures

compute.regionSslPolicies.listEffectiveTags

compute.regionSslPolicies.listTagBindings

compute.regionTargetHttpProxies.get

compute.regionTargetHttpProxies.list

compute.regionTargetHttpProxies.listEffectiveTags

compute.regionTargetHttpProxies.listTagBindings

compute.regionTargetHttpsProxies.get

compute.regionTargetHttpsProxies.list

compute.regionTargetHttpsProxies.listEffectiveTags

compute.regionTargetHttpsProxies.listTagBindings

compute.regionTargetTcpProxies.get

compute.regionTargetTcpProxies.list

compute.regionTargetTcpProxies.listEffectiveTags

compute.regionTargetTcpProxies.listTagBindings

compute.regionUrlMaps.get

compute.regionUrlMaps.list

compute.regionUrlMaps.listEffectiveTags

compute.regionUrlMaps.listTagBindings

compute.regionUrlMaps.validate

compute.regions.*

compute.reservations.get

compute.reservations.list

compute.resourcePolicies.get

compute.resourcePolicies.getIamPolicy

compute.resourcePolicies.list

compute.routers.get

compute.routers.getRoutePolicy

compute.routers.list

compute.routers.listBgpRoutes

compute.routers.listEffectiveTags

compute.routers.listRoutePolicies

compute.routers.listTagBindings

compute.routes.get

compute.routes.list

compute.routes.listEffectiveTags

compute.routes.listTagBindings

compute.securityPolicies.get

compute.securityPolicies.list

compute.securityPolicies.listEffectiveTags

compute.securityPolicies.listTagBindings

compute.serviceAttachments.get

compute.serviceAttachments.getIamPolicy

compute.serviceAttachments.list

compute.serviceAttachments.listEffectiveTags

compute.serviceAttachments.listTagBindings

compute.snapshotSettings.get

compute.snapshots.get

compute.snapshots.getIamPolicy

compute.snapshots.list

compute.snapshots.listEffectiveTags

compute.snapshots.listTagBindings

compute.spotAssistants.get

compute.sslCertificates.get

compute.sslCertificates.list

compute.sslCertificates.listEffectiveTags

compute.sslCertificates.listTagBindings

compute.sslPolicies.get

compute.sslPolicies.list

compute.sslPolicies.listAvailableFeatures

compute.sslPolicies.listEffectiveTags

compute.sslPolicies.listTagBindings

compute.storagePools.get

compute.storagePools.getIamPolicy

compute.storagePools.list

compute.subnetworks.get

compute.subnetworks.getIamPolicy

compute.subnetworks.list

compute.subnetworks.listEffectiveTags

compute.subnetworks.listTagBindings

compute.targetGrpcProxies.get

compute.targetGrpcProxies.list

compute.targetGrpcProxies.listEffectiveTags

compute.targetGrpcProxies.listTagBindings

compute.targetHttpProxies.get

compute.targetHttpProxies.list

compute.targetHttpProxies.listEffectiveTags

compute.targetHttpProxies.listTagBindings

compute.targetHttpsProxies.get

compute.targetHttpsProxies.list

compute.targetHttpsProxies.listEffectiveTags

compute.targetHttpsProxies.listTagBindings

compute.targetInstances.get

compute.targetInstances.list

compute.targetInstances.listEffectiveTags

compute.targetInstances.listTagBindings

compute.targetPools.get

compute.targetPools.list

compute.targetPools.listEffectiveTags

compute.targetPools.listTagBindings

compute.targetSslProxies.get

compute.targetSslProxies.list

compute.targetSslProxies.listEffectiveTags

compute.targetSslProxies.listTagBindings

compute.targetTcpProxies.get

compute.targetTcpProxies.list

compute.targetTcpProxies.listEffectiveTags

compute.targetTcpProxies.listTagBindings

compute.targetVpnGateways.get

compute.targetVpnGateways.list

compute.targetVpnGateways.listEffectiveTags

compute.targetVpnGateways.listTagBindings

compute.urlMaps.get

compute.urlMaps.list

compute.urlMaps.listEffectiveTags

compute.urlMaps.listTagBindings

compute.urlMaps.validate

compute.vpnGateways.get

compute.vpnGateways.list

compute.vpnGateways.listEffectiveTags

compute.vpnGateways.listTagBindings

compute.vpnTunnels.get

compute.vpnTunnels.list

compute.vpnTunnels.listEffectiveTags

compute.vpnTunnels.listTagBindings

compute.zoneOperations.get

compute.zoneOperations.getIamPolicy

compute.zoneOperations.list

compute.zones.*

notebooks.environments.get

notebooks.environments.getIamPolicy

notebooks.environments.list

notebooks.executions.get

notebooks.executions.getIamPolicy

notebooks.executions.list

notebooks.instances.checkUpgradability

notebooks.instances.get

notebooks.instances.getHealth

notebooks.instances.getIamPolicy

notebooks.instances.list

notebooks.locations.*

notebooks.operations.get

notebooks.operations.list

notebooks.runtimes.get

notebooks.runtimes.getIamPolicy

notebooks.runtimes.list

notebooks.schedules.get

notebooks.schedules.getIamPolicy

notebooks.schedules.list

resourcemanager.projects.get

resourcemanager.projects.list

serviceusage.quotas.get

serviceusage.services.get

serviceusage.services.list

Permissions

(roles/ml.admin)

Provides full access to AI Platform resources, and its jobs, operations, models, and versions.

Lowest-level resources where you can grant this role:

  • Project

ml.*

resourcemanager.projects.get

(roles/ml.developer)

Provides ability to use AI Platform resources for creating models, versions, jobs for training and prediction, and sending online prediction requests.

Lowest-level resources where you can grant this role:

  • Project

ml.jobs.create

ml.jobs.get

ml.jobs.getIamPolicy

ml.jobs.list

ml.locations.*

ml.models.create

ml.models.get

ml.models.getIamPolicy

ml.models.list

ml.models.predict

ml.operations.get

ml.operations.list

ml.projects.getConfig

ml.studies.*

ml.trials.*

ml.versions.get

ml.versions.list

ml.versions.predict

resourcemanager.projects.get

(roles/ml.jobOwner)

Provides full access to all permissions for a particular job resource. This role is automatically granted to the user who creates the job.

Lowest-level resources where you can grant this role:

  • Job

ml.jobs.*

(roles/ml.modelOwner)

Provides full access to the model and its versions. This role is automatically granted to the user who creates the model.

Lowest-level resources where you can grant this role:

  • Model

ml.models.*

ml.versions.*

(roles/ml.modelUser)

Provides permissions to read the model and its versions, and use them for prediction.

Lowest-level resources where you can grant this role:

  • Model

ml.models.get

ml.models.predict

ml.versions.get

ml.versions.list

ml.versions.predict

(roles/ml.operationOwner)

Provides full access to all permissions for a particular operation resource.

Lowest-level resources where you can grant this role:

  • Operation

ml.operations.*

(roles/ml.viewer)

Provides read-only access to AI Platform resources.

Lowest-level resources where you can grant this role:

  • Project

ml.jobs.get

ml.jobs.list

ml.locations.*

ml.models.get

ml.models.list

ml.operations.get

ml.operations.list

ml.projects.getConfig

ml.studies.get

ml.studies.getIamPolicy

ml.studies.list

ml.trials.get

ml.trials.list

ml.versions.get

ml.versions.list

resourcemanager.projects.get

Permissions

(roles/analyticshub.admin)

Administer Data Exchanges and Listings

analyticshub.dataExchanges.create

analyticshub.dataExchanges.delete

analyticshub.dataExchanges.get

analyticshub.dataExchanges.getIamPolicy

analyticshub.dataExchanges.list

analyticshub.dataExchanges.setIamPolicy

analyticshub.dataExchanges.update

analyticshub.dataExchanges.viewSubscriptions

analyticshub.listings.create

analyticshub.listings.delete

analyticshub.listings.get

analyticshub.listings.getIamPolicy

analyticshub.listings.list

analyticshub.listings.setIamPolicy

analyticshub.listings.update

analyticshub.listings.viewSubscriptions

analyticshub.subscriptions.*

resourcemanager.projects.get

resourcemanager.projects.list

(roles/analyticshub.listingAdmin)

Grants full control over the Listing, including updating, deleting and setting ACLs

analyticshub.dataExchanges.get

analyticshub.dataExchanges.getIamPolicy

analyticshub.dataExchanges.list

analyticshub.listings.delete

analyticshub.listings.get

analyticshub.listings.getIamPolicy

analyticshub.listings.list

analyticshub.listings.setIamPolicy

analyticshub.listings.update

analyticshub.listings.viewSubscriptions

resourcemanager.projects.get

resourcemanager.projects.list

(roles/analyticshub.publisher)

Can publish to Data Exchanges thus creating Listings

analyticshub.dataExchanges.get

analyticshub.dataExchanges.getIamPolicy

analyticshub.dataExchanges.list

analyticshub.listings.create

analyticshub.listings.get

analyticshub.listings.getIamPolicy

analyticshub.listings.list

resourcemanager.projects.get

resourcemanager.projects.list

(roles/analyticshub.subscriber)

Can browse Data Exchanges and subscribe to Listings

analyticshub.dataExchanges.get

analyticshub.dataExchanges.getIamPolicy

analyticshub.dataExchanges.list

analyticshub.dataExchanges.subscribe

analyticshub.listings.get

analyticshub.listings.getIamPolicy

analyticshub.listings.list

analyticshub.listings.subscribe

resourcemanager.projects.get

resourcemanager.projects.list

(roles/analyticshub.subscriptionOwner)

Grants full control over the Subscription, including updating and deleting

analyticshub.dataExchanges.get

analyticshub.dataExchanges.getIamPolicy

analyticshub.dataExchanges.list

analyticshub.listings.get

analyticshub.listings.getIamPolicy

analyticshub.listings.list

analyticshub.subscriptions.*

resourcemanager.projects.get

resourcemanager.projects.list

(roles/analyticshub.viewer)

Can browse Data Exchanges and Listings

analyticshub.dataExchanges.get

analyticshub.dataExchanges.getIamPolicy

analyticshub.dataExchanges.list

analyticshub.listings.get

analyticshub.listings.getIamPolicy

analyticshub.listings.list

resourcemanager.projects.get

resourcemanager.projects.list

Permissions

(roles/androidmanagement.user)

Full access to manage devices.

androidmanagement.enterprises.manage

serviceusage.quotas.get

serviceusage.services.get

serviceusage.services.list

Permissions

(roles/gkemulticloud.admin)

Admin access to Anthos Multi-cloud resources.

gkemulticloud.*

resourcemanager.projects.get

resourcemanager.projects.list

(roles/gkemulticloud.telemetryWriter)

Grant access to write cluster telemetry data such as logs, metrics, and resource metadata.

logging.logEntries.create

logging.logEntries.route

monitoring.metricDescriptors.create

monitoring.metricDescriptors.get

monitoring.metricDescriptors.list

monitoring.monitoredResourceDescriptors.*

monitoring.timeSeries.create

opsconfigmonitoring.resourceMetadata.write

(roles/gkemulticloud.viewer)

Viewer access to Anthos Multi-cloud resources.

gkemulticloud.attachedClusters.generateInstallManifest

gkemulticloud.attachedClusters.get

gkemulticloud.attachedClusters.list

gkemulticloud.attachedServerConfigs.get

gkemulticloud.awsClusters.generateAccessToken

gkemulticloud.awsClusters.get

gkemulticloud.awsClusters.list

gkemulticloud.awsNodePools.get

gkemulticloud.awsNodePools.list

gkemulticloud.awsServerConfigs.get

gkemulticloud.azureClients.get

gkemulticloud.azureClients.list

gkemulticloud.azureClusters.generateAccessToken

gkemulticloud.azureClusters.get

gkemulticloud.azureClusters.list

gkemulticloud.azureNodePools.get

gkemulticloud.azureNodePools.list

gkemulticloud.azureServerConfigs.get

gkemulticloud.operations.get

gkemulticloud.operations.list

gkemulticloud.operations.wait

resourcemanager.projects.get

resourcemanager.projects.list

Permissions

(roles/apigateway.admin)

Full access to ApiGateway and related resources.

apigateway.*

monitoring.metricDescriptors.list

monitoring.monitoredResourceDescriptors.get

monitoring.timeSeries.list

resourcemanager.projects.get

resourcemanager.projects.list

servicemanagement.services.get

serviceusage.services.get

serviceusage.services.list

(roles/apigateway.viewer)

Read-only access to ApiGateway and related resources.

apigateway.apiconfigs.get

apigateway.apiconfigs.getIamPolicy

apigateway.apiconfigs.list

apigateway.apis.get

apigateway.apis.getIamPolicy

apigateway.apis.list

apigateway.gateways.get

apigateway.gateways.getIamPolicy

apigateway.gateways.list

apigateway.locations.*

apigateway.operations.get

apigateway.operations.list

monitoring.metricDescriptors.list

monitoring.monitoredResourceDescriptors.get

monitoring.timeSeries.list

resourcemanager.projects.get

resourcemanager.projects.list

servicemanagement.services.get

serviceusage.services.get

serviceusage.services.list

Permissions

(roles/apigee.admin)

Full access to all apigee resource features

apigee.*

monitoring.timeSeries.list

resourcemanager.projects.get

resourcemanager.projects.getIamPolicy

resourcemanager.projects.list

(roles/apigee.analyticsAgent)

Curated set of permissions for Apigee Universal Data Collection Agent to manage analytics for an Apigee Organization

apigee.datalocation.get

apigee.environments.getDataLocation

apigee.runtimeconfigs.get

(roles/apigee.analyticsEditor)

Analytics editor for an Apigee Organization

apigee.datacollectors.*

apigee.datastores.*

apigee.entitlements.get

apigee.envgroupattachments.get

apigee.envgroupattachments.list

apigee.envgroups.get

apigee.envgroups.list

apigee.environments.get

apigee.environments.getStats

apigee.environments.list

apigee.exports.*

apigee.hostqueries.*

apigee.hoststats.get

apigee.organizations.get

apigee.organizations.list

apigee.projectorganizations.get

apigee.queries.*

apigee.reports.*

resourcemanager.projects.get

resourcemanager.projects.list

(roles/apigee.analyticsViewer)

Analytics viewer for an Apigee Organization

apigee.datacollectors.get

apigee.datacollectors.list

apigee.datastores.get

apigee.datastores.list

apigee.entitlements.get

apigee.envgroupattachments.get

apigee.envgroupattachments.list

apigee.envgroups.get

apigee.envgroups.list

apigee.environments.get

apigee.environments.getStats

apigee.environments.list

apigee.exports.get

apigee.exports.list

apigee.hostqueries.get

apigee.hostqueries.list

apigee.hoststats.get

apigee.organizations.get

apigee.organizations.list

apigee.projectorganizations.get

apigee.queries.get

apigee.queries.list

apigee.reports.get

apigee.reports.list

resourcemanager.projects.get

resourcemanager.projects.list

(roles/apigee.apiAdminV2)

Full read/write access to all apigee API resources

apigee.apiproductattributes.*

apigee.apiproducts.*

apigee.deployments.list

apigee.entitlements.get

apigee.envgroupattachments.get

apigee.envgroupattachments.list

apigee.envgroups.get

apigee.envgroups.list

apigee.environments.get

apigee.environments.getStats

apigee.environments.list

apigee.keyvaluemapentries.*

apigee.keyvaluemaps.*

apigee.organizations.get

apigee.organizations.list

apigee.projectorganizations.get

apigee.proxies.*

apigee.proxyrevisions.*

apigee.sharedflowrevisions.*

apigee.sharedflows.*

resourcemanager.projects.get

resourcemanager.projects.list

(roles/apigee.apiReaderV2)

Reader of apigee resources

apigee.apiproductattributes.get

apigee.apiproductattributes.list

apigee.apiproducts.get

apigee.apiproducts.list

apigee.entitlements.get

apigee.envgroupattachments.get

apigee.envgroupattachments.list

apigee.envgroups.get

apigee.envgroups.list

apigee.environments.get

apigee.environments.getStats

apigee.environments.list

apigee.keyvaluemapentries.get

apigee.keyvaluemapentries.list

apigee.keyvaluemaps.list

apigee.organizations.get

apigee.organizations.list

apigee.projectorganizations.get

apigee.proxies.get

apigee.proxies.list

apigee.proxyrevisions.deploy

apigee.proxyrevisions.get

apigee.proxyrevisions.list

apigee.proxyrevisions.undeploy

apigee.sharedflowrevisions.deploy

apigee.sharedflowrevisions.get

apigee.sharedflowrevisions.list

apigee.sharedflowrevisions.undeploy

apigee.sharedflows.get

apigee.sharedflows.list

resourcemanager.projects.get

resourcemanager.projects.list

(roles/apigee.deploymentInvoker)

Invoker of deployments in the apigee runtime

apigee.deployments.invoke

(roles/apigee.developerAdmin)

Developer admin of apigee resources

apigee.apiproductattributes.get

apigee.apiproductattributes.list

apigee.apiproducts.get

apigee.apiproducts.list

apigee.appgroupapps.*

apigee.appgroups.*

apigee.appkeys.*

apigee.apps.*

apigee.datacollectors.*

apigee.developerappattributes.*

apigee.developerapps.*

apigee.developerattributes.*

apigee.developerbalances.*

apigee.developermonetizationconfigs.*

apigee.developers.*

apigee.developersubscriptions.*

apigee.entitlements.get

apigee.environments.get

apigee.environments.getStats

apigee.environments.list

apigee.hoststats.get

apigee.organizations.get

apigee.organizations.list

apigee.projectorganizations.get

apigee.rateplans.get

apigee.rateplans.list

resourcemanager.projects.get

resourcemanager.projects.getIamPolicy

resourcemanager.projects.list

(roles/apigee.environmentAdmin)

Full read/write access to apigee environment resources, including deployments.

apigee.addonsconfig.*

apigee.archivedeployments.*

apigee.datacollectors.get

apigee.datacollectors.list

apigee.deployments.*

apigee.entitlements.get

apigee.envgroupattachments.get

apigee.envgroupattachments.list

apigee.envgroups.get

apigee.envgroups.list

apigee.environments.get

apigee.environments.getIamPolicy

apigee.environments.getStats

apigee.environments.list

apigee.environments.setIamPolicy

apigee.environments.update

apigee.flowhooks.*

apigee.ingressconfigs.get

apigee.keystorealiases.*

apigee.keystores.*

apigee.keyvaluemapentries.*

apigee.keyvaluemaps.*

apigee.maskconfigs.*

apigee.organizations.get

apigee.organizations.list

apigee.projectorganizations.get

apigee.proxies.get

apigee.proxies.list

apigee.proxyrevisions.deploy

apigee.proxyrevisions.get

apigee.proxyrevisions.list

apigee.proxyrevisions.undeploy

apigee.references.*

apigee.resourcefiles.*

apigee.sharedflowrevisions.deploy

apigee.sharedflowrevisions.get

apigee.sharedflowrevisions.list

apigee.sharedflowrevisions.undeploy

apigee.sharedflows.get

apigee.sharedflows.list

apigee.targetservers.*

apigee.traceconfig.*

apigee.traceconfigoverrides.*

apigee.tracesessions.*

resourcemanager.projects.get

resourcemanager.projects.getIamPolicy

resourcemanager.projects.list

(roles/apigee.monetizationAdmin)

All permissions related to monetization

apigee.apiproducts.get

apigee.apiproducts.list

apigee.developerbalances.*

apigee.developermonetizationconfigs.*

apigee.developersubscriptions.*

apigee.entitlements.get

apigee.organizations.get

apigee.organizations.list

apigee.projectorganizations.get

apigee.rateplans.*

resourcemanager.projects.get

resourcemanager.projects.list

(roles/apigee.portalAdmin)

Portal admin for an Apigee Organization

apigee.entitlements.get

apigee.organizations.get

apigee.organizations.list

apigee.portals.*

apigee.projectorganizations.get

resourcemanager.projects.get

resourcemanager.projects.list

(roles/apigee.readOnlyAdmin)

Viewer of all apigee resources

apigee.addonsconfig.get

apigee.apiproductattributes.get

apigee.apiproductattributes.list

apigee.apiproducts.get

apigee.apiproducts.list

apigee.appgroupapps.get

apigee.appgroupapps.list

apigee.appgroups.get

apigee.appgroups.list

apigee.appkeys.get

apigee.apps.*

apigee.archivedeployments.download

apigee.archivedeployments.get

apigee.archivedeployments.list

apigee.caches.list

apigee.canaryevaluations.get

apigee.datacollectors.get

apigee.datacollectors.list

apigee.datalocation.get

apigee.datastores.get

apigee.datastores.list

apigee.deployments.get

apigee.deployments.list

apigee.developerappattributes.get

apigee.developerappattributes.list

apigee.developerapps.get

apigee.developerapps.list

apigee.developerattributes.get

apigee.developerattributes.list

apigee.developerbalances.get

apigee.developermonetizationconfigs.get

apigee.developers.get

apigee.developers.list

apigee.developersubscriptions.get

apigee.developersubscriptions.list

apigee.endpointattachments.get

apigee.endpointattachments.list

apigee.entitlements.get

apigee.envgroupattachments.get

apigee.envgroupattachments.list

apigee.envgroups.get

apigee.envgroups.list

apigee.environments.get

apigee.environments.getDataLocation

apigee.environments.getIamPolicy

apigee.environments.getStats

apigee.environments.list

apigee.exports.get

apigee.exports.list

apigee.flowhooks.getSharedFlow

apigee.flowhooks.list

apigee.hostqueries.get

apigee.hostqueries.list

apigee.hostsecurityreports.get

apigee.hostsecurityreports.list

apigee.hoststats.get

apigee.ingressconfigs.get

apigee.instanceattachments.get

apigee.instanceattachments.list

apigee.instances.get

apigee.instances.list

apigee.keystorealiases.get

apigee.keystorealiases.list

apigee.keystores.get

apigee.keystores.list

apigee.keyvaluemapentries.get

apigee.keyvaluemapentries.list

apigee.keyvaluemaps.list

apigee.maskconfigs.get

apigee.nataddresses.get

apigee.nataddresses.list

apigee.operations.*

apigee.organizations.get

apigee.organizations.list

apigee.portals.get

apigee.portals.list

apigee.projectorganizations.get

apigee.proxies.get

apigee.proxies.list

apigee.proxyrevisions.get

apigee.proxyrevisions.list

apigee.queries.get

apigee.queries.list

apigee.rateplans.get

apigee.rateplans.list

apigee.references.get

apigee.references.list

apigee.reports.get

apigee.reports.list

apigee.resourcefiles.get

apigee.resourcefiles.list

apigee.runtimeconfigs.get

apigee.securityActions.get

apigee.securityActions.list

apigee.securityActionsConfig.get

apigee.securityAssessmentResults.compute

apigee.securityFeedback.get

apigee.securityFeedback.list

apigee.securityIncidents.get

apigee.securityIncidents.list

apigee.securityProfileEnvironments.computeScore

apigee.securityProfiles.get

apigee.securityProfiles.list

apigee.securityProfilesV2.get

apigee.securityProfilesV2.list

apigee.securitySettings.get

apigee.securityStats.*

apigee.securityreports.get

apigee.securityreports.list

apigee.setupcontexts.get

apigee.sharedflowrevisions.get

apigee.sharedflowrevisions.list

apigee.sharedflows.get

apigee.sharedflows.list

apigee.targetservers.get

apigee.targetservers.list

apigee.traceconfig.get

apigee.traceconfigoverrides.get

apigee.traceconfigoverrides.list

apigee.tracesessions.get

apigee.tracesessions.list

monitoring.timeSeries.list

resourcemanager.projects.get

resourcemanager.projects.getIamPolicy

resourcemanager.projects.list

(roles/apigee.runtimeAgent)

Curated set of permissions for a runtime agent to access Apigee Organization resources

apigee.canaryevaluations.*

apigee.entitlements.get

apigee.ingressconfigs.get

apigee.instances.reportStatus

apigee.operations.*

apigee.organizations.get

apigee.projectorganizations.get

apigee.runtimeconfigs.get

(roles/apigee.securityAdmin)

Security admin for an Apigee Organization

apigee.addonsconfig.get

apigee.entitlements.get

apigee.envgroupattachments.get

apigee.envgroupattachments.list

apigee.envgroups.get

apigee.envgroups.list

apigee.environments.get

apigee.environments.list

apigee.hostsecurityreports.*

apigee.organizations.get

apigee.organizations.list

apigee.projectorganizations.get

apigee.securityActions.*

apigee.securityActionsConfig.*

apigee.securityAssessmentResults.compute

apigee.securityFeedback.*

apigee.securityIncidents.*

apigee.securityProfileEnvironments.*

apigee.securityProfiles.*

apigee.securityProfilesV2.*

apigee.securitySettings.*

apigee.securityStats.*

apigee.securityreports.*

resourcemanager.projects.get

resourcemanager.projects.list

(roles/apigee.securityViewer)

Security viewer for an Apigee Organization

apigee.addonsconfig.get

apigee.entitlements.get

apigee.envgroupattachments.get

apigee.envgroupattachments.list

apigee.envgroups.get

apigee.envgroups.list

apigee.environments.get

apigee.environments.list

apigee.hostsecurityreports.get

apigee.hostsecurityreports.list

apigee.organizations.get

apigee.organizations.list

apigee.projectorganizations.get

apigee.securityActions.get

apigee.securityActions.list

apigee.securityActionsConfig.get

apigee.securityAssessmentResults.compute

apigee.securityFeedback.get

apigee.securityFeedback.list

apigee.securityIncidents.get

apigee.securityIncidents.list

apigee.securityProfileEnvironments.computeScore

apigee.securityProfiles.get

apigee.securityProfiles.list

apigee.securityProfilesV2.get

apigee.securityProfilesV2.list

apigee.securitySettings.get

apigee.securityStats.*

apigee.securityreports.get

apigee.securityreports.list

resourcemanager.projects.get

resourcemanager.projects.list

(roles/apigee.synchronizerManager)

Curated set of permissions for a Synchronizer to manage environments in an Apigee Organization

apigee.environments.get

apigee.environments.manageRuntime

apigee.ingressconfigs.get

(roles/apigeeconnect.Admin)

Admin of Apigee Connect

apigeeconnect.connections.list

(roles/apigeeconnect.Agent)

Ability to set up Apigee Connect agent between external clusters and Google.

apigeeconnect.endpoints.connect

Permissions

(roles/apigeeregistry.admin)

Full access to Cloud Apigee Registry Registry and Runtime resources.

apigeeregistry.*

resourcemanager.projects.get

resourcemanager.projects.list

(roles/apigeeregistry.editor)

Edit access to Cloud Apigee Registry Registry resources.

apigeeregistry.apis.create

apigeeregistry.apis.delete

apigeeregistry.apis.get

apigeeregistry.apis.getIamPolicy

apigeeregistry.apis.list

apigeeregistry.apis.update

apigeeregistry.artifacts.create

apigeeregistry.artifacts.delete

apigeeregistry.artifacts.get

apigeeregistry.artifacts.getIamPolicy

apigeeregistry.artifacts.list

apigeeregistry.artifacts.update

apigeeregistry.deployments.*

apigeeregistry.specs.create

apigeeregistry.specs.delete

apigeeregistry.specs.get

apigeeregistry.specs.getIamPolicy

apigeeregistry.specs.list

apigeeregistry.specs.update

apigeeregistry.versions.create

apigeeregistry.versions.delete

apigeeregistry.versions.get

apigeeregistry.versions.getIamPolicy

apigeeregistry.versions.list

apigeeregistry.versions.update

resourcemanager.projects.get

resourcemanager.projects.list

(roles/apigeeregistry.viewer)

Read-only access to Cloud Apigee Registry Registry resources.

apigeeregistry.apis.get

apigeeregistry.apis.list

apigeeregistry.artifacts.get

apigeeregistry.artifacts.list

apigeeregistry.deployments.get

apigeeregistry.deployments.list

apigeeregistry.specs.get

apigeeregistry.specs.list

apigeeregistry.versions.get

apigeeregistry.versions.list

resourcemanager.projects.get

resourcemanager.projects.list

(roles/apigeeregistry.worker)

The role used by Apigee Registry application workers to read and update Apigee Registry Artifacts.

apigeeregistry.apis.get

apigeeregistry.apis.list

apigeeregistry.apis.update

apigeeregistry.artifacts.create

apigeeregistry.artifacts.delete

apigeeregistry.artifacts.get

apigeeregistry.artifacts.list

apigeeregistry.artifacts.update

apigeeregistry.deployments.get

apigeeregistry.deployments.list

apigeeregistry.deployments.update

apigeeregistry.specs.get

apigeeregistry.specs.list

apigeeregistry.specs.update

apigeeregistry.versions.get

apigeeregistry.versions.list

apigeeregistry.versions.update

resourcemanager.projects.get

resourcemanager.projects.list

Permissions

(roles/appengine.appAdmin)

Read/Write/Modify access to all application configuration and settings.

To deploy new versions, a principal must have the Service Account User (roles/iam.serviceAccountUser) role on the assigned App Engine service account, and the Cloud Build Editor (roles/cloudbuild.builds.editor), and Cloud Storage Object Admin (roles/storage.objectAdmin) roles on the project.

Lowest-level resources where you can grant this role:

  • Project

appengine.applications.get

appengine.applications.listRuntimes

appengine.applications.update

appengine.instances.*

appengine.memcache.addKey

appengine.memcache.flush

appengine.memcache.get

appengine.memcache.update

appengine.operations.*

appengine.runtimes.actAsAdmin

appengine.services.*

appengine.versions.create

appengine.versions.delete

appengine.versions.get

appengine.versions.list

appengine.versions.update

resourcemanager.projects.get

resourcemanager.projects.list

(roles/appengine.appCreator)

Ability to create the App Engine resource for the project.

Lowest-level resources where you can grant this role:

  • Project

appengine.applications.create

resourcemanager.projects.get

resourcemanager.projects.list

(roles/appengine.appViewer)

Read-only access to all application configuration and settings.

Lowest-level resources where you can grant this role:

  • Project

appengine.applications.get

appengine.applications.listRuntimes

appengine.instances.get

appengine.instances.list

appengine.operations.*

appengine.services.get

appengine.services.list

appengine.versions.get

appengine.versions.list

resourcemanager.projects.get

resourcemanager.projects.list

(roles/appengine.codeViewer)

Read-only access to all application configuration, settings, and deployed source code.

Lowest-level resources where you can grant this role:

  • Project

appengine.applications.get

appengine.applications.listRuntimes

appengine.instances.get

appengine.instances.list

appengine.operations.*

appengine.services.get

appengine.services.list

appengine.versions.get

appengine.versions.getFileContents

appengine.versions.list

resourcemanager.projects.get

resourcemanager.projects.list

(roles/appengine.debugger)

Ability to read or manage v2 instances.

appengine.applications.get

appengine.applications.listRuntimes

appengine.instances.*

appengine.operations.*

appengine.services.get

appengine.services.list

appengine.versions.get

appengine.versions.list

resourcemanager.projects.get

resourcemanager.projects.list

(roles/appengine.deployer)

Read-only access to all application configuration and settings.

To deploy new versions, you must also have the Service Account User (roles/iam.serviceAccountUser) role on the assigned App Engine service account, and the Cloud Build Editor (roles/cloudbuild.builds.editor), and Cloud Storage Object Admin (roles/storage.objectAdmin) roles on the project.

Cannot modify existing versions other than deleting versions that are not receiving traffic.

Lowest-level resources where you can grant this role:

  • Project

appengine.applications.get

appengine.applications.listRuntimes

appengine.instances.get

appengine.instances.list

appengine.operations.*

appengine.services.get

appengine.services.list

appengine.versions.create

appengine.versions.delete

appengine.versions.get

appengine.versions.list

artifactregistry.repositories.deleteArtifacts

artifactregistry.repositories.downloadArtifacts

artifactregistry.repositories.uploadArtifacts

resourcemanager.projects.get

resourcemanager.projects.list

(roles/appengine.memcacheDataAdmin)

Can get, set, delete, and flush App Engine Memcache items.

appengine.applications.get

appengine.memcache.addKey

appengine.memcache.flush

appengine.memcache.get

appengine.memcache.update

resourcemanager.projects.get

resourcemanager.projects.list

(roles/appengine.serviceAdmin)

Read-only access to all application configuration and settings.

Write access to module-level and version-level settings. Cannot deploy a new version.

Lowest-level resources where you can grant this role:

  • Project

appengine.applications.get

appengine.applications.listRuntimes

appengine.instances.delete

appengine.instances.get

appengine.instances.list

appengine.operations.*

appengine.services.*

appengine.versions.delete

appengine.versions.get

appengine.versions.list

appengine.versions.update

resourcemanager.projects.get

resourcemanager.projects.list

Permissions

(roles/artifactregistry.admin)

Administrator access to create and manage repositories.

artifactregistry.aptartifacts.create

artifactregistry.attachments.*

artifactregistry.dockerimages.*

artifactregistry.files.*

artifactregistry.kfpartifacts.create

artifactregistry.locations.*

artifactregistry.mavenartifacts.*

artifactregistry.npmpackages.*

artifactregistry.packages.*

artifactregistry.projectsettings.*

artifactregistry.pythonpackages.*

artifactregistry.repositories.create

artifactregistry.repositories.createTagBinding

artifactregistry.repositories.delete

artifactregistry.repositories.deleteArtifacts

artifactregistry.repositories.deleteTagBinding

artifactregistry.repositories.downloadArtifacts

artifactregistry.repositories.get

artifactregistry.repositories.getIamPolicy

artifactregistry.repositories.list

artifactregistry.repositories.listEffectiveTags

artifactregistry.repositories.listTagBindings

artifactregistry.repositories.readViaVirtualRepository

artifactregistry.repositories.setIamPolicy

artifactregistry.repositories.update

artifactregistry.repositories.uploadArtifacts

artifactregistry.rules.*

artifactregistry.tags.*

artifactregistry.versions.*

artifactregistry.yumartifacts.create

(roles/artifactregistry.containerRegistryMigrationAdmin)

Access to run migration tooling to migrate from Container Registry to Artifact Registry

artifactregistry.projectsettings.*

artifactregistry.repositories.create

artifactregistry.repositories.downloadArtifacts

artifactregistry.repositories.get

artifactregistry.repositories.getIamPolicy

artifactregistry.repositories.list

artifactregistry.repositories.setIamPolicy

artifactregistry.repositories.uploadArtifacts

cloudasset.assets.analyzeIamPolicy

cloudasset.assets.searchAllIamPolicies

cloudasset.assets.searchAllResources

iam.roles.get

resourcemanager.projects.get

resourcemanager.projects.getIamPolicy

serviceusage.services.use

storage.objects.list

(roles/artifactregistry.createOnPushRepoAdmin)

Access to manage artifacts in repositories, as well as create new repositories on push

artifactregistry.aptartifacts.create

artifactregistry.attachments.*

artifactregistry.dockerimages.*

artifactregistry.files.*

artifactregistry.kfpartifacts.create

artifactregistry.locations.*

artifactregistry.mavenartifacts.*

artifactregistry.npmpackages.*

artifactregistry.packages.*

artifactregistry.projectsettings.get

artifactregistry.pythonpackages.*

artifactregistry.repositories.createOnPush

artifactregistry.repositories.deleteArtifacts

artifactregistry.repositories.downloadArtifacts

artifactregistry.repositories.get

artifactregistry.repositories.list

artifactregistry.repositories.listEffectiveTags

artifactregistry.repositories.listTagBindings

artifactregistry.repositories.readViaVirtualRepository

artifactregistry.repositories.uploadArtifacts

artifactregistry.rules.*

artifactregistry.tags.*

artifactregistry.versions.*

artifactregistry.yumartifacts.create

(roles/artifactregistry.createOnPushWriter)

Access to read and write repository items, as well as create new repositories on push

artifactregistry.aptartifacts.create

artifactregistry.attachments.create

artifactregistry.attachments.get

artifactregistry.attachments.list

artifactregistry.dockerimages.*

artifactregistry.files.download

artifactregistry.files.get

artifactregistry.files.list

artifactregistry.files.update

artifactregistry.files.upload

artifactregistry.kfpartifacts.create

artifactregistry.locations.*

artifactregistry.mavenartifacts.*

artifactregistry.npmpackages.*

artifactregistry.packages.get

artifactregistry.packages.list

artifactregistry.packages.update

artifactregistry.projectsettings.get

artifactregistry.pythonpackages.*

artifactregistry.repositories.createOnPush

artifactregistry.repositories.downloadArtifacts

artifactregistry.repositories.get

artifactregistry.repositories.list

artifactregistry.repositories.listEffectiveTags

artifactregistry.repositories.listTagBindings

artifactregistry.repositories.readViaVirtualRepository

artifactregistry.repositories.uploadArtifacts

artifactregistry.rules.get

artifactregistry.rules.list

artifactregistry.tags.create

artifactregistry.tags.get

artifactregistry.tags.list

artifactregistry.tags.update

artifactregistry.versions.get

artifactregistry.versions.list

artifactregistry.yumartifacts.create

(roles/artifactregistry.reader)

Access to read repository items.

artifactregistry.attachments.get

artifactregistry.attachments.list

artifactregistry.dockerimages.*

artifactregistry.files.download

artifactregistry.files.get

artifactregistry.files.list

artifactregistry.locations.*

artifactregistry.mavenartifacts.*

artifactregistry.npmpackages.*

artifactregistry.packages.get

artifactregistry.packages.list

artifactregistry.projectsettings.get

artifactregistry.pythonpackages.*

artifactregistry.repositories.downloadArtifacts

artifactregistry.repositories.get

artifactregistry.repositories.list

artifactregistry.repositories.listEffectiveTags

artifactregistry.repositories.listTagBindings

artifactregistry.repositories.readViaVirtualRepository

artifactregistry.rules.get

artifactregistry.rules.list

artifactregistry.tags.get

artifactregistry.tags.list

artifactregistry.versions.get

artifactregistry.versions.list

(roles/artifactregistry.repoAdmin)

Access to manage artifacts in repositories.

artifactregistry.aptartifacts.create

artifactregistry.attachments.*

artifactregistry.dockerimages.*

artifactregistry.files.*

artifactregistry.kfpartifacts.create

artifactregistry.locations.*

artifactregistry.mavenartifacts.*

artifactregistry.npmpackages.*

artifactregistry.packages.*

artifactregistry.projectsettings.get

artifactregistry.pythonpackages.*

artifactregistry.repositories.deleteArtifacts

artifactregistry.repositories.downloadArtifacts

artifactregistry.repositories.get

artifactregistry.repositories.list

artifactregistry.repositories.listEffectiveTags

artifactregistry.repositories.listTagBindings

artifactregistry.repositories.readViaVirtualRepository

artifactregistry.repositories.uploadArtifacts

artifactregistry.rules.*

artifactregistry.tags.*

artifactregistry.versions.*

artifactregistry.yumartifacts.create

(roles/artifactregistry.writer)

Access to read and write repository items.

artifactregistry.aptartifacts.create

artifactregistry.attachments.create

artifactregistry.attachments.get

artifactregistry.attachments.list

artifactregistry.dockerimages.*

artifactregistry.files.download

artifactregistry.files.get

artifactregistry.files.list

artifactregistry.files.update

artifactregistry.files.upload

artifactregistry.kfpartifacts.create

artifactregistry.locations.*

artifactregistry.mavenartifacts.*

artifactregistry.npmpackages.*

artifactregistry.packages.get

artifactregistry.packages.list

artifactregistry.packages.update

artifactregistry.projectsettings.get

artifactregistry.pythonpackages.*

artifactregistry.repositories.downloadArtifacts

artifactregistry.repositories.get

artifactregistry.repositories.list

artifactregistry.repositories.listEffectiveTags

artifactregistry.repositories.listTagBindings

artifactregistry.repositories.readViaVirtualRepository

artifactregistry.repositories.uploadArtifacts

artifactregistry.rules.get

artifactregistry.rules.list

artifactregistry.tags.create

artifactregistry.tags.get

artifactregistry.tags.list

artifactregistry.tags.update

artifactregistry.versions.get

artifactregistry.versions.list

artifactregistry.yumartifacts.create

Permissions

(roles/assuredworkloads.admin)

Grants full access to Assured Workloads resources, CRM resources - project/folder and Organization Policy administration

assuredworkloads.*

axt.labels.set

bigquery.config.update

logging.settings.update

orgpolicy.policies.*

orgpolicy.policy.*

resourcemanager.folders.create

resourcemanager.folders.get

resourcemanager.folders.list

resourcemanager.organizations.get

resourcemanager.projects.create

resourcemanager.projects.get

resourcemanager.projects.list

(roles/assuredworkloads.editor)

Grants read, write access to Assured Workloads resources, CRM resources - project/folder and Organization Policy administration

assuredworkloads.*

axt.labels.set

bigquery.config.update

logging.settings.update

orgpolicy.policies.*

orgpolicy.policy.*

resourcemanager.folders.create

resourcemanager.folders.get

resourcemanager.folders.list

resourcemanager.organizations.get

resourcemanager.projects.create

resourcemanager.projects.get

resourcemanager.projects.list

(roles/assuredworkloads.reader)

Grants read access to all Assured Workloads resources and CRM resources - project/folder

assuredworkloads.operations.*

assuredworkloads.updates.list

assuredworkloads.violations.get

assuredworkloads.violations.list

assuredworkloads.workload.get

assuredworkloads.workload.list

orgpolicy.policies.list

orgpolicy.policy.get

resourcemanager.folders.get

resourcemanager.folders.list

resourcemanager.organizations.get

resourcemanager.projects.get

resourcemanager.projects.list

Permissions

(roles/automl.admin)

Full access to all AutoML resources

Lowest-level resources where you can grant this role:

  • Dataset
  • Model

automl.*

resourcemanager.projects.get

resourcemanager.projects.list

serviceusage.services.get

serviceusage.services.list

(roles/automl.editor)

Editor of all AutoML resources

Lowest-level resources where you can grant this role:

  • Dataset
  • Model

automl.annotationSpecs.*

automl.annotations.*

automl.columnSpecs.*

automl.datasets.create

automl.datasets.delete

automl.datasets.export

automl.datasets.get

automl.datasets.import

automl.datasets.list

automl.datasets.update

automl.examples.*

automl.files.*

automl.humanAnnotationTasks.*

automl.locations.get

automl.locations.list

automl.modelEvaluations.*

automl.models.create

automl.models.delete

automl.models.deploy

automl.models.export

automl.models.get

automl.models.list

automl.models.predict

automl.models.undeploy

automl.operations.*

automl.tableSpecs.*

resourcemanager.projects.get

resourcemanager.projects.list

serviceusage.services.get

serviceusage.services.list

(roles/automl.predictor)

Predict using models

Lowest-level resources where you can grant this role:

  • Model

automl.models.predict

resourcemanager.projects.get

resourcemanager.projects.list

(roles/automl.viewer)

Viewer of all AutoML resources

Lowest-level resources where you can grant this role:

  • Dataset
  • Model

automl.annotationSpecs.get

automl.annotationSpecs.list

automl.annotations.list

automl.columnSpecs.get

automl.columnSpecs.list

automl.datasets.get

automl.datasets.list

automl.examples.get

automl.examples.list

automl.files.list

automl.humanAnnotationTasks.get

automl.humanAnnotationTasks.list

automl.locations.get

automl.locations.list

automl.modelEvaluations.get

automl.modelEvaluations.list

automl.models.get

automl.models.list

automl.operations.get

automl.operations.list

automl.tableSpecs.get

automl.tableSpecs.list

resourcemanager.projects.get

resourcemanager.projects.list

serviceusage.services.get

serviceusage.services.list

Permissions

(roles/backupdr.admin)

Provides full access to all Backup and DR resources.

backupdr.*

resourcemanager.projects.get

resourcemanager.projects.list

(roles/backupdr.backupUser)

Allows the user to apply existing backup plans. This role cannot create backup plans or restore from a backup.

backupdr.backupPlanAssociations.*

backupdr.backupPlans.get

backupdr.backupPlans.list

backupdr.backupPlans.useForComputeInstance

backupdr.backupVaults.get

backupdr.backupVaults.list

backupdr.bvbackups.get

backupdr.bvbackups.list

backupdr.bvdataSources.get

backupdr.bvdataSources.list

backupdr.locations.*

backupdr.managementServers.access

backupdr.managementServers.assignBackupPlans

backupdr.managementServers.createDynamicProtection

backupdr.managementServers.deleteDynamicProtection

backupdr.managementServers.get

backupdr.managementServers.getDynamicProtection

backupdr.managementServers.list

backupdr.managementServers.listDynamicProtection

backupdr.managementServers.manageApplications

backupdr.managementServers.manageBackups

backupdr.managementServers.manageHosts

backupdr.managementServers.viewBackupPlans

backupdr.managementServers.viewReports

backupdr.managementServers.viewStorage

backupdr.managementServers.viewSystem

backupdr.operations.get

backupdr.operations.list

resourcemanager.projects.get

resourcemanager.projects.list

(roles/backupdr.backupvaultAccessor)

Allows the Backup Appliance permissions to create and manage backups in a backup vault.

backupdr.backupVaults.get

backupdr.backupVaults.list

backupdr.bvbackups.delete

backupdr.bvbackups.get

backupdr.bvbackups.list

backupdr.bvbackups.update

backupdr.bvdataSources.*

backupdr.operations.*

(roles/backupdr.backupvaultAdmin)

Allows the Backup Appliance full administrative control of backup vault resources.

backupdr.backupVaults.*

backupdr.bvbackups.*

backupdr.bvdataSources.get

backupdr.bvdataSources.list

backupdr.bvdataSources.update

backupdr.compute.restoreFromBackupVault

backupdr.locations.*

backupdr.operations.*

(roles/backupdr.backupvaultLister)

Allows the Backup Appliance permission to list backup vaults in a given project.

backupdr.backupVaults.list

(roles/backupdr.backupvaultViewer)

Allows read-only permissions to access backup vault resources and backups.

backupdr.backupVaults.get

backupdr.backupVaults.list

backupdr.bvbackups.get

backupdr.bvbackups.list

backupdr.bvdataSources.get

backupdr.bvdataSources.list

backupdr.operations.get

backupdr.operations.list

(roles/backupdr.cloudStorageOperator)

Allows a Backup and DR service account to store and manage data (backups or metadata) in Cloud Storage.

storage.buckets.create

storage.buckets.get

storage.objects.create

storage.objects.delete

storage.objects.get

storage.objects.list

(roles/backupdr.computeEngineOperator)

Allows a Backup and DR service account to discover, back up, and restore Compute Engine VM instances.

backupdr.managementServers.createConnection

compute.addresses.list

compute.addresses.use

compute.addresses.useInternal

compute.diskTypes.*

compute.disks.create

compute.disks.createSnapshot

compute.disks.delete

compute.disks.get

compute.disks.setLabels

compute.disks.use

compute.firewalls.list

compute.globalOperations.get

compute.images.create

compute.images.delete

compute.images.get

compute.images.useReadOnly

compute.instances.attachDisk

compute.instances.create

compute.instances.createTagBinding

compute.instances.delete

compute.instances.detachDisk

compute.instances.get

compute.instances.list

compute.instances.listEffectiveTags

compute.instances.pscInterfaceCreate

compute.instances.setDeletionProtection

compute.instances.setLabels

compute.instances.setMetadata

compute.instances.setServiceAccount

compute.instances.setTags

compute.instances.start

compute.instances.stop

compute.instances.updateDisplayDevice

compute.instances.useReadOnly

compute.machineTypes.*

compute.networks.list

compute.nodeGroups.get

compute.nodeGroups.list

compute.nodeTemplates.get

compute.projects.get

compute.regionOperations.get

compute.regions.*

compute.resourcePolicies.use

compute.snapshots.create

compute.snapshots.delete

compute.snapshots.get

compute.snapshots.setLabels

compute.snapshots.useReadOnly

compute.subnetworks.list

compute.subnetworks.use

compute.subnetworks.useExternalIp

compute.zoneOperations.get

compute.zones.list

iam.serviceAccounts.actAs

iam.serviceAccounts.get

iam.serviceAccounts.list

resourcemanager.projects.get

resourcemanager.projects.list

(roles/backupdr.managementServerAccessor)

Grants the Backup and DR management server access role to Backup Appliances.

backupdr.managementServers.createConnection

(roles/backupdr.mountUser)

Allows the user to mount from a backup. This role cannot create a backup plan or restore from a backup.

backupdr.locations.*

backupdr.managementServers.access

backupdr.managementServers.get

backupdr.managementServers.getDynamicProtection

backupdr.managementServers.list

backupdr.managementServers.listDynamicProtection

backupdr.managementServers.manageApplications

backupdr.managementServers.manageClones

backupdr.managementServers.manageHosts

backupdr.managementServers.manageLiveClones

backupdr.managementServers.manageMirroring

backupdr.managementServers.manageMounts

backupdr.managementServers.manageWorkflows

backupdr.managementServers.refreshWorkflows

backupdr.managementServers.runWorkflows

backupdr.managementServers.viewBackupPlans

backupdr.managementServers.viewReports

backupdr.managementServers.viewStorage

backupdr.managementServers.viewSystem

backupdr.managementServers.viewWorkflows

backupdr.operations.get

backupdr.operations.list

resourcemanager.projects.get

resourcemanager.projects.list

(roles/backupdr.restoreUser)

Allows the user to restore or mount from a backup. This role cannot create a backup plan.

backupdr.backupVaults.get

backupdr.backupVaults.list

backupdr.bvbackups.get

backupdr.bvbackups.list

backupdr.bvbackups.restore

backupdr.bvdataSources.get

backupdr.bvdataSources.list

backupdr.compute.restoreFromBackupVault

backupdr.locations.*

backupdr.managementServers.access

backupdr.managementServers.get

backupdr.managementServers.getDynamicProtection

backupdr.managementServers.list

backupdr.managementServers.listDynamicProtection

backupdr.managementServers.manageApplications

backupdr.managementServers.manageClones

backupdr.managementServers.manageHosts

backupdr.managementServers.manageLiveClones

backupdr.managementServers.manageMigrations

backupdr.managementServers.manageMirroring

backupdr.managementServers.manageMounts

backupdr.managementServers.manageRestores

backupdr.managementServers.manageWorkflows

backupdr.managementServers.refreshWorkflows

backupdr.managementServers.runWorkflows

backupdr.managementServers.testFailOvers

backupdr.managementServers.viewBackupPlans

backupdr.managementServers.viewReports

backupdr.managementServers.viewStorage

backupdr.managementServers.viewSystem

backupdr.managementServers.viewWorkflows

backupdr.operations.get

backupdr.operations.list

resourcemanager.projects.get

resourcemanager.projects.list

(roles/backupdr.user)

Provides access to management console. Granular Backup and DR permissions depend on ACL configuration provided by Backup and DR admin within the management console.

backupdr.backupPlanAssociations.createForComputeInstance

backupdr.backupPlanAssociations.deleteForComputeInstance

backupdr.managementServers.access

backupdr.managementServers.backupAccess

backupdr.managementServers.get

backupdr.managementServers.getDynamicProtection

backupdr.managementServers.getIamPolicy

backupdr.managementServers.list

backupdr.managementServers.listDynamicProtection

backupdr.managementServers.viewBackupPlans

backupdr.managementServers.viewBackupServers

backupdr.managementServers.viewReports

backupdr.managementServers.viewStorage

backupdr.managementServers.viewSystem

backupdr.managementServers.viewWorkflows

backupdr.operations.get

backupdr.operations.list

resourcemanager.projects.get

resourcemanager.projects.list

(roles/backupdr.userv2)

Provides full access to Backup and DR resources except deploying and managing backup infrastructure, expiring backups, changing data sensitivity and configuring on-premises billing.

backupdr.backupPlanAssociations.*

backupdr.backupPlans.*

backupdr.backupVaults.associate

backupdr.backupVaults.get

backupdr.backupVaults.list

backupdr.bvbackups.get

backupdr.bvbackups.list

backupdr.bvbackups.restore

backupdr.bvdataSources.get

backupdr.bvdataSources.list

backupdr.compute.restoreFromBackupVault

backupdr.locations.*

backupdr.managementServers.access

backupdr.managementServers.assignBackupPlans

backupdr.managementServers.backupAccess

backupdr.managementServers.createDynamicProtection

backupdr.managementServers.deleteDynamicProtection

backupdr.managementServers.get

backupdr.managementServers.getDynamicProtection

backupdr.managementServers.getIamPolicy

backupdr.managementServers.list

backupdr.managementServers.listDynamicProtection

backupdr.managementServers.manageApplications

backupdr.managementServers.manageBackupPlans

backupdr.managementServers.manageBackups

backupdr.managementServers.manageClones

backupdr.managementServers.manageHosts

backupdr.managementServers.manageJobs

backupdr.managementServers.manageLiveClones

backupdr.managementServers.manageMigrations

backupdr.managementServers.manageMirroring

backupdr.managementServers.manageMounts

backupdr.managementServers.manageRestores

backupdr.managementServers.manageWorkflows

backupdr.managementServers.refreshWorkflows

backupdr.managementServers.runWorkflows

backupdr.managementServers.testFailOvers

backupdr.managementServers.viewBackupPlans

backupdr.managementServers.viewBackupServers

backupdr.managementServers.viewReports

backupdr.managementServers.viewStorage

backupdr.managementServers.viewSystem

backupdr.managementServers.viewWorkflows

backupdr.operations.get

backupdr.operations.list

resourcemanager.projects.get

resourcemanager.projects.list

(roles/backupdr.viewer)

Provides read-only access to all Backup and DR resources.

backupdr.backupPlanAssociations.get

backupdr.backupPlanAssociations.list

backupdr.backupPlans.get

backupdr.backupPlans.list

backupdr.backupVaults.get

backupdr.backupVaults.list

backupdr.bvbackups.get

backupdr.bvbackups.list

backupdr.bvdataSources.get

backupdr.bvdataSources.list

backupdr.locations.*

backupdr.managementServers.access

backupdr.managementServers.backupAccess

backupdr.managementServers.get

backupdr.managementServers.getDynamicProtection

backupdr.managementServers.getIamPolicy

backupdr.managementServers.list

backupdr.managementServers.listDynamicProtection

backupdr.managementServers.viewBackupPlans

backupdr.managementServers.viewBackupServers

backupdr.managementServers.viewReports

backupdr.managementServers.viewStorage

backupdr.managementServers.viewSystem

backupdr.managementServers.viewWorkflows

backupdr.operations.get

backupdr.operations.list

resourcemanager.projects.get

resourcemanager.projects.list

Permissions

(roles/gkebackup.admin)

Full access to all Backup for GKE resources.

gkebackup.*

resourcemanager.projects.get

resourcemanager.projects.list

(roles/gkebackup.backupAdmin)

Allows administrators to manage all BackupPlan and Backup resources.

gkebackup.backupPlans.*

gkebackup.backups.*

gkebackup.locations.*

gkebackup.operations.get

gkebackup.operations.list

gkebackup.volumeBackups.*

resourcemanager.projects.get

resourcemanager.projects.list

(roles/gkebackup.delegatedBackupAdmin)

Allows administrators to manage Backup resources for specific BackupPlans

gkebackup.backupPlans.get

gkebackup.backups.*

gkebackup.volumeBackups.*

(roles/gkebackup.delegatedRestoreAdmin)

Allows administrators to manage Restore resources for specific RestorePlans

gkebackup.restorePlans.get

gkebackup.restores.*

gkebackup.volumeRestores.*

(roles/gkebackup.restoreAdmin)

Allows administrators to manage all RestorePlan and Restore resources.

gkebackup.backupPlans.get

gkebackup.backupPlans.list

gkebackup.backups.get

gkebackup.backups.getBackupIndex

gkebackup.backups.list

gkebackup.locations.*

gkebackup.operations.get

gkebackup.operations.list

gkebackup.restorePlans.*

gkebackup.restores.*

gkebackup.volumeBackups.*

gkebackup.volumeRestores.*

resourcemanager.projects.get

resourcemanager.projects.list

(roles/gkebackup.viewer)

Read-only access to all Backup for GKE resources.

gkebackup.backupPlans.get

gkebackup.backupPlans.getIamPolicy

gkebackup.backupPlans.list

gkebackup.backups.get

gkebackup.backups.getBackupIndex

gkebackup.backups.list

gkebackup.locations.*

gkebackup.operations.get

gkebackup.operations.list

gkebackup.restorePlans.get

gkebackup.restorePlans.getIamPolicy

gkebackup.restorePlans.list

gkebackup.restores.get

gkebackup.restores.list

gkebackup.volumeBackups.*

gkebackup.volumeRestores.*

resourcemanager.projects.get

resourcemanager.projects.list

Permissions

(roles/baremetalsolution.admin)

Administrator of Bare Metal Solution resources

baremetalsolution.instancequotas.list

baremetalsolution.instances.*

baremetalsolution.luns.*

baremetalsolution.maintenanceevents.*

baremetalsolution.networkquotas.list

baremetalsolution.networks.*

baremetalsolution.nfsshares.*

baremetalsolution.operations.get

baremetalsolution.osimages.list

baremetalsolution.pods.list

baremetalsolution.procurements.get

baremetalsolution.procurements.list

baremetalsolution.skus.list

baremetalsolution.snapshotschedulepolicies.*

baremetalsolution.sshKeys.*

baremetalsolution.storageaggregatepools.list

baremetalsolution.volumequotas.list

baremetalsolution.volumes.*

baremetalsolution.volumesnapshots.*

resourcemanager.projects.get

resourcemanager.projects.list

(roles/baremetalsolution.editor)

Editor of Bare Metal Solution resources

baremetalsolution.instancequotas.list

baremetalsolution.instances.*

baremetalsolution.luns.*

baremetalsolution.maintenanceevents.*

baremetalsolution.networkquotas.list

baremetalsolution.networks.*

baremetalsolution.nfsshares.*

baremetalsolution.operations.get

baremetalsolution.osimages.list

baremetalsolution.pods.list

baremetalsolution.procurements.get

baremetalsolution.procurements.list

baremetalsolution.skus.list

baremetalsolution.snapshotschedulepolicies.*

baremetalsolution.sshKeys.*

baremetalsolution.storageaggregatepools.list

baremetalsolution.volumequotas.list

baremetalsolution.volumes.*

baremetalsolution.volumesnapshots.*

resourcemanager.projects.get

resourcemanager.projects.list

(roles/baremetalsolution.instancesadmin)

Admin of Bare Metal Solution Instance resources

baremetalsolution.instances.*

baremetalsolution.operations.get

baremetalsolution.osimages.list

baremetalsolution.pods.list

resourcemanager.projects.get

resourcemanager.projects.list

(roles/baremetalsolution.instancesviewer)

Viewer of Bare Metal Solution Instance resources

baremetalsolution.instancequotas.list

baremetalsolution.instances.get

baremetalsolution.instances.list

baremetalsolution.operations.get

resourcemanager.projects.get

resourcemanager.projects.list

(roles/baremetalsolution.lunsadmin)

Administrator of Bare Metal Solution Lun resources

baremetalsolution.luns.get

baremetalsolution.luns.list

baremetalsolution.operations.get

(roles/baremetalsolution.lunsviewer)

Viewer of Bare Metal Solution Lun resources

baremetalsolution.luns.get

baremetalsolution.luns.list

baremetalsolution.operations.get

(roles/baremetalsolution.maintenanceeventsadmin)

Administrator of Bare Metal Solution maintenance events resources

baremetalsolution.maintenanceevents.*

(roles/baremetalsolution.maintenanceeventseditor)

Editor of Bare Metal Solution maintenance events resources

baremetalsolution.maintenanceevents.*

(roles/baremetalsolution.maintenanceeventsviewer)

Viewer of Bare Metal Solution maintenance events resources

baremetalsolution.maintenanceevents.get

baremetalsolution.maintenanceevents.list

(roles/baremetalsolution.networksadmin)

Admin of Bare Metal Solution networks resources

baremetalsolution.networkquotas.list

baremetalsolution.networks.*

baremetalsolution.operations.get

baremetalsolution.pods.list

(roles/baremetalsolution.nfssharesadmin)

Administrator of Bare Metal Solution NFS Share resources

baremetalsolution.nfsshares.*

baremetalsolution.operations.get

baremetalsolution.pods.list

(roles/baremetalsolution.nfsshareseditor)

Editor of Bare Metal Solution NFS Share resources

baremetalsolution.nfsshares.*

baremetalsolution.operations.get

baremetalsolution.pods.list

(roles/baremetalsolution.nfssharesviewer)

Viewer of Bare Metal Solution NFS Share resources

baremetalsolution.nfsshares.get

baremetalsolution.nfsshares.list

baremetalsolution.operations.get

(roles/baremetalsolution.osimagesviewer)

Viewer of Bare Metal Solution OS images resources

baremetalsolution.osimages.list

(roles/baremetalsolution.procurementsadmin)

Administrator of Bare Metal Solution Procurements

baremetalsolution.pods.list

baremetalsolution.procurements.*

baremetalsolution.skus.list

(roles/baremetalsolution.procurementseditor)

Editor of Bare Metal Solution Procurements

baremetalsolution.pods.list

baremetalsolution.procurements.*

baremetalsolution.skus.list

(roles/baremetalsolution.procurementsviewer)

Viewer of Bare Metal Solution Procurements

baremetalsolution.procurements.get

baremetalsolution.procurements.list

baremetalsolution.skus.list

(roles/baremetalsolution.storageadmin)

Administrator of Bare Metal Solution storage resources

baremetalsolution.luns.*

baremetalsolution.nfsshares.*

baremetalsolution.operations.get

baremetalsolution.pods.list

baremetalsolution.snapshotschedulepolicies.*

baremetalsolution.storageaggregatepools.list

baremetalsolution.volumequotas.list

baremetalsolution.volumes.*

baremetalsolution.volumesnapshots.*

resourcemanager.projects.get

resourcemanager.projects.list

(roles/baremetalsolution.viewer)

Viewer of Bare Metal Solution resources

baremetalsolution.instancequotas.list

baremetalsolution.instances.get

baremetalsolution.instances.list

baremetalsolution.luns.get

baremetalsolution.luns.list

baremetalsolution.maintenanceevents.get

baremetalsolution.maintenanceevents.list

baremetalsolution.networkquotas.list

baremetalsolution.networks.get

baremetalsolution.networks.list

baremetalsolution.nfsshares.get

baremetalsolution.nfsshares.list

baremetalsolution.operations.get

baremetalsolution.osimages.list

baremetalsolution.pods.list

baremetalsolution.procurements.get

baremetalsolution.procurements.list

baremetalsolution.skus.list

baremetalsolution.snapshotschedulepolicies.get

baremetalsolution.snapshotschedulepolicies.list

baremetalsolution.sshKeys.list

baremetalsolution.storageaggregatepools.list

baremetalsolution.volumequotas.list

baremetalsolution.volumes.get

baremetalsolution.volumes.list

baremetalsolution.volumesnapshots.get

baremetalsolution.volumesnapshots.list

resourcemanager.projects.get

resourcemanager.projects.list

(roles/baremetalsolution.volumesadmin)

Administrator of Bare Metal Solution volume resources

baremetalsolution.operations.get

baremetalsolution.pods.list

baremetalsolution.volumes.*

(roles/baremetalsolution.volumeseditor)

Editor of Bare Metal Solution volumes resources

baremetalsolution.operations.get

baremetalsolution.pods.list

baremetalsolution.volumequotas.list

baremetalsolution.volumes.create

baremetalsolution.volumes.delete

baremetalsolution.volumes.get

baremetalsolution.volumes.list

baremetalsolution.volumes.rename

baremetalsolution.volumes.resize

baremetalsolution.volumes.update

(roles/baremetalsolution.volumesnapshotsadmin)

Administrator of Bare Metal Solution snapshots resources

baremetalsolution.operations.get

baremetalsolution.volumesnapshots.*

(roles/baremetalsolution.volumesnapshotseditor)

Editor of Bare Metal Solution snapshots resources

baremetalsolution.operations.get

baremetalsolution.volumesnapshots.create

baremetalsolution.volumesnapshots.delete

baremetalsolution.volumesnapshots.get

baremetalsolution.volumesnapshots.list

(roles/baremetalsolution.volumesnapshotsviewer)

Viewer of Bare Metal Solution snapshots resources

baremetalsolution.operations.get

baremetalsolution.volumesnapshots.get

baremetalsolution.volumesnapshots.list

(roles/baremetalsolution.volumessviewer)

Viewer of Bare Metal Solution volumes resources

baremetalsolution.operations.get

baremetalsolution.volumes.get

baremetalsolution.volumes.list

Permissions

(roles/beyondcorp.admin)

Full access to all Cloud BeyondCorp resources.

beyondcorp.appConnections.*

beyondcorp.appConnectors.*

beyondcorp.appGateways.*

beyondcorp.clientConnectorServices.create

beyondcorp.clientConnectorServices.delete

beyondcorp.clientConnectorServices.get

beyondcorp.clientConnectorServices.getIamPolicy

beyondcorp.clientConnectorServices.list

beyondcorp.clientConnectorServices.setIamPolicy

beyondcorp.clientConnectorServices.update

beyondcorp.clientGateways.*

beyondcorp.locations.*

beyondcorp.operations.*

beyondcorp.subscriptions.*

resourcemanager.projects.get

resourcemanager.projects.list

(roles/beyondcorp.clientConnectorAdmin)

Full access to all BeyondCorp Client Connector resources.

beyondcorp.clientConnectorServices.create

beyondcorp.clientConnectorServices.delete

beyondcorp.clientConnectorServices.get

beyondcorp.clientConnectorServices.getIamPolicy

beyondcorp.clientConnectorServices.list

beyondcorp.clientConnectorServices.setIamPolicy

beyondcorp.clientConnectorServices.update

beyondcorp.clientGateways.*

resourcemanager.projects.get

resourcemanager.projects.list

(roles/beyondcorp.clientConnectorServiceUser)

Access Client Connector Service

beyondcorp.clientConnectorServices.access

(roles/beyondcorp.clientConnectorViewer)

Read-only access to all BeyondCorp Client Connector resources.

beyondcorp.clientConnectorServices.get

beyondcorp.clientConnectorServices.getIamPolicy

beyondcorp.clientConnectorServices.list

beyondcorp.clientGateways.get

beyondcorp.clientGateways.getIamPolicy

beyondcorp.clientGateways.list

resourcemanager.projects.get

resourcemanager.projects.list

(roles/beyondcorp.partnerServiceDelegateAdmin)

Delegates access to all BeyondCorp partner service resources to a BeyondCorp Enterprise partner.

beyondcorp.operations.*

beyondcorp.partnerTenants.*

beyondcorp.proxyConfigs.*

resourcemanager.organizations.get

(roles/beyondcorp.partnerServiceDelegateViewer)

Delegates read-only access to all BeyondCorp partner service resources to a BeyondCorp Enterprise partner.

beyondcorp.partnerTenants.get

beyondcorp.partnerTenants.list

beyondcorp.proxyConfigs.get

beyondcorp.proxyConfigs.list

resourcemanager.organizations.get

(roles/beyondcorp.subscriptionAdmin)

Full access to all BeyondCorp Subscription resources.

beyondcorp.subscriptions.*

resourcemanager.organizations.get

(roles/beyondcorp.subscriptionViewer)

Read-only access to all BeyondCorp Subscription resources.

beyondcorp.subscriptions.get

beyondcorp.subscriptions.list

resourcemanager.organizations.get

(roles/beyondcorp.viewer)

Read-only access to all Cloud BeyondCorp resources.

beyondcorp.appConnections.get

beyondcorp.appConnections.getIamPolicy

beyondcorp.appConnections.list

beyondcorp.appConnectors.get

beyondcorp.appConnectors.getIamPolicy

beyondcorp.appConnectors.list

beyondcorp.appGateways.get

beyondcorp.appGateways.getIamPolicy

beyondcorp.appGateways.list

beyondcorp.clientConnectorServices.get

beyondcorp.clientConnectorServices.getIamPolicy

beyondcorp.clientConnectorServices.list

beyondcorp.clientGateways.get

beyondcorp.clientGateways.getIamPolicy

beyondcorp.clientGateways.list

beyondcorp.locations.*

beyondcorp.operations.get

beyondcorp.operations.list

beyondcorp.subscriptions.get

beyondcorp.subscriptions.list

resourcemanager.organizations.get

resourcemanager.projects.get

resourcemanager.projects.list

Permissions

(roles/bigquery.admin)

Provides permissions to manage all resources within the project. Can manage all data within the project, and can cancel jobs from other users running within the project.

Lowest-level resources where you can grant this role:

  • Datasets
  • Row access policies
  • Tables
  • Views

bigquery.bireservations.*

bigquery.capacityCommitments.*

bigquery.config.*

bigquery.connections.*

bigquery.dataPolicies.create

bigquery.dataPolicies.delete

bigquery.dataPolicies.get

bigquery.dataPolicies.getIamPolicy

bigquery.dataPolicies.list

bigquery.dataPolicies.setIamPolicy

bigquery.dataPolicies.update

bigquery.datasets.*

bigquery.jobs.*

bigquery.models.*

bigquery.readsessions.*

bigquery.reservationAssignments.*

bigquery.reservations.*

bigquery.routines.*

bigquery.rowAccessPolicies.create

bigquery.rowAccessPolicies.delete

bigquery.rowAccessPolicies.getIamPolicy

bigquery.rowAccessPolicies.list

bigquery.rowAccessPolicies.overrideTimeTravelRestrictions

bigquery.rowAccessPolicies.setIamPolicy

bigquery.rowAccessPolicies.update

bigquery.savedqueries.*

bigquery.tables.*

bigquery.transfers.*

bigquerymigration.translation.translate

dataform.*

dataplex.projects.search

resourcemanager.projects.get

resourcemanager.projects.list

(roles/bigquery.connectionAdmin)

bigquery.connections.*

(roles/bigquery.connectionUser)

bigquery.connections.get

bigquery.connections.getIamPolicy

bigquery.connections.list

bigquery.connections.use

(roles/bigquery.dataEditor)

When applied to a table or view, this role provides permissions to:

  • Read and update data and metadata for the table or view.
  • Delete the table or view.

This role cannot be applied to individual models or routines.

When applied to a dataset, this role provides permissions to:

  • Read the dataset's metadata and list tables in the dataset.
  • Create, update, get, and delete the dataset's tables.

When applied at the project or organization level, this role can also create new datasets.

Lowest-level resources where you can grant this role:

  • Table
  • View

bigquery.config.get

bigquery.datasets.create

bigquery.datasets.get

bigquery.datasets.getIamPolicy

bigquery.datasets.updateTag

bigquery.models.*

bigquery.routines.*

bigquery.tables.create

bigquery.tables.createIndex

bigquery.tables.createSnapshot

bigquery.tables.delete

bigquery.tables.deleteIndex

bigquery.tables.export

bigquery.tables.get

bigquery.tables.getData

bigquery.tables.getIamPolicy

bigquery.tables.list

bigquery.tables.replicateData

bigquery.tables.restoreSnapshot

bigquery.tables.update

bigquery.tables.updateData

bigquery.tables.updateTag

resourcemanager.projects.get

resourcemanager.projects.list

(roles/bigquery.dataOwner)

When applied to a table or view, this role provides permissions to:

  • Read and update data and metadata for the table or view.
  • Share the table or view.
  • Delete the table or view.

This role cannot be applied to individual models or routines.

When applied to a dataset, this role provides permissions to:

  • Read, update, and delete the dataset.
  • Create, update, get, and delete the dataset's tables.

When applied at the project or organization level, this role can also create new datasets.

Lowest-level resources where you can grant this role:

  • Table
  • View

bigquery.config.get

bigquery.dataPolicies.create

bigquery.dataPolicies.delete

bigquery.dataPolicies.get

bigquery.dataPolicies.getIamPolicy

bigquery.dataPolicies.list

bigquery.dataPolicies.setIamPolicy

bigquery.dataPolicies.update

bigquery.datasets.*

bigquery.models.*

bigquery.routines.*

bigquery.rowAccessPolicies.create

bigquery.rowAccessPolicies.delete

bigquery.rowAccessPolicies.getIamPolicy

bigquery.rowAccessPolicies.list

bigquery.rowAccessPolicies.setIamPolicy

bigquery.rowAccessPolicies.update

bigquery.tables.*

resourcemanager.projects.get

resourcemanager.projects.list

(roles/bigquery.dataViewer)

When applied to a table or view, this role provides permissions to:

  • Read data and metadata from the table or view.

This role cannot be applied to individual models or routines.

When applied to a dataset, this role provides permissions to list all of the resources in the dataset (such as tables, views, snapshots, models, and routines) and to read their data and metadata with applicable APIs and in queries.

When applied at the project or organization level, this role can also enumerate all datasets in the project. Additional roles, however, are necessary to allow the running of jobs.

Lowest-level resources where you can grant this role:

  • Table
  • View

bigquery.datasets.get

bigquery.datasets.getIamPolicy

bigquery.models.export

bigquery.models.getData

bigquery.models.getMetadata

bigquery.models.list

bigquery.routines.get

bigquery.routines.list

bigquery.tables.createSnapshot

bigquery.tables.export

bigquery.tables.get

bigquery.tables.getData

bigquery.tables.getIamPolicy

bigquery.tables.list

bigquery.tables.replicateData

resourcemanager.projects.get

resourcemanager.projects.list

(roles/bigquery.filteredDataViewer)

Access to view filtered table data defined by a row access policy

bigquery.rowAccessPolicies.getFilteredData

(roles/bigquery.jobUser)

Provides permissions to run jobs, including queries, within the project.

Lowest-level resources where you can grant this role:

  • Project

bigquery.config.get

bigquery.jobs.create

dataform.locations.*

dataform.repositories.create

dataform.repositories.list

resourcemanager.projects.get

resourcemanager.projects.list

(roles/bigquery.metadataViewer)

When applied to a table or view, this role provides permissions to:

  • Read metadata from the table or view.

This role cannot be applied to individual models or routines.

When applied to a dataset, this role provides permissions to:

  • List tables and views in the dataset.
  • Read metadata from the dataset's tables and views.

When applied at the project or organization level, this role provides permissions to:

  • List all datasets and read metadata for all datasets in the project.
  • List all tables and views and read metadata for all tables and views in the project.

Additional roles are necessary to allow the running of jobs.

Lowest-level resources where you can grant this role:

  • Table
  • View

bigquery.datasets.get

bigquery.datasets.getIamPolicy

bigquery.models.getMetadata

bigquery.models.list

bigquery.routines.get

bigquery.routines.list

bigquery.tables.get

bigquery.tables.getIamPolicy

bigquery.tables.list

dataplex.projects.search

resourcemanager.projects.get

resourcemanager.projects.list

(roles/bigquery.readSessionUser)

Provides the ability to create and use read sessions.

Lowest-level resources where you can grant this role:

  • Project

bigquery.readsessions.*

resourcemanager.projects.get

resourcemanager.projects.list

(roles/bigquery.resourceAdmin)

Administers BigQuery workloads, including slot assignments, commitments, and reservations.

bigquery.bireservations.*

bigquery.capacityCommitments.*

bigquery.jobs.get

bigquery.jobs.list

bigquery.jobs.listAll

bigquery.jobs.listExecutionMetadata

bigquery.reservationAssignments.*

bigquery.reservations.*

recommender.bigqueryCapacityCommitmentsInsights.*

recommender.bigqueryCapacityCommitmentsRecommendations.*

resourcemanager.projects.get

resourcemanager.projects.list

(roles/bigquery.resourceEditor)

Manages BigQuery workloads, but is unable to create or modify slot commitments.

bigquery.bireservations.get

bigquery.capacityCommitments.get

bigquery.capacityCommitments.list

bigquery.jobs.get

bigquery.jobs.list

bigquery.jobs.listAll

bigquery.jobs.listExecutionMetadata

bigquery.reservationAssignments.*

bigquery.reservations.*

resourcemanager.projects.get

resourcemanager.projects.list

(roles/bigquery.resourceViewer)

Can view BigQuery workloads, but cannot create or modify slot reservations or commitments.

bigquery.bireservations.get

bigquery.capacityCommitments.get

bigquery.capacityCommitments.list

bigquery.jobs.get

bigquery.jobs.list

bigquery.jobs.listAll

bigquery.jobs.listExecutionMetadata

bigquery.reservationAssignments.list

bigquery.reservationAssignments.search

bigquery.reservations.get

bigquery.reservations.list

resourcemanager.projects.get

resourcemanager.projects.list

(roles/bigquery.studioAdmin)

Combination role of BigQuery Admin, Dataform Admin, and Notebook Runtime Admin.

aiplatform.notebookRuntimeTemplates.*

aiplatform.notebookRuntimes.*

aiplatform.operations.list

bigquery.bireservations.*

bigquery.capacityCommitments.*

bigquery.config.*

bigquery.connections.*

bigquery.dataPolicies.create

bigquery.dataPolicies.delete

bigquery.dataPolicies.get

bigquery.dataPolicies.getIamPolicy

bigquery.dataPolicies.list

bigquery.dataPolicies.setIamPolicy

bigquery.dataPolicies.update

bigquery.datasets.*

bigquery.jobs.*

bigquery.models.*

bigquery.readsessions.*

bigquery.reservationAssignments.*

bigquery.reservations.*

bigquery.routines.*

bigquery.rowAccessPolicies.create

bigquery.rowAccessPolicies.delete

bigquery.rowAccessPolicies.getIamPolicy

bigquery.rowAccessPolicies.list

bigquery.rowAccessPolicies.overrideTimeTravelRestrictions

bigquery.rowAccessPolicies.setIamPolicy

bigquery.rowAccessPolicies.update

bigquery.savedqueries.*

bigquery.tables.*

bigquery.transfers.*

bigquerymigration.translation.translate

compute.reservations.get

compute.reservations.list

dataform.*

dataplex.projects.search

resourcemanager.projects.get

resourcemanager.projects.list

(roles/bigquery.studioUser)

Combination role of BigQuery Job User, BigQuery Read Session User, Dataform Code Creator, and Notebook Runtime User.

aiplatform.notebookRuntimeTemplates.apply

aiplatform.notebookRuntimeTemplates.get

aiplatform.notebookRuntimeTemplates.getIamPolicy

aiplatform.notebookRuntimeTemplates.list

aiplatform.notebookRuntimes.assign

aiplatform.notebookRuntimes.get

aiplatform.notebookRuntimes.list

aiplatform.operations.list

bigquery.config.get

bigquery.jobs.create

bigquery.readsessions.*

dataform.locations.*

dataform.repositories.create

dataform.repositories.list

dataplex.projects.search

resourcemanager.projects.get

resourcemanager.projects.list

(roles/bigquery.user)

When applied to a dataset, this role provides the ability to read the dataset's metadata and list tables in the dataset.

When applied to a project, this role also provides the ability to run jobs, including queries, within the project. A principal with this role can enumerate their own jobs, cancel their own jobs, and enumerate datasets within a project. Additionally, allows the creation of new datasets within the project; the creator is granted the BigQuery Data Owner role (roles/bigquery.dataOwner) on these new datasets.

Lowest-level resources where you can grant this role:

  • Dataset

bigquery.bireservations.get

bigquery.capacityCommitments.get

bigquery.capacityCommitments.list

bigquery.config.get

bigquery.datasets.create

bigquery.datasets.get

bigquery.datasets.getIamPolicy

bigquery.jobs.create

bigquery.jobs.list

bigquery.models.list

bigquery.readsessions.*

bigquery.reservationAssignments.list

bigquery.reservationAssignments.search

bigquery.reservations.get

bigquery.reservations.list

bigquery.routines.list

bigquery.savedqueries.get

bigquery.savedqueries.list

bigquery.tables.list

bigquery.transfers.get

bigquerymigration.translation.translate

dataform.locations.*

dataform.repositories.create

dataform.repositories.list

dataplex.projects.search

resourcemanager.projects.get

resourcemanager.projects.list

(roles/bigquerydatapolicy.admin)

Role for managing Data Policies in BigQuery

bigquery.dataPolicies.create

bigquery.dataPolicies.delete

bigquery.dataPolicies.get

bigquery.dataPolicies.getIamPolicy

bigquery.dataPolicies.list

bigquery.dataPolicies.setIamPolicy

bigquery.dataPolicies.update

(roles/bigquerydatapolicy.maskedReader)

Masked read access to sub-resources tagged by the policy tag associated with a data policy, for example, BigQuery columns

bigquery.dataPolicies.maskedGet

(roles/bigquerydatapolicy.rawDataReader)

Raw read access to sub-resources associated with a data policy, for example, BigQuery columns

bigquery.dataPolicies.getRawData

(roles/bigquerydatapolicy.viewer)

Role for viewing Data Policies in BigQuery

bigquery.dataPolicies.get

bigquery.dataPolicies.list

Permissions

(roles/billing.admin)

Provides access to see and manage all aspects of billing accounts.

Lowest-level resources where you can grant this role:

  • Billing Account

billing.accounts.close

billing.accounts.get

billing.accounts.getCarbonInformation

billing.accounts.getIamPolicy

billing.accounts.getPaymentInfo

billing.accounts.getPricing

billing.accounts.getSpendingInformation

billing.accounts.getUsageExportSpec

billing.accounts.list

billing.accounts.move

billing.accounts.redeemPromotion

billing.accounts.removeFromOrganization

billing.accounts.reopen

billing.accounts.setIamPolicy

billing.accounts.update

billing.accounts.updatePaymentInfo

billing.accounts.updateUsageExportSpec

billing.billingAccountPrice.get

billing.billingAccountPrices.list

billing.billingAccountServices.*

billing.billingAccountSkuGroupSkus.*

billing.billingAccountSkuGroups.*

billing.billingAccountSkus.*

billing.budgets.*

billing.credits.list

billing.finOpsBenchmarkInformation.get

billing.finOpsHealthInformation.get

billing.resourceAssociations.*

billing.subscriptions.*

cloudasset.assets.searchAllResources

cloudnotifications.activities.list

cloudsupport.properties.get

cloudsupport.techCases.*

commerceoffercatalog.*

compute.commitments.*

consumerprocurement.accounts.*

consumerprocurement.consents.check

consumerprocurement.consents.grant

consumerprocurement.consents.list

consumerprocurement.consents.revoke

consumerprocurement.events.*

consumerprocurement.licensePools.*

consumerprocurement.orderAttributions.*

consumerprocurement.orders.*

dataprocessing.datasources.get

dataprocessing.datasources.list

dataprocessing.groupcontrols.get

dataprocessing.groupcontrols.list

logging.logEntries.list

logging.logServiceIndexes.list

logging.logServices.list

logging.logs.list

logging.privateLogEntries.list

recommender.cloudsqlIdleInstanceRecommendations.get

recommender.cloudsqlIdleInstanceRecommendations.list

recommender.cloudsqlOverprovisionedInstanceRecommendations.get

recommender.cloudsqlOverprovisionedInstanceRecommendations.list

recommender.commitmentUtilizationInsights.*

recommender.computeAddressIdleResourceRecommendations.get

recommender.computeAddressIdleResourceRecommendations.list

recommender.computeDiskIdleResourceRecommendations.get

recommender.computeDiskIdleResourceRecommendations.list

recommender.computeImageIdleResourceRecommendations.get

recommender.computeImageIdleResourceRecommendations.list

recommender.computeInstanceGroupManagerMachineTypeRecommendations.get

recommender.computeInstanceGroupManagerMachineTypeRecommendations.list

recommender.computeInstanceIdleResourceRecommendations.get

recommender.computeInstanceIdleResourceRecommendations.list

recommender.computeInstanceMachineTypeRecommendations.get

recommender.computeInstanceMachineTypeRecommendations.list

recommender.costInsights.*

recommender.costRecommendations.*

recommender.resourcemanagerProjectUtilizationRecommendations.get

recommender.resourcemanagerProjectUtilizationRecommendations.list

recommender.spendBasedCommitmentInsights.*

recommender.spendBasedCommitmentRecommendations.*

recommender.spendBasedCommitmentRecommenderConfig.*

recommender.usageCommitmentRecommendations.*

resourcemanager.projects.createBillingAssignment

resourcemanager.projects.deleteBillingAssignment

resourcemanager.projects.get

resourcemanager.projects.list

(roles/billing.costsManager)

Manage budgets for a billing account, and view, analyze, and export cost information of a billing account.

Lowest-level resources where you can grant this role:

  • Billing Account

billing.accounts.get

billing.accounts.getIamPolicy

billing.accounts.getSpendingInformation

billing.accounts.getUsageExportSpec

billing.accounts.list

billing.accounts.updateUsageExportSpec

billing.budgets.*

billing.resourceAssociations.list

recommender.costInsights.*

(roles/billing.creator)

Provides access to create billing accounts.

Lowest-level resources where you can grant this role:

  • Organization

billing.accounts.create

resourcemanager.organizations.get

(roles/billing.projectManager)

When granted in conjunction with the Billing Account User role, provides access to assign a project's billing account or disable its billing.

Lowest-level resources where you can grant this role:

  • Project

resourcemanager.projects.createBillingAssignment

resourcemanager.projects.deleteBillingAssignment

(roles/billing.user)

When granted in conjunction with the Project Owner role or Project Billing Manager role, provides access to associate projects with billing accounts.

Lowest-level resources where you can grant this role:

  • Billing Account

billing.accounts.get

billing.accounts.getIamPolicy

billing.accounts.list

billing.accounts.redeemPromotion

billing.credits.list

billing.resourceAssociations.create

(roles/billing.viewer)

View billing account cost and pricing information, transactions, and billing and commitment recommendations.

Lowest-level resources where you can grant this role:

  • Billing Account

billing.accounts.get

billing.accounts.getCarbonInformation

billing.accounts.getIamPolicy

billing.accounts.getPaymentInfo

billing.accounts.getPricing

billing.accounts.getSpendingInformation

billing.accounts.getUsageExportSpec

billing.accounts.list

billing.billingAccountPrice.get

billing.billingAccountPrices.list

billing.billingAccountServices.*

billing.billingAccountSkuGroupSkus.*

billing.billingAccountSkuGroups.*

billing.billingAccountSkus.*

billing.budgets.get

billing.budgets.list

billing.credits.list

billing.finOpsBenchmarkInformation.get

billing.finOpsHealthInformation.get

billing.resourceAssociations.list

billing.subscriptions.get

billing.subscriptions.list

commerceoffercatalog.*

consumerprocurement.accounts.get

consumerprocurement.accounts.list

consumerprocurement.consents.check

consumerprocurement.consents.list

consumerprocurement.orderAttributions.get

consumerprocurement.orderAttributions.list

consumerprocurement.orders.get

consumerprocurement.orders.list

dataprocessing.datasources.get

dataprocessing.datasources.list

dataprocessing.groupcontrols.get

dataprocessing.groupcontrols.list

recommender.commitmentUtilizationInsights.get

recommender.commitmentUtilizationInsights.list

recommender.costInsights.get

recommender.costInsights.list

recommender.costRecommendations.*

recommender.spendBasedCommitmentInsights.get

recommender.spendBasedCommitmentInsights.list

recommender.spendBasedCommitmentRecommendations.get

recommender.spendBasedCommitmentRecommendations.list

recommender.spendBasedCommitmentRecommenderConfig.get

recommender.usageCommitmentRecommendations.get

recommender.usageCommitmentRecommendations.list

Permissions

(roles/binaryauthorization.attestorsAdmin)

Administrator of Binary Authorization Attestors

binaryauthorization.attestors.*

resourcemanager.projects.get

resourcemanager.projects.list

(roles/binaryauthorization.attestorsEditor)

Editor of Binary Authorization Attestors

binaryauthorization.attestors.create

binaryauthorization.attestors.delete

binaryauthorization.attestors.get

binaryauthorization.attestors.list

binaryauthorization.attestors.update

binaryauthorization.attestors.verifyImageAttested

resourcemanager.projects.get

resourcemanager.projects.list

(roles/binaryauthorization.attestorsVerifier)

Caller of Binary Authorization Attestors VerifyImageAttested

binaryauthorization.attestors.get

binaryauthorization.attestors.list

binaryauthorization.attestors.verifyImageAttested

resourcemanager.projects.get

resourcemanager.projects.list

(roles/binaryauthorization.attestorsViewer)

Viewer of Binary Authorization Attestors

binaryauthorization.attestors.get

binaryauthorization.attestors.list

resourcemanager.projects.get

resourcemanager.projects.list

(roles/binaryauthorization.policyAdmin)

Administrator of Binary Authorization Policy

binaryauthorization.continuousValidationConfig.*

binaryauthorization.platformPolicies.*

binaryauthorization.policy.*

resourcemanager.projects.get

resourcemanager.projects.list

(roles/binaryauthorization.policyEditor)

Editor of Binary Authorization Policy

binaryauthorization.continuousValidationConfig.get

binaryauthorization.continuousValidationConfig.update

binaryauthorization.platformPolicies.*

binaryauthorization.policy.evaluatePolicy

binaryauthorization.policy.get

binaryauthorization.policy.update

resourcemanager.projects.get

resourcemanager.projects.list

(roles/binaryauthorization.policyEvaluator)

Evaluator of Binary Authorization Policy

binaryauthorization.platformPolicies.evaluatePolicy

binaryauthorization.platformPolicies.get

binaryauthorization.platformPolicies.list

binaryauthorization.policy.evaluatePolicy

binaryauthorization.policy.get

resourcemanager.projects.get

resourcemanager.projects.list

(roles/binaryauthorization.policyViewer)

Viewer of Binary Authorization Policy

binaryauthorization.continuousValidationConfig.get

binaryauthorization.platformPolicies.get

binaryauthorization.platformPolicies.list

binaryauthorization.policy.get

resourcemanager.projects.get

resourcemanager.projects.list

Permissions

(roles/privateca.admin)

Full access to all CA Service resources.

privateca.*

resourcemanager.projects.get

resourcemanager.projects.list

storage.buckets.create

(roles/privateca.auditor)

Read-only access to all CA Service resources.

privateca.caPools.get

privateca.caPools.getIamPolicy

privateca.caPools.list

privateca.certificateAuthorities.get

privateca.certificateAuthorities.getIamPolicy

privateca.certificateAuthorities.list

privateca.certificateRevocationLists.get

privateca.certificateRevocationLists.getIamPolicy

privateca.certificateRevocationLists.list

privateca.certificateTemplates.get

privateca.certificateTemplates.getIamPolicy

privateca.certificateTemplates.list

privateca.certificates.get

privateca.certificates.getIamPolicy

privateca.certificates.list

privateca.locations.*

privateca.operations.get

privateca.operations.list

privateca.reusableConfigs.get

privateca.reusableConfigs.getIamPolicy

privateca.reusableConfigs.list

resourcemanager.projects.get

resourcemanager.projects.list

(roles/privateca.caManager)

Create and manage CAs, revoke certificates, create certificates templates, and read-only access for CA Service resources.

privateca.caPools.create

privateca.caPools.delete

privateca.caPools.get

privateca.caPools.getIamPolicy

privateca.caPools.list

privateca.caPools.update

privateca.certificateAuthorities.create

privateca.certificateAuthorities.delete

privateca.certificateAuthorities.get

privateca.certificateAuthorities.getIamPolicy

privateca.certificateAuthorities.list

privateca.certificateAuthorities.update

privateca.certificateRevocationLists.get

privateca.certificateRevocationLists.getIamPolicy

privateca.certificateRevocationLists.list

privateca.certificateRevocationLists.update

privateca.certificateTemplates.create

privateca.certificateTemplates.delete

privateca.certificateTemplates.get

privateca.certificateTemplates.getIamPolicy

privateca.certificateTemplates.list

privateca.certificateTemplates.update

privateca.certificates.get

privateca.certificates.getIamPolicy

privateca.certificates.list

privateca.certificates.update

privateca.locations.*

privateca.operations.get

privateca.operations.list

privateca.reusableConfigs.create

privateca.reusableConfigs.delete

privateca.reusableConfigs.get

privateca.reusableConfigs.getIamPolicy

privateca.reusableConfigs.list

privateca.reusableConfigs.update

resourcemanager.projects.get

resourcemanager.projects.list

storage.buckets.create

(roles/privateca.certificateManager)

Create certificates and read-only access for CA Service resources.

privateca.caPools.get

privateca.caPools.getIamPolicy

privateca.caPools.list

privateca.certificateAuthorities.get

privateca.certificateAuthorities.getIamPolicy

privateca.certificateAuthorities.list

privateca.certificateRevocationLists.get

privateca.certificateRevocationLists.getIamPolicy

privateca.certificateRevocationLists.list

privateca.certificateTemplates.get

privateca.certificateTemplates.getIamPolicy

privateca.certificateTemplates.list

privateca.certificates.create

privateca.certificates.get

privateca.certificates.getIamPolicy

privateca.certificates.list

privateca.locations.*

privateca.operations.get

privateca.operations.list

privateca.reusableConfigs.get

privateca.reusableConfigs.getIamPolicy

privateca.reusableConfigs.list

resourcemanager.projects.get

resourcemanager.projects.list

(roles/privateca.certificateRequester)

Request certificates from CA Service.

privateca.certificates.create

(roles/privateca.poolReader)

Read CA Pools in CA Service.

privateca.caPools.get

(roles/privateca.templateUser)

Read, list and use certificate templates.

privateca.certificateTemplates.get

privateca.certificateTemplates.list

privateca.certificateTemplates.use

(roles/privateca.workloadCertificateRequester)

Request certificates from CA Service with caller's identity.

privateca.certificates.createForSelf

Permissions

(roles/certificatemanager.editor)

Edit access to Certificate Manager all resources.

certificatemanager.certissuanceconfigs.create

certificatemanager.certissuanceconfigs.get

certificatemanager.certissuanceconfigs.list

certificatemanager.certissuanceconfigs.update

certificatemanager.certissuanceconfigs.use

certificatemanager.certmapentries.create

certificatemanager.certmapentries.get

certificatemanager.certmapentries.list

certificatemanager.certmapentries.update

certificatemanager.certmaps.create

certificatemanager.certmaps.get

certificatemanager.certmaps.list

certificatemanager.certmaps.update

certificatemanager.certmaps.use

certificatemanager.certs.create

certificatemanager.certs.get

certificatemanager.certs.list

certificatemanager.certs.update

certificatemanager.certs.use

certificatemanager.dnsauthorizations.create

certificatemanager.dnsauthorizations.get

certificatemanager.dnsauthorizations.list

certificatemanager.dnsauthorizations.update

certificatemanager.dnsauthorizations.use

certificatemanager.locations.*

certificatemanager.operations.get

certificatemanager.operations.list

certificatemanager.trustconfigs.create

certificatemanager.trustconfigs.get

certificatemanager.trustconfigs.list

certificatemanager.trustconfigs.update

certificatemanager.trustconfigs.use

resourcemanager.projects.get

resourcemanager.projects.list

(roles/certificatemanager.owner)

Full access to Certificate Manager all resources.

certificatemanager.*

resourcemanager.projects.get

resourcemanager.projects.list

(roles/certificatemanager.viewer)

Read-only access to Certificate Manager all resources.

certificatemanager.certissuanceconfigs.get

certificatemanager.certissuanceconfigs.list

certificatemanager.certmapentries.get

certificatemanager.certmapentries.list

certificatemanager.certmaps.get

certificatemanager.certmaps.list

certificatemanager.certs.get

certificatemanager.certs.list

certificatemanager.dnsauthorizations.get

certificatemanager.dnsauthorizations.list

certificatemanager.locations.*

certificatemanager.operations.get

certificatemanager.operations.list

certificatemanager.trustconfigs.get

certificatemanager.trustconfigs.list

resourcemanager.projects.get

resourcemanager.projects.list

Permissions

(roles/chat.owner)

Can view and modify app configurations

chat.*

(roles/chat.reader)

Can view app configurations

chat.bots.get

Permissions

(roles/chronicle.admin)

Full access to the Chronicle API services, including global settings.

chronicle.ais.*

chronicle.analyticValues.list

chronicle.analytics.list

chronicle.bigQueryAccess.provide

chronicle.cases.countPriorities

chronicle.collectors.*

chronicle.conversations.*

chronicle.curatedRuleSetCategories.*

chronicle.curatedRuleSetDeployments.*

chronicle.curatedRuleSets.*

chronicle.curatedRules.*

chronicle.dashboardCharts.*

chronicle.dashboardQueries.*

chronicle.dashboards.*

chronicle.dataAccessLabels.*

chronicle.dataAccessScopes.*

chronicle.dataExports.*

chronicle.dataTableOperationErrors.get

chronicle.dataTableRows.*

chronicle.dataTables.*

chronicle.dataTaps.*

chronicle.enrichmentControls.*

chronicle.entities.*

chronicle.entityRiskScores.queryEntityRiskScores

chronicle.errorNotificationConfigs.*

chronicle.events.*

chronicle.extensionValidationReports.*

chronicle.feedServiceAccounts.fetch

chronicle.feedSourceTypeSchemas.list

chronicle.feeds.*

chronicle.findingsGraphs.*

chronicle.findingsRefinementDeployments.*

chronicle.findingsRefinements.*

chronicle.forwarders.*

chronicle.globalDataAccessScopes.permit

chronicle.ingestionLogLabels.*

chronicle.ingestionLogNamespaces.*

chronicle.instances.generateCollectionAgentAuth

chronicle.instances.generateSoarAuthJwt

chronicle.instances.generateWorkspaceConnectionToken

chronicle.instances.get

chronicle.instances.logTypeClassifier

chronicle.instances.report

chronicle.iocMatches.*

chronicle.iocState.*

chronicle.iocs.*

chronicle.legacies.*

chronicle.logTypeSchemas.list

chronicle.logTypes.list

chronicle.logs.*

chronicle.messages.*

chronicle.multitenantDirectories.get

chronicle.nativeDashboards.*

chronicle.operations.*

chronicle.parserExtensions.*

chronicle.parsers.*

chronicle.parsingErrors.list

chronicle.preferenceSets.*

chronicle.referenceLists.*

chronicle.retrohunts.*

chronicle.riskConfigs.*

chronicle.ruleDeployments.*

chronicle.ruleExecutionErrors.list

chronicle.rules.*

chronicle.searchQueries.*

chronicle.validationErrors.list

chronicle.validationReports.get

chronicle.watchlists.*

resourcemanager.projects.get

resourcemanager.projects.list

(roles/chronicle.editor)

Modify Access to Chronicle API resources.

chronicle.ais.*

chronicle.analyticValues.list

chronicle.analytics.list

chronicle.cases.countPriorities

chronicle.collectors.get

chronicle.collectors.list

chronicle.conversations.*

chronicle.curatedRuleSetCategories.*

chronicle.curatedRuleSetDeployments.*

chronicle.curatedRuleSets.*

chronicle.curatedRules.*

chronicle.dashboardCharts.*

chronicle.dashboardQueries.*

chronicle.dashboards.*

chronicle.dataAccessScopes.list

chronicle.dataExports.*

chronicle.dataTableOperationErrors.get

chronicle.dataTableRows.*

chronicle.dataTables.*

chronicle.dataTaps.*

chronicle.enrichmentControls.get

chronicle.enrichmentControls.list

chronicle.entities.*

chronicle.entityRiskScores.queryEntityRiskScores

chronicle.errorNotificationConfigs.get

chronicle.errorNotificationConfigs.list

chronicle.events.*

chronicle.findingsGraphs.*

chronicle.findingsRefinementDeployments.*

chronicle.findingsRefinements.*

chronicle.forwarders.generate

chronicle.forwarders.get

chronicle.forwarders.list

chronicle.globalDataAccessScopes.permit

chronicle.ingestionLogLabels.*

chronicle.ingestionLogNamespaces.*

chronicle.instances.generateCollectionAgentAuth

chronicle.instances.generateSoarAuthJwt

chronicle.instances.get

chronicle.instances.logTypeClassifier

chronicle.instances.report

chronicle.iocMatches.*

chronicle.iocState.*

chronicle.iocs.*

chronicle.legacies.*

chronicle.logTypeSchemas.list

chronicle.logs.*

chronicle.messages.*

chronicle.multitenantDirectories.get

chronicle.nativeDashboards.*

chronicle.operations.*

chronicle.preferenceSets.*

chronicle.referenceLists.*

chronicle.retrohunts.*

chronicle.riskConfigs.*

chronicle.ruleDeployments.*

chronicle.ruleExecutionErrors.list

chronicle.rules.create

chronicle.rules.get

chronicle.rules.list

chronicle.rules.listRevisions

chronicle.rules.update

chronicle.rules.verifyRuleText

chronicle.searchQueries.*

chronicle.watchlists.*

resourcemanager.projects.get

resourcemanager.projects.list

(roles/chronicle.globalDataAccess)

Grants global access to data i.e. all data can be accessed.

chronicle.globalDataAccessScopes.permit

(roles/chronicle.limitedViewer)

Grants read-only access to Chronicle API resources, excluding Rules and Retrohunts.

chronicle.analyticValues.list

chronicle.analytics.list

chronicle.cases.countPriorities

chronicle.conversations.get

chronicle.conversations.list

chronicle.dashboardCharts.*

chronicle.dashboardQueries.*

chronicle.dashboards.get

chronicle.dashboards.list

chronicle.dashboards.schedule

chronicle.dataAccessScopes.list

chronicle.entities.find

chronicle.entities.findRelatedEntities

chronicle.entities.get

chronicle.entities.queryEntityRiskScoreModifications

chronicle.entities.searchEntities

chronicle.entities.summarize

chronicle.entities.summarizeFromQuery

chronicle.entityRiskScores.queryEntityRiskScores

chronicle.errorNotificationConfigs.get

chronicle.errorNotificationConfigs.list

chronicle.events.batchGet

chronicle.events.findUdmFieldValues

chronicle.events.get

chronicle.events.queryProductSourceStats

chronicle.events.searchRawLogs

chronicle.events.udmSearch

chronicle.events.validateQuery

chronicle.findingsGraphs.*

chronicle.findingsRefinementDeployments.get

chronicle.findingsRefinementDeployments.list

chronicle.findingsRefinements.computeActivity

chronicle.findingsRefinements.computeAllActivities

chronicle.findingsRefinements.get

chronicle.findingsRefinements.list

chronicle.findingsRefinements.test

chronicle.globalDataAccessScopes.permit

chronicle.ingestionLogLabels.*

chronicle.ingestionLogNamespaces.*

chronicle.instances.get

chronicle.legacies.legacyBatchGetCases

chronicle.legacies.legacyCalculateAlertStats

chronicle.legacies.legacyFetchAlertsView

chronicle.legacies.legacyFetchUdmSearchCsv

chronicle.legacies.legacyFetchUdmSearchView

chronicle.legacies.legacyFindAssetEvents

chronicle.legacies.legacyFindRawLogs

chronicle.legacies.legacyFindUdmEvents

chronicle.legacies.legacyGetAlert

chronicle.legacies.legacyGetFinding

chronicle.legacies.legacySearchArtifactEvents

chronicle.legacies.legacySearchArtifactIoCDetails

chronicle.legacies.legacySearchAssetEvents

chronicle.legacies.legacySearchCustomerStats

chronicle.legacies.legacySearchDomainsRecentlyRegistered

chronicle.legacies.legacySearchDomainsTimingStats

chronicle.legacies.legacySearchEnterpriseWideAlerts

chronicle.legacies.legacySearchEnterpriseWideIoCs

chronicle.legacies.legacySearchFindings

chronicle.legacies.legacySearchIngestionStats

chronicle.legacies.legacySearchIoCInsights

chronicle.legacies.legacySearchRawLogs

chronicle.legacies.legacySearchUserEvents

chronicle.logTypeSchemas.list

chronicle.logs.export

chronicle.logs.get

chronicle.logs.list

chronicle.messages.get

chronicle.messages.list

chronicle.multitenantDirectories.get

chronicle.nativeDashboards.get

chronicle.nativeDashboards.list

chronicle.operations.get

chronicle.operations.list

chronicle.operations.streamSearch

chronicle.operations.wait

chronicle.preferenceSets.*

chronicle.searchQueries.*

resourcemanager.projects.get

resourcemanager.projects.list

(roles/chronicle.restrictedDataAccess)

Grants access to data controlled by Data Access Scopes. Intended to be refined by IAM Conditions.

chronicle.dataAccessScopes.permit

(roles/chronicle.restrictedDataAccessViewer)

Grants readonly access to Chronicle API resources without global data access scope.

chronicle.ais.*

chronicle.dashboardCharts.*

chronicle.dashboardQueries.*

chronicle.dataAccessScopes.list

chronicle.entities.find

chronicle.entities.findRelatedEntities

chronicle.entities.get

chronicle.entities.list

chronicle.entities.searchEntities

chronicle.entities.summarize

chronicle.entities.summarizeFromQuery

chronicle.events.batchGet

chronicle.events.findUdmFieldValues

chronicle.events.get

chronicle.events.queryProductSourceStats

chronicle.events.searchRawLogs

chronicle.events.udmSearch

chronicle.events.validateQuery

chronicle.findingsGraphs.*

chronicle.instances.generateCollectionAgentAuth

chronicle.instances.generateSoarAuthJwt

chronicle.instances.get

chronicle.instances.report

chronicle.legacies.legacyBatchGetCases

chronicle.legacies.legacyCalculateAlertStats

chronicle.legacies.legacyFetchAlertsView

chronicle.legacies.legacyFetchUdmSearchCsv

chronicle.legacies.legacyFetchUdmSearchView

chronicle.legacies.legacyFindAssetEvents

chronicle.legacies.legacyFindRawLogs

chronicle.legacies.legacyFindUdmEvents

chronicle.legacies.legacyGetAlert

chronicle.legacies.legacyGetFinding

chronicle.legacies.legacyGetRuleCounts

chronicle.legacies.legacyGetRulesTrends

chronicle.legacies.legacyRunTestRule

chronicle.legacies.legacySearchArtifactEvents

chronicle.legacies.legacySearchArtifactIoCDetails

chronicle.legacies.legacySearchAssetEvents

chronicle.legacies.legacySearchCustomerStats

chronicle.legacies.legacySearchDomainsRecentlyRegistered

chronicle.legacies.legacySearchDomainsTimingStats

chronicle.legacies.legacySearchFindings

chronicle.legacies.legacySearchIngestionStats

chronicle.legacies.legacySearchIoCInsights

chronicle.legacies.legacySearchRawLogs

chronicle.legacies.legacySearchRuleDetectionCountBuckets

chronicle.legacies.legacySearchRuleDetectionEvents

chronicle.legacies.legacySearchRuleResults

chronicle.legacies.legacySearchRulesAlerts

chronicle.legacies.legacySearchUserEvents

chronicle.logs.get

chronicle.logs.list

chronicle.multitenantDirectories.get

chronicle.nativeDashboards.get

chronicle.nativeDashboards.list

chronicle.operations.get

chronicle.operations.list

chronicle.operations.streamSearch

chronicle.operations.wait

chronicle.preferenceSets.*

chronicle.referenceLists.get

chronicle.referenceLists.list

chronicle.referenceLists.verifyReferenceList

chronicle.retrohunts.get

chronicle.retrohunts.list

chronicle.ruleDeployments.get

chronicle.ruleDeployments.list

chronicle.ruleExecutionErrors.list

chronicle.rules.get

chronicle.rules.list

chronicle.rules.listRevisions

chronicle.rules.verifyRuleText

chronicle.searchQueries.*

resourcemanager.projects.get

resourcemanager.projects.list

(roles/chronicle.soarAdmin)

Grants admin access to Chronicle SOAR.

chronicle.instances.soarAdmin

cloudasset.assets.exportResource

cloudasset.assets.queryAccessPolicy

cloudasset.assets.queryIamPolicy

cloudasset.assets.queryOSInventories

cloudasset.assets.queryResource

cloudasset.assets.searchAllIamPolicies

cloudasset.assets.searchAllResources

cloudasset.assets.searchEnrichmentResourceOwners

resourcemanager.organizations.get

resourcemanager.projects.get

resourcemanager.projects.list

securitycenter.attackpaths.list

securitycenter.exposurepathexplan.get

securitycenter.findings.bulkMuteUpdate

securitycenter.findings.group

securitycenter.findings.list

securitycenter.findings.listFindingPropertyNames

securitycenter.findings.setMute

securitycenter.findings.setState

securitycenter.findings.update

securitycenter.findingsecuritymarks.update

securitycenter.simulations.get

securitycenter.userinterfacemetadata.get

securitycenter.valuedresources.list

(roles/chronicle.soarThreatManager)

Grants threat manager access to Chronicle SOAR.

chronicle.instances.soarThreatManager

cloudasset.assets.exportResource

cloudasset.assets.queryAccessPolicy

cloudasset.assets.queryIamPolicy

cloudasset.assets.queryOSInventories

cloudasset.assets.queryResource

cloudasset.assets.searchAllIamPolicies

cloudasset.assets.searchAllResources

cloudasset.assets.searchEnrichmentResourceOwners

resourcemanager.organizations.get

resourcemanager.projects.get

resourcemanager.projects.list

securitycenter.attackpaths.list

securitycenter.exposurepathexplan.get

securitycenter.findings.bulkMuteUpdate

securitycenter.findings.group

securitycenter.findings.list

securitycenter.findings.listFindingPropertyNames

securitycenter.findings.setMute

securitycenter.findings.setState

securitycenter.findings.update

securitycenter.findingsecuritymarks.update

securitycenter.simulations.get

securitycenter.userinterfacemetadata.get

securitycenter.valuedresources.list

(roles/chronicle.soarVulnerabilityManager)

Grants vulnerability manager access to Chronicle SOAR.

chronicle.instances.soarVulnerabilityManager

cloudasset.assets.exportResource

cloudasset.assets.queryAccessPolicy

cloudasset.assets.queryIamPolicy

cloudasset.assets.queryOSInventories

cloudasset.assets.queryResource

cloudasset.assets.searchAllIamPolicies

cloudasset.assets.searchAllResources

cloudasset.assets.searchEnrichmentResourceOwners

resourcemanager.organizations.get

resourcemanager.projects.get

resourcemanager.projects.list

securitycenter.attackpaths.list

securitycenter.exposurepathexplan.get

securitycenter.findings.bulkMuteUpdate

securitycenter.findings.group

securitycenter.findings.list

securitycenter.findings.listFindingPropertyNames

securitycenter.findings.setMute

securitycenter.findings.setState

securitycenter.findings.update

securitycenter.findingsecuritymarks.update

securitycenter.simulations.get

securitycenter.userinterfacemetadata.get

securitycenter.valuedresources.list

(roles/chronicle.viewer)

Read-only access to the Chronicle API resources.

chronicle.ais.*

chronicle.analyticValues.list

chronicle.analytics.list

chronicle.cases.countPriorities

chronicle.collectors.get

chronicle.collectors.list

chronicle.conversations.get

chronicle.conversations.list

chronicle.curatedRuleSetCategories.*

chronicle.curatedRuleSetDeployments.get

chronicle.curatedRuleSetDeployments.list

chronicle.curatedRuleSets.*

chronicle.curatedRules.*

chronicle.dashboardCharts.*

chronicle.dashboardQueries.*

chronicle.dashboards.get

chronicle.dashboards.list

chronicle.dashboards.schedule

chronicle.dataAccessScopes.list

chronicle.dataExports.fetchLogTypesAvailableForExport

chronicle.dataExports.get

chronicle.dataTableOperationErrors.get

chronicle.dataTableRows.get

chronicle.dataTableRows.list

chronicle.dataTables.get

chronicle.dataTables.list

chronicle.dataTaps.get

chronicle.dataTaps.list

chronicle.enrichmentControls.get

chronicle.enrichmentControls.list

chronicle.entities.find

chronicle.entities.findRelatedEntities

chronicle.entities.get

chronicle.entities.list

chronicle.entities.queryEntityRiskScoreModifications

chronicle.entities.searchEntities

chronicle.entities.summarize

chronicle.entities.summarizeFromQuery

chronicle.entityRiskScores.queryEntityRiskScores

chronicle.errorNotificationConfigs.get

chronicle.errorNotificationConfigs.list

chronicle.events.batchGet

chronicle.events.findUdmFieldValues

chronicle.events.get

chronicle.events.queryProductSourceStats

chronicle.events.searchRawLogs

chronicle.events.udmSearch

chronicle.events.validateQuery

chronicle.findingsGraphs.*

chronicle.findingsRefinementDeployments.get

chronicle.findingsRefinementDeployments.list

chronicle.findingsRefinements.computeActivity

chronicle.findingsRefinements.computeAllActivities

chronicle.findingsRefinements.get

chronicle.findingsRefinements.list

chronicle.findingsRefinements.test

chronicle.forwarders.generate

chronicle.forwarders.get

chronicle.forwarders.list

chronicle.globalDataAccessScopes.permit

chronicle.ingestionLogLabels.*

chronicle.ingestionLogNamespaces.*

chronicle.instances.generateCollectionAgentAuth

chronicle.instances.generateSoarAuthJwt

chronicle.instances.get

chronicle.instances.logTypeClassifier

chronicle.instances.report

chronicle.iocMatches.*

chronicle.iocState.get

chronicle.iocs.*

chronicle.legacies.legacyBatchGetCases

chronicle.legacies.legacyCalculateAlertStats

chronicle.legacies.legacyFetchAlertsView

chronicle.legacies.legacyFetchUdmSearchCsv

chronicle.legacies.legacyFetchUdmSearchView

chronicle.legacies.legacyFindAssetEvents

chronicle.legacies.legacyFindRawLogs

chronicle.legacies.legacyFindUdmEvents

chronicle.legacies.legacyGetAlert

chronicle.legacies.legacyGetCuratedRulesTrends

chronicle.legacies.legacyGetDetection

chronicle.legacies.legacyGetEventForDetection

chronicle.legacies.legacyGetFinding

chronicle.legacies.legacyGetRuleCounts

chronicle.legacies.legacyGetRulesTrends

chronicle.legacies.legacyRunTestRule

chronicle.legacies.legacySearchArtifactEvents

chronicle.legacies.legacySearchArtifactIoCDetails

chronicle.legacies.legacySearchAssetEvents

chronicle.legacies.legacySearchCuratedDetections

chronicle.legacies.legacySearchCustomerStats

chronicle.legacies.legacySearchDetections

chronicle.legacies.legacySearchDomainsRecentlyRegistered

chronicle.legacies.legacySearchDomainsTimingStats

chronicle.legacies.legacySearchEnterpriseWideAlerts

chronicle.legacies.legacySearchEnterpriseWideIoCs

chronicle.legacies.legacySearchFindings

chronicle.legacies.legacySearchIngestionStats

chronicle.legacies.legacySearchIoCInsights

chronicle.legacies.legacySearchRawLogs

chronicle.legacies.legacySearchRuleDetectionCountBuckets

chronicle.legacies.legacySearchRuleDetectionEvents

chronicle.legacies.legacySearchRuleResults

chronicle.legacies.legacySearchRulesAlerts

chronicle.legacies.legacySearchUserEvents

chronicle.legacies.legacyStreamDetectionAlerts

chronicle.legacies.legacyTestRuleStreaming

chronicle.logTypeSchemas.list

chronicle.logs.export

chronicle.logs.get

chronicle.logs.list

chronicle.messages.get

chronicle.messages.list

chronicle.multitenantDirectories.get

chronicle.nativeDashboards.get

chronicle.nativeDashboards.list

chronicle.operations.get

chronicle.operations.list

chronicle.operations.streamSearch

chronicle.operations.wait

chronicle.preferenceSets.*

chronicle.referenceLists.get

chronicle.referenceLists.list

chronicle.referenceLists.verifyReferenceList

chronicle.retrohunts.get

chronicle.retrohunts.list

chronicle.riskConfigs.get

chronicle.ruleDeployments.get

chronicle.ruleDeployments.list

chronicle.ruleExecutionErrors.list

chronicle.rules.get

chronicle.rules.list

chronicle.rules.listRevisions

chronicle.rules.verifyRuleText

chronicle.searchQueries.*

chronicle.watchlists.get

chronicle.watchlists.list

resourcemanager.projects.get

resourcemanager.projects.list

Permissions

(roles/alloydb.admin)

Full access to Cloud AlloyDB all resources.

alloydb.*

cloudaicompanion.entitlements.get

recommender.alloydbClusterPerformanceInsights.*

recommender.alloydbClusterPerformanceRecommendations.*

recommender.alloydbClusterReliabilityInsights.*

recommender.alloydbClusterReliabilityRecommendations.*

recommender.alloydbInstanceSecurityInsights.*

recommender.alloydbInstanceSecurityRecommendations.*

resourcemanager.projects.get

resourcemanager.projects.list

(roles/alloydb.client)

Connectivity access to Cloud AlloyDB instances.

alloydb.clusters.generateClientCertificate

alloydb.clusters.get

alloydb.instances.connect

alloydb.instances.get

resourcemanager.projects.get

resourcemanager.projects.list

(roles/alloydb.databaseUser)

Role allowing access to login as a database user.

alloydb.clusters.get

alloydb.instances.executeSql

alloydb.instances.get

alloydb.users.login

resourcemanager.projects.get

resourcemanager.projects.list

(roles/alloydb.viewer)

Read-only access to Cloud AlloyDB all resources.

alloydb.backups.get

alloydb.backups.list

alloydb.backups.listEffectiveTags

alloydb.backups.listTagBindings

alloydb.clusters.export

alloydb.clusters.get

alloydb.clusters.list

alloydb.clusters.listEffectiveTags

alloydb.clusters.listTagBindings

alloydb.databases.list

alloydb.instances.get

alloydb.instances.list

alloydb.locations.*

alloydb.operations.get

alloydb.operations.list

alloydb.supportedDatabaseFlags.*

alloydb.users.get

alloydb.users.list

cloudaicompanion.entitlements.get

recommender.alloydbClusterPerformanceInsights.get

recommender.alloydbClusterPerformanceInsights.list

recommender.alloydbClusterPerformanceRecommendations.get

recommender.alloydbClusterPerformanceRecommendations.list

recommender.alloydbClusterReliabilityInsights.get

recommender.alloydbClusterReliabilityInsights.list

recommender.alloydbClusterReliabilityRecommendations.get

recommender.alloydbClusterReliabilityRecommendations.list

resourcemanager.projects.get

resourcemanager.projects.list

Permissions

(roles/cloudasset.owner)

Full access to cloud assets metadata

cloudasset.assets.analyzeIamPolicy

cloudasset.assets.analyzeMove

cloudasset.assets.analyzeOrgPolicy

cloudasset.assets.exportAccessLevel

cloudasset.assets.exportAccessPolicy

cloudasset.assets.exportAiplatformBatchPredictionJobs

cloudasset.assets.exportAiplatformCustomJobs

cloudasset.assets.exportAiplatformDataLabelingJobs

cloudasset.assets.exportAiplatformDatasets

cloudasset.assets.exportAiplatformEndpoints

cloudasset.assets.exportAiplatformHyperparameterTuningJobs

cloudasset.assets.exportAiplatformMetadataStores

cloudasset.assets.exportAiplatformModelDeploymentMonitoringJobs

cloudasset.assets.exportAiplatformModels

cloudasset.assets.exportAiplatformPipelineJobs

cloudasset.assets.exportAiplatformSpecialistPools

cloudasset.assets.exportAiplatformTrainingPipelines

cloudasset.assets.exportAllAccessPolicy

cloudasset.assets.exportAnthosConnectedCluster

cloudasset.assets.exportAnthosedgeCluster

cloudasset.assets.exportApigatewayApi

cloudasset.assets.exportApigatewayApiConfig

cloudasset.assets.exportApigatewayGateway

cloudasset.assets.exportApikeysKeys

cloudasset.assets.exportAppengineApplications

cloudasset.assets.exportAppengineServices

cloudasset.assets.exportAppengineVersions

cloudasset.assets.exportArtifactregistryDockerImages

cloudasset.assets.exportArtifactregistryRepositories

cloudasset.assets.exportAssuredWorkloadsWorkloads

cloudasset.assets.exportBeyondCorpApiGateways

cloudasset.assets.exportBeyondCorpAppConnections

cloudasset.assets.exportBeyondCorpAppConnectors

cloudasset.assets.exportBeyondCorpAppGateways

cloudasset.assets.exportBeyondCorpClientConnectorServices

cloudasset.assets.exportBeyondCorpClientGateways

cloudasset.assets.exportBigqueryDatasets

cloudasset.assets.exportBigqueryModels

cloudasset.assets.exportBigqueryTables

cloudasset.assets.exportBigtableAppProfile

cloudasset.assets.exportBigtableBackup

cloudasset.assets.exportBigtableCluster

cloudasset.assets.exportBigtableInstance

cloudasset.assets.exportBigtableTable

cloudasset.assets.exportCloudAssetFeeds

cloudasset.assets.exportCloudDeployDeliveryPipelines

cloudasset.assets.exportCloudDeployReleases

cloudasset.assets.exportCloudDeployRollouts

cloudasset.assets.exportCloudDeployTargets

cloudasset.assets.exportCloudDocumentAIEvaluation

cloudasset.assets.exportCloudDocumentAIHumanReviewConfig

cloudasset.assets.exportCloudDocumentAILabelerPool

cloudasset.assets.exportCloudDocumentAIProcessor

cloudasset.assets.exportCloudDocumentAIProcessorVersion

cloudasset.assets.exportCloudbillingBillingAccounts

cloudasset.assets.exportCloudbillingProjectBillingInfos

cloudasset.assets.exportCloudfunctionsFunctions

cloudasset.assets.exportCloudfunctionsGen2Functions

cloudasset.assets.exportCloudkmsCryptoKeyVersions

cloudasset.assets.exportCloudkmsCryptoKeys

cloudasset.assets.exportCloudkmsEkmConnections

cloudasset.assets.exportCloudkmsImportJobs

cloudasset.assets.exportCloudkmsKeyRings

cloudasset.assets.exportCloudmemcacheInstances

cloudasset.assets.exportCloudresourcemanagerFolders

cloudasset.assets.exportCloudresourcemanagerOrganizations

cloudasset.assets.exportCloudresourcemanagerProjects

cloudasset.assets.exportCloudresourcemanagerTagBindings

cloudasset.assets.exportCloudresourcemanagerTagKeys

cloudasset.assets.exportCloudresourcemanagerTagValues

cloudasset.assets.exportComposerEnvironments

cloudasset.assets.exportComputeAddress

cloudasset.assets.exportComputeAutoscalers

cloudasset.assets.exportComputeBackendBuckets

cloudasset.assets.exportComputeBackendServices

cloudasset.assets.exportComputeCommitments

cloudasset.assets.exportComputeDisks

cloudasset.assets.exportComputeExternalVpnGateways

cloudasset.assets.exportComputeFirewallPolicies

cloudasset.assets.exportComputeFirewalls

cloudasset.assets.exportComputeForwardingRules

cloudasset.assets.exportComputeGlobalAddress

cloudasset.assets.exportComputeGlobalForwardingRules

cloudasset.assets.exportComputeHealthChecks

cloudasset.assets.exportComputeHttpHealthChecks

cloudasset.assets.exportComputeHttpsHealthChecks

cloudasset.assets.exportComputeImages

cloudasset.assets.exportComputeInstanceGroupManagers

cloudasset.assets.exportComputeInstanceGroups

cloudasset.assets.exportComputeInstanceTemplates

cloudasset.assets.exportComputeInstances

cloudasset.assets.exportComputeInterconnect

cloudasset.assets.exportComputeInterconnectAttachment

cloudasset.assets.exportComputeLicenses

cloudasset.assets.exportComputeNetworkEndpointGroups

cloudasset.assets.exportComputeNetworks

cloudasset.assets.exportComputeNodeGroups

cloudasset.assets.exportComputeNodeTemplates

cloudasset.assets.exportComputePacketMirrorings

cloudasset.assets.exportComputeProjects

cloudasset.assets.exportComputeRegionAutoscaler

cloudasset.assets.exportComputeRegionBackendServices

cloudasset.assets.exportComputeRegionDisk

cloudasset.assets.exportComputeRegionInstanceGroup

cloudasset.assets.exportComputeRegionInstanceGroupManager

cloudasset.assets.exportComputeReservations

cloudasset.assets.exportComputeResourcePolicies

cloudasset.assets.exportComputeRouters

cloudasset.assets.exportComputeRoutes

cloudasset.assets.exportComputeSecurityPolicy

cloudasset.assets.exportComputeServiceAttachments

cloudasset.assets.exportComputeSnapshots

cloudasset.assets.exportComputeSslCertificates

cloudasset.assets.exportComputeSslPolicies

cloudasset.assets.exportComputeSubnetworks

cloudasset.assets.exportComputeTargetHttpProxies

cloudasset.assets.exportComputeTargetHttpsProxies

cloudasset.assets.exportComputeTargetInstances

cloudasset.assets.exportComputeTargetPools

cloudasset.assets.exportComputeTargetSslProxies

cloudasset.assets.exportComputeTargetTcpProxies

cloudasset.assets.exportComputeTargetVpnGateways

cloudasset.assets.exportComputeUrlMaps

cloudasset.assets.exportComputeVpnGateways

cloudasset.assets.exportComputeVpnTunnels

cloudasset.assets.exportConnectorsConnections

cloudasset.assets.exportConnectorsConnectorVersions

cloudasset.assets.exportConnectorsConnectors

cloudasset.assets.exportConnectorsProviders

cloudasset.assets.exportConnectorsRuntimeConfigs

cloudasset.assets.exportContainerAppsDeployment

cloudasset.assets.exportContainerAppsReplicaSets

cloudasset.assets.exportContainerBatchJobs

cloudasset.assets.exportContainerClusterrole

cloudasset.assets.exportContainerClusterrolebinding

cloudasset.assets.exportContainerClusters

cloudasset.assets.exportContainerExtensionsIngresses

cloudasset.assets.exportContainerJobs

cloudasset.assets.exportContainerNamespace

cloudasset.assets.exportContainerNetworkingIngresses

cloudasset.assets.exportContainerNetworkingNetworkPolicies

cloudasset.assets.exportContainerNode

cloudasset.assets.exportContainerNodepool

cloudasset.assets.exportContainerPod

cloudasset.assets.exportContainerReplicaSets

cloudasset.assets.exportContainerRole

cloudasset.assets.exportContainerRolebinding

cloudasset.assets.exportContainerServices

cloudasset.assets.exportContainerregistryImage

cloudasset.assets.exportDataMigrationConnectionProfiles

cloudasset.assets.exportDataMigrationMigrationJobs

cloudasset.assets.exportDataflowJobs

cloudasset.assets.exportDatafusionInstance

cloudasset.assets.exportDataplexAssets

cloudasset.assets.exportDataplexLakes

cloudasset.assets.exportDataplexTasks

cloudasset.assets.exportDataplexZones

cloudasset.assets.exportDataprocAutoscalingPolicies

cloudasset.assets.exportDataprocBatches

cloudasset.assets.exportDataprocClusters

cloudasset.assets.exportDataprocJobs

cloudasset.assets.exportDataprocSessions

cloudasset.assets.exportDataprocWorkflowTemplates

cloudasset.assets.exportDatastreamConnectionProfile

cloudasset.assets.exportDatastreamPrivateConnection

cloudasset.assets.exportDatastreamStream

cloudasset.assets.exportDialogflowAgents

cloudasset.assets.exportDialogflowConversationProfiles

cloudasset.assets.exportDialogflowKnowledgeBases

cloudasset.assets.exportDialogflowLocationSettings

cloudasset.assets.exportDlpDeidentifyTemplates

cloudasset.assets.exportDlpDlpJobs

cloudasset.assets.exportDlpInspectTemplates

cloudasset.assets.exportDlpJobTriggers

cloudasset.assets.exportDlpStoredInfoTypes

cloudasset.assets.exportDnsManagedZones

cloudasset.assets.exportDnsPolicies

cloudasset.assets.exportDomainsRegistrations

cloudasset.assets.exportEventarcTriggers

cloudasset.assets.exportFileBackups

cloudasset.assets.exportFileInstances

cloudasset.assets.exportFirebaseAppInfos

cloudasset.assets.exportFirebaseProjects

cloudasset.assets.exportFirestoreDatabases

cloudasset.assets.exportGKEHubFeatures

cloudasset.assets.exportGKEHubMemberships

cloudasset.assets.exportGameservicesGameServerClusters

cloudasset.assets.exportGameservicesGameServerConfigs

cloudasset.assets.exportGameservicesGameServerDeployments

cloudasset.assets.exportGameservicesRealms

cloudasset.assets.exportGkeBackupBackupPlans

cloudasset.assets.exportGkeBackupBackups

cloudasset.assets.exportGkeBackupRestorePlans

cloudasset.assets.exportGkeBackupRestores

cloudasset.assets.exportGkeBackupVolumeBackups

cloudasset.assets.exportGkeBackupVolumeRestores

cloudasset.assets.exportHealthcareConsentStores

cloudasset.assets.exportHealthcareDatasets

cloudasset.assets.exportHealthcareDicomStores

cloudasset.assets.exportHealthcareFhirStores

cloudasset.assets.exportHealthcareHl7V2Stores

cloudasset.assets.exportIamPolicy

cloudasset.assets.exportIamRoles

cloudasset.assets.exportIamServiceAccountKeys

cloudasset.assets.exportIamServiceAccounts

cloudasset.assets.exportIapTunnel

cloudasset.assets.exportIapTunnelInstances

cloudasset.assets.exportIapTunnelZones

cloudasset.assets.exportIapWeb

cloudasset.assets.exportIapWebServiceVersion

cloudasset.assets.exportIapWebServices

cloudasset.assets.exportIapWebType

cloudasset.assets.exportIdsEndpoints

cloudasset.assets.exportIntegrationsAuthConfigs

cloudasset.assets.exportIntegrationsCertificates

cloudasset.assets.exportIntegrationsExecutions

<